================== LPIC 101 =================

Installation lab
  Put / and /home on separate partitions. Leave 10G free.
  Create a non-root account.
  Install the Gnome desktop.
  Use static IP addressing. Assign an IP address to each student and have them choose a hostname.

101.1: DEMO?
  Change BIOS settings: change the boot device, disable devices.

101.2:
  Do a single-user boot.

101.3:
  Change the default runlevel in inittab to 3 and reboot. Then transition to runlevel 5.
  Use chkconfig to enable or disable sshd.

102.1: No lab

102.2: grub shell?
  Add a stanza in grub.conf to do a single-user boot.
  Set a grub password.

102.3:
  Determine what libraries are used by (e.g.) apache using ldd.
  Remove the symlink to libgssapi, run ldd again.

102.4: No lab possible

102.5:
  List all packages with rpm -qa.
  Use yumdownloader to download an rpm, then install it with rpm -i.
  Query to see which package /bin/bash came from (rpm -qf) ... what other files are in that package?
  Have them add CentosExtras to the repositories.
  *** Add the centos CD to the repository list; if no internet, mv the CentOS-Base.repo file out of the way.
  Have them install mysql, nmap.

103.1: Setting / unsetting variables
  Write a simple script that echoes the value of $foo and then does cd /etc.
  In the parent shell, set foo=bar, run the script, show foo is not inherited.
  Now export foo, re-run the script, show foo is inherited.
  Look something up with man: man passwd vs man 5 passwd.

103.2:
  cut user names from /etc/passwd, sort them.
  Reverse numeric sort on output from du, pick off the first 10 lines.

103.3:
  Using find, create a tar file: check its size. Run file on it.
  Compress it with gzip. Check the size again, check the file type with "file".
  Uncompress it. Compress it with bzip2. Check the size again.
  Filename wildcards.

103.4: Using streams, pipes and redirects
  Redirect output from date into a file.
  Append output from ls into the same file.
  Redirect find output (and find's stderr to /dev/null).
  Compare "wc < foo.txt" with "wc foo.txt". Why is the output different?
  Use "mail" with stdin redirection to send a pre-prepared message from a file.
  Pipe output from ls -l into sort, do a reverse numeric sort on the file size.
  Compare:
    ls | xargs echo hello
    ls | xargs -n 1 echo hello
  Look up the man page for xargs. What does the -n option do?
  Find the largest UID in the password file.
    Solution: cut -d: -f3 /etc/passwd | sort -n | tail -1
  Use tee to capture the output from find into a file, AND show it on the screen.

103.5: Create, monitor and kill processes
  Run top. How busy is the CPU? How much memory is in use? How much swap space is in use? Which process is using the most CPU time?
  Run ps. What is the process ID of your shell?
  Run ps -e. What is the process ID of init?
  Job control, something like:
    Start xclock -update 1 in the background.
    Start xeyes in the background.
    Run the jobs command, see two background jobs.
    Bring xclock into the foreground.
    Suspend it (^Z), notice the clock stops ticking.
    Resume it in the foreground, notice the clock starts ticking again.
    Kill xclock using a kill command from the command line.
    Kill xeyes using top.
  Examine the output from the command 'free'. How much memory does the machine have? How much is free?
  nohup ???

103.6: Modify process execution priorities
  Start xclock in the background with a nice value of 10.
  Examine its current niceness using top.
  Use renice to set xclock's niceness to 15.
  Verify the setting using top.

103.7: Search text files using regular expressions
  Use grep to find the line in /etc/passwd that relates to your own account.
  Use grep to find the lines in /var/log/dmesg that relate to SELinux.
  Did the X server report any errors in its log file? (Hint: look for '(EE)'.)
  Use grep to show the non-comment lines in /etc/ssh/ssh_config. Can you also find a way to eliminate the blank lines?
  Do the same thing using sed.
  List the lines in /etc/shadow relating to accounts that are NOT disabled. (That is, they do not have a !! or a * in the password field.)
  Pipe the output into cut to display just the user names of these accounts.
    Solution: grep -v ':[!*]' /etc/shadow | cut -d: -f1

103.8: Perform basic file editing operations using vi
  Make a copy of /etc/ssh/sshd_config in your home directory. Use vi to edit the file and make the following changes:
    1. Uncomment the line "PermitRootLogin" and change "yes" to "no"
    2. Delete all lines relating to Kerberos
    3. Add a comment at the start of the file to say that you edited it
    4. Use a global substitution to change all occurrences of 'yes' to 'no'
    5. Save the file and quit the editor

104.1: Create partitions and file systems
  Use fdisk to create two new partitions: one of type 83 and size 5 Gbytes, and one of type 82 and size 1 Gbyte.
  Use "mkfs -t ext2 -j" to create an ext3 file system on the first of these partitions. Be careful to use the correct partition for this!
  Use mkswap to prepare the second partition as swap space.
  Run swapon -s and free to show current swap partitions and available space.
  Run swapon to add the new swap partition.
  Run swapon -s and free again to show current swap partitions and available space.

104.2 and 104.3:
  Run df -h. What partitions are currently mounted? How much space is available on the root partition?
  Run tune2fs -c and set the maximum mount count for the partition to 2.
  Create a directory called /backup for use as a mount point.
  Mount your new file system (from topic 104.1) onto /backup.
  Run df -h again and verify that your new partition is mounted. How much free space does it have?
  Make a copy of the /etc directory on your new partition. List the contents of /backup.
  Unmount the partition. List the contents of /backup again.
  Add entries to /etc/fstab so that the new swap partition and the new file system are automatically mounted at boot time.
  For the line that refers to the file system (not the swap partition) specify the "users" mount option.
  Reboot the system.
  Run the mount command without arguments and verify your file system is mounted.
  Run swapon -s and verify that your new swap area is active.
  Verify that you can unmount the /backup file system as a non-root user.

104.4: Manage disk quotas
  No lab

104.5:
  By examining the access permissions on the relevant files and directories, predict which of the following commands would succeed. For the commands that would fail, determine which permissions you are lacking. Assume you're in your home directory.
    cp /etc/passwd ./Desktop
    cp /etc/shadow ./Desktop
    rm /etc/passwd
    ls -l /var/spool/cron
    ls -l /var/spool/mail
    cp .bashrc /etc/passwd
    cp .bashrc /etc/xyzzy
  Make sure your new file system from topic 104.3 is mounted on /backup.
  Modify the permissions on the /backup directory so that all users have write permission. Verify that you can copy files into this directory.
  Set your umask to 000.
  Create a directory called d1 in your home directory.
  Examine the access permissions on d1.
  Set your umask to 077.
  Create a directory called d2 in your home directory.
  Predict what mode d2 will have. Check and see if you are correct.

104.6: Create and change hard and symbolic links

================= LPIC 102 ================

105.1: Customise and use the shell environment
  Define some aliases. Put them in ~/.bashrc. Start a new shell. Verify the aliases are there.

105.2: Customise or write simple shell scripts
  Write a script that takes a list of filenames as arguments. For each one, if the file does not exist, send a mail message to root to say so.
  Write a script that takes a list of user names as arguments. For each one, if that user is using more than 5000 blocks of disk space, mail a message to root to say so.

SOLUTIONS:

------ first script -------
#!/bin/bash
# For each filename given on the command line, mail root if it does not exist
for file in "$@"
do
    if [ ! -e "$file" ]
    then
        echo "$file does not exist" | mail -s "missing file" root
    fi
done

------- second script ---------
#!/bin/bash
# For each user named on the command line, mail root if the user's home
# directory occupies more than 5000 blocks (the threshold set in the exercise)
for user in "$@"
do
    diskused=$(du -s "/home/$user" | cut -f1)
    echo "$user $diskused"
    if [[ $diskused -gt 5000 ]]     # or: if (( diskused > 5000 ))
    then
        echo "$user is using $diskused blocks" | mail -s "high disk usage" root
    fi
done

105.3: SQL data management
  Add the centos CD to the repository list; if no internet, mv the CentOS-Base.repo file out of the way.
  Install mysql-server.
  Start the mysqld daemon.
  mysql -u root < demodb.sql (This file can be downloaded from the ict@innovation portal)
  UNFINISHED
  Select data from the products table.
  Select data from the products table and join to the supplier table.
  Select data from the supplier table - see all rows.
  Insert a new supplier into the supplier table.
  Select data from the supplier table to verify that the data has been inserted.
  Delete the inserted supplier.
  Select from the supplier table to verify that the supplier has been deleted.

106.1 Install and configure X11
  Run the command xwininfo.
  Run the command xdpyinfo.

106.2 Setup a display manager
  For this lab students will need to pair up. We will have each student export their X display to their partner and start an application, such as firefox, that will display on their partner's monitor. The steps below are for each student to carry out.
    1. Edit /etc/gdm/gdm-custom.conf and add the following entries in the appropriate places.
         [security]
         DisallowTCP=false
         AllowRemoteRoot=true

         [xdmcp]
         Enable=true
    2. Restart the X server. This can be done by rebooting or by killing and restarting X.
    3. Enter xhost +
    4. Enter export DISPLAY=
    5. firefox -- this should start firefox locally but the display will run on the partner's machine.
  We will change the greeter used by Centos. For this we will need to change the file /etc/gdm/custom.conf. Add the following in the appropriate space. You can change the greeter back by changing gdmlogin to gdmgreeter.
         [daemon]
         Greeter=/usr/libexec/gdmlogin
  We can also change the image by taking a screenshot with the screenshot tool and changing the logo to use the screenshot.
         [greeter]
         #Logo=/usr/share/pixmaps/gdm-foot-logo.png
         Logo=/usr/share/pixmaps/Screenshot.png

106.3 Accessibility
  No Lab

107.1 Manage user and group accounts and related system files
  Add a user temba to the system with useradd; create a home directory with -m.
  Set the user's password with passwd.
  Add the user to a group with usermod.
  Run id temba to see if the user is a member of the group.
  Add a group called finance with groupadd.
  Make temba a group administrator with gpasswd -A.
  su to temba and see if you can add yourself as a member of the group with gpasswd -a.
  Run id and see that temba is not a member of the group finance.
  less /etc/group and see that temba is an administrator of the group, by looking at the ::
  Exit the su context.
  Create a directory /finance and copy some files to it.
  Change the group on /finance with chgrp -R finance /finance - this will make all files owned by the finance group.
  Change the permissions on the directory and files so they are only accessible by the owner and group, i.e. chmod -R 660 /finance/* and change the directory with chmod 770 /finance.
  su to temba and observe that you cannot list the /finance directory or any file in it.
  Use the command gpasswd -a temba finance to make temba a member of the group finance.
  Observe that temba can enter the /finance directory and read files and create new ones.
  Exit su.
  Run groupdel finance and do an ls -l /. Notice that the group id is displayed and not the group name. This is because deleting a group does not change ownership of files owned by that group.
  Remove the /finance directory.
  ls /home to see temba's home directory.
  Delete temba with userdel -r; observe that the user's home directory is also deleted.
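An added example, not part of the original lab notes, showing how the membership that id temba reports is resolved from passwd and group records, and how a group administrator (gpasswd -A, recorded in the third field of /etc/gshadow) differs from a member (gpasswd -a). The records are constructed to match the exercise after gpasswd -A but before gpasswd -a; the user alex is an assumed pre-existing member of finance.

```sh
#!/bin/sh
# Constructed passwd/group/gshadow-format records mirroring topic 107.1:
# temba exists, finance exists, temba is an administrator of finance but
# not yet a member; alex is assumed to be an existing member.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
temba:x:1001:1001::/home/temba:/bin/bash
alex:x:1002:1002::/home/alex:/bin/bash'

GROUP_DATA='root:x:0:
temba:x:1001:
alex:x:1002:
finance:x:1003:alex'

# /etc/gshadow fields: group:password:administrators:members
GSHADOW_DATA='root:::
temba:!::
alex:!::
finance:!:temba:alex'

# Print every group a user belongs to, the way id does: the primary group
# named by the GID in passwd, then any group listing the user as a member.
groups_of() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# "yes" if user $1 is a member (primary or supplementary) of group $2
is_member() {
    if groups_of "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# "yes" if user $1 is listed as an administrator of group $2 in gshadow.
# Administrators may add members with gpasswd -a but are not members themselves,
# which is why temba cannot enter /finance until gpasswd -a temba finance is run.
is_admin() {
    printf '%s\n' "$GSHADOW_DATA" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($3, a, ","); for (i = 1; i <= n; i++) if (a[i] == u) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# The observations the lab asks students to make
echo "temba groups:            $(groups_of temba | tr '\n' ' ')"   # temba
echo "temba member of finance: $(is_member temba finance)"         # no
echo "temba admin of finance:  $(is_admin temba finance)"          # yes
echo "alex member of finance:  $(is_member alex finance)"          # yes
```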
107.2:
  Add a cron job to send a timestamp to a file in their home directory every minute.
  Add a cron job that displays a gui interface (to be verified).
  Create 'command_list.txt' in your home directory, and in it a command such as: mail -s "i just run at" root
  Run: at -f /home/my_account/command_list now
  Compare with running the same instruction as: at now

107.3 Localisation and internationalisation
  No Lab

===============

108.1: Maintain system time
  Set the correct time zone for your location.
  Set the system time and date to the correct values.
  Use the ntpdate command to set the time from a time server. You can use the time server suggested in the notes or one suggested by the instructor.
  Install the appropriate package for the ntp server.
  Modify the /etc/ntp.conf file to use two time servers, either the ones suggested in the notes or the ones suggested by your instructor.
  Start the ntp server.

108.2: System logging
  Examine the current /etc/syslog.conf file. From your examination of the file, where will messages of priority kernel.warning be sent?
  Try loading a new module into the kernel (modprobe tulip) and verify that you can see the messages logged by this module as it is loaded. ("Tulip" is a module for a network card driver.)
  Modify the /etc/syslog.conf file so that all messages from facility local4 are sent to the first console terminal, /dev/tty1. Don't forget to send a HUP signal to syslogd after changing the file.
  Now use the logger command to send a message from facility local4 with priority info. Switch to the first console terminal and verify that the message appears. Does the message also appear in /var/log/messages?
  [HARDER] Work with another class student. Configure syslog so that messages from facility local4 on student A's machine are also sent to student B's machine. Verify that this is working.

108.3: Mail Transfer Agent (MTA) basics
  Use the mail command to send a message to your own user account.
  You may have to wait a minute for the message to be delivered.
  Examine the file /var/spool/mail/your-user-name. This is your "maildrop", where the server stores messages you haven't read yet. You should see your message.
  Read the message using the mail command without arguments.
  Use adduser to create two new additional accounts called alex and beth.
  Edit the /etc/aliases file and add an alias called student that contains the user names alex and beth. Run the command newaliases to rebuild the alias database.
  Send a mail message to the student alias. Wait a moment for it to be delivered. Examine the maildrop files /var/spool/mail/alex and /var/spool/mail/beth and verify that the message arrived in both.
  Create a .forward file in your home directory, containing a single line that forwards your mail to the file /tmp/forward and to the account alex. Send a mail message to your own user account. Verify that it arrives in the file /tmp/forward and is also delivered to alex. [NOT WORKING]

108.4: Manage printers and printing
  If you have a physical printer available, use the CUPS web-based interface to add it to the CUPS print system. (Start a browser and browse to http://localhost:631.) Use a command-line tool such as lpr to send a text file to the printer and verify that it is printed correctly.
  If you do not have a physical printer available, simply add a fictitious HP deskjet printer. You will not be able to print but you will be able to verify that you can add and remove jobs from the print queue.
  After you have added the printer, run the command lpstat -t to verify that it is known to the CUPS print system.
  Now run the command cupsdisable to stop printing on your printer. Use the lpr command to print some files on your printer. Verify the content of the printer queue with lpq. Remove one of the jobs from the queue with lprm.
  Use the reject command to prevent new jobs being sent to the printer queue.
  Verify that you can no longer use the lpr command to print files to that printer.

109.1: Fundamentals of Internet Protocols
  Run the command ifconfig eth0 to examine the settings of your network interface. From this information, determine: (a) your IP address, (b) your netmask, (c) your network address, (d) the broadcast address of your network.
  Suppose that your network interface is connected to the network 10.0.0.0/20 (using CIDR notation). Which of the following IP addresses are on the same network? [Here give 4 example addresses]
    10.0.0.21
    10.1.0.21
    10.0.14.6
    10.0.16.4
  Examine the file /etc/services. What ports do the services ssh, smtp and http listen on?

109.2: Basic Network Configuration
  Examine the output of the command lspci and determine what type of Ethernet card your machine has.
  Ask your neighbour for his IP address. Verify that you can ping this address.
  Now add an entry to /etc/hosts which associates the name "neighbour" with your neighbour's IP address. Verify that you can now ping your neighbour's machine by specifying the hostname "neighbour" instead of an IP address.
  Examine the file /etc/sysconfig/network. Is networking configured to start at boot time? What host name is defined here?
  Examine the file /etc/sysconfig/network-scripts/ifcfg-eth0. Is this network interface statically configured or does it use DHCP? If it's a static configuration, what is the IP address of this interface? Does this agree with the value reported by ifconfig?
  Modify this file to (temporarily) change your IP address by adding 100 to the final octet. For example, if your current IP address is 10.0.0.4, change it to 10.0.0.104. Restart the eth0 interface and run ifconfig again to verify that the change has been made. Ask your neighbour to try pinging you at this new address. Don't forget to set your IP address back to its original value when you're done.
  (Note: to restart the network interface you can either run "service network restart" or use the commands ifdown and ifup to restart one specific interface.)
  Examine the routing table. Which entry in the table specifies the network to which your eth0 interface is connected? What is the IP address of this network? Which entry in the table specifies the default gateway? What is the IP address of this gateway?

109.3: Basic Network Troubleshooting
  Use dig to perform a DNS lookup for the machine www.lpi.org. From the output of dig, determine (a) the IP address of www.lpi.org, and (b) the IP address of the DNS server that responded to the request.
  Try using nslookup to perform the same query. Which tool gives the most helpful output for debugging?
  Use the following four methods to determine if the sshd daemon is running on your machine:
    1. See if it is present in the output from ps -ef
    2. Run the command "service sshd status"
    3. Run the command netstat -ant. Is anything listening on port 22?
    4. Run the command lsof -i. Is anything listening on port 22?
  Run the command traceroute www.lpi.org or some other site of your choice. Examine the output. Which gateway does the packet go through on its first hop? How many gateways does the packet go through altogether?

109.4: Configure client-side DNS
  Examine the file /etc/nsswitch.conf. Which information sources are consulted for host name lookups? Is DNS used?
  Examine the file /etc/resolv.conf. Which DNS servers is your machine configured to use?

110.1: Perform Security Administration Tasks
  Set a grub password, following the procedure shown in the notes. Reboot, and verify that you can boot using the pre-defined settings without supplying the grub password, but that you need to supply the password to change those settings.
  Run find to get a list of all the setuid programs owned by root. Save the list in a file.
  Log in as root and set the setuid bit on the program /bin/cat.
  Run the find command again and save the output in a second file. diff the files. Do you see the new setuid program? Why would it be VERY insecure if cat ran as a setuid program on a real-world system?
  Run chage -l to list the password ageing settings for your own account. Change the settings so that your account will expire on 31 December of the current year and so that you are required to change your password every month. Run chage -l again to verify the new settings.
  Install nmap and run a port scan on your neighbour's machine. Which ports are open?
  As root, edit the file /etc/security/limits.conf and set a hard limit on file size of 50 Kbytes for your own account. Log out and log back in again. Run the ulimit -a command and verify that the file size limit is what you expect.
  Try to copy the linux kernel image from /boot (the name will be of the form vmlinuz-2.6.*) into your home directory. Does this succeed? If not, how much of the file is copied? Is this consistent with your ulimit setting?
  Set the file size limit back to being unlimited. Log out and log in again to restore the original limit.

110.2: Set up host security
  In this exercise we'll configure xinetd to enable the very simple chargen service.
  First, verify that the chargen service is not running by verifying that nothing is listening on port 19.
  Modify the xinetd config file for chargen to enable the service. Send a HUP signal to xinetd. Verify that there is now a service listening on port 19.
  Try connecting to the chargen service with "telnet localhost chargen". You should see a continuous stream of characters output. (To get back to a telnet prompt enter ^] then type quit.)
  Ask your neighbour to try telnetting to your chargen service. Does this work?
  Modify your xinetd configuration so that you can still connect to your chargen service but your neighbour cannot.

  In this exercise we'll use TCP wrappers to limit access to sshd to one of your fellow students, but deny it to others.
  First run ldd to verify that your sshd is linked against the libwrap library. (If it isn't, this is not going to work!)
  Create a /etc/hosts.deny file that contains the line:
    ALL: ALL
  Edit your /etc/hosts.allow file and add an entry that allows access to your sshd from one of your fellow students, but no-one else.
  Restart the sshd daemon.
  Verify that your chosen student is able to perform an ssh login to your machine, but other students cannot.

110.3: Securing data with encryption
  In this exercise you will work with another student (your "neighbour"). The object is to set up passwordless secure login using ssh and user public/private keys.
  Perform an ssh login to an account on your neighbour's machine. If this is the first time you have done this you'll be asked to verify the authenticity of the host. Compare the key fingerprint reported in this message with the fingerprint reported on your neighbour's machine. (See the student guide for how to do this.)
  Following the steps in the student guide, create a DSA key pair for yourself (do not set a password) and copy the public key into the appropriate directory on your neighbour's machine.
  Verify that you can now perform a password-less ssh login to your neighbour's machine.
  ====
  Use ssh remote port forwarding so that your neighbour can make a telnet connection to port 6789 on his local machine, and connect to your own chargen service (enabled in an earlier exercise).
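An added example, not part of the original lab notes, turning the setuid audit of topic 110.1 (find the setuid programs owned by root, save the list, repeat, diff) into a repeatable baseline-and-compare check. The lab runs it against / as root; here the directory and owner are parameters, and the demo uses a constructed scratch directory with an empty file standing in for /bin/cat so that nothing on the real system is changed.

```sh
#!/bin/sh
# Setuid audit in the style of topic 110.1: list, save, repeat, compare.

# List regular files under DIR owned by OWNER that carry the setuid bit, sorted
# so two runs compare line by line. -xdev keeps find on one file system, so
# /proc, /sys and removable media do not pollute the list.
list_setuid() {   # usage: list_setuid DIR OWNER   (OWNER: name or numeric uid)
    find "$1" -xdev -type f -user "$2" -perm -4000 2>/dev/null | sort
}

# Entries present in CURRENT but absent from BASELINE: programs that became
# setuid since the baseline was taken (what the lab's diff shows as new lines).
new_setuid() {    # usage: new_setuid BASELINE_FILE CURRENT_FILE
    comm -13 "$1" "$2"
}

# Entries in BASELINE that have lost the setuid bit or disappeared.
removed_setuid() {    # usage: removed_setuid BASELINE_FILE CURRENT_FILE
    comm -23 "$1" "$2"
}

# Constructed demonstration: a scratch directory stands in for / and an empty
# file named mycat stands in for /bin/cat. Prints the name of the new setuid file.
demo() {
    dir=$(mktemp -d) || return 1
    owner=$(id -u)                     # the lab uses root; here, the current user
    : > "$dir/mycat"
    : > "$dir/harmless"
    list_setuid "$dir" "$owner" > "$dir/baseline.txt"   # nothing setuid yet
    chmod u+s "$dir/mycat"                              # the change to detect
    list_setuid "$dir" "$owner" > "$dir/current.txt"
    new_setuid "$dir/baseline.txt" "$dir/current.txt" | sed "s#^$dir/##"
    rm -rf "$dir"
}

demo    # prints: mycat
```

On a real host the baseline should be stored somewhere the audited system cannot modify it, otherwise whoever planted the setuid binary can also edit the list it is compared against.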