TechNotes

/usr/bin/emacs-24.5: sticky ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32

The Linux alternatives system allows you configure the use of a specific executable referred to by a generic name. The typical example is to configure the use of a specific editor when several alternatives are available.

Suppose the following editors are installed on a system:

/usr/bin/vim
/usr/bin/gedit
/usr/bin/emacs
/bin/vi

First, you need to "install" these editors into the alternatives system. The general form of the "alternatives" command is:

# alternatives --install link name path priority

The "link" is just a name that you will use to invoke an editor; it should be something that exists in your PATH; in this case we will choose the value "/usr/bin/edit"
The "name" is a generic term that refers to some functionality; in this case we will choose "editor"; this will be installed in /etc/alternavites/<name> as a symbolic link
The "path" is the fully qualified path to some real, existing, executable
The "priority" is a number that determines which "alternative" is current

Now, let's "install" 3 of our alternatives in the alternatives system:

# alternatives --install /usr/bin/edit editor /usr/bin/vim 100

# alternatives --install /usr/bin/edit editor /usr/bin/gedit 200

# alternatives --install /usr/bin/edit editor /usr/bin/emacs 300

In this example, 3 of our 4 available editors have been installed in the alternatives system. The execution of the above 3 commands will cause the following:

Symbolic link /usr/bin/edit is created, pointing to /etc/alternatives/editor
Symbolic link /etc/alternatives/editor is created, pointing to /usr/bin/emacs
File /var/lib/alternatives/editor is created, with the following contents:

auto <--- the mode

/usr/bin/edit <--- the link (symbolic link /etc/alternatives/<name>)

/usr/bin/vim <--- the first alternative

100 <--- and its priority

/usr/bin/gedit <--- etc

200

/usr/bin/emacs

300

If we were to now execute the following command:

# alternatives --display editor

the alternatives system would consult the above file to display the current settings:

edit - status is auto

link currently points to /usr/bin/emacs

/usr/bin/vim - priority 100

/usr/bin/gedit - priority 200

/usr/bin/emacs - priority 300

Current 'best' version is /usr/bin/emacs

If we were to execute the following command:

# alternatives --config editor

the alternatives system would present us with a menu allowing us to change the settings. The "+" indicates which entry is current and the "*" indicates which entry is considered best (based on the priority).

If we wanted to introduce /bin/vi as a choice, we could:

# alternatives --install /usr/bin/edit editor /bin/vi 400

Instead of using "config" we could have used "--set" directly to select a new choice:

# alternatives --set editor /bin/vi

Note that "--set" can only be executed on an already "--installe[ed]" alternative

Relationship Between Contents of "/var/lib/alternatives/<name>" and "alternatives --install" Command

The generic format of the "alternatives --install" command is:

# alternatives --install link name path priority \

--slave slink1 sname1 spath1 \

--slave slink2 sname2 spath2 \

--slave slink3 sname3 spath3 \

--slave slink4 sname4 spath4

The execution of the command:

# alternatives --install /usr/bin/java java /usr/lib/jvm/jre-1.4.2-gcj/bin/java 1420 \

--slave /usr/lib/jvm/jre jre /usr/lib/jvm/jre-1.4.2-gcj \

--slave /usr/lib/jvm-exports/jre jre_exports /usr/lib/jvm-exports/jre-1.4.2-gcj \

--slave /usr/bin/keytool keytool /usr/lib/jvm/jre-1.4.2-gcj/bin/keytool \

--slave /usr/bin/rmiregistry rmiregistry /usr/lib/jvm/jre-1.4.2-gcj/bin/rmiregistry

would result in:

# cat /var/lib/alternatives/java <--- "java" is name

manual

/usr/bin/java <--- link

jre <--- sname1

/usr/lib/jvm/jre <--- slink1

jre_exports <--- sname2

/usr/lib/jvm-exports/jre <--- slink2

keytool <--- sname3

/usr/bin/keytool <--- slink3

rmiregistry <--- sname4

/usr/bin/rmiregistry <--- slink4

...blank line...

/usr/lib/jvm/jre-1.4.2-gcj/bin/java <--- path

1420 <--- priority

/usr/lib/jvm/jre-1.4.2-gcj <--- spath1

/usr/lib/jvm-exports/jre-1.4.2-gcj <--- spath2

/usr/lib/jvm/jre-1.4.2-gcj/bin/keytool <--- spath3

/usr/lib/jvm/jre-1.4.2-gcj/bin/rmiregistry <--- spath4

Note that "alternatives --display <name>" simply summarizes the contents of file "/var/lib/alternatives/<name>"

# alternatives --display java

java - status is manual

link currently points to /usr/lib/jvm/jre-1.4.2-gcj/bin/java

/usr/lib/jvm/jre-1.4.2-gcj/bin/java - priority 1450

slave jre: /usr/lib/jvm/jre-1.4.2.gcj

slave jre_exports: /usr/lib/jvm-exports/jre-1.4.2-gcj

slave keytool: /usr/lib/jvm/jre-1.4.2-gcj/bin/keytool

slave rmiregistry: /usr/lib/jvm/jre-1.4.2-gcj/bin/rmiregistry

Current 'best' version is /usr/lib/jvm/jre-1.4.2-gcj/bin/java

DIRCOLORS

dircolors is used to adjust the colors displayed by the "ls" command. To get the current settings:

$ dircolors -p > lscolors.txt

Now modify "lscolors.txt". Here is a summary of the codes used:

Attribute Text Background Color

00=none 30 40 black

01=bold 31 41 red

04=underscore 32 42 green

05=blink 33 43 yellow

07=reverse 34 44 blue

08=conceal 35 45 magenta

36 46 cyan

37 47 white

To "install" your modified "lscolors.txt":

$ eval $(dircolors lscolors.txt)

However, the easier way is to create "lscolors.txt" as ".dircolors" in your home directory. A file in /etc/profile.d (colorls.sh) detects the presence of ".dircolors" and uses it instead of the standard system version.

USER EQUIVALENCE

To setup user equivalence:

On HOST1:

# generate the host1 public and private keys

$ ssh-keygen -t {dsa|rsa}

# copy host1 public keys to host2

$ cd ~/.ssh

$ scp *.pub <userid>@<host2>:/tmp/

On HOST2:

# generate the host2 public and private keys

$ ssh-keygen -t {dsa|rsa}

# copy host2 public keys to host1

$ cd ~/.ssh

$ scp *.pub <userid>@<host1>:/tmp/

# append the public keys from host1 to the authorized_keys file

$ cat /tmp/*.pub >> authorized_keys

On HOST1:

# append the public keys from host2 to the authorized_keys file

$ cd ~/.ssh

$ cat /tmp/*.pub >> authorized_keys

NOTE: The ~/.ssh directory contains the public and private keys that belong to "this" host.

The authorized_keys file contains the public keys of the other hosts (the ones allowed to

ssh to this host). Repeat the process between all sets of hosts for which user equivalence

is desired.

NOTE: Ensure that file authorized_keys has 600 (rw- --- ---) permissions.

MISCELLANEOUS

ALIAS

See .bashrc

aliases for "ls" colors are set in /etc/profile.d/colors.x (see /etc/profile)

alias r="fc -s"

alias ls="ls -Fx color=none"

alias ps="ps -Heo euser,pid,ppid,cputime,start,comm"

AUDIT

auditd

/etc/audit/auditd.conf

/etc/audit/audit.rules

/var/log/audit -> /var/log/audit.d/bin.n

auditctl

-e 0|1 [disable, enable auditing]

-l [list rules]

-s [status]

-a list,action -F name oper value [add rule to end of list]

-A list,action -F name oper value [add rule to beginning of list]

list = task, entry, exit, user, exclude

action = never, always

aureport

Selection Options:

--failed

-i --interpret

--success

-te --end (recent, today, yesterday, this-week)

-ts --start (recent, today, yesterday, this-week)

Report Options

-au --auth

-a --avc

-cr --crypto

-e --event

-f --file

-h --host

-l --login

-m --mods

-ma --mac

-r --response

-s --syscall

-u --user

-x --executable

ausearch

Selection Options:

-i --interpret

-te --end (today, yesterday, this-week)

-ts --start (today, yesterday, this-week)

-w --word (must match whole word)

Report Options

-a --event audit_event_id

-c --comm commnad_name

-f --file file_name

-ga --gid-all group_id

-hn --host hostname

-k --key key_string

-m --message message_type

-o --object se-linux-context

-p --pid pid

-pp --ppid ppid

-sc --syscall syscall_name_or_value

-se --context se-linux-context

-su --subject se-linux-context

-sv --success yes|no

-ua --uid-all userid

-x --executable executable name

AUTO LOGON

To enable auto logon via ssh from Unix to a Windows host (without using a password)

# logon to Windows host in target userid

# create directory .ssh2

c:\documents and settings\someuser> mkdir .ssh2

#logon to Unix host from which autologon is desired

# move to .ssh directory

$ cd .ssh

# create private key (id_dsa) and public key (id_dsa.pub)

# do not supply a pass-phrase when prompted

$ ssh-keygen -t dsa

# create SECSSH Public Key file (ssh_id_dsa.pub)

$ ssh-keygen -e -f id_dsa > ssh_id_dsa.pub

# copy file "ssh_id_dsa.pub" to the Windows host

$ sftp @

> lls (ensure id_dsa, id_dsa.pub and ssh_id_dsa.pub are visible)

> cd .ssh2 (change to remote directory /HOME/.ssh2)

> put ssh_id_dsa.pub (copy file to remote Windows host)

> exit

# logon to Windows host

# move to directory .ssh2

c:\documents and settings\someuser> cd .ssh2

# edit (create) file "authorization"

# put in an entry that reads: "key ssh_id_dsa.pub"

AUTO MOUNT

disable /etc/rc.d/init.d/autofs to prevent automatic mounts

chkconfig --level ijk autofs off

service autofs stop

AUTO RUN

autorun - automatically mount cdrom on startx

See Mount

See /etc/fstab

See $HOME/.kde/Autostart/Autorun.desktop

BOOT ARGUMENTS

See "man bootparam"

/var/log/dmesg

/var/log/boot.log

cat /proc/cmdline

hda -> 1st IDE, master

hdb -> 1st IDE, slave

hdc -> 2nd IDE, master

hdd -> 2nd IDE, slave

BOOT DISK

mount /dev/cdrom /mnt/cdrom

dd if=boot,img of=/dev/fd0 bs=1440k

BOOT LOADER

/etc/grub.conf

The master boot record (MBR):

The recommended place to install a boot loader, unless the MBR already starts another operating system loader, such as System Commander or OS/2's Boot Manager. The MBR is a special area on your hard drive that is automatically loaded by your computer's BIOS, and is the earliest point at which the boot loader can take control of the boot process. If you install it in the MBR, when your machine boots, GRUB (or LILO) will present a boot prompt. You can then boot Red Hat Enterprise Linux AS or any other operating system that you have configured the boot loader to boot.

The first sector of your root partition:

Recommended if you are already using another boot loader on your system (such as OS/2's Boot Manager). In this case, your other boot loader will take control first. You can then configure that boot loader to start GRUB (or LILO), which will then boot Red Hat Enterprise Linux AS.

Caution:

If you have a RAID card, be aware that some BIOSes do not support booting from the RAID card. In cases such as these, the boot loader should not be installed on the MBR of the RAID array. Rather, the boot loader should be installed on the MBR of the same drive as the /boot partition was created.

CERTIFICATES

# GENERIC INSTRUCTIONS

# create a private key then generate a certificate request from it

openssl genrsa -out privkey.pem 1024

openssl req -new -key privkey.pem -out certreq.pem

# same thing as above, but using req

# create a private key and a certificate request (all equivalent)

openssl req -new -out certreq.pem

openssl req -new -keyout privkey.pem -out certreq.pem

openssl req -newkey rsa:1024 -out certreq.pem

openssl req -newkey rsa:1024 -keyout privkey.pem -out certreq.pem

# remove the pass phrase from an RSA private key

openssl rsa -in privkey.pem -out privkey_npp.pem

# create a private key and self signed root certificate

openssl req -x509 -newkey rsa:1024 -keyout privkey.pem -out rootcert.pem

# create self signed root certificate from a private key

openssl x509 -req -in certreq.pem -signkey privkey_npp.pem -out rootcert.pem

# examine and verify a certificate request

openssl req -in certreq.pem -text -verify -noout

# encrypt a private key using triple DES

openssl rsa -in privkey.pem -des3 -out privkey_3des.pem

# convert a private key from PEM to DER format

openssl rsa -in privkey.pem -outform DER -out privkey.der

# print out components of private key

openssl rsa -in privkey.pem -text -noout

# print out public part of a private key

openssl rsa -in privkey.pem -pubout -out pubkey.pem

# EXAMPLE

# generate private key

openssl genrsa -des3 -out server.key 1024

# generate cert signing request

openssl req -new -key server.key -out server.csr

# remove pass phrase from key

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

# create self signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# install certificate and private key

cp server.crt /usr/local/apache/conf/ssl.crt/

cp server.key /usr/local/apache/conf/ssl.key/

# configure ssl.conf

SSLEngine on

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

CHKCONFIG

chkconfig --list [service]

chkconfig --add service

chkconfig --del service

chkconfig [--level level] service on|off|reset

Header:

# chkconfig: levels start_order kill_order

# description: description

# processname: processname

COMPRESSION

compress/uncompress .Z

gzip/gunzip .gz

zip/unzip .zip .jar .war

bzip2/bunzip2 .bz2

CONFIGURATION FILES

See /usr/share/doc/initscripts-version/sysconfig.txt for details

/etc/hosts

/etc/sysconfig/network

GATEWAY=<gateway IP>

HOSTNAME=<fqdn by default, but whatever hostname you want>

GATEWAYDEV=<gateway device to use when multiple devices have a gateway (eg eth0)>

IPV6FORWARDING=yes|no

IPV6INIT=yes|no

IPV6TO4_RADVD_PIDFILE=<pid-file> (obsolete)

IPV6_AUTOCONF=yes|no

IPV6_AUTOTUNNEL=yes|no

IPV6_DEFAULTDEV=<interface> (optional)

IPV6_DEFAULTGW=<IPv6 address[%interface]> (optional)

IPV6_RADVD_PIDFILE=<pid-file> (optional)

IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP (optional)

IPV6_ROUTER=yes|no<br /> IPX=yes|no

IPXAUTOFRAME=on|off (again, not yes|no)

IPXAUTOPRIMARY=on|off (note, that MUST be on|off, not yes|no)

IPXINTERNALNETNUM=<netnum>

IPXINTERNALNODENUM=<nodenum>

NETWORKDELAY=<delay in seconds>

NETWORKING=yes|no

NETWORKING_IPV6=yes|no

NISDOMAIN=<nis domain name>

NOZEROCONF= Set this to not set a route for dynamic link-local addresses.

VLAN=yes|no

obsoleted values from earlier releases:

FORWARD_IPV4=yes|no

DEFRAG_IPV4=yes|no

/etc/sysconfig/network-scripts/ifcfg-eth0

The first defines an interface, and the second contains only the parts of the definition that are different in a

"alias" (or alternative) interface. For example, the network numbers might be different, but everything else

might be the same, so only the network numbers would be in the alias file, but all the device information would

be in the base ifcfg file.

The items that can be defined in an ifcfg file depend on the interface type.

BOOTPROTO=none|bootp|dhcp

DEVICE=<name of physical device

DHCLIENT_IGNORE_GATEWAY=yes|no|1|0

DHCPRELEASE=yes|no|1|0

DNS{1,2}=<ip address>

GATEWAY=

HOTPLUG=yes|no

HWADDR= ethernet hardware address for this device

IPADDR=

MACADDR=use of this in with HWADDR= may cause unintended behavior.

METRIC=metric for the default route using GATEWAY

MTU=default MTU for this device

NAME=<friendly name for users to see>

NETMASK=

NM_CONTROLLED=yes|no

NOZEROCONF=

ONBOOT=yes|no (not valid for alias devices; use ONPARENT)

PEERDNS=yes|no

PERSISTENT_DHCLIENT=yes|no|1|0

SCOPE= Ethernet with BOOTPROTO=none.

SRCADDR= use the specified source address for outgoing packets

USERCTL=yes|no

WINDOW= Default window for routes from this device

If BOOTPROTO is not "none", then the only other item that must be set is the DEVICE item; all the rest will be determined

by the boot protocol. No "dummy" entries need to be created.

Base items being deprecated:

NETWORK=<will be calculated automatically with ipcalc>

BROADCAST=<will be calculated automatically with ipcalc>

Alias specific items:

ONPARENT=yes|no

Whether to bring up the device when parent device is brought up.

Wireless-specific items:

See iwconfig(8) for additional information.

CHANNEL= Ignored if MODE=Managed.

DEFAULTKEY=<default key index>

ESSID= Defaults to "any".

FRAG=[off|<fragmentation threshold>

FREQ= Ignored if MODE=Managed.

IWCONFIG=<other iwconfig(8) options>

IWPRIV=<iwpriv(8) commands>

KEY=<default WEP key>

KEY{1,2,3,4}=<WEP key with the given index>

NWID=

RATE=

RTS=[auto|fixed|off|<rts threshold>

SECURITYMODE=[on|off|open|restricted]

SENS=<sensitivity threshold>

SPYIPS=<list of IP addresses to monitor for link quality>

/etc/resolv.conf

search domain | domain domain (search/domain mutually exclusive)

nameserver x.x.x.x

/etc/nsswitch.conf

where to look first to resolve names

/etc/sysconfig/static-routes

any host x.x.x.x netmask x.x.x.x gw x.x.x.x

route add -host 192.168.100.17 netmask 255.255.255.0 gw 172.16.22.1

See /etc/init.d/network

/etc/localtime

-> /usr/share/zoneinfo/EST5EDT

/etc/security/opasswd

/etc/ntp.conf

/usr/lib/X11/app-defaults

$HOME/.Xresources

$HOME/.Xdefaults

/etc/rc.d/rc.sysinit

AUTOFSCK_TIMEOUT=15

/etc/network/interfaces

(Knoppix)

auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static

address 137.9.70.43

netmask 255.255.255.0

gateway 137.9.70.1

CRON

/var/spool/cron/ - contains cron files named after /etc/passwd entries; if unmatched entires exist here, may get "ORPHAN (no passwd entry)" messages in logwatch

/etc/crontab - contains entries to directories

/etc/cron.hourly/

/etc/cron.daily/ - logwatch lives here; if it doesn't run, make sure it's executable

/etc/cron.weekly/

/etc/cron.monthly/

/etc/cron.d/sysstat - contains system activity accounting jobs; produces "crond(pam_unix)" session messages in /var/log/secure

minute: 0-59 | a-b/n | */n

hour: 0-23

day_of_month: 1-31

month: 1-12

day_of_week: 0-7 (0 or 7 is Sunday)

DATA FILES

/var/log/boot.log

/var/log/cron

/var/log/dmesg

/var/log/lastlog

/var/log/messages

/var/log/ppp

/var/log/rpmpkgs (see /etc/crontab)

DIRECTORY PERMISSIONS

Need read to use ls on directory

Need write to add/remove files in directory

Need execute to cd into directory or use it as part of a path

If you don't have execute in all directories along a path to a file you cannot use the file regardless of the file's permissions

If you don't have read permissions to a directory, file name expansion will not work on that directory's files; you must use the full pathname to access files

If you don't have write permission you cannot move, create or remove files in the directory

If you have write permissions in a directory, you can remove a file, regardless of the file's permissions or who the owner is. However, as of SVR3.2, if a directory is writable and the sticky bit is set, a user can remove a file in that directory only if the user owns the file, or the user owns the directory, or the file is writable by the user, or the user is root.

DISK FAILURE

To copy physical disk to another:

dd if=/dev/hda of=/dev/hdb bs=1k conf=sync,noerror

DISK INFORMATION

fdisk -l

fdisk -l /dev/hdx

sfdisk -l

sfdisk -l /dev/hdx

hdparm -i /dev/hdx

hdparm -I /dev/hdx

parted /dev/hdx

EDGE SYNCHRONIZATION ERROR

Fonts larger than the boxes designed to hold them causes an edge synchronization error after 10,000 iterations

EDITING .WAR FILES

unzip -d /tmp some.war '*/element'

cd /tmp

vi path/element

zip -f some.war path/element

Get table of contents:

unzip -l some.war | less

Get table of contents, listing a particular element:

unzip -l some.war '*/element'

Extract particular element to stdout:

unzip -c some.war '*/element'

Extract particular element into some directory:

unzip -d dir some.war '*/element'

Extract particular element into some directory, junk paths:

unzip -j -d dir some.war '*/element'

Extract particular element into current directory, preserving paths:

unzip some.war '*/element'

Extract particular element into current directory, junk paths:

unzip -j some.war '*/element'

Remove a particular element:

zip -d some.war '*/element'...

Replace a particular element:

zip -f some.war path/element

Replace all elements under :

zip -fr some.war path/

FILE ACCESS TIMES

FIND LS

DESCRIPTION

-atime -tu

file access time

-ctime -tc

file status change time

-mtime -t

file modification time

FILE AND DIRECTORY PERMISSIONS

Linux Files and File Permission

Linux files are setup so access to them is controlled. There are three

types of access:

1. read

2. write

3. execute

Each file belongs to a specific user and group. Access to the files is

controlled by user, group, and what is called other. The term, other, is

used to refer to someone who is not the user (owner) of the file, nor is

the person a member of the group the file belongs to. When talking about

setting permissions for "other" users to use, it is commonly referred to as

setting the world execute, read, or write bit since anyone in the world

will be able to perform the operation if the permission is set in the other

category.

File names and permission characters

File names can be up to 256 characters long with "-", "_", and "."

characters along with letters and numbers.

When a long file listing is done, there are 10 characters that are shown on

the left that indicate type and permissions of the file. File permissions

are shown according to the following syntax example: drwerwerwe

There are a total of 10 characters in this example, as in all Linux files.

The first character indicates the type of file, and the next three indicate

read, write, and execute permission for each of the three user types, user,

group and other. Since there are three types of permission for three users,

there are a total of nine permission bits. The table below shows the

syntax:

1 2 3 4 5 6 7 8 9 10

d r w e r w e r w e

* Character 1 is the type of file: - is ordinary, d is directory, l is link.

* Characters 2-4 show owner permissions. Character 2 indicates read

* permission, character 3 indicates write permission, and character 4

* indicates execute permission.

* Characters 5-7 show group permissions. Character 5=read, 6=write,

* 7=execute

* Characters 8-10 show permissions for all other users. Character

* 8=read, 9=write, 10=execute

There are 5 possible characters in the permission fields. They are:

* r = read - This is only found in the read field.

* w = write - This is only found in the write field.

* x = execute - This is only found in the execute field.

* s = setuid - This is only found in the execute field.

* If there is a "-" in a particular location, there is no permission.

* This may be found in any field whether read, write, or execute field.

Examples

Type "ls -l" and a listing like the following is displayed:

total 10

drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects

-rw-rw-rw- 1 george team1 1873 Aug 23 08:34 test

-rw-rw-rw- 1 george team1 1234 Sep 12 11:13 datafile

The fields are as follows:

1. Type field: The first character in the field indicates a file type of

one of the following:

* d = directory

* l = symbolic link

* s = socket

* p = named pipe

* - = regular file

* c= character (unbuffered) device file special

* b=block (buffered) device file special

2. Permissions are explained above.

3. Links: The number of directory entries that refer to the file. In our

example, there are four.

4. The file's owner in our example is George.

5. The group the file belongs to. In our example, the group is team1.

6. The size of the file in bytes

7. The last modification date. If the file is recent, the date and time

is shown. If the file is not in the current year, the year is shown

rather than time.

8. The name of the file.

Set User Identification Attribute

The file permissions bits include an execute permission bit for file owner,

group and other. When the execute bit for the owner is set to "s" the set

user ID bit is set. This causes any persons or processes that run the file

to have access to system resources as though they are the owner of the

file. When the execute bit for the group is set to "s", the set group ID

bit is set and the user running the program is given access based on access

permission for the group the file belongs to. The following command:

chmod +s myfile

sets the user ID bit on the file "myfile". The command:

chmod g+s myfile

sets the group ID bit on the file "myfile".

The listing below shows a listing of two files that have the group or user

ID bit set.

-rws--x--x 1 root root 14024 Sep 9 1999 chfn

-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile

The files chfn and lockfile are located in the directory "/usr/bin". The

"s" takes the place of the normal location of the execute bit in the file

listings above. This special permission mode has no meaning unless the file

has execute permission set for either the group or other as well. This

means that in the case of the lockfile, if the other users (world execute)

bit is not set with permission to execute, then the user ID bit set would

be meaningless since only that same group could run the program anyhow. In

both files, everyone can execute the binary. The first program, when run is

executed as though the program is the root user. The second program is run

as though the group "mail" is the user's group.

For system security reasons it is not a good idea to set many program's set

user or group ID bits any more than necessary, since this can allow an

unauthorized user privileges in sensitive system areas. If the program has

a flaw that allows the user to break out of the intended use of the

program, then the system can be compromised.

Directory Permissions

There are two special bits in the permissions field of directories. They

are:

* s - Set group ID

* t - Save text attribute (sticky bit) - The user may delete or modify

* only those files in the directory that they own or have write

* permission for.

Save text attribute

The /tmp directory is typically world-writable and looks like this in a

listing:

drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp

Everyone can read, write, and access the directory. The "t'' indicates that

only the user (and root, of course) that created a file in this directory

can delete that file.

To set the sticky bit in a directory, do the following:

chmod +t data

This option should be used carefully. A possible alternative to this is

1. Create a directory in the user's home directory to which he or she

can write temporary files.

2. Set the TMPDIR environment variable using each user's login script.

3. Programs using the tempnam(3) function will look for the TMPDIR

variable and use it, instead of writing to the /tmp directory.

Directory Set Group ID

If the setgid bit on a directory entry is set, files in that directory will

have the group ownership as the directory, instead of than the group of the

user that created the file.

This attribute is helpful when several users need access to certain files.

If the users work in a directory with the setgid attribute set then any

files created in the directory by any of the users will have the permission

of the group. For example, the administrator can create a group called

spcprj and add the users Kathy and Mark to the group spcprj. The directory

spcprjdir can be created with the set GID bit set and Kathy and Mark

although in different primary groups can work in the directory and have

full access to all files in that directory, but still not be able to access

files in each other's primary group.

The following command will set the GID bit on a directory:

chmod g+s spcprjdir

The directory listing of the directory "spcprjdir":

drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir

The "s'' in place of the execute bit in the group permissions causes all

files written to the directory "spcprjdir" to belong to the group "spcprj".

Note: Linux files were displayed with a default tab value of 8 in older

Linux versions. That means that file names longer than 8 may not be

displayed fully if you are using an old Linux distribution. There is an

option associated with the ls command that solves this problem. It is "-T".

Ex: "ls al -T 30" to make the tab length 30.

Umask Settings

The umask command is used to set and determine the default file creation

permissions on the system. It is the octal complement of the desired file

mode for the specific file type. Default permissions are:

* 777 - Executable files

* 666 - Text files

These defaults are set allowing all users to execute an executable file and

not to execute a text file. The defaults allow all users can read and write

the file.

The permission for the creation of new executable files is calculated by

subtracting the umask value from the default permission value for the file

type being created. An example for a text file is shown below with a umask

value of 022:

666 Default Permission for text file

-022 Minus the umask value

-----

644 Allowed Permissions

Therefore the umask value is an expression of the permissions the user,

group and world will not have as a default with regard to reading, writing,

or executing the file. The umask value here means the group the file

belongs to and users other than the owner will not be able to write to the

file. In this case, when a new text file is created it will have a file

permission value of 644, which means the owner can read and write the file,

but members of the group the file belongs to, and all others can only read

the file. A long directory listing of a file with these permissions set is

shown below.

-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt

A example command to set the umask is:

umask 022

The most common umask setting is 022. The /etc/profile script is where the

umask command is usually set for all users.

Red Hat Linux has a user and group ID creation scheme where there is a

group for each user and only that user belongs to that group. If you use

this scheme consistently you only need to use 002 for your umask value with

normal users.

FILESYSTEMS

Create Filesystem

1) partition the disk (parted | fdisk)

fdisk /dev/xxx

> n (new partition)

> p (primary partition)

> w (write)

2) make a filesystem

mkfs.ext3 /dev/sdx

mkfs -t ext3 /dev/sdx

mkfs -t msdos /dev/fd0

mkfs -t vfat /dev/fd0

mke2fs -j -N 30000000 /dev/sdb1

mke2fs 1.35 (28-Feb-2004)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

30015488 inodes, 11677239 blocks

583861 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=1685544960

916 block groups

12760 blocks per group, 12760 fragments per group

32768 inodes per group

Superblock backups stored on blocks:

12760, 38280, 63800, 89320, 114840, 319000, 344520, 625240, 1033560,

1595000, 3100680, 4376680, 7975000, 9302040

Writing inode tables: done

Creating journal (8192 blocks): done

Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 22 mounts or

180 days, whichever comes first. Use tune2fs -c or -i to override.

e2label if desired

3) mount the new partition

4) update /etc/fstab

Format of /etc/fstab

#device-name mount-point filesystem-type options fs-freq fs-passno

/dev/sdxx /home ext3 defaults 1 1

fs-freq = used by dump; 0 = do not dump

fs-passno = used by fsck; specifies order of fsck at reboot (/ should be 1, others should be 2)

Filesystem labels

see /dev/disk/by-label To Repair Corrupted Filesystem:

Determine where the superblocks are:

$ mke2fs -n /dev/sdx

Repair the filesystem:

$ e2fsck -b -p /dev/sdx

or (if -p option fails)

$ e2fsck -b /dev/sdx

Using partprobe to dynamically add partition:

Any time you use 'fdisk', 'parted' or any other favorite partitioning utility you may have to modify the partition table for a drive, run 'partprobe' after you exit the

partitioning utility and 'partprobe' will let the kernel know about the modified partition table information. If you have several disk drives and want to specify a

specific drive for 'partprobe' to scan, you can run 'partprobe <device_node>'

Use blockdev to reread a partition table

# blockdev --rereadpt /dev/sdx

FIREFOX

Firefox "about" commands:

about:

about:blank

about:buildconfig

about:cache

about:config

about:credits

about:license

about:mozilla

about:plugins

To enable java jre for firefox

cd /opt/firefox/plugins

ln -s /usr/java/jdk1.6.0_07/jre/plugin/i386/ns7/libjavaplugin_oji.so libjavaplugin_oji.so

To enable Adobe for firefox

cd /opt/firefox/plugins

ln -s /usr/local/Adobe/Acrobat7.0/Browser/intellinux/nppdf.so nppdf.so

FONTS

chkfontpath -l

chkfontpath -a font_dir

chkfontpath -r font_dir

fc-list

xfs

xfsinfo

xlsfonts

FSCK

See p. 244 of File System Admin by Arleen Frisch

When FSCK prints error messages, mode values have the following meaning

01 - named pipe

02 - character special file

04 - directory

06 - block special file

10 - plain file

12 - symbolic link

14 - socket

FTP AS SHELL SCRIPT

1) Set up .netrc:

machine name login uid password string

chmod 700 .netrc

2) Set up FTP commands in crunin

ascii

get from to

quit

3) Set up shell program crun

ftp host < crunin

4) Execute shell program

sh crun

GPG

To create a GPG key:

gpg --gen-key

To encrypt a file using GPG key:

gpg -r userid --output file.gpg --encrypt file.txt

To decrypt a file using GPG key:

gpg -r userid --output file.txt --decrypt file.gpg

GRUB

HISTORY

To keep track of date & time when commands are executed, add to /etc/profile:

HISTSIZE=2000

HISTTIMEFORMAT="%m%d%H%M%S "

HOSTNAME

/proc/sys/kernel/hostname

/etc/sysconfig/network

/etc/hosts

HTTP

File /etc/httpd/conf.d/manual.conf contains "AliasMatch" directive

"AliasMatch" allows access to HTTP manual via: http://localhost/manual

This requires "LoadModule alias_module in /etc/httpd/conf/httpd.conf

HARDWARE RESOURCES

dmidecode - list hardware resources

kudzu - looks for new hardware

To Get a List of Attached Devices:

# cat /proc/scsi/scsi

# dmidecode -s <keyword>

keyword from the following list: bios-vendor, bios-version, bios-release-date, system-manufacturer,

system-product-name, system-version, system-serial-number, system-uuid, baseboard-manufacturer,

baseboard-product-name, baseboard-ver-sion, baseboard-serial-number, baseboard-asset-tag,

chassis-man-ufacturer, chassis-type, chassis-version, chassis-serial-number, chassis-asset-tag,

processor-family, processor-manufacturer, processor-version, processor-frequency.

# dmidecode -t <type>

type can be bios, system, baseboard, chassis, processor, memory, cache, connector, slot

INFO COMMAND

Selecting other nodes:

n # next node

p # previous node

[ # previous node in document

] # next node in document

t # top node in document

u # up to parent node

d # to directory node

g # go to node [g top = t]

l # last visited node

L # list of visited nodes (c-x c-b)

m # select menu item by name (identified by "* menu:")

r|f # follow x-ref (identified by "*Note xref-name: node-name")

tab # move to next hyperlink

b # beginning of node

e # end of node

Moving around:

spc|pgdn # next page (c-v)

bsp|pgup # previous page (m-v)

down arrow # next line (c-n)

up arrow # previous lines (c-p)

c-a # cursor to beginning of line

c-e # cursor to end of line

c-b # cursor back one char

c-f # cursor forward one char

Screen Commands

c-x 0 # close current window

c-x 1 # close all windows except current

c-x 2 # split window

c-x o # move cursor to other window

c-l # refresh screen

c-g # cancel operation

Searching

/|s # search (s for next entry)

c-s # interactive search forward

c-r # interactive search backward

} # find next occurence (c-x n)

{ # find previous occurence (c-x N)

i # search index (use "," for next entry)

R # toggle regular expression

Quiting and Help

q # quit (c-x c-c)

?|h # open a help window

INITIALIZATION OPTIONS

In /etc/bashrc for global effect:

PAGER="less"; export PAGER

LESS="-FXgij10"; export LESS

alias ls="ls -Fx --color=none"

alias r="fc -s"

set -o vi

IPTABLES

To Use the Menu Interface

# system-config-securitylevel

To Update the Rules

service iptables save

edit /etc/sysconfig/iptables

service iptables restart

Files:

/etc/init.d/iptables

/etc/sysconfig/iptables

/etc/sysconfig/iptables.save

Commands:

iptables-save [> filename]

iptables-restore [< filename]

service iptables start

iptables-restore < /etc/sysconfig/iptables

service iptables stop

iptables -t table -F (flush firewall rules)

iptables -t table -X (delete firewall chains)

iptables -t table -Z (set counters to zero)

iptables -t filter -P INPUT ACCEPT

iptables -t filter -P OUTPUT ACCEPT

iptables -t filter -P FORWARD ACCEPT

service iptables restart

service iptables stop

service iptables start

service iptables status

iptables -t table --list -n --verbose --line-numbers

service iptables save

iptables-save > /tmp/iptables.XXXXXX

cp -f /etc/sysconfig/iptables /etc/sysconfig/iptables.save

cp -f /tmp/iptables.XXXXXX /etc/sysconfig/iptables

iptables [-t table] {-A|-D|--append|--delete} chain rule-specification

iptables [-t table] {-F|-L|-Z|--flush|--list|--zero} [chain [rulenum]] [options...]

iptables [-t table] -D|--delete chain rulenum

iptables [-t table] -I|--insert chain [rulenum] rule-specification

iptables [-t table] -R|--replace chain rulenum rule-specification

iptables [-t table] -S|--list-rules [chain [rulenum]]

iptables [-t table] -N|--new-chain chain

iptables [-t table] -X|--delete-chain [chain]

iptables [-t table] -P|--policy chain target

iptables [-t table] -E|--rename-chain old-chain-name new-chain-name

table:

filter|nat|mangle|raw (default is filter)

chain:

target:

ACCEPT|DROP|QUEUE|RETURN|chain

options:

-v|--verbose

-n|--numeric

--line-numbers

rule-specification:

-p|--protocol tcp|udp|icmp|all (protocols listed in /etc/protocols)

-s|--source addr[/mask]

-d|--destination addr[/mask]

-j|--jump target

-g|--goto chain

-i|--in-interface name

-o|--out-interface name

Match Extensions:

-p|--protocol allows use of match extensions implicitly

-m|--match module causes explicit load of module, thus enabling options:

Modules:

comment:

--comment "comment string"

connlimit:

--connlimit-above n

iprange:

--src-range from[-to]

--dst-range from[-to]

mac:

--mac-source address

multiport:

--source-ports|--sport port[,port|,port:port]...

--destination-ports|--dport port[,port|,port:port]...

--ports port[,port|,port:port]...

tcp:

--source-port|--sport port[:port]

--destination-port|--dport port[:port]

--tcp-flags mask comp

--syn

--tcp-option number

state:

--invalid

--established

--new

--related

--untracked

time:

--datestart

--datestop

--timestart

--timestop

--monthdays

--weekdays

Examples:

To insert in front of rule 5 of the INPUT chain a rule to accept protocol tcp whose state is new with a destination port of 2211:

iptables --insert INPUT 5 -p tcp -m state --state NEW --dport 2211 -j ACCEPT

JAVA

CLASSPATH=path_to_class_files

javac -d path_to_class_files source_file.java

java source_file

jinfo pid

JAVA TIMEZONE

To validate whether DST changes occur on the correct date for Java code, the following test code can be used:

import java.util.*;

import java.text.*;

class testdst {

public static void main(String args[]) {

if ((args.length != 4)) {

if ((args.length == 1) && args[0].equals("-list")) {

System.out.println("Available time zones are:");

String[] list = TimeZone.getAvailableIDs();

int i;

for(i = 0; i < list.length; i++)

System.out.println(list[i]);

}

else {

System.out.println("Usage testdst timezone year month day");

System.out.println("or testdst -list");

}

System.exit(1);

}

TimeZone t = TimeZone.getTimeZone(args[0]);

System.out.println("Using time zone " + t.getDisplayName());

System.out.println("Use parameter-list to get list of available time zones");

GregorianCalendar cal = new GregorianCalendar(t);

int year = new Integer(args[1]).intValue() - 1900;

int month = new Integer(args[2]).intValue() - 1;

int day = new Integer(args[3]).intValue();

Date d = new Date(year, month, day, 12, 0);

System.out.println("Testing date " + DateFormat.getDateInstance().format(d));

cal.setTime(d);

int offset_day = cal.get(Calendar.DST_OFFSET);

Date d2 = new Date(year, month, day-1, 12, 0);

cal.setTime(d2);

int offset_preday = cal.get(Calendar.DST_OFFSET);

if (offset_day == offset_preday)

System.out.println("There was no change in daylight saving time offset");

else

System.out.println("The daylight saving time offset was changed");

System.exit(0);

}

JBOSS

https://localhost:8443 (on cohort-ws1)

https://localhost:8443/mdaca (on cohort-ws1)

http://214.4.102.141:8080/jmx-console

http://214.4.102.141:8080/web-console

KERNEL MODULES

lsmod

KERNEL PAGE SIZE

getconf PAGESIZE

KERNEL VERSION

cat /proc/version

uname -a

KEYCODES

To see keycodes of special keys:

stty echo; cat -v; stty echo

enter special key

type ^D to quit

KPPP

Prevent KPPP from asking for root password:

Solution 1:

cd /etc/security/console.apps:

vi kppp:

comment out USER=root:

Solution 2:

ls -l /usr/bin/kppp

ls -l /usr/sbin/kppp

rm /usr/bin/kppp

chmod u+s /usr/sbin/kppp

ln -s /usr/sbin/kppp /usr/bin/kppp

LINE NUMBERING

nl -vstart -iincr -sstring -wwidth -nformat -bstyle

nl -v1000 -i10 -s -w4 -nrz -ba

DIRECTORY LINK COUNT

Link count represents the number of entries contained within a directory (always at least 2 to account for . and ..)

LOCKED ACCOUNT

To reset root password (must be in sudoers file):

sudo faillog -u root -r

Note: /etc/sudoers must contain "<someuserid> all=/usr/bin/faillog" for the above to work

For 64-bit systems, faillog has been replaced by pam_tally2

faillog -a list all failed logings

faillog -u user list failed logins for user

faillog -u user -l sec set lock time for user

faillog -u user -m max set max login fail count before lock

faillog -u user -r reset locked user

lastlog -u userid get last login date/time for user

pam_tally [--user userid] [--reset[=n]] set/reset login failure count

LOGICAL VOLUME MANAGEMENT

To reduce the size of a logical volume:

# umount <filesystem>

# e2fsck -f <filesystem>

# resize2fs <size> <filesystem>

# lvreduce --size <size> <filesystem>

# resize2fs <filesystem>

# mount <filesystem>

LOOPBACK

Create a file to hold the filesystem:

dd if=/dev/zero of=/.u01 bs=1024 count=20M (creates a 20G file)

Associate the file with a loopback device:

losetup /dev/loop0 /.u01

Create a filesystem on the loopback device:

mkfs -t ext3 -b 2048 -m 1 -v /dev/loop0

Create a mount point:

mkdir /u01

Mount the loopback device on the mount point:

mount -t ext3 /dev/loop0 /u01

LSOF

If an open file is accidentally deleted, use the following procedure to recover it:

$ lsof | grep filename

The output of the above should be something like this:

proc pid user nr REG 3,65 number number path (deleted)

less 4158 amachina 4r REG 3,65 123 1273 /home/f1 (deleted)

where "n" is the file descriptor (4)

Given the above information, you can take a look at the /proc entry:

$ ls -l /proc/4158/fd/4

Copy that file to a new location:

$ cp /proc/4158/fd/4 /tmp/newfile

MAILX COMMAND

To change from address:

mailx -s "subject" to@address.com -- -f from@address.com [ < from-file ]

To send HTML text:

#!/bin/bash

# parameter 1 = name of address file

IFS=","

MSGFILE="path to message text"

while read NAME ADDR

(

echo "From: somebody@somewhere.com"

echo "To: ${ADDR}"

echo "MIME-Version: 1.0"

echo "Subject: Some subject"

echo "Content-Type: Text/html"

cat ${MSGFILE}

) | sendmail -t

done < ${1}

where ${1} is a a text file containing the name and email address of the recipients (eg):

Alex Machina, address@domain.com

To set reply to address:

Create .mailrc and populate with: "set replyto=user@domain"

Message List Codes

n number

+ next undeleted

- prev undeleted

. current

^ first undeleted

$ last

* all

/str some string

:d deleted

:n new

:o old

:r read

:u unread

z +|-

MAJOR/MINOR CODES

During boot, Oracle mounts partitions identified by numbers. The numbers shown are major/minor device codes and are found in /proc/partitions

MAN PAGE SYMBOLIC LINKS

cd /usr/local/man/man3

for x in $(find /opt/appl/man/man3 -print)

ln -s $x $(basename $x)

done

MEMORY SIZE LINKS

free -mot (memory in MB)

view /proc/meminfo

wc -c /dev/mem

pmap (process memory map)

MOUSE

gpm -m /dev/input/mice -t imps2

MUTT

mutt [-a attachment] [-i include] [-s subject] [-b bcc] [-c cc] [-x] address

-x emulates mailx compose

Manual is at /usr/share/doc/mutt...

NFS

Basic setup

Create /etc/exports

chkconfig --level 345 portmap on

chkconfig --level 345 nfs on

service portmap restart

service nfs restart

mkdir /nfs_share

cd /nfs_share

mkdir disc1

mount -o loop /OS/Redhat4U2_x86_64/RHEL...disc1.iso /mnt

cp -r /mnt/* /nfs_share/disc1 [/disc1 is now exported via NFS]

Verify processes running:

rpcinfo -p

portmapper

rquotad

nfs

nlockmgr

mountd

Ensure client supports NFS:

cat /proc/filesystems

may need to "modprobe nfs"

Ensure portmapper is running on client:

/etc/ini.d: netfs, nfs, nfslock

May need to seupt /etc/hosts.allow

NSLOOKUP

server can't find : SERVFAIL

ensure /etc/resolv.conf contains "domain domain" entry

NTFS

To get name of kernel:

cat /etc/redhat-release

To get version of kernel:

uname -r

Download appropriate NTFS RPM:

rpm -ihv kernel-ntfs-rpm

[kernel-ntfs-2.4.18-14.i686.rpm or kernel-module-ntfs-x.x.x-y.i686.rpm]

To load kernel module:

modprobe ntfs

To get NTFS driver info:

dmesg | grep -i ntfs

To get list of filesystems supported by the kernel:

cat /proc/filesystem

To get device name of NTFS partition:

fdisk -l

To mount NTFS partition:

mount -t ntfs -o uid=500,gid=100,umask=022 /dev/hdax /mnt/windows

To get list of installed NTFS modules:

rpm -qa | grep -i ntfs

to uninstall a particular NTFS module:

rpm -e kernel-module-ntfs.rpm

NTP

To Ascertain If a Particular Server is a Timeserver:

# ntpdate -d <ip-of-sever>

To Check If an Association to a Configured Timeserver Exists:

# ntpq -np

Purpose of "restrict" keyword:

There is an internal list, each entry of which holds an address, a mask and a set of flags. On receipt of a packet, the source address of the packet is compared to each entry in the list, with a match being posted when the following is true: (source_addr & mask) == (addr & mask); A particular source address may match several list entries. In this case, the entry with the most one bits in the mask is chosen. The flags associated with this entry are used to control access.

References:

http://www.ntp.org

http://www.eecis.udel.edu/~mills/ntp

http://ntp.isc.org

Example:

restrict default nomodify notrap noquery

restrict 172.16.2.0 mask 255.255.255.0 nomodify notrap

restrict 214.4.102.0 mask 255.255.255.128 nomodify notrap

restrict 127.0.0.1

server ntp0.usno.navy.mil

server ntp1.usno.navy.mil

server ntp2.usno.navy.mil

driftfile /var/lib/ntd/drift

Windows NTP Client Setup

net time /querysntp:

net time /setsntp:ntp0.usno.navy.mil:

net stop w32time:

net start w32time

OPEN FILES

Provides list of open file descriptors:

ls -l /proc/pid/fd/*

List open files:

lsof (see also LSOF)

OPEN PORTS

Commands

netstat -tlnp (tcp/listening/numeric/program)

lsof -i -n (all Internet files / numeric)

nmap -sS [options] {host} (scan using TCP Sync)

nmap -sU [options] {host} (scan using UDP)

Ports

631 - Used by cupsd

5353 - Used by DNS multicast for things like Apple Bounjour

ORACLE NOTES

To Prevent Node Eviction in Case CPU is Very Busy:

# crsctl stop crs

# <crs_home>/bin/oprocd stop Ensure clusterware stack is down

# ps -ef | egrep "crsd.bin|ocssd.bin|evmd.bin|oprocd"

There should be no processes running

From one node of the cluster:

# crsctl set css diagwait 13 -force

# crsctl get css diagwait

# crsctl start crs

# crsctl check crs

CRS:

# service init.crs start

# su - "crsctl start" -l oracle

# su - "crsctl check <opt>" -l oracle {where <opt>: evmd|cssd|crsd}

Listener:

# su -c "lsnrctl <opt>" [name] -l oracle {where <opt>: start|stop|status}

PASSWORD CONTROL FILES

To force password change on next login:

chage -d 0 user

Some important files:

/etc/default/passwd

/etc/default/security

/etc/login.defs

/etc/pam.d/login

/etc/pam.d/system-auth

PCI DEVICES

# lspci

PERFORMANCE MONITORING

# sar -u 20 360 > /tmp/cpu

# sar -q 20 360 > /tmp/load

# iostat -t -d sdb1 sdc1 20 360 > /tmp/io

PRINTER CONFIGURATION

See /usr/share/cups/model/

/usr/bin/enable epson

/usr/bin/disable epson

/usr/sbin/accept epson

/usr/sbin/reject epson

lpstat -t

lpoptions -l

lpoptions -o resolution=180x180dpi|360x180dpi

PRIVATE IP ADDRESSES

Class A 10.0.0.0

Class B 172.16.0.0 - 172.31.0.0

Class C 192.168.0.0 - 192.168.255.255

PROCESSES

who -u

pstree -Apu username

ps -Ho pid,ppid,cmd -p pid,pid

RC.SYSINIT

Functions performed by rc.sysinit:

PATH=

HOSTNAME=

. /etc/sysconfig/network

NETWORKING=YES

HOSTNAME=

GATEWAY=

. /etc/init.d/functions

startup functions defined

mount -n -t proc /proc /proc

sysctl -e -p /etc/sysctl.conf

date

load keymaps / load fonts

swapon -a -e

hostname

/fsckoptions

/force check

/.autofsck

AUTOFSCK_TIMEOUT=

LVM initialization

mount -a -t nonfs,smbfs,ncpfs

/sbin/quotacheck

/sbin/quotaon

/sbin/accton

if [ -f /.unconfigured ]

/usr/sbin/password root

/usr/sbin/netconfig

/usr/sbin/kbdconfig

/usr/sbin/authconfig

/usr/sbin/ntsysv

clean up /var

clean up /etc

clean up utmp/wtmp

swapon -a

/bin/true

init serial ports

create /var/log/dmesg

create /usr/log/keyms.0

RECORD A SESSION

# script [-a] [file]

REMOTE DESKTOP

To establish an RDP connection to Windows 7 host pavilion from one of the Linux hosts:

From remote host A, logon to one of the Linux hosts (vectra, spectra, scc440) using ssh

Start vncserver from that host

# vncserver :<n> where n = port number to use

From remote host A, start vncviewer

# vncviewer --FullScreen elmtop:<n> (use F8 for options)

# rdesktop -f pavilion (use ctrl-alt-enter to toggle full screen mode)

REMOTE MOUNT

On host 1

service nfs start

service iptables stop

mount -o ro /dev/hdc /mnt/cdrom

On host 2

mount -o ro -t nfs :/mnt/cdrom /mnt

Supporting Commands:

rpcinfo -p ipli>

showmount -e ip

ROUTE COMMANDS

Linux: route add -net default netmask x.x.x.x gw x.x.x.x

Windows: route add 0.0.0.0 mask x.x.x.x y.y.y.y

RPM

/var/lib/rpm contains rpm db (can be rebuilt: rpm --rebuilddb [from packages])

/var/log/rpmpkgs contains current packages (see /etc/crontab)

CPU ARCHITECTURES:

intel 32-bit: i386,i486,i586,i686,athlon

intel 64-bit: ia64

hpalpha: alpha,alphaxx

sun: sparc,sparc9,sparc64

power pc: ppc,ppc64

motorola: m68k,m68kmint

sgi: sgi

imb rs6000: rs6000

ibm 390: i370,s390x,s90

Useful --query options:

--configfiles

(-c) displays change info for a pkg

--docfiles

(-d) lists documentation files

--info

(-i) displays pkg information; uses --queryformat if supplied

--list

(-l) lists files in pkg

--provides

lists capabilities this pkg provides

--scripts

lists scripts provided for installation/uninstallation

--state

pkg state: normal, not installed, replaced

To import a package GPG key:

rpm --import /usr/share/rhn/RPM-GPG-KEY

To query all installed packages:

rpm --query --all

To query pkg owning filename:

rpm --query --file filename

To list files this pkg provides:

rpm --query --provides pkg

To list files this pkg requires:

rpm --query --requires pkg

To list tag names:

rpm --querytags

To list using query tags:

rpm --query --queryformat '%{name}-%{version}-%{release}-(%{arch})\n' package

To list files in an rpm pkg file:

rpm2cpio pkg | cpio -t

To find what capabilities a package provides:

for x in $(ls -1)

echo ====

echo "$x provides"

rpm --query --provides --package $x

done

SCP

When scp produces a "stalled" message, refer to this excellent page for solutions:

http://linuxsecure.blogspot.com/2008/05/scp-stalled-through-firewall-ssh-no.html

Most expedient solution: use -l option to limit scp throughput

# scp -l <value> ...

SCREEN

To share a screen session:

On the control side:

$ screen - S <session_name>

ctrl-a :multiuser on

ctrl-a :acladd <userid>

On the client side:

$ screen -x <userid>/<session_name>;

where <userid> and <session_name> are from the control side

SENDEMAIL

SendEmail is a Windows command to send email

Synopsis: sendemail -f ADDRESS [options]

Required:

-f ADDRESS from (sender) email address

* At least one recipient required via -t, -cc, or -bcc

* Message body required via -m, STDIN, or -o message-file=FILE

Common:

-t ADDRESS [ADDR ...] to email address(es)

-u SUBJECT message subject

-m MESSAGE message body

-s SERVER[:PORT] smtp mail relay, default is localhost:25

Optional:

-a FILE [FILE ...] file attachment(s)

-cc ADDRESS [ADDR ...] cc email address(es)

-bcc ADDRESS [ADDR ...] bcc email address(es)

-xu USERNAME username for SMTP authentication

-xp PASSWORD password for SMTP authentication

Paranormal:

-b BINDADDR[:PORT] local host bind address

-l LOGFILE log to the specified file

-v verbosity, use multiple times for greater effect

-q be quiet (i.e. no STDOUT output)

-o NAME=VALUE advanced options, for details try: --help misc

-o message-file=FILE -o message-format=raw

-o message-header=HEADER -o message-charset=CHARSET

-o reply-to=ADDRESS -o timeout=SECONDS

-o username=USERNAME -o password=PASSWORD

-o tls=auto|yes|no -o fqdn=FQDN

Help:

--help the helpful overview you're reading now

--help addressing explain addressing and related options

--help message explain message body input and related options

--help networking explain -s, -b, etc

--help output explain logging and other output options

--help misc explain -o options, TLS, SMTP auth, and more

SENDMAIL

See: ALTERNATIVES for changing from postfix to sendmail

Some important files:

/etc/mail

/var/spool/mail

/var/spool/mail/mqueue

Warning: RunAsUser for MSP ignored, check group ids (egid=0, want=51); Try:

cd /var/spool

chown smmsp.smmsp clientmqueue

cd /usr/sbin

chown root.smmsp sendmail.sendmail

chmod +s sendmail.sendmail

Rejecting connections on daemon MTA:

load average: xx in /var/log/{messages|maillog}; Try:

Edit /usr/share/sendmail-cf/cf/submit.mc

Modify: QueueLa RefuseLa DelayLa ConnectionRateThrottle

Rebuild sendmail.cf using make

Cannot send local mail

Get "connection refused by hostname: Try:

Modify /etc/hosts.allow:

sendmail : localhost : allow

Cannot send mail to external host

Get "tcpwrappers rejection"

Get "stat=service unavailable"

Get "return to sender: service unavailable"; Try:

Modify /etc/hosts.allow:

sendmail : localhost.localdomain: allow

Aliases database out of date in logwatch report; Try:

aliases [to update /etc/aliases.db (due to update of /etc/aliases)]

After Updating "sendmail.mc", execute to make "sendmail.cf":

cd /etc/mail

m4 sendmail.mc > sendmail.cf

SERVICES

service --status-all

SHADOW FORMAT

See chage; See /etc/login.defs for default values for using useradd

amachina:x..x:13570:1:60:7:35:x:

| | | | | |_ account expires << chage -E yyyy-mm-dd usr

| | | |_ warn days << chage -W n user

| | |_ maximum age << chage -M n user

| |_ mininum age << chage -m n user

|_ last change since 1970 in days << chage -d n user

set last password change date << chage -d yyyy-mm-dd usr

SHELL FILE EXECUTION ORDER

Interactive Shell Shell started without -c option or with -i option

1) /etc/profile

...

for i in /etc/profile.d/*.sh

. $i

2) ~/.bash_profile

...

. ~/.bashrc

PATH=

# user variables

3) ~/.bashrc

...

. ./etc/bashrc

# user aliases and functions

4) /etc/basrhrc

...

umask

Interactive Login Shell or Non-Interactive Shell With --login Option:

/etc/profile /etc/profile

~/.bash_profile ~/.profile

~/.bashrc <- I put local changes here

/etc/bashrc <- I put global changes here

~/.bash_login

~/.profile

Interactive Shell That Is Not A Login Shell:

~./.bashrc . $ENV

/etc/bashrc

Non-Interactive Shell (to start a shell script):

if [ -n $BASH_ENV] (null)

then

. $BASH_ENV

SSH

SSH1 Protocol, method 1:

If remote host contains /etc/hosts.equiv | /etc/ssh/shosts.equiv

And remote host contains username in /etc/passwd

Then remote host allows ssh logon to username>

SSH1 Protocol, method 2:

If remote host contains $HOME/.rhosts | $HOME/.shosts

Then remote host allows ssh logon to username

SSH1 Protocol, method 3:

If /etc/ssh/ssh_known_hosts | $HOME/.ssh/known_hosts

Can be verified against $HOME/.ssh/authorized_keys

Then remote host allows ssh logon to username

Format of hosts.equiv and shosts.equiv:

hostname

hostname username

Format of .rhosts and .shosts:

hostname> username

You are required to change your password immediately (password aged)

Your password has expired, the session cannot proceed

Connection to localhost closed:

In /etc/ssh/sshd_config:

Change "#UsePrivilegeSepartion yes" to "UsePrivilegeSeparation no"

This workaround should not be necessary if OpenSSH is version 3.8+

Also check for missing file /etc/security/opasswd

Host key verification failed:

Ensure /dev/tty permissions = rw-rw-rw- on server and client

ssh_exchange_identification: Connection closed by remote host:

Probably due to missing entry in /etc/hosts.allow allowing host to ssh

Some important files:

/etc/ssh/sshd_config

/etc/ssh/ssh_host_key

/etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_dsa_key

/etc/ssh/knownn_hosts

$HOME/.ssh/authorized_keys

$HOME/.ssh/known_hosts

STARTUP

/sbin/init

/etc/rc.d/rc.sysinit

/etc/inittab

/etc/rc.d/rc 0-6

/etc/X11/prefdm -daemon

/etc/bashrc

/etc/profile

~/.bash_profile

~/.bashrc

/etc/bashrc

~/.bash_login

~/.profile

SUDOERS

visudo

SYMBOLIC LINKS

ln -s source target

ln -s existing_file new_link_file

SYSLOG

Facility.Priority Action

auth debug

authpriv info

cron notice

daemon warning

kern err

lpr crit

mail alert

news emerg

syslog -----

user none

uucp

local0-7

Example:

authpriv.err /var/log/secure

SYSTEM CALLS

System call names are defined in: /usr/include/asm-x86_64/unistd.h

TABS

To set tabs on Vtxx terminal: tabs -n; tput init

To strip tabs from a file: cat infile | col -x outfile

TERMINAL PREFERENCES

Set Terminal Attributes (setterm)

setterm -blank 10

setterm -powersave on

setterm -powerdown 20

setterm -reset

Set User Preferences for X (xset)

xset -q

xset +|-dpms

xset s off

xset x 150

xset dpms 300 600 900

xset dpms force standby|suspend|off

TIMEZONE

NOTE: When timezone definitions change, Jave JRE should be updated because Java includes its own, slightly different timezone database (see JAVA TIMEZONE)

Set system time, using servers in /etc/ntp.conf:

ntpd -g -q

Set hardware clock to system time

hwclock --systohc

displays which timezone hardware clock is set to:

hwclock --debug

Provides value for TZ variable:

tzselect

Some important files:

/usr/share/zoneinfo contains timezone files

/usr/sbin/timeconfig creates /etc/localtime

/etc/localtime can be a symbolic link to /usr/share/zoneinfo/zone

/etc/sysconfig/clock (contains: ZONE=timezone, UTC=true|false, ARC=true|false

List DST change dates:

zdump -v EST5EDT | grep 2007

Use timezone as the local time:

zic -l EST5EDT

TOP

load ave: 1M, 5M, 15M

See "man mpstat" and "man vmstat" for definitions

See "www.ibm.com/developerworks/wikis/display/LinuxP/Measuring+stolen+CPU+cycles"

us: user cpu time

sy: system cpu time

ni: user nice cpu time

id: idle cpu time

wa: iowait cpu time

hi: hardware irq (servicing hardware interrupts)

si: software irq (servicing software interrupts)

st: steal time (time in involuntary wait by virtual cpu while hypervisor is

servicing another processor)

Commands:

c - command toggle

i - ignore zombie

k - kill

u - show specific user

A - sort by age

M - sort by mem

N - sort by pid

P - sort by cpu (default)

S - cumulative mode

T - sort by time

C|1 - collapse CPU info

VIM

Global Initialization File:

:scriptfiles # to find scriptfiles

MAC: /usr/share/vim/vimrc

Linux: /etc/vimrc

Some Useful SET Options For VIMRC:

set autoindent

set ignorecase

set smartcase

set shiftwidth=3

set showmatch

set showmode

set nowrapscan

set tabstop=8

set softtabstop=3

set wrapmargin=5

set nohls

syntax off

Help Commands

:h # general help

:h index # command index

:h user-manual # user manual table of contents

:h reference_toc # reference manual table of contents

:h motion.txt # list motion commands

:h x # help on normal mode command "x"

:h :x # help on command line command ":x"

:h i_x # help on insert mode command "x"

:h v_x # help on visual mode command "x"

:h c-x # help on c-x

:h enn # help on error number

:h pattern"tab" # help on pattern (tab to next pattern)

:h pattern"c-d" # help on pattern (all patterns at once)

:h 'option' # help on particular option

:options # get a list of options

:version # get list of where .vimrc, .exrc is

:helpg pattern # subcommands: :cn :cp :cfir :cla :copen :cclose

:args :file # get info about args, current file

:let # show current let bindings

:set # show current set bindings

Moving Around

% # matching ([{}])

w W # start of next word (next whitespace word)

b B # back to start of prev word (prev whitespace word)

e E # end of next word (next whitespace word)

ge gE # back to end of prev word (prev whitespace word)

0 $ # first char (last char)

fx Fx ; , # forward (back) to char x; repeat (opposite dir)

tx Tx ; , # forward (back) to before char x; repeat (opp dir)

gg G H M L # first last home middle last

c-] # jump to link: 'opt' ":cmd" |subject|

c-t # older entry in tag stack

c-o # older entry in jump list (jump back)

c-i # newer entry in jump list

c-w h|j|k|l # move to new window

Undo/Redo

u # undo

c-r # redo

Change/Delete Commands (Operators)

~ # switch case (see :set top, :set notop)

x X # delete char under, to left of cursor

d$ D # delete to end of line

dw db # delete from cursor to end, start of word

daw diw # delete word (including, not including white space)

dgg dG # delete from cursor to beginning, end of file

g~{motion} # swap case operator

{visual}~ # swap case of highlighted text

{visual}u {visual}Gu # make highlighted text lowercase/uppercase

gu{motion} gU{motion} # make lowercase, uppercase

! # filter through external program operator

gq # text formatting operator

< > # shift left, right operators

zf{motion} # create a fold

zd # delete fold at cursor

zo # open a fold under the cursor

zc # close one fold under the cursor

. # repeat prior change

Buffers and Files

:f # show current filename

:ls # list buffers

:b n # switch to buffer n

:buffers # show buffers

# where: % (current window) # (alternate buffer) + (modified buffer)

a=active buffer = (read only buffer)

Search Commands

* # # find next, prior string under cursor

g* g# # as above but don't treat string as a word

n N # find next, prior occurence

/\<word # find whole word that begins "word"

/word\> # find whole word that ends with "word"

Copy/Paste Commands

v .. move cursor .. y # yank visual mode section

"ry{motion} # yank some motion into register r

"rp # paste register r

"rd # delete into register r

:edit f1 :saveas f2 # edit f1, mod it, save it as f2; future :w to f2

Options and Miscellaneous Commands

:set cmdheight=n # to make more room for error displays

:set aw noaw # automatic write when moving between files

:set bk nobk # make backup copies (~ at end of name)

:set is nois # incremental search

:set hl nohl # highlight

:set hls nohls # highlight search

:set list nolist # list invisible characters

:set nu nonu # line numbers

:set top notop # tilde operator (see g~)

ga # print ascii value of char under cursor

g8 # print hex value of char under cursor

8g8 # find an illegal UTF-8 byte seq after the cursor

Highlight/Format Commands

:ce # center

:le # left align

:ri # right align

:hi clear linenr # clear line number highlight

:hi DiffAdd # change the foreground (ctermfg) or background (ctermbg) colors

:hi DiffChange # 0 = black 1 = dark red 2 = dark green

:hi DiffDelete # 3 = dark yellow 4 = dark blue 5 = dark magenta

:hi DiffText # 6 = dark cyan 7 = gray n* = turn on bold attribute

Window Commands

:sp :vsp # split current window (two views on same file)

:sp f1 :vsp f1 # split and edit file f1 (editing two files)

:new :vnew # split and edit empty file (editing two files)

:next :prev # move to next, prev file

:last :first # move to last, first file

c-w+ c-w- # increase, decrease window size

c-ww # switch to other window

<n>c-w_ # set window size to n

:clo # close current window

:qall :wall # quit all windows, write all windows

:wqall # write and quit all windows

Map Commands

:map Fx cmd # map function to command

:map ^V<F1>ix^V<esc> # F1 = insert "x" at cursor

NOTE: can also enter F1 and ESC as <F1> and <ESC>, using 4 or 5 chars instead of using C-V

File Commands

:edit <file> # close current file, edit new one

:args # show file arguments

:argadd <file> # add file to list of files being edited

:first :last :prev :next # edit first, last, previous, next file

:r <file> # insert file below cursor

:r !cmd # exec cmd and insert its stdout below cursor

Tags, Jump Lists and Marks

:tags # display tag stack

:pop :tag # older/newer entry in tag stack

:jumps # display jump list

c-o c-i # older/newer jump entry

`. # jump to last edit

`" # jump to last cursor

`<x> # jump to file mark

:m x # set mark x

:delm x # delete mark x

:marks :marks x # display marks, info about mark x

'x `x # goto line, line/column marked with x

'' # goto cursor position before last jump

'[ '] # goto start, end of last change

Visual Mode

v V c-v # enter character/line/block visual mode

o O # go to other end of highlighted text

<esc> # exit visual mode

Miscellaneous Commands

:vert diffs f1 # diff current file against f1 vertically

zo zc # open, close a fold

K # invoke "man" on token under cursor

Using a Clipboard

"*yy # put yanked line in clipboard

"#p # paste clipboard contents

Record a Script

q<register>

... enter commands ...

q # to quit recording

@<register> # to execute

VIRTUAL CONSOLES

WINDOWS

Some Useful Linux-like Windows Commands

find

findstr

for

forfiles

sort

tasklist

query

To require a password:

net user account_name /passwordreq:yes

To add a Windows Service:

To enable ability to install programs after Gold Disk:

Administrative Tools > Local Security Policy > Local Policies >

User Rights Management > Manage Auditing and Security Policy

To fix black screen on install:

Possibile video card problems; may need to uninstall

any other drivers and set "standard VGA graphics adapter" for video

To prevent event logs from filling up with anonymous user login messages:

Try disabling file and printer sharing: Start > Control Panel > Network

Connections > Network Connection > Properties

To prevent autologon:

HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon:

AutoAdminLogon=0

To open user management console:

control userpasswords2

To enable terminal services:

My Computer > Remote > Enable Remote Desktop

netstat -an shows computer listening on port 3389

To allow remote user to log in even though local security policy allows it:

Start > Administrative Tools > Local Security Policy

Security Settings > Local Policies > Security Options >

System cryptography: Use FIPS compliant algorithms = Disabled

To allow more than one RDP connection to Terminal Services:

If Start > Administrative Tools > Terminal Services Configuration >

Connections > RDP-Tcp Properties > Network Adapter > Maximum connections is grayed out:

Start > Run > gpedit.msc > Computer Configuration >

Administrative Templates > Windows Components >

Terminal Services > Limit number of connections

See also: HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services:

MaxInstanceCount=n

To enable browsing to https sites:

HKCU > Software > Microsoft > Windows > CurrentVersion > Internet

Settings > ZoneMap > Ranges > Range1 > :Range REG_SZ xx.xx.xx.xx

https REG_DWORD 2

To control which programs startup:

HKLM > Software > Microsoft > Windows > CurrentVersion > Run

HKLM > Software > Microsoft > Windows > CurrentVersion > RunOnce

HKLM > Software > Microsoft > Windows > CurrentVersion > RunServices

HKLM > Software > Microsoft > Windows > CurrentVersion > RunServicesOnce

HKLM > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > Run

HKCU > Software > Microsoft > Windows > CurrentVersion > Run

HKCU > Software > Microsoft > Windows > CurrentVersion > RunOnce

HKCU > Software > Microsoft > Windows > CurrentVersion > RunOnceEx

HKCU > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > Run

To control dependencies of Windows Services:

HKLM > System > CurrentControlSet > Services

To disable compress old files:

HKLM > Software > Microsoft > Windows > CurrentVersion > Explorer > VolumeCaches > CompressOldFiles

To determine server uptime:

systeminfo | find /i "up time"

Format of Windows SendEmail Command:

sendemail -f "from" -t "to" -u "subject" -s "mailserver" -a "attachment" -m "message text" | -o message-file="filename"

WIRELESS

lwconfig eth0 essid TopperWireless mode Managed ap any rate auto key =0x<key>

WORKING WITH ISO's

To capture the contents of a CD Into an ISO image file

# dd if=/dev/cdrom of=image.iso

To create an ISO image file

Create a directory which will be populated with the file structure you want to create

# mkdir /tmp/isodir

Populate the directory

Create the ISO image file from the contents of the directory

# mkisofs -o image.iso -l -r -J -A appid -P pubid -V volid /tmp/dir

To view the contents of an ISO file

# mount -r -t iso9660 -o loop=/dev/loop0 image.iso /mnt

# cd /mnt

# ls

To write an ISO image file a CD

# cdrecord -v -pad -data speed=1 dev=x,y,z image.iso

# cdrecord -dev AT

NOTE: x,y,z can be determined from:

# cdrecord -scanbus

# cat /proc/scsi/scsi

NOTE: on Windows, use cdburn (available from Windows Resource Kit Tools [rktools.exe])

c:\ cdburn <drive-letter>: image.iso

To Download and ISO image

# curl -C - -o 'URL'

# wget -c 'URL'

To verify an ISO checksum

Download the ISO

Download the CHECKSUM file

Import GPG keys

$ curl https://fedoraproject.org/static/fedora.gpg | gpg --import

Verify that the checksum is valid

$ gpg --verify *-CHECKSUM

Fedora CHECKSUM signatures

Fedora 11: D22E77F2

Fedora 10: 4EBFC273

Fedora 9 and earlier: 4F2A6FD2

Now that CHECKSUM has been verified, ensure that ISO's checksum matches

$ sha256sum -c *-CHECKSUM

X

Some important files:

/usr/bin/startx

/etc/X11/xinit/xinitrc

/etc/X11/prefdm (this file contains a reference to /etc/sysconfig/desktop)

/etc/sysconfig/desktop GNOME|KDE|XDMContents of /etc/sysconfig/desktop:

DISPLAYMANAGER=GNOME|KDE|XDM

DESKTOP=GNOME|KDE

To allow dell.local.net to connect X to zenith.local.net

xhost +dell.local.net (on zenith)

To display X on zenith.local.net from dell.local.net

firefox --display=zenith.local.net:0.0

YUM

yum-utils

yum-complete-transaction

/var/lib/yum --- incomplete transactions