
RH135-Day21

Written by Razib Shahriar Rubence


Managing sudo:
--------------
The purpose of sudo is to delegate privileges to non-root users. With sudo a non-root user can
execute root's commands.
sudo access is controlled by /etc/sudoers. /etc/sudoers contains mappings of variables to
reference groups of users, hosts or commands. This file should be edited with visudo, which will
open a copy of the current file with vi and check the syntax before implementing the changes.
Format of the /etc/sudoers file:
usernames/group servername = (usernames the command can be run as) commands
There are some general guidelines when editing this file:
-Groups are the same as user groups and are differentiated from regular users by a % at the
beginning. For example, the Linux user group "users" would be represented by %users.
-You can have multiple usernames and groups per line separated by commas.
-Multiple commands can also be separated by commas. Spaces are considered part of the
command.
-The keyword ALL can mean all usernames, groups, commands and servers.
-If you run out of space on a line, you can end it with a backslash (\) and continue on the next
line.
-sudo assumes that the sudoers file will be used network wide, and therefore offers the option to
specify the names of the servers which will be using it in the servername position of the above
format. In most cases, the file is used by only one server and the keyword ALL suffices for the
server name.
-The NOPASSWD keyword provides access without prompting for your password.
Examples of sudo rules:
%wheel ALL=ALL <-- grants members of the wheel group access to any command
User_Alias ADMINS=bob,mary,david <-- associates the users bob, mary and david with the name ADMINS
joseph ALL=NETWORKING <-- grants joseph access to the commands in the NETWORKING group
natalie ALL=NOPASSWD: SOFTWARE <-- grants natalie access to the SOFTWARE commands (the commands in the SOFTWARE group) without needing a password
%dba ALL = /sbin/service mysql, /sbin/chkconfig mysql <-- grants the dba group access to the service and chkconfig commands for mysql
One common sudoers configuration is to grant full privileges to a user or group of trusted
users. This simple configuration can be established with just one line in the sudoers file:
USERNAME ALL=(ALL) ALL
Granting Access To Specific Users To Specific Files
This entry allows the user peter and all the members of the group operator to run all the
program files in the /sbin and /usr/sbin directories, plus the command /usr/local/apps/check.pl.
Notice how the trailing slash (/) is required to specify a directory location:
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl

Granting Access to Specific Files as Another User
The sudo -u option allows you to execute a command as if you were another user, but first
you have to be granted this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes need to kill processes related
to projects they are working on. For example, programmer peter is on the team developing a
financial package that runs a program called monthend as user accounts. From time to time the
application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill
commands but only as user "accounts". The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
Granting Access Without Needing Passwords
This example allows all users in the group operator to execute all the commands in the /sbin
directory without the need for entering a password. This has the added advantage of being
more convenient to the user:
%operator ALL= NOPASSWD: /sbin/
Using Aliases in the sudoers File
Sometimes you'll need to assign very similar sets of privileges to arbitrary groupings of users
from various departments. The sudoers file allows users to be grouped according to function and
then assigned a nickname, or alias, which is used throughout the rest of the file. Groupings of
commands can also be assigned aliases.
In the next example, users peter, bob and bunny and all the users in the operator group are
made part of the user alias ADMINS. All the command shell programs are then assigned to the
command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS
commands and su:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/bin/ksh, /usr/local/bin/tcsh, \
                    /usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS
LAB Practice 01:
The users morries, borries and horace may use sudo to run only the "service" and "chkconfig"
commands, without resupplying their password.
- Add the users with passwords
- Modify /etc/sudoers
# vim /etc/sudoers
User_Alias ADMINS=morries, borries, horace
Cmnd_Alias SERVICES=/sbin/service, /sbin/chkconfig
ADMINS ALL=NOPASSWD:SERVICES
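To see how the rules above combine (aliases, %groups, the (runas) field, NOPASSWD, the trailing-slash directory form and "!" negation with sudo's last-match-wins ordering), here is an added example, not from the course notes, that evaluates a sudoers fragment the way sudo does. The fragment is constructed for the demonstration and adds one broad "ADMINS ALL = ALL" grant so the negation line has something to override; the parser covers only the syntax shown on this page.

```python
import os, re
# Constructed sudoers text (not a real host's file): Day21 examples plus the lab rule; "ADMINS ALL = ALL" is a broad grant the negation line then narrows.
SUDOERS = """\
User_Alias ADMINS = morries, borries, horace
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \\
                    /usr/bin/ksh, /usr/local/bin/tcsh
ADMINS ALL = ALL
ADMINS ALL = !/usr/bin/su, !SHELLS
ADMINS ALL = NOPASSWD: SERVICES
peter ALL = (accounts) /bin/kill, /usr/bin/pkill
peter, %operator ALL = /sbin/, /usr/local/apps/check.pl
"""
split_list = lambda s: [x.strip() for x in s.split(",") if x.strip()]

def parse(text):
    """Return (user_aliases, cmnd_aliases, rules); a rule is (users, runas, nopasswd, cmds)."""
    ualias, calias, rules = {}, {}, []
    lines = [l.split("#", 1)[0].strip() for l in text.replace("\\\n", " ").splitlines()]
    for line in filter(None, lines):                      # continued lines joined, comments dropped
        lhs, rhs = (p.strip() for p in line.split("=", 1))
        if lhs.startswith(("User_Alias", "Cmnd_Alias")):
            kind, name = lhs.split()
            (ualias if kind == "User_Alias" else calias)[name] = split_list(rhs)
            continue
        users = split_list(lhs.rsplit(None, 1)[0])        # drop the host field ("ALL")
        runas, rhs = re.fullmatch(r"(?:\((\w+)\)\s*)?(.*)", rhs).groups()   # optional (runas)
        rules.append((users, runas or "root", rhs.startswith("NOPASSWD:"), split_list(rhs.split(":", 1)[-1])))
    return ualias, calias, rules

def user_matches(spec, user, groups, ualias):
    if spec.startswith("%"):                              # %name is a Unix group
        return spec[1:] in groups.get(user, ())
    return spec in ("ALL", user) or any(user_matches(s, user, groups, ualias) for s in ualias.get(spec, []))

def cmd_matches(spec, cmd, calias):
    if spec.endswith("/"):                                # "/sbin/" means any file directly in /sbin
        return os.path.dirname(cmd) + "/" == spec
    return spec in ("ALL", cmd) or any(cmd_matches(s, cmd, calias) for s in calias.get(spec, []))

def check(user, cmd, runas="root", groups=None, text=SUDOERS):
    """Return 'deny', 'allow' or 'allow-nopasswd' for user running cmd as runas."""
    ualias, calias, rules = parse(text)
    verdict = "deny"                                      # the last matching entry wins, as in sudo
    for users, r_as, nopasswd, cmds in rules:
        if r_as in ("ALL", runas) and any(user_matches(u, user, groups or {}, ualias) for u in users):
            for spec in cmds:
                if cmd_matches(spec.lstrip("!"), cmd, calias):
                    verdict = "deny" if spec.startswith("!") else "allow-nopasswd" if nopasswd else "allow"
    return verdict
```

Note that the order of the three ADMINS lines matters: moving the NOPASSWD line above the "ALL" grant would make /sbin/service prompt for a password again, which is why visudo -c and a quick evaluation like this are worth running before a rule goes live.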

RH135-Day22
Written by Razib Shahriar Rubence
What is FTP
FTP stands for File Transfer Protocol. An FTP server is a server from which we can get (download)
files and to which we can put (upload) files from our own computer over the network.
To configure and implement an FTP server on Red Hat Enterprise Linux 6 we need to follow
these steps:
01. Check the required packages and install them.
The required package for the ftp server is vsftpd.
# rpm -q vsftpd
# yum install vsftpd* -y
02. Edit the configuration file.
After installing the package we need to edit the configuration file for the ftp service. The
configuration file is vsftpd.conf and it resides in the /etc/vsftpd folder. vsftpd.conf may be used to
control various aspects of vsftpd's behaviour. Let's have a look at the vsftpd.conf file:
# vi vsftpd.conf
The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment
lines start with a # and are ignored. A directive line has the format:
option=value
It is important to note that it is an error to put any space between the option, the = and the value.
Two basic options are anonymous_enable=YES and local_enable=YES.
With anonymous_enable=YES anyone can log in to our ftp server with the username anonymous
and no password. With an anonymous login the user is placed directly in the public folder
/var/ftp/pub.
03. Put the files in the ftp folder
Let's put a file in this directory for anonymous users so that they can download it.
# cp /etc/resolv.conf /var/ftp/pub/
04. Restart the ftp service and make sure it is on after reboot.
# service vsftpd restart; chkconfig vsftpd on
05. Test the service
# ftp localhost
Log in with the username anonymous and no password.
ftp> cd pub
ftp> get resolv.conf
If we set anon_upload_enable=YES, anonymous users can upload files.
ftp> put fileforupload
To block anonymous login we simply change the value to anonymous_enable=NO.
Let's see about local users. First we need to create a local ftp user. It is a good idea not to
give shell login permission to local ftp users; this can be done by passing the -s /sbin/nologin
option when we create the local user.
By default local users are placed directly in their home directory, and they can take files from
their home directory and also put files into it.
If we comment out write_enable=YES, local users will also be unable to put files in their home
directory.
One problem with local ftp users is that they can browse throughout our server's file system! This
can be prohibited by jailing the local ftp users into their home directory: chroot_local_user=YES
does this for us.
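The following added example (not part of the course notes) reads a vsftpd.conf in the strict option=value form described above, fills in the defaults that vsftpd.conf(5) applies to any option left out, and then reports the exposures this section warns about: anonymous access (on by default), anonymous uploads, unjailed local users, and the default local_umask of 077, which would leave uploads unreadable to the other marketing users in the lab below. The configuration text is constructed for the demonstration.

```python
# Constructed vsftpd.conf fragment with the Day22 lab settings (not a real server's file).
CONF = """\
# marketing FTP server
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_umask=022
"""
# Built-in defaults from vsftpd.conf(5); they apply to every option the file leaves out.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "anon_upload_enable": "NO", "chroot_local_user": "NO", "local_umask": "077"}

def parse_conf(text):
    """Parse option=value lines; vsftpd rejects whitespace around '=', so this parser does too."""
    opts = dict(DEFAULTS)
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):        # blank and comment lines are ignored
            continue
        opt, eq, val = raw.partition("=")
        if not eq or opt != opt.strip() or val != val.strip():
            raise ValueError("line %d: expected option=value with no spaces: %r" % (n, raw))
        opts[opt] = val
    return opts

def assess(opts):
    """Return the findings a reviewer would raise against the effective settings."""
    yes = lambda k: opts[k].upper() == "YES"
    findings = []
    if yes("anonymous_enable"):
        findings.append("anonymous login is on: anyone can read /var/ftp/pub without a password")
        if yes("anon_upload_enable") and yes("write_enable"):   # vsftpd needs both for uploads
            findings.append("anonymous users can also upload files")
    if yes("local_enable") and not yes("chroot_local_user"):
        findings.append("local users are not jailed and can browse the whole file system")
    if yes("local_enable") and yes("write_enable") and opts["local_umask"] == "077":
        findings.append("local_umask=077: uploads are created mode 600, so colleagues cannot download them")
    return findings
```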
LAB Practice:
Let's assume a situation in an office where we need to deploy an ftp server for the marketing
department. Marketing executives will share their files by downloading each other's files, but they
can't delete each other's files.
- Edit /etc/vsftpd/vsftpd.conf
# vim /etc/vsftpd/vsftpd.conf
local_enable=YES
write_enable=YES
chroot_local_user=YES
# service vsftpd restart; chkconfig vsftpd on
- Create a group mkt
# groupadd mkt
- Create a directory /home/marketing in which the marketing executives will share their files
# mkdir /home/marketing
- Change the group ownership of this directory
# chgrp mkt /home/marketing
- Change the permissions of this directory as follows:
01. For the group the permission will be rwx
02. Set the setgid bit (SGID) so that files uploaded (created) in this directory automatically get the
group ownership of the mkt group
03. Set the sticky bit so that files in this folder can be deleted only by the owner of the file
# chmod 3770 /home/marketing

- Add two users mkt1 and mkt2 with the following features:

01. their home directory will be /home/marketing
02. they will be members of mkt
# adduser -d /home/marketing -G mkt mkt1
# adduser -d /home/marketing -G mkt mkt2

RH255-Day23
Written by Administrator
NFS:

Network File System (NFS) is a network file system protocol originally developed by Sun
Microsystems. It allows your users or client computers to access files over a network. Linux and
UNIX-like operating systems can mount a file system over the network and work with it as if it
were mounted locally. This is perfect for sharing files or for centralized home directories.

Required Packages

-nfs-utils
-rpcbind (before RHEL 6, portmap was used)

To get these packages run the following command:

# yum install nfs-utils* rpcbind* -y

Prerequisites for the nfs service:

The rpcbind and nfslock services must be running on both the client machine and the NFS server.
Also make sure these services will start when the Linux machine boots.

# service rpcbind restart; chkconfig rpcbind on
# service nfslock restart; chkconfig nfslock on

NFS Server Configuration

There are two ways to configure an NFS server:
-By manually editing the NFS configuration file, i.e. /etc/exports
-Through the command line, i.e. through exportfs

We'll edit the /etc/exports file manually. For information about the exportfs command,
please see the man page for exportfs.

The /etc/exports Configuration File

The /etc/exports file controls which file systems are exported to remote hosts and specifies
options. It follows the following syntax rules:

-Blank lines are ignored.
-To add a comment, start a line with the hash mark (#).
-You can wrap long lines with a backslash (\).
-Each exported file system should be on its own individual line.
-Any lists of authorized hosts placed after an exported file system must be separated by space
characters.
-Options for each of the hosts must be placed in parentheses directly after the host identifier,
without any spaces separating the host and the first parenthesis.
-Each entry for an exported file system has the following structure:

export host(options)

The aforementioned structure uses the following variables:

export: The directory being exported
host: The host or network to which the export is being shared
options: The options to be used for host

You can specify multiple hosts, along with specific options for each host. To do so, list them on
the same line as a space-delimited list, with each hostname followed by its respective options
(in parentheses), as in:
export host1(options1) host2(options2) host3(options3)

In its simplest form, the /etc/exports file only specifies the exported directory and the hosts
permitted to access it, as in the following example:

/var/ftp/pub station1.example.com

Here, station1.example.com can mount /var/ftp/pub from the NFS server. As no options are
specified in this example, NFS will use default settings.

The default settings are:
ro
The exported file system is read-only. Remote hosts cannot change the data shared on the file
system. To allow hosts to make changes to the file system (i.e. read/write), specify the rw
option.
sync
The NFS server will not reply to requests before changes made by previous requests are written
to disk. To enable asynchronous writes instead, specify the option async.
wdelay
The NFS server will delay writing to the disk if it suspects another write request is imminent.
This can improve performance as it reduces the number of times the disk must be accessed by
separate write commands, thereby reducing write overhead. To disable this, specify
no_wdelay; note that no_wdelay is only available if the default sync option is also specified.
root_squash
This prevents root users connected remotely (as opposed to locally) from having root privileges;
instead, the NFS server will assign them the user ID nfsnobody. This effectively "squashes" the
power of the remote root user to the lowest local user, preventing possible unauthorized writes
on the remote server. To disable root squashing, specify no_root_squash.

Each default for every exported file system must be explicitly overridden. For example, if the rw
option is not specified, then the exported file system is shared as read-only. The following is a
sample line from /etc/exports which overrides the ro default option:
/another/exported/directory 192.168.0.3(rw)
In this example 192.168.0.3 can mount /another/exported/directory/ with the read/write option.

The host(s) can be in the following forms:

Single machine
A fully-qualified domain name (that can be resolved by the server), hostname (that can be
resolved by the server), or an IP address.
Series of machines specified via wildcards
Use the * or ? character to specify a string match. Wildcards are not to be used with IP
addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying
wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example,
*.example.com includes one.example.com but does not include one.two.example.com.
IP networks
Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for
example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the
network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
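To tie the syntax rules, the default options and the three host forms together, here is an added example (not from the course notes) that parses a constructed /etc/exports, decides which host entry a given client matches and which options it ends up with once the defaults are applied, and flags the entries a reviewer would question (no_root_squash, or rw granted to a wildcard). It simplifies one thing: when several entries on a line could match the same client it takes the first one, whereas exports(5) defines a precedence between entry types.

```python
import ipaddress, re
# Constructed /etc/exports using the Day23 examples (not copied from any real server).
EXPORTS = """\
# lab exports
/var/ftp/pub   192.168.0.0/24(rw)  *.example.com
/another/exported/directory 192.168.0.3(rw,no_root_squash) \\
                            10.0.0.0/255.255.255.0(ro,async)
"""
DEFAULTS = ("ro", "sync", "wdelay", "root_squash")
# each explicit option that replaces one of the defaults
OVERRIDES = {"rw": "ro", "async": "sync", "no_wdelay": "wdelay", "no_root_squash": "root_squash"}

def parse_exports(text):
    """Return (export, host_spec, [options]) triples, one per host on each line."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():       # join backslash-continued lines
        fields = line.split("#", 1)[0].split()
        for spec in fields[1:]:                                  # fields[0] is the export path
            m = re.fullmatch(r"([^()]+)(?:\(([^)]*)\))?", spec)  # host(opts): no space before "("
            if not m:
                raise ValueError("bad host entry %r" % spec)
            entries.append((fields[0], m.group(1), [o for o in (m.group(2) or "").split(",") if o]))
    return entries

def host_matches(spec, client_ip, client_name=None):
    """Single host (name or IP), wildcard name, or a.b.c.d/z / a.b.c.d/netmask network."""
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    if "*" in spec or "?" in spec:              # wildcards match names only, and never a dot
        pattern = re.escape(spec).replace(r"\*", "[^.]*").replace(r"\?", "[^.]")
        return bool(client_name) and re.fullmatch(pattern, client_name) is not None
    return spec in (client_ip, client_name)

def effective_options(text, export, client_ip, client_name=None):
    """Options the client gets on export, defaults included, or None if it is not exported to it.
    Simplification: the first matching host entry on the line is used (see exports(5) for precedence)."""
    for exp, spec, opts in parse_exports(text):
        if exp == export and host_matches(spec, client_ip, client_name):
            active = set(DEFAULTS)
            for opt in opts:
                active.discard(OVERRIDES.get(opt))   # an explicit option replaces its default
                active.add(opt)
            return active
    return None

def review(text):
    """Entries a reviewer would question: no_root_squash, or rw granted to a wildcard host."""
    return [(e, h) for e, h, o in parse_exports(text)
            if "no_root_squash" in o or ("rw" in o and ("*" in h or "?" in h))]
```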

NFS service start :

Before starting the nfs service it is good to restart the rpcbind and nfslock services. After that restart
the nfs service.

# service rpcbind restart
# service nfslock restart
# service nfs restart; chkconfig nfs on

The exportfs command:

If no options are passed to the exportfs command, it displays a list of currently exported file
systems.

# exportfs

/var/ftp/pub 192.168.0.0/24

When the nfs service starts, the /usr/sbin/exportfs command launches and reads /etc/exports,
passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to
rpc.nfsd, where the file systems are then available to remote users.

When issued manually, the /usr/sbin/exportfs command allows the root user to selectively
export or unexport directories without restarting the NFS service. When given the proper
options, the /usr/sbin/exportfs command writes the exported file systems to
/var/lib/nfs/xtab. Changes to the list of exported file systems take effect immediately.

The following is a list of commonly used options available for /usr/sbin/exportfs:
-r
Causes all directories listed in /etc/exports to be exported by constructing a new export list in
/var/lib/nfs/xtab. This option effectively refreshes the export list with any changes made to
/etc/exports.
-a
Causes all directories to be exported or unexported, depending on what other options are
passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file
systems specified in /etc/exports.
-o file-systems
Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with
the additional file systems to be exported. These file systems must be formatted in the same way
they are specified in /etc/exports. Refer to the section "The /etc/exports Configuration File"
above for more information on /etc/exports syntax. This option is often used to test an exported
file system before adding it permanently to the list of file systems to be exported.
-i
Ignores /etc/exports; only options given on the command line are used to define exported file
systems.
-u
Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file
sharing while keeping all NFS daemons up. To re-enable NFS sharing, use exportfs -r.
-v
Verbose operation, where the file systems being exported or unexported are displayed in
greater detail when the exportfs command is executed.

Practice LAB:

Export your /var/ftp/pub folder to the 192.168.0.0/24 network with the read-write option.

# rpm -qa rpcbind-* nfs-*
# yum install rpcbind-* nfs-* -y
# vim /etc/exports

/var/ftp/pub 192.168.0.0/24(rw)

# service rpcbind restart; chkconfig rpcbind on
# service nfslock restart; chkconfig nfslock on
# service nfs restart; chkconfig nfs on

# exportfs -> shows the exported folders (this won't show the options)

/var/ftp/pub 192.168.0.0/24

# showmount -e localhost <-- to check that it is mountable

Now try to mount this folder from another station with the following command:

# mount serverip:/var/ftp/pub /local/mount/dir
