Wednesday, June 25, 2008

Install OpenSUSE 11.0 on VirtualBox

I installed the OpenSUSE 11.0 I downloaded a few days ago into VirtualBox. The installation is still running, but so far there seem to be no real problems. One thing worth mentioning: the installer screens are really beautiful.

Once it is installed, I will give it a spin.

Friday, June 20, 2008

Study TCL

My boss recently asked me to look into TCL, so I have been playing with it for the past few days. My impression so far is that its syntax is almost too simple :p but basically I find it quite usable; combining it with expect to log in to other machines remotely and automate work that used to be manual and highly repetitive feels great.

What I find most inconvenient so far is saving execution results to a file: you have to open and close the file yourself, unlike BASH, where you just give it ">".

Next I am learning to combine it with curl to log in to web pages automatically and do things there. I have already managed to log in and retrieve the data I need, but I am not yet fluent with this and need more practice.

Monday, June 16, 2008

sudo without a password

This is really not a very good habit, but 帽客 (the author) is forever running sudo this and sudo that on Ubuntu, and when running scripts or commands the password prompt gets annoying after a while. So I just decided to let my own account run every command without entering a password. The method is very simple: add the following line to /etc/sudoers, no reboot required:

lawrence ALL=(ALL) NOPASSWD: ALL
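Added example, not code from the original post: the rule above grants every command without a password, which means any script or process running as that user is effectively root. The narrower alternative is to list only the commands that actually need to run unattended, and to let visudo check the rule before it is installed so a typo cannot lock you out of sudo. The user name, the command list and the /etc/sudoers.d drop-in directory (which needs sudo's `#includedir /etc/sudoers.d` line) are assumptions for this example.

```shell
#!/bin/sh
# Editor's example, not from the original post. Builds and validates a narrow
# NOPASSWD rule instead of "lawrence ALL=(ALL) NOPASSWD: ALL".

# render_sudoers_rule USER CMD...: print a rule granting USER passwordless root
# for the listed commands only. Commands must be absolute paths; a bare name
# like "ls" is rejected because it would match any "ls" found on PATH.
render_sudoers_rule() {
    user=$1; shift
    [ $# -gt 0 ] || { echo "render_sudoers_rule: no commands given" >&2; return 1; }
    list=""
    for cmd in "$@"; do
        case $cmd in
            /*) ;;
            *) echo "render_sudoers_rule: '$cmd' is not an absolute path" >&2; return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list"
}

# install_sudoers_rule USER CMD...: write the rule to /etc/sudoers.d/USER only
# if "visudo -cf" accepts it; /etc/sudoers.d is left untouched otherwise.
install_sudoers_rule() {
    user=$1; shift
    tmp=$(mktemp) || return 1
    render_sudoers_rule "$user" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -cf "$tmp" >/dev/null 2>&1; then
        install -m 0440 "$tmp" "/etc/sudoers.d/$user"; status=$?
    else
        echo "install_sudoers_rule: visudo rejected the rule" >&2; status=1
    fi
    rm -f "$tmp"
    return $status
}

# Example (assumed commands): allow lawrence to run only these two without a password.
#   install_sudoers_rule lawrence /usr/bin/apt-get /sbin/service
```

If the sudoers.d directory is not included on your system, paste the rendered line into `visudo` instead; the point is the same, a narrow command list checked by visudo rather than `ALL`.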

Thursday, June 12, 2008

Adding X fonts

A quick note on how to add X fonts under Linux:

1. Create the font files:
- Copy the font files you want to add into /opt/myfonts (any directory will do)
- Run mkfontscale; mkfontdir to generate the font summaries (this produces fonts.scale and fonts.dir)

2. Add the fonts to the X font path (without going through XFS)
- vi /etc/X11/xorg.conf
- Between Section "Files" and EndSection, add FontPath "/opt/myfonts"
(Order matters: when two directories contain a font with the same name, the first directory listed is used.)

3. Restart X, or run xset fp rehash to re-scan all font directories.

Note: to quickly check whether the fonts were added successfully, test with xfontsel.
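Added example by the editor, not code from the original post. It scripts the three steps above: copy the fonts and build fonts.scale/fonts.dir, add a FontPath entry to the Section "Files" block of xorg.conf (at the top or the bottom, since the post notes that the first matching directory wins), and rehash. The destination directory /opt/myfonts and a single Section "Files" block in xorg.conf are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# add_fontpath CONF DIR [first|last]: insert FontPath "DIR" into the Files
# section, at the top (highest priority) or the bottom. Idempotent: a directory
# that is already listed is not added twice.
add_fontpath() {
    conf=$1; dir=$2; pos=${3:-last}
    if grep -q "FontPath[[:space:]]*\"$dir\"" "$conf"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v dir="$dir" -v pos="$pos" '
        /^[[:space:]]*Section[[:space:]]+"Files"/ {
            infiles = 1; print
            if (pos == "first") printf "    FontPath \"%s\"\n", dir
            next
        }
        infiles && /^[[:space:]]*EndSection/ {
            if (pos == "last") printf "    FontPath \"%s\"\n", dir
            infiles = 0
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's mode
    status=$?
    rm -f "$tmp"
    return $status
}

# list_fontpaths CONF: print the FontPath directories in the order X searches them.
list_fontpaths() {
    sed -n 's/^[[:space:]]*FontPath[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# install_x_fonts SRCDIR [DESTDIR]: steps 1 to 3 of the post in one go.
install_x_fonts() {
    src=$1; dest=${2:-/opt/myfonts}
    mkdir -p "$dest" && cp "$src"/* "$dest"/ || return 1
    ( cd "$dest" && mkfontscale && mkfontdir ) || return 1   # writes fonts.scale, fonts.dir
    add_fontpath /etc/X11/xorg.conf "$dest" last || return 1
    xset fp rehash 2>/dev/null || true   # needs a running X session; otherwise restart X
}

# Example:  install_x_fonts ~/downloaded-fonts /opt/myfonts
```

Use `first` only when you deliberately want the new directory to shadow same-named fonts elsewhere; `last` (the default) keeps the distribution's fonts in front, which is the safer choice when you are not sure what the new files contain.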

Thursday, May 29, 2008

Recovering a forgotten SUSE Linux root password

For those using SUSE Linux: if you happen to forget the root password, you can take the following steps to recover.

1. Enter init=/bin/sh in the boot options.

2. If you try to change the password directly with passwd at this point, the system reports an error.

3. The reason is that / is still mounted read-only. Remount it read-write, run passwd again, and the root password can be changed successfully.

Tuesday, May 27, 2008

Bind view

With BIND's view feature we can make the DNS server tell people one story and ghosts another, that is, give different answers to different askers. How so? Say the company uses the same server for both Internet and Intranet name resolution, but I do not want machines on the Internet to be able to look up my internal hostnames. With views, the server looks at who is asking and responds accordingly.

An example of the overall structure of named.conf:

view "intranet" {
    match-clients { "192.168.1.0/24"; };
    zone "." IN {
        type hint;
        file "named.root";
    };

    zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };

    zone "localhost." IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa." IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };

    zone "255.in-addr.arpa." IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };

    zone "0.in-addr.arpa." IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };

    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};


view "internet" {
    match-clients { "!192.168.1.0/24"; };
    zone "." IN {
        type hint;
        file "named.root";
    };

    zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
    };

    zone "localhost." IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa." IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
    };

    zone "255.in-addr.arpa." IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
    };

    zone "0.in-addr.arpa." IN {
        type master;
        file "named.zero";
        allow-update { none; };
    };
};

include "/etc/rndc.key";

What it really comes down to is adding
view "internet" {
match-clients {"!192.168.1.0/24";};
};

view "intranet" {
match-clients {"192.168.1.0/24";};
};

and then configuring the relevant zones / zone files inside each of these two sections.
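Added example by the editor, not configuration from the original post. It renders the same two-view skeleton for a given internal network, with two settings the listing above does not show: the "internet" view has recursion switched off (with a root hint zone and recursion left at its default, that view would answer recursive queries for anyone on the Internet, i.e. an open resolver), and example.com is served from a different zone file per view, so external clients only ever see the public records. The zone file names and the internal network are assumptions; the rendered file is checked with named-checkconf when that tool is installed.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# render_split_views NET: print a named.conf fragment with an intranet view for
# NET (CIDR, e.g. 192.168.1.0/24) and an authoritative-only internet view.
render_split_views() {
    net=$1
    cat <<EOF
// Views are tried in order: the first view whose match-clients matches wins,
// so "any" in the second view only catches clients the first one did not.
view "intranet" {
    match-clients { $net; localhost; };
    recursion yes;
    zone "." IN { type hint; file "named.root"; };
    zone "example.com" IN {
        type master;
        file "example.com.internal.zone";   // internal hostnames
        allow-update { none; };
    };
};

view "internet" {
    match-clients { any; };
    recursion no;                           // authoritative only for outsiders
    allow-recursion { none; };
    zone "example.com" IN {
        type master;
        file "example.com.public.zone";     // public records only
        allow-update { none; };
    };
};
EOF
}

# write_and_check_views OUT NET: write the fragment and, if named-checkconf is
# available, let it parse the result before it goes anywhere near /etc/named.conf.
write_and_check_views() {
    out=$1; net=$2
    render_split_views "$net" > "$out" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    fi
}

# Example:  write_and_check_views /tmp/views.conf 192.168.1.0/24
```

To confirm the split from each side, query the server once from an internal address and once from an external one (`dig @server example.com`); the internal answer should list the internal hosts and the external answer only the public zone's records, and an external recursive query for an unrelated name should be refused.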

Monday, May 26, 2008

Check user mailbox

When testing whether an end user has received a message, I always used to switch to that user and run mail to look. Today I found two ways that avoid the hassle of switching to the user:

[root@vir1 ~]# mail -u lawrence
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/lawrence": 2 messages 1 new
1 MAILER-DAEMON@vir1.e Mon May 26 13:42 13/552 "DON'T DELETE THIS MES"
>N 2 root@vir1.example.co Mon May 26 17:35 20/714 "test1"
&
Message 2:
From root@vir1.example.com Mon May 26 17:35:49 2008
X-Original-To: qa@vir1.example.com
Delivered-To: qa@vir1.example.com
Date: Mon, 26 May 2008 17:35:48 +0800
From: root
To: qa@vir1.example.com
Subject: test1

CentOS release 5 (Final)
Kernel \r on an \m

or

[root@vir1 ~]# mail -f /var/spool/mail/lawrence
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/lawrence": 2 messages 1 new
1 MAILER-DAEMON@vir1.e Mon May 26 13:42 13/552 "DON'T DELETE THIS MES"
>N 2 root@vir1.example.co Mon May 26 17:35 20/714 "test1"
&
Message 2:
From root@vir1.example.com Mon May 26 17:35:49 2008
X-Original-To: qa@vir1.example.com
Delivered-To: qa@vir1.example.com
Date: Mon, 26 May 2008 17:35:48 +0800
From: root
To: qa@vir1.example.com
Subject: test1

CentOS release 5 (Final)
Kernel \r on an \m

Wednesday, May 21, 2008

SSH Server allow authorized_keys only

At home 帽客 currently has two Linux machines and an iBook: one runs CentOS 5.1 as a file server, while the iBook and the HP notebook run Mac OS X 10.4 and Ubuntu 7.10 respectively and push data to the file server with rsync. Since all of them use keys for ssh authentication, I wanted to turn off password authentication altogether, which the following steps accomplished:

#vi /etc/ssh/sshd_config
-> UsePAM no
-> PasswordAuthentication no
#service sshd restart
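Added example by the editor, not code from the original post. It applies the two settings above idempotently (replacing commented-out defaults rather than appending duplicates), adds ChallengeResponseAuthentication no as the usual companion so no keyboard-interactive password prompt remains, and runs `sshd -t` before restarting so a broken config cannot take the daemon down. Keep your current session open and confirm a key-based login works from a second terminal before closing it. The config path and the absence of Match blocks are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# set_sshd_option FILE KEY VALUE: replace every "KEY ..." or "#KEY ..." line
# with "KEY VALUE" (keywords are case-insensitive, as in sshd), or append it
# if no such line exists.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# get_sshd_option FILE KEY: print the effective value, i.e. the first
# uncommented occurrence, which is the one sshd honours.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# disable_password_logins [FILE]: the post's two settings plus
# ChallengeResponseAuthentication no.
disable_password_logins() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PasswordAuthentication no &&
    set_sshd_option "$file" ChallengeResponseAuthentication no &&
    set_sshd_option "$file" UsePAM no
}

# apply_sshd_config [FILE]: restart only if the config parses.
apply_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    sshd -t -f "$file" && service sshd restart
}

# Example (as root):
#   disable_password_logins && apply_sshd_config
```

Before applying this, make sure every client's public key is already in the server's authorized_keys; once PasswordAuthentication is off there is no fallback except console access.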

Thursday, May 15, 2008

Fedora 9 available to download

I was abroad for a while, so this is being posted to the blog a few days late. I am somewhat tempted to switch back from Ubuntu to Fedora, mainly because after I upgraded the system over the network, Ubuntu 8.04 ran very poorly on my HP notebook: the 3D desktop kept stuttering, and there were other problems too, such as rmvb playback being so choppy it was unwatchable. I had no choice but to restore 7.10 with partimage (lucky I made a backup before upgrading). Since I have a backup anyway, I might as well install Fedora 9 and see; honestly, Fedora/SUSE still feel more natural to me :)

Of course Ubuntu is still great! It is the Linux distribution I currently find the most approachable.

Thursday, April 24, 2008

Tcpreplay

Tcpreplay is a great tool for anyone doing network equipment R&D. It replays packet capture files in libpcap format, which helps with debugging and regression testing, and whether the device under test is in in-line mode or routing mode it can pass the packets through the device. Besides replay, tcprewrite can modify packet contents. How could you miss such a powerful tool?

Tcpreplay website: http://tcpreplay.synfin.net/trac/

Thursday, April 17, 2008

Virtual machine software roundup

Today I came across a forum thread that organizes and introduces the virtualization software from each vendor. Excellent, and worth bookmarking.

Welcome : Links to get started with Virtualization

Tuesday, April 15, 2008

Partition Magic for Linux: GParted

I tested growing and shrinking ext3 partitions and had no problems; as for FAT and NTFS, sorry, I rarely use Windows so I did not verify them.

GParted official site:
http://gparted.sourceforge.net/

Ubuntu Wiki tutorial on GParted:
http://wiki.ubuntu.org.tw/index.php/GParted

GParted Live-CD:
http://gparted-livecd.tuxfamily.org/

Saturday, April 12, 2008

Pinning a specified DNS server

When 帽客 uses Linux and sets the NIC to obtain an IP from a DHCP server, the DNS server I specified myself often gets overwritten by the DNS server address handed out by DHCP. Reading Cd Chen's book recently, I found the parameter PEERDNS: set PEERDNS=no in the NIC configuration file and the nameserver entries in /etc/resolv.conf are no longer overwritten.

Friday, April 11, 2008

Apache stress test tool

Today I found a stress/performance testing tool for the Apache Web Server; a quick note here:
Tool: ApacheBench
Function: issues connection requests to a given web server, and lets you set how many requests are made at the same time
Usage: # ab -n N -c N http://server1.example.com/index.html
-c concurrency
Number of multiple requests to perform at a time. Default is one request at a time.
-n requests
Number of requests to perform for the benchmarking session. The default is to just perform
a single request, which usually leads to non-representative benchmarking results.

Execution result:
[root@server2 ~]# ab -n 100 -c 100 https://10.5.40.195/script/login.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking 10.5.40.195 (be patient).....done


Server Software: Apache
Server Hostname: 10.5.40.195
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,DHE-RSA-AES256-SHA,1024,256

Document Path: /script/login.php
Document Length: 5953 bytes

Concurrency Level: 100
Time taken for tests: 14.492808 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Total transferred: 635400 bytes
HTML transferred: 595300 bytes
Requests per second: 6.90 [#/sec] (mean)
Time per request: 14492.808 [ms] (mean)
Time per request: 144.928 [ms] (mean, across all concurrent requests)
Transfer rate: 42.78 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 680 5075 3167.2 4795 14099
Processing: 114 959 1238.7 540 6085
Waiting: 112 913 1240.5 506 6082
Total: 896 6035 3844.3 5503 14470

Percentage of the requests served within a certain time (ms)
50% 5503
66% 6735
75% 7557
80% 8250
90% 14178
95% 14334
98% 14444
99% 14470
100% 14470 (longest request)
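Added example by the editor, not code from the original post. A run like the one above is only useful if someone reads it, so this turns an ab report into a pass/fail gate: it pulls out the failed-request count, the requests-per-second figure and the 95th-percentile service time, and fails when any request failed or when throughput or latency is outside the limits you pass in. The thresholds and the sample report in the test are constructed.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# ab_metric NAME: read an ab report on stdin and print the first number after
# "NAME:" (for example "Failed requests" or "Requests per second").
ab_metric() {
    awk -v name="$1" -F: 'index($0, name ":") == 1 { split($2, f, " "); print f[1]; exit }'
}

# ab_percentile N: print the time (ms) within which N% of requests were served,
# taken from the "Percentage of the requests served ..." table.
ab_percentile() {
    awk -v pct="$1%" '$1 == pct { print $2; exit }'
}

# ab_gate MIN_RPS MAX_P95_MS: read an ab report on stdin; exit 0 only when no
# request failed, throughput is at least MIN_RPS and p95 is at most MAX_P95_MS.
ab_gate() {
    report=$(cat)
    failed=$(printf '%s\n' "$report" | ab_metric "Failed requests")
    rps=$(printf '%s\n' "$report" | ab_metric "Requests per second")
    p95=$(printf '%s\n' "$report" | ab_percentile 95)
    [ "${failed:-1}" -eq 0 ] || { echo "gate: $failed failed requests" >&2; return 1; }
    awk -v rps="$rps" -v min="$1" -v p95="$p95" -v max="$2" \
        'BEGIN { exit !(rps + 0 >= min + 0 && p95 + 0 <= max + 0) }' ||
        { echo "gate: rps=$rps p95=${p95}ms outside limits" >&2; return 1; }
}

# Example:  ab -n 100 -c 10 http://server1.example.com/index.html | ab_gate 50 500
```

Run it from a host other than the web server itself, and against a test instance rather than production: 100 concurrent connections to a login page, as in the run above, is a meaningful load for a small box.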

Thursday, April 10, 2008

IP alias

To set up IP aliases on Linux, the first method most people think of is ifconfig. But when aliases are made with ifconfig, viewing the IP addresses dumps a long list of alias interfaces (ethN:N) that is hard to read (in a recent test I bound 16384 IPs to one NIC). Fortunately the ip command can create IP aliases too, and the result is simple and easy to read.
How? Very simple, just issue the following command:
# ip addr add 192.168.1.102/24 dev ethN (N is 0, 1, 2, ..., i.e. the NIC number)

To view them:
# ip addr show

192.168.1.102 and 192.168.1.103 are IP aliases; had they been added with ifconfig, two extra ethN:N interfaces would appear. A reminder: when an alias is added with the ip command, ifconfig cannot see the alias IP address.
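Added example by the editor, not code from the original post. It adds a range of alias addresses with the ip command and lists them back by parsing `ip -4 addr show`, where the primary address has no flag and each alias is marked "secondary". It also gives each alias a label (eth0:1, eth0:2, ...), which is what makes an ip-created alias visible to ifconfig as well; without the label, as the post notes, ifconfig does not show it. The interface name, the prefix and the address range are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# list_secondary_addrs: read "ip -4 addr show" output on stdin and print the
# alias (secondary) addresses with their prefix length, one per line.
list_secondary_addrs() {
    awk '$1 == "inet" && / secondary / { print $2 }'
}

# alias_range DEV PREFIX FIRST LAST MASKLEN: print the "ip addr add" commands
# for PREFIX.FIRST .. PREFIX.LAST, each labelled DEV:N so ifconfig lists it too.
alias_range() {
    dev=$1; prefix=$2; first=$3; last=$4; masklen=$5
    i=$first; n=1
    while [ "$i" -le "$last" ]; do
        echo "ip addr add $prefix.$i/$masklen dev $dev label $dev:$n"
        i=$((i + 1)); n=$((n + 1))
    done
}

# apply_alias_range DEV PREFIX FIRST LAST MASKLEN: run the commands instead of
# printing them (needs root); stops at the first failure.
apply_alias_range() {
    alias_range "$@" | while read -r cmd; do $cmd || exit 1; done
}

# Example (as root):
#   apply_alias_range eth0 192.168.1 102 103 24
#   ip -4 addr show dev eth0 | list_secondary_addrs
```

Addresses added this way are not persistent; they disappear at the next interface restart unless you also put them in the distribution's network configuration.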

Thursday, March 27, 2008

Check Linux distribution

帽客 always used to cat /etc/issue to see which Linux version a machine runs, but that file can be edited. Today I found a command that confirms 100% which Linux distribution it is: lsb_release. Below are the results of cat /etc/issue and lsb_release used to identify the distribution:

1. cat /etc/issue
[root@server2 tmp]# cat /etc/issue
CentOS release 5 (Final)
Kernel \r on an \m

2. lsb_release
[root@server2 tmp]# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5 (Final)
Release: 5
Codename: Final

Tuesday, March 18, 2008

selinux on RHEL5.1

Today I enabled selinux on RHEL5.1; here are my notes:

1. Enable selinux:
[root@dns html]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
-> Change SELINUX=disabled to SELINUX=enforcing and reboot.

2. Check the current selinux status:
[root@dns html]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
For more information, add the -v option:
[root@dns html]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

Process contexts:
Current context: root:system_r:unconfined_t:SystemLow-SystemHigh
Init context: system_u:system_r:init_t
/sbin/mingetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:unconfined_t:SystemLow-SystemHigh

File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/sbin/mingetty system_u:object_r:getty_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

3. View the selinux booleans for a daemon, using httpd as an example:
[root@dns html]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on

To set booleans, use setsebool; for example, when I do not want selinux to confine httpd, I can do this:
[root@dns html]# setsebool -P httpd_disable_trans 1
[root@dns html]# getsebool -a | grep httpd_disable_trans
httpd_disable_trans --> on
Here 0 means off and 1 means on, and the -P option makes the new boolean value persist so it is still in effect after the next boot.

Now a scenario exercise: with selinux enabled, allow the anonymous ftp account to get and put files, including overwriting existing ones.

1. Configure vsftpd (see the following configuration):
[root@dns html]# cat /etc/vsftpd/vsftpd.conf | grep -v "^$" | grep -v "^#"
anonymous_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Before selinux was enabled this configuration already met the requirement, but once selinux is on you hit a wall. See the demonstration below:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50891|)
553 Could not create file.
ftp>

Check the ftp booleans:
[root@dns pub]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
See that? allow_ftpd_anon_write --> off and allow_ftpd_full_access --> off; let's enable them!
[root@dns pub]# setsebool -P allow_ftpd_anon_write 1
[root@dns pub]# setsebool -P allow_ftpd_full_access 1

Try putting the file again:
chiu-lawrencede-ibook-g4:~ Lawrence$ ftp 10.5.30.147
Connected to 10.5.30.147.
220 (vsFTPd 2.0.5)
Name (10.5.30.147:Lawrence): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||50580|)
150 Ok to send data.
100% |***********************************************************************************| 666 1.92 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (1.62 KB/s)
ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||37711|)
150 Ok to send data.
100% |***********************************************************************************| 666 2.76 MB/s 00:00
226 File receive OK.
666 bytes sent in 00:00 (2.92 KB/s)
ftp>

Done.
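Added example by the editor, not code from the original post. It checks the booleans the scenario needs against `getsebool -a` output, reports which ones are still off, and enables only those. It deliberately leaves allow_ftpd_full_access alone: that boolean lets vsftpd read and write every file regardless of its label, which is far more than the exercise asks for, whereas allow_ftpd_anon_write plus a public_content_rw_t label on the upload directory grants write access to that tree only. The upload directory path is an assumption, and the getsebool lines in the test are constructed.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# parse_sebools: read "getsebool -a" output on stdin, print "name state" pairs.
parse_sebools() {
    awk '$2 == "-->" { print $1, $3 }'
}

# missing_sebools STATE NAME...: read parsed pairs on stdin and print each NAME
# whose state is not STATE. Unknown names are printed too, so a typo shows up.
missing_sebools() {
    want=$1; shift
    awk -v want="$want" -v names="$*" '
        BEGIN { n = split(names, list, " ") }
        { state[$1] = $2 }
        END { for (i = 1; i <= n; i++) if (state[list[i]] != want) print list[i] }
    '
}

# anon_ftp_upload_required: booleans needed for anonymous uploads on RHEL5.
anon_ftp_upload_required() {
    echo "allow_ftpd_anon_write ftpd_is_daemon"
}

# enable_anon_ftp_upload [DIR]: enable (persistently) whichever required booleans
# are off, then label DIR so ftpd may write there. chcon is lost on a full
# relabel; "semanage fcontext -a -t public_content_rw_t 'DIR(/.*)?'" followed by
# restorecon makes the label permanent.
enable_anon_ftp_upload() {
    dir=${1:-/var/ftp/pub}
    for b in $(getsebool -a | parse_sebools | missing_sebools on $(anon_ftp_upload_required)); do
        setsebool -P "$b" 1 || return 1
    done
    chcon -R -t public_content_rw_t "$dir"
}

# Example (as root):  enable_anon_ftp_upload /var/ftp/pub
```

The same `missing_sebools` check is handy after any policy update or reinstall, since it turns "did someone flip the boolean back" into a one-line question.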

Thursday, March 13, 2008

RHEL5 group administrators

This is a concept I did not know before, so here is a note:

Objective: let an ordinary user manage (add/remove) the members of a group

Environment:
law -> group administrator of group g1
g1 -> test group
alex -> will be added to g1 by law
/home/g1 -> shared directory of group g1, mode 770

Step 1. Make law the administrator of group g1:
[root@server3 home]# gpasswd -A law g1
[root@server3 home]# grep law /etc/gshadow
law:!::
g1:!:law:
(The group administrator is listed in the third field of each group's entry in /etc/gshadow.)

Step 2. Add alex to group g1:
[law@server3 ~]$ id alex
uid=502(alex) gid=503(alex) groups=503(alex)
[law@server3 ~]$ gpasswd -a alex g1
Adding user alex to group g1
[law@server3 ~]$ id alex
uid=502(alex) gid=503(alex) groups=503(alex),502(g1)

Step 3. Verify that alex can create files in /home/g1:
[alex@server3 home]$ ls -dl /home/g1/
drwxrwx--- 2 root g1 4096 Oct 21 05:06 /home/g1/
[alex@server3 home]$ cd g1
[alex@server3 g1]$ touch alex
[alex@server3 g1]$ ls -l alex
-rw-rw-r-- 1 alex alex 0 Oct 21 05:13 alex
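Added example by the editor, not code from the original post. Two helpers around the setup above: one reads the administrator field (field 3) of /etc/gshadow so "who may add members to g1" can be checked without eyeballing the file, and one prepares the shared directory with the setgid bit so files members create there belong to group g1. In Step 3 alex's file came out as alex:alex, which the other g1 members cannot edit; a 2770 directory fixes that for new files. Paths, names and the gshadow lines in the test are constructed.

```shell
#!/bin/sh
# Editor's example, not from the original post.

# group_admins GROUP [GSHADOW]: print the comma-separated administrators of
# GROUP (field 3 of gshadow), or nothing if there are none / no such group.
group_admins() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "${2:-/etc/gshadow}"
}

# group_members GROUP [GSHADOW]: field 4 holds the members.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }' "${2:-/etc/gshadow}"
}

# is_group_admin USER GROUP [GSHADOW]: exit 0 if USER is in the admin field.
is_group_admin() {
    group_admins "$2" "${3:-/etc/gshadow}" | tr ',' '\n' | grep -qx "$1"
}

# setup_shared_dir DIR GROUP: 2770 = rwx for owner and group, nothing for others,
# plus setgid so new files inherit GROUP. Members still need a group-writable
# umask (002 or 007) for the other members to be able to edit their files.
setup_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Example (Step 1 as root, then the checks):
#   gpasswd -A law g1
#   is_group_admin law g1 && echo "law administers g1"
#   setup_shared_dir /home/g1 g1
```

Note that `grep law /etc/gshadow` in Step 1 also matched the line for law's own group; reading field 3 of the g1 line, as `group_admins` does, avoids that ambiguity.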

Friday, March 07, 2008

RHEL5 系統管理寶典 基礎篇

I recently received a copy of Yongsheng (Cd Chen)'s new book "RHEL5 系統管理寶典 基礎篇", for which I am very grateful to him. It is more or less the second edition of his introduction to Red Hat Linux system administration; for various reasons the first edition was written around Fedora, which was a bit of a pity, whereas this new work is based entirely on RHEL5 and its content has been updated considerably compared with the previous edition. It is well worth consulting for any reader serious about learning Linux system administration, and for students who have taken the RHCE training course it amounts to a Chinese reference for RH133. 帽客 is of course not advertising; good things simply have to be recommended. 帽客 started reading it over the past few days, and although most of the material is familiar, real understanding should progress: understand -> understand well -> master -> share & teach, so every time 帽客 reads a different Linux book there is something new to take away.