Monday, June 29, 2009

HOWTO Check if a user or group already exists

Don't check /etc/passwd or /etc/group directly for the existence of a user or group: that only sees local accounts and misses anything NIS (or any other NSS source, such as LDAP) provides, which is exactly how provisioning scripts end up creating a local duplicate of an account that already exists in the directory. A better way is getent, part of glibc, which goes through the same NSS lookup the rest of the system uses and accepts either a name or a numeric id as the key. It exits 0 when every key is found and 2 when one of them is not, so scripts should test its exit status rather than grep its output. Look up the database entry for an existing user:
getent passwd username1 [username2 ...]
Look up the database entry for an existing group:
getent group groupname1 [groupname2 ...]
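As an added example (my own, not from the original post), here is a small POSIX sh helper that does the lookup the way a provisioning script should: through getent, using its exit status instead of grepping /etc/passwd, and distinguishing "not found" from "the lookup itself failed", so a dead NIS or LDAP server never gets mistaken for "the user does not exist". The ensure_user function and its useradd call are hypothetical provisioning logic, not anything the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Existence checks that go through NSS (local files, NIS, LDAP, ...) via
# getent instead of reading /etc/passwd or /etc/group directly.

# getent exit status: 0 = all keys found, 2 = a key was not found,
# 1 = bad database/arguments, 3 = enumeration not supported.
# Map that to 0 = exists, 1 = does not exist, 2 = lookup failed, so a
# broken NIS/LDAP server is never mistaken for "does not exist".
nss_lookup() {
    # $1 = database (passwd or group), $2 = key (name or numeric id)
    if getent "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        rc=$?
    fi
    case $rc in
        2) return 1 ;;
        *) printf 'getent %s %s failed (status %s)\n' "$1" "$2" "$rc" >&2
           return 2 ;;
    esac
}

user_exists()  { nss_lookup passwd "$1"; }
group_exists() { nss_lookup group  "$1"; }

# Hypothetical provisioning step: create the account only when NSS
# positively says it is absent. The useradd call needs root.
ensure_user() {
    if user_exists "$1"; then
        echo "user $1 already exists"
        return 0
    else
        rc=$?
    fi
    case $rc in
        1) useradd "$1" ;;
        *) echo "cannot tell whether $1 exists, not creating it" >&2
           return 2 ;;
    esac
}

# Usage: ensure_user builduser; group_exists wheel && echo "wheel present"
```

Because the checks return three distinct codes, a caller can refuse to act on a failed lookup instead of treating it like an empty result.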

Identifying Linux distributor and version

The Linux Standard Base makes it easy to identify the distributor and version of an LSB-compliant distribution. If the lsb package is installed (redhat-lsb, lsb, asianux-lsb, ...), just run:
lsb_release -i -d
or
lsb_release -a

Tuesday, January 06, 2009

KDM and XDMCP

After installing OpenSuse 11.1, I wanted to configure my favorite handcrafted WoW login theme, darkportal. The problem was that I couldn't preview it without logging off. No problem: I just needed to fire up Xephyr and check. So I enabled XDMCP through the /etc/sysconfig editor and ran:
Xephyr -query localhost -screen 1280x1024 :1
I got a blank screen for my efforts. Grrrr... I ran:
netstat -aunp | grep ":177"
only to find that kdm was listening on port 177 over IPv6 only, so the IPv4 query to localhost never reached it. Recalling an old KDE bug, I edited /etc/X11/xdm/Xaccess to read:
LISTEN 0.0.0.0
and restarted kdm. That did the trick, phew! Note that LISTEN 0.0.0.0 binds XDMCP on every IPv4 interface, and XDMCP has no authentication or encryption of its own: for a local preview like this, LISTEN 127.0.0.1 keeps it on the loopback interface, and anything wider should be firewalled down to the hosts that actually need it.

Wednesday, February 28, 2007

[Fix] Slow browsing on Suse 10.2 for some sites

I went fairly bananas trying to figure out why OpenSuse 10.2 was frigging slow on some web sites and not so bad on others. Following forum advice, I disabled IPv6 in Firefox, then disabled IPv6 altogether. It didn't help. Eventually it turned out that the MTU was the problem. It was set to 1500 and had to be brought down to 1492, the usual MTU behind a PPPoE link, which spends 8 bytes of every 1500-byte frame on its own header. I couldn't see that earlier because our firewall blindly drops all ICMP packets, so the "fragmentation needed" replies that path MTU discovery depends on never arrived. A quick
ifconfig eth0 mtu 1492
or alternately
ip link set eth0 mtu 1492
fixed the problem (until the next reboot; to make it stick, set the MTU in the interface's ifcfg file). Phew! [Hey you newbie network admin types: set your firewall to allow ICMP destination-unreachable / fragmentation-needed messages. These are type 3, code 4. They are how path MTU discovery tells a sender to use smaller packets; block them and every large packet sent with the DF bit set towards a smaller-MTU link silently disappears. Don't just blindly block ICMP because you read somewhere that it's unsafe. In Linux, accept them before the catch-all drop:
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
...
iptables -A FORWARD -p icmp -j DROP
iptables -A INPUT -p icmp -j DROP
(IPv6 depends on the equivalent ICMPv6 packet-too-big message, type 2, even more: IPv6 routers never fragment, so ip6tables must let packet-too-big through as well.)]
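As an added example (my own, not from the original post), here is a POSIX sh audit that reads iptables -S INPUT style output and reports whether the chain black-holes fragmentation-needed: a catch-all ICMP (or all-traffic) DROP/REJECT, or a DROP policy with no matching ACCEPT, reached before any rule that lets type 3 code 4 through. It works on the rule text alone: a rule with no -p is taken to apply to ICMP, jumps to user chains and match extensions such as --state are not modelled, so treat a pass as a first check rather than proof. The sample listing in sample_bad is constructed and reproduces the ordering mistake the bracketed note warns about.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an iptables chain
# listing (output of `iptables -S <chain>`, from a file argument or stdin)
# for a PMTUD black hole, i.e. ICMP "fragmentation needed" (type 3,
# code 4) being dropped before it is accepted.

# Return 0 if fragmentation-needed reaches the host, 1 if it is black-holed.
pmtud_ok() {
    awk '
        BEGIN {
            # --icmp-type values that include type 3 code 4
            frag = "--icmp-type (3/4|3|fragmentation-needed|destination-unreachable)( |$)"
        }
        $1 == "-P" { policy = $3; next }             # chain policy, consulted last
        !/-p / || /-p icmp/ {                        # rule applies to ICMP at all
            if (!/--icmp-type/ || $0 ~ frag) {       # and covers type 3 code 4
                if (/-j ACCEPT$/)            { ok = 1; done = 1; exit }
                if (/-j (DROP|REJECT)( |$)/) { ok = 0; done = 1; exit }
            }
        }
        END {
            # no terminal rule matched: the chain policy decides
            if (!done) ok = (policy != "DROP" && policy != "REJECT")
            exit (ok ? 0 : 1)
        }
    ' ${1:+"$1"}
}

# Constructed sample: the catch-all drop sits above the accept, so the
# accept is never reached.
sample_bad() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p icmp -j DROP' \
        '-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT'
}

# Usage: sample_bad | pmtud_ok || echo "black hole"
#        iptables -S INPUT | pmtud_ok && echo "PMTUD ok"
```

Run it against both the INPUT and FORWARD chains, since the note above adds rules to both; a firewall that forwards for other hosts black-holes them just as effectively as it does itself.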

Friday, August 19, 2005

Making ntsysv/chkconfig compatible rc scripts

To make a startup/shutdown script that ntsysv or chkconfig can manage, the script must start with this comment header; chkconfig reads the runlevels and the start/stop priorities from it when it creates the S and K links:
#!
#
# chkconfig: runlevel startpriority stoppriority
# description: brief, possibly multi-line description \
# follows

For example:
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
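As an added example (my own, not from the original post), here is a POSIX sh checker that verifies an init script carries a usable header before you hand it to chkconfig: the runlevel and priority fields are well formed, a description line is present, and, since the script will run as root at every boot, nobody but its owner can write to it. The validation rules are my reading of the template above; the script it is run on is assumed to be a file you are about to install under /etc/init.d.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an init script
# against the header chkconfig parses before installing it under /etc/init.d.

# Print the "levels start stop" fields from the first chkconfig line, if any.
rc_header() {
    # $1 = path to the init script
    sed -n 's/^# *chkconfig: *//p' "$1" | head -n 1
}

# Return 0 if the header is usable by chkconfig:
#   levels: digits 0-6, or "-" for "no runlevel" (service off by default)
#   start/stop: priorities 0-99 (they become the S## and K## link numbers)
#   a "# description:" line must be present
#   the file must not be group- or world-writable (it runs as root at boot)
validate_rc_script() {
    script=$1
    hdr=$(rc_header "$script")
    [ -n "$hdr" ] || { echo "$script: no '# chkconfig:' header" >&2; return 1; }
    set -- $hdr
    [ $# -eq 3 ] || { echo "$script: chkconfig line needs 3 fields, got $#" >&2; return 1; }
    levels=$1 start=$2 stop=$3
    if [ "$levels" != "-" ]; then
        case $levels in
            *[!0-6]*) echo "$script: bad runlevels '$levels'" >&2; return 1 ;;
        esac
    fi
    for p in "$start" "$stop"; do
        case $p in
            [0-9]|[0-9][0-9]) ;;
            *) echo "$script: priority '$p' is not 0-99" >&2; return 1 ;;
        esac
    done
    grep -q '^# *description:' "$script" || {
        echo "$script: no '# description:' line" >&2; return 1; }
    # In ls -l output, columns 6 and 9 are the group and other write bits.
    case $(ls -ld "$script" | cut -c1-10) in
        ?????w*|????????w*) echo "$script: writable by group or others" >&2; return 1 ;;
    esac
    return 0
}

# Usage: validate_rc_script /etc/init.d/sshd && chkconfig --add sshd
```

The permission check is the part worth keeping even if you trust your own headers: chkconfig happily links a world-writable script into the boot sequence, and that is a root shell for whoever can edit it.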

Sharing the GNOME desktop

GNOME now has a built-in VNC server called vino. It's under Applications -> Preferences -> Remote Desktop. Unlike a separate VNC server, it shares the live session, so the display number used when connecting is :0. That also means whoever connects sees and controls your logged-in desktop, so keep the confirmation and password options on and don't expose it beyond a trusted network.

Resizing mounted partitions

Starting with kernel 2.6.10, ext3 file systems can be resized with the resize2fs program (part of e2fsprogs). resize2fs can both shrink and grow an unmounted ext3 file system, and the one bundled with e2fsprogs 1.36+ can apparently grow a file system while it is mounted! Woo hoo! (Shrinking still needs it unmounted; resize2fs only touches the file system, so the partition or logical volume underneath has to be grown first; and a backup beforehand is cheap insurance.)

Monday, August 08, 2005

Configuring X Window

Each distribution seems to have its own tool for configuring X:
xf86config
Standard X Window configuration tool
system-config-display
Red Hat/Fedora X-window configuration tool
redhat-config-xfree86/Xconfigurator
Older Red Hat and Fedora versions
sax
Suse Linux

CD recording stuff

Detecting the CD recorder

cdrecord -scanbus

To burn a CD

cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject speed=2 archive.iso
Omit the -multi if it's a single session CD.

To burn a multisession CD

First burn:
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session1.iso
For subsequent burn:
First create the ISO for the new session. Place the CD in the drive and ask it where the next session has to start (use the same dev= as for burning; the output is a pair of sector numbers):
cdrecord dev=0,0,0 -msinfo
0,27139
Pass those numbers to -C, and the device to -M, so the new image continues the directory tree of the session already on the disc:
mkisofs -o session2.iso -Jr -V Session2 -C 0,27139 -M 0,0,0 /path/to/files/

Alternately:
mkisofs -o session2.iso -Jr -V Session2 -C $(cdrecord dev=0,0,0 -msinfo) -M 0,0,0 /path/to/files/

Now burn (drop the -multi when this is the last session):
cdrecord -v dev=0,0,0 driveropts=burnfree -multi -eject session2.iso

Simplify the cdrecord command line

To keep the cdrecord command line simple, put common options in /etc/default/cdrecord:
# /etc/default/cdrecord
CDR_DEVICE=0,0,0
CDR_SPEED=2

Now the command line can be greatly simplified to:
cdrecord archive.iso

To erase a CD-RW

cdrecord -v dev=0,0,0 blank=all
where
-v
verbose
dev
cdrom device (detected using cdrecord -scanbus)
blank=all
blanks the entire disc.

Creating a hybrid ISO

mkisofs -a -J -r -v -V vol_label -L -o img1.iso ~/cds/cd0/
where:
-a
Include all files on the ISO9660 file system; files whose names contain '~' or '#' (editor backup files) are otherwise skipped.
-r
Use Rock Ridge naming conventions (long names, permissions, symlinks), with the ownership and mode bits rationalized so the files are readable on any system.
-J
Generate Joliet directory records (for Windows) in addition to ISO9660.
-L
Allow file names to begin with a period.
-v
Verbose.
-V vol_label
Volume label.
-o outputfilename
Output file name.

Test the created ISO by mounting it with mount -o loop.

Friday, August 05, 2005

Changing role in SELinux enabled FC4

To run a command under a different role, first switch roles with newrole; it re-authenticates you and starts a new shell in the requested role, which your SELinux user must be allowed to enter. For example, to switch to the sysadm_r role:
newrole -r sysadm_r

Enabling public_html for Apache in FC4

To enable per-user web directories on SELinux-enabled FC3+, edit /etc/httpd/conf/httpd.conf:
  • Comment out the line UserDir disable
  • Add UserDir public_html.
  • Save the file and run service httpd reload
Each user who needs web directories must do the following:
  • Create ~/public_html, and populate it.
  • Change permissions with chmod so that the home directory is searchable by others and public_html and its contents are readable by others (Apache runs as its own unprivileged user).
  • Change the security context of the folder recursively:
    chcon -R -t httpd_user_content_t ~/public_html/
At this point it should work. If it does not, check that the Boolean that lets httpd read home directories is enabled:
  • Run system-config-securitylevel
  • Under the SELinux tab within the Modify SELinux Policy area: enable Allow HTTPD to read home directories.
  • Alternatively, execute the following (add -P to make the setting persist across reboots):
    setsebool httpd_enable_homedirs true

Preventing console message flooding

To stop kernel messages from flooding the console, lower the console log level so that only emergency (panic) messages are printed there; everything is still written to the kernel ring buffer and to syslog:
dmesg -n 1

Thursday, August 04, 2005

SE Linux essentials (FC3)

Bare minimal SELinux:
  • SELinux in FC3 uses the targeted policy by default. One could opt for the strict policy too, which was the default in FC2. The policy files needed are in these RPMs:
    • selinux-policy-strict-.rpm and selinux-policy-strict-sources-.rpm
    • selinux-policy-targeted-.rpm and selinux-policy-targeted-sources-.rpm
    The policy source resides in /etc/selinux/policyname/src/policy when the sources package is installed, and the binary policy file in /etc/selinux/policyname/policy.
  • Use system-config-securitylevel to change SELinux based settings.
  • The ls command's -Z option will display the security context of a file
  • The id command's -Z option will display the security context of a user
  • The ps command's -Z option will display the security context of a process.
  • Don't take policy switching lightly. Unless of course, it's for learning :)
  • To change the policy - easy way - run system-config-securitylevel, change the policy and reboot.
  • To change the policy manually -
    1. Edit /etc/selinux/config and change the type of policy to SELINUXTYPE=policyname.
    2. Set the mode to permissive. SELINUX=permissive.
    3. Tell the init scripts to relabel the system on reboot with the command touch /.autorelabel.
    4. Reboot the system.
    5. Confirm your changes took effect with the command sestatus -v. With the new system running in permissive mode, check /var/log/messages for avc: denied messages. Fix any problems.
    6. When you are satisfied that the system runs stable under the new policy, enable enforcing by changing SELINUX=enforcing. You can either reboot or run setenforce 1 to turn enforcing on in real time.
  • Ordinary backups will not back up the security contexts, which are stored as extended attributes. Use star to back up files on an SELinux-protected system; in particular, use the -xattr and -H=exustar options. E.g.:
    star -xattr -H=exustar -c -f ../test.star ./*
  • The variable SELINUX in /etc/selinux/config can take the values disabled, enforcing, or permissive. Booting the kernel with enforcing=0 is the same as SELINUX=permissive; similarly, booting the kernel with enforcing=1 is the same as SELINUX=enforcing.
  • As a safer alternative to booting with selinux=0, use SELINUX=disabled in /etc/selinux/config.
  • To temporarily turn off the enforcing mode, use setenforce 0. To return to enforcing mode, setenforce 1.
  • To turn off selinux at bootup, add selinux=0 to your kernel command line. Note that if you boot with selinux=0, any files you create while SELinux is disabled will NOT have SELinux context information. If booting with selinux=1 fails, relabel the files with a touch /.autorelabel and reboot into single user mode.
  • /usr/sbin/sestatus -v displays status info about SELinux
  • To relabel a directory, use restorecon -v -R /path.
  • If you have file systems shared by both SELinux enabled and non-SELinux machines - eg a dual-boot Suse and FC4 sharing the same /home, it sort of spells trouble when booting into SElinux as it may require relabelling.
  • Mounting a non-SELinux file system via NFS results in SELinux treating all the files in the share as having a context of nfs_t. To override the default context to say, system_u:object_r:tmp_t to SELinux:
    mount -t nfs -o context=system_u:object_r:tmp_t server:/shared/foo /mnt/foo
  • To change and load the security policy:
    cd /etc/selinux/targeted/src/policy
    make clean
    make load

Upgrading CentOS 4.0 to CentOS 4.1

CentOS 4 is basically Red Hat Enterprise Linux 4 rebuilt from source. I just upgraded it to CentOS 4.1 from the RPMs using these steps:

  • Download the rpms from CentOS/4.1/os on any mirror.
  • Download the updates from CentOS/4.1/updates on any mirror.
  • Download any extra modules that depend on the kernel version. In my case, I had to download linux-ntfs rpms for the 2.6.11ELhugemem kernel.
  • Disable SELinux enforcement using
    setenforce 0
    (Failing to do this made the rpm post-install scripts fail for some packages. Off the cuff, I recall the rpms for bzip2-libs and krb5-* failing.)
  • From the directory containing the 4.1 rpms, run
    rpm -Fvh *.rpm
    You need a lot of free disk space for this to work. Alternatively, freshen a few rpms at a time :)
  • Now enable selinux with setenforce 1.
  • Reboot in run level 1 so that no services start up
  • Run
    /sbin/fixfiles relabel
    Alternatively, to speed things up, you can use
    /sbin/restorecon -R pathname
    to recursively restore security contexts on the specified path; in my case /lib and /usr/lib were definitely affected. I opted for the fixfiles approach rather than weed out directories individually.
  • Change to the normal runlevel
That's all there is to it :-)

Monday, July 25, 2005

Adorning links in HTML with images

Not really Linux; more HTML+CSS stuff :-) I always wondered if it would be too painful to get images next to links the way some wikis do. It seems that for every HTML problem there's a CSS solution lurking, just waiting to jump out :-) You need to do something like this:
<style>
.whatever {
background-color: transparent;
background-image: url(imgfilename);
background-attachment: scroll;
background-repeat: no-repeat;
/* Use 'right' instead of 'left' to put the image on the right ... */
background-position: left center;
/* ... and then use padding-right instead of padding-left so the text clears the image. */
padding-left: 18px;
}
</style>
<body>
... Testing <a class="whatever" href="...">links</a>
</body>

I'll probably separate out the HTML stuff from this blog if there are too many of these HTML tips.

Friday, July 22, 2005

Installing grub on removable media

Grub is a really nifty boot loader. I especially love two things about it:
  • A command-line interface
  • No reinstallation for kernel changes
Even if the OS boot loader gets knackered, you can probably restore it if you have a grub floppy.

Installing grub on a floppy
Here's how to get grub on a floppy:
  • Kiss the prior contents of the floppy goodbye ;-)
  • Change to the directory /usr/share/grub/i386-redhat (on Fedora), /usr/lib/grub (on Suse), or /usr/share/grub/i386-pc if you built and installed grub yourself
  • Execute the commands:
    dd if=stage1 of=/dev/fd0 bs=512 count=1
    dd if=stage2 of=/dev/fd0 bs=512 seek=1
You ought to get a grub prompt when booting from this disk.

Here's another way to do the same thing, not so destructively:
  • Mount an ext2-formatted floppy at, say, /mnt/floppy
  • Copy /usr/share/grub/i386*/{stage1,stage2,e2fs_stage1_5} to /mnt/floppy/boot/grub/ (grub looks for its stage files in /boot/grub; grub-install copies them there itself, so this step only matters for the manual route further down)
  • Optionally create a /mnt/floppy/boot/grub/menu.lst
  • Execute grub-install --root-directory=/mnt/floppy fd0
  • Unmount the floppy
If you don't have grub-install, or are paranoid about using it, there's yet another way: boot to a grub prompt, either from a floppy created the destructive way outlined above or on some machine with grub installed on the hard disk. Then place the ext2 floppy in the drive and execute:
root (fd0)
setup (fd0)
You ought to have a bootable grub floppy on your hands now. I think the grub-install part ought to work with USB drives as well, though I haven't really tried it.

Installing grub on a CD
  • mkdir -p iso/boot/grub
  • cp /usr/share/grub/i386-*/stage2_eltorito iso/boot/grub
  • Optionally create a iso/boot/grub/menu.lst.
  • Create an iso image:
    mkisofs -R -b boot/grub/stage2_eltorito -no-emul-boot \
    -boot-load-size 4 -boot-info-table -o grub.iso iso
  • Burn the grub.iso image to cd.
Hopefully if all goes right, you have a bootable grub CD. Of course, try this with rewriteable CDs if you *really* need to be sure :)

Unzipping large files in Linux

Info-ZIP's unzip has file size limits: releases before 6.0 do not understand the ZIP64 extensions that archives with members larger than 4 GB need, and skip such members with this error:
skipping: yeas3/yeas3.TRC need PK compat. v4.5 (can do v2.1)
Support for unzipping large files comes with UnZip 6.x; the current version is 5.52.
So what if you want to unzip a large file on Unix *now*? You could either unzip on Windows with any number of utilities (7-Zip/PowerArchiver/IZArc) and somehow get the file over to Linux/Unix, or use p7zip, the Unix port of 7-Zip's command-line tool (7za). All you need to do is build the executable from source:
make
make install
Then run:
7za x file.zip [filename ...]
Until unzip 6.0 arrives, this one is going to be a fixture on my machine.

Wednesday, July 20, 2005

NSD - Name Server Daemon

Ack! Now here's a good replacement for BIND if your requirements aren't too heavy: NSD is a high-performance, authoritative-only name server (it does no recursion or caching, so clients still need a separate resolver). Being authoritative-only is good since it
  • separates cached and authoritative data
  • simplifies the software
  • avoids BIND's bugs and security flaws
It caters to the security-conscious with DNSSEC support. I've yet to try it; it looks promising, though.

Newsforge's 10 commandments of system administration

Newsforge has a nice collection of articles for system administration titled
The Ten Commandments of System Administration

In short:
  1. Thou shalt make regular and complete backups
    Use whatever floats your boat for this one - amanda, rsync, tar, etc.
  2. Thou shalt establish absolute trust in thy servers
    using file integrity tools like tripwire, aide, and afick.
  3. Thou shalt be the first to know when something goes down
    using tools like Nagios, Big Sister and Zabbix
  4. Thou shalt keep server logs on everything
  5. Thou shalt document complete and effective policies and procedures
  6. Thou shalt know what cable goes where
  7. Thou shalt use encryption for insecure services
  8. Thou shalt not lose system logs when a server dies
  9. Thou shalt know the openings into your servers
    using the well-established nmap program.
  10. Thou shalt not waste time doing repetitive and mundane tasks

Thursday, July 14, 2005

TrueType and Mozilla

Downloaded and installed the latest version of Mozilla? You may need to tweak some settings; if you create a new profile, these steps have to be repeated.

  1. In the location bar, type about:config
  2. In the filter bar that appears, type font
  3. Locate the line "font.FreeType2.enable". If the value is false, change it to true.
  4. Edit /default/firefox.js or /default/unix.js and add a line for each directory with TrueType/OpenType fonts, like this:
    pref("font.directory.truetype.1", "/usr/local/share/fonts/TrueType");
    pref("font.directory.truetype.2", "/usr/share/fonts/TrueType");

Now, hopefully, Mozilla will render fonts better. If not, check this page for anything I may have missed.