Intro to Linux: PHP information

It’s really common to want to review your PHP setup. The easiest way is the PHP function phpinfo(); the following will run from the command line or from a web browser:

<?php
phpinfo();
?>

Or, to see just the loaded modules:

<?php
phpinfo(INFO_MODULES);
?>

To run it from the command line, type:

php textfile_name

Since this output reveals your PHP version, configuration file paths, loaded modules and environment variables, it is a security risk; avoid running it from your web server unless the directory is secured against random visitors, and delete the file once you have what you need.

Intro to Linux: Users and groups

In another blog post I talked about how to control file permissions, but I never talked about users and groups. In Linux, users, groups and passwords are stored in plain text files. You can modify these files directly, but it’s a better idea to use the built-in commands, which lock the files while editing and keep them consistent.

User information is stored in /etc/passwd in the following format (fields separated by :):

bob:x:3002:302:Bob Bobo's account:/home/bob:/bin/bash


  1. Username: used when the user logs in. It should be between 1 and 32 characters in length.
  2. Password: an x here indicates that the encrypted (hashed) password is stored in the /etc/shadow file.
  3. User ID (UID): each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
  4. Group ID (GID): the primary group ID (the group itself is defined in the /etc/group file).
  5. User ID info: the comment field, usually the user's full name.
  6. Home directory: the absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.
  7. Command/shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell, but it does not have to be one; a value such as /sbin/nologin or /usr/sbin/nologin prevents interactive logins for service accounts.

The user's actual password is stored in /etc/shadow in the following format (an empty field means that value is not set):

bob:asdk1324E@#$Fsa:324:0:99999:7:::
 1. User name: your login name.
 2. Password: your encrypted (hashed) password.
 3. Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed.
 4. Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
 5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password).
 6. Warn: the number of days before the password expires that the user is warned that his/her password must be changed.
 7. Inactive: the number of days after the password expires that the account is disabled.
 8. Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.


The groups are stored in /etc/group (your membership in your primary group does not show up in the member list here; it comes from the GID field in /etc/passwd):

power_users:x:3009:bob,tom,bill

 1. group_name: the name of the group.
 2. Password: generally a group password is not used, so this is empty/blank (or x).
 3. Group ID (GID): each group must be assigned a numeric group ID.
 4. Group list: a list of the user names of users who are members of the group. The user names must be separated by commas.
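An added example (not from the original post) that reads the three file formats just described, using constructed sample files written to a temporary directory rather than the real /etc files. It shows what an administrator actually looks for when reviewing them: extra UID 0 accounts in passwd, empty password fields in shadow, and the full membership of a group, which has to combine the member list in /etc/group with the primary GID column in /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post. The sample files below are
# constructed for this example; nothing here reads the real /etc files.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:3002:302:Bob Bobo's account:/home/bob:/bin/bash
tom:x:3003:302:Tom Thomas:/home/tom:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$notARealHash:18000:0:99999:7:::
bob:$6$constructed$notARealHash2:18500:0:99999:7:::
tom::18500:0:99999:7:::
backup:*:18000:0:99999:7:::
toor:!:18000:0:99999:7:::
EOF

cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
users:x:302:
power_users:x:3009:bob,tom,bill
wheel:x:10:bob
EOF

# passwd fields: name:pw:uid:gid:comment:home:shell
# Print every account other than root whose UID is 0. A second uid-0 login
# is either a mistake or a backdoor and is worth investigating either way.
extra_uid0() {   # $1 = passwd-format file
    while IFS=: read -r name _pw uid _gid _comment _home _shell; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "$name"
        fi
    done < "$1"
}

# shadow fields: name:hash:lastchanged:min:max:warn:inactive:expire:reserved
# Print accounts whose hash field is empty, meaning no password is needed to
# log in. '*' and '!' mean "locked", which is normal for service accounts.
empty_passwords() {   # $1 = shadow-format file
    while IFS=: read -r name hash _rest; do
        if [ -z "$hash" ]; then
            echo "$name"
        fi
    done < "$1"
}

# Full membership of a group: the comma-separated list in the group file plus
# every user whose primary GID in the passwd file matches, since primary
# membership is not listed in /etc/group. Output is sorted, space-separated.
group_members() {   # $1 = group name, $2 = passwd file, $3 = group file
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g { print $4 }' "$3" | tr ',' '\n'
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$2"
    } | sed '/^$/d' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "uid-0 accounts besides root: $(extra_uid0 "$SAMPLE_DIR/passwd")"
echo "accounts with an empty password: $(empty_passwords "$SAMPLE_DIR/shadow")"
echo "members of users: $(group_members users "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
echo "members of power_users: $(group_members power_users "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
```

Pointing the same functions at /etc/passwd, /etc/shadow (as root) and /etc/group works unchanged; the sample files only exist so the example runs anywhere.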


So now, how do we interact with these?

To add a user, use useradd:

useradd -u 3002 -d /home/bill -m -c "Bill Thomas" -s /bin/bash -g 3002 bill
(-u uid) (-d home dir, -m to create it) (-c comment) (-s shell) (-g primary group, which must already exist)

To delete a user:

userdel username

This will not delete their home directory; you have to remove it manually (or pass -r to userdel to remove it along with the account).

To add a group:

groupadd -g 4021 name
(-g group id) 

To delete a group:

groupdel name_or_gid

To set a user's primary group (when you create a file it will be group-owned by your primary group):

usermod -g group_name_or_gid username

To add a user to a group as a secondary group (the user gets the group's permissions but does not create files as this group):

usermod -aG group_name_or_gid username
(-a appends; without it, -G replaces the user's existing secondary groups with the one you list)


To set your new user's password, just type the following:

passwd username
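The procedure above (groups, user, secondary group, password) as a single script. This is an added example, not the post's own code, and the names bill, users and power_users are made up for it. It uses -g for the primary group and -aG for the secondary group, checks with getent before creating anything so it can be re-run safely, and routes the privileged commands through a helper that only prints them when DRY_RUN=1, which is also how it can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post. Names are made up.
DRY_RUN=${DRY_RUN:-0}

run() {   # execute "$@", or just show it when DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# $1 login name, $2 uid, $3 primary group, $4 secondary group, $5 comment
provision_user() {
    # groups first: useradd -g fails if the primary group does not exist yet
    getent group "$3" >/dev/null 2>&1 || run groupadd "$3"
    getent group "$4" >/dev/null 2>&1 || run groupadd "$4"
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "user $1 already exists, skipping useradd" >&2
    else
        run useradd -u "$2" -d "/home/$1" -m -c "$5" -s /bin/bash -g "$3" "$1"
    fi
    # -a matters: a bare -G replaces every secondary group the user already has
    run usermod -aG "$4" "$1"
    # set the password interactively afterwards; never hard-code it in a script
    run passwd "$1"
}

# What the system actually records for an existing account, via id.
primary_group_of() { id -gn "$1"; }
secondary_groups_of() {
    prim=$(id -gn "$1")
    id -Gn "$1" | tr ' ' '\n' | grep -vx "$prim" | tr '\n' ' ' | sed 's/ $//'
}

DRY_RUN=1 provision_user bill 3004 users power_users "Bill Thomas"
echo "root's primary group: $(primary_group_of root)"
echo "root's secondary groups: $(secondary_groups_of root)"
```

Run it as root with DRY_RUN unset (or 0) to actually create the account; afterwards id bill should list users as the primary group and power_users among the secondary ones.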


	

Intro to Linux: Securing Root

As most of you are aware, on a Linux system root is the administrative account. It’s also the one account that exists on nearly every Linux system, so attackers know its name in advance. It is critical that you protect root’s password and login. Once someone has root they can do anything on your system. One of the most common methods for protecting root is to not allow anyone to log in directly as root via anything but the console. This stops brute force attackers from ever getting in as root directly. This is done by adding the following line to your sshd_config (usually /etc/ssh/sshd_config) and restarting ssh.

PermitRootLogin no

Then restart sshd to pick up the changes:

/etc/init.d/sshd restart
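An added example (not from the original post) for checking which PermitRootLogin value a config file actually sets. sshd uses the first uncommented occurrence of a keyword, so appending PermitRootLogin no to the bottom of a file that already says PermitRootLogin yes higher up changes nothing. The function below applies the same first-match rule, ignores comments, treats keywords case-insensitively, accepts the keyword=value spelling and stops at the first Match block (whose settings are conditional). The config files are constructed for the example and written to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sshd_config files
# are written to a temp dir; nothing here reads the real /etc/ssh/sshd_config.
TMP=$(mktemp -d)

# hardening line appended at the bottom: the earlier "yes" still wins
CFG_BAD="$TMP/sshd_config.bad"
cat > "$CFG_BAD" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by someone following the post:
PermitRootLogin no
EOF

# the line placed before any other setting, with a conditional Match block after it
CFG_GOOD="$TMP/sshd_config.good"
cat > "$CFG_GOOD" <<'EOF'
PermitRootLogin no
Port 22
Match User deploy
    PermitRootLogin yes
EOF

# only a commented-out line: sshd's built-in default applies
CFG_COMMENTED="$TMP/sshd_config.commented"
cat > "$CFG_COMMENTED" <<'EOF'
#PermitRootLogin no
Port 22
EOF

# the keyword=value spelling that sshd also accepts
CFG_EQUALS="$TMP/sshd_config.equals"
printf 'port 22\npermitrootlogin=no\n' > "$CFG_EQUALS"

# Print the global PermitRootLogin value a file sets, or "unset" if none.
effective_permit_root_login() {   # $1 = path to an sshd_config file
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/[ \t]*=[ \t]*/, " ", line)    # allow the keyword=value form
            split(line, f, "[ \t]+")
            key = tolower(f[1])                 # keywords are case-insensitive
        }
        key == "match" { in_match = 1; next }   # everything after Match is conditional
        key == "permitrootlogin" && !in_match { print f[2]; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when root login over ssh is explicitly switched off.
check_root_login_disabled() {   # $1 = config file
    v=$(effective_permit_root_login "$1")
    echo "$1: PermitRootLogin is $v"
    [ "$v" = no ]
}

for cfg in "$CFG_BAD" "$CFG_GOOD" "$CFG_COMMENTED" "$CFG_EQUALS"; do
    check_root_login_disabled "$cfg" || echo "  -> root login not explicitly disabled in $cfg"
done
```

On the server itself, sshd -T (run as root) prints the effective configuration and is the authoritative check; sshd -t validates the file syntax before you restart the daemon.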

This alone takes huge strides towards protecting your Linux system. People then have to log in with normal user accounts and switch to root. This switch is done in two ways, sudo and su, and both can be protected. Sudo stands for "super user do" and is a great way to give people some root access without giving away the whole account. For example, you can use sudo to let a user run /etc/init.d/httpd as root but nothing more. It can also be used to become root without knowing root’s password, which is great for temporary root needs. It is recommended that you use the program visudo to edit sudo access (which is stored in /etc/sudoers), since it checks the syntax before saving and a broken sudoers file can lock everyone out of sudo.

So, as root, run:

visudo

To give a user access to root and all commands add this line:

username  ALL=(ALL)    ALL

You can also use it to provide access to another shared user account (for example, if I want a user to be able to become mysql without knowing the password):


username ALL = (root) /bin/su - mysql

Of course, if they know the password for mysql they can just type:

su - mysql

If you want them to be able to execute a single command as the mysql user, use a line like the following:

username ALL = (mysql) /etc/scripts/command_to_run_as_mysql

Every command granted this way has to be run as "sudo command". sudo also supports groups of commands (a Cmnd_Alias) and user groups (%groupname) for granting access, giving you the full flexibility of users and groups.

Once we have locked users down to using sudo, we can remove their ability to change to root using su - (most people skip this step, and depending on your environment it may not be appropriate). You can control who can execute the su command by using file permissions. First make sure you are already root 🙂 Then find the location of the su command using which:

which su

Now change the permissions on su so that only the owner and group can execute it. Keep the setuid bit (the leading 4): su needs it in order to run as root, and a plain 770 would strip it and break su for everyone but root.

chmod 4750 "$(which su)"

Now create a group allowing access to use su (wheel is a group name commonly used for this purpose):

groupadd wheel

Now add existing users to wheel with the following command (useradd creates a new account; usermod changes an existing one, and -a appends the group instead of replacing the user's other secondary groups):

usermod -aG wheel username

Now only root and users in the wheel group can execute su, further protecting it.
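The su lockdown above as one script, added here as an example and not part of the original post. It goes one step beyond the text in two places: the binary's group is changed to the wheel group (otherwise the group permission bits still refer to root's own group and nobody else can run su at all), and the mode keeps the setuid bit, 4750 rather than 770, since su has to run as root to switch users. lock_su must be run as root; su_lock_status only reads the file's mode and group, can be run by anyone, and assumes GNU stat's -c option as found on most Linux distributions.

```shell
#!/bin/sh
# Added example, not from the original post. lock_su must run as root;
# su_lock_status only reads the file and works as any user (GNU stat -c).
lock_su() {   # $1 = group allowed to run su (default wheel)
    grp=${1:-wheel}
    su_path=$(command -v su) || { echo "su not found" >&2; return 1; }
    getent group "$grp" >/dev/null 2>&1 || groupadd "$grp"
    chgrp "$grp" "$su_path"    # the group bits must refer to wheel, not root's group
    chmod 4750 "$su_path"      # rwsr-x---: root and wheel only, setuid kept
}

# Print "ok" when the binary is rwsr-x--- and owned by the expected group;
# otherwise print what is wrong and return 1.
su_lock_status() {   # $1 = path to su, $2 = expected group
    mode=$(stat -c '%a' "$1") || return 1
    group=$(stat -c '%G' "$1") || return 1
    case "$mode" in
        4750) ;;
        4???|6???) echo "mode $mode differs from 4750: check the group and other bits"; return 1 ;;
        *)         echo "mode $mode has no setuid bit: su cannot switch users"; return 1 ;;
    esac
    if [ "$group" != "$2" ]; then
        echo "group is $group, expected $2"; return 1
    fi
    echo ok
}

# Report on the real su binary if there is one (a stock install is 4755,
# i.e. executable by everyone, which is exactly what the lockdown changes).
if su_path=$(command -v su); then
    echo "status of $su_path: $(su_lock_status "$su_path" wheel || true)"
fi
```

After running lock_su as root, su_lock_status "$(command -v su)" wheel should print ok; any other output names the bit or group that is still wrong.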


Brocade Fiber Switches Clear stats

Well, time to gather stats and clear them again. Log into your Brocade switch via ssh and type the following commands:

portStatsClear
portLogClear

To see the stats you can run:

portErrShow
portLogShow

I will be posting more on switches in the near future…

Intro to Linux: tar

Tar stands for tape archive. It’s an old Unix way of collecting lots of files into a single file for transport or storage on a tape drive. Later authors combined gzip with tar to compress on the fly.

So to open (extract) a tar.gz, use the following command:

tar xzvf filename.tar.gz

To open a tar:

tar xvf filename.tar

To create a tar file:

tar cvf filename.tar files_or_directory_to_add

To create a tar.gz:

tar czvf filename.tar.gz files_or_directory_to_add

More information on tar can be found with:

man tar

Intro to Linux: Basic Commands

Now that you have logged into your server via ssh, you’re all ready to navigate around the command line. You start out in your home directory. This is a location for you to store all your personal files, and you have full permission to create directories and files here. In Linux most users do not have permission to create files and directories everywhere. One user, known as root, has full permissions. We will get to root later.

To see your present working directory, use the pwd command:

pwd

/home/username

Notice that in Linux, path components are separated with a / instead of the Windows \. Different directories can be on different partitions or hard drives, but they all have a path that starts with /. You can see the partition or hard drive layout with df -h (df is "disk free"; -h prints human-readable sizes):

df -h

If you wish to change directories, use the cd command:

cd /location

or cd .. to go up one level to the parent directory, or cd . to stay right where you are.

One important command is man; it stands for manual, and you can find detailed information on any command using it, for example:

man df

will tell you all about df.

Intro to Linux: SSH

I have a good friend who is just starting on Linux so I have chosen to write a series of posts for people new to linux to help them find their way around.  If you have any requests send me an email.

We will start with ssh. SSH stands for secure shell and is a method for getting a command line console on Linux. SSH normally operates on port 22 and is encrypted, making it a good way to provide secure connections. Out of the box it supports two types of authentication: password and public key. With public key authentication you generate a key pair in advance and place the public half on the server. SSH can be configured to accept one or both of these methods. The most secure is public key, because the length of the keys makes it practically impossible to brute force your way into an account.

The easiest way to log in via ssh from Windows is using PuTTY, which is free and tiny; you can download it from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

If you need to copy files up to a server over ssh, try WinSCP:

http://winscp.net/eng/download.php

So once you get the application, you put in your server IP or name and you’re good to go!