Chapter 10.  System Administration Basics


to support the ISO 9660 filesystem. (They may have no idea what you're talking about, in which case you can give them a copy of this book.)

In the next few chapters, we explore your Linux system from the mechanic's point of view, showing you what's under the hood, as it were, and explain how to take care of it all, including software upgrades, managing users, filesystems, and other resources, performing backups, and handling emergencies.

Once you put the right entries in startup files, your Linux system will, for the most part, run itself. As long as you're happy with the system configuration and the software that's running on it, very little work will be necessary on your part. However, we'd like to encourage Linux users to experiment with their system and customize it to taste. Very little about Linux is carved in stone, and if something doesn't work the way that you'd like it to, you should be able to change that. For instance, in earlier chapters we've shown you how to read blinking green text on a cyan background rather than the traditional white-on-black, if that's the way you prefer it, or to add applets to your desktop panel. But this book also shows you something even more important: after installing a Linux distribution, you usually have lots of services running that you may not need (such as a web server). Any of these services could be a potential security hole, so you might want to fiddle with the startup files to get only the services you absolutely need.

It should be noted that many Linux systems include fancy tools to simplify many system administration tasks. These include YaST2 on SUSE systems, the Mandriva Control Center on Mandriva systems, and a number of utilities on Red Hat systems. These tools can do everything from managing user accounts to creating filesystems to doing your laundry. These utilities can make your life either easier or more difficult, depending on how you look at them. In these chapters, we present the "guts" of system administration, demonstrating the tools that should be available on any Linux system and indeed nearly all Unix systems. These are the core of the system administrator's toolbox: the metaphorical hammer, screwdriver, and socket wrench that you can rely on to get the job done. If you'd rather use the 40-hp circular saw, feel free, but it's always nice to know how to use the hand tools in case the power goes out. Good follow-up books, should you wish to investigate more topics in Unix system administration, include the Unix System Administration Handbook, by Evi Nemeth et al. (Prentice Hall) and Essential System Administration, by Æleen Frisch (O'Reilly).







10.1. Maintaining the System

Being the system administrator for any Unix system requires a certain degree of responsibility and care. This is equally true for Linux, even if you're the only user on your system.

Many of the system administrator's tasks are done by logging into the root account. This account has special properties on Unix systems; specifically, the usual file permissions and other security mechanisms simply don't apply to root. That is, root can access and modify any file on the system, no matter to whom it belongs. Whereas normal users can't damage the system (say, by corrupting filesystems or touching other users' files), root has no such restrictions.

At this point, it should be mentioned that some distributions, such as Ubuntu, disable the root account and require users to use the sudo tool instead. With sudo, you cannot log in as root, but you can execute exactly one command with the rights of root, which amounts to the same thing, except that you have to prefix each command with sudo.

Why does the Unix system have security in the first place? The most obvious reason for this is to allow users to choose how they wish their own files to be accessed. By changing file permission bits (with the chmod command), users can specify that certain files should be readable, writable, or executable only by certain groups of other users, or by no other users at all. Permissions help ensure privacy and integrity of data; you wouldn't want other users to read your personal mailbox, for example, or to edit the source code for an important program behind your back.

The Unix security mechanisms also prevent users from damaging the system. The system restricts access to many of the raw device files (accessed via /dev; more on this in "Device Files" later in this chapter) corresponding to hardware, such as your hard drives. If normal users could read and write directly to the disk-drive device, they could wreak all kinds of havoc, say, completely overwriting the contents of the drive. Instead, the system requires normal users to access the drives via the filesystem, where security is enforced via the file permission bits described previously.

It is important to note that not all kinds of "damage" that can be caused are necessarily malevolent. System security is more a means to protect users from their own natural mistakes and misunderstandings rather than to enforce a police state on the system. And, in fact, on many systems security is rather lax; Unix security is designed to foster the sharing of data between groups of users who may be, say, cooperating on a project. The system allows users to be assigned to groups, and file permissions may be set for an entire group. For instance, one development project might have free read and write permission to a series of files, while at the same time other users are prevented from modifying those files. With your own personal files, you get to decide how public or private the access permissions should be.

The Unix security mechanism also prevents normal users from performing certain actions, such as calling certain system calls within a program. For example, there is a system call that causes the system to halt, called by programs such as shutdown (more on this later in the chapter). If normal users could call this function within their programs, they could accidentally (or purposefully) halt the system at any time.

In many cases, you have to bypass Unix security mechanisms in order to perform system maintenance or upgrades. This is what the root account is for. Because no such restrictions apply to root, it is easy for a knowledgeable system administrator to get work done without worrying about the usual file permissions or other limitations. The usual way to log in as root is with the su command. su allows you to assume the identification of another user. For example:

    su andy

will prompt you for the password for andy, and if it is correct it will set your user ID to that of andy. A superuser often wants to temporarily assume a regular user's identity to correct a problem with that user's files or some similar reason. Without a username argument, su will prompt you for the root password, validating your user ID as root. Once you are finished using the root account, you log out in the usual way and return to your own mortal identity.[*]

[*] Notice that the Unix kernel does not care about the username actually being root: it considers everybody who has the user ID 0 to be the superuser. By default, the username root is the only username mapped to that user ID, but if you feel like it, you can always create a user named thebigboss and map that to user ID 0 as well. The next chapter will show you how to do that.
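Because the kernel looks only at the numeric user ID, an account audit has to look at the ID column rather than the name. The following is an added example, not code from the book: it reports every name mapped to user ID 0 other than root and, generalizing the footnote's point, any user ID shared by several names. The passwd-format sample is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed passwd-format sample (not a real system file). "thebigboss"
# is the footnote's example of a second name mapped to user ID 0.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
thebigboss:x:0:0:Second superuser:/root:/bin/bash
mdw:x:500:100:Regular user:/home/mdw:/bin/bash
andy:x:501:100:Regular user:/home/andy:/bin/bash
backup:x:501:100:Shares the UID of andy:/home/backup:/bin/bash
EOF
}

# Names other than "root" whose numeric user ID (field 3) is 0.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Every user ID claimed by more than one name, as "uid: name1,name2".
# To the kernel, names that share an ID are the same user.
shared_uids() {
    awk -F: 'NF >= 7 {
                 if (n[$3]++) names[$3] = names[$3] "," $1
                 else         names[$3] = $1
             }
             END { for (u in n) if (n[u] > 1) print u ": " names[u] }' | sort -n
}

# Run both checks on the constructed sample.
sample_passwd | extra_superusers
sample_passwd | shared_uids
```

On a live system the same functions read the real file, for example `extra_superusers < /etc/passwd`.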



Why not simply log in as root from the usual login prompt? As we'll see, this is desirable in some instances, but most of the time it's best to use su after logging in as yourself. On a system with many users, use of su records a message, such as:

    Nov 1 19:28:50 loomer su: mdw on /dev/ttyp1

in the system logs, such as /var/log/messages (we talk more about these files later). This message indicates that the user mdw successfully issued an su command, in this case for root. If you were to log in directly as root, no such message would appear in the logs; you wouldn't be able to tell which user was mucking about with the root account. This is important if multiple administrators are on the machine: it is often desirable to find out who used su and when.
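To answer "who used su and when" from such a log, the su lines can be filtered and summarized per user. The following is an added example, not code from the book; it assumes the exact line format quoted above (other su implementations log in other formats, so the field tests would need adapting), and the sample log and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of the log line quoted above
# (users, terminals and the non-su line are made up; not real log data).
sample_log() {
cat <<'EOF'
Nov 1 19:28:50 loomer su: mdw on /dev/ttyp1
Nov 1 19:31:02 loomer kernel: eth0: link up
Nov 2 08:14:11 loomer su: andy on /dev/ttyp3
Nov 2 23:55:40 loomer su: mdw on /dev/ttyp1
EOF
}

# One line per su event: "month day time user terminal".
# Field 5 is the program tag, field 6 the invoking user, field 8 the tty.
# Lines written by other programs are skipped.
su_events() {
    awk '$5 == "su:" && $7 == "on" { print $1, $2, $3, $6, $8 }'
}

# Per-user totals: "user count last-seen", sorted by user name.
su_summary() {
    su_events |
    awk '{ count[$4]++; last[$4] = $1 " " $2 " " $3 }
         END { for (u in count) print u, count[u], last[u] }' | sort
}

# Summarize the constructed sample.
sample_log | su_summary
```

Against a real log the input would be the log file itself, for example `su_summary < /var/log/messages`.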

There is an additional little twist to the su command. Just running it as described previously will only change your user ID; it will not give you the settings made for this ID. You might have special configuration files for each user, but these are not executed when using su this way. To emulate a real login with all the configuration files being executed, you need to add a -, like this:

    su - andy

or:

    su -

for becoming root and executing root's configuration files.

The root account can be considered a magic wand: both a useful and potentially dangerous tool. Fumbling the magic words you invoke while holding this wand can wreak unspeakable damage on your system. For example, the simple eight-character sequence rm -rf / will delete every file on your system, if executed as root, and if you're not paying attention. Does this problem seem far-fetched? Not at all. You might be trying to delete an old directory, such as /usr/src/oldp, and accidentally slip in a space after the first slash, producing the following:

    rm -rf / usr/src/oldp

Also problematic are directory names with spaces in them. Let's say you have directories named Dir\ 1 and Dir\ 2, where the backslash indicates that Dir\ 1 is really one filename containing a space character. Now you want to delete both directories, but by mistake add an extra space again:

    rm -rf Dir\  *

Now there are two spaces between the backslash and the asterisk. The first one is protected by the backslash, but not the second one, so it separates the arguments and makes the asterisk a new argument. Oops, your current directory and everything below it are gone.
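A safe way to see what the shell would hand to rm in each of these cases is to substitute a command that only prints its arguments. The following is an added example, not code from the book: show_args stands in for rm, the scratch directory and its file names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Stand-in for rm: prints each argument it would receive, one per line.
show_args() { printf '[%s]\n' "$@"; }

# Build a scratch directory with constructed names; prints its path.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Dir 1" "$d/Dir 2" "$d/src"
    : > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Intended command: one escaped space, so the pattern is "Dir *".
intended() { ( cd "$1" && show_args -rf Dir\ * ); }

# Mistyped command: the second space is unescaped, so the shell passes
# the literal name "Dir " and a bare "*" that matches everything.
mistyped() { ( cd "$1" && show_args -rf Dir\  * ); }

# Stray space after the first slash: "/" becomes an argument of its own.
stray_slash() { show_args -rf / usr/src/oldp; }

# Preview all three argument lists; nothing is deleted by show_args.
box=$(make_sandbox)
echo "intended:";    intended "$box"
echo "mistyped:";    mistyped "$box"
echo "stray slash:"; stray_slash
rm -rf "$box"        # remove only the scratch directory created above
```

The mistyped form lists every entry in the directory, and the stray-slash form lists `/` by itself, which is exactly what rm would have been asked to remove.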

Another common mistake is to confuse the arguments for commands such as dd, a command often used to copy large chunks of data from one place to another. For instance, in order to save the first 1024 bytes of data from the device /dev/hda (which contains the boot record and partition table for that drive), one might use the command:

    dd if=/dev/hda of=/tmp/stuff bs=1k count=1

However, if we reverse if and of in this command, something quite different happens: the contents of /tmp/stuff are written to the top of /dev/hda. More likely than not, you've just succeeded in hosing your partition table and possibly a filesystem superblock. Welcome to the wonderful world of system administration!

The point here is that you should sit on your hands before executing any command as root. Stare at the command for a minute before pressing Enter and make sure it makes sense. If you're not sure of the arguments and syntax of the command, quickly check the manual pages or try the command in a safe environment before firing it off. Otherwise you'll learn these lessons the hard way; mistakes made as root can be disastrous.

A nice tip is to use the alias command to make some of the commands less dangerous for root. For example, you could use:

    alias rm="rm -i"

The -i option stands for interactively and means that the rm command will ask you before deleting each file. Of course, this does not protect you against the horrible mistake shown earlier; the -f option (which stands for force) simply overrides the -i because it comes later.

In many cases, the prompt for the root account differs from that for normal users. Classically, the root prompt contains a hash mark (#), whereas normal user prompts contain $ or %. (Of course, use of this convention is up to you; it is utilized on many Unix systems, however.) Although the prompt may remind you that you are wielding the root magic wand, it is not uncommon for users to forget this or accidentally enter a command in the wrong window or virtual console.

Like any powerful tool, the root account can be abused. It is important, as the system administrator, to protect the root password, and if you give it out at all, to give it only to those users who you trust (or who can be held responsible for their actions on the system). If you're the only user of your Linux system, this certainly doesn't apply, unless, of course, your system is connected to a network or allows dial-in login access.

The primary benefit of not sharing the root account with other users is not so much that the potential for abuse is diminished, although this is certainly the case. Even more important is that if you're the one person with the ability to use the root account, you have complete knowledge of how the system is configured. If anyone were able to, say, modify important system files (as we'll talk about in this chapter), the system configuration could be changed behind your back, and your assumptions about how things work would be incorrect. Having one system administrator act as the arbiter for the system configuration means that one person always knows what's going on.

Also, allowing other people to have the root password means that it's more likely someone will eventually make a mistake using the root account. Although each person with knowledge of the root password may be trusted, anybody can make mistakes. If you're the only system administrator, you have only yourself to blame for making the inevitable human mistakes as root.

That being said, let's dive into the actual tasks of system administration under Linux. Buckle your seatbelt.



10.2. Managing Filesystems

You probably created filesystems and swap space when you first installed Linux (most distributions help you do the basics). Here is a chance to fine-tune these resources. Most of the time, you do these things shortly after installing your operating system, before you start loading up your disks with fun stuff. But occasionally you will want to change a running system, for example, to add a new device or perhaps upgrade the swap space when you upgrade your RAM.

To Unix systems, a filesystem is some device (such as a hard drive, floppy, or CD-ROM) that is formatted to store files. Filesystems can be found on hard drives, floppies, CD-ROMs, and other storage media that permit random access. (A tape allows only sequential access, and therefore cannot contain a filesystem per se.)

The exact format and means by which files are stored is not important; the system provides a common interface for all filesystem types it recognizes. Under Linux, filesystem types include the Third Extended filesystem, or ext3fs, which you probably use to store Linux files; the Reiser filesystem, another popular filesystem for storing Linux files; the VFAT filesystem, which allows files on Windows 95/98/ME partitions and floppies to be accessed under Linux (as well as Windows NT/2000/XP partitions if they are FAT-formatted); and several others, including the ISO 9660 filesystem used by CD-ROM.

Each filesystem type has a very different underlying format for storing data. However, when you access any filesystem under Linux, the system presents the data as files arranged into a hierarchy of directories, along with owner and group IDs, permission bits, and the other characteristics with which you're familiar.



In fact, information on file ownership, permissions, and so forth is provided only by filesystem types that are meant to be used for storing Linux files. For filesystem types that don't store this information, the kernel drivers used to access these filesystems "fake" the information. For example, the MS-DOS filesystem has no concept of file ownership; therefore, all files are presented as if they were owned by root. This way, above a certain level, all filesystem types look alike, and each file has certain attributes associated with it. Whether this data is actually used in the underlying filesystem is another matter altogether.

As the system administrator, you need to know how to create filesystems should you want to store Linux files on a floppy or add additional filesystems to your hard drives. You also need to know how to use the various tools to check and maintain filesystems should data corruption occur. Also, you must know the commands and files used to access filesystems, for example, those on floppy or CD-ROM.



10.2.1. Filesystem Types

Table 10-1 lists the filesystem types supported by the Linux kernel as of Version 2.6.5. New filesystem types are always being added to the system, and experimental drivers for several filesystems not listed here are available. To find out what filesystem types your kernel supports, look at the file /proc/filesystems. You can select which filesystem types to support when building your kernel; see "Kernel configuration: make config" in Chapter 18.

Table 10-1. Linux filesystem types

Filesystem                  Type  Description
Second Extended filesystem  ext2  Used to be the most common Linux filesystem, but is slowly being made obsolete by the Reiser and Third Extended filesystems
