Sys Admin Using the Ksh


    All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.

    Working with Korn Shell. SkillSoft Corporation. (c) 2003. Copying Prohibited.


    Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/


    Chapter 12: System Administration Using the Korn Shell

    You can use the Korn shell for system administration to customize the environment in which a UNIX user works. The environment contains the settings that are provided when an end user logs on to the Korn shell. System administration involves ensuring security and monitoring the performance of the system. The goal of system administration is to manage and improve the performance of the system. You should log on to the Korn shell with super user privileges to work with the administration utilities, such as those that create a file system and add or remove UNIX users.

    This chapter explains how to customize the UNIX environment, and add users to or remove users from a UNIX operating system. The chapter describes the disk management and disk monitoring utilities. The chapter also explains how to use the system security tools to secure the Korn shell.


    Figure 12-1 shows the permissions that are granted to a new file:

    Figure 12-1: Viewing the Permissions on a File

    You can change the umask value of the UNIX operating system.

    The methods to change the umask value are:

    Change the umask value in the profile file that resides in the /etc directory.

    Use the umask command on the command line along with the parameter representing the new permissions.

    The syntax to use the umask command to change the default values is:

    umask new_permissions

    This syntax replaces the earlier permission values with the permission values that the parameter, new_permissions, indicates. You set the permission using the octal or the symbolic representation.

    Only the current shell reflects the changes to the umask value that you make using the umask command. When you log off, the umask value reverts to the original value. You can use the -S option of the umask command to change the default umask values using the symbolic representation instead of the octal representation.
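
    The effect of the umask value on new files and directories, in octal and symbolic form, as an added example that is not part of the original chapter. The function names and the masks 022, 027 and 077 are chosen here for illustration; every change runs in a subshell, so the caller's umask stays as it was.

```sh
#!/bin/sh
# Added example: what a umask value does to newly created files and directories.

# new_file_mode MASK: print the permission string of a file created under MASK.
new_file_mode() (
    umask "$1"                          # only this subshell is affected
    dir=$(mktemp -d) || exit 1
    : > "$dir/file"                     # files start from 666, minus the mask bits
    ls -l "$dir/file" | cut -c1-10
    rm -rf "$dir"
)

# new_dir_mode MASK: the same for a directory, which starts from 777.
new_dir_mode() (
    umask "$1"
    dir=$(mktemp -d) || exit 1
    mkdir "$dir/sub"
    ls -ld "$dir/sub" | cut -c1-10
    rm -rf "$dir"
)

# mask_as_octal SYMBOLIC: set the mask symbolically, print it as three octal digits.
mask_as_octal() (
    umask "$1"
    umask | sed 's/^0*\([0-7][0-7][0-7]\)$/\1/'
)

# mask_as_symbolic OCTAL: set the mask in octal, print what umask -S reports.
mask_as_symbolic() (
    umask "$1"
    umask -S
)

# parent_mask_survives: a umask set in a child shell does not change the caller's.
parent_mask_survives() {
    before=$(umask)
    ( umask 077 )
    [ "$before" = "$(umask)" ]
}

# Compare a permissive, a group-only and a private mask side by side.
for mask in 022 027 077; do
    printf 'umask %s  file %s  dir %s  (%s)\n' "$mask" \
        "$(new_file_mode "$mask")" "$(new_dir_mode "$mask")" \
        "$(mask_as_symbolic "$mask")"
done
```

    The symbolic form lists the permissions that remain allowed, while the octal form lists the bits that are removed, so u=rwx,g=rx,o= and 027 describe the same mask.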

    Figure 12-2 shows how to change the umask permissions using the symbolic representation:

    Figure 12-2: Changing the umask Permissions Using the Symbolic Representation

    Setting the System Resources

    You use the Korn shell command, ulimit, to set a limit for the UNIX operating system resources, such as the memory that a process can use. The ulimit command acts as an interface between a UNIX user and the Korn shell to view and set the system resources for a process or command.


    The ulimit command is usually defined in the .profile file that resides in the home directory of each UNIX user. The system administrator can also save this command in the profile file that resides in the /etc directory, so that every UNIX user works within the restriction that the ulimit command defines.

    The syntax to implement the ulimit command is:

    ulimit [ -a | -c | -d | -f | -s | -n | -t | -v | -H | -S ] [ int_value | unlimited ]

    This syntax shows how to implement the ulimit command to set the limit for a system resource that is specified with the ulimit command. Along with the specified resource, the ulimit command can contain an integer value that the parameter, int_value, represents. The ulimit command can also use the string, unlimited, which ensures that a process makes unlimited use of the specified resource.

    If you do not use the integer value or the string, unlimited, the ulimit command displays the current settings for the specified resource.

    The resources for which you can set a limit using the ulimit command are:

    -a: Displays the limit set for all the resources that you can use with the ulimit command.

    -c: Displays or sets the limit for the core files. These files are created when a process terminates unconditionally, because of an interrupt signal. You can use the core files to find the reason for the termination of a process. The limit for core files is set in blocks of 512 bytes.

    -d: Displays or sets the limit for the data segments of a process. A data segment is a memory area in which the process variables are stored. The limit for data segments is set in blocks of 1024 bytes.

    -f: Displays or sets the limit for a file, which is set in blocks of 512 bytes.

    -n: Displays or sets the limit for file descriptors, which are integers that are used for the I/O operation of a Korn shell process.

    -t: Displays or sets the limit for the CPU time that a process can use, which is set in seconds.

    -v: Displays or sets the limit for the virtual memory that a process can use, which is set in blocks of 1024 bytes.

    You can also use the -H and -S options with the ulimit command. The -H option represents the hard limit for a particular system resource. Once set, you cannot change the hard limit for a particular resource. However, the -S option represents the soft limit for a particular system resource. Once set, you can change the soft limit for a particular resource, but the soft limit cannot exceed the value of the hard limit.
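
    How the soft and hard limits relate, shown for the file descriptor limit (-n), as an added example that is not part of the original chapter. The function names and the values 64, 100, 128 and 256 are chosen here for illustration, and the example assumes the starting hard limit is at least 128; all changes happen in subshells.

```sh
#!/bin/sh
# Added example: soft and hard limits for open file descriptors (ulimit -n).

# limit_demo: walk through the soft/hard rules and print the resulting state.
# Runs in a subshell, so the limits of the calling shell are not touched.
limit_demo() (
    ulimit -S -n 64  || exit 1      # lower the soft limit first ...
    ulimit -H -n 128 || exit 1      # ... then lower the hard limit, the ceiling

    ulimit -S -n 100 || exit 1      # the soft limit can be raised again, up to the ceiling

    if ulimit -S -n 256 2>/dev/null; then
        above=allowed
    else
        above=denied                # a soft limit above the hard limit is refused
    fi
    printf 'soft=%s hard=%s above_hard=%s\n' \
        "$(ulimit -S -n)" "$(ulimit -H -n)" "$above"
)

# inherited_limit: a limit set in one shell applies to the processes it starts,
# which is why a ulimit line in a profile file covers the whole login session.
inherited_limit() (
    ulimit -S -n 64 || exit 1
    sh -c 'ulimit -S -n'
)

# caller_unchanged: the demo above leaves the caller's own soft limit alone.
caller_unchanged() {
    before=$(ulimit -S -n)
    limit_demo > /dev/null
    [ "$before" = "$(ulimit -S -n)" ]
}

limit_demo || echo "could not adjust limits in this environment"
printf 'limit seen by a child process: %s\n' "$(inherited_limit)"
```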

    Figure 12-3 shows how to use the ulimit command to set the system resources:

    Figure 12-3: Using the ulimit Command

    System Administration

    System administration is managing the system resources. The system administrator performs various functions, such as:

    Add/remove UNIX users

    Install software

    Add hardware devices

    Maintain security

    Make backups

    Manage a disk

    Another name for the system administrator in UNIX is super user. To log on to the UNIX system, the system administrator uses the user id root, and the prompt of root is #.

    Adding/Removing a UNIX User

    The primary function of a super user is to maintain the login accounts for the UNIX users. The information about a UNIX user, such as the login name, group name, and home directory, is stored in the /etc/passwd file. The super user can change the password of any UNIX user. Every time the super user creates a new UNIX user, an entry that pertains to the UNIX user is stored in the /etc/passwd file, which the super user maintains.

    Figure 12-4 shows how the entries of UNIX users are stored in the /etc/passwd file:


    Figure 12-4: Contents of the /etc/passwd File

    The first column in the passwd file is the login name of the UNIX user. The second column is the encrypted password of the UNIX user to prevent unauthorized access. The third column is the userid of the UNIX user.

    The userid of the super user is always zero (0) and userids from 1 to 100 are reserved for the built-in users of the UNIX system. The ordinary UNIX users are assigned the userid from 200 and higher. The fourth column is the group id of the UNIX user.

    The file, /etc/group, stores information about the users and the groups to which they belong. The fifth column of the /etc/passwd file is the comment column to store additional information about the UNIX user. The sixth column indicates the home directory of the UNIX user. The seventh column is the shell in which the UNIX user works.

    The super user can add a new UNIX user to the system. The first method to add the UNIX user is to enter the UNIX user in the /etc/passwd file and grant the appropriate permission to the home directory of the new UNIX user.

    Listing 12-1 shows how to create a new user using the user-defined shell script, adduser:

    Listing 12-1: Creating a New User Account

    # Retrieve the last user id
    userid=`tail -1 /etc/passwd | cut -f3 -d":"`
    # Increment userid by 1 to create an id for new user
    userid=`expr $userid + 1`
    echo "Enter the group name"
    read group
    # Retrieve the group id of the specified group
    groupid=`grep "^$group:" /etc/group | cut -f3 -d":"`
    grep "^$group:" /etc/group
    ret=$?
    # Check the status of the last executed command
    if [ $ret -eq 0 ]
    then
        echo "Enter the login name"
        read login
        echo "Enter the full name of the user"
        read name
        # Add new user's information to the /etc/passwd file
        # (the empty second field means the account has no password yet)
        echo "$login::$userid:$groupid:$name:/usr/$login:/bin/ksh" >> /etc/passwd
        # Create login directory
        home=/usr/$login
        mkdir "$home"
        # Add .profile file to the new user account
        cp /usr/lib/mkuser/ksh/profile "$home/.profile"
        # Grant permission to the home directory and .profile file
        chmod 755 "$home"
        chmod 700 "$home/.profile"
        # Assign ownership to all files and directories of the new user
        chown "$login" "$home" "$home/.profile"
        chgrp "$group" "$home" "$home/.profile"
    else
        echo "Enter the existing group name"
    fi

    The above listing shows that the script accepts the account name and group name of the newly created UNIX user. The listing finds the userid and groupid of the new UNIX user, appends the information to the /etc/passwd file, creates the directory with the name of the new user and assigns ownership to the home directory. The newly created account is not given a password.
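
    A check over the seven-column /etc/passwd format described above, as an added example that is not part of the original chapter. It flags the empty password field that the adduser listing leaves behind, a userid of 0 on any account other than root, reused userids and malformed lines. The function names and the sample entries are constructed for illustration, and ENC stands in for an encrypted password.

```sh
#!/bin/sh
# Added example: audit a passwd-format file. The sample data is constructed.

# write_sample FILE: constructed entries in the seven-column format.
write_sample() {
    cat > "$1" <<'EOF'
root:ENC:0:0:Super User:/:/bin/ksh
daemon:ENC:1:1:Built-in account:/:/bin/false
jack:ENC:200:50:Jack Adam:/usr/jack:/bin/ksh
newuser::201:50:Added by adduser:/usr/newuser:/bin/ksh
admin2:ENC:0:0:Second uid 0 entry:/usr/admin2:/bin/ksh
temp:ENC:200:50:Reuses uid 200:/usr/temp:/bin/ksh
broken:ENC:202:50:/usr/broken
EOF
}

# audit_passwd FILE: print one finding per line.
# Exit status is 0 when the file is clean and 1 when anything was reported.
audit_passwd() {
    awk -F: '
    {
        if (NF != 7) {
            printf "%s: line %d has %d fields, expected 7\n", $1, NR, NF
            bad = 1
            next
        }
        if ($2 == "") {                      # column 2: encrypted password
            printf "%s: empty password field\n", $1
            bad = 1
        }
        if ($3 !~ /^[0-9]+$/) {              # column 3: userid
            printf "%s: userid \"%s\" is not numeric\n", $1, $3
            bad = 1
            next
        }
        uid = $3 + 0
        if (uid == 0 && $1 != "root") {      # userid 0 is the super user
            printf "%s: userid 0 but not root\n", $1
            bad = 1
        }
        if (uid in owner) {                  # two logins sharing one userid
            printf "%s: userid %d already used by %s\n", $1, uid, owner[uid]
            bad = 1
        } else {
            owner[uid] = $1
        }
    }
    END { exit bad }
    ' "$1"
}

sample=$(mktemp) || exit 1
write_sample "$sample"
audit_passwd "$sample" || echo "(findings listed above)"
rm -f "$sample"
```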

    Figure 12-5 shows the output of the script file, adduser:

    Figure 12-5: Output of the Script File, adduser

    An example of implementing the passwd command is:

    $ passwd

    This command changes the password of the currently logged-on UNIX user.

    Figure 12-6 shows the output of the passwd command:


    Figure 12-6: Output of the passwd Command

    Another function of the super user is to delete the accounts of the UNIX users who no longer exist on the network.

    Listing 12-2 shows how to remove an existing user from a network using the user-defined shell script, removeuser:

    Listing 12-2: Removing an Existing User

    echo "Enter the user name to be deleted"
    read user
    # Accept only a plain login name, so that an empty or pattern-like
    # reply cannot match other entries or widen the rm -r below
    case "$user" in
        ""|*[!A-Za-z0-9_-]*) echo "Invalid UNIX user"; exit 1 ;;
    esac
    # Search the specified user in the file, /etc/passwd
    list=`grep "^$user:" /etc/passwd`
    ret=$?
    # Check the status of the last executed command
    if [ $ret -eq 0 ]
    then
        # Remove the home directory and subdirectories of the specified user
        rm -r "/usr/$user"
        # Write the remaining entries to a new file and then replace
        # /etc/passwd; piping grep into tee on the same file can truncate it
        grep -v "^$user:" /etc/passwd > /etc/passwd.new &&
            mv /etc/passwd.new /etc/passwd
        echo "User has been deleted"
    else
        echo "Invalid UNIX user"
    fi

    The above listing shows that the script accepts the login account of the UNIX user to delete. This listing determines whether the specified UNIX user exists. If the specified user does not exist in the /etc/passwd file, the listing displays the appropriate error message. Otherwise, the listing removes the home directory and subdirectories of the specified UNIX user.

    Figure 12-7 shows the output of the script file, removeuser:

    Figure 12-7: Output of the Script File, removeuser

    Starting and Shutting Down the System

    The process of starting the UNIX system is called booting. The UNIX system performs various functions to initialize the boot process.

    The various functions that the boot process performs are:

    Checks the basic hardware parts of the system.

    Searches for a boot device.

    Loads the kernel and file system.

    Initializes the other devices of the system, such as the keyboard and printer.

    Starts all the services of the system, such as init, inetd, cron, named, telnetd, ftpd, and httpd.

    Starts the other applications of the system, such as mounting the disk and file systems, and the network and mail applications.

    When a system boots, the system startup messages appear on the screen, which indicate that the booting process is in progress. If any of the booting functions is not accomplished, the system stops and displays the appropriate message.

    In a booting process, the run level indicates the running mode of a system. You can change the mode of a system using the run level in the init process. The init process contains seven run levels that range from 0 to 6, and s or S, for a single user mode. The default run level is two (2), which is the multiuser mode.

    The run levels and their functions are:

    0: Shuts down the system and powers off automatically.

    1: Starts the system in the single user mode.

    2: Starts the system in the multiuser mode.

    3: Starts the system in the multiuser mode and allows remote file sharing.

    4: Starts the system in the multiuser mode and activates the graphical interface.

    5: Shuts down the system but does not power off automatically.

    6: Shuts down the system and restarts it with a run level 2 or 3.

    S/s: Starts the system in the single user mode.

    The file, /etc/inittab, contains the number of UNIX users and the devices that are available for a specific run level. In the process of booting, the UNIX system uses the /etc/inittab file to start all the services, such as mounting a disk and starting the terminal devices, /dev/tty. Use the who -r command to check the current run level of the system.

    In the multiuser mode, the script file, /etc/rc, runs to check all the file systems and start the various background processes, such as cron and at. After the script file, /etc/rc, runs, all the terminals that are connected to the system obtain the login prompt.

    The process of closing the running programs and applications in a safe mode so that the system files are not corrupted is called shutting down the system. Problems arise if you do not shut down the system systematically.

    The various functions that a system performs while shutting down are:

    Complete the running commands.

    Unmount the file system.

    Unmount the device files.

    You use the shutdown command to shut down the system. The /etc/shutdown shell script automatically executes when you run the shutdown command. The shutdown script uses the wall command to inform the UNIX users to save their work and log off, because the system is going to shut down shortly. As you enter the shutdown command, the system initiates the shutdown process within 60 seconds. You can change the waiting time for the shutdown process using the -g option in the shutdown command.

    To shut down a system, use the command:

    # shutdown -g180

    This command shows that the waiting time for the shutdown process is 180 seconds. After 180 seconds, the shutdown command initiates the shutdown process.

    A shutdown process is an interactive process in which the system prompts you for responses. You can change the interactive process of shutdown using the -y option with the shutdown command.

    Disk Management

    You can secure important and confidential information by making backups on floppy diskettes, CD-ROMs, or magnetic tapes. Before making backups on a floppy disk, you must format the floppy disk on a UNIX system. All the devices in UNIX are treated as special files.

    The two methods to use a formatted floppy disk are:

    Make a file system on the floppy disk, use the floppy as a directory on the hard disk, and mount the file system at a specific location on the hard disk.

    Use the raw disk method, which does not require that you create a file system on the floppy.

    Formatting a Disk

    In UNIX, the /dev directory stores the device-related files and their capacity. For example, rfd0135ds15 is the name of a floppy disk file in which rfd stands for a raw floppy disk, 0 indicates that the floppy is in drive A, and 1 indicates that the floppy is in drive B. The number, 135, indicates the tracks per inch, ds stands for double-sided, and 15 indicates the number of sectors per track.

    The syntax to format a floppy disk is:

    $ format /dev/rfd0135ds15

    This syntax formats the floppy disk in drive A. If you do not enter the device name, the format command reads the device name in the /etc/default/format file, which contains the name of the device file.

    After formatting the floppy disk, create a file system on the floppy to use the floppy as a storage medium.

    Creating a File System

    When you create a file system on a formatted floppy, the existing data on the floppy is deleted. Use the mkfs command to create a file system on a floppy. The mkfs command creates the Acer Fast FileSystem file system, which is the default file system.

    Only the super user can use the mkfs command. The syntax to implement the mkfs command is:

    mkfs device_name device_blocks:inode

    In this syntax, device_name is the name of the device in which to create the file system. The second argument indicates the number of 512 KB blocks and the number of inodes that are created in the file system.

    The syntax to calculate the number of 512 KB blocks in the file system is:

    Number of tracks per side * number of sides of the disk * number of sectors per track * bytes

    The syntax calculates the number of blocks in the floppy disk. In the double-sided floppy with a 1.44MB capacity, the number of tracks per side is 80.


    The command to use the mkfs command is:

    # /etc/mkfs /dev/rfd0135ds15 2400:600

    This command shows that the floppy disk with a capacity of 1.44MB contains 2400 blocks and 600 inodes after creating the file system on a floppy. Each inode represents one file in the file system.

    Mounting a File System

    The file system of the different storage devices, such as a floppy disk, hard disk, and magnetic tape, is not the same. The mount command links the file system of the floppy disk to the hard disk. You can create directories and files in the new mounted file systems. The mounted file system has a root directory and other directories.

    The mounting process of a file system is connecting the file system at a particular point in the existing file system. The point of attachment is the mount point for the particular file system. The path of a newly mounted file is the root directory of the existing file system. By default, the mount point is the /mnt directory. This directory is the default directory and is accessible from all UNIX logins, until special restrictions are imposed.

    The syntax to mount a floppy disk on a system is:

    # /etc/mount /dev/fd0135ds15 /mnt

    This command shows the use of fd, instead of rfd, as the name of the floppy device. The use of fd indicates that the file system is created on the floppy disk.

    To change the UNIX default mount point, set the mount point of the new file system in another directory.

    The syntax to mount a file system in a new directory is:

    $ /etc/mount /dev/fd0135ds15 /usr/temp

    This syntax mounts the floppy disk, fd0135ds15, in the /usr/temp directory.

    The two methods to check whether the file system is successfully mounted are:

    Change the current directory to the /mnt directory and create files and directories in it. If the mounting process is successful, these files are created on the floppy disk; otherwise, an error message appears.

    Run the mount command without passing any parameter and verify that the mount command displays all the currently mounted file systems to the current file system.

    Note Running the mount command lists all the file systems that are mounted, whether they are in the default /mnt directory or in any other directory.

    Unmounting a File System

    Use the umount command to unmount a file system. The umount command unmounts the new file system that is mounted on the current file system. After unmounting a file system, the files become inaccessible. To make the files accessible, you must remount the file system. If you remove the floppy drive without unmounting it, your system might generate errors, such as linking errors.

    To unmount a file system and avoid these errors, type the following syntax:

    $ /etc/umount /mnt


    This syntax unmounts the file system that is mounted in the default directory. To unmount all the mounted file systems in the current file system before you shut down the system, run the umountall command.

    Note The umount command fails when a file on the mounted file system is in use. You need to check that there is no file or directory in use before you unmount the file system.

    Disk Monitoring

    You need to frequently monitor a disk to delete data that are no longer needed. When you work on the UNIX operating system, temporary files are accumulated in the /PDF document object directory. You need to remove these temporary files to improve the performance of the system.

    The commands that you can use to improve the disk performance are df and du. The df command refers to disk free, and du refers to disk usage. Use the df command to ascertain the free disk blocks on a particular file system.

    Note If you do not specify the file system with the df command, the df command displays the free disk blocks for all the mounted file systems. You can find the file systems that are mounted on your computer in the mnttab file in the /etc directory.

    The syntax to implement the df command to find the free disk space is:

    df [option] [file_system]

    This syntax finds the free disk space for the file system that the parameter, file_system, represents. The options that are available with the df command define the pattern in which you must obtain the free disk space.

    The most common options to use with the df command are:

    -P: Displays the disk space information, such as the name of the file system, total number of blocks, total number of blocks free, total number of blocks in use, percentage of blocks that are in use, and the directory in which the file systems are mounted.

    -f: Displays the free disk space on the file systems that are mounted on your computer.

    -i: Displays the inode information, such as the total number of inodes and total number of inodes free. You can also use the options to view the percentage of inodes that is used for each file system that is mounted on your computer.

    -k: Displays the total number of inodes and disk space on each file system on your computer. With the -k option, the size of a block is 1024 bytes, instead of 512 bytes.

    Figure 12-8 shows the use of the df command to view the disk space for a particular file system that is mounted on the computer:

    Figure 12-8: Using the df Command

    Setting the System Security

    System security protects the system from unexpected errors. The errors can be scripting errors; for example, setting wrong permissions for a file. You can restrict the Korn shell by invoking the shell using the rksh command. The environment is restricted by allowing a UNIX user limited access to the system resources. You can protect a file using the built-in commands, such as chmod, to set the access permissions for a file.

    Securing the Shell Scripts

    You should design the script structure before writing it in the editor. You need to include error-handling code in your script to handle errors. You must also check the commands that can generate errors under the influence of other commands. For example, if two shell scripts share the same environment variable at the same time, an error can occur.

    Your script needs to check the arguments that are passed at run time. For example, if the script requires numeric arguments, the script should have a check on the arguments passed. If a passed value is not the same as what an application requires, the script must exit or prompt you to reenter the value.

    The scripts must keep track of the operations that commands perform. For example, the syslog command automatically generates a log using the logger() function. If the syslog command is not on your system, you can make a log file. Listing 12-3 shows the syntax to update a log file:

    Listing 12-3: The syntax to update a log file

    # Adds the process number in the file
    print -r "$$" >> /usr/jack/adam/log
    # Adds the login name of the end user
    print -r "$LOGNAME" >> /usr/jack/adam/log
    # Adds the current date of the computer
    print -r "`date`" >> /usr/jack/adam/log

    In the above syntax, the "$$" command provides the current process number, and the output redirection operator, >>, redirects the output in the log file, /usr/jack/adam/log.

    You need to enclose the input from the end user in double quotes (""). For example, the input is used as "$1" or "$3", so that the application does not further process any wrong input from the end user.

    Do not use the eval command on data that an end user enters. If the end user discovers that the script uses the eval command, the end user can manipulate the processing of data by altering the input and replacing it with variable names.

    Note To learn more about the eval command, see Appendix C.

    A script that alters the PATH variable of the UNIX environment should not include a dot (.) in it. The dot (.) signifies the path of the current working directory. When the PATH variable includes a dot (.), it is interpreted as the path of the end user's current working directory. The end user can use a dot (.) in the PATH variable to manipulate the functionality of the script.
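
    The checks from this section combined in one script, as an added example that is not part of the original chapter: a numeric argument check, quoted use of input, a lookup that never passes input to eval, and a test for a dot in PATH. All function names are chosen here for illustration; the PATH test also rejects empty and relative entries, which resolve against the current directory in the same way a dot does.

```sh
#!/bin/sh
# Added example: argument checks, quoting, no eval on input, and a PATH without ".".

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# path_is_safe VALUE: fail if any PATH entry is ".", empty, or relative.
# An empty entry (leading, trailing or doubled colon) also means the
# current directory.
path_is_safe() (
    case ":$1:" in
        *::*|*:.:*) exit 1 ;;
    esac
    IFS=:
    set -f                               # do not expand wildcards in entries
    for entry in $1; do
        case "$entry" in
            /*) ;;                       # absolute entry: accepted
            *)  exit 1 ;;                # relative entry: depends on the current directory
        esac
    done
    exit 0
)

# show_setting NAME: look up one of a fixed set of names.
# The input only selects a branch and is never handed to eval, so it stays data.
show_setting() {
    case "$1" in
        home) printf '%s\n' "$HOME" ;;
        user) printf '%s\n' "$LOGNAME" ;;
        *)    echo "show_setting: unknown name" >&2; return 1 ;;
    esac
}

# last_lines COUNT FILE: print the last COUNT lines of FILE.
# Return codes: 2 = COUNT is not a whole number, 3 = FILE missing or unreadable.
last_lines() {
    if ! is_uint "$1"; then
        echo "last_lines: COUNT must be a whole number" >&2
        return 2
    fi
    if [ ! -f "$2" ] || [ ! -r "$2" ]; then
        echo "last_lines: cannot read file" >&2
        return 3
    fi
    tail -n "$1" -- "$2"                 # quoted, so spaces and wildcards stay literal
}

# Report on the PATH this script was started with.
if path_is_safe "$PATH"; then
    echo "PATH has only absolute entries"
else
    echo "PATH has a dot, empty or relative entry" >&2
fi
```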

    Securing a Restricted Korn Shell

    The restricted Korn shell is a shell in which a UNIX user has restricted permission to access the resources. Use this version of a shell for the guest accounts in UNIX.

    The two methods to invoke the restricted Korn shell are:

    Using the rksh command at the command prompt

    Assigning the set -r option to a shell

    You can restrict the login session of the guest account by setting the PATH variable to the path of the Restricted Korn shell.

    The Restricted Korn shell does not support the:

    Change directory, cd command

    Output redirection operators

    Reassignment of the environment variables

    Addition of new built-in commands using the builtin command

    Commands that contain a backslash (\)

    You must have system administrator privileges to set the values for these features in the .profile file. These restrictions are applied to set the restricted environment after reading the .profile file. You need to safeguard the .profile file from unauthorized updating.

    The two methods to protect the .profile file are:

    Make the .profile file read-only so that a UNIX user can only read the contents of the file, not modify them.

    Change the path of the .profile file, so that a UNIX user cannot find the .profile file.

    Note You need to confirm that no other session of any other shell contains the same value for the PATH variable. If any other session shares the same value for the PATH variable, a UNIX user can easily escape the restricted features of the restricted environment.

    Setting the UNIX User ID

    In UNIX, a process has two user IDs, real and effective. The setuid command in UNIX checks the value of the effective user ID.

    According to the value of the effective user ID, the values of the real user ID are set as:

    Zero if the value of the effective uid is zero.

    Value of the effective user ID to real user ID if the value of the effective uid is nonzero.

    Every Korn shell script file has a setuid that is associated with it. You can protect your script file from any unauthorized updating by changing the setuid of the script file to a user ID that you define. This method prevents any program with a different user ID from updating your script file. This feature checks the user ID of the current login session and then updates the file.

    You can use the setuid command to set the root user ID as the super user. The syntax to set the user ID using the setuid command is:

    chmod 4755 file_name

    In this syntax, the number, 4, is the bit for the setuid command.

    The setgid command sets the uid for a group of UNIX users.

    The syntax to set the group permissions is:

    chmod 2755 file_name

    In this syntax, number 2 is the bit for the setgid command. The change of permissions appears in the ls -l command when the x permission is changed to the s permission.
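
    What the 4755 and 2755 modes look like in a listing, and how to find every file in a directory tree that carries them, as an added example that is not part of the original chapter. The function names and the four sample files are constructed for illustration and are created in a temporary directory.

```sh
#!/bin/sh
# Added example: show the s permission and list files that have setuid or setgid set.

# make_samples DIR: constructed files with the modes discussed above.
make_samples() {
    for name in backup.sh report.sh odd.sh plain.sh; do
        printf '#!/bin/ksh\n' > "$1/$name"
    done
    chmod 4755 "$1/backup.sh"    # setuid: owner x is shown as s
    chmod 2755 "$1/report.sh"    # setgid: group x is shown as s
    chmod 4644 "$1/odd.sh"       # setuid without owner x: shown as capital S
    chmod 755  "$1/plain.sh"     # no special bit, not reported
}

# mode_of FILE: the ten-character permission string from ls -l.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# special_bit_files DIR: print "mode name" for every regular file under DIR
# that has the setuid (4000) or setgid (2000) bit, sorted by name.
special_bit_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r path; do
        printf '%s %s\n' "$(mode_of "$path")" "${path##*/}"
    done | sort -k2
}

dir=$(mktemp -d) || exit 1
make_samples "$dir"
special_bit_files "$dir"
rm -rf "$dir"
```

    Reviewing this list periodically shows which files run with the identity of their owner or group. Many current kernels, Linux among them, ignore the setuid bit on interpreted scripts, so the bit on a script may have no effect there.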

    Figure 12-9 shows the changing mode for the setuid and setgid commands:

    Figure 12-9: Access Modes

    The Korn shell provides the option of a privileged mode.

    You can set the shell option to the privileged mode in two ways:

    set -o privileged

    set -p

    The privileged mode runs the file, /etc/suid_profile, by default. You need to update this file with the new value of the PATH variable to restrict the new end user.
