Solaris 8 Help Myself Guide
host - a computer system
host name - a unique name assigned to a host to distinguish it from other
hosts on a network
server - a host that provides services
client - a host that uses services provided by a server
user name - unique name that is used for a user to log into a system
Managing User Accounts:
Add, modify, or delete user accounts via CLI or GUI utility called admintool.
Start Admintool GUI:
# admintool &
Any member of sysadmin group (GID 14) can run admintool (so can root).
Admintool copies and renames /etc/skel initialization file for specific user
shell.
Before you add user:
User name - Must have login name that is unique to the system, consist of
two to eight letters (A-Z,a-z) and numbers (0-9). First character must
be a letter. At least one letter must be lowercase. Cannot contain
spaces. May contain period (.), underscore (_), & hyphen (-).
UID - User ID - User name's unique numerical ID for the system. Normal UID
numbers range from 100-60000. 0-99 are reserved for system accounts.
60001=nobody 60002=noaccess. UID numbers should be unique: duplicates are
allowed (useradd -o) but should be avoided.
GID - Group ID - Unique numerical ID for the group the user belongs on the
system. GID range from 100-60000. 0-99, 60001, 60002 reserved for system
accounts
User & Group Files:
/etc/passwd
/etc/shadow
/etc/group
/etc/passwd format:
loginID:x:UID:GID:comment:home_directory:login_shell
loginID=user name
x=placeholder for password entry which is in /etc/shadow
UID
GID
comment=usually the user's full name
home_directory=full path to user's home directory
login_shell=full path to user's shell (/bin/sh,/bin/ksh,/bin/csh,/bin/zsh,/bin/bash,
or /bin/tcsh)
Default system accounts:
FORMAT "username-UID-basic description"
root-0-superuser account with access to entire system
daemon-1-system account that controls background processing
bin-2-admin account which owns most commands
sys-3-admin account which owns many system files
adm-4-admin account which owns certain admin files
lp-71-print service account that owns the object and spooled data files for
the printer
smtp-0-smtp mailer uses SMTP to transfer a message
uucp-5-owns the object and spooled data files for the UNIX-to-UNIX copy program
(UUCP)
nuucp-6-used by remote users to log in to the host and start file transfers
listen-37-network listener account
nobody-60001-anonymous user account, used by the NFS server when an unauthenticated
root user makes a request
noaccess-60002-account assigned to a user or a process that needs access
to a system through some applications without logging into the system
nobody4-65534-SunOS 4.0 & 4.1 version of the nobody account
/etc/shadow format:
loginID:password:lastchg:min:max:warn:inactive:expire:
loginID=user name
password=13-character encrypted password; *LK* indicates a locked account,
NP means NO PASSWORD!
lastchg=number of days between 01/01/70 (1 January 1970) and the last password
modification
min=minimum number of days between password changes
max=maximum number of days password is valid before user is prompted to enter
new password at login
warn=number of days user is warned before password expires
inactive=number of inactive days allowed until user's account is locked
expire=date that user account expires
ninth field is reserved for future use
/etc/group
groupname:group-password:GID:username-list
groupname=name assigned to group - maximum eight characters
group-password=contains * or is empty field - relic from earlier versions
of UNIX. To place password in this field copy and paste password from
/etc/passwd
GID=GID
username_list=comma separated list of user names for secondary group memberships.
by default, users can belong to maximum 15 secondary groups
Creating & Managing Users and Groups from CLI:
useradd
usermod
userdel
groupadd
groupmod
groupdel
useradd [-u uid][-g gid][-G gid, gid,...][-d "directory"][-m][-s "shell path"][-c
"comment"][-k "directory"][-o][-D] loginname
-u
-g
-G
-d /export/home/username
-m Use with the -d option to make the directory; otherwise the user cannot log
in because the home directory does not exist
-s /bin/bash
-c
-o override and allows duplicate UID
-k /etc/alternateskel - to use another skel file other than default /etc/skel
-D sets defaults
loginname
usermod [-u uid][-o][-g gid][-G gid, gid,...][-d "directory"][-m][-s "shell
path"][-c "comment"][-l newloginname][-f inactive][-e expire] loginname
-m moves user's home directory to location specified in -d option
-l new user name
-f sets number of inactive days
-e sets an expiration date
userdel [-r] loginname
-r removes user home directory which must exist
locate all files owned by a user:
# find / -user UID
locate and remove all files owned by the user:
# find / -user UID -exec rm {} \;
Two types of initialization files - System-wide and User
Two main system initialization files:
Bourne and Korn shell use /etc/profile
C shell login uses /etc/.login
Both files check disk quotas, print the message of the day (/etc/motd) file,
or check for mail.
System admin can set up user initialization file in user's home directory.
Primary job is to customize user's environment. Owner of file or root can
change or customize the content of the files.
Bourne=
$HOME/.profile
Korn=
$HOME/.profile
$HOME/.kshrc
C=
$HOME/.cshrc
$HOME/.login
Root login's default shell is the Bourne shell; /sbin/sh is the entry in /etc/passwd
Shell variables:
LOGNAME
HOME
SHELL
PATH
MAIL
TERM
LPDEST
PWD
PS1 (prompt)
Setting Environment Variables in User Initialization Files:
Bourne or Korn
VARIABLE=value ; export VARIABLE
For example: PS1="$HOSTNAME ! $ " ; export PS1
Initialization File Templates:
Bourne /etc/skel/local.profile
Korn /etc/skel/local.profile
C /etc/skel/local.cshrc
/etc/skel/local.login
System admins control access to the system and secure the data on it.
pwconv command:
creates and updates the /etc/shadow file with information from the
/etc/passwd file.
pwconv relies on "x" in /etc/passwd file. If the /etc/shadow file doesn't
exist, pwconv WILL create it from /etc/passwd
If /etc/shadow exists then...
/etc/passwd entries not in /etc/shadow are added to /etc/shadow
/etc/shadow entries not in /etc/passwd are removed from /etc/shadow
SysAdmin can record failed login attempts in /var/adm/loginlog
By default /var/adm/loginlog does not exist. To enable it, root must create the
loginlog file with root RW- permissions only (read/write for root, nothing for
anyone else) and group sysadm. Failed logins are written to loginlog after 5
consecutive failed attempts.
Each entry has user's login name, terminal identifier (TTY) device,
and time of failed attempt.
Example:
# touch /var/adm/loginlog
Display list of users currently logged in to local system use
who command:
console=device used to display system boot and error messages
pts=pseudo device that represents a login or window session without a physical
device, e.g. remote logins
who command looks in the /var/adm/utmpx file
Displays users logged in on remote hosts
rusers [-l]
Display detailed information about users use
finger command:
-m=matches argument to username
finger -m username
finger -m username@remotehostname
If user creates .plan or .project file in their home directories the contents
are also displayed. Traditionally, the user would put their roles or
projects in this file. Must have permissions of 644.
Display a record of all logins and logouts with most recent on top.
last command:
last command looks in the /var/adm/wtmpx (binary)
Format:
last
last username
last reboot
su command:
su [-] username
-=specifies a complete login and uses new work environment
su command shows effective UID or EUID and effective GID or EGID.
/var/adm/sulog records su command activity as defined in /etc/default/su
whoami command:
displays switched user's EUID
who am i command:
displays original UID
Managing User Access:
/etc/default/su file controls how su attempts are logged
/etc/default/login file can be set to restrict root access
CONSOLE=/dev/console means root cannot log in except at system console
#CONSOLE=/dev/console means root can log in from anywhere
CONSOLE= means root cannot log in from anywhere, you must log into system
with another user and su to root
PASSREQ=YES Requires all users to have password NO indicates null password
is valid.
/etc/default/passwd file can be set up to enforce system-wide password aging
MAXWEEKS=maximum number of weeks that password is valid - default is no entry
MINWEEKS=minimum number of weeks that password cannot be changed by user
- default is no entry
PASSLENGTH=minimum length of valid passwords for all regular users
password aging entries in /etc/passwd override /etc/default/passwd entries
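Added example, not from the original guide: classify the root-login and password rules in /etc/default/login and /etc/default/passwd. The three CONSOLE cases (set, commented out, empty) mean three different things, which is easy to get wrong when editing by hand, so the check distinguishes them explicitly. Input is read on stdin; the sample file contents are constructed for this example.

```sh
# CONSOLE=/dev/console -> root only at the console; no active CONSOLE line
# (e.g. #CONSOLE=...) -> root from anywhere; CONSOLE= (empty) -> root must su.
root_login_policy() {
    awk '
        /^CONSOLE=/ { found = 1; val = substr($0, 9); sub(/[ \t]+$/, "", val) }
        END {
            if (!found)          print "anywhere"
            else if (val == "")  print "su-only"
            else                 print "console-only"
        }'
}

# PASSREQ=YES -> every account needs a password; PASSREQ=NO -> a null password is valid.
passreq_policy() {
    awk '
        /^PASSREQ=/ { val = toupper(substr($0, 9)); sub(/[ \t]+$/, "", val) }
        END {
            if (val == "YES")     print "password-required"
            else if (val == "NO") print "null-password-allowed"
            else                  print "PASSREQ-not-set"
        }'
}

# Which of the /etc/default/passwd aging entries carry no value (default = no entry).
passwd_aging_missing() {
    awk -F= '
        /^(MAXWEEKS|MINWEEKS|PASSLENGTH)=/ && $2 != "" { set[$1] = 1 }
        END {
            n = split("MAXWEEKS MINWEEKS PASSLENGTH", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in set)) { printf "%s%s", sep, want[i]; sep = " " }
            print ""
        }'
}

# Constructed sample file contents (not copied from a real system).
SAMPLE_LOGIN_STRICT='# sample /etc/default/login: root at console only, passwords required
CONSOLE=/dev/console
PASSREQ=YES'
SAMPLE_LOGIN_LAX='# sample: CONSOLE commented out, null passwords allowed
#CONSOLE=/dev/console
PASSREQ=NO'
SAMPLE_LOGIN_SUONLY='CONSOLE=
PASSREQ=YES'
SAMPLE_PASSWD_DEFAULTS='# sample /etc/default/passwd with no aging configured
PASSLENGTH=6'
```

Usage: `printf '%s\n' "$SAMPLE_LOGIN_LAX" | root_login_policy` prints anywhere; on a live system, `root_login_policy < /etc/default/login`.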
Restricting Access to Data:
groups command display your group memberships
groups [username]
displays the username group memberships
id [-a][username]
-a=view account information for a specific username
id command returns the UID, username, GID, and group name.
id command returns the EUID and name of current user.
Changing File & Directory Ownership with chown command:
chown [options(s)] username filename(s)
or
chown [option(s)] UID filename(s)
*Note* username and UID must exist in /etc/passwd file
# chown user1 file2
chown [-R] username filename(s)
-R=makes command recursive
# chown -R user1 dir2
chown simultaneous examples changing user and group:
chown [-R] [username]:[groupname] filename or directory name
# chown user1:tax file2
# chown -R user1:tax dir2
Changing file group ownership with chgrp command:
chgrp groupname filename(s)
chgrp GID filename(s)
# chgrp tax file2
Special File Permissions:
setuid
setgid
Sticky bit
setuid permission is set to ON an executable file, a user or process that
runs this executable file is granted access based on the owner of the file
(usually root) instead of the user who started the executable.
setuid permission displays as an "s" in the owners execute field.
-r-sr-xr-x
If a capital "S" is displayed in the owner's execute field, the setuid bit
is ON and execute bit "x" is OFF or DENIED.
-r-Sr-xr-x
Owner or root must set setuid permissions on an executable file using chmod
command and octal value 4000.
# chmod 4555 executable_filename
Unless you're an animal, don't use setuid other than the system defaults.
:-)
To find offending user files or any file with setuid permissions and display
their full path names:
# find / -perm -4000
setgid is similar to setuid except the process is changed to the group owner
of the file.
setgid permission displays as an "s" in the groups execute field.
-r-xr-sr-x
If a lowercase "l" is displayed in the group's execute field, the setgid
bit is ON and execute bit "x" is OFF or DENIED.
-r-xr-lr-x
Owner or root must set setgid permissions on an executable file using chmod
command and octal value 2000.
# chmod 2555 executable_filename
To find files with setgid permissions and display their full path names:
# find / -perm -2000
Shared Directories:
setgid is useful for setting up shared directories
To create a shared directory, you must set the setgid bit using symbolic mode:
# chmod g+s shared_directory
Sticky Bit Permissions:
Sticky bit is a special permission that protects files in a publicly writable
directory.
If Sticky bit is set only the owner of the file, owner of directory, or root
can delete the file.
If sticky bit is set to ON then a lower case “t” appears in the execute field
of other and execute bit is ON.
If sticky bit is set to ON then a capital “T” appears in the execute field
of other and execute bit is OFF or DENIED.
drwsrwxrwt
Owner or root must set sticky bit permissions on directories using the chmod
command and octal value 1000.
# chmod 1777 public_directory
To find directories with sticky bit permissions and display their full path
names:
# find / -type d -perm -1000
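Added example, not from the original guide: decode the ls -l mode strings shown in the setuid, setgid and sticky bit sections (s/S, l, t/T in the execute columns) back into the octal value chmod would take, and pick the special-permission entries out of an ls -l listing, which is the same question `find / -perm -4000` answers on a live system. The listing, paths and owners below are constructed for this example.

```sh
# Four-digit octal mode for a 10-character mode string: -r-sr-xr-x -> 4555.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2)                         # drop the file-type character
        special = 0; out = ""
        for (i = 0; i < 3; i++) {                 # owner, group, other triplets
            trip = substr(s, i * 3 + 1, 3); v = 0
            if (substr(trip, 1, 1) == "r") v += 4
            if (substr(trip, 2, 1) == "w") v += 2
            x = substr(trip, 3, 1)
            if (x == "x" || x == "s" || x == "t") v += 1       # lowercase: execute is ON
            if (i == 0 && (x == "s" || x == "S")) special += 4             # setuid
            if (i == 1 && (x == "s" || x == "S" || x == "l")) special += 2 # setgid
            if (i == 2 && (x == "t" || x == "T")) special += 1             # sticky
            out = out v
        }
        print special out
    }'
}

# Names of the special bits that are set, noting where the execute bit is OFF.
mode_special_bits() {
    printf '%s\n' "$1" | awk '{
        o = substr($0, 4, 1); g = substr($0, 7, 1); t = substr($0, 10, 1); sep = ""
        if (o == "s" || o == "S") { printf "%ssetuid%s", sep, (o == "S" ? "(exec off)" : ""); sep = "," }
        if (g == "s" || g == "S" || g == "l") { printf "%ssetgid%s", sep, (g == "s" ? "" : "(exec off)"); sep = "," }
        if (t == "t" || t == "T") { printf "%ssticky%s", sep, (t == "T" ? "(exec off)" : ""); sep = "," }
        if (sep == "") printf "none"
        print ""
    }'
}

# Constructed ls -l output (paths, owners and sizes are made up for this example).
SAMPLE_LS='-r-sr-xr-x   1 root     bin        17720 Jan  5  2000 /usr/bin/su
-rwxr-xr-x   1 root     bin        12345 Jan  5  2000 /usr/bin/ls
drwxrwxrwt   3 root     sys          512 Jan  5  2000 /tmp
-rwsr-xr-x   1 user1    staff       9999 Jan  5  2000 /export/home/user1/myprog
-rw-r--r--   1 user1    staff        120 Jan  5  2000 /export/home/user1/notes'

# Paths in the listing that carry any special bit; with $1 = "nonroot", only
# those not owned by root (the "offending user files" the guide warns about).
special_files_in_listing() {
    printf '%s\n' "$SAMPLE_LS" | while read -r mode links owner group size rest; do
        path=${rest##* }                          # last field of the line: the path
        if [ "$1" = "nonroot" ] && [ "$owner" = "root" ]; then continue; fi
        if [ "$(mode_special_bits "$mode")" != "none" ]; then printf '%s\n' "$path"; fi
    done | awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'
}
```

Note that `drwsrwxrwt`, the string shown under the sticky bit section, decodes to 5777 (setuid and sticky both on); `chmod 1777` produces `drwxrwxrwt`.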
Access Control Lists (ACLs):
When traditional permissions can't do what you want, bust out the ACLs to
gain additional control over file access permissions.
ACLs are extensions to the standard UNIX file permissions.
ACL information is stored and associated with each file or directory individually.
Commands and Options for ACLs:
getfacl filename(s)
displays ACL entries for files
setfacl options filename(s)
sets, adds, modifies, and deletes ACL entries on files
setfacl -m acl_entries
makes or modifies ACL entries on files
setfacl -s acl_entries
removes old ACL entries on files and replaces them with new ACL entries
setfacl -d acl_entries
deletes one or more ACL entries (see below)
setfacl -f acl_file
specifies an ACL configuration file containing a list of permissions to be
set on other files. acl_file is used as an argument with this command only
setfacl -r
recalculates permissions for an ACL mask
Each ACL entry consists of fields which are separated by colons.
ACL Fields:
entry-type=type of entry to set file permissions for owner, owner's group,
specific users, additional groups, or the ACL mask.
UID or GID=UID or GID
perm=permissions set for entry-type - either symbolic or octal values
Examples:
u::perm - set ACL for file owner
g::perm - set ACL for owners group
o:perm - set ACL for other instead of file owner or owners group
u:UID:perm - set ACL for specific user
u:username:perm - same as above
g:GID:perm - set ACL for specific group
g:groupname:perm - same as above
m:perm - sets ACL mask - mask indicates maximum permissions allowed for all
users and all groups except owner, root, and other. Mask is quick way to
change permissions for all the users and groups.
Examples:
# setfacl -m user:user1:6 file1
# setfacl -m m:6 file1
Determine if file has ACL entries:
Use getfacl, or ls -l: a "+" sign after the permissions indicates an ACL entry exists.
-rwxr-x-w-+
Deleting an ACL:
setfacl -d ACL_entry filename(s)
setfacl -d ACL_entry, ACL_entry filename(s)
Cannot delete ACL entries for file owner, file group owner, or other, and
ACL mask.
# setfacl -d u:user1 file1
Replace entire ACL on a file:
You must specify at least the basic set of user, group, other, and mask permissions
and file names. (mask optional because group resets mask)
command format:
setfacl -s u::perm,g::perm,o:perm,m:perm,[u:UID:perm],[g:GID:perm] filename(s)
Following example sets the file owner permissions to read and write, group
permissions to read-only, and other permissions to none on file1.
Example:
# setfacl -s user::rw,group::r,other:---,mask:rw-,user:user1:rw- file1
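Added example, not from the original guide: work out the "effective" permissions that getfacl reports once the ACL mask is applied, for an ACL written in the setfacl -s spelling used above. Named-user, named-group and owning-group entries are limited by the mask; owner, other and the mask itself are not. The helper also accepts the octal digit form (setfacl -m m:6). The ACL specs are the guide's own example and a constructed variant with a read-only mask; nothing here calls setfacl or getfacl.

```sh
# Normalise a permission field to exactly three characters: 6 -> rw-, r -> r--.
perm_to_sym() {
    printf '%s\n' "$1" | awk '
        /^[0-7]$/ { v = $0 + 0
                    s = (int(v / 4) % 2 ? "r" : "-") (int(v / 2) % 2 ? "w" : "-") (v % 2 ? "x" : "-")
                    print s; next }
        { s = (index($0, "r") ? "r" : "-") (index($0, "w") ? "w" : "-") (index($0, "x") ? "x" : "-")
          print s }'
}

# Effective permission = entry permission AND mask, position by position.
acl_effective() {
    printf '%s %s\n' "$(perm_to_sym "$1")" "$(perm_to_sym "$2")" | awk '{
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr($1, i, 1)
            out = out ((c != "-" && c == substr($2, i, 1)) ? c : "-")
        }
        print out
    }'
}

# Print each entry of a comma-separated ACL spec the way getfacl would,
# appending "#effective:" to the entries the mask limits.
acl_show() {
    spec=$1
    mask=$(printf '%s\n' "$spec" | tr ',' '\n' | awk -F: '$1 == "mask" || $1 == "m" { print $NF }')
    mask=$(perm_to_sym "${mask:-rwx}")            # no mask entry: nothing is limited
    printf '%s\n' "$spec" | tr ',' '\n' | while IFS=: read -r etype name perm; do
        case "$etype" in
            other|o|mask|m)                       # two-field entries: type:perm
                printf '%s:%s\n' "$etype" "$(perm_to_sym "$name")" ;;
            user|u)                               # user:: is the owner; user:name: is limited by the mask
                if [ -z "$name" ]; then printf 'user::%s\n' "$(perm_to_sym "$perm")"
                else printf 'user:%s:%s #effective:%s\n' "$name" "$(perm_to_sym "$perm")" "$(acl_effective "$perm" "$mask")"; fi ;;
            group|g)                              # owning group and named groups are both limited
                printf 'group:%s:%s #effective:%s\n' "$name" "$(perm_to_sym "$perm")" "$(acl_effective "$perm" "$mask")" ;;
        esac
    done
}

# The guide's example spec, and a constructed variant whose mask is read-only.
ACL_SPEC='user::rw,group::r,other:---,mask:rw-,user:user1:rw-'
ACL_SPEC_RO_MASK='user::rw,group::r,other:---,mask:r--,user:user1:rw-'
```

With ACL_SPEC_RO_MASK, user1's entry still reads rw- but the effective permission drops to r--, which is why setfacl -m m:perm is the quick way to clamp every named user and group at once.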
Managing Remote Access:
Three network files provide schemes for handling basic security issues involving
remote user access to a local host.
/etc/hosts.equiv
$HOME/.rhosts
/etc/ftpusers
When remote access is requested the /etc/passwd is consulted. If no entry,
access is DENIED.
/etc/hosts.equiv and $HOME/.rhosts files bypass this password-based authentication.
Information in those files determine if ACCESS or DENIAL is in order. /etc/hosts.equiv
applies system wide while $HOME/.rhosts applies to a user.
General format:
hostname=all users from hostname are trusted
hostname username=users listed from specified hostname are trusted
+=every remote host on the network is trusted which allows users to log in
without passwords (typically, this is a bad thing)
/etc/hosts.equiv is NOT checked if remote user is requesting access as root.
$HOME/.rhosts must exist in users home directory on target system. root .rhosts
must exist in root directory.
/etc/ftpusers
Lists names of users who are prohibited from running an FTP login
format:
username
By default, the system accounts are listed.
/etc/shells file does not exist by default
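Added example, not from the original guide: read an /etc/hosts.equiv (or a $HOME/.rhosts, same format) and say what each line trusts, counting the "+" wildcard entries the guide flags as a bad thing; then list which accounts an /etc/ftpusers file does NOT bar from FTP. Going slightly beyond the guide, a "+" in the host field is treated as a wildcard even when a user name follows it. Audit input is read on stdin; the sample file contents are constructed for this example.

```sh
hosts_equiv_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                              # comments and blank lines
        $1 == "+" { n++
                    printf "line %d: %s -> every host trusted%s\n", NR, $0,
                           ($2 == "" ? " for all users" : " for user " $2); next }
        NF == 1   { printf "line %d: %s -> all users from host %s trusted\n", NR, $0, $1; next }
                  { printf "line %d: %s -> user %s from host %s trusted\n", NR, $0, $2, $1 }
        END       { print "wildcard entries: " (n + 0) }'
}

# Just the number of wildcard lines, for scripting a check.
hosts_equiv_wildcards() {
    hosts_equiv_audit | awk -F': ' '/^wildcard entries:/ { print $2 }'
}

# $1 = ftpusers contents; remaining args = account names to test. Prints the
# names that are NOT listed and therefore may still log in over FTP.
ftpusers_not_listed() {
    list=$1; shift
    for u in "$@"; do
        if ! printf '%s\n' "$list" | grep -qx "$u"; then printf '%s\n' "$u"; fi
    done | awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# Constructed sample file contents (not from a real host).
SAMPLE_HOSTS_EQUIV='# sample /etc/hosts.equiv
devbox
buildhost user1
+
+ user2'
SAMPLE_FTPUSERS='root
daemon
bin
sys'
```

Usage: `printf '%s\n' "$SAMPLE_HOSTS_EQUIV" | hosts_equiv_audit` explains each line and ends with "wildcard entries: 2"; `ftpusers_not_listed "$SAMPLE_FTPUSERS" root bin user1` reports user1.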
Four Main File Types:
regular or ordinary files
directories
symbolic links
device files
All file types except device files store one or more types of data. Device
files provide access to device and DO NOT store data.
To identify file types use ls -l and view the leftmost character.
-=regular files
d=directories
l=symbolic links
b=block-special devices
c=character-special devices
All files make use of file names and a record called an inode. Most files
use data blocks.
File names are objects often used to access and manipulate files.
Inodes are objects the system uses to record information about a file.
Data blocks are units of disk space used to store data.
To exist, a file must have a name that is associated with an inode.
Inodes generally contain two parts:
>Information about who owns it, permissions, and size.
>Contain pointers to data blocks associated with the file.
Inodes are numbered and each file system contains its own separate pool of
inodes.
Directories store information that associates file names with inode numbers.
Directories can only hold one data type.
Directories do not contain physical files.
Directory contains entries for files of all types logically found within
that directory.
Think of the information contained in a directory as a list. Basically, [filename]=[inode
number].
Symbolic link is a file that points to another file.
Symbolic links contain one data type.
Information contained is a path name to another file.
The size of a symbolic link is always equal to the characters in the path
name.
Example: Symbolic link /bin points to ./usr/bin so /bin is 9 characters in
size.
They can have absolute or relative path names.
Symbolic links can span file systems.
ln [-s] option creates a symbolic link
Device files provide access to devices.
Device files do not use data blocks.
Their inode numbers refer to devices.
Device files display two numbers separated by a comma.
First number is major device number and second is minor device number.
Major device number identifies the specific device driver required to access
a device.
Minor device number identifies the specific unit of the type that the device
driver controls.
Device files are created automatically when you perform a reconfiguration
reboot.
devfsadm creates new device files manually; before Solaris 8, drvconfig was
used.
Device files fall into two categories.
>character-special a.k.a. character or raw devices, which use disk I/O based
on the smallest addressable unit on a disk, the sector; each sector is 512
bytes.
>block-special a.k.a. block devices, which use disk I/O based on a defined
block size; for the UNIX file system (ufs) the default block size is 8 Kbytes.
Hard link is the association between an inode and file name.
Hard link is not a separate file type.
Every type of file uses at least one hard link (between file name and its
inode)
Every entry in a directory is a hard link.
Each inode keeps count of the number of file names associated with it, this
is called a link count.
ls -l displays the link count - it's between the file permissions and owner
columns.
Hard links cannot span file systems.
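Added example, not from the original guide: show the inode, link-count and symbolic-link facts above on a real file system. It creates a scratch directory, gives one file a second name with a hard link, makes a symbolic link whose target is the 9-character relative path ./usr/bin (the guide's own example), and reads back the link count (second ls -l column), the inode numbers (ls -i) and the symbolic link's size. The scratch directory is removed afterwards and nothing depends on Solaris-specific tools.

```sh
demo_links() {
    d=$(mktemp -d) || return 1
    : > "$d/orig"                                 # ordinary file: one name, one inode
    ln "$d/orig" "$d/hard"                        # second directory entry for the same inode
    ln -s ./usr/bin "$d/sym"                      # symbolic link; the target need not exist
    count=$(ls -l "$d/orig" | awk '{ print $2 }') # link count column
    i1=$(ls -i "$d/orig" | awk '{ print $1 }')    # inode number of each name
    i2=$(ls -i "$d/hard" | awk '{ print $1 }')
    symsize=$(ls -l "$d/sym" | awk '{ print $5 }') # size of the link itself, not its target
    rm -rf "$d"
    if [ "$i1" = "$i2" ]; then same=yes; else same=no; fi
    printf 'links=%s same_inode=%s symlink_size=%s\n' "$count" "$same" "$symsize"
}
```

Usage: `demo_links` prints `links=2 same_inode=yes symlink_size=9`: two names, one inode, and a symbolic link whose size is exactly the length of its path name.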
Root subdirectories:
Logically, all directories fall below root (/)
Physically, all directories can be located on one file system or divided
among multiple file systems.
/ - Root for the overall file system
/bin - dir with symbolic link to /usr/bin dir. it is the dir location for
standard system command or binary files
/dev - primary location for logical device names. symbolic links that point
to device files in /devices dir
/devices - primary location for physical device names
/etc - host-specific sysadmin config files and databases
/export - default dir for commonly shared file systems, such as user's home
dir, client file systems, or shared file systems
/home - default dir or mount point for user's home dir
/kernel - directory of platform-independent loadable kernel modules required
as part of boot process
/mnt - temporary mount point for file systems (for convenience)
/opt - default dir or mount point for add-on application packages
/platform - dir of platform-dependent loadable kernel modules
/sbin - essential executables used in booting process and in manual system
recovery
/tmp - temporary files, CLEARED during boot process
/usr - mount point for /usr file system which is dir for programs, scripts,
and libraries used by all system users
/var - directory for varying files, which usually includes temporary, logging,
or status files
Components of a Disk:
sector - smallest addressable unit on a platter, one sector holds 512 bytes,
a.k.a. disk blocks
track - a series of sectors positioned end-to-end in a circular path
cylinder - a stack of tracks
Disk slices are groupings of cylinders commonly used to organize data by
function. a.k.a. partitions or slices
Solaris 8 supports 8 disk slices per hard disk, slice 0-7.
By convention, slice 2 represents the entire disk. Usually for backup purposes.
Disk naming convention:
eight character string which includes controller number [c], target number
[t], disk number [d], and slice number [s].
c=identifies the host bus adapter
t=target numbers 0-3, like IDE primary secondary master slave relationship.
d=disk number a.k.a. logical unit number (LUN). Reflects the number of disks
at the target. Always set to d0 for SCSI disks.
s=slice number 0-7.
All devices have 3 different types of names:
logical device - kept in /dev
physical device - kept in /devices
instance - abbreviated names assigned by the kernel for each device on the
system
Every disk has an entry in /dev/dsk (block) and /dev/rdsk (raw)
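Added example, not from the original guide: split a cXtYdZsN logical disk name into its four numbers, reject names outside the convention (the slice must be 0-7), build the matching /dev/dsk (block) and /dev/rdsk (raw) paths, and derive the slice-2 "whole disk" name from any other slice of the same disk. The device names used are constructed for this example.

```sh
# controller/target/disk/slice from a logical name, or "invalid: name".
disk_name_parse() {
    out=$(printf '%s\n' "$1" | sed -n \
        's/^c\([0-9][0-9]*\)t\([0-9][0-9]*\)d\([0-9][0-9]*\)s\([0-7]\)$/controller=\1 target=\2 disk=\3 slice=\4/p')
    if [ -n "$out" ]; then printf '%s\n' "$out"; else printf 'invalid: %s\n' "$1"; fi
}

# Block and raw device paths for a valid logical name.
disk_paths() {
    case "$(disk_name_parse "$1")" in
        invalid*) printf 'invalid: %s\n' "$1"; return 1 ;;
    esac
    printf '/dev/dsk/%s /dev/rdsk/%s\n' "$1" "$1"
}

# Slice 2 conventionally represents the entire disk.
whole_disk_name() {
    printf '%s\n' "$1" | sed 's/s[0-7]$/s2/'
}
```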
/etc/path_to_inst file is maintained by the kernel. It is read-only at boot
time.
prtconf command:
lists all instances of devices, whether attached or not
to view only attached devices execute this command:
# prtconf | grep -v not
format command:
Utility to display both logical and physical device names
reconfiguring devices:
create the /reconfigure file; this causes the system to check for newly installed
devices at the next power-on or reboot
# touch /reconfigure
Manual reconfiguration reboot with PROM level command: boot -r
devfsadm
drvconfig and other commands are hard-linked to devfsadm
devfsadm -c device_class
device_class can be disk, tape, port, audio, or pseudo
devfsadm -i driver_name
print the changes made by devfsadm
devfsadm -v
drvconfig to reconfigure the system to recognize new devices without rebooting
Disk Configurations:
special area called a disk's label or volume table of contents (VTOC)
to label a disk means to write slice info to disk
partition table which identifies a disk's slice, slice boundaries (in cylinders),
and the total size of the slices
partition table is displayed using the format command
partition boundaries must begin and end with entire cylinders
wm - writable mountable
wu - writable unmountable
rm - read-only mountable
format utility can use a file /etc/format.dat which is read when you invoke
the format utility
tag and flag are optional
Repartitioning with the modify command:
Use modify inside the format utility
Viewing Disk's VTOC:
Use verify once inside the format utility
invoke prtvtoc from CLI
Save disk's VTOC before invoking fmthard command using the prtvtoc command
Disk Based File Systems
ufs
hsfs - cd-roms
pcfs - like DOS FAT32
udfs - cd and dvd roms
Distributed File Systems
nfs
Pseudo File Systems
tmpfs
swapfs
fdfs
procfs - used by ps command
VTOC is in sector 0
bootstrap program (bootblk) is in next 15 sectors
super block in next 16 blocks - it contains # of data blocks, # of cylinders,
size of data block and fragment, description of hardware, name of mount point,
file system state [clean, stable, active, logging, or unknown]
backup super blocks - replicated on each cylinder group to protect against
catastrophic failure
Direct pointers [12]
refer directly to data blocks for a file up to 96 Kbytes
Indirect pointers [three types]
single - refers to a file system block containing pointers to data blocks. 2048
additional addresses of 8 Kbyte blocks, which can point to an additional 16
Mbytes of data
double - file system block containing single indirect pointers. Additional
32 Gbytes of data
triple - file system block containing double indirect pointers. Additional
64 Tbytes of data. Maximum file size is 1 Tbyte in a ufs
Data blocks [8 Kbytes] are broken into fragments [1 Kbyte]
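Added example, not from the original guide: derive the pointer-level figures above from two numbers. With 8 Kbyte blocks and, as an assumption made here, 4-byte block addresses, one indirect block holds 8192/4 = 2048 pointers, and each indirection level multiplies the reach by 2048. Level 0 is the 12 direct pointers; levels 1-3 are the single, double and triple indirect blocks. The 1 Tbyte maximum file size is a separate ufs limit and is not produced by this arithmetic.

```sh
UFS_BLOCK=8192          # data block size in bytes (8 Kbytes)
UFS_PTR=4               # size of one block address in bytes (assumption for this example)

ufs_ptrs_per_block() { echo $(( UFS_BLOCK / UFS_PTR )); }     # 2048

# Kbytes addressable by one pointer level: 12 * 8K for level 0, 2048^level * 8K above.
ufs_level_kbytes() {
    per=$(ufs_ptrs_per_block)
    if [ "$1" -eq 0 ]; then
        n=12
    else
        n=1; i=0
        while [ "$i" -lt "$1" ]; do n=$(( n * per )); i=$(( i + 1 )); done
    fi
    echo $(( n * UFS_BLOCK / 1024 ))
}

# The same value in the largest unit that keeps it a whole number.
ufs_level_human() {
    kb=$(ufs_level_kbytes "$1")
    for unit in Kbytes Mbytes Gbytes Tbytes; do
        if [ "$kb" -lt 1024 ]; then break; fi
        kb=$(( kb / 1024 ))
    done
    echo "$kb $unit"
}
```

Usage: `ufs_level_human 0` through `ufs_level_human 3` give 96 Kbytes, 16 Mbytes, 32 Gbytes and 64 Tbytes, the figures listed above.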
ACLs are contained in shadow inodes.
mount [options(s)] device_name mount_point
-o: file-system-specific options must be given with the [-o] option
/etc/vfstab
umount
fuser
fstyp