Verifying the checksums
Verifying a file’s checksum is like comparing fingerprints. If the fingerprints match, it’s likely that the download was successful. To verify the checksums of the ISO images you’ve downloaded, follow these steps:
1. Click the Back button on your browser to return to the first Fedora download page. Below the link to the ISO images, look for the names of the discs you’ve downloaded.
Each name is followed by an md5 checksum:
yarrow-i386-disc1.iso (md5sum: 76ef22495d186580e47efd8d7a65fe6b)
2. Write down the three checksums; you’ll need them to compare to your computed results.
3. Open a terminal window and cd to the directory containing the downloaded ISO images.
4. Use the following command to calculate the checksum for the first disc image:
$ md5sum yarrow-i386-disc1.iso
5. Compare the result to the checksum from the Fedora Web site.
The checksums should match. If they don’t, download the file again.
6. Repeat the process for the other disc files.
When you have three ISO files with good checksums, you’re ready to burn the Fedora CDs! See the next section for details.
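The comparison in the steps above can be scripted. The following is an added example, not code from the book: it reads lines copied from the download page in the "NAME (md5sum: HEX)" form shown in step 1 and checks each file. The function name verify_md5_list, the list file and the demo files are assumptions made for illustration. A matching MD5 shows the file arrived intact; it does not by itself prove who published it.

```shell
#!/bin/sh
# Added example (not from the book): check downloaded images against lines
# copied from the download page in the form "NAME (md5sum: HEX)".

# verify_md5_list LIST [DIR]   (hypothetical helper name)
# Prints one status line per entry; returns non-zero unless every entry is OK.
verify_md5_list() {
    list=$1
    dir=${2:-.}
    rc=0
    pat='^\(.*\) (md5sum: \([0-9A-Fa-f]\{32\}\))[[:space:]]*$'
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Split the line into file name and expected checksum.
        name=$(printf '%s\n' "$line" | sed -n "s/$pat/\1/p")
        want=$(printf '%s\n' "$line" | sed -n "s/$pat/\2/p" | tr 'A-F' 'a-f')
        case $name in
            # No match, or a name that points outside DIR: refuse the entry.
            ''|*/*) echo "MALFORMED: $line"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name"; rc=1; continue
        fi
        # Read via stdin so md5sum prints only the hash and "-".
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK: $name"
        else
            echo "FAILED: $name (download it again)"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# Demo on constructed data: one intact file and one whose checksum is wrong.
demo_dir=$(mktemp -d)
printf 'constructed image A\n' > "$demo_dir/a.iso"
printf 'constructed image B\n' > "$demo_dir/b.iso"
{
    echo "a.iso (md5sum: $(md5sum < "$demo_dir/a.iso" | cut -d' ' -f1))"
    echo "b.iso (md5sum: 00000000000000000000000000000000)"
} > "$demo_dir/expected.txt"
verify_md5_list "$demo_dir/expected.txt" "$demo_dir" || echo "at least one image failed"
rm -rf "$demo_dir"
```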
Burning an ISO File to Disc at the Command Line
If you have access to a graphical environment, you’ll find easy-to-use tools that help you make CDs or DVDs with a few clicks of the mouse. But the easiest way to burn an ISO image onto a disc is to hit the command line.
Before you burn an ISO image, you need to find the identity of your CD or DVD drive and then run a test burn. When those steps are complete, you’re ready to burn the discs.
The cdrecord package is included in the standard Fedora distribution. It is part of the Sound and Video package and included in most installations by default.
Finding the identity of your drive
Before you can burn the ISO file to disc, you need to find the identity of your CD drive:
1. Open a terminal window and enter the following command:
$ cdrecord --scanbus
The results look something like this:
scsibus1:
1,0,0 100) 'TEAC' 'DW-224E ' 'F.0A' CDR
1,1,0 101) *
1,2,0 102) *
1,3,0 103) *
1,4,0 104) *
1,5,0 105) *
1,6,0 106) *
1,7,0 107) *
2. Find your drive in the list. If you see more than one device in the list, choose your drive by its model name. The first three comma-separated numbers make up the drive identifier. Write down the drive ID because you’ll need it in a moment.
Running a test burn
A test burn does everything but turn the laser on. It tests the system speed and determines whether the image will fit on a disc. Basically, it prevents you from making a shiny coaster.
434 Technique 56: Burning CD-Rs without Getting Burned
To run a test burn, move to the directory containing the ISO disc images and enter the following command:
$ cdrecord --dummy dev=1,0,0 yarrow-i386-disc1.iso
Use the device identifier that you discovered in the previous section to identify the drive in the command. The test results print to screen, displaying statistics and errors about the burn.
The most common error you’re likely to encounter is a buffer underrun. A buffer underrun means your computer wasn’t able to feed data to the burner quickly enough to keep up with the drive. Your computer may be too busy or too slow to burn a CD at the maximum rate supported by your recorder. If you get a buffer underrun error, run another test record, but set the speed to half of the speed listed in the statistics of the test burn:
$ cdrecord --dummy dev=1,0,0 speed=8 yarrow-i386-disc1.iso
If you still have buffer underrun errors, halve the speed and try again. Don’t forget to stop any unnecessary programs running on your system.
Burning the distribution discs
When you get a successful result set from the test burn, take --dummy out of the command line and let the burning begin:
$ cdrecord -eject dev=1,0,0 yarrow-i386-disc1.iso
Add the -eject flag to eject the disc when the write is complete.
cdrecord displays a nine-second countdown before turning on the laser. When the drive is finished writing, the disc ejects. Repeat the steps to make discs 2 and 3 of the Fedora distribution, and your set is complete!
Creating an ISO Image at the Command Line
You can put data on a CD or DVD two ways: You can just burn the bytes that make up the data straight onto the disc, or you can create a file system to hold the data and then burn the file system onto the disc.
Here’s an example to clarify what you get with each option. Say you want to store your e-mail inbox on CD. Typically, a mailbox is made up of two files: The mail messages are stored in one file (inbox.mbox), and the index is stored in a separate file (inbox.idx). You could simply stream both files onto the CD, one right after the other, but you’ll find this method has a few disadvantages down the road:
You’ll lose useful information. First, you would lose the filenames — the filename is part of the file system, not part of the file content. In fact, you would lose the boundary between the two files. If you stream two files to a CD, you can’t tell where one file ends and the other begins. You would also lose the creation and modification dates for the file, the owner and group IDs, and the file permissions — that information is stored in the file system, not in the file.
You can’t mount a raw data disc later on. You’ll have to stream the data back off the disc instead and re-create the two data files yourself.
You can’t really tell what’s on the disc if you forget to label it properly. This is one of the biggest disadvantages to writing raw data.
By creating an ISO image so that the file system travels with the data, you’ll reap all sorts of timesaving benefits. The alternative is to create a mini–file system that holds the two files and then burn the file system to disc. The filenames are preserved, the owner and group IDs are preserved, the permissions are preserved, and the boundary between the two files is managed by the file system. You can mount a CD that contains a file system.
There are still a few legitimate reasons to create a raw-data CD (in fact, we show you how to do that in the next section), but in most cases, you should create a file system first.
Although you can write just about any type of file system to a CD (ext2, reiserfs, xfs), most computers expect to find an ISO 9660 (or ISO for short) file system when you put a CD in the drive.
To make an ISO file system that holds the two mailbox files, open a terminal window and enter the following command:
$ mkisofs -o mailbox.iso inbox.mbox inbox.idx
The -o mailbox.iso option tells mkisofs to write the resulting file system to a file named mailbox.iso. (You typically create the ISO image on your hard drive and then transfer it to a CD.)
Use the isovfy command to verify that the ISO file is in good shape: $ isovfy imagename.iso.
To write the ISO file to disc, use cdrecord just like we describe in the section, “Burning an ISO File to Disc at the Command Line,” earlier in this technique. For our example, we pass the mailbox ISO file to the command:
# cdrecord -eject dev=1,0,0 mailbox.iso
Of course, you have to use the device ID that you found in the section, “Finding the identity of your drive,” earlier in this technique.
If you haven’t tested your recorder’s burn performance, be sure to do a --dummy burn first to find the correct write speed. You can also find details on speed in “Running a test burn,” earlier in this technique.
You can also mount an ISO file system without first burning it to disc. When you mount an ISO image (using Linux’s loopback adapter), you’re sort of treating the file system like an archive: It’s a collection of files and directories just like a tar archive. Any program can look inside a mounted file system and get to the files inside; you can’t do that with a tar archive.
To directly mount an ISO image, follow these steps:
1. Give yourself superuser privileges.
2. Create a mount point:
# mkdir /mnt/myiso
3. Mount the image to the mount point:
# mount -o loop ./mailbox.iso /mnt/myiso
4. Check out a listing of the ISO image with the ls command:
# ls /mnt/myiso
The mounted ISO image acts just like a drive. Look inside it and be sure it’s just right before you write it to disc.
Burning CDs without Making an ISO First
If an ISO 9660 file system is so great, why would you ever want to burn a disc without one? To save time, of course (and disc space, too).
Sometimes, burning a raw data disc is the best way to save time and space. If you’re creating a backup CD or DVD, the archive tool that you’re using already builds a wrapper around all the files in the archive. Why wrap a file system around an archive when the archive already contains all the information that you need (filenames, permissions, owner IDs, and such)? Also, it takes time to create an ISO image. An ISO image takes up space on your hard drive until you’ve burned it to disc. If all you need is the data an ISO has to offer, then don’t waste time creating the ISO.
You can pipe the output of a command directly into the standard input of cdrecord without creating an ISO image. For this to work, the recorder must support RAW-mode writing. Not all recorders support RAW mode. If you have a drive that doesn’t, you get an error message when you try to burn a CD.
To burn a CD (or DVD) with a backup of the /etc directory (the /etc directory is full of your config files — a good thing to back up), enter the following command:
# tar -czvf - /etc | cdrecord -eject dev=1,0,0 -
The -f - in the -czvf portion of the command tells tar to write the archive that it creates to its standard output stream. The | directs the output from the tar command to the cdrecord command. The - at the end of the cdrecord command tells cdrecord to read a data stream from its standard input (cdrecord burns whatever data you send to its standard input stream when you include a - at the end of the command line).
cdrecord doesn’t know how to split the data stream if the stream contains more data than the disc can hold. Use the cdbackup program that we cover in Technique 50 to split the stream across multiple discs.
You can’t mount a CD or DVD that’s been created this way because it doesn’t have a file system. Instead, you have to use a program that understands the raw data. To read a CD that you’ve created with raw tar data, use tar:
# tar -xzvf /dev/cdrom
This isn’t too difficult, and you’ve skipped all the intermediate disc image files, too.
Don’t forget that you can use the Nautilus browser with the burn:// protocol to make CDs. Check out Technique 1 for all the details!
Technique 57: Search and Destroy setuid and setgid Programs
Save Time By
Understanding the true powers of a user’s identity
Using kfind to identify the setuid programs on your system
Carefully choosing which setuid bits to disable
There are valid reasons for having setuid and setgid programs on your system. Programs that allow other users to log in to your system are often setuid or setgid programs, and they have the power to grant elevated privileges to otherwise unprivileged users.
Hackers are always looking for security loopholes that allow them to exploit even the slightest of vulnerabilities. Fortunately, popular programs like ssh are pretty tight, but other programs might not be so trustworthy. Security is ssh’s business — simple user applications that allow access to your system through a server might not be so careful to prevent program breakouts through a shell escape.
Keeping a vigilant eye on programs with setuid and setgid privileges is the quickest way to protect yourself from an intruder posing as an innocuous user. Closing the back door to hackers that would exploit that security lapse can save you a lot of time repairing damage to the system caused by an intruder. In this technique, we introduce you to setuid and setgid, and show you how to add another line of security to your system that will stop intruders in their tracks.
Exploring How setuid and setgid Can Be Dangerous
Every user in a Linux system has a unique numeric user ID (called a UID). Every group has a unique numeric group ID (called a GID). If you log in twice (from two different workstations or from a remote computer), you still have the same UID. The UID is associated with the user, not with the login session.
Each time you run a program, Linux creates a new process for the program to run within. If you run two Solitaire games at the same time, you have two processes (but only one program). Each process has four attributes that determine what that process is allowed to do: a real UID, an effective UID (EUID), a real GID, and an effective GID (EGID).
When Linux creates a process on your behalf, the effective and real UIDs are set to your user ID. The effective and real GIDs are set to your primary group ID (you can belong to many groups, but at any one time, you have a single primary group ID).
The effective UID and effective GID are used to determine whether the process can access a given file. When you try to access a file, Linux classifies your effective user ID (and group) into one of three categories:
File Owner: If the effective user ID of the process matches the numeric UID of the file, you’re the file’s owner.
Group Member: If the effective GID of the process matches the numeric GID of the file, you’re a member of the file’s group.
Other: Your process is classified as an “other” if the effective UID doesn’t match and the effective GID doesn’t match.
After your identity has been classified, Linux checks the file permissions assigned to your category to be sure you have the privileges required to access that file.
When you run a program that has the setuid bit turned on, the effective user ID of the process is changed from your UID to the file’s UID. In other words, if you’re logged in as user freddie and you run a normal (non-setuid) program, the effective and real UID of the process is freddie. If freddie runs a setuid program (owned by, say, user franklin), the effective UID of the process is changed from freddie to franklin (the real user ID remains freddie). Just by running a setuid program, freddie gains the privileges and permissions assigned to user franklin.
That isn’t a problem if franklin has limited privileges, but what if freddie runs a setuid program owned by root? The system would be at freddie’s mercy if he could start a terminal window from the program he’s running.
Anyone who runs a setuid program owned by root is automatically granted superuser privileges.
Remember, the superuser can
Kill off any process
Override file privileges
Grant program privileges
Lock users out
Change file ownerships
You can see from the list of privileges why you would want to limit the number of setuid and setgid programs on your system!
When you turn on the setuid and/or setgid bits for a program, the file’s owner and group IDs are very important. That’s because the privileges assigned to the owner (or group) are now assigned to anyone who runs the program. If you run a setuid program that’s owned by user root, you become the superuser while that program is running. Any processes spawned by the program run with superuser privileges, too. Imagine what would happen if you turned on the setuid bit for the bash shell (which is typically owned by user root) — anyone who ran the shell would suddenly become a superuser. Nasty business.
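The identity rules described above, modelled as an added example that is not code from the book: given a user's real IDs and a program file, it computes the effective IDs the process would get and which permission class (owner, group, other) those IDs fall into for a target file. The function names are hypothetical, the demo files are constructed, the current user stands in for franklin, and freddie is a made-up UID/GID; like the text, the model leaves out supplementary groups and the superuser's permission override.

```shell
#!/bin/sh
# Added example (not from the book): a model of the identity rules above.
# Simplified like the text: supplementary groups and the superuser's
# permission override are not modelled.

# file_ids FILE -> "UID GID" (numeric owner and group of FILE)
file_ids() {
    ls -ldn -- "$1" | awk '{print $3, $4}'
}

# effective_ids REAL_UID REAL_GID PROGRAM -> "EUID EGID"
# The IDs a process gets when a user with those real IDs runs PROGRAM.
effective_ids() {
    ids=$(file_ids "$3")
    euid=$1
    egid=$2
    if [ -u "$3" ]; then euid=${ids% *}; fi   # setuid: EUID = file's owner
    if [ -g "$3" ]; then egid=${ids#* }; fi   # setgid: EGID = file's group
    echo "$euid $egid"
}

# access_class EUID EGID FILE -> owner | group | other
access_class() {
    ids=$(file_ids "$3")
    if [ "$1" = "${ids% *}" ]; then
        echo owner
    elif [ "$2" = "${ids#* }" ]; then
        echo group
    else
        echo other
    fi
}

# may_read EUID EGID FILE: succeeds if that class's permission bits grant read
may_read() {
    mode=$(ls -ldn -- "$3" | cut -c2-10)      # e.g. rw-r-----
    case $(access_class "$1" "$2" "$3") in
        owner) bit=$(printf '%s' "$mode" | cut -c1) ;;
        group) bit=$(printf '%s' "$mode" | cut -c4) ;;
        *)     bit=$(printf '%s' "$mode" | cut -c7) ;;
    esac
    [ "$bit" = r ]
}

# Demo on constructed files. The current user plays "franklin";
# "freddie" is a hypothetical user with a different UID and GID.
demo() {
    d=$(mktemp -d)
    printf 'franklin only\n' > "$d/private"; chmod 600 "$d/private"
    : > "$d/tool"
    ids=$(file_ids "$d/tool")
    freddie_uid=$(( ${ids% *} + 1 ))
    freddie_gid=$(( ${ids#* } + 1 ))
    for m in 755 4755; do                     # without, then with, setuid
        chmod "$m" "$d/tool"
        set -- $(effective_ids "$freddie_uid" "$freddie_gid" "$d/tool")
        if may_read "$1" "$2" "$d/private"; then
            verdict="can read"
        else
            verdict="cannot read"
        fi
        class=$(access_class "$1" "$2" "$d/private")
        echo "tool mode $m: EUID=$1 EGID=$2 class=$class -> $verdict private"
    done
    rm -rf "$d"
}
demo
```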