LPI Linux Certification in a Nutshell Part 30

TransactionSummary =============================================================================== Install16Package(s) Update0Package(s) Remove0Package(s)

Totaldownloadsize:39M Isthisok[y/N]: This installation will also install the KDE KDE window manager. Once this has been installed, you can select the session you wish to boot into at startup using the session menu. The main configuration file to control the way the window manager. Once this has been installed, you can select the session you wish to boot into at startup using the session menu. The main configuration file to control the way the KDM KDM operates is called operates is called kdmrc kdmrc, which is located in /etc/kde/kdm /etc/kde/kdm. The following is an example of the contents of this file: #KDMmasterconfigurationfile # #Definition:thegreeteristhelogindialog,i.e.,thepartofKDM #whichtheusersees.

# #YoucanconfigureeveryX-displayindividually.

#Everydisplayhasadisplayname,whichconsistsofahostname #(whichisemptyforlocaldisplaysspecifiedin{Static|Reserve}Servers), #acolon,andadisplaynumber.Additionally,adisplaybelongstoa #displaycla.s.s(whichcanbeignoredinmostcases;thecontrolcenter #doesnotsupportthisfeatureatall).

#Sectionswithdisplay-specificsettingshavetheformalsyntax #"[X-"host[":"number["_"cla.s.s]]"-"sub-section"]"

#Youca.n.u.sethe"*"wildcardforhost,number,andcla.s.s.Youmayomit #trailingcomponents;theyarea.s.sumedtobe"*"then.

#Thehostpartmaybeadomainspecificationlike".inf.tu-dresden.de".

#Itmayalsobe"+",whichmeansnon-empty,i.e.remotedisplaysonly.

#Fromwhichsectionasettingisactuallytakenisdeterminedbythese #rules: Configuring GDM GDM is the window manager for the GNOME desktop environment. GNOME is the default graphical desktop environment for Fedora and Ubuntu. The is the window manager for the GNOME desktop environment. GNOME is the default graphical desktop environment for Fedora and Ubuntu. The GDM GDM window manager will be loaded automatically during the graphical installation of these operating systems. If you need to install the GNOME environment and the window manager will be loaded automatically during the graphical installation of these operating systems. If you need to install the GNOME environment and the GDM GDM manager, you can use the package manager by issuing a command similar to: manager, you can use the package manager by issuing a command similar to: #yumgroupinstall"GNOMEDesktopEnvironment"

The main configuration file for GDM GDM is either is either gdm.conf gdm.conf or or custom.conf custom.conf, depending on the distribution of Linux. The configuration file will be located in etc/gdm/gdm.conf etc/gdm/gdm.conf. This file contains sections for configuring the way the login process operates, the session environments, and the look and feel of the manager or "greeter" that the user is presented with at the initial login screen. The file is heavily commented for each section of the sections. The following is an example of this configuration file's contents: #Forfullreferencedoc.u.mentationseetheGNOMEhelpbrowserunder #GNOME|Systemcategory.Youca.n.a.lsofindthedocsinHTMLformon #http://www.gnome.org/projects/gdm/ # #NOTE:Somevaluesarecommentedout,butshowtheirdefaultvalues.Lines #thatbeginwith"#"areconsideredcomments.

# #Havefun!

[daemon]

#Automaticlogin,iftruethefirstlocalscreenwillautomaticallylogged #inasusera.s.setwithAutomaticLoginkey.

AutomaticLoginEnable=false AutomaticLogin=

#Timedlogin,usefulforkiosks.Loginacertainuserafteracertain #amountoftime.

TimedLoginEnable=false TimedLogin= TimedLoginDelay=30

#TheGDMconfigurationprogramthatisrunfromtheloginscreen,you #shouldprobablyleavethisalone.

#Configurator=/usr/sbin/gdmsetup--disable-sound--disable-crash-dialog

#Thechooserprogram.Mustoutputthechosenhostonstdout,probablyyou #shouldleavethisalone.

#Chooser=/usr/lib/gdm/gdmchooser

#Thegreeterforlocal(non-xdmcp)logins.Changegdmlogintogdmgreeter #togetthenewgraphicalgreeter.

Greeter=/usr/lib/gdm/gdmgreeter

#Thegreeterforxdmcplogins,usuallyyouwantalessgraphically #intensivegreeterheresoit'sbettertoleavethiswithgdmlogin #RemoteGreeter=/usr/lib/gdm/gdmlogin Switching display managers More than one desktop environment may be run on the Linux system at any time. If both the KDE and GNOME environments are installed, you may switch between them during the graphical login by selecting the environment from the session menu. Both the KDM KDM and and GDM GDM managers will have the session menu available at startup. It is possible to run only one of the display managers, but you can change which display manager is presented during startup. In order to change from the default managers will have the session menu available at startup. It is possible to run only one of the display managers, but you can change which display manager is presented during startup. In order to change from the default GDM GDM manager, you will need to update the manager, you will need to update the /etc/sysconfig/desktop /etc/sysconfig/desktop file by editing the following: file by editing the following: desktop="kde"

displaymanager="kdm"

Another way to switch between the KDM KDM and and GDM GDM managers is to install the managers is to install the switchdesk switchdesk tool using a package manager and then execute the application. tool using a package manager and then execute the application. switchdesk switchdesk allows users to simply switch between various desktop environments installed on the system. Not all display managers are supported; however, it does support KDE and GNOME: allows users to simply switch between various desktop environments installed on the system. Not all display managers are supported; however, it does support KDE and GNOME: $switchdeskkde RedHatLinuxswitchdesk4.0 Copyright(C)1999-2004RedHat,Inc RedistributableunderthetermsoftheGNUGeneralPublicLicense DesktopnowsetuptorunKDE.On the ExamRemember that you may run more than one desktop environment at a time with Linux. You will need to know how you can switch environments and possibly make either the KDM or GDM the default window manager.

Objective 3: Accessibility There are a wide range of physical disabilities that can impair a user's ability to interact with computers and applications. Most of the Linux distributions come with some a.s.sistive technology tools built in for visually and physically challenged users. One of the earliest tools was Emacspeak (currently at version 31), a free screen reader that allows users to interact independently with the computer. It is available for most versions of Linux. The Emacspeak desktop works with a variety of applications, including browsers.

Screen readers are software applications that provide translation of the information on the computer screen to an audio output format. The translation is pa.s.sed to the speech synthesizer, and the words are spoken out loud. Currently, fully functional screen readers are available for Linux only in console mode. The following are some of the most common screen readers: Emacspeak This tool is cla.s.sified as a screen reader, but the creator calls it an "audio desktop." It is an excellent nongraphical, text-based interface for users who are visually impaired. This application can be used as a screen reader in conjunction with a hardware synthesizer or IBM ViaVoice Run-time text-to-speech application.

Jupiter Speech System An older screen reader for Linux in console mode. This package also includes the ability to read logfiles of an interactive session and contains customizable speech commands.

Speakup A screen review package for the Linux operating system. It requires a hardware speech synthesizer such as the DecTalk Express. It allows computer interaction by verbal commands, in addition to synthesized voice feedback from the console.

Orca A screen reader designed to work with applications and toolkits that support the a.s.sistive technology service provider interface (AT-SPI). This includes the GNOME desktop and its applications, OpenOffice, Firefox, and the Java platform. Orca may be enabled under the system/preferences menu from the GNOME environment. Orca includes support for a.s.sistive tools for speech, Braille, and screen magnification.

Here are some other products that serve as screen magnifiers, which enable users who are partially blind to view selected areas of the screen, similar to using a magnifying gla.s.s: SVGATextmode This product enlarges or reduces the font size for users who prefer to work in console mode. The normal text screen that Linux provides is 80 characters across and 25 vertically. After SVGATextmode is installed, the text can be displayed much larger, for example, 50 characters across and 15 vertically. The program does not offer the ability to zoom in and out, but the user can resize when necessary. Do not run try to run SVGATextmode from an X Windows terminal; you must be in console mode for the display to function properly.

Xzoom A screen magnifier that allows the user to magnify, rotate, or mirror a portion of the screen.

Some additional applications that may be used to support Braille devices in conjunction with the computer include: BrLTTY Supports parallel port and USB Braille displays and provides access to the Linux console. It drives the terminal and provides complete screen review capabilities. It is available at http://dave.mielke.cc/brltty/.

Blind + Linux = BLINUX Provides doc.u.mentation, downloads, and a mailing list that focus on users who are blind. Information and software packages are available at http://leb.net/blinux.

The Linux operating system also has built-in features that allow for additional keyboard configuration. In some of the X Windows desktops, these settings can be changed from the preferences menu. An application developed for X Windows called AccessX provides a graphical user interface for configuring all of the following AccessX keyboard settings: StickyKeys Enables the user to lock modifier keys (for example, Ctrl and s.h.i.+ft), allowing single-finger operations in place of multiple key combinations.

MouseKeys Provides alternative keyboard sequences for cursor movement and mouse b.u.t.ton operations.

SlowKeys This setting requires the user to hold the key down for a specified period of time before the keystroke is accepted. This prevents keystrokes that are pressed accidentally from being sent.

ToggleKeys Sounds an audio alert that warns the user that a keystroke created a locking state for keys, such as Caps Lock and Num Lock.

RepeatKeys Allows a user with limited coordination additional time to release keys before multiple key sequences are sent to the application.

BounceKeys or Delay Keys These settings have a delay between keystrokes. This function can help prevent the system from accepting unintentional keystrokes.

Onscreen keyboards enable a user to select keys using a pointing device, such as a mouse, trackball, or touch pad, and can be used in place of a standard keyboard.

GTkeyboard An onscreen, graphical keyboard that can be downloaded at http://opop.nols.com/gtkeyboard.html.

GNOME Onscreen Keyboard (GOK) An onscreen, graphical keyboard that enables users to control their computers without relying on a standard keyboard or mouse. More information is available at http://www.gok.ca.

Remember that most Linux distributions will have some form of a.s.sistive technology built into the GUI, accessible through system settings or preferences. Most of these include at least the ability to modify mouse and keyboard actions and to add a screen reader or magnification. Some, as with GNOME and the Orca project, will have more support, including the ability to add an onscreen keyboard.

On the ExamYou should be aware of the various a.s.sistive technology tools that are available for use in Linux. Many of the tools may be installed already in the operating system and just need to be enabled from the system settings or preferences menu. More information about a.s.sistive technology for Linux users may be found at Ability Net Gate.

Chapter15.Administrative Tasks (Topic 107)

As a system administrator in a multiuser environment, much of your activity is related to users and their system accounts, the automation of routine tasks, and internationalization. This chapter covers these administrative aspects of Linux as required for Exam 102. This chapter has three Objectives: Objective 1: Manage User and Group Accounts and Related System Files Candidates should be able to add, remove, suspend, and change user accounts. Tasks to adding and removing groups, and changing user/group info in pa.s.sword/group databases. This Objective also includes creating special-purpose and limited accounts. Weight: 5.

Objective 2: Automate System Administration Tasks by Scheduling Jobs Candidates should be able to use cron cron or or anacron anacron to run jobs at regular intervals and to use to run jobs at regular intervals and to use at at to run jobs at a specific time. Tasks include managing to run jobs at a specific time. Tasks include managing cron cron and and at at jobs and configuring user access to jobs and configuring user access to cron cron and and at at services. Weight. 4. services. Weight. 4.

Objective 3: Localization and Internationalization Candidates should be able to localize a system in a language other than English. Additionally, candidates should understand why LANG=C is useful when scripting. Weight: 3.

Objective 1: Manage User and Group Accounts and Related System Files Whether on a corporate server or personal desktop machine, managing user accounts is an important aspect of running a Linux system. The root root, or superuser, account is established when you first install Linux. Unlike single-user systems (such as MS-DOS), multiuser systems require the notion of an owner owner for files, processes, and other system objects. An owner may be a human system user or a system service, such as a web server. Each of these owners is differentiated from others by a unique for files, processes, and other system objects. An owner may be a human system user or a system service, such as a web server. Each of these owners is differentiated from others by a unique user account user account, which is a.s.signed to it by the system administrator.

User Accounts and the Pa.s.sword File When a new user account is added to a Linux system, an entry is added to a list of users in the pa.s.sword file pa.s.sword file, which is stored in /etc/pa.s.swd /etc/pa.s.swd. This file gets its name from its original use, which was to store user information, including an encrypted form of the user's pa.s.sword. The pa.s.sword file is in plain text and is readable by everyone on the system. Each line in the pa.s.sword file contains information for a single user account, with fields separated by colons, as ill.u.s.trated in Figure15-1 Figure15-1.

Figure15-1.Sample lines from a pa.s.sword file Each line in the file contains information for a single system account and includes the following pieces of information in colon-separated fields: Username The first field on a line is a unique username username for the person or service using the account. for the person or service using the account.

Pa.s.sword Each username has an a.s.sociated pa.s.sword pa.s.sword. The pa.s.sword stored in this field is in a hashed (unreadable and unrecoverable) form. Despite the hash, for security reasons, most systems now store user pa.s.swords in a separate /etc/shadow /etc/shadow file that has restricted permissions. If the pa.s.sword is not included, its field is filled by the letter file that has restricted permissions. If the pa.s.sword is not included, its field is filled by the letter x x, which indicates that the shadow pa.s.sword system is in use.

User ID Each username requires a unique user identifier user identifier, or UID. The UID is simply a nonnegative integer. The root root account is a.s.signed the UID of 0, which gives it global privilege on the system. By convention, the UID values from 0 to 99 are reserved for administrative use; those over 99 are for regular system users. It's not unusual for new system accounts to start at 500. account is a.s.signed the UID of 0, which gives it global privilege on the system. By convention, the UID values from 0 to 99 are reserved for administrative use; those over 99 are for regular system users. It's not unusual for new system accounts to start at 500.

Group ID Each username has a default group identifier group identifier, or GID. The GID is also a nonnegative integer. Groups are a way of allowing users to share files through mutual group members.h.i.+p. Group numbers and their a.s.sociated names are specified in the /etc/group /etc/group file. The GID stored for each user in file. The GID stored for each user in /etc/pa.s.swd /etc/pa.s.swd is its default group ID, though a user may belong to many groups. is its default group ID, though a user may belong to many groups.

Full name (or other comment) The user's full name or other information is stored as plain text. This field may contain s.p.a.ces.

Home directory The home directory home directory is the default directory in the filesystem for the user's account. If a new account is meant for a person, a home directory will probably be created in the filesystem with standard configuration files that the user may then personalize. The full path to that home directory is listed here. is the default directory in the filesystem for the user's account. If a new account is meant for a person, a home directory will probably be created in the filesystem with standard configuration files that the user may then personalize. The full path to that home directory is listed here.

Default sh.e.l.l This field specifies the default sh.e.l.l for the user or service, which is the sh.e.l.l that runs when the user logs in or opens a sh.e.l.l window. In most cases, the sh.e.l.l will be /bin/bash /bin/bash, but it can be any sh.e.l.l, or even another executable program. (Nonsh.e.l.l entries may be seen in the case of some services that should own files but never log in interactively. You may see the sh.e.l.l field filled with /bin/false /bin/false, a small program that does nothing but yield an error and terminate. This ensures that a service account is secured from login.) Looking back at Figure15-1 Figure15-1, the first line shows the definition of the root root account with UID and GID of 0, a name of account with UID and GID of 0, a name of root root, a home directory of /root /root, and a default sh.e.l.l of /bin/bash /bin/bash. The second line shows a standard user account for Jeff Dean, with UID and GID of 500. The home directory is /home/jdean /home/jdean, and the default sh.e.l.l is /bin/tcsh /bin/tcsh.

More detailed information about /etc/pa.s.swd /etc/pa.s.swd can be found in can be found in Chapter22 Chapter22.

Groups and the Group File In addition to owners.h.i.+p by individual system users, filesystem objects have separate owners.h.i.+p settings for groups of users. This group owners.h.i.+p group owners.h.i.+p allows an additional level of user-specific access control beyond that of a file's individual owner. Groups are similar to users in their administration and are defined in the file allows an additional level of user-specific access control beyond that of a file's individual owner. Groups are similar to users in their administration and are defined in the file /etc/group /etc/group. Like the pa.s.swd pa.s.swd file, the file, the group group file contains colon-separated fields: file contains colon-separated fields: Group name Each group must have a unique name.

Group pa.s.sword Just as user accounts have pa.s.swords, groups can have pa.s.swords for their members.h.i.+p. If the pa.s.sword field is empty, the group does not require a pa.s.sword.

Group ID Each group requires a unique GID. Like a UID, a GID is a nonnegative integer.

Group member list The last field is a list of group members by username, separated by commas.

Together, these pieces of information define a group; colons separate the fields. Here are a few sample lines from a group file: root:x:0:root pppusers:x:230:jdean,jdoe finance:x:300:jdean,jdoe,bsmith jdean:x:500: jdoe:x:501: bsmith:x:502: In this example, both jdean jdean and and jdoe jdoe are members of the are members of the pppusers pppusers group (GID 230), and group (GID 230), and jdean jdean, jdoe jdoe, and bsmith bsmith are all members of the are all members of the finance finance group (GID 300). The remaining groups, group (GID 300). The remaining groups, root root, jdean jdean, jdoe jdoe, and bsmith bsmith, are single-user groups. These groups are not intended for multiple users and do not contain additional members. For security purposes, it is common to create new users with their own personal single-user group. Doing this enhances security because new files and directories will not have group privileges for other users. (Although the GID of these single-user groups may match the UID of the user for which they're created, there is no direct relations.h.i.+p between the UID and GID.) The Shadow Pa.s.sword and Shadow Group Systems Encrypted pa.s.swords must be secure from all users on the system, while leaving the remainder of the information in /etc/pa.s.swd /etc/pa.s.swd world-readable. To do this, the encrypted pa.s.sword is moved to a new file that world-readable. To do this, the encrypted pa.s.sword is moved to a new file that shadows shadows the pa.s.sword file line for line. The file is aptly called the pa.s.sword file line for line. The file is aptly called /etc/shadow /etc/shadow and is generally said to contain and is generally said to contain shadow pa.s.swords shadow pa.s.swords. Here are a couple of example lines from a shadow file: root:$1$oxEaSzzdXZESTGTU:10927:0:99999:7:-1:-1:134538444 jdean:$1$IviLopPn461z47J:10927:0:99999:7::11688:134538412 The first two fields contain the username and the encrypted pa.s.swords. The remaining fields contain optional additional information on pa.s.sword aging information.

Group pa.s.swords and shadow groups Just as user accounts listed in /etc/pa.s.swd /etc/pa.s.swd are protected by encrypted pa.s.swords, groups listed in are protected by encrypted pa.s.swords, groups listed in /etc/group /etc/group can also be protected by pa.s.swords. A group pa.s.sword can be used to allow access to a group by a user account that is not actually a member of the group. Account users can use the can also be protected by pa.s.swords. A group pa.s.sword can be used to allow access to a group by a user account that is not actually a member of the group. Account users can use the newgrp newgrp command to change their default group and enter the group pa.s.sword. If the pa.s.sword is correct, the account is granted the group privileges, just as a group member would be. command to change their default group and enter the group pa.s.sword. If the pa.s.sword is correct, the account is granted the group privileges, just as a group member would be.

The group definition file, like the pa.s.sword file, is readable by everyone on the system. If group pa.s.swords are stored there, a dictionary attack could be made against them. To protect against such attacks, pa.s.swords in /etc/group /etc/group can be shadowed. The protected pa.s.swords are stored in can be shadowed. The protected pa.s.swords are stored in /etc/gshadow /etc/gshadow, which is readable only by root root. Here are a few sample lines from a gshadow gshadow file: file: root:::root pppusers:!:: finance:0cf7ipLtpSBGg:: jdean:!:: jdoe:!:: bsmith:!:: In this example, the groups pppusers pppusers, jdean jdean, jdoe jdoe, and bsmith bsmith do not have group pa.s.swords, as indicated by the do not have group pa.s.swords, as indicated by the ! ! in the pa.s.sword field. The in the pa.s.sword field. The finance finance group is the only one with a pa.s.sword, which is hashed. group is the only one with a pa.s.sword, which is hashed.

More detailed information about shadow pa.s.swords can be found in Chapter22 Chapter22.

On the ExamA major contrast between pa.s.swd/group pa.s.swd/group and and shadow/gshadow shadow/gshadow is the permissions on the files. The standard files are readable by everyone on the system, but the shadow files are readable only by is the permissions on the files. The standard files are readable by everyone on the system, but the shadow files are readable only by root root, which protects encrypted pa.s.swords from theft and possible cracking.

User and Group Management Commands Although possible, it is rarely necessary (or advised) to manipulate the account and group definition files manually with a text editor. Instead, a family of convenient administrative commands is available for managing accounts, groups, pa.s.sword shadowing, group shadowing, and pa.s.sword aging. Pa.s.sword aging (rules governing change intervals and automated expiration of pa.s.swords) is not an explicit Objective for the LPIC Level 1 Exams.

Name useradd Syntax useradd[options]user Description Create the account user user on the system. Both system defaults and specified on the system. Both system defaults and specified options options define how the account is configured. All system account files are updated as required. An initial pa.s.sword must subsequently be set for new users using the define how the account is configured. All system account files are updated as required. An initial pa.s.sword must subsequently be set for new users using the pa.s.swd pa.s.swd command. It is the user's responsibility to go back and change that pa.s.sword when he first logs into the system. command. It is the user's responsibility to go back and change that pa.s.sword when he first logs into the system.

Frequently used options -c comment comment Define the comment field, probably the user's name.

-d homedir homedir Use homedir homedir as the user's home directory. as the user's home directory.

-m Create and populate the home directory.

-s sh.e.l.l sh.e.l.l Use sh.e.l.l sh.e.l.l as the default for the account. as the default for the account.

-D List (and optionally change) system default values.

Example Add a new user, bsmith bsmith, with all default settings: #useraddbsmith Add a new user, jdoe jdoe, with a name, default home directory, and the tcsh tcsh sh.e.l.l: sh.e.l.l: #useradd-mc"JaneDoe"-s/bin/tcshjdoe

Name usermod Syntax usermod[options]user Description Modify an existing user account. The usermod usermod command accepts many of the same options command accepts many of the same options useradd useradd does. does.

Frequently used options -L Lock the pa.s.sword, disabling the account.

-U Unlock the user's pa.s.sword, enabling the user to once again log in to the system.

Examples Change jdoe jdoe's name in the comment field: #usermod-c"JaneDeer-Doe"jdoe Lock the pa.s.sword for bsmith bsmith: #usermod-Lbsmith

Name userdel Syntax userdel[-r]user Description Delete an existing user account. When combined with the -r -r option, the user's home directory is deleted. Note that completely deleting accounts may lead to confusion when files owned by the deleted user remain in other system directories. For this reason, it is common to disable an account rather than delete it. Accounts can be disabled using the option, the user's home directory is deleted. Note that completely deleting accounts may lead to confusion when files owned by the deleted user remain in other system directories. For this reason, it is common to disable an account rather than delete it. Accounts can be disabled using the chage chage, usermod usermod, and pa.s.swd pa.s.swd commands. commands.

Example Delete the user bsmith bsmith, including the home directory: #userdel-rbsmith

Name groupadd Syntax groupaddgroup Description Add group group to the system. In the rare case that a group pa.s.sword is desired on to the system. In the rare case that a group pa.s.sword is desired on group group, it must be added using the gpa.s.swd gpa.s.swd command after the group is created. command after the group is created.