Category: LINUX

2007-08-23 15:41:56

1. When a new user account is added to a Linux system, an entry is added to the list of users in the password file, which is stored in /etc/passwd. Each line in the password file contains the information for a single user account, with the items separated by colons, as illustrated below:
  username:password:UID:GID:user's name:home directory:default shell
  jdean:x:500:500:dean:/home/jdean:/bin/tcsh
  password: each username has an associated password. The password stored in this field is in an encrypted (unreadable) form. Despite the encryption, for security reasons most systems now store users' passwords in a separate /etc/shadow file. If the password is not included here, the field is filled with the letter x, which indicates that the shadow password system is in use.
  User ID: each username requires a unique user identifier, or UID. The UID is simply a nonnegative integer. The root account is assigned the UID of 0, which affords it global privilege on the system. Other users have a positive UID, and it is not unusual to begin the sequence for new users at a large number like 100 or, on some Linux distributions, 500. By convention, the UID values from 0 to 99 are reserved for administrative use; those over 99 are for regular system users.
  Group ID: each username has a default group identifier, or GID. The GID is also a nonnegative integer. Groups are a way of allowing users to share files through mutual group membership. Group numbers and their associated names are specified in the /etc/group file. The GID stored for each user in /etc/passwd is that user's default group ID, though a user may belong to many groups. The protected group passwords are stored in /etc/gshadow, which is readable only by root. Here are a few sample lines from a gshadow file:
   root:::root
   pppusers:x::
   finance:0cf7ipLtpSBG::
   jdean:x::
 In this example, the groups pppusers and jdean do not have group passwords, as indicated by the x in the password field; the finance group is the only one with a password, which is encrypted.
 Groups are similar to users in their administration and are defined in the file /etc/group. Like the passwd file, the group file contains colon-separated fields:
 group name
 group password
 group ID
 group member list
2. Shadow passwords
  root:$1$0t.By0.1$e3992qDmIgF6NLhKIC9VI/:13598:0:99999:7:::
  The first two fields contain the username and the encrypted password. The remaining fields contain optional password aging information.
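The field layouts above are exactly what an account audit reads. The following shell script is an added example, not part of the original notes: it runs a few checks over constructed /etc/passwd and /etc/shadow lines (the root hash is the one quoted above; svc2, bsmith and legacy are made up) and can be pointed at the real files with "$(cat /etc/passwd)" and "$(cat /etc/shadow)" as root.

```shell
#!/bin/sh
# Constructed sample content in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdean:x:500:500:dean:/home/jdean:/bin/tcsh
bsmith:x:501:501::/home/bsmith:/bin/bash
svc2:x:0:0:second uid 0:/var/tmp:/bin/sh
legacy:$1$0t.By0.1$e3992qDmIgF6NLhKIC9VI/:502:502::/home/legacy:/bin/sh'

SAMPLE_SHADOW='root:$1$0t.By0.1$e3992qDmIgF6NLhKIC9VI/:13598:0:99999:7:::
jdean:!$1$0t.By0.1$e3992qDmIgF6NLhKIC9VI/:13598:0:99999:7:::
bsmith::13598:0:99999:7:::'

# Accounts other than root whose UID is 0: they carry full root privilege.
extra_uid0() { printf '%s\n' "$1" | awk -F: '$3 == "0" && $1 != "root" { print $1 }'; }

# passwd entries that still hold a hash instead of "x": the hash sits in the
# world-readable file instead of in /etc/shadow.
hashes_in_passwd() { printf '%s\n' "$1" | awk -F: '$2 != "x" && $2 != "" { print $1 }'; }

# shadow entries with an empty password field: login needs no password at all.
empty_shadow_passwords() { printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'; }

# shadow entries locked by usermod -L / passwd -l, which prefix the hash with "!".
locked_shadow() { printf '%s\n' "$1" | awk -F: 'substr($2, 1, 1) == "!" { print $1 }'; }

# audit_accounts PASSWD_CONTENT SHADOW_CONTENT: one line per finding, "check: user".
audit_accounts() {
  for check in extra_uid0 hashes_in_passwd; do
    for user in $("$check" "$1"); do echo "$check: $user"; done
  done
  for check in empty_shadow_passwords locked_shadow; do
    for user in $("$check" "$2"); do echo "$check: $user"; done
  done
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

The sample run flags svc2 (second UID 0), legacy (hash in passwd), bsmith (empty shadow password) and jdean (locked).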
User and group management commands
3. /usr/sbin/useradd
  Create the account user on the system.
  -c "comment"  define the comment field, probably the user's name
  -d homedir    use homedir as the user's home directory
  -D            list (and optionally change) the system default values
  -m            create and populate the home directory
  -s shell      use shell as the default shell for the account
  examples
    add a new user, bsmith, with all default settings: /usr/sbin/useradd bsmith
    add a new user, jdoe, with a name, a default home directory, and the tcsh shell:
    /usr/sbin/useradd -mc "jane doe" -s /bin/tcsh jdoe
4. /usr/sbin/usermod
   Modify an existing account. The usermod command accepts many of the same options as useradd does.
   -L  lock the password, disabling the account
   -U  unlock the password, enabling the user to once again log into the system
   examples:
   change jdoe's name in the comment field:
    /usr/sbin/usermod -c "jane deer-doe" jdoe
   lock the password for bsmith:
    /usr/sbin/usermod -L bsmith
5. /usr/sbin/userdel
  /usr/sbin/userdel [-r] user
  Delete an existing user account. When combined with the -r option, the user's home directory is deleted as well. Note that completely deleting accounts may lead to confusion when files owned by the deleted user remain in other system directories. For this reason, it is common to disable an account rather than delete it. Accounts can be disabled using the chage, usermod, and passwd commands.
  example: delete the user bsmith, including the home directory:
  /usr/sbin/userdel -r bsmith
6. /usr/sbin/groupadd
  /usr/sbin/groupadd group
  Add group to the system. In the rare case that a group password is desired on the group, it must be added using the gpasswd command after the group is created.
7. /usr/sbin/groupmod
  syntax: groupmod [option] group
  Modify the parameters of group.
  -n name  change the name of group to name
8. /usr/sbin/groupdel
  /usr/sbin/groupdel group
  Delete group from the system. Deleted groups can lead to the same confusion in the filesystem as described previously for deleting a user.
9. passwd
  passwd [options] username
  Interactively set the password for username. The password cannot be entered on the command line.
  -l  available only to the superuser; this option locks the password for the account
10. gpasswd
  gpasswd groupname
  Interactively set the group password for groupname. The password cannot be entered on the command line.
  Additional user and group management commands
11. /usr/sbin/pwconv (password convert)
   syntax: /usr/sbin/pwconv
   Convert a standard password file to a password and shadow combination, enabling shadow passwords on the system.
12. /usr/sbin/pwunconv
  syntax: /usr/sbin/pwunconv
  Revert from a shadow password configuration to a standard password file.
13. /usr/sbin/grpconv
  syntax: /usr/sbin/grpconv
  Convert a standard group file to a group and shadow group combination, enabling shadow groups on the system. Shadow group passwords are rarely necessary.
14. /usr/sbin/grpunconv
  syntax: /usr/sbin/grpunconv
  Revert from a shadow group configuration to a standard group file.
15. /usr/bin/chage
  syntax: /usr/bin/chage [options] user
  Modify password aging and expiration settings for user. Nonprivileged users may use this command with the -l option for their own username only.
  -E expiredate  set the account expiration date to expiredate, in the form MM/DD/YY or MM/DD/YYYY
  -l             list a user's password settings
   example: display the password settings for user jdoe (the nonprivileged user jdoe may do this too):
   /usr/bin/chage -l jdoe
   set jdoe's account expiration date to January 1, 2002:
   /usr/bin/chage -E 01/01/2002 jdoe
 Tune the user environment
16. /etc/profile
   When the bash shell starts, it looks for a number of configuration script files, including /etc/profile. Commands in this file are executed at login time and contain global startup information and settings for all bash users. The following is an example profile:
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# prepend (or, with "after", append) $1 to PATH unless it is already present
pathmunge () {
        if ! echo $PATH | /bin/egrep -q "(^|:)$1($|:)" ; then
           if [ "$2" = "after" ] ; then
              PATH=$PATH:$1
           else
              PATH=$1:$PATH
           fi
        fi
}

# Path manipulation
if [ `id -u` = 0 ]; then
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
fi

pathmunge /usr/X11R6/bin after
unset pathmunge

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"

HOSTNAME=`/bin/hostname`
HISTSIZE=1000

if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then
    INPUTRC=/etc/inputrc
fi
PATH="$PATH:/usr/local/bin"   # this line was added: that directory holds a lot of user software
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        . $i
    fi
done

unset i
JAVA_HOME=/usr/local/java/j2sdk1.4.2_04
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH
# CLASSPATH entries are separated by ':' on Linux (';' is the Windows separator)
CLASSPATH=.:/usr/local/java/j2sdk1.4.2_04/lib/dt.jar:/usr/local/java/j2sdk1.4.2_04/lib/tools.jar
export CLASSPATH
####
# the settings below override the JAVA_HOME set above
JAVA_HOME=/usr/local/java/jre1.5.0_11
JAVA_BIN=/usr/local/java/jre1.5.0_11/bin
PATH=$PATH:$JAVA_HOME/bin
export JAVA_HOME JAVA_BIN PATH

The system administrator expects that most users will need to run programs stored in /usr/local/bin. Making this modification once in /etc/profile eliminates the need for individuals to make it in their personal bash profiles.
17. /etc/skel
   When you create a new account, you will usually want to create a default home directory for the user of the account. When creating a new directory, it is a courtesy to the new user to initially populate the directory with useful files. These might include startup files for the user's shell, the desktop, or X Window applications. To facilitate the automated population of new user directories, the directory /etc/skel is used: it should contain all of the files and subdirectories that all new users will need.
18. Configure and use the system log
   The behavior of syslog is controlled by its configuration file, /etc/syslog.conf. This text file contains lines indicating what is to be logged and where. Each line contains a directive in this form:
   facility.level action
   The directives are defined as follows:
   facility: this represents the creator of the message (that is, the kernel or a process) and is one of the following: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, or local0 through local7. The use of these facility designators allows you to control the destination of messages based on their origin. Facilities local0 through local7 are for any use you may wish to assign to them in your own programs and scripts.
   level: specifies a severity threshold beyond which messages are logged, and is one of the following (from lowest to highest severity): debug, info, notice, warning, err, crit, alert, or emerg. There is also a special level called none that will disable a facility. The level defines the amount of detail recorded in the log file. A single period separates the facility from the level, and together they comprise the message selector. The asterisk (*) can be used to describe all facilities or all levels.
   action: this directive is arguably misnamed. It represents the destination for messages that correspond to a given selector (facility.level). The action can be a filename, a remote host indicated by the @ sign, or a comma-separated list of users or an asterisk (which means all logged-in users will be included); the action is to send the message to the specified destination.
   For example, if you wanted to create a separate log file for activity reported by the scripts you write, you might include a line like this in /etc/syslog.conf:
   # define a new log file for the local5 facility
   local5.*            /var/log/local5
  You could then use the logger utility to write messages to the facility from your shell script:
  $ logger -p local5.info "script terminated normally"
  The message "script terminated normally" would be placed into /var/log/local5, along with a timestamp and the hostname that sent the message.
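An added shell example, not from the original notes, that applies the selector rules above to a constructed syslog.conf: destinations prints the action of every line whose facility.level selector covers a message, so you can confirm where "logger -p local5.info" really lands. It assumes sysklogd's handling of ';'-joined selectors, where a later selector for the same facility (such as mail.none) replaces an earlier one.

```shell
#!/bin/sh
# Constructed syslog.conf (selector and action separated by spaces here; tabs also work).
SAMPLE_CONF='# constructed sample /etc/syslog.conf
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
local5.*                         /var/log/local5
*.emerg                          *'

# Severity rank, lowest to highest; unknown names rank below debug.
level_rank() {
  case "$1" in
    debug) echo 0 ;; info) echo 1 ;; notice) echo 2 ;; warning) echo 3 ;;
    err) echo 4 ;; crit) echo 5 ;; alert) echo 6 ;; emerg) echo 7 ;; *) echo -1 ;;
  esac
}

# line_matches SELECTORS FACILITY LEVEL: does a ';'-joined selector list cover a
# message? facility.level means "that facility at LEVEL or above", '*' is any
# facility or level, and 'none' drops the facility. A later selector for the same
# facility replaces an earlier one, which is how "*.info;mail.none" works.
line_matches() {
  matched=1; rest="$1;"
  while [ -n "$rest" ]; do
    sel=${rest%%;*}; rest=${rest#*;}
    fac=${sel%%.*}; lvl=${sel#*.}
    [ "$fac" = '*' ] || [ "$fac" = "$2" ] || continue
    if [ "$lvl" = none ]; then matched=1
    elif [ "$lvl" = '*' ] || [ "$(level_rank "$3")" -ge "$(level_rank "$lvl")" ]; then matched=0
    else matched=1
    fi
  done
  return $matched
}

# destinations CONF FACILITY LEVEL: print the action of every line that receives the message.
destinations() {
  printf '%s\n' "$1" | while read -r selectors action; do
    case "$selectors" in ''|'#'*) continue ;; esac
    if line_matches "$selectors" "$2" "$3"; then printf '%s\n' "$action"; fi
  done
}

# The notes' example message: logger -p local5.info "script terminated normally"
destinations "$SAMPLE_CONF" local5 info
```

With the sample configuration the local5.info message goes to both /var/log/messages (via *.info) and /var/log/local5, while mail.debug reaches only /var/log/maillog.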
19. Log file rotation (/etc/logrotate.conf)
  To prevent any log file from growing unattended to an extreme size, a log file rotation scheme should be installed as well. The cron system issues commands on a regular basis (usually once per day) to establish new log files. The old files are renamed with numeric suffixes. With this kind of rotation, yesterday's /var/log/messages file becomes today's messages.1.
  The utility that establishes the rotation is logrotate. This privileged command is configured using one or more files, which are specified as arguments to the logrotate command. These configuration files can contain directives to include other files as well. The default configuration file is /etc/logrotate.conf.
20. Examining log files
  syslog stores the messages it creates with the following information, separated by (but also including) spaces:
  date/time
  origin hostname
  message sender (such as kernel, sendmail, or a username)
  message text
  A typical message looks like this:
  Dec 28 01:39:19 localhost syslogd 1.4.1: restart.
21. Automate system administration
 There is a surprising amount of housekeeping that must be done to keep a complex operating system such as Linux running smoothly. Log file rotation, cleanup of temporary files and directories, system database rebuilds, backups, and other tasks should be done routinely. Clearly such mundane things should be automated by the system. Any system task that can be accomplished without real-time human intervention can be automated on Linux using cron and at, which can execute commands on behalf of any authorized system user. cron is intended mainly for regularly scheduled recurring activities, and at is most useful for scheduling single commands for execution in the future. cron gets its name from the "chron-" prefix of "chronology".
  Using cron
  The cron facility consists of two programs:
  crond: this is the cron daemon, the process that executes your instructions. It starts at system initialization time and runs in the background thereafter.
  crontab: this is the cron table manipulation program. This program gives you access to your cron table, or crontab file. Each authorized user may have his own crontab file to run commands and processes on a regular basis. The cron daemon wakes up every minute and examines all crontab files, executing any commands scheduled for that time.
  Each system user has access to the cron facility through her crontab file. These files are stored together in a single directory (usually /var/spool/cron) and are created and maintained using the crontab utility.
  crontab
  syntax: crontab [options]
  description: view or edit crontab files.
   -e       interactively edit the crontab file. Unless otherwise specified in either the EDITOR or VISUAL environment variable, the editor is vi.
   -l       display the contents of the crontab file
   -r       remove the crontab file
   -u user  operate on user's crontab file instead of your own. Only root can edit or delete the crontab files of other users.
   display the crontab file for user jdoe:
    crontab -l -u jdoe
   edit your own crontab file:
    crontab -e
  crontab files use a flexible format to specify times for command execution. Each line contains six fields:
  minute hour day month dayofweek command
  These fields are specified as follows:
  minute (0 through 59)
  hour (0 through 23)
  day of the month (1 through 31)
  month (1 through 12 or jan through dec)
  day of the week (0 through 6 [where 0 is Sunday] or sun through sat)
  command (any valid command, including spaces and standard Bourne shell syntax)
 For example, to execute myprogram once per day at 6:15 am, use this crontab entry:
  # run myprogram at 6:15am (the # indicates that the line is a comment)
  15 6 * * * myprogram
  To modify the previous example to execute at 6:15 and 18:15 on the 1st and 15th of the month, use:
  # run myprogram at 6:15am and 6:15pm on the 1st and 15th
  15 6,18 1,15 * * myprogram
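To check what a crontab line actually schedules, here is an added shell example that is not part of the original notes: it evaluates the five time fields with '*', plain numbers, comma lists and N-M ranges (month and weekday names are not handled) and reports which commands of a constructed crontab are due at a given minute. It also goes beyond the notes in one respect: when both the day-of-month and day-of-week fields are restricted, cron runs the entry when either of them matches.

```shell
#!/bin/sh
# Constructed crontab; the first two entries are the ones discussed above.
SAMPLE_CRONTAB='# run myprogram at 6:15am
15 6 * * * myprogram
# run myprogram at 6:15am and 6:15pm on the 1st and 15th
15 6,18 1,15 * * myprogram --report
0 2 * * 0-5 backup.sh'

# field_matches FIELD VALUE: FIELD is '*', a number, a range N-M, or a comma list of those.
field_matches() {
  [ "$1" = '*' ] && return 0
  list="$1,"
  while [ -n "$list" ]; do
    item=${list%%,*}; list=${list#*,}
    case "$item" in
      *-*) lo=${item%-*}; hi=${item#*-}
           [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0 ;;
      *)   [ "$item" -eq "$2" ] && return 0 ;;
    esac
  done
  return 1
}

# entry_runs_at LINE MIN HOUR DOM MON DOW: exit 0 if the crontab line fires at that time.
entry_runs_at() {
  line=$1; min=$2; hour=$3; dom=$4; mon=$5; dow=$6
  case "$line" in ''|'#'*) return 1 ;; esac
  set -f; set -- $line; set +f          # split the line without globbing the '*' fields
  [ $# -ge 6 ] || return 1
  field_matches "$1" "$min" && field_matches "$2" "$hour" && field_matches "$4" "$mon" || return 1
  # cron rule: if both day fields are restricted, either one matching is enough
  if [ "$3" != '*' ] && [ "$5" != '*' ]; then
    field_matches "$3" "$dom" || field_matches "$5" "$dow"
  else
    field_matches "$3" "$dom" && field_matches "$5" "$dow"
  fi
}

# entry_command LINE: the command part (field 6 onwards) of a crontab line.
entry_command() { set -f; set -- $1; shift 5; set +f; printf '%s\n' "$*"; }

# due_commands CRONTAB MIN HOUR DOM MON DOW: print the commands that run at that time.
due_commands() {
  printf '%s\n' "$1" | while read -r line; do
    if entry_runs_at "$line" "$2" "$3" "$4" "$5" "$6"; then entry_command "$line"; fi
  done
}

# 06:15 on the 1st of March (a Thursday in this constructed run)
due_commands "$SAMPLE_CRONTAB" 15 6 1 3 4
```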
22. System crontab files
   In addition to crontab files owned by individual users, crond also looks for the system crontab file /etc/crontab and files in the directory /etc/cron.d. The format for these system crontabs differs slightly from user crontabs: system crontabs have an additional field for a username between the time specifications and the command. For example:
   01 * * * * root run-parts /etc/cron.hourly
   System crontab files located in /etc/cron.d are of the same form as /etc/crontab, including the extra user field.
23. at
   syntax: at [-f file] time or at [options]
   In the first form, enter commands into the at queue for execution at time. at allows fairly complex time specifications. It accepts times of the form HH:MM to run a job at a specific time of day (if that time is already past, the next day is assumed). You may also specify midnight, noon, or teatime (4 pm), and you can suffix a time of day with am or pm for running in the morning or evening. You can also say what day the job will be run by giving a date in month-day form, with the year being optional, or by giving a date in MMDDYY, MM/DD/YY or DD.MM.YY form. The date specification must follow the time-of-day specification. You can also give times like now + count time-units, where time-units can be minutes, hours, days, or weeks. You can tell at to run the job today by suffixing the time with today, and you can tell it to run the job tomorrow by suffixing the time with tomorrow. If -f file is given, the commands are taken from the file; otherwise at will prompt the user for commands.
   In the second form, list or delete jobs from the at queue.
 -d job1[,job2,...]
   delete jobs from the at queue by number (same as the atrm command)
 -l  list items in the at queue (same as the atq command)
 example: run myprogram once at 6:15 pm tomorrow:
 $ at 6:15pm tomorrow
 at> myprogram
 at> ^D
 The ^D indicates that Ctrl-D was typed.
 example 2
   run the commands listed in the file command_list at 9 pm two days from now:
   $ at -f command_list 9pm + 2 days
   list items in the at queue (root sees all users' entries):
   $ at -l
   remove job number 5 from the at queue:
   $ at -d 5
24. Controlling user access to cron and at
   If your circumstances dictate that one or more users should be prohibited from using these services, two simple authorization files exist for each:
   /etc/cron.allow, /etc/cron.deny
   /etc/at.allow, /etc/at.deny
   These files are simply lists of account names. If the allow file exists, only those users listed in the allow file may use the service. If the allow file does not exist but the deny file does, only those users not listed in the deny file may use the service. For cron, if neither file exists, all users have access to cron. For at, if neither file exists, only root has access to at. An empty at.deny file allows access to all users and is the default.
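The decision table above is easy to get backwards in practice (the empty at.deny default in particular), so here is an added shell example, not from the original notes, that encodes it: may_use answers whether a user may use cron or at given the files in a directory (/etc on a real host), and demo walks through the states using a scratch directory so nothing on the host is touched.

```shell
#!/bin/sh
# may_use SERVICE USER DIR: SERVICE is "cron" or "at"; DIR holds the allow/deny
# files (/etc on a real host). Exit status 0 means USER may use SERVICE.
may_use() {
  svc=$1; user=$2; dir=$3
  if [ -f "$dir/$svc.allow" ]; then
    grep -qx "$user" "$dir/$svc.allow"        # allow file present: listed users only
  elif [ -f "$dir/$svc.deny" ]; then
    ! grep -qx "$user" "$dir/$svc.deny"       # deny file only: everyone not listed
  else
    [ "$svc" = cron ] || [ "$user" = root ]   # neither file: cron open to all, at root-only
  fi
}

# yes_no CMD...: print yes/no for the exit status of a command, for readable reports
yes_no() { if "$@"; then echo yes; else echo no; fi; }

# Walk through the states described in the notes in a scratch directory.
demo() {
  dir=$(mktemp -d)
  r1=$(yes_no may_use cron alice "$dir")      # no files at all: cron is open
  r2=$(yes_no may_use at alice "$dir")        # no files at all: at is root-only
  r3=$(yes_no may_use at root "$dir")
  printf 'alice\n' > "$dir/cron.deny"
  r4=$(yes_no may_use cron alice "$dir")      # listed in cron.deny
  r5=$(yes_no may_use cron bob "$dir")        # not listed in cron.deny
  printf 'bob\n' > "$dir/cron.allow"
  r6=$(yes_no may_use cron alice "$dir")      # allow file exists and wins: not listed
  r7=$(yes_no may_use cron bob "$dir")
  : > "$dir/at.deny"                          # empty at.deny, the shipped default
  r8=$(yes_no may_use at alice "$dir")
  rm -rf "$dir"
  echo "$r1 $r2 $r3 $r4 $r5 $r6 $r7 $r8"
}

demo
```

The demo prints "yes no yes no yes no yes yes", one answer per state in the order of the comments.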
25. Maintain an effective data backup strategy
  Backup types
   Backups are usually run in one of three general forms:
   full backup: a full, or complete, backup saves all of the files on your system.
 differential backup: saves only files that have been modified or created since the last full backup. Compared to a full backup, differentials are relatively fast because of the reduced number of files written to the backup media.
 incremental backup: saves only files that have been modified or created since the last backup, including the last incremental backup. These backups are also relatively fast.
 Device files
  When performing backup operations to tape and other removable media, you must specify the device using its device file. These files are stored in /dev and are understood by the kernel to invoke the device drivers that control the device. Here are some typical device files you may find on a Linux system:
  /dev/st0  first SCSI tape drive
  /dev/ft0  first floppy-controller tape drive, such as Travan drives
  /dev/fd0  first floppy disk drive
  /dev/hdd  an ATAPI Zip or other removable disk
26. Using tar and mt
  The tar (tape archive) program is used to recursively read files and directories and then write them onto a tape or into a file. Along with the data goes detailed information on the files and directories copied, including modification times, owners, modes, and so on, so the restored data has all of the properties of the original.
  During restoration of files from a tape with multiple archives, the need arises to position the tape at the archive that holds the necessary files. To accomplish this control, use the mt command (the name comes from "magnetic tape"). The mt command uses a set of simple instructions that direct the tape drive to perform a particular action.
27. tar
  syntax: tar [options] files
  Archive or restore files. tar recursively creates archives of files and directories, including file properties. It requires at least one basic option to specify the operational mode.
  -c          create a new tarfile
  -t          list the contents of a tarfile
  -x          extract files from a tarfile
  -f tarfile  unless tar is using standard I/O, use the -f option to specify the tarfile. This might be simply a regular file or it may be a device such as /dev/st0.
  -v          verbose mode
  -w          interactive mode. In this mode, tar asks for confirmation before archiving or restoring files. This option is useful only for small archives.
  -z          enable compression. When using -z, data is filtered through the gzip compression program prior to being written to the tarfile, saving additional space.
  -N date     store only files newer than the date specified. This option can be used to construct an incremental or differential backup scheme.
  -V "label"  adds a label to the .tar archive. Quotes are required to prevent the label from being interpreted as a filename. A label is handy if you find an unmarked tape or a poorly named tarfile.
  examples
    create an archive of the /etc directory on SCSI tape 0, reporting progress:
    tar cvf /dev/st0 /etc
    list the contents of the tar archive on SCSI tape 0:
    tar tf /dev/st0
    extract the entire contents of the tar archive on SCSI tape 0, reporting progress:
    tar xvf /dev/st0
    create a compressed archive of root's home directory on a floppy:
    tar cvzf /dev/fd0 -V "root home dir" /root
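The differential scheme that -N enables, written out as an added shell example (not from the original notes): a full backup records its time in a stamp file, and the differential run archives only files modified after it. It uses GNU tar's --newer-mtime instead of -N because -N also treats a newer ctime (chmod, chown, or the touch used here) as "changed", and relies on GNU tar reading an argument that starts with '/' as a file whose mtime is the cut-off. Archives go to files in a scratch directory rather than /dev/st0.

```shell
#!/bin/sh
# full_backup WORK ARCHIVE: archive everything under WORK/data and stamp the time.
full_backup() {
  tar -C "$1" -cf "$2" data && touch "$1/last_full.stamp"
}

# differential_backup WORK ARCHIVE: only files modified since the last full backup.
differential_backup() {
  [ -f "$1/last_full.stamp" ] || { echo "no full backup recorded" >&2; return 1; }
  tar -C "$1" -cf "$2" --newer-mtime="$1/last_full.stamp" data
}

# archive_files ARCHIVE: the regular files in the archive, sorted, one per line.
archive_files() { tar -tf "$1" | grep -v '/$' | sort; }

# Build a constructed scratch tree with pinned mtimes, run both backups, print contents.
demo() {
  work=$(mktemp -d)
  mkdir "$work/data"
  echo old > "$work/data/old.txt"
  echo new > "$work/data/new.txt"
  touch -d '2007-08-22 00:00:00' "$work/data/old.txt" "$work/data/new.txt"
  full_backup "$work" "$work/full.tar"
  touch -d '2007-08-23 00:00:00' "$work/last_full.stamp"   # pin the cut-off date
  echo changed > "$work/data/new.txt"
  touch -d '2007-08-24 00:00:00' "$work/data/new.txt"       # modified after the full run
  differential_backup "$work" "$work/diff.tar"
  printf 'full: %s\n' "$(archive_files "$work/full.tar" | tr '\n' ' ')"
  printf 'differential: %s\n' "$(archive_files "$work/diff.tar" | tr '\n' ' ')"
  rm -rf "$work"
}

demo
```

On a real host the same two functions would be pointed at the tape device, and the stamp file is what a cron-driven differential job needs to keep between runs.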
28. mt
  mt [-h] [-f device_file] operation [count]
  description: control a tape drive. The tape drive is instructed to perform the specified operation once, unless count is specified.
  -h              print usage information, including operation names, and exit
  -f device_file  specify the device file. If omitted, the default is used, as defined in the header file /usr/include/sys/mtio.h. The typical default is /dev/tape.
   Popular tape operations
   fsf [count]  forward space files. Move forward the number of files specified by count (archives, in the case of tar), leaving the tape positioned at the first block of the next file.
   rewind       rewind to the beginning of the tape.
   offline      eject the tape. This is appropriate for 8 mm or similar drives, where the tape is handled automatically by the mechanism. Ejecting the tape at the end of a backup may prevent an accidental subsequent backup to the same media. This operation is meaningless on devices that cannot eject the tape.
   status       display status information about the tape drive being used.
   tell         for some SCSI tape drives, report the position of the tape in blocks.
  examples:
   move the tape in /dev/st0 to the third archive on the tape by skipping forward over two archives (the non-rewinding device /dev/nst0 is used so the position is kept):
   mt -f /dev/nst0 fsf 2
   rewind the tape in /dev/st0:
   mt -f /dev/st0 rewind
   eject the tape cartridge:
   mt -f /dev/st0 offline
   determine what device is represented by the default /dev/tape:
   ls -l /dev/tape
29. Backup operations
   What should I back up?
  It's impossible to describe exactly what to back up on your system. If you have enough time and media, complete backups of everything are safest. However, much of the data on a Linux system, such as commands, libraries, and manpages, doesn't change routinely and probably won't need to be saved often. Making a full backup of the entire system makes sense after you have installed and configured your system. Once you have created a backup of your system, there are some directories that you should routinely back up:
  /etc  Most of the system configuration files for a Linux system are stored in /etc, which should be backed up regularly.
  /home  User files are stored in /home. Depending on your configuration, you may also store web server files in /home/httpd. On multiuser systems or large web servers, /home can be quite large.
  /usr/src  If you have done any kernel compilation, back up /usr/src to save your work.
  /var/log  If you have security or operational concerns, it may be wise to save the log files stored in /var/log.
  /var/spool/mail  If you have email hosted locally, the mail files are stored in /var/spool/mail and should be retained.
  /var/spool/at and /var/spool/cron  Users' at and cron files are stored in /var/spool/at and /var/spool/cron, respectively. These directories should be retained if these services are available to your users.
  Of course, this list is just a start, as each system will have different backup requirements.
  When backing up via cron with a shell script, you must make sure the system is running in single-user mode. If users or processes are actively working in a filesystem as it is backed up, the state of the files in the archive will be in question. To avoid this problem, it may be safest to eliminate the users and processes from the backup scheme completely by putting Linux into single-user mode (runlevel 1) before executing the backup. In this mode, users will not be logged on, and servers, such as web or database servers, will be shut down. With no active processes running, the filesystem can be safely backed up.