Games

218 Part II Working with Debian

X Window

The X Window System, or X, is the normal graphical environment for most applications using graphical display. This environment consumes a majority of resources to manage the desktop environment, leaving less for the game itself. Game performance may suffer as a result.

The Super VGA Library

The Super VGA library interface (SVGALIB) for Linux enables games to run in their own environment. It controls both the graphics and mouse for the game application. This enables the game to run faster than in the X environment. Some games include the SVGA package, or it can be installed separately with the svgalibg1 Debian package.

Tip If you find that you don’t have mouse control when using SVGA, edit the /etc/ vga/libvga.conf file. This configures the mouse control for the SVGALIB interface.

Currently, support for this interface is lagging behind other technologies. Eventually, it may be replaced altogether by one of the newer technologies such as GGI. You can find out more about this interface at www.svgalib.org.

General Graphics Interface

The General Graphics Interface (GGI) provides an alternative to the older versions of the graphical interface — X and SVGALIB. It can actually run under the other interfaces and still provide the higher graphic performance. You can find out more about GGI at www.ggi-project.org.

You can install the libggi2 package from the CD, but be aware that this package was made from a beta snapshot. If you are serious about using GGI, get the current version from their Web site.

One specific area where graphics has a large following is in the gamming arena.

Note There is a GGI X server specially designed to take advantage of the performance that makes GGI enticing. This too comes as a Debian package. Look for the xserver-ggi package on the Debian archive.

Sound system requirements

What is a good graphical game without the sounds to go with it? For some games, such as the legendary Doom, the sound gives you hints for the games, such as where the next monster will come from. More recent examples of games providing sound along with the game would be Quake, Quake II, or Quake Arena.

Chapter 11 Games 219

As with graphic technology, sound systems are driven by the gaming industry, though to a lesser degree. Most games work with the Open Sound System (OSS), a set of drivers incorporated into the Linux kernel. A commercial version of the OSS drivers can be found at www.opensound.com. If you check the list of cards that are compatible with their drivers, you’ll see that most are supported by Linux. For more specific information about sound in Linux, go to Chapter 10.

Other system demands

As games grow in complexity, so do the demands on your system. More intricate, detailed games take up more space on the hard drive and demand more memory to run. These demands encourage gamers to upgrade to new hardware, if not entirely new systems.

Because of the way in which Linux manages its resources, Linux games usually can operate with far fewer resources than some other operating systems. Moreover, the game hardware demands have not reached the levels you might see for other operating systems such as Windows. As more games are ported to the Linux platform from the Windows platform, you might start noticing the minimum systems requirements rising as well.

Playing Debian-Packaged Games

220 Part II Working with Debian

Adventure games

Adventure games existed long before graphical games. Most of these were in the form of a textual adventure. A textual adventure works by describing the environment, objects, and possible directions you can go. For instance, the game Adventure starts with the following description of your location:

You are standing at the end of a road before a small brick building. Around you is a forest. A small stream flows out of the building and down a gully.

You then respond with the text of what action you would like to take:

goto building

The game then responds with:

You are inside a building, a well house for a large spring. There are some keys on the ground here.

There is a shiny brass lamp nearby.

There is food here.

There is a bottle of water here.

You can then pick up an object, each of which provides help in completing the adventure. These textual adventure games respond to a number of text commands. Table 11-1 contains many of the adventure games packaged for Debian.

Chapter 11 Games 221

Arcade games

Many of the games that some of us grew up with in the arcade are now available for Linux, such as Space Invaders Galaga and Digger. These types of games generally consist of a 2-D graphical display, and are controlled by either the keyboard or the mouse. Table 11-2 describes some of the games packaged for Debian.

Continued

222 Part II Working with Debian

A few of these arcade games are similar to some of the Windows arcade games, such as Minesweeper. Try a few out and see which ones you like.

Board games

In spite of today’s sophisticated software, nothing can replace a classic board game like backgammon or chess. Many of the classic board games are available for Linux. Table 11-3 describes some of the board games packaged for Debian.

Chapter 11 Games 223

If you like the classic board games, something in this list will surely appeal to you.

Card games

If you enjoy card games, a slew of them are available for Linux. Some are text-based, while others are graphical. Whether you want to brush up on the rules for a game or improve your skill, these card games can be a nice diversion for a few minutes before returning to work. Table 11-4 describes some of the card games packaged for Debian.

224 Part II Working with Debian

The most popular card game is Klondike solitaire. Playing solitaire with a deck of cards just doesn’t seem as much fun after you’ve played it on a computer.

Simulation games

The simulation games are a little different from the classic, arcade, or card games. These games let you control various environments, such as the growth of a city (see LinCity) or the control tower of a busy airport (see Air Traffic Controller). Table 11-5 describes some of the simulation games packaged for Debian.

LinCity

LinCity is a popular simulation game. It is similar to SimCity. Once installed, you can start this game from the menu or from the command line (with /usr/games/ xlincity). Either way, you end up with a screen interface that looks like the one shown in Figure 11-1.

When you start LinCity for the first time, it asks you to create a directory to save your games. You can then read up on how to play the game. You develop your city by adding roads, markets, ore mines, communes, and so on. These elements help the city grow. Following are some tips for playing the game:

Right-click a button to read a description about it before selecting it.

Use the Tips button on the left sidebar to create an area for trash.

Food is important to the community. If you run out of food, people will either move out of the community or die. Have farms create the food or import it.

Mills can create food, but the people running the mills also consume a lot of it.

Chapter 11 Games 225

Figure 11-1: With LinCity, you can develop a virtual community.

Strategy games

If you need a real challenge, play a game of chess against the computer; and not on a single-layer board, but on a three-tiered board, as in 3-D chess. Other strategy games let you build a civilization or battle it out in space. Table 11-6 describes some of the strategy games packaged for Debian.

226 Part II Working with Debian

Xlaby

If you like maze puzzles, then you’ll like this fun little game. When you start this game from the Debian menu, a maze appears with your mouse “caught” in the maze. The cursor cannot cross the line of the maze, so you can’t cheat. You must follow the maze to reach the colored dots in a particular order. When you get to the first dot that disappears, go on to the next dot that disappears. After you reach the last dot, the maze is completed and you can use it again.

Chapter 11 Games 227

FreeCiv

In this popular game, you develop a civilization with the goal of conquering the world. FreeCiv is a client/server game, although you can play in the single-player mode. The client comes in two versions: Gtk and Xaw3d. Both client versions work in the X environment, but if I had to choose between them, I’d go with the Gtk version because of the interface. Figure 11-2 shows a game in progress using the Gtk client version.

Figure 11-2: Viewing the resource associated with a community in FreeCiv

Once installed, the first step in playing FreeCiv is starting the server. The server appears in a text terminal. As people join the games, their names show up on the terminal and in each client’s text box. Once everyone has joined the server, type start in the server console for the game to begin.

From the client console, the flashing character indicates which player is ready for instructions to move, build, or attack. Clicking on a city shows what the city is producing and lets you control what gets built in the queue.

Quake

This is one of the most popular first-person shooter games of all time. Two forms of this game are included among the Debian packages. One can be played as a single

228 Part II Working with Debian

player fighting monsters. The other is the Quakeworld server with clients. The server gets used when playing against multiple people in Quakeworld. Once installed, both versions can be found in /usr/games — with the first listed starting with quake, and the second listed starting with qw.

Note There are external configuration files for the quake, quakeworld, server and quakeworld client applications. If these files do not exist, the default settings apply. In order for the game to actually work, you need a commercial CD for the data files.

Running the server for a multi-player session, first start the server (/etc/games/ qw-server) from a separate virtual terminal, and then run the quakeworld client for the video driver you wish to use — 3dfx, ggi, or svga. When the screen opens for the client, press the keyboard button with the tilde (~) on it to enter the command shell for Quake. Type connect hostname at the console, where hostname is either localhost on the same machine as the server, the host name, or the IP address for the server. Pressing the tilde key again closes the command console. You should now be connected and able to play Quake in a multi-player session. Both versions only come with the first level, which is the shareware version. You can find more information about this game and other versions at www.linuxgames.com/quake.

GNOME games

Most, if not all, of the games listed in Table 11-8 are also included among the Debian packaged games. These games are both graphical and easy to control. When installed, they show up in main GNOME menu under Games. As with the other games, these are installed in /usr/games by default, and can alternatively be launched from the command line.

Chapter 11 Games 229

The special thing about GNOME games is that they all work well with the GNOME desktop environment specifically as opposed to KDE games. In addition, these games will show up in the GNOME games menu.

Playing Commercial Games

Most of the popular computer games you find in a game store are produced by independent software companies for the Windows platform. Some of these games are now being ported to the Linux platform by Loki Games (www.lokigames.com). Table 11-9 lists and describes these games.

Because of the commercial effort behind them and their popularity among the Windows gamers, these games are beginning to find their way into the Linux world. Now you can use the Linux platform, with all its stability, to play these high-quality games.

Even though you can find a number of excellent and quality games among the Debian package archives and for Linux in general, the commercial games tend to generate a larger following. In my opinion, the larger following of the commercial games is due to the quality of the graphics and the entertainment factor of the game. Many of the free open source games have a tremendous entertainment value; however, the interface may not have the same polished quality that the commercial competitor maintains.

230 Part II Working with Debian

Most of these games can be /played with other gamers over a network or on the Internet. This aspect of allowing multiple people to play in the games only adds to their appeal. With commercial versions of these games now available, you can play the same games against and with people using Windows.

Chapter 11 Games 231

Highlighted in the following sections are two of the more popular commercial games, including the system requirements necessary to play them. This will give you an idea of two very different commercial games. SimCity 3000 lets you act as a city planner, managing the city’s resources as it grows. The other game is a fast action shoot’em up type of game. Both let you play with other people over the Internet.

SimCity 3000 Unlimited

SimCity 3000 is a simulator game in which you manage the development of a city as it grows. You have to be concerned with utilities such as power, water, and trash disposal. In addition to the infrastructure of the city, including roads, highways, subways and railways, you must also manage the economics by balancing residential, commercial, and industrial zoning.

In order to run the game successfully, you need to meet the following system requirements:

Linux Kernel — 2.2.x and glibc-2.1 (both come with Debian 2.2)

Processor — Pentium 233 MHz or faster (300 MHz Pentium II processor recommended)

Video — 4MB graphics card, XFree86 3.3.5 or higher, and 16-bit color depth

CD-ROM — 8x CD-ROM drive (600 KB/s sustained transfer rate)

RAM — 32MB required; 64MB recommended

Sound — 16-bit sound card and OSS-compatible (it works without sound, but isn’t as much fun)

Hard disk — 230MB free hard disk space plus space for saved games

The game comes compiled because the source code is not public. Follow the instructions that accompany the game to get it installed on your system and running. Figure 11-3 shows the game in action. The level of detail in the graphics can be adjusted to show animation. The right side enables control for adding zones, roads, utilities, and such.

232 Part II Working with Debian

Figure 11-3: Watching the neighborhood develop in SimCity 3000

If you want to try the game before purchasing it, you can download a demo version from the Web site at www.lokigames.com/products/sc3k.

Unreal Tournament

If unbelievable action combined with team play is what you have in mind, you need Unreal Tournament. This is one of the fastest action shoot-em-up games around. Enter rooms, pick up weapons, and blast anything that moves (except for teammates).

You’ll need to meet the following minimum requirements in order to get the most out of the game:

Linux Kernel — 2.2.x and glibc-2.1

Processor — Pentium II with 3-D accelerator card

Video — Video card capable of 640×480 resolution, XFree86 version 3.3.5 or newer at 16-bit color

RAM — 64MB required; 128MB recommended

Sound — OSS-compatible sound card

Hard disk — Minimum 550MB free space

Chapter 11 Games 233

All the software requirements are met with Debian 2.2, so the only thing you need to worry about is your hardware. Follow the instructions that come with the software for installing the game and running it. Once you have it installed and running, the fun begins. Being a multi-player game, you can play online or via a network.

This game can be controlled by keyboard, keyboard and mouse, or joystick.

Summary

Everyone likes to have fun. Although Linux is tough enough to be used as a robust server, it can also be used for entertainment. Some of that entertainment can blow your socks off with its high-powered graphics.

If none of the games described in this chapter really appeal to you, you might check out some of the public software sites:

Linux Games (www.linuxgames.com) — The site includes game news, howto’s, and all types of games.

Download.com (www.download.com) — A public site for all platforms, including Linux. Contains more than just games.

Tucows (www.tucows.com) — A general repository for publicly available programs, including games.

238 Part III Administering Linux

Starting and shutting down (Chapter 3)

This is not a task you want available to just anyone who has an account on the system. For an individual machine or a single user, it can be more convenient. However, when you have processes and services that are expected to be running, limiting this responsibility is mandatory.

User accounts (this chapter)

Creating accounts is another privileged activity. Many systems have special policies for the accounts; therefore, they need an administrator to dole them out appropriately. The wrong privileges in the right hands can turn into a hacker’s paradise, thus spelling disaster for the administrator or even for the system.

Security (Chapter 19)

The most secure system is one that only one person uses. That isn’t practical, so limiting the numbers of accounts that have access to the more powerful functions is the next best solution.

Monitoring the system resources (this chapter)

The system requires constant monitoring. Oftentimes, you can do this through scripts or programs, but occasions arise when someone must intervene. Disks fill with data, programs run away chewing up processor time, and properly running systems get overworked by overloaded use. It’s the administrator’s job to keep it all running.

Automating tasks (Chapter 14)

This is a crucial duty. It involves creating scripts and programs to take over the mundane tasks in an effort to produce more reliability, repeatability, and regularity. These tasks can range from backing up files to searching through log files for anomalies — turning hours of work entering multiple commands and reviewing the results into minutes of issuing only a few simple commands that produce only the results you preprogrammed.

System configuration (Chapters 5, 6, 9, 19, 23, 24, and 25)

Most all of the aspects of the daemons — such as printing, networking, e-mail, and so on — need some configuration for their environment and purpose. Most of these applications require special account privileges to run like those that come with root. These configuration files range in complexity from a simple test file with a dozen lines of information to text files that contain hundreds of lines.

Filesystems and disk drives (Chapter 3)

The filesystem and, therefore, the disk drives are rudimentary to the whole operating system. Should something happen to the data on the drives, this can affect the performance (not to mention the function) of the system.

Someone must watch the disk drives to make sure there remains room for the data. Set up quotas for accounts to prevent one person from using all the available space.

Chapter 12 System Administration 239

Backups and restores (Chapter 18)

Nothing can take the place of a good backup when data is lost. Hundreds, thousands, and even millions of dollars have been saved because the administrator has faithfully backed up the valuable data. This duty, which can be automated fully, must be a priority for any administrator.

Printing services (Chapter 17)

Any printing services that come through the network fall on the administrator’s shoulders — from setting up the print spooling queues to configuring the printers to even changing the toner cartridges in the printers. I also have seen administrators taking charge of ordering, storing, and replenishing printer paper.

Network management (Chapter 5)

When one or more computers are connected to communicate with one another, you have a network. Someone must monitor that network to keep it in peak performance. Included in this category are firewalls, routing, and Internet access. This is no small task for the administrator.

Mail/Web/and other services (Chapters 20, 21, 22, 23, 24, and 25)

Each machine may function as a server, providing such services as hosting Web pages, sending and receiving e-mail as a central post office, or acting as a repository for a database. The size, demand, and shear volume of usage determine the number of services on one machine. Again, the administrator must manage the load on the computers.

From this list, you can begin to get some idea of the scope of an administrator’s responsibilities. Yes, in an environment of hundreds of people working on workstations accessing servers of all types, the administrator’s job may be spread over a few people. However, when there is only one machine — yours — then these duties fall to you. You get to make all the decisions concerning your machine.

The System Administrator

and the Root Account

When you install Linux on your computer, you are forced to enter a password for the root account. All Linux systems have a root account, which has full rights to all services, functions, and controls. From that account, you can do anything you want — or don’t want. Along with this power comes the accompanying danger — of accidentally replacing a crucial configuration file, deleting needed files, misconfig-

uring systems, and so on. You can see that giving everyone the root password is not the best thing to do for the system. Because of this power, root access should always be limited to the local machine console.

240 Part III Administering Linux

Using the su command

As the administrator, working along as a normal user of a system, you need the same privileges as root from time to time. One approach is to log out from the normal account, and then log back in as the root account. This takes time and disturbs any processes you may have running at the time. Or, you can change identities from the normal user into a superuser with the su command. This enables you to work along in your own account. When you need to perform a task at a higher level, you just issue the su command. This program still uses the root password and offers the same power as the root account, but there is no need to log out of your current terminal and then log back in as root.

Tip I strongly suggest that you get in the habit of using the full path of /bin/su for the superuser privileges. It prevents the implementation of any unauthorized versions of this program, which can compromise the security of the system. You can find more on security in Chapter 19.

You can use this application in several ways. Employing the command without any options logs the person in as the superuser (assuming they know the password). All attempts to use the su command are logged into the /var/log/auth.log file as are all other logon attempts. Here is the syntax for the su command:

su [OPTS] [-] [username [ARGS]]

The su command has more uses than just logging in as the superuser. Adding an account name to the end enables you to log in as that user. This finds its usefulness when a new account is added because you can employ the new name to verify that the account is working. Adding the hyphen (-) between the command and the username requests that the shell assigned to the account be used instead of the current shell.

Using the -c option enables you to temporarily log in as the other account, execute the indicated command, and then return to your original account. Suppose you are logged in as yourself — a regular, unprivileged user. You need to briefly check on the status of the network card in the computer. You can use the su command to log in as root long enough to execute the one command, or you can log in as another user to list the contents of his or her directories. Here are the two examples and the corresponding results:

RX packets:534 errors:0 dropped:0 overruns:0 frame:0 TX packets:534 errors:0 dropped:0 overruns:0

carrier:0

collisions:0 txqueuelen:0

$

Chapter 12 System Administration 241

and

$ su -c ‘ls -l /home/jo’ jo

Password:

docs pics newfiles programs

$

These examples show logging in as the other person long enough to execute the command and returning to the original account. Notice that the passwords don’t get echoed back to the screen. To better prove this, I use the whoami command to display the different account identifications:

$ whoami steve

$ su -c whoami

Password: root

$ su -c whoami jo

Password: jo

$ whoiami steve

$

You can see from this listing that each time the su command runs the whoami command to identify the user, it returns a different name based on who is logging in.

Using the sudo command

If you want some people to only have access to certain programs, then implement the sudo command. (It can be installed using apt-get install sudo.) Some of the administrative duties can be delegated to other privileged users. Give those people access to run only those programs necessary to perform their duties. The syntax looks like this:

sudo -V | -h | -L | -l | -v | -H | [-b] [-p prompt] [-u username/#uid] -s | <command>

This may look a little confusing, but once you set it up it’s really easy to use. Basically, sudo restricts only one command option at a time. Table 12-1 lists some of the available options.

242 Part III Administering Linux

You can find a complete list of the options through the online documentation. You must edit the configuration file, located in /etc/sudoers, using visudo. This file contains all the users and the respective applications, commands, and features that they are allowed to access.

Administering and Setting up Accounts

Accounts give users access to use the system, so everyone needs one. If you have a large company, this can take quite a bit of time monitoring, setting up new accounts, and removing old ones. On the other hand, just one machine can demand a little account management from time to time. The following sections cover what you need to know to administer accounts.

The passwd file

The passwd file contains all the account information — well most of it, but I’ll get to that in a minute. This file is referenced at the time of login; it verifies the account name, the account password, the home directory path, and the default shell for the account. It can also contain personal information about the account, such as the user’s full name, address, and other information for identification purposes by the administrator. Here is an example of the contents of the passwd file.

Chapter 12 System Administration 243

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

.

.

.

jake:x:1003:1003:jake,101,555-1234,555-4321,waterboy:/home/jake:/bin/bas

...and so on. Colons separate the information. To interpret a line, use this format:

Username:EncriptedPassword:UserIDnumber:GroupIDnumber:PersonalData,Comments, and/or Descriptions:DefaultAccountPath:DefaultShell

You can edit this file manually with your favorite text editor. When you do so, leave the password area blank and assign a password to the account after you finish editing the file. The command to set the password is passwd followed by the new account name.

Note Sometimes you may need to create an account for a process that no one will ever log into. That account belongs only to that process. To keep anyone from accessing the system, use /bin/false for the shell (instead of /bin/sh or /bin/bash). This prevents a shell from activating at log in, thus preventing a live connection by any person.

The purpose of shadow passwords

You may have noticed that the passwords do not appear in the password file. This is so that no one can simply view the passwd file and have access to everyone’s actual passwords. The passwords are actually kept in a separate file called shadow, with the password encrypted (assuming shadow passwords were enabled during the install process).

The group file

The /etc/group file contains group information. This information can apply to one user or many. Generally, each user account will belong to at least one group — often using the same name in the passwd and group files. Here is a sample of the group file contents:

root:x:0:

daemon:x:1:

bin:x:2:

sys:x:3:

adm:x:4:

tty:x:5:

disk:x:6:

Continued

244 Part III Administering Linux

.

.

.

users:x:100:user1,user2

jake:x:1003:jake

As with the passwd file, the pertinent information uses colons to separate the values. Here is the syntax of the lines:

GroupName:Password:GroupIDNumber:User1,User2,...

Yes, groups can have passwords, too. Use the -g option with the passwd command to set group passwords. When a person becomes a member of a group, he or she gains access to the group’s files along with his or her own files. Every account should belong to a group, even if the user accounts all belong to one group account.

Note The Debian distribution creates a separate group account for each user account created when using the adduser command. This helps to lock down the user’s file access. See Chapter 19 for more information about access security.

You can add someone to a group by adding his or her account name to the end of the group name line. Each name assigned to a group must be separated by a comma (,). Again, your favorite editor can edit this text file.

As the administrator, adding a group for each user account can result in management problems. However, lumping all users into one group can also have the same result. If you expect to maintain a large number of accounts, you might consider creating functional groups. For instance, all users working in the engineering department would belong to the engr group, while all users working in the sales department would belong to the sales group. Smaller environments with few users may not need to create such a group, but can follow the one-user-one-group system used with the adduser command.

Employing adduser to add a user account

You now know how to set up accounts the hard way. Let me introduce you to the easy method of adding users to a system. Debian comes with several handy utilities. The adduser tool is no exception. This command takes care of all the responsibilities when creating a new account. Here is the syntax:

adduser [options] user [group]

You can use this tool with just a user name. You can also add the options to modify some of the default information. This information comes from the /etc/adduser. conf file. You can modify the configuration file for your environment, especially if this system will host many accounts. You may find some settings to adjust for your environment. Let’s take a look at what happens when you add a user:

Chapter 12 System Administration 245

$ adduser john

Adding user john...

Adding new group john (1004).

Adding new user john (1004) with group john. Creating home directory /home/john.

Copying files from /etc/skel Enter new UNIX password: Retype new UNIX password:

passwd: password updated successfully Changing the user information for john

Enter the new value, or press return for the default Full Name []: john both

Room Number []: 403 Work Phone []: 555-1234 Home Phone []: 555-4321 Other []: 555-9867

Is the information correct? [y/n] y

$

This tool takes the user name and searches for the next available user ID to assign to the name. adduser takes the same name and uses it as a group name if you do not provide one. Then, it creates a home directory using the user name as the directory name. adduser then copies the essential files from the template directory and requests to set a password. Lastly, adduser requests reference information. This information is optional, but you can use it with other applications such as fingerd.

Note While adding a new user, you are asked for a password for the account. You then are asked to confirm the password by retyping it. If the passwords do not match, then all the files and directories that were created for the new account are removed.

The new user template — skel

To make life even easier when adding a user to the system, a template directory was created called /etc/skel. There may be special settings, startup applications, or customizations that need to reside in the template directory as the skeleton for each new account. The default skel files included with the Debian distribution are shown here:

246 Part III Administering Linux

You can make changes to these files, add new ones, or leave them as is. Be aware, however, that what resides in this directory is given to every new account set up with the adduser program.

Using userdel to remove a user

As employees come and go, oftentimes the hardest part of administering a system is keeping the accounts up to date. By that I mean removing “dead” accounts from people who have left or no longer need access to the system. To assist with the maintenance comes this nifty utility called userdel. This is the syntax for the userdel command:

userdel [-r] username

The -r option removes all traces of the account, including the user’s directory and mailbox. If you omit this option, the directory remains to be dealt with later. In addition, the user must be logged out of the system and all processes owned by the user must be killed before you can successfully remove the account. As a precaution, you may want to back up /home before completely removing the user’s account and directory. Better safe than sorry.

Restricting access to the root account

In some situations, such as when a machine works as a server, no one needs to access the machine by local or remote means except to make a few adjustments from time to time. In this case, you can limit access to the machine to only the root account. Adding a text file called nologin to the /etc directory allows only the root account to log in. If anyone tries to log in to the machine, the contents of the nologin file are displayed and the connection is closed.

One caveat to using this method is that you are now required to be at the machine to log in as root. For security reasons, root is not accepted as an account name through a Telnet session. Therefore, think carefully before implementing this level of restriction.

Setting File and Directory Permissions

Now that you have accounts set up, take a look at the access these accounts have and what this all means. Permissions essentially define who has access to what files

Chapter 12 System Administration 247

and directories. There are three levels of permission access modes for each file and directory on the filesystem: user level, group level, and other level.

User-level access gives permission to the account user for accessing files and directories. Users are defined in the /etc/passwd file. Group access allows all members of a group access to files and directories. Group members are defined in the /etc/group. Other access means anyone who can log onto that machine who does not currently belong in user or group categories will have access.

Access with chmod

At times, you may need to modify the degree to which a file or directory can be accessed. You accomplish this by changing the rights or permissions for a file or directory. Here is the syntax for the chmod command:

chmod [OPTION] MODE[,MODE] FILE...

To understand how to use this command, you need to have an understanding of the anatomy of the file information. When you list a directory to get a detailed view of the contents (as shown next), the beginning shows a cryptic series of letters and dashes. Take a closer look at the contents of Jo’s directory.

The first column contains the permission levels. In detail, reading the first line for the docs file, you have drwxr-sr-x. The d stands for directory and refers to the type of entry. The next three, rwx, refer to the user mode. From here, you can tell that the user can read (r), write (w), and execute (x) these files and directories. The second set of three characters (r-s) refers to the group’s mode, which has access to read (r), and no write access (indicated by the dash). All files created inside the directories inherit the directories’ group identity. The last set of three characters refers to the rights other users have to the files. Here, others can read (r), cannot write (w), and can execute (x). Table 12-2 lists some of the available options for the access modes.

248 Part III Administering Linux

Table 12-2

Identifiers, operators, and permissions modes

Identifier Description

uUser

gGroup

oOther (those not part of the user or group)

aAll (includes user, group, and other)

Operator Description

+Adds

-Removes

=Assigns

Mode Description

rReads

wWrites

xExecutes or accesses directories

sSets user or group ID upon execution

There are other modes, but they are not commonly used. These modes set absolute control for the files. You can also use plus (+), minus (-), and equal (=) signs to modify the different levels. To get an idea of how this works, change a couple of modes for a directory. You just saw the modes for Jo’s directory. Here is the current listing for the program directory:

To change the modes for the program directory, you can add the ability to write for the group and remove all rights for the world. Here is the command string to accomplish this:

$ chmod g+w,o-rx programs

$

This command string says that you want to add write capability to the group access and remove read and execute from the other access. This produces the following:

Chapter 12 System Administration 249

This looks relatively easy. When changing several things at once, as you just did, be sure not to add a space after the comma (which separates group changes from other changes). You can also make changes throughout an entire directory by using the recursive option (-R). Using the -R option immediately after the chmod command changes all files and directories below the specified directory to the same settings.

Changing user ownership with chown

From time to time, it is important to change the ownership of files and directories. If a file belongs to a certain individual and then gets transferred to another, the ownership of that file needs to change as well. This is the syntax for the chown command:

chown [OPTION] OWNER FILE...

To determine the ownership of a file, you can look at the long listing of a directory for the details. Here you can see that all the items listed belong to user jo. The specified user appears in the third column (in bold).

Suppose that Jo leaves the company and her coworker, Jane, takes over Jo’s responsibilities. You can transfer the ownership of all the files and directories to Jane. This is the command that you use as root or superuser:

$ chown -R jane *

The command string changes ownership recursively (indicated with the –R option) to Jane, thus affecting all contents of the current directory (indicated by the wildcard asterisk); however, the group remains assigned to Jo. This results in the following changes:

250 Part III Administering Linux

You can see that only the user identifier for the files and directories changes. Everything else stays the same. Again, as indicated by the example, the recursive option (-R) changes the contents of all affected directories.

Changing group membership with chgrp

Likewise with groups as with owners, the group association changes from time to time. Changing the group association affects which group members have access to which files and directories. If only one person belongs to a group, only one person is affected. If a group has several members, you need to apply the correct group association. Here is the syntax for the chgrp command:

chgrp [OPTION] OWNER FILE...

Looking back at the previous chown example, user Jo left the responsibilities of the files and directories to user Jane. Jane now has ownership of these, but Jo still has group ownership. To completely remove Jo from having any control of the files and directories, the group identifier must change as well. The fourth column of the following listing indicates the group membership. Change the group membership for these as well.

To transfer the group ownership from Jo to Jane, you issue the following command:

$ chgrp -R jane *

Again, you changed the group recursively (indicated with the –R option) to Jane through all files and directories. Getting a long listing of the current directory now, you see that the group has changed over to Jane.

Chapter 12 System Administration 251

The recursive option (-R) is very useful in situations where you change many files. This option is non-discriminating and affects all files in subdirectories where the conditions match. In situations where few files require changes, add the individual files to the end of the command string, with a space between each file.

Using Quotas for Accounts

A quota is a maximum limit setting for drive space. When only a few people are working on a system, drive space may not be a concern. As the number of users increases, so does the amount of “stuff” stored on the disk drive. Adding more drives is an option for the long term, but it is not always the better solution overall because more file creation, Web use, and mail use will continue to increase. Some individuals will utilize as much space as they have. Therefore, establishing quotas on the amount of allowable space for users of the system prevents the gluttony of disk storage.

Quotas can also prevent the accidental mishap of a runaway program as it continues to eat up more and more space on a drive. Limiting the amount of space for a user enables the other users on the system to continue to work while the unfortunate owner of the runaway program tries to recover from the accident.

Installing quotas

Installing quotas on a system involves only four steps: kernel configuration, program installation, quota configuration, and activation. The first is making sure that the kernel has quota support turned on. Generally, the Debian builds of the kernel include quotas by default; in the event they are omitted, you need to recompile the kernel with quota support enabled. Next, you need to install the application on the system by using the Debian packages (apt-get install quota). This is an easy process, so I don’t expect you will have any difficulties with this step.

Configuring the system to use quotas takes only a couple of seconds. Using a text editor, modify the /etc/fstab file to include either usrquota or grpquota in the options area for each filesystem you want monitored. These options are ignored when the filesystem is mounted anyway, so you don’t need to restart the filesystem. Here is an example of adding usrquota to the /etc/fstab file.

252 Part III Administering Linux

Lastly, activate disk quota monitoring by starting the daemon with the following command:

$ /etc/init.d/quota start

Now you have quotas monitoring the drive space of all users on your system. When users reach the limit of their quota, they are notified. If users are curious about their current status, they can issue the quota command to find this information.

Likewise, quotas can be stopped by issuing the following command:

$ /etc/init.d/quota stop

Using edquota

A little utility that comes with quota when you install it is edquota. This program sets and edits the limitations to each person’s account. This is the syntax for the command:

edquota [ -ug ] name..

The options u and g specify whether the quota values should apply the name as a user or as a group, because you can apply quotas to either. When you execute the edquota command for a user or group, an editor opens (vi by default unless you change the EDITOR environment variable) to create a temporary file that displays the current setting for the account, as shown here:

/dev/hdb1: blocks in use: 44, limits (soft = 1000, hard = 1500) inodes in use: 12, limits (soft = 500, hard = 550)

This shows that a user has a quota set on the hdb1 device setting both user and group limits. This user has a limitation on the number of blocks he or she can use. Each block consists of 1,024 bytes. The soft setting indicates when the user begins to be notified with warnings that he or she has reached the quota (giving this user around 1MB before warning start). The hard limitation (1.5MB in this example) is the absolute setting. Once reached, you cannot store any more data. At this time, the user must delete data or have the administrator increase the quota. To change these hard and soft limit settings, just edit the file directly at this time.

The second line indicates the number of inodes, or objects (such as files and directories), available to the user. Each inode is an object; therefore, every file, directory, and such counts against this setting. This limits the number of objects an account can create. You can change, add to, or set new quotas for other devices with these settings.

Chapter 12 System Administration 253

Once the user reaches the soft quota setting, he or she has a time limit to comply with the limit or it is treated as a hard limit. This is considered a grace period, which is seven days by default. You can change this time frame using edquota -t (similarly to changing user quotas).

Note When you use quotas to control the amount of drive space an individual consumes, set up the quota amount when you create the account. You can set it up by modifying the /etc/adduser.conf file. At the end of the configuration file is a line resembling QUOTAUSER=””. Add a value for the quota amount variable between the double quotes (“”) to enable setting up quotas when you create the accounts. By default, this is left empty.

Quota reporting

To be a good administrator, it’s important that you know what’s going on with the system. Therefore, checking on the status of your system quotas is crucial. There are two ways to get report information from the system. The first is by using the quota command.

quota [ -gv | q ] [name]

This command gives you instant information about anyone. By default, quota (when used without anything after it) shows the current user’s quota information. Alternatively, employing one of the options shown in Table 12-3 produces the same results.

Both users and administrators can employ this command. However, some of the features — such as checking on users’ account information — are only available to the administrator.

The second way to get information from the system is through the repquota command. This command provides a more thorough listing of all accounts. Administrators use this command to get complete accounting information. Here is the syntax for this command:

254 Part III Administering Linux

repquota [ -vug ] -a|filesystem...

The options listed in Table 12-4 explain the choices for the repquota command. These options give you the ability to report on combinations of filesystems, users, and groups.

The following example shows a report on all (-a) users on the root filesystem. A comprehensive report is generated. This particular report shows only one account with user quotas set for this filesystem. You can generate more individualized reports by using combinations of options.

$ repquota -a

Using this type of reporting can also help track suspicious activity — both from abusers among legitimate users and would-be hackers attempting to crack your system. One indication of potential abuse is when the limits for one user are set higher than all others. The user may have a legitimate use for all the space or not. At minimum, the discrepancy merits further investigation. (See Chapter 19 for more information about preventing hackers.)

Chapter 12 System Administration 255

Using System Monitoring Tools

One of the most important duties of the administrator is to monitor the system. This can be one of the most mundane of tasks; but when done properly, it reveals weaknesses with the system, areas where resources are running low, and areas where possible abuse has taken place. Monitoring the system becomes a skill over time as you become familiar with the system. Several aspects of the Linux system need monitoring. The first and foremost are the log files.

Monitoring system log files

Log files keep track of the system’s activities. Consider them bank transactions. Each time money enters or leaves an account at a bank, a record is made of the transaction. The same goes for the Linux system. Each time a process starts, a person logs in, e-mail gets sent, or any number of other activities, a transaction is written to a file recording the activity.

There are a couple of processes that take care of this record keeping. These processes run as daemons, monitoring the activity of other daemons while recording various activities to text files.

System logging with syslogd

The syslogd daemon collects log information from the applications and functions specified in the /etc/syslog.conf file that is read at startup. Included in this configuration file are reports on login information, mail, news, and so on. The type of information that is put in the log files includes time of the event, hostname, and program name.

Kernel logging with klogd

The klogd daemon records information from the kernel. These Linux kernel messages report on the kernel’s interaction with the hardware in the system — from the processor to the hard drives to the serial ports. All this information is placed in the

/var/log/kern.log file.

Both the syslogd and klogd daemons start with the system when you first initialize it. These daemons must start first to capture the information from the other applications as they start.

Watching the system with top

When you want to know what processes are consuming the most resources, turn to the top program to view a text display of this information. This program lists the top processes and shows a variety of information about them. Each process is listed on a separate line. The display lists the process ID, the user, the status, the percentage of CPU usage, the percentage of memory usage, and other information. The following shows an example of how the top program displays the information:

256 Part III Administering Linux

The header information (the first five lines) lists the current time, how long the system has been running, the number of users connected to the system, and statistics on the system CPU, memory, and swap memory. Quickly perusing this information can help you to evaluate the status of your system and locate any trouble spots. In this case, the information in the columns list in descending order the processes using the CPU. As only one process is using the %CPU, all other processes are listed according to their process ID (PID). top only shows the processes that can fit on the screen. Table 12-5 shows the available commands for top.

SToggles cumulative mode

iToggles display of idle processes

Chapter 12 System Administration 257

Command Description

cToggle display of command name/line

lToggles display of load average

mToggles display of memory information

tToggles display of summary information

kKills a task (with any signal)

NSorts by PID (numerically)

ASorts by age

PSorts by CPU usage

MSorts by resident memory usage

TSorts by time/cumulative time

UShows only a specific user

sSets the delay in seconds between updates

WWrites configuration file ~/.toprc

QQuits

Figure 12-1: You can graphically monitor your system resources with gtop.

258 Part III Administering Linux

Watching the system with gtop

If you are interested in viewing the system information of top, but in a graphical interface, use gtop. This interface enables you to view, at a glance, how your system is currently performing. You get graphical representations of the CPU usage, memory usage, and swap space usage. Furthermore, the Memory tab contains a graphical representation of the used memory, the proportion used by each process, and the corresponding name of each of the processes. Figure 12-1 shows the gtop application launched from a command line.

The only advantage of gtop is the point-and-click interface and menu features. top only uses keyboard interaction. gtop is more limited; for instance, you cannot kill a command from within gtop, whereas you can using top. These more advanced features have not yet been developed for gtop.

Disk monitoring

Another aspect of monitoring involves looking at the consumable space on the hard drives. The first Linux system I built used a 120MB hard drive. Granted not much was installed on it, but I was very concerned about the usable space on the drive.

Users are not the only ones that consume disk space. Quotas can help to control user consumption, but the system itself can eat up a drive if you do not take some care. To track down these problem areas on the disk, you have to use disk utilities to monitor them. A couple of common disk utilities are du and df. They provide the useful information on the disks and filesystem, respectively.

Displaying used space with du

The du utility displays the space currently used by a file or directory. Here is the syntax for the du command:

du [OPTION]... [FILE]...

By default, the results are displayed in units of 1,024 bytes. Therefore, by issuing the du command of your home directory, you should get something that looks like this:

Chapter 12 System Administration 259

Each directory is listed separately, but the accumulation shows up as a period (.), which represents the current directory. As you can see from the example, the pics directory contains nearly 5.5MB of data while the newfiles directory contains only 4KB of data.

You may be interested in some of the options, which help to make the results more readable. You can combine these options to get the results in the form you most prefer (see Table 12-6).

Checking used space on the filesystem with df

When a filesystem is spread across different drives or partitions, it is important that you monitor each filesystem to make sure that enough space remains for files to be written properly. When a filesystem reaches 100 percent capacity, you must create more room in order for more information to be written again. The df command shows the vital information you need to quickly check on the filesystem. Here is the syntax for the command:

df [OPTION]... [FILE]...

Here is an example of a system with its filesystem spread over several partitions of the same drive. This is not always necessary, but it illustrates how you can use the df command to get an immediate sense of a system’s capacity.

Continued

260 Part III Administering Linux

Table 12-7 lists some of the options for this command. Use these options to get a listing in the format that makes the most sense to you.

sync forces any blocks stored in cache to be written to the disk. Depending on the system, this can accumulate to a significant amount of stored data in cache. Some administrators invoke the sync command as a ritual step to assure that the disk cache gets flushed.

User monitoring

A third form of monitoring involves monitoring the users. This is not a Big-Brother approach, but rather a means of tracking who uses the system. Tracking users as they log in helps you track login information (who is using the system, when, and for how long). This information helps you to manage the resources.

Each time anyone logs into the system, an entry is made in the /var/log/wtmp file. This includes only those who are currently logged directly into the system from the console or through a remote connection.

The last command

The last command filters through the /var/log/wtmp file and prints all users who have logged into the machine since the file was created (which can be a long list). It also searches based on certain criteria such as user and tty number (the tty stands for teletype and refers to the virtual terminal connection someone is using). Here is the syntax for the last command:

Chapter 12 System Administration 261

last [option] [name...] [tty...]

If at some point you feel the need to keep a record of the wtmp file for later review, make a copy of the file. If wtmp gets moved or deleted, nothing will be logged. For this reason, it is best to make a copy of the file. Some of the options for the last command are found in Table 12-8.

Note /var/log/wtmp keeps a log of all successful login attempts, so what happens when a bad attempt is made? Adding a /var/log/btmp file to the system starts recording all failed login attempts to the system. It makes sure that the mode, user, and group match the wtmp file — which is usually read/write for user and group only, root as user, and utmp for group. You can then use the lastb command to view a report on the bad attempts to login to the system. This command works the same as the last command, only it defaults to the btmp file. If either file doesn’t exist, then the system makes no attempts to record any login information. Debian normally installs the wtmp file only.

When you reboot the system, a pseudo-user named reboot logs in. You can search on reboot to see all the times the system has been rebooted. The system logs remote hosts during log in, so it records the host IP address. Using the -d option prints a remote host as the hostname, while using the -i option displays the host as an IP address.

262 Part III Administering Linux

Tools from the acct package

The accounting package (acct) can help with monitoring users. When you install this package, three programs are included: ac, sa, and lastcomm. Table 12-9 explains these three tools.

The accounting application may not be useful for everyone, but it provides good information for your toolbelt in case the need arises. If you think you may need this information, it is better to install the package to begin tracking the information — even if you never use it.

Using who

The who command lists everyone presently logged on to a system. This command shows who is logged on, what time they logged on, and from where (local port or remote hostname). The syntax is:

who [OPTION][am i]

The -m option works the same as the am i argument at the end. These result in displaying who you are currently logged in as. This helps me after I log in as other accounts and forget whom I originally logged in as.

Another useful option shows the idle time. There are three choices that do the same thing: -i, -u, and --idle. The results show the time that use is idle. If a period (.) is displayed, the user has been active within the last minute. If “old” shows up instead of a time, then the user has been idle for more than 24 hours.

Chapter 12 System Administration 263

Using whowatch

When it comes to keeping track of individuals as they come and go on a system, having to use who all the time gets old. A handy little utility called whowatch runs in a terminal window (as seen in Figure 12-2). This program continuously updates itself to show any changes in the attached accounts.

Figure 12-2: You can dynamically monitor who logs in and out of your system with whowatch.

This program goes further than the who application. Using the arrow keys, you can select a specific user and view his or her process tree. You can essentially see what this user is doing. As an administrator, this can be very important as you monitor the system.

Automated monitoring

Manually typing in commands, perusing through the screens of data, and remembering to perform those routine tasks is mundane after a while. However, you still need to do those things. The question is, can any of these tasks be automated to make the poor administrator’s life easier? They certainly can be automated. Here I briefly touch on the subject of scripting, although I fully cover it in Chapter 13.

I was once told, “If you find yourself repeating a task over and over, then there has to be a shortcut to make doing the task faster.” This has haunted me ever since.

264 Part III Administering Linux

Whenever you find that you are repeatedly typing the same command strings, enter that sequence into a text file. You can then change the mode of the file to executable. This is how you go about creating an automated task. Let’s say that your daily task is to perform this command:

df -ah | grep -e [8-9][0-9]% -h

This command prints any filesystems that are in the range of 80 to 99 percent capacity. Now, type this line into a text file and name it dcheck. I use the chmod command to make the file executable for myself and my group by issuing this command line:

$ chmod u+x,g+x dcheck

$

which results in a listing of:

All you have to do now is execute the new command of dcheck to perform the same task you normally type manually. This saves time and prevents you from making typos in the command line. You can follow this procedure to start making your own commands customized for your own special needs.

Summary

Through the course of this chapter, you read about the basics of the administrator’s duties. I stress basic because there is more information and more to keep on top of all the time. Many of the commands listed in this chapter have more options than those highlighted; you can always look up additional ones yourself.

Of the duties, the most important are knowing how to set up and manage accounts; controlling permissions on accounts, groups and files; and monitoring the system resources. Also, keep guard of the superuser (root) account. Once the password for that account gets out, regaining security control is difficult.