GURGAON INSTITUTE OF TECHNOLOGY & MANAGEMENT

Course material of Principle of system and network administration

The readings referred to in the table below are recommended material from
A. Principles of Network and System Administration by Mark Burgess ohn
!iley " Sons #td
B. TCP$%P Network administration by Craig &unt oreilly publications
C. TCP$%P Protocol Suite by 'ro(en TM&
). Analytical Network and System Administration Managing &uman*
Computer Networks by Mark Burgess ohn !iley " Sons #td
+. Cryptography " Network Security by Atul ,ahate TM&
'. Cryptography " Network Security by !illiam Stalling Pearson +ducation
-. .our /N%0 /ltimate -uide by Sumitabha )as TM&
&. )ata Communication " computer networks by Bi1ender Singh +++

A
u
g
-
D
e
c
2
0
0
9
DEPTT : IT Paper Code : IT 403 E SEMESTER: 7
th
#ecture 23
4eading5 A2.262.78 A2.98 )2.262.:8 )2.;
Contents56
1) Introduction to System and Network Administration
2) The Goal of System and Network Administration
%ntroduction
2.2 !hat is System and Network Administration
Network and system administration is a branch of engineering that concerns the operational
management of humancomputer systems! It is unusual as an engineering discipline in that it
addresses both the technology of computer systems and the users of the technology on an e"ual
basis!
It is about putting together a network of computers #workstations$ %&s and supercomputers)$
getting them running and then keeping them running in spite of the acti'ities of users who tend to
cause the systems to fail!
A system administrator works for users$ so that they can use the system to produce work! (nce a
computer is attached to the Internet$ we ha'e to consider the conse"uences of being directly
connected to all the other computers in the world!
The terms network administration and system administration e)ist separately and are used both
'ariously and inconsistently by industry and by academics!
System administration is the term used traditionally by mainframe and *NI+ engineers to
describe the management of computers whether they are coupled by a network or not!
Network administration means the management of network infrastructure de'ices #routers and
switches)! Network administration is the management of %&s in a network!
!hat is a system< 5 A system is most often an organi,ed effort to fulfill a goal$ or at least carry
out some predictable beha'ior A system could be a mechanical de'ice$ a computer$ an office of
workers$ a network of humans and machines$ a series of forms and procedures #a bureaucracy) etc!
Systems in'ol'e themes$ such as collaboration and communication between different actors$ the
use of structure to represent information or to promote efficiency$ and the laws of cause and effect
A computer system is usually understood to mean a system composed primarily of computers$
using computers or supporting computers! A humancomputer system includes the role of
humans$ such as in a business enterprise where computers are widely used! The principles and
theories concerning systems come from a wide range of fields of study! They are synthesi,ed here
in a form and language that is suitable for scholars of science and engineering!
!hat is administration< 5 In humancomputer system administration$ the definition is broadened
to include all of the organi,ational aspects and also engineering issues$ such as system fault
diagnosis! In this regard$ it is like the medical profession$ which combines checking$ management
and repair of bodily functions! The main issues are the following-
. System design and rationali,ation
. /esource management
. 0ault !handing
In order to achie'e these goals$ it re"uires
. %rocedure
. Team work
. 1thical practices
. Appreciation of security!
Administration comprises two aspects- technical solutions and arbitrary policies! A technical
solution is re"uired to achie'e goals and sub2goals$ so that a problem can be broken down into
manageable pieces! %olicy is re"uired to make the system$ as far as possible$ predictable- it pre2
decides the answers to "uestions on issues that cannot be deri'ed from within the system itself!
%olicy is therefore an arbitrary choice$ perhaps guided by a goal or a principle!
2.= Applying technology in an en>ironment
A key task of network and system administration is to build hardware configurations3 another is to
configure software systems! 4oth of these tasks are performed for users! 1ach of these tasks
presents its own challenges$ but neither can be 'iewed in isolation!
5ardware has to conform to the constraints of the physical world3 it re"uires power$ a temperate
#usually indoor) climate$ and a conformance to basic standards in order to work systematically!
The type of hardware limits the kind of software that can run on it!
Software re"uires hardware$ a basic operating system infrastructure and a conformance to certain
standards$ but is not necessarily limited by physical concerns as long as it has hardware to run on!
Today the comple)ity of multiple software systems sharing a common Internet space reaches
almost the le'el of the biological! Today that strategy is less dominant$ and e'en untenable$ thanks
to networking! Today$ there is not only a physical en'ironment but a technological one$ with a
di'ersity that is constantly changing! %art of the challenge is to knit apparently disparate pieces of
this community into a harmonious whole!
The global 'iew$ presented to us by information technology means that we ha'e to think
penetratingly about the systems that are deployed! The e)tensi'e filaments of our inter2networked
systems are e)posed to attack$ both accidental and malicious in a competiti'e 6ungle! Ignore the
en'ironment and one e)poses oneself to unnecessary risk!
2.:The human role in systems
0or humans$ the task of system administration is a balancing act! It re"uires patience$
understanding$ knowledge and e)perience! Administrators need to be the doctor$ the psychologist$
and when instruments fail the mechanic!
7e need to work with the limited resources we ha'e$ be in'enti'e in a crisis$ and know a lot of
general facts and figures about the way computers work!
7e need to recogni,e that the answers are not always written down for us to copy$ that machines
do not always beha'e the way we think they should!
7e need to remain calm and attenti'e$ and learn a do,en new things a year!
&omputing systems re"uire the 'ery best of organi,ational skills and the most professional of
attitudes!
To start down the road of system administration$ we need to know many facts and build
confidence though e)perience but we also need to know our limitations in order to a'oid the
careless mistakes which are all too easily pro'oked!
2.7The challenges of system administration
System administration is not 6ust about installing operating systems! It is about planning and designing an
efficient community of computers so that real users will be able to get their 6obs done! That means-
8esigning a network which is logical and efficient!
8eploying large numbers of machines which can be easily upgraded later!
8eciding what ser'ices are needed!
%lanning and implementing ade"uate security!
%ro'iding a comfortable en'ironment for users!
8e'eloping ways of fi)ing errors and problems which occur!
9eeping track of and understanding how to use the enormous amount of knowledge which
increases e'ery year!
=? The -oal of System and Network Administration
=.2-oal of network administration56
The goal of network administration is to ensures that the users of networks recei'e the information
and technically ser'es with "uality of ser'ices they e)cept!
Network administration means the management of network infrastructures de'ices #such as router
and switches)
Network administration compromises of : ma6ors groups-
1! Network pro'isioning
2! Network operations
:! Network maintenance
Network pro>isioning56 is the primary responsibility of engineering groups and its consists of
planning and design of network which is done by engineer!
Network operations5 2 it consists of fault$ configurations$ traffic$ all type of management and it is
done by plant facilities group! Its is ner'e center of network management operations!
Network maintenance56 its consists of all type of installations and maintenance work!
4esponsibilities of Network Administration56
It is to pro'ide a reliable consistent and scalable network infrastructure that meets or e)ceeds
le'els and optimi,e enterprises assets!
To build hardware configuration
To configure software configuration
8esigning of network which is logical and official
8isplaying large nos of machines which can be easily upgraded later
8eciding which; what ser'ices are needed!
%lanning and implementing en'ironments for users!
8e'eloping a ways of fi)ing errors and problems when occurs!
To make user life 'ery easy and to empower them in production of real work!
1! So to meets abo'e goal a management should establish policy either formally or
informally contract ser'ice le'els agreements with users!
2! 0rom a business administration point of 'iew$ network administration in'ol'es strategic
and tactical planning of engineering$ operations and maintenance of network and network
ser'ice for current and future needs at minimum o'erall costs
:! 7ell established communications and interactions among 'arious groups are necessary to
perform these functions
=.= -oal of System administration56
The primary tasks of system administration is to ensures that the following things happens
a) The top management is assured of efficiency in utili,ations of the system resources
b) The general user<s community gets the ser'ices which they are seeking!
=arious tasks performed by system administrators are
Systems starts up and shutdowns
(pening and closing of users accounts
5elping users to set up there working en'ironments
>aintaining users ser'ices
Allocating disks spaces and relocating "uotas when the needs grows
#ecture =3
4eading5 A=.26=.=
#inks56
http-;;www!geocities!com;ra'ee?2@;
www!NT0S!(/G
http-;;gama!'tu!lt;biblioteka;(perating?systems;(perating?systems!pdf
http-;;nptel!iitm!ac!in;courses;7ebcourse2contents;IISc 4ANG;(perating
A2BSystems;pdf;Cecture?Notes;>odA2B1?CN!pdf
Contents56
:) System &omponents and there >anagements
D) (perating System - 7indows and *NI+ 'ariants
2? System Components and there Managements
2.2 !hat is @the systemA<
In system administration$ the word system is used to refer both to the operating system of a computer and
often$ collecti'ely the set of all computers that cooperate in a network! If we look at computer systems
analytically$ we would speak more precisely about humancomputer systems-
)efinition 2 Bhuman*computer system?. An organi,ed collaboration between humans and computers to
sol'e a problem or pro'ide a ser'ice! Although computers are deterministic$ humans are non2deterministic$
so humancomputer systems are non2deterministic!
2.2.2 Network infrastructure
There are three main components in a humancomputer system #see figure below)
&umans 5 who use and run the fi)ed infrastructure$ and cause most problems!
5ost computers- computer de'ices that run software! These might be in a fi)ed location$ or mobile de'ices!
Network hardware- This co'ers a 'ariety of speciali,ed de'ices including the following key components-
8edicated computing de'ices that direct traffic around the Internet! /outers talk at the I% address
le'el$ or Elayer :<$ by simple speaking!
Switches 5 fi)ed hardware de'ices that direct traffic around local area networks! Switches talk at
the le'el of 1thernet or Elayer 2< protocols!
Cables 5 There are many types of cable that interconnect de'ices- !fiber optic cables$ twisted pair
cables$ null2modem cables etc!
0ig- some of the key dependencies in system administration! The sum of these elements forms a networked
community$ bound by human ties and cable ties! Ser'ices depend on a physical network$ on hosts and
users$ both as consumers of the resources and as teams of administrators that maintain them!
2.2.= Computers
All contemporary computers in common use are based on the 1ckert>auchly'on Neumann
architecture as shown in figure below
1ach computer has a clock which dri'es a central processor unit #&%*)$ a random access memory
#/A>) and an array of other de'ices$ such as disk dri'es! In order to make these parts work
together$ the &%* is designed to run programs which can read and write to hardware de'ices!
The most important program is the operating system kernel! (n top of this are software layers that
pro'ide working abstractions for programmers and users! These consist of files$ processes and
ser'ices! %art of Ethe system< refers to the network de'ices that carry messages from computer to
computer$ including the cables themsel'es! 0inally$ the system refers to all of these parts and
le'els working together!
0igure- The basic elements of the 'on Neumann architecture!
2.= &andling hardware
To be a system administrator it is important to ha'e a basic appreciation of the frailties and procedures
surrounding hardware!
All electronic e"uipment should be treated as highly fragile and easily damaged$ regardless of how
sturdy it is!
Ne'er insert or remo'e power cords from e"uipment without ensuring that it is switched off!
Take care when inserting multi2pin connectors that the pins are oriented the right way up and that
no pins are bent on insertion!
Moreo>er5
2? 4ead instructions5 7hen dealing with hardware$ one should always look for and read instructions in a
manual!
=? &andling components5 >odern day &>(S chips work at low 'oltages #typically F 'olts or lower)!
Standing on the floor with insulating shoes$ you can pick up a static electric charge of se'eral thousand
'olts! Such a charge can instantly destroy computer chips! 4efore touching any computer components$
earth yourself by touching the metal casing of the computer! If you are installing e"uipment inside a
computer$ wear a conducti'e wrist strap!
:? )isks5 8isk technology has been impro'ing steadily for two decades! The most common disk types$ in
the workplace$ fall into two families- ATA #formerly I81) and S&SI! ATA disks are now generally cheaper
than S&SI disks #due to 'olume sales) and e)cel at se"uential access$ but S&SI disks ha'e traditionally
been more efficient at handling multiple accesses due to a multitasking bus design$ and are therefore better
in multitasking systems$ where random access is important!
7? Memory5 >emory chips are sold on small pluggable boards! They are sold in different si,es and with
different speeds! A computer has a number of slots where they can be installed! 7hen buying and installing
/A>$ remember
The physical si,e of memory plug2in is important! Not all of them fit into all sockets!
>emory is sold in units with different capacities and data rates! (ne must find out what si,e can
be used in a system!
;? #ightning5 strikes can destroy fragile e"uipment! No fuse will protect hardware from a lightning strike!
Transistors and &>(S chips burn out much faster than any fuse! 1lectronic spike protectors can help here$
but nothing will protect against a direct strike!
9? Power5 failure can cause disk damage and loss of data! A *%S #uninterruptible power supply) can help!
C? &eat - 4la,ing summer heat or a poorly placed heater can cause systems to o'erheat and suddenly black
out! (ne should not let the ambient temperature near a computer rise much abo'e 2F degrees &entigrade!
Increased temperature also increases noise le'els that can reduce network capacities by a fraction of a
percent! 5eat can cause /A> to operate unpredictably and disks to misread;miswrite! Good 'entilation is
essential for computers and screens to a'oid electrical faults!
D? Cold5 Sudden changes from hot to cold are 6ust as bad! They can cause unpredictable changes in
electrical properties of chips and cause systems to crash! In the long term$ these changes could lead to
cracks in the circuit boards and irreparable chip damage!
E? &umidity5 In times of 'ery cold weather and 'ery dry heat$ the humidity falls to 'ery low le'els! At
these times$ the amount of static electricity builds up to "uite high le'els without dissipating! This can be a
risk to electronic circuitry! 5umans pick up charge 6ust by walking around$ which can destroy fragile
circuitry! %aper sticks together causing paper crashes in laser printers! Too much humidity can lead to
condensation and short circuits!
=? Fperating System5 !indows and /N%0 >ariants
(perating System #or shortly (S) primarily pro'ides ser'ices for running applications on a computer
system
=.2 Need for an FS5
The primary need for the (S arises from the fact that user needs to be pro'ided with ser'ices and (S ought
to facilitate the pro'isioning of these ser'ices! The central part of a computer system is a processing engine
called &%*! A system should make it possible for a user<s application to use the processing unit! A user
application would need to store information! The (S makes memory a'ailable to an application when
re"uired! Similarly$ user applications need use of input facility to communicate with the application! This is
often in the form of a key board$ or a mouse or e'en a 6oy stick #if the application is a game for instance)!
The output usually pro'ided by a 'ideo monitor or a printer as some times the user may wish to generate an
output in the form of a printed document! (utput may be a'ailable in some other forms! 0or e)ample it may
be a 'ideo or an audio file! Cet us consider few applications!
. 8ocument 8esign
. Accounting
. 12mail
. Image processing
7e notice that each of the abo'e application re"uires resources for
. %rocessing information
. Storage of Information
. >echanism to inputting information
. %ro'ision for outputting information
. These ser'ice facilities are pro'ided by an operating system regardless of the nature of application!
The (S offers generic ser'ices to support all the abo'e operations! These operations in turn facilitate the
applications mentioned earlier! To that e)tent an (S operation is application neutral and service specific.
=.= /ser and System Giew5
0rom the user point of 'iew the primary consideration is always the con'enience! It should be easy to use
an application! ! The human computer interface which helps to identify an application and its launch is 'ery
useful! If we e)amine the programs that help us in using input de'ices like a key board all the comple)
details of character reading program are hidden from the user! The same is true when we write a program!
0or instance$ when we use a programming language like &$ a printf command helps to generate the desired
form of output! The following figure essentially depicts the basic schema of the use of (S from a user stand
point! 5owe'er$ when it comes to the 'iew point of a system$ the (S needs to ensure that all the system
users and applications get to use the facilities that they need!
=.: what does an FS )o<
. %ower (n Self Test #%(ST)
. /esource management Support for multi2user
. 1rror 5andling
. &ommunication support o'er Network
. #(ptional) 8eadline support so that safety critical application run and fail gracefully
=.7 /N%0
*NI+ is a powerful computer operating system originally de'eloped at ATGT 4ell Caboratories! It is 'ery
popular among the scientific$ engineering$ and academic communities due to its multi2user and multi2
tasking en'ironment$ fle)ibility and portability$ electronic mail and networking capabilities$ and the
numerous programming$ te)t processing and scientific utilities a'ailable!
Unix Variants
This diagram shows the Hfamily treeH of the *ni) operating system! *ni)2like The *ni)2like family is a
di'erse group of operating systems$ with se'eral ma6or subcategories including System =$ 4S8$ and Cinu)!
The name H*ni)H is a trademark of The (pen Group which licenses it for use to any operating system that
has been shown to conform to the definitions that they ha'e cooperati'ely de'eloped! The name is
commonly used to refer to the large set of operating systems which resemble the original *ni)! *ni)
systems run on a wide 'ariety of machine architectures! They are used hea'ily as ser'er systems in
business$ as well as workstations in academic and engineering en'ironments! 0ree software *ni) 'ariants$
such as Cinu) and 4S8$ are increasingly popular! They are used in the desktop market as well$ for e)ample
*buntu$ but mostly by hobbyists! Some *ni) 'ariants like 5%Is 5%2*+ and I4>Is AI+ are designed to run
only on that 'endorIs proprietary hardware! (thers$ such as Solaris$ can run on both proprietary hardware
and on commodity )J@ %&s! AppleIs >ac (S +$ a microkernel 4S8 'ariant deri'ed from Ne+TST1%$
>ach$ and 0ree4S8$ has replaced AppleIs earlier #non2*ni)) >ac (S! ('er the past se'eral years$ free
*ni) systems ha'e supplanted proprietary ones in most instances
=.; Microsoft !indows
The >icrosoft 7indows family of operating systems originated as a graphical layer on top of the older >S2
8(S en'ironment for the I4> %&! >odern 'ersions are based on the newer 7indows NT core that first
took shape in (S;2 and borrowed from (pen=>S! 7indows runs on :22bit and @D2bit Intel and A>8
computers$ although earlier 'ersions also ran on the 81& Alpha$ >I%S$ and %ower%& architectures #some
work was done to port it to the S%A/& architecture)! As of 2BBD$ 7indows held a near2monopoly of
around KBA of the worldwide desktop market share$ although this is thought to be dwindling due to the
increase of interest focused on open source operating systems! It is also used on low2end and mid2range
ser'ers$ supporting applications such as web ser'ers and database ser'ers!
#ecture :3
4eading5 A=.78 A=.7.26=.7.78 A=.;8 A=.9
#inks56
http-;;www!cim!mcgill!ca;Lfranco;(pSys2:BD2D2M;lecture2notes;node1@!html
http-;;amath!colorado!edu;computing;uni);cheatsheet;A!pdf
http-;;hpce!iitm!ac!in;website;*serInfo;uni)A2Bcommands!pdf
http-;;cs!nyu!edu;courses;fallB@;G22!22DF2BB1;syll;lect:!pdf
Contents56
F) %rocesses and Nob &ontrol
@) %ri'ileged $*ser and Group Accounts
M) Cogs and audits
2? Processes and ob Control
(n a multitasking computer$ all work on a running program is performed by an abstraction called a
process! This is a collection of resources such as file handles$ allocated memory$ program code and &%*
registers that is associated with a specific running program! (n modern operating systems$ processes can
contain many concurrent threads which share program resources!
2.2The /N%0 process model
A %rocess is simply an instance of a running a program! A process is said to be born when program starts
e)ecutions and remains ali'e as long as the program is acti'e! So after e)ecution is complete a process is
said to be die!
A process also has name$ usually the name of the program being e)ecuted! 0or e!g! when you e)ecute the
grep command a process name grep is created! 5owe'er a process can be considered synonymous with a
program when 2 users run the same program$ there one program on disks but 2 process in memory!
The kernel is responsible for management of process !its determines the time and priorities that are
allocated to processes so that multiple processes are able to share &%* resources! its pro'ides a
mechanisms by which a process is able to e)ecute for a finite period of time and then relin"uish control to
another process!
1'ery process has attributes so some of attributes of e'ery process is maintained by kernel in memory in
separate structure called process table
'igure *NI+ process state model
In case of *NI+ the /unning state is di'ided into 2 states
*ser running state
9ernel running state!
1) New State-2 the process being created
2) /eady State- 2 the process is waiting to be assigned to a processor!
:) 4locked State-2 the process is in main memory and waiting for an e'ents
D) 4locked Suspended- 2 the process is in secondary memory and waiting for an e'ent!
F) Suspend ; /eady-2 the process is in secondary memory but is a'ailable for e)ecution as soon as it
is loaded into memory
@) 1)ited State- 2 it is a process for which parent ha'e decided not to waits for them after a process
die for their cleaning purpose! So this process does not ha'e any entry in process table!
M) Oombie-2 it is a process for which there parent ha'e to waits for the completions # possibly to
clean after them) and system maintain its entry in process tables
J) %reempted State-2 it is a special case pf blocked state a process retaining from system calls # hence
after ha'ing run in kernel modes) to immediately blocked and put the ready process "ueue instead
of returning $lea'ing &%* to another process!
All processes in *NI+ are created using the fork() system call ! *NI+ implements through the fork()
and exec() system calls an elegant two2step mechanism for process creation and e)ecution! fork() is
used to create the image of a process using the one of an e)isting one$ and exec is used to e)ecute a
program by o'erwriting that image with the programIs one!
A call to fork() of the form-
Pinclude Qsys;types!hR
pid?t childpid3
!!!
childpid S fork#)3 ;T childIs pid in the parent$ B in the child T;
!!!
creates #if it succeeds) a new process$ which a child of the callerIs$ and is an e)act copy of of the #parent)
caller itself! 4y e)act copy we mean that itIs image is a physical bitwise copy of the parentIs
The two processes ob'iously ha'e two different process id!s! #pid)! In a & program process id!s are
con'eniently represented by 'ariables of pid_t type$ the type being defined in the
sys/types.h header!
In *NI+ the %&4 of a process contains the id of the processIs parent$ hence the childIs %&4 will
contain as parent id #ppid) the pid of the process that called fork()$ while the caller will ha'e as
ppid the pid of the process that spawned it!
The child process has its own copy of the parentIs file descriptors! These descriptors reference the
same under2lying ob6ects$ so that files are shared between the child and the parent! This makes
sense$ since other processes might access those files as well$ and ha'ing them already open in the
child is a time2sa'er!
The fork() call returns in both the parent and the child$ and both resume their e)ecution from the
statement immediately following the call! (ne usually wants that parent and child beha'e differently$
and the way to distinguish between them in the programIs source code is to test the 'alue returned by
fork()! This 'alue is B in the child$ and the childIs pid in the parent!
Process management command
ps -To display the currently working processes
top -8isplay all running process
kill pid -9ill the process with gi'en pid
killall proc- 9ill all the process named proc
pkill pattern -7ill kill all processes matching the pattern
bg -Cist stopped or background 6obs$resume a stopped 6ob in the background
fg- 4rings the most recent 6ob to foreground
fg n- 4rings 6ob n to the foreground
ps )- gi'es information about currently2running processes that you own! These may be from
other *NI+ sessions than your current *NI+ session! The name of each process is in the far right
column$ and the process id for each process is in the first column! #417A/1- the options for ps
'ary on different fla'ors of *NI+ and Cinu)U
2.= Child processes and (ombies
7hen we start a process$ the new process becomes a child of the original! If one of the children starts a new
process then it will be a child of the child #a grandchild)! %rocesses therefore form hierarchies! Se'eral
children can ha'e a common parent! All *ni) user2processes are children of the initial process init$ with
process I8 1! If we kill a parent$ then #unless the child has detached itself from the parent) all of its children
die too! If a child dies$ the parent is not affected! Sometimes when a child is killed$ it does not die but
becomes defunct or a zombie process! This means that the child has a parent which is waiting for it to
finish! If the parent has not yet been informed that the child has died$ because it has been suspended itself
for instance$ then the dead child is not completely remo'ed from the kernel<s process table! 7hen the
parent wakes up and recei'es the message that the child has terminated #and its e)it status)$ the process
entry for the dead child can be remo'ed! >ost *NI+ processes go through a ,ombie state$ but most
terminate so "uickly that they cannot be seen!
It is not possible to kill a ,ombie process$ since it is already dead! The only way to remo'e a ,ombie is to
either reacti'ate the process which is waiting for it$ or to kill that process! %ersistent ,ombie processes are
usually caused by software bug
2.: The !indows process model
Cike *NI+$ processes under 7indows;NT can li'e in the foreground or in the background$ though unlike
*NI+$ 7indows does not fork processes by replicating e)isting ones! A background process can be started
with
start ;4
In order to kill the process it is necessary to purchase the /esource kit which contains a kill command! A
background process detaches itself from a login session and can continue to run e'en when the user is
logged out! Threads are the preferred method for multitasking! This means that additional functionality is
often implemented as modules to e)isting software$ rather than as independent ob6ects!
The shutdown of the whole system is normally performed from the 7indows menu! Any logged on user
can shut down a host! 4ackground processes die when this happens and updates from an administrator
could fail to be applied!
= Pri>ileged accounts
(perating systems that restrict user pri'ileges need an account which can be used to configure and maintain
the system! Such an account must ha'e access to the whole system$ without regard for restrictions! It is
therefore called a pri'ileged account!
In *NI+ the pri'ileged account is called root$ also referred to collo"uially as the super2user! In 7indows$
the Administrator account is similar to *NI+<s root$ e)cept that the administrator does not ha'e automatic
access to e'erything as does root! Instead he;she must be first granted access to an ob6ect! 5owe'er the
Administrator always has the right to grant them self access to a resource !These accounts place 'irtually no
restriction on what the account holder can do! In a sense$ they pro'ide the pri'ileged user with a skeleton
key$ a uni'ersal pass to any part of the system!
Administrator and root accounts should ne'er be used for normal work- they wield far too much power!
This is one of the hardest things to drill into no'ices$ particularly those who ha'e grown up using insecure
operating systems! Such users are used to being able to do whate'er they please!
: #ogs and audits
(perating system kernels share resources and offer ser'ices! They can be asked to keep lists of transactions
which ha'e taken place so that one can later go back and see e)actly what happened at a gi'en time! This is
called logging or auditing!
0ull system auditing in'ol'es logging e'ery single operation that the computer performs! This consumes
'ast amounts of disk space and &%* time and is generally inad'isable unless one has a specific reason to
audit the system!
Auditing has become an issue again in connection with security! (rgani,ations ha'e become afraid of
break2ins from system crackers and want to be able to trace the acti'ities of the system in order to be able
to look back and find out the identity of a cracker! The other side of the coin is that system accounting is so
resource consuming that the loss of performance might be more important to an organi,ation than the threat
of intrusion
0or some organi,ations auditing is important$ howe'er! (ne use for auditing is so2called non2repudiation$
or non2denial! If e'erything on a system is logged$ then users cannot back away and claim that they did not
do something- it<s all there in the log! Non2repudiation is a security feature which encourages users to be
responsible for their actions!
#ecture 73
4eading5 AD.228 AD.22.26 D.22.7
Contents56
System %erformance Tuning
1) System %erformance Tuning
System performance tuning is a comple) sub6ect$ in which no part of the system is sacrosanct! Although it
is "uite easy to pin2point general performance problems$ it is harder to make general recommendations to
fi) these!
7hat processes are running
5ow much a'ailable memory the system has
7hether disks are being used e)cessi'ely
7hether the network is being used hea'ily
7hat software dependencies the system has #e!g! 8NS$ N0S)!
2.24esources and dependencies
Since all resources are scheduled by processes$ it is natural to check the process table first and then look at
resource usage!
(n 7indows$ one has the process manager and performance monitor for this! (n *ni)2like systems$ we
check the process listing with ps au)! A 4S8 process listing looks like this-
hostA ps au) V more
*S1/ %I8 A&%* A>1> SO /SS TT S STA/T TI>1 &(>>AN8
root : B!2 B!B B B W S Nun 1F FF-:J fsflush
root 22112 B!1 B!F 1D@D 1112 pts;2 ( 1F-:K-FD B-BB ps au)
mark 2211: B!1 B!: 11DD M2B pts;2 ( 1F-:K-FD B-BB more
root :DB B!1 B!D 1MK2 K@J W S Nun 1F :-1: ;bin;fingerd
This one was taken on a "uiet system$ with no load! The columns show the user I8 of the process$ the
process I8$ an indication of the amount of &%* time used in e)ecuting the program #the percentage scale
can be taken with a pinch of salt$ since it means different things for different kernels)$ and an indication of
the amount of memory allocated!
The SO post is the si,e of the process in total #code plus data plus stack)$ while /SS is the resident si,e$ or
how much of the program code is actually resident in /A>$ as opposed to being paged out$ or ne'er e'en
loaded! TI>1 shows the amount of &%* time accumulated by the process$ while STA/T indicates the
amount of clock time which has elapsed since the process started!
2.= &ardware
)isks5 7hen assigning partitions to new disks$ it pays to use the fastest disks for the data which are
accessed most often$ e!g! for user home directories! To impro'e disk performance$ we can do two things!
(ne is to buy faster disks and the other is to use parallelism to o'ercome the time it takes for physical
motions to be e)ecuted! The mechanical problem which is inherent in disk dri'es is that the heads which
read and write data ha'e to mo'e as a unit! If we need to collect two files concurrently which lie spread all
o'er the disk$ this has to be done serially! 8isk striping is a techni"ue whereby filesystems are spread o'er
se'eral disks! 4y spreading files o'er se'eral disks$ we ha'e se'eral sets of disk heads which can seek
independently of one another$ and work in parallel! This does not necessarily increase the transfer rate$ but
it does lower seek times$ and thus performance impro'ement can approach as much as N times with N
disks! /AI8 technologies employ striping techni"ues and are widely a'ailable commercially! Spreading
disks and files across multiple disk controllers will also increase parallelism!
Network5 To impro'e network performance$ we need fast interfaces! All interfaces$ whether they be
1thernet or some other technology$ 'ary in "uality and speed! This is particularly true in the %& world$
where the number of competing products is huge! Network interfaces should not be trusted to gi'e the
performance they ad'ertise! Some interfaces which are sold as 1BB>bits;sec$ 0ast 1thernet$ manage little
more than DB>bits;sec!
+thernet collisions5 1thernet communication is like a tele'ision panel of politicians- many parties shouting
at random$ without waiting for others to finish! The 1thernet cable is a shared bus! 7hen a host wishes to
communicate with another host$ it simply tries! If another host happens to be using the bus at that time$
there is a collision and the host must try again at random until it is heard! This method naturally leads to
contention for bandwidth! The system works "uite well when traffic is low$ but as the number of hosts
competing for bandwidth increases$ the probability of a collision increases in step
)isk thrashing5 Thrashing is a problem which occurs because of the slowness of disk head mo'ements$
compared with the speed of kernel time2sharing algorithms! If two processes attempt to take control of a
resource simultaneously$ the kernel and its de'ice dri'ers attempt to minimi,e the motion of the heads by
"ueuing re"uested blocks in a special order! The algorithms really try to make the disks tra'erse the disk
platter uniformly$ but the re"uests do not always come in a predictable or congenial order! The result is that
the disk heads can be forced back and forth across the disk$ dri'en by different processes and slowing the
system to a 'irtual standstill! The time for disk heads to mo'e is an eternity to the kernel$ some hundreds of
times slower than conte)t switching times!
2.: Software tuning and kernel configuration
Software performance tuning is a more comple) problem than hardware performance tuning$ simply
because the options we ha'e for tuning software depend on what the software is$ how it is written and
whether or not the designer made it easy for us to tune its performance! Some software is designed to be
stable rather than efficient! 1fficiency is not a fundamental re"uirement3 there are other priorities$ such as
simplicity and robustness!
%erformance tuning is related to the a'ailability or sharing of system resources! This re"uires tuning the
system kernel! The most configurable piece of software on the system is the kernel! All *ni)2like systems
kernel parameters can be altered and tuned! The most elegant approach to this is taken by *ni) S=/D$ and
Solaris! 5ere$ many kernel parameters can be set at run time using the kernel module configuration
command ndd! (thers can be configured in a single file ;etc;system! The parameters in this file can be set
with a reboot of the kernel$ using the reconfigure flag
reboot 22 2r
0or instance$ on a hea'ily loaded system which allows many users to run e)ternal logins$ terminals$ or +2
terminal software$ we need to increase many of the default system parameters! The ma)users parameter
#actually in most *ni)2like systems) is used as a guide to estimating the si,e of many tables and limits on
resources! Its default 'alue is based on the amount of a'ailable /A>$ so one should be careful about
changing its 'alue in Solaris$ though other (Ss are less intelligent! The file ;etc;system$ then looks like this-
set ma)usersS1BB
set shmsys-shminfo?shmma) S B)1BBBBBBB
set pt?cntS12J
>ost *ni)2like operating systems do not permit run2time configuration! New kernels ha'e to be compiled
and the 'alues hard2coded into the kernel! This re"uires not 6ust a reboot$ but a recompilation of the kernel
in order to make a change! This is not an optimal way to e)periment with parameters! >odularity in kernel
design can sa'e us memory$ since it means that static code does not ha'e to take up 'aluable memory
space! 5owe'er$ the downside of this is that modules take time to load from disk$ on demand!
The GN*;Cinu) system kernel is a modular kernel$ which can load dri'ers for special hardware at run time$
in order to remain small in the memory! 7hen we build a kernel$ we ha'e the option to compile in modules
statically!
7indows performance tuning can be undertaken by perusing the multitudinous screens in the graphical
performance monitor and editing the 'alues! 0or once$ this useful tool is a standard part of the 7indows
system!
2.7 )ata efficiency
1fficiency of storage and transmission depends on the configuration parameters used to manage disks and
networks$ and also on the amount of traffic the de'ices !
Some filesystem formatting programs on *ni)2like systems allow us to reser'e a certain percentage of disk
space for pri'ileged users! 0or instance$ the default for 4S8 is to reser'e ten percent of the si,e of a
partition for use by pri'ileged processes only! The idea here is to pre'ent the operating system from
choking due to the acti'ities of users! This practice goes back to the early times when disks were small and
e)pensi'e and partition numbers were limited! Today$ these limits are somewhat inappropriate! Ten percent
of a gigabyte disk is a huge amount of space$ which many users could li'e happily with for many weeks! If
we ha'e partitioned a host so as to separate users from the operating system$ then there is no need to
reser'e space on user disks! 4etter to let users utili,e the e)isting space until a real problem occurs!
%re'entati'e tidying helps to a'oid full disks! The effect is to sa'e us time and loss of resource a'ailability
Another issue with disk efficiency is the configuration of block si,es! 4riefly$ the standard unit of space
which is allocated on a filesystem is a block! 4locks are "uite large$ usually around J kilobytes! 1'en if we
allocate a file which is one byte long$ it will be stored as a separate unit$ in a block by itself$ or in a
fragment! 0ragments are usually around 1 kilobyte! If we ha'e many small files$ this can clearly lead to a
large wastage of space and it might be prudent to decrease the filesystem block si,e! If$ con'ersely$ we deal
with mostly large files$ then the block si,e could be increased to impro'e transfer efficiency! The
filesystem parameters can$ in other words$ be tuned to balance file si,e and transfer2rate efficiency!
Normally the default settings are a good compromise
#ecture ; 3
4eading5 A7.=8 A7.=28 A78 =:8 A7.:=8 A7.::8 A7.::8 A7.:78 A7.:;8 A7.7.D
Contents56
1) 5ost >anagement- 4ooting and Shutting down of an (perating System$
2) 0ormatting$ %artitioning and 4uilding a 0ile System$ 0ile System Cayout$
:) &oncept of swap space$ &loning Systems!
2 &ost management5 Booting and shutting down of an Fperating System
2.2 -lobal >iew8 local action
=arious point considers foe host installation are-2
0ollow the (S designer<s recommended setupW #(ften this is insufficient for our purpose)
&reate our own setupW
>ake all machines alikeW
>ake all machines differentW
2.= Physical considerations of ser>er room
1) &ritical hardware needs to be protected from accidental and malicious damage! An organi,ation<s
'ery li'elihood could be at stake from a lack of protection of its basic hardware! Not all
organi,ations ha'e the lu)ury of choosing ideal conditions for their e"uipment$ but all
organi,ations could dedicate a room or two to ser'er e"uipment!
2) Any ser'er room should ha'e$ at the 'ery least$ a lockable door$ probably cooling or 'entilation
e"uipment to pre'ent the temperature from rising abo'e about 2B degrees &elsius and some kind
of anti2theft protection!
:) /emember that backup tapes should ne'er be stored in the same room as the hosts they contain
data from$ and duplicate ser'ers are best placed in different physical locations so that natural
disasters or physical attacks #fire$ bombs etc!) will not wipe out all e"uipment at the same time!
D) Security registration should be re"uired for all workers and 'isitors$ with camera recorded
registration and security guards! =isitors should present photo2I8 and be pre'ented from bringing
anything into the building3 they should be accompanied at all times!
F) 7ithin the ser'er area-
A reliable #uninterruptible) power supply is needed for essential e"uipment!
Single points of failure$ e!g! network cables$ should be a'oided!
5ot standby e"uipment should be a'ailable for minimal loss of uptime in case of failure!
/eplaceable hard disks should be considered1 with /AI8 protection for continuity!
%rotection from natural disasters like fire and floods$ and heating failure in cold countries should
be secured! Note that most countries ha'e regulations about fire control! A ser'er room should be
in its own Efire cell<$ i!e! it should be isolated by doorways and 'entilation systems from
neighboring areas to pre'ent the spread of fire!
2.: Computer startup and shutdown
The two most fundamental operations which one can perform on a host are to start it up and to shut it
down! 7ith any kind of mechanical de'ice with mo'ing parts$ there has to be a procedure for shutting it
down! (ne does not shut down any machine in the middle of a crucial operation! 7ith a multitasking
operating system$ the problem is that it is ne'er possible to predict when the system will be performing a
crucial operation in the background!
0or this simple reason$ e'ery multitasking operating system pro'ides a procedure for shutting down safely!
A safe shutdown a'oids damage to disks by mechanical interruption$ but it also synchroni,es hardware and
memory caches$ making sure that no operation is left incomplete!
2.:.2 Booting /niH
*ni) systems can boot in se'eral different modes or run levels! The most common modes are
called multi2user mode and single2user mode!
In single2user mode no e)ternal logins are permitted! The purpose of single2user mode is to allow
the system administrator access to the system without fear of interference from other users! It is
used for installing disks or when repairing filesystems$ where the presence of other users on the
system would cause problems!
The *ni) boot procedure is controlled entirely by the init program3 init reads a configuration file
called ;etc;inittab!
(n older 4S8 *nices$ a file called ;etc;rc meaning Erun commands< and subsidiary files like
rc!local was then called to start all ser'ices! These files were no more than shell scripts! In the
System = approach$ a directory called #something like) ;etc;rc!d is used to keep one script per
ser'ice! ;etc;inittab defines a number of run2le'els$ and starts scripts depending on what run2le'el
you choose!
The idea behind inittab is to make *ni) installable in packages$ where each package can be started
or configured by a separate script! 7hich packages get started depends on the run2le'el you
choose!
If the system does not boot right away$ you might see the line type b) boot$ c) continue or n) new
command! In this case$ you should type
b s
in order to boot in single2user mode! *nder the GN*;Cinu) operating system$ using the CIC( (/
G/*4 boot system$ we interrupt the normal boot se"uence by pressing the S5I0T key when the
CIC( prompt appears! This should cause the system to stop at the prompt-
4oot-
To boot$ we must normally specify the name of a kernel file$ normally linu)! To boot in single2
user mode$ we then type
4oot- linu) single
The correct run2le'el should be determined from the file ;etc;inittab! It is normally called S or 1 or
e'en 1S!
2.:.= Shutting down /niH
Anyone can start a *ni)2like system$ but we ha'e to be an administrator or Esuperuser< to shut one
down correctly!The correct way to shut down a *ni) system is to run one of the following
programs!
halt- Stops the system immediately and without warning! All processes are killed with the T1/>2
inate signal 1F and disks are synchroni,ed!
reboot- As halt$ but the system reboots in the default manner immediately!
shutdown- This program is the recommended way of shutting down the system! It is 6ust a friendly
user2interface to the other programs$ but it warns the users of the system about the impending
shutdown and allows them to finish what they are doing before the system goes down!
5ere are some e)amples of the shutdown command! The first is from 4S8 *ni)-
shutdown 2h X: HSystem halting in three minutes$ please log outH
shutdown 2r XD HSystem rebooting in four minutesH
The 2h option implies that the system will halt and not reboot automatically!
The 2r option implies that the system will reboot automatically! The times are specified in minutes!
The shutdown command allows one to switch run2le'els in a 'ery general way! To halt the system$
we ha'e to call this!
shutdown 2i F 2g 12B H%owering down os!!!!H
The 2i F option tells S=/D to go to run2le'el F$ which is the power2off state! /un
The 2g 12B option tells shutdown to wait for a grace2period of 12B seconds before shutting down!
Note that Solaris also pro>ides a BS) >ersion of shutdown in $usr$ucb.
2.:.: Booting and shutting down !indows
To boot the system$ it is simply a matter of switching on the power!
To shut it down$ one chooses shutdown from the Start >enu!
There is no direct e"ui'alent of single2user mode for 7indows$ though Esecure mode< is
sometimes in'oked$ in which only the essential de'ice dri'ers are loaded$ if some problem is
suspected!
The 7indows boot procedure on a %& begins with the 4I(S$ or %& hardware! This performs a
memory check and looks for a boot2able disk!
A boot2able disk is one which contains a master boot record #>4/)! Normally the 4I(S is
configured to check the floppy dri'e A- first and then the hard2disk &- for a boot block!
The boot block is located in the first sector of the boot2able dri'e! It identifies which partition is to
be used to continue with the boot procedure!
(n each primary partition of a boot2able disk$ there is a boot program which Eknows< how to load
the operating system it finds there!
7indows has a menu2dri'en boot manager program which makes it possible for se'eral (Ss to
coe)ist on different partitions!
(nce the disk partition containing 7indows has been located$ the program NTC8/ is called to
load the kernel!
The file 4((T!INI configures the defaults for the boot manager!
After the initial boot$ a program is run which attempts to automatically detect new hardware and
'erify old hardware! 0inally the kernel is loaded and 7indows starts properly!
= 'ormatting8 Partitioning and Building a 'ile System8 'ile System #ayout
=.2 Partitioning
8isks can be di'ided up into partitions! %artitions physically di'ide the disk surface into separate
areas which do not o'erlap!
The main difference between two partitions on one disk and two separate disks is that partitions
can only be accessed one at a time$ whereas multiple disks can be accessed in parallel!
8isks are partitioned so that files with separate purposes cannot be allowed to spill o'er into one
another<s space!
%artitioning a disk allows us to reser'e a fi)ed amount of space for a particular purpose$ safe in the
knowledge that nothing else will encroach on that space! 0or e)ample$ it makes sense to place the
operating system on a separate partition$ and user data on another partition! If these two
independent areas shared common space$ the acti'ities of users could "uickly choke the operating
system by using up all of its workspace!
5ere are some practical points to consider when partitioning disks-
1! Si,e partitions appropriately for the 6obs they will perform! 4ear in mind that operating
system upgrades are almost always bigger than pre'ious 'ersions$ and that there is a
general tendency for e'erything to grow!
2! 4ear in mind that /IS& #e!g! Sun Sparc) compiled code is much larger than &IS&
compiled code #e!g! software on an Intel architecture)$ so software will take up more
space on a /IS& system!
:! &onsider how backups of the partitions will be made! It might sa'e many complications
if disk partitions are small enough to be backed up in one go with a single tape$ or other
backup de'ice!
8isk partitioning is performed with a special program! (n %& hardware$ this is called fdisk or
cfdisk! (n Solaris systems the program is called$ confusingly$ format!
To repartition a disk$ we first edit the partition tables! Then we ha'e to write the changes to the
disk itself! This is called labelling the disk!
4oth of these tasks are performed from the partitioning programs! It is important to make sure
manually that partitions do not o'erlap! The partitioning programs do not normally help us here! If
partitions o'erlap$ data will be destroyed and the system will sooner or later get into deep trouble$
as it assumes that the o'erlapping area can be used legitimately for two separate purposes!
%artitions are labelled with logical de'ice names in *ni)! As one comes to e)pect$ these are
different in e'ery fla'or of *ni)! The general pattern is that of a separate de'ice node for each
partition$ in the ;de' directory$ e!g! ;etc;sd1a$ ;etc;sd1b$ ;de';dsk;cBtBdBsB etc!
=.= 'ormatting and building file systems
8isk formatting is a way of organi,ing and finding a way around the surface of a disk! (n a disk
surface$ it makes sense to di'ide up the a'ailable space into sectors or blocks! The way in which
different operating systems choose to do this differs$ and thus one kind of formatting is
incompatible with another!
>aking a filesystem also in'ol'es setting up an infrastructure for creating and naming files and
directories! A filesystem is not 6ust a labeling scheme$ it also pro'ides functionality! If a filesystem
becomes damaged$ it is possible to lose data!
*sually filesystem checking programs called disk doctors$ e!g! the *ni) program fsck #filesystem
check)$ can be used to repair the operating system<s map of a disk!
In *ni) filesystems$ data which lose their labelling get placed for human inspection in a special
directory which is found on e'ery partition$ called lostXfound!
The filesystem creation programs for different operating systems go by 'arious names! 0or
instance$ on a Sun host running Sun(S;Solaris$ we would create a filesystem on the ,eroth
partition of disk B$ controller ,ero with a command like this to the raw de'ice-
newfs 2m B ;de';rdsk;cBtBdBsB
The newfs command is a friendly front2end to the mkfs program!
The option m B$ used here$ tells the filesystem creation program to reser'e ,ero bytes of special
space on the partition!
This partition is then made a'ailable to the system by mounting it! This can either be performed
manually-
mount ;de';dsk;cBtBdBsB ;mountpoint;directory
or by placing it in the filesystem table
;etc;'fstab!
GN*;Cinu) systems ha'e the mkfs command$ e!g!
mkfs ;de';hda1
The filesystems are registered in the file ;etc;fstab!
(n 7indows systems$ disks are detected automatically and partitions are assigned to different
logical dri'e names! 8ri'e letters &- to O- are used for nonfloppy disk de'ices! 7indows assigns
dri'e letters based on what hardware it finds at boot2time! %rimary partitions are named first$ then
each secondary partition is assigned a dri'e letter!
The format program is used to generate a filesystem on a dri'e! The command
format ;fs-ntfs ;'-spare 0-
would create an NT0S filesystem on dri'e 0- and gi'e it a 'olume label Espare<!
=.7 'ilesystem layout
7e ha'e no choice about the layout of the software and support files which are installed on a host
as part of Ethe operating system<! This is decided by the system designers and cannot easily be
changed
A working computer system has se'eral facets-
1! The operating system software distribution$
2! Third party software$
:! *sers< files$
D! Information databases$
F! Temporary scratch space!
@! These are logically separate because-
M! They ha'e different functions$
J! They are maintained by different sources$
K! They change at different rates$
1B! A different policy of backup is re"uired for each!
The point of directories and partitions is to separate files so as not to mi) together things which are
logically separate! There are many things which we might wish to keep separate- for e)ample$
1! *ser home directories
2! 8e'elopment work
:! &ommercial software
D! 0ree software
F! Cocal scripts and databases!
(ne of the challenges of system design is in finding an appropriate directory structure for all data
which are not part of the operating system$ i!e! all those files which are locally maintained!
: Concept of swap space8 Cloning Systems.
:.2 Swap space
In 7indows operating systems$ 'irtual memory uses filesystem space for sa'ing data to disk!
In *ni)2like operating systems$ a preferred method is to use a whole$ unformatted partition for
'irtual memory storage!
A 'irtual memory partition is traditionally called the swap partition$ though few modern *ni)2like
systems Eswap< out whole processes$ in the traditional sense!
The swap partition is now used for paging! It is 'irtual memory scratch space$ and uses direct disk
access to address the partition!
:.= Cloning systems
! A system administrator usually has to install ten$ twenty or e'en a hundred machines at a time!
5e or she would also like them to be as far as possible the same$ so that users will always know
what to e)pect! This might sound like a straightforward problem$ but it is not! There are se'eral
approaches!
1! A few *ni)2like operating systems pro'ide a solution to this using package templates so
that the installation procedure becomes standardi,ed!
2! The hard disks of one machine can be physically copied and then the hostname and I%
address can be edited afterwards!
:! All software can be placed on one host and shared using N0S$ or another shared file
system!
1ach of these approaches has its attractions! The N0S;shared filesystem approach is without doubt
the least amount of work$ since it in'ol'es installing the software only once$ but it is also the
slowest in operation for users!
In /ed5at Cinu) we use this command $ rpm 2i'h package!rpm
8isks can be mirrored directly$ using some kind of cloning program! 0or instance$ the *ni) tape
archi'e program #tar) can be used to copy the entire directory tree of one host! In order to make
this work$ we first ha'e to perform a basic installation of the (S$ with ,ero packages and then
copy o'er all remaining files which constitutes the packages we re"uire! 0or e)ample$ with a
GN*;Cinu) distribution-
tar 22e)clude ;proc 22e)clude ;lib;libc!so!F!D!2: Y
22e)clude ;etc;hostname 22e)clude ;etc;hosts 2c 2' Y
2f host2imprint!tar ;
#ecture 9 3
4eading5 A7.78 A7.7.267.7.=8 A7.7.967.7.CA
Contents56
1) (S Installation$ Installation and configuration of de'ices and dri'ers$
2 FS %nstallation8 %nstallation and configuration of de>ices and dri>ers
2.2 %nstalling a /N%0 disk
There are se'eral types of disk interface used for communicating with hard2disks!
ATA/IDE disks
SSI disks
IEEE !"#$ disks
2.2.2 mount and umount
To make a disk partition appear as part of the file tree it has to be mounted! 7e say that a particular
filesystem is mounted on a directory or mountpoint! The command mount mounts filesystems defined in the
filesystem table file! This is a file which holds data for mount to read!
The synta) of the command is mount filesystem directory type #options) There are two main types of
filesystem a disk filesystem #called ufs$ hfs etc!) #which means a physical disk) and the %&S network
filesystem!
5ere are some e)amples$ using the Sun(S filesystem list abo'e-
mount 2a P mount all in fstab
mount 2at nfs P mount all in fstab which are type nfs
mount 2at D!2 P mount all in fstab which are type D!2
mount ;'ar;spool;mail P mount only this fs with options gi'en in fstab
#The 2t option does not work on all *ni) implementations!)
2.= %nstallation of the operating system
The installation process is one of the most destructi'e things we can do to a computer! 1'erything
on the disk will disappear during the installation process! (ne should therefore ha'e a plan for
restoring the information if it should turn out that reinstallation was in error!
Today$ installing a new machine is a simple affair! The operating system comes on some
remo'able medium #like a &8 or 8=8) that is inserted into the player and booted! (ne then
answers a few "uestions and the installation is done!
(perating systems are now large so they are split up into packages! (ne is e)pected to choose
whether to install e'erything that is a'ailable or 6ust certain packages! >ost operating systems
pro'ide a package installation program which helps this process!
In order to answer the "uestions about installing a new host$ information must be collected and
some choices made-
1! 7e must decide a name for each machine!
2! 7e need an unused Internet address for each!
:! 7e must decide how much 'irtual memory #swap) space to allocate!
D! 7e need to know the local netmask and domain name!
F! 7e need to know the local time,one!
2.=.2 Solaris
Solaris can be installed in a number of ways! The simplest is from &82/(>! At the boot prompt$
we simply type
W boot cdrom
This starts a graphical user interface which leads one through the steps of the installation from
disk partitioning to operating system installation!The installation procedure proceeds through the
standard list of "uestions$ in this order-
1! %referred language and keyboard type!
2! Name of host!
:! Net interfaces and I% addresses!
D! Subscribe to NIS or NIS plus domain$ or not!
F! Subnet mask!
@! Time,one!
M! &hoose upgrade or install from scratch!!
2.=.= -N/$#inuH
Installing GN*;Cinu) is simply a case of inserting a &82/(> and booting from it$ then following
the instructions!
7hat makes GN*;Cinu) installation uni"ue amongst operating system installations is the sheer
si,e of the program base! Since e'ery piece of free software is bundled$ there are literally hundreds
of packages to choose from! This presents GN*;Cinu) distributors with a dilemma! To make
installation as simple as possible$ package maintainers make software self2installing with some
kind of default configuration! This applies to user programs and to operating system ser'ices!
As with most operating systems$ GN*;Cinu) installations assume that you are setting up a stand2
alone %& which is yours to own and do with as you please!
Although GN*;Cinu) is a multiuser system$ it is treated as a single2user system! Cittle thought is
gi'en to the effect of installing ser'ices like news ser'ers and web ser'ers! The scripts which are
bundled for adding user accounts also treat the host as a little microcosm$ placing users in ;home
and software in ;usr;local!
2.=.: !indows
The installation of 7indows is similar to both of the abo'e! (ne inserts a &82/(> and boots!
5ere it is preferable to begin with an already partitioned hard2dri'e #the installation program is
somewhat ambiguous with regard to partitions)!
(n rebooting$ we are asked whether we wish to install 7indows anew$ or repair an e)isting
installation! This is rather like the GN*;Cinu) rescue disk!
Ne)t we choose the filesystem type for 7indows to be installed on$ either 8(S or NT0S! There is
clearly only one choice- installing on a 8(S partition would be irresponsible with regard to
security! &hoose NT0S!
7indows reboots se'eral times during the installation procedure$ though this has impro'ed
somewhat in recent 'ersions! The first time around$ it con'erts its default 8(S partition into
NT0S and reboots again! Then the remainder of the installation proceeds with a graphical user
interface! There are se'eral installation models for 7indows workstations$ including regular$
laptop$ minimum and custom! 5a'ing chosen one of these$ one is asked to enter a license key for
the operating system! The installation procedure asks us whether we wish to use 85&% to
configure the host with an I% address dynamically$ or whether a static I% address will be set! After
'arious other "uestions$ the host reboots and we can log in as Administrator!
#ecture C3
4eading5 A;.28 A;.2.26;.2.=8 A;.2.78 A;.:6A;.:.28 A;.:.28 A;.:.:8 A;.;8 A;.;.26;.;.:
#inks56
http-;;hell!org!ua;8ocs;oreilly;tcpip;puis;chBD?B2!htm
http-;;nptel!iitm!ac!in;courses;7ebcourse2contents;IISc 4ANG;(perating
A2BSystems;pdf;Cecture?Notes;>odA2B1K?CN!pdf
Contents56
1) *ser >anagement$ Adding;/emo'ing users!
2) &ontrolling *ser /esources$ 8isk Space Allocation and "uotas!
:) Super user;Administrator %ri'ileges!
2 /ser management
7ithout users$ there would be few challenges in system administration! *sers are both the reason that
computers e)ist and their greatest threat!
2.2 %ssues
*ser management is about interfacing humans to computers! This brings to light a number of issues-
. Accounting- registering new users and deleting old ones!
. &omfort and con'enience!
. Support ser'ices!
. 1thical issues!
. Trust management and security!
2.= /ser registration
(ne of the first issues on a new host is to issue accounts for users! The tools pro'ided by operating systems
for this task are$ at best$ primiti'e and are rarely suitable for the task without considerable modification
0or small organi,ations$ user registration are a relati'ely simple matter! *sers can be registered at a
centrali,ed location by the system manager$ and made a'ailable to all of the hosts in the network by some
sharing mechanism$ such as a login ser'er$ distributed authentication ser'ice or by direct copying of the
data!
0or larger organi,ations$ with many departments$ user registration is much more complicated! The need for
centrali,ation is often in conflict with the need for delegation of responsibility! It is con'enient for
autonomous departments to be able to register their own users$ but it is also important for all users to be
registered under the umbrella of the organi,ation$ to ensure uni"ue identities for the users and fle)ibility of
access to different parts of the organi,ation!
2.=.2 #ocal and network accounts
>ost organi,ations need a system for centrali,ing passwords$ so that each user will ha'e the same
password on each host on the network! In !fi)ed model computing en'ironments such as NT or No'ell
Netware$ where a login or domain ser'er is used$ this is a simple matter! In larger organi,ations with many
departments or sub2domains it is more difficult!
4oth *ni) and NT support the creation of accounts locally on a single host$ or Eglobally< within a network
domain!
7ith a local account$ a user has permission to use only the local host! 7ith a network account$ the user can
use any host which belongs to a network domain! Cocal accounts are configured on the local host itself!
*ni) registers local users by added them to the files ;etc;passwd and ;etc;shadow! In NT the Security
Accounts >anager #SA>) is used to add local accounts to a gi'en workstation!
Principle B)istributed accounts?! *sers mo'e around from host to host$ share data and collaborate! They
need easy access to data and workstations all o'er an organi,ation!
Suggestion BPasswords?. Gi'e users a common username on all hosts$ of no more than eight characters!
Gi'e them a common password on all hosts$ unless there is a special reason not to do so! Some users ne'er
change their passwords unless forced to$ and some users ne'er e'en log in$ so it is important to assign good
passwords initially! Ne'er assign a simple password and assume that it will be changed!
Adding$4emo>ing users
2.=.= /niH accounts
7hen a new person 6oins an organi,ation he is usually gi'en an account by the system administrator! This
is the login account of the user! Now a day<s almost all *ni) systems support an admin tool which seeks
the following information from the system administrator to open a new account-
1! *sername- This ser'es as the login name for the user!
2! %assword- *sually a system administrator gi'es a simple password! The users are ad'ised to later select a
password which they feel comfortable using! *serIs password appears in the shadow files in encrypted
forms! *sually$ the ;etc;passwd file contains the information re"uired by the login program to authenticate
the login name and to initiate appropriate shell as shown in the description below-
bhatt'('!))*'!''/e(port/home/bhatt'/usr/local/bin/bash
damu'('!))!'!)''/e(port/home/damu'/usr/local/bin/bash
1ach line abo'e contains information about one user! The first field is the name of the user3 the ne)t a
dummy indicator of password$ which is in another file$ a shadow file! %assword programs use a trap2door
algorithm for encryption!
:! 5ome directory- 1'ery new user has a home directory defined for him! This is the default login
directory! *sually it is defined in the run command files!
D! 7orking set2up- The system administrators prepare !login and !profile files to help users to obtain an
initial set2up for login! The administrator may prepare !cshrc$ !)initrc !mailrc !ircrc files! these files are used
in customi,ing a userIs working en'ironment! A natural point of curiosity would be- what happens when
users log outW *ni) systems recei'e signals when users log out! As earlier we mentioned that a user logs in
under a login process initiated by getty process! %rocess getty identifies the terminal being used! So when a
user logs out$ the getty process which was running to communicate with that terminal is first killed! A new
getty process is now launched to enable yet another prospecti'e login from that terminal! The working set2
up is completely determined by the startup files! These are basically !rc #run command) files! These files
help to customi,e the userIs working en'ironment! 0or instance$ a userIs !cshrc file shall ha'e a path
'ariable which defines the access to 'arious *ni) built2in shell commands$ utilities$ libraries etc! In fact$
many other shell en'ironmental 'ariables like 5(>1$ S51CC$ >AIC$ TO #the time ,one) are set up
automatically! In addition$ the !rc files define the access to network ser'ices or some need2based access to
certain licensed software or databases as well! To that e)tent the +rc files help to customi,e the userIs
working en'ironment!
F! Group2id- The user login name is the user2id! *nder *ni) the access pri'ileges are determined by the
group a user belongs to! So a user is assigned a group2id! It is possible to obtain the id information by using
an id command as shown below-
,bhatt-iiitbsun .S/0id
uid1!))*2bhatt3 gid1!2other3
,bhatt-iiitbsun .S/0
(nce an account has been opened the user may do the following-
1! &hange the pass2word for access to one of his liking!
2! &ustomi,e many of the run command files to suit his needs!
Closing a user account5 5ere again the password file plays a role! 7e know that ;etc;password file has all
the information about the usersI home directory$ password$ shell$ user and group2id$ etc! 7hen a userIs
account is to be deleted$ all of this information needs to be erased! System administrators login as root and
delete the user entry from the password file to delete the account!
)isabling and$or remo>ing user accounts.
/emo'e or modify entry in ;etc;passwd
/emo'e entry in NIS;NISX maps
/emo'e Z5(>1;!rhosts files
/emo'e mail spool file
/emo'e from mail aliases file
/emo'e any cron or at 6obs
/emo'e directory
Garious file contents 56
2?Password file 6 $etc$passwd
;etc;passwd contains M fields$ each separated by H5H$ in the form-
Cogin2id- password- user2idP- group2idP- *ser Info-home2dir-shell
= -roup file 6 $etc$group
$etc$group contains D fields$ each separated by a H-H$ in the form-
group2name-password-gid-comma2separated$list$of$names
: Shadow file 6 $etc$shadow
etc$shadow contains K fields$ each separated by a H-H$ in the form-
login2id-password-lastchg-min-ma)-warn-inacti'e-e)pire-flag
The encrypted password field might also contain the entries-
NP for no password is 'alid
I#,I meaning the account is locked until the superuser sets a password
A typical $etc$shadow file might be-
root-stDDwfkg)::"+-------
daemon-N%-@DDF------
The shadow password file is updated using the commands-
passwd change the password and password attributes
useradd add a new user
usermod modify a userIs login information
userdel delete a userJs login entry
7 Password Aging
7ith password aging you can set minimum and ma)imum lengths of time for which the password is 'alid!
(nly the super user can change these 'alues! >a)imum time lengths force your users to change passwords
regularly! >inimum lengths pre'ent them from "uickly changing them back!
P passwd 2) DB frank
2.=.: !indows accounts
Single 7indows accounts are added with the command net user username password ;A88 ;domain or
using the G*I!
The additional /esource 9it package contains tools which allow lists of users to be registered from a
standard file format$ with addusers!e)e$ but only at additional cost!
7indows users begin in the root directory by default! It is customary to create a Yusers directory for home
directories! Network users con'entionally ha'e their home directory on the domain ser'er mapped to the
dri'e 5-! There is only a single choice of shell #command interpreter) for NT$ so this is not specified in the
user registration procedure! Se'eral possibilities e)ist for creating user profiles and access policies$
depending on the management model used!
= Controlling /ser 4esources8 )isk Space Allocation and Kuotas
1'ery system has a mi)ture of passi'e and acti'e users! 4assive users utili,e the system often minimally$
"uietly accepting the choices which ha'e been made for them! %assi'e users can be a security risk$ because
they are not aware of their actions!
Active users$ on the other hand$ follow e'ery detail of system de'elopment! They fre"uently 0ind e'ery
error in the system and contact system administrators fre"uently$ demanding upgrades of their fa'orite
programs! Acti'e users can be of great help to a system administrator$ because they test out problems and
report them acti'ely! They are an important part of the system administration team$ or community$ and can
also go a long way to helping the passi'e users!
Principle BActi>e users?. Active users need to understand that5 while their skills are appreciated5 they do
not decide system policy' they must obey it+ Even in a democracy5 rules are determined by process and then
obeyed by everyone+
=.2 4esource consumption
8isks fill up at an alarming rate! *sers almost ne'er throw away 0iles unless they ha'e to! If one is lucky
enough to ha'e only 'ery e)perienced and e)tremely friendly users on the system$ then one can try asking
them nicely to tidy up their files! >ost administrators do not ha'e this lu)ury howe'er! >ost users ne'er
think about the trouble they might cause others by keeping lots of 6unk around! After all$ multi2user systems
and network ser'ers are designed to gi'e e'ery user the impression that they ha'e their own pri'ate
machine! (f course$ some users are problematical by nature!
Suggestion BProblem users?. 9eep a separate partition for problem users< home directories$ or enforce
strict "uotas on them
To keep hosts working it is necessary to remo'e files$ not 6ust add them! [uotas limit the amount of disk
space users can ha'e access to$ but this does not sol'e the real problem! The real problem is that in the
course of using a computer many flies are created as temporary data but are ne'er deleted afterwards! The
solution is to delete them!
7hen a *NI+ program crashes$ the kernel dumps its image to disk in a file called core! These files crop up
all o'er the place and ha'e no useful purpose for most users! To most users they are 6ust fluff on the
upholstery and should be remo'ed! A lot of free disk space can be reclaimed by deleting these files! >any
users will not delete them themsel'es$ howe'er$ because they do not e'en understand why they are there!
+Hample. A useful strategy is to delete files one is not sure about only if they have not been accessed for a
certain period of time5 say a week+ This allows users to use +les freely as long as they need to5 but prevents
them from keeping the +les around for ever+ fengine can be used to perform this task
=.= ,illing old processes
%rocesses sometimes do not get terminated when they should! There are se'eral reasons for this! Sometimes
users forget to log out$ sometimes poorly written terminal software does not properly kill its processes
when a user logs out!
Sometimes background programs simply crash or go into loops from which they ne'er return! (ne way to
clean up processes in a work en'ironment is to look for user processes which ha'e run for more than a day!
#Note that the assumption here is that e'eryone is supposed to log out each day and then log in again the
ne)t day that is not always the case!) &fengine can also be used to clean up old processes! &fengine<s
processes commands are used to match processes in the process table #which can be seen by running ps a)
on *ni))!
=.: Mo>ing users
7hen disk partitions become full$ it is necessary to mo'e users from old partitions to new ones! >o'ing
users is a straightforward operation$ but it should be done with some caution! A user who is being mo'ed
should not be logged in while the mo'e is taking place$ or !les could be copied incorrectly! 7e begin by
looking for an appropriate user$ perhaps one who has used a particularly large amount of disk space!
6sers need to be informed about the move' we have to remember that they might hard7code the names of
their home directories in scripts and programs5 e+g+ 8Iscripts+ Also5 the user9s account must be closed by
altering their login shell5 for instance5 before the +les are moved+
=. 7 )eleting old users
*sers who lea'e an organi,ation e'entually need to be deleted from the system! 0or the sake of certainty$ it
is often ad'isable to keep old accounts for a time in case the user actually returns$ or wishes to transfer data
to a new location! 7hether or not this is acceptable must be a "uestion of policy! &learly it would be
unacceptable for company secrets to be transferred to a new location! 4efore deleting a user completely$ a
backup of the data can be made for safe2keeping!
Then we ha'e to remo'e the following-
Account entry from the password database!
%ersonal files!
12mail and 'oice mail and mailing lists!
/emo'al from groups and lists #e!g! mailing lists)!
/emo'al of cron and batch tasks!
/e'ocation of smartcards and electronic I8 codes
=.; )isk Space Allocation and Kuotas
In this section we shall discuss how does a system administrator manage the disk space!
we stated that at the time of formatting$ partitions of the disk get defined! The partitions may be physical or
logical! In case of a physical partition we ha'e the file system resident within one disk dri'e! In case of
logical partition$ the file system may e)tend o'er se'eral dri'es! In either of these cases the following
issues are at stake-
=.;.2 )isk Kuota5 8isk "uota can be allocated by reconfiguring the file system usually located at /etc/fstab!
To e)tend the allocation "uota in a file system we first ha'e to modify the corresponding entry in the
/etc/fstab file! The system administration can set hard or soft limits of user "uota! If a hard limit has been
set$ then the user simply cannot e)ceed the allocated space! 5owe'er$ if a soft limit is set$ then the user is
cautioned when he approaches the soft limit! *sually$ it is e)pected that the user will resort to purging files
no longer in use! 1lse he may seek additional disk space! Some systems ha'e "uota set at the group le'el! It
may also be possible to set "uota for indi'idual users! 4oth these situations re"uire e)ecuting an edit "uota
instruction with user name or group name as the argument! The format of ed:uota instruction is shown
below!
ed:uota user7name
8isk "uotas mean that users ha'e a hard limit to the number of bytes they are allowed to use on the disk!
They are an e)ample of a more general concept known as system accounting whereby you can control the
resources used by any user$ whether they be the number of printed pages sent to the printer or the number
of bytes written to the disk! 8isk "uotas ha'e ad'antages and disad'antages!
The ad'antage is that users really cannot e)ceed their limits! There is no way around this!
8isk "uotas are 'ery restricti'e and when a user e)ceeds their limit they often do not understand what has
happened! *sually users do not e'en get a message unless they are logging in! [uotas also pre'ent users
from creating large temporary files which can be a problem when compiling programs! They carry with
them a system o'erhead$ which makes e'erything run a little slower!
A user may interrogate the disk space a'ailable at any time by using the df command! Its usage is shown
below-
df ,options/ ,name/ ' to know the free disk space+
where name refers to a mounted file system$ local or remote! 7e may specify directory if we need to know
the information about that directory! The following options may help with additional information-
7l ' for local file system
7t ' reports total no+ of allocated blocks and i7nodes on the device+
The *ni) command du reports the number of disk blocks occupied by a file! Its usage is shown below-
du ,options/ ,name/+++ where name is a directory or a file
Abo'e name by default refers to the current directory! The following options may help with additional
information-
7a ' produce output line for each file
7s ' report only the total usage for each name that is a directory i+e+ not individual files+
7r ' produce messages for files that cannot be read or opened
: Super user$Administrator Pri>ileges.
As we know$ a pri'ileged account has potentially dangerous conse"uences for the system! 0rom this
account$ we ha'e the power to destroy the system$ or sabotage it! In short$ the superuser<s account should
be configured to a'oid as many casual mistakes as possible!
There is no harm in gi'ing *ni)<s root account an intelligent shell like tcsh or bash pro'ided that shell is
physically stored on the root partition! 7hen a *ni) system boots$ only the root partition is mounted! If we
reference a shell which is not a'ailable$ we can render the host unbootable!
The superuser<s %AT5 'ariable should ne'er include E!<$ i!e! the current directory! This is because it opens
the system to a type of security 'ulnerability that can lead to accidental e)ecution of the wrong command!
0or instance$ suppose an ordinary user left a files called ls in the ;tmp directory$ and suppose the root
account had the path
seten' %AT5 !-;bin-;usr;bin
If the superuser does the following
hostP cd ;tmp
hostP ls
then$ because the path search looks in the current directory first$ it would find and e)ecute the program
which had been left by the user! That program then gets e)ecuted with root pri'ileges and could be used to
gi'e the user concerned permanent pri'ileged access to the system$ for instance by installing a special
account for the user which has root pri'ileges! It should be clear that this is a security ha,ard!
The pri'ileged user should ne'er log in directly #unless the system is in single user mode or on the
console)!
The Superuser
1'ery *NI+ system comes with a special user in the /etc/passwd file with a *I8 of B! This user is known
as the superuser and is normally gi'en the username root! The password for the root account is usually
called simply the Hroot password!H
The root account is the identity used by the operating system itself to accomplish its basic functions$ such
as logging users in and out of the system$ recording accounting information$ and managing input;output
de'ices! 0or this reason$ the superuser e)erts nearly complete control o'er the operating system- nearly all
security restrictions are bypassed for any program that is run by the root user$ and most of the checks and
warnings are turned off!
#ecture D 3
4eading5 A2L.=.=62L.=.:
Contents56
2? Maintaining #og 'iles
=? 'ile System 4epair
:? Backup and 4estoration
#inks56
http-;;en!wikibooks!org;wiki;*NI+?&omputing?Security;Cog?files?and?auditing
http-;;fuseDbsd!creo!hu;localcgi;man2cgi!cgiWloggerX1
http-;;www!adminschoice!com;docs;fsck!htm
Contents56
2? Maintaining #og 'iles
=? 'ile System 4epair
:? Backup and 4estoration
2 Maintaining #og 'iles
Cog files are generated by system processes to record acti'ities for subse"uent analysis! They can be useful
tools for troubleshooting system problems and also to check for inappropriate acti'ity! The *NI+ releases
are preconfigured to record certain information in log files$ but configuration settings are a'ailable to
increase the amount of information recorded! Cog files can be 'ery useful resources for security incident
in'estigations! They can also be essential for prosecution of criminal acti'ity! 0or these reasons log files
should be periodically backed up to separate media$ and precautions need to be taken to pre'ent tampering
with the log files! It is e)peced that an unauthori,ed intruder into a computing system will attempt to
remo'e any trace of their acti'ities from the system log files!
0or log files that tend to grow significantly in si,e o'er the course of time$ it can be good practice to
periodically rotate the logs! That is to say$ rename the current log file to a name in a se"uence$ and start a
new log! 5ere is an e)ample of rotating a log file called mylog5
Z cd ;'ar;adm
Z test 2f mylog!2 GG m' 2f mylog!2 mylog!:
Z test 2f mylog!1 GG m' 2f mylog!1 mylog!2
Z test 2f mylog!log GG cp 2p mylog mylog!1
Z -Rmylog
1.1 Syslog
The system log is a log file that is maintained by the syslogd daemon! This log file can collect a 'ariety
of useful information$ including panic conditions$ data corruption$ hardware errors$ as well as warnings and
tracking information! This log file can be written to from a shell or script by means of the logger
command! >essages are sent to the syslogd daemon$ which processes them according to a configuration
defined by a special file #such as /etc/syslog.conf)!
1'ents passed to the syslog are defined by a set of facilities and log le'els! &ombinations of facilities and
log le'els can be processed in different manners$ or ignored altogether! 0or e)ample$ all error messages can
be copied to the syslog.log file and e2mailed to the System Administrator$ alerts can be printed to the
console$ mail debug messages can be added to a mail.log file$ and so forth! The System Administrator
should also be wary of misleading log messages! *sers can add log entries using the logger command$
and this can be employed as a prank or nuisance factor!
2.= Newsyslog 22 maintain system log files to manageable si,es
newsyslog \6C'Nnrs>] \64 tagname] \6a directory] \6d directory]\6f config;file] \file +++]
The newsyslog utility should be scheduled to run periodically !
2.: syslogd 22 log systems messages
syslogd \679DACcdknosu>] \6a allowed;peer] \6b bind;address]\6f config;file] \6l \mode-]path] \6m
mark;interval] \6P pid;file] \6p log;socket]
The syslogd utility reads and logs messages to the system console$ log files$ other machines and;or users as
specified by its configuration
2.7 logger 22 make entries in the system log
logger \679Ais] \6f file] \6h host] \6P port] \6p pri] \6t tag] \message +++]
The logger utility pro'ides a shell command interface to the syslog system log module!
= 'ile System 4epair
fsck is a *ni) utility for checking and repairing file system inconsistencies ! 0ile system can become
inconsistent due to se'eral reasons and the most common is abnormal shutdown due to hardware failure $
power failure or switching off the system without proper shutdown ! 8ue to these reasons the superblock in
a file system is not updated and has mismatched information relating to system data blocks$ free blocks
and inodes !
=.2 Modes of operation -
fsck operates in two modes interacti'e and non interacti'e -
a? interacti>e - the fsck e)amines the file system and stops at each error it finds in the file system and gi'es
the problem description and ask for user response usually whether to correct the problem or continue
without making any change to the file system!
b?noninteracti>e -fsck tries to repair all the problems it finds in a file system without stopping for user
response useful in case of a large number of inconsistencies in a file system but has the disad'antage of
remo'ing some useful files which are detected to be corrupt !
If file system is found to ha'e problem at the booting time non interacti'e fsck fsck is run and all errors
which are considered safe to correct are corrected! 4ut if still file system has problems the system boots in
single user mode asking for user to manually run the fsck to correct the problems in file system
=8=4unning fsck -
fsck should always be run in a single user mode which ensures proper repair of file system ! If it is run in a
busy system where the file system is changing constantly fsck may see the changes as inconsistencies and
may corrupt the file system !
if the system can not be brought in a single user mode fsck should be run on the partitions $other than root
G usr $ after unmounting them ! /oot G usr partitions can not be unmounted ! If the system fails to come up
due to root;usr files system corruption the system can booted with &8 and root;usr partitions can be
repaired using fsck!
command syntaH5
fsck \ 6' fstype] \6G] \6y^] \6o options] special
=.: phases -
fsck checks the file system in a series of F pages and checks a specific functionality of file system in each
phase!
TT phase 1 2 &heck 4locks and Si,es
TT phase 2 2 &heck %athnames
TT phase : 2 &heck &onnecti'ity
TT phase D 2 &heck /eference &ounts
TT phase F 2 &heck &ylinder Groups
: Backup and 4estoration
:.2 Backup schemes
4ackup applies to indi'idual changes$ to system setup and to user data alike! In backing up data according
to a regular pattern$ we are assuming that no ma6or changes occur in the structure of data !If ma6or changes
occur$ we need to start backups afresh! The network has completely changed the way we ha'e to think
about backup! Transmitting copies of files to secondary locations is now much simpler! The basics of
backup are these-
Physical location: A backup should be kept at a different physical location than the original! If
data were lost because of fire or natural disaster$ then copies will also be lost if they are stored
nearby! (n the other hand$ they should not be too far away$ or restoration time will suffer!
How often? 5ow often does the data change significantly$ i!e! how often do we need to make a
backupW 1'ery dayW 8o you need to archi'e se'eral different 'ersions of files$ or 6ust the latest
'ersionW The cost of making a backup is a rele'ant factor her
Relevant and irrelevant files: There is no longer much point in making a backup of parts of the
operating system distribution itself! Today it is usually 6ust as "uick to reinstall the operating
system from source$ using the original &82/(>! If we ha'e followed the principle of separating
local modifications from the system files$ then it should be tri'ial to backup only the files which
cannot be reco'ered from the &82/(>$ without ha'ing to backup e'erything!
Backup policy: Some sites might ha'e rules for defining what is regarded as 'alid information$ i!e!
what it is worth making a backup of! 0iles like prog!tar!g, might not need to be kept on backup
media since they can be reco'ered from the network 6ust as easily! Also one might not want to
make backups of teen Eartwork< which certain users collect from the network$ nor temporary data$
such as browser cache files!
:.2.2 Medium
Traditionally backups ha'e been made from disk to tape #which is relati'ely cheap and mobile)$ but tape
backup is awkward and difficult to automate unless one can afford a speciali,ed robot to change and
manage the tapes! 0or small sites it is also possible to perform disk mirroring! 8isk is cheap$ while human
operators are e)pensi'e! >any modern filesystems #e!g! 80S) are capable of automatic disk mirroring in
real2time! A cheap approach to mirroring is to use cfengine-
P cfengine!conf on backup host
copy-
;home destS;backup;home
recurseSinf
ser'erSmyhost
e)cludeScore
7hen run on the backup host$ this makes a backup of all the files under the directory ;home on the host
myhost$ apart from core files!
/AI8 disks also ha'e inbuilt redundancy which allows data to be reco'ered in the e'ent of a single disk
crash! Another ad'antage with a simple mirroring scheme is that users can reco'er their files themsel'es$
immediately without ha'ing to bother a system administrator!
:.2.=A backup schedule
5ow often we need to make backups depends on two competing rates of change-
The rate at which new data are produced!
The e)pected rate of loss or failure!
0or most sites$ a daily backup is sufficient! In a war2,one$ where risk of bombing is a threat at any moment$
it might be necessary to back up more often!
>ost organi,ations do not produce huge amounts of data e'ery day3 there are limits to human creati'ity!
5owe'er$ other organi,ations$ such as research laboratories collect data automatically from instruments
which would be impractically e)pensi'e to re2ac"uire! In that case$ the importance of backup would be
e'en greater! (f course$ there are limits to how often it is possible to make a backup! 4ackup is a resource2
intensi'e process!
Suggestion BStatic data?. <hen new data are ac:uired and do not change5 they should be backed up to
permanent write7once media at once+ D7=.> is an e(cellent medium for storing permanent data+
Backup 4estore
cp 2ar cp 2ar
tar cf tar )pf
GN* tar ,cf tar ,)pf
dd dd
cpio cpio
dump restore
ufsdump restore
rdump rrestore
NT4ackup (f course$ commercial backup solutions e)ist for all operating systems$ but they are often
costly!
(n both *NI+ and 7indows$ it is possible to backup filesystems either fully or differentially$ also called
incrementally. A full dump is a copy of e'ery file! An incremental backup is a copy of only those files
which ha'e changed since the last backup was taken! Incremental backups rely on dump timestamps and a
consistent and reliable system clock to a'oid files being missed! 0or instance$ the *NI+ dump utility
records the dates of its dumps in a file ;etc;dumpdates!
Incremental dumps work on a scheme of le'els$ as we shall see in the e)amples below! There is many
schemes for performing system dumps-
M Mirroring' 4y far the simplest backup scheme is to mirror data on a daily basis! A tool like cfengine or
rsync #*ni)) can be used for this$ copying only the files which ha'e changed since the pre'ious backup!
&fengine is capable of retaining the last two 'ersions of a file$ if disk space permits! A disad'antage with
this approach is that it places the onus of keeping old
'ersions of files on the user! (ld 'ersions will be mercilessly o'erwritten by new ones!
. Simple tape ackup: Tape backups are made at different levels! A le'el B dump is a complete dump of a
filesystem! A le'el 1 dump is a dump of only those files which ha'e changed since the last le'el B dump3 a
le'el 2 dump backs up files which ha'e changed since the last le'el 1 dump and so on$ incrementally! There
are commonly nine le'els of dumps using the *ni) dump commands!
NT4ackup also allows incremental dumps!
The point of making incremental backups is that they allow us to capture changes in rapidly changing files
without ha'ing to copy an entire filesystem e'ery time! The 'ast ma6ority of files on a filesystem do not
change appreciably o'er the space of a few weeks$ but the few files which we are working on specifically
do change often! 4y pin2pointing these for special treatment we
sa'e both time and tapes!
So how do we choose a backup schemeW There are many approaches$ but the key principle to ha'e in mind
is that of redundancy. The more copies of a file we ha'e$ the less likely we are to lose the file!
A dump se"uence should always begin with a le'el B dump$ i!e! the whole filesystem! This initiali,es the
se"uence of incremental dumps! >onday e'ening$ Tuesday morning or Saturday are good days to make a
le'el B dump$ since that will capture most large changes to the filesystem that occur during the week or
weekend$ in the le'el B dump rather than in the subse"uent incremental ones!
Studies show that users download large amounts of data on >ondays #after the weekend break) and it
stands to reason that after a week of work$ large changes will ha'e taken place by Saturday! So we can take
our pick! 5ere is a simple backup se"uence for user home2directories$ then$ assuming that the backups are
taken at the end of each day-
Notice how this se"uence works! 7e start with a full dump on >onday e'ening$ collecting all files on the
filesystem! Then on subse"uent days we add only those files which ha'e changed since the pre'ious day!
0inally on Saturday we go back to a le'el 1 dump which captures all the changes from the whole week
#since the >onday dump) in one go! 4y doing this$ we ha'e two backups of the changes$ not 6ust one! If we
do not e)pect much to happen o'er the weekend$ we might want to drop the dump on Saturday!
A 'ariation on this scheme$ which captures se'eral copies of e'ery file o'er multiple tapes$ is the so2called
!owers of Hanoi se"uence! The idea here is to switch the order of the dump le'els e'ery other day! This
has the effect of capturing not only the files which ha'e changed since the last dump$ but also all of the
files from the pre'ious dump as well! 5ere is a sample for >onday to
Saturday-
There are se'eral things to notice here! 0irst of all$ we begin with a le'el B dump at the beginning of the
month! This captures primarily all of the static files! Ne)t we begin our first week with a le'el : dump
which captures all changes since the le'el B dump! Then$ instead of stepping up$ we step down and capture
all of the changes since the le'el B dump again #since : is higher than 2)! This means that we get e'erything
from the le'el : dump and all the changes since then too! (n
day D we go for a le'el F dump which captures e'erything since the last le'el :$ and so on!
1ach backup captures not only new changes$ but all of the pre'ious backup also! This pro'ides double the
amount of redundancy as would be gained by a simple incremental se"uence! 7hen it comes to >onday
again$ we begin with a le'el 1 backup which grabs the changes from the whole of the pre'ious week! Then
once a month$ a le'el B backup grabs the whole thing again!
2=.:.: 4eco>ery from loss
The ability to reco'er from loss presupposes that we ha'e enough pieces of the system from which to
reconstruct it$ should disaster strike! This is where the principle of redundancy comes in! If we ha'e done
an ade"uate 6ob of backing up the system$ including special information about its hardware configuration$
then we will not lose data$ but we can still lose 'aluable time!
/eco'ery plans can be useful pro'ided they are not merely bureaucratic e)ercises! *sually a checklist is
sufficient$ pro'ided the system administration team is all familiar with the details of the local configuration!
A common mistake in a large organi,ation$ which is guaranteed to lead to friction$ is to make unwarranted
assumptions about a local department! 8elegation can be a 'aluable strategy in the fight against time! If
there are sufficient local system administrators who know the details of each part of the network$ then it
will take such people less time to make the appropriate decisions and implement the reco'ery plan!
5owe'er$ delegation also opens us up to the possibility of inconsistency we must make sure that those we
delegate to be well trained! #/emember to set the write2protect tab on tapes and ha'e someone check this
afterwards!)
7hen loss occurs$ we ha'e to reco'er files from the backups! (ne of the great ad'antages of a disk
mirroring scheme is that users can find backups of their own files without ha'ing to in'ol'e an
administrator! 0or larger file reco'eries$ it is more efficient for a system administrator to deal with the task!
/estoring from tape backup is a much more in'ol'ed task! *nfortunately$ it is not merely a matter of
donkey work! 0irst of all we ha'e to locate the correct tape #or tapes) which contain the appropriate
'ersions of backed up files! This in'ol'es ha'ing a system for storage$ reading labels and understanding
any incremental se"uence which was used to perform the dump! It is a time2consuming business! (ne of
the awkwardness<s of incremental backups is that backing up files can in'ol'e changing se'eral tapes to
gather all of the files!
Suggestion B/4# filesystem names?. 6se a global 6=? naming scheme for all filesystems5 so that the
filename contains the true location of the file5 and you will never lose a file on a tape5 even if the label falls
off+ Each file will be sufficiently labeled by its time7stamp and its name+
7e ha'e two choices in reco'ery- reconstruction from backup or from source!
/eco'ery from source is not an attracti'e option for local data! It would in'ol'e typing in e'ery document
from scratch! 0or software which is imported from e)ternal sources #&82/(>s or ftp repositories)$ it is
possible to reconstruct software repositories like ;usr;local or 7indows< software directories! 7hether or
not this is a realistic option depends on how much money one has to spend! 0or a particularly impo'erished
department$ reconstruction from source is a cheap option!
A&Cs present an awkward problem for 7indows filesystems! 7hereas *ni)<s root account always has
permission to change the ownership and access rights of a file$ 7indows<s Administrator account does not!
(n 7indows systems$ it is important not to reinstate files with permissions intact if there is a risk of them
belonging to a foreign domain! If we did that$ the files would be unreadable to e'eryone$ with no possibility
of changing their permissions!
/eco'ery also in'ol'es some soul searching! 7e ha'e to consider the reason for the loss of the data! &ould
the loss of data ha'e been pre'entedW &ould it be pre'ented at a later timeW If the loss was due to a security
breach or some other form of 'andalism$ then it is prudent to consider other security measures at the same
time as we reconstruct the system from the pieces!
#ecture E 3
4eading5 A7.C
Contents56
2? &andling Man Pages$&elp System
=? ,ernel Customi(ation
#inks56
http-;;www!computerhope!com;uni);uman!htm
2 &andling Man Pages$&elp System
man
The man command which is short for manual pro'ides in depth information about the re"uested command
or allows users to search for commands related to a particular keyword!
SyntaH
Shows you online manuals on *ni) commands!
man ,7/ ,7k keywords/ topic
6 8isplays the manual without stopping!
6k keywords Searches for keywords in all of the manuals a'ailable!
topic 8isplays the manual for the topic or command typed
in!
+Hamples
man mkdir 2 Cists help information on the mkdir command!
man 6k irc 2 [uickly search for manuals containing irc within them! 4elow is an e)ample of what the
results may look like-
= ,ernel customi(ation
The operating system kernel is that most important part of the system which dri'es the hardware of the
machine and shares it between multiple processes! If the kernel does not work well$ the system as a whole
will not work well! The main reason for making changes to the kernel is to fi) bugs and to upgrade system
software$ such as support for new hardware3 performance gains can also be achie'ed howe'er$ if one is
patient!>any operating system kernels are monolithic$ statically compiled programs which are specially
built for each host$ but static programs are infle)ible and the current trend is to replace them with software
configurable systems which can be manipulated without the need to recompile the kernel! System = *ni)
has bla,ed the trail of adaptable$ configurable kernels$ in its "uest to build an operating system which will
scale from laptops to mainframes! It introduces kernel modules which can be loaded on demand! 4y
loading parts of the kernel only when re"uired$ one reduces the si,e of the resident kernel memory image$
which can sa'e memory! This policy also makes upgrades of the different modules independent of the main
kernel software$ which makes patching and reconfiguration simpler! &onfiguration of the 7indows kernel
also does not re"uire a recompilation$ only the choice of a number of parameters$ accessed through the
system editor in the %erformance >onitor$ followed by a reboot! GN*;Cinu) switched from a static$
monolithic kernel to a modular design "uite "uickly! The Cinu) kernel strikes a balance between static
compilation and modular loading! This balances the con'enience of modules with the increased speed of
ha'ing statically compiled code fore'er in memory!
Solaris
Neither Solaris nor 7indows re"uire or permit kernel recompilation in order to make changes! In Solaris$
for instance$ one edits configuration files and reboots for an auto2reconfiguration! 0irst we edit the file
;etc;system to change kernel parameters$ then reboot with the command
reboot 22 2r which reconfigures the system automatically! There is also a large number of system parameters
which can be configured on the fly #at run time) using the ndd command!
-N/$#inuH
The Cinu) kernel is sub6ect to more fre"uent re'ision than many other systems$ owing to the pace of its
de'elopment! It must be recompiled when new changes are to be included$ or when an optimi,ed kernel is
re"uired! >any GN*;Cinu) distributions are distributed with older kernels$ while newer kernels offer
significant performance gains$ particularly in kernel2intensi'e applications like N0S$ so there is a practical
reason to upgrade the kernel! The compilation of a new kernel is a straightforward but time2consuming$
process! The standard published procedure for installing and configuring a new kernel is as follows! New
kernel distributions are obtained from any mirror of the Cinu) kernel site \1M@]! 0irst we back up the old
kernel$ unpack the kernel sources into the operating system<s files #see the note below) and alias the kernel
re'ision
to ;usr;src;linu)! Note that the bash shell is re"uired for kernel compilation!
Z cp ;boot;'mlinu, ;boot;'mlinu)!old
Z cd ;usr;src
Z tar ,)f ;local;site;src;linu)22!2!K!tar!g,
Z ln 2s linu)22!2!K linu)
There are often patches to be collected and applied to the sources! 0or each patch file-
Z ,cat ;local;site;src;patch+!g, V patch 2pB
Then we make sure that we are building for the correct architecture #Cinu) now runs on se'eral types of
processor)!
Z cd ;usr;include
Z rm 2rf asm linu) scsi
Z ln 2s ;usr;src;linu);include;asm2i:J@ asm
Z ln 2s ;usr;src;linu);include;linu) linu)
Z ln 2s ;usr;src;linu);include;scsi scsi
Ne)t we prepare the configuration-
Z cd ;usr;src;linu)
Z make mrproper
lilo and -rub
After copying a kernel loader into place$ we ha'e to update the boot blocks on the system disk so that a
boot program can be located before there is an operating kernel which can interpret the filesystem! This
applies to any operating system$ e!g! Sun(S has the installboot program! After installing a new kernel in
GN*;Cinu)$ we update the boot records on the system disk by running the lilo program! The new loader
program is called by simply typing lilo! This reads
a default configuration file ;etc;lilo!conf and writes loader data to the >aster 4oot /ecord #>4/)! (ne can
also write to the primary Cinu) partition$ in case something should go wrong-
lilo 2b ;de';hda1
so that we can still boot$ e'en if another operating system should destroy the boot block!
#ogistics of kernel customi(ation
The standard procedure for installing a new kernel breaks a basic principle- don<t mess with the operating
system distribution$ as this will 6ust be o'erwritten by later upgrades! It also potentially breaks the principle
of reproducibility- the choices and parameters which we choose for one host do not necessarily apply for
others! It seems as though kernel configuration is doomed to lead us down the slippery path of making
irreproducible$ manual changes to e'ery host!
7e should always bear in mind that what we do for one host must usually be repeated for many others! If it
were necessary to recompile and configure a new kernel on e'ery host indi'idually$ it would simply ne'er
happen! It would be a pro6ect for eternity!
The situation with a kernel is not as bad as it seems$ howe'er! Although$ in the case of GN*;Cinu)$ we
collect kernel upgrades from the net as though it were third party software$ it is rightfully a part of the
operating system! The kernel is maintained by the same source as the kernel in the distribution$ i!e! we are
not in danger of losing anything more serious than a configuration file if we upgrade later! 5owe'er$
reproducibility across hosts is a more serious concern! 7e do not want to repeat the 6ob of kernel
compilation on e'ery single host! Ideally$ we would like to compile once and then distribute to similar
hosts! 9ernels can be compiled$ cloned and distributed to different hosts pro'ided they ha'e a common
hardware base #this comes back to the principle of uniformity)!
#ecture 2L3
4eading- A9.C8 A9.C.269.C.:
Contents56
%ntegrating Multiple Fperating Systems
System Sharing
/ser %)s8 Passwords and Authentication.
Integrating >ultiple (perating Systems-2
&ombining radically different operating systems in a network en'ironment is a challenge both to users and
administrators! 1ach operating system ser'ices a specific function well$ and if we are to allow users to
mo'e from operating system to operating system with access to their personal data$ we need to balance the
con'enience of a'ailability with the caution of differentiation! It ought to be clear to users where they are$
and what system they are using$ to a'oid unfortunate mistakes! &ombining different *ni)2like systems is
challenge enough$ but adding 7indows hosts or >acintosh technology to a primarily *ni)2based network$
or 'ice 'ersa$ re"uires careful planning! It is always possible to mo'e data between two hosts using the
uni'ersally supported 0T% protocol! 4ut do we need to ha'e open file sharing or software compatibilityW
2.2 Compatible naming
8ifferent operating systems use "uite different naming schemes for ob6ects! *NI+ names could not be
represented in >S8(S unless they were no longer than eight characters! Some operating systems did not
allow spaces in filenames! Some assign and reser'e special meanings for characters! The Internet */C
naming scheme has created its own naming scheme for ob6ects$ which takes into account the ser'ice or
communications channel used to access the ob6ect-
&hannel-;;(b6ect2name
0ile names are often$ but not always$ hierarchical! 7indows introduced the notion of Edri'es<$ for instance-
A-$ 4-$ &- and so on! The Internet %rotocol family uses a hierarchical naming scheme encoded into I%
addresses! The general problem of naming ob6ects in distributed systems has great importance to being able
to locate resources and e)press their locations! Names can play a fundamental role in how we choose to
integrate resources within a system! They address both cultural and practical issues!
2.= 'ilesystem sharing
Sharing of filesystems between different operating systems can be useful in a 'ariety of circumstances!
0ile2ser'ers$ which host and share users< files$ need to be fast$ stable and capable machines! 7orkstations
for end2users$ on the other hand$ are chosen for "uite different reasons! They might be chosen to run some
particular software$ or on economic ground$ or perhaps for user2friendliness! The >acIntosh has always
been a fa'orite workstation for multi2media applications! It is often the preferred platform for music and
graphical applications! 7indows operating systems are cheap and ha'e a wide and successful software
base!
There are other reasons for wanting to keep an inhomogeneous #heterogeneous) network! An organi,ation
might need a mainframe or 'ector processor for intensi'e computation$ whose disks need to be a'ailable to
workstations for collecting data!
There might be legacy systems waiting to be replaced with new machinery$ which we ha'e to
accommodate in order to run old software$ or de'elopment groups supporting software across multiple
platforms! There are a do,en reasons for integration!
>ost solutions to the file2sharing problem are software based! &lient and ser'er software is a'ailable for
implementing network2sharing protocols across platform boundaries! 0or e)ample$ client software for the
*ni) N0S filesystem has been implemented for both 7indows #%&N0S) and >acIntosh system This
enables 7indows and >acIntosh workstations to use *ni)like hosts as file and printer ser'ers$ in much the
same way as 7indows ser'ers or No'ell Netware ser'ers pro'ide those ser'ices!
These ser'ices are ade"uate for insecure operating systems$ since there is no need to map file permissions
across foreign filesystems! 7indows is more of a problem$ howe'er! 7indows A&Cs cannot be represented
in a simple fashion on a *ni) filesystem!
The con'erse$ that of making *ni) files a'ailable to %&s$ has the re'erse problem! 7hile NT is capable of
representing *ni) file permissions$ 7indows K) and the >acIntosh are not!
Insecure operating systems are always a risk in network sharing! The Samba software is a free software
package which implements *ni) file semantics in terms of the 7indows S>4 #Ser'er >essage 4lock)
protocols! Netware pro'ides an NT client called N8S #Network 8irectory Ser'ices) for NT which allows
NT domain ser'ers to understand the No'ell ob6ect directory model!
>echanisms clearly e)ist to implement cross2platform sharing! The main "uestion is$ how easy are these
systems to implement and maintainW Are they worth the cost in time and moneyW
2.: /ser %)s and passwords
If we intend to implement sharing across such different operating systems as *ni) and 7indows$ we need
to ha'e common usernames on both systems! &rossplatform user authentication is usually based on the
understanding that username te)t can be mapped across operating systems! &learly numerical *ni) user
I8s and 7indows security I8s cannot map meaningfully between systems without some glue to match
them- that glue is the username! To achie'e sharing$ then$ we must standardi,e usernames! *ni)2like
systems often re"uire usernames to be no more than eight characters$ so this is a good limit to keep to if
*ni)2like operating systems are in'ol'ed or might become in'ol'ed!
Principle BFne name for one ob1ect %%?. Each user should have the same uni:ue name on every host+
>ultiple names lead to confusion and mistaken identity+ A uni:ue username makes it clear which user is
responsible for which actions+
&ommon passwords across multiple platforms are much harder than disk sharing$ and it is a much more
"uestionable practice #see below)!
2.7 /ser authentication
>aking passwords work across different operating systems is problem in a scheme for complete
integration! The password mechanisms for *NI+ and 7indows are completely different and basically
incompatible! The new >ac (S Ser'er + is based on 4S8D!D emulation$ so its integration with other *ni)2
like operation systems should be relati'ely painless! 7indows$ howe'er$ remains the odd2one2out! 7hether
or not it is correct to merge the password files of two separate operating systems is a matter for policy!
The user bases of one operating system are often different from the user bases of another! 0rom a security
perspecti'e$ making access easy is not always the right thing to do!
%asswords are incompatible between 7indows and *NI+ for two reasons-
NT passwords can be longer than *NI+ passwords and the form of encryption used to store them is
different!
The encryption mechanisms which are used to store passwords are one2way transformations$ so it is not
possible to con'ert one into the other! There is no escaping the fact that these systems are basically
incompatible!
The %A> #%luggable Authentication >odules) mechanism is an indirection mechanism for e)changing or
supplementing authentication mechanisms$ for users and for network ser'ices$ simply by adding modules to
a configuration file
;etc;pam!conf!
Instead of being prompted for a *NI+ password on login$ users are connected to one or more password
modules! 1ach module prompts for a password and grants security credentials if the password is correctly
recei'ed! Thus$ for instance$ users could be immediately prompted for a *NI+ password$ a 9erberos
password and a 8&1 password on login$ thus remo'ing the necessity for a manual login to these e)tra
systems later!
%A> also supports the idea of mapped passwords$ so that a single strong password can be used to trigger
the automatic login to se'eral stacked modules$ each with its own pri'ate password stored in a %A>
database!
%A> could clearly help in the integration of *ni) with 7indows if a module for 7indows2style
authentication could be written for *ni)!
#ecture 22 3
4eading5 A=.:.26=.:.:
#inks56
http-;;www!geocities!com;ra'ee?2@;
www!NT0S!(/G
http-;;gama!'tu!lt;biblioteka;(perating?systems;(perating?systems!pdf
http-;;nptel!iitm!ac!in;courses;7ebcourse2contents;IISc 4ANG;(perating
A2BSystems;pdf;Cecture?Notes;>odA2B1?CN!pdf
Contents56
0ile Systems and standards #*0S!N0S$NT0S)
10ile Systems and standards #*0S!N0S$NT0S)
2 'ile systems
0iles and file systems are at the 'ery heart of what system administration is about! Almost e'ery task in
host administration or network configuration in'ol'es making changes to files! 7e need to ac"uire a basic
understanding of the principles of file systems$ so what better way than to e)amine some of the most
important files systems in use today
2.2 /niH file model B/'S?
*NI+ has a hierarchical file system$ which makes use of directories and subdirectories to form a tree! All
file systems on *ni)2like operating systems are based on a system of inde) nodes$ or inodes$ in which
e'ery file has an inde) entry stored in a special part of the file system! The inodes contain an e)tensible
system of pointers to the actual disk blocks which are associated with the file! The inode contains essential
information needed to locate a file on the disk! The top or start of the *NI+ file tree is called the root file
system or E;<!
The file hierarchy
All files and directories in the *NI+ system are stored in a hierarchical tree structure! 1n'ision it as an
*pside2down tree$ as in the figure below!
0igure *NI+ 8irectory Structure
At the top of the tree is the root directory! Its directory name is simply ; #a slash character)!
4elow the root directory is a set of ma6or subdirectories that usually include bin$ de'$ etc$ lib$ pub$ tmp$ and
usr! 0or e)ample$ the ;bin directory is a subdirectory$ or _child$` of ; #the root directory)! The root
directory$ in this case$ is also the parent directory of the bin directory! 1ach path leading down$ away from
the root$ ends in a file or directory! (ther paths can branch out from directories$ but not from files!
>any directories on a *NI+ system ha'e traditional names and traditional contents! 0or e)ample$
directories named bin contain binary files$ which are the e)ecutable command and application files!
A lib directory contains library files$ which are often collections of routines that can be included in
programs by a compiler!
de> contains de'ice files$ which are the software components of terminals$ printers$ disks$ etc!
tmp directories are for temporary storage$ such as when a program creates a file for something and then
deletes it when it is done!
The etc directory is used for miscellaneous administrati'e files and commands!
pub is for public files that anyone can use
usr has traditionally been reser'ed for user directories
^our home directory is the directory that you start out from when you first login! It is the top le'el
directory of your account! ^our home directory name is almost always the same as your userid!
1'ery directory and file on the system has a path by which it is accessed$ starting from the root
directory! The path to the directory is called its pathname.
^ou can refer to any point in the directory hierarchy in two different ways- using its full Bor absolute?
pathname or its relati>e pathname.
The full pathname traces the absolute position of a file or directory back to the root directory$ using
slashes #;) to connect e'ery point in the path! 0or e)ample$ in the figure abo'e$ the full pathname of
file2 would be ;usr;bin;file2!
4elati>e pathnames begin with the current directory #also called the working directory$ the one you are
in)! If ;usr were your current directory$ then the relati'e pathname for file2 would be bin;file2!
2.= !indows file model
The 7indows operating system supports a 'ariety of legacy file systems for backward compatibility with
8(S and 7indows K)!
NT0S
0AT
'ile system layout
8rawing on its 8(S legacy$ 7indows treats different disk partitions as independent floppy disks$ labeled
by a letter of the alphabet-
A- 4- &- 8- !!!
0or historical reasons$ dri'e A- is normally the diskette station$ while dri'e &- is the primary hard disk
partition! (ther dri'e names are assigned at random$ but often 5- is reser'ed for partitions containing users<
home directories!
The layout of the 7indows file system has changed through the different 'ersions$ in an effort to impro'e
the structure! This description relates to NT D!B! The system root is usually stored in &-Y7inNT and is
generally referred to by the system en'ironment 'ariable ASystem /ootA!
&-YI:J@ This directory contains binary code and data for the 7indows operating system! This should
normally be left alone!
&-Y%rogram 0iles this is 7indows<s official location for new software! %rogram packages which you buy
should install themsel'es in subdirectories of this directory! >ore often than not they choose their own
locations$ howe'er$ often with a distressing lack of discipline!
&-YTemp Temporary scratch space$ like *ni)<s ; tmp!
&-Y7inNT this is the root directory for the 7indows system! This is mainly for operating system files$ so
you should not place new files under this directory yourself unless you really know what you are doing!
Some software packages might install themsel'es here!
&-Y7inNTYconfig &onfiguration information for programs! These are generally binary files so the contents
of 7indows configuration files are not 'ery interesting!
&-Y7inNTYsystem:2 this is the so2called system root! This is where most system applications and data2
files are kept!
'ile eHtensions
7hereas files can go by any name in *NI+$ >icrosoft operating systems ha'e always used the concept of
file e)tensions to identify special file types! 0or e)ample-
2.: 'ile System Standards
Garious file system standards are
2? 'AT
=? NT'S
:? /'SB /N%0 'ile System?
7? N'S
2? 'AT B'ile allocation Table?
0ile Allocation Table #0AT) is a patented file system de'eloped by >icrosoft for >S28(S and is the
primary file system for consumer 'ersions of >icrosoft 7indows up to and including 7indows >e!
0AT is a table that an operating system maintains in order to map the clusters #the smallest unit of storage)
that a file has been stored in! 7hen files are written to a hard disk$ the files are stored in one or more
clusters that may be spread out all o'er the hard disk! The table allows 7indows to find the HpiecesH of
your file and reassemble them when you wish to open it!
A partition is di'ided up into identically si,ed clusters$ small blocks of contiguous space! &luster si,es 'ary
depending on the type of 0AT file system being used and the si,e of the partition$ typically cluster si,es lie
somewhere between 2 94 and :2 94! 1ach file may occupy one or more of these clusters depending on its
si,e3 thus$ a file is represented by a chain of these clusters #referred to as a singly linked list)! 5owe'er
these chains are not necessarily stored ad6acent to one another on the diskIs surface but are often instead
fragmented throughout the 8ata /egion!
The 0ile Allocation Table #0AT) is a list of entries that map to each cluster on the partition! 1ach entry
records one of fi'e things-
. The address of the ne)t cluster in a chain
. A special end of file #1(0) character that indicates the end of a chain
. A special character to mark a bad cluster
. A special character to mark a reser'ed cluster
. A ,ero to note that that cluster is unused
'AT29 6 0AT1@ table entries are 1@ bits in length limiting hard disk si,es to 2G4! Note that e'en
if the (S supports larger partition si,es$ the 4I(S must also support logical block addressing
#C4A) or the ma)imum partition that you will be able to create will be either FBD or F2J >4!
'AT:= 6 &reated to allow more efficient use of hard dri'e space and allowed for partitions up to
JG4 using D94 cluster si,es! In order to format a dri'e as 0AT:2$ the HCarge disk SupportH must
be enabled when starting 08IS9! 0AT:2 is not compatible with older 'ersions of 7indows
including 7indows KFA and NT! In 7indows K!)$ the &=T1!1+1 can be used to con'ert 0AT1@
partitions to 0AT:2
Main disk structures
A 0AT file system is composed of four different sections!
2. The 4eser>ed sectors$ located at the 'ery beginning! The first reser'ed sector is the Boot Sector
BPartition Boot 4ecord?! It includes an area called the 4I(S %arameter 4lock #with some basic file system
information$ in particular its type$ and pointers to the location of the other sections) and usually contains the
operating systemIs boot loader code! The total count of reser'ed sectors is indicated by a field inside the
4oot Sector! Important information from the 4oot Sector is accessible through an operating system
structure called the 8ri'e %arameter 4lock in 8(S and (S;2!
=. The 'AT 4egion! This contains two copies of the 0ile Allocation Table for the sake of redundancy$
although the e)tra copy is rarely used$ e'en by disk repair utilities! These are maps of the partition$
indicating how the clusters are allocated!
:. The 4oot )irectory 4egion! This is a 8irectory Table that stores information about the files and
directories in the root directory! 7ith 0AT:2 it can be stored anywhere in the partition$ howe'er with
earlier 'ersions it is always located immediately after the 0AT /egion!
7. The )ata 4egion. This is where the actual file and directory data is stored and takes up most of the
partition! The si,e of files and subdirectories can be increased arbitrarily #as long as there are free clusters)
by simply adding more links to the fileIs chain in the 0AT! Note howe'er$ that each cluster can be taken
only by one file$ and so if a 1 94 file resides in a :2 94 cluster$ :1 94 are wasted!
Ad>antage56
The 0AT file system is considered relati'ely uncomplicated$ and is conse"uently supported by
'irtually all e)isting operating systems for personal computers! This ubi"uity makes it an ideal
format for floppy disks and solid2state memory cards$ and a con'enient way of sharing data
between disparate operating systems installed on the same computer #a dual boot en'ironment)!
It is not possible to perform an undelete under 7indows NT on any of the supported file systems!
*ndelete utilities try to directly access the hardware$ which cannot be done under 7indows NT!
5owe'er$ if the file was located on a 0AT partition$ and the system is restarted under >S28(S$
the file can be undeleted! The 0AT file system is best for dri'es and;or partitions under
appro)imately 2BB >4$ because 0AT starts out with 'ery little o'erhead
)isad>antages56
7hen files are deleted and new files written to the media$ their fragments tend to become scattered
o'er the entire media making reading and writing a slow process! 8efragmentation is one solution
to this$ but is often a lengthy process in itself and has to be repeated regularly to keep the 0AT file
system clean!
%referably$ when using dri'es or partitions of o'er 2BB >4 the 0AT file system should not be
used! This is because as the si,e of the 'olume increases$ performance with 0AT will "uickly
decrease! It is not possible to set permissions on files that are 0AT partitions!
0AT partitions are limited in si,e to a ma)imum of D Gigabytes #G4) under 7indows NT and 2
G4 in >S28(S
= NT'S BNew Technology 'AT System?
An ad'anced file system that pro'ides performance$ security$ reliability$ and ad'anced features that are not
found in any 'ersion of 0AT! It is designed to "uickly perform standard file operations such as read$ write$
and search 2 and e'en ad'anced operations such as file2system reco'ery 2 on 'ery large hard disks!
0ormatting a 'olume with the NT0S file system results in the creation of se'eral system files and the
>aster 0ile Table #>0T)$ this contains information about all the files and folders on the NT0S 'olume! The
first information on an NT0S 'olume is the %artition 4oot Sector$ which starts at sector B and can be up to
1@ sectors long! The first file on an NT0S 'olume is the >aster 0ile Table #>0T)! The following figure
illustrates the layout of an NT0S 'olume when formatting has finished!
0igure F21 0ormatted NT0S =olume
Ad>antages56
+ncryption5 The 1ncrypting 0ile System #10S) pro'ides the core file encryption technology used to store
encrypted files on NT0S 'olumes! 10S keeps files safe from intruders who might gain unauthori,ed
physical access to sensiti'e$ stored data #for e)ample$ by stealing a portable computer or e)ternal disk
dri'e)!
)isk Nuotas- 7indows 2BBB supports disk "uotas for NT0S 'olumes! ^ou can use disk "uotas to monitor
and limit disk2space use!
4eparse Points5 /eparse points are new file system ob6ects in NT0S that can be applied to NT0S files or
folders! A file or folder that contains a reparse point ac"uires additional beha'ior not present in the
underlying file system! /eparse points are used by many of the new storage features in 7indows 2BBB$
including 'olume mount points!
Golume Mount Points5 =olume mount points are new to NT0S! 4ased on reparse points$ 'olume mount
points allow administrators to graft access to the root of one local 'olume onto the folder structure of
another local 'olume!
Sparse 'iles- Sparse files allow programs to create 'ery large files but consume disk space only as
needed!
)istributed #ink Tracking5 NT0S pro'ides a link2tracking ser'ice that maintains the integrity of
shortcuts to files as well as (C1 links within compound documents!
'ile compressions5 6 NT0S uses lossless compression algorithm which ensures that no data is lost when
compressing and decompressing the data
NT0S is best for use on 'olumes of about DBB >4 or more! This is because performance does
not degrade under NT0S$ as it does under 0AT$ with larger 'olume si,es!
The reco'erability designed into NT0S is such that a user should ne'er ha'e to run any sort of
disk repair utility on an NT0S partition!
)raw backs56
(ld software might not run on NT0S properly!
Secondly$ if youIre going to run an earlier 'ersion of 7indows along with 7indows +%$ youIll
need to ha'e a 0AT or 0AT:2 as the start2up partition! The reason is that earlier 'ersions of
7indows canIt access a partition with the latest 'ersion of NT0S!
It is not recommended to use NT0S on a 'olume that is smaller than appro)imately DBB >4$
because of the amount of space o'erhead in'ol'ed in NT0S! This space o'erhead is in the
form of NT0S system files that typically use at least D >4 of dri'e space on a 1BB >4
partition!
&urrently$ there is no file encryption built into NT0S! Therefore$ someone can boot under
>S28(S$ or another operating system$ and use a low2le'el disk editing utility to 'iew data
stored on an NT0S 'olume!
It is not possible to format a floppy disk with the NT0S file system3 7indows NT formats all
floppy disks with the 0AT file system because the o'erhead in'ol'ed in
NT0S will not fit into a floppy disk
Conversion of FATS into NTFS
^ouI'e got two options- either format a dri'e with NT0S or use the Icon'ertI command! The first way is
recommended because all data on the partition will be erased 2 conse"uently$ youIll be starting with a
IcleanI dri'e! *se this method only if you donIt need to keep your files intact! 4ut most of us would want
to keep our files$ and to do this youI'e got two options-
2. Backup all your data before formatting
So you want to start with a IcleanI dri'e but canIt afford losing your precious filesW =ery simple!
All you need to do is back up your files to an e)ternal hard2dri'e or a partition other than the one
you want to con'ert$ or burn the data onto &8s! After youIre done you can format a dri'e with
NT0S!
=. /se the con>ert command from command prompt
This way$ you donIt need to back up! All files are preser'ed as they are! 5owe'er$ I recommend a
backup! ^ou donIt know what might go wrong and besides what would you lose if you do back2
upW 7hen I con'erted to NT0S using con'ert!e)e$ e'erything went smooth! &hances are your
con'ersion will be e"ually smooth!
Note5 This is a one2way con'ersion! (nce youI'e con'erted to NT0S$ you canIt go back to 0AT or 0AT:2
unless you format the dri'e!
(pen command prompt# by going start$ all program $ accessories $ click command prompt)
(/
Start V /un V type HcmdH without "uotes V (9
Type Hcon'ert dri'e letter- ;fs-ntfsH and press 1nter! 0or e)ample$ type Hcon'ert &- ;fs-ntfsH
#without "uotes) if you want to con'ert dri'e &!
If youIre asked whether you want to dismount the dri'e$ agree!
To find more information about con'ert!e)e type Hhelp con'ertH #without "uotes) in &ommand %rompt
and press 1nter!
7? N'S BNetwork 'ile System?
A network file system is any computer file system that supports sharing of files$ printers and other
resources as persistent storage o'er a computer networkThe Network 0ile System #N0S) is a client;ser'er
application that lets a computer user 'iew and optionally store and update file on a remote computer as
though they were on the userIs own computer! The userIs system needs to ha'e an N0S client and the other
computer needs the N0S ser'er! 4oth of them re"uire that you also ha'e T&%;I% installed since the N0S
ser'er and client use T&%;I% as the program that sends the files and updates back and forth! #5owe'er$ the
*ser 8atagram %rotocol$ *8%$ which comes with T&%;I%$ is used instead of T&% with earlier 'ersions of
N0S!) N0S was de'eloped by Sun >icrosystems and has been designated a file ser'er standard! Its
protocol uses the /emote %rocedure &all #/%&) method of communication between computers! ^ou can
install N0S on 7indows KF and some other operating systems using products like SunIs Solstice Network
&lient! *sing N0S$ the user or a system administrator can mount all or a portion of a file system #which is a
portion of the hierarchical tree in any file directory and subdirectory$ including the one you find on your %&
or >ac)! The portion of your file system that is mounted #designated as accessible) can be accessed with
whate'er pri'ileges go with your access to each file #read2only or read2write)! N0S allows a system to
share directories and files with others o'er a network! 4y using N0S$ users and programs can access files
on remote systems almost as if they were local files!
Ad>antages5
Cocal workstations use less disk space because commonly used data can be stored on a single
machine and still remain accessible to others o'er the network!
There is no need for users to ha'e separate home directories on e'ery network machine! 5ome
directories could be set up on the N0S ser'er and made a'ailable throughout the network!
N0S is centrali,ed administration so its much easier $for e)ample $ to backup a file systems stored
on ser'ers than on indi'idually backup a scattered system!
N0S when used with NIS makes it tri'ially simple to update keys configurations files!
)isad>antages56
N0S is sensiti'e to network congestion! 5ea'y disk acti'ity of N0S ser'er effects the N0S
performance
If an e)ported file system is not a'ailable when client to attempts to mount$ client system hangs
although this can be mitigated using specific mount!
If ser'er is hosting the e)ported file system becomes una'ailable due to any reasons no one can
access the resources!
N0S has security problems because its design assumes a trusted network.
#ecture 2= 3
4eading5 A7.;8 A7.;.26;.=
Contents56
Software %nstallations and Structuring Software8 Fpen Source Software5 The -N/
Pro1ect
Software %nstallations and Structuring Software8 Fpen Source Software5 The -N/
Pro1ect
2 Software installation
2.2 'ree and proprietary software
*nlike most other popular operating systems$ *ni) grew up around people who wrote their own software
rather than relying on off2the2shelf products! The Internet now contains gigabytes of software for *ni)
systems which cost nothing! Traditionally$ only large companies like the oil industry and newspapers could
afford off2the2shelf software for *ni)! There are therefore two kinds of software installation- the
installation of software from binaries and the installation of software from source! &ommercial software is
usually installed from a &8 by running an installation program and following the instructions carefully3 the
only decision we need to make is where we want to install the software! 0ree software and open source
software usually come in source form and must therefore be compiled! *ni) programmers ha'e gone to
great lengths to make this process as simple as possible for system administrators!
2.= Structuring software
The first step in installing software is to decide where we want to keep it! 7e could$ naturally$ locate
software anywhere we like$ but consider the following-
. Software should be separated from the operating system<s installed files$ so that the (S can be reinstalled
or upgraded without ruining a software installation!
. *ni)2like operating systems ha'e a naming con'ention! &ompiled software can be collected in a special
area$ with a bin directory and a lib directory so that binaries and libraries conform to the usual *ni)
con'entions! This makes the system consistent and easy to understand! It also keeps the program search
%AT5 'ariable simple!
. 5ome2grown files and programs which are special to our own particular site can be kept separate from
files which could be used anywhere! That way$ we define clearly the 'alidity of the files and we see who is
responsible for maintaining them!
The directory traditionally chosen for installed software is called ;usr;local! (ne then makes subdirectories
;usr;local;bin and ;usr;local;lib and so on \1DM]! *ni) has a de2facto naming standard for directories which
we should try to stick to as far as reason permits$ so that others will understand how our system is built up!
. bin 4inaries or e)ecutables for normal user programs!
. sbin 4inaries or e)ecutables for programs which only system administrators re"uire! Those files in ;sbin
are often statically linked to a'oid problems with libraries which lie on unmounted disks during system
booting!
. lib Cibraries and support files for special software!
. etc &onfiguration files!
. share 0iles which might be shared by se'eral programs or hosts! 0or instance$ databases or help2
information3 other common resources!
0igure - (ne way of structuring local software!
Another is shown in figure D!2! 5ere we di'ide these into three categories- regular installed software$ GN*
software #i!e! free software) and sitesoftware! The di'ision is fairly arbitrary! The reason for this is as
follows-
. ;usr;local is the traditional place for software which does not belong to the (S! 7e could keep e'erything
here$ but we will end up installing a lot of software after a while$ so it is useful to create two other sub2
categories!
. GN* software$ written by and for the 0ree Software 0oundation$ forms a self2contained set of tools which
replace many of the older *ni) e"ui'alents$ like ls and cp! GN* software has its own system of installation
and set of standards! GN* will also e'entually become an operating system in its own right! Since these
files are maintained by one source it makes sense to keep
them separate! This also allows us to place GN* utilities ahead of others in a user<s command %AT5!
. Site2specific software includes programs and data which we build locally to replace the software or data
which follows with the operating system! It also includes special data like the database of aliases for 12mail
and the 8NS tables for our site! Since it is special to our site$ created and maintained by our site$ we should
keep it separate so that it can be backed up often and separately! A similar scheme to this was described !in
a system called Depot! In the 8epot system$ software is installed under a file node called ;depot which
replaces ;usr;local! In the depot scheme$ separate directories are maintained for different machine
architectures under a single file tree! This has the ad'antage of allowing e'ery host to mount the same
filesystem$ but the disad'antage of making the single filesystem 'ery large! Software is installed in
0igure D!2- Another$ more rational way of structuring local software! 5ere we drop the affectation of
placing local modifications under the operating system<s ;usr tree and separate it completely! Symbolic
links can be used to alias ;usr;local to one of these directories for historical consistency! a package2like
format under the depot tree and is linked in to local hosts with symbolic links!
2.: -N/ software eHample
7hen installing GN* software$ we are e)pected to gi'e the name of a prefi( for installing the package! The
prefi) in the abo'e cases is ;usr;local for ordinary software$ ;usr;local;gnu for GN* software and
;usr;local;site for site2specific software! >ost software installation scripts place files under bin and lib
automatically! The steps are as follows!
1! >ake sure we are working as a regular$ unpri'ileged user! The software installation procedure might do
something which we do not agree with! It is best to work with as few pri'ileges as possible until we are
sure!
2! &ollect the software package by ftp from a site like ftp!uu!net or ftp!funet!fi etc! *se a program like ncftp
for painless anonymous login!
:! *npack the file using tar ,)f software!tar!g,$ if using GN* tar$ or gun,ip software!tar!g,3 tar )f
software!tar if not!
D! 1nter the directory which is unpacked$ cd software!
F! Type- configure 22prefi)S;usr;local;gnu! This checks the state of our local operating system and other
installed software and configures the software to work correctly there!
@! Type- make!
M! If all goes well$ type make 2n install! This indicates what the make program will install and where! If we
ha'e any doubts$ this allows us to make changes or abort the procedure without causing any damage!
J! 0inally$ switch to pri'ileged root;Administrator mode with the su command and type make install! This
should be enough to install the software! Note$ howe'er$ that this step is a security 'ulnerability! If one
blindly e)ecutes commands with pri'ilege$ one can be tricked into installing back2doors and Tro6an horses
K! Some installation scripts lea'e files with the wrong permissions so that ordinary users cannot access the
files! 7e might ha'e to check that the files ha'e a mode like FFF so that normal users can access them! This
is in spite of the fact that installation programs attempt to set the correct
permissions
2.7 Proprietary software eHample
If we are installing proprietary software$ we will ha'e recei'ed a copy of the program on a &82/(>$
together with licensing information$ i!e! a code which acti'ates the program! The steps are somewhat
different!
1! To install from &82/(> we must start work with root;Administrator pri'ileges$ so the authenticity of
the &82/(> should be certain!
2! Insert the &82/(> into the dri'e! 8epending on the operating system$ the &82/(> might be mounted
automatically or not! &heck this using the mount command with no arguments$ on a *ni)2like system! If
the &82/(> has not been mounted$ then$ for standard &82/(> formats$ the following will normally
suffice-
mkdir ;cdrom if necessary
mount ;de';cdrom ;cdrom
0or some manufacturers$ or on older operating systems$ we might ha'e to specify the type of filesystem on
the &82/(>! &heck the installation instructions!
:! (n a 7indows system a clickable icon appears to start the installation program! (n a *ni)2like system
we need to look for an installation script
cd ;cdrom; cd2name
less /1A8>1
!;install2script
D! 0ollow the instructions!
Some proprietary software re"uires the use of a license ser'er$ such as lmgrd! This is installed
automatically$ and we are re"uired only to edit a configuration file with a license key which is pro'ided$ in
order to complete the installation!
2.; %nstalling shared libraries
Systems which use shared libraries or shared ob6ects sometimes need to be reconfigured when new libraries
are added to the system! This is because the names of the libraries are cached to pro'ide fast access! The
system will not look for a library if it is not in the cache file!
. Sun(S #prior to Solaris 2)- After adding a new library$ one must run the command ldconfig lib2directory!
The file ;etc;ld!so!cache is updated!
. GN*;Cinu)- New library directories are added to the file ;etc;ld!so!conf! Then one runs the command
ldconfig! The file ;etc;ld!so!cache is updated!
2.9 Configuration security
Principle BSeparation %%%?. "ndependent systems should not interfere with one another# or e confused
with one another. $eep them in separate storage areas.
Suggestion 2 BGigilance?. Be on the lookout for software which is configured# y default# to install itself
on top of the operating system. %lways check the destination using make 6n install efore actually
committing to an installation. Programs which are replacements for standard operating system
components often reak the principle of separation.
Principle B#imited pri>ilege?. &o process or file should e given more privileges than it needs to do its
'o. !o do so is a security ha(ard.
Another use for this principle arises when we come to configure certain types of software! 7hen a user
e)ecutes a software package$ it normally gets e)ecuted with the user pri'ileges of that user! There are two
e)ceptions to this-
. Services which are run by the system' 8aemons which carry out essential ser'ices for users or for the
system itself$ run with a user I8 which is independent of who is logged on to the system! (ften$ such
daemons are started as root or the Administrator when the system boots! In many cases$ the daemons do not
need these pri'ileges and will function "uite happily with ordinary user pri'ileges after changing the
permissions of a few files! This is a much safer strategy than allowing them to run with full access! 0or
e)ample$ the httpd daemon for the 777 ser'ice uses this approach! In recent years$ bugs in many
programs which run with root pri'ileges ha'e been e)ploited to gi'e intruders access to the system! If
software is run with a non2pri'ileged
user I8$ this is not possible!
. 6ni( setuid programs' *ni) has a mechanism by which special pri'ilege can be gi'en to a user for a short
time$ while a program is being e)ecuted! Software which is installed with the *ni) setuid bit set$ and which
is owned by root$ runs with root<s special pri'ileges! Some software producers install software with this bit
set with no respect for the pri'ilege it affords! >ost programs which are setuid root do not need to be! A
good e)ample of this is the &ommon 8esktop 1n'ironment #a multi2'endor desktop en'ironment used on
*ni) systems)! In a recent release$ almost e'ery program was installed setuid root! 7ithin only a short
time$ a list of reports about users e)ploiting bugs to gain control of these systems appeared
Principle BTemporary files?. !emporary files or sockets which are opened y any program# should not
e placed in any pulicly writale directory like $tmp. !his opens the possiility of race conditions and
symolic link attacks. "f possile# configure them to write to a private directory+
Principle B'lagging customi(ation?. )ustomi(ations and deviations from standards should e made
conspicuous to users and administrators. !his makes the system easier to understand oth for ourselves
and our successors.
2.C !hen compilation fails
Today$ software producers who distribute their source code are able to configure it automatically to work
with most operating systems! &ompilation usually proceeds without incident! (ccasionally though$ an error
will occur which causes the compilation to halt! There are a few things we can try to remedy this-
. A pre'ious configuration might ha'e been left lying around$ try
make clean
make distclean
and start again$ from the beginning!
. >ake sure that the software does not depend on the presence of another package$ or library! Install any
dependencies$ missing libraries and try again!
. 1rrors at the linking stage about missing functions are usually due to missing or un2locatable libraries!
&heck that the
C8 CI4/A/^ %AT5
'ariable includes all rele'ant library locations! Are any other en'ironment 'ariables re"uired to configure
the softwareW
. Sometimes an e)tra library needs to be added to the >akefile! To find out whether a library contains a
function$ we can use the following &2shell trick-
hostA cd ;lib
hostA foreach lib # libT )
R echo &hecking Zlib 2222222222222222222222
R nm Zlib V grep function
Rend
. &arefully try to patch the source code to make the code compile!
. &heck in news groups whether others ha'e e)perienced the same problem!
. &ontact the author of the program!
2.D /pgrading software
Some software #especially free software) gets updated 'ery often! 7e could easily spend an entire life 6ust
chasing the latest 'ersions of fa'orite software packages! A'oid this!
. It is a waste of time!
. Sometimes new 'ersions contain more bugs than the old one$ and an e'ennewer2 'ersion is 6ust around
the corner!
. *sers will not thank us for changing things all the time! Stability is a 'irtue!
1'eryone likes time to get used to the system before change strikes! A plan is needed for testing new
'ersions of software! %ackage systems for software make this process easier$ since one can allow se'eral
'ersions of software to coe)ist$ or roll back to earlier 'ersions if problems are disco'ered with newer
'ersions!