Wednesday, March 24, 2010

Linux: Assigning a password to GRUB




How to assign a password to GRUB after Linux OS is installed?

1. Login to the system as 'root' user.

2. Execute the command
bash-3.0# grub

Now we can observe the change in the prompt

Execute,

grub> md5crypt
This command will prompt for password. Type the password. It'll generate the encrypted password.


Output:


GNU GRUB version 0.97 (640K lower / 3072K upper memory)

[ Minimal BASH-like line editing is supported. For the first word, TAB
lists possible command completions. Anywhere else TAB lists the possible
completions of a device/filename.]

grub> md5crypt

Password: ******
Encrypted: $1$DDD2V/$MEJHXqlrloKA6gO1PCc3x1



3. Now make a note or copy the encrypted password, quit from grub.

grub> quit.


4. Now edit the file /etc/grub.conf as follows.
The password has to edited as follows:


Output:

bash-3.0# vi /etc/grub.conf

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$DDD2V/$MEJHXqlrloKA6gO1PCc3x1
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-8.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-8.el5 ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.18-8.el5.img

:wq!

5. Save & quite.


That's it.

Tuesday, March 16, 2010

Solaris: Autofs


The default time to automount the shared resource is 10 min (600 sec).

If the time has to be changed it can be performed by executing the following command,
bash-3.00# automount -t 15 –v
Where
-t = specifies the time to be mounted
-v = verbose mode


If the same has to be applied for all the shared resources on automounting, we can edit the following file,


bash-3.00# vi /etc/default/autofs | more
#ident "@(#)autofs 1.2 04/11/12 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

# The duration in which a file system will remain idle before being
# unmounted. This is equivalent to the "-t" argument to automount.
AUTOMOUNT_TIMEOUT=700



(Output Truncated)

Solaris: How to customize the log settings to a flie?

Ex: Customizing the log setting to the file /var/adm/messages.


As we know, since the server is keep on running and log is more and updated to the file /var/adm/messages.
In case of limitation of disk space, we can rotate the log by having last 10 days log, specify in terms of weeks, and restrict the file size.
bash-3.00# ls -lh /var/adm | grep messages
-rw-r--r-- 1 root root 743K Mar 16 12:16 messages
Shows the file size in human readable format.

bash-3.00# logadm -S 10k /var/adm/messages
bash-3.00# ls -lh /var/adm| grep messages
-rw-r--r-- 1 root root 0 Mar 16 12:17 messages
After, restricting the file size to 10kb.

bash-3.00# logadm -A 10w /var/adm/messages
bash-3.00# ls -lh /var/adm/messages
-rw-r--r-- 1 root root 0 Mar 16 12:17 /var/adm/messages
After, restricting the file to have the log of last 10 weeks.

Saturday, March 13, 2010

Solaris: Daemons


Process Description:


init
The Unix program which spawns all other processes.

biod Works in cooperation with the remote nfsd to handle client NFS requests.

dhcpd
Dynamically configure TCP/IP information for clients.

fingerd
Provides a network interface for the finger protocol, as used by the finger command.
ftpd
Services FTP requests from a remote system. It listens at the port specified in the services file for ftp.

httpd
Web server daemon.

inetd
Listens for network connection requests. If a request is accepted, it can launch a background daemon to handle the request. Some systems use the replacement command xinetd.

lpd
The line printer daemon that manages printer spooling.

nfsd
Processes NFS operation requests from client systems. Historically each nfsd daemon handled one request at a time, so it was normal to start multiple copies.

ntpd
Network Time Protocol daemon that manages clock synchronization across the network. xntpd implements the version 3 standard of NTP.

rpcbind
Handles conversion of remote procedure calls (RPC), such as from ypbind.

sshd
Listens for secure shell requests from clients.

sendmail
SMTP daemon.

swapper Copies process regions to swap space in order to reclaim physical pages of memory for the kernel. Also called sched.

syslogd
System logger process that collects various system messages.

syncd
Periodically keeps the file systems synchronized with system memory.

xfsd
Serve X11 fonts to remote clients.

vhand
Releases pages of memory for use by other processes. Also known as the "page stealing daemon"

ypbind
Find the server for an NIS domain and store the information in a file.

Tuesday, March 9, 2010

Solaris: Security Administration

TO DENY THE USE OF A COMMAND /usr/bin/write COMMAND TO USERS:

1. Considering 2 existing users named malcomx and scbose.
2. Login in as above mentioned users through telnet.


Note:
/usr/bin/write command will send only the message whilst the user is logged in.


login: malcomx
Password:
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
-bash-3.00$ id -a malcomx
uid=100(malcomx) gid=1(other) groups=1(other)
-bash-3.00$ write scbose
hi, good day



login: scbose
Password:
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
-bash-3.00$
Message from malcomx on sunvm1 (pts/5) [ Tue Mar 9 12:22:11 ] ...
hi, good day


Now we observe that the message from the user malcomx is sent to the user scbose.





Now perform the following activity as “root” user:


bash-3.00# ls -l /usr/bin | grep write
-r-xr-sr-x 1 root tty 14208 Jan 23 2005 write
bash-3.00# chmod o-x /usr/bin/write
Removing the execution permission to others.
bash-3.00# ls -l /usr/bin|grep write
-r-xr-sr-- 1 root tty 14208 Jan 23 2005 write



Now checking with the user malcomx
-bash-3.00$ write scbose
-bash: /usr/bin/write: Permission denied

The user is denied since the permission-ship had been changed.

Now assigning SUID and SGID to the /usr/bin/write command.

bash-3.00# chmod 4554 /usr/bin/write
bash-3.00# chmod g+s /usr/bin/write
bash-3.00# ls -l /usr/bin|grep write
-r-sr-sr-- 1 root tty 14208 Jan 23 2005 write


Create a group (here “test”), assign password to the group (here test) and change the group to the command /usr/bin/write as follows:

bash-3.00# chgrp test /usr/bin/write
bash-3.00# ls -l /usr/bin|grep write
-r-sr-sr-- 1 root test 14208 Jan 23 2005 write


Now as the user malcomx

-bash-3.00$ write scbose
-bash: /usr/bin/write: Permission denied

Now move the group “test” by issuing the password,
-bash-3.00$ newgrp test
newgrp: Password:
bash-3.00$ write scbose
scbose is logged on more than one place.
You are connected to "pts/7".
Other locations are:
pts/8
it's works... fabulous...!


Now as scbose, we observe that the message had been sent from the user malcomx.

-bash-3.00$ id
uid=101(scbose) gid=1(other)
-bash-3.00$
Message from malcomx on sunvm1 (pts/5) [ Tue Mar 9 12:30:40 ] ...
it's works... fabulous...!

Monday, March 1, 2010

Solaris: Troubleshooting: NIS

Sometimes when we try to create an user account, soon after deleting our NIS domain, we may face the following error.

Output for kind ref:


bash-3.00# useradd -m -d /export/home/lingesh lingesh
64 blocks
bash-3.00# passwd lingesh
New Password:
Re-enter new Password:
Permission denied


This shows that, the user account can be created, where as password cannot be assigned to the newly created user account.

In this case we have to follow the following step.

bash-3.00# cp /etc/nsswitch.files /etc/nsswitch.conf

The above command replace /etc/nsswitch.conf to the default template.


Output for kind ref:

bash-3.00# passwd lingesh
New Password:
Re-enter new Password:
passwd: password successfully changed for lingesh