Tuesday, April 10, 2012

Linux ACL

If you require more control of your file permissions, Access Control Lists (ACLs) may be the way to go. ACLs go beyond the normal user/group/other paradigm and allow setting permissions per individual user or group.
ACLs are a great option when you want to grant permissions without creating entire user groups. They are also great when you need to allow your non-super-users the ability to set permissions. You still have to be the main owner of a file to modify its permissions, though.

Proceed with caution! ACLs can cause mysterious permission errors that are not immediately obvious to someone who isn't aware of them. For this very reason, ACLs are enabled but not used by default in the latest RHEL / CentOS.

To check if your ext3 filesystem has the proper default options, use tune2fs. Look for "Default mount options:" with acl set. Let's assume we have /dev/sdb1 mounted on /data1 and we want to enable the acl option.
[root@foobaz ~]# tune2fs -l /dev/sdb1
To enable ACLs on a filesystem, we must set the fs default and remount:
[root@foobaz ~]# tune2fs -o acl /dev/sdb1
[root@foobaz ~]# mount -o remount,acl /data1
Use getfacl to view ACLs:
[root@foobaz ~]# touch /data1/foo.txt
[root@foobaz ~]# getfacl /data1/foo.txt
getfacl: Removing leading '/' from absolute path names
# file: data1/foo.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Use setfacl to set ACLs, with -m to modify and -x to remove a given ACL.

give user bob read+write+execute on a file:
[root@foobaz ~]# setfacl -m u:bob:rwx /data1/singh.txt
give group peeps read+write on a file:
[root@foobaz ~]# setfacl -m g:peeps:rw /data1/singh.txt
remove bob's ACL permissions:
[root@foobaz ~]# setfacl -x u:bob /data1/singh.txt
set the default ACL permissions on a directory:
[root@foobaz ~]# setfacl -m d:g:peeps:rw /data1/stuff/
revoke write permission by setting the ACL mask (the mask caps the effective permissions of named users, named groups and the owning group; the file owner and "other" are not affected by it):
[root@foobaz ~]# setfacl -m m::rx /data1/singh.txt
When ACLs are present, ls -l shows a plus sign after the mode bits to notify you (note that the group triplet then displays the ACL mask, not the owning group's own permissions):
[root@foobaz ~]# ls -l /data1/singh.txt
-rw-rwxr--+ 1 root root 0 Dec  3 14:54 /data1/singh.txt
Note that the mv and cp -p commands will preserve ACLs. If you have defaults set on a parent directory, new files in that directory will inherit those settings.

If you want to remove all ACLs, reverting back to the base unix permissions of owner, group and other:
[root@foobaz ~]# setfacl --remove-all /data1/singh.txt
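To make the mask rule concrete, here is an added Python example (not code from the original post) that parses getfacl output, computes each entry's effective permissions the way getfacl's #effective: annotations do, and builds the mode string ls -l would show. The input is a constructed getfacl listing for singh.txt after the three setfacl commands above (bob rwx, peeps rw, mask rx).

```python
# Added example (not from the original post): derive effective ACL permissions
# from getfacl(1) text output, applying the mask exactly as the kernel does,
# and reproduce the mode column that ls -l prints for the file.

# Constructed getfacl output modelled on /data1/singh.txt after
# "setfacl -m u:bob:rwx", "setfacl -m g:peeps:rw" and "setfacl -m m::rx".
SAMPLE_GETFACL = """\
# file: data1/singh.txt
# owner: root
# group: root
user::rw-
user:bob:rwx
group::r--
group:peeps:rw-
mask::r-x
other::r--
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples; getfacl comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":", 2)
            entries.append((tag, qualifier, perms))
    return entries

def apply_mask(perms, mask):
    """A permission bit is effective only if it is set in both the entry and the mask."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective_permissions(text):
    """Map 'tag:qualifier' -> effective perms. The mask caps named users,
    named groups and the owning group; the owner and 'other' are exempt."""
    entries = parse_acl(text)
    mask = next((p for t, q, p in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        subject_to_mask = (tag == "user" and qualifier != "") or tag == "group"
        eff = apply_mask(perms, mask) if mask and subject_to_mask else perms
        result[f"{tag}:{qualifier}"] = eff
    return result

def ls_mode_string(text):
    """Mode column ls -l prints for a regular file with this ACL: when a mask
    exists the group triplet shows the mask, and a trailing '+' flags the ACL."""
    entries = {(t, q): p for t, q, p in parse_acl(text)}
    extended = ("mask", "") in entries or any(q for t, q in entries)
    group = entries.get(("mask", ""), entries[("group", "")])
    return "-" + entries[("user", "")] + group + entries[("other", "")] + ("+" if extended else "")

if __name__ == "__main__":
    for subject, perms in effective_permissions(SAMPLE_GETFACL).items():
        print(f"{subject:<14} effective {perms}")
    print(ls_mode_string(SAMPLE_GETFACL))  # -rw-r-xr--+
```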

TCP Wrapper Management on a Linux Machine

Explain Linux / UNIX TCP Wrappers / Find Out If Program Compiled With TCP Wrappers


What are TCP Wrappers? How do I find out if a program / server / service is compiled with TCP Wrappers? What are the advantages and disadvantages of TCP Wrappers over firewalls like netfilter or pf? How do I protect my Mac OS X, Sun Solaris or Linux workstation using TCP Wrappers?

Almost all BSD / UNIX / Linux-like operating systems are compiled with TCP Wrappers support. For example, Solaris 9, various Linux / *BSD distributions, and Mac OS X have TCP Wrappers configured to run out-of-the-box. It is a library which provides simple access control and standardized logging for supported applications which accept connections over a network.
TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet services. TCP Wrappers was originally written to monitor and stop cracking activity against UNIX workstations in the 1990s. It was the best solution at the time for protecting UNIX workstations exposed to the Internet. However, it has a few disadvantages:
  1. All UNIX apps must be compiled with the libwrap library.
  2. The wrappers do not work with RPC services over TCP.
  3. The user name lookup feature of TCP Wrappers uses identd to identify the username on the remote host. By default, this feature is disabled, as identd may appear hung when there are a large number of TCP connections.
However, it has one strong advantage over a firewall: it works at the application layer, so it can filter requests even when encryption is used. In practice, you need both host-based and network-based security. Common services such as pop3, ftp, sshd, telnet and the r-services are supported by TCP Wrappers.

TCPD Benefits

  1. Logging - Connections that are monitored by tcpd are reported through the syslog facility.
  2. Access Control - tcpd supports a simple form of access control that is based on pattern matching. You can even hook the execution of shell commands / scripts when a pattern matches.
  3. Host Name Verification - tcpd verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
  4. Spoofing Protection

How do I Find Out If Program Is Compiled With TCP Wrappers Or Not?

To determine whether a given executable daemon /path/to/daemon supports TCP Wrappers, check the man page, or enter:
$ ldd /path/to/daemon | grep libwrap.so
If this command returns any output, then the daemon probably supports TCP Wrappers. In this example, to find out whether sshd supports TCP Wrappers, enter:
$ whereis sshd
Sample Output:
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
$ ldd /usr/sbin/sshd | grep libwrap.so
Sample Output:
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b759b381000)
ldd is used to see if libwrap.so is a dependency or not. An alternative to TCP Wrapper support is packet filtering using iptables.

Important Files

  • tcpd - access control facility for internet services.
  • /etc/hosts.allow - This file describes the names of the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
  • /etc/hosts.deny - This file describes the names of the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
  • If the same client / user / ip is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied.
  • tcpdchk and tcpdmatch - test programs for tcpd

Syntax (format) Of Host Access Control Files

Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : shell_command ]
Where,
  • daemon_list - a list of one or more daemon process names.
  • client_list - a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.

WildCards

The access control language supports explicit wildcards (quoting from the man page):
ALL       The universal wildcard, always matches.
LOCAL     Matches any host whose name does not contain a dot character.
UNKNOWN   Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN     Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID  Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.

TCPD Configuration Examples

Set the default policy to deny access, so that only explicitly authorized hosts are permitted. Update /etc/hosts.deny as follows:
# The default policy (no access) is implemented with a trivial deny file
ALL: ALL
 
The above denies all services to all hosts, unless they are permitted access by entries in the allow file. For example, allow access as follows via /etc/hosts.allow:
 
  ALL: LOCAL @devels
  ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
 
Log and deny access (booby traps) - we do not allow connections from crackers.com:
 
ALL : .crackers.com \
    : spawn (/bin/echo %a from %h attempted to access %d >> \
      /var/log/connections.log) \
    : deny
 

A Typical UNIX Example

Allow access to various services from inside the LAN only via /etc/hosts.allow:
popd : 192.168.1.200 192.168.1.104
imapd : 192.168.1.0/255.255.255.0
sendmail : 192.168.1.0/255.255.255.0
sshd : 192.168.1.2 172.16.23.12
Deny everything via /etc/hosts.deny:
ALL : ALL

Reject All Connections

Restrict all connections to non-public services to localhost only. Suppose sshd and ftpd are the names of the services which must be reachable remotely. Edit /etc/hosts.allow and add the following lines:
sshd, ftpd : ALL
ALL: localhost
Save and close the file. Edit /etc/hosts.deny. Add the following line:
ALL: ALL
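The rule syntax, the wildcards and the hosts.allow / hosts.deny examples above can be exercised offline: this added Python example (not tcpd's own code, and not from the original post) implements the hosts_access(5) decision order over constructed tables modelled on those examples, including EXCEPT, net/mask and the deny option. It assumes the client's reverse-lookup result is passed in as a name (empty when the lookup failed) and does not model @netgroups or PARANOID.

```python
import ipaddress
# Added example (not from the original post): evaluate a (daemon, client) pair
# in hosts_access(5) order: first match in hosts.allow grants, else first match
# in hosts.deny denies, else access is granted. Supports ALL/LOCAL/KNOWN/UNKNOWN,
# .domain suffixes, net. prefixes, net/mask, EXCEPT and allow/deny options.
def _lines(text):  # join backslash-continued lines; skip blanks and comments
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(buf)
        buf = ""
    return out

def _client_matches(tok, name, addr):
    known = name != ""  # an empty name models a failed reverse lookup
    if tok == "ALL":
        return True
    if tok in ("LOCAL", "KNOWN", "UNKNOWN"):
        return {"LOCAL": known and "." not in name, "KNOWN": known, "UNKNOWN": not known}[tok]
    if tok.startswith("."):  # domain suffix such as .nixcraft.net.in
        return known and name.lower().endswith(tok.lower())
    if tok.endswith("."):    # address prefix such as 192.168.
        return addr.startswith(tok)
    if "/" in tok:           # net/mask such as 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok == addr or (known and tok.lower() == name.lower())

def _list_matches(spec, match_one):
    """'a b EXCEPT c' matches when any of a, b matches and c does not."""
    toks = spec.replace(",", " ").split()
    cut = toks.index("EXCEPT") if "EXCEPT" in toks else len(toks)
    return any(map(match_one, toks[:cut])) and not any(map(match_one, toks[cut + 1:]))

def decide(daemon, client_name, client_addr, allow_text, deny_text):
    """Return 'allow' or 'deny' for one request, like tcpdmatch would report."""
    for table, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for line in _lines(table):
            fields = [f.strip() for f in line.split(":")]
            if (_list_matches(fields[0], lambda t: t in ("ALL", daemon)) and
                    _list_matches(fields[1], lambda t: _client_matches(t, client_name, client_addr))):
                opts = fields[2:]  # e.g. ['spawn (...)', 'deny']
                return "deny" if "deny" in opts else "allow" if "allow" in opts else verdict
    return "allow"

# Constructed tables modelled on the post's examples.
HOSTS_ALLOW = """\
ALL : .crackers.com \\
    : spawn (/bin/echo %a from %h attempted to access %d >> \\
      /var/log/connections.log) \\
    : deny
ALL: LOCAL
ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
sshd, ftpd : ALL
imapd : 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"
```

Run decide("popd", "www.nixcraft.net.in", "10.0.0.7", HOSTS_ALLOW, HOSTS_DENY) and the boobytrap host side by side to see the EXCEPT clause in action.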

Default Log Files

TCP Wrappers will do all its logging via syslog according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:
  1. AIX - /var/adm/messages
  2. HP-UX - /usr/spool/mqueue/syslog
  3. Linux - /var/log/messages
  4. FreeBSD / OpenBSD / NetBSD - /var/log/messages
  5. Mac OS X - /var/log/system.log
  6. Solaris - /var/log/syslog
Use the following command to view logs:
# tail -f /path/to/log/file
# grep 'ip' /path/to/log/file
# egrep -i 'ip|hostname' /path/to/log/file

How Do I Predict How TCP Wrappers Would Handle a Specific Request for a Service?

Use the tcpdmatch command. To predict how tcpd would handle an sshd request from the local system:
tcpdmatch sshd localhost
The same request, pretending that hostname lookup failed:
tcpdmatch sshd 192.168.1.5
To predict what tcpd would do when the client name does not match the client address:
tcpdmatch sshd paranoid
Replace sshd with in.telnetd, ftpd and so on. You can use any daemon name specified in the inetd.conf or xinetd.conf file.

How Do I Examine My TCP Wrapper Config File?

Use the tcpdchk command to examine your TCP Wrapper configuration; it reports all potential and real problems it can find.
tcpdchk
tcpdchk -v

Tuesday, April 3, 2012

Check the System Health on Linux

How To Get System Info In Linux


Here's a list of commands, tips and info that I've compiled from several different sources. I use this as a quick reference when I need to find info about my computer or my operating system.

General System Info

Note: Most hardware info commands should be run as root. Some even show more info when run as root.
Run qtparted or GParted for hard drive and partition info.
Also, see KDiskFree. And fdisk -l for info on all partitions.
hardinfo - good report to run; also, check the Details tab.
Ko's Method For Getting A Hardware Report:
This report runs a series of reports, some of which are listed individually further on in this document.
Install the installation-report package through Synaptic.
Then run in a maximized konsole:
report-hw
or
report-hw > hwreport (Sends the output to a textfile called hwreport in your home folder)
sysinfo a nice graphical display, run it from a terminal.
hal-device-manager
kde-hal-device-manager
These packages can be installed from Synaptic. Use kde-hal-device-manager by clicking KMenu > System > Device Manager.
dmidecode -t memory (as root) The dmidecode tool dumps your system's DMI (Desktop Management Interface) table contents in a human-readable format. This table contains information about the system's hardware components as well as BIOS revisions. dmidecode output not only describes the system's current configuration, but also reports the BIOS limitations on supported CPU speed, maximum memory allowed and more.
dmidecode | less (as root) BIOS info and system info (space to page down, q to quit)
uname -a (info on your server)
uname -m machine number (i.e. - i686)
uname -r kernel version
lshw (as root) - list hardware; might want to run lshw | less (space to page-down, q to quit)
lshw-gtk (as root) - download this from Synaptic; it can be started from the terminal; click on any item for info; double click on the items in bold to drill down; excellent front-end for lshw.
lsb_release -a (release info) (don't forget the underscore) (or see /etc/lsb-release)
In Mepis Linux 6.5, this command returns:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 6.06.1 LTS
Release: 6.06
Codename: dapper

In Mepis 6.5, one solution for finding the version that you're running is to look at the login screen.
lspci (as root) (controllers, etc.) (VERY good report; -v is verbose, -vv is very verbose)
lspci -tv (as root) shows tree
lsusb, lsusb -tv - list usb devices
lsmod (as root, shows kernel modules currently loaded. Also try lsmod | less)
/proc - there's important info located in this directory! cd /proc, then ls; use cat to read the files in /proc such as cpuinfo, devices, filesystems, meminfo, partitions, swaps, uptime, version, etc.; also, you can cd into the subdirectories in /proc, for example cd driver.
Examples:
cat /proc/cpuinfo (or cat cpuinfo from inside /proc)
cat /proc/version (or cat version from inside /proc) - version info
cat /proc/swaps (or cat swaps from inside /proc) will show info on each swap partition.
top - display Linux tasks, real-time; system summary info and a list of tasks currently being managed by the kernel - includes a live report on swap being used; type Shift-f to get sort options while running (default sort is k - CPU usage)
htop - even better than top; interactive process viewer can be used to kill processes.
ctrl-esc (from anywhere in KDE) - brings up the ProcessTable
procinfo – procinfo is a small program that gathers some system information from diverse files under /proc and prints it to the screen. It duplicates some of the functionality of free(1) and uptime(1). This package also includes lsdev for displaying information about installed hardware and socklist for displaying a list of open sockets.
Other Ways To List Processes:
ps aux
ps -e
swapon -s shows swap partitions and info
swapon -a makes all swap partitions available as indicated in /etc/fstab.
fdisk -l gives all partition info on hard disk(s).
/etc/fstab (the fstab file contains file system configuration information)
free (memory usage, in kilobytes)
free -m (memory usage, in MB).
ksysguard application and ksysguard tray applet both show memory usage
df -h (disk info about all mounted file systems, human-readable)
df -hT (disk info about all mounted file systems, human-readable, showing file system type)
du / -bh | more - detailed disk usage for each subdirectory starting at root, human-readable; use space to page down, q to quit.
du -s /var/log/* - displays space usage of all the files in /var/log
hdparm -t /dev/hda (as root) - display disk performance of hda
This shows what the cpu identifies itself as:
arch (but it could be wrong, see command below)
rpm --showrc| grep " arch" (if rpm is installed)
ifconfig -a – displays IP address and other info
Time Info Commands:
date
uptime

Package Info

apt-show-versions > InstalledPkgs (as root) - outputs the text file InstalledPkgs to your home directory. This shows all packages on your system. This list won't be alphabetized. You can copy and paste it into a spreadsheet and then sort it. You can download apt-show-versions with Synaptic. See man apt-show-versions for more info. Another option is to look at the installed packages in Synaptic.
ls /var/cache/apt/archives > AddedPkgs outputs the text file AddedPkgs to your home directory. This shows all of the packages that you've added to your system (unless you've deleted this info, or unless Synaptic has been set to delete it!). There's also a "partial" directory, so use
ls /var/cache/apt/archives/partial > PartialPkgs to output a text file called PartialPkgs.
To get a package list sorted by size:
dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -n

Here's a section that I tacked on, just so I'd have a quick reference to some helpful bash commands.

Bash Info

echo $PATH show the content of the environmental variable named PATH
echo $? shows the exit code of the last command
help shows a list of shell builtin commands, and help name shows help on the command name; also, see the section on Shell Builtin Commands in man bash
whereis locates the binary, source, and manual page files for a command.
which returns the pathnames of the files which would be executed in the current environment, had its arguments been given as commands in a strictly POSIX-conformant shell. It does this by searching the PATH for executable files matching the names of the arguments. Note: In Mepis Linux, which is an alias for type -path. Although that command is not explicitly defined, try the command help type for more info on the type command. which=type -path may be the same as type -P. In practice, the which command and the type -path command may be equivalent. To see the true which command in action in Mepis Linux, type "which" (use quotes) (or unalias which to permanently remove the alias).
type (name) indicates how it would be interpreted if used as a command name
alias shows a list of all aliases
unalias will remove an alias permanently
"command" quoting the command will run the "true" command (if it exists) instead of the alias
file guesses what type of file
file file
file -i file for more info
file -iz file for compressed files
file -s file for block or special character files
tree – list directory structure and content in a tree-like format; by default lists the contents of the directory that you're in.
cal - current month
cal -3 - last month, current month, and next month
cal [month] year - specify month, or month and year [examples: cal august 2007; cal 2006]

Monday, April 2, 2012

Create Multiple Users In Linux

Linux: How To Create Multiple User Accounts in Batch



The useradd command is used to create a new user or update default new user information from the command line. However, sometimes you need to create a large number of users or import usernames from a text file. You can use the newusers command, which updates and creates users in batch.

This is useful at universities or on large corporate Linux networks. Adding users in batch saves time.

Task: Set Password

Type the following command to change or set user password:
echo "username:password" | newusers
For example, change the password for the Vishvendra user:
echo "Vishvendra:Password" | newusers

Task: Update and create new users in batch

The newusers command reads a file of user name and clear-text password pairs and uses this information to update a group of existing users or to create new users. Each line is in the same format as the standard password file.
This command is intended to be used in a large system environment where many accounts are updated at a single time (batch mode). Since usernames and passwords are stored in clear text, make sure only root can read or write the file. Use the chmod command:
# touch /root/batch-user-add.txt
# chmod 0600 /root/batch-user-add.txt

Create a user list as follows. Open file:
# vi /root/batch-user-add.txt
Append username and password:
user1:password:1001:513:Student Account:/home/user1:/bin/bash
user2:password:1002:513:Sales user:/home/user2:/bin/bash
user100:password:1100:513:Sales user:/home/user100:/bin/bash
tom:password:1110:501:Guest Account:/home/guest:/bin/menu
jerry:password:1120:501:Guest Account:/home/guest:/bin/menu

Now, create users in batch:
# newusers /root/batch-user-add.txt
Verify that your /etc/group, /etc/passwd and /etc/shadow files are updated:
less /etc/group
less /etc/passwd
less /etc/shadow
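Before handing the file to newusers, a few offline checks catch the usual mistakes: this added Python example (not part of the original post) validates the seven-field format, flags duplicate usernames and UIDs, warns about shared home directories (the tom and jerry guest entries above both use /home/guest) and confirms the 0600 file mode. BATCH is a constructed copy of the sample list above; check_batch, mode_is_private and file_is_private are names chosen here.

```python
import os
import re
import stat

# Added example (not from the original post): sanity-check a newusers(8)
# batch file before running it. BATCH is a constructed copy of the sample
# user list; in practice read /root/batch-user-add.txt instead.
BATCH = """\
user1:password:1001:513:Student Account:/home/user1:/bin/bash
user2:password:1002:513:Sales user:/home/user2:/bin/bash
user100:password:1100:513:Sales user:/home/user100:/bin/bash
tom:password:1110:501:Guest Account:/home/guest:/bin/menu
jerry:password:1120:501:Guest Account:/home/guest:/bin/menu
"""

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # conventional login-name shape

def check_batch(text, existing_names=(), existing_uids=()):
    """Return (line_no, severity, message) findings; an empty list means clean.
    existing_names / existing_uids let you pass what /etc/passwd already holds."""
    findings, names, uids, homes = [], set(existing_names), set(map(int, existing_uids)), {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:  # pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell
            findings.append((n, "error", f"expected 7 fields, got {len(fields)}"))
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        if not NAME_RE.match(name):
            findings.append((n, "error", f"invalid username {name!r}"))
        if name in names:
            findings.append((n, "error", f"user {name} already exists"))
        names.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((n, "error", "uid and gid must be numeric"))
        elif int(uid) in uids:
            findings.append((n, "error", f"uid {uid} already in use"))
        else:
            uids.add(int(uid))
        if home in homes:  # two accounts sharing a home directory is usually a mistake
            findings.append((n, "warning", f"home {home} also used by {homes[home]}"))
        homes.setdefault(home, name)
        if not shell.startswith("/"):
            findings.append((n, "error", f"shell {shell!r} is not an absolute path"))
    return findings

def mode_is_private(mode):
    """True when no group or other bits are set (e.g. 0600), as the post requires."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

def file_is_private(path):
    """Apply mode_is_private to a real file such as /root/batch-user-add.txt."""
    return mode_is_private(os.stat(path).st_mode)

if __name__ == "__main__":
    for line_no, severity, message in check_batch(BATCH):
        print(f"line {line_no}: {severity}: {message}")
```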