This document provides an overview of configuring and administering a Linux server. It covers topics such as working with files and directories, managing processes, installing software, compressing and archiving files, managing file ownership and permissions, mounting and unmounting file systems, managing user accounts and groups, configuring network services like Samba, NFS, FTP, Apache, MySQL, and Postfix. Each chapter provides information on installing, configuring, and securing the various components of a Linux server.
Linux Server Configuration
Linux Server Configuration: Page 1 of 72
Table of Contents
Chapter 1: Introduction to Linux System Administration ... 4
1.1 Introduction to UNIX and Linux ... 4
1.2 Linux command line ... 4
1.3 Files And Directories ... 6
1.4 Working With Files ... 9
1.5 Process Management ... 11
1.6 Installation of Software in Linux ... 14
Chapter 2: Compressing And Archiving Files ... 20
2.1 Compress A File Using: bzip2 ... 20
2.2 Decompress A File Using: bunzip2 ... 21
2.3 Compress A File Using: gzip ... 21
2.4 Archiving Files: tar ... 21
Chapter 3: Manage File Ownership ... 24
3.1 Users and Groups ... 24
3.2 The Superuser: Root ... 24
3.3 Changing File Ownership: chown ... 24
3.4 Changing File Ownership: chgrp ... 24
3.5 Changing the Ownership of a Directory and Its Contents ... 25
3.6 Manage File Permission to Control Access to Files ... 25
3.7 Examining Permission of a file: ls -l ... 26
3.8 Changing Permissions of Files and Directories: chmod ... 26
3.9 Special Directory Permissions: Sticky ... 27
3.10 Special Directory Permissions: Setgid ... 28
Chapter 4: FileSystem: Mounting and Unmounting ... 28
4.1 Mounting filesystem: mount ... 28
4.2 Unmounting Filesystem: umount
Chapter 5: Managing User Accounts
5.1 What is an Account?
5.2 Creating User Account: adduser
5.3 Changing a User's name: chfn ... 34
5.4 Changing a User Account's Password: passwd ... 34
5.5 Configuring Group Definitions ... 35
5.6 Creating a Group: groupadd ... 36
5.7 Deleting a Group ... 36
5.8 Adding a member to a group ... 36
5.9 Removing a member from a group ... 36
5.10 Deleting a User Account ... 37
Chapter 6: Samba File Server ... 38
6.1 Installation ... 38
6.2 Configuration ... 38
6.3 Securing a Samba File and Print Server ... 40
Chapter 7: Network File System (NFS) ... 44
7.1 Installation ... 44
7.2 Configuration ... 44
7.3 NFS Client Configuration ... 45
Chapter 8: FTP Server ... 46
8.1 vsftpd - FTP Server Installation ... 46
8.2 Anonymous FTP Configuration ... 46
8.3 User Authenticated FTP Configuration ... 47
8.4 Securing FTP ... 47
Chapter 9: Dynamic Host Configuration Protocol (DHCP) ... 50
9.1 Installation ... 51
9.2 Configuration ... 51
Chapter 10: Squid - Proxy Server ... 53
10.1 Installation ... 53
10.2 Configuration ... 53
Chapter 11: DNS ... 55
11.1 Installation ... 55
11.2 Configuration ... 55
11.3 Overview ... 55
Chapter 12: HTTPD - Apache2 Web Server ... 60
12.1 Installation ... 60
12.2 Configuration ... 60
12.3 Basic Settings ... 61
12.4 Default Settings ... 63
12.5 httpd Settings ... 65
Chapter 13: MySQL ... 67
13.1 Installation ... 67
13.2 Configuration ... 67
Chapter 14: Postfix (Mail server) ... 69
14.1 Installation ... 69
14.2 Basic Configuration ... 69
14.3 Testing ... 70
Chapter 1: Introduction to Linux System Administration
1.1 Introduction to UNIX and Linux
Linux is a true 32-bit operating system that runs on a variety of different platforms, including Intel, Sparc, Alpha, and Power-PC (on some of these platforms, such as Alpha, Linux is actually 64-bit).
Linux was first developed back in the early 1990s by a young Finnish then-university student named Linus Torvalds. Linus had a "state-of-the-art" 386 box at home and decided to write an alternative to the 286-based Minix system (a small UNIX-like implementation primarily used in operating systems classes) to take advantage of the extra instruction set available on the then-new chip, and began to write a small bare-bones kernel.
The interesting thing about Linux is that it is completely free! Linus decided to adopt the GNU Copyleft license of the Free Software Foundation, which means that the code is protected by a copyright, but protected in the sense that it must always be available to others. Free means free: you can get it for free, use it for free, and you are even free to sell it for a profit (this isn't as strange as it sounds; several organizations, including Red Hat, have packaged up the standard Linux kernel and a collection of GNU utilities, added their own "flavor" of included applications, and sell them as distributions. Some common and popular distributions are Slackware, Ubuntu, Red Hat, SuSe, and Debian)! The great thing is that you have access to the source code, which means you can customize the operating system to your own needs, not those of the "target market" of most commercial vendors. Among the distributions, Ubuntu is now very popular. It provides very simple GUI facilities and a good command line interface. For the purpose of our demonstration examples, we will use this operating system.
Linux can, and should, be considered a full-blown implementation of UNIX. However, it cannot be called "Unix"; not because of incompatibilities or lack of functionality, but because the word "Unix" is a registered trademark owned by AT&T, and the use of the word is only allowable by license agreement. Linux is every bit as supported, as reliable, and as viable as any other operating system solution.
1.2 Linux command line
When Linus Torvalds introduced Linux, and for a long time thereafter, Linux did not have a graphical user interface (GUI): it ran on character-based terminals only. All the tools ran from a command line. Today the Linux GUI is important, but many people, especially system administrators, run many command line programs. Command line utilities are often faster, more powerful, or more complete than their GUI counterparts. Sometimes there is no GUI counterpart to a textual utility; some people just prefer the hands-on feeling of the command line. When you work with a command line interface, you are working with a shell.
A shell provides an interface between the user and the operating system kernel. It is a command interpreter that takes commands from users and executes them.
Linux's most common command interpreter is called bash. Bash is the abbreviation of Bourne-Again Shell.
The shell is where commands are invoked. When started, the bash shell gives us a prompt and waits for a command to be entered. The command is typed at the shell prompt. The prompt usually ends in a dollar sign ($). After typing a command we need to press ENTER to invoke it. The shell will execute the command. Another prompt will then appear.
Shell commands consist of one or more words separated by spaces. The first word is the command to be run. Subsequent words are either options or arguments to the command. Options usually start with one or two hyphens.
Some examples of commands:
List all the files in the current directory:
$ ls
List the files in the 'long format' (giving more information):
$ ls -l
List full information about some specific files:
$ ls -l notes.txt report.txt
List full information about all the .txt files:
$ ls -l *.txt
List all files in long format, even the hidden ones:
$ ls -l -a
$ ls -la
The dollar ($) represents the prompt here. We need not type it.
Most commands take parameters. Some commands require them. Parameters are also known as arguments. For example, the command echo simply displays its arguments.
$ echo
$ echo hello there
hello there
The first echo command outputs a blank line and the second echo command outputs its arguments.
Commands are usually case sensitive. Most of the commands are in lower case.
$ echo whisper
whisper
$ ECHO shout
bash: ECHO: command not found
Often it is desired to repeat a previously executed command. The shell keeps a command history for this purpose.
We use UP and DOWN to scroll through the list of previously executed commands, and then press ENTER to execute the desired command.
Commands can also be edited before being run. The LEFT and RIGHT cursor keys navigate across a command.
Extra characters can be typed at any point. BACKSPACE deletes characters to the left of the cursor. DEL and CTRL+D delete characters to the right.
Typically, successful commands do not give any output. However, messages are displayed in the case of errors.
1.3 Files And Directories
A directory is a collection of files and/or other directories. Because a directory can contain other directories, we get a directory hierarchy. The top level of the hierarchy is the root directory. Files and directories can be named by a path. The root directory is referred to as /. Other directories are referred to by their path. The path consists of names separated by /. A file can also be referred to by its path. If it is a directory, then the path may end with a /.
An absolute path starts at the root of the directory hierarchy and names directories or files under it. For example:
/etc/hostname
The above refers to a file hostname which is in the etc directory under the root (/) directory.
1.3.1 List The Names of Files In A Directory: ls
We can use the ls command to list files in a specific directory by specifying that directory:
$ ls /usr/share/doc/
The above command lists all the files and folders under the directory /usr/share/doc. If the first argument to ls is not given, then ls lists the files in the current working directory of the user.
The -l option to ls gives more information, including the size of files and the date they were last modified:
$ ls -l
drwxrwxr-x 2 fred users 4096 Jan 21 10:35 Accounts
-rw-rw-r-- 1 fred users  543 Jan 21 10:35 notes.txt
-rw-r--r-- 1 fred users 5233 Jan 21 10:35 report.txt
1.3.2 Viewing And Changing Current Directory: pwd, cd
The shell has a current directory, the directory in which the logged-in user is currently working in the shell. Usually, after first login the current directory is the home directory of the user. Some commands, like ls, use the current directory if none is specified. We use the pwd command to see what the current directory is:
$ pwd
/home/fred
We can change the current directory with the command cd:
$ cd /mnt/cdrom
$ pwd
/mnt/cdrom
The symbol tilde (~) is an abbreviation for the home directory. So for user fred the following are equivalent:
$ cd /home/fred/documents/
$ cd ~/documents/
The following are the same for user fred:
$ cd
$ cd ~
$ cd /home/fred
Paths do not have to start from the root directory. A path which does not start with / is a relative path. It is relative to some other directory, usually the current directory. Relative paths specify files in the same way as absolute ones. For example, the following sets of directory changes end up in the same directory:
$ cd /usr/share/doc
$ cd /
$ cd usr
$ cd share/doc
Every directory contains two special filenames which help in making relative paths.
The directory .. points to the parent directory. ls .. will list files in the parent directory. For example, if we start from /home/fred:
$ cd ..
$ pwd
/home
$ cd ..
$ pwd
/
The directory . points to the directory it is in. So ./foo is the same file as foo.
The special .. and . directories can be used in paths just like any other directory names:
$ cd ../other-dir/
The above means the directory other-dir in the parent directory of the current directory.
It is common to use .. to go back several directories from the current directory. The dot directory is most commonly used on its own to mean the current directory.
1.3.3 Creating Directory: mkdir
The mkdir command makes a new directory under an existing directory. For example, to create a directory for storing music files:
$ mkdir musics
To delete an empty directory we use the rmdir command.
$ rmdir OldMusics
We use rm with the -r option to delete directories and all the files (recursively) they contain.
$ rm -r OldMusics
1.3.4 Viewing Hidden Files And Directories: ls -a
The special . and .. directories don't show up when we do ls. They are hidden files. Files whose name starts with a dot (.) are considered hidden.
Make ls list all files, even the hidden ones, by giving the -a option:
$ ls -a
.  ..  .bashrc  .profile  report.doc
1.4 Working With Files
This section describes utilities that copy, move, print, search through, display, sort, and compare files.
1.4.1 Display A Text File: cat
The cat utility displays the contents of a text file. The name of the command is derived from catenate, which means to join together one after the other. A convenient way to display the contents of a file on the screen is by giving the command cat followed by a SPACE and the filename. Figure 1.5.1 shows cat displaying the contents of practice. This figure shows the difference between the ls and cat utilities: the ls utility displays the name of a file, whereas cat displays the contents of a file.
1.4.2 Delete A File: rm
The rm (remove) utility deletes a file. Figure 1 shows rm deleting the file named practice. After rm deletes the file, ls and cat show that practice is no longer in the directory. The ls utility does not list its filename, and cat says that no such file exists.
Use rm carefully.
$ ls
practice
$ cat practice
This is a small file that I created
with a text editor.
$ rm practice
$ ls
$ cat practice
cat: practice: No such file or directory
$
1.4.3 Display A Text File One Screen At A Time: less, more
When you want to view a file that is longer than one screen, you can use either the less utility or the more utility. Each of these utilities pauses after displaying a screen of text. Because these utilities show one page at a time, they are called pagers. Although less and more are very similar, they have subtle differences. At the end of the file, for example, less displays an EOF (end of file) message and waits for you to press q before returning you to the shell. In contrast, more returns you directly to the shell. In both utilities you can press h to display a Help screen that lists commands you can use while paging through a file. For example:
$ more target-file(s)
displays the contents of target-file(s) on the screen, pausing at the end of each screenful and asking the user to press a key (useful for long files). It also incorporates a searching facility (press '/' and then type a phrase that you want to look for).
1.4.4 Copy A File: cp
The cp (copy) utility (Figure 1.6.1) makes a copy of a file. This utility can copy any file, including text and executable program (binary) files. You can use cp to make a backup copy of a file or a copy to experiment with. The cp command line uses the following syntax to specify source and destination files:
cp source-file destination-file
The source-file is the name of the file that cp will copy. The destination-file is the name that cp assigns to the resulting (new) copy of the file.
$ ls
memo
$ cp memo memo.copy
$ ls
memo memo.copy
The cp command line in Figure 1.6.1 copies the file named memo to memo.copy. The period is part of the filename, just another character. The initial ls command shows that memo is the only file in the directory. After the cp command, the second ls shows two files in the directory, memo and memo.copy.
1.4.5 Changing The Name Of A File: mv
The mv (move) utility can rename a file without making a copy of it. The mv command line specifies an existing file and a new filename using the same syntax as cp:
mv existing-filename new-filename
The command line in Figure 1.6.2 changes the name of the file memo to memo.0130. The initial ls command shows that memo is the only file in the directory. After you give the mv command, memo.0130 is the only file in the directory. Compare this result to that of the earlier cp example.
$ ls
memo
$ mv memo memo.0130
$ ls
memo.0130
1.4.6 Search For A String In A File: grep
The grep utility searches through one or more files to see whether any contain a specified string of characters. This utility does not change the file it searches but simply displays each line that contains the string.
$ cat memo
Helen:
In our meeting on June we
discussed the issue of credit.
Have you had any further thoughts
about it?
Alex
$ grep 'credit' memo
discussed the issue of credit.
The grep command in Figure 1.6.3 searches through the file memo for lines that contain the string credit and displays a single line that meets this criterion. If memo contained such words as discredit, creditor, or accreditation, grep would have displayed those lines as well, because they contain the string it was searching for. The -w option causes grep to match only whole words. Although you do not need to enclose the string you are searching for in single quotation marks, doing so allows you to put SPACEs and special characters in the search string.
1.! "rocess #anagement
.he *ernel !onsiders ea!h program running on our system to be a process) # pro!ess
GlivesA as it exe!utes $ith a lifetime that may be short or long) # pro!ess is said to die
$hen it terminates) .he *ernel identifies ea!h pro!ess by a number *no$n as pro!ess
id or pid. # pro!ess has a user id%uid( and a group id%gid( $hi!h together spe!ifies
$hat permissions it has) # pro!ess has a parent pro!ess id %ppid( N the pid of the
pro!ess that has !reated it)
Ca!h pro!ess has its o$n $or*ing dire!tory initially inherited from its parent pro!ess)
.here is an environment for ea!h pro!ess) # !olle!tion of named environment variables
and their asso!iated values) .he environment is usually inherited from the parent
pro!ess)
1.+.1 .rocess /onitoring: "s

Linux Server Configuration: Page 11 of 72
.he ps !ommand gives a snapshot of the pro!esses running on the system at a given
moment in time) "t normally sho$s a brief summary of ea!h pro!ess) .he !ommand ps
has many options) Some of the most !ommonly used are:
-a N Sho$ pro!esses o$ned by other users
-f N display pro!ess an!estors in a tree-li*e format
-u N use the user output format sho$ing user names and pro!ess start times
1.+.2 .rocess /onitoring: "stree
"t also displays a snapshot of !urrently running pro!esses) "t al$ays uses a tree li*e
display similar to ps Nf ) Some of the most !ommonly used options for pstree are:
-a N displays !ommandAs arguments
-! N donAt !ompa!t identi!al subtrees
-6 N attempts to use terminal spe!ifi! line-dra$ing !hara!ters
-h N highlights the an!estors of the !urrent pro!ess
-n N sort pro!esses numeri!ally by pid rather then alphabeti!ally by name
-p N in!ludes pid in the output
1.+.3 .rocess /onitoring: to"
.he top !ommand sho$s full-s!reen !ontinuously updated snapshots of pro!ess
a!tivity) "t $ais for a short period of time bet$een ea!h snapshots to give the illusion of
real-time monitoring) Pro!esses are displayed in des!ending order of ho$ mu!h
pro!essor time they are using) "t also displays system uptime load average !pu status
and memory information) Some of the most !ommonly used options for top are:
-b N Iat!h mode ? send snapshots to standard output
-n num N Cxit after displaying num snapshots
-d delay N >ait delay se!onds bet$een ea!h snapshot
-i N "gnore idle pro!esses
Ns N <isable intera!tive !ommands $hi!h !ould be dangerous the superuser
1.+.% *ignaling .rocesses
# pro!ess !an be sent a signal by the *ernel or by another pro!ess) Ca!h signal is a
very simple message: # small $hole number $ith a mnemoni! name) Signal names are
all-!apitals li*e "3.) they are often $ritten $ith S"6 as part of the name for example:
S"6"3.) .here are about 3, signals available not all of $hi!h are useful)
.he follo$ing are the most !ommonly used signals:
3ame 3umber 1eaning
"3. 2 "nterrupt ? stop running) Sent by the *ernel
$hen
you press CtrlKC in a terminal)
.C:1 1H PPlease terminate)Q 2sed to as* a pro!ess to
Linux Server Configuration: Page 12 of 72
exit
gra!efully)
J"LL + P<ie5Q -or!es the pro!ess to stop running8 it is
given
no opportunity to !lean up after itself)
.S.P 10 :eDuests the pro!ess to stop itself temporarily)
Sent
by the *ernel $hen you press CtrlKR in a
terminal)
;2P 1 ;ang up) Sent by the *ernel $hen $e log out
or
dis!onne!t a modem) Conventionally used by
many
daemons as an instru!tion to re-read a
!onFguration
Fle)
1.+.+ *ending *ignals: $ill
.he *ill !ommand is used to send a signal to a pro!ess "t is a normal exe!utable
!ommand but many shells also provide it as a built-in) -or example to send a S"6;2P
signal to a pro!ess $e use either of the follo$ing t$o:
$ kill -H)* pid or
$ kill -s H)* pid
"f $e omit out the signal name in the *ill !ommand by default *ill $ill send a S"6.C:1
to the pro!ess) >e !an spe!ify more than one pid to signal multiple pro!esses at the
same time)
1.+.- *ending *ignals to Daemons: "idof
En 23"4 systems long-lived pro!esses that provide some servi!e are often referred to
as
daemons) <aemons typi!ally have a !onFguration Fle %usually under Let!( $hi!h affe!ts
their behavior) 1any daemons read their !onFguration Fle only at startup) "f the
!onFguration !hanges you have to expli!itly tell the daemon by sending it a S"6;2P
signal) >e !an sometimes use pidof to Fnd the dSmonAs pid: for example to tell the
inetd dSmon to reload its !onFguration $e !an run:
$ kill -H)* +!pidof /usr/s,in/inetd"
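The one-liner above works only when pidof returns exactly one pid: if the daemon is not running, the shell expands $(pidof ...) to nothing and kill runs with no pid (an error at best); if several instances are running, every one of them gets the signal. The script below is an added example, not code from the document, that wraps the same kill -HUP / pidof idea with those checks. It assumes Linux, a POSIX shell and the pidof utility for reload_daemon; the demo function uses a constructed stand-in "daemon" (a subshell that logs each SIGHUP it receives) so it needs no real daemon or pidof.

```shell
#!/bin/sh
# Added example, not from the original document: SIGHUP a daemon found with
# pidof, but only after validating the pid list.

# hup_pids PID... : send SIGHUP to each pid after checking it is numeric and alive
hup_pids() {
    [ "$#" -gt 0 ] || { echo "hup_pids: no pid given" >&2; return 2; }
    for pid in "$@"; do
        case "$pid" in
            ''|*[!0-9]*) echo "hup_pids: refusing non-numeric pid '$pid'" >&2; return 2 ;;
        esac
        # kill -0 sends no signal; it only checks that the process exists and
        # that we are permitted to signal it
        kill -0 "$pid" 2>/dev/null || { echo "hup_pids: pid $pid not running (or not ours)" >&2; return 3; }
    done
    kill -HUP "$@"
}

# reload_daemon /path/to/daemon : look the daemon up with pidof, then SIGHUP it
reload_daemon() {
    pids=$(pidof "$1") || { echo "reload_daemon: $1 is not running, nothing to reload" >&2; return 1; }
    set -- $pids                      # word-split pidof's output into arguments
    [ "$#" -eq 1 ] || echo "reload_daemon: $# instances of $1, signalling all: $*" >&2
    hup_pids "$@"
}

# demo : constructed stand-in daemon that appends one line to a log per SIGHUP;
# prints how many reloads it recorded after a single hup_pids call (1)
demo() {
    log=$(mktemp)
    ( trap 'echo reloaded >> "$log"' HUP
      # "sleep & wait" rather than a plain sleep, so the trap runs as soon as
      # the signal arrives instead of after the current sleep finishes
      while :; do sleep 1 & wait $!; done ) &
    fake=$!
    sleep 1                           # let the subshell install its trap
    hup_pids "$fake"
    sleep 1                           # give the trap time to run
    kill -TERM "$fake" 2>/dev/null || :
    wait "$fake" 2>/dev/null || :
    n=$(grep -c reloaded "$log" || :)
    rm -f "$log"
    echo "$n"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as sh reload.sh --demo to see the stand-in daemon count one reload, or source the file and call reload_daemon /usr/sbin/inetd (assumed path, as in the text) on a real system. The numeric check matters because the argument to kill is trusted blindly: a stray word in the pid list would otherwise be passed straight to kill.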
1.5.7 Process Priorities: nice
Not all tasks require the same amount of execution time. Linux has the concept of execution priority to deal with this. Process priority is dynamically altered by the kernel. We can view the current priority by looking at top or ps -l and looking at the PRI column. The priority can be biased using nice. The current bias can be seen in the NI column in top.
The nice command starts a program with a given priority bias. Peculiar name: 'nicer' processes require fewer resources. Niceness ranges from +19 (very nice) to -20 (not very nice). Non-root users can only specify values from 1 to 19; the root user can specify the full range of values. The default niceness when using nice is 10.
To run a command at increased niceness (lower priority):
$ nice -10 long-running-command &
$ nice -n 10 long-running-command &
To run a command at decreased niceness (higher priority):
$ nice --15 important-command &
$ nice -n -15 important-command &
1.5.8 Modifying Priorities: renice
The command renice changes the niceness of existing processes. Non-root users are only permitted to increase a process's niceness. To set the process with pid 2984 to a higher niceness (lower priority):
$ renice 15 2984
The niceness is just a number: no extra - sign. To set the process with pid 3598 to a lower niceness (higher priority):
$ renice -15 3598
You can also change the niceness of all a user's processes:
$ renice 15 -u mike
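To check that nice and renice really changed what the kernel holds for a process, rather than trusting the command's exit status, read the nice value back. The script below is an added example, not code from the document: it starts a job at niceness 5, reads the NI value from /proc/<pid>/stat (the same number top and ps show in the NI column), then raises it to 8 with renice in the "renice value -p pid" form and reads it back again. It assumes Linux (for /proc) and the nice and renice utilities; the job itself is a constructed sleep.

```shell
#!/bin/sh
# Added example, not from the original document: set and verify process niceness.

# nice_of PID : print the nice value of PID as the kernel sees it
nice_of() {
    stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    # field 2 (the command name) is parenthesised and may contain spaces, so
    # drop everything up to the closing ')' and count from there: the nice
    # value is field 19 of the whole line, i.e. field 17 of the remainder
    rest=${stat##*) }
    set -- $rest
    echo "${17}"
}

# raise_niceness PID N : renice PID to the absolute value N (as in "renice 15 2984")
# and print the value read back from the kernel
raise_niceness() {
    renice "$2" -p "$1" >/dev/null 2>&1 || return 1
    nice_of "$1"
}

# demo : run a harmless job at niceness 5, then raise it to 8; prints "5 8".
# Raising always works for an unprivileged user; lowering (renice -15 ...) is
# refused with "Permission denied" unless you are root, as the text says.
demo() {
    nice -n 5 sleep 30 &
    pid=$!
    sleep 1                           # let nice(1) apply the value before reading it
    before=$(nice_of "$pid")
    after=$(raise_niceness "$pid" 8)
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    echo "$before $after"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as sh niceness.sh --demo. Reading /proc rather than parsing ps output avoids a dependency on procps, and the one-second pause before the first read is deliberate: the background job is forked first and only then does nice(1) call setpriority, so an immediate read can still see the inherited value.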
1.$ Installation o% &o%t'are in Linux
.here are several different types of installation files for Linux and fe$ of them are as
easy to install as the C4C installation files found on >indo$s) -or Linux $e find several
different types of files: )deb )rpm )bin )tar)g9 "3S.#LL )sh et!) .hese different files all
have a different method of exe!ution) Ielo$ are instru!tions on installing these filetypes)
.he follo$ing se!tion assumes that $e are running 2buntu Linux system)
Linux Server Configuration: Page 1' of 72
1.6.1 Using apt-get
Ubuntu has something called apt-get, which allows you to draw from a set of online
repositories (stored in the /etc/apt/sources.list file) that house packages (i.e.
programs/software). The apt-get command does several things at once: it downloads
the appropriate files, downloads all their dependencies, and installs all of them. A single
command installs the software. You don't have to download a separate installer file, or
unzip, or go through a wizard, or reboot. For example, if I wanted to install Thunderbird,
I'd type these commands in a terminal:
$ sudo apt-get update
$ sudo apt-get install thunderbird
The first command looks both at what I have installed and what's available in the
repositories. The second command downloads the packages needed for Thunderbird
and installs them.
Another great thing about apt-get is the ability to install several different packages at
once. For example, if I wanted to install not only Thunderbird but Firefox, GIMP,
Inkscape, Juk and Wine, I could type in these commands:
$ sudo apt-get update
$ sudo apt-get install thunderbird firefox gimp inkscape juk wine
And all of those packages would download and install themselves.
This is the best way of installing software in Ubuntu, because it automatically resolves all
dependencies and installs them.
1.6.2 Configuring the sources.list File
The sources.list file resides in the /etc/apt directory. Like most other Linux configuration
files, it can be revised by using an ordinary text editor, such as ae.
The file contains a series of lines, each specifying a source for packages. The lines are
consulted serially, so it's usually advantageous to place lines that specify local sources -
such as a CD-ROM - ahead of lines that specify remote sources. Doing so can save
many minutes of download time.
Each line has the form:
deb uri distribution components
The uri is a universal resource identifier (URI) that specifies the computer on which the
packages reside, the location of the packages, and the protocol used for accessing the
packages. It has the following form:
protocol://host/path
Four protocols - sometimes called URI types - are recognized:
cdrom   A local CD-ROM drive.
file    A directory of the local filesystem.
http    A web server.
ftp     An FTP server.
The host part of the URI and the preceding pair of slashes (//) are used only for the http
and ftp protocols. There, the host part of the URI gives the name of the host that
contains the packages.
The path part of the URI always appears with the preceding slash (/). It specifies the
absolute path of the directory that contains the packages.
Here are some examples of typical URIs:
cdrom:/cdrom
cdrom:/mnt/cdrom
file:/mnt
file:/debian
http://www.us.debian.org/debian
http://non-us.debian.org/debian-non-US
ftp://ftp.debian.org/debian
ftp://nonus.debian.org/debian-non-US
The distribution part of a sources.list line specifies the distribution release that contains
the packages. Typical values include:
stable: The latest stable release; that is, one that is commonly regarded as
having sufficiently few serious bugs for everyday use.
unstable: The latest unstable release. This release sometimes contains serious
bugs and should not be installed by users who require high levels of system
availability or reliability.
The components part of a sources.list line specifies the parts of the distribution that will
be accessed. Typical values include:
main: The main set of packages.
contrib: Packages not an integral part of the distribution, but which may be
useful.
non-free: Packages that contain software distributed under terms too restrictive
to allow inclusion in the distribution, but which may be useful.
A typical sources.list file might contain the following entries:
deb file:/cdrom stable main contrib
deb http://www.us.debian.org/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable non-US
This configuration allows rapid access to the distribution packages contained on the
local CD-ROM. It also allows convenient access via the network to other packages and
more recent package versions stored on web servers.
1.6.3 Using apt-get
Once you've configured sources.list, you can use apt-get to update information on
available packages, to install a package, or to upgrade installed packages.
1.6.3.1 Updating Information on Available Packages
To update information on available packages, issue the following command:
$ sudo apt-get update
1.6.3.2 Installing a Package
To install a specified package, issue the following command:
$ sudo apt-get install <package>
where package specifies the name of the package to be installed.
1.6.3.3 Upgrading Installed Packages
To automatically upgrade all installed packages to the latest available version, issue the
following command:
$ sudo apt-get upgrade
1.6.4 Installing DEB files
A .deb file is the easiest file to install on Ubuntu: if you are given an option for the type of
file you want to download, choose this option. Save the file to your Desktop. Once it is
there, simply double click on the file and the system package installer will open. Click the
button in the top right corner that says "Install Package" and wait for it to say finished.
Close the window. Your application is now installed and ready to use.
1.6.5 Installing RPM files
DEB files are the default installation file for Ubuntu: if at all possible, you should choose
a .deb file over any other file type. However, sometimes an application is only available
in one or two formats, none of which are Ubuntu-flavored. RPM is one such file type. In
order to install this file you will need to convert it into something Ubuntu knows how to
install: a .deb file!
To do this, open the Terminal and type:
$ sudo apt-get install alien
You will be prompted to enter your password. After entering, press the return key. You
will see some output scroll by quickly, and then you will be presented with the option to
continue or quit the installation. Type 'Y' and press the return key.
You will see the Alien application installing; this app will be used to convert your RPM file
into a DEB file. Installation could take several minutes depending on your Internet and
computer speeds.
Once finished, move the RPM file to your Desktop and open the Terminal. Type: cd
Desktop. This will point your Terminal to your Desktop directory, where you have the
RPM file saved.
Now, to install the RPM file, in the Terminal type:
$ sudo alien -k filename.rpm
Replace filename.rpm with the actual name of the RPM file, then press the return key. It
will convert the RPM file to a DEB file. Once finished, install the DEB file using the
method above.
1.6.6 Install BIN files
A BIN file is similar to an RPM file in that Ubuntu can't understand how to install it until
you convert it into a different format. To do this, follow these instructions.
Download and save the BIN file to your system's Desktop. Once saved, open the
Terminal and type:
$ cd Desktop
Once you've cd'ed to the Desktop, type the following line into the Terminal:
$ sudo chmod +x filename.bin
Change filename.bin to the name of your BIN file and press the return key. Nothing will
show up in the Terminal, nothing will be copied to the Desktop: it will appear as if
nothing at all happened. This is not the case, however, so do not worry. Type
./filename.bin and press the return key.
The program will install from within the Terminal.
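A BIN file runs with whatever privileges you give it, so the step before chmod +x is to confirm the file is the one its publisher released. The script below is an added example, not part of the original text: it compares the file's SHA-256 digest with the digest published next to the download and only then makes it executable. The installer file and the "published" digest in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Before "chmod +x filename.bin" and "./filename.bin", make sure the file you saved to the
# Desktop is the one the publisher released: compare its SHA-256 digest with the digest
# they publish alongside the download. Only a file that matches becomes executable.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1        # BSD/macOS equivalent
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 and marks FILE executable when the digest matches; otherwise leaves FILE
# untouched and returns 1, so a later "./filename.bin" would simply fail to run.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    chmod +x "$file"
    echo "ok: $file matches the published digest and is now executable"
}

# Demo with a constructed stand-in for a downloaded installer (not a real product).
demo=$(mktemp -d)
printf '#!/bin/sh\necho "installing..."\n' > "$demo/filename.bin"
published=$(sha256_of "$demo/filename.bin")   # stands in for the vendor's published digest
verify_installer "$demo/filename.bin" "$published"
verify_installer "$demo/filename.bin" "deadbeef" || echo "refused: do not run this file"
rm -rf "$demo"
```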
Chapter 2: Compressing And Archiving Files
Large files use a lot of disk space and take longer than smaller files to transfer from one
system to another over a network. If you do not need to look at the contents of a large
file very often, you may want to save it on a CD, DVD, or another medium and remove it
from the hard disk. If you have a continuing need for the file, retrieving a copy from a CD
may be inconvenient. To reduce the amount of disk space you use without removing the
file entirely, you can compress the file without losing any of the information it holds.
Similarly, a single archive of several files packed into a larger file is easier to manipulate,
upload, download, and email than multiple files. You may frequently download
compressed, archived files from the Internet. The utilities described in this section
compress and decompress files and pack and unpack archives.
2.1 Compress A File Using: bzip2
The bzip2 utility compresses a file by analyzing it and recoding it more efficiently.
The new version of the file looks completely different. In fact, because the new file
contains many nonprinting characters, you cannot view it directly. The bzip2 utility works
particularly well on files that contain a lot of repeated information, such as text and image
data, although most image data is already in a compressed format. The following
example shows a boring file. Each of the 8,000 lines of the letter_e file contains 72 e's
and a NEWLINE character that marks the end of the line. The file occupies more than
half a megabyte of disk storage.
$ ls -l
-rw-rw-r-- 1 sam sam 584000 Mar 1 22:31 letter_e
The -l (long) option causes ls to display more information about a file. Here it shows
that letter_e is 584,000 bytes long. The --verbose (or -v) option causes bzip2 to report
how much it was able to reduce the size of the file. In this case, it shrank the file by
99.99 percent:
$ bzip2 -v letter_e
letter_e: 11680.000:1, 0.001 bits/byte, 99.99% saved, 584000 in, 50 out.
$ ls -l
-rw-rw-r-- 1 sam sam 50 Mar 1 22:31 letter_e.bz2
Now the file is only 50 bytes long. The bzip2 utility also renamed the file, appending .bz2
to its name. This naming convention reminds you that the file is compressed; you would
not want to display or print it, for example, without first decompressing it. The bzip2 utility
does not change the modification date associated with the file, even though it completely
changes the file's contents.
In the following, more realistic example, the file zach.jpg contains a computer
graphics image:
$ ls -l
-rw-r--r-- 1 sam sam 33287 Mar 1 22:40 zach.jpg
The bzip2 utility can reduce the size of the file by only 28 percent because the image is
already in a compressed format:
$ bzip2 -v zach.jpg
zach.jpg: 1.391:1, 5.749 bits/byte, 28.13% saved, 33287 in, 23922 out.
2.2 Decompress A File Using: bunzip2
You can use the bunzip2 utility to restore a file that has been compressed with bzip2:
$ bunzip2 letter_e.bz2
$ ls -l
-rw-rw-r-- 1 sam sam 584000 Mar 1 22:31 letter_e
$ bunzip2 zach.jpg.bz2
$ ls -l
-rw-r--r-- 1 sam sam 33287 Mar 1 22:40 zach.jpg
This command is equivalent to bzip2 with the -d option.
2.3 Compress A File Using: gzip
The gzip (GNU zip) utility is older and less efficient than bzip2. Its flags and operations
are very similar to those of bzip2. A file compressed by gzip is marked by a .gz filename
extension. Linux stores manual pages in gzip format to save disk space; likewise, files
you download from the Internet are frequently in gzip format. Use gzip and gunzip just
as you would use bzip2 and bunzip2, respectively.
2.4 Archiving Files: tar
The tar utility performs many functions. Its name is short for tape archive, as its original
function was to create and read archive and backup tapes. Today it is used to create a
single file (called a tar file, archive, or tarball) from multiple files or directory hierarchies
and to extract files from a tar file.
In the following example, the first ls shows the existence and sizes of the files g, b, and
d. Next tar uses the -c (create), -v (verbose), and -f (write to or read from a file) options
to create an archive named all.tar from these files. Each line output displays the name of
the file tar is appending to the archive it is creating. The tar utility adds overhead when it
creates an archive. The next command shows that the archive file all.tar occupies about
9,700 bytes, whereas the sum of the sizes of the three files is about 6,000 bytes. This
overhead is more appreciable on smaller files, such as the ones in this example.
$ ls -l g b d
-rw-r--r-- 1 jenny jenny 1302 Aug 20 14:16 g
-rw-r--r-- 1 jenny other 1178 Aug 20 14:16 b
-rw-r--r-- 1 jenny jenny 3783 Aug 20 14:17 d
$ tar -cvf all.tar g b d
g
b
d
$ ls -l all.tar
-rw-r--r-- 1 jenny jenny 9728 Aug 20 14:17 all.tar
$ tar -tvf all.tar
-rw-r--r-- jenny/jenny 1302 2007-08-20 14:16 g
-rw-r--r-- jenny/other 1178 2007-08-20 14:16 b
-rw-r--r-- jenny/jenny 3783 2007-08-20 14:17 d
The final command in the preceding example uses the -t option to display a table of
contents for the archive. Use -x instead of -t to extract files from a tar archive. Omit the
-v option if you want tar to do its work silently.
You can use bzip2 or gzip to compress tar files, making them easier to store and
handle. Many files you download from the Internet will already be in one of these
formats. Files that have been processed by tar and compressed by bzip2 frequently
have a filename extension of .tar.bz2 or .tbz. Those processed by tar and gzip have an
extension of .tar.gz or .tgz.
You can unpack a tarred and gzipped file in two steps. (Follow the same procedure if the
file was compressed by bzip2, but use bunzip2 instead of gunzip.) The next example
shows how to unpack the GNU make utility.
$ ls -l mak*
-rw-rw-r-- 1 sam sam 1211924 Jan 20 11:49 make-3.80.tar.gz
$ gunzip mak*
$ ls -l mak*
-rw-rw-r-- 1 sam sam 4823040 Jan 20 11:49 make-3.80.tar
$ tar -xvf mak*
make-3.80/
make-3.80/po/
make-3.80/po/Makefile.in.in
...
make-3.80/tests/run_make_tests.pl
make-3.80/tests/test_driver.pl
The first command lists the downloaded tarred and gzipped file: make-3.80.tar.gz
(about 1.2 megabytes). The asterisk (*) in the filename matches any characters in any
filenames, so you end up with a list of files whose names begin with mak; in this case
there is only one. Using an asterisk saves typing and can improve accuracy with long
filenames. The gunzip command decompresses the file and yields make-3.80.tar (no
.gz extension), which is about 4.8 megabytes. The tar command creates the make-3.80
directory in the working directory and unpacks the files into it.
$ ls -ld mak*
drwxrwxr-x 8 sam sam 4096 Oct 3 2002 make-3.80
-rw-rw-r-- 1 sam sam 4823040 Jan 20 11:49 make-3.80.tar
$ ls -l make-3.80
total 1816
-rw-r--r-- 1 sam sam 24687 Oct 3 2002 ABOUT-NLS
-rw-r--r-- 1 sam sam 1554 Jul 8 2002 AUTHORS
-rw-r--r-- 1 sam sam 18043 Dec 10 1996 COPYING
-rw-r--r-- 1 sam sam 32922 Oct 3 2002 ChangeLog
...
-rw-r--r-- 1 sam sam 16520 Jan 21 2000 vmsify.c
-rw-r--r-- 1 sam sam 16409 Aug 9 2002 vpath.c
drwxrwxr-x 5 sam sam 4096 Oct 3 2002 w32
After tar extracts the files from the archive, the working directory contains two files
whose names start with mak: make-3.80.tar and make-3.80. The -d (directory) option
causes ls to display only file and directory names, not the contents of directories as it
normally does. The final ls command shows the files and directories in the make-3.80
directory.
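The -t listing shown above is also the place to look before extracting an archive you downloaded: tar writes member names as given, so a name beginning with / or containing .. would land outside the directory you extract into. The functions below are an added example, not from the original text; the listings in the demo are constructed, and safe_extract assumes GNU tar (which detects gzip and bzip2 compression on its own when reading).

```shell
#!/bin/sh
# check_tar_listing: read the output of "tar -tf ARCHIVE" on stdin and reject member
# names that would land outside the extraction directory: absolute paths such as
# /etc/passwd and names containing a parent-directory component such as ../x.
# Each offender is printed on stderr; returns 0 when every entry is safe, 1 otherwise.
check_tar_listing() {
    bad=0
    while IFS= read -r entry; do
        case $entry in
            /*)                  echo "absolute path: $entry" >&2; bad=1 ;;
            ..|../*|*/..|*/../*) echo "parent reference: $entry" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# safe_extract ARCHIVE DESTDIR: inspect the table of contents first (the -t step shown
# above) and only extract when it is clean. GNU tar recognises gzip- and bzip2-compressed
# archives on its own when reading, so .tar.gz, .tgz, .tar.bz2 and .tbz all work here.
safe_extract() {
    tar -tf "$1" | check_tar_listing || { echo "refusing to extract $1" >&2; return 1; }
    mkdir -p "$2" && tar -xf "$1" -C "$2"
}

# Demo with constructed listings standing in for "tar -tf make-3.80.tar.gz" output.
printf 'make-3.80/\nmake-3.80/po/\nmake-3.80/po/Makefile.in.in\n' | check_tar_listing \
    && echo "clean listing: safe to extract"
printf 'make-3.80/\n../escape.txt\n/tmp/absolute.txt\n' | check_tar_listing \
    || echo "unsafe listing: not extracted"
```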
Chapter 3: Manage File Ownership
3.1 Users and Groups
Anyone using a Linux computer is a user. The system keeps track of different users by
username. Security features allow different users to have different privileges. Users can
belong to groups, allowing security to be managed for collections of people with different
requirements. We use the su command to switch to a different user. It is quicker than
logging off and back on again. The command su prompts us for the user's password:
$ su - bob
Password:
The - option makes su behave as if we've logged in as that user.
3.2 The Superuser: Root
Every Linux system has a user called 'root'. The root user is all-powerful. It can access
any files. The root user account should only be used for system administration, such as
installing software. When logged in as root, the shell prompt usually ends in #. It is
usually best to use su for working as root:
$ whoami
fred
$ su -
Password:
# whoami
root
3.3 Changing File Ownership: chown
The chown command changes the ownership of files or directories. This is a security
feature: only the superuser can change the ownership of a file. Simple usage follows:
# chown bob logfile.txt
The above command makes logfile.txt be owned by the user bob.
We can specify any number of files or directories as arguments in the command.
3.4 Changing Group Ownership: chgrp
The chgrp command changes the group ownership of files or directories. Simple usage
follows:
# chgrp staff report.txt
The above command makes staff be the group owner of the file report.txt.
As for chown, we can specify any number of files or directories. The superuser can
change the group ownership of any file to any group. The owner of a file can also
change its group ownership, but only to a group of which the owner is a member.
3.5 Changing the Ownership of a Directory and Its Contents
A common requirement is to change the ownership of a directory and its contents. Both
chown and chgrp accept a -R (mnemonic: 'recursive') option:
# chgrp -R staff shared-directory
The above command changes the group ownership of shared-directory and its contents,
and its subdirectories, recursively, to staff. Changing user ownership (superuser only):
# chown -R root /usr/local/share/misc/
3.6 Manage File Permissions to Control Access to Files
A permission represents an action that can be done on the file. There are three types of
permissions to a file, each denoted by a letter:
Permission  Letter  Description
Read        r       Permission to read the data stored in the file
Write       w       Permission to write new data to the file, to truncate
                    the file, or to overwrite existing data
Execute     x       Permission to attempt to execute the contents of the
                    file as a program
The rwx permissions also have a meaning for directories:
Permission  Letter  Description
Read        r       Permission to get a listing of the directory
Write       w       Permission to create, delete, or rename files (or
                    subdirectories) within the directory
Execute     x       Permission to change to the directory, or to use the
                    directory as an intermediate part of a path to a file
As well as having different types of permission, we can apply different sets of
permissions to different sets of people. A file (or directory) has an owner and a group
owner. The rwx permissions are specified separately for the owner, for the group
owner, and for everyone else (the 'world').
3.7 Examining Permissions of a File: ls -l
The ls -l command allows us to look at the permissions on a file:
$ ls -l
drwxr-x--- 9 aaronc staff 4096 Oct 12 12:57 accounts
-rw-rw-r-- 1 aaronc staff 11170 Dec 9 14:11 report.txt
The third and fourth columns are the owner and group-owner. The first column specifies
the permissions:
one character for the file type: d for directories, - for plain files;
three characters of rwx permissions for the owner (or a dash if the permission
isn't available);
three characters of rwx permissions for the group owner;
three characters of rwx permissions for everyone else.
If someone owns a file, then per-owner permissions apply to him. Otherwise, if he is in
the group that group-owns the file, then per-group permissions apply to him. If neither of
those is the case, then for-everyone-else permissions apply to him.
3.8 Changing Permissions of Files and Directories: chmod
The chmod command changes the permissions of a file or directory. A file's permissions
may be changed only by its owner or by the superuser. The command chmod takes an
argument describing the new permissions. The permissions can be specified in many
flexible (but correspondingly complex) ways.
Permissions can be set using letters in the following format:
[ugoa][+-=][rwx]
The first letters indicate who to set permissions for: u for the file's owner, g for the
group owner, o for other users, or a for all users.
= sets permissions for files, + adds permissions to those already set, and -
removes permissions.
The final letters indicate which of the rwx permissions to set.
For example, if we want to add executable permission for a program named bubblesort to
all users, we type the following command:
# chmod a+x bubblesort
We may use numerical permissions with chmod. Three decimal numbers identify
permissions for owner, group, and others. The number in binary format should be
interpreted as follows:
Decimal:       6   6   4
Binary:        110 110 100
Bit position:  rwx rwx rwx
Explanation: A '1' in each position specifies 'permission', a '0' specifies 'no
permission'.
For example:
$ chmod 664 bubblesort
The above command is equivalent to:
$ chmod u=rw,g=rw,o=r bubblesort
A common requirement is to change the permissions of a directory and its contents. The
command chmod accepts a -R (mnemonic: 'recursive') option:
$ chmod -R g+rwX,o+rX public-directory
The above command:
adds rwx permissions on public-directory for the group owner, and adds rx
permissions on it for everyone else;
and on any subdirectories, recursively;
and on any contained executable files;
contained non-executable files have rw permissions added for the group owner
and r permission for everyone else (the capital X adds execute only where it already
exists or where the object is a directory).
3.9 Special Directory Permissions: Sticky
The /tmp directory must be world-writable, so that anyone may create temporary files
within it. But that would normally mean that anyone may delete any files within it,
obviously a security hole. A directory may have 'sticky' permissions: only a file's owner
may delete it from a sticky directory. Expressed with a t (mnemonic: temporary directory)
in a listing:
$ ls -l -d /tmp
drwxrwxrwt 30 root root 11264 Dec 21 09:35 /tmp
We enable 'sticky' permission with the following command:
# chmod +t /data/tmp
3.10 Special Directory Permissions: Setgid
If a directory is setgid ('set group-id'), files created within it acquire the group ownership
of the directory, and directories created within it acquire both the group ownership and
setgid permission. It is useful for a shared directory where all users working on its files
are in a given group. It is expressed with an s in the 'group' position in a listing:
$ ls -l -d /data/projects
drwxrwsr-x 1 root staff 4096 Oct 19 13:14 /data/projects
We enable setgid (on the group position only) with:
# chmod g+s /data/projects
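Reading the first column of ls -l by eye gets error-prone once s and t appear, so here is an added example (not from the original text) that converts that column into the octal form chmod accepts, with setuid, setgid and sticky as the leading digit, and separately flags the exact hole section 3.9 describes: a directory that is world-writable but not sticky. The listing lines in the demo are constructed.

```shell
#!/bin/sh
# mode_to_octal MODESTRING
# Converts the 10-character mode column of "ls -l" (for example drwxrwsr-x) into the
# four-digit octal value chmod understands (2775). The leading type character is skipped;
# s/S in the owner or group triple and t/T in the other triple set the special bits.
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] || { echo "bad mode string: $m" >&2; return 1; }
    rest=${m#?}                     # drop the file-type character (d, -, l, ...)
    special=0 digits='' pos=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}       # first remaining character
        rest=${rest#?}
        case $((pos % 3)) in
            0) d=0; case $c in r) d=4 ;; esac ;;
            1) case $c in w) d=$((d + 2)) ;; esac ;;
            2) case $c in x|s|t) d=$((d + 1)) ;; esac   # S and T: bit set, no execute
               case "$pos$c" in
                   2s|2S) special=$((special + 4)) ;;   # setuid: owner triple
                   5s|5S) special=$((special + 2)) ;;   # setgid: group triple
                   8t|8T) special=$((special + 1)) ;;   # sticky: other triple
               esac
               digits="$digits$d" ;;
        esac
        pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# flag_unprotected_world_writable MODESTRING
# Succeeds (and says so) for a directory that others may write to without the sticky
# bit, which is the "anyone may delete anyone's files" situation described in 3.9.
flag_unprotected_world_writable() {
    case $1 in
        d???????w[tT]) return 1 ;;                     # world-writable but sticky: fine
        d???????w?)    echo "$1: world-writable directory without sticky bit"; return 0 ;;
        *)             return 1 ;;
    esac
}

# Demo over constructed listing lines; the mode is the first field of each line.
for line in 'drwxr-x--- 9 aaronc staff 4096 Oct 12 12:57 accounts' \
            'drwxrwsr-x 1 root staff 4096 Oct 19 13:14 /data/projects' \
            'drwxrwxrwt 30 root root 11264 Dec 21 09:35 /tmp' \
            'drwxrwxrwx 2 root root 4096 Dec 21 09:35 /data/dropbox'; do
    mode=${line%% *}
    printf '%s -> %s\n' "$mode" "$(mode_to_octal "$mode")"
    flag_unprotected_world_writable "$mode" || true
done
```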
Chapter 4: FileSystem: Mounting and Unmounting
A filesystem in this context is a hierarchy of directories that is located on a single
partition (logically independent section of a hard disk drive) or other device, such as a
CD-ROM, DVD, floppy disk, or USB key drive, and has a single filesystem type (i.e.
method for organizing data).
As far as many parts of a Linux system are concerned, a partition contains entirely
arbitrary data. When installing, we set things up so that a partition contains a filesystem:
a way of organising data into files and directories. One filesystem is made the root
filesystem: the root directory on that filesystem becomes the directory named /. Other
filesystems can be mounted: the root directory of that filesystem is grafted onto a
directory of the root filesystem. This arranges for every file in every mounted filesystem
to be accessible from a single unified name space. The directory grafted onto is called
the mount point.
4.1 Mounting Filesystem: mount
Mounting refers to logically attaching a filesystem to a specified location on the currently
accessible (and thus already mounted) filesystem(s) on a computer system so that its
contents can be accessed by users.
Important filesystems are mounted at boot-up; other filesystems can be mounted or
unmounted at any time. The mount command mounts a filesystem. We usually need to
have root permission to mount a filesystem. The mount command makes it easy to
mount filesystems configured by the system administrator. For example, many systems
are configured so that the following command:
# mount /mnt/cdrom
will mount the contents of the machine's CD-ROM drive under the directory /mnt/cdrom.
# mount /dev/sdb3 /mnt/extra
The above command mounts the filesystem stored in the /dev/sdb3 device on the
mount point /mnt/extra. We may occasionally need to specify the filesystem type
explicitly:
# mount -t vfat /dev/hdd1 /mnt/windows
Allowable filesystem types are listed in the mount(8) manpage. To see a list of the
filesystems currently mounted, run mount without any options.
The /etc/fstab file contains information about filesystems that are known to the system
administrator. Specifying a filesystem in /etc/fstab makes it possible to use its mount
point as the only argument to mount. /etc/fstab also configures which filesystems should
be mounted at boot-up. Each line in /etc/fstab describes one filesystem. There are six
columns on each line.
A sample /etc/fstab is shown below:
Device      Mount-point  Type     Options          Dump  Pass-no
/dev/hda3   /            ext2     defaults         1     1
/dev/hda1   /boot        ext2     defaults         1     2
/dev/hda5   /usr         ext2     defaults         1     2
/dev/hdb1   /usr/local   ext2     defaults         1     2
/dev/hdb2   /home        ext2     defaults         1     2
/dev/scd0   /mnt/cdrom   iso9660  noauto,users,ro  0     0
/dev/fd0    /mnt/floppy  auto     noauto,users     0     0
The most common filesystem types are:
ext2 - The standard Linux filesystem
iso9660 - The filesystem used on CD-ROMs
proc - Not a real filesystem, so uses none as the device. Used as a way for the
kernel to report system information to user processes
vfat - The filesystem used by Windows 95
auto - Not a real filesystem type. Used as a way of asking the mount command
to probe for various filesystem types, particularly for removable media
Networked filesystems include nfs (Unix-specific) and smbfs (Windows or
Samba)
Other less common types exist; see mount(8)
There are comma-separated options in /etc/fstab. Alternatively, use comma-separated
options with -o on the mount command line. Common mount options:
noauto - In /etc/fstab, prevents the filesystem being mounted at bootup. Useful
for removable media
ro - Mount the filesystem read-only
users - Let non-root users mount and unmount this filesystem
user - Like users, but non-root users can only unmount filesystems that they
themselves mounted
Other less common mount options exist, as well as many options for individual
filesystem types - see mount(8).
The fifth column is called dump. It is used by the dump and restore backup utilities. Few
people use those tools. We just use 1 for normal filesystems and 0 for removable
filesystems.
The sixth column is called pass-no. This controls the order in which automatically-
mounted filesystems are checked by fsck. We use 1 for the root filesystem and 0 for
filesystems that aren't mounted at boot-up. We use 2 for other filesystems.
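The six-column layout and the dump/pass-no conventions just described are easy to get wrong by hand, so the following added example (not from the original text) reads fstab-style lines and reports entries that break them: a missing or extra column, a root filesystem not checked first, a boot-time filesystem without pass-no 2, or a noauto entry with non-zero dump or pass-no. The sample table is the one from the text; the broken line in the demo is constructed.

```shell
#!/bin/sh
# fstab_check: read /etc/fstab-style lines on stdin and report entries that break the
# conventions explained above: exactly six columns; the root filesystem gets pass-no 1;
# other filesystems mounted at boot get pass-no 2; noauto entries (removable media) get
# dump 0 and pass-no 0. One line per problem is printed on stdout; the function returns
# 1 if anything was reported and 0 for a clean table.
fstab_check() {
    problems=0
    while read -r dev mnt type opts dump pass extra; do
        case $dev in ''|'#'*) continue ;; esac          # blank lines and comments
        if [ -z "$pass" ] || [ -n "$extra" ]; then
            echo "$dev $mnt: expected exactly six columns"
            problems=$((problems + 1))
            continue
        fi
        case ",$opts," in
        *,noauto,*)
            if [ "$dump" != 0 ] || [ "$pass" != 0 ]; then
                echo "$mnt: noauto entry should have dump 0 and pass-no 0 (has $dump $pass)"
                problems=$((problems + 1))
            fi ;;
        *)
            if [ "$mnt" = / ] && [ "$pass" != 1 ]; then
                echo "$mnt: root filesystem must be checked first (pass-no 1, has $pass)"
                problems=$((problems + 1))
            elif [ "$mnt" != / ] && [ "$pass" != 2 ]; then
                echo "$mnt: filesystem mounted at boot should use pass-no 2 (has $pass)"
                problems=$((problems + 1))
            fi ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Demo: the sample table from the text, then a constructed entry that breaks the rules.
sample='/dev/hda3   /            ext2     defaults         1  1
/dev/hda1   /boot        ext2     defaults         1  2
/dev/hda5   /usr         ext2     defaults         1  2
/dev/hdb1   /usr/local   ext2     defaults         1  2
/dev/hdb2   /home        ext2     defaults         1  2
/dev/scd0   /mnt/cdrom   iso9660  noauto,users,ro  0  0
/dev/fd0    /mnt/floppy  auto     noauto,users     0  0'
printf '%s\n' "$sample" | fstab_check && echo "sample fstab: clean"
printf '%s\n' '/dev/hda3 / ext2 defaults 1 2' | fstab_check || echo "broken fstab: rejected"
```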
4.2 Unmounting Files2stem* umount
2nmounting refers to logi!ally deta!hing a filesystem from the !urrently a!!essible
filesystem%s() #ll mounted filesystems are unmounted automati!ally $hen a !omputer is
shut do$n in an orderly manner) ;o$ever there are times $hen it is ne!essary to
unmount an individual filesystem $hile a !omputer is still running) # !ommon example is
$hen it is desired to remove an external devi!e su!h as a 2SI *ey drive8 should su!h
devi!e be removed before the filesystem on it is properly unmounted it is possible that
any data re!ently added to it might not be saved)
.he basi! syntax of umount is:
B umount ?options@ files#stem
umount is most !ommonly used $ithout any of its several options) .he filesystem is
identified by the full pathname of the dire!tory in $hi!h it has been mounted not by its
type) .hus for example to unmount a filesystem that is mounted in a dire!tory !alled
Ldir1 all that $ould be ne!essary is to type in the follo$ing at the *eyboard and press the
Cnter *ey:
B umount /dir&
Li*e$ise a 2SI *ey devi!e assuming that it had been mounted in the dire!tory
LmntLusb $ould be unmounted $ith the follo$ing:
B umount /mnt/us,
#ttempts to unmount a filesystem are not al$ays su!!essful) .he most !ommon problem
is that the filesystem is busy) .hat is it is !urrently being used by some pro!ess %i)e)
instan!e of a program in exe!ution() "n su!h !ase an error message su!h as umount:
Ldir1: devi!e is busy $ill be displayed on the s!reen) .his busy state !ould be the result
of something as simple as an 62" $indo$ being open that sho$s an i!on of the
Linux Server Configuration: Page 3, of 72
dire!tory !ontaining the filesystem in $hi!h !ase it !an be easily solved by !losing the
$indo$) Er it !ould be the result of a file on that filesystem being open in $hi!h !ase all
that is ne!essary is to !lose the file) "n less obvious !ases it may be ne!essary to use a
!ommand su!h as ps or pstree to try to lo!ate the offending pro!ess%es( and then use a
!ommand su!h as *ill to terminate su!h pro!ess%es()
#nother !ause of failure is $hen a user attempts to unmount a filesystem that has
already been unmounted) "n su!h !ase an error message su!h as umount: Ldir1: not
mounted $ill be returned)
"n the event that the unmounting is su!!essful umount usually $or*s silently8 that is
there is no message on the s!reen to !onfirm its su!!ess) ;o$ever umount !an be
made to provide su!h a message by using the -v %i)e) verbose( option) %.his should not
be !onfused $ith the -V option $hi!h merely returns information about the !urrently
installed version of umount)(
umount allo$s the name of the physi!al devi!e on $hi!h the filesystem is mounted to be
in!luded in the !ommand if desired) .his is !onvenient be!ause it !an minimi9e typing by
allo$ing the user to utili9e the up$ard pointing arro$ on the *eyboard to display the
!ommand that $as previously used to mount that filesystem %i)e) to use the history
!ommand( and then merely insert the letter u before the $ord mount and press the Cnter
*ey in order to unmount the filesystem) .hus for example if a filesystem that is
physi!ally lo!ated on the se!ond partition of the first ;<< %$hi!h is designated by
devLhda2( is mounted in a dire!tory !alled Ldir2 it !an be unmounted $ith either of the
follo$ing:
B umount /dir/
or
B umount /de$/hda/ /dir/
"nterestingly $hen the physi!al devi!e is in!luded a !onfirmation message is
automati!ally supplied)
.here are several options that !an be tried in the event that umount refuses to unmount
a filesystem for no immediately apparent reason) Perhaps the most useful is the -l %i)e)
la9y( option $hi!h immediately deta!hes the filesystem from the main filesystem and
then !leans up all referen!es to the unmounted filesystem as soon as it is no longer
busy) .his !apability reDuires Linux *ernel 2)')11 or later)
#nother $ay to deal $ith an unmounting failure is to use the -r option $hi!h remounts
the filesystem as read-only) .his presumably allo$s devi!es or media to be removed
$ithout affe!ting data $hi!h has @ust been $ritten to them) "n addition the -f option
for!es unmounting in the !ase of an unrea!hable 3-S %net$or* filesystem( filesystem)
.he -a option !auses all of the filesystems des!ribed in Let!Lmtab to be unmounted)
%;o$ever $ith umount version 2)7 and later the pro! filesystem is not unmounted)(
Let!Lmtab is a file that is similar to Let!Lfstab and $hi!h is updated by mount and umount
$henever filesystems are mounted or unmounted) .he -n option !auses unmounting to
o!!ur $ithout $riting to Let!Lmtab)
.he -t option follo$ed by the filesystem type indi!ates that the a!tions should only be
ta*en on filesystems of that type) 1ultiple types !an be spe!ified in a !omma-separated
Linux Server Configuration: Page 31 of 72
list) .his list !an be prefixed $ith the $ord no to spe!ify filesystem types on $hi!h no
a!tion should be ta*en)
.he -E options indi!ate that the a!tions should only be ta*en on filesystems $ith the
spe!ified options in Let!Lfstab) 1ultiple option types !an be spe!ified in a !omma-
separated list) .hose options for $hi!h no a!tion should be ta*en !an be prefixed $ith
no)
umount $ill free any loop devi!e asso!iated $ith a mounted filesystem if it finds the
option loop]))) in Let!Lmtab or if the -d option is used) # loop devi!e is a pseudo-devi!e
that is able to redire!t and transform data that goes through its loop and $hi!h is used
mainly used for en!rypting filesystems)
Note the symmetry between the umount and mount commands, including the fact that
many of the options are identical or very similar (including -a, -h, -r, -t, -O, -v and -V).
This is consistent with the Unix philosophy, a fundamental component of which is
simplicity (and hence consistency, to the extent practical, among commands), in that it
eliminates unnecessary complexity.
umount could have instead been called unmount. This might have simplified things for
people who are new to the command line (i.e., text-only operation). However, eliminating
unnecessary typing is also a part of the Unix philosophy, and thus the n was not used.
Chapter 5: Managing User Accounts
5.1 What is an Account?
When a computer is used by many people, it is usually necessary to differentiate
between the users, for example so that their private files can be kept private. This is
important even if the computer can only be used by a single person at a time, as with
most microcomputers. Thus, each user is given a unique username, and that name is
used to log in. There's more to a user than just a name, however. An account is all the
files, resources, and information belonging to one user. The term hints at banks, and in a
commercial system each account usually has some money attached to it, and that
money vanishes at different speeds depending on how much the user stresses the
system. For example, disk space might have a price per megabyte and day, and
processing time might have a price per second.
5.2 Creating a User Account: adduser
To create a user account, you use the adduser command, which has the form:
# adduser userid
where userid specifies the name of the user account that you want to create. The
command prompts you for the information needed to create the account.
Here's a typical example of using the command, which creates a user account named
newbie:
# adduser newbie
Adding user newbie...
Adding new group newbie (1001).
Adding new user newbie (1001) with group newbie.
Creating home directory /home/newbie.
Copying files from /etc/skel
Changing password for newbie
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
Re-enter new password:
Password changed.
Changing the user information for newbie
Enter the new value, or press return for the default
Full Name []: Newbie Newbie
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/n]
y
#
Notice that the lines where the password was typed were overwritten by the subsequent
lines. Moreover, for security, passwords are not echoed to the console as they are
typed. Notice also that several of the information fields were omitted, for example
Room Number. You can specify such information if you think it may be useful, but the
system makes no use of the information and doesn't require you to provide it. The
similarly named useradd command also creates a user account, but does not prompt
you for the password or other information; an account created with useradd alone has
a locked password field, so nobody can log in to it until you set a password with passwd.
5.3 Changing a User's name: chfn
You can change the name associated with a user account by using the chfn command:
# chfn -f name userid
where name specifies the new name and userid specifies the account to be modified. If
the name contains spaces or other special characters, it should be enclosed in double
quotes ("). For example, to change the name associated with the account newbie to
Newbie Newbie, you would enter the following command:
# chfn -f "Newbie Newbie" newbie
The full name and the other chfn fields are stored in the GECOS field of /etc/passwd,
which every user on the system can read, so they are not the place for anything
confidential.
5.4 Changing a User Account's Password: passwd
From time to time, you should change your password, making it more difficult for others
to break into your system. As system administrator, you may sometimes need to change
the password associated with a user's account. For instance, some users have a bad
habit of forgetting their password. They'll come to you, the system administrator, seeking
help in accessing their account.
To change a password, you use the passwd command. To change your own password,
enter a command like this one:
$ passwd
This command changes the password associated with the current user account. You
don't have to be logged in as root to change a password. Because of this, users can
change their own passwords without the help of the system administrator. The root user,
however, can change the password associated with any user account, as you'll see
shortly. Of course, only root can do so; other users can change only their own
password.
The passwd command initiates a simple dialog that resembles the following:
$ passwd
Changing password for newbie
Old password:
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.
Notice the restrictions governing the choice of password, which are designed to prohibit
passwords that might be easily guessed. If you choose a password that violates these
restrictions, the command will refuse the password, prompting you for another.
As the root user, you can change the password associated with any user account. The
system doesn't ask you for the current password; it immediately prompts for the new
password:
# passwd newbie
Changing password for newbie
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.
Information on users is stored in the file /etc/passwd, which you can view using a text
editor. Any user can read this file, though only the root user can modify it. If you selected
shadow passwords (the default on current Debian and Ubuntu systems), the password
hashes are stored in the file /etc/shadow, which can be read only by root and the
shadow group. What is stored is a one-way hash, not an encrypted copy of the
password; keeping it out of the world-readable /etc/passwd is what stops an ordinary
user from copying every hash on the system and guessing passwords against them
offline.
5.5 Configuring Group Definitions
Linux uses groups to define a set of related user accounts that can share access to a file
or directory. You probably won't often find it necessary to configure group definitions,
particularly if you use your system as a desktop system rather than a server. However,
when you wish, you can create and delete groups and modify their membership lists.
5.6 Creating a Group: groupadd
To create a new group, use the groupadd command:
# groupadd group
where group specifies the name of the group to be added. Groups are stored in the file
/etc/group, which can be read by any user but modified only by root.
For example, to add a group named newbies, you would enter the following command:
# groupadd newbies
5.7 Deleting a Group
To delete a group, use the groupdel command:
# groupdel group
where group specifies the name of the group to be deleted. For example, to delete the
group named newbies, you would enter the following command:
# groupdel newbies
5.8 Adding a member to a group
To add a member to a group, you use a special form of the adduser command:
# adduser user group
where user specifies the member and group specifies the group to which the member is
added. (This two-argument form is Debian and Ubuntu specific; the equivalent on other
distributions is usermod -a -G group user, where the -a matters: without it, usermod
replaces the user's entire supplementary group list.) For example, to add the user
newbie01 to the group newbies, you would enter the following command:
# adduser newbie01 newbies
5.9 Removing a member from a group
On Debian and Ubuntu, deluser user group removes a user from a group, and
gpasswd -d user group does the same on any system with the shadow tools; prefer
those over hand editing. The fallback is to edit the /etc/group file directly, ideally with
vigr, which locks the file so that a concurrent adduser cannot overwrite your change.
Here's an excerpt from a typical /etc/group file:
users:x:100:
nogroup:x:65534:
bmccarty:x:1000:
newbies:x:1002:newbie01,newbie02,newbie03
Each line in the file describes a single group and has the same form as other lines,
consisting of a series of fields separated by colons (:). The fields are:
Group name: The name of the group.
Password: The group password. This field is not generally used and contains an x,
meaning that any group password hash lives in /etc/gshadow.
Group ID: The unique numeric ID associated with the group.
Member list: A list of user accounts, with a comma (,) separating each user
account from the next.
To remove a member from a group by hand, first create a backup copy of the /etc/group
file:
# cp /etc/group /etc/group.SAVE
The backup can prove helpful if you modify the file incorrectly. Next, open the /etc/group
file in a text editor (or run vigr). Locate the line that describes the group and delete the
user name and the following comma, if any. Save the file, exit the editor, and check your
work with getent group newbies. A membership change only takes effect for a user at
their next login; sessions that are already open keep the old group list.
5.10 Deleting a User Account
To delete a user account, use the userdel command:
# userdel user
where user specifies the account to be deleted. If you want to delete the user's home
directory, its files, and subdirectories, use this form of the command:
# userdel -r user
Files the user owned elsewhere on the system stay behind with an orphaned numeric
UID; find / -nouser lists them, and they should be reassigned or removed before the
UID is handed to a new account.
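The account database that the commands in this chapter manipulate is three colon-separated files, and the checks an administrator wants after running adduser, passwd or userdel are easy to script. The following Python is an added example written for this edit, not code from the original document: it audits constructed /etc/passwd, /etc/shadow and /etc/group contents (the bmccarty, newbie and newbies names echo the chapter; backdoor and guest, and the hash strings, are invented) for extra UID 0 accounts, duplicate UIDs, empty passwords on accounts with a login shell and password fields outside /etc/shadow, and it performs the group-member removal of 5.9 on the file contents without touching any other line.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/group contents and edit group membership.

Sample data is constructed inline; nothing is read from a live host unless you call
the functions with open('/etc/passwd').read() etc. (reading /etc/shadow needs root).
"""

# Constructed sample files. bmccarty, newbie and newbies echo the chapter;
# backdoor and guest are invented so that the audit has something to find.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bmccarty:x:1000:1000:Bill McCarty:/home/bmccarty:/bin/bash
newbie:x:1001:1001:Newbie Newbie:/home/newbie:/bin/bash
backdoor:x:0:0::/root:/bin/sh
guest:x:1002:100:Guest:/home/guest:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bmccarty:$6$saltsalt$notarealhash:19000:0:99999:7:::
newbie:$6$saltsalt$notarealhash:19000:0:99999:7:::
backdoor:$6$saltsalt$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

GROUP = """\
users:x:100:
nogroup:x:65534:
bmccarty:x:1000:
newbies:x:1002:newbie01,newbie02,newbie03
"""


def parse_colon_file(text):
    """Split a passwd/shadow/group style file into lists of fields."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text):
    """Return human-readable findings about the account database."""
    findings = []
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text)}
    by_uid = {}
    for name, pw, uid, gid, gecos, home, shell in parse_colon_file(passwd_text):
        by_uid.setdefault(uid, []).append(name)
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if pw != "x":
            # A hash (or an empty field) in world-readable /etc/passwd defeats shadowing.
            findings.append(f"{name}: password field in /etc/passwd is not 'x'")
        hashed = shadow.get(name)
        can_log_in = not shell.endswith(("nologin", "false"))
        if hashed is None:
            findings.append(f"{name}: no /etc/shadow entry")
        elif hashed == "" and can_log_in:
            findings.append(f"{name}: empty password with login shell {shell}")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


def remove_group_member(group_text, group, user):
    """Return (new /etc/group text, changed) with user removed from group only.

    Other groups and the other fields of the target line are left untouched,
    which is exactly the manual edit described in 5.9.
    """
    out, changed = [], False
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            members = [m for m in fields[3].split(",") if m]
            if user in members:
                members.remove(user)
                changed = True
            fields[3] = ",".join(members)
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW):
        print(finding)
    text, _ = remove_group_member(GROUP, "newbies", "newbie02")
    print(text)
```

On the constructed data the audit reports backdoor as a second UID 0 account, the shared UID, and guest's empty password; the group edit removes newbie02 and leaves the other three lines byte-for-byte identical, which is the property to check before copying such a script's output over the real file.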
Chapter 6: Samba File Server
One of the most common ways to network Ubuntu and Windows computers is to
configure Samba as a File Server. This section covers setting up a Samba server to
share files with Windows clients.
The server will first be configured to share files with any client on the network without
prompting for a password; section 6.3 then locks it down.
6.1 Installation
The first step is to install the samba package. From a terminal prompt enter:
$ sudo apt-get install samba
That's all there is to it; you are now ready to configure Samba to share files.
6.2 Configuration
The main Samba configuration file is located in /etc/samba/smb.conf. The default
configuration file has a significant amount of comments in order to document various
configuration directives. (Not all the available options are included in the default
configuration file. See the smb.conf man page.)
First, edit the following key/value pairs in the [global] section of /etc/samba/smb.conf:
workgroup = EXAMPLE
...
security = user
The security parameter is farther down in the [global] section, and is commented by
default. Also, change EXAMPLE to better match your environment.
1. Create a new section at the bottom of the file, or uncomment one of the
examples, for the directory to be shared:
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755
comment: a short description of the share. Adjust to fit your needs.
path: the path to the directory to share.
This example uses /srv/samba/sharename because, according to the
Filesystem Hierarchy Standard (FHS), /srv is where site-specific data
should be served. Technically Samba shares can be placed anywhere on
the filesystem as long as the permissions are correct, but adhering to
standards is recommended.
browsable: enables Windows clients to browse the shared directory using
Windows Explorer.
guest ok: allows clients to connect to the share without supplying a
password.
read only: determines whether clients may write to the share. The value no used
here grants write access; yes (Samba's default) makes the share read-only.
create mask: determines the permissions new files will have when
created.
2. Now that Samba is configured, the directory needs to be created and the
permissions changed. From a terminal enter:
$ sudo mkdir -p /srv/samba/share
$ sudo chown nobody:nogroup /srv/samba/share/
The -p switch tells mkdir to create the entire directory tree if it doesn't exist. Change the
share name to fit your environment.
3. Finally, restart the samba services to enable the new configuration:
$ sudo /etc/init.d/samba restart
Once again, the above configuration gives full access to any client on the local
network: with guest ok = yes and read only = no, anyone who can reach the server's
SMB port can read, write and delete files in the share.
From a Windows client you should now be able to browse to the Ubuntu file server and
see the shared directory. To check that everything is working try creating a directory
from Windows.
To create additional shares simply create new [dir] sections in /etc/samba/smb.conf,
and restart Samba. Just make sure that the directory you want to share actually exists
and the permissions are correct. Before restarting, run testparm, which parses
smb.conf and reports syntax errors and unknown parameters.
6.3 Securing a Samba File and Print Server
Samba Security Modes
There are two security levels available to the Common Internet Filesystem (CIFS)
network protocol: user-level and share-level. Samba's security mode implementation
allows more flexibility, providing four ways of implementing user-level security and one
way to implement share-level:
security = user: requires clients to supply a username and password to connect
to shares. Samba user accounts are separate from system accounts, but the
libpam-smbpass package will sync system users and passwords with the
Samba user database.
security = domain: this mode allows the Samba server to appear to Windows
clients as a Primary Domain Controller (PDC), Backup Domain Controller (BDC),
or a Domain Member Server (DMS).
security = ADS: allows the Samba server to join an Active Directory domain as a
native member.
security = server: this mode is left over from before Samba could become a
member server and, due to some security issues, should not be used. See the
Server Security section of the Samba guide for more details.
security = share: allows clients to connect to shares without supplying a
username and password.
The security mode you choose will depend on your environment and what you need the
Samba server to accomplish. Note that Samba 4 removed the share and server modes
altogether; on current releases the server stays in security = user, and anonymous
access, where it is wanted at all, is granted per share with guest ok = yes (usually
together with map to guest = Bad User in [global]).
Security = User
First, install the libpam-smbpass package which will sync the system users to the
Samba user database:
$ sudo apt-get install libpam-smbpass
If you chose the Samba Server task during installation libpam-smbpass is already
installed. (Recent Samba releases no longer ship libpam-smbpass; there, add each
user to the Samba password database with smbpasswd -a username instead.)
Edit /etc/samba/smb.conf, and in the [share] section change:
guest ok = no
Finally, restart Samba for the new settings to take effect:
$ sudo /etc/init.d/samba restart
Now when connecting to the shared directories or printers you should be prompted for a
username and password.
If you choose to map a network drive to the share you can check the "Reconnect
at Logon" check box, which will require you to only enter the username and
password once, at least until the password changes.
Share Security
There are several options available to increase the security for each individual shared
directory. Using the [share] example, this section will cover some common options.
Groups
Groups define a collection of computers or users which have a common level of access
to particular network resources and offer a level of granularity in controlling access to
such resources. For example, if a group qa is defined and contains the users freda,
danika, and rob, and a second group support is defined and consists of users danika,
jeremy, and vincent, then certain network resources configured to allow access by the qa
group will subsequently enable access by freda, danika, and rob, but not jeremy or
vincent. Since the user danika belongs to both the qa and support groups, she will be
able to access resources configured for access by both groups, whereas all other users
will have only access to resources explicitly allowing the group they are part of.
By default, Samba looks for the local system groups defined in /etc/group to determine
which users belong to which groups.
When defining groups in the Samba configuration file, /etc/samba/smb.conf, the
recognized syntax is to preface the group name with an "@" symbol. For example, if you
wished to define a group named sysadmin in a certain section of the
/etc/samba/smb.conf, you would do so by entering the group name as @sysadmin.
File Permissions
File Permissions define the explicit rights a computer or user has to a particular
directory, file, or set of files. Such permissions may be defined by editing the
/etc/samba/smb.conf file and specifying the explicit permissions of a defined file share.
For example, if you have defined a Samba share called share and wish to give read-only
permissions to the group of users known as qa, but wanted to allow writing to the share
by the group called sysadmin and the user named vincent, then you could edit the
/etc/samba/smb.conf file, and add the following entries under the [share] entry:
read list = @qa
write list = @sysadmin, vincent
Another possible Samba permission is to declare administrative permissions to a
particular shared resource. Users having administrative permissions may read, write, or
modify any information contained in the resource the user has been given explicit
administrative permissions to.
For example, if you wanted to give the user melissa administrative permissions to the
share example, you would edit the /etc/samba/smb.conf file, and add the following line
under the [share] entry:
admin users = melissa
Use this sparingly: Samba performs all file operations for admin users as root, so the
filesystem permissions set up below no longer constrain them on that share.
After editing /etc/samba/smb.conf, restart Samba for the changes to take effect:
$ sudo /etc/init.d/samba restart
For the read list and write list to work the Samba security mode must not be set to
security = share.
Now that Samba has been configured to limit which groups have access to the shared
directory, the filesystem permissions need to be updated.
Traditional Linux file permissions do not map well to Windows NT Access Control Lists
(ACLs). Fortunately POSIX ACLs are available on Ubuntu servers providing more fine
grained control. For example, to enable ACLs on /srv, an EXT3 filesystem, edit
/etc/fstab adding the acl option:
UUID=66bcdd2e-8861-4fb0-b6e4-e1c53fe16d /srv ext3 noatime,relatime,acl 0 1
Then remount the partition:
$ sudo mount -v -o remount /srv
The above example assumes /srv on a separate partition. If /srv, or wherever you
have configured your share path, is part of the / partition a reboot may be required.
To match the Samba configuration above the sysadmin group will be given read, write,
and execute permissions to /srv/samba/share, the qa group will be given read and
execute permissions and the files will be owned by the username melissa. Enter the
following in a terminal:
$ sudo chown -R melissa /srv/samba/share/
$ sudo chgrp -R sysadmin /srv/samba/share/
$ sudo setfacl -R -m g:qa:rx /srv/samba/share/
The setfacl command above gives execute permissions to all files in the
/srv/samba/share directory which you may or may not want.
Now from a Windows client you should notice the new file permissions are implemented.
See the acl and setfacl man pages for more information on POSIX ACLs.
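The 6.2 share is deliberately wide open and 6.3 walks through closing it; the difference is visible in the configuration file, so it can be checked mechanically before Samba is restarted. The following Python is an added example for this edit, not part of the original document or of Samba: it parses smb.conf stanzas and reports the weaknesses discussed in both sections (security = share, guest-writable shares, world-writable masks, writable shares with no write list or valid users, and admin users). Both configurations inside it are constructed for the example; the hardened one applies the read list, write list and mask settings from the File Permissions discussion.

```python
"""Lint an smb.conf for the weaknesses discussed in this chapter.

Both configurations below are constructed for the example: the first is the
anonymous, guest-writable share from 6.2, the second applies the 6.3 hardening.
"""
import re

WEAK_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = share

[share]
   comment = Ubuntu File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user

[share]
   comment = Ubuntu File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = no
   read only = yes
   read list = @qa
   write list = @sysadmin, vincent
   create mask = 0660
   directory mask = 0770
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased, '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_smb_conf(text)
    mode = conf.get("global", {}).get("security", "user").lower()
    if mode in ("share", "server"):
        findings.append(f"[global] security = {mode}: removed in Samba 4, use user/domain/ads")
    for name, opts in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        # Samba defaults to read only = yes; 'writable'/'writeable' are inverse synonyms.
        writable = (not is_yes(opts.get("read only", "yes"))
                    or is_yes(opts.get("writable")) or is_yes(opts.get("writeable")))
        guest = is_yes(opts.get("guest ok")) or is_yes(opts.get("public"))
        restricted = any(k in opts for k in ("valid users", "read list", "write list"))
        if guest and writable:
            findings.append(f"[{name}] guest-writable share (guest ok = yes, read only = no)")
        elif guest:
            findings.append(f"[{name}] anonymous read access (guest ok = yes)")
        if writable and not guest and not restricted:
            findings.append(f"[{name}] writable by every authenticated user; add write list or valid users")
        for key in ("create mask", "directory mask"):
            if key in opts and int(opts[key], 8) & 0o002:
                findings.append(f"[{name}] {key} = {opts[key]} grants world write")
        if "admin users" in opts:
            findings.append(f"[{name}] admin users = {opts['admin users']} operate as root on this share")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(text) or ["no findings"])
```

Run it against a real /etc/samba/smb.conf with audit_smb_conf(open("/etc/samba/smb.conf").read()); it complements testparm, which checks syntax but says nothing about whether a share is exposed more widely than intended.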
Samba AppArmor Profile
Ubuntu comes with the AppArmor security module, which provides mandatory access
controls. The default AppArmor profile for Samba will need to be adapted to your
configuration.
There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the
Samba daemon binaries, as part of the apparmor-profiles package. To install the
package, from a terminal prompt enter:
$ sudo apt-get install apparmor-profiles
By default the profiles for smbd and nmbd are in complain mode, allowing Samba to
work without modifying the profile and only logging violations. To place the smbd profile
into enforce mode, and have Samba work as expected, the profile will need to be
modified to reflect any directories that are shared.
Edit /etc/apparmor.d/usr.sbin.smbd adding information for [share] from the file
server example:
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
Now place the profile into enforce mode and reload it:
$ sudo aa-enforce /usr/sbin/smbd
$ cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
You should now be able to read, write, and execute files in the shared directory as
normal, and the smbd binary will have access to only the configured files and
directories. Be sure to add entries for each directory you configure Samba to share.
Also, any errors will be logged to /var/log/syslog.
Chapter 7: Network File System (NFS)
NFS allows a system to share directories and files with others over a network. By using
NFS, users and programs can access files on remote systems almost as if they were
local files.
Some of the most notable benefits that NFS can provide are:
Local workstations use less disk space because commonly used data can be
stored on a single machine and still remain accessible to others over the
network.
There is no need for users to have separate home directories on every network
machine. Home directories could be set up on the NFS server and made
available throughout the network.
Storage devices such as floppy disks, CDROM drives, and USB Thumb drives
can be used by other machines on the network. This may reduce the number of
removable media drives throughout the network.
7.1 Installation
At a terminal prompt enter the following command to install the NFS Server:
$ sudo apt-get install nfs-kernel-server
7.2 Configuration
You can configure the directories to be exported by adding them to the /etc/exports file.
For example:
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
You can replace * with one of the hostname formats. Make the hostname declaration as
specific as possible so unwanted systems cannot access the NFS mount. Be aware that
the two lines above are as permissive as NFS gets: * matches every host that can reach
the server, and no_root_squash lets root on any such client act as root on the exported
tree (dropping a setuid binary into /home, for instance). Unless a client genuinely needs
that, keep the default root_squash and name the client network or host instead of *.
To start the NFS server, you can run the following command at a terminal prompt:
$ sudo /etc/init.d/nfs-kernel-server start
After later edits to /etc/exports, sudo exportfs -ra applies them without a restart.
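The two exports above illustrate exactly the pattern the paragraph warns against, so here is an added example (written for this edit, not from the original document or from nfs-utils) that parses an /etc/exports file and flags world exports, no_root_squash, the insecure option, and the classic "space before the parenthesis" mistake that exports to everyone. The EXPORTS text is constructed: its first two lines are the chapter's, the rest are invented to exercise each check.

```python
"""Audit an /etc/exports file for over-broad NFS exports.

EXPORTS is constructed for this example; the first two entries are the chapter's
sample lines, the others are invented to exercise each check.
"""
import re

EXPORTS = """\
# constructed /etc/exports
/ubuntu   *(ro,sync,no_root_squash)
/home     *(rw,sync,no_root_squash)
/srv/data 192.168.1.0/24(rw,sync,root_squash) 192.168.1.50(rw,sync,no_root_squash,insecure)
/srv/pub  *.example.com(ro,sync)
"""

CLIENT_RE = re.compile(r"^(\S+?)(?:\((.*)\))?$")   # host or host(option,option)


def parse_exports(text):
    """Return [(path, host, [options])] for every client of every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]        # no client at all means everyone
        for client in clients:
            if client.startswith("("):
                # "/path (rw)" with a space before the parenthesis exports to the world
                # with those options; a classic exports mistake, so treat host as '*'.
                host, opts = "*", client[1:-1]
            else:
                m = CLIENT_RE.match(client)
                host, opts = m.group(1), (m.group(2) or "")
            entries.append((path, host, [o for o in opts.split(",") if o]))
    return entries


def audit_exports(text):
    """Return findings for world, root-trusting or unprivileged-port exports."""
    findings = []
    for path, host, options in parse_exports(text):
        world = host == "*"
        rw = "rw" in options
        if world:
            findings.append(f"{path}: exported to every host ('*')")
        elif host.startswith("*"):
            findings.append(f"{path}: wildcard host {host} trusts DNS for the client's name")
        if "no_root_squash" in options:
            severity = "critical" if (world or rw) else "warning"
            findings.append(f"{path} {host}: no_root_squash ({severity}) - client root is root here")
        if "insecure" in options:
            findings.append(f"{path} {host}: insecure accepts requests from unprivileged client ports")
        if rw and world:
            findings.append(f"{path}: read-write for every host")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(EXPORTS):
        print(finding)
```

The 192.168.1.0/24 entry with root_squash produces no finding, which is the shape the chapter's two lines should take once the client network is known.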
7.3 NFS Client Configuration
Use the mount command to mount a shared NFS directory from another machine, by
typing a command line similar to the following at a terminal prompt:
$ sudo mount example.hostname.com:/ubuntu /local/ubuntu
The mount point directory /local/ubuntu must exist. There should be no files or
subdirectories in the /local/ubuntu directory.
An alternate way to mount an NFS share from another machine is to add a line to the
/etc/fstab file. The line must state the hostname of the NFS server, the directory on the
server being exported, and the directory on the local machine where the NFS share is to
be mounted.
The general syntax for the line in the /etc/fstab file is as follows:
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
(The intr option is still accepted but has been ignored by the kernel since 2.6.25, so it
can be dropped.)
If you have trouble mounting an NFS share, make sure the nfs-common package is
installed on your client. To install nfs-common enter the following command at the
terminal prompt:
$ sudo apt-get install nfs-common
Chapter 8: FTP Server
File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading files
between computers. FTP works on a client/server model. The server component is
called an FTP daemon. It continuously listens for FTP requests from remote clients.
When a request is received, it manages the login and sets up the connection. For the
duration of the session it executes any commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
Anonymous
Authenticated
In the Anonymous mode, remote clients can access the FTP server by using the default
user account called "anonymous" or "ftp" and sending an email address as the
password. In the Authenticated mode a user must have an account and a password.
User access to the FTP server directories and files is dependent on the permissions
defined for the account used at login. As a general rule, the FTP daemon will hide the
root directory of the FTP server and change it to the FTP Home directory. This hides the
rest of the file system from remote sessions.
8.1 vsftpd - FTP Server Installation
vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain.
To install vsftpd you can run the following command:
$ sudo apt-get install vsftpd
8.2 Anonymous FTP Configuration
By default vsftpd is configured to only allow anonymous download. During installation an
ftp user is created with a home directory of /home/ftp. This is the default FTP directory.
If you wish to change this location, to /srv/ftp for example, simply create a directory in
another location and change the ftp user's home directory:
$ sudo mkdir /srv/ftp
$ sudo usermod -d /srv/ftp ftp
After making the change restart vsftpd:
$ sudo /etc/init.d/vsftpd restart
Finally, copy any files and directories you would like to make available through
anonymous FTP to /srv/ftp.
8.3 User Authenticated FTP Configuration
To configure vsftpd to authenticate system users and allow them to upload files edit
/etc/vsftpd.conf:
local_enable=YES
write_enable=YES
Now restart vsftpd:
$ sudo /etc/init.d/vsftpd restart
Now when system users login to FTP they will start in their home directories where they
can download, upload, create directories, etc.
Similarly, by default, the anonymous users are not allowed to upload files to the FTP
server. To change this setting, you should uncomment the following line, and restart
vsftpd:
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable
anonymous upload on servers accessed directly from the Internet.
The configuration file consists of many configuration parameters. The information about
each parameter is available in the configuration file. Alternatively, you can refer to the
man page, man 5 vsftpd.conf, for details of each parameter.
8.4 Securing FTP
There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example
users can be limited to their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of
users one per line. Then restart vsftpd:
$ sudo /etc/init.d/vsftpd restart
Note that the meaning of the list flips when chroot_local_user=YES is also set: it then
names the users who are exempt from the chroot. Note also that since vsftpd 2.3.5 the
daemon refuses to chroot a user whose chroot directory is writable (the login fails with
"500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). Either make the
home directory itself read-only and give the user a writable subdirectory for uploads, or,
less safely, set allow_writeable_chroot=YES.
Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default
list includes root, daemon, nobody, etc. To disable FTP access for additional users
simply add them to the list.
FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over Secure
Sockets Layer (SSL), today TLS. SFTP is an FTP-like session over an encrypted SSH
connection. A major difference is that users of SFTP need to have a shell account on the
system, instead of a nologin shell, unless the SSH server is configured to confine them
to SFTP (OpenSSH's internal-sftp subsystem with a ForceCommand does that).
Providing all users with a shell may not be ideal for some environments, such as a
shared web host.
To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:
ssl_enable=Yes
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the ssl-cert
package. In a production environment these should be replaced with a certificate and
key generated for the specific host; the snakeoil certificate is self-signed, so a client
that does not pin it has no way to tell your server from an impostor.
Now restart vsftpd, and non-anonymous users will be forced to use FTPS:
$ sudo /etc/init.d/vsftpd restart
To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access,
edit /etc/shells adding the nologin shell:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
This is necessary because, by default, vsftpd uses PAM for authentication, and the
/etc/pam.d/vsftpd configuration file contains:
auth required pam_shells.so
The shells PAM module restricts access to shells listed in the /etc/shells file. Bear in
mind that /etc/shells is consulted by every other program that uses pam_shells, and by
chsh, so listing nologin there declares it a valid login shell system-wide; removing the
pam_shells line from /etc/pam.d/vsftpd alone is the narrower change.
Most popular FTP clients can be configured to connect using FTPS. The lftp command
line FTP client has the ability to use FTPS as well.
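The settings in 8.2 through 8.4 interact (anonymous upload, chroot, FTPS enforcement, the placeholder certificate), and a missed one silently reintroduces cleartext logins or an open upload area. The following Python is an added example for this edit, not code from the original document or from vsftpd: it reads a vsftpd.conf and reports those conditions, falling back to vsftpd's documented defaults for keys that are absent (anonymous_enable defaults to YES; the force_local_*_ssl options default to YES). Both configurations inside it are constructed; the hardened one's certificate paths are hypothetical.

```python
"""Lint /etc/vsftpd.conf for the risks discussed in 8.2 through 8.4.

Both configurations are constructed for this example: WEAK is the chapter's
anonymous-upload setup, HARDENED applies chroot and FTPS with a host certificate
(the certificate paths are hypothetical).
"""

WEAK_VSFTPD = """\
# constructed: the 8.3 settings plus anonymous upload
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

HARDENED_VSFTPD = """\
# constructed: authenticated users only, chrooted, FTPS enforced
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.com.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.com.key
"""


def parse_vsftpd(text):
    """vsftpd.conf is flat key=value; '#' lines are comments, the last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def enabled(conf, key, default="NO"):
    """vsftpd booleans are YES/NO, case-insensitive; default is the compiled-in value."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(text):
    """Return a list of findings; empty means none of the checked conditions apply."""
    conf = parse_vsftpd(text)
    findings = []
    anonymous = enabled(conf, "anonymous_enable", "YES")   # vsftpd's built-in default is YES
    if anonymous and enabled(conf, "anon_upload_enable"):
        findings.append("anonymous upload enabled: anyone who can reach the port can drop files here")
    if anonymous and enabled(conf, "anon_mkdir_write_enable"):
        findings.append("anonymous users may create directories")
    if enabled(conf, "local_enable"):
        if not (enabled(conf, "chroot_local_user") or enabled(conf, "chroot_list_enable")):
            findings.append("local users are not chrooted and can browse the whole filesystem")
        if not enabled(conf, "ssl_enable"):
            findings.append("local logins without ssl_enable=YES send passwords in cleartext")
    if enabled(conf, "ssl_enable"):
        if not (enabled(conf, "force_local_logins_ssl", "YES")
                and enabled(conf, "force_local_data_ssl", "YES")):
            findings.append("ssl_enable=YES but plaintext logins or data transfers are still allowed")
        for proto in ("ssl_sslv2", "ssl_sslv3"):
            if enabled(conf, proto):
                findings.append(f"{proto}=YES enables a broken protocol version")
        if "snakeoil" in conf.get("rsa_cert_file", ""):
            findings.append("rsa_cert_file still points at the ssl-cert placeholder certificate")
    return findings


if __name__ == "__main__":
    print("weak:", audit_vsftpd(WEAK_VSFTPD))
    print("hardened:", audit_vsftpd(HARDENED_VSFTPD) or "no findings")
```

The weak configuration yields three findings (anonymous upload, no chroot, cleartext logins); the hardened one yields none.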
Chapter 9: Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host
computers to be automatically assigned settings from a server as opposed to manually
configuring each network host. Computers configured to be DHCP clients have no
control over the settings they receive from the DHCP server, and the configuration is
transparent to the computer's user.
The most common settings provided by a DHCP server to DHCP clients include:
IP Address and Netmask
DNS
WINS
However, a DHCP server can also supply configuration properties such as:
Host Name
Domain Name
Default Gateway
Time Server
Print Server
The advantage of using DHCP is that changes to the network, for example a change in
the address of the DNS server, need only be changed at the DHCP server, and all
network hosts will be reconfigured the next time their DHCP clients poll the DHCP
server. As an added advantage, it is also easier to integrate new computers into the
network, as there is no need to check for the availability of an IP address. Conflicts in IP
address allocation are also reduced.
A DHCP server can provide configuration settings using two methods:
MAC Address
This method entails using DHCP to identify the unique hardware address of each
network card connected to the network and then continually supplying a constant
configuration each time the DHCP client makes a request to the DHCP server
using that network device.
Address Pool
This method entails defining a pool (sometimes also called a range or scope) of
IP addresses from which DHCP clients are supplied their configuration properties
dynamically and on a "first come, first served" basis. When a DHCP client is no
longer on the network for a specified period, the configuration is expired and
released back to the address pool for use by other DHCP clients.
Ubuntu is shipped with both DHCP server and client. The server is dhcpd (dynamic host
configuration protocol daemon). The client provided with Ubuntu is dhclient and should
be installed on all computers required to be automatically configured. Both programs are
easy to install and configure and will be automatically started at system boot.
9.1 Installation
At a terminal prompt, enter the following command to install dhcpd:
$ sudo apt-get install dhcp3-server
You will probably need to change the default configuration by editing
/etc/dhcp3/dhcpd.conf to suit your needs and particular configuration.
You also need to edit /etc/default/dhcp3-server to specify the interfaces dhcpd should
listen to. By default it listens to eth0. Restrict it to the interface it is meant to serve: a
DHCP server answering on any other interface hands out addresses and default
gateways to whoever asks there.
(On newer Ubuntu releases the package is isc-dhcp-server, the configuration lives in
/etc/dhcp/dhcpd.conf and the interface list in /etc/default/isc-dhcp-server.)
NOTE: dhcpd's messages are sent to syslog. Look there for diagnostic messages.
9.2 Configuration
The error message the installation ends with might be a little confusing, but the following
steps will help you configure the service:
Most commonly, what you want to do is assign IP addresses dynamically from a pool.
This can be done with settings as follows:
# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.example";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
range 192.168.1.150 192.168.1.200;
}
This will result in the DHCP server giving a client an IP address from the range
192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address
for 600 seconds if the client doesn't ask for a specific time frame. Otherwise the
maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client
that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast
address, 192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its
DNS servers.
If you need to specify a WINS server for your Windows clients, you will need to include
the netbios-name-servers option, e.g.
option netbios-name-servers 192.168.1.1;
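dhcpd rejects a syntactically invalid file, but it will happily serve a range that spills outside its subnet, two ranges that overlap, or a fixed-address that sits inside a dynamic pool (the MAC-address and address-pool methods described earlier colliding). The following Python is an added example written for this edit, not part of the original document or of the ISC server: it parses the sample configuration above, extended with a constructed host block, and checks those consistency rules with the ipaddress module. Subnet and host bodies are assumed to be flat, without nested pool { } blocks.

```python
"""Sanity-check a dhcpd.conf before handing it to the server.

DHCPD_CONF is constructed: the chapter's sample subnet plus a host block of the
"MAC address" kind whose fixed-address deliberately collides with the pool.
Subnet and host bodies are assumed flat (no nested pool { } blocks).
"""
import re
from ipaddress import ip_address, ip_network

DHCPD_CONF = """\
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.example";
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.100;
  range 192.168.1.150 192.168.1.200;
}
host printer {
  hardware ethernet 00:11:22:33:44:55;   # constructed MAC
  fixed-address 192.168.1.20;            # inside the first range: a problem
}
"""


def parse_dhcpd(text):
    """Return (subnets, hosts, options) with addresses already parsed."""
    text = re.sub(r"#.*", "", text)                       # strip comments
    subnets = []
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}", text):
        net = ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        ranges = [(ip_address(a), ip_address(b))
                  for a, b in re.findall(r"range\s+(\S+)\s+(\S+)\s*;", m.group(3))]
        subnets.append((net, ranges))
    hosts = [(name, ip_address(addr)) for name, addr in
             re.findall(r"host\s+(\S+)\s*\{[^}]*?fixed-address\s+(\S+)\s*;", text)]
    options = {key: [v.strip() for v in vals.split(",")]
               for key, vals in re.findall(r"option\s+([\w-]+)\s+([^;]+);", text)}
    return subnets, hosts, options


def validate_dhcpd(text):
    """Return a list of configuration problems (empty if the file is consistent)."""
    problems = []
    subnets, hosts, options = parse_dhcpd(text)
    for net, ranges in subnets:
        for lo, hi in ranges:
            if lo > hi:
                problems.append(f"{net}: range {lo}-{hi} is reversed")
            elif lo not in net or hi not in net:
                problems.append(f"{net}: range {lo}-{hi} is not inside the subnet")
            elif net.network_address in (lo, hi) or net.broadcast_address in (lo, hi):
                problems.append(f"{net}: range {lo}-{hi} hands out the network or broadcast address")
        for i, (lo1, hi1) in enumerate(ranges):
            for lo2, hi2 in ranges[i + 1:]:
                if lo1 <= hi2 and lo2 <= hi1:
                    problems.append(f"{net}: ranges {lo1}-{hi1} and {lo2}-{hi2} overlap")
        for router in options.get("routers", []):
            if ip_address(router) not in net:
                problems.append(f"{net}: router {router} is not on this subnet")
        for bcast in options.get("broadcast-address", []):
            if ip_address(bcast) != net.broadcast_address:
                problems.append(f"{net}: broadcast-address {bcast} should be {net.broadcast_address}")
        for name, addr in hosts:
            if any(lo <= addr <= hi for lo, hi in ranges):
                problems.append(f"host {name}: fixed-address {addr} lies inside a dynamic range")
    return problems


if __name__ == "__main__":
    for problem in validate_dhcpd(DHCPD_CONF):
        print(problem)
```

On the constructed file the only problem reported is the printer's fixed address, which the server would otherwise also lease dynamically to some other client; move it to 192.168.1.120, in the gap between the two ranges, and the file validates cleanly.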
Chapter 10: Squid - Proxy Server
Squid is a full-featured web proxy cache server application which provides proxy and
cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP),
and other popular network protocols. Squid can implement caching and proxying of
Secure Sockets Layer (SSL) requests and caching of Domain Name System (DNS)
lookups, and perform transparent caching. Squid also supports a wide variety of caching
protocols, such as Internet Cache Protocol (ICP), the Hyper Text Caching Protocol
(HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination
Protocol (WCCP).
The Squid proxy cache server is an excellent solution to a variety of proxy and caching
server needs, and scales from the branch office to enterprise level networks while
providing extensive, granular access control mechanisms and monitoring of critical
parameters via the Simple Network Management Protocol (SNMP). When selecting a
computer system for use as a dedicated Squid proxy or caching server, ensure your
system is configured with a large amount of physical memory, as Squid maintains an in-
memory cache for increased performance.
10.1 Installation
At a terminal prompt, enter the following command to install the Squid server:
$ sudo apt-get install squid
18.2 (on%iguration
SDuid is !onfigured by editing the dire!tives !ontained $ithin the Let!LsDuidLsDuid)!onf
!onfiguration file) .he follo$ing examples illustrate some of the dire!tives $hi!h may be
modified to affe!t the behavior of the SDuid server) -or more in-depth !onfiguration of
SDuid see the :eferen!es se!tion)
Prior to editing the !onfiguration file you should ma*e a !opy of the original file and
prote!t it from $riting so you $ill have the original settings as a referen!e and to re-use
as ne!essary)
Copy the Let!LsDuidLsDuid)!onf file and prote!t it from $riting $ith the follo$ing
!ommands entered at a terminal prompt:
Linux Server Configuration: Page H3 of 72
$ sudo cp /etc/sHuid/sHuid.conf
/etc/sHuid/sHuid.conf.oriinal
$ sudo chmod a-w /etc/sHuid/sHuid.conf.oriinal
.o set your SDuid server to listen on .CP port 0000 instead of the default .CP
port 3120 !hange the httpWport dire!tive as su!h:
httpWport 0000
Change the visibleWhostname dire!tive in order to give the SDuid server a
spe!ifi! hostname) .his hostname does not ne!essarily need to be the
!omputer7s hostname) "n this example it is set to wee.ie
visibleWhostname $ee9ie
#gain 2sing SDuid7s a!!ess !ontrol you may !onfigure use of "nternet servi!es
proxied by SDuid to be available only users $ith !ertain "nternet Proto!ol %"P(
addresses) -or example $e $ill illustrate a!!ess by users of the 1+2)1&0)'2),L2'
subnet$or* only:
#dd the follo$ing to the bottom of the #CL se!tion of your Let!LsDuidLsDuid)!onf
file:
acl fort,two4networ9 src "92'"2'42'0(24
.hen add the follo$ing to the top of the httpWa!!ess se!tion of your
Let!LsDuidLsDuid)!onf file:
http4access allow fort,two4networ9
2sing the ex!ellent a!!ess !ontrol features of SDuid you may !onfigure use of
"nternet servi!es proxied by SDuid to be available only during normal business
hours) -or example $e7ll illustrate a!!ess by employees of a business $hi!h is
operating bet$een +:,,#1 and H:,,P1 1onday through -riday and $hi!h uses
the 1,)1)'2),L'2 subnet$or*:
#dd the follo$ing to the bottom of the #CL se!tion of your Let!LsDuidLsDuid)!onf
file:
acl bi74networ9 src "0'"'42'0(24
acl bi74hours time 3 ) H ) E 9:00-"$:00
.hen add the follo$ing to the top of the httpWa!!ess se!tion of your
Let!LsDuidLsDuid)!onf file:
http4access allow bi74networ9 bi74hours
#fter ma*ing !hanges to the Let!LsDuidLsDuid)!onf file save the file and restart
the s%uid server appli!ation to effe!t the !hanges using the follo$ing !ommand
entered at a terminal prompt:
$ sudo /etc/init.d/sHuid restart
Linux Server Configuration: Page H' of 72
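As an added example (not from the page or the Squid project), the following Python script reproduces Squid's first-match evaluation of the http_access rules above, so the two ACL sets can be checked against sample client addresses and times before the server is restarted. The config fragment, client addresses and timestamps are constructed for the example, and only the src and time ACL types used above are handled.

```python
import ipaddress
from datetime import datetime

# Constructed squid.conf fragment (added example, not from the page): the two ACL
# sets described above, followed by the "deny all" that closes the stock http_access
# section. Rule order matters: Squid stops at the first http_access line that matches.
SQUID_CONF = """\
acl fortytwo_network src 192.168.42.0/24
acl biz_network src 10.1.42.0/24
acl biz_hours time M T W H F 9:00-17:00
http_access allow fortytwo_network
http_access allow biz_network biz_hours
http_access deny all
"""

# Squid's day letters for the "time" ACL, mapped to datetime.weekday() (Monday = 0)
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse_squid(text):
    """Return ({acl name: (type, args)}, [(action, [acl names])]) from a config fragment."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # built-in ACL in modern Squid
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            kind, args = acls.get(parts[1], (parts[2], []))
            acls[parts[1]] = (kind, args + parts[3:])  # repeated acl lines accumulate
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, when):
    """Evaluate one ACL reference (possibly negated with '!') for a client and time."""
    negate = name.startswith("!")
    kind, args = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(client_ip in ipaddress.ip_network(a, strict=False) for a in args)
    elif kind == "time":
        days = "".join(a for a in args if a.isalpha())
        ranges = [a for a in args if "-" in a]
        hit = not days or any(DAY_LETTERS[d] == when.weekday() for d in days)
        if hit and ranges:
            start, end = ranges[0].split("-")
            h1, m1 = (int(x) for x in start.split(":"))
            h2, m2 = (int(x) for x in end.split(":"))
            now = when.hour * 60 + when.minute
            hit = h1 * 60 + m1 <= now < h2 * 60 + m2
    else:
        raise ValueError(f"acl type {kind!r} not handled by this example")
    return hit != negate


def http_access(text, client, when):
    """First-match evaluation of the http_access rules; returns 'allow' or 'deny'.

    `when` is a datetime or an ISO timestamp such as "2024-06-12T10:30".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    acls, rules = parse_squid(text)
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        if all(acl_matches(acls, n, ip, when) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action,
    # which is why ending the section with "deny all" keeps the policy explicit.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # Constructed clients and timestamps; 2024-06-12 is a Wednesday, 06-15 a Saturday
    for who, when in [("192.168.42.5", "2024-06-15T03:00"), ("10.1.42.7", "2024-06-12T10:30"),
                      ("10.1.42.7", "2024-06-15T10:30"), ("203.0.113.9", "2024-06-12T10:30")]:
        print(who, when, "->", http_access(SQUID_CONF, who, when))
```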
Chapter 11: DNS
11.1 Installation
At a terminal prompt, enter the following command to install dns:
$ sudo apt-get install bind9
A very useful package for testing and troubleshooting DNS issues is the dnsutils
package. To install dnsutils enter the following:
$ sudo apt-get install dnsutils
11.2 Configuration
There are many ways to configure BIND9. Some of the most common configurations are a
caching nameserver, a primary master, and a secondary master.
When configured as a caching nameserver BIND9 will find the answer to name
queries and remember the answer when the domain is queried again.
As a primary master server BIND9 reads the data for a zone from a file on its
host and is authoritative for that zone.
In a secondary master configuration BIND9 gets the zone data from another
nameserver authoritative for the zone.
11.3 Overview
The DNS configuration files are stored in the /etc/bind directory. The primary
configuration file is /etc/bind/named.conf.
The include line specifies the filename which contains the DNS options. The directory
line in the /etc/bind/named.conf.options file tells DNS where to look for files. All files
BIND uses will be relative to this directory.
The file named /etc/bind/db.root describes the root nameservers in the world. The
servers change over time, so the /etc/bind/db.root file must be maintained now and then.
This is usually done as updates to the bind9 package. The zone section defines a
master server, and it is stored in a file mentioned in the file option.
It is possible to configure the same server to be a caching name server, primary master,
and secondary master. A server can be the Start of Authority (SOA) for one zone, while
providing secondary service for another zone, all the while providing caching services
for hosts on the local LAN.
Caching Nameserver
The default configuration is set up to act as a caching server. All that is required is simply
adding the IP Addresses of your ISP's DNS servers. Simply uncomment and edit the
following in /etc/bind/named.conf.options:
forwarders {
1.2.3.4;
5.6.7.8;
};
Replace 1.2.3.4 and 5.6.7.8 with the IP Addresses of actual nameservers.
Now restart the DNS server to enable the new configuration. From a terminal prompt:
sudo /etc/init.d/bind9 restart
Primary Master
In this section BIND9 will be configured as the Primary Master for the domain
example.com. Simply replace example.com with your FQDN (Fully Qualified Domain
Name).
Forward Zone File
To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the first step
is to edit /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
Now use an existing zone file as a template to create the /etc/bind/db.example.com
file:
$ sudo cp /etc/bind/db.local /etc/bind/db.example.com
Edit the new zone file /etc/bind/db.example.com: change localhost. to the FQDN of your
server, leaving the additional "." at the end. Change 127.0.0.1 to the nameserver's IP
Address and root.localhost to a valid email address, but with a "." instead of the usual
"@" symbol, again leaving the "." at the end.
Also, create an A record for ns.example.com, the name server in this example:
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10
You must increment the Serial Number every time you make changes to the zone file. If
you make multiple changes before restarting BIND9, simply increment the Serial once.
Now, you can add DNS records to the bottom of the zone file.
Many admins like to use the last date edited as the serial of a zone, such as
2007010100 which is yyyymmddss (where ss is the Serial Number).
Once you have made a change to the zone file BIND9 will need to be restarted for the
changes to take effect:
$ sudo /etc/init.d/bind9 restart
Reverse Zone File
Now that the zone is set up and resolving names to IP Addresses, a Reverse zone is also
required. A Reverse zone allows DNS to resolve an address to a name.
Edit /etc/bind/named.conf.local and add the following:
zone "1.168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192";
};
Replace 1.168.192 with the first three octets of whatever network you are using. Also,
name the zone file /etc/bind/db.192 appropriately. It should match the first octet of
your network.
Now create the /etc/bind/db.192 file:
$ sudo cp /etc/bind/db.127 /etc/bind/db.192
Next edit /etc/bind/db.192, changing basically the same options as in
/etc/bind/db.example.com:
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.
10      IN      PTR     ns.example.com.
The Serial Number in the Reverse zone needs to be incremented on each change as
well. For each A record you configure in /etc/bind/db.example.com you need to create a
PTR record in /etc/bind/db.192.
After creating the reverse zone file restart BIND9:
$ sudo /etc/init.d/bind9 restart
Secondary Master
Once a Primary Master has been configured a Secondary Master is needed in order to
maintain the availability of the domain should the Primary become unavailable.
First, on the Primary Master server, the zone transfer needs to be allowed. Add the
allow-transfer option to the example Forward and Reverse zone definitions in
/etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};
Replace 192.168.1.11 with the IP Address of your Secondary nameserver.
Next, on the Secondary Master, install the bind9 package the same way as on the
Primary. Then edit the /etc/bind/named.conf.local and add the following
declarations for the Forward and Reverse zones:
zone "example.com" {
type slave;
file "/var/cache/bind/db.example.com";
masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
type slave;
file "/var/cache/bind/db.192";
masters { 192.168.1.10; };
};
Replace 192.168.1.10 with the IP Address of your Primary nameserver.
Restart BIND9 on the Secondary Master:
$ sudo /etc/init.d/bind9 restart
In /var/log/syslog you should see something similar to:
slave zone "example.com" (IN) loaded (serial 6)
slave zone "100.18.172.in-addr.arpa" (IN) loaded (serial 3)
Note: A zone is only transferred if the Serial Number on the Primary is larger than the
one on the Secondary.
The default directory for non-authoritative zone files is /var/cache/bind/.
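As an added example (not the page's or BIND's code), this Python script applies the zone-file checks the chapter asks for by hand: it reads the SOA serial, computes the next yyyymmddss serial, lists A records in the forward zone that still lack a PTR in the reverse zone, and encodes the note that a secondary only transfers a zone when the primary's serial is larger. The two zone texts are constructed copies of the layout above, with an extra www record added so the PTR check has something to find.

```python
import ipaddress
import re
from datetime import date

# Constructed copies of the forward and reverse zone files laid out above (added
# example, not the page's files). The www host has an A record but no PTR yet.
FORWARD_ZONE = """\
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                     2024061501 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800 ) ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
ns      IN      A       192.168.1.10
www     IN      A       192.168.1.20
"""

REVERSE_ZONE = """\
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                     2024061501 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800 ) ; Negative Cache TTL
;
@       IN      NS      ns.
10      IN      PTR     ns.example.com.
"""


def soa_serial(zone_text):
    """The serial is the first number after the SOA record's opening parenthesis."""
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", zone_text, re.S)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def next_serial(current, today):
    """yyyymmddss scheme from the text: bump ss on the same day, else restart at today00.

    `today` is a date or an ISO string; the result never goes backwards, because a
    secondary ignores a zone whose serial did not grow.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    base = int(today.strftime("%Y%m%d")) * 100
    if current // 100 == base // 100:  # already edited today
        if current % 100 == 99:
            raise ValueError("100 edits in one day; serial scheme exhausted")
        return current + 1
    return max(base, current + 1)


def records(zone_text, rtype):
    """[(owner, rdata)] for every 'owner IN <rtype> rdata' line, comments stripped."""
    out = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        m = re.match(r"^(\S+)\s+IN\s+%s\s+(\S+)" % rtype, line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def missing_ptrs(forward, reverse, network="192.168.1.0/24"):
    """A records inside `network` whose last octet has no PTR owner in the reverse zone."""
    net = ipaddress.ip_network(network)
    have_ptr = {owner for owner, _ in records(reverse, "PTR")}
    missing = []
    for owner, addr in records(forward, "A"):
        if ipaddress.ip_address(addr) in net and addr.split(".")[-1] not in have_ptr:
            missing.append((owner, addr))
    return missing


def transfer_expected(primary_serial, secondary_serial):
    """The note above: the zone is only transferred if the Primary's serial is larger."""
    return primary_serial > secondary_serial


if __name__ == "__main__":
    serial = soa_serial(FORWARD_ZONE)
    print("forward serial:", serial, "next:", next_serial(serial, date.today()))
    print("A records without a PTR:", missing_ptrs(FORWARD_ZONE, REVERSE_ZONE))
```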
Chapter 12: HTTPD - Apache2 Web Server
Apache is the most commonly used Web Server on Linux systems. Web Servers are
used to serve Web Pages requested by client computers. Clients typically request and
view Web Pages using Web Browser applications such as Firefox, Opera, or Mozilla.
The most common protocol used to transfer Web pages is the Hyper Text Transfer
Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol over Secure Sockets
Layer (HTTPS), and File Transfer Protocol (FTP), a protocol for uploading and
downloading files, are also supported.
Apache Web Servers are often used in combination with the MySQL database engine,
the HyperText Preprocessor (PHP) scripting language, and other popular scripting
languages such as Python and Perl. This configuration is termed LAMP (Linux, Apache,
MySQL and Perl/Python/PHP) and forms a powerful and robust platform for the
development and deployment of Web-based applications.
12.1 Installation
The Apache2 web server is available in Ubuntu Linux. To install Apache2:
At a terminal prompt enter the following command:
$ sudo apt-get install apache2
12.2 Configuration
Apache2 is configured by placing directives in plain text configuration files. The
configuration files are separated between the following files and directories:
apache2.conf: the main Apache2 configuration file. Contains settings that are
global to Apache2.
conf.d: contains configuration files which apply globally to Apache. Other
packages that use Apache2 to serve content may add files, or symlinks, to this
directory.
envvars: file where Apache2 environment variables are set.
httpd.conf: historically the main Apache2 configuration file, named after the httpd
daemon. The file can be used for user specific configuration options that globally
affect Apache2.
mods-available: this directory contains configuration files to both load modules
and configure them. Not all modules will have specific configuration files,
however.
mods-enabled: holds symlinks to the files in /etc/apache2/mods-available.
When a module configuration file is symlinked it will be enabled the next time
apache2 is restarted.
ports.conf: houses the directives that determine which TCP ports Apache2 is
listening on.
sites-available: this directory has configuration files for Apache Virtual Hosts.
Virtual Hosts allow Apache2 to be configured for multiple sites that have separate
configurations.
sites-enabled: like mods-enabled, sites-enabled contains symlinks to the
/etc/apache2/sites-available directory. Similarly, when a configuration file in sites-
available is symlinked it will be active once Apache is restarted.
In addition, other configuration files may be added using the Include directive, and
wildcards can be used to include many configuration files. Any directive may be placed
in any of these configuration files. Changes to the main configuration files are only
recognized by Apache2 when it is started or restarted.
The server also reads a file containing mime document types; the filename is set by the
TypesConfig directive, and is /etc/mime.types by default.
12.3 Basic Settings
This section explains Apache2 server essential configuration parameters.
Apache2 ships with a virtual-host-friendly default configuration. That is, it is
configured with a single default virtual host (using the VirtualHost directive) which
can be modified or used as-is if you have a single site, or used as a template for
additional virtual hosts if you have multiple sites. If left alone, the default virtual
host will serve as your default site, or the site users will see if the URL they enter
does not match the ServerName directive of any of your custom sites. To modify
the default virtual host, edit the file /etc/apache2/sites-available/default.
The directives set for a virtual host only apply to that particular virtual host. If a
directive is set server-wide and not defined within the virtual host settings, the
default setting is used. For example, you can define a Webmaster email address
and not define individual email addresses for each virtual host.
If you wish to configure a new virtual host or site, copy that file into the same
directory with a name you choose. For example:
$ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite
Edit the new file to configure the new site using some of the directives described
below.
The ServerAdmin directive specifies the email address to be advertised for the
server's administrator. The default value is webmaster@localhost. This should be
changed to an email address that is delivered to you (if you are the server's
administrator). If your website has a problem, Apache2 will display an error
message containing this email address to report the problem to. Find this
directive in your site's configuration file in /etc/apache2/sites-available.
The Listen directive specifies the port, and optionally the IP address, Apache2
should listen on. If the IP address is not specified, Apache2 will listen on all IP
addresses assigned to the machine it runs on. The default value for the Listen
directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only on
your loopback interface so that it will not be available to the Internet, to (for
example) 81 to change the port that it listens on, or leave it as is for normal
operation. This directive can be found and changed in its own file,
/etc/apache2/ports.conf.
The ServerName directive is optional and specifies what FQDN your site should
answer to. The default virtual host has no ServerName directive specified, so it
will respond to all requests that do not match a ServerName directive in another
virtual host. If you have just acquired the domain name ubunturocks.com and
wish to host it on your Ubuntu server, the value of the ServerName directive in
your virtual host configuration file should be ubunturocks.com. Add this directive
to the new virtual host file you created earlier (/etc/apache2/sites-
available/mynewsite).
You may also want your site to respond to www.ubunturocks.com, since many
users will assume the www prefix is appropriate. Use the ServerAlias directive for
this. You may also use wildcards in the ServerAlias directive.
For example, the following configuration will cause your site to respond to any
domain request ending in .ubunturocks.com.
ServerAlias *.ubunturocks.com
The DocumentRoot directive specifies where Apache should look for the files that
make up the site. The default value is /var/www. No site is configured there, but if
you uncomment the RedirectMatch directive in /etc/apache2/apache2.conf
requests will be redirected to /var/www/apache2-default where the default
Apache2 site awaits. Change this value in your site's virtual host file, and
remember to create that directory if necessary!
The /etc/apache2/sites-available directory is not parsed by Apache2. Symbolic links in
/etc/apache2/sites-enabled point to "available" sites.
Enable the new VirtualHost using the a2ensite utility and restart Apache:
$ sudo a2ensite mynewsite
$ sudo /etc/init.d/apache2 restart
Be sure to replace mynewsite with a more descriptive name for the VirtualHost. One
method is to name the file after the ServerName directive of the VirtualHost.
Similarly, use the a2dissite utility to disable sites. This can be useful when
troubleshooting configuration problems with multiple VirtualHosts:
$ sudo a2dissite mynewsite
$ sudo /etc/init.d/apache2 restart
12.4 Default Settings
This section explains configuration of the Apache2 server default settings. For example,
if you add a virtual host, the settings you configure for the virtual host take precedence
for that virtual host. For a directive not defined within the virtual host settings, the default
value is used.
The DirectoryIndex is the default page served by the server when a user
requests an index of a directory by specifying a forward slash (/) at the end of the
directory name.
For example, when a user requests the page
http://www.example.com/this_directory/, he or she will get either the
DirectoryIndex page if it exists, a server-generated directory list if it does not and
the Indexes option is specified, or a Permission Denied page if neither is true.
The server will try to find one of the files listed in the DirectoryIndex directive and
will return the first one it finds. If it does not find any of these files and if Options
Indexes is set for that directory, the server will generate and return a list, in
HTML format, of the subdirectories and files in the directory. The default value,
found in /etc/apache2/apache2.conf, is "index.html index.cgi index.pl index.php
index.xhtml". Thus, if Apache2 finds a file in a requested directory matching any
of these names, the first will be displayed.
The ErrorDocument directive allows you to specify a file for Apache to use for
specific error events. For example, if a user requests a resource that does not
exist, a 404 error will occur, and per Apache2's default configuration, the file
/usr/share/apache2/error/HTTP_NOT_FOUND.html.var will be displayed. That
file is not in the server's DocumentRoot, but there is an Alias directive in
/etc/apache2/apache2.conf that redirects requests to the /error directory to
/usr/share/apache2/error/.
To see a list of the default ErrorDocument directives, use this command:
$ grep ErrorDocument /etc/apache2/apache2.conf
By default, the server writes the transfer log to the file
/var/log/apache2/access.log. You can change this on a per-site basis in your
virtual host configuration files with the CustomLog directive, or omit it to accept
the default, specified in /etc/apache2/apache2.conf. You may also specify the file
to which errors are logged, via the ErrorLog directive, whose default is
/var/log/apache2/error.log. These are kept separate from the transfer logs to aid
in troubleshooting problems with your Apache2 server. You may also specify the
LogLevel (the default value is "warn") and the LogFormat (see
/etc/apache2/apache2.conf for the default value).
Some options are specified on a per-directory basis rather than per-server.
Options is one of these directives. A Directory stanza is enclosed in XML-like
tags, like so:
<Directory /var/www/mynewsite>
...
</Directory>
The Options directive within a Directory stanza accepts one or more of the
following values (among others), separated by spaces:
o ExecCGI - Allow execution of CGI scripts. CGI scripts are not executed if
this option is not chosen.
Most files should not be executed as CGI scripts. This would be very
dangerous. CGI scripts should be kept in a directory separate from and
outside your DocumentRoot, and only this directory should have the
ExecCGI option set. This is the default, and the default location for CGI
scripts is /usr/lib/cgi-bin.
o Includes - Allow server-side includes. Server-side includes allow an
HTML file to include other files. This is not a common option.
o IncludesNOEXEC - Allow server-side includes, but disable the #exec and
#include commands in CGI scripts.
o Indexes - Display a formatted list of the directory's contents, if no
DirectoryIndex (such as index.html) exists in the requested directory.
For security reasons, this should usually not be set, and certainly should
not be set on your DocumentRoot directory. Enable this option carefully
on a per-directory basis only if you are certain you want users to see the
entire contents of the directory.
o MultiViews - Support content-negotiated multiviews; this option is disabled
by default for security reasons.
o SymLinksIfOwnerMatch - Only follow symbolic links if the target file or
directory has the same owner as the link.
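As an added example (not from the page or the Apache project), this Python audit parses a site file and reports the Options and User settings this section and the next warn against: Indexes on the DocumentRoot, ExecCGI outside /usr/lib/cgi-bin, plain Includes instead of IncludesNOEXEC, and User root. The virtual host text is constructed for the example; the hardened variant shows the same stanza corrected.

```python
import re

# Constructed virtual host (added example, not the page's file): the DocumentRoot
# stanza carelessly enables Indexes and ExecCGI, while the CGI directory keeps
# ExecCGI where the text says it belongs.
WEAK_SITE = """\
<VirtualHost *:80>
    ServerName ubunturocks.com
    DocumentRoot /var/www/mynewsite
    <Directory /var/www/mynewsite>
        Options Indexes ExecCGI
    </Directory>
    <Directory /usr/lib/cgi-bin>
        Options ExecCGI
    </Directory>
</VirtualHost>
"""

# The same site with the DocumentRoot stanza corrected.
HARDENED_SITE = WEAK_SITE.replace("Options Indexes ExecCGI", "Options SymLinksIfOwnerMatch")

CGI_DIR = "/usr/lib/cgi-bin"   # default CGI location named in the text


def directory_options(config):
    """Map each <Directory PATH> stanza to the Options values it sets (last line wins)."""
    stanzas = {}
    for m in re.finditer(r'<Directory\s+"?([^\s">]+)"?>(.*?)</Directory>', config, re.S):
        path, body = m.group(1), m.group(2)
        opts = []
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].lower() == "options":
                opts = [p.lstrip("+-") for p in parts[1:]]   # "+Indexes" still counts
        stanzas[path] = opts
    return stanzas


def document_root(config):
    """The DocumentRoot path without a trailing slash, or None if not set here."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^\s"]+)"?', config, re.M)
    return m.group(1).rstrip("/") if m else None


def audit(config):
    """Findings for the per-directory and User settings the text warns about."""
    findings = []
    root = document_root(config)
    for path, opts in directory_options(config).items():
        if "Indexes" in opts and root and path.rstrip("/") == root:
            findings.append(f"{path}: Indexes enabled on the DocumentRoot")
        if "ExecCGI" in opts and not path.startswith(CGI_DIR):
            findings.append(f"{path}: ExecCGI outside {CGI_DIR}")
        if "Includes" in opts:
            findings.append(f"{path}: Includes allows #exec; prefer IncludesNOEXEC")
    if re.search(r"^\s*User\s+root\s*$", config, re.M):
        findings.append("User root: the server must not answer requests as root")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_SITE), ("hardened", HARDENED_SITE)]:
        print(name, "->", audit(cfg) or "no findings")
```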
12.5 httpd Settings
This section explains some basic httpd daemon configuration settings.
LockFile - The LockFile directive sets the path to the lockfile used when the server is
compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
USE_FLOCK_SERIALIZED_ACCEPT. It must be stored on the local disk. It should be
left to the default value unless the logs directory is located on an NFS share. If this is the
case, the default value should be changed to a location on the local disk and to a
directory that is readable only by root.
PidFile - The PidFile directive sets the file in which the server records its process ID
(pid). This file should only be readable by root. In most cases, it should be left to the
default value.
User - The User directive sets the userid used by the server to answer requests. This
setting determines the server's access. Any files inaccessible to this user will also be
inaccessible to your website's visitors. The default value for User is www-data.
Unless you know exactly what you are doing, do not set the User directive to root. Using
root as the User will create large security holes for your Web server.
The Group directive is similar to the User directive. Group sets the group under which
the server will answer requests. The default group is also www-data.
Apache Modules
Apache is a modular server. This implies that only the most basic functionality is
included in the core server. Extended features are available through modules which can
be loaded into Apache. By default, a base set of modules is included in the server at
compile-time. If the server is compiled to use dynamically loaded modules, then modules
can be compiled separately, and added at any time using the LoadModule directive.
Otherwise, Apache must be recompiled to add or remove modules.
Ubuntu compiles Apache2 to allow the dynamic loading of modules. Configuration
directives may be conditionally included on the presence of a particular module by
enclosing them in an <IfModule> block.
You can install additional Apache2 modules and use them with your Web server. For
example, run the following command from a terminal prompt to install the MySQL
Authentication module:
$ sudo apt-get install libapache2-mod-auth-mysql
See the /etc/apache2/mods-available directory for additional modules.
Use the a2enmod utility to enable a module:
$ sudo a2enmod auth_mysql
$ sudo /etc/init.d/apache2 restart
Similarly, a2dismod will disable a module:
$ sudo a2dismod auth_mysql
$ sudo /etc/init.d/apache2 restart
HTTPS Configuration
The mod_ssl module adds an important feature to the Apache2 server - the ability to
encrypt communications. Thus, when your browser is communicating using SSL, the
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the
browser navigation bar.
The mod_ssl module is available in the apache2-common package. Execute the following
command from a terminal prompt to enable the mod_ssl module:
$ sudo a2enmod ssl
There is a default HTTPS configuration file in /etc/apache2/sites-available/default-ssl. In
order for Apache to provide HTTPS, a certificate and key file are also needed. The
default HTTPS configuration will use a certificate and key generated by the ssl-cert
package. They are good for testing, but the auto-generated certificate and key should be
replaced by a certificate specific to the site or server.
To configure Apache for HTTPS, enter the following:
$ sudo a2ensite default-ssl
The directories /etc/ssl/certs and /etc/ssl/private are the default locations. If
you install the certificate and key in another directory make sure to change
SSLCertificateFile and SSLCertificateKeyFile appropriately.
With Apache now configured for HTTPS, restart the service to enable the new settings:
$ sudo /etc/init.d/apache2 restart
Depending on how you obtained your certificate you may need to enter a passphrase
when Apache starts.
You can access the secure server pages by typing https://your_hostname/url/ in your
browser address bar.
Chapter 13: MySQL
MySQL is a fast, multi-threaded, multi-user, and robust SQL database server. It is
intended for mission-critical, heavy-load production systems as well as for embedding
into mass-deployed software.
13.1 Installation
To install MySQL, run the following command from a terminal prompt:
$ sudo apt-get install mysql-server
During the installation process you will be prompted to enter a password for the MySQL
root user.
Once the installation is complete, the MySQL server should be started automatically.
You can run the following command from a terminal prompt to check whether the
MySQL server is running:
$ sudo netstat -tap | grep mysql
When you run this command, you should see the following line or something similar:
tcp 0 0 localhost:mysql *:* LISTEN 2556/mysqld
If the server is not running correctly, you can type the following command to start it:
$ sudo /etc/init.d/mysql restart
13.2 Configuration
You can edit the /etc/mysql/my.cnf file to configure the basic settings -- log file, port
number, etc. For example, to configure MySQL to listen for connections from network
hosts, change the bind-address directive to the server's IP address:
bind-address = 192.168.0.5
Replace 192.168.0.5 with the appropriate address.
After making a change to /etc/mysql/my.cnf the mysql daemon will need to be restarted:
$ sudo /etc/init.d/mysql restart
If you would like to change the MySQL root password, in a terminal enter:
$ sudo dpkg-reconfigure mysql-server-5.0
The mysql daemon will be stopped, and you will be prompted to enter a new password.
Chapter 14: Postfix (Mail server)
Postfix is the default Mail Transfer Agent (MTA) in Ubuntu. It attempts to be fast and
easy to administer and secure. It is compatible with the MTA sendmail. This section
explains how to install and configure postfix. It also explains how to set it up as an
SMTP server using a secure connection (for sending emails securely).
14.1 Installation
To install postfix run the following command:
$ sudo apt-get install postfix
Simply press return when the installation process asks questions; the configuration will
be done in greater detail in the next stage.
14.2 Basic Configuration
To configure postfix, run the following command:
$ sudo dpkg-reconfigure postfix
The user interface will be displayed. On each screen, select the following values:
Internet Site
mail.example.com
steve
mail.example.com, localhost.localdomain, localhost
No
127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0/24
0
+
All
Replace mail.example.com with your mail server hostname, 192.168.0/24 with the actual
network and class range of your mail server, and steve with the appropriate username.
SMTP Authentication
SMTP-AUTH allows a client to identify itself through an authentication mechanism
(SASL). Transport Layer Security (TLS) should be used to encrypt the authentication
process. Once authenticated the SMTP server will allow the client to relay mail.
Configuring Postfix for SMTP-AUTH is very simple using the dovecot-postfix package.
This package will install Dovecot and configure Postfix to use it for both SASL
authentication and as a Mail Delivery Agent (MDA). The package also configures
Dovecot for IMAP, IMAPS, POP3, and POP3S.
To install the package, from a terminal prompt enter:
$ sudo apt-get install dovecot-postfix
You should now have a working mail server, but there are a few options that you may
wish to further customize. For example, the package uses the certificate and key from
the ssl-cert package, and in a production environment you should use a certificate and
key generated for the host.
Once you have a customized certificate and key for the host, change the following
options in /etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
Then restart Postfix:
$ sudo /etc/init.d/postfix restart
14.3 Testing
SMTP-AUTH configuration is complete. Now it is time to test the setup.
To see if SMTP-AUTH and TLS work properly, run the following command:
$ telnet mail.example.com 25
After you have established the connection to the postfix mail server, type:
ehlo mail.example.com
If you see the following lines among others, then everything is working perfectly. Type
quit to exit.
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
Troubleshooting
This section introduces some common ways to determine the cause if problems arise.
Escaping chroot
The Ubuntu postfix package will by default install into a chroot environment for security
reasons. This can add greater complexity when troubleshooting problems.
To turn off the chroot operation, locate the following line in the
/etc/postfix/master.cf configuration file:
smtp inet n - - - - smtpd
and modify it as follows:
smtp inet n - n - - smtpd
You will then need to restart Postfix to use the new configuration. From a terminal
prompt enter:
$ sudo /etc/init.d/postfix restart
Log Files
Postfix sends all log messages to /var/log/mail.log. However, error and warning
messages can sometimes get lost in the normal log output so they are also logged to
/var/log/mail.err and /var/log/mail.warn respectively.
To see messages entered into the logs in real time you can use the tail -f command:
$ tail -f /var/log/mail.err
The amount of detail that is recorded in the logs can be increased. Below are some
configuration options for increasing the log level for some of the areas covered above.
To increase TLS activity logging, set the smtpd_tls_loglevel option to a value from
1 to 4.
$ sudo postconf -e 'smtpd_tls_loglevel = 2'
If you are having trouble sending or receiving mail from a specific domain you
can add the domain to the debug_peer_list parameter.
$ sudo postconf -e 'debug_peer_list = problem.domain'
You can increase the verbosity of any Postfix daemon process by editing the
/etc/postfix/master.cf and adding a -v after the entry. For example, edit the
smtp entry:
smtp unix - - - - - smtp -v
It is important to note that after making one of the logging changes above the
Postfix process will need to be reloaded in order to recognize the new configuration:
sudo /etc/init.d/postfix reload
To increase the amount of information logged when troubleshooting SASL issues
you can set the following options in /etc/dovecot/dovecot.conf:
auth_debug=yes
auth_debug_passwords=yes
Just like Postfix, if you change a Dovecot configuration the process will need to be
reloaded: sudo /etc/init.d/dovecot reload.
Some of the options above can drastically increase the amount of information sent to
the log files. Remember to return the log level back to normal after you have
corrected the problem. Then reload the appropriate daemon for the new
configuration to take effect.