Date post: 26-Sep-2018
Contents

Introduction

The Exam Objectives

Assessment Test

Answers to the Assessment Test

Part I: Exam 1

Chapter 1: Exploring Linux Command-Line Tools
  Understanding Command-Line Basics
  Using Streams, Redirection, and Pipes
  Processing Text Using Filters
  Using Regular Expressions
  Summary
  Exam Essentials
  Review Questions

Chapter 2: Managing Software
  Package Concepts
  Using RPM
  Using Debian Packages
  Converting Between Package Formats
  Package Dependencies and Conflicts
  Managing Shared Libraries
  Managing Processes
  Summary
  Exam Essentials
  Review Questions

Chapter 3: Configuring Hardware
  Configuring the Firmware and Core Hardware
  Configuring Expansion Cards
  Configuring USB Devices
  Configuring Hard Disks
  Designing a Hard Disk Layout
  Creating Partitions and Filesystems
  Maintaining Filesystem Health
  Mounting and Unmounting Filesystems
  Summary
  Exam Essentials
  Review Questions

Chapter 4: Managing Files
  Using File Management Commands
  Managing File Ownership
  Controlling Access to Files
  Managing Disk Quotas
  Locating Files
  Summary
  Exam Essentials
  Review Questions

Chapter 5: Booting Linux and Editing Files
  Installing Boot Loaders
  Understanding the Boot Process
  Dealing with Runlevels and the Initialization Process
  Using Alternative Boot Systems
  Editing Files with Vi
  Summary
  Exam Essentials
  Review Questions

Part II: Exam 2

Chapter 6: Configuring the X Window System, Localization, and Printing
  Configuring Basic X Features
  Configuring X Fonts
  Managing GUI Logins
  Using X for Remote Access
  X Accessibility
  Configuring Localization and Internationalization
  Configuring Printing
  Summary
  Exam Essentials
  Review Questions

Chapter 7: Administering the System
  Managing Users and Groups
  Tuning User and System Environments
  Using System Log Files
  Maintaining the System Time
  Running Jobs in the Future
  Summary
  Exam Essentials
  Review Questions

Chapter 8: Configuring Basic Networking
  Understanding TCP/IP Networking
  Understanding Network Addressing
  Configuring Linux for a Local Network
  Diagnosing Network Connections
  Summary
  Exam Essentials
  Review Questions

Chapter 9: Writing Scripts, Configuring Email, and Using Databases
  Managing the Shell Environment
  Writing Scripts
  Managing Email
  Managing Data with SQL
  Summary
  Exam Essentials
  Review Questions

Chapter 10: Securing Your System
  Administering Network Security
  Administering Local Security
  Configuring SSH
  Using GPG
  Summary
  Exam Essentials
  Review Questions

Appendix A: Answers to Review Questions

Appendix B: About the Additional Study Tools

Index


Senior Acquisitions Editor: Jeff Kellum
Development Editor: Alexa Murphy
Technical Editors: Ross Brunson and Kevin Glendenning, FOSSter.com
Production Editor: Eric Charbonneau
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Doug Kuhn
Media Quality Assurance: Josh Frank
Book Designer: Judy Fung
Proofreader: Candace Cunningham
Indexer: Ted Laux
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed

Copyright © 2013 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-49563-6
ISBN: 978-1-118-52648-4 (ebk.)
ISBN: 978-1-118-57047-0 (ebk.)
ISBN: 978-1-118-57055-5 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2012951869

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

Dear Reader,

Thank you for choosing LPIC-1: Linux Professional Institute Certification Study Guide, Third Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley

Acknowledgments

Although this book bears my name as author, many other people contributed to its creation. Without their help, this book wouldn’t exist, or at best would exist in a lesser form. Jeff Kellum was the acquisitions editor and so helped get the book started. Alexa Murphy, the developmental editor, and Eric Charbonneau, the production editor, oversaw the book as it progressed through all its stages. Ross Brunson and Kevin Glendenning were the technical editors who checked the text for technical errors and omissions—but any mistakes that remain are my own. Kim Wimpsett, the copy editor, helped keep the text grammatical and understandable. The proofreader, Candace Cunningham, checked the text for typos. I’d also like to thank Neil Salkind and others at Studio B, who helped connect me with Wiley to write this book.

About the Author

Roderick W. Smith is a Linux consultant and author. He has written more than 20 books on Linux, FreeBSD, and computer networking, including Linux Essentials, the LPIC-2 Study Guide, and Linux Administrator Street Smarts (all from Sybex) [email protected].

Table of Exercises

Exercise 1.1   Editing Commands
Exercise 2.1   Managing Packages Using RPM
Exercise 2.2   Managing Debian Packages
Exercise 3.1   Creating Filesystems
Exercise 4.1   Modifying Ownership and Permissions
Exercise 4.2   Locating Files
Exercise 5.1   Changing Runlevels
Exercise 6.1   Printing with Linux
Exercise 7.1   Creating User Accounts
Exercise 7.2   Creating User cron Jobs
Exercise 8.1   Practice Resolving Hostnames
Exercise 8.2   Configuring a Network Connection
Exercise 9.1   Changing Your bash Prompt
Exercise 9.2   Creating a Simple Script
Exercise 9.3   Creating a SQL Database
Exercise 10.1  Monitor Network Port Use

Introduction

Why should you learn about Linux? It’s a fast-growing operating system, and it is inexpensive and flexible. Linux is also a major player in the small and mid-sized server field, and it’s an increasingly viable platform for workstation and desktop use as well. By understanding Linux, you’ll increase your standing in the job market. Even if you already know Windows or Mac OS and your employer uses these systems exclusively, understanding Linux will give you an edge when you’re looking for a new job or you’re looking for a promotion. For instance, this knowledge will help you make an informed decision about if and when you should deploy Linux.

The Linux Professional Institute (LPI) has developed its LPI-1 certification as an introductory certification for people who want to enter careers involving Linux. The exam is meant to certify that an individual has the skills necessary to install, operate, and troubleshoot a Linux system and is familiar with Linux-specific concepts and basic hardware.

The purpose of this book is to help you pass the LPIC-1 exams (101 and 102) updated in 2012. Because these exams cover basic Linux installation, configuration, maintenance, applications, networking, and security, those are the topics that are emphasized in this book. You’ll learn enough to get a Linux system up and running and to configure it for many common tasks. Even after you’ve taken and passed the LPIC-1 exams, this book should remain a useful reference.

What Is Linux?

Linux is a clone of the Unix operating system (OS) that has been popular in academia and many business environments for years. Formerly used exclusively on large mainframes, Unix and Linux can now run on small computers—which are actually far more powerful than the mainframes of just a few years ago. Because of its mainframe heritage, Unix (and hence also Linux) scales well to perform today’s demanding scientific, engineering, and network server tasks.

Linux consists of a kernel, which is the core control software, and many libraries and utilities that rely on the kernel to provide features with which users interact. The OS is available in many different distributions, which are collections of a specific kernel with specific support programs.

Why Become Linux Certified?

Several good reasons to get your Linux certification exist. There are four major benefits:

Relevance: The exams were designed with the needs of Linux professionals in mind. This was done by performing surveys of Linux administrators to learn what they actually need to know to do their jobs.

Quality: The exams have been extensively tested and validated using psychometric standards. The result is an ability to discriminate between competent administrators and those who must still learn more material.

Neutrality: LPI is an organization that doesn’t itself market any Linux distribution. This fact removes the motivation to create an exam that’s designed as a way to market a particular distribution.

Support: The exams are supported by major players in the Linux world.

How to Become Certified

The certification is available to anyone who passes the two required exams: 101 and 102. You don’t have to work for a particular company. It’s not a secret society.

The exam is administered by Pearson VUE. The exam can be taken at any Pearson VUE testing center. If you pass, you will get a certificate in the mail saying that you have passed. Contact (877) 619-2096 for Pearson VUE contact information.

To register for the exam with Pearson VUE, call (877) 619-2096, or register online at http://www.vue.com. However you do it, you’ll be asked for your name, mailing address, phone number, employer, when and where you want to take the test (i.e., which testing center), and your credit card number (arrangement for payment must be made at the time of registration).

Who Should Buy This Book

Anybody who wants to pass the certification exams may benefit from this book. This book covers the material that someone new to Linux will need to learn the OS from the beginning, and it continues to provide the knowledge you need up to a proficiency level sufficient to pass the two exams. You can pick up this book and learn from it even if you’ve never used Linux before, although you’ll find it an easier read if you’ve at least casually used Linux for a few days. If you’re already familiar with Linux, this book can serve as a review and as a refresher course for information with which you might not be completely familiar. In either case, reading this book will help you pass the exams.

This book is written with the assumption that you know at least a little bit about Linux (what it is and possibly a few Linux commands). I also assume you know some basics about computers in general, such as how to use a keyboard, how to insert a disc into an optical drive, and so on. Chances are, you have used computers in a substantial way in the past—perhaps even Linux, as an ordinary user, or maybe you have used Windows or Mac OS. I do not assume that you have extensive knowledge of Linux system administration, but if you’ve done some system administration, you can still use this book to fill in gaps in your knowledge.

As a practical matter, you’ll need a Linux system with which to practice and learn in a hands-on way. Neither the exams nor this book covers actually installing Linux on a computer from scratch, although some of the prerequisites (such as disk partitioning) are covered. You may need to refer to your distribution’s documentation to learn how to accomplish this task. Alternatively, several vendors sell computers with Linux pre-installed.

How This Book Is Organized

This book consists of 10 chapters plus supplementary information: an online glossary, this introduction, and the assessment test after the introduction. The chapters are organized as follows:

Chapter 1, “Exploring Linux Command-Line Tools,” covers the basic tools you need to interact with Linux. These include shells, redirection, pipes, text filters, and regular expressions.

Chapter 2, “Managing Software,” describes the programs you’ll use to manage software. Much of this task is centered around the RPM and Debian package management systems. The chapter also covers handling shared libraries and managing processes (that is, running programs).

Chapter 3, “Configuring Hardware,” focuses on Linux’s interactions with the hardware on which it runs. Specific hardware and procedures for using it include the BIOS, expansion cards, USB devices, hard disks, and the partitions and filesystems used on hard disks.

Chapter 4, “Managing Files,” covers the tools used to manage files. This includes commands to manage files, ownership, and permissions, as well as Linux’s standard directory tree and tools for archiving files.

Chapter 5, “Booting Linux and Editing Files,” explains how Linux boots up and how you can edit files in Linux. Specific topics include the GRUB Legacy and GRUB 2 boot loaders, boot diagnostics, runlevels, and the Vi editor.

Chapter 6, “Configuring the X Window System, Localization, and Printing,” describes the Linux GUI and printing subsystems. Topics include X configuration, managing GUI logins, configuring location-specific features, enabling accessibility features, and setting up Linux to use a printer.

Chapter 7, “Administering the System,” describes miscellaneous administrative tasks. These include user and group management, tuning user environments, managing log files, setting the clock, and running jobs in the future.

Chapter 8, “Configuring Basic Networking,” focuses on basic network configuration. Topics include TCP/IP basics, setting up Linux on a TCP/IP network, and network diagnostics.

Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” covers these miscellaneous topics. Scripts are small programs that administrators often use to help automate common tasks. Email, of course, is an important topic for any computer user, particularly on Linux, which often runs an email server for local or remote use. Linux can run databases that help you store and retrieve information, and these tools can be very important ones on many Linux systems.

Chapter 10, “Securing Your System,” covers security. Specific subjects include network security, local security, and the use of encryption to improve security.

Chapters 1 through 5 cover the 101 exam, while Chapters 6 through 10 cover the 102 exam. These make up Part I and Part II of the book, respectively.

Each chapter begins with a list of the exam objectives that are covered in that chapter. The book doesn’t cover the objectives in order. Thus, you shouldn’t be alarmed at some of the odd ordering of the objectives within the book. At the end of each chapter, you’ll find a couple of elements you can use to prepare for the exam:

Exam Essentials: This section summarizes important information that was covered in the chapter. You should be able to perform each of the tasks or convey the information requested.

Review Questions: Each chapter concludes with 20 review questions. You should answer these questions and check your answers against the ones provided after the questions. If you can’t answer at least 80 percent of these questions correctly, go back and review the chapter, or at least those sections that seem to be giving you difficulty.

The review questions, assessment test, and other testing elements included in this book are not derived from the actual exam questions, so don’t memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the ultimate goal of a certification.

To get the most out of this book, you should read each chapter from start to finish and then check your memory and understanding with the chapter-end elements. Even if you’re already familiar with a topic, you should skim the chapter; Linux is complex enough that there are often multiple ways to accomplish a task, so you may learn something even if you’re already competent in an area.

Additional Study Tools

Readers of this book can access a Web site that contains several additional study tools, including the following:

Readers can access these tools by visiting http://www.sybex.com/go/lpic3e.

Sample Tests: All of the questions in this book will be included, including the assessment test at the end of this introduction and the 200 questions from the review sections at the end of each chapter. In addition, there are two 50-question bonus exams. The test engine runs on Windows, Linux, and Mac OS.

Electronic Flashcards: The additional study tools include 150 questions in flashcard format (a question followed by a single correct answer). You can use these to review your knowledge of the exam objectives. The flashcards run on both Windows and Linux.

Glossary of Terms as a PDF File: In addition, there is a searchable glossary in PDF format, which can be read on all platforms that support PDF.

Conventions Used in This Book

This book uses certain typographic styles in order to help you quickly identify important information and to avoid confusion over the meaning of words such as on-screen prompts. In particular, look for the following styles:

Italicized text indicates key terms that are described at length for the first time in a chapter. (Italics are also used for emphasis.)

A monospaced font indicates the contents of configuration files, messages displayed at a text-mode Linux shell prompt, filenames, text-mode command names, and Internet URLs.

Italicized monospaced text indicates a variable—information that differs from one system or command run to another, such as the name of a client computer or a process ID number.

Bold monospaced text is information that you’re to type into the computer, usually at a Linux shell prompt. This text can also be italicized to indicate that you should substitute an appropriate value for your system. (When isolated on their own lines, commands are preceded by non-bold monospaced $ or # command prompts, denoting regular user or system administrator use, respectively.)

In addition to these text conventions, which can apply to individual words or entire paragraphs, a few conventions highlight segments of text:

A note indicates information that’s useful or interesting but that’s somewhat peripheral to the main text. A note might be relevant to a small number of networks, for instance, or it may refer to an outdated feature.

A tip provides information that can save you time or frustration and that may not be entirely obvious. A tip might describe how to get around a limitation or how to use a feature to perform an unusual task.

Warnings describe potential pitfalls or dangers. If you fail to heed a warning, you may end up spending a lot of time recovering from a bug, or you may even end up restoring your entire system from scratch.

Sidebar
A sidebar is like a note but longer. The information in a sidebar is useful, but it doesn’t fit into the main flow of the text.

Real World Scenario
A real world scenario is a type of sidebar that describes a task or example that’s particularly grounded in the real world. This may be a situation I or somebody I know has encountered, or it may be advice on how to work around problems that are common in real, working Linux environments.

EXERCISE: EXERCISE
An exercise is a procedure you should try on your own computer to help you learn about the material in the chapter. Don’t limit yourself to the procedures described in the exercises, though! Try other commands and procedures to really learn about Linux.

The Exam Objectives

Behind every computer industry exam you can be sure to find exam objectives—the broad topics in which exam developers want to ensure your competency. The official exam objectives are listed here. (They’re also printed at the start of the chapters in which they’re covered.)

Exam objectives are subject to change at any time without prior notice and at LPI’s sole discretion. Please visit LPI’s Web site (http://www.lpi.org) for the most current listing of exam objectives.

Exam 101 Objectives

The following are the areas in which you must be proficient in order to pass the 101 exam. This exam is broken into four topics (101–104), each of which has three to eight objectives. Each objective has an associated weight, which reflects its importance to the exam as a whole. The four main topics are:

Subject Area
101 System Architecture
102 Linux Installation and Package Management
103 GNU and Unix Commands
104 Devices, Linux Filesystems, Filesystem Hierarchy Standard

101 System Architecture

101.1 Determine and Configure hardware settings (Chapter 3)
  Enable and disable integrated peripherals
  Configure systems with or without external peripherals such as keyboards
  Differentiate between the various types of mass storage devices
  Set the correct hardware ID for different devices, especially the boot device
  Know the differences between coldplug and hotplug devices
  Determine hardware resources for devices
  Tools and utilities to list various hardware information (e.g., lsusb, lspci, etc.)
  Tools and utilities to manipulate USB devices
  Conceptual understanding of sysfs, udev, hald, dbus
  The following is a partial list of the used files, terms, and utilities: /sys, /proc, /dev, modprobe, lsmod, lspci, lsusb

101.2 Boot the System (Chapter 5)
  Provide common commands to the boot loader and options to the kernel at boot time
  Demonstrate knowledge of the boot sequence from BIOS to boot completion
  Check boot events in the log file
  The following is a partial list of the used files, terms and utilities: /var/log/messages, dmesg, BIOS, bootloader, kernel, init

101.3 Change runlevels and shutdown or reboot system (Chapter 5)
  Set the default runlevel
  Change between runlevels including single user mode
  Shutdown and reboot from the command line
  Alert users before switching runlevels or other major system events
  Properly terminate processes
  Knowledge of basic features of systemd and Upstart
  The following is a partial list of the used files, terms and utilities: /etc/inittab, shutdown, init, /etc/init.d, telinit

102 Linux Installation and Package Management

102.1 Design hard disk layout (Chapter 3)
  Allocate filesystems and swap space to separate partitions or disks
  Tailor the design to the intended use of the system
  Ensure the /boot partition conforms to the hardware architecture requirements for booting
  Knowledge of basic features of LVM
  The following is a partial list of the used files, terms and utilities: / (root) filesystem, /var filesystem, /home filesystem, swap space, mount points, partitions

102.2 Install a boot manager (Chapter 5)
  Providing alternative boot locations and backup boot options
  Install and configure a boot loader such as GRUB Legacy
  Perform basic configuration changes for GRUB 2
  Interact with the boot loader
  The following is a partial list of the used files, terms, and utilities: /boot/grub/menu.lst, grub.cfg and other variations, grub-install, MBR, superblock

102.3 Manage shared libraries (Chapter 2)
  Identify shared libraries
  Identify the typical locations of system libraries
  Load shared libraries
  The following is a partial list of the used files, terms and utilities: ldd, ldconfig, /etc/ld.so.conf, LD_LIBRARY_PATH

102.4 Use Debian package management (Chapter 2)
  Install, upgrade and uninstall Debian binary packages
  Find packages containing specific files or libraries which may or may not be installed
  Obtain package information like version, content, dependencies, package integrity and installation status (whether or not the package is installed)
  The following is a partial list of the used files, terms and utilities: /etc/apt/sources.list, dpkg, dpkg-reconfigure, apt-get, apt-cache, aptitude

102.5 Use RPM and YUM package management (Chapter 2)
  Install, re-install, upgrade and remove packages using RPM and YUM
  Obtain information on RPM packages such as version, status, dependencies, integrity and signatures
  Determine what files a package provides, as well as find which package a specific file comes from
  The following is a partial list of the used files, terms and utilities: rpm, rpm2cpio, /etc/yum.conf, /etc/yum.repos.d/, yum, yumdownloader

103 GNU and Unix Commands

103.1 Work on the command line (Chapter 1)
  Use single shell commands and one line command sequences to perform basic tasks on the command line
  Use and modify the shell environment including defining, referencing and exporting environment variables
  Use and edit command history
  Invoke commands inside and outside the defined path
  The following is a partial list of the used files, terms and utilities: ., bash, echo, env, exec, export, pwd, set, unset, man, uname, history

103.2 Process text streams using filters (Chapter 1)
  Send text files and output streams through text utility filters to modify the output using standard UNIX commands found in the GNU textutils package
  The following is a partial list of the used files, terms and utilities: cat, cut, expand, fmt, head, od, join, nl, paste, pr, sed, sort, split, tail, tr, unexpand, uniq, wc

103.3 Perform basic file management (Chapter 4)
  Copy, move and remove files and directories individually
  Copy multiple files and directories recursively
  Remove files and directories recursively
  Use simple and advanced wildcard specifications in commands
  Using find to locate and act on files based on type, size, or time
  Usage of tar, cpio, and dd
  The following is a partial list of the used files, terms and utilities: cp, find, mkdir, mv, ls, rm, rmdir, touch, tar, cpio, dd, file, gzip, gunzip, bzip2, file globbing

103.4 Use streams, pipes and redirects (Chapter 1)
  Redirecting standard input, standard output and standard error
  Pipe the output of one command to the input of another command
  Use the output of one command as arguments to another command
  Send output to both stdout and a file
  The following is a partial list of the used files, terms and utilities: tee, xargs

103.5 Create, monitor and kill processes (Chapter 2)
  Run jobs in the foreground and background
  Signal a program to continue running after logout
  Monitor active processes
  Select and sort processes for display
  Send signals to processes
  The following is a partial list of the used files, terms and utilities: &, bg, fg, jobs, kill, nohup, ps, top, free, uptime, killall

103.6 Modify process execution priorities (Chapter 2)
  Know the default priority of a job that is created
  Run a program with higher or lower priority than the default
  Change the priority of a running process
  The following is a partial list of the used files, terms and utilities: nice, ps, renice, top

103.7 Search text files using regular expressions (Chapter 1)
  Create simple regular expressions containing several notational elements
  Use regular expression tools to perform searches through a filesystem or file content
  The following is a partial list of the used files, terms and utilities: grep, egrep, fgrep, sed, regex(7)

103.8 Perform basic file editing operations using vi (Chapter 5)
  Navigate a document using vi
  Use basic vi modes
  Insert, edit, delete, copy and find text
  The following is a partial list of the used files, terms and utilities: vi, /, ?, h, j, k, l, i, o, a, c, d, p, y, dd, yy, ZZ, :w!, :q!, :e!

104 Devices, Linux Filesystems, Filesystem Hierarchy Standard

104.1 Create partitions and filesystems (Chapter 3)
  Use various mkfs commands to set up partitions and create various filesystems such as: ext2, ext3, xfs, reiserfs v3, vfat
  The following is a partial list of the used files, terms and utilities: fdisk, mkfs, mkswap

104.2 Maintain the integrity of filesystems (Chapter 3)
  Verify the integrity of filesystems
  Monitor free space and inodes
  Repair simple filesystem problems
  The following is a partial list of the used files, terms and utilities: du, df, fsck, e2fsck, mke2fs, debugfs, dumpe2fs, tune2fs, xfs tools (such as xfs_metadump and xfs_info)

104.3 Control mounting and unmounting of filesystems (Chapter 3)
  Manually mount and unmount filesystems
  Configure filesystem mounting on bootup
  Configure user mountable removable filesystems
  The following is a partial list of the used files, terms and utilities: /etc/fstab, /media, mount, umount

104.4 Manage disk quotas (Chapter 4)
  Set up a disk quota for a filesystem
  Edit, check and generate user quota reports
  The following is a partial list of the used files, terms and utilities: quota, edquota, repquota, quotaon

104.5 Manage file permissions and ownership (Chapter 4)
  Manage access permissions on regular and special files as well as directories
  Use access modes such as suid, sgid and the sticky bit to maintain security
  Know how to change the file creation mask
  Use the group field to grant file access to group members
  The following is a partial list of the used files, terms and utilities: chmod, umask, chown, chgrp

104.6 Create and change hard and symbolic links (Chapter 4)
  Create links
  Identify hard and/or soft links
  Copying versus linking files
  Use links to support system administration tasks
  The following is a partial list of the used files, terms and utilities: ln

104.7 Find system files and place files in the correct location (Chapter 4)
  Understand the correct locations of files under the FHS
  Find files and commands on a Linux system
  Know the location and purpose of important files and directories as defined in the FHS
  The following is a partial list of the used files, terms and utilities: find, locate, updatedb, whereis, which, type, /etc/updatedb.conf

Exam 102 Objectives

The 102 exam comprises six topics (105–110), each of which contains three or four objectives. The six major topics are:

Subject Area
105 Shells, Scripting and Data Management
106 User Interfaces and Desktops
107 Administrative Tasks
108 Essential System Services
109 Networking Fundamentals
110 Security

105 Shells, Scripting and Data Management

105.1 Customize and use the shell environment (Chapter 9)
  Set environment variables (e.g., PATH) at login or when spawning a new shell
  Write BASH functions for frequently used sequences of commands
  Maintain skeleton directories for new user accounts
  Set command search path with the proper directory
  The following is a partial list of the used files, terms, and utilities: /etc/profile, env, export, set, unset, ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, function, alias, lists

105.2 Customize or write simple scripts (Chapter 9)
  Use standard sh syntax (loops, tests)
  Use command substitution
  Test return values for success or failure or other information provided by a command
  Perform conditional mailing to the superuser
  Correctly select the script interpreter through the shebang (#!) line
  Manage the location, ownership, execution and suid-rights of scripts
  The following is a partial list of the used files, terms, and utilities: for, while, test, if, read, seq

105.3 SQL data management (Chapter 9)
  Use of basic SQL commands
  Perform basic data manipulation
  The following is a partial list of the used files, terms, and utilities: insert, update, select, delete, from, where, group by, order by, join

106 User Interfaces and Desktops

106.1 Install and configure X11 (Chapter 6)
  Verify that the video card and monitor are supported by an X server
  Awareness of the X font server
  Basic understanding and knowledge of the X Window configuration file
  The following is a partial list of the used files, terms, and utilities: /etc/X11/xorg.conf, xhost, DISPLAY, xwininfo, xdpyinfo, X

106.2 Set up a display manager (Chapter 6)
  Turn the display manager on or off
  Change the display manager greeting
  Change default color depth for the display manager
  Configure display managers for use by X-stations
  The following is a partial list of the used files, terms, and utilities: /etc/inittab; plus xdm, kdm, and gdm configuration files

106.3 Accessibility (Chapter 6)
  Keyboard Accessibility Settings (AccessX)
  Visual Settings and Themes
  Assistive Technology (ATs)
  The following is a partial list of the used files, terms, and utilities: Sticky/Repeat Keys, Slow/Bounce/Toggle Keys, Mouse Keys, High Contrast/Large Print Desktop Themes, Screen Reader, Braille Display, Screen Magnifier, On-Screen Keyboard, Gestures (used at login, for example gdm), Orca, GOK, emacspeak

107 Administrative Tasks

107.1 Manage user and group accounts and related system files (Chapter 7)
  Add, modify and remove users and groups
  Manage user/group info in password/group databases
  Create and manage special purpose and limited accounts
  The following is a partial list of the used files, terms, and utilities: /etc/passwd, /etc/shadow, /etc/group, /etc/skel, chage, groupadd, groupdel, groupmod, passwd, useradd, userdel, usermod

107.2 Automate system administration tasks by scheduling jobs (Chapter 9)
  Manage cron and at jobs
  Configure user access to cron and at services
  The following is a partial list of the used files, terms, and utilities: /etc/cron.{d,daily,hourly,monthly,weekly}, /etc/at.deny, /etc/at.allow, /etc/crontab, /etc/cron.allow, /etc/cron.deny, /var/spool/cron/*, crontab, at, atq, atrm

107.3 Localization and internationalization (Chapter 6)
  Locale settings
  Time zone settings
  The following is a partial list of the used files, terms, and utilities: /etc/timezone, /etc/localtime, /usr/share/zoneinfo, environment variables (LC_*, LC_ALL, LANG, TZ), /usr/bin/locale, tzselect, tzconfig, date, iconv, UTF-8, ISO-8859, ASCII, Unicode

108 Essential System Services

108.1 Maintain system time (Chapter 7)
Set the system date and time
Set the hardware clock to the correct time in UTC
Configure the correct timezone
Basic NTP configuration
Knowledge of using the pool.ntp.org service
The following is a partial list of the used files, terms, and utilities: /usr/share/zoneinfo, /etc/timezone, /etc/localtime, /etc/ntp.conf, date, hwclock, ntpd, ntpdate, pool.ntp.org

108.2 System logging (Chapter 7)
Syslog configuration files
syslog standard facilities, priorities and actions
The following is a partial list of the used files, terms, and utilities: syslog.conf, syslogd, klogd, logger

108.3 Mail Transfer Agent (MTA) basics (Chapter 9)
Create e-mail aliases
Configure e-mail forwarding
Knowledge of commonly available MTA programs (postfix, sendmail, qmail, exim) (no configuration)
The following is a partial list of the used files, terms, and utilities: ~/.forward, sendmail emulation layer commands, newaliases, mail, mailq, postfix, sendmail, exim, qmail

108.4 Manage printers and printing (Chapter 6)
Basic CUPS configuration (for local and remote printers)
Manage user print queues
Troubleshoot general printing problems
Add and remove jobs from configured printer queues
The following is a partial list of the used files, terms, and utilities: CUPS configuration files, tools and utilities; /etc/cups; lpd legacy interface (lpr, lprm, lpq)

109 Networking Fundamentals

109.1 Fundamentals of internet protocols (Chapter 8)
Demonstrate an understanding of network masks
Knowledge of the differences between private and public “dotted quad” IP-Addresses
Setting a default route
Knowledge about common TCP and UDP ports (20, 21, 22, 23, 25, 53, 80, 110, 119, 139, 143, 161, 443, 465, 993, 995)
Knowledge about the differences and major features of UDP, TCP and ICMP
Knowledge of the major differences between IPv4 and IPv6
Knowledge of the basic features of IPv6
The following is a partial list of the used files, terms, and utilities: /etc/services, ftp, telnet, host, ping, dig, traceroute, tracepath

109.2 Basic network configuration (Chapter 8)
Manually and automatically configure network interfaces
Basic TCP/IP host configuration
The following is a partial list of the used files, terms, and utilities: /etc/hostname, /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf, ifconfig, ifup, ifdown, route, ping

109.3 Basic network troubleshooting (Chapter 8)
Manually and automatically configure network interfaces and routing tables to include adding, starting, stopping, restarting, deleting or reconfiguring network interfaces
Change, view or configure the routing table and correct an improperly set default route manually
Debug problems associated with the network configuration
The following is a partial list of the used files, terms, and utilities: ifconfig, ifup, ifdown, route, host, hostname, dig, netstat, ping, traceroute

109.4 Configure client side DNS (Chapter 8)
Demonstrate the use of DNS on the local system
Modify the order in which name resolution is done
The following is a partial list of the used files, terms, and utilities: /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf

110 Security

110.1 Perform security administration tasks (Chapter 10)
Audit a system to find files with the suid/sgid bit set
Set or change user passwords and password aging information
Being able to use nmap and netstat to discover open ports on a system
Set up limits on user logins, processes and memory usage
Basic sudo configuration and usage
The following is a partial list of the used files, terms, and utilities: find, passwd, lsof, nmap, chage, netstat, sudo, /etc/sudoers, su, usermod, ulimit

110.2 Setup host security (Chapter 10)
Awareness of shadow passwords and how they work
Turn off network services not in use
Understand the role of TCP wrappers
The following is a partial list of the used files, terms, and utilities: /etc/nologin, /etc/passwd, /etc/shadow, /etc/xinetd.d/*, /etc/xinetd.conf, /etc/inetd.d/*, /etc/inetd.conf, /etc/inittab, /etc/init.d/*, /etc/hosts.allow, /etc/hosts.deny

110.3 Securing data with encryption (Chapter 10)
Perform basic OpenSSH 2 client configuration and usage
Understand the role of OpenSSH 2 server host keys
Perform basic GnuPG configuration and usage
Understand SSH port tunnels (including X11 tunnels)
The following is a partial list of the used files, terms, and utilities: ssh, ssh-keygen, ssh-agent, ssh-add, ~/.ssh/id_rsa and id_rsa.pub, ~/.ssh/id_dsa and id_dsa.pub, /etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub, ~/.ssh/authorized_keys, /etc/ssh_known_hosts, gpg, ~/.gnupg/*

Assessment Test

1. The following line appears in your X server’s mouse configuration area. What can you conclude?

Option "Protocol" "PS/2"

A. The mouse is connected to the PS/2 hardware mouse port.
B. The mouse uses the PS/2 software communication standard.
C. The computer is an ancient IBM PS/2 system.
D. The mouse was designed for use with IBM’s OS/2.
E. A slash (/) is invalid in a protocol name, so the mouse won’t work.

2. How can you tell whether your system is using inetd or xinetd as a super server? (Select two.)

A. Type ps ax | grep inetd, and examine the output for signs of inetd or xinetd.
B. Type superserver to see a report on which super server is running.
C. Look for the /etc/inetd.conf file or /etc/xinetd.d subdirectory, which are signs of inetd or xinetd, respectively.
D. Examine the /etc/inittab file to see which super server is launched by init, which is responsible for this task.
E. Type netstat -a | grep inet and examine the output for signs of inetd or xinetd.

3. How does the lpc utility for CUPS differ from its counterpart in BSD LPD and LPRng?

A. The lpc utility is unique to CUPS; it doesn’t ship with BSD LPD or LPRng.
B. CUPS doesn’t ship with an lpc command, but BSD LPD and LPRng do.
C. CUPS’s lpc is much more complex than its counterpart in BSD LPD and LPRng.
D. CUPS’s lpc is much simpler than its counterpart in BSD LPD and LPRng.
E. The lpc utility is identical in all three of these printing systems.

4. What file would you edit to restrict the number of simultaneous logins a user can employ?

A. /etc/pam.d/login-limits
B. /etc/bashrc
C. /etc/security/limits.conf
D. /etc/inittab
E. /etc/passwd

5. Which of the following are required when configuring a computer to use a static IP address? (Select two.)

A. The IP address of the DHCP server
B. The hostname of the NBNS server
C. The computer’s IP address
D. The network mask
E. The IP address of the NTP server

6. What does the following command accomplish?

$ wc report.txt | tee wc

A. It launches the wc editor on both the report.txt and wc.txt files; each file opens in its own window.
B. It displays a count of the windows in which the report.txt file is displayed and shows that information in a new window called wc.
C. It creates a count of newlines, words, and bytes in the report.txt file and then displays a count of these statistics about the report it just generated.
D. It cleans up any memory leaks associated with the tee program’s use of the report.txt file.
E. It displays a count of newlines, words, and bytes in the report.txt file and copies that output to the wc file.

7. Which of the following characters defines the end of an OS or kernel definition in /boot/grub/grub.cfg?

A. ;
B. )
C. }
D. */
E. None of the above; the definition ends with the title line beginning the next entry

8. What does the number 703 represent in the following /etc/passwd entry?

george:x:703:100:George Brown:/home/george:/bin/tcsh

A. The account’s human ID (HID) number
B. The account’s process ID (PID) number
C. The account’s group ID (GID) number
D. The account’s globally unique ID (GUID) number
E. The account’s user ID (UID) number

9. What does the grep command accomplish?

A. It creates a pipeline between two programs.
B. It searches files’ contents for a pattern.
C. It concatenates two or more files.
D. It displays the last several lines of a file.
E. It locates files on the hard disk.

10. Which of the following are journaling filesystems for Linux? (Select three.)

A. HPFS
B. ReiserFS
C. Ext2fs
D. Ext3fs
E. XFS

11. You’ve configured your computer to use SMTP and IMAP via a tunneled SSH connection to your ISP’s email server for improved security. Why might you still want to use GPG encryption for your emails on top of the encryption provided by SSH?

A. The SSH tunnel reaches only as far as the first email server; GPG encrypts data on all the computers all the way to or from your email correspondents.
B. SSH encryption is notoriously poor for email, although it’s perfectly adequate for login sessions; thus, adding GPG encryption improves security.
C. SSH doesn’t encrypt the headers of the email messages; GPG encrypts the headers to keep snoopers from learning your correspondents’ identities.
D. Using GPG guarantees that your email messages won’t contain unwanted viruses or worms that might infect your correspondents’ computers.
E. Configured in this way, SSH will encrypt the email headers and bodies, but not any attachments to your email.

12. Which of the following ports are commonly used to retrieve email from an email server computer? (Select two.)

A. 110
B. 119
C. 139
D. 143
E. 443

13. You’re experiencing sporadic problems with a Secure Shell (SSH) login server—sometimes users can log in, and sometimes they can’t. What might you try immediately after a failure to help diagnose this problem?

A. On the server computer, type http://localhost:631 into a Web browser to access the SSH configuration page and check its error subpage for error messages.
B. Type diagnose sshd to run a diagnostic on the SSH server daemon (sshd).
C. Type tail /var/log/messages to look for error messages from the server.
D. Examine the /dev/ssh device file to look for error messages from the server.
E. On the server computer, type sshd to view SSH’s diagnostic messages.

14. What is the function of the ~/.profile file?

A. It’s the user configuration file for the ProFTP server.
B. It’s one of a user’s bash startup scripts.
C. It’s the user configuration file for the ProFile file manager.
D. Its presence tells tcsh to ignore file modes.
E. It holds the user’s encrypted password.

15. You want your computer to remind you to get your car inspected in two years. What is the best way to do this, of the specified options?

A. Create a program that repeatedly checks the time and, when two years have passed, displays a message to get your car inspected.
B. Type cal day month year, where day, month, and year specify the date of the future inspection, to have Linux run a program that you then specify on that date.
C. Create a cron job that runs hourly. This job should check the date and, when the correct date comes up, use mail to notify you of the need for a car inspection.
D. Use the NTP GUI calendar program to create an alarm for the specified date. The program will then display the message you enter at the specified date and time.
E. Type at date, where date is a date specification. You can then specify a command, such as mail with appropriate options, to notify you of the need to get your car inspected.

16. How would you configure a computer to use the computer whose IP address is 172.24.21.1 as a gateway for all network traffic that’s not otherwise configured?

A. gateway default 172.24.21.1
B. gateway 172.24.21.1
C. route gateway 172.24.21.1
D. route add default gw 172.24.21.1
E. gw 172.24.21.1

17. What software can you use to drive a Braille display device? (Select two.)

A. Emacspeak
B. BRLTTY
C. A 2.6.26 or later kernel
D. GOK
E. A framebuffer driver

18. Which is true of source RPM packages?

A. They consist of three files: an original source tarball, a patch file of changes, and a PGP signature indicating the authenticity of the package.
B. They require programming knowledge to rebuild.
C. They can sometimes be used to work around dependency problems with a binary package.
D. They are necessary to compile software for RPM-based distributions.
E. They always contain software that’s licensed under terms of the GPL.

19. Which utility should you use by itself to rename the file pumpkin.txt to lantern.txt?

A. dd
B. rm
C. cp
D. mv
E. ln

20. You want to run a lengthy scientific simulation program, called simbigbang, which doesn’t require any user interaction; the program operates solely on disk files. If you don’t want to tie up the shell from which you run the program, what should you type to run simbigbang in the background?

A. start simbigbang
B. simbigbang &
C. bg simbigbang
D. background simbigbang
E. nice simbigbang

21. Which of the following commands will install an RPM package file called theprogram-1.2.3-4.i386.rpm on a computer? (Select two.)

A. rpm -Uvh theprogram-1.2.3-4.i386.rpm
B. rpm -i theprogram-1.2.3-4.i386.rpm
C. rpm -U theprogram
D. rpm -e theprogram-1.2.3-4.i386.rpm
E. rpm -Vp theprogram-1.2.3-4.i386.rpm

22. What tool can diagnose and fix many common Linux filesystem problems?

A. mkfs
B. fsck
C. chkdsk
D. scandisk
E. fdisk

23. You’ve just installed MySQL, and you intend to use it to store information about the animals in a zoo, from the anteaters to the zebras. What command are you likely to use first, once you start MySQL?

A. CREATE DATABASE animals;
B. USE animals;
C. CREATE TABLE animals;
D. INSERT INTO animals;
E. UPDATE animals;

24. Which of the following commands displays help on topic, when typed in a Linux shell? (Select two.)

A. manual topic
B. man topic
C. ? topic
D. info topic
E. hint topic

25. A computer’s hardware clock keeps track of the time while the computer is powered off. In what formats may this time be stored on an x86 Linux system? (Select two.)

A. Coordinated Universal Time (UTC)
B. Internet Time
C. Local time
D. 12-hour time
E. Mars time

26. You want to know what kernel modules are currently loaded. What command would you type to learn this information?

A. insmod
B. depmod
C. modprobe
D. lsmod
E. modinfo

27. You want to enable all members of the music group to read the instruments.txt file, which currently has 0640 (-rw-r-----) permissions, ownership by root, and group ownership by root. How might you accomplish this goal? (Select two.)

A. Type chown music instruments.txt in the file’s directory.
B. Type chgrp music instruments.txt in the file’s directory.
C. Type chgroup music instruments.txt in the file’s directory.
D. Type chmod 0600 instruments.txt in the file’s directory.
E. Type chown :music instruments.txt in the file’s directory.

28. You want to create a link to the /usr/local/bin directory in another location. Which of the following statements is true?

A. You can do this only if /usr/local/bin is on a journaling filesystem.
B. You must own /usr/local/bin to create the link.
C. You can create the link only if the link’s location is on the same filesystem as the original directory.
D. Only the system administrator can do this.
E. The link will probably have to be a symbolic link.

29. Which of the following, when typed in Vi’s command mode, saves a file and quits the program? (Select two.)

A. :rq
B. :wq
C. :re
D. :we
E. ZZ

30. A user’s home directory includes a file called ~/.forward that consists of one line: |~/junkme. What is the effect of this configuration?

A. The user’s incoming mail is forwarded to the junkme user on the same system.
B. The user’s incoming mail is stored in the ~/junkme file.
C. The user’s incoming mail is sent through the ~/junkme program file.
D. The user’s incoming mail is flagged as spam and deleted.
E. The user’s incoming mail is forwarded to the same user on the junkme computer.

Answers to the Assessment Test

1. B. “PS/2” can refer to both a hardware interface and a software protocol, but used in the context of the Protocol option, it unambiguously refers to the software protocol. Thus, option B is correct. Option A might be correct, but the specified line is insufficient evidence of that; USB mice generally use the PS/2 protocol or a variant of it, such as the Intellimouse PS/2 protocol. Although the PS/2 hardware port and protocol originated with the IBM PS/2 computer mentioned in option C, many other computers now use them. Mice that use the PS/2 protocol may be used with just about any OS, not just IBM’s OS/2, so option D is incorrect. A slash (/) is valid as part of the PS/2 protocol name, so option E is incorrect. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

2. A, C. Examining a process listing (obtained from ps) for signs of the super server is the most reliable way to determine which one is actually running, so option A is correct. The presence of the super server’s configuration file or files (as in option C) is also a good diagnostic, although some older systems that have been upgraded may have both sets of configuration files. There is no standard superserver utility to report on which one is used, so option B is incorrect. Most distributions launch the super server through a SysV startup script; the /etc/inittab file isn’t directly involved in this process, so examining it would be pointless, and option D is incorrect. Although the output of netstat -ap, when typed as root, will include an indication of any instance of inetd or xinetd that’s listening for connections, option E omits the critical -p option, which causes the program to display process names. Thus, option E is incorrect. For more information, please see Chapter 10, “Securing Your System.”

3. D. The lpc utility is used to start, stop, change the priority of, and otherwise control jobs in a print queue. CUPS ships with an lpc utility, but it’s quite rudimentary compared to the lpc utilities of BSD LPD and LPRng. Instead, CUPS relies on its Web-based interface to provide the ability to control print jobs. Thus, option D is correct, and the remaining options must logically all be incorrect. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

4. C. The /etc/security/limits.conf file defines various limits on user resources, including the number of simultaneous logins individual users are permitted. Thus, option C is correct. The /etc/pam.d/login-limits file (option A) is fictitious, although login limits do rely on the pam_limits module to the Pluggable Authentication System (PAM). The /etc/bashrc file (option B) is a global bash startup script file, but it’s not normally used to impose login limits. The /etc/inittab file (option D) is a key Linux startup file, but it doesn’t have any direct bearing on imposing login limits. The /etc/passwd file (option E) defines many key account features, but login limits are not among these. For more information, please see Chapter 10, “Securing Your System.”

5. C, D. The computer’s IP address (option C) and network mask (aka subnet mask or netmask; option D) are the most critical components in TCP/IP network configuration. (Additional information you may need to provide on many networks includes the IP addresses of one to three DNS servers, the hostname or IP address of a router, and the computer’s hostname.) You shouldn’t need the IP address of a Dynamic Host Configuration Protocol (DHCP) server (option A)—and if a DHCP server is present, chances are you should be using DHCP rather than static IP address assignment. A NetBIOS Name Service (NBNS) server (option B) converts between names and IP addresses on NetBIOS networks. The hostname of such a computer isn’t likely to be a critical configuration element, although you may need to provide this information to Samba for some operations to function correctly when sharing files. A Network Time Protocol (NTP) server (option E) helps you maintain system time on all your computers, but this isn’t required for basic network configuration. For more information, please see Chapter 8, “Configuring Basic Networking.”

6. E. The wc command displays a count of newlines, words, and bytes in the specified file (report.txt). Piping this data through tee causes a copy of the output to be stored in the new file (wc in this example—you shouldn’t run this command in the same directory as the wc executable file!). Thus, option E is correct. Contrary to option A, wc is not an editor, and the remaining syntax wouldn’t cause two files to open in separate windows even if wc were an editor. Contrary to option B, wc doesn’t count windows or open a new window. Option C describes the effect of wc report | wc—that is, it overlooks the tee command. Contrary to option D, wc has nothing to do with cleaning up memory leaks, and tee doesn’t directly use the report.txt file. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

7. C. The grub.cfg filename indicates a GRUB 2 configuration file. In such files, each OS or kernel stanza begins with a menuentry line and an open curly brace ({) and ends with a close curly brace (}). Thus, option C is correct. Some configuration files and programming languages use semicolons (;) at the end of most lines, but this isn’t true of GRUB 2, so option A is incorrect. Although close parentheses ()) are used to terminate some types of options in some configuration files, including disk identifiers in GRUB 2’s configuration file, they aren’t used to terminate whole OS or kernel definitions in this file, so option B is incorrect. The string */ terminates comments in C program files, but isn’t commonly used in GRUB 2 configuration files, so option D is incorrect. Option E would be correct if the question had asked about a GRUB Legacy configuration file (menu.lst or grub.conf), but the question specifies a GRUB 2 configuration file (grub.cfg); the two boot loaders terminate their OS/kernel stanzas differently, so option E is incorrect. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

8. E. The third field of /etc/passwd entries holds the UID number for the account, so option E is correct. Linux doesn’t use any standard identifier called a human ID (HID; option A), although the acronym HID stands for human interface device, a class of USB devices. Accounts don’t have PID numbers (option B); those belong to running processes. The account’s GID number (option C) is stored in the fourth field of /etc/passwd—100 in this example. Linux accounts don’t use globally unique ID (GUID) numbers, so option D is incorrect. For more information, please see Chapter 7, “Administering the System.”

9. B. The grep command scans files to find those that contain a specified string or pattern, as described by option B. In the case of text files, grep displays the matching line or lines; for binary files, it reports that the file matches the pattern. The method of creating a pipeline (option A) involves separating two commands with a vertical bar (|). The grep command can be used in a pipeline, but it doesn’t create one. The command that concatenates files (option C) is cat, and the command that displays the last several lines of a file (option D) is tail. Several commands, such as find, locate, and whereis, locate files (option E), but grep is not among these commands. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

10. B, D, E. ReiserFS (option B) was written from scratch for Linux. The Third Extended Filesystem (ext3fs; option D) is a journaling filesystem based on the older non-journaling Second Extended Filesystem (ext2fs; option C). The Extents Filesystem (XFS; option E) is a journaling filesystem written by SGI for Irix and later ported to Linux. The High-Performance Filesystem (HPFS; option A) is a non-journaling filesystem designed by Microsoft for OS/2. For more information, please see Chapter 3, “Configuring Hardware.”

11. A. Option A correctly describes the features of SSH and GPG in this context. Option B is incorrect because SSH should do a fine job of encrypting your email so that it can’t be decoded between your system and your ISP’s email server. Option C has it backward; email transferred via SSH will be completely encrypted, including both headers and body. GPG doesn’t encrypt headers, just message bodies. Option D is incorrect because GPG isn’t a virus scanner, just an encryption tool. Option E is incorrect because the SSH tunnel will encrypt everything in the SMTP transfer, including email attachments. For more information, please see Chapter 10, “Securing Your System.”

12. A, D. Port 110 (option A) is assigned to the Post Office Protocol (POP), and port 143 (option D) is assigned to the Internet Message Access Protocol (IMAP), both of which may be used to retrieve email messages from an email server system. Port 119 (option B) is assigned to the Network News Transfer Protocol (NNTP), port 139 (option C) is assigned to the Server Message Block/Common Internet File System (SMB/CIFS) protocol, and port 443 (option E) is assigned to the Hypertext Transfer Protocol with SSL encryption (HTTPS), none of which is commonly used for email retrieval. For more information, please see Chapter 8, “Configuring Basic Networking.”

13. C. Log files, such as /var/log/messages and sometimes others in /var/log, often contain useful information concerning server errors. The tail program displays the last few lines of a file, so using it to examine log files immediately after a problem occurs can be a useful diagnostic procedure. Option C correctly combines these features. The http://localhost:631 URL of option A accesses the Common Unix Printing System (CUPS) configuration utility, which has nothing to do with SSH. There is no standard diagnose utility (option B) to help diagnose server problems, and there is no standard /dev/ssh file (option D). The sshd program is the SSH server itself, so option B will simply launch the server. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

14. B. The ~/.profile file is one of several bash startup scripts, as stated in option B. It has nothing to do with the ProFTP server (option A) or the tcsh shell (option D). The ProFile file manager mentioned in option C is fictitious. Users’ encrypted passwords (option E) are usually stored in /etc/shadow. For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”

15. E. The at utility was created to run programs at one specified point in the future. Thus, option E will accomplish the stated goal. Options A and C might also work; but neither is the best way to accomplish this goal. Option A will tie up CPU time, and if the program crashes or the system is shut down during the intervening two years, the message will never display. Option C would be more reliable, but it adds unnecessary complexity to your hourly cron job schedule. The cal program displays a text-mode calendar, enabling you to identify the days of a week for a given month; it doesn’t schedule future jobs, as option B suggests. A GUI calendar program, as specified in option D, might work; but NTP is the Network Time Protocol, a protocol and like-named program for synchronizing clocks across a network. Thus, NTP isn’t the tool for the job, and option D is incorrect. For more information, please see Chapter 7, “Administering the System.”

16. D. Option D provides the correct command to add 172.24.21.1 as the default gateway. Options A and B both use the fictitious gateway command, which doesn’t exist and therefore won’t work unless you create a script of this name. Option C uses the correct route command, but there is no gateway option to route; you must use add default gw, as in option D. There is no standard gw command, so option E is incorrect. For more information, please see Chapter 8, “Configuring Basic Networking.”

17. B, C. The BRLTTY package is an add-on daemon for handling a Braille display device, and some features for using these devices have been added to the 2.6.26 kernel, so options B and C are correct. Emacspeak (option A) is speech-synthesis software; it can be used to “speak” a text display to a user, but it doesn’t interface with Braille displays. GOK (option D) is an on-screen keyboard, not a Braille display tool. Framebuffer drivers (option E) are kernel drivers for managing conventional video cards; they aren’t used to drive Braille displays. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

18. C. Some dependencies result from dynamically linking binaries to libraries at compile time and so can be overcome by recompiling the software from a source RPM, so option C is correct. Option A describes Debian source packages, not RPM packages. Recompiling a source RPM requires only issuing an appropriate command, although you must also have appropriate compilers and libraries installed. Thus, option B is overly pessimistic. Source tarballs can also be used to compile software for RPM systems, although this results in none of RPM’s advantages. Thus, option D is overly restrictive. The RPM format doesn’t impose any licensing requirements, contrary to option E. For more information, please see Chapter 2, “Managing Software.”

19. D. The mv utility can be used to rename files as well as move them from one location to another, so option D is correct. The dd utility (option A) is used to copy files to backups, rm (option B) is used to remove (delete) files, cp (option C) copies files, and ln (option E) creates links. For more information, please see Chapter 4, “Managing Files.”

20. B. Appending an ampersand (&) to a command causes that command to execute in the background. The program so launched still consumes CPU time, but it won’t monopolize the shell you used to launch it. Thus, option B is correct. The start (option A) and background (option D) commands are fictitious. Although bg (option C) does place a job into the background, it doesn’t launch a program that way; it places a process that’s been suspended (by pressing Ctrl+Z) into the background. The nice utility (option E) launches a program with modified priority, but a program so launched still monopolizes its shell unless you take additional steps. For more information, please see Chapter 2, “Managing Software.”

21. A, B. The -Uvh parameter (option A) issues an upgrade command (which installs the program whether or not an earlier version is installed) and creates a series of hash marks to display the command’s progress. The -i parameter (option B) installs the program if it’s not already installed but causes no progress display. Option C uses a package name, not a complete filename, and so it will fail to install the package file. The -e option (option D) removes a package. Option E’s -Vp option verifies the package file but doesn’t install it. For more information, please see Chapter 2, “Managing Software.”

22. B. Option B, fsck, is Linux’s filesystem check utility. It’s similar in purpose to the DOS and Windows CHKDSK and ScanDisk utilities (similar to options C and D), but these DOS and Windows utilities don’t work on Linux filesystems like ext2fs or ReiserFS. Option A, mkfs, creates new filesystems; it doesn’t diagnose or fix filesystem problems. Option E, fdisk, is a tool for creating or modifying disk partitions; it doesn’t manage the filesystems they contain. For more information, please see Chapter 3, “Configuring Hardware.”

23. A. A freshly installed MySQL database is unlikely to have a ready-made database of animals, so your first task is to create that database with the CREATE DATABASE command, as shown in option A. (You could call the database something other than animals, of course.) The USE command in option B will be useful only once the database has been created. Once the database is created, you can use CREATE TABLE, as in option C, to create a table; however, you’ll need an existing database first, and this command also requires information about the type of data to be stored, which option C doesn’t provide. Option D’s INSERT INTO command stores data into a table once it’s been created, so it’s far from the first command you’ll use. It also requires additional specification of the data to be stored, so it’s incomplete. Option E’s UPDATE command modifies existing entries, so you’ll use this command only after you’ve created the database and added at least one animal to it. (Option E is also an incomplete command even then.) For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”

24. B, D. The correct answers, man and info (options B and D), are two common Linux help packages. Although ? (option C) is a common help command within certain interactive programs, it isn’t a help command in bash or other common Linux shells. There is no common command called manual (option A) nor is hint (option E) a valid bash command or common program name. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

25. A, C. Unix systems traditionally store time in UTC (aka Greenwich Mean Time), and Linux may do so as well. Thus, option A is correct. Most other x86 PC OSs traditionally store time as the local time, however, so Linux also supports this option, and option C is also correct. Internet Time (option B) is an alternative to the 24-hour clock in which the day is broken into 1,000 “beats.” Standard PC BIOSs don’t support this time format. Likewise, a 12-hour clock isn’t terribly useful to computers because it doesn’t differentiate a.m. from p.m., making option D incorrect. Although the length of the Martian day is similar to that of Earth (24 hours and 37 minutes), those wanting to colonize Mars will have to wait for PC clocks to support setting time for the Red Planet; option E is incorrect. For more information, please see Chapter 7, “Administering the System.”

26. D. Typing lsmod (option D) produces a list of the modules that are currently loaded. The insmod (option A) and modprobe (option C) programs both load modules—either a single module or a single module and all those on which it depends, respectively. The depmod command (option B) generates the modules.dep file that contains module dependency information. The modinfo command (option E) displays information, such as its version number and author, on a single module. For more information, please see Chapter 3, “Configuring Hardware.”

27. B, E. The chgrp and chown commands can both change the group ownership of a file. The chgrp command takes a group name and a filename as parameters, as in option B. The chown command normally changes a file’s owner; but if you provide a group name preceded by a dot (.) or a colon (:), as in option E, it changes the group of a file. The chown command shown in option A will change the primary ownership of the file to the music user, if such a user exists on the system; it won’t change the group ownership. There is no standard chgroup command, as in option C. Option D will change the permissions to 0600 (-rw-------), which will be a step backward with respect to the goal state. For more information, please see Chapter 4, “Managing Files.”

28. E. Hard links to directories are not permitted by most filesystems, so you’ll probably have to create a symbolic link, as noted in option E. Links don’t rely on a filesystem journal, so option A is incorrect. Contrary to option B, anybody may create a link, not just the original’s owner. Option C describes a restriction of hard links; but because this link will probably have to be a symbolic link, this restriction is unimportant and option C is incorrect. Option D describes a more severe restriction than option B, but it’s incorrect for the same reasons. For more information, please see Chapter 4, “Managing Files.”

29. B, E. The colon (:) starts ex mode, from which you can enter commands. In ex mode, r includes a file in an existing one, w writes a file, e loads an entirely new file, and q quits the program. Thus, the desired combination is :wq (option B). As a special case, ZZ does the same thing, so option E is also correct. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

30. C. The ~/.forward file is a user email forwarding file. The vertical bar character (|) at the start of such a file is a code to send the email through the specified program file, so option C is correct. To do as option A describes, the file would need to read junkme or junkme@hostname, where hostname is the computer’s hostname. To do as option B describes, the leading vertical bar would have to be omitted. It’s conceivable that the ~/junkme script does as option D describes, but there’s no way of knowing this for certain. To do as option E describes, the file would have to read user@junkme, where user is the username. For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”
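The ~/.forward rules walked through in answer 30, written as a check an administrator could run over users' forwarding files to see which ones hand mail to a program. This is an added example, not from the book; the function names, the optional local-hostname argument, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ~/.forward entries the way answer 30 describes them.
# Function names and the sample data are hypothetical, not from the book.

# classify_forward_entry ENTRY [LOCAL_HOSTNAME]
# Prints one of:
#   program     leading "|": mail is sent through the named program
#   file        a path with no leading bar: mail is stored in that file
#   local-user  bare name, or name@LOCAL_HOSTNAME: a user on this system
#   remote      name@otherhost: mail is forwarded to another computer
classify_forward_entry() {
    entry=$1
    local_host=${2:-}
    # Entries are often written inside double quotes; strip one pair.
    case $entry in
        \"*\") entry=${entry#\"}; entry=${entry%\"} ;;
    esac
    case $entry in
        '')       echo empty ;;
        \|*)      echo program ;;
        /*|\~/*)  echo file ;;
        *@*)
            if [ -n "$local_host" ] && [ "${entry##*@}" = "$local_host" ]; then
                echo local-user
            else
                echo remote
            fi ;;
        *)        echo local-user ;;
    esac
}

# audit_forward_file FILE [LOCAL_HOSTNAME]
# Prints "type<TAB>entry" for every non-blank line of FILE.
audit_forward_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace; skip blank lines.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(classify_forward_entry "$line" "${2:-}")" "$line"
    done < "$1"
}

# count_program_entries FILE
# Number of entries that pipe mail to a program. These are the ones to review,
# because the program receives every incoming message as its input.
count_program_entries() {
    audit_forward_file "$1" |
        awk -F '\t' '$1 == "program" { n++ } END { print n + 0 }'
}

# Write a constructed sample .forward (not a real user's file) to the given path.
make_sample_forward() {
    cat > "$1" <<'EOF'
|~/junkme
junkme
junkme@hostname
user@junkme

~/junkme
"|/usr/local/bin/mailfilter"
EOF
}

# Demonstration on the constructed sample; "hostname" stands for the local host.
sample=$(mktemp)
make_sample_forward "$sample"
audit_forward_file "$sample" hostname
echo "program entries: $(count_program_entries "$sample")"
rm -f "$sample"
```
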

Part I

Exam 1

Chapter 1

Exploring Linux Command-Line Tools

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.103.1 Work on the command line
1.103.2 Process text streams using filters
1.103.4 Use streams, pipes, and redirects
1.103.7 Search text files using regular expressions

Linux borrows heavily from Unix, and Unix began as a text-based operating system (OS). Unix and Linux retain much of this heritage, which means that to understand how to use and, especially, administer Linux, you must understand at least the basics of its command-line tools. Thus, this book begins with an introduction to Linux shells (the programs that accept and interpret text-mode commands) and many of the basic commands and procedures you can use from a shell.

This chapter begins with basic shell information, including shell options and procedures for using them. From there, this chapter covers streams, pipes, and redirection, which you can use to shunt input and output between programs or between files and programs. These techniques are frequently combined with text processing using filters—commands you can use to manipulate text without the help of a conventional text editor. Sometimes you must manipulate text in an abstract way, using codes to represent several different types of text. This chapter therefore covers this topic.

Understanding Command-Line Basics

Before you do anything else with Linux, you should understand how to use a Linux shell. Several shells are available, but most provide similar capabilities. Understanding a few basics will take you a long way in your use of Linux, so I describe some of these techniques and commands. You should also understand shell environment variables, which are placeholders for data that may be useful to many programs. Finally, on the topic of command-line basics, you should know how to get help with commands you’re trying to use.

Exploring Your Linux Shell Options

As with many key software components, Linux provides a range of options for shells. A complete list would be quite long, but the more common choices include the following:

bash: The GNU Bourne Again Shell (bash) is based on the earlier Bourne shell for Unix but extends it in several ways. In Linux, bash is the most common default shell for user accounts, and it’s the one emphasized in this book and on the exam.

bsh: The Bourne shell upon which bash is based also goes by the name bsh. It’s not often used in Linux, although the bsh command is sometimes a symbolic link to bash.

tcsh: This shell is based on the earlier C shell (csh). It’s a fairly popular shell in some circles, but no major Linux distributions make it the default shell. Although it’s similar to bash in many respects, some operational details differ. For instance, you don’t assign environment variables in the same way in tcsh as in bash.

csh: The original C shell isn’t much used on Linux, but if a user is familiar with csh, tcsh makes a good substitute.

ksh: The Korn Shell (ksh) was designed to take the best features of the Bourne shell and the C shell and extend them. It has a small but dedicated following among Linux users.

zsh: The Z shell (zsh) takes shell evolution further than the Korn Shell, incorporating features from earlier shells and adding still more.

In addition to these shells, dozens more obscure ones are available. In Linux, most users run bash because it’s the default. Some other OSs use csh or tcsh as the default, so if your users have backgrounds on non-Linux Unix-like OSs, they may be more familiar with these other shells. You can change a user’s default shell by editing the account, as described in Chapter 7, “Administering the System.”

The file /bin/sh is a symbolic link to the system’s default shell—normally /bin/bash for Linux. This practice enables you to point to a shell (say, at the start of a simple shell script, as described in Chapter 9, “Writing Scripts, Configuring E-mail, and Using Databases”) and be assured that a shell will be called, even if the system’s available shells change. This feature is particularly important when developing shell scripts that might be run on other computers, as described in Chapter 9.

Using a Shell

Linux shell use is fairly straightforward for anybody who’s used a text-mode OS before: You type a command, possibly including options to it, and the computer executes the command. For the most part, Linux commands are external—that is, they’re separate programs from the shell. A few commands are internal to the shell, though, and knowing the distinction can be important. You should also know some of the tricks that can make using the command shell easier—how to have the computer complete a long command or filename, retrieve a command you’ve recently run, or edit a command you’ve recently used (or haven’t yet fully entered).

One class of commands—those for handling basic file management—is very important but isn’t described here in great detail. For more information on these commands, consult Chapter 4, “Managing Files.”

Starting a Shell

If you log into Linux using a text-mode login screen, chances are you’ll be dropped directly into your default shell—the shell is what presents the prompt and accepts subsequent commands.

If you log into Linux using a graphical user interface (GUI) login screen, though, you’ll have to start a shell manually. Some GUIs provide a menu option to start a program called a terminal, xterm, Konsole, or something similar. These programs enable you to run text-mode programs within Linux, and by default they come up running your shell. If you can’t find such a menu option, look for one that enables you to run an arbitrary command. Select it, and type xterm or konsole as the command name; this will launch an xterm-type program that will run a shell.

Using Internal and External Commands

Internal commands are, as you might expect, built into the shell. Most shells offer a similar set of internal commands, but shell-to-shell differences do exist; consult your shell’s man page (as described later, in “Getting Help”) for details, particularly if you’re using an exotic shell. Internal commands you’re likely to use enable you to perform some common tasks:

Change the Working Directory: Whenever you’re running a shell, you’re working in a specific directory. When you refer to a file without providing a complete path to the file, the shell works on the file in the current working directory. (Similar rules apply to many programs.) The cd command changes the current working directory. For instance, typing cd /home/sally changes to the /home/sally directory. The tilde (~) character is a useful shortcut; it stands for your home directory, so typing cd ~ will have the same effect as cd /home/sally if your home directory is /home/sally.

Display the Working Directory: The pwd command displays (“prints” to the screen) the current working directory.

Display a Line of Text: The echo command displays the text you enter; for instance, typing echo Hello causes the system to display the string Hello. This may seem pointless, but it’s useful in scripts (described in Chapter 9), and it can also be a good way to review the contents of environment variables (described later in this chapter, in “Using Environment Variables”).

Execute a Program: The exec command runs an external program that you specify, as in exec myprog to run myprog. In most cases, this is better accomplished by typing the name of the program you want to run. The exec command has one special feature, though: Rather than create a new process that runs alongside the shell, the new process replaces the shell. When the new process terminates, it’s as if you terminated the shell.

Time an Operation: The time command times how long subsequent commands take to execute. For instance, typing time pwd tells you how long the system took to execute the pwd command. The time is displayed after the full command terminates. Three times are displayed: total execution time (aka real time), user CPU time, and system CPU time. The final two values tell you about CPU time consumed, which is likely to be much less than the total execution time.

Set Options: In its most basic form, set displays a wide variety of options relating to bash operation. These options are formatted much like environment variables, but they aren’t the same things. You can pass various options to set to have it affect a wide range of shell operations.

Terminate the Shell: The exit and logout commands both terminate the shell. The exit command terminates any shell, but the logout command terminates only login shells—that is, those that are launched automatically when you initiate a text-mode login as opposed to those that run in xterm windows or the like.

This list isn’t complete. Later sections of this chapter and later chapters describe some additional internal commands. Consult your shell’s documentation for a complete list of its internal commands.

Some of these internal commands are duplicated by external commands that do the same thing, but those external commands aren’t always installed on all systems. Even when those external commands are installed, the internal command takes precedence unless you provide the complete path to the external command on the command line, as in typing /bin/pwd rather than pwd.

Confusion over Internal and External Commands

When duplicate internal and external commands exist, they sometimes produce subtly different results or accept different options. These differences can occasionally cause problems. For instance, consider the pwd command and symbolic links to directories. (Symbolic links are described in more detail in Chapter 4. For now, know that they’re files that point to other files or directories and for most intents and purposes can be accessed just like the files or directories to which they point.) Suppose you create a symbolic link to /bin within your home directory and then cd into that directory. You then want to know where you are. The pwd command that’s internal to bash will produce a different result from the external pwd command:

$ pwd
/home/sally/binlink
$ /bin/pwd
/usr/bin

As you can see, bash’s internal pwd shows the path via the symbolic link, whereas the external command shows the path to which the link points. Sometimes these differences can cause confusion, such as if you read the man page or other documentation that describes one version but you use the other and a difference is important. You may wonder why the command isn’t operating as you expect. If in doubt, look up the documentation for, and type the complete path to, the external command to be sure you use it.

When you type a command that’s not recognized by the shell as one of its internal commands, the shell checks its path to find a program by that name to execute it. The path is a list of directories in which commands can be found. It’s defined by the PATH environment variable, as described shortly in “Using Environment Variables.” A typical user account has about half a dozen or a dozen directories in its path. You can adjust the path by changing the PATH environment variable in a shell configuration file, as described in “Exploring Shell Configuration.”

You can run programs that aren’t on the path by providing a complete path on the command line. For instance, typing ./myprog runs the myprog program in the current directory, and typing /home/arthur/thisprog runs the thisprog program in the /home/arthur directory.

The root account should normally have a shorter path than ordinary user accounts. Typically, you’ll omit directories that store GUI and other user-oriented programs from root’s path in order to discourage use of the root account for routine operations, thus minimizing the risk of security breaches related to buggy or compromised binaries being run by root. Most important, root’s path should never include the current directory (./). Placing this directory in root’s path makes it possible for a local miscreant to trick root into running replacements for common programs, such as ls, by having root change into a directory with such a program. Indeed, omitting the current directory from ordinary user paths is also generally a good idea. If this directory must be part of the ordinary user path, it should appear at the end of the path so that the standard programs take precedence over any replacement programs in the current directory.
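The path rules in this note can be checked mechanically. The following is an added example, not code from the book: a POSIX shell function that walks a PATH string and reports entries that resolve to the current directory (including empty entries from a leading, trailing, or doubled colon, which the shell also searches as the current directory). The function name audit_path is hypothetical, and the check for directories writable by every user goes one step beyond the text.

```shell
#!/bin/sh
# Added example (not from the book). audit_path is a hypothetical helper name.
# audit_path PATH_STRING
# Prints one line per risky entry; prints nothing when the path is clean.
audit_path() (
    rest="$1:"      # trailing colon lets the loop see a final empty entry
    position=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first colon
        rest=${rest#*:}         # everything after that colon
        position=$((position + 1))
        # The text allows "." in an ordinary user's path only as the last entry.
        if [ -n "$rest" ]; then
            order="searched before later entries"
        else
            order="last entry"
        fi
        case "$entry" in
            '')
                echo "entry $position: empty entry means the current directory ($order)" ;;
            . | ./)
                echo "entry $position: $entry is the current directory ($order)" ;;
            /*)
                # Absolute entry: flag it when any user may create files there.
                if [ -n "$(find -L "$entry" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]; then
                    echo "entry $position: $entry is writable by every user"
                fi ;;
            *)
                echo "entry $position: $entry is relative to the current directory" ;;
        esac
    done
)

# Audit the path of the shell that runs this script.
audit_path "$PATH"
```

For root, any line of output is a finding; for an ordinary account, only a current-directory entry marked "last entry" matches the fallback the note allows.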

In the case of both programs on the path and those whose complete paths you type as part of the command, the program file must be marked as executable. This is done via the execute bit that’s stored with the file. Standard programs are marked as executable when they’re installed, but if you need to adjust a program’s executable status, you can do so with the chmod command, as described in Chapter 4.

Performing Some Shell Command Tricks

Many users find typing commands to be tedious and error-prone. This is particularly true of slow or sloppy typists. For this reason, Linux shells include various tools that can help speed up operations. The first of these is command completion: Type part of a command or (as an option to a command) a filename, and then press the Tab key. The shell tries to fill in the rest of the command or the filename. If just one command or filename matches the characters you’ve typed so far, the shell fills it in and adds a space after it. If the characters you’ve typed don’t uniquely identify a command or filename, the shell fills in what it can and then stops. Depending on the shell and its configuration, it may beep. If you press the Tab key again, the system responds by displaying the possible completions. You can then type another character or two and, if you haven’t completed the command or filename, press the Tab key again to have the process repeat.

The most fundamental Linux commands have fairly short names—mv, ls, set, and so on. Some other commands are much longer, though, such as traceroute or sane-find-scanner. Filenames can also be quite lengthy—up to 255 characters on many filesystems. Thus, command completion can save a lot of time when you’re typing. It can also help you avoid typos.

The most popular Linux shells, including bash and tcsh, support command and filename completion. Some older shells, though, don’t support this helpful feature.

Another useful shell shortcut is the history. The history keeps a record of every command you type. If you’ve typed a long command recently and want to use it again or use a minor variant of it, you can pull the command out of the history. The simplest way to do this is to press the Up arrow key on your keyboard; this brings up the previous command. Pressing the Up arrow key repeatedly moves through multiple commands so you can find the one you want. If you overshoot, press the Down arrow key to move down the history. The Ctrl+P and Ctrl+N keystrokes double for the Up and Down arrow keys, respectively.

Another way to use the command history is to search through it. Press Ctrl+R to begin a backward (reverse) search, which is what you probably want, and begin typing characters that should be unique to the command you want to find. The characters you type need not be the ones that begin the command; they can exist anywhere in the command. You can either keep typing until you find the correct command or, after you’ve typed a few characters, press Ctrl+R repeatedly until you find the one you want. The Ctrl+S keystroke works similarly but searches forward in the command history, which might be handy if you’ve used a backward search or the Up arrow key to look back and have overshot. In either event, if you can’t find the command you want or if you change your mind and want to terminate the search, press Ctrl+G to do so.

Frequently, after finding a command in the history, you want to edit it. The bash shell, like many shells, provides editing features modeled after those of the Emacs editor:

Move Within the Line: Press Ctrl+A or Ctrl+E to move the cursor to the start or end of the line, respectively. The Left and Right arrow keys move within the line a character at a time. Ctrl+B and Ctrl+F do the same, moving backward and forward within a line. Pressing Ctrl plus the Left or Right arrow key moves backward or forward a word at a time, as does pressing Esc and then B or F.

Delete Text: Pressing Ctrl+D or the Delete key deletes the character under the cursor, whereas pressing the Backspace key deletes the character to the left of the cursor. Pressing Ctrl+K deletes all text from the cursor to the end of the line. Pressing Ctrl+X and then Backspace deletes all the text from the cursor to the beginning of the line.

Transpose Text: Pressing Ctrl+T transposes the character before the cursor with the character under the cursor. Pressing Esc and then T transposes the two words immediately before (or under) the cursor.

Change Case: Pressing Esc and then U converts text from the cursor to the end of the word to uppercase. Pressing Esc and then L converts text from the cursor to the end of the word to lowercase. Pressing Esc and then C converts the letter under the cursor (or the first letter of the next word) to uppercase, leaving the rest of the word unaffected.

Invoke an Editor: You can launch a full-fledged editor to edit a command by pressing Ctrl+X followed by Ctrl+E. The bash shell attempts to launch the editor defined by the $FCEDIT or $EDITOR environment variable or Emacs as a last resort.

These editing commands are just the most useful ones supported by bash; consult its man page to learn about many more obscure editing features. In practice, you’re likely to make heavy use of command and filename completion, the command history, and perhaps a few editing features.

If you prefer the Vi editor to Emacs, you can use a Vi-like mode in bash by typing set -o vi. (Vi is described in Chapter 5, “Booting Linux and Editing Files.”)

The history command provides an interface to view and manage the history. Typing history alone displays all the commands in the history (typically the latest 500 commands); adding a number causes only that number of the latest commands to appear. You can execute a command by number by typing an exclamation mark followed by its number, as in !210 to execute command 210. Typing history -c clears the history, which can be handy if you’ve recently typed commands you’d rather not have discovered by others, such as commands that include passwords.

The bash history is stored in the .bash_history file in your home directory. This is an ordinary plain-text file, so you can view it with a text editor or a command such as less (described later, in “Paging Through Files with less”).

Because your bash history is stored in a file, it can be examined by anybody who can read that file. Some commands enable you to type passwords or other sensitive data on the same line as the commands themselves, which can therefore be risky. The ~/.bash_history file does not record what you type in response to other programs’ prompts, just what you type at the bash prompt itself. Thus, if you have a choice, you should let commands that require passwords or other sensitive data prompt you themselves to enter this data, rather than enter such information as options to the command at the bash prompt.
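One way to audit an existing history file for the risk described above, as an added example that is not from the book: the function below reports the line numbers where a secret was passed as a command-line argument, without printing the value. The function names, the pattern list (which is not exhaustive), the backup command, and the sample history are constructed for illustration; mysql -p, curl -u, and --password are real options.

```shell
#!/bin/sh
# Added example (not from the book); names and sample data are constructed.

# scan_history [FILE]
# Reads a history file (or standard input) and prints "line N: reason" for
# commands that carry a secret as an argument. Values are never printed.
scan_history() {
    awk '
        /--password[= ][^ \t]/ {
            print "line " NR ": --password value given as an option"; next }
        /mysql[^|;]*[ \t]-p[^ \t]/ {
            print "line " NR ": mysql -p with the password attached"; next }
        /curl[^|;]*[ \t](-u|--user)[ \t]+[^ \t:]+:[^ \t]/ {
            print "line " NR ": curl user:password pair"; next }
        /(PASSWORD|PASSWD|SECRET|TOKEN)[A-Z_]*=[^ \t]/ {
            print "line " NR ": secret assigned on the command line"; next }
    ' "$@"
}

# Constructed history: lines 3 and 5 let the program prompt for the password,
# as the text recommends, and must not be reported.
sample_history() {
    cat <<'EOF'
cd /var/www
mysql -u app -pS3cretValue shop
mysql -u app -p shop
curl -u deploy:hunter2 https://intranet.example/api
curl -u deploy https://intranet.example/api
export API_TOKEN=abc123
backup --password=correcthorse /srv
ls -l
EOF
}

sample_history | scan_history
```

To audit a real account, run scan_history ~/.bash_history.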

In Exercise 1.1, you’ll experiment with your shell’s completion and command-editing tools.

EXERCISE 1.1

Editing Commands

To experiment with your shell’s completion and command-editing tools, follow these steps:

1. Log in as an ordinary user.
2. Create a temporary directory by typing mkdir test. (Directory and file manipulation commands are described in more detail in Chapter 4.)
3. Change into the test directory by typing cd test.
4. Create a few temporary files by typing touch one two three. This command creates three empty files named one, two, and three.
5. Type ls -l t, and without pressing the Enter key, press the Tab key. The system may beep at you or display two three. If it doesn’t display two three, press the Tab key again, and it should do so. This reveals that either two or three is a valid completion to your command, because these are the two files in the test directory whose filenames begin with the letter t.
6. Type h, and again without pressing the Enter key, press the Tab key. The system should complete the command (ls -l three), at which point you can press the Enter key to execute it. (You’ll see information on the file.)
7. Press the Up arrow key. You should see the ls -l three command appear on the command line.
8. Press Ctrl+A to move the cursor to the beginning of the line.
9. Press the Right arrow key once, and type es (without pressing the Enter key). The command line should now read less -l three.
10. Press the Right arrow key once, and press the Delete key three times. The command should now read less three. Press the Enter key to execute the command. (Note that you can do so even though the cursor isn’t at the end of the line.) This invokes the less pager on the three file. (The less pager is described more fully later, in “Paging Through Files with less.”) Because this file is empty, you’ll see a mostly empty screen.
11. Press the Q key to exit from the less pager.

Exploring Shell Configuration

Shells, like many Linux programs, are configured through files that hold configuration options in a plain-text format. The bash configuration files are actually bash shell scripts, which are described more fully in Chapter 9. For now, you should know that the ~/.bashrc and ~/.profile files are the main user configuration files for bash, and /etc/bash.bashrc and /etc/profile are the main global configuration files.

Even without knowing much about shell scripting, you can make simple changes to these files. Edit them in your favorite text editor, and change whatever needs changing. For instance, you can add directories to the $PATH environment variable, which takes a colon-delimited list of directories.

Be careful when changing your bash configuration, particularly the global bash configuration files. Save a backup of the original file before making changes, and test your changes immediately by logging in using another virtual terminal. If you spot a problem, revert to your saved copy until you can learn the cause and create a working file.

Using Environment Variables

Environment variables are like variables in programming languages—they hold data to be referred to by the variable name. Environment variables differ from programs’ internal variables in that they’re part of the environment of a program, and other programs, such as the shell, can modify this environment. Programs can rely on environment variables to set information that can apply to many different programs. For instance, many text-based programs need to know the capabilities of the terminal program you use. This information is conveyed in the $TERM environment variable, which is likely to hold a value such as xterm or linux. Programs that need to position the cursor, display color text, or perform other tasks that depend on terminal-specific capabilities can customize their output based on this information.

Chapter 9 describes environment variables and their manipulation in more detail. For the moment, you should know that you can set them in bash by using an assignment (=) operator followed by the export command:

$ NNTPSERVER=news.abigisp.com
$ export NNTPSERVER

You can combine these two commands into a single form:

$ export NNTPSERVER=news.abigisp.com

Either method sets the $NNTPSERVER environment variable to news.abigisp.com. (When setting an environment variable, you omit the dollar sign, but subsequent references include a dollar sign to identify the environment variable as such.) Thereafter, programs that need this information can refer to the environment variable. In fact, you can do so from the shell yourself, using the echo command:

$ echo $NNTPSERVER
news.abigisp.com

Some environment variables, including the $TERM environment variable, are set automatically when you log in. If a program uses environment variables, its documentation should say so. The $NNTPSERVER variable is used by some Usenet news clients, which enable participation in a type of online discussion group that predates Web forums.

You can also view the entire environment by typing env. The result is likely to be several dozen lines of environment variables and their values. Chapter 9 describes what many of these variables are in more detail.

To delete an environment variable, use the unset command, which takes the name of an environment variable (without the leading $ symbol) as an option. For instance, unset NNTPSERVER removes the $NNTPSERVER environment variable.

Getting Help

Linux provides a text-based help system known as man. This command’s name is short for manual, and its entries (its man pages) provide succinct summaries of what a command, file, or other feature does. For instance, to learn about man itself, you can type man man. The result is a description of the man command.

The man utility uses the less pager to display information. This program displays text a page at a time. Press the spacebar to move forward a page, Esc followed by V to move back a page, the arrow keys to move up or down a line at a time, the slash (/) key to search for text, and so on. (Type man less to learn all the details, or consult the upcoming section “Paging Through Files with less.”) When you’re done, press Q to exit less and the man page it’s displaying.

Linux man pages are organized into several sections, which are summarized in Table 1.1. Sometimes a single keyword has entries in multiple sections; for instance, passwd has entries under both section 1 and section 5. In most cases, man returns the entry in the lowest-numbered section, but you can force the issue by preceding the keyword by the section number. For instance, typing man 5 passwd returns information on the passwd file format rather than the passwd command.

TABLE 1.1 Manual sections

Section number   Description
1                Executable programs and shell commands
2                System calls provided by the kernel
3                Library calls provided by program libraries
4                Device files (usually stored in /dev)
5                File formats
6                Games
7                Miscellaneous (macro packages, conventions, and so on)
8                System administration commands (programs run mostly or exclusively by root)
9                Kernel routines

Some programs have moved away from man pages to info pages. The basic purpose of info pages is the same as that for man pages, but info pages use a hypertext format so that you can move from section to section of the documentation for a program. Type info info to learn more about this system.

Both man pages and info pages are usually written in a terse style. They’re intended as reference tools, not tutorials; they frequently assume basic familiarity with the command, or at least with Linux generally. For more tutorial information, you must look elsewhere, such as this book or the Web. The Linux Documentation Project (http://tldp.org) is a particularly relevant Web-based resource for learning about various Linux topics.

Using Streams, Redirection, and Pipes

Streams, redirection, and pipes are some of the more powerful command-line tools in Linux. Linux treats the input to and output from programs as a stream, which is a data entity that can be manipulated. Ordinarily, input comes from the keyboard and output goes to the screen (which in this context can mean a full-screen text-mode login session, an xterm or a similar window, or the screen of a remote computer via a remote login session). You can redirect these input and output streams to come from or go to other sources, though, such as files. Similarly, you can pipe the output of one program into another program. These facilities can be great tools to tie together multiple programs.

Part of the Unix philosophy to which Linux adheres is, whenever possible, to do complex things by combining multiple simple tools. Redirection and pipes help in this task by enabling simple programs to be combined together in chains, each link feeding off the output of the preceding link.

Exploring Types of Streams

To begin understanding redirection and pipes, you must first understand the different types of input and output streams. Three are most important for this topic:

Standard Input: Programs accept keyboard input via standard input, or stdin. In most cases, this is the data that comes into the computer from a keyboard.

Standard Output: Text-mode programs send most data to their users via standard output (aka stdout), which is normally displayed on the screen, either in a full-screen text-mode session or in a GUI window such as an xterm. (Fully GUI programs such as GUI word processors don’t use standard output for their regular interactions, although they might use standard output to display messages in the xterm from which they were launched. GUI output isn’t handled via an output stream in the sense I’m describing here.)

Standard Error: Linux provides a second type of output stream, known as standard error, or stderr. This output stream is intended to carry high-priority information such as error messages. Ordinarily, standard error is sent to the same output device as standard output, so you can’t easily tell them apart. You can redirect one independently of the other, though, which can be handy. For instance, you can redirect standard error to a file while leaving standard output going to the screen so that you can interact with the program and then study the error messages later.

Internally, programs treat these streams just like data files—they open them, read from or write to the files, and close them when they’re done. Put another way, ordinary files are streams from a program’s point of view. The standard input, output, and error streams just happen to be the ones used to interact with users.

Redirecting Input and Output

To redirect input or output, you use symbols following the command, including any options it takes. For instance, to redirect the output of the echo command, you would type something like this:

$ echo $NNTPSERVER > nntpserver.txt

The result is that the file nntpserver.txt contains the output of the command (in this case, the value of the $NNTPSERVER environment variable). Redirection operators exist to achieve several effects, as summarized in Table 1.2.

TABLE 1.2 Common redirection operators

Redirection operator   Effect
>                      Creates a new file containing standard output. If the specified file exists, it’s overwritten.
>>                     Appends standard output to the existing file. If the specified file doesn’t exist, it’s created.
2>                     Creates a new file containing standard error. If the specified file exists, it’s overwritten.
2>>                    Appends standard error to the existing file. If the specified file doesn’t exist, it’s created.
&>                     Creates a new file containing both standard output and standard error. If the specified file exists, it’s overwritten.
<                      Sends the contents of the specified file to be used as standard input.
<<                     Accepts text on the following lines as standard input.
<>                     Causes the specified file to be used for both standard input and standard output.

Most of these redirectors deal with output, both because there are two types of output (standard output and standard error) and because you must be concerned with what to do in case you specify a file that already exists. The most important input redirector is <, which takes the specified file’s contents as standard input.

A common trick is to redirect standard output or standard error to /dev/null. This file is a device that’s connected to nothing; it’s used when you want to get rid of data. For instance, if the whine program is generating too many error messages, you can type whine 2> /dev/null to run it and discard its error messages.

One redirection operator that requires elaboration is <<. This operator implements a here document, which takes text from the following lines as standard input. Chances are you won’t use this redirector on the command line, though; the following lines are standard input, so there’s no need to redirect them. Rather, you might use this command as part of a script in order to pass data to an interactive program. Unlike most redirection operators, the text immediately following the << code isn’t a filename; instead, it’s a word that’s used to mark the end of input. For instance, typing someprog << EOF causes someprog to accept input until it sees a line that contains only the string EOF (without even a space following it).

Some programs that take input from the command line expect you to terminate input by pressing Ctrl+D. This keystroke corresponds to an end-of-file marker using the American Standard Code for Information Interchange (ASCII).

A final redirection tool is the tee command. This command splits standard input so that it’s displayed on standard output and on as many files as you specify. Typically, tee is used in conjunction with data pipes so that a program’s output can be both stored and viewed immediately. For instance, to view and store the output of someprog, you might type this:

$ someprog | tee output.txt

The vertical bar (|) is the pipe character. It implements a pipe, as described in the next section.

Ordinarily, tee overwrites any files whose names you specify. If you want to append data to these files, pass the -a option to tee.

Piping Data Between Programs

Programs can frequently operate on other programs’ outputs. For instance, you might use a text-filtering command (such as the ones described shortly, in “Processing Text Using Filters”) to manipulate text output by another program. You can do this with the help of redirection operators; send the first program’s standard output to a file, and then redirect the second program’s standard input to read from that file. This solution is awkward, though, and it involves the creation of a file that you might easily overlook, leading to unnecessary clutter on your system.

The solution is to use data pipes (aka pipelines). A pipe redirects the first program’s standard output to the second program’s standard input and is denoted by a vertical bar (|):

$ first | second

For instance, suppose that first generates some system statistics, such as system uptime, CPU use, number of users logged in, and so on. This output might be lengthy, so you want to trim it a bit. You might therefore use second, which could be a script or command that echoes from its standard input only the information in which you’re interested. (The grep command, described in “Using grep,” is often used in this role.) Pipes can be used in sequences of arbitrary length:

$ first | second | third | fourth | fifth | sixth [...]

Generating Command Lines

Sometimes you’ll find yourself constructing a series of commands that are similar to each other but not similar enough to enable you to use their normal options to substitute a single command. For instance, suppose you want to remove every file in a directory tree with a name that ends in a tilde (~). (This filename convention denotes backup files created by certain text editors.) With a large directory tree, this task can be daunting; the usual file-deletion command (rm, described in more detail in Chapter 4) doesn’t provide an option to search for and delete every file in a directory tree that matches such a specific criterion. One command that can do the search part of the job, though, is find, which is also described in more detail in Chapter 4. This command displays all the files that match criteria you provide. If you could combine the output of find to create a series of command lines using rm, the task would be solved. This is precisely the purpose of the xargs command.

The xargs command builds a command from its standard input. The basic syntax for this command is as follows:

xargs [options] [command [initial-arguments]]

The command is the command you want to execute, and initial-arguments is a list of arguments you want to pass to the command. The options are xargs options; they aren’t passed to command. When you run xargs, it runs command once for every word passed to it on standard input, adding that word to the argument list for command. If you want to pass multiple options to the command, you can protect them by enclosing the group in quotation marks.

For instance, consider the task of deleting all those backup files, denoted by tilde characters. You can do this by piping the output of find to xargs, which then calls rm:

$ find ./ -name "*~" | xargs -d "\n" rm

The first part of this command (find ./ -name "*~") finds all the files in the current directory (./) or its subdirectories with a name that ends in a tilde (*~). This list is then piped to xargs, which adds each input value to its own rm command. Problems can arise if filenames contain spaces, since by default xargs uses both spaces and newlines as item delimiters. The -d "\n" option tells xargs to use only newlines as delimiters, thus avoiding this problem in this context. (The find command separates each found filename with a newline.)

A tool that’s similar to xargs in many ways is the backtick (`), which is a character to the left of the 1 key on most keyboards. The backtick is not the same as the single quote character ('), which is located to the right of the semicolon (;) on most keyboards.

Text within backticks is treated as a separate command whose results are substituted on the command line. For instance, to delete those backup files, you can type the following command:

$ rm `find ./ -name "*~"`

Thebackticksolutionworksfineinsomecases,butitbreaksdowninmorecomplexsituations.Thereasonisthattheoutputofthebacktick-containedcommandispassedtothecommanditprecedesasifithadbeentypedattheshell.Bycontrast,whenyouusexargs,itrunsthecommandyouspecify(rmintheseexamples)onceforeachoftheinputitems.What’smore,youcan’tpassoptionssuchas-d"\n"toabacktick.Thus,thesetwoexampleswillworkthesameinmanycases,butnotinallofthem.
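A filename can also contain a newline, which the -d "\n" form still splits in two, so the command can be handed names that find never matched. The following added example (not from the book; it assumes GNU findutils, and the function names and file names are constructed for illustration) counts how many arguments each method delivers for three backup files and then deletes them with find -print0 and xargs -0, which separate names only on NUL bytes.

```shell
#!/bin/sh
# Added example, not the book's code. All file names below are constructed.

nl='
'

# Build a scratch tree: three backup files (one name with a space, one with an
# embedded newline) and one file that must survive. Prints the directory path.
make_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain.txt~"
    : > "$dir/with space.txt~"
    : > "$dir/line${nl}break.txt~"
    : > "$dir/keep.txt"
    printf '%s\n' "$dir"
}

# Stand-in for rm: prints one line per argument it receives, so callers can count.
COUNT='for a in "$@"; do echo x; done'

# Backtick form: the shell splits the substituted text on spaces and newlines.
count_backtick() {
    # Unquoted on purpose; this is the behaviour being measured.
    set -- `find "$1" -name "*~"`
    echo $#
}

# xargs with its default delimiters (blanks and newlines).
count_xargs_default() {
    find "$1" -name "*~" | xargs sh -c "$COUNT" sh | wc -l | tr -d ' '
}

# xargs splitting on newlines only, as in the text above.
count_xargs_newline() {
    find "$1" -name "*~" | xargs -d "\n" sh -c "$COUNT" sh | wc -l | tr -d ' '
}

# NUL-separated names: the only byte that cannot occur inside a path.
count_xargs_nul() {
    find "$1" -name "*~" -print0 | xargs -0 sh -c "$COUNT" sh | wc -l | tr -d ' '
}

# Delete the backup files; "--" stops rm from reading a name as an option.
delete_backups() {
    find "$1" -type f -name "*~" -print0 | xargs -0 rm -f --
}

demo() {
    d=$(make_tree) || return 1
    echo "backtick:          $(count_backtick "$d") arguments for 3 files"
    echo "xargs (default):   $(count_xargs_default "$d") arguments for 3 files"
    echo "xargs -d newline:  $(count_xargs_newline "$d") arguments for 3 files"
    echo "find -print0 | xargs -0: $(count_xargs_nul "$d") arguments for 3 files"
    delete_backups "$d"
    echo "left after deletion: $(ls "$d")"
    rm -rf "$d"
}

demo
```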

Processing Text Using Filters

In keeping with Linux’s philosophy of providing small tools that can be tied together via pipes and redirection to accomplish more complex tasks, many simple commands to manipulate text are available. These commands accomplish tasks of various types, such as combining files, transforming the data in files, formatting text, displaying text, and summarizing data.

Many of the following descriptions include input-file specifications. In most cases, you can omit these input-file specifications, in which case the utility reads from standard input instead.

File-Combining Commands

The first group of text-filtering commands are those used to combine two or more files into one file. Three important commands in this category are cat, join, and paste, which join files end to end, based on fields in the file, or by merging on a line-by-line basis, respectively.

Combining Files with cat

The cat command’s name is short for concatenate, and this tool does just that: It links together an arbitrary number of files end to end and sends the result to standard output. By combining cat with output redirection, you can quickly combine two files into one:

$ cat first.txt second.txt > combined.txt

Although cat is officially a tool for combining files, it’s also commonly used to display the contents of a short file. If you type only one filename as an option, cat displays that file. This is a great way to review short files; but for long files, you’re better off using a full-fledged pager command, such as more or less.

You can add options to have cat perform minor modifications to the files as it combines them:

Display Line Ends: If you want to see where lines end, add the -E or --show-ends option. The result is a dollar sign ($) at the end of each line.

Number Lines: The -n or --number option adds line numbers to the beginning of every line. The -b or --number-nonblank option is similar, but it numbers only lines that contain text.

Minimize Blank Lines: The -s or --squeeze-blank option compresses groups of blank lines down to a single blank line.

Display Special Characters: The -T or --show-tabs option displays tab characters as ^I. The -v or --show-nonprinting option displays most control and other special characters using caret (^) and M- notations.

The tac command is similar to cat, but it reverses the order of lines in the output.

Joining Files by Field with join

The join command combines two files by matching the contents of specified fields within the files. Fields are typically space-separated entries on a line, although you can specify another character as the field separator with the -t char option, where char is the character you want to use. You can cause join to ignore case when performing comparisons by using the -i option.

The effect of join may best be understood through a demonstration. Consider Listings 1.1 and 1.2, which contain data on telephone numbers; Listing 1.1 shows the names associated with those numbers, and Listing 1.2 shows whether the numbers are listed or unlisted.

Listing 1.1: Demonstration File Containing Telephone Numbers and Names

555-2397 Beckett, Barry
555-5116 Carter, Gertrude
555-7929 Jones, Theresa
555-9871 Orwell, Samuel

Listing 1.2: Demonstration File Containing Telephone Number Listing Status

555-2397 unlisted
555-5116 listed
555-7929 listed
555-9871 unlisted

You can display the contents of both files using join:

$ join listing1.1.txt listing1.2.txt
555-2397 Beckett, Barry unlisted
555-5116 Carter, Gertrude listed
555-7929 Jones, Theresa listed
555-9871 Orwell, Samuel unlisted

By default, join uses the first field as the one to match across files. Because Listings 1.1 and 1.2 both place the phone number in this field, it’s the key field in the output. You can specify another field by using the -1 or -2 option to specify the join field for the first or second file, respectively, as in join -1 3 -2 2 cameras.txt lenses.txt to join using the third field in cameras.txt and the second field in lenses.txt. The -o FORMAT option enables more complex specifications for the output file’s format; consult the man page for join for more details.

The join command can be used at the core of a set of simple customized database-manipulation tools using Linux text-manipulation commands. It’s very limited by itself, though; for instance, it requires its two files to have the same ordering of lines. (You can use the sort command to ensure this is so.)

Merging Lines with paste

The paste command merges files line by line, separating the lines from each file with tabs, as shown in the following example, using Listings 1.1 and 1.2 again:

$ paste listing1.1.txt listing1.2.txt
555-2397 Beckett, Barry 555-2397 unlisted
555-5116 Carter, Gertrude       555-5116 listed
555-7929 Jones, Theresa 555-7929 listed
555-9871 Orwell, Samuel 555-9871 unlisted

You can use paste to combine data from files that aren’t keyed with fields suitable for use by join. Of course, to be meaningful, the files’ line numbers must be exactly equivalent. Alternatively, you can use paste as a quick way to create a two-column output of textual data; however, the alignment of the second column may not be exact if the first column’s line lengths aren’t exactly even, as shown in the preceding example.

File-Transforming Commands

Many of Linux’s text-manipulation commands are aimed at transforming the contents of files. These commands don’t actually change files’ contents, though; rather, they send the changed file to standard output. You can then pipe this output to another command or redirect it into a new file.

An important file-transforming command is sed. This command is very complex and is covered later in this chapter, in “Using sed.”

Converting Tabs to Spaces with expand

Sometimes text files contain tabs but programs that need to process the files don’t cope well with tabs; or perhaps you want to edit a text file in an editor that uses a different amount of horizontal space for the tab than did the editor that created the file. In such cases, you may want to convert tabs to spaces. The expand command does this.

By default, expand assumes a tab stop every eight characters. You can change this spacing with the -t num or --tabs=num option, where num is the tab spacing value.

Displaying Files in Octal with od

Some files aren’t easily displayed in ASCII; most graphics files, audio files, and so on use non-ASCII characters that look like gibberish. Worse, these characters can do strange things to your display if you try to view such a file with cat or a similar tool. For instance, your font may change, or your console may begin beeping uncontrollably. Nonetheless, you may sometimes want to display such files, particularly if you want to investigate the structure of a data file. You may also want to look at an ASCII file in a way that eliminates certain ambiguities, such as whether a gap between words is a tab or several spaces. In such cases, od (whose name stands for octal dump) can help. It displays a file in an unambiguous format—octal (base 8) numbers by default. For instance, consider Listing 1.2 as parsed by od:

$ od listing1.2.txt
0000000 032465 026465 031462 033471 072440 066156 071551 062564
0000020 005144 032465 026465 030465 033061 066040 071551 062564
0000040 005144 032465 026465 034467 034462 066040 071551 062564
0000060 005144 032465 026465 034071 030467 072440 066156 071551
0000100 062564 005144
0000104

The first field on each line is an index into the file in octal. For instance, the second line begins at octal 20 (16 in base 10) bytes into the file. The remaining numbers on each line represent the bytes in the file. This type of output can be difficult to interpret unless you’re well versed in octal notation and perhaps in the ASCII code.

Although od is nominally a tool for generating octal output, it can generate many other output formats, such as hexadecimal (base 16), decimal (base 10), and even ASCII with escaped control characters. Consult the man page for od for details on creating these variants.

Sorting Files with sort

Sometimes you’ll create an output file that you want sorted. To do so, you can use a command that’s called, appropriately enough, sort. This command can sort in several ways, including the following:

Ignore Case: Ordinarily, sort sorts by ASCII value, which differentiates between uppercase and lowercase letters. The -f or --ignore-case option causes sort to ignore case.

Month Sort: The -M or --month-sort option causes the program to sort by three-letter month abbreviation (JAN through DEC).

Numeric Sort: You can sort by number by using the -n or --numeric-sort option.

Reverse Sort Order: The -r or --reverse option sorts in reverse order.

Sort Field: By default, sort uses the first field as its sort field. You can specify another field with the -k field or --key=field option. (The field can be two numbered fields separated by commas, to sort on multiple fields.)

As an example, suppose you wanted to sort Listing 1.1 by first name. You could do so like this:

$ sort -k 3 listing1.1.txt
555-2397 Beckett, Barry
555-5116 Carter, Gertrude
555-9871 Orwell, Samuel
555-7929 Jones, Theresa

The sort command supports a large number of additional options, many of them quite exotic. Consult sort’s man page for details.

Breaking a File into Pieces with split

The split command can split a file into two or more files. Unlike most of the text-manipulation commands described in this chapter, this command requires you to enter an output filename—or more precisely, an output filename prefix, to which is added an alphabetic code. You must also normally specify how large you want the individual files to be:

Split by Bytes: The -b size or --bytes=size option breaks the input file into pieces of size bytes. This option can have the usually undesirable consequence of splitting the file mid-line.

Split by Bytes in Line-Sized Chunks: You can break a file into files of no more than a specified size without breaking lines across files by using the -C=size or --line-bytes=size option. (Lines will still be broken across files if the line length is greater than size.)

Split by Number of Lines: The -l lines or --lines=lines option splits the file into chunks with no more than the specified number of lines.

As an example, consider breaking Listing 1.1 into two parts by number of lines:

$ split -l 2 listing1.1.txt numbers

The result is two files, numbersaa and numbersab, that together hold the original contents of listing1.1.txt.

If you don’t specify any defaults (as in split listing1.1.txt), the result is output files split into 1,000-line chunks, with names beginning with x (xaa, xab, and so on). If you don’t specify an input filename, split uses standard input.

Translating Characters with tr

The tr command changes individual characters from standard input. Its syntax is as follows:

tr [options] SET1 [SET2]

You specify the characters you want replaced in a group (SET1) and the characters with which you want them to be replaced as a second group (SET2). Each character in SET1 is replaced with the one at the equivalent position in SET2. Here’s an example using Listing 1.1:

$ tr BCJ bc < listing1.1.txt
555-2397 beckett, barry
555-5116 carter, Gertrude
555-7929 cones, Theresa
555-9871 Orwell, Samuel

The tr command relies on standard input, which is the reason for the input redirection (<) in this example. This is the only way to pass the command a file.

This example translates some, but not all, of the uppercase characters to lowercase. Note that SET2 in this example was shorter than SET1. The result is that tr substitutes the last available letter from SET2 for the missing letters. In this example, the J in Jones became a c. The -t or --truncate-set1 option causes tr to truncate SET1 to the size of SET2 instead.

Another tr option is -d, which causes the program to delete the characters from SET1. When using -d, you can omit SET2 entirely.

The tr command also accepts a number of shortcuts, such as [:alnum:] (all numbers and letters), [:upper:] (all uppercase letters), [:lower:] (all lowercase letters), and [:digit:] (all digits). You can specify a range of characters by separating them with dashes (-), as in A-M for characters between A and M, inclusive. Consult tr’s man page for a complete list of these shortcuts.

Converting Spaces to Tabs with unexpand

The unexpand command is the logical opposite of expand; it converts multiple spaces to tabs. This can help compress the size of files that contain many spaces and can be helpful if a file is to be processed by a utility that expects tabs in certain locations.

Like expand, unexpand accepts the -t num or --tabs=num option, which sets the tab spacing to once every num characters. If you omit this option, unexpand assumes a tab stop every eight characters.

Deleting Duplicate Lines with uniq

The uniq command removes duplicate lines. It’s most likely to be useful if you’ve sorted a file and don’t want duplicate items. For instance, suppose you want to summarize Shakespeare’s vocabulary. You might create a file with all of the Bard’s works, one word per line. You can then sort this file using sort and pass it through uniq. Using a shorter example file containing the text to be or not to be, that is the question (one word per line), the result looks like this:

$ sort shakespeare.txt | uniq
be
is
not
or
question
that
the
to

Note that the words to and be, which appeared in the original file twice, appear only once in the uniq-processed version.

File-Formatting Commands

The next three commands—fmt, nl, and pr—reformat the text in a file. The first of these is designed to reformat text files, such as if a program’s README documentation file uses lines that are too long for your display. The nl command numbers the lines of a file, which can be helpful in referring to lines in documentation or correspondence. Finally, pr is a print-processing tool; it formats a document in pages suitable for printing.

Reformatting Paragraphs with fmt

Sometimes text files arrive with outrageously long line lengths, irregular line lengths, or other problems. Depending on the difficulty, you may be able to cope simply by using an appropriate text editor or viewer to read the file. If you want to clean up the file a bit, though, you can do so with fmt. If called with no options (other than the input filename, if you’re not having it work on standard input), the program attempts to clean up paragraphs, which it assumes are delimited by two or more blank lines or by changes in indentation. The new paragraph formatting defaults to no more than 75 characters wide. You can change this with the -width, -w width, or --width=width options, which set the line length to width characters.

Numbering Lines with nl

As described earlier, in “Combining Files with cat,” you can number the lines of a file with that command. The cat line-numbering options are limited, though, so if you need to do complex line numbering, nl is the tool to use. In its simplest case, you can use nl alone to accomplish much the same goal as cat -b achieves: numbering all the non-blank lines in a file. You can add many options to nl to achieve various special effects:

Body Numbering Style: You can set the numbering style for the bulk of the lines with the -b style or --body-numbering=style option, where style is a style format code, described shortly.

Header and Footer Numbering Style: If the text is formatted for printing and has headers or footers, you can set the style for these elements with the -h style or --header-numbering=style option for the header and -f style or --footer-numbering=style option for the footer.

Page Separator: Some numbering schemes reset the line numbers for each page. You can tell nl how to identify a new page with the -d=code or --section-delimiter=code option, where code is a code for the character that identifies the new page.

Line-Number Options for New Pages: Ordinarily, nl begins numbering each new page with line 1. If you pass the -p or --no-renumber option, though, it doesn’t reset the line number with a new page.

Number Format: You can specify the numbering format with the -n format or --number-format=format option, where format is ln (left justified, no leading zeros), rn (right justified, no leading zeros), or rz (right justified with leading zeros).

The body, header, and footer options enable you to specify a numbering style for each of these page elements, as described in Table 1.3.

TABLE 1.3 Styles used by nl

Style code   Description
t            The default behavior is to number lines that aren’t empty. You can make this default explicit by using a style of t.
a            This style causes all lines to be numbered, including empty lines.
n            This style causes all line numbers to be omitted, which may be desirable for headers or footers.
pREGEXP      This option causes only lines that match the specified regular expression (REGEXP) to be numbered. Regular expressions are described later, in “Using Regular Expressions.”

As an example, suppose you’ve created a script, buggy, but you find that it’s not working as you expect. When you run it, you get error messages that refer to line numbers, so you want to create a version of the script with lines that are numbered for easy reference. You can do so by calling nl with the option to number all lines, including blank lines (-b a):

$ nl -b a buggy > numbered-buggy.txt

Because the input file doesn’t have any explicit page delimiters, the output will be numbered in a single sequence; nl doesn’t try to impose its own page-length limits.

The numbered-buggy.txt file created by this command isn’t useful as a script because of the line numbers that begin each line. You can, however, load it into a text editor or display it with a pager such as less to view the text and see the line numbers along with the commands they contain.

Preparing a File for Printing with pr

If you want to print a plain-text file, you may want to prepare it with headers, footers, page breaks, and so on. The pr command was designed to do this. In its most basic form, you pass the command a file:

$ pr myfile.txt

The result is text formatted for printing on a line printer—that is, pr assumes an 80-character line length in a monospaced font. Of course, you can also use pr in a pipe, either to accept input piped from another program or to pipe its output to another program. (The recipient program might be lpr, which is used to print files, as described in Chapter 6, “Configuring the X Window System, Localization, and Printing.”)

By default, pr creates output that includes the original text with headers that include the current date and time, the original filename, and the page number. You can tweak the output format in a variety of ways, including the following:

Generate Multi-column Output: Passing the -numcols or --columns=numcols option creates output with numcols columns. Note that pr doesn’t reformat text; if lines are too long, they’re truncated or run over into multiple columns.

Generate Double-Spaced Output: The -d or --double-space option causes double-spaced output from a single-spaced file.

Use Form Feeds: Ordinarily, pr separates pages by using a fixed number of blank lines. This works fine if your printer uses the same number of lines that pr expects. If you have problems with this issue, you can pass the -F, -f, or --form-feed option, which causes pr to output a form-feed character between pages. This works better with some printers.

Set Page Length: The -l lines or --length=lines option sets the length of the page in lines.

Set the Header Text: The -h text or --header=text option sets the text to be displayed in the header, replacing the filename. To specify a multi-word string, enclose it in quotes, as in --header="My File". The -t or --omit-header option omits the header entirely.

Set Left Margin and Page Width: The -o chars or --indent=chars option sets the left margin to chars characters. This margin size is added to the page width, which defaults to 72 characters and can be explicitly set with the -w chars or --width chars option.

These options are just the beginning; pr supports many more, which are described in its man page.

As an example of pr in action, consider printing a double-spaced and numbered version of a configuration file (say, /etc/profile) for your reference. You can do this by piping together cat and its -n option to generate a numbered output, pr and its -d option to double-space the result, and lpr to print the file:

$ cat -n /etc/profile | pr -d | lpr

The result should be a printout that might be handy for taking notes on the configuration file. One caveat, though: If the file contains lines that approach or exceed 80 characters in length, the result can be single lines that spill across two lines. The result will be disrupted page boundaries. As a workaround, you can set a somewhat short page length with -l and use -f to ensure that the printer receives form feeds after each page:

$ cat -n /etc/profile | pr -dfl 50 | lpr

The pr command is built around assumptions about printer capabilities that were reasonable in the early 1980s. It’s still useful today, but you might prefer to look into GNU Enscript (http://www.codento.com/people/mtr/genscript/). This program has many of the same features as pr, but it generates PostScript output that can take better advantage of modern printer features.

File-Viewing Commands

Sometimes you just want to view a file or part of a file. A few commands can help you accomplish this goal without loading the file into a full-fledged editor.

As described earlier, the cat command is also handy for viewing short files.

Viewing the Starts of Files with head

Sometimes all you need to do is see the first few lines of a file. This may be enough to identify what a mystery file is, for instance; or you may want to see the first few entries of a log file to determine when that file was started. You can accomplish this goal with the head command, which echoes the first 10 lines of one or more files to standard output. (If you specify multiple filenames, each one’s output is preceded by a header to identify it.) You can modify the amount of information displayed by head in two ways:

Specify the Number of Bytes: The -c num or --bytes=num option tells head to display num bytes from the file rather than the default 10 lines.

Specify the Number of Lines: You can change the number of lines displayed with the -n num or --lines=num option.

Viewing the Ends of Files with tail

The tail command works just like head, except that tail displays the last 10 lines of a file. (You can use the -c/--bytes and -n/--lines options to change the amount of data displayed, just as with head.) This command is useful for examining recent activity in log files or other files to which data may be appended.

The tail command supports several options that aren’t present in head and that enable the program to handle additional duties, including the following:

Track a File: The -f or --follow option tells tail to keep the file open and to display new lines as they’re added. This feature is helpful for tracking log files because it enables you to see changes as they’re made to the file.

Stop Tracking on Program Termination: The --pid=pid option tells tail to terminate tracking (as initiated by -f or --follow) once the process with a process ID (PID) of pid terminates. (PIDs are described in more detail in Chapter 2, “Managing Software.”)

Some additional options provide more obscure capabilities. Consult tail’s man page for details.

You can combine head with tail to display or extract portions of a file. For instance, suppose you want to display lines 11–15 of a file, sample.txt. You can extract the first 15 lines of the file with head, and then display the last five lines of that extraction with tail. The final command would be head -n 15 sample.txt | tail -n 5.

Paging Through Files with less

The less command’s name is a joke; it’s a reference to the more command, which was an early file pager. The idea was to create a better version of more, so the developers called it less.

The idea behind less (and more, for that matter) is to enable you to read a file a screen at a time. When you type less filename, the program displays the first few lines of filename. You can then page back and forth through the file:

Pressing the spacebar moves forward through the file a screen at a time.
Pressing Esc followed by V moves backward through the file a screen at a time.
The Up and Down arrow keys move up or down through the file a line at a time.
You can search the file’s contents by pressing the slash (/) key followed by the search term. For instance, typing /portable finds the first occurrence of the string portable after the current position. Typing a slash followed by the Enter key moves to the next occurrence of the search term. Typing n alone repeats the search forward, while typing N alone repeats the search backward.
You can search backward in the file by using the question mark (?) key rather than the slash key.
You can move to a specific line by typing g followed by the line number, as in g50 to go to line 50.
When you’re done, type q to exit from the program.

Unlike most of the programs described here, less can’t be readily used in a pipe, except as the final command in the pipe. In that role, though, less is very useful because it enables you to conveniently examine lengthy output.

Although less is quite common on Linux systems and is typically configured as the default text pager, some Unix-like systems use more in this role. Many of less’s features, such as the ability to page backward in a file, don’t work in more.

One additional less feature can be handy: Typing h displays less’s internal help system. This display summarizes the commands you may use, but it’s long enough that you must use the usual less paging features to view it all! When you’re done with the help screens, type q, just as if you were exiting from viewing a help document with less. This action will return you to your original document.

File-Summarizing Commands

The final text-filtering commands I describe are used to summarize text in one way or another. The cut command takes segments of an input file and sends them to standard output, while the wc command displays some basic statistics on the file.

Extracting Text with cut

The cut command extracts portions of input lines and displays them on standard output. You can specify what to cut from input lines in several ways:

By Byte: The -b list or --bytes=list option cuts the specified list of bytes from the input file. (The format of a list is described shortly.)

By Character: The -c list or --characters=list option cuts the specified list of characters from the input file. In practice, this method and the by-byte method usually produce identical results. (If the input file uses a multi-byte encoding system, though, the results won’t be identical.)

By Field: The -f list or --fields=list option cuts the specified list of fields from the input file. By default, a field is a tab-delimited section of a line, but you can change the delimiting character with the -d char, --delim=char, or --delimiter=char option, where char is the character you want to use to delimit fields. Ordinarily, cut echoes lines that don’t contain delimiters. Including the -s or --only-delimited option changes this behavior so that the program doesn’t echo lines that don’t contain the delimiter character.

Many of these options take a list, which is a way to specify multiple bytes, characters, or fields. You make this specification by number; it can be a single number (such as 4), a closed range of numbers (such as 2-4), or an open range of numbers (such as -4 or 4-). In this final case, all bytes, characters, or fields from the beginning of the line to the specified number or from the specified number to the end of the line are included in the list.

The cut command is frequently used in scripts to extract data from some other command’s output. For instance, suppose you’re writing a script and the script needs to know the hardware address of your Ethernet adapter. This information can be obtained from the ifconfig command (described in more detail in Chapter 8, “Configuring Basic Networking”):

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:76:96:A3:73
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:76ff:fe96:a373/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7127424 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5273519 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6272843708 (5982.2 Mb)  TX bytes:1082453585 (1032.3 Mb)
          Interrupt:10 Base address:0xde00

Unfortunately, most of this information is extraneous for the desired purpose. The hardware address is the 6-byte hexadecimal number following HWaddr. To extract that data, you can combine grep (described shortly, in “Using grep”) with cut in a pipe:

$ ifconfig eth0 | grep HWaddr | cut -d " " -f 11
00:0C:76:96:A3:73

Of course, in a script you would probably assign this value to a variable or otherwise process it through additional pipes. Chapter 9 describes scripts in more detail.

Obtaining a Word Count with wc

The wc command produces a word count (that’s where it gets its name), as well as line and byte counts, for a file:

$ wc file.txt
  308  2343 15534 file.txt

This file contains 308 lines (or, more precisely, 308 newline characters); 2,343 words; and 15,534 bytes. You can limit the output to the newline count, the word count, the byte count, or a character count with the --lines (-l), --words (-w), --bytes (-c), or --chars (-m) option, respectively. You can also learn the maximum line length with the --max-line-length (-L) option.

For an ordinary ASCII file, the character and byte counts will be identical. These values may diverge for files that use multi-byte character encodings.

Using Regular Expressions

Many Linux programs employ regular expressions, which are tools for describing or matching patterns in text. Regular expressions are similar in principle to the wildcards that can be used to specify multiple filenames. At their simplest, regular expressions can be plain text without adornment. Certain characters are used to denote patterns, though. Because of their importance, I describe regular expressions here. I also cover two programs that make heavy use of regular expressions: grep and sed. These programs search for text within files and permit editing of files from the command line, respectively.

Understanding Regular Expressions

Two forms of regular expression are common: basic and extended. Which form you must use depends on the program; some accept one form or the other, but others can use either type, depending on the options passed to the program. (Some programs use their own minor or major variants on either of these classes of regular expression.) The differences between basic and extended regular expressions are complex and subtle, but the fundamental principles of both are similar.

The simplest type of regular expression is an alphabetic string, such as Linux or HWaddr. These regular expressions match any string of the same size or longer that contains the regular expression. For instance, the HWaddr regular expression matches HWaddr, This is the HWaddr, and The HWaddr is unknown. The real strength of regular expressions comes in the use of non-alphabetic characters, which activate advanced matching rules:

Bracket Expressions: Characters enclosed in square brackets ([]) constitute bracket expressions, which match any one character within the brackets. For instance, the regular expression b[aeiou]g matches the words bag, beg, big, bog, and bug.

Range Expressions: A range expression is a variant on a bracket expression. Instead of listing every character that matches, range expressions list the start and end points separated by a dash (-), as in a[2-4]z. This regular expression matches a2z, a3z, and a4z.

Any Single Character: The dot (.) represents any single character except a newline. For instance, a.z matches a2z, abz, aQz, or any other three-character string that begins with a and ends with z.

Start and End of Line: The caret (^) represents the start of a line, and the dollar sign ($) denotes the end of a line.

Repetition Operators: A full or partial regular expression may be followed by a special symbol to denote how many times a matching item must exist. Specifically, an asterisk (*) denotes zero or more occurrences, a plus sign (+) matches one or more occurrences, and a question mark (?) specifies zero or one match. The asterisk is often combined with the dot (as in .*) to specify a match with any substring. For instance, A.*Lincoln matches any string that contains A and Lincoln, in that order—Abe Lincoln and Abraham Lincoln are just two possible matches.

Multiple Possible Strings: The vertical bar (|) separates two possible matches; for instance, car|truck matches either car or truck.

Parentheses: Ordinary parentheses (()) surround subexpressions. Parentheses are often used to specify how operators are to be applied; for example, you can put parentheses around a group of words that are concatenated with the vertical bar, to ensure that the words are treated as a group, any one of which may match, without involving surrounding parts of the regular expression.

Escaping: If you want to match one of the special characters, such as a dot, you must escape it—that is, precede it with a backslash (\). For instance, to match a computer hostname (say, twain.example.com), you must escape the dots, as in twain\.example\.com.

The preceding descriptions apply to extended regular expressions. Some details are different for basic regular expressions. In particular, the ?, +, |, (, and ) symbols lose their special meanings. To perform the tasks handled by these characters, some programs, such as grep, enable you to recover the functions of these characters by escaping them (say, using \| instead of |). Whether you use basic or extended regular expressions depends on which form the program supports. For programs, such as grep, that support both, you can use either; which you choose is mostly a matter of personal preference.

Regular expression rules can be confusing, particularly when you’re first introduced to them. Some examples of their use, in the context of the programs that use them, will help. The next couple of sections provide such examples.

Using grep

The grep command is extremely useful. It searches for files that contain a specified string and returns the name of the file and (if it’s a text file) a line of context for that string. The basic grep syntax is as follows:

grep [options] regexp [files]

The regexp is a regular expression, as just described. The grep command supports a large number of options. Some of the common options enable you to modify the way the program searches files:

Count Matching Lines: Instead of displaying context lines, grep displays the number of lines that match the specified pattern if you use the -c or --count option.

Specify a Pattern Input File: The -f file or --file=file option takes pattern input from the specified file rather than from the command line.

Ignore Case: You can perform a case-insensitive search, rather than the default case-sensitive search, by using the -i or --ignore-case option.

Search Recursively: The -r or --recursive option searches in the specified directory and all subdirectories rather than simply the specified directory. You can use rgrep rather than specify this option.

Use an Extended Regular Expression: The grep command interprets regexp as a basic regular expression by default. To use an extended regular expression, you can pass the -E or --extended-regexp option. Alternatively, you can call egrep rather than grep; this variant command uses extended regular expressions by default.

A simple example of grep uses a regular expression with no special components:

$ grep -r eth0 /etc/*

This example finds all the files in /etc that contain the string eth0 (the identifier for the first Ethernet device on most Linux distributions). Because the example includes the -r option, it searches recursively, so files in subdirectories of /etc are examined in addition to those in /etc itself. For each matching text file, the line that contains the string is printed.

Some files in /etc can’t be read by ordinary users. Thus, if you type this command as a non-root user, you’ll see some error messages relating to grep’s inability to open files.

Ramping up a bit, suppose you want to locate all the files in /etc that contain the string eth0 or eth1. You can enter the following command, which uses a bracket expression to specify both variant devices:

$ grep eth[01] /etc/*

A still more complex example searches all files in /etc that contain the hostname twain.example.com or bronto.pangaea.edu and, later on the same line, the number 127. This task requires using several of the regular expression features. Expressed using extended regular expression notation, the command looks like this:

$ grep -E "(twain\.example\.com|bronto\.pangaea\.edu).*127" /etc/*

This command illustrates another feature you may need to use: shell quoting. Because the shell uses certain characters, such as the vertical bar and the asterisk, for its own purposes, you must enclose certain regular expressions in quotes lest the shell attempt to parse the regular expression and pass a modified version of what you type to grep.

You can use grep in conjunction with commands that produce a lot of output in order to sift through that output for the material that’s important to you. (Several examples throughout this book use this technique.) For example, suppose you want to find the process ID (PID) of a running xterm. You can use a pipe to send the result of a ps command (described in Chapter 2) through grep:

# ps ax | grep xterm

The result is a list of all running processes called xterm, along with their PIDs. You can even do this in series, using grep to further restrict the output on some other criterion, which can be useful if the initial pass still produces too much output.
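The difference between basic and extended notation, and what the shell does to an unquoted pattern, can be checked on a small file. This is an added example, not from the book: the file contents and the function names are constructed for illustration, and the \| form in basic mode assumes GNU grep.

```shell
#!/bin/sh
# Added illustration: the hostname search above written in extended and in
# basic notation, run over a constructed hosts-style file.

# Write constructed sample data to the file named in $1.
make_sample() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
10.0.0.5 twain.example.com loopback-alias 127
10.0.0.6 twainXexampleYcom 127
10.0.0.7 bronto.pangaea.edu
192.168.1.9 bronto.pangaea.edu backup 127
eth0 up
eth1 down
eth2 down
EOF
}

# Count lines of file $2 that match pattern $1 as an extended regular expression.
count_ere() { grep -E -c -- "$1" "$2"; }

# Count lines of file $2 that match pattern $1 as a basic regular expression.
count_bre() { grep -c -- "$1" "$2"; }

# Print what the shell passes to a command when eth[01] is left unquoted in a
# directory that holds a file named eth0: pathname expansion rewrites the pattern.
unquoted_arg() {
    d=$(mktemp -d) || return 1
    : > "$d/eth0"
    ( cd "$d" && printf '%s\n' eth[01] )
    rm -rf "$d"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    # Extended: ( | ) are operators and \. is a literal dot.
    echo "ERE, dots escaped:    $(count_ere '(twain\.example\.com|bronto\.pangaea\.edu).*127' "$f")"
    # Unescaped dots match any character, so twainXexampleYcom is counted too.
    echo "ERE, dots unescaped:  $(count_ere '(twain.example.com|bronto.pangaea.edu).*127' "$f")"
    # Basic: the same operators have to be written \( \| \).
    echo "BRE, escaped symbols: $(count_bre '\(twain\.example\.com\|bronto\.pangaea\.edu\).*127' "$f")"
    # Basic with bare ( | ): they are ordinary characters and nothing matches.
    echo "BRE, bare symbols:    $(count_bre '(twain\.example\.com|bronto\.pangaea\.edu).*127' "$f")"
    # Quoted bracket expression: eth0 or eth1, not eth2.
    echo "quoted eth[01]:       $(count_bre 'eth[01]' "$f")"
    echo "unquoted eth[01] reaches the command as: $(unquoted_arg)"
    rm -f "$f"
}

demo
```

Quoting the pattern, as in the hostname command above, keeps the shell from rewriting it before grep sees it.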

Using sed

The sed command directly modifies the contents of files, sending the changed file to standard output. Its syntax can take one of two forms:

sed [options] -f script-file [input-file]
sed [options] script-text [input-file]

In either case, input-file is the name of the file you want to modify. (Modifications are temporary unless you save them in some way, as illustrated shortly.) The script (script-text or the contents of script-file) is the set of commands you want sed to perform. When you pass a script directly on the command line, the script-text is typically enclosed in single quote marks. Table 1.4 summarizes a few sed commands that you can use in its scripts.

TABLE 1.4 Common sed commands

Command                 Addresses   Meaning
=                       0 or 1      Display the current line number.
a\text                  0 or 1      Append text to the file.
i\text                  0 or 1      Insert text into the file.
r filename              0 or 1      Append text from filename into the file.
c\text                  Range       Replace the selected range of lines with the provided text.
s/regexp/replacement    Range       Replace text that matches the regular expression (regexp) with replacement.
w filename              Range       Write the current pattern space to the specified file.
q                       0 or 1      Immediately quit the script, but print the current pattern space.
Q                       0 or 1      Immediately quit the script.

Table 1.4 is incomplete; sed is quite complex, and this section merely introduces this tool.

The Addresses column of Table 1.4 requires elaboration: sed commands operate on addresses, which are line numbers. Commands may take no addresses, in which case they operate on the entire file; one address, in which case they operate on the specified line; or two addresses (a range), in which case they operate on that range of lines, inclusive.

In operation, sed looks something like this:

$ sed 's/2012/2013/' cal-2012.txt > cal-2013.txt

This command processes the input file, cal-2012.txt, using sed’s s command to replace the first occurrence of 2012 on each line with 2013. (If a single line may have more than one instance of the search string, you must perform a global search by appending g to the command string, as in s/2012/2013/g.) By default, sed sends the modified file to standard output, so this example uses redirection to send the output to cal-2013.txt. The idea in this example is to quickly convert a file created for the year 2012 so that it can be used in 2013. If you don’t specify an input filename, sed works from standard input, so it can accept the output of another command as its input.

Although it’s conceptually simple, sed is a very complex tool; even a modest summary of its capabilities would fill a chapter. You can consult its man page for basic information, but to fully understand sed, you may want to consult a book on the subject, such as Dale Dougherty and Arnold Robbins’s sed & awk, 2nd Edition (O’Reilly, 1997).

Certain sed commands, including the substitution command, are also used in Vi, which is described more fully in Chapter 5.

Doing One Thing in Many Ways

As you become experienced with Linux and compare notes with other Linux administrators, you may find that the way you work is different from the way others work. This is because Linux often provides multiple methods to solve certain problems. For instance, ASCII text files use certain characters to encode the end of a line. Unix (and Linux) use a single line feed character (ASCII 0x0a, sometimes represented as \n), whereas DOS and Windows use the combination of a carriage return (ASCII 0x0d or \r) and a line feed. When moving ASCII files between computers, you may need to convert from one form to the other. How can you do this?

One solution is to use a special-purpose program, such as dos2unix or unix2dos. You could type dos2unix file.txt to convert file.txt from DOS-style to Unix-style ASCII, for instance. This is usually the simplest solution, but not all computers have these utilities installed.

Another approach is to use tr. For instance, to convert from DOS style to Unix style, you might type this:

$ tr -d '\r' < dosfile.txt > unixfile.txt

This approach won’t work when converting from Unix style to DOS style, though. For that, you can use sed:

sed s/$/"\r"/ unixfile.txt > dosfile.txt

Variants on both the tr and sed commands exist. For instance, sometimes the quotes around \r may be omitted from the sed command; whether they’re required depends on your shell and its configuration.

Yet another approach is to load the file into a text editor and then save it using different file-type settings. (Not all editors support such changes, but some do.)

Many other examples exist of multiple solutions to a problem. Sometimes one solution stands out above others as being superior, but other times the differences may be subtle, or each approach may have merit in particular situations. Thus, it’s best to be at least somewhat familiar with all the alternatives. I describe many such options throughout this book.

Summary

The command line is the key to Linux. Even if you prefer GUI tools to text-mode tools, understanding text-mode commands is necessary to fully manage Linux. This task begins with the shell, which accepts commands you type and displays the results of those commands. In addition, shells support linking programs together via pipes and redirecting programs’ input and output. These features enable you to perform complex tasks using simple tools by having each program perform its own small part of the task. This technique is frequently used with Linux text filters, which manipulate text files in various ways—sorting text by fields, merging multiple files, and so on.

Exam Essentials

Summarize features that Linux shells offer to speed up command entry. The command history often enables you to retrieve an earlier command that’s similar or identical to the one you want to enter. Tab completion reduces typing effort by letting the shell finish long command names or filenames. Command-line editing lets you edit a retrieved command or change a typo before committing the command.

Describe the purpose of the man command. The man command displays the manual page for the keyword (command, filename, system call, or other feature) that you type. This documentation provides succinct summary information that’s useful as a reference to learn about exact command options or features.

Explain the purpose of environment variables. Environment variables store small pieces of data—program options, information about the computer, and so on. This information can be read by programs and used to modify program behavior in a way that’s appropriate for the current environment.

Describe the difference between standard output and standard error. Standard output carries normal program output, whereas standard error carries high-priority output, such as error messages. The two can be redirected independently of one another.

Explain the purpose of pipes. Pipes tie programs together by feeding the standard output from the first program into the second program’s standard input. They can be used to link together a series of simple programs to perform more complex tasks than any one of the programs could manage.

Summarize the structure of regular expressions. Regular expressions are strings that describe other strings. They can contain normal alphanumeric characters, which match the exact same characters, as well as several special symbols and symbol sets that match multiple different characters. The combination is a powerful pattern-matching tool used by many Linux programs.

Review Questions

1. You type a command into bash and pass a long filename to it, but after you enter the command, you receive a File not found error message because of a typo in the filename. How might you proceed?
A. Retype the command, and be sure you type the filename correctly, letter by letter.
B. Retype the command, but press the Tab key after typing a few letters of the long filename to ensure that the filename is entered correctly.
C. Press the Up arrow key, and use bash’s editing features to correct the typo.
D. Any of the above.
E. None of the above.

2. Which of the following commands is implemented as an internal command in bash?
A. cat
B. less
C. tee
D. sed
E. echo

3. You type echo $PROC, and the computer replies Go away. What does this mean?
A. No currently running processes are associated with your shell, so you may log out without terminating them.
B. The remote computer PROC isn’t accepting connections; you should contact its administrator to correct the problem.
C. Your computer is handling too many processes; you must kill some of them to regain control of the computer.
D. Your central processing unit (CPU) is defective and must be replaced as soon as possible.
E. You, one of your configuration files, or a program you’ve run has set the $PROC environment variable to Go away.

4. What does the pwd command accomplish?
A. It prints the name of the working directory.
B. It changes the current working directory.
C. It prints wide displays on narrow paper.
D. It parses Web page URLs for display.
E. It prints the terminal’s width in characters.

5. In an xterm window launched from your window manager, you type exec gedit. What will happen when you exit from the gedit program?
A. Your shell will be a root shell.
B. The gedit program will terminate, but nothing else unusual will happen.
C. Your X session will terminate.
D. The xterm window will close.
E. A new instance of gedit will be launched.

6. What is the surest way to run a program (say, myprog) that’s located in the current working directory?
A. Type ./ followed by the program name: ./myprog.
B. Type the program name alone: myprog.
C. Type run followed by the program name: run myprog.
D. Type /. followed by the program name: /.myprog.
E. Type the program name followed by an ampersand (&): myprog &.

7. How does man display information by default on most Linux systems?
A. Using a custom X-based application
B. Using the Firefox Web browser
C. Using the info browser
D. Using the Vi editor
E. Using the less pager

8. You want to store the standard output of the ifconfig command in a text file (file.txt) for future reference, and you want to wipe out any existing data in the file. You do not want to store standard error in this file. How can you accomplish these goals?
A. ifconfig < file.txt
B. ifconfig >> file.txt
C. ifconfig > file.txt
D. ifconfig | file.txt
E. ifconfig 2> file.txt

9. What is the effect of the following command?
$ myprog &> input.txt
A. Standard error to myprog is taken from input.txt.
B. Standard input to myprog is taken from input.txt.
C. Standard output and standard error from myprog are written to input.txt.
D. All of the above.
E. None of the above.

10. How many commands can you pipe together at once?
A. 2
B. 3
C. 4
D. 16
E. An arbitrary number

11. You want to run an interactive script, gabby, which produces a lot of output in response to the user’s inputs. To facilitate future study of this script, you want to copy its output to a file. How might you do this?
A. gabby > gabby-out.txt
B. gabby | tee gabby-out.txt
C. gabby < gabby-out.txt
D. gabby &> gabby-out.txt
E. gabby `gabby-out.txt`

12. A text-mode program, verbose, prints a lot of spurious “error” messages to standard error. How might you get rid of those messages while still interacting with the program?
A. verbose | quiet
B. verbose &> /dev/null
C. verbose 2> /dev/null
D. verbose > junk.txt
E. quiet-mode verbose

13. How do the > and >> redirection operators differ?
A. The > operator creates a new file or overwrites an existing one; the >> operator creates a new file or appends to an existing one.
B. The > operator creates a new file or overwrites an existing one; the >> operator appends to an existing file or issues an error message if the specified file doesn’t exist.
C. The > operator redirects standard output; the >> operator redirects standard error.
D. The > operator redirects standard output; the >> operator redirects standard input.
E. The > operator writes to an existing file but fails if the file doesn’t exist; the >> operator writes to an existing file or creates a new one if it doesn’t already exist.

14. What program would you use to display the end of a configuration file?
A. uniq
B. cut
C. tail
D. wc
E. fmt

15. What is the effect of the following command?
$ pr report.txt | lpr
A. The file report.txt is formatted for printing and sent to the lpr program.
B. The files report.txt and lpr are combined together into one file and sent to standard output.
C. Tabs are converted to spaces in report.txt, and the result is saved in lpr.
D. The file report.txt is printed, and any error messages are stored in the file lpr.
E. None of the above.

16. Which of the following commands will number the lines in aleph.txt? (Select three.)
A. fmt aleph.txt
B. nl aleph.txt
C. cat -b aleph.txt
D. cat -n aleph.txt
E. od -nl aleph.txt

17. Which of the following commands will change all occurrences of dog in the file animals.txt to mutt in the screen display?
A. sed -s "dog" "mutt" animals.txt
B. grep -s "dog||mutt" animals.txt
C. sed 's/dog/mutt/g' animals.txt
D. cat animals.txt | grep -c "dog" "mutt"
E. fmt animals.txt | cut 'dog' > 'mutt'

18. You’ve received an ASCII text file (longlines.txt) that uses no carriage returns within paragraphs but two carriage returns between paragraphs. The result is that your preferred text editor displays each paragraph as a very long line. How can you reformat this file so that you can more easily edit it (or a copy)?
A. sed 's/Ctrl-M/NL/' longlines.txt
B. fmt longlines.txt > longlines2.txt
C. cat longlines.txt > longlines2.txt
D. pr longlines.txt > longlines2.txt
E. grep longlines.txt > longlines2.txt

19. Which of the following commands will print lines from the file world.txt that contain matches to changes and changed?
A. grep change[ds] world.txt
B. sed change[d-s] world.txt
C. od "change'd|s'" world.txt
D. cat world.txt changes changed
E. find world.txt "change(d|s)"

20. Which of the following regular expressions will match the strings dog, dug, and various other strings but not dig?
A. d.g
B. d[ou]g
C. d[o-u]g
D. di*g
E. d.ig

Chapter 2

Managing Software

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.102.3 Manage shared libraries
1.102.4 Use Debian package management
1.102.5 Use RPM and Yum package management
1.103.5 Create, monitor, and kill processes
1.103.6 Modify process execution priorities

A Linux system is defined largely by the collection of software it contains. The Linux kernel, the libraries used by many packages, the shells used to interpret commands, the X Window System GUI, the servers, and more all make up the system’s software environment. Many of the chapters of this book are devoted to configuring specific software components, but they all have something in common: tools used to install, uninstall, upgrade, and otherwise manipulate the software. Ironically, this commonality is a major source of differences between Linux systems. Two major Linux package management tools exist: RPM Package Manager (RPM) and Debian packages. (Several less-common package management systems also exist.) With few exceptions, each individual Linux computer uses precisely one package management system, so you’ll need to know only one to administer a single system. To be truly fluent in all things Linux, though, you should be at least somewhat familiar with both of them. Thus, this chapter describes both.

This chapter also covers libraries—software components that can be used by many different programs. Libraries help reduce the disk space and memory requirements of complex programs, but they also require some attention; if that attention isn’t given to them, they can cause problems by their absence or because of incompatibilities between their and their dependent software’s versions.

Package management, and in some sense library management, relates to programs as files on your hard disk. Once run, though, programs are dynamic entities. Linux provides tools to help you manage running programs (known as processes)—you can learn what processes are running, change their priorities, and terminate processes you don’t want running.

Package Concepts

Before proceeding, you should understand some of the principles that underlie Linux package management tools. Any computer’s software is like a house of cards: One program may rely on multiple other programs or libraries, each of which relies on several more, and so on. The foundation on which all these programs rely is the Linux kernel. Any of these packages can theoretically be replaced by an equivalent one; however, doing so sometimes causes problems. Worse, removing one card from the stack could cause the whole house of cards to come tumbling down.

Linux package management tools are intended to help build and modify this house of cards by tracking what software is installed. The information that the system maintains helps avoid problems in several ways:

Packages: The most basic information that package systems maintain is information about software packages—that is, collections of files that are installed on the computer. Packages are usually distributed as single files that are similar to tarballs (archives created with the tar utility and usually compressed with gzip or bzip2) or zip files. Once installed, most packages consist of dozens or hundreds of files, and the package system tracks them all. Packages include additional information that aids in the subsequent duties of package management systems.

Installed File Database: Package systems maintain a database of installed files. The database includes information about every file installed via the package system, the name of the package to which each of those files belongs, and associated additional information.

Dependencies: One of the most important types of information maintained by the package system is dependency information—that is, the requirements of packages for one another. For instance, if SuperProg relies on UltraLib to do its work, the package database records this information. If you attempt to install SuperProg when UltraLib isn’t installed, the package system won’t let you do so. Similarly, if you try to uninstall UltraLib when SuperProg is installed, the package system won’t let you. (You can override these prohibitions, as described later in “Forcing the Installation.” Doing so is usually inadvisable, though.)

Checksums: The package system maintains checksums and assorted ancillary information about files. This information can be used to verify the validity of the installed software. This feature has its limits, though; it’s intended to help you spot disk errors, accidental overwriting of files, or other non-sinister problems. It’s of limited use in detecting intrusions, because an intruder could use the package system to install altered system software.

Upgrades and Uninstallation: By tracking files and dependencies, package systems permit easy upgrades and uninstallation: Tell the package system to upgrade or remove a package, and it will replace or remove every file in the package. Of course, this assumes that the upgrade or uninstallation doesn’t cause dependency problems; if it does, the package system will block the operation unless you override it.

Binary Package Creation: Both the RPM and Debian package systems provide tools to help create binary packages (those that are installed directly) from source code. This feature is particularly helpful if you’re running Linux on a peculiar CPU; you can download source code and create a binary package even if the developers didn’t provide explicit support for your CPU. Creating a binary package from source has advantages over compiling software from source in more conventional ways, because you can then use the package management system to track dependencies, attend to individual files, and so on.

Both the RPM and Debian package systems provide all of these basic features, although the details of their operation differ. These two package systems are incompatible with one another in the sense that their package files and their installed file databases are different; you can’t directly install an RPM package on a Debian-based system or vice versa. (Tools to convert between formats do exist, and developers are working on ways to better integrate the two package formats.)
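The limit described under Checksums can be seen with a small stand-in for a package database. This is an added example, not code from the book or from RPM or Debian: the directory layout, the file names, and the record, verify and scenario functions are constructed for illustration, and sha256sum stands in for whatever checksum the package system uses.

```shell
#!/bin/sh
# Added illustration, not the RPM or Debian implementation: a checksum
# database stored on the same system as the files it describes.

# Record SHA-256 checksums of every file under directory $1 in manifest $2.
record() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Check directory $1 against manifest $2 (absolute path); print ok or changed.
verify() {
    if ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1; then
        echo ok
    else
        echo changed
    fi
}

scenario() {
    root=$(mktemp -d) || return 1     # constructed stand-in for installed files
    onhost=$(mktemp) || return 1      # database kept on the system itself
    offhost=$(mktemp) || return 1     # copy taken at install time, kept elsewhere
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'SuperProg 1.0\n' > "$root/usr/bin/superprog"
    printf 'option=1\n' > "$root/etc/superprog.conf"
    record "$root" "$onhost"
    cp "$onhost" "$offhost"
    echo "fresh install, on-host database: $(verify "$root" "$onhost")"

    # Accidental overwrite or disk error: the file changes, the database does not.
    printf 'garbage\n' > "$root/usr/bin/superprog"
    echo "after accidental overwrite, on-host database: $(verify "$root" "$onhost")"

    # A replacement installed through the packaging tool updates the database
    # along with the file, so the on-host check has nothing to object to.
    record "$root" "$onhost"
    echo "after reinstall through the tool, on-host database: $(verify "$root" "$onhost")"
    echo "same files, install-time copy kept elsewhere: $(verify "$root" "$offhost")"
    rm -rf "$root" "$onhost" "$offhost"
}

scenario
```

The on-host check reports the accidental change but accepts the reinstalled file; only the reference copy that was not updated along with the files still reports a difference.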

Most distributions install just one package system. It’s possible to install more than one, though, and some programs (such as alien) require both for full functionality. Actually using both systems to install software is inadvisable because their databases are separate. If you install a library using a Debian package and then try to install an RPM package that relies on that library, RPM won’t realize that the library is already installed and will return an error.

Using RPM

The most popular package manager in the Linux world is the RPM Package Manager (RPM). RPM is also available on non-Linux platforms, although it sees less use outside the Linux world. The RPM system provides all the basic tools described in the preceding section, “Package Concepts,” such as a package database that allows for identifying conflicts and ownership of particular files.

RPM Distributions and Conventions

Red Hat developed RPM for its own distribution. Red Hat released the software under the General Public License (GPL), however, so others have been free to use it in their own distributions—and this is precisely what has happened. Some distributions, such as Mandriva (formerly Mandrake) and Yellow Dog, are based on Red Hat, so they use RPMs as well as many other parts of the Red Hat distribution. Others, such as SUSE, borrow less from the Red Hat template, but they do use RPMs. Of course, all Linux distributions share many common components, so even those that weren’t originally based on Red Hat are very similar to it in many ways other than their use of RPM packages. On the other hand, distributions that were originally based on Red Hat have diverged from it over time. As a result, the group of RPM-using distributions shows substantial variability, but all of them are still Linux distributions that provide the same basic tools, such as the Linux kernel, common shells, an X server, and so on.

Red Hat has splintered into three distributions: Fedora is the downloadable version favored by home users, students, and businesses on a tight budget. The Red Hat name is now reserved for the for-pay version of the distribution, known more formally as Red Hat Enterprise Linux (RHEL). CentOS is a freely redistributable version intended for enterprise users.

RPM is a cross-platform tool. As noted earlier, some non-Linux Unix systems can use RPM, although most don’t use it as their primary package-distribution system. RPM supports any CPU architecture. Red Hat Linux is or has been available for at least five CPUs: x86, x86-64 (aka AMD64, EM64T, and x64), IA-64, Alpha, and SPARC. Among the distributions mentioned earlier, Yellow Dog is a PowerPC distribution (it runs on Apple PowerPC-based Macs and some non-Apple systems), and SUSE is available on x86, x86-64, and PowerPC systems. For the most part, source RPMs are transportable across architectures—you can use the same source RPM to build packages for x86, AMD64, PowerPC, Alpha, SPARC, or any other platform you like. Some programs are composed of architecture-independent scripts and so need no recompilation. There are also documentation and configuration packages that work on any CPU.

The convention for naming RPM packages is as follows:

packagename-a.b.c-x.arch.rpm

Each of the filename components has a specific meaning:

Package Name: The first component (packagename) is the name of the package, such as samba or samba-server for the Samba file and print server. Note that the same program may be given different package names by different distribution maintainers.

Version Number: The second component (a.b.c) is the package version number, such as 3.6.5. The version number doesn’t have to be three period-separated numbers, but that’s the most common form. The program author assigns the version number.

Build Number: The number following the version number (x) is the build number (also known as the release number). This number represents minor changes made by the package maintainer, not by the program author. These changes may represent altered startup scripts or configuration files, changed file locations, added documentation, or patches appended to the original program to fix bugs or to make the program more compatible with the target Linux distribution. Many distribution maintainers add a letter code to the build number to distinguish their packages from those of others. Note that these numbers are not comparable across package maintainers—George’s build number 5 of a package is not necessarily an improvement on Susan’s build number 4 of the same package.

Architecture: The final component preceding the .rpm extension (arch) is a code for the package’s architecture. The i386 architecture code is common; it represents a file compiled for any x86 CPU from the 80386 onward. Some packages include optimizations for Pentiums or newer (i586 or i686), and non-x86 binary packages use codes for their CPUs, such as ppc for PowerPC CPUs or x86_64 for the x86-64 platform. Scripts, documentation, and other CPU-independent packages generally use the noarch architecture code. The main exception to this rule is source RPMs, which use the src architecture code.

As an example of RPM version numbering, the Fedora 17 distribution for x86-64 ships with a Samba package called samba-3.6.5-86.fc17.1.x86_64.rpm, indicating that this is build 86.fc17.1 of Samba 3.6.5, compiled with x86-64 optimizations. These naming conventions are just that, though—conventions. It’s possible to rename a package however you like, and it will still install and work. The information in the filename is retained within the package. This fact can be useful if you’re ever forced to transfer RPMs using a medium that doesn’t allow for long filenames. In fact, early versions of SUSE eschewed long filenames, preferring short filenames such as samba.rpm.

In an ideal world, any RPM package will install and run on any RPM-based distribution that uses an appropriate CPU type. Unfortunately, compatibility issues can crop up from time to time, including the following:

- Distributions may use different versions of the RPM utilities. This problem can completely prevent an RPM from one distribution from being used on another.
- An RPM package designed for one distribution may have dependencies that are unmet in another distribution. A package may require a newer version of a library than is present on the distribution you’re using, for instance. This problem can usually be overcome by installing or upgrading the depended-on package, but sometimes doing so causes problems because the upgrade may break other packages. By rebuilding the package you want to install from a source RPM, you can often work around these problems, but sometimes the underlying source code also needs the upgraded libraries.
- An RPM package may be built to depend on a package of a particular name, such as samba-client depending on samba-common; but if the distribution you’re using has named the package differently, the rpm utility will object. You can override this objection by using the --nodeps switch, but sometimes the package won’t work once installed. Rebuilding from a source RPM may or may not fix this problem.
- Even when a dependency appears to be met, different distributions may include slightly different files in their packages. For this reason, a package meant for one distribution may not run correctly when installed on another distribution. Sometimes installing an additional package will fix this problem.
- Some programs include distribution-specific scripts or configuration files. This problem is particularly acute for servers, which may include startup scripts that go in /etc/rc.d/init.d or elsewhere. Overcoming this problem usually requires that you remove the offending script after installing the RPM and either start the server in some other way or write a new startup script, perhaps modeled after one that came with some other server for your distribution.

In most cases, it’s best to use the RPMs intended for your distribution. RPM meta-packagers, such as the Yellow Dog Updater, Modified (Yum), can simplify locating and installing packages designed for your distribution. If you’re forced to go outside of your distribution’s officially supported list of packages, mixing and matching RPMs from different distributions usually works reasonably well for most programs. This is particularly true if the distributions are closely related or you rebuild from a source RPM. If you have trouble with an RPM, though, you may do well to try to find an equivalent package that was built with your distribution in mind.
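The packagename-a.b.c-x.arch.rpm convention described above can be taken apart mechanically, as long as the fields are read from the right, because package names such as samba-server contain hyphens of their own. This is an added example, not from the book: the function names are made up for illustration, and samba-server-3.6.5-1.i386.rpm is a constructed filename.

```shell
#!/bin/sh
# Added illustration: split an RPM filename according to the
# packagename-a.b.c-x.arch.rpm convention. The filename is only a label that
# anyone can change; the package's own metadata is what rpm acts on.

# Prints "name version release arch"; returns 1 if the name does not fit.
parse_rpm_filename() {
    base=${1##*/}                                  # drop any leading directory
    case $base in *.rpm) ;; *) return 1 ;; esac
    stem=${base%.rpm}
    case $stem in *.*) ;; *) return 1 ;; esac      # no architecture field
    arch=${stem##*.}                               # text after the last dot
    rest=${stem%.*}
    case $rest in *-*-*) ;; *) return 1 ;; esac    # need name-version-release
    release=${rest##*-}                            # text after the last hyphen
    rest=${rest%-*}
    version=${rest##*-}
    name=${rest%-*}                                # may itself contain hyphens
    [ -n "$name" ] && [ -n "$version" ] && [ -n "$release" ] && [ -n "$arch" ] || return 1
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Describe an architecture code the way the text above classifies it.
arch_kind() {
    case $1 in
        src)    echo "source package" ;;
        noarch) echo "CPU-independent package" ;;
        *)      echo "binary package for $1" ;;
    esac
}

# The first two names and samba.rpm appear in the text; the third is constructed.
for f in samba-3.6.5-86.fc17.1.x86_64.rpm samba-3.6.5-86.fc17.1.src.rpm \
         samba-server-3.6.5-1.i386.rpm samba.rpm; do
    if fields=$(parse_rpm_filename "$f"); then
        set -- $fields
        echo "$f: name=$1 version=$2 release=$3 -> $(arch_kind "$4")"
    else
        echo "$f: does not follow the convention; query the package itself (rpm -qip $f)"
    fi
done
```

A renamed file such as samba.rpm carries no usable fields, which is why the package's own header, not the filename, should be consulted before installing.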

The rpm Command Set

The main RPM utility program is known as rpm. Use this program to install or upgrade a package at the shell prompt. The rpm command has the following syntax:

rpm [operation][options] [package-files|package-names]

Table 2.1 summarizes the most common rpm operations, and Table 2.2 summarizes the most important options. Be aware, however, that rpm is a complex tool, so this listing is necessarily incomplete. For information about operations and options more obscure than those listed in Tables 2.1 and 2.2, see the man pages for rpm. Many of rpm’s less-used features are devoted to the creation of RPM packages by software developers.

TABLE 2.1 Common rpm operations

Operation          Description
-i                 Installs a package; system must not contain a package of the same name
-U                 Installs a new package or upgrades an existing one
-F or --freshen    Upgrades a package only if an earlier version already exists
-q                 Queries a package—finds whether a package is installed, what files it contains, and so on
-V or --verify     Verifies a package—checks that its files are present and unchanged since installation
-e                 Uninstalls a package
-b                 Builds a binary package, given source code and configuration files; moved to the rpmbuild program with RPM version 4.2
--rebuild          Builds a binary package, given a source RPM file; moved to the rpmbuild program with RPM version 4.2
--rebuilddb        Rebuilds the RPM database to fix errors

TABLE 2.2 Most-important rpm options

Option                    Used with operations   Description
--root dir                Any                    Modifies the Linux system having a root directory located at dir. This option can be used to maintain one Linux installation discrete from another one (say, during OS installation or emergency maintenance).
--force                   -i, -U, -F             Forces installation of a package even when it means overwriting existing files or packages.
-h or --hash              -i, -U, -F             Displays a series of hash marks (#) to indicate the progress of the operation.
-v                        -i, -U, -F             Used in conjunction with the -h option to produce a uniform number of hash marks for each package.
--nodeps                  -i, -U, -F, -e         Specifies that no dependency checks be performed. Installs or removes the package even if it relies on a package or file that’s not present or is required by a package that’s not being uninstalled.
--test                    -i, -U, -F             Checks for dependencies, conflicts, and other problems without actually installing the package.
--prefix path             -i, -U, -F             Sets the installation directory to path (works only for some packages).
-a or --all               -q, -V                 Queries or verifies all packages.
-f file or --file file    -q, -V                 Queries or verifies the package that owns file.
-p package-file           -q                     Queries the uninstalled RPM package-file.
-i                        -q                     Displays package information, including the package maintainer, a short description, and so on.
-R or --requires          -q                     Displays the packages and files on which this one depends.
-l or --list              -q                     Displays the files contained in the package.

To use rpm, you combine one operation with one or more options. In most cases, you include one or more package names or package filenames as well. (A package filename is a complete filename, but a package name is a shortened version. For instance, a package filename might be samba-3.6.5-86.fc17.1.x86_64.rpm, whereas the matching package name is samba.) You can issue the rpm command once for each package, or you can list multiple packages, separated by spaces, on the command line. The latter is often preferable when you’re installing or removing several packages, some of which depend on others in the group. Issuing separate commands in this situation requires that you install the depended-on package first or remove it last, whereas issuing a single command allows you to list the packages on the command line in any order.

Some operations require that you give a package filename, and others require a package name. In particular, -i, -U, -F, and the rebuild operations require package filenames; -q, -V, and -e normally take a package name, although the -p option can modify a query (-q) operation to work on a package filename.

When you’re installing or upgrading a package, the -U operation is generally the most useful because it enables you to install the package without manually uninstalling the old one. This one-step operation is particularly helpful when packages contain many dependencies; rpm detects these and can perform the operation should the new package fulfill the dependencies provided by the old one.

To use rpm to install or upgrade a package, issue a command similar to the following:

# rpm -Uvh samba-3.6.5-86.fc17.1.x86_64.rpm

You can also use rpm -ivh in place of rpm -Uvh if you don’t already have a samba package installed.

It’s possible to distribute the same program under different names. In this situation, upgrading may fail or it may produce a duplicate installation, which can yield bizarre program-specific malfunctions. Red Hat has described a formal system for package naming to avoid such problems, but they still occur occasionally. Therefore, it’s best to upgrade a package using a subsequent release provided by the same individual or organization that provided the original.

Verify that the package is installed with the rpm -qi command, which displays information such as when and on what computer the binary package was built. Listing 2.1 demonstrates this command. (rpm -qi also displays an extended plain-English summary of what the package is, which has been omitted from Listing 2.1.)

Listing 2.1: RPM query output

$ rpm -qi samba
Name: samba
Epoch: 2
Version: 3.6.5
Release: 86.fc17.1
Architecture: x86_64
Install Date: Mon 16 Jul 2012 12:28:51 PM EDT
Group: System Environment/Daemons
Size: 18503445
License: GPLv3+ and LGPLv3+
Signature: RSA/SHA256, Fri 04 May 2012 11:03:50 AM EDT, Key ID 50e94c991aca3465
Source RPM: samba-3.6.5-86.fc17.1.src.rpm
Build Date: Fri 04 May 2012 08:42:51 AM EDT
Build Host: x86-06.phx2.fedoraproject.org
Relocations: (not relocatable)
Packager: Fedora Project
Vendor: Fedora Project
URL: http://www.samba.org/
Summary: Server and Client software to interoperate with Windows machines

Extracting Data from RPMs

Occasionally you may want to extract data from RPMs without installing the package. For instance, this can be a good way to retrieve the original source code from a source RPM for compiling the software without the help of the RPM tools or to retrieve fonts or other non-program data for use on a non-RPM system.

RPM files are actually modified cpio archives. Thus, converting the files into cpio files is relatively straightforward, whereupon you can use cpio to retrieve the individual files. To do this job, you need to use the rpm2cpio program, which ships with most Linux distributions. (You can use this tool even on distributions that don’t use RPM.) This program takes a single argument—the name of the RPM file—and outputs the cpio archive on standard output. So, if you want to create a cpio archive file, you must redirect the output:

$ rpm2cpio samba-3.6.5-86.fc17.1.src.rpm > samba-3.6.5-86.fc17.1.src.cpio

The redirection operator (>) is described in more detail in Chapter 1, “Exploring Linux Command-Line Tools,” as is the pipe operator (|), which is mentioned shortly. Chapter 4, “Managing Files,” describes cpio in more detail.

You can then extract the data using cpio, which takes the -i option to extract an archive and --make-directories to create directories:

$ cpio -i --make-directories < samba-3.6.5-86.fc17.1.src.cpio

Alternatively, you can use a pipe to link these two commands together without creating an intermediary file:

$ rpm2cpio samba-3.6.5-86.fc17.1.src.rpm | cpio -i --make-directories

In either case, the result is an extraction of the files in the archive in the current directory. In the case of binary packages, this is likely to be a series of subdirectories that mimic the layout of the Linux root directory—that is, usr, lib, etc, and so on, although precisely which directories are included depends on the package. For a source package, the result of the extraction process is likely to be a source code tarball, a .spec file (which holds information RPM uses to build the package), and perhaps some patch files.

When you’re extracting data from an RPM file using rpm2cpio and cpio, create a holding subdirectory and then extract the data into this subdirectory. This practice will ensure that you can find all the files. If you extract files in your home directory, some of them may get lost amidst your other files. If you extract files as root in the root (/) directory, they could conceivably overwrite files that you want to keep.
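The holding-directory advice above, as an added example that is not part of the original text: the sketch lists the payload first, refuses archives whose members are absolute or contain a .. component, and then unpacks into a fresh subdirectory. The function names, the rpm-extract.XXXXXX directory template and the sample listing are assumptions; --no-absolute-filenames is a GNU cpio option.

```shell
#!/bin/sh
# Added example: inspect an RPM payload listing before unpacking it into
# a fresh holding directory.

# Constructed sample of `rpm2cpio pkg.rpm | cpio -t` output. The last two
# entries are constructed to show what the check rejects.
SAMPLE_LISTING='./usr/bin/zsh
./usr/share/doc/zsh/README
./etc/zshrc
/etc/cron.d/job
./usr/../../home/user/.bashrc'

# Read a member listing on stdin; print every member that would land
# outside the extraction directory: absolute paths, or any path with a
# ".." component. Names that merely contain dots (foo..bar) are fine.
unsafe_members() {
    awk '
        /^\// { print; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; next }
        }'
}

# Extract RPM file $1 into a new holding directory created under $2
# (default: the current directory). Prints the holding directory on
# success. Returns 1 if the archive is refused or extraction fails,
# 2 if a tool or the file is missing.
extract_rpm() {
    rpm_file=$1
    parent=${2:-.}
    command -v rpm2cpio >/dev/null 2>&1 || { echo "rpm2cpio not found" >&2; return 2; }
    command -v cpio >/dev/null 2>&1 || { echo "cpio not found" >&2; return 2; }
    [ -r "$rpm_file" ] || { echo "cannot read $rpm_file" >&2; return 2; }

    # Step 1: list only, and check the member names.
    bad=$(rpm2cpio "$rpm_file" | cpio -t 2>/dev/null | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing to extract, unsafe members:\n%s\n' "$bad" >&2
        return 1
    fi

    # Step 2: unpack inside a new, empty directory so nothing mixes with
    # or overwrites existing files.
    holding=$(mktemp -d "$parent/rpm-extract.XXXXXX") || return 2
    case $rpm_file in
        /*) abs=$rpm_file ;;
        *)  abs=$PWD/$rpm_file ;;
    esac
    ( cd "$holding" &&
      rpm2cpio "$abs" | cpio -i --make-directories --no-absolute-filenames
    ) || return 1
    printf '%s\n' "$holding"
}
```

Run it as a normal user, for instance extract_rpm samba-3.6.5-86.fc17.1.src.rpm, and inspect the printed directory before copying anything out of it.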

Another option for extracting data from RPMs is to use alien, which is described later in “Converting Between Package Formats.” This program can convert an RPM into a Debian package or a tarball.

Using Yum

Yum (http://yum.baseurl.org), mentioned earlier, is one of several meta-packagers—it enables you to easily install a package and all its dependencies using a single command line. When using Yum, you don’t even need to locate and download the package files, because Yum does this for you by searching in one or more repositories—Internet sites that host RPM files for a particular distribution.

Yum originated with the fairly obscure Yellow Dog Linux distribution, but it’s since been adopted by Red Hat, CentOS, Fedora, and some other RPM-based distributions. Yum isn’t used by all RPM-based distributions, though; SUSE and Mandriva, to name just two, each use their own meta-packagers. Debian-based distributions generally employ the Advanced Package Tools (APT), as described later in “Using apt-get.” Nonetheless, because of the popularity of Red Hat, CentOS, and Fedora, knowing Yum can be valuable.

The most basic way to use Yum is with the yum command, which has the following syntax:

yum [options] [command] [package...]

Which options are available depend on the command you use. Table 2.3 describes common yum commands.

TABLE 2.3 Common yum commands

Command                   Description
install                   Installs one or more packages by package name. Also installs dependencies of the specified package or packages.
update                    Updates the specified package or packages to the latest available version. If no packages are specified, yum updates every installed package.
check-update              Checks to see whether updates are available. If they are, yum displays their names, versions, and repository area (updates or extras, for instance).
upgrade                   Works like update with the --obsoletes flag set, which handles obsolete packages in a way that’s superior when performing a distribution version upgrade.
remove or erase           Deletes a package from the system; similar to rpm -e, but yum also removes depended-on packages.
list                      Displays information about a package, such as the installed version and whether an update is available.
provides or whatprovides  Displays information about packages that provide a specified program or feature. For instance, typing yum provides samba lists all the Samba-related packages, including every available update. Note that the output can be copious.
search                    Searches package names, summaries, packagers, and descriptions for a specified keyword. This is useful if you don’t know a package’s name but can think of a word that’s likely to appear in one of these fields but not in these fields for other packages.
info                      Displays information about a package, similar to the rpm -qi command.
clean                     Cleans up the Yum cache directory. Running this command from time to time is advisable, lest downloaded packages chew up too much disk space.
shell                     Enters the Yum shell mode, in which you can enter multiple Yum commands one after another.
resolvedep                Displays packages matching the specified dependency.
localinstall              Installs the specified local RPM files, using your Yum repositories to resolve dependencies.
localupdate               Updates the system using the specified local RPM files, using your Yum repositories to resolve dependencies. Packages other than those updated by local files and their dependencies are not updated.
deplist                   Displays dependencies of the specified package.

In most cases, using Yum is easier than using RPM directly to manage packages, because Yum finds the latest available package, downloads it, and installs any required dependencies. Yum has its limits, though; it’s only as good as its repositories, so it can’t install software that’s not stored in those repositories.

If you use Yum to automatically upgrade all packages on your system, you’re effectively giving control of your system to the distribution maintainer. Although Red Hat or other distribution maintainers are unlikely to try to break into your computer in this way, an automatic update with minimal supervision on your part could easily break something on your system, particularly if you’ve obtained packages from unusual sources in the past.

If you don’t want to install the package but merely want to obtain it, you can use yumdownloader. Type this command followed by the name of a package, and the latest version of the package will be downloaded to the current directory. This can be handy if you need to update a system that’s not connected to the Internet; you can use another computer that runs the same distribution to obtain the packages and then transfer them to the target system.

If you prefer to use GUI tools rather than command-line tools, you should be aware that GUI front-ends to yum exist. Examples include yumex and kyum. You can use the text-mode yum to install these front-ends, as in yum install kyum.

Exercise 2.1 runs you through the process of managing packages using the rpm utility.

EXERCISE 2.1 Managing Packages Using RPM

To manage packages using the rpm utility, follow these steps:

1. Log into the Linux system as a normal user.
2. Acquire a package to use for testing purposes. You can try using a package from your distribution that you know you haven’t installed; but if you try a random package, you may find it’s already installed or has unmet dependencies. This lab uses as an example the installation of zsh-4.3.17-1.fc17.x86_64.rpm, a shell that’s not installed by default on most systems, from the Fedora 17 DVD onto a Fedora 17 system. You must adjust the commands as necessary if you use another RPM file in your tests.
3. Launch an xterm from the desktop environment’s menu system if you used a GUI login.
4. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session New Root Console from a Konsole window, or by using sudo (if it’s configured) to run the commands in the following steps.
5. Type rpm -q zsh to verify that the package isn’t currently installed. The system should respond with the message package zsh is not installed.
6. Type rpm -qpi zsh-4.3.17-1.fc17.x86_64.rpm. (You’ll need to provide a complete path to the package file if it’s not in your current directory.) The system should respond by displaying information about the package, such as the version number, the vendor, the hostname of the machine on which it was built, and a package description.
7. Type rpm -ivh zsh-4.3.17-1.fc17.x86_64.rpm. The system should install the package and display a series of hash marks (#) as it does so.
8. Type rpm -q zsh. The system should respond with the complete package name, including the version and build numbers. This response verifies that the package is installed.
9. Type zsh. This launches a Z shell, which functions much like the more common bash and tcsh shells. You’re likely to see your command prompt change, but you can issue most of the same commands you can use with bash or tcsh.
10. Type rpm -V zsh. The system shouldn’t produce any output—just a new command prompt. The verify (-V or --verify) command checks the package files against data stored in the database. Immediately after installation, most packages should show no deviations. (A handful of packages will be modified during installation, but zsh isn’t one of them.)
11. Type rpm -e zsh. The system shouldn’t produce any output—just a new command prompt. This command removes the package from the system. Note that you’re removing the zsh package while running the zsh program. Linux continues to run the zsh program you’re using, but you’ll be unable to launch new instances of the program. Some programs may misbehave if you do this because files will be missing after you remove the package.
12. Type exit to exit zsh and return to your normal shell.
13. Type rpm -q zsh. The system should respond with a package zsh is not installed error because you’ve just uninstalled the package.
14. Type yum install zsh. The system should check your repositories, download zsh, and install it. It will ask for confirmation before beginning the download.
15. Type rpm -q zsh. The results should be similar to those in step 8, although the version number may differ.
16. Type rpm -e zsh. This step removes zsh from the system but produces no output, just as in step 11.

The final three steps will work only if your distribution uses Yum. If you’re using a distribution that uses another tool, you may be able to locate and use its equivalent, such as zypper for SUSE.

RPM and Yum Configuration Files

Ordinarily, you needn’t explicitly configure RPM or Yum; distributions that use RPM configure it in reasonable ways by default. Sometimes, though, you may want to tweak a few details, particularly if you routinely build source RPM packages and want to optimize the output for your computer. You may also want to add a Yum repository for some unusual software you run. To do so, you typically edit an RPM or Yum configuration file.

The main RPM configuration file is /usr/lib/rpm/rpmrc. This file sets a variety of options, mostly related to the CPU optimizations used when compiling source packages. You shouldn’t edit this file, though; instead, you should create and edit /etc/rpmrc (to make global changes) or ~/.rpmrc (to make changes on a per-user basis). The main reason to create such a file is to implement architecture optimizations—for instance, to optimize your code for your CPU model by passing appropriate compiler options when you build a source RPM into a binary RPM. This is done with the optflags line:

optflags: athlon -O2 -g -march=i686

This line tells RPM to pass the -O2 -g -march=i686 options to the compiler whenever building for the athlon platform. Although RPM can determine your system’s architecture, the optflags line by itself isn’t likely to be enough to set the correct flags. Most default rpmrc files include a series of buildarchtranslate lines that cause rpmbuild (or rpm for older versions of RPM) to use one set of optimizations for a whole family of CPUs. For x86 systems, these lines typically look like this:

buildarchtranslate: athlon: i386
buildarchtranslate: i686: i386
buildarchtranslate: i586: i386
buildarchtranslate: i486: i386
buildarchtranslate: i386: i386

These lines tell RPM to translate the athlon, i686, i586, i486, and i386 CPU codes to use the i386 optimizations. This effectively defeats the purpose of any CPU-specific optimizations you create on the optflags line for your architecture, but it guarantees that the RPMs you build will be maximally portable. To change matters, you must alter the line for your CPU type, as returned when you type uname -p. For instance, on an Athlon-based system, you might enter the following line:

buildarchtranslate: athlon: athlon

Thereafter, when you rebuild a source RPM, the system will use the appropriate Athlon optimizations. The result can be a slight performance boost on your own system, but reduced portability—depending on the precise optimizations you choose, such packages may not run on non-Athlon CPUs. (Indeed, you may not even be able to install them on non-Athlon CPUs!)

Yum is configured via the /etc/yum.conf file, with additional configuration files in the /etc/yum.repos.d/ directory. The yum.conf file holds basic options, such as the directory to which Yum downloads RPMs and where Yum logs its activities. Chances are you won’t need to modify this file. The /etc/yum.repos.d/ directory, on the other hand, potentially holds several files, each of which describes a Yum repository—that is, a site that holds RPMs that may be installed via Yum. You probably shouldn’t directly edit these files; instead, if you want to add a repository, you should manually download the RPM that includes the repository configuration and install it using rpm. The next time you use Yum, it will access your new repository along with the old ones. Several Yum repositories exist, mostly for Red Hat, CentOS, and Fedora, such as the following:

Livna: This repository (http://rpm.livna.org/) hosts multimedia tools, such as additional codecs and video drivers.

KDE Red Hat: Red Hat, CentOS, and Fedora favor the GNU Network Object Model Environment (GNOME) desktop environment, although they ship with the K Desktop Environment (KDE), too. The repository at http://kde-redhat.sourceforge.net provides improved KDE RPMs for those who favor KDE.

Fresh RPMs: This repository (http://freshrpms.net) provides additional RPMs, mostly focusing on multimedia applications and drivers.

Many additional repositories exist. Try a Web search on terms such as yum repository, or check the Web page of any site that hosts unusual software you want to run to see whether it provides a Yum repository. If so, it should provide an RPM or other instructions on adding its site to your Yum repository list.

RPM Compared to Other Package Formats

RPM is a very flexible package management system. In most respects, it’s comparable to Debian’s package manager, and it offers many more features than tarballs do. When compared to Debian packages, the greatest strength of RPMs is probably their ubiquity. Many software packages are available in RPM form from their developers and/or from distribution maintainers.

Distribution packagers frequently modify the original programs in order to make them integrate more smoothly into the distribution as a whole. For instance, distribution-specific startup scripts may be added, program binaries may be relocated from default /usr/local subdirectories, and program source code may be patched to fix bugs or add features. Although these changes can be useful, you may not want them, particularly if you’re using a program on a distribution other than the one for which the package was intended.

The fact that there are so many RPM-based distributions can be a boon. You may be able to use an RPM intended for one distribution on another, although as noted earlier, this isn’t certain. In fact, this advantage can turn into a drawback if you try to mix and match too much—you can wind up with a mishmash of conflicting packages that can be difficult to disentangle.

The RPMFind Web site, http://rpmfind.net, is an extremely useful resource when you want to find an RPM of a specific program. Another site with similar characteristics is Fresh RPMs, http://freshrpms.net. These sites include links to RPMs built by programs’ authors, specific distributions’ RPMs, and those built by third parties. Adding such sites as Yum repositories can make them even easier to use.

Compared to tarballs, RPMs offer much more sophisticated package management tools. This can be important when you’re upgrading or removing packages and also for verifying the integrity of installed packages. On the other hand, although RPMs are common in the Linux world, they’re less common on other platforms. Therefore, you’re more likely to find tarballs of generic Unix source code, and tarballs are preferred if you’ve written a program that you intend to distribute for other platforms.

Using Debian Packages

In their overall features, Debian packages are similar to RPMs; but the details of operation for each differ, and Debian packages are used on different distributions than are RPMs. Because each system uses its own database format, RPMs and Debian packages aren’t interchangeable without converting formats. Using Debian packages requires knowing how to use the dpkg, dselect, and apt-get commands. A few other commands can also be helpful.

Debian Distributions and Conventions

As the name implies, Debian packages originated with the Debian distribution. Since that time, the format has been adopted by several other distributions, including Ubuntu, Linux Mint, and Xandros. Such distributions are derived from the original Debian, which means that packages from the original Debian are likely to work well on other Debian-based systems. Although Debian doesn’t emphasize flashy GUI configuration tools, its derivatives tend to be more GUI-centric, which makes these distributions more appealing to Linux novices. The original Debian favors a system that’s as bug-free as possible, and it tries to adhere strictly to open source software principles rather than invest effort in GUI configuration tools. The original Debian is unusual in that it’s maintained not by a company that is motivated by profit, but rather by volunteers who are motivated by the desire to build a product they want to use.

Like RPM, the Debian package format is neutral with respect to both OS and CPU type. Debian packages are extremely rare outside Linux, although various systems that used the Debian package system and software library atop non-Linux kernels have been attempted, and largely abandoned, with the exception of kFreeBSD (http://www.debian.org/ports/kfreebsd-gnu/).

The original Debian distribution has been ported to many different CPUs, including x86, x86-64, IA-64, ARM, PowerPC, Alpha, 680x0, MIPS, and SPARC. The original architecture was x86, and subsequent ports exist at varying levels of maturity. Derivative distributions generally work only on x86 or x86-64 systems, but this could change in the future.

Debian packages follow a naming convention similar to that for RPMs; but Debian packages sometimes omit codes in the filename to specify a package’s architecture, particularly on x86 packages. When these codes are present, they may differ from RPM conventions. For instance, a filename ending in i386.deb indicates an x86 binary, powerpc.deb is a PowerPC binary, and all.deb indicates a CPU-independent package, such as documentation or scripts. As with RPM files, this file-naming convention is only that—a convention. You can rename a file as you see fit, to either include or omit the processor code. There is no code for Debian source packages because, as described in the upcoming section “Debian Packages Compared to Other Package Formats,” Debian source packages consist of several separate files.

The dpkg Command Set

Debian packages are incompatible with RPM packages, but the basic principles of operation are the same across both package types. Like RPMs, Debian packages include dependency information, and the Debian package utilities maintain a database of installed packages, files, and so on. You use the dpkg command to install a Debian package. This command’s syntax is similar to that of rpm:

dpkg [options] [action] [package-files|package-name]

The action is the action to be taken; common actions are summarized in Table 2.4. The options (Table 2.5) modify the behavior of the action, much like the options to rpm.

TABLE 2.4 dpkg primary actions

Action                          Description
-i or --install                 Installs a package
--configure                     Reconfigures an installed package: runs the post-installation script to set site-specific options
-r or --remove                  Removes a package but leaves configuration files intact
-P or --purge                   Removes a package, including configuration files
--get-selections                Displays currently installed packages
-p or --print-avail             Displays information about an installed package
-I or --info                    Displays information about an uninstalled package file
-l pattern or --list pattern    Lists all installed packages whose names match pattern
-L or --listfiles               Lists the installed files associated with a package
-S pattern or --search pattern  Locates the package(s) that own the file(s) specified by pattern
-C or --audit                   Searches for partially installed packages and suggests what to do with them

TABLE 2.5 Options for fine-tuning dpkg actions

Option                     Used with actions  Description
--root=dir                 All                Modifies the Linux system using a root directory located at dir. Can be used to maintain one Linux installation discrete from another one, say during OS installation or emergency maintenance.
-B or --auto-deconfigure   -r                 Disables packages that rely on one that is being removed.
--force-things             Assorted           Overrides defaults that would ordinarily cause dpkg to abort. Consult the dpkg man page for details of things this option does.
--ignore-depends=package   -i, -r             Ignores dependency information for the specified package.
--no-act                   -i, -r             Checks for dependencies, conflicts, and other problems without actually installing or removing the package.
--recursive                -i                 Installs all packages that match the package-name wildcard in the specified directory and all subdirectories.
-G                         -i                 Doesn’t install the package if a newer version of the same package is already installed.
-E or --skip-same-version  -i                 Doesn’t install the package if the same version of the package is already installed.

As with rpm, dpkg expects a package name in some cases and a package filename in others. Specifically, --install (-i) and --info (-I) both require the package filename, but the other commands take the shorter package name.

As an example, consider the following command, which installs the samba_2:3.6.3-2ubuntu2.3_amd64.deb package:

# dpkg -i samba_2:3.6.3-2ubuntu2.3_amd64.deb

If you’re upgrading a package, you may need to remove an old package before installing the new one. To do this, use the -r option to dpkg, as in the following:

# dpkg -r samba

To find information about an installed package, use the -p parameter to dpkg, as shown in Listing 2.2. This listing omits an extended English description of what the package does.

Listing 2.2: dpkg package information query output

$ dpkg -p samba

Package: samba
Priority: optional
Section: net
Installed-Size: 22862
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Version: 2:3.6.3-2ubuntu2.3
Replaces: samba-common (<= 2.0.5a-2)
Depends: samba-common (= 2:3.6.3-2ubuntu2.3), libwbclient0
 (= 2:3.6.3-2ubuntu2.3), libacl1 (>= 2.2.51-5), libattr1 (>= 1:2.4.46-5),
 libc6 (>= 2.15), libcap2 (>= 2.10), libcomerr2 (>= 1.01), libcups2
 (>= 1.4.0), libgssapi-krb5-2 (>= 1.10+dfsg~), libk5crypto3 (>= 1.6.dfsg.2),
 libkrb5-3 (>= 1.10+dfsg~), libldap-2.4-2 (>= 2.4.7), libpam0g
 (>= 0.99.7.1), libpopt0 (>= 1.14), libtalloc2 (>= 2.0.4~git20101213),
 libtdb1 (>= 1.2.7+git20101214), zlib1g (>= 1:1.1.4), debconf (>= 0.5)
 | debconf-2.0, upstart-job, libpam-runtime (>= 1.0.1-11),
 libpam-modules, lsb-base (>= 3.2-13), procps, update-inetd,
 adduser, samba-common-bin
Recommends: logrotate, tdb-tools
Suggests: openbsd-inetd | inet-superserver, smbldap-tools, ldb-tools,
 ctdb, ufw
Conflicts: samba4 (<< 4.0.0~alpha6-2)
Size: 8042012

Debian-based systems often use a pair of somewhat higher-level utilities, apt-get and dselect, to handle package installation and removal. These utilities are described later in “Using apt-get” and “Using dselect, aptitude, and Synaptic.” Their interfaces can be very useful when you want to install several packages, but dpkg is often more convenient when you’re manipulating just one or two packages. Because dpkg can take package filenames as input, it’s also the preferred method of installing a package that you download from an unusual source or create yourself.

Using apt-cache

The APT suite of tools includes a program, apt-cache, that’s intended solely to provide information about the Debian package database (known in Debian terminology as the package cache). You may be interested in using several features of this tool:

Display Package Information: Using the showpkg subcommand, as in apt-cache showpkg samba, displays information about the package. The information displayed is different from that returned by dpkg’s informational actions.

Display Package Statistics: You can learn how many packages you’ve installed, how many dependencies are recorded, and various other statistics about the package database by passing the stats subcommand, as in apt-cache stats.

Find Unmet Dependencies: If a program is reporting missing libraries or files, typing apt-cache unmet may help; this function of apt-cache returns information about unmet dependencies, which may help you track down the source of missing-file problems.

Display Dependencies: Using the depends subcommand, as in apt-cache depends samba, shows all of the specified package’s dependencies. This information can be helpful in tracking down dependency-related problems. The rdepends subcommand finds reverse dependencies—packages that depend on the one you specify.

Locate All Packages: The pkgnames subcommand displays the names of all the packages installed on the system. If you include a second parameter, as in apt-cache pkgnames sa, the program returns only those packages that begin with the specified string.

Several more subcommands and options exist, but these are the ones you’re most likely to use. Several apt-cache subcommands are intended for package maintainers and debugging serious package database problems rather than day-to-day system administration. Consult the man page for apt-cache for more information.

Using apt-get

APT, with its apt-get utility, is Debian’s equivalent to Yum on certain RPM-based distributions. This meta-packaging tool enables you to perform easy upgrades of packages, especially if you have a fast Internet connection. Debian-based systems include a file, /etc/apt/sources.list, that specifies locations from which important packages can be obtained. If you installed the OS from a CD-ROM drive, this file will initially list directories on the installation CD-ROM in which packages can be found. There are also likely to be a few lines near the top, commented out with hash marks (#), indicating directories on an FTP site or a Web site from which you can obtain updated packages. (These lines may be uncommented if you did a network install initially.)

Don’t add a site to /etc/apt/sources.list unless you’re sure it can be trusted. The apt-get utility does automatic and semiautomatic upgrades, so if you add a network source to sources.list and that source contains unreliable programs or programs with security holes, your system will become vulnerable after upgrading via apt-get.
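The caution above can be turned into a routine check. This added example, which is not part of the original text, parses sources.list entries and reports every active network source whose host is not on a reviewed allowlist. The sample entries, the ALLOWED_HOSTS list and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report APT sources whose host has not been reviewed.

# Constructed sample of sources.list contents; packages.example.org is a
# placeholder for a third-party site.
SAMPLE_SOURCES='# deb cdrom:[Ubuntu 12.04 LTS]/ precise main restricted
deb http://archive.ubuntu.com/ubuntu precise main restricted
deb-src http://archive.ubuntu.com/ubuntu precise main restricted
deb http://security.ubuntu.com/ubuntu precise-security main
deb [arch=amd64] http://packages.example.org/apt stable main
deb file:/srv/local-repo ./'

# Hosts that have been reviewed and accepted (assumption: space-separated).
ALLOWED_HOSTS='archive.ubuntu.com security.ubuntu.com'

# Read sources.list text on stdin. For every active deb or deb-src entry
# that points at a network host outside ALLOWED_HOSTS, print
# "host type uri". Commented-out lines and local sources are skipped.
unreviewed_sources() {
    awk -v allowed="$ALLOWED_HOSTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }              # comments, blank lines
        $1 != "deb" && $1 != "deb-src" { next }     # not a source entry
        {
            f = 2
            if ($f ~ /^\[/) {                       # skip "[option=value ...]"
                while (f < NF && $f !~ /\]$/) f++
                f++
            }
            uri = $f
            if (uri ~ "^(file|cdrom|copy):") next   # local media, no host
            host = uri
            sub("^[a-z0-9+.-]+://", "", host)       # drop the scheme
            sub("^[^/@]*@", "", host)               # drop user@ if present
            sub("[/:].*$", "", host)                # drop port and path
            if (!(host in ok)) print host, $1, uri
        }'
}

# Audit a sources.list file (default: /etc/apt/sources.list).
audit_sources_list() {
    list=${1:-/etc/apt/sources.list}
    [ -r "$list" ] || return 0
    unreviewed_sources < "$list"
}
```

Run audit_sources_list before apt-get update; any line it prints names a source to review or remove before upgrading.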

Although APT is most strongly associated with Debian systems, a port to RPM-based systems is also available. Check http://apt4rpm.sourceforge.net for information about this port.

The apt-get utility works by obtaining information about available packages from the sources listed in /etc/apt/sources.list and then using that information to upgrade or install packages. The syntax is similar to that of dpkg:

apt-get [options] [command] [package-names]

Table 2.6 lists the apt-get commands, and Table 2.7 lists the most commonly used options. In most cases, you won’t use any options with apt-get—just a single command and possibly one or more package names. One particularly common use of this utility is to keep your system up to date with any new packages. The following two commands will accomplish this goal if /etc/apt/sources.list includes pointers to up-to-date file archive sites:

# apt-get update
# apt-get dist-upgrade

TABLE 2.6 apt-get commands

Command          Description
update           Obtains updated information about packages available from the installation sources listed in /etc/apt/sources.list.
upgrade          Upgrades all installed packages to the newest versions available, based on locally stored information about available packages.
dselect-upgrade  Performs any changes in package status (installation, removal, and so on) left undone after running dselect.
dist-upgrade     Similar to upgrade, but performs “smart” conflict resolution to avoid upgrading a package if doing so would break a dependency.
install          Installs a package by package name (not by package filename), obtaining the package from the source that contains the most up-to-date version.
remove           Removes a specified package by package name.
source           Retrieves the newest available source package file by package filename using information about available packages and installation archives listed in /etc/apt/sources.list.
check            Checks the package database for consistency and broken package installations.
clean            Performs housekeeping to help clear out information about retrieved files from the Debian package database. If you don’t use dselect for package management, run this from time to time in order to save disk space.
autoclean        Similar to clean but removes information only about packages that can no longer be downloaded.

TABLE 2.7 Most-useful apt-get options

Option                                                         Used with commands                                 Description
-d or --download-only                                          upgrade, dselect-upgrade, install, source          Downloads package files but doesn’t install them.
-f or --fix-broken                                             install, remove                                    Attempts to fix a system on which dependencies are unsatisfied.
-m, --ignore-missing, or --fix-missing                         upgrade, dselect-upgrade, install, remove, source  Ignores all package files that can’t be retrieved (because of network errors, missing files, or the like).
-q or --quiet                                                  All                                                Omits some progress indicator information. May be doubled (for instance, -qq) to produce still less progress information.
-s, --simulate, --just-print, --dry-run, --recon, or --no-act  All                                                Performs a simulation of the action without actually modifying, installing, or removing files.
-y, --yes, or --assume-yes                                     All                                                Produces a “yes” response to any yes/no prompt in installation scripts.
-b, --compile, or --build                                      source                                             Compiles a source package after retrieving it.
--no-upgrade                                                   install                                            Causes apt-get to not upgrade a package if an older version is already installed.

If you use APT to automatically upgrade all packages on your system, you’re effectively giving control of your computer to the distribution maintainer. Although Debian or other distribution maintainers are unlikely to try to break into your computer in this way, an automatic update with minimal supervision on your part could easily break something on your system, particularly if you’ve obtained packages from unusual sources in the past.

In Exercise 2.2, you’ll familiarize yourself with the Debian package system.

EXERCISE 2.2 Managing Debian Packages

To manage Debian packages, follow these steps:

1. Log into the Linux system as a normal user.
2. Acquire a package to use for testing purposes. You can try using a package from your distribution that you know you haven’t installed; but if you try a random package, you may find it’s already installed or has unmet dependencies. This lab uses as an example the installation of zsh_4.3.17-1ubuntu1_amd64.deb, a shell that’s not installed by default on most systems, obtained using the -d option to apt-get on an Ubuntu 12.04 system. You must adjust the commands as necessary if you use another package, distribution, or architecture in your tests.
3. Launch an xterm from the desktop environment’s menu system if you used a GUI login.
4. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session New Root Console from a Konsole window, or by using sudo (if it’s configured) to run the commands in the following steps.
5. Type dpkg -L zsh to verify that the package isn’t currently installed. This command responds with a list of files associated with the package if it’s installed or with an error that reads Package `zsh' is not installed if it’s not.
6. Type dpkg -I zsh_4.3.17-1ubuntu1_amd64.deb. (You’ll need to add a complete path to the package file if it’s not in your current directory.) The system should respond by displaying information about the package, such as the version number, dependencies, the name of the package maintainer, and a package description.
7. Type dpkg -i zsh_4.3.17-1ubuntu1_amd64.deb. The system should install the package and display a series of lines summarizing its actions as it does so.
8. Type dpkg -p zsh. The system should respond with information about the package similar to that displayed in step 6.
9. Type zsh. This launches a Z shell, which functions much like the more common bash and tcsh shells. You’re likely to see your command prompt change slightly, but you can issue most of the same commands you can use with bash or tcsh.
10. Type dpkg -P zsh. This command removes the package from the system, including configuration files. It may produce a series of warnings about non-empty directories that it couldn’t remove. Note that you’re removing the zsh package while running the zsh program. Linux continues to run the zsh program you’re using, but you’ll be unable to launch new instances of the program. Some programs may misbehave because files will be missing after you remove the package.
11. Type exit to exit from zsh and return to your normal shell.
12. Type dpkg -L zsh. The system should respond with a Package `zsh' is not installed error because you’ve just uninstalled it.
13. Type apt-get install zsh to install zsh using the APT system. Depending on your configuration, the system may download the package from an Internet site or ask you to insert a CD-ROM. If it asks for a CD-ROM, insert it and press the Enter key. The system should install the package.
14. Type dpkg -p zsh. The system should respond with information about the package similar to that displayed in step 6 or 8.
15. Type dpkg -P zsh. This command removes the package from the system, as described in step 10.

Using dselect, aptitude, and Synaptic

The dselect program is a high-level package browser. Using it, you can select packages to install on your system from the APT archives defined in /etc/apt/sources.list, review the packages that are already installed on your system, uninstall packages, and upgrade packages. Overall, dselect is a powerful tool, but it can be intimidating to the uninitiated because it presents a lot of options that aren’t obvious, using a text-mode interactive user interface.

Although dselect supports a few command-line options, they’re mostly obscure or minor (such as options to set the color scheme). Consult dselect’s man page for details. To use the program, type dselect. The result is the dselect main menu, as shown running in a KDE Konsole window in Figure 2.1.

FIGURE 2.1 The dselect utility provides access to APT features using a menu system.

Another text-based Debian package manager is aptitude. In interactive mode, aptitude is similar to dselect in a rough way, but aptitude adds menus accessed by pressing Ctrl+T and rearranges some features. You can also pass various commands to aptitude on the command line, as in aptitude search samba, which searches for packages related to Samba. Features accessible from the command line (or the interactive interface) include the following:

Update Package Lists: You can update package lists from the APT repositories by typing aptitude update.

Install Software: The install command-line option installs a named package. This command has several variant names and syntaxes that modify its action. For instance, typing aptitude install zsh installs the zsh package, but typing aptitude install zsh- (with a trailing dash) and aptitude remove zsh both uninstall zsh.

Upgrade Software: The full-upgrade and safe-upgrade options both upgrade all installed packages. The safe-upgrade option is conservative about removing packages or installing new ones and so may fail; full-upgrade is less conservative about these actions and so is more likely to complete its tasks, but it may break software in the process.

Search for Packages: The search option, noted earlier, searches the database for packages matching the specified name. The result is a list of packages, one per line, with summary codes for each package’s install status, its name, and a brief description.

Clean Up the Database: The autoclean option removes already-downloaded packages that are no longer available, and clean removes all downloaded packages.

Obtain Help: Typing aptitude help results in a complete list of options.

Broadly speaking, aptitude combines the interactive features of dselect with the command-line options of apt-get. All three programs provide similar functionality, so you can use whichever one you prefer.

A tool that’s similar to dselect and aptitude in some ways is Synaptic, but Synaptic is a GUI X-based program and as such is easier to use. Overall, dselect, aptitude, and Synaptic are useful tools, particularly if you need to locate software but don’t know its exact name—the ability to browse and search the available packages can be a great boon. Unfortunately, the huge package list can be intimidating.

Reconfiguring Packages

Debian packages often provide more-extensive initial setup options than do their RPM counterparts. Frequently, the install script included in the package asks a handful of questions, such as querying for the name of an outgoing mail relay system for a mail server program. These questions help the package system set up a standardized configuration that has nonetheless been customized for your computer.

In the course of your system administration, you may alter the configuration files for a package. If you do this and find you’ve made a mess of things, you may want to revert to the initial standard configuration. To do so, you can use the dpkg-reconfigure program, which runs the initial configuration script for the package you specify:

# dpkg-reconfigure samba

This command reconfigures the samba package, asking the package’s initial installation questions and restarting the Samba daemons. Once this is done, the package should be in something closer to its initial state.

Debian Packages Compared to Other Package Formats

The overall functionality of Debian packages is similar to that of RPMs, although there are differences. Debian source packages aren’t single files; they’re groups of files—the original source tarball, a patch file that’s used to modify the source code (including a file that controls the building of a Debian package), and a .dsc file that contains a digital “signature” to help verify the authenticity of the collection. The Debian package tools can combine these and compile the package to create a Debian binary package. This structure makes Debian source packages slightly less convenient to transport because you must move at least two files (the tarball and patch file; the .dsc file is optional) rather than just one. Debian source packages also support just one patch file, whereas RPM source packages may contain multiple patch files. Although you can certainly combine multiple patch files into one, doing so makes it less clear where a patch comes from, thus making it harder to back out of any given change.

These source package differences are mostly of interest to software developers. As a system administrator or end user, you need not normally be concerned with them unless you must recompile a package from a source form—and even then, the differences between the formats need not be overwhelming. The exact commands and features used by each system differ, but they accomplish similar overall goals.

Because all distributions that use Debian packages are derived from Debian, they tend to be more compatible with one another (in terms of their packages) than RPM-based distributions are. In particular, Debian has defined details of its system startup scripts and many other features to help Debian packages install and run on any Debian-based system. This helps Debian-based systems avoid the sorts of incompatibilities in startup scripts that can cause problems using one distribution’s RPMs on another distribution. Of course, some future distribution could violate Debian’s guidelines for these matters, so this advantage isn’t guaranteed to hold over time.

As a practical matter, it can be harder to locate Debian packages than RPM packages for some exotic programs. Debian maintains a good collection at http://www.debian.org/distrib/packages, and some program authors make Debian packages available as well. If you can find an RPM but not a Debian package, you may be able to convert the RPM to Debian format using a program called alien, as described shortly in “Converting Between Package Formats.” If all else fails, you can use a tarball, but you’ll lose the advantages of the Debian package database.

Configuring Debian Package Tools

With the exception of the APT sources list mentioned earlier, Debian package tools don’t usually require configuration. Debian installs reasonable defaults (as do its derivative distributions). On rare occasions, though, you may want to adjust some of these defaults. Doing so requires that you know where to look for them.

The main configuration file for dpkg is /etc/dpkg/dpkg.cfg or ~/.dpkg.cfg. This file contains dpkg options, as summarized in Table 2.5, but without the leading dashes. For instance, to have dpkg always perform a test run rather than actually install a package, you’d create a dpkg.cfg file that contains one line:

no-act

For APT, the main configuration file you’re likely to modify is /etc/apt/sources.list, which was described earlier in “Using apt-get.” Beyond this file is /etc/apt/apt.conf, which controls APT and dselect options. As with dpkg.cfg, chances are you won’t need to modify apt.conf. If you do need to make changes, the format is more complex and is modeled after those of the Internet Software Consortium’s (ISC’s) Dynamic Host Configuration Protocol (DHCP) and Berkeley Internet Name Domain (BIND) servers’ configuration files. Options are grouped together by open and close curly braces ({}):

APT
{
  Get
  {
    Download-Only "true";
  };
};

These lines are equivalent to permanently setting the --download-only option described in Table 2.7. You can, of course, set many more options. For details, consult apt.conf’s man page. You may also want to review the sample configuration file, /usr/share/doc/apt/examples/apt.conf. (The working /etc/apt/apt.conf file is typically extremely simple, or may be missing entirely and therefore not be very helpful as an example.)

You should be aware that Debian’s package tools rely on various files in the /var/lib/dpkg directory tree. These files maintain lists of available packages, lists of installed packages, and so on. In other words, this directory tree is effectively the Debian installed file database. As such, you should be sure to back up this directory when you perform system backups and be careful about modifying its contents.

Converting Between Package Formats

Sometimes you’re presented with a package file in one format, but you want to use another format. This is particularly common when you use a Debian-based distribution and can find only tarballs or RPM files of a package. When this happens, you can keep looking for a package file in the appropriate format, install the tools for the foreign format, create a package from a source tarball using the standard RPM or Debian tools, or convert between package formats with a utility like alien.

This section focuses on this last option. The alien program comes with Debian and a few other distributions but may not be installed by default. If it’s not installed on your system, install it by typing apt-get install alien on a system that uses APT, or use the Rpmfind or Debian package Web site to locate it. This program can convert between RPM packages, Debian packages, Stampede packages (used by Stampede Linux), and tarballs.

You need to be aware of some caveats. For one thing, alien requires that you have appropriate package manager software installed—for instance, both RPM and Debian to convert between these formats. The alien utility doesn’t always convert all dependency information completely correctly. When converting from a tarball, alien copies the files directly as they had been in the tarball, so alien works only if the original tarball has files that should be installed off the root (/) directory of the system.

Although alien requires both RPM and Debian package systems to be installed to convert between these formats, alien doesn’t use the database features of these packages unless you use the --install option. The presence of a foreign package manager isn’t a problem as long as you don’t use it to install software that might duplicate or conflict with software installed with your primary package manager.

The basic syntax of alien is as follows:

alien [options] file[...]

The most important options are --to-deb, --to-rpm, --to-slp, and --to-tgz, which convert to Debian, RPM, Stampede, and tarball format, respectively. (If you omit the destination format, alien assumes you want a Debian package.) The --install option installs the converted package and removes the converted file. Consult the alien man page for additional options.

For instance, suppose you have a Debian package called someprogram-1.2.3-4_i386.deb, and you want to create an RPM from it. You can issue the following command to create an RPM called someprogram-1.2.3-5.i386.rpm:

# alien --to-rpm someprogram-1.2.3-4_i386.deb

If you use a Debian-based system and want to install a tarball but keep a record of the files it contains in your Debian package database, you can do so with the following command:

# alien --install binary-tarball.tar.gz

It’s important to remember that converting a tarball converts the files in the directory structure of the original tarball using the system’s root directory as the base. Therefore, you may need to unpack the tarball, juggle files around, and repack it to get the desired results prior to installing the tarball with alien. For instance, suppose you have a binary tarball that creates a directory called program-files, with bin, man, and lib directories under this. The intent may have been to unpack the tarball in /usr or /usr/local and create links for critical files. To convert this tarball to an RPM, you can issue the following commands:

# tar xvfz program.tar.gz
# mv program-files usr
# tar cvfz program.tgz usr
# rm -r usr
# alien --to-rpm program.tgz

By renaming the program-files directory to usr and creating a new tarball, you’ve created a tarball that, when converted to RPM format, will have files in the locations you want—/usr/bin, /usr/man, and /usr/lib. You might need to perform more extensive modifications, depending on the contents of the original tarball.

Package Dependencies and Conflicts

Although package installation often proceeds smoothly, sometimes it doesn’t. The usual sources of problems relate to unsatisfied dependencies or conflicts between packages. The RPM and Debian package management systems are intended to help you locate and resolve such problems, but on occasion (particularly when mixing packages from different vendors), they can actually cause problems. In either event, it pays to recognize these errors and know how to resolve them.

If you use a meta-packager, such as Yum or APT, for all your package management, you’re much less likely to run into problems with package dependencies and conflicts. These problems are most likely to arise when you install lone packages, especially those from unusual sources.

Real and Imagined Package Dependency Problems

Package dependencies and conflicts can arise for a variety of reasons, including the following:

Missing Libraries or Support Programs: One of the most common dependency problems is caused by a missing support package. For instance, all KDE programs rely on Qt, a widget set that provides assorted GUI tools. If Qt isn’t installed, you won’t be able to install any KDE packages using RPMs or Debian packages. Libraries—support code that can be used by many different programs as if it were part of the program itself—are particularly common sources of problems in this respect.

Incompatible Libraries or Support Programs: Even if a library or support program is installed on your system, it may be the wrong version. For instance, if a program requires Qt 4.8, the presence of Qt 3.3 won’t do much good. Fortunately, Linux library-naming conventions enable you to install multiple versions of a library in case you have programs with competing requirements.

Duplicate Files or Features: Conflicts arise when one package includes files that are already installed and that belong to another package. Occasionally, broad features can conflict as well, as in two Web server packages. Feature conflicts are usually accompanied by name conflicts. Conflicts are most common when mixing packages intended for different distributions, because distributions may split files across packages in different ways.

Mismatched Names: RPM and Debian package management systems give names to their packages. These names don’t always match across distributions. For this reason, if one package checks for another package by name, the first package may not install on another distribution, even if the appropriate package is installed, because that target package has a different name.

Some of these problems are very real and serious. Missing libraries, for instance, must be installed. (Sometimes, though, a missing library isn’t quite as missing as it seems, as described in the upcoming section “Forcing the Installation.”) Others, like mismatched package names, are artifacts of the packaging system. Unfortunately, it’s not always easy to tell into which category a conflict fits. When using a package management system, you may be able to use the error message returned by the package system, along with your own experience with and knowledge of specific packages, to make a judgment. For instance, if RPM reports that you’re missing a slew of libraries with which you’re unfamiliar, you’ll probably have to track down at least one package—unless you know you’ve installed the libraries in some other way, in which case you may want to force the installation.

Workarounds for Package Dependency Problems

When you encounter an unmet package dependency or conflict, what can you do about it? There are several approaches to these problems. Some of these approaches work well in some situations but not others, so you should review the possibilities carefully. The options include forcing the installation, modifying your system to meet the dependency, rebuilding the problem package from source code, and finding another version of the problem package.

Forcing the Installation

One approach is to ignore the issue. Although this sounds risky, it’s appropriate in some cases involving failed RPM or Debian dependencies. For instance, if the dependency is on a package that you installed by compiling the source code yourself, you can safely ignore the dependency. When using rpm, you can tell the program to ignore failed dependencies by using the --nodeps parameter:

# rpm -i apackage.rpm --nodeps

You can force installation over some other errors, such as conflicts with existing packages, by using the --force parameter:

# rpm -i apackage.rpm --force

Do not use --nodeps or --force as a matter of course. Ignoring the dependency checks can lead you into trouble, so you should use these options only when you need to do so. In the case of conflicts, the error messages you get when you first try to install without --force will tell you which packages’ files you’ll be replacing, so be sure you back them up or are prepared to reinstall the packages in case of trouble.

If you’re using dpkg, you can use the --ignore-depends=package, --force-depends, and --force-conflicts parameters to overcome dependency and conflict problems in Debian-based systems. Because there’s less deviation in package names and requirements among Debian-based systems, these options are less often needed on such systems.

Upgrading or Replacing the Depended-on Package

Officially, the proper way to overcome a package dependency problem is to install, upgrade, or replace the depended-upon package. If a program requires, say, Qt 4.8 or greater, you should upgrade an older version (such as 4.4) to 4.8. To perform such an upgrade, you’ll need to track down and install the appropriate package. This usually isn’t too difficult if the new package you want comes from a Linux distribution, especially if you use a meta-packager such as Yum or APT; the appropriate depended-on package should come with the same distribution.

One problem with this approach is that packages intended for different distributions sometimes have differing requirements. If you run Distribution A and install a package that was built for Distribution B, the package will express dependencies in terms of Distribution B’s files and versions. The appropriate versions may not be available in a form intended for Distribution A; and by installing Distribution B’s versions, you can sometimes cause conflicts with other Distribution A packages. Even if you install the upgraded package and it works, you may run into problems in the future when it comes time to install some other program or upgrade the distribution as a whole—the upgrade installer may not recognize Distribution B’s package or may not be able to upgrade to its own newer version.

Rebuilding the Problem Package

Some dependencies result from the libraries and other support utilities installed on the computer that compiled the package, not from requirements in the underlying source code. If the software is recompiled on a system that has different packages, the dependencies will change. Therefore, rebuilding a package from source code can overcome at least some dependencies.

If you use an RPM-based system, the command to rebuild a package is straightforward: You call rpmbuild (or rpm with old versions of RPM) with the name of the source package and use --rebuild, as follows:

# rpmbuild --rebuild packagename-version.src.rpm

Of course, to do this you must have the source RPM for the package. This can usually be obtained from the same location as the binary RPM. When you execute this command, rpmbuild extracts the source code and executes whatever commands are required to build a new package—or sometimes several new packages. (One source RPM can build multiple binary RPMs.) The compilation process can take anywhere from a few seconds to several hours, depending on the size of the package and the speed of your computer. The result should be one or more new binary RPMs in /usr/src/distname/RPMS/arch, where distname is a distribution-specific name (such as redhat on Red Hat or packages on SUSE) and arch is your CPU architecture (such as i386 or i586 for x86 or ppc for PowerPC). You can move these RPMs to any convenient location and install them just as you would any others.

Source packages are also available for Debian systems, but aside from sites devoted to Debian and related distributions, Debian source packages are rare. The sites that do have these packages provide them in forms that typically install easily on appropriate Debian or related systems. For this reason, it’s less likely that you’ll rebuild a Debian package from source.

Be aware that compiling a source package typically requires you to have appropriate development tools installed on your system, such as the GNU Compiler Collection (GCC) and assorted development libraries. Development libraries are the parts of a library that enable programs to be written for the library. Many Linux installations lack development libraries even when the matching binary libraries are installed. Thus, you may need to install quite a few packages to recompile a source package. The error messages you receive when you attempt but fail to build a source package can help you track down the necessary software, but you may need to read several lines of error messages and use your package system to search for appropriate tools and development libraries. (Development libraries often include the string dev or devel in their names.)

Locating Another Version of the Problem Package

Frequently, the simplest way to fix a dependency problem or package conflict is to use a different version of the package you want to install. This could be a newer or older official version (4.2.3 rather than 4.4.7, say), or it might be the same official version but built for your distribution rather than for another distribution. Sites like Rpmfind (http://www.rpmfind.net) and Debian’s package listing (http://www.debian.org/distrib/packages) can be very useful in tracking down alternative versions of a package. Your own distribution’s Web site or FTP site can also be a good place to locate packages.

If the package you’re trying to install requires newer libraries than you have and you don’t want to upgrade those libraries, an older version of the package may work with your existing libraries. Before installing such a program, though, you should check to be sure that the newer version of the program doesn’t fix security bugs. If it does, you should find another way to install the package.

The main problem with locating another version of the package is that sometimes you really need the version that’s not installing correctly. It may have features you need, or it may fix important bugs. On occasion, other versions may not be available, or you may be unable to locate another version of the package in your preferred package format.

Startup Script Problems

One particularly common problem when trying to install servers from one distribution in another is getting startup scripts working. In the past, most major Linux distributions used SysV startup scripts, but these scripts weren’t always transportable across distributions. Today, alternatives to SysV are common, which further complicates this problem. The result is that the server you installed may not start up. Possible workarounds include modifying the startup script that came with the server, building a new script based on another one from your distribution, and starting the server through a local startup script like /etc/rc.d/rc.local or /etc/rc.d/boot.local. Chapter 5, “Booting Linux and Editing Files,” describes startup scripts in more detail.

Startup script problems affect only servers and other programs that are started automatically when the computer boots; they don’t affect typical user applications or libraries.

Managing Shared Libraries

Most Linux software relies heavily on shared libraries. The preceding sections have described some of the problems that can arise in managing shared library packages—for example, if a library isn’t installed or is the wrong version, you may have problems installing a package. Library management goes beyond merely configuring them, though. To understand this, you must first understand a few library principles. You can then move on to setting the library path and using commands that manage libraries.

Library Principles

The idea behind a library is to simplify programmers’ lives by providing commonly used program fragments. For instance, one of the most important libraries is the C library (libc), which provides many of the higher-level features associated with the C programming language. Another common type of library is associated with GUIs. These libraries are often called widget sets because they provide the on-screen widgets used by programs—buttons, scroll bars, menu bars, and so on. The GIMP Tool Kit (GTK+) and Qt are the most popular Linux widget sets, and both ship largely as libraries. Libraries are chosen by programmers, not by users; you usually can’t substitute one library for another. (The main exceptions are minor version upgrades.)

Linux uses the GNU C library (glibc) version of the C library. Package-manager dependencies and other library references are to glibc specifically. As of glibc 2.15, for historical reasons the main glibc file is usually called /lib/libc.so.6 or /lib64/libc.so.6, but this file is sometimes a symbolic link to a file of another name, such as /lib/libc-2.15.so.

In principle, the routines in a library can be linked into a program’s main file, just like all the object code files created by the compiler. This approach, however, has certain problems:

The resulting program file is huge. This means it takes up a lot of disk space, and it consumes a lot of RAM when loaded.

If multiple programs use the library, as is common, the program-size issue is multiplied several times; the library is effectively stored multiple times on disk and in RAM.

The program can’t take advantage of improvements in the library without recompiling (or at least relinking) the program.

For these reasons, most programs use their libraries as shared libraries (aka dynamic libraries). In this form, the main program executable omits most of the library routines. Instead, the executable includes references to shared library files, which can then be loaded along with the main program file. This approach helps keep program file size down, enables sharing of the memory consumed by libraries across programs, and enables programs to take advantage of improvements in libraries by upgrading the library.

Linux shared libraries are similar to the dynamic link libraries (DLLs) of Windows. Windows DLLs are usually identified by .DLL filename extensions; but in Linux, shared libraries usually have a .so or .so.version extension, where version is a version number. (.so stands for shared object.) Linux static libraries (used by linkers for inclusion in programs when dynamic libraries aren’t to be used) have .a filename extensions.

On the downside, shared libraries can degrade program load time slightly if the library isn’t already in use by another program, and they can create software management complications:

Shared library changes can be incompatible with some or all programs that use the library. Linux uses library numbering schemes to enable you to keep multiple versions of a library installed at once. Upgrades that shouldn’t cause problems can overwrite older versions, whereas major upgrades get installed side by side with their older counterparts. This approach minimizes the chance of problems, but sometimes changes that shouldn’t cause problems do cause them.

Programs must be able to locate shared libraries. This task requires adjusting configuration files and environment variables. If it’s done wrong or if a program overrides the defaults and looks in the wrong place, the result is usually that the program won’t run at all.

The number of libraries for Linux has risen dramatically over time. When they’re used in shared form, the result can be a tangled mess of package dependencies, particularly if you use programs that rely on many or obscure libraries. In most cases, this issue boils down to a package problem that can be handled by your package management tools.

If an important shared library becomes inaccessible because it was accidentally overwritten, due to a disk error or for any other reason, the result can be severe system problems. In a worst-case scenario, the system might not even boot.

In most cases, these drawbacks are manageable and are much less important than the problems associated with using static libraries. Thus, dynamic libraries are very popular.

Static libraries are sometimes used by developers who create programs using particularly odd, outdated, or otherwise exotic libraries. This enables them to distribute their binary packages without requiring users to obtain and install their oddball libraries. Likewise, static libraries are sometimes used on small emergency systems, which don’t have enough programs installed to make the advantages of shared libraries worth pursuing.

Locating Library Files

The major administrative challenge of handling shared libraries involves enabling programs to locate those shared libraries. Binary program files can point to libraries either by name alone (as in libc.so.6) or by providing a complete path (as in /lib/libc.so.6). In the first case, you must configure a library path—a set of directories in which programs should search for libraries. This can be done both through a global configuration file and through an environment variable. If a static path to a library is wrong, you must find a way to correct the problem. In all of these cases, after making a change, you may need to use a special command to get the system to recognize the change, as described later in “Library Management Commands.”

Setting the Path Systemwide

The first way to set the library path is to edit the /etc/ld.so.conf file. This file consists of a series of lines, each of which lists one directory in which shared library files may be found. Typically, this file lists between half a dozen and a couple dozen directories. Some distributions have an additional type of line in this file. These lines begin with the include directive; they list files that are to be included as if they were part of the main file. For instance, Ubuntu 12.04’s ld.so.conf begins with this line:

include /etc/ld.so.conf.d/*.conf

This line tells the system to load all the files in /etc/ld.so.conf.d whose names end in .conf as if they were part of the main /etc/ld.so.conf file. This mechanism enables package maintainers to add their unique library directories to the search list by placing a .conf file in the appropriate directory.

Some distributions, such as Gentoo, use a mechanism with a similar goal but different details. With these distributions, the env-update utility reads files in /etc/env.d to create the final form of several /etc configuration files, including /etc/ld.so.conf. In particular, the LDPATH variables in these files are read, and their values make up the lines in ld.so.conf. Thus, to change ld.so.conf in Gentoo or other distributions that use this mechanism, you should add or edit files in /etc/env.d and then type env-update to do the job.

Generally speaking, there’s seldom a need to change the library path systemwide. Library package files usually install themselves in directories that are already on the path or add their paths automatically. The main reason to make such changes would be if you installed a library package, or a program that creates its own libraries, in an unusual location via a mechanism other than your distribution’s main package utility. For instance, you might compile a library from source code and then need to update your library path in this way.

After you change your library path, you must use ldconfig to have your programs use the new path, as described later in “Library Management Commands.”

In addition to the directories specified in /etc/ld.so.conf, Linux refers to the trusted library directories, /lib and /usr/lib. These directories are always on the library path, even if they aren’t listed in ld.so.conf.
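To see which directories a given ld.so.conf actually contributes once its include lines are expanded, the following added example (not code from the book) walks the file the way the text describes and appends the trusted directories. The function names and the sample tree are constructed for illustration, and resolving a relative include pattern against the including file's directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): expand an ld.so.conf-style file,
# following "include" lines, and report the resulting directory list.

# ldconf_dirs FILE [DEPTH] - print the directories listed in FILE, one per
# line, in order. The body is a subshell so recursion keeps its own variables.
ldconf_dirs() (
    conf=$1
    depth=${2:-0}
    [ "$depth" -le 8 ] || exit 0          # stop runaway include loops
    [ -r "$conf" ] || exit 0
    base=$(dirname "$conf")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        set -f; set -- $line; set +f      # split into words without globbing
        if [ "$1" = include ]; then
            [ $# -ge 2 ] || continue
            pattern=$2
            # Assumption: a relative pattern is resolved against the
            # directory of the file that contains the include line.
            case $pattern in /*) ;; *) pattern=$base/$pattern ;; esac
            for inc in $pattern; do       # unquoted on purpose: expand the glob
                if [ -f "$inc" ]; then
                    ldconf_dirs "$inc" $((depth + 1))
                fi
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$conf"
)

# library_path_report FILE - directories from FILE plus the trusted
# directories /lib and /usr/lib, de-duplicated, tagged "ok" or "missing".
library_path_report() {
    { ldconf_dirs "$1"; printf '%s\n' /lib /usr/lib; } |
    awk '!seen[$0]++' |
    while IFS= read -r dir; do
        if [ -d "$dir" ]; then state=ok; else state=missing; fi
        printf '%s %s\n' "$state" "$dir"
    done
}

# make_sample - build a constructed config tree under a temporary directory
# and print the path of its top-level ld.so.conf.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ld.so.conf.d" "$root/opt/newlib"
    printf 'include %s/etc/ld.so.conf.d/*.conf\n%s/opt/newlib\n' "$root" "$root" \
        > "$root/etc/ld.so.conf"
    # This drop-in names a directory that does not exist (a stale entry).
    printf '# added by a package\n%s/usr/local/testlib\n' "$root" \
        > "$root/etc/ld.so.conf.d/10-testlib.conf"
    printf '%s\n' "$root/etc/ld.so.conf"
}

sample=$(make_sample)
library_path_report "$sample"
rm -rf "${sample%/etc/ld.so.conf}"
```

Run library_path_report /etc/ld.so.conf on a real system to spot entries that point at directories that no longer exist.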

Temporarily Changing the Path

Sometimes, changing the path permanently and globally is unnecessary and even inappropriate. For instance, you might want to test the effect of a new library before using it for all your programs. To do so, you could install the shared libraries in an unusual location and then set the LD_LIBRARY_PATH environment variable. This environment variable specifies additional directories the system is to search for libraries.

Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” describes environment variables in more detail.

To set the LD_LIBRARY_PATH environment variable using the bash shell, you can type a command like this:

$ export LD_LIBRARY_PATH=/usr/local/testlib:/opt/newlib

This line adds two directories, /usr/local/testlib and /opt/newlib, to the search path. You can specify as few or as many directories as you like, separated by colons. These directories are added to the start of the search path, which means they take precedence over other directories. This fact is handy when you’re testing replacement libraries, but it can cause problems if users manage to set this environment variable inappropriately.

You can set this environment variable permanently in a user’s shell startup script files, as described in Chapter 9. Doing so means the user will always use the specified library paths in addition to the normal system paths. In principle, you could set the LD_LIBRARY_PATH globally; however, using /etc/ld.so.conf is the preferred method of effecting global changes to the library path.

Unlike other library path changes, this one doesn’t require that you run ldconfig for it to take effect.
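Because LD_LIBRARY_PATH directories are searched ahead of the system ones, it is worth reviewing a value before relying on it. The following added example (not code from the book) flags risky entries and lists libraries that would take precedence over same-named system copies; the function names and the directories passed to them are illustrative assumptions, and the -H and -perm options assume a POSIX find.

```shell
#!/bin/sh
# Added example (not from the book): review an LD_LIBRARY_PATH value before
# trusting it, since its directories are searched ahead of the system ones.

# audit_ld_library_path VALUE - print one "reason: entry" line per finding;
# no output means nothing was flagged.
audit_ld_library_path() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr ':' '\n' |
    while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            # An empty item makes the loader search the current directory.
            printf 'empty-entry: (searches the current directory)\n'
            continue
        fi
        case $entry in
            /*) ;;
            *)  printf 'relative: %s\n' "$entry"; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            printf 'missing: %s\n' "$entry"
        elif [ -n "$(find -H "$entry" -prune -perm -0002)" ]; then
            # Any account could drop a library here and have it loaded first.
            printf 'world-writable: %s\n' "$entry"
        elif [ -n "$(find -H "$entry" -prune -perm -0020)" ]; then
            printf 'group-writable: %s\n' "$entry"
        fi
    done
}

# shadowing_libs VALUE SYSDIR... - list libraries in VALUE's directories
# whose file name also exists in one of the SYSDIRs. Because the
# LD_LIBRARY_PATH copy is found first, it is the one a program would load.
shadowing_libs() {
    value=$1
    shift
    printf '%s\n' "$value" | tr ':' '\n' |
    while IFS= read -r entry; do
        case $entry in /*) ;; *) continue ;; esac
        for lib in "$entry"/*.so*; do
            [ -e "$lib" ] || continue
            for sys in "$@"; do
                if [ -e "$sys/${lib##*/}" ]; then
                    printf '%s shadows %s\n' "$lib" "$sys/${lib##*/}"
                fi
            done
        done
    done
}

# Review the value in the current environment (prints nothing if it is
# unset or clean).
audit_ld_library_path "${LD_LIBRARY_PATH:-}"
shadowing_libs "${LD_LIBRARY_PATH:-}" /lib /usr/lib
```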

Correcting Problems

Library path problems usually manifest as a program’s inability to locate a library. If you launch the program from a shell, you’ll see an error message like this:

$ gimp
gimp: error while loading shared libraries: libXinerama.so.1: cannot open shared object file: No such file or directory

This message indicates that the system couldn’t find the libXinerama.so.1 library file. The usual cause of such problems is that the library isn’t installed, so you should look for it using commands such as find (described in Chapter 4, “Managing Files”). If the file isn’t installed, try to track down the package to which it should belong (a Web search can work wonders in this task) and install it.

If, on the other hand, the library file is available, you may need to add its directory globally or to LD_LIBRARY_PATH. Sometimes the library’s path is hard-coded in the program’s binary file. (You can discover this using ldd, as described shortly in “Library Management Commands.”) When this happens, you may need to create a symbolic link from the location of the library on your system to the location the program expects. A similar problem can occur when the program expects a library to have one name but the library has another name on your system. For instance, the program may link to biglib.so.5, but your system has biglib.so.5.2 installed. Minor version-number changes like this are usually inconsequential, so creating a symbolic link will correct the problem:

# ln -s biglib.so.5.2 biglib.so.5

You must type this command as root in the directory in which the library resides. You must then run ldconfig, as described in the next section.

Library Management Commands

Linux provides a pair of commands that you’re likely to use for library management. The ldd program displays a program’s shared library dependencies—that is, the shared libraries that a program uses. The ldconfig program updates caches and links used by the system for locating libraries—that is, it reads /etc/ld.so.conf and implements any changes in that file or in the directories to which it refers. Both of these tools are invaluable in managing libraries.

Displaying Shared Library Dependencies

If you run into programs that won’t launch because of missing libraries, the first step is to check which libraries the program file uses. You can do this with the ldd command:

$ ldd /bin/ls
librt.so.1 => /lib/librt.so.1 (0x0000002a9566c000)
libncurses.so.5 => /lib/libncurses.so.5 (0x0000002a95784000)
libacl.so.1 => /lib/libacl.so.1 (0x0000002a958ea000)
libc.so.6 => /lib/libc.so.6 (0x0000002a959f1000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0000002a95c17000)
/lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
libattr.so.1 => /lib/libattr.so.1 (0x0000002a95dad000)

Each line of output begins with a library name, such as librt.so.1 or libncurses.so.5. If the library name doesn’t contain a complete path, ldd attempts to find the true library and displays the complete path following the => symbol, as in /lib/librt.so.1 or /lib/libncurses.so.5. You needn’t be concerned about the long hexadecimal number following the complete path to the library file. The preceding example shows one library (/lib64/ld-linux-x86-64.so.2) that’s referred to with a complete path in the executable file. It lacks the initial directory-less library name and => symbol.

The ldd command accepts a few options. The most notable of these is probably -v, which displays a long list of version information following the main entry. This information may be helpful in tracking down which version of a library a program is using, in case you have multiple versions installed.

Keep in mind that libraries can themselves depend on other libraries. Thus, you can use ldd to discover what libraries are used by a library. Because of this potential for a dependency chain, it’s possible that a program will fail to run even though all its libraries are present. When using ldd to track down problems, be sure to check the needs of all the libraries of the program, and all the libraries used by the first tier of libraries, and so on, until you’ve exhausted the chain.

The ldd utility can be run by ordinary users, as well as by root. You must run it as root if you can’t read the program file as an ordinary user.
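The three line forms that ldd can print (a resolved name, a complete path with no => symbol, and an unresolved name) can be sorted mechanically, which also exposes libraries that resolve from outside the system directories. The script below is an added example, not taken from the book; the function names, the lib64 entries in TRUSTED_DIRS, and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify ldd output read on standard input.

# /lib and /usr/lib are the trusted directories named in the text; the lib64
# variants are an assumption for x86-64 systems.
TRUSTED_DIRS="/lib /usr/lib /lib64 /usr/lib64"

# Prints one line per library: "OK name path", "UNTRUSTED name path" (resolved
# outside TRUSTED_DIRS) or "MISSING name" (the loader could not find it).
ldd_audit() {
    awk -v trusted="$TRUSTED_DIRS" '
        BEGIN { n = split(trusted, dirs, " ") }

        # Returns 1 when path lies below one of the trusted directories.
        function is_trusted(path,    i) {
            for (i = 1; i <= n; i++)
                if (index(path, dirs[i] "/") == 1)
                    return 1
            return 0
        }

        function report(name, path,    tag) {
            tag = is_trusted(path) ? "OK" : "UNTRUSTED"
            print tag, name, path
        }

        # "libfoo.so.1 => not found": no directory on the search path has it.
        $2 == "=>" && $3 == "not" { print "MISSING", $1; next }

        # "libfoo.so.1 => /dir/libfoo.so.1 (0x...)": name resolved by the loader.
        $2 == "=>" && $3 ~ /^\// { report($1, $3); next }

        # "/lib64/ld-linux-x86-64.so.2 (0x...)": complete path in the executable.
        $1 ~ /^\// { report($1, $1); next }

        # Other lines (objects with no backing file, messages) are skipped.
    '
}

# Constructed sample: three lines in the format of the ldd /bin/ls listing, plus
# one unresolved library and one resolved from a non-system directory.
sample_ldd_output() {
    cat <<'EOF'
        librt.so.1 => /lib/librt.so.1 (0x0000002a9566c000)
        libacl.so.1 => /opt/scratch/lib/libacl.so.1 (0x0000002a958ea000)
        libc.so.6 => /lib/libc.so.6 (0x0000002a959f1000)
        libcrunch.so.2 => not found
        /lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
EOF
}

sample_ldd_output | ldd_audit
```

On a live system the same function takes real input, as in ldd /bin/ls | ldd_audit. The ldd man page advises against running ldd on executables you don't trust; for those, objdump -p lists the NEEDED entries without involving the loader.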

Rebuilding the Library Cache

Linux (or, more precisely, the ld.so and ld-linux.so programs, which manage the loading of libraries) doesn’t read /etc/ld.so.conf every time a program runs. Instead, the system relies on a cached list of directories and the files they contain, stored in binary format in /etc/ld.so.cache. This list is maintained in a format that’s much more efficient than a plain-text list of files and directories. The drawback is that you must rebuild that cache every time you add or remove libraries. These additions and removals include both changing the contents of the library directories and adding or removing library directories.

The tool to do this job is called ldconfig. Ordinarily, it’s called without any options:

# ldconfig

This program does, though, take options to modify its behavior:

Display Verbose Information: Ordinarily, ldconfig doesn’t display any information as it works. The -v option causes the program to summarize the directories and files it’s registering as it goes about its business.

Don’t Rebuild the Cache: The -N option causes ldconfig to not perform its primary duty of updating the library cache. It will, though, update symbolic links to libraries, which is a secondary duty of this program.

Process Only Specified Directories: The -n option causes ldconfig to update the links contained in the directories specified on the command line. The system won’t examine the directories specified in /etc/ld.so.conf or the trusted directories (/lib and /usr/lib).

Don’t Update Links: The -X option is the opposite of -N; it causes ldconfig to update the cache but not manage links.

Use a New Configuration File: You can change the configuration file from /etc/ld.so.conf by using the -f conffile option, where conffile is the file you want to use.

Use a New Cache File: You can change the cache file that ldconfig creates by passing the -C cachefile option, where cachefile is the file you want to use.

Use a New Root: The -r dir option tells ldconfig to treat dir as if it were the root (/) directory. This option is helpful when you’re recovering a badly corrupted system or installing a new OS.

Display Current Information: The -p option causes ldconfig to display the current cache—all the library directories and the libraries they contain.

Both RPM and Debian library packages typically run ldconfig automatically after installing or removing the package. The same thing happens as part of the installation process for many packages compiled from source. Thus, you may well be running ldconfig more than you realize in the process of software management. You may need to run the program yourself if you manually modify your library configuration in any way.

Managing Processes

When you type a command name, that program is run, and a process is created for it. Knowing how to manage these processes is critical to using Linux. Key details in this task include identifying processes, manipulating foreground and background processes, killing processes, and adjusting process priorities.

Understanding the Kernel: The First Process

The Linux kernel is at the heart of every Linux system. Although you can’t manage the kernel process in quite the way you can manage other processes, short of rebooting the computer, you can learn about it. To do so, you can use the uname command, which takes several options to display information:

Node Name: The -n or --nodename option displays the system’s node name—that is, its network hostname.

Kernel Name: The -s or --kernel-name option displays the kernel name, which is Linux on a Linux system.

Kernel Version: You can find the kernel version with the -v or --kernel-version option. Ordinarily, this holds the kernel build date and time, not an actual version number.

Kernel Release: The actual kernel version number can be found via the -r or --kernel-release option.

Machine: The -m or --machine option returns information about your machine. This is likely to be a CPU code, such as i686 or x86_64.

Processor: Using the -p or --processor option may return information about your CPU, such as the manufacturer, model, and clock speed; in practice, it returns unknown on many systems.

Hardware Platform: Hardware platform information is theoretically returned by the -i or --hardware-platform option, but this option often returns unknown.

OS Name: The -o or --operating-system option returns the OS name—normally GNU/Linux for a Linux system.

Print All Information: The -a or --all option returns all available information.

In practice, you’re most likely to use uname -a at the command line to learn some of the basics about your kernel and system. The other options are most useful in multi-platform scripts, which can use these options to quickly obtain critical information to help them adjust their actions for the system on which they’re running.

Examining Process Lists

One of the most important tools in process management is ps. This program displays processes’ status (hence the name, ps). It sports many helpful options, and it’s useful in monitoring what’s happening on a system. This can be particularly critical when the computer isn’t working as it should be—for instance, if it’s unusually slow. The ps program supports an unusual number of options, but just a few of them will take you a long way. Likewise, interpreting ps output can be tricky because so many options modify the program’s output. Some ps-like programs, most notably top, also deserve attention.

Using Useful ps Options

The official syntax for ps is fairly simple:

ps [options]

This simplicity of form hides considerable complexity because ps supports three different types of options, as well as many options within each type. The three types of options are as follows:

Unix98 Options: These single-character options may be grouped together and are preceded by a single dash (-).

BSD Options: These single-character options may be grouped together and must not be preceded by a dash.

GNU Long Options: These multi-character options are never grouped together. They’re preceded by two dashes (--).

Options that may be grouped together may be clustered without spaces between them. For instance, rather than typing ps -a -f, you can type ps -af. The reason for so much complexity is that the ps utility has historically varied a lot from one Unix OS to another. The version of ps that ships with major Linux distributions attempts to implement most features from all these different ps versions, so it supports many different personalities. In fact, you can change some of its default behaviors by setting the PS_PERSONALITY environment variable to posix, old, linux, bsd, sun, digital, or various others. The rest of this section describes the default ps behavior on most Linux systems.

Some of the more useful ps features include the following:

Display Help: The --help option summarizes some of the more common ps options.

Display All Processes: By default, ps displays only processes that were run from its own terminal (xterm, text-mode login, or remote login). The -A and -e options cause it to display all the processes on the system, and x displays all processes owned by the user who gives the command. The x option also increases the amount of information that’s displayed about each process.

Display One User’s Processes: You can display processes owned by a given user with the -u user, U user, and --User user options. The user variable may be a username or a user ID.

Display Extra Information: The -f, -l, j, l, u, and v options all expand the information provided in the ps output. Most ps output formats include one line per process, but ps can display enough information that it’s impossible to fit it all on one 80-character line. Therefore, these options provide various mixes of information.

Display Process Hierarchy: The -H, -f, and --forest options group processes and use indentation to show the hierarchy of relationships between processes. These options are useful if you’re trying to trace the parentage of a process.

Display Wide Output: The ps command output can be more than 80 columns wide. Normally, ps truncates its output so that it will fit on your screen or xterm. The -w and w options tell ps not to do this, which can be useful if you direct the output to a file, as in ps w > ps.txt. You can then examine the output file in a text editor that supports wide lines.

You can combine these ps options in many ways to produce the output you want. You’ll probably need to experiment to learn which options produce the desired results because each option modifies the output in some way. Even those that would seem to influence just the selection of processes to list sometimes modify the information that’s provided about each process.

Interpreting ps Output

Listings 2.3 and 2.4 show a couple of examples of ps in action. Listing 2.3 shows ps -u rodsmith --forest, and Listing 2.4 shows ps u U rodsmith.

Listing 2.3: Output of ps -u rodsmith --forest

$ ps -u rodsmith --forest
  PID TTY          TIME CMD
 2451 pts/3    00:00:00 bash
 2551 pts/3    00:00:00 ps
 2496 ?        00:00:00 kvt
 2498 pts/1    00:00:00 bash
 2505 pts/1    00:00:00 \_ nedit
 2506 ?        00:00:00 \_ csh
 2544 ?        00:00:00 \_ xeyes
19221 ?        00:00:01 dfm

Listing 2.4: Output of ps u U rodsmith

$ ps u U rodsmith
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
rodsmith 19221  0.0  1.5  4484 1984 ?        S    May07   0:01 dfm
rodsmith  2451  0.0  0.8  1856 1048 pts/3    S    16:13   0:00 -bash
rodsmith  2496  0.2  3.2  6232 4124 ?        S    16:17   0:00 /opt/kd
rodsmith  2498  0.0  0.8  1860 1044 pts/1    S    16:17   0:00 bash
rodsmith  2505  0.1  2.6  4784 3332 pts/1    S    16:17   0:00 nedit
rodsmith  2506  0.0  0.7  2124 1012 ?        S    16:17   0:00 /bin/cs
rodsmith  2544  0.0  1.0  2576 1360 ?        S    16:17   0:00 xeyes
rodsmith  2556  0.0  0.7  2588  916 pts/3    R    16:18   0:00 ps u U

The output produced by ps normally begins with a heading line, which displays the meaning of each column. Important information that may be displayed (and labeled) includes the following:

Username: This is the name of the user who runs the programs. Listings 2.3 and 2.4 restricted this output to one user to limit the length of the listings.

Process ID: The process ID (PID) is a number that’s associated with the process. This item is particularly important because you need it to modify or kill the process, as described later in this chapter.

Parent Process ID: The parent process ID (PPID) identifies the process’s parent. (Neither Listing 2.3 nor Listing 2.4 shows the PPID.)

TTY: The teletype (TTY) is a code used to identify a terminal. As illustrated by Listings 2.3 and 2.4, not all processes have TTY numbers—X programs and daemons, for instance, don’t. Text-mode programs do have these numbers, which point to a console, xterm, or remote login session.

CPU Time: The TIME and %CPU headings are two measures of CPU time used. The first indicates the total amount of CPU time consumed, and the second represents the percentage of CPU time the process is using when ps executes. Both can help you spot runaway processes—those that are consuming too much CPU time. Unfortunately, what constitutes “too much” varies from one program to another, so it’s impossible to give a simple rule to help you spot a runaway process.

CPU Priority: As described shortly, in “Managing Process Priorities,” it’s possible to give different processes different priorities for CPU time. The NI column, if present (it’s not in the preceding examples) lists these priority codes. The default value is 0. Positive values represent reduced priority, whereas negative values represent increased priority.

Memory Use: Various headings indicate memory use—for instance, RSS is resident set size (the memory used by the program and its data), and %MEM is the percentage of memory the program is using. Some output formats also include a SHARE column, which is memory that’s shared with other processes (such as shared libraries). As with CPU-use measures, these columns can help point you to the sources of difficulties; but because legitimate memory needs of programs vary so much, it’s impossible to give a simple criterion for when a problem exists.

Command: The final column in most listings is the command used to launch the process. This is truncated in Listing 2.4 because this format lists the complete command, but so much other information appears that the complete command won’t usually fit on one line. (This is where the wide-column options can come in handy.)

As you can see, a lot of information can be gleaned from a ps listing—or perhaps that should be the plural listings, because no single format includes all of the available information. For the most part, the PID, username, and command are the most important pieces of information. In some cases, though, you may need specific other components. If your system’s memory or CPU use has skyrocketed, for instance, you’ll want to pay attention to the memory or CPU use column.

It’s often necessary to find specific processes. You might want to find the PID associated with a particular command in order to kill it, for instance. This information can be gleaned by piping the ps output through grep, as in ps ax | grep bash to find all the instances of bash.

Although you may need a wide screen or xterm to view the output, you may find ps -A --forest to be a helpful command in learning about your system. Processes that aren’t linked to others were either started directly by init or have had their parents killed, and so they have been “adopted” by init. (Chapter 5 describes init and the boot procedure in more detail.) Most of these processes are fairly important—they’re servers, login tools, and so on. Processes that hang off several others in this tree view, such as xeyes and nedit in Listing 2.3, are mostly user programs launched from shells.
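When a process looks out of place, following its PPID links back to init shows which shell or service launched it, including the adoption case described above. The script below is an added example, not taken from the book; the ancestry and sample_ps_listing names are hypothetical, and the PPID values in the sample are constructed because neither listing shows that column.

```shell
#!/bin/sh
# Added example: trace a process back to init from a listing that includes PPID.

# Usage: ancestry PID < listing
# The listing must have PID, PPID and command as its first three columns, as
# produced by "ps -e -o pid,ppid,comm". Prints the chain child <- parent <- ...
ancestry() {
    awk -v start="$1" '
        NR == 1 { next }                     # skip the heading line
        { ppid[$1] = $2; cmd[$1] = $3 }      # index every process by PID
        END {
            if (!(start in ppid)) { print "unknown PID " start; exit 1 }
            pid = start
            chain = cmd[pid] "(" pid ")"
            # Follow parent links; stop at PID 1, at a parent that is not in
            # the listing, or after 64 hops in case the data is inconsistent.
            for (hops = 0; hops < 64 && pid != 1 && (ppid[pid] in ppid); hops++) {
                pid = ppid[pid]
                chain = chain " <- " cmd[pid] "(" pid ")"
            }
            print chain
        }
    '
}

# Constructed sample: PIDs and commands follow Listing 2.3; the PPID column is
# made up for the example. dfm has been adopted by init (PPID 1).
sample_ps_listing() {
    cat <<'EOF'
  PID  PPID COMMAND
    1     0 init
 2496     1 kvt
 2498  2496 bash
 2505  2498 nedit
 2506  2498 csh
 2544  2506 xeyes
19221     1 dfm
EOF
}

sample_ps_listing | ancestry 2544
```

On a live system, ps -e -o pid,ppid,comm | ancestry PID produces the same kind of chain for a real process.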

top: A Dynamic ps Variant

If you want to know how much CPU time various processes are consuming relative to one another or if you want to quickly discover which processes are consuming the most CPU time, a tool called top is the one for the job. The top tool is a text-mode program, but of course it can be run in an xterm or similar window, as shown in Figure 2.2; there are also GUI variants, like kpm and gnome-system-monitor. By default, top sorts its entries by CPU use, and it updates its display every few seconds. This makes it a very good tool for spotting runaway processes on an otherwise lightly loaded system—those processes almost always appear in the first position or two, and they consume an inordinate amount of CPU time. Looking at Figure 2.2, you might think that FahCore_65.exe is such a process, but in fact, it’s legitimately consuming a lot of CPU time. You’ll need to be familiar with the purposes and normal habits of programs running on your system in order to make such determinations; the legitimate needs of different programs vary so much that it’s impossible to give a simple rule for judging when a process is consuming too much CPU time.

FIGURE 2.2 The top command shows system summary information and information about the most CPU-intensive processes on a computer.

Like many Linux commands, top accepts several options. The most useful are listed here:

-d delay: This option specifies the delay between updates, which is normally five seconds.

-p pid: If you want to monitor specific processes, you can list them using this option. You’ll need the PIDs, which you can obtain with ps, as described earlier. You can specify up to 20 PIDs by using this option multiple times, once for each PID.

-n iter: You can tell top to display a certain number of updates (iter) and then quit. (Normally, top continues updating until you terminate the program.)

-b: This option specifies batch mode, in which top doesn’t use the normal screen-update commands. You might use this to log CPU use of targeted programs to a file, for instance.

You can do more with top than watch it update its display. When it’s running, you can enter any of several single-letter commands, some of which prompt you for additional information. These commands include the following:

h and ?: These keystrokes display help information.

k: You can kill a process with this command. The top program will ask for a PID number, and if it’s able to kill the process, it will do so. (The upcoming section “Killing Processes” describes other ways to kill processes.)

q: This option quits from top.

r: You can change a process’s priority with this command. You’ll have to enter the PID number and a new priority value—a positive value will decrease its priority, and a negative value will increase its priority, assuming it has the default 0 priority to begin with. Only root may increase a process’s priority. The renice command (described shortly, in “Managing Process Priorities”) is another way to accomplish this task.

s: This command changes the display’s update rate, which you’ll be asked to enter (in seconds).

P: This command sets the display to sort by CPU usage, which is the default.

M: You can change the display to sort by memory usage with this command.

More commands are available in top (both command-line options and interactive commands) than can be summarized here; consult top’s man page for more information.

One of the pieces of information provided by top is the load average, which is a measure of the demand for CPU time by applications. In Figure 2.2, you can see three load-average estimates on the top line; these correspond to the current load average and two previous measures. A system on which no programs are demanding CPU time has a load average of 0.0. A system with one program running CPU-intensive tasks has a load average of 1.0. Higher load averages reflect programs competing for available CPU time. You can also find the current load average via the uptime command, which displays the load average along with information on how long the computer has been running. The load average can be useful in detecting runaway processes. For instance, if a system normally has a load average of 0.5 but suddenly gets stuck at a load average of 2.5, a couple of CPU-hogging processes may have hung—that is, become unresponsive. Hung processes sometimes needlessly consume a lot of CPU time. You can use top to locate these processes and, if necessary, kill them.

Most computers today include multiple CPUs or CPU cores. On such systems, the load average can equal the number of CPUs or cores before competition for CPU time begins. For instance, on a quad-core CPU, the load average can be as high as 4.0 without causing contention. Typically, one program can create a load of just 1.0; however, multi-threaded programs can create higher load averages, particularly on multi-core systems.

jobs: Processes Associated with Your Session

The jobs command displays minimal information about the processes associated with the current session. In practice, jobs is usually of limited value, but it does have a few uses. One of these is to provide job ID numbers. These numbers are conceptually similar to PID numbers, but they’re not the same. Jobs are numbered starting from 1 for each session, and in most cases, a single shell has only a few associated jobs. The job ID numbers are used by a handful of utilities in place of PIDs, so you may need this information.

A second use of jobs is to ensure that all your programs have terminated prior to logging out. Under some circumstances, logging out of a remote login session can cause the client program to freeze up if you’ve left programs running. A quick check with jobs will inform you of any forgotten processes and enable you to shut them down.

Understanding Foreground and Background Processes

One of the most basic process-management tasks is to control whether a process is running in the foreground or the background—that is, whether it’s monopolizing the use of the terminal from which it was launched. Normally, when you launch a program, it takes over the terminal, preventing you from doing other work in that terminal. (Some programs, though, release the terminal. This is most common for servers and some GUI programs.)

If a program is running but you decide you want to use that terminal for something else, pressing Ctrl+Z normally pauses the program and gives you control of the terminal. (An important point is that this procedure suspends the program, so if it’s performing real work, that work stops!) This can be handy if, say, you’re running a text editor in a text-mode login and you want to check a filename so you can mention it in the file you’re editing. You press Ctrl+Z and type ls to get the file listing. To get back to the text editor, you then type fg, which restores the text editor to the foreground of your terminal. If you’ve suspended several processes, you add a job number, as in fg 2 to restore job 2. You can obtain a list of jobs associated with a terminal by typing jobs, which displays the jobs and their job numbers.

A variant on fg is bg. Whereas fg restores a job to the foreground, bg restores a job to running status, but in the background. You can use this command if the process you’re running is performing a CPU-intensive task that requires no human interaction but you want to use the terminal in the meantime. Another use of bg is in a GUI environment—after launching a GUI program from an xterm or similar window, that shell is tied up servicing the GUI program, which probably doesn’t really need the shell. Pressing Ctrl+Z in the xterm window will enable you to type shell commands again, but the GUI program will be frozen. To unfreeze the GUI program, type bg in the shell, which enables the GUI program to run in the background while the shell continues to process your commands.

As an alternative to launching a program, using Ctrl+Z, and typing bg to run a program in the background, you can append an ampersand (&) to the command when launching the program. For instance, rather than edit a file with the NEdit GUI editor by typing nedit myfile.txt, you can type nedit myfile.txt &. This command launches the nedit program in the background from the start, leaving you able to control your xterm window for other tasks.

Managing Process Priorities

Sometimes, you may want to prioritize your programs’ CPU use. For instance, you may be running a program that’s very CPU-intensive but that will take a long time to finish its work, and you don’t want that program to interfere with others that are of a more interactive nature. Alternatively, on a heavily loaded computer, you may have a job that’s more important than others that are running, so you may want to give it a priority boost. In either case, the usual method of accomplishing this goal is through the nice and renice commands. You can use nice to launch a program with a specified priority or use renice to alter the priority of a running program.

You can assign a priority to nice in any of three ways: by specifying the priority preceded by a dash (this works well for positive priorities but makes them look like negative priorities), by specifying the priority after a -n parameter, or by specifying the priority after an --adjustment= parameter. In all cases, these parameters are followed by the name of the program you want to run:

nice [argument] [command [command-arguments]]

For instance, the following three commands are all equivalent:

$ nice -12 number-crunch data.txt
$ nice -n 12 number-crunch data.txt
$ nice --adjustment=12 number-crunch data.txt

All three of these commands run the number-crunch program at priority 12 and pass it the data.txt file. If you omit the adjustment value, nice uses 10 as a default. The range of possible values is −20 to 19, with negative values having the highest priority. Only root may launch a program with increased priority (that is, give a negative priority value), but any user may use nice to launch a program with low priority. The default priority for a program run without nice is 0.

If you’ve found that a running process is consuming too much CPU time or is being swamped by other programs and so should be given more CPU time, you can use the renice program to alter its priority without disrupting the program’s operation. The syntax for renice is as follows:

renice priority [[-p] pids] [[-g] pgrps] [[-u] users]

You must specify the priority, which takes the same values this variable takes with nice. In addition, you must specify one or more PIDs (pids), one or more group IDs (pgrps), or one or more usernames (users). In the latter two cases, renice changes the priority of all programs that match the specified criterion—but only root may use renice in this way. Also, only root may increase a process’s priority. If you give a numeric value without a -p, -g, or -u option, renice assumes the value is a PID. You may mix and match these methods of specification. For instance, you might enter the following command:

# renice 7 16580 -u pdavison tbaker

This command sets the priority to 7 for PID 16580 and for all processes owned by pdavison and tbaker.

Killing Processes

Sometimes, reducing a process’s priority isn’t a strong enough action. A program may have become totally unresponsive, or you may want to terminate a process that shouldn’t be running. In these cases, the kill command is the tool to use. This program sends a signal (a method that Linux uses to communicate with processes) to a process. The signal is usually sent by the kernel, the user, or the program itself to terminate the process. Linux supports many numbered signals, each of which is associated with a specific name. You can see them all by typing kill -l. If you don’t use -l, the syntax for kill is as follows:

kill -s signal pid

Although Linux includes a kill program, many shells, including bash and csh, include built-in kill equivalents that work in much the same way as the external program. If you want to be sure you’re using the external program, type its complete path, as in /bin/kill.

The -s signal parameter sends the specified signal to the process. You can specify the signal using either a number (such as 9) or a name (such as SIGKILL). The signals you’re most likely to use are 1 (SIGHUP, which terminates interactive programs and causes many daemons to reread their configuration files), 9 (SIGKILL, which causes the process to exit without performing routine shutdown tasks), and 15 (SIGTERM, which causes the process to exit but allows it to close open files and so on). If you don’t specify a signal, the default is 15 (SIGTERM). You can also use the shortened form -signal. If you do this and use a signal name, you should omit the SIG portion of the name—for instance, use KILL rather than SIGKILL. The pid option is, of course, the PID for the process you want to kill. You can obtain this number from ps or top.

The kill program will kill only those processes owned by the user who runs kill. The exception is if that user is root; the superuser may kill any user’s processes.

Running Programs Persistently

Signals can be passed to programs by the kernel even if you don’t use the kill command. For instance, when you log out of a session, the programs you started from that session are sent the SIGHUP signal, which causes them to terminate. If you want to run a program that will continue running even when you log out, you can launch it with the nohup program:

$ nohup program options

This command causes the program to ignore the SIGHUP signal. It can be handy if you want to launch certain small servers that may legitimately be run as ordinary users.

A variant on kill is killall, which has the following form:

killall [options] [--] name [...]

This command kills a process based on its name rather than its PID number. For instance, killall vi kills all the running processes called vi. You may specify a signal in the shortened form (-signal) or by preceding the signal number with -s or --signal. As with kill, the default is 15 (SIGTERM). One potentially important option to killall is -i, which causes it to ask for confirmation before sending the signal to each process. You might use it like this:

$ killall -i vi
Kill vi(13211) ? (y/n) y
Kill vi(13217) ? (y/n) n

In this example, two instances of the Vi editor were running, but only one should have been killed.

As a general rule, if you run killall as root, you should use the -i parameter; if you don’t, it’s all too likely that you’ll kill processes that you shouldn’t, particularly if the computer is being used by many people at once.

Some versions of Unix provide a killall command that works very differently from Linux’s killall. This alternate killall kills all the processes started by the user who runs the command. This is a potentially much more destructive command, so if you ever find yourself on a non-Linux system, do not use killall until you’ve discovered what that system’s killall does (say, by reading the killall man page).
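The differences between SIGTERM, SIGKILL and SIGHUP described in this section, and the effect of nohup, can be observed directly with short-lived test processes. The script below is an added example, not taken from the book; the function names are hypothetical, and the reported numbers are the shell's convention of 128 plus the signal number for a process ended by a signal.

```shell
#!/bin/sh
# Added example: observe how a process reacts to SIGTERM, SIGKILL and SIGHUP.

# Start a background worker that installs a SIGTERM handler, then poll until it
# has signalled readiness. Sets WORKER_PID. $1 = marker file path.
start_worker() {
    marker=$1
    (
        trap 'echo cleaned > "$marker"; exit 0' TERM
        : > "$marker.ready"
        while :; do sleep 0.1; done
    ) >/dev/null 2>&1 &
    WORKER_PID=$!
    while [ ! -e "$marker.ready" ]; do sleep 0.1; done
}

# Send signal $1 (TERM or KILL) to a fresh worker. Prints "<exit status> <yes|no>",
# where yes/no says whether the worker's shutdown handler got to run.
signal_outcome() {
    dir=$(mktemp -d)
    start_worker "$dir/marker"
    kill -s "$1" "$WORKER_PID"
    status=0
    wait "$WORKER_PID" || status=$?
    if [ -e "$dir/marker" ]; then ran=yes; else ran=no; fi
    rm -rf "$dir"
    echo "$status $ran"
}

# Launch "sleep 30" directly ($1 = plain) or under nohup ($1 = nohup), send it
# SIGHUP and then SIGTERM, and print "died" or "survived" for the SIGHUP.
hup_outcome() {
    dir=$(mktemp -d)
    if [ "$1" = nohup ]; then launcher=nohup; else launcher=; fi
    # The ready file is created by the launched shell itself, so once it exists
    # nohup (if used) has already arranged for SIGHUP to be ignored.
    $launcher sh -c ': > "$1"; exec sleep 30' sh "$dir/ready" >/dev/null 2>&1 &
    pid=$!
    while [ ! -e "$dir/ready" ]; do sleep 0.1; done
    kill -s HUP "$pid"
    sleep 0.2
    kill -s TERM "$pid" 2>/dev/null || true   # nothing to do if SIGHUP ended it
    status=0
    wait "$pid" || status=$?
    rm -rf "$dir"
    case $status in
        129) echo died ;;        # 128 + 1: ended by SIGHUP
        143) echo survived ;;    # 128 + 15: ignored SIGHUP, ended by SIGTERM
        *)   echo "unexpected status $status" ;;
    esac
}

echo "SIGTERM: $(signal_outcome TERM)"
echo "SIGKILL: $(signal_outcome KILL)"
echo "SIGHUP without nohup: $(hup_outcome plain)"
echo "SIGHUP with nohup: $(hup_outcome nohup)"
```

The SIGKILL result is the reason to try the default SIGTERM first: a process ended with signal 9 never runs its shutdown code, so temporary files and locks it would have released stay behind.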

Summary

Linux provides numerous tools to help you manage software. Most distributions are built around the RPM or Debian package systems, both of which enable installation, upgrade, and removal of software using a centralized package database to avoid conflicts and other problems that are common when no central package database exists. You can perform basic operations on individual files or, with the help of extra tools such as Yum and APT, keep your system synchronized with the outside world, automatically or semi-automatically updating all your software to the latest versions.

No matter how you install your software, you may need to manage shared libraries. These software components are necessary building blocks of large modern programs, and in the best of all possible worlds they operate entirely transparently. Sometimes, though, shared libraries need to be upgraded or the system configuration changed so that programs can find the libraries. When this happens, knowing about critical configuration files and commands can help you work around any difficulties.

Beyond managing packages and libraries, Linux software management involves manipulating processes. Knowing how to manipulate foreground and background processes, adjust process priorities, and kill stray processes can help you keep your Linux system working well.

Exam Essentials

Identify critical features of RPM and Debian package formats. RPM and Debian packages store all files for a given package in a single file that also includes information about what other packages the software depends on. These systems maintain a database of installed packages and their associated files and dependencies.

Describe the tools used for managing RPMs. The rpm program is the main tool for installing, upgrading, and uninstalling RPMs. This program accepts operations and options that tell it precisely what to do. The Yum utility, and particularly its yum command, enables installation of a package and all its dependencies via the Internet, rather than from local package files.

Describe the tools used for managing Debian packages. The dpkg program installs or uninstalls a single package or a group of packages you specify. The apt-get utility retrieves programs from installation media or from the Internet for installation and can automatically upgrade your entire system. The dselect program serves as a menu-driven interface to apt-get, enabling you to select programs you want to install from a text-mode menu.

Summarize tools for extracting files and converting between package formats. The rpm2cpio program can convert an RPM file to a cpio archive, enabling users of non-RPM systems to access files in an RPM. The alien utility can convert in any direction between Debian packages, RPMs, Stampede packages, and tarballs. This enables the use of packages intended for one system on another.

Summarize the reasons for using shared libraries. Shared libraries keep disk space and memory requirements manageable by placing code that’s needed by many programs in separate files from the programs that use it, enabling one copy to be used multiple times. More generally, libraries enable programmers to use basic “building blocks” that others have written without having to constantly reinvent code.

Describe methods available to change the library path. The library path can be changed system wide by editing the /etc/ld.so.conf file and then typing ldconfig. For temporary or per-user changes, directories may be added to the path by placing them in the LD_LIBRARY_PATH environment variable.

Explain the difference between foreground and background processes. Foreground processes have control of the current terminal or text-mode window (such as an xterm). Background processes don’t have exclusive control of a terminal or text-mode window but are still running.

Describe how to limit the CPU time used by a process. You can launch a program with nice or use renice to alter its priority in obtaining CPU time. If a process is truly out of control, you can terminate it with the kill command.

Review Questions

1. Which of the following is not an advantage of a source package over a binary package?
A. A single source package can be used on multiple CPU architectures.
B. By recompiling a source package, you can sometimes work around library incompatibilities.
C. You can modify the code in a source package, thus altering the behavior of a program.
D. Source packages can be installed more quickly than binary packages can.
E. You may be able to recompile source code for a non-Linux Unix program on Linux.

2. Which is true of using both RPM and Debian package management systems on one computer?
A. It’s generally inadvisable because the two systems don’t share installed-file database information.
B. It’s impossible because their installed-file databases conflict with one another.
C. It causes no problems if you install important libraries once in each format.
D. It’s a common practice on Red Hat and Debian systems.
E. Using both systems simultaneously requires installing the alien program.

3. Which of the following statements is true about binary RPM packages that are built for a particular distribution?
A. License requirements forbid using the package on any other distribution.
B. They may be used in another RPM-based distribution only when you set the --convert-distrib parameter to rpm.
C. They may be used in another RPM-based distribution only after you recompile the package’s source RPM.
D. They can be recompiled for an RPM-based distribution running on another type of CPU.
E. They can often be used on another RPM-based distribution for the same CPU architecture, but this isn’t guaranteed.

4. An administrator types the following command on an RPM-based Linux distribution:

# rpm -ivh megaprog.rpm

What is the effect of this command?
A. If the megaprog package is installed on the computer, it is uninstalled.
B. If the megaprog.rpm package exists, is valid, and isn’t already installed on the computer, it is installed.
C. The megaprog.rpm source RPM package is compiled into a binary RPM for the computer.
D. Nothing; megaprog.rpm isn’t a valid RPM filename, so rpm will refuse to operate on this file.
E. The megaprog.rpm package replaces any earlier version of the package that’s already installed on the computer.

5. Which of the following commands will extract the contents of the myfonts.rpm file into the current directory?
A. rpm2cpio myfonts.rpm | cpio -i --make-directories
B. rpm2cpio myfonts.rpm > make-directories
C. rpm -e myfonts.rpm
D. alien --to-extract myfonts.rpm
E. rpmbuild --rebuild myfonts.rpm

6. To use dpkg to remove a package called theprogram, including its configuration files, which of the following commands would you issue?
A. dpkg -e theprogram
B. dpkg -p theprogram
C. dpkg -r theprogram
D. dpkg -r theprogram-1.2.3-4.deb
E. dpkg -P theprogram

7. Which of the following describes a difference between apt-get and dpkg?
A. apt-get provides a GUI interface to Debian package management; dpkg doesn’t.
B. apt-get can install tarballs in addition to Debian packages; dpkg can’t.
C. apt-get can automatically retrieve and update programs from Internet sites; dpkg can’t.
D. apt-get is provided only with the original Debian distribution, but dpkg comes with Debian and its derivatives.
E. apt-get works only with Debian-based distributions, but dpkg can work with both RPMs and Debian packages.

8.WhatcommandwouldyoutypetoobtainalistofallinstalledpackagesonaDebiansystem?A.apt-getshowallB.apt-cacheshowpkgC.dpkg-rallpkgsD.dpkg-iE.dpkg--get-selections

9. As root, you type apt-get update on a Debian system. What should be the effect of thiscommand?

A.None;updateisaninvalidoptiontoapt-get.B.TheAPTutilitiesdeliverinformationaboutthelatestupdatesyou’vemadetotheAPTInternetrepositories,enablingyoutoshareyourchangeswithothers.C. TheAPT utilities download all available upgrades for your installed programs and installthemonyoursystem.D. TheAPT utilities retrieve information about the latest packages available so that youmayinstallthemwithsubsequentapt-getcommands.E.TheAPTutilitiesupdatethemselves,ensuringyou’reusingthelatestversionofAPT.

10. Which of the following commands would you type to update the unzip program on a Fedora system to the latest version? (Select all that apply.)
A. yum update unzip
B. yum upgrade unzip
C. yum -u unzip
D. yum -U unzip
E. yum check-update unzip

11. How should you configure a system that uses Yum to access an additional Yum software repository?
A. Edit the /etc/apt/sources.list file to include the repository site’s URL, as detailed on the repository’s Web site.
B. Download a package from the repository site and install it with RPM, or place a configuration file from the repository site in the /etc/yum.repos.d directory.
C. Use the add-repository subcommand to yum or the Add Repository option in the File menu in yumex, passing it the URL of the repository.
D. Edit the /etc/yum.conf file, locate the [repos] section, and add the URL to the repository after the existing repository URLs.
E. Edit the /etc/yum.conf file, locate the REPOSITORIES= line, and add the new repository to the colon-delimited list on that line.

12. What is the preferred method of adding a directory to the library path for all users?
A. Modify the LD_LIBRARY_PATH environment variable in a global shell script.
B. Add the directory to the /etc/ld.so.conf file, and then type ldconfig.
C. Type ldconfig /new/dir, where /new/dir is the directory you want to add.
D. Create a symbolic link from that directory to one that’s already on the library path.
E. Type ldd /new/dir, where /new/dir is the directory you want to add.

13. You prefer the look of GTK+ widgets to Qt widgets, so you want to substitute the GTK+ libraries for the Qt libraries on your system. How would you do this?
A. You must type ldconfig --makesubs=qt,gtk. This command substitutes the GTK+ libraries for the Qt libraries at load time.
B. You must uninstall the Qt library packages and re-install the GTK+ packages with the --substitute=qt option to rpm or the --replace=qt option to dpkg.
C. You must note the filenames of the Qt libraries, uninstall the packages, and create symbolic links from the Qt libraries to the GTK+ libraries.
D. You can’t easily do this; libraries can’t be arbitrarily exchanged for one another. You would need to rewrite all the Qt-using programs to use GTK+.
E. You must reboot the computer and pass the subst=qt,gtk option to the kernel. This causes the kernel to make the appropriate substitutions.

14. A user types kill -9 11287 at a bash prompt. What is the probable intent, assuming the user typed the correct command?
A. To cut off a network connection using TCP port 11287
B. To display the number of processes that have been killed with signal 11287 in the last nine days
C. To cause a server with process ID 11287 to reload its configuration file
D. To terminate a misbehaving or hung program with process ID 11287
E. To increase the priority of the program running with process ID 11287

15. What programs might you use to learn what your system’s load average is? (Select two.)
A. ld
B. load
C. top
D. uptime
E. la

16. Which of the following commands creates a display of processes, showing the parent-child relationships through links between their names?
A. ps --forest
B. ps aux
C. ps -e
D. ps --tree
E. All of the above

17. You use top to examine the CPU time being consumed by various processes on your system. You discover that one process, dfcomp, is consuming more than 90 percent of your system’s CPU time. What can you conclude?
A. Very little; dfcomp could be legitimately consuming that much CPU time, or it could be an unauthorized or malfunctioning program.
B. No program should consume 90 percent of available CPU time; dfcomp is clearly malfunctioning and should be terminated.
C. This is normal; dfcomp is the kernel’s main scheduling process, and it consumes any unused CPU time.
D. This behavior is normal if your CPU is less powerful than a 2.5GHz EM64T Pentium, but on newer systems, no program should consume 90 percent of CPU time.
E. This behavior is normal if your CPU has at least four cores, but on systems with fewer cores than this, no program should consume 90 percent of CPU time.

18. You type jobs at a bash command prompt and receive a new command prompt with no intervening output. What can you conclude?
A. The total CPU time used by your processes is negligible (below 0.1).
B. No processes are running under your username except the shell you’re using.
C. The jobs shell is installed and working correctly on the system.
D. The system has crashed; jobs normally returns a large number of running processes.
E. No background processes are running that were launched from the shell you’re using.

19. Which two of the following commands are equivalent to one another? (Select two.)
A. nice --value 10 crunch
B. nice -n -10 crunch
C. nice -10 crunch
D. nice 10 crunch
E. nice crunch

20. Which of the following are restrictions on ordinary users’ abilities to run renice? (Select two.)
A. Users may not modify the priorities of processes that are already running.
B. Users may not modify the priority of their programs launched from anything but their current shells.
C. Users may not decrease the priority (that is, increase the priority value) of their own processes.
D. Users may not modify the priorities of other users’ processes.
E. Users may not increase the priority (that is, decrease the priority value) of their own processes.

Chapter 3

Configuring Hardware

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.101.1 Determine and configure hardware settings
1.102.1 Design hard disk layout
1.104.1 Create partitions and filesystems
1.104.2 Maintain the integrity of filesystems
1.104.3 Control mounting and unmounting of filesystems

All OSs run atop hardware, and this hardware influences how the OSs run. Most obviously, hardware can be fast or slow, reliable or unreliable. Somewhat more subtly, OSs provide various means of configuring and accessing the hardware—partitioning hard disks and reading data from Universal Serial Bus (USB) devices, for instance. You must understand at least the basics of how Linux interacts with its hardware environment in order to effectively administer a Linux system, so this chapter presents that information.

This chapter begins with a look at firmware, which is the lowest-level software that runs on a computer. A computer’s firmware begins the boot process and configures certain hardware devices. This chapter then moves on to expansion cards and USB devices.

This chapter concludes with an examination of disk hardware and the filesystems it contains—disk interface standards, disk partitioning, how to track disk usage, how to tune filesystems for optimal performance, how to check filesystems’ internal consistency, and how to repair simple filesystem defects. Assuming a filesystem is in good shape, you must be able to mount it to be able to use it, so that topic is also covered here. (One disk topic, boot managers, is covered in Chapter 5, “Booting Linux and Editing Files.”)

Configuring the Firmware and Core Hardware

All computers ship with a set of core hardware—most obviously, a central processing unit (CPU), which does the bulk of the computational work, and random access memory (RAM), which holds data. Many additional basic features help glue everything together, and some of these can be configured both inside and outside of Linux. At the heart of much of this hardware is the firmware, which provides configuration tools and initiates the OS booting process. You can use the firmware’s own user interface to enable and disable key hardware components, but once Linux is booted, you may need to manage this hardware using Linux utilities. Key components managed by the firmware (and, once it’s booted, Linux) include interrupts, I/O addresses, DMA addresses, the real-time clock, and Advanced Technology Attachment (ATA) hard disk interfaces.

Understanding the Role of the Firmware

Many hardware devices include firmware, so any given computer can have many types of firmware installed—for the motherboard, for a plug-in disk controller, for modems, and so on. The most important firmware, though, is installed on the computer’s motherboard. This firmware initializes the motherboard’s hardware and controls the boot process. In the past, the vast majority of x86- and x86-64-based computers have used a type of firmware known as the Basic Input/Output System (BIOS). Beginning in 2011, though, a new type of firmware, known as the Extensible Firmware Interface (EFI) or the Unified EFI (UEFI), has become all but standard on new computers. Some older computers also use EFI. Despite the fact that EFI isn’t technically a BIOS, most manufacturers refer to it by that name in their documentation. The exam objectives refer to the BIOS, but not to EFI. Nonetheless, in the real world you’re likely to encounter EFI on newer computers. The differences between BIOS and EFI are particularly important in booting the computer, as described in Chapter 5. For many of the setup tasks described in this chapter, the two types of firmware behave very similarly, although EFI implementations sometimes provide flashier graphical user interfaces; most BIOSs, and some EFIs, provide only text-mode user interfaces.

In this book, I use the term EFI to refer both to the original EFI and to the newer UEFI, which is effectively EFI 2.x.

The motherboard’s firmware resides in electronically erasable programmable read-only memory (EEPROM), aka flash memory. When you turn on a computer, the firmware performs a power-on self-test (POST), initializes hardware to a known operational state, loads the boot loader from the boot device (typically the first hard disk), and passes control to the boot loader, which in turn loads the OS.

Historically, a further purpose of a BIOS was to provide fundamental input/output (I/O) services to the operating system and application programs, insulating them from hardware changes. Although the Linux kernel uses the BIOS to collect information about the hardware, once Linux is running, it doesn’t use BIOS services for I/O. In theory, some EFI services can be used by the OS, but as of the 3.5.0 kernel, Linux takes advantage of few of these EFI features. Linux system administrators require a basic understanding of the BIOS or EFI because of the key role it plays in configuring hardware and in booting.

Most x86 and x86-64 computers use a BIOS or an EFI; however, some computers use radically different software in place of these types of firmware. Older PowerPC-based Apple computers, for instance, use OpenFirmware. (Intel-based Macs use EFI.) Although OpenFirmware, EFI, and other firmware programs differ from the traditional (some now say “legacy”) x86 BIOS, these systems all perform similar tasks. If you must administer a computer with an unusual firmware, you should take some time to research the details of how its firmware operates; however, this won’t greatly affect how Linux treats the hardware at the level of day-to-day system administration.

Although firmware implementations vary from manufacturer to manufacturer, most BIOSs and EFIs provide an interactive facility to configure them. Typically, you enter this setup tool by pressing the Delete key or a function key early in the boot sequence. (Consult your motherboard manual or look for onscreen prompts for details.) Figure 3.1 shows a typical BIOS setup main screen. You can use the arrow keys, the Enter key, and so on to move around the BIOS options and adjust them. Computers usually come delivered with reasonable BIOS defaults, but you may need to adjust them if you add new hardware or if a standard piece of hardware is causing problems.

FIGURE 3.1 A BIOS setup screen provides features related to low-level hardware configuration.

PCs with EFIs may provide setup utilities similar to the one shown in Figure 3.1. As noted earlier, though, some EFIs feature flashier GUIs rather than a text-based user interface. Others are organized in a very different way, as shown in Figure 3.2. The variability makes it impossible to provide simple instructions on how to locate specific features; you may need to read your manual or explore the options your firmware provides.

FIGURE 3.2 Firmware user interfaces vary greatly from one to another; you may need to spend some time exploring yours.

One key ability of the firmware is to enable or disable on-board hardware. Modern motherboards provide a wide range of hardware devices, including floppy disk controllers, hard disk controllers, RS-232 serial ports, parallel ports, USB ports, Ethernet ports, audio hardware, and even video hardware. Usually, having this hardware available is beneficial, but sometimes it’s not. The hardware may be inadequate, so you’ll want to replace it with a more capable plug-in card; or you may not need it. In such cases, you can disable the device in the firmware. Doing so keeps the device from consuming the hardware resources that are described shortly, reducing the odds of an unused device interfering with the hardware you do use.

Precisely how to disable hardware in the firmware varies from one computer to another. You should peruse the available menus to find mention of the hardware you want to disable. Menus entitled Integrated Peripherals or Advanced are particularly likely to hold these features. Once you’ve spotted the options, follow the onscreen prompts for hints about how to proceed; for instance, Figure 3.1 shows an Item Specific Help area on the right side of the screen. Information about keys to press to perform various actions appears here. (Although not identified as a help area, the right side of the screen in Figure 3.2 provides similar hints.) Once you’re finished, follow the onscreen menus and prompts to save your changes and exit. When you do so, the computer will reboot.

Once Linux boots, it uses its own drivers to access the computer’s hardware. Understanding the hardware resources that Linux uses will help you determine when you may want to shut down, boot into the firmware, and disable particular hardware devices at such a low level.

Booting Without a Keyboard

Most PCs have keyboards attached to them; however, many Linux computers function as servers, which don’t require keyboards for day-to-day operation. In such cases, you may want to detach the keyboard to reduce clutter and eliminate the risk of accidental keypresses causing problems. Unfortunately, many computers complain and refuse to boot if you unplug the keyboard and attempt to boot the computer. To disable this warning, look for a firmware option called Halt On or something similar. This option tells the firmware under what circumstances it should refuse to boot. You should find an option to disable the keyboard check. Once you select this option, you should be able to shut down, detach the keyboard, and boot normally. Of course, you’ll need to be able to access the computer via a network connection or in some other way to administer it, so be sure this is configured before you remove the keyboard!

IRQs

An interrupt request (IRQ), or interrupt, is a signal sent to the CPU instructing it to suspend its current activity and to handle some external event such as keyboard input. On the x86 platform, IRQs are numbered from 0 to 15. More modern computers, including x86-64 systems, provide more than these 16 interrupts. Some interrupts are reserved for specific purposes, such as the keyboard and the real-time clock; others have common uses (and are sometimes overused) but may be reassigned; and some are left available for extra devices that may be added to the system. Table 3.1 lists the IRQs and their common purposes in the x86 system. (On x86-64 systems, IRQs are typically assigned as in Table 3.1, but additional hardware may be assigned to higher IRQs.)

TABLE 3.1 IRQs and their common uses

IRQ | Typical use | Notes
0 | System timer | Reserved for internal use.
1 | Keyboard | Reserved for keyboard use only.
2 | Cascade for IRQs 8–15 | The original x86 IRQ-handling circuit can manage just 8 IRQs; 2 are tied together to handle 16 IRQs, but IRQ 2 must be used to handle IRQs 8–15.
3 | Second RS-232 serial port (COM2: in Windows) | May also be shared by a fourth RS-232 serial port.
4 | First RS-232 serial port (COM1: in Windows) | May also be shared by a third RS-232 serial port.
5 | Sound card or second parallel port (LPT2: in Windows) |
6 | Floppy disk controller | Reserved for the first floppy disk controller.
7 | First parallel port (LPT1: in Windows) |
8 | Real-time clock | Reserved for system clock use only.
9 | Open interrupt |
10 | Open interrupt |
11 | Open interrupt |
12 | PS/2 mouse |
13 | Math coprocessor | Reserved for internal use.
14 | Primary ATA controller | The controller for ATA devices such as hard drives; traditionally /dev/hda and /dev/hdb under Linux.¹
15 | Secondary ATA controller | The controller for more ATA devices; traditionally /dev/hdc and /dev/hdd under Linux.¹

¹ Most modern distributions treat ATA disks as SCSI disks, which changes their device identifiers from /dev/hdx to /dev/sdx.

IRQ 5 is a common source of interrupt conflicts on older computers because it’s the default value for sound cards as well as for second parallel ports. Modern computers often use a higher IRQ for sound cards and also often lack parallel ports.

The original Industry Standard Architecture (ISA) bus design makes sharing an interrupt between two devices tricky. Ideally, every ISA device should have its own IRQ. The more recent Peripheral Component Interconnect (PCI) bus makes sharing interrupts a bit easier, so PCI devices frequently end up sharing an IRQ. The ISA bus has become rare on computers made since 2001 or so.

Once a Linux system is running, you can explore what IRQs are being used for various purposes by examining the contents of the /proc/interrupts file. A common way to do this is with the use of the cat command:

$ cat /proc/interrupts
           CPU0
  0:         42   IO-APIC-edge      timer
  1:     444882   IO-APIC-edge      i8042
  4:         12   IO-APIC-edge
  6:         69   IO-APIC-edge      floppy
  8:          0   IO-APIC-edge      rtc
  9:          0   IO-APIC-fasteoi   acpi
 14:    3010291   IO-APIC-edge      ide0
 15:   11156960   IO-APIC-edge      ide1
 16:  125264892   IO-APIC-fasteoi   eth0
 17:          0   IO-APIC-fasteoi   cx88[0], cx88[0]
 20:    3598946   IO-APIC-fasteoi   sata_via
 21:    4566307   IO-APIC-fasteoi   uhci_hcd:usb1, uhci_hcd:usb2, ehci_hcd:usb3
 22:     430444   IO-APIC-fasteoi   VIA8237
NMI:          0   Non-maskable interrupts
LOC:  168759611   Local timer interrupts
TRM:          0   Thermal event interrupts
THR:          0   Threshold APIC interrupts
SPU:          0   Spurious interrupts
ERR:          0

The /proc filesystem is a virtual filesystem—it doesn’t refer to actual files on a hard disk but to kernel data that’s convenient to represent using a filesystem. The files in /proc provide information about the hardware, running processes, and so on. Many Linux utilities use /proc behind the scenes; or you can directly access these files using utilities like cat, which copies the data to the screen when given just one argument.

This output shows the names of the drivers that are using each IRQ. Some of these driver names are easy to interpret, such as floppy. Others are more puzzling, such as cx88 (it’s a driver for a video capture card). If the purpose of a driver isn’t obvious, try doing a Web search on it; chances are you’ll find a relevant hit fairly easily. Note that the preceding output shows interrupts numbered up to 22; this system supports more than the 16 base x86 interrupts.

The /proc/interrupts file lists IRQs that are in use by Linux, but Linux doesn’t begin using an IRQ until the relevant driver is loaded. This may not happen until you try to use the hardware. Thus, the /proc/interrupts list may not show all the interrupts that are configured on your system. For instance, the preceding example shows nothing for IRQ 7, which is reserved for the parallel port, because the port hadn’t been used prior to viewing the file. If the parallel port were used and /proc/interrupts viewed again, an entry for IRQ 7 and the parport0 driver would appear.
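As an added illustration (not part of the book's text), the Python sketch below parses /proc/interrupts-style output and reports which IRQs are shared by several drivers and which of the 16 base x86 IRQs no driver has claimed yet, the situation described above for IRQ 7. The function names are hypothetical, the sample is the preceding listing re-spaced, and the parser assumes the single-token controller column shown there; summing per-CPU columns goes beyond the one-CPU listing.

```python
"""Report shared and unclaimed IRQs from /proc/interrupts-style text."""

# Constructed sample: the listing shown above, spaced the way the kernel prints it.
SAMPLE = """\
           CPU0
  0:         42   IO-APIC-edge      timer
  1:     444882   IO-APIC-edge      i8042
  4:         12   IO-APIC-edge
  6:         69   IO-APIC-edge      floppy
  8:          0   IO-APIC-edge      rtc
  9:          0   IO-APIC-fasteoi   acpi
 14:    3010291   IO-APIC-edge      ide0
 15:   11156960   IO-APIC-edge      ide1
 16:  125264892   IO-APIC-fasteoi   eth0
 17:          0   IO-APIC-fasteoi   cx88[0], cx88[0]
 20:    3598946   IO-APIC-fasteoi   sata_via
 21:    4566307   IO-APIC-fasteoi   uhci_hcd:usb1, uhci_hcd:usb2, ehci_hcd:usb3
 22:     430444   IO-APIC-fasteoi   VIA8237
NMI:          0   Non-maskable interrupts
LOC:  168759611   Local timer interrupts
ERR:          0
"""


def parse_interrupts(text):
    """Return {irq: {"count": int, "controller": str, "drivers": [str, ...]}}.

    Only numbered IRQ rows are kept; summary rows (NMI, LOC, ERR, ...) are skipped.
    Assumption: the controller column is one token, as in the listing above.
    """
    lines = text.splitlines()
    if not lines:
        return {}
    ncpu = len(lines[0].split())            # header has one CPUn column per processor
    table = {}
    for line in lines[1:]:
        label, _, rest = line.partition(":")
        label = label.strip()
        if not label.isdigit():
            continue
        # Fields: one count per CPU, the controller, then the comma-separated drivers.
        fields = rest.split(None, ncpu + 1)
        counts = [int(f) for f in fields[:ncpu]]
        controller = fields[ncpu] if len(fields) > ncpu else ""
        names = fields[ncpu + 1] if len(fields) > ncpu + 1 else ""
        drivers = [n.strip() for n in names.split(",") if n.strip()]
        table[int(label)] = {
            "count": sum(counts),
            "controller": controller,
            "drivers": drivers,
        }
    return table


def shared_irqs(table):
    """IRQs with more than one registered driver (common on PCI, tricky on ISA)."""
    return {irq: e["drivers"] for irq, e in table.items() if len(e["drivers"]) > 1}


def unclaimed_legacy_irqs(table, legacy=range(16)):
    """Base x86 IRQs with no row or no driver name: no driver has been loaded for them."""
    return [irq for irq in legacy if irq not in table or not table[irq]["drivers"]]


if __name__ == "__main__":
    irqs = parse_interrupts(SAMPLE)
    for irq, drivers in sorted(shared_irqs(irqs).items()):
        print(f"IRQ {irq} is shared by: {', '.join(drivers)}")
    print("Base IRQs with no driver loaded:", unclaimed_legacy_irqs(irqs))
```

To run it against a live system, pass the contents of /proc/interrupts to parse_interrupts() instead of SAMPLE.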

Although IRQ conflicts are rare on modern hardware, they do occasionally still crop up. When this happens, you must reconfigure one or more devices to use different IRQs. This topic is described shortly, in “Configuring Expansion Cards.”

I/O Addresses

I/O addresses (also referred to as I/O ports) are unique locations in memory that are reserved for communications between the CPU and specific physical hardware devices. Like IRQs, I/O addresses are commonly associated with specific devices and should not ordinarily be shared. Table 3.2 lists some Linux device filenames along with the equivalent names in Windows, as well as the common IRQ and I/O address settings.

TABLE 3.2 Common Linux devices

Although the use is deprecated, older systems sometimes use /dev/cuax (where x is a number 0 or greater) to indicate an RS-232 serial device. Thus, /dev/ttyS0 and /dev/cua0 refer to the same physical device.

Once a Linux system is running, you can explore what I/O addresses the computer is using by examining the contents of the /proc/ioports file. A common way to do this is with the cat command:

$ cat /proc/ioports
0000-001f : dma1
0020-0021 : pic1
0040-0043 : timer0
0050-0053 : timer1
0060-006f : keyboard
0070-0077 : rtc
0080-008f : dma page reg
00a0-00a1 : pic2
00c0-00df : dma2
00f0-00ff : fpu

This example truncates the output, which goes on for quite a way on the test system. As with IRQs, if your system suffers from I/O port conflicts, you must reconfigure one or more devices, as described in “Configuring Expansion Cards.” In practice, such conflicts are rarer than IRQ conflicts.

DMA Addresses

Direct memory addressing (DMA) is an alternative method of communication to I/O ports. Rather than have the CPU mediate the transfer of data between a device and memory, DMA permits the device to transfer data directly, without the CPU’s attention. The result can be lower CPU requirements for I/O activity, which can improve overall system performance.

To support DMA, the x86 architecture implements several DMA channels, each of which can be used by a particular device. To learn what DMA channels your system uses, examine the /proc/dma file:

$ cat /proc/dma
 2: floppy
 4: cascade

This output indicates that DMA channels 2 and 4 are in use. As with IRQs and I/O ports, DMA addresses should not normally be shared. In practice, DMA address conflicts are rarer than IRQ conflicts, so chances are you won’t run into problems. If you do, consult the upcoming section “Configuring Expansion Cards.”

Boot Disks and Geometry Settings

Most firmware implementations enable you to choose the order in which devices are booted. This is an area in which BIOS and EFI differ, and there are substantial implementation-to-implementation differences, too. Generally speaking, though, the rules are as follows:

BIOS
The BIOS boot process begins by reading a boot sector (typically the first sector) from a disk and then executing that code. Thus, boot options for BIOS-based computers are limited; you can only select the order in which various boot devices (hard disks, floppy disks, optical disks, USB devices, and so on) are examined to find a boot sector.

EFI
Under EFI, the boot process involves reading a boot loader file from a filesystem on a special partition, known as the EFI System Partition (ESP). This file either can take a special default name or can be registered in the computer’s NVRAM. Thus, EFI computers often present an extended range of boot options, involving both default boot loader files from various devices (to enable granting precedence to a bootable USB flash drive, for example) and multiple boot loaders on the computer’s hard disks. Some primitive EFI implementations, though, present simple BIOS-like boot options.

Many EFI implementations support a BIOS compatibility mode and so can boot media intended for BIOS-based computers. This feature, intended to help in the transition from BIOS to EFI, can complicate firmware setup and OS installation because it creates extra boot options that users often don’t understand.

Although boot sequences involving removable disks are common, they have their problems. For instance, if somebody accidentally leaves a floppy disk in the drive, this can prevent the system from booting. Worse, some viruses are transmitted by BIOS boot sectors, so this method can result in viral infection. Using removable disks as the default boot media also opens the door to intruders who have physical access to the computer; they need only reboot with a bootable removable disk or CD-ROM to gain complete control of your system. For these reasons, it’s better to make the first hard disk (or a boot loader on a hard disk’s ESP, in the case of EFI) the only boot device. (You must change this configuration when installing Linux or using an emergency boot disk for maintenance.) Most modern computers make temporary changes easier by providing a special key to allow a one-time change to the boot sequence. On older computers, to change the boot sequence, you must locate the appropriate firmware option, change it, and reboot the computer. It’s usually located in an Advanced menu, so look there.

Another disk option is the one for detecting disk devices. Figure 3.1 shows three disk devices: the A: floppy disk (/dev/fd0 under Linux), a 1048MB primary master hard disk, and a CD-ROM drive as the secondary master. In most cases, the firmware detects and configures hard disks and CD-ROM drives correctly. In rare circumstances, you must tell a BIOS-based computer about the hard disk’s cylinder/head/sector (CHS) geometry.

The CHS geometry is a holdover from the early days of the x86 architecture. Figure 3.3 shows the traditional hard disk layout, which consists of a fixed number of read/write heads that can move across the disk surfaces (or platters). As the disk spins, each head marks out a circular track on its platter; these tracks collectively make up a cylinder. Each track is broken down into a series of sectors. Thus, any sector on a hard disk can be uniquely identified by three numbers: a cylinder number, a head number, and a sector number. The x86 BIOS was designed to use this three-number CHS identification code. One consequence of this configuration is that the BIOS must know how many cylinders, heads, and sectors the disk has. Modern hard disks relay this information to the BIOS automatically; but for compatibility with the earliest hard disks, BIOSs still enable you to set these values manually.

FIGURE 3.3 Hard disks are built from platters, each of which is broken into tracks, which are broken into sectors.

The BIOS will detect only certain types of disks. Of particular importance, SCSI disks and (on some older computers) serial ATA (SATA) disks won’t appear in the main BIOS disk-detection screen. These disks are handled by supplementary firmware associated with the controllers for these devices. Some BIOSs do provide explicit options to add SCSI devices into the boot sequence, so you can give priority to either ATA or SCSI devices. For those without these options, SCSI disks generally take second seat to ATA disks.

CHS geometry, unfortunately, has its problems. For one thing, all but the earliest hard disks use variable numbers of sectors per cylinder—modern disks squeeze more sectors onto outer tracks than inner ones, fitting more data on each disk. Thus, the CHS geometry presented to the BIOS by the hard disk is a convenient lie. Worse, because of limits on the numbers in the BIOS and in the ATA hard disk interface, plain CHS geometry tops out at 504MiB, which is puny by today’s standards. Various patches, such as CHS geometry translation, can be used to expand the limit to about 8GiB. Today, though, the preference is to use logical block addressing (LBA) mode. (Some sources use the expansion linear block addressing for this acronym.) In this mode, a single unique number is assigned to each sector on the disk, and the disk’s firmware is smart enough to read from the correct head and cylinder when given this sector number. Modern BIOSs typically provide an option to use LBA mode, CHS translation mode, or possibly some other modes with large disks. EFI doesn’t use CHS addressing at all, except in its BIOS compatibility mode; instead, EFI uses LBA mode exclusively. In most cases, LBA mode is the best choice. If you must retrieve data from very old disks, though, you may need to change this option.

Because of variability in how different BIOSs handle CHS translation, moving disks between computers can result in problems because of mismatched CHS geometries claimed in disk structures and by the BIOS. Linux is usually smart enough to work around such problems, but you may see some odd error messages in disk utilities like fdisk. If you see messages about inconsistent CHS geometries, proceed with caution when using low-level disk utilities lest you create an inconsistent partition table that could cause problems, particularly in OSs that are less robust than Linux on this score.

Coldplug and Hotplug Devices

Whenever you deal with hardware, you should keep in mind a distinction between two device types: coldplug and hotplug. These device types differ depending on whether they can be physically attached and detached when the computer is turned on (that is, “hot”), versus only when it’s turned off (“cold”).

Coldplug devices are designed to be physically connected and disconnected only when the computer is turned off. Attempting to attach or detach such devices when the computer is running can damage the device or the computer, so do not attempt to do so.

Traditionally, components that are internal to the computer, such as the CPU, memory, PCI cards, and hard disks, have been coldplug devices. A hotplug variant of PCI, however, has been developed and is used on some computers—mainly on servers and other systems that can’t afford the downtime required to install or remove a device. Hot-plug SATA devices are also available.

Modern external devices, such as Ethernet, USB, and IEEE-1394 devices, are hotplug; you can attach and detach such devices as you see fit. These devices rely on specialized Linux software to detect the changes to the system as they’re attached and detached. Several utilities help in managing hotplug devices:

Sysfs
The sysfs virtual filesystem, mounted at /sys, exports information about devices so that user-space utilities can access the information.

A user space program is one that runs as an ordinary program, whether it runs as an ordinary user or as root. This contrasts with kernel space code, which runs as part of the kernel. Typically, only the kernel (and hence kernel-space code) can communicate directly with hardware. User-space programs are the ultimate users of hardware, though. Traditionally, the /dev filesystem has provided the main means of interface between user-space programs and hardware; however, the tools described here help expand on this access, particularly in ways that are useful for hotplug devices.

HAL Daemon
The Hardware Abstraction Layer (HAL) Daemon, or hald, is a user-space program that runs at all times (that is, as a daemon) that provides other user-space programs with information about available hardware.

D-Bus
The Desktop Bus (D-Bus) provides a further abstraction of hardware information access. Like hald, D-Bus runs as a daemon. D-Bus enables processes to communicate with each other as well as to register to be notified of events, both by other processes and by hardware (such as the availability of a new USB device).

udev
Traditionally, Linux has created device nodes as conventional files in the /dev directory tree. The existence of hotplug devices and various other issues, however, have motivated the creation of udev: a virtual filesystem, mounted at /dev, which creates dynamic device files as drivers are loaded and unloaded. You can configure udev through files in /etc/udev, but the standard configuration is usually sufficient for common hardware.

These tools all help programs work seamlessly in a world of hotplug devices by enabling the programs to learn about hardware, including receiving notification when the hardware configuration changes.

Older external devices, such as parallel and RS-232 ports, are officially coldplug in nature. In practice, many people treat these devices as if they were hotplug, and they can usually get away with it; but there is a risk of damage, so it’s safest to power down a computer before connecting or disconnecting such a device. When RS-232 or parallel port devices are hotplugged, they typically aren’t registered by tools such as udev and hald. Only the ports to which these devices connect are handled by the OS; it’s up to user-space programs, such as terminal programs or the printing system, to know how to communicate with the external devices.

Configuring Expansion Cards

Many hardware devices require configuration—you must set the IRQ, I/O port, and DMA addresses used by the device. (Not all devices use all three resources.) Through the mid-1990s, this process involved tedious changes to jumpers on the hardware. Today, though, you can configure most options through software.

Even devices that are built into the motherboard are configured through the same means used to configure PCI cards.

Configuring PCI Cards

The PCI bus, which is the standard expansion bus for most internal devices, was designed with Plug-and-Play (PnP)-style configuration in mind; thus, automatic configuration of PCI devices is the rule rather than the exception. For the most part, PCI devices configure themselves automatically, and there’s no need to make any changes. You can, though, tweak how PCI devices are detected in several ways:

The Linux kernel has several options that affect how it detects PCI devices. You can find these in the kernel configuration screens under Bus Options. Most users can rely on the options in their distributions’ default kernels to work properly; but if you recompile your kernel yourself and if you’re having problems with device detection, you may want to study these options.

Most firmware implementations have PCI options that change the way PCI resources are allocated. Adjusting these options may help if you run into strange hardware problems with PCI devices.

Some Linux drivers support options that cause them to configure the relevant hardware to use particular resources. You should consult the drivers’ documentation files for details of the options they support. You must then pass these options to the kernel using a boot loader (as described in Chapter 5) or as kernel module options.

You can use the setpci utility to directly query and adjust PCI devices’ configurations. This tool is most likely to be useful if you know enough about the hardware to fine-tune its low-level configuration; it’s not often used to tweak the hardware’s basic IRQ, I/O port, or DMA options.

In addition to the configuration options, you may want to check how PCI devices are currently configured. You can use the lspci command for this purpose; it displays all information about the PCI busses on your system and all devices connected to those busses. This command takes several options that fine-tune its behavior. Table 3.3 lists the most common of these.

TABLE 3.3 Options for lspci

Option | Effect
-v | Increases verbosity of output. This option may be doubled (-vv) or tripled (-vvv) to produce yet more output.
-n | Displays information in numeric codes rather than translating the codes to manufacturer and device names.
-nn | Displays both the manufacturer and device names and their associated numeric codes.
-x | Displays the PCI configuration space for each device as a hexadecimal dump. This is an extremely advanced option. Tripling (-xxx) or quadrupling (-xxxx) this option displays information about more devices.
-b | Shows IRQ numbers and other data as seen by devices rather than as seen by the kernel.
-t | Displays a tree view depicting the relationship between devices.
-s [[[[domain]:]bus]:][slot][.[func]] | Displays only devices that match the listed specification. This can be used to trim the results of the output.
-d [vendor]:[device] | Shows data on the specified device.
-i file | Uses the specified file to map vendor and device IDs to names. (The default is /usr/share/misc/pci.ids.)
-m | Dumps data in a machine-readable form, intended for use by scripts. A single -m uses a backward-compatible format, whereas doubling (-mm) uses a newer format.
-D | Displays PCI domain numbers. These numbers normally aren’t displayed.
-M | Performs a scan in bus-mapping mode, which can reveal devices hidden behind a misconfigured PCI bridge. This is an advanced option that can be used only by root.
--version | Displays version information.

Learning about Kernel Modules

Hardware in Linux is handled by kernel drivers, many of which come in the form of kernel modules. These are stand-alone driver files, typically stored in the /lib/modules directory tree, that can be loaded to provide access to hardware and unloaded to disable such access. Typically, Linux loads the modules it needs when it boots, but you may need to load additional modules yourself.

You can learn about the modules that are currently loaded on your system by using lsmod, which takes no options and produces output like this:

$ lsmod
Module                  Size  Used by
isofs                  35820  0
zlib_inflate           21888  1 isofs
floppy                 65200  0
nls_iso8859_1           5568  1
nls_cp437               7296  1
vfat                   15680  1
fat                    49536  1 vfat
sr_mod                 19236  0
ide_cd                 42848  0
cdrom                  39080  2 sr_mod,ide_cd

This output has been edited for brevity. Although outputs this short are possible with certain configurations, they’re rare.

The most important column in this output is the first one, labeled Module; this column specifies the names of all the modules that are currently loaded. You can learn more about these modules with modinfo, as described shortly, but sometimes their purpose is fairly obvious. For instance, the cdrom module provides access to the optical drive.

The Used by column of the lsmod output describes what’s using the module. All the entries have a number, which indicates the number of other modules or processes that are using the module. For instance, in the preceding example, the isofs module (used to access CD-ROM filesystems) isn’t currently in use, as revealed by its 0 value; but the vfat module (used to read VFAT hard disk partitions and floppies) is being used, as shown by its value of 1. If one of the modules is being used by another module, the using module’s name appears in the Used by column. For instance, the isofs module relies on the zlib_inflate module, so the latter module’s Used by column includes the isofs module name. This information can be useful when you’re managing modules. For instance, if your system produced the preceding output, you couldn’t directly remove the zlib_inflate module because it’s being used by the isofs module; but you could remove the isofs module, and after doing so, you could remove the zlib_inflate module. (Both modules would need to be added back to read most CD-ROMs, though.)

The lsmod command displays information only about kernel modules, not about drivers that are compiled directly into the Linux kernel. For this reason, a module may need to be loaded on one system but not on another to use the same hardware because the second system may compile the relevant driver directly into the kernel.
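The removal rule described above, as an added example that is not from the book: this Python sketch parses the sample lsmod listing (column spacing restored) and works out which modules must be unloaded first. The function names are illustrative, and treating a use count larger than the number of listed modules as "held by something that is not a module" is an assumption drawn from the Used by description.

```python
"""Plan an rmmod order from lsmod output (added example)."""

# The sample lsmod listing from the text, with column spacing restored.
LSMOD_SAMPLE = """\
Module                  Size  Used by
isofs                  35820  0
zlib_inflate           21888  1 isofs
floppy                 65200  0
nls_iso8859_1           5568  1
nls_cp437               7296  1
vfat                   15680  1
fat                    49536  1 vfat
sr_mod                 19236  0
ide_cd                 42848  0
cdrom                  39080  2 sr_mod,ide_cd
"""


def parse_lsmod(text):
    """Return {module: (size, use_count, [modules using it])}."""
    modules = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        name, size, count = fields[0], int(fields[1]), int(fields[2])
        users = [u for u in fields[3].split(",") if u] if len(fields) > 3 else []
        modules[name] = (size, count, users)
    return modules


def removal_plan(modules, target):
    """Return (order, blockers) for unloading `target`.

    order    -- modules to rmmod, dependents first, ending with target
    blockers -- modules whose use count exceeds the number of listed
                module users (assumption: a mounted filesystem or open
                device holds them, so rmmod would refuse)
    """
    if target not in modules:
        raise KeyError(f"{target} is not a loaded module")
    order, blockers, seen = [], [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        _size, count, users = modules[name]
        for user in users:                      # using modules go first
            visit(user)
        if count > len(users):
            blockers.append(name)
        order.append(name)

    visit(target)
    return order, blockers


if __name__ == "__main__":
    loaded = parse_lsmod(LSMOD_SAMPLE)
    for module in ("zlib_inflate", "cdrom", "fat"):
        order, blockers = removal_plan(loaded, module)
        status = "blocked by " + ", ".join(blockers) if blockers else "ok"
        print(f"{module}: rmmod order {' -> '.join(order)} ({status})")
```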

Loading Kernel Modules

Linux enables you to load kernel modules with two programs: insmod and modprobe. The insmod program inserts a single module into the kernel. This process requires you to have already loaded any modules on which the module you’re loading relies. The modprobe program, by contrast, automatically loads any depended-on modules and so is generally the preferred way to do the job.

In practice, you may not need to use insmod or modprobe to load modules because Linux can load them automatically. This ability relies on the kernel’s module auto-loader feature, which must be compiled into the kernel, and on various configuration files, which are also required for modprobe and some other tools. Using insmod and modprobe can be useful for testing new modules or for working around problems with the auto-loader, though.

In practice, insmod is a fairly straightforward program to use; you type its name followed by the module filename:

# insmod /lib/modules/2.6.26/kernel/drivers/block/floppy.ko

This command loads the floppy.ko module, which you must specify by filename. Modules have module names, too, which are usually the same as the filename but without the extension, as in floppy for the floppy.ko file. Unfortunately, insmod requires the full module name.

You can pass additional module options to the module by adding them to the command line. Module options are highly module-specific, so you must consult the documentation for the module to learn what to pass. Examples include options to tell an RS-232 serial port driver what interrupt to use to access the hardware or to tell a video card framebuffer driver what screen resolution to use.

Some modules depend on other modules. In these cases, if you attempt to load a module that depends on others and those other modules aren’t loaded, insmod will fail. When this happens, you must either track down and manually load the depended-on modules or use modprobe. In the simplest case, you can use modprobe much as you use insmod, by passing it a module name:

# modprobe floppy

As with insmod, you can add kernel options to the end of the command line. Unlike insmod, you specify a module by its module name rather than its module filename when you use modprobe. Generally speaking, this helps make modprobe easier to use, as does the fact that modprobe automatically loads dependencies. This greater convenience means that modprobe relies on configuration files. It also means that you can use options (placed between the command name and the module name) to modify modprobe’s behavior:

Be Verbose: The -v or --verbose option tells modprobe to display extra information about its operations. Typically, this includes a summary of every insmod operation it performs.

Change Configuration Files: The modprobe program uses a configuration file called /etc/modprobe.conf (or multiple files in /etc/modprobe.d). You can change the configuration file or directory by passing a new file with the -C filename option, as in modprobe -C /etc/mymodprobe.conf floppy.

Perform a Dry Run: The -n or --dry-run option causes modprobe to perform checks and all other operations except the actual module insertions. You might use this option in conjunction with -v to see what modprobe would do without loading the module. This may be helpful in debugging, particularly if inserting the module is having some detrimental effect, such as disabling disk access.

Remove Modules: The -r or --remove option reverses modprobe’s usual effect; it causes the program to remove the specified module and any on which it depends. (Depended-on modules are not removed if they’re in use.)

Force Loading: The -f or --force option tells modprobe to force the module loading even if the kernel version doesn’t match what the module expects. This action is potentially dangerous, but it’s occasionally required when using third-party binary-only modules.

Show Dependencies: The --show-depends option shows all the modules on which the specified module depends. This option doesn’t install any of the modules; it’s purely informative in nature.

Show Available Modules: The -l or --list option displays a list of available options whose names match the wildcard you specify. For instance, typing modprobe -l v* displays all modules whose names begin with v. If you provide no wildcard, modprobe displays all available modules. Like --show-depends, this option doesn’t cause any modules to be loaded.

This list of options is incomplete. The others are relatively obscure, so you’re not likely to need them often. Consult the modprobe man page for more information.

Removing Kernel Modules

In most cases, you can leave modules loaded indefinitely; the only harm that a module does when it’s loaded but not used is to consume a small amount of memory. (The lsmod program shows how much memory each module consumes.) Sometimes, though, you may want to remove a loaded module. Reasons include reclaiming that tiny amount of memory, unloading an old module so you can load an updated replacement module, and removing a module that you suspect is unreliable.

The work of unloading a kernel module is done by the rmmod command, which is basically the opposite of insmod. The rmmod command takes a module name as an option, though, rather than a module filename:

# rmmod floppy

This example command unloads the floppy module. You can modify the behavior of rmmod in various ways:

Be Verbose: Passing the -v or --verbose option causes rmmod to display some extra information about what it’s doing. This may be helpful if you’re troubleshooting a problem.

Force Removal: The -f or --force option forces module removal even if the module is marked as being in use. Naturally, this is a very dangerous option, but it’s sometimes helpful if a module is misbehaving in some way that’s even more dangerous. This option has no effect unless the CONFIG_MODULE_FORCE_UNLOAD kernel option is enabled.

Wait Until Unused: The -w or --wait option causes rmmod to wait for the module to become unused, rather than return an error message, if the module is in use. Once the module is no longer being used (say, after a floppy disk is unmounted if you try to remove the floppy module), rmmod unloads the module and returns. Until then, rmmod doesn’t return, making it look like it’s not doing anything.

A few more rmmod options exist; consult the rmmod man page for details.

Like insmod, rmmod operates on a single module. If you try to unload a module that’s depended on by other modules or is in use, rmmod will return an error message. (The -w option modifies this behavior, as just described.) If the module is depended on by other modules, rmmod lists those modules, so you can decide whether to unload them. If you want to unload an entire module stack—that is, a module and all those upon which it depends—you can use the modprobe command and its -r option, as described earlier in “Loading Kernel Modules.”

Configuring USB Devices

USB is an extremely popular (perhaps the most popular) external interface form. This fact means you must understand something about USB, including USB itself, Linux’s USB drivers, and Linux’s USB management tools.

USB Basics

USB is a protocol and hardware port for transferring data to and from devices. It allows for many more (and varied) devices per interface port than either ATA or SCSI and gives better speed than RS-232 serial and parallel ports. The USB 1.0 and 1.1 specifications allow for up to 127 devices and 12Mbps of data transfer. USB 2.0 allows for much higher transfer rates—480Mbps, to be precise. USB 3.0, introduced in 2010, supports a theoretical maximum speed of 4.8Gbps, although 3.2Gbps is a more likely top speed in practice. USB 3.0 devices require a new physical connector.

Data transfer speeds may be expressed in bits per second (bps) or multiples thereof, such as megabits per second (Mbps) or gigabits per second (Gbps); or in bytes per second (B/s) or multiples thereof, such as megabytes per second (MB/s). In most cases, there are 8 bits per byte, so multiplying or dividing by 8 may be necessary if you’re trying to compare speeds of devices that use different measures.

USB is the preferred interface method for many external devices, including printers, scanners, mice, digital cameras, flash drives, and music players. USB keyboards, Ethernet adapters, modems, speakers, hard drives, and other devices are also available, although USB has yet to dominate these areas as it has some others.

Most computers ship with four to eight USB ports. (A few years ago, two USB ports were more common.) Each port can handle one device by itself, but you can use a USB hub to connect several devices to each port. Thus, you can theoretically connect huge numbers of USB devices to a computer. In practice, you may run into speed problems, particularly if you’re using USB 1.x for devices that tend to transfer a lot of data, such as scanners, printers, or hard drives.

If you have an older computer that lacks USB 3.0 support and you want to connect a high-speed USB 3.0 device, you can buy a separate USB 3.0 board. You can continue to use the computer’s built-in USB ports for slower devices.

Linux USB Drivers

Several different USB controllers are available, with names such as UHCI, OHCI, EHCI, and R8A66597. Modern Linux distributions ship with the drivers for the common USB controllers enabled, so your USB port should be activated automatically when you boot the computer. The UHCI and OHCI controllers handle USB 1.x devices, but most other controllers can handle USB 2.0 devices. You need a 2.6.31 or newer kernel to use USB 3.0 hardware. Note that these basics merely provide a means to access the actual USB hardware and address the devices in a low-level manner. You’ll need additional software—either drivers or specialized software packages—to make practical use of the devices.

You can learn a great deal about your devices by using the lsusb utility. A simple use of this program with no options reveals basic information about your USB devices:

$ lsusb
Bus 003 Device 008: ID 0686:400e Minolta Co., Ltd
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 002: ID 046d:c401 Logitech, Inc. TrackMan Marble Wheel
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000

In this example, three USB busses are detected (001, 002, and 003). The first bus has no devices attached, but the second and third each have one device—a Logitech TrackMan Marble Wheel trackball and a Minolta DiMAGE Scan Elite 5400 scanner, respectively. (The scanner’s name isn’t fully identified by this output, except insofar as the ID number encodes this information.) You can gather additional information by using various options to lsusb:

Be Verbose: The -v option produces extended information about each product.

Restrict Bus and Device Number: Using the -s [[bus]:][devnum] option restricts output to the specified bus and device number.

Restrict Vendor and Product: You can limit output to a particular vendor and product by using the -d [vendor]:[product] option. The vendor and product are the codes just after ID on each line of the basic lsusb output.

Display Device by Filename: Using -D filename displays information about the device that’s accessible via filename, which should be a file in the /proc/bus/usb directory tree. This directory provides a low-level interface to USB devices, as described shortly.

Tree View: The -t option displays the device list as a tree so that you can more easily see what devices are connected to specific controllers.

Version: The -V or --version option displays the version of the lsusb utility and exits.

Early Linux USB implementations required a separate driver for every USB device. Many of these drivers remain in the kernel, and some software relies on them. For instance, USB disk storage devices use USB storage drivers that interface with Linux’s SCSI support, making USB hard disks, removable disks, and so on look like SCSI devices.

Linux provides a USB filesystem that in turn provides access to USB devices in a generic manner. This filesystem appears as part of the /proc virtual filesystem. In particular, USB device information is accessible from /proc/bus/usb. Subdirectories of /proc/bus/usb are given numbered names based on the USB controllers installed on the computer, as in /proc/bus/usb/001 for the first USB controller. Software can access files in these directories to control USB devices rather than use device files in /dev as with most hardware devices. Tools such as scanner software and the Linux printing system can automatically locate compatible USB devices and use these files.

USB Manager Applications

USB can be challenging for OSs because it was designed as a hot-pluggable technology. The Linux kernel wasn’t originally designed with this sort of activity in mind, so the kernel relies on external utilities to help manage matters. Two tools in particular are used for managing USB devices: usbmgr and hotplug.

The usbmgr package (located at http://freecode.com/projects/usbmgr) is a program that runs in the background to detect changes on the USB bus. When it detects changes, it loads or unloads the kernel modules that are required to handle the devices. For instance, if you plug in a USB Zip drive, usbmgr will load the necessary USB and SCSI disk modules. This package uses configuration files in /etc/usbmgr to handle specific devices and uses /etc/usbmgr/usbmgr.conf to control the overall configuration.

With the shift from in-kernel device-specific USB drivers to the USB device filesystem (/proc/bus/usb), usbmgr has been declining in importance. In fact, it may not be installed on your system. Instead, most distributions rely on the Hotplug package (http://linux-hotplug.sourceforge.net), which relies on kernel support added with the 2.4.x kernel series. This system uses files stored in /etc/hotplug to control the configuration of specific USB devices. In particular, /etc/hotplug/usb.usermap contains a database of USB device IDs and pointers to scripts in /etc/hotplug/usb that are run when devices are plugged in or unplugged. These scripts might change permissions on USB device files so that ordinary users can access USB hardware, run commands to detect new USB disk devices, or otherwise prepare the system for a new (or newly removed) USB device.

Configuring Hard Disks

Hard disks are among the most important components in your system. Three different hard disk interfaces are common on modern computers: Parallel Advanced Technology Attachment (PATA), aka ATA; Serial Advanced Technology Attachment (SATA); and Small Computer System Interface (SCSI). In addition, external USB and IEEE-1394 drives are available, as are external variants of SATA and SCSI drives. Each has its own method of low-level configuration.

Configuring PATA Disks

PATA disks once ruled the roost in the x86 PC world, but today SATA disks have largely supplanted them. Thus, you’re most likely to encounter PATA disks on older computers—say, from 2005 or earlier. PATA disks are still readily available, though.

As the full name implies, PATA disks use a parallel interface, meaning that several bits of data are transferred over the cable at once. Thus, PATA cables are wide, supporting a total of either 40 or 80 lines, depending on the variety of PATA. You can connect up to two devices to each PATA connector on a motherboard or plug-in PATA controller, meaning that PATA cables typically have three connectors—one for the motherboard and two for disks.

PATA disks must be configured as masters or as slaves. This can be done via jumpers on the disks themselves. Typically, the master device sits at the end of the cable, and the slave device resides on the middle connector. All modern PATA disks also support an option called cable select. When set to this option, the drive attempts to configure itself automatically based on its position on the PATA cable. Thus, your easiest configuration is usually to set all PATA devices to use the cable-select option; you can then attach them to whatever position is convenient, and the drives should configure themselves.

For best performance, disks should be placed on separate controllers rather than configured as master and slave on a single controller, because each PATA controller has a limited throughput that may be exceeded by two drives. Until recently, most motherboards have included at least two controllers, so putting each drive on its own controller isn’t a problem until you install more than two drives in a single computer.

All but the most ancient BIOSs auto-detect PATA devices and provide information about their capacities and model numbers in the BIOS setup utilities. In the past, most motherboards would boot PATA drives in preference to other drives, but modern firmware usually provides more options to control your boot preferences.

In Linux, PATA disks have traditionally been identified as /dev/hda, /dev/hdb, and so on, with /dev/hda being the master drive on the first controller, /dev/hdb being the slave drive on the first controller, and so on. Thus, gaps can occur in the numbering scheme—if you have master disks on the first and second controllers but no slave disks, your system will contain /dev/hda and /dev/hdc but no /dev/hdb. Partitions are identified by numbers after the main device name, as in /dev/hda1, /dev/hda2, and so on.

The naming rules for disks also apply to optical media, except that these media typically aren’t partitioned. Most Linux distributions also create a link to your optical drive under the name /dev/cdrom or /dev/dvd. Removable PATA disks, such as Zip disks, are given identifiers as if they were fixed PATA disks, optionally including partition identifiers.

Most modern Linux distributions favor newer PATA drivers that treat PATA disks as if they were SCSI disks. Thus, you may find that your device filenames follow the SCSI rules rather than the PATA rules even if you have PATA disks.

Configuring SATA Disks

SATA is a newer interface than PATA, and SATA has largely displaced PATA as the interface of choice. New motherboards typically host four or more SATA interfaces and frequently lack PATA interfaces.

SATA disks connect to their motherboards or controllers on a one-to-one basis—unlike with PATA, you can’t connect more than one disk to a single cable. This fact simplifies configuration; there typically aren’t jumpers to set, and you needn’t be concerned with the position of the disk on the cable.

As the word serial in the expansion of SATA implies, SATA is a serial bus—only one bit of data can be transferred at a time. SATA transfers more bits per unit of time on its data line, though, so SATA is faster than PATA (1.5−6.0Gbps for SATA vs. 128−1064Mbps for PATA, but these are theoretical maximums that are unlikely to be achieved in real-world situations). Because of SATA’s serial nature, SATA cables are much thinner than PATA cables.

Modern firmware detects SATA disks and provides information about them just as for PATA disks. The firmware may provide boot order options, too. Older BIOSs are likely to be more limited. This is particularly true if your motherboard doesn’t provide SATA support but you use a separate SATA controller card. You may be able to boot from an SATA disk in such cases if your controller card supports this option, or you may need to use a PATA boot disk.

Most Linux SATA drivers treat SATA disks as if they were SCSI disks, so you should read the next section, “Configuring SCSI Disks,” for information about device naming. Some older drivers treat SATA disks like PATA disks, so you may need to use PATA names in some rare circumstances.

Configuring SCSI Disks

There are many types of SCSI definitions, which use a variety of different cables and operate at various speeds. SCSI is traditionally a parallel bus, like PATA, although the latest variant, Serial Attached SCSI (SAS), is a serial bus like SATA. SCSI has traditionally been considered a superior bus to PATA; however, the cost difference has risen dramatically over the past decade or two, so few people today use SCSI. You may find it on older systems or on very high-end systems.

SCSI supports up to 8 or 16 devices per bus, depending on the variety. One of these devices is the SCSI host adapter, which either is built into the motherboard or comes as a plug-in card. In practice, the number of devices you can attach to a SCSI bus is more restricted because of cable-length limits, which vary from one SCSI variety to another. Each device has its own ID number, typically assigned via a jumper on the device. You must ensure that each device’s ID is unique. Consult its documentation to learn how to set the ID.

If your motherboard lacks built-in SCSI ports, chances are it won’t detect SCSI devices. You can still boot from a SCSI hard disk if your SCSI host adapter has its own firmware that supports booting. Most high-end SCSI host adapters have this support, but low-end SCSI host adapters don’t have built-in firmware. If you use such a host adapter, you can still attach SCSI hard disks to the adapter, and Linux can use them, but you’ll need to boot from a PATA or SATA hard disk.

SCSI IDs aren’t used to identify the corresponding device file on a Linux system. Hard drives follow the naming system /dev/sdx (where x is a letter from a up), SCSI tapes are named /dev/stx and /dev/nstx (where x is a number from 0 up), and SCSI CD-ROMs and DVD-ROMs are named /dev/scdx or /dev/srx (where x is a number from 0 up).

SCSI device numbering (or lettering) is usually assigned in increasing order based on the SCSI ID. If you have one hard disk with a SCSI ID of 2 and another hard disk with a SCSI ID of 4, they will be assigned to /dev/sda and /dev/sdb, respectively. The real danger is if you add a third SCSI drive and give it an ID of 0, 1, or 3. This new disk will become /dev/sda (for an ID of 0 or 1) or /dev/sdb (for ID 3), bumping up one or both of the existing disks’ Linux device identifiers. For this reason, it’s usually best to give hard disks the lowest possible SCSI IDs so that you can add future disks using higher IDs.

The mapping of Linux device identifiers to SCSI devices depends in part on the design of the SCSI host adapter. Some host adapters result in assignment starting from SCSI ID 7 and working down to 0 rather than the reverse, with Wide SCSI device numbering continuing on from there to IDs 14 through 8.

Another complication is when you have multiple SCSI host adapters. In this case, Linux assigns device filenames to all of the disks on the first adapter, followed by all those on the second adapter. Depending on where the drivers for the SCSI host adapters are found (compiled directly into the kernel or loaded as modules) and how they’re loaded (for modular drivers), you may not be able to control which adapter takes precedence.

Remember that some non-SCSI devices, such as USB disk devices and SATA disks, are mapped onto the Linux SCSI subsystem. This can cause a true SCSI hard disk to be assigned a higher device ID than you’d expect if you use such “pseudo-SCSI” devices.

The SCSI bus is logically one-dimensional—that is, every device on the bus falls along a single line. This bus must not fork or branch in any way. Each end of the SCSI bus must be terminated. This refers to the presence of a special resistor pack that prevents signals from bouncing back and forth along the SCSI chain. Consult your SCSI host adapter and SCSI devices’ manuals to learn how to terminate them. Remember that both ends of the SCSI chain must be terminated, but devices mid-chain must not be terminated. The SCSI host adapter qualifies as a device, so if it’s at the end of the chain, it must be terminated. Termination is a true hardware requirement; it doesn’t apply to SATA or USB disk devices, even though they use Linux SCSI drivers.

Incorrect termination often results in bizarre SCSI problems, such as an inability to detect SCSI devices, poor performance, or unreliable operation. Similar symptoms can result from the use of poor-quality SCSI cables or cables that are too long.

Configuring External Disks

External disks come in several varieties, the most common of which are USB, IEEE-1394, and SCSI. SCSI has long supported external disks directly, and many SCSI host adapters have both internal and external connectors. You configure external SCSI disks just like internal disks, although the physical details of setting the SCSI ID number and termination may differ; consult your devices’ manuals for details.

Linux treats external USB and IEEE-1394 disks just like SCSI devices, from a software point of view. Typically, you can plug in the device, see a /dev/sdx device node appear, and use it as you would a SCSI disk. This is the case for both true external hard disks and media such as solid-state USB flash drives.

External drives are easily removed, and this can be a great convenience; however, you should never unplug an external drive until you’ve unmounted the disk in Linux using the umount command, as described in Chapter 5. Failure to unmount a disk is likely to result in damage to the filesystem, including lost files. In addition, although USB and IEEE-1394 busses are hot-pluggable, most SCSI busses aren’t, so connecting or disconnecting a SCSI device while the computer is running is dangerous. (Inserting or ejecting a removable SCSI disk, such as a Zip disk, is safe, however.)

Designing a Hard Disk Layout

Whether your system uses PATA, SATA, or SCSI disks, you must design a disk layout for Linux. If you’re using a system with Linux preinstalled, you may not need to deal with this task immediately; however, sooner or later you’ll have to install Linux on a new computer or one with an existing OS or upgrade your hard disk. The next few pages describe the x86 partitioning schemes, Linux mount points, and common choices for a Linux partitioning scheme. The upcoming section “Creating Partitions and Filesystems” covers the mechanics of creating partitions.

Why Partition?

The first issue with partitioning is the question of why you should do it. The answer is that partitioning provides a variety of advantages, including the following:

Multi-OS Support: Partitioning enables you to keep the data for different OSs separate. In fact, many OSs can’t easily co-exist on the same partition because they don’t support each other’s primary filesystems. This feature is obviously important mainly if you want the computer to boot multiple OSs. It can also be handy to help maintain an emergency system—you can install a single OS twice, using the second installation as an emergency maintenance tool for the first in case problems develop.

Filesystem Choice: By partitioning your disk, you can use different filesystems—data structures designed to hold all the files on a partition—on each partition. Perhaps one filesystem is faster than another and so is important for time-critical or frequently accessed files, but another may provide accounting or backup features you want to use for users’ data files.

Disk Space Management: By partitioning your disk, you can lock certain sets of files into a fixed space. For instance, if you restrict users to storing files on one or two partitions, they can fill those partitions without causing problems on other partitions, such as system partitions. This feature can help keep your system from crashing if space runs out. On the other hand, if you get the partition sizes wrong, you can run out of disk space on just one partition much sooner than would be the case if you’d used fewer partitions.

Disk Error Protection: Disks sometimes develop problems. These problems can be the result of bad hardware or of errors that creep into the filesystems. In either case, splitting a disk into partitions provides some protection against such problems. If data structures on one partition become corrupted, these errors affect only the files on that partition. This separation can therefore protect data on other partitions and simplify data recovery.

Security: You can use different security-related mount options on different partitions. For instance, you might mount a partition that holds critical system files read-only, preventing users from writing to that partition. Linux’s file security options should provide similar protection, but taking advantage of Linux filesystem mount options provides redundancy that can be helpful in case of an error in setting up file or directory permissions.

Backup: Some backup tools work best on whole partitions. By keeping partitions small, you may be able to back up more easily than you could if your partitions were large.

In practice, most Linux computers use several partitions, although precisely how the system is partitioned varies from one computer to another. (The upcoming section “Common Partitions and Filesystem Layouts” describes some possibilities.)

Understanding Partitioning Systems

Partitions are defined by data structures that are written to specified parts of the hard disk. Several competing systems for defining these partitions exist. On x86 and x86-64 hardware, the most common method up until 2010 had been the Master Boot Record (MBR) partitioning system, so called because it stores its data in the first sector of the disk, which is also known as the MBR. The MBR system, however, is limited to partitions and partition placement of 2 tebibytes (TiB; 1TiB is 2^40 bytes), at least when using the nearly universal sector size of 512 bytes. The successor to MBR is the GUID Partition Table (GPT) partitioning system, which has much higher limits and certain other advantages. The tools and methods for manipulating MBR and GPT disks differ from each other, although there’s substantial overlap.

Still more partitioning systems exist, and you may run into them from time to time. For instance, Macintoshes that use PowerPC CPUs generally employ the Apple Partition Map (APM), and many Unix variants employ Berkeley Standard Distribution (BSD) disk labels. You’re most likely to encounter MBR and GPT disks, so those are the partitioning systems covered in this book. Details for other systems differ, but the basic principles are the same.

MBR Partitions

The original x86 partitioning scheme allowed for only four partitions. As hard disks increased in size and the need for more partitions became apparent, the original scheme was extended in a way that retained backward compatibility. The new scheme uses three partition types:

Primary partitions, which are the same as the original partition types
Extended partitions, which are a special type of primary partition that serves as a placeholder for the next type
Logical partitions, which reside within an extended partition

Figure 3.4 illustrates how these partition types relate. Because logical partitions reside within a single extended partition, all logical partitions must be contiguous.

FIGURE 3.4 The MBR partitioning system uses up to four primary partitions, one of which can be a placeholder extended partition that contains logical partitions.

For any one disk, you’re limited to four primary partitions, or three primary partitions and one extended partition. Many OSs, such as DOS, Windows, and FreeBSD, must boot from primary partitions, and because of this, most hard disks include at least one primary partition. Linux, however, is not so limited, so you could boot Linux from a disk that contains no primary partitions, although in practice few people do this.

The primary partitions have numbers in the range of 1−4, whereas logical partitions are numbered 5 and up. Gaps can appear in the numbering of MBR primary partitions; however, such gaps cannot exist in the numbering of logical partitions. That is, you can have a disk with partitions numbered 1, 3, 5, 6, and 7 but not 1, 3, 5, and 7—if partition 7 exists, there must be a 5 and a 6.

In addition to holding the partition table, the MBR data structure holds the primary BIOS boot loader—the first disk-loaded code that the CPU executes when a BIOS-based computer boots. Thus, the MBR is extremely important and sensitive. Because the MBR exists only in the first sector of the disk, it’s vulnerable to damage; accidental erasure will make your disk unusable unless you have a backup.

You can back up your MBR partitions by typing sfdisk -d /dev/sda > sda-backup.txt (or similar commands to specify another disk device or backup file). You can then copy the backup file (sda-backup.txt in this example) to a removable disk or another computer for safekeeping. You can restore the backup by typing sfdisk -f /dev/sda < sda-backup.txt. Be sure you’re using the correct backup file, though; a mistake can generate incorrect or even impossible partition definitions!

MBR partitions have type codes, which are 1-byte (2-digit hexadecimal) numbers, to help identify their purpose. Common type codes you may run into include 0x0c (FAT), 0x05 (an old type of extended partition), 0x07 (NTFS), 0x0f (a newer type of extended partition), 0x82 (Linux swap), and 0x83 (Linux filesystem).

Although the MBR data structure has survived for three decades, its days are numbered because it’s not easily extensible beyond 2TiB disks. Thus, a new system is needed.

GPT Partitions

GPT is part of Intel’s EFI specification, but GPT can be used on computers that don’t use EFI, and GPT is the preferred partitioning system for disks bigger than 2TiB. Most EFI-based computers use GPT even on disks smaller than 2TiB.

GPT employs a protective MBR, which is a legal MBR definition that makes GPT-unaware utilities think that the disk holds a single MBR partition that spans the entire disk. Additional data structures define the true GPT partitions. These data structures are duplicated, with one copy at the start of the disk and another at its end. This provides redundancy that can help in data recovery should an accident damage one of the two sets of data structures.

GPT does away with the primary/extended/logical distinction of MBR. You can define up to 128 partitions by default (and that limit may be raised, if necessary). Gaps can occur in partition numbering, so you can have a disk with three partitions numbered 3, 7, and 104, to name just one possibility. In practice, though, GPT partitions are usually numbered consecutively starting with 1.

GPT’s main drawback is that support for it is relatively immature. The fdisk utility (described shortly in “Partitioning a Disk”) doesn’t work with GPT disks, although alternatives to fdisk are available. Some versions of the GRUB boot loader also don’t support it. The situation is worse in some OSs—particularly older ones. Nonetheless, you should be at least somewhat familiar with GPT because of MBR’s inability to handle disks larger than 2TiB.

Like MBR, GPT supports partition type codes; however, GPT type codes are 16-byte GUID values. Disk partitioning tools typically translate these codes into short descriptions, such as “Linux swap.” Confusingly, most Linux installations use the same type code for their filesystems that Windows uses for its filesystems, although a Linux-only code is available and is likely to begin seeing heavier use beginning in 2013.

An Alternative to Partitions: LVM

An alternative to partitions for some functions is logical volume management (LVM). To use LVM, you set aside one or more partitions and assign them MBR partition type codes of 0x8e (or an equivalent on GPT disks). You then use a series of utilities, such as pvcreate, vgcreate, lvcreate, and lvscan, to manage the partitions (known as physical volumes in this scheme), to merge them into volume groups, and to create and manage logical volumes within the volume groups. Ultimately, you then access the logical volumes using names you assigned to them in the /dev/mapper directory, such as /dev/mapper/myvol-home.

LVM sounds complicated, and it is. Why would you want to use it? The biggest advantage to LVM is that it enables you to easily resize your logical volumes without worrying about the positions or sizes of surrounding partitions. In a sense, the logical volumes are like files in a regular filesystem; the filesystem (or volume group, in the case of LVM) manages the allocation of space when you resize files (or logical volumes). This can be a great boon if you’re not sure of the optimum starting sizes of your partitions. You can also easily add disk space, in the form of a new physical disk, to expand the size of an existing volume group.

On the downside, LVM adds complexity, and not all Linux distributions support it out of the box. LVM can complicate disaster recovery, and if your LVM configuration spans multiple disks, a failure of one disk will put all files in your volume group at risk. It’s easiest to configure a system with at least one filesystem (dedicated to /boot, or perhaps the root filesystem containing /boot) in its own conventional partition, reserving LVM for /home, /usr, and other filesystems.

Despite these drawbacks, you might consider investigating LVM further in some situations. It’s most likely to be useful if you want to create an installation with many specialized filesystems and you want to retain the option of resizing those filesystems in the future. A second situation where LVM is handy is if you need to create very large filesystems that are too large for a single physical disk to handle.

Mount Points

Once a disk is partitioned, an OS must have some way to access the data on the partitions. In DOS and Windows, this is done by assigning a drive letter, such as C: or D:, to each partition. (DOS and Windows use partition type codes to decide which partitions get drive letters and which to ignore.) Linux, though, doesn’t use drive letters; instead, Linux uses a unified directory tree. Each partition is mounted at a mount point in that tree. A mount point is a directory that’s used as a way to access the filesystem on the partition, and mounting the filesystem is the process of linking the filesystem to the mount point.

For instance, suppose that a Linux system has three partitions: the root (/) partition, /home, and /usr. The root partition holds the basic system files, and all other partitions are accessed via directories on that filesystem. If /home contains users’ home directories, such as sally and sam, those directories will be accessible as /home/sally and /home/sam once this partition is mounted at /home. If this partition were unmounted and remounted at /users, the same directories would become accessible as /users/sally and /users/sam.

Partitions can be mounted just about anywhere in the Linux directory tree, including on directories on the root partition as well as directories on mounted partitions. For instance, if /home is a separate partition, you can have a /home/morehomes directory that serves as a mount point for another partition.

The upcoming section “Mounting and Unmounting Filesystems” describes the commands and configuration files that are used for mounting partitions. For now, you should be concerned only with what constitutes a good filesystem layout (that is, what directories you should split off into their own partitions) and how to create these partitions.

Common Partitions and Filesystem Layouts

So, what directories are commonly split off into separate partitions? Table 3.4 summarizes some popular choices. Note that typical sizes for many of these partitions vary greatly depending on how the system is used. Therefore, it’s impossible to make recommendations on partition size that will be universally acceptable.

TABLE 3.4 Common partitions and their uses

Partition (mount point) | Typical size | Use
Swap (not mounted) | One to two times the system RAM size | Serves as an adjunct to system RAM; is slow but enables the computer to run more or larger programs.
/home | 200 MiB–3 TiB (or more) | Holds users’ data files. Isolating it on a separate partition preserves user data during a system upgrade. Size depends on the number of users and their data storage needs.
/boot | 100–500 MiB | Holds critical boot files. Creating it as a separate partition lets you circumvent limitations of older BIOSs and boot loaders, which often can’t boot a kernel from a point above a value between 504 MiB and 2 TiB.
/usr | 500 MiB–25 GiB | Holds most Linux program and data files; this is sometimes the largest partition, although /home is larger on systems with many users or if users store large data files. Changes implemented in 2012 are making it harder to create a separate /usr partition in many distributions.
/usr/local | 100 MiB–3 GiB | Holds Linux program and data files that are unique to this installation, particularly those that you compile yourself.
/opt | 100 MiB–5 GiB | Holds Linux program and data files that are associated with third-party packages, especially commercial ones.
/var | 100 MiB–3 TiB (or more) | Holds miscellaneous files associated with the day-to-day functioning of a computer. These files are often transient in nature. Most often split off as a separate partition when the system functions as a server that uses the /var directory for server-related files like mail queues.
/tmp | 100 MiB–20 GiB | Holds temporary files created by ordinary users.
/mnt | N/A | Not a separate partition; rather, it or its subdirectories are used as mount points for removable media like floppies or CD-ROMs.
/media | N/A | Holds subdirectories that may be used as mount points for removable media, much like /mnt or its subdirectories.

Some directories—/etc, /bin, /sbin, /lib, and /dev—should never be placed on separate partitions. These directories host critical system configuration files or files without which a Linux system can’t function. For instance, /etc contains /etc/fstab, the file that specifies what partitions correspond to what directories, and /bin contains the mount utility that’s used to mount partitions on directories. Changes to system utilities in 2012 are making it harder, but not impossible, to split off /usr as a separate partition.

The 2.4.x and newer kernels include support for a dedicated /dev filesystem, which obviates the need for files in a disk-based /dev directory; so, in some sense, /dev can reside on a separate filesystem, although not a separate partition. The udev utility controls the /dev filesystem in recent versions of Linux.

Creating Partitions and Filesystems

If you’re installing Linux on a computer, chances are it will present you with a tool to help guide you through the partitioning process. These installation tools will create the partitions you tell them to create or create partitions sized as the distribution’s maintainers believe appropriate. If you need to partition a new disk you’re adding, though, or if you want to create partitions using standard Linux tools rather than rely on your distribution’s installation tools, you must know something about the Linux programs that accomplish this task. Partitioning involves two tasks: creating the partitions and preparing the partitions to be used. In Linux, these two tasks are usually accomplished using separate tools, although some tools can handle both tasks simultaneously.

When to Create Multiple Partitions

One problem with splitting off lots of separate partitions, particularly for new administrators, is that it can be difficult to settle on appropriate partition sizes. As noted in Table 3.4, the appropriate size of various partitions can vary substantially from one system to another. For instance, a workstation is likely to need a fairly small /var partition (say, 100 MiB), but a mail or news server may need a /var partition that’s gigabytes in size. Guessing wrong isn’t fatal, but it is annoying. You’ll need to resize your partitions (which is tedious and dangerous) or set up symbolic links between partitions so that subdirectories on one partition can be stored on other partitions. LVM can simplify such after-the-fact changes, but as noted earlier, LVM adds its own complexity.

For this reason, I generally recommend that new Linux administrators try simple partition layouts first. The root (/) partition is required, and swap is a very good idea. Beyond this, /boot can be helpful on hard disks of more than 8 GiB with older distributions or BIOSs but is seldom needed with computers or distributions sold since 2000. Aside from user data (in /home or elsewhere), most Linux installations in 2012 require 5−25 GiB, so setting root (/) to a value in this range makes sense. An appropriate size for /home is often relatively easy for new administrators to guess, or you can devote all your disk space after creating root (/) and swap to /home.

Beyond these partitions, I recommend that new administrators proceed with caution. As you gain more experience with Linux, you may want to break off other directories into their own partitions on subsequent installations or when upgrading disk hardware. You can use the du command to learn how much space is used by files within any given directory.

Partitioning a Disk

The traditional Linux tool for disk partitioning is called fdisk. This tool’s name is short for fixed disk, and the name is the same as a DOS and Windows tool that accomplishes the same task. (When I mean to refer to the DOS/Windows tool, I capitalize its name, as in FDISK. The Linux tool’s name is always entirely lowercase.) Both DOS’s FDISK and Linux’s fdisk are text-mode tools to accomplish similar goals, but the two are very different in operational details.

Although fdisk is the traditional tool, several others exist. One of these is GNU Parted, which can handle several different partition table types, not just the MBR that fdisk can handle. If you prefer fdisk to GNU Parted but must use GPT, you can use GPT fdisk (http://www.rodsbooks.com/gdisk/); this package’s gdisk program works much like fdisk but on GPT disks. Although fdisk is the tool covered by the exam, some administrators prefer the related cfdisk (or the similar cgdisk for GPT), which has a friendlier user interface. The sfdisk (or sgdisk for GPT) tool is useful for writing scripts that can handle disk partitioning tasks.

Using fdisk

To use Linux’s fdisk, type the command name followed by the name of the disk device you want to partition, as in fdisk /dev/hda to partition the primary master PATA disk. The result is an fdisk prompt:

# fdisk /dev/hda
Command (m for help):

At the Command (m for help): prompt, you can type commands to accomplish various goals:

Display the Current Partition Table: You may want to begin by displaying the current partition table. To do so, type p. If you only want to display the current partition table, you can type fdisk -l /dev/hda (or whatever the device identifier is) at a command prompt rather than enter fdisk’s interactive mode. This command displays the partition table and then exits.

Create a Partition: To create a partition, type n. The result is a series of prompts asking for information about the partition—whether it should be a primary, extended, or logical partition; the partition’s starting cylinder; the partition’s ending cylinder or size; and so on. The details of what you’re asked depend in part on what’s already defined. For instance, fdisk won’t ask you if you want to create an extended partition if one already exists. Older versions of fdisk measure partition start and end points in cylinders, not megabytes. This is a holdover from the CHS measurements used by the x86 partition table. Recent versions of fdisk use sectors as the default unit of measure, although you can specify a partition’s size by using a plus sign, number, and suffix, as in +20G to create a 20 GiB partition.

In the past, partitions were aligned on CHS cylinders. This was beneficial given the hardware of the 1980s, but today it’s detrimental. Many modern disks require partition alignment on 8-sector or larger boundaries for optimum performance. Recent partitioning programs begin partitions on 1 MiB (2048-sector) boundaries for this reason. Failure to align partitions properly can result in severe performance degradation. See http://www.ibm.com/developerworks/linux/library/l-4kb-sector-disks/ for more on this topic.

Delete a Partition: To delete a partition, type d. If more than one partition exists, the program will ask for the partition number, which you must enter.

Change a Partition’s Type: When you create a partition, fdisk assigns it a type code of 0x83, which corresponds to a Linux filesystem. If you want to create a Linux swap partition or a partition for another OS, you can type t to change a partition type code. The program then prompts you for a partition number and a type code.

List Partition Types: Several dozen partition type codes exist, so it’s easy to forget what they are. Type l (that’s a lowercase L) at the main fdisk prompt to see a list of the most common ones. You can also get this list by typing L when you’re prompted for the partition type when you change a partition’s type code.

Mark a Partition Bootable: Some OSs, such as DOS and Windows, rely on their partitions having special bootable flags in order to boot. You can set this flag by typing a, whereupon fdisk asks for the partition number.

Get Help: Type m or ? to see a summary of the main fdisk commands.

Exit: Linux’s fdisk supports two exit modes. First, you can type q to exit the program without saving any changes; anything you do with the program is lost. This option is particularly helpful if you’ve made a mistake. Second, typing w writes your changes to the disk and exits the program.

As an example, consider deleting a primary, an extended, and a logical partition on a USB flash drive and creating a single new one in their place:

# fdisk /dev/sdc

Command (m for help): p

Disk /dev/sdc: 2038 MB, 2038431744 bytes
63 heads, 62 sectors/track, 1019 cylinders, total 3981312 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x88a46f2c

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048     2099199     1048576   83  Linux
/dev/sdc2         2099200     3981311      941056    5  Extended
/dev/sdc5         2101248     3981311      940032   83  Linux

Command (m for help): d
Partition number (1-5): 5

Command (m for help): d
Partition number (1-5): 2

Command (m for help): d
Selected partition 1

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-3981311, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-3981311, default 3981311):
Using default value 3981311

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

This process begins with a p command to verify that the program is operating on the correct disk. With this information in hand, the three existing partitions are deleted. Note that the first two deletions ask for a partition number, but the third doesn’t, because only one partition is left. Once this is done, n is used to create a new primary partition. Once the task is complete, the w command is used to write the changes to disk and exit the program. The result of this sequence is a disk with a single primary partition (/dev/sdc1) marked as holding a Linux filesystem.

To work on a GPT disk, you can use gdisk in much the same way you use fdisk. Aside from some details, such as the lack of a prompt to create primary, extended, or logical partitions, gdisk uses the same basic commands as fdisk.
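As an added illustration (not code from the book), the following Python sketch decodes the four primary entries of an MBR sector and checks them against points made in this chapter: the 1-byte type codes, the 0xee protective MBR that marks a GPT disk, and alignment on 1 MiB (2048-sector) boundaries. The sample sectors are constructed, the first from the /dev/sdc listing above; the function names, the entry offsets, and the 55 AA signature check are details of this example rather than of the text.

```python
import struct

ALIGN = 2048            # sectors; 1 MiB at 512 bytes/sector, the boundary the text cites
DISK_SECTORS = 3981312  # total sectors of /dev/sdc in the fdisk listing above
TYPE_NAMES = {          # MBR type codes named in this chapter
    0x05: "extended (old)", 0x07: "NTFS", 0x0C: "FAT", 0x0F: "extended (newer)",
    0x82: "Linux swap", 0x83: "Linux filesystem", 0x8E: "Linux LVM",
    0xEE: "GPT protective MBR",
}
ENTRY = "<B3xB3xII"     # flag, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_mbr(sector):
    """Decode the four primary entries of a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: need 512 bytes ending in the 55 AA signature")
    parts = []
    for slot in range(4):
        flag, ptype, start, count = struct.unpack_from(ENTRY, sector, 446 + 16 * slot)
        if ptype == 0:  # unused slot
            continue
        parts.append({"slot": slot + 1, "flag": flag, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, "unknown"),
                      "start": start, "end": start + count - 1})
    return parts


def audit(parts, disk_sectors):
    """Return a list of findings; an empty list means nothing suspicious."""
    if [p["type"] for p in parts] == [0xEE]:
        return ["protective MBR: the real partitions are in GPT; inspect with gdisk"]
    findings = []
    for p in parts:
        label = "entry %d (0x%02x, %s)" % (p["slot"], p["type"], p["name"])
        if p["flag"] not in (0x00, 0x80):
            findings.append(label + ": invalid boot flag 0x%02x" % p["flag"])
        if p["start"] % ALIGN:
            findings.append(label + ": start sector %d is not on a 1 MiB boundary" % p["start"])
        if p["end"] >= disk_sectors:
            findings.append(label + ": ends past the last sector of the disk")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            findings.append("entries %d and %d overlap" % (a["slot"], b["slot"]))
    if sum(p["flag"] == 0x80 for p in parts) > 1:
        findings.append("more than one entry carries the bootable flag")
    return findings


def build_mbr(entries):
    """Build a constructed sample sector from (flag, type, start_lba, sector_count) tuples."""
    sector = bytearray(512)
    for slot, fields in enumerate(entries):
        struct.pack_into(ENTRY, sector, 446 + 16 * slot, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed from the listing above. The logical partition /dev/sdc5 is defined
# inside the extended partition, not in this sector, so only two entries appear.
PAGE_LAYOUT = build_mbr([(0x00, 0x83, 2048, 2097152), (0x00, 0x05, 2099200, 1882112)])
# Constructed: CHS-era start at sector 63, overlapping entries, two boot flags.
LEGACY = build_mbr([(0x80, 0x0C, 63, 1000000), (0x80, 0x82, 901120, 4000000)])
# Constructed: what a GPT-unaware tool sees on a GPT disk.
PROTECTIVE = build_mbr([(0x00, 0xEE, 1, DISK_SECTORS - 1)])

if __name__ == "__main__":
    for name, sample in (("page layout", PAGE_LAYOUT), ("legacy", LEGACY),
                         ("protective", PROTECTIVE)):
        print(name, audit(parse_mbr(sample), DISK_SECTORS) or "no findings")
```

To run the same checks against a real disk, read its first 512 bytes read-only (root is required) and pass them to parse_mbr.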

Using GNU Parted

GNU Parted (http://www.gnu.org/software/parted/) is a partitioning tool that works with MBR, GPT, APM, BSD disk labels, and other disk types. It also supports more features than fdisk and is easier to use in some ways. On the other hand, GNU Parted uses its own way of referring to partitions, which can be confusing. It’s also more finicky about minor disk partitioning quirks and errors than is fdisk. Although GNU Parted isn’t covered on the exam, knowing a bit about it can be handy.

You start GNU Parted much as you start fdisk, by typing its name followed by the device you want to modify, as in parted /dev/hda to partition /dev/hda. The result is some brief introductory text followed by a (parted) prompt at which you type commands. Type ? to see a list of commands, which are multi-character commands similar to Linux shell commands. For instance, print displays the current partition table, mkpart creates (makes) a partition, and rm removes a partition.

Some still-more-advanced partitioning capabilities appear only in flashy GUI tools, such as the GNOME Partition Editor, aka GParted (http://gparted.sourceforge.net), which is shown in Figure 3.5. Aside from its novice-friendly user interface, GParted’s main claim to fame is that it enables you to easily move or resize partitions. You may need to run the program from an emergency disk to use these features, though; you can’t move or resize any partition that’s currently in use. Such partitions are marked with a padlock icon, as shown next to /dev/sdc1 in Figure 3.5.

FIGURE 3.5 GParted enables point-and-click partition management, including partition moving and resizing.

Resizing or moving a filesystem can be dangerous. If the resizing code contains a bug or if there’s a power failure during the operation, data can be lost. Thus, I strongly recommend you back up any important data before resizing or moving a partition. Also, resizing or moving your boot partition on a BIOS-based computer can render the system unbootable until you re-install your boot loader.

Preparing a Partition for Use

Once a partition is created, you must prepare it for use. This process is often called “making a filesystem” or “formatting a partition.” It involves writing low-level data structures to disk. Linux can then read and modify these data structures to access and store files in the partition. You should know something about the common Linux filesystems and know how to use filesystem-creation tools to create them.

The word formatting is somewhat ambiguous. It can refer to either low-level formatting, which creates a structure of sectors and tracks on the disk media, or high-level formatting, which creates a filesystem. Hard disks are low-level formatted at the factory and should never need to be low-level formatted again. Floppy disks, though, can be both low- and high-level formatted. The tools described here can high-level format a floppy disk as well as a hard disk. To low-level format a floppy disk, you must use the fdformat command, as in fdformat /dev/fd0. This command cannot be used on a hard disk.

Common Filesystem Types

Linux supports quite a few different filesystems, both Linux-native and those intended for other OSs. Some of the latter barely work under Linux, and even when they do work reliably, they usually don’t support all the features that Linux expects in its native filesystems. Thus, when preparing a Linux system, you’ll use one or more of its native filesystems for most or all partitions:

Ext2fs: The Second Extended File System (ext2fs or ext2) is the traditional Linux-native filesystem. It was created for Linux and was the dominant Linux filesystem throughout the late 1990s. Ext2fs has a reputation as a reliable filesystem. It has since been eclipsed by other filesystems, but it still has its uses. In particular, ext2fs can be a good choice for a small /boot partition, if you choose to use one, and for small (sub-gigabyte) removable disks. On such small partitions, the size of the journal used by more advanced filesystems can be a real problem, so the non-journaling ext2fs is a better choice. (Journaling is described in more detail shortly.) The ext2 filesystem type code is ext2.

On an EFI-based computer, using ext2fs, ext3fs, or ReiserFS on a separate /boot partition enables the firmware to read this partition with the help of suitable drivers. This can expand your options for boot loader configuration.

Ext3fs: The Third Extended File System (ext3fs or ext3) is basically ext2fs with a journal added. The result is a filesystem that’s as reliable as ext2fs but that recovers from power outages and system crashes much more quickly. The ext3 filesystem type code is ext3.

Ext4fs: The Fourth Extended File System (ext4fs or ext4) is the next-generation version of this filesystem family. It adds the ability to work with very large disks (those over 16 TiB, the limit for ext2fs and ext3fs) or very large files (those over 2 TiB), as well as extensions intended to improve performance. Its filesystem type code is ext4.

ReiserFS: This filesystem was designed from scratch as a journaling filesystem for Linux. It’s particularly good at handling large numbers of small files (say, smaller than about 32 KB) because ReiserFS uses various tricks to squeeze the ends of files into each other’s unused spaces. This small savings can add up to a large percentage of file sizes when files are small. You can use reiserfs as the type code for this filesystem.

As of Linux kernel version 3.6.0, ReiserFS version 3.x is current. A from-scratch rewrite of ReiserFS, known as Reiser4, is under development, although development has slowed to the point that it’s uncertain if Reiser4 will ever be included in the mainstream kernel.

JFS: IBM developed the Journaled File System (JFS) for its AIX OS and later re-implemented it on OS/2. The OS/2 version was subsequently donated to Linux. JFS is a technically sophisticated journaling filesystem that may be of particular interest if you’re familiar with AIX or OS/2 or want an advanced filesystem to use on a dual-boot system with one of these OSs. As you might expect, this filesystem’s type code is jfs.

XFS: Silicon Graphics (SGI) created its Extents File System (XFS) for its IRIX OS and, like IBM, later donated the code to Linux. Like JFS, XFS is a very technically sophisticated filesystem. XFS has gained a reputation for robustness, speed, and flexibility on IRIX, but some of the XFS features that make it so flexible on IRIX aren’t supported well under Linux. Use xfs as the type code for this filesystem.

Btrfs: This filesystem (pronounced “butter eff ess” or “bee tree eff ess”) is an advanced filesystem with features inspired by those of Sun’s Zettabyte File System (ZFS). Like ext4fs, JFS, and XFS, Btrfs is a fast performer and is able to handle very large disks and files. As of the 3.6.0 kernel, Btrfs is considered experimental; however, its advanced features make it a likely successor to the current popular filesystems.

In practice, most administrators choose ext3fs, ext4fs, or ReiserFS as their primary filesystems; however, JFS and XFS also work well, and some administrators prefer them, particularly on large disks that store large files. (Ext4fs also handles large files.) Hard data on the merits and problems with each filesystem are difficult to come by, and even when they do exist, they’re suspect because filesystem performance interacts with so many other factors. For instance, as just noted, ReiserFS can cram more small files into a small space than can other filesystems, but this advantage isn’t very important if you’ll be storing mostly larger files.

If you’re using a non-x86 or non-x86-64 platform, be sure to check filesystem development on that platform. A filesystem may be speedy and reliable on one CPU but sluggish and unreliable on another.

In addition to these Linux-native filesystems, you may need to deal with some others from time to time, including the following:

FAT: The File Allocation Table (FAT) filesystem is old and primitive—but ubiquitous. It’s the only hard disk filesystem supported by DOS and Windows 9x/Me. For this reason, every major OS understands FAT, making it an excellent filesystem for exchanging data on removable disks. Two major orthogonal variants of FAT exist: It varies in the size of the FAT data structure after which the filesystem is named (12-, 16-, or 32-bit pointers), and it has variants that support long filenames. Linux automatically detects the FAT size, so you shouldn’t need to worry about this. To use the original FAT filenames, which are limited to eight characters with an optional three-character extension (the so-called 8.3 filenames), use the Linux filesystem type code of msdos. To use Windows-style long filenames, use the filesystem type code of vfat. A Linux-only long filename system, known as umsdos, supports additional Linux features—enough that you can install Linux on a FAT partition, although this practice isn’t recommended except for certain types of emergency disks or to try Linux on a Windows system.

NTFS: The New Technology File System (NTFS) is the preferred filesystem for Windows NT/200x/XP/Vista/7. Unfortunately, Linux’s NTFS support is rather rudimentary. As of the 2.6.x kernel series, Linux can reliably read NTFS and can overwrite existing files, but the Linux kernel can’t write new files to an NTFS partition.

If you must have good NTFS read/write support for a dual-boot system, look into NTFS-3G (http://www.ntfs-3g.org). This is a read/write NTFS driver that resides in user space rather than in kernel space. It’s used as the default NTFS driver by some Linux distributions.

HFS and HFS+: Apple has long used the Hierarchical File System (HFS) with its Mac OS, and Linux provides full read/write HFS support. This support isn’t as reliable as Linux’s read/write FAT support, though, so you may want to use FAT when exchanging files with Mac users. Apple has extended HFS to better support large hard disks and many Unix-like features with its HFS+ (aka Extended HFS). Linux 2.6.x and newer provide limited HFS+ support; but write support works only with the HFS+ journal disabled.

ISO-9660: The standard filesystem for CD-ROMs has long been ISO-9660. This filesystem comes in several levels. Level 1 is similar to the original FAT in that it supports only 8.3 filenames. Levels 2 and 3 add support for longer 32-character filenames. Linux supports ISO-9660 using its iso9660 filesystem type code. Linux’s ISO-9660 support also works with the Rock Ridge extensions, which are a series of extensions to ISO-9660 to enable it to support Unix-style long filenames, permissions, symbolic links, and so on. Similarly, Joliet provides support for long filenames as implemented for Windows. If a disc includes Rock Ridge or Joliet extensions, Linux will automatically detect and use them.

UDF: The Universal Disc Format (UDF) is the next-generation filesystem for optical discs. It’s commonly used on DVD-ROMs and recordable optical discs. Linux supports it, but read/write UDF support is still in its infancy.

As a practical matter, if you’re preparing a hard disk for use with Linux, you should probably use Linux filesystems only. If you’re preparing a disk that will be used for a dual-boot configuration, you may want to set aside some partitions for other filesystem types. For removable disks, you’ll have to be the judge of what’s most appropriate. You might use ext2fs for a Linux-only removable disk, FAT for a cross-platform disk, or ISO-9660 (perhaps with Rock Ridge and Joliet) for a CD-R or recordable DVD.

ISO-9660 and other optical disc filesystems are created with special tools intended for this purpose. Specifically, mkisofs creates an ISO-9660 filesystem (optionally with Rock Ridge, Joliet, HFS, and UDF components added), while cdrecord writes this image to a blank CD-R. The growisofs program combines both functions but works only on recordable DVD media.

Creating a Filesystem

Most filesystems, including all Linux-native filesystems, have Linux tools that can create the filesystem on a partition. Typically, these tools have filenames of the form mkfs.fstype, where fstype is the filesystem type code. These tools can also be called from a front-end tool called mkfs; you pass the filesystem type code to mkfs using its -t option:

# mkfs -t ext3 /dev/sda6

For ext2 and ext3 filesystems, the mke2fs program is often used instead of mkfs. The mke2fs program is just another name for mkfs.ext2.

This command creates an ext3 filesystem on /dev/sda6. Depending on the filesystem, the speed of the disk, and the size of the partition, this process can take anywhere from a fraction of a second to a few seconds. Most filesystem-build tools support additional options, some of which can greatly increase the time required to build a filesystem. In particular, the -c option is supported by several filesystems. This option causes the tool to perform a bad-block check—every sector in the partition is checked to be sure it can reliably hold data. If it can’t, the sector is marked as bad and isn’t used.

If you perform a bad-block check and find that some sectors are bad, chances are the entire hard disk doesn’t have long to live. Sometimes this sort of problem can result from other issues, though, such as bad cables or SCSI termination problems.

Of the common Linux filesystems, ext2fs, ext3fs, and ext4fs provide the most options in their mkfs tools. (In fact, these tools are one and the same; the program simply creates a filesystem with the appropriate features for the name that’s used to call it.) You can type man mkfs.ext2 to learn about these options, most of which deal with obscure and unimportant features. One obscure option that does deserve mention is -m percent, which sets the reserved-space percentage. The idea is that you don’t want the disk to completely fill up with user files; if the disk starts getting close to full, Linux should report that the disk is full before it really is, at least for ordinary users. This gives the root user the ability to log in and create new files, if necessary, to help recover the system.

The ext2fs/ext3fs/ext4fs reserved-space percentage defaults to 5 percent, which translates to quite a lot of space on large disks. You may want to reduce this value (say, by passing -m 2 to reduce it to 2 percent) on your root (/) filesystem and perhaps even lower (1 percent or 0 percent) on some, such as /home. Setting -m 0 also makes sense on removable disks, which aren’t likely to be critical for system recovery and may be a bit cramped to begin with.

In addition to providing filesystem-creation tools for Linux-native filesystems, Linux distributions usually provide such tools for various non-Linux filesystems. The most important of these may be for FAT. The main tool for this task is called mkdosfs, but it’s often linked to the mkfs.msdos and mkfs.vfat names, as well. This program can automatically adjust the size of the FAT data structure to 12, 16, or 32 bits depending on the device size. You can override this option with the -F fat-size option, where fat-size is the FAT size in bits—12, 16, or 32. No special options are required to create a FAT filesystem that can handle Windows-style (VFAT) long filenames; these are created by the OS.

In Exercise 3.1, you’ll practice creating filesystems using mkfs and related utilities.

EXERCISE 3.1

Creating Filesystems

Try creating some filesystems on a spare partition or a removable disk. Even a floppy disk will do, although you won’t be able to create journaling filesystems on a floppy disk. The following steps assume you’re using a USB flash drive, /dev/sdc1; change the device specification as necessary. Be sure to use an empty partition! Accidentally entering the wrong device filename could wipe out your entire system!

This exercise uses a few commands that are described in more detail later in this chapter. To create some filesystems, follow these steps:

1. Log in as root.
2. Use fdisk to verify the partitions on your target disk by typing fdisk -l /dev/sdc. You should see a list of partitions, including the one you’ll use for your tests. (If fdisk reports a single partition with ee under the Id column, the disk is a GPT disk, and you should verify the disk’s partitions with gdisk rather than fdisk.)
3. Verify that your test partition is not currently mounted. Type df to see the currently mounted partitions and verify that /dev/sdc1 is not among them.
4. Type mkfs -t ext2 /dev/sdc1. You should see several lines of status information appear.
5. Type mount /dev/sdc1 /mnt to mount the new filesystem to /mnt. (You may use another mount point, if you like.)
6. Type df /mnt to see basic accounting information for the filesystem. On my test system with a /dev/sdc1 that’s precisely 1000 MiB in size, 1,007,896 blocks are present; 1,264 are used; and 955,432 blocks are available. Most of the difference between the present and available blocks is caused by the 5 percent reserved space.
7. Type umount /mnt to unmount the filesystem.
8. Type mkfs -t ext2 -m 0 /dev/sdc1 to create a new ext2 filesystem on the device, but without any reserved space.
9. Repeat steps 5−7. Note that the available space has increased (to 1,006,632 blocks on my test disk). The available space plus the used space should now equal the total blocks.
10. Repeat steps 4−7, but use a filesystem type code of ext3 to create a journaling filesystem. (This won’t be possible if you use a floppy disk.) Note how much space is consumed by the journal.
11. Repeat steps 4−7, but use another filesystem, such as JFS or ReiserFS. Note how the filesystem-creation tools differ in the information they present and in their stated amounts of available space.

Be aware that, because of differences in how filesystems store files and allocate space, a greater amount of available space when a filesystem is created may not translate into a greater capacity to store files.

Creating Swap Space

Some partitions don’t hold files. Most notably, Linux can use a swap partition, which is a partition that Linux treats as an extension of memory. (Linux can also use a swap file, which is a file that works in the same way. Both are examples of swap space.) Linux uses the MBR partition type code of 0x82 to identify swap space, but as with other partitions, this code is mostly a convenience to keep other OSs from trying to access Linux swap partitions; Linux uses /etc/fstab to define which partitions to use as swap space, as described in Chapter 4, “Managing Files.”

Solaris for x86 also uses an MBR partition type code of 0x82, but in Solaris, this code refers to a Solaris partition. If you dual-boot between Solaris and Linux, this double meaning of the 0x82 partition type code can cause confusion. This is particularly true when installing the OSs. You may need to use Linux’s fdisk to temporarily change the partition type codes to keep Linux from trying to use a Solaris partition as swap space or to keep Solaris from trying to interpret Linux swap space as a data partition.

Although swap space doesn’t hold a filesystem per se and isn’t mounted in the way that filesystem partitions are mounted, swap space does require preparation similar to that for creation of a filesystem. This task is accomplished with the mkswap command, which you can generally use by passing it nothing but the device identifier:

# mkswap /dev/sda7

This example turns /dev/sda7 into swap space. To use the swap space, you must activate it with the swapon command:

# swapon /dev/sda7

To permanently activate swap space, you must create an entry for it in /etc/fstab, as described in Chapter 4.

Maintaining Filesystem Health

Filesystems can become “sick” in a variety of ways. They can become overloaded with too much data, they can be tuned inappropriately for your system, or they can become corrupted because of buggy drivers, buggy utilities, or hardware errors. Fortunately, Linux provides a variety of utilities that can help you keep an eye on the status of your filesystems, tune their performance, and fix them.

Many of Linux’s filesystem maintenance tools should be run when the filesystem is not mounted. Changes made by maintenance utilities while the filesystem is mounted can confuse the kernel’s filesystem drivers, resulting in data corruption. In the following pages, I mention when utilities can and can’t be used with mounted filesystems.

Tuning Filesystems

Filesystems are basically just big data structures—they’re a means of storing data on disk in an indexed method that makes it easy to locate the data at a later time. Like all data structures, filesystems include design compromises. For instance, a design feature may enable you to store more small files on disk but might chew up disk space, thus reducing the total capacity available for storage of larger files. In many cases, you have no choice concerning these compromises, but some filesystems include tools that enable you to set filesystem options that affect performance. This is particularly true of ext2fs and the related ext3fs and ext4fs. Three tools are particularly important for tuning these filesystems: dumpe2fs, tune2fs, and debugfs. The first of these tools provides information about the filesystem, and the other two enable you to change tuning options.

Obtaining Filesystem Information

You can learn a lot about your ext2 or ext3 filesystem with the dumpe2fs command. This command’s syntax is fairly straightforward:

    dumpe2fs [options] device

The device is the filesystem device file, such as /dev/sdb7. This command accepts several options, most of which are rather obscure. The most important option is probably -h, which causes the utility to omit information about group descriptors. (This information is helpful in very advanced filesystem debugging but not for basic filesystem tuning.) For information about additional options, consult the man page for dumpe2fs.

Unless you’re a filesystem expert and need to debug a corrupted filesystem, you’re most likely to want to use dumpe2fs with the -h option. The result is about three dozen lines of output, each specifying a particular filesystem option, like these:

    Last mounted on:          <not available>
    Filesystem features:      has_journal filetype sparse_super
    Filesystem state:         clean
    Inode count:              657312
    Block count:              1313305
    Last checked:             Sun Feb 26 14:23:23 2012
    Check interval:           15552000 (6 months)

Some of these options’ meanings are fairly self-explanatory; for instance, the filesystem was last checked (with fsck, described in “Checking Filesystems”) on February 26, 2012. Other options aren’t so obvious; for instance, the Inode count line may be puzzling. (It’s a count of the number of inodes supported by the filesystem. Each inode contains information for one file, so the number of inodes effectively limits the number of files you can store.)

The next two sections describe some of the options you may want to change. For now, you should know that you can retrieve information about how your filesystems are currently configured using dumpe2fs. You can then use this information when modifying the configuration; if your current settings seem reasonable, you can leave them alone, but if they seem ill-adapted to your configuration, you can change them.

Unlike many low-level disk utilities, you can safely run dumpe2fs on a filesystem that’s currently mounted. This can be handy when you’re studying your configuration to decide what to modify.

Most other filesystems lack an equivalent to dumpe2fs, but XFS provides something with at least some surface similarities: xfs_info. To invoke it, pass the command the name of the partition that holds the filesystem you want to check:

    # xfs_info /dev/sda7
    meta-data=/dev/sda7              isize=256    agcount=88, agsize=1032192 blks
             =                       sectsz=512   attr=0
    data     =                       bsize=4096   blocks=89915392, imaxpct=25
             =                       sunit=0      swidth=0 blks, unwritten=1
    naming   =version 2              bsize=4096
    log      =internal               bsize=4096   blocks=8064, version=1
             =                       sectsz=512   sunit=0 blks
    realtime =none                   extsz=65536  blocks=0, rtextents=0

Instead of the partition name, you can pass the mount point, such as /home or /usr/local. Unlike most filesystem tools, xfs_info requires that the filesystem be mounted. The information returned by xfs_info is fairly technical, mostly related to block sizes, sector sizes, and so on.

Another XFS tool is xfs_metadump. This program copies the filesystem’s metadata (filenames, file sizes, and so on) to a file. For instance, xfs_metadump /dev/sda7 ~/dump-file copies the metadata to ~/dump-file. This command doesn’t copy actual file contents and so isn’t useful as a backup tool. Instead, it’s intended as a debugging tool; if the filesystem is behaving strangely, you can use this command and send the resulting file to XFS developers for study.

Adjusting Tunable Filesystem Parameters

The tune2fs program enables you to change many of the filesystem parameters that are reported by dumpe2fs. This program’s syntax is fairly simple, but it hides a great deal of complexity:

    tune2fs [options] device

The complexity arises because of the large number of options that the program accepts. Each feature that tune2fs enables you to adjust requires its own option:

Adjust the Maximum Mount Count: Ext2fs, ext3fs, and ext4fs require a periodic disk check with fsck. This check is designed to prevent errors from creeping onto the disk undetected. You can adjust the maximum number of times the disk may be mounted without a check with the -c mounts option, where mounts is the number of mounts. You can trick the system into thinking the filesystem has been mounted a certain number of times with the -C mounts option; this sets the mount counter to mounts.

Adjust the Time Between Checks: Periodic disk checks are required based on time as well as the number of mounts. You can set the time between checks with the -i interval option, where interval is the maximum time between checks. Normally, interval is a number with the character d, w, or m appended, to specify days, weeks, or months, respectively.

Add a Journal: The -j option adds a journal to the filesystem, effectively converting an ext2 filesystem into an ext3 filesystem. Journal management is described in more detail in “Maintaining a Journal.”

Set the Reserved Blocks: The -m percent option sets the percentage of disk space that’s reserved for use by root. The default value is 5, but this is excessive on multi-gigabyte hard disks, so you may want to reduce it. You may want to set it to 0 on removable disks intended to store user files. You can also set the reserved space in blocks, rather than as a percentage of disk space, with the -r blocks option.

The options described here are the ones that are most likely to be useful. Several other options are available; consult tune2fs’s man page for details.

As with most low-level disk utilities, you shouldn’t use tune2fs to adjust a mounted filesystem. If you want to adjust a key mounted filesystem, such as your root (/) filesystem, you may need to boot up an emergency disk system, such as the CD-ROM-based Parted Magic (http://partedmagic.com). Many distributions’ install discs can be used in this capacity, as well.

In XFS, the xfs_admin command is the rough equivalent of tune2fs. Some options you may want to adjust include the following:

Use Version 2 Journal Format: The -j option enables version 2 log (journal) format, which can improve performance in some situations.

Obtain the Filesystem Label and UUID: You can use the -l and -u options to obtain the filesystem’s label (name) and universally unique identifier (UUID), respectively. The name is seldom used in Linux but can be used in some cases. The UUID is a long code that is increasingly used by distributions to specify a filesystem to be mounted, as described in “Permanently Mounting Filesystems.”

The blkid command can display the label and UUID of any partition’s filesystem, not just an XFS partition.

Set the Filesystem Label and UUID: You can change the filesystem’s label or UUID by using the -L label or -U uuid option, respectively. The label is at most 12 characters in length. You’ll normally use the -U option to set the UUID to a known value (such as the UUID the partition used prior to it being reformatted); or you can use generate as the uuid value to have xfs_admin create a new UUID. You should not set the UUID to a value that’s in use on another partition!

In use, xfs_admin might look something like this:

    # xfs_admin -L av_data /dev/sda7
    writing all SBs
    new label = "av_data"

This example sets the name of the filesystem on /dev/sda7 to av_data. As with tune2fs, xfs_admin should be used only on unmounted filesystems.

Interactively Debugging a Filesystem

In addition to reviewing and changing filesystem flags with dumpe2fs and tune2fs, you can interactively modify a filesystem’s features using debugfs. This program provides the abilities of dumpe2fs, tune2fs, and many of Linux’s normal file-manipulation tools all rolled into one. To use the program, type its name followed by the device filename corresponding to the filesystem you want to manipulate. You’ll then see the debugfs prompt:

    # debugfs /dev/sda11
    debugfs:

You can type commands at this prompt to achieve specific goals:

Display Filesystem Superblock Information: The show_super_stats or stats command produces superblock information, similar to what dumpe2fs displays.

Display Inode Information: You can display the inode data on a file or directory by typing stat filename, where filename is the name of the file.

Undelete a File: You can use debugfs to undelete a file by typing undelete inode name, where inode is the inode number of the deleted file and name is the filename you want to give to it. (You can use undel in place of undelete if you like.) This facility is of limited utility because you must know the inode number associated with the deleted file. You can obtain a list of deleted inodes by typing lsdel or list_deleted_inodes, but the list may not provide enough clues to let you zero in on the file you want to recover.

Extract a File: You can extract a file from the filesystem by typing write internal-file external-file, where internal-file is the name of a file in the filesystem you’re manipulating and external-file is a filename on your main Linux system. This facility can be handy if a filesystem is badly damaged and you want to extract a critical file without mounting the filesystem.

Manipulate Files: Most of the commands described in Chapter 4 work within debugfs. You can change your directory with cd, create links with ln, remove a file with rm, and so on.

Obtain Help: Typing list_requests, lr, help, or ? produces a summary of available commands.

Exit: Typing quit exits from the program.

This summary just scratches the surface of debugfs’s capabilities. In the hands of an expert, this program can help rescue a badly damaged filesystem or at least extract critical data from it. To learn more, consult the program’s man page.

Although debugfs is a useful tool, it’s potentially dangerous. Don’t use it on a mounted filesystem, don’t use it unless you have to, and be very careful when using it. If in doubt, leave the adjustments to the experts. Be aware that the exam does cover debugfs, though.

The closest XFS equivalent to debugfs is called xfs_db. Like debugfs, xfs_db provides an interactive tool to access and manipulate a filesystem, but xfs_db provides fewer tools that are amenable to novice or intermediate use. Instead, xfs_db is a tool for XFS experts.

Maintaining a Journal

Ext2fs is a traditional filesystem. Although it’s a good performer, it suffers from a major limitation: After a power failure, a system crash, or another uncontrolled shutdown, the filesystem could be in an inconsistent state. The only way to safely mount the filesystem so that you’re sure its data structures are valid is to perform a full disk check on it, as described in “Checking Filesystems.” This task is usually handled automatically when the system boots, but it takes time—probably several minutes, or perhaps more than an hour on a large filesystem or if the computer has many smaller filesystems.

The solution to this problem is to change to a journaling filesystem. Such a filesystem maintains a journal, which is a data structure that describes pending operations. Prior to writing data to the disk’s main data structures, Linux describes what it’s about to do in the journal. When the operations are complete, their entries are removed from the journal. Thus, at any given moment the journal should contain a list of disk structures that might be undergoing modification. The result is that, in the event of a crash or power failure, the system can examine the journal and check only those data structures described in it. If inconsistencies are found, the system can roll back or complete the changes, returning the disk to a consistent state without checking every data structure in the filesystem. This greatly speeds the disk-check process after power failures and system crashes. Today, journaling filesystems are the standard for most Linux disk partitions. Very small partitions (such as a separate /boot partition, if you use one) and small removable disks (such as Zip disks) often lack journals, though.

Five journaling filesystems are common on Linux: ext3fs, ext4fs, ReiserFS, XFS, and JFS. Of these, the last three require little in the way of journal configuration. Ext3fs is a bit different; it’s basically just ext2fs with a journal added. This fact means you can add a journal to an ext2 filesystem, converting it into an ext3 filesystem. This is what the -j option to tune2fs does, as described earlier in “Adjusting Tunable Filesystem Parameters.” Ext4fs is a further enhancement of this filesystem family.

Although using tune2fs on a mounted filesystem is generally inadvisable, it’s safe to use its -j option on a mounted filesystem. The result is a file called .journal that holds the journal. If you add a journal to an unmounted filesystem, the journal file will be invisible.

Adding a journal alone won’t do much good, though. To use a journal, you must mount the filesystem with the correct filesystem type code—ext3 rather than ext2 for ext3fs, or ext4 for ext4fs. (The upcoming section “Mounting and Unmounting Filesystems” describes how to do this.)

The journal, like other filesystem features, has its own set of parameters. You can set these with the -J option to tune2fs. In particular, the size=journal-size and device=external-journal suboptions enable you to set the journal’s size and the device on which it’s stored. By default, the system creates a journal that’s the right size for the filesystem and stores it on the filesystem itself.

Checking Filesystems

Tuning a filesystem is a task you’re likely to perform every once in a while—say, when making major changes to an installation. Another task is much more common: checking a filesystem for errors. Bugs, power failures, and mechanical problems can all cause the data structures on a filesystem to become corrupted. The results are sometimes subtle, but if they’re left unchecked, they can cause severe data loss. For this reason, Linux includes tools for verifying a filesystem’s integrity and for correcting any problems that may exist. The main tool you’ll use for this purpose is called fsck. This program is actually a front end to other tools, such as e2fsck (aka fsck.ext2, fsck.ext3, and fsck.ext4) or XFS’s xfs_check and xfs_repair. The syntax for fsck is as follows:

    fsck [-sACVRTNP] [-t fstype] [--] [fsck-options] filesystems

The exam objectives include both e2fsck and fsck, but because fsck is the more general tool that’s useful on more filesystems, it’s the form described in more detail in this book.

The more common parameters to fsck enable you to perform useful actions:

Check All Files: The -A option causes fsck to check all the filesystems marked to be checked in /etc/fstab. This option is normally used in system startup scripts.

Indicate Progress: The -C option displays a text-mode progress indicator of the check process. Most filesystem check programs don’t support this feature, but e2fsck does.

Show Verbose Output: The -V option produces verbose output of the check process.

No Action: The -N option tells fsck to display what it would normally do without actually doing it.

Set the Filesystem Type: Normally, fsck determines the filesystem type automatically. You can force the type with the -t fstype flag, though. Used in conjunction with -A, this causes the program to check only the specified filesystem types, even if others are marked to be checked. If fstype is prefixed with no, then all filesystems except the specified type are checked.

Filesystem-Specific Options: Filesystem check programs for specific filesystems often have their own options. The fsck command passes options it doesn’t understand, or those that follow a double dash (--), to the underlying check program. Common options include -a or -p (perform an automatic check), -r (perform an interactive check), and -f (force a full filesystem check even if the filesystem initially appears to be clean).

Filesystem List: The final parameter is usually the name of the filesystem or filesystems being checked, such as /dev/sda6.

Normally, you run fsck with only the filesystem device name, as in fsck /dev/sda6. You can add options as needed, however. Check fsck’s man page for less common options.

Run fsck only on filesystems that are not currently mounted or that are mounted in read-only mode. Changes written to disk during normal read/write operations can confuse fsck and result in filesystem corruption.
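One way to enforce that rule before running a check is sketched below. This is an added example, not code from the book: the function names mount_state and safe_to_fsck are hypothetical, the mount table is constructed sample data, and the script assumes the six-field layout (device, mount point, type, options, dump, pass) used by /etc/mtab and /proc/mounts.

```shell
#!/bin/sh
# mount_state DEVICE [TABLE]
# Prints "unmounted", "ro" or "rw" for DEVICE. TABLE is a mount table in
# the six-field /etc/mtab layout; it defaults to /proc/mounts (assumption:
# a Linux system with /proc) and may be "-" to read standard input.
# The device name is compared exactly as written in the table, so pass the
# same form (for example /dev/sda6, not a by-uuid symlink).
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            found = 1
            ro = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            # A device can appear more than once (bind mounts); a single
            # entry without "ro" means writes may be in flight.
            if (!ro) writable = 1
        }
        END {
            if (!found)        print "unmounted"
            else if (writable) print "rw"
            else               print "ro"
        }
    ' "${2:-/proc/mounts}"
}

# safe_to_fsck DEVICE [TABLE]
# Succeeds only when DEVICE is unmounted or mounted read-only everywhere.
safe_to_fsck() {
    case $(mount_state "$@") in
        unmounted|ro) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample table (not taken from a real system).
sample_mtab() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda6 /boot ext2 ro,noatime 0 0
/dev/sdb7 /mnt/shared ext3 rw,nosuid,nodev 0 0
/dev/sdb7 /srv/ro-view ext3 ro,nosuid,nodev 0 0
EOF
}

# Demonstration on the sample table.
for d in /dev/sda2 /dev/sda6 /dev/sdb7 /dev/sdc1; do
    printf '%s: %s\n' "$d" "$(sample_mtab | mount_state "$d" -)"
done
```

A wrapper script would call safe_to_fsck on the real table (no second argument) and run fsck only when it succeeds; the same guard suits the other tools in this chapter that should be run only on unmounted filesystems.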

Linux runs fsck automatically at startup on partitions that are marked for this in /etc/fstab, as described later in “Permanently Mounting Filesystems.” The normal behavior of e2fsck causes it to perform just a quick cursory examination of a partition if it’s been unmounted cleanly. The result is that the Linux boot process isn’t delayed because of a filesystem check unless the system wasn’t shut down properly. This rule has a couple of exceptions, though: e2fsck forces a check if the disk has gone longer than a certain amount of time without checks (normally six months) or if the filesystem has been mounted more than a certain number of times since the last check (normally 20). You can change these options using tune2fs, as described earlier in “Adjusting Tunable Filesystem Parameters.” Therefore, you’ll occasionally see automatic filesystem checks of ext2, ext3, and ext4 filesystems even if the system was shut down correctly.

Journaling filesystems do away with full filesystem checks at system startup even if the system wasn’t shut down correctly. Nonetheless, these filesystems still require check programs to correct problems introduced by undetected write failures, bugs, hardware problems, and the like. If you encounter odd behavior with a journaling filesystem, you might consider unmounting it and performing a filesystem check—but be sure to read the documentation first. Some Linux distributions do odd things with some journaling filesystem check programs. For instance, Mandriva uses a symbolic link from /sbin/fsck.reiserfs to /bin/true. This configuration speeds system boot times should ReiserFS partitions be marked for automatic checks, but it can be confusing if you need to manually check the filesystem. If this is the case, run /sbin/reiserfsck to do the job. Similarly, /sbin/fsck.xfs is usually nothing but a script that advises the user to run xfs_check or xfs_repair.

Monitoring Disk Use

One common problem with disks is that they can fill up. To avoid this problem, you need tools to tell you how much space your files are consuming. This is the task of the df and du programs, which summarize disk use on a partition-by-partition and directory-by-directory basis, respectively.

Monitoring Disk Use by Partition

The df command’s syntax is as follows:

    df [options] [files]

In the simplest case, you can type the command name to see a summary of disk space used on all of a system’s partitions:

    $ df
    Filesystem     1K-blocks      Used Available Use% Mounted on
    /dev/sdb10       5859784   4449900   1409884  76% /
    /dev/sdb12       2086264    991468   1094796  48% /opt
    /dev/hda13       2541468    320928   2220540  13% /usr/local
    /dev/hda9       15361340  10174596   5186744  67% /home
    /dev/hda10      22699288  13663408   7882820  64% /other/emu
    /dev/hda6         101089     22613     74301  24% /boot
    /dev/sdb5        1953216   1018752    934464  53% /other/shared
    none              256528         0    256528   0% /dev/shm
    speaker:/home    6297248   3845900   2451348  62% /speaker/home
    //win/music     17156608   8100864   9055744  48% /win/mp3s

This output shows the device file associated with the filesystem, the total amount of space on the filesystem, the used space on the filesystem, the free space on the filesystem, the percentage of space that’s used, and the mount point. Typically, when used space climbs above about 80 percent, you should consider cleaning up the partition. The appropriate ceiling varies from one computer and partition to another, though. The risk is greatest on partitions that hold files that change frequently—particularly if large files are likely to be created on a partition, even if only temporarily.

You can fine-tune the effects of df by passing it several options. Each option modifies the df output in a specific way:

Include All Filesystems: The -a or --all option includes pseudo-filesystems with a size of 0 in the output. These filesystems may include /proc, /sys, /proc/bus/usb, and others.

Use Scaled Units: The -h or --human-readable option causes df to scale and label its units; for instance, instead of reporting a partition as having 5859784 blocks, it reports the size as 5.6G (for 5.6GiB). The -H and --si options have a similar effect, but they use power-of-10 (1,000; 1,000,000; and so on) units rather than power-of-2 (1,024; 1,048,576; and so on) units. The -k (--kilobytes) and -m (--megabytes) options force output in their respective units.

Summarize Inodes: By default, df summarizes available and used disk space. You can instead receive a report on available and used inodes by passing the -i or --inodes option. This information can be helpful if a partition has very many small files, which can deplete available inodes sooner than they deplete available disk space.

The -i option works well for ext2, ext3, ext4, XFS, and some other filesystems that create a fixed number of inodes when the filesystem is created. Other filesystems, such as ReiserFS and Btrfs, create inodes dynamically, rendering the -i option meaningless.

Local Filesystems Only: The -l or --local option causes df to omit network filesystems. This can speed up operation.

Display Filesystem Type: The -T or --print-type option adds the filesystem type to the information df displays.

Limit by Filesystem Type: The -t fstype or --type=fstype option displays only information about filesystems of the specified type. The -x fstype or --exclude-type=fstype option has the opposite effect; it excludes filesystems of the specified type from the report.

This list is incomplete; consult df’s man page for details about more options. In addition to these options, you can specify one or more files to df. When you do this, the program restricts its report to the filesystem on which the specified file or directory exists. For instance, to learn about the disk space used on the /home partition, you could type df /home. Alternatively, you can give a device filename, as in df /dev/hda9.
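The 80 percent guideline and the inode report described above can be checked by a script. The following is an added example, not code from the book: over_threshold is a hypothetical function name, both sample reports are constructed, and the input is assumed to be in the one-line-per-filesystem layout that df -P (POSIX output format) and df -P -i produce, with no spaces in the device name.

```shell
#!/bin/sh
# over_threshold LIMIT
# Reads "df -P" or "df -P -i" output on standard input and prints
# "mountpoint percent" for every filesystem whose use percentage is
# above LIMIT. Entries whose percentage column is "-" (filesystems that
# allocate inodes dynamically) are skipped rather than treated as 0.
over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }                      # header line
        $5 !~ /^[0-9]+%$/ { next }            # no usable percentage
        {
            pct = $5
            sub(/%$/, "", pct)
            if (pct + 0 > limit + 0) {
                mp = $6                       # mount point may hold spaces
                for (i = 7; i <= NF; i++) mp = mp " " $i
                print mp, pct
            }
        }
    '
}

# Constructed "df -P" report: /var is short of disk space.
sample_blocks() {
    cat <<'EOF'
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda2          5859784  4449900   1409884      76% /
/dev/sda5         15361340 10174596   5186744      67% /home
/dev/sda7          2086264  1794187    292077      86% /var
tmpfs               256528        0    256528       0% /dev/shm
EOF
}

# Constructed "df -P -i" report for the same system: /home still has a
# third of its blocks free but is almost out of inodes.
sample_inodes() {
    cat <<'EOF'
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
/dev/sda2       366480 120344  246136   33% /
/dev/sda5       960992 913020   47972   96% /home
/dev/sda7       130560  30112  100448   24% /var
/dev/sdb1            0      0       0     - /srv/reiser
EOF
}

echo "Disk space above 80%:"
sample_blocks | over_threshold 80
echo "Inodes above 80%:"
sample_inodes | over_threshold 80
```

On a live system the same function reads df -P -l and df -P -i -l directly, for instance from a cron job that mails any output to the administrator.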

Monitoring Disk Use by Directory

The df command is helpful for finding out which partitions are in danger of becoming overloaded, but once you’ve obtained this information, you may need to fine-tune the diagnosis and track down the directories and files that are chewing up disk space. The tool for this task is du, which has a syntax similar to that of df:

    du [options] [directories]

This command searches directories you specify and reports how much disk space each is consuming. This search is recursive, so you can learn how much space the directory and all its subdirectories consume. The result can be a very long listing if you specify directories with many files, but several options can reduce the size of this output. Others can perform helpful tasks as well:

Summarize Files As Well As Directories: Ordinarily, du reports on the space used by the files in directories but not the space used by individual files. Passing the -a or --all option causes du to report on individual files as well.

Compute a Grand Total: Adding the -c or --total option causes du to add a grand total to the end of its output.

Use Scaled Units: The -h or --human-readable option causes du to scale and label its units; for instance, instead of reporting the total disk space used as 5859784 blocks, it reports the size as 5.6G (for 5.6GiB). The -H and --si options have a similar effect, but they use power-of-10 (1,000; 1,000,000; and so on) units rather than power-of-2 (1,024; 1,048,576; and so on) units. The -k (--kilobytes) and -m (--megabytes) options force output in their respective units.

Count Hard Links: Ordinarily, du counts files that appear multiple times as hard links only once. This reflects true disk space used, but sometimes you may want to count each link independently—for instance, if you’re creating a CD-R and the file will be stored once for each link. To do so, include the -l (that’s a lowercase L) or --count-links option. (Links are described in more detail in Chapter 4.)

Limit Depth: The --max-depth=n option limits the report to n levels. (The subdirectories’ contents are counted even if they aren’t reported.)

Summarize: If you don’t want a line of output for each subdirectory in the tree, pass the -s or --summarize option, which limits the report to those files and directories you specify on the command line. This option is equivalent to --max-depth=0.

Limit to One Filesystem: The -x or --one-file-system option limits the report to the current filesystem. If another filesystem is mounted within the tree you want summarized, its contents aren’t included in the report.

This list is incomplete; you should consult du’s man page for information about additional options.

As an example of du in action, consider using it to discover which of your users is consuming the most disk space in /home. Chances are you’re not concerned with the details of which subdirectories within each home directory are using the space, so you’ll pass the -s option to the program:

    # du -s /home/*
    12        /home/ellen
    35304     /home/freddie
    1760      /home/jennie
    12078     /home/jjones
    0         /home/lost+found
    10110324  /home/mspiggy

In this example, the wildcard character (*) stands for all the files and directories in /home, thus producing summaries for all these subdirectories. (For more on this topic, consult Chapter 4.) Clearly, mspiggy (or whoever owns the /home/mspiggy directory) is the biggest disk space user—or at least, that directory’s contents are consuming the most space. You could investigate further, say by typing du -s /home/mspiggy/* to learn where the disk space is being used within the /home/mspiggy directory. In the case of user files, if this space consumption is a problem, you may want to contact this user instead of trying to clean it up yourself.

Many types of files shouldn’t simply be deleted. For instance, most program files should be removed via the system’s package management system, if you decide to remove them. (This topic is covered in Chapter 2, “Managing Software.”) If you’re not sure what a file is or how it should be removed, don’t delete it—try a Web search, type man filename, or otherwise research it to figure out what it is.

Mounting and Unmounting Filesystems

Maintaining filesystems is necessary, but the whole reason filesystems exist is to store files—in other words, to be useful. Under Linux, filesystems are most often used by being mounted—that is, associated with a directory. This task can be accomplished on a one-time basis by using tools such as mount (and then unmounted with umount) or persistently across reboots by editing the /etc/fstab file.

Temporarily Mounting or Unmounting Filesystems

Linux provides the mount command to mount a filesystem to a mount point. The umount command reverses this process. (Yes, umount is spelled correctly; it’s missing the first n.) In practice, using these commands isn’t usually too difficult, but they support a large number of options.

Syntax and Parameters for mount

The syntax for mount is as follows:

    mount [-alrsvw] [-t fstype] [-o options] [device] [mountpoint]

Common parameters for mount support a number of features:

Mount All Filesystems: The -a parameter causes mount to mount all the filesystems listed in the /etc/fstab file, which specifies the most-used partitions and devices. The upcoming section “Permanently Mounting Filesystems” describes this file’s format.

Mount Read-Only: The -r parameter causes Linux to mount the filesystem read-only, even if it’s normally a read/write filesystem.

Show Verbose Output: As with many commands, -v produces verbose output—the program provides comments on operations as they occur.

Mount Read/Write: The -w parameter causes Linux to attempt to mount the filesystem for both read and write operations. This is the default for most filesystems, but some experimental drivers default to read-only operation. The -o rw option has the same effect.

Specify the Filesystem Type: Use the -t fstype parameter to specify the filesystem type. Common filesystem types are ext2 (for ext2fs), ext3 (for ext3fs), ext4 (for ext4fs), reiserfs (for ReiserFS), jfs (for JFS), xfs (for XFS), vfat (for FAT with VFAT long filenames), msdos (for FAT using only short DOS filenames), iso9660 (for CD-ROM filesystems), udf (for DVD and some CD-ROM filesystems), nfs (for NFS network mounts), and cifs (for SMB/CIFS network shares). Linux supports many others. If this parameter is omitted, Linux will attempt to auto-detect the filesystem type.

Linux requires support in the kernel or as a kernel module to mount a filesystem of a given type. If this support is missing, Linux will refuse to mount the filesystem in question.

Mount by Label or UUID: The -L label and -U uuid options tell mount to mount the filesystem with the specified label or UUID, respectively.

Additional Options: You can add many options using the -o parameter. Many of these are filesystem-specific.

Device: The device is the device filename associated with the partition or disk device, such as /dev/hda4, /dev/fd0, or /dev/cdrom. This parameter is usually required, but it may be omitted under some circumstances, as described shortly.

Mount Point: The mount point is the directory to which the device’s contents should be attached. As with device, it’s usually required, but it may be omitted under some circumstances.

The preceding list of mount parameters isn’t comprehensive; consult the mount man page for some of the more obscure options. The most common applications of mount use few parameters because Linux generally does a good job of detecting the filesystem type and the default parameters work reasonably well. For instance, consider this example:

    # mount /dev/sdb7 /mnt/shared

This command mounts the contents of /dev/sdb7 on /mnt/shared, auto-detecting the filesystem type and using the default options. Ordinarily, only root may issue a mount command; however, if /etc/fstab specifies the user, users, or owner option, an ordinary user may mount a filesystem using a simplified syntax in which only the device or mount point is specified, but not both. For instance, a user may type mount /mnt/cdrom to mount a CD-ROM if /etc/fstab specifies /mnt/cdrom as its mount point and uses the user, users, or owner option.

Most Linux distributions ship with auto-mounter support, which causes the OS to automatically mount removable media when they’re inserted. In GUI environments, a file browser may also open on the inserted disk. To eject the disk, the user will need to unmount the filesystem by using umount, as described shortly, or by selecting an option in the desktop environment.

When Linux mounts a filesystem, it ordinarily records this fact in /etc/mtab. This file has a format similar to that of /etc/fstab and is stored in /etc, but it’s not a configuration file you should edit. You might examine this file to determine what filesystems are mounted, though. (The df command, described in more detail in “Monitoring Disk Use by Partition,” is another way to learn what filesystems are mounted.)

Options for mount

When you do need to use special parameters (via -o or in /etc/fstab), it’s usually to add filesystem-specific options. Table 3.5 summarizes the most important filesystem options. Some of these are meaningful only in the /etc/fstab file.

TABLE 3.5 Important filesystem options for the mount command

| Option | Supported filesystems | Description |
| --- | --- | --- |
| defaults | All | Causes the default options for this filesystem to be used. It’s used primarily in the /etc/fstab file to ensure that the file includes an options column. |
| loop | All | Causes the loopback device for this mount to be used. Allows you to mount a file as if it were a disk partition. For instance, mount -t vfat -o loop image.img /mnt/image mounts the file image.img as if it were a disk. |
| auto or noauto | All | Mounts or doesn’t mount the filesystem at boot time or when root issues the mount -a command. The default is auto, but noauto is appropriate for removable media. Used in /etc/fstab. |
| user or nouser | All | Allows or disallows ordinary users to mount the filesystem. The default is nouser, but user is often appropriate for removable media. Used in /etc/fstab. When included in this file, user allows users to type mount /mountpoint (where /mountpoint is the assigned mount point) to mount a disk. Only the user who mounted the filesystem may unmount it. |
| users | All | Similar to user, except that any user may unmount a filesystem once it’s been mounted. |
| owner | All | Similar to user, except that the user must own the device file. Some distributions, such as Red Hat, assign ownership of some device files (such as /dev/fd0 for the floppy disk) to the console user, so this can be a helpful option. |
| remount | All | Changes one or more mount options without explicitly unmounting a partition. To use this option, you issue a mount command on an already mounted filesystem but with remount along with any options you want to change. This feature can be used to enable or disable write access to a partition, for example. |
| ro | All | Specifies a read-only mount of the filesystem. This is the default for filesystems that include no write access and for some with particularly unreliable write support. |
| rw | All read/write filesystems | Specifies a read/write mount of the filesystem. This is the default for most read/write filesystems. |
| uid=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Sets the owner of all files. For instance, uid=1000 sets the owner to whoever has Linux user ID 1000. (Check Linux user IDs in the /etc/passwd file.) |
| gid=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Works like uid=value, but sets the group of all files on the filesystem. You can find group IDs in the /etc/group file. |
| umask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Sets the umask for the permissions on files. value is interpreted in binary as bits to be removed from permissions on files. For instance, umask=027 yields permissions of 750, or -rwxr-x---. Used in conjunction with uid=value and gid=value, this option lets you control who can access files on FAT, HPFS, and many other foreign filesystems. |
| dmask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Similar to umask, but sets the umask for directories only, not for files. |
| fmask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Similar to umask, but sets the umask for files only, not for directories. |
| conv=code | Most filesystems used on Microsoft and Apple OSs: msdos, umsdos, vfat, hpfs, and hfs | If code is b or binary, Linux doesn’t modify the files’ contents. If code is t or text, Linux auto-converts files between Linux-style and DOS- or Macintosh-style end-of-line characters. If code is a or auto, Linux applies the conversion unless the file is a known binary file format. It’s usually best to leave this at its default value of binary because file conversions can cause serious problems for some applications and file types. |
| norock | iso9660 | Disables Rock Ridge extensions for ISO-9660 CD-ROMs. |
| nojoliet | iso9660 | Disables Joliet extensions for ISO-9660 CD-ROMs. |

Some filesystems support additional options that aren’t described here. The man page for mount covers some of these, but you may need to look at the filesystem’s documentation for some options. This documentation may appear in /usr/src/linux/Documentation/filesystems or /usr/src/linux/fs/fsname, where fsname is the name of the filesystem.

Using umount

The umount command is simpler than mount. The basic umount syntax is as follows:

    umount [-afnrv] [-t fstype] [device | mountpoint]

Most of these parameters have meanings similar to their meanings in mount, but some differences deserve mention:

Unmount All: Rather than unmount partitions listed in /etc/fstab, the -a option causes the system to attempt to unmount all the partitions listed in /etc/mtab, the file that holds information about mounted filesystems. On a normally running system, this operation is likely to succeed only partly because it won’t be able to unmount some key filesystems, such as the root partition.

Force Unmount: You can use the -f option to tell Linux to force an unmount operation that might otherwise fail. This feature is sometimes helpful when unmounting NFS mounts shared by servers that have become unreachable.

Fall Back to Read-Only: The -r option tells umount that if it can’t unmount a filesystem, it should attempt to remount it in read-only mode.

Unmount Partitions of a Specific Filesystem Type: The -t fstype option tells the system to unmount only partitions of the specified type. You can list multiple filesystem types by separating them with commas.

The Device and Mount Point: You need to specify only the device or only the mountpoint, not both.

As with mount, normal users can’t ordinarily use umount. The exception is if the partition or device is listed in /etc/fstab and specifies the user, users, or owner option, in which case normal users can unmount the device. (In the case of user, only the user who mounted the partition may unmount it; in the case of owner, the user issuing the command must also own the device file, as with mount.) These options are most useful for removable-media devices.

BecautiouswhenremovingfloppydisksorunpluggingUSBdisk-likedevices(USBflashdrivesorexternalharddisks).Linuxcachesaccessestomostfilesystems,whichmeansthatdatamaynotbewrittentothediskuntilsometimeafterawritecommand.Becauseofthis,it’spossibletocorruptadiskbyejectingorunpluggingit,evenwhenthedriveisn’tactive.Youmustalwaysissueaumountcommandbeforeejectingamounteddisk.(GUIunmounttoolsdothisbehindthescenes,sousingadesktop’sunmountorejectoptionisequivalenttousingumount.)Afterissuingtheumountcommand,waitforthecommandtoreturn,andifthediskhasactivityindicators,waitforthemtostopblinkingtobesureLinuxhasfinishedusingthedevice.Anotherwaytowritethecachetodiskistousethesynccommand;butbecausethiscommanddoesnotfullyunmountafilesystem,it’snotasubstituteforumount.

Permanently Mounting Filesystems

The /etc/fstab file controls how Linux provides access to disk partitions and removable media devices. Linux supports a unified directory structure in which every disk device (partition or removable disk) is mounted at a particular point in the directory tree. For instance, you might access a USB flash drive at /media/usb. The root of this tree is accessed from /. Directories off this root may be other partitions or disks, or they may be ordinary directories. For instance, /etc should be on the same partition as /, but many other directories, such as /home, may correspond to separate partitions. The /etc/fstab file describes how these filesystems are laid out. (The filename fstab is an abbreviation for filesystem table.)

The /etc/fstab file consists of a series of lines that contain six fields each; the fields are separated by one or more spaces or tabs. A line that begins with a hash mark (#) is a comment and is ignored. Listing 3.1 shows a sample /etc/fstab file.

Listing 3.1: Sample /etc/fstab file

#device       mount point   filesystem options                       dump fsck
/dev/hda1     /             ext4       defaults                      1 1
UUID=3631a288-673e-40f5-9e96-6539fec468e9 \
              /usr          reiserfs   defaults                      0 0
LABEL=/home   /home         reiserfs   defaults                      0 0
/dev/hdb5     /windows      vfat       uid=500,umask=0               0 0
/dev/hdc      /media/cdrom  iso9660    users,noauto                  0 0
/dev/sda1     /media/usb    auto       users,noauto                  0 0
server:/home  /other/home   nfs        users,exec                    0 0
//winsrv/shr  /other/win    cifs       users,credentials=/etc/creds  0 0
/dev/hda4     swap          swap       defaults                      0 0

The meaning of each field in this file is as follows:

Device: The first column specifies the mount device. These are usually device filenames that reference hard disks, floppy drives, and so on. Most distributions now specify partitions by their labels or UUIDs, as in the LABEL=/home and UUID=3631a288-673e-40f5-9e96-6539fec468e9 entries in Listing 3.1. When Linux encounters such an entry, it tries to find the partition whose filesystem has the specified name or UUID and mount it. This practice can help reduce problems if partition numbers change, but some filesystems lack these labels. It’s also possible to list a network drive, as in server:/home, which is the /home export on the computer called server; or //winsrv/shr, which is the shr share on the Windows or Samba server called winsrv.

Mount Point: The second column specifies the mount point; in the unified Linux filesystem, this is where the partition or disk will be mounted. This should usually be an empty directory in another filesystem. The root (/) filesystem is an exception. So is swap space, which is indicated by an entry of swap.

Filesystem Type: The filesystem type code is the same as the type code used to mount a filesystem with the mount command. You can use any filesystem type code you can use directly with the mount command. A filesystem type code of auto lets the kernel auto-detect the filesystem type, which can be a convenient option for removable media devices. Auto-detection doesn’t work with all filesystems, though.

Mount Options: Most filesystems support several mount options, which modify how the kernel treats the filesystem. You may specify multiple mount options, separated by commas. For instance, uid=500,umask=0 for /windows in Listing 3.1 sets the user ID (owner) of all files to 500 and sets the umask to 0. (User IDs and umasks are covered in more detail in Chapter 4.) Table 3.3 summarizes the most common mount options.

Backup Operation: The next-to-last field contains a 1 if the dump utility should back up a partition or a 0 if it shouldn’t. If you never use the dump backup program, this option is essentially meaningless. (The dump program was once a common backup tool, but it is much less popular today.)

Filesystem Check Order: At boot time, Linux uses the fsck program to check filesystem integrity. The final column specifies the order in which this check occurs. A 0 means that fsck should not check a filesystem. Higher numbers represent the check order. The root partition should have a value of 1, and all others that should be checked should have a value of 2. Some filesystems, such as ReiserFS, shouldn’t be automatically checked and so should have values of 0.

If you add a new hard disk or have to repartition the one you have, you’ll probably need to modify /etc/fstab. You may also need to edit it to alter some of its options. For instance, setting the user ID or umask on Windows partitions mounted in Linux may be necessary to let ordinary users write to the partition.

Managing User-Mountable Media

You may want to give ordinary users the ability to mount certain partitions or removable media, such as floppies, CD-ROMs, and USB flash drives. To do so, create an ordinary /etc/fstab entry for the filesystem, but be sure to add the user, users, or owner option to the options column. Table 3.5 describes the differences between these three options. Listing 3.1 shows some examples of user-mountable media: /media/cdrom, /media/usb, /other/home, and /other/win. The first two of these are designed for removable media and include the noauto option, which prevents Linux from wasting time trying to mount them when the OS first boots. The second pair of mount points are network file shares that are mounted automatically at boot time; the users option on these lines enables ordinary users to unmount and then remount the filesystem, which might be handy if, say, ordinary users have the ability to shut down the server.

As with any filesystems you want to mount, you must provide mount points—that is, create empty directories—for user-mountable media. Removable media are usually mounted in subdirectories of /mnt or /media.

Many modern distributions include auto-mount facilities that automatically mount removable media when they’re inserted. These tools typically create mount points in /media and create icons on users’ desktops to enable easy access to the media. This configuration produces effects that are familiar to users of Windows and Mac OS.

The credentials option for the /other/win mount point in Listing 3.1 deserves greater elaboration. Ordinarily, most SMB/CIFS shares require a username and password as a means of access control. Although you can use the username=name and password=pass options to smbfs or cifs, these options are undesirable, particularly in /etc/fstab, because they leave the password vulnerable to discovery—anybody who can read /etc/fstab can read the password. The credentials=file option provides an alternative—you can use it to point Linux at a file that holds the username and password. This file has labeled lines:

username=hschmidt
password=yiW7t9Td

Of course, the file you specify (/etc/creds in Listing 3.1) must be well protected—it must be readable only to root and perhaps to the user whose share it describes.
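The credentials advice above can be checked mechanically. The following shell script is an added example, not part of the original book: it reads an fstab-format file, flags cifs or smbfs entries that carry an inline password= option, and checks that each credentials= file exists and grants nothing to group or other. The finding names, the scratch directory, and every sample entry other than /other/win are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the book): audit SMB/CIFS entries in an fstab-format file.
# Finding names such as INLINE_PASSWORD are made up for this illustration.

# Report on one credentials file, judged by its ls -l permission string.
check_creds() {
    mnt=$1
    file=$2
    if [ ! -f "$file" ]; then
        echo "MISSING_CREDENTIALS $mnt $file"
        return 0
    fi
    # Characters 5-10 of the permission string are the group and other bits.
    bits=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$bits" = "------" ]; then
        echo "OK_CREDENTIALS $mnt $file"
    else
        echo "LOOSE_CREDENTIALS $mnt $file"
    fi
}

# Read the six fstab fields from FILE and inspect the options of network shares.
audit_fstab() {
    fstab=$1
    while read -r dev mnt fstype opts dump pass || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac          # blank line or comment
        case $fstype in cifs|smbfs) ;; *) continue ;; esac
        # Split the comma-separated options without triggering wildcard expansion.
        set -f; old_ifs=$IFS; IFS=,
        set -- $opts
        IFS=$old_ifs; set +f
        for opt in "$@"; do
            case $opt in
                password=*)    echo "INLINE_PASSWORD $mnt" ;;
                credentials=*) check_creds "$mnt" "${opt#credentials=}" ;;
            esac
        done
    done < "$fstab"
}

# Build constructed sample files in DIR: one fstab and two credentials files.
make_sample() {
    dir=$1
    printf 'username=hschmidt\npassword=yiW7t9Td\n' > "$dir/creds"
    cp "$dir/creds" "$dir/creds-open"
    chmod 600 "$dir/creds"          # readable by the owner only
    chmod 644 "$dir/creds-open"     # world-readable: the mistake to catch
    cat > "$dir/fstab" <<EOF
# constructed sample, modeled on Listing 3.1
/dev/hda1     /            ext4 defaults 1 1
//winsrv/shr  /other/win   cifs users,credentials=$dir/creds 0 0
//winsrv/pub  /other/pub   cifs users,username=hschmidt,password=yiW7t9Td 0 0
//winsrv/old  /other/old   cifs users,credentials=$dir/creds-open 0 0
//winsrv/gone /other/gone  cifs users,credentials=$dir/missing 0 0
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_fstab "$demo_dir/fstab"
rm -rf "$demo_dir"
```

The check covers permission bits only; confirming that the file is owned by root or by the user whose share it describes is a separate step.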

Summary

Most Linux tools and procedures provide a layer around the hardware, insulating you from a need to know too many details. Nonetheless, sometimes you have to dig in and configure hardware directly. Firmware settings can control onboard devices such as hard disk controllers and USB ports. USB and SCSI devices have their own quirks, and USB in particular is quickly evolving.

Hard disks are one class of hardware that’s likely to require more attention than most. Specifically, you must know how to create partitions and prepare filesystems on those partitions. These tasks are necessary when you install Linux (although most distributions provide GUI tools to help guide you through this task during installation), when you add a hard disk, or when you reconfigure an existing system. You should also know something about boot managers. These programs help get Linux up and running when you turn on a computer’s power, so they’re unusually critical to Linux operation.

Filesystem management is basic to being able to administer or use a Linux system. The most basic of these basic tasks are filesystem tasks—the ability to mount filesystems, check their health, and repair ailing filesystems. Once a filesystem is mounted, you may want to periodically check to see how full it is, lest you run out of disk space.

Exam Essentials

Summarize BIOS essentials. The BIOS provides two important functions: First, it configures hardware—both hardware that’s built into the motherboard and hardware on many types of plug-in cards. Second, the BIOS begins the computer’s boot process, passing control on to the boot loader in the MBR. The BIOS is currently being retired in favor of a new type of firmware, EFI, which performs these tasks on modern computers.

Describe what files contain important hardware information. There are many files under the /proc filesystem. Many of these files have been mentioned throughout this chapter. Familiarize yourself with these files, such as /proc/ioports, /proc/interrupts, /proc/dma, /proc/bus/usb, and others.

Explain Linux’s model for managing USB hardware. Linux uses drivers for USB controllers. These drivers in turn are used by some device-specific drivers (for USB disk devices, for instance) and by programs that access USB hardware via entries in the /proc/bus/usb directory tree.

Summarize how to obtain information about PCI and USB devices. The lspci and lsusb programs return information about PCI and USB devices, respectively. You can learn manufacturers’ names and various configuration options by using these commands.

Identify common disk types and their features. PATA disks were the most common type on PCs until about 2005. Since then, SATA disks, which are more easily configured, have gained substantially in popularity. SCSI disks have long been considered the top-tier disks, but their high price has kept them out of inexpensive commodity PCs.

Describe the purpose of disk partitions. Disk partitions break the disk into a handful of distinct parts. Each partition can be used by a different OS, can contain a different filesystem, and is isolated from other partitions. These features improve security and safety and can greatly simplify running a multi-OS system.

Summarize important Linux disk partitions. The most important Linux disk partition is the root (/) partition, which is at the base of the Linux directory tree. Other possible partitions include a swap partition, /home for home directories, /usr for program files, /var for transient system files, /tmp for temporary user files, /boot for the kernel and other critical boot files, and more.

Describe commands that help you monitor disk use. The df command provides a one-line summary of each mounted filesystem’s size, available space, free space, and percentage of space used. The du command adds up the disk space used by all the files in a specified directory tree and presents a summary by directory and subdirectory.

Summarize the tools that can help keep a filesystem healthy. The fsck program is a front-end to filesystem-specific tools such as e2fsck and fsck.jfs. By whatever name, these programs examine a filesystem’s major data structures for internal consistency and can correct minor errors.

Explain how filesystems are mounted in Linux. The mount command ties a filesystem to a Linux directory; once the filesystem is mounted, its files can be accessed as part of the mount directory. The /etc/fstab file describes permanent mappings of filesystems to mount points; when the system boots, it automatically mounts the described filesystems unless they use the noauto option (which is common for removable disks).

Review Questions

1. What are common IRQs for RS-232 serial ports? (Select two.)
A. 1
B. 3
C. 4
D. 8
E. 16

2. What tool would you use to disable a motherboard’s sound hardware if you don’t want to use it?
A. The firmware
B. The alsactl utility
C. The lsmod command
D. The lspci program
E. None of the above; onboard sound devices can’t be disabled

3. What is the purpose of udev?
A. To aid in the development of software
B. To unload Linux device drivers
C. To load Linux device drivers
D. To store devices’ BIOS configurations in files
E. To manage the /dev directory tree

4. You’ve just installed Linux on a new computer with a single SATA hard disk. What device identifier will refer to the disk?
A. /dev/sda
B. /dev/mapper/disk1
C. /dev/hda
D. C:
E. /dev/sda or /dev/hda

5. Which files contain essential system information such as IRQs, direct memory access channels, and I/O addresses? (Select three.)
A. /proc/ioports
B. /proc/ioaddresses
C. /proc/dma
D. /proc/interrupts
E. /proc/hardware

6. Typing fdisk -l /dev/sda on a Linux computer with an MBR disk produces a listing of four partitions: /dev/sda1, /dev/sda2, /dev/sda5, and /dev/sda6. Which of the following is true?
A. The disk contains two primary partitions and two extended partitions.
B. Either /dev/sda1 or /dev/sda2 is an extended partition.
C. The partition table is corrupted; there should be a /dev/sda3 and a /dev/sda4 before /dev/sda5.
D. If you add a /dev/sda3 with fdisk, /dev/sda5 will become /dev/sda6 and /dev/sda6 will become /dev/sda7.
E. Both /dev/sda1 and /dev/sda2 are logical partitions.

7. A new Linux administrator plans to create a system with separate /home, /usr/local, and /etc partitions, in addition to the root (/) partition. Which of the following best describes this configuration?
A. The system won’t boot because critical boot-time files reside in /home.
B. The system will boot, but /usr/local won’t be available because mounted partitions must be mounted directly off their parent partition, not in a subdirectory.
C. The system will boot only if the /home partition is on a separate physical disk from the /usr/local partition.
D. The system will boot and operate correctly, provided each partition is large enough for its intended use.
E. The system won’t boot because /etc contains configuration files necessary to mount non-root partitions.

8. Which of the following directories is most likely to be placed on its own hard disk partition?
A. /bin
B. /sbin
C. /mnt
D. /home
E. /dev

9. You discover that an MBR hard disk has partitions with type codes of 0x0f, 0x82, and 0x83. Assuming these type codes are accurate, what can you conclude about the disk?
A. The disk holds a partial or complete Linux system.
B. The disk holds DOS or Windows 9x/Me and Windows NT/200x/XP installations.
C. The disk holds a FreeBSD installation.
D. The disk is corrupt; those partition type codes are incompatible.
E. The disk holds a Mac OS X installation.

10. You run Linux’s fdisk and modify your partition layout. Before exiting the program, you realize that you’ve been working on the wrong disk. What can you do to correct this problem?
A. Nothing; the damage is done, so you’ll have to recover data from a backup.
B. Type w to exit fdisk without saving changes to disk.
C. Type q to exit fdisk without saving changes to disk.
D. Type u repeatedly to undo the operations you’ve made in error.
E. Type t to undo all the changes and return to the original disk state.

11. What does the following command accomplish?

# mkfs -t ext2 /dev/sda4

A. It sets the partition table type code for /dev/sda4 to ext2.
B. It converts a FAT partition into an ext2fs partition without damaging the partition’s existing files.
C. Nothing; the -t option isn’t valid, and so it causes mkfs to abort its operation.
D. It converts an ext2 filesystem to an ext4 filesystem.
E. It creates a new ext2 filesystem on /dev/sda4, overwriting any existing filesystem and data.

12. Which of the following best summarizes the differences between DOS’s FDISK and Linux’s fdisk?
A. Linux’s fdisk is a simple clone of DOS’s FDISK but written to work from Linux rather than from DOS or Windows.
B. The two are completely independent programs that accomplish similar goals, although Linux’s fdisk is more flexible.
C. DOS’s FDISK uses GUI controls, whereas Linux’s fdisk uses a command-line interface, but they have similar functionality.
D. Despite their similar names, they’re completely different tools—DOS’s FDISK handles disk partitioning, whereas Linux’s fdisk formats floppy disks.
E. DOS’s FDISK manages GPT disks whereas Linux’s fdisk manages MBR disks.

13. What mount point should you associate with swap partitions?
A. /
B. /swap
C. /boot
D. /mem
E. None of the above

14. Which of the following options is used with fsck to force it to use a particular filesystem type?
A. -A
B. -N
C. -t
D. -C
E. -f

15. Which of the following pieces of information can df not report?
A. How long the filesystem has been mounted
B. The number of inodes used on an ext3fs partition
C. The filesystem type of a partition
D. The percentage of available disk space used on a partition
E. The mount point associated with a filesystem

16. What is an advantage of a journaling filesystem over a conventional (non-journaling) filesystem?
A. Journaling filesystems are older and better tested than non-journaling filesystems.
B. Journaling filesystems never need to have their filesystems checked with fsck.
C. Journaling filesystems support Linux ownership and permissions; non-journaling filesystems don’t.
D. Journaling filesystems require shorter disk checks after a power failure or system crash.
E. Journaling filesystems record all transactions, enabling them to be undone.

17. To access files on a USB flash drive, you type mount /dev/sdc1 /media/flash as root. Which types of filesystems will this command mount?
A. Ext2fs
B. FAT
C. HFS
D. ReiserFS
E. All of the above

18. Which of the following /etc/fstab entries will mount /dev/sdb2 as the /home directory at boot time?
A. /dev/sdb2 reiserfs /home defaults 0 0
B. /dev/sdb2 /home reiserfs defaults 0 0
C. /home reiserfs /dev/sdb2 noauto 0 0
D. /home /dev/sdb2 reiserfs noauto 0 0
E. reiserfs /dev/sdb2 /home noauto 0 0

19. What filesystem options might you specify in /etc/fstab to make a removable disk (USB flash drive, Zip disk, floppy disk, and so on) mountable by an ordinary user with a UID of 1000? (Select three.)
A. user
B. users
C. owner
D. owners
E. uid=1000

20. What is the minimum safe procedure for removing a USB flash drive, mounted from /dev/sdb1 at /media/usb, from a Linux computer?
A. Type umount /media/usb, wait for the command to return and disk-activity lights to stop, and then unplug the drive.
B. Unplug the drive, and then type umount /media/usb to ensure that Linux registers the drive’s removal from the system.
C. Unplug the drive, and then type sync /dev/sdb1 to flush the caches to ensure problems don’t develop.
D. Type usbdrive-remove, and then quickly remove the disk before its activity light stops blinking.
E. Type fsck /dev/sdb1, wait for the command to return and disk-activity lights to stop, and then unplug the drive.

Chapter 4

Managing Files

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.103.3 Perform basic file management
1.104.4 Manage disk quotas
1.104.5 Manage file permissions and ownership
1.104.6 Create and change hard and symbolic links
1.104.7 Find system files and place files in the correct location

Ultimately, Linux is a collection of files stored on your hard disk. Other disk files contain all your user data. For these reasons, being able to manage the files contained on your filesystems is an important skill for any Linux system administrator. Chapter 3, “Configuring Hardware,” described creating disk partitions, preparing filesystems on them, maintaining those filesystems, and mounting them. This chapter continues this topic by looking more closely at file management.

This chapter begins with an examination of the basic commands used to access and manipulate files. As a multi-user OS, Linux provides tools that enable you to restrict who may access your files, so I describe the Linux ownership model and the commands that are built on this model to control file access. Furthermore, Linux provides a system that enables you to restrict how much disk space individual users may consume, so I describe this feature. Finally, this chapter looks at locating files—both the formal description of where certain types of files should reside and the commands you can use to locate specific files.

Using File Management Commands

Basic file management is critical to the use of any computer. This is particularly true on Unix-like systems, including Linux, because these systems treat almost everything as a file, including most hardware devices and various specialized interfaces. Thus, being able to create, delete, move, rename, archive, and otherwise manipulate files is a basic skill of any Linux user or system administrator.

To begin, you should understand something of the rules that govern filenames and the shortcuts you can use to refer to files. With this information in hand, you can move on to learn how to manipulate files, how to manipulate directories, how to archive files, and how to manage links.

File Naming and Wildcard Expansion Rules

Linux filenames are much like the filenames on any other OS. Every OS has its filename quirks, though, and these differences can be stumbling blocks to those who move between systems—or to those who want to move files between systems.

Linux filenames can contain uppercase or lowercase letters, numbers, and even most punctuation and control characters. To simplify your life and avoid confusion, though, I recommend restricting non-alphanumeric symbols to the dot (.), the dash (-), and the underscore (_). Some programs create backup files that end in the tilde (~), as well. Although Linux filenames can contain spaces, and although such filenames are common in some OSs, they must be escaped on the Linux command line by preceding the space with a backslash (\) or by enclosing the entire filename in quotes ("). This requirement makes spaces a bit awkward in Linux, so most Linux users substitute dashes or underscores.

A few characters have special meaning and should never be used in filenames. These include the asterisk (*), the question mark (?), the forward slash (/), the backslash (\), and the quotation mark ("). Although you can create files that contain all of these characters except for the forward slash (which serves to separate directory elements) by escaping them, they’re likely to cause greater confusion than other symbols.

Linux filename length depends on the filesystem in use. On ext2fs, ext3fs, ext4fs, ReiserFS, XFS, and many others, the limit is 255 characters. If you’ve ever used DOS, you’re probably familiar with the 8.3 filename limit: DOS filenames are restricted to eight characters followed by an optional three-character extension. These two components are separated by a dot. Although one- to four-character extensions are common in Linux, Linux filenames can contain an arbitrary number of dots. In fact, filenames can begin with a dot. These so-called dot files are hidden from view by most utilities that display files, so they’re popular for storing configuration files in your home directory.

If you access a File Allocation Table (FAT) filesystem on a removable disk or partition used by DOS, you can do so using either of two filesystem type codes: msdos, which limits you to 8.3 filenames; or vfat, which supports Windows-style long filenames. In addition, the umsdos filesystem type code was a Linux-only extension that supported Linux-style long filenames. UMSDOS support was discontinued after the 2.6.11 kernel.

Two filenames are particularly special. A filename that consists of a single dot (.) refers to the current directory, whereas a filename that consists of a double dot (..) refers to the parent directory. For instance, if your current directory is /home/jerry, then . refers to that directory and .. refers to /home.

One critical difference between Linux filenames and those of many other OSs is that Linux treats its filenames in a case-sensitive way; in other words, Filename.txt is different from filename.txt or FILENAME.TXT. All three files can exist in a single directory. Under Windows, all three filenames refer to the same file. Although Windows 95 and later all retain the case of the filename, they ignore it when you refer to an existing file, and they don’t permit files whose names differ only in case to co-exist in a single directory. This difference isn’t a major problem for most people who migrate from Windows to Linux, but you should be aware of it. It can also cause problems when you try to read a FAT disk using the Linux vfat driver because Linux has to follow the Windows rules when managing files on that disk.

You can use wildcards with many commands. A wildcard is a symbol or set of symbols that stands in for other characters. Three classes of wildcards are common in Linux:

?: A question mark (?) stands in for a single character. For instance, b??k matches book, balk, buck, or any other four-character filename that begins with b and ends with k.

*: An asterisk (*) matches any character or set of characters, including no character. For instance, b*k matches book, balk, and buck just as does b??k. b*k also matches bk, bbk, and backtrack.

Bracketed Values: Characters enclosed in square brackets ([]) normally match any character in the set. For instance, b[ao][lo]k matches balk and book but not buck or back. It’s also possible to specify a range of values; for instance, b[a-z]ck matches back, buck, and other four-letter filenames of this form whose second character is a lowercase letter. This differs from b?ck—because Linux treats filenames in a case-sensitive way and because ? matches any character (not just any lowercase letter), b[a-z]ck doesn’t match bAck or b3ck, although b?ck matches both of these filenames.

Wildcards are implemented in the shell and passed to the command you call. For instance, if you type ls b??k, and that wildcard matches the three files balk, book, and buck, the result is precisely as if you’d typed ls balk book buck. The process of wildcard expansion is known as file globbing or simply globbing.

The way wildcards are expanded can lead to undesirable consequences. For instance, suppose you want to copy two files, specified via a wildcard, to another directory, but you forget to give the destination directory. The cp command (described shortly) will interpret the command as a request to copy the first of the files over the second.
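The wildcard classes and the cp accident described above can be reproduced safely in a scratch directory. The following shell script is an added example, not part of the original book: it creates the filenames used in the wildcard descriptions, prints what each pattern expands to, shows the second file being overwritten when the destination is forgotten, and defines a small wrapper that refuses to run unless its first argument is an existing directory. The function names, the report_a.txt and report_b.txt files, and the copy_into wrapper are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): wildcard expansion and the cp accident.

# Create the filenames used in the wildcard descriptions (empty files) in DIR.
make_files() {
    for f in balk book buck bk bbk backtrack back bAck b3ck; do
        : > "$1/$f"
    done
}

# Print what a command run in DIR would receive in place of PATTERN.
# LC_ALL=C pins the sort order and keeps [a-z] limited to lowercase letters.
expand_in() {
    ( cd "$1" && LC_ALL=C && export LC_ALL && set -- $2 && echo "$*" )
}

# Two matches and a forgotten destination: cp sees "cp report_a.txt report_b.txt".
# Prints the content of report_b.txt afterwards.
clobber_demo() {
    echo "first draft"  > "$1/report_a.txt"
    echo "second draft" > "$1/report_b.txt"
    ( cd "$1" && cp report_?.txt )
    cat "$1/report_b.txt"
}

# Hypothetical wrapper: destination comes first and must be an existing directory,
# so a forgotten destination is rejected instead of overwriting a file.
copy_into() {
    if [ "$#" -lt 2 ]; then
        echo "usage: copy_into DIRECTORY FILE..." >&2
        return 2
    fi
    dest=$1
    shift
    if [ ! -d "$dest" ]; then
        echo "copy_into: $dest is not a directory" >&2
        return 2
    fi
    cp -- "$@" "$dest"/
}

scratch=$(mktemp -d)
make_files "$scratch"
for pat in 'b??k' 'b*k' 'b[ao][lo]k' 'b[a-z]ck' 'b?ck'; do
    echo "$pat -> $(expand_in "$scratch" "$pat")"
done
echo "report_b.txt after 'cp report_?.txt': $(clobber_demo "$scratch")"
( cd "$scratch" && copy_into report_?.txt ) || echo "copy_into refused to run"
rm -rf "$scratch"
```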

File Commands

A few file-manipulation commands are extremely important to everyday file operations. These commands enable you to list, copy, move, rename, and delete files.

The ls Command

To manipulate files, it’s helpful to know what they are. This is the job of the ls command, whose name is short for list. The ls command displays the names of files in a directory. Its syntax is simple:

ls [options] [files]

The command supports a huge number of options; consult ls’s man page for details. The most useful options include the following:

Display All Files: Normally, ls omits files whose names begin with a dot (.). These dot files are often configuration files that aren’t usually of interest. Adding the -a or --all parameter displays dot files.

Color Listing: The --color option produces a color-coded listing that differentiates directories, symbolic links, and so on by displaying them in different colors. This works at the Linux console, in xterm windows in X, and from some types of remote logins, but some remote-login programs don’t support color displays. Some Linux distributions configure their shells to use this option by default.

Display Directory Names: Normally, if you type a directory name as one of the files, ls displays the contents of that directory. The same thing happens if a directory name matches a wildcard. Adding the -d or --directory parameter changes this behavior to list only the directory name, which is sometimes preferable.

Long Listing: The ls command normally displays filenames only. The -l parameter (a lowercase L) produces a long listing that includes information such as the file’s permission string (described in “Understanding Permissions”), owner, group, size, and creation date.

Display File Type: The -F or --file-type option appends an indicator code to the end of each name so you know what type of file it is. The meanings are as follows:

/    Directory
@    Symbolic link
=    Socket
|    Pipe

Recursive Listing: The -R or --recursive option causes ls to display directory contents recursively. That is, if the target directory contains a subdirectory, ls displays both the files in the target directory and the files in its subdirectory. The result can be a huge listing if a directory has many subdirectories.

Both the options list and the files list are optional. If you omit the files list, ls displays the contents of the current directory. You may instead give one or more file or directory names, in which case ls displays information about those files or directories, as in this example:

$ ls -F /usr /bin/ls
/bin/ls*

/usr:
bin/  include/  lib32/  local/  share/  X11R6/  games/  lib/  lib64@  sbin/
src/

This output shows both the /bin/ls program file and the contents of the /usr directory. The latter consists mainly of subdirectories, but it includes one symbolic link as well. By default, ls creates a listing that’s sorted by filename, as shown in this example. In the past, uppercase letters (as in X11R6) appeared before lowercase letters (as in bin); however, recent versions of ls sort in a case-insensitive manner.

One of the most common ls options is -l, which creates a long listing like this:

$ ls -l t*
-rwxr-xr-x 1 rodsmith users     111 Apr 13 13:48 test
-rw-r--r-- 1 rodsmith users  176322 Dec 16 09:34 thttpd-2.20b-1.i686.rpm
-rw-r--r-- 1 rodsmith users 1838045 Apr 24 18:52 tomsrtbt-1.7.269.tar.gz
-rw-r--r-- 1 rodsmith users 3265021 Apr 22 23:46 tripwire.rpm

This output includes the permission strings, ownership, file sizes, and file creation dates in addition to the filenames. This example also illustrates the use of the * wildcard, which matches any string—thus, t* matches any filename that begins with t.

You can combine multiple options by merging them with a single preceding dash, as in ls -lF to get a long listing that also includes file type codes. This can save a bit of typing compared to the alternative of ls -l -F.

The cp Command

The cp command copies a file. Its basic syntax is as follows:

cp [options] source destination

The source is normally one or more files, and the destination may be a file (when the source is a single file) or a directory (when the source is one or more files). When copying to a directory, cp preserves the original filename; otherwise, it gives the new file the filename indicated by destination. The command supports a large number of options; consult its man page for more information. Some of the useful options enable you to modify the command’s operation in helpful ways:

Force Overwrite: The -f or --force option forces the system to overwrite any existing files without prompting.

Use Interactive Mode: The -i or --interactive option causes cp to ask you before overwriting any existing files.

Preserve Ownership and Permissions: Normally, a copied file is owned by the user who issues the cp command and uses that account’s default permissions. The -p or --preserve option preserves ownership and permissions, if possible.

Perform a Recursive Copy: If you use the -R or --recursive option and specify a directory as the source, the entire directory, including its subdirectories, is copied. Although -r also performs a recursive copy, its behavior with files other than ordinary files and directories is unspecified. Most cp implementations use -r as a synonym for -R, but this behavior isn’t guaranteed.

Perform an Archive Copy: The -a or --archive option is similar to -R, but it also preserves ownership and copies links as is. The -R option copies the files to which symbolic links point rather than the symbolic links themselves. (Links are described in more detail later in this chapter in “Managing Links.”)

Perform an Update Copy: The -u or --update option tells cp to copy the file only if the original is newer than the target or if the target doesn’t exist.

This list of cp options is incomplete but covers the most useful options. Consult cp’s man page for information about additional cp options.

As an example, the following command copies the /etc/fstab configuration file to a backup location in /root, but only if the original /etc/fstab is newer than the existing backup:

# cp -u /etc/fstab /root/fstab-backup

The mv Command

The mv command (short for move) is commonly used both to move files and directories from one location to another and to rename them. Linux doesn’t distinguish between these two types of operations, although many users do. The syntax of mv is similar to that of cp:

mv [options] source destination

The command takes many of the same options as cp does. From the earlier list, --preserve, --recursive, and --archive don’t apply to mv, but the others do.

To move one or more files or directories, specify the files as the source and specify a directory or (optionally, for a single-file move) a filename for the destination:

$ mv document.odt important/purchases/

This example uses a trailing slash (/) on the destination directory. This practice can help avoid problems caused by typos. For instance, if the destination directory were mistyped as important/purchase (missing the final s), mv would move document.odt into the important directory under the filename purchase. Adding the trailing slash makes it explicit that you intend to move the file into a subdirectory. If it doesn’t exist, mv complains, so you’re not left with mysterious misnamed files. You can also use the Tab key to avoid problems. When you press Tab in many Linux shells, such as bash, the shell tries to complete the filename automatically, reducing the risk of a typo.

The preceding command copies the document.odt file into the important/purchases subdirectory. If the move occurs on one low-level filesystem, Linux does the job by rewriting directory entries; the file’s data need not be read and rewritten. This makes mv fast. When the target directory is on another partition or disk, though, Linux must read the original file, rewrite it to the new location, and delete the original. This slows down mv.

Renaming a file with mv works much like moving a file, except that the source and destination filenames are in the same directory, as shown here:

$ mv document.odt washer-order.odt

This renames document.odt to washer-order.odt in the same directory. You can combine these two forms as well:

$ mv document.odt important/purchases/washer-order.odt

This command simultaneously moves and renames the file.

You can move or rename entire directories using mv, too; just specify one or more directories as the source in the command. For instance, consider the following commands:

$ mv important critical
$ mv critical /tmp/

The first of these commands renames the important subdirectory as critical in the current directory. The second command moves the renamed subdirectory to the /tmp directory. (You could combine these two commands to mv important /tmp/critical.) The form of these commands is identical to the form of mv when used with files, although you may optionally add a trailing slash (/) to directory names.

The rm Command

To delete a file, use the rm command, whose name is short for remove. Its syntax is simple:

rm [options] files

The rm command accepts many of the same options as cp or mv. Of those described with cp, --preserve, --archive, and --update don’t apply to rm, but all the others do. With rm, -r is synonymous with -R.

By default, Linux doesn’t provide any sort of “trash-can” functionality for its rm command; once you’ve deleted a file with rm, it’s gone and cannot be recovered without retrieving it from a backup or performing low-level disk maintenance (such as with debugfs). Therefore, you should be cautious when using rm, particularly when you’re logged on as root. This is especially true when you’re using the -R option, which can destroy a large part of your Linux installation! Many Linux GUI file managers do implement trash-can functionality so that you can easily recover files moved to the trash (assuming you haven’t emptied the trash), so you may want to use a file manager for removing files.

The touch Command

Linux-native filesystems maintain three time stamps for every file:

Last file-modification time
Last inode change time
Last access time

Various programs rely on these time stamps; for instance, the make utility (which helps compile a program from source code) uses the time stamps to determine which source-code files must be recompiled if an object file already exists for a particular file. Thus, sometimes you may need to modify the time stamps. This is the job of the touch command, which has the following syntax:

touch [options] files

By default, touch sets the modification and access times to the current time. You might use this if, for instance, you wanted make to recompile a particular source code file even though a newer object file existed. If the specified files don’t already exist, touch creates them as empty files. This can be handy if you want to create dummy files—say, to experiment with other file-manipulation commands. You can pass various options to touch to have it change its behavior:

Change Only the Access Time: The -a or --time=atime option causes touch to change the access time alone, not the modification time.

Change Only the Modification Time: The -m or --time=mtime option causes touch to change the modification time alone, not the access time.

Do Not Create File: If you don’t want touch to create any files that don’t already exist, pass it the -c or --no-create option.

Set the Time as Specified: The -t timestamp option sets the time to the specified timestamp. This value is given in the form MMDDhhmm[[CC]YY][.ss], where MM is the month, DD is the day, hh is the hour (on a 24-hour clock), mm is the minute, [CC]YY is the year (such as 2012 or 12, which are equivalent), and ss is the second. Another way to set a particular time is with the -r reffile or --reference=reffile option, where reffile is a file whose time stamp you want to replicate.

File Archiving Commands

A file archiving tool collects a group of files into a single “package” file that you can easily move around on a single system; back up to a recordable DVD, tape, or other removable media; or transfer across a network. Linux supports several archiving commands, the most prominent being tar and cpio. The dd command, although not technically an archiving command, is similar in some ways, because it can copy an entire partition or disk into a file, or vice versa.

The zip format, which is common on Windows, is supported by the Linux zip and unzip commands. Other archive formats, such as the Roshal Archive (RAR) and StuffIt, can also be manipulated using Linux utilities. These archive formats may be important in some environments, but they aren’t covered on the exam.

The tar Utility

The tar program’s name stands for “tape archiver.” Despite this fact, you can use tar to archive data to other media. In fact, tarballs (archive files created by tar and typically compressed with gzip or bzip2) are often used for transferring multiple files between computers in one step, such as when distributing source code.

The tar program is a complex package with many options, but most of what you’ll do with the utility can be covered with a few common commands. Table 4.1 lists the primary tar commands, and Table 4.2 lists the qualifiers that modify what the commands do. Whenever you run tar, you use exactly one command, and you usually use at least one qualifier.

TABLE 4.1 tar commands

Command              Abbreviation  Description
--create             c             Creates an archive
--concatenate        A             Appends tar files to an archive
--append             r             Appends non-tar files to an archive
--update             u             Appends files that are newer than those in an archive
--diff or --compare  d             Compares an archive to files on disk
--list               t             Lists an archive’s contents
--extract or --get   x             Extracts files from an archive

TABLE 4.2 tar qualifiers

Qualifier                  Abbreviation                         Description
--directory dir            C                                    Changes to directory dir before performing operations
--file [host:]file         f                                    Uses the file called file on the computer called host as the archive file
--listed-incremental file  g                                    Performs an incremental backup or restore, using file as a list of previously archived files
--one-file-system          l (on old versions of tar)           Backs up or restores only one filesystem (partition)
--multi-volume             M                                    Creates or extracts a multi-tape archive
--tape-length N            L                                    Changes tapes after N kilobytes
--same-permissions         p                                    Preserves all protection information
--absolute-paths           P                                    Retains the leading / on filenames
--verbose                  v                                    Lists all files read or extracted; when used with --list, displays file sizes, ownership, and time stamps
--verify                   W                                    Verifies the archive after writing it
--exclude file             (none)                               Excludes file from the archive
--exclude-from file        X                                    Excludes files listed in file from the archive
--gzip or --ungzip         z                                    Processes an archive through gzip
--bzip2                    j (some older versions used I or y)  Processes an archive through bzip2
--xz                       J                                    Processes an archive through xz

Of the commands listed in Table 4.1, the most commonly used are --create, --extract, and --list. The most useful qualifiers from Table 4.2 are --file, --listed-incremental, --one-file-system, --same-permissions, --gzip, --bzip2, --xz, and --verbose. If you fail to specify a filename with the --file qualifier, tar will attempt to use a default device, which is often (but not always) a tape device file.

Three compression tools—gzip, bzip2, and xz—are often used with tar, which applies compression to the tarball as a whole rather than to the individual files. This method of compressing reduces the tarball’s size compared to compressing constituent files and then adding them to the archive, but it makes the archive more susceptible to damage; a single-byte error early in the archive can make it impossible to recover any subsequent data. Of the three compression tools, gzip is the oldest and provides the least compression, bzip2 provides improved compression, and xz is the newest and provides the best compression. Typically, files compressed with these utilities have .gz, .bz2, or .xz extensions, respectively. Compressed tarballs sometimes use their own special extensions, such as .tgz for a gzip-compressed tarball or .tbz for one compressed with bzip2.

As an example of tar in use, consider archiving and compressing the my-work subdirectory of your home directory to a USB flash drive mounted at /media/pen. The following command will do the trick:

$ tar cvfz /media/pen/my-work.tgz ~/my-work

If you then transfer this flash drive to another system, mount it at /media/usb, and want to extract the archive, you can do so with another command:

$ tar xvfz /media/usb/my-work.tgz

Instead of using the compression options, you can use a pipe to connect a compression tool to tar when extracting data. For instance, gunzip -c tarball.tgz | tar xvf - uncompresses tarball.tgz.

The preceding command creates a subdirectory called my-work in the current working directory and populates it with the files from the archive. If you don’t know what’s in an archive, it’s a good practice to examine it with the --list command before extracting its contents. Although tarballs usually contain a single subdirectory, sometimes tarballs contain many files without a “carrier” subdirectory. Extracting such tarballs drops these files in your current directory, which can make it difficult to determine which files come from the tarball and which were already present.
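The list-before-extract habit described above can be scripted. The following is an added example, not code from the book: it lists a gzip-compressed tarball with tar's t command, decides whether the members share one carrier directory, and extracts carrier-less archives into a directory of their own using the -C (--directory) qualifier from Table 4.2. The function names and the sample tarballs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the book): inspect a tarball before extracting it and
# keep carrier-less archives from scattering files into an existing directory.

# Print the carrier directory name and return 0 if every member lives under one
# top-level directory; return 1 if not; return 2 if the archive cannot be read.
carrier_dir() {
    local listing
    listing=$(tar tzf "$1") || return 2
    printf '%s\n' "$listing" | awk '
        substr($0, 1, 1) == "/" { absolute = 1 }   # name stored with a leading /
        { sub(/^\.\//, "") }                       # normalise ./name to name
        $0 == "" { next }                          # the bare ./ entry
        {
            n = index($0, "/")
            top = (n ? substr($0, 1, n - 1) : $0)
            if (!(top in seen)) { seen[top] = 1; count++; first = top }
            if (n) isdir[top] = 1
        }
        END {
            if (!absolute && count == 1 && isdir[first]) {
                print first
                exit 0
            }
            exit 1
        }'
}

# Extract ARCHIVE below DEST and print the directory that now holds its files.
# An archive without a carrier gets a fresh subdirectory named after the file.
extract_contained() {
    local archive="$1" dest="$2" carrier target rc=0
    carrier=$(carrier_dir "$archive") || rc=$?
    mkdir -p "$dest"
    case $rc in
        0)  target="$dest/$carrier"
            tar xzf "$archive" -C "$dest" ;;
        1)  target="$dest/$(basename "$archive" .tgz)"
            mkdir -p "$target"
            tar xzf "$archive" -C "$target" ;;
        *)  return 2 ;;
    esac
    printf '%s\n' "$target"
}

# Build two constructed sample tarballs in directory $1:
#   carrier.tgz holds my-work/notes.txt and my-work/todo.txt
#   loose.tgz   holds notes.txt and todo.txt with no carrier directory
make_samples() {
    local work="$1"
    mkdir -p "$work/src/my-work"
    echo notes > "$work/src/my-work/notes.txt"
    echo todo  > "$work/src/my-work/todo.txt"
    tar czf "$work/carrier.tgz" -C "$work/src" my-work
    tar czf "$work/loose.tgz"   -C "$work/src/my-work" notes.txt todo.txt
}

# Demonstration on the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
for a in carrier.tgz loose.tgz; do
    echo "$a extracted to: $(extract_contained "$demo/$a" "$demo/out")"
done
rm -rf "$demo"
```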

The cpio Utility

The cpio program is similar in principle to tar, but the details of its operation differ. As with tar, you can direct its output straight to a tape device or to a regular file. Backing up to a tape device can be a convenient way to back up the computer because it requires no intermediate storage. To restore data, you use cpio to read directly from the tape device file or from a regular file.

The cpio utility has three operating modes:

Copy-Out Mode: This mode, activated by use of the -o or --create option, creates an archive and copies files into it.

Copy-In Mode: You activate copy-in mode by using the -i or --extract option. This mode extracts data from an existing archive. If you provide a filename or a pattern to match, cpio extracts only the files whose names match the pattern you provide.

Copy-Pass Mode: This mode is activated by the -p or --pass-through option. It combines the copy-out and copy-in modes, enabling you to copy a directory tree from one location to another.

The copy-out and copy-in modes are named confusingly. Think of them as referring to copying out of or into the computer’s main directory tree, rather than the archive file.

In addition to the options used to select the mode, cpio accepts many other options, the most important of which are summarized in Table 4.3. To create an archive, you combine the --create (or -o) option with one or more of the options in Table 4.3; to restore data, you do the same, but you use --extract (or -i). In either case, cpio acts on filenames that you type at the console. In practice, you’ll probably use the redirection operator (<) to pass a filename list to the program.

TABLE 4.3 Options for use with cpio

Option                    Abbreviation  Description
--reset-access-time       -a            Resets the access time after reading a file so that it doesn’t appear to have been read.
--append                  -A            Appends data to an existing archive.
--pattern-file=filename   -E filename   Uses the contents of filename as a list of files to be extracted in copy-in mode.
--file=filename           -F filename   Uses filename as the cpio archive file; if this parameter is omitted, cpio uses standard input or output.
--format=format           -H format     Uses a specified format for the archive file. Common values for format include bin (the default, an old binary format), crc (a newer binary format with a checksum), and tar (the format used by tar).
N/A                       -I filename   Uses the specified filename instead of standard input. (Unlike -F, this option does not redirect output data.)
--no-absolute-filenames   N/A           In copy-in mode, extracts files relative to the current directory, even if filenames in the archive contain full directory paths.
N/A                       -O filename   Uses the specified filename instead of standard output. (Unlike -F, this option does not redirect input data.)
--list                    -t            Displays a table of contents for the input.
--unconditional           -u            Replaces all files without first asking for verification.
--verbose                 -v            Displays filenames as they’re added to or extracted from the archive. When used with -t, displays additional listing information (similar to ls -l).

To use cpio to archive a directory, you must pass a list of files to the utility using standard input. You can do this with the find utility (described in more detail later in “The find Command”):

$ find ./my-work | cpio -o > /media/usb/my-work.cpio

The resulting archive file is uncompressed, though. To compress the data, you must include a compression utility, such as gzip, in the pipe:

$ find ./my-work | cpio -o | gzip > /media/usb/my-work.cpio.gz

Extracting data from an uncompressed cpio archive (say, on another computer with the media mounted at /media/usb) entails using the -i option, but no pipe is required:

$ cpio -i < /media/usb/my-work.cpio

If your cpio archive is compressed, you must first uncompress it with gunzip. By using the -c option to this command, you can pass its output to cpio in a pipe:

$ gunzip -c /media/usb/my-work.cpio.gz | cpio -i

To uncompress an archive compressed with bzip2, you would use bunzip2 -c in the pipe rather than gunzip -c. If the archive is compressed with xz, you would use unxz -c in the pipe.

The dd Utility

Sometimes you want to archive a filesystem at a very low level. For instance, you may want to create a representation of a CD-ROM that you can store on your hard disk or back up a filesystem that Linux can’t understand. To do so, you can use the dd program. This utility is a low-level copying program, and when you give it the device file for a partition as input, it copies that partition’s contents to the output file you specify. This output file can be another partition identifier, a tape device, or a regular file, to name three possibilities. The input and output files are passed with the if=file and of=file options:

# dd if=/dev/sda3 of=/dev/st0

This command backs up the /dev/sda3 disk partition to /dev/st0 (a SCSI tape drive). The result is a very low-level backup of the partition that can be restored by swapping the if= and of= options:

# dd if=/dev/st0 of=/dev/sda3

The dd utility can be a good way to create exact backups of entire partitions, but as a general backup tool, it has serious problems. It backs up the entire partition, including any empty space. For instance, a 2 GiB partition that holds just 5 MiB of files will require 2 GiB of storage space. Restoring individual files is also impossible unless the backup device is a random access device that can be mounted; if you back up to tape, you must restore everything (at least to a temporary file or partition) to recover a single file. Finally, you can’t easily restore data to a partition that’s smaller than the original partition; and when restoring to a larger partition, you’ll end up wasting some of the space available on that partition.

Despite these problems, dd can be handy in some situations. It can be a good way to make an exact copy of a removable disk (including an optical disc), for instance. You can use dd to copy a disk for which Linux lacks filesystem drivers. If you need to create multiple identical Linux installations, you can do so by using dd to copy a working installation to multiple computers, as long as they have hard disks the same size.

You can also use dd in some other capacities. For instance, if you need an empty file of a particular size, you can copy from the /dev/zero device (a Linux device that returns nothing but zeroes) to a target file. You’ll need to use the bs=size and count=length options to set the block size and length of the file, though:

$ dd if=/dev/zero of=empty-file.img bs=1024 count=720

This example creates a 720 KiB (1024 × 720 bytes) empty file. You might then manipulate this file by, for example, creating a filesystem on it with mkfs.

Backing Up Using Optical Media

Optical media require special backup procedures. Normally, cdrecord accepts input from a program like mkisofs, which creates an ISO-9660 or UDF filesystem—the type of filesystem that’s most often found on CD-ROMs and DVDs.

One option for backing up to optical discs is to use mkisofs and then cdrecord to copy files to the disc. If you copy files “raw” this way, though, you’ll lose some information, such as write permission bits. You’ll have better luck if you create a tar or cpio archive on disk. You can then use mkisofs to place that archive in an ISO-9660 or UDF filesystem and then burn the image file to the optical disc. The result will be a disc that you can mount and that will contain an archive you can read with tar or cpio.

A somewhat more direct option is to create an archive file and burn it directly to the optical disc using cdrecord, bypassing mkisofs. Such a disc won’t be mountable in the usual way, but you can access the archive directly by using the CD-ROM device file. On restoration, this works much like a tape restore except that you specify the optical device filename (such as /dev/cdrom) instead of the tape device filename (such as /dev/st0).

Managing Links

In Linux, a link is a way to give a file multiple identities, similar to shortcuts in Windows and aliases in Mac OS. Linux employs links to help make files more accessible, to give commands multiple names, to enable programs that look for the same files in different locations to access the same files, and so on. Two types of links exist: hard links and symbolic links (aka soft links). (Their differences are described in more detail shortly.) The ln command creates links. Its syntax is similar to that of cp:

ln [options] source link

The source is the original file, and the link is the name of the link you want to create. This command supports options that have several effects:

Remove Target Files: The -f or --force option causes ln to remove any existing links or files that have the target link name. The -i or --interactive option has a similar effect, but it queries you before replacing existing files and links.

Create Directory Hard Links: Ordinarily, you can’t create hard links to directories. The root user can attempt to do so, though, by passing the -d, -F, or --directory option to ln. (Symbolic links to directories aren’t a problem.) In practice, this feature is unlikely to work because most filesystems don’t support it.

Create a Symbolic Link: The ln command creates hard links by default. To create a symbolic link, pass the -s or --symbolic option to the command.

A few other options exist to perform more obscure tasks; consult ln’s man page for details.

By default, ln creates hard links, which are produced by creating two directory entries that point to the same file (more precisely, the same inode). Both filenames are equally valid and prominent; neither is a “truer” filename than the other, except that one was created first (when creating the file) and the other was created second. To delete the file, you must delete both hard links to the file. Because of the way hard links are created, they must exist on a single low-level filesystem; you can’t create a hard link from, say, your root (/) filesystem to a separate filesystem you’ve mounted on it, such as /home (if it’s a separate filesystem). The underlying filesystem must support hard links. All Linux-native filesystems support this feature, but some non-Linux filesystems don’t.

Symbolic links, by contrast, are special file types. The symbolic link is a separate file whose contents point to the linked-to file. Linux knows to access the linked-to file whenever you try to access the symbolic link, so in most respects accessing a symbolic link works just like accessing the original file. Because symbolic links are basically files that contain filenames, they can point across low-level filesystems—you can point from the root (/) filesystem to a file on a separate /home filesystem, for instance. The lookup process for accessing the original file from the link consumes a tiny bit of time, so symbolic link access is slower than hard link access—but not by enough that you’d notice in any but very bizarre conditions or artificial tests. Long directory listings show the linked-to file:

$ ls -l alink.odt
lrwxrwxrwx 1 rodsmith users 8 Dec 2 15:31 alink.odt -> test.odt

In practice, symbolic links are more common than hard links; their disadvantages are minor, and the ability to link across filesystems and to directories can be important. Linux employs links in certain critical system administration tasks. For instance, System V (SysV) startup scripts use symbolic links in runlevel directories, as described in Chapter 5, “Booting Linux and Editing Files.” Certain commands that have historically been known by multiple names are also often accessible via links. For example, the /sbin/fsck.ext2, /sbin/fsck.ext3, /sbin/fsck.ext4, and /sbin/e2fsck programs are usually links (hard links on some systems, symbolic links on others). You can often leave these links alone, but sometimes you must adjust them. Chapter 5 describes changing the SysV startup script links to affect what programs run when the system boots, for instance.

Directory Commands

Most of the commands that apply to files also apply to directories. In particular, ls, mv, touch, and ln all work with directories, with the caveats mentioned earlier. The cp command also works with directories, but only when you use a recursion option, such as -r. A couple of additional commands, mkdir and rmdir, enable you to create and delete directories, respectively.

The mkdir Command

The mkdir command creates a directory. This command’s official syntax is as follows:

mkdir [options] directory-name(s)

In most cases, mkdir is used without options, but a few are supported:

Set Mode: The -m mode or --mode=mode option causes the new directory to have the specified permission mode, expressed as an octal number. (The upcoming section “Understanding Permissions” describes permission modes.)

Create Parent Directories: Normally, if you specify the creation of a directory within a directory that doesn’t exist, mkdir responds with a No such file or directory error and doesn’t create the directory. If you include the -p or --parents option, though, mkdir creates the necessary parent directory.

The rmdir Command

The rmdir command is the opposite of mkdir; it destroys a directory. Its syntax is similar:

rmdir [options] directory-name(s)

Like mkdir, rmdir supports few options, the most important of which handle these tasks:

Ignore Failures on Non-empty Directories: Normally, if a directory contains files or other directories, rmdir doesn’t delete it and returns an error message. With the --ignore-fail-on-non-empty option, rmdir still doesn’t delete the directory, but it doesn’t return an error message.

Delete Tree: The -p or --parents option causes rmdir to delete an entire directory tree. For instance, typing rmdir -p one/two/three causes rmdir to delete one/two/three, then one/two, and finally one, provided no other files or directories are present.

When you’re deleting an entire directory tree filled with files, you should use rm -R rather than rmdir. This is because rm -R deletes files within the specified directory but rmdir doesn’t, so rmdir can’t do the job.

Managing File Ownership

Security is an important topic that cuts across many types of commands and Linux subsystems. In the case of files, security is built on file ownership and file permissions. These two topics are closely intertwined; ownership is meaningless without permissions that use it, and permissions rely on the existence of ownership.

Ownership is two-tiered: Each file has an individual owner and a group with which it’s associated (sometimes called the group owner, or simply the file’s group). Each group can contain an arbitrary number of users, as described in Chapter 7, “Administering the System.” The two types of ownership enable you to provide three tiers of permissions to control access to files: by the file’s owner, by the file’s group, and to all other users. The commands to manage these two types of ownership are similar, but they aren’t identical.

Assessing File Ownership

You can learn who owns a file with the ls command, which was described earlier. In particular, that command’s -l option produces a long listing, which includes both ownership and permission information:

$ ls -l
total 1141
-rw-r--r-- 1 rodsmith users 219648 Mar 8 13:06 4425ch02.doc
-rw-r--r-- 1 rodsmith users 942590 Mar 6 23:31 f0201.tif

This long listing includes the username of the owner (rodsmith for both files in this example) and the group name of the files’ groups (users for both files in this example). The permission string (-rw-r--r-- for both files in this example) is also important for file security, as described later in “Controlling Access to Files.”

In most cases, the usernames associated with files are the same as login usernames. Files can, however, be owned by accounts that aren’t ordinary login accounts. For instance, some servers have accounts of their own, and server-specific files may be owned by these accounts.

If you delete an account, as described in Chapter 7, the account’s files don’t vanish, but the account name does. Internally, Linux uses numbers rather than names, so you’ll see numbers in place of the username and group name in the ls output. Depending on the file, you may want to archive it, reassign ownership to an existing user, or delete it.

Changing a File’s Owner

Whenever a file is created, it’s assigned an owner. The superuser can change a file’s owner using the chown command, which has the following syntax:

chown [options] [newowner][:newgroup] filenames

As you might expect, the newowner and newgroup variables are the new owner and group for the file; you can provide both or omit either, but you can’t omit both. For instance, suppose you want to give ownership of a file to sally and the skyhook group:

# chown sally:skyhook forward.odt

Linux’s chown command accepts a dot (.) in place of a colon (:) to delimit the owner and group, at least as of the core file utilities version 8.14. The use of a dot has been deprecated, though, meaning that the developers favor the alternative and may eventually eliminate the use of a dot as a feature.

You can use several options with chown, most of which are fairly obscure. One that’s most likely to be useful is -R or --recursive, which implements the ownership change on an entire directory tree. Consult the man page for chown for information about additional options.

Only root may use the chown command to change the ownership of files. If an ordinary user tries to use it, the result is an Operation not permitted error message. Ordinary users may, however, use chown to change the group of files that they own, provided that the users belong to the target group.

Changing a File’s Group

Both root and ordinary users may run the chgrp command, which changes a file’s group. (Ordinary users may only change a file’s group to a group to which the user belongs.) This command’s syntax is similar to, but simpler than, that of chown:

chgrp [options] newgroup filenames

The chgrp command accepts many of the same options as chown, including -R or --recursive. In practice, chgrp provides a subset of the chown functionality.

Controlling Access to Files

The bulk of the complexity in file ownership and permissions is on the permissions end of things. Linux’s system of permissions is moderately complex, so understanding how it works is critical to any manipulation of permissions. With the basic information in hand, you can tackle the commands used to change file permissions.

Understanding Permissions

Linux permissions are fairly complex. In addition to providing access control for files, a few special permission bits exist, which provide some unusual features.

The Meanings of Permission Bits

Consider the following file access control string that’s displayed with the -l option to ls:

$ ls -l test
-rwxr-xr-x 1 rodsmith users 111 Apr 13 13:48 test

This string (-rwxr-xr-x in this example) is 10 characters long. The first character has special meaning—it’s the file type code. The type code determines how Linux will interpret the file—as ordinary data, a directory, or a special file type. Table 4.4 summarizes Linux type codes.

TABLE 4.4 Linux file type codes

Code  Meaning
-     Normal data file; may be text, an executable program, graphics, compressed data, or just about any other type of data.
d     Directory; disk directories are files just like any others, but they contain filenames and pointers to disk inodes.
l     Symbolic link; the file contains the name of another file or directory. When Linux accesses the symbolic link, it tries to read the linked-to file.
p     Named pipe; a pipe enables two running Linux programs to communicate with each other. One opens the pipe for reading, and the other opens it for writing, enabling data to be transferred between the programs.
s     Socket; a socket is similar to a named pipe, but it permits network and bidirectional links.
b     Block device; a file that corresponds to a hardware device to and from which data is transferred in blocks of more than one byte. Disk devices (hard disks, floppies, CD-ROMs, and so on) are common block devices.
c     Character device; a file that corresponds to a hardware device to and from which data is transferred in units of one byte. Examples include parallel port, RS-232 serial port, and audio devices.

The remaining nine characters of the permission string (rwxr-xr-x in the example) are broken up into three groups of three characters, as illustrated in Figure 4.1. The first group controls the file owner’s access to the file, the second controls the group’s access to the file, and the third controls all other users’ access to the file (often referred to as world permissions).

FIGURE 4.1 The main Linux permission options are encoded in 10 bits, the last 9 of which are grouped into three groups of 3 bits each.

In each of these three cases, the permission string determines the presence or absence of each of three types of access: read, write, and execute. Read and write permissions are fairly self-explanatory, at least for ordinary files. If the execute permission is present, it means that the file may be run as a program. (Of course, this doesn’t turn a non-program file into a program; it only means that a user may run a file if it’s a program. Setting the execute bit on a non-program file will probably cause no real harm, but it could be confusing.) The absence of the permission is denoted by a dash (-) in the permission string. The presence of the permission is indicated by a letter—r for read, w for write, or x for execute.

Thus, the example permission string rwxr-xr-x means that the file’s owner, members of the file’s group, and all other users can read and execute the file. Only the file’s owner has write permission to the file. You can easily exclude those who don’t belong to the file’s group, or even all but the file’s owner, by changing the permission string, as described in “Changing a File’s Mode” later in this chapter.

Individual permissions, such as execute access for the file’s owner, are often referred to as permission bits. This is because Linux encodes this information in binary form. Because it’s binary, the permission information can be expressed as a single 9-bit number. This number is usually expressed in octal (base 8) form because a base-8 number is 3 bits in length, which means that the base-8 representation of a permission string is three characters long, one character for each of the owner, group, and world permissions. The read, write, and execute permissions each correspond to one of these bits. The result is that you can determine owner, group, or world permissions by adding base-8 numbers: 1 for execute permission, 2 for write permission, and 4 for read permission.

Table 4.5 shows some examples of common permissions and their meanings. This table is necessarily incomplete; with 9 permission bits, the total number of possible permissions is 2^9, or 512. Most of those possibilities are peculiar, and you’re not likely to encounter or create them except by accident.

TABLE 4.5 Example permissions and their likely uses

Permission string  Octal code  Meaning
rwxrwxrwx          777         Read, write, and execute permissions for all users.
rwxr-xr-x          755         Read and execute permission for all users. The file’s owner also has write permission.
rwxr-x---          750         Read and execute permission for the owner and group. The file’s owner also has write permission. Users who aren’t the file’s owner or members of the group have no access to the file.
rwx------          700         Read, write, and execute permissions for the file’s owner only; all others have no access.
rw-rw-rw-          666         Read and write permissions for all users. No execute permissions for anybody.
rw-rw-r--          664         Read and write permissions for the owner and group. Read-only permission for all others.
rw-rw----          660         Read and write permissions for the owner and group. No world permissions.
rw-r--r--          644         Read and write permissions for the owner. Read-only permission for all others.
rw-r-----          640         Read and write permissions for the owner, and read-only permission for the group. No permission for others.
rw-------          600         Read and write permissions for the owner. No permission for anybody else.
r--------          400         Read permission for the owner. No permission for anybody else.

Execute permission makes sense for ordinary files, but it’s meaningless for most other file types, such as device files. Directories, though, use the execute bit another way. When a directory’s execute bit is set, that means that the directory’s contents may be searched. This is a highly desirable characteristic for directories, so you’ll almost never find a directory on which the execute bit is not set in conjunction with the read bit.

Directories can be confusing with respect to write permission. Recall that directories are files that are interpreted in a special way. As such, if a user can write to a directory, that user can create, delete, or rename files in the directory, even if the user isn’t the owner of those files and does not have permission to write to those files. You can use the sticky bit (described shortly, in “Special Permission Bits”) to alter this behavior.

Symbolic links are unusual with respect to permissions. This file type always has 777 (rwxrwxrwx) permissions, thus granting all users full access to the file. This access applies only to the link file itself, however, not to the linked-to file. In other words, all users can read the contents of the link to discover the name of the file to which it points, but the permissions on the linked-to file determine its file access. Changing the permissions on a symbolic link affects the linked-to file.

Many of the permission rules don’t apply to root. The superuser can read or write any file on the computer—even files that grant access to nobody (that is, those that have 000 permissions). The superuser still needs an execute bit to be set to run a program file, but the superuser has the power to change the permissions on any file, so this limitation isn’t very substantial. Some files may be inaccessible to root, but only because of an underlying restriction—for instance, even root can’t access a hard disk that’s not installed in the computer.

Special Permission Bits

A few special permission options are also supported, and they may be indicated by changes to the permission string:

Set User ID (SUID): The set user ID (SUID) option is used in conjunction with executable files, and it tells Linux to run the program with the permissions of whoever owns the file rather than with the permissions of the user who runs the program. For instance, if a file is owned by root and has its SUID bit set, the program runs with root privileges and can therefore read any file on the computer. Some servers and other system programs run this way, which is often called SUID root. SUID programs are indicated by an s in the owner’s execute bit position in the permission string, as in rwsr-xr-x.

Set Group ID (SGID): The set group ID (SGID) option is similar to the SUID option, but it sets the group of the running program to the group of the file. It’s indicated by an s in the group execute bit position in the permission string, as in rwxr-sr-x. When the SGID bit is set on a directory, new files or subdirectories created in the original directory will inherit the group ownership of the directory, rather than be based on the user’s current default group.

Sticky Bit: The sticky bit has changed meaning during the course of Unix history. In modern Linux implementations (and most modern versions of Unix), it’s used to protect files from being deleted by those who don’t own the files. When this bit is present on a directory, the directory’s files can be deleted only by their owners, the directory’s owner, or root. The sticky bit is indicated by a t in the world execute bit position, as in rwxr-xr-t.

These special permission bits all have security implications. SUID and SGID programs (and particularly SUID root programs) are potential security risks. Although some programs must have their SUID bits set to function properly, most don’t, and you shouldn’t set these bits unless you’re certain that doing so is necessary. The sticky bit isn’t dangerous this way, but because it affects who may delete files in a directory, you should consider its effect—or the effect of not having it—on directories to which many users should have write access, such as /tmp. Typically, such directories have their sticky bits set.

Using ACLs

Unix-style permissions have served Linux well since its creation and are emphasized on the exam, but a new and improved permission system is now available. An access control list (ACL) is a list of users or groups and the permissions they’re given. Linux ACLs, like Linux owner, group, and world permissions, consist of three permission bits, one each for read, write, and execute permissions. The file’s owner can assign ACLs to an arbitrary number of users and groups, making ACLs more flexible than Linux permissions, which are limited to groups defined by the system administrator.

ACLs require support in the underlying filesystem. All the major Linux filesystems now support ACLs, but you may need to recompile your kernel (or at least the relevant kernel module) to activate this support.

ACLs require their own commands to set and view. The setfacl command sets an ACL, and the getfacl command displays the ACLs for a file. Consult these commands’ man pages for more information.

Changing a File’s Mode

You can modify a file’s permissions using the chmod command. This command may be issued in many different ways to achieve the same effect. Its basic syntax is as follows:

chmod [options] [mode[,mode...]] filename...

The chmod options are similar to those of chown and chgrp. In particular, --recursive (or -R) changes all the files in a directory tree.

Most of the complexity of chmod comes in the specification of the file’s mode. You can specify the mode in two basic forms: as an octal number or as a symbolic mode, which is a set of codes related to the string representation of the permissions.

The octal representation of the mode is the same as that described earlier and summarized in Table 4.5. For instance, to change permissions on report.tex to rw-r--r--, you can issue the following command:

$ chmod 644 report.tex

In addition, you can precede the three digits for the owner, group, and world permissions with another digit that sets special permissions. Three bits are supported (and hence they have values between 0 and 7): adding 4 sets the set user ID (SUID) bit, adding 2 sets the set group ID (SGID) bit, and adding 1 sets the sticky bit. If you omit the first digit (as in the preceding example), Linux clears all three bits. Using four digits causes the first to be interpreted as the special permissions code.

For instance, suppose you’ve acquired a script called bigprogram. You want to set both SUID and SGID bits (6); to make the program readable, writeable, and executable by the owner (7); to make it readable and executable by the group (5); and to make it completely inaccessible to all others (0). The following commands illustrate how to do this; note the difference in the mode string before and after executing the chmod command:

$ ls -l bigprogram
-rw-r--r-- 1 rodsmith users 10323 Oct 31 18:58 bigprogram
$ chmod 6750 bigprogram
$ ls -l bigprogram
-rwsr-s--- 1 rodsmith users 10323 Oct 31 18:58 bigprogram

A symbolic mode, by contrast, consists of three components: a code indicating the permission set you want to modify (the owner, the group, and so on); a symbol indicating whether you want to add, delete, or set the mode equal to the stated value; and a code specifying what the permission should be. Table 4.6 summarizes all these codes. Note that these codes are all case-sensitive.

TABLE 4.6 Codes used in symbolic modes

To use symbolic permission settings, you combine one or more of the codes from the first column of Table 4.6 with one symbol from the third column and one or more codes from the fifth column. You can combine multiple settings by separating them with commas. Table 4.7 provides some examples of chmod using symbolic permission settings.

TABLE 4.7 Examples of symbolic permissions with chmod

Command                         Initial permissions   End permissions
chmod a+x bigprogram            rw-r--r--             rwxr-xr-x
chmod ug=rw report.tex          r--------             rw-rw----
chmod o-rwx bigprogram          rwxrwxr-x             rwxrwx---
chmod g=u report.tex            rw-r--r--             rw-rw-r--
chmod g-w,o-rw report.tex       rw-rw-rw-             rw-r-----

As a general rule, symbolic permissions are most useful when you want to make a simple change (such as adding execute or write permissions to one or more classes of users) or when you want to make similar changes to many files without affecting their other permissions (for instance, adding write permissions without affecting execute permissions). Octal permissions are most useful when you want to set a specific absolute permission, such as rw-r--r-- (644). In any event, a system administrator should be familiar with both methods of setting permissions.

A file’s owner and root are the only users who may adjust a file’s permissions. Even if other users have write access to a directory in which a file resides and write access to the file itself, they may not change the file’s permissions (but they may modify or even delete the file). To understand why this is so, you need to know that the file permissions are stored as part of the file’s inode, which isn’t part of the directory entry. Read/write access to the directory entry, or even the file itself, doesn’t give a user the right to change the inode structures (except indirectly—for instance, if a write changes the file’s size or a file deletion eliminates the need for the inode).

In Exercise 4.1, you’ll experiment with the effect of Linux ownership and permissions on file accessibility.

EXERCISE 4.1

Modifying Ownership and Permissions

During this exercise, you’ll need to use three accounts: root and two user accounts, each in a different group. To study these effects, follow these steps:

1. Log in three times using three virtual terminals: once as root, once as user1, and once as user2. (Use usernames appropriate for your system, though. Be sure that user1 and user2 are in different groups.) If you prefer, instead of using virtual terminals, you can open three xterm windows in an X session and use su to acquire each user’s privileges.
2. As root, create a scratch directory—say, /tmp/scratch. Type mkdir /tmp/scratch.
3. As root, give all users read and write access to the scratch directory by typing chmod 0777 /tmp/scratch.
4. In the user1 and user2 login sessions, change to the scratch directory by typing cd /tmp/scratch.
5. As user1, copy a short text file to the scratch directory using cp, as in cp /etc/fstab ./testfile.
6. As user1, set 0644 (-rw-r--r--) permissions on the file by typing chmod 0644 testfile. Type ls -l, and verify that the permission string in the first column matches this value (-rw-r--r--).
7. As user2, try to access the file by typing cat testfile. The file should appear on the screen.
8. As user2, try to change the name of the file by typing mv testfile changedfile. The system won’t produce any feedback, but if you type ls, you’ll see that the file’s name has changed. Note that user2 doesn’t own the file but can rename it because user2 can write to the directory in which the file resides.
9. As user2, try to change the mode of the file by typing chmod 0600 changedfile. The system should respond with an Operation not permitted error because only the file’s owner may change its permissions.
10. As user2, try to delete the file by typing rm changedfile. Depending on your configuration, the system may or may not ask for verification, but it should permit the deletion. This is true despite the fact that user2 doesn’t own the file because user2 can write to the directory in which the file resides.
11. As user1, repeat step 5 to re-create the test file.
12. As user1, give the file more restrictive permissions by typing chmod 0640. Typing ls -l should reveal permissions of -rw-r-----, meaning that the file’s owner can read and write the file, members of the file’s group can read it, and other users are given no access.
13. As user2, repeat steps 7−10. The cat operation should fail with a Permission denied error, but steps 8−10 should produce the same results as they did the first time around. (If the cat operation succeeded, then either user2 belongs to the file’s group or the file’s mode is set incorrectly.)
14. Log out of the user1 and user2 accounts.
15. As root, type rm -r /tmp/scratch to delete the scratch directory and its contents.

If you like, you can perform tests with more file permission modes and other file-manipulation commands before step 14.

Setting the Default Mode and Group

When a user creates a file, that file has default ownership and permissions. The default owner is, understandably, the user who created the file. The default group is the user’s primary group. The default permissions are configurable. These are defined by the user mask (umask), which is set by the umask command. This command takes as input an octal value that represents the bits to be removed from 777 permissions for directories, or from 666 permissions for files, when a new file or directory is created. Table 4.8 summarizes the effect of several possible umask values.

TABLE 4.8 Sample umask values and their effects

Umask   Created files      Created directories
000     666 (rw-rw-rw-)    777 (rwxrwxrwx)
002     664 (rw-rw-r--)    775 (rwxrwxr-x)
022     644 (rw-r--r--)    755 (rwxr-xr-x)
027     640 (rw-r-----)    750 (rwxr-x---)
077     600 (rw-------)    700 (rwx------)
277     400 (r--------)    500 (r-x------)

Note that the umask isn’t a simple subtraction from the values of 777 or 666; it’s a bit-wise removal. Any bit that’s set in the umask is removed from the final permission for new files, but if a bit isn’t set (as in the execute bit in ordinary files), its specification in the umask doesn’t do any harm. For instance, consider the 7 values in several entries of Table 4.8’s Umask column. This corresponds to a binary value of 111. An ordinary file might have rw- (110) permissions, but applying the umask’s 7 (111) eliminates 1 values but doesn’t touch 0 values, thus producing a (binary) 000 value—that is, --- permissions, expressed symbolically.

Ordinary users can enter the umask command to change the permissions on new files they create. The superuser can also modify the default setting for all users by modifying a system configuration file. Typically, /etc/profile contains one or more umask commands. Setting the umask in /etc/profile may or may not have an effect because it can be overridden at other points, such as a user’s own configuration files. Nonetheless, setting the umask in /etc/profile or other system files can be a useful procedure if you want to change the default system policy. Most Linux distributions use a default umask of 002 or 022.

To find what the current umask is, type umask alone, without any parameters. Typing umask -S produces the umask expressed symbolically rather than in octal form. You may also specify a umask in this way when you want to change it, but in this case, you specify the bits that you do want set. For instance, umask u=rwx,g=rx,o=rx is equivalent to umask 022.

In addition to setting the default mask with umask, users can change their default group with newgrp, as in newgrp skyhook to create new files with the group set to the skyhook group. To use this command, the user must be a member of the specified group. The newgrp command also accepts the -l parameter, as in newgrp -l skyhook, which reinitializes the environment as if the user had just logged in.
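The bit-wise removal that umask performs can be observed directly. The following shell script is an added example, not code from the book; the function names expected_mode and created_modes are made up for illustration, and it assumes GNU stat and a mktemp scratch directory that carries no default ACL. It creates a file and a directory under each umask and compares the result with the predicted mode; umask 033 is included because subtraction (666 - 033 = 633) gives the wrong answer there.

```shell
#!/bin/sh
# Added example: compare the umask arithmetic with what the kernel does.

# expected_mode BASE UMASK
# Bit-wise removal: every bit set in UMASK is cleared from BASE.
# Both arguments are octal digits without a leading 0 (for example 666 022).
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# created_modes UMASK
# Creates one file and one directory under UMASK in a scratch directory
# and prints "<file mode> <directory mode>" as reported by stat.
created_modes() {
    (
        scratch=$(mktemp -d) || exit 1   # constructed scratch directory
        cd "$scratch" || exit 1
        umask "$1"
        : > newfile      # shell redirection asks the kernel for 666
        mkdir newdir     # mkdir asks for 777
        modes="$(stat -c %a newfile) $(stat -c %a newdir)"
        cd / && rm -rf "$scratch"
        printf '%s\n' "$modes"
    )
}

# Table 4.8's values plus 033, where subtraction and bit-wise removal differ.
for mask in 000 002 022 027 077 277 033; do
    printf 'umask %s: predicted %s %s, created %s\n' "$mask" \
        "$(expected_mode 666 "$mask")" "$(expected_mode 777 "$mask")" \
        "$(created_modes "$mask")"
done
```

The umask is changed only inside the subshell in created_modes, so the calling shell's own umask is left alone.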

Changing File Attributes

Some filesystems support attributes in addition to those described in the preceding sections. In particular, some Linux-native filesystems support several attributes that you can adjust with the chattr command:

Append Only
The a attribute sets append mode, which disables write access to the file except for appending data. This can be a security feature to prevent accidental or malicious changes to files that record data, such as log files.

Compressed
The c attribute causes the kernel to automatically compress data written to the file and uncompress it when it’s read back.

Immutable
The i flag makes a file immutable, which goes a step beyond simply disabling write access to the file. The file can’t be deleted, links to it can’t be created, and the file can’t be renamed.

Data Journaling
The j flag tells the kernel to journal all data written to the file. This improves recoverability of data written to the file after a system crash but can slow performance. This flag has no effect on ext2 filesystems.

Secure Deletion
Ordinarily, when you delete a file its directory entry is removed and its inode is marked as being available for recycling. The data blocks that make up the bulk of the file aren’t erased. Setting the s flag changes this behavior; when the file is deleted, the kernel zeros its data blocks, which may be desirable for files that contain sensitive data.

No Tail-Merging
Tail-merging is a process in which small pieces of data at the ends of files that don’t fill a complete block are merged with similar pieces of data from other files. The result is reduced disk space consumption, particularly when you store many small files rather than a few big ones. Setting the t flag disables this behavior, which is desirable if the filesystem will be read by certain non-kernel drivers, such as those that are part of the Grand Unified Boot Loader (GRUB).

No Access Time Updates
If you set the A attribute, Linux won’t update the access time stamp when you access a file. This can reduce disk input/output, which is particularly helpful for saving battery life on laptops.

This list of attributes is incomplete but includes the most useful options; consult the man page for chattr for more flags. You set the options you want using the minus (-), plus (+), or equal (=) symbol to remove an option from an existing set, add an option to an existing set, or set a precise set of options (overwriting any that already exist), respectively. For instance, to add the immutable flag to the important.txt file, you enter the following command:

# chattr +i important.txt

The result is that you’ll be unable to delete the file, even as root. To delete the file, you must first remove the immutable flag:

# chattr -i important.txt

Managing Disk Quotas

Just one user of a multi-user system can cause serious problems for others by consuming too much disk space. If a single user creates huge files (say, multimedia recordings), those files can use enough disk space to prevent other users from creating their own files. To help manage this situation, Linux supports disk quotas—limits, enforced by the OS, on how many files or how much disk space a single user may consume. The Linux quota system supports quotas both for individual users and for Linux groups.

Enabling Quota Support

Quotas require support in both the kernel for the filesystem being used and various user-space utilities. The ext2fs, ext3fs, ReiserFS, JFS, and XFS filesystems support quotas, but this support is missing for some filesystems in early 2.6.x kernels. Try using the latest kernel if you have problems with your preferred filesystem. You must explicitly enable support via the Quota Support kernel option in the filesystem area when recompiling your kernel. Most distributions ship with this support enabled, so recompiling your kernel may not be necessary, but you should be aware of this option if you recompile your kernel.

Two general quota support systems are available for Linux. The first was used through the 2.4.x kernels and is referred to as the quota v1 support. The second was added with the 2.6.x kernel series and is referred to as the quota v2 system. This description applies to the latter system, but the former works in a similar way.

Outside of the kernel, you need support tools to use quotas. For the quota v2 system, this package is usually called quota, and it installs a number of utilities, configuration files, system startup scripts, and so on.

You can install the support software from source code, if you like; however, this job is handled most easily using a package for your distribution. This description assumes that you install the software in this way. If you don’t, you may need to create startup scripts to initialize the quota support when you boot your computer. The Quota Mini-HOWTO, at http://en.tldp.org/HOWTO/Quota.html, provides details of how to do this.

You must modify your /etc/fstab entries for any partitions on which you want to use quota support. In particular, you must add the usrquota filesystem mount option to employ user quotas and the grpquota option to use group quotas. Entries that are so configured resemble the following:

/dev/sdc5 /home ext3 usrquota,grpquota 1 1

This line activates both user and group quota support for the /dev/sdc5 partition, which is mounted at /home. Of course, you can add other options if you like.

Depending on your distribution, you may need to configure the quota package’s system startup scripts to run when the system boots. Chapter 5 describes startup script management in detail. Typically, you’ll type a command such as chkconfig quota on, but you should check on the SysV scripts installed by your distribution’s quota package. Some distributions require the use of commands other than chkconfig to do this task, as described in Chapter 5. Whatever its details, this startup script runs the quotaon command, which activates quota support.

After installing software and making configuration file changes, you must activate the systems. The simplest way to do this is to reboot the computer, and this step is necessary if you had to recompile your kernel to add quota support directly into the kernel. If you didn’t do this, you should be able to get by with less disruptive measures: using modprobe to install the kernel module, if necessary; running the startup script for the quota tools; and remounting the filesystems on which you intend to use quotas by typing mount -o remount /mount-point, where /mount-point is the mount point in question.

Setting Quotas for Users

At this point, quota support should be fully active on your computer, but the quotas themselves aren’t set. You can set the quotas by using edquota, which starts the Vi editor (described in Chapter 1, “Exploring Linux Command-Line Tools”) on a temporary configuration file (/etc/quotatab) that controls quotas for the user you specify. When you exit the utility, edquota uses the temporary configuration file to write the quota information to low-level disk data structures that control the kernel’s quota mechanisms.

For instance, you might type edquota sally to edit sally’s quotas. The contents of the editor show the current quota information:

Disk quotas for user sally (uid 21810):
  Filesystem   blocks   soft      hard      inodes   soft   hard
  /dev/sdc4    97104    1048576   1048576   1242     0      0

The temporary configuration file provides information about both the number of disk blocks in use and the number of inodes in use. (Each file or symbolic link consumes a single inode, so the inode limits are effectively limits on the number of files a user may own. Disk blocks vary in size depending on the filesystem and filesystem creation options, but they typically range from 512 bytes to 8 KiB.) Changing the use information (under the blocks and inodes columns) has no effect; these columns report how many blocks or inodes the user is actually consuming. You can alter the soft and hard limits for both blocks and inodes. The hard limit is the maximum number of blocks or inodes that the user may consume; the kernel won’t permit a user to surpass these limits. Soft limits are somewhat less stringent; users may temporarily exceed soft limit values, but when they do so, the system issues warnings. Soft limits also interact with a grace period; if the soft quota limit is exceeded for longer than the grace period, the kernel begins treating it like a hard limit and refuses to allow the user to create more files. You can set the grace period by using edquota with its -t option, as in edquota -t. Grace periods are set on a per-filesystem basis rather than a per-user basis. Setting a limit to 0 (as in the inode limits in the preceding example) eliminates the use of quotas for that value; users may consume as much disk space or create as many files as they like, up to the available space on the filesystem.

When using edquota, you can adjust quotas independently for every filesystem for which quotas are enabled and separately for every user or group. (To edit quotas for a group, use the -g option, as in edquota -g users to adjust quotas for the users group.)

A few more quota-related commands are useful. The first is quotacheck, which verifies and updates quota information on quota-enabled disks. This command is normally run as part of the quota package’s startup script, but you may want to run it periodically (say, once a week) as a cron job. (Chapter 7 describes cron jobs.) Although theoretically not necessary if everything works correctly, quotacheck ensures that quota accounting doesn’t become inaccurate. The second useful auxiliary quota command is repquota, which summarizes the quota information about the filesystem you specify or on all filesystems if you pass it the -a option. This tool can be very helpful in keeping track of disk usage. The quota command has a similar effect. The quota tool takes a number of options to have them modify their outputs. For instance, -g displays group quotas, -l omits NFS mounts, and -q limits output to filesystems on which usage is over the limit. Consult quota’s man page for still more obscure options.

Locating Files

Maintaining your filesystems in perfect health, setting permissions, and so on is pointless if you can’t find your files. For this reason, Linux provides several tools to help you locate the files you need to use. The first of these tools is actually a standard for where files are located; with the right knowledge, you may be able to find files without the use of any specialized programs. The second class of tools includes just such specialized programs, which search a directory tree or a database for files that meet whatever criteria you specify.

The FHS

Linux’s placement of files is derived from more than 40 years of Unix history. Given that fact, the structure is remarkably simple and coherent, but it’s easy for a new administrator to become confused. Some directories seem, on the surface, to fulfill similar or even identical roles, but in fact there are subtle but important differences. This section describes the Linux directory layout standards and presents an overview of what goes where.

The FSSTND and FHS

Although Linux draws heavily on Unix, Unix’s long history has led to numerous splits and variants, starting with the Berkeley Standard Distribution (BSD), which was originally a set of patches and extensions to AT&T’s original Unix code. As a result of these schisms within the Unix community, early Linux distributions didn’t always follow identical patterns. The result was a great deal of confusion. This problem was quite severe early in Linux’s history, and it threatened to split the Linux community into factions. Various measures were taken to combat this problem, one of which was the development of the Filesystem Standard (FSSTND), which was first released in early 1994. The FSSTND standardized several specific features, such as the following:

• Standardized the programs that reside in /bin and /usr/bin. Differences on this score caused problems when scripts referred to files in one location or the other.
• Specified that executable files shouldn’t reside in /etc, as had previously been common.
• Removed changeable files from the /usr directory tree, enabling it to be mounted read-only (a useful security measure).

There have been three major versions of FSSTND: 1.0, 1.1, and 1.2. FSSTND began to rein in some of the chaos in the Linux world in 1994. By 1995, however, FSSTND’s limitations were becoming apparent. Thus, a new standard was developed: the Filesystem Hierarchy Standard (FHS). This new standard is based on FSSTND but extends it substantially. The FHS is more than a Linux standard; it may be used to define the layout of files on other Unix-like OSs.

One important distinction made by the FHS is that between shareable files and unshareable files. Shareable files may be reasonably shared between computers, such as user data files and program binary files. (Of course, you don’t need to share such files, but you may do so.) If files are shared, they’re normally shared through an NFS server. Unshareable files contain system-specific information, such as configuration files. For instance, you’re not likely to want to share a server’s configuration file between computers.

A second important distinction used in the FHS is that between static files and variable files. The former don’t normally change except through direct intervention by the system administrator. Most program executables are examples of static files. Variable files may be changed by users, automated scripts, servers, or the like. For instance, users’ home directories and mail queues are composed of variable files. The FHS tries to isolate each directory into one cell of this 2 × 2 (shareable/unshareable × static/variable) matrix. Figure 4.2 illustrates these relationships. Some directories are mixed, but in these cases, the FHS tries to specify the status of particular subdirectories. For instance, /var is variable, and it contains some shareable and some unshareable subdirectories, as shown in Figure 4.2.

FIGURE 4.2 The FHS attempts to fit each important directory in one cell of a 2 × 2 matrix.

Like the FSSTND, the FHS comes in numbered versions. Version 2.3, the latest version as I write, was released in January 2004. The URL for FHS’s official Web page is http://www.pathname.com/fhs/.

Some Linux vendors—most notably Fedora—are beginning to make changes that deviate from the FHS. For instance, Fedora 17 and later now place all binaries in /usr/bin and /usr/sbin. The /bin directory is now a symbolic link to /usr/bin, and /sbin is a symbolic link to /usr/sbin. This layout complicates some types of configurations, such as those that require a separate /usr partition.

Important Directories and Their Contents

The FHS defines some directories very precisely, but details for others are left unresolved. For instance, users’ files normally go in the /home directory, but you may have reason to call this something else or to use two or more separate directories for users’ files. Overall, the most common directories defined by the FHS or used by convention are the following:

/
Every Linux filesystem traces its roots to a single directory, known as / (pronounced, and often referred to, as the root filesystem or root directory). All other directories branch off this one. Linux doesn’t use drive letters; instead, every filesystem is mounted at a mount point within another partition (/ or something else). Certain critical subdirectories, such as /etc and /sbin, must reside on the root partition, but others can optionally be on separate partitions. Don’t confuse the root directory with the /root directory, described shortly.

/boot
The /boot directory contains static and unshareable files related to the initial booting of the computer. Higher-level startup and configuration files reside in another directory, /etc. Some systems impose particular limits on /boot. For instance, older x86 BIOSs and older versions of the Linux Loader (LILO) may require that /boot reside below the 1,024th cylinder of the hard disk. Similarly, some EFI boot methods work best with a separate /boot partition that uses ext2fs or ReiserFS. These requirements sometimes, but not always, necessitate that the /boot directory be a separate partition.

/bin
This directory contains certain critical executable files, such as ls, cp, and mount. These commands are accessible to all users and constitute the most important commands that ordinary users might issue. You won’t normally find commands for big application programs in /bin (although the Vi editor is located here). The /bin directory contains static files. Although in some sense the /bin files are shareable, because they’re so important to the basic operation of a computer, the directory is almost never shared—any potential clients must have their own local /bin directories.

/sbin
This directory is similar to /bin, but it contains programs that are normally run only by the system administrator—tools like fdisk and e2fsck. It’s static and theoretically shareable, but in practice, it makes no sense to share it.

/lib
This directory is similar to /bin and /sbin, but it contains program libraries, which are made up of code that’s shared across many programs and stored in separate files to save disk space and RAM. The /lib/modules subdirectory contains kernel modules—drivers that can be loaded and unloaded as required. Like /bin and /sbin, /lib is static and theoretically shareable, although it’s not shared in practice.

/usr
This directory hosts the bulk of a Linux computer’s programs. Its contents are shareable and static, so it can be mounted read-only and may be shared with other Linux systems. For these reasons, many administrators split /usr off into a separate partition, although doing so isn’t required. (Fedora’s recent changes make this difficult with this distribution, though.) Some subdirectories of /usr are similar to their namesakes in the root directory (such as /usr/bin and /usr/lib), but they contain programs and libraries that aren’t absolutely critical to the basic functioning of the computer.

/usr/local
This directory contains subdirectories that mirror the organization of /usr, such as /usr/local/bin and /usr/local/lib. The /usr/local directory hosts files that a system administrator installs locally—for instance, packages that are compiled on the target computer. The idea is to have an area that’s safe from automatic software upgrades when the OS as a whole is upgraded. Immediately after Linux is installed, /usr/local should be empty except for some stub subdirectories. Some system administrators split this off into its own partition to protect it from OS reinstallation procedures that might erase the parent partition.

/usr/X11R6
This directory houses files related to the X Window System (X for short), Linux’s GUI environment. Like /usr/local, this directory contains subdirectories similar to those in /usr, such as /usr/X11R6/bin and /usr/X11R6/lib. Although commonly used several years ago, most modern distributions have moved the contents of this directory to others, such as /usr/bin.

/opt
This directory is similar to /usr/local in many ways, but it’s intended for ready-made packages that don’t ship with the OS, such as commercial word processors or games. Typically, these programs reside in subdirectories in /opt named after themselves, such as /opt/applix. The /opt directory is static and shareable. Some system administrators break it into a separate partition or make it a symbolic link to a subdirectory of /usr/local and make that a separate partition.

/home
This directory contains users’ data, and it’s shareable and variable. Although the /home directory is considered optional in FHS, in practice it’s a matter of the name being optional. For instance, if you add a new disk to support additional users, you might leave the existing /home directory intact and create a new /home2 directory to house the new users. The /home directory often resides on its own partition.

/root
This is the home directory for the root user. Because the root account is so critical and system-specific, this variable directory isn’t really shareable.

/var
This directory contains transient files of various types—system log files, print spool files, mail and news files, and so on. Therefore, the directory’s contents are variable. Some subdirectories are shareable, but others are not. Many system administrators put /var in its own partition, particularly on systems that see a lot of activity in /var, like major Usenet news or mail servers.

/tmp
Many programs need to create temporary (hence variable) files, and the usual place to do so is in /tmp. Most distributions include routines that clean out this directory periodically and sometimes wipe the directory clean at bootup. The /tmp directory is seldom shared. Some administrators create a separate /tmp partition to prevent runaway processes from causing problems on the root filesystem when processes create too-large temporary files. A similar directory exists as part of the /var directory tree (/var/tmp).

/mnt
Linux mounts removable-media devices within its normal directory structure, and /mnt is provided for this purpose. Some (mostly older) distributions create subdirectories within /mnt, such as /mnt/floppy and /mnt/cdrom, to function as mount points. Others use /mnt directly or even use separate mount points off /, such as /floppy and /cdrom. The FHS mentions only /mnt; it doesn’t specify how it’s to be used. Specific media mounted in /mnt may be either static or variable. As a general rule, these directories are shareable.

/media
This directory is an optional part of the FHS. It’s like /mnt, but it should contain subdirectories for specific media types, such as /media/floppy and /media/cdrom. Many modern distributions use /media subdirectories as the default mount points for common removable disk types, often creating subdirectories on the fly.

/dev
Because Linux treats most hardware devices as if they were files, the OS must have a location in its filesystem where these device files reside. The /dev directory is that place. It contains a large number of files that function as hardware interfaces. If a user has sufficient privileges, that user may access the device hardware by reading from and writing to the associated device file. The Linux kernel supports a device filesystem that enables /dev to be an automatically created virtual filesystem—the kernel and support tools create /dev entries on the fly to accommodate the needs of specific drivers. Most distributions now use this facility.

/proc
This is an unusual directory because it doesn’t correspond to a regular directory or partition. Instead, it’s a virtual filesystem that’s created dynamically by Linux to provide access to certain types of hardware information that aren’t accessible via /dev. For instance, if you type cat /proc/cpuinfo, the system responds by displaying information about your CPU—its model name, speed, and so on.

Knowledge of these directories and their purposes is invaluable in properly administering a Linux system. For instance, understanding the purpose of directories like /bin, /sbin, /usr/bin, /usr/local/bin, and others will help you when it comes time to install a new program. Placing a program in the wrong location can cause problems at a later date. For example, if you put a binary file in /bin when it should go in /usr/local/bin, that program may later be overwritten or deleted during a system upgrade when leaving it intact would have been more appropriate.

ToolsforLocatingFilesYouusefile-locationcommandstolocateafileonyourcomputer.Mostfrequently,thesecommandshelpyoulocateafilebyname,butsometimesyoucanuseothercriteria,suchasmodificationdate.Thesecommandscansearchadirectorytree(includingroot,whichscanstheentiresystem)forafilematchingthespecifiedcriteriainanysubdirectory.

ThefindCommandThe find utility implements a brute-force approach to finding files. This program finds files bysearchingthroughthespecifieddirectorytree,checkingfilenames,filecreationdates,andsoontolocatethefilesthatmatchthespecifiedcriteria.Becauseofthismethodofoperation,findtendstobeslow;butit’sveryflexibleandisverylikelytosucceed,assumingthefileforwhichyou’researching

exists.Thefindsyntaxisasfollows:find[path...][expression...]

You can specify one or more paths in which find should operate; the program will restrict its operations to these paths. The expression is a way of specifying what you want to find. The man page for find includes information about these expressions, but some of the common ones enable you to search by various common criteria:

Search by Filename: You can search for a filename using the -name pattern expression. Doing so finds files that match the specified pattern. If pattern is an ordinary filename, find matches that name exactly. You can use wildcards if you enclose pattern in quotes, and find will locate files that match the wildcard filename.

Search by Permission Mode: If you need to find files that have certain permissions, you can do so by using the -perm mode expression. The mode may be expressed either symbolically or in octal form. If you precede mode with a +, find locates files in which any of the specified permission bits are set. If you precede mode with a -, find locates files in which all the specified permission bits are set.

Search by File Size: You can search for a file of a given size with the -size n expression. Normally, n is specified in 512-byte blocks, but you can modify this by trailing the value with a letter code, such as c for bytes or k for kilobytes.

Search by Group: The -gid GID expression searches for files whose group ID (GID) is set to GID. The -group name option locates files whose group name is name. The former can be handy if the GID has been orphaned and has no name, but the latter is generally easier to use.

Search by User ID: The -uid UID expression searches for files owned by the user whose user ID (UID) is UID. The -user name option searches for files owned by name. The former can be handy if the UID has been orphaned and has no name, but the latter is generally easier to use.

Restrict Search Depth: If you want to search a directory and, perhaps, some limited number of subdirectories, you can use the -maxdepth levels expression to limit the search.

There are many variant and additional options; find is a very powerful command. As an example of its use, consider the task of finding all C source code files, which normally have names that end in .c, in all users’ home directories. If these home directories reside in /home, you might issue the following command:

# find /home -name "*.c"

The result will be a listing of all the files that match the search criteria.

Ordinary users may use find, but it doesn’t overcome Linux’s file permission features. If you lack permission to list a directory’s contents, find will return that directory name and the error message Permission denied.
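The find tests described above (-perm, -uid, -name, and -maxdepth) are the basis of a routine permissions audit. The following is an added example, not from the book; the function names and the sample tree built under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): permission audits built on the find
# expressions described above. All names and the sample tree are constructed.

# Regular files with the SUID bit set. "-perm -4000" matches files in which
# all of the listed bits are set; the optional second argument caps the depth.
audit_suid() {
    find "$1" -maxdepth "${2:-32}" -type f -perm -4000 2>/dev/null | sort
}

# Regular files that any user may write to (the "other" write bit, 0002).
audit_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Files owned by a numeric UID; works even when the UID has no account name.
audit_owned_by_uid() {
    find "$1" -type f -uid "$2" 2>/dev/null | sort
}

# Number of directories find could not list. These are blind spots: an audit
# run as an ordinary user says nothing about what is inside them.
audit_unreadable_dirs() {
    LC_ALL=C find "$1" -type d 2>&1 >/dev/null | grep -c 'Permission denied'
}

# Build a small constructed tree with one SUID file and one world-writable file.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/home/alice/src"
    : > "$d/bin/helper";            chmod 4755 "$d/bin/helper"
    : > "$d/bin/tool";              chmod 0755 "$d/bin/tool"
    : > "$d/home/alice/notes.c";    chmod 0666 "$d/home/alice/notes.c"
    : > "$d/home/alice/src/main.c"; chmod 0644 "$d/home/alice/src/main.c"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "SUID files:";           audit_suid "$tree"
echo "World-writable files:"; audit_world_writable "$tree"
echo "C sources:";            find "$tree" -name "*.c" | sort
echo "Unreadable directories: $(audit_unreadable_dirs "$tree")"
rm -rf "$tree"
```

Run the same functions against / as root for a complete result; run as an ordinary user, the unreadable-directory count shows how much of the tree was skipped.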

The locate Command

The locate utility works much like find if you want to find a file by name, but it differs in two important ways:

The locate tool is far less sophisticated in its search options. You normally use it to search only on filenames, and the program returns all files that contain the specified string. For instance, when searching for rpm, locate will return other programs, like gnorpm and rpm2cpio.

The locate program works from a database that it maintains. Most distributions include a cron job that calls utilities that update the locate database, periodically, such as once a night or once a week. (You can also use the updatedb command, which is configured via the /etc/updatedb.conf file, to do this task at any time.) For this reason, locate may not find recent files, or it may return the names of files that no longer exist. If the database-update utilities omit certain directories, files in them won’t be returned by a locate query.

Because locate works from a database, it’s typically much faster than find, particularly on system-wide searches. It’s likely to return many false alarms, though, especially if you want to find a file with a short name. To use it, type locate search-string, where search-string is the string that appears in the filename.

Some Linux distributions use slocate rather than locate. The slocate program includes security features to prevent users from seeing the names of files in directories they shouldn’t be able to access. On most systems that use slocate, the locate command is a link to slocate, so locate implements slocate’s security features. A few distributions don’t install either locate or slocate by default.

The whereis Command

The whereis program searches for files in a restricted set of locations, such as standard binary file directories, library directories, and man page directories. This tool does not search user directories or many other locations that are easily searched by find or locate. The whereis utility is a quick way to find program executables and related files like documentation or configuration files.

The whereis program returns filenames that begin with whatever you type as a search criterion, even if those files contain extensions. This feature often turns up configuration files in /etc, man pages, and similar files. To use the program, type the name of the program you want to locate. For instance, the following command locates ls:

$ whereis ls
ls: /bin/ls /usr/share/man/man1/ls.1.bz2

The result shows both the ls executable (/bin/ls) and ls’s man page. The whereis program accepts several parameters that modify its behavior in various ways. These are detailed in the program’s man page.

The which Command

Considered as a search command, which is very weak; it merely searches your path for the command that you type and lists the complete path to the first match it finds. (You can search for all matches by adding the -a option.) For instance, you might want to know where the xterm program is located:

$ which xterm
/usr/bin/xterm

Because the files that which finds are on your path, it won’t help you to run these programs. Instead, it’s likely to be useful if you need to know the complete path for some reason—say, because you want to call the program from a script and don’t want to make assumptions about the path available to the script and so want to include the complete path in the script.

The type Command

This command isn’t really a search command; instead, it tells you how a command you type will be interpreted—as a built-in command, an external command, an alias, and so on. For instance, you can use it to identify several common commands:

$ type type
type is a shell builtin
$ type cat
cat is /bin/cat
$ type ls
ls is aliased to 'ls --color'

This example identifies type itself as a built-in shell command, cat as a separate program stored in /bin, and ls as an alias for ls --color. You can add several options to modify the command’s behavior. For instance, -t shortens the output to builtin, file, alias, or other short identifiers; and -a provides a complete list, for instance providing both the alias expansion and the location of the ultimate executable when provided with an alias name. In Exercise 4.2, you’ll use several methods of locating files.

EXERCISE 4.2

Locating Files

This exercise demonstrates several methods of locating files. You’ll locate the startx program. (If your system doesn’t have X installed, you can try searching for another program or file, such as pwd or fstab. You may need to change the path passed to find in step 5.) To find a file, follow these steps:

1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system if you used a GUI login method.
3. Type locate startx. The system should display several filenames that include the string startx. This search should take very little time. (A few distributions lack the locate command, so this step won’t work on some systems.)
4. Type whereis startx. The system responds with the names of a few files that contain the string startx. Note that this list may be slightly different from the list returned by step 3 but that the search proceeds quickly.
5. Type find /usr -name startx. This search takes longer and, when run as an ordinary user, most likely returns several Permission denied error messages. It should also return a single line listing the /usr/bin/startx or /usr/X11R6/bin/startx program file. Note that this command searches only /usr. If you searched /usr/X11R6, the command would take less time; if you searched /, the command would take more time.
6. Type which startx. This search completes almost instantaneously, returning the complete filename of the first instance of startx the system finds on its path.
7. Type type startx. Again, the search completes very quickly. It should identify startx as an external command stored at /usr/bin/startx, /usr/X11R6/bin/startx, or possibly some other location.

Summary

File management is basic to being able to administer or use a Linux system. Various commands are useful to both users and administrators for copying, moving, renaming, and otherwise manipulating files and directories. You may also want to set up access controls, both to limit the amount of disk space users may consume and to limit who may access specific files and directories. Finally, Linux provides tools to help you locate files using various criteria.

Exam Essentials

Describe commands used to copy, move, and rename files in Linux. The cp command copies files, as in cp first second to create a copy of first called second. The mv command does double duty as a file-moving and a file-renaming command. It works much like cp, but mv moves or renames the file rather than copying it.

Summarize Linux’s directory-manipulation commands. The mkdir command creates a new directory, and rmdir deletes a directory. You can also use many file-manipulation commands, such as mv and rm (with its -r option), on directories.

Explain the difference between hard and symbolic links. Hard links are duplicate directory entries that both point to the same inode and hence to the same file. Symbolic links are special files that point to another file or directory by name. Hard links must reside on a single filesystem, but symbolic links may point across filesystems.

Summarize the common Linux archiving programs. The tar and cpio programs are both file-based archiving tools that create archives of files using ordinary file access commands. The dd program is a file-copy program; but when it’s fed a partition device file, it copies the entire partition on a very low-level basis, which is useful for creating low-level image backups of Linux or non-Linux filesystems.

Describe Linux’s file ownership system. Every file has an owner and a group, identified by number. File permissions can be assigned independently to the file’s owner, the file’s group, and all other users.

Explain Linux’s file permissions system. Linux provides independent read, write, and execute permissions for the file’s owner, the file’s group, and all other users, resulting in nine main permission bits. Special permission bits are also available, enabling you to launch program files with modified account features or alter the rules Linux uses to control who may delete files.

Summarize the commands Linux uses to modify permissions. The chmod command is Linux’s main tool for setting permissions. You can specify permissions using either an octal (base 8) mode or a symbolic notation. The chown and chgrp commands enable you to change the file’s owner and group, respectively. (The chown command can do both but can be run only by root.)

Describe the prerequisites of using Linux’s disk quota system. Linux’s disk quota system requires support in the Linux kernel for the filesystem on which quotas are to be used. You must also run the quotaon command, typically from a SysV startup script, to enable this feature.

Explain how quotas are set. You can edit quotas for an individual user via the edquota command, as in edquota larry to edit larry’s quotas. This command opens an editor on a text file that describes the user’s quotas. You can change this description, save the file, and exit from the editor to change the user’s quotas.

Summarize how Linux’s standard directories are structured. Linux’s directory tree begins with the root (/) directory, which holds mostly other directories. Specific directories may hold specific types of information, such as user files in /home and configuration files in /etc. Some of these directories and their subdirectories may be separate partitions, which helps isolate data in the event of filesystem corruption.

Describe the major file-location commands in Linux. The find command locates files by brute force, searching through the directory tree for files that match the criteria you specify. The locate (or slocate) command searches a database of files in publicly accessible directories. The whereis command searches a handful of important directories, and which searches the path. The type command identifies another command as a built-in shell command, a shell alias, or an external command (including the path to that command).

Review Questions

1. Why might you type touch filename?

A. To move filename to the current directory
B. To ensure that filename’s time stamp holds the current time
C. To convert filename from DOS-style to Unix-style end-of-line characters
D. To test the validity of filename’s disk structures
E. To write cached data relating to filename to the disk

2. What parameter can you pass to ln to create a soft link? (Select two.)

A. -s
B. --soft
C. --slink
D. --symbolic
E. --sl

3. You want to discover the sizes of several dot files in a directory. Which of the following commands might you use to do this?

A. ls -la
B. ls -p
C. ls -R
D. ls -d
E. ls -F

4. You want to move a file from your hard disk to a USB flash drive. Which of the following is true?

A. You’ll have to use the --preserve option to mv to keep ownership and permissions set correctly.
B. The mv command will adjust filesystem pointers without physically rewriting data if the flash drive uses the same filesystem type as the hard disk partition.
C. You must use the same filesystem type on both media to preserve ownership and permissions.
D. The mv command will delete the file on the hard disk after copying it to the flash drive.
E. You must use the FAT filesystem on the USB flash drive; Linux-native filesystems won’t work on removable disks.

5. You type mkdir one/two/three and receive an error message that reads, in part, No such file or directory. What can you do to overcome this problem? (Select two.)

A. Add the --parents parameter to the mkdir command.
B. Issue three separate mkdir commands: mkdir one, then mkdir one/two, and then mkdir one/two/three.
C. Type touch /bin/mkdir to be sure the mkdir program file exists.
D. Type rmdir one to clear away the interfering base of the desired new directory tree.
E. Type mktree one/two/three instead of mkdir one/two/three.

6. Which of the following commands are commonly used to create archive files? (Select two.)

A. restore
B. vi
C. tape
D. cpio
E. tar

7. You’ve received a tarball called data79.tar from a colleague, but you want to check the names of the files it contains before extracting them. Which of the following commands would you use to do this?

A. tar uvf data79.tar
B. tar cvf data79.tar
C. tar xvf data79.tar
D. tar rvf data79.tar
E. tar tvf data79.tar

8. You want to create a link from your home directory on your hard disk to a directory on a CD-ROM drive. Which of the following types of links might you use?

A. Only a symbolic link
B. Only a hard link
C. Either a symbolic or a hard link
D. Only a hard link, and then only if both directories use the same low-level filesystem
E. None of the above; such links aren’t possible under Linux

9. What command would you type (as root) to change the ownership of somefile.txt from ralph to tony?

A. chown ralph:tony somefile.txt
B. chmod somefile.txt tony
C. chown somefile.txt tony
D. chmod tony:ralph somefile.txt
E. chown tony somefile.txt

10. Typing ls -ld wonderjaye reveals a symbolic file mode of drwxr-xr-x. Which of the following are true? (Select two.)

A. wonderjaye is a symbolic link.
B. wonderjaye is an executable program.
C. wonderjaye is a directory.
D. wonderjaye has its SUID bit set.
E. wonderjaye may be read by all users of the system.

11. When should programs be configured SUID root?

A. At all times; this permission is required for executable programs
B. Whenever a program should be able to access a device file
C. Only when they require root privileges to do their job
D. Never; this permission is a severe security risk
E. Whenever the program file is owned by the root user

12. Which of the following commands would you type to enable world read access to the file myfile.txt? (Assume that you’re the owner of myfile.txt.)

A. chmod 741 myfile.txt
B. chmod 0640 myfile.txt
C. chmod u+r myfile.txt
D. chmod a-r myfile.txt
E. chmod o+r myfile.txt

13. Which of the following umask values will result in files with rw-r----- permissions?

A. 640
B. 210
C. 022
D. 027
E. 138

14. You see the usrquota and grpquota options in the /etc/fstab entry for a filesystem. What is the consequence of these entries?

A. Quota support will be available if it’s compiled into the kernel; it will be automatically activated when you mount the filesystem.
B. User quotas will be available, but the grpquota option is invalid and will be ignored.
C. Quota support will be disabled on the filesystem in question.
D. Nothing; these options are malformed and so will have no effect.
E. Quota support will be available if it’s compiled into your kernel, but you must activate it with the quotaon command.

15. Which of the following commands can be used to summarize the quota information about all filesystems?

A. repquota
B. repquota -a
C. quotacheck
D. quotacheck -a
E. edquota -a

16. You’ve installed a commercial spreadsheet program called WonderCalc on a workstation. In which of the following directories are you most likely to find the program executable file?

A. /usr/sbin
B. /etc/X11
C. /boot
D. /opt/wcalc/bin
E. /sbin/wcalc

17. Which of the following file-location commands is likely to take the most time to find a file that may be located anywhere on the computer (assuming the operation succeeds)?

A. The find command.
B. The locate command.
C. The whereis command.
D. The type command.
E. They’re all equal in speed.

18. What can the type command do that whereis can’t do?

A. Identify the command as being for x86 or x86-64 CPUs
B. Locate commands based on their intended purpose, not just by name
C. Identify a command as an alias, internal command, or external command
D. Assist in typing a command by finishing typing it for you
E. Identify a command as being a binary or a script

19. You want to track down all the files in /home that are owned by karen. Which of the following commands will do the job?

A. find /home -uid karen
B. find /home -user karen
C. locate /home -username karen
D. locate /home Karen
E. find /home -name karen

20. What can you conclude from the following interaction?

$ which man
/usr/bin/man

A. The only file called man on the computer is in /usr/bin.
B. The /usr/bin/man program was installed by system package tools.
C. The /usr/bin/man program will be run by any user who types man.
D. The first instance of the man program, in path search order, is in /usr/bin.
E. The user man owns the /usr/bin/man program file.

Chapter 5

Booting Linux and Editing Files

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.101.2: Boot the system
1.101.3: Change runlevels and shutdown or reboot system
1.102.2: Install a boot manager
1.103.8: Perform basic file editing operations using vi

So far, this book has dealt largely with a running Linux system, but from time to time you’ll need to boot Linux. Ordinarily this process is a painless one: You press the power button, wait a couple of minutes, and see a Linux login prompt. Sometimes, though, you’ll have to intervene in this process in one way or another.

The Linux boot process can be configured to boot Linux with particular options and even to boot other operating systems, so knowing how to configure the boot process can help you accomplish your boot-related goals. Once the system is booted, you should know how to study log files related to the boot process. This can help you diagnose problems or verify that the system is operating the way it should be.

Finally, this chapter looks at editing files with Vi. Vi isn’t particularly boot-related, but knowing how to edit files is vital to many administrative tasks, including editing the boot loader configuration files.

Installing Boot Loaders

The computer’s boot process begins with a program called a boot loader. This program runs before any OS has loaded, although you normally install and configure it from within Linux (or some other OS). Boot loaders work in particular ways that depend on both the firmware you use and the OS you’re booting. Understanding your boot loader’s principles is necessary to properly configure them, so before delving into the details of specific boot loaders, I describe these boot loader principles.

In Linux, the most-used boot loader is the Grand Unified Boot Loader (GRUB), which is available in two versions: GRUB Legacy (with version numbers up to 0.97) and GRUB 2 (with version numbers from 1.9x to 2.x, with 2.00 being the latest as I write). An assortment of alternative boot loaders is available, though, and in some cases you may need to use one of them, so I provide a brief rundown of these less common boot loaders.

This chapter describes boot loaders for x86 and x86-64 computers. Other platforms have their own boot loaders. Some of these are similar to certain x86/x86-64 boot loaders, but they aren’t quite identical. You should consult platform-specific documentation if you need to reconfigure a non-x86 boot loader.

Boot Loader Principles

In one way or another, your computer’s firmware reads the boot loader into memory from the hard disk and executes it. The boot loader, in turn, is responsible for loading the Linux kernel into memory and starting it running. Thus, configuring a hard disk (or at least your boot hard disk) isn’t complete until the boot loader is configured. Although Linux distributions provide semi-automated methods of configuring a boot loader during system installation, you may need to know more, particularly if you recompile your kernel or need to set up an advanced configuration—say, one to select between several OSs.

Although the exam objectives mention only the Basic Input/Output System (BIOS) firmware, beginning in 2011 the Extensible Firmware Interface (EFI) and its Unified EFI (UEFI) variant have become increasingly important. Thus, I describe the principles upon which both BIOS and EFI computers’ boot loaders are based.

BIOS Boot Loader Principles

The BIOS boot process can be a bit convoluted, in part because so many options are available. Figure 5.1 depicts a typical configuration, showing a couple of possible boot paths. In both cases, the boot process begins with the BIOS. As described in Chapter 3, “Configuring Hardware,” you tell the BIOS which boot device to use—a hard disk, a floppy disk, a CD-ROM drive, or something else. Assuming you pick a hard disk as the primary boot device (or if higher-priority devices aren’t bootable), the BIOS loads code from the Master Boot Record (MBR), which is the first sector on the hard disk. This code is the primary boot loader code. In theory, it could be just about anything, even a complete (if tiny) OS.

FIGURE 5.1 The x86 boot system provides several options for redirecting the process, but ultimately an OS kernel is loaded.

In practice, the primary boot loader does one of two things:

It examines the partition table and locates the partition that’s marked as bootable. The primary boot loader then loads the boot sector from that partition and executes it. This boot sector contains a secondary boot loader, which continues the process by locating an OS kernel, loading it, and executing it. This option is depicted by the A arrows in Figure 5.1.

It locates an OS kernel, loads it, and executes it directly. This approach bypasses the secondary boot loader entirely, as depicted by the B arrow in Figure 5.1.

Traditionally, x86 systems running DOS or Windows follow path A. DOS and Windows 9x/Me ship with very simple boot loaders that provide little in the way of options. Later versions of Windows ship with a boot loader that can provide limited redirection in the second stage of the A path.

Linux’s most popular BIOS boot loaders, LILO and GRUB, are both much more flexible. They support installation in either the MBR or the boot sector of a boot partition. Thus, you can either keep a DOS/Windows-style primary boot loader and direct the system to boot a kernel from a boot sector installation (path A) or bypass this step and load the kernel straight from the MBR (path B). The first option has the advantage that another OS is unlikely to wipe out LILO or GRUB, because it’s stored safely in a Linux partition. Windows has a tendency to write its standard MBR boot loader when it’s installed, so if you need to re-install Windows on a dual-boot system, this action will wipe out an MBR-based boot loader. If the boot loader is stored in a Linux partition’s boot sector, it will remain intact, although Windows might configure the system to bypass it. To reactivate the Linux boot loader, you must use a tool such as the DOS/Windows FDISK to mark the Linux partition as the boot partition.

A drawback of placing LILO or GRUB in a partition’s boot sector is that this partition must normally be a primary partition, at least with disks that use the MBR partitioning system. (An exception is if you’re using some other boot loader in the MBR or in another partition. If this third-party boot loader can redirect the boot process to a logical partition, this restriction goes away.) For this reason, many people prefer to put LILO or GRUB in the hard disk’s MBR.

In the end, both approaches work, and for a Linux-only installation, the advantages and disadvantages of both approaches are very minor. Some distributions don’t give you an option at install time. For them, you should review your boot loader configuration and, when you must add a kernel or otherwise change the boot loader, modify the existing configuration rather than try to create a new one.

On disks that use the GUID Partition Table (GPT) partitioning system, GRUB stores part of itself in a special partition, known as the BIOS Boot Partition. On MBR disks, the equivalent code resides in the sectors immediately following the MBR, which are officially unallocated in the MBR scheme.

A Linux boot loader can be installed to a floppy disk or USB flash drive as well as to a hard disk. Even if you don’t want to use such a disk as part of your regular boot process, you may want to create an emergency disk with your regular boot loader. You can then use it to boot Linux if something goes wrong with your regular boot loader installation.

This description provides a somewhat simplified view of boot loaders. Most Linux boot loaders are much more complex than this. They can redirect the boot process to non-Linux boot sectors and present menus that enable you to boot multiple OSs or multiple Linux kernels. You can chain several boot loaders, including third-party boot loaders such as System Commander or BootMagic. Chaining boot loaders in this way enables you to take advantage of unique features of multiple boot loaders, such as the ability of System Commander to boot several versions of DOS or Windows on a single partition.

The exam’s objective 102.2 mentions the superblock. Despite its placement in an objective about boot loaders, the superblock isn’t really a boot loader concept; rather, it’s part of the filesystem. The superblock describes basic filesystem features, such as the filesystem’s size and status. The debugfs and dumpe2fs commands, described in Chapter 3, provide some basic superblock information. On BIOS-based computers, the superblock can hold a portion of the boot loader, so damage to it can cause boot problems.

EFI Boot Loader Principles

The BIOS boot process, as just described, was designed in the 1980s, when the space available for a BIOS in the computer’s firmware was tiny by today’s standards. Thus, the boot process had to be very simple, and a great deal of the complexity had to be pushed into software stored on the hard disk.

The newer EFI firmware is much more complex than the older BIOS, and so its boot process can be more sophisticated. Instead of relying on code stored in boot sectors on the hard disk, EFI relies on boot loaders stored as files in a disk partition, known as the EFI System Partition (ESP), which uses the File Allocation Table (FAT) filesystem. Under Linux, the ESP is typically mounted at /boot/efi. Boot loaders reside in files with .efi filename extensions stored in subdirectories named after the OS or boot loader name under the EFI subdirectory of the ESP. Thus, you might have a boot loader called /boot/efi/EFI/ubuntu/grub.efi or /boot/efi/EFI/suse/elilo.efi.

This configuration enables you to store a separate boot loader for each OS you install on the computer. The EFI firmware includes its own program, a boot manager, to help you select which boot loader to launch. The resulting boot path resembles Figure 5.2. In this figure, two boot loaders (loader1.efi and loader2.efi) are available, each of which launches its own OS kernel, located on its own partition.

FIGURE 5.2 The EFI boot process begins the boot redirection from the firmware level and employs files in filesystems rather than boot code hidden in boot sectors.

The exam objectives use the terms boot loader and boot manager interchangeably, but this book doesn’t. A boot loader loads a kernel into memory and transfers control to it, whereas a boot manager presents a menu of boot options. Many programs, including the popular GRUB, combine both functions in one program, which is the reason for the lack of clarity in many sources.

In order to work, the EFI must know about the boot loaders installed on the hard disk’s ESP. This is normally done by registering the boot loaders with the firmware, either using a utility built into the firmware’s own user interface or using a tool such as Linux’s efibootmgr program. Alternatively, most x86-64 EFI implementations will use a boot loader called EFI/boot/bootx64.efi on the ESP as a default if no others are registered. This is the way you boot most removable disks; you store your boot loader using this name on the removable disk’s ESP.

The most popular EFI boot loaders for Linux are based on BIOS boot loaders, so they provide functionality not required by EFI boot loaders generally, such as their own boot manager features that provide the ability to chainload to another EFI boot loader. Thus, the boot process on a multi-OS computer might run a single EFI boot loader, which then chainloads other EFI boot loaders. In fact, this is sometimes a practical necessity, since many EFI implementations provide such primitive boot managers that selecting an OS must be done by a separate boot program.

Using GRUB Legacy as the Boot Loader

The Grand Unified Bootloader (GRUB) is the default boot loader for most Linux distributions; however, GRUB is really two boot loaders: GRUB Legacy and GRUB 2. Although these two boot loaders are similar in many ways, they differ in many important details. GRUB Legacy is, as you might expect, the older of the two boot loaders. It used to be the dominant boot loader for Linux, but it’s been eclipsed by GRUB 2. Nonetheless, because the two boot loaders are so similar, I describe GRUB Legacy first and in more detail; the upcoming section, “Using GRUB 2 as the Boot Loader,” focuses on its differences from GRUB Legacy. In the following pages, I describe how to configure, install, and interact with GRUB Legacy.

Configuring GRUB Legacy

The usual location for GRUB Legacy’s configuration file on a BIOS-based computer is /boot/grub/menu.lst. Some distributions (such as Fedora, Red Hat, and Gentoo) use the filename grub.conf rather than menu.lst. The GRUB configuration file is broken into global and per-image sections, each of which has its own options. Before getting into section details, though, you should understand a few GRUB quirks.

GRUB Legacy officially supports BIOS but not EFI. A heavily patched version, maintained by Fedora, provides support for EFI. If you’re using this version of GRUB, its configuration file goes in the same directory on the ESP that houses the GRUB Legacy binary, such as /boot/efi/EFI/redhat for a standard Fedora or Red Hat installation.

GRUB Nomenclature and Quirks

Listing 5.1 shows a sample GRUB configuration file. This file provides definitions to boot several OSs—Fedora on /dev/sda5, Debian on /dev/sda6, and Windows on /dev/sda2. Fedora and Debian share a /boot partition (/dev/sda1), on which the GRUB configuration resides.

Listing 5.1: A sample GRUB configuration file

# grub.conf/menu.lst
#
# Global Options:
#
default=0
timeout=15
splashimage=/grub/bootimage.xpm.gz
#
# Kernel Image Options:
#
title Fedora (3.4.1)
    root (hd0,0)
    kernel /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
title Debian (3.4.2-experimental)
    root (hd0,0)
    kernel (hd0,0)/bzImage-3.4.2-experimental ro root=/dev/sda6
#
# Other operating systems
#
title Windows
    rootnoverify (hd0,1)
    chainloader +1

GRUB doesn’t refer to disk drives by device filename the way Linux does. GRUB numbers drives so that instead of /dev/hda or /dev/sda, GRUB uses (hd0). Similarly, /dev/hdb or /dev/sdb is likely to be (hd1). GRUB doesn’t distinguish between PATA, SATA, SCSI, and USB drives, so on a SCSI-only system, the first SCSI drive is (hd0). On a mixed system, ATA drives normally receive the lower numbers, although this isn’t always the case. GRUB Legacy’s drive mappings can be found in the /boot/grub/device.map file.

Additionally, GRUB Legacy numbers partitions on a drive starting at 0 instead of the 1 that is used by Linux. GRUB Legacy separates partition numbers from drive numbers with a comma, as in (hd0,0) for the first partition on the first disk (normally Linux’s /dev/hda1 or /dev/sda1) or (hd0,4) for the first logical partition on the first disk (normally Linux’s /dev/hda5 or /dev/sda5). Floppy devices are referred to as (fd0), or conceivably (fd1) or higher if you have more than one floppy drive. Floppy disks aren’t partitioned, so they don’t receive partition numbers. GRUB Legacy treats USB flash drives just like hard disks, although it relies on the firmware to access these drives, so GRUB Legacy won’t boot from a USB flash drive if you’re using an older computer that doesn’t support this option.

GRUB Legacy defines its own root partition, which can be different from the Linux root partition. GRUB’s root partition is the partition in which GRUB’s configuration file (menu.lst or grub.conf) resides. Because this file is normally in Linux’s /boot/grub/ directory, the GRUB root partition will be the same as Linux’s root partition if you do not use a separate /boot or /boot/grub partition. If you split off /boot into its own partition, as is fairly common, GRUB’s root partition will be the same as Linux’s /boot partition. You must keep this difference in mind when referring to files in the GRUB configuration directory.

Essential Global GRUB Legacy Options

GRUB’s global section precedes its per-image configurations. Typically, you’ll find just a few options in this global section:

Default OS: The default= option tells GRUB which OS to boot. Listing 5.1’s default=0 causes the first listed OS to be booted (remember, GRUB indexes from 0). If you want to boot the second listed operating system, use default=1, and so on, through all your OSs.

Timeout: The timeout= option defines how long, in seconds, to wait for user input before booting the default operating system.

Background Graphic: The splashimage= line points to a graphics file that’s displayed as the background for the boot process. This line is optional, but most Linux distributions point to an image to spruce up the boot menu. The filename reference is relative to the GRUB root partition, so if /boot is on a separate partition, that portion of the path is omitted. Alternatively, the path may begin with a GRUB device specification, such as (hd0,5) to refer to a file on that partition.

Essential GRUB Legacy Per-Image Options

GRUB Legacy’s per-image options are often indented after the first line, but this is a convention, not a requirement of the file format. The options begin with an identification and continue with options that tell GRUB how to handle the image:

Title: The title line begins a per-image stanza and specifies the label to display when the boot loader runs. The GRUB Legacy title can accept spaces and is conventionally moderately descriptive, as shown in Listing 5.1.

GRUB Root: The root option specifies the location of GRUB Legacy’s root partition. This is the /boot partition if a separate one exists; otherwise, it’s usually the Linux root (/) partition. GRUB can reside on a FAT partition, on a floppy disk, or on certain other OSs’ partitions, though, so GRUB’s root could conceivably be somewhere more exotic.

Kernel Specification: The kernel setting describes the location of the Linux kernel as well as any kernel options that are to be passed to it. Paths are relative to GRUB Legacy’s root partition. As an alternative, you can specify devices using GRUB’s syntax, such as kernel (hd0,5)/vmlinuz ro root=/dev/sda5. Note that you pass most kernel options on this line. Some other boot loaders split off kernel options on separate lines; but in GRUB, you incorporate these options onto the kernel line. The ro option tells the kernel to mount its root filesystem read-only (it’s later remounted read/write), and the root= option specifies the Linux root filesystem. Because these options are being passed to the kernel, they use Linux-style device identifiers, when necessary, unlike other options in the GRUB configuration file.

Initial RAM Disk: Use the initrd option to specify an initial RAM disk, which holds a minimal set of drivers, utilities, and configuration files that the kernel uses to mount its root filesystem before the kernel can fully access the hard disk. Most Linux distributions rely heavily on the initial RAM disk as a way to keep the main kernel file small and to provide tools to the kernel at a point in the boot process before they could be loaded from the hard disk.

Non-Linux Root: The rootnoverify option is similar to the root option except that GRUB Legacy won’t try to access files on this partition. It’s used to specify a boot partition for OSs for which GRUB Legacy can’t directly load a kernel, such as DOS and Windows.

Chainloading: The chainloader option tells GRUB Legacy to pass control to another boot loader. Typically, it’s passed a +1 option to load the first sector of the target OS’s root partition (usually specified with rootnoverify) and to hand over execution to this secondary boot loader.
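The naming rules and options above can be checked mechanically before a reboot. This added example (not from the book) parses a GRUB Legacy menu file, resolves default= to a title, and translates each GRUB root device to its Linux name. The function names are hypothetical, the sample file is a copy of Listing 5.1, and the (hdN)-to-/dev/sdX mapping is an assumption that device.map may override.

```shell
#!/bin/sh
# Added example (not from the book). Function names are hypothetical.
# Assumption: (hdN) corresponds to /dev/sd<Nth letter>; the real mapping is in
# /boot/grub/device.map and can differ on mixed-controller systems.

AWK_LIB='
function tolinux(spec,    s, p, n, dev) {
    if (spec !~ /^\(hd[0-9]+(,[0-9]+)?\)$/) return ""
    s = substr(spec, 4, length(spec) - 4)        # "(hd0,4)" -> "0,4"
    n = split(s, p, ",")
    if (p[1] + 0 > 25) return ""
    dev = "/dev/sd" substr("abcdefghijklmnopqrstuvwxyz", p[1] + 1, 1)
    if (n == 2) dev = dev "" (p[2] + 1)          # GRUB counts partitions from 0
    return dev
}'

# grub_to_linux '(hd0,4)' prints /dev/sda5; fails on anything else.
grub_to_linux() {
    awk -v spec="$1" "$AWK_LIB"'
        BEGIN { d = tolinux(spec); if (d == "") exit 1; print d }'
}

# menu_entries FILE prints: index, title, GRUB root, Linux device (tab-separated).
menu_entries() {
    awk "$AWK_LIB"'
        { sub(/^[ \t]+/, "") }                   # indentation is only a convention
        /^#/ || /^$/ { next }
        { key = $1; sub(/=.*/, "", key) }
        key == "title" { n++; t = $0; sub(/^title[ \t]+/, "", t); title[n] = t; next }
        n && (key == "root" || key == "rootnoverify") { root[n] = $2 }
        END { for (i = 1; i <= n; i++)
                  printf "%d\t%s\t%s\t%s\n", i - 1, title[i], root[i], tolinux(root[i]) }
    ' "$1"
}

# default_entry FILE prints the title that default= selects, or fails if the
# index points past the last stanza. "default=0" and "default 0" both parse.
default_entry() {
    awk '
        BEGIN { n = 0; def = 0 }
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        /^default[ \t=]/ { split($0, kv, /[ \t=]+/); def = kv[2] + 0 }
        /^title[ \t]/ { sub(/^title[ \t]+/, ""); title[n++] = $0 }
        END {
            if (def >= n) {
                print "default=" def " but only " n " entries" > "/dev/stderr"
                exit 1
            }
            print title[def]
        }' "$1"
}

# Listing 5.1 from the text, reproduced as sample input.
sample_menu() {
cat <<'EOF'
default=0
timeout=15
splashimage=/grub/bootimage.xpm.gz
title Fedora (3.4.1)
    root (hd0,0)
    kernel /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
title Debian (3.4.2-experimental)
    root (hd0,0)
    kernel (hd0,0)/bzImage-3.4.2-experimental ro root=/dev/sda6
title Windows
    rootnoverify (hd0,1)
    chainloader +1
EOF
}

menu=$(mktemp)
sample_menu > "$menu"
echo "Default entry: $(default_entry "$menu")"
menu_entries "$menu"
rm -f "$menu"
```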

Chainloading as just described works on BIOS computers. If you’re using an EFI-enabled version of GRUB Legacy, you can chainload, but you must tell GRUB Legacy to use the ESP (typically by specifying root (hd0,0), although the device identification may differ) and then pass the name of an EFI boot loader file via the chainloader option, as in chainloader /EFI/Microsoft/boot/bootmgfw.efi.

To add a kernel to GRUB, follow these steps:

1. As root, load the menu.lst or grub.conf file into a text editor.
2. Copy a working configuration for a Linux kernel.
3. Modify the title line to give your new configuration a unique name.
4. Modify the kernel line to point to the new kernel. If you need to change any kernel options, do so.
5. If you’re adding, deleting, or changing a RAM disk, make appropriate changes to the initrd line.
6. If desired, change the global default line to point to the new kernel.
7. Save your changes, and exit the text editor.

At this point, GRUB is configured to boot your new kernel. When you reboot, you should see it appear in your menu, and you should be able to boot it. If you have problems, boot a working configuration to debug the issue.

Don’t eliminate a working configuration for an old kernel until you’ve determined that your new kernel works correctly.

Installing GRUB Legacy

The command for installing GRUB Legacy on a BIOS-based computer is grub-install. You must specify the boot sector by device name when you install the boot loader. The basic command looks like

# grub-install /dev/sda

or

# grub-install '(hd0)'

Either command will install GRUB Legacy into the first sector (that is, the MBR) of your first hard drive. In the second example, you need single quotes around the device name. If you want to install GRUB Legacy in the boot sector of a partition rather than in the MBR, you include a partition identifier, as in /dev/sda1 or (hd0,0).

If you’re installing Fedora’s EFI-enabled version of GRUB Legacy, you should not use the grub-install command; instead, copy the grub.efi file to a suitable subdirectory on your ESP, such as /boot/efi/EFI/redhat, and copy grub.conf to the same location. If you install using Fedora’s grub-efi RPM file, the grub.efi file should be placed in this location by default. After copying these files, you may need to use efibootmgr to add the boot loader to the EFI’s list:

# efibootmgr -c -l \\EFI\\redhat\\grub.efi -L GRUB

This command adds GRUB Legacy, stored in the ESP’s /EFI/redhat directory, to the EFI’s boot loader list. You must use doubled-up backslashes (\\) rather than the Linux-style forward slashes (/) as directory separators. Consult the efibootmgr utility’s man page for more information.

You do not need to reinstall GRUB after making changes to its configuration file. (Such a reinstallation is required for some older boot loaders, though.) You need to install GRUB this way only if you make certain changes to your disk configuration, such as resizing or moving the GRUB root partition, moving your entire installation to a new hard disk, or possibly reinstalling Windows (which tends to wipe out MBR-based boot loaders). In some of these cases, you may need to boot Linux via a backup boot loader, such as GRUB installed to a floppy or USB disk.

Interacting with GRUB Legacy

The first screen the GRUB Legacy boot loader shows you is a list of all the operating systems you specified with the title option in your GRUB configuration file. You can wait for the timeout to expire for the default operating system to boot. To select an alternative, use your arrow keys to highlight the operating system that you want to boot. Once your choice is highlighted, press the Enter key to start booting.

Follow these steps when you want to change or pass additional options to your operating system:

1. Use your arrow keys to highlight the operating system that most closely matches what you want to boot.
2. Press the E key to edit this entry. You’ll see a new screen listing all the options for this entry.
3. Use your arrow keys to highlight the kernel option line.
4. Press the E key to edit the kernel options.
5. Edit the kernel line to add any options, such as 1 to boot to single-user mode. GRUB Legacy passes the extra option to the kernel.
6. Press the Enter key to complete the edits.
7. Press the B key to start booting.

You can make whatever changes you like in step 5, such as using a different init program. You do this by appending init=/bin/bash (or whatever program you want to use) to the end of the kernel line.

Using GRUB 2 as the Boot Loader

In principle, configuring GRUB 2 is much like configuring GRUB Legacy; however, some important details differ. First, the GRUB 2 configuration file is /boot/grub/grub.cfg. (Some distributions place this file in /boot/grub2, enabling simultaneous installations of GRUB Legacy and GRUB 2.) GRUB 2 adds a number of features, such as support for loadable modules for specific filesystems and modes of operation, that aren’t present in GRUB Legacy. (The insmod command in the GRUB 2 configuration file loads modules.) GRUB 2 also supports conditional logic statements, enabling loading modules or displaying menu entries only if particular conditions are met.

If you merely want to add or change a single OS entry, you’ll find the most important changes are to the per-image options. Listing 5.2 shows GRUB 2 equivalents to the image options shown in Listing 5.1.

Listing 5.2: GRUB 2 image configuration examples

#
# Kernel Image Options:
#
menuentry "Fedora (3.4.1)" {
    set root=(hd0,1)
    linux /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
}
menuentry "Debian (3.4.2-experimental)" {
    set root=(hd0,1)
    linux (hd0,1)/bzImage-3.4.2-experimental ro root=/dev/sda6
}
#
# Other operating systems
#
menuentry "Windows" {
    set root=(hd0,2)
    chainloader +1
}

Important changes compared to GRUB Legacy include the following:

- The title keyword is replaced by menuentry.
- The menu title is enclosed in quotation marks.
- An opening curly brace ({) follows the menu title, and each entry ends with a closing curly brace (}).
- The set keyword precedes the root keyword, and an equal sign (=) separates root from the partition specification.
- The rootnoverify keyword has been eliminated; you use root instead.
- Partitions are numbered starting from 1 rather than from 0. A similar change in disk numbering is not implemented. This change can be very confusing if you’re used to GRUB Legacy, but it makes partition numbering mix-ups when “translating” from Linux-style partition numbering less likely. The most recent versions of GRUB 2 also support a more complex partition identification scheme to specify the partition table type, as in (hd0,gpt2) to specify that the second GPT partition should be used, or (hd1,mbr3) to specify that the third MBR partition should be used.
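The differences just listed can be applied mechanically. The following shell function is an added example, not code from the book or from the GRUB project: it rewrites GRUB Legacy per-image stanzas in GRUB 2 syntax. The function names and the sample stanzas are constructed for illustration (the stanzas mirror the entries of Listing 5.2), and the kernel-to-linux keyword change is taken from Listing 5.2.

```shell
#!/bin/sh
# Added example: translate GRUB Legacy per-image stanzas into GRUB 2
# menuentry blocks. Reads Legacy syntax on stdin, writes GRUB 2 syntax.

legacy_to_grub2() {
    awk '
    # Add 1 to the partition number of every (hdN,M) device in s.
    # Disk numbers stay as they are; Linux-style names such as /dev/sda5
    # do not match the pattern and pass through unchanged.
    function bump(s,    out, dev, comma, part) {
        out = ""
        while (match(s, /\(hd[0-9]+,[0-9]+\)/)) {
            dev   = substr(s, RSTART, RLENGTH)
            comma = index(dev, ",")
            part  = substr(dev, comma + 1, length(dev) - comma - 1) + 1
            out   = out substr(s, 1, RSTART - 1) substr(dev, 1, comma) part ")"
            s     = substr(s, RSTART + RLENGTH)
        }
        return out s
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # indentation is optional
    $0 == "" || /^#/ { next }
    $1 == "title" {                                 # title -> menuentry "..." {
        if (in_entry) print "}"
        sub(/^title[ \t]+/, "")
        print "menuentry \"" $0 "\" {"
        in_entry = 1
        next
    }
    !in_entry { print "# not a per-image option, left unconverted: " $0; next }
    $1 == "root" || $1 == "rootnoverify" { print "\tset root=" bump($2); next }
    $1 == "kernel" { sub(/^kernel[ \t]+/, ""); print "\tlinux " bump($0); next }
    $1 == "initrd" || $1 == "chainloader" { print "\t" bump($0); next }
    { print "\t# unconverted: " $0 }
    END { if (in_entry) print "}" }
    '
}

# Constructed GRUB Legacy input (sample data, modelled on Listing 5.2).
sample_legacy() {
    cat <<'EOF'
default=0
timeout=10
title Fedora (3.4.1)
    root (hd0,0)
    kernel /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
title Debian (3.4.2-experimental)
    root (hd0,0)
    kernel (hd0,0)/bzImage-3.4.2-experimental ro root=/dev/sda6
title Windows
    rootnoverify (hd0,1)
    chainloader +1
EOF
}

sample_legacy | legacy_to_grub2
```

Global options such as default and timeout are only marked as unconverted, because on a GRUB 2 system they belong in /etc/default/grub rather than in a menu entry.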

GRUB 2 makes further changes, in that it employs a set of scripts and other tools that help automatically maintain the /boot/grub/grub.cfg file. The intent is that system administrators need never explicitly edit this file. Instead, you would edit files in /etc/grub.d, and the /etc/default/grub file, to change your GRUB 2 configuration. After making such changes, you must explicitly rebuild the grub.cfg file, as described shortly.

Files in /etc/grub.d control particular GRUB OS probers. These scripts scan the system for particular OSs and kernels and add GRUB entries to /boot/grub/grub.cfg to support those OSs. You can add custom kernel entries, such as those shown in Listing 5.2, to the 40_custom file to support your own locally compiled kernels or unusual OSs that GRUB doesn’t automatically detect.

The /etc/default/grub file controls the defaults created by the GRUB 2 configuration scripts. For instance, if you want to adjust the timeout, you might change the following line:

GRUB_TIMEOUT=10

A distribution that’s designed to use GRUB 2, such as Ubuntu, will automatically run the configuration scripts after certain actions, such as installing a new kernel with the distribution’s package manager. If you need to make changes yourself, you can type update-grub or grub-mkconfig > /boot/grub/grub.cfg after you’ve edited /etc/default/grub or files in /etc/grub.d. This command re-reads these configuration files and writes a fresh /boot/grub/grub.cfg file. (Some installations use 2 after grub in command names, as in grub2-mkconfig rather than grub-mkconfig.)

Unlike GRUB Legacy, GRUB 2 is designed to work with both BIOS and EFI-based computers, as well as with a few more-exotic firmware types. When you first install Linux, the installer should set up GRUB correctly, using grub-install in much the way described for GRUB Legacy. On EFI-based computers, GRUB 2’s version of grub-install should install the GRUB 2 EFI binary file where it belongs; but if you have problems, you may need to use efibootmgr, as described earlier with reference to GRUB Legacy.

Using Alternative Boot Loaders

Although GRUB Legacy and GRUB 2 dominate the Linux boot loader arena today and are the only boot loaders covered on the exam, there are several others that you may encounter and that deserve mention:

Syslinux: The Syslinux Project (http://www.syslinux.org) is actually a family of BIOS-based boot loaders, each of which is much smaller and more specialized than GRUB Legacy or GRUB 2. The most notable member of this family is ISOLINUX, which is a boot loader for use on optical discs, which have unique boot requirements. The EXTLINUX boot loader is another member of this family; it can boot Linux from an ext2, ext3, or ext4 filesystem.

LILO: The Linux Loader (LILO) was the most common Linux boot loader in the 1990s. It’s primitive and limited by today’s standards, and it works only on BIOS-based computers. For more information on LILO, go to http://freshmeat.net/projects/lilo/.

ELILO: The EFI Linux Loader (ELILO; http://elilo.sourceforge.net) is the oldest Linux boot loader for EFI-based computers. It’s similar to LILO in its features and functionality and is used by some distributions (most notably, OpenSUSE) as the default boot loader on EFI-based computers.

The Linux Kernel: Since version 3.3.0, the Linux kernel has incorporated an EFI boot loader for x86 and x86-64 systems. On an EFI-based computer, this feature enables the kernel to serve as its own boot loader, eliminating the need for a separate tool such as GRUB 2 or ELILO.

rEFIt: This program, hosted at http://refit.sourceforge.net, is technically a boot manager, not a boot loader. It’s popular on Intel-based Macs, but some builds of the program can be used on UEFI-based PCs, too. It presents a pretty graphical interface, enabling users to select their boot OS using icons rather than a text-based interface. rEFIt appears to have been abandoned; as I write, the last update was in 2010.

rEFInd: This program is derived from rEFIt so as to make it more useful on UEFI-based PCs and to extend its feature set. Like rEFIt, rEFInd is a boot manager, not a boot loader; it’s intended to present a list of boot options to users. It’s most useful on computers with EFI implementations that provide poor boot managers. It also provides features that are designed to work with the Linux kernel’s built-in EFI boot loader, to simplify the passing of options required to get the kernel to boot. You can learn more at http://www.rodsbooks.com/refind/.

gummiboot: This is an open source EFI boot manager that’s conceptually similar to rEFIt or rEFInd, but it uses a text-mode interface and fewer options. You can learn more at http://freedesktop.org/wiki/Software/gummiboot.

Although development of Linux boot loaders for BIOS-based computers has largely stabilized, with GRUB 2 now dominating this field, EFI boot loader development is quite dynamic, at least as of late 2012. This is likely to continue to be the case in the near future, since EFI-based computers are only now becoming common.

The fact that Microsoft is requiring use of a firmware feature known as Secure Boot is likely to have an impact on Linux boot loaders in late 2012 and 2013, too. With Secure Boot enabled, an EFI-based computer will launch a boot loader only if it’s been cryptographically signed with a key whose counterpart is stored in the computer’s firmware. The goal is to make it harder for malware authors to take over a computer by inserting their programs early in the boot process. The problem from a Linux perspective is that use of Secure Boot requires the signing of a Linux boot loader with Microsoft’s key (since it’s the only one that’s guaranteed to be on most computers), the addition of a distribution-specific or locally generated key to the computer’s firmware, or disabling Secure Boot. To date, Fedora has announced that it will use its own new boot loader, in conjunction with a signed version of GRUB, to launch Fedora 18 on EFI-based computers; and Ubuntu has announced that it will work with computer manufacturers to add its own key to computers and use its own signed boot loader. In practice, though, you may need to disable Secure Boot or generate your own key to boot an arbitrary Linux distribution or a custom-built kernel.

Fixing a Damaged Boot Loader Installation

Linux systems sometimes become unbootable because the boot loader has been damaged. You can reinstall GRUB if you can manage to boot your system, but of course this is a catch-22. Most Linux distributions provide a way to resolve this problem by enabling you to boot the computer even if the on-disk boot loader isn’t working. Try booting the installation disc you used to install the OS and look for an option to boot a kernel from the hard disk. Once the system is booted, you can use grub-install to reinstall GRUB. Alternatively, the installation disc may provide a recovery option that will help to automatically or semi-automatically restore a broken system.

If your distribution’s install disc isn’t helpful, you can try Super GRUB Disk (http://www.supergrubdisk.org), which is a bootable disc image with a variety of options to locate and use the GRUB configuration file on your hard disk. If Super GRUB Disk can find your GRUB configuration file, you can boot using it and then re-install GRUB to your hard disk.

If all else fails, you may be able to use GRUB’s interactive features to locate and boot a kernel. Doing so, however, can be frustrating; a single typo can produce a failure to boot.

Understanding the Boot Process

Any time you modify the way your computer boots, the possibility exists that you won’t get the results you expect. In these cases, it’s useful to know where you can turn for more information about what is happening during startup. The reports you receive on a particular boot can better guide you once you understand something about what’s supposed to happen when a Linux system boots.

Extracting Information about the Boot Process

Certain Linux kernel and module log information is stored in what is called the kernel ring buffer. By default, Linux displays messages destined for the kernel ring buffer during the boot process—they’re those messages that scroll past too quickly to read. (Some distributions hide most or all of these messages unless you select a special option during the boot process.) You can inspect this information with this command:

# dmesg

This command generates a lot of output, so you may want to pipe it through the less pager or redirect it to a file. Here are some examples of these commands:

# dmesg | less
# dmesg > boot.messages

Many Linux distributions store the kernel ring buffer to /var/log/dmesg soon after the system boots. Because new information is logged to the kernel ring buffer as the system operates and because the kernel ring buffer’s size is finite, you may need to consult this log file to learn about the boot process once the system has been operating for a while. Also, because the kernel ring buffer is held in memory, its contents are cleared and generated anew with every boot of the computer.

Another source of logging information is the system logger (syslogd). The most useful syslogd file to look at is usually /var/log/messages, but /var/log/syslog and other log files in /var/log can also hold helpful information.

Some Linux distributions also log boot-time information to other files. Debian uses a daemon called bootlogd that, by default, logs any messages that go to /dev/console to the /var/log/boot file. Fedora and Red Hat use syslogd services to log information to /var/log/boot.log.

Locating and Interpreting Boot Messages

Boot messages in the kernel ring buffer or /var/log files can be cryptic to the uninitiated. Some tips can help you locate and interpret the information you find in these sources:

Use less and Its Search Functions: The less pager is a great tool for examining both the kernel ring buffer and log files. The search function (accessed by pressing the slash key, /) can help you look for particular strings.

Look for Hardware Type Names: Many boot messages, particularly in the kernel ring buffer, relate to hardware. Try searching for the name of the hardware type, such as SCSI or USB, if you’re having problems with these subsystems. Remember that Linux treats many disk devices as SCSI disks, too!

Look for Hardware Chipset Names: Linux drivers sometimes log messages along with their driver names, which are usually based on the chipset in question. If you know your hardware well enough to know the chipset name, search for it or for a subset of it. For instance, searching for 8169 may turn up messages related to a RealTek 8169 Ethernet interface. Similarly, you can search for higher-level kernel module names, such as reiserfs for messages from the ReiserFS filesystem driver.

Study the Output from a Working System: Familiarize yourself with the contents of the kernel ring buffer and log files on a working system. If you know what to expect when a system is functioning correctly, you’ll find it easier to identify problems when they occur.

Sometimes, a system won’t boot at all. In this case, kernel boot messages (which ordinarily go into the kernel ring buffer) are displayed on the screen, which can help you identify the cause of a failure. Many modern Linux distributions hide these messages by default, but you can sometimes reveal them by pressing the Esc key during the boot process. Once the kernel boot process has completed, other systems take over, and the last few messages displayed on the screen can also provide clues—for instance, if the last message displayed mentions starting a particular server, it’s possible that the server is hanging and interrupting the boot process. You may be able to disable the server by using a single-user boot mode and therefore bypass the problem.

The Boot Process

The process of taking an x86 computer from its initial state when the power is turned on to having a working operating system running is complex because of the way modern personal computers have evolved. The steps a computer goes through in order to boot an operating system are as follows:

1. The system is given power, and a special hardware circuit causes the CPU to look at a predetermined address and execute the code stored in that location. The firmware (BIOS or EFI) resides at this location, so the CPU runs the firmware.
2. The firmware performs some tasks. These include checking for hardware, configuring hardware, and looking for a boot loader.
3. When the boot loader takes over from the firmware, it loads a kernel or chainloads to another boot loader, as described earlier in this chapter.
4. Once the Linux kernel takes over, it performs tasks such as initializing devices, mounting the root partition, and finally loading and executing the initial program for your system. By default, this is the program /sbin/init.
5. The initial program gets the process ID (PID) of 1 because it’s the first program to run on the system. In a traditional Linux boot system, /sbin/init reads the /etc/inittab file to determine what other programs to run. On systems that use the newer Upstart or systemd startup systems, /sbin/init reads other configuration files.

How the init program and the initialization scripts work is covered next, in “Dealing with Runlevels and the Initialization Process.”

If you would like more details about this boot process, read http://www.linuxdevcenter.com/pub/a/linux/excerpts/linux_kernel/how_computer_boots.html. This page describes the process from the computer being powered up to the kernel being loaded and launching /sbin/init.

Dealing with Runlevels and the Initialization Process

Linux relies on runlevels to determine what features are available. Runlevels are numbered from 0 to 6, and each one is assigned a set of services that should be active. Upon booting, Linux enters a predetermined runlevel, which you can set. Knowing what these functions are, and how to manage runlevels, is important if you’re to control the Linux boot process and ongoing operations. To this end, you must understand the purpose of runlevels, be able to identify the services that are active in a runlevel, be able to adjust those services, be able to check your default and current runlevels, and be able to change the default and current runlevels.

The next few pages describe the traditional System V (SysV) initialization system. Upstart and systemd differ from this system, although they provide enough compatibility features that many of the tools and concepts described with respect to SysV also apply to these newer systems. Upstart and systemd provide their own additional tools, though.

Runlevel Functions

Earlier in this chapter, I described single-user mode. To get to this mode when booting Linux, you use the number 1, the letter S or s, or the word single as an option passed to the kernel by the boot loader. Single-user mode is simply an available runlevel for your system. The available runlevels on most systems are the numbers 0 through 6. The letters S and s are synonymous with runlevel 1 as far as many utilities are concerned.

Runlevels 0, 1, and 6 are reserved for special purposes; the remaining runlevels are available for whatever purpose you or your Linux distribution provider decide. Table 5.1 summarizes the conventional uses of the runlevels. Other assignments—and even runlevels outside the range of 0 to 6—are possible with some systems, but such configurations are rare. If you run into peculiar runlevel numbers, consult /etc/inittab—it defines them and often contains comments explaining the various runlevels.

TABLE 5.1 Runlevels and their purposes

Runlevel      Purpose
0             A transitional runlevel, meaning that it’s used to shift the computer from one state to another. Specifically, it shuts down the system. On modern hardware, the computer should completely power down. If not, you’re expected to either reboot the computer manually or power it off.
1, s, or S    Single-user mode. What services, if any, are started at this runlevel varies by distribution. It’s typically used for low-level system maintenance that may be impaired by normal system operation, such as resizing partitions.
2             On Debian and its derivatives, a full multi-user mode with X running and a graphical login. Most other distributions leave this runlevel undefined.
3             On Fedora, Mandriva, Red Hat, and most other distributions, a full multi-user mode with a console (non-graphical) login screen.
4             Usually undefined by default and therefore available for customization.
5             On Fedora, Mandriva, Red Hat, and most other distributions, the same behavior as runlevel 3 with the addition of having X run with an XDM (graphical) login.
6             Used to reboot the system. This runlevel is also a transitional runlevel. Your system is completely shut down, and then the computer reboots automatically.

Don’t configure your default runlevel to 0 or 6. If you do, your system will immediately shut down or reboot once it finishes powering up. Runlevel 1 could conceivably be used as a default, but chances are you’ll want to use 2, 3, or 5 as your default runlevel, depending on your distribution and use for the system.

As a general rule, distributions have been drifting toward Red Hat’s runlevel set; however, there are some exceptions and holdouts, such as Debian. Distributions that use newer startup systems generally don’t use runlevels natively, but they provide compatibility tools that make the computer appear to use runlevels for the benefit of scripts and programs that assume the use of runlevels.

Identifying the Services in a Runlevel

There are two main ways to affect what programs run when you enter a new SysV runlevel. The first is to add or delete entries in your /etc/inittab file. A typical /etc/inittab file contains many entries, and except for a couple of special cases, inspecting or changing the contents of this file is best left to experts. Once all the entries in /etc/inittab for your runlevel are executed, your boot process is complete, and you can log in.

The /etc/inittab file is one SysV feature that may not be used by newer startup systems, such as Upstart and systemd. Ubuntu 12.04, which uses Upstart, provides no /etc/inittab file at all. Fedora 17, which uses systemd, provides an /etc/inittab file that contains nothing but comments noting its obsolescence. OpenSUSE 12.1 is also based on systemd, and it provides an /etc/inittab file, but it’s no longer used in any meaningful way. Some other distributions, such as Debian, continue to use SysV, and the exam continues to emphasize SysV (including /etc/inittab).

Basics of the /etc/inittab File

Entries in /etc/inittab follow a simple format. Each line consists of four colon-delimited fields:

id:runlevels:action:process

Each of these fields has a specific meaning:

Identification Code: The id field consists of a sequence of one to four characters that identifies its function.

Applicable Runlevels: The runlevels field consists of a list of runlevels for which this entry applies. For instance, 345 means the entry is applicable to runlevels 3, 4, and 5.

Action to Be Taken: Specific codes in the action field tell init how to treat the process. For instance, wait tells init to start the process once when entering a runlevel and to wait for the process’s termination, and respawn tells init to restart the process whenever it terminates (which is great for login processes). Several other actions are available; consult the man page for inittab for details.

Process to Run: The process field is the process to run for this entry, including any options and arguments that are required.

The part of /etc/inittab that tells init how to handle each runlevel looks like this:

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6

These lines start with codes that begin with an l (a lowercase letter L, not a number 1) followed by the runlevel number—for instance, l0 for runlevel 0, l1 for runlevel 1, and so on. These lines specify scripts or programs that are to be run when the specified runlevel is entered. In the case of this example, all the scripts are the same (/etc/init.d/rc), but the script is passed the runlevel number as an argument. Some distributions call specific programs for certain runlevels, such as shutdown for runlevel 0.

The upcoming section “Checking and Changing Your Default Runlevel” describes how to tell init what runlevel to enter when the system boots.

The SysV Startup Scripts

The /etc/init.d/rc or /etc/rc.d/rc script performs the crucial task of running all the scripts associated with the runlevel. The runlevel-specific scripts are stored in /etc/rc.d/rc?.d, /etc/init.d/rc?.d, /etc/rc?.d, or a similar location. (The precise location varies between distributions.) In all these cases, ? is the runlevel number. When entering a runlevel, rc passes the start parameter to all the scripts with names that begin with a capital S and passes the stop parameter to all the scripts with names that begin with a capital K. These SysV startup scripts start or stop services depending on the parameter they’re passed, so the naming of the scripts controls whether they’re started or stopped when a runlevel is entered. These scripts are also numbered, as in S10network and K35smb.

The rc program runs the scripts in numeric order. This feature enables distribution designers to control the order in which scripts run by giving them appropriate numbers. This control is important because some services depend on others. For instance, network servers must normally be started after the network is brought up.

In reality, the files in the SysV runlevel directories are symbolic links to the main scripts, which are typically stored in /etc/rc.d, /etc/init.d, or /etc/rc.d/init.d (again, the exact location depends on the distribution). These original SysV startup scripts have names that lack the leading S or K and number, as in smb instead of K35smb.

You can also start services by hand. Run them with the start option, as in /etc/init.d/smb start to start the smb (Samba) server. Other useful options are stop, restart, and status. Most scripts support all these options.

To determine which services are active in a runlevel, search the appropriate SysV startup script directory for scripts with filenames that begin with an S. Alternatively, you can use a runlevel management tool, as described next.

Distributions based on Upstart and systemd often provide startup scripts that are named and work much like on SysV-based computers; however, when the computer boots, it may use other startup methods, as described later, in “Using Alternative Boot Systems.” The SysV scripts are provided mainly for backward compatibility to help system administrators who are familiar with the SysV startup method and for the benefit of administrative scripts that might rely on SysV scripts. Fedora is notable in that it provides very few such compatibility scripts (at least as of Fedora 17); you may need to use native systemd methods rather than SysV if you use Fedora.
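The search described above can be scripted. The following is an added example, not code from the book: a shell function that lists the S or K entries of one runlevel directory in the numeric order rc uses, shows where each symbolic link points, and marks links whose target is missing. The function names and the sample tree are constructed; only S10network and K35smb come from the text.

```shell
#!/bin/sh
# Added example: show what rc would start or stop on entering a runlevel.

# rc_order DIR PREFIX
# PREFIX is S (start) or K (stop). Prints "NN service -> link target",
# sorted by the two-digit sequence number.
rc_order() {
    dir=$1 prefix=$2
    for link in "$dir"/"$prefix"[0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        base=${link##*/}
        num=${base#?}; num=${num%%[!0-9]*}             # digits after S or K
        name=${base#?"$num"}                           # rest is the service name
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            [ -e "$link" ] || target="$target (dangling)"
        else
            target="(not a symbolic link)"
        fi
        printf '%s %s -> %s\n' "$num" "$name" "$target"
    done | sort -n
}

# Constructed sample tree: main scripts in init.d, links in rc3.d.
make_sample_tree() {
    root=$1
    mkdir -p "$root/init.d" "$root/rc3.d"
    for s in network smb sshd; do : > "$root/init.d/$s"; done
    ln -s ../init.d/network "$root/rc3.d/S10network"
    ln -s ../init.d/sshd    "$root/rc3.d/S55sshd"
    ln -s ../init.d/smb     "$root/rc3.d/K35smb"
    ln -s ../init.d/gone    "$root/rc3.d/S90gone"      # target does not exist
}

demo=$(mktemp -d)
make_sample_tree "$demo"
echo "started in runlevel 3:"; rc_order "$demo/rc3.d" S
echo "stopped in runlevel 3:"; rc_order "$demo/rc3.d" K
rm -rf "$demo"
```

On a real system, point rc_order at the runlevel directory your distribution uses, such as /etc/rc3.d or /etc/rc.d/rc3.d.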

Managing Runlevel Services

The SysV startup scripts in the runlevel directories are symbolic links back to the original script. This is done so you don’t need to copy the same script into each runlevel directory. Instead, you can modify the original script without having to track down its copies in all the SysV runlevel directories. You can also modify which programs are active in a runlevel by editing the link filenames. Numerous utility programs are available to help you manage these links, such as chkconfig, update-rc.d, and rc-update. I describe the first of these tools because it’s supported on many distributions. If your distribution doesn’t support these tools, you should check distribution-centric documentation. These tools may provide impaired functionality on systems that don’t use SysV natively; you may need to locate Upstart- or systemd-specific tools instead.

To list the services and their applicable runlevels with chkconfig, use the --list option. The output looks something like this but is likely to be much longer:

# chkconfig --list
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs-common 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xprint 0:off 1:off 2:off 3:on 4:on 5:on 6:off
setserial 0:off 1:off 2:off 3:off 4:off 5:off 6:off

This output shows the status of the services in all seven runlevels. For instance, you can see that nfs-common is inactive in runlevels 0-2, active in runlevels 3-5, and inactive in runlevel 6.

If you’re interested in a specific service, you can specify its name:

# chkconfig --list nfs-common
nfs-common 0:off 1:off 2:off 3:on 4:on 5:on 6:off

To modify the runlevels in which a service runs, use a command like this:

# chkconfig --level 23 nfs-common on

The previous example is for Debian-based systems. On Red Hat and similar systems, you would probably want to target runlevels 3, 4, and 5 with something like --level 345 rather than --level 23.

You can set the script to be on (to activate it), off (to deactivate it), or reset (to set it to its default value).

If you’ve added a startup script to the main SysV startup script directory, you can have chkconfig register it and add appropriate start and stop links in the runlevel directories. When you do this, chkconfig inspects the script for special comments to indicate default runlevels. If these comments are in the file and you’re happy with the suggested levels, you can add it to these runlevels with a command like this:

# chkconfig --add nfs-common

This command adds the nfs-common script to those managed by chkconfig. You would, of course, change nfs-common to your script’s name. This approach may not work if the script lacks the necessary comment lines with runlevel sequence numbers for chkconfig’s benefit.

Checking Your Runlevel

Sometimes it’s necessary to check your current runlevel. Typically, you’ll do this prior to changing the runlevel or to check the status if something isn’t working correctly. Two different runlevel checks are possible: checking your default runlevel and checking your current runlevel.

Checking and Changing Your Default Runlevel

On a SysV-based system, you can determine your default runlevel by inspecting the /etc/inittab file with the less command or opening it in an editor. Alternatively, you may use the grep command to look for the line specifying the initdefault action. On a Debian system, you’ll see something like this:

# grep :initdefault: /etc/inittab
id:2:initdefault:

If grep returns nothing, chances are you’ve either mistyped the command or your computer is using Upstart, systemd, or some other initialization tool. On some systems, the second colon-delimited field will contain a 3, 5, or some value other than the 2 shown here.

You may notice that the id line doesn’t define a process to run. In the case of the initdefault action, the process field is ignored.

If you want to change the default runlevel for the next time you boot your system, edit the initdefault line in /etc/inittab and change the runlevel field to the value you want. If your system lacks an /etc/inittab file, create one that contains only an initdefault line that specifies the runlevel you want to enter by default.

If your system doesn’t use SysV, you’ll need to adjust the default runlevel in some other way, as described later in “Using Alternative Boot Systems.”
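The four-field inittab format and the initdefault check described above, as an added example that is not code from the book: shell functions that read the default runlevel, flag a default of 0 or 6 (which the earlier warning says makes the system shut down or reboot as soon as it finishes starting), and list the entries that apply to a given runlevel. The function names and the sample file, including its getty line, are constructed for illustration.

```shell
#!/bin/sh
# Added example: read an inittab-format file (id:runlevels:action:process).

# Print the runlevels field of the first initdefault entry, if any.
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Judge the default runlevel. Return status: 0 = usable, 1 = would halt or
# reboot at once, 2 = no initdefault entry, 3 = unexpected value.
check_default_runlevel() {
    rl=$(default_runlevel "$1")
    case "$rl" in
        "")      echo "no initdefault entry found"; return 2 ;;
        0|6)     echo "default runlevel $rl: system shuts down or reboots right after booting"; return 1 ;;
        [1-5sS]) echo "default runlevel $rl"; return 0 ;;
        *)       echo "unexpected runlevels field: $rl"; return 3 ;;
    esac
}

# Print "id action process" for entries whose runlevels field lists runlevel $2.
entries_for_runlevel() {
    awk -F: -v rl="$2" '
        /^[ \t]*#/ || NF < 4 || $3 == "initdefault" { next }
        index($2, rl) {
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i   # process may contain colons
            print $1, $3, proc
        }' "$1"
}

# Constructed sample file: the l0-l6 lines from the text, a Debian-style
# default runlevel, and one respawn login entry.
write_sample_inittab() {
    cat > "$1" <<'EOF'
# sample inittab (constructed for this example)
id:2:initdefault:
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
1:2345:respawn:/sbin/getty 38400 tty1
EOF
}

tmp=$(mktemp)
write_sample_inittab "$tmp"
check_default_runlevel "$tmp"
entries_for_runlevel "$tmp" 2
sed 's/^id:2:/id:6:/' "$tmp" > "$tmp.bad"           # simulate a bad edit
check_default_runlevel "$tmp.bad" || echo "(check failed with status $?)"
rm -f "$tmp" "$tmp.bad"
```

Running check_default_runlevel against an edited copy before installing it as /etc/inittab catches a mistyped default before the next reboot.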

Determining Your Current Runlevel

If your system is up and running, you can determine your runlevel information with the runlevel command:

# runlevel
N 2

The first character is the previous runlevel. When the character is N, this means the system hasn’t switched runlevels since booting. It’s possible to switch to different runlevels on a running system with the init and telinit programs, as described next. The second character in the runlevel output is your current runlevel.

Both Upstart and systemd provide runlevel commands for compatibility with SysV. These alternatives don’t technically use runlevels, though, so the information is a sort of “translation” of what the startup system is using to SysV terms.

Changing Runlevels on a Running System

Sometimes you may want to change runlevels on a running system. You might do this to get more services, such as going from a console to a graphical login runlevel, or to shut down or reboot your computer. This can be accomplished with the init (or telinit), shutdown, halt, reboot, and poweroff commands.

Changing Runlevels with init or telinit

The init process is the first process run by the Linux kernel, but you can also use it to have the system reread the /etc/inittab file and implement changes it finds there or to change to a new runlevel. The simplest case is to have it change to the runlevel you specify. For instance, to change to runlevel 1 (the runlevel reserved for single-user or maintenance mode), you would type this command:

# init 1

To reboot the system, you can use init to change to runlevel 6 (the runlevel reserved for reboots):

# init 6

A variant of init is telinit. This program can take a runlevel number just like init to change to that runlevel, but it can also take the Q or q option to have the tool reread /etc/inittab and implement any changes it finds there. Thus, if you’ve made a change to the runlevel in /etc/inittab, you can immediately implement that change by typing telinit q.

The man pages for these commands indicate slightly different syntaxes; but telinit is sometimes a symbolic link to init, and in practice init responds just like telinit to the Q and q options.

The Upstart and systemd tools provide init and telinit commands that work much as they do on SysV-based computers.

Changing Runlevels with shutdown

Although you can shut down or reboot the computer with init, doing so has some problems. One issue is that it’s simply an unintuitive command for this action. Another is that changing runlevels with init causes an immediate change to the new runlevel. This may cause other users on your system some aggravation because they’ll be given no warning about the shutdown. Thus, it’s better to use the shutdown command in a multi-user environment when you want to reboot, shut down, or switch to single-user mode. This command supports extra options that make it friendlier in such environments.

The shutdown program sends a message to all users who are logged into your system and prevents other users from logging in during the process of changing runlevels. The shutdown command also lets you specify when to effect the runlevel change so that users have time to exit editors and safely stop other processes they may have running.

When the time to change runlevels is reached, shutdown signals the init process for you. In the simplest form, shutdown is invoked with a time argument like this:

# shutdown now

This changes the system to runlevel 1, the single-user or maintenance mode. The now parameter causes the change to occur immediately. Other possible time formats include hh:mm, for a time in 24-hour clock format (such as 6:00 for 6:00 a.m. or 13:30 for 1:30 p.m.), and +m for a time m minutes in the future.

You can add extra parameters to specify that you want to reboot or halt (that is, power off) the computer. Specifically, -r reboots the system, -H halts it (terminates operation but doesn’t power it off), and -P powers it off. The -h option may halt or power off the computer, but usually it powers it off. For instance, you can type shutdown -r +10 to reboot the system in 10 minutes.

To give people some warning about the impending shutdown, you can add a message to the end of the command:

# shutdown -h +15 "system going down for maintenance"

If you schedule a shutdown but then change your mind, you can use the -c option to cancel it:

# shutdown -c "never mind"

Upstart and systemd provide shutdown commands of their own that function like the shutdown command of SysV. You may want to check your computer’s man page for shutdown to verify that it works in the way described here; with development active in the realm of startup systems, you may find some surprises!

Changing Runlevels with the halt, reboot, and poweroff Commands

Three additional shortcut commands are halt, reboot, and poweroff. (In reality, reboot and poweroff are usually symbolic links to halt. This command behaves differently depending on the name with which it’s called.) As you might expect, these commands halt the system (shut it down without powering it off), reboot it, or shut it down and (on hardware that supports this feature) turn off the power, respectively. As with telinit and shutdown, these commands are available in SysV, Upstart, and systemd.

In Exercise 5.1, you’ll experiment with some of the methods of changing runlevels just described.

EXERCISE 5.1

Changing Runlevels

This exercise will demonstrate the effects of changing the runlevel in various ways on a working system. Be aware that some of the effects will be different from one system to another, depending on both the distribution and the system-specific configuration of the computer. Also, in the course of running this exercise, you’ll reboot the computer, so you shouldn’t do it on a system that anybody else is using. To manage your runlevels, follow these steps:

1. Log in as root, or acquire root privileges by using su or by using sudo with each of the following commands. Use a text-mode or remote login; some of the exercise activities will shut down X.
2. Type runlevel to learn your current runlevel. Recall that the first character returned refers to the previous runlevel (N denotes no previous runlevel; it hasn’t been changed since the system booted). The second output character is the current runlevel. This is likely to be 2 on Debian or Debian-derived systems and 3 or 5 on Red Hat or Red Hat-derived systems.
3. If your system reports it’s in runlevel 5, type telinit 3 to switch to runlevel 3. Chances are your X server will stop working. (Pressing Alt+F7 from a text-mode console will show a blank text-mode screen rather than the X display this keystroke would normally reveal.)
4. If your system initially reported a runlevel of 3, type telinit 5 to switch to runlevel 5. This will probably start X; however, if X is misconfigured, the screen is likely to blink two or three times and possibly display an error message. If X isn’t installed, nothing much will happen, aside from a display about a few services being stopped and started. If X starts, you can get back to your text-mode console by pressing Ctrl+Alt+F1.
5. If your system reported that it was in runlevel 2, you can try other runlevels, such as 3, 4, or 5; however, this isn’t likely to have much effect. You can temporarily start or stop X by typing /etc/init.d/gdm start or /etc/init.d/gdm stop. (You may need to change gdm to xdm, mdm, or kdm.)
6. Return to your original runlevel using telinit, as in telinit 5.
7. If your distribution uses /etc/inittab and sets the default runlevel to 5, edit that file and change the default runlevel by changing the number in the line that reads id:n:initdefault:. The number, n, is likely to be either 3 or 5; change it to the other value. (It’s wise to make a backup of /etc/inittab before editing it!) If your distribution doesn’t use /etc/inittab or sets a default runlevel of 2, don’t make any changes to this file, and skip ahead to step 11.
8. Reboot the computer by typing reboot now or shutdown -r now.
9. Log in as root again, and type runlevel to verify that you’re running in the runlevel you specified in step 7.
10. Edit /etc/inittab to restore it to its original state, or restore it from its backup.
11. Type telinit 6. This enters runlevel 6, which reboots the system. The computer should now be running as it was before you began this exercise.
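The inittab edit in steps 7 through 10 and the two-character runlevel output from step 2, as an added shell example that is not from the book: it changes the default runlevel in a copy of an inittab-format file, keeps a backup, and refuses runlevels 0 and 6 as defaults. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): read and safely change the default
# runlevel in a COPY of an inittab-format file. Function names and the
# sample file below are constructed for illustration.

# Print the default runlevel from the id:n:initdefault: line.
default_runlevel() {
    # inittab fields are id:runlevels:action:process; comment lines are skipped.
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Set the default runlevel to $2 in file $1, keeping a backup as $1.bak.
# Runlevels 0 and 6 are refused: as a default they would halt or reboot
# the machine on every boot.
set_default_runlevel() (
    file=$1
    new=$2
    case $new in
        [1-5]) ;;
        0|6) echo "refusing default runlevel $new (reserved for halt/reboot)" >&2
             exit 2 ;;
        *)   echo "not a runlevel: $new" >&2
             exit 2 ;;
    esac
    if [ -z "$(default_runlevel "$file")" ]; then
        echo "$file has no initdefault line; leaving it alone" >&2
        exit 3
    fi
    cp -p "$file" "$file.bak" || exit 1
    # Rewrite only the runlevel field of the uncommented initdefault line.
    sed "s/^\([^#:]*\):[^:]*:initdefault:/\1:$new:initdefault:/" \
        "$file.bak" > "$file" || exit 1
    # Confirm the edit took effect before reporting success.
    [ "$(default_runlevel "$file")" = "$new" ]
)

# Interpret the two fields printed by the runlevel command, e.g. "N 3".
describe_runlevel() (
    set -- $1                 # split "previous current" on whitespace
    prev=$1
    cur=$2
    if [ "$prev" = "N" ]; then
        prev=none             # N: runlevel has not changed since boot
    fi
    echo "previous=$prev current=$cur"
)

# Demonstration on a constructed sample file in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        '# sample inittab (constructed)' \
        'id:5:initdefault:' \
        'si::sysinit:/etc/init.d/rcS' \
        'l5:5:wait:/etc/init.d/rc 5' > "$dir/inittab"
    echo "before: $(default_runlevel "$dir/inittab")"
    set_default_runlevel "$dir/inittab" 3 &&
        echo "after:  $(default_runlevel "$dir/inittab")"
    set_default_runlevel "$dir/inittab" 6 ||
        echo "runlevel 6 rejected; file still at $(default_runlevel "$dir/inittab")"
    describe_runlevel "5 3"
    rm -rf "$dir"
}
demo
```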

Using Alternative Boot Systems

The preceding sections have described the traditional Linux boot and runlevel system, based on SysV scripts. In recent years, however, Linux developers have begun experimenting with several alternatives to SysV, and some of these have become popular. Two in particular, Upstart and systemd, are worth describing. Both include compatibility features to ease the transition from SysV, but they provide unique features of their own.

Configuring Upstart

Several modern Linux distributions, including recent versions of Ubuntu, now use an init process called Upstart (http://upstart.ubuntu.com) rather than the venerable SysV startup system. Broadly speaking, Upstart does the same job as the SysV scripts, but Upstart is designed to better handle today’s dynamically changing hotplug hardware, which can be connected to and disconnected from a computer while it’s still running. Upstart provides SysV compatibility features, so you should be familiar with the SysV methods described earlier; however, it also has its own unique scripts and differs in some important ways. In particular, Upstart does away with /etc/inittab, instead providing an integrated set of startup scripts that can, in principle, completely replace the SysV-style /etc/inittab and runlevel-specific startup scripts. Upstart scripts also support starting or stopping services based on a wider variety of actions than do SysV startup scripts; for instance, Upstart can launch a service whenever a particular hardware device is attached.

Using Upstart-Native Methods

A system that uses nothing but Upstart and its native scripts replaces both /etc/inittab and the runlevel-specific SysV startup script directories with scripts in the /etc/init directory. (This directory was called /etc/event.d on earlier versions of Upstart.) You may want to check the contents of this directory on your own Upstart-based system.

As I write, Upstart is under heavy development, and its configuration file format is subject to change. Thus, you may find differences from what is described in these pages.

To change the runlevels in which a particular service runs, you’ll have to edit its configuration file in a text editor. Locate the script (typically /etc/init/name.conf, where name is the name of the service), and load it into a text editor. Look for lines that include the text start on and stop on, as in the following example:

start on (filesystem
          and started hal
          and tty-device-added KERNEL=tty7
          and (graphics-device-added or stopped udevtrigger))
stop on runlevel [016]

Locate any runlevel specification and adjust it for your needs. For instance, you might change the preceding example’s stop on runlevel specification to read stop on runlevel [0126] to include runlevel 2 in the list of runlevels on which the service is to be stopped.

After you make such a change, you can use the start or stop command to immediately start or stop the service, as in stop gdm to shut down the gdm server. Before changing your runlevel (as described earlier, in “Changing Runlevels on a Running System”), you should type initctl reload to have Upstart reread its configuration files.

If you upgrade the package that provides the Upstart configuration script, you may need to reconfigure it.

Using SysV Compatibility Methods

Because the SysV startup script system has been so common for so long, a large number of software packages include SysV startup scripts. To accommodate such packages, Upstart provides a compatibility mode: It runs SysV startup scripts in the usual locations (/etc/rc.d/rc?.d, /etc/init.d/rc?.d, /etc/rc?.d, or a similar location). Thus, if you install a package that doesn’t yet include an Upstart configuration script, it should still launch in the usual way. Furthermore, if you’ve installed utilities such as chkconfig, you should be able to use them to manage your SysV-based services just as you would on a SysV-based system.

You may find, however, that chkconfig and other SysV-based tools no longer work for some services. As time goes on, this is likely to be true for more and more services, because the developers of distributions that favor Upstart may convert their packages’ startup scripts to use Upstart-native methods.

Using systemd

The systemd startup package (http://www.freedesktop.org/wiki/Software/systemd/) is a second major contender to replace SysV scripts. It’s intended to provide faster and more flexible startup compared to SysV scripts. This is accomplished by enabling parallel startup of services and startup of services based on external activation (as opposed to starting items linearly according to fixed runlevels).

Fedora 15 and newer, Mandriva 2011 and newer, and OpenSUSE 12.1 and newer all use systemd by default. Some other distributions, such as Debian and Gentoo, provide systemd as an option but don’t use it by default.

Most systemd configuration files reside in /etc/systemd and its subdirectories. The /etc/rc.conf file is also sometimes used, although it’s absent by default on Fedora 17 and OpenSUSE 12.1 installations. These configuration files consist of sections identified by names in brackets, followed by assignments of values to variables, as in the following:

[Manager]
LogLevel=info
#LogTarget=syslog-or-kmsg
LogColor=yes

A hash mark (#) identifies a comment; lines beginning with this symbol are ignored. Chances are you’ll find most lines in a default configuration are commented out in this way.

To control services on a systemd-based computer, either you can use SysV compatibility startup scripts (if provided) or you can use the systemctl utility. This tool takes a large number of options and commands, and you must also typically pass it a unit name, which is the name of a service upon which it acts. Table 5.2 summarizes the most important systemctl commands.

TABLE 5.2 systemctl commands

systemctl command name    Explanation
list-units                Displays the current status of all configured units.
start name                Starts the named unit.
stop name                 Stops the named unit.
reload name               Causes the named unit to reload its configuration file.
restart name              Causes the named unit to shut down and restart.
status name               Displays the status of the named unit. (You can pass a PID value rather than a name, if you like.)
enable name               Configures the unit to start when the computer next boots.
disable name              Configures the unit to not start when the computer next boots.

Table 5.2 is incomplete; systemctl is a very complex tool with numerous commands and options. You should consult its man page to learn more about it. The commands presented in Table 5.2 will help you get started, though; they will help you to perform some of the most common tasks you’ll want to do with it. As you can see, these commands provide the same basic features that SysV provides in its startup scripts and tools to manage them, such as chkconfig.

The systemctl unit names aren’t quite identical to the SysV startup script names. Typically, services have the string .service appended. For instance, if you wanted to halt the sendmail service, you would type

# systemctl stop sendmail.service

Editing Files with Vi

Vi was the first full-screen text editor written for Unix. It’s designed to be small and simple. Vi is small enough to fit on tiny, floppy-based emergency boot systems. For this reason alone, Vi is worth learning; you may need to use it in an emergency recovery situation. Vi is, however, a bit strange, particularly if you’re used to GUI text editors. To use Vi, you should first understand the three modes in which it operates. Once you understand those modes, you can begin learning about the text-editing procedures Vi implements. You’ll also examine how to save files and exit Vi.

Most Linux distributions ship with a variant of Vi known as Vim, or “Vi Improved.” As the name implies, Vim supports more features than the original Vi does. The information presented here applies to both Vi and Vim. Most distributions that ship with Vim support launching it by typing vi, as if it were the original Vi.

Understanding Vi Modes

At any given moment, Vi is running in one of three modes:

Command Mode
This mode accepts commands, which are usually entered as single letters. For instance, i and a both enter insert mode, although in somewhat different ways, as described shortly, and o opens a line below the current one.

Ex Mode
To manipulate files (including saving your current file and running outside programs), you use ex mode. You enter ex mode from command mode by typing a colon (:), typically directly followed by the name of the ex-mode command you want to use. After you run the ex-mode command, Vi returns automatically to command mode.

Insert Mode
You enter text in insert mode. Most keystrokes result in text appearing on the screen. One important exception is the Esc key, which exits insert mode and returns to command mode.

If you’re not sure what mode Vi is in, press the Esc key. Doing so returns you to command mode, from which you can reenter insert mode, if necessary.

Unfortunately, terminology surrounding Vi modes is inconsistent at best. For instance, command mode is sometimes referred to as normal mode, and insert mode is sometimes called edit mode or entry mode. Ex mode often isn’t described as a mode at all but is referred to as colon commands.

Exploring Basic Text-Editing Procedures

As a method of learning Vi, consider the task of editing /etc/fstab to add a new disk to the computer. Listing 5.3 shows the original fstab file used in this example. If you want to follow along, enter it using a text editor with which you’re already familiar, and save it to a file on your disk. Alternatively, copy your own computer’s /etc/fstab file to a temporary location and make analogous changes to it.

Listing 5.3 Sample /etc/fstab file

/dev/sda2   /          ext4    defaults        1 1
/dev/sda1   /boot      ext4    defaults        1 2
/dev/sda4   /home      ext4    defaults        1 2
/dev/sda3   swap       swap    defaults        0 0
tmpfs       /dev/shm   tmpfs   defaults        0 0
devpts      /dev/pts   devpts  gid=5,mode=620  0 0
sysfs       /sys       sysfs   defaults        0 0
proc        /proc      proc    defaults        0 0

Don’t try editing your real /etc/fstab file as a learning exercise; a mistake could render your system unbootable! You might put your test fstab file in your home directory for this exercise.

The first step to using Vi is to launch it and have it load the file. In this example, type vi fstab while in the directory holding the file. The result should resemble Figure 5.3, which shows Vi running in an Xfce Terminal window. The tildes (~) down the left side of the display indicate the end of the file. (This feature is absent on some systems, though.) The bottom line shows the status of the last command—an implicit file-load command because you specified a filename when launching the program.

FIGURE 5.3 The last line of a Vi display is a status line that shows messages from the program.

You can add a new entry to fstab using Vi either by typing it in its entirety or by duplicating an existing line and then modifying one copy. To do it the first way, follow these steps:

1. Move the cursor to the beginning of the /dev/sda3 line by using the arrow keys.
2. Press the O (letter O, not number 0) key. This opens a new line immediately below the current line, moves the cursor to that line, and enters insert mode.

Although Vi’s commands may seem arcane, many of them are mnemonic in their own way—that is, they’re designed to be easily remembered, as in the letter O standing for open line.

3. Type a new entry, such as the following:

/dev/sdb1   /home2     ext4    defaults        0 0

4. Press the Esc key to return to command mode.

To practice making changes by modifying an existing entry, follow these steps:

1. Move the cursor to the beginning of the /dev/sdb1 line you just created by using the arrow keys, if necessary; you should see the cursor resting on the first / of /dev/sdb1.

You can use the h, j, k, and l keys to move left, down, up, and right, respectively, if you prefer not to use the arrow keys.

2. You must now yank one line of text. This term is used much as copy is used in most text editors—you copy the text to a buffer from which you can later paste it back into the file. To yank text, you use the yy command, preceded by the number of lines you want to yank. Thus, type 1yy (do not press the Enter key, though). The dd command works much like yy, but it deletes the lines as well as copying them to a buffer. Both yy and dd are special cases of the y and d commands, respectively, which yank or delete text in amounts specified by the next character, as in dw to delete the next word.
3. Move the cursor to the line before the one where you want the new line to appear.
4. Type p (again, without pressing the Enter key). Vi pastes the contents of the buffer starting on the line after the cursor. The file should now have two identical /dev/sdb1 lines. The cursor should be resting at the start of the second one. If you want to paste the text into the document starting on the line before the cursor, use an uppercase P command.
5. Move the cursor to the 1 in /dev/sdb1 on the line you’ve just pasted. You’re about to begin customizing this line.
6. Until now, you’ve operated Vi in command mode. You can use any of several commands to enter insert mode. At this point, the most appropriate is R, which enters insert mode so that it’s configured for text replacement rather than insertion. If you prefer to insert text rather than overwrite it, you can use i or a (the latter advances the cursor one space, which is sometimes useful at the end of a line). For the purposes of these instructions, type R to enter insert mode. You should see --REPLACE-- appear in the status line.
7. Type 2 to change /dev/sdb1 to /dev/sdb2.
8. Use the arrow keys to move the cursor to the 2 in /home2. You must modify this mount point name.
9. Type 3 to change /home2 to /home3.

You can make more extensive changes to the fstab file, if you like, but be sure to work from a copy of the file!

10. Exit insert mode by pressing the Esc key.
11. Save the file and quit by typing :wq. This is an ex mode command, as described shortly. (The ZZ command is equivalent to :wq.)

Many additional commands are available that you may want to use in some situations. Here are some of the highlights:

Change Case
Suppose you need to change the case of a word in a file. Instead of entering insert mode and retyping the word, you can use the tilde (~) key in command mode to change the case. Position the cursor on the first character you want to change, and press ~ repeatedly until the task is done.

Undo
To undo any change, type u in command mode.

Open Text
In command mode, typing o (a lowercase letter O) opens text—that is, it inserts a new line immediately below the current one and enters insert mode on that line.

Search
To search forward for text in a file, type / in command mode, followed immediately by the text you want to locate. Typing ? searches backward rather than forward.

Change Text
The c command changes text from within command mode. You invoke it much like the d or y command, as in cw to change the next word or cc to change an entire line.

Go to a Line
The G key brings you to a line that you specify. The H key “homes” the cursor—that is, it moves the cursor to the top line of the screen. The L key brings the cursor to the bottom line of the screen.

Replace Globally
To replace all occurrences of one string with another, type :%s/original/replacement/g, where original is the original string and replacement is its replacement. Change % to a starting line number, comma, and ending line number to perform this change on a small range of lines.

Vi offers a great deal more depth than is presented here; the editor is quite capable, and some Linux users are very attached to it. Entire books have been written about Vi. Consult one of these, or a Vi Web page like http://www.vim.org, for more information.

Saving Changes

To save changes to a file, type :w from command mode. This enters ex mode and runs the w ex-mode command, which writes the file using whatever filename you specified when you launched Vi. Related commands enable other functions:

Edit a New File
The :e command edits a new file. For instance, :e /etc/inittab loads /etc/inittab for editing. Vi won’t load a new file unless the existing one has been saved since its last change or unless you follow :e with an exclamation mark (!).

Include an Existing File
The :r command includes the contents of an old file in an existing one.

Execute an External Command
The ex-mode command :! executes the external command that you specify. For instance, typing :!ls runs ls, enabling you to see what files are present in the current directory.

Quit
Use the :q command to quit the program. As with :e, this command won’t work unless changes have been saved or you append an exclamation mark to the command (as in :q!).

You can combine ex commands such as these to perform multiple actions in sequence. For instance, typing :wq writes changes and then quits from Vi. (ZZ is the equivalent of :wq.)

Summary

Although Linux distributions are designed to boot painlessly and reliably once installed, understanding the boot process will help you overcome problems and maintain your system. Most Linux systems employ a boot loader known as GRUB (either GRUB Legacy or GRUB 2). These programs both fit themselves into the standard BIOS boot system, enabling the computer to load the Linux kernel. GRUB 2, and some patched versions of GRUB Legacy, also work on EFI-based computers. The kernel then runs the init program, which in turn reads various configuration files to boot all the services that make a running Linux system.

Modifying your GRUB configuration enables you to boot different Linux kernels or non-Linux OSs. You can also pass new boot options to Linux. Once the system is booted, you can use the dmesg command or log files to study the boot process in order to verify that it went correctly or to find clues as to why it didn’t.

You can use the Vi editor to edit your GRUB configuration file, your system initialization scripts and configuration files, or any other plain-text file on your computer. Although Vi is old-fashioned in many ways, it’s small and fits on emergency disk systems. Every administrator should be familiar with Vi, even if it’s not your editor of choice for day-to-day operations.

Exam Essentials

Describe how GRUB Legacy is configured and used. GRUB Legacy uses the menu.lst or grub.conf configuration file in /boot/grub. This file contains global and per-image options. Use the grub-install program to install the boot loader. When GRUB boots, it presents a menu of OS options that you select using the keyboard arrow keys.

Describe how GRUB 2 is configured and used. GRUB 2 uses the /boot/grub/grub.cfg configuration file; however, system administrators are discouraged from editing it directly. Instead, they should rely on automatic configuration scripts and set system-specific defaults in /etc/defaults/grub and the files in /etc/grub.d. As with GRUB Legacy, you can install GRUB 2 using the grub-install program.

Describe the boot process. The CPU runs the firmware, the firmware loads and runs a boot loader, the boot loader loads and runs secondary boot loaders (if needed) and the Linux kernel, the Linux kernel loads and runs the initial system program (init), and init starts the rest of the system services via startup scripts that are specific to the startup system (SysV, Upstart, systemd, or something more exotic). BIOS-based computers look for boot loaders in various boot sectors, including the MBR of a hard drive or the boot sector of a disk partition or floppy disk. EFI-based computers look for boot loaders in files on the ESP.

Summarize where to look for boot-time log information. The dmesg command prints out logs from the kernel ring buffer, which holds boot-time and other kernel messages. Other useful log information can be found in /var/log/messages and other files in /var/log.

Summarize the role of /sbin/init. The init program is responsible for starting many programs and services on your Linux operating system. This is done by running processes that are listed in /etc/inittab, including an rc script that runs the SysV initialization scripts.

Explain how runlevels are configured. The default runlevel is specified with a line like id:2:initdefault: in the /etc/inittab file. Use commands such as chkconfig, update-rc.d, ntsysv, and systemctl to change which services are started when switching to specific runlevels. Runlevels 0, 1, and 6 are reserved for shutdown, single-user mode, and rebooting, respectively. Runlevels 3, 4, and 5 are the common user runlevels on Red Hat and most other distributions, and runlevel 2 is the usual user runlevel on Debian systems.

Describe how to change runlevels. The programs init and telinit can be used to change to other runlevels. shutdown, halt, poweroff, and reboot are also useful when shutting down, rebooting, or switching to single-user mode.

Describe Vi’s three editing modes. You enter text using insert mode, which supports text entry and deletion. The command and ex modes are used to perform more complex commands or to run outside programs to operate on the text entered or changed in insert mode.

Review Questions

1. Where might the BIOS find a boot loader?
A. RAM
B. /dev/boot
C. MBR
D. /dev/kmem
E. The swap partition

2. You want to boot a Linux system into single-user mode. What option might you add to a Linux kernel’s options list at a boot loader to accomplish this task?
A. one
B. single-user
C. 1
D. telinit 6
E. telinit 1

3. After booting, one of your hard disks doesn’t respond. What might you do to find out what’s gone wrong?
A. Check the /var/log/diskerror log file to see what’s wrong.
B. Verify that the disk is listed in /mnt/disks.
C. Check the contents of /etc/inittab to be sure it’s mounting the disk.
D. Type dmesg | less, and peruse the output for disk-related messages.
E. Check the menu.lst, grub.conf, or grub.cfg configuration file.

4. What is the first program that the Linux kernel runs once it’s booted in a normal boot process?
A. dmesg
B. init
C. startup
D. rc
E. lilo

5. Which of the following is the GRUB 2 boot loader configuration file?
A. /dev/grub
B. The MBR
C. /boot/grub/grub.conf
D. /boot/grub/grub.cfg
E. /boot/grub/menu.lst

6. How might you identify an initial RAM disk file in GRUB 2?
A. initrd /boot/initrd-3.4.2
B. initrd=/boot/initrd-3.4.2
C. initramfs /boot/initrd-3.4.2
D. initramfs=/boot/initrd-3.4.2
E. ramdisk=/boot/initrd-3.4.2

7. Which command is used to install GRUB Legacy into the MBR of your first SATA hard drive?
A. grub (hd0,1)
B. grub-install /dev/sda1
C. lilo /dev/sda
D. grub-install /dev/sda
E. grub-legacy /dev/sda1

8. The string root (hd1,5) appears in your /boot/grub/menu.lst file. What does this mean?
A. GRUB Legacy tells the kernel that the kernel’s root partition is the fifth partition of the first disk.
B. GRUB Legacy looks for files on the sixth partition of the second disk.
C. GRUB Legacy looks for files on the fifth partition of the first disk.
D. GRUB Legacy installs itself in /dev/hd1,5.
E. GRUB Legacy installs itself in /dev/sdb5.

9. What line in /etc/inittab would indicate that your default runlevel is 5?
A. ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
B. id:5:initdefault:
C. si:5:sysinit:/etc/init.d/rcS
D. l5:5:wait:/etc/init.d/rc 5
E. 1:2345:respawn:/sbin/getty 38400 tty1

10. Which runlevels are reserved by init for reboot, shutdown, and single-user mode purposes? (Select three.)
A. 0
B. 1
C. 2
D. 5
E. 6

11. You type the following command:

$ runlevel
5 3

What can you tell about your runlevel status? (Select two.)
A. The current runlevel is 5.
B. The current runlevel is 3.
C. The previous runlevel is 5.
D. The previous runlevel is 3.
E. The runlevel is in the process of changing.

12. A system administrator types the following command:

# shutdown -c

What is the effect of this command?
A. A previously scheduled shutdown is cancelled.
B. The system shuts down and reboots immediately.
C. The system shuts down and halts immediately.
D. The system asks for confirmation and then shuts down.
E. The system closes all open windows in X without shutting down.

13. Which of the following commands may not be used instead of shutdown in certain circumstances (with appropriate options added to one or the other command)?
A. reboot
B. halt
C. poweroff
D. telinit
E. takedown

14. You want to change to single-user mode on a running system. What command might you use to do this?
A. runlevel 1
B. telinit 1
C. shutdown -1
D. single-user
E. halt to 1

15. What does runlevel 4 do?
A. It reboots the computer.
B. It starts a multi-user system without X running.
C. It starts a multi-user system with X and an X-based login running.
D. It starts the computer into single-user mode.
E. Its purpose isn’t standardized, so it can be used for anything you like.

16. How would you remove two lines of text from a file using Vi?
A. In command mode, position the cursor on the first line, and type 2dd.
B. In command mode, position the cursor on the last line, and type 2yy.
C. In insert mode, position the cursor at the start of the first line, hold down the Shift key while pressing the Down arrow key twice, and press the Delete key on the keyboard.
D. In insert mode, position the cursor at the start of the first line, and press Ctrl+K twice.
E. Using your mouse, select both lines, and then press the Delete or Backspace key.

17. In Vi’s command mode, you type :q!. What is the effect?
A. Nothing; this isn’t a valid Vi command.
B. The text :q! is inserted into the file you’re editing.
C. The program terminates and saves any existing files that are in memory.
D. The program terminates without saving your work.
E. An exclamation point (!) overwrites the character under the cursor in the text.

18. What is an advantage of Vi over Emacs?
A. Vi is X-based and so is easier to use than Emacs.
B. Vi encodes text in EBCDIC, which is more flexible than Emacs’ ASCII.
C. Vi’s mode-based operations permit it to handle non-English languages.
D. Vi includes a built-in Web browser and email client; Emacs doesn’t.
E. Vi is smaller and so can fit on compact emergency systems and embedded devices.

19. From Vi’s command mode, you want to enter insert mode. How might you do this? (Select three.)
A. Type R.
B. Type i.
C. Type a.
D. Type :.
E. Press Esc.

20. How do you exit Vi’s insert mode in order to type command-mode commands?
A. Press the ~ key.
B. Press the Esc key.
C. Type Ctrl+X followed by Ctrl+C.
D. Press the F10 key.
E. Press the Shift+Insert key combination.

Part II

Exam 2

Chapter 6

Configuring the X Window System, Localization, and Printing

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.106.1 Install and configure X11
1.106.2 Set up a display manager
1.106.3 Accessibility
1.107.3 Localization and internationalization
1.108.4 Manage printers and printing

Major modern desktop OSs all provide some form of graphical user interface (GUI), which provides the windows, menus, dialog boxes, flexible fonts, and so on, with which you’re probably familiar. In Linux, the main GUI is known as the X Window System (or X for short). X configuration is either very easy or moderately hard; most distributions today provide auto-detection and easy configuration options during installation, and these usually work correctly. When they don’t or when you want to tweak the configuration, you must delve into the X configuration file or use a GUI X configuration tool. Doing either requires that you know how X treats the video hardware, among other things.

Beyond basic X configuration are a few extra topics. These include fonts, GUI login tools, user desktop environments, using X for remote access, and localization. Each of these topics is closely associated with basic X configuration, but they all go beyond it in one way or another, extending X’s capabilities or providing more features for users, as described in this chapter.

The X display can be considered one form of output. Another is printing, and this chapter covers that topic, as well. With a properly configured printer, you can obtain hard copies of the documents you create and edit using both X and text-based applications.

Configuring Basic X Features

Basic X configuration specifies features such as the mouse used, the keyboard layout, the screen resolution, the video refresh rate, the display color depth, and the video card you’re using. Some of these options require telling X about what hardware you have installed, whereas others enable you to adjust settings on your hardware. In any event, before you proceed with actual configuration you should know something about the X servers that are available for Linux, because your selection will determine what additional tools are available and what files you may need to adjust manually. GUI and text-mode configuration utilities can help you configure X; but sometimes you must delve into the configuration files, so knowing their format is important. This requires that you know what the major option groups do so you can adjust them.

X Server Options for Linux

Although X is by far the dominant GUI for Linux, several implementations of X are available:

XFree86
The dominant X server in Linux until 2004 was XFree86 (http://www.xfree86.org). This open source server supports a wide array of video cards and input devices, and most Linux software was originally designed with XFree86 in mind. As I write, the most recent version is 4.8.0. Significant changes occurred between 3.3.6 and the 4.x series, and some older utilities work only with the 3.3.6 and earlier versions of XFree86. Although a tiny number of elderly systems must run XFree86 3.3.6 or earlier for driver support reasons, most systems today run XFree86 4.x or X.org-X11; the latter is more common on distributions released since 2004.

X.org-X11
In 2004, most Linux distributions shifted from XFree86 to X.org-X11 because of licensing changes to XFree86. X.org-X11 6.7.0 was based on XFree86 4.3.99, but it’s developed independently up to the current version, 7.7. Because X.org-X11 is based on XFree86, the two are virtually identical in most important respects. One significant difference is the name of the configuration file; another is the default location for fonts. Subsequent sections of this chapter point out these differences. You can learn more at http://www.x.org/wiki/.

Accelerated-X
The commercial Accelerated-X server from Xi Graphics (http://www.xig.com) is an alternative to the open source XFree86 and X.org-X11. In practice, running Accelerated-X is seldom necessary, but if you have problems getting your video card working, you may want to look into Accelerated-X; its driver base is independent of the more popular open source choices, so it’s possible you’ll have better luck with it. The Accelerated-X configuration tools and files are completely different from those described in “Methods of Configuring X” and “X Configuration Options,” so you’ll need to consult its documentation for help. The rest of this chapter’s topics still apply to Accelerated-X.

In practice, it’s usually easiest to stick with whatever X server your distribution provides. For modern distributions, this is most often X.org-X11. For a handful of elderly video cards, you may need to run the equally elderly XFree86 3.3.6 rather than a more recent version.

Using Manufacturer-Provided Video Drivers

One of X’s functions is to provide drivers that control the video card. XFree86, X.org-X11, and Accelerated-X all ship with a wide variety of drivers that support most video cards. Some cards, though, have weak support in the stock packages. Other cards are supported by the standard drivers, but those drivers don’t support all of the video device’s features. XFree86 4.x and X.org-X11 both support a modular driver architecture, which means you can drop in a driver module for your card and use it with minimal changes to your X configuration. Both AMD (formerly ATI) and nVidia provide Linux video card drivers designed to work with XFree86 and X.org-X11. (Both X servers can use the same drivers.) Thus, if you have problems with the standard X video drivers, you may want to check with your video card manufacturer and the video card chipset manufacturers for Linux drivers.

Installing and using the manufacturer-provided video drivers is usually a matter of extracting files from a tarball and running an installation script. Consult the documentation that comes with the driver for details. Many of these drivers are particularly helpful for enabling 3D acceleration features of modern cards. These features were first used by games but are increasingly being used by desktop environments and other non-game software.

One problem with manufacturer-supplied drivers is that they’re often proprietary. You might not have source code, which means the drivers might not work on more exotic CPUs, and the drivers could cease working with a future upgrade to your X server. The AMD and nVidia drivers also both include Linux kernel drivers as a necessary component, so you’ll need to reinstall the drivers if you upgrade your kernel.

Methods of Configuring X

Configuring X has traditionally been a difficult process because the X configuration file includes many arcane options. The task is made simpler if you can use a configuration utility, and most Linux distributions now run such a utility as part of the installation process. If the configuration utility doesn’t do everything you want it to do, though, you may need to delve into the X configuration file to set options manually, so knowing something about its format will help a lot. You must also know how to go about restarting X in order to test your changes.

The upcoming section “X Configuration Options” describes in more detail the major X features and how to control them.

X Configuration Utilities

Several configuration tools for XFree86 4.x and X.org-X11 are available:

The X Server Itself: The X server itself includes the capacity to query the hardware and produce a configuration file. To do this, type XFree86 -configure (for XFree86) or Xorg -configure (for X.org-X11) as root when no X server is running. The result should be a file called /root/XF86Config.new (for XFree86) or /root/xorg.conf.new (for X.org-X11). This file may not produce optimal results, but it’s at least a starting point for manual modifications.

Distribution-Specific Tools: Many modern distributions ship with their own custom X configuration tools. These include Red Hat’s (and Fedora’s) Display Settings tool (accessible from the default desktop menu or by typing system-config-display in an xterm) and SUSE’s YaST and YaST2. These tools frequently resemble the distribution’s install-time X configuration tools, which can vary substantially.

xf86cfg or xorgcfg: This utility is named differently for XFree86 vs. X.org-X11. It’s deprecated, meaning it’s no longer supported; but if it’s present on your system, it can help you tweak settings once X is at least partially running.

All of these utilities gather the same type of information needed to manually configure X. Your best bet for understanding these tools and what they want is to understand the underlying X configuration file’s format and contents.

If you’re using the old XFree86 3.3.6, the tools just described don’t work. Instead, you’ll need to use a tool such as xf86config, Xconfigurator, or XF86Setup; or you can configure X manually. Because so few systems today use anything as old as XFree86 3.3.6, I don’t describe these tools in this book.

The X Configuration File Format

The X configuration file’s name and location vary with the version of X being run:

X.org-X11: This server’s configuration file is called xorg.conf, and it’s usually stored in /etc/X11, although /etc and several other locations are also acceptable to the server.

Many modern X.org-X11 configurations omit the X configuration file entirely, instead relying on run-time auto-detection of hardware. This often works fine, but if X doesn’t work or if some of its features are set incorrectly, you may need to generate an xorg.conf file by typing Xorg -configure when X is not running and edit the file manually, as described in subsequent sections.

XFree86 4.x: The XFree86 4.x configuration file is called XF86Config-4 or XF86Config, which is found in /etc/X11 or sometimes in /etc. This file’s format is the same as for the X.org-X11 configuration file.

XFree86 3.3.6 and earlier: The X configuration file’s name is XF86Config, and the file is most commonly located in /etc/X11 or /etc. Although the filename can be the same as for XFree86 4.x, the file format is slightly different. This book, like the exam, covers the newer format used by X.org-X11 and XFree86 4.x.

All three of these classes of X server use configuration files that are broken down into multi-line sections, one section for each major feature. These sections begin with a line consisting of the keyword Section and the section name in quotes and end with the keyword EndSection:

    Section "InputDevice"
        Identifier "Keyboard0"
        Driver "kbd"
        Option "XkbModel" "pc105"
        Option "XkbLayout" "us"
        Option "AutoRepeat" "500 200"
    EndSection

This section tells X about the keyboard—its model, layout, and so on. Details for the sections you’re most likely to need to adjust are described shortly, in “X Configuration Options.”

For the most part, the different X servers support the same sections and most of the same option names. A few exceptions to this rule do exist, though:

The Option keyword isn’t used in XFree86 3.3.6 and earlier. Instead, the option name (such as XkbLayout or AutoRepeat in the preceding example) appears without quotes as the first word on the line.

XFree86 3.3.6 and earlier don’t use the ServerLayout section, described later in “Putting It All Together.”

XFree86 3.3.6 and earlier lack the Identifier and Driver lines, which are common in the XFree86 4.x and X.org-X11 configuration files.

Some section-specific features vary between versions. I describe the most important of these in the coming pages.

The X Configure-and-Test Cycle

If your X configuration isn’t working correctly, you need to be able to modify that configuration and then test it. Many Linux distributions configure the system to start X automatically; but starting X automatically can make it difficult to test the X configuration. To a new Linux administrator, the only obvious way to test a new configuration is to reboot the computer.

A better solution is to kick the system into a mode in which X is not started automatically. On Red Hat, Fedora, and similar distributions, this goal can be achieved by typing telinit 3. This action sets the computer to use runlevel 3, in which X normally doesn’t run. Chapter 5, “Booting Linux and Editing Files,” covers runlevels in more detail.

Some distributions, such as Debian, Ubuntu, and Gentoo, don’t use runlevels as a signal for whether to start X. With such distributions, you must shut down the GUI login server by typing /etc/init.d/xdm stop. (You may need to change xdm to gdm, kdm, mdm, or lightdm, depending on your configuration.)

Once the X session is shut down, you can log in using a text-mode login prompt and tweak your X settings manually, or you can use text-based X configuration programs. You can then type startx to start the X server again. If you get the desired results, quit from X (typically by selecting a “log out” option in your desktop environment) and type telinit 5 (/etc/init.d/xdm start in Debian and other distributions that don’t use runlevels to start the GUI login prompt) to restore the system to its normal X login screen. If after typing startx you don’t get the results you want, you can end your X session and try modifying the system some more.

If X is working minimally but you want to modify it using X-based configuration tools, you can do so after typing startx to get a normal X session running. Alternatively, you can reconfigure the system before taking it out of the X-enabled runlevel.

Another approach to restarting X is to leave the system in its X-enabled runlevel and then kill the X server. The Ctrl+Alt+Backspace keystroke does this on many systems, or you can do it manually with the kill command after finding the appropriate process ID with the ps command, as shown here:

    # ps ax | grep X
     1375 ?  S  6:32 /usr/bin/X -auth /var/gdm/:0.Xauth
    # kill 1375

This approach works better on systems that don’t map the running of X to specific runlevels, such as Debian and its derivatives.

X Configuration Options

When editing the X configuration file, the best approach is usually to identify the feature that’s not working and zero in on the section that controls this feature. You can then edit that section, save your changes, and test the new configuration. In XFree86 4.x and X.org-X11, the major sections described here are called Module, InputDevice, Monitor, Device, Screen, and ServerLayout. You’re likely to have two InputDevice sections, one for the keyboard and one for the mouse. (In XFree86 3.3.6 and earlier, the mouse is handled by a separate Pointer section.) The section order doesn’t matter.

Fonts are a complex enough topic that they’re described in more detail later, in “Configuring X Fonts.” Part of this configuration is handled in the Files section.

Loading Modules

The Module section controls the loading of X server modules—drivers for specific features or hardware. A typical example looks like this:

    Section "Module"
        Load "dbe"
        Load "extmod"
        Load "fbdevhw"
        Load "glx"
        Load "record"
        Load "freetype"
        Load "type1"
        Load "dri"
    EndSection

Each module is named (dbe, extmod, and so on) and is loaded by name using the Load option. Most of these module names can be deciphered with a bit of knowledge about the features they control. For instance, freetype and type1 handle TrueType and Adobe Type 1 font rendering, respectively. If you’re perusing your Module section and see modules you don’t understand, you shouldn’t worry about it; generally speaking, modules that are configured automatically are necessary for normal operation, or at least they do no harm.

For the most part, if an X configuration works, you shouldn’t try to adjust the Module section, even if you want to tweak the X configuration. Sometimes, though, you’ll need to add lines to or remove lines from this section. This is particularly likely to be necessary if you’re activating 3D acceleration support or some sort of exotic feature. In such cases, you should consult the documentation for the feature you want to activate.

Setting the Keyboard

The keyboard is one of two common input devices configured via an InputDevice section:

    Section "InputDevice"
        Identifier "Keyboard0"
        Driver "kbd"
        Option "XkbModel" "pc105"
        Option "XkbLayout" "us"
        Option "AutoRepeat" "500 200"
    EndSection

The Identifier line provides a label that’s used by another section (ServerLayout, described in “Putting It All Together”). The string given on this line is arbitrary, but for a keyboard, a descriptive name such as this example’s Keyboard0 will help you understand the file.

The Driver line tells X what driver to use to access the keyboard. This should be kbd, Keyboard, or evdev, depending on your X server. The kbd and Keyboard drivers are, as you might expect, keyboard-specific drivers. The evdev driver, by contrast, is a generic input device driver that works with many types of input devices. Unless your keyboard isn’t working at all, you shouldn’t adjust this line.

The Option lines set various options that adjust keyboard features, such as the model, the layout, and the repeat rate. For the most part, the defaults work well; however, you may want to change the AutoRepeat option or add it if it’s not present. This option tells X when to begin repeating characters when you hold down a key and how often to repeat them. It takes two numbers as values, enclosed in quotes: the time until the first repeat and the time between subsequent repeats, both expressed in milliseconds (ms). In the preceding example, the system waits 500ms (half a second) for the first repeat and then 200ms for each subsequent repeat (that is, five repeats per second).

Many desktop environments and other user-level utilities provide tools to set the keyboard repeat rate. Thus, the options you set in the X configuration file are used as defaults only and may be overridden by users’ settings.

Setting the Mouse

A second InputDevice section controls how X treats the mouse:

    Section "InputDevice"
        Identifier "Mouse0"
        Driver "mouse"
        Option "Protocol" "IMPS/2"
        Option "Device" "/dev/input/mice"
        Option "Emulate3Buttons" "no"
        Option "ZAxisMapping" "4 5"
    EndSection

As with the keyboard, the Identifier line is used in the ServerLayout section to tell X which input device to use. The Driver line identifies the driver to use: mouse. (Many modern systems use evdev for the mouse.) The Option lines set mouse control options. The most important of these are Device and Protocol.

The Device line tells X what Linux device file to read to access the mouse. In this example, it’s /dev/input/mice, but other possibilities include /dev/mouse (a pointer to the real mouse device, whatever its name), /dev/psaux (for the PS/2 mouse port), /dev/usb/usbmouse (an old identifier for USB mice), /dev/ttyS0 (the first RS-232 serial port mouse), and /dev/ttyS1 (the second RS-232 serial port mouse). If your mouse is working at all (even if its motions are erratic), don’t change this line. If your mouse isn’t working, you may need to experiment.

The Protocol option tells X what signals to expect from the mouse for various movements and button presses. The Auto protocol causes X to try to guess the mouse’s protocol, which usually works correctly. If it doesn’t work, you can try more specific protocols, such as IMPS/2 and ExplorerPS/2, which are very similar in practice. (Note that “PS/2” is both a hardware interface and a software protocol; many USB mice use the PS/2 mouse protocol even though they don’t use the PS/2 mouse port.) If your mouse has a scroll wheel, chances are you should use one of these protocols. If your mouse is older, you may need to try an older protocol, such as PS/2, Microsoft, or Logitech.

Additional options are usually less critical than the Device and Protocol options. The Emulate3Buttons option tells X whether to treat a chord (that is, a simultaneous press) of both buttons on a two-button mouse as if it were a middle-button press. This option is usually disabled on three-button mice and scroll mice (the scroll wheel does double duty as a middle mouse button). The ZAxisMapping option in the preceding example maps the scroll wheel actions to the fourth and fifth buttons, because X must treat scroll wheels as if they were buttons. When you scroll up or down, these “button” presses are generated. Software can detect this and take appropriate actions.

Setting the Monitor

Some of the trickiest aspects of X configuration relate to the monitor options. You set these in the Monitor section, which can sometimes be quite large. A modest Monitor section looks like this:

    Section "Monitor"
        Identifier "Monitor0"
        ModelName "AOC e2343Fk"
        HorizSync 30.0 - 83.0
        VertRefresh 55.0 - 75.0
        # My custom 1920x1080 mode
        Modeline "1920x1080" 138.50 1920 1968 2000 2080 1080 1083 1088 1111
    EndSection

As in the keyboard and mouse configurations, the Identifier option is a free-form string that contains information that’s used to identify a monitor. The Identifier can be just about anything you like. Likewise, the ModelName option can be anything you like; it’s used mainly for your own edification when reviewing the configuration file.

As you continue down the section, you’ll see the HorizSync and VertRefresh lines, which are extremely critical; they define the range of horizontal and vertical refresh rates that the monitor can accept, in kilohertz (kHz) and hertz (Hz), respectively. Together, these values determine the monitor’s maximum resolution and refresh rate. Despite the name, the HorizSync item alone doesn’t determine the maximum horizontal refresh rate. Rather, this value, the VertRefresh value, and the resolution determine the monitor’s maximum refresh rate. X selects the maximum refresh rate that the monitor will support given the resolution you specify in other sections. Some X configuration utilities show a list of monitor models or resolution and refresh rate combinations (such as “1024 × 768 at 72Hz”). You select an option, and the utility then computes the correct values based on that selection. This approach is often simpler to handle, but it’s less precise than entering the exact horizontal and vertical sync values. You should enter these values from your monitor’s manual.

Don’t set random horizontal and vertical refresh rates; on older hardware, setting these values too high can damage a monitor. (Modern monitors ignore signals presented at too high a refresh rate.)

To settle on a resolution, X looks through a series of mode lines, which are specified via the Modeline option. Computing mode lines is tricky, so I don’t recommend you try it unless you’re skilled in such matters. The mode lines define combinations of horizontal and vertical timing that can produce a given resolution and refresh rate. For instance, a particular mode line might define a 1024 × 768 display at a 90Hz refresh rate, and another might represent 1024 × 768 at 72Hz.

Some mode lines represent video modes that are outside the horizontal or vertical sync ranges of a monitor. X can compute these cases and discard the video modes that a monitor can’t support. If asked to produce a given resolution, X searches all the mode lines that accomplish the job, discards those that the monitor can’t handle, and uses the remaining mode line that creates the highest refresh rate at that resolution. (If no mode line supports the requested resolution, X drops down to another specified resolution, as described shortly, and tries again.)

Although you can include an arbitrary number of Modeline entries in your Monitor section, most such files lack these entries. The reason is that XFree86 4.x and X.org-X11 support a feature known as Data Display Channel (DDC). This is a protocol that enables monitors to communicate their maximum horizontal and vertical refresh rates and appropriate mode lines to the computer. You may need to create a Modeline if this feature fails, though. Try performing a Web search on the keywords modeline (or mode line) and your desired video resolution; or try the XFree86 Modeline Generator Web site (http://xtiming.sourceforge.net/cgi-bin/xtiming.pl), which can generate a Modeline for any resolution and refresh rate you specify.
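The selection rule described above (discard mode lines that fall outside the monitor's sync ranges, then use the highest refresh rate that remains, dropping to the next requested resolution if nothing fits) can be reproduced in a short Python script. This is an added example, not code from the book or from the X server; the function names are hypothetical, three of the mode lines are constructed for the demonstration, and it assumes one range per HorizSync/VertRefresh line and ignores interlace and doublescan flags.

```python
import shlex

# Monitor section from the text, plus three constructed mode lines
# (marked below) that exist only to exercise the filter.
MONITOR_SECTION = '''
Section "Monitor"
    Identifier  "Monitor0"
    ModelName   "AOC e2343Fk"
    HorizSync   30.0 - 83.0
    VertRefresh 55.0 - 75.0
    # My custom 1920x1080 mode
    Modeline "1920x1080" 138.50 1920 1968 2000 2080 1080 1083 1088 1111
    # constructed: same geometry, pixel clock too fast for this monitor
    Modeline "1920x1080" 220.00 1920 1968 2000 2080 1080 1083 1088 1111
    # constructed: two 1024x768 modes at different refresh rates
    Modeline "1024x768" 65.00 1024 1048 1184 1344 768 771 777 806
    Modeline "1024x768" 75.00 1024 1048 1184 1328 768 771 777 806
EndSection
'''


def parse_range(tokens):
    """Accept both '30.0 - 83.0' and '30.0-83.0'; return (low, high)."""
    low, high = "".join(tokens).split("-")
    return float(low), float(high)


def parse_monitor(text):
    """Return (hsync_khz_range, vrefresh_hz_range, list of mode dicts)."""
    hsync = vrefresh = None
    modes = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops quotes and # comments
        if not tokens:
            continue
        key = tokens[0].lower()
        if key == "horizsync":
            hsync = parse_range(tokens[1:])
        elif key == "vertrefresh":
            vrefresh = parse_range(tokens[1:])
        elif key == "modeline":
            # Modeline "name" clock  hdisp hsyncstart hsyncend htotal
            #                        vdisp vsyncstart vsyncend vtotal
            clock_mhz = float(tokens[2])
            htotal, vtotal = int(tokens[6]), int(tokens[10])
            modes.append({
                "name": tokens[1],
                "clock": clock_mhz,
                # line rate = pixel clock / pixels per scan line (with blanking)
                "hfreq": clock_mhz * 1000.0 / htotal,
                # frame rate = pixel clock / pixels per frame (with blanking)
                "vrefresh": clock_mhz * 1e6 / (htotal * vtotal),
            })
    return hsync, vrefresh, modes


def usable_modes(text):
    """Mode lines whose timings fall inside both sync ranges."""
    hsync, vrefresh, modes = parse_monitor(text)
    return [m for m in modes
            if hsync[0] <= m["hfreq"] <= hsync[1]
            and vrefresh[0] <= m["vrefresh"] <= vrefresh[1]]


def select_mode(text, requested):
    """Walk the requested resolutions in order (like a Modes line); for the
    first one with a usable mode line, return the highest-refresh match."""
    candidates = usable_modes(text)
    for name in requested:
        matching = [m for m in candidates if m["name"] == name]
        if matching:
            return max(matching, key=lambda m: m["vrefresh"])
    return None


if __name__ == "__main__":
    for wanted in (["1920x1080"], ["2560x1440", "1024x768"], ["800x600"]):
        m = select_mode(MONITOR_SECTION, wanted)
        summary = m and f'{m["name"]} {m["hfreq"]:.2f} kHz {m["vrefresh"]:.2f} Hz'
        print(wanted, "->", summary)
```

The book's own 1920x1080 mode line works out to roughly 66.59 kHz and 59.93 Hz, inside both ranges, while the constructed 220 MHz variant is rejected on both counts.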

Setting the Video Card

Your monitor is usually the most important factor in determining your maximum refresh rate at any given resolution, but X sends data to the monitor only indirectly, through the video card. Because of this, it’s important that you be able to configure this component correctly. An incorrect configuration of the video card is likely to result in an inability to start X.

In the past, video hardware was almost always implemented as a plug-in card. Most modern computers include video hardware on the motherboard, though. Despite this fact, it’s common to refer to a video card, even if the computer lacks a separate plug-in card.

Choosing the Driver

Sometimes X, and particularly modern versions of X.org-X11, can pick the optimum video driver automatically. Other times, though, you must provide that information in the XF86Config or xorg.conf file. In particular, the driver module is set by a line in the Device section, which resembles the following:

    Driver "nv"

This line sets the name of the driver. The drivers reside in the /usr/X11R6/lib/modules/drivers/ or /usr/lib/xorg/modules/drivers/ directory. (On some systems, lib becomes lib64.) Most of the drivers’ filenames end in _drv.o, and if you remove this portion, you’re left with the driver name. For instance, nv_drv.o corresponds to the nv driver.

Some X configuration utilities provide a large list of chipsets and specific video card models, so you can select the chipset or board from this list to have the utility configure this detail.

If you type Xorg -configure to create an initial configuration, the resulting file is likely to include multiple Device sections, each for a different driver. Some of these, such as fbdev and vesa, are generic drivers that work—but not optimally—on a wide variety of video cards. Today, you’re most likely to use the nv or nouveau drivers (both of which work on nVidia cards), the radeon driver (which works on ATI/AMD cards), or the intel driver (which works on Intel cards). You’ll need to know something about your video hardware to pick the best one. If you’re in doubt, you can try using each one in turn, by specifying each Device section in turn in the Screen section, as described later, in “Setting the Resolution and Color Depth.”

Setting Card-Specific Options

The Device section of the xorg.conf file sets various options related to specific X servers. A typical Device section resembles the following:

    Section "Device"
        Identifier "Videocard0"
        Driver "nv"
        VendorName "nVidia"
        BoardName "GeForce 6100"
        VideoRam 131072
    EndSection

The Identifier line provides a name that’s used in the subsequent Screen section to identify this particular Device section. The VendorName and BoardName lines provide information that’s useful mainly to people reading the file.

The VideoRam line is unnecessary with most boards because the driver can detect the amount of RAM installed in the card. With some devices, however, you may need to specify the amount of RAM installed in the card, in kilobytes. For instance, the preceding example indicates a card with 128MB of RAM installed.

Many drivers support additional driver-specific options. They may enable support for features such as hardware cursors (special hardware that enables the card to handle mouse pointers more easily) or caches (using spare memory to speed up various operations). Consult the XF86Config or xorg.conf man page or other driver-specific documentation for details.

Setting the Resolution and Color Depth

The Screen section tells X about the combination of monitors and video cards you’re using. XFree86 4.x and X.org-X11 support multiple video cards and monitors on one system. This can be handy if you’re testing a new monitor or video card driver. In any event, the Screen section looks something like this:

    Section "Screen"
        Identifier "Screen0"
        Device "Videocard0"
        Monitor "Monitor0"
        DefaultDepth 24
        SubSection "Display"
            Depth 24
            Modes "1920x1080" "1280x1024" "1024x768"
        EndSubSection
        SubSection "Display"
            Depth 8
            Modes "1024x768" "800x600" "640x480"
        EndSubSection
    EndSection

The Device and Monitor lines refer to the Identifier lines in your Device and Monitor sections, respectively. The Screen section includes one or more Display subsections, which define the video modes that X may use. This example creates two such displays. The first uses a color depth of 24 bits (Depth 24) and possible video mode settings of 1920x1080, 1280x1024, and 1024x768. (These video modes are actually names that refer to the mode lines defined in the Monitor section or to standard mode lines.) The second possible display uses an 8-bit color depth (Depth 8) and supports 1024x768, 800x600, and 640x480 video modes.

To choose between the Display subsections, you include a DefaultDepth line. In this example, X uses the 24-bit display if possible, unless it’s overridden by other options when starting X.

Graphical video modes require a certain amount of RAM on the video card. (On some laptop computers and computers with video hardware integrated into the motherboard, a portion of system RAM is reserved for this use by the BIOS.) The total amount of RAM required is determined by an equation:

    R = xres × yres × bpp ÷ 8,388,608

In this equation, R is the RAM in megabytes, xres is the x resolution in pixels, yres is the y resolution in pixels, and bpp is the bit depth. For instance, consider a 1280 × 1024 display at 24-bit color depth:

    R = 1280 × 1024 × 24 ÷ 8,388,608 = 3.75MB

All modern video cards have at least 32MB of RAM—usually much more. This is more than enough to handle even very high resolutions at 32-bit color depth (the greatest depth possible). Thus, video RAM shouldn’t be a limiting factor in terms of video mode selection, at least not with modern video hardware. Very old video cards can impose limits, so you should be aware of them.

Modern video cards ship with large amounts of RAM to support 3D acceleration features. X supports such features indirectly through special 3D acceleration packages, but 3D acceleration support is limited compared to basic video card support. If 3D acceleration is important to you, you should research the availability of this support.

Putting It All Together

XFree86 4.x and X.org-X11 require a section that’s not present in the XFree86 3.3.6 configuration file: ServerLayout. This section links together all the other components of the X configuration:

    Section "ServerLayout"
        Identifier "single head configuration"
        Screen "Screen0" 0 0
        InputDevice "Mouse0" "CorePointer"
        InputDevice "Keyboard0" "CoreKeyboard"
    EndSection

Typically, this section identifies one Screen section and two InputDevice sections (for the keyboard and the mouse). Other configurations are possible, though. For instance, XFree86 4.x and X.org-X11 support multi-head displays, in which multiple monitors are combined to form a larger desktop than either one alone would support. In these configurations, the ServerLayout section includes multiple Screen sections.
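Because the sections are tied together only by their Identifier strings, a mistyped name in a Screen or ServerLayout section leaves a reference that points at nothing. The following Python script reports such dangling references before you restart X. It is an added example, not code from the book or the X.org project; the function names are hypothetical, both sample files are constructed from this chapter's sections, and Identifiers are compared as exact strings.

```python
import shlex

# Constructed sample: the sections shown in this chapter, trimmed to the
# lines that matter for cross-references.
GOOD_CONF = '''
Section "InputDevice"
    Identifier "Keyboard0"
    Driver "kbd"
EndSection
Section "InputDevice"
    Identifier "Mouse0"
    Driver "mouse"
EndSection
Section "Monitor"
    Identifier "Monitor0"
EndSection
Section "Device"
    Identifier "Videocard0"
    Driver "nv"
EndSection
Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Monitor "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1920x1080" "1280x1024" "1024x768"
    EndSubSection
EndSection
Section "ServerLayout"
    Identifier "single head configuration"
    Screen "Screen0" 0 0
    InputDevice "Mouse0" "CorePointer"
    InputDevice "Keyboard0" "CoreKeyboard"
EndSection
'''

# Constructed broken variant: the Screen section names a monitor, and the
# ServerLayout section names a mouse, that no section defines.
BROKEN_CONF = (GOOD_CONF
               .replace('Monitor "Monitor0"', 'Monitor "Monitor1"')
               .replace('InputDevice "Mouse0"', 'InputDevice "Mouse1"'))

# In which section type, which keyword must name an Identifier of which type.
REFERENCES = {
    "screen": {"device": "device", "monitor": "monitor"},
    "serverlayout": {"screen": "screen", "inputdevice": "inputdevice"},
}


def parse_sections(text):
    """Return [(section_type, [(keyword, args), ...]), ...], lowercasing
    keywords. SubSection bodies are skipped: they hold no cross-references."""
    sections, current, in_sub = [], None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops quotes and # comments
        if not tokens:
            continue
        key = tokens[0].lower()
        if key == "section" and len(tokens) > 1:
            current = (tokens[1].lower(), [])
        elif key == "endsection":
            if current is not None:
                sections.append(current)
            current = None
        elif key == "subsection":
            in_sub = True
        elif key == "endsubsection":
            in_sub = False
        elif current is not None and not in_sub:
            current[1].append((key, tokens[1:]))
    return sections


def first_name(args):
    """A ServerLayout Screen line may begin with a screen number; skip it."""
    for arg in args:
        if not arg.isdigit():
            return arg
    return None


def check_references(text):
    """Return one message per reference that matches no Identifier."""
    sections = parse_sections(text)
    defined = {}  # section type -> set of Identifier strings
    for stype, entries in sections:
        for key, args in entries:
            if key == "identifier" and args:
                defined.setdefault(stype, set()).add(args[0])
    problems = []
    for stype, entries in sections:
        label = next((a[0] for k, a in entries if k == "identifier" and a), "?")
        for key, args in entries:
            target = REFERENCES.get(stype, {}).get(key)
            name = first_name(args) if target else None
            if name is not None and name not in defined.get(target, set()):
                problems.append(
                    f'{stype} "{label}": {key} "{name}" '
                    f'matches no {target} Identifier')
    return problems


if __name__ == "__main__":
    for title, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(title, check_references(conf) or "all references resolve")
```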

If All Goes Well....

In practice, you may not need to edit the X configuration file. As already noted, most Linux distributions configure X automatically at installation. Indeed, most distributions now rely on launch-time auto-configuration of X along with user settings for features such as resolution, keyboard repeat rate, and so on. Desktop environments typically provide a dialog box, such as the one shown in Figure 6.1, that enables you to set the resolution, refresh rate, and sometimes other display options. Look for such options in the desktop environment’s main settings tool, typically under a title such as Display or Monitor.

FIGURE 6.1 Modern desktop environments provide easy-to-use but limited X configuration options.

Obtaining X Display Information

Sometimes it’s helpful to know about the capabilities of your display, as it’s managed by X. The tool for this job is xdpyinfo. When you type xdpyinfo, the result is copious information about the current display, such as the X version number, the resolution and color depth of all the current displays, and so on. Much of this information is highly technical in nature, so you may not understand it all. That’s OK. I recommend you run this program and peruse the output to see what you can learn from it. If you should later want to obtain similar information on another computer’s display, you’ll know how to obtain it.

For still more technical information, you can use the -ext extension option to xdpyinfo. The extension is the name of an X extension, which is a software module that provides extended capabilities to X. (The basic xdpyinfo command, without any options, lists all the available extensions.)

You can obtain detailed technical information about a specific window with the xwininfo command. In basic use, you type xwininfo, move the mouse cursor over a window, and click. The result is a list of assorted data about the window you clicked, such as the following:

    Absolute upper-left X: 1171
    Absolute upper-left Y: 611
    Relative upper-left X: 6
    Relative upper-left Y: 25
    Width: 657
    Height: 414
    Depth: 32
    Visual Class: TrueColor
    Border width: 0
    Class: InputOutput
    Colormap: 0x2800003 (not installed)
    Bit Gravity State: NorthWestGravity
    Window Gravity State: NorthWestGravity
    Backing Store State: NotUseful
    Save Under State: no
    Map State: IsViewable
    Override Redirect State: no
    Corners: +1171+611 -92+611 -92-55 +1171-55
    -geometry 80x24-86-49

Some of this information, such as the window’s position and size, is easy to interpret. Other information, such as the color map and gravity state, is highly technical, and I don’t describe it further here. You can pass various options to xwininfo to modify the information it displays or how you select a window, including the following:

Alternate Window Selection Methods: The -id id and -name name options enable you to identify a window by an ID number or by its name (normally displayed in the window’s border), respectively. The -root option selects the root window—that is, the entire display.

Window Relationships: Like processes, windows can have parents and children. You can identify these relationships with the -children option. The -tree option works in a similar way, but it works recursively—that is, it displays information on the children of a window’s children, and so on.

Basic Information: The -stats option is used by default. You can restrict the output by using the -bits option, which limits output to information on the window’s bit states.

Additional Information: The -events option produces information on the events that the window processes; -size displays information on sizing hints; -wm displays window manager data; -shape is much like -stats but adds information on the window and border shapes; -frame modifies the display to include information on the window manager’s frame; -metric adds measures in millimeters (mm) to the regular pixel-based measures; -english adds measures in feet and inches; and -all displays all available information.

Windows in X are created and managed by several programs. One of these, the window manager, handles the window’s borders and enables you to drag the window around the screen and resize it. Some xwininfo statistics relate to the window excluding the window manager’s elements, but others include these elements. Options such as -frame and -wm can modify this output or display information on the window manager’s features specifically.

Wayland: The Future?

An entirely new method of managing displays, known as Wayland (http://wayland.freedesktop.org), is nearing readiness as I write. Wayland is intended to address many of the problems with X, which suffers from a design dating back to the 1980s, before many modern video features became available. Thus, X is hobbled by legacy features such as a font model that’s been largely replaced by add-on font libraries. Wayland-native applications won’t use X at all, which will theoretically result in simpler application design, better speed, and fewer video problems, particularly for certain graphics-intensive applications. Existing X applications will continue to work via an X server to be included with Wayland. Essentially, X will run as a process within Wayland, although ideally this will be a stopgap measure.

The developers of several major Linux distributions, including Fedora and Ubuntu, have expressed an intention to support Wayland, either as an option or as the default graphics system. The timetable for such a change is uncertain, though. Furthermore, Wayland has yet to be accepted by users; if Wayland presents unexpected problems, it may flounder. You should watch for future developments concerning this software.

Configuring X Fonts

Fonts have long been a trouble spot for Linux (or more precisely, for X). X was created at a time when available font technologies were primitive by today’s standards, and although X has been updated in various ways to take advantage of newer technologies, these updates have been lacking compared to the font subsystems in most competing OSs. X’s core font system can be set up from the X configuration file. Alternatively, you can configure a font server—a program that delivers fonts to one or many computers using network protocols—to handle the fonts. The latest Linux font technology sets up fonts in a way that’s more independent of X and that produces more pleasing results, at least to most people’s eyes.

Some applications don’t rely on either X or any other standard library to handle fonts; they manage their own fonts themselves. This practice is particularly common in word processors. If you configure your fonts as described here but find that an important program doesn’t see the changes you’ve made, consult its documentation; you may need to tell the program where to look to use the fonts you’ve added.

Font Technologies and Formats

Font technologies can be classified as falling into one of two broad categories:

Bitmap Fonts: The simplest type of font format is the bitmap font, which represents fonts much like bitmap graphics, in which individual pixels in an array are either active or inactive. Bitmap fonts are fairly easy to manipulate and display, from a programming perspective, which makes them good for low-powered computers. The problem is that each font must be optimized for display at a particular resolution. For instance, a font that’s 20 pixels high will appear one size on the screen (typically 72 to 100 dots per inch, or dpi) but will be much smaller when printed (typically at 300 to 1200 dpi). Similarly, you need multiple files to display a single font at multiple sizes (such as 9 point versus 12 point). This means a single font, such as Times, requires potentially dozens of individual files for display at different sizes and on different display devices. If you lack the correct font file, the result will be an ugly scaled display.

Outline Fonts: Most modern fonts are distributed as outline fonts (aka scalable fonts). This type of format represents each character as a series of lines and curves in a high-resolution matrix. The computer can scale this representation to any font size or for any display resolution, enabling a single font file to handle every possible use of the font. The main problem with outline fonts is that this scaling operation is imperfect; scalable fonts often look slightly worse than bitmap fonts, particularly at small sizes. Scaling and displaying the fonts also takes more CPU time than displaying a bitmap font. This factor used to be important, but on modern CPUs it’s not much of an issue.

Both bitmap and outline fonts come in several different formats. X ships with a number of basic bitmap and outline fonts, and you’re unlikely to need to deal explicitly with bitmap fonts or their formats, so I don’t describe them in any detail. Outline fonts are another matter, though. The two main formats are Adobe’s PostScript Type 1 (Type 1 for short) and Apple’s TrueType. Fonts available on the Internet and on commercial font CDs come in one or both of these formats.

XFree86 3.3.6 and earlier supported Type 1 fonts but not TrueType fonts. XFree86 4.x and X.org-X11 support both Type 1 and TrueType fonts.

Configuring X Core Fonts

X core fonts are those that are handled directly by X. To configure these fonts, you must do two things: prepare a font directory that holds the fonts, and add the font directory to X’s font path.

Preparing a Font Directory

The first step to installing fonts is to prepare a directory in which to store them. XFree86 has traditionally stored its fonts in subdirectories of /usr/X11R6/lib/X11/fonts/, but X.org-X11 changes this to /usr/share/fonts or /usr/share/X11/fonts. In either case, if you’re adding fonts you’ve downloaded from the Internet or obtained from a commercial font CD-ROM, you may want to store these additional fonts elsewhere, such as /opt/fonts or /usr/local/fonts. (Chapter 4, “Managing Files,” includes information about the logic behind Linux’s directory system.) You may want to create separate subdirectories for fonts in different formats or from different sources.

When you’re installing Type 1 fonts, Linux needs the font files with names that end in .pfa or .pfb; these files contain the actual font data. (The .pfa and .pfb files store the data in slightly different formats, but the two file types are equivalent.) Additional files distributed with Type 1 fonts aren’t necessary for Linux. TrueType fonts come as .ttf files, and that’s all you need for Linux.

Linux uses fonts in the same format that Mac OS X, Windows, OS/2, and most other OSs use. Earlier versions of Mac OS used font files in special Macintosh-only “suitcases,” which Linux can’t use directly. If you want to use such fonts in Linux, you must convert them. The FontForge program (http://fontforge.sourceforge.net) can do this conversion, among other things.

Once you’ve copied fonts to a directory, you must prepare a summary file that describes the fonts. This file is called fonts.dir, and it begins with a line that specifies the number of fonts that are described. Subsequent lines provide a font filename and an X logical font description (XLFD), which is a tedious-looking description of the font. A complete fonts.dir line can be rather intimidating:

    courb.pfa -ibm-Courier-bold-r-normal--0-0-0-0-m-0-iso8859-1

Fortunately, you needn’t create this file manually; programs exist to do so automatically. In XFree86 4.3 and later and in X.org-X11, the simplest way to do the job is to use mkfontscale and mkfontdir:

    # mkfontscale
    # mkfontdir

The mkfontscale program reads all the fonts in the current directory and creates a fonts.scale file, which is just like a fonts.dir file but describes only outline fonts. The mkfontdir program combines the fonts.scale file with the fonts.dir file, creating it if it doesn’t already exist.

Other programs to perform this task also exist. Most notably, ttmkfdir creates a fonts.dir file that describes TrueType fonts, and type1inst does the job for Type 1 fonts. The mkfontscale program is preferable because it handles both font types, but if you’re using an older distribution that lacks this program or if it’s not doing a satisfactory job, you can try one of these alternative programs.

Adding Fonts to X’s Font Path

Once you’ve set up fonts in a directory and created a fonts.dir file describing them, you must add the fonts to the X font path. You do this by editing the Files section of the XF86Config or xorg.conf file:

Section "Files"
    FontPath "/usr/share/fonts/100dpi:unscaled"
    FontPath "/usr/share/fonts/Type1"
    FontPath "/usr/share/fonts/truetype"
    FontPath "/usr/share/fonts/URW"
    FontPath "/usr/share/fonts/Speedo"
    FontPath "/usr/share/fonts/100dpi"
EndSection

If your Files section contains FontPath lines that refer to unix:/7100 or unix:/-1 but that don’t list conventional directories, read the section “Configuring a Font Server”; your system is configured to rely on an X font server for its core fonts. In this case, you may want to modify your font server configuration rather than change the X core fonts directly, although you can add font directories to have X both use the font server and directly handle your new fonts. If your X server configuration lacks a Files section, it uses a hard-coded default font path. You can add your own complete Files section to add new font paths.

To add your new font directory to the font path, duplicate one of the existing FontPath lines, and change the directory specification to point to your new directory. The order of these directories is significant; when matching font names, X tries each directory in turn, so if two directories hold fonts of the same name, the first one takes precedence. Thus, if you want your new fonts to override any existing fonts, place the new directory at the top of the list; if you want existing fonts to take precedence, add your directory to the end of the list.

The :unscaled string in the first entry in the preceding example tells X to use bitmap fonts from this directory only if they exactly match the requested font size. Without this string, X will attempt to scale bitmap fonts from a font directory (with poor results). Typically, bitmap directories are listed twice: once near the top of the font path with the :unscaled specification and again near the bottom of the list without it. This produces quick display of matching bitmapped fonts, followed by any matching scalable fonts, followed by scaled bitmap fonts.

Once you’ve added your font directory to X’s font path, you should test the configuration. The most reliable way to do this is to shut down X and restart it. (If your system boots directly into X, consult “Running an XDMCP Server” for information on doing this.) A quicker approach, but one that presents some opportunity for error, is to add the font path to a running system by using the xset program:

$ xset fp+ /your/font/directory
$ xset fp rehash

The first of these commands adds /your/font/directory to the end of the font path. (Substitute +fp for fp+ to add the directory to the start of the existing font path.) The second command tells X to re-examine all the font directories to rebuild the list of available fonts. The result is that you should now be able to access the new fonts. (You’ll need to restart any programs that should use the new fonts.) One program to quickly test the matter is xfontsel. This program enables you to select an X core font for display so you can check to be sure the fonts you’ve added are available and display as you expect.

Configuring a Font Server

Prior to the release of XFree86 4.0, several Linux distributions began using TrueType-enabled font servers to provide TrueType font support. Most distributions have now abandoned this practice, but some haven’t, and font servers can be useful in some environments.

A font server is a handy way to deliver fonts to many computers from a central location. This can be a great time-saver if you want to add fonts to many computers—set them up to use a font server and then tweak that server’s font configuration. To use a font server, X must list that server in its font path:

Section "Files"
    FontPath "unix:/7100"
    FontPath "tcp/fount.pangaea.edu:7100"
EndSection

The first line in this example specifies a local font server. (Using unix:/-1 rather than unix:/7100 also works in some cases.) The second line specifies that the font server on the remote system fount.pangaea.edu is to be used.

If your computer is already configured to use a font server, you needn’t change the X configuration to add or delete fonts; instead, you can modify the font server’s configuration. (You can still modify the X font configuration directly, but it may be cleaner to manage all the local fonts from one configuration file.)

To add fonts to a font server, you should first install the fonts on the system, as described earlier in “Preparing a Font Directory.” You should then modify the font server’s configuration file, /etc/X11/fs/config. Rather than a series of FontPath lines, as in the main X configuration file, the font server’s configuration lists the font path using the catalogue keyword as a comma-delimited list:

catalogue = /usr/share/fonts/100dpi:unscaled,
            /usr/share/fonts/Type1,
            /usr/share/fonts/truetype,
            /usr/share/fonts/URW,
            /usr/share/fonts/Speedo,
            /usr/share/fonts/100dpi

The catalogue list may span several lines or just one. In either event, all of the entries are separated by commas, but the final entry ends without a comma. You can add your new font directory anywhere in this list.

Once you’ve saved your changes, you must restart the font server. Typically, this is done via SysV startup scripts (described in more detail in Chapter 5):

# /etc/init.d/xfs restart

At this point, you should restart X or type xset fp rehash to have X re-examine its font path, including the fonts delivered via the font server.

Although X core fonts and font servers were once very important, most modern X applications now emphasize an entirely different font system: Xft. You can add the same fonts as both X core fonts and Xft fonts, but the Xft configuration requires doing things in a new way.

Configuring Xft Fonts

X core fonts (including fonts delivered via a font server) have several important drawbacks:

They aren’t easy to integrate between the screen display and printed output. This makes them awkward from the point of view of word processing or other applications that produce printed output.

They’re server-based. This means applications may not be able to directly access the font files because the fonts may be stored on a different computer than the application. This can exacerbate the printing integration problem.

They provide limited or no support for kerning and other advanced typographic features. Again, this is a problem for word processing programs and other programs that must generate printed output.

They don’t support font smoothing (aka anti-aliasing). This technology employs gray pixels (rather than black or white pixels) along curves to create an illusion of greater resolution than the display can produce.

These problems are deeply embedded in the X core font system, so developers have decided to bypass that system. The result is the Xft font system, which is based in part on the FreeType library (http://www.freetype.org), an open source library for rendering TrueType and Type 1 fonts. Xft is a client-based system, meaning that applications access font files on the computer on which they’re running. Xft also supports font smoothing and other advanced font features. Overall, the result is greatly improved font support. The cost, though, is that Linux now has two font systems: X core fonts and Xft fonts.

Fortunately, you can share the same font directories through both systems. If you’ve prepared a font directory as described earlier, in “Preparing a Font Directory,” you can add it to Xft. Load the /etc/fonts/local.conf file into a text editor. Look for any lines in this file that take the following form:

<dir>/font/directory</dir>

If such lines are present, duplicate one of them and change the duplicate to point to your new font directory. If such lines don’t exist, create one just before the </fontconfig> line. Be sure not to embed your new font directory specification within a comment block, though. Comments begin with a line that reads <!-- and end with a line that reads -->.

If you create a font directory that holds several subdirectories, you can add just the main directory to local.conf. For instance, if you created /opt/fonts/tt and /opt/fonts/type1, adding /opt/fonts to local.conf will be sufficient to access all the fonts you installed on the system.

Once you’ve made these changes, type fc-cache as root. This command causes Xft to run through its font directories and create index files. These files are similar to the fonts.dir file in principle, but the details differ. If you fail to take this step, you’ll still be able to access these fonts, but each user’s private Xft cache file will contain the lists of fonts. Generating these files can take some time, thus degrading performance.

To test your Xft fonts, use any Xft-enabled program. Most modern X-based Linux programs are so enabled, so loading a GUI text editor, word processor, Web browser, or other tool that enables you to adjust fonts should do the trick.

Managing GUI Logins

Linux can boot into a purely text-based mode in which the console supports text-based logins and text-mode commands. This configuration is suitable for a system that runs as a server computer or for a desktop system for a user who dislikes GUIs. Most desktop users, though, expect their computers to boot into a friendly GUI. For such users, Linux supports a login system that starts X automatically and provides a GUI login screen. Configuring and managing this system requires you to understand a bit of how the system works, how to run it, and how to change the configuration.

The X GUI Login System

As described later in this chapter, in “Using X for Remote Access,” X is a network-enabled GUI. This fact has many important consequences, and one of these relates to Linux’s GUI login system. This system employs a network login protocol, the X Display Manager Control Protocol (XDMCP). To handle remote logins, an XDMCP server runs on a computer and listens for connections from remote computers’ X servers. To handle local logins, an XDMCP server runs on a computer and starts the local computer’s X server. The XDMCP server then manages the local X server’s display—that is, it puts up a login prompt like that shown in Figure 6.2.

FIGURE 6.2 An XDMCP server manages local GUI logins to a Linux system.

Five XDMCP servers are common on Linux: the X Display Manager (XDM), the KDE Display Manager (KDM), the GNOME Display Manager (GDM), the MDM Display Manager (MDM; a recursive acronym), and the Light Display Manager (LightDM). A few more exotic XDMCP servers are also available, but these five are the most important. Of these, the exam objectives explicitly cover the first three, so they’re the ones described here. As you may guess by their names, KDM and GDM are associated with the KDE and GNOME projects, respectively. MDM is a derivative of GDM. XDM is the oldest and least feature-heavy of these display managers. LightDM aims to be compact and compatible with multiple desktop environments. You can change which desktop manager your system uses if you don’t like the default.

Although KDM and GDM are associated with KDE and GNOME, respectively, neither limits your choice of desktop environment. In fact, it’s possible, and often necessary, to run programs associated with one desktop environment inside another one. This works fine, although it increases the memory load.

Running an XDMCP Server

Several methods exist to start an XDMCP server. The two most common are to launch it more or less directly from init, via an entry in /etc/inittab or its ancillary configuration files; or to launch it as part of a runlevel’s startup script set, via a system startup script. Chapter 5 describes both init and system startup scripts in general, so consult it for information about these processes.

Whichever method is used, many distributions configure themselves to run their chosen XDMCP server when they start in runlevel 5 but not when they start in runlevel 3. This is the only difference between these two runlevels in most cases. Thus, changing from runlevel 3 to runlevel 5 starts X and the XDMCP server on many distributions, and switching back to runlevel 3 stops X and the XDMCP server. As described in more detail in Chapter 5, you can change runlevels as root with the telinit command:

# telinit 5

Permanently changing the runlevel on a SysV-based system requires editing the /etc/inittab file and, in particular, its id line:

id:5:initdefault:

Change the number (5 in this case) to the runlevel you want to use as the default. Most distributions that use Upstart or systemd start the XDMCP server via methods more akin to the methods traditionally used by Debian, as described next.

A few distributions—most notably Gentoo, Debian, and Debian’s derivatives (including the popular Ubuntu)—attempt to start an XDMCP server in all runlevels (or don’t do so at all). This is done through the use of a SysV startup script called xdm, kdm, or gdm. Thus, you can temporarily start or stop the XDMCP server by running this script and passing it the start or stop option. To permanently enable or disable the XDMCP server, you should adjust your SysV startup scripts, as described in Chapter 5.

In addition to the question of whether to run an XDMCP server is the question of which XDMCP server to run. Most distributions set a default XDMCP server in one way or another. Two common methods exist:

Selection via Configuration File: Some distributions hide the XDMCP server choice in a configuration file, often in the /etc/sysconfig directory. In Fedora, the /etc/sysconfig/desktop file sets the DISPLAYMANAGER variable to the path to the executable, as in DISPLAYMANAGER=/bin/xdm. In openSUSE, /etc/sysconfig/displaymanager sets the DISPLAYMANAGER variable to the display manager’s name in lowercase letters, as in DISPLAYMANAGER="xdm".

Selection via Startup Script: In Debian and derivative distributions, such as Ubuntu, the display manager is set via a SysV, Upstart, or systemd startup script—use the gdm script to use GDM, kdm to use KDM, and so on. By default, only one XDMCP server (and associated startup script) is installed, so if you want to change your XDMCP server, you may need to install your desired server. Chapter 5 describes how to configure specific startup scripts to run automatically.

Unfortunately, distribution maintainers have had a habit of changing the details of how XDMCP servers are launched from time to time, and the settings are often buried in poorly documented configuration files. Thus, you may need to go digging through the files in your /etc directory to find the correct setting. If you can’t find the setting, try using grep to search for strings such as DISPLAYMANAGER or the name of the XDMCP server that’s currently running.

Configuring an XDMCP Server

XDMCP servers, like most programs, can be configured. Unfortunately, this configuration varies from one server to another, although there are some commonalities. In the following pages, I provide some details for configuring XDM, KDM, and GDM.

Configuring XDM

XDM is the simplest of the major XDMCP servers. It accepts usernames and passwords but doesn’t enable users to perform other actions, such as choose which desktop environment to run. (This must be configured through user login files.)

XDM’s main configuration file is /etc/X11/xdm/xdm-config. Most distributions ship with a basic xdm-config file that should work fine for a local workstation. If you want to enable the computer to respond to remote login requests from other X servers on the network or if you want to verify that the system is not so configured, you should pay attention to this line:

DisplayManager.requestPort: 0

This line tells XDM to not access a conventional server port. To activate XDM as a remote login server, you should change 0 to 177, the traditional XDMCP port. You must then restart XDM. When so configured, users on other computers can initiate remote X-based logins to your computer via XDMCP. This can be handy on local networks, but it’s also a security risk, which is why the default is to not enable such access.

The /etc/X11/xdm/Xaccess file is another important XDM configuration file. If XDM is configured to permit remote access, this file controls who may access the XDM server and in what ways. A wide-open system contains lines that use an asterisk (*) to denote that anybody may access the system:

*
* CHOOSER BROADCAST

The first line tells XDM that anybody may connect, and the second line tells XDM that anybody may request a chooser—a display of local systems that accept XDMCP connections. To limit the choices, you should list individual computers or groups of computers instead of using the asterisk wildcard:

*.pangaea.edu
tux.example.com
*.pangaea.edu CHOOSER BROADCAST

This example lets any computer in the pangaea.edu domain connect or receive a chooser, and it also lets tux.example.com connect but not receive a chooser.

Many additional options are set in the /etc/X11/xdm/Xresources file; it hosts X resources, which are similar to environment variables but apply only to X-based programs. For instance, you can change the text displayed by XDM by altering the xlogin*greeting resource in this file.
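
The following script is an added example, not part of the original text: it checks the two XDM settings described above, the requestPort line in xdm-config and bare asterisk entries in Xaccess. The function names and the constructed sample files are assumptions; on a real system, pass /etc/X11/xdm/xdm-config and /etc/X11/xdm/Xaccess to audit_xdm.

```shell
#!/bin/sh
# Added example: report whether an XDM configuration accepts remote XDMCP
# logins and from whom. Function names and sample data are illustrative.

# xdmcp_port FILE -> prints the effective DisplayManager.requestPort value.
# Lines starting with "!" are comments in X resource files; the last
# matching line wins. If the resource is absent, xdm uses its built-in
# default of 177, so that value is printed.
xdmcp_port() {
    awk '
        /^[ \t]*!/ { next }
        /^[ \t]*DisplayManager[.*]requestPort[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); port = $0; seen = 1
        }
        END { if (seen) print port; else print 177 }
    ' "$1"
}

# xaccess_open FILE -> prints "LINENO: entry" for every Xaccess entry whose
# host pattern is a bare "*" (any host). "#" starts a comment. Patterns
# such as *.pangaea.edu are limited to one domain and are not reported.
xaccess_open() {
    awk '
        { sub(/#.*/, ""); $1 = $1 }
        $1 == "*" { print NR ": " $0 }
    ' "$1"
}

# audit_xdm CONFIG XACCESS -> prints one line per finding.
audit_xdm() {
    port=$(xdmcp_port "$1")
    if [ "$port" = "0" ]; then
        echo "OK: requestPort is 0, XDM does not listen for XDMCP"
        return 0
    fi
    echo "WARN: XDM listens for XDMCP on UDP port $port"
    open=$(xaccess_open "$2")
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | sed 's/^/WARN: Xaccess wildcard entry, line /'
    else
        echo "INFO: Xaccess has no bare * entries; only listed hosts may connect"
    fi
}

# Constructed sample input (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/xdm-config" <<'EOF'
! constructed sample xdm-config
DisplayManager.errorLogFile: /var/log/xdm.log
DisplayManager.requestPort: 177
EOF
cat > "$demo_dir/Xaccess" <<'EOF'
# constructed sample Xaccess
*.pangaea.edu
tux.example.com
*                 CHOOSER BROADCAST
EOF
audit_xdm "$demo_dir/xdm-config" "$demo_dir/Xaccess"
rm -rf "$demo_dir"
```

With the sample files, the script reports the open port and flags line 4 of Xaccess, because any host may request a chooser there.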

Configuring KDM

KDM is based partly on XDM and so shares many of its configuration options. Unfortunately, the location of the KDM configuration files is unpredictable; sometimes KDM uses the XDM configuration files, other times they’re stored in /etc/X11/kdm or /etc/kde/kdm, and sometimes they’re stored in a truly strange location such as /usr/lib/kde4/libexec/.

If you can’t find the KDM configuration files, try using your package management tools, described in Chapter 2, “Managing Software.” Try obtaining lists of files in the kdm or kdebase package or some other likely candidate, and look for the KDM configuration files.

KDM expands on XDM by enabling users to select a session type when they log in, to shut down the computer from the main KDM prompt, and so on. Most of these extra options are set in the kdmrc file, which appears in the same directory as the other KDM configuration files. Some of these options override the more common XDM configuration options for the same features. In particular, the [Xdmcp] section provides options relating to network operation. The Enable option in that section should be set to true if you want to support network logins.

Configuring GDM

GDM is more of a break from XDM than is KDM. GDM doesn’t use the conventional XDM configuration files or similar files. Instead, it uses configuration files that are usually stored in /etc/X11/gdm or /etc/gdm. In the past, the most important of these files was gdm.conf, and it had a format similar to the kdmrc file. More recent versions of GDM, however, place this file elsewhere and give it a new format. With these versions, you can set local options in the custom.conf file in the GDM configuration directory. This file typically starts with no options, but the ones you set override the defaults. As with KDM, you should set the enable option to yes in the [xdmcp] section if you want to enable remote logins.

A GUI control tool for GDM exists on some systems but is missing from others. Type gdmconfig or gdmsetup as root to launch this program, which enables you to set GDM options using a point-and-click interface.

Like KDM, GDM provides extra options over those of XDM. These options include the ability to choose your login environment and shut down the computer. GDM is a bit unusual in that it prompts for the username and only then presents a prompt for the password. XDM and KDM both present fields for the username and password simultaneously.

Using X for Remote Access

As noted earlier, in “The X GUI Login System,” X is a network-enabled GUI. This fact enables you to run Linux programs remotely—you can set up a Linux system with X programs and run them from other Linux (or even non-Linux) computers. Similarly, you can use a Linux computer as an access terminal for X programs that run on a non-Linux Unix computer, such as one running Solaris. To do this, you should first understand something of X’s network model, including where the client and server systems are located, how X controls access to itself, and so on. You can then proceed to perform the remote accesses.

X Client-Server Principles

Most people think of servers as powerful computers hidden away in machine rooms, and of clients as the desktop systems that ordinary people use. Although this characterization is often correct, it’s very wrong when it comes to X. X is a server, meaning that the X server runs on the computer at which the user sits. X clients are the programs that users run—xterm, xfontsel, KMail, LibreOffice, and so on. In most cases, the X server and its clients reside on the same computer, so this peculiar terminology doesn’t matter; but when you use X for remote access, you must remember that the X server runs on the user’s computer, while the X clients run on the remote system.

To make sense of this peculiarity, think of it from the program’s point of view. For instance, consider a Web browser such as Firefox. This program accesses Web pages stored on a Web server computer. The Web server responds to requests from Firefox to load files. Just as Firefox loads files, it displays files on the screen and accepts input from its user. From the program’s point of view, this activity is much like retrieving Web pages, but it’s handled by an X server rather than a Web server. This relationship is illustrated in Figure 6.3.

FIGURE 6.3 From a program’s point of view, the X server works much like a conventional network server such as a Web server.

Ordinarily, Linux is configured in such a way that its X server responds only to local access requests as a security measure. Thus, if you want to run programs remotely, you must make some changes to have Linux lower its defenses—but not too far, lest you let anybody access the X server, which could result in security breaches.

Using Remote X Clients

Suppose your local network contains two machines. The computer called zeus is a powerful machine that hosts important programs, like a word processor and data analysis utilities. The computer called apollo is a much less powerful system, but it has an adequate monitor and keyboard. Therefore, you want to sit at apollo and run programs that are located on zeus. Both systems run Linux. To accomplish this task, follow these steps:

1. Log into apollo and, if it’s not already running X, start it.
2. Open a terminal (such as an xterm) on apollo.
3. Type xhost +zeus in apollo’s terminal. This command tells apollo to accept for display in its X server data that originates on zeus.
4. Log into zeus from apollo. You might use Telnet or Secure Shell (SSH), for instance. The result should be the ability to type commands in a shell on zeus.
5. On zeus, type export DISPLAY=apollo:0.0. (This assumes you’re using bash; if you’re using tcsh, the command is setenv DISPLAY apollo:0.0.) This command tells zeus to use apollo for the display of X programs. (Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” describes environment variables, such as DISPLAY, in greater detail.)
6. Type whatever you need to type to run programs at the zeus command prompt. For instance, you could type loffice to launch LibreOffice. You should see the programs open on apollo’s display, but they’re running on zeus—their computations use zeus’s CPU, they can read files accessible on zeus, and so on.
7. After you’re done, close the programs you’ve launched, log off zeus, and type xhost -zeus on apollo. This tightens security so that a miscreant on zeus won’t be able to modify your display on apollo.

Sometimes, you can skip some of these steps. For instance, depending on how it’s configured, SSH can forward X connections, meaning that SSH intercepts attempts to display X information and passes those requests on to the system that initiated the connection. When this happens, you can skip steps 3 and 5, as well as the xhost command in step 7. (See the Real World Scenario sidebar “Encrypting X Connections with SSH.”)

Encrypting X Connections with SSH

The SSH protocol is a useful remote-access tool. Although it’s often considered a text-mode protocol, SSH also has the ability to tunnel network connections—that is, to carry another protocol through its own encrypted connection. This feature is most useful for handling remote X access. You can perform the steps described in “Using Remote X Clients” but omit steps 3 and 5 and the xhost command in step 7. This greatly simplifies the login process and adds the benefits of SSH’s encryption, which X doesn’t provide. On the other hand, SSH’s encryption is likely to slow down X access, although if you enable SSH’s compression features, this problem may be reduced in severity. Overall, tunneling X through SSH is the preferred method of remote X access, particularly when any network in the process isn’t totally secure.

SSH tunneling does require that certain options be set. In particular, you must either use the -X or -Y option to the ssh client program or set the ForwardX11 or ForwardX11Trusted option to yes in /etc/ssh_config on the client system. You must also set the X11Forwarding option to yes in the /etc/sshd_config file on the SSH server system. These options enable SSH’s X forwarding feature; without these options, SSH’s X forwarding won’t work.

As an added security measure, many Linux distributions today configure X to ignore true network connections. If your distribution is so configured, the preceding steps won’t work; when you try to launch an X program from the remote system, you’ll get an error message. To work around this problem, you must make an additional change, depending on how X is launched:

GDM: On older versions of GDM, check the GDM configuration file (typically /etc/X11/gdm/gdm.conf): look for the line DisallowTCP=true, and change it to read DisallowTCP=false. On newer versions of GDM, edit /etc/gdm/custom.conf, and add a line that reads DisallowTCP=false to the [security] section (adding it if required).

KDM or XDM: These two XDMCP servers both rely on settings in the Xservers file (in /etc/X11/xdm for XDM, and in this location or some other highly variable location for KDM). Look for the line that begins with :0. This line contains the command that KDM or XDM uses to launch the X server. If this line contains the string -nolisten tcp, remove that string from the line. Doing so eliminates the option that causes X to ignore conventional network connections.

Special openSUSE Configuration: In openSUSE, you must edit /etc/sysconfig/displaymanager and set the DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN option to yes.

X Launched from a Text-Mode Login: If you log in using text mode and type startx to launch X, you may need to modify the startx script itself, which is usually stored in /usr/bin. Search this script for the string -nolisten tcp. Chances are this string will appear in a variable assignment (such as to defaultserverargs) or possibly in a direct call to the X server program. Remove the -nolisten tcp option from this variable assignment or program call.

Once you’ve made these changes, you’ll need to restart X as described earlier in “Running an XDMCP Server.” Thereafter, X should respond to remote access requests.

If X responds to remote network requests, the risk of an intruder using a bug or misconfiguration to trick users by displaying bogus messages on the screen is greatly increased. Thus, you should disable this protection only if you’re sure that doing so is necessary. You may be able to use an SSH link without disabling this protection.
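
The following script is an added example, not part of the original text: it reports which of the launch paths described above has had the protection removed, so that a change made for one remote session is not forgotten. It follows the text's model, in which X accepts TCP connections unless -nolisten tcp or DisallowTCP=true is present; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example: find X launch paths where the "ignore TCP connections"
# protection is missing. Function names and sample data are illustrative.

# xservers_tcp FILE -> "listen" if any local display line (":0", ":1", ...)
# in an Xservers file lacks -nolisten tcp, "nolisten" if every such line
# has it, "none" if the file defines no local display.
xservers_tcp() {
    awk '
        /^:[0-9]/ { seen = 1; if ($0 !~ /-nolisten[ \t]+tcp/) open = 1 }
        END { print (seen ? (open ? "listen" : "nolisten") : "none") }
    ' "$1"
}

# gdm_disallow_tcp FILE -> lowercased value of DisallowTCP in the
# [security] section of a GDM configuration file, or "unset" when the key
# does not appear in that section.
gdm_disallow_tcp() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[security\]/); next }
        insec && /^[ \t]*DisallowTCP[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = tolower($0)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# startx_tcp FILE -> "nolisten" if a non-comment line of the startx script
# mentions -nolisten tcp, otherwise "listen".
startx_tcp() {
    if grep -v '^[[:space:]]*#' "$1" |
        grep -q -e '-nolisten[[:space:]]\{1,\}tcp'
    then
        echo nolisten
    else
        echo listen
    fi
}

# audit_x_tcp XSERVERS GDMCONF STARTX -> one WARN line per weakened path.
# Files that do not exist on this host are skipped silently.
audit_x_tcp() {
    if [ -f "$1" ] && [ "$(xservers_tcp "$1")" = "listen" ]; then
        echo "WARN: $1: a local display line lacks -nolisten tcp"
    fi
    if [ -f "$2" ] && [ "$(gdm_disallow_tcp "$2")" = "false" ]; then
        echo "WARN: $2: DisallowTCP=false in [security]"
    fi
    if [ -f "$3" ] && [ "$(startx_tcp "$3")" = "listen" ]; then
        echo "WARN: $3: no -nolisten tcp in the script"
    fi
    return 0
}

# Constructed sample files standing in for Xservers, custom.conf and startx.
demo=$(mktemp -d)
printf '%s\n' ':0 local /usr/bin/X vt7' > "$demo/Xservers"
printf '%s\n' '[security]' 'DisallowTCP=false' > "$demo/custom.conf"
printf '%s\n' '#!/bin/sh' 'defaultserverargs="-nolisten tcp"' > "$demo/startx"
audit_x_tcp "$demo/Xservers" "$demo/custom.conf" "$demo/startx"
rm -rf "$demo"
```

With the sample files, the Xservers and custom.conf paths are reported and the startx script is not, because it still passes -nolisten tcp.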

Another option for running X programs remotely is to use the Virtual Network Computing (VNC) system (http://www.realvnc.com). VNC runs a special X server on the computer that’s to be used from a distance, and a special VNC client runs on the computer at which you sit. You use the client to directly contact the server. This reversal of client and server roles over the normal state of affairs with conventional X remote access is beneficial in some situations, such as when you’re trying to access a distant system from behind certain types of firewall. VNC is also a cross-platform protocol; it’s possible to control a Windows or Mac OS system from Linux using VNC, but this isn’t possible with X. (X servers for Windows and Mac OS are available, enabling you to control a Linux system from these non-Linux OSs.)

X Accessibility

Historically, most computers have been designed for individuals with normal physical capabilities. As computers have become everyday tools, though, the need for people with various disabilities to use computers has risen. Linux provides tools to help with this task. Some basic X settings (controlled in xorg.conf or XF86Config) can help in this respect—for instance, you can adjust the keyboard repeat rate to prevent spurious key repeats for individuals who may keep keys pressed longer than average. Other settings are unusual and may require the use of unique accessibility tools to set. Some options must be set in specific desktop environments (KDE or GNOME, for example).

Keyboard and Mouse Accessibility Issues

You can set many keyboard and mouse options using ordinary desktop environment tools for personalizing keyboard and mouse responses. Other options are more exotic, such as onscreen keyboards.

Standard Keyboard and Mouse Options

Most Linux desktop environments include keyboard and mouse control panel options. For instance, in a standard Fedora 17 GNOME installation, you can find the keyboard options in the Keyboard item of the System Settings control panel, and you can find the mouse options in the Mouse and Touchpad item. The AccessX utility is an older program that works in any desktop environment to provide similar features. Figure 6.4 shows AccessX in operation. Because the locations of such options can be customized from one distribution to another and can change from one release to another, you may need to hunt for the options in your menus.

FIGURE 6.4 AccessX and desktop environment control panels provide accessibility options.

The exam objectives mention AccessX; however, this package is not available in most distributions and appears to be abandoned. Its functionality has been folded into desktop environment control panels. Thus, although I describe AccessX’s features, chances are you’ll need to look for equivalents in your desktop environment’s control panel.

Keyboard and mouse accessibility features that you can set with AccessX or similar tools in desktop environments include the following (sometimes under slightly different names):

Sticky Keys: When enabled, this option causes keyboard modifier keys (Ctrl, Alt, and Shift) to “stick” when pressed, affecting the next regular key to be pressed even after release of the sticky key. This can be useful for users who have difficulty pressing multiple keys simultaneously. Some tools, including AccessX, provide additional options that affect the details of how sticky keys work.

Mouse Keys: This option enables you to use the cursor keypad on your keyboard to emulate a mouse.

Bounce (or Debounce) Keys: If a user tends to accidentally press a single key multiple times, the bounce keys option may be able to compensate for this tendency. (Aging keyboards also sometimes produce key bounce.)

Slow Keys: When activated, this option requires a key to be pressed for longer than a specified period of time before it registers as a key press. This feature is useful for individuals who tend to accidentally press keys.

Keyboard Repeat Rate: The repeat delay and rate can be set using sliders. These settings override those set in the X configuration file; but if you use a bare window manager, you may need to set these options in the X configuration file. Disabling keyboard repeat or setting a very long delay may be necessary for some users.

Time Out: In AccessX, the Time Out option sets a time after which its accessibility options will be disabled.

Mouse Tracking and Click Options: The ordinary mouse tracking and click options can be adjusted to unusual values for those who have special needs. (This and the next two options are not provided by AccessX but are provided by many desktop environments.)

Simulated Mouse Clicks: Some environments let you configure the mouse to simulate a click whenever the mouse pointer stops moving or to simulate a double click whenever the mouse button is pressed for an extended period.

Mouse Gestures: Gestures are similar to keyboard shortcuts but are for mice; they permit you to activate program options by moving your mouse in particular ways.

Using Onscreen Keyboards

If a user has difficulty using a regular keyboard but can use a mouse, that user can employ an onscreen keyboard. This is an application that displays an image of a keyboard. Using the mouse to press the keys on the keyboard image works much like using a real keyboard. Some other keyboards require the user to enter text into their own buffers and then cut and paste the text from the keyboard application into the target program.

Browse the menus for your desktop environment to locate the onscreen keyboards available on your system. If you can’t find one, or if you don’t like it, use your package manager to search for such programs—searching on keyboard should turn up some options.

The GNOME On-Screen Keyboard (GOK) deserves special mention as a particularly powerful tool in this category. This program provides not only an onscreen keyboard but also tools that provide shortcuts for various mouse, menu, and toolbar features of other programs, as well as tools to help users navigate the GNOME desktop. You can launch GOK by typing gok at a command prompt. You can learn more at the main GOK Web page, http://library.gnome.org/users/gnome-access-guide/stable/gok.html.

Screen Display Settings

Users with poor eyesight can benefit from adjustments to screen settings and applications. These include font options, contrast settings, and screen magnification tools.

Adjusting Default Fonts

Most desktop environments provide options to set the default fonts used on the screen. Figure 6.5 shows the System Settings dialog box provided with KDE. You can access this by typing systemsettings in a terminal window or by selecting Configure Desktop from the main menu and then selecting Application Appearance from the options in the window that appears. A similar tool is available in Xfce, accessible from the Appearance item in its System Settings panel.

FIGURE 6.5 Linux desktop environments usually provide control panels with font options.

To adjust the fonts, click the Choose button to the right of the font for each of the main categories, such as General and Menu in Figure 6.5. The result is a font selection dialog box, in which you can select the font family (Sans, Times, and so on), the font style (normal, bold, and so on), and the font size in points. Adjust these options until you find a setting that works well. You’ll have to adjust the font for each of the categories, or at least for those that are most important.

Dyslexic users often benefit from a special font that weights the bottoms of the characters more heavily than the tops. One such font is available from http://dyslexicfonts.com.

Unfortunately, although many applications take their cues on fonts from the desktop environment’s settings, others don’t. Thus, you may need to adjust options in at least some individual applications, as well as in the desktop environment as a whole.

Adjusting Contrast

Desktop environments provide various themes—settings for colors, window manager decorations, and so on. Some themes are better than others in terms of legibility. For instance, some themes are very low in contrast, and others are high in contrast.

Monitors have their own contrast controls. You can adjust these for best legibility, of course, but the contrast adjustments afforded by desktop environment settings are independent of a monitor’s contrast settings.

In KDE, you can set themes in the same System Settings preferences dialog box in which you set the fonts (Figure 6.5); you click the Colors icon in the left pane and select the theme you want to use. The Workspace Appearance item (accessible by clicking Overview from the screen shown in Figure 6.5) provides additional options. Xfce provides similar options in its Appearance control panel.

Using Magnifier Tools

A screen magnifier application enlarges part of the screen—typically the area immediately surrounding the mouse. One common screen magnifier is KMag, which is part of the KDE suite. (You can use KMag even in GNOME, Xfce, or other desktop environments, though.) To use it, type kmag or select it from your desktop menus. The result is the KMag window on the screen, which enlarges the area around the cursor by default.

Using Additional Assistive Technologies

In addition to keyboard, mouse, and conventional display tools, some programs can help those with special needs. Most notably, screen readers and Braille displays can help those who can’t read conventional displays.

Configuring Linux to Speak

Computer speech synthesis has existed for decades. Today, several speech synthesis products are available for Linux, including these:

Orca: This program, which is based at http://live.gnome.org/Orca, is a screen reader that’s been integrated into GNOME 2.16 and later.

Emacspeak: Similar to Orca in many respects, this program aims to enable those with visual impairments to use a Linux computer. You can learn more at http://emacspeak.sourceforge.net.

Using Braille Displays

A Braille display is a special type of computer monitor. Rather than display data visually, it creates a tactile display of textual information in Braille. As such, a Braille display is an efficient way for those with visual impairments to access text-mode information, such as that displayed at a Linux text-mode console. Many Linux text-mode programs can manage a Braille display with no changes.

To use a Braille display, special Linux software is required. The BRLTTY (http://www.mielke.cc/brltty/) project provides a Linux daemon that redirects text-mode console output to a Braille display. It includes features that support scrollback, multiple virtual terminals, and even speech synthesis.

Linux kernels since 2.6.26 include direct support for Braille displays. If you’re familiar with Linux kernel compilation, you should check the Accessibility Support options in the Device Drivers area of the kernel configuration.

Configuring Localization and Internationalization

Linux is an international OS. Its developers and users reside in many countries around the world. Therefore, Linux supports a wide variety of character sets, keyboards, date/time display formats, and other features that can vary from one region to another. Many of these features are set up when you answer questions during installation, but knowing about them—and how to change them—can help you manage your system, particularly if you need to change these options for any reason.

Setting Your Time Zone

When you communicate with other computers (by sending email, transferring files, and so on), those other computers may reside in the same city or around the world. For this reason, it’s helpful for your computer to know something about its time zone. This can help keep files’ time stamps set sensibly and avoid weird temporal problems when exchanging data. For the most part, you need to be concerned with just one time zone setting for a Linux computer; but sometimes you may want to set the time zone one way for one account or login and another way for another account or login. Thus, I describe both methods of setting a time zone.

Setting a Linux Computer’s Time Zone

Linux uses Coordinated Universal Time (UTC) internally. This is the time in Greenwich, England, uncorrected for daylight saving time. When you write a file to disk on a Linux-native filesystem, the time stamp is stored in UTC. When you use tools such as cron (described in Chapter 7, “Administering the System”), they “think” in UTC. Chances are, though, that you use local time. Thus, a Linux computer must be able to translate between local time and UTC.

To perform this translation, Linux needs to know your time zone. Linux looks to the /etc/localtime file for information about its local time zone. This file is one of the rare configuration files that’s not a plain-text file, so you shouldn’t try editing it with a text editor. This file could be a file of its own, or it could be a symbolic or hard link to another file. If it’s a symbolic link, you should be able to determine your time zone by performing a long file listing to see the name of the file to which localtime links:

$ ls -l /etc/localtime
lrwxrwxrwx 1 root root 36 May 14 2008 /etc/localtime -> /usr/share/zoneinfo/America/New_York

If /etc/localtime is a regular file and not a symbolic link or if you want further confirmation of your time zone, try using the date command by itself:

$ date
Mon Sep 3 12:50:58 EDT 2012

The result includes a standard three-letter time zone code (EDT in this example). Of course, you’ll need to know these codes, or at least the code for your area. For a list of time zone abbreviations, consult http://www.timeanddate.com/library/abbreviations/timezones/. Note that the time zone codes vary depending on whether daylight saving time is active, but the Linux time zone files don’t change with this detail. Part of what these files do is describe when to change the clock for daylight saving time.

If you need to change your time zone, you should copy or link a sample file from a standard directory location to the /etc/localtime file:

1. Log in as root or acquire root privileges.

2. Change to the /etc directory.

3. View the contents of the /usr/share/zoneinfo directory. This directory contains files for certain time zones named after the zones or the regions to which they apply, such as GMT, Poland, and Japan. Most users will need to look in subdirectories, such as /usr/share/zoneinfo/US for the United States or /usr/share/zoneinfo/America for North and South America. These subdirectories contain zone files named after the regions or cities to which they apply, such as Eastern or Los_Angeles. (The US subdirectory contains files named after time zones or states, whereas the America subdirectory holds files named after cities.) Identify the file for your time zone. Note that you might use a zone file named after a city other than the one in which you reside but that’s in the same time zone as you. For instance, the New_York file works fine if you’re in Boston, Philadelphia, Cincinnati, or any other city in the same (Eastern) time zone as New York.

4. If a localtime file exists in /etc, delete it or rename it. (For instance, type rm localtime.)

5. Create a symbolic link from your chosen time zone file to the /etc/localtime file. For instance, you can type ln -s /usr/share/zoneinfo/US/Eastern localtime to set up a computer in the U.S. Eastern time zone. Alternatively, you can copy a file (cp) rather than create a symbolic link (ln -s). If /etc and your target file are on the same filesystem, you can create a hard link rather than a symbolic link if you like.

At this point, your system should be configured to use the time zone you’ve selected. If you changed time zones, you should be able to see the difference by typing date, as described earlier. The time zone code on your system should change compared to issuing this command before you changed the /etc/localtime file or link. The time should also change by the number of hours between the time zones you’ve selected (give or take a bit for the time it took you to change the time zone files).

In addition to /etc/localtime, some distributions use a secondary file with text-mode time zone data. This file is called /etc/timezone on Debian and its derivatives. On Fedora and related distributions, it’s /etc/sysconfig/clock. This file contains a line or two with the name of the time zone, sometimes in the form of a variable assignment. For instance, the /etc/timezone file on my Ubuntu system looks like this:

America/New_York

This file provides a quick way to check your time zone. It should also be updated when you change your time zone, lest higher-level configuration tools become confused.

Some distributions provide text-mode or GUI tools to help make time zone changes. Look for a program called tzsetup, tzselect, tzconfig, or something similar. Typically, these programs ask you for your location in several steps (starting with your continent, then your nation, and perhaps then your state or city) and create an appropriate symbolic link.
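The procedure above, together with a check that names the zone even when /etc/localtime is a regular file, as an added shell example that is not from the book. set_zone, identify_zone and demo_zone are hypothetical names, and the demo works in a scratch directory with constructed stand-in zone files, so the real /etc is never touched.

```shell
#!/bin/sh
# Added example. set_zone, identify_zone and demo_zone are hypothetical names.

# set_zone ROOT ZONE
# Steps 4 and 5 of the procedure, plus the Debian-style /etc/timezone file.
# ROOT is a directory prefix; pass "" on a real system (as root).
set_zone() {
    sz_root=$1
    sz_zone=$2
    # Reject names that could point outside the zoneinfo tree.
    case $sz_zone in
        "" | /* | *..*) echo "set_zone: bad zone name: $sz_zone" >&2; return 2 ;;
    esac
    sz_file=$sz_root/usr/share/zoneinfo/$sz_zone
    [ -f "$sz_file" ] || { echo "set_zone: no such zone: $sz_zone" >&2; return 1; }
    # Step 4: rename any existing file or link rather than deleting it.
    if [ -e "$sz_root/etc/localtime" ] || [ -L "$sz_root/etc/localtime" ]; then
        mv -f "$sz_root/etc/localtime" "$sz_root/etc/localtime.bak"
    fi
    # Step 5: link the chosen zone file into place.
    ln -s "$sz_file" "$sz_root/etc/localtime"
    # Keep the text-mode copy in step so higher-level tools agree.
    printf '%s\n' "$sz_zone" > "$sz_root/etc/timezone"
}

# identify_zone ROOT
# Print the zone name(s) that ROOT/etc/localtime corresponds to.
identify_zone() {
    iz_lt=$1/etc/localtime
    iz_zi=$1/usr/share/zoneinfo
    if [ -L "$iz_lt" ]; then
        iz_target=$(readlink "$iz_lt")
        case $iz_target in
            "$iz_zi"/*) printf '%s\n' "${iz_target#"$iz_zi"/}"; return 0 ;;
        esac
    fi
    # Regular file (or a link elsewhere): compare contents with every zone file.
    find "$iz_zi" -type f | LC_ALL=C sort | while IFS= read -r iz_f; do
        if cmp -s "$iz_lt" "$iz_f"; then
            printf '%s\n' "${iz_f#"$iz_zi"/}"
        fi
    done
}

demo_zone() {
    scratch=$(mktemp -d) || return 1
    zi=$scratch/usr/share/zoneinfo
    mkdir -p "$scratch/etc" "$zi/America" "$zi/US" "$zi/Europe"
    # Constructed stand-ins for real zone files; US/Eastern duplicates
    # America/New_York, as it does in the real database.
    printf 'constructed eastern rules\n' > "$zi/America/New_York"
    cp "$zi/America/New_York" "$zi/US/Eastern"
    printf 'constructed london rules\n' > "$zi/Europe/London"

    set_zone "$scratch" Europe/London
    echo "link: $(identify_zone "$scratch")"

    # Replace the link with a copy, the cp alternative mentioned in step 5.
    rm -f "$scratch/etc/localtime"
    cp "$zi/US/Eastern" "$scratch/etc/localtime"
    # Unquoted on purpose: joins the matching names onto one line.
    echo "copy:" $(identify_zone "$scratch")

    rc=0
    set_zone "$scratch" ../../etc/shadow 2>/dev/null || rc=$?
    echo "traversal rejected with status $rc"
    rm -rf "$scratch"
}

demo_zone
```

A copied file matches every zone file with identical contents, which is why the copy case reports both America/New_York and US/Eastern.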

Setting an Individual Login’s Time Zone

One final wrinkle on time zone issues is the TZ environment variable. (Chapter 9 covers environment variables in more detail.) This environment variable holds time zone information in any of three formats:

The most common format on Linux is :filename, as in :/usr/share/zoneinfo/Europe/London. This tells the system that the time zone is the one described in the specified file.

A second format, common on non-Linux systems, is stdoffset, where std is a three-character or longer time zone name (such as EST) and offset is a time relative to UTC, with positive values representing offsets west of the Prime Meridian and negative values being east of it. For instance, EST+5 specifies U.S. Eastern Time. This format is used when daylight saving time is not in effect.

If daylight saving time is in effect, a variant on the preceding method is possible: stdoffsetdst[offset],start[/time],end[/time]. This specification adds the daylight saving time code as well as encoded start and end dates (and optionally times). For instance, EST+5EDT,M3.10.0/2,M11.3.0/2 specifies US Eastern Time with daylight saving time encoded with dates for 2013.

In the vast majority of cases, you won’t need to use the TZ environment variable. It can be useful, though, in the event that you’re using a computer remotely—say, if you’re logging into a work computer that’s physically located in San Francisco while you’re traveling to London. Using TZ will enable programs that use this variable to display the correct local date and time in London, despite the fact that the computer’s global time zone is (presumably) set for San Francisco.

In practice, the easiest way to use TZ for a single login is to issue a command like the following:

$ export TZ=:/usr/share/zoneinfo/Europe/London

This example sets the time zone to London for a single session but only from the shell at which you type this command. You can add this command to a user startup script if you want to use it regularly. You should not use this method if all a computer’s programs should use the target time zone; instead, set it by adjusting the /etc/localtime file, as described earlier in “Setting a Linux Computer’s Time Zone.”

Querying and Setting Your Locale

To localize your computer, you must first understand what a locale is in Linux parlance. Once you understand the basics, you can identify your current locale and other locales available to you. If necessary, you may need to install another locale’s data. You can then set your computer to use that locale.

What Is a Locale?

In Linux, a locale is a way of specifying the computer’s (or user’s) language, country, and related information for purposes of customizing displays. A single locale takes the following form:

[language[_territory][.codeset][@modifier]]

Each part of this string has a set of specific acceptable forms. For instance, language can be en (English), fr (French), ja (Japanese), and so on. These are two- or three-letter codes for languages.

The territory can be US (United States), FR (France), JP (Japan), and so on. These are codes for specific regions—generally nations.

The codeset can be ASCII, UTF-8, or other encoding names. The American Standard Code for Information Interchange (ASCII) is the oldest and most primitive encoding method; it supports 7-bit encodings (generally stored in 8-bit bytes) that can handle English, including common punctuation and symbols. ASCII can’t handle characters used in many non-English languages, though, so it’s awkward at best for international use. ISO-8859 was an early attempt to extend ASCII; it employs an eighth bit to extend ASCII by 128 characters, giving room for the characters needed by a small number of non-Roman alphabets. ISO-8859 is broken down into many substandards, each of which handles one language or small group of languages. ISO-8859-1 covers Western European languages and ISO-8859-5 provides Cyrillic support, for instance.

The latest language codeset is the 8-bit Unicode Transformation Format (UTF-8). Like ISO-8859, UTF-8 starts with ASCII, but it extends it by supporting variable-byte extensions so that a single character can take anywhere from one to four bytes to be encoded. This provides the ability to encode text in any language supported by Unicode, which is a character set designed to support as many languages as possible. The big advantage of UTF-8 over ISO-8859 is that there’s no need to specify a substandard, such as ISO-8859-1 or ISO-8859-5; UTF-8 handles all of its writing systems automatically.

The modifier is a locale-specific code that modifies how it works. For instance, it may affect the sort order in a language-specific manner.

What Is Your Locale?

A locale code can be assigned to one or more of several environment variables. To learn how these are set on your system, issue the locale command without any arguments:

$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

As you can see, quite a few locale variables exist. When programs pay attention to these variables, they adjust themselves appropriately for your locale. For instance, a word processor may default to using common U.S. paper sizes (such as 8.5×11 inches) when the territory code in LC_PAPER is set to US, but European paper sizes (such as A4, 210×297 mm) when territory is set to a code for a country where these paper sizes are more common.

Most of the locale variables set specific and obvious features, such as LC_PAPER (paper size), LC_MEASUREMENT (measurement units), and so on. The LC_ALL variable is a sort of master override—if it’s set, it overrides all the other LC_* variables.

A related environment variable is LANG. It takes the same type of locale specification as the LC_* variables. It sets the locale in case the LC_* variables aren’t set.

While you’re using the locale command, you should try it with the -a option, which identifies all the locales that are available to you:

$ locale -a
C
en_US.utf8
POSIX

In this example (from an Ubuntu system), very few locales are installed. Some systems may have many more; one of my computers has hundreds of locales available.
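An added example, not from the book: parse_locale splits a locale name into the four parts described earlier, and effective_locale applies the precedence just described (LC_ALL first, then the specific LC_* variable, then LANG). Both function names are hypothetical, and the final fallback to the C locale when nothing is set is glibc behavior rather than something stated above.

```shell
#!/bin/sh
# Added example. parse_locale and effective_locale are hypothetical names.

# parse_locale SPEC
# Split language[_territory][.codeset][@modifier] from right to left, so a
# dot or underscore inside a later part cannot confuse an earlier one.
parse_locale() (
    spec=$1
    territory= codeset= modifier=
    case $spec in *@*) modifier=${spec#*@};  spec=${spec%%@*} ;; esac
    case $spec in *.*) codeset=${spec#*.};   spec=${spec%%.*} ;; esac
    case $spec in *_*) territory=${spec#*_}; spec=${spec%%_*} ;; esac
    printf 'language=%s territory=%s codeset=%s modifier=%s\n' \
        "$spec" "$territory" "$codeset" "$modifier"
)

# effective_locale CATEGORY   (for example LC_TIME or LC_PAPER)
# Print the locale a program would use for CATEGORY, followed by the name of
# the variable that supplied it.
effective_locale() (
    category=$1
    # Only plain LC_* names are accepted, because the name is passed to eval.
    case $category in
        LC_ALL | *[!A-Z_]*) echo "effective_locale: bad category" >&2; exit 2 ;;
        LC_?*) ;;
        *) echo "effective_locale: bad category" >&2; exit 2 ;;
    esac
    eval "value=\${$category:-}"
    if   [ -n "${LC_ALL:-}" ]; then echo "$LC_ALL LC_ALL"      # master override
    elif [ -n "$value" ];      then echo "$value $category"    # specific setting
    elif [ -n "${LANG:-}" ];   then echo "$LANG LANG"          # fallback
    else                            echo "C default"           # nothing set (glibc)
    fi
)

# Report two categories for the current environment.
for c in LC_TIME LC_PAPER; do
    set -- $(effective_locale "$c")
    echo "$c -> $1 (from $2): $(parse_locale "$1")"
done
```

A script that parses another program's output can use the same logic in reverse: setting LC_ALL for that one command pins every category at once, whatever LANG and the LC_* variables hold.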

Changing Your Locale

If you want to change your locale, you should first verify that an appropriate one is available to you by using locale -a, as just described. If you don’t see appropriate codes, you may need to install additional packages. Unfortunately, names for these packages aren’t standardized. Your best bet is to use a GUI package manager such as yumex or Synaptic (described in Chapter 2) to search on package names and descriptions that include locale or language. In the case of an Ubuntu system that provided just a few locales, many more could be installed from packages called language-support-??, where ?? is a two-character language code.

To temporarily change your locale, the simplest method is to set the LC_ALL environment variable. For safety, you should also set LANG. For instance, to use the locale for Great Britain rather than the United States, you can type

$ export LANG=en_GB.UTF-8
$ export LC_ALL=en_GB.UTF-8

The result should be that all the locale variables change for that session. There will also be changes in the output of programs that honor locales. Note that this change affects only the current shell and the programs launched from it; you won’t see changes in programs that are already running or that you launch from another shell.

To permanently change your locale, you can adjust your bash startup script files, such as ~/.bashrc or /etc/profile, as described in Chapter 1, “Exploring Linux Command-Line Tools.” (Shell scripting is described in more detail in Chapter 9, but setting or adjusting the LANG and LC_ALL environment variables is fairly straightforward.)

X’s configuration file (xorg.conf or XF86Config) includes an option called XkbLayout in the keyboard’s InputDevice section. This option takes a partial or complete locale specification but converted to lowercase—for instance, us or en_us.utf-8. Adjusting this option can provide you with access to language- or country-specific keys. After changing this option, you’ll have to restart X for the changes to take effect.

Some programs and sets of programs may require you to set the language independent of the overall system locale. Thus, you may need to adjust the language for certain specific programs. If a program doesn’t seem to respond to the overall locale setting, check its documentation or browse through its menus to find a way to adjust its defaults.

One setting requires special mention: LANG=C. When you set LANG to C, programs that see this environment variable display output without passing it through locale translations. This can be helpful in some cases if a program’s output is being corrupted by the locale—say by having conversions to UTF-8 change characters that need to be preserved as 8-bit entities. Thus, setting LANG=C can help to avoid some types of problems, particularly in pipelines and scripts that pass one program’s data to another program in binary form.

Localization support is, to some extent or another, the responsibility of each program’s author. It’s entirely possible to write a program that supports just one language or a small subset of languages. Thus, you won’t be able to get every program to support your desired language, particularly if it’s an unusual one.

Modifying Text-File Locales

Sometimes it’s necessary to access textual data that originated on a system that used one encoding but process the data with a program that doesn’t support that encoding. For instance, your preferred text editor might support UTF-8 but not ISO-8859. If you deal exclusively with English text files in ASCII, this isn’t a problem; but if you receive an ISO-8859-1 text file with a few non-Roman characters, such as characters with umlauts, your editor might display those characters strangely.

To overcome this problem, the iconv utility converts between character sets. Its syntax is as follows:

iconv -f encoding [-t encoding] [inputfile]...

The -f and -t options specify the source and destination encodings. (You can obtain a list of encodings by typing iconv --list.) If you omit the target encoding, iconv uses your current locale for guidance. The program sends output to standard output, so if you want to store the data in a file, you must redirect it:

$ iconv -f iso-8859-1 -t UTF-8 umlautfile.txt > umlautfile-utf8.txt

Configuring Printing

Most Linux desktop users work with X, but many also work with another output medium: printed pages. Printing in Linux is a cooperative effort involving several tools. Applications submit print jobs as PostScript documents. Because most Linux systems aren’t connected directly to true PostScript printers, a program called Ghostscript converts the print job into a form that the system’s printer can actually handle. The print queue, which is managed by software known as the Common Unix Printing System (CUPS), then sends the job to the printer. At various stages, administrators and users can examine the contents of a print queue and modify the queue. Understanding the tools used to create and manage print queues will help you to manage Linux printing.

Conceptualizing the Linux Printing Architecture

Linux printing is built around the concept of a print queue. This is a sort of holding area where files wait to be printed. A single computer can support many distinct print queues. These frequently correspond to different physical printers, but it’s also possible to configure several queues to print in different ways to the same printer. For instance, you might use one queue to print single-sided and another queue for double-sided printing on a printer that supports duplexing.

Users submit print jobs by using a program called lpr. Users can call this program directly, or they may let another program call it. In either case, lpr sends the print job into a specified queue. This queue corresponds to a directory on the hard disk, typically in a subdirectory of the /var/spool/cups directory. The CUPS daemon runs in the background, watching for print jobs to be submitted. The printing system accepts print jobs from lpr or from remote computers, monitors print queues, and serves as a sort of “traffic cop,” directing print jobs in an orderly fashion from print queues to printers.

The exam emphasizes the CUPS printing system, which is the most common printing system on modern Linux systems. Older systems used the BSD Line Printer Daemon (LPD) or the similar LPRng printing system. Many of the CUPS tools are workalikes of the LPD tools. If you ever use a system that runs LPD or LPRng, you’ll find that user commands such as lpr work in the way you expect, but configuring the printer must be done in a very different way.

One important and unusual characteristic of Linux printing is that it’s highly network-oriented. As just noted, Linux printing tools can accept print jobs that originate from remote systems as well as from local ones. Even local print jobs are submitted via network protocols, although they don’t normally use network hardware, so even a computer with no network connections can print. In addition to being a server for print jobs, CUPS can function as a client, passing print jobs to other computers that run the same protocols.

Applications can query CUPS about a printer’s capabilities—its paper sizes, whether it supports color, and so on. The older LPD and LPRng printing systems didn’t support such bidirectional communication. Thus, support for these features still isn’t universal; some programs make assumptions about a printer’s capabilities or must be told things that other programs can figure out by themselves.

Understanding PostScript and Ghostscript

If you’ve configured printers under Windows, Mac OS, OS/2, or certain other OSs, you’re probably familiar with the concept of a printer driver. In these OSs, the printer driver stands between the application and the printer queue. In Linux, the printer driver is part of Ghostscript (http://www.cs.wisc.edu/~ghost/), which exists as part of the printer queue, albeit a late part. This relationship can be confusing at times, particularly because not all applications or printers need Ghostscript. Ghostscript serves as a way to translate PostScript, a common printer language, into forms that can be understood by many different printers. Understanding Ghostscript’s capabilities, and how it fits into a printer queue, can be important for configuring printers.

PostScript: The De Facto Linux Printer Language

PostScript printers became popular as accessories for Unix systems in the 1980s. Unix print queues weren’t designed with Windows-style printer drivers in mind, so Unix programs that took advantage of laser printer features were typically written to produce PostScript output directly. As a result, PostScript developed into the de facto printing standard for Unix and, by inheritance, Linux. Where programs on Windows systems were built to interface with the Windows printer driver, similar programs on Linux generate PostScript and send the result to the Linux printer queue.

Some programs violate this standard. Most commonly, many programs can produce raw text output. Such output seldom poses a major problem for modern printers, although some PostScript-only models choke on raw text. Some other programs can produce either PostScript or Printer Control Language (PCL) output for Hewlett-Packard laser printers or their many imitators. A very few programs can generate output that’s directly accepted by other types of printers.

The problem with PostScript as a standard is that it’s uncommon on the low- and mid-priced printers with which Linux is often paired. Therefore, to print to such printers using traditional Unix programs that generate PostScript output, you need a translator and a way to fit that translator into the print queue. This is where Ghostscript fits into the picture.

Ghostscript: A PostScript Translator

When it uses a traditional PostScript printer, a computer sends a PostScript file directly to the printer. PostScript is a programming language, albeit one that’s oriented toward the goal of producing a printed page as output. Ghostscript is a PostScript interpreter that runs on a computer. It takes PostScript input, parses it, and produces output in any of dozens of different bitmap formats, including formats that can be accepted by many non-PostScript printers. This makes Ghostscript a way to turn many inexpensive printers into Linux-compatible PostScript printers at very low cost.

One of Ghostscript’s drawbacks is that it produces large output files. A PostScript file that produces a page filled with text may be just a few kilobytes in size. If this page is to be printed on a 600 dots per inch (dpi) printer using Ghostscript, the resulting output file could be as large as 4MB—assuming it’s black and white. If the page includes color, the size could be much larger. In some sense, this is unimportant because these big files will be stored on your hard disk only briefly. They do still have to get from the computer to the printer, though, and this process can be slow. Also, some printers (particularly older laser printers) may require memory expansion to operate reliably under Linux.

For information about what printers are supported by Ghostscript, check the Ghostscript Web page or the OpenPrinting database Web page (http://www.openprinting.org/printers).

Squeezing Ghostscript into the Queue

Printing to a non-PostScript printer in Linux requires fitting Ghostscript into the print queue. This is generally done through the use of a smart filter. This is a program that’s called as part of the printing process. The smart filter examines the file that’s being printed, determines its type, and passes the file through one or more additional programs before the printing software sends it on to the printer. The smart filter can be configured to call Ghostscript with whatever parameters are appropriate to produce output for the queue’s printer.

CUPS ships with its own set of smart filters, which it calls automatically when you tell the system what model printer you’re using. CUPS provides a Web-based configuration tool, as described in the upcoming section “Using the Web-Based CUPS Utilities.” This system, or distribution-specific GUI printer configuration tools, can make setting up a printer for CUPS fairly straightforward.

The end result of a typical Linux printer queue configuration is the ability to treat any supported printer as if it were a PostScript printer. Applications that produce PostScript output can print directly to the queue. The smart filter detects that the output is PostScript and runs it through Ghostscript. The smart filter can also detect other file types, such as plain-text and various graphics files, and it can send them through appropriate programs instead of or in addition to Ghostscript in order to create a reasonable printout.

If you have a printer that can process PostScript, the smart filter is usually still involved, but it doesn’t pass PostScript through Ghostscript. In this case, the smart filter passes PostScript directly to the printer, but it still sends other file types through whatever processing is necessary to turn them into PostScript.

Running a Printing System

Because Linux printing systems run as daemons, they must be started before they’re useful. This task is normally handled automatically via startup scripts in /etc/rc.d, /etc/init.d, or /etc/rc?.d (where ? is a runlevel number). Look for startup scripts that contain the string cups (or lpd or lprng for older systems) in their names to learn what your system is running. If you’re unsure if a printing system is currently active, use the ps utility to search for running processes by these names, as in

$ ps ax | grep cups
1896 ? Ss 0:01 cupsd

This example shows that cupsd, the CUPS daemon, is running, so the system is using CUPS for printing. If you can’t find any running printing system, consult your distribution’s documentation to learn what is available and check that the appropriate package is installed. All major distributions include startup scripts that should start the appropriate printing daemon when the computer boots.

Configuring CUPS

CUPS uses various configuration files in the /etc/cups directory and its subdirectories to manage its operation. You can edit these files directly, and you may need to do so if you want to share printers or use printers shared by other CUPS systems. The simplest way to add printers to CUPS, though, is to use the tool’s Web-based configuration utility.

Editing the CUPS Configuration Files

You can add or delete printers by editing the /etc/cups/printers.conf file, which consists of printer definitions. Each definition begins with the name of a printer, identified by the string DefaultPrinter (for the default printer) or Printer (for a nondefault printer) in angle brackets (<>), as in the following:

<DefaultPrinter okidata>

This line marks the beginning of a definition for a printer queue called okidata. The end of this definition is a line that reads </Printer>. Intervening lines set assorted printer options, such as identifying strings, the printer’s location (its local hardware port or network location), its current status, and so on. Additional options are stored in a PostScript Printer Definition (PPD) file that’s named after the queue and stored in the /etc/cups/ppd subdirectory. PPD files follow an industry-standard format. For PostScript printers, you can obtain a PPD file from the printer manufacturer, typically from a driver CD-ROM or from the manufacturer’s Web site. CUPS and its add-on driver packs also ship with a large number of PPD files that are installed automatically when you use the Web-based configuration utilities.

As a general rule, you’re better off using the CUPS Web-based configuration tools to add printers rather than adding printers by directly editing the configuration files. If you like, though, you can study the underlying files and tweak the configurations using a text editor to avoid having to go through the full Web-based tool to make a minor change.

One exception to this rule relates to configuring the CUPS Web-based interface tool itself and CUPS’ ability to interface with other CUPS systems. One of the great advantages of CUPS is that it uses a new network printing protocol, known as the Internet Printing Protocol (IPP), in addition to the older LPD protocol used by BSD LPD and LPRng. IPP supports a feature it calls browsing, which enables computers on a network to automatically exchange printer lists. This feature can greatly simplify configuring network printing. You may need to change some settings in the main CUPS configuration file, /etc/cups/cupsd.conf, to enable this support.

The /etc/cups/cupsd.conf file, which is structurally similar to the Apache Web server configuration file, contains a number of configuration blocks that specify which other systems should be able to access it. Each block controls access to a particular location on the server. These blocks look like this:

<Location /printers>
Order Deny,Allow
Deny from All
BrowseAllow from 127.0.0.1
BrowseAllow from 192.168.1.0/24
BrowseAllow from @LOCAL
Allow from 127.0.0.1
Allow from 192.168.1.0/24
Allow from @LOCAL
</Location>

If you’re configuring a workstation with a local printer that you don’t want to share or if you want to configure a workstation to use printers shared via LPD or some other non-IPP printing protocol, you shouldn’t need to adjust /etc/cups/cupsd.conf. If you want to access remote IPP printers, however, you should at least activate browsing by setting the directive Browsing On, as described shortly. You shouldn’t have to modify your location definitions unless you want to share your local printers.

The /printers location, shown here, controls access to the printers themselves. The following list includes features of this example:

Directive Order: The Order Deny,Allow line tells CUPS in which order it should apply allow and deny directives—in this case, allow directives modify deny directives.

Default Policy: The Deny from All line tells the system to refuse all connections except those that are explicitly permitted.

Browsing Control Lines: The BrowseAllow lines tell CUPS from which other systems it should accept browsing requests. In this case, it accepts connections from itself (127.0.0.1), from systems on the 192.168.1.0/24 network, and from systems connected to local subnets (@LOCAL).

Access Control Lines: The Allow lines give the specified systems non-browse access to printers—that is, those systems can print to local printers. In most cases, the Allow lines are the same as the BrowseAllow lines.

You can also create a definition that uses Allow from All and then creates BrowseDeny and Deny lines to limit access. As a general rule, though, the approach shown in this example is safer. Locations other than the /printers location can also be important. For instance, there’s a root (/) location that specifies default access permissions to all other locations and an /admin location that controls access to CUPS administrative functions.

Before the location definitions in cupsd.conf are a few parameters that enable or disable browsing and other network operations. You should look for the following options specifically:

Enabling Browsing: The Browsing directive accepts On and Off values. The CUPS default is to enable browsing (Browsing On), but some Linux distributions disable it by default.

Browsing Access Control: The BrowseAddress directive specifies the broadcast address to which browsing information should be sent. For instance, to broadcast data on your printers to the 192.168.1.0/24 subnet, you’d specify BrowseAddress 192.168.1.255.

Once you’ve configured a CUPS server to give other systems access to its printers via appropriate location directions and once you’ve configured the client systems to use browsing via Browsing On, all the systems on the network should auto-detect all the printers on the network. You don’t need to configure the printer on any computer except the one to which it’s directly connected. All printer characteristics, including their network locations and PPD files, are propagated automatically by CUPS. This feature is most important in configuring large networks with many printers or networks on which printers are frequently added and deleted.
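An added example, not part of the book or of CUPS itself: a shell and awk check that reads the <Location> blocks of a cupsd.conf and reports which ones follow the deny-by-default pattern described above. The function names are hypothetical and the sample configuration is constructed; only its /printers block is the one shown in the text, and only blocks that use Order Deny,Allow are evaluated.

```shell
#!/bin/sh
# Added example. sample_cupsd_conf and audit_cups_locations are hypothetical names.

# Constructed input. /printers is the block shown in the text; the / and
# /admin blocks are made up to trigger the two findings.
sample_cupsd_conf() {
    cat <<'EOF'
# constructed sample, not a real server configuration
<Location />
Order Deny,Allow
Allow from 127.0.0.1
</Location>
<Location /printers>
Order Deny,Allow
Deny from All
BrowseAllow from 127.0.0.1
BrowseAllow from 192.168.1.0/24
BrowseAllow from @LOCAL
Allow from 127.0.0.1
Allow from 192.168.1.0/24
Allow from @LOCAL
</Location>
<Location /admin>
Order Deny,Allow
Deny from All
Allow from All
</Location>
EOF
}

# audit_cups_locations: read cupsd.conf text on stdin and print one line per
# <Location> block in the form PATH STATUS DETAIL, where STATUS is
#   RESTRICTED  Deny from All plus named Allow sources (the pattern in the text)
#   CLOSED      Deny from All and no Allow lines
#   OPEN        Allow from All, or no Deny from All to override
#   REVIEW      an Order other than Deny,Allow; not evaluated here
audit_cups_locations() {
    awk '
    function report(   status, detail) {
        if (order != "deny,allow") {
            status = "REVIEW"; detail = "Order " order " not evaluated here"
        } else if (allow_all) {
            status = "OPEN"; detail = "Allow from All"
        } else if (!deny_all) {
            status = "OPEN"; detail = "no Deny from All"
        } else if (allowed == "") {
            status = "CLOSED"; detail = "no Allow lines"
        } else {
            status = "RESTRICTED"; detail = allowed
        }
        print path, status, detail
    }
    $1 ~ /^#/ { next }                      # skip comments
    { key = tolower($1) }                   # directives are matched case-insensitively
    key == "<location" {
        path = $2; sub(/>$/, "", path)
        order = "(unset)"; allow_all = 0; deny_all = 0; allowed = ""
        inside = 1; next
    }
    key == "</location>" { if (inside) report(); inside = 0; next }
    !inside { next }
    key == "order" { order = tolower($2); next }
    key == "deny" && tolower($2) == "from" && tolower($3) == "all" { deny_all = 1; next }
    key == "allow" && tolower($2) == "from" {
        if (tolower($3) == "all") allow_all = 1
        else allowed = allowed (allowed == "" ? "" : ",") $3
    }
    '
}

sample_cupsd_conf | audit_cups_locations
```

On a real system the same function can be fed /etc/cups/cupsd.conf on standard input; any OPEN line for / or /admin deserves a look before browsing or sharing is enabled.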

Obtaining CUPS Printer Definitions

Most Linux distributions ship with CUPS smart filter support for a variety of printers. If you can’t find support for your printer, you can look for additional printer definitions. These definitions may consist of PPD files, appropriate behind-the-scenes “glue” to tell CUPS how to use them, and possibly Ghostscript driver files. You can obtain these printer definitions from several sources:

Your Linux Distribution: Many distributions ship extra printer definitions under various names, so check your distribution for such a package. Many distributions include some of the driver packages described next.

Foomatic: The Linux Printing Web site hosts a set of utilities and printer definitions known collectively as Foomatic (http://www.linuxfoundation.org/en/OpenPrinting/Database/Foomatic). These provide many additional printer definitions for CUPS (as well as for other printing systems).

Gutenprint: The Gutenprint drivers, originally known as GIMP Print, after the GNU Image Manipulation Program (GIMP), support a wide variety of printers. Check http://gimp-print.sourceforge.net for more information.

CUPS DDK: The CUPS Driver Development Kit (DDK) is a set of tools designed to simplify CUPS driver development. It ships with a handful of drivers for Hewlett-Packard and Epson printers and is included with the CUPS source code.

Printer Manufacturers: Some printer manufacturers offer CUPS drivers for their printers. These may be nothing more than Foomatic, Gutenprint, or other open source drivers; but a few provide proprietary drivers, some of which support advanced printer features that the open source drivers don’t support.

Chances are good that you’ll find support for your printer in your standard installation, particularly if your distribution has installed the Foomatic or Gutenprint package. If you start configuring printers and can’t find your model, though, you should look for an additional printer definition set from one of the preceding sources.

Using the Web-Based CUPS Utilities

The CUPS IPP printing system is closely related to the Hypertext Transfer Protocol (HTTP) used on the Web. The protocol is so similar, in fact, that you can access a CUPS daemon by using a Web browser. You need only specify that you want to access the server on port 631—the normal printer port. To do so, enter http://localhost:631 in a Web browser on the computer running CUPS. (You may be able to substitute the hostname or access CUPS from another computer by using the server’s hostname, depending on your cupsd.conf settings.) This action brings up a list of administrative tasks you can perform. Click Printers or Manage Printers to open the printer management page, shown in Figure 6.6.

FIGURE 6.6 CUPS provides its own Web-based configuration tool.

If you’re configuring a stand-alone computer or the only one on a network to use CUPS, the printer list may be empty, unlike the one shown in Figure 6.6. If other computers on your network use CUPS, you may see their printers in the printer list, depending on their security settings. Many modern distributions auto-configure USB printers when you plug them in or turn them on, so they may not need to be added, either.

You can add, delete, or modify printer queues using the CUPS Web control system. To add a printer, follow these steps:

1. From the Administration tab, click Add Printer.

CUPS is likely to ask for a username and password at this point. Type root as the username and your root password as the password. The need to pass your root password unencrypted is one reason you should be cautious about configuring printers from a remote computer.

2. The system displays a page that shows options for printers to add in each of three categories: local printers, discovered network printers, and other network printers. One or more of these categories may be empty. If you’re trying to add a local printer and the local printers category is empty, either it was auto-detected or CUPS can’t detect any likely printer interface hardware. Check your cables and drivers, and then restart CUPS and reload its Web page. If you see an option for the printer you want to add, select it and click Continue.

3. If you entered a network printer, the result is a page in which you enter the complete path to the device. Type the path, such as lpd://printserv/brother to print to the brother queue on the printserv computer. Click Continue when you’re done.

4. CUPS displays a page in which you enter the printer’s name, description, and location. You’ll use the name to specify the printer in both command-line and GUI tools, so a short one-word name is best. The description and location fields are both descriptive expansions to help users positively identify the printer. You can also click the Share This Printer check box if you want to share the printer definition with other CUPS-using computers on the network.

5. You’ll now see a list of manufacturers. Select one, and click Continue. Alternatively, you can point directly to a PPD file if you have one handy. If you do this, you’ll skip the next step.

6. CUPS now displays a complete list of printer models in the class you selected in step 5. Select an appropriate model, and click Add Printer. Alternatively, you can provide a PPD file if you have one.

7. You should now see a page on which you can set default options, such as the paper size and print resolution. The details of what options are available depend on the printer model you selected. Change any options you like and click Set Default Options. Your printer is now defined.

If you click the Printers item at the top of the page, you should be returned to the printers list (Figure 6.6), but your new printer should be listed among the existing queues. You can print a test page by clicking the link to the printer and then selecting Print Test Page from the button selector that reads Maintenance by default. If all goes well, a test page will emerge from your printer. If it doesn’t, go back and review your configuration by selecting Modify Printer from the button selector that reads Administration by default. This action takes you through the steps for adding a printer but with your previous selections already entered as the defaults. Try changing some settings until you get the printer to work.

Printing to Network Printers

If your network hosts many Windows computers, you may use the Server Message Block/Common Internet File System (SMB/CIFS) for file and printer sharing among Windows systems. Linux’s Samba server also implements this protocol and so can be used for sharing printers from Linux.

On the flip side, you can print to an SMB/CIFS printer queue from a Linux system. To do so, you select an SMB/CIFS queue in the printer configuration tool. Under CUPS, it’s called Windows Printer via SAMBA in step 2 in the preceding procedure. You must then provide your username, password, server name, and share name, but the format isn’t obvious from the Web-based configuration tool:

smb://username:password@SERVER/SHARE

This is a URI for an SMB/CIFS share. You must substitute appropriate values for username, password, SERVER, and SHARE, of course. Once this is done and you’ve finished the configuration, you should be able to submit print jobs to the SMB/CIFS share.

SMB/CIFS printers hosted by Windows systems are usually non-PostScript models, so you must select a local Linux smart filter and Ghostscript driver, just as you would for a local printer. Printers hosted by Linux systems running Samba, by contrast, are frequently configured to act like PostScript printers, so you should select a PostScript driver when connecting to them.

If you want to print to a Unix or Linux server that uses the old LPD protocol, the URI format is similar but omits a username and password:

lpd://hostname/queue

You can use the same format, but substitute ipp:// for lpd://, to print to a CUPS server if browsing is disabled on your network.

In practice, you may be faced with a decision: Should you use LPD, IPP, or SMB/CIFS for submitting print jobs? To be sure, not all print servers support all three protocols, but a Linux server might support them all. As a general rule, IPP is the simplest to configure because it supports browsing, which means that CUPS clients shouldn’t need explicit configuration to handle specific printers. This makes IPP the best choice for Linux-to-Linux printing, assuming both systems run CUPS. When CUPS isn’t in use, LPD is generally easier to configure than SMB/CIFS, and it has the advantage of not requiring the use of a username or password to control access. Because SMB/CIFS security is password-oriented, clients typically store passwords in an unencrypted form on the hard disk. This fact can become a security liability, particularly if you use the same account for printing as for other tasks. On the other hand, sometimes using a password on the server provides more of a security benefit than the risk of storing that password on the client. Generally speaking, if clients are few and well protected, whereas the server is exposed to the Internet at large, using passwords can be beneficial. If clients are numerous and exposed to the Internet, whereas the print server is well protected, a password-free security system that relies on IP addresses may be preferable.
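The following shell script is an added example, not part of the original text. It audits printer device URIs of the three kinds described above and reports which queues store a password in the smb://username:password@SERVER/SHARE form, printing the URI with the password masked. It assumes the queue definitions are in the layout of a CUPS printers.conf file (Printer blocks containing a DeviceURI line); the sample data and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of a CUPS printers.conf file:
# <Printer NAME> blocks, each holding a DeviceURI line. All values are made up.
sample_printers_conf() {
cat <<'EOF'
<Printer brother>
DeviceURI lpd://printserv/brother
State Idle
</Printer>
<DefaultPrinter hp4000>
DeviceURI ipp://printserv/hp4000
</DefaultPrinter>
<Printer okidata>
DeviceURI smb://ljones:s3cret@WINSRV/OKIDATA
</Printer>
<Printer lexmark>
DeviceURI smb://guest@WINSRV/LEXMARK
</Printer>
EOF
}

# Read printers.conf text on stdin; print "queue device-URI" pairs.
extract_device_uris() {
    awk '
    /^<(Default)?Printer / { queue = $2; sub(/>$/, "", queue) }
    /^DeviceURI /          { print queue, $2 }
    '
}

# Read "queue device-URI" pairs on stdin; print one line per queue:
#   queue scheme STATUS shown-URI
# STATUS is PASSWORD when the URI carries user:password@, USERONLY when it
# carries user@ with no password, and NONE otherwise. The password is masked
# in shown-URI so the report itself does not leak it.
audit_device_uris() {
    awk '
    NF >= 2 {
        uri = $2
        scheme = substr(uri, 1, index(uri, ":") - 1)
        # URIs without "//" (for example parallel:/dev/lp0) have no authority part.
        if (uri !~ /^[^:]*:\/\//) { print $1, scheme, "NONE", uri; next }
        rest = uri; sub(/^[^:]*:\/\//, "", rest)
        authority = rest; sub(/\/.*$/, "", authority)
        path = substr(rest, length(authority) + 1)
        # Use the last "@" so an "@" inside the password is handled.
        at = 0
        for (i = 1; i <= length(authority); i++)
            if (substr(authority, i, 1) == "@") at = i
        status = "NONE"; shown = uri
        if (at > 0) {
            userinfo = substr(authority, 1, at - 1)
            host = substr(authority, at + 1)
            colon = index(userinfo, ":")
            if (colon > 0) {
                status = "PASSWORD"
                shown = scheme "://" substr(userinfo, 1, colon - 1) ":****@" host path
            } else {
                status = "USERONLY"
            }
        }
        print $1, scheme, status, shown
    }'
}

# Read "queue device-URI" pairs on stdin; print only the queues that embed a password.
queues_with_passwords() {
    audit_device_uris | awk '$3 == "PASSWORD" { print $1 }'
}

# Demonstration on the constructed sample.
sample_printers_conf | extract_device_uris | audit_device_uris
```

Queues reported as PASSWORD are the ones for which a dedicated, low-privilege printing account matters most, since the text notes that reusing an account for other tasks turns the stored password into a liability.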

Monitoring and Controlling the Print Queue

You can use several utilities to submit print jobs and to examine and manipulate a Linux print queue. These utilities are lpr, lpq, lprm, and lpc. All of these commands can take the -P parameter to specify that they operate on a specific print queue.

Printing Files with lpr

Once you’ve configured the system to print, you probably want to start printing. As mentioned earlier, Linux uses the lpr program to submit print jobs. This program accepts many options that you can use to modify the program’s action:

Specify a Queue Name
The -P queuename option enables you to specify a print queue. This is useful if you have several printers or if you’ve defined several queues for one printer. If you omit this option, the default printer is used.

In the original BSD version of lpr, there should be no space between the -P and the queuename. LPRng and CUPS are more flexible in this respect; you can insert a space or omit it as you see fit.

Delete the Original File
Normally, lpr sends a copy of the file you print into the queue, leaving the original unharmed. Specifying the -r option causes lpr to delete the original file after printing it.

Suppress the Banner
The -h option suppresses the banner for a single print job. Early versions of CUPS didn’t support this option, but recent versions do.

Specify a Job Name
Print jobs have names to help identify them, both while they’re in the queue and once they’re printed (if the queue is configured to print banner pages). The name is normally the name of the first file in the print job, but you can change it by including the -J jobname option. The -C and -T options are synonymous with -J.

Notify a User by Email
The -m username option causes lpd to send email to username when the print job is complete. This option was unavailable in early versions of CUPS but is available in recent versions.

Specify the Number of Copies
You can specify the number of copies of a print job by using the -# number option, as in -# 3 to print three copies of a job.

Suppose you have a file called report.txt that you want to print to the printer attached to the lexmark queue. This queue is often busy, so you want the system to send email to your account, ljones, when it’s finished so you know when to pick up the printout. You can use the following command to accomplish this task:

$ lpr -Plexmark -m ljones report.txt

The lpr command is accessible to ordinary users as well as to root, so anybody may print using this command. It’s also called from many programs that need to print directly, such as graphics programs and word processors. These programs typically give you some way to adjust the print command so that you can enter parameters such as the printer name. For instance, Figure 6.7 shows Firefox’s Print dialog box, which features a list of available print queues, Range options to enable you to print a subset of the document’s pages, and a Copies field so that you can print multiple copies. Additional tabs enable you to set more options. Some programs provide a text entry field in which you type some or all of an lpr command instead of selecting from a list of available queues and options. Consult the program’s documentation if you’re not sure how it works.

FIGURE 6.7 Most Linux programs that can print do so by using lpr, but many hide the details of the lpr command behind a dialog box.

Sometimes you want to process a file in some way prior to sending it to the printer. Chapter 1 covers some commands that can do this, such as fmt and pr. Another handy program is mpage, which reads plain-text or PostScript files and reformats them so that each printed sheet contains several reduced-size pages from the original document. This can be a good way to save paper if you don’t mind a reduction in the document’s text or image size. In the simplest case, you can use mpage much as you’d use lpr:

$ mpage -Plexmark report.ps

This command prints the report.ps file reduced to fit four pages per sheet. You can change the number of source pages to fit on each printed page with the -1, -2, -4, and -8 options, which specify one, two, four, or eight input pages per output page, respectively. Additional mpage options exist to control features such as the paper size, the font to be used for plain-text input files, and the range of input file pages to be printed. Consult the man page for mpage for more details.

Displaying Print Queue Information with lpq

The lpq utility displays information about the print queue—how many files it contains, how large they are, who their owners are, and so on. By entering the user’s name as an argument, you can also use this command to check on any print jobs owned by a particular user. To use lpq to examine a queue, you can issue a command like the following:

$ lpq -Php4000
hp4000 is ready and printing
Rank    Owner    Job   File(s)   Total Size
active  rodsmit  1630  file:///  90112 bytes

Of particular interest is the job number—1630 in this example. You can use this number to delete a job from the queue or reorder it so that it prints before other jobs. Any user may use the lpq command.

Removing Print Jobs with lprm

The lprm command removes one or more jobs from the print queue. You can issue this command a couple of ways:

If lprm is used with a number, that number is understood to be the job ID (as shown in lpq’s output) of the job that’s to be deleted.

If a user runs the BSD or CUPS lprm and passes a dash (-) to the program, it removes all the jobs belonging to the user.

This program may be run by root or by an ordinary user; but as just noted, its capabilities vary depending on who runs it. Ordinary users may remove only their own jobs from the queue, but root may remove anybody’s print jobs.

Controlling the Print Queue

In the original BSD LPD system, the lpc utility starts, stops, and reorders jobs within print queues. Although CUPS provides an lpc command, it has few features. Instead of using lpc, you should use the CUPS Web interface, which provides point-and-click print queue management:

You can disable a queue by clicking the Stop Printer link for the printer on the CUPS Web interface. When you do so, this link changes to read Start Printer, which reverses the effect when clicked. The Jobs link also provides a way to cancel and otherwise manage specific jobs.

You can use a series of commands, such as cupsenable, cupsdisable, and lpmove, to control the queue. These commands enable a queue, disable a queue, or move a job from one queue to another. Moving a job can be handy if you must shut down a queue for maintenance and want to redirect the queue’s existing jobs to another printer.

In Exercise 6.1, you’ll practice using Linux’s printing capabilities.

EXERCISE 6.1 Printing with Linux

To perform this exercise, you must have a printer connected to your Linux computer—either a local printer or a network model. To perform some of the steps, you must also have root access to your computer so that you can manage the queue. To begin, follow these steps:

1. Launch a Web browser, enter http://localhost:631 as the URI, and then click the Printers tab. This should produce a list of printers, as in Figure 6.6. If the list is empty, you’ll need to define at least one printer queue, as described earlier, before proceeding. If printers are defined, take note of their names. For purposes of this exercise, I’ll assume a queue named hp4000 exists; change this name as necessary in the following steps.

2. Type lpr -Php4000 /etc/fstab to obtain a printout of this system configuration file. Verify that it printed correctly.

3. Type lpq -Php4000 to view the contents of the hp4000 queue. If you’re using a single-user computer, chances are the queue will be empty at this point.

4. Type lpr -Php4000 /etc/fstab; lpq -Php4000. This command prints another copy of /etc/fstab and immediately displays the contents of the print queue. It should not be empty this time, since the job will have been submitted but won’t have had time to clear the queue by the time lpq executes.

5. In another shell, type su to obtain root access.

6. In your root shell, type cupsdisable hp4000. This action disables the queue; it will still accept jobs, but they won’t print.

7. Type lpr -Php4000 /etc/fstab to obtain yet another printout of /etc/fstab. Because the queue is disabled, it won’t print.

8. Type lpq -Php4000 to view the contents of the printer queue. Note that, instead of hp4000 is ready, lpq reports hp4000 is not ready; however, the job you submitted should appear in the queue. Suppose it has a job number of 497.

9. Type lprm -Php4000 497 (changing the job number for your system).

10. Type lpq -Php4000 again to verify that the job has been removed from the queue.

11. Type cupsenable hp4000 in your root shell. This should re-enable the queue.

12. Type lpr -Php4000 /etc/fstab to print another copy of this file and verify that the printer is actually working again.

Using cupsdisable and cupsenable in this exercise has two purposes: to give you experience using these commands and to give you a chance to delete a job from the queue. A short file such as /etc/fstab can be printed so quickly that you might not have time to remove it from the queue before it disappears because it’s sitting in the printer’s out tray!

Summary

X is Linux’s GUI system. In part because of Linux’s modular nature, X isn’t a single program; you have your choice of X servers to run on Linux. Fortunately, most Linux distributions use the same X server as all others (X.org-X11). Both X.org-X11 and its main competitor, XFree86, are configured in much the same way, using the xorg.conf (for X.org-X11) or XF86Config configuration file. Whatever its name, this file consists of several sections, each of which controls one X subsystem, such as the mouse, the keyboard, or the video card. This file also controls X’s core fonts system, but you can use a font server in addition to this system; and most modern programs are now emphasizing an entirely new font system, Xft, instead of X core fonts. For this reason, Linux font configuration can be complex.

X’s GUI login system uses an XDMCP server, which starts X and manages the X display. Several XDMCP servers are in common use in Linux, the most important being XDM, KDM, and GDM. They all perform the same basic tasks, but configuration details differ. (XDM is also less sophisticated than KDM and GDM.) X is a network-enabled GUI, which means you can use an X server to access programs running on another computer. Doing so requires performing a few steps for each login session. You can also tunnel X accesses through SSH, which greatly improves the security of the connection.

An assortment of tools can help make Linux more accessible to users with visual or motor impairments. You can adjust font size, screen contrast, and other display features to improve legibility; use screen magnifiers to help users read part of a larger screen; or even bypass a visual display entirely and use a screen reader for auditory output or a Braille display for tactile output. On the input side, you can adjust keyboard repeat rates, use sticky keys, or modify the mouse tracking speed and click sensitivity to improve users’ ability to input data accurately. You can even have a mouse stand in for a keyboard or vice versa by using appropriate software.

The second main visual output tool on computers is a printer, and Linux provides sophisticated printer support. The CUPS package manages printers in Linux by accepting local or remote print jobs, passing them through a smart filter for processing, and queuing the jobs so that they print in a reasonable order. Most CUPS configuration is best handled via its own Web interface, but some options (particularly security features) can be set via text configuration files.

Exam Essentials

Name the major X servers for Linux.
XFree86 has been the traditional standard Linux X server, but in 2004 X.org-X11 (which was based on XFree86) rapidly gained prominence as the new standard Linux X server. Accelerated-X is a commercial X server that sometimes supports video cards that aren’t supported by XFree86 or X.org-X11.

Describe the X configuration file format.
The XFree86 and X.org-X11 configuration file is broken into multiple sections, each of which begins with the keyword Section and ends with EndSection. Each section sets options related to a single X feature, such as loading modules, specifying the mouse type, or describing the screen resolution and color depth.

Summarize the differences between X core fonts, a font server, and Xft fonts.
X core fonts are managed directly by X, and they lack modern font features such as font smoothing. Font servers integrate with the X core fonts but run as separate programs and may optionally deliver fonts to multiple computers on a network. Xft fonts bypass the X core font system to provide client-side fonts in a way that supports modern features such as font smoothing.

Explain the role of an XDMCP server.
An XDMCP server, such as XDM, KDM, or GDM, launches X and controls access to X via a login prompt—that is, it serves as Linux’s GUI login system. XDMCP servers are also network-enabled, providing a way to log in remotely from another X server.

Describe X’s client-server model.
An X server runs on the user’s computer to control the display and accept input from the keyboard and mouse. Client programs run on the same computer or on a remote computer to do the bulk of the computational work. These client programs treat the X server much as they treat other servers, requesting input from and sending output to them.

Explain the benefits of using SSH for remote X access.
SSH can simplify remote X-based network access by reducing the number of steps required to run X programs from a remote computer. More important, SSH encrypts data, which keeps information sent between the X client and X server secure from prying eyes.

Summarize X accessibility features.
You can adjust keyboard and mouse options to help those with motor impairments to use keyboards and mice or to substitute one device for the other. Font size, contrast, and magnification tools can help those with visual impairments. Finally, text readers and Braille displays can enable blind individuals to use a Linux system.

Describe how to set a time zone in Linux.
Linux uses a binary file, /etc/localtime, to describe the features of the time zone. This file is copied or linked from a repository of such files at system installation, but you can replace the file at any time.

Explain the role of Ghostscript in Linux printing.
PostScript is the standard Linux printing language, and Ghostscript converts PostScript into bitmap formats that are acceptable to non-PostScript printers. Thus, Ghostscript is a critical translation step in many Linux print queues, although it’s not required for PostScript printers.

Summarize how print jobs are submitted and managed under Linux.
You use lpr to submit a print job for printing, or an application program may call lpr itself or implement its functionality directly. The lpq utility summarizes jobs in a queue, and lprm can remove print jobs from a queue.

Review Questions

1. When you configure an X server, you need to make changes to configuration files and then start or restart the X server. Which of the following can help streamline this process?

A. Shut down X by switching to a runlevel in which X doesn’t run automatically, and then reconfigure it and use startx to test X startup.
B. Shut down X by booting into single-user mode, and then reconfigure X and use telinit to start X running again.
C. Reconfigure X, and then unplug the computer to avoid the lengthy shutdown process before restarting the system and X along with it.
D. Use the startx utility to check the X configuration file for errors before restarting the X server.
E. Connect the Linux computer’s network port directly to the X server, without using any intervening routers, in order to reduce network latency.

2. Which of the following summarizes the organization of the X configuration file?

A. The file contains multiple sections, one for each screen. Each section includes subsections for individual components (keyboard, video card, and so on).
B. Configuration options are entered in any order desired. Options relating to specific components (keyboard, video card, and so on) may be interspersed.
C. The file begins with a summary of individual screens. Configuration options are preceded by a code word indicating the screen to which they apply.
D. The file is broken into sections, one or more for each component (keyboard, video card, and so on). The file also has one or more sections that define how to combine the main sections.
E. The file is a rare binary configuration file that must be accessed using SQL database tools.

3. A monitor’s manual lists its range of acceptable synchronization values as 27−96 kHz horizontal and 50−160 Hz vertical. What implications does this have for the resolutions and refresh rates the monitor can handle?

A. The monitor can run at up to 160 Hz vertical refresh rate in all resolutions.
B. The monitor can handle up to 160 Hz vertical refresh rate depending on the color depth.
C. The monitor can handle up to 160 Hz vertical refresh rate depending on the resolution.
D. The monitor can handle vertical resolutions of up to 600 lines (96,000 ÷ 160), but no more.
E. The monitor can handle horizontal resolutions of up to 600 columns (96,000 ÷ 160), but no more.

4. In what section of XF86Config or xorg.conf do you specify the resolution that you want to run?

A. In the ServerLayout section, using the Screen option
B. In the Monitor section, using the Modeline option
C. In the Device section, using the Modeline option
D. In the DefaultResolution section, using the Define option
E. In the Screen section, subsection Display, using the Modes option

5. What is an advantage of a font server?

A. It provides faster font displays than are otherwise possible.
B. It can simplify font maintenance on a network with many X servers.
C. It’s the only means of providing TrueType support for XFree86 4.x.
D. It enables the computer to turn a bitmapped display into an ASCII text file.
E. It enables X to use font smoothing, which isn’t possible with core fonts.

6. What methods do Linux distributions use to start X automatically when the system boots? (Select two.)

A. Start an XDMCP server from the Start folder.
B. Start an XDMCP server from an ~/.xinitrc script.
C. Start an XDMCP server via a system startup script.
D. Start an XDMCP server via a boot manager.
E. Start an XDMCP server from init.

7. How would you change the text displayed by XDM as a greeting?

A. Click Configure Greeting from the XDM main menu, and edit the text in the resulting dialog box.
B. Pass greeting="text" as a kernel option in the boot loader, changing text to the new greeting.
C. Edit the /etc/X11/xorg.conf file, and change the Greeting option in the xdm area.
D. Run xdmconfig, and change the greeting on the Login tab.
E. Edit the /etc/X11/xdm/Xresources file, and change the text in the xlogin*greeting line.

8. Which of the following features do KDM and GDM provide that XDM doesn’t?

A. An encrypted remote X-based access ability, improving network security
B. The ability to accept logins from remote computers, once properly configured
C. The ability to select the login environment from a menu on the main login screen
D. A login screen that shows the username and password simultaneously rather than sequentially
E. An option to log into text mode if X should fail to start

9. Which of the following commands tells the X server to accept connections from penguin.example.com?

A. xhost +penguin.example.com
B. export DISPLAY=penguin.example.com:0
C. telnet penguin.example.com
D. xaccess penguin.example.com
E. ssh penguin.example.com

10. To assist an employee who has trouble with keyboard repeat features, you’ve disabled this function in /etc/X11/xorg.conf. Why might this step not be sufficient to the goal of disabling keyboard repeat?

A. GNOME, KDE, or other desktop environment settings for keyboard repeat may override those set in xorg.conf.
B. The xorg.conf file has been deprecated; you should instead adjust the /etc/X11/XF86Config file.
C. Keyboard settings in xorg.conf apply only to PS/2 keyboards; you must use usbkbrate to adjust keyboard repeat for USB keyboards.
D. You must also locate and reset the DIP switch on the keyboard to disable keyboard repeat.
E. The keyboard repeat options in xorg.conf work only if the keyboard’s nationality is set incorrectly, which it often is not.

11. Which of the following programs may be used to provide computer-generated speech for users who have trouble reading computer displays? (Select two.)

A. SoX
B. Braille
C. Orca
D. talk
E. Emacspeak

12. You manage a computer that’s located in Los Angeles, California, but the time zone is misconfigured as being in Tokyo, Japan. What procedure can you follow to fix this problem? (Select two.)

A. Run hwclock --systohc to update the clock to the correct time zone.
B. Delete /etc/localtime, and replace it with an appropriate file from /usr/share/zoneinfo.
C. Edit the /etc/tzconfig file so that it specifies North_America/Los_Angeles as the time zone.
D. Edit /etc/localtime, and change the three-letter time zone code on the TZ line.
E. Use the tzselect program to select a new (Los Angeles) time zone.

13. You’re configuring a Linux system that doesn’t boot any other OS. What is the recommended time to which the computer’s hardware clock should be set?

A. Helsinki time
B. Local time
C. US Pacific time
D. UTC
E. Internet time

14. You’ve developed a script that uses several Linux commands and edits their output. You want to be sure that the script runs correctly on a computer in Great Britain, although you’re located elsewhere, since the output includes features such as currency symbols and decimal numbers that are different from one nation to another. What might you do to test this?

A. Enter the BIOS, locate and change the location code, reboot into Linux, and run the script.
B. Edit /etc/locale.conf, change all the LC_* variables to en_GB.UTF-8, and then reboot and run the script.
C. Type export LC_ALL=en_GB.UTF-8, and run the script from the same shell you used to type this command.
D. Type locale_set Great_Britain, and run the script from the same shell you used to type this command.
E. Type export TZ=:/usr/share/zoneinfo/Europe/London, and run the script from the same shell you used to type this command.

15. Which character set encoding is the preferred method on modern Linux systems?

A. UTF-8
B. ASCII
C. ISO-8859-1
D. ISO-8859-8
E. ATASCII

16. Which of the following describes the function of a smart filter?

A. It improves the legibility of a print job by adding font smoothing to the text.
B. It detects information in print jobs that may be confidential as a measure against industrial espionage.
C. It sends email to the person who submitted the print job, obviating the need to wait around the printer for a printout.
D. It detects and deletes prank print jobs that are likely to have been created by miscreants trying to waste your paper and ink.
E. It detects the type of a file and passes it through programs to make it printable on a given model of printer.

17. What information about print jobs does the lpq command display? (Select two.)

A. The name of the application that submitted the job
B. A numerical job ID that can be used to manipulate the job
C. The amount of ink or toner left in the printer
D. The username of the person who submitted the job
E. The estimated time to finish printing the job

18. You’ve submitted several print jobs, but you’ve just realized that you mistakenly submitted a huge document that you didn’t want to print. Assuming you can identify which job this was, that it’s not yet printing, and that its job ID number is 749, what command would you type to delete it from the okidata print queue?

A. The answer depends on whether you’re using BSD LPD, LPRng, or CUPS.
B. Type lpdel -Pokidata 749.
C. Type lprm -Pokidata 749.
D. Type cupsdisable -Pokidata 749.
E. None of the above; the task is impossible.

19. Which of the following is generally true of Linux programs that print?

A. They send data directly to the printer port.
B. They produce PostScript output for printing.
C. They include extensive collections of printer drivers.
D. They can print only with the help of add-on commercial programs.
E. They specify use of the Verdana font.

20. What tool might you use to print a four-page PostScript file on a single sheet of paper?

A. PAM
B. mpage
C. 4Front
D. route
E. 411toppm

Chapter 7

Administering the System

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.107.1 Manage user and group accounts and related system files
1.107.2 Automate system administration tasks by scheduling jobs
1.108.1 Maintain system time
1.108.2 System logging

Much of Linux system administration deals with handling mundane day-to-day tasks. Many of these tasks relate to users and groups: adding them, deleting them, configuring their environments, and so on. On a small system you might perform such tasks infrequently, but on a busy system you might adjust accounts frequently. In any event, you must know how to do these things. Another class of day-to-day tasks involves managing and reviewing log files. These are files that record details of system operations, such as remote logins. Log files can be invaluable debugging resources, but even if you aren’t experiencing a problem, you should review them periodically to be sure everything is working as it should.

Many Linux tasks relate to time. Linux keeps time somewhat differently than some other OSs, and understanding how Linux treats time is important. So are the skills needed to set the time in Linux. (Some automated tools can be very helpful, but you must know how to configure them.) You can also tell Linux to run particular jobs at specific times in the future. This can be handy to help automate repetitive tasks, such as synchronizing data with other systems on a regular basis.

Managing Users and Groups

Linux is a multi-user system that relies on accounts—data structures and procedures used to identify individual users of a computer. Managing these accounts is a basic but important system administration skill. Before delving into the details, I describe a few basic concepts you should understand about user and group administration. With that out of the way, I describe the tools and configuration files that you employ to manage users and groups.

Understanding Users and Groups

Chances are you have a good basic understanding of accounts already. Fundamentally, Linux accounts are like accounts on Windows, Mac OS, and other OSs. Some Web sites use accounts, too. Nonetheless, a few details deserve explanation. These include Linux username conventions, the nature of Linux groups, and the way Linux maps the numbers it uses internally to the usernames and group names that people generally use.

Understanding Linux Usernames

Linux is fairly flexible about its usernames, although details vary from one utility to another. The most liberal Linux naming rules require usernames to begin with a letter and to be no more than 32 characters in length. Aside from the first character, numbers and most punctuation symbols are permitted, as are both upper- and lowercase characters. In practice, though, some important utilities, such as the useradd program described in “Adding Users,” impose more restrictive rules. These rules disallow uppercase letters and most punctuation characters, although you can sometimes get away with an underscore (_) or dot (.), and a dollar sign ($) as the last character is permitted. Furthermore, some utilities truncate usernames longer than 8 characters; for this reason, many administrators try to limit username length to 8 characters.

Assuming you can create accounts with mixed-case usernames, Linux treats usernames in a case-sensitive way. Therefore, a single computer can support both ellen and Ellen as separate users. This practice can lead to a great deal of confusion, so it’s best to avoid creating accounts whose usernames differ only in case. The traditional practice is to use entirely lowercase letters in Linux usernames, such as sally, sam, ellen, and george. Usernames don’t need to be based on first names, of course—you could use sam_jones, s.jones, sjones, jones, jones17, or d76, to name just a few possibilities. Most sites develop a standard method of creating usernames, such as using the first initial and the last name. Creating and following such a standard practice can help you locate an account that belongs to a particular individual. If your computer has many users, though, you may find a naming convention produces duplicates, particularly if your standard is to use initials to shorten usernames. You may be forced to deviate from the standard or incorporate numbers to distinguish between all the Davids or Smiths of the world, because each account requires a unique username.

Linking Users Together for Productivity via Groups

Linux uses groups as a means of organizing users. In many ways, groups parallel users. In particular, they’re defined in similar configuration files, have names similar to usernames, and are represented internally by numbers (as are accounts).

Groups are not accounts, however. Rather, groups are a means of organizing collections of accounts, largely as a security measure. Every file on a Linux system is associated with a specific user and a specific group, and various permissions can be assigned to members of that group. For instance, group members (such as faculty at a university) may be allowed to read a file, but others (such as students) may be disallowed such access. Because Linux provides access to most hardware devices (such as scanners and tape backup units) through files, you can also use this same mechanism to control access to hardware.

Every group has anywhere from no members to as many members as there are users on the computer. Group membership is controlled through the /etc/group file. This file contains a list of groups and the members belonging to each group. The details of this file’s contents are described in the section “Configuring Groups.”

In addition to membership defined in /etc/group, each user has a default or primary group. The user’s primary group is set in the user’s configuration in /etc/passwd (the file that defines accounts). When users log on to the computer, their group membership is set to their primary group. When users create files or launch programs, those files and running programs are associated with a single group—the current group membership. A user can access files belonging to other groups as long as the user belongs to that group and the group access permissions permit the access. To run programs or create files with a group other than the primary one, however, the user must run the newgrp command to switch current group membership. For instance, to change to the project2 group, you might type the following:

$ newgrp project2

If the user typing this command is listed as a member of the project2 group in /etc/group, the user’s current group membership changes. Thereafter, files created by that user will be associated with the project2 group. Alternatively, users can change the group associated with an existing file by using the chgrp or chown command, as described in Chapter 4, “Managing Files.”

This group structure enables you to design a security system that permits different collections of users to easily work on the same files while simultaneously keeping other users of the same computer from prying into files they should not be able to access. In a simple case, you may create groups for different projects, classes, or workgroups, with each user restricted to one of these groups. A user who needs access to multiple groups can be a member of each of these groups—for instance, a student who takes two classes can belong to the groups associated with each class, or a supervisor may belong to all the supervised groups.

Mapping UIDs and GIDs to Users and Groups

As mentioned earlier, Linux defines users and groups by numbers, referred to as user IDs (UIDs) and group IDs (GIDs), respectively. Internally, Linux tracks users and groups by these numbers, not by name. For instance, the user sam may be tied to UID 523, and ellen may be UID 609. Similarly, the group project1 may be GID 512, and project2 may be GID 523. For the most part, these details take care of themselves—you use names, and Linux uses /etc/passwd or /etc/group to locate the number associated with the name. You may occasionally need to know how Linux assigns numbers when you tell it to do something, though. This is particularly true when you’re troubleshooting or if you have cause to manually edit /etc/passwd or /etc/group.

Linux distributions reserve at least the first 100 user and group IDs (0-99) for system use. The most important of these is 0, which corresponds to root (both the user and the group). Subsequent low numbers are used by accounts and groups that are associated with specific Linux utilities and functions. For instance, UID 2 and GID 2 may be the daemon account and group, respectively, which are used by various servers; and UID 8 and GID 12 might be the mail account and group, which can be used by mail-related servers and utilities. Not all account and group numbers from 0 to 99 are in use; usually, only one or two dozen accounts and a dozen or so groups are used in this way. You can check your /etc/passwd and /etc/group files to determine which user and group IDs are so used.

Aside from UID 0 and GID 0, UID and GID numbers aren’t fully standardized. For instance, although UID 2 and GID 2 map to the daemon account and daemon group on Red Hat and SUSE, on Debian UID 2 and GID 2 map to the bin account and bin group; the daemon account and group correspond to UID 1 and GID 1. If you need to refer to a particular user or group, use the name rather than the number.

The first normal user account is usually assigned a UID of 500 or (more often) 1000. When you create additional accounts, the system typically locates the next-highest unused number, so the second user you create is UID 1001, the third is 1002, and so on. When you remove an account, that account’s ID number may be reused, but the automatic account-creation tools typically don’t do so if subsequent numbers are in use, leaving a gap in the sequence. This gap causes no harm unless you have so many users that you run out of ID numbers. (The limit is 65,536 users with the 2.2.x kernels and more than 4.2 billion with the 2.4.x and later kernels, including root and other system accounts. The limit can be set lower in configuration files or because of limits in support programs.) In fact, reusing an ID number can cause problems if you don’t clear away the old user’s files—the new user will become the owner of the old user’s files, which can lead to confusion.

Account numbering limits are set in the /etc/login.defs file. In particular, UID_MIN and UID_MAX define the minimum and maximum UID values for ordinary user accounts. In modern distributions, these values are generally 1000 and 60000, respectively.

Typically, GID 100 is users—the default group for some distributions. On any but a very small system with few users, you’ll probably want to create your own groups. Because different distributions have different default ways of assigning users to groups, it’s best that you familiarize yourself with your distribution’s way of doing this and plan your own group-creation policies with this in mind. For instance, you may want to create your own groups within certain ranges of IDs to avoid conflicts with the distribution’s default user- and group-creation processes.

It’s possible to create multiple usernames that use the same UID or multiple group names that use the same GID. In some sense, these are different accounts or groups; they have different entries in /etc/passwd or /etc/group, so they can have different home directories, different passwords, and so on. Because these users or groups share IDs with other users or groups, though, they’re treated identically in terms of file permissions. Unless you have a compelling reason to do so, you should avoid creating multiple users or groups that share an ID.

Intruders sometimes create accounts with UID 0 to give themselves root privileges on the systems they invade. Any account with a UID of 0 is effectively the root account, with all the power of the superuser. If you spot a suspicious account in your /etc/passwd file with a UID of 0, your system has probably been compromised.
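The checks this section recommends (no extra UID 0 accounts, no shared UIDs, no usernames that differ only in case) can be run mechanically over the colon-delimited /etc/passwd format. The following Python sketch is an added example, not code from the book; the sample account list, including the toor and sjones entries, is constructed for illustration, and the function names are hypothetical.

```python
"""Audit passwd-format text for the account-ID problems described above."""
from collections import defaultdict

# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
sam:x:1000:100:Sam Jones:/home/sam:/bin/bash
ellen:x:1001:100:Ellen Smith:/home/ellen:/bin/bash
Ellen:x:1002:100:Second Ellen:/home/Ellen:/bin/bash
sally:x:1029:100:Sally Jones:/home/sally:/bin/bash
sjones:x:1029:100:Alias of sally:/home/sjones:/bin/tcsh
toor:x:0:0::/root:/bin/bash
broken line without enough fields
"""


def parse_passwd(text):
    """Return (entries, malformed); malformed holds 1-based line numbers."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        # A usable entry has seven colon-delimited fields and numeric IDs.
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(lineno)
            continue
        name, _password, uid, gid, _comment, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries, malformed


def audit(entries):
    """Group accounts by UID and by case-folded name, then report conflicts."""
    by_uid = defaultdict(list)
    by_folded_name = defaultdict(list)
    for entry in entries:
        by_uid[entry["uid"]].append(entry["name"])
        by_folded_name[entry["name"].lower()].append(entry["name"])
    return {
        # Any UID 0 account other than root has full superuser power.
        "uid0_not_root": [n for n in by_uid.get(0, []) if n != "root"],
        # Accounts sharing a UID are identical for file-permission purposes.
        "shared_uids": {u: ns for u, ns in by_uid.items() if len(ns) > 1},
        # Names differing only in case are distinct accounts on Linux.
        "case_collisions": [ns for ns in by_folded_name.values() if len(ns) > 1],
    }


if __name__ == "__main__":
    parsed, bad_lines = parse_passwd(SAMPLE_PASSWD)
    print("malformed lines:", bad_lines)
    for check, result in audit(parsed).items():
        print(f"{check}: {result}")
```

To audit a live system, pass the contents of /etc/passwd to parse_passwd in place of the sample text; any name reported under uid0_not_root deserves immediate investigation.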

Configuring User Accounts

How frequently you’ll do user maintenance depends on the nature of the system you administer. Some systems, such as small personal workstations, need changes very rarely. Others, such as multi-user servers that see heavy user turnover, may require daily maintenance. The latter situation would seem to require more knowledge of user account configuration tools, but even in a seldom-changing system, it’s useful to know how to add, modify, or delete accounts so that you can do so quickly and correctly when you do need to do so.

Some security-related account issues are covered in Chapter 10, “Securing Your System.”

This chapter describes the traditional text-based tools for account creation and maintenance. Most modern Linux distributions ship with GUI tools that accomplish the same goals. These tools vary from one distribution or environment to another, so they’re hard to summarize for Linux as a whole. The exam also emphasizes the text-based tools. Overall, the text-based tools provide the greatest flexibility and are most broadly applicable, but you can certainly use the GUI tools if you like.

Adding Users

Adding users can be accomplished through the useradd utility. (This program is called adduser on some distributions.) Its basic syntax is as follows:

useradd [-c comment] [-d home-dir] [-e expire-date] [-f inactive-days]
        [-g default-group] [-G group[,...]] [-m [-k skeleton-dir] | -M]
        [-p password] [-s shell] [-u UID [-o]] [-r] [-n] username

Some of these parameters modify settings that are valid only when the system uses shadow passwords. This is the standard configuration for most distributions today.

In its simplest form, you may type just useradd username, where username is the username you want to create. The rest of the parameters are used to modify the default values for the system, which are stored in the file /etc/login.defs.

The parameters for the useradd command modify the program’s operation in various ways:

Comment: The -c comment parameter passes the comment field for the user. Some administrators store public information such as a user’s office or telephone number in this field. Others store just the user’s real name or no information at all.

Home Directory: You specify the account’s home directory with the -d home-dir parameter. This defaults to /home/username on most systems.

Account Expiration Date: Set the date on which the account will be disabled, expressed in the form YYYY-MM-DD, with the -e expire-date option. (Many systems accept alternative forms, such as MM-DD-YYYY, as well.) The default is for an account that doesn’t expire.

Inactive Days: An account becomes completely disabled a certain number of days after a password expires. The -f inactive-days parameter sets the number of days. A value of -1 disables this feature and is the default.

Default Group: You set the name or GID of the user’s default group with the -g default-group option. The default for this value varies from one distribution to another.

Additional Groups: The -G group[,...] parameter sets the names or GIDs of one or more groups to which the user belongs. These groups need not be the default group, and you can specify more than one by separating them with commas.

Home Directory Options: The system automatically creates the user’s home directory if -m is specified. Normally, default configuration files (including subdirectories) are copied from /etc/skel, but you may specify another template directory with the -k skeleton-dir option. Many distributions use -m as the default when running useradd.

No Home Directory Creation: The -M option forces the system to not automatically create a home directory, even if /etc/login.defs specifies that this action is the default. You might use this option, often in conjunction with -u (described shortly) and -d (described earlier) if a new account is for a user who’s taking over the home directory of an existing user—say, because a new employee is replacing one who is leaving.

Encrypted Password Specification: The -p encrypted-password parameter passes the pre-encrypted password for the user to the system. The encrypted-password value is added, unchanged, to the /etc/passwd or /etc/shadow file. This means that if you type an unencrypted password, it won’t work as you probably expect. In practice, this parameter is most useful in scripts, which can encrypt a password (using crypt) and then send the encrypted result through useradd. The default value disables the account, so you must run passwd to change the user’s password.

Default Shell: Set the name of the user’s default login shell with the -s shell option. On most systems, this defaults to /bin/bash, but you can specify another shell or even a program that’s not traditionally a shell. For instance, some systems include a shutdown account that calls /sbin/shutdown. Logging into this account immediately shuts down the computer.

UID: The -u UID parameter creates an account with the specified user ID value (UID). This value must be a positive integer, and it’s normally greater than 1000 for user accounts. (Some distributions permit user account UIDs as low as 500, though.) System accounts typically have numbers less than 200, and often less than 100. The -o option allows the number to be reused so that two usernames are associated with a single UID.

System Account Creation: The -r parameter specifies the creation of a system account—an account with a value less than UID_MIN, as defined in /etc/login.defs. The useradd command doesn’t create a home directory for system accounts.

No User Group: In some distributions, such as Red Hat, the system creates a group with the same name as the specified username. The -n parameter disables this behavior.

Suppose you’ve added a hard disk and mounted it as /home2. You want to create an account for a user named Sally in this directory and place her home directory on the new disk. You want to make the new user a member of the project1 and project4 groups, with default membership in project4. The user has also requested tcsh as her default shell. The following commands accomplish this goal:

# useradd -m -d /home2/sally -g project4 -G project1,project4 -s /bin/tcsh sally
# passwd sally
Changing password for user sally
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

The passwd command asks for the password twice, but it does not echo what you type. This prevents somebody who sees your screen from reading the password. passwd is described in more detail shortly, in “Setting a Password.”

Modifying User Accounts

User accounts may be modified in many ways: You can directly edit critical files such as /etc/passwd, modify user-specific configuration files in the account’s home directory, or use system utilities like those used to create accounts. You usually modify an existing user’s account at the user’s request or to implement some new policy or system change, such as moving home directories to a new hard disk. Sometimes, though, you must modify an account immediately after its creation in order to customize it in ways that aren’t easily handled through the account-creation tools or because you realize you forgot a parameter to useradd.

Setting a Password

Although useradd provides the -p parameter to set a password, this tool isn’t very useful when directly adding a user because it requires a pre-encrypted password. Therefore, it’s usually easiest to create an account in disabled form (by not using -p with useradd) and set the password after creating the account. You can do this with the passwd command, which has the following syntax:

passwd [-k] [-l] [-u [-f]] [-d] [-S] [username]

Although passwd is frequently used to set or change passwords, some of its actions don’t prompt you for a password. Instead, they modify the password in predictable ways, as described shortly. Other uses produce a password prompt at which you must type a new password (twice, to guard against typos).

The parameters to this command enable you to modify its behavior:

Update Expired Accounts: The -k parameter indicates that the system should update an expired account.

Lock Accounts: The -l parameter locks an account by prefixing the encrypted password with an exclamation mark (!). The result is that the user can no longer log into the account, but the files are still available, and the change can be easily undone. This parameter is particularly handy if you want to temporarily suspend user access to an account—say, because you’ve spotted some suspicious activity involving the account or because you know a user won’t be using the account for a while and you want to minimize the chance of it being abused in the interim.

Unlock Accounts: The -u parameter unlocks an account by removing a leading exclamation mark. useradd creates accounts that are locked and have no password, so using this command on a fresh account results in an account with no password. Normally, passwd doesn’t allow this—it returns an error if you attempt it. Adding -f forces passwd to turn the account into one with no password.

Remove an Account’s Password: The -d parameter removes the password from an account, rendering it password-less.

Display Account Information: The -S option displays information about the password for an account—whether it’s set and what type of encryption it uses.

Ordinary users may use passwd to change their passwords, but many passwd parameters may be used only by root. Specifically, -l, -u, -f, and -d are all off-limits to ordinary users. Similarly, only root may specify a username to passwd. When ordinary users run the program, they should omit their usernames; passwd will change the password for the user who ran the program. As a security measure, passwd asks for a user’s old password before changing the password when an ordinary user runs the program. This precaution is not taken when root runs the program so that the superuser may change a user’s password without knowing the original password. This is necessary because the administrator normally doesn’t know the user’s password. It also provides a way for the system administrator to help a user who’s forgotten a password—the administrator can type passwd username and then enter a new password for the user.

Linux passwords may consist of letters, numbers, and punctuation. Linux distinguishes between upper- and lowercase letters in passwords, which means you can use mixed-case passwords, numbers, and punctuation to improve security.

Chapter 10 provides information about selecting good passwords.

Exercise 7.1 provides you with practice in creating accounts on a Linux system.

EXERCISE 7.1

Creating User Accounts

This exercise explores the process of creating user accounts. After performing this exercise, you should be familiar with the text-mode Linux account-creation tools and be able to create new accounts, including preparing new users’ home directories. To add and test a new account, follow these steps:

1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session > New Root Console from a Konsole, or by using sudo (if it’s configured) to run the commands in the following steps.
4. Type useradd -m username, where username is the name you want to be associated with the account. This command creates an account. The -m parameter tells Linux to create a home directory for the user and fill it with default account configuration files.
5. Type passwd username. You’ll be asked to enter a password for the user and to type it a second time. Enter a random string or select a password as described in “Setting a Password.”
6. Press Ctrl+Alt+F2 to go to a fresh text-mode login screen. (If you’re already using multiple virtual terminals, you may need to use a function key number greater than F2.)
7. Try logging in as the new user to verify that the account works properly.

In practice, creating accounts on a production system may require variations on this procedure. You may need to use additional options in step 4, for instance; consult the section “Adding Users” or the useradd man page for details on these options. Furthermore, setting the password may require changes. On a small system with few users, you may be able to create accounts in the presence of their future users, in which case the user can type the password in step 5. On other systems, you may need to generate passwords yourself and then give them to users in some way.

Using usermod

The usermod program closely parallels useradd in its features and parameters. This utility changes an existing account instead of creating a new one, though. The major differences between useradd and usermod are as follows:

- usermod allows the addition of a -m parameter when used with -d. The -d parameter alone changes the user’s home directory, but it doesn’t move any files. Adding -m causes usermod to move the user’s files to the new location.
- usermod supports a -l parameter, which changes the user’s login name to the specified value. For instance, typing usermod -l sjones sally changes the username from sally to sjones.
- You may lock and unlock a user’s password with the -L and -U options, respectively. These options duplicate functionality provided by passwd.

The usermod program changes the contents of /etc/passwd or /etc/shadow, depending on the option used. If -m is used, usermod also moves the user’s files, as already noted.

Changing an account’s characteristics while the owner is logged in can have undesirable consequences. This is particularly true of the -d -m combination, which can cause the files a user is working on to move. Most other changes, such as changes to the account’s default shell, don’t take effect until the user has logged out and back in again.

If you change the account’s UID, this action does not change the UIDs associated with a user’s existing files. Because of this, the user may lose access to these files. You can manually update the UIDs on all files by using the chown command, as described in Chapter 4. Specifically, a command like the following, issued after changing the UID on the account sally, restores proper ownership on the files in sally’s home directory:

# chown -R sally /home/sally

This action does not change the ownership of files that aren’t in sally’s home directory. If you believe such files exist, you may need to track them down with the find command, as you’ll see in the upcoming section “Deleting Accounts.” Also, this command blindly changes ownership of all files in the /home/sally directory. This is probably OK, but it’s conceivable that some files in that directory should be owned by somebody else—say, because sally and another user are collaborating on a project.

When using the -G option to add a user to new groups, be aware that any groups not listed will be removed. The gpasswd command, described in the upcoming section “Using gpasswd,” provides a way to add a user to one or more specific groups without affecting existing group memberships, and so it’s generally preferable for this purpose.

Using chage

The chage command enables you to modify account settings relating to account expiration. It’s possible to configure Linux accounts so that they automatically expire if either of two conditions is true:

- The password hasn’t been changed in a specified period of time.
- The system date is past a predetermined time.

These settings are controlled through the chage utility, which has the following syntax:

chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays]
      [-E expiredate] [-W warndays] username

The program’s parameters modify the command’s actions:

Display Information: The -l option causes chage to display account expiration and password aging information for a particular user.

Set the Minimum Time Between Password Changes: The -m mindays parameter sets the minimum number of days between password changes. 0 indicates that a user can change a password multiple times in a day, 1 means that a user can change a password once a day, 2 means that a user may change a password once every two days, and so on.

Set the Maximum Time Between Password Changes: The -M maxdays parameter sets the maximum number of days that may pass between password changes. For instance, 30 requires a password change approximately once a month.

If the user changes a password before the deadline, the counter is reset from the password-change date.

Set the Last Password Change Date: The -d lastday parameter sets the last day a password was changed. This value is normally maintained automatically by Linux, but you can use this parameter to artificially alter the password change count. lastday is expressed in the format YYYY/MM/DD or as the number of days since January 1, 1970.

Set the Maximum Inactive Days: The -I inactivedays parameter sets the number of days between password expiration and account disablement. An expired account may not be used or may force the user to change the password immediately upon logging in, depending on the distribution. A disabled account is completely disabled.

Set the Expiration Date: You can set an absolute expiration date with the -E expiredate option. For instance, you might use -E 2013/05/21 to have an account expire on May 21, 2013. The date may also be expressed as the number of days since January 1, 1970. A value of -1 represents no expiration date.

Set the Number of Warning Days: The -W warndays option sets the number of days before account expiration that the system will warn the user of the impending expiration. It’s generally a good idea to use this feature to alert users of their situation, particularly if you make heavy use of password-change expirations. Note that these warnings are usually shown only to text-mode login users; GUI login users, file-share users, and so on usually don’t see these messages.

The chage command can normally be used only by root. The one exception to this rule is if the -l option is used; this feature allows ordinary users to check their account-expiration information.

Directly Modifying Account Configuration Files

You can directly modify user configuration files. The /etc/passwd and /etc/shadow files control most aspects of an account’s basic features. Both files consist of a set of lines, one line per account. Each line begins with a username and continues with a set of fields, delimited by colons (:). Many of these items may be modified with usermod or passwd. A typical /etc/passwd entry resembles the following:

sally:x:1029:100:Sally Jones:/home/sally:/bin/bash

Each field has a specific meaning, as follows:

Username: The first field in each /etc/passwd line is the username (sally in this example).

Password: The second field has traditionally been reserved for the password. Most Linux systems, however, use a shadow password system in which the password is stored in /etc/shadow. The x in the example’s password field is an indication that shadow passwords are in use. In a system that doesn’t use shadow passwords, an encrypted password appears here instead.

UID: Following the password is the account’s user ID (1029 in this example).

Primary GID: The default login group ID is next in the /etc/passwd line for an account. The example uses a primary GID of 100.

Comment: The comment field may have different contents on different systems. In the preceding example, it’s the user’s full name. Some systems place additional information here, in a comma-separated list. Such information may include the user’s telephone number, office number, title, and so on.

Home Directory: The user’s home directory is next up in the list.

Default Shell: The default shell is the final item on each line in /etc/passwd. This is normally /bin/bash, /bin/tcsh, or some other common command shell. It’s possible to use something unusual here, though. For instance, many systems include a shutdown account with /bin/shutdown as the shell. If you log into this account, the computer immediately shuts down. You can create user accounts with a shell of /bin/false, which prevents users from logging in as ordinary users but leaves other utilities intact. Users can still receive mail and retrieve it via a remote mail retrieval protocol like POP or IMAP, for instance. A variant on this scheme uses /bin/passwd so that users may change their passwords remotely but can’t log in using a command shell.

You can directly modify any of these fields, although in a shadow password system, you probably do not want to modify the password field; you should make password-related changes via passwd so that they can be properly encrypted and stored in /etc/shadow. As with changes initiated via usermod, it’s best to change /etc/passwd directly only when the user in question isn’t logged in, to prevent a change from disrupting an ongoing session.

Like /etc/passwd, /etc/shadow may be edited directly. An /etc/shadow line resembles the following:

sally:$6$EmoFkLZPkHkpczVN2XRcMdyj8/ZeeT5UnTQ:15505:0:-1:7:-1:-1:

Most of these fields correspond to options set with the chage utility, although some are set with passwd, useradd, or usermod. The meaning of each colon-delimited field on this line is as follows:

Username: Each line begins with the username. Note that the UID is not used in /etc/shadow; the username links entries in this file to those in /etc/passwd.

Password: The password is stored in encrypted form, so it bears no obvious resemblance to the actual password. An asterisk (*) or exclamation mark (!) denotes an account with no password (that is, the account doesn’t accept logins—it’s locked). This is common for accounts used by the system itself. When you lock a user account via the -L option to usermod, the utility prepends an exclamation mark (!) to the password field. Removing the exclamation mark unlocks the account, restoring the original password.

If you’ve forgotten the root password for a computer, you can boot with an emergency recovery system and copy the contents of a password field for an account whose password you do remember. You can then boot normally, log in as root, and change the password. In a real pinch, you can delete the contents of the password field, which results in a root account with no password (that is, none is required to log in). If you do this, be sure to immediately change the root password after rebooting!

Last Password Change: The next field (15505 in this example) is the date of the last password change. This date is stored as the number of days since January 1, 1970.

Days Until a Change Is Allowed: The next field (0 in this example) is the number of days before a password change is allowed.

Days Before a Change Is Required: This field is the number of days after the last password change before another password change is required.

Days of Warning Before Password Expiration: If your system is configured to expire passwords, you may set it to warn the user when an expiration date is approaching. A value of 7, as in the preceding example, is typical.

Days Between Expiration and Deactivation: Linux allows for a gap between the expiration of an account and its complete deactivation. An expired account either can’t be used or requires that the user change the password immediately after logging in. In either case, its password remains intact. A deactivated account’s password is erased, and the account can’t be used until it’s reactivated by the system administrator.

Expiration Date: This field shows the date on which the account will expire. As with the last password change date, the date is expressed as the number of days since January 1, 1970. This option is helpful in the case of students, interns, auditors, contract staff, seasonal workers, and similar temporary users.

Special Flag: This field is reserved for future use and normally isn’t used or contains a meaningless value. This field is empty in the preceding example.

For fields relating to day counts, a value of -1 or 99999 indicates that the relevant feature has been disabled. The /etc/shadow values are generally best left to modification through the usermod and chage commands because they can be tricky to set manually—for instance, it’s easy to forget a leap year or the like when computing a date as the number of days since January 1, 1970. Similarly, because of its encrypted nature, the password field can’t be edited effectively except through passwd or similar utilities. You can cut and paste a value from a compatible file or use crypt, but it’s generally easier to use passwd. Copying encrypted passwords from other systems is also somewhat risky because it means that the users will have the same passwords on both systems, and this fact will be obvious to anybody who’s acquired both encrypted password lists.

The /etc/shadow file is normally stored with very restrictive permissions, such as rw------- (600), with ownership by root. (Precise permissions vary from one distribution to another, though.) This fact is critical to the shadow password system’s utility because it keeps non-root users from reading the file and obtaining the password list, even in an encrypted form. By contrast, /etc/passwd must be readable by ordinary users and usually has rw-r--r-- (644) permissions. If you manually modify /etc/shadow, be sure it has the correct permissions when you’re done.
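Because the day-count fields are easy to misread by hand, the following Python sketch decodes an /etc/shadow line into calendar dates and an account state. It is an added example, not code from the book: SAMPLE is the line shown above, the intern line is constructed, the function names are hypothetical, and the order in which the states are tested is a choice made for this example.

```python
"""Decode the day-count fields of an /etc/shadow line into dates and a state."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
DISABLED = {"", "-1", "99999"}   # values that switch a day-count feature off

# The /etc/shadow sample line from this section.
SAMPLE = "sally:$6$EmoFkLZPkHkpczVN2XRcMdyj8/ZeeT5UnTQ:15505:0:-1:7:-1:-1:"
# Constructed line: 30-day password lifetime, 14 inactive days, fixed expiry.
SAMPLE_INTERN = "intern:$6$CONSTRUCTEDHASH:15505:0:30:7:14:15846:"


def days_to_date(days):
    """Days since January 1, 1970 -> calendar date (leap years handled)."""
    return EPOCH + timedelta(days=days)


def date_to_days(day):
    """Calendar date -> days since January 1, 1970, as chage -E/-d accept."""
    return (day - EPOCH).days


def _count(field):
    """Day-count field -> int, or None when the feature is disabled."""
    return None if field in DISABLED else int(field)


def decode_shadow(line, today):
    """Return a dict describing one shadow entry as of the date `today`."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-delimited fields, got {len(fields)}")
    name, password, last, minimum, maximum, warn, inactive, expire, _flag = fields

    last_n, max_n = _count(last), _count(maximum)
    inactive_n, expire_n = _count(inactive), _count(expire)

    last_change = days_to_date(last_n) if last_n is not None else None
    password_expires = None
    if last_n is not None and max_n is not None:
        password_expires = days_to_date(last_n + max_n)
    deactivated_on = None
    if password_expires is not None and inactive_n is not None:
        deactivated_on = password_expires + timedelta(days=inactive_n)
    account_expires = days_to_date(expire_n) if expire_n is not None else None

    # State precedence below is this example's choice, strictest test first.
    if password.startswith(("!", "*")):
        state = "locked"
    elif password == "":
        state = "no password required"
    elif account_expires is not None and today > account_expires:
        state = "account expired"
    elif deactivated_on is not None and today > deactivated_on:
        state = "deactivated after password expiry"
    elif password_expires is not None and today > password_expires:
        state = "password expired"
    else:
        state = "active"

    return {"name": name, "state": state, "last_change": last_change,
            "min_days": _count(minimum), "warn_days": _count(warn),
            "password_expires": password_expires,
            "deactivated_on": deactivated_on,
            "account_expires": account_expires}


if __name__ == "__main__":
    for entry in (SAMPLE, SAMPLE_INTERN, "svc:!" + SAMPLE.split(":", 1)[1][1:]):
        print(decode_shadow(entry, date(2012, 7, 20)))
```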

Network Account Databases

Many networks employ network account databases. Such systems include the Network Information System (NIS), an update to this system called NIS+, the Lightweight Directory Access Protocol (LDAP), Kerberos realms, Windows NT 4.0 domains, and Active Directory (AD) domains. All of these systems move account database management onto a single centralized computer (often with one or more backup systems). The advantage of this approach to account maintenance is that users and administrators need not deal with maintaining accounts independently on multiple computers. A single account database can handle accounts on dozens (or even hundreds or thousands) of different computers, greatly simplifying day-to-day administrative tasks and simplifying users’ lives. Using such a system, though, means that most user accounts won’t appear in /etc/passwd and /etc/shadow, and groups may not appear in /etc/group. (These files will still hold information on local system accounts and groups, though.)

Linux can participate in these systems. In fact, some distributions provide options to enable such support at OS installation time. Typically, you must know the name or IP address of the server that hosts the network account database, and you must know what protocol the server uses. You may also need a password or some other protocol-specific information, and the server may need to be configured to accept accesses from the Linux system you’re configuring.

Activating use of such network account databases after installing Linux is a complex topic. It involves installing appropriate software, modifying the /etc/nsswitch.conf file, and modifying the Pluggable Authentication Module (PAM) configuration files in /etc/pam.d. Such systems often alter the behavior of tools such as passwd and usermod in subtle or not-so-subtle ways. If you need to use such a system, you’ll have to consult documentation specific to the service you intend to use. My book Linux in a Windows World (O’Reilly, 2005) covers this topic for Windows NT 4.0 domains, LDAP, and Kerberos; and Mark Minasi and Dan York’s Linux for Windows Administrators (Sybex, 2002) covers this topic for Windows NT 4.0 domains and NIS.

Deleting Accounts

On the surface, deleting user accounts is easy. You may use the userdel command to do the job of removing a user’s entries from /etc/passwd and, if the system uses shadow passwords, /etc/shadow. The userdel command takes just three parameters:

Remove User Files: The -r or --remove parameter causes the system to remove all files from the user’s mail spool and home directory, as well as the home directory.

Force Deletion: You can force deletion of the account while a user is logged in by using the -f or --force option in conjunction with -r. This option also forces removal of the mail spool even if it’s owned by another user and forces removal of the home directory even if another user uses the same home directory.

Get Help: The -h or --help option summarizes userdel options.

As an example, removing the sally account is easily accomplished with the following command:

# userdel -r sally

You may omit the -r parameter if you want to preserve the user’s files. Be aware of one potential complication: Users may create files outside their home directories. For instance, many programs use the /tmp directory as “scratch space,” so user files often wind up there. These files are deleted automatically after a certain period, but you may have other directories in which users may store files. To locate all such files, you can use the find command with its -uid parameter (or -user, if you use find before deleting the account). For instance, if sally was UID 1029, you can use the following command to locate all her files:

# find / -uid 1029

The result is a list of files owned by UID 529 (formerly sally). You can then go through this list and decide what to do with the files—change their ownership to somebody else, delete them, back them up to CD-R, or what have you. It’s wise to do something with these files, or they may be assigned ownership to another user if Sally’s UID is reused. This can become awkward if the files exceed the new user’s disk quota or if they contain information that the new user should not have—such a person may mistakenly be accused of indiscretions or even crimes.

A few servers—most notably Samba—keep their own list of users. If you run such a server, it’s best to remove the user’s entry from that server’s user list when you remove the user’s main account. In the case of Samba, this is normally done by manually editing the smbpasswd file (usually located in /etc, /etc/samba, or /etc/samba.d) and deleting the line corresponding to the user in question or by using the smbpasswd command and its -x option, as in smbpasswd -x sally to delete the sally account from Samba’s database.
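The leftover-file problem described above can be checked for every deleted account at once by listing files whose owner UID no longer maps to any account. This Python sketch is an added example, not code from the book; the function names are hypothetical, and it generalizes the single-UID find search to all UIDs that are absent from the account database.

```python
"""Find files left behind by deleted accounts before their UIDs are reused."""
import os


def _owners(root):
    """Yield (path, owner_uid) for root and everything below it.

    lstat is used so symbolic links are reported, never followed."""
    yield root, os.lstat(root).st_uid
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_uid
            except OSError:
                continue  # file vanished or is unreadable; skip it


def files_owned_by(root, uid):
    """Paths under root owned by one UID (what `find root -uid UID` lists)."""
    return sorted(path for path, owner in _owners(root) if owner == uid)


def orphaned_files(root, known_uids):
    """(path, uid) pairs whose owner UID is not in known_uids.

    After userdel without -r, the deleted user's files show up here; they
    would silently become the property of whoever is given that UID next."""
    return sorted((path, owner) for path, owner in _owners(root)
                  if owner not in known_uids)


if __name__ == "__main__":
    import pwd  # account database lookup, including network accounts
    import sys

    top = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    known = {entry.pw_uid for entry in pwd.getpwall()}
    for path, owner in orphaned_files(top, known):
        print(f"{owner}\t{path}")
```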

Configuring Groups

Linux provides group configuration tools that parallel those for user accounts in many ways. Groups are not accounts, however, so many features of these tools differ. Likewise, you can create or modify groups by directly editing the configuration files in question. Their layout is similar to that for account control files, but the details differ.

Adding Groups

Linux provides the groupadd command to add a new group. This utility is similar to useradd but has fewer options. The groupadd syntax is as follows:

groupadd [-g GID [-o]] [-r] [-f] groupname

The parameters to this command enable you to adjust its operation:

Specify a GID
You can provide a specific GID with the -g GID parameter. If you omit this parameter, groupadd uses the next available GID. Normally, the GID you specify must be unused by other groups, but the -o parameter overrides this behavior, enabling you to create multiple groups that share one GID.

Create a System Group
The -r parameter instructs groupadd to create a group with a GID of less than SYS_GID_MIN, as defined in /etc/login.defs. Groups with GIDs in this range are considered system groups, which are analogous to system accounts—they’re normally used by system tools or to help control access to system resources, such as hardware device files. Not all distributions support this option; it was added by Red Hat and has been used on some related distributions. Red Hat uses GIDs of 500 and greater for user private groups (that is, groups named after individual users), which is the reason for the -r parameter.

Force Creation
Normally, if you try to create a group that already exists, groupadd returns an error message. The -f parameter suppresses that error message. Not all versions of groupadd support this parameter.

In most cases, you’ll create groups without specifying any parameters except for the group name itself:

# groupadd project3

This command creates the project3 group, giving it whatever GID the system finds convenient—usually the highest existing GID plus 1. Once you’ve done this, you can add users to the group, as described in the next section. When you add new users, you can add them directly to the new group with the -g and -G parameters to useradd, described earlier.

Modifying Group Information

Group information, like user account information, may be modified either by using utility programs or by directly editing the underlying configuration file, /etc/group. There are fewer options for modifying groups than for modifying accounts, and the utilities and configuration files are similar. In fact, usermod is one of the tools that’s used to modify groups.

Using groupmod and usermod

The groupmod command modifies an existing group’s settings. Its syntax is as follows:

groupmod [-g GID [-o]] [-n newgroupname] oldgroupname

The options to this command modify its operation:

Specify a GID
Specify the new group ID using the -g GID option. groupmod returns an error if you specify a new group ID that’s already in use, unless you include the -o parameter, in which case you can create two groups that share a single GID.

Specify a Group Name
Specify a new group name with the -n newgroupname option.

One of the most common group manipulations you’ll perform is not handled through groupmod; it’s done with usermod. Specifically, usermod enables you to add a user to a group with its -G parameter. For instance, the following command sets sally to be a member of the users, project1, and project4 groups, and it removes her from all other groups:

# usermod -G users,project1,project4 sally

Be sure to list all the user’s current groups in addition to any groups to which you want to add the user. Omitting any of the user’s current groups will remove the user from those groups. You can discover the groups to which a user currently belongs with the groups command, as in groups sally. To avoid accidentally omitting a group, many system administrators prefer to modify the /etc/group file in a text editor or use gpasswd. Both options enable you to add users to groups without specifying a user’s existing group memberships.

Using gpasswd

The gpasswd command is the group equivalent to passwd. The gpasswd command also enables you to modify other group features and to assign group administrators—users who may perform some group-related administrative functions for their groups. The basic syntax for this command is as follows:

gpasswd [-a user] [-d user] [-R] [-r] [-A user[,...]] [-M user[,...]] group

The options for this command modify its actions:

Add a User
The -a user option adds the specified user to the specified group.

Delete a User
The -d user option deletes the specified user from the specified group.

Disallow newgrp Additions
The -R option configures the group to not allow anybody to become a member through newgrp.

Remove Password
The -r option removes the password from a group.

Add Group Administrators
The root user may use the -A user[,...] parameter to specify group administrators. Group administrators may add members to and remove members from a group and change the group password. Using this parameter completely overwrites the list of administrators, so if you want to add an administrator to an existing set of group administrators, you must specify all of their usernames.

Add Users
The -M user[,...] option works like -A, but it also adds the specified user(s) to the list of group members.

If entered without any parameters except a group name, gpasswd changes the password for the group. Group passwords enable you to control temporary membership in a group, as granted by newgrp. Ordinarily, members of a group may use newgrp to change their current group membership (affecting the group of files they create). If a password is set, even those who aren’t members of a group may become temporary group members; newgrp prompts for a password that, if entered correctly, gives the user temporary group membership.

Unfortunately, some of these features aren’t implemented correctly in all distributions. In particular, password entry by non-group members sometimes does not give group membership—the system responds with an access denied error message. The -R option also sometimes doesn’t work correctly—group members whose primary group membership is with another group may still use newgrp to set their primary group membership.

Directly Modifying Group Configuration Files

Group information is stored primarily in the /etc/group file. Like account configuration files, the /etc/group file is organized as a set of lines, one line per group. A typical line in this file resembles the following:

project1:x:501:sally,sam,ellen,george

Each field is separated from the others by a colon. The meanings of the four fields are as follows:

Group Name
The first field (project1 in the preceding example) is the name of the group.

Password
The second field (x in the preceding example) is the group password. Distributions that use shadow passwords typically place an x in this field; others place the encrypted password directly in this field.

GID
The group ID number (in this example’s case, 501) goes in this field.

User List
The final field is a comma-delimited list of group members.

Users may also be members of a group based on their own /etc/passwd file primary group specification. For instance, if user george has project1 listed as his primary group, he need not be listed in the project1 line in /etc/group. If user george uses newgrp to change to another group, though, he won’t be able to change back to project1 unless he’s listed in the project1 line in /etc/group.

Systems with shadow passwords also use another file, /etc/gshadow, to store shadow password information about groups. This file stores the shadow password and information for group administrators, as described earlier in “Using gpasswd.”

If you configure Linux to use a network account database, the /etc/group file is present and may define groups important for the system’s basic operation. As with /etc/passwd and /etc/shadow, though, important user groups are likely to be defined only on the network account server, not in /etc/group.
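The four-field /etc/group format and the usermod -G pitfall described above can be checked together. The following is an added example, not from the book: it parses constructed passwd and group text (the sample accounts and GIDs are assumptions) and builds a -G argument that keeps a user’s existing supplementary groups.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not from a real system).
SAMPLE_PASSWD = """\
sally:x:1029:100:Sally:/home/sally:/bin/bash
george:x:1030:501:George:/home/george:/bin/bash
"""
SAMPLE_GROUP = """\
users:x:100:
project1:x:501:sally,sam,ellen
project3:x:503:george
project4:x:504:
"""


def parse_group(text):
    """Parse /etc/group-style text into one dict per group line."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # Four colon-separated fields: name, password, GID, user list.
        name, password, gid, members = line.split(":", 3)
        groups.append({
            "name": name,
            "password": password,
            "gid": int(gid),
            "members": [m for m in members.split(",") if m],
        })
    return groups


def primary_gid(passwd_text, user):
    """Return the primary GID (fourth field) of the user's passwd entry."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            return int(fields[3])
    raise KeyError(user)


def memberships(passwd_text, group_text, user):
    """Return (primary group names, supplementary group names) for a user.

    The primary group comes from /etc/passwd, so the user need not appear
    in that group's member list; supplementary groups come from the user
    list field of /etc/group.
    """
    gid = primary_gid(passwd_text, user)
    groups = parse_group(group_text)
    primary = [g["name"] for g in groups if g["gid"] == gid]
    supplementary = [g["name"] for g in groups if user in g["members"]]
    return primary, supplementary


def usermod_group_list(passwd_text, group_text, user, add):
    """Build the comma-separated `usermod -G` argument that adds the groups
    in `add` without dropping the user's current supplementary groups."""
    _, current = memberships(passwd_text, group_text, user)
    merged = current + [g for g in add if g not in current]
    return ",".join(merged)


if __name__ == "__main__":
    print(memberships(SAMPLE_PASSWD, SAMPLE_GROUP, "george"))
    print(usermod_group_list(SAMPLE_PASSWD, SAMPLE_GROUP, "sally", ["project4"]))
```
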

Deleting Groups

Deleting groups is done via the groupdel command, which takes a single parameter: a group name. For instance, groupdel project3 removes the project3 group. You can also delete a group by editing the /etc/group file (and /etc/gshadow, if present) and removing the relevant line for the group. It’s generally better to use groupdel, because groupdel checks to see whether the group is any user’s primary group. If it is, groupdel refuses to remove the group; you must change the user’s primary group or delete the user account first.

As with deleting users, deleting groups can leave orphaned files on the computer. You can locate them with the find command, which is described in more detail in Chapter 4. For instance, if a deleted group used a GID of 1003, you can find all the files on the computer with that GID by using the following command:

# find / -gid 1003

Once you’ve found any files with the deleted group’s ownership, you must decide what to do with them. In some cases, leaving them alone won’t cause any immediate problems; but if the GID is ever reused, it can lead to confusion and even security breaches. Therefore, it’s usually best to delete the files or assign them other group ownership using the chown or chgrp command.
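Orphaned files left behind by deleted users and groups can be audited in one pass before a UID or GID is reused. The following is an added example, not from the book: it walks a directory tree and reports every entry whose owner UID or GID has no account. It assumes the local account databases (as seen through Python’s pwd and grp modules) list every valid account, which may not hold with a network account database.

```python
import grp
import os
import pwd


def find_orphans(root, known_uids=None, known_gids=None):
    """Return (path, uid, gid, reason) for entries under root whose owner
    UID or group GID does not belong to any known account.

    known_uids / known_gids default to the IDs found in the system's
    account databases; pass explicit sets to audit against another list.
    """
    if known_uids is None:
        known_uids = {entry.pw_uid for entry in pwd.getpwall()}
    if known_gids is None:
        known_gids = {entry.gr_gid for entry in grp.getgrall()}

    orphans = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            try:
                # lstat reports a symbolic link itself rather than its target.
                info = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            reasons = []
            if info.st_uid not in known_uids:
                reasons.append("no user")
            if info.st_gid not in known_gids:
                reasons.append("no group")
            if reasons:
                orphans.append((path, info.st_uid, info.st_gid, ", ".join(reasons)))
    return orphans


if __name__ == "__main__":
    import sys

    start = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, uid, gid, why in find_orphans(start):
        print(f"{uid}:{gid}\t{why}\t{path}")
```
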

Tuning User and System Environments

Text-mode user environments are controlled through shell configuration files. For bash, these files include /etc/profile, /etc/bash.bashrc, ~/.profile, ~/.bashrc, ~/.bash_profile, and ~/.profile. The files in /etc are global configuration files, which affect all users; those in users’ home directories (which are usually copied from the skeleton directory at account creation, as described earlier) affect individual users’ accounts and can be customized by individual users. These files control the various bash options, including environment variables—named variables that hold data for the benefit of many programs. For instance, you might set the $EDITOR environment variable to the name of your favorite text editor. Some (but not all) programs that launch editors pay attention to this environment variable and launch the editor you specify.

As a system administrator, you can change the system-wide bash configuration files to add, remove, or change the environment variables that all users receive. Generally speaking, you should do so because the documentation for a specific program indicates that it uses particular environment variables. You can also see all your current environment variables by typing env. (The list is rather long, so you may want to pipe it through less, as in env | less.)

In addition to setting default environment variables and otherwise modifying users’ text-mode login environment by adjusting their bash configuration files, you can adjust the default set of files created by useradd. As described earlier, in “Adding Users,” useradd copies files from the skeleton directory (/etc/skel by default) into a newly created home directory. Typically, /etc/skel contains a handful of user configuration files, such as .bashrc. You can add files (and even directories) to this directory, including user configuration files, a starting directory tree, a README file for new users, and anything else you like. Because these files are copied into users’ home directories and users are given ownership of the copies, the users can read, change, and even delete their copies of these files. Thus, you shouldn’t place any options in these files that are sensitive from a security point of view or that users should not be able to change. (In truth, entries you place in global bash configuration files can easily be overridden by individual users via manual bash commands or other configuration files, too.) Also, be aware that any changes you make to the global files won’t automatically be moved into existing users’ copies of these files; changes will affect only the files received by new users. This fact makes the global files (such as /etc/profile) preferable to /etc/skel for any changes to system defaults you want to implement system-wide, particularly if you expect you’ll ever want to modify your changes.

Various programs set environment variables themselves, and some are maintained automatically by bash. For instance, bash maintains the PWD environment variable, so you shouldn’t try to set it in a configuration script. Also, be aware that adjusting the bash configuration files affects only bash. If a user’s default shell is something else or if a user doesn’t use a text-mode shell (say, if the user logs into X and launches programs from a GUI menu), setting environment variables in the bash configuration files will do no good.

Using System Log Files

Linux maintains log files that record various key details about system operation. You may be able to begin using log files immediately, but knowing how to change the log file configuration can also be important. You do this by configuring the syslogd daemon (a daemon is a program that runs continuously in the background waiting for an event to trigger it to perform some action). Some servers and other programs perform their own logging and so must be configured independently of syslogd. You may even want to configure one computer to send its log files to another system as a security measure. You should also be aware of issues surrounding log file rotation; if your computer doesn’t properly manage existing log files, they can grow to consume all your available disk space, at least on the partition on which they’re stored. In addition to configuring logging, you must be able to use the log files that the system generates.

Understanding syslogd

Most Linux systems employ a special daemon to handle log maintenance in a unified way. The traditional Linux system logger is syslogd, which is often installed from a package called sysklogd. The syslogd daemon handles messages from servers and other user-mode programs. It’s usually paired with a daemon called klogd, which is generally installed from the same sysklogd package as syslogd. The klogd daemon manages logging of kernel messages.

Other choices for system loggers exist. For instance, syslog-ng is a replacement that supports advanced filtering options, and metalog is another option. Recent versions of Fedora and Ubuntu use rsyslogd. This chapter describes the traditional syslogd logger. Others are similar in principle, and even in some specific features, but differ in many details.

The basic idea behind a system logger is to provide a unified means of handling log files. The daemon runs in the background and accepts data delivered from servers and other programs that are configured to use the log daemon. The daemon can then use information provided by the server to classify the message and direct it to an appropriate log file. This configuration enables you to consolidate messages from various servers in a handful of standard log files, which can be much easier to use and manage than potentially dozens of log files from the various servers running on the system.

In order to work, of course, the log daemon must be configured. In the case of syslogd, this is done through the /etc/syslog.conf file. (The rsyslogd configuration file is /etc/rsyslog.conf and is similar to syslog.conf.) The next section describes the syslog.conf file’s format in more detail.

Setting Logging Options

The format of the /etc/syslog.conf file is conceptually simple but provides a great deal of power. Comment lines, as in many Linux configuration files, are denoted by a hash mark (#). Non-comment lines take the following form:

facility.priority    action

In this line, the facility is a code word for the type of program or tool that generated the message to be logged; the priority is a code word for the importance of this message; and the action is a file, remote computer, or other location that’s to accept the message. The facility and priority are often referred to collectively as the selector.

Valid codes for the facility are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security, syslog, user, uucp, and local0 through local7. Many of these names refer to specific servers or program classes. For instance, mail servers and other mail-processing tools typically log using the mail facility. Most servers that aren’t covered by more-specific codes use the daemon facility. The security facility is identical to auth, but auth is the preferred name. The mark facility is reserved for internal use. An asterisk (*) refers to all facilities. You can specify multiple facilities in one selector by separating the facilities with commas (,).

Valid codes for the priority are debug, info, notice, warning, warn, error, err, crit, alert, emerg, and panic. The warning priority is identical to warn, error is identical to err, and emerg is identical to panic. The error, warn, and panic priority names are deprecated; you should use their equivalents instead. Other than these identical pairs, these priorities represent ascending levels of importance. The debug level logs the most information; it’s intended, as the name implies, for debugging programs that are misbehaving. The emerg priority logs the most important messages, which indicate very serious problems. When a program sends a message to the system logger, it includes a priority code; the logger logs the message to a file if you’ve configured it to log messages of that level or higher. Thus, if you specify a priority code of alert, the system will log messages that are classified as alert or emerg but not messages of crit or below. An exception to this rule is if you precede the priority code by an equal sign (=), as in =crit, which describes what to do with messages of crit priority only. An exclamation mark (!) reverses the meaning of a match. For instance, !crit causes messages below crit priority to be logged. A priority of * refers to all priorities.

You can specify multiple selectors for a single action by separating the selectors with a semicolon (;). Note that commas are used to separate multiple facilities within a single selector, whereas semicolons are used to separate multiple selectors as a whole. Examples of complete selectors appear shortly.

Most commonly, the action is a filename, typically in the /var/log directory tree. The messages, syslog, and secure files in this directory are three common and important log files, although not all distributions use all of these files. Other possible logging locations include a device filename for a console (such as /dev/console) to display data on the screen, a remote machine name preceded by an at sign (@) to log data to the specified system, and a list of usernames of individuals who should see the message if they’re logged in. For the last of these options, an asterisk (*) means all logged-in users.

Some examples should help clarify these rules. First is a fairly ordinary and simple entry:

mail.*    /var/log/mail

This line sends all log entries identified by the originating program as related to mail to the /var/log/mail file. Most of the entries in a default /etc/syslog.conf file resemble this one. Together, they typically cover all of the facilities mentioned earlier. Some messages may be handled by multiple rules. For instance, another rule might look like this one:

*.emerg    *

This line sends all emerg-level messages to the consoles of all users who are logged into the computer using text-mode tools. If this line and the earlier mail.* selector are both present, emerg-level messages related to mail will be logged to /var/log/mail and displayed on users’ consoles.

A more complex example logs kernel messages in various ways, depending on their priorities:

kern.*                 /var/log/kernel
kern.crit              @logger.pangaea.edu
kern.crit              /dev/console
kern.info;kern.!err    /var/log/kernel-info

The first of these rules logs all kernel messages to /var/log/kernel. The second line sends critical messages to logger.pangaea.edu. (This computer must be configured to accept remote logs, which is a topic not covered in this book.) The third line sends a copy of critical messages to /dev/console, which causes them to be displayed on the computer’s main text-mode console display. Finally, the last line sends messages that are between info and err in priority to /var/log/kernel-info. Because err is the priority immediately above crit and because info is the lowest priority, these four lines cause all kernel messages to be logged two or three times: once to /var/log/kernel as well as either to the remote system and the console or to /var/log/kernel-info.

Most distributions ship with reasonable system logger settings, but you may want to examine these settings and perhaps adjust them. If you change them, be aware that you may need to change some other tools. For instance, all major distributions ship with tools that help rotate log files. If you change the files to which syslogd logs messages, you may need to change your log file rotation scripts as well. This topic is covered in the next section.

In addition to the system logger’s options, you may be able to set logging options in individual programs. For instance, you may tell programs to record more or less information or to log routine information at varying priorities. Some programs also provide the means to log via the system log daemon or via their own mechanisms. Details vary greatly from one program to another, so you should consult the program’s documentation for details.

Most programs that use the system log daemons are servers and other system tools. Programs that individuals run locally seldom log data via the system log daemon, although there are some exceptions to this rule, such as the Fetchmail program for retrieving email from remote servers.
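To check where a given message ends up before you edit syslog.conf, the selector rules above can be evaluated offline. The following is an added example, not from the book and not syslogd’s own code: it assumes that selectors in a semicolon-separated list are applied left to right and that a ! selector removes priorities enabled by earlier selectors, which is how the kern.info;kern.!err rule is meant to work.

```python
# Priorities in ascending order of importance, plus the deprecated aliases.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg", "security": "auth"}

# The rules quoted in the text above, collected into one constructed file.
SAMPLE_CONF = """\
# facility.priority     action
mail.*                  /var/log/mail
*.emerg                 *
kern.*                  /var/log/kernel
kern.crit               @logger.pangaea.edu
kern.crit               /dev/console
kern.info;kern.!err     /var/log/kernel-info
"""


def parse_rules(conf_text):
    """Return (selector list, action) pairs, skipping comments and blanks."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules.append((selectors, action.strip()))
    return rules


def selector_mask(selectors, facility):
    """Return the set of priorities a selector list enables for a facility."""
    facility = ALIASES.get(facility, facility)
    enabled = set()
    for selector in selectors.split(";"):
        facilities, _, prio = selector.rpartition(".")
        names = [ALIASES.get(f, f) for f in facilities.split(",")]
        if "*" not in names and facility not in names:
            continue  # this selector says nothing about our facility
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "*":
            chosen = set(PRIORITIES)
        else:
            level = PRIORITIES.index(ALIASES.get(prio, prio))
            # "=crit" selects one level; plain "crit" selects crit and higher.
            chosen = {PRIORITIES[level]} if exact else set(PRIORITIES[level:])
        enabled = enabled - chosen if negate else enabled | chosen
    return enabled


def route(conf_text, facility, priority):
    """List every action that receives a message, in configuration order."""
    priority = ALIASES.get(priority, priority)
    return [action for selectors, action in parse_rules(conf_text)
            if priority in selector_mask(selectors, facility)]


if __name__ == "__main__":
    for facility, priority in [("kern", "crit"), ("kern", "warning"), ("mail", "emerg")]:
        print(facility, priority, "->", route(SAMPLE_CONF, facility, priority))
```
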

Manually Logging Data

For the most part, the system logger accepts log entries from system tools, such as servers. Occasionally, though, you may want to manually create a log entry or have a script do so. The tool for this job is known as logger, and it has the following syntax:

logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message ...]

Options to logger permit changing its default function:

Record logger PID
The -i option records the process ID (PID) of the logger process along with other data.

Output to Standard Error
You can echo data to standard error, as well as to the log file, by using the -s option. An interactive script might use this feature to alert users to problems.

Log Using Datagrams
The -d option causes logger to use datagrams rather than a stream connection to the system logger socket. This is an advanced feature that you should use only if you’re instructed to do so in documentation or if you understand the networking issues involved.

Log a File
You can log the contents of a file by using the -f file option. Be cautious with this option; if file is big, your system log file can grow to ridiculous size!

Identify a Priority
The -p pri option specifies a priority, as described earlier.

Log Tags
By default, logger includes its name in the log file as a tag. You can change this tag with the -t tag option. This is useful if you want to identify a script or other program that created the log entry and don’t care to record the fact that logger was involved in the process.

Specify a Socket
Ordinarily, logger calls the default system log tools to do its job. You can log directly to a network socket using the -u socket option if you prefer.

Specify a Message
If you don’t specify a file using -f file, logger will log whatever you type after other options as the message to be logged. If you don’t provide a message on the command line, logger accepts input you type on subsequent lines as information to be logged. You should terminate such input by pressing Ctrl+D.

As an example, suppose you want to log the message “shutting down for system maintenance” to the system log. You can do so by typing the following command:

$ logger shutting down for system maintenance

The result will be an entry like the following, probably in /var/log/messages:

Jul 29 14:09:50 nessus logger: shutting down for system maintenance

Adding parameters changes the details of what’s logged, as just described. You can place a call to logger in a script as a way of documenting the script’s activities. For instance, a system backup script might use logger to record details such as its start and stop times and the number and size of the files it has backed up.

Rotating Log Files

Log files are intended to retain information about system activities for a reasonable period of time, but system logging daemons provide no means to control the size of log files. Left unchecked, log files can therefore grow to consume all the available space on the partition on which they reside. To avoid this problem, Linux employs log file rotation tools. These tools rename and optionally compress the current log files, delete old log files, and force the logging system to begin using new log files.

The most common log rotation tool is a package called logrotate. This program is typically called on a regular basis via a cron job. (The upcoming section “Running Jobs in the Future” describes cron jobs in more detail.) The logrotate program consults a configuration file called /etc/logrotate.conf, which includes several default settings and typically refers to files in /etc/logrotate.d to handle specific log files. A typical /etc/logrotate.conf file includes several comment lines, denoted by hash marks (#), as well as lines to set various options, as illustrated by Listing 7.1.

Listing 7.1: Sample /etc/logrotate.conf File

# Rotate logs weekly
weekly

# Keep 4 weeks of old logs
rotate 4

# Create new log files after rotation
create

# Compress old log files
compress

# Refer to files for individual packages
include /etc/logrotate.d

# Set miscellaneous options
notifempty
nomail
noolddir

# Rotate wtmp, which isn't handled by a specific program
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

Most of the lines in Listing 7.1 set options that are fairly self-explanatory or that are well explained by the comments that immediately precede them—for instance, the weekly line sets the default log rotation interval to once a week. If you see an option in your file that you don’t understand, consult the man page for logrotate.

Because log file rotation is handled by cron jobs that typically run late at night, it won’t happen if a computer is routinely turned off at the end of the day. This practice is common with Windows workstations but is uncommon with servers. Linux workstations should either be left running overnight as a general practice or be given special tools to enable log rotation despite routine shutdowns. The anacron utility, described in the upcoming section “Using anacron,” is particularly well suited to the latter task.

The last few lines of Listing 7.1 demonstrate the format for the definition of a specific log file. These definitions begin with the filename for the file (multiple filenames may be listed, separated by spaces), followed by an open curly brace ({). They end in a close curly brace (}). Intervening lines set options that may override the defaults. For instance, the /var/log/wtmp definition in Listing 7.1 sets the monthly option, which tells logrotate to rotate this log file once a month, overriding the default weekly option. Such definitions are common in the individual files in /etc/logrotate.d, which are typically owned by the packages whose log files they rotate. The following are examples of features that are often set in these definitions:

Rotated File Naming
Ordinarily, rotated log files acquire numbers, such as messages.1 for the first rotation of the messages log file. Using the dateext option causes the rotated log file to obtain a date code instead, as in messages-20130210 for the rotation performed on February 10, 2013.

Compression Options
As already noted, compress causes logrotate to compress log files to save space. This is done using gzip by default, but you can specify another program with the compresscmd keyword, as in compresscmd bzip2 to use bzip2. The compressoptions keyword enables you to pass options to the compression command (say, to improve the compression ratio).

Creation of New Log Files
The create option causes logrotate to create a new log file for use by the system logger or program. This option takes a file mode, an owner, and a group as additional options. Some programs don’t work well with this option, though. Most of them use the copytruncate option instead, which tells logrotate to copy the old log file to a new name and then clear all the data out of the original file.

Time Options
The daily, weekly, and monthly options tell the system to rotate the log files at the specified intervals. These options aren’t always used; some configurations use a size threshold rather than a time threshold for when to rotate log files.

Size Options
The size keyword sets a maximum size for a log file. It takes a size in bytes as an argument (adding k, M, or G to the size changes it to kilobytes, megabytes, or gigabytes, respectively). For instance, size 100k causes logrotate to rotate the file when it reaches 100 kB in size.

Rotation Options
The rotate x option causes x copies of old log files to be maintained. For instance, if you set rotate 2 for the /var/log/messages file, logrotate will maintain /var/log/messages.1 and /var/log/messages.2 in addition to the active /var/log/messages file. When that file is rotated, /var/log/messages.2 is deleted, /var/log/messages.1 is renamed to /var/log/messages.2, /var/log/messages becomes /var/log/messages.1, and a new /var/log/messages is created.

Mail Options
If you use mail address, logrotate will email a log file to the specified address when it’s rotated out of existence. Using nomail causes the system to not send any email; the log is quietly deleted.

Scripts
The prerotate and postrotate keywords both begin a series of lines that are treated as scripts to be run immediately before or after log file rotation, respectively. In both cases, these scripts end with the endscript keyword. These commands are frequently used to force syslogd or a server to begin using a new log file.

In most cases, servers and other programs that log data either do so via the system logging daemon or ship with a configuration file that goes in /etc/logrotate.d to handle the server’s log files. These files usually do a reasonable job, but you may want to double-check them. For instance, you might discover that your system is configured to keep too many or too few old log files for your taste, in which case adjusting the rotate option is in order. You should also check the /var/log directory and its subdirectories every now and then. If you see huge numbers of files accumulating or if files are growing to unacceptable size, you may want to check the corresponding logrotate configuration files. If an appropriate file doesn’t exist, create one. Use a working file as a template, modifying it for the new file. Pay particular attention to the prerotate and postrotate scripts; you may need to consult the documentation for the program that’s creating the log file to learn how to force that program to begin using a new log file.

In most cases, log files remain on the computer that recorded them. Sometimes, though, you may want to copy such files off-site. The easiest way to do this may be to reconfigure the log daemon to send the messages you want to archive to another system, as described in “Setting Logging Options.” Another possibility is to create a cron job (as described later, in “Running Jobs in the Future”) to copy files to another system using a network share, ssh, or some other network tool. You can also manually copy log files onto removable disks, if you like. There are few technical reasons to archive log files for more than a few weeks—only if a problem escapes your notice for a long time will they be useful. Managers or lawyers may want to keep them around for the long term for business or legal reasons, though.

ReviewingLogFileContentsLogfilesdonogoodiftheysimplyaccumulateonthesystem.Theirpurposeistobeusedasameansof identifying problems or documenting normal activity. When a server isn’t responding as youexpect, when a computer refuses logins it should be accepting (or accepting logins it should berefusing), or when a system’s network interface isn’t coming up (to name just three types ofproblems),youshouldcheckyourlogfilesaspartofyourtroubleshootingprocedures.Logfilescanalsobeusefulinlesstroublesomesituations,suchashelpingyoutoidentifytheloadonaserversoastoplanupgrades.Severalprocedures,manyofwhichinvolvetoolsdescribedelsewhereinthisbook,canhelpyouaccessyourlogfiles:PagingThroughWholeLogFilesYoucanuseapagerprogram,suchasless(describedinChapter1,“ExploringLinuxCommand-LineTools”),toviewtheentirecontentsofalogfile.Atexteditorcanfillthesamerole.SearchingforKeywordsYoucanusegrep(describedinChapter1)topulllinesthatcontain

keywords out of log files. This can be particularly handy when you don’t know which log file is likely to hold an entry. For instance, typing grep eth0 /var/log/* locates all lines in all files in the /var/log directory that contain the string eth0.

Examining the Start or End of a File
You can use the head or tail command (described in Chapter 1) to examine the first or last several lines of a log file. The tail command is particularly handy; you can use it to look at the last few entries just after you take some action that you expect to produce some diagnostic log file entries.

Monitoring Log Files
In addition to checking the last few lines of a log file, tail can monitor a file on an ongoing basis, echoing lines to the screen as they’re added to the file. You do this with the -f option to tail, as in tail -f /var/log/messages.

Using Advanced Log Analysis Tools
Various packages exist expressly for the purpose of analyzing log files. For instance, there’s Logcheck, which is part of the Sentry Tools package (http://sourceforge.net/projects/sentrytools/). This package comes with some distributions, such as Mandriva and Debian. Unfortunately, it requires a fair amount of customization for your own system, so it’s most easily implemented if it comes with your distribution, preconfigured for its log file format.

Log file analysis is a skill that’s best learned through experience. Many log file messages are cryptic, and they can be cryptic in different ways for different programs. For instance, consider these entries:

Apr 14 23:17:00 speaker /USR/SBIN/CRON[6026]: (george) CMD (/usr/bin/fetchmail -f /home/george/.fetchmailrc > /dev/null)
Apr 14 23:17:52 speaker sshd[6031]: Accepted publickey for george from ::ffff:192.168.1.3 port 48139 ssh2

These two lines relate to two entirely different events, but they have a similar format. Both entries begin with a time stamp and the name of the computer on which the activity occurred (speaker in this example). Next on each line is an identifier for the program that logged the activity, including its PID number: /USR/SBIN/CRON[6026] and sshd[6031] in this example. Note that these names are generated by the programs that create the activity, so they aren’t necessarily consistent or even fully accurate. For instance, there is no /USR/SBIN/CRON program, although there is a /usr/sbin/cron program. (Recall that Linux has a case-sensitive filesystem.)

All of this information helps you identify what program logged the entry and when it did so. The rest of the log entry contains the actual logged data. The first entry in this example is from the cron utility, and it identifies a program run on behalf of george—specifically, cron ran the fetchmail program, passed it the name of a configuration file via the -f option, and redirected the output to /dev/null. The second entry (for sshd) identifies a login from 192.168.1.3 on port 48139, again involving the user george.

You can use entries like these to help identify malfunctioning servers, spot security breaches, and otherwise debug your system. Doing so, though, requires at least some familiarity with the normal log file contents as well as other system details. For instance, in the preceding example, if your system has no george account, these entries should both be suspicious but you must be familiar enough with the format of the entries to spot that george is a username (or be able to work it out). You must also know that your system should have no george account.

Overall, you should probably examine your log files from time to time to become familiar with their contents. This will help you spot abnormalities when the system begins misbehaving or when you want to use log files to help track down an unwelcome visitor.

Log file entries can be conspicuous by their absence as well as by suspicious content within them. Intruders often try to cover their tracks by editing log files to remove the entries that betray their unauthorized accesses. Sometimes, though, they’re sloppy about this and just delete all the log entries from the time in question. If you notice unusual gaps in your log files, such as a space of an hour with no entries on a system that normally logs a couple dozen entries in that period, you may want to investigate further.
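The two checks described above (spotting an account name the system should not have, and spotting an unusual silence in a log) can be automated. The following Python sketch is an added example, not part of the book; the function names, the one-hour threshold, the year, and every sample line other than the two george entries quoted earlier are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Traditional syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Message bodies that name the account an action was performed for.
USER_PATTERNS = {
    "sshd": re.compile(r"^Accepted \S+ for (?P<user>\S+) from \S+ port \d+"),
    "cron": re.compile(r"^\((?P<user>[^)]+)\) CMD "),
}

# Constructed sample; lines 2 and 3 are the entries quoted in the text.
SAMPLE_LOG = """\
Apr 14 23:05:01 speaker /USR/SBIN/CRON[5990]: (root) CMD (run-parts /etc/cron.hourly)
Apr 14 23:17:00 speaker /USR/SBIN/CRON[6026]: (george) CMD (/usr/bin/fetchmail -f /home/george/.fetchmailrc > /dev/null)
Apr 14 23:17:52 speaker sshd[6031]: Accepted publickey for george from ::ffff:192.168.1.3 port 48139 ssh2
Apr 15 01:40:03 speaker sshd[6102]: Accepted password for tbaker from ::ffff:192.168.1.7 port 50211 ssh2
Apr 15 01:47:00 speaker /USR/SBIN/CRON[6110]: (tbaker) CMD (/usr/bin/fetchmail -s)
this line is not in syslog format
"""


def parse_line(line, year):
    """Return a dict for one syslog line, or None if it does not parse.

    Syslog time stamps carry no year, so the caller supplies one
    (assumption: the file does not span a year boundary).
    """
    m = LINE_RE.match(line)
    if not m or m.group("mon") not in MONTHS:
        return None
    try:
        ts = datetime(year, MONTHS[m.group("mon")], int(m.group("day")),
                      int(m.group("hh")), int(m.group("mm")), int(m.group("ss")))
    except ValueError:  # e.g. "Feb 31"
        return None
    # Programs name themselves: /USR/SBIN/CRON and cron are the same daemon.
    prog = m.group("prog").rsplit("/", 1)[-1].lower()
    return {"ts": ts, "host": m.group("host"), "prog": prog,
            "pid": m.group("pid"), "msg": m.group("msg")}


def review_log(text, year, known_accounts, max_gap=timedelta(hours=1)):
    """Parse a log and report silences and account names that are not known."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line, year)
        if entry:
            entries.append(entry)
        else:
            unparsed.append(line)
    # A gap is any pair of consecutive entries further apart than max_gap.
    gaps = [(a["ts"], b["ts"]) for a, b in zip(entries, entries[1:])
            if b["ts"] - a["ts"] > max_gap]
    unknown = []
    for entry in entries:
        pattern = USER_PATTERNS.get(entry["prog"])
        m = pattern.match(entry["msg"]) if pattern else None
        if m and m.group("user") not in known_accounts:
            unknown.append((entry["ts"], entry["prog"], m.group("user")))
    return {"entries": entries, "unparsed": unparsed,
            "gaps": gaps, "unknown_users": unknown}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG, 2013, known_accounts={"root", "tbaker"})
    for start, end in report["gaps"]:
        print(f"no entries between {start} and {end}")
    for ts, prog, user in report["unknown_users"]:
        print(f"{ts} {prog}: activity for unknown account {user}")
```

A sensible max_gap depends on how busy the host normally is, which is the familiarity with normal log contents that the text recommends building.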

Maintaining the System Time
Linux depends on its system clock more than many OSs. Tools such as cron and at (described later, in “Running Jobs in the Future”) run programs at specified times, the make development tool uses files’ time stamps to determine which ones need attention, and so on. Thus, you should be familiar with how Linux deals with time, how to set the time zone, how to set the time, and how to keep the clock accurate.

Linux Time Concepts
The x86 and x86-64 computers that most often run Linux, as well as most other computers of this general class, have two built-in clocks. The first of these clocks, sometimes called the hardware clock, maintains the time while the computer is turned off. When you boot Linux, it reads the hardware clock and sets the software clock to the value it retrieves. The software clock is what Linux uses for most purposes while it’s running.

Most desktop OSs, such as Windows and pre-X versions of Mac OS, set their clocks to the local time. This approach is simple and convenient for people who are used to dealing mainly with local time, but for purposes of networking, it’s inadequate. When it’s 4:00 a.m. in New York, it’s 1:00 a.m. in Los Angeles, so network protocols that rely even partly on time can become confused (or at the very least, create confusing log entries) when they operate across time zones. Linux, like other Unix-like OSs, sets its clock to Coordinated Universal Time (UTC), which for most purposes is identical to Greenwich Mean Time (GMT)—the time in Greenwich, England, unadjusted for daylight saving time. This approach means that Linux systems in New York and Los Angeles (and London and Moscow and Tokyo) should have identical times, assuming all are set correctly. For communicating with users, though, these systems need to know their time zones. For instance, when you type ls -l to see a file listing complete with time stamps, Linux reads the time stamp in UTC and then adds or subtracts the appropriate amount of time so that the time stamp appears in your local time.

Of course, all of this means that you must be able to set the computer’s time zone. On most systems, this is done at system installation; the distribution’s installer asks you for your time zone and sets things up correctly. If you erred during installation or if you need to change the time zone for any reason, refer to Chapter 6, “Configuring the X Window System, Localization, and Printing,” which describes how to set your time zone.

The exam’s objective 108.1 includes the files /usr/share/zoneinfo, /etc/timezone, and /etc/localtime. These files are also included under objective 107.3 and are described in Chapter 6, which covers that objective.

Linux’s internal use of UTC can complicate setting the hardware clock. Ideally, the hardware clock should be set to UTC; but if your system multi-boots between Linux and an OS that expects the hardware clock to be in local time, you’ll have to set the hardware clock to local time and configure Linux to deal with this fact. For the most part, this configuration works well, but you may have to watch the clock the first time you reboot in the spring or fall after changing your clocks because of daylight saving time. Depending on your Linux and other OS’s settings, your hardware clock may be reset in a way one OS or the other doesn’t expect.

Both the hardware clock and the software clock are notoriously unreliable on standard x86 and x86-64 hardware; both clocks tend to drift, so your clock can easily end up being several minutes off the correct time within a month or two of being set. To deal with this problem, Linux supports various network protocols for setting the time. The most popular of these is the Network Time Protocol (NTP), which is described in the upcoming section “Using NTP.”

Manually Setting the Time
You can manually set your system’s clock—or more precisely, its clocks, because as noted earlier, Linux maintains two clocks: the hardware clock and the software clock. The main tool to set the software clock is date, which has the following syntax when setting the clock:

date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

Used without any options, this command displays the current date and time. If you pass a time to the program, it sets the software clock to that time. This format contains a month, a day, an hour, and a minute at a minimum, all in two-digit codes (MMDDhhmm). You can optionally add a 2- or 4-digit year and the seconds within a minute if you like. You should specify the time in a 24-hour format. For instance, to set the time to 3:02 p.m. on October 27, 2013, you’d type the following command:

# date 102715022013

By default, date assumes you’re specifying the time in local time. If you want to set the clock in UTC, include the -u, --utc, or --universal option.

Because x86 and x86-64 hardware maintains both software and hardware clocks, Linux provides tools to synchronize the two. Specifically, the hwclock utility enables you to set the hardware clock from the software clock, or vice versa, as well as do a few other things. Its syntax is fairly straightforward:

hwclock [options]

You can specify options to accomplish several goals:

Show the Hardware Clock
To view the hardware clock, pass the -r or --show option. The time is displayed in local time, even if the hardware clock is set to UTC.

Set the Hardware Clock Manually
To set the hardware clock to a date you specify, you need two options: --set and --date=newdate. The newdate is in the date format that the date program accepts.

Set the Hardware Clock Based on the Software Clock
If you’ve set the software clock, you can synchronize the hardware clock to the same value with the --systohc option.

Set the Software Clock Based on the Hardware Clock
If your hardware clock is accurate but your software clock isn’t, you can use the --hctosys option to set the software clock to the hardware clock’s value. This option is often used in a SysV startup script to set the system clock when the computer first boots.

Specify UTC or Local Time
You can tell Linux to treat the hardware clock as storing UTC by using the --utc option or to treat it as holding local time by using the --localtime option. The default is whichever was last used when the hardware clock was set.

Ordinarily, you won’t use hwclock directly very often. You may need to use it after a daylight saving time shift if you maintain your hardware clock in local time, but most distributions include scripts that manage this task automatically. You may also want to use it once in a while to keep the hardware clock from drifting too far from an accurate time; but again, many distributions do this automatically as part of the system shutdown procedure.

You can also set the hardware clock via your computer’s firmware setup utility. Consult your motherboard or computer hardware manual for details. You must reboot the system to do this, typically pressing the Delete or some other key at a critical time early in the boot process (before your boot loader takes over). You must then find the time option and set it appropriately. If Linux is using UTC, remember to set the clock to UTC rather than local time.

Using NTP
Typically, a clock on an isolated computer needn’t be set with any great precision. It doesn’t really matter if the time is off by a few seconds, or even a few minutes, so long as the time is reasonably consistent on that one computer for the purpose of cron, other scheduling tools, and time stamps. Sometimes, though, maintaining a truly accurate system time is important. This is true for a few scientific, business, and industrial applications (such as astronomical measurements or determining the start and stop times for television broadcasts). In a networked environment, maintaining the correct time can be more important. Time stamps on files may become confused if a file server and its clients have different times, for instance. Worse, a few protocols, such as the Kerberos security suite, embed time stamps in their packets and rely on those time stamps for normal system functioning. If two computers using Kerberos have wildly different times, they may not be able to communicate. For these reasons, several protocols exist to synchronize the clocks of multiple systems. Of these, NTP is the most popular and flexible, so I describe it.

You should first understand the basic principles of NTP operation. You can then go on to configuring an NTP server for your network and setting up other systems as NTP clients.

Understanding NTP Basics
One of the most popular, flexible, and accurate network time tools is NTP. This protocol creates a tiered hierarchy of time sources, as illustrated in Figure 7.1. At the top of the structure are one or more highly accurate time sources—typically atomic clocks or radio receivers that pull their times from broadcast time signals based on atomic clocks. These are referred to as stratum 0 time servers, but they aren’t directly accessible to any but the stratum 1 time servers to which they’re connected. These stratum 1 computers run NTP servers that deliver the time to stratum 2 servers, which deliver the time to stratum 3 servers, and so on, for an arbitrary number of strata.

FIGURE 7.1 NTP enables an expanding pyramid of computers to set their clocks to a highly accurate source signal.

Other time-setting protocols include one built into the Server Message Block/Common Internet File System (SMB/CIFS) used for Windows file sharing and implemented in Linux by Samba and a protocol used by the rdate utility in Linux.

The key to NTP is the fact that each server can deliver time to an expanding number of clients. For instance, if a stratum 1 server has 1,000 clients, each of which has 1,000 clients, and so on, stratum 3 will consist of 1,000,000 systems, and stratum 4 will contain 1,000,000,000 systems. Each increase in the stratum number slightly decreases the accuracy of the time signal, but not by much; even a stratum 4 system’s clock should be accurate to well under a second, which is accurate enough for almost all purposes. More important, if you run a network, you can set aside one computer as an NTP server and set all your other computers’ clocks from that one server. Even if your primary NTP server’s clock is off by a second, all the clocks on your network should be set to within a tiny fraction of each other, which is the most important consideration for time-dependent network protocols such as Kerberos.

NTP works by measuring the round-trip time for packets between the server and the client. The two systems exchange packets with embedded time stamps; the client then adjusts its time so that it is synchronized with the source’s time stamp but adds a bit to the time reported by the source to account for the packet’s estimated travel time. For this reason, when you select an NTP source (as described next, in “Locating a Time Source”), you should pick one with the shortest possible network time delay, all other things being equal. (In truth, several measures of reliability exist, and the NTP programs try to take them all into account.)

The main Linux NTP server program functions as both a server and a client; it sets its clock based on the time of the server to which it’s pointed, and it enables other systems to set their clocks based on its own. Even the end points in the NTP hierarchy (the stratum 4 and some stratum 3 servers in Figure 7.1) often run the full NTP server package. The reason is that this software runs constantly and can monitor for and adjust the clock drift that’s common in x86 and other computers’ clocks, resulting in much more consistent timekeeping than is possible with a program that simply sets the clock and then ignores it until the next time the program is run. In other words, NTP doesn’t just reset the system clock periodically; the server improves the accuracy of the system clock. In part, this is done through the ntp.drift file, which is usually buried in /var/lib/ntp but is sometimes stored in /etc. This file holds information about the software clock’s inaccuracies and so can be used to correct for them. A full NTP server, even when it’s functioning only as an NTP client, periodically checks with its source systems to keep the system time set correctly and to update the ntp.drift file.

Locating a Time Source
You may think that locating an NTP server with a low stratum number (such as stratum 1) is ideal. Although it’s true that your own system will have a minutely more accurate clock when using such a source, the best approach in most cases is to synchronize with a stratum 2 or lower system. The reason is that this practice will help keep the load on the stratum 1 servers low, thus improving the overall performance of the NTP network as a whole. An exception might be if you’re configuring an NTP server that will itself deliver the time to hundreds or more computers.

To locate an NTP server, you should consult one or more of several sources:

Your ISP
Many Internet service providers (ISPs), including business networks and universities, operate NTP servers for the benefit of their users. These servers are usually very close to your own in a network sense, making them good choices for NTP. You should consult your ISP or the networking department at your organization to learn if such a system is available.

Your Distribution’s NTP Server
Some Linux distributions operate NTP servers for their users. If you happen to be close to these servers in a network sense, they can be good choices; however, chances are this isn’t the case, so you may want to look elsewhere.

Public NTP Server Lists
Lists of public NTP servers are maintained at http://support.ntp.org/bin/view/Servers/WebHome. These servers can be good choices, but you’ll need to locate the one closest to you in a network sense and perhaps contact the site you choose to obtain permission to use it.

Public NTP Server Pool
The pool.ntp.org subdomain is dedicated to servers that have volunteered to function as public NTP servers. These servers are accessed in a round-robin fashion by hostname, so you can end up using different servers each time you launch NTP. Thus, using the public NTP server pool can be a bit of a gamble, but the results are usually good enough for casual users or if you don’t want to spend time checking and maintaining your NTP configuration. To use the pool, you can configure your NTP server to use either the pool.ntp.org subdomain name or a numbered host within that domain, such as 0.pool.ntp.org. You can narrow the list geographically by adding a geographic name to the domain name, as in north-america.pool.ntp.org for servers located in North America. Consult http://support.ntp.org/bin/view/Servers/NTPPoolServers for details.

The closest server in a network sense may not be the closest computer in a geographic sense. For instance, a national ISP may route all traffic through just one or two hub sites. The result can be that traffic from, say, Atlanta, Georgia, to Tampa, Florida, may go through Chicago, Illinois. Such a detour is likely to increase round-trip time and decrease the accuracy of NTP. In such a situation, a user in Atlanta may be better off using a Chicago NTP server than one in Tampa, even though Tampa is much closer geographically.

Once you’ve located a few possible time servers, try using ping to determine the round-trip time for packets to this system. If any systems have very high ping times, you may want to remove them from consideration.

Configuring NTP Servers
When you’re setting up a network to use NTP, select one system (or perhaps two for a network with several dozen or more computers) to function as the primary NTP server. This computer needn’t be very powerful, but it must have always-up access to the Internet. You can then install the NTP server and configure it.

Most Linux distributions ship the NTP software in a package called ntp or ntpd. Look for this package and, if it’s not already installed, install it. If you can’t find this package, check http://www.ntp.org/downloads.html. This site hosts NTP source code, which you can compile and install. If you don’t install your distribution’s own NTP package, you’ll need to create your own SysV startup script or start the NTP daemon in some other way.

Once NTP is installed, look for its configuration file, /etc/ntp.conf. This file contains various NTP options, but the most important are the server lines:

server clock.example.com
server ntp.pangaea.edu
server time.luna.edu

Each of these lines points to a single NTP server. When your local NTP daemon starts up, it contacts all the servers specified in /etc/ntp.conf, measures their accuracy against each other, and settles on one as its primary time source. Typically, you list about three upstream time servers for a system that’s to serve many other computers. This practice enables your server to weed out any servers that deliver a bad time signal, and it also gives automatic fallback in case an upstream server becomes temporarily or permanently unavailable. If your NTP server won’t be serving many computers itself, you may want to configure it for three servers initially and then drop the ones your system isn’t using as its primary time source after a day or two. This will reduce the load on these servers.

You may want to peruse your configuration file for entries to remove. For instance, the configuration file may contain references to servers you’d rather not use or other odd options with associated comments that make you think they’re inappropriate. Generally speaking, you shouldn’t adjust entries in the ntp.conf file other than the reference server lines, but special circumstances or odd default files may require you to make changes.

Once you’ve made your changes, start or restart your NTP daemon. Typically, this is done via a SysV startup script:

# /etc/init.d/ntpd restart

You may need to change the path to the file, the SysV script filename, or the option (change restart to start if you’re starting NTP for the first time). Most distributions configure NTP to start whenever the system boots once you install the server. Consult Chapter 5, “Booting Linux and Editing Files,” for details of changing this configuration.

To verify that NTP is working, you can use ntpq, which is an interactive program that accepts various commands. Figure 7.2 shows it in operation, displaying the output of the peers command, which displays the servers to which your NTP server is connected. In Figure 7.2, three external servers are listed, plus LOCAL(0), which is the last-resort reference source of the computer’s own clock. The refid column shows the server to which each system is synchronized, the st column shows the stratum of the server, and additional columns show more technical information. The server to which yours is synchronized is denoted by an asterisk (*), other servers with good times are indicated by plus signs (+), and most other symbols (such as x and -) denote servers that have been discarded from consideration for various reasons. You can obtain a server list by passing -p or --peers to ntpq, as in ntpq -p, without entering interactive mode. Consult ntpq’s man page for more information about its operation.

FIGURE 7.2 The ntpq program enables you to verify that an NTP server is functioning correctly.

You won’t see a server selected as the source until a few minutes after you restart the NTP daemon. The reason is that your local NTP process takes a while to determine which of the sources is providing the best signal.

Configuring NTP Clients
Once you’ve configured one or more NTP servers, you can configure the rest of your computers to point to them. Their configuration is done just like the NTP server configuration, with a couple of exceptions:

You set your NTP clients to refer to the NTP server (or servers) you’ve just configured rather than to an outside NTP source. This way, your local systems won’t put an unnecessary burden on the outside NTP server you’ve selected.
You may want to ensure that your NTP clients can’t be accessed as servers. This is a security measure. You can do this with an iptables firewall rule or by using the restrict default ignore line in ntp.conf. This line tells the server to ignore all incoming NTP requests. Ideally, you should use both methods.

Once you’ve configured a client, restart its NTP daemon. You can then use ntpq to check its status. You should see that it refers only to your network’s own NTP server or servers. These systems should be listed as belonging to a stratum with a number one higher than the servers to which they refer.

In some cases, a simpler way to set the time on a client is to use ntpdate. This program is part of the NTP suite, and it performs a one-time clock setting. To use it, type the command name followed by the hostname or IP address of an NTP server:

# ntpdate clock.example.com

Some NTP packages include a call to ntpdate in their NTP daemon startup scripts in order to ensure that the system is set to the correct time when it starts. The ntpdate command, however, has been deprecated and could disappear from the NTP package at any time. Instead, you can start ntpd with its -g option, which enables it to perform a one-time clock setting to a value that’s wildly divergent from the current time. (Ordinarily, ntpd exits if the time server’s time differs from the local time by more than a few minutes.)

Serving Time to Windows Systems
If your network hosts both Linux and Windows computers, you may want to use a Linux system as a time source for Windows clients or conceivably even use a Windows server as a time source for Linux clients. One way to do this is to run NTP on Windows. Consult http://www.meinberg.de/english/sw/ntp.htm or perform a Web search to locate NTP software for Windows systems.

For Windows NT/200x/XP/Vista, you can type NET TIME /SETSNTP:time.server, where time.server is the name of your local NTP time server. This command performs a one-time setting of the clock but doesn’t run in the background like the full NTP package does on Linux. Running this command in a Windows login script may be adequate for your purposes. Windows 7 users can type W32TM /CONFIG /MANUALPEERLIST:time.server instead of the NET TIME command.

For older Windows 9x/Me systems, you can type NET TIME \\SERVER /SET /YES to have the system set the time to the time maintained by SERVER, which must be a Windows or Samba file or print server. This command doesn’t use NTP, but if you have a Linux system that runs both NTP and Samba, it can be a good way to get the job done.

Running Jobs in the Future
Some system maintenance tasks should be performed at regular intervals and are highly automated. For instance, the /tmp directory (which holds temporary files created by many users) tends to collect useless data files, which you might want to delete. Linux provides a means of scheduling tasks to run at specified times to handle such issues. This tool is the cron program, which runs what are known as cron jobs. A related tool is at, which enables you to run a command on a one-time basis at a specified point in the future as opposed to doing so on a regular basis, as cron does.

Understanding the Role of cron
The cron program is a daemon, so it runs continuously, looking for events that cause it to spring into action. Unlike most daemons, which are network servers, cron responds to temporal events. Specifically, it “wakes up” once a minute, examines configuration files in the /var/spool/cron and /etc/cron.d directories and the /etc/crontab file, and executes commands specified by these configuration files if the time matches the time listed in the files.

There are two types of cron jobs: system cron jobs and user cron jobs. System cron jobs are run as root and perform system-wide maintenance tasks. By default, most Linux distributions include system cron jobs that clean out old files from /tmp, perform log rotation (as described earlier, in “Rotating Log Files”), and so on. You can add to this repertoire, as described shortly. Ordinary users can create user cron jobs, which might run some user program on a regular basis. You can also create a user cron job as root, which might be handy if you need to perform some task at a time not supported by the system cron jobs, which are scheduled rather rigidly.

One of the critical points to remember about cron jobs is that they run unsupervised. Therefore, you shouldn’t call any program in a cron job if that program requires user input. For instance, you wouldn’t run a text editor in a cron job, but you might run a script that automatically manipulates text files, such as log files.

Creating System cron Jobs
The /etc/crontab file controls system cron jobs. This file normally begins with several lines that set environment variables, such as $PATH and $MAILTO (the former sets the path, and the latter is the address to which programs’ output is mailed). The file then contains several lines that resemble the following:

02 4 * * * root run-parts /etc/cron.daily

This line begins with five fields that specify the time. The fields are, in order, the minute (0–59), the hour (0–23), the day of the month (1–31), the month (1–12), and the day of the week (0–7; both 0 and 7 correspond to Sunday). For the month and day-of-the-week values, you can use the first three letters of the name rather than a number, if you like.

A useful mnemonic for the order of the time fields is that the first four fields are ordered in increasing unit size. The day of the week doesn’t fit neatly within this pattern and so is placed outside of it—that is, in the fifth field.

In all cases, you can specify multiple values in several ways:

An asterisk (*) matches all possible values.
A list separated by commas (such as 0,6,12,18) matches any of the specified values.
Two values separated by a dash (-) indicate a range, inclusive of the end points. For instance, 9-17 in the hour field specifies a time of from 9:00 a.m. to 5:00 p.m.
A slash, when used in conjunction with some other multi-value option, specifies stepped values—a range in which some members are skipped. For instance, */10 in the minute field indicates a job that’s run every 10 minutes.

After the first five fields, /etc/crontab entries continue with the account name to be used when executing the program (root in the preceding example) and the command to be run (run-parts /etc/cron.daily in this example). The default /etc/crontab entries generally use run-parts, cronloop, or a similar utility that runs any executable scripts within a directory. Thus, the preceding example runs all the scripts in /etc/cron.daily at 4:02 a.m. every day. Most distributions include monthly, daily, weekly, and hourly system cron jobs, each corresponding to scripts in a directory called /etc/cron.interval, where interval is a word associated with the run frequency. Others place these scripts in /etc/cron.d/interval directories.

The exact times chosen for system cron jobs to execute vary from one distribution to another. Normally, though, daily and longer-interval cron jobs run early in the morning—between midnight and 6:00 a.m. Check your /etc/crontab file to determine when your system cron jobs run.

To create a new system cron job, you may create a script to perform the task you want performed (as described in Chapter 9, “Writing Scripts, Configuring Email, and Using Databases”) and copy that script to the appropriate /etc/cron.interval directory. When the runtime next rolls around, cron will run the script.

Before submitting a script as a cron job, test it thoroughly. This is particularly important if the cron job will run when you’re not around. You don’t want a bug in your cron job script to cause problems by filling the hard disk with useless files or producing thousands of email messages when you’re not present to quickly correct the problem.

If you need to run a cron job at a time or interval that’s not supported by the standard /etc/crontab, you can either modify that file to change or add the cron job runtime or create a user cron job, as described shortly. If you choose to modify the system cron job facility, model your changes after an existing entry, changing the times and script storage directory as required.

System cron job storage directories should be owned by root, and only root should be able to write to them. If ordinary users can write to a system cron directory, unscrupulous users can write scripts to give themselves superuser privileges and place them in the system cron directory. The next time cron runs those scripts, the users will gain full administrative access to the system.
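One way to check this ownership and permission requirement, as an added example that is not from the book: the Python sketch below walks the system cron locations named in this chapter and reports anything not owned by root or writable by group or others. The function names and the choice to treat any group or other write bit as a finding are assumptions of the example.

```python
import os
import stat

# Locations named in this chapter; a given distribution has only some of them.
DEFAULT_PATHS = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
                 "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly"]


def _check(path, expected_uid):
    """Return a list of problem descriptions for one file or directory."""
    try:
        # os.stat follows symbolic links: the link target is what gets run.
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat ({exc.strerror})"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"writable by group or others (mode {mode:04o})")
    return problems


def audit_cron_paths(paths=DEFAULT_PATHS, expected_uid=0):
    """Check each path, and each entry directly inside a directory.

    Returns a list of (path, problem) tuples; an empty list means that only
    the expected owner (root by default) can write to what cron will run.
    """
    findings = []
    for top in paths:
        if not os.path.lexists(top):
            continue  # this distribution does not use that location
        targets = [top]
        if os.path.isdir(top):
            targets += sorted(os.path.join(top, name) for name in os.listdir(top))
        for path in targets:
            findings += [(path, problem) for problem in _check(path, expected_uid)]
    return findings


if __name__ == "__main__":
    results = audit_cron_paths()
    for path, problem in results:
        print(f"{path}: {problem}")
    if not results:
        print("system cron locations are owned by root and not writable by others")
```

The expected_uid parameter exists so the check can be exercised against a scratch directory by a non-root user; on a real system leave it at 0.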

Creating User cron Jobs
To create a user cron job, you use the crontab utility, not to be confused with the /etc/crontab configuration file. The syntax for crontab is as follows:

crontab [-u user] [-l | -e | -r] [file]

If given without the -u user parameter, crontab modifies the cron job file (or user crontab) associated with the current user.

The word crontab has three related but distinct meanings: It can refer to the crontab program, to the /etc/crontab file, or to the file that holds user cron jobs. This multiplicity of meanings can obviously be confusing. In this book, I refer to the program by using a monospaced code font, I always include the complete path to /etc/crontab, and I do not use a monospaced font when referring to user crontabs. A user’s crontab file can define multiple cron jobs.

The crontab utility can become confused by the use of su to change the current user identity, so if you use this command, it’s safest to also use -u user, even when you’re modifying your own crontab.

If you want to work directly on a crontab, use the -l, -r, or -e option. The -l option causes crontab to display the current crontab; -r removes the current crontab; and -e opens an editor so that you can edit the current crontab. (Vi is the default editor, but you can change this by setting the VISUAL or EDITOR environment variable.)

Alternatively, you can create a cron job configuration file and pass the filename to crontab using the file parameter. For instance, crontab -u tbaker my-cron causes the crontab program to use my-cron for tbaker’s cron jobs—that is, it copies tbaker’s my-cron file into the directory in which it stores user crontabs, making a few minor changes along the way.

Whether you create a crontab file and submit it via the file parameter or edit it via -e, the format of the user crontab file is similar to that described earlier. You can set environment variables by using the form VARIABLE=value, or you can specify a command preceded by five numbers or wildcards to indicate when the job is to run. In a user crontab, you do not specify the username used to execute the job, as you do with system cron jobs. That information is derived from the owner of the crontab. Listing 7.2 shows a sample user crontab file. This file runs two programs at different intervals: The fetchmail program runs every 30 minutes (on the hour and half hour), and clean-adouble runs on Mondays at 2:00 a.m. Both programs are specified via complete paths, but you can include a PATH environment variable and omit the complete path specifications.

Listing 7.2: A Sample User crontab File
SHELL=/bin/bash
MAILTO=tbaker
HOME=/home/tbaker
0,30 * * * * /usr/bin/fetchmail -s
0 2 * * mon /usr/local/bin/clean-adouble $HOME
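The time-field rules given under “Creating System cron Jobs” and the user crontab format shown in Listing 7.2 can be checked mechanically before a job is installed. The following Python sketch is an added example, not code from the book or from any cron implementation; its function names are hypothetical. It goes slightly beyond the text in one respect: when both the day-of-month and day-of-week fields are restricted, it applies the Vixie cron rule that a match on either one is enough.

```python
from datetime import datetime

MONTH_NAMES = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
DAY_NAMES = {n: i for i, n in enumerate("sun mon tue wed thu fri sat".split())}
# (lowest, highest, names) for minute, hour, day of month, month, day of week
FIELDS = [(0, 59, {}), (0, 23, {}), (1, 31, {}),
          (1, 12, MONTH_NAMES), (0, 7, DAY_NAMES)]


def _value(token, lo, hi, names):
    """Convert one number or three-letter name to an int within lo..hi."""
    value = names.get(token.lower())
    if value is None:
        if not token.isdigit():
            raise ValueError(f"bad value {token!r}")
        value = int(token)
    if not lo <= value <= hi:
        raise ValueError(f"{token!r} is outside {lo}-{hi}")
    return value


def expand_field(spec, lo, hi, names=None):
    """Expand one time field (*, lists, ranges, steps) into a set of ints."""
    names = names or {}
    values = set()
    for part in spec.split(","):
        base, slash, step = part.partition("/")
        if slash and (not step.isdigit() or int(step) == 0):
            raise ValueError(f"bad step in {part!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, last = base.split("-", 1)
            start, end = _value(first, lo, hi, names), _value(last, lo, hi, names)
            if start > end:
                raise ValueError(f"reversed range {base!r}")
        else:
            if slash:  # a step needs * or a range to step through
                raise ValueError(f"step without a range in {part!r}")
            start = end = _value(base, lo, hi, names)
        values.update(range(start, end + 1, int(step) if slash else 1))
    return values


def parse_entry(line, system=True):
    """Parse an /etc/crontab line (system=True) or a user crontab line."""
    parts = line.split(None, 6 if system else 5)
    if len(parts) != (7 if system else 6):
        raise ValueError("too few fields")
    sets = [expand_field(spec, lo, hi, names)
            for spec, (lo, hi, names) in zip(parts[:5], FIELDS)]
    return {
        "minute": sets[0], "hour": sets[1], "dom": sets[2], "month": sets[3],
        "dow": {v % 7 for v in sets[4]},  # 0 and 7 both mean Sunday
        "dom_any": parts[2].startswith("*"),
        "dow_any": parts[4].startswith("*"),
        "user": parts[5] if system else None,  # user crontabs have no user field
        "command": parts[-1],
    }


def matches(entry, when):
    """True if cron would start this entry during the minute of `when`."""
    if (when.minute not in entry["minute"] or when.hour not in entry["hour"]
            or when.month not in entry["month"]):
        return False
    dom_ok = when.day in entry["dom"]
    dow_ok = (when.weekday() + 1) % 7 in entry["dow"]  # Python: Monday is 0
    if entry["dom_any"] or entry["dow_any"]:
        return dom_ok and dow_ok
    # Vixie cron rule: with both day fields restricted, either one may match.
    return dom_ok or dow_ok


if __name__ == "__main__":
    job = parse_entry("0 2 * * mon /usr/local/bin/clean-adouble $HOME", system=False)
    print(matches(job, datetime(2013, 10, 28, 2, 0)))  # October 28, 2013 is a Monday
```

Environment assignments such as SHELL= and MAILTO= are not schedule lines and are outside what this sketch parses.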

Ultimately, user crontab files are stored in the /var/spool/cron, /var/spool/cron/tabs, or /var/spool/cron/crontabs directory. Each file in this directory is named after the user under whose name it runs; for example, tbaker’s file might be called /var/spool/cron/tabs/tbaker. You shouldn’t directly edit the files in this directory; instead, use crontab to make changes.

Access to the cron facility may be restricted in several ways:

Executable Permissions
The permissions on the cron and crontab programs may be restricted using standard Linux permissions mechanisms, as described in Chapter 4. Not all distributions configure themselves in this way, but for those that do, users who should be able to schedule jobs using cron should be added to the appropriate group. This group is often called cron, but you should check the group owner and permissions on the /usr/sbin/cron and /usr/bin/crontab program files to be sure.

Allowed Users List
The /etc/cron.allow file contains a list of users who should be permitted access to cron. If this file is present, only users whose names appear in the file may use cron; all others are denied access. If this file isn’t present, anybody may use cron, assuming access isn’t restricted by executable permissions or a disallowed-users list.

Disallowed-Users List
The /etc/cron.deny file contains a list of users who should be denied access to cron. If this file is present, any user whose name appears in the file is denied access to cron, but all others may use it, assuming executable permissions and the allowed-users list don’t restrict access.

Exercise 7.2 guides you through the process of creating user cron jobs.

EXERCISE 7.2
Creating User cron Jobs
cron jobs can be a useful way to run programs at regular times. In this exercise, you’ll create a simple user cron job that will mail you the output of an ifconfig command on a daily basis. This exercise assumes that you’re authorized to use cron as an ordinary user. To configure your cron job, follow these steps:

1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Create and edit a file called cronjob in your home directory. Use your favorite text editor for this purpose. The file should contain the following lines:

SHELL=/bin/bash
MAILTO=yourusername
00 12 * * * /sbin/ifconfig

Be sure to type these lines exactly; a typo will cause problems. One exception: Substitute your email address on the Linux system or elsewhere for yourusername; cron uses the MAILTO environment variable to determine to whom to email the output of cron jobs.

4. Type crontab cronjob to install the cronjob file as a cron job. Note that this command replaces any existing user crontabs that may exist. If you’ve already defined user crontabs for your account, you should edit your existing cronjob file to add the line calling ifconfig rather than create a new file, or type crontab -e to edit its copy from the crontab storage directory.
5. Wait for noon (00 12 in the cron time format). When this time rolls around, you should have a new email waiting for you with the contents of the ifconfig output.

Instead of waiting for noon, you can substitute a time that’s a couple of minutes in the future. Remember that cron specifies minutes first, followed by the hour in a 24-hour format. For instance, if you create the file at 3:52 p.m., you might enter 54 15 as the first two numbers on the final line of the file; this will cause the cron job to execute at 15:54 on a 24-hour clock, or 3:54 p.m.

Using anacron

Although cron is a great tool for performing certain tasks, such as rotating log files, on systems that are up most or all of the time, it’s a much less useful tool on systems that are frequently shut down, such as notebook computers or even many desktop systems. Frequently, late-night cron jobs are never executed on such systems, which can lead to bloated log files, cluttered /tmp directories, and other problems.

One solution to such problems is anacron (http://anacron.sourceforge.net). This program is designed as a supplement to cron to ensure that regular maintenance jobs are executed at reasonable intervals. It works by keeping a record of programs it should execute and how frequently it should do so, in days. Whenever anacron is run, it checks to see when it last executed each of the programs it’s configured to manage. If a period greater than the program’s execution interval has passed, anacron runs the program. Typically, anacron itself is run from a system startup script, and perhaps from a cron job. You can then reconfigure your regular system cron jobs as anacron jobs and be sure they’ll execute even on systems that are regularly shut down for long stretches of time.

Like cron, anacron is controlled through a configuration file named after itself: /etc/anacrontab. This file consists of three main types of lines: comment lines (denoted by a leading hash mark, #), environment variable assignments (as in SHELL=/bin/bash), and job definition lines. This last type of line contains four fields:

period delay identifier command

The period is how frequently, in days, the command should be run. The delay is a delay period, in minutes, between the time anacron starts and the time the command is run, if it should be run. This feature is intended to help keep the system from being overloaded if anacron determines it needs to run many commands when it starts up; you can specify different delay times to stagger the running of the jobs. The identifier is a string that identifies the command. You can pass it to anacron on the command line to have anacron check and, if necessary, run only that one command. Finally, command is the command to be run. This is a single command or script name, optionally followed by any parameters it may take.

Listing 7.3 shows a sample /etc/anacrontab file. This file sets a couple of environment variables; PATH is particularly important if any scripts call programs without specifying their complete paths. The three job definition lines tell anacron to run the run-parts command, passing it the name of a different directory for each line. This command is used on some distributions to run cron jobs, so the effect of calling it from anacron is to take over cron’s duties. The first line, run once a day, causes anacron to run (via run-parts) the scripts in /etc/cron.daily; the second line causes the scripts in /etc/cron.weekly to be run once a week; and the third, run once every 30 days, runs the scripts in /etc/cron.monthly.

Listing 7.3: Sample /etc/anacrontab File

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# format: period delay job-identifier command
1 5 cron.daily run-parts /etc/cron.daily
7 10 cron.weekly run-parts /etc/cron.weekly
30 15 cron.monthly run-parts /etc/cron.monthly

Of course, to do any good, anacron must be called itself. This is typically done in one of two ways:

Via a Startup Script: You can create a startup script to run anacron. A simple SysV startup script that takes no options but that runs anacron should do the job if configured to run from your regular runlevel. Alternatively, you can place a call to anacron in a local startup script, such as Fedora and Red Hat’s /etc/rc.d/rc.local or SUSE’s /etc/boot.d/boot.local.

Via a cron Job: You can create a cron job to run anacron. Typically, this call will replace your regular system cron job entries (in /etc/crontab), and you’ll probably want to call anacron on a daily basis or more frequently.

The startup script approach is best employed on systems that are shut down and started up frequently, such as laptops or desktop systems that are regularly shut down at the end of the day. One drawback to this approach is that it can cause sluggish performance when the system is booted if anacron needs to run a time-consuming task. Calling anacron via a cron job can shift the burden to off-hours, but if cron can reliably run anacron, cron can as easily and reliably run the jobs that anacron runs. Typically, you use a cron job if the system is sometimes, but not always, left running overnight. This ensures that anacron and the jobs it handles are run fairly frequently, if not on a completely regular basis. Alternatively, you can call anacron more frequently than once a day. For instance, if it’s called once every six hours, it will almost certainly be called during a typical eight-hour workday.

For a desktop system, you might try calling anacron via a cron job at the user’s typical lunch break. This will help minimize the disruption caused by any resource-intensive programs that anacron must run.

No matter how you run anacron, you should be sure to disable any cron jobs that anacron now handles. If you don’t do so, those tasks will be performed twice, which may needlessly burden your system. Because anacron measures its run intervals in days, it’s not a useful utility for running hourly cron jobs. Thus, you shouldn’t eliminate any hourly system cron jobs when you edit your cron configuration for anacron.
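The four-field job lines of Listing 7.3 and the "has the interval passed?" check described above can be worked through in a few lines of POSIX shell. This is an added example, not code from the book or from the anacron project: the function names are hypothetical, and the "days since last run" table is a constructed stand-in for anacron's own record keeping.

```shell
#!/bin/sh
# Added example (not from the book or the anacron project).

# due_jobs ANACRONTAB LASTRUNS
#   ANACRONTAB: file in the format of Listing 7.3
#   LASTRUNS:   constructed stand-in for anacron's records, one
#               "identifier days-since-last-run" pair per line
# Prints "delay identifier command" for every due job, shortest delay
# first, which is the order in which the staggered jobs would start.
due_jobs() {
    awk -v runs="$2" '
        BEGIN {
            # Load the last-run table before reading the anacrontab.
            while ((getline line < runs) > 0) {
                n = split(line, f, " ")
                if (n >= 2) since[f[1]] = f[2]
            }
            close(runs)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value line
        NF < 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ {
            # Only job lines with a numeric period and delay are handled.
            print "skipping line " FNR ": " $0 | "cat 1>&2"
            next
        }
        {
            id = $3
            # Assumptions: a job with no record has never run and is due,
            # and a job last run exactly "period" days ago counts as due.
            if (!(id in since) || since[id] + 0 >= $1 + 0) {
                cmd = $4
                for (i = 5; i <= NF; i++) cmd = cmd " " $i
                print $2, id, cmd
            }
        }
    ' "$1" | sort -n
}

# Runs due_jobs against a copy of Listing 7.3 and constructed records.
demo_due_jobs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/anacrontab" <<'EOF'
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# format: period delay job-identifier command
1 5 cron.daily run-parts /etc/cron.daily
7 10 cron.weekly run-parts /etc/cron.weekly
30 15 cron.monthly run-parts /etc/cron.monthly
EOF
    # Constructed records: a laptop that was off for three days and whose
    # monthly job last ran 45 days ago.
    cat > "$dir/lastruns" <<'EOF'
cron.daily 3
cron.weekly 3
cron.monthly 45
EOF
    due_jobs "$dir/anacrontab" "$dir/lastruns"
    rm -rf "$dir"
}

demo_due_jobs
```

With the constructed records, the daily and monthly jobs are reported as due and the weekly job is not; the leading number on each output line is the delay in minutes that staggers their start.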

Using at

Sometimes cron and anacron are overkill. You may simply want to run a single command at a specific point in the future on a one-time basis rather than on an ongoing basis. For this task, Linux provides another command: at. In ordinary use, this command takes a single option (although options to fine-tune its behavior are also available): a time. This time can take any of several forms:

Time of Day: You can specify the time of day as HH:MM, optionally followed by AM or PM if you use a 12-hour format. If the specified time has already passed, the operation is scheduled for the next occurrence of that time—that is, for the next day.

noon, midnight, or teatime: These three keywords stand for what you’d expect (teatime is 4:00 p.m.).

Day Specification: To schedule an at job more than 24 hours in advance, you must add a date specification after the time-of-day specification. This can be done in numeric form, using the format MMDDYY, MM/DD/YY or DD.MM.YY. Alternatively, you can specify the date as month-name day or month-name day year.

A Specified Period in the Future: You can specify a time using the keyword now, a plus sign (+), and a time period, as in now + 2 hours to run a job in two hours.

The at command relies on a daemon, atd, to be running. If your system doesn’t start atd automatically, you may need to configure a startup script to do so.

When you run at and give it a time specification, the program responds with its own prompt, at>, which you can treat much like your normal bash or other command shell prompt. When you’re done typing commands, press Ctrl+D to terminate input. Alternatively, you can pass a file with commands by using the -f parameter to at, as in at -f commands.sh noon to use the contents of commands.sh as the commands you want to run at noon.

The at command has several support tools. The most important of these is atd, the at daemon. This program must be running for at to do its work. If it’s not, check for its presence using ps. If it’s not running, look for a startup script and ensure that it’s enabled, as described in Chapter 5.

Other at support programs include atq, which lists pending at jobs; atrm, which removes an at job from the queue; and batch, which works much like at but executes jobs when the system load level drops below 0.8. These utilities are all fairly simple. To use atq, simply type its name. (The program does support a couple of options, but chances are you won’t need them; consult atq’s man page for details.) To use atrm, type the program name and the number of the at job, as returned by atq. For instance, you might type atrm 12 to remove at job number 12.

The at facility supports access restrictions similar to those of cron. Specifically, the /etc/at.allow and /etc/at.deny files work analogously to the /etc/cron.allow and /etc/cron.deny files. There are a few wrinkles with at, though. Specifically, if neither at.allow nor at.deny exists, only root may use at. If at.allow exists, the users it lists are granted access to at; if at.deny exists, everybody except those mentioned in this file is granted access to at. This differs from cron, in which everybody is granted access if neither access-control file is present. This tighter default security on at means that the program is seldom installed with restrictive execute permissions, but of course you can use program file permissions to deny ordinary users the ability to run at if you want an extra layer of security.
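The at.allow/at.deny decision order described above, and the point where the at default differs from cron's, written out as an added example (not from the book). The function names and the directory parameter are hypothetical; that root is always permitted, and that the allow file takes precedence when both files exist, are assumptions the text does not spell out.

```shell
#!/bin/sh
# Added example (not from the book): evaluate the allow/deny rules the
# text describes for at, next to the looser cron default.

# listed USER FILE: succeeds if USER is on a line by itself in FILE.
listed() {
    grep -Fxq -- "$1" "$2"
}

# may_use FACILITY USER DIR
#   FACILITY: "at" or "cron"
#   DIR:      directory holding FACILITY.allow and FACILITY.deny
#             (normally /etc; a parameter here so fixtures can be used)
# Prints "allow: reason" or "deny: reason".
may_use() {
    facility=$1; user=$2; dir=$3
    allow="$dir/$facility.allow"
    deny="$dir/$facility.deny"
    if [ "$user" = root ]; then
        # Assumption: root is never locked out by these files.
        echo "allow: root"
    elif [ -f "$allow" ]; then
        # Assumption: when both files exist, only the allow list counts.
        if listed "$user" "$allow"; then
            echo "allow: listed in $facility.allow"
        else
            echo "deny: not listed in $facility.allow"
        fi
    elif [ -f "$deny" ]; then
        if listed "$user" "$deny"; then
            echo "deny: listed in $facility.deny"
        else
            echo "allow: not listed in $facility.deny"
        fi
    elif [ "$facility" = cron ]; then
        # cron default from the text: no files means everybody may use it.
        echo "allow: neither cron.allow nor cron.deny exists"
    else
        # at default from the text: no files means root only.
        echo "deny: neither at.allow nor at.deny exists (root only)"
    fi
}

# audit_users FACILITY DIR USER...: one verdict line per user.
audit_users() {
    a_facility=$1; a_dir=$2; shift 2
    for u in "$@"; do
        printf '%-8s %-5s %s\n' "$u" "$a_facility" \
            "$(may_use "$a_facility" "$u" "$a_dir")"
    done
}

# Walks through three constructed configurations in a scratch directory.
demo_access() {
    d=$(mktemp -d) || return 1
    echo "== no allow/deny files =="
    audit_users at "$d" root alice
    audit_users cron "$d" alice
    echo "== empty at.deny =="
    : > "$d/at.deny"
    audit_users at "$d" alice
    echo "== at.allow lists alice; at.deny lists mallory =="
    echo alice > "$d/at.allow"
    echo mallory > "$d/at.deny"
    audit_users at "$d" alice bob mallory
    rm -rf "$d"
}

demo_access
```

The second configuration is worth noting when reviewing a system: an empty at.deny opens at to every account, whereas removing the file altogether restricts it to root.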

Summary

Routine system administration involves a variety of tasks, many of which center around user management. Adding, deleting, and modifying user accounts and groups are critical tasks that all system administrators must master. Also related to users, you should know where to go to modify the default user environment.

System log files are critical troubleshooting tools that are maintained by the system. You should be able to configure what data is logged to what files and know how to use these log files.

Time management is important in Linux. Setting the Linux clocks (both hardware and software) and configuring NTP to keep the software clock accurate are important tasks. Tools that rely on the time include cron, anacron, and at, which enable the system to run programs in the future. These tools are used for many common system tasks, including rotating log files.

Exam Essentials

Summarize methods of creating and modifying user accounts. Accounts can be created or modified with the help of tools designed for the purpose, such as useradd and usermod. Alternatively, you can directly edit the /etc/passwd and /etc/shadow files, which hold the account information.

Describe the function of groups in Linux. Linux groups enable security features to be applied to arbitrary groups of users. Each group holds an arbitrary collection of users, and group permissions can be set on files, giving all group members the same access rights to the files.

Explain the purpose of the skeleton files. Skeleton files provide a core set of configuration files that should be present in users’ home directories when those directories are created. They provide a starting point for users to modify their important shell and other configuration files.

Summarize how to configure system logging. System logging is controlled via the /etc/syslog.conf file. Lines in this file describe what types of log data, generated by programs, are sent to log files and to which log files the log messages should go.

Describe how log rotation is managed. Log rotation is controlled via the /etc/logrotate.conf file (which typically refers to files in /etc/logrotate.d). Entries in these files tell the system whether to rotate logs at fixed intervals or when they reach particular sizes. When a log rotates, it’s renamed (and possibly compressed), a new log file is created, and the oldest archived log file may be deleted.

Explain the two types of clocks in x86 and x86-64 hardware. The hardware clock keeps time when the computer is powered down, but it isn’t used by most programs while the computer is running. Such programs refer to the software clock, which is set from the hardware clock when the computer boots.

Summarize the function of NTP. The Network Time Protocol (NTP) enables a computer to set its clock based on the time maintained by an NTP server system. NTP can function as a tiered protocol, enabling one system to function as a client to an NTP server and as a server to additional NTP clients. This structure enables a single highly accurate time source to be used by anywhere from a few to (theoretically) billions of computers via a tiered system of links.

Explain the difference between system and user cron jobs. System cron jobs are controlled from /etc/crontab, are created by root, and may be run as any user (but most commonly as root). System cron jobs are typically run at certain fixed times on an hourly, daily, weekly, or monthly basis. User cron jobs may be created by any user (various security measures permitting), are run under the authority of the account with which they’re associated, and may be run at just about any repeating interval desired.

Review Questions

1. Which of the following is a legal Linux username that will be accepted by useradd?

A. larrythemoose
B. 4sale
C. PamJones
D. Samuel_Bernard_Delaney_the_Fourth
E. ted cho

2. Why are groups important to the Linux user administration and security models?

A. They can be used to provide a set of users with access to files without giving all users access to the files.
B. They enable you to set a single login password for all users within a defined group.
C. Users may assign file ownership to a group, thereby hiding their own creation of the file.
D. By deleting a group, you can quickly remove the accounts for all users in the group.
E. They enable you to link together the account databases in a group of two or more computers, simplifying administration.

3. An administrator types chage -M 7 time. What is the effect of this command?

A. The time account’s password must be changed at least once every seven days.
B. All users must change their passwords at least once every seven days.
C. All users are permitted to change their passwords at most seven times.
D. The time account’s age is set to seven months.
E. The account database’s time stamp is set to seven months ago.

4. What is wrong with the following /etc/passwd file entry? (Select two.)

4sally:x:1029:Sally Jones:/home/myhome:/bin/passwd

A. The default shell is set to /bin/passwd, which is an invalid shell.
B. The username is invalid; Linux usernames can’t begin with a number.
C. The home directory doesn’t match the username.
D. Either the UID or the GID field is missing.
E. The encrypted password is missing.

5. You want sally, tom, and dale to be members of the group managers (GID 501). How would you edit the managers entry in /etc/group to accomplish this goal?

A. managers:501:sally tom dale
B. managers:501:sally:tom:dale
C. managers:x:501:sally:tom:dale
D. managers:x:501:dale,sally,tom
E. managers:501:x:dale\sally\tom

6. What types of files might you expect to find in /etc/skel? (Select three.)

A. A copy of the /etc/shadow file
B. An empty set of directories to encourage good file management practices
C. A README or similar welcome file for new users
D. A starting .bashrc file
E. The RPM or Debian package management database

7. What would a Linux system administrator type to remove the nemo account and its home directory?

A. userdel nemo
B. userdel -f nemo
C. userdel -r nemo
D. rm -r /home/nemo
E. usermod -D nemo

8. Which of the following system logging codes represents the highest priority?

A. info
B. warning
C. crit
D. debug
E. emerg

9. Which of the following configuration files does the logrotate program consult for its settings?

A. /etc/logrotate.conf
B. /usr/sbin/logrotate/logrotate.conf
C. /usr/src/logrotate/logrotate.conf
D. /etc/logrotate/.conf
E. ~/.logrotate

10. You want to create a log file entry noting that you’re manually shutting down the system to add a new network card. How might you create this log entry, just prior to using shutdown?

A. dmesg -l "shutting down to add network card"
B. syslog shutting down to add network card
C. rsyslogd "shutting down to add network card"
D. logger shutting down to add network card
E. wall "shutting down to add network card"

11. Your manager has asked that you configure logrotate to run on a regular, unattended basis. What utility/feature should you configure to make this possible?

A. at
B. logrotate.d
C. cron
D. inittab
E. ntpd

12. You’ve set your system (software) clock on a Linux-only computer to the correct time, and now you want to set the hardware clock to match. What command might you type to accomplish this goal?

A. date --sethwclock
B. ntpdate
C. sysclock --tohc
D. time --set -hw
E. hwclock --utc --systohc

13. As root, you type date 12110710. What will be the effect?

A. The software clock will be set to 7:10 a.m. on December 11 of the current year.
B. The software clock will be set to 12:11 p.m. on October 7 of the current year.
C. The software clock will be set to 7:10 a.m. on November 12 of the current year.
D. The software clock will be set to 12:11 p.m. on July 10 of the current year.
E. The software clock will be set to July 10 in the year 1211.

14. What will be the effect of a computer having the following two lines in /etc/ntp.conf?

server pool.ntp.org
server tardis.example.org

A. The local computer’s NTP server will poll a server in the public NTP server pool; the first server option overrides subsequent server options.
B. The local computer’s NTP server will poll the tardis.example.org time server; the last server option overrides earlier server options.
C. The local computer’s NTP server will poll both a server in the public NTP server pool and tardis.example.org and use whichever site provides the cleanest time data.
D. The local computer’s NTP server will refuse to run because of a malformed server specification in /etc/ntp.conf.
E. The local computer’s NTP server will poll a computer in the public NTP server pool but will fall back on tardis.example.org if and only if the public pool server is down.

15. You’ve configured one computer (gateway.pangaea.edu) on your five-computer network as an NTP server that obtains its time signal from ntp.example.com. What computer(s) should your network’s other computers use as their time source(s)?

A. You should consult a public NTP server list to locate the best server for you.
B. Both gateway.pangaea.edu and ntp.example.com.
C. Only ntp.example.com.
D. Only gateway.pangaea.edu.
E. None; NTP should be used on the Internet, not on small local networks.

16. Which of the following tasks are most likely to be handled by a cron job? (Select two.)

A. Starting an important server when the computer boots
B. Finding and deleting old temporary files
C. Scripting supervised account creation
D. Monitoring the status of servers and emailing a report to the superuser
E. Sending files to a printer in an orderly manner

17. Which of the following lines, if used in a user cron job, will run /usr/local/bin/cleanup twice a day?

A. 15 7,19 * * * tbaker /usr/local/bin/cleanup
B. 15 7,19 * * * /usr/local/bin/cleanup
C. 15 */2 * * * tbaker /usr/local/bin/cleanup
D. 15 */2 * * * /usr/local/bin/cleanup
E. 2 * * * * /usr/local/bin/cleanup

18. You’re installing Linux on a laptop computer. Which of the following programs might you want to add to ensure that log rotation is handled correctly?

A. tempus
B. anacron
C. crontab
D. ntpd
E. syslog-ng

19. What do the following commands accomplish? (The administrator presses Ctrl+D after typing the second command.)

# at teatime
at> /usr/local/bin/system-maintenance

A. Nothing; these commands aren’t valid.
B. Nothing; teatime isn’t a valid option to at.
C. Nothing; you may only type valid bash built-in commands at the at> prompt.
D. Nothing; at requires you to pass it the name of a script, which teatime is not.
E. The /usr/local/bin/system-maintenance program or script is run at 4:00 p.m.

20. How might you schedule a script to run once a day on a Linux computer? (Select two.)

A. Place the script, or a link to it, in /etc/cron.daily.
B. Use the at command to schedule the specified script to run on a daily basis at a time of your choosing.
C. Create a user cron job that calls the specified script once a day at a time of your choosing, and install that cron job using crontab.
D. Use run-parts to schedule the specified script to run on a daily basis.
E. Type crontab -d scriptname, where scriptname is the name of your script.

Chapter 8

Configuring Basic Networking

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.109.1 Fundamentals of internet protocols
1.109.2 Basic network configuration
1.109.3 Basic network troubleshooting
1.109.4 Configure client-side DNS

Most Linux systems are connected to a network, either as clients or as servers (and often as both). Even home computers and dedicated appliances such as smartphones usually connect to the Internet. For this reason, setting up Linux’s basic networking tools is necessary for fully configuring Linux. To begin this task, you must first understand the basics of modern networking, such as the nature of network addresses and the types of tools that are commonly used on networks. From there, you can move on to Linux network configuration, including tasks such as setting a computer’s address, routing, and name resolution. Unfortunately, network configuration sometimes goes wrong; understanding the tools and techniques used to diagnose and fix network problems is a necessary part of network configuration, so this chapter covers the basics of network troubleshooting.

Understanding TCP/IP Networking

Networking involves quite a few components that are built atop one another. These include network hardware, data packets, and protocols for data exchange. Together, these components make up a network stack. The most common network stack today is the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, but this isn’t the only stack available. Nonetheless, understanding the basics of TCP/IP theory will help you to configure and manage networks.

Knowing the Basic Functions of Network Hardware

Network hardware is designed to enable two or more computers to communicate with one another. Modern computers have network interfaces built into their motherboards, but internal (PCI, PCIe, or similar) network cards and external (USB, PC Card, and similar) network interfaces are also available. Many networks rely on wires or cables to transmit data between machines as electrical impulses, but network protocols that use radio waves or even light to do the job are growing rapidly in popularity.

Sometimes the line between network hardware and peripheral interface ports can be blurry. For instance, a parallel port normally isn’t considered a network port; but when it’s used with the Parallel Line Interface Protocol (PLIP; http://tldp.org/HOWTO/PLIP.html), the parallel port becomes a network device. In the past, a USB or RS-232 serial port frequently became a network interface when used with the Point-to-Point Protocol (PPP), typically in conjunction with a telephone modem. Such connections are rare today, but they’re still possible. If you need to know how to configure a PPP connection, consult your distribution’s documentation or the PPP HOWTO (http://tldp.org/HOWTO/PPP-HOWTO/).

At its core, network hardware is hardware that facilitates the transfer of data between computers. Hardware that’s most often used for networking includes features that help this transfer in various ways. For instance, such hardware may include ways to address data intended for specific remote computers, as described later in the section “Addressing Hardware.” When basically non-network hardware is pressed into service as a network medium, the lack of such features may limit the utility of the hardware or require extra software to make up for the lack. If extra software is required, you’re unlikely to notice the deficiencies as a user or system administrator because the protocol drivers handle the work, but this makes the hardware more difficult to configure and more prone to sluggishness or other problems than dedicated network hardware.

Investigating Types of Network Hardware

Linux supports several types of common network hardware. The most common of these is Ethernet, which comes in several varieties. Most modern Ethernet hardware uses twisted-pair cabling, which consists of pairs of wires twisted around each other to minimize interference. Such varieties of Ethernet are identified by a -T suffix to the Ethernet variety name, as in 10Base-T or 100Base-T. The numbers denote the speed of the protocol in megabits per second (Mbps). In the late 1990s, 100Base-T took over from 10Base-T as the standard in office and even home networks. More recently, 1000Base-T and Ethernet variants that use optical cabling and that are capable of 1000Mbps speeds (that is, gigabit Ethernet) have become the standard, with 10-gigabit Ethernet the new emerging standard.

Other types of network hardware exist, but most are less common than Ethernet. These include Token Ring, LocalTalk, Fiber Distributed Data Interface (FDDI), High-Performance Parallel Interface (HIPPI), and Fibre Channel. Token Ring was common on some IBM-dominated networks in the 1990s but has been steadily losing ground to Ethernet for years. Likewise, LocalTalk was the favored medium for early Macintoshes, but modern Macs ship with Ethernet instead of LocalTalk. FDDI, HIPPI, and Fibre Channel are all high-speed interfaces that are used in high-performance applications. Some of these protocols support significantly greater maximum cable lengths than does Ethernet, which makes them suitable for linking buildings that are many yards, or even miles, apart.

Wireless networking (aka Wi-Fi) is an exception to Ethernet’s dominance. Common wireless protocols include 802.11a, 802.11b, 802.11g, and 802.11n. These protocols support maximum speeds of 11Mbps (for 802.11b), 54Mbps (for 802.11a and 802.11g), or 300Mbps (for 802.11n). With the exception of the rarely used 802.11a, Wi-Fi protocols are compatible with one another, albeit at the speed of the slowest protocol in use. Wireless networking is particularly useful for laptop computers, but it’s even handy for desktop computers in homes and small offices that don’t have adequate wired network infrastructures in place.

If you use a wireless protocol, your data are transmitted via radio waves, which are easily intercepted. Wireless protocols include optional encryption, but this feature is sometimes disabled by default, and some varieties of wireless encryption are notoriously poor. If you use wireless network products, be sure to enable Wi-Fi Protected Access (WPA) or, better, WPA2 encryption. The weaker Wired Equivalent Privacy (WEP) encryption is easily broken. For added protection, use a strong encryption protocol, such as the Secure Shell (SSH) login tool or Secure Sockets Layer (SSL) encryption, when transferring any data that’s even remotely sensitive; and be extra cautious about security on networks that support wireless access. In a typical configuration, an intruder who can break into your wireless access point looks to the rest of your network like any other local user, so protecting that access point is extremely important.

In addition to the network hardware in your computers, you need network hardware outside the computers. With the exception of wireless networks, you need some form of network cabling that’s unique to your hardware type. (For 100Base-T Ethernet, get cabling that meets at least Category 5, or Cat-5, specifications. Gigabit Ethernet works best with Cat-5e or optical cables.) Many network types, including twisted-pair Ethernet, require the use of a central device known as a hub or switch. You plug every computer on a local network into this central device, as shown in Figure 8.1. The hub or switch then passes data between the computers.

FIGURE 8.1 Many networks link computers together via a central device known as a hub or switch.

As a general rule, switches are superior to hubs. Hubs mirror all traffic to all computers, whereas switches are smart enough to send packets only to the intended destination. Switches also allow full-duplex transmission, in which both parties can send data at the same time (like two people talking on a telephone). Hubs permit only half-duplex transmission, in which the two computers must take turns (like two people using walkie-talkies). The result is that switches let two pairs of computers engage in full-speed data transfers with each other; with a hub, these two transfers would interfere with each other.

Computers with Wi-Fi adapters can be configured to communicate directly with one another, but it’s more common to employ a wireless router, which links together both wireless and Ethernet devices. Such routers also provide connections to an outside network—typically the Internet, sometimes via a broadband connection.

Understanding Network Packets

Modern networks operate on discrete chunks of data known as packets. Suppose you want to send a 100KiB file from one computer to another. Rather than send the file in one burst of data, your computer breaks it down into smaller chunks. The system might send 100 packets of 1KiB each, for instance. This way, if there’s an error sending one packet, the computer can resend just that one packet rather than the entire file. (Many network protocols include error-detection procedures.)

When the recipient system receives packets, it must hold on to them and reassemble them in the correct order to re-create the complete data stream. It’s not uncommon for packets to be delayed or even lost in transmission, so error-recovery procedures are critical for protocols that handle large transfers. Some types of error recovery are handled transparently by the networking hardware.

There are several types of packets, and they can be stored within each other. For instance, Ethernet includes its own packet type (known as a frame), and the packets generated by networking protocols that run atop Ethernet, such as those described in the next section, are stored within Ethernet frames. All told, a data transfer can involve several layers of wrapping and unwrapping data. With each layer, packets from the adjacent layer may be merged or split up.

Understanding Network Protocol Stacks

It’s possible to think of network data at various levels of abstractness. For instance, at one level, a network carries data packets for a specific network type (such as Ethernet); the data packets are addressed to specific computers on a local network. Such a description, while useful for understanding a local network, isn’t very useful for understanding higher-level network protocols, such as those that handle email transfers. These high-level protocols are typically described in terms of commands sent back and forth between computers, frequently without reference to packets. The addresses used at different levels also vary, as explained in the upcoming section “Using Network Addresses.”

A protocol stack is a set of software that converts and encapsulates data between layers of abstraction. For instance, the stack can take the commands of email transfer protocols, and the email messages that are transferred, and package them into packets. Another layer of the stack can take these packets and repackage them into Ethernet frames. There are several layers to any protocol stack, and they interact in highly specified ways. It’s often possible to swap out one component for another at any given layer. For instance, at the top of each stack is a program that uses the stack, such as an email client. You can switch from one email client to another without too much difficulty; both rest atop the same stack. Likewise, if you change a network card, you have to change the driver for that card, which constitutes a layer very low in the stack. Applications above that driver can remain the same.

Each computer in a transaction requires a compatible protocol stack. When they communicate, the computers pass data down their respective stacks and then send data to the partner system, which passes the data up its stack. Each layer on the receiving system sees the data as packaged by its counterpart on the sending computer.

Protocol stacks are frequently represented graphically in diagrams like Figure 8.2, which shows the configuration of the TCP/IP protocol stack that dominates the Internet today. As shown in Figure 8.2, client programs at the application layer initiate data transfers. These requests pass through the transport, internet, and link layers on the client computer, whereupon they leave the client system and pass to the server system. (This transfer can involve a lot of complexity not depicted in Figure 8.2.) On the server, the process reverses itself, with the server program running at the application layer replying to the client program. This reply reverses the journey, traveling down the server computer’s stack, across the network, and up the stack on the client. A full-fledged network connection can involve many back-and-forth data transfers.

FIGURE 8.2 Information travels “down” and “up” protocol stacks, being checked and re-packed at each step of the way.

When spelled with an uppercase I, the word Internet refers to the globe-spanning network of networks with which you’re no doubt familiar. When spelled with a lowercase i, however, the word internet refers to any collection of networks. An internet in this sense could be a couple of small networks in somebody’s basement with no outside connections. Internet networking protocols such as TCP/IP can work on any internet, up to and including the Internet.

Each component layer of the sending system is equivalent to a layer on the receiving system, but these layers need not be absolutely identical. For instance, you can have different models of network card at the link layer, or you can even use entirely different network hardware types, such as Ethernet and Token Ring, if some intervening system translates between them. The computers may run different OSs and hence use different—but logically equivalent—protocol stacks. What’s important is that the stacks operate in compatible ways.

Linux was designed with TCP/IP in mind, and the Internet is built atop TCP/IP. Other protocol stacks are available, though, and you may occasionally run into them. In particular, NetBEUI was the original Microsoft and IBM protocol stack for Windows, AppleTalk was Apple’s initial protocol stack, and the Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) was Novell’s favored protocol stack. All three are now fading in importance, but you may still need to use them in some environments. Linux supports AppleTalk and IPX/SPX but not NetBEUI.

Knowing TCP/IP Protocol Types

Within TCP/IP, several different protocols exist. Each of these protocols can be classified as falling on one of the four layers of the TCP/IP stack, as shown in Figure 8.2. The most important of the internet- and transport-layer protocols are the building blocks for the application-layer protocols with which you interact more directly. These important internet- and transport-layer protocols include the following:

IP: The Internet Protocol (IP) is the core protocol in TCP/IP networking. Referring to Figure 8.2, IP is an internet-layer (aka a network-layer or layer 2) protocol. IP provides a “best effort” method for transferring packets between computers—that is, the packets aren’t guaranteed to reach their destination. Packets may also arrive out of order or corrupted. Other components of the TCP/IP stack must deal with these issues and have their own ways of doing so. IP is also the portion of TCP/IP with which IP addresses are associated. (The Real World Scenario sidebar “The Coming of IPv6” describes a change in the IP portion of TCP/IP that’s underway.)

ICMP: The Internet Control Message Protocol (ICMP) is a simple protocol for communicating data. ICMP is most often used to send error messages between computers—for instance, to signal that a requested service isn’t available. This is often done by modifying an IP packet and returning it to its sender, which means that ICMP is technically an internet-layer protocol, although it relies upon IP. In most cases, you won’t use programs that generate ICMP packets on demand; they’re created behind the scenes as you use other protocols. One exception is the ping program, which is described in more detail in “Testing Basic Connectivity.”

UDP: The User Datagram Protocol (UDP) is the simplest of the common transport-layer (aka layer 3) TCP/IP protocols. It doesn’t provide sophisticated procedures to correct for out-of-order packets, guarantee delivery, or otherwise improve the limitations of IP. This fact can be a problem, but it also means that UDP can be faster than more-sophisticated tools that provide such improvements to IP. Common application-layer protocols that are built atop UDP include the Domain Name System (DNS), the Network File System (NFS), and many streaming-media protocols.

TCP: The Transmission Control Protocol (TCP) may be the most widely used transport-layer protocol in the TCP/IP stack. Unlike UDP, TCP creates full connections with error checking and correction as well as other features. These features simplify the creation of network protocols that must exchange large amounts of data, but the features come at a cost: TCP imposes a small performance penalty. Most of the application-layer protocols with which you may already be familiar, including the Simple Mail Transfer Protocol (SMTP), the Hypertext Transfer Protocol (HTTP), and the File Transfer Protocol (FTP), are built atop TCP.

You may notice that the name of the TCP/IP stack is built up of two of the stack’s protocol names: TCP and IP. This is because these two protocols are so important for TCP/IP networking generally. TCP/IP, though, is much more than just these two protocols; it includes additional protocols, most of which (below the application layer) are rather obscure. On the other hand, a TCP/IP exchange need not use both TCP and IP—it could be a UDP or ICMP exchange, for instance.

TheComingofIPv6TheIPportionofTCP/IPhasbeenatversion4formanyyears.Amajorupgradetothisisunderway,however,anditgoesbythenameIPv6,forIPversion6.ItsmostimportantimprovementsoverIPv4includethefollowing:

IPv4supportsatheoreticalmaximumofabout4billionaddresses.Althoughthismaysoundlikeplenty,thoseaddresseshavenotbeenallocatedasefficientlyaspossible.Therefore,astheInternethasexpanded,thenumberoftrulyavailableaddresseshasbeenshrinkingatarapidrate—infact,theglobalpoolisalreadyexhausted,althoughIPv4addressesremainavailablefromlocalregistriesinmanypartsoftheworld,asoflate2012.IPv6raisesthenumberofaddressesto2128,or3.4×1038.ThisisenoughtogiveeverysquaremillimeteroflandsurfaceonEarth2.2×1018addresses.IPv6makesmulticasting—thesimultaneoustransmissionofdatafromonecomputertomultiplerecipients—partofthebasicIPspecification,comparedtoanoptional(albeitcommonlyimplemented)partofIPv4.IPv6includesanewfeature,knownasstatelessaddressauto-configuration(SLAAC),whichsimplifiesinitialnetworksetup.ThisfeatureissimilarinsomewaystotheDynamicHostConfigurationProtocol(DHCP)that’scommonlyusedonIPv4.(DHCPcanalsobeusedonIPv6;whichworksbestdependsonthelocalnetwork’sconfiguration.)IPv6originatedtheInternetProtocolSecurity(IPsec)tools,whichcanimprovethesecurityofInternetconnections.IPsechassincebeenback-portedtoIPv4.IPv6hasstreamlinedsomedatastructures,enablingquickerprocessingbyrouters.

More obscure differences also exist. Check http://en.wikipedia.org/wiki/IPv6 or http://www.ipv6forum.com for detailed information about IPv6.

IPv6 is starting to emerge as a real networking force in many parts of the world. The United States, though, is lagging behind on IPv6 deployment. The Linux kernel includes IPv6 support, and most distributions now attempt to automatically configure IPv6 networking in addition to IPv4. Chances are that by the time the average office will need IPv6, it will be standard. Configuring a system for IPv6 is somewhat different from configuring it for IPv4, which is what this chapter emphasizes.

Understanding Network Addressing

In order for one computer to communicate with another over a network, the computers need to have some way to refer to each other. The basic mechanism for doing this is provided by a network address, which can take several different forms, depending on the type of network hardware, protocol stack, and so on. Large and routed networks pose additional challenges to network addressing, and TCP/IP provides answers to these challenges. Finally, to address a specific program on a remote computer, TCP/IP uses a port number, which identifies a specific running program, something like the way a telephone extension number identifies an individual in a large company. The following sections describe all these methods of addressing.

Using Network Addresses

Consider an Ethernet network. When an Ethernet frame leaves one computer, it’s normally addressed to another Ethernet card. This addressing is done using low-level Ethernet features, independent of the protocol stack in question. Recall, however, that the Internet is composed of many different networks that use many different low-level hardware components. A user may have a dial-up telephone connection (through a serial port) but connect to one server that uses Ethernet and another that uses Token Ring. Each of these devices uses a different type of low-level network address. TCP/IP requires something more to integrate across different types of network hardware. In total, three types of addresses are important when you’re trying to understand network addressing: network hardware addresses, numeric IP addresses, and text-based hostnames.

Addressing Hardware

One of the characteristics of dedicated network hardware such as Ethernet or Token Ring cards is that they have unique hardware addresses, also known as Media Access Control (MAC) addresses, programmed into them. In the case of Ethernet, these addresses are 6 bytes in length, and they’re generally expressed as hexadecimal (base 16) numbers separated by colons. You can discover the hardware address for an Ethernet card by using the ifconfig command. Type ifconfig ethn, where n is the number of the interface (0 for the first card, 1 for the second, and so on). You’ll see several lines of output, including one like the following:

eth0 Link encap:Ethernet HWaddr 00:A0:CC:24:BA:02

This line tells you that the device is an Ethernet card and that its hardware address is 00:A0:CC:24:BA:02. What use is this, though? Certain low-level network utilities and hardware use the hardware address. For instance, network switches use it to direct data packets. The switch detects that a particular address is connected to a particular wire, and so it sends data directed at that address only over the associated wire. The Dynamic Host Configuration Protocol (DHCP), which is described in the upcoming section “Configuring with DHCP,” is a means of automating the configuration of specific computers. It has an option that uses the hardware address to consistently assign the same IP address to a given computer. In addition, advanced network diagnostic tools are available that let you examine packets that come from or are directed to specific hardware addresses.

For the most part, though, you don’t need to be aware of a computer’s hardware address. You don’t enter it in most utilities or programs. It’s important for what it does in general.

Linux identifies network hardware devices with type-specific codes. With most distributions, Ethernet hardware is ethn, where n is a number from 0 up. The first Ethernet device is eth0, the second is eth1, and so on. (Fedora uses a more complex Ethernet naming system, though.) Wireless devices have names of the form wlann. Unlike most Linux hardware devices, network devices don’t have entries in /dev; instead, low-level network utilities take the device names and work with them directly.

Managing IP Addresses

Earlier, I said that TCP/IP, at least in its IPv4 incarnation, supports about 4 billion addresses. This figure is based on the size of the IP address used in TCP/IP: 4 bytes (32 bits). Specifically, 2^32 = 4,294,967,296. For IPv6, 16-byte (128-bit) addresses are used. Not all of these addresses are usable; some are overhead associated with network definitions, and some are reserved.

The 4-byte IPv4 address and 6-byte Ethernet address are mathematically unrelated. This can be the case for IPv6, too, although the IPv6 standard allows the IPv6 address to be built, in part, from the computer’s MAC address. In any event, the TCP/IP stack converts between the MAC address and the IP address using the Address Resolution Protocol (ARP) for IPv4 or the Neighbor Discovery Protocol (NDP) for IPv6. These protocols enable a computer to send a broadcast query—a message that goes out to all the computers on the local network. This query asks the computer with a given IP address to identify itself. When a reply comes in, it includes the hardware address, so the TCP/IP stack can direct traffic for a given IP address to the target computer’s hardware address.

The procedure for computers that aren’t on the local network is more complex. For such computers, a router must be involved. Local computers send packets destined for distant addresses to routers, which send the packets on to other routers or to their destination systems.

IPv4 addresses are usually expressed as four base-10 numbers (0−255) separated by periods, as in 172.30.9.102. If your Linux system’s protocol stack is already up and running, you can discover its IP address by using ifconfig, as described earlier. The output includes a line like the following, which identifies the IP address (inet addr):

inet addr:172.30.9.102 Bcast:172.30.255.255 Mask:255.255.0.0

Although it isn’t obvious from the IP address alone, this address is broken into two components: a network address and a computer address. The network address identifies a block of IP addresses that are used by one physical network, and the computer address identifies one computer within that network. The reason for this breakdown is to make the job of routers easier—rather than record how to direct packets destined for each of the 4 billion IP addresses, routers can be programmed to direct traffic based on packets’ network addresses, which is a much simpler job. Ordinarily, a computer can directly communicate only with computers on its local network segment; to communicate outside of this set of computers, a router must be involved.

IPv6 addresses work in a similar way, except that they’re larger. Specifically, IPv6 addresses consist of eight groups of four-digit hexadecimal numbers separated by colons, as in fed1:0db8:85a3:08d3:1319:8a2e:0370:7334. If one or more groups of four digits is 0000, that group or those groups may be omitted, leaving two colons. Only one such group of zeroes can be compressed in this way, because if you removed two groups, there would be no way of telling how many sets of zeroes would have to be replaced in each group.

The network mask (also known as the subnet mask or netmask) is a number that identifies the portion of the IP address that’s a network address and the part that’s a computer address. It’s helpful to think of this in binary (base 2) because the netmask uses binary 1 values to represent the network portion of an address and binary 0 values to represent the computer address. The network portion ordinarily leads the computer portion. Expressed in base 10, these addresses usually consist of 255 or 0 values, 255 being a network byte and 0 being a computer byte. If a byte is part network and part computer address, it will have some other value. Figure 8.3 illustrates this relationship, using the IP address 172.30.9.102 and the netmask 255.255.0.0.

FIGURE 8.3 TCP/IP addresses are combined with a netmask to isolate the network address.

Another way of expressing a netmask is as a single number representing the number of network bits in the address. This number usually follows the IP address and a slash. For instance, 172.30.9.102/16 is equivalent to 172.30.9.102 with a netmask of 255.255.0.0—the last number shows the network portion to be two solid 8-bit bytes and hence is 16 bits. The longer notation showing all 4 bytes of the netmask is referred to as dotted quad notation. IPv6 netmasks work just like IPv4 netmasks, except that larger numbers are involved, and IPv6 favors hexadecimal over decimal notation.

On modern IPv4 networks, netmasks are often described in Classless Inter-Domain Routing (CIDR) form. Such network masks can be broken at any bit boundary for any address. For instance, 192.168.1.7 could have a netmask of 255.255.0.0, 255.255.255.0, 255.255.255.128, or various other values. (Keeping each byte at 0 or 255 reduces the odds of human error causing problems but sometimes isn’t practical, depending on the required or desired sizes of subnets.) Traditionally, though, IPv4 networks have been broken into one of several classes, as summarized in Table 8.1. Classes A, B, and C are for general networking use. Class D addresses are reserved for multicasting—sending data to multiple computers simultaneously. Class E addresses are reserved for future use. There are a few special cases within most of these ranges. For instance, the 127.x.y.z addresses are reserved for use as loopback (aka localhost) devices—these addresses refer to the computer on which the address is entered. Addresses in which all the machine bits are set to 1 refer to the network block itself—they’re used for broadcasts. The ultimate broadcast address is 255.255.255.255, which sends data to all computers on a network segment. (Routers normally block packets directed to this address. If they didn’t, the Internet could easily be brought to its knees by a few people flooding the network with broadcast packets.)

TABLE 8.1 IPv4 network classes and private network ranges

Class   Address range                  Reserved private addresses
A       1.0.0.0−127.255.255.255        10.0.0.0−10.255.255.255
B       128.0.0.0−191.255.255.255      172.16.0.0−172.31.255.255
C       192.0.0.0−223.255.255.255      192.168.0.0−192.168.255.255
D       224.0.0.0−239.255.255.255      none
E       240.0.0.0−255.255.255.255      none

Within each of the three general-use network classes is a range of addresses reserved for private use. Most IP addresses must be assigned to individual computers by a suitable authority, lest two systems on the Internet both try to use a single address. Anybody can use the reserved private address spaces, though. (These address blocks are sometimes referred to as RFC1918 addresses, after the standards document—RFC1918—in which they’re defined.) The caveat is that routers normally drop packets sent to these addresses, effectively isolating them from the Internet as a whole. The idea is that these addresses may be safely used by small private networks. Today, they’re often used behind Network Address Translation (NAT) routers, which enable arbitrary numbers of computers to “hide” behind a single system. The NAT router substitutes its own IP address on outgoing packets and then directs the reply to the correct system. This is very handy if you want to connect more computers to the Internet than you have IP addresses.

I generally use reserved private addresses for examples in this book. Unless otherwise specified, these examples work equally well on conventional assigned (non-private) IP addresses.

IPv6 has its equivalent to private addresses. IPv6 site-local addresses may be routed within a site but not off-site. They begin with the hexadecimal number fec, fed, fee, or fef. Link-local addresses are restricted to a single network segment; they shouldn’t be routed at all. These addresses begin with the hexadecimal number fe8, fe9, fea, or feb.

IPv4 address classes were designed to simplify routing; but as the Internet evolved, they became restrictive. Thus, today they serve mainly as a way to set default netmasks, such as 255.0.0.0 for Class A addresses or 255.255.255.0 for Class C addresses. Most configuration tools set these netmasks automatically, but you can override the settings if necessary.

IP addresses and netmasks are extremely important for network configuration. If your network doesn’t use DHCP or a similar protocol to assign IP addresses automatically, you must configure your system’s IP address manually. A mistake in this configuration can cause a complete failure of networking or more subtle errors, such as an inability to communicate with just some computers.

Non-TCP/IP stacks have their own addressing methods. NetBEUI uses machine names; it has no separate numeric addressing method. AppleTalk uses two 16-bit numbers. These addressing schemes are independent from IP addresses.

Broadcasting Data

Earlier, I mentioned broadcasts. A broadcast is a type of network transmission that’s sent to all the computers on a local network, or occasionally all of the computers on a remote network. Under TCP/IP, a broadcast is done by specifying binary 1 values in all the machine bits of the IP address. The network portion of the IP address may be set to the network’s regular value, and this is required for directed broadcasts—that is, those that are sent to a remote network. (Many routers drop directed broadcasts, though.) In many cases, broadcasts are specified by the use of 255.255.255.255 as an IP address. Packets directed at this address are sent to all the machines on a local network.

Because the broadcast address for a network is determined by the IP address and netmask, you can convert between the broadcast address and netmask, given one of these and a computer’s IP address. If the netmask happens to consist of whole-byte values (expressed as 0 or 255 in dotted quad notation), the conversion is easy: Replace the IP address components that have 0 values in the dotted quad netmask with 255 values to get the broadcast address. For instance, consider a computer with an IP address of 172.30.9.102 and a netmask of 255.255.0.0. The final two elements of the netmask have 0 values, so you swap in 255 values for these final two elements in the IP address to obtain a broadcast address of 172.30.255.255.

In the case of a CIDR address that has non-255 and non-0 values in the netmask, the situation is more complex because you must resort to binary (base 2) numbers. For instance, consider a computer with an IP address of 172.30.9.102 and a netmask of 255.255.128.0 (that is, 172.30.0.0/17). Expressed in binary, these numbers are

10101100 00011110 00001001 01100110

11111111 11111111 10000000 00000000

To create the broadcast address, you must set the top (network address) values to 1 when the bottom (netmask) value is 0. In this case, the result is

10101100 00011110 01111111 11111111

Converted back into base 10 notation, the resulting broadcast address is 172.30.127.255. Fortunately, you seldom need to perform such computations. When configuring a computer, you can enter the IP address and netmask and let the computer do the binary computations.
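The binary computation described above can be scripted and checked. The following is an added example, not code from the book; the function names are hypothetical, and it also rejects netmasks whose 1 bits are not contiguous, a misconfiguration the text warns can cause subtle failures.

```shell
#!/bin/sh
# Added example, not from the book: derive the network and broadcast
# addresses from an IPv4 address and netmask with shell bitwise arithmetic.
# All function names are hypothetical.

# Dotted quad -> 32-bit integer. Fails on anything that is not four
# decimal octets in 0-255 (leading zeros are rejected so the shell never
# interprets an octet as octal).
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# CIDR prefix length (0-32) -> dotted quad netmask.
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Print the host-bit pattern (the inverted netmask), or fail if the mask
# is not a run of 1 bits followed by a run of 0 bits.
host_bits() {
    mask=$(ip_to_int "$1") || return 1
    inv=$(( ~$mask & 4294967295 ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ] || return 1
    echo "$inv"
}

# Network address: keep the bits where the netmask is 1.
network_addr() {
    ip=$(ip_to_int "$1") || return 1
    inv=$(host_bits "$2") || return 1
    int_to_ip $(( $ip & ~$inv & 4294967295 ))
}

# Broadcast address: set every bit to 1 where the netmask is 0.
broadcast_addr() {
    ip=$(ip_to_int "$1") || return 1
    inv=$(host_bits "$2") || return 1
    int_to_ip $(( $ip | $inv ))
}

# Demo with the address and /17 netmask used in the text.
echo "netmask for /17: $(prefix_to_mask 17)"
echo "network:         $(network_addr 172.30.9.102 255.255.128.0)"
echo "broadcast:       $(broadcast_addr 172.30.9.102 255.255.128.0)"
```
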

Understanding Hostnames

Computers work with numbers, so it’s not surprising that TCP/IP uses numbers as computer addresses. People, though, work better with names. For this reason, TCP/IP includes a way to link names for computers (known as hostnames) to IP addresses. In fact, there are several ways to do this, some of which are described in the next section, “Resolving Hostnames.”

As with IP addresses, hostnames are composed of two parts: machine names and domain names. The former refers to a specific computer and the latter to a collection of computers. Domain names are not equivalent to the network portion of an IP address, though; they’re completely independent concepts. Domain names are registered for use by an individual or organization, which may assign machine names within the domain and link those machine names to any arbitrary IP address desired. Nonetheless, there is frequently some correspondence between domains and network addresses because an individual or organization that controls a domain is also likely to want a block of IP addresses for the computers in that domain.

Internet domains are structured hierarchically. At the top of the hierarchy are the top-level domains (TLDs), such as .com, .edu, and .uk. These TLD names appear at the end of an Internet address. Some correspond to nations (such as .uk and .us, for the United Kingdom and the United States, respectively), but others correspond to particular types of entities (such as .com and .edu, which stand for commercial and educational organizations, respectively). Within each TLD are various domains that identify specific organizations, such as sybex.com for Sybex or loc.gov for the Library of Congress. These organizations may optionally break their domains into subdomains, such as cis.upenn.edu for the Computer and Information Science department at the University of Pennsylvania. Even subdomains may be further subdivided into their own subdomains; this structure can continue for many levels but usually doesn’t. Domains and subdomains include specific computers, such as www.sybex.com, Sybex’s Web server.

When you configure your Linux computer, you may need to know its hostname. This will be assigned by your network administrator and will be a machine name within your organization’s domain. If your computer isn’t part of an organizational network (say, if it’s a system that doesn’t connect to the Internet at all or if it connects only via a dial-up account), you’ll have to make up a hostname. Alternatively, you can register a domain name, even if you don’t use it for running your own servers. Check http://www.icann.org/registrar-reports/accredited-list.html for pointers to accredited domain registrars. Most registrars charge between $10 and $15 per year for domain registration. If your network uses DHCP, it may or may not assign your system a hostname automatically.

If you make up a hostname, choose an invalid domain name. This will guarantee that you don’t accidentally give your computer a name that legitimately belongs to somebody else. Such a name conflict might prevent you from contacting that system, and it could cause other problems as well, such as misdirected email. Four TLDs—.example, .invalid, .localhost, and .test—are reserved for such purposes. Three second-level domains—.example.com, .example.net, and .example.org—are also reserved and so may be safely used.

Resolving Hostnames

The Domain Name System (DNS) is a distributed database of computers that converts between IP addresses and hostnames. Every domain must maintain at least two DNS servers that can either provide the names for every computer within the domain or redirect a DNS query to another DNS server that can better handle the request. Therefore, looking up a hostname involves querying a series of DNS servers, each of which redirects the search until the server that’s responsible for the hostname is found. In practice, this process is hidden from you because most organizations maintain DNS servers that do all the tedious work of chatting with other DNS servers. You need only point your computer to your organization’s DNS servers. This detail may be handled through DHCP, or it may be information you need to configure manually, as described later in the section “Configuring Linux for a Local Network.”

Sometimes, you need to look up DNS information manually. You might do this if you know the IP address of a server through non-DNS means and suspect your DNS configuration is delivering the wrong address or to check whether a DNS server is working. Several programs can be helpful in performing such checks:

nslookup: This program performs DNS lookups (on individual computers by default) and returns the results. It also sports an interactive mode in which you can perform a series of queries. This program is officially deprecated, meaning that it’s no longer being maintained and will eventually be dropped from its parent package (bind-utils or bind-tools on most distributions). Thus, you should get in the habit of using host or dig instead of nslookup.

host: This program serves as a replacement for the simpler uses of nslookup, but it lacks an interactive mode, and of course many details of its operation differ. In the simplest case, you can type host target.name, where target.name is the hostname or IP address you want to look up. You can add various options that tweak the program’s basic operation; consult host’s man page for details.

dig: This program performs more complex DNS lookups than host. Although you can use it to find the IP address for a single hostname (or a hostname for a single IP address), it’s more flexible than host.

whois: You can look up information on a domain as a whole with this command. For instance, typing whois sybex.com reveals who owns the sybex.com domain, who to contact in case of problems, and so on. You may want to use this command with -H, which omits the lengthy legal disclaimers that many domain registries insist on delivering along with whois information. Check the man page for whois for information on additional options.

Exercise 8.1 illustrates the use of the nslookup, host, and dig tools.

EXERCISE 8.1 Practice Resolving Hostnames

The differences between nslookup, host, and dig are best illustrated by example. In this exercise, you’ll practice using these three tools to perform both forward and reverse DNS lookups. To do so, follow these steps:

1. Log into a Linux text-mode session or launch a terminal window in a GUI session.

2. Type nslookup www.google.com. You may substitute another hostname; however, one key point of this hostname is that it resolves to multiple IP addresses, which nslookup shows on multiple Name: and Address: lines. This practice is common on extremely popular sites because the load can be balanced across multiple computers. Note also that nslookup reports the IP address of the DNS server it uses, on the Server: and Address: lines. (The latter includes the port number, as described later, in “Network Ports.”)

3. Type host www.google.com. The output of this command is likely to be somewhat briefer than that of the nslookup command, but it should report the same IP addresses for the server. Although host doesn’t report the DNS server’s address, it is IPv6-enabled, so it reports an IPv6 address, as well as the site’s IPv4 addresses.

4. Type dig www.google.com. This output is significantly longer than that of either nslookup or host. In fact, it closely resembles the format of the configuration files used to define a domain in a DNS server. In the case of www.google.com, that hostname is defined as a CNAME record that points to www.l.google.com, which in turn has several A-record entries that point to specific IP addresses. (This structure could change by the time you read this, though, and of course it’s likely to be different if you examine other hostnames.) You’ll also see several NS records that point to the domain’s name servers, and you’ll see additional A records that point to the name servers’ IP addresses.

5. Perform nslookup, host, and dig queries on IP addresses, such as one of those returned by your lookups on www.google.com. (This is known as a reverse lookup.) In each case, the tool should return a hostname. Note, however, that the hostname might not match the one you used originally. This is because multiple hostnames can point to the same IP address, and the owner of that IP address decides which hostname to link to the IP address for reverse lookup purposes. In some cases, the tool will return an NXDOMAIN error, which means that the IP address’s owner hasn’t configured reverse lookups.

6. Perform similar queries on other computers, such as ones associated with your school, employer, or ISP. Most hostnames have just one IP address associated with them, and you may see other differences, too.

Sometimes DNS is overkill. For instance, you might just need to resolve a handful of hostnames. This may be because you’re configuring a small private network that’s not connected to the Internet at large or because you want to set up a few names for local (or even remote) computers that aren’t in the global DNS database. For such situations, /etc/hosts may be just what you need. This file holds mappings of IP addresses to hostnames, on a one-line-per-mapping basis. Each mapping includes at least one name, and sometimes more:

127.0.0.1 localhost

192.168.7.23 apollo.luna.edu apollo

In this example, the name localhost is associated with the 127.0.0.1 address, and the names apollo.luna.edu and apollo are tied to 192.168.7.23. The first of these linkages is standard; it should exist in any /etc/hosts file. The second linkage is an example that you can modify as you see fit. The first name is a full hostname, including the domain portion; subsequent names on the line are aliases—typically the hostname without its full domain specification.

Once you’ve set up an /etc/hosts file, you can refer to computers listed in the file by name, whether or not those names are recognized by the DNS servers the computer uses. One major drawback to /etc/hosts is that it’s a purely local file; setting a mapping in one computer’s /etc/hosts file affects name lookups performed by that computer alone. Thus, to do good on an entire network, you must modify the /etc/hosts files on all of the computers on the network.

Linux normally performs lookups in /etc/hosts before it uses DNS. You can modify this behavior by editing the /etc/nsswitch.conf file, which configures the Name Service Switch (NSS) service. More specifically, you must adjust the hosts line. This line lists the order of the files and dns options, which stand for /etc/hosts and DNS, respectively:

hosts: files dns

Reverse the order of the files and dns options to have the system consult DNS before it consults /etc/hosts.
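Because a matching /etc/hosts entry answers before DNS is ever asked under the default order, it is worth being able to check which source will answer for a given name. The following added example (not from the book; the function names and temporary sample files are constructed for illustration) parses hosts-format and nsswitch.conf-format files and reports the source that answers first. Only the files source is evaluated; any other source is just named.

```shell
#!/bin/sh
# Added example, not from the book: emulate the "files" lookup in an
# /etc/hosts-style file and read the lookup order from the hosts: line of
# an nsswitch.conf-style file. Function names are hypothetical.

# Write constructed sample files (same entries as the text) into DIR.
write_samples() {
    cat > "$1/hosts" <<'EOF'
# constructed sample
127.0.0.1     localhost
192.168.7.23  apollo.luna.edu apollo   # full name first, then alias
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: files
hosts:  files dns
EOF
}

# hosts_lookup NAME FILE
# Print the IP address of the first line that lists NAME as hostname or
# alias. Comments and blank lines are ignored; names compare without case.
hosts_lookup() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# hosts_sources FILE
# Print the sources named on the hosts: line, in order. Bracketed action
# items such as [NOTFOUND=return] are skipped.
hosts_sources() {
    awk '
        { sub(/#.*/, "") }
        $1 == "hosts:" {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out ? " " : "") $i
            print out
            exit
        }
    ' "$1"
}

# resolve_source NAME HOSTS_FILE NSSWITCH_FILE
# Walk the configured order. Prints "files <address>" when the hosts file
# answers, otherwise the name of the first other source that would be asked.
resolve_source() {
    name=$1 hosts_file=$2 nss_file=$3
    for src in $(hosts_sources "$nss_file"); do
        if [ "$src" = files ]; then
            if addr=$(hosts_lookup "$name" "$hosts_file"); then
                echo "files $addr"
                return 0
            fi
        else
            echo "$src"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "apollo          -> $(resolve_source apollo "$demo_dir/hosts" "$demo_dir/nsswitch.conf")"
echo "www.example.org -> $(resolve_source www.example.org "$demo_dir/hosts" "$demo_dir/nsswitch.conf")"
rm -rf "$demo_dir"
```
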

The /etc/nsswitch.conf file supports many more options. For instance, you can perform name resolution using Windows NetBIOS calls or a Lightweight Directory Access Protocol (LDAP) server by adding appropriate options to the hosts line, along with the necessary support software. The passwd, shadow, and group lines control how Linux authenticates users and manages groups. You should not attempt to change these configurations unless you understand the systems involved, but you should be aware of the importance of /etc/nsswitch.conf generally.

In addition to /etc/hosts, Linux supports a file called /etc/networks. It works much like /etc/hosts, but it applies to network addresses, and it reverses the order of the names and the IP address on each line:

loopback 127.0.0.0

mynet 192.168.7.0

This example sets up two linkages: the loopback name to the 127.0.0.0/8 network and mynet for the 192.168.7.0/24 network. It’s seldom necessary to edit this file.

Network Ports

Contacting a specific computer is important, but one additional type of addressing is left: The sender must have an address for a specific program on the remote system. For instance, suppose you’re using a Web browser. The Web server computer may be running more servers than just a Web server—it may also be running an email server or an FTP server, to name just two of many possibilities. Another number beyond the IP address enables you to direct traffic to a specific program. This number is a network port number, and programs that access a TCP/IP network typically do so through one or more ports.

Port numbers are features of the UDP and TCP protocols. Some protocols, such as ICMP, don’t use port numbers.

When they start up, servers tie themselves to specific ports, which by convention are associated with specific server programs. For instance, port 25 is associated with email servers, and port 80 is used by Web servers. Table 8.2 summarizes the purposes of several important ports. A client can direct its request to a specific port and expect to contact an appropriate server. The client’s own port number isn’t fixed; it’s assigned by the OS. Because the client initiates a transfer, it can include its own port number in the connection request, so clients don’t need fixed port numbers. Assigning client port numbers dynamically also enables one computer to easily run several instances of a single client because they won’t compete for access to a single port.

TABLE 8.2 Port numbers, their purposes, and typical Linux servers

One key distinction in TCP/IP ports is that between privileged ports and unprivileged ports. The former have numbers less than 1024. Unix and Linux systems restrict access to privileged ports to root. The idea is that a client can connect to a privileged port and be confident that the server running on that port was configured by the system administrator and can therefore be trusted. Unfortunately, on today’s Internet, this trust would be unjustified based solely on the port number, so this distinction isn’t very useful. Port numbers greater than 1024 may be accessed by ordinary users.

Clients and Servers

An important distinction is the one between clients and servers. A client is a program that initiates a network connection to exchange data. A server listens for such connections and responds to them. For instance, a Web browser, such as Firefox or Opera, is a client program. You launch the program and direct it to a Web page, which means that the Web browser sends a request to the Web (HTTP) server at the specified address. The Web server sends back data in reply to the request. Clients can also send data, like when you enter information in a Web form and click a Submit or Send button.

The terms client and server can also be applied to entire computers that operate mostly in one or the other role. Thus, a phrase such as Web server is somewhat ambiguous—it can refer either to the Web server program or to the computer that runs that program. When this distinction is important and unclear from context, I clarify it (for instance, by referring to “the Web server program”).

Fortunately, for basic functioning, you need to do nothing to configure ports on a Linux system. You may have to deal with this issue if you run unusual servers, though, because you may need to configure the system to link the servers to the correct ports. This can sometimes involve editing the /etc/services file, which maps port numbers to names, enabling you to use names in server configurations and elsewhere. This file consists of lines that begin with a name and end with a port number, including the type of protocol it uses (TCP or UDP):

ssh 22/tcp # SSH Remote Login Protocol

ssh 22/udp # SSH Remote Login Protocol

telnet 23/tcp

smtp 25/tcp

Configuring Linux for a Local Network

Now that you know something about how networking functions, the question arises: How do you implement networking in Linux? Most Linux distributions provide you with the means to configure a network connection during system installation. Therefore, chances are good that networking already functions on your system. In case it doesn’t, though, the following sections summarize what you must do to get the job done. Actual configuration can be done using either the automatic DHCP tool or static IP addresses. Linux’s underlying network configuration mechanisms rely on startup scripts and their configuration files, but you may be able to use GUI tools to do the job instead.

Network Hardware Configuration

The most fundamental part of network configuration is getting the network hardware up and running. In most cases, this task is fairly automatic—most distributions ship with system startup scripts that auto-detect the network card and load the correct driver module. If you recompile your kernel, building the correct driver into the main kernel file will also ensure that it’s loaded at system startup.

If your network hardware isn’t correctly detected, though, subsequent configuration (as described in the upcoming sections “Configuring with DHCP” and “Configuring with a Static IP Address”) won’t work. To correct this problem, you must load your network hardware driver. You can do this with the modprobe command:

# modprobe tulip

You must know the name of your network hardware’s kernel module (tulip in this example). Chapter 3, “Configuring Hardware,” describes the task of hardware configuration and activation in more detail.

Configuring with DHCP

One of the easiest ways to configure a computer to use a TCP/IP network is to use DHCP, which enables one computer on a network to manage the settings for many other computers. It works like this: When a computer running a DHCP client boots up, it sends a broadcast in search of a DHCP server. The server replies (using nothing but the client’s hardware address) with the configuration information the client needs to enable it to communicate with other computers on the network—most important, the client’s IP address and netmask and the network’s gateway and DNS server addresses. The DHCP server may also give the client a hostname and provide various other details about the network. The client then configures itself with these parameters. The IP address isn’t assigned permanently; it’s referred to as a DHCP lease, and if it’s not renewed, the DHCP server may give the lease to another computer. Therefore, from time to time the client checks back with the DHCP server to renew its lease.

Three DHCP clients are in common use on Linux: pump, dhclient, and dhcpcd (not to be confused with the DHCP server, dhcpd). Some Linux distributions ship with just one of these, but others ship with two or even all three. All distributions have a default DHCP client—the one that’s installed when you tell the system you want to use DHCP at system installation time. Those that ship with multiple DHCP clients typically enable you to swap out one for another simply by removing the old package and installing the new one.

Ideally, the DHCP client runs at system bootup. This is usually handled either by its own startup script, as described in Chapter 5, “Booting Linux and Editing Files,” or as part of the main network configuration startup file (typically a startup script called network or networking). The system often uses a line in a configuration file to determine whether to run a DHCP client. For instance, Red Hat and Fedora set this option in a file called /etc/sysconfig/network-scripts/ifcfg-name, where name is the name of the network interface, such as p2p1. The line in question looks like this:

BOOTPROTO="dhcp"

Recall that most distributions use eth0 to refer to the computer’s first Ethernet port, eth1 for the second (if present), and so on. Fedora names its interfaces differently, though, and in a way that’s inconsistent from one computer to another.

If the BOOTPROTO variable is set to something else, changing it as shown here will configure the system to use DHCP. It’s usually easier to use a GUI configuration tool to set this option, though.

Ubuntu uses the /etc/network/interfaces file for a similar purpose, but the details differ. On a system that uses DHCP, a line like the following appears:

iface eth0 inet dhcp

Details may vary, of course; for instance, the interface name (eth0) may be something else. You may prefer to use the GUI system configuration tools to adjust these options.

Once a DHCP client is configured to run when the computer boots, the configuration task is done—at least, if everything works as it should. On very rare occasions, you may need to tweak DHCP settings to work around client-server incompatibilities or to have the DHCP client do something unusual. Consult the man page for your DHCP client if you need to make changes. You’ll then have to modify its startup script or a file to which it refers in order to change its operation.

If you need to manually run a DHCP client, you can usually do so by typing its name (as root), optionally followed by a network identifier, as in dhclient eth0 to have the DHCP client attempt to configure eth0 with the help of any DHCP server it finds on that network.

Configuring with a Static IP Address

If a network lacks a DHCP server, you must provide basic network configuration options manually. You can set these options using interactive commands, as described shortly; but to set them in the long term, you adjust a configuration file such as /etc/sysconfig/network-scripts/ifcfg-name or /etc/network/interfaces. Listing 8.1 shows a typical ifcfg-name file, configured to use a static IP address. (Note that this file’s exact location and name may vary from one distribution to another.)

Listing 8.1: A sample network configuration file

DEVICE="p2p1"

BOOTPROTO="static"

IPADDR="192.168.29.39"

NETMASK="255.255.255.0"

NETWORK="192.168.29.0"

BROADCAST="192.168.29.255"

GATEWAY="192.168.29.1"

ONBOOT="yes"

Several specific items are required, or at least helpful, for static IP address configuration:

IP Address
You can set the IP address manually via the ifconfig command (described in more detail shortly) or via the IPADDR item in the configuration file.

Network Mask
The netmask can be set manually via the ifconfig command or via the NETMASK item in a configuration file.

Gateway Address
You can manually set the gateway via the route command. To set it permanently, you need to adjust a configuration file, which may be the same configuration file that holds other options or another file, such as /etc/sysconfig/network/routes. In either case, the option is likely to be called GATEWAY. The gateway isn’t necessary on a computer that isn’t connected to a wider network—that is, if the computer works only on a local network that contains no routers.

DNS Settings
In order for Linux to use DNS to translate between IP addresses and hostnames, you must specify at least one DNS server in the /etc/resolv.conf file. Precede the IP address of the DNS server by the keyword nameserver, as in nameserver 192.168.29.1. You can include up to three nameserver lines in this file. Adjusting this file is all you need to do to set the name server addresses; you don’t have to do anything else to make the setting permanent. You can also set your computer’s local domain name in this file using the domain option, as in domain luna.edu to set the domain to luna.edu.
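The NETWORK and BROADCAST values in Listing 8.1 follow arithmetically from IPADDR and NETMASK, and a mistyped value is easy to miss by eye. The following shell script is an added example, not part of the book: it parses an ifcfg-style file, derives both values, and reports any line that disagrees. The function names are hypothetical, the sample input is Listing 8.1, and the gateway check assumes the gateway sits on the interface’s own subnet, as it does in the listing.

```shell
#!/bin/sh
# Added example (not from the book): consistency check for the static-address
# keys of an ifcfg-style file such as Listing 8.1.

# Dotted quad -> 32-bit integer. Fails unless given four octets in 0-255.
ip_to_int() (
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*) exit 1 ;; esac   # a leading zero would be read as octal
        [ "$o" -le 255 ] 2>/dev/null || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the value of KEY="value" (quotes optional) from file $1; last one wins.
ifcfg_get() {
    sed -n 's/^[ 	]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[ 	]*$/\1/p' "$1" | tail -n 1
}

# Report inconsistencies in file $1. Exit status 0 = consistent, 1 = problems.
check_ifcfg() (
    f=$1
    rc=0
    ip=$(ifcfg_get "$f" IPADDR)
    mask=$(ifcfg_get "$f" NETMASK)
    ipn=$(ip_to_int "$ip") && mn=$(ip_to_int "$mask") ||
        { echo "IPADDR or NETMASK is missing or malformed"; exit 1; }
    inv=$(( ~mn & 4294967295 ))            # host bits of the mask
    [ $(( inv & (inv + 1) )) -eq 0 ] ||
        { echo "NETMASK $mask is not a contiguous mask"; exit 1; }
    net=$(( ipn & mn ))                    # network address: host bits cleared
    bc=$(( net | inv ))                    # broadcast address: host bits set
    for key in NETWORK BROADCAST; do
        have=$(ifcfg_get "$f" "$key")
        case "$key" in
            NETWORK) want=$(int_to_ip "$net") ;;
            *)       want=$(int_to_ip "$bc") ;;
        esac
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            echo "$key is $have but IPADDR/NETMASK imply $want"
            rc=1
        fi
    done
    gw=$(ifcfg_get "$f" GATEWAY)
    if [ -n "$gw" ]; then
        gwn=$(ip_to_int "$gw") || { echo "GATEWAY $gw is malformed"; exit 1; }
        if [ $(( gwn & mn )) -ne "$net" ]; then
            echo "GATEWAY $gw is outside $(int_to_ip "$net") netmask $mask"
            rc=1
        fi
    fi
    exit $rc
)

# Listing 8.1 from the text, used as sample input.
sample_ifcfg() {
    cat <<'EOF'
DEVICE="p2p1"
BOOTPROTO="static"
IPADDR="192.168.29.39"
NETMASK="255.255.255.0"
NETWORK="192.168.29.0"
BROADCAST="192.168.29.255"
GATEWAY="192.168.29.1"
ONBOOT="yes"
EOF
}

tmp=$(mktemp) && sample_ifcfg > "$tmp" && check_ifcfg "$tmp" &&
    echo "Listing 8.1 values are consistent"
rm -f "$tmp"
```

Point check_ifcfg at a real file, such as /etc/sysconfig/network-scripts/ifcfg-p2p1, before bringing the interface up.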

The network configuration script may hold additional options, but most of these are related to others. For instance, Listing 8.1 has an option specifying the interface name (DEVICE="p2p1"), another that tells the computer to assign a static IP address (BOOTPROTO="static"), and a third to bring up the interface when the computer boots (ONBOOT="yes"). The NETWORK and BROADCAST items in Listing 8.1 are derived from the IPADDR and NETMASK items, but you can change them if you understand the consequences.

Unfortunately, these configuration details vary from one distribution to another. For instance, if you use Ubuntu, you would edit /etc/network/interfaces rather than /etc/sysconfig/network-scripts/ifcfg-eth0. The precise layout and formatting of information in the two files differs, but the same basic information is present in both of them. You may need to consult distribution-specific documentation to learn about these details. Alternatively, GUI tools are usually fairly easy to figure out, so you can look for these.

If you aren’t sure what to enter for the basic networking values (the IP address, network mask, gateway address, and DNS server addresses), you should consult your network administrator. Do not enter random values or values you make up that are similar to those used by other systems on your network. Doing so is unlikely to work at all, and it could conceivably cause a great deal of trouble—say, if you mistakenly use an IP address that’s reserved for another computer.

As just mentioned, the ifconfig program is critically important for setting both the IP address and netmask. This program can also display current settings. Basic use of ifconfig to bring up a network interface resembles the following:

ifconfig interface up addr netmask mask

For instance, the following command brings up eth0 (the first Ethernet device on most distributions) using the address 192.168.29.39 and the netmask 255.255.255.0:

# ifconfig eth0 up 192.168.29.39 netmask 255.255.255.0

This command links the specified IP address to the device so that the computer responds to the address and claims to be that address when sending data. It doesn’t, though, set up a route for traffic beyond your current network. For that, you need to use the route command:

# route add default gw 192.168.29.1

Substitute your own gateway address for 192.168.29.1. (Routing and the route command are described in more detail shortly, in “Configuring Routing.”) Both ifconfig and route can display information on the current network configuration. For ifconfig, omit up and everything that follows; for route, omit add and everything that follows. For instance, to view interface configuration, you might issue the following command:

# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:A0:CC:24:BA:02
          inet addr:192.168.29.39  Bcast:192.168.29.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10469 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8557 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1017326 (993.4 Kb)  TX bytes:1084384 (1.0 Mb)
          Interrupt:10 Base address:0xc800

When configured properly, ifconfig should show a hardware address (HWaddr), an IP address (inet addr), and additional statistics. There should be few or no errors, dropped packets, or overruns for both received (RX) and transmitted (TX) packets. Ideally, few (if any) collisions should occur, but some are unavoidable if your network uses a hub rather than a switch. If collisions total more than a few percent of the total transmitted and received packets, you may want to consider replacing a hub with a switch.

To use route for diagnostic purposes, you might try the following:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.29.0    *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.29.1    0.0.0.0         UG    0      0        0 eth0

The -n option to route causes it to not attempt to find the hostnames associated with IP addresses. Although hostnames are often useful, this lookup can be slow or fail altogether if your DNS configuration is broken, so using -n with route is sometimes necessary.

This shows that data destined for 192.168.29.0 (that is, any computer with an IP address between 192.168.29.1 and 192.168.29.254) goes directly over eth0. The 127.0.0.0 network is a special interface that “loops back” to the originating computer. Linux uses this for some internal networking purposes. The last line shows the default route, which describes what to do with everything that doesn’t match any other entry in the routing table. This line specifies the default route’s gateway system as 192.168.29.1. If it’s missing or misconfigured, some or all traffic destined for external networks, such as the Internet, won’t make it beyond your local network segment.

As with DHCP configuration, it’s almost always easier to use a GUI configuration tool to set up static IP addresses, at least for new administrators. The exact locations of the configuration files differ from one distribution to another, so the examples listed earlier may not apply to your system.

Configuring Routing

As explained earlier, routers pass traffic from one network to another. You configure your Linux system to directly contact systems on the local network. You also give the computer a router’s address, which your system uses as a gateway to the Internet at large. Any traffic that’s not destined for the local network is directed at this router, which passes it on to its destination. In practice, there are likely to be a dozen or more routers between you and most Internet sites. Each router has at least two network interfaces and keeps a table of rules concerning where to send data based on the destination IP address. Your own Linux computer has such a table, but it’s probably very simple compared to those on major Internet routers.

Linux can function as a router, which means it can link two or more networks together, directing traffic between them on the basis of its routing table. This task is handled, in part, by the route command. This command can be used to do much more than specify a single gateway system, though, as described earlier. A simplified version of the route syntax is as follows:

route {add | del} [-net | -host] target [netmask nm] [gw gw]
      [reject] [[dev] interface]

You specify add or del along with a target (a computer or network address) and optionally other parameters. The -net and -host options force route to interpret the target as a network or computer address, respectively. The netmask option lets you set a netmask as you desire, and gw lets you specify a router through which packets to the specified target should go. (Some versions of route use gateway rather than gw.) The reject keyword installs a blocking route, which refuses all traffic destined for the specified network. (This is not a firewall, though.) Finally, although route can usually figure out the interface device (for instance, eth0) on its own, you can force the issue with the dev option.

As an example, consider a network in which packets destined for the 172.20.0.0/16 subnet should be passed through the 172.21.1.1 router, which isn’t the default gateway system. You can set up this route with the following command:

# route add -net 172.20.0.0 netmask 255.255.0.0 gw 172.21.1.1

Incorrect routing tables can cause serious problems because some or all computers won’t respond. You can examine your routing table by typing route alone and compare the results to what your routing table should be. (Consult a network administrator if you’re not sure what your routing table should contain.) You can then delete incorrect routes and add new ones to replace them, if necessary. Ultimately, of course, changing your configuration files is the best solution, but typing a couple of route commands will do the trick in the short term.

One more thing you may need to do if you’re setting up a router is enabling routing. Ordinarily, a Linux system won’t forward packets it receives from one system that are directed at another system. If Linux is to act as a router, though, it must accept these packets and send them on to the destination network (or at least to an appropriate gateway). To enable this feature, you must modify a key file in the /proc filesystem:

# echo "1" > /proc/sys/net/ipv4/ip_forward

This command enables IP forwarding. Permanently setting this option requires modifying a configuration file. Some distributions set it in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Other distributions use other configuration files and options, such as /etc/sysconfig/sysctl and its IP_FORWARD line. If you can’t find it, try using grep to search for ip_forward or IP_FORWARD, or modify a local startup script to add the command to perform the change.
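A host that is not meant to route should have forwarding off both in the running kernel and in its persistent configuration, and the two can drift apart when someone changes only one of them. The following shell script is an added example, not part of the book: it compares /proc/sys/net/ipv4/ip_forward with the last net.ipv4.ip_forward line of a sysctl.conf-style file against the role you expect. The function names and exit codes are hypothetical, the sample files are constructed, and an absent key is assumed to mean forwarding stays off.

```shell
#!/bin/sh
# Added example (not from the book): audit IP forwarding against a host's role.

# Print the last net.ipv4.ip_forward value set in a sysctl.conf-style file.
# Commented-out lines are skipped; nothing is printed when the key is absent.
persistent_ip_forward() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_ip_forward EXPECTED [RUNTIME_FILE] [CONF_FILE]
#   EXPECTED is 0 for an ordinary host, 1 for a router.
# Exit status: 0 = as expected
#              1 = running kernel disagrees with EXPECTED
#              2 = running kernel is fine, but the persistent setting
#                  will change it at the next boot
#              3 = runtime value could not be read
audit_ip_forward() (
    expected=$1
    runtime_file=${2:-/proc/sys/net/ipv4/ip_forward}
    conf_file=${3:-/etc/sysctl.conf}

    runtime=$(tr -d '[:space:]' < "$runtime_file") || exit 3
    persistent=
    if [ -r "$conf_file" ]; then
        persistent=$(persistent_ip_forward "$conf_file")
    fi
    echo "runtime=$runtime persistent=${persistent:-unset} expected=$expected"

    if [ "$runtime" != "$expected" ]; then
        echo "FINDING: forwarding is $runtime in the running kernel, expected $expected"
        exit 1
    fi
    # Assumption: with no persistent setting, forwarding is off after a reboot.
    if [ "${persistent:-0}" != "$expected" ]; then
        echo "FINDING: $conf_file sets forwarding to ${persistent:-0} at the next boot"
        exit 2
    fi
    echo "OK"
)

# Demonstration on constructed files: a workstation on which someone ran
# the echo "1" command by hand while the configuration file still says 0.
demo() {
    d=$(mktemp -d) || return 3
    echo 1 > "$d/ip_forward"
    printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward = 0' > "$d/sysctl.conf"
    rc=0
    audit_ip_forward 0 "$d/ip_forward" "$d/sysctl.conf" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a live system, run audit_ip_forward 0 with no further arguments to read the real /proc and /etc/sysctl.conf paths named in the text.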

Using GUI Configuration Tools

Most distributions include their own GUI configuration tools for network interfaces. For instance, Fedora and Red Hat ship with a custom GUI tool called Network Configuration (system-config-network), and SUSE has a text-mode and GUI tool called YaST. The details of operating these programs differ, but the GUI configuration tool provides a means to enter the information described earlier.

Although the exam doesn’t cover GUI network configuration tools, they’re generally easier to locate and use than the configuration files in which settings are stored. Thus, you may want to look for your distribution’s tool and learn to use it. Once you understand the principles of network configuration (IP addresses, DHCP, and so on), you shouldn’t have trouble entering the necessary information in the GUI fields.

The precise details of how to configure a Linux system using GUI tools differ from one distribution to another. For instance, SUSE’s YaST doesn’t lay out its options in precisely the same way as Fedora’s Network Configuration tool. The basic principles are the same, though; you must choose whether to use static IP address assignment or an automatic system such as DHCP and enter a number of key options, depending on what configuration method you choose.

Using the ifup and ifdown Commands

Most Linux distributions today ship with two commands, ifup and ifdown, that combine the functions of several other network commands, most notably ifconfig and route. In their simplest forms, they bring interfaces up or shut them down based on information in whatever files your distribution uses to store network configuration data:

# ifup eth0
Determining IP information for eth0...done.

After you issue this command, eth0 will be fully configured, including all routing information, assuming you’ve properly configured it by using your distribution’s network configuration tools or by manually editing configuration files such as /etc/network/interfaces and /etc/sysconfig/network-scripts/ifcfg-name. You can bring the interface down with equal ease by typing ifdown eth0.

The ifup and ifdown commands are useful for verifying that the network settings are configured properly for the next time the computer boots. They’re also useful if you want to quickly take down the network or bring it back up again, because you can type fewer commands and you don’t need to remember all the details of IP addresses, routes, and so on. If you need to experiment or debug a problem, though, using ifconfig and route individually is preferable, because they give you finer control over the process.

The ifup and ifdown commands are implemented as scripts that consult the configuration files and run the relevant low-level commands behind the scenes.

Configuring Hostnames

The hostnames described earlier (in “Resolving Hostnames”) are configured in a couple of ways:

On DNS
Your network administrator should be able to add an entry for your system to your network’s DNS server. This entry should make your computer addressable by name from other computers on your local network, and perhaps from the Internet at large. Alternatively, remote systems’ /etc/hosts files can be modified to include your system.

On Your Local Computer
Various local programs should know your computer’s name. For instance, you may want to have your hostname displayed as part of a command prompt or entered automatically in email messages. For this task, you must set your hostname locally. Note that this is entirely independent of your DNS hostname. In theory, you can set the two to very different values, but this practice is likely to lead to confusion and perhaps even failure of some programs to operate properly.

The most basic tool for setting your hostname locally is called, appropriately enough, hostname. Type the command alone to see what your hostname is, or type it with a new name to set the system’s hostname to that name:

# hostname nessus.example.com

Similar commands, domainname and dnsdomainname, display or set the computer’s domain name (such as example.com). The domainname command sets the domain name as used by Network Information System (NIS), whereas dnsdomainname sets the domain name as used by DNS. These commands don’t affect remote servers—just the name given to programs that use calls designed for these servers.

Many Linux distributions look in the /etc/hostname or /etc/HOSTNAME file for a hostname to set at boot time. Thus, if you want to set your hostname permanently, you should look for these files, and if one is present, you should edit it. Fedora uses /etc/sysconfig/network for this purpose, among others. If you can’t find one of these files, consult your distribution’s documentation; it’s conceivable that your distribution stores its hostname in some unusual location.

In Exercise 8.2, you’ll familiarize yourself with some of the tools used to configure basic network settings. You’ll use these tools both to study and to change your network configuration.

EXERCISE 8.2

Configuring a Network Connection

In this exercise, the assumption is that the computer is correctly configured to use an IPv4 Ethernet network, including both local network access and access to a larger network (probably the Internet) via a router.

Some of the procedures in this exercise can easily break your network connectivity if something goes wrong. If this happens, typing ifdown followed by ifup is one way to recover. If this fails, rebooting the computer is almost certain to work, although it’s a radical solution.

To study and modify your system’s network configuration, follow these steps:

1. Log into the Linux system as a normal user.

2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.

3. Acquire root privileges. You can do this by typing su in an xterm or by using sudo (if it’s configured) to run the commands in the following steps.

4. Type ifconfig. This command displays information about your local network settings for all your network interfaces. Most systems have both a loopback interface (lo) and an Ethernet interface (eth0). Look for a line in the Ethernet section that includes the string inet addr:. The following 4-byte number is your IP address. Write it down, as well as the value of your netmask (Mask:). Study the other information in this output, too, such as the number of received (RX) and transmitted (TX) packets, the number of errors, the number of collisions, and the Ethernet adapter’s hardware address.

5. Type route -n. The output is your computer’s routing table information. This normally includes information about the loopback network address (127.0.0.0/24), the local network address, and a default route (identified as the route for 0.0.0.0). Some systems may display fewer or additional lines, depending on local configuration. The default route includes an IP address under the Gateway column. Write down that address.

6. Use ping to test connectivity to both local and remote computers. (This command is described in more detail shortly, in “Testing Basic Connectivity.”) You need the name or IP address of at least one local computer and at least one distant computer (beyond your local router). Type ping address, where address is the name or IP address of each test machine. Perform this test for localhost or 127.0.0.1, your own machine (use the IP address you noted in step 4), your local router (use the IP address you noted in step 5), and a distant computer (if you’re connected to the Internet, you can use an Internet-accessible site, such as www.linux.org). All of these ping tests should be successful. Note, however, that some computers are configured to ignore packets sent by ping. Thus, some of these tests may fail if you run into such systems. You can learn the configuration of local computers from their administrators, but for Internet sites, you may want to simply try another site if the first one you test fails.

7. Bring down the local Ethernet connection by typing ifconfig eth0 down.

8. Repeat steps 4−6. Note that the eth0 interface is no longer shown when you type ifconfig, all routes associated with it have been removed from the routing table, and pinging systems accessible from the interface no longer works. (Linux retains some information about its former Ethernet link, so you may still be able to ping the computer itself via its former eth0 address.)

9. Bring the local Ethernet connection back up by typing ifconfig eth0 up address netmask mask, where address is the original IP address and mask is the original netmask, both as identified in step 4.

10. Repeat steps 4−6. Note that the ifconfig command automatically added back your local network to the routing table but that the default route is still missing. As a result, you can’t contact any systems that are located off the local network. If your DNS server is such a system, this means your ability to contact even local machines by name may be impaired as well.

11. Restore the default route by typing route add default gw gateway, where gateway is the router address you identified in step 5.

12. Repeat steps 4−6. If your network configuration is typical, all connectivity should be restored. (Some more exotic systems may still be lacking certain routes.)

Using PPP with DSL

Broadband users, and particularly those with Digital Subscriber Line (DSL) connections, sometimes have to use a variant of PPP to make their connections. PPP is a login-based way to access the Internet—you use a PPP utility to initiate a connection to a remote computer, which includes an exchange of a username and a password. A decade ago, PPP was used in dial-up Internet access (and it’s still used in this capacity), but some DSL providers have adapted PPP for their own purposes. In the case of DSL, this configuration method is called PPP over Ethernet (PPPoE).

In many cases, the simplest way to use a PPPoE configuration is to purchase a broadband router. This device attaches to the DSL modem and makes the PPPoE connection. The broadband router then works just like an ordinary Ethernet or Wi-Fi router, as far as your local computers are concerned, so you can configure Linux as you would on any other local network.

If you must connect a Linux system directly to a DSL network that uses PPPoE, you must use a Linux PPPoE client. Most Linux distributions ship with such clients, but configuration details vary from one distribution to another. Your best bet is to look for your distribution’s GUI network configuration tool; chances are, you’ll be able to find a set of options that are clearly labeled as applying to DSL or PPPoE.

Diagnosing Network Connections

Network configuration is a complex task, and unfortunately, things don’t always work as planned. Fortunately, there are a few commands you can use to help diagnose a problem. Five of these are ping, traceroute, tracepath, netstat, and tcpdump. Each of these commands exercises the network in a particular way and provides information that can help you track down the source of a problem. You can also use some common network programs that aren’t primarily debugging tools in your debugging efforts.

Testing Basic Connectivity

The most basic network test is the ping command, which sends a simple ICMP packet to the system you name (via IP address or hostname) and waits for a reply. In Linux, ping continues sending packets once every second or so until you interrupt it with a Ctrl+C keystroke. (You can instead specify a limited number of tests via the -c num option.) Here’s an example of its output:

$ ping -c 4 speaker
PING speaker (192.168.1.1) 56(84) bytes of data.
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=1 ttl=64 time=0.194 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=2 ttl=64 time=0.203 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=3 ttl=64 time=0.229 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=4 ttl=64 time=0.217 ms
--- speaker ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.194/0.210/0.229/0.022 ms

This command sent four packets and waited for their return, which occurred quite quickly (in an average of 0.210 ms) because the target system was on the local network. By pinging systems on both local and remote networks, you can isolate where a network problem occurs. For instance, if you can ping local computers but not remote systems, the problem is most probably in your router configuration. If you can ping by IP address but not by name, the problem is with your DNS configuration.

Tracing a Route

A step up from ping is the traceroute command, which sends a series of three test packets to each computer between your system and a specified target system. The result looks something like this:

$ traceroute -n 10.1.0.43
traceroute to 10.1.0.43 (10.1.0.43), 30 hops max, 52 byte packets
 1  192.168.1.1  1.021 ms  36.519 ms  0.971 ms
 2  10.10.88.1  17.250 ms  9.959 ms  9.637 ms
 3  10.9.8.173  8.799 ms  19.501 ms  10.884 ms
 4  10.9.8.133  21.059 ms  9.231 ms  103.068 ms
 5  10.9.14.9  8.554 ms  12.982 ms  10.029 ms
 6  10.1.0.44  10.273 ms  9.987 ms  11.215 ms
 7  10.1.0.43  16.360 ms  *  8.102 ms

The -n option to this command tells it to display target computers’ IP addresses rather than their hostnames. This can speed up the process a bit, particularly if you’re having DNS problems, and it can sometimes make the output easier to read—but you may want to know the hostnames of problem systems because that can help you pinpoint who’s responsible for a problem.

This sample output shows a great deal of variability in response times. The first hop, to 192.168.1.1, is purely local; this router responded in 1.021, 36.519, and 0.971 milliseconds (ms) to its three probes. (Presumably the second probe caught the system while it was busy with something else.) Probes of most subsequent systems are in the 8−20 ms range, although one is at 103.068 ms. The final system has only two times; the middle probe never returned, as the asterisk (*) on this line indicates.

Using traceroute, you can localize problems in network connectivity. Highly variable times and missing times can indicate a router that’s overloaded or that has an unreliable link to the previous system on the list. If you see a dramatic jump in times, it typically means that the physical distance between two routers is great. This is common in intercontinental links. Such jumps don’t necessarily signify a problem unless the two systems are close enough that a huge jump isn’t expected.

What can you do with the traceroute output? Most immediately, traceroute is helpful in determining whether a problem in network connectivity exists in a network for which you’re responsible. For instance, the variability in the first hop of the preceding example could indicate a problem on the local network, but the lost packet associated with the final destination most likely is not a local problem. If the trouble link is within your jurisdiction, you can check the status of the problem system, nearby systems, and the network segment in general.

Some routers are configured in such a way that traceroute isn’t a useful tool; these routers block all traceroute data, either to themselves only or for all packets that pass through them. If your traceroute output contains one or two lines of all asterisks but everything else seems OK, chances are you’ve run into such a system. If you see nothing but asterisks after a certain router but diagnostic tools such as ping still work, a router is probably blocking all traceroute operations.

The tracepath program is an alternative to traceroute. In basic operation, it’s similar, although it produces one line of output for each test packet and so yields longer outputs than traceroute. There are also fewer tracepath options than there are traceroute options.

Checking Network Status

Another useful diagnostic tool is netstat. This is something of a Swiss Army knife of network tools because it can be used in place of several others, depending on the parameters it’s passed. It can also return information that’s not easily obtained in other ways. Examples include the following:

Interface Information
Pass netstat the --interface or -i parameter to obtain information about your network interfaces similar to what ifconfig returns. (Some versions of netstat return information in the same format, but others display the information differently.)

Routing Information
You can use the --route or -r parameter to obtain a routing table listing similar to what the route command displays.

Masquerade Information
Pass netstat the --masquerade or -M parameter to obtain information about connections mediated by Linux’s NAT features, which often go by the name IP masquerading. NAT enables a Linux router to “hide” a network behind a single IP address. This can be a good way to stretch limited IPv4 addresses.

Program Use
Some versions of netstat support the --program (or -p) parameter, which attempts to provide information about the programs that are using network connections. This attempt isn’t always successful, but it often is, so you can see what programs are making outside connections.

Open Ports
When used with various other parameters, or without any parameters at all, netstat returns information about open ports and the systems to which they connect.

All Connections
The --all or -a option is used in conjunction with others. It causes netstat to display information about the ports that server programs open to listen for network connections, in addition to already-open connections. This use of netstat is described in more detail in Chapter 10, “Securing Your System.”

Keep in mind that netstat is a very powerful tool, and its options and output aren’t entirely consistent from one distribution to another. You may want to peruse its man page and experiment with it to learn what it can do.

Examining Raw Network Traffic

One advanced network troubleshooting tool is tcpdump. This utility is a packet sniffer, which is a program that can intercept network packets and log them or display them on the screen. Packet sniffers can be useful diagnostic tools because they enable you to verify that a computer is actually receiving data from other computers. They also enable you to examine the data in its raw form, which can be useful if you understand enough of the protocol’s implementation details to spot problems.

Although packet sniffers are useful diagnostic tools, they can also be abused. For instance, unscrupulous individuals can run packet sniffers to capture passwords that others send over the network. Depending on your network configuration, this trick can work even if the packet sniffer isn’t running on either the sending or the receiving computer. For this reason, many organizations have policies forbidding the use of packet sniffers except under limited circumstances. Thus, before running a packet sniffer, you should obtain written permission to use such a program from an individual who is authorized to grant such permission. Failure to do so can lead you into serious trouble, possibly up to losing your job or even being sued.

In its most basic form, you can use tcpdump by typing its name:

# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:31:55.503759 IP speaker.example.com.631 > 192.168.1.255.631: UDP,
 length: 139
19:31:55.505400 IP nessus.example.com.33513 > speaker.example.com.domain:
 46276+ PTR? 255.1.168.192.in-addr.arpa. (44)
19:31:55.506086 IP speaker.example.com.domain > nessus.example.com.33513:
 46276 NXDomain* 0/1/0 (110)

The first thing to note about this command is that you must run it as root; ordinary users aren’t allowed to monitor network traffic in this way. Once it’s run, tcpdump summarizes what it’s doing and then begins printing lines, one for each packet it monitors. (Some of these lines can be quite long and so may take more than one line on your display.) These lines include a time stamp, a stack identifier (IP in all of these examples), the origin system name or IP address and port, the destination system name or IP address and port, and packet-specific information. Ordinarily, tcpdump keeps displaying packets indefinitely, so you must terminate it by pressing Ctrl+C. Alternatively, you can pass it the -c num option to have it display num packets and then quit.

Even this basic output can be very helpful. For instance, consider the preceding example of three packets, which was captured on nessus.example.com. This computer successfully received one broadcast packet (addressed to 192.168.1.255) from speaker.example.com’s UDP port 631, sent a packet to speaker.example.com, and received a packet from that system directed at nessus.example.com rather than sent as a broadcast. This sequence verifies that at least minimal communication exists between these two computers. If you were having problems establishing a connection, you could rule out a whole range of possibilities based on this evidence, such as faulty cables or a firewall that was blocking traffic.

If you need more information, tcpdump provides several options that enhance or modify its output. These include -A to display packet contents in ASCII, -D to display a list of interfaces to which tcpdump can listen, -n to display all addresses numerically, -v (and additional -v options, up to -vvv) to display additional packet information, and -w file to write the captured packets to the specified file. Consult tcpdump’s man page for more details on these options and for additional options.

Using Additional Tools

In addition to specialized network diagnostic programs, you can use some common user programs as debugging tools. One of the most useful of these may be Telnet. This program and protocol is mainly a remote login tool; type the program name followed by the name of a remote system to receive a login prompt on that system:

$ telnet speaker
Trying 192.168.1.1...
Connected to speaker.
Escape character is '^]'.
speaker login: harry
Password:
Last login: Mon Apr 25 21:48:44 from nessus.example.com
Have a lot of fun...
harry@speaker:~>

Telnet is a poor choice as a remote login protocol because it’s entirely unencrypted. As a general rule, you should remove the Telnet server from your system and never use the telnet client program. It can be a useful lowest-common-denominator protocol on sufficiently protected private networks, though, and the telnet client can also be a handy tool for debugging, as described next. Chapter 10 describes SSH, which is a much safer alternative to Telnet.

You can use Telnet to debug network protocols; if you give it a port number after the remote hostname, the telnet program connects to that port, enabling you to interact with the server:

$ telnet speaker 25
Trying 192.168.1.1...
Connected to speaker.
Escape character is '^]'.
220 speaker.example.com ESMTP Postfix
HELO nessus.example.com
250 speaker.example.com

This example connects to port 25, which is used by email servers. After connecting, I entered a HELO command, which is used by SMTP to identify a client; the remote system responded with a 250 code, which indicates an accepted command.

Of course, to use Telnet in this way, you must know a great deal about the protocol. Even without this knowledge, though, you can use Telnet to test whether a server is running: If you try to connect but get a Connection refused error message, you know that a remote server isn’t running or is inaccessible for some reason (say, because it’s being blocked by a firewall). If you get in (to the Escape character message shown in the earlier example or beyond), the server is running, although it may not be working correctly. This test works only for protocols that use TCP. Some tools use UDP instead, and Telnet won’t connect with them.

Sometimes the File Transfer Protocol (FTP) can be a useful diagnostic tool, as well. This program, as its name suggests, enables you to transfer files between systems. To use it, type the program name followed by the FTP server’s name. You’ll then see a login prompt and be able to issue FTP commands:

$ ftp speaker
Connected to speaker.
220 (vsFTPd 1.2.1)
Name (speaker:harry): harry
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get zathras.wav
local: zathras.wav remote: zathras.wav
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for zathras.wav (109986 bytes).
226 File send OK.
109986 bytes received in 0.104 secs (1e+03 Kbytes/sec)
ftp> quit
221 Goodbye.

This example retrieves a single file, zathras.wav, from the remote computer. The basic ftp client displays a file size, transfer time, and transfer rate (1e+03 Kbytes/sec—in other words, 1 × 10^3 KiB/s, or 1000 KiB/s). This can be a useful way to test your network transfer speed, although you’ll get more reliable results with files that are several hundred kilobytes or larger in size. In addition to get, which retrieves files, you can issue commands such as put to upload a file; ls or dir to display the remote system’s directory contents; cd to change directories on the remote system; delete to remove a file; and quit or exit to exit from the program. You can use the help or ? command to see a list of available ftp commands.

Like Telnet, FTP is a poor choice of protocol for security reasons. The same SSH protocol that can substitute for Telnet can also handle most FTP duties. One important exception exists to the rule not to use FTP, though: Anonymous FTP sites are a common method of distributing public files on the Internet. You can download Linux itself from anonymous FTP sites. These sites typically take a username of anonymous and any password (your email address is the conventional reply) and give you read access to their contents. In most cases, you can’t upload files to anonymous FTP sites, and you can access only a limited number of files.

YoucanaccesspublicFTPsitesusingaWebbrowser.EnteraURLthatbeginswithftp://,suchasftp://downloads.example.org,andtheWebbrowserconnectstothesiteusingFTPratherthanHTTP.

Summary

Linux is a network-enabled OS, and it relies on its networking features more than most OSs do. This networking is built around TCP/IP, so you should understand the basics of this protocol stack, including IP addresses, hostnames, and routing. Most Linux distributions provide tools to configure networking during system installation, but if you want to temporarily or permanently change your settings, you can do so. Tools such as ifconfig and route can temporarily change your network configuration, and editing critical files or running distribution-specific utilities enables you to make your changes permanent.

Exam Essentials

Describe the information needed to configure a computer on a static IP network. Four pieces of information are important: the IP address, the netmask (aka the network mask or subnet mask), the network’s gateway address, and the address of at least one DNS server. The first two are required, but if you omit either or both of the latter two, basic networking will function, but you won’t be able to connect to the Internet or use most DNS hostnames.

Determine when using /etc/hosts rather than DNS makes the most sense. The /etc/hosts file provides a static mapping of hostnames to IP addresses on a single computer. Therefore, maintaining this file on a handful of computers for a small local network is fairly straightforward, but when the number of computers rises beyond a few or when IP addresses change frequently, running a DNS server to handle local name resolution makes more sense.

Summarize tools you can use to translate between hostnames and IP addresses. The nslookup program can perform these translations in both directions using either command-line or interactive modes, but this program has been deprecated. You’re better off using host for simple lookups or dig for more complex tasks.

Describe the function of network ports. Network ports enable packets to be directed to specific programs; each network-enabled program attaches itself to one or more ports, sending data from that port and receiving data directed to the port. Certain ports are assigned to be used by specific servers, enabling client programs to contact servers by directing requests at specific port numbers on the server computers.

Explain when you should use static IP addresses or DHCP. Static IP address configuration involves manually entering the IP address and other information and is used when a network lacks a Dynamic Host Configuration Protocol (DHCP) server or when a computer shouldn’t be configured by that server (say, because the computer is the DHCP server). DHCP configuration is easier to set up on the client but works only if the network has a DHCP server system.

Explain what the route command accomplishes. The route command displays or modifies the routing table, which tells Linux how to direct packets based on their destination IP addresses.

Describe some basic network diagnostic tools. The ping program tests basic network connectivity, and traceroute and tracepath perform similar but more complex tests that can help you localize where on a route between two systems a problem exists. The netstat utility is a general-purpose network status tool that can report a wide variety of information about your network configuration. Packet sniffers such as tcpdump provide detailed information about the network packets “seen” by a computer, which can be a useful way to verify that certain packet types are actually being sent or received.

Review Questions

1. Which types of network hardware does Linux support? (Select three.)
A. Token Ring
B. Ethernet
C. DHCP
D. NetBEUI
E. Fibre Channel

2. Which of the following is a valid IPv4 address for a single computer on a TCP/IP network?
A. 202.9.257.33
B. 63.63.63.63
C. 107.29.5.3.2
D. 98.7.104.0/24
E. 255.255.255.255

3. You want to set up a computer on a local network via a static TCP/IP configuration, but you lack a gateway address. Which of the following is true?
A. Because the gateway address is necessary, no TCP/IP networking functions will work.
B. TCP/IP networking will function, but you’ll be unable to convert hostnames to IP addresses or vice versa.
C. You’ll be able to communicate with machines on your local network segment but not with other systems.
D. Since a gateway is needed only for IPv6, you’ll be able to use IPv4 but not IPv6 protocols.
E. Without a gateway address available, you’ll be unable to use DHCP to simplify configuration.

4. Using a packet sniffer, you notice a lot of traffic directed at TCP port 22 on a local computer. What protocol does this traffic use, assuming it’s using the standard port?
A. HTTP
B. SMTP
C. Telnet
D. SSH
E. NNTP

5. What network port would an IMAP server normally use for IMAP exchanges?
A. 21
B. 25
C. 110
D. 143
E. 443

6. Which of the following are not Linux DHCP clients? (Select two.)
A. pump
B. dhcpcd
C. dhcpd
D. dhclient
E. ifconfig

7. Which of the following types of information are returned by typing ifconfig eth0? (Select two.)
A. The names of programs that are using eth0
B. The IP address assigned to eth0
C. The hardware address of eth0
D. The hostname associated with eth0
E. The kernel driver used by eth0

8. Which of the following programs is conventionally used to perform a DNS lookup?
A. host
B. dnslookup
C. pump
D. ifconfig
E. netstat

9. Which of the following commands should you type to add to host 192.168.0.10 a default gateway to 192.168.0.1?
A. route add default gw 192.168.0.10 192.168.0.1
B. route add default gw 192.168.0.1
C. route add 192.168.0.10 default 192.168.0.1
D. route 192.168.0.10 gw 192.168.0.1
E. route host gw 192.168.0.1

10. Which of the following commands might bring up an interface on eth1? (Select two.)
A. dhclient eth1
B. ifup eth1
C. ifconfig eth1
D. network eth1
E. netstat -up eth1

11. What is the purpose of /etc/hostname, if it’s present on the system?
A. It holds the hostname of a package repository server.
B. It holds a list of servers that resolve hostnames.
C. It holds a list of IP addresses and associated hostnames.
D. It holds the hostname of the local gateway computer.
E. It holds the computer’s default hostname.

12. Network accesses to parts of the Internet work fine, but several common sites have stopped responding (even when addressed via raw IP addresses). Which of the following tools will be most helpful in diagnosing the source of this problem?
A. netstat
B. ping
C. traceroute
D. ifconfig
E. dig

13. The ping utility responds normally when you use it with an IP address but not when you use it with a hostname that you’re positive corresponds to this IP address. What might cause this problem? (Select two.)
A. The target computer may be configured to ignore packets from ping.
B. Your computer’s DNS configuration may be broken.
C. The DNS configuration on the target system may be broken.
D. The route between your computer and its DNS server may be incorrect.
E. Your computer’s hostname may be set incorrectly in /etc/hostname.

14. How can you learn what programs are currently accessing the network on a Linux system?
A. Type ifconfig -p eth0.
B. Examine /proc/network/programs.
C. Type netstat -p.
D. Examine /etc/xinetd.conf.
E. Type dmesg | less.

15. To diagnose a problem with an IMAP server (imap.example.com), you type telnet imap.example.com 143 from a remote client. How can this procedure help you? (Select two.)
A. You can verify basic connectivity between the client computer and the server program.
B. By examining the output, you can locate intermediate routers that are misbehaving.
C. By using an encrypted protocol, you ensure that problems aren’t caused by a packet-sniffing intruder.
D. Once connected, you can type IMAP commands to test the server’s response to them.
E. Once you’ve logged into the remote system, you can examine its IMAP log files.

16. You’re configuring a new system, and your network administrator scribbles its IP address (172.25.78.89), netmask (255.255.255.0), gateway address (172.25.79.1), and DNS server address (10.24.89.201) on a piece of paper. You enter this information into your configuration files and type ifup eth0, but you find that you can’t access the Internet with this computer. Which of the following is definitely true?
A. Because the DNS server is on a completely different network, it won’t function properly for your system. You should ask for the local network’s DNS server’s IP address.
B. The netmask identifies the gateway as being on a different network segment than the computer you’re configuring, so the two can’t communicate directly. You most likely misread one address.
C. Because the IP addresses involved are private IP addresses, there’s no way for them to access the Internet. You must ask for public IP addresses for this system or use only your local private network.
D. The computer’s IP address is a Class B address, but the netmask is for a Class C address. This combination can’t work together, so you must obtain a new IP address or netmask.
E. The ifup utility works only for computers that use DHCP, so the use of a static IP address as specified in the question won’t work correctly.

17. What is the purpose of the -n option to route?
A. It causes no operation to be performed; route reports what it would do if -n were omitted.
B. It precedes specification of a netmask when setting the route.
C. It limits route’s output to descriptions of non-Internet routes.
D. It forces interpretation of a provided address as a network address rather than a host address.
E. It causes machines to be identified by IP address rather than hostname in output.

18. What is the purpose of /etc/resolv.conf?
A. It holds the names of network protocols and the port numbers with which they’re associated.
B. It controls whether the computer’s network options are configured statically or via a DHCP server.
C. It specifies the IP address of a DHCP server from which the computer attempts to obtain an IP address.
D. It holds the routing table for the computer, determining the route that network packets take to other computers.
E. It sets the computer’s default search domain and identifies (by IP address) the name servers that the computer may use.

19. Which of the following entries are found in the /etc/hosts file?
A. A list of hosts allowed to remotely access this one
B. Mappings of IP addresses to hostnames
C. A list of users allowed to remotely access this host
D. Passwords for remote Web administration
E. A list of port numbers and their associated protocols

20. How can you reconfigure Linux to use DNS queries prior to consulting /etc/hosts?
A. Edit the /etc/resolv.conf file, and be sure the nameserver dns line comes before the nameserver files line.
B. As root, type nslookup dns.
C. Edit the /etc/named.conf file, and change the preferred-resolution option from files to dns.
D. Edit /etc/nsswitch.conf, and change the order of the files and dns options on the hosts: line.
E. As root, type dig local dns.

Chapter 9

Writing Scripts, Configuring Email, and Using Databases

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.105.1 Customize and use the shell environment
1.105.2 Customize or write simple scripts
1.105.3 SQL data management
1.108.3 Mail Transfer Agent (MTA) basics

This chapter covers a number of miscellaneous topics. The first of these relate to shell management and scripting. Linux shells (introduced in Chapter 1, “Exploring Linux Command-Line Tools”) can be customized in various ways. Knowing how to do this will help you be productive when using Linux. You may even need to set various options to use particular programs, and you may need to make similar changes on a global level so that all your users can work effectively. Managing your shell environment is done, essentially, by modifying standard shell startup scripts, so this chapter covers scripting next. You can write scripts to help automate tedious repetitive tasks or to perform new and complex tasks. Many of Linux’s startup functions (described in Chapter 5, “Booting Linux and Editing Files”) are performed by scripts, so mastering scripting will help you manage the startup process.

The next major topic of this chapter is Structured Query Language (SQL) data management. Many Linux installations rely on a SQL database to store information, and so you may need at least a minimal grounding in how to interact with SQL databases.

Finally, this chapter describes the basics of email management under Linux. Several Linux email packages exist, and you’re not expected to understand the details of their configuration for the exam; however, you should know how to configure mail forwarding, examine mail queues, and otherwise interact with a Linux mail server that’s already basically working.

Managing the Shell Environment

Chapter 1 introduced Linux shell use, including topics such as command completion, history, redirection, and the basics of environment variables. Now it’s time to go further, with more details about environment variables, aliases, and configuration files. Using this information, you’ll be able to customize your shell environment to suit your personal tastes or change the default environment for all the users on your system.

Reviewing Environment Variables

As described in Chapter 1, environment variables provide the means to pass named data (variables) to programs launched from a shell. Shells themselves also rely on environment variables. For instance, $HOSTNAME conventionally holds the computer’s name, such as carson.example.com. A program that needs to know the computer’s name can refer to $HOSTNAME to obtain this information.

You set an environment variable manually via an equal-sign assignment operator. To make the variable available to programs you launch from your shell, you then use the export command:

$ HOSTNAME=carson.example.com

$ export HOSTNAME

You can combine these two commands into one for brevity:

$ export HOSTNAME=carson.example.com

On a bash command line, you can refer to an environment variable by using the echo command to examine a single variable (as in echo $HOSTNAME) or by typing env to display all the environment variables.

Environment variable names are usually preceded by a dollar sign ($) in scripts and on shell command lines, except when they’re assigned. Getting this detail wrong can produce results you weren’t expecting; for instance, typing echo HOSTNAME produces the output HOSTNAME rather than the computer’s hostname.

Setting an environment variable as just described sets it permanently for the shell or (when used with export) for all programs you launch from it. If you want to set an environment variable for just one program, you can do so with env:

$ env DISPLAY=seeker.example.com:0.0 nedit

This command launches the nedit program such that it attempts to use the :0.0 display on seeker.example.com rather than the default local display (or whatever the original DISPLAY environment variable specifies; for more on this variable, see the next section). This particular command is not guaranteed to work, though, since it depends on the configuration of seeker.example.com to work. It’s actually possible to omit the env command in most cases; however, env can take options that require its use. Most notably, -i or --ignore-environment begins with a completely empty environment, and -u VARNAME or --unset=VARNAME unsets the specified variable, $VARNAME.

Although you can set environment variables manually at a bash prompt, a more common approach is to set them in a global or local bash startup script. These scripts are described in more detail shortly, in “Modifying Shell Configuration Files.”

Understanding Common Environment Variables

You may encounter many common environment variables on your system. You can find out how environment variables are configured by typing env alone. When it’s typed without options, env returns all the environment variables that are currently set, in a format similar to that of bash environment variable assignments:

$ env | grep HOSTNAME

HOSTNAME=carson.example.com

Of course, the variables you see and their values will be unique to your system and even your account—that’s the whole point of environment variables. Table 9.1 summarizes common variables you may see in this output.

TABLE 9.1 Common environment variables and their meanings

Variable name | Explanation
USER or USERNAME | This is your current username. It’s a variable that’s maintained by the system.
SHELL | This variable holds the path to the current command shell.
PWD | This is the present working directory. This environment variable is maintained by the system. Programs may use it to search for files when you don’t provide a complete pathname.
HOSTNAME | This is the current TCP/IP hostname of the computer.
PATH | This is an unusually important environment variable. It sets the path for a session, which is a colon-delimited list of directories in which Linux searches for executable programs when you type a program name. For instance, if PATH is /bin:/usr/bin and you type ls, Linux looks for an executable program called ls in /bin and then in /usr/bin. If the command you type isn’t on the path, Linux responds with a command not found error. The PATH variable is typically built up in several configuration files, such as /etc/profile and the .bashrc file in the user’s home directory.
HOME | This variable points to your home directory. Some programs use it to help them look for configuration files or as a default location in which to store files.
MAIL | This variable holds the location of the user’s mail spool. It’s usually /var/spool/mail/username.
LANG | The system holds your current language, specified as a locale, using this variable. Locales are described further in Chapter 6, “Configuring the X Window System, Localization, and Printing.”
TZ | You can set this environment variable to your own time zone, which is most useful if that’s different than the computer’s time zone—for instance, if you’re using a computer remotely. Chapter 6 describes the formats you can use when setting the time zone in this way.
LD_LIBRARY_PATH | A few programs use this environment variable to indicate directories in which library files may be found. It works much like PATH.
PS1 | This is the default prompt in bash. It generally includes variables of its own, such as \u (for the username), \h (for the hostname), and \W (for the current working directory). This value is frequently set in /etc/profile, but it’s often overridden by users.
TERM | This variable is the name of the current terminal type. To move a text-mode cursor and display text effects for programs like text-mode editors, Linux has to know what commands the terminal supports. The TERM environment variable specifies the terminal in use. This information is combined with data from additional files to provide terminal-specific code information. TERM is normally set automatically at login, but in some cases you may need to change it.
DISPLAY | This variable identifies the display used by X. It’s usually :0.0, which means the first (numbered from 0) display on the current computer. When you use X in a networked environment, though, this value may be preceded by the name of the computer at which you’re sitting, as in machine4.luna.edu:0.0. This value is set automatically when you log in, but you may change it if necessary. You can run multiple X sessions on one computer, in which case each one gets a different DISPLAY number—for instance, :0.0 for the first session and :1.0 for the second.
EDITOR | Some programs launch the program pointed to by this environment variable when they need to call a text editor for you to use. Thus, changing this variable to your favorite editor can help you work in Linux. It’s best to set this variable to a text-mode editor, though; GUI editors may cause problems if they’re called from a program that was launched from a text-mode login.

The PATH variable sometimes includes the current directory indicator (.) so that you can easily run programs in the current directory. This practice poses a security risk, though, because a miscreant can create a program with the same name as some other program (such as ls) and trick another user into running it by simply leaving it in a directory the victim frequents. Even the root user may be victimized this way. For this reason, it’s best to omit the current directory from the PATH variable, especially for the superuser. If it’s really needed for ordinary users, put it at the end of the path.
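The check below is an added example, not part of the original text: a POSIX shell function that audits a PATH string for the current-directory entries this note warns about. It goes slightly beyond the note by also flagging relative and world-writable directories, which allow the same kind of planted program; the function name, severity labels, and output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): audit a PATH-style string for entries
# that let a planted program shadow a real command.

# audit_path PATH_STRING [UID]
# Prints one finding per line; exit status 0 = clean, 1 = at least one finding.
# UID defaults to the caller's; pass 0 to audit a PATH intended for root.
audit_path() (
    rest="$1:"                  # sentinel colon keeps a trailing empty entry visible
    uid=${2:-$(id -u)}
    position=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first colon
        rest=${rest#*:}         # drop that entry and its colon
        position=$((position + 1))
        case $entry in
            ''|.)
                # An empty entry is searched as the current directory, like "."
                if [ "$uid" -eq 0 ]; then
                    echo "HIGH entry $position: current directory in root's PATH"
                elif [ -n "$rest" ]; then
                    echo "HIGH entry $position: current directory searched before later entries"
                else
                    echo "WARN entry $position: current directory at end of PATH"
                fi
                findings=$((findings + 1))
                ;;
            /*)
                # Absolute directory: risky if any user can create files in it.
                # "$entry/." makes find examine the directory a symlink points to.
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry/." -prune -type d -perm -0002 -print 2>/dev/null)" ]; then
                    echo "HIGH entry $position: $entry is world-writable"
                    findings=$((findings + 1))
                fi
                ;;
            *)
                # Relative directories resolve against wherever the user happens to be
                echo "HIGH entry $position: relative directory '$entry'"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Audit the live environment when the file is run directly
audit_path "$PATH" || echo "PATH needs review"
```

To audit the PATH that a superuser session would get, pass 0 as the second argument, for instance audit_path "$PATH" 0 from a root shell.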

Any given system is likely to have several other environment variables set, but these are fairly esoteric or relate to specific programs. If a program’s documentation says that it needs certain environment variables set, you can set them system-wide in /etc/profile or some other suitable file, or you can set them in user configuration files, as you deem appropriate.

Although you can see the entire environment by typing env, this output can be long enough to be intimidating. If you just want to know the value of one variable, you can use the echo command, which echoes to the screen what you type. If you pass it a variable name preceded by a dollar sign ($), echo returns the value of the variable. Here’s an example:

$ echo $PS1

[\u@\h \W]$

This command reveals that the PS1 environment variable is set to [\u@\h \W]$, which in turn produces a bash prompt like [david@penguin homes]$. Exercise 9.1 illustrates how you can change your bash prompt.

EXERCISE 9.1 Changing Your bash Prompt

This exercise describes how to change your bash prompt to show the current time and number of jobs managed by the shell. To accomplish this task, follow these steps:

1. Log in to the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Type export PS1="\T;\jjobs>". The backslash (\) is an escape character that denotes special data to be inserted into the prompt when used in the PS1 environment variable. \T is expanded into the current time in 12-hour format, and \j is expanded into the number of jobs the shell manages. The man page for bash has a complete list of expansions the PS1 variable accepts. The result of typing this command should be an immediate change in your prompt to resemble something like 04:42;0jobs>.
4. Wait for a minute, and then run a program in the background by typing its name and appending an ampersand (&). For instance, you can type xeyes & to run the xeyes program from an xterm. You should see the number of jobs increase, and the time should change.
5. To make this change permanent, edit the .bashrc file in your home directory. Load this file into your favorite editor, and add a line to its end that reads export PS1="\T;\jjobs>". Save the file, and exit the editor. (Shell configuration files are described in more detail shortly, in “Modifying Shell Configuration Files.”)
6. To test your change to .bashrc, log out and then log back in again. Instead of your distribution’s default prompt, you should see the new one.
7. If you don’t like the new prompt, edit .bashrc again and delete the line you added in step 5.

Using Aliases

Most Linux shells, including bash, support command aliases, which are new names you can give to regular commands. Typically, you’ll use aliases to assign easier-to-remember names to obscure commands, to implement desirable command options as the default for commands, or to create a shortened version of a command to minimize the amount of typing you must do. You can define aliases in a one-off fashion at any bash prompt, but they’re typically included in your bash startup scripts, as described shortly in “Modifying Shell Configuration Files.”

To implement an alias, you use the following syntax:

alias alias_name='commands'

The alias_name is what you want to type at the command prompt, and the shell substitutes commands for whatever you type. As an example, consider the ls command, which lists the contents of a directory. A popular option for this command is --color, which color-codes the output, giving directories, links, and other special files particular colors to make them stand out. If you want to use this option as the default, you can use alias:

$ alias ls='ls --color'

In this example, ls becomes an alias for an extended version of itself. This doesn’t result in recursion—that is, the ls to the right of the equal sign is not expanded. After you type this alias command, typing ls will work as if you’d typed ls --color. In fact, this particular alias is popular enough that it’s included as a standard part of many distributions’ bash startup scripts.

You can use an alias name that’s unrelated to the original command name. For instance, suppose you want to type bye instead of logout to terminate a text-mode login session. You can do so with alias:

$ alias bye='logout'

In practice, this particular alias isn’t likely to be useful if you type it manually at a command prompt, because you’ll log out of a session only once. You might want to include it in a bash startup script, though. If you do that, then you won’t need to type the alias manually at each session; it will be created automatically whenever you log in.

Modifying Shell Configuration Files

Configuring shells requires editing shell configuration files. These files can be classified in a couple of ways. First, files may be global files that affect all users of a shell or local files that affect just one user. Second, files may be login files that are launched only by a login process (such as a text-mode console login) or non-login files that are launched by other processes (such as when starting an xterm window). The result is a 2 × 2 matrix of configuration files, as shown in Table 9.2. (This table shows only bash configuration files; consult your shell’s documentation if you’re using another shell.)

TABLE 9.2 Common bash configuration files

Type of file | Login file location | Non-login file location
Global | /etc/profile and files in /etc/profile.d | /etc/bashrc or /etc/bash.bashrc
User | ~/.bash_login, ~/.profile, or ~/.bash_profile | ~/.bashrc

Precisely which of these files are used differs from one distribution to another. No matter the name, though, these files are shell scripts. Shell scripting is described in more detail later, in “Writing Scripts,” but most bash startup scripts contain a series of commands. These commands may include both built-in bash commands and external commands.

Global configuration files affect all users of a system; however, their settings may be overridden by individual users, either in user configuration files or in commands the users type themselves. Thus, you shouldn’t rely on global configuration files to set options that shouldn’t be changed by users. For that, you should look to global security features, such as permissions on executable files.

The /etc/skel directory holds files that are copied to individual users’ home directories when their accounts are created. These files are sometimes called skeleton files. Typically, this set of files includes local bash startup files. You can examine these files and, if necessary, alter them to suit your local needs. Changes to these files affect only new accounts, not existing accounts. If you want to make a change that affects both existing and new users, you should edit a global configuration file instead.

Just as shells have startup scripts, they may also have logout scripts—scripts that run when the user logs out. For bash, this script is ~/.bash_logout. Most distributions don’t create this script as part of users’ default home directories, but individual users can do so. The logout script might execute programs to clean up temporary directories, remove security keys from memory, clear the screen, or perform other tasks that are appropriate when a user logs out.

One problem with logout scripts is that they may not work well when users log in multiple times. If you regularly have multiple sessions open, such as logins in multiple Linux virtual terminals, be careful about what you do in a logout script lest you wipe out important temporary files when you log out of just one session.

Another bash configuration file is ~/.inputrc, which helps customize your keyboard configuration. It consists of lines that look like this:

M-Control-u: universal-argument

This line maps the Meta-Ctrl+U keystroke to the universal-argument action. The Meta key is usually the Esc key on x86 or x86-64 systems, and the universal-argument action is one of many possible actions defined by the readline library, which is one of the basic text-mode input libraries used by Linux.

In most cases, there’s no need to adjust the ~/.inputrc file, because the default readline mappings work well for x86 systems with standard keyboards. If you find that certain keystrokes don’t work the way they should in text mode, though, you may want to research this configuration file further.

X uses its own keyboard input routines, so ~/.inputrc doesn’t affect programs run in X, even text-mode programs run inside xterm windows.

Writing Scripts

You’ll do much of your work on a Linux system by typing commands at a shell prompt. As you use Linux, though, you’re likely to find some of these tasks to be repetitive. If you need to add 100 new users to the system, for instance, typing useradd 100 times can be tedious. Fortunately, Linux includes a way to cut through the tedium: shell scripts. These are simple programs written in an interpreted computer language that’s embedded in the Linux shell you use to type commands.

Most Linux systems use bash by default, so shell scripts are often written in the bash shell scripting language; but tcsh and other shell scripting languages are similar. In fact, it’s not uncommon to see shell scripts that run in any common Linux shell. You’re not restricted to running shell scripts written in your default shell, however; the first line of a shell script identifies the shell that should be used to run it.

Many Linux startup scripts, including SysV startup scripts, are in fact shell scripts. Therefore, understanding shell scripting is necessary if you want to modify a Linux startup script.

Like any programming task, shell scripting can be quite complex. Consequently, this chapter barely scratches the surface of what can be accomplished through shell scripting. Consult a book on the topic, such as Cameron Newham’s Learning the Bash Shell, 3rd Edition (O’Reilly, 2005) or Richard Blum and Christine Bresnahan’s Linux Command Line and Shell Scripting Bible, 2nd Edition (Wiley, 2011), for more information.

To create a shell script, you must first know how to begin editing one. Once you do so, you’ll find that one of the easiest tasks to do is to call external commands. More advanced tasks include using variables and using conditional expressions.

Beginning a Shell Script

Shell scripts are plain-text files, so you create them in text editors. A shell script begins with a line that identifies the shell that’s used to run it, such as the following:

#!/bin/sh

The first two characters are a special code that tells the Linux kernel that this is a script and to use the rest of the line as a pathname to the program that’s to interpret the script. (This line is sometimes called the shebang, hashbang, hashpling, or pound bang line.) Shell scripting languages use a hash mark (#) as a comment character, so the script utility ignores this line, although the kernel doesn’t. On most systems, /bin/sh is a symbolic link that points to /bin/bash, but it can point to some other shell. Specifying the script as using /bin/sh guarantees that any Linux system will have a shell program to run the script; but if the script uses any features specific to a particular shell, you should specify that shell instead—for instance, use /bin/bash or /bin/tcsh instead of /bin/sh.

When you’re done writing the shell script, you should modify it so that it’s executable. You do this with the chmod command, as described in Chapter 4, “Managing Files.” Specifically, you use the +x option to add execute permissions, probably in conjunction with a to add these permissions for all users. For instance, to make a file called my-script executable, you should issue the following command:

$ chmod a+x my-script

You’ll then be able to execute the script by typing its name, possibly preceded by ./ to tell Linux to run the script in the current directory rather than searching the current path. If you fail to make the script executable, you can still run the script by running the shell program followed by the script name (as in bash my-script), but it’s generally better to make the script executable. If the script is one you run regularly, you may want to move it to a location on your path, such as /usr/local/bin. When you do that, you won’t have to type the complete path or move to the script’s directory to execute it; you can just type my-script.

It’s possible to set a script’s SUID or SGID bits. (See Chapter 4 for information about the SUID and SGID bits.) Doing so is potentially dangerous, particularly if the script is owned by root, for reasons described in Chapter 4. You should therefore be very cautious about applying the SUID bit to scripts.

Another way to run a script requires mention: sourcing it. You can source a script by using the source keyword or a dot (.), as follows:

$ source my-script

$ . my-script

Sourcing a script causes it to run in the current shell, as opposed to launching a new instance of the shell, as occurs when you run a script by typing its name alone or using the exec command, as described in Chapter 1. This has some important implications:

When you source a script, it will have access to environment variables set in the calling shell, even if you haven’t exported them. Ordinarily, only environment variables that you explicitly export become available to scripts you run.

If you source a script and if that script sets an environment variable, that variable will become available (or will be changed) in the calling shell. If you run the script normally, any environment variables it sets will remain local to it and to the programs that it calls, even if the script exports the variables.

Running a script in the normal way imposes overhead costs associated with launching the new shell. These costs are normally negligible, but if a script calls itself recursively or calls many other scripts, sourcing those scripts within the first script may improve performance.

Sourcing a script causes it to execute in the calling shell’s language, whereas running a script normally causes it to use the shell language specified on the hashbang line.
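The first two implications above, shown as an added example that is not from the original text. The helper names (make_child_script, invoke) and the variable names are assumptions; the child script is run with sh rather than by name so the demonstration also works where the temporary directory is mounted noexec. Because a sourced file can read unexported variables and change the caller's environment, it matters who can write to the files a shell sources.

```shell
#!/bin/sh
# Added example (not from the book): compare running a script in a new shell
# with sourcing it into the current one.

# make_child_script: write a small script to a temporary file, print its path
make_child_script() {
    child=$(mktemp) || return 1
    cat > "$child" <<'EOF'
#!/bin/sh
# Report what this script can see, then try to change the caller's state
echo "script sees LOCAL_ONLY=${LOCAL_ONLY:-<unset>} EXPORTED=${EXPORTED:-<unset>}"
SET_BY_CHILD=yes
export SET_BY_CHILD
EOF
    echo "$child"
}

# invoke MODE SCRIPT: MODE is "run" (new shell process) or "source" (dot command)
# The body runs in a subshell so the demonstration leaves the real shell untouched.
invoke() (
    mode=$1
    script=$2
    unset LOCAL_ONLY EXPORTED SET_BY_CHILD
    LOCAL_ONLY=shell-var        # plain shell variable, never exported
    EXPORTED=env-var
    export EXPORTED             # exported, so child processes inherit it
    case $mode in
        run)    sh "$script" ;;
        source) . "$script" ;;
        *)      echo "usage: invoke run|source SCRIPT" >&2; exit 2 ;;
    esac
    # Did the script's assignment reach the calling shell?
    echo "caller afterwards: SET_BY_CHILD=${SET_BY_CHILD:-<unset>}"
)

script=$(make_child_script)
echo "== run in a new shell =="
invoke run "$script"
echo "== sourced =="
invoke source "$script"
rm -f "$script"
```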

UsingCommandsOneofthemostbasicfeaturesofshellscriptsistheabilitytoruncommands.Youcanusebothshellinternal commandsandexternal commands.Mostof thecommandsyou type ina shellpromptareexternal commands—they’re programs located in/bin,/usr/bin, and other directories on yourpath. You can run such programs, as well as internal commands, by including their names in thescript.Youcanalsospecifyparameterstosuchprogramsinascript.Forinstance,supposeyouwantascript that launches twoxtermwindowsand theKMailmail readerprogram.Listing9.1presents a

shellscriptthataccomplishesthisgoal.Listing9.1:Asimplescriptthatlaunchesthreeprograms#!/bin/bash

/usr/bin/xterm&

/usr/bin/xterm&

/usr/bin/kmail&

Aside from the first line that identifies it as a script, the script looks just like the commands you might type to accomplish the task manually, except for one fact: The script lists the complete paths to each program. This is usually not strictly necessary, but listing the complete path ensures that the script will find the programs even if the PATH environment variable changes. On the other hand, if the program files move (say, because you upgrade the package from which they’re installed and the packager decides to move them), scripts that use complete paths will break.

Each program-launch line in Listing 9.1 ends in an ampersand (&). This character tells the shell to go on to the next line without waiting for the first to finish. If you omit the ampersands in Listing 9.1, the effect will be that the first xterm will open but the second won’t open until the first is closed. Likewise, KMail won’t start until the second xterm terminates.

Although launching several programs from one script can save time in starting your working environment and some other situations, scripts are also frequently used to run a series of programs that manipulate data in some way. Such scripts typically do not include the ampersands at the ends of the commands because one command must run after another or may even rely on output from the first. A comprehensive list of such commands is impossible because you can run any program you can install in Linux as a command in a script—even another script. A few commands that are commonly used in scripts include the following:

Normal File Manipulation Commands
The file manipulation commands, such as ls, mv, cp, and rm, are often used in scripts. You can use these commands to help automate repetitive file maintenance tasks.

grep
This command is described in Chapter 1. It locates files that contain specific strings.

find
Where grep searches for patterns within the contents of files, find does so based on filenames, ownership, and similar characteristics. This command is described in Chapter 4.

cut
This command extracts text from fields in a file. It’s frequently used to extract variable information from a file whose contents are highly patterned. To use it, you pass it one or more options that specify what information you want, followed by one or more filenames. For instance, users’ home directories appear in the sixth colon-delimited field of the /etc/passwd file. You can therefore type cut -f 6 -d ":" /etc/passwd to extract this information. The same command in a script will extract this information, which you’ll probably save to a variable or pass to a subsequent command via a pipe.

sed
This program is described in Chapter 1. It provides many of the capabilities of a conventional text editor but via commands that can be typed at a command prompt or entered in a script.

echo
Sometimes a script must provide a message to the user; echo is the tool to accomplish this goal. You can pass various options to echo or just a string to be shown to the user. For instance, echo "Press the Enter key" causes a script to display the specified string.

mail
The mail command can be used to send email from within a script. Pass it the -s subject parameter to specify a subject line, and give it an email address as the last argument. If used at the command line, you then type a message and terminate it with a Ctrl+D keystroke. If used from a script, you might omit the subject entirely, pass it an external file as the message using input redirection, or use a here document to pass text to the mail command as input. (Chapter 1 describes input redirection and here documents.) You might want to use this command to send mail to the superuser about the actions of a startup script or a script that runs on an automated basis. This command is described in more detail later in this chapter.

Many of these commands are extremely complex, and completely describing them is beyond the scope of this chapter. You can consult these commands’ man pages for more information. A few of them are described elsewhere in this book.

Even if you have a full grasp of how to use some key external commands, simply executing commands you might when typing them at a command prompt is of limited utility. Many administrative tasks require you to modify what you type at a command, or even what commands you enter, depending on information from other commands. For this reason, scripting languages include additional features to help you make your scripts useful.

Using Variables

Variables can help you expand the utility of scripts. A variable is a placeholder in a script for a value that will be determined when the script runs. Variables’ values can be passed as parameters to scripts, generated internally to the scripts, or extracted from the script’s environment.

Variables that are passed to the script are frequently called parameters. They’re represented by a dollar sign ($) followed by a number from 0 to 9—$0 stands for the name of the script, $1 is the first parameter to the script, $2 is the second parameter, and so on. To understand how this might be useful, consider the task of adding a user. As described in Chapter 7, “Administering the System,” creating an account for a new user typically involves running at least two commands—useradd and passwd. You may also need to run additional site-specific commands, such as commands that create unusual user-owned directories aside from the user’s home directory.

The shift command shifts the parameter variables so that what would ordinarily be $2 becomes $1, what would be $3 becomes $2, and so on. Adding a number, as in shift 3, shifts the assignments by that number of units. The shift command does not alter the $0 variable, though. You can use shift in conjunction with a loop (described later, in “Using Loops”) to examine all of the parameters passed to a script, in case their order or number is unknown when you write the script.

As an example of how a script with a parameter variable can help in such situations, consider Listing 9.2. This script creates an account and changes the account’s password (you’ll be prompted to enter the password when you run the script). It creates a directory in the /shared directory tree corresponding to the account, and it sets a symbolic link to that directory from the new user’s home directory. It also adjusts ownership and permissions in a way that may be useful, depending on your system’s ownership and permissions policies.

Listing 9.2: A script that reduces account-creation tedium

#!/bin/sh
useradd -m $1
passwd $1
mkdir -p /shared/$1
chown $1.users /shared/$1
chmod 775 /shared/$1
ln -s /shared/$1 /home/$1/shared
chown $1.users /home/$1/shared

If you use Listing 9.2, you need type only three things: the script name with the desired username and the password (twice). For instance, if the script is called mkuser, you can use it like this:

# mkuser ajones
Changing password for user ajones
New password:
Retype new password:
passwd: all authentication tokens updated successfully

Most of the scripts’ programs operate silently unless they encounter problems, so the interaction (including typing the passwords, which don’t echo to the screen) is a result of just the passwd command. In effect, Listing 9.2’s script replaces seven lines of commands with one. Every one of those lines uses the username, so by running this script, you also reduce the chance of a typo causing problems.

Another type of variable is assigned within scripts—for instance, such variables can be set from the output of a command. These variables are also identified by leading dollar signs, but they’re typically given names that at least begin with a letter, such as $Addr or $Name. (When values are assigned to variables, the dollar sign is omitted, as illustrated shortly.) You can then use these variables in conjunction with normal commands as if they were command parameters, but the value of the variable is passed to the command.

For instance, consider Listing 9.3, which checks to see whether the computer’s router is up with the help of the ping utility. This script uses two variables. The first is $ip, which is extracted from the output of route using the grep, tr, and cut commands. (These commands are described in Chapter 1.) When you’re assigning a value to a variable from the output of a command, that command should be enclosed in back-tick characters (`), which appear on the same key as the tilde (~) on most keyboards. These are not ordinary single quotes, which appear on the same key as the regular quote character (") on most keyboards. The second variable, $ping, simply points to the ping program. It can easily be omitted, with subsequent uses of $ping replaced by the full path to the program or simply by ping (relying on the $PATH environment variable to find the program). Variables like this are sometimes used to make it easier to modify the script in the future. For instance, if you move the ping program, you need only modify one line of the script. Variables that point to binaries can also be used in conjunction with conditionals to ensure that the script works on more systems—for instance, if ping were called something else on some systems.

Listing 9.3: Script demonstrating assignment and use of variables

#!/bin/sh
ip=`route -n | grep UG | tr -s " " | cut -f 2 -d " "`
ping="/bin/ping"
echo "Checking to see if $ip is up..."
$ping -c 5 $ip

In practice, you use Listing 9.3 by typing the script’s name. The result should be the message Checking to see if 192.168.1.1 is up (with 192.168.1.1 replaced by the computer’s default gateway system) and the output from the ping command, which should attempt to send five packets to the router. If the router is up and is configured to respond to pings, you’ll see five return packets and summary information. If the router is down, you’ll see error messages to the effect that the host was unreachable.

Listing 9.3 is of limited practical use and contains bugs. For instance, the script identifies the computer’s gateway merely by the presence of the string UG in the router’s output line from route. If a computer has two routers defined, this won’t work correctly, and the result is likely to be a script that misbehaves. The point of Listing 9.3 is not to be a flawless program but to demonstrate how variables can be assigned and used.

Scripts like Listing 9.3, which obtain information from running one or more commands, are useful in configuring features that rely on system-specific information or information that varies with time. You can use a similar approach to obtain the current hostname (using the hostname command), the current time (using date), the total time the computer’s been running (using uptime), free disk space (using df), and so on. When combined with conditional expressions (described shortly), variables become even more powerful because then your script can perform one action when one condition is met, and another in some other case. For instance, a script that installs software can check free disk space and abort the installation if insufficient disk space is available.

In addition to assigning variables with the assignment operator (=), you can read variables from standard input using read, as in read response to read input for subsequent access as $response. This method of variable assignment is useful for scripts that must interact with users. For instance, instead of reading the username from the command line, Listing 9.2 may be modified to prompt the user for the username. Listing 9.4 shows the result. To use this script, you type its name without typing a username on the command line. The script will then prompt for a username, and after you enter one, the script will attempt to create an account with that name.

Listing 9.4: Modified version of Listing 9.2 that employs user interaction

#!/bin/sh
echo -n "Enter a username: "
read name
useradd -m $name
passwd $name
mkdir -p /shared/$name
chown $name.users /shared/$name
chmod 775 /shared/$name
ln -s /shared/$name /home/$name/shared
chown $name.users /home/$name/shared
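
Listings 9.2 and 9.4 run as root and pass the supplied name, unquoted and unchecked, to seven commands, so a name containing a space, a slash, or a leading hyphen changes what those commands act on. The following is an added example, not one of the book's listings: it validates the name first and quotes every expansion. The username policy, the function names, and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate and quote the account name before the commands of
# Listing 9.2 / 9.4 run as root. With DRY_RUN=1 (the default here) each
# command is printed instead of executed.
LC_ALL=C; export LC_ALL     # make [a-z] mean ASCII lowercase letters only

# Assumed policy (not from the book): first character a-z or _, remaining
# characters a-z, 0-9, _ or -, and at most 32 characters in total.
valid_username() {
    candidate=$1
    [ -n "$candidate" ] || return 1
    [ "${#candidate}" -le 32 ] || return 1
    case $candidate in
        [!a-z_]*)      return 1 ;;  # leading hyphen, digit, slash, uppercase
        *[!a-z0-9_-]*) return 1 ;;  # space, slash, dot, newline, wildcard
    esac
    return 0
}

# Print the argument vector in dry-run mode, otherwise execute it unchanged.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'would run:'; printf ' [%s]' "$@"; printf '\n'
    else
        "$@"
    fi
}

make_account() {
    name=$1
    if ! valid_username "$name"; then
        echo "refusing account name: not a valid username" >&2
        return 1
    fi
    # The same seven commands as Listing 9.2. Each one stops the function on
    # failure, so a failed useradd cannot leave a stray /shared directory.
    # chown uses the colon separator; the dot form in the listing is obsolete.
    run useradd -m "$name"                            || return 1
    run passwd "$name"                                || return 1
    run mkdir -p "/shared/$name"                      || return 1
    run chown "$name:users" "/shared/$name"           || return 1
    run chmod 775 "/shared/$name"                     || return 1
    run ln -s "/shared/$name" "/home/$name/shared"    || return 1
    run chown "$name:users" "/home/$name/shared"
}

# Run only when a name is given, for example: ./mkuser ajones
[ $# -eq 0 ] || make_account "$1"
```

Set DRY_RUN=0 in the environment to execute the commands instead of printing them.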

One special type of variable was mentioned earlier in this chapter: environment variables, described in “Managing the Shell Environment.” Environment variables are assigned and accessed just like shell script variables. The difference is that the script or command that sets an environment variable uses the export command (in bash) to make the value of the variable accessible to programs launched from the shell or shell script that made the assignment. In other words, you can set an environment variable in one script and use it in another script that the first script launches. Environment variables are most often set in shell startup scripts, but the scripts you use can access them. For instance, if your script calls X programs, it might check for the presence of a valid $DISPLAY environment variable and abort if it finds that this variable isn’t set. By convention, environment variable names are all uppercase, whereas non-environment shell script variables are all lowercase or mixed case.

Using Conditional Expressions

Scripting languages support several types of conditional expressions. These expressions enable a script to perform one of several actions contingent on some condition—typically the value of a variable. One common command that uses conditional expressions is if, which allows the system to take one of two actions depending on whether some condition is true. The if keyword’s conditional expression appears in brackets after the if keyword and can take many forms. For instance, -f file is true if file exists and is a regular file; -s file is true if file exists and has a size greater than 0; and string1 == string2 is true if the two strings have the same values. (Typically, one or both strings is a variable.)

Conditionals may be combined together with the logical and (&&) or logical or (||) operators. When conditionals are combined with &&, both sides of the operator must be true for the condition as a whole to be true. When || is used, if either side of the operator is true, the condition as a whole is true.

To better understand the use of conditionals, consider the following code fragment:

if [ -s /tmp/tempstuff ]
then
   echo "/tmp/tempstuff found; aborting!"
   exit
fi

This fragment causes the script to exit if the file /tmp/tempstuff is present and is larger than 0 bytes. The then keyword marks the beginning of a series of lines that execute only if the conditional is true, and fi (if backward) marks the end of the if block. Such code may be useful if the script creates and then later deletes this file, because its presence indicates that a previous run of the script didn’t succeed or is still underway.

An alternative form for a conditional expression uses the test keyword rather than square brackets around the conditional:

if test -s /tmp/tempstuff

You can also test a command’s return value by using the command as the condition:

if command
then
   additional-commands
fi

In this example, the additional-commands will be run only if command completes successfully. If command returns an error code, the additional-commands won’t be run.

Conditional expressions may be expanded by use of the else clause:

if [ conditional-expression ]
then
   commands
else
   other-commands
fi

Code of this form causes either commands or other-commands to execute, depending on the evaluation of conditional-expression. This is useful if something should happen in a part of the program but precisely what should happen depends on some condition. For instance, you may want to launch one of two different file archiving programs depending on a user’s input.

What do you do if more than two outcomes are possible—for instance, if a user may provide any one of four possible inputs? You can nest several if/then/else clauses, but this gets awkward very quickly. A cleaner approach is to use case:

case word in
   pattern1) command(s) ;;
   pattern2) command(s) ;;
   ...
esac

For a case statement, a word is likely to be a variable, and each pattern is a possible value of that variable. The patterns can be expanded much like filenames, using the same wildcards and expansion rules (* to stand for any string, for instance). You can match an arbitrary number of patterns in this way. Each set of commands must end with a double semicolon (;;), and the case statement as a whole ends in the string esac (case backward).

Upon execution, bash executes the commands associated with the first pattern to match the word. Execution then jumps to the line following the esac statement; any intervening commands don’t execute. If no patterns match the word, no code within the case statement executes. If you want to have a default condition, use * as the final pattern; this pattern matches any word, so its commands will execute if no other pattern matches.

Using Loops

Conditional expressions are sometimes used in loops. Loops are structures that tell the script to perform the same task repeatedly until some condition is met (or until some condition is no longer met). For instance, Listing 9.5 shows a loop that plays all the .wav audio files in a directory.

Listing 9.5: A script that executes a command on every matching file in a directory

#!/bin/bash
for d in `ls *.wav` ; do
   aplay $d
done

The aplay command is a basic audio file player that works with the Advanced Linux Sound Architecture (ALSA) audio drivers. On some systems, you may need to use play or some other command instead of aplay.

The for loop as used here executes once for every item in the list generated by ls *.wav. Each of those items (filenames) is assigned in turn to the $d variable and so is passed to the aplay command.

The seq command can be useful in creating for loops (and in other ways, too): This command generates a list of numbers starting from its first argument and continuing to its last one. For instance, typing seq 1 10 generates 10 lines, each with a number between 1 and 10. You can use a for loop beginning for x in `seq 1 10` to have the loop execute 10 times, with the value of $x incrementing with each iteration. If you pass just one parameter to seq, it interprets that number as an ending point, with the starting point being 1. If you pass three values to seq, it interprets them as a starting value, an increment amount, and an ending value.

Another type of loop is the while loop, which executes for as long as its condition is true. The basic form of this loop type is like this:

while [ condition ]
do
   commands
done

The until loop is similar in form, but it continues execution for as long as its condition is false—that is, until the condition becomes true.

Using Functions

A function is a part of a script that performs a specific subtask and that can be called by name from other parts of the script. Functions are defined by placing parentheses after the function name and enclosing the lines that make up the function within curly braces:

myfn() {
   commands
}

The keyword function may optionally precede the function name. In either event, the function is called by name as if it were an ordinary internal or external command.

Functions are very useful in helping to create modular scripts. For instance, if your script needs to perform half a dozen distinct computations, you may place each computation in a function and then call them all in sequence. Listing 9.6 demonstrates the use of functions in a simple program that copies a file but aborts with an error message if the target file already exists. This script accepts a target and a destination filename and must pass those filenames to the functions.

Listing 9.6: A script demonstrating the use of functions

#!/bin/bash

doit() {
   cp $1 $2
}

function check() {
   if [ -s $2 ]
   then
      echo "Target file exists! Exiting!"
      exit
   fi
}

check $1 $2
doit $1 $2

If you enter Listing 9.6 and call it safercp, you can use it like this, assuming the file original.txt exists and dest.txt doesn’t:

$ ./safercp original.txt dest.txt
$ ./safercp original.txt dest.txt
Target file exists! Exiting!

The first run of the command succeeded because dest.txt didn’t exist. When the command was run a second time, though, the destination file did exist, so the program terminated with the error message.

Note that the functions aren’t run directly and in the order in which they appear in the script. They’re run only when called in the main body of the script (which in Listing 9.6 consists of just two lines, each corresponding to one function call).

Shell scripts are useful tools, and creating them requires practice. Exercise 9.2 begins your exploration of shell scripts, but in the long run you’ll need to learn to design your own shell scripts by doing more than copying examples from a book.

EXERCISE 9.2

Creating a Simple Script

This exercise presents a shell script that gives you the option of using less to read every text file (with a name ending in .txt) in the current directory. To begin with this script, follow these steps:

1. Log into the Linux system as a normal user.

2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.

3. Start an editor, and tell it to edit a file called testscript.

4. Type the following lines into the editor:

#!/bin/bash
for file in `ls *.txt` ; do
   echo -n "Display $file? "
   read answer
   if [ $answer == 'y' ]
   then
      less $file
   fi
done

Be sure you’ve typed every character correctly; any mistake may cause the script to misbehave. One common error is mistyping the back-tick characters (`) on the second line as ordinary single-quote characters (').

5. Save the file, and exit the editor.

6. Type chmod a+x testscript to add the executable bit to the file’s permissions.

7. Type ./testscript to run the script. If there are no text (*.txt) files in your current directory, the script displays a no such file or directory error message; but if any text files are present, the script gives you the option of viewing each one in turn via less.

This example script is extremely limited, but it illustrates several important script features, such as variable assignment and use, for loops, and if/then conditional expressions.
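
The loops in Listing 9.5 and Exercise 9.2 iterate over the output of ls, which the shell splits on whitespace, so a file named "my notes.txt" reaches the command as two separate words. The following is an added example, not one of the book's listings: it runs both loop styles over a scratch directory of constructed files and prints the arguments each style would hand to aplay or less. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: word splitting in the `ls` loops of Listing 9.5 and
# Exercise 9.2, compared with looping over the glob itself.

# Create a scratch directory holding two constructed files, one of them with
# a space in its name, and print the path of the directory.
make_fixture() {
    fixture=$(mktemp -d) || return 1
    : > "$fixture/plain.txt"
    : > "$fixture/my notes.txt"
    printf '%s\n' "$fixture"
}

# Loop the way the listings do. The output of ls is split on whitespace, so
# "my notes.txt" arrives as the two words "my" and "notes.txt", and neither
# of them names a file that exists.
ls_loop_args() {
    (
        cd "$1" || exit 1
        for f in `ls *.txt 2>/dev/null`; do
            printf '[%s]\n' "$f"
        done
    )
}

# Loop over the glob and quote the variable. Each filename stays one word.
# The ./ prefix keeps a name that begins with a hyphen from being read as an
# option by the command that receives it.
glob_loop_args() {
    (
        cd "$1" || exit 1
        for f in ./*.txt; do
            # With no matching files the pattern is left as the literal
            # string "./*.txt"; skip it instead of passing it on.
            [ -e "$f" ] || continue
            printf '[%s]\n' "$f"
        done
    )
}

# Stand-alone demonstration on a fresh scratch directory.
demo_dir=$(make_fixture) && {
    echo "ls loop passes:";   ls_loop_args "$demo_dir"
    echo "glob loop passes:"; glob_loop_args "$demo_dir"
    rm -rf "$demo_dir"
}
```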

Managing Email

Email is one of the most important network services. What’s more, Linux relies on email even in a completely non-networked environment—certain Linux subsystems, such as cron (described in Chapter 7), may use email to notify you of activities. For this reason, most Linux distributions ship with email server software installed and configured for basic activities, and you should have a basic understanding of how to use these servers to accomplish various tasks. You should understand the basics of email and be able to identify the specific email server package your system is running. You should also be able to set up email aliases (alternate names for users) and forwarding (to send mail for a user to another destination). Finally, you should understand the security implications of email so that you can prevent problems or identify them when they occur.

Understanding Email

Several protocols exist to manage email. The most common of these is the Simple Mail Transfer Protocol (SMTP), which is designed as a push mail protocol, meaning that the sending system initiates the transfer. This design is good for sending data, so SMTP is used through most of a mail delivery system. The final stage, though, often employs a pull mail protocol, such as the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). With these protocols, the receiving system initiates the transfer. This is useful when the receiving system is an end user’s workstation, which may not be powered on at all times or able to receive incoming connections.

SMTP was designed to enable a message to be relayed through an arbitrary number of computers. For instance, an end user may compose a message, which is sent to the local SMTP server. (SMTP servers are also known as mail transfer agents, or MTAs.) This server looks up a recipient system using the Domain Name System (DNS) and sends the message to that computer. This system may use its own internal routing table to redirect the message to another local computer, from which the message may be read, either directly or via a POP or IMAP server. This arrangement is illustrated in Figure 9.1. Bear in mind that the number of links in this chain is variable and depends on how each system is configured. In the simplest case, local email stays on just one system. In theory, an arbitrarily large number of computers can be involved in an email exchange, although in practice it’s rare to see email pass through more than half a dozen systems.

FIGURE 9.1 Email typically traverses several links between sender and recipient.

At each step in a relay chain, email is altered. Most important, each server adds a header to the email, which is a line that provides information about the message. In particular, mail servers add Received: headers to document the path the mail has taken. In theory, this enables you to trace the email back to its source. Unfortunately, spammers and other email abusers have learned to forge email headers, which greatly complicates such analysis.

Because an SMTP server can function as both a server (receiving mail from other systems) and a client (sending mail to other systems), you must deal with both sides of the configuration equation. For the most part, this chapter and the exam don’t cover all these details, though, just a few of them. Sometimes a computer never functions in one role or the other, which can simplify matters—but you must then be careful not to accidentally configure the computer incorrectly. In particular, open relay configurations, in which a mail server relays mail from anybody, should be avoided. This and other security implications of running an SMTP server are covered in “Securing Your Email Server.”

On Linux, email is tied intricately to user accounts. The mail server holds incoming messages for each user, typically in a file in /var/spool/mail—for instance, /var/spool/mail/benf holds mail for the user benf. Some email servers store incoming mail in subdirectories of the users’ home directories, though. This incoming mail file or directory is referred to as the user’s mail spool.
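
The Received: header tracing described above can be scripted. The following is an added example, not from the book: it lists the hops of a message from newest to oldest and marks a hop as trusted only while every hop so far was written by a relay you operate, because everything below the first outside relay is a claim made by the sender's side and may be forged. The sample message, its hostnames and addresses, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: list the Received: hops of a message, newest first, and
# mark which ones were written by relays you operate.

# Constructed message using documentation hostnames and addresses.
sample_message() {
cat <<'EOF'
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.com with ESMTP id CONSTRUCTED1;
    Fri, 18 Jan 2013 13:58:02 -0500
Received: from smtp.sender.example (smtp.sender.example [203.0.113.20])
    by relay.example.net with ESMTP id CONSTRUCTED2;
    Fri, 18 Jan 2013 13:57:58 -0500
Received: from desktop (unknown [192.0.2.55])
    by smtp.sender.example with ESMTP id CONSTRUCTED3;
    Fri, 18 Jan 2013 13:57:40 -0500
From: sender@sender.example
To: benf@example.com
Subject: Priorities

Received: this line is body text, not a header
EOF
}

# trace_received "HOST ..."   reads one message on standard input.
# HOST ... is the space-separated list of relay hostnames you operate.
# Output: one line per hop, "N trusted|unverified from=X by=Y".
trace_received() {
    awk -v ours_list="$1" '
    # Return the word that follows keyword kw in header text s.
    function token_after(s, kw,    n, w, i) {
        n = split(s, w, /[ \t]+/)
        for (i = 1; i < n; i++)
            if (w[i] == kw) { sub(/;$/, "", w[i + 1]); return w[i + 1] }
        return "?"
    }
    # Store the header collected so far if it is a Received: header.
    function keep() {
        if (hdr ~ /^Received:/) hop[++count] = hdr
        hdr = ""
    }
    BEGIN {
        n = split(ours_list, t, " ")
        for (i = 1; i <= n; i++) ours[t[i]] = 1
    }
    /^$/     { keep(); exit }              # a blank line ends the headers
    /^[ \t]/ { hdr = hdr " " $0; next }    # folded continuation line
             { keep(); hdr = $0 }          # start of a new header
    END {
        keep()
        trusted = 1
        for (i = 1; i <= count; i++) {
            by = token_after(hop[i], "by")
            # The first hop written by an outside relay ends the trusted run.
            if (!(by in ours)) trusted = 0
            printf "%d %s from=%s by=%s\n", i,
                   (trusted ? "trusted" : "unverified"),
                   token_after(hop[i], "from"), by
        }
    }'
}

# Stand-alone demonstration: only mx.example.com is operated by us.
sample_message | trace_received "mx.example.com"
```

In the trusted hops, the from= value records what your own relay observed when the connection arrived, which makes it the last reliable point in the trace.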

You may recall that the userdel command, described in Chapter 7, includes options related to the handling of users’ mail spools. If you delete a user account but leave the user’s mail spool intact, the mail can still be accessed. If the mail server software stores mail in /var/spool/mail, leftover mail spools can cause problems if you eventually re-use an old username.

Email can be sent as well as received. The traditional Linux approach to sending email is to have local programs contact the local mail server to send email. The local mail server then contacts its outgoing email server, as in Figure 9.1. Most Linux email clients (aka mail user agents, or MUAs), as well as similar programs on other platforms, provide the option to directly contact a remote SMTP server when sending email. Such a configuration slightly simplifies the email path but can make operation unreliable if the local network link goes down. If your email client talks to an SMTP server that runs locally, the email can be queued for delivery by the SMTP server even if the network is temporarily down.

Choosing Email Software

Linux supports quite a few email servers. Chances are, one of the major servers will be installed on your system by default. If not and if you want to install one, you’ll have to pick one. You may also want to change your email server if you need to configure it in advanced ways; some servers are easier to configure than others or support specific options that others don’t. Four email servers are most popular on Linux:

Sendmail
The sendmail program (http://www.sendmail.org) was for many years the dominant email server package on the Internet. In recent years it’s lost some of its dominance to the other servers described here, as well as to Windows email servers. Nonetheless, sendmail remains a popular server. It’s very powerful, but it’s also difficult to configure because its configuration file formats are rather arcane.

Postfix
Postfix (http://www.postfix.org) was designed as a modular replacement for sendmail—rather than a single program that does everything (as sendmail is designed), Postfix uses multiple programs, each of which handles its own specific small task. This design improves security, at least in theory. Postfix tends to be easier to configure than sendmail, and it’s become the default email server on many Linux distributions.

Exim
Although Exim (http://www.exim.org) is a monolithic server, like sendmail, it has a much simpler configuration file format and so is easier to configure. A few Linux distributions use Exim as the default email server.

qmail
The fourth major Linux email server, qmail (http://www.qmail.org), is a modular server with security as a major design goal. Like Postfix and Exim, qmail is easier to configure than sendmail. It’s not the standard email server in any Linux distribution because its license is a bit strange and complicates qmail distribution with Linux; however, many system administrators like qmail enough that they replace their distributions’ standard email servers with qmail.

You have several ways to learn which email server your Linux distribution runs. The two most reliable are to use ps (described in Chapter 2, “Managing Software”) to look for running processes or to use your package management tools (also described in Chapter 2) to see which package is installed. In either case, you may need to check for each of the programs in turn. For instance, you might see results like these:

$ ps ax | grep send
31129 pts/2    R+     0:00 grep send
$ ps ax | grep post
 7778 ?        Ss     0:45 /usr/lib/postfix/master
31132 pts/2    S+     0:00 grep post

The search for a process containing the string send failed, but the search for post returned a process called /usr/lib/postfix/master—thus, it appears that Postfix is running on this system.

You can also look for executable filenames for each email server in /usr/bin or /usr/sbin; but be aware that most Linux email servers include a program called sendmail. This is done for compatibility reasons; because the original sendmail program was once ubiquitous, providing a compatible interface for scripts and administrators helps other SMTP servers work.

In addition to the SMTP server, a fully functional Linux email system is likely to include other software:

Pull Mail Servers
Two pull mail protocols, POP and IMAP, are popular. If a Linux system should function as a mail server from which users can read their email remotely, chances are you’ll install a POP or an IMAP server package, such as Cyrus IMAP (http://cyrusimap.web.cmu.edu/) or Dovecot (http://www.dovecot.org).

Fetchmail
This program, based at http://fetchmail.berlios.de, fills an odd gap in the email-delivery chain. If you run a small site that relies on an external ISP for email delivery, chances are the ISP supports only POP or IMAP. If you want to use a variety of email clients, you may want to run your own SMTP server, and perhaps your own POP or IMAP server, to deliver mail locally. To do this, you need a program that pulls mail using POP or IMAP and then injects it into a local SMTP mail queue. This is the job of Fetchmail. Most sites don’t need it, but for those that do, it’s indispensable.

Mail readers
The final link in the email chain is the mail reader. Examples in Linux include Evolution (http://projects.gnome.org/evolution/), KMail (http://userbase.kde.org/KMail), Thunderbird (http://www.mozilla.org/en-US/thunderbird/), and mutt (http://www.mutt.org). The mail utility, which is installed on most Linux systems by default, is the lowest-common-denominator email utility. It’s described shortly, in “Sending and Receiving Email.” Most Linux email clients enable reading either from a local mail queue or from a remote POP or IMAP mail server. A multi-user system is likely to have multiple email clients installed, enabling each user to choose which client to use.

Neither this book nor the exam covers pull mail servers, Fetchmail, or mail readers in any detail. As a practical matter, you may need to learn how to configure any or all of these packages, depending on your site’s needs. Fortunately, mail reader configuration, which is the most common task, is usually fairly straightforward, as long as you have information on the hostnames of your outgoing (SMTP) and incoming (POP, IMAP, or local queue) email servers.

Working with Email

Although setting up an email server for a site is beyond the scope of this book and the exam, managing a few common email server administrative tasks is not. I therefore describe some common administrative tasks involving sending and receiving mail using the mail utility, email queue management, configuring aliases, and forwarding email.

Sending and Receiving Email

Linux supports a wide variety of email clients, some of which were mentioned earlier, in “Choosing Email Software.” Chances are, you’ll use a full-fledged email client for your personal email; however, you should also know how to use the mail program. This tool is a very basic command-line email utility. It has the advantage of being usable from a script, so you can write a script to automatically handle some email tasks, and perhaps even run that script automatically. For instance, you might write a script to check for user passwords that are about to expire and then email the users about this impending event so that they can change their passwords before their accounts are locked.

Some Linux systems ship with a program called nail rather than mail. The nail program supports additional features compared to the original mail, such as the ability to add attachments, but the two programs are very similar in basic operation. Typically, a link with the name mail points to nail, so you can call nail as mail.

The mail program is intended to be used on the command line to send or receive messages. The basic syntax for mail, including its most useful options, is as follows:

mail [-v] [-s subject] [-c cc-addr] [-b bcc-addr] to-addr
mail [-v] [-f [name] | -u user]

The first of these syntax lines is used for sending email; the second is used for reading email. (Unlike most email readers, mail only supports reading the local email queue, not email stored on remote servers and read via POP or IMAP.) You can achieve various goals with the options to mail:

Use Verbose Operation
As with many commands, the -v option produces more verbose output. This may be helpful if you need to debug problems.

Specify a Subject Line
The -s subject option enables you to specify a subject line.

Set a Carbon Copy Address
You can send a message to multiple people by sending a carbon copy using the -c cc-addr or -b bcc-addr options. These options vary in that the -b option produces a “blind” carbon copy, meaning that the recipient’s address doesn’t appear in the address list. This is useful if you want to discreetly send a copy of an email to somebody, but some spam filters may delete such emails.

Set the Recipient’s Address
The main recipient’s email address terminates the mail command’s line for an outgoing email.

Read Email
To read your email, pass the -f option to the program, optionally followed by the name of the mail spool file. Alternatively, you can use the -u user option to read the mail of the specified user.

This list of options is incomplete, but it includes the most important features. You should consult the man page for mail to learn about more exotic options. Remember that some systems use mail whereas others use nail, and available options differ for these two programs. The preceding options have the same effect for both programs; but some options, such as -a, have different meanings for the two programs. (The -a option enables you to insert an arbitrary email header in the original mail, but in nail it’s how you attach a file to an outgoing message.)

As an example of mail in action, consider the task of sending a quick email message. Suppose you want to send an email to two recipients informing them of a meeting. You can do so as follows:

$ mail -s "Meeting reminder" [email protected]@example.com
Remember the meeting at 4:00 today!
Cc: [email protected]

After you type the mail command, the program waits for input via standard input, but there’s no prompt. You signal the end of the message by pressing Ctrl+D. This example shows a simple one-line message. After you press Ctrl+D, the program displays the Cc: line to verify this option. You can still change the address at this point, but if you don’t want to, you can press the Enter key and the message will be on its way.

To use mail in a script, you can use input redirection to pass it the contents of a file to be mailed:

mail -s "Automated alert!" < /tmp/[email protected]

This line, if included in a script, sends the contents of /tmp/alert.txt to benf@example.com with the specified subject.

You can use mail to read incoming email, too, but only if it’s stored on a local Linux mail spool. In this case, you’ll normally use mail interactively. Type mail, and you’ll see the contents of your mail spool. Each message has a summary line that lists the sender, date, and subject, among other things:

[email protected]:27 116/4262 Priorities

This is message number 46; it’s from [email protected]; it arrived on January 13 at 18:27 (6:27 p.m.); it has 116 lines and 4262 bytes (including headers); and its subject is Priorities. To read a message, type its number. You can then delete the message by typing d or reply to it by typing r.

As a practical matter, most people prefer to use more-sophisticated mail readers for their day-to-day mail reading. You’ll probably find mail more useful for the scripted sending of email than for reading email or sending personal email.

Checking the Email Queue

An email server manages a queue of email messages that it must deliver. This queue is similar in some respects to the queue of print jobs that the Linux printing system handles, as described in Chapter 6. Instead of sending jobs to a printer, though, the email server sends email messages to another computer or stores them in local users’ mail spools. This task may sound simple, but it can be surprisingly complex. The server may be asked to deliver many messages in a very short period of time, and thus it may need to delay delivery of some messages while it works on others. Furthermore, any number of problems can lead to temporary or permanent inability to deliver messages. When a problem seems to be temporary, such as a network routing failure, the email server must store the message and try to deliver it again later. Thus, a Linux computer’s email queue may contain undelivered messages. Knowing how to identify these messages and manage the queue can help you keep your Linux computer’s email subsystem working smoothly.

The mailq program is the main tool to help in email queue management. This program was originally part of the sendmail package, but Postfix, Exim, qmail, and other Linux SMTP servers have all implemented compatible commands. Unfortunately, command options differ between implementations. The basic command, without any options, shows the contents of the email queue on all systems:

$ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5B42F963F*     440 Fri Jan 18 13:58:[email protected]
                                         [email protected]
-- 0 Kbytes in 1 Request.

This example, taken from a system running Postfix, shows one message in the queue, along with relevant identifying information. The exact display format varies from one SMTP server to another. In most cases, typing mailq is equivalent to typing sendmail -bp.

If your network connection goes down temporarily or if an upstream email server goes down for a while, email messages can pile up in the queue. Your SMTP server will ordinarily attempt redelivery at a later date; but if your network connection has come up again and you want to clear the queue immediately, you can do so. Typing sendmail -q will do the job with most SMTP servers, and some have other equivalent commands, such as postqueue in Postfix or runq in Exim.

All email servers offer a wide variety of advanced options to prioritize email delivery, accept messages on the command line, delete specific messages from the queue, debug email connections, and so on. Unfortunately, commands and procedures to use these features vary from one email server to another. Thus, you should consult your server’s documentation to learn how to use these features.

Redirecting Email

Email aliases enable one address to stand in for another one. For instance, all email servers are supposed to maintain an account called postmaster. Email to this account should be read by somebody who’s responsible for maintaining the system. One way to do this is to set up an alias linking the postmaster name to the name of a real account. You can do this by editing the aliases file, which usually resides in /etc or sometimes in /etc/mail.

The aliases file format is fairly straightforward. Comment lines begin with hash marks (#), and other lines take the following form:

name: addr1[,addr2[,...]]

The name that leads the line is a local name, such as postmaster. Each address (addr1, addr2, and so on) can be the name of a local account to which the messages are forwarded, the name of a local file in which messages are stored (denoted by a leading slash), a command through which messages are piped (denoted by a leading vertical bar character), the name of a file whose contents are treated as a series of addresses (denoted by a leading :include: string), or a full email address (such as [email protected]).

A typical default configuration includes a few useful aliases for accounts such as postmaster. Most such configurations map most of these aliases to root. Reading mail as root is inadvisable, though; doing so increases the odds of a security breach or other problem because of a typo or bug in the mail reader. Thus, you may want to set up an alias line like the following:

root: yourusername

This redirects all of root’s mail, including mail directed to root via another alias, to yourusername, which can take any of the forms just described (it’s most likely to be a local username or a valid remote email address). Some mail servers, including sendmail, Postfix, and qmail, require you to compile /etc/aliases into a binary file that can be processed more quickly. To do so, use the newaliases command:

# newaliases

Exim has a newaliases command for compatibility with sendmail, but it doesn’t do anything by default.
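An added example (not from the book): a small Python audit of an aliases file in the format just described. It classifies each target by the leading-character rules above, follows alias chains, and reports pipe, file, and :include: targets, alias loops, and a root mailbox that is never redirected; the sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample in the "name: addr1[,addr2[,...]]" format described above.
SAMPLE_ALIASES = """\
# Basic system aliases
postmaster: root
abuse:      postmaster
webmaster:  root, /var/log/webmaster.mbox
tickets:    "|/usr/local/bin/ticket-intake"
staff:      :include:/etc/mail/staff.list
root:       alice
loop-a:     loop-b
loop-b:     loop-a
"""


def classify(addr):
    """Kind of delivery target, decided by the leading characters of the address."""
    if addr.startswith("|"):
        return "pipe"        # message is piped through a command
    if addr.startswith(":include:"):
        return "include"     # addresses are read from another file
    if addr.startswith("/"):
        return "file"        # message is appended to a local file
    if "@" in addr:
        return "remote"      # full email address
    return "local"           # local account or another alias


def parse_aliases(text):
    """Return {alias: [targets]}; skips comments, joins indented continuation lines."""
    table, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            rhs = raw                      # continuation of the previous alias
        else:
            name, sep, rhs = raw.partition(":")
            if not sep:
                continue                   # not an alias line
            current = name.strip().lower()
            table.setdefault(current, [])
        # Split on commas, but keep a double-quoted target (such as a pipe) whole.
        items = re.findall(r'"[^"]*"|[^,\s][^,]*', rhs)
        table[current] += [i.strip().strip('"') for i in items]
    return table


def resolve(name, table, seen=frozenset()):
    """Follow local names through other aliases; return final (kind, address) pairs."""
    key = name.lower()
    if key in seen:
        return {("loop", key)}
    if key not in table:
        return {("local", key)}            # no alias: delivery to that account
    out = set()
    for addr in table[key]:
        kind = classify(addr)
        if kind == "local":
            out |= resolve(addr, table, seen | {key})
        else:
            out.add((kind, addr))
    return out


def audit(text):
    """Return (finding, alias, detail) tuples worth a second look."""
    table = parse_aliases(text)
    findings = []
    for name, addrs in table.items():
        for addr in addrs:
            kind = classify(addr)
            if kind in ("pipe", "file", "include"):
                findings.append((kind, name, addr))
        if any(k == "loop" for k, _ in resolve(name, table)):
            findings.append(("loop", name, name))
    # Mail for root (directly or via another alias) still lands in root's mailbox.
    if ("local", "root") in resolve("root", table):
        findings.append(("root-unredirected", "root", "root"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ALIASES):
        print(finding)
```

Point the same functions at the text of your own /etc/aliases to review it before running newaliases.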

Another approach to redirecting mail is to do so on the user level. In particular, you can edit the ~/.forward file in a user’s home directory to have mail for that user sent to another address. Specifically, the ~/.forward file should contain the new address, either a username on the current computer or an entire email address on another computer. This approach has the advantage that it can be employed by individual users, say, to consolidate email from multiple systems into one account without bothering system administrators. A drawback is that it can’t be used to set up aliases for nonexistent accounts or for accounts that lack home directories. The ~/.forward file can also be changed or deleted by the account owner, which might not be desirable if you want to enforce a forwarding rule that the user shouldn’t be able to override.

Securing Your Email Server

Like any server, an email server is a potential security risk. Broadly speaking, this risk takes two forms:

Bugs
Bugs in the email server can expose your computer to danger. In theory, a bug might enable somebody to gain access to your system by sending an email or by connecting to the SMTP port (25) via a Telnet client and typing SMTP commands to trigger the bug. For this reason, many Linux distributions today limit access to the email server to the local computer only.

Misconfiguration
Poor configuration of an email server can cause problems. Email servers aren’t designed to provide login access, so they aren’t likely to be abusable to gain full login access. Instead, the big risk is a configuration that will make your system a menace to the Internet. The most common misconfiguration of this nature is an open relay, which is a computer that will relay mail from any computer to any other computer. In the past, spammers made heavy use of open relays as a way to help hide their true identities, but spammers today have largely moved on to other techniques. Nonetheless, some spammers still abuse open relays.

To guard against bugs, you should ensure that your email server is upgraded to the latest version. Chapter 2 describes software management, so you should consult it for advice on keeping your system software up to date.

Major Linux distributions configure their email servers so that they aren’t open relays; however, a misconfiguration can open your email server. Various Web sites provide tests for such misconfigurations. Check http://www.abuse.net/relay.html or http://www.spamhelp.org/shopenrelay/ to test your system to verify that it’s not an open relay. These sites, and others like them, run a series of tests, attempting to relay email through your server. If your server is properly configured, the page will report that it was unable to connect or that it was unable to relay email. If the testing site was able to relay email, though, you’ll need to learn more to properly configure your server. Unfortunately, the steps needed to secure an open relay vary from one email server to another, and they require relatively advanced configuration, which is beyond the scope of this book or the exam. You can learn about closing open relay configurations in your email server’s documentation.

Managing Data with SQL

The Structured Query Language (SQL), as its expanded name suggests, is a language used for retrieving data from a database. In practice, SQL is implemented in several different database products. Thus, you should know a little about the SQL products that are available for Linux. With a SQL package installed, you can begin learning about the principles of SQL use and move on to actual data storage and retrieval.

Picking a SQL Package

SQL is a language for accessing data, and specific SQL packages implement that language. This distinction is similar to that between a network protocol (such as SMTP) and the servers that implement it (such as sendmail, Postfix, and Exim). In principle, you can use any SQL package to satisfy your SQL database needs. In practice, specific products that store data using SQL may work better with (or even require) particular packages. Some common choices in Linux include the following:

MySQL
Oracle owns this SQL implementation, which has been released under the GPL. Most major Linux distributions include MySQL in their package databases. For a complete installation, you’ll probably need to install multiple packages, such as a client, a server, and perhaps development tools. You can learn more at http://www.mysql.com.

PostgreSQL
This SQL implementation evolved from the earlier Ingres software (the name PostgreSQL is a compressed form of post-Ingres SQL). It’s available under the BSD license and is available as multiple packages in most Linux distributions. As with MySQL, you’ll most likely have to install a client, a server, and perhaps additional support packages. PostgreSQL is headquartered at http://www.postgresql.org.

SQLite
This package, based at http://www.sqlite.org, is a library that implements SQL. As such, it’s not a stand-alone database; instead, it’s intended as a way to provide programs with a way to store data using a SQL interface within the program. If you install a program that uses SQLite, your distribution’s package manager should install the relevant libraries for you. If you want to write a program that requires database access and you don’t want to install a complete client-server SQL package such as MySQL or PostgreSQL, SQLite may be just what you need.

There are dozens more SQL database products for Linux. For the purpose of learning SQL, MySQL or PostgreSQL should do fine, or you can use another full implementation if you prefer. If you have a specific purpose in mind for using SQL, though, you should research SQL packages in more detail. You may need a particular product for compatibility with other software, or you may need a SQL package that provides specific features.

As just noted, some SQL packages, including MySQL and PostgreSQL, operate on a client-server model: One program (the server) manages the database, while another (the client) provides users and programs with access to the database. Such implementations can work over a network, enabling users at multiple client systems to access a centralized database server.

Understanding SQL Basics

SQL is a tool for accessing databases, and more specifically, relational databases. Figure 9.2 illustrates data in a relational database. Each row (sometimes known as a tuple) represents a single object or other item, and each column (sometimes referred to as an attribute or field) represents a specific feature. The combination of rows and columns is referred to as a table. Each database may contain multiple tables, and SQL supports multiple databases. Thus, to access data, you must first select a database and a table, as described in more detail shortly.

FIGURE 9.2 A relational database stores data in a table, with each row representing one object or item and each column representing specific attributes.

The data in a table are unordered, at least conceptually. (In practice, of course, data will be stored in some order on disk, but this order is arbitrary.) You can impose an order on query results, as described shortly; for instance, you may retrieve data from the database represented by Figure 9.2 and order the results according to cost (the final column).

A database enables retrieval of information that matches specific criteria. You can search for all the green objects in Figure 9.2, for instance. You can also insert, delete, and update information in a table. SQL supports multiple tables, so you can have, for instance, different tables for property in your office and for employees who work in your office.

Columns (attributes) in a database hold specific types of data, and swapping them around makes little sense. For instance, it’s clear that the second column in Figure 9.2 is a color, whereas the final column is a price or value, expressed in dollars. It would make little sense to enter green as a price or $1.00 as a color. The restrictions placed on what may appear in a column are known as a domain or a data type: The domain for the second column is a set of color names, whereas the domain for the final column is a numeric value expressed in dollars. Table 9.3 summarizes some common SQL data types.

TABLE 9.3 Common SQL data types

Data Type Name      Purpose
INTEGER (aka INT)   4-byte integer value
SMALLINT            2-byte integer value
DECIMAL             Precision storage of decimal values
NUMERIC             Precision storage of decimal values
FLOAT               Floating-point number
DOUBLE PRECISION    Floating-point number stored with twice the precision of FLOAT
DATETIME            A date and time
DATE                A date
TIME                A time, in HH:MM:SS format; may be a time of day or a period of time
CHAR                One or more characters
VARCHAR             A variable number of characters
ENUM                An enumerated list, such as one of small, medium, or large
SET                 Data that may have zero or more values, as in any of the set of nuts, sprinkles, fudge, and cherry for ice cream toppings

Additional data types exist; Table 9.3 is intended to give you a feel for what’s available and to list some of the data types you’re likely to encounter. Some implementations support unique data types, too. Each of these data types has its own features. For instance, the numeric data types (INTEGER, DECIMAL, and so on) can be manipulated by mathematic operators.

Using MySQL

To learn about SQL, you should have access to a SQL database. For purposes of demonstration, I’m using MySQL as a reference. Other SQL implementations are similar to what I describe here, but some details differ. One of these details is how to start the database. In the case of MySQL, your distribution should include a SysV or other startup script for the SQL server. This server may also need to be configured with its own root password. Debian and related distributions will prompt for this when you install the package, but you may need to set this manually with other distributions.

Starting to Use MySQL

To begin a SQL session, you should first ensure that the server is running, as just described. You can then start the SQL client. In the case of MySQL, this program is called mysql:

$ mysql

If you’ve just installed MySQL for learning purposes, it may have no databases defined. To learn what’s defined, you can use the SHOW DATABASES command:

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

This example illustrates an important feature of SQL: Commands are terminated by semicolons (;). There are a few exceptions to this rule, but if you forget the semicolon, you’re likely to see a new prompt that reads -> rather than mysql>, at least in MySQL. You can use this fact to split your commands across multiple lines, if you like. If you forget the semicolon that terminates a command, you can enter it by itself on the -> prompt line. SQL commands are conventionally shown in uppercase, but SQL commands are case-insensitive, so you can type your commands in uppercase, lowercase, or any mixture of case you like.

In this example, one database is already defined: information_schema. Some installations define a database called test. If you see such a database, you can probably use it for your own tests; however, other users may be able to see and modify this database, so don’t store important data in it. If you’re not in charge of the SQL installation, you should double-check with whoever is in charge of it to be sure you can use the test database, or any other database, for that matter.

Creating Databases and Tables

If no database for testing purposes exists, you can create one with the CREATE DATABASE command, which takes a database name as an option:

mysql> CREATE DATABASE test;
Query OK, 1 row affected (0.00 sec)

Although SQL commands are case-insensitive, database names are not. Thus, be sure to create the database name using whatever case you intend to use to refer to it in the future.

If you type SHOW DATABASES;, you’ll see the test database in addition to any that already existed. Regardless of whether test (or some other testing database) existed when you first started MySQL or had to be created, you can begin using it with the USE command:

mysql> USE test;

Within each database, tables must be created and selected for use. The commands to do so are similar to the commands used to create and select databases. In a newly created database, no tables exist:

mysql> SHOW TABLES;
Empty set (0.00 sec)

The response Empty set denotes an empty database. To fill the database with data, you must first decide on a table structure: what sort of data you want to record. For instance, Figure 9.2 shows various attributes of common objects: their names, colors, sizes, hardnesses, and values in dollars. To create a table that includes columns for these five attributes, you use a CREATE TABLE command, passing it various details:

mysql> CREATE TABLE objects (name VARCHAR(30), color VARCHAR(20),
    -> size FLOAT, hardness ENUM('soft','medium','hard'),
    -> value DECIMAL(10,2));
Query OK, 0 rows affected (0.01 sec)

This example creates a table with five columns: name, color, size, hardness, and value. Each column has an associated data type, as described in Table 9.3. A few points worth noting about this table definition are as follows:

The name and color columns are both VARCHAR examples, but with different sizes: The name may be up to 30 characters, whereas the color may be up to 20 characters. If these were defined as CHARs, each name would have to be precisely 30 characters in size, with each color precisely 20 characters. A limited set of colors can be specified by using an ENUM rather than a VARCHAR. Presumably you wouldn’t want to limit object names this way.

The size column is a FLOAT, which is less precise than an integer data type, but a FLOAT can hold real (non-integer) numbers. Figure 9.2 includes sizes in inches and feet, but in practice you’ll need to convert everything to one unit, probably inches in this case.

Note the syntax for defining the ENUM: The list of values as a whole is enclosed in parentheses (()), and each enumerated value is enclosed in single quotes (') and separated from other values by a comma (,).

The DECIMAL value includes a specification of the number of digits (10 in this example) and the number of digits after the decimal point (2 in this example), separated by a comma. Some implementations support a MONEY data type that can be used in this case, but MySQL lacks this data type, so DECIMAL is the best choice for the job. A DECIMAL type is better for currency than FLOAT because a FLOAT type is likely to introduce rounding errors because of the way numbers are encoded in a FLOAT value. Such errors are typically unacceptable in currency, although they may be tolerable in some applications.

If you need to create a table with other types of values, you should consult the documentation for your specific SQL implementation to see what data types it supports.

With the table created, you may want to verify that it’s been created correctly. You can do so by typing DESCRIBE objects;. The result should be a summary of the fields you’ve just created for the objects table.

Storing Data

You can now begin storing data in your database. To do so, use the INSERT INTO command:

mysql> INSERT INTO objects
    -> VALUES('lizard','green',6,'soft',10.00);

This example creates an entry for the first row of Figure 9.2 (but with one error, which is deliberate). You can verify that the database now holds this information by typing SELECT * FROM objects;. The result is a listing of all the data in the objects table, which in this case should be just the one entry. (The next section, “Retrieving Data,” covers data retrieval in more detail.)

This example entered incorrect data for one field: The lizard is entered in the table as being 6 inches in size, rather than 5. You can correct this error by using UPDATE:

mysql> UPDATE objects SET size=5 WHERE name='lizard';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

This example begins with the keyword UPDATE and the table name (objects). The example then tells MySQL what to update: SET size=5; in other words, set the size field to 5. The WHERE keyword begins a specification of which rows to change. In this case, with only one row present, you can use any data or even omit WHERE and the rest of the line up to the semicolon. In most cases, though, you must provide enough criteria to uniquely identify the column you want to change. In this example, the name of the object is used, hence name='lizard', which tells MySQL to change the data for all rows for which the name field is lizard.

Before you continue with data retrieval activities, you should complete a database. Exercise 9.3 will guide you through this process.

EXERCISE 9.3 Creating a SQL Database

In this exercise, you’ll continue creating a small database. This exercise assumes you’ve performed the steps described in “Creating Databases and Tables” and “Storing Data” and that you therefore have a SQL database called test, which contains a table called objects, which contains one entry based on the first line in the matrix in Figure 9.2. To complete this database, follow these steps:

1. If you’re not currently running MySQL, do so by typing mysql.
2. If you’re not already using the test database, type USE test; to begin using the test database.
3. Type INSERT INTO objects VALUES('tree','green',120,'medium',200);. (You may split this command across lines, if you like.) This entry is based on the second row of Figure 9.2, but note that the size value has been expressed in inches.
4. Verify that you entered the data correctly by typing SELECT * FROM objects; and verifying that the new entry is present.
5. Repeat step 3 (and step 4, if you like) for the remaining rows in Figure 9.2.

If you like, you can continue and enter more data; however, if you do so, some subsequent examples may not work as described.

Retrieving Data

The whole point of having a database is to be able to retrieve data from it. The main command for doing so has already been described: SELECT. This command’s power lies in its ability to accept specifications of what to select. You can use a variety of keywords to select data that matches various criteria, such as exact matches or matches to a range of values. The overall form of SELECT may be described in this way:

SELECT field(s) FROM table [WHERE conditions] [ORDER BY field]

Previous uses of SELECT have used an asterisk (*) as field(s), meaning that the command returns all the columns that match the remaining criteria. You can instead specify columns by name. For instance, suppose you’re interested only in the colors and values of objects. You can view this restricted set of data using SELECT:

mysql> SELECT value,color FROM objects;
+--------+--------+
| value  | color  |
+--------+--------+
|  10.00 | green  |
| 200.00 | green  |
|   5.00 | white  |
|   1.00 | red    |
|   0.10 | yellow |
+--------+--------+
5 rows in set (0.00 sec)

The field(s) criteria appears as a comma-separated list of columns. In this example, the criteria were listed in the reverse order from their order in the database, and so they appear in the reverse order in the output.

A more interesting way to retrieve data is to use WHERE conditions. This tool has already been mentioned, in reference to updating data. You can use conditions to retrieve specific data in several ways:

Exact Matches
Using a column name, an equal sign, and a value to match returns only those rows that match the specified value. For instance, typing SELECT * FROM objects WHERE color='green'; returns the two entries for green objects (lizard and tree).

Numeric Tests
You can retrieve data that match certain numeric criteria. For instance, to retrieve data on all objects that are greater than 10 inches in size, you can type SELECT * FROM objects WHERE size>10;.

Alphabetic Tests
The greater-than (>) and less-than (<) operators work on letters as well as numbers. This fact can be used to retrieve data based on the first letter of a string, as in SELECT * FROM objects WHERE name>'b'; to retrieve records for which the name begins with b or later letters in the alphabet. (Although this example uses a greater-than operator, it does in fact match the letter b.)

Multiple Tests
You can combine multiple criteria using the AND and OR operators. For instance, to retrieve data on soft objects valued at more than $7.50, you can type SELECT * FROM objects WHERE hardness='soft' AND value>7.50;.

You can have MySQL return the data as an ordered list by specifying a field name after the ORDER BY keyword:

mysql> SELECT * FROM objects WHERE hardness='soft' ORDER BY value;
+--------+--------+------+----------+-------+
| name   | color  | size | hardness | value |
+--------+--------+------+----------+-------+
| banana | yellow |    8 | soft     |  0.10 |
| pillow | white  |   18 | soft     |  5.00 |
| lizard | green  |    5 | soft     | 10.00 |
+--------+--------+------+----------+-------+
3 rows in set (0.00 sec)

Combining Data from Multiple Tables

As noted earlier, a database may contain multiple tables. This feature of SQL enables you to create tables for different functions. For instance, Figure 9.2 might represent a database of object characteristics that are of interest for some reason. You might also have a database containing the locations and conditions (on a 10-point scale) of different objects, as shown in Table 9.4. Sometimes you might want to combine these two tables to create a master table on which you can perform queries. In order to do so, though, the two tables must have one matching field that can be used to bind the two tables together, and each table must have one field whose value uniquely identifies each row. This uniquely identifying field is known as a primary key. In the case of Figure 9.2, the first column (called name) can serve as a primary key. In the case of Table 9.4, the Object ID column will do the job.

TABLE 9.4 Data on object locations and conditions

You can create this table much as you created the first one:

mysql> CREATE TABLE locations (id INTEGER, name VARCHAR(30),
    -> location VARCHAR(30), cond INTEGER);
mysql> INSERT INTO locations VALUES(1,'banana','kitchen',9);

Additional INSERT operations will fill out the table. At this point, you can use the SELECT operator to select data based on fields from both tables. For instance, suppose you want to know where all the green objects are located. The first table (objects) contains color data but not locations, whereas the second table (locations) holds locations but not color data. You can accomplish the goal by using a few tricks:

mysql> SELECT objects.name,objects.color,locations.location
    -> FROM objects,locations
    -> WHERE objects.name=locations.name AND objects.color='green';
+--------+-------+-------------+
| name   | color | location    |
+--------+-------+-------------+
| tree   | green | backyard    |
| lizard | green | living room |
+--------+-------+-------------+
2 rows in set (0.00 sec)

MySQL automatically combines the two tables and produces output based on the criteria you specify. The final output in this example includes the name, color, and location of the objects, even though each table has just two of those three values.

A second way to combine data from multiple tables is to use JOIN. This approach is very similar to the preceding one, but you specify one table using FROM and the other using JOIN:

mysql> SELECT objects.name,objects.color,locations.location
    -> FROM objects
    -> JOIN locations
    -> WHERE objects.name=locations.name AND objects.color='green';

Combining data enables you to simplify the structure of your database in certain situations. The examples used here illustrate this fact, albeit with very small data sets. The data in the objects table describes objects generically, whereas the data in the locations table describes objects specifically. A retail business might use similar tables to describe its inventory: something analogous to the objects table can hold descriptions of products, whereas something like the locations table can specify where each box holding a particular product is shelved, perhaps even across multiple warehouses or stores. This design enables each table to be relatively small. If all the data were stored in a single table, that table would require multiple entries for each item, duplicating a lot of data. By splitting the data across tables, each table can be much smaller, thus reducing storage space.

A retrieval command that requires special mention is GROUP BY. This command is used in conjunction with mathematical operators, such as SUM(), to restrict the operation of the operator to the specified columns. For instance, suppose you want to know the total value of all the objects in the database, grouped by object type. You can do so as follows, combining data from both tables:

mysql> SELECT objects.name,objects.value,SUM(value)
    -> FROM objects,locations
    -> WHERE locations.name=objects.name
    -> GROUP BY value;

The result is a summary of the values of all the objects by type. Omitting the GROUP BY clause produces an error message in MySQL.

Deleting Data

Sometimes your data need to be deleted. Table 9.4 suggests that the tree in the backyard is ill; its condition rating is just 2 on a 10-point scale. Perhaps you’ll decide to cut it down and therefore remove it from the locations database. To do so, you’ll use the DELETE command, which takes the following form:

DELETE FROM table WHERE conditions

For instance, to delete that now-removed tree, you can type the following command:

mysql> DELETE FROM locations
    -> WHERE name='tree' AND location='backyard';
Query OK, 1 row affected (0.05 sec)

In this specific case, the WHERE condition is more detailed than it needs to be, because the backyard tree is the only one in the table. As usual when deleting any sort of data on a computer, though, it’s better to be overly cautious than sloppy.

Before deleting data, try using SELECT to see what data your WHERE conditions match. Doing this will help you prevent accidentally deleting too much data.
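The advice in the tip above, as an added example that is not from the book: a Python sketch using the standard-library sqlite3 module (SQLite rather than MySQL, so it runs without a server) that previews the rows a WHERE clause matches and deletes only when the count is what you expect. The table rows, including a second tree that the book's table does not have, and the function names are constructed for illustration.

```python
import sqlite3


def build_demo_db():
    """In-memory database with a locations table shaped like the one in the text."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE locations (id INTEGER, name VARCHAR(30), "
        "location VARCHAR(30), cond INTEGER)"
    )
    # Constructed rows; the second tree exists only to show an over-broad match.
    db.executemany(
        "INSERT INTO locations VALUES (?, ?, ?, ?)",
        [
            (1, "banana", "kitchen", 9),
            (2, "tree", "backyard", 2),
            (3, "tree", "front yard", 8),
            (4, "lizard", "living room", 7),
        ],
    )
    db.commit()
    return db


def count_rows(db):
    """Number of rows currently in locations."""
    return db.execute("SELECT COUNT(*) FROM locations").fetchone()[0]


def guarded_delete(db, where_sql, params, expected_rows):
    """Preview with SELECT, then DELETE only if exactly expected_rows rows match.

    where_sql must be a fixed string written by the administrator, with ?
    placeholders; every value goes in params so it is never pasted into the SQL.
    Returns (deleted, preview_rows).
    """
    preview = db.execute(
        f"SELECT id, name, location FROM locations WHERE {where_sql}", params
    ).fetchall()
    if len(preview) != expected_rows:
        return False, preview          # too many or too few matches: touch nothing
    with db:                           # commits on success, rolls back on an exception
        cur = db.execute(f"DELETE FROM locations WHERE {where_sql}", params)
        if cur.rowcount != len(preview):
            raise RuntimeError("row count changed between preview and delete")
    return True, preview


if __name__ == "__main__":
    db = build_demo_db()
    # Sloppy condition: matches both trees, so nothing is deleted.
    print(guarded_delete(db, "name = ?", ("tree",), expected_rows=1))
    # Detailed condition, as in the text: exactly the backyard tree.
    print(guarded_delete(db, "name = ? AND location = ?", ("tree", "backyard"), 1))
    print(count_rows(db), "rows remain")
```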

You can delete all the data from a table by using a variant of the DELETE command: DELETE FROM locations;. This command deletes all the table’s data without deleting the table itself. This may be useful if the table is hopelessly messed up from experimentation. An even more drastic deletion operation is DROP: DROP TABLE locations;. This example completely eliminates the locations table. Naturally, this is an extremely dangerous command, but you may want to use it when cleaning up your own SQL practice session.

Learning More About SQL

SQL is a very complex topic, and this chapter can only scratch the surface. For more information, you should read more from various sources. Your own SQL package’s documentation can be a good starting point, particularly if you need to use features that are unique to your implementation. Books on SQL, such as Alan Beaulieu’s Learning SQL, 2nd Edition (O’Reilly, 2009) and Alex Kriegel’s SQL Bible (Wiley, 2008), are also worth reading if you need to do more than trivial SQL work.

Summary

Serious Linux administrators must have at least a basic understanding of shell scripts. Many configuration and startup files are in fact shell scripts, and being able to read them, and perhaps modify them, will help you administer your system. Being able to create new shell scripts is also important, because doing so will help you simplify tedious tasks and create site-specific tools by gluing together multiple programs to accomplish your goals. Email server administration is another task with which you must have at least a passing familiarity. Although most Linux systems don’t operate as email servers in the sense of computers whose primary duty is to handle email, most Linux installations do include email servers for processing locally generated email and sometimes to send email to outside systems or even to receive email for local users. You can configure email forwarding and perform a few other tweaks without delving too heavily into email server configuration.

The final topic of this chapter, SQL use, will help you manage simple databases stored using the SQL language. Many programs rely on SQL for their operation, so being able to perform simple SQL queries will help you work with these programs. You may even decide to set up databases to help manage your own tasks, such as tracking where you keep things in your office or home.

Exam Essentials

Explain the function of environment variables. Environment variables are used to store information on the system for the benefit of running programs. Examples include the PATH environment variable, which holds the locations of executable programs, and HOSTNAME, which holds the system’s hostname.

Describe how a shell script can be useful. A shell script combines several commands, possibly including conditional expressions, variables, and other programming features, to make the script respond dynamically to a system. Therefore, a shell script can reduce administrative effort by performing a series of repetitive tasks at one command.

Describe the purpose of shell aliases. Aliases enable you to create a command “shortcut”: a simple command that can stand in for a different or longer command. Aliases are typically defined in shell startup scripts as a way to create a shortened version of a command, to have useful options for a command be used as new defaults, or to create an easier-to-remember version of a command.

Summarize the major SMTP servers for Linux. Sendmail was the most common SMTP server a decade ago and is still very popular today. Postfix and Exim are often supplied as the default mail servers on modern distributions, whereas qmail is sometimes installed by administrators but isn’t the default for any major distribution. Postfix and qmail use modular designs, whereas sendmail and Exim are monolithic.

Explain the difference between an email alias and email forwarding. An email alias is configured systemwide, typically in /etc/aliases. It can set up forwarding for any local address, even if that address doesn’t correspond to a real account; and if the system is properly configured, only root may edit /etc/aliases and therefore modify aliases. Email forwarding, on the other hand, is handled by the ~/.forward file in a user’s home directory; it’s intended as a means for users to control their own email forwarding without bothering the system administrator.

Summarize the structure of a SQL database. Each SQL installation consists of a number of named databases, each of which in turn may contain multiple tables. Each table can be thought of as a two-dimensional array of data. Each row in a table describes some object or concept (inventory items, employees, movies in a personal DVD collection, and so on), and each column in a table holds data about these objects or concepts (model number, salary, or director, for example).

Describe the commands used to enter data in a SQL database. The INSERT command inserts a single entry into a database. It requires a table name and a set of values, as in INSERT INTO movies VALUES('Brazil','Terry Gilliam',1985);. The UPDATE command can be used in a similar way to update an existing entry, but you must use SET to specify the column to set and WHERE to identify the row or rows to be modified.

Explain the commands used to extract data from a SQL database. The SELECT command retrieves data from a SQL database. It can be used with a variety of additional options, such as FROM, JOIN, and WHERE, to identify the table or tables from which data should be retrieved and to locate specific values of interest.

Review Questions

1. Where is the best location for the current directory indicator (.) to reside in root’s PATH environment variable?

A. Before all other directories
B. After all other directories
C. At any location except the last one
D. Wherever is convenient
E. Nowhere; it shouldn’t be in root’s path

2. You want to create a shortcut for the command cd ~/papers/trade. Which of the following lines, if entered in a bash startup script, will accomplish this goal?

A. alias cdpt='cd ~/papers/trade'
B. export cdpt='cd ~/papers/trade'
C. cd ~/papers/trade
D. shortcut cdpt "cd ~/papers/trade"
E. env cdpt `cd ~/papers/trade`

3. What is the purpose of the EDITOR environment variable?

A. Set to Y (the default), the shell environment permits editing of commands; set to N, such editing is disallowed.
B. It specifies the filename of the text editor that bash uses by default while you’re entering commands at its prompt.
C. If you type edit filename at a command prompt, the program specified by EDITOR will be launched.
D. Set to GUI, programs call a GUI editor; set to TEXT, programs call a text-based editor.
E. Some programs refer to EDITOR to determine what external editor to launch when they need to launch one.

4. In what environment variable is the current working directory stored?

A. PATH
B. CWD
C. PWD
D. PRESENT
E. WORKING

5. Which of the following commands, if typed in a bash shell, will create an environment variable called MYVAR with the contents mystuff that will be accessible to subsequently launched programs?

A. export MYVAR='mystuff'
B. MYVAR='mystuff'
C. $MYVAR==mystuff
D. echo $MYVAR mystuff
E. setenv MYVAR mystuff

6. What file might a user modify to alter his or her own bash environment?

A. ~/.startup
B. /etc/bashrc
C. /home/.bashrc
D. /home/profilerc
E. ~/.bashrc

7. What commands might you use (along with appropriate options) to learn the value of a specific environment variable? (Select two.)

A. env
B. DISPLAY
C. export
D. echo
E. cat

8. After using a text editor to create a shell script, what step should you take before trying to use the script?

A. Set the SUID bit using chmod.
B. Copy the script to the /usr/bin/scripts directory.
C. Compile the script by typing bash scriptname, where scriptname is the script’s name.
D. Run a virus checker on the script to be sure it contains no viruses.
E. Set one or more executable bits using chmod.

9. Describe the effect of the following short script, cp1, if it’s called as cp1 big.c big.cc:

#!/bin/bash
cp $2 $1

A. It has the same effect as the cp command—copying the contents of big.c to big.cc.
B. It compiles the C program big.c and calls the result big.cc.
C. It copies the contents of big.cc to big.c, eliminating the old big.c.
D. It converts the C program big.c into a C++ program called big.cc.
E. It interprets the big.c and big.cc files as bash scripts.

10. What is the purpose of conditional expressions in shell scripts?

A. They prevent scripts from executing if license conditions aren’t met.
B. They display information about the script’s computer environment.
C. They enable the script to take different actions in response to variable data.
D. They enable scripts to learn in a manner reminiscent of Pavlovian conditioning.
E. They improve code quality by improving its readability.

11. Which of the following lines identify valid shell scripts on a normally configured system? (Select two.)

A. #!/bin/script
B. #!/bin/bash
C. !#/bin/tcsh
D. #!/bin/sh
E. !#/bin/zsh

12. Which of the following are valid looping statements in bash shell scripting? (Select three.)

A. for
B. while
C. goto
D. until
E. case

13. Your SMTP email server, mail.luna.edu, receives a message addressed [email protected]. There is no postmaster account on this computer. Assuming the system is properly configured, how should the email server respond?

A. Accept the message, but do so very slowly so as to tie up the sender’s resources.
B. Bounce the message so that the sender knows the account doesn’t exist.
C. Hold the message in the local mail queue until the postmaster account is created.
D. Delete the message without bouncing it so as to reduce email clutter.
E. Deliver the email to another account, either locally or on another computer.

14. Which of the following is not a popular SMTP server for Linux?

A. Postfix
B. Sendmail
C. Fetchmail
D. Exim
E. qmail

15. You see the following line in a script:

mail -s "Error" -c abort < /tmp/msg root

What is the effect of this line, if and when it executes?

A. An email is sent to the user Error, the script is aborted using root privileges, and error messages are written to /tmp/msg.
B. An email with the subject of Error and the contents from /tmp/msg is sent to the local users root and abort.
C. An email with the subject of Error and the contents of /tmp/msg is sent to the local user root, and then the script is aborted.
D. An email is sent with Error priority to the local user root, and the email system is then shut down with error messages being stored in /tmp/msg.
E. An email with the subject of Error and contents of /tmp/msg is sent to root, and information on this is logged with priority abort.

16. Your Internet connection has gone down for several hours. What is true of email sent by your users to off-site recipients via a properly configured local SMTP server?

A. The SMTP server will refuse to accept email from local clients during the outage.
B. Email will be neither delayed nor lost.
C. All email sent during the outage will be lost.
D. Email will be delayed by a few hours but not lost.
E. Recipients will have to retrieve the mail via POP or IMAP.

17. You examine your /etc/aliases file and find it contains the following line:

root: jody

What can you conclude from this?

A. Email addressed to jody on this system will be sent to the local user root.
B. Email addressed to root on this system will be sent to the local user jody.
C. The local user jody has broken into the system and acquired root privileges.
D. The local user jody has permission to read email directly from root’s mail queue.
E. The administrator may log in using either username: root or jody.

18. You’ve just installed MySQL and run it by typing mysql. How would you create a database called fish to store data on different varieties of fish?

A. Type NEW DATABASE fish; at the mysql> prompt.
B. Type CREATE DATABASE fish; at the mysql> prompt.
C. Type NEW DATABASE FISH; at the mysql> prompt.
D. Type DATABASE CREATE fish; at the mysql> prompt.
E. Type DB CREATE fish; at the mysql> prompt.

19. Which of the following are true statements about SQL tables? (Select two.)

A. Multiple tables may exist in a single SQL database.
B. Tables may be combined for cross-table searches using the DROP command.
C. Tables consist of rows, each of which holds attributes, and columns, each of which defines a specific database item.
D. Careful table design can reduce the amount of data entry and database storage size.
E. Tables are stored on disk using a lossy compression algorithm.

20. What is the effect of the following SQL command, assuming the various names and data exist?

mysql> UPDATE stars SET magnitude=2.25 WHERE starname='Mintaka';

A. It returns database entries from the stars table for all stars with magnitude of 2.25 and starname of Mintaka.
B. It sets the value of the stars field in the magnitude set to Mintaka, using a precision of 2.25.
C. It sets the value of the magnitude field to 2.25 for any item in the stars table with the starname of Mintaka.
D. It combines the stars and magnitude=2.25 tables, returning all items for which starname is Mintaka.
E. It updates the stars database, creating a new entry with a starname of Mintaka and a magnitude of 2.25.

Chapter 10

Securing Your System

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.110.1 Perform security administration tasks
1.110.2 Set up host security
1.110.3 Securing data with encryption

Chances are, you take basic security measures in your daily life—locking the door to your house, avoiding unsafe neighborhoods, keeping valuables out of sight in your car, and so on. Such measures can minimize the risk of a theft or even personal injury, and similar measures on a computer can help protect the computer from compromise. This chapter covers several security issues: restricting access to the computer by port number, managing the security of individual programs, managing passwords, setting miscellaneous account security options, and using encryption to secure data. Understanding these basics will help you begin to secure your computer.

There is no such thing as a 100 percent secure computer. You can take steps to improve security, but no one step or set of steps will absolutely guarantee that you’ll have no problems. You must decide for yourself (or the organization for which you work must decide) just how much effort to put into securing your systems and live with the level of threat that remains. This chapter’s security information can help you start securing your computer; but if you need more than very basic security, you’ll have to learn and do more than I can describe here.

Administering Network Security

Linux systems are often used as server computers, or at least they’re connected to the Internet more or less directly. On such systems, network security is particularly important, because incorrectly configured servers can provide miscreants with a way into your computer to do whatever damage they like. Several methods of protecting networked computers from unwanted outside access exist. Some of the simplest of these methods involve shutting down or restricting access to network servers by controlling the network ports they use. (Network ports are described in Chapter 8, “Configuring Basic Networking.”) You can check for existing network connections, check for open ports (that is, ports that are in use by a server program), use super server restrictions to limit access, and disable servers you’re not using.

The popular media uses the term hacker to refer to computer criminals. This word has an older meaning, though: It refers to individuals who are skilled with computers (and particularly with programming), who enjoy these activities, and who use their skills to productive and legal ends. Many Linux programmers consider themselves hackers in this positive sense. Therefore, I use another term, cracker, to refer to computer criminals.

Using Super Server Restrictions

Many network server programs open network ports and listen for connections directly. Some programs, though, work through an intermediary: a super server. This is a program that listens for network connections on behalf of another program and then, when a connection is initiated, hands off control of that connection to the intended server. This activity may sound like pointless complication, but it actually has several advantages over a more direct connection. For instance, using a super server can reduce memory load if the super server handles several servers that are seldom used—most of the time, only the super server and perhaps one or two of the servers it handles will be in memory. Another advantage is security: You can employ security checks in the super server to protect all the servers that the super server manages. In the following pages, I describe the basics of configuring Linux’s two major super servers, inetd and xinetd, with particular emphasis on their security features. In the case of inetd, security is handled by a package called TCP Wrappers. xinetd’s security features are built into xinetd itself, by contrast.

Whenever possible, apply redundant access controls. For instance, you can use both a server’s own security features and TCP Wrappers or xinetd to block unwanted access. Doing this helps protect against bugs and misconfiguration—if a problem emerges in the super server configuration, for instance, the secondary block will probably halt the intruder. If you configure the system carefully, such an access will also leave a log file message that you’ll see, so you’ll be alerted to the fact that the super server didn’t do its job.

Configuring inetd

The inetd package was once the standard super server in Linux, and it’s still used on some systems. Over the past decade, though, xinetd has gained substantial ground, so your system may use xinetd instead. Type ps ax | grep inetd to see which super server is running on your system—the output should include a line with either the inetd or xinetd command. Some systems run neither super server, though. If your system has inetd installed, the next few pages cover it.

Setting Up inetd

You control servers that launch via inetd through the /etc/inetd.conf file or files in /etc/inetd.d. The /etc/inetd.conf file consists of a series of lines, one for each server. A typical line resembles the following:

ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -l

This and several subsequent examples refer to in.ftpd, an FTP server that was once quite popular but that’s been replaced on many systems by other FTP servers. Some of these servers cannot be run from a super server.

Instead of using a single monolithic /etc/inetd.conf file, recent versions of inetd enable you to split the configuration into several files in the /etc/inetd.d directory. Doing so enables you to easily add or delete server configurations by adding or deleting their configuration files. For brevity, the following paragraphs refer only to /etc/inetd.conf, but the description applies to files in /etc/inetd.d, as well.

Each line in /etc/inetd.conf consists of several fields separated by one or more spaces. The meanings of these fields are as follows:

Service Name: The first field (ftp in the preceding example) is the name of the service as it appears in the /etc/services file.

Socket Type: The socket type entry tells the system what type of connection to expect—a reliable two-way connection (stream), a less reliable connection with less overhead (dgram), a low-level connection to the network (raw), or various others. The differences between these types are highly technical; your main concern in editing this entry should be to correctly type the value specified by the server’s documentation.

Protocol: This is the TCP/IP transport-layer protocol used, usually tcp or udp.

Wait/No Wait: For dgram socket types, this entry specifies whether the server connects to its client and frees the socket (nowait) or processes all its packets and then times out (wait). Servers that use other socket types should specify nowait in this field.

User: This is the username used to run the server. The root and nobody users are common choices, but others are possible as well. As a general rule, you should run servers with a low-privilege user whenever possible as a security precaution. Some servers require root access, though. Consult the server’s documentation for details.

Server Name: This is the filename of the server. In the preceding example, the server is specified as /usr/sbin/tcpd, which is the TCP Wrappers binary. As described shortly in “Controlling Access via TCP Wrappers,” this program is an important security tool and should usually be included as the means of launching programs via inetd.

Parameters: Everything after the server name consists of parameters that are passed to the server. If you use TCP Wrappers, you pass the name of the true target server (such as /usr/sbin/in.ftpd) in this field, along with its parameters.

The hash mark (#) is a comment symbol for /etc/inetd.conf. Therefore, if a server is running via inetd and you want to disable it, you can place a hash mark at the start of the line. If you want to add a server to inetd.conf, you need to create an entry for it. Most servers that can be run from inetd include sample entries in their documentation. Many distributions ship with inetd.conf files that include entries for common servers as well, although many of them are commented out; remove the hash mark at the start of the line to activate the server.

After modifying inetd.conf, you must restart the inetd super server. You can generally restart it by using your startup script system, as described in Chapter 5, “Booting Linux and Editing Files.” On most computers, typing something similar to the following should work:

# /etc/init.d/inetd restart

Alternatively, you can tell inetd to reload its configuration by using a reload parameter rather than restart. The restart option shuts down the server and then starts it again. When you use reload, the server never stops running; it just rereads the configuration file and implements any changes. As a practical matter, the two are similar. Using restart is more likely to correctly implement changes, but it’s also more likely to disrupt existing connections.

Instead of using the SysV startup scripts, you can use kill or killall (described in Chapter 2, “Managing Software”) to pass the SIGHUP signal to inetd. This signal causes many servers, including inetd, to reload their configuration files. For instance, you can type kill -HUP pid if you know the process ID (PID) of inetd, or you can type killall -HUP inetd to have all instances of inetd reload their configuration files. (Ordinarily, only one instance of inetd runs on a system.) In practice, this should work very much like the reload option to the SysV startup script—in fact, such scripts often use this technique to implement this option.

It’s generally wise to disable as many servers as possible in inetd.conf (or the xinetd configuration files, if you use xinetd). As a general rule, if you don’t understand what a server does, disable it. This will improve the security of your system by eliminating potentially buggy or misconfigured servers from the equation.
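The field layout described above lends itself to a quick audit of which entries are active, which user they run as, and whether they are launched through tcpd. The script below is an added example, not part of the book; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit inetd.conf-style entries using the fields described
# in the text. The sample configuration below is constructed.

sample_inetd_conf() {
cat <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        /usr/sbin/in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd        /usr/sbin/in.fingerd
tftp    dgram   udp  wait    nobody  /usr/sbin/tcpd        /usr/sbin/in.tftpd /tftpboot
EOF
}

# audit_inetd: read inetd.conf text on stdin and print one line per active entry:
#   <service> <user> <wrapped|UNWRAPPED> <real server path>
audit_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # hash mark disables an entry
        NF < 6 { printf "MALFORMED line %d\n", NR; next }
        {
            service = $1; user = $5; server = $6
            if (server ~ /\/tcpd$/) {
                # with TCP Wrappers the true server is the first parameter
                status = "wrapped"
                real = (NF >= 7) ? $7 : "(missing)"
            } else {
                status = "UNWRAPPED"
                real = server
            }
            print service, user, status, real
        }'
}

# unwrapped_root_services: active services that run as root without tcpd,
# the entries most worth disabling or wrapping first
unwrapped_root_services() {
    audit_inetd | awk '$2 == "root" && $3 == "UNWRAPPED" { print $1 }'
}

# Run against the constructed sample; on a real system feed /etc/inetd.conf instead.
sample_inetd_conf | audit_inetd
```
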

Controlling Access via TCP Wrappers

The TCP Wrappers package provides a program known as tcpd. Instead of having inetd call a server directly, inetd calls tcpd, which does two things: It checks whether a client is authorized to access the server, and if the client has this authorization, tcpd calls the server program.

TCP Wrappers is configured through two files: /etc/hosts.allow and /etc/hosts.deny. The first of these specifies computers that are allowed access to the system in a particular way, the implication being that systems not listed are not permitted access. By contrast, hosts.deny lists computers that are not allowed access; all others are granted access to the system. If a computer is listed in both files, hosts.allow takes precedence.

Both files use the same basic format. The files consist of lines of the following form:

daemon-list : client-list

The daemon-list is a list of servers, using the names for the servers that appear in /etc/services. Wildcards are also available, such as ALL for all servers.

The client-list is a list of computers to be granted or denied access to the specified daemons. You can specify computers by name or by IP address, and you can specify a network by using a leading or trailing dot (.) when identifying networks by name or IP address block, respectively. For instance, .luna.edu blocks all computers in the luna.edu domain, and 192.168.7. blocks all computers in the 192.168.7.0/24 network. You can also use wildcards in the client-list, such as ALL (all computers). EXCEPT creates an exception. For instance, when placed in hosts.deny, 192.168.7. EXCEPT 192.168.7.105 blocks all computers in the 192.168.7.0/24 network except for 192.168.7.105.

The man pages for hosts.allow and hosts.deny (they’re actually the same document) provide additional information about more advanced features. You should consult them as you build TCP Wrappers rules.

Remember that not all servers are protected by TCP Wrappers. Normally, only those servers that inetd runs via tcpd are so protected. Such servers often include, but are not limited to, Telnet, FTP, TFTP, rlogin, finger, POP, and IMAP servers. A few servers can independently parse the TCP Wrappers configuration files, though; consult the server’s documentation if in doubt.
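To see how the two files interact, the following added example (not from the book and not the tcpd source) models the decision for the two-field form shown above: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The function names, rule files and client addresses are constructed, and the model ignores the more advanced features in the man page.

```shell
#!/bin/sh
# Added example: simplified model of the hosts.allow / hosts.deny decision for
# "daemon-list : client-list" lines. Not handled: shell-command fields,
# netmasks, nested EXCEPT. All sample rules and clients are constructed.

# rule_matches FILE DAEMON HOST IP -> exit status 0 if some line in FILE matches
rule_matches() {
    awk -v daemon="$2" -v host="$3" -v ip="$4" '
        function client_pat(pat) {
            if (pat == "ALL") return 1
            if (substr(pat, 1, 1) == ".")            # .luna.edu = whole domain
                return length(host) > length(pat) && substr(host, length(host) - length(pat) + 1) == pat
            if (substr(pat, length(pat)) == ".")     # 192.168.7. = address block
                return index(ip, pat) == 1
            return pat == host || pat == ip
        }
        function client_list(list,    n, t, i, hit, excepted) {
            n = split(list, t, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (t[i] == "") continue
                if (t[i] == "EXCEPT") { excepted = 1; continue }
                if (client_pat(t[i])) {
                    if (excepted) return 0           # named after EXCEPT: carved out
                    hit = 1
                }
            }
            return hit + 0
        }
        function daemon_list(list,    n, t, i) {
            n = split(list, t, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (t[i] == "ALL" || t[i] == daemon) return 1
            return 0
        }
        /^[ \t]*#/ || !/:/ { next }
        {
            colon = index($0, ":")
            if (daemon_list(substr($0, 1, colon - 1)) && client_list(substr($0, colon + 1))) {
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# tcpd_decision DAEMON HOST IP ALLOW_FILE DENY_FILE -> prints allow or deny
tcpd_decision() {
    if rule_matches "$4" "$1" "$2" "$3"; then echo allow      # hosts.allow wins
    elif rule_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo allow                                           # listed nowhere: granted
    fi
}

# make_sample_rules DIR: write constructed rule files. Daemon names here are
# the server program names, as in the hosts_access man page.
make_sample_rules() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample
in.telnetd: .luna.edu
EOF
    cat > "$1/hosts.deny" <<'EOF'
in.ftpd: 192.168.7. EXCEPT 192.168.7.105
in.telnetd: ALL
EOF
}

tcpd_demo() {
    dir=$(mktemp -d) || return 1
    make_sample_rules "$dir"
    while read -r daemon host ip; do
        printf '%-10s %-18s %-14s %s\n' "$daemon" "$host" "$ip" \
            "$(tcpd_decision "$daemon" "$host" "$ip" "$dir/hosts.allow" "$dir/hosts.deny")"
    done <<'EOF'
in.ftpd    pc20.luna.edu     192.168.7.20
in.ftpd    pc105.luna.edu    192.168.7.105
in.ftpd    host.example.org  203.0.113.9
in.telnetd mail.luna.edu     10.0.0.5
in.telnetd host.example.org  203.0.113.9
EOF
    rm -rf "$dir"
}

tcpd_demo
```

The third demo line is the case to watch: a client that appears in neither file is granted access, so a restrictive policy needs a catch-all entry such as ALL: ALL in hosts.deny.
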

Configuring xinetd

The xinetd program is an extended super server. It provides the functionality of inetd plus security options that are similar to those of TCP Wrappers. Modern versions of Fedora, Mandriva, Red Hat, SUSE, and a few other distributions use xinetd by default. Other distributions may use it in the future. If you like, you can replace inetd with xinetd on any distribution.

Setting Up xinetd

The /etc/xinetd.conf file controls xinetd. On distributions that use xinetd by default, this file contains only global default options and a directive to include files stored in /etc/xinetd.d. Each server that should run via xinetd then installs a file in /etc/xinetd.d with its own configuration options.

Whether the entry for a server goes in /etc/xinetd.conf or a file in /etc/xinetd.d, it contains information similar to that in the inetd.conf file. The xinetd configuration file, though, spreads the information across multiple lines and labels it more explicitly. Listing 10.1 shows an example that’s equivalent to the earlier inetd.conf entry from “Setting Up inetd.” This entry provides precisely the same information as the inetd.conf entry except that it doesn’t include a reference to /usr/sbin/tcpd, the TCP Wrappers binary. Because xinetd includes similar functionality, it’s generally not used with TCP Wrappers.

Listing 10.1: Sample xinetd configuration entry

service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    server_args = -l
}

One additional xinetd.conf parameter is commonly present: disable. If you include the line disable = yes in a service definition, xinetd ignores the entry. Some server packages install startup files in /etc/xinetd.d that have this option set by default; you must edit the file and change the entry to read disable = no to enable the server. You can also disable a set of servers by listing their names in the defaults section of the main xinetd.conf file on a line called disabled, as in disabled = ftp shell.

As with inetd, after you make changes to xinetd’s configuration, you must restart the super server. You do this by typing a command similar to the one used to restart inetd. As with that command, you can use either reload or restart, with similar effects:

# /etc/init.d/xinetd restart

Also as with inetd, you may pass the SIGHUP signal to xinetd via the kill or killall command to have it reload its configuration file. This approach may be preferable if you’re using a distribution that doesn’t use a conventional SysV startup script to launch xinetd.

Controlling Access via xinetd

Security is handled on a server-by-server basis through the use of configuration parameters in /etc/xinetd.conf or the server-specific configuration files. Some of these options are similar to the function of hosts.allow and hosts.deny:

Network Interface: The bind option tells xinetd to listen on only one network interface for the service. For instance, you can specify bind = 192.168.23.7 on a router to have it listen only on the Ethernet card associated with that address. This feature is extremely useful in routers, but it isn’t as useful in computers with just one network interface. You can, however, use this option to bind a server only to the loopback interface, 127.0.0.1, if a server should be available only locally. You might do this with a configuration tool like the Samba Web Administration Tool (SWAT). A synonym for this option is interface.

Allowed IP or Network Addresses: You can use the only_from option to specify IP addresses, networks (as in 192.168.78.0/24), or computer names on this line, separated by spaces. The result is that xinetd will accept connections only from these addresses, similar to TCP Wrappers’ hosts.allow entries.

Disallowed IP or Network Addresses: The no_access option is the opposite of only_from; you list computers or networks here that you want to blacklist. This is similar to the hosts.deny file of TCP Wrappers.

Access Times: The access_times option sets times during which users may access the server. The time range is specified in the form hour:min-hour:min, using a 24-hour clock. Note that this option affects only the times during which the server will respond. If the xinetd access_times option is set to 8:00-17:00 and somebody logs in at 4:59 p.m. (one minute before the end time), that user may continue using the system well beyond the 5:00 p.m. cutoff time.

You should enter these options into the files in /etc/xinetd.d that correspond to the servers you want to protect. Place the lines between the opening brace ({) and closing brace (}) for the service. If you want to restrict all your xinetd-controlled servers, you can place the entries in the defaults section in /etc/xinetd.conf.

Some servers provide access control mechanisms similar to those of TCP Wrappers or xinetd. For instance, Samba provides hosts allow and hosts deny options that work much like the TCP Wrappers file entries. These options are most common on servers that are awkward or impossible to run via inetd or xinetd.

Configuring a Firewall

Although the exam objectives don’t mention firewalls, you should be familiar with the concept. A firewall is a computer that restricts access to other computers or software that runs on a single computer to protect it alone. Broadly speaking, two types of firewalls exist: packet-filter firewalls, which work by blocking or permitting access based on low-level information in individual data packets (such as source and destination IP addresses and ports), and proxy filters, which partially process a transaction (such as a Web page retrieval) and block or deny access based on high-level features in this transaction (such as the filename of an image in the Web page).

In Linux, the kernel includes packet-filter firewall capabilities, which can be programmed via the iptables program. You can set up rules by typing iptables followed by various options that define specific restrictions, such as limits on the IP addresses that may access a specific network port. Creating an effective firewall requires learning iptables in detail and writing a script that calls this program repeatedly to set up specific rules.

Many distributions make things easier by providing a generic firewall script that you can configure using a GUI tool. These tools are generally designed for protecting a single computer against unwanted outside access. Check your distribution’s GUI system administration options for a firewall configuration tool. You may be able to set security based on a few levels (high, medium, and low security, for instance) or in a somewhat more refined manner.

Linux can also function as a firewall computer that protects an entire network; however, such a configuration is likely to require in-depth knowledge of iptables, as well as topics such as configuring Linux as a router.

Disabling Unused Servers

Quite a few server programs ship with most Linux distributions, which can be a great advantage—you don’t need to hunt for servers you want to run. On the other hand, this very advantage can be a drawback; if you’re not careful, you can end up running a server and not even realize it’s installed! For this reason, you should periodically search for servers and shut down any you find that aren’t really necessary. You must begin this task by locating unwanted servers. Several tools to do so exist, such as netstat, lsof, and remote network scanners. You can also search your local configuration files for clues about what may be running. Disabling unused servers can be done by uninstalling the package or by reconfiguring the server.

Using netstat

One way to begin diagnosing network security is to look for network activity or open ports on a computer. One tool that can help in this respect is netstat. This program is the Swiss Army knife of network status tools; it provides many different options and output formats to deliver information about routing tables, interface statistics, and so on. For spotting unnecessary servers, you can use netstat with its -a and -p options, as shown here:

# netstat -ap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      690/inetd
tcp        0      0 teela.rodsbooks.com:ssh nessus.rodsbooks.:39361 ESTABLISHED 787/sshd

I’ve trimmed most of the entries from this output to make it manageable as an example. Also, netstat can be run as an ordinary user, but it may not return as much information. Specifically, only root and a process’s owner see the PID and program name of a process.

This version of the netstat command shows active network connections, which can reveal the presence of servers that are running on your computer. The Local Address and Foreign Address columns specify the local and remote addresses, including both the hostname or IP address and the port number or associated name from /etc/services. The first of the two entries shown here isn’t actively connected, so the local address, the foreign address, and the port number are all listed as asterisks (*). This entry does specify the local port, though: ftp. This line indicates that a server is running on the ftp port (TCP port 21). The State column specifies that the server is listening for a connection. The final column in this output, under the PID/Program name heading, indicates that the process with a process ID (PID) of 690 is using this port. In this case, it’s inetd. In other words, this server is running and listening for connections, but nobody is currently connected to it.

The second output line indicates that a connection has been established between teela.rodsbooks.com and nessus.rodsbooks.com (the second hostname is truncated). The local system (teela) is using the ssh port (TCP port 22), and the client (nessus) is using port 39361 on the client system. The process that’s handling this connection on the local system is sshd, running as PID 787.

It may take some time to peruse the output of netstat, but doing so will leave you with a much-improved understanding of your computer’s network connections. If you spot servers listening for connections that you didn’t realize were active, you should investigate the matter further. Some servers may be innocent or even necessary. Others may be pointless security risks.

When you use the -p option to obtain the name and PID of the process using a port, the netstat output is wider than 80 columns. You may want to open an extra-wide terminal window to handle this output or redirect it to a file that you can study in a text editor capable of displaying more than 80 columns. To quickly spot servers listening for connections, type netstat -lp rather than netstat -ap. The result will show all servers that are listening for connections, omitting client connections and specific server instances that are already connected to clients.

Exercise 10.1 demonstrates the use of netstat to monitor network port use.

EXERCISE 10.1

Monitor Network Port Use

To get started with netstat, follow these steps:

1. Log into the Linux system as a normal user. (Acquiring root privileges will produce more complete output, as described earlier, but isn’t strictly necessary for this exercise.)
2. Launch a terminal from the desktop environment’s menu system if you used a GUI login method.
3. Type netstat -ap | less, and page through the output. Chances are, you’ll see quite a few entries for servers that are listening for connections and for established connections to local servers or from local clients to remote servers. Pay particular attention to servers that are listening for new connections—that is, those that list LISTEN in the State column of the output.
4. Type netstat -ap | grep ssh to find connections involving SSH. Depending on your configuration and the servers you have running, you may see no output or many lines of output.
5. In another login session or xterm window, initiate an SSH connection to another computer. For instance, type ssh remote.luna.edu to connect to remote.luna.edu.
6. Type netstat -ap | grep ssh in your original session (not in your SSH connection). Compare the output to that which you obtained in step 4. The output should have an additional line, reflecting the session you initiated in step 5.
7. Log out of the SSH session you initiated.
8. Type netstat -ap | grep ssh again. The output should be missing the line for the session you’ve now closed.

If you’re using a multi-user system, additional SSH sessions may come and go during the course of this exercise, reflecting the activities of other users.

Using lsof

The lsof program nominally lists open files. It can be used to identify what files are open in a directory, find who’s accessing them, and so on. The definition of file used by lsof is broad, though; it includes network connections. Thus, you can use lsof instead of netstat for some tasks, including locating servers that are in use. In its most basic form in this role, you should pass the -i parameter to lsof:

# lsof -i
COMMAND  PID  USER        FD  TYPE DEVICE  SIZE NODE NAME
ssh      2498 rodsmith    3u  IPv4 3292662      TCP  nessus.rodsbooks.com:53106->seeker.rodsbooks.com:ssh (ESTABLISHED)
exim4    4827 Debian-exim 5u  IPv4 3369596      TCP  *:smtp (LISTEN)
sshd     4997 root        3u  IPv4 13273        TCP  *:ssh (LISTEN)

As in the output of netstat shown earlier, this output is truncated for brevity’s sake. This example shows two types of connections. The first non-header line, which begins with ssh, shows an outgoing connection from nessus.rodsbooks.com (the system on which the command was typed) to the ssh port on seeker.rodsbooks.com. Such connections are identified by the existence of two hostnames in the NAME column and by the keyword ESTABLISHED in the same column. The next two lines, which begin with exim4 and sshd, show two servers that are listening for connections on the smtp and ssh ports, respectively. These lines are identified by the fact that the NAME column takes the form *:service (LISTEN), where service is the service name or port number. Other columns in the output reveal additional information, such as the PID and username associated with the port access.

If you type lsof -i as an ordinary user, you’ll see only your own network connections; thus, in order for this command to be a useful diagnostic for system security, you must run it as root.

You can restrict the output of lsof by including an address after the -i option. The address takes the following form:

[46][protocol][@hostname|hostaddr][:service|port]

The digit 4 or 6 represents an IPv4 or IPv6 connection, the protocol is the protocol type (TCP or UDP), the hostname or hostaddr is the computer hostname or IP address associated with the remote system, the service is a service name (from /etc/services), and the port is the port number. For instance, suppose you want to verify that no FTP server is running on a computer. You can search for any connections associated with the FTP port:

# lsof -i :ftp

Alternatively, you can replace ftp with 21, because 21 is the port number associated with the FTP port. (Table 8.2 in Chapter 8 summarizes the common network port numbers.) In either case, this command returns a list of all processes associated with FTP connections, both incoming and outgoing. If no such connections exist, the command returns no output; the system simply produces a new command prompt. Be sure to note which output lines are linked with server as opposed to client processes. Even if you’re not running an FTP server locally, the preceding command may produce dozens of lines of output if users on the computer are making use of FTP clients.

To perform a general audit of your system’s network connections, you should type lsof -i by itself, without restricting the output. You’ll probably want to pipe the output through less or use a terminal’s scroll buffer to review the output. Piping the output through grep to search for the string LISTEN can be a shortcut to find active servers:

# lsof -i | grep LISTEN

Paging through the raw output (without using grep to search for LISTEN) will provide you with a better idea of your system’s overall network use. You could conceivably spot something suspicious, such as an outgoing network connection to a sensitive computer that the client shouldn’t be contacting. This network activity may indicate active cracking attempts by a user of the client, intrusion by an outsider, or the work of an automated worm or Trojan horse program.

If you identify programs that shouldn’t be running, such as unnecessary servers, you can use the command name, PID, and other information to help shut them down. The preceding section “Disabling Unused Servers” describes how to do this in more detail.

Another use of lsof is in identifying who’s accessing files. This might be handy if you need to unmount a filesystem (including a network filesystem) but can’t because of in-use files or if you suspect inappropriate activities involving file access.
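The lsof -i | grep LISTEN shortcut can be taken one step further by comparing the listeners against the services you intend to run. The script below is an added example, not part of the book; its function names are hypothetical, the first three sample rows repeat the lsof output shown above, and the inetd row is constructed.

```shell
#!/bin/sh
# Added example: turn "lsof -i" output into a list of listening services and
# flag any that are not on an expected list.

sample_lsof_output() {
cat <<'EOF'
COMMAND  PID  USER        FD  TYPE DEVICE  SIZE NODE NAME
ssh      2498 rodsmith    3u  IPv4 3292662      TCP  nessus.rodsbooks.com:53106->seeker.rodsbooks.com:ssh (ESTABLISHED)
exim4    4827 Debian-exim 5u  IPv4 3369596      TCP  *:smtp (LISTEN)
sshd     4997 root        3u  IPv4 13273        TCP  *:ssh (LISTEN)
inetd    690  root        4u  IPv4 13301        TCP  *:ftp (LISTEN)
EOF
}

# listening_services: read lsof -i output on stdin and print
#   <service-or-port> <command> <pid> <user>
# for every socket in the LISTEN state. UDP sockets have no LISTEN state,
# so this covers TCP servers only.
listening_services() {
    awk '$NF == "(LISTEN)" {
        name = $(NF - 1)
        sub(/^.*:/, "", name)      # keep the service or port after the last colon
        print name, $1, $2, $3
    }' | sort -u
}

# unexpected_listeners "svc1 svc2 ...": print listeners whose service name
# (or port number) is not in the space-separated expected list
unexpected_listeners() {
    listening_services | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        !($1 in allowed)'
}

# Constructed run: ssh and smtp are expected, so only the ftp listener is reported.
sample_lsof_output | unexpected_listeners "ssh smtp"
```

On a live system, run it as root with something like lsof -i -n -P | unexpected_listeners "22 25"; the -n and -P options keep addresses and ports numeric, so the expected list then holds port numbers.
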

Using Remote Network Scanners

Network scanners, such as Nmap (http://www.insecure.org/nmap/) or Nessus (http://www.nessus.org), can scan for open ports on the local computer or on other computers. The more sophisticated scanners, including Nessus, check for known vulnerabilities, so they can tell you whether a server may be compromised should you decide to leave it running.

Network scanners are used by crackers to locate likely target systems, as well as by network administrators for legitimate purposes. Many organizations have policies forbidding the use of network scanners except under specific conditions. Therefore, you should check these policies and obtain explicit permission, signed and in writing, to perform a network scan. Failure to do so could cost you your job or even result in criminal charges, even if your intentions are honorable.

Nmap is capable of performing a basic check for open ports. Pass the -sT parameter and the name of the target system to it, as shown here:

$ nmap -sT seeker.rodsbooks.com

Starting Nmap 4.53 (http://insecure.org) at 2008-09-04 15:38 EDT
Interesting ports on seeker.rodsbooks.com (192.168.1.6):
Not shown: 1704 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2049/tcp open  nfs
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.100 seconds

As with the output of netstat and lsof shown earlier, this output has been trimmed for brevity’s sake.

This output shows four open ports: 22, 80, 2049, and 3306, used by ssh, http, nfs, and mysql, respectively. If you weren’t aware that these ports were active, you should log into the scanned system and investigate further, using netstat, lsof, or ps to locate the programs using these ports and, if desired, shut them down. The -sT option specifies a scan of TCP ports. A few servers, though, run on UDP ports, so you need to scan them by typing nmap -sU hostname. (This usage requires root privileges, unlike scanning TCP ports.)

Nmap is capable of more-sophisticated scans, including “stealth” scans that aren’t likely to be noticed by most types of firewalls, ping scans to detect which hosts are active, and more. The Nmap man page provides details. Nessus, which is built atop Nmap, provides a GUI and a means of performing automated and still-more-sophisticated tests. Nessus comes as separate client and server components; the client enables you to control the server, which does the actual work.

When you use a network scanner, you should consider the fact that the ports you see from your test system may not be the same as those that might be visible to an attacker. This issue is particularly important if you’re testing a system that resides behind a firewall from another system that’s behind the same firewall. Your test system is likely to reveal accessible ports that would not be accessible from the outside world. On the other hand, a cracker on your local network would most likely have access similar to your own, so you shouldn’t be complacent because you use a firewall. Nonetheless, firewalls can be important tools for hiding servers without shutting them down.
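Checking a scan result against the list of services a host is supposed to offer can be scripted. The following is an added example, not code from the book: the function names and the allowlist format are assumptions, and the sample input is the scan output shown above with its column spacing restored. It also reports the open|filtered state that Nmap gives for UDP ports (-sU) when it cannot tell whether the port is open.

```shell
#!/bin/sh
# Added example (not from the book): audit Nmap's normal output against an
# allowlist of ports that are supposed to be open on the scanned host.

# Constructed sample: the scan output shown above, column spacing restored.
sample_scan() {
cat <<'EOF'
Starting Nmap 4.53 (http://insecure.org) at 2008-09-04 15:38 EDT
Interesting ports on seeker.rodsbooks.com (192.168.1.6):
Not shown: 1704 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2049/tcp open  nfs
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.100 seconds
EOF
}

# audit_scan ALLOWLIST   (hypothetical helper)
#   Reads Nmap output on stdin. ALLOWLIST is a space-separated list of
#   port/protocol pairs that should be open, for example "22/tcp 80/tcp".
#   Prints one finding per line:
#     UNEXPECTED port/proto service   open, but not on the allowlist
#     UNCERTAIN  port/proto service   reported as open|filtered
#     MISSING    port/proto           on the allowlist, but not reported open
#   Returns 1 if any UNEXPECTED port was found, 0 otherwise.
audit_scan() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, want, " ")
            for (i = 1; i <= n; i++) expected[want[i]] = 1
        }
        # Rows of the port table look like "2049/tcp open nfs".
        $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            if ($2 == "open") {
                seen[$1] = 1
                if (!($1 in expected)) { print "UNEXPECTED", $1, $3; bad = 1 }
            } else if ($2 == "open|filtered") {
                seen[$1] = 1
                print "UNCERTAIN", $1, $3
            }
        }
        END {
            # Allowlisted ports that never appeared as open, in allowlist order.
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print "MISSING", want[i]
            exit bad + 0
        }'
}

# Demo on the sample: this host is only supposed to offer SSH and HTTP.
sample_scan | audit_scan "22/tcp 80/tcp" || echo "review the UNEXPECTED ports above"
```

Each UNEXPECTED line is a port to trace on the scanned system with netstat, lsof, or ps, as described above.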

You can use a stand-alone Linux boot CD-ROM to perform security checks on a network. Tools intended for this purpose, such as BackTrack (http://www.backtrack-linux.org), provide easy access to Nmap and other network security tools, enabling quick checks of network security even if no computer on that network regularly runs Linux.

Examining Configuration Files

Most Linux server packages include configuration files. Thus, you may be able to spot installed but unwanted servers by looking for their configuration files. On most systems, two classes of files are important: those controlling startup scripts and those controlling your super server.

Startup scripts are described in Chapter 5, so review that chapter for details of how they’re managed. Generally speaking, you’ll look in /etc/rc?.d, /etc/init.d/rc?.d, or /etc/rc.d/rc?.d, where ? is your default runlevel number, for SysV startup scripts whose names take the form S##server, where ## is a number and server is the name of the server. If you find such a script for a server you know you don’t want to run, you should disable it using your SysV startup script editing tools, as described in Chapter 5. If your distribution uses Upstart or systemd, though, you’ll need to look elsewhere to find the relevant startup files.

Be aware that many startup scripts start entire subsystems that aren’t directly network-related. Thus, you’ll probably see startup scripts that you don’t recognize. You shouldn’t automatically disable these scripts, because they may be necessary even if you don’t recognize the name. If in doubt, leave it in place until you can research the matter further.

Try doing a Web search on the name of the startup script (minus the S and sequence number or other components unique to your startup system), possibly in conjunction with “Linux” or “startup script.” Chances are, you’ll find a helpful reference.

The other major configuration-file class you should examine is the super server configuration. Thus, you should check your inetd or xinetd configuration files for unwanted servers. Also, unlike system startup scripts, super servers launch network servers only, not non-network services. Therefore, you should take a more aggressive approach to disabling entries you don’t recognize from your super server configuration than you do with system startup scripts.

On computers using the SysV startup system, /etc/inittab deserves examination. This file, described in Chapter 5, controls some of the earliest stages of the startup process. Of greatest interest from a security point of view is the fact that older /etc/inittab installations started the processes used to accept text-mode logins, as well as similar processes used to accept logins via dial-up modems and RS-232 serial ports. These processes are called getty or some variant of this, such as mingetty. Ordinarily, a Linux machine must have at least one such process running, and it’s controlled via an /etc/inittab entry such as the following:

1:2345:respawn:/sbin/mingetty --noclear tty1

The first character of this line (1) specifies the virtual terminal (VT) it controls. Most Linux distributions include similar lines for the first six VTs, and there’s usually no need to adjust these lines. Lines that begin with S#, where # is a number, control login via RS-232 serial ports and modems:

S0:2345:respawn:/usr/sbin/mgetty -F -s 57600 /dev/ttyS0

If you want to use a modem with the computer but don’t want to enable remote logins via the modem, you should ensure that /etc/inittab does not have such lines.

Modern systems that lack /etc/inittab or have only very basic /etc/inittab files typically move these functions into other files, such as SysV startup scripts or files in /etc/init. You won’t ordinarily need to modify such configurations, but you may want to check to be sure your system isn’t listening for dial-up modem connections unnecessarily. Files called /etc/init/tty# (where # is a number) control local login access, whereas /etc/init/ttyS# files control RS-232 serial or modem access.

Uninstalling or Reconfiguring Servers

Once you’ve identified an unnecessary server, your task becomes one of shutting it down. Broadly speaking, two options exist:

You can disable the server by changing its startup script configuration or by disabling it in your system’s super server. Consult Chapter 5 and the preceding sections on inetd and xinetd for details on how to perform these tasks. Disabling the server in this way has the advantage that you can easily reactivate the server in the future if you decide to do so. It has the disadvantage that the server’s files will continue to consume disk space, and the server might be accidentally reactivated in the future.

You can completely uninstall the server using your distribution’s package management tools or by otherwise deleting its files. Chapter 2, “Managing Software,” describes this task. Completely uninstalling software has the advantage of reducing the risk of accidental reactivation, but it has the drawback that it will take more effort to reactivate the server should you decide to do so in the future.

Overall, completely removing the server is generally preferable unless you merely want to temporarily disable a server. If you decide to reactivate the server in the future, you can always reinstall it.

Administering Local Security

Security isn’t limited to networking—local security issues can be as much of a threat as remote intruders. Thus, you should attend to some local security matters: securing passwords, limiting root access to the computer, setting user limits, and tracking down SUID/SGID files.

Securing Passwords

A default Linux configuration relies heavily on passwords. Users’ passwords are their keys into the system, and careless handling of passwords is much like careless handling of physical keys—security breaches can result. Understanding these risks is critical to maintaining system security, but this is one task for which you must enlist the help of your users; after all, they’re the ones who are in possession of their passwords! You should also be aware of some of the tools Linux provides to help keep passwords secure. (Most of the details concerning password-related commands are described in Chapter 7, “Administering the System.”)

Password Risks

Passwords can end up in crackers’ hands in various ways, and you must take steps to minimize these risks. Steps you can take to improve your system’s security include the following:

Use Strong Passwords
Users should employ good passwords, as described shortly in “Choosing a Good Password.” This practice won’t eliminate all risk, though.

Change Passwords Frequently
You can minimize the chance of damage due to a compromised password by changing passwords frequently. Some Linux tools can help to enforce such changes, as described briefly in “Tools for Managing Passwords” and in more detail in Chapter 7.

Use Shadow Passwords
If a cracker who’s broken into your system through an ordinary user account can read the password file or if one of your regular users is a cracker who has access to the password file, that individual can run any of several password-cracking programs on the file. For this reason, you should use shadow passwords stored in /etc/shadow whenever possible. All major Linux distributions use shadow passwords by default. If yours doesn’t, consult the upcoming section “Tools for Managing Passwords” for information about enabling this feature.

Keep Passwords Secret
You should remind your users not to reveal their passwords to others. Such trust is sometimes misplaced, and sometimes even a well-intentioned password recipient may slip up and let the password fall into the wrong hands. This can happen by writing the password down, storing it in electronic form, or sending it by email or other electronic means. Users shouldn’t email their own passwords even to themselves, because email can be intercepted.

Use Secure Remote Login Protocols
Certain remote login protocols are inherently insecure; all data traverse the network in an unencrypted form. Intervening computers can be configured to snatch passwords from such sessions. Because of this, it’s best to disable Telnet, FTP, and other protocols that use cleartext passwords in favor of protocols that encrypt passwords, such as SSH.

Be Alert to Shoulder Surfing
If your users log in using public terminals, as is common on college campuses, in Internet cafes, and the like, it’s possible that others will be able to watch them type their passwords—a practice sometimes called shoulder surfing. Users should be alert to this possibility and minimize such logins if possible.

Use Each Password on Just One System
If one computer’s password database is compromised and if users of that system reuse their passwords on other systems, those other systems can be compromised. For this reason, it’s best to use each password just once. Unfortunately, the proliferation of Web sites that require passwords for access makes this rule almost impossible to enforce, at least without violating the rule of not writing the password down. (Modern Web browsers can remember passwords for you, but this is done by storing them in a file—essentially, writing them down.) A reasonable compromise might be to use one password for the least-sensitive Web sites (such as online newspapers) and unique passwords for sensitive Web sites (such as banking sites) and login accounts.

Be Alert to Social Engineering
Crackers often use social engineering to obtain passwords. This practice involves tricking individuals into giving up their passwords by pretending to be a system administrator or by otherwise misleading victims. Amazingly, a large percentage of people fall for this ploy. A related practice is phishing, in which an attacker puts up a fake Web site or sends an email pretending to be from somebody else. The victim is then lured into revealing sensitive data (such as credit card numbers).

Some of these steps are things you can do, such as replacing insecure remote login protocols with encrypted ones. Others are things your users must do. This illustrates the importance of user education, particularly on systems with many users.

Choosing a Good Password

As a general rule, people tend to be lazy when it comes to security. In computer terms, this means users tend to pick passwords that are easy to guess, and they change those passwords infrequently. Both these conditions make a cracker’s life easier, particularly if the cracker knows the victim. Fortunately, Linux includes tools to help make your users select good passwords and change them regularly.

Poor but common passwords include those based on the following:

The names of family members, friends, and pets
Favorite books, movies, television shows, or the characters in any of these
Telephone numbers, street addresses, or Social Security numbers
Any other meaningful personal information
Any single word that’s found in a dictionary (in any language)
Any simple keyboard or alphanumeric combination, such as qwerty or 123456

The best possible passwords are random collections of letters, digits, and punctuation. Unfortunately, such passwords are difficult to remember. A reasonable compromise is to build a password in two steps:

1. Choose a base that’s easy to remember but difficult to guess.
2. Modify that base in ways that increase the difficulty of guessing the password.

One approach to building a base is to use two unrelated words, such as bun and pen. You can then merge these two words (bunpen). Another approach, and one that’s arguably better than the first, is to use the first letters of a phrase that’s meaningful to the user. For instance, the first letters of “yesterday I went to the dentist” become yiwttd. In both cases, the base should not be a word in any language. As a general rule, the longer the password, the better. Older versions of Linux could handle passwords of no more than eight characters, but those limits have been lifted by the use of the MD5 and SHA password hashes, which are the standard on modern Linux distributions. Many Linux systems require passwords to be at least four to six characters in length; the passwd utility won’t accept anything shorter than the distribution’s minimum.

With the base in hand, it’s time to modify it to create a password. The user should apply at least a couple of several possible modifications:

Adding Numbers or Punctuation
One important modification is to insert random numbers or punctuation in the base. This step might yield, for instance, bu3npe&n or y#i9wttd. As a general rule, add at least two symbols or numbers.

Mixing Case
Linux uses case-sensitive passwords, so jumbling the case of letters can improve security. Applying this rule might produce Bu3nPE&n and y#i9WttD, for instance.

Reversing Order
A change that’s very weak by itself but that can add somewhat to security when used in conjunction with the others is to reverse the order of some or all letters. You might apply this to just one word of a two-word base. This could yield Bu3nn&EP and DttW9i#y, for instance.

Growing the Haystack
A would-be intruder’s task of discovering a password has been likened to finding a needle in a haystack. One way to make this task harder is to increase the size of the haystack. In password terms, this means making a password longer. You can do this by using longer words or phrases, of course, but this can make a password harder to remember and type. Even a size increase that simply repeats a single character can be helpful. Thus, you might turn the passwords into Bu3nn&EPiiiiiiiiii or Dtt:::::::::::W9i#y.

Your best tool for getting users to pick good passwords is to educate them. Tell them that passwords can be guessed by malicious individuals who know them or even who target them and look up personal information in telephone books, on Web pages, and so on. Tell them that, although Linux encrypts its passwords internally, programs exist that feed entire dictionaries through Linux’s password encryption algorithms for comparison to encrypted passwords. If a match is found, the cracker has found the password. Therefore, using a password that’s not in a dictionary, and that isn’t a simple variant of a dictionary word, improves security substantially. Tell your users that their accounts might be used as a first step toward compromising the entire computer or as a launching point for attacks on other computers. Explain to your users that they should never reveal their passwords to others, even people claiming to be system administrators—this is a common scam, but real system administrators don’t need users’ passwords. You should also warn them not to use the same password on multiple systems because doing so quickly turns a compromised account on one system into a compromised account on all the systems. Telling your users these things will help them understand the reasons for your concern, and it’s likely to help motivate at least some of them to pick good passwords.

If your users are unconcerned after being told these things (and in any large installation, some will be), you’ll have to rely on the checks possible in passwd. Most distributions’ implementations of this utility require a minimum password length (typically four to eight characters). They also usually check the password against a dictionary, thus weeding out some of the absolute worst passwords. Some require that a password contain at least one or two digits or punctuation.

Password-cracking programs, such as John the Ripper (http://www.openwall.com/john/), are easy to obtain. You might consider running such programs on your own encrypted password database to spot poor passwords, and in fact, this is a good policy in many cases. It’s also grounds for dismissal in many organizations and can even result in criminal charges being brought, at least if done without authorization. If you want to weed out bad passwords this way, discuss the matter with your superiors and obtain written permission from a person with the authority to grant it before proceeding. Take extreme care with the files involved, too; it’s best to crack the passwords on a computer with no network connections.

Another password security issue is password changes. Frequently changing passwords minimizes the window of opportunity for crackers to do damage; if a cracker obtains a password but it changes before the cracker can use it (or before the cracker can do further damage using the compromised account), the password change has averted disaster. As described shortly, you can configure accounts to require periodic password changes. When so configured, an account will stop accepting logins after a time if the password isn’t changed periodically. (You can configure the system to warn users when this time is approaching.) This is a very good option to enable on sensitive systems or those with many users. Don’t set the expire time too low, though—if users have to change their passwords too frequently, they’ll probably just switch between a couple of passwords or pick poor ones. Precisely what “too low” a password change time is depends on the environment. For most systems, one to six months is probably a reasonable change time, but for some it may be longer or shorter.

Tools for Managing Passwords

Most Linux distributions use shadow passwords by default, and for the most part, this chapter is written with the assumption that this feature is active. In addition to providing extra security by moving hashed passwords out of the world-readable /etc/passwd file and into the more secure /etc/shadow file, shadow passwords add extra account information.

One of the advantages of shadow passwords is that they support password aging and account expiration features. These features enable you to enforce password changes at regular intervals or to automatically disable an account after a specified period of time. You can enable these features and set the times using the chage command, which is described in more detail in Chapter 7.

The usermod utility, described in Chapter 7, can be used to adjust some shadow password features, such as account expiration dates. The chage command is more thorough with respect to account security features, but usermod can adjust more non-security account features.

Limiting root Access

Because root can do anything on a Linux computer, access to that account must of course be limited.

On a system with a single administrator, this can be accomplished by having the administrator set a unique root password that nobody else knows. This user can then log in directly as root or use su to acquire root privileges. The su command’s name stands for switch user, and it’s used to change a user’s apparent identity. Typing su alone results in a prompt for the root password. If the user types that password correctly, the session effectively becomes a root session. You can also type a username after su to acquire that user’s privileges. When root does so, no password is required. (This is sometimes handy for investigating problems reported by a single user.) To run a single program with root privileges, use -c to specify the program name, as in su -c "lsof -i" to run lsof -i as root.

Logging in directly as root is generally discouraged for several reasons: No record of who typed the password appears in log files; the root password can be intercepted in various ways; and if the user leaves the terminal, a passerby can hijack the computer. Using su is somewhat better than a direct login from a security point of view, because use of su generally leaves a trace in system logs of who became root.

A method of acquiring root access that is somewhat more secure than either direct logins or su is sudo. This program runs a single command as root; for instance, to run lsof -i as root, you type

$ sudo lsof -i
[sudo] password for georgia:

In this example, the computer prompts for the user’s (georgia’s) password, not for the root password. The idea behind sudo is that you first configure the computer to accept certain users as sudo users. Those users may then use their own passwords to perform superuser tasks, even if those users don’t have the root password. (Some sudo configurations require users to enter the superuser’s password rather than their own password, though.) You can even fine-tune what tasks users may perform. This is done via the /etc/sudoers configuration file. You must edit this configuration file via visudo, which is a variant of Vi (described in Chapter 5) that’s used only to edit /etc/sudoers.

The /etc/sudoers file consists of two types of entries: aliases and user specifications. Aliases are basically variables; you can use them to define groups of commands, groups of users, and so on. User specifications link users to machines and commands (possibly using aliases for some or all options). Thus, you can configure sudoers such that georgia can run network programs with root privileges but not account maintenance tools, whereas george can run account maintenance tools but not network programs. Your default /etc/sudoers file probably includes several examples. Consider the following lines:

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
%sys ALL = STORAGE, PROCESSES
%disk ALL = STORAGE
%wheel ALL=(ALL) ALL

This example defines two command aliases, STORAGE and PROCESSES, each of which stands in for a set of commands. Users who are members of the sys group may use both sets of commands; users who are members of the disk group may use the STORAGE commands but not the PROCESSES commands; and members of the wheel group may use all commands, whether or not they’re explicitly mentioned in /etc/sudoers.

Some distributions, such as Ubuntu, make heavy use of sudo; these distributions are designed to be administered exclusively via sudo, and they set up an /etc/sudoers file that provides at least one user with easy access to all system utilities. Other distributions don’t rely on sudo this way, although you can tweak your sudo configuration to enable administration via sudo if you like.

Setting Login, Process, and Memory Limits

Sometimes you may want to impose limits on how many times users may log in, how much CPU time they can consume, how much memory they can use, and so on. Imposing such limits is best done through a Pluggable Authentication Modules (PAM) module called pam_limits. Most major Linux distributions use this module as part of their standard PAM configuration, so chances are you won’t need to add it; however, you will still need to configure pam_limits. You do so by editing its configuration file, /etc/security/limits.conf. This file contains comments (denoted by a hash mark, #) and limit lines that consist of four fields:

domain type item value

Each of these fields specifies a particular type of information:

The Domain
The domain describes the entity to which the limit applies. It can be a username; a group name, which takes the form @groupname; or an asterisk (*) wildcard, which matches everybody.

Hard or Soft Limits
The type field specifies the limit as hard or soft. A hard limit is imposed by the system administrator and cannot be exceeded under any circumstances, whereas a soft limit may be temporarily exceeded by a user. You can also use a dash (-) to signify that a limit is both hard and soft.

The Limited Item
The item field specifies what type of item is being limited. Examples include core (the size of core files), data (the size of a program’s data area), fsize (the size of files created by the user), nofile (the number of open data files), rss (the resident set size), stack (the stack size), cpu (the CPU time of a single process in minutes), nproc (the number of concurrent processes), maxlogins (the number of simultaneous logins), and priority (the process priority). The data, rss, and stack items all relate to memory consumed by a program. These and other measures of data capacity are measured in kilobytes.

The Value
The final field specifies the value that’s to be applied to the limit.

As an example, consider a system on which certain users should be able to log in and perform a limited number of actions but not stay logged in indefinitely and consume vast amounts of CPU time. You can use a configuration like this one:

@limited hard cpu 2

This configuration applies a hard CPU limit of two minutes to the limited group. Members of this group can log in and run programs; but if one of those programs consumes more than two minutes of CPU time, it will be terminated.

CPU time and total system access time are two entirely different things. CPU time is calculated based on the amount of time the CPU is actively processing a user’s data. Idle time (for instance, when a user’s shell is active but no CPU-intensive tasks are running) doesn’t count. Thus, a user can log in and remain logged in for hours even with a very low hard CPU time limit. This limit is intended to prevent problems caused by users who run very CPU-intensive programs on systems that shouldn’t be used for such purposes.
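A mistyped line in a limits file is easy to overlook, so it helps to check the four fields mechanically and to see which rules reach a particular account. The following is an added example, not code from the book: the function names and the sample rules are constructed, and the item check covers only the items named above (pam_limits accepts others). It matches domains the way the text describes: a username, @groupname, or the * wildcard.

```shell
#!/bin/sh
# Added example (not from the book): lint limits.conf-style rules and show
# which of them apply to one user.

# Constructed sample in the four-field "domain type item value" format.
sample_limits() {
cat <<'EOF'
# domain    type  item       value
@limited    hard  cpu        2
*           soft  core       0
georgia     -     maxlogins  3      # one user, both hard and soft
@students   hard  nproc      50
george      hard  cpu
bruce       firm  nofile     1024
EOF
}

# check_limits USER "GROUP ..."   (hypothetical helper)
#   Reads rules on stdin and prints one line per rule:
#     APPLIES line domain type item value   rule matches USER, a GROUP, or *
#     OTHER   line domain type item value   well formed, aimed at someone else
#     BAD     line reason                   malformed rule
#   Returns 1 if any BAD line was found, 0 otherwise.
check_limits() {
    awk -v user="$1" -v grps="$2" '
        BEGIN {
            n = split(grps, g, " ")
            for (i = 1; i <= n; i++) member["@" g[i]] = 1
            # Items named in the text above; an assumption of this check,
            # not the complete list that pam_limits accepts.
            m = split("core data fsize nofile rss stack cpu nproc maxlogins priority", it, " ")
            for (i = 1; i <= m; i++) known[it[i]] = 1
        }
        { sub(/#.*/, "") }            # strip comments; awk re-splits the fields
        NF == 0 { next }
        NF != 4 { print "BAD", NR, "expected 4 fields, found " NF; bad = 1; next }
        $2 != "hard" && $2 != "soft" && $2 != "-" {
            print "BAD", NR, "type must be hard, soft or -, found " $2
            bad = 1; next
        }
        !($3 in known) { print "BAD", NR, "item not in the checked list: " $3; bad = 1; next }
        $4 !~ /^(-?[0-9]+|unlimited)$/ {
            print "BAD", NR, "value is not a number: " $4; bad = 1; next
        }
        {
            tag = ($1 == "*" || $1 == user || ($1 in member)) ? "APPLIES" : "OTHER"
            print tag, NR, $1, $2, $3, $4
        }
        END { exit bad + 0 }'
}

# Demo on the sample: georgia is a member of the groups limited and users.
sample_limits | check_limits georgia "limited users" || echo "fix the BAD lines above"
```

Against a live system the same check can be fed the real file, for instance check_limits georgia "$(id -Gn georgia)" < /etc/security/limits.conf.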

Another way to set limits on system resource use is via the ulimit command. This command is a bash built-in command, so it affects only bash and programs launched from it. The ulimit syntax is as follows:

ulimit [options [limit]]

The options define what is being limited:

Core File Limits
The -c option limits the size of core dumps, which are files created for debugging purposes in certain types of program crashes.

File Limits
The -f option limits the size of files that may be created by the shell, and -n limits the number of open file descriptors. (Most systems don’t honor the -n limits, though.)

Process Limits
The -u option limits the number of processes a user may run, and -t limits the total CPU time in seconds.

Memory Limits
The -v option sets the total amount of virtual memory available to the shell, -s sets the maximum stack size, -m sets the maximum resident set size, -d limits programs’ data set size, and -l sets the maximum size that may be locked into memory.

Hard and Soft Limits
The -H and -S options modify other options, causing them to be set as hard or soft limits, respectively. Hard limits may not be subsequently increased, but soft limits may be. If neither option is provided, ulimit sets both the hard and soft limits for the feature specified.

Current Settings
Passing -a causes ulimit to report its current settings.

The limit is typically a numeric value associated with the limit. The ulimit command is often found in system or user bash startup scripts, typically as ulimit -c 0, in order to prevent creation of core files, which can sometimes clutter a filesystem. If your users perform software development, you may want to ensure that you do not set this limit, or at least set it as a soft limit (as in ulimit -Sc 0) so users may override it when necessary.

Because ulimit is a bash built-in command, its utility as a system security tool is limited. If users have access to GUI login tools or can log into the system in any way that bypasses bash (such as via SSH, depending on how it’s configured), restrictions imposed by ulimit become meaningless. Thus, you should treat ulimit as a way to prevent problems because of accidental, rather than intentional, abuse of the system.

One particularly radical approach to security is to use the /etc/nologin file. If this file is present, only root may log into the computer. Other users are shown the contents of this file when they attempt to log in. In many respects, this is like setting critical system limits to 0 for all other users. This file is most likely to be useful on dedicated server systems that have no regular console or remote shell users.

Locating SUID/SGID Files

Chapter 4, “Managing Files,” describes the SUID and SGID bits. In brief, these are special flags that may be applied to executable program files, causing Linux to treat the program as if it were run by the program file’s owner (for SUID) or by the file’s group (for SGID) rather than by the individual who actually ran the program. For instance, if a program’s SUID bit is set and if the program file is owned by bruce, the program, when run by anybody, will be able to access all the files owned by bruce and otherwise behave as if bruce had run it.

The SUID and SGID bits are frequently associated with the root account in order to enable them to perform tasks that require special privilege. For instance, the passwd program (described in Chapter 7) is SUID root because only root may modify the Linux password database. Thus, for an ordinary user to change a password, some mechanism must exist to run a process as root. That mechanism, in the case of passwd, is the SUID bit.

The problem with all of this is that the SUID and SGID bits can be security risks. For instance, suppose the rm program’s SUID bit was set. This program is normally owned by root, so setting the SUID bit on rm would mean that any user could delete any file on the computer. Although no Linux distribution sets the SUID bit on rm by default, the SUID bit can be set inappropriately. This can happen by accident (say, a mistyped command by root), by malice (if a cracker gains access to the system), or because of a more subtle misconfiguration by the distribution maintainer (the SUID bit set unnecessarily on a program for which it’s less blatantly inappropriate than rm). Even if the SUID or SGID bit is set appropriately, a bug in the program can become more serious because the bug executes as root. If the bug enables users to write files, for example, any user can exploit the bug to overwrite critical system configuration files. For these reasons, you should periodically review your system to find all the SUID programs and, if appropriate, change their configuration.

To do this, you can use the find command, which is described in detail in Chapter 4. In particular, you can use the -perm mode option, which searches for files with the specified permission mode. To search for SUID and SGID files, you should pass a mode of +6000. The symbolic representation for the SUID and SGID bits is 6000, and the plus sign (+) tells find to locate any file with any of the specified bits set. (You could search for SUID files alone by passing +4000 or SGID alone by passing +2000.) You may also want to pass -type f, which restricts the search to regular files. (Directories use the SUID and SGID bits differently, as described in Chapter 4.) Thus, to search the entire computer for SUID and SGID programs, you type this:

# find / -perm +6000 -type f

The result is a list of files, one per line, that have either the SUID or the SGID bits set. Programs that are likely to be present in this list include su, ping, mount, passwd, umount, and sudo. These programs all have a legitimate need to be so configured. Most systems have additional SUID and SGID programs, some of which may seem trivial. For instance, some games are associated with the games group and set the SGID bit. This configuration enables users to modify the games’ system-wide high-score files. If you have doubts about whether the program really needs SUID or SGID status, you should investigate further. Try verifying the package integrity using your package management tools and perform a Web search on the program name and “SUID” or “SGID,” as appropriate. You can also try changing the SUID status of the program using chmod, as described in Chapter 4, and see if it still works as it should when run by a normal user.

Programs that are SUID or SGID root, but that shouldn’t be, can be a sign of system compromise. Crackers might reconfigure programs this way in order to more easily do their dirty work. Thus, if you find such programs, investigate the overall integrity of the system. On the other hand, if a distribution maintainer set the SUID or SGID bit unnecessarily, this isn’t cause for concern about a break-in, although you may want to fix the matter. Likewise, accidental misconfiguration by you or another administrator isn’t cause for massive system upheaval—but you’ll need to dig a bit deeper to ascertain whether such a change was accidental or a sign of a deeper problem.
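A periodic review is easier when each run is compared with a saved list from an earlier one, so that only new or changed SUID/SGID files need attention. The following is an added example, not code from the book: the function names and the baseline file format are assumptions, and the demo works on constructed files in a temporary directory. It writes the search as -perm /6000, because current GNU find releases use the slash for "any of these bits" and reject the +6000 form; it also relies on GNU find's -printf.

```shell
#!/bin/sh
# Added example (not from the book): track SUID/SGID files against a saved
# baseline. Requires GNU find (-perm /6000 and -printf).

# list_setid DIR   (hypothetical helper)
#   Print "mode owner group path" for every regular file under DIR that has
#   the SUID or SGID bit set, sorted so two runs can be compared line by line.
list_setid() {
    find "$1" -type f -perm /6000 -printf '%m %u %g %p\n' 2>/dev/null |
        LC_ALL=C sort
}

# new_setid DIR BASELINE   (hypothetical helper)
#   BASELINE is a file saved from an earlier list_setid run. Prints entries
#   that exist now but are not in BASELINE; because mode, owner, and group
#   are part of each entry, a changed owner or mode also shows up as new.
#   Returns 1 when anything new is found, 0 otherwise.
new_setid() {
    found=$(list_setid "$1" | LC_ALL=C comm -13 "$2" -)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Demo on constructed files: one file is SUID when the baseline is taken,
# and a second file gains the SUID bit afterward.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/passwd-like" "$dir/editor" "$dir/notes.txt"
    chmod 4755 "$dir/passwd-like"
    chmod 0755 "$dir/editor"
    list_setid "$dir" > "$dir.baseline"

    chmod 4755 "$dir/editor"
    new_setid "$dir" "$dir.baseline" || echo "investigate the entries above"

    rm -rf "$dir" "$dir.baseline"
}
demo
```

On a real system the baseline would be taken with list_setid / run as root and stored where ordinary users cannot modify it.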

Configuring SSH

In the past, Telnet was the remote text-mode login protocol of choice on Linux and Unix systems. Unfortunately, Telnet is severely lacking in security features. Thus, in recent years SSH has grown in popularity, and it is now the preferred remote login tool. SSH can also handle file transfer tasks similar to those of FTP. For these reasons, knowing how to configure SSH can be very helpful. This task requires knowing a bit about SSH generally and about the SSH configuration file under Linux. As is usual in this chapter, I conclude the look at SSH with information about the security implications of running the server.

SSH is complex enough that I can’t cover more than its basics in this chapter. Consult OpenSSH’s documentation or a book on the topic, such as SSH, The Secure Shell: The Definitive Guide, Second Edition, by Daniel J. Barrett, Richard Silverman, and Robert G. Byrnes (O’Reilly, 2005) or SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys (CreateSpace, 2012) by Michael W. Lucas, for more details.

SSH Basics

Linux supports remote login access through several different servers, including Telnet, Virtual Network Computing (VNC), and even X. Unfortunately, most of these methods suffer from a major drawback: They transfer all data over the network in unencrypted form. This fact means that anybody who can monitor network traffic can easily snatch sensitive data, often including passwords. (VNC and a few other protocols encrypt passwords but not other data.) This limitation puts a serious dent in the utility of these remote login tools; after all, if using a remote access protocol means you’ll be giving away sensitive data or compromising your entire computer, it’s not a very useful protocol.

Non-encrypting remote access tools are particularly risky for performing work as root, either by logging in directly as root or by logging in as an ordinary user and then using su, sudo, or other tools to acquire root privileges.

SSH was designed to close this potentially major security hole by employing strong encryption techniques for all parts of the network connection. SSH encrypts the password exchange and all subsequent data transfers, making it a much safer protocol for remote access. In addition to encryption, SSH provides file transfer features and the ability to tunnel other network protocols; that is, to enable non-encrypted protocols to piggyback their data over an SSH connection, thus delivering SSH’s encryption advantages to other protocols. This feature is frequently employed in conjunction with X, enabling encrypted remote GUI access, as described in Chapter 6, “Configuring the X Window System, Localization, and Printing.”

Of course, SSH’s advantages don’t come without a price. The main drawback of SSH is that the encryption and decryption consume CPU time. This fact slows down SSH connections compared to those of direct connections and can degrade overall system performance. This effect is modest, though, particularly for plain text-mode connections. If you tunnel a protocol that transfers much more data, such as X, you may see a greater performance drop when using SSH. Even in this case, the improved security is generally worth the slight speed cost.

Several SSH servers are available for Linux, but the most popular by far is the OpenSSH server (http://www.openssh.org). This program was one of the first open source implementations of the SSH protocol, which was developed by the commercial SSH Communications Security (http://www.ssh.com), whose server is now sold under the name SSH Tectia. OpenSSH, SSH Tectia, and other SSH products can interoperate with one another, assuming they’re all configured to support at least one common level of the SSH protocol. OpenSSH 6.1, the latest version as I write, supports SSH levels 1.3, 1.5, and 2.0, with 2.0 being the preferred level because of known vulnerabilities in the earlier versions.

OpenSSH is closely associated with the OpenBSD OS, so its Web site has an OpenBSD bias. If you visit the site, you may want to click the Linux link under the For Other OS’s heading. You can find Linux-compatible source code and binaries from that site, and OpenSSH now ships with most Linux distributions.

OpenSSH may be launched via either a super server (inetd or xinetd) or a SysV startup script. The latter method is preferred because the server may need to perform CPU-intensive tasks upon starting, so if it’s started from a super server OpenSSH may be sluggish to respond to connection requests, particularly on systems with weaker CPUs. Most distributions deliver suitable startup scripts with their SSH packages. If you make changes to your SSH configuration, you may need to pass the reload or restart option to the startup script, as in /etc/init.d/sshd reload. (Chapter 5 covers startup scripts in more detail.) However it’s launched, the OpenSSH server binary name is sshd, the same as the binary name for SSH Tectia.

Setting SSH Options for Your Computer

For the most part, SSH works reasonably well when it’s first installed, so you may not need to make any changes to its configuration. If you do need to make changes, though, these are mostly handled through the main SSH configuration file, /etc/ssh/sshd_config. You can also edit some additional files to limit access to the SSH server or to change how SSH manages the login process.

Configuring Basic SSH Features

The /etc/ssh/sshd_config file consists mainly of option lines that take the following form:

Option value

Don’t confuse the sshd_config file with the ssh_config file. The former controls the OpenSSH server, whereas the latter controls the SSH client program, ssh.

In addition to configuration lines, the sshd_config file holds comments, which are denoted by hash marks (#). Most sample configuration files include a large number of SSH options that are commented out; these lines specify the default values, so uncommenting the lines without otherwise changing them will have no effect. If you want to change an option, uncomment the line and change it. Most options’ default values are suitable for most systems. The following list includes some that you may want to check and, perhaps, change:

Protocol
This option specifies the protocol levels OpenSSH understands. Possible values are 1 and 2. You can configure OpenSSH to support both protocols by separating them by a comma, as in 1,2 or 2,1, which are equivalent. Given the fact that OpenSSH protocol level 1 has been compromised, the safest configuration is to set Protocol 2. This limits the server’s ability to communicate with older clients, though.

PermitRootLogin
By default, this option is set to yes, which enables OpenSSH to accept direct logins by root. This is safer than a similar configuration under Telnet, but for a bit of added security, set this value to no. The result will be that anybody wanting to perform remote work as root will need to first log in as an ordinary user, which means that an intruder who has somehow acquired the root password will also need a regular username and its password. (If the computer is configured to allow an ordinary user to work via sudo, though, a compromise of that user’s account would also effectively be a compromise of the root account.)

X11Forwarding
This option specifies whether OpenSSH’s X tunneling features should be active. If you want to enable remote users to run X programs via SSH, you must set this option to yes. Doing so can slightly degrade security of the client’s X display, though, depending on certain other options; hence the conservative default value of no.

For information about additional options, consult the man page for sshd_config. If you make changes to the SSH configuration, remember to restart it using the server’s SysV startup script.
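The following added example (not from the book or the OpenSSH project) audits an sshd_config file for the three options just described, treating X11Forwarding no as the target on the assumption that X forwarding is not needed. The function names and the sample file are constructed for illustration, and the fallback defaults are the ones this chapter states; the parser also shows two details that trip up manual reviews: sshd uses the first value it reads for a keyword, and lines after a Match keyword apply only conditionally.

```python
import re

# Values the chapter recommends for a hardened server.
RECOMMENDED = {"protocol": "2", "permitrootlogin": "no", "x11forwarding": "no"}
# Defaults as the chapter states them; other OpenSSH releases may differ.
CHAPTER_DEFAULTS = {"permitrootlogin": "yes", "x11forwarding": "no"}

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """\
# Commented-out lines only document defaults
#Protocol 2
Protocol 2,1
permitrootlogin yes
PermitRootLogin no
#X11Forwarding no
Match User backup
    X11Forwarding yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global part of the file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()           # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                            # the rest applies only conditionally
        settings.setdefault(keyword, value)  # sshd keeps the first value it reads
    return settings


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    settings = parse_sshd_config(text)
    findings = []

    protocol = settings.get("protocol")
    if protocol is None:
        findings.append("Protocol is not set explicitly; the server default applies")
    elif {p.strip() for p in protocol.split(",")} != {"2"}:
        findings.append("Protocol %s still accepts level 1; use 'Protocol 2'" % protocol)

    for key, label in (("permitrootlogin", "PermitRootLogin"),
                       ("x11forwarding", "X11Forwarding")):
        explicit = key in settings
        value = settings.get(key, CHAPTER_DEFAULTS[key]).lower()
        if value != RECOMMENDED[key]:
            source = "set in file" if explicit else "default"
            findings.append("%s is %s (%s); recommended: %s"
                            % (label, value, source, RECOMMENDED[key]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

In the sample, the later PermitRootLogin no line has no effect because the earlier permitrootlogin yes line is read first.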

SSH Keys

Part of SSH’s security involves encryption keys. Each server system and each user have a unique number, or key, for identification purposes. In fact, SSH uses a security system that involves two keys: a public key and a private key. These two keys are mathematically linked in such a way that data encrypted with a particular public key may be decrypted only with the matching private key. When establishing a connection, each side sends its public key to the other. Thereafter, each side encrypts data with the other side’s public key, ensuring that the data can be decrypted only by the intended recipient. In practice, this is just the first step of the process, but it’s critical. What’s more, SSH clients typically retain the public keys of servers they’ve contacted. This enables them to spot changes to the public key. Such changes can be signs of tampering, so if a client detects such a change, it will warn its user of this fact.

Most OpenSSH server startup scripts include code that looks for stored public and private keys and, if they’re not present, generates them. In total, four to six keys are needed: public and private keys for two or three encryption tools SSH supports. These keys are normally stored in /etc/ssh and are called ssh_host_rsa_key and ssh_host_dsa_key for private keys, with .pub filename extensions added for public keys. Some systems add ssh_host_rsa1_key and its associated public key. If your system doesn’t have these keys and you can’t get the SSH server to start up, you can try generating the keys with the ssh-keygen command:

# ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
# ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
# ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''

Each of these commands generates both a private key (named in the -f parameter) and a public key (with the same name but with .pub appended).

Don’t run these ssh-keygen commands if the SSH key files already exist. Replacing the working files will cause clients who’ve already connected to the SSH server to complain about the changed keys and possibly refuse to establish a connection.

Be sure the private keys are suitably protected; if an intruder obtains one of these keys, the intruder can impersonate your system. Typically, these files should have 0600 (-rw-------) permissions and be owned by root. The public key files (with .pub filename extensions) should be readable by all users, though.

When you configure a client system, you may want to consider creating a global cache of host keys. As already noted, the ssh program records host keys for each individual user. (It stores these in the ~/.ssh/known_hosts file.) When you set up the client, you can populate the global ssh_known_hosts file, which is normally stored in /etc or /etc/ssh. Doing so ensures that the public key list is as accurate as the sources you use to populate the global file. It also eliminates confirmation messages when users connect to the hosts whose keys you’ve selected to include in the global file.

How do you create this file? One simple way is to copy the file from a user account that’s been used to connect to the servers you want to include. For instance, you can type cp /home/ecernan/.ssh/known_hosts /etc/ssh/ssh_known_hosts to use ecernan’s file.

In the past, you could review SSH’s known hosts file in a text editor, since it’s a text-mode file. Today, though, OpenSSH 4.0 and newer support hashing of the data in this file. When this feature is enabled, the information is hashed (that is, encrypted using a one-way encryption algorithm) and stored in hashed form. The idea is that you’ll still be able to authenticate SSH servers to which you connect, because a hash of the typed hostname will match a hash of the stored hostname; but if an intruder steals your known hosts file, the intruder will be unable to determine the identities of the computers to which you’ve been connecting. An unfortunate side effect of this hashing is that you can’t tell for yourself which servers the file describes.
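To show how a typed hostname is matched against a hashed entry, here is an added example (not code from the book or from OpenSSH) that builds and checks host fields in OpenSSH's hashed format, |1|salt|HMAC-SHA1(salt, hostname), with both parts base64-encoded. The function names, the key blob, and the address 192.0.2.10 are constructed for illustration; the hostnames are the ones used in this chapter's examples.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on a hashed host field


def hash_host(hostname, salt=None):
    """Build a hashed host field; a fresh random salt is used for every entry."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(digest).decode())


def field_matches(host_field, hostname):
    """True if the first field of a known_hosts line describes hostname."""
    if not host_field.startswith(HASH_MAGIC):
        # Unhashed entry: comma-separated names (wildcard patterns not handled).
        return hostname in host_field.split(",")
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed field
    # The name cannot be read back out; the only test is to hash a candidate
    # name with the stored salt and compare the results.
    expected = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, stored)


def find_host(known_hosts_text, hostname):
    """Return [(line_number, key_type)] for entries that match hostname."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or marker line (markers not handled)
        if field_matches(fields[0], hostname):
            hits.append((number, fields[1]))
    return hits


def build_sample():
    """Constructed known_hosts content: one hashed and one plain entry."""
    salt = bytes(range(20))                          # fixed salt, demo only
    key = "AAAAB3NzaC1yc2EAAAADAQABAAAAconstructed"  # placeholder key blob
    return "\n".join([
        "# constructed sample",
        hash_host("leonardo.example.com", salt) + " ssh-rsa " + key,
        "mail.luna.edu,192.0.2.10 ssh-rsa " + key,
    ]) + "\n"


if __name__ == "__main__":
    sample = build_sample()
    print(sample)
    print(find_host(sample, "leonardo.example.com"))
```

Against a real file, ssh-keygen -F hostname performs the same lookup, which is how you can still check whether a particular server is listed.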

Controlling SSH Access

You can limit who may access an SSH server in various ways. The most obvious and basic method is via password authentication. The usual SSH authentication method is to employ a username and password, much as Telnet does. (The ssh client program sends the username automatically or as part of the command line, so you won’t see a username prompt when logging in via ssh.) Beyond password authentication, SSH supports several other types of limitations:

TCP Wrappers
If you run SSH from a super server or if the server was compiled with TCP Wrappers support, you can use the /etc/hosts.allow and /etc/hosts.deny files to limit access by IP address. Note that if you launch SSH via a system startup script, this approach works only if the server was compiled to support it. This support may or may not be present in your distribution’s standard SSH package.

Firewalls
As with all servers, you can restrict access by using a firewall. SSH uses TCP port 22. Technically, this isn’t an SSH feature, but it’s certainly useful for protecting an SSH server.

/etc/nologin
If this file is present, SSH honors it. As described earlier, this file’s presence means that only root may log in. When a non-root user tries to log in locally, the file’s contents are displayed as an error message; however, OpenSSH doesn’t do this.

Copying Files via SSH

Most users employ the ssh client program, which provides remote login access: type ssh othersystem to log in to othersystem using the same username you’re using on the client system; or add a username, as in ssh user@othersystem, to log in using another username.

SSH includes a file-copying command, too: scp. This command works much like the cp command for copying files locally; however, you must specify the target computer, and optionally the username, just before the target filename. For instance, to copy the file masterpiece.c to the lisa account on leonardo.example.com, you would type:

$ scp masterpiece.c lisa@leonardo.example.com:

The colon (:) that terminates this command is extremely important; if you omit it, you’ll find that scp works like cp, and you’ll end up with a file called lisa@leonardo.example.com on the original system. If you want to rename the file, you can do so by including the new name following the colon. Likewise, you can place the file in a particular directory in the same way, as follows:

$ scp masterpiece.c lisa@leonardo.example.com:~/art/mona.c

This example copies masterpiece.c to the ~/art directory on the target computer and renames it mona.c. If the specified directory doesn’t exist, an error results, and the file is not transferred. If you specify a directory without a trailing slash or filename and you mistype the directory name, scp will copy the file and rename it to your mistyped directory name. (scp works just like cp in this respect.)

Configuring Logins Without Passwords

If you use SSH a lot or if you use it in automated tools, you’ll no doubt become annoyed by the need to type a password with every connection. There is a way around this requirement: You can set up the SSH client with keys and give the client’s public key to the server computer. With this configuration, the SSH client computer can identify itself, possibly obviating the need for you to type a password.

Configuring SSH to operate without the use of passwords is convenient, but it does increase security risks. If somebody you don’t trust ever gains access to your account on the SSH client system, that person will be able to log in to the SSH server system as you without the benefit of your password. Thus, you should create a password-less login only from a client that’s very well protected, if at all. Configuring access to the root account in this way is particularly risky.

To configure SSH to not require a password, follow these steps:

1. Log in to the SSH client system as the user who will be performing remote access.

2. Type the following command to generate a version 2 SSH key:

$ ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''

Step 2 generates a version 2 key. You can instead generate a version 1 key by typing ssh-keygen -q -t dsa -f ~/.ssh/id_dsa -C '' -N ''. This generates id_dsa and id_dsa.pub files. This procedure is not recommended because SSH version 1 is not as secure as version 2; however, you may need to use version 1 to connect to some servers.

3. Step 2 generates two files: id_rsa and id_rsa.pub. Transfer the second of these files to the SSH server computer in any way that’s convenient: via a USB flash drive, by using scp, or by any other means. Copy the file under a temporary name, such as temp.rsa.

4. Log in to the SSH server system. If you use SSH, you’ll need to type your password.

5. Add the contents of the file you’ve just transferred to the end of the ~/.ssh/authorized_keys file. (This file is sometimes called ~/.ssh/authorized_keys2, so you should check to see which is present. If neither is present, you may need to experiment.) Typing cat ~/temp.rsa >> ~/.ssh/authorized_keys should do this job, if you stored the original file as ~/temp.rsa.

6. On some systems, you may need to modify permissions on the ~/.ssh/authorized_keys file and on the directories leading to it. The authorized_keys file may require 0600 permissions, and you may need to remove write permissions for any but the account’s owner on your home directory and on the ~/.ssh directory.

If you now log out of the SSH server system and try to log in again via SSH from the client, you shouldn’t be prompted for a password; the two computers handle the authentication automatically. If this doesn’t work, chances are the ~/.ssh/authorized_keys file needs another name, as described earlier. You may also want to check that the file includes a line matching the contents of the original public-key file on the client. Some older clients may require you to specify that you use version 2 of the SSH protocol by including the -2 option:

$ ssh -2 server
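Steps 5 and 6 are where this procedure most often goes wrong, so here is an added example (not from the book) of the server-side part: it appends a public key to authorized_keys only once, copes with an existing file that lacks a final newline, and reports the permission problems step 6 describes. The function names and the key strings used with it are constructed for illustration, and it assumes the file is named authorized_keys.

```python
import os
import stat


def install_public_key(home, public_key_line):
    """Append a key to <home>/.ssh/authorized_keys once; return True if added."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    key = public_key_line.strip()

    existing = ""
    if os.path.exists(path):
        with open(path, "r") as handle:
            existing = handle.read()
    already_present = key in (line.strip() for line in existing.splitlines())
    if not already_present:
        # A file that does not end in a newline would otherwise have the new
        # key glued onto its last line, corrupting both entries.
        separator = "" if existing == "" or existing.endswith("\n") else "\n"
        descriptor = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(descriptor, "a") as handle:
            handle.write(separator + key + "\n")
    os.chmod(path, 0o600)
    return not already_present


def permission_problems(home):
    """Return descriptions of the permission problems named in step 6."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    for directory in (home, ssh_dir):
        if not os.path.isdir(directory):
            problems.append("%s is missing" % directory)
            continue
        mode = stat.S_IMODE(os.stat(directory).st_mode)
        if mode & 0o022:  # group-write or other-write bit set
            problems.append("%s is writable by group or others (mode %04o)"
                            % (directory, mode))
    if not os.path.isfile(auth):
        problems.append("%s is missing" % auth)
    else:
        mode = stat.S_IMODE(os.stat(auth).st_mode)
        if mode != 0o600:
            problems.append("%s has mode %04o, expected 0600" % (auth, mode))
    return problems


if __name__ == "__main__":
    import tempfile
    demo_home = tempfile.mkdtemp()      # stands in for a home directory
    os.chmod(demo_home, 0o775)          # deliberately group-writable
    demo_key = "ssh-rsa AAAAB3NzaC1yc2Econstructed user@client"  # constructed
    print(install_public_key(demo_home, demo_key))
    print(permission_problems(demo_home))
```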

Using ssh-agent

Another SSH authentication option is to use the ssh-agent program. This program requires a password to initiate connections, so it’s more secure than configuring logins without passwords; however, ssh-agent remembers your password, so you need type it only once per local session. To use ssh-agent, follow these steps:

1. Follow the procedure for enabling no-password logins described in “Configuring Logins Without Passwords,” but with one change: Omit the -N '' option from the ssh-keygen command in step 2. You’ll be asked for a passphrase at this step. This passphrase will be your key for all SSH logins managed via ssh-agent.

2. On the SSH client system, type ssh-agent /bin/bash. This launches ssh-agent, which in turn launches bash. You’ll use this bash session for subsequent SSH logins.

3. In your new shell, type ssh-add ~/.ssh/id_rsa. This adds your RSA key to the set that’s managed by ssh-agent. You’ll be asked to type your SSH passphrase at this time.

From this point on, whenever you use SSH to connect to a remote system to which you’ve given your public key, you won’t need to type a password. You will, however, have to repeat steps 2 and 3 whenever you log out, and the benefits will accrue only to the shell launched in step 2 or any shells you launch from that one.

If you make heavy use of this facility, you can insert ssh-agent into your normal login procedure. For instance, you can edit /etc/passwd so that ssh-agent /bin/bash is your login shell. For a GUI login, you can rename your normal GUI login script (for instance, change ~/.xsession to ~/.xsession-nossh) and create a new GUI login script that calls ssh-agent with the renamed script as its parameter. Either action inserts ssh-agent at the root of your user process tree so that any call to SSH uses ssh-agent.

Using SSH Login Scripts

Ordinarily, an SSH text-mode login session runs the user’s configured shell, which runs the shell’s defined login scripts. The OpenSSH server also supports its own login script, sshrc (normally stored in /etc or /etc/ssh). The OpenSSH server runs this script using /bin/sh, which is normally a symbolic link to bash, so you can treat it as an ordinary bash script.

Setting Up SSH Port Tunnels

SSH has the ability to extend its encryption capabilities to other protocols, but doing so requires extra configuration. The way this is done is known as tunneling. Chapter 6 described a special type of SSH tunneling involving X, but the process can work for other protocols.

Figure 10.1 illustrates the basic idea behind an SSH tunnel. The server computer runs two server programs: a server for the tunneled protocol (Figure 10.1 uses the Internet Mail Access Protocol, IMAP, as an example) and an SSH server. The client computer also runs two clients: one for the tunneled protocol and one for SSH. The SSH client also listens for connections for the tunneled protocol; it’s effectively both a client and a server. When the SSH client receives a connection from the tunneled protocol’s client, the result is that the tunneled protocol’s connection is encrypted using SSH, tunneled to the SSH server, and then directed to the target server. Thus, data pass over the network in encrypted form, even if the target protocol doesn’t support encryption.

FIGURE 10.1 An SSH tunnel extends SSH’s encryption benefits to other protocols.

Of course, all of this requires special configuration. The default configuration on the server enables tunneling; but to be sure, check the /etc/ssh/sshd_config file on the server for the following option:

AllowTcpForwarding no

If this line is present, change no to yes. If it’s not present or if it’s already set to yes, you shouldn’t need to change your SSH server configuration.

On the client side, you must establish a special SSH connection to the server computer. You do this with the normal ssh client program, but you must pass it several parameters. An example will help illustrate this use of ssh:

# ssh -N -f -L 142:mail.luna.edu:143 [email protected]

The -N and -f options tell ssh to not execute a remote command and to execute in the background after asking for a password, respectively. These options are necessary to create a tunnel. The -L option specifies the local port on which to listen, the remote computer to which to connect, and the port on the remote computer to which to connect. This example listens on the local port 142 and connects to port 143 on mail.luna.edu. (You’re likely to use the same port number on both ends; I changed the local port number in this example to more clearly distinguish between the local and remote port numbers.) The final parameter ([email protected] in this example) is the remote username and computer to which the tunnel goes. Note that this computer need not be the same as the target system specified via -L.

If you want SSH on the client system to listen to a privileged port (that is, one numbered below 1024), you must execute the ssh program as root, as shown in the preceding example. If listening to a non-privileged port is acceptable, the ssh client can be run as a normal user.

With the tunnel established, you can use the client program to connect to the local port specified by the first number in the -L parameter (port 142 in the preceding example). For instance, this example is intended to forward IMAP traffic, so you’d configure a mail reader on the client to retrieve IMAP email from port 142 on localhost. When the email reader does this, SSH kicks in and forwards traffic to the SSH server, which then passes the data on to the SSH server computer’s local port 143, which is presumably running the real IMAP server. All of this is hidden from the email reader program; as far as it’s concerned, it’s retrieving email from a local IMAP server.

SSH Security Considerations

SSH is intended to solve security problems rather than create them. Indeed, on the whole using SSH is superior to using Telnet for remote logins, and SSH can also take over FTP-like functions and tunnel other protocols. Thus, SSH is a big security plus compared to using less-secure tools.

Like all servers, though, SSH can be a security liability if it’s run unnecessarily or inappropriately. Ideally, you should configure SSH to accept only protocol level 2 connections and to refuse direct root logins. If X forwarding is unnecessary, you should disable this feature. If possible, use TCP Wrappers or a firewall to limit the machines that can contact an SSH server. As with all servers, you should keep SSH up to date; there’s always the possibility of a bug causing problems.

You should consider whether you really need a remote text-mode login server. Such a server can be a great convenience, often enough to justify the modest risk involved. For extremely high-security systems, though, using the computer exclusively from the console may be an appropriate approach to security.

One unusual security issue with SSH is its keys. As noted earlier, the private-key files are extremely sensitive and should be protected from prying eyes. Remember to protect the backups of these files, as well; don’t leave a system backup tape lying around where it can be easily stolen.

Using GPG

SSH is designed to encrypt interactive login sessions and file transfers. Sometimes, though, another type of encryption is desirable: You may want to encrypt email messages or files sent to another person via some other means. Email was never designed as a secure data transfer tool, and most email messages pass through several email servers and network routers. A compromise at any one of these points enables a cracker to sniff email traffic and extract sensitive data, such as credit card or Social Security numbers. Encrypting your email keeps such details private.

The usual tool for encrypting email is the GNU Privacy Guard (GPG or GnuPG; http://www.gnupg.org) package. This package is an open source re-implementation of the proprietary Pretty Good Privacy (PGP). In addition to encrypting entire messages, GPG enables you to digitally “sign” messages. Used in this way, messages can be read by recipients who lack the GPG software or appropriate keys; but those who have these tools can verify that the contents haven’t been tampered with.

Generating Keys

To begin using GPG, you should first install the software. Chances are, your distribution includes it as a standard package, so you can install it that way. Once this is done, you must generate keys. GPG keys are conceptually similar to SSH keys: You need a private key (aka a secret key) and a public key. As the names imply, the private key is kept private, but the public key is publicly available. You can sign your messages with your private key, and readers can verify it with your public key; or you can encrypt a message with another user’s public key, and it can be decrypted only with that user’s private key.

To generate keys, you use the gpg program with its --gen-key option:

$ gpg --gen-key

The program will ask you a series of questions. In most cases, answering with the defaults should work well, although you may have to type in your full name and email address. The keys are stored in a keyring (a file that holds keys) in the ~/.gnupg directory. Once you’ve generated your keys, you can export your public key:

$ gpg --export name > gpg.pub

This command saves the public key associated with name in the file gpg.pub. You can use your email address as name. (If you create additional public keys or add others’ public keys to your keyring, you can specify their names to export those keys.) You can then make your public key available to others so that they may encrypt email messages sent to you or verify your signed messages. Adding the --armor option produces ASCII output, which may be preferable if you intend to email the key. You can make the file accessible on your Web site, transfer it as an email attachment, or distribute it in various other ways.

One important method of distributing your public key is via a keyserver. This is a network server that functions much like a keyring. To send your public key to a keyserver, you can use the --keyserver hostname and --send-keys keyname options to gpg, as follows:

$ gpg --keyserver pgp.mit.edu --send-keys jennie@luna.edu

This example sends the public key for jennie@luna.edu from your public keyring to the server at pgp.mit.edu. Thereafter, anybody who wants to can retrieve the key from that server. (pgp.mit.edu is a popular site for hosting PGP public keys.)

Importing Keys

To encrypt email you send to others, you must obtain their public keys. Ask your correspondents how to obtain them. Once you’ve done so, you can add their keys to your keyring (that is, the set of keys GPG maintains):

$ gpg --import filename

This command adds filename to your set of public keys belonging to other people.

Although public keys are, by definition, public, there are security concerns relating to them. Specifically, you should be sure you use a legitimate public key. Hypothetically, a miscreant could publish a fake public key in order to obtain sensitive communications or fake a signed email. For instance, George might distribute a fake GPG public key that claimed to be from Harold. George could then either sign messages claiming to be from Harold or intercept email sent to Harold that was encrypted using the fake key. Thus, you should use as secure a communication method as possible to distribute your public key and to receive public keys from others.

Once you’ve created your own key and, perhaps, imported keys from others, you can see what keys are available by using the --list-keys option to gpg:

$ gpg --list-keys
/home/gjones/.gnupg/pubring.gpg
---------------------------------
pub   1024D/190EDB2E 2008-09-05
uid                  George A. Jones <[email protected]>
sub   2048g/0D657AC8 2008-09-05

pub   1024D/A8B2061A 2008-09-05
uid                  Jennie Martin <[email protected]>
sub   2048g/4F33EF6B 2008-09-05

The uid lines contain identifiers you’ll use when encrypting or decrypting data, so you should pay particular attention to that information.

Revoking a Key

Sometimes, you might have cause to revoke a public key. For instance, suppose you’ve stored a copy of your private key on a laptop computer and that laptop is stolen, or perhaps some employees have left your organization and you no longer want those individuals to be able to use the keys associated with their employee accounts. To revoke a key, you use the --gen-revoke keyname option to gpg:

[email protected]

The program asks you to answer a few questions, such as the reason for revoking the key. It then generates a key block, such as the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: A revocation certificate should follow

iEwEIBECAAwFAlBPvbkFHQBG28bACgkQbBimvBMO2y4uzwCeQiLkZx8jl2jk+
hn0OKUl3EznmBQAn2WvtuQW+AP6wlvOvNU/qYi8a7t8=s0/s
-----END PGP PUBLIC KEY BLOCK-----

You should copy this text into a file (say, revocation.gpg) and import the file to your keyring:

$ gpg --import revocation.gpg

If you’ve distributed public keys associated with the revoked key, you should distribute this revocation, too. If you’ve sent your public keys to a GPG keyserver, you can pass your revocation along in the same way you sent your original public key:

[email protected]

Once this is done, you can generate and distribute a new set of keys, if desired.

Encrypting and Decrypting Data

To encrypt data, you use gpg with its --out and --encrypt options and, optionally, --recipient and --armor:

$ gpg --out encrypted-file --recipient uid --armor --encrypt original-file

You can use the UID from a gpg --list-keys output, or just the email address portion, as the uid in this command. If you haven’t signed the recipient’s key, you’ll have to verify that you want to use that key. The result is a new file, encrypted-file, which holds an encrypted version of original-file. If you omit the --armor option, the resulting file is a binary file; if you send it as email, you’ll need to send it as an attachment or otherwise encode it for transmission over the text-based email system. If you include the --armor option, the output is ASCII, so you can cut and paste the encrypted message into an email or send it as an attachment.

If you receive a message or file that was encrypted with your public key, you can reverse the encryption by using the --decrypt option:

$ gpg --out decrypted-file --decrypt encrypted-file

You’ll be asked to enter your passphrase. The result should be a decrypted version of the original file.

In practice, GPG can be even easier to use than this description may make you think. GPG is primarily used to secure and verify email, so most Linux email clients provide GPG interfaces. These options call gpg with appropriate options to encrypt, sign, or decrypt messages. Details vary from one email client to another, so you should consult your email client’s documentation for details.

Signing Messages and Verifying Signatures

As noted earlier, GPG can be used to sign messages so that recipients know they come from you. To do so, use the --sign or --clearsign option to gpg:

$ gpg --clearsign original-file

The --sign option creates a new file with the same name as the original, but with .gpg appended to the filename. This file is encrypted using your private key so that it may be decrypted only with your public key. This means that anybody with your public key may read the message, but anybody who can read it knows it’s from you. The --clearsign option works similarly, but it leaves the message text unencrypted and only adds an encrypted signature that can be verified using your public key. The --clearsign option creates a file with a name that ends in .asc.

If you receive a signed message, you can verify the signature using the --verify option to gpg:

$ gpg --verify received-file

If any of the keys in your keyring can decode the message or verify the signature, gpg displays a Good signature message. To read a message that was encrypted via the --sign option, you must decrypt the message via the --decrypt option, as described earlier.

Summary

Maintaining system security is both important and time-consuming. A great deal of security emphasis is on network security, and for this, configuring your super server and disabling unused servers will go a long way. Attending to passwords and performing miscellaneous tasks to keep your local accounts from becoming security risks are also important security tasks.

Encryption is a hot topic in security. SSH is a protocol and tool that can handle many network encryption tasks by encrypting two-way connections between computers. Typically used as a remote login protocol, SSH can also be used to transfer files or encrypt other protocols. When you want to encrypt data sent to another individual via a tool such as email, you can do so with the help of GPG. This package enables you to encrypt individual files, which can then be attached to or embedded in email messages and decrypted by the recipient.

Exam Essentials

Identify the purpose of a super server. Super servers, such as inetd and xinetd, manage incoming network connections for multiple servers. They can add security and convenience features, and they can help minimize the memory load imposed by seldom-accessed servers.

Explain the function of super server port access controls. Super servers or programs called by them (such as TCP Wrappers) can restrict access to ports for the servers they manage. These restrictions occur at a higher level than a firewall’s restrictions, and they apply only to the servers managed by the super server.

Summarize the tools you can use to identify the servers running on a computer. The netstat and lsof programs both provide options to list all (or a subset of) the open network connections, as well as programs that are listening for connections. Remote network scanners, such as Nmap, can probe another computer for open network ports. Perusal of local configuration files can also provide clues to what’s running on a computer.

Describe why SUID and SGID programs are potentially risky. The set user ID (SUID) and set group ID (SGID) bits tell Linux to run the program as the user or group that owns the file. This is particularly risky when root owns the program file because it essentially elevates all users to root for the purposes of running the file, making bugs in the program more dangerous and raising the possibility of a clever user abusing the program to acquire full root privileges or otherwise wreaking havoc.

Explain why shadow passwords are important. Shadow passwords store password hashes in a file that can’t be read by ordinary users, thus making it harder for miscreants on the local system to read the hashed passwords and use brute-force attacks to discover other users’ passwords. Modern Linux distributions use shadow passwords by default.

Explain how to generate a good password. Ideally, passwords should be random. Failing that, one good approach is to generate a base that’s hard to guess and then modify it by adding digits and punctuation, changing the case of some characters, changing letter order, and significantly increasing the length of the password (even with repeated characters).

Explain why SSH is the preferred remote text-mode login tool. The Secure Shell (SSH) protocol provides encryption for all traffic, including both the password exchange and all subsequent data exchanges, whereas older tools, such as Telnet, do not. This makes SSH much safer (if not 100 percent safe) for the exchange of sensitive data, particularly over untrusted networks such as the Internet.

Identify the most important SSH configuration file. The SSH server is controlled through the /etc/ssh/sshd_config file. The SSH client configuration file is /etc/ssh/ssh_config; don’t confuse the two.

Describe the function of GPG. GPG enables public-key encryption of individual files or email messages. You can use GPG to encrypt sensitive data for transmission over email or other insecure means.

Review Questions

1. Typing lsof -i | grep LISTEN as root produces three lines of output, corresponding to the sendmail, sshd, and proftpd servers. What can you conclude about the security of this system?

A. Everything’s OK; the presence of sshd ensures that data are being encrypted via SSH.
B. The sendmail and sshd servers are OK, but the FTP protocol used by proftpd is insecure and should never be used.
C. The sendmail server should be replaced by Postfix or qmail for improved security, but sshd and proftpd are fine.
D. Because sendmail and proftpd both use unencrypted text-mode data transfers, neither is appropriate on a network-connected computer.
E. No conclusion can be drawn without further information; the listed servers may or may not be appropriate or authentic.

2. As part of a security audit, you plan to use Nmap to check all the computers on your network for unnecessary servers. Which of the following tasks should you do prior to running your Nmap check?

A. Back up /etc/passwd on the target systems to eliminate the possibility of its being damaged.
B. Obtain the root passwords to the target systems so that you can properly configure them to accept the Nmap probes.
C. Obtain written permission from your boss to perform the Nmap sweep.
D. Configure /etc/sudoers on the computer you intend to use for the sweep, to give yourself the ability to run Nmap.
E. Disable any firewall between the computer that’s running Nmap and the servers you intend to scan.

3. Your login server is using PAM, and you want to limit users’ access to system resources. Which configuration file will you need to edit?

A. /etc/limits.conf
B. /etc/pam/limits.conf
C. /etc/security/limits.conf
D. /etc/security/pam/limits.conf
E. /usr/local/limits.conf

4. Which of the following tools might you use to check for open ports on a local computer? (Select three.)

A. Nmap
B. netstat
C. lsof
D. portmap
E. services

5. Which of the following commands will locate all program files on a computer on which the SUID bit is set?

A. find / -type SUID
B. find / -perm +4000 -type f
C. find / -perm +SUID -type f
D. find / -type +4000
E. find / -suid

6. The /etc/sudoers file on a computer includes the following line. What is its effect?

%admin ALL=(ALL) ALL

A. Members of the admin group may run all programs with root privileges by using sudo.
B. Users in the admin user alias, defined earlier in the file, may run all programs with root privileges by using sudo.
C. The admin user alias is defined to include all users on the system.
D. The admin command alias is defined to include all commands.
E. The user admin may run all programs on the computer as root by using sudo.

7. Which command would you type, as root, to discover all the open network connections on a Linux computer?

A. lsof -c a
B. netstat -ap
C. ifconfig eth0
D. nmap -sT localhost
E. top -net

8. A server/computer combination appears in both hosts.allow and hosts.deny. What’s the result of this configuration when TCP Wrappers runs?

A. TCP Wrappers refuses to run and logs an error in /var/log/messages.
B. The system’s administrator is paged to decide whether to allow access.
C. hosts.deny takes precedence; the client is denied access to the server.
D. hosts.allow takes precedence; the client is granted access to the server.
E. The client is granted access to the server if no other client is currently accessing it.

9. When is the bind option of xinetd most useful?

A. When you want to run two servers on one port
B. When you want to specify computers by name rather than IP address
C. When xinetd is running on a system with two network interfaces
D. When resolving conflicts between different servers
E. When xinetd manages a DNS server program

10. You’ve discovered that the Waiter program (a network server) is running inappropriately on your computer. You therefore locate its SysV startup script and shut it down by removing that script from your default runlevel. How can you further reduce the risk that the Waiter program will be abused by outsiders? (Select two.)

A. By blocking the Waiter program’s port using a firewall rule
B. By reading the Waiter program’s documentation to learn how to run it in stealth mode
C. By tunneling the Waiter program’s port through SSH
D. By uninstalling the Waiter package
E. By uninstalling any clients associated with Waiter from the server computer

11. You want to use xinetd access controls to limit who may access a server that’s launched via xinetd. Specifically, only users on the 192.168.7.0/24 network block should be able to use that server. How may you do this?

A. Enter hosts_allow = 192.168.7.0/24 in the /etc/xinetd.d configuration file for the server in question.
B. Enter only_from = 192.168.7.0/24 in the /etc/xinetd.d configuration file for the server in question.
C. Enter server : 192.168.7., where server is the server’s name, in the /etc/hosts.allow file.
D. Enter server : 192.168.7., where server is the server’s name, in the /etc/hosts.deny file.
E. Type iptables -L 192.168.7.0 to enable only users of 192.168.7.0/24 to access the server.

12. Of the following, which is the best password?

A. Odysseus
B. iA71Oci^My~~~~~~
C. pickettomato
D. Denver2Colorado
E. 123456

13. Which of the following types of attacks involves sending bogus email to lure unsuspecting individuals into divulging sensitive financial or other information?

A. Phishing
B. Script kiddies
C. Spoofing
D. Ensnaring
E. Hacking

14. Ordinary users report being unable to log onto a computer, but root has no problems doing so. What might you check for to explain this situation?

A. A misbehaving syslogd daemon
B. A login process that’s running as root
C. The presence of an /etc/nologin file
D. The presence of an SUID bit on /bin/login
E. Inappropriate use of shadow passwords

15. Which servers might you consider retiring after activating an SSH server? (Select two.)

A. SMTP
B. Telnet
C. FTP
D. NTP
E. Samba

16. You find that the ssh_host_dsa_key file in /etc/ssh has 0666 (-rw-rw-rw-) permissions. Your SSH server has been in operation for several months. Should you be concerned?

A. Yes
B. No
C. Only if the ssh_host_dsa_key.pub file is also world-readable
D. Only if you’re launching SSH from a super server
E. Only if you’re using a laptop computer

17. For best SSH server security, how should you set the Protocol option in /etc/ssh/sshd_config?

A. Protocol 1
B. Protocol 2
C. Protocol 1,2
D. Protocol 2,1
E. Protocol *

18. Why is it unwise to allow root to log on directly using SSH?

A. Disallowing direct root access means that the SSH server may be run by a non-root user, improving security.
B. The root password should never be sent over a network connection; allowing root logins in this way is inviting disaster.
C. SSH stores all login information, including passwords, in a publicly readable file.
D. When logged on using SSH, root’s commands can be easily intercepted and duplicated by undesirable elements.
E. Somebody with the root password but no other password can then break into the computer.

19. You’ve downloaded a GPG public key from a Web site, into the file fredkey.pub. What must you do with this key to use it?

A. Type inspect-gpg fredkey.pub.
B. Type gpg --readkey fredkey.pub.
C. Type import-gpg fredkey.pub.
D. Type gpg --import fredkey.pub.
E. Type gpg -import fredkey.pub.

20. You want to send an encrypted message to an email correspondent. You both have GPG. What do you need to exchange before you can send your encrypted message?

A. Your correspondent must obtain your GPG public key.
B. Your correspondent must obtain your GPG private key.
C. You must exchange private keys with your correspondent.
D. You must obtain your correspondent’s GPG private key.
E. You must obtain your correspondent’s GPG public key.

Appendix A

Answers to Review Questions

Chapter 1: Exploring Linux Command-Line Tools

1. D. Any of these approaches will work, or at least might work. (You might err when performing any of them.) Option B or C is likely to be the most efficient approach; with a long filename to type, option A is likely to be tedious.

2. E. The echo command is implemented internally to bash, although an external version is also available on most systems. The cat, less, tee, and sed commands are not implemented internally to bash, although they can be called from bash as external commands.

3. E. The echo command echoes what follows to standard output, and $PROC is an environment variable. Thus, echo $PROC displays the value of the $PROC environment variable, meaning that it must have been set to the specified value by you, one of your configuration files, or a program you’ve run. Although many environment variables are set to particular values to convey information, $PROC isn’t a standard environment variable that might be associated with information described in options A, B, C, or D.

4. A. The pwd command prints (to standard output) the name of the current working directory. The remaining options are simply incorrect, although option B describes the cd command, and various tools can be used to reformat wide text for display or printing in fewer columns, as in option C.

5. D. The exec command causes the rest of the command to replace the current shell. Thus, when you exit from gedit in this scenario, the result will be the same as if you’d terminated the shell; namely, the xterm window will close. The exec command doesn’t raise the execution privilege, so option A is incorrect. (The su and sudo commands can raise execution privilege, though.) Because the xterm window closes, option B is incorrect. X won’t ordinarily terminate when a single xterm does, and definitely not if that xterm was launched from a window manager, so option C is incorrect. The exec command does not cause re-execution of the command after the first instance terminates, so option E is incorrect.

6. A. The dot (.) character refers to the current working directory, and the slash (/) is a directory separator. Thus, preceding a program name by ./ unambiguously identifies the intention to run the program that’s stored in the current directory. Option B will run the first instance of the program that’s found on the current path. Because paths often omit the current directory for security reasons, this option is likely to fail. The run command isn’t a standard Linux command, so option C is unlikely to do anything, much less what the question specifies. Option D would be correct except that it reverses the order of the two characters. The effect is to attempt to run the .myprog file in the root (/) directory. This file probably doesn’t exist, and even if it did, it’s not the file the question specifies should be run. Option E runs the first instance of myprog found on the path, and additionally it runs the program in the background. (Chapter 2 covers background execution in more detail.)

7. E. By default, man uses the less pager to display information on most Linux systems, so option E is correct. Although an X-based version of man does exist (xman), the basic man doesn’t use a custom X-based application (option A), nor does it use Firefox (option B) or the Vi editor (option D). The info command is a competing documentation system to man, so option C is incorrect.

8. C. The > redirection operator stores a command’s standard output in a file, overwriting the contents of any existing file by the specified name, so option C is correct. Option A specifies the standard input redirection so that ifconfig will take the contents of file.txt as input. Option B is almost correct; the >> redirection operator redirects standard output, as requested, but it appends data to the specified file rather than overwriting it. Option D specifies a pipe; the output of ifconfig is sent through the file.txt program, if it exists. (Chances are it doesn’t, so you’d get a command not found error message.) Option E redirects standard error, rather than standard output, to file.txt, and so is incorrect.

9. C. The &> redirection operator sends both standard output and standard error to the specified file, as option C states. (The name of the file, input.txt, is intentionally deceptive, but the usage is still valid.) Option A mentions standard error but describes it as if it were an input stream, which it’s not; it’s an output stream. Option B mentions standard input, but the &> operator doesn’t affect standard input. Because only option C is correct, neither option D nor E can be correct.

10. E. In principle, you can pipe together as many commands as you like. (In practice, of course, there will be limits based on input buffer size, memory, and so on, but these limits are far higher than the 2, 3, 4, or 16 commands specified in options A, B, C, and D.)

11. B. The tee command sends its output both to standard output and to a named file. Thus, placing the tee command (with an output filename) after another command and a pipe will achieve the desired effect. Options A and D redirect gabby’s output to a file, which means you won’t be able to see the output and interact with it. Option C sends the contents of gabby-out.txt to gabby as input, which isn’t what’s desired, either. Option E attempts to run gabby-out.txt as a program and use its output as command-line arguments to gabby, which is not what’s desired.

12. C. The 2> redirection operator redirects standard error only, leaving standard output unaffected. Sending standard error to /dev/null gets rid of it. Thus, option C is correct. Option A pipes the standard output of verbose through the quiet program, which isn’t a standard Linux program. Option B sends both standard output and standard error to /dev/null, so you won’t be able to interact with the program, as the question specifies you must be able to do. Option D redirects standard output only to the junk.txt file, so once again, interaction will be impossible—and you’ll see the unwanted error messages on the screen. Option E’s quiet-mode program is fictitious (or at least non-standard), so this option is incorrect.

13. A. Option A correctly describes the difference between these two redirection operators. Option B is almost correct, but the >> operator will create a new file if one doesn’t already exist. The >> operator does not redirect standard error (as stated in option C) or standard input (as stated in option D). Both operators will create a new file if one doesn’t already exist, contrary to what option E states.

14. C. The tail command displays the final 10 lines of a file, so option C is correct. (You can change the number of lines displayed with the -n option.) The uniq command (option A) removes duplicate lines from a list. The cut command (option B) echoes the specified characters or fields from an input text file. The wc command (option D) displays counts of the number of characters, words, and lines in a file. The fmt command (option E) is a plain-text formatter.

15. A. The pr program takes a text file as input and adds formatting features intended for printing, such as a header and blank lines to separate pages. The command also pipes the output through lpr (which is a Linux printing command). Option A describes these effects and so is correct. Option B describes the effect of the cat program, and so is incorrect. The conversion of tabs to spaces can be done by the expand program, so option C is incorrect. Although the specified command does print report.txt, error messages are not stored in the lpr file, so option D is incorrect. Because option A is correct, option E is incorrect.

16. B, C, D. The nl command numbers lines, so it does this task without any special options, and option B is correct. (Its options can fine-tune the way it numbers lines, though.) The cat command can also number lines via its -b and -n options; -b numbers non-blank lines, whereas -n numbers all lines (including blank lines). Thus, options C and D are both correct. Neither the fmt command nor the od command will number the lines of the input file, so options A and E are both incorrect.

17. C. The sed utility can be used to “stream” text and change one value to another. In this case, the s option is used to replace dog with mutt, making option C correct. The syntax in option A is incorrect, and choices B and D are incorrect because grep doesn’t include the functionality needed to make the changes. Option E combines fmt, cut, and redirection in a way that simply won’t work to achieve the desired goal.

18. B. The fmt command performs the desired task of shortening long lines by inserting carriage returns. It sends its results to standard output, so option B uses output redirection to save the results in a new file. The sed command of option A won’t accomplish anything useful; it only replaces the string Ctrl-M with the string NL. Although these strings are both sometimes used as abbreviations for carriage returns or new lines, the replacement of these literal strings isn’t what’s required. Option C creates an exact copy of the original file, with the long single-line paragraphs intact. Although option D’s pr command is a formatting tool, it won’t reformat individual paragraphs. It will also add headers that you probably don’t want. Option E’s grep command searches for text within files; it won’t reformat text files.

19. A. The grep utility is used to find matching text within a file and print those lines. It accepts regular expressions, which means you can place in brackets the two characters that differ in the words for which you’re looking. Thus, option A is correct. The syntax for sed, od, cat, and find wouldn’t perform the specified task, so options B through E are all incorrect.

20. C. The bracket expression within the d[o-u]g regular expression in option C means that any three-character string beginning in d, ending in g, and with the middle character being between o and u will match. These results meet the question’s criteria. Option A’s dot matches any single character, so d.g matches all three words. The bracket expression [ou] in option B matches the characters o and u, but no other values. Since the question specifies that some other matches will be made, this option is incorrect. Option D’s di*g matches dig; diig; diiig; or any other word that begins with d, ends with g, and contains any number of i letters in between. Thus, option D matches dig but not dog or dug as required. Option E, like Option A, uses a dot to match any character, so it will actually match certain four-letter words, but not dog or dug.

Chapter 2: Managing Software

1. D. Because they must be compiled prior to installation, source packages require more time to install than binary packages do, contrary to option D’s assertion, thus making this option correct. The other options all describe advantages of source packages over binary packages.

2. A. The two systems use different databases, which makes coordinating between them difficult. Thus, using them both simultaneously is inadvisable, making option A correct. Package management systems don’t share information, but neither do their databases actively conflict, so option B is incorrect. Installing the same libraries using both systems would almost guarantee that the files served by both systems would conflict with one another, making option C incorrect. Actively using both RPM and Debian packages isn’t common on any distribution, although it’s possible with all of them, so option D is incorrect. The alien program converts between package formats. Although it requires that both systems be installed to convert between them, alien is not required to install both these systems. Thus, option E is incorrect.

3. E. RPMs are usually portable across distributions, but occasionally they contain incompatibilities, so option E is correct. The package format and software licensing have nothing to do with one another, so option A is incorrect. There is no --convert-distrib parameter to rpm, so option B is incorrect. Although recompiling a source package can help work around incompatibilities, this step is not always required, so option C is incorrect. Binary packages can’t be rebuilt for another CPU architecture, so option D is incorrect, although source packages may be rebuilt for any supported architecture provided the source code doesn’t rely on any CPU-specific features.

4. B. The -i operation installs software, so option B is correct. (The -v and -h options cause a status display of the progress of the operation, which wasn’t mentioned in the option.) Uninstallation is performed by the -e operation, and rebuilding source RPMs is done by the --rebuild operation (to either rpm or rpmbuild, depending on the RPM version), so options A and C are incorrect. Although the filename megaprog.rpm is missing several conventional RPM filename components, the rpm utility doesn’t use the filename as a package validity check, so option D is incorrect. Option E describes a package upgrade, which is handled by the -U operation, not -i as in the question, so option E is incorrect.

5. A. The rpm2cpio program extracts data from an RPM file and converts it into a cpio archive that’s sent to standard output. Piping the results through cpio and using the -i and --make-directories options, as in option A, will extract those files to the current directory. Option B creates a cpio file called make-directories that contains the files from the RPM package. Option C will uninstall the package called myfonts.rpm (but not the myfonts package). The alien utility has no --to-extract target, so option D is invalid. The rpmbuild utility builds a source RPM into a binary RPM, making option E incorrect.

6. E. An uppercase -P invokes the purge operation, which completely removes a package and its configuration files, so option E is correct. The -e parameter uninstalls a package for rpm, but not for dpkg, so option A is incorrect. The lowercase -p causes dpkg to print information about the package’s contents, so option B is incorrect. The -r parameter removes a package but leaves configuration files behind, so options C and D are both incorrect. (Option D also specifies a complete filename, which isn’t used for removing a package—you should specify only the shorter package name.)

7. C. You can specify Debian package archive sites in /etc/apt/sources.list, and then you can type apt-get update and apt-get upgrade to quickly update a Debian system to the latest packages, so option C is correct. GUI package management tools for Debian and related distributions exist, but they aren’t apt-get, so option A is incorrect. The alien program can convert a tarball and install the converted package on a Debian system, but apt-get can’t do this, so option B is incorrect. dpkg and apt-get both come with all Debian-based distributions, so option D is incorrect. The dpkg program can install only Debian packages on Debian-based systems, but apt-get can work with both package systems, so option E is backward.

8. E. The --get-selections action to dpkg displays the names of all installed packages, making option E correct. There is no showall option to apt-get, so option A is incorrect. The showpkg subcommand to apt-cache displays information about a named package; when used without a package name, as in option B, it displays no data. The dpkg -r action removes a package, so option C would remove the package called allpkgs if it were installed. The dpkg -i action installs a package, so option D is incorrect—and that option doesn’t list a package name, which the -i action requires.

9. D. The update option to apt-get causes retrieval of new information, as described in option D. This option is perfectly valid, contrary to option A’s assertion. The apt-get program doesn’t permit you to upload information to the Internet repositories, so option B is incorrect. Option C describes the effect of the upgrade or dist-upgrade options, not the update option. The upgrade or dist-upgrade options can upgrade APT itself, but update alone won’t do the job, so option E is incorrect.

10. A, B. The yum utility’s update and upgrade options are nearly identical in effect, and either can be used to upgrade an individual package, such as unzip, so options A and B are both correct. The primary command options to yum don’t use dashes, so options C and D are both incorrect. The check-update option to yum checks for the availability of updates but does not install them, so option E is incorrect.

11. B. Yum uses files in the /etc/yum.repos.d directory to locate its repositories, so you can add to the repository list by adding files to this subdirectory, as option B specifies, typically either by installing an RPM or by adding a file manually. Option A describes a method of adding a repository to a computer that uses APT, not Yum. Option C’s add-repository subcommand is fictitious. Although the /etc/yum.conf file described in options D and E is real, it doesn’t store repository data.

12. B. The /etc/ld.so.conf file holds the global library path, so editing it is the preferred approach. You must then type ldconfig to have the system update its library path cache. Thus, option B is correct. Although you can add a directory to the library path by altering the LD_LIBRARY_PATH environment variable globally, as in option A, this approach isn’t the preferred one, so this option is incorrect. Option C simply won’t work. Option D also won’t work, although linking individual library files would work. This method isn’t the preferred one for adding a whole directory, though. The ldd utility displays information on libraries used by executable files, so option E won’t have the desired effect.

13. D. Libraries are selected by programmers, not by users or system administrators. If you don’t like the widgets provided by one library, you have few options, and option D is correct. (Many widget sets do provide a great deal of configurability, though, so you may be able to work around the problem in other ways.) Options A, B, and E describe fictitious options to ldconfig, rpm, dpkg, and the kernel. Option C wouldn’t work; Qt-using programs would crash when they found GTK+ libraries in place of the Qt libraries they were expecting.

14. D. The kill program accepts various signals in numeric or named form (9 in this example) along with a process ID number (11287 in this example). Signal 9 corresponds to SIGKILL, which is an extreme way to kill processes that have run out of control. Thus, option D describes the effect of this command. Although you might use kill to kill network processes, you can’t pass kill a TCP port number and expect it to work, so option A is incorrect. The program also won’t display information about the number of processes that have been killed, making option B incorrect. To do as option C suggests, you’d need to tell kill to pass SIGHUP (signal 1), so the command would be kill -1 11287, and option C is incorrect. The kill program can’t change the priority of a process, so option E is incorrect.

15. C, D. The top utility displays a dynamic list of processes ordered according to their CPU use along with additional system information, including load averages, so option C is correct. If you want only the load average at a specific moment, uptime (option D) may be better because it presents less extraneous information—it shows the current time, the time since the system was booted, the number of active users, and the load averages. Option A’s ld command has nothing to do with displaying load averages (it’s a programming tool that links together program modules into an executable program). There are no standard Linux programs called load (option B) or la (option E).

16. A. The --forest option to ps shows parent-child relationships by creating visual links between process names in the ps output, making option A correct. (Listing 2.4 shows this effect.) Options B and C are both valid ps commands, but neither creates the specified effect. Option D describes a fictitious ps option. Since options B, C, and D are incorrect, option E is also necessarily incorrect.

17. A. CPU-intensive programs routinely consume 90 percent or more of available CPU time, but not all systems run such programs. Furthermore, some types of program bugs can create such CPU loads. Thus, option A is correct, and you must investigate the matter more. What is dfcomp? Is it designed as a CPU-intensive program? Is it consuming this much CPU time consistently, or was this a brief burst of activity? Options B, C, D, and E all jump to conclusions or present fictitious reasons for the behavior being normal or abnormal.

18. E. The jobs command summarizes processes that were launched from your current shell. When no such processes are running, jobs returns nothing, so option E is correct. The jobs command doesn’t check or summarize CPU load, so option A is incorrect. The jobs command also doesn’t check for processes run from shells other than the current one, so option B is incorrect (processes running under your username could have been launched from another shell or from a GUI environment). There is no standard jobs shell in Linux, so option C is incorrect. Because the jobs output is limited to your own processes in the shell you’re running, a blank output does not indicate a crashed system, making option D incorrect.

19. C, E. The nice command launches a program (crunch in this example) with increased or decreased priority. The default priority when none is specified is 10, and the nice -10 crunch command also sets the priority to 10, so options C and E are equivalent. Option A isn’t a valid nice command because nice has no --value option. Option B is a valid nice command, but it sets the priority to −10 rather than 10. Despite the similarity in form of options C and D, option D is not a valid nice command, and so is incorrect. (When passing a numeric value to nice, you must use a preceding dash, -, or -n.)

20. D, E. Linux insulates users’ actions from one another, and this rule applies to renice; only root may modify the priority of other users’ processes, so option D is correct. Similarly, only root may increase the priority of a process, in order to prevent users from setting their processes to maximum priority, thus stealing CPU time from others, so option E is correct. Option A correctly describes nice, but not renice; the whole point of renice is to be able to change the priorities of existing processes. Contrary to option B, renice doesn’t care about the shell from which renice or the target program was launched. Users may use renice to decrease their own processes’ priorities, contrary to option C.

Chapter 3: Configuring Hardware

1. B, C. IRQs 3 and 4 are common defaults for RS-232 serial ports, so options B and C are both correct. IRQ 1 is reserved for the keyboard, so option A is incorrect. IRQ 8 is reserved for use by the real-time clock, so option D is incorrect. Although IRQ 16 exists on modern systems, it didn’t exist on early x86 systems, and its purpose isn’t standardized.

2. A. Modern firmware (BIOSs and EFIs) provide the means to disable many onboard devices, including sound hardware, in case you don’t want to use them, so option A is correct. Although the alsactl utility mentioned in option B is real, it’s used to load or store sound card mixer settings, not to disable the sound hardware. The lsmod command mentioned in option C displays information about loaded kernel modules, but it doesn’t remove them or disable the hardware they use. Similarly, option D’s lspci displays information on PCI devices but can’t disable them. Contrary to option D, on-board sound hardware can usually be disabled.

3. E. The udev software creates and manages a dynamic /dev directory tree, adding entries to that directory for devices that exist on the target system, so option E is correct. The udev software has nothing to do with software development (option A). It doesn’t unload drivers (option B) or load drivers (option C), although it does respond to the loading of drivers by creating appropriate entries in /dev. It also doesn’t store BIOS configuration options in a file (option D).

4. E. SATA disks are usually handled by Linux’s SCSI subsystem and so are referred to as /dev/sdx; however, some drivers handle these disks as if they were PATA disks and so refer to them as /dev/hdx. Thus, option E is correct, and both options A and C are incorrect. The /dev/mapper directory holds device files related to LVM and RAID configurations, not disk partition identifiers, so option B is incorrect. Option D (C:) is how Windows would likely refer to the first partition on the disk, but Linux doesn’t use this style of disk identifier.

5. A, C, D. There are no files called /proc/ioaddresses or /proc/hardware, so options B and E are both incorrect. All the other files listed contain useful information; /proc/ioports holds information about I/O ports, /proc/dma holds information about DMA port usage, and /proc/interrupts holds information about IRQs.

6. B. Logical partitions are numbered 5 and up, and they reside in an extended partition with a number between 1 and 4. Therefore, one of the first two partitions must be an extended partition that houses partitions 5 and 6, making option B correct. Because one of the first two partitions is an extended partition, the other must be a primary partition, and there can be no more of either type of partition. This makes option A incorrect. Gaps in the range of partitions 1−4 are normal in MBR disks, contrary to option C. Because logical partitions are numbered starting at 5, their numbers won’t change if /dev/sda3 is subsequently added, so option D is incorrect. On MBR disks, partitions 1−4 must be primary or extended partitions; logical partitions are numbered 5 and up. Thus, option E is incorrect.

7. E. The /etc/fstab file contains the mapping of partitions to mount points, so /etc must be an ordinary directory on the root partition, not on a separate partition, making option E correct. Although option A’s statement that the system won’t boot is correct, the reason is not; /home holds user files, not critical system files. Options B and C describe restrictions that don’t exist. Option D would be correct if /etc were not a separate partition.

8. D. The /home directory (option D) is frequently placed on its own partition in order to isolate it from the rest of the system and sometimes to enable use of a particular filesystem or filesystem mount options. The /bin and /sbin directories (options A and B) should never be split off from the root (/) filesystem because they contain critical executable files that must be accessible in order to do the most basic work, including mounting filesystems. The /mnt directory (option C) often contains subdirectories used for mounting floppy disks, CD-ROMs, and other removable media or may be used for this purpose itself. It’s seldom used to directly access hard disk partitions, although it can be used for this purpose. The /dev directory (option E) usually corresponds to a virtual filesystem, which holds pseudo-files but is not stored on a disk partition.

9. A. The 0x0f partition type code is one of two common partition type codes for an extended partition. (The other is 0x05.) The 0x82 code refers to a Linux swap partition, and 0x83 denotes a Linux filesystem partition. Thus, it appears that this disk holds Linux partitions, making option A correct. DOS, Windows 9x/Me, Windows NT/200x/XP, FreeBSD, and Mac OS X all use other partition type codes for their partitions, so options B, C, and E are all incorrect. (Mac OS X is also rarely installed to MBR disks.) Partitions exist, in part, to enable different OSs to store their data side-by-side on the same disk, so mixing several partition types (even for different OSs) on one disk does not indicate disk corruption, making option D incorrect.

10. C. Linux’s fdisk doesn’t write changes to disk until you exit the program by typing w. Typing q exits without writing those changes, so typing q in this situation will avert disaster, making option C correct. Typing w (option B) would be precisely the wrong thing to do. Because fdisk doesn’t write changes until you type w, the damage is not yet done, contrary to option A. Typing u (option D) or t (option E) would do nothing useful because those aren’t undo commands.

11. E. The mkfs command creates a new filesystem, overwriting any existing data and therefore making existing files inaccessible, as stated in option E. This command doesn’t set the partition type code in the partition table, so option A is incorrect. The mkfs command is destructive, contrary to option B. The -t ext2 option tells mkfs to create an ext2 filesystem; it’s a perfectly valid option, so option C is incorrect. Although mkfs could (destructively) convert ext2fs to ext4fs, the -t ext2 option clearly indicates that an ext2 filesystem is being created, so option D is incorrect.

12. B. Although they have similar names and purposes, Linux’s fdisk isn’t modeled after DOS’s FDISK, so option B is correct and option A is not. DOS’s FDISK does not have GUI controls, contrary to option C. Linux’s fdisk does not format floppy disks, contrary to option D. Both programs manage MBR disks, contrary to option E.

13. E. Swap partitions aren’t mounted in the way filesystems are, so they have no associated mount points, making option E correct.

14. C. The -t option is used to tell fsck what filesystem to use, so option C is correct. (If this option isn’t used, fsck determines the filesystem type automatically.) The -A option (option A) causes fsck to check all the filesystems marked to be checked in /etc/fstab. The -N option (option B) tells fsck to take no action and to display what it would normally do without doing it. The -C option (option D) displays a text-mode progress indicator of the check process. The -f option (option E) is fictitious.

15. A. A default use of df reports the percentage of disk space used (option D) and the mount point for each filesystem (option E). The number of inodes (option B) and filesystem types (option C) can both be obtained by passing parameters to df. This utility does not report how long a filesystem has been mounted (option A), so that option is correct.

16. D. The journal of a journaling filesystem records pending operations, resulting in quicker disk checks after an uncontrolled shutdown, so option D is correct. Contrary to option A, journaling filesystems are, as a class, newer than non-journaling filesystems; in fact, the journaling ext3fs is built upon the non-journaling ext2fs. Although disk checks are quicker with journaling filesystems than with non-journaling filesystems, journaling filesystems do have fsck utilities, and these may still need to be run from time to time, so option B is incorrect. All Linux-native filesystems support Linux ownership and permissions; this isn’t an advantage of journaling filesystems, contrary to option C. The journal of a journaling filesystem doesn’t provide an unlimited “undo” feature, so option E is incorrect.

17. E. When typed without a filesystem type specification, mount attempts to auto-detect the filesystem type. If the media contains any of the specified filesystems, it should be detected and the disk mounted, so option E is correct.

18. B. The /etc/fstab file consists of lines that contain the device identifier, the mount point, the filesystem type code, filesystem mount options, the dump flag, and the filesystem check frequency, in that order. Option B provides this information in the correct order and so will work. Option A reverses the second and third fields but is otherwise correct. Options C, D, and E all scramble the order of the first three fields and also specify the noauto mount option, which causes the filesystem to not mount automatically at boot time.

19. A, B, C. The user, users, and owner options in /etc/fstab all enable ordinary users to mount a filesystem, but with slightly different implications: user enables anybody to mount a filesystem, and only that user may unmount it; users enables anybody to mount a filesystem, and anybody may unmount it; and owner enables only the owner of the mount point to mount or unmount a filesystem. Thus, options A, B, and C are all correct. The owners parameter of option D doesn’t exist. The uid=1000 parameter of option E tells Linux to set the ownership of files to UID 1000 on filesystems that lack Linux permissions features. Although this might be desirable for some disks, it doesn’t enable the user with UID 1000 to mount the disk, so option E is incorrect.

20. A. Option A correctly describes the safe procedure for removing a removable medium that lacks a locking mechanism from a Linux computer. (Instead of typing umount /media/usb, you could type umount /dev/sdb1; in this context, the two commands are equivalent.) Option B reverses the order of operations; the umount command must be typed before you physically remove the flash drive. Option C also has it backward; the sync command would need to be issued before removing the drive. (The sync command can prevent damage when removing disks, but it isn’t a complete substitute for umount.) There is no standard usbdrive-remove command in Linux, and if you were to write a script that calls umount and call it usbdrive-remove, pulling the flash drive quickly, as option D describes, would be exactly the wrong thing to do. The fsck command of option E checks a filesystem for errors. It’s not necessary to do this before removing a disk, and it won’t unmount the disk, so option E is incorrect.

Chapter 4: Managing Files

1. B. The touch utility updates a file’s time stamps, as option B specifies. (If the specified file doesn’t exist, touch creates an empty file.) You can’t move files with touch; that’s the job of the mv command, so option A is incorrect. Various tools can convert end-of-line formats, but touch is not one of them, so option C is incorrect. Testing the validity of disk structures, as in option D, is normally done on a whole-filesystem basis with fsck and related tools; touch can’t do this job. You can write cached data to disk for a whole filesystem by unmounting it or by using sync, but touch can’t do this, so option E is incorrect.

2. A, D. The -s and --symbolic options to ln are equivalent, and both create a symbolic (aka soft) link. Thus, options A and D are both correct. Options B, C, and E are all fictitious.

3. A. The -l parameter produces a long listing, including file sizes. The -a parameter produces a listing of all files in a directory, including the dot files. Combining the two produces the desired information (along with information about other files), so option A is correct. The -p, -R, -d, and -F options don’t have the specified effects, so the remaining options are all incorrect.

4. D. When moving from one partition or disk to another, mv must necessarily read and copy the file and then delete the original if that copy was successful, as stated in option D. If both filesystems support ownership and permissions, they’ll be preserved; mv doesn’t need an explicit --preserve option to do this, and this preservation does not rely on having exactly the same filesystem types. Thus, option A is incorrect. Although mv doesn’t physically rewrite data when moving within a single low-level filesystem, this approach can’t work when you’re copying to a separate low-level filesystem (such as from a hard disk to a pen drive); if the data isn’t written to the new location, it won’t be accessible should the disk be inserted in another computer. Thus, option B is incorrect. Although not all filesystems support ownership and permissions, many do, and these attributes are preserved when moving files between them, so option C is incorrect. Although FAT is a common choice on removable media because of its excellent cross-platform support, other filesystems will work on such disks, so option E is incorrect.

5. A, B. If you try to create a directory inside a directory that doesn’t exist, mkdir responds with a No such file or directory error. The --parents parameter tells mkdir to automatically create all necessary parent directories in such situations, so option A is correct. You can also manually do this by creating each necessary directory separately, so option B is also correct. (It’s possible that mkdir one wouldn’t be necessary in this example if the directory one already existed. No harm will come from trying to create a directory that already exists, although mkdir will return a File exists error.) Typing touch /bin/mkdir, as option C suggests, will likely result in an error message if typed as a normal user and won’t help if typed as root, so this option is incorrect. Clearing away existing directories in the one/two/three tree won’t help, so option D is incorrect. Option E’s mktree command is fictitious.

6. D, E. The cpio and tar programs are common Linux archive-creation utilities, so options D and E are both correct. The restore command restores (but does not back up) data; its backup counterpart command is dump. Thus, option A is incorrect. The vi command launches a text editor; it’s not used to create archives, so option B is incorrect. There is no standard tape command in Linux, so option C is incorrect.

7. E. With the tar utility, the --list (t) command is used to read the archive and display its contents. The --verbose (v) option creates a verbose file listing, and --file (f) specifies the filename—data79.tar in this case. Option E uses all of these features. Options A, B, C, and D all substitute other commands for --list, which is required by the question.

8. A. Symbolic links can point across filesystems, so creating a symbolic link from one filesystem (in which your home directory resides) to another (on the CD-ROM) isn’t a problem, making option A correct. Hard links, as in options B, C, and D, are restricted to a single filesystem and so won’t work for the described purpose. Because symbolic links will work as described, option E is incorrect.

9. E. Option E is the correct command. Typing chown ralph:tony somefile.txt, as in option A, sets the owner of the file to ralph and the group to tony. The chmod command used in options B and D is used to change file permissions, not ownership. Option C reverses the order of the filename and the owner.

10. C, E. The d character that leads the mode indicates that the file is actually a directory (option C), and the r symbol in the r-x triplet at the end of the symbolic mode indicates that all users of the system have read access to the directory (option E). Symbolic links are denoted by leading l characters, which this mode lacks, so option A is incorrect. Although the x symbols usually denote executable program files, as specified in option B, in the case of directories this permission bit indicates that the directory’s contents may be searched; executing a directory is meaningless. SUID bits are indicated by an s character in place of the owner’s execute bit position in the symbolic mode. Since this position holds an x in this example, option D is incorrect.

11. C. The set user ID (SUID) bit enables programs to run as the program’s owner rather than as the user who ran them. This makes SUID root programs risky, so setting the SUID bit on root-owned programs should be done only when it’s required for the program’s normal functioning, as stated in option C. This should certainly not be done for all programs because the SUID bit is not required of all executable programs as option A asserts. Although the SUID root configuration does enable programs to access device files, the device files’ permissions can be modified to give programs access to those files, if this is required, so option B is incorrect. Although SUID root programs are a security risk, as stated in option D, they’re a necessary risk for a few programs, so option D goes too far. Many program files that should not be SUID root are owned by root, so option E is incorrect.

12. E. Using symbolic modes, the o+r option adds read (r) permissions to the world (o). Thus, option E is correct. Option A sets the mode to rwxr----x, which is a bit odd and doesn’t provide world read access to the file, although it does provide world execute access. Option B sets the mode to rw-r-----, which gives the world no access whatsoever to the file. Option C adds read access to the file for the owner (u) if the owner doesn’t already have this access; it doesn’t affect the world permissions. Option D removes read access for all users, so it’s incorrect.

13. D. Option D, 027, removes write permissions for the group and all world permissions. (Files normally don’t have execute permissions set, but explicitly removing write permissions when removing read permissions ensures reasonable behavior for directories.) Option A, 640, is the octal equivalent of the desired rw-r----- permissions; but the umask sets the bits that are to be removed from permissions, not those that are to be set. Option B, 210, would remove write permission for the owner, but it wouldn’t remove write permission for the group, which is incorrect. This would also leave all world permissions open. Option C, 022, wouldn’t remove world read permission. Option E, 138, is an invalid umask, since all the digits in the umask must be between 0 and 7.

14. E. Using quotas requires kernel support, the usrquota or grpquota (for user or group quotas) filesystem mount option, and activation via the quotaon command (which often appears in system startup scripts). Thus, option E is correct. Option A suggests that quotaon is not necessary, which is incorrect. Option B’s statement that grpquota is invalid is incorrect. Option C’s statement that these options disable quota support is backward. The usrquota and grpquota options are both valid, so option D is incorrect.

15. B. The repquota utility is used to summarize the quota information about the filesystem. When used with the -a option, it shows this information for all filesystems, so option B is correct. This command won’t return useful information when typed alone, though, so option A is incorrect. The quotacheck utility checks quota information about a disk and writes corrections, so options C and D are both incorrect. The edquota utility enables you to edit quota information. It doesn’t summarize quota information, and -a isn’t a valid option to edquota. Thus, option E is incorrect.

16. D. The /opt directory tree exists to hold programs that aren’t a standard part of a Linux distribution, such as commercial programs. These programs should install in their own directories under /opt; these directories usually have bin subdirectories of their own, although this isn’t required. Thus, option D is correct (that is, it’s a plausible possibility). The /usr/sbin directory holds programs that are normally run only by the system administrator, so it’s not a likely location, making option A incorrect. The /etc/X11 directory holds X-related configuration files, so it’s very unlikely that WonderCalc will be housed there, making option B incorrect. The /boot directory holds critical system boot files, so option C is incorrect. The /sbin directory, like /usr/sbin, is an unlikely location for user files, so option E is incorrect. (Furthermore, /sbin seldom contains subdirectories.)

17. A. The find utility (option A) operates by searching all files in a directory tree, and so it’s likely to take a long time to search all of a computer’s directories. The locate program uses a precompiled database, whereis searches a limited set of directories, and type searches the shell’s path and built-in commands, so these commands will take less time. Thus, options B, C, D, and E are all incorrect.

18. C. The type command identifies a command, as executed by the shell, as being a built-in shell command, a shell alias, or an external command, whereas the whereis command helps find the location of external command files. Thus, option C is correct. Neither type nor whereis identifies the CPU architecture of a program file, can locate commands based on intended purpose, complete an incompletely typed command, or identify a command as a binary or a script; thus, the remaining options are all incorrect.

19. B. The find command includes the ability to search by username using the -user name option, where name is the username; thus, option B is correct. The -uid option to find can also locate files owned by a user, but it takes a numeric user ID (UID) number as an argument, so option A isn’t quite correct. The locate command provides no ability to search by user, so options C and D are incorrect. Although option E is a valid find command, it finds all the files under /home with a filename of karen, not all files owned by the user karen, so this option is incorrect.

20. D. The which program searches the path just as bash does, but it prints the path to the first executable program it finds on the path. Thus, option D is correct. The which program doesn’t conduct an exhaustive search of the system, so there could be many more files called man on the system, contrary to option A. System package tools and which aren’t closely related; option B is incorrect. Although /usr/bin/man would be run when the user whose which output matches that in the question types man, this may not be true of others because the path can vary from one user to another. Thus, option C is incorrect. The which program doesn’t reveal file ownership information, so option E is incorrect.

Chapter 5: Booting Linux and Editing Files

1. C. The Master Boot Record (MBR) can contain a boot loader that is up to 446 bytes in size, so option C is correct. If more space is required, the boot loader must load a secondary boot loader. Although the boot loader is loaded into RAM (option A), it’s not stored there permanently because RAM is volatile storage. Both /dev/boot and /dev/kmem (options B and D) are references to files on Linux filesystems; they’re meaningful only after the BIOS has found a boot loader and run it and lots of other boot processes have occurred. The swap partition (option E) is used as an adjunct to RAM; the BIOS won’t look there for a boot loader.

2. C. Runlevel 1 is single-user mode, and adding the digit 1 to the kernel’s options line in a boot loader will launch the system in this runlevel, so option C is correct. Options A and B both present invalid kernel options and so are incorrect. Although the telinit command specified in options D and E will change the runlevel once the computer is running and runlevel 1 is a single-user mode, these commands are not passed to the kernel via a boot loader, so these options are both incorrect.

3. D. The kernel ring buffer, which can be viewed by typing dmesg (piping this through less is a good supplement), contains messages from the kernel, including those from hardware drivers. These messages may provide a clue about why the disk didn’t appear; thus, option D is correct. The /var/log/diskerror file (option A) is fictitious, as is /mnt/disks (option B). The /etc/inittab file (option C) doesn’t directly control disk access and so is unlikely to provide useful information. The files specified in option C are GRUB Legacy and GRUB 2 configuration files, which don’t contain information that could explain why a disk isn’t responding.

4. B. Ordinarily, Linux runs init (option B) as the first program; init then runs, via various scripts, other programs. The dmesg program (option A) is a user diagnostic and information tool used to access the kernel ring buffer; it’s not part of the startup process. The startup program (option C) is fictitious. The rc program (option D) is a script that some versions of init call, typically indirectly, during the startup sequence, but it’s not the first program the kernel runs. LILO is an older boot loader for Linux on BIOS systems, and lilo (option E) is the command that installs this boot loader to the MBR. Since boot loaders run before the kernel loads, this option is incorrect.

5. D. Option D is the correct GRUB 2 configuration file. Option A is a fictitious file; it doesn’t exist. Although some of GRUB 2’s boot loader code may be written to the MBR, as implied by option B, this isn’t the location of the program’s configuration file. Options C and D are both possible names for the GRUB Legacy configuration file, but that name is not shared by GRUB 2.

6. A. The initrd keyword identifies an initial RAM disk file in the GRUB 2 configuration file, and a space separates this keyword from the filename. (Several variants on this syntax are possible.) Option B adds an equal sign (=), which renders the syntax incorrect. Options C, D, and E use the incorrect initramfs and ramdisk keywords instead of initrd.

7. D. You use grub-install to install the GRUB Legacy boot loader code into an MBR or boot sector. When using grub-install, you specify the boot sector on the command line. The MBR is the first sector on a hard drive, so you give it the Linux device identifier for the entire hard disk, /dev/sda. Hence, option D is correct. Option A specifies using the grub utility, which is an interactive tool, and the device identifier shown in option A is a GRUB-style identifier for what would probably be the /dev/sda3 partition in Linux. Option B is almost correct but installs GRUB to the /dev/sda1 partition’s boot sector rather than the hard disk’s MBR. Option C is the command to install LILO to the MBR rather than to install GRUB. Option E contains the same error as option B, and it also uses the fictitious grub-legacy command.

8. B. The root keyword in a GRUB Legacy configuration file tells the boot loader where to look for files, including its own configuration files, kernel files, and so on. Because GRUB Legacy numbers both disks and partitions starting from 0, (hd1,5) refers to the sixth partition on the second disk, as option B specifies. Option A is incorrect because you pass the Linux root partition to the kernel on the kernel line, not via the GRUB root keyword. Options A, C, and E all misinterpret the GRUB numbering scheme. The GRUB installation location is specified on the grub-install command line, so options D and E are incorrect; and /dev/hd1,5 isn’t a standard Linux device file, so option D is incorrect.

9. B. The initdefault action specifies the default runlevel, so option B is correct. The remaining options are all taken from actual /etc/inittab files but don’t have the specified meaning.

10. A, B, E. Runlevel 0 (option A) is the reserved runlevel for halting the system. Runlevel 1 (option B) is reserved for single-user mode. Runlevel 6 (option E) is reserved for rebooting. Runlevel 2 (option C) is the default runlevel on Debian and most distributions derived from it, but it does none of the things described in the question. Runlevel 5 (option D) is a regular, user-configurable runlevel, which isn’t normally used for the things described in the question. (Many systems use it for a regular boot with a GUI login prompt.)

11. B, C. The first number in the runlevel output is the previous runlevel (the letter N is used to indicate that the system hasn’t changed runlevels since booting). The second number is the current runlevel. Hence, options B and C are both correct, while options A and D are both incorrect. The runlevel changes very quickly, and the runlevel utility doesn’t provide a code to indicate that the runlevel is in the process of being changed, so option E is incorrect.

12. A. The -c option to shutdown cancels a previously scheduled shutdown, as stated in option A. Options B and C describe the effects of the -r and -h options to shutdown, respectively. No shutdown option asks for confirmation before taking action, although you can delay a shutdown by specifying a shutdown time in the future, so option D is incorrect. No shutdown option closes open windows in X, except as a consequence of shutting down, so option E is incorrect.

13. E. There is no standard takedown command in Linux, so option E is correct. The reboot command (option A) is equivalent to shutdown -r, halt (option B) is equivalent to shutdown -H, poweroff (option C) is equivalent to shutdown -P, and telinit 0 (option D) is equivalent to shutdown -H.

14. B. The telinit command is used to change runlevels; when it’s passed the 1 parameter, as in option B, telinit changes to runlevel 1, which is single-user mode. The runlevel command (option A) displays the current runlevel but doesn’t change runlevels. Although telinit can be used to shut down or reboot the computer, the shutdown command (option C) can’t be used to change runlevels except to runlevel 0 or 6. There is no standard single-user command (option D). The halt command (option E), like shutdown, can’t be used to change to single-user mode.

15. E. Runlevel 4 isn’t standardized, and most distributions don’t use it for anything specific (although in practice it will do something if you enter it). Thus, you can safely redefine runlevel 4 to achieve specific goals, and option E is correct. Option A describes runlevel 6. Option B describes runlevel 3 on Red Hat and related distributions. Option C describes runlevel 5 on Red Hat and related distributions. Option D describes runlevel 1.

16. A. In Vi, dd is the command-mode command that deletes lines. Preceding this command by a number deletes that number of lines. Thus, option A is correct. Although yy works similarly, it copies (yanks) text rather than deleting it, so option B is incorrect. Option C works in many more modern text editors, but not in Vi. Option D works in Emacs and similar text editors, but not in Vi. Option E works in many GUI text editors, but not in Vi.

17. D. The :q! Vi command does as option D states. Options A and E are both simply incorrect. Option B would be correct if this command were typed while in Vi’s insert mode, but the question specifies that command mode is in use. To achieve option C, the command would be :wq, not :q!.

18. E. Vi is included on Linux emergency disks, embedded systems, and other systems where space is at a premium because its executable is tiny. Emacs is, in contrast, a behemoth. Thus, option E is correct. Contrary to option A, Vi isn’t an X-based program (although X-based Vi variants are available); Emacs can be used in text mode or with X. Extended Binary Coded Decimal Interchange Code (EBCDIC) is an obscure 8-bit character encoding system used on some very old mainframe OSs. When run on Linux, Vi doesn’t use EBCDIC; furthermore, EBCDIC offers few or no advantages over the American Standard Code for Information Interchange (ASCII). Thus, option B is incorrect. Vi’s modes, referred to in option C, have nothing to do with non-English language support. Option D is backward; it’s Emacs that includes a Web browser, email client, and other add-ons.

19. A, B, C. Typing R (option A) in command mode enters insert mode with the system configured to overwrite existing text. Typing i or a (options B and C, respectively) enters insert mode with the system configured to insert text. (The i and a commands differ in how they place the cursor; a advances one space.) Typing : (option D) in command mode enters ex mode (you typically type the ex-mode command on the same command line immediately after the colon). Pressing the Esc key (option E) returns Vi to command mode from insert mode.

20. B. The Esc key exits Vi’s insert mode, as option B specifies. Typing a tilde (~) inserts that character into the file, so option A is incorrect. The Ctrl+X, Ctrl+C key combination exits from Emacs, but it’s not a defined Vi key sequence, so option C is incorrect. The F10 key and the Shift+Insert key combination also aren’t defined in Vi, so options D and E are both incorrect.

Chapter 6: Configuring the X Window System, Localization, and Printing

1. A. On most Linux systems, some runlevels don’t run X by default, so using one of them along with the startx program (which starts X running) can be an effective way to quickly test changes to an X configuration, making option A correct. The telinit program changes runlevels, which is a lengthy process compared to using startx, so option B is incorrect. Unplugging the computer to avoid the shutdown process is self-defeating because you’ll have to suffer through a long startup (if you use a non-journaling filesystem), and it can also result in data loss. Thus, option C is incorrect. The startx utility doesn’t check the veracity of an X configuration file; it starts X running from a text-mode login, making option D incorrect. Reconfiguring an X server does not normally require network access; the X server runs on the computer at which you sit. Thus, option E is incorrect.

2. D. The XF86Config and xorg.conf file design enables you to define variants or multiple components and easily combine or recombine them as necessary, using the structure specified in option D. Options A, B, and C all describe fictitious structures. Option E is incorrect because the X.org-X11 and XFree86 configuration files use a text-mode structure, not a binary structure.

3. C. The vertical refresh rate range includes a maximum value, but that value may be reduced when the resolution and vertical refresh rate would demand a higher horizontal refresh rate than the monitor can handle. Thus, option C is correct. Since the resolution affects the maximum refresh rate, option A is incorrect. The color depth is irrelevant to resolution and refresh rate calculations, so option B is incorrect. The computations shown in options D and E are bogus, making these options incorrect.

4. E. Option E describes the correct location for this option. The ServerLayout section (referenced in option A) combines all the other options together but doesn’t set the resolution. The Modeline option in the Monitor section (as described in option B) defines one possible resolution, but there may be several Modeline entries defining many resolutions, and there’s no guarantee that any of them will be used. The Modeline option doesn’t exist in the Device section (as suggested by option C), nor is that section where the resolution is set. There is no DefaultResolution section (as referenced in option D).

5. B. By maintaining fonts on one font server and pointing other X servers to that font server, you can reduce the administrative cost of maintaining the fonts on all the systems, so option B is correct. Font servers don’t produce faster font displays than X’s local font handling; if anything, the opposite is true. Thus, option A is incorrect. XFree86 4.x supports TrueType fonts directly, so option C is incorrect. Converting a bitmapped display into ASCII text is a function of optical character recognition (OCR) software, not a font server, so option D is incorrect. Neither X core fonts nor a font server handles font smoothing; for that, you need Xft. Thus, option E is incorrect.

6. C, E. XDMCP servers are typically launched either from a system startup script or by init (as specified in /etc/inittab), as described in options C and E. The XDMCP server then starts X. The Start folder mentioned in option A is a Windows construct, not a Linux construct. The ~/.xinitrc script mentioned in option B is an X login script used when starting X from the command line via startx; it’s not used to automatically start X when the system boots. A boot manager, as described in option D, launches the kernel; it doesn’t directly start X, so option D is incorrect.

7. E. The XDM greeting is a resource set in the /etc/X11/xdm/Xresources file, so option E is correct. XDM doesn’t offer many options on its main screen and certainly not one to change its greeting, as described in option A. The kernel doesn’t directly handle the login process, nor does it pass options directly to XDM, so option B is incorrect. Although the xorg.conf file mentioned in option C is real, this file provides no XDM configuration options because XDM is a separate program from the X server. There is no standard xdmconfig program, as mentioned in option D.

8. C. KDM and GDM add many features, one of which is a menu that enables users to select their desktop environment or window manager when they log in rather than specifying it in a configuration file, as option C states. Option A describes one of the advantages of the Secure Shell (SSH) as a remote-access protocol. Option B describes a feature common to all three XDMCP servers. Option D describes the way both KDM and XDM function; GDM is the one that presents username and password fields in series rather than simultaneously. Although a failure of X to start usually results in a fallback to a text-mode login, this feature is not provided by the XDMCP server, so option E is incorrect.

9. A. The xhost command controls various aspects of the local X server, including the remote computers from which it will accept connections, making option A correct. Option B sets the DISPLAY environment variable, which doesn’t directly affect the X server (it does tell X clients which X server to use). Option C initiates a text-mode remote login session with penguin.example.com. Option D’s xaccess is a fictitious program. Although logging into penguin.example.com via ssh may also initiate an X tunnel, this isn’t guaranteed, and such a tunnel doesn’t cause the local X server to accept direct connections from the remote computer, so option E is incorrect.

10. A. As stated in option A, GNOME, KDE, and other user programs often override the keyboard repeat settings in the X configuration file. Option B has it almost backward; most Linux distributions have abandoned XFree86, and therefore its XF86Config file, in favor of X.org-X11 and its xorg.conf file. Option C is pure fiction; xorg.conf settings apply to all varieties of keyboards, and there is no standard usbkbrate program. Although some keyboards do have hardware switches, they don’t affect X’s ability to control the keyboard repeat rate, contrary to option D. Although you can set a keyboard’s nationality in xorg.conf, this option is independent of the keyboard repeat rate settings, so option E is incorrect.

11. C, E. The Orca and Emacspeak programs both provide text-to-speech conversion facilities, so options C and E are both correct. Braille is a form of writing that uses bumps or holes in a surface that can be felt by the reader. Although Linux supports Braille output devices, the question specifies computer-generated speech, which Braille is not, so option B is incorrect. SoX (option A) is an audio format converter, but it won’t convert from text to speech. The talk program (option D) is an early Unix online text-mode “chat” program, but it has no built-in speech synthesis capabilities.

12. B, E. Time zones are determined by the /etc/localtime file, so replacing that one with the correct file (a selection is stored in /usr/share/zoneinfo) will fix the problem, making option B correct. (You may also need to edit /etc/timezone or some other file to keep automatic utilities from becoming confused.) Utilities such as tzselect will make these changes for you after prompting you for your location, so option E is also correct. The hwclock program mentioned in option A reads and writes data from the system’s hardware clock. Although it relies on time zone data, it can’t adjust your system’s time zone itself. There is no standard /etc/tzconfig file, although the tzconfig program, like tzselect, can help you set the time zone. Thus, option C is incorrect. The /etc/localtime file is a binary format; you shouldn’t attempt to edit it in a text editor, making option D incorrect.

13. D. Linux, like Unix, maintains its time internally in Coordinated Universal Time (UTC), so setting the computer’s hardware clock to UTC (option D) is the recommended procedure for computers that run only Linux. Although Linus Torvalds spent time at the University of Helsinki, Helsinki time (as in option A) has no special place in Linux. Local time (as in option B) is appropriate if the computer dual-boots to an OS, such as Windows, that requires the hardware clock to be set to local time, but this is the second-best option for a Linux-only system. Option C’s US Pacific time, like Helsinki time, has no special significance in Linux. Internet time (option E) is an obscure way to measure time that divides each day into 1,000 “beats.” It’s not a time zone and is not an appropriate way to set your hardware clock.

14. C. The LC_ALL environment variable (option C), when set, adjusts all the locale (LC_*) variables, so setting this and then running the script will make the programs that your script uses work as if on a British computer. The BIOS has no location code data, so option A is incorrect. There is no standard /etc/locale.conf file, so option B is incorrect. There is no standard locale_set utility, so option D is incorrect. Although setting the TZ environment variable, as in option E, will set the time zone for your local shell to that for Great Britain, this won’t affect the sort of text formatting options noted in the question.

15. A. The Unicode Transformation Format 8 (UTF-8) standard can encode characters for just about any language on Earth, while looking just like ordinary ASCII to programs that only understand ASCII. Thus, UTF-8 (option A) is the preferred method for character encoding when a choice is possible. ASCII (option B) is an old standard that’s adequate for English and a few other languages, but it lacks some or all characters needed by most languages. ISO-8859 (options C and D) is a standard that extends ASCII, but it requires separate encodings for different languages and so is awkward when a computer must process data from multiple languages. ATASCII (option E) is a variant of ASCII used in the 1980s by Atari for its home computers; it’s obsolete and inadequate today.

16. E. The smart filter makes a print queue “smart” in that it can accept different file types (plain text, PostScript, graphics, and so on) and print them all correctly, as in option E. Font smoothing is useful on low-resolution computer monitors, but not on most printers, and adding font smoothing is not a function of a smart filter, so option A is incorrect. A smart filter doesn’t detect confidential information (option B) or prank print jobs (option D). The lpr program can be given a parameter to email a user when the job finishes (option C), but the smart filter doesn’t do this.

17. B, D. The job ID (option B) and job owner (option D) are both displayed by lpq. Unless the application embeds its own name (option A) in the filename, that information won’t be present. Most printers lack Linux utilities to query ink or toner status (option C); certainly lpq can’t do this. Although knowing when your job will finish printing (option E) would be handy, this information is well beyond lpq’s capabilities to provide.

18. C. The lprm command (option C) deletes a job from the print queue. It can take the -Pqueue option to specify the queue and a print job number or various other parameters to specify which jobs to delete. BSD LPD, LPRng, and CUPS all implement the lprm command, so you can use it with any of these systems, making option A incorrect. Option B presents the correct syntax but the wrong command name; there is no standard lpdel command. The cupsdisable command can be used to disable the whole queue, but not to delete a single print job, so option D is incorrect. Because option C is correct, option E obviously is not.

19. B. PostScript is the de facto printing standard for Unix and Linux programs, as specified in option B. Linux programs generally do not send data directly to the printer port (option A); on a multi-tasking, multi-user system, this would produce chaos because of competing print jobs. Although a few programs include printer driver collections, most forgo this in favor of generating PostScript, making option C incorrect. Printing utilities come standard with Linux; add-on commercial utilities aren’t required, so option D is incorrect. Verdana is one of several “Web fonts” released by Microsoft. Although many Linux programs can use Verdana for printing if the font is installed, most Linux distributions don’t install Verdana by default, and few Linux programs use it for printing by default even if it’s installed, so option E is correct.

20. B. The mpage utility (option B) prints multiple input pages on a single output page, so it’s ideally suited to the specified task. PAM (option A) is the Pluggable Authentication Modules, a tool for helping to authenticate users. 4Front (option C) is the name of a company that produces commercial sound drivers for Linux. The route command (option D) is used to display or configure a Linux routing table. The 411toppm program (option E) converts files from Sony’s .411 image file format to the .ppm image file format; it doesn’t do the specified task.

Chapter 7: Administering the System

1. A. A Linux username must contain fewer than 32 characters and start with a letter, and it may consist of letters, numbers, and certain symbols. The useradd utility imposes additional restrictions: Uppercase letters and most symbols are not permitted. Of these options, only option A meets all of these criteria. Option B begins with a number and so is invalid. Option C is a legal Linux username but won’t be accepted by useradd because of its uppercase letters. Option D is too long to be legal at 33 characters, and it contains uppercase letters and underscore symbols. Option E is a legal Linux username but won’t be accepted by useradd because of the space in the name.

2. A. Groups provide a good method of file-access control, as described in option A. Although they may have passwords, these are not account login passwords, as option B suggests; those passwords are set on a per-account basis. Files do have associated groups, but these are in addition to individual file ownership and so they can’t be used to mask the file’s owner, making option C incorrect. Deleting a group does not delete all the accounts associated with the group, so option D is incorrect. Groups are not fundamentally a cross-computer construct, contrary to option E. (This option describes the function of network account databases such as LDAP accounts or Active Directory.)

3. A. The chage command changes various account expiration options. The -M parameter sets the maximum number of days for which a password is valid, and in the context of the given command, time is a username. Thus, option A is correct. Options B, C, D, and E are all made up.

4. B, D. As stated in option B, Linux usernames may not begin with numbers, so the username (4sally) is invalid. The /etc/passwd entries have third and fourth fields of the UID and the GID, but this line has only one of those fields (which one is intended is impossible to determine); this example line’s fourth field is clearly the fifth field of a valid entry. Thus, option D is correct. Option A is incorrect because, although /bin/passwd is an unorthodox login shell, it’s perfectly valid. This configuration might be used on, say, a Samba file server or a POP mail server to enable users to change their passwords via SSH without granting login shell access. Option C is a correct observation but an incorrect answer; the username and the user’s home directory name need not match. The encrypted password is officially stored in the second field (x in this example), but in practice, most Linux computers use shadow passwords, and an x value for the password is consistent with this use, so option E is incorrect.

5. D. Option D shows a valid /etc/group entry that has the desired effect. (Note that the order of users in the comma-separated user list is unimportant.) Option A has two problems: It’s missing a password field (x in the correct entry), and the usernames are separated by spaces rather than commas. Option B also has two problems: It’s missing a password field, and its usernames are separated by colons rather than commas. Option C has just one problem: Its usernames are separated by colons rather than commas. Option E has two problems: Its password and GID fields are reversed, and its usernames are separated by backslashes rather than commas.

6. B, C, D. Files in /etc/skel are copied from this directory to new users’ home directories by certain account-creation tools. Thus, files you want in all new users’ home directories should reside in /etc/skel. Options B, C, and D all describe reasonable possibilities, although none is absolutely required. Including a copy of /etc/shadow in /etc/skel (option A) would be a very bad idea, because this would give all users access to all other users’ encrypted passwords, at least as of the moment of account creation. You wouldn’t likely find package management databases (option E) in /etc/skel, since users don’t need privileged access to this data, nor do they need individualized copies of it.

7. C. The userdel command deletes an account, and the -r option to userdel (option C) causes it to delete the user’s home directory and mail spool, thus satisfying the terms of the question. Option A deletes the account but leaves the user’s home directory intact. Option B does the same; the -f option forces account deletion and file removal under some circumstances, but it’s meaningful only when -r is also used. Option D’s rm command deletes the user’s home directory (assuming it’s located in the conventional place, given the username) but doesn’t delete the user’s account. Option E’s usermod command can modify accounts, including locking them, but it can’t delete accounts. Furthermore, the -D option to usermod is fictitious.

8. E. The emerg priority code (option E) is the highest code available and so is higher than all the other options. (The panic code is equivalent to emerg but isn’t one of the options.) From highest to lowest priorities, the codes given as options are emerg, crit, warning, info, and debug.

9. A. The logrotate program consults a configuration file called /etc/logrotate.conf (option A), which includes several default settings and typically refers to files in /etc/logrotate.d to handle specific log files. The remaining options are all fictitious, at least as working log files for logrotate.

10. D. The logger utility can be used to create a one-time log file entry that you specify. In its simplest form, it takes no special arguments, just a message to be inserted in the log file, as in option D. The dmesg utility in option A is used to review the kernel ring buffer; it doesn’t create log file entries. Option B’s syslog command isn’t a Linux user-mode command, although it is the name of the logging system generically, as well as a programming language command name. Option C’s rsyslogd is the name of one of several system logging daemons; it maintains the system log but isn’t used to manually insert log entries. Option E’s wall command writes a message to all users’ terminals. Although you might want to use wall prior to shutting down so as to alert users of this fact, it won’t create a log file entry as the question requires.

11. C. The logrotate program can be started automatically—and unattended—on a regular basis by adding an entry for it in cron, so option C is correct. The at utility (option A) would be used if you wanted the program to run only once. logrotate.d (option B) defines how the program is to handle specific log files. The inittab file (option D) is used for services and startup and not for individual programs. The ntpd program (option E) is the Network Time Protocol daemon, which synchronizes the system’s clock with outside time sources.

12. E. The hwclock utility is used to view or set the hardware clock. The --utc option tells it to use UTC, which is appropriate for a Linux-only system, and --systohc sets the hardware clock based on the current value of the software clock. Thus, option E is correct. Option A’s date utility can be used to set the software clock but not the hardware clock; it has no --sethwclock option. Option B’s ntpdate is used to set the software clock to the time maintained by an NTP server; it doesn’t directly set the hardware clock. Option C’s sysclock utility is fictitious. Option D’s time command is used to time how long a command takes to complete; it has no --set or --hw option and does not set the hardware clock.

13. A. The format of the date command’s date code is [MMDDhhmm[[CC]YY][.ss]]. Given that the question specified an eight-digit code, this means that the ordering of the items, in two-digit blocks, is month-day-hour-minute. Option A correctly parses this order, whereas options B, C, D, and E do not.

14. C. Multiple server entries in /etc/ntp.conf tell the system to poll all the named servers and to use whichever one provides the best time data. Thus, option C is correct. (The pool.ntp.org subdomain and numbered computers within that subdomain give round-robin access to a variety of public time servers.) Options A and B both incorrectly state that one server statement overrides another, when in fact this isn’t the case. The server statements shown in the question are properly formed, so option D is incorrect. Although it is true that this configuration will result in use of tardis.example.com should the public-pool server be unavailable, as option E states, this is not the only reason the NTP server will use tardis.example.com; this could happen if the public-pool server provides an inferior time signal, for instance. Thus, option E is incorrect.

15. D. Once you’ve configured one computer on your network to use an outside time source and run NTP, the rest of your computers should use the first computer as their time reference. This practice reduces the load on the external time servers, as well as your own external network traffic. Thus, option D is correct. (Very large networks might configure two or three internal time servers that refer to outside servers for redundancy, but this isn’t necessary for the small network described in the question.) Option A describes the procedure to locate a time server for the first computer configured (gateway.pangaea.edu) but not for subsequent computers. Although configuring other computers to use ntp.example.com instead of or in addition to gateway.pangaea.edu is possible, doing so will needlessly increase your network traffic and the load on the ntp.example.com server. Thus, options B and C are both incorrect. Contrary to option E, NTP is suitable for use on small local networks, and in fact it’s very helpful if you use certain protocols, such as Kerberos.

16. B, D. The cron utility is a good tool for performing tasks that can be done in an unsupervised manner, such as deleting old temporary files (option B) or checking to see that servers are running correctly (option D). Tasks that require interaction, such as creating accounts (option C), aren’t good candidates for cron jobs, which must execute unsupervised. Although a cron job could restart a crashed server, it’s not normally used to start a server when the system boots (option A); that’s done through system startup scripts or a super server. Sending files to a printer (option E) is generally handled by a print server such as CUPS.

17. B. User cron jobs don’t include a username specification (tbaker in options A and C). The */2 specification for the hour in options C and D causes the job to execute every other hour; the 7,19 specification in options A and B causes it to execute twice a day, on the 7th and 19th hours (in conjunction with the 15 minute specification, that means at 7:15 a.m. and 7:15 p.m.). Thus, option B provides the correct syntax and runs the job twice a day, as the question specifies, whereas options A, C, and D all get something wrong. Option E causes the job to run once an hour, not twice a day.

18. B. The anacron program is a supplement to cron that helps ensure that log rotation, /tmp directory cleanup, and other traditional cron tasks are handled even when the computer is shut down (and, hence, when cron isn’t running) for extended periods of time. Thus, this is the program to add to the system to achieve the stated goal, and option B is correct. There is no common Linux utility called tempus, so option A is incorrect. Option C’s crontab is the name of a file or program for controlling cron, which is likely to be an unreliable means of log rotation on a laptop computer. The ntpd program (option E) is the NTP daemon, which helps keep the system clock in sync with an external source. Although running ntpd on a laptop computer is possible, it won’t directly help with the task of scheduling log rotation. The syslog-ng package is an alternative system log daemon, but this program doesn’t help solve the problem of potentially unreliable log rotation on laptops when using standard cron utilities.

19. E. The at command runs a specified program at the stated time in the future. This time may be specified in several ways, one of which is teatime, which stands for 4:00 p.m. Thus, option D is correct. The objections stated in options A, B, C, and D are all invalid. (You may pass a script to at with the -f parameter, but this isn’t required, contrary to option D.)

20. A, C. The contents of /etc/cron.daily are automatically run on a daily basis in most Linux distributions, and the crontab utility can create user cron jobs that run programs at arbitrary time intervals, so both A and C are correct. The at command noted in option B can be used to run a program a single time, but not on a regular basis (such as daily). Option D’s run-parts utility is used by some distributions as a tool to help run programs in the /etc/cron.* subdirectories, but it’s not used to schedule jobs. Although the crontab program can maintain user crontabs, it’s not used as shown in option E, and it has no -d parameter at all.

Chapter 8: Configuring Basic Networking

1. A, B, E. Ethernet (option B) is currently the most common type of wired network hardware for local networks. Linux supports it very well, and Linux also includes support for Token Ring (option A) and Fibre Channel (option E) network hardware. DHCP (option C) is a protocol used to obtain a TCP/IP configuration over a TCP/IP network. It’s not a type of network hardware, but it can be used over hardware that supports TCP/IP. NetBEUI (option D) is a network stack that can be used instead of or in addition to TCP/IP over various types of network hardware. Linux doesn’t support NetBEUI directly.

2. B. IP addresses consist of four 1-byte numbers (0-255). They’re normally expressed in base 10 and separated by periods. 63.63.63.63 meets these criteria, so option B is correct. 202.9.257.33 includes one value (257) that’s not a 1-byte number, so option A is incorrect. 107.29.5.3.2 includes five 1-byte numbers, so option C is incorrect. 98.7.104.0/24 (option D) is a network address—the trailing /24 indicates that the final byte is a machine identifier, and the first 3 bytes specify the network. Option E, 255.255.255.255, meets the basic form of an IP address, but it’s a special case—this is a broadcast address that refers to all computers, rather than the single computer specified by the question.

3. C. The gateway computer is a router that transfers data between two or more network segments. As such, if a computer isn’t configured to use a gateway, it won’t be able to communicate beyond its local network segment, making option C correct. A gateway is not necessary for communicating with other systems on the local network segment, so option A is incorrect. If your DNS server is on a different network segment, name resolution via DNS won’t work, as stated in option B; however, other types of name resolution, such as /etc/hosts file entries, will still work, and the DNS server might be on the local network segment, so option B is incorrect. Gateways play the same function in both IPv4 and IPv6 networking, so option D is incorrect. DHCP functions fine without a gateway, provided a DHCP server is on the same local network segment as its clients (as is normally the case), so option E is incorrect.

4. D. The Secure Shell (SSH) protocol uses port 22, so if the traffic to port 22 is using the correct protocol, it’s SSH traffic, and option D is correct. The Hypertext Transfer Protocol (HTTP; option A) is conventionally bound to port 80; the Simple Mail Transfer Protocol (SMTP; option B) uses port 25; Telnet (option C) uses port 22; and the Network News Transfer Protocol (NNTP; option E) uses port 119. None of these would normally be directed to port 22.

5. D. The Interactive Mail Access Protocol (IMAP) is assigned to TCP port 143. Ports 21, 25, 110, and 443 are assigned to the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol version 3 (POP-3), and the Hypertext Transfer Protocol over SSL (HTTPS), respectively. Although some IMAP server programs also support POP-3 and might therefore listen to both ports 110 and 143, the question specifies IMAP exchanges, so option D is the only correct answer.

6. C, E. Option C, dhcpd, is the Linux DHCP server. Option E, ifconfig, can be used for network configuration but is not itself a DHCP client. The others are all DHCP clients. Any given computer will use just one DHCP client (or none at all), but from one to three of A, B, and D will be available choices.

7. B, C. When used to display information on an interface, ifconfig shows the hardware and IP addresses (options B and C) of the interface, the protocols (such as TCP/IP) bound to the interface, and statistics on transmitted and received packets. This command does not return information about programs using the interface (option A), the hostname associated with the interface (option D), or the kernel driver used by the interface (option E).

8. A. The host program (option A) is a commonly used program to perform a DNS lookup. There is no standard dnslookup program (option B), although the nslookup program is a deprecated program for performing DNS lookups. pump (option C) is a DHCP client. ifconfig (option D) is used for configuration of networking parameters and cards. netstat (option E) is a general-purpose network diagnostic tool.

9. B. To add a default gateway of 192.168.0.1, the command would be route add default gw 192.168.0.1, as in option B. Specifying the IP address of the host system (as in options A, C, and D) is not necessary and in fact will confuse the route command. Although route provides a -host option, using host (without a dash), as in option E, is incorrect. Furthermore, option E omits the critical add parameter.

10. A, B. The dhclient utility, if installed, attempts to configure and bring up the network(s) passed to it as options (or all networks if it’s given no options) using a DHCP server for guidance. Thus, option A may work, although it won’t work if no DHCP server is available. Option B applies whatever network options are configured using distribution-specific tools and brings up the network. Thus, options A and B both may work, although neither is guaranteed to work. Option C displays the network status of eth1, but it won’t activate eth1 if it’s not already active. There is no standard network utility in Linux, so option D won’t work. The netstat utility is a network diagnostic tool; it won’t bring up a network interface, so option E is incorrect.

11. E. Although not all systems use /etc/hostname, option E correctly describes it for those systems that use it. The file or files that hold information on package repository servers vary from one package system to another, so option A is incorrect. Option B describes the purpose of /etc/resolv.conf. Option C describes the purpose of /etc/hosts. Option D doesn’t describe any standard Linux configuration file, although the gateway computer’s IP address is likely to appear in a distribution-specific configuration file.

12. C. The traceroute command (option C) identifies the computers that lie between your own computer and a destination computer, along with some very basic information about network packet travel time and reliability. Thus, traceroute can help you track down the source of the described problem—perhaps a router that’s critical to reaching all of the non-responsive systems has failed. The netstat and ifconfig utilities of options A and D both provide information about local network configuration options, but they most likely won’t be of much help in diagnosing a problem that affects only some sites. The ping utility (option B) may help you quickly identify sites that have failed but won’t be of much use beyond that. You can use dig (option E) to obtain information on the mapping of hostnames to IP addresses, but it won’t help in resolving basic connectivity problems.

13. B, D. DNS problems can manifest as an ability to connect to computers using IP addresses but not using hostnames. Thus, options B and D (and various other DNS-related problems) could create the symptoms described. If the target system were configured to ignore ping packets, as described in option A, then it wouldn’t respond when you identified it by IP address. The target system’s DNS configuration (option C) doesn’t enter into the equation, because it responds to the ping request via IP address alone. Your own computer’s locally set hostname (in /etc/hostname) isn’t used by the remote system to reply, so option E is incorrect.

14. C. The netstat program produces various network statistics, including the process IDs (PIDs) and names of programs currently accessing the network when passed the -p parameter. Thus, option C is correct. The ifconfig program can’t produce this information, and the -p option to this program is fictitious, so option A is incorrect. Option B’s /proc/network/programs file is also fictitious. Option C’s /etc/xinetd.conf file is real and may provide some information about some servers that are using the network (as described in Chapter 10); but this file won’t provide information about all servers, much less about clients that are accessing the network. The dmesg command displays the kernel ring buffer, which doesn’t contain information on programs that are currently accessing the network, so option E is incorrect.

15. A, D. If you get any response at all, you know that the basic network connection is working, including that the server is responding to the client. With basic knowledge of IMAP commands, telnet enables you to test the server’s responses in more detail than most IMAP clients (mail readers) permit. Thus, options A and D are both correct. Option C describes the functionality of traceroute or tracepath; telnet provides no information about intermediate routers’ functionality, so option B is incorrect. Because neither telnet nor IMAP on port 143 uses encryption, option C is incorrect. Furthermore, a packet sniffer is likely to have no effect on the transfer of data; it just copies the data so that the packet sniffer’s user can see it. Although telnet can be used for remote access in a way that could make option E correct, the question specifies using telnet to connect to port 143, which is the IMAP port, not the Telnet port. Thus, option E is incorrect. (Furthermore, using telnet for remote administration is very risky, since telnet is an unencrypted protocol.)

16. B. The computer’s IP address (172.25.78.89) and netmask (255.255.255.0) mean that the computer can directly address computers with IP addresses in the range of 172.25.78.1 to 172.25.78.254, but the gateway address (172.25.79.1) is outside of this range. Thus, either the IP address or the gateway address is wrong, and option B is correct. Nothing about the way DNS operates necessitates that the DNS server be on the same network segment as the DNS client, so option A is incorrect. Although private IP addresses are often isolated from the Internet, as option C specifies, Network Address Translation (NAT) can get around this limitation. Thus, although there could be some truth to option C, it’s not certain to be true. The class A/B/C distinctions are just guidelines that can be overridden by specific configurations. Thus, option D is incorrect. Option E’s assertion that ifup is used only on computers that use DHCP is incorrect; ifup can work on computers that use static IP addresses, provided that the relevant information is entered correctly.

17. E. The -n option is used when you want to use route to display the current routing table, and it does as option E specifies. There is no route parameter that behaves as options A or C specify. Option B describes the purpose of the netmask parameter to route. Option D describes the purpose of the -net parameter to route.

18. E. Option E correctly identifies the function of /etc/resolv.conf. Option A describes the purpose of /etc/services. Various distribution-specific configuration files perform the function described in option B, but /etc/resolv.conf is not one of these files. A DHCP client sends a broadcast to locate a DHCP server; there is no client configuration file that holds the DHCP server’s address, as option C describes. The routing table is maintained internally, although basic routing information may be stored in distribution-specific configuration files, so option D is also incorrect.

19. B. The /etc/hosts file holds mappings of IP addresses to hostnames, on a one-line-per-mapping basis. Thus, option B is correct. The file does not list the users (option C) or other hosts (option A) allowed to remotely access this one, affect remote administration through a Web browser (option D), or map port numbers to protocols (option E).

20. D. The /etc/nsswitch.conf file controls the order of name resolution, among other things. Option D correctly describes the procedure for changing the order in which Linux performs name resolution. The /etc/resolv.conf file mentioned in option A controls the DNS servers that Linux consults, but it doesn’t control access to /etc/hosts. Option B’s nslookup command resolves a hostname, so option B will return the IP address of the computer called dns, if Linux can find such a system. The /etc/named.conf file of option C is the configuration file for the standard name server. This server isn’t likely to be installed on most Linux systems, and even if it is, the procedure described in option C is invalid. Like option B’s nslookup, option E’s dig looks up hostname-to-IP-address mappings, so option E will display such mappings for the computers called local and dns, if they exist.

Chapter 9: Writing Scripts, Configuring Email, and Using Databases

1. E. The current directory indicator is particularly dangerous in root’s PATH environment variable because it can be used by unscrupulous local users to trick root into running programs of the unscrupulous user’s design. Thus, option E is correct and all the other options are incorrect.

2. A. The alias built-in command creates a duplicate name for a (potentially much longer) command. Option A shows the correct syntax for using this built-in command; it causes the new alias cdpt to work like the much longer cd ~/papers/trade. The export command in option B creates an environment variable called cdpt that holds the value cd ~/papers/trade. This will have no useful effect. Option C, if placed in a bash startup script, will cause the user’s current directory to shift to ~/papers/trade immediately after the user logs in. There is no standard shortcut command, so option D is meaningless. Although env is a valid command, it’s used incorrectly in option E, and so this option is incorrect.

3. E. Some programs use the EDITOR environment variable as described in option E. Contrary to option A, the EDITOR environment variable has nothing to do with command-line editing. When you’re typing at a bash command prompt, bash itself provides simple editing features, so option B is incorrect. (You can launch the editor specified by $EDITOR by typing Ctrl+X followed by Ctrl+E, though.) The edit command doesn’t behave as option C suggests. (This command may be configured differently on different systems.) You can create links called GUI and TEXT to have the EDITOR environment variable behave as option D suggests, but this isn’t a normal configuration.

4. C. The PWD environment variable holds the present working directory, so option C is correct. The PATH environment variable (option A) holds a colon-delimited list of directories in which executable programs are stored so that they may be run without specifying their complete pathnames. There are no standard CWD, PRESENT, or WORKING environment variables, so options B, D, and E are all incorrect.

5. A. Option A creates the desired environment variable. Option B creates a local variable—but not an environment variable—called MYVAR, holding the value mystuff. After typing option B, you can also type export MYVAR to achieve the desired goal, but option B by itself is insufficient. Option C isn’t a valid bash shell command. Option D displays the contents of the MYVAR variable and also echoes mystuff to the screen, but it doesn’t change the contents of any environment variable. Option E’s setenv isn’t a valid bash command, but it will set an environment variable in tcsh.

6. E. The ~/.bashrc file is a non-login bash startup script file. As such, it can be used to alter a user’s bash environment, and option E is correct. There is no standard ~/.startup file for bash, so option A is incorrect. The /etc/bashrc file is a global bash startup script. Editing it will modify users’ bash environments, but an individual user should not be able to modify it, so option B is incorrect. There is no standard /home/.bashrc file; this option would be correct only if the user’s home directory were set to /home, which would almost certainly be an error. Thus, option C is incorrect. Likewise, option D’s /home/profilerc doesn’t refer to a user’s configuration file; and even if it did, profilerc isn’t a valid bash configuration filename (although ~/.profile is a valid user configuration file and /etc/profile is a valid global configuration file).

7. A, D. The env command displays all defined environment variables, so option A satisfies the question. (In practice, you might pipe the results through grep to find the value of a specific environment variable.) The echo command, when passed the name of a specific environment variable, displays its current value, so option D is also correct. DISPLAY is an environment variable, but it’s not a command for displaying environment variables, so option B is incorrect. You can use the export command to create an environment variable but not to display the current settings for one, so option C is incorrect. Option E’s cat command concatenates files or displays the contents of a file to the screen, but it doesn’t display environment variables.

8. E. Scripts, like binary programs, normally have at least one executable bit set, although they can be run in certain ways without this feature. Thus, you should use chmod, as in option E. You should not, however, use chmod to set the set-user-ID (SUID) bit, as in option A, since this would be a security risk for most scripts. There is no standard /usr/bin/scripts directory, and scripts can reside in any directory, so option B is incorrect. Scripts are interpreted programs, which means they don’t need to be compiled, making option C incorrect. (Typing bash scriptname will run the script, though.) Viruses are extremely rare in Linux, and because you just created the script, the only ways it could possibly contain a virus would be if your system was already infected or if you wrote it as a virus. Thus, option D is incorrect.

9. C. The cp command is the only one called in the script, and that command copies files. Because the script passes the arguments ($1 and $2) to cp in reverse order, their effect is reversed—where cp copies its first argument to the second name, the cp1 script copies the second argument to the first name. Thus, option C is correct. Because the order of arguments to cp is reversed, option A is incorrect. The cp command has nothing to do with compiling (option B) or converting (option D) C or C++ programs, so neither does the script. The reference to /bin/bash in the first line of the script identifies the script itself as being a bash script; it does not cause the arguments to the script to be run as bash scripts, so option E is incorrect.

10. C. Conditional expressions enable the script to execute different sets of instructions depending on some condition, as described in option C. They have nothing to do with license conditions (option A), the computer’s environment (option B), or Pavlovian conditioning (option D). Although code readability can be influenced by proper or improper use of many programming features, including conditional expressions, this isn’t the primary purpose of conditional expressions, so option E is incorrect.

11. B, D. Valid shell scripts begin with the characters #! and the complete path to a program that can run the script. Options B and D both meet this description, because /bin/bash is a shell program that’s installed on virtually all Linux systems and /bin/sh is usually a link to /bin/bash or to some other valid shell. There is no standard /bin/script program, so option A is incorrect. Options C and E are both almost correct; /bin/tcsh and /bin/zsh are valid shells on many systems, but the order of the first two characters is reversed, so this option is incorrect.

12. A, B, D. The for, while, and until statements are all valid looping statements in bash, so options A, B, and D are all correct. There is no goto statement in bash’s scripting language, so option C is incorrect. The case statement is a conditional, not a looping, statement in bash, so option E is incorrect.

13. E. All SMTP email servers are supposed to accept email to postmaster. Linux systems typically do so by using an alias to forward the email to another local user, or occasionally to a user on another computer. Thus, option E is correct. Option A would be rude and pointless in this case, although this type of response is used by some administrators when receiving mail from known spam sites, so as to degrade spammers’ operations. Options B and D both describe non-delivery of the message, in violation of proper email server configuration. Option C is effectively the same as option D unless creation of the postmaster account is imminent, and an email server would have no way of knowing this.

14. C. The Fetchmail program is a tool for retrieving email from remote POP or IMAP servers and injecting it into a local (or remote) SMTP email queue. As such, it’s not an SMTP server, so option C is correct. Postfix (option A), sendmail (option B), Exim (option D), and qmail (option E) are all popular SMTP email servers for Linux.

15. B. The -s option to mail sets the message subject line, and -c sets carbon copy (cc:) recipients. Input redirection (via <) reads the contents of a line into mail as a message. A mail command line normally terminates with the primary recipient. Thus, option B correctly describes the effect of the specified line. Options A, C, D, and E are all confused in their interpretation of the effects of mail parameters. Options B and D also confuse input and output redirection, and option A incorrectly suggests that a script (or the mail program) can elevate its run status to root privileges.

16. D. SMTP servers accept local email for delivery even if their Internet connections are down. If the SMTP server can’t contact recipient servers, the SMTP server holds the email and attempts delivery later, so option D is correct. Because SMTP servers don’t check on the availability of remote servers until after email is accepted for delivery, option A is incorrect. Option B can’t possibly be correct unless the server has a backup Internet connection, which wasn’t specified in the question. Option C isn’t correct because the SMTP server will hold the mail and attempt delivery later. How recipients retrieve their mail is not under your control, so option E is incorrect.

17. B. The /etc/aliases file configures system-wide email forwarding. The specified line does as option B describes. A configuration like this one is common. Option A has things reversed. Option C is not a valid conclusion from this evidence alone, although an intruder may conceivably be interested in redirecting root’s email; so if jody shouldn’t be receiving root’s email, this should be investigated further. Although the effect of option D (jody reading root’s email) is nearly identical to the correct answer’s effect, they are different; jody cannot directly access the file or directory that is root’s email queue. Instead, the described configuration redirects root’s email into jody’s email queue. Thus, option D is incorrect. Because /etc/aliases is an email configuration file, not an account configuration file, it can’t have the effect described in option E.

18. B. The CREATE DATABASE command creates a new database with the specified name. Because SQL commands are case-insensitive, this command may be typed in uppercase or lowercase, and option B is correct. Options A and C both use the incorrect command NEW rather than CREATE, and option C specifies the database name as FISH rather than fish. (Database names are case-sensitive.) Option D reverses the order of the CREATE and DATABASE keywords. Option E uses the fictitious command DB.

19. A, D. A single database may hold multiple tables, as option A suggests. Option D is also correct; by splitting data across tables (such as into tables describing objects generically and specifically), databases can be more space-efficient. Option B is incorrect because the DROP command doesn’t combine tables; it deletes a table! Option C is incorrect because it reverses the meaning of rows and columns in a SQL table. A lossy compression algorithm, as the name suggests, deliberately corrupts or loses some data—an unacceptable option for a text database, making option E incorrect. (Lossy compression is used for some audio and video file formats, though.)

20. C. The UPDATE command modifies existing database table entries, and in this case it does so as option C describes. Option B also describes an update operation, but in a confused and incorrect way. Options A and D both describe database retrieval operations, but UPDATE doesn’t retrieve data. Option E mistakenly identifies stars as a database name, but it’s a table name; and it mistakenly identifies the operation as adding a new entry (INSERT in SQL) rather than as modifying an existing entry (UPDATE in SQL).

Chapter 10: Securing Your System

1. E. The server names alone are insufficient to determine whether they’re legitimate. The computer in question may or may not need to run any of these servers, and their presence may or may not be intentional, accidental, or the sign of an intrusion. Thus, option E is correct. Contrary to option A, the mere presence of an SSH server does not ensure security. Although, as option B asserts, FTP is not a secure protocol, it’s still useful in some situations, so the mere presence of an FTP server is not, by itself, grounds for suspicion. Similarly, in option C, although some administrators prefer Postfix or qmail to sendmail for security reasons, sendmail isn’t necessarily bad, and the names alone don’t guarantee that the sshd and proftpd servers are legitimate. As option D states, sendmail and proftpd both use unencrypted text-mode transfers; but this is appropriate in some situations, so option D is incorrect.

2. C. Although Nmap and other port scanners are useful security tools, they’re also used by crackers, and many organizations have policies restricting their use. Thus, you should always obtain permission to use such tools prior to using them, as option C specifies. A port scanner can’t cause damage to /etc/passwd, so there’s no need to back it up, contrary to option A. A port scanner also doesn’t need the root password on a target system to operate, so you don’t need this information, making option B incorrect. (In fact, asking for the root password could be seen as extremely suspicious!) Although you could use sudo to run Nmap, there’s no need to do so to perform a TCP scan, and you can perform a UDP scan by running Nmap as root in other ways (such as via a direct login or by using su). Thus, option D isn’t strictly necessary, although you might want to tweak /etc/sudoers as a matter of system policy. As a firewall is part of your network’s security, you probably want it running when you perform a network scan, contrary to option E. Furthermore, it would be safer to leave the firewall running and scan from behind it, if you want to test the security of the network in case of a firewall breach.

3. C. The /etc/security/limits.conf (option C) file holds the configuration settings that allow you to limit users’ access. The other options listed don’t give the correct path to this file.

4. A, B, C. Nmap (option A) is usually used to perform scans of remote computers, but it can scan the computer on which it’s run, as well. The netstat (option B) and lsof (option C) utilities can both identify programs that are listening for connections (that is, open ports) on the local computer. The portmap program (option D) is used by the Network File System (NFS) and some other servers, but it’s not used to identify open ports. There is no standard Linux services program (option E), although the /etc/services file holds a mapping of port numbers to common service names.

5. B. The -perm option to find locates files with the specified permissions, and +4000 is a permission code that matches SUID files. The -type f option restricts matches to files in order to avoid false alarms on directories. Option B uses these features correctly. Options A, C, and D use these features incorrectly. Option E specifies a fictitious -suid parameter to find.

6. A. Option A correctly describes the meaning of the specified line. A percent sign (%) identifies a Linux group name, and the remainder of the line tells sudoers to enable users of that group to run all programs as root by using sudo. The remaining options all misinterpret one or more elements of this configuration file entry.

7. B. The netstat command can do what is described in the question. To do so, the -ap options to the command are good choices, so option B is correct. Although lsof can also accomplish the job, the -c a option is incorrect; this option restricts output to processes whose names begin with a. Thus, option A is incorrect. Option C’s ifconfig command doesn’t display open network connections, so it’s incorrect. Although option D’s nmap command will locate ports that are open on the localhost interface, it doesn’t locate all open connections, nor does it locate connections on anything but the localhost interface. Option E’s top command displays a list of processes sorted by CPU use, not open network connections (and -net is an invalid option to top, as well).

8. D. Option D is correct. TCP Wrappers uses this feature to allow you to override broad denials by adding more specific explicit access permissions to hosts.allow, as when setting a default deny policy (ALL:ALL) in hosts.deny.

9. C. The bind option of xinetd lets you tie a server to just one network interface rather than link to them all, so option C is correct. It has nothing to do with running multiple servers on one port (option A), specifying computers by hostname (option B), resolving conflicts between servers (option D), or the Berkeley Internet Name Domain (BIND) or any other DNS server (option E).

10. A, D. Using a firewall rule to block Waiter’s port, as in option A, can increase security by providing redundancy; if Waiter is accidentally run in the future, the firewall rule will block access to its port. Uninstalling the program, as in option D, improves security by reducing the risk that the program will be accidentally run in the future. Most programs don’t have a “stealth” mode, so option B is incorrect. (Furthermore, reading the documentation isn’t enough; to improve security, you must change some configuration.) Tunneling Waiter’s connections might have some benefit in some situations, but this configuration requires setup on both client and server computers and by itself leaves the server’s port open, so option C is incorrect. Clients associated with the server program, installed on the server computer, pose little or no risk of abuse of the associated server; it’s clients on other computers that are most likely to be used to abuse a server program, and you can’t control that. Thus, option E is incorrect.

11. B. Option B correctly describes how to accomplish this goal. Option A is incorrect because the hosts_allow option isn’t a legal xinetd configuration file option. Option C correctly describes how to configure the described restriction using TCP Wrappers, which is generally used with inetd, but it’s not the way this is done using xinetd. Option D also describes a TCP Wrappers description, but it reverses the meaning. Option E’s iptables utility configures a firewall. Although a firewall rule could be a useful redundant measure, the question specifies a xinetd configuration; and option E’s use of iptables is incorrect.

12. B. Ideally, passwords should be completely random but still memorable. Option B’s password was generated from a personally meaningful acronym and then modified to change the case of some letters, add random numbers and symbols, and extend its length using a repeated character. This creates a password that’s close to random but still memorable. Option A uses a well-known mythological figure, who is likely to be in a dictionary. Option C uses two common words, which is arguably better than option A, but not by much. Option D uses two closely related words separated by a single number, which is also a poor choice for a password. Option E uses a sequential series of numbers, which is a poor (but sadly common) password choice.

13. A. Phishing (option A) involves sending bogus email or setting up fake Web sites that lure unsuspecting individuals into divulging sensitive financial or other information. Script kiddies (option B) are intruders who use root kits. Spoofing (option C) involves pretending data is coming from one computer when it’s coming from another. Ensnaring (option D) isn’t a type of attack. Hacking (option E) refers to either lawful use of a computer for programming or other advanced tasks or breaking into computers.

14. C. The /etc/nologin file, if present, prevents logins from ordinary users; only root may log in. You might set this file when performing maintenance and then forget to remove it, thus explaining the symptoms in the question. Thus, option C is correct. The syslogd daemon mentioned in option A records system messages and is unlikely to produce the specified symptoms. The login process ordinarily runs as root and is normally SUID root, so options B and D are also incorrect. Shadow passwords, as in option E, are used on almost all modern Linux systems, and are not likely to cause these symptoms.

15. B, C. SSH is most directly a replacement for Telnet (option B), but SSH also includes file-transfer features that enable it to replace FTP (option C) in many situations. SSH is not a direct replacement for the Simple Mail Transfer Protocol (SMTP; option A), the Network Time Protocol (NTP; option D), or Samba (option E).

16. A. The ssh_host_dsa_key file holds one of three critical private keys for SSH. The fact that this key is readable (and writeable!) to the entire world is disturbing, so option A is correct. In principle, a miscreant who has acquired this file might be able to redirect traffic and masquerade as your system, duping users into delivering passwords and other sensitive data. Because of this, option B (No) is an incorrect response, and the conditions imposed by options C, D, and E are all irrelevant, making all of these options incorrect.

17. B. SSH protocol level 2 is more secure than protocol level 1; thus, option B (specifying acceptance of level 2 only) is the safest approach. Option A is the least safe approach because it precludes the use of the safer level 2. Options C and D are exactly equivalent in practice; both support both protocol levels. Option E is invalid.

18. E. Allowing only normal users to log in via SSH effectively requires two passwords for any remote root maintenance, improving security, so option E is correct. Whether or not you permit root logins, the SSH server must normally run as root, since SSH uses port 22, a privileged port. Thus, option A is incorrect. SSH encrypts all connections, so it’s unlikely that the password, or commands issued during an SSH session, will be intercepted, so option B isn’t a major concern. (Nonetheless, some administrators prefer not to take even this small risk.) SSH doesn’t store passwords in a file, so option C is incorrect. Because SSH employs encryption, option D is incorrect (this option better describes Telnet than SSH).

19. D. Option D provides the correct command to import fredkey.pub prior to use. The inspect-gpg, import-gpg, and gpg-import commands of options A, C, and E are fictitious; and there is no --readkey option to gpg, as option B suggests.

20. E. The usual method of sending encrypted messages with GPG entails the sender using the recipient’s public key to encrypt the message. Thus, option E is correct. Option A would be correct if your correspondent needed to send you an encrypted message, but the question only specifies your sending the encrypted message. Options B, C, and D all entail delivery of private keys, which is inadvisable at best, because private keys in the wrong hands permit the holder to impersonate the person who owns the keys.
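The local checks behind answers 5, 14 and 16 of Chapter 10, written out as an added shell example that is not from the book. The function names and the demo directory tree are constructed for illustration; the SUID search uses -perm -4000 because current GNU find no longer accepts the +4000 spelling.

```shell
#!/bin/sh
# Added example: three local checks drawn from answers 5, 14 and 16.
# Each function takes a directory, so the same code audits "/" or a test tree.

# Answer 5: regular files with the SUID bit set.
# -perm -4000 is the POSIX form ("all of these bits set"); GNU find also
# accepts /4000 ("any of these bits set"), which is equivalent for one bit.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Answer 16: SSH private host keys that grant any access to group or others.
# The public halves (*.pub) are meant to be readable and are not matched.
# -maxdepth and -perm /MODE are GNU find extensions.
loose_host_keys() {
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' -perm /077 2>/dev/null | sort
}

# Answer 14: a leftover nologin file blocks every non-root login.
nologin_present() {
    [ -e "$1/etc/nologin" ]
}

# Run all three checks under one root directory and label the findings.
audit() {
    root=${1%/}
    find_suid "${root:-/}" | sed 's/^/SUID: /'
    loose_host_keys "$root/etc/ssh" | sed 's/^/LOOSE-KEY: /'
    if nologin_present "$root"; then
        echo "NOLOGIN: $root/etc/nologin"
    fi
}

# Constructed demo tree so the example runs offline without touching /etc.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/usr/bin"
    : > "$d/etc/ssh/ssh_host_dsa_key";     chmod 666  "$d/etc/ssh/ssh_host_dsa_key"
    : > "$d/etc/ssh/ssh_host_rsa_key";     chmod 600  "$d/etc/ssh/ssh_host_rsa_key"
    : > "$d/etc/ssh/ssh_host_rsa_key.pub"; chmod 644  "$d/etc/ssh/ssh_host_rsa_key.pub"
    : > "$d/usr/bin/helper";               chmod 4755 "$d/usr/bin/helper"
    : > "$d/usr/bin/plain";                chmod 755  "$d/usr/bin/plain"
    : > "$d/etc/nologin"
    echo "$d"
}

# "sh audit.sh --demo" prints the findings for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_demo_tree)
    audit "$tree"
    rm -rf "$tree"
fi
```

Calling audit / as root inspects the live system; every SUID hit still has to be compared against what the distribution is expected to ship.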

Appendix B

About the Additional Study Tools

In this appendix:

Additional Study Tools
System Requirements
Using the Study Tools
Troubleshooting

Additional Study Tools

The following sections are arranged by category and summarize the software and other goodies you’ll find from the companion Web site. If you need help with installing the items, refer to the installation instructions in the “Using the Study Tools” section of this appendix.

The additional study tools can be found at http://www.sybex.com/go/lpic3e. Here, you will get instructions on how to download the files to your hard drive.

Sybex Test Engine

The files contain the Sybex test engine, which includes two bonus practice exams, as well as the assessment test and the chapter review questions, which are also included in the book itself.

Electronic Flashcards

These handy electronic flashcards are just what they sound like. One side contains a question, and the other side shows the answer.

PDF of Glossary of Terms

We have included an electronic version of the glossary in .pdf format. You can view the electronic version of the glossary with Adobe Reader.

Adobe Reader

We’ve also included a link to download Adobe Reader so you can view PDF files that accompany the book’s content. For more information on Adobe Reader or to check for a newer version, visit Adobe’s Web site at http://www.adobe.com/products/reader/.

System Requirements

Make sure your computer meets the minimum system requirements shown in the following list. If your computer doesn’t match up to most of these requirements, you may have problems using the software and files. For the latest and greatest information, please refer to the ReadMe file located in the downloads.

Windows Users

A PC running Microsoft Windows 98, Windows 2000, Windows NT4 (with SP4 or later), Windows Me, Windows XP, Windows Vista, or Windows 7
An Internet connection

Linux Users

A computer with Flash Player 9
An Internet connection

Mac Users

A computer with OS X or later
An Internet connection

Using the Study Tools

Installation on a Windows machine:

1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Click the Start.EXE file to open the study tools file.
3. Read the license agreement, and then click the Accept button if you want to use the study tools.

The main interface appears. The interface allows you to access the content with just one or two clicks.

Installation on a Linux machine:

1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Open the Start.html file in an internet browser to open the study tools file.
3. Read the license agreement, and then click the Accept button if you want to use the study tools.

Installation on a Mac machine:

1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Click the image file to mount the volume to your desktop.
3. Open the JWS volume on your desktop and click Start.
4. Read the license agreement, and then click the Accept button if you want to use the study tools.

Troubleshooting

Wiley has attempted to provide programs that work on most computers with the minimum system requirements. Alas, your computer may differ, and some programs may not work properly for some reason.

The two likeliest problems are that you don’t have enough memory (RAM) for the programs you want to use or you have other programs running that are affecting installation or running of a program. If you get an error message such as “Not enough memory” or “Setup cannot continue,” try one or more of the following suggestions and then try using the software again:

Turn off any antivirus software running on your computer. Installation programs sometimes mimic virus activity and may make your computer incorrectly believe that it’s being infected by a virus.

Close all running programs. The more programs you have running, the less memory is available to other programs. Installation programs typically update files and programs; so if you keep other programs running, installation may not work properly.

Have your local computer store add more RAM to your computer. This is, admittedly, a drastic and somewhat expensive step. However, adding more memory can really help the speed of your computer and allow more programs to run at the same time.

Customer Care

If you have trouble with the book’s companion study tools, please call the Wiley Product Technical Support phone number at (800) 762-2974 or email them at http://sybex.custhelp.com/.

IndexA.afilenameextensionAccelerated-Xserveraccessfiles.SeepermissionsremoterootSSHxinetdconfiguration

accesscontrollinesinCUPSprintingaccesscontrollists(ACLs)accesstimes,fileaccessibilityissuesAccessXutilityaccounts.SeeusersanduseraccountsACLs(accesscontrollists)actionsrunlevelssystemlogfiles

ActiveDirectory(AD)domainsactiveservicesAddressResolutionProtocol(ARP)addressesDMAI/OIP.SeeIPaddressesnetwork.Seenetworkaddresses

addusercommandadministration.Seesystemadministrationadministrators,groupAdvancedLinuxSoundArchitecture(ALSA)audiodriversAdvancedTechnologyAttachment(ATA)harddiskinterfacesaliascommandaliasescommandsemailroot

aliasesfilealiasing,fontalienutility

aligning,partitionsallowedIPandnetworkaddressesalloweduserslistsatcommandjobscronjobs

alphabetictestsinSELECTALSA(AdvancedLinuxSoundArchitecture)audiodriversalternativebootloadersalternativebootsystemsAmericanStandardCodeforInformationInterchange(ASCII)ampersands(&)backgroundprogramsredirectionscripts

anacronprogramanalysistoolsforsystemlogfilesandoperatorsscriptsSELECT

anonymousFTPsitesanti-aliasingforfontsaplaycommandAPM(ApplePartitionMap)appendmodeattributeappendingfilesarchivelimiting

ApplePartitionMap(APM)AppleTalkprotocolapt-cacheprogramapt-getprogramaptitudepackagemanagerarchitecturepackagesprinting

archivingfilescpcommandcpioprogramddcommandtarutility

arguments,commandlineARP(AddressResolutionProtocol)

ASCII(AmericanStandardCodeforInformationInterchange)assignmentofvariablesasterisks(∗)casestatementscronjobsdomainsfacilitiesfilenamesgrepharddiskmonitoringnetstatNTPserverspasswordsregularexpressionsroutetracingSELECTXDMserveraccess

atcommandatsigns(@)forsystemlogfilesATA(AdvancedTechnologyAttachment)harddiskinterfacesatomicclocksatqprogramattributesfilesSQL

authenticationinSSHauthorized_keysfileautofilesystemmountingAutoRepeatkeyboardsettingavailablekernelmodulesdisplay

Bback-quotecharacters(`)inscriptstextwith

backgroundgraphicsinGRUBbackgroundprocessesbackslashes(\)bashpromptEFIloaderfilenamesregularexpressions

backtickcharacters(`)

inscriptstextwith

BackTracktoolbackupsfilesystemmountsopticalmediapartitionsfor

bad-blockchecksbannersforprintjobsbash(BourneAgainShell).bash_historyfilebash_logoutscript/.bashrcfileBasicInput/OutputSystem(BIOS)andbootloadersbootprocessrole

basicregularexpressionsBerkeleyInternetNameDomain(BIND)BerkeleyStandardDistribution(BSD)bgcommand/bindirectory/bin/shfilebinarypackagecreationBIND(BerkeleyInternetNameDomain)BIOS(BasicInput/OutputSystem)andbootloadersbootprocessrole

BIOSBootPartitionsbitmapfontsblanklineswithcatblkidcommandblockdevicesblockingroutesbodynumberingstyle/bootdirectorybootdiskanddevicegeometry/boot/efifile/boot/grub/grub.cfgfile/boot/grub/grub.conffile/boot/grub/menu.lstfile

/boot/grubpartitionbootloadersalternativedamagedEFIGRUBGRUB2overview

bootmanagers/bootpartitionbootprocessexamessentialsextractinginformationaboutwithoutkeyboardsmessagesrunlevels.SeerunlevelsstepssummaryVieditor

bootsectorsbootsystems,alternativebootablepartitionsbootlogddaemonBOOTPROTOvariablebouncekeysoptionBourneshell(bsh)BourneAgainShell(bash)braces({})/etc/apt/apt.conffunctionsGRUB2bootloaderlogrotationfilesxinetdconfiguration

brackets([])filenamesregularexpressions

BrailledisplaybreakingfilesintopiecesBRLTTYprojectbroadcastqueriesbroadcastingdatabrowsingcontrolinCUPSprintingbrowsinginIPP

BSD(BerkeleyStandardDistribution)BSDpsoptionsbshshell(Bourne)Btrfsfilesystembugsinemailserversbuildnumbersforpackagesbuildarchtranslatelinesbytescountingextractingtextbysplittingfilesby

CClibrary(libc)Cshellcablingcachesfilesystemunmountinglibrarypackage

carats(^)catregularexpressions

carboncopyaddressescaseandcase-sensitivitycommandhistorytextfilenamespasswordsregularexpressionssortingfilesusernamesVieditor

casestatementscatcommandcdcommandcdrecordcommandCentOSdistributioncentralprocessingunits(CPUs)informationaboutlimitsmulti-coreprocesspriorityprocesstime

cfdisktoolchagecommandchainloadingchannelsinDMACHARdatatypecharacterdevicesfiletypecodecharactersetconversionscharacterscountingextractingtextbyregularexpressionstranslating

chattrcommandcheck-updatecommandchecksumsforpackageschgrpcommandchipsetsinbootmessageschkconfigcommandchmodcommandchoosersinXDMchords,mousechowncommandgroupsoptionsandUIDs

CHS(cylinder/head/sector)geometryClasslessInter-DomainRouting(CIDR)cleancommandcleaningDebianpackagesclickoptionsclientsNTPremotevs.serversXWindowSystem

clockscodesfiletypepartitiontype

codesetscoldplugdevicescolons(:)

chown/etc/group/etc/inittab/etc/passwdhardwareaddressesIPaddressesPATHdirectoriesSSHfilecopyingVieditor

colorfilelistingsXWindowSystemsettings

colorink-jetprinterscolumnsinSQLcombiningfilestables

commandcompletioncommandlinesexamessentialsgeneratingregularexpressions.Seeregularexpressionsshells.Seeshellsandshellenvironmentsummarytextfiltercommands

combiningfilesformattingfilessummarizingfilestransformingfilesviewingfiles

CommandmodeinVieditorcommandsaliaseseditinghelpsystemhistoryinternalandexternallaunchingprocessespipingredirectingscriptsstreams

commas(,)comments

cronjobsENUMlistsfacilitiesfilemodesfilesystemlistsfontsgroupsGRUBdrivenumbersmountoptionsSELECTsortfieldsSSHuserlistsVi

commentsaliasesfileanacronjobsconfigurationfiles/etc/apt/sources.list/etc/inetd.conf/etc/security/limits.conffilesystemmountinglogrotationfilesscriptsSSHconfigurationsystemlogfilessystemduseraccounts

CommonUnixPrintingSystem(CUPS)configurationfilesprinterdefinitionsweb-basedutilities

comparingtarfilescompressionoptionsfileattributelogrotationfiles

computeraddressconcatenatingfilesconditionalexpressionsconfigurationfilesexaminingshellenvironment

conflicts,packageconnections,network.Seenetworkconnections

contrastsettingsconvertingcharactersetspackageformatsspacestotabstabstospaces

CoordinatedUniversalTime(UTC)copy-inmodecopy-outmodecopy-passmodecopyingfilescoredumpscores,CPUscorruptingdiskscpcommandcpioprogramCPUs(centralprocessingunits)informationaboutlimitsmulti-coreprocesspriorityprocesstime

crackersCREATEDATABASEcommandCREATETABLEcommandcreationdateinfilelistingscredentialsoptioncronprogramforanacronjobcreationlogrotationpurpose

cronlooputilitycrontabutilitycrontabscshshellCUPS(CommonUnixPrintingSystem)configurationfilesprinterdefinitionsWeb-basedutilities

CUPSDriverDevelopmentKitcupsddaemon

cupsdisablecommandcupsenablecommandcurlybraces({})/etc/apt/apt.conffunctionsGRUB2bootloaderlogrotationfilesxinetdconfiguration

currentdirectorycurrentrunlevelscutcommandcylinder/head/sector(CHS)geometrycylinders

DD-Bus(DesktopBus)daemonsdamagedbootloadersdashes(-)attributescronjobsfilenamesfilesystemoptionslimitslprmlsoptionspermissionsprocessprioritypsoptionsranges

DataDisplayChannel(DDC)featuredatapipesdatatypesinSQLdatabasesMySQL.SeeMySQLnetworkaccountSQL

datagramsdatecommanddaysettingforatcommandddcommandDDC(DataDisplayChannel)featureDDK(DriverDevelopmentKit)

deactivationdateDebianpackagesapt-cachecommandsapt-getcommandsaptitudemanagerconvertingtodistributionsandconventionsdpkgcommandsdselectprogrammanagingvs.otherpackageformatsreconfiguringSynaptictooltoolsconfiguration

debouncekeysdebugfscommanddebuggingfilesystemsnetworkprotocols

DECIMALdatatypedefaultsconfigurationfileshellsCUPSprintingpolicyfilesystemoptionsfontsgroupsGRUBOSloginshellsownershipandpermissionsroutesrunlevels

delayperiodswithanacronjobsDELETEcommanddeletedinodesdeletingaccountscommandhistorytextdirectoriesduplicatelinesfilesgrouppasswordsgroupsMySQLdatapartitions

usersfromgroupsdependenciesapt-cachekernelmodulespackagessharedlibraries

deplistcommanddepthcolorfilesearchesharddiskmonitoring

DESCRIBEcommandDesktopBus(D-Bus)/devdirectory/dev/cdromdirectory/dev/consoledirectory/dev/dvddirectory/dev/hdadirectory/dev/input/micefile/dev/mapperdirectory/dev/mousefile/dev/nullfile/dev/sddirectory/dev/stdirectorydevicescoldplugandhotplugcommonfiletypecodesfilesystemmountsfilesystemunmountsXWindowSystemsettings

dfcommandDFS(DomainFileSystem)dhclientclientDHCP(DynamicHostConfigurationProtocol)DHCPleasesdhcpcdclientdigprogramDigitalSubscriberLine(DSL)connectionsdirectmemoryaddressing(DMA)directivesorderforCUPSprintingdirectories

changingcreatingdeletingdiskusemonitoringbyfilelistingsfiletypecodehardlinkspermissions

disablingon-boardhardwaresystemctlunusedservers

disallowedIPandnetworkaddressesdisalloweduserslistsatcommandjobscronjobs

disallowinggroupadditionsdisksanddiskdrivesbootcorruptingfloppy.SeefloppydisksanddrivesGRUBreferenceshard.SeeharddisksRAM

displaycontrastfontsinformationaboutmagnifiertoolsresolutionandcolordepth

DISPLAYenvironmentvariableDLLs(dynamiclinklibraries)DMA(directmemoryaddressing)dmesgcommandDNS(DomainNameSystem)emailhostnamessettings

dnsdomainnamecommanddollarsigns($)catenvironmentvariablesregularexpressions

scriptvariablesDomainFileSystem(DFS)DomainNameSystem(DNS)emailhostnamessettings

domainnamecommanddomainsActiveDirectorydatabasehostnameslimits

dotfilesdots(.)chownfilenamesIPaddressesregularexpressionsscriptsTCPwrappersusernames

dottedquadnotationdouble-spacedoutputinprintingdpkgcommandsetdependencies

dpkg-reconfigureprogramDriverDevelopmentKit(DDK)driversaudiomanufacturer-providednetworkhardwareprinterUSBvideocards

DROPTABLEcommand.dscfilesdselectutilityDSL(DigitalSubscriberLine)connectionsducommanddual-bootsystemsdumpe2fscommandduplicatecommands

duplicatelinesremovalduplicatepackagefilesandfeaturesDynamicHostConfigurationProtocol(DHCP)dynamiclibrariesdynamiclinklibraries(DLLs)

Ee2fsckcommandechocommandenvironmentvariablesscriptstextlines

editingcommandhistorycommands

EDITORenvironmentvariableeditorscommandhistorytextscriptsVi

edquotacommandEEPROM(electronicallyerasableprogrammableread-onlymemory)EFI(ExtensibleFirmwareInterface)EFILinuxLoader(ELILO)EFISystemPartition(ESP)systemefibootmgrcommand8-bitUnicodeTransformationFormat8.3filenameselectronicallyerasableprogrammableread-onlymemory(EEPROM)ELILO(EFILinuxLoader)elsekeywordEmacseditorEmacspeakspeechsynthesisproductemailencryptingexamessentialslogrotationoptionsoverviewqueuesredirectingsendingandreceivingserversecurity

softwaresummary

emergencydisksystemsemulation,mouseenablingCUPSbrowsingon-boardhardwarequotassystemctl

encryptionGPGpasswordsSSH.SeeSSH(SecureShell)wirelessnetworksXWindowSystem

endoffiles,viewingendoflinescatregularexpressions

ENUMdatatypeenvcommandenv-updateutilityenvironmentvariablescommonpurposescriptssettingusers

equalsigns(=)aliasesattributesdatabasematchesenvironmentvariablesfilemodesGRUB2bootloadersystemlogfilesvariables

erasecommanderrorprotection,partitionsforesacstatementescapinginregularexpressionsESP(EFISystemPartition)system/etcdirectory

aliasesexecutablesin

/etc/aliasesfile/etc/anacrontabfile/etc/apt/apt.conffile/etc/apt/sources.listfile/etc/at.allowfile/etc/at.denyfile/etc/bash.bashrcfile/etc/bashrcfile/etc/cron.allowfile/etc/cron.ddirectories/etc/cron.dailyfile/etc/cron.denyfile/etc/cron.monthlyfile/etc/cron.weeklyfile/etc/crontabfile/etc/crontabfile.dailyfile/etc/cupsdirectory/etc/cups/ppddirectory/etc/cups/printers.conffile/etc/default/grubfile/etc/dpkg/dpkg.cfgfile/etc/env.ddirectory/etc/fonts/local.conffile/etc/fstabfileeditingfilesystemchecksfilesystemmountingquotasswapspace

/etc/groupfileeditingGIDslinesinmembership

/etc/grub.ddirectory/etc/gshadowfile/etc/hostnamefile/etc/hostsfile/etc/hosts.allowfile/etc/hosts.denyfile

/etc/hotplugdirectory/etc/hotplug/usbdirectory/etc/hotplug/usb.usermapfile/etc/inetd.conffile/etc/inetd.ddirectory/etc/init.ddirectory/etc/init.d/ntpdrestartcommand/etc/init.d/rcscript/etc/init.d/sshdscript/etc/init.d/xdmstartcommand/etc/init.d/xdmstopcommand/etc/init.d/xfsrestartcommand/etc/init/ttyfile/etc/inittabfilebootprocessrunlevelssecurityissuesandUpstartXDMCPservers

/etc/kde/kdmdirectory/etc/ld.so.cachefile/etc/ld.so.conf.ddirectory/etc/ld.so.conffile/etc/localtimefile/etc/login.defsfile/etc/logrotate.conffile/etc/logrotate.ddirectory/etc/maildirectory/etc/modprobe.conffile/etc/mtabfile/etc/network/interfacesfile/etc/networksfile/etc/nologinfile/etc/nsswitch.conffile/etc/ntp.conffile/etc/pam.ddirectory/etc/passwdfileeditingfieldsGIDsandUIDspasswordsuseraccounts

usermodfor/etc/profilefile/etc/rc.conffile/etc/rc.ddirectory/etc/rc.d/boot.localfile/etc/rc.d/rc.localfile/etc/rc.d/rcscript/etc/resolv.conffile/etc/rpmrcfile/etc/rsyslog.conffile/etc/security/limits.conffile/etc/servicesfile/etc/shadowfilefieldspasswordsusermodfor

/etc/skeldirectory/etc/sshfile/etc/ssh_configfile/etc/ssh/sshd_configfile/etc/sshd_configfile/etc/sudoersfile/etc/sysconfigdirectory/etc/sysconfig/clockfile/etc/sysconfig/displaymanagerfile/etc/sysconfig/networkfile/etc/sysconfig/network-scripts/ifcfgfile/etc/sysconfig/sysctl.conffile/etc/sysctl.conffile/etc/syslog.conffile/etc/systemddirectory/etc/timezonefile/etc/udevdirectory/etc/usbmgrdirectory/etc/usbmgr/usbmgr.conffile/etc/X11/fs/configfile/etc/X11/gdmdirectory/etc/X11/gdm.conffile/etc/X11/gdm/gdm.conffile/etc/X11/kdmdirectory/etc/X11/X.orgX11file/etc/X11/xdmdirectory

/etc/X11/xdm/Xaccessfile/etc/X11/xdm/xdm-configfile/etc/X11/xdm/Xresourcesfile/etc/X11/xdm/Xserversfile/etc/X11/XF86Configfile/etc/XF86Configfile/etc/xinetd.conffile/etc/xinetd.ddirectory/etc/yum.conffile/etc/yum.repos.ddirectoryEthernetframeshardware

EvolutionmailreaderExmodeinVieditorexactmatcheswithSELECTexclamationmarks(!)lockedaccountspasswordsscriptssystemlogfilesVieditor

execcommandexecutepermissionsEximprogramexitcommandexpandcommandexpansioncardsexpansionrulesforwildcardsexpirationdatesforuseraccountsexpiredaccounts,updatingexportcommandexportingenvironmentvariablesGPGkeys

expressions.Seeregularexpressionsext2fsorext2(SecondExtendedFileSystem)ext3fsorext3(ThirdExtendedFileSystem)ext4fsorext4(FourthExtendedFileSystem)extendedHFSextendedpartitionsextendedregularexpressions

ExtensibleFirmwareInterface(EFI)ExtentsFileSystem(XFS)externalcommandsexternaldisksEXTLINUXbootloaderextractingbootprocessinformationfilesRPMdatatarfilestext

F

facilities in system log files FAT (File Allocation Table) filesystem fc-cache command FCEDIT environment variable FDDI (Fiber Distributed Data Interface) fdformat command fdisk tool Fedora distribution fetchmail program fg command FHS (Filesystem Hierarchy Standard) common directories overview

fi keyword Fiber Distributed Data Interface (FDDI) Fibre Channel fields extracting text by joining files by sort SQL

File Allocation Table (FAT) filesystem file globbing file size in file listings File Transfer Protocol (FTP) filenames, file searches by files archiving attributes

breaking into pieces combining copying deleting directories. See directories exam essentials extracting formatting groups hexadecimal displays joining limits links listing locating. See locating files modes moving naming octal displays open ownership paging through permissions. See permissions preparing for printing renaming sorting summarizing summary timestamps transforming undeleting viewing word counts

Filesystem Hierarchy Standard (FHS) common directories overview

Filesystem Standard (FSSTND) filesystems checking common types creating debugging information journals

layouts mounting partitions tunable parameters tuning unmounting virtual

filters printing proxy text

combining files formatting files summarizing files transforming files viewing files

find command archived files options scripts SUID/SGID files with UIDs

firewalls flash memory FLOAT data type floppy disks and drives boot loaders on corrupting detecting drivers formatting GRUB viruses from

fmt command FontForge program fonts default directories paths servers technologies and formats X core Xft

fonts.dir file

fonts.scale file Foomatic printer definitions footers numbering style for loops forcing actions account deletion file overwrites filesystem unmounts group creation kernel module loading kernel module removal package installations

form feeds in printing formats fonts line numbering time

formatting partitions text files

forward file forward slashes (/) cron jobs directories filenames help system IP addresses paging

forwarding feature in X Window System Fourth Extended File System (ext4fs or ext4) frames FreeType library FROM clause in SELECT fsck command fsck.ext2 file fsck.ext3 file FSSTND (Filesystem Standard) FTP (File Transfer Protocol) full-duplex transmissions function keyword functions in scripts

G

gateway addresses GDM (GNOME Display Manager) configuring remote access

gdm startup script gdmconfig command gdmsetup command General Public License (GPL) Gentoo distribution geometry settings gestures, mouse getfacl command Ghostscript GIDs (group IDs) configuration files SGID files specifying users and groups

gigabit Ethernet GIMP Print drivers GIMP Tool Kit (GTK+) glibc (GNU C library) version global configuration files Globally Unique Identifiers (GUIDs) globbing GMT (Greenwich Mean Time) GNOME (GNU Network Object Model Environment) desktop environment GNOME Display Manager (GDM) configuring remote access

GNOME On-Screen Keyboard (GOK) gnome-system-monitor tool GNU C library (glibc) version GNU Enscript program GNU Network Object Model Environment (GNOME) desktop environment GNU Parted tool GNU Privacy Guard (GPG) encrypting and decrypting data keys message signing

GNU ps options GOK (GNOME On-Screen Keyboard)

gpasswd command GPG (GNU Privacy Guard) encrypting and decrypting data keys message signing

GPL (General Public License) GPT (GUID Partition Table) partitions grand totals in hard disk monitoring Grand Unified Boot Loader. See GRUB (Grand Unified Boot Loader) graphical user interfaces (GUIs). See X Window System graphics for GRUB greater than signs (>) library paths redirection

Greenwich Mean Time (GMT) grep command piping with regular expressions scripts system log files

GROUP BY command group IDs (GIDs) configuration files SGID files specifying users and groups

groupadd command groupdel command groupmod command groups adding deleting files linking users in modifying permissions UIDs and GIDs user accounts

growisofs command grpquota option GRUB (Grand Unified Boot Loader) global options installing

interacting with nomenclature and quirks per-image options

GRUB 2 boot loader grub.efi file grub-install command GTK+ (GIMP Tool Kit) GUI configuration tools GUID Partition Table (GPT) partitions GUIDs (Globally Unique Identifiers) GUIs (graphical user interfaces). See X Window System gummiboot boot manager gunzip utility Gutenprint drivers

H

hackers HAL (Hardware Abstraction Layer) daemon hald tool half-duplex transmissions halt command HaltOn option hard disks external GRUB layout

filesystems. See filesystems LVM mount points partitions. See partitions swap space

monitoring use PATA quotas SATA SCSI

hard limits hard links hardware BIOS boot disks and geometry settings boot messages coldplug and hotplug devices

configuration DMA addresses exam essentials expansion cards filesystems. See filesystems hard disk layout hard disks interrupt requests I/O addresses kernel modules network partitions. See partitions summary USB devices

Hardware Abstraction Layer (HAL) daemon hardware addresses hardware clock hash marks (#) aliases file anacron jobs /etc/apt/sources.list /etc/inetd.conf /etc/security/limits.conf filesystem mounting log rotation files rpm scripts SSH configuration system log files systemd

hashbang lines hashing hostnames hashpling lines head command headers email numbering style printing

heads, drive help aptitude package manager with less partitions ps options

shells here documents hexadecimal file display hidden files Hierarchical File System (HFS) hierarchy of processes high-level formatting High-Performance Parallel Interface (HIPPI) history command history of commands home directories configuration files user accounts

/home directory HOME environment variable /home partition host program hostname command HOSTNAME environment variable hostnames addresses configuring hashing resolving

hotplug devices hotplug tool HTTP (Hypertext Transfer Protocol) hubs network USB

hung processes hwclock utility Hypertext Transfer Protocol (HTTP) hyphens. See dashes (-)

I

ICMP (Internet Control Message Protocol) iconv utility ID numbers group. See group IDs (GIDs) GUIDs PIDs. See process IDs (PIDs)

SCSI disks UIDs. See user IDs (UIDs)

id_rsa file id_rsa.pub file identification codes for runlevels if keyword ifconfig command hardware addresses IP addresses

ifdown command ifup command IMAP (Internet Message Access Protocol) immutable files importing GPG keys in.ftpd server inactive days settings incompatible libraries and support programs Industry Standard Architecture (ISA) bus inet command inetd package info command info pages init program initialization process inodes deleted description information monitoring

input/output (I/O) services input redirection InputDevice sections in X Window System inputrc script INSERT INTO command Insert mode in Vi editor insmod command install command installed file database interactive mode for copying files internal commands internationalization locale settings

time zones Internet Internet Control Message Protocol (ICMP) Internet Message Access Protocol (IMAP) Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) Internet Printing Protocol (IPP) Internet Protocol (IP) Internet Protocol Security (IPsec) Internet service providers (ISPs) as time source internets interpreting boot process messages interrupt requests (IRQs) intervals for filesystem checks I/O addresses IP (Internet Protocol) IP addresses broadcasts netstat static xinetd configuration

IP masquerading IPP (Internet Printing Protocol) IPsec (Internet Protocol Security) iptables command IPv6 (IP version 6) IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange) IRQs (interrupt requests) ISA (Industry Standard Architecture) bus ISO-8859 code set ISO-9660 filesystem isofs module ISOLINUX boot loader ISPs (Internet service providers) as time source

J

JFS (Journaled File System) jobs print scheduling

anacron at cron

jobs command John the Ripper program JOIN clause in SELECT join command joining files Joliet filesystem Journaled File System (JFS) journaling attribute journals, filesystem jumpers for SCSI disks

K

KDE (K Desktop Environment) KDE Red Hat repository KDM (KDE Display Manager) configuring remote access

kdm startup script Kerberos kernel boot process EFI boot loader GRUB information

kernel modules information loading removing

kernel ring buffers kernel space programs keyboards accessibility issues booting without configuring onscreen

keyrings in GPG keys GPG SSH

kill command killall command killing processes

klogd daemon kmag command KMag magnifier tool KMail program konsole command kpm tool ksh shell (Korn)

L

labels, filesystem LANG environment variable languages in locales LBA (logical block addressing) mode LC_ environment variables LD_LIBRARY_PATH environment variable LDAP (Lightweight Directory Access Protocol) ldconfig command ldd command LDPATH variables leases, DHCP left margin in printing length passwords printing pages

less pager boot process messages help system system log files text files

less than signs (<) for redirection /lib directory /lib/libc.so/6 file /lib/modules directory libc (C library) libraries missing shared. See shared libraries

Light Display Manager (LightDM) Lightweight Directory Access Protocol (LDAP) LILO (Linux Loader) line ends cat

regular expressions line numbers with cat Line Printer Daemon (LPD) linear block addressing lines duplicate merging numbering

links files shared libraries

Linux Documentation Project list command systemctl yum

list_deleted_inodes command list_requests command listing files Livna repository ln command load average, displaying loaders. See boot loaders loading kernel modules X server modules

local networks DHCP configuration GUI configuration tools hardware configuration hostnames ifup and ifdown commands network connection configuration routing configuration static IP addresses

local security local time locale command locales changing description determining text files

localhost device addresses

localinstall command localization locale settings. See locales time zones

LocalTalk networks localupdate command, yum locate utility locating files boot process messages directory conventions exercise FHS system find command locate utility whereis program which command

locking accounts log files rotation system. See system log files tracking

Logcheck tool logger tool logical block addressing (LBA) mode logical operators scripts SELECT

logical partitions logical volume management (LVM) logins limits setting without passwords SSH scripts X Window System

logout command logout scripts logrotate tool long file listings long filename systems loopback addresses loopback devices loops in scripts low-level formatting

lpc utility LPD (Line Printer Daemon) lpd command lpmove command lpq command lpr command lprm command ls command file ownership links options permissions

lsdel command lsmod command lsof program lspci command lsusb utility lvcreate utility LVM (logical volume management) lvscan utility

M

MAC (Media Access Control) addresses machine information machine names magnifier tools mail. See email mail command MAIL environment variable mail options for log rotation files mail program mail readers mail spools mail transfer agents (MTAs) mail user agents (MUAs) mailq program MAILTO environment variables make utility man pages manufacturer-provided video drivers masquerade information master boot records (MBRs)

master PATA disks matching lines in regular expressions MBR partitions MBRs (master boot records) MDM Display Manager Media Access Control (MAC) addresses /media directory /media partition memory libraries limits setting process use video

merging lines message signing in GPG messages boot process system log files

minus signs. See dashes (-) misconfiguration of email servers mismatched names missing libraries and support programs mkdir command mkdosfs tool mke2fs program mkfontdir program mkfontscale program mkfs tool mkisofs command mkpart command mkswap command /mnt directory /mnt partition modes directories files monitors runlevel Vi editor

modification time, changing modinfo command modprobe command

network hardware drivers options quotas

module stacks modules kernel X Window System

monitoring hard disk use log files network port use print queues

monitors contrast controls X Window System settings

month in sorting files mount command mount points filesystem mounts filesystem unmounts partitions

mounted filesystems mounted hard disks mounting filesystems mouse accessibility issues X Window System settings

moving files partitions print jobs

mpage command msdos filesystem code MTAs (mail transfer agents) MUAs (mail user agents) multi-column printing output multi-head displays multi-OS support multi-threaded programs multi-user mode multi-volume tar files multicasting

multiple partitions multiple tests in SELECT mutt mail reader mv command MySQL combining data databases and tables deleting data exam essentials retrieving data starting storing data summary

mysql program

N

nail program Name Service Switch (NSS) named pipes file type code names disks files groups hostname resolution kernel kernel modules mismatched nodes packages print jobs systemctl

NAT (Network Address Translation) routers native methods in Upstart Neighbor Discovery Protocol (NDP) Nessus scanner nesting if/then/else clauses NET TIME command NetBEUI protocol netmasks netstat command network account databases Network Address Translation (NAT) routers network addresses

broadcasting data hardware hostnames IP IPv6 ports xinetd configuration

Network Configuration tool network connections configuring FTP commands raw network traffic status Telnet testing tracing

Network File System (NFS) Network Information System (NIS) network ports overview use monitoring

network printers network scanners network stacks Network Time Protocol (NTP) client configuration overview server configuration time sources

networking addresses. See network addresses connections. See network connections exam essentials hardware local networks. See local networks packets protocol stacks summary TCP/IP

hardware protocol stacks types

New Technology File System (NTFS) newaliases command

newgrp command NFS (Network File System) nfs-common script nice command NIS (Network Information System) nl command nmap command NMap scanner NNTPSERVER environment variable node names nohup program non-blank lines numbering option non-Linux root nslookup program NSS (Name Service Switch) NTFS (New Technology File System) NTFS-3G filesystem NTP (Network Time Protocol) client configuration overview server configuration time sources

ntp.drift file ntp package ntpd package ntpdate command ntpq program number of copies for print jobs numbering lines numbers in passwords numeric sorts numeric tests with SELECT

O

octal file displays octal permissions od command on-board hardware onscreen keyboards open files listing open ports open relays

OpenFirmware program OpenPrinting database OpenSSH server openSUSE configuration /opt directory /opt/fonts directory /opt/local/fonts directory /opt partition optflags lines optical media options, command or operators scripts SELECT

Orca speech synthesis product ORDER BY keyword OS (operating system) GRUB information

outline fonts output printing redirection

ownership defaults files filesystem mounting

P

packages caches Debian. See Debian packages dependencies and conflicts format conversions overview rebuilding RPM. See RPM (RPM Package Manager) and RPMs shared libraries. See shared libraries SQL startup script problems versions

packet-filter firewalls packet sniffers

packets page length in printing page separators in line numbering page width in printing paging through files PAM (Pluggable Authentication Modules) pam_limits module paragraphs, reformatting Parallel Advanced Technology Attachment (PATA) Parallel Line Interface Protocol (PLIP) parallel ports parameters filesystems scripts server configuration files

parent directories parent process IDs (PPIDs) parentheses () ENUM lists functions regular expressions

Parted Magic disk system Parted tool partitions aligning archiving boot process common creating deleting displaying fdisk tool filesystems GNU Parted tool GRUB GRUB 2 monitoring hard disk use by mount points preparing purpose swap systems

passwd command

passwords change requirements changing configuration files cracking programs filesystem mounts good groups history files risks root setting SMB/CIFS SSH logins without tools user accounts

paste command PATA (Parallel Advanced Technology Attachment) PATH environment variable paths archiving files external commands fonts shared libraries

pattern input files in regular expressions PCI (Peripheral Component Interconnect) bus card configuration IRQs

PCL (Printer Control Language) peers command per-image options in GRUB period setting for at command periods (.) chown filenames IP addresses regular expressions scripts TCP wrappers usernames

Peripheral Component Interconnect (PCI) bus card configuration IRQs

permission mode, searching for files by permissions archiving files bits chmod command copying files cron jobs defaults directories /etc/shadow special

PermitRootLogin option .pfa and .pfb files PGP (Pretty Good Privacy) phishing physical volumes PIDs (process IDs) boot process displaying in killing processes system log files

ping command pipes file type code piping data platters, disk play command PLIP (Parallel Line Interface Protocol) Plug-and-Play (PnP)-style configuration Pluggable Authentication Modules (PAM) plus signs (+) at command attributes find NTP servers regular expressions

PnP (Plug-and-Play)-style configuration Point-to-Point Protocol (PPP) pools, NTP server POP (Post Office Protocol) port numbers ports monitoring netstat

network open SSH tunnels USB

POST (power-on self-test) Post Office Protocol (POP) Postfix program PostgreSQL package postmaster account PostScript Printer Definition (PPD) files PostScript printer language PostScript Type 1 fonts poundbang lines pound signs (#). See hash marks (#) power-on self-test (POST) poweroff command PPD (PostScript Printer Definition) files PPIDs (parent process IDs) PPP (Point-to-Point Protocol) PPPoE (PPP over Ethernet) pr command Pretty Good Privacy (PGP) primary boot loaders primary groups primary keys primary partitions Printer Control Language (PCL) printer definitions printing architecture CUPS configuration exam essentials exercise kernel information to network printers PostScript and Ghostscript preparing files for printer manufacturers queues running systems summary

priorities processes

system log files private keys GPG SSH

privileged ports /proc directory /proc/bus/usb directory /proc/dma file /proc filesystem /proc/interrupts file /proc/ioports file process IDs (PIDs) boot process displaying in killing processes system log files

processes foreground and background kernel information killing lists memory limits setting priorities runlevels

processors. See central processing units (CPUs) .profile files programs background executing running persistently

progress, filesystem checking prompts, changing protective MBR protocol stacks protocols mouse server configuration files SSH configuration

provides command proxy filters PS_PERSONALITY environment variable ps program email

options output interpretation searching for running processes

PS1 environment variable public keys GPG SSH

pull mail protocols pump client punctuation in passwords pvcreate utility pwd command PWD environment variable

Q

qmail program Qt widget sets question marks (?) filenames regular expressions searches

queues displaying email Ghostscript for print

quota package quotacheck command quotaon command quotas enabling setting

quotation marks (“) command options in filenames

R

RAM disks random access memory (RAM) libraries video

range expressions in regular expressions

range of values in filenames raw network traffic rc program rc-update program read command read-only filesystems mounting read permissions read/write filesystems mounting reboot command rebuilding library cache packages

receiving email reconfiguring servers recursive copies recursive filename listings recursive searches in grep Red Hat distribution package naming X configuration tools

Red Hat Enterprise Linux (RHEL) redirecting email input and output

reduced-size pages rEFInd program rEFIt program reformatting paragraphs refresh rates for monitors registering domain names regular expressions grep with for line numbering overview sed with

ReiserFS filesystem description journaling partition monitoring

relational databases release numbers for packages releases, kernel

reload command in systemctl remote access in X Window System remote login protocols remote network scanners remove command removing Debian packages kernel modules options passwords print jobs yum packages

renaming files renice command repeat rate for keyboards repetition operators in regular expressions replacing packages Vi editor text

repquota command reserved blocks in filesystems resistor packs for SCSI disks resizing partitions resolution monitors video cards

resolvedep command resolving hostnames resources, XDM restart command in systemctl retrieving MySQL data reverse sorts reversing password order revoking GPG keys RHEL (Red Hat Enterprise Linux) risks, password rm command rmdir command rmmod command Rock Ridge extensions root account access

cron jobs default user settings file ownership killing processes passwords paths permissions UIDs

root directory /root directory root filesystem /root partition root partitions in GRUB /root/XF86Config.new file /root/xorg.conf.new file rotating system log files route command route tracing routing configuring rows in SQL RPM (RPM Package Manager) and RPMs converting to dependencies distributions and conventions vs. other package formats packages

creating data extraction managing

rpm commands Yum

rpm2cpio program rpmbuild program Rpmfind site RS-232 ports rsyslogd logger run-parts utility runlevel command runlevels changing checking current functions

halt, reboot, and poweroff init and telinit managing services shutdown SysV startup scripts

running programs persistently

S

SAS (Serial Attached SCSI) bus SATA (Serial Advanced Technology Attachment) saving Vi editor changes /sbin directory /sbin/init program scalable fonts scaled units in hard disk monitoring scanners, network scheduling tasks anacron at cron

scp command screen display settings contrast fonts magnifier tools resolution and color depth

screen readers scripts anacron jobs beginning commands conditional expressions configuration files creating functions log rotation files logout loops overview runlevels startup. See startup scripts variables

XDMCP servers SCSI (Small Computer System Interface) disks search command searches boot process messages command history Debian packages files. See locating files with less regular expressions system log files Vi editor yum

Second Extended File System (ext2fs or ext2) secret keys in GPG sectors Secure Boot feature secure deletions Secure Shell. See SSH (Secure Shell) Secure Sockets Layer (SSL) encryption security configuration files disabling unused servers email servers exam essentials file ownership firewalls FTP GPG inetd package local login, process, and memory limits network port monitoring partitions for remote network scanners root access server uninstalling and reconfiguring SSH. See SSH (Secure Shell) SUID/SGID files summary super server restrictions TCP Wrappers xinetd

sed command

regular expressions scripts

SELECT command semicolons (;) case statements MySQL system log files

sending email sendmail program seq command Serial Advanced Technology Attachment (SATA) Serial Attached SCSI (SAS) bus Server Message Block/Common Internet File System (SMB/CIFS) servers vs. clients disabling email security font super server restrictions

inetd configuration xinetd configuration

uninstalling and reconfiguring X Window System

services I/O runlevels server configuration files

sessions, processes associated with set command set group ID (SGID) option set keyword in GRUB 2 set user ID (SUID) option setfacl command setpci utility sfdisk utility SGID files, locating SGID (set group ID) option shadow passwords shareable files in FHS shared libraries dependencies paths principles

rebuilding library cache shebang lines shell command SHELL environment variable shells and shell environment aliases command completion command history configuration files environment variables exam essentials help system internal and external commands options scripts. See scripts starting summary

shift command shoulder surfing SHOW DATABASES command show_super_stats command SHOW TABLES command shutdown command SIGHUP signal SIGKILL signal signals for processes signing GPG messages SIGTERM signal Simple Mail Transfer Protocol (SMTP) simulated mouse clicks single-user mode size file limits in file listings log rotation files partitions searching for files by

skeleton files SLAAC (stateless address auto-configuration) slashes (/) cron jobs directories filenames

help system IP addresses paging

slave PATA disks slocate utility slow keys Small Computer System Interface (SCSI) disks smart filters SMB/CIFS (Server Message Block/Common Internet File System) smbpasswd command smoothing fonts SMTP (Simple Mail Transfer Protocol) sniffers .so filename extension social engineering sockets file type code server configuration files system log files

soft limits soft links software exam essentials packages. See packages processes. See processes summary

software clock sort command sorting files processes

sourcing scripts spaces converting tabs to converting to tabs usernames

.spec files special characters with cat speech synthesis products split command spools, mail SQL (Structured Query Language)

basics MySQL. See MySQL packages

SQLite package square brackets ([]) filenames regular expressions

SSH (Secure Shell) access control authentication basics configuring file copying keys login scripts logins without passwords port tunnels security issues X Window System

ssh-agent program ssh_host_dsa_key file ssh_host_rsa_key file ssh-keygen command ssh_known_hosts file SSH Tectia server SSL (Secure Sockets Layer) encryption Stampede format standard error (stderr) standard input (stdin) standard output (stdout) start command in systemctl start of files, viewing start of lines in regular expressions startup scripts anacron jobs configuration files package problems runlevels XDMCP servers

startx command stateless address auto-configuration (SLAAC) static files in FHS static IP addresses

static libraries statistics with apt-cache stats command status, network status command in systemctl stderr (standard error) stdin (standard input) stdout (standard output) sticky bits for permissions sticky keys stop command in systemctl storing MySQL data strata in time servers streams strong passwords Structured Query Language (SQL) basics MySQL. See MySQL packages

su command subdomains subexpressions in regular expressions subject lines in email subnet masks sudo program SUID files, locating SUID (set user ID) option summaries with hard disk monitoring summarizing commands for files Super GRUB Disk super server restrictions inetd configuration xinetd configuration

superblocks superuser. See root account support programs, missing SUSE distribution swap space swapon command switches symbolic links Synaptic tool

sysfs virtual filesystem sysklogd package Syslinux Project syslog-ng logger syslogd daemon system accounts system administration exam essentials groups. See groups log files. See system log files scheduling tasks

anacron at cron

summary system time management

NTP time concepts time setting

users. See users and user accounts system-config-display command system-config-network tool system cron jobs system environment tuning system log files manual logging reviewing contents rotating settings syslogd

System Settings dialog box system time management NTP time concepts time setting

systemctl utility systemd package SysV startup scripts configuration files problems runlevels and systemd package with Upstart

XDMCP servers

T

Tab key for command completion tables combining deleting MySQL partition SQL

tabs, converting spaces to tags for system log files tail command tail-merging process tar utility tarballs target files, linking task scheduling anacron at cron

TCP (Transmission Control Protocol) TCP/IP (Transmission Control Protocol/Internet Protocol) hardware protocol stacks types

TCP wrappers tcpd program tcpdump command tcsh shell tee command teletype (TTY) code telinit program runlevels X Window System XDMCP servers

telnet program Telnet protocol TERM environment variable terminating shells terminations for SCSI bus territories in locales

test keyword testing network connectivity text and text files with backticks displaying extracting filter commands

combining files formatting files summarizing files transforming files viewing files

locales text editors command history text scripts Vi

text-mode X login then keyword Third Extended File System (ext3fs or ext3) 3D acceleration support Thunderbird mail reader tilde character (~) backup files home directory Vi editor

time command time management NTP time concepts time setting

time of day setting for at command time options for log rotation files TimeOut setting for accessibility timestamps time zones timeouts in GRUB titles in GRUB TLDs (top-level domains) /tmp directory /tmp partition Token Ring networks top-level domains (TLDs)

top tool touch command tr command tracepath program traceroute command tracing routes tracking log files mouse

tracks, disk transforming files translating characters Transmission Control Protocol (TCP) Transmission Control Protocol/Internet Protocol (TCP/IP) hardware protocol stacks types

transposing command history text TrueType fonts .ttf files ttmkfdir program TTY (teletype) code tune2fs command tuning filesystems tunnels in SSH tuples in SQL twisted-pair cabling Type 1 fonts type command TZ variable tzconfig program tzselect program tzsetup program

U

udev tool UDF (Universal Disc Format) UDP (User Datagram Protocol) UEFI (Unified EFI) UIDs. See user IDs (UIDs) ulimit command umask command

umasks umount command external disks filesystems

umsdos filesystem uname command undeleting files underscores (_) filenames usernames

unexpand command Unicode format Unicode Transformation Format (UTF-8) Unified EFI (UEFI) uniform resource identifiers (URIs) uninstallation packages servers

uniq command Universal Disc Format (UDF) Universal Serial Bus. See USB (Universal Serial Bus) devices universally unique identifiers (UUIDs) Unix98 ps options unlocking accounts unmet dependencies with apt-cache unmounting external disks filesystems

unprivileged ports :unscaled specification unset command unshareable files in FHS until loops unused servers, disabling UPDATE command in MySQL update command in yum update copies update-rc.d program updating Debian packages expired accounts library cache links

tar files yum packages

upgrade command in yum upgrading packages Debian depended-on yum

Upstart process uptime command URIs (uniform resource identifiers) USB (Universal Serial Bus) devices drivers managing overview ports

usbmgr package USE command user cron jobs User Datagram Protocol (UDP) USER environment variable user IDs (UIDs) changing configuration files deleted accounts searching for files by user accounts

user masks user-mountable media user space programs useradd utility userdel command usermod command USERNAME environment variable usernames characteristics configuration files filesystem mounts processes server configuration files

users and user accounts adding changing configuration files

configuring creating deleting environments expiration settings in groups passwords processes scripts for UIDs. See user IDs (UIDs) usernames

/usr directory /usr/lib directory /usr/lib/rpm/rpmrc file /usr/local directory /usr/local partition /usr partition /usr/share/fonts directory /usr/share/X11/fonts directory /usr/share/zoneinfo directory /usr/X11R6 directory /usr/X11R6/lib/modules/drivers directory /usr/X11R6/lib/X11/fonts directory UTC (Coordinated Universal Time) UTF-8 (Unicode Transformation Format) UUIDs (universally unique identifiers)

V

/var directory /var/lib/dpkg directory /var/lib/ntp file /var/log directory /var/log/boot file /var/log/boot.log file /var/log/dmesg directory /var/log/kernel directory /var/log/kernel-info files /var/log/mail file /var/log/messages directory /var/log/syslog directory /var/log/wtmp file /var partition

/var/spool/cron directory /var/spool/cups directory /var/spool/mail directory VARCHAR data type variable files in FHS variables assignment environment. See environment variables scripts

vendors of USB drivers verbose output archiving files email filesystem checking filesystem mounting kernel modules library cache USB drivers

verifying archiving files GPG messages

versions kernel packages USB drivers

vertical bars (|) piping regular expressions scripts

vfat driver vfat module vgcreate utility Vi editor modes procedures saving changes

video contrast fonts magnifier tools manufacturer-provided drivers resolution and color depth

video card settings

viewing commands for files Vim editor virtual filesystems virtual memory limits Virtual Network Computing (VNC) system viruses from floppy disk VISUAL environment variable visudo editor VNC (Virtual Network Computing) system volume management

W

warning days setting Wayland display method wc command web-based utilities for CUPS WEP (Wired Equivalent Privacy) encryption whatprovides command WHERE conditions DELETE SELECT

whereis program which command while loops whois command Wi-Fi Protected Access (WPA) protocol Wi-Fi protocols wide output with ps widget sets widgets width of printing pages wildcard characters case statements filename expansion rules hard disk monitoring SELECT

Windows NT 4.0 domains Windows systems time servers Wired Equivalent Privacy (WEP) encryption wireless networking word counts working directory

world permissions WPA (Wi-Fi Protected Access) protocol WPA2 encryption wrappers, TCP write command write permissions

X

X. See X Window System X Display Manager (XDM) configuring remote access

X Display Manager Control Protocol (XDMCP) servers configuring running

X logical font descriptions (XLFDs) X.org-X11 server configuration tools for drivers

X Window System configuration file format configuration utilities configure-and-test cycle display information exam essentials fonts keyboard and mouse accessibility keyboard settings localization and internationalization logins module loading monitor settings mouse settings options printing. See printing remote access screen display settings speech synthesis summary video card settings

X11Forwarding option xargs command Xconfigurator tool

XDM (X Display Manager) configuring remote access

xdm script XDMCP (X Display Manager Control Protocol) servers configuring running

xdpyinfo tool xf86cfg utility XF86Config file XF86Config-4 file xf86config tool XF86Setup tool XFree86 server configuration file format configuration tools drivers

XFS (Extents File System) xfs_admin command xfs_check command xfs_db command xfs_info command xfs_metadump command xfs_repair command Xft fonts xinetd server XkbLayout option XLFDs (X logical font descriptions) xorg.conf file xorgcfg utility xset program xterm program xwininfo command

Y

yank operation in Vi YaST tool Yellow Dog distributions Yum packager configuration files yum commands

yumdownloader

yumex package manager

Z

Z shell (zsh) ZAxisMapping option zlib_inflate module zsh shell (Z)

