test -f /etc/adjtime || echo "0.0 0 0.0" > /etc/adjtime
clock -a
echo "System time: $(date)"
Remark: under most Linux distributions (Slackware, RedHat, Debian) you can add this to the /etc/rc.d/rc.local file for this purpose. Other places where such settings live:
/etc/ENVIRONMENT (unifix)
/etc/profile* (suse, unifix)
/etc/login.defs (suse, unifix)
Please see the questions regarding Windows sharing.
Add:
alias ls='ls --color'
to your $HOME/.bashrc file.
However, this may cause some weird behavior if stdout is not a tty (say
you redirect your streams or something). To fix this you will want to
use alias ls='ls --color=tty' instead.
NOTE: this will work if you use bash as your login shell. Please see your shell manual for aliasing in other cases.
There are some ways to do it. :-) The easiest way is to shut down your machine, boot it into shell and change root's password:
To boot into shell:
boot: Linux init=/bin/sh
To change root's password:
bash# mount -o remount / -rw
bash# passwd root
Important: while this method works on Linux, the correct way of doing
such things on most Unices is to boot the machine into single user mode.
Note: you need to mount the root partition in read/write mode so that
you can modify it.
Alternately, you may log in as a different user and try to hack your
machine. :-)
Problems: you may get ``Unable to lock passwd file'' while trying to do
this. This is usually caused by a stale lock file in /etc (usually
passwd.lock or similar).
You may boot your machine into single user mode by passing ``single'' parameter to a boot image:
boot: linux single
If your system is already booted, and you wish to "drop down" to single user mode, you'd switch to runlevel 1. To switch to a specific run level, pass the run level number as a parameter to the 'init' command. So, single user mode would be:
init 1
See the question below. Also see Masquerade script in Frequently Asked Scripts section.
Linux is the perfect answer for networking questions like this. IP masquerading support is built right into the Linux kernel. The procedures used to accomplish this, while not overly difficult, are beyond the scope of this FAQ. There are several online resources devoted to this topic, including the ``IP Masquerade Resource'' at http://ipmasq.home.ml.org. For a list of applications which run through IP masquerading, please see ``Masq Apps'' at http://dijon.nais.com/~nevo/masq/.
Alternatively, you can use ipchains which are much more flexible. They are built into the kernel from 2.1.102 onwards, and there is also a patch for 2.0.33. The ipchains home page is at : http://www.rustcorp.com/linux/ipchains/
Install SAMBA. Take a look at the SMB-HOWTO or look at http://samba.anu.edu.au. For printer setup also take a look at the Printing-HOWTO.
Just edit your /etc/conf.modules and add
alias module XXXXX-XX off
PS: If you have neither /etc/modules.conf nor /etc/conf.modules you should create one.
The usual reason for connection delays is the reverse DNS lookup. If the
in-addr.arpa domain has been delegated to a DNS server which can't be
reached, telnetd/ftpd will wait for the lookup to time out (it usually
takes 155 seconds). To fix this, either configure reverse DNS (even a
fake one or a local secondary will be OK), or add the hosts you are
connecting from to the /etc/hosts file.
Another reason for such a delay is the ident lookup. If the remote service is performing an ident lookup on your site, and your firewall is blocking port 113, it may cause the same sort of delay.
Add the following to /etc/rc.d/rc.local
cd /path/to/program
su <username> -c <command>
cd
Example: The following will start ``talker'' as a process owned by ``bob'':
cd /home/bob
su bob -c ./talker
cd
You may change the login shell to /dev/null for those users who you don't
want to be able to telnet to your box (add /dev/null to /etc/shells if
you still want them to be able to use ftp).
Alternatively, you could write a script of your own which does whatever
you want (log logon attempts, display messages, etc.) and exits, and set it
as the user's shell.
To stop a user from being able to ftp to your machine, you could either remove
his shell from /etc/shells, or just add his username to /etc/ftpusers.
You should also look into TCP Wrappers: ftp://ftp.win.tue.nl/pub/security/index.html.
There is also something called a UserLevel firewall (ULF).
Windows drives mounted as type ``vfat'' rather than ``msdos'' will let you
access the long file names on the drive. You must change the ``msdos'' type
that is listed in the /etc/fstab file to be type ``vfat''. In order
for vfat to be loaded automatically, proc must precede the drives in the
/etc/fstab file. Note that NTFS and FAT32 support is still in beta,
so only FAT16 drives may be mounted by a 2.0.x kernel.
Before:
/dev/hdc1 / ext2 defaults 1 1
/dev/hda1 /c msdos defaults 0 0
/dev/hdc2 swap swap defaults 0 0
/dev/fd0 /mnt/floppy ext2 noauto 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,ro 0 0
none /proc proc defaults 0 0
After:
none /proc proc defaults 0 0
/dev/hdc1 / ext2 defaults 1 1
/dev/hda1 /c vfat defaults 0 0
/dev/hdc2 swap swap defaults 0 0
/dev/fd0 /mnt/floppy ext2 noauto 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,ro 0 0
PS: Win95 Rev B and Win98 (but not NT4) can optionally use ``FAT32'', which is a different file system. To mount these, you must have FAT32 support compiled into your kernel (kernel patches available). It has also been said that this method works only if the Win95 drives are formatted FAT16. To support FAT32 for kernels 2.0.33 and earlier, you should use the patch. Kernel 2.0.34 probably supports vfat32.
Information related to ``vfat32'' can be obtained at http://bmrc.berkeley.edu/people/chaffee/fat32.html
These tools do not come with any distribution. However, you can use a third party program, and there are two good options: clobberd and idled. Both are very customizable and allow control of parameters such as the timeout (idle) time for a user (or a group). Both are available from Linux archives such as http://metalab.unc.edu
In some Unix systems, including certain distributions of Linux, the encrypted password is stored in the file /etc/passwd, which any user can (and must be able to) read. In a shadow-password system, the encrypted password is removed from /etc/passwd, and stored in /etc/shadow, which only root can read. This makes life that much harder for any would-be password crackers.
They can press ctrl-alt-del and turn off the computer once the computer has cycled back to the Power On Self Test (POST).
NOTE: Make sure that your distribution has the following in
/etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
While most distributions have it by default, this is worth checking anyway.
No. Username length is not configurable. Under libc-5, the utmp and wtmp files only allow 8 characters for a username. Under libc-6, this is increased to 32 characters.
You can use usernames longer than this limit. However, the utmp/wtmp entries will be truncated, and so won't correspond to a valid username. This doesn't matter for most things.
Use ulimit for this purpose. All processes which are started
from the shell (bash in this case) will have the same limits. See the
bash manual page for more info.
To set the limits for daemons which are started at boot time, add the ulimit
command to the boot scripts.
NOTE: sh and csh have the limit command for this purpose.
Add *.* /dev/console to /etc/syslog.conf (or specify what kind of messages
you want to be sent there), and do not forget to killall -HUP
syslogd. Alternatively you can redirect all messages to one
of your virtual consoles (VC); in this case you will need to use /dev/ttyXX instead.
Yes, there is.
Grab a current copy of quota tools from ftp://ftp.cistron.nl/pub/people/mvw/quota , an additional program called setquota is contained which lets you set user or group quotas from the command prompt.
Alternatively, you can make do with what you've got: use "edquota -p fromuser touser" to copy quota settings from one user to another.
Take a look at ftp://ftp.ceti.com.pl/pub/linux/poppassd-1.8-ceti.tar.gz
It uses PAM for changing the password, so it doesn't care about accessing the password database directly. On the same site there is a PERL CGI script which is poppassd interface for WWW.
There are two kinds of policies you can set using this file:
This policy is less secure but easier to set up. All you need here is to add proper entries for each service/host you want to deny:
SERVICE: badhost1 badhost2
to the /etc/hosts.deny file and add
ALL:ALL
to /etc/hosts.allow.
Note: for either field you may use the keyword ALL, and for host
entries asterisks (*) can be used (see the hosts.allow(5)/hosts.deny(5)
manual pages for detailed syntax and examples).
This policy is more secure, since you open only the services, and only for the hosts, you want to, but this kind of policy is harder to set up, since you will need to point out CORRECTLY which services you want. :-)
However, you go about it the same way as pointed out above:
Add
ALL:ALL
to /etc/hosts.deny and then point out explicitly which services you
want to allow.
NOTE: You may use IP addresses/netmasks in the hostname field, as well as hostnames of remote hosts, but if you use hostnames they must resolve correctly, and be aware of DNS spoofing.
/tmp cleanup on boot (or through cron)?
If it's a multi-user system, you do have to worry about people playing
symlink games in /tmp; a simple-minded `rm -rf /tmp/*' or a
`find /tmp ... -exec rm' or similar can be made to delete any file
on the system.
On a multi-user system things like this can be very dangerous, since with symlinks a user can arrange for vital files (logs, files under /etc, etc.) to be removed. Telling the find command not to follow symlinks will not help. Between the time that `rm -r' or `find' determines whether a directory is a symlink, and the time that the deletion occurs, a user could have moved the directory and replaced it with a symlink. E.g.
/tmp/foo/a/a/a/a/a/a/a/a/a/a/a/syslog
/tmp/bar/a/a/a/a/a/a/a/a/a/a/a -> /var/log
mv /tmp/foo /tmp/foo2
mv /tmp/bar /tmp/foo
resulting in:
/tmp/foo/a/a/a/a/a/a/a/a/a/a/a -> /var/log
unlink("/tmp/foo/a/a/a/a/a/a/a/a/a/a/a/syslog");
(find doesn't know about /tmp/foo being switched)
A secure /tmp cleaner needs to cd into each directory, and unlink the files from the current directory. This is what `rm -rf' does, however there is another race condition (although the `find' exploit is easier, as you can force a large delay between starting to descend into a directory and executing the `rm' command).
The problem with `rm -rf' is that it does a readdir() to get the filename, an lstat() to find out if it's a directory, then a chdir() to change into the directory.
If the cracker can switch a directory with a symlink between the lstat() and the chdir(), the chdir() will follow the symlink to any directory on the system, and proceed to delete its contents recursively.
Whilst the timing window is shorter than for the find exploit, that doesn't really matter as you can have as many goes as you like, until you succeed.
So, the other required step for a secure /tmp cleaner is that it has to lstat() the parent directory (`..') after the chdir(), to make sure that it really changed to a subdirectory, instead of following a symlink.
However, it has been pointed out (by Nicholas Leon, IIRC) that there is a simple alternative:
This will recursively delete everything in /tmp, without any possibility of jumping out of /tmp via symlinks.
All in all, world-writable directories are BAD NEWS. Avoid them wherever possible.
/var/spool/mail doesn't need to be world writable (unless you absolutely have to use a broken mail client which requires this), nor does /usr/tmp/.pop.
Setting TMPDIR (e.g. to /.tmp) will cause many programs to use the specified directory instead of /tmp, reducing the risk that you will overwrite some file due to a carefully placed symlink.
Avoid creating files in /tmp in shell scripts, particularly ones which will be run as root.
See section Frequently Asked Scripts for a script suggested by Jim Dennis (jimd@starshine.org).
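The lstat("..") check described above, written out as an added C example; it is not part of this FAQ or of any script it refers to. The function name safe_enter() and the scratch-directory fixture demo() are assumed names, and the fixture's "real"/"trap" entries are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter subdirectory `name` of the current directory, then verify with
 * lstat("..") that the parent is still the directory we started in.  If a
 * symlink was swapped in between the caller's lstat() and our chdir(),
 * ".." now belongs to some other directory (e.g. /var), so we back out
 * with fchdir() and return -1.  Returns 0 only when we really are in a
 * subdirectory of where we started. */
int safe_enter(const char *name)
{
    struct stat start, parent;
    int here = open(".", O_RDONLY);
    if (here < 0 || fstat(here, &start) < 0 || chdir(name) < 0) {
        if (here >= 0) close(here);
        return -1;
    }
    if (lstat("..", &parent) < 0 ||
        parent.st_dev != start.st_dev || parent.st_ino != start.st_ino) {
        fchdir(here);               /* we followed a symlink: go back */
        close(here);
        return -1;
    }
    close(here);
    return 0;
}

/* Constructed fixture (assumed name, not from the FAQ): a scratch directory
 * holding a real subdirectory "real" and a symlink "trap" -> "/", i.e. the
 * swapped-in link from the example above.  Returns 0 when safe_enter()
 * accepts "real" and refuses "trap". */
int demo(void)
{
    char tmpl[] = "/tmp/tmpclean-XXXXXX", local[] = "tmpclean-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) base = mkdtemp(local);   /* fall back to the working dir */
    int saved = open(".", O_RDONLY);
    if (!base || saved < 0 || chdir(base) < 0) return -1;
    mkdir("real", 0700);
    symlink("/", "trap");
    int real_ok = safe_enter("real");   /* 0: genuine subdirectory */
    if (real_ok == 0) chdir("..");
    int trap_ok = safe_enter("trap");   /* -1: ".." is "/", not base */
    unlink("trap"); rmdir("real");
    fchdir(saved); close(saved); rmdir(base);
    return (real_ok == 0 && trap_ok == -1) ? 0 : 1;
}
```

A cleaner built on this still has to unlink entries relative to the current directory (never by full path), as the text says; the check only guarantees that the descent never left the directory it started in.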
A good resource for startup is available at http://metalab.unc.edu/pub/Linux/docs/HOWTO/mini/Quota.