The Root User - Tonga Institute of Higher Education

Download Report

Transcript The Root User - Tonga Institute of Higher Education

The Tonga Institute of Higher Education
The Linux Operating System
Lecture 3:
Becoming the
Superuser
and Users and Groups
Root.
●
●
●
We've been looking at how to manipulate the Linux
system, figuring out where things go, but we can't
really do anything without being the superuser,
root.
The root user, remember, can do anything he
wants, so we have to be careful not to make
mistakes. We could delete things that make the
entire computer never work again.
Most Linux users recommend only using the root
user when you need to. In case you make mistakes
you don't want to destroy your system. But there
are a lot of times you'll need to be root if you have
your own system to look after
What to do as root?
●
●
Now that you are root, what are you able to
do?
Shutdown and reboot (if you are going to
shutdown, you should send the command to
do it, not just press the off button)
–
–
●
[root@usp root]# shutdown -now
[root@usp root]# reboot
Shutting down and rebooting are simple. We
can also control a lot about how the system
starts up and how it runs while it is on
System Startup
●
●
The system will have many programs that
will start up as 'services.' These will be things
like the webserver, telnet server, but also
kernel programs that keep the filesystem
together, run memory and do system
logging.
Some of these services will be defined by the
user, some by the system. You can control
them all through the use of what is called
Run Levels and the chkconfig command
What happens during a bootup?
1. BIOS: The Basic Input/Output System is the lowest level
interface between the computer and peripherals. The BIOS
performs integrity checks on memory and seeks instructions
on the Master Boor Record (MBR) on the floppy drive or
hard drive.
2. The MBR points to the boot loader (LILO: Linux boot
loader).
3. LILO will then ask for the OS label which will identify which
kernel to run. It then loads the Linux operating system.
4. The first thing the kernel does is to execute init program.
Init is the root/parent of all processes executing on Linux.
5. The first processes that init starts is a script
/etc/rc.d/rc.sysinit
6. Based on the appropriate run-level, scripts are then
executed to start various processes to run the system
Run Levels
●
A run level is a state of init and the whole
system that defines what system services are
operating. Run levels are identified by
numbers
–
Run level numbers
0 Halt the system.
1 Single-user mode (for special administration).
2-5
Normal operation (user defined).
6 Reboot.
●
Deciding on how you run your system at
startup, the run level will determine what
programs start and how much you are able
to change
Run Levels
●
Run levels are configured in /etc/inittab by lines like the
following:
–
●
●
l2:2:wait:/etc/init.d/rc 2
The first field is an arbitrary label, the second one
means that this applies for run level 2. The third field
means that init should run the command in the fourth
field once, when the run level is entered, and that init
should wait for it to complete. The /etc/init.d/rc
command runs whatever commands are necessary to
start and stop services to enter run level 2.
The command in the fourth field does all the hard work
of setting up a run level. It starts services that aren't
already running, and stops services that shouldn't be
running in the new run level any more. Exactly what
the command is, and how run levels are configured,
depends on the Linux distribution.
Run Levels
●
●
●
When init starts, it looks for a line in /etc/inittab
that specifies the default run level:
– id:2:initdefault:
You can ask init to go to a non-default run level at
startup by giving the kernel a command line
argument of single or emergency. Kernel command
line arguments can be given via LILO, for example.
This allows you to choose the single user mode
(run level 1).
While the system is running, the telinit command
can change the run level. When the run level is
changed, init runs the relevant command from
/etc/inittab.
Booting in single user mode
●
●
●
An important run level is single user mode (run level 1),
in which only the system administrator is using the
machine and as few system services, including logins, as
possible are running. Single user mode is necessary for a
few administrative tasks.
A running system can be taken to single user mode by
using telinit to request run level 1. At bootup, it can be
entered by giving the word single or emergency on the
kernel command line: the kernel gives the command line
to init as well, and init understands from that word that
it shouldn't use the default run level.
One reason to go to this level is if you forget your root
password or if you need to check the filesystem on the
“/” partition
init.d and xinet.d
●
●
●
●
init.d is a folder in your /etc/rc.d directory that
contains little programs called “scripts” that will start
or stop services and programs on your computer.
It is actually part of the startup process and based on
what run level you have decided to use, different
scripts will be run from the init.d folder
Most of the scripts will have a 'start', 'stop', 'restart'
and 'status' option so you can control the programs
yourself
For example, to start a webserver, you might do the
following
– /etc/rc.d/init.d/httpd start
rc.d
●
So the program scripts are in the /etc/rc.d/init.d folder
●
What is the /etc/rc.d folder for?
●
●
●
/etc/rc.d will contain all the files needed to boot up.
This is where the programs for the different run levels
are saved. They are located in the /etc/rc.d/rc0.d/ -->
/etc/rc.d/rc6.d/
Notice the files in these folders start with a S or a K
before them. The files with an S mean they are for
startup, the files with the K mean they are for the
shutdown
To add a new service and have it be included in the
correct run level, you'll need to put the K and S files in
the correct rcX.d folder (where X --> 0-6)
rc.d
●
●
●
Sometimes with all the run levels and files things
get confusing, so what if you just want a simple
way to make things start when you boot up the
system?
There is a file called /etc/rc.d/rc.local. This 'rc.local'
file will be run when the system starts and any
commands inside of it will also be run.
You just need to put the full path to where the file
is saved. For example, if you want a mySQL
database to start when the computer starts, just
put in on the last line of the rc.local file
– /usr/local/bin/mysql
xinet.d
●
●
●
All the talk about init.d is for programs and
services that are local, which means they run
on the system and are not for networked
enabled programs (generally speaking).
For programs that are networked services,
ones that talk to other computers on a
network, the xinet.d folder is used in /etc/.
xinet.d is relatively new to Linux, but used a
lot in RedHat. When we get to the chapter
about networking, we will look at it more in
depth
Chkconfig
●
●
●
●
So how can you control what programs will start up and
shut down and find out what is actually running?
The chkconfig command is used to activate and
deactivate services.
If you use the chkconfig --list command, you
will see a list of system services and whether they are
started (on) or stopped (off) in runlevels 0-6.
Example:
$ chkconfig --list anacron
anacron
0:off 1:off 2:on 3:on 4:on 5:on 6:off
Chkconfig
●
Examples:
●
Forces httpd service to run for levels 3, 4 and 5.
* chkconfig --level 345 httpd on
●
Start the httpd service when system starts.
* chkconfig --add httpd
●
Do not start the sendmail system start.
* chkconfig --del sendmail
●
List all services and init levels.
* chkconfig --list
chkconfig
●
●
Most of the time we can just use chkconfig
to turn things on and off (which is the
easiest)
It will make the changes for the current run
level and thus, you won't need to worry
about what run level you are changing
●
[root@comp root]# chkconfig sendmail off
●
[root@comp root]# chkconfig httpd on
Crontab
●
●
●
So you know how to make programs start
when the system starts, what about making
programs run at a regular interval, for
example every hour, or once a day?
Crontab is a small program that is the task
scheduler on Linux systems. It will act like an
alarm clock. At a certain time, it will wake up
and make a program run.
When you access crontab, you have to use
the text editor, vi. So all your practice with vi
will pay off
Using crontab
●
●
●
●
●
Each user is allowed to have his or her own crontab,
but the root user will be the one to use it the most.
To see your crontabs, type
– crontab -l
And what you'll see is something like
–
0 1 * * * /home/www/cgi-bin/awstats.pl
–
0 2 * * * /usr/bin/sarg
–
0 3 * * * echo > /var/log/squid/access.log
–
0 3 * * * echo > /var/mail/junk
Basically a list of programs with some numbers and
stars
So what does it mean and how does it work?
Using crontab
●
●
●
●
●
0 1 * * * /home/www/cgi-bin/awstats.pl
There are five fields to the schedule, and then the name of
the program that will run
The fields are, in this order,
–
MINUTE(0-59)
–
HOUR(0-23)
–
DAYOFMONTH(1-31)
–
MONTHOFYEAR(1-12)
–
DAYOFWEEK(0-6) Note 0 = Sun
Also note that the ASTERISK (*) is what's called a
WILDCARD meaning it will match any value.
So in this example it will run on the 0th minute of the 1st
hour of every day of the month, every month of the year
and every day of the week
Add your own crontab
●
●
●
●
●
So to add your own crontab, type
– crontab -e
This will open up the crontab file in 'vi' and you can
add your own crontab line
Crontab examples:
Program1 will run every minute of the 1st hour of
the 4th day of every month
– * 1 4 * * /usr/bin/program1
Program2 will run every 15th minute every 6 hours,
every 10th day of the 5th month of the year
0,15,30,45 0,6,12,18 10 5 *
/usr/bin/program2
User Management
●
●
●
An important task for the root user is to be able
to add new user's to the system and to delete old
users.
To add a user to the system we can use the
command 'useradd' or we can do it all manually
With 'useradd'
[root@usp /]$ useradd new_user -g students
●
●
This will add a user called new_user and put them in the
group called students
To remove user, 'userdel'
[root@usp /]$ userdel new_user
Setting passwords
●
To set a password for a new user, you'll use
the 'passwd' program
[root@usp /]$ passwd new_user
●
●
You'll then be prompted to enter in the new
password for that user
If you don't specify a user name, then you
can change your own password
Groups
●
●
●
●
Users also have options of being inside of groups.
This is for security and permission reasons. For
example, at a school, all students might be in the
students group and all teachers in the staff group.
You could then make student grades group
readable for staff, but not for students.
To add a new group to the system, use 'groupadd'
[root@usp /]$ groupadd students
Now you'll be able to add students to this new
group on your system
Adding users manually
●
●
●
The list of users and their home directories are in
the important file called '/etc/passwd'
This file used to contain encrypted passwords of
everyone on the system, but that proved insecure
and they moved the passwords to a file called
/etc/shadow that only root can read
Inside /etc/passwd you'll see lines like
user1:x:500:100:User 1:/home/user:/bin/bash
●
Fields are separated by the ':' The first field is for
the username. Then next, 'x' means the password
is in /etc/shadow. 500 and 100 are the user id and
group id respectively. User 1 is the name of the
user. /home/user is their home directory and
/bin/bash is the shell program they are using
The /etc/group file
●
Groups are saved inside the file /etc/group and a
line will look like this
–
●
●
administrators:x:501:user1,user2
The first field is the name of the group, the 'x' is for
no password, 501 is the group id and the last field
is a list of users who are also part of this group
For example, user1 might be a part of staff and
administrators, but his primary group is staff. So to
add him to administrators, add him to the end of
the line for in the /etc/group file
Assigning quotas
●
●
●
Quotas limit how much space one user can take up on a
system. If you don't have any quotas, then someone can put
every movie they have on the computer until you run out of
space and there is no room for virtual memory. That's bad
So if you have a lot of users, its good to have some sort of
quota system set up to limit how much they can save
To add quotas to a system is sometimes tricky, but generally
these are the steps to take. First open /etc/fstab and find
the partition you want to change. You'll see something like
/dev/hda2 /home ext3 defaults 1 1
●
You'll be adding the usrquota, and the grpquota part.
This tells the file system there is a user and group
quota. Do it like this:
/dev/hda2 /home ext3 defaults,usrquota,grpquota 1 1
Assigning quotas
●
●
●
The next step is to create a file where quotas are
saved. Depending on what filesystem you have you
might have to create a file called 'quota.user' or
'aquota.user'
– touch /home/quota.user
– chmod 600 /home/quota.user
Then you need to turn on quotas
– quotaon -av
And now you are ready to start assigning quotas
hopefully. You might have to reboot the computer so
that the partition is remounted correctly at the
beginning, with quotas enabled
Assigning quotas
●
To assign a quota for a user, you'll use a command called 'edquota'
–
edquota -u user1
●
You'll see something like the below:
●
Disk quotas for user user1 (uid 665):
Filesystem
blocks
/dev/hda3
18860
soft
99000
hard
100000
inodes soft hard
71
●
Filesystem shows which partition it is on.
●
Blocks shows how many KB the user has taken up
●
●
●
0
0
Soft is the 'soft' quota for how many KB they can use. This means they'll
get a warning when they get to this level
Hard is the 'hard', they cannot go over this limit
Inodes is the number of files they have created (hard and soft are quotas
for the number of files they can have in total)
Checking and maintaining quotas
●
To see all the quotas you have on a system, use the
command:
–
●
To see the quota for just one user, try
–
●
●
repquota -a
quota -u user1
Soft limits are like grace periods for people, it will let
them keep their files for a certain amount of time above
the soft limit, but then make them delete stuff after a
certain amount of time
To change how long that time is, use the command
–
edquota -t
Summary
●
●
●
●
This chapter gave you a basic outline of somethings
the root user is responsible for.
The root user will also be involved in doing many
other things, and there are many other commands
that help the root user to administer
We'll take a look at other things the root user can
do, especially in terms of networking and security
features on Linux
Remember, if anyone found out your root user
password, they could do whatever they want to
your computer very easily.