How to install and configure sendmail?

Ans :

1. Install :

#yum install sendmail*
#yum install m4*

2.
vi /etc/mail/sendmail.mc

Make commented like to accept all network :

----
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
----

save this file.

3. Execute following command :

#m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

4. Dont forget to add the following line to your /etc/hosts.allow file:

----
sendmail: ALL
----

5. Set DAEMON to yes in /etc/sysconfig/sendmail

----
DAEMON=yes
QUEUE=1h
----

5. Do following :

#chkconfig sendmain on
#service sendmail start

Testing :

1. Check whether port listens :

#netstat -tulpn | grep 25
#telnet localhost 25
#telnet IP 25

2. Above are fine then send a mail :

#echo test | mail -s test-subject -v


Note : sendmail configurations files are inside /etc/mail/. Log is inside /var/log/maillog.

Read More

What is arp?

What is arp?

Ans : This is a command to manipulate the system ARP cache. Arp manipulates the kernel’s ARP cache in various ways. The primary options are clearing an address mapping entry and manually setting up one. For debugging purposes, the arp program also allows a complete dump of the ARP cache.
Note : This program is obsolete. For replacement check ip neighbor

Add entry of another machine's IP and MAC address :

#arp -s
arp -i eth0 -s 10.65.211.133 00:16:3e:74:8d:85 pub

View the arp cache :

#arp -n

#arp -v

Delete arp cache entry :

#arp -d

Cache stored in /proc/net/arp file.

Note : Each complete entry in the ARP cache will be marked with the C flag. Permanent entries are marked with M and published entries have the P flag.
files :

/proc/net/arp,
/etc/networks
/etc/hosts
/etc/ethers

How to atomatic update arp cache usign arping ?

arping - we can use this command to send ARP REQUEST to a neighbour host.

#arping -I
arping -c 1 -I eth0 10.220.227.52


How arp works?

Ans : In an Ethernet environment, ARP is used to map a MAC address to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface where the IP address is configured. Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host looks in its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.

arping sends request to nearest host or router and get's their MAC and IP and keeps in cache. Then router sends to its nearest subnet and find out desried IP and MAC. If it gets then it sends to first host. Now first host keeps these in its cache. IP vs MAC mapping.

Set timeout value of arp ?

#arp timeout 8000

How to clear arp?
#clear arp

Why MAC address validation ?

MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packet's source IP address with its MAC address. If the MAC address and IP address match, the packet is forwarded; if it does not match, the packet is dropped.


How to validate arp ?

#arp validate

Read More

What is the magic SysRq key?

What is the magic SysRq key?

It is a 'magical' key combo you can hit which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up.

How do I enable the magic SysRq key?

1. CONFIG_MAGIC_SYSRQ=yes in kernel config file(which has inside /boot)

2. in /proc/sys/kernel/sysrq: echo value > /proc/sys/kernel/sysrq

value =
0 - disable sysrq completely
1 - enable all functions of sysrq
2 - enable control of console logging level
4 - enable control of keyboard (SAK, unraw)
8 - enable debugging dumps of processes etc.
16 - enable sync command
32 - enable remount read-only
64 - enable signalling of processes (term, kill, oom-kill)
128 - allow reboot/poweroff
256 - allow nicing of all RT tasks

3. How do I use the magic SysRq key?

On x86 - You press the key combo 'ALT-SysRq-'. Note - Some
keyboards may not have a key labeled 'SysRq'. The 'SysRq' key is
also known as the 'Print Screen' key. Also some keyboards cannot
handle so many keys being pressed at the same time, so you might
have better luck with "press Alt", "press SysRq", "release SysRq",
"press ", release everything.

From command prompt :

echo command > /proc/sysrq-trigger

command =
'b' - Will immediately reboot the system without syncing or unmounting
your disks.

'c' - Will perform a system crash by a NULL pointer dereference.
A crashdump will be taken if configured.

'd' - Shows all locks that are held.

'e' - Send a SIGTERM to all processes, except for init.

'f' - Will call oom_kill to kill a memory hog process.

'g' - Used by kgdb (kernel debugger)

'h' - Will display help (actually any other key than those listed
here will display help. but 'h' is easy to remember :-)

'i' - Send a SIGKILL to all processes, except for init.

'j' - Forcibly "Just thaw it" - filesystems frozen by the FIFREEZE ioctl.

'k' - Secure Access Key (SAK) Kills all programs on the current virtual
console. NOTE: See important comments below in SAK section.

'l' - Shows a stack backtrace for all active CPUs.

'm' - Will dump current memory info to your console.

'n' - Used to make RT tasks nice-able

'o' - Will shut your system off (if configured and supported).

'p' - Will dump the current registers and flags to your console.

'q' - Will dump per CPU lists of all armed hrtimers (but NOT regular
timer_list timers) and detailed information about all
clockevent devices.

'r' - Turns off keyboard raw mode and sets it to XLATE.

's' - Will attempt to sync all mounted filesystems.

't' - Will dump a list of current tasks and their information to your
console.

'u' - Will attempt to remount all mounted filesystems read-only.

'v' - Forcefully restores framebuffer console
'v' - Causes ETM buffer dump [ARM-specific]

'w' - Dumps tasks that are in uninterruptable (blocked) state.

'x' - Used by xmon interface on ppc/powerpc platforms.

'y' - Show global CPU Registers [SPARC-64 specific]

'z' - Dump the ftrace buffer

'0'-'9' - Sets the console log level, controlling which kernel messages
will be printed to your console. ('0', for example would make
it so that only emergency messages like PANICs or OOPSes would
make it to your console.)

Read More

ACL and MASK in linux

When we set default ACL permission along with masking then there should not be any effect of masking bit. But apart from above all, mode of file and directory gets preference at kernel level. While we create any file, kernel passes mode 0666 to its *open* system call and it passes mode 0777 to *mkdir* system call during creating directory. Then based on the value of umask it sets permission of the file and directory. We know effective permission is mapped to masking permission while we pass extended attributes to setfacl. So, directory can inherit permission from parent but file can't do that. Even file won't get any execution permission. Whereas sub-directory will get full permission. If kernel passes mode 777 or 766 or 776 for file then there should have chance where file will get full execution permission(u+g+o), user execution(only u) and user plus group execution(u+g) permission respectively. I am going to describe these along with some examples here :

1. Case :1

Suppose we have a paranoid user who doesn't want anybody else to read his files, ever. He has set his umask to 077. Here's what we see in that case:

------
[root@kmaiti log]# umask 077; strace -eopen touch testfile 2>&1 | tail -1; ls -l testfile
open("testfile", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
-rw-------. 1 root root 0 Sep 4 15:25 testfile
[root@kmaiti log]
------

Here *touch* doesn't care of what the umask is. It just calls open with the desired permissions of 0666, and the kernel applies the umask. Our umask in this case is 0077, or ---rwxrwx, so those are the permissions we cross out. All that's left are the rw- for the owner; the group and other permissions are all taken away, and we have rw------- (0600).

2. Case :2

The same concepts apply to directories. The only real difference is that directories are created with execute permissions by default (0777 instead of 0666). Let's take a look at this:

------
[root@kmaiti log]# umask 022; strace -emkdir mkdir testdir; ls -ld testdir
mkdir("testdir", 0777) = 0
drwxr-xr-x. 2 root root 4096 Sep 4 15:26 testdir
[root@kmaiti log]#
------

There are a few new things in this example, so let's take them one at a time. The first is that we used the mkdir command, which then used the mkdir system call to the kernel. So we told strace to show us just that system call. Next, we see that mkdir (the command) told the kernel to mkdir (the system call) this directory with mode 0777 (which would be rwxrwxrwx). But the kernel took away the umask's bits, so we ended up with rwxr-xr-x (0755).

3. Case :3 (Applying default ACL)

Let's apply default ACL to check how file and directory get their permission.

-------
[root@kmaiti log]# strace -s 128 -fvTttto luv setfacl -m d:u:tgfurnish:rwx,u:tgfurnish:rwx hello
[root@kmaiti log]# getfacl --all-effective hello
# file: hello
# owner: root
# group: root
user::rwx
user:tgfurnish:rwx #effective:rwx
group::r-x #effective:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:tgfurnish:rwx #effective:rwx
default:group::r-x #effective:r-x
default:mask::rwx
default:other::r-x
-------

Let's create a file inside hello directory :

-------
[root@kmaiti log]# strace -s 128 -fvTttto luvly touch hello/hii
[root@kmaiti log]# less luvly
[root@kmaiti log]# getfacl --all-effective hello/hii
# file: hello/hii
# owner: root
# group: root
user::rw-
user:tgfurnish:rwx #effective:rw-
group::r-x #effective:r--
mask::rw-
other::r--
-------

[root@kmaiti log]# less luvly |grep open |tail -1
8721 1315131118.682518 open("hello/hii", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3 <0.000184>
[root@kmaiti log]#
root@kmaiti log]# umask
0022
[root@kmaiti log]#
-------

Now here we also see kernel passes "0666" mode to touch program. We were expecting that "mask" or "effective" permission will be "rwx" but it didn't happen where directory got similar permission. Note that mask won't be effective if we set default value. I have stated it earlier. That's why I didn't set masking permission though I passed extended attributes to setfacl. So, let's make a summary :

1. File won't get execution permission(masking or effective) whatever we use (ie acl or umask or mask at ACL)
2. Directory can get execution permission(This depends upon how we are setting masking field)
3. If we want to set execution permission to file which is under ACL permission then we have to manually set this permission using "chmod" command. We can implement this in shell script and run it as a cron job.

Read More

How does linux system set permission of files and directories while it uses default mask?

Ans : Kernel system call(open and mkdir) passes mode/permission 0666 to file and 0777 to directory during creation of file or directory. These are default value. As per value of umask it calculates permission by doing NOT AND logic operation. I shall describe how permissions are set. As per this mode, file won't get execution any time but directory will get.

Bash and console program uses 666 for file and 777 for directory. To confirm this I have analysed one umask value and calculated exact permission of file and directory.

Lets say we set umask 0007 at console.

Analysis for FILE : Here umask=0007 (set umask like :# umask 007):

Note : "Resultant permissions are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the permissions specified by the program. Bash uses 666 for files, and 777 for directories. Remember that permission to execute a directory means being able to list it."

Example :

666 = 110 110 110 //since console uses 666 for file
007= 000 000 111 //(for NOT AND, bit will be reversed and anded)
AND = 000 000 110 = 006
NOTAND= 110 110 000 = 660=rw-rw----
rwx rwx rwx

Analysis For DIR : Here umask=0007, bash,console use 666 for its file, use 777 for directory. So directory will get 770 as calculated it here.

777 = 111 111 111
007 = 000 000 111 (for NOT AND bit will be reversed and anded)
AND = 000 000 000 = 000
NOT_AND 111 111 000 = 770 = drwxrwx---
rwx rwx rwx

Testing :

[root@vm46 log]# umask 0007
[root@vm46 log]# mkdir test123
[root@vm46 log]# touch hello
[root@vm46 log]# ls -ld test123
drwxrwx--- 2 root root 4096 Aug 31 20:31 test123
[root@vm46 log]# ls -al hello
-rw-rw---- 1 root root 0 Aug 31 20:31 hello
[root@vm46 log]# umask
0007
[root@vm46 log]#

So, example shows directory got drwxrwx--- and file got -rw-rw---- . This confirms above logic analysis.

Read More

What is "WCHAN" attribute at "ps -alwww" on linux ?

WCHAN : Name of the kernel function in which the process is sleeping, a "-" if the process is running, or a "*" if the process is multi-threaded and ps is not displaying threads.

Name of kernel functions are :


Proccess Kernel States (wchan=wait channel in ps -l ) :

biord: block on io read.
futex: [Linux emulation] process is waiting until a futex is released (see fast userspace mutex)
getblk: get block (seems to be generated often by tar)
nanoslp: process is sleeping for some number of nanoseconds (see nanosleep(2))
pause: process is waiting for a signal (see pause(3))
pcmwrv: waiting for audio samples to be played
piperd: read(2) from a pipe
pipewr: write(2) to a pipe
physrd: reading from a HDD
runnable: process is ready to run on the CPU
running: currently on CPU
sbwait: wait for socket to return data (see uipc_sockbuf.c)
swread: read in from swap
stopev: process is stopped because of a debugging event (see sys_process.c; relates to ptrace(2))
tttout: write(2) to a tty
ttyin: read(2) from a tty
ucond: a proccess is blocked until a pthreads mutex is released
vnread: part of the pager (see vnode_pager.c)
wait: wait(2) for a child process
wdrain: write drain. On a device mounted with the async option (or soft-updates) wait until all the previous writes have been completed. (see vfs_bio.c)
zombie: a process died but its parent did not wait(2) for it.

There are other syscalls that are similar to the ones mentioned above (such as readv(2) instead of read(2), and waitpid(2) instead of wait(2)) which will end up with the same wchans.

Meaning of ps STATUS :

PROCESS STATE CODES
Here are the different values that the s, stat and state output specifiers (header "STAT" or "S") will display to
describe the state of a process.
D Uninterruptible sleep (usually IO)
R Running or runnable (on run queue)
S Interruptible sleep (waiting for an event to complete)
T Stopped, either by a job control signal or because it is being traced.
W paging (not valid since the 2.6.xx kernel)
X dead (should never be seen)
Z Defunct ("zombie") process, terminated but not reaped by its parent.

For BSD formats and when the stat keyword is used, additional characters may be displayed:
< high-priority (not nice to other users)
N low-priority (nice to other users)
L has pages locked into memory (for real-time and custom IO)
s is a session leader
l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
+ is in the foreground process group

Read More

umask concept

umask concept :

When user create a file or directory under Linux or UNIX, she create it with a default set of permissions. In most case the system defaults may be open or relaxed for file sharing purpose. For example, if a text file has 666 permissions, it grants read and write permission to everyone. Similarly a directory with 777 permissions, grants read, write, and execute permission to everyone.

Default umask Value

The user file-creation mode mask (umask) is use to determine the file permission for newly created files. It can be used to control the default file permission for new files. It is a four-digit octal number. A umask can be set or expressed using:

* Symbolic values
* Octal values

Procedure To Setup Default umask :

# vi /etc/profile or $ vi ~/.bashrc

put : umask 022

The default umask 002 used for normal user. With this mask default directory permissions are 775 and default file permissions are 664.
The default umask for the root user is 022 result into default directory permissions are 755 and default file permissions are 644.

Symbolic umasks :

A umask set to u=rwx,g=rwx,o= will result in new files having the modes -rw-rw----, and new directories having the modes drwxrwx---, if the creating programs specify the typical modes.

Symbolic umask example

In bash:

$ umask u=rwx,g=rwx,o=
$ umask
0007
$ mkdir fu
$ touch bar
$ ls -l
drwxrwx--- 2 dave dave 512 Sep 1 20:59 fu
-rw-rw---- 1 dave dave 0 Sep 1 20:59 bar

Octal umasks :

Resultant permissions are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the permissions specified by the program. Bash uses 666 for files, and 777 for directories. Remember that permission to execute a directory means being able to list it.

The octal notation for the permissions masked out are:

0 – none (i.e. all permissions specified are preserved)
1 – execute only
2 – write only
3 – write and execute
4 – read only
5 – read and execute
6 – read and write
7 – read, write and execute (i.e. no permissions are preserved)

A common umask value is 022 masking out the write permission for the group and others, which ensures that new files are only writable for the owner (i.e. the user who created them). In bash:

$ umask 0022
$ mkdir xdir
$ touch xfile
$ ls -l
drwxr-xr-x 2 dave dave 512 Aug 18 20:59 xdir
-rw-r--r-- 1 dave dave 0 Aug 18 20:59 xfile

Using the above mask, octal 0 doesn't prevent any user bits being set, octal 2 prevents write and execute group bits being set, and second octal 2 prevents the write and execute bit being set for others.

Another common value is 002, which leaves the write permission for the file's group enabled. This can be used for files in shared workspaces, where several users work with the same files.

Calculating resultant permissions example :
With the umask value of 0278 (intended to prohibit non group members from accessing files and directories) any new file will be created with the permissions 640 since:

6668 AND NOT(0278) = 6408 symbolically rw-r-----

and any new directory will have permissions 750 since:

7778 AND NOT(0278) = 7508 symbolically: rwxr-x---

Early UNIX systems were often used by relatively small groups of close colleagues who found it convenient to have most files read/write by everyone. PWB/UNIX evolved in a computer center environment to serve hundreds of users from different organizations. Its developers had combed through the commands to make key file creation modes more restrictive, especially for cases exposing security holes, but this was not a general solution. The addition of umask (around 1978) allowed sites, groups, and individuals to chose their own defaults. Small close groups might choose 000, computer centers 022, security-conscious groups 077 or 066 for access to sub-directories under private directories.
[edit]

---------------------

But, How Do I Calculate umasks?

The octal umasks are calculated via the bitwise AND of the unary complement of the argument using bitwise NOT. The octal notations are as follows:

* Octal value : Permission
* 0 : read, write and execute
* 1 : read and write
* 2 : read and execute
* 3 : read only
* 4 : write and execute
* 5 : write only
* 6 : execute only
* 7 : no permissions

Now, you can use above table to calculate file permission. For example, if umask is set to 077, the permission can be calculated as follows:

Bit Targeted at File permission
0 Owner read, write and execute
7 Group No permissions
7 Others No permissions

To set the umask 077 type the following command at shell prompt:
$ umask 077
$ mkdir dir1
$ touch file
$ ls -ld dir1 file

Sample outputs:

drwx------ 2 vivek vivek 4096 2011-03-04 02:05 dir1
-rw------- 1 vivek vivek 0 2011-03-04 02:05 file
------------------

Effective permission :

Octal numbers and permissions :

You can use octal number to represent mode/permission:

* r: 4
* w: 2
* x: 1

For example, for file owner you can use octal mode as follows. Read, write and execute (full) permission on a file in octal is
0+r+w+x = 0+4+2+1 = 7

Only Read and write permission on a file in octal is
0+r+w+x = 0+4+2+0 = 6

Only read and execute permission on a file in octal is
0+r+w+x = 0+4+0+1 = 5

Use above method to calculate permission for group and others. Let us say you wish to give full permission to owner, read & execute permission to group, and read only permission to others, then you need to calculate permission as follows:

User = r+w+x = 0+4+2+1 = 7
Group= r+w+x = 0+4+2+0 = 6
Others = r+w+x = 0+0+0+1 = 1

Effective permission is 761.

===================
Octal masking in more detail :

0022 = 0 0=- - - 2= - w- 2=- w-
rwx rwx rwx
421 421 421
U G O
masking out^^ ie removing that permission.

$ umask 0022
$ mkdir xdir
$ touch xfile
$ ls -l
drwxr-xr-x 2 dave dave 512 Aug 18 20:59 xdir
-rw-r--r-- 1 dave dave 0 Aug 18 20:59 xfile

Symbolic umask example is just like setting default value of dir/files(file shouldn't have x permission) :

$ umask u=rwx,g=rwx,o=
$ umask
0007
$ mkdir fu
$ touch bar
$ ls -l
drwxrwx--- 2 dave dave 512 Sep 1 20:59 fu
-rw-rw---- 1 dave dave 0 Sep 1 20:59 bar

Detailed explanation :

FILE : Here umask=0007 , bash & console use 666 for its file, uses 777 for dir. So file will get 660 as calculated it here.

Note : "Resultant permissions are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the permissions specified by the program. Bash uses 666 for files, and 777 for directories. Remember that permission to execute a directory means being able to list it."

Example :

666 = 110 110 110
007= 000 000 111 (for NOT AND bit will be reverse and anding)
AND: 000 000 110 = 006
NOT_AND:110 110 000 = 660=rw-rw----
rwx rwx rwx

For DIR : Here umask=0007 , bash & console use 666 for its file, uses 777 for dir. So dir will get 770 as calculated it here.

777 = 111 111 111
007 = 000 000 111 (for NOT AND bit will be reverse and anding)
AND = 000 000 000 = 000
NOT_AND 111 111 000 = 770 = drwxrwx---
rwx rwx rwx

Testing :

$ umask u=rwx,g=rwx,o=
$ umask
0007
$ mkdir fu
$ touch bar
$ ls -l
drwxrwx--- 2 dave dave 512 Sep 1 20:59 fu
-rw-rw---- 1 dave dave 0 Sep 1 20:59 bar

Read More