A Practical Guide To Ubuntu Linux (3rd Edition) Mark G. Sobell

A PRACTICAL GUIDE TO UBUNTU LINUX
THIRD EDITION

MARK G. SOBELL

PRENTICE HALL

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where
those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed
with initial capital letters or in all capitals.
Ubuntu® is a trademark of Canonical Ltd and is used under license from Canonical Ltd. Points of view or opinions in this
publication do not necessarily represent the policies or positions of Canonical Ltd or imply affiliation with Ubuntu,
www.ubuntu.com.
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any
kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in
connection with or arising out of the use of the information or programs contained herein.
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may
include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and
branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com
For sales outside the United States, please contact:
International Sales
international@pearsoned.com
Visit us on the Web: informit.com/ph

Library of Congress Cataloging-in-Publication Data

Sobell, Mark G.
A practical guide to Ubuntu Linux / Mark G. Sobell. — 3rd ed.
p. cm.
Includes index.
ISBN 978-0-13-254248-7 (pbk. : alk. paper)
1. Ubuntu (Electronic resource) 2. Linux. 3. Operating systems (Computers) I. Title.
QA76.76.O63 S59497 2010
005.4'32—dc22
2010024353
Copyright © 2011 Mark G. Sobell
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must
be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any
form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions,
write to:
Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax: (617) 671-3447
ISBN-13: 978-0-13-254248-7
ISBN-10: 0-13-254248-X

Printed in the United States of America on recycled paper at Edwards Brothers in Ann Arbor, Michigan.
First printing, August 2010

CONTENTS
LIST OF JUMPSTARTS xxxvii
PREFACE xxxix

CHAPTER 1: WELCOME TO LINUX 1
Ubuntu Linux 2
The History of UNIX and GNU-Linux 3
The Heritage of Linux: UNIX 3
Fade to 1983 4
Next Scene, 1991 5
The Code Is Free 5
Have Fun! 6
What Is So Good About Linux? 6
Why Linux Is Popular with Hardware Companies and Developers 10
Linux Is Portable 10
The C Programming Language 11
Overview of Linux 12
Linux Has a Kernel Programming Interface 12
Linux Can Support Many Users 13
Linux Can Run Many Tasks 13
Linux Provides a Secure Hierarchical Filesystem 13
The Shell: Command Interpreter and Programming Language 14
A Large Collection of Useful Utilities 16
Interprocess Communication 16
System Administration 17
Additional Features of Linux 17
GUIs: Graphical User Interfaces 17
(Inter)Networking Utilities 18
Software Development 19
Conventions Used in This Book 19
Chapter Summary 21
Exercises 22

PART I INSTALLING UBUNTU LINUX 23

CHAPTER 2: INSTALLATION OVERVIEW 25
The Live/Install Desktop CD and the Live/Install DVD 26
More Information 26
Planning the Installation 27
Considerations 27
Requirements 27
Processor Architecture 29
Interfaces: Installer and Installed System 30
Ubuntu Releases 31
Ubuntu Editions 32
Installing a Fresh Copy or Upgrading an Existing Ubuntu System? 32
Setting Up the Hard Disk 33
RAID 40
LVM: Logical Volume Manager 41
The Installation Process 42
Downloading and Burning a CD/DVD 43
The Easy Way to Download a CD ISO Image File 43
Other Ways to Download a CD/DVD ISO Image File 44
Verifying an ISO Image File 46
Burning the CD/DVD 47
Gathering Information About the System 47
Chapter Summary 49
Exercises 49
Advanced Exercises 49

CHAPTER 3: STEP-BY-STEP INSTALLATION 51
Booting from a Live/Install Desktop CD or a Live/Install DVD 52
Live Session 52
Basic Instructions 53
Detailed Instructions 53
The Live/Install DVD 55
The Live/Install Desktop CD 56
The Welcome Screen 57
ubiquity: Installing Ubuntu Graphically 57
Graphical Partition Editors 63
gparted: The GNOME Partition Editor 64
palimpsest: The GNOME Disk Utility 66
ubiquity: Setting Up Partitions 70
Upgrading to a New Release 74
Installing KDE 75
Setting Up a Dual-Boot System 76
Creating Free Space on a Windows System 76
Installing Ubuntu Linux as the Second Operating System 77
Advanced Installation 77
The Disk Menu Screens 78
The Ubuntu Textual Installer 85
Chapter Summary 93
Exercises 94
Advanced Exercises 94

PART II GETTING STARTED WITH UBUNTU LINUX 95

CHAPTER 4: INTRODUCTION TO UBUNTU LINUX 97
Curbing Your Power: root Privileges/sudo 98
A Tour of the Ubuntu Desktop 99
Logging In on the System 100
Introduction 100
Launching Programs from the Desktop 102
Switching Workspaces 104
Setting Personal Preferences 104
Mouse Preferences 105
Working with Windows 106
Using Nautilus to Work with Files 107
The Update Manager 112
Changing Appearance (Themes) 113
Session Management 116
Getting Help 116
Feel Free to Experiment 116
Logging Out 117
Getting the Most Out of the Desktop 117
GNOME Desktop Terminology 117
Opening Files 118
Panels 118
The Main Menu 122
Windows 123
The Object Context Menu 126

Updating, Installing, and Removing Software Packages 131
Software Sources Window 131
The Ubuntu Software Center 132
synaptic: Finds, Installs, and Removes Software 133
Where to Find Documentation 136
Ubuntu Help Center 136
man: Displays the System Manual 136
apropos: Searches for a Keyword 139
info: Displays Information About Utilities 139
The --help Option 142
HOWTOs: Finding Out How Things Work 142
Getting Help 143
More About Logging In 144
The Login Screen 145
What to Do If You Cannot Log In 146
Logging In Remotely: Terminal Emulators, ssh, and Dial-Up Connections 147
Logging In from a Terminal (Emulator) 147
Changing Your Password 148
Using Virtual Consoles 149
Working from the Command Line 150
Correcting Mistakes 150
Repeating/Editing Command Lines 152
Controlling Windows: Advanced Operations 153
Changing the Input Focus 153
Changing the Resolution of the Display 154
The Window Manager 155
Chapter Summary 156
Exercises 157
Advanced Exercises 158

CHAPTER 5: THE LINUX UTILITIES 159
Special Characters 160
Basic Utilities 161
ls: Lists the Names of Files 161
cat: Displays a Text File 162
rm: Deletes a File 162
less Is more: Display a Text File One Screen at a Time 162
hostname: Displays the System Name 163
Working with Files 163
cp: Copies a File 163
mv: Changes the Name of a File 164
lpr: Prints a File 165
grep: Searches for a String 166
head: Displays the Beginning of a File 166
tail: Displays the End of a File 167
sort: Displays a File in Order 168
uniq: Removes Duplicate Lines from a File 168
diff: Compares Two Files 168
file: Identifies the Contents of a File 170
| (Pipe): Communicates Between Processes 170
Four More Utilities 171
echo: Displays Text 171
date: Displays the Time and Date 172
script: Records a Shell Session 172
todos: Converts Linux and Macintosh Files to Windows Format 173
Compressing and Archiving Files 174
bzip2: Compresses a File 174
bunzip2 and bzcat: Decompress a File 175
gzip: Compresses a File 175
tar: Packs and Unpacks Archives 176
Locating Commands 178
which and whereis: Locate a Utility 178
mlocate: Searches for a File 180
Obtaining User and System Information 180
who: Lists Users on the System 180
finger: Lists Users on the System 181
w: Lists Users on the System 183
Communicating with Other Users 184
write: Sends a Message 184
mesg: Denies or Accepts Messages 185
Email 185
Tutorial: Using vim to Create and Edit a File 186
Starting vim 186
Command and Input Modes 188
Entering Text 189
Getting Help 190
Ending the Editing Session 193
The compatible Parameter 193
Chapter Summary 193
Exercises 196
Advanced Exercises 197

CHAPTER 6: THE LINUX FILESYSTEM 199
The Hierarchical Filesystem 200
Directory Files and Ordinary Files 200
Filenames 201
The Working Directory 204
Your Home Directory 204

Pathnames 205
Absolute Pathnames 205
Relative Pathnames 206
Working with Directories 207
mkdir: Creates a Directory 208
cd: Changes to Another Working Directory 209
rmdir: Deletes a Directory 210
Using Pathnames 211
mv, cp: Move or Copy Files 212
mv: Moves a Directory 212
Important Standard Directories and Files 213
Access Permissions 215
ls -l: Displays Permissions 215
chmod: Changes Access Permissions 216
Setuid and Setgid Permissions 218
Directory Access Permissions 220
ACLs: Access Control Lists 221
Enabling ACLs 222
Working with Access Rules 222
Setting Default Rules for a Directory 225
Links 226
Hard Links 228
Symbolic Links 230
rm: Removes a Link 232
Chapter Summary 232
Exercises 234
Advanced Exercises 236

CHAPTER 7: THE SHELL 237
The Command Line 238
Syntax 238
Processing the Command Line 240
Executing the Command Line 243
Editing the Command Line 243
Standard Input and Standard Output 243
The Screen as a File 244
The Keyboard and Screen as Standard Input and Standard Output 244
Redirection 245
Pipes 251
Running a Command in the Background 254
Filename Generation/Pathname Expansion 256
The ? Special Character 256
The * Special Character 257
The [ ] Special Characters 259
Builtins 261
Chapter Summary 261
Utilities and Builtins Introduced in This Chapter 262
Exercises 262
Advanced Exercises 264

PART III DIGGING INTO UBUNTU LINUX 265

CHAPTER 8: LINUX GUIs: X AND GNOME 267
X Window System 268
Using X 270
Desktop Environments/Managers 275
The Nautilus File Browser Window 276
The View Pane 277
The Side Pane 277
Control Bars 278
Menubar 279
The Nautilus Spatial View 282
GNOME Utilities 284
Font Preferences 284
Pick a Font Window 284
Pick a Color Window 285
Run Application Window 286
Searching for Files 286
GNOME Terminal Emulator/Shell 287
Chapter Summary 288
Exercises 289
Advanced Exercises 289

CHAPTER 9: THE BOURNE AGAIN SHELL 291
Background 292
Shell Basics 293
Startup Files 293
Commands That Are Symbols 297
Redirecting Standard Error 297
Writing a Simple Shell Script 300
Separating and Grouping Commands 303
Job Control 307
Manipulating the Directory Stack 310

Parameters and Variables 312
User-Created Variables 314
Variable Attributes 317
Keyword Variables 318
Special Characters 326
Processes 328
Process Structure 328
Process Identification 328
Executing a Command 330
History 330
Variables That Control History 330
Reexecuting and Editing Commands 332
The Readline Library 340
Aliases 346
Single Versus Double Quotation Marks in Aliases 347
Examples of Aliases 348
Functions 349
Controlling bash: Features and Options 352
Command-Line Options 352
Shell Features 352
Processing the Command Line 356
History Expansion 356
Alias Substitution 356
Parsing and Scanning the Command Line 356
Command-Line Expansion 357
Chapter Summary 365
Exercises 367
Advanced Exercises 369

CHAPTER 10: NETWORKING AND THE INTERNET 371
Types of Networks and How They Work 373
Broadcast Networks 374
Point-to-Point Networks 374
Switched Networks 374
LAN: Local Area Network 375
WAN: Wide Area Network 376
Internetworking Through Gateways and Routers 376
Network Protocols 379
Host Address 381
CIDR: Classless Inter-Domain Routing 386
Hostnames 386
Communicate over a Network 388
finger: Displays Information About Remote Users 389
Sending Mail to a Remote User 390
Mailing List Servers 390
Network Utilities 390
Trusted Hosts 391
OpenSSH Tools 391
telnet: Logs In on a Remote System 391
ftp: Transfers Files over a Network 393
ping: Tests a Network Connection 393
traceroute: Traces a Route over the Internet 394
host and dig: Query Internet Nameservers 396
jwhois: Looks Up Information About an Internet Site 396
Distributed Computing 397
The Client/Server Model 398
DNS: Domain Name Service 399
Ports 401
NIS: Network Information Service 401
NFS: Network Filesystem 401
Network Services 402
Common Daemons 402
Proxy Servers 405
RPC Network Services 406
Usenet 407
WWW: World Wide Web 409
URL: Uniform Resource Locator 410
Browsers 410
Search Engines 411
Chapter Summary 411
Exercises 412
Advanced Exercises 413

PART IV SYSTEM ADMINISTRATION 415

CHAPTER 11: SYSTEM ADMINISTRATION: CORE CONCEPTS 417
Running Commands with root Privileges 419
sudo: Running a Command with root Privileges 421
sudoers: Configuring sudo 426
Unlocking the root Account (Assigning a Password to root) 431
su: Gives You Another User's Privileges 431

The Upstart Event-Based init Daemon 432
Software Package 433
Definitions 433
Jobs 435
SysVinit (rc) Scripts: Start and Stop System Services 440
System Operation 443
Runlevels 443
Booting the System 444
Recovery (Single-User) Mode 445
Going to Multiuser Mode 448
Logging In 448
Logging Out 450
Bringing the System Down 450
Crash 452
Avoiding a Trojan Horse 453
Getting Help 454
Textual System Administration Utilities 455
kill: Sends a Signal to a Process 455
Other Textual Utilities 457
Setting Up a Server 460
Standard Rules in Configuration Files 460
rpcinfo: Displays Information About portmap 462
The inetd and xinetd Superservers 464
Securing a Server 465
DHCP: Configures Network Interfaces 470
nsswitch.conf: Which Service to Look at First 475
How nsswitch.conf Works 475
PAM 478
More Information 479
Configuration Files, Module Types, and Control Flags 479
Example 481
Modifying the PAM Configuration 482
Chapter Summary 483
Exercises 484
Advanced Exercises 484

CHAPTER 12: FILES, DIRECTORIES, AND FILESYSTEMS 487
Important Files and Directories 488
File Types 500
Ordinary Files, Directories, Links, and Inodes 500
Device Special Files 501
Filesystems 505
mount: Mounts a Filesystem 506
umount: Unmounts a Filesystem 509
fstab: Keeps Track of Filesystems 510
fsck: Checks Filesystem Integrity 512
tune2fs: Changes Filesystem Parameters 512
RAID Filesystem 514
Chapter Summary 514
Exercises 515
Advanced Exercises 515

CHAPTER 13: DOWNLOADING AND INSTALLING SOFTWARE 517
JumpStart: Installing and Removing Packages Using aptitude 519
Finding the Package That Holds a File You Need 521
APT: Keeps the System Up-to-Date 522
Repositories 522
sources.list: Specifies Repositories for APT to Search 523
The APT Local Package Indexes and the APT Cache 524
The apt cron Script and APT Configuration Files 524
aptitude: Works with Packages and the Local Package Index 526
apt-cache: Displays Package Information 530
apt-get source: Downloads Source Files 532
dpkg: The Debian Package Management System 532
deb Files 533
dpkg: The Foundation of the Debian Package Management System 534
BitTorrent 539
Installing Non-dpkg Software 541
The /opt and /usr/local Directories 541
GNU Configure and Build System 542
wget: Downloads Files Noninteractively 543
Chapter Summary 544
Exercises 545
Advanced Exercises 545

CHAPTER 14: PRINTING WITH CUPS 547
Introduction 548
Prerequisites 548
More Information 549
Notes 549
JumpStart I: Configuring a Local Printer 549

system-config-printer: Configuring a Printer 550
Configuration Selections 550
Setting Up a Remote Printer 552
JumpStart II: Setting Up a Local or Remote Printer Using the CUPS Web Interface 555
Traditional UNIX Printing 558
Configuring Printers 560
The CUPS Web Interface 560
CUPS on the Command Line 561
Sharing CUPS Printers 565
Printing from Windows 566
Printing Using CUPS 566
Printing Using Samba 567
Printing to Windows 568
Chapter Summary 568
Exercises 569
Advanced Exercises 569

CHAPTER 15: BUILDING A LINUX KERNEL 571
Prerequisites 572
Downloading the Kernel Source Code 573
aptitude: Downloading and Installing the Kernel Source Code 573
git: Obtaining the Latest Kernel Source Code 574
/usr/src/linux: The Working Directory 575
Read the Documentation 575
Configuring and Compiling the Linux Kernel 575
.config: Configures the Kernel 575
Customizing a Kernel 577
Cleaning the Source Tree 579
Compiling a Kernel Image File and Loadable Modules 579
Using Loadable Kernel Modules 580
Installing the Kernel, Modules, and Associated Files 582
Rebooting 583
GRUB: The Linux Boot Loader 583
Configuring GRUB 584
update-grub: Updates the grub.cfg File 587
grub-install: Installs the MBR and GRUB Files 589
dmesg: Displays Kernel Messages 589
Chapter Summary 590
Exercises 590
Advanced Exercises 591

CHAPTER 16: ADMINISTRATION TASKS 593
Configuring User and Group Accounts 594
users-admin: Manages User Accounts 594
useradd: Adds a User Account 597
userdel: Removes a User Account 598
usermod: Modifies a User Account 598
groupadd: Adds a Group 598
groupdel: Removes a Group 598
Backing Up Files 599
Choosing a Backup Medium 600
Backup Utilities 600
Performing a Simple Backup 602
dump, restore: Back Up and Restore Filesystems 603
Scheduling Tasks 605
cron and anacron: Schedule Routine Tasks 605
at: Runs Occasional Tasks 608
System Reports 608
vmstat: Reports Virtual Memory Statistics 609
top: Lists Processes Using the Most Resources 610
parted: Reports on and Partitions a Hard Disk 611
Keeping Users Informed 614
Creating Problems 615
Solving Problems 616
Helping When a User Cannot Log In 616
Speeding Up the System 617
lsof: Finds Open Files 618
Keeping a Machine Log 618
Keeping the System Secure 619
Log Files and Mail for root 620
Monitoring Disk Usage 620
logrotate: Manages Log Files 622
Removing Unused Space from Directories 624
Disk Quota System 625
rsyslogd: Logs System Messages 625
MySQL 628
More Information 628
Terminology 628
Syntax and Conventions 628
Prerequisites 629
Notes 629
JumpStart: Setting Up MySQL 629
Options 630
The .my.cnf Configuration File 630
Working with MySQL 630

Chapter Summary 635
Exercises 636
Advanced Exercises 636

CHAPTER 17: CONFIGURING AND MONITORING A LAN 637
Setting Up the Hardware 638
Connecting the Computers 638
Routers 638
NIC: Network Interface Card 639
Tools 640
Configuring the Systems 641
NetworkManager: Configures Network Connections 642
The NetworkManager Applet 642
Setting Up Servers 646
Introduction to Cacti 647
Configuring SNMP 648
Setting Up LAMP 648
The Cacti Poller 652
Configuring Cacti 652
Basic Cacti Administration 652
Setting Up a Remote Data Source 654
More Information 658
Chapter Summary 659
Exercises 660
Advanced Exercises 660

PART V USING CLIENTS AND SETTING UP SERVERS 661

CHAPTER 18: OPENSSH: SECURE NETWORK COMMUNICATION 663
Introduction to OpenSSH 664
How OpenSSH Works 664
Files 665
More Information 666
Running the ssh, scp, and sftp OpenSSH Clients 667
Prerequisites 667
JumpStart: Using ssh and scp to Connect to an OpenSSH Server 667
Configuring OpenSSH Clients 668
ssh: Connects to or Executes Commands on a Remote System 670
scp: Copies Files to and from a Remote System 672
sftp: A Secure FTP Client 674
~/.ssh/config and /etc/ssh/ssh_config Configuration Files 674
Setting Up an OpenSSH Server (sshd) 676
Prerequisites 676
Note 676
JumpStart: Starting an OpenSSH Server 677
Authorized Keys: Automatic Login 677
Command-Line Options 678
/etc/ssh/sshd_config Configuration File 679
Troubleshooting 680
Tunneling/Port Forwarding 681
Chapter Summary 684
Exercises 684
Advanced Exercises 685

CHAPTER 19: FTP: TRANSFERRING FILES ACROSS A NETWORK 687
Introduction to FTP 688
Security 688
FTP Connections 688
FTP Clients 689
More Information 689
Running the ftp and sftp FTP Clients 690
Prerequisites 690
JumpStart I: Downloading Files Using ftp 690
Anonymous FTP 694
Automatic Login 694
Binary Versus ASCII Transfer Mode 694
ftp Specifics 695
Setting Up an FTP Server (vsftpd) 699
Prerequisites 699
Notes 699
JumpStart II: Starting a vsftpd FTP Server 700
Testing the Setup 700
Configuring a vsftpd Server 701
Chapter Summary 711
Exercises 712
Advanced Exercises 712

CHAPTER 20: exim4: SETTING UP MAIL SERVERS, CLIENTS, AND MORE 713
Introduction to exim4 714
Alternatives to exim4 715
More Information 715
Setting Up a Mail Server (exim4) 715
Prerequisites 715
Notes 716
JumpStart I: Configuring exim4 to Use a Smarthost 716
JumpStart II: Configuring exim4 to Send and Receive Mail 718
Working with exim4 Messages 720
Mail Logs 720
Working with Messages 721
Aliases and Forwarding 722
Related Programs 723
Configuring an exim4 Mail Server 724
Using a Text Editor to Configure exim4 724
The update-exim4.conf.conf Configuration File 724
dpkg-reconfigure: Configures exim4 726
SpamAssassin 727
How SpamAssassin Works 727
Prerequisites 728
Testing SpamAssassin 728
Configuring SpamAssassin 730
Additional Email Tools 731
Webmail 731
Mailing Lists 733
Setting Up an IMAP or POP3 Mail Server 735
Authenticated Relaying 736
Chapter Summary 738
Exercises 738
Advanced Exercises 739

CHAPTER 21: NIS AND LDAP 741
Introduction to NIS 742
How NIS Works 742
More Information 744
Running an NIS Client 744
Prerequisites 745
Notes 745
Configuring an NIS Client 746
Testing the Setup 747
yppasswd: Changes NIS Passwords 748
Setting Up an NIS Server 750
Prerequisites 750
Notes 751
Configuring the Server 751
Testing the Server 756
yppasswdd: The NIS Password Update Daemon 757
LDAP 758
More Information 760
Setting Up an LDAP Server 760
Prerequisites 760
Notes 760
Set up the Server 761
Add Entries to the Directory 764
Other Tools for Working with LDAP 767
Evolution Mail 767
Konqueror 770
Chapter Summary 770
Exercises 771
Advanced Exercises 771

CHAPTER 22: NFS: SHARING FILESYSTEMS 773
Introduction to NFS 774
More Information 776
Running an NFS Client 776
Prerequisites 776
JumpStart I: Mounting a Remote Directory Hierarchy 777
mount: Mounts a Directory Hierarchy 778
Improving Performance 780
/etc/fstab: Mounts Directory Hierarchies Automatically 781
Setting Up an NFS Server 782
Prerequisites 782
Notes 782
JumpStart II: Configuring an NFS Server Using shares-admin 783
Manually Exporting a Directory Hierarchy 785
Where the System Keeps NFS Mount Information 789
exportfs: Maintains the List of Exported Directory Hierarchies 791
Testing the Server Setup 792
automount: Mounts Directory Hierarchies on Demand 792
Chapter Summary 795
Exercises 795
Advanced Exercises 795

CHAPTER 23: SAMBA: LINUX AND WINDOWS FILE AND PRINTER SHARING 797
Introduction to Samba 798
More Information 799
Notes 799
Samba Users, User Maps, and Passwords 799
Setting Up a Samba Server 800
Prerequisites 800
JumpStart: Configuring a Samba Server Using system-config-samba 800
swat: Configures a Samba Server 804
smb.conf: Manually Configuring a Samba Server 807
Working with Linux Shares from Windows 814
Browsing Shares 814
Mapping a Share 814
Working with Windows Shares from Linux 815
smbtree: Displays Windows Shares 815
smbclient: Connects to Windows Shares 815
Browsing Windows Networks 816
Mounting Windows Shares 816
Troubleshooting 817
Chapter Summary 819
Exercises 820
Advanced Exercises 820

CHAPTER 24: DNS/BIND: TRACKING DOMAIN NAMES AND ADDRESSES 821
Introduction to DNS 822
Nodes, Domains, and Subdomains 822
Zones 824
Queries 825
Servers 826
Resource Records 827
DNS Queries and Responses 830
Reverse Name Resolution 831
How DNS Works 833
More Information 833
Notes 833
Setting Up a DNS Server 834
Prerequisites 834
JumpStart: Setting Up a DNS Cache 834
Configuring a DNS Server 836
Setting Up Different Types of DNS Servers 850
A Full-Functioned Nameserver 850
A Slave Server 854
A Split Horizon Server 855
Chapter Summary 860
Exercises 860
Advanced Exercises 861

CHAPTER 25: firestarter, gufw, AND iptables: SETTING UP A FIREWALL 863
Introduction to firestarter 864
Notes 864
More Information 866
firestarter: Setting Up and Maintaining a Firewall 866
Prerequisites 866
JumpStart: Configuring a Firewall Using the firestarter Firewall Wizard 867
Maintaining a Firewall using firestarter 868
ufw: The Uncomplicated Firewall 874
gufw: The Graphical Interface to ufw 876
The Firewall Window 876
Adding Rules 877
Introduction to iptables 880
More Information 883
Prerequisites 883
Notes 883
Anatomy of an iptables Command 884
Building a Set of Rules Using iptables 885
Commands 885
Packet Match Criteria 887
Display Criteria 887
Match Extensions 887
Targets 890
Copying Rules to and from the Kernel 891
Sharing an Internet Connection Using NAT 892
Connecting Several Clients to a Single Internet Connection 893
Connecting Several Servers to a Single Internet Connection 896
Chapter Summary 896
Exercises 897
Advanced Exercises 897

CHAPTER 26: APACHE: SETTING UP A WEB SERVER 899
Introduction 900
More Information 901
Notes 901
Running a Web Server (Apache) 902
Prerequisites 902
JumpStart: Getting Apache Up and Running 903
Configuring Apache 905
Configuration Directives 909
Directives I: Directives You May Want to Modify as You Get Started 910
Contexts and Containers 915
Directives II: Advanced Directives 919
Configuration Files 932
The Ubuntu apache2.conf File 932
The Ubuntu default Configuration File 934
Advanced Configuration 935
Redirects 935
Content Negotiation 935
Server-Generated Directory Listings (Indexing) 937
Virtual Hosts 937
Troubleshooting 940
Modules 941
mod_cgi and CGI Scripts 942
mod_ssl 943
Authentication Modules and .htaccess 945
Scripting Modules 946
Multiprocessing Modules (MPMs) 947
webalizer: Analyzes Web Traffic 948
MRTG: Monitors Traffic Loads 948
Error Codes 948
Chapter Summary 949
Exercises 950
Advanced Exercises 950

PART VI PROGRAMMING TOOLS 951

CHAPTER 27: PROGRAMMING THE BOURNE AGAIN SHELL 953
Control Structures 954
if...then 954
if...then...else 958
if...then...elif 961
for...in 967
for 968
while 970
until 974
break and continue 976
case 977
select 983
Here Document 985
File Descriptors 987
Parameters and Variables 990
Array Variables 990
Locality of Variables 992
Special Parameters 994
Positional Parameters 996
Expanding Null and Unset Variables 1001
Builtin Commands 1002
type: Displays Information About a Command 1003
read: Accepts User Input 1003
exec: Executes a Command or Redirects File Descriptors 1006
trap: Catches a Signal 1009
kill: Aborts a Process 1012
getopts: Parses Options 1012
A Partial List of Builtins 1015
Expressions 1016
Arithmetic Evaluation 1016
Logical Evaluation (Conditional Expressions) 1017
String Pattern Matching 1018
Operators 1019
Shell Programs 1024
A Recursive Shell Script 1025
The quiz Shell Script 1028
Chapter Summary 1034
Exercises 1036
Advanced Exercises 1038

CHAPTER 28: THE PERL SCRIPTING LANGUAGE 1041
Introduction to Perl 1042
More Information 1042
Help 1043
perldoc 1043
Terminology 1045
Running a Perl Program 1046
Syntax 1047

Variables 1049
Scalar Variables 1051
Array Variables 1053
Hash Variables 1056
Control Structures 1057
if/unless 1057
if...else 1059
if...elsif...else 1060
foreach/for 1061
last and next 1062
while/until 1064
Working with Files 1066
Sort 1069
Subroutines 1071
Regular Expressions 1073
Syntax and the =~ Operator 1074
CPAN Modules 1079
Examples 1081
Chapter Summary 1085
Exercises 1085
Advanced Exercises 1086

PART VII APPENDIXES 1087

APPENDIX A: REGULAR EXPRESSIONS 1089
Characters 1090
Delimiters 1090
Simple Strings 1090
Special Characters 1090
Periods 1091
Brackets 1091
Asterisks 1092
Carets and Dollar Signs 1092
Quoting Special Characters 1093
Rules 1093
Longest Match Possible 1093
Empty Regular Expressions 1094
Bracketing Expressions 1094
The Replacement String 1094
Ampersand 1095
Quoted Digit 1095
Extended Regular Expressions 1095
Appendix Summary 1097

APPENDIX B: HELP 1099
Solving a Problem 1100
Finding Linux-Related Information 1101
Documentation 1101
Useful Linux Sites 1102
Linux Newsgroups 1103
Mailing Lists 1103
Words 1104
Software 1104
Office Suites and Word Processors 1106
Specifying a Terminal 1106

APPENDIX C: SECURITY 1109
Encryption 1110
Public Key Encryption 1111
Symmetric Key Encryption 1112
Encryption Implementation 1113
GnuPG/PGP 1113
File Security 1115
Email Security 1115
MTAs (Mail Transfer Agents) 1115
MUAs (Mail User Agents) 1116
Network Security 1116
Network Security Solutions 1117
Network Security Guidelines 1117
Host Security 1119
Login Security 1120
Remote Access Security 1121
Viruses and Worms 1122
Physical Security 1122
Security Resources 1124
Appendix Summary 1127

APPENDIX D: THE FREE SOFTWARE DEFINITION 1129
GLOSSARY 1133
JUMPSTART INDEX 1183
FILE TREE INDEX 1185
UTILITY INDEX 1189
MAIN INDEX 1195

JUMPSTARTS

JumpStarts get you off to a quick start when you need to use a client or set up a server. Once you have the client or server up and running, you can refine its configuration using the information presented in the sections following each JumpStart.

APT (SOFTWARE PACKAGES)
Installing and Removing Packages Using aptitude 519

CUPS (PRINTING)
Configuring a Local Printer 549
Setting Up a Local or Remote Printer Using the CUPS Web Interface 555

MYSQL (DATABASE)
Setting Up MySQL 629

OPENSSH (SECURE COMMUNICATION)
Using ssh and scp to Connect to an OpenSSH Server 667
Starting an OpenSSH Server 677

FTP (DOWNLOAD AND UPLOAD FILES)
Downloading Files Using ftp 690
Starting a vsftpd FTP Server 700

EMAIL
Configuring exim4 to Use a Smarthost 716
Configuring exim4 to Send and Receive Mail 718

NFS (NETWORK FILESYSTEM)
Mounting a Remote Directory Hierarchy 777
Configuring an NFS Server Using shares-admin 783

SAMBA (LINUX/WINDOWS FILE SHARING)
Configuring a Samba Server Using system-config-samba 800

DNS (DOMAIN NAME SERVICE)
Setting Up a DNS Cache 834

firestarter (FIREWALL)
Configuring a Firewall Using the firestarter Firewall Wizard 867

APACHE (HTTP)
Getting Apache Up and Running 903

PREFACE

The book: Whether you are an end user, a system administrator, or a little of both, this book
explains with step-by-step examples how to get the most out of an Ubuntu Linux
system. In 28 chapters, this book takes you from installing an Ubuntu system
through understanding its inner workings to setting up secure servers that run on
the system.
The audience: This book is designed for a wide range of readers. It does not require you to have
programming experience, although having some experience using a general-purpose
computer, such as a Windows, Macintosh, UNIX, or another Linux system, is certainly helpful. This book is appropriate for
• Students who are taking a class in which they use Linux
• Home users who want to set up and/or run Linux
• Professionals who use Linux at work
• System administrators who need an understanding of Linux and the tools
that are available to them including the bash and Perl scripting languages
• Computer science students who are studying the Linux operating system
• Technical executives who want to get a grounding in Linux
Benefits A Practical Guide to Ubuntu LinuxThird
Edition, gives you a broad understanding of many facets of Linux, from installing Ubuntu Linux through using and customizing it. No matter what your background, this book provides the knowledge
you need to get on with your work. You will come away from this book understanding how to use Linux, and this book will remain a valuable reference for years
to come.
New in this edition This edition includes many updates to the previous edition:
• Coverage of the MySQL relational database, which has been added to
Chapter 16 (page 628).
• An all-new section on the Cacti network monitoring tool, which has been
added to Chapter 17 (page 647).
• Coverage of the gufw firewall, which has been added to Chapter 25
(page 874).
• Updated chapters to reflect the Ubuntu 10.04 LTS (Lucid Lynx; maintained until 2013).
• Four indexes to make it easier to find what you are looking for quickly.
These indexes locate tables (page numbers followed by the letter t) and definitions (italic page numbers), and differentiate between light and comprehensive coverage (light and standard fonts).
• The JumpStart index (page 1183) lists all the JumpStart sections in
this book. These sections help you set up servers and clients as quickly
as possible.
• The File Tree index (page 1185) lists, in hierarchical fashion, most
files mentioned in this book. These files are also listed in the main
index.
• The Utility index (page 1189) locates all utilities mentioned in this
book. A page number in a light font indicates a brief mention of the
utility while the regular font indicates more substantial coverage.
• The revised Main index (page 1195) is designed for ease of use.
Overlap If you have read the second edition of A Practical Guide to Linux® Commands, Editors, and Shell Programming, you will notice some overlap between that book and the
one you are reading now. The first chapter; the chapters on the utilities and the filesystem; the appendix on regular expressions; and the Glossary are very similar in the
two books, as are the three chapters on the Bourne Again Shell (bash). Chapters that
appear in this book but do not appear in A Practical Guide to Linux® Commands,
Editors, and Shell Programming include Chapters 2 and 3 (installation), Chapters 4
and 8 (Ubuntu Linux and the GUI), Chapter 10 (networking), all of the chapters in
Part IV (system administration) and Part V (servers), and Appendix C (security).
Differences While this book explains how to use Linux from a graphical interface and from the
command line (a textual interface), A Practical Guide to Linux® Commands, Editors, and Shell Programming, Second Edition works exclusively with the command
line and covers Mac OS X in addition to Linux. It includes full chapters on the vim
and emacs editors, as well as chapters on the gawk pattern processing language, the
sed stream editor, and the rsync secure copy utility. In addition, it has a command
reference section that provides extensive examples of the use of 100 of the most
important Linux and Mac OS X utilities. You can use these utilities to solve problems without resorting to programming in C.

THIS BOOK INCLUDES UBUNTU LUCID LYNX (10.04 LTS)
ON A LIVE/INSTALL DVD
This book includes a live/install DVD that holds the Lucid Lynx (10.04) release of
Ubuntu Linux. You can use this DVD to run a live Ubuntu session that displays the
GNOME desktop without making any changes to your computer: Boot from the
DVD, run an Ubuntu live session, and log off. Your system remains untouched:
When you reboot, it is exactly as it was before you ran the Ubuntu live session.
Alternatively, you can install Ubuntu from the live session. Chapter 2 helps you get
ready to install Ubuntu. Chapter 3 provides step-by-step instructions for installing
Ubuntu from this DVD. This book guides you through learning about, using, and
administrating an Ubuntu Linux system.
DVD features The included DVD incorporates all the features of the live/install Desktop CD as
well as many of the features of the Alternate and Server CDs. It also includes all
software packages supported by Ubuntu. You can use it to perform a graphical or
textual (command line) installation of either a graphical or a textual Ubuntu system. If you do not have an Internet connection, you can use the DVD as a software
repository and install any supported software packages from it.

FEATURES OF THIS BOOK
This book is designed and organized so you can get the most out of it in the least
amount of time. You do not have to read this book straight through in page order.
Instead, once you are comfortable using Linux, you can use this book as a reference:
Look up a topic of interest in the table of contents or in an index and read about it.
Or think of the book as a catalog of Linux topics: Flip through the pages until a
topic catches your eye. The book includes many pointers to Web sites where you
can obtain additional information: Consider the Internet to be an extension of this
book.
A Practical Guide to Ubuntu Linux, Third Edition, is structured with the following
features:

• Optional sections enable you to read the book at different levels, returning
to more difficult material when you are ready to delve into it.
• Caution boxes highlight procedures that can easily go wrong, giving you
guidance before you run into trouble.

• Tip boxes highlight ways you can save time by doing something differently
or situations when it may be useful or just interesting to have additional
information.
• Security boxes point out places where you can make a system more secure.
The security appendix presents a quick background in system security issues.
• Concepts are illustrated by practical examples throughout the book.
• Chapter summaries review the important points covered in each chapter.
• Review exercises are included at the end of each chapter for readers who
want to further hone their skills. Answers to even-numbered exercises can
be found at www.sobell.com.
• The glossary defines more than 500 commonly encountered terms.
• The chapters that cover servers include JumpStart sections that get you off
to a quick start using clients and setting up servers. Once a server is up and
running, you can test and modify its configuration as explained in the rest
of each of these chapters.
• This book provides resources for finding software on the Internet. It also
explains how to download and install software using Synaptic, aptitude,
the Ubuntu Software Center window, and BitTorrent. It details controlling
automatic updates using the Update Manager window.
• This book describes in detail many important GNU tools, including the
GNOME desktop, the Nautilus File Browser, the parted, palimpsest, and
gparted partition editors, the gzip compression utility, and many command-line utilities that come from the GNU project.
• Pointers throughout the text provide help in obtaining online documentation from many sources, including the local system, the Ubuntu Web site,
and other locations on the Internet.
• Many useful URLs point to Web sites where you can obtain software,
security programs and information, and more.
• The multiple comprehensive indexes help you locate topics quickly and
easily.

KEY TOPICS COVERED IN THIS BOOK
This book contains a lot of information. This section distills and summarizes its
contents. In addition, "Details" (starting on page xlvi) describes what each chapter
covers. Finally, the table of contents provides more detail. This book:

Installation

• Describes how to download Ubuntu Linux ISO images from the Internet
and burn the Ubuntu live/install Desktop CD, the DVD, or the Ubuntu
Alternate or Server installation CD.
• Helps you plan the layout of the system's hard disk. It includes a discussion of partitions, partition tables, and mount points, and assists you in
using the ubiquity, palimpsest, or gparted graphical partition editor or the
Ubuntu textual partition editor to examine and partition the hard disk.
• Explains how to set up a dual-boot system so you can install Ubuntu
Linux on a Windows system and boot either operating system.
• Describes in detail how to install Ubuntu Linux from a live/install Desktop
CD or the live/install DVD using the ubiquity graphical installer. It also
explains how to use the textual installer found on the Alternate CD, the
Server CD, and the DVD. The graphical installer is fast and easy to use.
The textual installer gives you more options and works on systems with
less RAM (system memory).
• Covers testing an Ubuntu CD/DVD for defects, setting boot command-line
parameters (boot options), and creating a RAID array.

Working with
Ubuntu Linux

• Introduces the GNOME desktop (GUI) and explains how to use desktop
tools, including the Top and Bottom panels, panel objects, the Main menu,
object context menus, the Workspace Switcher, the Nautilus File Browser,
and the GNOME terminal emulator.
• Explains how to use the Appearance Preferences window to add and modify themes to customize your desktop to please your senses and help you
work more efficiently.
• Details how to set up 3D desktop visual effects that take advantage of
Compiz Fusion.
• Covers the Bourne Again Shell (bash) in three chapters, including an entire
chapter on shell programming that includes many sample shell scripts.
These chapters provide clear explanations and extensive examples of how
bash works both from the command line in day-to-day work and as a programming language in which to write shell scripts.
• Explains the textual (command-line) interface and introduces more than
30 command-line utilities.
• Presents a tutorial on the vim textual editor.
• Covers types of networks, network protocols, and network utilities.
• Explains hostnames, IP addresses, and subnets, and explores how to use
host and dig to look up domain names and IP addresses on the Internet.
• Covers distributed computing and the client/server model.

• Explains how to use ACLs (Access Control Lists) to fine-tune user access
permissions.
System
administration

• Explains how to use the Ubuntu graphical and textual (command-line)
tools to configure the display, DNS, NFS, Samba, Apache, a firewall, a
network interface, and more. You can also use these tools to add users and
manage local and remote printers.
• Goes into detail about using sudo to allow specific users to work with root
privileges (become Superuser) and customizing the way sudo works by
editing the sudoers configuration file. It also explains how you can unlock
the root account if necessary.
• Describes how to use the following tools to download and install software
to keep a system up-to-date and to install new software:
• The Software Sources window controls which Ubuntu and third-party
software repositories Ubuntu downloads software packages from and
whether Ubuntu downloads updates automatically. You can also use
this window to cause Ubuntu to download and install security updates
automatically.
• If you do not have an Internet connection, you can use the Software
Sources window to set up the DVD included with this book as a software repository. You can then install any software packages that
Ubuntu supports from this repository.
• Based on how you set up updates in the Software Sources window, the
Update Manager window appears on the desktop to let you know
when software updates are available. You can download and install
updates from the Update Manager window.
• The Ubuntu Software Center window provides an easy way to select,
download, and install a wide range of software packages.
• Synaptic allows you to search for, install, and remove software packages. It gives you more ways to search for packages than does the
Ubuntu Software Center window.
• APT downloads and installs software packages from the Internet (or
the included DVD), keeping a system up-to-date and resolving dependencies as it processes the packages. You can use APT from a graphical
interface (Synaptic) or from several textual interfaces (e.g., aptitude and
apt-get).

• BitTorrent is a good choice for distributing large amounts of data such
as the Ubuntu installation DVD and CDs. The more people who use
BitTorrent to download a file, the faster it works.
• Covers graphical system administration tools, including the many tools
available from the GNOME Main menu.

• Explains system operation, including the boot process, init scripts, recovery (single-user) and multiuser modes, and steps to take if the system
crashes.
• Describes how to use and program the new Upstart init daemon, which
replaces the System V init daemon.
• Explains how to set up and use the Cacti network monitor tool to graph
system and network information over time, including installing and setting
up the LAMP (Linux, Apache, MySQL, and PHP) stack.
• Provides instructions on installing and setting up a MySQL relational
database.
• Describes files, directories, and filesystems, including types of files and filesystems, fstab (the filesystem table), and automatically mounted filesystems, and explains how to fine-tune and check the integrity of filesystems.
• Covers backup utilities, including tar, cpio, dump, and restore.
• Describes compression/archive utilities, including gzip, bzip2, compress,
and zip.
• Explains how to customize and build a Linux kernel.
Security

• Helps you manage basic system security issues using ssh (secure shell), vsftpd
(secure FTP server), Apache (Web server), iptables (firewalls), and more.
• Describes how to use the textual uncomplicated firewall (ufw) and its
graphical interface (gufw) to protect the system.
• Covers the use of firestarter to share an Internet connection over a LAN,
run a DHCP server, and set up a basic firewall to protect the system.
• Provides instructions on using iptables to share an Internet connection over
a LAN and to build advanced firewalls.
• Describes how to set up a chroot jail to help protect a server system.
• Explains how to use TCP wrappers to control who can access a server.

Clients and servers

• Explains how to set up and use the most popular Linux servers, providing
a chapter on each: Apache, Samba, OpenSSH, exim4, DNS, NFS, FTP,
gufw and iptables, and NIS/LDAP (all of which are supported by Ubuntu
Linux).
• Describes how to set up a CUPS printer server.
• Explains how to set up and use a MySQL relational database.
• Describes how to set up and use a DHCP server either by itself or from
firestarter.

Programming

• Provides a chapter on the Perl programming language and a full chapter
covering shell programming using bash, including many examples.

DETAILS
Chapter 1 Chapter 1 presents a brief history of Linux and explains some of the features that
make it a cutting-edge operating system. The "Conventions Used in This Book"
(page 19) section details the typefaces and terminology used in this book.
Part I Part I, "Installing Ubuntu Linux," discusses how to install Ubuntu Linux. Chapter 2
presents an overview of the process of installing Ubuntu Linux, including hardware
requirements, downloading and burning a CD or DVD, and planning the layout of
the hard disk. Chapter 3 is a step-by-step guide to installing Ubuntu Linux from a
CD or DVD, using the graphical or textual installer.
Part II Part II, "Getting Started with Ubuntu Linux," familiarizes you with Ubuntu Linux,
covering logging in, the GUI, utilities, the filesystem, and the shell. Chapter 4 introduces desktop features, including the Top and Bottom panels and the Main menu;
explains how to use the Nautilus File Browser to manage files, run programs, and
connect to FTP and HTTP servers; covers finding documentation, dealing with login
problems, and using the window manager; and presents some suggestions on where
to find documentation, including manuals, tutorials, software notes, and HOWTOs.
Chapter 5 introduces the shell command-line interface, describes more than 30 useful utilities, and presents a tutorial on the vim text editor. Chapter 6 discusses the
Linux hierarchical filesystem, covering files, filenames, pathnames, working with
directories, access permissions, and hard and symbolic links. Chapter 7 introduces
the Bourne Again Shell (bash) and discusses command-line arguments and options,
redirecting input to and output from commands, running programs in the background, and using the shell to generate and expand filenames.

Experienced users may want to skim Part II
tip If you have used a UNIX or Linux system before, you may want to skim or skip some or all of the
chapters in Part II. Two sections that all readers should take a look at are: "Conventions Used in
This Book" (page 19), which explains the typographic and layout conventions used in this book,
and "Where to Find Documentation" (page 136), which points out both local and remote sources
of Linux and Ubuntu documentation.
Part III Part III, "Digging into Ubuntu Linux," goes into more detail about working with
the system. Chapter 8 discusses the GUI (desktop) and includes a section on how to
run a graphical program on a remote system and have the display appear locally.
The section on GNOME describes several GNOME utilities and goes into more
depth about the Nautilus File Browser. Chapter 9 extends the bash coverage from
Chapter 7, explaining how to redirect error output, avoid overwriting files, and
work with job control, processes, startup files, important shell builtin commands,
parameters, shell variables, and aliases. Chapter 10 explains networks, network
security, and the Internet and discusses types of networks, subnets, protocols,
addresses, hostnames, and various network utilities. The section on distributed
computing describes the client/server model and some of the servers you can use on a
network. Details of setting up and using clients and servers are reserved until Part V.

Part IV Part IV covers system administration. Chapter 11 discusses core concepts such as
the use of sudo, working with root privileges, system operation including a discussion of the Upstart init daemon, chroot jails, TCP wrappers, general information
about how to set up a server, DHCP, and PAM. Chapter 12 explains the Linux filesystem, going into detail about types of files, including special and device files; the
use of fsck to verify the integrity of and repair filesystems; and the use of tune2fs to
change filesystem parameters. Chapter 13 explains how to keep a system up-to-date
by downloading software from the Internet and installing it, including examples
that use APT programs such as aptitude, apt-get, and apt-cache to perform these
tasks. It also covers the dpkg software packaging system and the use of some dpkg
utilities. Finally, it explains how to use BitTorrent from the command line to download files. Chapter 14 explains how to set up the CUPS printing system so you can
print on both local and remote systems. Chapter 15 details customizing and building a Linux kernel. Chapter 16 covers additional administration tasks, including
setting up user accounts, backing up files, scheduling automated tasks, tracking disk
usage, solving general problems, and setting up a MySQL relational database.
Chapter 17 explains how to set up a local area network (LAN), including both
hardware (including wireless) and software configuration, and how to set up Cacti
to monitor the network.
Part V Part V goes into detail about setting up and running servers and connecting to them
using clients. Where appropriate, these chapters include JumpStart sections that get
you off to a quick start in using clients and setting up servers. The chapters in Part V
cover the following clients/servers:
• OpenSSH—Set up an OpenSSH server and use ssh, scp, and sftp to communicate securely over the Internet.
• FTP—Set up a vsftpd secure FTP server and use any of several FTP clients
to exchange files with the server.
• Email—Configure exim4 and use Webmail, POP3, or IMAP to retrieve
email; use SpamAssassin to combat spam.
• NIS and LDAP—Set up NIS to facilitate system administration of a LAN
and LDAP to maintain databases.
• NFS—Share filesystems between systems on a network.
• Samba—Share filesystems and printers between Windows and Linux
systems.
• DNS/BIND—Set up a domain nameserver to let other systems on the
Internet know the names and IP addresses of local systems they may need
to contact.
• firestarter, ufw, gufw, and iptables—Set up a firewall to protect local systems,
share a single Internet connection between systems on a LAN, and run a
DHCP server.

• Apache—Set up an HTTP server that serves Web pages, which browsers
can then display. This chapter includes many suggestions for increasing
Apache security.
Part VI Part VI covers two important programming tools that are used extensively in
Ubuntu system administration and general-purpose programming. Chapter 27 continues where Chapter 9 left off, going into greater depth about shell programming
using bash, with the discussion enhanced by extensive examples. Chapter 28 introduces the popular, feature-rich Perl programming language, including coverage of
regular expressions and file handling.
Part VII Part VII includes appendixes on regular expressions, helpful Web sites, system security, and free software. This part also includes an extensive glossary with more than
500 entries plus the JumpStart index, the File Tree index, the Utility index, and a
comprehensive traditional index.

SUPPLEMENTS
The author's home page (www.sobell.com) contains downloadable listings of the
longer programs from this book as well as pointers to many interesting and useful
Linux sites on the World Wide Web, a list of corrections to the book, answers to even-numbered exercises, and a solicitation for corrections, comments, and suggestions.

THANKS
First and foremost, I want to thank Mark L. Taub, Editor-in-Chief, Prentice Hall,
who provided encouragement and support through the hard parts of this project.
Mark is unique in my 28 years of book writing experience: an editor who works
with the tools I write about. Because Mark runs Ubuntu on his home computer, we
shared experiences as I wrote this book. Mark, your comments and direction are
invaluable; this book would not exist without your help. Thank you, Mark T.
Molly Sharp of ContentWorks worked with me day-by-day during production of
this book providing help, listening to my rants, and keeping everything on track.
Thanks to Jill Hobbs, Copyeditor, who made the book readable, understandable,
and consistent; and Bob Campbell, Proofreader, who made each page sparkle and
found the mistakes that the author left behind.
Thanks also to the folks at Prentice Hall who helped bring this book to life, especially Julie Nahil, Full-Service Production Manager, who oversaw production of the
book; John Fuller, Managing Editor, who kept the large view in check; Stephane
Nakib, Marketing Manager; Kim Boedigheimer, Editorial Assistant, who attended
to the many details involved in publishing this book; Heather Fox, Publicist; Dan
Scherf, Media Developer; Cheryl Lenser, Senior Indexer; Sandra Schroeder, Design
Manager; Chuti Prasertsith, Cover Designer; and everyone else who worked behind
the scenes to make this book come into being.

I am also indebted to Denis Howe, Editor of The Free On-Line Dictionary of Computing (FOLDOC). Denis has graciously permitted me to use entries from his compilation. Be sure to look at this dictionary (www.foldoc.org).
A big "thank you" to the folks who read through the drafts of the book and
made comments that caused me to refocus parts of the book where things were
not clear or were left out altogether: John Dong, Ubuntu Developer, Forums
Council Member; Nathan Handler; Andy Lester, author of Land the Tech Job
You Love: Why Skill and Luck Are Not Enough; Max Sobell, New York University; Scott James Remnant, Ubuntu Development Manager and Desktop Team Leader;
and Susan Lauber, Lauber System Solutions, Inc.
Thanks also to the people who helped with the first and second editions of this book:
David Chisnall, Swansea University; Scott Mann, Aztek Networks; Thomas Achtemichuk, Mansueto Ventures; Daniel R. Arfsten, Pro/Engineer Drafter/Designer; Chris Cooper, Senior Education Consultant, Hewlett-Packard Education Services; Sameer Verma,
Associate Professor of Information Systems, San Francisco State University; Valerie
Chau, Palomar College and Programmers Guild; James Kratzer; Sean McAllister;
Nathan Eckenrode, New York Ubuntu Local Community Team; Christer Edwards;
Nicolas Merline; Michael Price; Mike Basinger, Ubuntu Community and Forums Council Member; Joe Barker, Ubuntu Forums Staff Member; Matthew Miller, Senior Systems
Analyst/Administrator, BU Linux Project, Boston University Office of Information Technology; George Vish II, Senior Education Consultant, Hewlett-Packard; James Stockford, Systemateka, Inc.; Stephanie Troeth, Book Oven; Doug Sheppard; Bryan Helvey, IT
Director, OpenGeoSolutions; and Vann Scott, Baker College of Flint.
Thanks also to the following people who helped with my previous Linux books,
which provided a foundation for this book: Chris Karr, Northwestern University;
Jesse Keating, Fedora Project; Carsten Pfeiffer, Software Engineer and KDE Developer; Aaron Weber, Ximian; Cristof Falk, Software Developer at CritterDesign;
Steve Elgersma, Computer Science Department, Princeton University; Scott Dier,
University of Minnesota; Robert Haskins, Computer Net Works; Lars Kellogg-Stedman, Harvard University; Jim A. Lola, Principal Systems Consultant, Privateer
Systems; Eric S. Raymond, Cofounder, Open Source Initiative; Scott Mann; Randall
Lechlitner, Independent Computer Consultant; Jason Wertz, Computer Science
Instructor, Montgomery County Community College; Justin Howell, Solano Community College; Ed Sawicki, The Accelerated Learning Center; David Mercer;
Jeffrey Bianchine, Advocate, Author, Journalist; John Kennedy; and Jim Dennis,
Starshine Technical Services.
Thanks also to Dustin Puryear, Puryear Information Technology; Gabor Liptak,
Independent Consultant; Bart Schaefer, Chief Technical Officer, iPost; Michael J.
Jordan, Web Developer, Linux Online; Steven Gibson, Owner, SuperAnt.com; John
Viega, Founder and Chief Scientist, Secure Software; K. Rachael Treu, Internet
Security Analyst, Global Crossing; Kara Pritchard, K & S Pritchard Enterprises;
Glen Wiley, Capital One Finances; Karel Baloun, Senior Software Engineer, Looksmart; Matthew Whitworth; Dameon D. Welch-Abernathy, Nokia Systems; Josh
Simon, Consultant; Stan Isaacs; and Dr. Eric H. Herrin II, Vice President, Herrin
Software Development. And thanks to Doug Hughes, long-time system designer

and administrator, who gave me a big hand with the sections on system administration, networks, the Internet, and programming.
More thanks go to consultants Lorraine Callahan and Steve Wampler; Ronald
Hiller, Graburn Technology; Charles A. Plater, Wayne State University; Bob
Palowoda; Tom Bialaski, Sun Microsystems; Roger Hartmuller, TIS Labs at Network Associates; Kaowen Liu; Andy Spitzer; Rik Schneider; Jesse St. Laurent; Steve
Bellenot; Ray W. Hiltbrand; Jennifer Witham; Gert-Jan Hagenaars; and Casper Dik.
A Practical Guide to Ubuntu Linux®, Third Edition, is based in part on two of my
previous UNIX books: UNIX System V: A Practical Guide and A Practical Guide to
the UNIX System. Many people helped me with those books, and thanks here go to
Pat Parseghian; Dr. Kathleen Hemenway; Brian LaRose; Byron A. Jeff, Clark Atlanta
University; Charles Stross; Jeff Gitlin, Lucent Technologies; Kurt Hockenbury;
Maury Bach, Intel Israel; Peter H. Salus; Rahul Dave, University of Pennsylvania;
Sean Walton, Intelligent Algorithmic Solutions; Tim Segall, Computer Sciences Corporation; Behrouz Forouzan, DeAnza College; Mike Keenan, Virginia Polytechnic
Institute and State University; Mike Johnson, Oregon State University; Jandelyn
Plane, University of Maryland; Arnold Robbins and Sathis Menon, Georgia Institute
of Technology; Cliff Shaffer, Virginia Polytechnic Institute and State University; and
Steven Stepanek, California State University, Northridge, for reviewing the book.
I continue to be grateful to the many people who helped with the early editions of
my UNIX books. Special thanks are due to Roger Sippl, Laura King, and Roy
Harrington for introducing me to the UNIX system. My mother, Dr. Helen Sobell,
provided invaluable comments on the original manuscript at several junctures. Also,
thanks go to Isaac Rabinovitch, Professor Raphael Finkel, Professor Randolph
Bentson, Bob Greenberg, Professor Udo Pooch, Judy Ross, Dr. Robert Veroff,
Dr. Mike Denny, Joe DiMartino, Dr. John Mashey, Diane Schulz, Robert Jung, Charles
Whitaker, Don Cragun, Brian Dougherty, Dr. Robert Fish, Guy Harris, Ping Liao,
Gary Lindgren, Dr. Jarrett Rosenberg, Dr. Peter Smith, Bill Weber, Mike Bianchi,
Scooter Morris, Clarke Echols, Oliver Grillmeyer, Dr. David Korn, Dr. Scott
Weikart, and Dr. Richard Curtis.
Finally, thanks to Peter and his family for providing nourishment and a very comfortable place to work. I spent many hours reading the manuscript at JumpStart,
Peter's neighborhood coffee and sandwich shop. If you are in the neighborhood
(24th & Guerrero in San Francisco), stop by and say "Hi."

I take responsibility for any errors and omissions in this book. If you find one or
just have a comment, let me know (mgs@sobell.com) and I will fix it in the next
printing. My home page (www.sobell.com) contains a list of errors and credits those
who found them. It also offers copies of the longer scripts from the book and pointers to interesting Linux pages on the Internet.
Mark G. Sobell
San Francisco, California

1
WELCOME TO LINUX
IN THIS CHAPTER
Ubuntu Linux 2
The History of UNIX and GNU-Linux 3
The Heritage of Linux: UNIX 3
What Is So Good About Linux? 6
Overview of Linux 12
Additional Features of Linux 17
Conventions Used in This Book 19

An operating system is the low-level software that schedules tasks,
allocates storage, and handles the interfaces to peripheral hardware, such as printers, disk drives, the screen, keyboard, and
mouse. An operating system has two main parts: the kernel and
the system programs. The kernel allocates machine resources—
including memory, disk space, and CPU (page 1143) cycles—to all
other programs that run on the computer. The system programs
include device drivers, libraries, utility programs, shells (command
interpreters), configuration scripts and files, application programs,
servers, and documentation. They perform higher-level housekeeping tasks, often acting as servers in a client/server relationship.
Many of the libraries, servers, and utility programs were written
by the GNU Project, which is discussed shortly.

Linux kernel

The Linux kernel was developed by Finnish undergraduate student Linus Torvalds,
who used the Internet to make the source code immediately available to others for
free. Torvalds released Linux version 0.01 in September 1991.
The new operating system came together through a lot of hard work. Programmers
around the world were quick to extend the kernel and develop other tools, adding
functionality to match that already found in both BSD UNIX and System V UNIX
(SVR4) as well as new functionality. The name Linux is a combination of Linus
and UNIX.
The Linux operating system, which was developed through the cooperation of
many, many people around the world, is a product of the Internet and is a free operating system. In other words, all the source code is free. You are free to study it,
redistribute it, and modify it. As a result, the code is available free of cost—no
charge for the software, source, documentation, or support (via newsgroups, mailing lists, and other Internet resources). As the GNU Free Software Definition (reproduced in Appendix D) puts it:

Free beer

"Free software" is a matter of liberty, not price. To understand the
concept, you should think of "free" as in "free speech," not as in
"free beer."

UBUNTU LINUX
Distributions

Various organizations package the Linux kernel and system programs as Linux distributions (visit distrowatch.com for more information). Some of the most popular
distributions are SUSE, Fedora, Ubuntu, Red Hat, Debian, and Mandriva. One of
the biggest differences between distributions typically is how the user installs the
operating system. Other differences include which graphical configuration tools are
installed by default and which tools are used to keep the system up-to-date.

Canonical

Under the leadership of Mark Shuttleworth, Canonical Ltd. (www.canonical.com),
the sponsor of Ubuntu Linux, supports many similar Linux distributions: Ubuntu
runs the GNOME desktop manager, Kubuntu (www.kubuntu.org) runs the KDE
desktop manager, Edubuntu (www.edubuntu.org) includes many school-related
applications, and Xubuntu (www.xubuntu.org) runs the lightweight Xfce desktop,
which makes it ideal for older, slower machines.
From its first release in October 2004, Ubuntu has been a community-oriented
project. Ubuntu maintains several structures that keep it functioning effectively, with
community members invited to participate in all structures. For more information
about Ubuntu governance, see www.ubuntu.com/community/processes/governance.
Ubuntu Linux is based on Debian Linux and focuses on enhancing usability, accessibility, and internationalization. Although Ubuntu initially targeted the desktop
user, recent releases have put increasing emphasis on the server market. With a new
release scheduled every six months, Ubuntu provides cutting-edge software.
An Ubuntu system uses the GNOME desktop manager (www.gnome.org) and
includes the OpenOffice.org suite of productivity tools, the Firefox Web browser,
the Pidgin (formerly Gaim) IM client, and an assortment of tools and games. To
keep software on a system up-to-date, Ubuntu uses Debian's deb package format
and various APT-based tools.
The Ubuntu governance structure follows a benevolent dictator model: Mark
Shuttleworth is the Self-Appointed Benevolent Dictator for Life (SABDFL). The
structure includes the Technical Board, Ubuntu Community Council, Local Communities (LoCos), and Masters of the Universe (MOTU; wiki.ubuntu.com/MOTU).
For more information about Ubuntu, see www.ubuntu.com/aboutus/faq.

THE HISTORY OF UNIX AND GNU-LINUX
This section presents some background on the relationships between UNIX and
Linux and between GNU and Linux.

THE HERITAGE OF LINUX: UNIX
The UNIX system was developed by researchers who needed a set of modern computing tools to help them with their projects. The system allowed a group of people
working together on a project to share selected data and programs while keeping
other information private.
Universities and colleges played a major role in furthering the popularity of the UNIX
operating system through the "four-year effect." When the UNIX operating system
became widely available in 1975, Bell Labs offered it to educational institutions at
nominal cost. The schools, in turn, used it in their computer science programs, ensuring that computer science students became familiar with it. Because UNIX was such
an advanced development system, the students became acclimated to a sophisticated
programming environment. As these students graduated and went into industry, they
expected to work in a similarly advanced environment. As more of them worked their
way up the ladder in the commercial world, the UNIX operating system found its way
into industry.
In addition to introducing students to the UNIX operating system, the Computer
Systems Research Group (CSRG) at the University of California at Berkeley made
significant additions and changes to it. In fact, it made so many popular changes
that one version of the system is called the Berkeley Software Distribution (BSD) of
the UNIX system (or just Berkeley UNIX). The other major version is UNIX
System V (SVR4), which descended from versions developed and maintained by
AT&T and UNIX System Laboratories.

FADE TO 1983
Richard Stallman (www.stallman.org) announced[1] the GNU Project for creating an
operating system, both kernel and system programs, and presented the GNU Manifesto,[2] which begins as follows:
GNU, which stands for Gnu's Not UNIX, is the name for the complete UNIX-compatible software system which I am writing so that
I can give it away free to everyone who can use it.
Some years later, Stallman added a footnote to the preceding sentence when he realized that it was creating confusion:
The wording here was careless. The intention was that nobody
would have to pay for *permission* to use the GNU system. But
the words don't make this clear, and people often interpret them as
saying that copies of GNU should always be distributed at little or
no charge. That was never the intent; later on, the manifesto mentions the possibility of companies providing the service of distribution for a profit. Subsequently I have learned to distinguish
carefully between "free" in the sense of freedom and "free" in the
sense of price. Free software is software that users have the freedom to distribute and change. Some users may obtain copies at no
charge, while others pay to obtain copies—and if the funds help
support improving the software, so much the better. The important
thing is that everyone who has a copy has the freedom to cooperate
with others in using it.
In the manifesto, after explaining a little about the project and what has been
accomplished so far, Stallman continues:
Why I Must Write GNU
I consider that the golden rule requires that if I like a program I must
share it with other people who like it. Software sellers want to divide
the users and conquer them, making each user agree not to share
with others. I refuse to break solidarity with other users in this way.
I cannot in good conscience sign a nondisclosure agreement or a
software license agreement. For years I worked within the Artificial
Intelligence Lab to resist such tendencies and other inhospitalities,
but eventually they had gone too far: I could not remain in an institution where such things are done for me against my will.
So that I can continue to use computers without dishonor, I have
decided to put together a sufficient body of free software so that I
will be able to get along without any software that is not free. I
have resigned from the AI Lab to deny MIT any legal excuse to
prevent me from giving GNU away.

1. www.gnu.org/gnu/initial-announcement.html
2. www.gnu.org/gnu/manifesto.html

NEXT SCENE, 1991
The GNU Project has moved well along toward its goal. Much of the GNU operating
system, except for the kernel, is complete. Richard Stallman later writes:
By the early '90s we had put together the whole system aside from
the kernel (and we were also working on a kernel, the GNU Hurd,[3]
which runs on top of Mach[4]). Developing this kernel has been a lot
harder than we expected, and we are still working on finishing it.[5]
...[M]any believe that once Linus Torvalds finished writing the kernel, his friends looked around for other free software, and for no
particular reason most everything necessary to make a UNIX-like
system was already available.
What they found was no accident—it was the GNU system. The
available free software[6] added up to a complete system because the
GNU Project had been working since 1984 to make one. The GNU
Manifesto had set forth the goal of developing a free UNIX-like
system, called GNU. The Initial Announcement of the GNU
Project also outlines some of the original plans for the GNU system. By the time Linux was written, the [GNU] system was almost
finished.[7]
Today the GNU "operating system" runs on top of the FreeBSD (www.freebsd.org)
and NetBSD (www.netbsd.org) kernels with complete Linux binary compatibility
and on top of Hurd pre-releases and Darwin (developer.apple.com/opensource)
without this compatibility.

THE CODE IS FREE
The tradition of free software dates back to the days when UNIX was released to
universities at nominal cost, which contributed to its portability and success. This
tradition eventually died as UNIX was commercialized and manufacturers came to
regard the source code as proprietary, making it effectively unavailable. Another
problem with the commercial versions of UNIX related to their complexity. As each
manufacturer tuned UNIX for a specific architecture, the operating system became
less portable and too unwieldy for teaching and experimentation.

3. www.gnu.org/software/hurd/hurd.html
4. www.gnu.org/software/hurd/gnumach.html
5. www.gnu.org/software/hurd/hurd-and-linux.html
6. See Appendix D or www.gnu.org/philosophy/free-sw.html.
7. www.gnu.org/gnu/linux-and-gnu.html

6

CHAPTER 1

W E L C O M E TO LINUX

MINIX

Two professors created their own stripped-down UNIX look-alikes for educational
purposes: Doug Comer created XINU and Andrew Tanenbaum created MINIX.
Linus Torvalds created Linux to counteract the shortcomings in MINIX. Every time
there was a choice between code simplicity and efficiency/features, Tanenbaum
chose simplicity (to make it easy to teach with MINIX), which meant this system
lacked many features people wanted. Linux went in the opposite direction.
You can obtain Linux at no cost over the Internet (page 43). You can also obtain the
GNU code via the U.S. mail at a modest cost for materials and shipping. You can support the Free Software Foundation (www.fsf.org) by buying the same (GNU) code in
higher-priced packages, and you can buy commercial packaged releases of Linux
(called distributions), such as Ubuntu Linux, that include installation instructions,
software, and support.
GPL

Linux and GNU software are distributed under the terms of the GNU General Public
License (GPL, www.gnu.org/licenses/licenses.html). The GPL says you have the right
to copy, modify, and redistribute the code covered by the agreement. When you
redistribute the code, however, you must also distribute the same license with the
code, thereby making the code and the license inseparable. If you get source code off
the Internet for an accounting program that is under the GPL and then modify that
code and redistribute an executable version of the program, you must also distribute
the modified source code and the GPL agreement with it. Because this arrangement is
the reverse of the way a normal copyright works (it gives rights instead of limiting
them), it has been termed a copyleft. (This paragraph is not a legal interpretation of
the GPL; it is intended merely to give you an idea of how it works. Refer to the GPL
itself when you want to make use of it.)

HAVE FUN!
Two key words for Linux are "Have Fun!" These words pop up in prompts and documentation. The UNIX—now Linux—culture is steeped in humor that can be seen
throughout the system. For example, less is more—GNU has replaced the UNIX
paging utility named more with an improved utility named less. The utility to view
PostScript documents is named ghostscript, and one of several replacements for the vi
editor is named elvis. While machines with Intel processors have "Intel Inside" logos
on their outside, some Linux machines sport "Linux Inside" logos. And Torvalds
himself has been seen wearing a T-shirt bearing a "Linus Inside" logo.

WHAT IS SO GOOD ABOUT LINUX?
In recent years Linux has emerged as a powerful and innovative UNIX work-alike.
Its popularity has surpassed that of its UNIX predecessors. Although it mimics
UNIX in many ways, the Linux operating system departs from UNIX in several significant ways: The Linux kernel is implemented independently of both BSD and System V, the continuing development of Linux is taking place through the combined
efforts of many capable individuals throughout the world, and Linux puts the power
of UNIX within easy reach of both business and personal computer users. Using the
Internet, today's skilled programmers submit additions and improvements to the
operating system to Linus Torvalds, GNU, or one of the other authors of Linux.
Standards

In 1985, individuals from companies throughout the computer industry joined
together to develop the POSIX (Portable Operating System Interface for Computer
Environments) standard, which is based largely on the UNIX System V Interface
Definition (SVID) and other earlier standardization efforts. These efforts were
spurred by the U.S. government, which needed a standard computing environment
to minimize its training and procurement costs. Released in 1988, POSIX is a group
of IEEE standards that define the API (application programming interface), shell,
and utility interfaces for an operating system. Although aimed at UNIX-like systems,
the standards can apply to any compatible operating system. Now that these standards have gained acceptance, software developers are able to develop applications
that run on all conforming versions of UNIX, Linux, and other operating systems.

Applications

A rich selection of applications is available for Linux—both free and commercial—
as well as a wide variety of tools: graphical, word processing, networking, security,
administration, Web server, and many others. Large software companies have
recently seen the benefit in supporting Linux and now have on-staff programmers
whose job it is to design and code the Linux kernel, GNU, KDE, or other software
that runs on Linux. For example, IBM (www.ibm.com/linux) is a major Linux supporter. Linux conforms increasingly more closely to POSIX standards, and some
distributions and parts of others meet this standard. These developments indicate
that Linux is becoming mainstream and is respected as an attractive alternative to
other popular operating systems.

Peripherals

Another aspect of Linux that appeals to users is the amazing range of peripherals that is
supported and the speed with which support for new peripherals emerges. Linux often
supports a peripheral or interface card before any company does. Unfortunately
some types of peripherals—particularly proprietary graphics cards—lag in their
support because the manufacturers do not release specifications or source code for
drivers in a timely manner, if at all.

Software

Also important to users is the amount of software that is available—not just source
code (which needs to be compiled) but also prebuilt binaries that are easy to install
and ready to run. These programs include more than free software. Netscape, for
example, has been available for Linux from the start and included Java support
before it was available from many commercial vendors. Its sibling Mozilla/Thunderbird/Firefox is also a viable browser, mail client, and newsreader, performing
many other functions as well.

Platforms

Linux is not just for Intel-based platforms (which now include Apple computers): It
has been ported to and runs on the Power PC—including older Apple computers
(ppclinux), Compaq's (née Digital Equipment Corporation) Alpha-based machines,
MIPS-based machines, Motorola's 68K-based machines, various 64-bit systems,
and IBM's S/390. Nor is Linux just for single-processor machines: As of version 2.0,
it runs on multiple-processor machines (SMPs; page 1172). It also includes an O(1)
scheduler, which dramatically increases scalability on SMP systems.

Emulators

Linux supports programs, called emulators, that run code intended for other operating systems. By using emulators you can run some DOS, Windows, and Macintosh
programs under Linux. For example, Wine (www.winehq.com) is an open-source
implementation of the Windows API that runs on top of the X Window System and
UNIX/Linux.

Virtual machines

A virtual machine (VM or guest) appears to the user and to the software running on
it as a complete physical machine. It is, however, one of potentially many such VMs
running on a single physical machine (the host). The software that provides the virtualization is called a virtual machine monitor (VMM) or hypervisor. Each VM can
run a different operating system from the other VMs. For example, on a single host
you could have VMs running Windows, Ubuntu 7.10, Ubuntu 8.04, and Fedora 9.
A multitasking operating system allows you to run many programs on a single
physical system. Similarly, a hypervisor allows you to run many operating systems
(VMs) on a single physical system.
VMs provide many advantages over single, dedicated machines:
• Isolation—Each VM is isolated from the other VMs running on the same
host: Thus, if one VM crashes or is compromised, the others are not
affected.
• Security—When a single server system running several servers is compromised, all servers are compromised. If each server is running on its own
VM, only the compromised server is affected; other servers remain secure.
• Power consumption—Using VMs, a single powerful machine can replace
many less powerful machines, thereby cutting power consumption.
• Development and support—Multiple VMs, each running a different version
of an operating system and/or different operating systems, can facilitate
development and support of software designed to run in many environments.
With this organization you can easily test a product in different environments
before releasing it. Similarly, when a user submits a bug, you can reproduce
the bug in the same environment it occurred in.
• Servers—In some cases, different servers require different versions of system libraries. In this instance, you can run each server on its own VM, all
on a single piece of hardware.
• Testing—Using VMs, you can experiment with cutting-edge releases of
operating systems and applications without concern for the base (stable)
system, all on a single machine.
• Networks—You can set up and test networks of systems on a single
machine.
• Sandboxes—A VM presents a sandbox—an area (system) that you can
work in without regard for the results of your work or for the need to
clean up.
• Snapshots—You can take snapshots of a VM and return the VM to the
state it was in when you took the snapshot simply by reloading the VM
from the snapshot.
Xen

Xen, which was created at the University of Cambridge and is now being developed
in the open-source community, is an open-source virtual machine monitor (VMM).
A VMM enables several virtual machines (VMs), each running an instance of a separate operating system, to run on a single computer. Xen isolates the VMs so that if
one crashes it does not affect any of the others. In addition, Xen introduces minimal
performance overhead when compared with running each of the operating systems
natively.
Using VMs, you can experiment with cutting-edge releases of operating systems and
applications without concern for the base (stable) system, all on a single machine.
You can also set up and test networks of systems on a single machine. Xen presents
a sandbox, an area (system) that you can work in without regard for the results of
your work or for the need to clean up.
The Lucid release of Ubuntu supports Xen 3.3. This book does not cover the installation or use of Xen. See help.ubuntu.com/community/Xen for information on running Xen under Ubuntu. For more information on Xen, refer to the Xen home page
at www.cl.cam.ac.uk/research/srg/netos/xen and to wiki.xensource.com/xenwiki.
VMware

VMware, Inc. (www.vmware.com) offers VMware Server, a free, downloadable,
proprietary product you can install and run as an application under Ubuntu.
VMware Server enables you to install several VMs, each running a different
operating system, including Windows and Linux. VMware also offers a free
VMware player that enables you to run VMs you create with the VMware
Server.

KVM

The Kernel-based Virtual Machine (KVM; kvm.qumranet.com and libvirt.org) is an
open-source VM and runs as part of the Linux kernel. It works only on systems
based on the Intel VT (VMX) CPU or the AMD SVM CPU; it is implemented as the
kvm, libvirt-bin, and ubuntu-vm-builder packages. For more information refer to
help.ubuntu.com/community/KVM.
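
Before installing the KVM packages named above, a practitioner wants to know whether the CPU actually advertises the extensions the paragraph requires. The shell script below is an added example, not code from the book or from the KVM or Ubuntu projects: hv_support scans /proc/cpuinfo-formatted text for the vmx (Intel VT) or svm (AMD SVM) flag, check_host feeds it the live file when one is readable, and the SAMPLE_* texts are constructed inputs, not captures from real machines.

```shell
#!/bin/sh
# Added example (not from the book): does this CPU advertise the
# hardware-virtualization extensions KVM requires?
#   Intel VT -> "vmx" flag      AMD SVM -> "svm" flag

# hv_support: reads /proc/cpuinfo-formatted text on stdin and prints
# "vmx", "svm" or "none".
hv_support() {
    flags=$(awk -F': ' '/^flags[[:space:]]*:/ { print $2 }' | tr '\n' ' ')
    # Keep only the value part of each "flags : ..." line (one per logical
    # CPU) and match whole tokens, so "svm_lock" or "vmx_flags" never count.
    case " $flags " in
        *" vmx "*) printf 'vmx\n' ;;
        *" svm "*) printf 'svm\n' ;;
        *)         printf 'none\n' ;;
    esac
}

# check_host: run the same check against the live kernel, or report that
# the file is not available (non-Linux host, restricted container).
check_host() {
    if [ -r /proc/cpuinfo ]; then
        hv_support < /proc/cpuinfo
    else
        printf 'no-cpuinfo\n'
    fi
}

# Constructed sample inputs (not captured from real machines).
SAMPLE_INTEL='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae mce cx8 sep vmx sse2 ht
processor : 1
vendor_id : GenuineIntel
flags     : fpu vme de pse tsc msr pae mce cx8 sep vmx sse2 ht'
SAMPLE_AMD='processor : 0
vendor_id : AuthenticAMD
flags     : fpu vme de pse tsc msr pae svm sse2'
SAMPLE_NONE='processor : 0
flags     : fpu vme de pse tsc msr pae sse2'

printf 'constructed Intel sample: %s\n' "$(printf '%s\n' "$SAMPLE_INTEL" | hv_support)"
printf 'constructed AMD sample:   %s\n' "$(printf '%s\n' "$SAMPLE_AMD" | hv_support)"
printf 'no-virtualization sample: %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | hv_support)"
printf 'this host:                %s\n' "$(check_host)"
```

A present flag is necessary but not sufficient: the CPU reports the feature through CPUID even when firmware has disabled it, in which case the kvm module refuses to load. Treat "vmx" or "svm" here as "worth trying", and the module load as the real test.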

Qemu

Qemu (bellard.org/qemu), written by Fabrice Bellard, is an open-source VMM that
runs as a user application with no CPU requirements. It can run code written for a
different CPU than that of the host machine. For more information refer to
https://help.ubuntu.com/community/Installation/QemuEmulator.

VirtualBox

VirtualBox (www.virtualbox.org) is a VM developed by Sun Microsystems. If you
want to run a virtual instance of Windows, you may want to investigate KVM
(help.ubuntu.com/community/KVM) and VirtualBox.

WHY LINUX IS POPULAR WITH HARDWARE COMPANIES
AND DEVELOPERS
Two trends in the computer industry set the stage for the growing popularity of UNIX
and Linux. First, advances in hardware technology created the need for an operating
system that could take advantage of available hardware power. In the mid-1970s,
minicomputers began challenging the large mainframe computers because, in many
applications, minicomputers could perform the same functions less expensively. More
recently, powerful 64-bit processor chips, plentiful and inexpensive memory, and
lower-priced hard disk storage have allowed hardware companies to install multiuser
operating systems on desktop computers.
Proprietary operating systems

Second, with the cost of hardware continually dropping, hardware manufacturers
could no longer afford to develop and support proprietary operating systems. A
proprietary operating system is one that is written and owned by the manufacturer
of the hardware (for example, DEC/Compaq owns VMS). Today's manufacturers
need a generic operating system that they can easily adapt to their machines.

Generic operating systems

A generic operating system is written outside of the company manufacturing the hardware and is sold (UNIX, Windows) or given (Linux) to the manufacturer. Linux is a
generic operating system because it runs on different types of hardware produced by
different manufacturers. Of course, if manufacturers can pay only for development and
avoid per-unit costs (which they have to pay to Microsoft for each copy of Windows
they sell), they are much better off. In turn, software developers need to keep the prices
of their products down; they cannot afford to create new versions of their products to
run under many different proprietary operating systems. Like hardware manufacturers,
software developers need a generic operating system.
Although the UNIX system once met the needs of hardware companies and
researchers for a generic operating system, over time it has become more proprietary as manufacturers added support for their own specialized features and introduced new software libraries and utilities. Linux emerged to serve both needs: It is a
generic operating system that takes advantage of available hardware power.

LINUX IS PORTABLE
A portable operating system is one that can run on many different machines. More
than 95 percent of the Linux operating system is written in the C programming language, and C is portable because it is written in a higher-level, machine-independent
language. (The C compiler is written in C.)
Because Linux is portable, it can be adapted (ported) to different machines and can
meet special requirements. For example, Linux is used in embedded computers,
such as the ones found in cellphones, PDAs, and the cable boxes on top of many
TVs. The file structure takes full advantage of large, fast hard disks. Equally important, Linux was originally designed as a multiuser operating system—it was not
modified to serve several users as an afterthought. Sharing the computer's power
among many users and giving them the ability to share data and programs are central features of the system.
Because it is adaptable and takes advantage of available hardware, Linux runs on
many different microprocessor-based systems as well as mainframes. The popularity of the microprocessor-based hardware drives Linux; these microcomputers are
getting faster all the time, at about the same price point. Linux on a fast microcomputer has become good enough to displace workstations on many desktops. This
widespread acceptance benefits both users, who do not like having to learn a new
operating system for each vendor's hardware, and system administrators, who like
having a consistent software environment.
The advent of a standard operating system has given a boost to the development of
the software industry. Now software manufacturers can afford to make one version
of a product available on machines from different manufacturers.

THE C PROGRAMMING LANGUAGE
Ken Thompson wrote the UNIX operating system in 1969 in PDP-7 assembly language. Assembly language is machine dependent: Programs written in assembly
language work on only one machine or, at best, on one family of machines. For this
reason, the original UNIX operating system could not easily be transported to run
on other machines (it was not portable).
To make UNIX portable, Thompson developed the B programming language, a
machine-independent language, from the BCPL language. Dennis Ritchie developed
the C programming language by modifying B and, with Thompson, rewrote UNIX
in C in 1973. Originally, C was touted as a "portable assembler." The revised operating system could be transported more easily to run on other machines.
That development marked the start of C. Its roots reveal some of the reasons why it
is such a powerful tool. C can be used to write machine-independent programs. A
programmer who designs a program to be portable can easily move it to any computer that has a C compiler. C is also designed to compile into very efficient code.
With the advent of C, a programmer no longer had to resort to assembly language
to get code that would run well (that is, quickly—although an assembler will always
generate more efficient code than a high-level language).
C is a good systems language. You can write a compiler or an operating system in
C. It is a highly structured but is not necessarily a high-level language. C allows a
programmer to manipulate bits and bytes, as is necessary when writing an operating system. At the same time, it has high-level constructs that allow for efficient,
modular programming.
Figure 1-1 A layered view of the Linux operating system (layer labels recovered from the figure: Shells, Compilers, Database Management Systems, Word Processors, Mail and Message Facilities)

In the late 1980s the American National Standards Institute (ANSI) defined a standard version of the C language, commonly referred to as ANSI C or C89 (for the
year the standard was published). Ten years later the C99 standard was published;
it is mostly supported by the GNU Project's C compiler (named gcc). The original
version of the language is often referred to as Kernighan & Ritchie (or K&R) C,
named for the authors of the book that first described the C language.
Another researcher at Bell Labs, Bjarne Stroustrup, created an object-oriented programming language named C++, which is built on the foundation of C. Because
object-oriented programming is desired by many employers today, C++ is preferred
over C in many environments. Another language of choice is Objective-C, which
was used to write the first Web browser. The GNU Project's C compiler supports C,
C++, and Objective-C.

OVERVIEW OF LINUX
The Linux operating system has many unique and powerful features. Like other
operating systems, it is a control program for computers. But like UNIX, it is also a
well-thought-out family of utility programs (Figure 1-1) and a set of tools that
allow users to connect and use these utilities to build systems and applications.

LINUX HAS A KERNEL PROGRAMMING INTERFACE
The Linux kernel—the heart of the Linux operating system—is responsible for allocating the computer's resources and scheduling user jobs so each one gets its fair
share of system resources, including access to the CPU; peripheral devices, such as
hard disk, DVD, and CD-ROM storage; printers; and tape drives. Programs interact
with the kernel through system calls, special functions with well-known names. A
programmer can use a single system call to interact with many kinds of devices. For
example, there is one write() system call, rather than many device-specific ones.
When a program issues a write() request, the kernel interprets the context and passes
the request to the appropriate device. This flexibility allows old utilities to work with
devices that did not exist when the utilities were written. It also makes it possible to
move programs to new versions of the operating system without rewriting them
(provided the new version recognizes the same system calls).

LINUX CAN SUPPORT MANY USERS
Depending on the hardware and the types of tasks the computer performs, a Linux
system can support from 1 to more than 1,000 users, each concurrently running a
different set of programs. The per-user cost of a computer that can be used by many
people at the same time is less than that of a computer that can be used by only a
single person at a time. It is less because one person cannot generally take advantage
of all the resources a computer has to offer. That is, no one can keep all the printers
going constantly, keep all the system memory in use, keep all the disks busy reading
and writing, keep the Internet connection in use, and keep all the terminals busy at
the same time. By contrast, a multiuser operating system allows many people to use
all of the system resources almost simultaneously. The use of costly resources can be
maximized and the cost per user can be minimized—the primary objectives of a
multiuser operating system.

LINUX CAN RUN MANY TASKS
Linux is a fully protected multitasking operating system, allowing each user to run
more than one job at a time. Processes can communicate with one another but
remain fully protected from one another, just as the kernel remains protected from
all processes. You can run several jobs in the background while giving all your
attention to the job being displayed on the screen, and you can switch back and
forth between jobs. If you are running the X Window System (page 17), you can
run different programs in different windows on the same screen and watch all of
them. This capability helps users be more productive.
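
The single write() interface described under the kernel programming interface and the background jobs described just above can be watched together from the shell. The script below is an added example and not code from the book: it sends the same bytes, through the same redirection (which ends in a write() call each time), to a regular file, to a named pipe whose reader runs as a background job, and to the null device, and reports what each kind of target did with them. The scratch paths come from mktemp; no name in it is a book or project identifier.

```shell
#!/bin/sh
# Added example (not from the book): one write request, three kinds of
# kernel object. The caller does the same thing every time; the kernel
# decides what "writing" means for a file, a pipe and a device.

# same_write_three_ways MESSAGE
# Prints: file=<bytes read back> fifo=<bytes the reader got> null=ok
same_write_three_ways() {
    msg=$1
    dir=$(mktemp -d) || return 1
    file=$dir/regular
    fifo=$dir/pipe
    mkfifo "$fifo"

    # 1. Regular file: the filesystem stores the bytes.
    printf '%s' "$msg" > "$file"

    # 2. Named pipe: start a reader as a background job first ($! is its
    #    PID), then write. The kernel hands the bytes straight to that
    #    process; nothing is stored on disk. wait collects the job.
    cat "$fifo" > "$dir/from_fifo" &
    reader=$!
    printf '%s' "$msg" > "$fifo"
    wait "$reader"

    # 3. Null device: the driver discards the bytes, yet the write
    #    succeeds from the caller's side exactly like the other two.
    if printf '%s' "$msg" > /dev/null; then null_status=ok; else null_status=failed; fi

    printf 'file=%s fifo=%s null=%s\n' \
        "$(cat "$file")" "$(cat "$dir/from_fifo")" "$null_status"
    rm -rf "$dir"
}

same_write_three_ways 'hello kernel'
```

The FIFO step is where the multitasking matters: the writer blocks until some process holds the read end, so the reader has to be running concurrently, which is exactly what the trailing ampersand arranges.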

LINUX PROVIDES A SECURE HIERARCHICAL FILESYSTEM
A file is a collection of information, such as text for a memo or report, an accumulation of sales figures, an image, a song, or an executable program. Each file is
stored under a unique identifier on a storage device, such as a hard disk. The Linux
filesystem provides a structure whereby files are arranged under directories, which
are like folders or boxes. Each directory has a name and can hold other files and
directories. Directories, in turn, are arranged under other directories, and so forth,
in a treelike organization. This structure helps users keep track of large numbers of
files by grouping related files in directories. Each user has one primary directory
and as many subdirectories as required (Figure 1-2).

Figure 1-2 The Linux filesystem structure

Standards

With the idea of making life easier for system administrators and software developers,
a group got together over the Internet and developed the Linux Filesystem Standard
(FSSTND), which has since evolved into the Linux Filesystem Hierarchy Standard
(FHS). Before this standard was adopted, key programs were located in different
places in different Linux distributions. Today you can sit down at a Linux system and
expect to find any given standard program at a consistent location (page 213).

Links

A link allows a given file to be accessed by means of two or more names. The alternative names can be located in the same directory as the original file or in another
directory. Links can make the same file appear in several users' directories, enabling
those users to share the file easily. Windows uses the term shortcut in place of link
to describe this capability. Macintosh users will be more familiar with the term
alias. Under Linux, an alias is different from a link; it is a command macro feature
provided by the shell (page 346).

Security

Like most multiuser operating systems, Linux allows users to protect their data
from access by other users. It also allows users to share selected data and programs
with certain other users by means of a simple but effective protection scheme. This
level of security is provided by file access permissions, which limit the users who can
read from, write to, or execute a file. More recently, Linux has implemented Access
Control Lists (ACLs), which give users and administrators finer-grained control
over file access permissions.
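
The permission and link behaviour described above, as an added example that is not from the book: a constructed directory tree is checked the way an administrator auditing a system would, assuming GNU coreutils (stat -c) as shipped with Ubuntu.

```sh
#!/bin/sh
# Added example (not from the book): file access permissions and links.
# Builds a throwaway tree of constructed files, then checks it the way an
# administrator auditing a system would. Assumes GNU coreutils (stat -c),
# as on Ubuntu.

# Create the sample tree and print its path. The caller removes it afterwards.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'quarterly sales figures\n' > "$dir/report"
    printf 'temporary notes\n' > "$dir/scratch"
    mkdir "$dir/shared"
    # A hard link is a second name for the same file (same inode); a symbolic
    # link is a separate small file that holds the path of its target.
    ln "$dir/report" "$dir/shared/report-link"
    ln -s "$dir/report" "$dir/shared/report-sym"
    chmod 640 "$dir/report"   # owner: read/write; group: read; others: nothing
    chmod 666 "$dir/scratch"  # everyone may write: what an audit should flag
    printf '%s\n' "$dir"
}

# Permission string of a file, e.g. -rw-r-----, without following symlinks.
perm_string() {
    stat -c '%A' "$1"
}

# Inode number of a file. Two names with the same inode are one file, so
# permissions set through either name apply to both.
inode_of() {
    stat -c '%i' "$1"
}

# Count regular files under a directory whose "others write" bit (002) is set.
# Such files can be modified by every account on the system.
world_writable_count() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# Stand-alone demonstration: build the tree, report on it, and clean up.
demo() {
    d=$(make_sample_tree)
    printf '%s  report              inode %s\n' "$(perm_string "$d/report")" "$(inode_of "$d/report")"
    printf '%s  shared/report-link  inode %s\n' "$(perm_string "$d/shared/report-link")" "$(inode_of "$d/shared/report-link")"
    printf '%s  shared/report-sym   inode %s\n' "$(perm_string "$d/shared/report-sym")" "$(inode_of "$d/shared/report-sym")"
    printf 'world-writable files: %s\n' "$(world_writable_count "$d")"
    rm -rf "$d"
}

demo
```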

THE SHELL: COMMAND INTERPRETER AND PROGRAMMING LANGUAGE

In a textual environment, the shell—the command interpreter—acts as an interface
between you and the operating system. When you enter a command on the screen,
the shell interprets the command and calls the program you want. A number of
shells are available for Linux. The four most popular shells are
• The Bourne Again Shell (bash), an enhanced version of the original Bourne
Shell (the original UNIX shell).
• The Debian Almquist Shell (dash; page 292), a smaller version of bash,
with fewer features. Most startup shell scripts call dash in place of bash to
speed the boot process.
• The TC Shell (tcsh), an enhanced version of the C Shell, developed as part
of BSD UNIX.
• The Z Shell (zsh), which incorporates features from a number of shells,
including the Korn Shell.
Because different users may prefer different shells, multiuser systems can have several different shells in use at any given time. The choice of shells demonstrates one
of the advantages of the Linux operating system: the ability to provide a customized
interface for each user.
Shell scripts

Besides performing its function of interpreting commands from a keyboard and
sending those commands to the operating system, the shell is a high-level programming language. Shell commands can be arranged in a file for later execution (Linux
calls these files shell scripts; Windows calls them batch files). This flexibility allows
users to perform complex operations with relative ease, often by issuing short commands, or to build with surprisingly little effort elaborate programs that perform
highly complex operations.

FILENAME GENERATION
Wildcards and ambiguous file references

When you type commands to be processed by the shell, you can construct patterns
using characters that have special meanings to the shell. These characters are called
wildcard characters. The patterns, which are called ambiguous file references, are a
kind of shorthand: Rather than typing in complete filenames, you can type patterns;
the shell expands these patterns into matching filenames. An ambiguous file reference
can save you the effort of typing in a long filename or a long series of similar filenames. For example, the shell might expand the pattern mak* to make-3.80.tar.gz.
Patterns can also be useful when you know only part of a filename or cannot remember the exact spelling of a filename.
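
Pathname expansion as described above, in an added example that is not from the book; the filenames are constructed, and the second function adds the existence check a script needs because the shell passes an unmatched pattern on literally.

```sh
#!/bin/sh
# Added example (not from the book): how the shell expands an ambiguous file
# reference such as mak*, and what happens when nothing matches. The sample
# filenames are constructed for this example.

# Create a directory of sample files and print its path.
make_sample_dir() {
    dir=$(mktemp -d)
    touch "$dir/make-3.80.tar.gz" "$dir/makefile.old" "$dir/memo5" "$dir/Memo5"
    printf '%s\n' "$dir"
}

# Expand a pattern in a directory exactly as the shell does on a command line:
# the variable is deliberately left unquoted so pathname expansion applies.
# If nothing matches, the shell hands the pattern itself through as a word.
expand_pattern() {
    ( cd "$1" && for name in $2; do printf '%s\n' "$name"; done )
}

# The same expansion, but a word that names no existing file is dropped.
# Without this check a program would receive the literal string "mak*" as a
# filename whenever no file matches.
expand_existing() {
    ( cd "$1" && for name in $2; do
          if [ -e "$name" ]; then printf '%s\n' "$name"; fi
      done )
}

# Number of existing files a pattern expands to (0 when nothing matches).
match_count() {
    expand_existing "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration, including the case-sensitive names memo5/Memo5.
demo() {
    d=$(make_sample_dir)
    printf 'mak* expands to:\n';      expand_pattern "$d" 'mak*'
    printf 'nomatch* expands to:\n';  expand_pattern "$d" 'nomatch*'
    printf 'existing matches for [mM]emo5: %s\n' "$(match_count "$d" '[mM]emo5')"
    rm -rf "$d"
}

demo
```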

COMPLETION
In conjunction with the Readline library, the shell performs command, filename,
pathname, and variable completion: You type a prefix and press ESCAPE, and the shell
lists the items that begin with that prefix or completes the item if the prefix specifies
a unique item.

DEVICE-INDEPENDENT INPUT AND OUTPUT
Redirection

Devices (such as a printer or a terminal) and disk files appear as files to Linux programs. When you give a command to the Linux operating system, you can instruct
it to send the output to any one of several devices or files. This diversion is called
output redirection.

Device independence

In a similar manner, a program's input, which normally comes from a keyboard, can
be redirected so that it comes from a disk file instead. Input and output are device
independent; that is, they can be redirected to or from any appropriate device.
As an example, the cat utility normally displays the contents of a file on the screen.
When you run a cat command, you can easily cause its output to go to a disk file
instead of the screen.

SHELL FUNCTIONS
One of the most important features of the shell is that users can use it as a programming language. Because the shell is an interpreter, it does not compile programs
written for it but rather interprets programs each time they are loaded from the
disk. Loading and interpreting programs can be time-consuming.
Many shells, including the Bourne Again Shell, support shell functions that the shell
holds in memory so it does not have to read them from the disk each time you execute them. The shell also keeps functions in an internal format so it does not have to
spend as much time interpreting them.

JOB CONTROL
Job control is a shell feature that allows users to work on several jobs at once,
switching back and forth between them as desired. When you start a job, it is frequently run in the foreground so it is connected to the terminal. Using job control,
you can move the job you are working with to the background and continue running it there while working on or observing another job in the foreground. If a
background job then needs your attention, you can move it to the foreground so it
is once again attached to the terminal. (The concept of job control originated with
BSD UNIX, where it appeared in the C Shell.)

A LARGE COLLECTION OF USEFUL UTILITIES
Linux includes a family of several hundred utility programs, often referred to as commands. These utilities perform functions that are universally required by users. The
sort utility, for example, puts lists (or groups of lists) in alphabetical or numerical
order and can be used to sort lists by part number, last name, city, ZIP code, telephone
number, age, size, cost, and so forth. The sort utility is an important programming
tool that is part of the standard Linux system. Other utilities allow users to create,
display, print, copy, search, and delete files as well as to edit, format, and typeset text.
The man (for manual) and info utilities provide online documentation for Linux.

INTERPROCESS COMMUNICATION
Pipes and filters

Linux enables users to establish both pipes and filters on the command line. A pipe
sends the output of one program to another program as input. A filter is a special
kind of pipe that processes a stream of input data to yield a stream of output data.
A filter processes another program's output, altering it as a result. The filter's output
then becomes input to another program.
Pipes and filters frequently join utilities to perform a specific task. For example, you
can use a pipe to send the output of the sort utility to head (a filter that lists the first
ten lines of its input); you can then use another pipe to send the output of head to a
third utility, lpr, that sends the data to a printer. Thus, in one command line, you can
use three utilities together to sort and print part of a file.
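
The sort | head | lpr pipeline from this passage, together with the redirection and shell-function features described earlier, as an added example that is not from the book; the customer list is constructed, and output redirection to a file stands in for lpr so that it runs without a printer.

```sh
#!/bin/sh
# Added example (not from the book): a pipeline of filters built into a shell
# function, with input and output redirected to files. The customer records
# are constructed for this example; writing to a file stands in for lpr.

# Write the constructed sample list (name, city, ZIP code) to the named file.
write_sample_data() {
    cat > "$1" <<'EOF'
Kim Sacramento 95814
Lee Denver 80202
Ortiz Austin 78701
Nakamura Boston 02108
Patel Chicago 60601
Wu Seattle 98101
EOF
}

# Filter: sort the records numerically on field 3 (the ZIP code) and keep the
# first N. It reads standard input and writes standard output, so it behaves
# the same whether its input arrives from a file (<) or from a pipe (|).
lowest_zips() {
    sort -k3,3n | head -n "$1"
}

# Run the whole pipeline: input redirected from the list file, N records kept,
# output redirected to a report file instead of being piped to lpr.
report_lowest_zips() {
    lowest_zips "$3" < "$1" > "$2"
}

# Stand-alone demonstration with temporary files.
demo() {
    list=$(mktemp); report=$(mktemp)
    write_sample_data "$list"
    report_lowest_zips "$list" "$report" 2
    printf 'two lowest ZIP codes:\n'; cat "$report"
    # The same filter fed by another program through a pipe:
    grep Austin "$list" | lowest_zips 1
    rm -f "$list" "$report"
}

demo
```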

SYSTEM ADMINISTRATION
On a Linux system the system administrator is frequently the owner and only user
of the system. This person has many responsibilities. The first responsibility may
be to set up the system, install the software, and possibly edit configuration files.
Once the system is up and running, the system administrator is responsible for
downloading and installing software (including upgrading the operating system),
backing up and restoring files, and managing such system facilities as printers, terminals, servers, and a local network. The system administrator is also responsible
for setting up accounts for new users on a multiuser system, bringing the system
up and down as needed, monitoring the system, and taking care of any problems
that arise.

ADDITIONAL FEATURES OF LINUX
The developers of Linux included features from BSD, System V, and Sun Microsystems' Solaris, as well as new features, in their operating system. Although most of
the tools found on UNIX exist for Linux, in some cases these tools have been
replaced by more modern counterparts. This section describes some of the popular
tools and features available under Linux.

GUIs: GRAPHICAL USER INTERFACES
The X Window System (also called X or X11) was developed in part by researchers at
MIT (Massachusetts Institute of Technology) and provides the foundation for the
GUIs available with Linux. Given a terminal or workstation screen that supports X, a
user can interact with the computer through multiple windows on the screen, display
graphical information, or use special-purpose applications to draw pictures, monitor
processes, or preview formatted output. X is an across-the-network protocol that
allows a user to open a window on a workstation or computer system that is remote
from the CPU generating the window.
Desktop manager

Usually two layers run on top of X: a desktop manager and a window manager. A desktop manager is a picture-oriented user interface that enables you to interact with system
programs by manipulating icons instead of typing the corresponding commands to a shell.

Figure 1-3 A GNOME workspace

Ubuntu runs the GNOME desktop manager (Figure 1-3; www.gnome.org) by default,
but it can also run KDE (www.kde.org) and a number of other desktop managers.
Window manager

A window manager is a program that runs under the desktop manager and allows
you to open and close windows, run programs, and set up a mouse so it has different
effects depending on how and where you click. The window manager also gives the
screen its personality. Whereas Microsoft Windows allows you to change the color of
key elements in a window, a window manager under X allows you to customize the
overall look and feel of the screen: You can change the way a window looks and
works (by giving it different borders, buttons, and scrollbars), set up virtual desktops,
create menus, and more.
Several popular window managers run under X and Linux. Ubuntu Linux provides
both Metacity (the default under GNOME) and kwin (the default under KDE).
Other window managers, such as Sawfish and WindowMaker, are also available.
Chapters 4 and 8 present information on GUIs.

INTERNETWORKING UTILITIES
Linux network support includes many utilities that enable you to access remote systems over a variety of networks. In addition to sending email to users on other systems,
you can access files on disks mounted on other computers as if they were located on
the local system, make your files available to other systems in a similar manner, copy
files back and forth, run programs on remote systems while displaying the results on
the local system, and perform many other operations across local area networks
(LANs) and wide area networks (WANs), including the Internet.
Layered on top of this network access is a wide range of application programs that
extend the computer's resources around the globe. You can carry on conversations
with people throughout the world, gather information on a wide variety of subjects,
and download new software over the Internet quickly and reliably. Chapter 10 discusses networks, the Internet, and the Linux network facilities.

SOFTWARE DEVELOPMENT
One of Linux's most impressive strengths is its rich software development environment. Linux supports compilers and interpreters for many computer languages.
Besides C and C++, languages available for Linux include Ada, Fortran, Java, Lisp,
Pascal, Perl, and Python. The bison utility generates parsing code that makes it easier to write programs to build compilers (tools that parse files containing structured information). The flex utility generates scanners (code that recognizes lexical
patterns in text). The make utility and the GNU Configure and Build System make
it easier to manage complex development projects. Source code management systems, such as CVS, simplify version control. Several debuggers, including ups and
gdb, can help you track down and repair software defects. The GNU C compiler
(gcc) works with the gprof profiling utility to help programmers identify potential
bottlenecks in a program's performance. The C compiler includes options to perform extensive checking of C code, thereby making the code more portable and
reducing debugging time. Table B-4 on page 1104 lists some sites you can download software from.

CONVENTIONS USED IN THIS BOOK
This book uses conventions to make its explanations shorter and clearer. The following paragraphs describe these conventions.
Widgets

A widget is a simple graphical element that a user interacts with, such as a text box,
radio button, or combo box. When referring to a widget, this book specifies the
type of widget and its label. The term "tick" refers to the mark you put in a check
box, sometimes called a check mark. For example, "put a tick in the check box
labeled Run in terminal." See the glossary for definitions of various widgets.

Tabs and frames

Tabs allow windows to display sets of related information, one set at a time. For
example, Figure 4-12 on page 114 shows the Appearance Preferences window, which
has four tabs; the Theme tab is highlighted. A frame isolates a set of information
within a window. See Figure 14-3 on page 551 for an example.

Menu selection path

The menu selection path is the name of the menu or the location of the menu, followed by a colon, a SPACE, and the menu selections separated by ⇒ markers. The
entire menu selection path appears in bold type. You can read Main menu: System⇒
Preferences⇒Appearance as "From the Main menu, select System; from System,
select Preferences; and then select Appearance."

Text and examples

The text is set in this type, whereas examples are shown in a monospaced font (also
called a fixed-width font):
$ cat practice
This is a small file I created
with a text editor.

Items you enter

Everything you enter at the keyboard is shown in a bold typeface. Within the text,
this bold typeface is used; within examples and screens, this one is used. In the previous example, the dollar sign ($) on the first line is a prompt that Linux displays, so
it is not bold; the remainder of the first line is entered by a user, so it is bold.

Utility names

Names of utilities are printed in this sans serif typeface. This book references the
emacs text editor and the ls utility or ls command (or just ls) but instructs you to
enter ls -a on the command line. In this way the text distinguishes between utilities,
which are programs, and the instructions you give on the command line to invoke
the utilities.

Filenames

Filenames appear in a bold typeface. Examples are memo5, letter.1283, and reports.
Filenames may include uppercase and lowercase letters; however, Linux is case sensitive (page 1139), so memo5, MEMO5, and Memo5 name three different files.

Character strings

Within the text, characters and character strings are marked by putting them in a
bold typeface. This convention avoids the need for quotation marks or other delimiters before and after a string. An example is the following string, which is displayed
by the passwd utility: Sorry, passwords do not match.

Buttons and labels

Words appear in a bold typeface in the sections of the book that describe a GUI.
This font indicates you can click a mouse button when the mouse pointer is over
these words on the screen or over a button with this name: Click Next.

Keys and characters

This book uses SMALL CAPS for three kinds of items:
• Keyboard keys, such as the SPACE bar and the RETURN,⁸ ESCAPE, and TAB keys.
• The characters that keys generate, such as the SPACEs generated by the SPACE bar.
• Keyboard keys that you press with the CONTROL key, such as CONTROL-D. (Even
though D is shown as an uppercase letter, you do not have to press the SHIFT
key; enter CONTROL-D by holding the CONTROL key down and pressing d.)

Prompts and RETURNS

Most examples include the shell prompt—the signal that Linux is waiting for a
command—as a dollar sign ($), a hashmark (#), or sometimes a percent sign (%).
The prompt does not appear in a bold typeface in this book because you do not
enter it. Do not type the prompt on the keyboard when you are experimenting with
examples from this book. If you do, the examples will not work.
Examples omit the RETURN keystroke that you must use to execute them. An example
of a command line is
$ vim.tiny memo.1204

To use this example as a model for running the vim text editor, give the command
vim.tiny memo.1204 and press the RETURN key. (Press ESCAPE ZZ to exit from vim; see
page 186 for a vim tutorial.) This method of entering commands makes the examples
in the book correspond to what appears on the screen.

8. Different keyboards use different keys to move the cursor (page 1143) to the beginning of the next line. This
book always refers to the key that ends a line as the RETURN key. Your keyboard may have a RET, NEWLINE, ENTER,
RETURN, or other key. Use the corresponding key on your keyboard each time this book asks you to press RETURN.

Definitions

All glossary entries marked with FOLDOC are courtesy of Denis Howe, editor of the Free
Online Dictionary of Computing (foldoc.org), and are used with permission. This
site is an ongoing work containing definitions, anecdotes, and trivia.

OPTIONAL INFORMATION
optional

Passages marked as optional appear in a gray box. This material is not central to the
ideas presented in the chapter but often involves more challenging concepts. A good
strategy when reading a chapter is to skip the optional sections and then return to
them when you are comfortable with the main ideas presented in the chapter. This is
an optional paragraph.

URLs (Web addresses)

Web addresses, or URLs, have an implicit http:// prefix, unless ftp:// or https:// is
shown. You do not normally need to specify a prefix when the prefix is http://, but
you must use a prefix from a browser when you specify an FTP or secure HTTP site.
Thus you can specify a URL in a browser exactly as shown in this book.
Tip, caution, and security boxes

The following boxes highlight information that may be helpful while you are using or
administrating a Linux system.

This is a tip box
tip A tip box may help you avoid repeating a common mistake or may point toward additional information.

This box warns you about something
caution A caution box warns you about a potential pitfall.

This box marks a security note
security A security box highlights a potential security issue. These notes are usually intended for system
administrators, but some apply to all users.

CHAPTER SUMMARY
The Linux operating system grew out of the UNIX heritage to become a popular
alternative to traditional systems (that is, Windows) available for microcomputer
(PC) hardware. UNIX users will find a familiar environment in Linux. Distributions
of Linux contain the expected complement of UNIX utilities, contributed by programmers around the world, including the set of tools developed as part of the
GNU Project. The Linux community is committed to the continued development of
this system. Support for new microcomputer devices and features is added soon
after the hardware becomes available, and the tools available on Linux continue to
be refined. Given the many commercial software packages available to run on
Linux platforms and the many hardware manufacturers offering Linux on their systems, it is clear that the system has evolved well beyond its origin as an undergraduate project to become an operating system of choice for academic, commercial,
professional, and personal use.

EXERCISES
1. What is free software? List three characteristics of free software.
2. Why is Linux popular? Why is it popular in academia?
3. What are multiuser systems? Why are they successful?
4. What is the Free Software Foundation/GNU? What is Linux? Which parts
of the Linux operating system did each provide? Who else has helped build
and refine this operating system?
5. In which language is Linux written? What does the language have to do
with the success of Linux?
6. What is a utility program?
7. What is a shell? How does it work with the kernel? With the user?
8. How can you use utility programs and a shell to create your own applications?
9. Why is the Linux filesystem referred to as hierarchical?
10. What is the difference between a multiprocessor and a multiprocessing
system?
11. Give an example of when you would want to use a multiprocessing
system.
12. Approximately how many people wrote Linux? Why is this project
unique?
13. What are the key terms of the GNU General Public License?

PART I
INSTALLING UBUNTU LINUX
CHAPTER 2 INSTALLATION OVERVIEW 25
CHAPTER 3 STEP-BY-STEP INSTALLATION 51

2
INSTALLATION OVERVIEW

IN THIS CHAPTER
More Information 26
Planning the Installation 27
Setting Up the Hard Disk 33
LVM: Logical Volume Manager 41
The Installation Process 42
Downloading and Burning a CD/DVD 43
Using BitTorrent 46
Gathering Information About the System 47

Installing Ubuntu Linux is the process of copying operating
system files from a CD, DVD, or USB flash drive to hard
disk(s) on a system and setting up configuration files so that
Linux runs properly on the hardware. Several types of installations are possible, including fresh installations, upgrades from
older releases of Ubuntu Linux, and dual-boot installations.
This chapter discusses the installation process in general: planning,
partitioning the hard disk, obtaining the files for the installation,
burning a CD or a DVD, and collecting information about the
hardware that may be helpful for installation and administration.
Chapter 3 covers the process of installing Ubuntu.
The ubiquity utility is a user-friendly graphical tool that installs
Ubuntu. To install Ubuntu Linux on standard hardware, you can
typically insert the live/install Desktop CD or a live/install DVD
and boot the system. After you answer a few questions, you are
done. Of course, sometimes you may want to customize the system
or you may be installing on nonstandard hardware: The installer
presents you with these kinds of choices as the installation process
unfolds. Ubuntu also provides a textual installer that gives you
more control over the installation. Refer to "Booting from a
Live/Install Desktop CD or a Live/Install DVD" (page 52) and "Advanced Installation"
(page 77) for information about installing and customizing Ubuntu Linux.

THE LIVE/INSTALL DESKTOP CD AND THE LIVE/INSTALL DVD
The live/install Desktop CD and the live/install DVD run Ubuntu without installing
it on the hard disk. To boot from a live/install Desktop CD or a live/install DVD,
make sure the computer is set up to boot from a CD/DVD; see "BIOS setup" and
"CMOS" on page 28 for more information. When you boot a live/install Desktop
CD/DVD, it brings up a GNOME desktop: You are running a live session. When
you exit from the live session, the system returns to the state it was in before you
booted from the CD/DVD. If the system has a Linux swap partition (most Linux
systems have one; see page 37), the live session uses it to improve its performance
but does not otherwise write to the hard disk. You can also install Ubuntu from a
live session.
Running a live session is a good way to test hardware and fix a system that will not
boot from the hard disk. You can use a live session before you upgrade an Ubuntu
system to a new release: In some cases a new kernel may not boot. A live session is
also ideal for people who are new to Ubuntu or Linux and want to experiment with
Ubuntu but are not ready to install Ubuntu on their system.

Saving files during a live session
tip You cannot save a file to a live/install CD/DVD as these are readonly media. During a live session,
even though you may appear to save a file, it will not be there after you exit from the live session. To
save data from a live session, save it to a network share or a USB flash drive, or mail it to yourself.

MORE INFORMATION
In addition to the following references, see "Where to Find Documentation" on
page 136 and refer to Appendix B for additional resources.
Web

memtest86+: www.memtest.org
gparted (GNOME Partition Editor): gparted.sourceforge.net
Hardware compatibility: wiki.ubuntu.com/HardwareSupport
Swap space: help.ubuntu.com/community/SwapFaq
Partition HOWTO: tldp.org/HOWTO/Partition
Upgrading: www.ubuntu.com/getubuntu/upgrading
Boot command-line parameters: help.ubuntu.com/community/BootOptions and
www.tldp.org/HOWTO/BootPrompt-HOWTO.html
Releases: wiki.ubuntu.com/Releases
Release notes: www.ubuntu.com/getubuntu/releasenotes
Burning a CD: help.ubuntu.com/community/BurningIsoHowto
Installing from a USB flash drive:
help.ubuntu.com/community/Installation/FromUSBStick
RAID: help.ubuntu.com/community/Installation/SoftwareRAID,
en.wikipedia.org/wiki/RAID, and raid.wiki.kernel.org/index.php/Linux_Raid
LVM Resource Page (includes many links): sourceware.org/lvm2
LVM HOWTO: www.tldp.org/HOWTO/LVM-HOWTO
BitTorrent: help.ubuntu.com/community/BitTorrent and azureus.sourceforge.net
ARM: wiki.ubuntu.com/ARM/LucidReleaseNotes
X.org release information: wiki.x.org
Download Ubuntu

Easiest download: www.ubuntu.com/getubuntu
Released versions: releases.ubuntu.com
Minimal CD: help.ubuntu.com/community/Installation/MinimalCD
Older versions: old-releases.ubuntu.com/releases
Development images and unsupported releases: cdimage.ubuntu.com
Mac (PowerPC): wiki.ubuntu.com/PowerPCDownloads
BitTorrent torrent files: torrent.ubuntu.com/releases

PLANNING THE INSTALLATION
The major decision when planning an installation is determining how to divide the
hard disk into partitions or, in the case of a dual-boot system, where to put the
Linux partitions. Once you have installed Ubuntu, you can decide which software
packages you want to add to the base system (or whether you want to remove
some). In addition to these topics, this section discusses hardware requirements for
Ubuntu Linux and fresh installations versus upgrades.

CONSIDERATIONS
GUI

On most systems, except for servers, you probably want to install a graphical user
interface (a desktop). Ubuntu installs GNOME by default. See page 75 for information about installing KDE.
Software and services

As you install more software packages on a system, the number of updates and the
interactions between the packages increase. Server packages that listen for network
connections make the system more vulnerable by increasing the number of ways the
system can be attacked. Including additional services can also slow the system down.
If you want a system to learn on or a development system, additional packages and
services may be useful. For a more secure production system, it is best to install and
maintain the minimum number of packages required and to enable only needed services. See page 432 for information on the Upstart init daemon, which starts and
stops system services.

Minimal CD

The Minimal CD is small and provides a quick installation (page 32).
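
The attack-surface point made under "Software and services" above, as an added example that is not from the book: it separates services reachable from the network from those bound only to the loopback address, using a constructed snapshot in the format of ss -tln output with its header line removed.

```sh
#!/bin/sh
# Added example (not from the book): which listening services actually widen
# a system's attack surface. A service bound only to the loopback address is
# reachable from the local system alone; one bound to a wildcard or other
# non-loopback address accepts connections from the network. The snapshot
# below is constructed in the format of `ss -tln` with its header removed
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::1]:6010 [::]:*'

# Read socket lines on standard input; print "host port" for each LISTEN line.
# The port is the text after the last colon and the host is everything before
# it, so bracketed IPv6 addresses such as [::] are split correctly.
split_listen() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)
        host = $4; sub(/:[^:]*$/, "", host)
        print host, port
    }'
}

# Ports reachable from other hosts, one per line, numerically sorted, unique.
# Anything in 127.0.0.0/8 or [::1] is loopback and therefore excluded.
network_listeners() {
    split_listen | awk '!($1 ~ /^127\./ || $1 == "[::1]") {print $2}' | sort -un
}

# Ports that only processes on this system can reach.
loopback_listeners() {
    split_listen | awk '$1 ~ /^127\./ || $1 == "[::1]" {print $2}' | sort -un
}

# On a live Ubuntu system the same functions accept real data, e.g.
#   ss -tln | tail -n +2 | network_listeners
printf 'reachable from the network: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SOCKETS" | network_listeners | tr '\n' ' ')"
printf 'loopback only: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SOCKETS" | loopback_listeners | tr '\n' ' ')"
```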

REQUIREMENTS
Hardware

This chapter and Chapter 3 cover installing Ubuntu on 32-bit Intel and compatible
processor architectures such as AMD as well as 64-bit processor architectures such as
AMD64 processors and Intel processors with Intel EM64T technology. Within these
processor architectures, Ubuntu Linux runs on much of the available hardware. You
can view Ubuntu's list of compatible and supported hardware at
wiki.ubuntu.com/HardwareSupport. Many Internet sites discuss Linux hardware;
use Google (www.google.com) to search for linux hardware, ubuntu hardware, or
linux and the specific hardware you want more information on (for example, linux
sata or linux a8n). In addition, many HOWTOs cover specific hardware. The Linux
Hardware Compatibility HOWTO is also available, although it may not be up-to-date at the time you read it. Ubuntu Linux usually runs on the same systems Windows
runs on, unless the system includes a very new or unusual component.
The hardware required to run Ubuntu depends on which kind of system you want
to set up. A very minimal system that runs a textual (command-line) interface and
has very few software packages installed requires very different hardware from a
system that runs a GUI, has many installed packages, and supports visual effects
(page 115). Use the Alternate CD (page 32) if you are installing Ubuntu on a system
with less than 320 megabytes of RAM. If you want to run visual effects on the system, look up visual effects on help.ubuntu.com.
A network connection is invaluable for keeping Ubuntu up-to-date. A sound card is
nice to have for multimedia applications. If you are installing Ubuntu on old or
minimal hardware and want to run a GUI, consider installing Xubuntu
(www.xubuntu.org), as it provides a lightweight desktop that uses system resources
more efficiently than Ubuntu does.
RAM (memory)

An extremely minimal textual (command-line) system requires 48 megabytes of
RAM. A standard desktop system requires 320 megabytes, although you may be
able to use less RAM if you install Xubuntu. Installing Ubuntu from a live session
requires 256 megabytes, although it will run slowly if the system has less than 512
megabytes of RAM. Use the textual installer (page 85) if the system has less than
256 megabytes of RAM.
Linux makes good use of extra memory: The more memory a system has, the faster
it runs. Adding memory is one of the most cost-effective ways you can speed up a
Linux system.
Ubuntu Linux requires a minimum of a 200-megahertz Pentium-class processor or the
equivalent AMD or other processor for textual mode and at least a 400-megahertz
Pentium II processor or the equivalent for graphical mode.
Hard disk space

The amount of hard disk space Ubuntu requires depends on which edition of Ubuntu
Linux you install, which packages you install, how many languages you install, and
how much space you need for user data (your files). The operating system typically
requires 2-8 gigabytes, although a minimal system can make do with much less space.
Installing Ubuntu from a live session requires 4 gigabytes of space on a hard disk.

BIOS setup

Modern computers can be set up to boot from a CD/DVD, hard disk, or USB flash
drive. The BIOS determines the order in which the system tries to boot from each
device. You may need to change this order: Make sure the BIOS is set up to try
booting from the CD/DVD before it tries to boot from the hard disk. See page 583
for more information.

CMOS

CMOS is the persistent memory that stores hardware configuration information. To
change the BIOS setup, you need to edit the information stored in CMOS. When the
system boots, it displays a brief message about how to enter System Setup or CMOS
Setup mode. Usually you need to press DEL or F2 while the system is booting. Press the
key that is called for and then move the cursor to the screen and line that deal with
booting the system. Generally there is a list of three or four devices that the system
tries to boot from; if the first attempt fails, the system tries the second device, and so
on. Manipulate the list so that the CD/DVD is the first choice, save the list, and
reboot. Refer to the hardware/BIOS manual for more information.

PROCESSOR ARCHITECTURE
Ubuntu CDs and DVDs hold programs compiled to run on a specific processor architecture (class of processors, or CPUs). The following list describes each of the architectures Ubuntu is compiled for. See help.ubuntu.com/community/ProcessorArch for a
detailed list of processors in each architecture. Because Linux source code is available to
everyone, a knowledgeable user can compile Ubuntu Linux to run on other processor
architectures.

Should I install 32-bit or 64-bit Ubuntu on a 64-bit-capable processor?
tip

The following information may help you decide whether to install 32-bit or 64-bit Ubuntu on a 64-bit-capable processor.
• EM64T/AMD64 processors can run either version of Ubuntu equally well.
• A 64-bit distribution allows each process to address more than 4 gigabytes of RAM.
Larger address space is the biggest advantage of a 64-bit distribution. It is typically
useful only for certain engineering/scientific computational work and when you are
running multiple virtual machines.
• A 64-bit processor is not faster than a 32-bit processor in general; most benchmarks show
more or less similar performance. In some cases the performance is better and in some
cases it is worse: There is no clear performance advantage for either type of processor.
• The memory model for 64-bit Linux makes pointers twice as big as those in 32-bit
Linux. This size difference translates to a more than 5 percent RAM usage increase,
depending on the application. If a system is low on RAM, this overhead may make
performance worse.
• ASLR (Address Space Layout Randomization) works better with the larger address
space provided by 64-bit Ubuntu, because there are more address bits to randomize and
the layout is therefore harder for an attacker to guess. ASLR can help improve system
security. See en.wikipedia.org/wiki/Address_space_layout_randomization.
• Some multimedia encoders run 10-30 percent faster under 64-bit Ubuntu.
• Because more people are using 32-bit Linux, bugs in 32-bit Linux tend to be discovered
and fixed faster than those in 64-bit Linux.
• Ubuntu can set up Flashplayer and Java with a single click on 64-bit systems just as it
can on 32-bit systems. However, for some applications, such as Skype, you must
apply ugly workarounds to run them on 64-bit systems.
• There is no simple way to go back and forth between 32-bit and 64-bit versions of
Ubuntu without reinstalling Ubuntu.
• If you are not sure which distribution to use, install the 32-bit version of Ubuntu.

30

CHAPTER 2

INSTALLATION OVERVIEW

i386 (Intel x86)

Software on an Ubuntu PC (Intel x86) CD/DVD is compiled to run on Intel x86-compatible
processors, including most machines with Intel and AMD processors,
almost all machines that run Microsoft Windows, and newer Apple Macintosh
machines that use Intel processors. If you are not sure which type of processor a
machine has, assume it has this type of processor.

amd64 (AMD64 and Intel EM64T)

Software on an Ubuntu 64-bit PC (AMD64) CD/DVD is compiled to run on
AMD64 processors, including the Athlon64, Opteron, and Intel 64-bit processors
that incorporate EM64T technology, such as the EM64T Xeon. Because some features
of proprietary third-party applications are not available for the 64-bit architecture,
you may want to run Ubuntu compiled for a 32-bit (Intel x86) processor on a
system with a 64-bit processor.

armel+dove Dove refers to the Marvell Dove System-on-Chip (code name for the Armada 500).
This all-in-one chipset features an ARM general processor and a specific set of peripherals. For more information see www.ubuntu.com/products/whatisubuntu/arm and
wiki.ubuntu.com/ARM/LucidReleaseNotes.
powerpc (PowerPC)

Ubuntu does not officially support the IBM/Motorola PowerPC (used by older
Apple Macintosh computers), but extensive community support for this processor
architecture is available. See wiki.ubuntu.com/PowerPCFAQ for more information
about running Ubuntu on a PowerPC. You can download PowerPC versions of
Ubuntu from wiki.ubuntu.com/PowerPCDownloads.

sparc (Sun SPARC)

Ubuntu supports UltraSPARC machines, including those based on the multicore
UltraSPARC T1 (Niagara) processors.

ia64 (Intel IA-64)

Ubuntu supports the Itanium family of 64-bit Intel processors.

INTERFACES: INSTALLER AND INSTALLED SYSTEM
When you install Ubuntu, you have a choice of interfaces to use while you install it
(to work with the installer). You also have a choice of interfaces to use to work with
the installed system. This section describes the two basic interfaces: textual and
graphical.
Textual (CLI)

A textual interface, also called a command-line interface (CLI) or character-based
interface, displays characters and some simple graphical symbols. It is line oriented;
you give it instructions using a keyboard only.

Graphical (GUI)

A graphical user interface (GUI) typically displays a desktop (such as GNOME) and
windows; you give it instructions using a mouse and keyboard. You can run a textual
interface within a GUI by opening a terminal emulator window (page 125). A GUI
uses more computer resources (CPU time and memory) than a textual interface does.

Pseudographical

A pseudographical interface is a textual interface that takes advantage of graphical
elements on a text-based display device such as a terminal. It may also use color.
This interface uses text elements, including simple graphical symbols, to draw rudimentary boxes that emulate GUI windows and buttons. Typically, pressing the TAB key moves the cursor from one element to the next and pressing the RETURN key
selects the element the cursor is on.

Figure 2-1 Graphical (left) and textual (pseudographical, right) installers
[Screenshots not reproduced; both show the installer's time zone selection step ("Where are you?").]

Advantages

A GUI is user friendly, whereas the textual interface is compact, uses fewer system
resources, and can work on a text-only terminal or over a text-only connection.
Because it is more efficient, a textual interface is useful for older, slower systems and
systems with minimal amounts of RAM. Server systems frequently use a textual
interface because it allows the system to dedicate more resources to carrying out the
job it is set up to do and fewer resources to pleasing the system administrator. Not
running a GUI can also improve system security: a desktop environment adds a large
body of software that must be kept patched, so a system without one exposes less
to attack.
Even though it uses a graphical interface, Ubuntu's live installer installs Ubuntu
faster than the textual installer. The live installer copies an installed system image to
the hard disk and then sets up the system, whereas the textual installer uses APT
and dpkg to unpack hundreds of packages one by one.

Installer interfaces

Ubuntu provides a user-friendly graphical installer (ubiquity) as well as an efficient
pseudographical installer (debian-installer) that offers more options and gives you
greater control over the installation (Figure 2-1). Both interfaces accomplish the
same task: They enable you to tell the installer how you want it to configure
Ubuntu.

UBUNTU RELEASES
Canonical, the company that supports Ubuntu, distributes a new release about every
six months. Each release has both a number and a name. The number comprises the
last one or two digits of the year and the two digits of the month of the release. For
example, the 9.10 release was released in October 2009. In sequence, recent releases
are 7.10 (Gutsy Gibbon), 8.04 (Hardy Heron), 8.10 (Intrepid Ibex), 9.04 (Jaunty
Jackalope), 9.10 (Karmic Koala), and 10.04 (Lucid Lynx). Ubuntu supports (i.e.,
provides updates for, including security updates) each release for at least 18 months.
For a complete list of Ubuntu releases, see wiki.ubuntu.com/Releases.
LTS releases

Some releases of Ubuntu are marked LTS (long-term support); for example, Lucid
Lynx is an LTS release. Canonical supports LTS releases for three years for a desktop
system and for five years for a server system. LTS releases are designed for people
who are more interested in having a stable, unchanging operating system rather than
the latest, fastest version. Large and corporate installations, servers, and highly customized distributions frequently fall into this category. You can install and upgrade
an LTS release just as you would any other release.

UBUNTU EDITIONS
Each Ubuntu release disk is called an edition. Following is an overview of each disk.
Table 3-1 on page 78 lists the selections available on each disk menu.
The DVD is a live/install DVD (page 26); you can use it to boot into a live session. You
can install Ubuntu from a live session (page 57). This DVD is available for PC and 64-bit
PC architectures (page 29), uses the graphical or textual installer, and installs an
Ubuntu system that displays either a graphical or a textual interface. The DVD includes
all software packages supported by Ubuntu, not just those installed by default. It is an
excellent resource for someone with a system that has no Internet connection.
Desktop CD

The Desktop CD is a live/install CD (page 26); you can use it to boot into a live session. You can install Ubuntu from a live session (page 57). This CD is available for
PC and 64-bit PC architectures (page 29), uses the graphical installer, and installs a
graphical (desktop) Ubuntu system.

Alternate CD

The Alternate Install CD is not a live CD; it is intended for special installations only.
It presents more advanced installation options than the Desktop CD does. This CD
is available for PC and 64-bit PC architectures (page 29), uses the textual installer,
and installs an Ubuntu system that displays either a graphical or a textual interface.

Server CD

The Server CD is not a live CD; it is intended for installation only. This CD is available for PC, 64-bit PC, and SPARC architectures (page 29). It uses the textual
installer and installs an Ubuntu system that displays a textual interface (no desktop). During installation, the Server CD gives you the option of installing any of
several servers including DNS and LAMP (Linux, Apache, MySQL, and PHP). A
system installed using this CD has no open ports (page 401) and includes only software essential to a server.

Minimal CD

Not an official edition, the Minimal CD is small (5-20 megabytes) and provides a
quick installation. Because it downloads software packages while it installs the
system, you do not have to update the packages immediately after you install the
system. Also, the Minimal CD installs only those packages required to install
Ubuntu, so installing with this CD results in a minimal system. You can install
additional packages once the system is up and running. The Minimal CD uses the
textual installer (page 85), which also allows this CD to be compact. For more
information see help.ubuntu.com/community/Installation/MinimalCD.

INSTALLING A FRESH COPY OR UPGRADING AN EXISTING
UBUNTU SYSTEM?
Clean install

An installation, sometimes referred to as a clean install, writes all fresh data to a
disk. The installation program overwrites all system programs and data as well as
the kernel. You can preserve some user data during an installation depending on
where it is located and how you format/partition the hard disk. Alternatively, you
can perform a clean install on an existing system without overwriting data by setting up a dual-boot system (page 76).

If you have a system running Ubuntu, upgrade instead of install
tip Ubuntu recommends that, if you have a system running Ubuntu and want to run a newer release,
you upgrade the release on the system. The rationale for this recommendation is twofold. First,
the upgrade path is more aggressively tested by Ubuntu developers than are the installers. Thus
you are less likely to run into problems with an upgrade. Second, an upgrade preserves the system
settings and applications, making an upgrade easier to perform than a clean install.
Upgrade

An upgrade replaces all installed software packages with the most recent version
available on the new release. During an upgrade, the installation program preserves
both system configuration and user data files. An upgrade brings utilities that are
present in the old release up-to-date and installs new utilities. Before you upgrade a
system, back up all files on the system.
In general, all new features are provided by an upgrade. However, GRUB is not
automatically updated to GRUB 2 (page 584) during an upgrade. For information
on upgrading from GRUB to GRUB 2, see help.ubuntu.com/community/Grub2. See
page 74 for instructions on upgrading an Ubuntu system to a new release. See
www.ubuntu.com/getubuntu/releasenotes to learn about features that will not take
effect with an upgrade.

SETTING UP THE HARD DISK
Free space

A hard disk must be prepared in several ways so Linux can write to and read from
it. Low-level formatting is the first step in preparing a disk for use. You do not need
to perform this task, as it is done at the factory where the hard disk is manufactured. The next steps in preparing a hard disk for use are to write a partition table
to it and to create partitions on the disk. Finally, you need to create a filesystem on
each partition. The area of a partitioned disk that is not occupied by partitions is
called free space. A new disk has no partition table, no partitions, and no free space.
Under DOS/Windows, the term formatting means creating a filesystem on a partition; see "Filesystems" below.

Partitions A partition, or slice, is a logical section of a hard disk that has a device name, such
as /dev/sda1, so you can refer to it separately from other sections. For normal use,
you must create at least one partition on a hard disk (pages 34 and following).
From a live session, and after you install Ubuntu, you can use the GNOME Partition Utility (page 66) to view, resize, and create partitions on an existing system.
During installation, you can use the graphical partition editor (pages 60 and 70) or
the textual partition editor (page 87) to create partitions. After installation, you can
use parted (page 611) or fdisk to manipulate partitions. See /dev on page 488 for
more information on device names.
Partition table

A partition table holds information about the partitions on a hard disk. Before the
first partition can be created on a disk, the program creating the partition must set
up an empty partition table on the disk. As partitions are added, removed, and
modified, information about these changes is recorded in the partition table. If you
remove the partition table, you can no longer access information on the disk except
by extraordinary means.
Filesystems

Before most programs can write to a partition, a data structure (page 1144), called
a filesystem, needs to be written to the partition. This data structure holds inodes
(page 501) that map locations on the disk that store files to the names of the files.
At the top of the data structure is a single unnamed directory. As will be explained
shortly, this directory joins the system directory structure when the filesystem is
mounted.
When the Ubuntu installer creates a partition, it automatically writes a filesystem to
the partition. You can use the mkfs (make filesystem; page 458) utility, which is similar to the DOS/Windows format utility, to manually create a filesystem on a partition. Table 12-1 on page 505 lists some common types of filesystems. Ubuntu Linux
typically creates ext4 filesystems for data; unless you have reason to use another
filesystem type, use ext4. Windows uses FAT16, FAT32, and NTFS filesystems.
Apple uses HFS (Hierarchical Filesystem) and HFS+. OS X uses either HFS+ or
UFS. Different types of filesystems can coexist in different partitions on a single
hard disk, including both Windows and Linux filesystems.

PRIMARY, EXTENDED, AND LOGICAL PARTITIONS
You can divide an IDE/ATA/SATA disk into a maximum of 63 partitions and a
SCSI disk into a maximum of 15 partitions. You can use each partition independently for swap devices, filesystems, databases, other resources, and even other
operating systems.
Primary and
extended partitions

Unfortunately, disk partitions follow the template established for DOS machines a
l o n g time ago. At most, a disk can hold four primary partitions. You can divide one
(and only one) of these primary partitions into multiple logical partitions; this
divided primary partition is called an extended partition. If you want more than
four partitions on a drive—and you frequently do—you must set up an extended
partition.
A typical disk is divided into three primary partitions (frequently numbered 1, 2,
and 3) and one extended partition (frequently numbered 4). The three primary partitions are the sizes you want the final partitions to be. The extended partition occupies the rest of the disk. Once you establish the extended partition, you can
subdivide it into additional logical partitions (numbered 5 or greater), each of
which is the size you want. You cannot use the extended partition (number 4)—only
the logical partitions it holds. Figure 16-5 on page 611 illustrates the disk described
in this paragraph. See the Linux Partition HOWTO (tldp.org/HOWTO/Partition)
for more information.

THE LINUX DIRECTORY HIERARCHY
Skip this section for a basic installation
tip This section briefly describes the Linux directory hierarchy so you may better understand some
of the decisions you may need to make when you divide the hard disk into partitions while installing Linux. You do not have to read this section to install Linux. You can use guided partitioning
(pages 60 and 70) to set up the disk and return to this section when and if you want to. See the
beginning of Chapter 6 for a more thorough explanation of the Linux directory hierarchy.
Namespace

A namespace is a set of names (identifiers) in which each name is unique.

Windows versus Linux

As differentiated from a Windows machine, a Linux system presents a single
namespace that holds all files, including directories, on the local system. The Linux
system namespace is called the directory hierarchy or directory tree. Under Windows, C:\ is a separate namespace from D:\. The directory hierarchy rooted at C:\ is
separate from the directory hierarchy rooted at D:\ and there is no path or connection between them. Under Linux, the single system namespace is rooted at /, which
is the root directory. Under the root directory are top-level subdirectories such as
bin, boot, etc, home, and usr.

Absolute pathnames

All files on a Linux system, including directories, have a unique identifier called an
absolute pathname. An absolute pathname traces a path through the directory hierarchy starting at the root directory and ending at the file or directory identified by
the pathname. Thus the absolute pathname of the top-level directory named home
is /home. See page 205 for more information.

Slashes (/) in pathnames

Within a pathname, a slash (/) follows (appears to the right of) the name of a directory. Thus /home/sam specifies that the ordinary or directory file named sam is
located in the directory named home, which is a subdirectory of the root directory
(/). The pathname /home/sam/ (with a trailing slash) specifies that sam is a directory file. In most instances this distinction is not important. The root directory is
implied when a slash appears at the left end of a pathname or when it stands alone.

Linux system namespace

The Linux system namespace comprises the set of absolute pathnames of all files,
including directories, in the directory hierarchy of a system.

MOUNT POINTS
A filesystem on a partition holds no information about where it will be mounted in
the directory hierarchy (the top-level directory of a filesystem does not have a
name). When you use the installer to create most partitions, you specify the type of
filesystem to be written to the partition and the name of a directory that Ubuntu
associates with the partition.
Mounting a filesystem associates the filesystem with a directory in the directory
hierarchy. You can mount a filesystem on any directory in the directory hierarchy.

The directory that you mount a filesystem on is called a mount point. The directory
you specify when you use the installer to create a partition is the mount point for
the partition. Most mount points are top-level subdirectories, with a few exceptions
(such as /usr/local, which is frequently used as a mount point).

Do not create files on mount points before mounting a filesystem
caution Do not put any files in a directory that is a mount point while a filesystem is not mounted on that
mount point. Any files in a directory that is used as a mount point are covered up while the filesystem is mounted on that directory; you will not be able to access them. They reappear when the
filesystem is unmounted.
For example, suppose the second partition on the first hard disk has the device
name /dev/sda2. To create an ext4 filesystem that you want to appear as /home in
the directory hierarchy, you must instruct Linux to mount the /dev/sda2 partition
on /home when the system boots. With this filesystem mounted on its normal
mount point, you can access it as the /home directory.
Filesystem independence

The state of one filesystem does not affect other filesystems: One filesystem on a
drive may be corrupt and unreadable, while other filesystems function normally.
One filesystem may be full so you cannot write to it, while others have plenty of
room for more data.

/etc/fstab The file that holds the information relating partitions to mount points is /etc/fstab
(filesystem table; page 510). The associations stored in the fstab file are the normal
ones for the system, but you can easily override them. When you work in recovery
mode, you may mount a filesystem on the /target directory so you can repair the
filesystem. For example, if you mount on /target the partition holding the filesystem
normally mounted on /home, the directory you would normally find at /home/sam
will be found at /target/sam.
Naming partitions and filesystems

A partition and any filesystem it holds have no name or identification other than a
device name (and a related UUID value—see page 510). Instead, the partition and
the filesystem are frequently referred to by the name of the partition's normal
mount point. Thus "the /home partition" and "the /home filesystem" refer to the
partition that holds the filesystem normally mounted on the /home directory. See
page 506 for more information on mounting filesystems.

PARTITIONING A DISK
During installation, the installer calls a partition editor to set up disk partitions.
This section discusses how to plan partition sizes. Although this section uses the
term partition, planning and sizing LVs (logical volumes; page 41) works the same
way. For more information refer to pages 64 and 70 and to the Linux Partition
HOWTO at www.tldp.org/HOWTO/Partition.
GUIDED PARTITIONING
It can be difficult to plan partition sizes appropriately if you are not familiar with
Linux. During installation, Ubuntu provides guided partitioning. Without asking
any questions, guided partitioning divides the portion of the disk allotted to Ubuntu
into two partitions. One partition is the swap partition, which can be any size from
512 megabytes to 2 or more gigabytes. The other partition is designated as / (root)
and contains the remainder of the disk space. The next section discusses the advantages of manual partitioning.

GiB versus GB
tip Historically a gigabyte (GB) meant either 2^30 (1,073,741,824) or 10^9 (1,000,000,000) bytes.
Recently the term gibibyte (giga binary byte; abbreviated as GiB) has been used to mean 2^30 bytes;
in turn, gigabyte is used more frequently to mean 10^9 bytes. Similarly, a mebibyte (MiB) is 2^20
(1,048,576) bytes. The Ubuntu partition editor uses mebibytes and gibibytes for specifying the
size of partitions. See wiki.ubuntu.com/UnitsPolicy for information about the Ubuntu policy
regarding this issue.
MANUAL PARTITIONING: PLANNING PARTITIONS
If you decide to manually partition the hard disk and set up partitions other than a
root partition (/) and a swap partition, first consider which kinds of activities will
occur under each top-level subdirectory. Then decide whether it is appropriate to
isolate that subdirectory by creating a filesystem in a partition and mounting it on
its own mount point. Advantages of creating additional filesystems include the following points:
• Separating data that changes frequently (e.g., /var and /home) from data
that rarely changes (e.g., /usr and /boot) can reduce fragmentation on the
less frequently changing filesystems, helping to maintain optimal system
performance.
• Isolating filesystems (e.g., /home) can preserve data when you reinstall
Linux.
• Additional filesystems can simplify backing up data on a system.
• If all directories are part of a single filesystem, and if a program then runs
amok or the system is the target of a DoS attack (page 1146), the entire
disk can fill up. System accounting and logging information, which may
contain data that can tell you what went wrong, may be lost. On a system
with multiple filesystems, such problems typically fill a single filesystem
and do not affect other filesystems. Data that may help determine what
went wrong will likely be preserved and the system is less likely to crash.
/ (root) The following paragraphs discuss the advantages of making each of the major
top-level subdirectories a separate, mountable filesystem. Any directories you do
not create filesystems for automatically become part of the root (/) filesystem.
For example, if you do not create a /home filesystem, /home is part of the root (/)
filesystem.
(swap) Linux temporarily stores programs and data on a swap partition when it does not
have enough RAM to hold all the information it is processing. The swap partition is
also used when you hibernate (suspend to disk) a system. The size of the swap partition should be between one and two times the size of the RAM in the system, with a
minimum size of 256 megabytes and a maximum around 2 gigabytes. The worst-case
hibernation requires a swap size that is one and a half times the size of RAM. For
example, a system with 1 gigabyte of RAM should have a 1- to 2-gigabyte swap partition. Although a swap partition is not required, most systems perform better when
one is present. On a system with more than one drive, having swap partitions on each
drive can improve performance even further. A swap partition is not mounted, so it is
not associated with a mount point. See swap on page 498 for more information.
/boot The /boot partition holds the kernel and other data the system needs when it boots.
This partition is typically approximately 100 megabytes, although the amount of
space required depends on how many kernel images you want to keep on hand. It
can be as small as 50 megabytes.
Although you can omit the /boot partition, it is useful in many cases. Many administrators put an ext2 filesystem on this partition because the data on it does not change
frequently enough to justify the overhead of the ext4 journal. Systems that use software RAID (page 40) or LVM (page 41) require a separate /boot partition. Some
BIOSs, even on newer machines, require the /boot partition [or the / (root) partition
if there is no /boot partition] to appear near the beginning of the disk (page 583).

Where to put the /boot partition
caution On some systems, the /boot partition must reside completely below cylinder 1023 of the hard disk.
An easy way to ensure compliance with this restriction is to make the /boot partition one of the
first partitions on the disk. When a system has more than one hard disk, the /boot partition must
also reside on a drive in the following locations:
• Multiple IDE or EIDE drives: the primary controller
• Multiple SCSI drives: ID 0 or ID 1
• Multiple IDE and SCSI drives: the primary IDE controller or SCSI ID 0
/var The name var is short for variable: The data in this partition changes frequently.
Because it holds the bulk of system logs, package information, and accounting data,
making /var a separate partition is a good idea. Then, if a user runs a job that consumes all of the users' disk space, system log files in /var/log will not be affected.
The /var partition can occupy from 500 megabytes to as much as several gigabytes
for extremely active systems with many verbose daemons and a lot of printer and
mail activity (the print queues reside in /var/spool/cups and incoming mail is stored
in /var/mail). For example, software license servers are often extremely active systems. By default, Apache content (the Web pages it serves) is stored on /var under
Ubuntu; you may want to change the location Apache uses.
Although such a scenario is unlikely, many files or a few large files may be created
under the /var directory. Creating a separate filesystem to hold the files in /var will
prevent these files from overrunning the entire directory structure, bringing the system to a halt, and possibly creating a recovery problem.

/var/log Some administrators choose to put the log directory in a separate partition to isolate
system logs from other files in the /var directory.
/home It is a common strategy to put user home directories on their own filesystem. Such a
filesystem is usually mounted on /home. Having /home as a separate filesystem
allows you to perform a clean install without risking damage to or loss of user files.
Also, having a separate /home filesystem prevents a user from filling the directory
structure with her data; at most she can fill the /home filesystem, which will affect
other users but not bring the system down.

Set up partitions to aid in making backups
tip Plan partitions based on which data you want to back up and how often you want to back it up.
One very large partition can be more difficult to back up than several smaller ones.
/usr Separating the /usr partition can be useful if you plan to export /usr to another system and want the isolation a separate partition can give (for example, it can be
mounted read-only). Many administrators
put an ext2 filesystem on this partition because the data on it does not change frequently enough to justify the overhead of the ext4 journal. The size of /usr depends
on the number of packages you install. On a default system, it is typically 2-4
gigabytes.
/usr/local and /opt Both /usr/local and /opt are candidates for separation. If you plan to install many
packages in addition to Ubuntu Linux, such as on an enterprise system, you may
want to keep them on a separate partition. If you install the additional software in
the same partition as the users' home directories, for example, it may encroach on
the users' disk space. Many sites keep all /usr/local or /opt software on one server;
from there, they export the software to other systems. If you choose to create a
/usr/local or /opt partition, its size should be appropriate to the software you plan
to install.
Table 2-1 gives guidelines for minimum sizes for partitions used by Linux. Set the
sizes of other partitions, such as those for /home, /opt, and /usr/local, according to
need and the size of the hard disk. If you are not sure how you will use additional
disk space, you can create extra partitions using whatever names you like (for
example, /b01, /b02, and so on). Of course, you do not have to partition the entire
drive when you install Linux; you can wait until later to divide the additional space
into partitions.
Table 2-1 Example minimum partition sizes (a)

Partition    Example size
/boot        50-100 megabytes
/ (root)     1 gigabyte
(swap)       One to two times the amount of RAM in the system with a minimum of 256 megabytes
/home        As large as necessary; depends on the number of users and the type of work they do
/tmp         Minimum of 500 megabytes
/usr         Minimum of 2-16 gigabytes; depends on which and how many software packages you install
/var         Minimum of 500 megabytes—much larger if you are running a server

a. The sizes in this table assume you create all partitions separately. For example, if you create a 1-gigabyte
/ (root) partition and do not create a /usr partition, in most cases you will not have enough room to store
all of the system programs.

CHAPTER 2 INSTALLATION OVERVIEW

RAID

RAID (Redundant Array of Inexpensive/Independent Disks) employs two or more
hard disk drives or partitions in combination to improve fault tolerance and/or performance. Applications and utilities see these multiple drives/partitions as a single
logical device. RAID, which can be implemented in hardware or software (Ubuntu
gives you this option), spreads data across multiple disks. Depending on which level
you choose, RAID can provide data redundancy to protect data in the case of hardware failure. Although it can improve disk performance by increasing read/write
speed, software RAID uses quite a bit of CPU time, which may be a consideration.
True hardware RAID requires hardware designed to implement RAID and is not
covered in this book (but see "Fake RAID" on the next page).

RAID does not replace backups
caution The purposes of RAID are to improve performance and/or to minimize downtime in the case of a
disk failure. RAID does not replace backups.
Do not use RAID as a replacement for regular backups. If the system experiences a catastrophic
failure, RAID is useless. Earthquake, fire, theft, and other disasters may leave the entire system
inaccessible (if the hard disks are destroyed or missing). RAID also does not take care of the simple
case of replacing a file when a user deletes it by accident. In these situations, a backup on a removable medium (which has been removed) is the only way you will be able to restore a filesystem.
RAID can be an effective addition to a backup. Ubuntu offers RAID software that
you can install either when you install an Ubuntu system or as an afterthought. The
Linux kernel automatically detects RAID arrays (sets of partitions) at boot time if
the partition ID is set to 0xfd (raid autodetect).
Software RAID, as implemented in the kernel, is much cheaper than hardware
RAID. Not only does this approach avoid the need for specialized RAID disk controllers, but it also works with the less expensive ATA disks as well as SCSI disks.

Fake RAID

Ubuntu does not officially support motherboard-based RAID (known as fake
RAID) but accepts it through the dmraid driver set. Linux software RAID is almost
always better than fake RAID. See help.ubuntu.com/community/FakeRaidHowto
for more information.
The partition editor on the Alternate CD gives you the choice of implementing
RAID level 0, 1, or 5. For levels 1 and 5, be sure to put member partitions on different drives. That way, if one drive fails, your data will be preserved.
• RAID level 0 (striping)—Improves performance but offers no redundancy.
The storage capacity of the RAID device is equal to that of the member
partitions or disks.
• RAID level 1 (mirroring)—Provides simple redundancy, improving data
reliability, and can improve the performance of read-intensive applications. The storage capacity of the RAID device is equal to one of the member partitions or disks.
• RAID level 5 (disk striping with parity)—Provides redundancy and
improves performance (most notably, read performance). The storage
capacity of the RAID device is equal to that of the member partitions or
disks, minus one of the partitions or disks (assuming they are all the same
size).
• RAID level 6 (disk striping with double parity)—Improves upon level 5
RAID by protecting data when two disks fail at once. Level 6 RAID is inefficient with a small number of drives.
• RAID level 10 (mirroring and striping)—A combination of RAID 1 and
RAID 0 (also called RAID 1+0), RAID 10 uses mirroring to improve fault
tolerance and striping to improve performance. Multiple RAID 1 arrays
(mirroring) are overlaid with a RAID 0 array (striping). The storage capacity of the RAID device is equal to one-half that of the member partitions or
disks. You must use at least four partitions or disks.
For more information see help.ubuntu.com/community/Installation/SoftwareRAID
and raid.wiki.kernel.org/index.php/Linux_Raid.
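As an added example (not code from the book), the following Python turns the capacity rules in the list above into a calculator for a set of member partitions or disks; the minimum member counts, the even-member rule for level 10 and the smallest-member rule are assumptions stated in the comments.

```python
"""Usable capacity and fault tolerance of a Linux software RAID set.

Added example, not from the book: applies the capacity rules given in the
RAID level list above (levels 0, 1, 5, 6 and 10) to a list of member sizes
in gibibytes. Like the kernel's md driver, it treats every member as if it
were the size of the smallest member, so the book's "assuming they are all
the same size" case is exact and mixed sizes report the space left unused.
"""
from dataclasses import dataclass

# Minimum member counts per level (assumption). Level 10 needing at least
# four is from the text; an even count is required for a classic 1+0 built
# from mirror pairs; levels 5 and 6 need one and two more members than the
# one/two members' worth of parity they give up.
MIN_MEMBERS = {0: 2, 1: 2, 5: 3, 6: 4, 10: 4}


@dataclass(frozen=True)
class RaidPlan:
    level: int
    members: int
    usable_gib: float
    tolerated_failures: int  # member failures guaranteed not to lose data
    unused_gib: float        # capacity lost to unequal member sizes


def plan_raid(level: int, member_sizes_gib: list[float]) -> RaidPlan:
    """Return the capacity and redundancy of a RAID set, or raise ValueError."""
    if level not in MIN_MEMBERS:
        raise ValueError(f"unsupported RAID level {level}")
    n = len(member_sizes_gib)
    if n < MIN_MEMBERS[level]:
        raise ValueError(f"RAID {level} needs at least {MIN_MEMBERS[level]} members, got {n}")
    if level == 10 and n % 2:
        raise ValueError("RAID 10 (1+0) needs an even number of members")
    if any(s <= 0 for s in member_sizes_gib):
        raise ValueError("member sizes must be positive")

    unit = min(member_sizes_gib)  # every slot is only as large as the smallest member
    if level == 0:
        usable, tolerated = n * unit, 0          # striping only, no redundancy
    elif level == 1:
        usable, tolerated = unit, n - 1          # every member holds a full copy
    elif level == 5:
        usable, tolerated = (n - 1) * unit, 1    # one member's worth of parity
    elif level == 6:
        usable, tolerated = (n - 2) * unit, 2    # two members' worth of parity
    else:  # level 10: mirror pairs, then striped across the pairs
        usable, tolerated = (n // 2) * unit, 1   # one failure per pair is safe;
                                                 # two in the same pair is not
    unused = sum(member_sizes_gib) - n * unit
    return RaidPlan(level, n, usable, tolerated, unused)


def compare_levels(member_sizes_gib: list[float]) -> dict[int, RaidPlan]:
    """Plan every level the given members can support, keyed by level."""
    plans = {}
    for level in MIN_MEMBERS:
        try:
            plans[level] = plan_raid(level, member_sizes_gib)
        except ValueError:
            pass  # too few (or an odd number of) members for this level
    return plans


if __name__ == "__main__":
    # Constructed sample: four 500 GiB partitions, one per drive as the text advises.
    for lvl, p in sorted(compare_levels([500, 500, 500, 500]).items()):
        print(f"RAID {lvl:>2}: {p.usable_gib:6.0f} GiB usable, "
              f"survives {p.tolerated_failures} member failure(s)")
```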

LVM: LOGICAL VOLUME MANAGER
The Logical Volume Manager (LVM2, which this book refers to as LVM) allows
you to change the size of logical volumes (LVs, the LVM equivalent of partitions) on
the fly. With LVM, if you make a mistake in setting up LVs or if your needs change,
you can make LVs either smaller or larger without affecting user data. You must
choose to use LVM at the time you install the system or add a hard disk; you cannot
retroactively apply it to a disk full of data. LVM supports IDE and SCSI drives as
well as multiple devices such as those found in RAID arrays.


LVM groups disk components (partitions, hard disks, or storage device arrays), called
physical volumes (PVs), into a storage pool, or virtual disk, called a volume group
(VG). See Figure 2-2. You allocate a portion of a VG to create a logical volume.
An LV is similar in function to a traditional disk partition in that you can create a filesystem on an LV. It is much easier, however, to change and move LVs than partitions:
When you run out of space on a filesystem on an LV, you can grow (expand) the LV
and its filesystem into empty or new disk space, or you can move the filesystem to a
larger LV. For example, you can add a hard disk to a system and incorporate it into an
LV to expand the capacity of that LV. LVM's disk space manipulation is transparent
to users; service is not interrupted.
LVM also eases the burden of storage migration. When you outgrow the PVs or
need to upgrade them, LVM can move data to new PVs. To read more about LVM,
refer to the resources listed on page 26.

THE INSTALLATION PROCESS
The following steps outline the process of installing Ubuntu Linux from a CD/DVD.
See Chapter 3 for specifics.
1. Make sure the BIOS is set to boot from the CD/DVD (page 28). Insert the
installation CD/DVD in and reset the computer. The computer boots from
the CD/DVD and displays a language overlay (Figure 3-1, page 52) over a
disk menu (Figure 3-3, page 54).
2. You can press function keys to display options, make a selection from the
disk menu, and begin bringing up a live session or installing Ubuntu when
you are ready. With a live/install DVD, you can also do nothing: A
live/install DVD starts to bring up the system after 30 seconds. When the
Welcome screen appears, click Try Ubuntu to bring up a live session or
click Install Ubuntu to begin installation. The installation CDs wait for
you to select an item from the menu. One of the menu items checks the
installation medium.
3. As part of the process of bringing up a live session or installing Ubuntu,
Ubuntu Linux creates RAM disks (page 1168) that it uses in place of the
hard disk used for a normal boot operation. The installer copies tools
required for the installation or to bring up a system from a live/install
Desktop CD or a live/install DVD to the RAM disks. The use of RAM
disks allows the installation process to run through the specification and
design phases without writing to the hard disk and enables you to opt out
of the installation at any point before the last step of the installation. If
you opt out before this point, the system is left in its original state. The
RAM disks also allow a live session to leave the hard disk untouched.
4. The installer prompts you with questions about how you want to configure
Ubuntu Linux.
5. When the installer is finished collecting information, it displays the Ready
to install screen (Figure 3-9, page 63). When you click Install, it writes the
operating system files to the hard disk.
6. The installer prompts you to remove the CD/DVD and press RETURN; it then
reboots the system.
7. The Ubuntu Linux system is ready for you to log in and use.

DOWNLOADING AND BURNING A CD/DVD
There are several ways to obtain an Ubuntu CD/DVD. Ubuntu makes available
releases of Linux as CD and DVD ISO image files (named after the ISO 9660 standard that defines the CD filesystem). This section describes how to download one of
these images and burn a CD/DVD. You can also purchase a CD/DVD from a Web
site. If you cannot obtain Ubuntu by any other means, you can point a browser at
shipit.ubuntu.com to display a Web page with links that enable you to request a free
CD from Ubuntu (but first read blog.canonical.com/?p=264).

THE EASY WAY TO DOWNLOAD A CD ISO IMAGE FILE
This section explains the easiest way to download a CD ISO image file. This technique works in most situations; it is straightforward but limited. For example, it
does not allow you to use BitTorrent to download the file nor does it download a
DVD image.

You can find ISO images for all supported architectures here
tip If you cannot find an ISO image for a CD that supports the type of hardware you want to install
Ubuntu on, go to this site: cdimage.ubuntu.com/ports/releases/10.04/release.

Figure 2-3 (screenshot of the Ubuntu Releases download page; image not reproduced)

Figure 3-5 The symbols on the initial boot screen

THE LIVE/INSTALL DESKTOP CD
When you boot from a live/install desktop CD, Ubuntu displays the initial boot
screen, a mostly blank screen with keyboard layout and accessibility symbols at the
bottom (Figure 3-5). While the initial boot screen is displayed, whether you press a
key determines what happens next. If you do not press a key, after a few seconds
Ubuntu displays a logo and progress dots and then displays the Welcome screen of
the Install window (Figure 3-2). To select a default language other than English
from this screen, see "Changing the default language" on page 57.
Bring up a live session From the Welcome screen, click Try Ubuntu 10.04 to bring up a live session running
the GNOME desktop (Figure 3-4).


Check the CD/DVD for defects
tip Testing the CD/DVD takes a few minutes but can save you much aggravation if the installation fails
or you run into problems after installing Ubuntu due to bad media. Whether you burned your own
CD/DVD, purchased it, or are using the disk included with this book, it is a good idea to verify that
the contents of the CD/DVD are correct.
With the DVD menu screen or one of the CD menu screens displayed, use the ARROW keys to highlight Check disc for Defects and press RETURN. Checking the CD/DVD takes a few minutes—Ubuntu
keeps you apprised of its progress. When Ubuntu finishes checking the CD/DVD, it displays the
result of its testing. Press RETURN to reboot the system.
Install Ubuntu

From the Welcome screen, click Install Ubuntu 10.04 to install Ubuntu on the hard
disk; continue with the Where are you? screen as described on page 59.
If you press a key while the initial boot screen is displayed, Ubuntu displays the language overlay covering the Desktop CD menu. This screen looks similar to
Figure 3-1 on page 52 except that no countdown timer is visible because the system
is not counting down; instead it is waiting for your input. You can use the ARROW
keys to highlight a language for the installer to use and press RETURN to select the language and expose the CD menu screen (similar to Figure 3-3 on page 54). On this
screen you can use the ARROW keys to highlight a selection and press RETURN to make
the selection. For more information refer to "Advanced Installation" on page 77.

THE WELCOME SCREEN
Two varieties of the Welcome screen exist. One screen, shown in Figure 3-2, allows
you to choose between bringing up a live Ubuntu system and installing Ubuntu on
the hard disk. It has two buttons: Try Ubuntu 10.04 and Install Ubuntu 10.04. The
other screen, which is similar to the one shown in Figure 3-2, simply marks the start
of the installation process. It has three buttons: Quit, Back (grayed out and nonfunctional because you cannot go back from this screen), and Forward.
Quit button When you click Quit, Ubuntu displays a GNOME desktop running under a live
session (Figure 3-4, page 55).

Changing the default language Along the left side of both Welcome screens is a list box (page 1157) that holds a list
of languages. The highlighted language is the language the live session or the
installer/installed system will use. If the highlighted language is not the language
you want, use the ARROW keys or the mouse to highlight your desired language before
proceeding. See "The Function Keys" on page 79 for information about changing
the language, keyboard layout, and accessibility features used by a live session and
the installer/installed system.

optional SEEING WHAT IS GOING ON
If you are curious and want to see what Ubuntu is doing as it boots, perform an
advanced installation (page 77) and remove quiet and splash from the boot command
line (Figure 3-22, page 81): With the DVD menu screen or one of the CD menu
screens displayed, press F6 to display the boot command line and a drop-down list.
Next press ESCAPE to close the drop-down list. Then press BACKSPACE or DEL to back up
and erase quiet and splash from the boot command line. If you have not added anything to this line, you can remove the two hyphens at the end of the line. If you have
added to this line, use the LEFT ARROW key to back up over—but not remove—whatever
you added, the hyphens, and the SPACE on each side of them. Then remove quiet and
splash. Press RETURN. Now, as Ubuntu boots, it displays information about what it is
doing. Text scrolls on the screen, although sometimes too rapidly to read.

ubiquity: INSTALLING UBUNTU GRAPHICALLY
This section covers the ubiquity graphical installer, written mostly in Python, that
installs Ubuntu. You can also install Ubuntu using the textual installer (debian-installer; page 85).

Before you start, see what is on the hard disk
tip Unless you are certain you are working with a new disk, or you are sure the data on the disk is of no
value, it is a good idea to see what is on the hard disk before you start installing Ubuntu. You can use
the palimpsest disk utility to mount partitions on a hard disk. You can then examine the files in
these partitions and see what is on the disk. See page 66 for more information on palimpsest.

3 STEP-BY-STEP INSTALLATION

USING THE MOUSE TO WORK WITH THE INSTALL WINDOW SCREENS
You can use either the mouse or the keyboard to make selections from the Install
window screens. To select a language from the Welcome screen using the mouse,
left-click the language you want to use in the list box at the left. If the language you
want does not appear on the displayed portion of the list, click or drag the scrollbar (Figure 3-2 on page 53 and Figure 4-16 on page 123) to display more languages; then click the language you want to use. Ubuntu highlights the language
you click. Once you select a language, you are finished working with the Welcome
screen. Click the button labeled Forward or Install Ubuntu 10.04 to display the
next screen.

USING THE KEYBOARD TO WORK WITH THE INSTALL WINDOW SCREENS
To use the keyboard to make selections, first use the TAB key to move the highlight to
the object you want to work with. On the Welcome screen, the objects are the
selected item in the list box and the buttons labeled Try Ubuntu 10.04 and Install
Ubuntu 10.04 or Quit, Back, and Forward.
List box With a language in the list box highlighted, use the UP ARROW and DOWN ARROW keys to
move the highlight to the language you want to use. The list scrolls automatically
when you move the highlight to the next, undisplayed entry in the list.

Button Once you select a language, you are finished working with the Welcome screen. Use
the TAB key to highlight the button labeled Forward or the button labeled Install
Ubuntu 10.04. The button turns orange with an orange border when it is highlighted. Press RETURN to display the next screen.

Drop-down list To make a selection from a drop-down list, such as the one in the box labeled
Region shown in Figure 2-1 on page 31, use the TAB key to highlight the box and
then use the ARROW keys to move the highlight from one item to the next. With the
selection you want to choose highlighted, press RETURN.

STARTING THE INSTALLATION
This book describes using the mouse to make selections from a graphical interface;
you can use the keyboard if you prefer.
WELCOME SCREEN
The Welcome screen of the Install window (Figure 3-2) contains a welcome message
and a list of languages for you to choose from. The language you choose will be the
one ubiquity uses as you install the system and the default language for the installed
system; you can change this default once the system is installed (page 145). Click
Forward.
Ubuntu displays the Setting up the clock window and, if it can connect to a network
time server, sets the clock. You can click Skip to bypass this step.

Figure 3-6 The Keyboard layout screen

WHERE ARE YOU?
As the first step in installing Ubuntu, ubiquity displays the Where are you? screen.
This screen allows you to specify the time zone where the computer is located. You
can use the map or the drop-down lists labeled Region and Time Zone to specify
the time zone. When you click the name of a city on the map, the appropriate region
appears in the box labeled Region and the name of the time zone or a city within
the time zone appears in the box labeled Time Zone.
To use the Region drop-down list, click the down arrow at the right end of the box
labeled Region; ubiquity expands the box into a list of parts of the world. Click the
region you want to select. Now, repeat this process with the box labeled Time
Zone. Click Forward.
KEYBOARD LAYOUT
The Keyboard layout screen (Figure 3-6) allows you to specify the type of keyboard
to be used by the installed system. (See "F3 Keymap" on page 79 to change the layout of the keyboard ubiquity uses during installation.) When ubiquity displays the
Keyboard layout screen, the radio button (page 1167) labeled Suggested option is
selected and the name of a keyboard layout appears to the right of these words. If
the suggested option is acceptable, click Forward.
Anytime the Keyboard layout screen is displayed, you can highlight the text box at
the bottom of the screen and type some letters to see if the selected option is correct
for the keyboard you are using.


When you select the radio button labeled Guess keymap and click Guess, ubiquity
leads you through a series of questions and, based on your answers, tries to determine which type of keyboard you are using. Click Forward when you are satisfied
with the result.
When you select the radio button labeled Choose your own, ubiquity activates the
two list boxes below these words. Select a country and keyboard type from these list
boxes and click Forward.
PREPARE DISK SPACE
The Prepare disk space screen controls how ubiquity partitions the hard disk. See
page 36 for a discussion of the issues involved in partitioning a hard disk.
GUIDED PARTITIONING
With a single, clean hard disk—a hard disk with nothing installed on it, as it comes
from the factory (i.e., no partition table)—the ubiquity partition editor displays a
Prepare disk space screen similar to the one shown in Figure 3-7. In this case, the
simplest way to partition the disk is to allow the ubiquity partitioner to do it for you.
This technique is called guided partitioning. By default, the radio button labeled
Erase and use the entire disk is selected and the name of the only hard disk in the
system is displayed in the drop-down list below these words. If the system has two
or more hard disks, you must select from this list the disk where you want to install
Ubuntu. Click Forward. The ubiquity partition editor creates two partitions on the
hard disk: a small swap partition (page 37) and a root partition (/, page 37) that
occupies the rest of the disk.
The ubiquity partition editor does not partition the disk at this time. At any time
before you click Install on the Ready to install screen, you can change your mind
about how you want to partition the disk. Click the button labeled Back. You may
have to back up through several screens to display the Prepare disk space screen
again, but you can then set up the disk the way you want it.
See "Advanced Guided Partitioning" on page 70 for information on using the other
selections in the Prepare disk space screen.
MIGRATE DOCUMENTS AND SETTINGS
If you are installing Ubuntu on a system that already has one or more operating systems installed on it, and you are not overwriting those operating systems, the
Migrate documents and settings screen displays a list of accounts and settings from
the existing operating systems. For example, if you are creating a dual-boot system
on a system that already has Windows installed on it, this screen shows the
accounts from the Windows system and a list of programs and settings. It might
show your name from the Windows system and, under that, Internet Explorer and
My Documents. Put ticks in the check boxes adjacent to those items you want to
migrate to the Ubuntu system. On the lower portion of the screen, enter the information necessary to create an Ubuntu user to receive the migrated information.
Click Forward.

Figure 3-7 The ubiquity partition editor showing one empty hard disk

WHO ARE YOU?
The Who are you? screen (Figure 3-8, next page) sets up the first Ubuntu user. This
user can use sudo (page 98) to administer the system, including setting up additional
users (page 594). Enter the full name of the user in the text box labeled What is
your name?. As you type, ubiquity enters the first name from the name you are entering in the box labeled What name do you want to use to log in?. Press TAB to move
the cursor to this box. If you want to use a different username, press BACKSPACE
(page 151) to erase the username and enter a new one. Press TAB.
Enter the same password in the two (adjacent) boxes labeled Choose a password to
keep your account safe. The strength of the password is displayed to the right of the
password boxes. Although ubiquity accepts any password, it is a good idea to choose
a stronger (more secure) password if the system is connected to the Internet. See
"Changing Your Password" on page 148 for a discussion of password security.
The final text box specifies the name of the computer. For use on a local network
and to connect to the Internet with a Web browser or other client, you can use a
simple name such as fox8. If you are setting up a server system, see "FQDN" on
page 823 for information on names that are valid on the Internet.
The three radio buttons at the bottom of the window configure the login process for
the user you are specifying. Select Require my password to log in to cause Ubuntu
to require a password for you to log in on the system.
Select Require my password to log in and to decrypt my home folder if you are setting up an encrypted home folder.

Figure 3-8 The Install window, Who are you? screen

Select Log in automatically if you want Ubuntu to log you in automatically when
the system boots—select this option only if you trust everyone who has physical
access to the system. Click Forward.
READY TO INSTALL
The final screen ubiquity displays is the Ready to install screen (Figure 3-9). At this
point, the ubiquity partition editor has not yet written to the disk. Thus, if you click
Quit at this point, the hard disk will remain untouched. This screen summarizes
your answers to the questions ubiquity asked in the previous screens. Click Advanced
to display the Advanced Options window, which allows you to choose whether to
install a boot loader (normally you want to) and whether to set up a network proxy
(page 405). Click OK to close the Advanced Options window. If everything looks
right in the summary, click Install. The installer begins installing Ubuntu on the
hard disk.

When ubiquity writes to the hard disk
caution You can abort the installation by clicking the Quit button at any point, up to and including when
the Ready to install screen (Figure 3-9) is displayed, without making any changes to the hard disk.
Once you click Install in this screen, ubiquity writes to the hard disk.
The ubiquity installer displays messages to keep you informed of its progress. When
the new system is installed, Ubuntu displays the Installation Complete window,
which gives you the choice of continuing the live session (Continue Testing) or
rebooting the system so you can use the newly installed copy of Ubuntu. Click
Restart Now to reboot the system.

Figure 3-9 The Install window, Ready to install screen
The installer displays the Ubuntu logo and progress dots. When it has finished shutting
down the system, it asks you to remove the disk (so you do not reboot from the
CD/DVD) and press RETURN. After you complete these steps, Ubuntu reboots the system
and displays the Ubuntu GNOME login screen (Figure 4-1, page 100).
Log in as the user you specified on the Who are you? screen and continue with
Chapter 4.

GRAPHICAL PARTITION EDITORS
A partition editor displays and can add, delete, and modify partitions on a hard
disk. This section describes three graphical partition editors you can use to configure a hard disk in the process of installing Ubuntu. The gparted and palimpsest partition editors are available from a live session. The other partition editor is part of
the ubiquity installer and is not available by itself. See page 87 for information on
using the textual partition editor, which is available when you use the textual
installer. After you install Ubuntu Linux, you can use parted (page 611) or palimpsest (page 66) to view and manipulate partitions. The gparted partition editor is not
available from an installed system unless you install the gparted package
(page 519). If you want a basic set of partitions, you can allow ubiquity to partition
the hard disk automatically using guided partitioning.

Figure 3-10 Selecting gparted from the Main menu
See "Setting Up the Hard Disk" on page 33 for a discussion of free space, partitions, partition tables, and filesystems. "Manual Partitioning: Planning Partitions"
on page 37 discusses some of the filesystems for which you may want to set up partitions if you choose to partition the hard disk manually.
Unless you are certain the hard disk you are installing Ubuntu Linux on has nothing
on it (it is a new disk) or you are sure the disk holds no information of value, it is a
good idea to examine the disk before you start the installation. The gparted and palimpsest partition editors, which are available from a live session, are good tools for
this job.

gparted: THE GNOME PARTITION EDITOR
Open a GParted window by selecting Main menu: System⇒Administration⇒
GParted as shown in Figure 3-10.
The gparted utility displays the layout of the hard disk and can be used to resize partitions, such as when you are setting up a dual-boot system by adding Ubuntu to a
Windows system (page 76). Although you can create partitions using gparted, you
cannot specify the mount point (page 35) for a partition—this step must wait until
you are installing Ubuntu and using the ubiquity partition editor.

AN EMPTY HARD DISK
The gparted utility shows one large unallocated space for a new hard disk (empty,
with no partition table). An exclamation point in a triangle is a warning; on a new
disk it indicates an unrecognized file system (there is no partition table). If you have
more than one hard disk, use the list box in the upper-right corner of the window to
select which disk gparted displays information about. Figure 3-11 shows an empty
200-gibibyte (page 1150) hard disk on the device named /dev/sda. Figure 3-7 on
page 61 shows the ubiquity partition editor ready to partition an empty drive similar
to the one shown in Figure 3-11.

Figure 3-11 The gparted utility displaying an empty disk drive

RESIZING A PARTITION
Although you can resize a partition using the ubiquity partition editor while you are
installing Ubuntu, you may find it easier to see what you are doing when you use
the gparted partition editor from a live session for this task. This section explains
how to use gparted to resize a partition.

Always back up the data on a hard disk
caution If you are installing Ubuntu on a disk that holds important data, back up the data before you start
the installation. Things can and do go wrong. The power may go out in the middle of an installation, corrupting the data on the hard disk. There may be a bug in the partitioning software that
destroys a filesystem. Although it is unlikely, you might make a mistake and format a partition
holding data you want to keep.
Figure 3-12 (next page) shows gparted displaying information about a hard disk
with a single partition that occupies the entire disk. This partition holds a single
200-gibibyte NTFS filesystem. The process of resizing a partition is the same
regardless of the type of partition, so you can use the following technique to resize
Windows, Linux, or other types of partitions.
To install Ubuntu on this system, you must resize (shrink) the partition to make
room for Ubuntu. To resize the partition, right-click to highlight the line that
describes the partition and click the arrow pointing to a line on the toolbar at the
top of the window. The partition editor opens a small Resize/Move window, as
shown in Figure 3-12.
3 STEP-BY-STEP INSTALLATION 66

Figure 3-12 The gparted partition editor displaying a disk drive holding a Windows system (figure: GParted window for /dev/sda (200.00 GiB) listing /dev/sda1, an NTFS partition labeled Windows that fills the disk, with the Resize/Move /dev/sda1 dialog open; the dialog shows a graphical bar for the partition above the fields Minimum size, Maximum size, Free space preceding (MiB), New size (MiB), and Free space following (MiB), a Round to cylinders check box, and Cancel and Resize/Move buttons)

At the top of the Resize/Move window is a graphical representation of the partition.
Initially the partition occupies the whole disk. The spin box labeled New Size (MiB)
shows the number of mebibytes occupied by the partition—in this case, the whole
disk. The two spin boxes labeled Free Space show no free space.
You can specify how the partition should be resized by (right-clicking and) dragging
one of the triangles at the ends of the graphical representation of the partition or by
entering the number of mebibytes you want to shrink the Windows partition to in
the spin box labeled New Size (MiB). The value in one of the spin boxes labeled Free
Space increases when you make this change (as shown in Figure 3-12). Click
Resize/Move to add the resize operation to the list of pending operations at the bottom of the window. Click the green check mark on the toolbar to resize the partition.

DELETING A PARTITION
Before you delete a partition, make sure it does not contain any data you need. To
use gparted to delete a partition, highlight the partition you want to delete, click the
circle with a line through it, and then click the green check mark on the toolbar.

palimpsest: THE GNOME DISK UTILITY
The palimpsest graphical disk utility can create, remove, and modify partitions and
filesystems on many types of media, including internal and external hard disks,
CD/DVDs, and USB flash drives. It can encrypt partitions and change passwords on
already encrypted partitions.
Open the Palimpsest Disk Utility window by selecting Main menu: System ⇒
Administration ⇒ Disk Utility (just above GParted in Figure 3-10 on page 64). To
display information about a hard disk, click a hard disk under Storage
Devices/Peripheral Devices on the left side of the window.

Figure 3-13 The palimpsest Disk Utility window (figure: Disk Utility showing a 215 GB hard disk, VMware Virtual S)
With a hard disk selected, the palimpsest Disk Utility window is divided into three
sections (Figure 3-13): Storage Devices holds a list of CD/DVD drives, hard disks,
and other devices; Drive holds information about the hard disk that is highlighted
in the list of storage devices; and Volumes displays information about the partition
that is highlighted in the graphical representation of the hard drive.
When you select a hard disk in the Storage Devices section, palimpsest displays
information about that disk in the Drive section of the window. Click one of the
partitions in the graphical representation of the hard disk and palimpsest displays
information about that partition in the Volumes section.
From this window you can view, create, and delete partitions. Although you can
create partitions using palimpsest, you cannot specify the mount point (page 35) for
a partition—this step must wait until you are installing Ubuntu and using the ubiquity partition editor. You can save time if you use palimpsest to examine a hard disk
and ubiquity to set up the partitions you install Ubuntu on.

DISPLAYING THE CONTENTS OF A FILESYSTEM
To display the contents of a filesystem, select the partition holding the filesystem as
described above and click Mount Volume in the Volumes section of the Disk Utility
window. Figure 3-13 shows Unmount Volume because the partition is already
mounted. When palimpsest mounts the highlighted filesystem, the mounted filesystem appears as a directory (folder) on the desktop. When you click the mount
point (the link following Mount Point: mounted at) in the Volumes section or
double-click the directory icon on the desktop, Nautilus displays the filesystem in a
file browser window (page 107). When you have finished examining the contents of
the filesystem, click Unmount Volume to unmount the filesystem.

Figure 3-14 The palimpsest Disk Utility showing a disk without a partition table

WRITING A PARTITION TABLE
A new disk does not have a partition table (page 33) and looks similar to the disk
highlighted in Figure 3-14. In the Drive section of a Disk Utility window, Not Partitioned follows the Partitioning label, the graphical representation of the disk is
marked Unknown, and Usage is blank. If the disk you are working with already has
a partition table, skip to the next section.
To partition a hard disk, click Format Drive in the Drive section of the Disk Utility
window: palimpsest opens a Format window holding a drop-down list labeled
Scheme. Select a scheme. In most cases you will want to accept the default scheme
of Master Boot Record. Click Format. After checking that you really want to format the drive, palimpsest creates the partition table. Now Master Boot Record follows the Partitioning label, the graphical representation of the disk is marked Free
(free space; page 33), and Unallocated Space follows the Usage label.
If you want to create a single filesystem that occupies the entire disk drive, instead
of following the instructions in the preceding paragraph, click Format Volume in
the Volumes section of the Disk Utility window: palimpsest opens a Format whole-disk volume window. To create a filesystem, follow the instructions for the Create
partition window in the next section.

CREATING A PARTITION AND A FILESYSTEM
Once you have created a partition table, you will be able to create a partition that
holds a filesystem in the free space. When you click Create Partition, palimpsest
opens a Create partition window (Figure 3-15).

Figure 3-15 The palimpsest Create partition window (figure: Create partition on VMware Virtual S, 100 GB; Size 100.000 GB; Type Ext4, described as "This file system is compatible with Linux systems only and provides classic UNIX file permissions support"; Name vol1; check boxes Take ownership of filesystem and Encrypt underlying device; Cancel and Create buttons)
In this window, use the slider labeled Size, or the adjacent spin box, to specify the
size of the new partition. Next specify a filesystem type; ext4 filesystems are the
most common. You can optionally enter a disk label in the text box labeled Name.
This name is not the mount point for the disk. Typically you will want to own the
filesystem, so allow the tick to remain in the check box labeled Take ownership of
file system. If you want the filesystem to be encrypted, put a tick in the check box
labeled Encrypt underlying device; palimpsest then sets up a LUKS-encrypted device that you must unlock with a passphrase before the filesystem can be mounted, so choose a passphrase you will not lose. Click Create. After checking with you, palimpsest creates the filesystem. Now the graphical representation of the disk is divided
to represent the division of the hard disk and Usage corresponds to the highlighted
section of the graphical representation (Filesystem or Unallocated Space). If you did
not use all the free space, you can create additional partitions and filesystems in the
same manner.

DELETING A PARTITION
Before deleting a partition, make sure it does not contain any data you need. To use
the palimpsest utility to delete a partition, highlight the partition you want to delete
in the graphical representation of the hard disk and click Delete Partition. After
checking with you, palimpsest deletes the partition.

USING SMART TO DISPLAY DISK PERFORMANCE INFORMATION
SMART (Self-Monitoring, Analysis, and Reporting Technology) monitors hard
disks and attempts to predict hard disk failures. To see a SMART report for a disk
on the system, highlight the disk in the Storage Devices section and click Smart Data
in the Drive section; palimpsest displays a window similar to the one shown in
Figure 3-16. From this window you can run various self-tests and scroll through the
information at the bottom of the window. Each attribute in the list carries a Normalized value, the Worst value the drive has recorded, and a manufacturer-set Threshold; the drive reports an attribute as failing when its normalized value falls to or below the threshold, and a rising Bad Sectors count deserves attention even while Overall Assessment still reads Disk is healthy.

Figure 3-16 SMART data as displayed by palimpsest (figure: summary fields Updated (3 minutes ago), Self-tests (Completed OK), Powered On (72.5 days), Power Cycles (956), Temperature (24° C / 75° F), Bad Sectors (None), Self Assessment (Passed), Overall Assessment (Disk is healthy); buttons Refresh (reads SMART data, waking up the disk) and Run Self-test (tests the disk surface for errors); a table with columns ID, Attribute, Assessment, and Value listing entries such as Read Error Rate, Throughput Performance, Spinup Time, and Start/Stop Count, each with Normalized, Worst, Threshold, and Value figures; a check box labeled Don't warn if the disk is failing)

ubiquity: SETTING UP PARTITIONS
While you are installing Ubuntu, ubiquity offers two ways to partition a disk: guided
and manual. Guided partitioning sets up two partitions—one for swap space
(page 37) and one for / (root, where the entire Ubuntu filesystem gets mounted;
page 37). The amount of space occupied by root depends on which guided option
you select. Manual partitioning enables you to set up partitions of any type and
size; you can also specify the mount point for each partition.

ADVANCED GUIDED PARTITIONING
"Prepare Disk Space" on page 60 explained how to use guided partitioning to partition an empty disk. This section explains how guided partitioning works on a disk
that is already partitioned.
Depending on the contents of the hard disk you are installing Ubuntu on, the ubiquity partition editor presents different choices. Figure 3-17 shows the Prepare disk
space screen for a hard disk with one partition that occupies the entire disk. That
partition holds a Windows system. This screen shows all possible choices. In some
cases, not all of these choices appear. Click the radio button adjacent to a choice to
select it. The choices possible are outlined here:
• Install them side by side, choosing between them each startup—Allows
you to shrink a partition and use the space freed up by this operation to
install Ubuntu. You can use this choice to set up a dual-boot system
(page 76) on a system where a single Windows partition occupies the
whole disk. This section describes how to use the ubiquity partition editor
to resize a partition. See "Resizing a Partition" on page 65 for instructions
on using gparted to resize a partition.
This choice includes a slider with a handle that allows you to specify how
you want to resize the partition. See Figure 3-17. Click and drag the handle to specify the new size of the partition you are resizing and, by default,
the size of the new partition where Ubuntu will be installed.

Figure 3-17 The Prepare disk space screen showing a hard disk with a Windows partition occupying the entire disk

• Erase and use the entire disk—Deletes all information on the disk and
installs Ubuntu on the entire disk. After deleting information from the
disk, this choice uses guided partitioning as explained on page 60.
Using the whole disk for Ubuntu is easy. Before you start, make certain the
disk does not contain any information you need. Once you rewrite the
partition table and create the new filesystems, you will have no way to get the data back from within Ubuntu. (The old data is not overwritten, only made unreachable, so a disk that held sensitive information still needs to be wiped separately before it leaves your hands.) If you are not sure about
the contents of the disk, use palimpsest (page 66) to take a look.
• Use the largest continuous free space—Installs Ubuntu in the largest chunk
of free space on the disk. Because free space holds no data, this technique
does not change any data on the disk. This choice uses guided partitioning
(as explained on page 60) on the free space. If an operating system occupies the existing partition, this choice sets up a dual-boot system (page 76).

Figure 3-18 An empty hard disk with a partition table (figure: Prepare partitions screen, step 5 of 8, listing /dev/sda with a single line, Free space 214.7 GB; buttons Add..., Change..., Delete, and Revert below the list, with Quit, Back, and Forward at the bottom)

• Specify partitions manually (advanced)—Gives you total control over the
size, placement, and naming of partitions where Ubuntu is installed. See
the next section.
When you are done working with the Prepare disk space screen, click Forward.

MANUAL PARTITIONING
This section explains how to use the ubiquity partition editor to create a partition on
an empty hard disk. Figure 3-7 on page 61 shows the Prepare disk space screen for
an empty hard disk. To create partitions manually, select Specify the Partitions
Manually (advanced) and click Forward. The ubiquity partition editor displays a
Prepare partitions screen that shows a device without any partitions—only free
space. Before you can create partitions, you must set up a partition table (page 33).
To do so, highlight the device name (e.g., /dev/sda) and click New partition table.
The partition editor asks you to confirm that you want to create a new, empty partition table. Click Continue to create a partition table that contains only free space.
Now ubiquity displays a screen that looks similar to the one in Figure 3-18. (Note:
ubiquity reports sizes in decimal megabytes and gigabytes [page 1150], whereas gparted reports them in binary mebibytes and gibibytes [page 1159]. The 200.00 GiB disk in Figure 3-11 is the same disk that Figure 3-18 shows as 214.7 GB, because 200 GiB is 214,748 MB.) The hard disk at /dev/sda has a partition table without any partitions; it contains only free space.
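What the New partition table button writes, and why gparted and ubiquity quote different sizes for the same disk, is easier to see by decoding a boot sector directly. The following Python script is an added example, not code from the book or from gparted, palimpsest, or ubiquity: it reads the 64-byte MBR partition table that follows the boot code, reports each entry in gparted's mebibytes and ubiquity's decimal megabytes, and distinguishes a disk with no signature at all (what gparted draws as one unallocated region and palimpsest labels Not Partitioned) from one with an empty table. The three sample sectors are constructed inside the script; the partition type names and the /dev/sda device name are conventional values I chose, and reading a real device needs root.

```python
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = 0xAA55          # bytes 0x55 0xAA at offset 510, little-endian
TABLE_OFFSET = 446              # four 16-byte entries follow the boot code
ENTRY_SIZE = 16
MB = 1000 ** 2                  # decimal megabyte, the unit ubiquity shows
MIB = 1024 ** 2                 # binary mebibyte, the unit gparted shows

# System-ID byte -> name, for the partition types mentioned in this chapter
TYPE_NAMES = {
    0x05: "extended",           # container for logical partitions
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",     # a GUID partition table hides behind this entry
}


def parse_mbr(sector):
    """Decode the primary partition table in a 512-byte boot sector.

    Returns None if the sector has no 0x55AA signature (no partition table),
    otherwise a list with one dict per non-empty entry, in slot order.
    """
    if len(sector) < SECTOR:
        raise ValueError("need a full %d-byte sector" % SECTOR)
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        # status, 3 CHS bytes (ignored), type, 3 CHS bytes (ignored), LBA, count
        status, ptype, start_lba, count = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        entries.append({
            "index": i + 1,               # /dev/sda1 .. /dev/sda4
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
            "start_lba": start_lba,
            "sectors": count,
            "bytes": count * SECTOR,
            "extended": ptype in (0x05, 0x0F),
        })
    return entries


def size_mib(nbytes):
    """Whole mebibytes, as in gparted's New Size (MiB) spin box."""
    return nbytes // MIB


def size_mb(nbytes):
    """Whole decimal megabytes (1000000 bytes), as in ubiquity's size column."""
    return nbytes // MB


def describe(sector, device="/dev/sda"):
    """One line per partition, or a note that the disk has no usable table."""
    entries = parse_mbr(sector)
    if entries is None:
        return "%s: no partition table (shown as unallocated)" % device
    if not entries:
        return "%s: empty partition table (free space only)" % device
    lines = []
    for e in entries:
        lines.append("%s%d %s%s: %d MiB = %d MB, starts at LBA %d" % (
            device, e["index"], e["type_name"], " (boot)" if e["bootable"] else "",
            size_mib(e["bytes"]), size_mb(e["bytes"]), e["start_lba"]))
    return "\n".join(lines)


# --- constructed sample sectors (not read from any real disk) ---

def make_entry(bootable, ptype, start_lba, sectors):
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start_lba, sectors)


def make_mbr(entries):
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return b"\x00" * TABLE_OFFSET + table + struct.pack("<H", MBR_SIGNATURE)


BLANK_DISK = b"\x00" * SECTOR                   # new disk, as in Figures 3-11 and 3-14
EMPTY_TABLE = make_mbr([])                      # after New partition table, as in Figure 3-18
WINDOWS_DISK = make_mbr([make_entry(True, 0x07, 63, 200 * 1024 ** 3 // SECTOR)])  # Figure 3-12

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. sudo python mbr.py /dev/sda
        with open(sys.argv[1], "rb") as disk:
            print(describe(disk.read(SECTOR), sys.argv[1]))
    else:
        for name, sector in (("blank", BLANK_DISK), ("empty", EMPTY_TABLE), ("windows", WINDOWS_DISK)):
            print(name + ": " + describe(sector))
```

Run it with no arguments to see the three constructed cases, or with a device name to look at a disk before choosing Erase and use the entire disk. A type 0xEE entry means the disk carries a GUID partition table, which this decoder does not read, and a disk that decodes as having no table can still hold data from an earlier layout; the signature being absent says nothing about the rest of the disk.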
To create a partition, highlight the line containing free space in the Device column
and click Add. The ubiquity partition editor displays a Create partition window
(Figure 3-19), which asks you to specify whether you want to create a primary or a
logical partition (page 34), what size the partition should be (in megabytes),
whether the partition should appear at the beginning or end of the free space, what
type the partition should be (Use as), and what name the mount point (page 35) for
the partition should have. Because Linux does not mount a swap partition, you cannot specify a mount point for a type swap partition. If you are unsure of which type
a partition should be, choose ext4 (page 505). Click OK.

Figure 3-19 The Create partition window (figure: Type for the new partition: Primary or Logical; New partition size in megabytes (1000000 bytes): 100000; Location for the new partition: Beginning or End; Use as: Ext4 journaling file system; Mount point: /home; Cancel and OK buttons)
After a few moments the Prepare partitions screen displays the new partition
(Figure 3-20). To create another partition, highlight the line containing free space
and repeat the preceding steps. Remember to create a swap partition (page 37).
When you have finished creating partitions, click Forward.
Figure 3-20 The Prepare partitions screen displaying a new partition (figure: step 5 of 8; under Device, /dev/sda holds /dev/sda1, type ext4, mount point /home, 99998 MB, followed by free space of 114748 MB; buttons New Partition Table..., Add..., Change..., Delete, and Revert, with Quit, Back, and Forward at the bottom)

The Prepare partitions screen displays five buttons immediately below the frame
that lists the disks and partitions. Some of these buttons are grayed out (inactive)
depending on what is highlighted in the frame above. The button labeled Revert is
always active. When a device is highlighted, the button labeled New Partition Table
is active. Clicking this button creates a new partition table, thereby destroying any
existing partition table. Highlighting a partition gives you the choice of editing or
deleting the partition. Editing a partition you just created allows you to change only
its type and mount point. You must delete and re-create a partition to change any of
its other attributes. As mentioned earlier, highlighting the line containing free space
allows you to create a new partition.

UPGRADING TO A NEW RELEASE
Upgrading a system is the process of installing a new release of Ubuntu over an older
one. All user and configuration files are preserved and all software is upgraded to the
most recent version consistent with the new release of Ubuntu. Ubuntu advises against
upgrading systems that have had packages installed from repositories (page 522) it does
not control. These packages may corrupt the software package database, causing the
upgrade to fail. For release notes that detail features that will not take effect with an
upgrade, see www.ubuntu.com/getubuntu/releasenotes.

Use a standard upgrade procedure
caution Do not use procedures for upgrading to a new release of Ubuntu other than the ones specified in
this section or at www.ubuntu.com/getubuntu/upgrading. Specifically, do not use apt-get dist-upgrade, aptitude full-upgrade, or any Debian tools.

Upgrading from an LTS release to a non-LTS release
tip When you start the Update Manager from the Main menu, it does not offer you the option of
upgrading from an LTS release to a non-LTS release. To upgrade from an LTS release to a non-LTS release, you must enter update-manager -c on a command line (from a terminal emulator or
Run Command window [ALT-F2]) to open the Update Manager window.

Watch out for pop-up windows
tip During the installation phase of an upgrade, some packages open windows that ask questions
about how you want to handle the upgrade of a package. These windows can be hidden by other
windows on the workspace. If the upgrade stops for no apparent reason, drag windows around to
see if a window with a question in it is hidden below another window. When you respond to the
question, the upgrade will continue.
Before you upgrade a system, it is a good idea to back up all user files on the system.
Also make sure the drop-down list labeled Show new distribution releases in the
Updates tab of the Software Sources window (page 132) displays the type of release
you want to upgrade to.
The following procedure assumes you have a desktop system connected to the Internet. Even with a fast Internet connection, this process takes a long time. Follow
these steps to upgrade a system:


1. Open the Update Manager window (Figure 4-11, page 112) by selecting
Main menu: System ⇒ Administration ⇒ Update Manager.
2. Regardless of whether the window says You can install nn updates or
not, click Check. This step ensures the software package database is up-to-date.
3. If the window displays You can install nn updates, click Install Updates.
This step ensures all software packages on the system are up-to-date.
4. At this point, if a new release is available, the window displays the message New distribution release 'XX.XX' is available. Click Upgrade.
5. The utility displays the Release Notes window. Read the release notes and
then click Upgrade.
6. The utility downloads the upgrade tool and updates some files.
7. You are asked if you want to start the upgrade. Click Start Upgrade.
8. When the upgrade is complete, reboot the system.
See www.ubuntu.com/getubuntu/upgrading for more detailed instructions on
upgrading Ubuntu.
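Two of the checks this section asks for before you click Upgrade can be scripted: whether any active apt source points outside the repositories Ubuntu controls, and what kind of release Update Manager is set to offer. The following Python script is an added example, not code from the book or from Ubuntu's upgrade tools. It parses sources.list lines in the deb/deb-src form and the Prompt= line that the Show new distribution releases list is assumed to write to /etc/update-manager/release-upgrades (that path and key are assumptions here); the tuple of hosts treated as Ubuntu's own is my choice and should be extended for a local mirror. The sample sources.list is constructed, not taken from a real system.

```python
import glob
import re
import sys

# An active sources.list line: "deb|deb-src [options] URI suite component..."
SOURCE_LINE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")

# Hosts serving the repositories Ubuntu controls (assumption: extend this
# tuple if the system uses an official mirror under another name).
UBUNTU_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com",
                "archive.canonical.com", "extras.ubuntu.com")

# Assumed location and form of the release-type setting behind the
# "Show new distribution releases" list in Software Sources.
RELEASE_UPGRADES_FILE = "/etc/update-manager/release-upgrades"


def parse_sources(text):
    """Yield (kind, uri, suite, components) for each uncommented source line."""
    for line in text.splitlines():
        m = SOURCE_LINE.match(line)
        if m:
            kind, uri, suite, comps = m.groups()
            yield kind, uri, suite, comps.split()


def host_of(uri):
    """'http://us.archive.ubuntu.com/ubuntu/' -> 'us.archive.ubuntu.com'."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", uri, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_ubuntu_host(host):
    """True for an Ubuntu archive host or any subdomain of one (country mirrors)."""
    return any(host == h or host.endswith("." + h) for h in UBUNTU_HOSTS)


def foreign_sources(text):
    """Active source lines pointing outside the Ubuntu archive (PPAs, vendor
    repositories): the packages the release notes warn may corrupt the
    package database and make the upgrade fail."""
    return [(uri, suite) for kind, uri, suite, _ in parse_sources(text)
            if not is_ubuntu_host(host_of(uri))]


def release_prompt(text):
    """Value of Prompt= ('lts', 'normal' or 'never'), or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Prompt="):
            return line.split("=", 1)[1].strip().lower()
    return None


def upgrade_precheck(sources_text, release_upgrades_text, want_lts):
    """Return the warnings to clear before clicking Upgrade in Update Manager."""
    warnings = ["third-party repository: %s %s" % (uri, suite)
                for uri, suite in foreign_sources(sources_text)]
    prompt = release_prompt(release_upgrades_text)
    if prompt == "never":
        warnings.append("Prompt=never: Update Manager will not offer any new release")
    elif want_lts and prompt != "lts":
        warnings.append("Prompt=%s: Update Manager will offer non-LTS releases too" % prompt)
    elif not want_lts and prompt == "lts":
        warnings.append("Prompt=lts: a non-LTS release is only offered by update-manager -c")
    return warnings


# Constructed sample /etc/apt/sources.list, not taken from a real system
SAMPLE_SOURCES = """\
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb http://archive.canonical.com/ubuntu lucid partner
# deb http://archive.canonical.com/ubuntu lucid-backports partner
deb http://ppa.launchpad.net/someteam/ppa/ubuntu lucid main
deb http://repo.example.org/ubuntu lucid non-free
"""
SAMPLE_RELEASE_UPGRADES = "[DEFAULT]\nPrompt=lts\n"   # constructed sample


def read_or(path, default):
    try:
        with open(path) as f:
            return f.read()
    except IOError:
        return default


if __name__ == "__main__":
    # On an Ubuntu system read the real files; elsewhere fall back to the samples.
    sources = read_or("/etc/apt/sources.list", SAMPLE_SOURCES)
    for extra in glob.glob("/etc/apt/sources.list.d/*.list"):
        sources += "\n" + read_or(extra, "")
    prompt_file = read_or(RELEASE_UPGRADES_FILE, SAMPLE_RELEASE_UPGRADES)
    for warning in upgrade_precheck(sources, prompt_file, want_lts="--lts" in sys.argv):
        print("warning: " + warning)
```

Run it with --lts when you intend to move only between LTS releases. Any repository it lists is one whose packages you should remove, or whose source line you should disable, before starting the upgrade; back up the user files first either way.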

INSTALLING KDE
You can install KDE in one of two ways. The first approach installs KDE only: Follow the instructions in Chapter 2 and this chapter but instead of downloading and
burning an Ubuntu CD/DVD, download a Kubuntu CD/DVD from
www.kubuntu.org, burn it, and use that disk to install Linux.
The second approach requires the system to be connected to the Internet and
installs KDE plus a host of other programs (e.g., Amarok, Kate) in addition to
GNOME. After you install Ubuntu as explained in this chapter, use Synaptic
(page 133) or aptitude (page 526) to perform the following steps. This process takes
a while; you will be downloading and installing more than 200 software packages.
1. Ensure the software package database is up-to-date: From Synaptic, click
Reload. To use aptitude, give the command sudo aptitude update from a
command line, terminal emulator, or Run Application window (ALT-F2).
2. Ensure all software packages on the system are up-to-date: From Synaptic,
click Mark All Upgrades and then click Apply. To use aptitude, give the
command sudo aptitude safe-upgrade from a command line, terminal
emulator, or Run Application window (ALT-F2).
3. Install the KDE software: From Synaptic, search for and install the
kubuntu-desktop virtual package (page 526). To use aptitude, give the
command sudo aptitude install kubuntu-desktop from a command line,
terminal emulator, or Run Application window (ALT-F2).


After the software is downloaded, while it is being installed, debconf asks if you
want to use the gdm (GNOME) or kdm (KDE) display manager. Either one works
with either desktop. One way to choose which display manager to use is to select
the one associated with the desktop you will be using most often.
Once KDE is installed, reboot the system. From the Login screen, follow the
instructions on page 145 to display the Sessions drop-down list and select the session you want to run (GNOME or KDE).

SETTING UP A DUAL-BOOT SYSTEM
A dual-boot system is one that can boot one of two (or more) operating systems.
This section describes how to add Ubuntu to a system that can boot Windows,
thereby creating a system that can boot Windows or Linux. You can use the same
technique for adding Ubuntu to a system that runs a different version or distribution of Linux. One issue in setting up a dual-boot system is finding disk space for
the new Ubuntu system. The next section discusses several ways to create the
needed space.

CREATING FREE SPACE ON A WINDOWS SYSTEM
Typically you install Ubuntu Linux in free space on a hard disk. To add Ubuntu
Linux to a Windows system, you must have enough free space on a hard disk that
already holds Windows. There are several ways to provide or create this free
space. The following paragraphs discuss these options in order from easiest to
most difficult.
Add a new hard disk

Add another hard disk to the system and install Linux on the new disk, which
contains only free space. This technique is very easy and clean but requires a new
hard disk.

Use existing free space

If there is sufficient free space on the Windows disk, you can install Linux there.
This technique is the optimal choice, but there is rarely enough free space on an
installed Windows system to use it.

Resize Windows partitions

Windows partitions typically occupy the entire disk, making resizing a Windows
partition the technique most commonly used to free up space. Windows systems
typically use NTFS, FAT32, and/or FAT16 filesystems. You can use the gparted partition editor to examine and resize an existing Windows partition to open up free
space in which to install Linux (page 65). You can also use the ubiquity partition editor while you are installing Ubuntu for the same purpose. See "Install them side-by-side..." on page 70. Before you shrink an NTFS partition, shut Windows down normally (do not hibernate it): both editors rely on ntfsresize, which refuses to touch a volume that Windows left marked as in use.

Remove a Windows partition

If you can delete a big enough Windows partition, you can install Linux in its place.
To delete a Windows partition, you must have multiple partitions under Windows
and be willing to lose the data in the partition you delete. In many cases, you can
preserve the data by moving it from the partition you will delete to another Windows partition.
Once you are sure a partition contains no useful information, you can use gparted
(page 66) or palimpsest (page 69) to delete it. After deleting the partition, you can
install Ubuntu Linux in the free space opened by removal of the partition.

INSTALLING UBUNTU LINUX AS THE SECOND OPERATING SYSTEM
When enough free space on a Windows system is available (see the previous section), you can install Ubuntu Linux. On the ubiquity Prepare disk space screen, select
Use the largest continuous free space (page 71). Alternatively, if you are installing
Ubuntu on its own hard disk, select Erase and use the entire disk (page 71) and click
the radio button next to the disk you want to install Ubuntu on. Click Forward.
After the installation is complete, when you boot from the hard disk, you will be
able to choose which operating system you want to run.

ADVANCED INSTALLATION
This section explains how to install Ubuntu from each of the four disk menus: the
DVD menu, the Desktop CD menu, the Alternate CD menu, and the Server CD
menu. It also describes using the Ubuntu textual installer from the DVD.
Each menu screen includes a menu centered on the screen and a list of function key
names and labels along the bottom. Figure 3-3 on page 54 shows the DVD menu
screen.
The DVD menu The Ubuntu DVD includes most of the selections from each of the CDs and includes
all software packages supported by Ubuntu, not just those installed by default. If
the system you are installing is not connected to the Internet, you can install software packages from the DVD but you will have no way to update the system.
The Desktop CD menu The Desktop CD can bring up a live session, install Ubuntu on a hard disk, and rescue a broken system.
The Server CD menu The Server CD uses the textual installer (page 85) to install a minimal system with a
textual interface and no open ports. The installed system is appropriate for a server.
The Alternate CD menu The Alternate CD uses the textual installer (page 85) to install a system that uses a
graphical interface or one that uses a textual interface. It is not a live CD (i.e., it
does not bring up a desktop to install from). The textual installer does not require
as much RAM to install Ubuntu and presents more installation options than the
graphical installer.
Ubuntu displays the language overlay (page 54) on top of each of these four menus.
After you select a language from the overlay, you can work with the disk menu. The
language you select from the language overlay is the default language. As you install
Ubuntu, you can change the default language from the Welcome screen (page 58).


THE DISK MENU SCREENS
Each of the four disk menus holds different selections. In addition, the F4 key displays different selections from each of these menus. This section discusses each of
the menu selections and describes what happens when you press each of the function keys from each of these menus. The final part of this section covers boot command-line parameters.

MENU SELECTIONS
The Minimal CD (page 32) does not display a menu, but rather displays a boot:
prompt. Enter linux RETURN to start a textual installation from this disk or enter help
RETURN to display more information.
Table 3-1 details the menu selections available from each installation disk. The following paragraphs describe what each menu selection does. With the Try Ubuntu
without installing and Install Ubuntu selections, you can further modify the installation by pressing F4. Pressing F4 while Install Ubuntu in text mode is highlighted on
the DVD menu also modifies the installation. See "F4 Modes" on page 80 for more
information.
Try Ubuntu without installing—Boots to a live session (page 52). You can install
Ubuntu from a live session.
Install Ubuntu—Boots an X session with the Metacity window manager and ubiquity
installer, rather than launching a full GNOME desktop. For systems with minimal
RAM, this selection installs Ubuntu more quickly than installing from a live session.
Table 3-1 Menu selections on Ubuntu CD/DVD

Menu selection                     DVD   Desktop   Server   Alternate
Try Ubuntu without installing      X     X
Install Ubuntu                     X     X                  Xa
Install Ubuntu in text mode        X
Check disc for defects             X     X         X        X
Test memory                        X     X         X        X
Boot from first hard disk          X     X         X        X
Rescue a broken system             Xa              Xa       Xa
Install Ubuntu Server              Xa              Xa
Install Ubuntu Enterprise Cloud    X               Xa

a. Runs in text mode.


Install Ubuntu in text mode—Installs a graphical Ubuntu system using the debian-installer textual installer. For more information refer to "The Ubuntu Textual
Installer" on page 85.
Check disc for defects—Verifies the contents of the CD/DVD you are booting from;
see the tip on page 56. Ubuntu reboots the system after checking the disk.
Test memory—Runs memtest86+, a GPL-licensed, stand-alone memory test utility
for x86-based computers. Press C to configure the test; press ESCAPE to exit and
reboot. For more information see www.memtest.org.
Boot from first hard disk—Boots the system from the first hard disk. This selection
frequently has the same effect as booting the system without the CD/DVD
(depending on how the BIOS [page 28] is set up).
Rescue a broken system—Provides tools to repair a system that will not boot or that
has a problem with the filesystem mounted at / (root). See page 83.
Install Ubuntu Server—Installs a textual Ubuntu server system using the textual
installer. For more information refer to "The Ubuntu Textual Installer" on page 85.
During the installation, the installer displays the Software selection screen, which
asks if you want to install various servers, including a DNS server (Chapter 24), a
LAMP server (includes Apache [Chapter 26], MySQL [page 628], and PHP), an
OpenSSH server (Chapter 18), a Samba server (Chapter 23), and others. Use the
ARROW keys to move the highlight to the space between the brackets ([ ]) and press the
SPACE bar to select a choice.
Install Ubuntu Enterprise Cloud—Brings up a private cloud. For more information
see www.ubuntu.com/cloud/private.
The boot: prompt You can press ESCAPE from any of these menus to display a boot: prompt.

THE FUNCTION KEYS
Along the bottom of each menu screen is a row of labeled function key names.
Pressing each function key displays information or a menu that may be helpful if
you experience a problem while booting Ubuntu or working in a live session. Some
of the keys allow you to change boot parameters.
F1 Help The F1 key displays the help window shown in Figure 3-21 (next page). Pressing a
function key while this window is visible displays yet another help window. Pressing
a function key when this window is not displayed has the effect described in the following paragraphs. Press ESCAPE to close the help window.
F2 Language The F2 key displays the language overlay (Figure 3-1, page 52). Use the ARROW keys to
highlight the language you want the live session or the installer/installed system to
use and press RETURN. Ubuntu gives you the opportunity to change this selection for
the installed system as you install the system.
F3 Keymap The F3 key displays a country overlay. Use the ARROW keys to highlight the country of
the keyboard layout you want the live session or the installer/installed system to use
and press RETURN. Ubuntu gives you the opportunity to change this selection as you
install the system.

Figure 3-21 The Menu screen, F1 help window
F4 Modes The F4 key displays a different set of startup modes depending on which CD/DVD you
booted from. The F4 key is effective only when either the Try Ubuntu without installing or Install Ubuntu selection is highlighted. An exception is when you are installing
from the live/install DVD and the Install Ubuntu in text mode selection is highlighted. See Table 3-2 for a list of which modes are available from which CD/DVD.
Following is a list of all available modes:
• Normal—Starts Ubuntu in normal mode, as though you had not
pressed F4.
• OEM install (for manufacturers)—Allows a manufacturer or reseller to
preinstall Ubuntu but leaves some configuration details, such as creation
of a user account, to the purchaser.
• Use driver update disk—Installs Ubuntu with an updated driver.
• Install an LTSP server—Installs a Linux Terminal Server Project server. For
more information refer to "Diskless systems" on page 774.
• Install a command-line system—Installs a textual Ubuntu system (no
graphical interface [GUI] or desktop; only a textual interface [page 30]).
• Install a minimal system—Installs the absolute minimum set of packages
required for a working Ubuntu system as specified by the ubuntu-minimal
virtual package (page 526). In earlier releases, this setup was called JeOS;
it is useful for routers and other systems that must occupy minimal disk
space. Contrast a minimal system with the default server system, which
installs additional packages such as Python and rsync.

• Install a minimal virtual machine—Installs a virtual machine (page 8) that
will use the least amount of disk space possible.
• Install a server—Installs a Ubuntu server. With this selection you will be
prompted for the type of server(s) you want to install.

Table 3-2 F4 selections on the CD/DVD with the Try Ubuntu or Install Ubuntu selection highlighted
(columns: DVD, DVDa, Desktop, Server, Alternate)
Normal: X X X X X
OEM install (for manufacturers): X X X X X
Use driver update disk: X X
Install an LTSP server: X X
Install a command-line system: X X
Install a minimal system: X
Install a minimal virtual machine: X X
Install a server:
a. With Install in text mode highlighted.
F5 Accessibility

The F5 key displays a list of features, such as a high-contrast display and a Braille
terminal, that can make Ubuntu more accessible for some people. Use the ARROW keys
to highlight the feature you want the live session or the installer/installed system to
use and press RETURN.

F6 Other Options

The F6 key displays part of the boot command line and a drop-down list holding a
menu of parameters (Figure 3-22). Use the ARROW keys to highlight the parameter
you want to add to the boot command line (discussed in the next section) and press
RETURN to select the highlighted parameter. Press ESCAPE to close the list.
With the drop-down list closed, the ARROW keys can once again be used to move the
highlight on the disk menu; the boot command line changes to reflect the highlighted
selection.

Figure 3-22 The Desktop menu screen after pressing F6
On the Alternate and Server CDs, F6 also offers Expert mode. When you select
this mode, the installer asks more questions about how you want to configure the
system.
One special selection in this menu is Free software only. This selection installs free
software only; it does not install proprietary software, including proprietary device
drivers.
Alternatively, you can enter the parameters you wish to add after the double hyphen
at the end of the displayed portion of the boot command line and press RETURN to
boot the system. If you remove quiet and splash from this line, Ubuntu displays
information about what it is doing while it boots (page 57).

BOOT COMMAND-LINE PARAMETERS (BOOT OPTIONS)
Following are some of the parameters you can add to the boot command line (see
"F6 Other Options" on the previous page). You can specify multiple parameters separated by SPACES. See help.ubuntu.com/community/BootOptions (Common Boot
Options) and The Linux BootPrompt-HowTo for more information.
noacpi Disables ACPI (Advanced Configuration and Power Interface). Useful for systems
that do not support ACPI or that have problems with their ACPI implementation.
Also acpi=off. The default is to enable ACPI.
noapic Disables APIC (Advanced Programmable Interrupt Controller). The default is to
enable APIC.
noapm Disables APM (Advanced Power Management). Also apm=off. The default is to
enable APM.
nodmraid Disables DMRAID (Device-Mapper Software Raid), also called fake raid (page 41).
The default is to enable DMRAID.
edd=on Enables EDD (BIOS Enhanced Disk Drive services).
noframebuffer Turns off the framebuffer (video memory). Useful if problems occur when the
graphical phase of the installation starts. Particularly useful for systems with LCD
displays. Also framebuffer=false.
irqpoll Changes the way the kernel handles interrupts.
nolapic Disables local APIC. The default is to enable local APIC.
nomodeset Disables KMS (kernel-mode-setting technology), which may help some older
graphics chips work properly. Include this parameter if the display does not work
properly as you boot from a CD/DVD.
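Once a system is up, the parameters that actually reached the kernel can be read back from /proc/cmdline, which is the quickest way to confirm that an option typed at the boot prompt took effect. The following POSIX shell script is an added example, not code from the book: boot_param looks a single option up on the command line (or on a string passed to it), printing "set" for a bare flag such as nomodeset and the value for a key=value option such as acpi=off; acpi_disabled and boot_is_quiet show how the two spellings the list gives for disabling ACPI, and the quiet/splash pair mentioned under F6, are checked together. SAMPLE_CMDLINE is a constructed line in the shape of the one the F6 screen displays, not a real capture.

```shell
#!/bin/sh
# Added example: inspect which boot options took effect by parsing the kernel
# command line (/proc/cmdline on a running system, or a string for testing).

# Constructed command line in the style shown after pressing F6 (not a real capture).
SAMPLE_CMDLINE='BOOT_IMAGE=/casper/vmlinuz boot=casper quiet splash -- nomodeset acpi=off'

# boot_param NAME [CMDLINE]
# Prints "set" for a bare flag (nomodeset) or the value for NAME=VALUE (acpi=off -> off).
# Returns 0 when NAME is present, 1 when it is absent. Reads /proc/cmdline if no
# CMDLINE string is given.
boot_param() {
    name=$1
    cmdline=${2:-$(cat /proc/cmdline)}
    result=
    found=1
    set -f                          # no pathname expansion while splitting into words
    for word in $cmdline; do
        case $word in
            "$name")   result=set;        found=0; break ;;
            "$name"=*) result=${word#*=}; found=0; break ;;
        esac
    done
    set +f
    [ "$found" -eq 0 ] && printf '%s\n' "$result"
    return "$found"
}

# ACPI is disabled if either spelling from the list above is present.
acpi_disabled() {
    boot_param noacpi "$1" >/dev/null && return 0
    [ "$(boot_param acpi "$1")" = off ]
}

# Boot messages are hidden only when both quiet and splash are present.
boot_is_quiet() {
    boot_param quiet "$1" >/dev/null && boot_param splash "$1" >/dev/null
}

# Print every option from the list above that appears on the given command line.
summarize() {
    line=$1
    for opt in noacpi acpi noapic noapm apm nodmraid edd noframebuffer framebuffer \
               irqpoll nolapic nomodeset quiet splash; do
        value=$(boot_param "$opt" "$line") && printf '%-13s %s\n' "$opt" "$value"
    done
}

# Stand-alone use: pass "$(cat /proc/cmdline)" instead of the sample to audit the live system.
summarize "$SAMPLE_CMDLINE"
```

On the sample line the summary reports acpi off, nomodeset set, quiet set and splash set; the same functions work on any string, so a constructed line can be used to check a planned boot option before rebooting with it.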

Figure 3-23 Selecting the root filesystem while rescuing a broken system

VIRTUAL CONSOLES
While it is running, Ubuntu opens a shell on each of the six virtual consoles (also
called virtual terminals; page 149). You can display a virtual console by pressing
CONTROL-ALT-Fx, where x is the virtual console number and Fx is the function key that
corresponds to the virtual console number.
At any time during the installation, you can switch to a virtual console and give
shell commands to display information about processes and files. Do not give commands that change any part of the installation process. To switch back to the graphical installation screen, press CONTROL-ALT-F7. To switch to the textual (pseudographical)
installation screen, press CONTROL-ALT-F1.

RESCUING A BROKEN SYSTEM
Rescuing a broken system versus recovery mode (tip)
To rescue a broken system, boot Ubuntu from an Alternate CD, a Server CD, or a live/install DVD,
and select Rescue a broken system from the Disk menu. Ubuntu displays the pseudographical
Rescue Operations menu (Figure 3-24). This section explains how to rescue a broken system.
When you bring a system up in recovery mode (classically called single-user mode), Ubuntu
boots from the hard disk and displays the pseudographical Recovery menu (Figure 11-2,
page 447) as explained on page 445.
The Rescue a broken system selection on the Alternate CD, Server CD, and
live/install DVD brings up Ubuntu but does not install it. After beginning a textual
installation (page 85), asking a few questions, and detecting the system's disks and
partitions, Ubuntu presents a menu from which you can select the device you want
to mount as the root filesystem (Figure 3-23).
Use the ARROW keys to highlight the device holding the filesystem you want Ubuntu to
mount as the root filesystem while you are rescuing it. If you choose the wrong
device, you can easily return to this menu and select a different device. Press RETURN
to select the highlighted device.

Figure 3-24 The Rescue Operations menu (Execute a shell in /dev/sda1, Execute a shell in the installer environment, Reinstall GRUB boot loader, Choose a different root file system, Reboot the system)

Once you select a device, Ubuntu displays the Rescue Operations menu (Figure 3-24).
The following paragraphs list the selections on the Rescue Operations menu:
• Execute a shell in /dev/xxx—Mounts the device you selected (/dev/xxx) as
/ (root) and spawns a root shell (e.g., dash or bash; Chapter 7) if a shell is
available on the mounted device. You are working with root privileges
(page 98) and can make changes to the filesystem on the device you
selected. You have access only to the shell and utilities on the mounted filesystem, although you may be able to mount other filesystems. If the
mounted filesystem does not include a shell, you must use the next selection. Give an exit command to return to the Rescue Operations menu.
• Execute a shell in the installer environment—Mounts the device you
selected (/dev/xxx) as /target; runs Busybox (www.busybox.net), a size- and resource-optimized collection of Linux-like utilities; and spawns a
shell. You are running a minimal Busybox shell with root privileges
(page 98). You have access to the many BusyBox utilities and can use nano
to edit files, but some familiar utilities may not be available and others
may take fewer parameters than their Linux counterparts. You can make
changes to the filesystem on the device you selected, which is mounted on
/target. You can mount other filesystems. Give an exit command to return
to the Rescue Operations menu.
• Reinstall the GRUB boot loader—Updates the GRUB boot loader by
prompting for a device and running update-grub (page 587) and grub-install
(page 589) to update GRUB and install it on the device you specify. A typical system has GRUB installed on the MBR (master boot record) of the
first hard disk (e.g., /dev/sda). This selection will not upgrade from GRUB
legacy to GRUB 2; see the tip on page 584.
• Choose a different root file system—Returns to the previous step where
you can select a filesystem to work with.
• Reboot the system—Reboots the system. Remove the CD/DVD if you
want to boot from the hard disk.
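The Rescue Operations menu does the mounting and runs update-grub and grub-install for you. The following POSIX shell script is an added example, not the book's or the installer's own code, of the same sequence done by hand from a rescue shell or live session: mount the chosen root filesystem on /target, mount a separate /boot partition if there is one, bind-mount /dev, /proc and /sys so grub-install can probe devices from inside the chroot, then run grub-install against the boot disk and update-grub to regenerate the menu. The device names are placeholders for the example. DRY_RUN is 1 unless set otherwise, so running the script only prints the commands it would execute; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example: the manual equivalent of "Execute a shell in the installer
# environment" followed by "Reinstall the GRUB boot loader". Device names are
# placeholders. DRY_RUN defaults to 1 (print the commands); DRY_RUN=0 runs them.
DRY_RUN=${DRY_RUN:-1}
TARGET=${TARGET:-/target}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reinstall_grub ROOT_PARTITION BOOT_DISK [BOOT_PARTITION]
#   e.g. reinstall_grub /dev/sda1 /dev/sda            (no separate /boot)
#        reinstall_grub /dev/sda2 /dev/sda /dev/sda1  (separate /boot partition)
reinstall_grub() {
    root_part=$1
    boot_disk=$2
    boot_part=$3
    if [ "$DRY_RUN" != 1 ]; then
        # Only root can mount and write a boot sector; refuse anything that is not a block device.
        [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
        for dev in "$root_part" "$boot_disk" ${boot_part:+"$boot_part"}; do
            [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
        done
    fi
    run mkdir -p "$TARGET"
    run mount "$root_part" "$TARGET"
    # A separate /boot must be mounted before GRUB writes its files there.
    [ -n "$boot_part" ] && run mount "$boot_part" "$TARGET/boot"
    # GRUB probes devices through these pseudo-filesystems inside the chroot.
    for fs in dev proc sys; do
        run mount --bind "/$fs" "$TARGET/$fs"
    done
    run chroot "$TARGET" grub-install "$boot_disk"   # writes GRUB to the MBR of BOOT_DISK
    run chroot "$TARGET" update-grub                 # regenerates grub.cfg from the installed kernels
    for fs in sys proc dev; do
        run umount "$TARGET/$fs"
    done
    [ -n "$boot_part" ] && run umount "$TARGET/boot"
    run umount "$TARGET"
}

# Stand-alone use: sh rescue-grub.sh ROOT_PARTITION BOOT_DISK [BOOT_PARTITION]
if [ "$#" -ge 2 ]; then
    reinstall_grub "$@"
fi
```

Reviewing the printed plan first is the point of the dry run: the order (root mounted, /boot mounted, bind mounts, grub-install, update-grub, unmounts in reverse) is what the menu selection performs, and a wrong BOOT_DISK would otherwise overwrite another disk's MBR.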

Figure 3-25 The Ubuntu installer main menu (Choose language, Configure the keyboard, Detect and mount CD-ROM, Load debconf preconfiguration file, Load installer components from CD, Detect network hardware, Configure the network, Configure the clock, Detect disks, Partition disks, Install the base system, Set up users and passwords, Configure the package manager, Select and install software, Install the GRUB boot loader on a hard disk, Install the LILO boot loader on a hard disk, Continue without boot loader, Finish the installation, Change debconf priority, Check the CD-ROM(s) integrity, Save debug logs)

THE UBUNTU TEXTUAL INSTALLER
The Ubuntu textual installer (debian-installer) gives you more control over the
installation process than the Ubuntu graphical installer (page 57) does. The textual
installer displays a pseudographical (page 30) interface and uses fewer system
resources, including less RAM, than the graphical installer does, making it ideal for
older systems. You can install either a graphical (desktop) or textual (command-line) system using the textual installer, depending on which CD/DVD you use and
which selections you make from the disk menu and the F4 menu.
Many of the screens the textual installer displays parallel the screens displayed by
the graphical installer. Within the textual installer's screens, TAB moves between
items, the ARROW keys move between selections in a list, and RETURN selects the highlighted item and causes the installer to display the next screen. A few screens include
brackets ([ ]) that function similarly to check boxes; they use an asterisk in place of
a tick. Use the ARROW keys to move the highlight to the space between the brackets.
Press the SPACE bar to place an asterisk between the brackets and select the adjacent
choice. Press the SPACE bar again to remove the asterisk.
The textual installer main menu (the contents of this menu vary—Figure 3-25
shows an example) allows you to go directly to any step of the installation process
or enter recovery mode (see "Rescuing a Broken System" on page 83). At the lower-left
corner of most textual installer screens is <Go Back>. See Figure 3-26 for an
example. Use the TAB key to highlight this item and press RETURN to display the Ubuntu
installer main menu. You may have to back up through several screens to display
this menu.

Figure 3-26 The Choose a language screen
The first screen the textual installer displays is Choose a language (Figure 3-26). Use
the UP and DOWN arrow keys to select a language. You can type the first letter of the
language to move the highlight to the vicinity of the language you want to choose.
This language will be the default language for the installer/installed system; you can
change the default once the system is installed (page 145). Press RETURN to select the
highlighted language and display the next screen.
The installer steps through a series of screens, each of which has an explanation and
asks a question. Use the ARROW keys and/or TAB key to highlight an answer or selection
and press RETURN to make a selection on each of the screens. After a few screens, the
installer detects and installs programs from the CD/DVD, detects the network hardware, and configures it with DHCP (if available).
As it is configuring the network, the installer asks you for the hostname of the system you are installing. For use on a local network and to connect to the Internet
with a Web browser or other client, you can make up a simple name. If you are setting up a server, see "FQDN" on page 823 for information on names that are valid
on the Internet.
After this step, the installer asks which time zone the computer is in, continues
detecting hardware, starts the partition editor, and displays the Partitioning method
screen (Figure 3-27). Many of the selections available from the textual partition editor parallel those available from the graphical partition editor. This section
describes how to use the textual partition editor to partition a hard disk manually.

Figure 3-27 The Partitioning method screen

Page 70 describes guided partitioning using the graphical partition editor. Guided
partitioning using the textual installer is similar but offers more options.

MANUAL PARTITIONING
When you select Manual from the Partitioning method screen (Figure 3-27), the
textual partition editor displays the Partition overview screen, which lists the hard
disks in the system and partitions on those disks. If a hard disk has no partitions,
the partition editor displays only information about the hard disk. Figure 3-28
shows a single 200-gigabyte hard disk (highlighted) that has no partition table (and
no partitions). (Note: 214.7 GB equals 200 GiB—Figure 3-28 should show GiB in
place of GB. See the tip on page 37.)
If you want to set up RAID, see page 91 before continuing.
Creating a partition table

If the Partition overview screen shows no partitions and no free space on a hard
disk, as it does in Figure 3-28, the hard disk does not have a partition table: You
need to create one. If this screen shows at least one partition or some free space, the
disk has a partition table and you can skip this step and continue with "Creating a
partition" on the next page.
Figure 3-28 The Partition overview screen I

Figure 3-29 The Partition overview screen II

The iSCSI (page 1155) selection creates a partition on a remote system.
To create a partition table, highlight the disk you want to create a partition table on
and press RETURN. The installer asks if you want to create a new partition table on the
device and warns that doing so will destroy all data on the disk. Highlight Yes and
press RETURN. The installer displays the Partition overview screen showing the disk with
a single block of free space as large as the disk (Figure 3-29). The Partition overview
screen displays additional choices because the hard disk now has a partition table.
Creating a partition

To create a partition, highlight the line containing the words FREE SPACE and press
RETURN. The partition editor asks how you want to use the free space; highlight Create
a new partition and press RETURN. Next the partition editor asks you to specify the size
of the new partition. You can enter either a percentage (e.g., 50%) or a number of
gigabytes followed by GB (e.g., 30 GB). Press RETURN. The partition editor then asks
you to specify the type of the new partition (primary or logical; page 34) and asks
whether you want to create the partition at the beginning or the end of the free
space. It does not usually matter where you create the partition. After answering
each of these questions, press RETURN. The partition editor then displays the Partition
settings screen (Figure 3-30).

Ubuntu officially supports ext3 and ext4 filesystems only (caution)
The ext3 and ext4 filesystems are the only type of filesystems officially supported by Ubuntu
(other than swap). Set up other types of filesystems—such as JFS, XFS, or reiserfs—only if you
know what you are doing. Filesystems other than ext3 and ext4 may be more likely to become corrupted when the system crashes and may exhibit unusual performance characteristics (e.g., XFS
runs slowly with small files and may take a long time to upgrade).
To change a setting on the Partition settings screen, use the ARROW keys to move the
highlight to the setting you want to change and press RETURN. The partition editor
displays a screen that allows you to change the setting.
Specifying a partition type (Use as)

The first line, labeled Use as, allows you to specify the type of filesystem the installer
creates on the partition. This setting defaults to ext4, which is a good choice for most
filesystems. If you want to change the filesystem type, move the highlight to
this line and press RETURN; the installer displays the How to use this partition screen
(Figure 3-31). You can select ext2 for /boot and /usr, swap area (page 37), RAID
(page 91), LVM (page 41), or another type of filesystem. Table 12-1 on page 505
lists some common types of filesystems. Move the highlight to the selection you want
and press RETURN. The partition editor redisplays the Partition settings screen, which
now reflects the selection you made. For a swap area, there is nothing else to set up;
skip to "Done setting up the partition" on the next page.

Figure 3-30 The Partition settings screen (Use as: Ext4 journaling file system; Mount point: /; Mount options: defaults; Label: none; Reserved blocks: 5%; Typical usage: standard; Bootable flag: off)
Specifying a mount point

The mount point defaults to / (root). To change the mount point for the filesystem,
highlight the line labeled Mount point and press RETURN. The partition editor displays a
screen that allows you to specify a mount point (Figure 3-32). Select a mount point; if
the mount point you want to use is not listed, select Enter manually. Press RETURN.

Figure 3-31 The How to use this partition screen (Ext4 journaling file system, Ext3 journaling file system, Ext2 file system, ReiserFS journaling file system, JFS journaling file system, XFS journaling file system, FAT16 file system, FAT32 file system, swap area, physical volume for encryption, physical volume for RAID, physical volume for LVM, do not use the partition)

Figure 3-32 The Mount point for this partition screen (/, /boot, /home, /tmp, /usr, /var, /srv, /opt, /usr/local, Enter manually, Do not mount it)
The bootable flag

Typically the only other setting you need to change is the bootable flag. Turn this
flag on for the /boot partition if the system has one; otherwise, turn it on for the /
(root) partition. To change the state of the bootable flag, highlight the line labeled
Bootable flag on the Partition settings screen and press RETURN. After a moment, the
partition editor redisplays the screen, now showing the changed state of this flag.

Done setting up the partition

When you are satisfied with the partition settings, highlight Done setting up the
partition and press RETURN. The partition editor displays the Partition overview
screen showing the new partition setup. To create another partition, repeat the steps
starting with "Creating a partition" on page 88. To modify a partition, highlight
the partition and press RETURN.

Writing the partitions to disk

When you are satisfied with the design of the partition table(s), highlight Finish partitioning and write changes to disk and press RETURN. After giving you another chance
to back out, the partition editor writes the partitions to the hard disk.

Continuing the installation

The installer continues by installing the base system and asking you to set up a user
account. It gives you the option of setting up an encrypted home directory and specifying an HTTP proxy and continues installing the system.

Specifying software packages

Next the installer displays the Software selection screen (Figure 3-33), which allows
you to specify the packages to be installed. The Ubuntu desktop package is specified
by default. Use the ARROW keys to move the highlight and use the SPACE bar to add and
remove the asterisk next to each selection. The asterisk indicates an item is selected.
The last selection, Manual package selection, installs the selected packages; you can
install additional packages once the system has been installed.

Figure 3-33 The Software selection screen (Basic Ubuntu server, DNS server, LAMP server, Mail server, OpenSSH server, PostgreSQL database, Print server, Samba file server, Tomcat Java server, Ubuntu Enterprise Cloud (instance), Virtual Machine host, Ubuntu desktop, Manual package selection)

GRUB

The Configuring grub-pc screen asks you to confirm that you want to write the
boot loader to the MBR (master boot record) of the first hard drive. Unless you
have another boot manager in the MBR, such as Smart Boot Manager, another
operating system's GRUB, or the Windows 7 bootmgr boot loader, and want to
manually edit that boot manager to boot Ubuntu from the boot sector on the
Ubuntu partition, choose to write the boot loader to the MBR. When all selections
are correct, highlight Yes and press RETURN.

Finishing the installation

Finally the installer asks if the system clock is set to UTC (page 1179). When the
installer displays the Installation Complete window, remove the CD/DVD and click
Continue to reboot the system.

SETTING UP A RAID ARRAY
To set up a RAID array (page 40), you must first create two or more partitions of
the same size. Usually these partitions will be on different hard disks. You create
RAID partitions as explained in the preceding section, except instead of making the
partitions of type ext4 or swap, you declare each to be a RAID volume. (RAID partitions are referred to as volumes.) Once you have two or more RAID volumes, the
partition editor allows you to combine these volumes into a RAID array that looks
and acts like a single partition.
The following example uses 100 gigabytes from each of two new hard disks to set
up a 100-gigabyte RAID 1 array that is mounted on /home. Follow the instructions
on page 87 to create a new partition table on each hard disk. Then create two 100-gigabyte partitions, one on each disk. When the partition editor displays the How
to use this partition screen (Figure 3-31, page 89), follow the instructions on
page 88 and specify a partition type of physical volume for RAID.

Figure 3-34 The partition editor ready to set up RAID

Figure 3-34 shows the partition editor screen after setting up the RAID volumes. Once
you have at least two RAID volumes, the partition editor adds the Configure software
RAID selection as the top line of its menu (this line is highlighted in Figure 3-34).
Highlight Configure software RAID, press RETURN, and confirm you want to write
changes to the hard disk. From the next screen, select Create MD device (MD
stands for multidisk) and press RETURN. Then select RAID 0, 1, 5, 6, or 10 and press
RETURN. The different types of RAID arrays are described on page 41. The partition
editor then asks you to specify the number of active devices (2) and the number of
spares (0) in the RAID array. The values the partition editor enters in these fields are
based on your previous input and are usually correct. Next select the active devices
for the RAID array (use the SPACE bar to put an asterisk before each device;
Figure 3-35) and press RETURN.
Figure 3-35 Specifying the active devices in the RAID array


Figure 3-36 The finished partition tables

Highlight Finish on the next screen (the one that asks if you want to create an MD
device again) and press RETURN. Now you need to tell the installer where to mount the
RAID array. Highlight the RAID array. In the example, this line contains #1 100.0
GB (this line is highlighted in Figure 3-36, but is shown after the partition is created). Press RETURN. Highlight Use as: do not use and press RETURN. The installer displays the How to use this partition screen (Figure 3-31, page 89). Highlight the type
of filesystem you want to create on the RAID array (typically ext4) and press RETURN.
Continue to set up the RAID array as you would any other partition by following
the instructions under "Creating a partition" on page 88. In the example, the full
100 gigabytes is used for an ext4 filesystem mounted on /home.
To complete this example, create a bootable / (root) partition using the rest of the
free space on the first drive and a 4-gigabyte swap partition on the second drive.
Figure 3-36 shows the Partition overview screen that includes these changes. Highlight Finish partitioning and write changes to disk (you may have to scroll down to
expose this line) and press RETURN.

CHAPTER SUMMARY
Most installations of Ubuntu Linux begin by booting from the live/install DVD or
the live/install Desktop CD and running a live session that displays a GNOME
desktop. To start the installation, double-click the object on the desktop labeled
Install.


Ubuntu provides a graphical installer (ubiquity) on the live/install Desktop CD/DVD;
it offers a textual installer (debian-install) on the Alternate and Server CDs and the
DVD. Both installers identify the hardware present in the system, build the filesystems, and install the Ubuntu Linux operating system. The ubiquity installer does not
write to the hard disk until it displays the Ready to install screen or warns you it is
about to write to the disk. Until that point, you can back out of the installation
without making any changes to the hard disk.
A dual-boot system can boot one of two operating systems—frequently either Windows or Linux. You can use the GNOME Partition Editor (gparted) or the GNOME
Disk Utility (palimpsest) from a live session to examine the contents of a hard disk
and to resize partitions to make room for Ubuntu when setting up a dual-boot system. During installation from a live session, you can use the ubiquity partition editor
to add, delete, and modify partitions.

EXERCISES
1. How do you start a live session? List two problems you could encounter
and explain what you would do to fix them.
2. What steps should you take before you start a live session the first time or
install Ubuntu with a new CD/DVD? How would you do it?
3. What is guided partitioning?
4. What is ubiquity?
5. Describe the ubiquity partition editor. How does it differ from the partition
editor found on the Alternate and Server CDs?
6. When is it beneficial to use an ext2 filesystem instead of an ext4 filesystem?

ADVANCED EXERCISES
7. What is a virtual console? During installation, for what purposes can you
use a virtual console? If the system is displaying a virtual console, how do
you display the graphical installation screen instead?
8. What steps would you take to have the system display all the things it is
doing as it boots from a live/install Desktop CD/DVD?

PART II
GETTING STARTED WITH UBUNTU LINUX
CHAPTER 4 INTRODUCTION TO UBUNTU LINUX . . . 97
CHAPTER 5 THE LINUX UTILITIES . . . 159
CHAPTER 6 THE LINUX FILESYSTEM . . . 199
CHAPTER 7 THE SHELL . . . 237


4
INTRODUCTION TO UBUNTU LINUX
IN THIS CHAPTER
Curbing Your Power: root Privileges/sudo . . . 98
A Tour of the Ubuntu Desktop . . . 99
Mouse Preferences . . . 105
Using Nautilus to Work with Files . . . 107
The Update Manager . . . 112
Updating, Installing, and Removing Software Packages . . . 131
Where to Find Documentation . . . 136
More About Logging In . . . 144
What to Do If You Cannot Log In . . . 146
Working from the Command Line . . . 150
Controlling Windows: Advanced Operations . . . 153

One way or another you are sitting in front of a computer that
is running Ubuntu Linux. After describing root (Superuser)
privileges, this chapter takes you on a tour of the system to
give you some ideas about what you can do with it. The tour
does not go into depth about choices, options, menus, and so
on; that is left for you to experiment with and to explore in
greater detail in Chapter 8 and throughout later chapters of
this book. Instead, this chapter presents a cook's tour of the
Linux kitchen: As you read it, you will have a chance to sample
the dishes that you will enjoy more fully as you read the rest of
this book.
Following the tour is a section that describes where to find
Linux documentation (page 136). The next section offers
more about logging in on the system, including information
about passwords (page 144). The chapter concludes with a
more advanced, optional section about working with Linux
windows (page 153).
Be sure to read the warning about the dangers of misusing the
powers of root (sudo) in the next section. While heeding that
warning, feel free to experiment with the system: Give commands, create files,
click objects, choose items from menus, follow the examples in this book, and
have fun.

root account
tip Most Linux systems include an account for a user named root. This user has special privileges and
is sometimes referred to as Superuser. On a classic system a user can log in and work as root by
providing the root password.
As installed, Ubuntu has a root account but no password for the account: The root account is
locked. The next section explains how you can use sudo and provide your password to run a
command with root privileges. This book uses the phrase "working with root privileges" to
distinguish this temporary escalation of privileges from the classic scenario wherein a user
can work with root privileges for an entire session. See page 419 for more information on root
privileges.

CURBING YOUR POWER: root PRIVILEGES/sudo
When you enter your password to run a program (not when you log in on the
system) or when you use sudo from the command line, you are working with
root privileges and have extraordinary systemwide powers. A person working
with root privileges is sometimes referred to as Superuser or administrator. When
working with root privileges, you can read from or write to any file on the system, execute programs that ordinary users cannot, and more. On a multiuser
system you may not be permitted to run certain programs, but someone—the
system administrator—can,
and that person maintains the system. When you are
running Linux on your own computer, the first user you set up, usually when
you install Ubuntu, is able to use sudo and its graphical counterpart, gksudo, to
run programs with root privileges.

Who is allowed to run sudo?
security The first user you set up when you install Ubuntu can administer the system: This user can
use sudo to execute any command. When you add user accounts, you can specify whether
they are allowed to administer the system. See page 594 and Figure 16-3 on page 596 for
more information.
In this chapter and in Chapter 8, when this book says you have to enter your password, it assumes
you have permission to administer the system. If not, you must get an administrator to perform
the task.
There are two primary ways to gain root privileges. First, when you start a program
that requires root privileges, a dialog box pops up asking you to Enter your password
to perform administrative tasks. After you enter your password, the program runs
with root privileges. Second, if you use the sudo utility (for textual applications;
page 421) or gksudo utility (for graphical applications; page 423) from the command
line (such as from a terminal emulator; page 125) and provide your password, the
command you enter runs with root privileges. In both cases you cease working with
root privileges when the command finishes or when you exit from the program you
started with root privileges. For more information refer to "Running Commands with
root Privileges" on page 419.

Do not experiment while you are working with root privileges
caution Feel free to experiment when you are not working with root privileges. When you are working with
root privileges, do only what you have to do and make sure you know exactly what you are doing.
After you have completed the task at hand, revert to working as yourself. When working with root
privileges, you can damage the system to such an extent that you will need to reinstall Linux to
get it working again.
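The two boxes above state that the first user can use sudo to gain root privileges and that the root account itself is locked. As an added example (mine, not the book's or Ubuntu's), the shell script below audits both facts the way an administrator would check them, reading /etc/group-style and /etc/shadow-style data. It assumes that sudo rights come from membership of the admin group (or the sudo group on later releases) and that a locked account has a password field beginning with "!" or "*"; it runs against constructed sample files rather than the live system, so it can be tried without root privileges.

```shell
#!/bin/sh
# Added example, not from the book: audit who holds root privileges on an
# Ubuntu system. It reads /etc/group-style and /etc/shadow-style data from
# files passed as arguments, so it runs here against constructed samples.
# Assumptions: sudo rights come from membership of the "admin" group
# (Ubuntu of this era) or the "sudo" group (later releases); a locked
# account has a password field beginning with "!" or "*".

# Write a constructed /etc/group sample (not a real system file) to $1.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
adm:x:4:sam
sudo:x:27:
admin:x:115:sam,max
audio:x:29:sam,zach
EOF
}

# Write a constructed /etc/shadow sample to $1. The hash for sam is a
# placeholder, not a real password hash.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:!:15000:0:99999:7:::
sam:$6$placeholder$placeholderhash:15000:0:99999:7:::
max:*:15000:0:99999:7:::
EOF
}

# group_members GROUPFILE GROUP
# Print the comma-separated member list of GROUP (empty if none).
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# can_administer GROUPFILE USER
# Succeed when USER is listed in the admin or sudo group. Primary group
# membership (the gid field of /etc/passwd) is deliberately not consulted.
can_administer() {
    for _g in admin sudo; do
        case ",$(group_members "$1" "$_g")," in
            *",$2,"*) return 0 ;;
        esac
    done
    return 1
}

# account_locked SHADOWFILE USER
# Succeed when USER's password field starts with "!" or "*": no password
# can unlock the account, which is how the installer leaves root.
account_locked() {
    _field=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    case "$_field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sample: build the samples, print the findings, clean up.
audit_sample() {
    _gf=$(mktemp); _sf=$(mktemp)
    write_sample_group "$_gf"; write_sample_shadow "$_sf"
    for _g in admin sudo; do
        echo "members of group $_g: $(group_members "$_gf" "$_g")"
    done
    for _u in root sam max zach; do
        if can_administer "$_gf" "$_u"; then
            echo "$_u: can run commands with root privileges via sudo"
        fi
    done
    if account_locked "$_sf" root; then
        echo "root: account is locked (direct root login disabled)"
    fi
    rm -f "$_gf" "$_sf"
}

audit_sample
```

To run the same checks on a real system, pass /etc/group and /etc/shadow to the functions instead of the samples; reading /etc/shadow itself requires root privileges, which is exactly the kind of task the caution box says to finish quickly and then drop.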

A TOUR OF THE UBUNTU DESKTOP
This section presents new words (for some readers) in a context that explains the
terms well enough to get you started with the Linux desktop. If you would like
exact definitions as you read this section, refer to "GNOME Desktop Terminology"
on page 117 and to the Glossary. The Glossary also describes the data entry widgets
(page 1180), such as the combo box (page 1141), drop-down list (page 1146), list
box (page 1157), and text box (page 1176).
GNOME

GNOME (www.gnome.org), a product of the GNU project (page 5), is the user-friendly default desktop manager under Ubuntu. KDE, the K Desktop Environment,
is a powerful desktop manager and complete set of tools you can use in place of
GNOME (www.kde.org/community/whatiskde). The version of Ubuntu that runs
KDE is named Kubuntu.
This tour describes GNOME, a full-featured, mature desktop environment that
boasts a rich assortment of configurable tools. After discussing logging in, this
section covers desktop features—including panels, objects, and workspaces—
and explains how to move easily from one workspace to another. It describes
several ways to launch objects (run programs) from the desktop, how to set up
the desktop to meet your needs and please your senses, and how to manipulate
windows. As the tour continues, it explains how to work with files and folders
using the Nautilus File Browser window, one of the most important GNOME
tools. The tour concludes with a discussion of the Update Manager, the tool
that allows you to keep a system up-to-date with the click of a button; getting
help; and logging out.

Figure 4-1

The Ubuntu GNOME Login screen

LOGGING IN ON THE SYSTEM
When you boot a standard Ubuntu system, GDM (GNOME display manager)
displays a Login screen (Figure 4-1) on the system console. In the middle of the
screen is a window that holds a list of names. When you click a name, Ubuntu
displays a text box labeled Password. In addition, in the panel at the bottom of
the screen, Ubuntu displays icons that allow you to work in a different language,
select a different keyboard layout, change your accessibility preferences (e.g.,
make the text larger and easier to read), and restart or shut down the system. For
more information refer to "The Login Screen" on page 145.
To log in, click your name. A text box labeled Password appears. Enter your
password and press RETURN. If Ubuntu displays an error message, try clicking your
name and entering your password again. Make sure the CAPS LOCK key is not on
(Ubuntu displays a message if it is) because the routine that verifies your entries
is case sensitive. See page 146 if you need help with logging in and page 148 if
you want to change your password. The system takes a moment to set things up
and then displays a workspace (Figure 4-2).

INTRODUCTION
You can use the desktop as is or you can customize it until it looks and functions
nothing like the initial desktop. If you have a computer of your own, you may want
to add a user (page 594) and work as that user while you experiment with the desktop. When you figure out which features you like, you can log in as yourself and
implement those features. That way you need not concern yourself with "ruining"
your desktop and not being able to get it back to a satisfactory configuration.

Figure 4-2 The initial workspace (callouts: Main menu, Firefox Web browser, NetworkManager, Sound Indicator, Clock, Session Indicator, Workspace Switcher, Show Desktop, Bottom panel)

Panels and objects

When you log in, GNOME displays a workspace that includes Top and Bottom
panels (bars) that are essential to getting your work done easily and efficiently
(Figure 4-2). Each of the panels holds several icons and words called objects. (Buttons, applets, and menus, for example, are all types of objects.) When you click an
object, something happens.
A panel does not allow you to do anything you could not do otherwise, but rather
collects objects in one place and makes your work with the system easier. Because
the panels are easy to configure, you can set them up to hold those tools you use frequently. You can create additional panels to hold different groups of tools.

Workspaces and
the desktop

What you see displayed on the screen is a workspace. Initially Ubuntu configures
GNOME with four workspaces. The desktop, which is not displayed all at once, is
the collection of all workspaces. "Switching Workspaces" on page 104 describes
some of the things you can do with workspaces.

Do not remove objects or panels yet
caution You can add and remove panels and objects as you please. Until you are comfortable working with
the desktop and have finished reading this section, however, it is best not to remove any panels
or objects from the desktop.

Click and right-click
tip This book uses the term click when you need to click the left mouse button. It uses the term right-click when you need to click the right mouse button. See page 105 for instructions on adapting
the mouse for left-handed use.

Figure 4-3 Main menu: Applications⇒Accessories⇒Terminal

LAUNCHING PROGRAMS FROM THE DESKTOP
This section describes three of the many ways you can start a program running from
the desktop.
Click an object

The effect of clicking an object depends on what the object is designed to do. Clicking an object may, for example, start a program, display a menu or a folder, or open
a file, a window, or a dialog box.
For example, to start the Firefox Web browser, (left-) click the Firefox object (the
blue and orange globe on the Top panel; see Figure 4-2. GNOME opens a window
running Firefox. When you are done using Firefox, click the small x at the left end
of the titlebar at the top of the window. GNOME closes the window.
When you (left-) click the date and time near the right end of the Top panel, the
Clock applet displays a calendar for the current month. (If you double-click a date
on the calendar, the object opens the Evolution calendar to the date you
clicked—but first you have to set up Evolution.) Click the date and time again to
close the calendar.

Select f r o m the
Main menu

The second way to start a program is by selecting it from a menu. The Main menu
is the object at the left end of the Top panel that includes the words Applications,
Places, and System. Click one of these words to display the corresponding menu.
Each menu selection that holds a submenu displays a triangle (pointing to the right)
to the right of the name of the menu (Figure 4-3). When you move the mouse
pointer over one of these selections and leave it there for a moment (this action is
called hovering), the menu displays the submenu. When you allow the mouse cursor
to hover over one of the submenu selections, GNOME displays a tooltip
(page 118).

Figure 4-4 The Run Application window

Experiment with the Main menu. Start Sudoku (Main menu: Applications⇒
Games⇒Sudoku), a terminal emulator (Main menu: Applications⇒Accessories⇒
Terminal), and other programs from the Applications menu. The Places and System
menus are discussed on page 122.
Use the Run Application window

You can also start a program by pressing ALT-F2 to display the Run Application window
(Figure 4-4). As you start to type firefox in the text box at the top of the window, for
example, the window recognizes what you are typing and displays the Firefox logo
and the rest of the word firefox. Click Run to start Firefox.

optional
Running textual applications

You can run command-line utilities, which are textual (not graphical), from the Run
Applications window. When you run a textual utility from this window, you must
put a tick in the check box labeled Run in terminal (click the check box to put a tick
in it; click it again to remove the tick). The tick tells GNOME to run the command
in a terminal emulator window. When the utility finishes running, GNOME closes
the window.
For example, type vim.tiny (the name of a text-based editor) in the text box, put a tick
in the check box labeled Run in terminal, and click Run. GNOME opens a Terminal
(emulator) window and runs the vim text editor in that window. When you exit from
vim (press ESCAPE:q!RETURN sequentially to do so), GNOME closes the Terminal window.
You can run a command-line utility that only displays output and then terminates.
Because the window closes as soon as the utility is finished running, and because
most utilities run quickly, you will probably not see the output. Type the following
command in the text box to run the df (disk free; page 774) utility and keep the window open until you press RETURN (remember to put a tick in the check box labeled
Run in terminal):
bash -c "df -h ; read"
This command starts a bash shell (Chapter 7) that executes the command line following the -c option. The command line holds two commands separated by a semicolon.
The second command, read (page 1003), waits for you to press RETURN before terminating. Thus the output from the df -h command remains on the screen until you press
RETURN. Replace read with sleep 10 to have the window remain open for ten seconds.
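The bash -c "df -h ; read" command line has one property worth knowing when you wrap other utilities the same way: the exit status of a semicolon-separated list is that of its last command, so a failing df is reported as the success of read. As an added example (mine, not from the book), the shell function below packages the same pattern so the command's own exit status survives, and accepts either the key-press hold the book uses or a sleep timeout; df_and_wait is the book's command line expressed with it.

```shell
#!/bin/sh
# Added example, not from the book: run a textual utility and keep the
# terminal window open afterwards, the way the book's
#   bash -c "df -h ; read"
# does from the Run Application window, but without losing the utility's
# exit status. In "df -h ; read" the list's status is that of read, so a
# failing df is invisible to whatever launched the shell.

# hold_open HOLD COMMAND [ARG...]
# Run COMMAND, then hold the window open. HOLD is "key" (wait for RETURN,
# like "; read") or a number of seconds (like "; sleep 10").
# Returns COMMAND's exit status.
hold_open() {
    _hold=$1; shift
    # errexit (set -e) would abort before the status can be captured, so
    # switch it off around the command and restore it afterwards.
    _errexit=; case $- in *e*) _errexit=1 ;; esac
    set +e
    "$@"
    _status=$?
    if [ -n "$_errexit" ]; then set -e; fi
    if [ "$_hold" = key ]; then
        printf 'Press RETURN to close this window... '
        read -r _ignored
    else
        sleep "$_hold"
    fi
    return "$_status"
}

# The book's command line, expressed with hold_open: show free disk space
# and wait for RETURN before the window closes.
df_and_wait() {
    hold_open key df -h
}
```

In the Run Application window you would type bash -c ". path/to/this/file; df_and_wait" with Run in terminal ticked; the returned status is what a calling script or launcher sees when the window closes.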


SWITCHING WORKSPACES
Workspace Switcher

Each rectangle in the Workspace Switcher applet (or just Switcher)—the group of
rectangles near the right end of the Bottom panel—represents a workspace
(Figure 4-2, page 101). When you click a rectangle, the Switcher displays the corresponding workspace and highlights the rectangle to indicate which workspace is
displayed. You can also press CONTROL-ALT-RIGHT ARROW to display the workspace to the
right of the current workspace; pressing CONTROL-ALT-LEFT ARROW works in the opposite
direction.
Click the rightmost rectangle in the Switcher (not the Trash applet to its right) and
then select Main menu: System⇒Preferences⇒Mouse. GNOME opens the Mouse
Preferences window. The Switcher rectangle that corresponds to the workspace you
are working in displays a small rectangle. This rectangle corresponds in size and location within the Switcher rectangle to the window within the workspace. Click and
hold the left mouse button with the mouse pointer on the titlebar at the top of the
window and drag the window to the edge of the desktop. The small rectangle within
the Switcher moves to the corresponding location within the Switcher rectangle.
Now click a different rectangle in the Switcher and open another application—for
example, the Ubuntu Help Center (click the blue question mark on the Top panel).
With the Ubuntu Help Center window in one workspace and the Mouse Preferences
window in another, you can click the corresponding rectangles in the Switcher to
switch back and forth between the workspaces (and applications).
You can move a window from one workspace to another by right-clicking the Window List applet (page 121) on the Bottom panel and selecting one of the choices
that starts with Move.

Right-click to display an Object context menu
tip A context menu is one that is appropriate to its context. When you right-click an object, it displays
an Object context menu. Each object displays its own context menu, although similar objects have
similar context menus. Most Object context menus have either a Preferences or Properties selection. See the following section, "Setting Personal Preferences," and page 126 for more information on Object context menus.

SETTING PERSONAL PREFERENCES
You can set preferences for many objects on the desktop, including those on the panels.
Workspace Switcher

To display the Workspace Switcher Preferences window (Figure 4-5), first right-click anywhere on the Switcher to display the Switcher menu and then select Preferences. (The window looks different when visual effects [page 115] are enabled.)
Specify the number of workspaces you want in the spin box labeled Number of
workspaces. The number of workspaces the Switcher displays changes as you
change the number in the spin box—you can see the result of your actions before
you close the Preferences window. Four workspaces is typically a good number to
start with. Click Close.

Figure 4-5 The Workspace Switcher Preferences window

Clock applet

The Clock applet has an interesting Preferences window. Right-click the Clock
applet (Figure 4-2, page 101) and select Preferences. GNOME displays the General
tab of the Clock Preferences window. This tab enables you to customize the date
and time displayed on the Top panel. The clock immediately reflects the changes
you make in this window. Click the Locations tab and then the Add button and
enter the name of the city you are in or near to cause the Clock applet to display
weather information.
Different objects display different Preferences windows. In contrast, objects that
launch programs display Properties windows and do not have Preferences windows.
Experiment with different Preferences and Properties windows and see what happens.

MOUSE PREFERENCES
The Mouse Preferences window (Figure 4-6, next page) enables you to change the
characteristics of the mouse to suit your needs. To display this window, select Main
menu: System⇒Preferences⇒Mouse or give the command gnome-mouse-properties
from a terminal emulator or Run Application window (ALT-F2). The Mouse Preferences
window has two tabs: General and Accessibility (and a third, Touchpad, on a laptop).
Left-handed mouse

Click the General tab. To change the orientation of the mouse buttons for use by a
left-handed person, click the radio button labeled Left-handed. If you change the
setup of the mouse buttons, remember to reinterpret the descriptions in this book
accordingly. That is, when this book asks you to click the left button or does not
specify a button to click, click the right button, and vice versa. See "Remapping
Mouse Buttons" on page 274 for information on changing the orientation of the
mouse buttons from the command line.

Figure 4-6 The Mouse Preferences window, General tab

Double-click timeout

Use the Double-Click Timeout slider to change the speed with which you must
double-click a mouse button to have the system recognize your action as a double-click rather than as two single clicks. You can also control the acceleration and
sensitivity of the mouse. The Drag and Drop Threshold specifies how far you
must drag an object before the system considers the action to be the drag part of a
drag-and-drop operation.
You can control different aspects of mouse clicks from the Accessibility tab.

WORKING WITH WINDOWS
To resize a window, position the mouse pointer over an edge of the window; the
pointer turns into an arrow pointing to a line. When the pointer is an arrow pointing to a line, you can click and drag the side of a window. When you position the
mouse pointer over a corner of the window, you can resize both the height and the
width of the window simultaneously.
To move a window, click and drag the titlebar (the bar across the top of the window
with the name of the window in it). Alternatively, when you hold the ALT key down
you can move a window by clicking and dragging any part of the window. For fun,
try moving the window past either side of the workspace. What happens? The result
depends on how visual effects (page 115) is set.
Titlebar

At the left of the titlebar are three icons that control the window (Figure 4-17,
page 123). Clicking the down arrow, which usually appears in the middle of the set
of icons, minimizes (iconifies) the window so that the only indication of the window
is the object with the window's name in it on the Bottom panel (a Window List
applet; page 121). Click the Window List applet to toggle the window between visible and minimized. Clicking the up arrow icon, which usually appears at the right
end of the three icons, maximizes the window (displays the window at its maximum
size) and changes the up arrow to a rectangle. Clicking the rectangle returns the
window to its normal size. Double-clicking the titlebar toggles the window between
its normal and maximum size.
Terminating a
program

Clicking the x closes the window and usually terminates the program running in the
window. In some cases you may need to click several times. Some programs,
such as Rhythmbox Music Player, do not terminate, but rather continue to run in
the background. When in this state, the program displays an icon on the Top
panel. Click the icon and select Quit from the drop-down list to terminate the
program.

USING NAUTILUS TO WORK WITH FILES
Nautilus, the GNOME file manager, is a simple, powerful file manager. You can
use it to create, open, view, move, and copy files and folders as well as to execute
programs and scripts. One of its most basic and important functions is to create
and manage the desktop. This section introduces Nautilus and demonstrates the
correspondence between Nautilus and the desktop. See page 276 for more detailed
information on Nautilus.
Terms: folder and directory

Nautilus displays the File Browser window, which displays the contents of a folder.
The terms folder and directory are synonymous; "folder" is frequently used in
graphical contexts, whereas "directory" may be used in textual or command-line
contexts. This book uses these terms interchangeably.

Term: File Browser

This book sometimes uses the terms File Browser window and File Browser when
referring to the Nautilus File Browser window.

Opening Nautilus

Select Main menu: Places⇒Home Folder to open a Nautilus File Browser window
that shows the files in your home folder.
Double-clicking an object in a File Browser window has the same effect as double-clicking an object on the desktop: Nautilus takes an action appropriate to the
object. For example, when you double-click a text file, Nautilus opens the file with
a text editor. When you double-click an OpenOffice.org document, Nautilus opens
the file with OpenOffice.org. If the file is executable, Nautilus runs it. If the file is a
folder, Nautilus opens the folder and displays its contents in place of what had previously appeared in the window.
From within a Nautilus File Browser window, you can open a folder in a new tab.
To do so, middle-click the folder or right-click the folder and select Open in New
Tab from the drop-down list; Nautilus displays a new tab named for the folder you
clicked. Click the tab to display contents of the directory.

Figure 4-7 The Nautilus Spatial view (left) and File Browser window (right)

THE TWO FACES OF NAUTILUS
The appearance of Nautilus differs depending on how it is set up: It can display a
Spatial view or a File Browser window. Figure 4-7 shows an example of each type
of display. By default, Ubuntu displays browser windows. See page 282 for information on the Spatial view.

THE Desktop DIRECTORY

The files on the desktop are held in a directory that has a pathname (page 205) of
/home/username/Desktop, where username is your login name or, if you are logged
in on a live session, ubuntu. The simple directory name is Desktop. When you select
Main menu: Places⇒Desktop, GNOME opens a File Browser window showing the
files on the desktop (Figure 4-8). Initially there are no files. The buttons below the
toolbar and to the right of Places show the pathname of the directory Nautilus is
displaying (/sam/Desktop in Figure 4-8).
To see the correspondence between the graphical desktop and the Desktop directory, right-click anywhere within the large clear area of the Desktop File Browser
window. Select Create Document⇒Empty File. Nautilus creates a new file on the
desktop and displays its object in this window. When you create this file, GNOME
highlights the name new file under the file: You can type any name you like at this
point. Press RETURN when you are finished entering the name. If you double-click the
new file, Nautilus assumes it is a text file and opens the file in a gedit window. (The
gedit utility is a simple text editor.) Type some text and click Save on the toolbar.
Close the window either by using the File menu or by clicking the x at the left end of
the titlebar. You have created a text document on the desktop. You can now double-click the document object on the desktop or in the File Browser window to open
and edit it.
Next, create a folder by right-clicking the root window (any empty part of the
workspace) and selecting Create Folder. You can name this folder in the same way

A TOUR OF THE UBUNTU DESKTOP

109

Figure 4-8

Part of a workspace with a Nautilus File Browser window

you named the file you created previously. The folder object appears on the desktop
and within the Desktop File Browser window.
On the desktop, drag the file until it is over the folder; the folder opens. Release the
mouse button to drop the file into the folder; GNOME moves the file to the folder.
Again on the desktop, double-click the folder you just moved the file to. GNOME
opens another File Browser window, this one displaying the contents of the folder.
The file you moved to the folder appears in the new window. Now drag the file from
the window to the previously opened Desktop File Browser window. The file is back
on the desktop, although it may be hidden by one of the File Browser windows.
Next, open a word processing document by selecting Main menu: Applications⇒
Office⇒OpenOffice.org Word Processor. Type some text and click the Save icon
(the arrow pointing down to a hard disk drive) or select menubar: File⇒Save to
save the document. OpenOffice.org displays a Save window (Figure 4-9, next page).
Type the name you want to save the document as (use memo for now) in the text
box labeled Name. You can specify the directory in which you want to save the document in one of two ways: by using the drop-down list labeled Save in folder or by
using the Browse for other folders section of the Save window.
Click the plus sign (+) to the left of Browse for other folders to open this section of
the window. When you open this section, the plus sign changes to a minus sign (-);
click the minus sign to close this section. Figure 4-9 shows the Save window with
this section closed. With the Browse for other folders section closed, you can select
a directory from the drop-down list labeled Save in folder. This technique is quick
and easy, but presents a limited number of choices of folders. By default, it saves the
document in Documents (/home/username/Documents). If you want to save the
document to the desktop, click Desktop in this drop-down list and then click Save.
OpenOffice.org saves the document with a filename extension of .odt, which indicates it is an OpenOffice.org word processing document. The object for this type of
file has some text and a stripe or picture in it.

110

CHAPTER 4

INTRODUCTION TO UBUNTU LINUX

Figure 4-9

The Save window

optional
Browse/Save window

With the Browse for other folders section opened (click the plus sign [+] to the left
of Browse for other folders), the Save window grays out the drop-down list labeled
Save in folder and expands the Browse for other folders section, as shown in
Figure 4-10. This expanded section holds two large side-by-side list boxes: Places
and Name. The list box labeled Places displays directories and locations on the system, including File System. The list box labeled Name lists the files within the
directory highlighted in Places.
The Browse for other folders section of the Save window allows you to look through
the filesystem and select a directory or file. GNOME utilities and many applications
use this window, although sometimes applications call it a Browse window. In this
example, the word processor calls it a Save window and uses it to locate the directory where the document will be saved.

Figure 4-10

The Save window with Browse for other folders open

Assume you want to save a file in the /tmp directory. Click File System in the list
box on the left. The list box on the right displays the files and directories in the root
directory (represented by /; see "Absolute Pathnames" on page 205 for more information). Next, double-click tmp in the list box on the right. The buttons above the
list box on the left change to reflect the directory displayed in the list box on the
right. Click Save.
The buttons above the left-side list box represent directories. The right-side list box
displays the directories found within the directory named in the highlighted (darker)
button. This directory is the one you would save the file to if you clicked Save at
this point. Click one of these buttons to display the corresponding directory in the
list box on the right and then click Save to save the file in that directory.
When you have finished editing the document, close the window. If you have made
any changes since you last saved it, the word processor asks if you want to save the
document. If you choose to save it, the word processor saves the revised version
over (in the same file as) the version you saved previously. Now the memo.odt
object appears on the desktop and in the Desktop File Browser window. Double-click either object to open it.

The Desktop directory is special

In summary, the Desktop directory is like any other directory, except that GNOME
displays its contents on the desktop (in every workspace). It is as though the desktop is a large, plain Desktop File Browser window. You can work with the Desktop
directory because it is always displayed. Within the GUI, you must use a utility, such
as Nautilus, to display and work with the contents of any other directory.

SELECTING OBJECTS
The same techniques can be used to select one or more objects in a File Browser
window or on the desktop. Select an object by clicking it once; GNOME highlights
the object. Select additional objects by holding down the CONTROL key while you click
each object. To select a group of adjacent objects, highlight the first object and then,
while holding down the SHIFT key, click the last object; GNOME highlights all objects
between the two objects you clicked. Alternatively, you can use the mouse pointer
to drag a box around a group of objects.
To experiment with these techniques, open a File Browser window displaying your
home folder. Display the Examples folder by double-clicking it. Select a few objects,
right-click, and select Copy. Now move the mouse pointer over an empty part of the
desktop, right-click, and select Paste. You have copied the selected objects from the
Examples folder to the desktop. You can drag and drop objects to move them.

EMPTYING THE TRASH
Selecting Move to Trash from an object's context menu moves the selected (highlighted) object to the Trash directory. Because files in the trash take up space on the
hard disk (just as any files do), it is a good idea to remove them periodically. All File
Browser windows allow you to permanently delete all files in the Trash directory by
selecting File Browser menubar: File⇒Empty Trash. To view the files in the trash,
click the Trash applet at the right end of the Bottom panel (Figure 4-2, page 101);
Nautilus displays the Trash File Browser window. Select Empty Trash from the
Trash applet context menu to permanently remove all files from the trash. (This
selection does not appear if there are no files in the trash.) Alternatively, you can
right-click an object in the Trash File Browser window and select Delete Permanently to remove only that object (file) or you can select Restore to move the file
back to its original location. You can drag and drop files to and from the trash just
as you can with any other folder.

Figure 4-11

The Update Manager window

THE UPDATE MANAGER
On systems connected to the Internet, Ubuntu notifies you when software updates
are available by opening the Update Manager window (Figure 4-11). You can open
this window manually by selecting Main menu: System⇒Administration⇒Update
Manager or by giving the command update-manager from a terminal emulator or
Run Application window (ALT-F2).

When the Update Manager window opens, it displays the message Starting Update
Manager; after a moment it displays the number of available updates. If no updates
are available, the window displays the message Your system is up-to-date. If you
have reason to believe the system is not aware of available updates, click Check.
The update-manager asks for your password, reloads its database, and checks for
updates again.
If updates are available, click Install Updates. The Update Manager asks for your
password, displays the Downloading Package Files window, and counts the packages as it downloads them. Next the Update Manager displays the Applying
Changes window with the message Installing software and describes the steps it is
taking to install the packages. When it is finished, the Update Manager displays the
message Your system is up-to-date. Click Close. If the updates require you to reboot
the system, the Update Manager asks if you want to restart the system now or later.
Selecting now restarts the system immediately. Selecting later closes the Update
Manager window and turns the Session Indicator applet (Figure 4-2, page 101) red.
Click this applet and select Restart Required from the drop-down list as soon as you
are ready to reboot the system. For more information refer to "Updating, Installing,
and Removing Software Packages" on page 131.

CHANGING APPEARANCE (THEMES)
One of the most exciting aspects of a Linux desktop is the flexibility it offers in
allowing you to change its appearance. You can change not only the backgrounds,
but also window borders (including the titlebar), icons, the buttons used by applications, and more. To see some examples of what you can do, visit art.gnome.org.
Themes

In a GUI, a theme is a recurring pattern and overall look that (ideally) pleases the
eye and is easy to interpret and use. You can work with desktop themes at several
levels. The first and easiest choice is to leave well enough alone. Ubuntu comes with
a good-looking theme named Ambiance. If you are not interested in changing the
way the desktop looks, continue with the next section.
The next choice, which is almost as easy, is to select one of the alternative themes
that comes with Ubuntu. You can also modify one of these themes, changing the
background, fonts, or interface. In addition, you can download themes from many
sites on the Internet and change them in the same ways.
The next level is customizing a theme, which changes the way the theme looks—for
example, changing the icons used by a theme. At an even higher level, you can
design and code your own theme. For more information see the tutorials at
art.gnome.org.

Appearance
Preferences window

The key to changing the appearance of the desktop is the Appearance Preferences
window. Display this window by choosing Main menu: System⇒Preferences⇒
Appearance or by right-clicking the root window (any empty area on a workspace)
and selecting Change Desktop Background.

Figure 4-12

The Appearance Preferences window, Theme tab

The Appearance Preferences window has four tabs:
• The Theme tab (Figure 4-12) enables you to select one of several themes.
Click a theme and the workspace immediately reflects the use of that
theme. Ambiance is the default Ubuntu theme; select this theme to make
the workspace appear as it did when you installed the system. Once you
select a theme, you can either click Close if you are satisfied with your
choice or click the other tabs to modify the theme.
• The Background tab enables you to specify a wallpaper or color for the
desktop background. To specify a wallpaper, click one of the samples in
the Wallpaper frame or click Add and choose a file—perhaps a picture—
you want to use as wallpaper. (Clicking Add displays the Add Wallpaper
window; see "Browse/Save window" on page 110 for instructions on
selecting a file using this window.) Then choose the style you want
GNOME to use to apply the wallpaper. For example, Zoom makes the
picture you chose fit the workspace.
You can also specify a color for the background: either solid or a gradient between two colors. To use a color, you must first select No Desktop
Background from the Wallpaper frame: Allow the mouse pointer to
hover over each of the wallpapers displayed in the Wallpaper frame until
you find one that displays the tooltip No Desktop Background. Select
that (non)wallpaper. (Initially the icon for this wallpaper appears at the
upper-left corner of the wallpaper icons.) Next select Solid color from the
drop-down list labeled Colors and click the colored box to the right of
this list. GNOME displays the Pick a Color window. Click a color you
like from the ring and adjust the color by dragging the little circle within
the triangle. Click OK when you are done. The color you chose becomes
the background color of the desktop. See page 285 for more information
on the Pick a Color window.
• The Fonts tab (Figure 8-8, page 284) enables you to specify which fonts
you want GNOME to use in different places on the desktop. You can also
change how GNOME renders the fonts (page 284).
Visual effects

• The Visual Effects tab enables you to select one of three levels of visual
effects: None, Normal, and Extra. The Normal and Extra effects replace
the Metacity window manager with Compiz Fusion (compiz.org), which
implements 3D desktop visual effects. (Compiz is the name of the core; the
plugins are called Compiz Fusion.) When you install Ubuntu, Ubuntu
determines what the hardware is capable of running and sets the proper
level of effects. One of the most dramatic visual effects is wiggly windows:
To see this effect, select Normal or Extra and drag a window around using
its titlebar. You can use the simple-ccsm (Compizconfig settings manager)
package to configure Compiz. If you experience problems with the system,
select None.

Visual effects can cause problems
caution Selecting Normal or Extra in the Visual Effects tab can cause unexpected graphical artifacts,
shorten battery life, reduce performance in 3D applications and video playback, and in some rare
cases cause the system to lock up. If you are having problems with an Ubuntu system, try selecting None in the Visual Effects tab and see if the problem goes away.
The changes you make in the Background, Fonts, and Visual Effects tabs are used
by any theme you select, including ones you customize. When you have finished
making changes in the Appearance Preferences window tabs, you can either click
Close to use the theme as you have modified it or return to the Theme tab to customize the theme.
Customizing a theme

From the Theme tab of the Appearance Preferences window, select the theme you
want to customize or continue with the theme you modified in the preceding sections. Click Customize to open the Customize Theme window. Go through each
tab in this window; choose entries and watch how each choice changes the workspace. Not all tabs work with all themes. When you are satisfied with the result,
click Close.
After you customize a theme, it is named Custom. When you customize another
theme, those changes overwrite the Custom theme. For this reason it is best to save
a customized theme by clicking Save As and specifying a unique name for the
theme. After you save a theme, it appears among the themes listed in the Theme tab.

SESSION MANAGEMENT
A session starts when you log in and ends when you log out or reset the session.
With fully GNOME-compliant applications, GNOME can manage sessions so the
desktop looks the same when you log in as it did when you saved a session or
logged out: The same windows will be positioned as they were on the same workspaces, and programs will be as you left them.
The Startup Applications Preferences window allows you to select which applications you want to run each time you log in. It also allows you to save automatically
those applications that were running and those windows that were open when you
logged out; they will start running when you log on again. To open the Startup
Applications Preferences window, select Main menu: System⇒Preferences⇒Startup
Applications or give the command gnome-session-properties from a terminal emulator or Run Application window (ALT-F2). You must give this command while logged
in as yourself (not while working with root privileges).
To save a session, first make sure you have only those windows open that you
want to appear the next time you log in. Then open the Startup Applications
Preferences window. Click the Options tab and then click Remember currently
running applications. The window displays Your session has been saved. Each time
you log in, the same windows will appear as when you clicked Remember currently running applications. If you want GNOME to remember what you were
doing each time you log off, put a tick in the check box labeled Automatically
remember running applications when logging out.

GETTING HELP
Ubuntu provides help in many forms. Clicking the question mark object on the Top
panel displays the Ubuntu Help Center window, which provides information about
Ubuntu. To display other information, click a topic in the list on the left side of this
window. You can also enter text to search for in the text box labeled Search and
press RETURN. In addition, most windows provide a Help object or menu. See "Where
to Find Documentation" on page 136 for more resources.

FEEL FREE TO EXPERIMENT
Try selecting different items from the Main menu and see what you discover. Following are some applications you may want to explore:
• The gedit text editor is a simple text editor. Select Main menu: Applications⇒
Accessories⇒gedit Text Editor to access it.
• OpenOffice.org's Writer is a full-featured word processor that can import
and export Microsoft Word documents. Select Main menu: Applications⇒
Office⇒OpenOffice.org Word Processor. The Office menu also offers a
dictionary, presentation manager, and spreadsheet.

GETTING THE MOST OUT OF THE DESKTOP

117

• Firefox is a powerful, full-featured Web browser. Click the blue and
orange globe object on the Top panel to start Firefox. You can also select
Main menu: Applications⇒Internet⇒Firefox Web Browser.
• Empathy is a graphical IM (instant messaging) client that allows you to
chat on the Internet with people who are using IM clients such as AOL,
MSN, and Yahoo! To start Empathy, select Main menu: Applications⇒
Internet⇒Empathy IM Client.
The first time you start Empathy, it opens a window that says Welcome to
Empathy. Follow the instructions to access an existing IM account or open
a new one. Visit live.gnome.org/Empathy for more information.

LOGGING OUT
To log out, click the Session Indicator button (Figure 4-2, page 101) at the upper-right corner of the workspace. GNOME displays a drop-down list; select Log Out.
You can also choose to shut down or restart the system, among other options. From
a textual environment, press CONTROL-D or give the command exit in response to the
shell prompt.

GETTING THE MOST OUT OF THE DESKTOP
The GNOME desktop is a powerful tool with many features. This section covers
many aspects of its panels, the Main menu, windows, terminal emulation, and ways
to update, install, and remove software. Chapter 8 continues where this chapter
leaves off, discussing the X Window System, covering Nautilus in more detail, and
describing a few of the GNOME utilities.

GNOME DESKTOP TERMINOLOGY
The following terminology, which is taken from the GNOME Users Guide, establishes a foundation for discussing the GNOME desktop. Figure 4-2 on page 101
shows the initial Ubuntu GNOME desktop.
Desktop

The desktop comprises all aspects of the GNOME GUI. While you are working with
GNOME, you are working on the desktop. There is always exactly one desktop.

Panels

Panels are bars that appear on the desktop and hold (panel) objects. Initially there
are two panels: one along the top of the screen (the Top Edge panel, or just Top
panel) and one along the bottom (the Bottom Edge panel, or just Bottom panel).
You can add and remove panels. You can place panels at the top, bottom, and both
sides of the desktop, and you can stack more than one panel at any of these locations. The desktop can have no panels, one panel, or several panels. See the next
page for more information on panels.

Panel objects

Panel objects appear as words or icons on panels. You can click these objects to display menus, run applets, or launch programs. The five types of panel objects are
applets, launchers, buttons, menus, and drawers. See page 120 for more information on panel objects.

Windows

A graphical application typically displays a window and runs within that window.
At the top of most windows is a titlebar you can use to move, resize, and close the
window. The root window is the unoccupied area of the workspace and is frequently obscured. The desktop can have no windows, one window, or many windows. Although most windows have decorations (page 155), some, such as the
Logout window, do not.

Workspaces

Workspaces divide the desktop into one or more areas, with one such area filling
the screen at any given time. Initially there are four workspaces. Because panels and
objects on the desktop are features of the desktop, all workspaces display the same
panels and objects. By default, a window appears in a single workspace. The
Switcher (page 104) enables you to display any one of several workspaces.

Tooltips

Tooltips (Figure 4-2, page 101) are a minicontext help system that you activate by
moving the mouse pointer over a button, icon, window border, or applet (such as
those on a panel) and allowing it to hover there. When the mouse pointer hovers
over an object, GNOME displays a brief explanation of the object called a tooltip.

OPENING FILES
By default, you double-click an object to open it; alternatively, you can right-click
the object and select Open from the drop-down list. When you open a file,
GNOME figures out the appropriate tool to use by determining the file's MIME
(page 1160) type. GNOME associates each filename extension with a MIME type
and each MIME type with a program. Initially GNOME uses the filename extension to try to determine a file's MIME type. If it does not recognize the filename
extension, it examines the file's magic number (page 1158).
For example, when you open a file with a filename extension of ps, GNOME calls
the Evince document viewer, which displays the PostScript file in a readable format.
When you open a text file, GNOME uses gedit to display and allow you to edit the
file. When you open a directory, GNOME displays its contents in a File Browser
window. When you open an executable file such as Firefox, GNOME runs the executable. When GNOME uses the wrong tool to open a file, the tool generally issues
an error message. See "Open With" on page 130 for information on how to use a
tool other than the default tool to open a file.
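The extension-first, magic-number-second lookup described above, modelled as an added example (this is not GNOME's code; the extension table, the magic-number table and the sample files are all constructed for the example, and the real shared MIME database is far larger). The last sample shows why a defender may want the content check as well: when the extension is known, the name alone picks the tool.

```python
"""Simplified model of how GNOME picks a MIME type when a file is opened:
first by filename extension, then, if the extension is unknown, by the
file's magic number (its leading bytes). Tables and samples are constructed.
"""
import os
import tempfile

# Constructed subset of an extension -> MIME map (real table is much larger).
EXTENSION_MIME = {
    ".ps": "application/postscript",
    ".odt": "application/vnd.oasis.opendocument.text",
    ".txt": "text/plain",
    ".png": "image/png",
}

# Constructed subset of a magic-number table: (leading bytes, MIME type).
MAGIC_MIME = [
    (b"%!PS", "application/postscript"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\x7fELF", "application/x-executable"),
]


def mime_from_extension(path):
    """Step 1: look only at the filename extension (case-insensitive).
    Returns None when the extension is not recognized."""
    ext = os.path.splitext(path)[1].lower()
    return EXTENSION_MIME.get(ext)


def mime_from_magic(path, probe_len=16):
    """Step 2: look at the leading bytes of the file's content."""
    with open(path, "rb") as fh:
        head = fh.read(probe_len)
    for prefix, mime in MAGIC_MIME:
        if head.startswith(prefix):
            return mime
    # Fallback heuristic: decodable text with no NUL bytes counts as text.
    if head and b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"


def resolve_mime(path):
    """Extension first, magic number only if the extension is unknown.
    Returns (mime_type, step) so the caller can see which step decided."""
    mime = mime_from_extension(path)
    if mime is not None:
        return mime, "extension"
    return mime_from_magic(path), "magic"


def extension_content_mismatch(path):
    """Defender's check: True when the extension names one type but the
    content's magic number names a different, recognized type."""
    by_ext = mime_from_extension(path)
    if by_ext is None:
        return False
    by_magic = mime_from_magic(path)
    return by_magic != "application/octet-stream" and by_magic != by_ext


def demo():
    """Write constructed sample files to a temp dir and classify each one.
    Returns {name: (mime, step, mismatch)}."""
    samples = {
        "figure.ps": b"%!PS-Adobe-3.0\n%%Creator: constructed\n",
        "notes": b"plain text, no extension at all\n",
        "README.unknownext": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        # Known extension wins even though the content is an ELF binary:
        # by the rule above the name alone selects the tool (gedit here).
        "looks-like-text.txt": b"\x7fELF\x02\x01\x01\x00",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            mime, step = resolve_mime(path)
            results[name] = (mime, step, extension_content_mismatch(path))
    return results


if __name__ == "__main__":
    for name, (mime, step, mismatch) in demo().items():
        flag = "  <-- extension/content mismatch" if mismatch else ""
        print(f"{name:22} -> {mime:28} (by {step}){flag}")
```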

PANELS
As explained earlier, panels are the bars that initially appear at the top and bottom
of the desktop. They are part of the desktop, so they remain consistent across
workspaces.

Figure 4-13

The Add to Panel window

THE PANEL (CONTEXT) MENU
Right-clicking an empty part of a panel displays the Panel (Context) menu. Aside
from help and informational selections, this menu has four selections.
Add to Panel

Selecting Add to Panel displays the Add to Panel window (Figure 4-13). You can
drag an object from this window to a panel, giving you the choice of which panel
the object appears on. You can also highlight an object and click Add to add the
object to the panel whose menu you used to display this window. Many objects in
this window are whimsical: Try Eyes and select Bloodshot from its preferences window, or try Fish. One of the more useful objects is Search for Files. When you click
this object on the panel, it displays the Search for Files window (page 286).

Properties

Selecting Properties displays the Panel Properties window (Figure 4-14, next page).
This window has two tabs: General and Background.
In the General tab, Orientation selects which side of the desktop the panel appears
on. Size adjusts the width of the panel. Expand causes the panel to span the width
or height of the workspace—without a tick in this check box, the panel is centered
and just wide enough to hold its objects. Autohide causes the panel to disappear
until you bump the mouse pointer against the side of the workspace. Hide buttons
work differently from autohide: Show hide buttons displays buttons at each end
of the panel. When you click one of these buttons, the panel slides out of view,
leaving only a button remaining. When you click that button, the panel slides
back into place.

Figure 4-14

The Panel Properties window, General tab

If you want to see what stacked panels look like, use the Orientation drop-down list
to change the location of the panel you are working with. If you are working with
the Top panel, select Bottom, and vice versa. Like Preferences windows, Properties
windows lack Apply and Cancel buttons; they implement changes immediately. Use
the same procedure to put the panel back where it was.
The Background tab of the Panel Properties window enables you to specify a color
and transparency or an image for the panel. See "Pick a Color Window" on
page 285 for instructions on changing the color of the panel. Once you have
changed the color, move the slider labeled Style to make the color of the panel more
or less transparent. If you do not like the effect, click the radio button labeled None
(use system theme) to return the panel to its default appearance. Click Close.
Delete This Panel

Selecting Delete This Panel does what you might expect. Be careful with this selection: When it removes a panel, it removes all objects on the panel and you will need
to reconstruct the panel if you want it back as it was.

New Panel

Selecting New Panel adds a new panel to the desktop. GNOME decides where it
goes. You can then move the panel to somewhere else using the drop-down list
labeled Orientation in the General tab of the Panel Properties window for the new
panel.

PANEL OBJECTS
The icons and words on a panel, called panel objects, display menus, launch programs, and present information. The panel object with the blue and orange globe,
for example, starts Firefox. The Indicator applet (the envelope icon; Figure 4-2 on
page 101) can start Evolution (www.gnome.org/projects/evolution), an email and
calendaring application. The Session Indicator applet (Figure 4-2, page 101) can log
you out or shut down the system. You can start almost any utility or program on
the system using a panel object. This section describes the various types of panel
objects.

Figure 4-15

Window List applets

Applets

An applet is a small program that displays its user interface on or adjacent to the
panel. You interact with the applet using its Applet panel object. The Clock (date
and time) and Workspace Switcher (both shown in Figure 4-2 on page 101) are
applets.

Window List applet

Although not a distinct type of object, the Window List applet is a unique and
important tool. One Window List applet (Figure 4-15) appears on the Bottom panel
for each open or iconified window on the displayed workspace. Left-clicking this
object minimizes its window or restores the window if it is minimized. Right-click
this object to display the Window Operations menu (page 124). If a window is buried under other windows, click its Window List applet to make it visible.

Launchers

When you open a launcher, it can execute a command, start an application, display
the contents of a folder or file, open a URI in a Web browser, and so on. In addition
to appearing on panels, launchers can appear on the desktop. The Firefox object is a
launcher: It starts the Firefox application. Under Main menu: Applications, you can
find launchers that start other applications. Under Main menu: Places, the Home
Folder, Documents, Desktop, and Computer objects are launchers that open File
Browser windows to display folders.

Buttons

A button performs a single, simple action. The Sound button (Figure 4-2, page 101)
displays a volume control. The Show Desktop button, which may appear at the left
end of the Bottom panel, minimizes all windows on the workspace.

Menus

A menu displays a list of selections you can choose from. Some of the selections can
be submenus with more selections. All other selections are launchers. The next section discusses the Main menu.

Drawers

A drawer is an extension of a panel. You can put the same objects in a drawer that
you can put on a panel, including another drawer. When you click a drawer object,
the drawer opens; you can then click an object in the drawer the same way you click
an object on a panel.

THE PANEL OBJECT CONTEXT MENUS
Three selections are unique to Panel Object context menus (right-click a panel
object to display this menu). The Remove from Panel selection does just that. The
Move selection allows you to move the object within the panel and to other panels;
you can also move an object by dragging it with the middle mouse button. The
Lock to Panel selection locks the object in position so it cannot be moved. When
you move an object on a panel, it can move through other objects. If the other
object is not locked, it can displace the object if necessary. The Move selection is
grayed out when the object is locked.

THE MAIN MENU
The Main menu appears at the left end of the Top panel and includes Applications,
Places, and System. Click one of these words to display the corresponding menu.
Applications

The Applications menu holds several submenus, each named for a category of applications (e.g., Games, Graphics, Internet, Office—the list varies depending on the
software installed on the system). The last selection, Ubuntu Software Center, is discussed on page 132. Selections from the submenus launch applications—peruse
these selections, hovering over those you are unsure of to display the associated
tooltips.

Places

The Places menu holds a variety of launchers, most of which open a File Browser
window. The Home Folder, Desktop, and Documents objects display your directories with corresponding names. The Computer, CD/DVD Creator, and Network
objects display special locations. Each of these locations enables you to access file
manager functions. A special URI (page 1179) specifies each of these locations. For
example, the CD/DVD Creator selection displays the burn:/// URI, which enables
you to burn a CD or DVD. The Connect to Server selection opens a window that
allows you to connect to various types of servers, including SSH and FTP servers
(see "File" on page 280). Below these selections are mounted filesystems; click one
of them to display the top-level directory of that filesystem. The Search for Files
selection enables you to search for files (page 286).

System

The System menu holds two submenus as well as selections that provide support.
The two submenus are key to configuring your account and setting up and maintaining the system.
The Preferences submenu establishes the characteristics of your account; each user
can establish her own preferences. Click some of these selections to become familiar
with the various ways you can customize your account on an Ubuntu system.
The Administration submenu controls the way the system works. For example,
Administration ⇒ Printing (page 550) sets up and configures printers you can use
from the system and Administration ⇒ Software Sources (page 131) controls which
repositories you can download software from and how often the system checks for
updated software. Most of these selections require you to be a system administrator
and enter your password to make changes. These menu selections are discussed
throughout this book.

Copying launchers to a panel

You can copy any launcher from the Main menu to the Top panel or the desktop.
Instead of left-clicking the menu selection, right-click it. GNOME displays a dropdown list that enables you to add the launcher to the Top panel or desktop.

Figure 4-16 A typical window (callouts: Titlebar, Buttons, Toolbar, Scrollbar, Window contents)

WINDOWS
In a workspace, a window is a region that runs, or is controlled by, a particular program (Figure 4-16). Because you can control the look and feel of windows—even
the buttons they display—your windows may not look like the ones shown in this
book. Each window in a workspace has a Window List applet (page 121) on the
Bottom panel.
Titlebar

A titlebar (Figures 4-16 and 4-17) appears at the top of most windows and controls
the window it is attached to. You can change the appearance and function of a titlebar, but it will usually have at least the functionality of the buttons shown in
Figure 4-17.
The minimize (iconify) button collapses the window so that the only indication of
its presence is its Window List applet on the Bottom panel; click this applet to
restore the window. Click the maximize button to expand the window so that it
occupies the whole workspace; click the same button (now displaying a square in
place of the up arrow) on the titlebar of a maximized window to restore the window to its former size. You can also double-click the titlebar to maximize and
restore a window. Clicking the close button closes the window and usually terminates the program running in it. To reposition the window, left-click the titlebar and
drag the window to the desired location.

Figure 4-17 A window titlebar
Window Operations menu

The Window Operations menu contains operations that you most commonly need
to perform on any window. Right-click either the titlebar or the Window List applet
(page 121) to display this menu. You can use this menu to move a window to
another workspace, keep the window on top of or below other windows, and cause
the window to always be visible on the displayed workspace.

Toolbar

A toolbar (Figure 4-16) usually appears near the top of a window and contains
icons, text, applets, menus, and more. Many kinds of toolbars exist.
The titlebar is not a toolbar; rather, it is part of the window decorations placed
there by the window manager (page 155).

CHANGING THE INPUT FOCUS (WINDOW CYCLING)
The window with the input focus is the one that receives keyboard characters and
commands you type. In addition to using the Window List applet (page 121), you
can change which window on the displayed workspace has the input focus by using
the keyboard; this process is called window cycling. When you press ALT-TAB,
GNOME displays in the center of the workspace a box that holds icons representing the programs running in the windows in the workspace. It also shifts the input
focus to the window that was active just before the currently active window, making it easy to switch back and forth between two windows. When you hold ALT and
press TAB multiple times, the focus moves from window to window. Holding ALT and
SHIFT and repeatedly pressing TAB cycles in the other direction. See page 153 for more
information on the input focus.

CUTTING AND PASTING OBJECTS USING THE CLIPBOARD
There are two similar ways to cut/copy and paste objects and text on the desktop
and both within and between windows. In the first method, you use the clipboard,
technically called the copy buffer, to copy or move objects or text. To do so, you
explicitly copy an object or text to the buffer and then paste it somewhere else.
Applications that follow the user interface guidelines use CONTROL-X to cut, CONTROL-C to
copy, and CONTROL-V to paste. Application context menus frequently provide these
same options.
You may not be familiar with the second method to copy and paste text—using the
selection or primary buffer, which always contains the text you most recently selected
(highlighted). You cannot use this method to copy objects. Clicking the middle mouse
button (click the scroll wheel on a mouse that has one) pastes the contents of the
selection buffer at the location of the mouse pointer. If you are using a two-button
mouse, click both buttons at the same time to simulate clicking the middle button.
With both these techniques, start by highlighting an object or text to select it. You
can drag a box around multiple objects to select them or drag the mouse pointer
over text to select it. Double-click to select a word or triple-click to select a line or a
paragraph.
Next, to use the clipboard, explicitly copy (CONTROL-C) or cut (CONTROL-X) the objects or
text. If you want to use the selection buffer, skip this step.
To paste the selected objects or text, position the mouse pointer where you want to
put it and then either press CONTROL-V (clipboard method) or press the middle mouse
button (selection buffer method).
Use SHIFT-CONTROL-C and SHIFT-CONTROL-V within a terminal emulator
tip The CONTROL-C, CONTROL-X, and CONTROL-V characters do not work in a terminal emulator window
because the shell running in the window intercepts them before the terminal emulator can receive
them. However, you can use SHIFT-CONTROL-C and SHIFT-CONTROL-V, respectively, in their place. There
is no keyboard shortcut for CONTROL-X. You can also use the selection buffer in this environment
or use copy/paste from the Edit selection on the menubar or from the context menu (right-click).
When using the clipboard, you can give as many commands as you like between the
CONTROL-C or CONTROL-X and CONTROL-V, as long as you do not press CONTROL-C or CONTROL-X
again. When using the selection buffer, you can give other commands after selecting
text and before pasting it, as long as you do not select (highlight) other text.

USING THE ROOT WINDOW
The root window is any part of a workspace that is not occupied by a window,
panel, or object. It is the part of the workspace where you can see the background.
To view the root window when it is obscured, click the Show Desktop button at the
left end of the Bottom panel to minimize the windows in the workspace.
Desktop menu

Right-click the root window to display the Desktop menu, which enables you to
create a folder, launcher, or document. The Change Desktop Background selection
opens the Appearance Preferences window (page 113) to its Background tab.

RUNNING COMMANDS FROM A TERMINAL EMULATOR/SHELL
A terminal emulator is a window that presents a command-line interface (CLI); it
functions as a textual (character-based) terminal and is displayed in a graphical
environment.
To display the GNOME terminal emulator named Terminal (Figure 4-18, next page),
select Main menu: Applications ⇒ Accessories ⇒ Terminal or enter the command
gnome-terminal from a Run Application window (ALT-F2). Because you are already

Figure 4-18 (screenshot of the Terminal window; the figure shows ls and df -h output)

Administration ⇒
Software Sources (you will need to supply your password) or by giving the command
gksudo software-properties-gtk from a terminal emulator or Run Application window (ALT-F2). The Software Sources window has five tabs, which are discussed next.

Ubuntu Software

The Ubuntu Software tab controls which categories of packages (page 522) APT
(page 522) and synaptic install and the Update Manager updates automatically.
Typically all categories have ticks in their check boxes except for Source code.
Put a tick in this check box if you want to download source code. If the dropdown list labeled Download from does not specify a server near you, use the list
to specify one.
If the system does not have an Internet connection, put a tick in one of the
check boxes in the frame labeled Installable from CD-ROM/DVD; APT will then
install software from that source. If you do have an Internet connection,
remove the tick from that check box. You can specify a new CD/DVD in the
Other Software tab.

Add only repositories you know to be trustworthy
security Adding software from sources other than the official Ubuntu repositories can cause the system to
not work properly and cause updates to fail. Even worse, it can make the system vulnerable to
attack.
The package installation process runs with root privileges. Regard adding a repository as giving
the person in control of that repository the sudo password. Do not add a third-party repository
unless you trust it implicitly.

Figure 4-22 The Software Sources window, Updates tab

Other Software

You can add, edit, and remove repositories from the Other Software tab. See the
adjacent security box concerning adding repositories. Unless you are working with
software that is not distributed by Ubuntu, you do not need to add any repositories.
To add a CD/DVD as a repository, click Add CD-ROM.
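The following POSIX shell script is an added example, not code from the book: it applies the rule in the security box to a sources.list-style configuration of the kind the Other Software tab edits, reporting every repository that is not on an official Ubuntu archive host and any entry whose options tell APT to trust it without a signature. The list of official hostnames and the sample entries (including the example.com and launchpad paths) are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit sources.list-style entries for
# third-party repositories and for entries that turn off signature checks.
# The official hostnames below are an assumption made for this example;
# country mirrors such as us.archive.ubuntu.com count as official too.
OFFICIAL_HOSTS="archive.ubuntu.com security.ubuntu.com ports.ubuntu.com"

# Constructed sample configuration (not taken from a real system).
SAMPLE_SOURCES='# constructed sample sources.list
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main
deb cdrom:[Ubuntu 10.04 LTS]/ lucid main restricted
deb http://ppa.launchpad.net/example/ppa/ubuntu lucid main
deb [arch=amd64 trusted=yes] http://repo.example.com/ubuntu lucid main'

# is_official_host HOST: succeeds when HOST is an official archive host or a
# subdomain (mirror) of one.
is_official_host() {
    for o in $OFFICIAL_HOSTS; do
        [ "$1" = "$o" ] && return 0
        case $1 in *."$o") return 0 ;; esac
    done
    return 1
}

# audit_sources: reads sources.list lines on stdin and prints
#   THIRD-PARTY <uri>  for a repository outside the official archives
#   UNSIGNED <uri>     for an entry whose options include trusted=yes,
#                      which makes APT accept unsigned packages from it
# Returns 1 if anything was reported, 0 if every entry is official and signed.
audit_sources() {
    flagged=0
    set -f                      # no globbing while splitting lines into words
    while IFS= read -r line; do
        line=${line%%#*}        # strip comments
        set -- $line
        [ $# -ge 3 ] || continue
        case $1 in deb|deb-src) shift ;; *) continue ;; esac
        opts=
        case $1 in \[*)         # collect "[opt=val ...]" (may span several words)
            while [ $# -gt 0 ]; do
                opts="$opts $1"; tok=$1; shift
                case $tok in *\]) break ;; esac
            done ;;
        esac
        [ $# -ge 1 ] || continue
        uri=$1
        case $uri in cdrom:*) continue ;; esac   # local CD/DVD source, skip
        host=${uri#*://}; host=${host%%/*}; host=${host%%:*}
        case $opts in *trusted=yes*) echo "UNSIGNED $uri"; flagged=1 ;; esac
        if ! is_official_host "$host"; then
            echo "THIRD-PARTY $uri"
            flagged=1
        fi
    done
    set +f
    return $flagged
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_SOURCES" | audit_sources; then
    echo "all repositories official and signed"
else
    echo "review the entries above before trusting this configuration"
fi
```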
Updates

The top part of the Updates tab (Figure 4-22) specifies which types of updates you
want the Update Manager to monitor. Typically you will want to monitor important security updates and recommended updates. In the middle section of this tab
you can specify if and how often the Update Manager will check for updates and
what to do when it finds updates. The drop-down list labeled Show new distribution releases allows you to specify whether you want the Update Manager to inform
you when you can upgrade the system to a new release of Ubuntu and whether you
are interested in all releases or just LTS (page 31) releases.

Authentication

The Authentication tab holds keys for trusted software providers. Ubuntu uses keys
to authenticate software, which protects the system against malicious software.
Typically Ubuntu provides these keys automatically.

Statistics

The Statistics tab allows you to participate in a software popularity contest.

THE UBUNTU SOFTWARE CENTER
You can use the Ubuntu Software Center window (Figure 4-23) to add and remove
applications from the system. It is simpler and has fewer selections than synaptic
(described next). Open this window by selecting Main menu: Applications ⇒
Ubuntu Software Center or by giving the command software-center from a terminal
emulator or Run Application window (ALT-F2).

Figure 4-23 The Add/Remove Applications window
When you select a category of applications from the window when you first open it,
the Ubuntu Software Center displays a list of applications in that category on the
right side of the window. If you know the name of the application you want to
install, you can query for it by entering the name or part of the name of the application in the text box at the upper-right corner of the window. The Ubuntu Software
Center displays a list of applications that satisfy your query.
Scroll through the applications displayed on the right side of the window. When you
click/highlight an application, the window displays two buttons: More Info and
Install. Click the first button to display information about the application. When
you click Install, the Ubuntu Software Center asks for your password and starts
downloading and installing the application. While it is working, you can search for
and select additional applications to install. When it is finished, the Ubuntu Software Center puts a green check mark next to the name of the package. Close the
window. Packages you installed should be available on the Main menu.

optional

synaptic: FINDS, INSTALLS, AND REMOVES SOFTWARE
This section describes how to use synaptic to find, download, install, and remove
software packages. Open the Synaptic Package Manager window by selecting
System ⇒ Administration ⇒ Synaptic Package Manager from the Main menu or by
giving the command gksudo synaptic from a terminal emulator or Run Application
window (ALT-F2). Figure 4-24 shows the initial window. The first time you run synaptic, it reminds you to reload package information regularly. You can do so by clicking Reload on the toolbar.

Figure 4-24 The Synaptic Package Manager window (callouts: Category list box, Handle button)
The Synaptic Package Manager window displays a lot of information. Maximizing
this window and widening the left column (by dragging the handle) may make it
easier to use. When the Sections button is highlighted in the left column, the top of
the left column holds a list box containing categories of software. Initially All is
selected in this list box, causing the window to display all software packages in the
list box at the top of the right column.
You can shorten the list of packages in the list box by searching for a package. To
do so, display the Find window by clicking Search on the toolbar. Enter the name or
part of the name of the package you are looking for in the text box labeled Search.
(Alternatively, you can search using the text box labeled Quick search on the main
Synaptic window.) For example, to display all packages related to exim4, enter
exim4 in the text box labeled Search and select Description and Name from the
drop-down list labeled Look in (Figure 4-25). Click Search. The Synaptic Package
Manager window displays the list of packages meeting the search criteria specified
in the list box at the top of the right column. When you click a package name in this
list, synaptic displays a description of the package in the frame below the list.

Figure 4-25 The Find window

Figure 4-26 The Synaptic Package Manager window displaying chess programs
The following example explains how to use synaptic to locate, download, and install
a chess program. With the Synaptic Package Manager window open, search for
chess. The synaptic utility displays a list of chess-related packages in the righthand
list box. Click several packages, one at a time, reading the descriptions in the frame
at the lower right of the window.
Assume you decide to install Dream Chess (the dreamchess package; see the
www.dreamchess.org Web site). When you click the check box to the left of dreamchess, synaptic displays a list of options. Because this package is not installed, all
selections except Mark for Installation are grayed out (Figure 4-26); click this selection. Because the dreamchess package is dependent on other packages that are not
installed, synaptic displays a window asking if you want to mark additional required
changes (Figure 4-27). This window lists the additional packages synaptic needs to
install so Dream Chess will run. Click Mark to mark the additional packages; these
packages are then highlighted in green.

Figure 4-27 Mark additional required changes screen

To apply the changes you have marked, click Apply on the toolbar; synaptic displays
a Summary window. (If you were installing and/or removing several packages, this
summary would be longer.) Click Apply. The synaptic utility keeps you informed of
its progress. When it is done, it displays the Changes applied window. Click Close
and then close the Synaptic Package Manager window. Now Dream Chess appears
on the Main menu: Applications ⇒ Games menu.

WHERE TO FIND DOCUMENTATION
Distributions of Linux, including Ubuntu, typically do not come with hardcopy reference manuals. However, its online documentation has always been one of Linux's
strengths. The man (or manual) and info pages have been available via the man and
info utilities since early releases of the operating system. Ubuntu provides a graphical help center. Not surprisingly, with the ongoing growth of Linux and the Internet,
the sources of documentation have expanded as well. This section discusses some of
the places you can look for information on Linux in general and on Ubuntu in particular. See also Appendix B.

UBUNTU HELP CENTER
To display the Ubuntu Help Center window (Figure 4-28), click the blue object
with a question mark in it on the Top panel or select Main menu: System ⇒ Help
and Support. Click topics in this window until you find the information you are
looking for. You can also search for a topic using the text box labeled Search.

man: DISPLAYS THE SYSTEM MANUAL
In addition to the graphical Ubuntu Help Center, the textual man utility displays
(man) pages from the system documentation. This documentation is helpful when
you know which utility you want to use but have forgotten exactly how to use it.
You can also refer to the man pages to get more information about specific topics or
to determine which features are available with Linux. Because the descriptions in
the system documentation are often terse, they are most helpful if you already
understand the basic functions of a utility.

Online man pages
tip The Ubuntu manpages.ubuntu.com site holds dynamically generated copies of man pages from
every package of every supported Ubuntu release. In addition to presenting man pages in easy-to-read HTML format, this site does not require you to install the package holding a utility to read
its man page. It also allows you to read man pages for a release you do not have installed.
Because man is a character-based utility, you need to open a terminal emulator window (page 125) to run it. You can also log in on a virtual terminal (page 149) and
run man from there.

Figure 4-28 The Ubuntu Help Center window

To find out more about a utility, give the command man, followed by the name of
the utility. Figure 4-29 shows man displaying information about itself; the user
entered a man man command.
Figure 4-29 The man utility displaying information about itself

less (pager)

The man utility automatically sends its output through a pager—usually less
(page 162), which displays one screen at a time. When you access a manual page in
this manner, less displays a prompt [e.g., Manual page man(1) line 1] at the bottom
of the screen after it displays each screen of text and waits for you to request
another screen of text by pressing the SPACE bar. You can also use the PAGEUP, PAGEDOWN,
UP ARROW, and DOWN ARROW keys to navigate the text. Pressing h (help) displays a list of
less commands. Pressing q (quit) stops less and causes the shell to display a prompt.
You can search for topics covered by man pages using the apropos utility (page 139).
Manual sections

Based on the FHS (Filesystem Hierarchy Standard; page 213), the Linux system
manual and the man pages are divided into ten sections, where each section
describes related tools:
1. User Commands
2. System Calls
3. Subroutines
4. Devices
5. File Formats
6. Games
7. Miscellaneous
8. System Administration
9. Kernel
10. New
This layout closely mimics the way the set of UNIX manuals has always been
divided. Unless you specify a manual section, man displays the earliest occurrence in
the manual of the word you specify on the command line. Most users find the information they need in sections 1, 6, and 7; programmers and system administrators
frequently need to consult the other sections.
In some cases the manual contains entries for different tools with the same name.
For example, the following command displays the man page for the passwd utility
from section 1 of the system manual:
$ man passwd

To see the man page for the passwd file from section 5, enter this command:
$ man 5 passwd

The preceding command instructs man to look only in section 5 for the man page. In
documentation you may see this man page referred to as passwd(5). Use the -a
option (see the adjacent tip) to view all man pages for a given subject (press qRETURN
to display each subsequent man page). For example, give the command man -a
passwd to view all man pages for passwd.


Options
tip

An option modifies the way a utility or command works. Options are usually specified as one or
more letters that are preceded by one or two hyphens. An option typically appears following the
name of the utility you are calling and a SPACE. Other arguments (page 1135) to the command follow the option and a SPACE. For more information refer to "Options" on page 239.

apropos: SEARCHES FOR A KEYWORD
When you do not know the name of the command required to carry out a particular
task, you can use apropos with a keyword to search for it. This utility searches for
the keyword in the short description line of all man pages and displays those that
contain a match. The man utility, when called with the -k (keyword) option, provides the same output as apropos.

The database apropos uses, named whatis, is not available on Ubuntu systems when
they are first installed, but is built automatically by crond (page 605) using mandb.
If apropos does not produce any output, give the command sudo mandb.
The following example shows the output of apropos when you call it with the who
keyword. The output includes the name of each command, the section of the manual that contains it, and the brief description from the man page. This list includes
the utility you need (who) and identifies other, related tools you might find useful:
$ apropos who
at.allow (5)         - determine who can submit jobs via at or batch
at.deny (5)          - determine who can submit jobs via at or batch
from (1)             - print names of those who have sent mail
w (1)                - Show who is logged on and what they are doing.
w.procps (1)         - Show who is logged on and what they are doing.
who (1)              - show who is logged on
whoami (1)           - print effective userid

whatis

The whatis utility is similar to apropos but finds only complete word matches for the
name of the utility:
$ whatis who
who (1)              - show who is logged on
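The following shell script is an added example, not from the book: it models the whatis database that apropos and whatis read and shows the three kinds of lookup this chapter describes, keyword matching (apropos, man -k), whole-name matching (whatis), and the per-section lookup behind man 5 passwd and man -a passwd. The database entries are constructed, and ordering sections numerically is a simplification of man's configured section search order.

```shell
#!/bin/sh
# Added example, not from the book: apropos-style, whatis-style and
# section lookups over a constructed whatis database. Entries are made up
# for this example; the format mirrors real apropos output:
#   name (section)  - one-line description
WHATIS_DB='at.allow (5)         - determine who can submit jobs via at or batch
at.deny (5)          - determine who can submit jobs via at or batch
from (1)             - print names of those who have sent mail
passwd (1)           - change user password
passwd (1ssl)        - compute password hashes
passwd (5)           - the password file
w (1)                - Show who is logged on and what they are doing.
who (1)              - show who is logged on
whoami (1)           - print effective userid'

# apropos_like KEYWORD: like apropos (and man -k), print every entry whose
# name or description contains KEYWORD; apropos matches case-insensitively.
apropos_like() {
    printf '%s\n' "$WHATIS_DB" | grep -i -- "$1"
}

# whatis_like NAME: like whatis, print only entries whose name is exactly NAME.
whatis_like() {
    printf '%s\n' "$WHATIS_DB" | awk -v name="$1" '$1 == name'
}

# man_sections NAME: the sections that hold a page for NAME, one per line.
# Sorting by section number is a simplification of man's configured section
# search order; the first line is the page plain "man NAME" would show, and
# "man -a NAME" walks the whole list.
man_sections() {
    printf '%s\n' "$WHATIS_DB" |
        awk -v name="$1" '$1 == name { s = $2; gsub(/[()]/, "", s); print s }' |
        sort
}

# man_reference NAME: documentation notation for the default page, e.g.
# passwd(1), in the style of the passwd(5) reference used in the text above.
# Fails when no page of that name exists.
man_reference() {
    sec=$(man_sections "$1" | head -n 1)
    [ -n "$sec" ] || return 1
    printf '%s(%s)\n' "$1" "$sec"
}

# Stand-alone run over the constructed database.
echo '$ apropos who';  apropos_like who
echo '$ whatis who';   whatis_like who
echo 'pages "man -a passwd" would show, in order:'
for s in $(man_sections passwd); do echo "  passwd($s)"; done
```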

info: DISPLAYS INFORMATION ABOUT UTILITIES
The textual info utility is a menu-based hypertext system developed by the GNU
project (page 4) and distributed with Ubuntu. It includes a tutorial on itself and
documentation on many Linux shells, utilities, and programs developed by the
GNU project (www.gnu.org/software/texinfo/manual/info). Figure 4-30
shows the screen that info displays when you give the command info coreutils (the
coreutils software package holds the Linux core utilities).

Figure 4-30 The initial screen displayed by the command info coreutils

man and info display different information
tip The info utility displays more complete and up-to-date information on GNU utilities than does
man. When a man page displays abbreviated information on a utility that is covered by info, the
man page refers to info. The man utility frequently displays the only information available on
non-GNU utilities. When info displays information on non-GNU utilities, it is frequently a copy of
the man page.
Because the information on this screen is drawn from an editable file, your display
may differ from the screens shown in this section. You can press any of the following keys while the initial info screen is displayed:
• h to go through an interactive tutorial on info
• ? to list info commands
• SPACE to scroll through the menu of items for which information is available
• m followed by the name of the menu you want to display or a SPACE to display a list of menus
• q or CONTROL-C to quit
The notation info uses to describe keyboard keys may not be familiar to you. The
notation C-h is the same as CONTROL-H. Similarly, M-x means hold down the META or ALT
key and press x. (On some systems you need to press ESCAPE and then x to duplicate
the function of META-X.)
After giving the command info coreutils, press the SPACE bar a few times to scroll
through the display. Type /sleepRETURN to search for the string sleep. When you type
/, the cursor moves to the bottom line of the window and displays Search for string
[string]:, where string is the last string you searched for. Press RETURN to search for
string or enter the string you want to search for. Typing sleep displays sleep on that
line, and pressing RETURN displays the next occurrence of sleep.

Figure 4-31 The screen displayed by the command info coreutils after you type /sleepRETURN twice

You may find pinfo easier to use than info
tip The pinfo utility is similar to info but is more intuitive if you are not familiar with the emacs editor. This utility runs in a textual environment, as does info. When it is available, pinfo uses color
to make its interface easier to use. If pinfo is not installed on the system, use synaptic
(page 133) to install the pinfo package. Run pinfo from a terminal emulator or Run Application
window (ALT-F2) and select Run in terminal.
Now type /RETURN (or /sleepRETURN) to search for the next occurrence of sleep as
shown in Figure 4-31. The asterisk at the left end of the line indicates that this entry
is a menu item. Following the asterisk is the name of the menu item and a description of the item.
Each menu item is a link to the info page that describes the item. To jump to that
page, search for or use the ARROW keys to move the cursor to the line containing the
menu item and press RETURN. With the cursor positioned as it is in Figure 4-31, press
RETURN to display information on sleep. Alternatively, you can type the name of the
menu item in a menu command to view the information: To display information on
sleep, for example, you can give the command m sleep, followed by RETURN. When
you type m (for menu), the cursor moves to the bottom line of the window (as it did
when you typed /) and displays Menu item:. Typing sleep displays sleep on that line,
and pressing RETURN displays information about the menu item you have chosen.
Figure 4-32 (on the next page) shows the top node of information on sleep. A node
groups a set of information you can scroll through by pressing the SPACE bar. To display the next node, press n. Press p to display the previous node.
As you read through this book and learn about new utilities, you can use man or info
to find out more about those utilities. If you can print PostScript documents, you
can print a manual page by using the man utility with the -t option. For example,

CHAPTER 4 INTRODUCTION TO UBUNTU LINUX

Figure 4-32 The info page on the sleep utility

man -t cat | lpr prints information about the cat utility. You can also use a Web
browser to display the documentation at manpages.ubuntu.com, www.tldp.org,
help.ubuntu.com, help.ubuntu.com/community, or answers.launchpad.net/ubuntu
and then print the desired information from the browser.

THE --help OPTION
Another tool you can use in a textual environment is the --help option. Most GNU
utilities provide a --help option that displays information about the utility. Non-GNU utilities may use a -h or -help option to display help information.
$ cat --help
Usage: cat [OPTION] [FILE]...
Concatenate FILE(s), or standard input, to standard output.

  -A, --show-all           equivalent to -vET
  -b, --number-nonblank    number nonblank output lines
  -e                       equivalent to -vE
  -E, --show-ends          display $ at end of each line

If the information that --help displays runs off the screen, send the output through
the less pager (page 138) using a pipe (page 170):
$ ls --help | less

HOWTOS: FINDING OUT HOW THINGS WORK
A HOWTO document explains in detail how to do something related to
Linux—from setting up a specialized piece of hardware to performing a system
administration task to setting up specific networking software. Mini-HOWTOs
offer shorter explanations. As with Linux software, one person or a few people generally are responsible for writing and maintaining a HOWTO document, but many
people may contribute to it.

Figure 4-33 Google reporting on an error message

The Linux Documentation Project (LDP, page 144) site houses most HOWTO and
mini-HOWTO documents. Use a Web browser to visit www.tldp.org, click HOWTOs, and pick the index you want to use to find a HOWTO or mini-HOWTO. You
can also use the LDP search feature on its home page to find HOWTOs and other
documents.

GETTING HELP
GNOME provides tooltips (page 118), a context-sensitive Help system, and Ubuntu
provides the Ubuntu Help Center discussed on page 136.

FINDING HELP LOCALLY
/usr/share/doc The /usr/src/linux/Documentation (present only if you install the kernel source
code, as explained in Chapter 15) and /usr/share/doc directories often contain more
detailed and different information about a utility than either man or info provides.
Frequently this information is meant for people who will be compiling and modifying the utility, not just using it. These directories hold thousands of files, each containing information on a separate topic.

USING THE INTERNET TO GET HELP
The Internet provides many helpful sites related to Linux. Aside from sites that offer
various forms of documentation, you can enter an error message from a program
you are having a problem with in a search engine such as Google (www.google.com,
or its Linux-specific version at www.google.com/linux). Enclose the error message
within double quotation marks to improve the quality of the results. The search will
likely yield a post concerning your problem and suggestions about how to solve it.
See Figure 4-33.


Ubuntu Web sites The Ubuntu Web site is a rich source of information. The following list identifies
some locations that may be of interest:
• Ubuntu documentation is available at help.ubuntu.com.
• Ubuntu community documentation is available at
help.ubuntu.com/community.
• You can find answers to many questions at
answers.launchpad.net/ubuntu.
• The Ubuntu forums (ubuntuforums.org) is another good place to find
answers to questions.
• You can talk with other Ubuntu users using IRC (Internet relay chat). See
help.ubuntu.com/community/InternetRelayChat for a list of Ubuntu IRC
channels available via the freenode IRC service.
• You can subscribe to Ubuntu mailing lists; see lists.ubuntu.com.
• You can search for information about packages and find out which package contains a specific file at packages.ubuntu.com.
GNU GNU manuals are available at www.gnu.org/manual. In addition, you can visit the
GNU home page (www.gnu.org) to obtain other documentation and GNU resources.
Many of the GNU pages and resources are available in a variety of languages.
The Linux Documentation Project The Linux Documentation Project (www.tldp.org; Figure 4-34), which has been
around for almost as long as Linux, houses a complete collection of guides, HOWTOs, FAQs, man pages, and Linux magazines. The home page is available in
English, Portuguese, Spanish, Italian, Korean, and French. It is easy to use and supports local text searches. It also provides a complete set of links you can use to find
almost anything you want related to Linux (click Links in the Search box or go to
www.tldp.org/links). The links page includes sections on general information,
events, getting started, user groups, mailing lists, and newsgroups, with each section
containing many subsections.

MORE ABOUT LOGGING IN
Refer to "Logging In on the System" on page 100 for information about logging in.
This section covers options you can choose from the Login screen and solutions to
common login problems. It also describes how to log in from a terminal and from a
remote system.

Always use a password
security Unless you are the only user of a system; the system is not connected to any other systems, the
Internet, or a modem; and you are the only one with physical access to the system, it is poor practice to maintain a user account without a password.

Figure 4-34 The Linux Documentation Project home page

THE LOGIN SCREEN
The Login screen (Figure 4-1, page 100) presents a list of users who are allowed to
log in on the system. On the panel at the bottom of the screen are two buttons.
Click the button depicting a person in a circle to select from a list of accessibility
preferences that may make it easier for some people to use the system. Click the
button depicting a broken circle with a vertical line running through the break to
restart or shut down the system. Click your name from the list of users to log in.
Once you have clicked your name, the login screen displays a text box labeled
Password. In addition, it adds drop-down lists labeled Language, Keyboard, and
Sessions to the panel at the bottom of the screen. Enter your password in the text
box and press RETURN to log in.
Languages Before you log in, the drop-down list labeled Language displays the name of the language the upcoming session will use. To change the language of the upcoming and
future sessions, click the arrow at the right end of the list and select a language from
the drop-down list. If the language you want is not listed, select Other; Ubuntu displays the Languages window. Select the language you want from this window, click
OK, and then log in. The change in language preference affects window titles,
prompts, error messages, and other textual items displayed by GNOME and many
applications.
Keyboard You can change the keyboard layout that the upcoming and future sessions expect
from the drop-down list labeled Keyboard.
Sessions You can use the drop-down list labeled Sessions to choose between window managers for the upcoming and future sessions. Click the arrow at the right end of the list,


select a session from the drop-down list, and continue logging in. Selections in this
list vary but can include the following choices:
• GNOME—Brings up the GNOME desktop environment.
• KDE—Brings up the KDE desktop environment (if you have installed
Kubuntu or KDE; page 75).
• Failsafe GNOME—Brings up a default GNOME session without running any startup scripts. Use this choice to fix problems that prevent
you from logging in normally.
• xterm—Brings up an xterm terminal emulator window without a desktop manager and without running any startup scripts. This setup
allows you to log in on a minimal desktop when your standard login
does not work well enough to allow you to log in to fix a problem.
Give the command exit from the xterm window to log out and display
the Login screen.

WHAT TO DO IF YOU CANNOT LOG IN
If you enter either your username or your password incorrectly, the system displays
an error message after you enter both your username and your password. This message indicates that you have entered either the username or the password incorrectly
or that they are not valid. It does not differentiate between an unacceptable username and an unacceptable password—a strategy meant to discourage unauthorized
people from guessing names and passwords to gain access to the system.
Following are some common reasons why logins fail:
• The username and password are case sensitive. Make sure the CAPS LOCK key
is off and enter your username and password exactly as specified or as you
set them up.
• You are not logging in on the right machine. The login/password combination may not be valid if you are trying to log in on the wrong machine. On
a larger, networked system, you may have to specify the machine you want
to connect to before you can log in.
• Your username is not valid. The login/password combination may not be
valid if you have not been set up as a user. If you are the system administrator, refer to "Configuring User and Group Accounts" on page 594.
Otherwise, check with the system administrator.
• A filesystem is full. When a filesystem critical to the login process is full, it
may appear as though you have logged in successfully, but after a moment
the Login screen reappears. You must boot the system in recovery mode
(page 445) and delete some files.
• The account is disabled. The root account is disabled by default. An
administrator may disable other accounts. Often the root account is not
allowed to log in over a network. Use sudo (page 421) if you need to work
with root privileges.


Refer to "Changing Your Password" on page 148 if you want to change your
password.

LOGGING IN REMOTELY: TERMINAL EMULATORS, ssh,
AND DIAL-UP CONNECTIONS
When you are not using a console, terminal, or other device connected directly to
the Linux system you are logging in on, you are probably connected to the Linux
system using terminal emulation software on another system. Running on the local
system, this software connects to the remote Linux system via a network (Ethernet,
asynchronous phone line, PPP, or other type) and allows you to log in.

Make sure TERM is set correctly
tip No matter how you connect, make sure you have the TERM variable set to the type of terminal your
emulator is emulating. For more information refer to "Specifying a Terminal" on page 1106.
When you log in via a dial-up line, the connection is straightforward: You instruct
the local emulator program to contact the remote Linux system, it dials the phone,
and the remote system displays a login prompt. When you log in via a directly connected network, you either use ssh (secure; page 670) or telnet (not secure;
page 391) to connect to the remote system. The ssh program has been implemented
on many operating systems, not just Linux. Many user interfaces to ssh include a
terminal emulator. From an Apple, Windows, or UNIX machine, open the program
that runs ssh and give it the name or IP address (refer to "Host Address" on
page 381) of the system you want to log in on. For examples and more details on
working with a terminal emulator, refer to "Running Commands from a Terminal
Emulator/Shell" on page 125. The next section provides more information about
logging in from a terminal emulator.

LOGGING IN FROM A TERMINAL (EMULATOR)
Before you log in on a terminal, terminal emulator, or other textual device, the system displays a message called issue (stored in the /etc/issue file) that identifies the
version of Ubuntu running on the system. A sample issue message follows:
Ubuntu 10.04 LTS plum tty2

This message is followed by a prompt to log in. Enter your username and password
in response to the system prompts. If you are using a terminal (page 1176) and the
screen does not display the login: prompt, check whether the terminal is plugged in
and turned on, and then press the RETURN key a few times. If login: still does not
appear, try pressing CONTROL-Q (Xoff). If you are using a workstation (page 1181), run
ssh (page 670), telnet (page 391), or whatever communications/emulation software
you use to log in on the system.
Once the shell prompt (or just prompt) appears, you have successfully logged in; this
prompt shows the system is ready for you to give a command. The first shell prompt


line may be preceded by a short message called the message of the day, or motd
(page 494), which is stored in the /etc/motd file. Ubuntu establishes a prompt of
[user@host: directory]$, where user is your username, host is the name of the system,
and directory is the name of the directory you are working in. A tilde (~) represents
your home directory. For information on how to change the prompt, refer to page 321.

Did you log in last?
security When you log in to a textual environment, after you enter your username and password, the system displays information about the last login on this account, showing when it took place and
where it originated. You can use this information to determine whether anyone has accessed the
account since you last used it. If someone has, perhaps an unauthorized user has learned your
password and logged in as you. In the interest of maintaining security, advise the system administrator of any circumstances that make you suspicious—and change your password.

CHANGING YOUR PASSWORD
If someone else assigned you a password, it is a good idea to give yourself a new one.
For security reasons, none of the passwords you enter is displayed by any utility.

Protect your password
security Do not allow someone to find out your password: Do not put your password in a file that is not
encrypted, allow someone to watch you type your password, or give your password to someone
you do not know (a system administrator never needs to know your password). You can always
write your password down and keep it in a safe, private place.

Choose a password that is difficult to guess
security Do not use phone numbers, names of pets or kids, birthdays, words from a dictionary (not even
a foreign language), and so forth. Do not use permutations of these items or a l33t-speak variation
of a word: Modern dictionary crackers may also try these permutations.

Differentiate between important and less important passwords
security It is a good idea to differentiate between important and less important passwords. For example,
Web site passwords for blogs or download access are not very important; it is acceptable to use
the same password for these types of sites. However, your login, mail server, and bank account
Web site passwords are critical: Never use these passwords for an unimportant Web site.
To change your password, select Main menu: System⇒Preferences⇒About Me and
click Change Password. From a command line, give the command passwd.
The first item the system asks for is your current (old) password. This password is
verified to ensure that an unauthorized user is not trying to alter your password.
Then the system requests a new password.
To be relatively secure, a password should contain a combination of numbers,
uppercase and lowercase letters, and punctuation characters. It should also meet the
following criteria:


• Must be at least six characters long (or longer if the system administrator
sets it up that way). Seven or eight characters is a good compromise
between length and security.
• Should not be a word in a dictionary of any language, no matter how
seemingly obscure.
• Should not be the name of a person, place, pet, or other thing that might
be discovered easily.
• Should contain at least two letters and one digit or punctuation character.
• Should not be your username, the reverse of your username, or your username shifted by one or more characters.
Only the first item is mandatory. Avoid using control characters (such as CONTROL-H)
because they may have a special meaning to the system, making it impossible for
you to log in. If you are changing your password, the new password should differ
from the old one by at least three characters. Changing the case of a character does
not make it count as a different character. Refer to "Keeping the System Secure" on
page 619 for more information about choosing a password.
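Added here as an example, not part of Sobell's text: a POSIX shell function that checks a proposed password against the rules just listed. The dictionary-word and personal-name rules need word lists, so they are left out; check_password, reverse and char_diff are names chosen for this example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the book): checks a proposed password against the
# rules listed above. The dictionary-word and personal-name rules need word
# lists, so they are not checked here. All function names are this example's own.

# Print a string reversed (POSIX sh has no rev builtin, so peel off the last
# character repeatedly).
reverse() {
    s=$1 r=""
    while [ -n "$s" ]; do
        r="$r${s#"${s%?}"}"   # append the last character of s
        s=${s%?}              # and drop it from s
    done
    printf '%s' "$r"
}

# Count the characters of $1 that belong to the tr character class in $2.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Number of positions at which two strings differ, ignoring case, plus the
# difference in their lengths. A change of case alone therefore counts as zero.
char_diff() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    n=0
    while [ -n "$a" ] && [ -n "$b" ]; do
        [ "${a%"${a#?}"}" = "${b%"${b#?}"}" ] || n=$((n + 1))
        a=${a#?} b=${b#?}
    done
    echo $((n + ${#a} + ${#b}))
}

# check_password NEW USERNAME [OLD]: exit status 0 if NEW passes every rule,
# otherwise 1, with each failed rule reported on standard error.
check_password() {
    new=$1 user=$2 old=${3-}
    ok=0
    fail() { printf 'rejected: %s\n' "$1" >&2; ok=1; }

    [ ${#new} -ge 6 ] || fail "shorter than six characters"
    [ "$(count_class "$new" '[:cntrl:]')" -eq 0 ] || fail "contains a control character"
    [ "$(count_class "$new" 'A-Za-z')" -ge 2 ] || fail "fewer than two letters"
    [ "$(count_class "$new" '0-9[:punct:]')" -ge 1 ] || fail "no digit or punctuation character"

    # The username, its reverse, and every rotation of it ("shifted by one or
    # more characters") are compared case-insensitively.
    lower=$(printf '%s' "$new" | tr 'A-Z' 'a-z')
    u=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    [ "$lower" != "$(reverse "$u")" ] || fail "is the username reversed"
    i=0
    while [ "$i" -lt "${#u}" ]; do
        if [ "$lower" = "$u" ]; then
            fail "is the username or the username shifted"
            break
        fi
        u="${u#?}${u%"${u#?}"}"   # rotate left by one character
        i=$((i + 1))
    done

    # A new password must differ from the old one in at least three characters.
    if [ -n "$old" ] && [ "$(char_diff "$new" "$old")" -lt 3 ]; then
        fail "differs from the old password by fewer than three characters"
    fi
    return $ok
}

# Stand-alone demonstration with constructed sample values: user alice99
# changing the old password Secret1x.
for candidate in 'Wr7!kplx' 'ice99al' 'secret1X'; do
    if check_password "$candidate" alice99 Secret1x; then
        echo "$candidate: acceptable"
    else
        echo "$candidate: not acceptable"
    fi
done
```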

pwgen helps you pick a password
security The pwgen utility (install the pwgen package) generates a list of almost random passwords. With
a little imagination, you can pronounce, and therefore remember, some of these passwords.
After you enter your new password, the system asks you to retype it to ensure you
did not make a mistake when you entered it the first time. If the new password is
the same both times you enter it, your password is changed. If the passwords differ,
you made an error in one of them. In this situation the system displays an error message or does not allow you to click the OK button. If the password you enter is not
long enough, the system displays a message similar to The password is too short.
When you successfully change your password, you change the way you log in. If
you forget your password, a user running with root privileges can change it and tell
you the new password.

USING VIRTUAL CONSOLES
When running Linux on a personal computer, you will frequently work with the
display and keyboard attached to the computer. Using this physical console, you can
access as many as 63 virtual consoles (also called virtual terminals). Some are set up
to allow logins; others act as graphical displays. To switch between virtual consoles,
hold the CONTROL and ALT keys down and press the function key that corresponds to
the console you want to view. For example, CONTROL-ALT-F5 displays the fifth virtual
console. This book refers to the console you see when you press CONTROL-ALT-F1 as the
system console, or just console.
By default, five or six virtual consoles are active and have textual login sessions running. When you want to use both textual and graphical interfaces, you can set up a


textual session on one virtual console and a graphical session on another. By
default, a graphical session runs on virtual console number 8.

WORKING FROM THE COMMAND LINE
Before the introduction of the graphical user interface (GUI), UNIX and then Linux
provided only a command-line (textual) interface (CLI). Today, a CLI is available
when you log in from a terminal, a terminal emulator, or a textual virtual console,
or when you use ssh (secure; page 667) or telnet (not secure; page 391) to log in on
a system.
This section introduces the Linux CLI. Chapter 5 describes some of the more important utilities you can use from the command line. Most of the examples in Parts IV
and V of this book use the CLI, adding examples of graphical tools where available.
Advantages of the CLI Although the concept may seem antiquated, the CLI has a place in modern computing. In some cases an administrator may use a command-line tool either because a
graphical equivalent does not exist or because the graphical tool is not as powerful
or flexible as the textual one. Frequently, on a server system, a graphical interface
may not even be installed. The first reason for this omission is that a GUI consumes
a lot of system resources; on a server, those resources are better dedicated to the
main task of the server. Additionally, security considerations mandate that a server
system run as few tasks as possible because each additional task can make the system more vulnerable to attack.
You can also write scripts using the CLI. Using scripts, you can easily reproduce
tasks on multiple systems, enabling you to scale the tasks to larger environments.
When you are the administrator of only a single system, using a GUI is often the easiest way to configure the system. When you act as administrator for many systems,
all of which need the same configuration installed or updated, a script can make the
task go more quickly. Writing a script using command-line tools is frequently easy,
whereas the same task can be difficult to impossible using graphical tools.
Pseudographical interface Before the introduction of GUIs, resourceful programmers created textual interfaces
that included graphical elements such as boxes, borders outlining rudimentary windows, highlights, and, more recently, color. These textual interfaces, called pseudographical interfaces, bridge the gap between textual and graphical interfaces.
One example of a modern utility that uses a pseudographical interface is the dpkg-reconfigure utility, which reconfigures an installed software package.

CORRECTING MISTAKES
This section explains how to correct typographical and other errors you may make
while you are logged in on a textual display. Because the shell and most other utilities do not interpret the command line or other text until after you press RETURN, you
can readily correct your typing mistakes before you press RETURN.


You can correct such mistakes in several ways: erase one character at a time, back
up a word at a time, or back up to the beginning of the command line in one step.
After you press RETURN, it is too late to correct a mistake: At that point, you must
either wait for the command to run to completion or abort execution of the program (page 151).

ERASING A CHARACTER
While entering characters from the keyboard, you can back up and erase a mistake
by pressing the erase key once for each character you want to delete. The erase key
backs over as many characters as you wish. It does not, in general, back up past the
beginning of the line.
The default erase key is BACKSPACE. If this key does not work, try pressing DEL or
CONTROL-H. If these keys do not work, give the following stty¹ command to set the erase
and line kill (see "Deleting a Line") keys to their default values:
$ stty ek

DELETING A WORD
You can delete a word you entered by pressing CONTROL-W. A word is any sequence of
characters that does not contain a SPACE or TAB. When you press CONTROL-W, the cursor
moves left to the beginning of the current word (as you are entering a word) or the
previous word (when you have just entered a SPACE or TAB), removing the word.
CONTROL-Z suspends a program
tip Although it is not a way of correcting a mistake, you may press the suspend key (typically
CONTROL-Z) by mistake and wonder what happened. If you see a message containing the word
Stopped, you have just stopped your job using job control (page 255). If you give the command
fg to continue your job in the foreground, you should return to where you were before you pressed
the suspend key. For more information refer to "bg: Sends a Job to the Background" on page 309.

DELETING A LINE
Any time before you press RETURN, you can delete the line you are entering by pressing the (line) kill key. When you press this key, the cursor moves to the left, erasing
characters as it goes, back to the beginning of the line. The default line kill key is
CONTROL-U. If this key does not work, try CONTROL-X. If these keys do not work, give the
stty command described under "Erasing a Character."

1. The command stty is an abbreviation for set teletypewriter, the first terminal UNIX was run on. Today
stty is commonly thought of as meaning set terminal.

ABORTING EXECUTION
Sometimes you may want to terminate a running program. For example, you may
want to stop a program that is performing a lengthy task such as displaying the
contents of a file that is several hundred pages long or copying a large file that is
not the one you meant to copy.
To terminate a program from a textual display, press the interrupt key (CONTROL-C or
sometimes DELETE or DEL). When you press this key, the Linux operating system sends
a termination signal to the program you are running and to the shell. Exactly what
effect this signal has depends on the program. Some programs stop execution immediately, some ignore the signal, and some take other actions. When the shell receives
a termination signal, it displays a prompt and waits for another command.
If these methods do not terminate the program, try sending the program a quit signal (CONTROL-\). If all else fails, try pressing the suspend key (typically CONTROL-Z), giving
a jobs command to verify the number of the job running the program, and using kill
to abort the job. The job number is the number within the brackets at the left end of
the line displayed by jobs ([1]). In the next example, the kill command (page 455)
uses -TERM to send a termination signal² to the job specified by the job number,
which is preceded by a percent sign (%1). You can omit -TERM from the command, as kill sends a termination signal by default.
$ bigjob
^Z
[1]+  Stopped                 bigjob
$ jobs
[1]+  Stopped                 bigjob
$ kill -TERM %1
$ RETURN
[1]+  Killed                  bigjob

The kill command returns a prompt; press RETURN again to see the confirmation message. For more information refer to "Running a Command in the Background" on
page 254.
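Added here as an example, not from the book: a shell script that puts a job which honors the termination signal beside one that ignores it, so that -KILL (footnote 2) is the only way to end it. It uses process IDs rather than the %1 job numbers shown above because a script has no job control by default; the function names and the use of sleep 300 in place of bigjob are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the book): a job that honors the termination signal
# next to one that ignores it and can only be stopped with -KILL. Scripts have
# no job control by default, so process IDs replace the interactive %1 notation.
# Function names, and sleep 300 standing in for bigjob, are this example's own.

# A cooperative job: sleep has the default action for TERM, so -TERM ends it.
start_polite_job() {
    sleep 300 </dev/null >/dev/null 2>&1 &
    echo $!
}

# A stubborn job: trap '' TERM marks TERM as ignored, and an ignored signal
# stays ignored across exec, so the sleep that replaces the subshell ignores
# -TERM too. Nothing can ignore -KILL.
start_stubborn_job() {
    ( trap '' TERM; exec sleep 300 ) </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1          # give the subshell time to install the trap before we signal it
    echo "$pid"
}

# kill -0 sends no signal; it only asks whether the process still exists.
# A process that has died but not yet been reaped (a zombie) still exists, so
# also consult ps for the state Z where ps is available.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    case $state in
        Z*) return 1 ;;
    esac
    return 0
}

# Try -TERM first, then -KILL; print the signal that ended the job.
# Returns 1 if the job survived both, which should not happen.
terminate_job() {
    pid=$1
    kill -TERM "$pid" 2>/dev/null || true
    sleep 1
    if ! is_alive "$pid"; then
        echo TERM
        return 0
    fi
    kill -KILL "$pid" 2>/dev/null || true
    sleep 1
    if ! is_alive "$pid"; then
        echo KILL
        return 0
    fi
    echo NONE
    return 1
}

# Stand-alone demonstration: the polite job ends with TERM, the stubborn one
# survives TERM and ends only with KILL.
for kind in polite stubborn; do
    pid=$(start_${kind}_job)
    printf '%s job (PID %s) ended by SIG%s\n' "$kind" "$pid" "$(terminate_job "$pid")"
done
```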

REPEATING/EDITING COMMAND LINES
To repeat a previous command, press the UP ARROW key. Each time you press this key,
the shell displays an earlier command line. To reexecute the displayed command
line, press RETURN. Press the DOWN ARROW key to browse through the command lines in
the other direction.
You can also repeat the previous command using !!. This technique is useful if you
forgot to use sudo (page 421) before a command. In this case, if you type sudo !!,
the shell will repeat the previous command preceded by sudo.
The command ^old^new^ reruns the previous command, substituting the first
occurrence of old with new. Also, on a command line, the shell replaces the characters !$ with the last argument (word) of the previous command. The following

2. When the termination signal does not work, use the kill signal (-KILL). A running program cannot
ignore a kill signal; it is sure to abort the program (page 455).


example shows the user correcting the filename meno to memo using ^n^m^ and
then printing the file named memo by giving the command lpr !$. The shell replaces
!$ with memo, the last argument of the previous command.
$ cat meno
cat: meno: No such file or directory
$ ^n^m^
cat memo
This is the memo file.
$ lpr !$
lpr memo

The RIGHT and LEFT ARROW keys move the cursor back and forth along the displayed
command line. At any point along the command line, you can add characters by
typing them. Use the erase key to remove characters from the command line.
For information about more complex command-line editing, see page 332.

optional

CONTROLLING WINDOWS: ADVANCED OPERATIONS
Refer to "Windows" on page 123 for an introduction to working with windows
under Ubuntu. This section explores the following topics: changing the input focus
on the workspace, changing the resolution of the display, and understanding more
about the window manager.

CHANGING THE INPUT FOCUS
When you type on the keyboard, the window manager (page 155) directs the characters you type somewhere, usually to a window. The active window is the window
accepting input from the keyboard; it is said to have the input focus. Depending on
how you set up your account, you can use the mouse in one of three ways to change
the input focus (you can also use the keyboard; see page 124):
• Click-to-focus (explicit focus)—Gives the input focus to a window when
you click the window. That window continues to accept input from the
keyboard regardless of the location of the mouse pointer. The window
loses the focus when you click another window. Although clicking the
middle or right mouse button also activates a window, use only the left
mouse button for this purpose; other buttons may have unexpected effects
when you use them to activate a window.
• Focus-follows-mouse (sloppy focus, enter-only, or focus-under-mouse)—
Gives the input focus to a window when you move the mouse pointer onto
the window. That window maintains the input focus until you move the
mouse pointer onto another window, at which point the new window gets
the focus. When you move the mouse pointer off a window and onto the
root window, the window that had the input focus does not lose it.
• Focus-strictly-under-mouse (enter-exit focus)—Gives the input focus to a
window when you move the mouse pointer onto the window. That window maintains the input focus until you move the mouse pointer off the
window, at which point no window has the focus. When you move the
mouse pointer off a window and onto the root window, the window that
had the input focus loses it, and input from the keyboard is lost.
You can use the Window Preferences window to change the focus policy. To display
this window, select Main menu: System⇒Preferences⇒Windows or give the command gnome-window-properties from a terminal emulator or Run Application window (ALT-F2). Put a tick in the check box next to Select windows when the mouse
moves over them to select the focus-follows-mouse policy. When there is no tick in
this check box, click-to-focus is in effect. Click Close. Focus-strictly-under-mouse is
not available from this window.
To determine which window has the input focus, compare the window borders. The
border color of the active window is different from the others or, on a monochrome display, is darker. Another indication that a window is active is that the keyboard cursor is
a solid rectangle; in windows that are not active, the cursor is an outline of a rectangle.
Use the following tests to determine which keyboard focus method you are using. If
you position the mouse pointer in a window and that window does not get the
input focus, your window manager is configured to use the click-to-focus method. If
the border of the window changes, you are using the focus-follows-mouse or focus-strictly-under-mouse method. To determine which of the latter methods you are
using, start typing something, with the mouse pointer positioned on the active window. Then move the mouse pointer over the root window and continue typing. If
characters continue to appear within the window, you are using focus-follows-mouse; otherwise, you are using focus-strictly-under-mouse.

CHANGING THE RESOLUTION OF THE DISPLAY
The X server (the basis for the Linux graphical interface; page 268) starts at a specific display resolution and color depth (page 1141). Although you can change the
color depth only when you start an X server, you can change the resolution while
the X server is running. The number of resolutions available depends both on the
display hardware and on the configuration of the X server. Many users prefer to
do most of their work at a higher resolution but might want to switch to a lower
resolution for some tasks, such as playing games. You can switch between display
resolutions by pressing either CONTROL-ALT-KEYPAD-+ or CONTROL-ALT-KEYPAD--, using the +
and - keys on the keyboard's numeric keypad. You can also use the Monitor Resolution Settings window (Main menu: System⇒Preferences⇒Monitors) to change
the resolution of the display.


Changing to a lower resolution has the effect of zooming in on the display; as a
result, you may no longer be able to view the entire workspace at once. To scroll the
display, push the mouse pointer against the edge of the screen.

THE WINDOW MANAGER
A window manager—the program that controls the look and feel of the basic
GUI—runs under a desktop manager (such as GNOME or KDE) and controls all
aspects of the windows in the X Window System environment. The window manager defines the appearance of the windows on the desktop and controls how you
operate and position them: open, close, move, resize, minimize, and so on. It may
also handle some session management functions, such as how a session is paused,
resumed, restarted, or ended (page 116).
Window decorations   A window manager controls window decorations—that is, the titlebar and border
of a window. Aside from the aesthetic aspects of changing window decorations, you
can alter their functionality by modifying the number and placement of buttons on
the titlebar.
The window manager takes care of window manipulation so client programs do not
need to do so. This setup is very different from that of many other operating systems, and the way that GNOME deals with window managers is different from
how other desktop environments work. Window managers do more than simply
manage windows—they provide a useful, good-looking, graphical shell where you
can work. Their open design allows users to define their own policies, down to the
fine details.
Theoretically GNOME is not dependent on any particular window manager and
can work with any of several window managers. Because of their flexibility, you
would not see major parts of the desktop environment change if you were to switch
from one window manager to another. A desktop manager collaborates with the
window manager to make your work environment intuitive and easy to use.
Although the desktop manager does not control window placement, it does get
information from the window manager about window placement.

UBUNTU WINDOW MANAGERS
Metacity and Compiz—the default window managers for GNOME—provide window management and start many components through GNOME panel objects.
They also communicate with and facilitate access to other components in the environment. The Visual Effects tab of the Appearance Preferences window (page 115)
allows you to switch between Metacity and Compiz.
Using the standard X libraries, programmers have created other window managers,
including blackbox, fluxbox, and WindowMaker. You can use synaptic (page 133)
to install any of these packages.

156

CHAPTER 4

INTRODUCTION TO UBUNTU LINUX

CHAPTER SUMMARY
As with many operating systems, your access to a Linux system is authorized when
you log in. To do so, you enter your username and password on the Login screen.
You can change your password at any time while you are logged in. Choose a password that is difficult to guess and that conforms to the criteria imposed by the utility that changes your password.
The system administrator is responsible for maintaining the system. On a single-user system, you are the system administrator. On a small, multiuser system, you or
another user may act as the system administrator, or this job may be shared. On a
large, multiuser system or a network of systems, there is frequently a full-time system administrator. When extra privileges are required to perform certain system
tasks, the system administrator uses sudo to obtain extra privileges, called root privileges. An administrator working with root privileges is sometimes referred to as
Superuser.
Do not work with root privileges as a matter of course. When you have to do something that requires root privileges, work with root privileges for only as long as
absolutely necessary; revert to working as yourself as soon as possible.
Understanding the desktop and its components is essential to getting the most out
of the Ubuntu GUI. Its panels offer a convenient way to launch applications, either
by clicking objects or by using the Main menu. The Main menu is a multilevel menu
you can work with to customize and maintain the system and to start many commonly used applications. A window is the graphical manifestation of an application. You can control its size, location, and appearance by clicking buttons on the
window's titlebar. A terminal emulator allows you to use the Linux command-line
interface from a graphical environment. You can use a terminal emulator to launch
both textual and graphical programs.
Panels and menus enable you to select an object (which can be just about anything
on the system). On a panel, you generally click an object; on a menu, you typically
click text in a list.
The GNOME environment provides users with a variety of interests and experience
levels—the casual user, the office worker, the power user, and the programmer/system designer—with a space to work in and a set of tools to work with. GNOME
also provides off-the-shelf productivity and many ways to customize its look, feel,
and response.
Nautilus is GNOME's simple, yet powerful file manager. It can create, open, display, move, and copy files and directories as well as execute programs and scripts.
One of its most basic and important functions is to create and manage the desktop.
The man utility provides online documentation for system utilities. This utility is
helpful both to new Linux users and to experienced users, who must often delve
into system documentation for information on the finer points of a utility's behavior.
The info utility also helps the beginner and the expert alike. It provides a tutorial
on its use and documentation on many Linux utilities.
The textual or command-line interface (CLI) continues to have a place in modern
computing. For example, sometimes a graphical tool does not exist or may not be as
powerful or flexible as its textual counterpart. Security concerns on a server system
mandate that the system run as few tasks as possible. Because each additional task
can make a server more vulnerable to attack, frequently these systems do not have
GUIs installed.

EXERCISES
1. The system displays the following message when you attempt to log in
with an incorrect username or an incorrect password:
Login incorrect

a. This message does not indicate whether your username, your password,
or both are invalid. Why does it not reveal this information?
b. Why does the system wait for a couple of seconds to respond after you
supply an incorrect username or password?
2. Give three examples of poor password choices. What is wrong with each?
3. Is fido an acceptable password? Give several reasons why or why not.
4. What is a context menu? How does a context menu differ from other
menus?
5. What appears when you right-click the root window? How can you use
this object?
6. How would you swap the effects of the right and left buttons on a mouse?
What is the drag-and-drop threshold? How would you change it?
7. What are the primary functions of the Main menu?
8. What is the input focus? When no window has the input focus, what happens to the letters you type on the keyboard? Which type of input focus
would you prefer to work with? Why?
9. What are the functions of a Window Operations menu? How do you display this menu?
10. What is a panel? Name a few objects on the panels and explain what you
can use them for. What do the Workspace Switcher applet and the Window List applet do?
11. What are tooltips? How are they useful?


ADVANCED EXERCISES
12. How does the mouse pointer change when you move it to the edge of a
window? What happens when you left-click and drag the mouse pointer
when it looks like this? Repeat this experiment with the mouse pointer at
the corner of a window.
13. Assume you have started a window manager without a desktop manager.
What would be missing from the screen? Describe what a window manager does. How does a desktop manager make it easier to work with a
GUI?
14. When the characters you type do not appear on the screen, what might be
wrong? How can you fix this problem?
15. What happens when you run vim.tiny from the Run Application window
without specifying that it be run in a terminal? Where does the output go?
16. The example on page 138 shows that the man pages for passwd appear in
sections 1 and 5 of the system manual. Explain how you can use man to
determine which sections of the system manual contain a manual page
with a given name.
17. How many man pages are in the Devices subsection of the system manual?
(Hint: Devices is a subsection of Special Files.)

5
THE LINUX UTILITIES
IN THIS CHAPTER
Special Characters 160
Basic Utilities 161
less Is more: Display a Text File One Screen at a Time 162
Working with Files 163
lpr: Prints a File 165
| (Pipe): Communicates Between Processes 170
Compressing and Archiving Files 174
Obtaining User and System Information 180
Tutorial: Using vim to Create and Edit a File 186

When Linus Torvalds introduced Linux and for a long time thereafter, Linux did not have a graphical user interface (GUI): It ran
on character-based terminals only, using a command-line interface
(CLI), also referred to as a textual interface. All the tools ran from
a command line. Today the Linux GUI is important but many
people—especially system administrators—run many command-line utilities. Command-line utilities are often faster, more powerful, or more complete than their GUI counterparts. Sometimes
there is no GUI counterpart to a textual utility; some people just
prefer the hands-on feeling of the command line.
When you work with a command-line interface, you are working
with a shell (Chapters 7, 9, and 27). Before you start working with
a shell, it is important that you understand something about the
characters that are special to the shell, so this chapter starts with a
discussion of special characters. The chapter then describes five
basic utilities: ls, cat, rm, less, and hostname. It continues by
describing several other file manipulation utilities as well as utilities that display who is logged in; that communicate with other
users; that print, compress, and decompress files; and that pack
and unpack archive files.

159

160

CHAPTER 5

THE LINUX UTILITIES

SPECIAL CHARACTERS
Special characters, which have a special meaning to the shell, are discussed in "Filename Generation/Pathname Expansion" on page 256. These characters are mentioned here so that you can avoid accidentally using them as regular characters until
you understand how the shell interprets them. For example, it is best to avoid using
any of the following characters in a filename (even though emacs and some other
programs do) because they make the file harder to reference on the command line:
[ ] ( ) $ < > { } # / \ !

Whitespace Although not considered special characters, RETURN, SPACE, and TAB have special meanings to the shell. RETURN usually ends a command line and initiates execution of a
command. The SPACE and TAB characters separate elements on the command line and
are collectively known as whitespace or blanks.
Quoting special characters   If you need to use a character that has a special meaning to the shell as a regular
character, you can quote (or escape) it. When you quote a special character, you
keep the shell from giving it special meaning. The shell treats a quoted special character as a regular character. However, a slash (/) is always a separator in a pathname, even when you quote it.
Backslash   To quote a character, precede it with a backslash (\). When two or more special
characters appear together, you must precede each with a backslash (for example,
you would enter ** as \*\*). You can quote a backslash just as you would quote
any other special character—by preceding it with a backslash (\\).
Single quotation marks   Another way of quoting special characters is to enclose them between single quotation
marks: '**'. You can quote many special and regular characters between a pair of single quotation marks: 'This is a special character: >'. The regular characters are interpreted as usual, and the shell also interprets the special characters as regular characters.
The only way to quote the erase character (CONTROL-H), the line kill character
(CONTROL-U), and other control characters (try CONTROL-M) is by preceding each with a
CONTROL-V. Single quotation marks and backslashes do not work. Try the following:
$ echo 'xxxxxxCONTROL-U'
$ echo xxxxxxCONTROL-VCONTROL-U

optional   Although you cannot see the CONTROL-U displayed by the second of the preceding pair
of commands, it is there. The following command sends the output of echo
(page 171) through a pipe (page 170) to od (octal display, see the od man page) to
display CONTROL-U as octal 25 (025):
$ echo xxxxxxCONTROL-VCONTROL-U | od -c
0000000   x   x   x   x   x   x 025  \n
0000010

The \n is the NEWLINE character that echo sends at the end of its output.
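The following shell script is an added example, not part of the book, that runs the quoting rules of this section from a script rather than at a prompt. It creates two empty files named a.txt and b.txt (constructed for the example) so that an unquoted * has something to match, quotes ** with backslashes and with single quotation marks, and uses printf to write the CONTROL-U byte that the book types after CONTROL-V so od -c can show it as 025. Quoting correctly is also what keeps a filename or argument supplied by someone else from being interpreted by the shell instead of being passed to the utility.

```shell
#!/bin/sh
# Added example, not from the book. Work in a scratch directory that is
# removed when the script exits.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1

# Two constructed empty files so that * has something to match.
: > a.txt
: > b.txt

# Unquoted: the shell replaces * with the matching filenames before echo
# runs, so echo prints "a.txt b.txt" rather than an asterisk.
unquoted_star() { echo *; }

# Backslash: each special character is quoted on its own (\*\*), so echo
# receives the two characters ** unchanged.
backslash_star() { echo \*\*; }

# Single quotation marks: everything between them is a regular character.
single_quoted_star() { echo '**'; }

# Control characters cannot be quoted with backslashes or single quotation
# marks; at a prompt the book types them after CONTROL-V. Here printf
# writes the same CONTROL-U byte (octal 025) and od -c shows that it is
# really there; tr and sed only squeeze od's column padding so the line
# reads "x x x x x x 025".
control_u_octal() {
    printf 'xxxxxx\025' | od -An -c | tr -s ' ' | sed 's/^ //'
}
```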


BASIC UTILITIES
One of the important advantages of Linux is that it comes with thousands of utilities that perform myriad functions. You will use utilities whenever you work with
Linux, whether you use them directly by name from the command line or indirectly
from a menu or icon. The following sections discuss some of the most basic and
important utilities; these utilities are available from a CLI. Some of the more important utilities are also available from a GUI; others are available only from a GUI.

Run these utilities from a command line
tip This chapter describes command-line, or textual, utilities. You can experiment with these utilities
from a terminal, a terminal emulator within a GUI (page 125), or a virtual console (page 149).
Folder/directory   The term directory is used extensively in the next sections. A directory is a resource
that can hold files. On other operating systems, including Windows and Macintosh,
and frequently when speaking about a Linux GUI, a directory is referred to as a
folder. That is a good analogy: A traditional manila folder holds files just as a directory does.

In this chapter you work in your home directory
tip When you log in on the system, you are working in your home directory. In this chapter that is the
only directory you use: All the files you create in this chapter are in your home directory. Chapter 6
goes into more detail about directories.

ls: LISTS THE NAMES OF FILES
Using the editor of your choice, create a small file named practice. (A tutorial on the
vim editor appears on page 186.) After exiting from the editor, you can use the ls
(list) utility to display a list of the names of the files in your home directory. In the
first command in Figure 5-1, ls lists the name of the practice file. (You may also see
files that the system or a program created automatically.) Subsequent commands in
Figure 5-1 display the contents of the file and remove the file. These commands are
described next.
$ ls
practice
$ cat practice
This is a small file that I created
with a text editor.
$ rm practice
$ ls
$ cat practice
cat: practice: No such file or directory

Figure 5-1   Using ls, cat, and rm on the file named practice


cat: DISPLAYS A TEXT FILE
The cat utility displays the contents of a text file. The name of the command is
derived from catenate, which means to join together, one after the other.
(Figure 7-8 on page 247 shows how to use cat to string together the contents of
three files.)
A convenient way to display the contents of a file to the screen is by giving the command cat, followed by a SPACE and the name of the file. Figure 5-1 shows cat displaying the contents of practice. This figure shows the difference between the ls and cat
utilities: The ls utility displays the name of a file, whereas cat displays the contents
of a file.

rm: DELETES A FILE
The rm (remove) utility deletes a file. Figure 5-1 shows rm deleting the file named
practice. After rm deletes the file, ls and cat show that practice is no longer in the
directory. The ls utility does not list its filename, and cat says that no such file exists.
Use rm carefully.

A safer way of removing files
tip You can use the interactive form of rm to make sure that you delete only the file(s) you intend to
delete. When you follow rm with the -i option (see page 139 for a tip on options) and the name
of the file you want to delete, rm displays the name of the file and then waits for you to respond
with y (yes) before it deletes the file. It does not delete the file if you respond with a string that
begins with a character other than y.
$ rm -i toollist
rm: remove regular file 'toollist'? y

Optional: You can create an alias (page 346) for rm -i and put it in your startup file (page 204) so
that rm always runs in interactive mode.

less Is more: DISPLAY A TEXT FILE ONE SCREEN AT A TIME
Pagers   When you want to view a file that is longer than one screen, you can use either the less utility or the more utility. Each of these utilities pauses after displaying a screen
of text; press the SPACE bar to display the next screen of text. Because these utilities
show one page at a time, they are called pagers. Although less and more are very
similar, they have subtle differences. At the end of the file, for example, less displays
an END message and waits for you to press q before returning you to the shell. In
contrast, more returns you directly to the shell. While using both utilities you can
press h to display a Help screen that lists commands you can use while paging
through a file. Give the commands less practice and more practice in place of the cat
command in Figure 5-1 to see how these commands work. Use the command less
/etc/adduser.conf instead if you want to experiment with a longer file. Refer to the
less and more man pages for more information.


hostname: DISPLAYS THE SYSTEM NAME
The hostname utility displays the name of the system you are working on. Use this
utility if you are not sure that you are logged in on the right machine.
$ hostname
bravo.example.com

WORKING WITH FILES
This section describes utilities that copy, move, print, search through, display, sort,
and compare files.

Filename completion
tip After you enter one or more letters of a filename (following a command) on a command line, press
TAB and the Bourne Again Shell will complete as much of the filename as it can. When only one
filename starts with the characters you entered, the shell completes the filename and places a
SPACE after it. You can keep typing or you can press RETURN to execute the command at this point.
When the characters you entered do not uniquely identify a filename, the shell completes what it
can and waits for more input. When pressing TAB does not change the display, press TAB again to
display a list of possible completions. For more information refer to "Pathname Completion" on
page 342.

cp: COPIES A FILE
The cp (copy) utility (Figure 5-2) makes a copy of a file. This utility can copy any
file, including text and executable program (binary) files. You can use cp to make a
backup copy of a file or a copy to experiment with.
The cp command line uses the following syntax to specify source and destination
files:
cp source-file destination-file

The source-file is the name of the file that cp will copy. The destination-file is the
name that cp assigns to the resulting (new) copy of the file.
$ ls
memo
$ cp memo memo.copy
$ ls
memo memo.copy

Figure 5-2   cp copies a file


The cp command line in Figure 5-2 copies the file named memo to memo.copy. The
period is part of the filename—just another character. The initial ls command shows
that memo is the only file in the directory. After the cp command, a second ls shows
two files in the directory, memo and memo.copy.
Sometimes it is useful to incorporate the date in the name of a copy of a file. The
following example includes the date January 30 (0130) in the copied file:
$ cp memo memo.0130

Although it has no significance to Linux, the date can help you find a version of a
file you created on a certain date. Including the date can also help you avoid overwriting existing files by providing a unique filename each day. For more information refer to "Filenames" on page 201.
Use scp (page 667) or ftp (page 687) when you need to copy a file from one system
to another on a common network.

cp can destroy a file
caution If the destination-file exists before you give a cp command, cp overwrites it. Because cp overwrites (and destroys the contents of) an existing destination-file without warning, you must take
care not to cause cp to overwrite a file that you need. The cp -i (interactive) option prompts you
before it overwrites a file. See page 139 for a tip on options.
The following example assumes that the file named orange.2 exists before you give the cp command. The user answers y to overwrite the file:
$ cp -i orange orange.2
cp: overwrite 'orange.2'? y

mv: CHANGES THE NAME OF A FILE
The mv (move) utility can rename a file without making a copy of it. The mv command line specifies an existing file and a new filename using the same syntax as cp:
mv existing-filename new-filename

The command line in Figure 5-3 changes the name of the file memo to memo.0130.
The initial ls command shows that memo is the only file in the directory. After you
give the mv command, memo.0130 is the only file in the directory. Compare this
result to that of the cp example in Figure 5-2.
The mv utility can be used for more than changing the name of a file. Refer to "mv,
cp: Move or Copy Files" on page 212. See the mv info page for more information.

mv can destroy a file
caution Just as cp can destroy a file, so can mv. Also like cp, mv has a -i (interactive) option. See the
caution box labeled "cp can destroy a file."

$ ls
memo
$ mv memo memo.0130
$ ls
memo.0130

Figure 5-3   mv renames a file
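The next script is an added example, not part of the book, that exercises the -i option from the rm tip and the cp and mv caution boxes above. The files orange, orange.2, and toollist are constructed; each function recreates them, feeds the y or n reply to the prompt from standard input, and reports what happened to the files, so you can see the effect of the reply without answering at a terminal.

```shell
#!/bin/sh
# Added example, not from the book. Work in a scratch directory that is
# removed when the script exits.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1

# rm -i prompts before each removal and reads the reply from standard
# input; only a reply that begins with y deletes the file.
# Prints "kept" or "removed" for the constructed file toollist.
rm_interactive() {
    printf 'tools\n' > toollist
    printf '%s\n' "$1" | rm -i toollist 2>/dev/null || true
    if [ -e toollist ]; then echo kept; else echo removed; fi
}

# cp -i prompts before overwriting an existing destination-file.
# Prints the content of orange.2 afterwards: "original" means the file
# was protected, "orange" means it was overwritten.
cp_interactive() {
    printf 'orange\n'   > orange
    printf 'original\n' > orange.2
    printf '%s\n' "$1" | cp -i orange orange.2 2>/dev/null || true
    cat orange.2
}

# mv -i behaves the same way, and on a y reply the source file is gone
# as well. Prints the destination content and whether orange survived.
mv_interactive() {
    printf 'orange\n'   > orange
    printf 'original\n' > orange.2
    printf '%s\n' "$1" | mv -i orange orange.2 2>/dev/null || true
    if [ -e orange ]; then
        echo "orange.2=$(cat orange.2) source=kept"
    else
        echo "orange.2=$(cat orange.2) source=gone"
    fi
}
```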

lpr: PRINTS A FILE
The lpr (line printer) utility places one or more files in a print queue for printing.
Linux provides print queues so that only one job is printed on a given printer at a
time. A queue allows several people or jobs to send output simultaneously to a single printer with the expected results. On systems that have access to more than one
printer, you can use lpstat -p to display a list of available printers. Use the -P option
to instruct lpr to place the file in the queue for a specific printer—even one that is
connected to another system on the network. The following command prints the file
named report:
$ lpr report

Because this command does not specify a printer, the output goes to the default
printer, which is the printer when you have only one printer.
The next command line prints the same file on the printer named mailroom:
$ lpr -P mailroom report

You can see which jobs are in the print queue by giving an lpstat -o command or by
using the lpq utility:
$ lpq
lp is ready and printing
Rank    Owner   Job     Files               Total Size
active  max     86      (standard input)    954061 bytes

In this example, Max has one job that is being printed; no other jobs are in the
queue. You can use the job number (86 in this case) with the lprm utility to remove
the job from the print queue and stop it from printing:
$ lprm 86

You can send more than one file to the printer with a single command. The following command line prints three files on the printer named laser1:
$ lpr -P laser1 05.txt 108.txt 12.txt

Refer to Chapter 14 for information on setting up a printer and defining the default
printer.


$ cat memo
Helen:
In our meeting on June 6 we
discussed the issue of credit.
Have you had any further thoughts
about it?
Max

$ grep 'credit' memo
discussed the issue of credit.

Figure 5-4   grep searches for a string

grep: SEARCHES FOR A STRING
The grep¹ utility searches through one or more files to see whether any contain a
specified string of characters. This utility does not change the file it searches but
simply displays each line that contains the string.
The grep command in Figure 5-4 searches through the file memo for lines that contain the string credit and displays the single line that meets this criterion. If memo
contained such words as discredit, creditor, or accreditation, grep would have displayed those lines as well because they contain the string it was searching for. The
-w (words) option causes grep to match only whole words. Although you do not
need to enclose the string you are searching for in single quotation marks, doing so
allows you to put SPACEs and special characters in the search string.
The grep utility can do much more than search for a simple string in a single file.
Refer to the grep info page and Appendix A, "Regular Expressions," for more
information.

head: DISPLAYS THE BEGINNING OF A FILE
By default the head utility displays the first ten lines of a file. You can use head to
help you remember what a particular file contains. For example, if you have a file
named months that lists the 12 months of the year in calendar order, one to a line,
then head displays Jan through Oct (Figure 5-5).
This utility can display any number of lines, so you can use it to look at only the
first line of a file, at a full screen, or even more. To specify the number of lines

1. Originally the name grep was a play on an ed—an original UNIX editor, available on Ubuntu
Linux—command: g/re/p. In this command g stands for global, re is a regular expression delimited by
slashes, and p means print.


$ head months
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
$ tail -5 months
Aug
Sep
Oct
Nov
Dec

Figure 5-5   head displays the first ten lines of a file

displayed, include a hyphen followed by the number of lines you want head to
display. For example, the following command displays only the first line of
months:
$ head -1 months
Jan

The head utility can also display parts of a file based on a count of blocks or characters rather than lines. Refer to the head info page for more information.

tail: DISPLAYS THE END OF A FILE
The tail utility is similar to head but by default displays the last ten lines of a file.
Depending on how you invoke it, this utility can display fewer or more than ten
lines, use a count of blocks or characters rather than lines to display parts of a file,
and display lines being added to a file that is changing. The tail command in
Figure 5-5 displays the last five lines (Aug through Dec) of the months file.
You can monitor lines as they are added to the end of the growing file named logfile
with the following command:
$ tail -f logfile

Press the interrupt key (usually CONTROL-C) to stop tail and display the shell prompt.
Refer to the tail info page for more information.


$ cat days
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday

$ sort days
Friday
Monday
Saturday
Sunday
Thursday
Tuesday
Wednesday

Figure 5-6   sort displays the lines of a file in order

sort: DISPLAYS A FILE IN ORDER
The sort utility displays the contents of a file in order by lines but does not change
the original file.
Figure 5-6 shows cat displaying the file named days, which contains the name of
each day of the week on a separate line in calendar order. The sort utility then displays the file in alphabetical order.
The sort utility is useful for putting lists in order. The -u option generates a sorted
list in which each line is unique (no duplicates). The -n option puts a list of numbers
in numerical order. Refer to the sort info page for more information.

uniq: REMOVES DUPLICATE LINES FROM A FILE
The uniq (unique) utility displays a file, skipping adjacent duplicate lines, but does
not change the original file. If a file contains a list of names and has two successive
entries for the same person, uniq skips the extra line (Figure 5-7).
If a file is sorted before it is processed by uniq, this utility ensures that no two lines
in the file are the same. (Of course, sort can do that all by itself with the -u option.)
Refer to the uniq info page for more information.
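The following script is an added example, not part of the book, that shows the grep -w, sort -u, sort -n, and uniq behavior described in the preceding sections on constructed files: a memo in which only one of the two lines containing the string credit contains the word credit, a list of names with both adjacent and separated duplicates, and a list of numbers that sort and sort -n order differently.

```shell
#!/bin/sh
# Added example, not from the book. Work in a scratch directory that is
# removed when the script exits.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1

# Constructed memo: two lines contain the string credit, but only the
# first of them contains the whole word credit.
printf '%s\n' 'Helen:' 'In our meeting on June 6 we' \
    'discussed the issue of credit.' \
    'The creditor asked for accreditation.' 'Max' > memo

# grep -c counts the matching lines instead of displaying them.
count_substring() { grep -c 'credit' memo; }    # creditor and accreditation match too
count_word()      { grep -cw 'credit' memo; }   # -w: only the whole word credit

# Constructed list with adjacent (Mary Mary) and separated (Mary ... Mary)
# duplicates.
printf '%s\n' Mary Cathy Mary Mary Fred Mary > names

# uniq skips only a line that repeats the line just before it, so the
# separated copies of Mary survive; sort -u leaves one copy of everything.
# grep -c '' counts the lines that come out of each command.
uniq_count()   { uniq names | grep -c ''; }
sort_u_count() { sort -u names | grep -c ''; }

# Constructed numbers: sort compares them character by character, so 10
# and 100 come before 9; sort -n compares their numeric values.
printf '%s\n' 10 9 100 > numbers
first_alpha()   { sort numbers | head -1; }
first_numeric() { sort -n numbers | head -1; }
```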

diff: COMPARES TWO FILES
The diff (difference) utility compares two files and displays a list of the differences
between them. This utility does not change either file; it is useful when you want to
compare two versions of a letter or a report or two versions of the source code for a
program.
The diff utility with the -u (unified output format) option first displays two lines
indicating which of the files you are comparing will be denoted by a plus sign (+)

WORKING WITH FILES

169

$ cat dups
Cathy
Fred
Joe
John
Mary
Mary
Paula
$ uniq dups
Cathy
Fred
Joe
John
Mary
Paula

Figure 5-7

uniq removes duplicate lines

and which by a minus sign (-). In Figure 5-8, a minus sign indicates the colors.1 file;
a plus sign indicates the colors.2 file.
The diff - u command breaks long, multiline text into hunks. Each hunk is preceded
by a line starting and ending with two at signs (@@). This hunk identifier indicates
the starting line number and the number of lines from each file for this hunk. In
Figure 5-8, the hunk covers the section of the colors. 1 file (indicated by a minus
sign) from the first line through the sixth line. The + 1 , 5 then indicates that the hunk
covers colors.2 from the first line through the fifth line.
Following these header lines, diff - u displays each line of text with a leading minus
sign, a leading plus sign, or a SPACE. A leading minus sign indicates that the line
occurs only in the file denoted by the minus sign. A leading plus sign indicates that
the line occurs only in the file denoted by the plus sign. A line that begins with a
SPACE (neither a plus sign nor a minus sign) occurs in both files in the same location.
Refer to the diff info page for more information.
$ diff -u colors.1 colors.2
--- colors.1    2010-07-29 16:41:11.000000000 -0700
+++ colors.2    2010-07-29 16:41:17.000000000 -0700
@@ -1,6 +1,5 @@
 red
+blue
 green
 yellow
-pink
-purple
 orange

Figure 5-8    diff displaying the unified output format
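The following script is an added example and not one of the book's own. It recreates the colors.1 and colors.2 files of Figure 5-8 in a temporary directory and then tallies the output of diff -u line by line using exactly the rules described above: the first two lines are the --- and +++ file headers, @@ lines are hunk headers, and every other line is classified by its leading +, - or SPACE. The function names (make_samples, diff_summary, demo_diff) are mine.

```shell
#!/bin/sh
# Added example (not from the book): classify the lines of a unified diff.

# make_samples DIR: write the colors.1 and colors.2 files of Figure 5-8
# into DIR (constructed sample data).
make_samples() {
    printf 'red\ngreen\nyellow\npink\npurple\norange\n' > "$1/colors.1"
    printf 'red\nblue\ngreen\nyellow\norange\n'         > "$1/colors.2"
}

# diff_summary OLD NEW: print "added=A removed=R common=C" for diff -u OLD NEW.
# Only the first two output lines are the --- and +++ file headers, so they are
# skipped by line number rather than by pattern; a removed line whose own text
# begins with "--" would otherwise be mistaken for a header.
diff_summary() {
    diff -u "$1" "$2" | awk '
        NR <= 2  { next }             # "--- old" and "+++ new" file headers
        /^@@/    { next }             # hunk header: @@ -start,len +start,len @@
        /^\\/    { next }             # "\ No newline at end of file" marker
        /^\+/    { added++;   next }  # only in the file marked +
        /^-/     { removed++; next }  # only in the file marked -
        /^ /     { common++;  next }  # in both files (context line)
        END { printf "added=%d removed=%d common=%d\n",
                     added + 0, removed + 0, common + 0 }'
}

# Demonstration: show the diff itself, then the tally.
demo_diff() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    diff -u "$tmp/colors.1" "$tmp/colors.2" || true   # diff exits 1 when files differ
    diff_summary "$tmp/colors.1" "$tmp/colors.2"
    rm -rf "$tmp"
}
demo_diff
```

For the files of Figure 5-8 the tally is one added line (blue), two removed lines (pink and purple) and four context lines. Identical files produce no diff output at all, so diff_summary then reports zeros; diff's exit status of 1 when the files differ is not an error, which is why the demonstration discards it.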


file: IDENTIFIES THE CONTENTS OF A FILE
You can use the file utility to learn about the contents of any file on a Linux system
without having to open and examine the file yourself. In the following example, file
reports that letter_e.bz2 contains data that was compressed by the bzip2 utility
(page 174):
$ file letter_e.bz2
letter_e.bz2: bzip2 compressed data, block size = 900k

Next file reports on two more files:
$ file memo zach.jpg
memo:     ASCII text
zach.jpg: JPEG image data, ... resolution (DPI), 72 x 72

Refer to the file man page for more information.

| (PIPE): COMMUNICATES BETWEEN PROCESSES
Because pipes are integral to the functioning of a Linux system, this chapter introduces them for use in examples. Pipes are covered in detail beginning on page 251.
A process is the execution of a command by Linux (page 328). Communication
between processes is one of the hallmarks of both UNIX and Linux. A pipe (written
as a vertical bar, |, on the command line and appearing as a solid or broken vertical
line on a keyboard) provides the simplest form of this kind of communication. Simply put, a pipe takes the output of one utility and sends that output as input to
another utility. Using UNIX/Linux terminology, a pipe takes standard output of one
process and redirects it to become standard input of another process. (For more
information refer to "Standard Input and Standard Output" on page 243.) Most of
what a process displays on the screen is sent to standard output. If you do not redirect it, this output appears on the screen. Using a pipe, you can redirect standard
output so it becomes standard input of another utility. For example, a utility such as
head can take its input from a file whose name you specify on the command line following the word head, or it can take its input from standard input. The following
command line sorts the lines of the months file (Figure 5-5, page 167) and uses head
to display the first four months of the sorted list:
$ sort months | head -4
Apr
Aug
Dec
Feb

The next command line displays the number of files in a directory. The wc (word
count) utility with the -w (words) option displays the number of words in its standard input or in a file you specify on the command line:
$ ls | wc -w
14

You can use a pipe to send output of a program to the printer:
$ tail months | lpr

FOUR MORE UTILITIES
The echo and date utilities are two of the most frequently used members of the large
collection of Linux utilities. The script utility records part of a session in a file, and
todos makes a copy of a text file that can be read on either a Windows or a
Macintosh machine.

echo: DISPLAYS TEXT
The echo utility copies the characters you type on the command line after echo to
the screen. Figure 5-9 shows some examples. The last example shows what the shell
does with an unquoted asterisk (*) on the command line: It expands the asterisk
into a list of filenames in the directory.
The echo utility is a good tool for learning about the shell and other Linux utilities.
Some examples on page 257 use echo to illustrate how special characters, such as
the asterisk, work. Throughout Chapters 7, 9, and 27, echo helps explain how shell
variables work and how you can send messages from shell scripts to the screen.
Refer to the coreutils info page, echo section for more information.
optional

You can use echo to create a simple file by redirecting its output to a file:
$ echo 'My new file.' > myfile
$ cat myfile
My new file.

The greater than (>) sign tells the shell to send the output of echo to the file named
myfile instead of to the screen. For more information refer to "Redirecting Standard
Output" on page 246.

$ ls
memo  memo.0714  practice
$ echo Hi
Hi
$ echo This is a sentence.
This is a sentence.
$ echo star: *
star: memo memo.0714 practice

Figure 5-9    echo copies the command line (but not the word echo) to the screen


date: DISPLAYS THE TIME AND DATE
The date utility displays the current date and time:
$ date
Thu Jan 21 10:24:00 PST 2010

The following example shows how you can choose the format and select the contents of the output of date:
$ date +"%A %B %d"
Thursday January 21

Refer to the date info page for more information.

script: RECORDS A SHELL SESSION
The script utility records all or part of a login session, including your input and the
system's responses. This utility is useful only from character-based devices, such as a
terminal or a terminal emulator. It does capture a session with vim; however, because
vim uses control characters to position the cursor and display different typefaces,
such as bold, the output will be difficult to read and may not be useful. When you cat
a file that has captured a vim session, the session quickly passes before your eyes.
By default script captures the session in a file named typescript. To specify a different
filename, follow the script command with a SPACE and the filename. To append to a
file, use the -a option after script but before the filename; otherwise script overwrites an existing file. Following is a session being recorded by script:
$ script
Script started, file is typescript
$ whoami
sam
$ ls -l /bin | head -5
total 6632
-rwxr-xr-x 1 root root  818232 2010-04-10 05:10 bash
-rwxr-xr-x 1 root root   30200 2010-02-08 02:54 bunzip2
-rwxr-xr-x 1 root root 1269432 2010-01-22 08:23 busybox
-rwxr-xr-x 1 root root   30200 2010-02-08 02:54 bzcat
$ exit
exit
Script done, file is typescript

Use the exit command to terminate a script session. You can then view the file you
created using cat, less, more, or an editor. Following is the file that was created by
the preceding script command:
$ cat typescript
Script started on Mon Sep 27 20:54:59 2010
$ whoami
sam
$ ls -l /bin | head -5
total 6632
-rwxr-xr-x 1 root root  818232 2010-04-10 05:10 bash
-rwxr-xr-x 1 root root   30200 2010-02-08 02:54 bunzip2
-rwxr-xr-x 1 root root 1269432 2010-01-22 08:23 busybox
-rwxr-xr-x 1 root root   30200 2010-02-08 02:54 bzcat
$ exit
exit
Script done on Mon Sep 27 20:55:29 2010

If you will be editing the file with vim, emacs, or another editor, you can use fromdos
(below) to eliminate from the typescript file the ^M characters that appear at the
ends of the lines. Refer to the script man page for more information.

todos: CONVERTS LINUX AND MACINTOSH FILES TO WINDOWS FORMAT
If you want to share a text file you created on a Linux system with someone on a
Windows or Macintosh system, you need to convert the file before the person on
the other system can read it easily. The todos (to DOS) utility converts a Linux text
file so it can be read on a Windows or Macintosh system. This utility is part of the
tofrodos software package; give the command sudo aptitude install tofrodos to
install this package. Give the following command to convert a file named memo.txt
(created with a text editor) to a DOS-format file:
$ todos memo.txt

You can now email the file as an attachment to someone on a Windows or Macintosh
system. Without any options, todos overwrites the original file. Use the -b (backup)
option to cause todos to make a copy of the file with a .bak filename extension before
modifying it.
fromdos You can use the fromdos utility to convert Windows or Macintosh files so they can
be read on a Linux system:
$ fromdos memo.txt

See the todos and fromdos man pages for more information.
tr You can also use tr (translate) to change a Windows or Macintosh text file into a
Linux text file. In the following example, the -d (delete) option causes tr to remove
RETURNS (represented by \r) as it makes a copy of the file:
$ cat memo | tr -d '\r' > memo.txt

The greater than (>) symbol redirects the standard output of tr to the file named
memo.txt. For more information refer to "Redirecting Standard Output" on
page 246. Converting a file the other way without using todos is not as easy.
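The script below is an added example, not code from the book or from the tofrodos package. It wraps the tr pipeline shown above in a function, adds the other direction using awk (my substitute for todos on a system where tofrodos is not installed), and adds a function that counts RETURN characters so you can check a file before and after conversion. The function names (from_crlf, to_crlf, count_cr, demo_line_endings) are mine. Note that to_crlf strips any RETURNS first, so running it on a file that is already in DOS format does not double them.

```shell
#!/bin/sh
# Added example (not from the book): line-ending conversion with plain POSIX
# tools, for systems where the tofrodos package is not installed.

# from_crlf FILE: write FILE to standard output with every RETURN (\r)
# removed, which is what the book's "tr -d '\r'" pipeline does.
from_crlf() {
    tr -d '\r' < "$1"
}

# to_crlf FILE: write FILE to standard output with RETURN NEWLINE line
# endings. Any RETURNS already present are removed first, so a file that is
# already in DOS format comes out unchanged instead of with doubled RETURNS.
to_crlf() {
    tr -d '\r' < "$1" | awk '{ printf "%s\r\n", $0 }'
}

# count_cr FILE: number of RETURN characters in FILE (0 for a Linux text file).
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Demonstration on a constructed DOS-format file.
demo_line_endings() {
    tmp=$(mktemp -d)
    printf 'meeting at 10\r\nbring the report\r\n' > "$tmp/memo"  # constructed sample
    echo "RETURNS before: $(count_cr "$tmp/memo")"
    from_crlf "$tmp/memo" > "$tmp/memo.txt"
    echo "RETURNS after:  $(count_cr "$tmp/memo.txt")"
    rm -rf "$tmp"
}
demo_line_endings
```

Each function writes to standard output, so redirect it to a new name as the book does with memo.txt; none of them modifies the file it reads.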


COMPRESSING AND ARCHIVING FILES
Large files use a lot of disk space and take longer than smaller files to transfer from
one system to another over a network. If you do not need to look at the contents of
a large file often, you may want to save it on a CD, DVD, or another medium and
remove it from the hard disk. If you have a continuing need for the file, retrieving a
copy from another medium may be inconvenient. To reduce the amount of disk
space you use without removing the file entirely, you can compress the file without
losing any of the information it holds. Similarly a single archive of several files
packed into a larger file is easier to manipulate, upload, download, and email than
multiple files. You may frequently download compressed, archived files from the
Internet. The utilities described in this section compress and decompress files and
pack and unpack archives.

bzip2: COMPRESSES A FILE
The bzip2 utility compresses a file by analyzing it and recoding it more efficiently.
The new version of the file looks completely different. In fact, because the new file
contains many nonprinting characters, you cannot view it directly. The bzip2 utility
works particularly well on files that contain a lot of repeated information, such as
text and image data, although most image data is already in a compressed format.
The following example shows a boring file. Each of the 8,000 lines of the letter_e
file contains 72 e's and a NEWLINE character that marks the end of the line. The file
occupies more than half a megabyte of disk storage.
$ ls -l
-rw-rw-r-- 1 sam sam 584000 2010-03-01 22:31 letter_e

The -l (long) option causes ls to display more information about a file. Here it
shows that letter_e is 584,000 bytes long. The -v (verbose) option causes bzip2 to
report how much it was able to reduce the size of the file. In this case, it shrank the
file by 99.99 percent:
$ bzip2 -v letter_e
letter_e: 11680.00:1, 0.001 bits/byte, 99.99% saved, 584000 in, 50 out.
$ ls -l
-rw-rw-r-- 1 sam sam 50 2010-03-01 22:31 letter_e.bz2

.bz2 filename Now the file is only 50 bytes long. The bzip2 utility also renamed the file, appending
the extension .bz2 to its name. This naming convention reminds you that the file is compressed;
you would not want to display or print it, for example, without first decompressing
it. The bzip2 utility does not change the modification date associated with the file,
even though it completely changes the file's contents.

Keep the original file by using the -k option
tip The bzip2 utility (and its counterpart, bunzip2) remove the original file when they compress or
decompress a file. Use the -k (keep) option to keep the original file.


In the following, more realistic example, the file zach.jpg contains a computer
graphics image:
$ ls -l
-rw-r--r-- 1 sam sam 33287 2010-03-01 22:40 zach.jpg

The bzip2 utility can reduce the size of the file by only 28 percent because the image
is already in a compressed format:
$ bzip2 -v zach.jpg
zach.jpg: 1.391:1, 5.749 bits/byte, 28.13% saved, 33287 in, 23922 out.
$ ls -l
-rw-r--r-- 1 sam sam 23922 2010-03-01 22:40 zach.jpg.bz2

Refer to the bzip2 man page, www.bzip.org, and the Bzip2 mini-HOWTO (see
page 142 for instructions on obtaining this document) for more information.

bunzip2 AND bzcat: DECOMPRESS A FILE
You can use the bunzip2 utility to restore a file that has been compressed with bzip2:
$ bunzip2 letter_e.bz2
$ ls -l
-rw-rw-r-- 1 sam sam 584000 2010-03-01 22:31 letter_e

$ bunzip2 zach.jpg.bz2
$ ls -l
-rw-r--r-- 1 sam sam 33287 2010-03-01 22:40 zach.jpg

The bzcat utility displays a file that has been compressed with bzip2. The equivalent
of cat for .bz2 files, bzcat decompresses the compressed data and displays the
decompressed data. Like cat, bzcat does not change the source file. The pipe in the
following example redirects the output of bzcat so instead of being displayed on the
screen it becomes the input to head, which displays the first two lines of the file:
$ bzcat letter_e.bz2 | head -2
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

After bzcat is run, the contents of letter_e.bz2 is unchanged; the file is still stored on
the disk in compressed form.
bzip2recover The bzip2recover utility supports limited data recovery from media errors. Give the
command bzip2recover followed by the name of the compressed, corrupted file
from which you want to try to recover data.

gzip: COMPRESSES A FILE
gunzip and zcat The gzip (GNU zip) utility is older and less efficient than bzip2. Its flags and operation are very similar to those of bzip2. A file compressed by gzip is marked by a .gz
filename extension. Linux stores manual pages in gzip format to save disk space;
likewise, files you download from the Internet are frequently in gzip format. Use
gzip, gunzip, and zcat just as you would use bzip2, bunzip2, and bzcat, respectively.
Refer to the gzip info page for more information.
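The script below is an added example and not code from the book. It measures, on constructed data, the point made with letter_e and zach.jpg above: a compressor saves a great deal on repetitive data and nothing on data that is already dense. It uses gzip so that it runs on any system, but the function accepts bzip2 as a second argument since, as the text says, the two take the same flags. The function names (saved_percent, make_letter_e, demo_ratio) are mine; the -c option is used so that the original file is left untouched, which serves the same purpose as the -k option in the tip above.

```shell
#!/bin/sh
# Added example (not from the book): measure what a compressor saves on
# different kinds of data without touching the original file. The result is
# a whole-number percentage; a value of zero or below means the compressed
# copy is no smaller (the 28 percent on zach.jpg above is the same effect
# in a milder form).

# saved_percent FILE [COMPRESSOR]: percent of FILE's size saved by COMPRESSOR
# (gzip by default; bzip2 takes the same flags). The -c option writes the
# compressed data to standard output, so FILE is left in place, much as the
# -k option would.
saved_percent() {
    comp=${2:-gzip}
    in_bytes=$(wc -c < "$1")
    out_bytes=$("$comp" -c "$1" | wc -c)
    echo $(( (in_bytes - out_bytes) * 100 / in_bytes ))
}

# make_letter_e FILE: recreate the book's letter_e file, 8,000 lines of 72 e's
# (584,000 bytes), as constructed sample data.
make_letter_e() {
    line=$(printf '%72s' '' | tr ' ' 'e')
    awk -v l="$line" 'BEGIN { for (i = 0; i < 8000; i++) print l }' > "$1"
}

# Demonstration: the repetitive file against 4 KB of random bytes, which
# stand in for data that is already compressed.
demo_ratio() {
    tmp=$(mktemp -d)
    make_letter_e "$tmp/letter_e"
    dd if=/dev/urandom of="$tmp/random.bin" bs=4096 count=1 2>/dev/null
    echo "letter_e:   $(saved_percent "$tmp/letter_e")% saved"
    echo "random.bin: $(saved_percent "$tmp/random.bin")% saved"
    rm -rf "$tmp"
}
demo_ratio
```

The exact figure for letter_e depends on the compressor, but it is above 99 percent with gzip and bzip2 alike, whereas the random file does not shrink at all because a compressor adds a small header and can find no repetition to remove.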


compress The compress utility can also compress files, albeit not as well as gzip. This utility
marks a file it has compressed by adding .Z to its name.

gzip versus zip
tip

Do not confuse gzip and gunzip with the zip and unzip utilities. These last two are used to pack
and unpack zip archives containing several files compressed into a single file that has been
imported from or is being exported to a system running Windows. The zip utility constructs a zip
archive, whereas unzip unpacks zip archives. The zip and unzip utilities are compatible with
PKZIP, a Windows program that compresses and archives files.

tar: PACKS AND UNPACKS ARCHIVES
The tar utility performs many functions. Its name is short for tape archive, as its
original function was to create and read archive and backup tapes. Today it is used
to create a single file (called a tar file, archive, or tarball) from multiple files or
directory hierarchies and to extract files from a tar file. The cpio utility (page 602)
performs a similar function.
In the following example, the first ls shows the sizes of the files g, b, and d. Next tar
uses the -c (create), -v (verbose), and -f (write to or read from a file) options to create an archive named all.tar from these files. Each line of output displays the name
of the file tar is appending to the archive it is creating.
The tar utility adds overhead when it creates an archive. The next command shows
that the archive file all.tar occupies about 9,700 bytes, whereas the sum of the sizes
of the three files is about 6,000 bytes. This overhead is more appreciable on smaller
files, such as the ones in this example:
$ ls -l g b d
-rw-r--r-- 1 zach other 1178 2010-08-20 14:16 b
-rw-r--r-- 1 zach zach  3783 2010-08-20 14:17 d
-rw-r--r-- 1 zach zach  1302 2010-08-20 14:16 g
$ tar -cvf all.tar g b d
g
b
d
$ ls -l all.tar
-rw-r--r-- 1 zach zach 9728 2010-08-20 14:17 all.tar
$ tar -tvf all.tar
-rw-r--r-- zach/zach  1302 2010-08-20 14:16 g
-rw-r--r-- zach/other 1178 2010-08-20 14:16 b
-rw-r--r-- zach/zach  3783 2010-08-20 14:17 d

The final command in the preceding example uses the -t option to display a table of
contents for the archive. Use -x instead of -t to extract files from a tar archive. Omit
the -v option if you want tar to do its work silently.2
2. Although the original UNIX tar did not use a leading hyphen to indicate an option on the command
line, the GNU/Linux version accepts hyphens, but works as well without them. This book precedes tar
options with a hyphen for consistency with most other utilities.


You can use bzip2, compress, or gzip to compress tar files, making them easier to
store and handle. Many files you download from the Internet will already be in one
of these formats. Files that have been processed by tar and compressed by bzip2 frequently have a filename extension of .tar.bz2 or .tbz. Those processed by tar and
gzip have an extension of .tar.gz or .tz, whereas files processed by tar and compress
use .tar.Z as the extension.
You can unpack a tarred and gzipped file in two steps. (Follow the same procedure if
the file was compressed by bzip2, but use bunzip2 instead of gunzip.) The next example shows how to unpack the GNU make utility after it has been downloaded
(ftp.gnu.org/pub/gnu/make/make-3.80.tar.gz):
$ ls -l mak*
-rw-r--r-- 1 sam sam 1564560 2010-04-12 15:51 make-3.81.tar.gz

$ gunzip mak*
$ ls -l mak*
-rw-r--r-- 1 sam sam 6072320 2010-04-12 15:51 make-3.81.tar

$ tar -xvf mak*
make-3.81/
make-3.81/config/
make-3.81/config/dospaths.m4
...
make-3.81/tests/run_make_tests.pl
make-3.81/tests/test_driver.pl

The first command lists the downloaded tarred and gzipped file: make-3.80.tar.gz
(about 1.2 megabytes). The asterisk (*) in the filename matches any characters in
any filenames (page 257), so ls displays a list of files whose names begin with mak;
in this case there is only one. Using an asterisk saves typing and can improve accuracy with long filenames. The gunzip command decompresses the file and yields
make-3.80.tar (no .gz extension), which is about 4.8 megabytes. The tar command
creates the make-3.80 directory in the working directory and unpacks the files into it.
$ ls -ld mak*
drwxr-xr-x 8 sam sam    4096 2006-03-31 22:42 make-3.81
-rw-r--r-- 1 sam sam 6072320 2010-04-12 15:51 make-3.81.tar

$ ls -l make-3.80
total 1816
-rw-r--r-- 1 sam sam 53838 2006-03-31 22:39 ABOUT-NLS
-rw-r--r-- 1 sam sam  4918 2006-02-11 14:16 acinclude.m4
-rw-r--r-- 1 sam sam 33872 2006-03-31 22:39 aclocal.m4
-rw-r--r-- 1 sam sam 14231 2002-10-14 14:54 alloca.c
...
-rw-r--r-- 1 sam sam 16907 2006-02-11 14:16 vmsjobs.c
-rw-r--r-- 1 sam sam 17397 2006-02-11 14:16 vpath.c
drwxr-xr-x 6 sam sam  4096 2006-03-31 22:42 w32

After tar extracts the files from the archive, the working directory contains two files
whose names start with mak: make-3.80.tar and make-3.80. The -d (directory)
option causes ls to display only file and directory names, not the contents of directories as it normally does. The final ls command shows the files and directories in the
make-3.80 directory. Refer to the tar info page for more information.


tar: the -x option may extract a lot of files
caution

Some tar archives contain many files. To list the files in the archive without unpacking them, run
tar with the -t option and the name of the tar file. In some cases you may want to create a new
directory (mkdir [page 208]), move the tar file into that directory, and expand it there. That way
the unpacked files will not mingle with existing files, and no confusion will occur. This strategy
also makes it easier to delete the extracted files. Depending on how they were created, some tar
files automatically create a new directory and put the files into it; the -t option indicates where tar
will place the files you extract.

tar: the -x option can overwrite files
caution

The -x option to tar overwrites a file that has the same filename as a file you are extracting. Follow
the suggestion in the preceding caution box to avoid overwriting files.

optional

You can combine the gunzip and tar commands on one command line with a pipe
(|), which redirects the output of gunzip so that it becomes the input to tar:
$ gunzip -c make-3.81.tar.gz | tar -xvf -

The -c option causes gunzip to send its output through the pipe instead of creating a file.
The final hyphen (-) causes tar to read from standard input. Refer to "Pipes" (page 251)
and gzip (page 175) for more information about how this command line works.
A simpler solution is to use the -z option to tar. This option causes tar to call gunzip
(or gzip when you are creating an archive) directly and simplifies the preceding command line to
$ tar -xvzf make-3.81.tar.gz

In a similar manner, the -j option calls bzip2 or bunzip2.
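The script below is an added example, not code from the book, and puts the two caution boxes above into practice: it runs tar with -t and, from the listing alone, reports whether the archive unpacks into a single directory or scatters files into the working directory, whether any member name is absolute or contains a .. component, and which members already exist in the directory you intend to extract into (the ones tar -x would overwrite). The function names (top_level_names, unsafe_names, existing_names, inspect_archive, demo_inspect) are mine, and the checks read member names from standard input so they also work on a saved listing.

```shell
#!/bin/sh
# Added example (not from the book): inspect an archive with tar -t before
# extracting it, as the caution boxes above recommend. Member names are read
# from standard input so the checks also work on a saved listing.

# top_level_names: distinct top-level path components of the member names.
# One name means the archive unpacks into its own directory; several mean
# tar -x will scatter files into the working directory.
top_level_names() {
    sed 's#^\./##; s#/.*##' | sort -u
}

# unsafe_names: members with an absolute name or a ".." component; extracting
# one of these could write outside the directory you extract into.
unsafe_names() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# existing_names DIR: members that already exist under DIR and that tar -x
# would overwrite without asking.
existing_names() {
    while IFS= read -r name; do
        if [ -e "$1/$name" ]; then printf '%s\n' "$name"; fi
    done
}

# inspect_archive ARCHIVE DIR: run all three checks on ARCHIVE, assuming it
# will be extracted into DIR.
inspect_archive() {
    list=$(tar -tf "$1")
    echo "top-level names:";  printf '%s\n' "$list" | top_level_names
    echo "unsafe names:";     printf '%s\n' "$list" | unsafe_names
    echo "would overwrite:";  printf '%s\n' "$list" | existing_names "$2"
}

# Demonstration on a constructed archive of two loose files, one of which
# already exists in the target directory.
demo_inspect() {
    tmp=$(mktemp -d)
    mkdir "$tmp/src" "$tmp/dst"
    printf 'one\n' > "$tmp/src/memo"; printf 'two\n' > "$tmp/src/notes"
    ( cd "$tmp/src" && tar -cf "$tmp/loose.tar" memo notes )
    printf 'old\n' > "$tmp/dst/memo"          # a file that extraction would clobber
    inspect_archive "$tmp/loose.tar" "$tmp/dst"
    rm -rf "$tmp"
}
demo_inspect
```

When top_level_names prints more than one line, follow the first caution and extract into a fresh directory; when existing_names prints anything, extracting in place will overwrite those files. GNU tar strips a leading / from member names unless you ask it not to, but the unsafe_names check costs nothing and also catches .. components.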

LOCATING COMMANDS
The whereis and mlocate utilities can help you find a command whose name you
have forgotten or whose location you do not know. When multiple copies of a utility or program are present, which tells you which copy you will run. The mlocate
utility searches for files on the local system.

which AND whereis: LOCATE A UTILITY
When you give Linux a command, the shell searches a list of directories for a program with that name and runs the first one it finds. This list of directories is called a
search path. For information on how to change the search path, refer to "PATH:
Where the Shell Looks for Programs" on page 319. If you do not change the search
path, the shell searches only a standard set of directories and then stops searching.
However, other directories on the system may also contain useful utilities.
which The which utility locates utilities by displaying the full pathname of the file for the
utility. (Chapter 6 contains more information on pathnames and the structure of the
Linux filesystem.) The local system may include several utilities that have the same
name. When you type the name of a utility, the shell searches for the utility in your
search path and runs the first one it finds. You can find out which copy of the utility
the shell will run by using which. In the following example, which reports the location of the tar utility:
$ which tar
/bin/tar

The which utility can be helpful when a utility seems to be working in unexpected
ways. By running which, you may discover that you are running a nonstandard
version of a tool or a different one from the one you expected. ("Important Standard Directories and Files" on page 213 provides a list of standard locations for
executable files.) For example, if tar is not working properly and you find that you
are running /usr/local/bin/tar instead of /bin/tar, you might suspect that the local
version is broken.
whereis The whereis utility searches for files related to a utility by looking in standard locations instead of using your search path. For example, you can find the locations for
files related to tar:
$ whereis tar
tar: /bin/tar /usr/include/tar.h /usr/share/man/man1/tar.1.gz

...

In this example whereis finds three references to tar: the tar utility file, a tar header
file, and the tar man page.

which versus whereis
tip Given the name of a utility, which looks through the directories in your search path (page 319),
in order, and locates the utility. If your search path includes more than one utility with the specified
name, which displays the name of only the first one (the one you would run).
The whereis utility looks through a list of standard directories and works independently of your
search path. Use whereis to locate a binary (executable) file, any manual pages, and source code
for a program you specify; whereis displays all the files it finds.

which, whereis, and builtin commands
caution

Both the which and whereis utilities report only the names for utilities as they are found on the
disk; they do not report shell builtins (utilities that are built into a shell; see page 261). When you
use whereis to try to find where the echo command (which exists as both a utility program and
a shell builtin) is kept, you get the following result:
$ whereis echo
echo: /bin/echo /usr/share/man/man1/echo.1.gz

The whereis utility does not display the echo builtin. Even the which utility reports the wrong
information:
$ which echo
/bin/echo

Under bash you can use the type builtin (page 1003) to determine whether a command is a builtin:
$ type echo
echo is a shell builtin
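The script below is an added example and not code from the book. It walks the search path by hand, the way the text above describes the shell doing it, and prints every copy of a utility in PATH order so that shadowed copies (the /usr/local/bin/tar case) become visible; it then uses the POSIX command -v builtin to tell a builtin from a program file, the distinction the caution box draws for echo. The function names (search_path, command_kind) are mine.

```shell
#!/bin/sh
# Added example (not from the book): walk the search path by hand and tell
# builtins from program files, the distinction the caution above draws.

# search_path NAME: print every executable file called NAME in the
# directories of $PATH, in search order. The first line is what the shell
# runs (and what "which NAME" reports); any later lines are shadowed copies.
search_path() {
    name=$1
    saved_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.             # an empty PATH entry means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s/%s\n' "$dir" "$name"
        fi
    done
    IFS=$saved_ifs
}

# command_kind NAME: "builtin" when the shell itself handles NAME (a builtin,
# function or alias; command -v then prints something other than a path),
# "file" when a program on disk would run, "not found" otherwise.
command_kind() {
    case $(command -v "$1" 2>/dev/null || true) in
        '')   echo "not found" ;;
        /*)   echo "file" ;;
        *)    echo "builtin" ;;
    esac
}

# Demonstration: echo is both a builtin and a program; the shell uses the
# builtin, yet a copy (or more) exists on disk, as the caution box explains.
echo "echo runs as a: $(command_kind echo)"
echo "copies of echo on disk:"
search_path echo
```

On a typical Ubuntu system search_path echo prints /bin/echo while command_kind echo prints builtin, which is exactly why which and whereis give a misleading answer for echo.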


mlocate: SEARCHES FOR A FILE
The mlocate utility searches for files on the local system:
$ mlocate upstart
/etc/init/upstart-udev-bridge.conf
/etc/network/if-down.d/upstart
/etc/network/if-up.d/upstart
/lib/init/upstart-job
/sbin/upstart-udev-bridge

This utility is part of the mlocate software package; give the command sudo aptitude install mlocate to install this package. Before you can use mlocate, the updatedb
utility must build or update the mlocate database. Typically the database is updated
once a day by a cron script (page 605).

If you are not on a network, skip to the vim tutorial
tip

If you are the only user on a system that is not connected to a network, you may want to skip to
the tutorial on the vim editor on page 186. If you are not on a network but are set up to send and
receive email, read "Email" on page 185.

OBTAINING USER AND SYSTEM INFORMATION
This section covers utilities that provide information about who is using the system,
what those users are doing, and how the system is running.
To find out who is using the local system, you can employ one of several utilities
that vary in the details they provide and the options they support. The oldest utility,
who, produces a list of users who are logged in on the local system, the device each
person is using, and the time each person logged in.
The w and finger utilities show more detail, such as each user's full name and the
command line each user is running. You can use the finger utility to retrieve information about users on remote systems if the local system is attached to a network.
Table 5-1 on page 183 summarizes the output of these utilities.

who: LISTS USERS ON THE SYSTEM
The who utility displays a list of users who are logged in on the local system. In
Figure 5-10 the first column who displays shows that Sam, Max, and Zach are logged
in. (Max is logged in from two locations.) The second column shows the device that
each user's terminal, workstation, or terminal emulator is connected to. The third column shows the date and time the user logged in. An optional fourth column shows (in
parentheses) the name of the system that a remote user logged in from.


$ who
sam      tty4         2010-07-25 17:18
max      tty2         2010-07-25 16:42
zach     tty1         2010-07-25 16:39
max      pts/4        2010-07-25 17:27 (coffee)

Figure 5-10    who lists who is logged in

The information that who displays is useful when you want to communicate with a
user on the local system. When the user is logged in, you can use write (page 184)
to establish communication immediately. If who does not list the user or if you do
not need to communicate immediately, you can send email to that person
(page 185).

If the output of who scrolls off the screen, you can redirect the output through a
pipe (|, page 170) so that it becomes the input to less, which displays the output one
screen at a time. You can also use a pipe to redirect the output through grep to look
for a specific name.
If you need to find out which terminal you are using or what time you logged in,
you can use the command who am i:
$ who am i
max      tty2         2010-07-25 16:42
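The script below is an added example and not code from the book. It takes the "pipe who through grep" idea one step further with awk, which lets you match the username column only (so that looking for sam does not also match samantha or a host name) and pick out the sessions whose optional fourth column names a remote system. The input is a constructed copy of Figure 5-10 so the script runs without anyone logged in; on a live system pipe the real output in with who | remote_sessions. The names WHO_SAMPLE, sessions_for and remote_sessions are mine.

```shell
#!/bin/sh
# Added example (not from the book): pick sessions out of who's output with
# awk. WHO_SAMPLE is a constructed copy of Figure 5-10.

WHO_SAMPLE='sam      tty4         2010-07-25 17:18
max      tty2         2010-07-25 16:42
zach     tty1         2010-07-25 16:39
max      pts/4        2010-07-25 17:27 (coffee)'

# sessions_for USER: every line whose first column is exactly USER. Unlike
# "grep USER", this does not match the name inside another username, a
# terminal name or a remote host name.
sessions_for() {
    awk -v u="$1" '$1 == u'
}

# remote_sessions: user, terminal and remote host for logins that carry a
# host name in parentheses as a fifth field; local sessions have only four.
remote_sessions() {
    awk 'NF >= 5 { host = $5; gsub(/[()]/, "", host); print $1, $2, host }'
}

# Demonstration on the sample: Max's two sessions, then the remote ones.
echo "sessions for max:"
printf '%s\n' "$WHO_SAMPLE" | sessions_for max
echo "remote sessions:"
printf '%s\n' "$WHO_SAMPLE" | remote_sessions
```

Because who prints one line per session, a user logged in twice appears twice, as Max does here; remote_sessions is a quick way to see which of those sessions came in over the network.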

finger: LISTS USERS ON THE SYSTEM
You can use finger to display a list of users who are logged in on the local system.
In addition to usernames, finger supplies each user's full name along with information about which device the user's terminal is connected to, how recently the
user typed something on the keyboard, when the user logged in, and what contact information is available. If the user has logged in over the network, the name
of the remote system is shown as the user's location. For example, in Figure 5-11
Max is logged in from the remote system named coffee. The asterisks (*) in front
of the device names in the Tty column indicate that the user has blocked messages sent directly to his terminal (refer to "mesg: Denies or Accepts Messages"
on page 185).
$ finger
Login     Name              Tty      Idle  Login Time   Office ...
max       Max Wild         *tty2          Jul 25 16:42
max       Max Wild          pts/4       3  Jul 25 17:27 (coffee)
sam       Sam the Great    *tty4      29  Jul 25 17:18
zach      Zach Brill       *tty1    1:07  Jul 25 16:39

Figure 5-11    finger I: lists who is logged in


$ finger max
Login: max
Name: Max Wild
Directory: /home/max
Shell: /bin/bash
On since Fri Jul 25 16:42 (PDT) on tty2 (messages off)
On since Fri Jul 25 17:27 (PDT) on pts/4 from coffee
3 minutes 7 seconds idle
New mail received Fri Jul 25 17:16 2010 (PDT)
Unread since Fri Jul 25 16:44 2010 (PDT)
Plan:
I will be at a conference in Hawaii all next week.
If you need to see me, contact Zach Brill, X1693.

Figure 5-12    finger II: lists details about one user

finger can be a security risk
security

On systems where security is a concern, the system administrator may disable finger. This utility
can reveal information that can help a malicious user break into a system.

You can also use finger to learn more about an individual by specifying a username
on the command line. In Figure 5-12, finger displays detailed information about
Max. Max is logged in and actively using one of his terminals (tty2); he has not
used his other terminal (pts/4) for 3 minutes and 7 seconds. You also learn from
finger that if you want to set up a meeting with Max, you should contact Zach at
extension 1693.

.plan and .project Most of the information in Figure 5-12 was collected by finger from system files.
The information shown after the heading Plan:, however, was supplied by Max. The
finger utility searched for a file named .plan in Max's home directory and displayed
its contents.
(Filenames that begin with a period, such as .plan, are not normally listed by ls and
are called hidden filenames [page 204].) You may find it helpful to create a .plan file
for yourself; it can contain any information you choose, such as your schedule,
interests, phone number, or address. In a similar manner, finger displays the contents
of the .project and .pgpkey files in your home directory. If Max had not been logged
in, finger would have reported only his user information, the last time he logged in,
the last time he read his email, and his plan.
$ w
 17:47:35 up 1 day,  8:10,  6 users,  load average: 0.34, 0.23, 0.26
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
sam      tty4                       17:18   29:14m  0.20s  0.00s vi memo
max      tty2                       16:42    0.00s  0.20s  0.07s w
zach     tty1                       16:39    1:07   0.05s  0.00s run_bdgt
max      pts/4    coffee            17:27    3:10m  0.24s  0.24s -bash

Figure 5-13    The w utility

You can also use finger to display a user's username. For example, on a system with
a user named Helen Simpson, you might know that Helen's last name is Simpson
but might not guess her username is hls. The finger utility, which is not case sensitive, can search for information on Helen using her first or last name. The following
commands find the information you seek as well as information on other users
whose names are Helen or Simpson:
$ finger HELEN
Login: hls                              Name: Helen Simpson.

$ finger simpson
Login: hls                              Name: Helen Simpson.

See page 389 for information about using finger over a network.

w: LISTS USERS ON THE SYSTEM

The w utility displays a list of the users who are logged in. As discussed in the section on who, the information that w displays is useful when you want to communicate with someone at your installation.
The first column in Figure 5-13 shows that Max, Zach, and Sam are logged in. The
second column shows the name of the device file each user's terminal is connected
to. The third column shows the system that a remote user is logged in from. The
fourth column shows the time each user logged in. The fifth column indicates how
long each user has been idle (how much time has elapsed since the user pressed a
key on the keyboard). The next two columns identify how much computer processor time each user has used during this login session and on the task that user is running. The last column shows the command each user is running.
The first line that the w utility displays includes the time of day, the period of time
the computer has been running (in days, hours, and minutes), the number of users
logged in, and the load average (how busy the system is). The three load average
numbers represent the number of jobs waiting to run, averaged over the past 1, 5,
and 15 minutes. Use the uptime utility to display just this line. Table 5-1 compares
the w, who, and finger utilities.
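The column-by-column description above is what a system administrator turns into routine checks: which sessions come from a remote host, and which have sat idle long enough to deserve a "did you forget to log out?" message. The shell functions below are an added example, not code from the book. They assume the column layout of the procps-ng w utility (USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT), a "-" in the FROM column for local logins, and the IDLE formats w prints ("0.20s", "29:14m" for minutes:seconds, "1:07" for hours:minutes, "2days"). W_SAMPLE is a constructed copy of the session list in Figure 5-13.

```shell
# Added example (not from the book): checks built on the columns of w output.
# Assumes procps-ng w(1): USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT, with "-" in
# FROM for local logins. W_SAMPLE is constructed to match Figure 5-13.
W_SAMPLE=' 17:47:35 up 1 day,  8:10,  6 users,  load average: 0.34, 0.23, 0.26
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
sam      tty4     -                17:18   29:14m  0.20s  0.00s vi memo
max      tty2     -                16:42    0.00s  0.20s  0.07s w
zach     tty1     -                16:39    1:07   0.05s  0.00s run_bdgt
max      pts/4    coffee           17:27    3:10m  0.24s  0.24s -bash'

# awk helper shared by the functions below: an IDLE field -> whole seconds.
# "2days" is tested first because it also ends in "s".
IDLE_AWK='function idle_secs(v,  t) {
    if (v ~ /days$/) { sub(/days$/, "", v); return v * 86400 }
    if (v ~ /s$/)    { sub(/s$/, "", v);    return int(v) }
    if (v ~ /m$/)    { sub(/m$/, "", v); split(v, t, ":"); return t[1] * 60 + t[2] }
    split(v, t, ":"); return t[1] * 3600 + t[2] * 60
}
'

# idle_to_seconds IDLE  -> seconds, e.g. 29:14m -> 1754
idle_to_seconds() {
    printf '%s\n' "$1" | awk "$IDLE_AWK"'{ print idle_secs($1) }'
}

# w_remote_sessions "W_OUTPUT"  -> "user tty host" for every session whose FROM
# column names a remote host; the first two lines (uptime, header) are skipped.
w_remote_sessions() {
    printf '%s\n' "$1" | awk 'NR > 2 && $3 != "-" { print $1, $2, $3 }'
}

# w_idle_at_least "W_OUTPUT" SECONDS  -> "user tty idle" for sessions idle at
# least SECONDS (the IDLE column is field 5).
w_idle_at_least() {
    printf '%s\n' "$1" | awk -v min="$2" "$IDLE_AWK"'
        NR > 2 && idle_secs($5) >= min { print $1, $2, $5 }'
}

# Against the live system:  w_remote_sessions "$(w)";  w_idle_at_least "$(w)" 1800
w_remote_sessions "$W_SAMPLE"        # max pts/4 coffee
w_idle_at_least "$W_SAMPLE" 600      # sam tty4 29:14m / zach tty1 1:07
```

Feeding the functions the live output of w is a one-liner, as the last comment shows; the threshold for w_idle_at_least is whatever your site considers an abandoned session.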
Table 5-1    Comparison of w, who, and finger

Information displayed                                 w    who   finger
Username                                              X    X     X
Terminal-line identification (tty)                    X    X     X
Login time (and day for old logins)                   X    X
Login date and time                                              X
Idle time                                             X          X
Program the user is executing                         X
Location the user logged in from                                 X
CPU time used                                         X
Full name (or other information from /etc/passwd)                X
User-supplied vanity information                                 X
System uptime and load average                        X

COMMUNICATING WITH OTHER USERS
You can use the utilities discussed in this section to exchange messages and files
with other users either interactively or through email.

write: SENDS A MESSAGE
The write utility sends a message to another user who is logged in. When you and
another user use write to send messages to each other, you establish two-way communication. Initially a write command (Figure 5-14) displays a banner on the other
user's terminal, saying that you are about to send a message.
The syntax of a write command line is
write username [terminal]

The username is the username of the user you want to communicate with. The terminal is an optional device name that is useful if the user is logged in more than
once. You can display the usernames and device names of all users who are logged
in on the local system by using who, w, or finger.
To establish two-way communication with another user, you and the other user must
each execute write, specifying the other's username as the username. The write utility
then copies text, line by line, from one keyboard/display to the other (Figure 5-15).
Sometimes it helps to establish a convention, such as typing o (for "over") when you
are ready for the other person to type and typing oo (for "over and out") when you
are ready to end the conversation. When you want to stop communicating with the
other user, press CONTROL-D at the beginning of a line. Pressing CONTROL-D tells write to
quit, displays EOF (end of file) on the other user's terminal, and returns you to the
shell. The other user must do the same.

$ write max
Hi Max, are you there? o

Figure 5-14    The write utility I

$ write max
Hi Max, are you there?
Message from max@bravo.example.com on pts/0 at 16:23 ...
Yes Zach, I'm here. o

Figure 5-15    The write utility II
If the Message from banner appears on your screen and obscures something you are
working on, press CONTROL-L or CONTROL-R to refresh the screen and remove the banner.
Then you can clean up, exit from your work, and respond to the person who is
writing to you. You have to remember who is writing to you, however, because the
banner will no longer appear on the screen.

mesg: DENIES OR ACCEPTS MESSAGES
By default, messages to your screen are blocked. Give the following mesg command
to allow other users to send you messages:
$ mesg y

If Max had not given this command before Zach tried to send him a message, Zach
might have seen the following message:
$ write max
write: max has messages disabled

You can block messages by entering mesg n. Give the command mesg by itself to
display is y (for "yes, messages are allowed") or is n (for "no, messages are not
allowed").
If you have messages blocked and you write to another user, write displays the following message because, even if you are allowed to write to another user, the user
will not be able to respond to you:
$ write max
write: write: you have write permission turned off.
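What mesg actually changes is a permission bit: mesg y sets the group-write bit on your terminal device, mesg n clears it, and mesg alone reports which state the device is in. That is why messages are blocked by default and why the setting is per terminal rather than per user. The functions below are an added example, not code from the book; they reproduce that logic on any path so the mechanism can be exercised on an ordinary temporary file (a constructed stand-in for a tty) and assume GNU stat with -c %A, as on Ubuntu.

```shell
# Added example (not from the book): mesg(1) as a permission bit on the terminal.
# Assumes GNU stat (-c %A). The temporary file below stands in for a tty device.

# mesg_state PATH  -> "is y" when the group- or other-write bit is set, else "is n"
# %A gives ten characters such as crw--w----; position 6 is group write,
# position 9 is other write.
mesg_state() {
    perms=$(stat -c %A "$1") || return 2
    case $perms in
        ?????w*|????????w*) echo "is y" ;;   # others may write to this terminal
        *)                  echo "is n" ;;   # only the owner may
    esac
}

# mesg_allow PATH / mesg_deny PATH  -> what "mesg y" and "mesg n" do to the tty
mesg_allow() { chmod g+w "$1"; }
mesg_deny()  { chmod g-w,o-w "$1"; }

# Demonstration on a constructed temporary file; on a login use "$(tty)" instead.
demo=$(mktemp) && chmod 600 "$demo"
mesg_state "$demo"     # is n
mesg_allow "$demo"
mesg_state "$demo"     # is y
mesg_deny "$demo"
mesg_state "$demo"     # is n
rm -f "$demo"
```

Because the state lives on the device file, ls -l /dev/pts and ls -l /dev/tty[0-9]* show at a glance which terminals on the system currently accept messages.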

EMAIL
Email enables you to communicate with users on the local system and, if the installation is part of a network, with other users on the network. If you are connected to
the Internet, you can communicate electronically with users around the world.
Email utilities differ from write in that email utilities can send a message when the
recipient is not logged in. In this case the email is stored until the recipient reads it.
These utilities can also send the same message to more than one user at a time.


Many email programs are available for Linux, including the original character-based
mail program, Mozilla/Thunderbird, pine, mail through emacs, KMail, and evolution.
Another popular graphical email program is sylpheed (sylpheed.good-day.net).
Two programs are available that can make any email program easier to use and
more secure. The procmail program (www.procmail.org) creates and maintains
email servers and mailing lists; preprocesses email by sorting it into appropriate files
and directories; starts various programs depending on the characteristics of incoming email; forwards email; and so on. The GNU Privacy Guard (GPG or GNUpg,
page 1113) encrypts and decrypts email and makes it almost impossible for an
unauthorized person to read.
Refer to Chapter 20 for more information on setting email clients and servers.
Network addresses If the local system is part of a LAN, you can generally send email to and receive
email from users on other systems on the LAN by using their usernames. Someone
sending Max email on the Internet would need to specify his domain name
(page 1146) along with his username. Use this address to send email to the author
of this book: mgs@sobell.com.

TUTORIAL: USING vim TO CREATE AND EDIT A FILE
This section explains how to start vim, enter text, move the cursor, correct text, save
the file to the disk, and exit from vim. The tutorial discusses three of the modes of
operation of vim and explains how to switch from one mode to another.
vimtutor In addition to working with this tutorial, you may want to try vim's instructional
program, named vimtutor. Give its name as a command to run it.

vimtutor and vim help files are not installed by default
tip To run vimtutor and to get help as described on page 190, you must install the vim-runtime package; give the command sudo aptitude install vim-runtime to install this package.
Specifying a terminal Because vim takes advantage of features that are specific to various kinds of terminals, you must tell it what type of terminal or terminal emulator you are using. On
many systems, and usually when you work on a terminal emulator, your terminal
type is set automatically. If you need to specify your terminal type explicitly, refer to
"Specifying a Terminal" on page 1106.

STARTING vim
Start vim with the following command to create and edit a file named practice:
$ vim practice

When you press RETURN, the command line disappears, and the screen looks similar to
the one shown in Figure 5-16.
The tildes (~) at the left of the screen indicate that the file is empty. They disappear
as you add lines of text to the file. If your screen looks like a distorted version of the
one shown in Figure 5-16, your terminal type is probably not set correctly.

Figure 5-16    Starting vim

vim is not installed by default: use vim.tiny
tip The full version of the vim editor is not installed by default. Instead, a small version of vim, named
vim.tiny is installed. You can either replace each vim command in this section with vim.tiny, or
you can install the full vim editor by giving the command sudo aptitude install vim and then use
the vim command as shown in this section.

The vi command runs vim
tip On Ubuntu Linux systems the command vi runs vim in vi-compatible mode (page 193).

If you start vim with a terminal type that is not in the terminfo database, vim displays an error message and the terminal type defaults to ansi, which works on many
terminals. In the following example, the user mistyped vt100 and set the terminal
type to vg100:
E558: Terminal entry not found in terminfo
'vg100' not known. Available builtin terminals are:
    builtin_ansi
    builtin_xterm
    builtin_iris-ansi
    builtin_dumb
defaulting to 'ansi'

Emergency exit To reset the terminal type, press ESCAPE and then give the following command to exit
from vim and display the shell prompt:
:q!

When you enter the colon (:), vim moves the cursor to the bottom line of the screen.
The characters q! tell vim to quit without saving your work. (You will not ordinarily
exit from vim this way because you typically want to save your work.) You must
press RETURN after you give this command. Once you get the shell prompt back, refer
to "Specifying a Terminal" on page 1106, and then start vim again.

                       VIM - Vi IMproved
                        version 7.2.330
                    by Bram Moolenaar et al.
           Vim is open source and freely distributable

                  Help poor children in Uganda!
          type  :help iccf<Enter>       for information

          type  :q<Enter>               to exit
          type  :help<Enter>  or  <F1>  for on-line help
          type  :help version7<Enter>   for version info

Figure 5-17    Starting vim without a filename
If you start this editor without a filename, vim assumes that you are a novice and
tells you how to get started (Figure 5-17).
The practice file is new so it does not contain any text. The vim editor displays a
message similar to the one shown in Figure 5-16 on the status (bottom) line of the
terminal to indicate that you are creating and editing a new file. When you edit an
existing file, vim displays the first few lines of the file and gives status information
about the file on the status line.

COMMAND AND INPUT MODES
Two of vim's modes of operation are Command mode (also called Normal mode)
and Input mode (Figure 5-18). While vim is in Command mode, you can give vim
commands. For example, you can delete text or exit from vim. You can also command vim to enter Input mode. In Input mode, vim accepts anything you enter as
text and displays it on the screen. Press ESCAPE to return vim to Command mode. By
default the vim editor keeps you informed about which mode it is in: It displays
INSERT at the lower-left corner of the screen while it is in Insert mode.
The following command causes vim to display line numbers next to the text you are
editing:
:set number RETURN

Last Line mode The colon (:) in the preceding command puts vim into another mode, Last Line mode.
While in this mode, vim keeps the cursor on the bottom line of the screen. When you
finish entering the command by pressing RETURN, vim restores the cursor to its place in
the text. Give the command :set nonumber RETURN to turn off line numbers.

Figure 5-18    Modes in vim: Command mode; Input mode (entered with Insert, Append, Open, Replace, or Change, left with ESCAPE); Last Line mode (entered with Colon (:), left with RETURN)

vim is case sensitive When you give vim a command, remember that the editor is case sensitive. In
other words, vim interprets the same letter as two different commands, depending
on whether you enter an uppercase or lowercase character. Beware of the CAPS LOCK
(SHIFTLOCK) key. If you set this key to enter uppercase text while you are in Input
mode and then exit to Command mode, vim interprets your commands as uppercase letters. It can be confusing when this happens because vim does not appear to
be executing the commands you are entering.

ENTERING TEXT
i/a (Input mode) When you start vim, you must put it in Input mode before you can enter text. To put vim
in Input mode, press the i (insert before cursor) key or the a (append after cursor) key.
If you are not sure whether vim is in Input mode, press the ESCAPE key; vim returns to
Command mode if it was in Input mode or beeps, flashes, or does nothing if it is
already in Command mode. You can put vim back in Input mode by pressing the i
or a key again.
While vim is in Input mode, you can enter text by typing on the keyboard. If the text
does not appear on the screen as you type, vim is not in Input mode.
To continue with this tutorial, enter the sample paragraph shown in Figure 5-19
(next page), pressing the RETURN key at the end of each line. If you do not press RETURN
before the cursor reaches the right side of the screen or window, vim wraps the text
so that it appears to start a new line. Physical lines will not correspond to programmatic (logical) lines in this situation, so editing will be more difficult. While you are
using vim, you can always correct any typing mistakes you make. If you notice a
mistake on the line you are entering, you can correct it before you continue
(page 190). You can correct other mistakes later. When you finish entering the paragraph, press ESCAPE to return vim to Command mode.

If you are not sure whether vim is in Input mode, press the ESCAPE
key; vim returns to Command mode if it was in Input mode or beeps,
flashes, or does nothing if it is already in Command mode. You can
put vim back in Input mode by pressing the i or a key again.

-- INSERT --

Figure 5-19    Entering text with vim

GETTING HELP
You must have the vim-runtime package installed to use vim's help system; see the
tip on page 186.
To get help while you are using vim, give the command :help [feature] followed by
RETURN (you must be in Command mode when you give this command). The colon
moves the cursor to the last line of the screen. If you type :help, vim displays an
introduction to vim Help (Figure 5-20). Each dark band near the bottom of the
screen names the file that is displayed above it. (Each area of the screen that displays a file, such as the two areas shown in Figure 5-20, is a vim "window.") The
help.txt file occupies most of the screen (the upper window) in Figure 5-20. The file
that is being edited (practice) occupies a few lines in the lower portion of the screen
(the lower window).
Read through the introduction to Help by scrolling the text as you read. Press j or
the DOWN ARROW key to move the cursor down one line at a time; press CONTROL-D or
CONTROL-U to scroll the cursor down or up half a window at a time. Give the command
:q to close the Help window.
You can display information about the insert commands by giving the command
:help insert while vim is in Command mode (Figure 5-21).

CORRECTING TEXT AS YOU INSERT IT
The keys that back up and correct a shell command line serve the same functions
when vim is in Input mode. These keys include the erase, line kill, and word kill keys
(usually CONTROL-H, CONTROL-U, and CONTROL-W, respectively). Although vim may not
remove deleted text from the screen as you back up over it using one of these keys,
the editor does remove it when you type over the text or press RETURN.

*help.txt*      For Vim version 7.2.  Last change: 2008 Jul 21

                        VIM - main help file
                                                                         k
      Move around:  Use the cursor keys, or "h" to go left,         h   l
                    "j" to go down, "k" to go up, "l" to go right.     j
Close this window:  Use ":q".
   Get out of Vim:  Use ":qa!" (careful, all changes are lost!).

Jump to a subject:  Position the cursor on a tag (e.g. |bars|) and hit CTRL-].
   With the mouse:  ":set mouse=a" to enable the mouse (in xterm or GUI).
                    Double-click the left mouse button on a tag, e.g. |bars|.
        Jump back:  Type CTRL-T or CTRL-O (repeat to go further back).

Get specific help:  It is possible to go directly to whatever you want help
                    on, by giving an argument to the |:help| command.
                    It is possible to further specify the context:
                                                        *help-context*
                          WHAT                  PREPEND    EXAMPLE
If you are not sure whether vim is in Input mode, press the ESCAPE
key; vim returns to Command mode if it was in Input mode or beeps,
flashes, or does nothing if it is already in Command mode. You can
put vim back in Input mode by pressing the i or a key again.
"help.txt" [readonly] 217L, 8055C

Figure 5-20    The main vim Help screen

MOVING THE CURSOR
You need to be able to move the cursor on the screen so that you can delete,
insert, and correct text. While vim is in Command mode, you can use the RETURN
key, the SPACE bar, and the ARROW keys to move the cursor. If you prefer to keep your
hand closer to the center of the keyboard, if your terminal does not have ARROW
keys, or if the emulator you are using does not support them, you can use the h,
j, k, and l (lowercase "l") keys to move the cursor left, down, up, and right,
respectively.
                                                        *i* *insert*
i                       Insert text before the cursor [count] times.
                        When using CTRL-O in Insert mode |i_CTRL-O| the count
                        is not supported.

                                                        *I*
I                       Insert text before the first non-blank in the line
                        [count] times.
                        When the 'H' flag is present in 'cpoptions' and the
                        line only contains blanks, insert start just before
                        the last blank.

                                                        *gI*
gI                      Insert text in column 1 [count] times.  {not in Vi}

                                                        *gi*
gi                      Insert text in the same position as where Insert mode
                        was stopped last time in the current buffer.
                        This uses the |'^| mark.  It's different from
                        when the mark is past the end of the line.
insert.txt [Help][RO]
If you are not sure whether vim is in Input mode, press the ESCAPE
key; vim returns to Command mode if it was in Input mode or beeps,
flashes, or does nothing if it is already in Command mode. You can
"insert.txt" [readonly] 1879L, 77029C

Figure 5-21    Help with insert commands


DELETING TEXT
x (Delete character) You can delete a single character by moving the cursor until it is over the character
dw (Delete word) you want to delete and then giving the command x. You can delete a word by positioning
dd (Delete line) the cursor on the first letter of the word and then giving the command dw
(Delete word). You can delete a line of text by moving the cursor until it is anywhere
on the line and then giving the command dd.

UNDOING MISTAKES
u (Undo) If you delete a character, line, or word by mistake or give any command you want
to reverse, give the command u (Undo) immediately after the command you want to
undo. The vim editor will restore the text to the way it was before you gave the last
command. If you give the u command again, vim will undo the command you gave
before the one it just undid. You can use this technique to back up over many of
your actions. With the compatible parameter (page 193) set, however, vim can undo
only the most recent change.
:redo (Redo) If you undo a command you did not mean to undo, give a Redo command: CONTROL-R
or :redo (followed by a RETURN). The vim editor will redo the undone command. As
with the Undo command, you can give the Redo command many times in a row.

ENTERING ADDITIONAL TEXT
i (Insert) When you want to insert new text within existing text, move the cursor so it is on
a (Append) the character that follows the new text you plan to enter. Then give the i (Insert)
command to put vim in Input mode, enter the new text, and press ESCAPE to return vim
to Command mode. Alternatively, you can position the cursor on the character that
precedes the new text and use the a (Append) command.
o/O (Open) To enter one or more lines, position the cursor on the line above where you want
the new text to go. Give the command o (Open). The vim editor opens a blank line
below the line the cursor was on, puts the cursor on the new, empty line, and goes
into Input mode. Enter the new text, ending each line with a RETURN. When you are
finished entering text, press ESCAPE to return vim to Command mode. The O command works in the same way o works, except it opens a blank line above the line
the cursor is on.

CORRECTING TEXT
To correct text, use dd, dw, or x to remove the incorrect text. Then use i, a, o, or O
to insert the correct text.
For example, to change the word pressing to hitting in Figure 5-19 on page 190,
you might use the ARROW keys to move the cursor until it is on top of the p in pressing. Then give the command dw to delete the word pressing. Put vim in Input mode
by giving an i command, enter the word hitting followed by a SPACE, and press ESCAPE.
The word is changed and vim is in Command mode, waiting for another command.
A shorthand for the two commands dw followed by the i command is cw (Change
word). The command cw puts vim into Input mode.


Page breaks for the printer
tip CONTROL-L tells the printer to skip to the top of the next page. You can enter this character anywhere
in a document by pressing CONTROL-L while you are in Input mode. If ^L does not appear, press
CONTROL-V before CONTROL-L.

ENDING THE EDITING S E S S I O N
While you are editing, vim keeps the edited text in an area named the Work buffer.
When you finish editing, you must write out the contents of the Work buffer to a
disk file so that the edited text is saved and available when you next want it.
Make sure vim is in Command mode, and use the ZZ command (you must use
uppercase Zs) to write your newly entered text to the disk and end the editing session. After you give the ZZ command, vim returns control to the shell. You can exit
with :q! if you do not want to save your work.

Do not confuse ZZ with CONTROL-Z
caution When you exit from vim with ZZ, make sure that you type ZZ and not CONTROL-Z (typically the suspend key). When you press CONTROL-Z, vim disappears from your screen, almost as though you
had exited from it. In fact, vim will continue running in the background with your work unsaved.
Refer to "Job Control" on page 307. If you try to start editing the same file with a new vim command, vim displays a message about a swap file.
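The swap file mentioned in the caution is what makes a suspended or killed vim session visible afterwards: vim keeps a swap file named .file.swp (then .swo, .swn, and so on if several exist) beside the file it is editing, and removes it only on a clean exit such as ZZ. The functions below are an added example, not code from the book; they find leftover swap files under a directory and, for each, say whether the edited file is missing, was written after the swap file (the swap is probably stale), or is older than it (unsaved work may be waiting, and vim -r with no filename lists what vim itself can recover). The file names in the demonstration are hypothetical and the directory is constructed.

```shell
# Added example (not from the book): account for vim swap files left behind.

# swap_to_original SWAPFILE  -> the file the swap belongs to
#   /home/max/.practice.swp -> /home/max/practice
swap_to_original() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    base=${base#.}            # drop the leading dot
    base=${base%.sw[a-p]}     # drop the .swp / .swo / ... suffix
    printf '%s/%s\n' "$dir" "$base"
}

# vim_swap_report DIR  -> one line per swap file: swapfile original verdict
#   missing  the edited file no longer exists (or was never written)
#   newer    the file was written after the swap file; swap is probably stale
#   pending  the swap file is newer; unsaved work may be recoverable (vim -r)
vim_swap_report() {
    find "$1" -type f -name '.*.sw[a-p]' 2>/dev/null | sort |
    while IFS= read -r swp; do
        orig=$(swap_to_original "$swp")
        if [ ! -e "$orig" ]; then verdict=missing
        elif [ "$orig" -nt "$swp" ]; then verdict=newer
        else verdict=pending
        fi
        printf '%s %s %s\n' "$swp" "$orig" "$verdict"
    done
}

# Demonstration on a constructed directory with hypothetical file names:
# an old "practice" file and a fresh swap file for it.
demo=$(mktemp -d)
touch -t 202001010000 "$demo/practice"
touch "$demo/.practice.swp"
vim_swap_report "$demo"       # <demo>/.practice.swp <demo>/practice pending
rm -rf "$demo"
```

Run vim_swap_report against a home directory after a session that ended with CONTROL-Z rather than ZZ; a "pending" line is the one to open with vim -r before the swap file is deleted.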

THE compatible PARAMETER
The compatible parameter makes vim more compatible with vi. By default this
parameter is not set. From the command line use the -C option to set the compatible parameter and use the -N option to unset it. To get started with vim you can
ignore this parameter.
Setting the compatible parameter changes many aspects of how vim works. For
example, when the compatible parameter is set, the Undo command (page 192) can
undo only your most recent change; in contrast, with the compatible parameter
unset, you can call Undo repeatedly to undo many changes. To obtain more details
on the compatible parameter, give the command :help compatible RETURN. To display
a complete list of vim's differences from the original vi, use :help vi-diff RETURN. See
page 190 for a discussion of the help command.

CHAPTER SUMMARY
The utilities introduced in this chapter are a small but powerful subset of the many
utilities available on an Ubuntu Linux system. Because you will use them frequently
and because they are integral to the following chapters, it is important that you
become comfortable using them.


The utilities listed in Table 5-2 manipulate, display, compare, and print files.
Table 5-2    File utilities

Utility     Function
cp          Copies one or more files (page 163)
diff        Displays the differences between two files (page 168)
file        Displays information about the contents of a file (page 170)
grep        Searches file(s) for a string (page 166)
head        Displays the lines at the beginning of a file (page 166)
lpq         Displays a list of jobs in the print queue (page 165)
lpr         Places file(s) in the print queue (page 165)
lprm        Removes a job from the print queue (page 165)
mv          Renames a file or moves file(s) to another directory (page 164)
sort        Puts a file in order by lines (page 168)
tail        Displays the lines at the end of a file (page 167)
uniq        Displays the contents of a file, skipping adjacent duplicate lines (page 168)

To reduce the amount of disk space a file occupies, you can compress it with the bzip2
utility. Compression works especially well on files that contain patterns, as do most
text files, but reduces the size of almost all files. The inverse of bzip2—bunzip2—
restores a file to its original, decompressed form. Table 5-3 lists utilities that compress
and decompress files. The bzip2 utility is the most efficient of these.
Table 5-3    (De)compression utilities

Utility     Function
bunzip2     Returns a file compressed with bzip2 to its original size and format (page 175)
bzcat       Displays a file compressed with bzip2 (page 175)
bzip2       Compresses a file (page 174)
compress    Compresses a file (not as well as bzip2 or gzip; page 176)
gunzip      Returns a file compressed with gzip or compress to its original size and format (page 175)
gzip        Compresses a file (not as well as bzip2; page 175)
zcat        Displays a file compressed with gzip (page 175)

An archive is a file, frequently compressed, that contains a group of files. The tar
utility (Table 5-4) packs and unpacks archives. The filename extensions .tar.bz2,
.tar.gz, and .tgz identify compressed tar archive files and are often seen on software
packages obtained over the Internet.
Table 5-4    Archive utility

Utility     Function
tar         Creates or extracts files from an archive file (page 176)

The utilities listed in Table 5-5 determine the location of a utility on the local system. For example, they can display the pathname of a utility or a list of C++ compilers available on the local system.
Table 5-5    Location utilities

Utility     Function
locate      Searches for files on the local system (page 180)
whereis     Displays the full pathnames of a utility, source code, or man page (page 178)
which       Displays the full pathname of a command you can run (page 178)

Table 5-6 lists utilities that display information about other users. You can easily
learn a user's full name, the user's login status, the login shell of the user, and other
items of information maintained by the system.
Table 5-6    User and system information utilities

Utility     Function
finger      Displays detailed information about users, including their full names (page 181)
hostname    Displays the name of the local system (page 163)
w           Displays detailed information about users who are logged in on the local system (page 183)
who         Displays information about users who are logged in on the local system (page 180)

The utilities shown in Table 5-7 can help you stay in touch with other users on the
local network.
Table 5-7    User communication utilities

Utility     Function
mesg        Permits or denies messages sent by write (page 185)
write       Sends a message to another user who is logged in (page 184)


Table 5-8 lists miscellaneous utilities.
Table 5-8    Miscellaneous utilities

Utility     Function
date        Displays the current date and time (page 172)
echo        Copies its arguments (page 1135) to the screen (page 171)
vim         Edits text (page 186)

EXERCISES
1. Which commands can you use to determine who is logged in on a specific
terminal?
2. How can you keep other users from using write to communicate with you?
Why would you want to?
3. What happens when you give the following commands if the file named
done already exists?
$ cp to_do done
$ mv to_do done

4. How can you find out which utilities are available on your system for editing files? Which utilities are available for editing on your system?
5. How can you find the phone number for Ace Electronics in a file named
phone that contains a list of names and phone numbers? Which command
can you use to display the entire file in alphabetical order? How can you
display the file without any adjacent duplicate lines? How can you display
the file without any duplicate lines?
6. What happens when you use diff to compare two binary files that are not
identical? (You can use gzip to create the binary files.) Explain why the diff
output for binary files is different from the diff output for ASCII files.
7. Create a .plan file in your home directory. Does finger display the contents
of your .plan file?
8. What is the result of giving the which utility the name of a command that
resides in a directory that is not in your search path?
9. Are any of the utilities discussed in this chapter located in more than one
directory on the local system? If so, which ones?
10. Experiment by calling the file utility with the names of files in /usr/bin.
How many different types of files are there?

11. Which command can you use to look at the first few lines of a file named
status.report? Which command can you use to look at the end of the file?

ADVANCED EXERCISES
12. Re-create the colors.1 and colors.2 files used in Figure 5-8 on page 169.
Test your files by running diff -u on them. Do you get the same results as
in the figure?
13. Try giving these two commands:
$ echo cat
$ cat echo

Explain the differences between the output of each command.
14. Repeat exercise 5 using the file phone.gz, a compressed version of the list
of names and phone numbers. Consider more than one approach to
answer each question, and explain how you made your choices.
15. Find existing files or create files that
a. gzip compresses by more than 80 percent.
b. gzip compresses by less than 10 percent.
c. Get larger when compressed with gzip.
d. Use ls -l to determine the sizes of the files in question. Can you characterize the files in a, b, and c?
16. Older email programs were not able to handle binary files. Suppose that
you are emailing a file that has been compressed with gzip, which produces
a binary file, and the recipient is using an old email program. Refer to the
man page on uuencode, which converts a binary file to ASCII. Learn about
the utility and how to use it.
a. Convert a compressed file to ASCII using uuencode. Is the encoded file
larger or smaller than the compressed file? Explain. (If uuencode is not
on the local system, you can install it using aptitude [page 519]; it is part
of the sharutils package.)
b. Would it ever make sense to use uuencode on a file before compressing
it? Explain.

6
THE LINUX FILESYSTEM

IN THIS CHAPTER

The Hierarchical Filesystem . . . 200
Directory Files and Ordinary Files . . . 200
The Working Directory . . . 204
Your Home Directory . . . 204
Pathnames . . . 205
Relative Pathnames . . . 206
Working with Directories . . . 207
Access Permissions . . . 215
ACLs: Access Control Lists . . . 221
Hard Links . . . 228
Symbolic Links . . . 230

A filesystem is a set of data structures (page 1144) that usually resides on part of a disk and that holds directories of files. Filesystems store user and system data that are the basis of users' work on the system and the system's existence. This chapter discusses the organization and terminology of the Linux filesystem, defines ordinary and directory files, and explains the rules for naming them. It also shows how to create and delete directories, move through the filesystem, and use absolute and relative pathnames to access files in various directories. It includes a discussion of important files and directories as well as file access permissions and Access Control Lists (ACLs), which allow you to share selected files with other users. It concludes with a discussion of hard and symbolic links, which can make a single file appear in more than one directory.

In addition to reading this chapter, you may want to refer to the df man page and to the fsck, mkfs, and tune2fs man pages for more information on filesystems.

Figure 6-1 A family tree

THE HIERARCHICAL FILESYSTEM

Family tree
A hierarchical structure (page 1151) frequently takes the shape of a pyramid. One example of this type of structure is found by tracing a family's lineage: A couple has a child, who may in turn have several children, each of whom may have more children. This hierarchical structure is called a family tree (Figure 6-1).

Directory tree
Like the family tree it resembles, the Linux filesystem is called a tree. It consists of a set of connected files. This structure allows you to organize files so you can easily find any particular one. On a standard Linux system, each user starts with one directory, to which the user can add subdirectories to any desired level. By creating multiple levels of subdirectories, a user can expand the structure as needed.

Subdirectories
Typically each subdirectory is dedicated to a single subject, such as a person, project, or event. The subject dictates whether a subdirectory should be subdivided further. For example, Figure 6-2 shows a secretary's subdirectory named correspond. This directory contains three subdirectories: business, memos, and personal. The business directory contains files that store each letter the secretary types. If you expect many letters to go to one client, as is the case with milk_co, you can dedicate a subdirectory to that client.

One major strength of the Linux filesystem is its ability to adapt to users' needs. You can take advantage of this strength by strategically organizing your files so they are most convenient and useful for you.

DIRECTORY FILES AND ORDINARY FILES

Figure 6-2 A secretary's directories

Like a family tree, the tree representing the filesystem is usually pictured upside down, with its root at the top. Figures 6-2 and 6-3 show that the tree "grows" downward from the root, with paths connecting the root to each of the other files. At the end of each path is either an ordinary file or a directory file. Special files, which can also appear at the ends of paths, are described on page 501.

Ordinary files, or simply files, appear at the ends of paths that cannot support other paths. Directory files, also referred to as directories or folders, are the points that other paths can branch off from. (Figures 6-2 and 6-3 show some empty directories.) When you refer to the tree, up is toward the root and down is away from the root. Directories directly connected by a path are called parents (closer to the root) and children (farther from the root). A pathname is a series of names that trace a path along branches from one file to another. See page 205 for more information about pathnames.

FILENAMES

Figure 6-3 Directories and ordinary files

Every file has a filename. The maximum length of a filename varies with the type of filesystem; Linux supports several types of filesystems. Although most of today's filesystems allow files with names up to 255 characters long, some filesystems restrict filenames to fewer characters. While you can use almost any character in a filename, you will avoid confusion if you choose characters from the following list:
• Uppercase letters (A-Z)
• Lowercase letters (a-z)
• Numbers (0-9)
• Underscore (_)
• Period (.)
• Comma (,)
Like the children of one parent, no two files in the same directory can have the same name. (Parents give their children different names because it makes good sense, but Linux requires it.) Files in different directories, like the children of different parents, can have the same name.

The filenames you choose should mean something. Too often a directory is filled with important files with such unhelpful names as hold1, wombat, and junk, not to mention foo and foobar. Such names are poor choices because they do not help you recall what you stored in a file. The following filenames conform to the suggested syntax and convey information about the contents of the file:

• correspond
• january
• davis
• reports
• 2001
• acct_payable

Filename length
When you share your files with users on other systems, you may need to make long filenames differ within the first few characters. Systems running DOS or older versions of Windows have an 8-character filename body length limit and a 3-character filename extension length limit. Some UNIX systems have a 14-character limit and older Macintosh systems have a 31-character limit. If you keep the filenames short, they are easy to type; later you can add extensions to them without exceeding the shorter limits imposed by some filesystems. The disadvantage of short filenames is that they are typically less descriptive than long filenames. See stat on page 459 for a way to determine the maximum length of a filename on the local system.

Long filenames enable you to assign descriptive names to files. To help you select among files without typing entire filenames, shells support filename completion. For more information about this feature, see the "Filename completion" tip on page 163.

Case sensitivity
You can use uppercase and/or lowercase letters within filenames. Linux is case sensitive, so files named JANUARY, January, and january represent three distinct files.

Do not use SPACEs within filenames
caution Although you can use SPACEs within filenames, it is a poor idea. Because a SPACE is a special character, you must quote it on a command line. Quoting a character on a command line can be difficult for a novice user and cumbersome for an experienced user. Use periods or underscores instead of SPACEs: joe.05.04.26, new_stuff.
If you are working with a filename that includes a SPACE, such as a file from another operating system, you must quote the SPACE on the command line by preceding it with a backslash or by placing quotation marks on either side of the filename. The two following commands send the file named my file to the printer.
$ lpr my\ file
$ lpr "my file"
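The quoting rule in the caution matters most inside scripts, where an unquoted expansion silently splits a name such as my file into two words and nobody is there to notice. The script below is an added example, not part of the book: it counts and copies files whose names contain SPACEs, first the careless way and then with the quoting that keeps each name whole. The directory, the filenames, and the function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the book): filenames containing SPACEs.
# The directory and filenames below are constructed for the demonstration.

# Count entries the careless way. $(ls ...) is split on SPACEs, TABs and
# NEWLINEs before the loop sees it, so "my file" counts as two entries
# and "a b c" as three.
naive_count() {
    n=0
    for f in $(ls "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# Count entries the robust way. A quoted glob yields one word per name,
# whatever characters the name contains.
safe_count() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue      # an unmatched glob stays literal; skip it
        n=$((n + 1))
    done
    echo "$n"
}

# Copy every regular file in directory $1 to directory $2. find hands each
# name to cp as a single argument, so no quoting is needed, and "--" keeps
# a name that starts with "-" from being read as an option.
safe_copy_all() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -exec cp -- {} "$2"/ \;
}

demo() {
    src=$(mktemp -d)
    dst=$(mktemp -d)
    : > "$src/plain"
    : > "$src/my file"       # the caution's example name, quoted here
    : > "$src/a b c"
    echo "careless count: $(naive_count "$src")  (wrong: names were split)"
    echo "quoted count:   $(safe_count "$src")"
    safe_copy_all "$src" "$dst"
    echo "files copied:   $(safe_count "$dst")"
    rm -r -- "$src" "$dst"
}
demo
```

The same split happens with `for f in $(find ...)` and with `cat list | xargs rm`; the robust forms are a quoted glob, `find -exec`, or `find -print0 | xargs -0`.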

FILENAME EXTENSIONS

A filename extension is the part of the filename following an embedded period. In the filenames listed in Table 6-1, filename extensions help describe the contents of the file. Some programs, such as the C programming language compiler, default to specific filename extensions; in most cases, however, filename extensions are optional. Use extensions freely to make filenames easy to understand. If you like, you can use several periods within the same filename, for example, notes.4.10.01 or files.tar.gz.

Table 6-1 Filename extensions

Filename with extension          Meaning of extension
compute.c                        A C programming language source file
compute.o                        The object code file for compute.c
compute                          The executable file for compute.c
memo.0410.txt                    A text file
memo.pdf                         A PDF file; view with xpdf or kpdf under a GUI
memo.ps                          A PostScript file; view with gs or kpdf under a GUI
memo.Z                           A file compressed with compress (page 176); use uncompress or gunzip (page 175) to decompress
memo.tgz or memo.tar.gz          A tar (page 176) archive of files compressed with gzip (page 175)
memo.gz                          A file compressed with gzip (page 175); view with zcat or decompress with gunzip (both on page 175)
memo.bz2                         A file compressed with bzip2 (page 174); view with bzcat or decompress with bunzip2 (both on page 175)
memo.html                        A file meant to be viewed using a Web browser, such as Firefox
photo.gif, photo.jpg,            A file containing graphical information, such as a picture
photo.jpeg, photo.bmp,
photo.tif, or photo.tiff
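Because extensions are optional, nothing stops a shell script from being named photo.jpg, and a program that trusts the extension will treat it as a picture. The script below is an added example, not part of the book: it classifies a file by its first bytes, the way the file utility does, for a few of the formats in Table 6-1, and reports files whose content disagrees with their extension. The sample files are constructed in a temporary directory; the function names and the short list of magic numbers are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): judge a file by its content, not its
# extension. The sample files are constructed for the demonstration.

# Print a type name derived from the first bytes of file $1.
magic_type() {
    hex=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        1f8b*)    echo gzip ;;      # gzip member header 1f 8b
        425a68*)  echo bzip2 ;;     # "BZh"
        2321*)    echo script ;;    # "#!" interpreter line
        25504446) echo pdf ;;       # "%PDF"
        ffd8ff*)  echo jpeg ;;      # JPEG start-of-image marker
        89504e47) echo png ;;       # "\x89PNG"
        *)        echo unknown ;;
    esac
}

# Print the type that the extension of $1 claims, for the extensions this
# example knows about; "any" means the extension makes no promise.
claimed_type() {
    case "$1" in
        *.gz|*.tgz)   echo gzip ;;
        *.bz2)        echo bzip2 ;;
        *.sh)         echo script ;;
        *.pdf)        echo pdf ;;
        *.jpg|*.jpeg) echo jpeg ;;
        *.png)        echo png ;;
        *)            echo any ;;
    esac
}

# List regular files in directory $1 whose content contradicts their extension.
mismatches() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        claimed=$(claimed_type "$f")
        [ "$claimed" = any ] && continue
        actual=$(magic_type "$f")
        [ "$claimed" = "$actual" ] ||
            printf '%s: extension says %s, content is %s\n' "$f" "$claimed" "$actual"
    done
}

demo() {
    d=$(mktemp -d)
    printf '\037\213\010\003' > "$d/memo.gz"         # constructed gzip header
    printf '%%PDF-1.4\n' > "$d/memo.pdf"
    printf '#!/bin/sh\necho hi\n' > "$d/photo.jpg"   # a script wearing a picture's name
    printf 'plain text\n' > "$d/memo.0410.txt"
    mismatches "$d"
    rm -r -- "$d"
}
demo
```

The file utility (exercise 10 on the previous page) does the same job with a far larger table of magic numbers; `file -b --mime-type` prints only the type, which is what a script should compare against, never the extension.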

login: max
Password:
Last login: Wed Oct 20 11:14:21 from bravo
$ pwd
/home/max

Figure 6-4 Logging in and displaying the pathname of your home directory

HIDDEN FILENAMES

A filename that begins with a period is called a hidden filename (or a hidden file or sometimes an invisible file) because ls does not normally display it. The command ls -a displays all filenames, even hidden ones. Names of startup files (following) usually begin with a period so that they are hidden and do not clutter a directory listing. The .plan file (page 182) is also hidden. Two special hidden entries, a single and double period (. and ..), appear in every directory (page 210).
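Because ls -a lists . and .. next to every other hidden name, an entry named ".. " (two periods and a trailing SPACE) or "..." is easy to overlook, which makes such names a favorite place to tuck away files that should not be there. The script below is an added example, not part of the book: it creates a few such names in a temporary directory and prints the hidden entries that deserve a second look. The directory contents and the function name are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the book): hidden names that mimic . and ..
# The directory contents are constructed for the demonstration.

# Print hidden entries of directory $1 whose names look designed to be
# overlooked: names containing whitespace or control characters, and
# names that begin with two periods. The real . and .. are skipped.
suspicious_hidden() {
    for f in "$1"/.*; do
        name=${f##*/}
        case "$name" in
            .|..) ;;
            *[[:space:][:cntrl:]]*) printf '%s\n' "$name" ;;
            ..*) printf '%s\n' "$name" ;;
        esac
    done
}

demo() {
    d=$(mktemp -d)
    : > "$d/.bashrc"             # an ordinary startup file
    : > "$d/.. "                 # looks like the parent entry in a casual listing
    : > "$d/..."
    : > "$d/. "
    echo "ls -a shows:"
    ls -a "$d"
    echo "entries that deserve a second look:"
    suspicious_hidden "$d" | sed 's/^/  [/; s/$/]/'
    rm -r -- "$d"
}
demo
```

In the ls -a output the trailing SPACE is invisible; GNU ls -aQ quotes each name, and find -name '.*' with -print0 hands the exact bytes to the next command.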

THE WORKING DIRECTORY

pwd
While you are logged in on a character-based interface to a Linux system, you are always associated with a directory. The directory you are associated with is called the working directory or current directory. Sometimes this association is referred to in a physical sense: "You are in (or working in) the zach directory." The pwd (print working directory) builtin displays the pathname of the working directory.

YOUR HOME DIRECTORY

When you first log in on a Linux system or start a terminal emulator window, the working directory is your home directory. To display the pathname of your home directory, use pwd just after you log in (Figure 6-4).

When used without any arguments, the ls utility displays a list of the files in the working directory. Because your home directory has been the only working directory you have used so far, ls has always displayed a list of files in your home directory. (All the files you have created up to this point were created in your home directory.)

STARTUP FILES

Startup files, which appear in your home directory, give the shell and other programs information about you and your preferences. Frequently one of these files tells the shell what kind of terminal you are using (page 1106) and executes the stty (set terminal) utility to establish the erase (page 151) and line kill (page 151) keys.

Either you or the system administrator can put a shell startup file containing shell commands in your home directory. The shell executes the commands in this file each time you log in. Because the startup files have hidden filenames, you must use the ls -a command to see whether one is in your home directory. A GUI has many startup files. Usually you do not need to work with these files directly but can control startup sequences using icons on the desktop. See page 293 for more information about startup files.
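A startup file is executed with your identity every time you log in, so whoever can write it can run commands as you. The script below is an added example, not part of the book: it checks a home directory for startup files that the group or everyone can write, and for a home directory that others can write into (in which case they can replace a startup file whatever its own mode). The directory and its files are constructed with chmod for the demonstration; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): who can change your startup files?
# The home directory and its files are constructed for the demonstration.

# Print hidden regular files in directory $1 (where startup files live)
# that the group or everyone can write: -perm -020 is the group write
# bit, -perm -002 the write bit for others.
writable_startup_files() {
    find "$1" -maxdepth 1 -name '.*' -type f \( -perm -020 -o -perm -002 \)
}

# Succeed if directory $1 itself is group- or world-writable; then anyone
# can rename or replace a startup file, whatever the file's own mode.
dir_writable_by_others() {
    [ -n "$(find "$1" -maxdepth 0 -type d \( -perm -020 -o -perm -002 \))" ]
}

demo() {
    h=$(mktemp -d)
    : > "$h/.bashrc";  chmod 644 "$h/.bashrc"      # owner writes, others read
    : > "$h/.profile"; chmod 666 "$h/.profile"     # anyone can edit this one
    chmod 755 "$h"
    echo "startup files writable by group or others:"
    writable_startup_files "$h"
    if dir_writable_by_others "$h"; then
        echo "home directory is writable by others"
    else
        echo "home directory mode is fine"
    fi
    rm -r -- "$h"
}
demo
```

Run the two functions against "$HOME" to check a real account; a startup file that is owned by another user is worth the same suspicion and can be found with `find "$HOME" -maxdepth 1 -name '.*' ! -user "$(id -un)"`.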

Figure 6-5 Absolute pathnames

PATHNAMES

Every file has a pathname, which is a trail from a directory through part of the directory hierarchy to an ordinary file or a directory. Within a pathname, a slash (/) following (to the right of) a filename indicates that the file is a directory file. The file following (to the right of) the slash can be an ordinary file or a directory file. The simplest pathname is a simple filename, which points to a file in the working directory. This section discusses absolute and relative pathnames and explains how to use each.

ABSOLUTE PATHNAMES

/ (root)
The root directory of the filesystem hierarchy does not have a name; it is referred to as the root directory and is represented by a / (slash) standing alone or at the left end of a pathname.

An absolute pathname starts with a slash (/), which represents the root directory. The slash is followed by the name of a file located in the root directory. An absolute pathname can continue, tracing a path through all intermediate directories, to the file identified by the pathname. String all the filenames in the path together, following each directory with a slash (/). This string of filenames is called an absolute pathname because it locates a file absolutely by tracing a path from the root directory to the file. Typically the absolute pathname of a directory does not include the trailing slash, although that format may be used to emphasize that the pathname specifies a directory (e.g., /home/zach/). The part of a pathname following the final slash is called a simple filename, filename, or basename. Figure 6-5 shows the absolute pathnames of directories and ordinary files in part of a filesystem hierarchy.

Using an absolute pathname, you can list or otherwise work with any file on the local system, assuming you have permission to do so, regardless of the working directory at the time you give the command. For example, Sam can give the following command while working in his home directory to list the files in the /etc/apt directory:

$ pwd
/home/sam
$ ls /etc/apt
apt.conf.d     secring.gpg   sources.list.d  trusted.gpg    trusted.gpg~
preferences.d  sources.list  trustdb.gpg     trusted.gpg.d

~ (TILDE) IN PATHNAMES

In another form of absolute pathname, the shell expands the characters ~/ (a tilde followed by a slash) at the start of a pathname into the pathname of your home directory. Using this shortcut, you can display your .bashrc startup file (page 294) with the following command, no matter which directory is the working directory:

$ less ~/.bashrc

A tilde quickly references paths that start with your or someone else's home directory. The shell expands a tilde followed by a username at the beginning of a pathname into the pathname of that user's home directory. For example, assuming he has permission to do so, Max can examine Sam's .bashrc file with the following command:

$ less ~sam/.bashrc

Refer to "Tilde Expansion" on page 359 for more information.

RELATIVE PATHNAMES

A relative pathname traces a path from the working directory to a file. The pathname is relative to the working directory. Any pathname that does not begin with the root directory (represented by /) or a tilde (~) is a relative pathname. Like absolute pathnames, relative pathnames can trace a path through many directories. The simplest relative pathname is a simple filename, which identifies a file in the working directory. The examples in the next sections use absolute and relative pathnames.

SIGNIFICANCE OF THE WORKING DIRECTORY

To access any file in the working directory, you need only a simple filename. To access a file in another directory, you must use a pathname. Typing a long pathname is tedious and increases the chance of making a mistake. This possibility is less likely under a GUI, where you click filenames or icons. You can choose a working directory for any particular task to reduce the need for long pathnames. Your choice of a working directory does not allow you to do anything you could not do otherwise; it just makes some operations easier.

When using a relative pathname, know which directory is the working directory
caution The location of the file that you are accessing with a relative pathname is dependent on (is relative
to) the working directory. Always make sure you know which directory is the working directory
before you use a relative pathname. Use pwd to verify the directory. If you are creating a file using
vim and you are not where you think you are in the file hierarchy, the new file will end up in an
unexpected location.
It does not matter which directory is the working directory when you use an absolute pathname.
Thus, the following command always edits a file named goals in your home directory:
$ vim.tiny ~/goals
Refer to Figure 6-6 as you read this paragraph. Files that are children of the working directory can be referenced by simple filenames. Grandchildren of the working directory can be referenced by short relative pathnames: two filenames separated by a slash. When you manipulate files in a large directory structure, using short relative pathnames can save you time and aggravation. If you choose a working directory that contains the files used most often for a particular task, you need use fewer long, cumbersome pathnames.

WORKING WITH DIRECTORIES

This section discusses how to create directories (mkdir), switch between directories (cd), remove directories (rmdir), use pathnames to make your work easier, and move and copy files and directories between directories. It concludes with a section that lists and describes briefly important standard directories and files in the Ubuntu filesystem.

Figure 6-6 Relative pathnames

Figure 6-7 The file structure developed in the examples

mkdir: CREATES A DIRECTORY

The mkdir utility creates a directory. The argument (page 1135) to mkdir becomes the pathname of the new directory. The following examples develop the directory structure shown in Figure 6-7. In the figure, the directories that are added appear in a lighter shade than the others and are connected by dashes.

In Figure 6-8, pwd shows that Max is working in his home directory (/home/max) and ls shows the names of the files in his home directory: demo, names, and temp. Using mkdir, Max creates a directory named literature as a child of his home directory. He uses a relative pathname (a simple filename) because he wants the literature directory to be a child of the working directory. Max could have used an absolute pathname to create the same directory: mkdir /home/max/literature.

The second ls in Figure 6-8 verifies the presence of the new directory. The -F option to ls displays a slash after the name of each directory and an asterisk after each executable file (shell script, utility, or application). When you call it with an argument
$ pwd
/home/max
$ ls
demo  names  temp
$ mkdir literature
$ ls
demo  literature  names  temp
$ ls -F
demo  literature/  names  temp
$ ls literature
$

Figure 6-8 The mkdir utility

that is the name of a directory, ls lists the contents of that directory. The final ls does not display anything because there are no files in the literature directory.

The following commands show two ways to create the promo directory as a child of the newly created literature directory. The first way checks that /home/max is the working directory and uses a relative pathname:

$ pwd
/home/max
$ mkdir literature/promo

The second way uses an absolute pathname:

$ mkdir /home/max/literature/promo

Use the -p (parents) option to mkdir to create both the literature and promo directories with one command:

$ pwd
/home/max
$ ls
demo  names  temp
$ mkdir -p literature/promo

or

$ mkdir -p /home/max/literature/promo
cd: CHANGES TO ANOTHER WORKING DIRECTORY

The cd (change directory) utility makes another directory the working directory but does not change the contents of the working directory. Figure 6-9 shows two ways to make the /home/max/literature directory the working directory, as verified by pwd. First Max uses cd with an absolute pathname to make literature his working directory; it does not matter which is the working directory when you give a command with an absolute pathname.

A pwd command confirms the change made by Max. When used without an argument, cd makes your home directory the working directory, as it was when you logged in. The second cd command in Figure 6-9 does not have an argument so it makes Max's home directory the working directory. Finally, knowing that he is working in his home directory, Max uses a simple filename to make the literature directory his working directory (cd literature) and confirms the change using pwd.

$ cd /home/max/literature
$ pwd
/home/max/literature
$ cd
$ pwd
/home/max
$ cd literature
$ pwd
/home/max/literature

Figure 6-9 cd changes the working directory

The working directory versus your home directory
tip The working directory is not the same as your home directory. Your home directory remains the
same for the duration of your session and usually from session to session. Immediately after you
log in, you are always working in the same directory: your home directory.
Unlike your home directory, the working directory can change as often as you like. You have no
set working directory, which explains why some people refer to it as the current directory. When
you log in and until you change directories using cd, your home directory is the working directory.
If you were to change directories to Sam's home directory, then Sam's home directory would be
the working directory.

THE . AND .. DIRECTORY ENTRIES

The mkdir utility automatically puts two entries in each directory it creates: a single period (.) and a double period (..). The . is synonymous with the pathname of the working directory and can be used in its place; the .. is synonymous with the pathname of the parent of the working directory. These entries are hidden because their filenames begin with a period.

With the literature directory as the working directory, the following example uses .. three times: first to list the contents of the parent directory (/home/max), second to copy the memoA file to the parent directory, and third to list the contents of the parent directory again.

$ pwd
/home/max/literature
$ ls ..
demo  literature  names  temp
$ cp memoA ..
$ ls ..
demo  literature  memoA  names  temp

After using cd to make promo (a subdirectory of literature) his working directory, Max can use a relative pathname to call vim to edit a file in his home directory.

$ cd promo
$ vim.tiny ../../names

You can use an absolute or relative pathname or a simple filename virtually anywhere a utility or program requires a filename or pathname. This usage holds true for ls, vim, mkdir, rm, and most other Linux utilities.
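The . and .. entries are resolved one pathname component at a time, which is why ../../names from promo lands in /home/max. The script below is an added example, not part of the book: it writes that resolution out as a shell function so you can see exactly which file a relative pathname names from a given working directory, and adds a check that a pathname stays inside a chosen directory, which is what a program must do before it trusts a pathname supplied by someone else (a pathname such as ../sam/.bashrc, or one that is absolute, escapes the base directory). Neither function follows symbolic links; pwd -P or realpath does that. The function names and the containment check are this example's own; the pathnames in demo() are the chapter's.

```sh
#!/bin/sh
# Added example (not from the book): resolving . and .. by hand, and
# checking that a pathname stays under a base directory.

# Print the absolute pathname that $2 (relative or absolute) names when
# the working directory is $1 (absolute). "." is dropped, ".." removes
# the previous component, and ".." at the root stays at the root, which
# is how the kernel resolves them. Symbolic links are not followed.
normalize_path() {
    case "$2" in
        /*) path=$2 ;;
        *)  path=$1/$2 ;;
    esac
    out=''
    old_ifs=$IFS
    IFS=/
    set -f                       # no globbing while splitting on /
    for part in $path; do
        case "$part" in
            ''|.) ;;             # empty component (leading or doubled /) or .
            ..)   out=${out%/*} ;;
            *)    out=$out/$part ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Succeed only if $2, resolved against directory $1, names $1 itself or
# something below it; fail if . and .. (or an absolute pathname) take it
# anywhere else.
under_base() {
    base=$(normalize_path / "$1")
    target=$(normalize_path "$base" "$2")
    [ "$base" = / ] && return 0
    case "$target" in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    echo "from promo, ../../names is $(normalize_path /home/max/literature/promo ../../names)"
    echo "from /home/max, ../../../etc/passwd is $(normalize_path /home/max ../../../etc/passwd)"
    for p in literature/../names ../sam/.bashrc; do
        if under_base /home/max "$p"; then
            echo "$p stays inside /home/max"
        else
            echo "$p escapes /home/max"
        fi
    done
}
demo
```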

rmdir: DELETES A DIRECTORY

The rmdir (remove directory) utility deletes a directory. You cannot delete the working directory or a directory that contains files other than the . and .. entries. If you need to delete a directory that has files in it, first use rm to delete the files and then delete the directory. You do not have to (nor can you) delete the . and .. entries; rmdir removes them automatically. The following command deletes the promo directory:

$ rmdir /home/max/literature/promo

The rm utility has a -r option (rm -r filename) that recursively deletes files, including directories, within a directory and also deletes the directory itself.

Use rm -r carefully, if at all
caution Although rm -r is a handy command, you must use it carefully. Do not use it with an ambiguous file reference such as *. It is frighteningly easy to wipe out your entire home directory with a single short command.
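Two of the ways rm -r goes wrong can be shown harmlessly in a temporary directory. The script below is an added example, not part of the book: it first lets an unquoted * hand a file named -rf to GNU rm, which reads it as options and removes everything else without asking, then repeats the job with the -- that ends option processing, and finally wraps rm -r in a guard that refuses the root directory and your home directory however they are spelled. The filenames, the function names, and the guard are constructed for this example; the option-permuting behaviour it relies on is that of GNU rm.

```sh
#!/bin/sh
# Added example (not from the book): what rm -r * does to a file named
# "-rf", and a guard around rm -r. The directory layout is constructed.

# Careless: an unquoted * becomes separate arguments, and GNU rm treats
# "-rf" among them as options (recursive, force), not as a file. Every
# other entry is removed without a prompt and "-rf" itself survives.
clear_dir_unsafe() {
    (cd -- "$1" && rm -r *)
}

# Safe: "--" ends option processing, so every later word is a filename.
# (Hidden names are not matched by *; use .[!.]* ..?* or find for those.)
clear_dir_safe() {
    (cd -- "$1" && rm -r -- *)
}

# rm -r with a guard: refuse the root directory and $HOME, including any
# spelling of them that passes through symbolic links or .. entries.
guarded_rm_r() {
    canon=$(cd -- "$1" 2>/dev/null && pwd -P) || canon=$1
    home_canon=$(cd -- "$HOME" 2>/dev/null && pwd -P) || home_canon=$HOME
    case "$canon" in
        /|"$home_canon")
            echo "refusing to remove $canon" >&2
            return 1 ;;
    esac
    rm -r -- "$1"
}

demo() {
    d=$(mktemp -d)
    : > "$d/-rf"; : > "$d/zfile"; mkdir "$d/zdir"
    clear_dir_unsafe "$d"
    echo "after rm -r *:    $(ls -A "$d")"      # only -rf is left
    clear_dir_safe "$d"
    echo "after rm -r -- *: $(ls -A "$d")"      # nothing is left
    rmdir "$d"
    h=$(mktemp -d); mkdir "$h/literature"
    (HOME=$h; guarded_rm_r "$h/literature/.." || true)   # refused
    (HOME=$h; guarded_rm_r "$h/literature")              # removed
    rmdir "$h"
}
demo
```

The same "-rf" trick works on any utility that takes filenames from a glob (chmod, chown, tar); writing ./* instead of * is the other common defence, because every expanded name then begins with "./" rather than "-".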

USING PATHNAMES

touch
Use a text editor to create a file named letter if you want to experiment with the examples that follow. Alternatively you can use touch to create an empty file:

$ cd
$ pwd
/home/max
$ touch letter

With /home/max as the working directory, the following example uses cp with a relative pathname to copy the file letter to the /home/max/literature/promo directory. (You will need to create promo again if you deleted it earlier.) The copy of the file has the simple filename letter.0610:

$ cp letter literature/promo/letter.0610

If Max does not change to another directory, he can use vim as shown to edit the copy of the file he just made:

$ vim.tiny literature/promo/letter.0610

If Max does not want to use a long pathname to specify the file, he can use cd to make promo the working directory before using vim:

$ cd literature/promo
$ pwd
/home/max/literature/promo
$ vim.tiny letter.0610

To make the parent of the working directory (named /home/max/literature) the new working directory, Max can give the following command, which takes advantage of the .. directory entry:

$ cd ..
$ pwd
/home/max/literature

212 CHAPTER 6 THE LINUX FILESYSTEM

Figure 6-10 Using mv to move names and temp

mv, cp: MOVE OR COPY FILES
Chapter 5 discussed the use of mv to rename files. However, mv works even more generally: You can use this utility to move files from one directory to another (change the pathname of a file) as well as to change a simple filename. When used to move one or more files to a new directory, the mv command has this syntax:
mv existing-file-list directory
If the working directory is /home/max, Max can use the following command to move the files names and temp from the working directory to the literature directory:
$ mv names temp literature
This command changes the absolute pathnames of the names and temp files from /home/max/names and /home/max/temp to /home/max/literature/names and /home/max/literature/temp, respectively (Figure 6-10). Like most Linux commands, mv accepts either absolute or relative pathnames.
As you work with Linux and create more files, you will need to create new directories using mkdir to keep the files organized. The mv utility is a useful tool for moving files from one directory to another as you extend your directory hierarchy.
The cp utility works in the same way as mv does, except that it makes copies of the existing-file-list in the specified directory.

mv: MOVES A DIRECTORY
Just as it moves ordinary files from one directory to another, so mv can move directories. The syntax is similar except that you specify one or more directories, not ordinary files, to move:
mv existing-directory-list new-directory
If new-directory does not exist, the existing-directory-list must contain just one directory name, which mv changes to new-directory (mv renames the directory).
Although you can rename directories using mv, you cannot copy their contents with cp unless you use the -r (recursive) option. Refer to the tar and cpio man pages for other ways to copy and move directories.

Figure 6-11 A typical FHS-based Linux filesystem structure

IMPORTANT STANDARD DIRECTORIES AND FILES
Originally files on a Linux system were not located in standard places within the directory hierarchy. The scattered files made it difficult to document and maintain a Linux system and just about impossible for someone to release a software package that would compile and run on all Linux systems. The first standard for the Linux filesystem, the FSSTND (Linux Filesystem Standard), was released early in 1994. In early 1995 work was started on a broader standard covering many UNIX-like systems: FHS (Linux Filesystem Hierarchy Standard; proton.pathname.com/fhs). More recently FHS has been incorporated in LSB (Linux Standard Base; www.linuxfoundation.org/collaborate/workgroups/lsb), a workgroup of FSG (Free Standards Group). Finally, FSG combined with Open Source Development Labs (OSDL) to form the Linux Foundation (www.linuxfoundation.org). Figure 6-11 shows the locations of some important directories and files as specified by FHS. The significance of many of these directories will become clear as you continue reading.
The following list describes the directories shown in Figure 6-11, some of the directories specified by FHS, and some other directories. Ubuntu Linux, however, does not use all the directories specified by FHS. Be aware that you cannot always determine the function of a directory by its name. For example, although /opt stores add-on software, /etc/opt stores configuration files for the software in /opt. See also "Important Files and Directories" on page 488.
/  Root  The root directory, present in all Linux filesystem structures, is the ancestor of all files in the filesystem.
/bin  Essential command binaries  Holds the files needed to bring the system up and run it when it first comes up in recovery mode (page 445).
/boot  Static files of the boot loader  Contains all the files needed to boot the system.
/dev  Device files  Contains all files that represent peripheral devices, such as disk drives, terminals, and printers. Previously this directory was filled with all possible devices. The udev utility (page 502) provides a dynamic device directory that enables /dev to contain only devices that are present on the system.
/etc  Machine-local system configuration files  Holds administrative, configuration, and other system files. One of the most important is /etc/passwd, which contains a list of all users who have permission to use the system.
/etc/opt  Configuration files for add-on software packages kept in /opt
/etc/X11  Machine-local configuration files for the X Window System
/home  User home directories  Each user's home directory is typically one of many subdirectories of the /home directory. As an example, assuming that users' directories are under /home, the absolute pathname of Zach's home directory is /home/zach. On some systems the users' directories may not be found under /home but instead might be spread among other directories such as /inhouse and /clients.
/lib  Shared libraries
/lib/modules  Loadable kernel modules
/mnt  Mount point for temporarily mounting filesystems
/opt  Add-on (optional) software packages
/proc  Kernel and process information virtual filesystem
/root  Home directory for the root account
/sbin  Essential system binaries  Utilities used for system administration are stored in /sbin and /usr/sbin. The /sbin directory includes utilities needed during the booting process, and /usr/sbin holds utilities used after the system is up and running. In older versions of Linux, many system administration utilities were scattered through several directories that often included other system files (/etc, /usr/bin, /usr/adm, /usr/include).
/sys  Device pseudofilesystem  See udev on page 502 for more information.
/tmp  Temporary files
/usr  Second major hierarchy  Traditionally includes subdirectories that contain information used by the system. Files in /usr subdirectories do not change often and may be shared by several systems.
/usr/bin  Most user commands  Contains the standard Linux utility programs, that is, binaries that are not needed in recovery mode (page 445).
/usr/games  Games and educational programs
/usr/include  Header files included by C programs
/usr/lib  Libraries
/usr/local  Local hierarchy  Holds locally important files and directories that are added to the system. Subdirectories can include bin, games, include, lib, sbin, share, and src.
/usr/sbin  Nonvital system administration binaries  See /sbin.
/usr/share  Architecture-independent data  Subdirectories can include dict, doc, games, info, locale, man, misc, terminfo, and zoneinfo.
/usr/share/doc  Documentation
/usr/share/info  GNU info system's primary directory
/usr/share/man  Online manuals
/usr/src  Source code
/var  Variable data  Files with contents that vary as the system runs are kept in subdirectories under /var. The most common examples are temporary files, system log files, spooled files, and user mailbox files. Subdirectories can include cache, lib, lock, log, mail, opt, run, spool, tmp, and yp. Older versions of Linux scattered such files through several subdirectories of /usr (/usr/adm, /usr/mail, /usr/spool, /usr/tmp).
/var/log  Log files  Contains lastlog (a record of the last login by each user), messages (system messages from syslogd), and wtmp (a record of all logins/logouts), among other log files.
/var/spool  Spooled application data  Contains anacron, at, cron, lpd, mail, mqueue, samba, and other directories. The file /var/spool/mail is typically a link to /var/mail.

ACCESS PERMISSIONS
Ubuntu Linux supports two methods of controlling who can access a file and how they can access it: traditional Linux access permissions and Access Control Lists (ACLs). This section describes traditional Linux access permissions. See page 221 for a discussion of ACLs, which provide finer-grained control of access permissions than do traditional access permissions.
Three types of users can access a file: the owner of the file (owner), a member of a group that the file is associated with (group; see page 492 for more information on groups), and everyone else (other). A user can attempt to access an ordinary file in three ways: by trying to read from, write to, or execute it.

ls -l: DISPLAYS PERMISSIONS
When you call ls with the -l option and the name of one or more ordinary files, ls displays a line of information about the file. The following example displays information for two files.

Figure 6-12 The columns displayed by the ls -l command (sample line: -rwxrwxr-x+ 3 max pubs 2048 2010-08-12 13:15 memo)

The file letter.0610 contains the text of a letter, and check_spell contains a shell script, a program written in a high-level shell programming language:
$ ls -l letter.0610 check_spell
-rwxr-xr-x 1 max pubs  852 2010-07-31 13:47 check_spell
-rw-r--r-- 1 max pubs 3355 2010-06-22 12:44 letter.0610
From left to right, the lines that an ls -l command displays contain the following information (refer to Figure 6-12, preceding page):
• The type of file (first character)
• The file's access permissions (the next nine characters)
• The ACL flag (present if the file has an ACL, page 221)
• The number of links to the file (page 226)
• The name of the owner of the file (usually the person who created the file)
• The name of the group the file is associated with
• The size of the file in characters (bytes)
• The date and time the file was created or last modified
• The name of the file
The type of file (first column) for letter.0610 is a hyphen (-) because it is an ordinary file (directory files have a d in this column).
The next three characters specify the access permissions for the owner of the file: r indicates read permission, w indicates write permission, and x indicates execute permission. A - in a column indicates that the owner does not have the permission that could have appeared in that position. In a similar manner the next three characters represent permissions for the group, and the final three characters represent permissions for other (everyone else). In the preceding example, the owner of letter.0610 can read from and write to the file, whereas the group and others can only read from the file and no one is allowed to execute it. Although execute permission can be allowed for any file, it does not make sense to assign execute permission to a file that contains a document, such as a letter. The check_spell file is an executable shell script, so execute permission is appropriate for it. (The owner, group, and others have execute permission.)

chmod: CHANGES ACCESS PERMISSIONS
The Linux file access permission scheme lets you give other users access to the files you want to share yet keep your private files confidential. You can allow other users to read from and write to a file (handy if you are one of several people working on a joint project). You can allow others only to read from a file (perhaps a project specification you are proposing). Or you can allow others only to write to a file (similar to an inbox or mailbox, where you want others to be able to send you mail but do not want them to read your mail). Similarly you can protect entire directories from being scanned (covered shortly).

A user with root privileges can access any file on the system
security There is an exception to the access permissions described in this section. Anyone who can gain root privileges has full access to all files, regardless of the file's owner or access permissions.

The owner of a file controls which users have permission to access the file and how those users can access it. When you own a file, you can use the chmod (change mode) utility to change access permissions for that file. You can specify symbolic (relative) or numeric (absolute) arguments to chmod.

SYMBOLIC ARGUMENTS TO chmod
The following example, which uses symbolic arguments to chmod, adds (+) read and write permissions (rw) for all (a) users:
$ ls -l letter.0610
-rw-r--r-- 1 max pubs 3355 2010-06-22 12:44 letter.0610
$ chmod a+rw letter.0610
$ ls -l letter.0610
-rw-rw-rw- 1 max pubs 3355 2010-06-22 12:44 letter.0610

You must have read permission to execute a shell script
tip Because a shell needs to read a shell script (a text file containing shell commands) before it can
execute the commands within that script, you must have read permission for the file containing
the script to execute it. You also need execute permission to execute a shell script directly from
the command line. In contrast, binary (program) files do not need to be read; they are executed
directly. You need only execute permission to run a binary program.
Using symbolic arguments with chmod modifies existing permissions; the change a given argument makes depends on (is relative to) the existing permissions. In the next example, chmod removes (-) read (r) and execute (x) permissions for other (o) users. The owner and group permissions are not affected.
$ ls -l check_spell
-rwxr-xr-x 1 max pubs 852 2010-07-31 13:47 check_spell
$ chmod o-rx check_spell
$ ls -l check_spell
-rwxr-x--- 1 max pubs 852 2010-07-31 13:47 check_spell
In addition to a (all) and o (other), you can use g (group) and u (user, although user refers to the owner of the file who may or may not be the user of the file at any given time) in the argument to chmod. For example, chmod a+x adds execute permission for all users (other, group, and owner) and chmod go-rwx removes all permissions for all but the owner of the file.

chmod: o for other, u for owner
tip When using chmod, many people assume that the o stands for owner; it does not. The o stands for other, whereas u stands for owner (user). The acronym UGO (user-group-other) may help you remember how permissions are named.


NUMERIC ARGUMENTS TO chmod
You can also use numeric arguments to specify permissions with chmod. In place of the letters and symbols specifying permissions used in the previous examples, numeric arguments comprise three octal digits. (A fourth, leading digit controls setuid and setgid permissions and is discussed next.) The first digit specifies permissions for the owner, the second for the group, and the third for other users. A 1 gives the specified user(s) execute permission, a 2 gives write permission, and a 4 gives read permission. Construct the digit representing the permissions for the owner, group, or others by ORing (adding) the appropriate values as shown in the following examples. Using numeric arguments sets file permissions absolutely; it does not modify existing permissions as symbolic arguments do.
In the following example, chmod changes permissions so only the owner of the file can read from and write to the file, regardless of how permissions were previously set. The 6 in the first position gives the owner read (4) and write (2) permissions. The 0s remove all permissions for the group and other users.
$ chmod 600 letter.0610
$ ls -l letter.0610
-rw------- 1 max pubs 3355 2010-06-22 12:44 letter.0610
Next, 7 (4 + 2 + 1) gives the owner read, write, and execute permissions. The 5 (4 + 1) gives the group and other users read and execute permissions:
$ chmod 755 check_spell
$ ls -l check_spell
-rwxr-xr-x 1 max pubs 852 2010-07-31 13:47 check_spell
Refer to Table 6-2 for more examples of numeric permissions.

Table 6-2 Examples of numeric permission specifications
Mode  Meaning
777   Owner, group, and others can read, write, and execute file
755   Owner can read, write, and execute file; group and others can read and execute file
711   Owner can read, write, and execute file; group and others can execute file
644   Owner can read and write file; group and others can read file
640   Owner can read and write file, group can read file, and others cannot access file

Refer to page 300 for more information on using chmod to make a file executable and to the chmod man page for information on absolute arguments and chmod in general. Refer to page 492 for more information on groups.
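To make the contrast between the two argument styles concrete, here is an added example (not code from the book) that models the mode column ls -l prints and applies symbolic and numeric chmod arguments to it; the function names parse_ls_mode, format_mode, apply_symbolic and numeric_mode are this example's own.

```python
"""Model of the mode notation used by ls -l and chmod.

Added example, not from the book: it implements the rules the text above
describes (r=4, w=2, x=1 in each of the owner/group/other triads, a
leading 4/2/1 for setuid/setgid/sticky, symbolic arguments relative to
the existing mode, numeric arguments absolute) so the two argument styles
can be compared on the files from the book's examples.
"""
import stat

# Which bits a who-letter selects, and which bits a permission letter sets.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}
# Execute slot (1-based position in the ls -l column) -> special bit.
_SPECIAL = {3: stat.S_ISUID, 6: stat.S_ISGID, 9: stat.S_ISVTX}


def parse_ls_mode(text):
    """Turn the 10-character mode column of ls -l into an integer mode.

    An s (or t) in an execute slot means the special bit plus execute;
    a capital S (or T) means the special bit without execute.
    """
    if len(text) != 10:
        raise ValueError("expected 10 characters such as -rwxr-xr-x")
    mode = 0
    for pos, ch in enumerate(text[1:], start=1):
        bit = 0o400 >> (pos - 1)          # 0o400, 0o200, ..., 0o001
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT" and pos in _SPECIAL:
            mode |= _SPECIAL[pos]
            if ch in "st":
                mode |= bit
        elif ch != "-":
            raise ValueError("unexpected character %r at position %d" % (ch, pos))
    return mode


def format_mode(mode, is_dir=False):
    """Inverse of parse_ls_mode: render a mode the way ls -l shows it."""
    out = ["d" if is_dir else "-"]
    for pos in range(1, 10):
        bit = 0o400 >> (pos - 1)
        has_bit = bool(mode & bit)
        if pos in _SPECIAL and mode & _SPECIAL[pos]:
            # s/t in an execute slot: special bit set; upper case means the
            # execute bit underneath it is not set.
            letter = "t" if pos == 9 else "s"
            out.append(letter if has_bit else letter.upper())
        else:
            out.append("rwxrwxrwx"[pos - 1] if has_bit else "-")
    return "".join(out)


def apply_symbolic(mode, arg):
    """Apply one symbolic chmod argument ('a+rw', 'go-rwx', 'u+s', ...).

    Only + and - are handled, which is all the book's examples use. The
    result depends on the existing mode, unlike a numeric argument; the
    umask that real chmod applies when no who-letter is given is ignored.
    """
    who, op, perms = "", "", ""
    for ch in arg:
        if not op and ch in _WHO:
            who += ch
        elif not op and ch in "+-":
            op = ch
        elif op and ch in "rwxst":
            perms += ch
        else:
            raise ValueError("unsupported symbolic argument %r" % arg)
    if not op or not perms:
        raise ValueError("symbolic argument needs an operator and permissions")
    who_mask = 0
    for w in (who or "a"):
        who_mask |= _WHO[w]
    bits = 0
    for p in perms:
        if p in _PERM:
            bits |= _PERM[p] & who_mask
        elif p == "s":                     # u+s -> setuid, g+s -> setgid
            if who_mask & 0o700:
                bits |= stat.S_ISUID
            if who_mask & 0o070:
                bits |= stat.S_ISGID
        else:                              # p == "t": sticky bit
            bits |= stat.S_ISVTX
    return mode | bits if op == "+" else mode & ~bits


def numeric_mode(digits):
    """A numeric argument replaces the mode outright; the old mode plays no part."""
    return int(digits, 8) & 0o7777


if __name__ == "__main__":
    # The book's sequence on letter.0610 and check_spell, replayed.
    m = parse_ls_mode("-rw-r--r--")
    print(format_mode(apply_symbolic(m, "a+rw")))      # -rw-rw-rw-
    print(format_mode(numeric_mode("600")))            # -rw-------
    print(format_mode(apply_symbolic(0o755, "o-rx")))  # -rwxr-x---
    print(format_mode(apply_symbolic(0o755, "u+s")))   # -rwsr-xr-x
```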

SETUID AND SETGID PERMISSIONS
When you execute a file that has setuid (set user ID) permission, the process executing the file takes on the privileges of the file's owner. For example, if you run a setuid program that removes all files in a directory, you can remove files in any of the file owner's directories, even if you do not normally have permission to do so. In a similar manner, setgid (set group ID) permission gives the process executing the file the privileges of the group the file is associated with.

Minimize use of setuid and setgid programs owned by root
security Executable files that are setuid and owned by root have root privileges when they run, even if they
are not run by root. This type of program is very powerful because it can do anything that root can
do (and that the program is designed to do). Similarly executable files that are setgid and belong
to the group root have extensive privileges.
Because of the power they hold and their potential for destruction, it is wise to avoid indiscriminately creating and using setuid programs owned by root and setgid programs belonging to the
group root. Because of their inherent dangers, many sites minimize the use of these programs on
their systems. One necessary setuid program is passwd. See page 421 for a tip on setuid files
owned by root and page 454 for a command that lists setuid files on the local system.
The following example shows a user working with root privileges and using symbolic arguments to chmod to give one program setuid privileges and another program setgid privileges. The ls -l output (page 215) shows setuid permission by displaying an s in the owner's executable position and setgid permission by displaying an s in the group's executable position:
$ ls -l myprog*
-rwxr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog1
-rwxr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog2
$ sudo chmod u+s myprog1
$ sudo chmod g+s myprog2
$ ls -l myprog*
-rwsr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog1
-rwxr-sr-x 1 root pubs 19704 2010-07-31 14:30 myprog2
The next example uses numeric arguments to chmod to make the same changes. When you use four digits to specify permissions, setting the first digit to 1 sets the sticky bit (page 1174), setting it to 2 specifies setgid permissions, and setting it to 4 specifies setuid permissions:
$ ls -l myprog*
-rwxr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog1
-rwxr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog2
$ sudo chmod 4755 myprog1
$ sudo chmod 2755 myprog2
$ ls -l myprog*
-rwsr-xr-x 1 root pubs 19704 2010-07-31 14:30 myprog1
-rwxr-sr-x 1 root pubs 19704 2010-07-31 14:30 myprog2

Do not write setuid shell scripts
security Never give shell scripts setuid permission. Several techniques for subverting them are well known.
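As an added example of the inventory the two security notes above call for (not a command from the book; the function names and the sample files are constructed here), the following Python script walks a directory tree, reports every setuid or setgid file in the notation ls -l uses, and flags setuid scripts and root-owned entries for review.

```python
"""Audit a directory tree for setuid and setgid files.

Added example, not from the book. It runs the check the security notes
above call for: list every regular file carrying setuid or setgid, record
the ls -l style mode, whether root (or the root group) owns it, and flag
any that is a shell script, since scripts should never be setuid. The
demo tree and its files are constructed here, not taken from a real system.
"""
import os
import shutil
import stat
import tempfile


def is_script(path):
    """True if the file starts with a '#!' interpreter line."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def find_special_bits(root):
    """Return one dict per regular file under root that is setuid or setgid."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if not (setuid or setgid):
                continue
            findings.append({
                "path": path,
                "mode": stat.filemode(st.st_mode),   # same text ls -l prints
                "setuid": setuid,
                "setgid": setgid,
                "root_owned": st.st_uid == 0,
                "root_group": st.st_gid == 0,
                "script": is_script(path),
            })
    return findings


def needs_review(finding):
    """Setuid scripts, and setuid/setgid files owned by root or group root."""
    return (finding["script"]
            or (finding["setuid"] and finding["root_owned"])
            or (finding["setgid"] and finding["root_group"]))


def demo():
    """Build a throwaway tree, audit it, and return findings keyed by name."""
    tmp = tempfile.mkdtemp(prefix="setuid-audit-")
    try:
        sample = {   # name: (constructed content, mode)
            "myprog1": (b"\x7fELF stand-in, not a real binary\n", 0o4755),
            "myprog2": (b"\x7fELF stand-in, not a real binary\n", 0o2755),
            "check_spell": (b"#!/bin/bash\necho constructed\n", 0o4755),
            "letter.0610": (b"Dear reader, constructed text.\n", 0o644),
        }
        for name, (content, mode) in sample.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return {os.path.basename(f["path"]): f
                for f in find_special_bits(tmp)}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        flag = "REVIEW" if needs_review(f) else "ok"
        print("%s %-12s script=%s %s" % (f["mode"], name, f["script"], flag))
```

Pointing find_special_bits at / (working with root privileges so every directory can be read) gives the site-wide list the second note refers to.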


DIRECTORY ACCESS PERMISSIONS
Access permissions have slightly different meanings when they are used with directories. Although the three types of users can read from or write to a directory, the directory cannot be executed. Execute permission is redefined for a directory: It means that you can cd into the directory and/or examine files that you have permission to read from in the directory. It has nothing to do with executing a file.
When you have only execute permission for a directory, you can use ls to list a file in the directory if you know its name. You cannot use ls without an argument to list the entire contents of the directory. In the following exchange, Zach first verifies that he is logged in as himself. He then checks the permissions on Max's info directory. You can view the access permissions associated with a directory by running ls with the -d (directory) and -l (long) options:
$ who am i
zach     pts/7        Aug 21 10:02
$ ls -ld /home/max/info
drwx-----x 2 max pubs 512 2010-08-21 09:31 /home/max/info
$ ls -l /home/max/info
ls: /home/max/info: Permission denied
The d at the left end of the line that ls displays indicates that /home/max/info is a directory. Max has read, write, and execute permissions; members of the pubs group have no access permissions; and other users have execute permission only, indicated by the x at the right end of the permissions. Because Zach does not have read permission for the directory, the ls -l command returns an error.
When Zach specifies the names of the files he wants information about, he is not reading new directory information but rather searching for specific information, which he is allowed to do with execute access to the directory. He has read permission for notes so he has no problem using cat to display the file. He cannot display financial because he does not have read permission for it:
$ ls -l /home/max/info/financial /home/max/info/notes
-rw------- 1 max pubs 34 2010-08-21 09:31 /home/max/info/financial
-rw-r--r-- 1 max pubs 30 2010-08-21 09:32 /home/max/info/notes
$ cat /home/max/info/notes
This is the file named notes.
$ cat /home/max/info/financial
cat: /home/max/info/financial: Permission denied
Next Max gives others read access to his info directory:
$ chmod o+r /home/max/info
When Zach checks his access permissions on info, he finds that he has both read and execute access to the directory. Now ls -l works just fine without arguments, but he still cannot read financial. (This restriction is an issue of file permissions, not directory permissions.) Finally, Zach tries to create a file named newfile using touch. If Max were to give him write permission to the info directory, Zach would be able to create new files in it:
$ ls -ld /home/max/info
drwx---r-x 2 max pubs 512 2010-08-21 09:31 /home/max/info
$ ls -l /home/max/info
total 8
-rw------- 1 max pubs 34 2010-08-21 09:31 financial
-rw-r--r-- 1 max pubs 30 2010-08-21 09:32 notes
$ cat /home/max/info/financial
cat: financial: Permission denied
$ touch /home/max/info/newfile
touch: cannot touch '/home/max/info/newfile': Permission denied

ACLs: ACCESS CONTROL LISTS
Access Control Lists (ACLs) provide finer-grained control over which users can access specific directories and files than do traditional Linux permissions (page 215). Using ACLs you can specify the ways in which each of several users can access a directory or file. Because ACLs can reduce performance, do not enable them on filesystems that hold system files, where the traditional Linux permissions are sufficient. Also be careful when moving, copying, or archiving files: Not all utilities preserve ACLs. In addition, you cannot copy ACLs to filesystems that do not support ACLs.
An ACL comprises a set of rules. A rule specifies how a specific user or group can access the file that the ACL is associated with. There are two kinds of rules: access rules and default rules. (The documentation refers to access ACLs and default ACLs, even though there is only one type of ACL: There is one type of list [ACL] and there are two types of rules that an ACL can contain.)
An access rule specifies access information for a single file or directory. A default ACL pertains to a directory only; it specifies default access information (an ACL) for any file in the directory that is not given an explicit ACL.

Most utilities do not preserve ACLs
caution When used with the -p (preserve) or -a (archive) option, cp preserves ACLs when it copies files.
The mv utility also preserves ACLs. When you use cp with the -p or -a option and it is not able
to copy ACLs, and in the case where mv is unable to preserve ACLs, the utility performs the operation and issues an error message:
$ mv report /tmp
mv: preserving permissions for '/tmp/report': Operation not supported

Other utilities, such as tar, cpio, and dump, do not support ACLs. You can use cp with the -a
option to copy directory hierarchies, including ACLs.
You can never copy ACLs to a filesystem that does not support ACLs or to a filesystem that does
not have ACL support turned on.

222 CHAPTER 6 THE LINUX FILESYSTEM

ENABLING ACLS
Before you can use ACLs you must install the acl software package:
$ sudo aptitude install acl
Ubuntu Linux officially supports ACLs on ext2, ext3, and ext4 filesystems only, although informal support for ACLs is available on other filesystems. To use ACLs on an ext2/ext3/ext4 filesystem, you must mount the device with the acl option (no_acl is the default). For example, if you want to mount the device represented by /home so that you can use ACLs on files in /home, you can add acl to its options list in /etc/fstab:
$ grep home /etc/fstab
LABEL=/home    /home    ext4    defaults,acl    1 2
remount option  After changing fstab, you need to remount /home before you can use ACLs. If no one else is using the system, you can unmount it and mount it again (working with root privileges) as long as the working directory is not in the /home hierarchy. Alternatively you can use the remount option to mount to remount /home while the device is in use:
$ sudo mount -v -o remount /home
/dev/sda3 on /home type ext4 (rw,acl)
See page 510 for information on fstab and page 506 for information on mount.

WORKING WITH ACCESS RULES
The setfacl utility modifies a file's ACL and getfacl displays a file's ACL. When you use getfacl to obtain information about a file that does not have an ACL, it displays the same information as an ls -l command, albeit in a different format:
$ ls -l report
-rw-r--r-- 1 max max 9537 2010-01-12 23:17 report
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
group::r--
other::r--
The first three lines of the getfacl output comprise the header; they specify the name of the file, the owner of the file, and the group the file is associated with. For more information refer to "ls -l: Displays Permissions" on page 215. The --omit-header (or just --omit) option causes getfacl not to display the header:
$ getfacl --omit-header report
user::rw-
group::r--
other::r--

In the line that starts with user, the two colons (::) with no name between them indicate that the line specifies the permissions for the owner of the file. Similarly, the two colons in the group line indicate that the line specifies permissions for the group the file is associated with. The two colons following other are there for consistency: No name can be associated with other.
The setfacl --modify (or -m) option adds or modifies one or more rules in a file's ACL using the following format:
setfacl --modify ugo:name:permissions file-list
where ugo can be either u, g, or o to indicate that the command sets file permissions for a user, a group, or all other users, respectively; name is the name of the user or group that permissions are being set for; permissions is the permissions in either symbolic or absolute format; and file-list is the list of files the permissions are to be applied to. You must omit name when you specify permissions for other users (o).
Symbolic permissions use letters to represent file permissions (rwx, r-x, and so on), whereas absolute permissions use an octal number. While chmod uses three sets of permissions or three octal numbers (one each for the owner, group, and other users), setfacl uses a single set of permissions or a single octal number to represent the permissions being granted to the user or group represented by ugo and name. See the discussion of chmod on page 216 for more information about symbolic and absolute representations of file permissions.
For example, both of the following commands add a rule to the ACL for the report file that gives Sam read and write permission to that file:
$ setfacl --modify u:sam:rw- report
or
$ setfacl --modify u:sam:6 report
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-
group::r--
mask::rw-
other::r--
The line containing user:sam:rw- shows that the user named sam has read and write access (rw-) to the file. See page 215 for an explanation of how to read access permissions. See the following optional section for a description of the line that starts with mask.
When a file has an ACL, ls -l displays a plus sign (+) following the permissions, even if the ACL is empty:
$ ls -l report
-rw-rw-r--+ 1 max max 9537 2010-01-12 23:17 report


optional EFFECTIVE RIGHTS MASK
The line that starts with mask specifies the effective rights mask. This mask limits the effective permissions granted to ACL groups and users. It does not affect the owner of the file or the group the file is associated with. In other words, it does not affect traditional Linux permissions. However, because setfacl always sets the effective rights mask to the least restrictive ACL permissions for the file, the mask has no effect unless you set it explicitly after you set up an ACL for the file. You can set the mask by specifying mask in place of ugo and by not specifying a name in a setfacl command.
The following example sets the effective rights mask to read for the report file:
$ setfacl -m mask::r-- report
The mask line in the following getfacl output shows the effective rights mask set to read (r--). The line that displays Sam's file access permissions shows them still set to read and write. However, the comment at the right end of the line shows that his effective permission is read.
$ getfacl report
# file: report
# owner: max
# group: max
user::rw-
user:sam:rw-          #effective:r--
group::r--
mask::r--
other::r--
As the next example shows, setfacl can modify ACL rules and can set more than one ACL rule at a time:
$ setfacl -m u:sam:r--,u:zach:rw- report
$ getfacl --omit-header report
user::rw-
user:sam:r--
user:zach:rw-
group::r--
mask::rw-
other::r--
The -x option removes ACL rules for a user or a group. It has no effect on permissions for the owner of the file or the group that the file is associated with. The next example shows setfacl removing the rule that gives Sam permission to access the file:
$ setfacl -x u:sam report
$ getfacl --omit-header report
user::rw-
user:zach:rw-
group::r--
mask::rw-
other::r--

You must not specify permissions when you use the -x option. Instead, specify only the ugo and name.
The -b option, followed by a filename only, removes all ACL rules and the ACL itself from the file or directory you specify.
Both setfacl and getfacl have many options. Use the --help option to display brief lists of options or refer to the man pages for details.

SETTING DEFAULT RULES FOR A DIRECTORY
The following example shows that the dir directory initially has no ACL. The setfacl command uses the -d (default) option to add two default rules to the ACL for dir. These rules apply to all files in the dir directory that do not have explicit ACLs. The rules give members of the pubs group read and execute permissions and give members of the admin group read, write, and execute permissions.
$ ls -ld dir
drwx------ 2 max max 4096 2010-02-12 23:15 dir
$ getfacl dir
# file: dir
# owner: max
# group: max
user::rwx
group::---
other::---
$ setfacl -d -m g:pubs:r-x,g:admin:rwx dir
The following ls command shows that the dir directory now has an ACL, as indicated by the + to the right of the permissions. Each of the default rules getfacl displays starts with default:. The first two default rules and the last default rule specify the permissions for the owner of the file, the group that the file is associated with, and all other users. These three rules specify the traditional Linux permissions and take precedence over other ACL rules. The third and fourth rules specify the permissions for the pubs and admin groups. Next is the default effective rights mask.
$ ls -ld dir
drwx------+ 2 max max 4096 2010-02-12 23:15 dir
$ getfacl dir
# file: dir
# owner: max
# group: max
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:group:pubs:r-x
default:group:admin:rwx
default:mask::rwx
default:other::---

Remember that the default rules pertain to files held in the directory that are not assigned ACLs explicitly. You can also specify access rules for the directory itself.
When you create a file within a directory that has default rules in its ACL, the effective rights mask for that file is created based on the file's permissions. In some cases the mask may override default ACL rules.
In the next example, touch creates a file named new in the dir directory. The ls command shows that this file has an ACL. Based on the value of umask (page 459), both the owner and the group that the file is associated with have read and write permissions for the file. The effective rights mask is set to read and write so that the effective permission for pubs is read and the effective permissions for admin are read and write. Neither group has execute permission.
$ cd dir
$ touch new
$ ls -l new
-rw-rw----+ 1 max max 0 2010-02-13 00:39 new
$ getfacl --omit new
user::rw-
group::---
group:pubs:r-x        #effective:r--
group:admin:rwx       #effective:rw-
mask::rw-
other::---
If you change the file's traditional permissions to read, write, and execute for the owner and the group, the effective rights mask changes to read, write, and execute and the groups specified by the default rules gain execute access to the file.
$ chmod 770 new
$ ls -l new
-rwxrwx---+ 1 max max 0 2010-02-13 00:39 new
$ getfacl --omit new
user::rwx
group::---
group:pubs:r-x
group:admin:rwx
mask::rwx
other::---
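The following Python program is an added example, not code from the book. It parses getfacl-style listings (the constructed samples DIR_ACL and REPORT_ACL are copied from the listings on this page) and reproduces the two computations described in the effective rights mask section and in this section: how the mask limits each rule, and how a file created in a directory with default rules receives its access ACL from those rules and the mode the creating program requests (touch requests 0666; when a default ACL exists, the kernel intersects the default rules with that mode, so the mode's group bits become the file's mask, which is why new gets mask::rw-). One caveat worth knowing when you read such listings: acl(5) defines the mask as limiting named users, named groups and the owning group (group::) alike, and the code follows acl(5). All function names are the example's own.

```python
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def perm_to_bits(perm):
    """'r-x' -> 5."""
    return sum(b for c, b in PERM_BITS if c in perm)

def bits_to_perm(bits):
    """5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS)

def parse_acl(text):
    """getfacl output -> [(tag, qualifier, bits)]. Header lines and
    #effective comments are dropped; default rules keep a 'default:' prefix."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        prefix = ""
        if fields[0] == "default":
            prefix, fields = "default:", fields[1:]
        if len(fields) != 3:
            raise ValueError("malformed ACL entry: %r" % raw)
        tag, qualifier, perm = fields
        entries.append((prefix + tag, qualifier, perm_to_bits(perm)))
    return entries

def effective(entries):
    """{(tag, qualifier): effective bits} for the access rules. Per acl(5) the
    mask limits named users, named groups and the owning group, never owner/other."""
    access = [e for e in entries if not e[0].startswith("default:")]
    mask = next((b for t, _, b in access if t == "mask"), 7)
    result = {}
    for tag, qual, bits in access:
        if (tag == "user" and qual) or tag == "group":
            bits &= mask
        result[(tag, qual)] = bits
    return result

def _apply_mode(entries, mode, combine):
    """Owner, mask (or owning group when there is no mask) and other entries
    are combined with the matching rwx triplet of mode; the rest pass through."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(t == "mask" for t, _, _ in entries)
    out = []
    for tag, qual, bits in entries:
        if tag == "user" and not qual:
            bits = combine(bits, owner)
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            bits = combine(bits, group)
        elif tag == "other":
            bits = combine(bits, other)
        out.append((tag, qual, bits))
    return out

def inherit(dir_entries, mode):
    """Access ACL of a new file: the directory's default rules intersected with
    the mode the creating program requests (touch asks for 0666; no umask)."""
    defaults = [(t[len("default:"):], q, b) for t, q, b in dir_entries
                if t.startswith("default:")]
    if not defaults:
        return None
    return _apply_mode(defaults, mode, lambda bits, m: bits & m)

def chmod(entries, mode):
    """chmod on a file with an ACL rewrites the owner, mask and other bits."""
    return _apply_mode(entries, mode, lambda bits, m: m)

def format_acl(entries):
    """Render like getfacl --omit-header, adding #effective where it differs."""
    eff = effective(entries)
    lines = []
    for tag, qual, bits in entries:
        line = "%s:%s:%s" % (tag, qual, bits_to_perm(bits))
        if eff.get((tag, qual), bits) != bits:
            line += "\t#effective:%s" % bits_to_perm(eff[(tag, qual)])
        lines.append(line)
    return "\n".join(lines)

# Constructed samples copied from the getfacl listings on this page.
DIR_ACL = """\
# file: dir
# owner: max
# group: max
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:group:pubs:r-x
default:group:admin:rwx
default:mask::rwx
default:other::---
"""
REPORT_ACL = "user::rw-\nuser:sam:rw-\ngroup::r--\nmask::r--\nother::r--\n"

if __name__ == "__main__":
    new = inherit(parse_acl(DIR_ACL), 0o666)       # what "touch new" produces
    print(format_acl(new) + "\n--- after chmod 770 new ---")
    print(format_acl(chmod(new, 0o770)))
```

Running the block prints the ACL of new before and after chmod 770; the #effective comments match the getfacl output above. Run over a getfacl listing collected from a real system, effective() tells a reviewer what a named user or group can actually do with a file, which is the number that matters when auditing access, not the permissions printed on the user: or group: line.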

LINKS
A link is a pointer to a file. Each time you create a file using vim, touch, cp, or by some other means, you are putting a pointer in a directory. This pointer associates a filename with a place on the disk. When you specify a filename in a command, you are indirectly pointing to the place on the disk that holds the information you want.

Figure 6-13 Using links to cross-classify files

Sharing files can be useful when two or more people are working on the same project and need to share some information. You can make it easy for other users to access one of your files by creating additional links to the file.
To share a file with another user, first give the user permission to read from and write to the file (page 216). You may also have to change the access permissions of the parent directory of the file to give the user read, write, or execute permission (page 220). Once the permissions are appropriately set, the user can create a link to the file so that each of you can access the file from your separate directory hierarchies.
A link can also be useful to a single user with a large directory hierarchy. You can create links to cross-classify files in your directory hierarchy, using different classifications for different tasks. For example, if you have the file layout depicted in Figure 6-2 on page 201, a file named to_do might appear in each subdirectory of the correspond directory, that is, in personal, memos, and business. If you find it difficult to keep track of everything you need to do, you can create a separate directory named to_do in the correspond directory. You can then link each subdirectory's to-do list into that directory. For example, you could link the file named to_do in the memos directory to a file named memos in the to_do directory. This set of links is shown in Figure 6-13.
Although it may sound complicated, this technique keeps all your to-do lists conveniently in one place. The appropriate list is easily accessible in the task-related directory when you are busy composing letters, writing memos, or handling personal business.

About the discussion of hard links
tip Two kinds of links exist: hard links and symbolic (soft) links. Hard links are older and becoming outdated. The section on hard links is marked as optional; you can skip it, although it discusses inodes and gives you insight into the structure of the filesystem.


optional HARD LINKS
A hard link to a file appears as another file. If the file appears in the same directory as the linked-to file, the links must have different filenames because two files in the same directory cannot have the same name. You can create a hard link to a file only from within the filesystem that holds the file.

ln: CREATES A HARD LINK
The ln (link) utility (without the -s or --symbolic option) creates a hard link to an existing file using the following syntax:
ln existing-file new-link
The next command shows Zach making the link shown in Figure 6-14 by creating a new link named /home/max/letter to an existing file named draft in Zach's home directory:
$ pwd
/home/zach
$ ln draft /home/max/letter
The new link appears in the /home/max directory with the filename letter. In practice, Max may need to change directory permissions so Zach will be able to create the link. Even though /home/max/letter appears in Max's directory, Zach is the owner of the file because he created it.
The ln utility creates an additional pointer to an existing file but it does not make another copy of the file. Because there is only one file, the file status information, such as access permissions, owner, and the time the file was last modified, is the same for all links; only the filenames differ. When Zach modifies /home/zach/draft, for example, Max sees the changes in /home/max/letter.

Figure 6-14 Two links to the same file: /home/max/letter and /home/zach/draft


cp VERSUS ln
The following commands verify that ln does not make an additional copy of a file. Create a file, use ln to make an additional link to the file, change the contents of the file through one link, and verify the change through the other link:
$ cat file_a
This is file A.
$ ln file_a file_b
$ cat file_b
This is file A.
$ vim.tiny file_b
$ cat file_b
This is file B after the change.
$ cat file_a
This is file B after the change.
If you try the same experiment using cp instead of ln and change a copy of the file, the difference between the two utilities will become clearer. Once you change a copy of a file, the two files are different:
$ cat file_c
This is file C.
$ cp file_c file_d
$ cat file_d
This is file C.
$ vim.tiny file_d
$ cat file_d
This is file D after the change.
$ cat file_c
This is file C.
ls and link counts  You can use ls with the -l option, followed by the names of the files you want to compare, to confirm that the status information is the same for two links to the same file and is different for files that are not linked. In the following example, the 2 in the links field (just to the left of max) shows there are two links to file_a and file_b (from the previous example):
$ ls -l file_a file_b file_c file_d
-rw-r--r-- 2 max pubs 33 2010-05-24 10:52 file_a
-rw-r--r-- 2 max pubs 33 2010-05-24 10:52 file_b
-rw-r--r-- 1 max pubs 16 2010-05-24 10:55 file_c
-rw-r--r-- 1 max pubs 33 2010-05-24 10:57 file_d
Although it is easy to guess which files are linked to one another in this example, ls does not explicitly tell you.
ls and inodes  Use ls with the -i option to determine without a doubt which files are linked. The -i option lists the inode (page 1153) number for each file. An inode is the control structure for a file. If the two filenames have the same inode number, they share the same control structure and are links to the same file. Conversely, when two filenames have different inode numbers, they are different files. The following example shows that file_a and file_b have the same inode number and that file_c and file_d have different inode numbers:
$ ls -i file_a file_b file_c file_d
3534 file_a    3534 file_b    5800 file_c    7328 file_d
All links to a file are of equal value: The operating system cannot distinguish the order in which multiple links were created. When a file has two links, you can remove either one and still access the file through the remaining link. You can remove the link used to create the file, for example, and, as long as one link remains, still access the file through that link.

SYMBOLIC LINKS
In addition to hard links, Linux supports symbolic links, also called soft links or symlinks. A hard link is a pointer to a file (the directory entry points to the inode), whereas a symbolic link is an indirect pointer to a file (the directory entry contains the pathname of the pointed-to file, a pointer to the hard link to the file).
Advantages of symbolic links  Symbolic links were developed because of the limitations inherent in hard links. You cannot create a hard link to a directory, but you can create a symbolic link to a directory.
In many cases the Linux file hierarchy encompasses several filesystems. Because each filesystem keeps separate control information (that is, separate inode tables or filesystem structures) for the files it holds, it is not possible to create hard links between files in different filesystems. A symbolic link can point to any file, regardless of where it is located in the file structure, but a hard link to a file must be in the same filesystem as the other hard link(s) to the file. When you create links only among files in your home directory, you will not notice this limitation.
A major advantage of a symbolic link is that it can point to a nonexistent file. This ability is useful if you need a link to a file that is periodically removed and re-created. A hard link keeps pointing to a "removed" file, which the link keeps alive even after a new file is created. In contrast, a symbolic link always points to the newly created file and does not interfere when you delete the old file. For example, a symbolic link could point to a file that gets checked in and out under a source code control system, a .o file that is re-created by the C compiler each time you run make, or a log file that is repeatedly archived.
Although they are more general than hard links, symbolic links have some disadvantages. Whereas all hard links to a file have equal status, symbolic links do not have the same status as hard links. When a file has multiple hard links, it is analogous to a person having multiple full legal names, as many married women do. In contrast, symbolic links are analogous to nicknames. Anyone can have one or more nicknames, but these nicknames have a lesser status than legal names. The following sections describe some of the peculiarities of symbolic links.

ln: CREATES SYMBOLIC LINKS
The ln utility with the --symbolic (or -s) option creates a symbolic link. The following example creates a symbolic link /tmp/s3 to the file sum in Max's home directory. When you use an ls -l command to look at the symbolic link, ls displays the name of the link and the name of the file it points to. The first character of the listing is l (for link).
$ ln --symbolic /home/max/sum /tmp/s3
$ ls -l /home/max/sum /tmp/s3
-rw-rw-r-- 1 max max 38 2010-06-12 09:51 /home/max/sum
lrwxrwxrwx 1 max max 14 2010-06-12 09:52 /tmp/s3 -> /home/max/sum
$ cat /tmp/s3
This is sum.
The sizes and times of the last modifications of the two files are different. Unlike a hard link, a symbolic link to a file does not have the same status information as the file itself.
You can also use ln to create a symbolic link to a directory. When you use the --symbolic option, ln works as expected whether the file you are creating a link to is an ordinary file or a directory.

Use absolute pathnames with symbolic links
tip Symbolic links are literal and are not aware of directories. A link that points to a relative pathname, which includes simple filenames, assumes the relative pathname is relative to the directory that the link was created in (not the directory the link was created from). In the following example, the link points to the file named sum in the /tmp directory. Because no such file exists, cat gives an error message:
$ pwd
/home/max
$ ln --symbolic sum /tmp/s4
$ ls -l sum /tmp/s4
lrwxrwxrwx 1 max max  3 2010-06-12 10:13 /tmp/s4 -> sum
-rw-rw-r-- 1 max max 38 2010-06-12 09:51 sum
$ cat /tmp/s4
cat: /tmp/s4: No such file or directory

optional cd AND SYMBOLIC LINKS
When you use a symbolic link as an argument to cd to change directories, the results can be confusing, particularly if you did not realize that you were using a symbolic link.
If you use cd to change to a directory that is represented by a symbolic link, the pwd shell builtin (page 261) lists the name of the symbolic link. The pwd utility (/bin/pwd) lists the name of the linked-to directory, not the link, regardless of how you got there.
$ ln -s /home/max/grades /tmp/grades.old
$ pwd
/home/max
$ cd /tmp/grades.old
$ pwd
/tmp/grades.old
$ /bin/pwd
/home/max/grades

When you change directories back to the parent, you end up in the directory holding the symbolic link:
$ cd ..
$ pwd
/tmp
$ /bin/pwd
/tmp

rm: REMOVES A LINK
When you create a file, there is one hard link to it. You can then delete the file or, using Linux terminology, remove the link with the rm utility. When you remove the last hard link to a file, you can no longer access the information stored there and the operating system releases the space the file occupied on the disk for use by other files. This space is released even if symbolic links to the file remain. When there is more than one hard link to a file, you can remove a hard link and still access the file from any remaining link. Unlike DOS and Windows, Linux does not provide an easy way to undelete a file once you have removed it. A skilled hacker, however, can sometimes piece the file together with time and effort.
When you remove all hard links to a file, you will not be able to access the file through a symbolic link. In the following example, cat reports that the file total does not exist because it is a symbolic link to a file that has been removed:
$ ls -l sum
-rw-r--r-- 1 max pubs 981 2010-05-24 11:05 sum
$ ln -s sum total
$ rm sum
$ cat total
cat: total: No such file or directory
$ ls -l total
lrwxrwxrwx 1 max pubs 6 2010-05-24 11:09 total -> sum
When you remove a file, be sure to remove all symbolic links to it. Remove a symbolic link in the same way you remove other files:
$ rm total
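The following Python program is an added example rather than the book's code. It re-creates the file_a/file_b, file_c/file_d, sum, s3 and s4 scenarios from the hard-link and symbolic-link sections above in a scratch directory and reports what the kernel says about them: the shared inode and link count of hard links, the separate inodes of a cp copy, the size difference between a symbolic link and its target, the relative-pathname pitfall from the tip (a link created as "sum" in tmp/ is looked up as tmp/sum), and what survives rm. The directory layout (root/home/max standing in for /home/max and root/tmp for /tmp) and the function names are the example's own; it assumes a POSIX filesystem that supports hard and symbolic links.

```python
import os
import shutil
import tempfile


def write_text(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def read_text(path):
    with open(path) as fh:
        return fh.read()


def link_facts(root):
    """Re-create the page's link examples under root and return a dict of
    what the kernel reports, so the results can be checked rather than read."""
    home = os.path.join(root, "home", "max")   # stands in for /home/max
    tmp = os.path.join(root, "tmp")            # stands in for /tmp
    os.makedirs(home)
    os.makedirs(tmp)
    f = {}

    # --- hard link versus copy (the "cp VERSUS ln" section) ---
    file_a, file_b = os.path.join(home, "file_a"), os.path.join(home, "file_b")
    file_c, file_d = os.path.join(home, "file_c"), os.path.join(home, "file_d")
    write_text(file_a, "This is file A.\n")
    os.link(file_a, file_b)                    # $ ln file_a file_b
    write_text(file_c, "This is file C.\n")
    shutil.copyfile(file_c, file_d)            # $ cp file_c file_d
    write_text(file_b, "This is file B after the change.\n")  # edit via one name
    write_text(file_d, "This is file D after the change.\n")  # edit the copy
    f["hard_same_inode"] = os.stat(file_a).st_ino == os.stat(file_b).st_ino
    f["hard_nlink"] = os.stat(file_a).st_nlink          # the "2" that ls -l shows
    f["file_a_text"] = read_text(file_a)                # change visible via file_a
    f["copy_same_inode"] = os.stat(file_c).st_ino == os.stat(file_d).st_ino
    f["file_c_text"] = read_text(file_c)                # the original is untouched

    # --- symbolic links: absolute target, then the relative-pathname tip ---
    sum_path = os.path.join(home, "sum")
    write_text(sum_path, "This is sum.\n")
    s3 = os.path.join(tmp, "s3")
    os.symlink(sum_path, s3)                   # $ ln --symbolic /home/max/sum /tmp/s3
    f["s3_lstat_size"] = os.lstat(s3).st_size  # length of the stored pathname
    f["s3_stat_size"] = os.stat(s3).st_size    # size of sum itself (13 bytes)
    s4 = os.path.join(tmp, "s4")
    os.symlink("sum", s4)                      # $ ln --symbolic sum /tmp/s4, run in home
    f["s4_target"] = os.readlink(s4)           # the literal string "sum"
    f["s4_resolves"] = os.path.exists(s4)      # False: resolved as tmp/sum
    f["s4_realpath"] = os.path.realpath(s4)    # .../tmp/sum, which does not exist

    # --- rm: a remaining hard link keeps the file, a symbolic link dangles ---
    os.remove(file_a)                          # $ rm file_a
    f["file_b_after_rm"] = read_text(file_b)
    f["nlink_after_rm"] = os.stat(file_b).st_nlink
    os.remove(sum_path)                        # $ rm sum
    f["s3_dangling"] = os.path.islink(s3) and not os.path.exists(s3)
    return f


def run_demo():
    """Run link_facts() in a temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as root:
        return link_facts(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-18s %r" % (key, value))
```

The two checks a defender most often needs are in there: os.stat(...).st_nlink tells you whether a file you are about to delete or rotate is still reachable under another name, and os.lstat versus os.stat (or os.path.islink plus os.path.exists) tells a symbolic link apart from the file it claims to be, including the dangling case the rm section ends with.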

CHAPTER SUMMARY
Linux has a hierarchical, or treelike, file structure that makes it possible to organize files so you can find them quickly and easily. The file structure contains directory files and ordinary files. Directories contain other files, including other directories; ordinary files generally contain text, programs, or images. The ancestor of all files is the root directory and is represented by / standing alone or at the left end of a pathname.


Most Linux filesystems support 255-character filenames. Nonetheless, it is a good idea to keep filenames simple and intuitive. Filename extensions can help make filenames more meaningful.

When you are logged in, you are always associated with a working directory. Your home directory is the working directory from the time you log in until you use cd to change directories.

An absolute pathname starts with the root directory and contains all the filenames that trace a path to a given file. The pathname starts with a slash, representing the root directory, and contains additional slashes following all the directories in the path, except for the last directory in the case of a path that points to a directory file. A relative pathname is similar to an absolute pathname but traces the path starting from the working directory. A simple filename is the last element of a pathname and is a form of a relative pathname; it represents a file in the working directory.

A Linux filesystem contains many important directories, including /usr/bin, which stores most of the Linux utility commands, and /dev, which stores device files, many of which represent physical pieces of hardware. An important standard file is /etc/passwd; it contains information about users, such as each user's ID and full name.

Among the attributes associated with each file are access permissions. They determine who can access the file and how the file may be accessed. Three groups of users can potentially access the file: the owner, the members of a group, and all other users. An ordinary file can be accessed in three ways: read, write, and execute. The ls utility with the -l option displays these permissions. For directories, execute access is redefined to mean that the directory can be searched.

The owner of a file or a user working with root privileges can use the chmod utility to change the access permissions of a file. This utility specifies read, write, and execute permissions for the file's owner, the group, and all other users on the system.

Access Control Lists (ACLs) provide finer-grained control over which users can access specific directories and files than do traditional Linux permissions. Using ACLs you can specify the ways in which each of several users can access a directory or file. Few utilities preserve ACLs when working with files.
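The directory rule in the summary (execute means "searchable", read means "listable") is easy to misremember, so here is an added example, not from the book, that exercises it in a scratch directory created with mktemp. The helper names perm_string and demo_dir_search_vs_read are assumptions of this example. Note that a process running as root bypasses these permission checks, so run it as an ordinary user to see the effect.

```shell
# Added example, not from the book: what the rwx bits mean for an ordinary
# file versus a directory, exercised in a scratch directory from mktemp.
# A process running as root bypasses these checks entirely.

# Symbolic permission string of a path (e.g. drwxr-xr-x), taken from the
# first field of ls -ld; a trailing "+" or "." (ACL/SELinux marker) is dropped.
perm_string() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Exercise the directory rule from the chapter summary: with execute
# (search) permission but no read permission the directory cannot be listed,
# yet a file inside it can still be opened by name; with read but no execute
# permission the names can be listed but the file cannot be opened.
demo_dir_search_vs_read() (
    scratch=$(mktemp -d)
    mkdir "$scratch/business"
    printf 'cheese order\n' > "$scratch/business/cheese_co"
    chmod 644 "$scratch/business/cheese_co"      # readable by everyone

    chmod 111 "$scratch/business"                # d--x--x--x: search only
    list=no; open=no
    ls "$scratch/business" >/dev/null 2>&1 && list=yes
    cat "$scratch/business/cheese_co" >/dev/null 2>&1 && open=yes
    x_only="x-only: list=$list open=$open"

    chmod 444 "$scratch/business"                # dr--r--r--: read only
    list=no; open=no
    ls "$scratch/business" >/dev/null 2>&1 && list=yes
    cat "$scratch/business/cheese_co" >/dev/null 2>&1 && open=yes
    r_only="r-only: list=$list open=$open"

    chmod 755 "$scratch/business"                # restore so the cleanup can remove it
    rm -rf "$scratch"
    echo "$x_only; $r_only"
)

demo_dir_search_vs_read
```

Run as an ordinary user this prints "x-only: list=no open=yes; r-only: list=yes open=no": an execute-only directory hides its contents from anyone who does not already know a name inside it, which is why a search-only directory is a common way to publish a file without publishing a listing.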
An ordinary file stores user data, such as textual information, programs, or images. A directory is a standard-format disk file that stores information, including names, about ordinary files and other directory files. An inode is a data structure, stored on disk, that defines a file's existence and is identified by an inode number. A directory relates each of the filenames it stores to an inode.

A link is a pointer to a file. You can have several links to a file so you can share the file with other users or have the file appear in more than one directory. Because only one copy of a file with multiple links exists, changing the file through any one link causes the changes to appear in all the links. Hard links cannot link directories or span filesystems, whereas symbolic links can.
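As an added example, not from the book, the following script repeats the chapter's ln -s sum total sequence, adds a hard link, and reports what survives when the original name is removed. The file and link names are the book's; the scratch directory and the helpers inode_of, link_count and demo_links are constructed here.

```shell
# Added example, not from the book: hard links versus symbolic links.

# Inode number of a path (first field of ls -i).
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# Link count of a path (second field of ls -l).
link_count() {
    ls -l "$1" | awk '{ print $2 }'
}

demo_links() (
    scratch=$(mktemp -d)
    cd "$scratch" || exit 1
    printf 'running total\n' > sum
    ln sum hard_sum              # hard link: another name for the same inode
    ln -s sum total              # symbolic link: a file whose content is the name "sum"

    same_inode=no
    [ "$(inode_of sum)" = "$(inode_of hard_sum)" ] && same_inode=yes
    links=$(link_count sum)      # 2: sum and hard_sum (the symbolic link does not count)

    rm sum                       # remove the original name only
    hard_ok=no; sym_ok=no; dangling=no
    cat hard_sum >/dev/null 2>&1 && hard_ok=yes     # data still reachable through the hard link
    cat total >/dev/null 2>&1 && sym_ok=yes         # fails: "No such file or directory"
    [ -L total ] && [ ! -e total ] && dangling=yes  # the symlink exists but points nowhere

    cd / && rm -rf "$scratch"
    echo "same_inode=$same_inode links=$links hard_ok=$hard_ok sym_ok=$sym_ok dangling=$dangling"
)

demo_links
```

The output is "same_inode=yes links=2 hard_ok=yes sym_ok=no dangling=yes". The hard link keeps the data alive because the inode's link count is still 1 after rm; the symbolic link only stores a name, so it dangles. A dangling symbolic link is worth removing promptly, since if the target name is later recreated the link silently resolves to whatever file now bears that name.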

CHAPTER 6   THE LINUX FILESYSTEM
Table 6-3 summarizes the utilities introduced in this chapter.

Table 6-3   Utilities Introduced in Chapter 6

Utility   Function
cd        Associates you with another working directory (page 209)
chmod     Changes access permissions on a file (page 216)
getfacl   Displays a file's ACL (page 222)
ln        Makes a link to an existing file (page 228)
mkdir     Creates a directory (page 208)
pwd       Displays the pathname of the working directory (page 204)
rmdir     Deletes a directory (page 210)
setfacl   Modifies a file's ACL (page 222)

EXERCISES

1. Is each of the following an absolute pathname, a relative pathname, or a simple filename?
   a. milk_co
   b. correspond/business/milk_co
   c. /home/max
   d. /home/max/literature/promo
   e. ..
   f. letter.0610

2. List the commands you can use to perform these operations:
   a. Make your home directory the working directory
   b. Identify the working directory

3. If the working directory is /home/max with a subdirectory named literature, give three sets of commands that you can use to create a subdirectory named classics under literature. Also give several sets of commands you can use to remove the classics directory and its contents.

4. The df utility displays all mounted filesystems along with information about each. Use the df utility with the -h (human-readable) option to answer the following questions.
   a. How many filesystems are mounted on your Linux system?
   b. Which filesystem stores your home directory?
   c. Assuming that your answer to exercise 4a is two or more, attempt to create a hard link to a file on another filesystem. What error message do you get? What happens when you attempt to create a symbolic link to the file instead?

5. Suppose you have a file that is linked to a file owned by another user. How can you ensure that changes to the file are no longer shared?

6. You should have read permission for the /etc/passwd file. To answer the following questions, use cat or less to display /etc/passwd. Look at the fields of information in /etc/passwd for the users on your system.
   a. Which character is used to separate fields in /etc/passwd?
   b. How many fields are used to describe each user?
   c. How many users are on the local system?
   d. How many different login shells are in use on your system? (Hint: Look at the last field.)
   e. The second field of /etc/passwd stores user passwords in encoded form. If the password field contains an x, your system uses shadow passwords and stores the encoded passwords elsewhere. Does your system use shadow passwords?

7. If /home/zach/draft and /home/max/letter are links to the same file and the following sequence of events occurs, what will be the date in the opening of the letter?
   a. Max gives the command vim.tiny letter.
   b. Zach gives the command vim.tiny draft.
   c. Zach changes the date in the opening of the letter to January 31, 2010, writes the file, and exits from vim.
   d. Max changes the date to February 1, 2010, writes the file, and exits from vim.

8. Suppose a user belongs to a group that has all permissions on a file named jobs_list, but the user, as the owner of the file, has no permissions. Describe which operations, if any, the user/owner can perform on jobs_list. Which command can the user/owner give that will grant the user/owner all permissions on the file?

9. Does the root directory have any subdirectories you cannot search as an ordinary user? Does the root directory have any subdirectories you cannot read as a regular user? Explain.

10. Assume you are given the directory structure shown in Figure 6-2 on page 201 and the following directory permissions:
   d--x--x---  3 zach pubs 512 2010-03-10 15:16 business
   drwxr-xr-x  2 zach pubs 512 2010-03-10 15:16 business/milk_co
   For each category of permissions—owner, group, and other—what happens when you run each of the following commands? Assume the working directory is the parent of correspond and that the file cheese_co is readable by everyone.
   a. cd correspond/business/milk_co
   b. ls -l correspond/business
   c. cat correspond/business/cheese_co

ADVANCED EXERCISES

11. What is an inode? What happens to the inode when you move a file within a filesystem?

12. What does the .. entry in a directory point to? What does this entry point to in the root (/) directory?

13. How can you create a file named -i? Which techniques do not work, and why do they not work? How can you remove the file named -i?

14. Suppose the working directory contains a single file named andor. What error message do you get when you run the following command line?
$ mv andor and\/or
Under what circumstances is it possible to run the command without producing an error?

15. The ls -i command displays a filename preceded by the inode number of the file (page 229). Write a command to output inode/filename pairs for the files in the working directory, sorted by inode number. (Hint: Use a pipe.)

16. Do you think the system administrator has access to a program that can decode user passwords? Why or why not? (See exercise 6.)

17. Is it possible to distinguish a file from a hard link to a file? That is, given a filename, can you tell whether it was created using an ln command? Explain.

18. Explain the error messages displayed in the following sequence of commands:
$ ls -l
total 1
drwxrwxr-x 2 max pubs 1024 2010-03-02 17:57 dirtmp
$ ls dirtmp
$ rmdir dirtmp
rmdir: dirtmp: Directory not empty
$ rm dirtmp/*
rm: No match.

7
THE SHELL

IN THIS CHAPTER
The Command Line                              238
Standard Input and Standard Output            243
Pipes                                         251
Running a Command in the Background           254
kill: Aborting a Background Job               255
Filename Generation/Pathname Expansion        256
Builtins                                      261

This chapter takes a close look at the shell and explains how to use some of its features. For example, it discusses command-line syntax. It also describes how the shell processes a command line and initiates execution of a program. In addition the chapter explains how to redirect input to and output from a command, construct pipes and filters on the command line, and run a command in the background. The final section covers filename expansion and explains how you can use this feature in your everyday work.

The exact wording of the shell output differs from shell to shell: What your shell displays may differ slightly from what appears in this book. Refer to Chapter 9 for more information on bash and to Chapter 27 for information on writing and executing bash shell scripts.


THE COMMAND LINE

The shell executes a program when you give it a command in response to its prompt. For example, when you give the ls command, the shell executes the utility program named ls. You can cause the shell to execute other types of programs—such as shell scripts, application programs, and programs you have written—in the same way. The line that contains the command, including any arguments, is called the command line. This book uses the term command to refer to both the characters you type on the command line and the program that action invokes.

SYNTAX

Command-line syntax dictates the ordering and separation of the elements on a command line. When you press the RETURN key after entering a command, the shell scans the command line for proper syntax. The syntax for a basic command line is

command [arg1] [arg2] ... [argn] RETURN

One or more SPACEs must separate elements on the command line. The command is the name of the command, arg1 through argn are arguments, and RETURN is the keystroke that terminates all command lines. The brackets in the command-line syntax indicate that the arguments they enclose are optional. Not all commands require arguments: Some commands do not allow arguments; other commands allow a variable number of arguments; and still others require a specific number of arguments. Options, a special kind of argument, are usually preceded by one or two hyphens (also called a dash or minus sign: -).

COMMAND NAME

Usage message
Some useful Linux command lines consist of only the name of the command without any arguments. For example, ls by itself lists the contents of the working directory. Commands that require arguments typically give a short error message, called a usage message, when you use them without arguments, with incorrect arguments, or with the wrong number of arguments.

ARGUMENTS

On the command line each sequence of nonblank characters is called a token or word. An argument is a token, such as a filename, string of text, number, or other object that a command acts on. For example, the argument to a vim or emacs command is the name of the file you want to edit.

The following command line shows cp copying the file named temp to tempcopy:
$ cp temp tempcopy

Arguments are numbered starting with the command itself, which is argument zero. In this example, cp is argument zero, temp is argument one, and tempcopy is argument two. The cp utility requires at least two arguments on the command line. Argument one is the name of an existing file. Argument two is the name of the file that cp is creating or overwriting. Here the arguments are not optional; both arguments must be

$ ls
hold      mark      names     oldstuff  temp      zach
house     max       office    personal  test
$ ls -r
zach      temp      oldstuff  names     mark      hold
test      personal  office    max       house
$ ls -x
hold      house     mark      max       names     office
oldstuff  personal  temp      test      zach
$ ls -rx
zach      test      temp      personal  oldstuff  office
names     max       mark      house     hold

Figure 7-1   Using options

present for the command to work. When you do not supply the right number or kind of arguments, cp displays a usage message. Try typing cp and then pressing RETURN.

OPTIONS

An option is an argument that modifies the effects of a command. You can frequently specify more than one option, modifying the command in several different ways. Options are specific to and interpreted by the program that the command line calls, not by the shell.

By convention options are separate arguments that follow the name of the command and usually precede other arguments, such as filenames. Most utilities require you to prefix options with a single hyphen. However, this requirement is specific to the utility and not the shell. GNU program options are frequently preceded by two hyphens in a row. For example, --help generates a (sometimes extensive) usage message.

Figure 7-1 first shows the output of an ls command without any options. By default ls lists the contents of the working directory in alphabetical order, vertically sorted in columns. Next the -r (reverse order; because this is a GNU utility, you can also use --reverse) option causes the ls utility to display the list of files in reverse alphabetical order, still sorted in columns. The -x option causes ls to display the list of files in horizontally sorted rows.

Combining options
When you need to use several options, you can usually group multiple single-letter options into one argument that starts with a single hyphen; do not put SPACEs between the options. You cannot combine options that are preceded by two hyphens in this way. Specific rules for combining options depend on the program you are running. Figure 7-1 shows both the -r and -x options with the ls utility. Together these options generate a list of filenames in horizontally sorted columns, in reverse alphabetical order. Most utilities allow you to list options in any order; thus ls -xr produces the same results as ls -rx. The command ls -x -r also generates the same list.

Option arguments
Some utilities have options that themselves require arguments. For example, the gcc utility has a -o option that must be followed by the name you want to give the executable file that gcc generates. Typically an argument to an option is separated from its option letter by a SPACE:
$ gcc -o prog prog.c


Displaying readable file sizes: the -h option
tip Most utilities that report on file sizes specify the size of a file in bytes. Bytes work well when you are dealing with smaller files, but the numbers can be difficult to read when you are working with file sizes that are measured in megabytes or gigabytes. Use the -h (or --human-readable) option to display file sizes in kilo-, mega-, and gigabytes. Experiment with the df -h (disk free) and ls -lh commands.
Arguments that start with a hyphen
Another convention allows utilities to work with arguments, such as filenames, that start with a hyphen. If a file's name is -l, the following command is ambiguous:
$ ls -l
This command could mean a long listing of all files in the working directory or a listing of the file named -l. It is interpreted as the former. Avoid creating files whose names begin with hyphens. If you do create them, many utilities follow the convention that a -- argument (two consecutive hyphens) indicates the end of the options (and the beginning of the arguments). To disambiguate the command, you can type
$ ls -- -l
You can use an alternative format in which the period refers to the working directory and the slash indicates that the name refers to a file in the working directory:
$ ls ./-l
Assuming that you are working in the /home/max directory, the preceding command is functionally equivalent to
$ ls /home/max/-l
The following command displays a long listing of this file:
$ ls -l -- -l
These are conventions, not hard-and-fast rules, and a number of utilities do not follow them (e.g., find). Following such conventions is a good idea; it becomes much easier for users to work with your program. When you write shell programs that require options, follow the Linux option conventions.
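The following is an added example, not from the book, of a shell function that follows the option conventions just described, implemented with the POSIX getopts builtin: combined single-letter options (-rx), options in any order (-x -r), an option that takes its own argument (-o file, as gcc does), and -- to end the options so that a following argument such as -l is treated as a filename. The option letters are borrowed from the ls and gcc examples above; parse_opts itself is a hypothetical script, not a real utility.

```shell
# Added example, not from the book: option handling with getopts that
# follows the Linux option conventions. parse_opts is a hypothetical script.

# Parse options from the arguments and report what was found.
parse_opts() {
    OPTIND=1                      # reset getopts so the function can be called repeatedly
    reverse=no; across=no; outfile=
    while getopts 'rxo:' opt; do  # 'o:' means -o takes an argument
        case $opt in
            r) reverse=yes ;;
            x) across=yes ;;
            o) outfile=$OPTARG ;;
            *) echo 'usage: parse_opts [-r] [-x] [-o file] [--] [file ...]' >&2
               return 1 ;;        # unknown option: usage message, non-zero status
        esac
    done
    shift $((OPTIND - 1))         # drop the options; whatever is left are the arguments
    echo "reverse=$reverse across=$across outfile=$outfile args=$#:$*"
}

parse_opts -rx hold house         # reverse=yes across=yes outfile= args=2:hold house
parse_opts -o prog prog.c         # reverse=no across=no outfile=prog args=1:prog.c
parse_opts -- -l                  # reverse=no across=no outfile= args=1:-l
```

getopts stops at the first argument that does not start with a hyphen, or at --, and leaves OPTIND pointing at the first non-option; the shift after the loop is what turns "options, then arguments" into the positional parameters the rest of a script works with. An unrecognized option (for example parse_opts -l) produces a usage message on standard error and a status of 1, the behaviour the text describes for commands given incorrect arguments.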

PROCESSING THE COMMAND LINE

As you enter a command line, the Linux tty device driver (part of the Linux kernel) examines each character to see whether it must take immediate action. When you press CONTROL-H (to erase a character) or CONTROL-U (to kill a line), the device driver immediately adjusts the command line as required; the shell never sees the character(s) you erased or the line you killed. Often a similar adjustment occurs when you press CONTROL-W (to erase a word). When the character you entered does not require immediate action, the device driver stores the character in a buffer and waits for additional characters. When you press RETURN, the device driver passes the command line to the shell for processing.

Parsing the command line
When the shell processes a command line, it looks at the line as a whole and parses (breaks) it into its component parts (Figure 7-2). Next the shell looks for the name of the command. Usually the name of the command is the first item on the command line after the prompt (argument zero). The shell takes the first characters on the command line up to the first blank (TAB or SPACE) and then looks for a command with that name. The command name (the first token) can be specified on the command line either as a simple filename or as a pathname. For example, you can call the ls command in either of the following ways:
$ ls
$ /bin/ls

The --help option
tip Many utilities display a (sometimes extensive) help message when you call them with an argument of --help. All utilities developed by the GNU Project (page 4) accept this option. An example follows.
$ bzip2 --help
bzip2, a block-sorting file compressor.  Version 1.0.5, 10-Dec-2007.

   usage: bunzip2 [flags and input files in any order]

   -h --help           print this message
   -d --decompress     force decompression
   -z --compress       force compression
   -k --keep           keep (don't delete) input files
   -f --force          overwrite existing output files

   If invoked as 'bzip2',  default action is to compress.
              as 'bunzip2',  default action is to decompress.
              as 'bzcat',  default action is to decompress to stdout.

[Figure 7-2   Processing the command line. Flowchart: get the first word and save it as the command name; if the program is not found, display "not found"; otherwise execute the program; then get more of the command line and issue a prompt.]
optional
The shell does not require that the name of the program appear first on the command line. Thus you can structure a command line as follows:
$ >bb



) instructs the shell to redirect the output of a command to the specified file instead of to the screen (Figure 7-6). The format of a command line that redirects output is

command [arguments] > filename

where command is any executable program (such as an application program or a utility), arguments are optional arguments, and filename is the name of the ordinary file the shell redirects the output to.

Figure 7-7 uses cat to demonstrate output redirection. This figure contrasts with Figure 7-5, where standard input and standard output are associated with the keyboard and screen. The input in Figure 7-7 comes from the keyboard. The redirect output symbol on the command line causes the shell to associate cat's standard output with the sample.txt file specified on the command line.

Redirecting output can destroy a file I
caution Use caution when you redirect output to a file. If the file exists, the shell will overwrite it and destroy its contents. For more information see the tip "Redirecting output can destroy a file II" on page 249.

After giving the command and typing the text shown in Figure 7-7, the sample.txt file contains the text you entered. You can use cat with an argument of sample.txt to display this file. The next section shows another way to use cat to display the file.

Figure 7-7 shows that redirecting standard output from cat is a handy way to create a file without using an editor. The drawback is that once you enter a line and press RETURN, you cannot edit the text. While you are entering a line, the erase and kill keys work to delete text. This procedure is useful for creating short, simple files.

Figure 7-8 shows how to use cat and the redirect output symbol to catenate (join one after the other—the derivation of the name of the cat utility) several files into one larger file. The first three commands display the contents of three files: stationery, tape, and pens. The next command shows cat with three filenames as arguments. When you call it with more than one filename, cat copies the files, one at a time, to standard output. This command redirects standard output to the file supply_orders. The final cat command shows that supply_orders contains the contents of all three of the original files.

$ cat > sample.txt
This text is being entered at the keyboard and
cat is copying it to a file.
Press CONTROL-D to indicate the
end of file.
CONTROL-D
$

Figure 7-7   cat with its output redirected

REDIRECTING STANDARD INPUT

Just as you can redirect standard output, so you can redirect standard input. The redirect input symbol (<) instructs the shell to redirect a command's input to come from the specified file instead of from the keyboard (Figure 7-9, next page). The format of a command line that redirects input is

command [arguments] < filename

where command is any executable program (such as an application program or a utility), arguments are optional arguments, and filename is the name of the ordinary file the shell redirects the input from.

$ cat stationery
2,000 sheets letterhead ordered:    10/7/10
$ cat tape
1 box masking tape ordered:         10/14/10
5 boxes filament tape ordered:      10/28/10
$ cat pens
12 doz. black pens ordered:         10/4/10
$ cat stationery tape pens > supply_orders
$ cat supply_orders
2,000 sheets letterhead ordered:    10/7/10
1 box masking tape ordered:         10/14/10
5 boxes filament tape ordered:      10/28/10
12 doz. black pens ordered:         10/4/10
$

Figure 7-8   Using cat to catenate files

[Figure 7-9   Redirecting standard input. Diagram: standard input is taken from a file and flows into the command; the command's standard output still goes to the screen.]

Figure 7-10 shows cat with its input redirected from the supply_orders file created in Figure 7-8 and standard output going to the screen. This setup causes cat to display the sample file on the screen. The system automatically supplies an EOF signal at the end of an ordinary file.

Utilities that take input from a file or standard input
Giving a cat command with input redirected from a file yields the same result as giving a cat command with the filename as an argument. The cat utility is a member of a class of Linux utilities that function in this manner. Other members of this class of utilities include lpr, sort, grep, and Perl. These utilities first examine the command line that you call them with. If you include a filename on the command line, the utility takes its input from the file you specify. If you do not specify a filename, the utility takes its input from standard input. It is the utility or program—not the shell or operating system—that functions in this manner.
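As an added example, not from the book, the script below constructs the three order files of Figure 7-8, catenates them with output redirection and reads the result back with input redirection. count_lines is a hypothetical utility built the way the text describes cat, sort and grep: it reads the files named on its command line or, if none are named, standard input.

```shell
# Added example, not from the book: output and input redirection, plus a
# hypothetical utility (count_lines) that takes input from a file or from
# standard input the way cat, sort and grep do.

# Count lines in the named files, or in standard input when no file is given.
# The choice is made by this program, not by the shell: with '<' the shell
# has already opened the file and the program only ever sees standard input.
count_lines() {
    if [ $# -eq 0 ]; then
        awk 'END { print NR }'                 # no arguments: read standard input
    else
        cat "$@" | awk 'END { print NR }'      # arguments: read the files, one after another
    fi
}

demo_redirection() (
    scratch=$(mktemp -d)
    cd "$scratch" || exit 1
    # constructed sample data, after Figure 7-8
    printf '2,000 sheets letterhead ordered:    10/7/10\n' > stationery
    printf '1 box masking tape ordered:         10/14/10\n' > tape
    printf '5 boxes filament tape ordered:      10/28/10\n' >> tape
    printf '12 doz. black pens ordered:         10/4/10\n' > pens

    cat stationery tape pens > supply_orders   # redirect output: join three files into one
    by_redirect=$(count_lines < supply_orders) # redirect input: the shell opens the file
    by_argument=$(count_lines supply_orders)   # filename argument: the utility opens it
    total=$(count_lines stationery tape pens)  # several files, no redirection at all

    cd / && rm -rf "$scratch"
    echo "$by_redirect $by_argument $total"
)

demo_redirection
```

All three counts are 4. One practical difference remains even though the results agree: with count_lines < nofile it is the shell that fails to open the file and the utility never runs, whereas with count_lines nofile the utility itself reports the error, so the wording of the message (and which program's exit status you see) differs between the two forms.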

noclobber: AVOIDS OVERWRITING FILES

The shell provides the noclobber feature that prevents overwriting a file using redirection. Enable this feature by setting noclobber using the command set -o noclobber. The same command with +o unsets noclobber. With noclobber set, if you redirect output to an existing file, the shell displays an error message and does not execute the command. The following example creates a file using touch, sets noclobber, attempts to redirect the output from echo to the newly created file, unsets noclobber, and performs the same redirection:
$ touch tmp
$ set -o noclobber
$ echo "hi there" > tmp
bash: tmp: cannot overwrite existing file
$ set +o noclobber
$ echo "hi there" > tmp

You can override noclobber by putting a pipe symbol after the redirect symbol (>|). In the following example, the user creates a file by redirecting the output of date.


$ cat < supply_orders
2,000 sheets letterhead ordered:  10/7/10
1 box masking tape ordered:       10/14/10
5 boxes filament tape ordered:    10/28/10
12 doz. black pens ordered:       10/4/10

Figure 7-10   cat with its input redirected

Next the user sets the noclobber variable and redirects output to the same file again. The shell displays an error message. Then the user places a pipe symbol after the redirect symbol and the shell allows the user to overwrite the file.
$ date > tmp2
$ set -o noclobber
$ date > tmp2
bash: tmp2: cannot overwrite existing file
$ date >| tmp2

Redirecting output can destroy a file II
caution Depending on which shell you are using and how the environment is set up, a command such as
the following may yield undesired results:
$ cat orange pear > orange
cat: orange: input file is output file

Although cat displays an error message, the shell destroys the contents of the existing orange
file. The new orange file will have the same contents as pear because the first action the shell
takes when it sees the redirection symbol (>) is to remove the contents of the original orange file.
If you want to catenate two files into one, use cat to put the two files into a temporary file and then
use mv to rename this third file:
$ cat orange pear > temp
$ mv temp orange

What happens in the next example can be even worse. The user giving the command wants to
search through files a, b, and c for the word apple and redirect the output from grep (page 166)
to the file a.output. Unfortunately the user enters the filename as a output, omitting the period and
inserting a SPACE in its place:
$ grep apple a b c > a output
g r e p : o u t p u t : No s u c h f i l e o r d i r e c t o r y

The shell obediently removes the contents of a and then calls grep. The error message may take
a moment to appear, giving you a sense that the command is running correctly. Even after you see
the error message, it may take a while to realize that you have destroyed the contents of a.
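The two hazards in this caution box and the noclobber behaviour above, reproduced in a scratch directory as an added example (not code from the book); the orange and pear files are constructed, and each function returns 0 when the outcome matches what the text describes:

```shell
#!/bin/bash
# Added example, not from the book: reproduces in a scratch directory the
# truncation hazard of `cat orange pear > orange`, the safe temp-file method,
# and the noclobber / >| behaviour. All files are constructed here.

# catenate_safely FILE1 FILE2: the book's two-step method. Writing to a third
# file first means FILE1 is never truncated while it is still being read.
catenate_safely() {
    local tmp="$1.tmp.$$"
    cat "$1" "$2" > "$tmp" && mv "$tmp" "$1"
}

# make_fruit_dir: scratch directory holding the orange and pear files; prints its path.
make_fruit_dir() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'this is orange\n' > "$dir/orange"
    printf 'this is pear\n'   > "$dir/pear"
    printf '%s\n' "$dir"
}

# demo_redirect_destroys: runs the unsafe command. The shell opens (and
# truncates) orange before cat starts, so the original text is already gone
# when cat complains; returns 0 if orange now holds only pear's contents.
demo_redirect_destroys() {
    local dir result
    dir=$(make_fruit_dir) || return 1
    ( cd "$dir" && cat orange pear > orange 2>/dev/null )
    result=$(cat "$dir/orange")
    rm -rf "$dir"
    [ "$result" = "this is pear" ]
}

# demo_safe_catenation: same files, two-step method; returns 0 if orange
# holds both lines in order.
demo_safe_catenation() {
    local dir result
    dir=$(make_fruit_dir) || return 1
    ( cd "$dir" && catenate_safely orange pear )
    result=$(cat "$dir/orange")
    rm -rf "$dir"
    [ "$result" = "$(printf 'this is orange\nthis is pear')" ]
}

# demo_noclobber: with noclobber set, > onto an existing file is refused by
# the shell (the command never runs), while >| overrides the check. Returns 0
# if the first redirection was refused and the second went through.
demo_noclobber() {
    local dir file refused=1 content
    dir=$(mktemp -d) || return 1
    file="$dir/tmp"
    touch "$file"
    if ( set -o noclobber; echo "hi there" > "$file" ) 2>/dev/null; then
        refused=0          # the shell let the write through
    fi
    ( set -o noclobber; echo "hi there" >| "$file" ) 2>/dev/null
    content=$(cat "$file")
    rm -rf "$dir"
    [ "$refused" -eq 1 ] && [ "$content" = "hi there" ]
}
```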

APPENDING STANDARD OUTPUT TO A FILE
The append output symbol (>>) causes the shell to add new information to the end of a file, leaving existing information intact. This symbol provides a convenient way of catenating two files into one. The following commands demonstrate the action of the output append symbol. The second command accomplishes the catenation described in the preceding caution box:
$ cat orange
this is orange
$ cat pear >> orange
$ cat orange
this is orange
this is pear
The first command displays the contents of the orange file. The second command appends the contents of the pear file to the orange file. The final cat displays the result.

$ date > whoson
$ cat whoson
Sat Mar 27 14:31:18 PST 2010
$ who >> whoson
$ cat whoson
Sat Mar 27 14:31:18 PST 2010
sam      console      2010-03-27 05:00 (:0)
max      pts/4        2010-03-27 12:23 (:0.0)
max      pts/5        2010-03-27 12:33 (:0.0)
zach     pts/7        2010-03-26 08:45 (bravo.example.com)

Figure 7-11   Redirecting and appending output

Do not trust noclobber
caution Appending output is simpler than the two-step procedure described in the preceding caution box
but you must be careful to include both greater than signs. If you accidentally use only one and
the noclobber feature is not set, the shell will overwrite the orange file. Even if you have the
noclobber feature turned on, it is a good idea to keep backup copies of the files you are manipulating in case you make a mistake.
Although it protects you from overwriting a file using redirection, noclobber does not stop you
from overwriting a file using cp or mv. These utilities include the -i (interactive) option that helps
protect you from this type of mistake by verifying your intentions when you try to overwrite a file.
For more information see the tip "cp can destroy a file" on page 164.
The next example shows how to create a file that contains the date and time (the output from date), followed by a list of who is logged in (the output from who). The first line in Figure 7-11 redirects the output from date to the file named whoson. Then cat displays the file. Next the example appends the output from who to the whoson file. Finally cat displays the file containing the output of both utilities.

/dev/null: MAKING DATA DISAPPEAR
The /dev/null device is a data sink, commonly referred to as a bit bucket. You can redirect output that you do not want to keep or see to /dev/null and the output will disappear without a trace:
$ echo "hi there" > /dev/null
$
When you read from /dev/null, you get a null string. Give the following cat command to truncate a file named messages to zero length while preserving the ownership and permissions of the file:
$ ls -l messages
-rw-r--r-- 1 max pubs 25315 2010-10-24 10:55 messages
$ cat /dev/null > messages
$ ls -l messages
-rw-r--r-- 1 max pubs 0 2010-10-24 11:02 messages
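The truncation shown above, checked rather than just performed, as an added example (not code from the book): it empties a constructed messages file with cat /dev/null, verifies the permission bits survive, and contrasts that with removing and recreating the file, which gets whatever mode the umask allows.

```shell
#!/bin/bash
# Added example, not from the book: truncates a file the way the text shows
# (cat /dev/null > file) and checks that, unlike removing and recreating it,
# the truncation keeps the file's permission bits. The file is constructed here.

# mode_of FILE: prints the octal permission bits (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# truncate_in_place FILE: empties FILE without replacing the inode, so owner,
# group and mode stay as they were (the book's cat /dev/null > messages).
truncate_in_place() {
    cat /dev/null > "$1"
}

# demo_truncate: makes a mode-640 "messages" file with constructed lines,
# truncates it, and returns 0 if it is now empty but still mode 640, while the
# removed-and-recreated file under umask 022 comes back as 644.
demo_truncate() {
    local dir f before after size recreated
    dir=$(mktemp -d) || return 1
    f="$dir/messages"
    printf 'Oct 24 10:55 host sshd[123]: Accepted publickey for max\n' > "$f"
    printf 'Oct 24 10:56 host sshd[123]: session opened for user max\n' >> "$f"
    chmod 640 "$f"
    before=$(mode_of "$f")
    truncate_in_place "$f"
    after=$(mode_of "$f")
    size=$(wc -c < "$f" | tr -d ' ')
    rm -f "$f"
    ( umask 022; : > "$f" )          # the rm-and-recreate alternative
    recreated=$(mode_of "$f")
    rm -rf "$dir"
    [ "$before" = "640" ] && [ "$after" = "640" ] \
        && [ "$size" -eq 0 ] && [ "$recreated" = "644" ]
}
```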

PIPES
The shell uses a pipe to connect standard output of one command to standard input of another command. A pipe (sometimes referred to as a pipeline) has the same effect as redirecting standard output of one command to a file and then using that file as standard input to another command. A pipe does away with separate commands and the intermediate file. The symbol for a pipe is a vertical bar (|). The syntax of a command line using a pipe is
command_a [arguments] | command_b [arguments]
The preceding command line uses a pipe on a single command line to generate the same result as the following three command lines:
command_a [arguments] > temp
command_b [arguments] < temp
rm temp
In the preceding sequence of commands, the first line redirects standard output from command_a to an intermediate file named temp. The second line redirects standard input for command_b to come from temp. The final line deletes temp. The command using a pipe is not only easier to type but is generally more efficient because it does not create a temporary file.
tr
You can use a pipe with any of the Linux utilities that accept input either from a file specified on the command line or from standard input. You can also use pipes with commands that accept input only from standard input. For example, the tr (translate) utility takes its input from standard input only. In its simplest usage tr has the following format:
tr string1 string2
The tr utility accepts input from standard input and looks for characters that match one of the characters in string1. Upon finding a match, it translates the matched character in string1 to the corresponding character in string2. (The first character in string1 translates into the first character in string2, and so forth.) The tr utility sends its output to standard output. In both of the following examples, tr displays the contents of the abstract file with the letters a, b, and c translated into A, B, and C, respectively:
$ cat abstract | tr abc ABC
$ tr abc ABC < abstract
The tr utility does not change the contents of the original file; it cannot change the original file because it does not "know" the source of its input.

$ ls > temp
$ lpr temp
$ rm temp
or
$ ls | lpr

Figure 7-12   A pipe
lpr
The lpr (line printer) utility also accepts input from either a file or standard input. When you type the name of a file following lpr on the command line, it places that file in the print queue. When you do not specify a filename on the command line, lpr takes input from standard input. This feature enables you to use a pipe to redirect input to lpr. The first set of commands in Figure 7-12 shows how you can use ls and lpr with an intermediate file (temp) to send a list of the files in the working directory to the printer. If the temp file exists, the first command overwrites its contents. The second set of commands uses a pipe to send the same list (with the exception of temp) to the printer.
The commands in Figure 7-13 redirect the output from the who utility to temp and then display this file in sorted order. The sort utility (page 168) takes its input from the file specified on the command line or, when a file is not specified, from standard input; it sends its output to standard output. The sort command line in Figure 7-13 takes its input from standard input, which is redirected (<) to come from temp. The output that sort sends to the screen lists the users in sorted (alphabetical) order.
Because sort can take its input from standard input or from a filename on the command line, omitting the < symbol from Figure 7-13 yields the same result.
Figure 7-14 achieves the same result without creating the temp file. Using a pipe, the shell redirects the output from who to the input of sort. The sort utility takes input from standard input because no filename follows it on the command line.

When many people are using the system and you want information about only one of them, you can send the output from who to grep (page 166) using a pipe. The grep utility displays the line containing the string you specify—sam in the following example:
$ who | grep 'sam'
sam      console      2010-03-24 05:00

$ who > temp
$ sort < temp
max      pts/4        2010-03-24 12:23
max      pts/5        2010-03-24 12:33
zach     pts/7        2010-03-23 08:45
sam      console      2010-03-24 05:00
$ rm temp

Figure 7-13   Using a temporary file to store intermediate results
Another way of handling output that is too long to fit on the screen, such as a list of
files in a crowded directory, is to use a pipe to send the output through less or more
(both on page 162).
$ ls | less
The less utility displays text one screen at a time. To view another screen, press the
SPACE bar. To view one more line, press RETURN. Press h for help and q to quit.
Some utilities change the format of their output when you redirect it. Compare the
output of ls by itself and when you send it through a pipe to less.

FILTERS
A filter is a command that processes an input stream of data to produce an output
stream of data. A command line that includes a filter uses a pipe to connect standard output of one command to the filter's standard input. Another pipe connects
the filter's standard output to standard input of another command. Not all utilities
can be used as filters.
In the following example, sort is a filter, taking standard input from standard output
of who and using a pipe to redirect standard output to standard input of lpr. This
command line sends the sorted output of who to the printer:
$ who | sort | lpr
The preceding example demonstrates the power of the shell combined with the versatility of Linux utilities. The three utilities who, sort, and lpr were not specifically
designed to work with each other, but they all use standard input and standard output in the conventional way. By using the shell to handle input and output, you can
piece standard utilities together on the command line to achieve the results you want.
$ who | sort
max      pts/4        2010-03-24 12:23
max      pts/5        2010-03-24 12:33
zach     pts/7        2010-03-23 08:45
sam      console      2010-03-24 05:00

Figure 7-14   A pipe doing the work of a temporary file

$ who | tee who.out | grep sam
sam      console      2010-03-24 05:00
$ cat who.out
sam      console      2010-03-24 05:00
max      pts/4        2010-03-24 12:23
max      pts/5        2010-03-24 12:33
zach     pts/7        2010-03-23 08:45

Figure 7-15   Using tee

tee: SENDS OUTPUT IN TWO DIRECTIONS
The tee utility copies its standard input both to a file and to standard output. This
utility is aptly named: It takes a single stream of input and sends the output in two
directions. In Figure 7-15 the output of who is sent via a pipe to standard input of
tee. The tee utility saves a copy of standard input in a file named who.out and also
sends a copy to standard output. Standard output of tee goes via a pipe to standard
input of grep, which displays only those lines containing the string sam. Use the -a
(append) option to cause tee to append to a file instead of overwriting it.
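The pipelines of Figures 7-14 and 7-15 (sort as a filter, tee splitting a stream), run over a constructed stand-in for who's output so the result does not depend on who is logged in; an added example, not code from the book, and the who-format lines are assumed to have the columns the figures show:

```shell
#!/bin/bash
# Added example, not from the book: who | sort and who | tee who.out | grep sam
# over constructed who-style lines. Nothing here depends on real logins.

SAM_LINE='sam      console      2010-03-24 05:00 (:0)'

# fake_who: prints constructed lines in who's format (assumption: the same
# columns as the figures above).
fake_who() {
    printf '%s\n' \
        "$SAM_LINE" \
        'max      pts/4        2010-03-24 12:23 (:0.0)' \
        'max      pts/5        2010-03-24 12:33 (:0.0)' \
        'zach     pts/7        2010-03-23 08:45 (bravo.example.com)'
}

# sorted_users: who | sort with sort acting as a filter in the middle of the
# pipeline; prints only the user names, on one line, in the order sort produced.
sorted_users() {
    fake_who | sort | tr -s ' ' | cut -d ' ' -f 1 | paste -sd ' ' -
}

# tee_and_grep FILE: the Figure 7-15 pipeline. tee keeps a full copy in FILE
# while grep, downstream of it, lets only sam's line through to standard output.
tee_and_grep() {
    fake_who | tee "$1" | grep sam
}

# demo_tee: returns 0 if grep printed exactly sam's line while the tee file
# still received all four lines.
demo_tee() {
    local dir out lines
    dir=$(mktemp -d) || return 1
    out=$(tee_and_grep "$dir/who.out")
    lines=$(wc -l < "$dir/who.out" | tr -d ' ')
    rm -rf "$dir"
    [ "$out" = "$SAM_LINE" ] && [ "$lines" -eq 4 ]
}
```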

RUNNING A COMMAND IN THE BACKGROUND

Foreground
All commands up to this point have been run in the foreground. When you run a
command in the foreground, the shell waits for it to finish before displaying another
prompt and allowing you to continue. When you run a command in the background,
you do not have to wait for the command to finish before running another command.
Jobs A job is a series of one or more commands that can be connected by pipes. You can
have only one foreground job in a window or on a screen, but you can have many
background jobs. By running more than one job at a time, you are using one of
Linux's important features: multitasking. Running a command in the background
can be useful when the command will run for a long time and does not need supervision. It leaves the screen free so you can use it for other work. Of course, when
you are using a GUI, you can open another window to run another job.
Job number, PID number
To run a command in the background, type an ampersand (&) just before the RETURN
that ends the command line. The shell assigns a small number to the job and displays this job number between brackets. Following the job number, the shell displays the process identification
(PID) number—a larger number assigned by the
operating system. Each of these numbers identifies the command running in the
background. The shell then displays another prompt and you can enter another
command. When the background job finishes, the shell displays a message giving
both the job number and the command line used to run the command.
The next example runs in the background; it sends the output of ls through a pipe
to lpr, which sends it to the printer.
$ ls -l | lpr &
[1] 22092
The [1] following the command line indicates that the shell has assigned job number 1 to this job. The 22092 is the PID number of the first command in the job. When this background job completes execution, you see the message
[1]+ Done                    ls -l | lpr
(In place of ls -l, the shell may display something similar to ls --color=always -l. This difference is due to the fact that ls is aliased [page 346] to ls --color=always.)

MOVING A JOB FROM THE FOREGROUND TO THE BACKGROUND
CONTROL-Z
You can suspend a foreground job (stop it from running) by pressing the suspend key, usually CONTROL-Z. The shell then stops the process and disconnects standard input from the keyboard. You can put a suspended job in the background and restart it by using the bg command followed by the job number. You do not need to specify the job number when there is only one stopped job.
Only the foreground job can take input from the keyboard. To connect the keyboard to a program running in the background, you must bring it to the foreground. To do so, type fg without any arguments when only one job is in the background. When more than one job is in the background, type fg, or a percent sign (%), followed by the number of the job you want to bring into the foreground. The shell displays the command you used to start the job (promptme in the following example), and you can enter any input the program requires to continue:
$ fg 1
promptme
Redirect the output of a job you run in the background to keep it from interfering with whatever you are working on in the foreground (on the screen). Refer to "Separating and Grouping Commands" on page 303 for more detail about background tasks.

kill: ABORTING A BACKGROUND JOB
The interrupt key (usually CONTROL-C) cannot abort a background process; you must use kill (page 455) for this purpose. Follow kill on the command line with either the PID number of the process you want to abort or a percent sign (%) followed by the job number.
Determining the PID of a process using ps
If you forget a PID number, you can use the ps (process status) utility (page 328) to display it. The following example runs a tail -f outfile command (the -f [follow] option causes tail to watch outfile and display new lines as they are written to the file) as a background job, uses ps to display the PID number of the process, and aborts the job with kill:
$ tail -f outfile &
[1] 18228
$ ps | grep tail
18228 pts/4    00:00:00 tail
$ kill 18228
[1]+  Terminated              tail -f outfile
$
Determining the number of a job using jobs
If you forget a job number, you can use the jobs command to display a list of job numbers. The next example is similar to the previous one except it uses the job number instead of the PID number to identify the job to be killed. Sometimes the message saying the job is terminated does not appear until you press RETURN after the RETURN that executes the kill command.
$ tail -f outfile &
[1] 18236
$ bigjob &
[2] 18237
$ jobs
[1]-  Running                 tail -f outfile &
[2]+  Running                 bigjob &
$ kill %1
$ RETURN
[1]-  Terminated              tail -f outfile
$
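The same abort-a-background-job sequence done from a script, as an added example that is not code from the book: a script has job control switched off and therefore no job numbers, so the PID of the last background command ($!) stands in for %1, and wait collects the status of the killed process; the outfile is constructed.

```shell
#!/bin/bash
# Added example, not from the book: start tail -f in the background, abort it
# with kill, and collect its status with wait, the way a script (no job
# control, no %1) has to do what the interactive examples above do.

# is_running PID: returns 0 if a process with that PID exists. kill -0 sends
# no signal, so this replaces the text's ps | grep without matching grep itself.
is_running() {
    kill -0 "$1" 2>/dev/null
}

# run_and_abort: starts tail -f on a constructed outfile in the background,
# aborts it with kill, and prints the status wait reports for it. A process
# ended by SIGTERM reports 128 + 15 = 143. Prints -1 if it somehow survived.
run_and_abort() {
    local dir pid status
    dir=$(mktemp -d) || return 1
    : > "$dir/outfile"
    tail -f "$dir/outfile" > /dev/null 2>&1 &
    pid=$!                        # what [1] 18228 shows interactively
    kill "$pid"                   # same as kill %1 or kill 18228 above
    wait "$pid" 2>/dev/null       # reap it and pick up its exit status
    status=$?
    rm -rf "$dir"
    if is_running "$pid"; then
        status=-1
    fi
    printf '%s\n' "$status"
}

run_and_abort
```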

FILENAME GENERATION/PATHNAME EXPANSION
Wildcards, globbing
When you give the shell abbreviated filenames that contain special characters, also called metacharacters, the shell can generate filenames that match the names of existing files. These special characters are also referred to as wildcards because they act much as the jokers do in a deck of cards. When one of these characters appears in an argument on the command line, the shell expands that argument in sorted order into a list of filenames and passes the list to the program called by the command line. Filenames that contain these special characters are called ambiguous file references because they do not refer to any one specific file. The process that the shell performs on these filenames is called pathname expansion or globbing.
Ambiguous file references refer to a group of files with similar names quickly, saving the effort of typing the names individually. They can also help find a file whose name you do not remember in its entirety. If no filename matches the ambiguous file reference, the shell generally passes the unexpanded reference—special characters and all—to the command.

THE ? SPECIAL CHARACTER
The question mark (?) is a special character that causes the shell to generate filenames. It matches any single character in the name of an existing file. The following command uses this special character in an argument to the lpr utility:
$ lpr memo?
The shell expands the memo? argument and generates a list of files in the working directory that have names composed of memo followed by any single character. The shell then passes this list to lpr. The lpr utility never "knows" the shell generated the filenames it was called with. If no filename matches the ambiguous file reference, the shell passes the string itself (memo?) to lpr or, if it is set up to do so, passes a null string (see nullglob on page 355).
The following example uses ls first to display the names of all files in the working directory and then to display the filenames that memo? matches:
$ ls
mem  memo  memo12  memo5  memo9  memoa  memomax  memos  newmemo5
$ ls memo?
memo5  memo9  memoa  memos
The memo? ambiguous file reference does not match mem, memo, memo12, memomax, or newmemo5. You can also use a question mark in the middle of an ambiguous file reference:
$ ls
7may4report  may4report  mayqreport  may_report  may14report  may4report.79  mayreport  may.report
$ ls may?report
may.report  may4report  may_report  mayqreport
You can use echo and ls to practice generating filenames. The echo utility displays the arguments that the shell passes to it:
$ echo may?report
may.report may4report may_report mayqreport
The shell first expands the ambiguous file reference into a list of all files in the working directory that match the string may?report. It then passes this list to echo, just as though you had entered the list of filenames as arguments to echo. The echo utility displays the list of filenames.
A question mark does not match a leading period (one that indicates a hidden filename; see page 204). When you want to match filenames that begin with a period, you must explicitly include the period in the ambiguous file reference.

THE * SPECIAL CHARACTER
The asterisk (*) performs a function similar to that of the question mark but matches any number of characters, including zero characters, in a filename. The following example first shows all files in the working directory and then shows three commands that display all the filenames that begin with the string memo, end with the string mo, and contain the string alx:
$ ls
amemo  mem  memalx  memo  memo.0612  memoa  memoalx.0620  memoalx.keep  memorandum  memosally  sallymemo  typescript  user.memo
$ echo memo*
memo memo.0612 memoa memoalx.0620 memoalx.keep memorandum memosally
$ echo *mo
amemo memo sallymemo user.memo
$ echo *alx*
memalx memoalx.0620 memoalx.keep
The ambiguous file reference memo* does not match amemo, mem, sallymemo, or user.memo. Like the question mark, an asterisk does not match a leading period in a filename.
The -a option causes ls to display hidden filenames. The command echo * does not display . (the working directory), .. (the parent of the working directory), .aaa, or .profile. In contrast, the command echo .* displays only those four names:
$ ls
aaa  memo.0612  memo.sally  report  sally.0612  Saturday  thurs
$ ls -a
.  ..  .aaa  .profile  aaa  memo.0612  memo.sally  report  sally.0612  Saturday  thurs
$ echo *
aaa memo.0612 memo.sally report sally.0612 Saturday thurs
$ echo .*
. .. .aaa .profile
In the following example, .p* does not match memo.0612, private, reminder, or report. The ls .* command causes ls to list .private and .profile in addition to the contents of the . directory (the working directory) and the .. directory (the parent of the working directory). When called with the same argument, echo displays the names of files (including directories) in the working directory that begin with a dot (.), but not the contents of directories.
$ ls -a
.  ..  .private  .profile  memo.0612  private  reminder  report
$ echo .p*
.private .profile
$ ls .*
.private
.profile

.:
memo.0612  private  reminder  report

..:
(contents of the parent directory)
$ echo .*
. .. .private .profile

You can plan to take advantage of ambiguous file references when you establish conventions for naming files. For example, when you end all text filenames with .txt, you can reference that group of files with *.txt. The next command uses this convention to send all text files in the working directory to the printer. The ampersand causes lpr to run in the background.
$ lpr *.txt &


THE [ ] SPECIAL CHARACTERS
A pair of brackets surrounding a list of characters causes the shell to match filenames containing the individual characters. Whereas memo? matches memo followed by any character, memo[17a] is more restrictive: It matches only memo1, memo7, and memoa. The brackets define a character class that includes all the characters within the brackets. (GNU calls this a character list; a GNU character class is something different.) The shell expands an argument that includes a character-class definition, by substituting each member of the character class, one at a time, in place of the brackets and their contents. The shell then passes the list of matching filenames to the program it is calling.
Each character-class definition can replace only a single character within a filename. The brackets and their contents are like a question mark that substitutes only the members of the character class.
The first of the following commands lists the names of all files in the working directory that begin with a, e, i, o, or u. The second command displays the contents of the files named page2.txt, page4.txt, page6.txt, and page8.txt.
$ echo [aeiou]*
$ less page[2468].txt
A hyphen within brackets defines a range of characters within a character-class definition. For example, [6-9] represents [6789], [a-z] represents all lowercase letters in English, and [a-zA-Z] represents all letters, both uppercase and lowercase, in English.
The following command lines show three ways to print the files named part0, part1, part2, part3, and part5. Each of these command lines causes the shell to call lpr with five filenames:
$ lpr part0 part1 part2 part3 part5
$ lpr part[01235]
$ lpr part[0-35]
The first command line explicitly specifies the five filenames. The second and third command lines use ambiguous file references, incorporating character-class definitions. The shell expands the argument on the second command line to include all files that have names beginning with part and ending with any of the characters in the character class. The character class is explicitly defined as 0, 1, 2, 3, and 5. The third command line also uses a character-class definition but defines the character class to be all characters in the range 0-3 plus 5.

260 CHAPTER 9 THE BOURNE AGAIN SHELL

The following command line prints 39 files, part0 through part38:
$ lpr part[0-9] part[12][0-9] part3[0-8]

The first of the following commands lists the files in the working directory whose names start with a through m. The second lists files whose names end with x, y, or z.
$ echo [a-m]*
$ echo *[x-z]

optional: When an exclamation point (!) or a caret (^) immediately follows the opening bracket ([) that defines a character class, the string enclosed by the brackets matches any character not between the brackets. Thus [^tsq]* matches any filename that does not begin with t, s, or q.
The following examples show that *[^ab] matches filenames that do not end with the letters a or b and that [^b-d]* matches filenames that do not begin with b, c, or d.
$ ls
aa  ab  ac  ad  ba  bb  bc  bd  cc  dd
$ ls *[^ab]
ac  ad  bc  bd  cc  dd
$ ls [^b-d]*
aa  ab  ac  ad

You can cause a character class to match a hyphen (-) or a closing bracket (]) by
placing it immediately before the final closing bracket.
The next example demonstrates that the ls utility cannot interpret ambiguous file references. First ls is called with an argument of ?old. The shell expands ?old into a matching filename, hold, and passes that name to ls. The second command is the same as the first, except the ? is quoted (refer to "Special Characters" on page 160). The shell does not recognize this question mark as a special character and passes it to ls. The ls utility generates an error message saying that it cannot find a file named ?old (because there is no file named ?old).
$ ls ?old
hold
$ ls \?old
ls: ?old: No such file or directory

Like most utilities and programs, ls cannot interpret ambiguous file references; that work is left to the shell.

The shell expands ambiguous file references
tip: The shell does the expansion when it processes an ambiguous file reference, not the program that the shell runs. In the examples in this section, the utilities (ls, cat, echo, lpr) never see the ambiguous file references. The shell expands the ambiguous file references and passes a list of ordinary filenames to the utility. In the previous examples, echo shows this to be true because it simply displays its arguments; it never displays the ambiguous file reference.
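The expansion described in this section, as an added shell example that is not from the book: it creates constructed scratch directories holding the file names used above, then prints the argument list a utility would actually receive for each pattern, including a pattern that matches nothing and a quoted pattern. The negated class is written [!ab] rather than [^ab] so the script also runs under plain sh; the text above describes both forms.

```shell
#!/bin/sh
# Added example: shows the argument lists the shell produces from character
# classes, ranges and negated classes. The file names are constructed to
# match the examples in this section and live in scratch directories.
LC_ALL=C; export LC_ALL   # the meaning of a range such as [a-z] depends on the locale

# Create a scratch directory containing empty files with the given names
# and print its path.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    for name in "$@"; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# Expand the pattern(s) in $2 inside directory $1 and print the resulting
# argument list on one line: this is what ls, lpr or echo would receive.
# $2 is deliberately unquoted so that the shell performs pathname expansion.
expand_in() {
    (
        cd "$1" || exit 1
        set -- $2
        printf '%s\n' "$*"
    )
}

# Show that quoting suppresses expansion: the first word is expanded by the
# shell, the second is passed to the utility literally (as with ls \?old).
quoted_vs_unquoted() {
    (
        cd "$1" || exit 1
        set -- ?old;   expanded=$1
        set -- '?old'; literal=$1
        printf '%s %s\n' "$expanded" "$literal"
    )
}

LETTERS=$(make_demo_dir aa ab ac ad ba bb bc bd cc dd)
PARTS=$(make_demo_dir part0 part1 part2 part3 part5 part10 part38 hold)
trap 'rm -rf "$LETTERS" "$PARTS"' EXIT

echo "*[!ab]      -> $(expand_in "$LETTERS" '*[!ab]')"
echo "[!b-d]*     -> $(expand_in "$LETTERS" '[!b-d]*')"
echo "part[0-35]  -> $(expand_in "$PARTS" 'part[0-35]')"
echo "part[0-9] part[12][0-9] part3[0-8] -> $(expand_in "$PARTS" 'part[0-9] part[12][0-9] part3[0-8]')"
# A pattern that matches nothing is passed to the utility unchanged.
echo "part[6-9]   -> $(expand_in "$PARTS" 'part[6-9]')"
echo "?old vs '?old' -> $(quoted_vs_unquoted "$PARTS")"
```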

261

BUILTINS
A builtin is a utility (also called a command) that is built into a shell. Each of the shells has its own set of builtins. When it runs a builtin, the shell does not fork a new process. Consequently builtins run more quickly and can affect the environment of the current shell. Because builtins are used in the same way as utilities, you will not typically be aware of whether a utility is built into the shell or is a standalone utility.
The echo utility, for example, is a shell builtin. The shell always executes a shell builtin before trying to find a command or utility with the same name. See page 1002 for an in-depth discussion of builtin commands and page 1015 for a list of bash builtins.
Listing bash builtins: To display a list of bash builtins, give the command info bash builtin. To display a page with more information on each builtin, move the cursor to one of the lines listing a builtin command and press RETURN. Alternatively, after typing info bash, give the command /builtin to search the bash documentation for the string builtin. The cursor will rest on the word Builtin in a menu; press RETURN to display the builtins menu.
Because bash was written by GNU, the info page has better information than does the man page. If you want to read about builtins in the man page, give the command man bash and search for the section on builtins with the command /^SHELL BUILTIN COMMANDS (search for a line that begins with SHELL ...).

CHAPTER SUMMARY
The shell is the Linux command interpreter. It scans the command line for proper
syntax, picking out the command name and any arguments. The first argument is
argument one, the second is argument two, and so on. The name of the command
itself is argument zero. Many programs use options to modify the effects of a command. Most Linux utilities identify an option by its leading one or two hyphens.
When you give it a command, the shell tries to find an executable program with the
same name as the command. When it does, the shell executes the program. When it
does not, the shell tells you that it cannot find or execute the program. If the command is a simple filename, the shell searches the directories given in the variable
PATH in an attempt to locate the command.
When it executes a command, the shell assigns one file to the command's standard
input and another file to its standard output. By default the shell causes a command's standard input to come from the keyboard and its standard output to go to
the screen. You can instruct the shell to redirect a command's standard input from
or standard output to any file or device. You can also connect standard output of
one command to standard input of another command using a pipe. A filter is a command that reads its standard input from standard output of one command and writes its standard output to standard input of another command.
When a command runs in the foreground, the shell waits for it to finish before it
displays a prompt and allows you to continue. When you put an ampersand ( & ) at
the end of a command line, the shell executes the command in the background and
displays another prompt immediately. Run slow commands in the background
when you want to enter other commands at the shell prompt. The jobs builtin displays a list of suspended jobs and jobs running in the background; it includes the
job number of each.
The shell interprets special characters on a command line to generate filenames. A
question mark represents any single character, and an asterisk represents zero or
more characters. A single character may also be represented by a character class: a
list of characters within brackets. A reference that uses special characters (wildcards)
to abbreviate a list of one or more filenames is called an ambiguous file reference.
A builtin is a utility that is built into a shell. Each shell has its own set of builtins.
When it runs a builtin, the shell does not fork a new process. Consequently builtins
run more quickly and can affect the environment of the current shell.

UTILITIES AND BUILTINS INTRODUCED IN THIS CHAPTER
Table 7-1 lists the utilities introduced in this chapter.

Table 7-1  New utilities

Utility   Function
tr        Maps one string of characters to another (page 251)
tee       Sends standard input to both a file and standard output (page 254)
bg        Moves a process to the background (page 255)
fg        Moves a process to the foreground (page 255)
jobs      Displays a list of suspended jobs and jobs running in the background (page 256)

EXERCISES
1. What does the shell ordinarily do while a command is executing? What
should you do if you do not want to wait for a command to finish before
running another command?
2. Using sort as a filter, rewrite the following sequence of commands:
$ sort list > temp
$ lpr temp
$ rm temp

3. What is a PID number? Why are these numbers useful when you run
processes in the background? Which utility displays the PID numbers of
the commands you are running?
4. Assume that the following files are in the working directory:
$ ls
intro     notesb    ref2      section1  section3  section4b
notesa    ref1      ref3      section2  section4a sentrev

Give commands for each of the following, using wildcards to express filenames with as few characters as possible.
a. List all files that begin with section.
b. List the section1, section2, and section3 files only.
c. List the intro file only.
d. List the section1, section3, ref1, and ref3 files.
5. Refer to the man pages to determine which command will
a. Output the number of lines in the standard input that contain the word
a or A.
b. Output only the names of the files in the working directory that contain
the pattern $(.
c. List the files in the working directory in reverse alphabetical order.
d. Send a list of files in the working directory to the printer, sorted by size.
6. Give a command to
a. Redirect standard output from a sort command to a file named
phone_list. Assume the input file is named numbers.
b. Translate all occurrences of the characters [ and { to the character (, and all occurrences of the characters ] and } to the character ) in the file permdemos.c. (Hint: Refer to the tr man page.)
c. Create a file named book that contains the contents of two other files: part1 and part2.
7. The lpr and sort utilities accept input either from a file named on the command line or from standard input.
a. Name two other utilities that function in a similar manner.
b. Name a utility that accepts its input only from standard input.
8. Give an example of a command that uses grep
a. With both input and output redirected.
b. With only input redirected.
c. With only output redirected.
d. Within a pipe.
In which of the preceding cases is grep used as a filter?
9. Explain the following error message. Which filenames would a subsequent ls display?
$ ls
abc  abd  abe  abf  abg  abh
$ rm abc ab*
rm: cannot remove 'abc': No such file or directory

ADVANCED EXERCISES
10. When you use the redirect output symbol (>) with a command, the shell
creates the output file immediately, before the command is executed.
Demonstrate that this is true.
11. In experimenting with shell variables, Max accidentally deletes his PATH
variable. He decides he does not need the PATH variable. Discuss some of
the problems he may soon encounter and explain the reasons for these
problems. How could he easily return PATH to its original value?
12. Assume your permissions allow you to write to a file but not to delete it.
a. Give a command to empty the file without invoking an editor.
b. Explain how you might have permission to modify a file that you cannot
delete.
13. If you accidentally create a filename that contains a nonprinting character,
such as a CONTROL character, how can you remove the file?
14. Why does the noclobber variable not protect you from overwriting an
existing file with cp or mv?
15. Why do command names and filenames usually not have embedded SPACES?
How would you create a filename containing a SPACE? How would you
remove it? (This is a thought exercise, not recommended practice. If you
want to experiment, create and work in a directory that contains only
your experimental file.)
16. Create a file named answer and give the following command:
$ > answers.0102 < answer cat

Explain what the command does and why. What is a more conventional
way of expressing this command?

PART III
DIGGING INTO UBUNTU LINUX
CHAPTER 8 LINUX GUIs: X AND GNOME 267
CHAPTER 9 THE BOURNE AGAIN SHELL 291
CHAPTER 10 NETWORKING AND THE INTERNET 371

8
LINUX GUIs: X AND GNOME
IN THIS CHAPTER
X Window System 268
Starting X from a Character-Based Display 270
Remote Computing and Local Displays 270
Desktop Environments/Managers 275
The Nautilus File Browser Window 276
The Nautilus Spatial View 282
GNOME Utilities 284
Run Application Window 286
GNOME Terminal Emulator/Shell 287

This chapter covers the Linux graphical user interface (GUI). It continues where Chapter 4 left off, going into more detail about the X Window System, the basis for the Linux GUI. It presents a brief history of GNOME and KDE and discusses some of the problems and benefits of having two major Linux desktop environments. The section on the Nautilus File Browser covers the View and Side panes, the control bars, the menubar, and the Spatial view. The final section explores some GNOME utilities, including Terminal, the GNOME terminal emulator.

268 CHAPTER 8 LINUX GUIs: X AND GNOME

X WINDOW SYSTEM
History of X: The X Window System (www.x.org) was created in 1984 at the Massachusetts Institute of Technology (MIT) by researchers working on a distributed computing project and a campuswide distributed environment, called Project Athena. This system was not the first windowing software to run on a UNIX system, but it was the first to become widely available and accepted. In 1985, MIT released X (version 9) to the public, for use without a license. Three years later, a group of vendors formed the X Consortium to support the continued development of X, under the leadership of MIT. By 1998, the X Consortium had become part of the Open Group. In 2001, the Open Group released X version 11, release 6.6 (X11R6.6).
The X Window System was inspired by the ideas and features found in earlier proprietary window systems but is written to be portable and flexible. X is designed to run on a workstation, typically attached to a LAN. The designers built X with the network in mind. If you can communicate with a remote computer over a network, running an X application on that computer and sending the results to a local display is straightforward.
Although the X protocol has remained stable for a long time, additions to it in the form of extensions are quite common. One of the most interesting—albeit one that has not yet made its way into production—is the Media Application Server, which aims to provide the same level of network transparency for sound and video that X does for simple windowing applications.
XFree86 and X.org: Many distributions of Linux used the XFree86 X server, which inherited its license from the original MIT X server, through release 4.3. In early 2004, just before the release of XFree86 4.4, the XFree86 license was changed to one that is more restrictive and not compatible with the GPL (page 6). In the wake of this change, a number of distributions abandoned XFree86 and replaced it with an X.org X server that is based on a pre-release version of XFree86 4.4, which predates the change in the XFree86 license. Ubuntu uses the X.org X server, named X; it is functionally equivalent to the one distributed by XFree86 because most of the code is the same. Thus modules designed to work with one server work with the other.
The X stack: The Linux GUI is built in layers (Figure 8-1). The bottom layer is the kernel, which provides the basic interfaces to the hardware. On top of the kernel is the X server, which is responsible for managing windows and drawing basic graphical primitives such as lines and bitmaps. Rather than directly generating X commands, most programs use Xlib, the next layer, which is a standard library for interfacing with an X server. Xlib is complicated and does not provide high-level abstractions, such as buttons and text boxes. Rather than using Xlib directly, most programs rely on a toolkit that provides high-level abstractions. Using a library not only makes programming easier, but also brings consistency to applications.
In recent years, the popularity of X has grown outside the UNIX community and extended beyond the workstation class of computers it was originally conceived for. Today X is available for Macintosh computers as well as for PCs running Windows.

X WINDOW SYSTEM 269

Figure 8-1  The X stack

Client/server environment: Computer networks are central to the design of X. It is possible to run an application on one computer and display the results on a screen attached to a different computer; the ease with which this can be done distinguishes X from other window systems available today. Thanks to this capability, a scientist can run and manipulate a program on a powerful supercomputer in another building or another country and view the results on a personal workstation or laptop computer. For more information refer to "Remote Computing and Local Displays" on page 270.
When you start an X Window System session, you set up a client/server environment. One process, called the X server, displays a desktop and windows under X. Each application program and utility that makes a request of the X server is a client of that server. Examples of X clients include xterm, Compiz, gnome-calculator, and such general applications as word processing and spreadsheet programs. A typical request from a client is to display an image or open a window.

The roles of X client and server may be counterintuitive
tip: The terms client and server, when referring to X, have the opposite meanings of how you might think of them intuitively: The server runs the mouse, keyboard, and display; the application program is the client.
This disparity becomes even more apparent when you run an application program on a remote
system. You might think of the system running the program as the server and the system providing the display as the client, but in fact it is the other way around. With X, the system providing
the display is the server, and the system running the program is the client.
Events: The server also monitors keyboard and mouse actions (events) and passes them to
the appropriate clients. For example, when you click the border of a window, the
server sends this event to the window manager (client). Characters you type into a
terminal emulation window are sent to that terminal emulator (client). The client
takes appropriate action when it receives an event—for example, making a window
active or displaying the typed character on the server.


Separating the physical control of the display (the server) from the processes needing
access to the display (the client) makes it possible to run the server on one computer
and the client on another computer. Most of the time, this book discusses running
the X server and client applications on a single system. "Remote Computing and
Local Displays" describes using X in a distributed environment.
optional: You can run xev (X event) by giving the command xev from a terminal emulator
window and then watch the information flow from the client to the server and back
again. This utility opens the Event Tester window, which has a box in it, and asks
the X server to send it events each time anything happens, such as moving the
mouse pointer, clicking a mouse button, moving the mouse pointer into the box,
typing, or resizing the window. The xev utility displays information about each
event in the window you opened it from. You can use xev as an educational tool:
Start it and see how much information is processed each time you move the mouse.
Close the Event Tester window to exit from xev.

USING X
This section provides basic information about starting and configuring X from the
command line. For more information see the Xserver man page and the man pages
listed at the bottom of the Xserver man page.

STARTING X FROM A CHARACTER-BASED DISPLAY
Once you have logged in on a virtual console (page 149), you can start an X Window System server by using startx. See "rc-sysinit task and inittab" on page 439 for
information on creating a /etc/inittab file that causes Linux to boot into recovery
(single-user) mode, where it displays a textual interface. When you run startx, the X
server displays an X screen, using the first available virtual console. The following
command causes startx to run in the background so you can switch back to this virtual console and give other commands:
$ startx &

REMOTE COMPUTING AND LOCAL DISPLAYS
Typically the X server and the X client run on the same machine. To identify a
remote X server (display) an X application (client) is to use, you can either set a
global shell variable or use a command-line option. Before you can connect to a
remote X server, you must turn off two security features: You must turn off the X
-nolisten tcp option on the server and you must run xhost on the server to give the
client permission to connect to the X server. Unless you have a reason to leave
these features off, turn them back on when you finish with the examples in this section—leaving them off weakens system security. These tasks must be performed on
the X server because the features protect the server. You do not have to prepare the client. The examples in this section assume the server is named tiny and the client is named dog.

Security and the X.org -nolisten tcp option
security: In a production environment, if you need to place an X server and the clients on different systems, it is best to forward (tunnel) X over ssh. This setup provides a secure, encrypted connection. The method described in this section is useful on local, secure networks and for understanding how X works. See "Forwarding X11" on page 681 for information on setting up ssh so it forwards X.
THE X -nolisten tcp OPTION
As Ubuntu is installed, the X server starts with the -nolisten tcp option, which protects the X server by preventing TCP connections to the X server. To connect to a remote X server, you must turn this option off on the server. To turn it off, while working with root privileges create a file named /etc/gdm/custom.conf with the following lines:
max@tiny:~$ cat /etc/gdm/custom.conf
[security]
DisallowTCP=false

Reboot the system to restart the X server and gdm (gdm-binary) to effect this change.
See library.gnome.org/admin/gdm/2.28/configuration.html.en#daemonconfig for
more information.
xhost GRANTS ACCESS TO A DISPLAY
As installed, xhost protects each user's X server. A user who wants to grant access to his X server needs to run xhost. Assume Max is logged in on the system named tiny and wants to allow a user on dog to use his display (X server). Max runs this command:
max@tiny:~$ xhost +dog
dog being added to access control list
max@tiny:~$ xhost
access control enabled, only authorized clients can connect
INET:dog

Without any arguments, xhost describes its state. In the preceding example, INET indicates an IPv4 connection. If Max wants to allow all systems to access his display, he can give the following command:
$ xhost +
access control disabled, clients can connect from any host

If you frequently work with other users via a network, you may find it convenient
to add an xhost line to your .bash_profile file (page 293)—but see the tip on the next
page regarding security and xhost. Be selective in granting access to your X display
with xhost; if another system has access to your display, you may find your work
frequently interrupted.


Security and xhost
security: Giving a remote system access to your display using xhost means any user on the remote system can watch everything you type in a terminal emulation window, including passwords. For this reason, some software packages, such as the Tcl/Tk development system (www.tcl.tk), restrict their own capabilities when xhost permits remote access to the X server. If you are concerned about security or want to take full advantage of systems such as Tcl/Tk, you should use a safer means of granting remote access to your X session. See the xauth man page for information about a more secure replacement for xhost.
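An added example, not from the book, that checks the two settings this section describes from the administrator's side: it classifies the DisallowTCP setting in a gdm custom.conf and the state of the xhost access-control list. The configuration text and xhost output are constructed from the formats shown above and read from standard input so the script runs offline; on a live system the same functions take the output of cat /etc/gdm/custom.conf and xhost.

```shell
#!/bin/sh
# Added example: audit the two X access controls discussed in this section.
# Both functions read the text to examine from standard input so they can be
# run on the constructed samples below or on live output.

# Print "tcp-listening" if the [security] section sets DisallowTCP=false
# (the X server accepts TCP connections), otherwise "tcp-blocked".
gdm_tcp_state() {
    section=""
    state="tcp-blocked"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\])                               # section header such as [security]
                section=${line#\[}; section=${section%%]*}
                section=$(printf '%s' "$section" | tr -d ' \t' | tr 'A-Z' 'a-z') ;;
            \#*|"") ;;                           # comments and blank lines
            *=*)
                key=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
                val=$(printf '%s' "${line#*=}" | tr -d ' \t' | tr 'A-Z' 'a-z')
                if [ "$section" = security ] && [ "$key" = disallowtcp ]; then
                    if [ "$val" = false ]; then state="tcp-listening"; else state="tcp-blocked"; fi
                fi ;;
        esac
    done
    printf '%s\n' "$state"
}

# Classify xhost output: "open" when access control is disabled (xhost +),
# "restricted HOST..." when named hosts or local users are allowed, and
# "closed" when the list is empty. xhost prefixes each entry with an
# address family such as INET:, INET6: or SI:.
xhost_state() {
    state="closed"
    allowed=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "access control disabled"*) state="open" ;;
            INET:*|INET6:*|SI:*) allowed="$allowed${allowed:+ }${line#*:}" ;;
        esac
    done
    if [ "$state" = closed ] && [ -n "$allowed" ]; then
        state="restricted"
    fi
    printf '%s\n' "$state${allowed:+ $allowed}"
}

# Constructed samples in the formats shown in this section.
SAMPLE_CONF='[daemon]
AutomaticLoginEnable=false
[security]
DisallowTCP=false'

SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:dog'

printf '%s\n' "$SAMPLE_CONF"  | gdm_tcp_state     # tcp-listening
printf '%s\n' "$SAMPLE_XHOST" | xhost_state       # restricted dog
echo 'access control disabled, clients can connect from any host' | xhost_state   # open
```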
THE DISPLAY VARIABLE
The most common method of identifying a display is to use the DISPLAY shell environment variable to hold the X server ID string. This locally unique identification string is automatically set up when the X server starts. The DISPLAY variable holds the screen number of a display:
$ echo $DISPLAY
:0.0

The format of the complete (globally unique) ID string for a display is
[hostname]:display-number[.screen-number]
where hostname is the name of the system running the X server, display-number is the number of the logical (physical) display (0 unless multiple monitors or graphical terminals are attached to the system, or if you are running X over ssh), and screen-number is the logical number of the (virtual) terminal (0 unless you are running multiple instances of X). When you are working with a single physical screen, you can shorten the identification string. For example, you can use tiny:0.0 or tiny:0 to identify the only physical display on the system named tiny. When the X server and the X clients are running on the same system, you can shorten this identification string even further to :0.0 or :0. An ssh connection shows DISPLAY as localhost:10.0. You may have to use ssh -X to see this value. See "X11 forwarding" on page 664 for information on setting up ssh so that it forwards X.
If DISPLAY is empty or not set, the screen you are working from is not running X.
An application (the X client) uses the value of the DISPLAY variable to determine which display, keyboard, and mouse (collectively, the X server) to use. One way to run an X application, such as gnome-calculator, on the local system but have it use the X display on a remote system is to change the value of the DISPLAY variable on the client system so it identifies the remote X server.
sam@dog:~$ export DISPLAY=tiny:0.0
sam@dog:~$ gnome-calculator &

The preceding example shows Sam running gnome-calculator with the default X server
running on the system named tiny. After setting the DISPLAY variable to the ID of the
tiny server, all X programs (clients) Sam starts use tiny as their server (i.e., output
appears on tiny's display and input comes from tiny's keyboard and mouse). Try running xterm in place of gnome-calculator and see which keyboard it accepts input from.
If this example generates an error, refer to the two preceding sections, which explain
how to set up the server to allow a remote system to connect to it.
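The [hostname]:display-number[.screen-number] format described above, parsed by an added shell example that is not from the book: it splits a display ID into its parts, rejects malformed values, and says how the X traffic would travel, since a remote hostname means X over plain TCP while the localhost:10.0 form is what an ssh -X session provides. The ssh display offset of 10 is ssh's default, not something the book states.

```shell
#!/bin/sh
# Added example: parse an X display ID string of the form
# [hostname]:display-number[.screen-number] and classify the connection.

# Print "KIND HOST DISPLAY SCREEN" for the display string in $1, where KIND
# is local, ssh-forwarded or remote-tcp and HOST is "-" for a local display.
# Print "none" if the string is empty (no X session) or "invalid" if it does
# not follow the format; both cases return a non-zero status.
display_target() {
    id=$1
    [ -n "$id" ] || { printf 'none\n'; return 1; }
    case "$id" in
        *:*) ;;
        *) printf 'invalid\n'; return 1 ;;
    esac
    host=${id%%:*}
    rest=${id#*:}
    case "$rest" in
        *.*) display=${rest%%.*}; screen=${rest#*.} ;;
        *)   display=$rest;       screen=0 ;;
    esac
    case "$display$screen" in
        *[!0-9]*|"") printf 'invalid\n'; return 1 ;;   # both parts must be numbers
    esac
    if [ -z "$host" ]; then
        kind=local; host=-
    elif [ "$host" = localhost ] && [ "$display" -ge 10 ]; then
        # ssh numbers forwarded displays from its X11DisplayOffset, 10 by default
        kind=ssh-forwarded
    else
        kind=remote-tcp                      # unencrypted X over the network
    fi
    printf '%s %s %s %s\n' "$kind" "$host" "$display" "$screen"
}

# Exercise the parser on the values that appear in this section plus a few
# edge cases; on a live system use: display_target "$DISPLAY"
for sample in ':0.0' ':0' 'tiny:0.0' 'tiny:0' 'localhost:10.0' '' 'tiny' 'tiny:x.0'; do
    printf '%-16s -> %s\n' "'$sample'" "$(display_target "$sample" || true)"
done
```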


When you change the value of DISPLAY
tip: When you change the value of the DISPLAY variable, all X programs send their output to the new display named by DISPLAY.
THE -display OPTION
For a single command, you can usually specify the X server on the command line:
sam@dog:~$ gnome-calculator -display tiny:0.0

Many X programs accept the -display option. Those that do not accept this option
send their output to the display specified by the DISPLAY variable.
RUNNING MULTIPLE X SERVERS
You can run multiple X servers on a single system. The most common reason for running a second X server is to use a second display that allocates a different number of bits to each screen pixel (uses a different color depth [page 1141]). The possible values are 8, 16, 24, and 32 bits per pixel. Most X servers available for Linux default to 24 or 32 bits per pixel, permitting the use of millions of colors simultaneously. Starting an X server with 8 bits per pixel permits the use of any combination of 256 colors at the same time. The maximum number of bits per pixel allowed depends on the computer graphics hardware and X server. With fewer bits per pixel, the system has to transfer less data, possibly making it more responsive. In addition, many games work with only 256 colors.
When you start multiple X servers, each must have a different ID string. The following command starts a second X server:
$ startx -- :1

The -- option marks the end of the startx options and arguments. The startx script uses the arguments to the left of this option and passes arguments to the right of this option to the X server. When you give the preceding command in a graphical environment, such as from a terminal emulator, you must work with root privileges; you will initiate a privileged X session. The following command starts a second X server running at 16 bits per pixel:
$ startx -- :1 -depth 16 &

"Using Virtual Consoles" on page 149 describes how to switch to a virtual console to start a second server where you do not have to work with root privileges.
Guest Session: When you click the Session Indicator (Figure 4-2, page 101), select Guest Session and Ubuntu starts a second X server to accommodate the guest user. When the guest user logs off, the original X server displays the first user's desktop. You can switch between the X servers (and users) by selecting the virtual console (page 149) that displays the X server you want to work with.
X over ssh: See "Tunneling/Port Forwarding" on page 681 for information about running X over an ssh connection.

STOPPING THE X SERVER
How you terminate a window manager depends on which window manager is running and how it is configured. If X stops responding, switch to a virtual terminal, log in from another terminal or a remote system, or use ssh to access the system. Then kill (page 455) the process running X. You can also press CONTROL-ALT-BACKSPACE to quit the X server. This method may not shut down the X session cleanly; use it only as a last resort.

REMAPPING M O U S E BUTTONS
Throughout this book, each description of a mouse click refers to the button by its
position (left, middle, or right, with left implied when no button is specified)
because the position of a mouse button is more intuitive than an arbitrary name or
number. X numbers buttons starting at the left and continuing with the mouse
wheel. The buttons on a three-button mouse are numbered 1 (left), 2 (middle), and
3 (right). A mouse wheel, if present, is numbered 4 (rolling it up) and 5 (rolling it
down). Clicking the wheel is equivalent to clicking the middle mouse button. The
buttons on a two-button mouse are 1 (left) and 2 (right).
If you are right-handed, you can conveniently press the left mouse button with your
index finger; X programs take advantage of this fact by relying on button 1 for the
most common operations. If you are left-handed, your index finger rests most conveniently on button 2 or 3 (the right button on a two- or three-button mouse).
"Mouse Preferences" on page 105 describes how to use a GUI to change a mouse
between right-handed and left-handed. You can also change how X interprets the
mouse buttons using xmodmap. If you are left-handed and using a three-button
mouse with a wheel, the following command causes X to interpret the right button
as button 1 and the left button as button 3:
$ xmodmap -e 'pointer = 3 2 1 4 5'

Omit the 4 and 5 if the mouse does not have a wheel. The following command works for a two-button mouse without a wheel:
$ xmodmap -e 'pointer = 2 1'

If xmodmap displays a message complaining about the number of buttons, use the xmodmap -pp option to display the number of buttons X has defined for the mouse:
$ xmodmap -pp
There are 9 pointer buttons defined.

    Physical        Button
     Button          Code
        1              1
        2              2
        3              3
        4              4
        5              5
        6              6
        7              7
        8              8
        9              9

Then expand the previous command, adding numbers to complete the list. If the -pp option shows nine buttons, give the following command:
$ xmodmap -e 'pointer = 3 2 1 4 5 6 7 8 9'

Changing the order of the first three buttons is critical to making the mouse suitable
for a left-handed user. When you remap the mouse buttons, remember to reinterpret
the descriptions in this book accordingly. When this book asks you to click the left
button or does not specify which button to click, use the right button, and vice versa.
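The remapping described above, carried one step further as an added example that is not from the book: a short shell script that reads the button count from the header line xmodmap -pp prints and generates the matching left-handed pointer expression for any number of buttons, two-button mice included. The function names button_count and left_handed_map and the embedded sample of the xmodmap -pp header are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book): build a left-handed pointer map for
# xmodmap from the number of buttons X reports, as the text describes.
# Assumes the "There are N pointer buttons defined." header line that
# xmodmap -pp prints; the sample below is constructed for this example.

# button_count: read "xmodmap -pp" style output on stdin and print N.
button_count() {
    sed -n 's/^There are \([0-9][0-9]*\) pointer buttons defined\..*/\1/p'
}

# left_handed_map N: print the xmodmap expression that swaps buttons 1 and 3
# and leaves every other button (wheel, extra buttons) in its place.
# A two-button mouse has no middle button, so its map is simply "2 1".
left_handed_map() {
    n=$1
    case "$n" in
        ''|*[!0-9]*|0|1) echo "usage: left_handed_map N (N >= 2)" >&2; return 1 ;;
        2) echo "pointer = 2 1"; return 0 ;;
    esac
    map="3 2 1"
    i=4
    while [ "$i" -le "$n" ]; do
        map="$map $i"
        i=$((i + 1))
    done
    echo "pointer = $map"
}

# Constructed sample of the xmodmap -pp header for a nine-button mouse.
SAMPLE_PP='There are 9 pointer buttons defined.

    Physical        Button
     Button          Code
        1              1'

# In a real X session the two lines would be:
#   n=$(xmodmap -pp | button_count)
#   xmodmap -e "$(left_handed_map "$n")"
# Here the constructed sample stands in for xmodmap -pp so the script
# runs without a display.
n=$(printf '%s\n' "$SAMPLE_PP" | button_count)
left_handed_map "$n"    # prints: pointer = 3 2 1 4 5 6 7 8 9
```

xmodmap changes the mapping of the running X server for the current session only; the buttons return to their defaults at the next login unless the command is run again.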

DESKTOP ENVIRONMENTS/MANAGERS
Conceptually X is very simple. As a consequence, it does not provide some of the
more common features found in GUIs, such as the ability to drag windows. The
UNIX/Linux philosophy is one of modularity: X relies on a window manager, such
as Metacity or Compiz, to draw window borders and handle moving and resizing
operations.
Unlike a window manager, which has a clearly defined task, a desktop environment
(manager) does many things. In general, a desktop environment, such as GNOME
or KDE, provides a means of launching applications and utilities, such as a file manager, that work with a window manager.

GNOME AND KDE
The KDE project began in 1996, with the aim of creating a consistent, user-friendly
desktop environment for free UNIX-like operating systems. KDE is based on the Qt
toolkit made by Trolltech. When KDE development began, the Qt license was not
compatible with the GPL (page 6). For this reason the Free Software Foundation
decided to support a different project, the GNU Network Object Model Environment (GNOME). More recently Qt has been released under the terms of the GPL,
eliminating part of the rationale for GNOME's existence.
GNOME GNOME is the default desktop environment for Ubuntu Linux. It provides a simple, coherent user interface that is suitable for corporate use. GNOME uses GTK
for drawing widgets. GTK, developed for the GNU Image Manipulation Program
(gimp), is written in C, although bindings for C++ and other languages are available.
GNOME does not take much advantage of its component architecture. Instead, it
continues to support the traditional UNIX philosophy of relying on many small
programs, each of which is good at doing a specific task.
KDE KDE is written in C++ on top of the Qt framework. KDE tries to use existing technology, if it can be reused, but creates its own if nothing else is available or if a
superior solution is needed. For example, KDE implemented an HTML rendering
engine long before the Mozilla project was born. Similarly, work on KOffice began
a long time before StarOffice became the open-source OpenOffice.org. In contrast,
the GNOME office applications are stand-alone programs that originated outside
the GNOME project. KDE's portability is demonstrated by the use of most of its
core components, including Konqueror and KOffice, under Mac OS X.
Interoperability Since the release of version 2, the GNOME project has focused on simplifying the
user interface, removing options where they are deemed unnecessary, and aiming
for a set of default settings that the end user will not wish to change. KDE has
moved in the opposite direction, emphasizing configurability.
The freedesktop.org group (freedesktop.org), whose members are drawn from the
GNOME and KDE projects, is improving interoperability and aims to produce
standards that will allow the two environments to work together. One standard
released by freedesktop.org allows applications to use the notification area of either
the GNOME or KDE panel without being aware of which desktop environment
they are running in.

CHAPTER 8 LINUX GUIs: X AND GNOME

Figure 8-2 A Nautilus File Browser window displaying icons (labeled parts: Menubar, Main toolbar, Location bar, Side pane button, Side pane, Handle, View pane, Status bar)

GNUSTEP
The GNUStep project (www.gnustep.org), which began before both the KDE and
GNOME projects, is creating an open-source implementation of the OPENSTEP
API and desktop environment. The result is a very clean and fast user interface.
The default look of WindowMaker, the GNUStep window manager, is somewhat
dated, but it supports themes so you can customize its appearance. The user interface is widely regarded as one of the most intuitive found on a UNIX platform.
Because GNUStep has less overhead than GNOME and KDE, it runs better on
older hardware. If you are running Linux on hardware that struggles with GNOME
and KDE or if you would prefer a user interface that does not attempt to mimic
Windows, try GNUStep. WindowMaker is provided in the wmaker package.

THE NAUTILUS FILE BROWSER WINDOW
"Using Nautilus to Work with Files" on page 107 presented an introduction to
using Nautilus. This section discusses the Nautilus File Browser window in
more depth.

Figure 8-3 A Nautilus File Browser window displaying a List view and a textual location bar

Figure 8-2 shows a File Browser window with a Side pane (sometimes called a sidebar), View pane, menubar, toolbar, location bar, and status bar. To display your
home folder in a File Browser window, select Main menu: Places⇒Home Folder.

THE VIEW PANE
The View pane displays icons or a list of filenames. Select the view you prefer from
the drop-down list at the right end of the location bar. Figure 8-2 shows an Icon
view and Figure 8-3 shows a List view. A Compact view is also available. Objects in
the View pane behave exactly as objects on the desktop do. See the sections starting
on page 101 for information on working with objects.
You can cut/copy and paste objects within a single View pane, between View panes,
or between a View pane and the desktop. The Object context menu (right-click) has
cut, copy, and paste selections. Alternatively, you can use the clipboard (page 124)
to cut/copy and paste objects.

Nautilus can open a terminal emulator
tip When you install the nautilus-open-terminal package (see page 519 for instructions) and log out
and log back in, Nautilus presents an Open in Terminal selection in context menus where appropriate. For example, with this package installed, when you right-click a folder (directory) object
and select Open in Terminal, Nautilus opens a terminal emulator with that directory as the working directory (page 204).

THE SIDE PANE
The Side pane augments the information Nautilus displays in the View pane. Press F9 or
click the X at the top of the Side pane to close it. You can display the Side pane by
pressing F9 or by selecting File Browser menubar: View⇒Side Pane. To change the
horizontal size of the Side pane, drag the handle (Figure 8-2, page 276) on its right side.
The Side pane can display six types of information. The button at its top controls
which type it displays. This button is initially labeled Places; click it to display the
Side pane drop-down list, which has the selections described next.
Places Places lists folders. Double-click one of these folders to display that folder in the
View pane. You can open a directory in a new File Browser window by right-clicking the directory in Places and selecting Open in New Window. Right-click and
select Open in New Tab to open the directory in a new tab.
Places contains two parts: The list above the divider is static and holds your home
directory, your desktop, the filesystem, the network, a CD-ROM drive (when it
contains a disk), unmounted filesystems (if present), and the trash. The list below
the divider holds bookmarks. Add a bookmark by displaying the directory you
want to bookmark in the View pane and pressing CONTROL-D or by selecting File
Browser menubar: Bookmarks⇒Add Bookmark. Remove a bookmark by selecting
File Browser menubar: Bookmarks⇒Edit Bookmarks or by right-clicking the
bookmark and selecting Remove. You can also use Edit Bookmarks to reorder
bookmarks.
Information Information presents information about the folder displayed by or highlighted in
the View pane.
Tree Tree presents an expandable tree view of your home folder and each mounted
filesystem. Each directory in the tree has a plus (+) or minus (-) sign to its left.
Click a plus sign to expand a directory; click a minus sign to close a directory.
Click a directory in the tree to display that directory in the View pane. Double-click a directory to expand it in the Side pane and display it in the View pane.
History History displays a chronological list of the folders that have been displayed in the
View pane, with the most recently displayed folder at the top. Double-click a folder
in this list to display it in the View pane.
Notes Notes provides a place to keep notes about the folder displayed in the View pane.
Emblems Similar to the Emblems tab in the Object Properties window (page 129), Emblems
allows you to drag emblems from the Side pane and drop them on objects in the
View pane. Drag and drop the Erase emblem to erase emblems associated with an
object. You cannot erase emblems that Ubuntu places on objects, such as locked
and link emblems.

CONTROL BARS
This section discusses the four control bars that initially appear in a File Browser
window: the status bar, menubar, Main toolbar, and location bar (Figure 8-2,
page 276). From File Browser menubar: View, you can choose which of these bars
to display—except for the menubar, which Nautilus always displays.


Menubar The menubar appears at the top of the File Browser window and displays a menu
when you click one of its selections. Which menu selections Nautilus displays
depend on what the View pane is displaying and which objects are selected. The
next section describes the menubar in detail.
Main toolbar The Main toolbar appears below the menubar and holds navigation tool icons:
Back, Forward, Up, Stop, Reload, Home, Computer, Magnification, View, and
Search. If the Main toolbar is too short to hold all icons, Nautilus displays a button
with a triangle pointing down at the right end of the toolbar. Click this button to
display a drop-down list of the remaining icons.
To change the magnification of the display in the View pane, click the plus or minus
sign in a magnifying glass on either side of the magnification percentage. Right-click
the magnification percentage itself to return to the default magnification. Left-click
the magnification percentage to display a drop-down list of magnifications. Click
the button to the right of the right-hand magnifying glass to choose whether to view
files as icons, as a list, or in compact format. Click the magnifying glass at the right
end of the toolbar to change the Location bar into a search text box.
Location bar Below the Main toolbar is the location bar, which displays the name of the directory
that appears in the View pane. It can display this name in two formats: iconic (using
buttons) and textual (using a text box). Press CONTROL-L to switch to textual format.
When you display a different directory in the View pane, Nautilus changes the
Location bar back to iconic format.
In iconic format, each button represents a directory in a pathname (page 205). The
View pane displays the directory of the depressed (darker) button. Click one of
these buttons to display that directory. If the leftmost button holds a triangle that
points to the left, Nautilus is not displaying buttons for all the directories in the
absolute (full) pathname; click the button with a triangle in it to display more directory buttons.
In textual format, the text box displays the absolute pathname of the displayed
directory. To have Nautilus display another directory, enter the pathname of the
directory and press RETURN.
Status bar If no items are selected, the status bar, at the bottom of the window, indicates how
many items are displayed in the View pane. If the directory you are viewing is on
the local system, it also tells you how much free space is available on the device that
holds the directory displayed by the View pane. If an item is selected, the status bar
displays the name of the item and its size.

MENUBAR
The Nautilus File Browser menubar controls which information the File Browser displays and how it displays that information. Many of the menu selections duplicate
controls found elsewhere in the File Browser window. This section highlights some of
the selections on the menubar; click Help on the menubar and select Contents or Get
Help Online for more information. The menubar holds the menus described next.

Figure 8-4 The Connect to Server window
File The several Open selections and the Property selection of File work with the highlighted object(s) in the View pane. If no objects are highlighted, these selections are
grayed out or absent. Selecting Connect to Server (also available from Main menu:
Places) displays the Connect to Server window (Figure 8-4). This window presents a
Service type drop-down list that allows you to select FTP, SSH, Windows, or other
types of servers. Enter the URL of the server in the text box labeled Server. For an
FTP connection, do not enter the ftp:// part of the URL. Fill in the optional information as appropriate. Click Connect. If the server requires authentication, Nautilus displays a window in which you can enter a username and password. Nautilus
opens a window displaying a directory on the server and an object, named for the
URL you specified, on the desktop. After you close the window, you can open the
object to connect to and display a directory on the server.
Edit Many of the Edit selections work with highlighted object(s) in the View pane; if no
objects are highlighted, these selections are grayed out or absent. This section discusses
three selections from Edit: Compress, Backgrounds and Emblems, and Preferences.
The Edit⇒Compress selection creates a single archive file comprising the selected
objects. This selection opens a Compress window (Figure 8-5) that allows you to
specify the name and location of the archive. The drop-down list to the right of the
text box labeled Filename allows you to specify a filename extension that determines the type of archive this tool creates. For example, .tar.gz creates a tar
(page 176) file compressed by gzip (page 175) and .tar.bz2 creates a tar file compressed by bzip2 (page 174). Click the plus sign to the left of Other Objects to specify a password for and/or to encrypt the archive (available only with certain types of
archives). You can also split the archive into several files (volumes).
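The extension-driven choice of archive type that the Compress window makes, shown as an added command-line example that is not from the book and not Nautilus's own code: the filename extension selects the tar compression flag, one archive is created from the selected objects, and the result is listed back. The helper names (archive_flag, compress_objects, list_archive, demo) and the scratch files the demo creates are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book or from Nautilus): the command-line
# counterpart of the Compress window's extension-driven choice of archive
# type. Helper names and the sample files are assumptions for this example.

# archive_flag NAME: print the tar compression flag for NAME's extension,
# or fail for an extension the window's drop-down list does not offer.
archive_flag() {
    case "$1" in
        *.tar.gz|*.tgz)   echo z ;;   # tar file compressed by gzip
        *.tar.bz2|*.tbz2) echo j ;;   # tar file compressed by bzip2
        *.tar)            echo "" ;;  # plain tar file, no compression
        *) echo "unsupported archive extension: $1" >&2; return 1 ;;
    esac
}

# compress_objects ARCHIVE OBJECT...: create ARCHIVE from the listed
# objects, one archive per call, as the window does for the selection.
compress_objects() {
    archive=$1; shift
    flag=$(archive_flag "$archive") || return 1
    tar -c${flag}f "$archive" "$@"
}

# list_archive ARCHIVE: print the member names, one per line.
list_archive() {
    flag=$(archive_flag "$1") || return 1
    tar -t${flag}f "$1"
}

# Constructed sample: a scratch directory holding a "pictures" folder with
# two files, standing in for objects selected in the View pane. Prints the
# number of members in the resulting pictures.tar.gz.
demo() {
    work=$(mktemp -d)
    mkdir "$work/pictures"
    echo "one" > "$work/pictures/a.txt"
    echo "two" > "$work/pictures/b.txt"
    ( cd "$work" && compress_objects pictures.tar.gz pictures ) || return 1
    list_archive "$work/pictures.tar.gz" | wc -l | tr -d ' '
    rm -rf "$work"
}

demo    # prints 3: the pictures/ directory entry plus its two files
```

The window's password and volume-splitting options have no counterpart here; this example covers only the format selection.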

Figure 8-5 The Compress window

The Edit⇒Backgrounds and Emblems selection has three buttons on the left: Patterns, Colors, and Emblems. Click Patterns to display many pattern objects on the
right side of the window. Drag and drop one of these objects on the View pane of a
File Browser window to change the background of all File Browser View panes.
Drag and drop the Reset object to reset the background to its default color and pattern (usually white). The Colors button works the same way as the Patterns button.
The Emblems button works the same way as the Emblems tab in the Side pane
(page 278).
The Edit⇒Preferences selection displays the File Management Preferences window
(Figure 8-6). This window has six tabs that control the appearance and behavior of
File Browser windows.
Figure 8-6 The File Management Preferences window, Views tab

The Views tab sets several defaults, including which view the File Browser displays
(Icon, List, or Compact view), the arrangement of the objects, the default zoom
level, and default settings for the Compact view.
Delete versus Move to Trash The Behavior tab controls how many clicks it takes to open an object and what Nautilus does when it opens an executable text object (script). For more confident users,
this tab has an option that includes a Delete selection in addition to the Move to
Trash selection on several menus. The Delete selection immediately removes the
selected object instead of moving it to the Trash folder. This tab also holds the check
box labeled Open each folder in its own window that is described in the next section.
The Display tab specifies which information Nautilus includes in object (icon) captions. The three drop-down lists specify the order in which Nautilus displays information as you increase the zoom level of the View pane. This tab also specifies the
date format Nautilus uses.
The List Columns tab specifies which columns Nautilus displays, and in what order
it displays them, in the View pane when you select List View.
The Preview tab controls when Nautilus displays or plays previews of files (Always,
Local Files Only, Never).
The Media tab specifies which action Nautilus takes when you insert media such as
a CD/DVD, or connect devices such as a USB flash drive, to the system.
View Click the Main Toolbar, Side Pane, Location Bar, and Statusbar selections in the View
submenu to display or remove these elements from the window. The Show Hidden
Files selection displays in the View pane those files with hidden filenames (page 204).
Go The Go selections display various folders in the View pane.
Bookmarks Bookmarks appear at the bottom of this menu and in the Side pane under Places.
The Bookmarks selections are explained under "Places" on page 278.
Help The Help selections display local and online information about Nautilus.

optional

THE NAUTILUS SPATIAL VIEW
Nautilus gives you two ways to work with files: the traditional File Browser view
described in the previous section and the innovative Spatial view shown in
Figure 8-7. By default, Ubuntu displays the Browser view.
The Nautilus Spatial (as in "having the nature of space") view has many powerful
features but may take some getting used to. It always provides one window per
folder. By default, when you open a folder, Nautilus displays a new window.
Turn on the Spatial view by selecting File Browser menubar: Edit⇒Preferences.
Then click the Behavior tab in the File Management Preferences window and put a
tick in the check box labeled Open each folder in its own window, click Close, and
close the File Browser window. Next time you open a File Browser window, it will
display a Spatial view.

Figure 8-7 The Nautilus Spatial view (callout: Parent-folders button and pop-up menu)

To open a Spatial view of your home directory, select Main menu: Home Folder and
experiment as you read this section. If you double-click the Desktop icon in the Spatial view, Nautilus opens a new window that displays the Desktop folder.

You can turn off the Nautilus Spatial view
To turn off the Nautilus Spatial view, open a File Browser window. From the menubar, open the File
Management Preferences window by selecting Edit⇒Preferences. Click the Behavior tab in this
window and remove the tick from the check box labeled Open each folder in its own window.
A Spatial view can display icons, a list of filenames, or a compact view. To select
your preferred format, click View on the menubar and choose Icons, List, or Compact. To create files to experiment with, right-click in the window (not on an icon)
to display the Nautilus context menu and select Create Folder or Create Document.

Use SHIFT to close the current window as you open another window
If you hold the SHIFT key down when you double-click to open a new window, Nautilus closes the
current window as it opens the new one. This behavior may be more familiar and can help keep
the desktop from becoming cluttered. If you do not want to use the keyboard, you can achieve the
same result by double-clicking the middle mouse button.
Window memory Move the window by dragging the titlebar. The Spatial view has window memory—
that is, the next time you open that folder, Nautilus opens it at the same size and in
the same location. Even the scrollbar will be in the same position.
Parent-folders button The key to closing the current window and returning to the window of the parent
directory is the Parent-folders button (Figure 8-7). Click this button to display the
Parent-folders pop-up menu. Select the directory you want to open from this menu.
Nautilus then displays in a Spatial view the directory you specified.

From a Spatial view, you can open a folder in a traditional view by right-clicking the
folder and selecting Browse Folder.

Figure 8-8 The Appearance Preferences window, Fonts tab

GNOME UTILITIES
GNOME comes with numerous utilities that can make your work with the desktop
easier and more productive. This section covers several tools that are integral to the
use of GNOME.

FONT PREFERENCES
The Fonts tab of the Appearance Preferences window (Figure 8-8) enables you to
change the font GNOME uses for applications, documents, the desktop, window
titles, and terminal emulators (fixed width). To display this window, select Main
menu: System⇒Preferences⇒Appearance or enter gnome-appearance-properties on
a command line. Click the Fonts tab. Click one of the five font bars in the upper
part of the window to display the Pick a Font window (discussed next).
Examine the four sample boxes in the lower part of the window and select the one
in which the letters look the best. Subpixel smoothing is usually best for LCD monitors. Click Details to refine the font rendering further, again picking the box in each
section in which the letters look the best.

PICK A FONT WINDOW
The Pick a Font window (Figure 8-9) appears when you need to choose a font; see
the previous section. From this window you can select a font family, a style, and a
size. A preview of your choice appears in the Preview frame in the lower part of the
window. Click OK when you are satisfied with your choice.

Figure 8-9 The Pick a Font window

PICK A COLOR WINDOW
The Pick a Color window (Figure 8-10) appears when you need to specify a color,
such as when you specify a solid color for the desktop background (page 114) or a
panel. To specify a color for a panel, right-click the panel to display its context menu,
select Properties, click the Background tab, click the radio button labeled Solid color,
and click within the box labeled Color. GNOME displays the Pick a Color window.
When the Pick a Color window opens, the bar below the color circle displays the
current color. Click the desired color on the color ring, and click/drag the lightness
of that color in the triangle. As you change the color, the right end of the bar below
the color circle previews the color you are selecting, while the left end continues to
display the current color. You can also use the eyedropper to pick up a color from
the workspace: Click the eyedropper, and then click the resulting eyedropper mouse
pointer on the color you want to select. The color you choose appears in the bar.
Click OK when you are satisfied with the color you have specified.
Figure 8-10 The Pick a Color window

RUN APPLICATION WINDOW
The Run Application window (Figure 4-4, page 103) enables you to run a program
as though you had initiated it from a command line. To display the Run Application
window, press ALT-F2. Enter a command in the text box. As soon as GNOME can
uniquely identify the command you are entering, it completes the command and
may display an object that identifies the application. Keep typing if the displayed
command is not the one you want to run. Otherwise, press RETURN to run the command or TAB to accept the command in the text box. You can then continue entering
information in the window. Click Run with file to specify a file to use as an argument to the command in the text box. Put a tick in the check box labeled Run in terminal to run a textual application, such as vim.tiny, in a terminal emulator window.

SEARCHING FOR FILES
The Search for Files window (Figure 8-11) can help you find files whose locations
or names you do not know or have forgotten. To open this window, select Main
menu: Places⇒Search for Files or enter gnome-search-tool on a command line from
a terminal emulator or Run Application window (ALT-F2). To search by filename or
partial filename, enter the (partial) filename in the combo box labeled Name contains and then select the folder you want to search in from the drop-down list
labeled Look in folder. When GNOME searches in a folder, it searches subfolders to
any level (it searches the directory hierarchy). To search all directories in all
mounted filesystems, select File System from the drop-down list labeled Look in
folder. Select Other to search a folder not included in the drop-down list; GNOME
opens the Browse/Save window (page 110). Once you have entered the search criteria, click Find. GNOME displays the list of files matching the criteria in the list box
labeled Search results. Double-click a file in this list box to open it.
To refine the search, you can enter more search criteria. Click the plus sign to the
left of Select more options to expand the window and display more search criteria.
Figure 8-11 The Search for Files window

Figure 8-12 The Search for Files window with Select more options expanded

GNOME initially displays one search criterion and a line for adding another criterion as shown in Figure 8-12. With this part of the window expanded, GNOME
incorporates all visible search criteria when you click Find.
The first line below Select more options holds a text box labeled Contains the text.
If nothing is entered in this text box, the search matches all files. You can leave this
text box as is or remove the line by clicking Remove at the right end of the line. To
search for a file that contains a specific string of characters (text), enter the string in
this text box.
To add search criteria, make a selection from the list box labeled Available options
and click Add to the right of the drop-down list. To remove criteria, click Remove
at the right end of the line that holds the criterion you want to remove.
To select files that were modified fewer than a specified number of days ago, select
Date modified less than from the drop-down list labeled Available options and click
Add. The Search for Files window adds a line with a spin box labeled Date modified
less than. With this spin box showing 0 (zero), as it does initially, no file matches the
search criteria. Change this number as desired and click Find to begin the search.
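The three criteria this section describes (Name contains, Contains the text, and Date modified less than), carried over to the command line as an added example that is not from the book and not gnome-search-tool's own code. The criteria are mapped onto find(1) and grep(1), the folder is searched to any depth as the window does, and a Date modified less than value of 0 matches nothing, reproducing the window's initial state. The function names search_files and demo and the scratch files the demo creates are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book or from gnome-search-tool): a shell
# counterpart of the Search for Files criteria described in the text.
# Function names and the constructed sample files are assumptions.

# search_files FOLDER NAME_PART [TEXT] [DAYS]
#   NAME_PART  substring of the filename (empty string matches every name)
#   TEXT       string the file must contain (empty string matches every file)
#   DAYS       modified fewer than DAYS days ago; 0 matches nothing, as the
#              window's spin box does in its initial state
search_files() {
    folder=$1 name_part=$2 text=${3:-} days=${4:-}
    if [ -n "$days" ] && [ "$days" -eq 0 ]; then
        return 0                      # spin box at 0: no file matches
    fi
    # Build the find expression; the folder is searched to any depth.
    set -- "$folder" -type f -name "*${name_part}*"
    if [ -n "$days" ]; then
        set -- "$@" -mtime "-$days"   # less than DAYS*24 hours old
    fi
    if [ -n "$text" ]; then
        # grep -l prints only the names of files containing TEXT
        find "$@" -exec grep -l -- "$text" {} + 2>/dev/null
    else
        find "$@"
    fi | sort
}

# demo NAME_PART TEXT DAYS: run a search over a constructed scratch tree
# and print the matches relative to it. The tree holds two recent files
# and one whose modification time is set back to 2001.
demo() {
    name_part=$1 text=$2 days=$3
    work=$(mktemp -d)
    mkdir -p "$work/old" "$work/new"
    echo "Dear Sam" > "$work/new/letter.txt"
    echo "unrelated" > "$work/new/notes.txt"
    echo "Dear Sam" > "$work/old/letter.txt"
    touch -t 200101010000 "$work/old/letter.txt"   # last modified in 2001
    search_files "$work" "$name_part" "$text" "$days" | sed "s|^$work/||"
    rm -rf "$work"
}

demo letter Dear 7    # prints new/letter.txt
```

Like the window, the search descends through every subfolder of the chosen folder; searching from / therefore walks every mounted filesystem, which is what selecting File System in the Look in folder list does.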

GNOME TERMINAL EMULATOR/SHELL
The GNOME terminal emulator displays a window that mimics a character-based terminal (page 125). To display a terminal emulator window, select Main
menu: Applications⇒Accessories⇒Terminal or enter gnome-terminal on a command line or from a Run Application window (ALT-F2). When the GNOME terminal emulator is already displayed, select Terminal menubar: File⇒Open Terminal
or right-click within the Terminal window and select Open Terminal to display a
new terminal emulator window.
To open an additional terminal session within the same Terminal window, right-click the window and select Open Tab from the context menu or select Terminal
menubar: File⇒Open Tab. A row of tabs appears below the menubar as gnome-terminal opens another terminal session on top of the existing one. Add as many terminal sessions as you like; click the tabs to switch between sessions.

GNOME terminal emulator shortcuts
tip While using the GNOME terminal emulator, CONTROL-SHIFT-N opens a new window and
CONTROL-SHIFT-T opens a new tab. New windows and tabs open to the working directory. In addition,
you can use CONTROL-PAGE UP and CONTROL-PAGE DOWN to switch between tabs.
A session you add from the context menu uses the same profile as the session you
open it from. When you use the menubar to open a session, GNOME gives you a
choice of profiles, if more than one is available. You can add and modify profiles,
including the Default profile, by selecting Terminal menubar: Edit⇒Profiles. Highlight the profile you want to modify or click New to design a new profile.

CHAPTER SUMMARY
The X Window System GUI is portable and flexible and makes it easy to write
applications that work on many different types of systems without having to know
low-level details for the individual systems. This GUI can operate in a networked
environment, allowing a user to run a program on a remote system and send the
results to a local display. The client/server concept is integral to the operation of the
X Window System, in which the X server is responsible for fulfilling requests made
of X Window System applications or clients. Hundreds of clients are available that
can run under X. Programmers can also write their own clients, using tools such as
the GTK+ and GTK+2 GNOME libraries to write GNOME programs and the Qt
and KDE libraries to write KDE programs.
The window managers, and virtually all X applications, are designed to help users
tailor their work environments in simple or complex ways. You can designate applications that start automatically, set such attributes as colors and fonts, and even
alter the way keyboard strokes and mouse clicks are interpreted.
Built on top of the X Window System, the GNOME desktop manager can be used
as is or customized to better suit your needs. It is a graphical user interface to system services (commands), the filesystem, applications, and more. Although not part
of GNOME, the Metacity and Compiz window managers work closely with
GNOME and are the default window managers for GNOME under Ubuntu. A window manager controls all aspects of the windows, including placement, decoration,
grouping, minimizing and maximizing, sizing, and moving.
The Nautilus File Browser window is a critical part of GNOME; the desktop is a
modified File Browser window. The File Browser View pane displays icons or a list
of filenames you can work with. The Side pane, which can display six types of
information, augments the information Nautilus displays in the View pane.


GNOME also provides many graphical utilities you can use to customize and work
with the desktop. It supports MIME types; thus, when you double-click an object,
GNOME generally knows which tool to use to display the data represented by the
object. In sum, GNOME is a powerful desktop manager that can make your job
both easier and more fun.

EXERCISES
1. a. What is Nautilus?
b. List four things you can do with Nautilus.
c. How do you use Nautilus to search for a file?
2. What is a terminal emulator? What does it allow you to do from a GUI
that you would not be able to do without one?
3. How would you search the entire filesystem for a file named today.odt?
4. a. List two ways you can open a file using Nautilus.
b. How does Nautilus "know" which program to use to open different
types of files?
c. What are the three common Nautilus control bars? Which kinds of
tools do you find on each?
d. Discuss the use of the Nautilus location bar in textual mode.

ADVANCED EXERCISES
5. Assume you are using a mouse with nine pointer buttons defined. How
would you reverse the effects of using the mouse wheel?
6. a. How would you use Nautilus to connect to the FTP server at
ftp.ubuntu.com?
b. Open the following folders: ubuntu, dists, and lucid. How would you
copy the file named Contents-i386.gz to the desktop? What type of file
is Contents-i386.gz?
c. How would you open the Contents-i386.gz file on the desktop? How
would you open the Contents-i386.gz file on the FTP server? Which file
opens more quickly? Why? Which file can you modify?
7. Discuss the client/server environment set up by the X Window System.
How does the X server work? List three X clients. Where is the client and
where is the server when you log in on a local system? What is an advantage of this setup?


8. Run xwininfo from a terminal emulator window and answer these questions:
a. What does xwininfo do?
b. What does xwininfo give as the name of the window you clicked? Does
that agree with the name in the window's titlebar?
c. What is the size of the window? In which units does xwininfo display this
size? What is the depth of a window?
d. How can you get xwininfo to display the same information without having to click the window?
9. Find and install xeyes (not tuxeyes). Write an xeyes command to display a
window that is 600 pixels wide and 400 pixels tall, is located 200 pixels
from the right edge of the screen and 300 pixels from the top of the screen,
and contains orange eyes outlined in blue with red pupils. (Hint: Refer to
the xeyes man page.)

9
THE BOURNE AGAIN SHELL
IN THIS CHAPTER
Startup Files 293
Redirecting Standard Error 297
Writing a Simple Shell Script 300
Job Control 307
Manipulating the Directory Stack 310
Parameters and Variables 312
Processes 328
History 330
Reexecuting and Editing Commands 332
Functions 349
Controlling bash: Features and Options 352
Processing the Command Line 356

This chapter picks up where Chapter 7 left off. Chapter 27
expands on this chapter, exploring control flow commands and
more advanced aspects of programming the Bourne Again Shell
(bash). The bash home page is at www.gnu.org/software/bash.
The bash info page is a complete Bourne Again Shell reference.
The Bourne Again Shell is a command interpreter and high-level
programming language. As a command interpreter, it processes
commands you enter on the command line in response to a
prompt. When you use the shell as a programming language, it
processes commands stored in files called shell scripts. Like other
languages, shells have variables and control flow commands (for
example, for loops and if statements).
When you use a shell as a command interpreter, you can customize the environment you work in. You can make your
prompt display the name of the working directory, create a
function or an alias for cp that keeps it from overwriting certain
kinds of files, take advantage of keyword variables to change
aspects of how the shell works, and so on. You can also write
shell scripts that do your bidding—anything from a one-line

script that stores a long, complex command to a longer script that runs a set of
reports, prints them, and mails you a reminder when the job is done. More complex
shell scripts are themselves programs; they do not just run other programs.
Chapter 27 has some examples of these types of scripts.
Most system shell scripts are written to run under bash (or dash; see below). If you
will ever work in recovery mode—when you boot the system or perform system
maintenance, administration, or repair work, for example—it is a good idea to
become familiar with this shell.
This chapter expands on the interactive features of the shell described in Chapter 7,
explains how to create and run simple shell scripts, discusses job control, introduces
the basic aspects of shell programming, talks about history and aliases, and
describes command-line expansion. Chapter 27 presents some more challenging
shell programming problems.

BACKGROUND
The Bourne Again Shell is based on the Bourne Shell (the early UNIX shell; this
book refers to it as the original Bourne Shell to avoid confusion), which was written
by Steve Bourne of AT&T's Bell Laboratories. Over the years the original Bourne
Shell has been expanded but it remains the basic shell provided with many commercial versions of UNIX.
sh Shell   Because of its long and successful history, the original Bourne Shell has been used
to write many of the shell scripts that help manage UNIX systems. Some of these
scripts appear in Linux as Bourne Again Shell scripts. Although the Bourne Again
Shell includes many extensions and features not found in the original Bourne
Shell, bash maintains compatibility with the original Bourne Shell so you can run
Bourne Shell scripts under bash. On UNIX systems the original Bourne Shell is
named sh.
dash Shell   The bash executable file is about 800 kilobytes, has many features, and is well
suited as a user login shell. The dash (Debian Almquist) shell is about 100 kilobytes, offers Bourne Shell compatibility for shell scripts (noninteractive use), and,
because of its size, can load and execute shell scripts much more quickly than
bash. Most system scripts are set up to run sh, which under Ubuntu is a symbolic
link to dash. This setup allows the system to boot and run system shell scripts
quickly.
On many Linux systems sh is a symbolic link to bash, ensuring scripts that require
the presence of the Bourne Shell still run. When called as sh, bash does its best to
emulate the original Bourne Shell.


Korn Shell   System V UNIX introduced the Korn Shell (ksh), written by David Korn. This shell
extended many features of the original Bourne Shell and added many new features.
Some features of the Bourne Again Shell, such as command aliases and command-line editing, are based on similar features from the Korn Shell.
POSIX   The POSIX (Portable Operating System Interface) family of related standards is
being developed by PASC (IEEE's Portable Application Standards Committee,
www.pasc.org). A comprehensive FAQ on POSIX, including many links, appears at
www.opengroup.org/austin/papers/posix_faq.html.
POSIX standard 1003.2 describes shell functionality. The Bourne Again Shell provides the features that match the requirements of this standard. Efforts are under
way to make the Bourne Again Shell fully comply with the POSIX standard. In the
meantime, if you invoke bash with the --posix option, the behavior of the Bourne
Again Shell will closely match the POSIX requirements.

SHELL BASICS
This section covers writing and using startup files, redirecting standard error, writing
and executing simple shell scripts, separating and grouping commands, implementing
job control, and manipulating the directory stack.

chsh: changes your login shell
tip The person who sets up your account determines which shell you use when you first log in on the
system or when you open a terminal emulator window in a GUI environment. Under Ubuntu, bash
is the default shell. You can run any shell you like once you are logged in. Enter the name of the
shell you want to use (bash, tcsh, or another shell) and press RETURN; the next prompt will be
that of the new shell. Give an exit command to return to the previous shell. Because shells you
call in this manner are nested (one runs on top of the other), you will be able to log out only from
your original shell. When you have nested several shells, keep giving exit commands until you
reach your original shell. You will then be able to log out.
Use the chsh utility to change your login shell permanently. First give the command chsh. In
response to the prompts, enter your password and the absolute pathname of the shell you want
to use (/bin/bash, /bin/tcsh, or the pathname of another shell). When you change your login shell
in this manner using a terminal emulator (page 125) under a GUI, subsequent terminal emulator
windows will not reflect the change until you log out of the system and log back in. See page 457
for an example of how to use chsh.

STARTUP FILES
When a shell starts, it runs startup files to initialize itself. Which files the shell runs
depends on whether it is a login shell, an interactive shell that is not a login shell
(such as you get by giving the command bash), or a noninteractive shell (one used to

execute a shell script). You must have read access to a startup file to execute the
commands in it. Ubuntu Linux puts appropriate commands in some of these files.
This section covers bash startup files.

LOGIN SHELLS
The files covered in this section are executed by login shells and shells that you start
with the bash --login option. Login shells are, by their nature, interactive.
/etc/profile   The shell first executes the commands in /etc/profile. A user working with root
privileges can set up this file to establish systemwide default characteristics for users
running bash.
.bash_profile
.bash_login
.profile   Next the shell looks for ~/.bash_profile, ~/.bash_login, and ~/.profile (~/ is shorthand for your home directory), in that order, executing the commands in the first of
these files it finds. You can put commands in one of these files to override the
defaults set in /etc/profile. A shell running on a virtual terminal does not execute
commands in these files.
.bash_logout   When you log out, bash executes commands in the ~/.bash_logout file. This file
often holds commands that clean up after a session, such as those that remove
temporary files.

INTERACTIVE NONLOGIN SHELLS
The commands in the preceding startup files are not executed by interactive, nonlogin shells. However, these shells inherit values from the login shell variables that
are set by these startup files.
/etc/bashrc   Although not called by bash directly, many ~/.bashrc files call /etc/bashrc. This
setup allows a user working with root privileges to establish systemwide default
characteristics for nonlogin bash shells.
.bashrc   An interactive nonlogin shell executes commands in the ~/.bashrc file. Typically a
startup file for a login shell, such as .bash_profile, runs this file, so both login and
nonlogin shells run the commands in .bashrc.

NONINTERACTIVE SHELLS
The commands in the previously described startup files are not executed by noninteractive shells, such as those that run shell scripts. However, these shells inherit
login shell variables that are set by these startup files.
BASH_ENV   Noninteractive shells look for the environment variable BASH_ENV (or ENV if the
shell is called as sh) and execute commands in the file named by this variable.

SETTING UP STARTUP FILES
Although many startup files and types of shells exist, usually all you need are the
.bash_profile and .bashrc files in your home directory. Commands similar to the
following in .bash_profile run commands from .bashrc for login shells (when
.bashrc exists). With this setup, the commands in .bashrc are executed by login and
nonlogin shells.
if [ -f ~/.bashrc ]; then . ~/.bashrc; fi

The [ -f ~/.bashrc ] tests whether the file named .bashrc in your home directory
exists. See pages 955 and 957 for more information on test and its synonym [ ]. See
page 296 for information on the . (dot) builtin.

Use .bash_profile to set PATH
tip Because commands in .bashrc may be executed many times, and because subshells inherit
exported variables, it is a good idea to put commands that add to existing variables in the
.bash_profile file. For example, the following command adds the bin subdirectory of the home
directory to PATH (page 319) and should go in .bash_profile:
PATH=$PATH:$HOME/bin

When you put this command in .bash_profile and not in .bashrc, the string is added to the PATH
variable only once, when you log in.
Modifying a variable in .bash_profile causes changes you make in an interactive session to propagate to subshells. In contrast, modifying a variable in .bashrc overrides changes inherited from
a parent shell.
Sample .bash_profile and .bashrc files follow. Some commands used in these files
are not covered until later in this chapter. In any startup file, you must export variables and functions that you want to be available to child processes. For more information refer to "Locality of Variables" on page 992.
$ cat ~/.bash_profile
if [ -f ~/.bashrc ]; then       # Read local startup file if it exists
    . ~/.bashrc
fi
PATH=$PATH:.                    # Add the working directory to PATH
export PS1='[\h \W \!]\$ '      # Set prompt
The first command in the preceding .bash_profile file executes the commands in the
user's .bashrc file if it exists. The next command adds to the PATH variable
(page 319). Typically PATH is set and exported in /etc/profile so it does not need to
be exported in a user's startup file. The final command sets and exports PS1
(page 321), which controls the user's prompt.
A sample .bashrc file is shown on the next page. The first command executes the
commands in the /etc/bashrc file if it exists. Next the file sets and exports the LANG
(page 326) and VIMINIT (for vim initialization) variables and defines several aliases.
The final command defines a function (page 349) that swaps the names of two files.

$ cat ~/.bashrc
if [ -f /etc/bashrc ]; then     # read global startup file if it exists
    source /etc/bashrc
fi
set -o noclobber                # prevent overwriting files
unset MAILCHECK                 # turn off "you have new mail" notice
export LANG=C                   # set LANG variable
export VIMINIT='set ai'         # set vim options
alias df='df -h'                # set up aliases
alias rm='rm -i'                # always do interactive rm's
alias lt='ls -ltrh | tail'
alias h='history | tail'
alias ch='chmod 755 '
function switch()               # a function to exchange the names
{                               # of two files
    local tmp=$$switch
    mv "$1" "$tmp"
    mv "$2" "$1"
    mv "$tmp" "$2"
}

. (DOT) OR source: RUNS A STARTUP FILE IN THE CURRENT SHELL
After you edit a startup file such as .bashrc, you do not have to log out and log in
again to put the changes into effect. Instead, you can run the startup file using the .
(dot) or source builtin (they are the same command). As with all other commands,
the . must be followed by a SPACE on the command line. Using . or source is similar to
running a shell script, except these commands run the script as part of the current
process. Consequently, when you use . or source to run a script, changes you make
to variables from within the script affect the shell you run the script from. If you ran
a startup file as a regular shell script and did not use the . or source builtin, the variables created in the startup file would remain in effect only in the subshell running
the script—not in the shell you ran the script from. You can use the . or source command to run any shell script—not just a startup file—but undesirable side effects
(such as changes in the values of shell variables you rely on) may occur. For more
information refer to "Locality of Variables" on page 992.
In the following example, .bashrc sets several variables and sets PS1, the prompt, to
the name of the host. The . builtin puts the new values into effect.
$ cat ~/.bashrc
export TERM=vt100               # set the terminal type
export PS1="$(hostname -f): "   # set the prompt string
export CDPATH=:$HOME            # add HOME to CDPATH string
stty kill '^u'                  # set kill line to control-u

$ . ~/.bashrc
bravo.example.com:
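The locality point above, as an added example that is not from the book: a startup-style file is run once as an argument to bash and once with . (dot), and a child bash is asked which variables it inherited. The file rc and the names DEMO_VAR, PLAIN_VAR and EXPORTED_VAR are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the book). Shows that "bash file" runs the file in a
# child process whose variables vanish when it exits, while ". file" runs it in
# the current shell, and that only exported variables reach a child process.
# The startup file and the variable names here are constructed for the demo.

# Write a one-line startup file that sets DEMO_VAR, run it the way $1 names
# ("subshell" = bash file, "source" = . file), then print DEMO_VAR as the
# calling shell sees it afterwards.
run_startup_file() {
    local how=$1 tmp
    tmp=$(mktemp -d) || return 1
    printf 'DEMO_VAR=set-by-startup-file\n' > "$tmp/rc"
    DEMO_VAR=unchanged
    case $how in
        subshell) bash "$tmp/rc" ;;   # child bash: its assignment dies with it
        source)   . "$tmp/rc" ;;      # same process: the assignment sticks
        *)        rm -rf "$tmp"; return 2 ;;
    esac
    rm -rf "$tmp"
    printf '%s\n' "$DEMO_VAR"
}

# Show what a child bash process inherits: a plain shell variable is invisible
# to the child; an exported one is passed to it in the environment.
child_sees() {
    PLAIN_VAR=plain
    export EXPORTED_VAR=exported
    bash -c 'printf "%s,%s\n" "${PLAIN_VAR:-unset}" "${EXPORTED_VAR:-unset}"'
}

# Results when this file is run directly, e.g.  bash locality_demo.sh
printf 'after "bash rc": DEMO_VAR=%s\n' "$(run_startup_file subshell)"
printf 'after ". rc"   : DEMO_VAR=%s\n' "$(run_startup_file source)"
printf 'child sees     : %s\n' "$(child_sees)"
```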


COMMANDS THAT ARE SYMBOLS
The Bourne Again Shell uses the symbols (, ), [, ], and $ in a variety of ways. To
minimize confusion, Table 9-1 lists the most common use of each of these symbols,
even though some of them are not introduced until later in this book.

Table 9-1   Builtin commands that are symbols

Symbol      Command
( )         Subshell (page 306)
$( )        Command substitution (page 362)
(( ))       Arithmetic evaluation; a synonym for let (use when the enclosed value contains an equal sign; page 1016)
$(( ))      Arithmetic expansion (not for use with an enclosed equal sign; page 360)
[ ]         The test command (pages 955 and 957)
[[ ]]       Conditional expression; similar to [ ] but adds string comparisons (page 1017)

REDIRECTING STANDARD ERROR
Chapter 7 covered the concept of standard output and explained how to redirect
standard output of a command. In addition to standard output, commands can
send output to standard error. A command can send error messages to standard
error to keep them from getting mixed up with the information it sends to standard
output.
Just as it does with standard output, by default the shell directs standard error to
the screen. Unless you redirect one or the other, you may not know the difference
between the output a command sends to standard output and the output it sends
to standard error. This section describes the syntax used by the Bourne Again
Shell to redirect standard error and to distinguish between standard output and
standard error.
File descriptors   A file descriptor is the place a program sends its output to and gets its input from.
When you execute a program, Linux opens three file descriptors for the program: 0
(standard input), 1 (standard output), and 2 (standard error). The redirect output
symbol (> [page 246]) is shorthand for 1>, which tells the shell to redirect standard
output. Similarly < (page 247) is short for 0<, which redirects standard input. The
symbol 2> redirects standard error. For more information refer to "File Descriptors" on page 987.
The following examples demonstrate how to redirect standard output and standard
error to different files and to the same file. When you run the cat utility with the
name of a file that does not exist and the name of a file that does exist, cat sends an
error message to standard error and copies the file that does exist to standard output. Unless you redirect them, both messages appear on the screen.

$ cat y
This is y.
$ cat x
cat: x: No such file or directory
$ cat x y
cat: x: No such file or directory
This is y.

When you redirect standard output of a command, output sent to standard error is
not affected and still appears on the screen.
$ cat x y > hold
cat: x: No such file or directory
$ cat hold
This is y.

Similarly, when you send standard output through a pipe, standard error is not
affected. The following example sends standard output of cat through a pipe to tr,
which in this example converts lowercase characters to uppercase. (See the tr info
page for more information.) The text that cat sends to standard error is not translated because it goes directly to the screen rather than through the pipe.
$ cat x y | tr "[a-z]" "[A-Z]"
cat: x: No such file or directory
THIS IS Y.

The following example redirects standard output and standard error to different
files. The token following 2> tells the shell where to redirect standard error (file
descriptor 2). The token following 1> tells the shell where to redirect standard output (file descriptor 1). You can use > in place of 1>.
$ cat x y 1> hold1 2> hold2
$ cat hold1
This is y.
$ cat hold2
cat: x: No such file or directory

Combining standard output and standard error   In the next example, the &> token redirects standard output and standard error to
a single file:
$ cat x y &> hold
$ cat hold
cat: x: No such file or directory
This is y.

Duplicating a file descriptor   In the next example, first 1> redirects standard output to hold and then 2>&1 declares
file descriptor 2 to be a duplicate of file descriptor 1. As a result, both standard output
and standard error are redirected to hold.
$ cat x y 1> hold 2>&1
$ cat hold
cat: x: No such file or directory
This is y.

In this case, 1> hold precedes 2>&1. If they had been listed in the opposite order, standard error would have been made a duplicate of standard output before standard

output was redirected to hold. Only standard output would have been redirected to
hold in that scenario.
The next example declares file descriptor 2 to be a duplicate of file descriptor 1 and
sends the output for file descriptor 1 through a pipe to the tr command.
$ cat x y 2>&1 | tr "[a-z]" "[A-Z]"
CAT: X: NO SUCH FILE OR DIRECTORY
THIS IS Y.

Sending errors to standard error   You can use 1>&2 to redirect standard output of a command to standard error.
Shell scripts use this technique to send the output of echo to standard error. In the
following script, standard output of the first echo is redirected to standard error:
$ cat message_demo
echo This is an error message. 1>&2
echo This is not an error message.

If you redirect standard output of message_demo, error messages such as the one produced by the first echo appear on the screen because you have not redirected standard
error. Because standard output of a shell script is frequently redirected to another file,
you can use this technique to display on the screen any error messages generated by
the script. The lnks script (page 962) uses this technique. You can also use the exec
builtin to create additional file descriptors and to redirect standard input, standard
output, and standard error of a shell script from within the script (page 1007).
The Bourne Again Shell supports the redirection operators shown in Table 9-2.

Table 9-2   Redirection operators

Operator        Meaning
< filename      Redirects standard input from filename.
> filename      Redirects standard output to filename unless filename exists and noclobber
                (page 248) is set. If noclobber is not set, this redirection creates filename if it
                does not exist and overwrites it if it does exist.
>| filename     Redirects standard output to filename, even if the file exists and noclobber
                (page 248) is set.
>> filename     Redirects and appends standard output to filename unless filename exists and
                noclobber (page 248) is set. If noclobber is not set, this redirection creates
                filename if it does not exist.
&> filename     Redirects standard output and standard error to filename.
<&m             Duplicates standard input from file descriptor m (page 988).
[n]>&m          Duplicates standard output or file descriptor n if specified from file descriptor
                m (page 988).
[n]<&-          Closes standard input or file descriptor n if specified (page 988).
[n]>&-          Closes standard output or file descriptor n if specified.
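The redirections in this section and in Table 9-2, exercised in an added example that is not from the book: the same missing file x and existing file y (constructed in a temporary directory), the two orderings of 1> hold and 2>&1, the 1>&2 idiom of message_demo, and noclobber versus >|.

```bash
#!/bin/bash
# Added example (not from the book). Runs the book's "cat x y" scenario (x does
# not exist, y does) inside a temporary directory to show three things:
#   1. why "1> hold 2>&1" and "2>&1 1> hold" give different results,
#   2. how message_demo's "1>&2" keeps error text out of standard output,
#   3. how noclobber blocks ">" but not ">|" (Table 9-2).

# Run cat x y with the redirections in the order named by $1 and print the
# number of lines that ended up in hold.
redirect_order_lines() {
    local order=$1 tmp
    case $order in stdout-first|stderr-first) ;; *) return 2 ;; esac
    tmp=$(mktemp -d) || return 1
    printf 'This is y.\n' > "$tmp/y"           # y exists; x is never created
    case $order in
        # 1> hold first, then 2>&1: fd 2 becomes a copy of fd 1, which is hold,
        # so both the error for x and the text of y land in hold (2 lines).
        stdout-first) (cd "$tmp" && cat x y 1> hold 2>&1) ;;
        # 2>&1 first: fd 2 copies fd 1 while fd 1 is still the original output
        # (discarded here), then only fd 1 goes to hold (1 line).
        stderr-first) (cd "$tmp" && cat x y 2>&1 1> hold) > /dev/null ;;
    esac || :                                   # cat exits 1 because x is missing
    wc -l < "$tmp/hold" | tr -d ' '
    rm -rf "$tmp"
}

# The book's message_demo script as a function: first line to standard error.
message_demo() {
    echo 'This is an error message.' 1>&2
    echo 'This is not an error message.'
}
# Standard output only: standard error discarded.
message_demo_stdout() { message_demo 2> /dev/null; }
# Standard error only: 2>&1 comes first, so fd 2 points at the original
# standard output before fd 1 is sent to /dev/null (ordering again).
message_demo_stderr() { message_demo 2>&1 1> /dev/null; }

# With noclobber set, ">" refuses to overwrite an existing file but ">|" does
# not. Prints "<what > did>,<contents of hold after >|>".
noclobber_demo() {
    local tmp first second
    tmp=$(mktemp -d) || return 1
    printf 'original\n' > "$tmp/hold"
    # noclobber is set inside subshells so it does not leak into this shell.
    if ( set -o noclobber; printf 'changed\n' > "$tmp/hold" ) 2> /dev/null; then
        first=overwrote
    else
        first=blocked
    fi
    if ( set -o noclobber; printf 'changed\n' >| "$tmp/hold" ) 2> /dev/null; then
        second=$(cat "$tmp/hold")
    else
        second=blocked
    fi
    rm -rf "$tmp"
    printf '%s,%s\n' "$first" "$second"
}

# Results when this file is run directly, e.g.  bash redirect_demo.sh
printf 'lines in hold, 1> hold 2>&1 : %s\n' "$(redirect_order_lines stdout-first)"
printf 'lines in hold, 2>&1 1> hold : %s\n' "$(redirect_order_lines stderr-first)"
printf 'message_demo stderr only    : %s\n' "$(message_demo_stderr)"
printf 'noclobber: > then >|        : %s\n' "$(noclobber_demo)"
```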


WRITING A SIMPLE SHELL SCRIPT
A shell script is a file that holds commands that the shell can execute. The commands
in a shell script can be any commands you can enter in response to a shell prompt.
For example, a command in a shell script might run a Linux utility, a compiled program, or another shell script. Like the commands you give on the command line, a
command in a shell script can use ambiguous file references and can have its input or
output redirected from or to a file or sent through a pipe. You can also use pipes and
redirection with the input and output of the script itself.
In addition to the commands you would ordinarily use on the command line, control
flow commands (also called control structures) find most of their use in shell scripts.
This group of commands enables you to alter the order of execution of commands in
a script in the same way you would alter the order of execution of statements using a
structured programming language. Refer to "Control Structures" on page 954 for
specifics.
The shell interprets and executes the commands in a shell script, one after another.
Thus a shell script enables you to simply and quickly initiate a complex series of
tasks or a repetitive procedure.

chmod: MAKES A FILE EXECUTABLE
To execute a shell script by giving its name as a command, you must have permission
to read and execute the file that contains the script (refer to "Access Permissions" on
page 215). Read permission enables you to read the file that holds the script. Execute
permission tells the shell and the system that the owner, group, and/or public has
permission to execute the file; it implies that the content of the file is executable.
When you create a shell script using an editor, the file does not typically have its
execute permission set. The following example shows a file named whoson that
contains a shell script:
$ cat whoson
date
echo "Users Currently Logged In"
who

$ ./whoson
bash: ./whoson: Permission denied

You cannot execute whoson by giving its name as a command because you do not
have execute permission for the file. The shell does not recognize whoson as an executable file and issues the error message Permission denied when you try to execute it.
(See the tip on the next page if you get a command not found error message.) When
you give the filename as an argument to bash (bash whoson), bash takes the argument to be a shell script and executes it. In this case bash is executable and whoson is
an argument that bash executes so you do not need to have execute permission to
whoson. You must have read permission.

SHELL BASICS

$ Is -1 whoson
-nQ-w-r-1 max g r o u p 4 0 May 2 4 1 1 : 3 0

whoson

$ chmod u+x whoson
$ Is -1 whoson
-n^^w-r-1 max g r o u p 4 0 May 2 4 1 1 : 3 0

whoson

$ ./whoson
Mon May 2 5 1 1 : 4 0 : 4 9 PDT 2 0 1 0
Users C u r r e n t l y Logged I n
zach
pts/7
2010-05-23
his
pts/1
2010-05-24
sam
pts/12
2010-05-24
max
pts/4
2010-05-24

Figure 9-1

18
09
06
09

301

17
59
29 ( b r a v o . e x a m p l e . c o m )
08

Using chmod to make a shell script executable

The chmod utility changes the access privileges associated with a file. Figure 9-1
shows ls with the -l option displaying the access privileges of whoson before and
after chmod gives execute permission to the file's owner.
The first ls displays a hyphen (-) as the fourth character, indicating that the owner
does not have permission to execute the file. Next chmod gives the owner execute permission: u+x causes chmod to add (+) execute permission (x) for the owner (u). (The u
stands for user, although it means the owner of the file.) The second argument is the
name of the file. The second ls shows an x in the fourth position, indicating that the
owner has execute permission.

Command not found?
tip If you give the name of a shell script as a command without including the leading ./, the shell typically displays the following error message:
$ whoson
bash: whoson: command not found

This message indicates the shell is not set up to search for executable files in the working directory.
Give this command instead:
$ ./whoson

The ./ tells the shell explicitly to look for an executable file in the working directory. To change the
environment so the shell searches the working directory automatically, see the section about PATH
on page 319.
If other users will execute the file, you must also change group and/or public access
permissions for the file. Any user must have execute access to use the file's name as a
command. If the file is a shell script, the user trying to execute the file must have read
access to the file as well. You do not need read access to execute a binary executable
(compiled program).


The final command in Figure 9-1 shows the shell executing the file when its name is
given as a command. For more information refer to "Access Permissions" on page 215
as well as the discussions of ls (page 215) and chmod (page 216).

#! SPECIFIES A SHELL
You can put a special sequence of characters on the first line of a shell script to tell
the operating system which shell (or other program) should execute the file. Because
the operating system checks the initial characters of a program before attempting to
execute it using exec, these characters save the system from making an unsuccessful
attempt. If #! are the first two characters of a script, the system interprets the characters that follow as the absolute pathname of the utility that should execute the
script. This can be the pathname of any program, not just a shell. The following
example specifies that bash should run the script:
$ cat bash_script
#!/bin/bash
echo "This is a Bourne Again Shell script."

The #! characters are useful if you have a script that you want to run with a shell
other than the shell you are running the script from. The next example shows a
script that should be executed by tcsh (part of the tcsh package):
$ cat tcsh_script
#!/bin/tcsh
echo "This is a tcsh script."
set person = zach
echo "person is $person"

Because of the #! line, the operating system ensures that tcsh executes the script no
matter which shell you run it from.
You can use ps -f within a shell script to display the name of the shell that is executing the script. The three lines that ps displays in the following example show the
process running the parent bash shell, the process running the tcsh script, and the
process running the ps command:
$ cat tcsh_script2
#!/bin/tcsh
ps -f
$ ./tcsh_script2
UID        PID  PPID  C STIME TTY          TIME CMD
max       3031  3030  0 Nov16 pts/4    00:00:00 -bash
max       9358  3031  0 21:13 pts/4    00:00:00 /bin/tcsh ./tcsh_script2
max       9375  9358  0 21:13 pts/4    00:00:00 ps -f

If you do not follow #! with the name of an executable program, the shell reports that
it cannot find the command that you asked it to run. You can optionally follow #!
with SPACES. If you omit the #! line and try to run, for example, a tcsh script from bash,
the script will run under bash and may generate error messages or not run properly.


# BEGINS A COMMENT
Comments make shell scripts and all code easier to read and maintain by you and
others. If a hashmark (#) in the first character position of the first line of a script is
not immediately followed by an exclamation point (!) or if a hashmark occurs in
any other location in a script, the shell interprets it as the beginning of a comment.
The shell then ignores everything between the hashmark and the end of the line (the
next NEWLINE character).

EXECUTING A SHELL SCRIPT
fork and exec system calls   A command on the command line causes the shell to fork a new process, creating a
duplicate of the shell process (a subshell). The new process attempts to exec (execute) the command. Like fork, the exec routine is executed by the operating system
(a system call). If the command is a binary executable program, such as a compiled
C program, exec succeeds and the system overlays the newly created subshell with
the executable program. If the command is a shell script, exec fails. When exec fails,
the command is assumed to be a shell script, and the subshell runs the commands in
the script. Unlike a login shell, which expects input from the command line, the subshell takes its input from a file—namely, the shell script.
As discussed earlier, you can run commands in a shell script file that you do not
have execute permission for by using a bash command to exec a shell that runs the
script directly. In the following example, bash creates a new shell that takes its input
from the file named whoson:
$ bash whoson

Because the bash command expects to read a file containing commands, you do not
need execute permission for whoson. (You do need read permission.) Even though
bash reads and executes the commands in whoson, standard input, standard output,
and standard error remain directed from/to the terminal.
Although you can use bash to execute a shell script, this technique causes the script
to run more slowly than giving yourself execute permission and directly invoking the
script. Users typically prefer to make the file executable and run the script by typing
its name on the command line. It is also easier to type the name, and this practice is
consistent with the way other kinds of programs are invoked (so you do not need to
know whether you are running a shell script or an executable file). However, if bash
is not your interactive shell or if you want to see how the script runs with different
shells, you may want to run a script as an argument to bash or tcsh.

SEPARATING AND GROUPING COMMANDS
Whether you give the shell commands interactively or write a shell script, you must
separate commands from one another. This section reviews the ways to separate
commands that were covered in Chapter 7 and introduces a few new ones.

304

CHAPTER 9

THE BOURNE AGAIN SHELL

; AND NEWLINE SEPARATE COMMANDS
The NEWLINE character is a unique command separator because it initiates execution
of the command preceding it. You have seen this behavior throughout this book
each time you press the RETURN key at the end of a command line.
The semicolon (;) is a command separator that does not initiate execution of a command and does not change any aspect of how the command functions. You can execute a series of commands sequentially by entering them on a single command line
and separating each from the next with a semicolon (;). You initiate execution of the
sequence of commands by pressing RETURN:
$ x ; y ; z
If x , y, and z are commands, the preceding command line yields the same results as
the next three commands. The difference is that in the next example the shell issues
a prompt after each of the commands ( x , y, and z) finishes executing, whereas the
preceding command line causes the shell to issue a prompt only after z is complete:
$ x
$ y
$ z
Whitespace Although the whitespace around the semicolons in the earlier example makes the
command line easier to read, it is not necessary. None of the command separators
needs to be surrounded by SPACEs or TABs.

\ CONTINUES A COMMAND
When you enter a long command line and the cursor reaches the right side of the
screen, you can use a backslash (\) character to continue the command on the next
line. The backslash quotes, or escapes, the NEWLINE character that follows it so the
shell does not treat the NEWLINE as a command terminator. Enclosing a backslash
within single quotation marks or preceding it with another backslash turns off the
power of a backslash to quote special characters such as NEWLINE. Enclosing a backslash within double quotation marks has no effect on the power of the backslash.
Although you can break a line in the middle of a word (token), it is typically simpler
to break a line immediately before or after whitespace.
optional

You can enter a RETURN in the middle of a quoted string on a command line without
using a backslash. The NEWLINE (RETURN) you enter will then be part of the string:
$ echo "Please enter the three values
> required to complete the transaction."
Please enter the three values
required to complete the transaction.

In the three examples in this section, the shell does not interpret RETURN as a command
terminator because it occurs within a quoted string. The greater than (>) sign is a secondary prompt (PS2; page 322) indicating the shell is waiting for you to continue the


unfinished command. In the next example, the first RETURN is quoted (escaped) so the
shell treats it as a separator and does not interpret it literally.
$ echo "Please enter the three values \
> required to complete the transaction."
Please enter the three values required to complete the transaction.

Single quotation marks cause the shell to interpret a backslash literally:
$ echo 'Please enter the three values \
> required to complete the transaction.'
Please enter the three values \
required to complete the transaction.

| AND & SEPARATE COMMANDS AND DO SOMETHING ELSE
The pipe symbol (|) and the background task symbol (&) are also command separators. They do not start execution of a command but do change some aspect of
how the command functions. The pipe symbol alters the source of standard input
or the destination of standard output. The background task symbol causes the
shell to execute the task in the background and display a prompt immediately; you
can continue working on other tasks.
Each of the following command lines initiates a single job comprising three tasks:
$ x | y | z
$ ls -l | grep tmp | less

In the first job, the shell redirects standard output of task x to standard input of
task y and redirects y's standard output to z's standard input. Because it runs the
entire job in the foreground, the shell does not display a prompt until task z runs to
completion: Task z does not finish until task y finishes, and task y does not finish
until task x finishes. In the second job, task x is an ls -l command, task y is grep
tmp, and task z is the pager less. The shell displays a long (wide) listing of the files
in the working directory that contain the string tmp, piped through less.
The next command line executes tasks d and e in the background and task f in the
foreground:
$ d & e & f
[1] 14271
[2] 14272

The shell displays the job number between brackets and the PID number for each
process running in the background. It displays a prompt as soon as f finishes, which
may be before d or e finishes.
Before displaying a prompt for a new command, the shell checks whether any
background jobs have completed. For each completed job, the shell displays its
job number, the word Done, and the command line that invoked the job; the shell
then displays a prompt. When the job numbers are listed, the number of the last
job started is followed by a + character and the job number of the previous job is


followed by a - character. Other jobs are followed by a SPACE character. After running the last command, the shell displays the following lines before issuing a
prompt:
[1]-  Done                    d
[2]+  Done                    e

The next command line executes all three tasks as background jobs. The shell displays
a shell prompt immediately:
$ d & e & f &
[1] 14290
[2] 14291
[3] 14292

You can use pipes to send the output from one task to the next task and an ampersand (&) to run the entire job as a background task. Again the shell displays the
prompt immediately. The shell regards the commands joined by a pipe as a single
job. That is, it treats all pipes as single jobs, no matter how many tasks are connected with the pipe (|) symbol or how complex they are. The Bourne Again Shell
reports only one process in the background (although there are three):
$ d | e | f &
[1] 14295

optional

() GROUPS COMMANDS
You can use parentheses to group commands. The shell creates a copy of itself,
called a subshell, for each group. It treats each group of commands as a job and
creates a new process to execute each command (refer to "Process Structure" on
page 328 for more information on creating subshells). Each subshell (job) has its
own environment, meaning that it has its own set of variables whose values can
differ from those found in other subshells.
The following command line executes commands a and b sequentially in the background while executing c in the background. The shell displays a prompt immediately.
$ (a ; b) & c &
[1] 15520
[2] 15521

The preceding example differs from the earlier example d & e & f & in that tasks a
and b are initiated sequentially, not concurrently.
Similarly the following command line executes a and b sequentially in the background and, at the same time, executes c and d sequentially in the background. The
subshell running a and b and the subshell running c and d run concurrently. The
shell displays a prompt immediately.
$ (a ; b) & (c ; d) &
[1] 15528
[2] 15529


The next script copies one directory to another. The second pair of parentheses creates
a subshell to run the commands following the pipe. Because of these parentheses, the
output of the first tar command is available for the second tar command despite the
intervening cd command. Without the parentheses, the output of the first tar command
would be sent to cd and lost because cd does not process input from standard input.
The shell variables $1 and $2 represent the first and second command-line arguments
(page 997), respectively. The first pair of parentheses, which creates a subshell to run
the first two commands, allows users to call cpdir with relative pathnames. Without
them, the first cd command would change the working directory of the script (and consequently the working directory of the second cd command). With them, only the
working directory of the subshell is changed.
$ cat cpdir
(cd $1 ; tar -cf - . ) | (cd $2 ; tar -xvf - )
$ ./cpdir /home/max/sources /home/max/memo/biblio

The cpdir command line copies the files and directories in the /home/max/sources
directory to the directory named /home/max/memo/biblio. This shell script is
almost the same as using cp with the -r option. Refer to the cp and tar man pages for
more information.
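The same copy written as a function with the checks the one-line cpdir script above lacks. This is an added example, not the book's script; the names cpdir and cpdir_demo and the sample directory tree are chosen here. The one-liner leaves $1 and $2 unquoted and joins each cd to its tar with a semicolon, so a directory name containing a SPACE is split into several arguments, and a cd that fails still lets tar run, reading from or writing into whatever the working directory happens to be. The version below verifies both arguments first, quotes every expansion, and joins each cd to its tar with && so a subshell stops when its cd fails. Both cd commands still run in subshells, so the caller's working directory is untouched and relative pathnames work as in the original.

```shell
#!/bin/sh
# cpdir: copy the contents of directory $1 into directory $2 with two tar
# processes connected by a pipe, as in the book's one-liner.
# Added example; cpdir and cpdir_demo are names chosen here.
cpdir() {
    src=$1
    dst=$2
    # Reject anything that is not an existing directory before tar starts.
    if [ ! -d "$src" ]; then
        printf 'cpdir: %s: not a directory\n' "$src" >&2
        return 1
    fi
    if [ ! -d "$dst" ]; then
        printf 'cpdir: %s: not a directory\n' "$dst" >&2
        return 1
    fi
    # Quoting "$src" and "$dst" keeps names with SPACEs as one argument;
    # && stops each subshell if its cd fails instead of running tar anyway.
    (cd "$src" && tar -cf - .) | (cd "$dst" && tar -xf -)
}

# Build a constructed source tree in a temporary directory (names with
# SPACEs on purpose), copy it, and print what arrived so it can be checked.
cpdir_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src dir/sub" "$work/dst dir"
    printf 'hello\n' > "$work/src dir/sub/note.txt"
    cpdir "$work/src dir" "$work/dst dir" || return 1
    cat "$work/dst dir/sub/note.txt"
    rm -rf "$work"
}

# Show that the argument check fires: a missing source directory must fail
# before any tar process is started.
cpdir_rejects_missing() {
    if cpdir /nonexistent-cpdir-source /tmp 2>/dev/null; then
        echo fail
    else
        echo ok
    fi
}
```

The -v of the original's second tar is dropped so that the only output of cpdir_demo is the file it reads back; add it to the second tar if you want the member names listed as they are extracted.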

JOB CONTROL
A job is a command pipeline. You run a simple job whenever you give the shell a
command. For example, if you type date on the command line and press RETURN, you
have run a job. You can also create several jobs with multiple commands on a single
command line:
$ find . -print | sort | lpr & grep -l max /tmp/* > maxfiles &
[1] 18839
[2] 18876

The portion of the command line up to the first & is one job consisting of three processes connected by pipes: find, sort (page 168), and lpr (page 165). The second job is a
single process running grep. The trailing & characters put each job in the background,
so bash does not wait for them to complete before displaying a prompt.
Using job control you can move commands from the foreground to the background
(and vice versa), stop commands temporarily, and list all commands that are running in the background or stopped.

jobs: LISTS JOBS

The jobs builtin lists all background jobs. Following, the sleep command runs in the
background and creates a background job that jobs reports on:
$ sleep 60 &
[1] 7809
$ jobs
[1]+  Running                 sleep 60 &


fg: BRINGS A JOB TO THE FOREGROUND
The shell assigns a job number to each command you run in the background. For
each job run in the background, the shell lists the job number and PID number
immediately, just before it issues a prompt:
$ xclock &
[1] 1246
$ date &
[2] 1247
$ Tue Dec  7 11:44:40 PST 2010
[2]+  Done                    date
$ find /usr -name ace -print > findout &
[2] 1269
$ jobs
[1]-  Running                 xclock &
[2]+  Running                 find /usr -name ace -print > findout &

Job numbers, which are discarded when a job is finished, can be reused. When you
start or put a job in the background, the shell assigns a job number that is one more
than the highest job number in use.
In the preceding example, the jobs command lists the first job, xclock, as job 1. The
date command does not appear in the jobs list because it finished before jobs was
run. Because the date command was completed before find was run, the find command became job 2.
To move a background job to the foreground, use the fg builtin followed by the job
number. Alternatively, you can give a percent sign ( % ) followed by the job number
as a command. Either of the following commands moves job 2 to the foreground.
When you move a job to the foreground, the shell displays the command it is now
executing in the foreground.
$ fg 2
find /usr -name ace -print > findout
or
$ %2
find /usr -name ace -print > findout

You can also refer to a job by following the percent sign with a string that uniquely
identifies the beginning of the command line used to start the job. Instead of the
preceding command, you could have used either fg %find or fg %f because both
uniquely identify job 2. If you follow the percent sign with a question mark and a
string, the string can match any part of the command line. In the preceding example, fg %?ace also brings job 2 to the foreground.
Often the job you wish to bring to the foreground is the only job running in the
background or is the job that jobs lists with a plus (+). In these cases fg without an
argument brings the job to the foreground.


SUSPENDING A JOB
Pressing the suspend key (usually CONTROL-Z) immediately suspends (temporarily
stops) the job in the foreground and displays a message that includes the word
Stopped.
CONTROL-Z
[2]+  Stopped                 find /usr -name ace -print > findout

For more information refer to "Moving a Job from the Foreground to the Background" on page 255.

bg: SENDS A JOB TO THE BACKGROUND
To move the foreground job to the background, you must first suspend the job (above).
You can then use the bg builtin to resume execution of the job in the background.
$ bg
[2]+ find /usr -name ace -print > findout &

If a background job attempts to read from the terminal, the shell stops the program
and displays a message saying the job has been stopped. You must then move the
job to the foreground so it can read from the terminal.
$ (sleep 5; cat > mytext) &
[1] 1343
$ date
Tue Dec  7 11:58:20 PST 2010
[1]+  Stopped                 ( sleep 5; cat > mytext )
$ fg
( sleep 5; cat > mytext )
Remember to let the cat out!
CONTROL-D
$

In the preceding example, the shell displays the job number and PID number of the
background job as soon as it starts, followed by a prompt. Demonstrating that you
can give a command at this point, the user gives the command date and its output
appears on the screen. The shell waits until just before it issues a prompt (after date
has finished) to notify you that job 1 is stopped. When you give an fg command, the
shell puts the job in the foreground and you can enter the data the command is
waiting for. In this case the input needs to be terminated with CONTROL-D, which sends
an EOF (end of file) signal to the shell. The shell then displays another prompt.
The shell keeps you informed about changes in the status of a job, notifying you when
a background job starts, completes, or stops, perhaps because it is waiting for input
from the terminal. The shell also lets you know when a foreground job is suspended.
Because notices about a job being run in the background can disrupt your work, the
shell delays displaying these notices until just before it displays a prompt. You can set
notify (page 355) to cause the shell to display these notices without delay.


Figure 9-2 The directory structure in the examples

If you try to exit from a shell while jobs are stopped, the shell issues a warning and
does not allow you to exit. If you then use jobs to review the list of jobs or you immediately try to exit from the shell again, the shell allows you to exit. If huponexit
(page 355) is not set (the default), stopped and background jobs keep running in the
background. If it is set, the shell terminates the jobs.

MANIPULATING THE DIRECTORY STACK
The Bourne Again Shell allows you to store a list of directories you are working
with, enabling you to move easily among them. This list is referred to as a stack. It
is analogous to a stack of dinner plates: You typically add plates to and remove
plates from the top of the stack, so this type of stack is named a last in, first out
(LIFO) stack.

dirs: DISPLAYS THE STACK

The dirs builtin displays the contents of the directory stack. If you call dirs when the
directory stack is empty, it displays the name of the working directory:
$ dirs
~/literature

Figure 9-3 Creating a directory stack

Figure 9-4 Using pushd to change working directories

The dirs builtin uses a tilde (~) to represent the name of a user's home directory. The
examples in the next several sections assume that you are referring to the directory
structure shown in Figure 9-2.

pushd: PUSHES A DIRECTORY ON THE STACK
When you supply the pushd (push directory) builtin with one argument, it pushes the
directory specified by the argument on the stack, changes directories to the specified
directory, and displays the stack. The following example is illustrated in Figure 9-3:
$ pushd ../demo
~/demo ~/literature
$ pwd
/home/sam/demo
$ pushd ../names
~/names ~/demo ~/literature
$ pwd
/home/sam/names

When you use pushd without an argument, it swaps the top two directories on the
stack, makes the new top directory (which was the second directory) the new working directory, and displays the stack (Figure 9-4):
$ pushd
~/demo ~/names ~/literature
$ pwd
/home/sam/demo

Using pushd in this way, you can easily move back and forth between two directories. You can also use cd - to change to the previous directory, whether or not you
have explicitly created a directory stack. To access another directory in the stack,
call pushd with a numeric argument preceded by a plus sign. The directories in the
stack are numbered starting with the top directory, which is number 0. The following pushd command continues with the previous example, changing the working
directory to literature and moving literature to the top of the stack:
$ pushd +2
~/literature ~/demo ~/names
$ pwd
/home/sam/literature


Figure 9-5 Using popd to remove a directory from the stack

popd: POPS A DIRECTORY OFF THE STACK
To remove a directory from the stack, use the popd (pop directory) builtin. As the following example and Figure 9-5 show, without an argument, popd removes the top
directory from the stack and changes the working directory to the new top directory:
$ dirs
~/literature ~/demo ~/names
$ popd
~/demo ~/names
$ pwd
/home/sam/demo

To remove a directory other than the top one from the stack, use popd with a
numeric argument preceded by a plus sign. The following example removes directory number 1, demo. Removing a directory other than directory number 0 does
not change the working directory.
$ dirs
~/literature ~/demo ~/names
$ popd +1
~/literature ~/names

PARAMETERS AND VARIABLES
Variables Within a shell, a shell parameter is associated with a value that is accessible to the
user. There are several kinds of shell parameters. Parameters whose names consist of
letters, digits, and underscores are often referred to as shell variables, or simply
variables. A variable name must start with a letter or underscore, not with a number. Thus A76, MY_CAT, and X are valid variable names, whereas
69TH_STREET (starts with a digit) and MY-NAME (contains a hyphen) are not.
User-created variables Shell variables that you name and assign values to are user-created variables. You
can change the values of user-created variables at any time, or you can make them
readonly so that their values cannot be changed. You can also make user-created
variables global. A global variable (also called an environment variable) is available


to all shells and other programs you fork from the original shell. One naming convention is to use only uppercase letters for global variables and to use mixed-case or
lowercase letters for other variables. Refer to "Locality of Variables" on page 992
for more information on global variables.
To assign a value to a variable in the Bourne Again Shell, use the following syntax:
VARIABLE=value
There can be no whitespace on either side of the equal sign (=). An example assignment follows:
$ myvar=abc

The Bourne Again Shell permits you to put variable assignments on a command
line. This type of assignment creates a variable that is local to the command
shell—that is, the variable is accessible only from the program the command runs.
The my_script shell script displays the value of TEMPDIR. The following command
runs my_script with TEMPDIR set to /home/sam/temp. The echo builtin shows
that the interactive shell has no value for TEMPDIR after running my_script. If
TEMPDIR had been set in the interactive shell, running my_script in this manner
would have had no effect on its value.
$ cat my_script
echo $TEMPDIR
$ TEMPDIR=/home/sam/temp ./my_script
/home/sam/temp
$ echo $TEMPDIR

$

Keyword variables Keyword shell variables (or simply keyword variables) have special meaning to the
shell and usually have short, mnemonic names. When you start a shell (by logging
in, for example), the shell inherits several keyword variables from the environment.
Among these variables are HOME, which identifies your home directory, and
PATH, which determines which directories the shell searches and in what order to
locate commands that you give the shell. The shell creates and initializes (with
default values) other keyword variables when you start it. Still other variables do
not exist until you set them.
You can change the values of most keyword shell variables. It is usually not necessary to change the values of keyword variables initialized in the /etc/profile or
/etc/csh.cshrc systemwide startup files. If you need to change the value of a bash
keyword variable, do so in one of your startup files (page 293). Just as you can
make user-created variables global, so you can make keyword variables global—a
task usually done automatically in startup files. You can also make a keyword variable readonly.
Positional and special parameters The names of positional and special parameters do not resemble variable names.
Most of these parameters have one-character names (for example, 1, ?, and #) and


are referenced (as are all variables) by preceding the name with a dollar sign ($1, $?,
and $#). The values of these parameters reflect different aspects of your ongoing
interaction with the shell.
Whenever you give a command, each argument on the command line becomes the
value of a positional parameter (page 996). Positional parameters enable you to
access command-line arguments, a capability that you will often require when you
write shell scripts. The set builtin (page 998) enables you to assign values to positional parameters.
Other frequently needed shell script values, such as the name of the last command
executed, the number of command-line arguments, and the status of the most
recently executed command, are available as special parameters (page 994). You
cannot assign values to special parameters.

USER-CREATED VARIABLES
The first line in the following example declares the variable named person and
initializes it with the value max:
$ person=max
$ echo person
person
$ echo $person
max
Parameter substitution Because the echo builtin copies its arguments to standard output, you can use it to
display the values of variables. The second line of the preceding example shows that
person does not represent max. Instead, the string person is echoed as person. The
shell substitutes the value of a variable only when you precede the name of the variable with a dollar sign ($). Thus the command echo $person displays the value of
the variable person; it does not display $person because the shell does not pass
$person to echo as an argument. Because of the leading $, the shell recognizes that
$person is the name of a variable, substitutes the value of the variable, and passes
that value to echo. The echo builtin displays the value of the variable—not its
name—never "knowing" that you called it with a variable.

Quoting the $ You can prevent the shell from substituting the value of a variable by quoting the
leading $. Double quotation marks do not prevent the substitution; single quotation
marks or a backslash (\) do.
$ echo $person
max
$ echo "$person"
max
$ echo '$person'
$person
$ echo \$person
$person


SPACES Because they do not prevent variable substitution but do turn off the special meanings of most other characters, double quotation marks are useful when you assign
values to variables and when you use those values. To assign a value that contains
SPACEs or TABs to a variable, use double quotation marks around the value. Although
double quotation marks are not required in all cases, using them is a good habit.
$ person="max and zach"
$ echo $person
max and zach
$ person=max and zach
bash: and: command not found
When you reference a variable whose value contains TABs or multiple adjacent SPACEs,
you need to use quotation marks to preserve the spacing. If you do not quote the
variable, the shell collapses each string of blank characters into a single SPACE before
passing the variable to the utility:
$ person="max       and    zach"
$ echo $person
max and zach
$ echo "$person"
max       and    zach

Pathname expansion in assignments When you execute a command with a variable as an argument, the shell replaces the
name of the variable with the value of the variable and passes that value to the program being executed. If the value of the variable contains a special character, such
as * or ?, the shell may expand that variable.

The first line in the following sequence of commands assigns the string max* to the
variable memo. The Bourne Again Shell does not expand the string because bash
does not perform pathname expansion (page 256) when it assigns a value to a variable. All shells process a command line in a specific order. Within this order bash
expands variables before it interprets commands. In the following echo command
line, the double quotation marks quote the asterisk (*) in the expanded value of
$memo and prevent bash from performing pathname expansion on the expanded
memo variable before passing its value to the echo command:
$ memo=max*
$ echo "$memo"
max*
All shells interpret special characters as special when you reference a variable that
contains an unquoted special character. In the following example, the shell expands
the value of the memo variable because it is not quoted:
$ ls
max.report
max.summary
$ echo $memo
max.report max.summary


Here the shell expands the $memo variable to max*, expands max* to max.report
and max.summary, and passes these two values to echo.

optional

Braces The $VARIABLE syntax is a special case of the more general syntax ${VARIABLE},
in which the variable name is enclosed by {}. The braces insulate the variable name
from adjacent characters. Braces are necessary when catenating a variable value
with a string:
$ PREF=counter
$ WAY=$PREFclockwise
$ FAKE=$PREFfeit
$ echo $WAY $FAKE

The preceding example does not work as planned. Only a blank line is output
because, although the symbols PREFclockwise and PREFfeit are valid variable
names, they are not set. By default bash evaluates an unset variable as an empty
(null) string and displays this value. To achieve the intent of these statements, refer
to the PREF variable using braces:
$ PREF=counter
$ WAY=${PREF}clockwise
$ FAKE=${PREF}feit
$ echo $WAY $FAKE
counterclockwise counterfeit
The Bourne Again Shell refers to the arguments on its command line by position,
using the special variables $1, $2, $3, and so forth up to $9. If you wish to refer to
arguments past the ninth argument, you must use braces: ${10}. The name of the
command is held in $0 (page 997).
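The three quoting rules from the last few pages (double quotation marks preserve spacing, an unquoted value that contains * is subject to pathname expansion, and braces delimit a variable name) as functions you can run. This is an added example, not from the book; SAMPLE, the function names and the scratch directory with max.report and max.summary are constructed here. Each function prints what the command on its last line actually receives, so the effect of the quotes can be checked rather than read off a screen.

```shell
#!/bin/sh
# Added example: what reaches a command with and without quoting.

# A constructed value with runs of SPACEs, like the "max and zach" example.
SAMPLE='max    and    zach'

# $1 is deliberately unquoted inside this function, so the shell splits the
# value on whitespace (collapsing the runs of SPACEs) before set sees it.
count_unquoted() {
    set -- $1
    echo "$#"
}

# The same value quoted: it arrives as one argument, spacing intact.
count_quoted() {
    set -- "$1"
    echo "$#"
}

# Run "$@" from a scratch directory holding max.report and max.summary.
# The cd happens in a subshell, so the caller's working directory is kept.
with_max_files() {
    dir=$(mktemp -d) || return 1
    : > "$dir/max.report"
    : > "$dir/max.summary"
    (cd "$dir" && "$@")
    status=$?
    rm -rf "$dir"
    return $status
}

# memo=max* unquoted: the shell expands it against the files in the
# working directory and echo receives two arguments.
glob_unquoted() {
    with_max_files sh -c 'memo="max*"; echo $memo'
}

# memo=max* quoted: echo receives the literal string max*.
glob_quoted() {
    with_max_files sh -c 'memo="max*"; echo "$memo"'
}

# $PREFclockwise names the (unset) variable PREFclockwise, which expands to
# nothing; the brackets make the empty result visible.
without_braces() {
    PREF=counter
    echo "[$PREFclockwise]"
}

# ${PREF}clockwise catenates the value of PREF with the string.
with_braces() {
    PREF=counter
    echo "${PREF}clockwise"
}
```

When a variable holds a value that arrives from outside the script (a command-line argument, a filename, a line read from input), the unquoted forms shown by count_unquoted and glob_unquoted are the ones that turn a single value into several arguments or into a list of matching filenames; quoting the expansion, as count_quoted and glob_quoted do, passes it through as written. Running a script with set -u turns the silent empty expansion in without_braces into an error, which is usually what you want in a script.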

unset: REMOVES A VARIABLE
Unless you remove a variable, it exists as long as the shell in which it was created
exists. To remove the value of a variable but not the variable itself, assign a null
value to the variable:
$ person=
$ echo $person

$
You can remove a variable using the unset builtin. The following command removes
the variable person:
$ unset person


VARIABLE ATTRIBUTES
This section discusses attributes and explains how to assign them to variables.

readonly: MAKES THE VALUE OF A VARIABLE PERMANENT

You can use the readonly builtin to ensure that the value of a variable cannot be
changed. The next example declares the variable person to be readonly. You must
assign a value to a variable before you declare it to be readonly; you cannot change
its value after the declaration. When you attempt to unset or change the value of a
readonly variable, the shell displays an error message:
$ person=zach
$ echo $person
zach
$ readonly person
$ person=helen
bash: person: readonly variable

If you use the readonly builtin without an argument, it displays a list of all readonly
shell variables. This list includes keyword variables that are automatically set as readonly as well as keyword or user-created variables that you have declared as readonly.
See page 318 for an example (readonly and declare -r produce the same output).

declare AND typeset: ASSIGN ATTRIBUTES TO VARIABLES

The declare and typeset builtins (two names for the same command) set attributes
and values for shell variables. Table 9-3 lists five of these attributes.

Table 9-3 Variable attributes (typeset or declare)

Attribute   Meaning
-a          Declares a variable as an array (page 990)
-f          Declares a variable to be a function name (page 349)
-i          Declares a variable to be of type integer (page 318)
-r          Makes a variable readonly; also readonly (page 317)
-x          Exports a variable (makes it global); also export (page 992)

The following commands declare several variables and set some attributes. The first
line declares person1 and assigns it a value of max. This command has the same
effect with or without the word declare.
$ declare person1=max
$ declare -r person2=zach
$ declare -rx person3=helen
$ declare -x person4


The readonly and export builtins are synonyms for the commands declare -r and
declare -x, respectively. You can declare a variable without assigning a value to it,
as the preceding declaration of the variable person4 illustrates. This declaration
makes person4 available to all subshells (i.e., makes it global). Until an assignment
is made to the variable, it has a null value.
You can list the options to declare separately in any order. The following is equivalent
to the preceding declaration of person3:
$ declare -x -r person3=helen

Use the + character in place of - when you want to remove an attribute from a variable. You cannot remove the readonly attribute. After the following command is
given, the variable person3 is no longer exported but it is still readonly.
$ declare +x person3

You can use typeset instead of declare.
Listing variable Without any arguments or options, d e c l a r e lists all shell variables. The same list is
attributes output when you run s e t (page 9 9 8 ) without any arguments.
If you use a declare builtin with options but no variable names as arguments, the
command lists all shell variables that have the indicated attributes set. For example,
the command declare -r displays a list of all readonly shell variables. This list is the
same as that produced by the readonly command without any arguments. After the
declarations in the preceding example have been given, the results are as follows:
$ declare -r
declare -ar BASH_VERSINFO='([0]="3" [1]="2" [2]="39" [3]="1" ...)'
declare -ir EUID="500"
declare -ir PPID="936"
declare -r SHELLOPTS="braceexpand:emacs:hashall:histexpand:history:...
declare -ir UID="500"
declare -r person2="zach"
declare -rx person3="helen"

The first five entries are keyword variables that are automatically declared as readonly. Some of these variables are stored as integers (-i). The -a option indicates that
BASH_VERSINFO is an array variable; the value of each element of the array is
listed to the right of an equal sign.
Integer By default the values of variables are stored as strings. When you perform arithmetic on a string variable, the shell converts the variable into a number, manipulates
it, and then converts it back to a string. A variable with the integer attribute is
stored as an integer. Assign the integer attribute as follows:
$ declare -i COUNT
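An added example, not from the book, that exercises these attributes from a script. Each function runs a short bash script (declare is a bash builtin) and prints what the attribute did, so the effect of -i, -r, -x and +x can be checked rather than read off a listing. The variable names follow the ones used above; the wrapper around the bash calls is plain POSIX sh, and the presence of bash and sh on the system is assumed.

```shell
# Added example, not from the book: each function runs a short bash script
# (declare is a bash builtin) and prints what the attribute did.

# -i: the right-hand side of an assignment is evaluated as arithmetic.
integer_attr() {
    bash -c 'declare -i count=7; count=count*6; printf "%s\n" "$count"'
}

# Without -i the same assignment stores the literal string "count*6".
string_attr() {
    bash -c 'count=7; count=count*6; printf "%s\n" "$count"'
}

# -r: a later assignment is rejected with "readonly variable" and the
# original value survives. The attempt is made in a subshell so that a
# shell which treats the error as fatal still reaches the printf.
readonly_attr() {
    bash -c 'declare -r person2=zach
             (person2=max) 2>/dev/null
             printf "%s\n" "$person2"'
}

# -x makes the variable visible to child processes; +x takes that back.
# A child sh reports "unset" when the variable is absent from its environment.
export_toggle() {
    bash -c 'declare -x person3=helen
             before=$(sh -c "printf %s \"\${person3-unset}\"")
             declare +x person3
             after=$(sh -c "printf %s \"\${person3-unset}\"")
             printf "%s %s\n" "$before" "$after"'
}

# declare -p shows attributes and value in the same form as the listing above.
show_attrs() {
    bash -c 'declare -rx person3=helen; declare -p person3'
}
```

Call any of the functions to see its result; integer_attr prints 42, string_attr prints count*6, and export_toggle prints "helen unset", the second word showing that the child started after declare +x no longer received person3.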

KEYWORD VARIABLES
Keyword variables either are inherited or are declared and initialized by the shell
when it starts. You can assign values to these variables from the command line or
from a startup file. Typically you want these variables to apply to all subshells you
start as well as to your login shell. For those variables not automatically exported
by the shell, you must use export (page 992) to make them available to child shells.

HOME: YOUR HOME DIRECTORY
By default your home directory is the working directory when you log in. Your
home directory is established when your account is set up; its name is stored in the
/etc/passwd file.
$ grep sam /etc/passwd
sam:x:501:501:Sam S. x301:/home/sam:/bin/bash

When you log in, the shell inherits the pathname of your home directory and assigns
it to the variable HOME. When you give a cd command without an argument, cd
makes the directory whose name is stored in HOME the working directory:
$ pwd
/home/max/laptop
$ echo $HOME
/home/max
$ cd
$ pwd
/home/max

This example shows the value of the HOME variable and the effect of the cd
builtin. After you execute cd without an argument, the pathname of the working
directory is the same as the value of HOME: your home directory.
Tilde (~) The shell uses the value of HOME to expand pathnames that use the shorthand
tilde (~) notation (page 206) to denote a user's home directory. The following example uses echo to display the value of this shortcut and then uses ls to list the files in
Max's laptop directory, which is a subdirectory of his home directory:
$ echo ~
/home/max
$ ls ~/laptop
tester  count  lineup

PATH: WHERE THE SHELL LOOKS FOR PROGRAMS
When you give the shell an absolute or relative pathname rather than a simple filename as a command, it looks in the specified directory for an executable file with
the specified filename. If the file with the pathname you specified does not exist, the
shell reports command not found. If the file exists as specified but you do not have
execute permission for it, or in the case of a shell script you do not have read and
execute permission for it, the shell reports Permission denied.
If you give a simple filename as a command, the shell searches through certain
directories (your search path) for the program you want to execute. It looks in several directories for a file that has the same name as the command and that you have
execute permission for (a compiled program) or read and execute permission for (a
shell script). The PATH shell variable controls this search.


The default value of PATH is determined when bash is compiled. It is not set in a
startup file, although it may be modified there. Normally the default specifies that
the shell search several system directories used to hold common commands. These
system directories include /bin and /usr/bin and other directories appropriate to the
local system. When you give a command, if the shell does not find the executable—and, in the case of a shell script, readable—file named by the command in
any of the directories listed in PATH, the shell generates one of the aforementioned
error messages.
Working directory The PATH variable specifies the directories in the order the shell should search
them. Each directory must be separated from the next by a colon. The following
command sets PATH so that a search for an executable file starts with the
/usr/local/bin directory. If it does not find the file in this directory, the shell looks
next in /bin, and then in /usr/bin. If the search fails in those directories, the shell
looks in the ~/bin directory, a subdirectory of the user's home directory. Finally the
shell looks in the working directory. Exporting PATH makes its value accessible to
subshells:
$ export PATH=/usr/local/bin:/bin:/usr/bin:~/bin:

A null value in the string indicates the working directory. In the preceding example,
a null value (nothing between the colon and the end of the line) appears as the last
element of the string. The working directory is represented by a leading colon (not
recommended; see the following security tip), a trailing colon (as in the example), or
two colons next to each other anywhere in the string. You can also represent the
working directory explicitly with a period (.).
Because Linux stores many executable files in directories named bin (binary), users
typically put their own executable files in their own ~/bin directories. If you put your
own bin directory at the end of your PATH, as in the preceding example, the shell
looks there for any commands that it cannot find in directories listed earlier in PATH.

PATH and security
security Do not put the working directory first in PATH when security is a concern. If you are working as
root, you should never put the working directory first in PATH. It is common for root's PATH to
omit the working directory entirely. You can always execute a file in the working directory by
prepending ./ to the name: ./myprog.
Putting the working directory first in PATH can create a security hole. Most people type ls as the
first command when entering a directory. If the owner of a directory places an executable file
named ls in the directory, and the working directory appears first in a user's PATH, the user giving
an ls command from the directory executes the ls program in the working directory instead of the
system ls utility, possibly with undesirable results.
If you want to add directories to PATH, you can reference the old value of the
PATH variable in setting PATH to a new value (but see the preceding security tip).
The following command adds /usr/local/bin to the beginning of the current PATH
and the bin directory in the user's home directory (~/bin) to the end:
$ PATH=/usr/local/bin:$PATH:~/bin
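As an added example that is not from the book, the following POSIX sh function checks a PATH value for the entries the security tip warns about: a working-directory element (an empty element from a leading, trailing or doubled colon, or a period) and a relative directory, which is also resolved against the working directory. It goes one step beyond the tip by also reporting an absolute directory that other users can write to, since such a directory lets someone else plant the ls of the tip's scenario. The PATH string is passed as an argument, so the caller's own PATH is never modified; SAMPLE_PATH is a constructed value with the tilde already expanded.

```shell
# Added example, not from the book: report PATH entries that let another
# user decide which program runs. Prints one finding per line and returns
# nonzero when anything was found.
audit_path() {
    rest="$1:"        # sentinel colon so the last element is handled like the rest
    pos=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text up to the first colon
        rest=${rest#*:}       # drop that element and its colon
        pos=$((pos + 1))
        case $entry in
            '' | .)
                # An empty element (leading, trailing or doubled colon) or a
                # period means the working directory is searched at this position.
                printf 'entry %d: working directory (%s)\n' "$pos" "${entry:-empty element}"
                findings=$((findings + 1))
                ;;
            /*)
                # Character 9 of the ls mode string is the other-write bit;
                # -L follows a symbolic link so the target directory is checked.
                if [ -d "$entry" ] && [ "$(ls -ldL "$entry" | cut -c9)" = w ]; then
                    printf 'entry %d: %s is writable by other users\n' "$pos" "$entry"
                    findings=$((findings + 1))
                fi
                ;;
            *)
                # A relative directory is resolved against the working directory too.
                printf 'entry %d: relative directory %s\n' "$pos" "$entry"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the book's example PATH with ~/bin already expanded
# and the trailing colon that puts the working directory last.
SAMPLE_PATH='/usr/local/bin:/bin:/usr/bin:/home/max/bin:'
```

Running audit_path "$SAMPLE_PATH" reports only the fifth, empty element; audit_path "$PATH" run in a login shell is the practical use, and a clean PATH produces no output and a zero exit status.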

MAIL: WHERE YOUR MAIL IS KEPT
The MAIL variable contains the pathname of the file that holds your mail (your
mailbox, usually /var/mail/name, where name is your username). If MAIL is set
and MAILPATH (next) is not set, the shell informs you when mail arrives in the file
specified by MAIL. In a graphical environment you can unset MAIL so the shell
does not display mail reminders in a terminal emulator window (assuming you are
using a graphical mail program).
The MAILPATH variable contains a list of filenames separated by colons. If this
variable is set, the shell informs you when any one of the files is modified (for
example, when mail arrives). You can follow any of the filenames in the list with a
question mark (?), followed by a message. The message replaces the you have mail
message when you receive mail while you are logged in.
The MAILCHECK variable specifies how often, in seconds, the shell checks for new
mail. The default is 60 seconds. If you set this variable to zero, the shell checks
before each prompt.

PS1: USER PROMPT (PRIMARY)
The default Bourne Again Shell prompt is a dollar sign ($). When you run bash with
root privileges, bash typically displays a hashmark (#) prompt. The PS1 variable
holds the prompt string that the shell uses to let you know that it is waiting for a
command. When you change the value of PS1, you change the appearance of your
prompt.
You can customize the prompt displayed by PS1. For example, the assignment
$ PS1="[\u@\h \W \!]$ "

displays the following prompt:
[user@host directory event]$

where user is the username, host is the hostname up to the first period, directory is
the basename of the working directory, and event is the event number (page 331) of
the current command.
If you are working on more than one system, it can be helpful to incorporate the
system name into your prompt. For example, you might change the prompt to the
name of the system you are using, followed by a colon and a SPACE (a SPACE at the end
of the prompt makes the commands you enter after the prompt easier to read). This
command uses command substitution (page 362) in the string assigned to PS1:
$ PS1="$(hostname): "
bravo.example.com: echo test
test
bravo.example.com:


The first example that follows changes the prompt to the name of the local host, a
SPACE, and a dollar sign (or, if the user is running with root privileges, a hashmark).
The second example changes the prompt to the time followed by the name of the
user. The third example changes the prompt to the one used in this book (a hashmark for root and a dollar sign otherwise):
$ PS1='\h \$ '
bravo $
$ PS1='\@ \u $ '
09:44 PM max $
$ PS1='\$ '
$

Table 9-4 describes some of the symbols you can use in PS1. For a complete list of special characters you can use in the prompt strings, open the bash man page and search
for the second occurrence of PROMPTING (give the command /PROMPTING and
then press n).

Table 9-4   PS1 symbols

Symbol   Display in prompt
\$       # if the user is running with root privileges; otherwise, $
\w       Pathname of the working directory
\W       Basename of the working directory
\!       Current event (history) number (page 335)
\d       Date in Weekday Month Date format
\h       Machine hostname, without the domain
\H       Full machine hostname, including the domain
\u       Username of the current user
\@       Current time of day in 12-hour AM/PM format
\T       Current time of day in 12-hour HH:MM:SS format
\A       Current time of day in 24-hour HH:MM format
\t       Current time of day in 24-hour HH:MM:SS format

PS2: USER PROMPT (SECONDARY)
The PS2 variable holds the secondary prompt. On the first line of the next example,
an unclosed quoted string follows echo. The shell assumes the command is not finished and, on the second line, gives the default secondary prompt (>). This prompt
indicates the shell is waiting for the user to continue the command line. The shell
waits until it receives the quotation mark that closes the string. Only then does it
execute the command:

$ echo "demonstration of prompt string
> 2"
demonstration of prompt string
2
$ PS2="secondary prompt: "
$ echo "this demonstrates
secondary prompt: prompt string 2"
this demonstrates
prompt string 2
The second command changes the secondary prompt to secondary prompt: followed by a SPACE. A multiline echo demonstrates the new prompt.
PS3: MENU PROMPT
The PS3 variable holds the menu prompt for the select control structure (page 984).
PS4: DEBUGGING PROMPT
The PS4 variable holds the bash debugging symbol (page 966).
IFS: SEPARATES INPUT FIELDS (WORD SPLITTING)
The IFS (Internal Field Separator) shell variable specifies the characters you can use
to separate arguments on a command line. It has the default value of SPACE TAB NEWLINE.
Regardless of the value of IFS, you can always use one or more SPACE or TAB characters to separate arguments on the command line, provided these characters are not
quoted or escaped. When you assign IFS character values, these characters can also
separate fields—but only if they undergo expansion. This type of interpretation of
the command line is called word splitting.

Be careful when changing IFS
caution Changing IFS has a variety of side effects, so work cautiously. You may find it useful to save the
value of IFS before changing it. Then you can easily restore the original value if you get unexpected
results. Alternatively, you can fork a new shell with a bash command before experimenting with
IFS; if you get into trouble, you can exit back to the old shell, where IFS is working properly.
The following example demonstrates how setting IFS can affect the interpretation
of a command line:
$ a=w:x:y:z
$ cat $a
cat: w:x:y:z: No such file or directory
$ IFS=":"
$ cat $a
cat: w: No such file or directory
cat: x: No such file or directory
cat: y: No such file or directory
cat: z: No such file or directory


The first time cat is called, the shell expands the variable a, interpreting the string
w:x:y:z as a single word to be used as the argument to cat. The cat utility cannot
find a file named w:x:y:z and reports an error for that filename. After IFS is set to a
colon (:), the shell expands the variable a into four words, each of which is an argument to cat. Now cat reports errors for four files: w, x, y, and z. Word splitting
based on the colon (:) takes place only after the variable a is expanded.
The shell splits all expanded words on a command line according to the separating
characters found in IFS. When there is no expansion, there is no splitting. Consider
the following commands:
$ IFS="p"
$ export VAR

Although IFS is set to p, the p on the export command line is not expanded, so the
word export is not split.
The following example uses variable expansion in an attempt to produce an export
command:
$ IFS="p"
$ aa=export
$ echo $aa
ex ort
This time expansion occurs, so the character p in the token export is interpreted as
a separator (as the echo command shows). Now when you try to use the value of
the aa variable to export the VAR variable, the shell parses the $aa VAR command
line as ex ort VAR. The effect is that the command line starts the ex editor with two
filenames: ort and VAR.
$ $aa VAR
2 files to edit
"ort" [New File]
Entering Ex mode.  Type "visual" to go to Normal mode.
:q
E173: 1 more file to edit
:q
$

If you unset IFS, only SPACES and TABs work as field separators.

Multiple separator characters
tip Although the shell treats sequences of multiple SPACE or TAB characters as a single separator, it
treats each occurrence of another field-separator character as a separator.
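An added POSIX sh example, not from the book, that puts the points above to work in a script: splitting happens only on an expansion, an IFS assignment can be scoped to a single read command, and code that must change IFS for longer should save and restore it, or run in a subshell, as the caution recommends. The record being split is a constructed line in /etc/passwd format, not a real account.

```shell
# Added example, not from the book: IFS handling a script can rely on.

# Constructed sample record in /etc/passwd format (not a real account).
SAMPLE_RECORD='sam:x:501:501:Sam S. x301:/home/sam:/bin/bash'

# No expansion, no splitting: a literal word is passed whole even though it
# contains the separator. The function body is a subshell, so its IFS change
# dies with it (the "fork a new shell" approach from the caution above).
no_expansion_no_split() (
    IFS=:
    printf '%s\n' 'a:b:c'
)

# The same string held in a variable and expanded unquoted is split into
# three words, which printf prints on three lines.
expansion_is_split() (
    IFS=:
    value='a:b:c'
    printf '%s\n' $value
)

# Scoping IFS to one command: the assignment prefix applies to read only,
# so the caller's IFS is untouched. The GECOS field keeps its spaces because
# only the colon is a separator here.
passwd_fields() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    printf '%s %s %s\n' "$name" "$uid" "$shell"
}

# Changing IFS for a block of code: save it first, remembering whether it
# was set at all. Restoring an unset IFS as an empty string would silently
# disable word splitting for the rest of the script.
count_fields() {
    if [ -n "${IFS+set}" ]; then saved_ifs=$IFS; else unset saved_ifs; fi
    IFS=:
    set -- $1             # unquoted expansion: split on colons only
    if [ -n "${saved_ifs+set}" ]; then IFS=$saved_ifs; else unset IFS; fi
    printf '%d\n' "$#"
}
```

passwd_fields "$SAMPLE_RECORD" prints "sam 501 /bin/bash" and count_fields "$SAMPLE_RECORD" prints 7; the "Sam S. x301" field stays in one piece because SPACE is no longer in IFS while the colon is.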

CDPATH: BROADENS THE SCOPE OF cd
The CDPATH variable allows you to use a simple filename as an argument to the cd
builtin to change the working directory to a directory other than a child of the
working directory. If you have several directories you typically work out of, this

PARAMETERS AND VARIABLES

325

variable can speed things up and save you the tedium of using cd with longer pathnames to switch among them.
When CDPATH is not set and you specify a simple filename as an argument to cd, cd
searches the working directory for a subdirectory with the same name as the argument. If the subdirectory does not exist, cd displays an error message. When
CDPATH is set, cd searches for an appropriately named subdirectory in the directories in the CDPATH list. If it finds one, that directory becomes the working directory.
With CDPATH set, you can use cd and a simple filename to change the working
directory to a child of any of the directories listed in CDPATH.
The CDPATH variable takes on the value of a colon-separated list of directory
pathnames (similar to the PATH variable). It is usually set in the ~/.bash_profile
startup file with a command line such as the following:
export CDPATH=$HOME:$HOME/literature
This command causes cd to search your home directory, the literature directory, and
then the working directory when you give a cd command. If you do not include the
working directory in CDPATH, cd searches the working directory if the search of
all the other directories in CDPATH fails. If you want cd to search the working
directory first, include a null string, represented by two colons (::), as the first entry
in CDPATH:
export CDPATH=::$HOME:$HOME/literature
If the argument to the cd builtin is an absolute pathname—one starting with a slash
(/)—the shell does not consult CDPATH.
KEYWORD VARIABLES: A SUMMARY
Table 9-5 presents a list of bash keyword variables.

Table 9-5   bash keyword variables

Variable         Value
BASH_ENV         The pathname of the startup file for noninteractive shells (page 294)
CDPATH           The cd search path (page 324)
COLUMNS          The width of the display used by select (page 983)
FCEDIT           The name of the editor that fc uses by default (page 334)
HISTFILE         The pathname of the file that holds the history list (default: ~/.bash_history; page 330)
HISTFILESIZE     The maximum number of entries saved in HISTFILE (default: 500; page 330)
HISTSIZE         The maximum number of entries saved in the history list (default: 500; page 330)
HOME             The pathname of the user's home directory (page 319); used as the default argument for cd and in tilde expansion (page 206)
IFS              Internal Field Separator (page 323); used for word splitting (page 363)
INPUTRC          The pathname of the Readline startup file (default: ~/.inputrc; page 343)
LANG             The locale category when that category is not specifically set with an LC_* variable
LC_*             A group of variables that specify locale categories including LC_COLLATE, LC_CTYPE, LC_MESSAGES, and LC_NUMERIC; use the locale builtin to display a complete list with values
LINES            The height of the display used by select (page 983)
MAIL             The pathname of the file that holds a user's mail (page 321)
MAILCHECK        How often, in seconds, bash checks for mail (page 321)
MAILPATH         A colon-separated list of file pathnames that bash checks for mail in (page 321)
PATH             A colon-separated list of directory pathnames that bash looks for commands in (page 319)
PROMPT_COMMAND   A command that bash executes just before it displays the primary prompt
PS1              Prompt String 1; the primary prompt (page 321)
PS2              Prompt String 2; the secondary prompt (default: "> "; page 322)
PS3              The prompt issued by select (page 983)
PS4              The bash debugging symbol (page 966)
REPLY            Holds the line that read accepts (page 1004); also used by select (page 983)

SPECIAL CHARACTERS
Table 9-6 lists most of the characters that are special to the bash shell.
Table 9-6   Shell special characters

Character          Use
NEWLINE            Initiates execution of a command (page 304)
;                  Separates commands (page 304)
( )                Groups commands (page 306) for execution by a subshell or identifies a function (page 349)
(( ))              Expands an arithmetic expression (page 360)
&                  Executes a command in the background (pages 254 and 305)
|                  Sends standard output of the preceding command to standard input of the following command (pipe; page 305)
>                  Redirects standard output (page 246)
>>                 Appends standard output (page 249)
<                  Redirects standard input (page 247)
<<                 Here document (page 985)
*                  Any string of zero or more characters in an ambiguous file reference (page 257)
?                  Any single character in an ambiguous file reference (page 256)
\                  Quotes the following character (page 160)
' '                Quotes a string, preventing all substitution (page 160)
" "                Quotes a string, allowing only variable and command substitution (pages 160 and 314)
` `                Performs command substitution (page 362)
[ ]                Character class in an ambiguous file reference (page 259)
$                  References a variable (page 312)
. (dot builtin)    Executes a command (page 296)
#                  Begins a comment (page 303)
{ }                Surrounds the contents of a function (page 349)
: (null builtin)   Returns true (page 1011)
&& (Boolean AND)   Executes command on right only if command on left succeeds (returns a zero exit status; page 1022)
|| (Boolean OR)    Executes command on right only if command on left fails (returns a nonzero exit status; page 1022)
! (Boolean NOT)    Reverses exit status of a command
$( )               Performs command substitution (preferred form; page 362)
[ ]                Evaluates an arithmetic expression (page 360)


PROCESSES
A process is the execution of a command by the Linux kernel. The shell that starts
when you log in is a command, or a process, like any other. When you give the
name of a Linux utility on the command line, you initiate a process. When you run
a shell script, another shell process is started and additional processes are created
for each command in the script. Depending on how you invoke the shell script, the
script is run either by the current shell or, more typically, by a subshell (child) of the
current shell. A process is not started when you run a shell builtin, such as cd.

PROCESS STRUCTURE
fork system call Like the file structure, the process structure is hierarchical, with parents, children,
and even a root. A parent process forks a child process, which in turn can fork other
processes. (The term fork indicates that, as with a fork in the road, one process
turns into two. Initially the two forks are identical except that one is identified as
the parent and one as the child. You can also use the term spawn; the words are
interchangeable.) The operating system routine, or system call, that creates a new
process is named fork().
When Linux begins execution when a system is started, it starts init, a single process
called a spontaneous process, with PID number 1. This process holds the same position in the process structure as the root directory does in the file structure: It is the
ancestor of all processes the system and users work with. When a command-line
system is in multiuser mode, init runs getty or mingetty processes, which display
login: prompts on terminals. When a user responds to the prompt and presses
RETURN, getty hands control over to a utility named login, which checks the username
and password combination. After the user logs in, the login process becomes the
user's shell process.

PROCESS IDENTIFICATION
PID numbers Linux assigns a unique PID (process identification) number at the inception of each
process. As long as a process exists, it keeps the same PID number. During one session the same process is always executing the login shell. When you fork a new process—for example, when you use an editor—the PID number of the new (child)
process is different from that of its parent process. When you return to the login
shell, it is still being executed by the same process and has the same PID number as
when you logged in.
The following example shows that the process running the shell forked (is the parent of) the process running ps. When you call it with the -f option, ps displays a
full listing of information about each process. The line of the ps display with bash
in the CMD column refers to the process running the shell. The column headed by
PID identifies the PID number. The column headed PPID identifies the PID number
of the parent of the process. From the PID and PPID columns you can see that the
process running the shell (PID 21341) is the parent of the process running sleep
(PID 22789). The parent PID number of sleep is the same as the PID number of the
shell (21341).
$ sleep 10 &
[1] 22789
$ ps -f
UID        PID  PPID  C STIME TTY     TIME CMD
max      21341 21340  3 10:42 pts/16     5 bash
max      22789 21341  3 17:30 pts/16     5 sleep 10
max      22790 21341  3 17:30 pts/16     5 ps -f

Refer to the ps man page for more information on ps and the columns it displays
with the -f option. A second pair of sleep and ps -f commands shows that the shell
is still being run by the same process but that it forked another process to run sleep:
$ sleep 10 &
[1] 22791
$ ps -f
UID        PID  PPID  C STIME TTY     TIME CMD
max      21341 21340  3 10:42 pts/16     5 bash
max      22791 21341  3 17:31 pts/16     5 sleep 10
max      22792 21341  3 17:31 pts/16     5 ps -f

You can also use pstree (or ps --forest, with or without the -e option) to see the
parent-child relationship of processes. The next example shows the -p option to
pstree, which causes it to display PID numbers:
$ pstree -p
init(1)-+-acpid(1395)
        |-atd(1758)
        |-crond(1702)
        |-kdeinit(2223)-+-firefox(8914)---run-mozilla.sh(8920)---firefox-bin(8925)
        |               |-gaim(2306)
        |               |-gqview(14062)
        |               |-kdeinit(2228)
        |               |-kdeinit(2294)
        |               |-kdeinit(2314)-+-bash(2329)---ssh(2561)
        |               |               |-bash(2339)
        |               |               `-bash(15821)---bash(16778)
        |               |-kdeinit(16448)
        |               |-kdeinit(20888)
        |               |-oclock(2317)
        |               `-pam-panel-icon(2305)---pam_timestamp_c(2307)
        |-login(1823)---bash(20986)-+-pstree(21028)
                                    `-sleep(21026)

The preceding output is abbreviated. The line that starts with -kdeinit shows a
graphical user running many processes, including firefox, gaim, and oclock. The
line that starts with -login shows a textual user running sleep in the background
and running pstree in the foreground. Refer to "$$: PID Number" on page 995 for
a description of how to instruct the shell to report on PID numbers.


EXECUTING A COMMAND
fork and sleep When you give the shell a command, it usually forks [spawns using the fork() system call] a child process to execute the command. While the child process is executing the command, the parent process sleeps [implemented as the sleep() system call].
While a process is sleeping, it does not use any computer time; it remains inactive,
waiting to wake up. When the child process finishes executing the command, it tells
its parent of its success or failure via its exit status and then dies. The parent process
(which is running the shell) wakes up and prompts for another command.
Background process When you run a process in the background by ending a command with an ampersand
(&), the shell forks a child process without going to sleep and without waiting for the
child process to run to completion. The parent process, which is executing the shell,
reports the job number and PID number of the child process and prompts for another
command. The child process runs in the background, independent of its parent.
Builtins Although the shell forks a process to run most of the commands you give it, some
commands are built into the shell. The shell does not need to fork a process to run
builtins. For more information refer to "Builtins" on page 261.
Variables Within a given process, such as your login shell or a subshell, you can declare, initialize, read, and change variables. By default, however, a variable is local to a process. When a process forks a child process, the parent does not pass the value of a
variable to the child. You can make the value of a variable available to child processes (global) by using the export builtin (page 992).
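The fork-and-wait cycle and the export rule described above, as an added POSIX sh example that is not from the book. It uses only the shell's own facilities: & and $! to fork a child without waiting for it, wait to collect the child's exit status, $PPID inside the child to confirm the parent-child relationship, and a child sh to see whether a variable was passed along. The exit status 3 and the variable name secret are constructed for the example.

```shell
# Added example, not from the book: what a script can observe of the
# process structure described above.

# The child's view of its parent: $PPID in the child equals $$ in the
# parent. The child writes to a file rather than into $( ) because a
# command substitution runs in a subshell with a PID of its own.
child_parent_pid() {
    tmp=$(mktemp)
    sh -c 'printf "%s\n" "$PPID"' > "$tmp"
    child_view=$(cat "$tmp")
    rm -f "$tmp"
    [ "$child_view" -eq "$$" ]
}

# Background a child that fails with status 3, remember its PID from $!,
# and collect the status with wait, as the shell does for foreground jobs.
child_exit_status() {
    sh -c 'exit 3' &
    wait "$!"
}

# A plain variable stays local to this process; after export the child
# finds it in its environment.
child_sees_variable() {
    secret=local_only
    before=$(sh -c 'printf "%s" "${secret-unset}"')
    export secret
    after=$(sh -c 'printf "%s" "${secret-unset}"')
    printf '%s %s\n' "$before" "$after"
}
```

child_sees_variable prints "unset local_only": the first child started before the export did not receive secret, the second one did. child_exit_status returns 3, the status the child exited with, which is what $? would hold after the same command run in the foreground.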

HISTORY
The history mechanism, a feature adapted from the C Shell, maintains a list of
recently issued command lines, also called events, that provides a quick way to
reexecute any of the events in the list. This mechanism also enables you to execute
variations of previous commands and to reuse arguments from them. You can use
the history list to replicate complicated commands and arguments that you used
earlier in this login session or in a previous one and enter a series of commands that
differ from one another in minor ways. The history list also serves as a record of
what you have done. It can prove helpful when you have made a mistake and are
not sure what you did or when you want to keep a record of a procedure that
involved a series of commands.
The history builtin displays the history list. If it does not, read the next section,
which describes the variables you need to set.

VARIABLES THAT CONTROL HISTORY
The value of the HISTSIZE variable determines the number of events preserved in
the history list during a session. A value in the range of 100 to 1,000 is normal.
When you exit from the shell, the most recently executed commands are saved in the
file whose name is stored in the HISTFILE variable (the default is ~/.bash_history).

The next time you start the shell, this file initializes the history list. The value of the
HISTFILESIZE variable determines the number of lines of history saved in HISTFILE.
See Table 9-7.

history can help track down mistakes
When you have made a mistake on a command line (not an error within a script or program) and
are not sure what you did wrong, look at the history list to review your recent commands. Sometimes this list can help you figure out what went wrong and how to fix things.

Table 9-7   History variables

Variable       Default           Function
HISTSIZE       500 events        Maximum number of events saved during a session
HISTFILE       ~/.bash_history   Location of the history file
HISTFILESIZE   500 events        Maximum number of events saved between sessions

Event number The Bourne Again Shell assigns a sequential event number to each command line.
You can display this event number as part of the bash prompt by including \! in PS1
(page 321). Examples in this section show numbered prompts when they help to
illustrate the behavior of a command.
Give the following command manually, or place it in ~/.bash_profile to affect future
sessions, to establish a history list of the 100 most recent events:
$ HISTSIZE=100

The following command causes bash to save the 100 most recent events across login
sessions:
$ HISTFILESIZE=100

After you set HISTFILESIZE, you can log out and log in again, and the 100 most
recent events from the previous login session will appear in your history list.
Give the command history to display the events in the history list. This list is
ordered so that the oldest events appear at the top. The following history list
includes a command to modify the bash prompt so it displays the history event
number. The last event in the history list is the history command that displayed
the list.
32 $ history | tail
   23  PS1="\! bash$ "
   24  ls -l
   25  cat temp
   26  rm temp
   27  vim.tiny memo
   28  lpr memo
   29  vim.tiny memo
   30  lpr memo
   31  rm memo
   32  history | tail


As you run commands and your history list becomes longer, it may run off the top
of the screen when you use the history builtin. Pipe the output of history through less
to browse through it, or give the command history 10 or history | tail to look at the
ten most recent commands.

A handy history alias
tip Creating the following aliases makes working with history easier. The first allows you to give the
command h to display the ten most recent events. The second alias causes the command hg string
to display all events in the history list that contain string. Put these aliases in your ~/.bashrc file
to make them available each time you log in. See page 346 for more information.
$ alias 'h=history | tail'
$ alias 'hg=history | grep'
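As an added example that is not from the book, the following script loads a history file explicitly. A non-interactive bash does not read HISTFILE on its own, so the helper creates a constructed history file whose lines mirror the listing above, points HISTFILE at it and loads it with history -r; the other two functions then answer the same questions as the h and hg aliases. The temporary file name from mktemp and the limits of 100 events are assumptions of the example.

```shell
# Added example, not from the book: build a constructed history file, load
# it into a bash history list and query it the way the h and hg aliases do.
make_history_file() {
    tmp=$(mktemp)
    printf '%s\n' 'PS1="\! bash$ "' 'ls -l' 'cat temp' 'rm temp' \
                  'vim.tiny memo' 'lpr memo' > "$tmp"
    printf '%s\n' "$tmp"
}

# The equivalent of h for the last $2 events: the event numbers that history
# prints are stripped off so the output is just the command lines.
last_events() {
    bash -c '
        HISTFILE=$1 HISTSIZE=100
        unset HISTTIMEFORMAT   # keep the listing to number and command only
        history -r             # a non-interactive bash does not read HISTFILE itself
        history "$2" | sed "s/^[[:space:]]*[0-9]*[[:space:]]*//"
    ' _ "$1" "$2"
}

# The equivalent of hg: how many events mention the string in $2.
events_matching() {
    bash -c '
        HISTFILE=$1 HISTSIZE=100
        history -r
        history | grep -c -- "$2"
    ' _ "$1" "$2"
}
```

With f=$(make_history_file), last_events "$f" 2 prints the two most recent lines, vim.tiny memo and lpr memo, and events_matching "$f" memo prints 2. The same functions work against a real ~/.bash_history when you need to review what a session did.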

REEXECUTING AND EDITING COMMANDS
You can reexecute any event in the history list. This feature can save you time,
effort, and aggravation. Not having to reenter long command lines allows you to
reexecute events more easily, quickly, and accurately than you could if you had to
retype the command line in its entirety. You can recall, modify, and reexecute previously executed events in three ways: You can use the fc builtin (covered next), the
exclamation point commands (page 335), or the Readline Library, which uses a
one-line vi- or emacs-like editor to edit and execute events (page 340).

Which method to use?
tip If you are more familiar with vi or emacs and less familiar with the C or TC Shell, use fc or the
Readline Library. If you are more familiar with the C or TC Shell, use the exclamation point commands. If it is a toss-up, try the Readline Library; it will benefit you in other areas of Linux more
than learning the exclamation point commands will.
fc: DISPLAYS, EDITS, AND REEXECUTES COMMANDS
The fc (fix command) builtin enables you to display the history list and to edit and
reexecute previous commands. It provides many of the same capabilities as the
command-line editors.
VIEWING THE HISTORY LIST
When you call fc with the -l option, it displays commands from the history list.
Without any arguments, fc -l lists the 16 most recent commands in a numbered list,
with the oldest appearing first:
$ fc -l
1024 cd
1025 view calendar
1026 vim.tiny letter.adams01
1027 aspell -c letter.adams01
1028 vim.tiny letter.adams01
1029 lpr letter.adams01
1030 cd ../memos
1031 ls
1032 rm *0405
1033 fc -l
1034 cd
1035 whereis aspell
1036 man aspell
1037 cd /usr/share/doc/*aspell*
1038 pwd
1039 ls
1040 ls man-html

The fc builtin can take zero, one, or two arguments with the -l option. The arguments
specify the part of the history list to be displayed:
fc -l [first [last]]
The fc builtin lists commands beginning with the most recent event that matches
first. The argument can be an event number, the first few characters of the command line, or a negative number, which is taken to be the nth previous command.
Without last, fc displays events through the most recent. If you include last, fc displays commands from the most recent event that matches first through the most
recent event that matches last.
The next command displays the history list from event 1030 through event 1035:
$ fc -l 1030 1035
1030 cd ../memos
1031 ls
1032 rm *0405
1033 fc -l
1034 cd
1035 whereis aspell

The following command lists the most recent event that begins with view through
the most recent command line that begins with whereis:
$ fc -l view whereis
1025 view calendar
1026 vim.tiny letter.adams01
1027 aspell -c letter.adams01
1028 vim.tiny letter.adams01
1029 lpr letter.adams01
1030 cd ../memos
1031 ls
1032 rm *0405
1033 fc -l
1034 cd
1035 whereis aspell

To list a single command from the history list, use the same identifier for the first
and second arguments. The following command lists event 1027:
$ fc -l 1027 1027
1027 aspell -c letter.adams01


EDITING AND REEXECUTING PREVIOUS COMMANDS
You can use fc to edit and reexecute previous commands.
fc [-e editor] [first [last]]
When you call fc with the -e option followed by the name of an editor, fc calls the
editor with event(s) in the Work buffer, assuming the editor you specify is installed.
By default, fc invokes the nano editor. Without first and last, it defaults to the most
recent command. The next example invokes the vim editor to edit the most recent
command:
$ fc -e vi

The fc builtin uses the stand-alone vim editor. If you set the FCEDIT variable, you
do not need to use the -e option to specify an editor on the command line. Because
the value of FCEDIT has been changed to /usr/bin/emacs and fc has no arguments,
the following command edits the most recent command using the emacs editor (part
of the emacs package; not installed by default):
$ export FCEDIT=/usr/bin/emacs
$ fc

If you call it with a single argument, fc invokes the editor on the specified command.
The following example starts the editor with event 1029 in the Work buffer. When
you exit from the editor, the shell executes the command:
$ fc 1029

As described earlier, you can identify commands with numbers or by specifying the
first few characters of the command name. The following example calls the editor
to work on events from the most recent event that begins with the letters vim
through event 1030:
$ fc vim 1030

Clean up the fc buffer
caution When you execute an fc command, the shell executes whatever you leave in the editor buffer, possibly with unwanted results. If you decide you do not want to execute a command, delete everything from the buffer before you exit from the editor.
REEXECUTING COMMANDS WITHOUT CALLING THE EDITOR
You can reexecute previous commands without using an editor. If you call fc with
the -s option, it skips the editing phase and reexecutes the command. The following
example reexecutes event 1029:
$ fc -s 1029
lpr letter.adams01
The next example reexecutes the previous command:
$ fc -s


When you reexecute a command, you can tell fc to substitute one string for another.
The next example substitutes the string john for the string adams in event 1029 and
executes the modified event:
$ fc -s adams=john 1029
lpr letter.john01

USING AN EXCLAMATION POINT (!) TO REFERENCE EVENTS
The C Shell history mechanism uses an exclamation point to reference events. This
technique, which is available under bash, is frequently more cumbersome to use
than fc but nevertheless has some useful features. For example, the !! command
reexecutes the previous event, and the shell replaces the !$ token with the last word
on the previous command line.
You can reference an event by using its absolute event number, its relative event
number, or the text it contains. All references to events, called event designators,
begin with an exclamation point (!). One or more characters follow the exclamation point to specify an event.
You can put history events anywhere on a command line. To escape an exclamation point
so that the shell interprets it literally instead of as the start of a history event, precede the
exclamation point with a backslash (\) or enclose it within single quotation marks.
EVENT DESIGNATORS
An event designator specifies a command in the history list. See Table 9-8 on the
next page for a list of event designators.
!! reexecutes the previous event   You can reexecute the previous event by giving a !! command. In the following
example, event 45 reexecutes event 44:
44 $ ls -l text
-rw-rw-r-- 1 max group 45 2010-04-30 14:53 text
45 $ !!
ls -l text
-rw-rw-r-- 1 max group 45 2010-04-30 14:53 text

The !! command works whether or not your prompt displays an event number. As
this example shows, when you use the history mechanism to reexecute an event, the
shell displays the command it is reexecuting.
!n event number   A number following an exclamation point refers to an event. If that event is in the
history list, the shell executes it. Otherwise, the shell displays an error message. A
negative number following an exclamation point references an event relative to the
current event. For example, the command !-3 refers to the third preceding event.
After you issue a command, the relative event number of a given event changes
(event -3 becomes event -4). Both of the following commands reexecute event 44:
51 $ !44
ls -l text
-rw-rw-r-- 1 max group 45 2010-04-30 14:53 text
52 $ !-8
ls -l text
-rw-rw-r-- 1 max group 45 2010-04-30 14:53 text


!string event text   When a string of text follows an exclamation point, the shell searches for and executes the most recent event that began with that string. If you enclose the string
within question marks, the shell executes the most recent event that contained that
string. The final question mark is optional if a RETURN would immediately follow it.
68 $ history 10
59 ls -l text*
60 tail text5
61 cat text1 text5 > letter
62 vim.tiny letter
63 cat letter
64 cat memo
65 lpr memo
66 pine zach
67 ls -l
68 history
69 $ !ls
ls -l
70 $ !lpr
lpr memo
71 $ !?letter?
cat letter
Table 9-8   Event designators

Designator    Meaning
!             Starts a history event unless followed immediately by SPACE, NEWLINE, =, or (.
!!            The previous command.
!n            Command number n in the history list.
!-n           The nth preceding command.
!string       The most recent command line that started with string.
!?string[?]   The most recent command that contained string. The last ? is optional.
!#            The current command (as you have it typed so far).
!{event}      The event is an event designator. The braces isolate event from the surrounding text. For example, !{-3}3 is the third most recently executed command followed by a 3.

WORD DESIGNATORS
A word designator specifies a word (token) or series of words from an event.
(Table 9-9 on page 338 lists word designators.) The words are numbered starting
with 0 (the first word on the line—usually the command), continuing with 1 (the
first word following the command), and ending with n (the last word on the line).


To specify a particular word from a previous event, follow the event designator
(such as !14) with a colon and the number of the word in the previous event. For
example, !14:3 specifies the third word following the command from event 14. You
can specify the first word following the command (word number 1) using a caret (^)
and the last word using a dollar sign ($). You can specify a range of words by separating two word designators with a hyphen.
72 $ echo apple grape orange pear
apple grape orange pear
73 $ echo !72:2
echo grape
grape
74 $ echo !72:^
echo apple
apple
75 $ !72:0 !72:$
echo pear
pear
76 $ echo !72:2-4
echo grape orange pear
grape orange pear
77 $ !72:0-$
echo apple grape orange pear
apple grape orange pear

As the next example shows, !$ refers to the last word of the previous event. You can
use this shorthand to edit, for example, a file you just displayed with cat:
$ cat report.718
$ vim.tiny !$
vim.tiny report.718

If an event contains a single command, the word numbers correspond to the argument numbers. If an event contains more than one command, this correspondence
does not hold true for commands after the first. In the following example, event 78
contains two commands separated by a semicolon so the shell executes them
sequentially; the semicolon is word number 5.
78 $ !72 ; echo helen zach barbara
echo apple grape orange pear ; echo helen zach barbara
apple grape orange pear
helen zach barbara
79 $ echo !78:7
echo helen
helen
80 $ echo !78:4-7
echo pear ; echo helen
pear
helen


Table 9-9   Word designators

Designator   Meaning
n            The nth word. Word 0 is normally the command name.
^            The first word (after the command name).
$            The last word.
m-n          All words from word number m through word number n; m defaults to 0 if you omit it (0-n).
n*           All words from word number n through the last word.
*            All words except the command name. The same as 1*.
%            The word matched by the most recent ?string? search.

MODIFIERS
On occasion you may want to change an aspect of an event you are reexecuting. Perhaps you entered a complex command line with a typo or incorrect pathname or you
want to specify a different argument. You can modify an event or a word of an event
by putting one or more modifiers after the word designator, or after the event designator if there is no word designator. Each modifier must be preceded by a colon (:).
Substitute modifier   The following example shows the substitute modifier correcting a typo in the previous event:
$ car /home/zach/memo.0507 /home/max/letter.0507
bash: car: command not found
$ !!:s/car/cat
cat /home/zach/memo.0507 /home/max/letter.0507
The substitute modifier has the following syntax:
[g]s/old/new/
where old is the original string (not a regular expression) and new is the string that
replaces old. The substitute modifier substitutes the first occurrence of old with
new. Placing a g before the s (as in gs/old/new/) causes a global substitution, replacing all occurrences of old. Although / is the delimiter in the examples, you can use
any character that is not in either old or new. The final delimiter is optional if a
RETURN would immediately follow it. As with the vim Substitute command, the history
mechanism replaces an ampersand (&) in new with old. The shell replaces a null
old string (s//new/) with the previous old string or string within a command that
you searched for with ?string?.
Quick substitution   An abbreviated form of the substitute modifier is quick substitution. Use it to
reexecute the most recent event while changing some of the event text. The quick
substitution character is the caret (^). For example, the command
$ ^old^new^
produces the same results as
$ !!:s/old/new/
Thus substituting cat for car in the previous event could have been entered as
$ ^car^cat
cat /home/zach/memo.0507 /home/max/letter.0507
You can omit the final caret if it would be followed immediately by a RETURN. As with
other command-line substitutions, the shell displays the command line as it appears
after the substitution.
Other modifiers   Modifiers (other than the substitute modifier) perform simple edits on the part of
the event that has been selected by the event designator and the optional word designators. You can use multiple modifiers, each preceded by a colon (:).
The following series of commands uses ls to list the name of a file, repeats the command without executing it (p modifier), and repeats the last command, removing
the last part of the pathname (h modifier) again without executing it:
$ ls /etc/default/locale
/etc/default/locale
$ !!:p
ls /etc/default/locale
$ !!:h:p
ls /etc/default
$

Table 9-10 lists event modifiers other than the substitute modifier.
Table 9-10   Event modifiers

Modifier   Function
e          (extension) Removes all but the filename extension
h          (head) Removes the last part of a pathname
p          (print-not) Displays the command, but does not execute it
q          (quote) Quotes the substitution to prevent further substitutions on it
r          (root) Removes the filename extension
t          (tail) Removes all elements of a pathname except the last
x          Like q but quotes each word in the substitution individually
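The following script is an added example, not from the book: it reimplements the Table 9-9 word designators and the h, t, r and e modifiers of Table 9-10 as two bash functions (hist_words and hist_modify, names chosen here) so the selection rules can be tried on any command line without touching the real history list. It assumes bash and splits words on whitespace only; the shell itself also honours quoting.

```bash
#!/usr/bin/env bash
# Added example (not from the book): a small re-implementation of the word
# designators in Table 9-9 and the h, t, r and e modifiers in Table 9-10.
# Function names are this example's own. Words are split on whitespace only.

# hist_words LINE DESIGNATOR -> prints the words DESIGNATOR selects from LINE
hist_words() {
    local line=$1 spec=$2
    local -a w
    read -r -a w <<<"$line"                 # w[0] is the command name
    local last=$(( ${#w[@]} - 1 ))
    local first end
    case $spec in
        '^') first=1; end=1 ;;               # first argument
        '$') first=$last; end=$last ;;       # last word
        '*') first=1; end=$last ;;           # all arguments, same as 1*
        *-*)                                 # m-n; m may be omitted (0-n)
            first=${spec%%-*}; end=${spec#*-}
            if [ -z "$first" ]; then first=0; fi
            if [ "$first" = '^' ]; then first=1; fi
            if [ "$end" = '$' ]; then end=$last; fi ;;
        *'*') first=${spec%\*}; end=$last ;; # n*: word n through the last word
        *)   first=$spec; end=$spec ;;       # a single word number
    esac
    case "$first$end" in
        *[!0-9]*) echo "bad word designator: $spec" >&2; return 1 ;;
    esac
    if [ "$end" -gt "$last" ] || [ "$first" -gt "$end" ]; then
        echo "event has no word $spec" >&2; return 1
    fi
    echo "${w[*]:$first:$((end - first + 1))}"
}

# hist_modify WORD MODIFIER... -> applies the modifiers to WORD, left to right
hist_modify() {
    local word=$1 m
    shift
    for m in "$@"; do
        case $m in
            h) word=${word%/*} ;;            # head: drop the last pathname element
            t) word=${word##*/} ;;           # tail: keep only the last element
            r) if [[ ${word##*/} == *.* ]]; then word=${word%.*}; fi ;;     # root
            e) if [[ ${word##*/} == *.* ]]; then word=.${word##*.}; else word=; fi ;;
            *) echo "unsupported modifier: $m" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$word"
}

# The book's event 72 and event 78, replayed through the functions
hist_words 'echo apple grape orange pear' '2-4'                          # grape orange pear
hist_words 'echo apple grape orange pear ; echo helen zach barbara' 7    # helen
hist_modify /etc/default/locale h                                        # /etc/default
hist_modify letter.adams01 e                                             # .adams01
```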


THE READLINE LIBRARY
Command-line editing under the Bourne Again Shell is implemented through the
Readline Library, which is available to any application written in C. Any application that uses the Readline Library supports line editing that is consistent with that
provided by bash. Programs that use the Readline Library, including bash, read
~/.inputrc (page 343) for key binding information and configuration settings. The
--noediting command-line option turns off command-line editing in bash.
vi mode   You can choose one of two editing modes when using the Readline Library in bash:
emacs or vi(m). Both modes provide many of the commands available in the standalone versions of the emacs and vim editors. You can also use the ARROW keys to
move around. Up and down movements move you backward and forward through
the history list. In addition, Readline provides several types of interactive word
completion (page 342). The default mode is emacs; you can switch to vi mode with
the following command:
$ set -o vi
emacs mode   The next command switches back to emacs mode:
$ set -o emacs

vi EDITING MODE
Before you start, make sure the shell is in vi mode.
When you enter bash commands while in vi editing mode, you are in Input mode
(page 188). As you enter a command, if you discover an error before you press
RETURN, you can press ESCAPE to switch to vim Command mode. This setup is different
from the stand-alone vim editor's initial mode. While in Command mode you can
use many vim commands to edit the command line. It is as though you were using
vim to edit a copy of the history file with a screen that has room for only one command. When you use the k command or the UP ARROW to move up a line, you access
the previous command. If you then use the j command or the DOWN ARROW to move
down a line, you return to the original command. To use the k and j keys to move
between commands, you must be in Command mode; you can use the ARROW keys in
both Command and Input modes.

The stand-alone editor starts in Command mode
tip The stand-alone vim editor starts in Command mode, whereas the command-line vim editor
starts in Input mode. If commands display characters and do not work properly, you are in Input
mode. Press ESCAPE and enter the command again.

In addition to cursor-positioning commands, you can use the search-backward (?)
command followed by a search string to look back through your history list for the
most recent command containing that string. If you have moved back in your history
list, use a forward slash (/) to search forward toward your most recent command.
Unlike the search strings in the stand-alone vim editor, these search strings cannot
contain regular expressions. You can, however, start the search string with a caret (^)
to force the shell to locate commands that start with the search string. As in vim,
pressing n after a successful search looks for the next occurrence of the same string.
You can also use event numbers to access events in the history list. While you are in
Command mode (press ESCAPE), enter the event number followed by a G to go to the
command with that event number.
When you use /, ?, or G to move to a command line, you are in Command mode,
not Input mode: You can edit the command or press RETURN to execute it.
Once the command you want to edit is displayed, you can modify the command line
using vim Command mode editing commands such as x (delete character), r (replace
character), ~ (change case), and . (repeat last change). To change to Input mode, use
an Insert (i, I), Append (a, A), Replace (R), or Change (c, C) command. You do not
have to return to Command mode to execute a command; simply press RETURN, even
if the cursor is in the middle of the command line.

emacs EDITING MODE
Unlike the vim editor, emacs is modeless. You need not switch between Command
mode and Input mode because most emacs commands are control characters,
allowing emacs to distinguish between input and commands. Like vim, the emacs
command-line editor provides commands for moving the cursor on the command
line and through the command history list and for modifying part or all of a command. However, in a few cases, the emacs command-line editor commands differ
from those in the stand-alone emacs editor.
In emacs you perform cursor movement by using both CONTROL and ESCAPE commands.
To move the cursor one character backward on the command line, press CONTROL-B.
Press CONTROL-F to move one character forward. As in vim, you may precede these
movements with counts. To use a count you must first press ESCAPE; otherwise, the
numbers you type will appear on the command line.
Like vim, emacs provides word and line movement commands. To move backward
or forward one word on the command line, press ESCAPE b or ESCAPE f. To move several
words using a count, press ESCAPE followed by the number and the appropriate
escape sequence. To move to the beginning of the line, press CONTROL-A; to the end of
the line, press CONTROL-E; and to the next instance of the character c, press CONTROL-X
CONTROL-F followed by c.
You can add text to the command line by moving the cursor to the position you
want to enter text and typing the desired text. To delete text, move the cursor just to
the right of the characters that you want to delete and press the erase key
(page 151) once for each character you want to delete.
CONTROL-D can terminate your screen session
tip If you want to delete the character directly under the cursor, press CONTROL-D. If you enter CONTROL-D
at the beginning of the line, it may terminate your shell session.


If you want to delete the entire command line, type the line kill character (page 151).
You can type this character while the cursor is anywhere in the command line. If you
want to delete from the cursor to the end of the line, press CONTROL-K.
READLINE COMPLETION COMMANDS
You can use the TAB key to complete words you are entering on the command line.
This facility, called completion, works in both vi and emacs editing modes. Several
types of completion are possible, and which one you use depends on which part of a
command line you are typing when you press TAB.
COMMAND COMPLETION
If you are typing the name of a command (usually the first word on the command
line), pressing TAB initiates command completion, in which bash looks for a command whose name starts with the part of the word you have typed. If no command
starts with the characters you entered, bash beeps. If there is one such command,
bash completes the command name. If there is more than one choice, bash does
nothing in vi mode and beeps in emacs mode. Pressing TAB a second time causes bash
to display a list of commands whose names start with the prefix you typed and
allows you to continue typing the command name.
In the following example, the user types bz and presses TAB. The shell beeps (the user
is in emacs mode) to indicate that several commands start with the letters bz. The
user enters another TAB to cause the shell to display a list of commands that start
with bz followed by the command line as the user had entered it so far:
$ bz →TAB (beep) →TAB
bzcat    bzdiff    bzip2           bzless
bzcmp    bzgrep    bzip2recover    bzmore
$ bz

Next the user types c and presses TAB twice. The shell displays the two commands that
start with bzc. The user types a followed by TAB. At this point the shell completes the
command because only one command starts with bzca.
$ bzc →TAB (beep) →TAB
bzcat    bzcmp
$ bzca →TAB →t

PATHNAME COMPLETION
Pathname completion, which also uses TABs, allows you to type a portion of a pathname and have bash supply the rest. If the portion of the pathname you have typed
is sufficient to determine a unique pathname, bash displays that pathname. If more
than one pathname would match it, bash completes the pathname up to the point
where there are choices so that you can type more.
When you are entering a pathname, including a simple filename, and press TAB, the
shell beeps (if the shell is in emacs mode—in vi mode there is no beep). It then
extends the command line as far as it can.

$ cat films/dar →TAB (beep)
cat films/dark_
In the films directory every file that starts with dar has k_ as the next characters, so
bash cannot extend the line further without making a choice among files. The shell
leaves the cursor just past the _ character. At this point you can continue typing the
pathname or press TAB twice. In the latter case bash beeps, displays your choices,
redisplays the command line, and again leaves the cursor just after the _ character.
$ cat films/dark_ →TAB (beep) →TAB
dark_passage dark_victory
$ cat films/dark_
When you add enough information to distinguish between the two possible files and
press TAB, bash displays the unique pathname. If you enter p followed by TAB after the
_ character, the shell completes the command line:
$ cat films/dark_p →TAB →assage
Because there is no further ambiguity, the shell appends a SPACE so you can finish typing the command line or just press RETURN to execute the command. If the complete
pathname is that of a directory, bash appends a slash (/) in place of a SPACE.
VARIABLE COMPLETION
When you are typing a variable name, pressing TAB results in variable completion,
wherein bash attempts to complete the name of the variable. In case of an ambiguity, pressing TAB twice displays a list of choices:
$ echo $HO →TAB →TAB
$HOME $HOSTNAME $HOSTTYPE
$ echo $HOM →TAB →E

Pressing RETURN executes the command
caution Pressing RETURN causes the shell to execute the command regardless of where the cursor is on
the command line.

.inputrc: CONFIGURING THE READLINE LIBRARY
The Bourne Again Shell and other programs that use the Readline Library read the
file specified by the INPUTRC environment variable to obtain initialization information. If INPUTRC is not set, these programs read the ~/.inputrc file. They ignore
lines of .inputrc that are blank or that start with a hashmark (#).
VARIABLES
You can set variables in .inputrc to control the behavior of the Readline Library
using the following syntax:
set variable value
Table 9-11 (on the next page) lists some variables and values you can use. See
Readline Variables in the bash man or info page for a complete list.


Table 9-11   Readline variables

Variable                 Effect
editing-mode             Set to vi to start Readline in vi mode. Set to emacs to start Readline in emacs mode (the default). Similar to the set -o vi and set -o emacs shell commands (page 340).
horizontal-scroll-mode   Set to on to cause long lines to extend off the right edge of the display area. Moving the cursor to the right when it is at the right edge of the display area shifts the line to the left so you can see more of the line. You can shift the line back by moving the cursor back past the left edge. The default value is off, which causes long lines to wrap onto multiple lines of the display.
mark-directories         Set to off to cause Readline not to place a slash (/) at the end of directory names it completes. The default value is on.
mark-modified-lines      Set to on to cause Readline to precede modified history lines with an asterisk. The default value is off.

KEY BINDINGS
You can specify bindings that map keystroke sequences to Readline commands, allowing you to change or extend the default bindings. Like the emacs editor, the Readline
Library includes many commands that are not bound to a keystroke sequence. To use
an unbound command, you must map it using one of the following forms:
keyname: command_name
"keystroke_sequence": command_name
In the first form, you spell out the name for a single key. For example, CONTROL-U would
be written as control-u. This form is useful for binding commands to single keys.
In the second form, you specify a string that describes a sequence of keys that will be
bound to the command. You can use the emacs-style backslash escape sequences to
represent the special keys CONTROL (\C), META (\M), and ESCAPE (\e). Specify a backslash
by escaping it with another backslash: \\. Similarly, a double or single quotation
mark can be escaped with a backslash: \" or \'.
The kill-whole-line command, available in emacs mode only, deletes the current
line. Put the following command in .inputrc to bind the kill-whole-line command
(which is unbound by default) to the keystroke sequence CONTROL-R:
control-r: kill-whole-line
bind   Give the command bind -P to display a list of all Readline commands. If a command is bound to a key sequence, that sequence is shown. Commands you can use
in vi mode start with vi. For example, vi-next-word and vi-prev-word move the cursor to the beginning of the next and previous words, respectively. Commands that
do not begin with vi are generally available in emacs mode.
Use bind -q to determine which key sequence is bound to a command:

$ bind -q kill-whole-line
kill-whole-line can be invoked via "\C-r".

You can also bind text by enclosing it within double quotation marks (emacs
mode only):
"QQ": "The Linux Operating System"
This command causes bash to insert the string The Linux Operating System when
you type QQ.
CONDITIONAL CONSTRUCTS
You can conditionally select parts of the .inputrc file using the $if directive. The
syntax of the conditional construct is
$if test[=value]
commands
[$else
commands]
$endif
where test is mode, term, or bash. If test equals value (or if test is true when value is
not specified), this structure executes the first set of commands. If test does not
equal value (or if test is false when value is not specified), this construct executes
the second set of commands if they are present or exits from the structure if they are
not present.
The power of the $if directive lies in the three types of tests it can perform.
1. You can test to see which mode is currently set.
$if mode=vi
The preceding test is true if the current Readline mode is vi and false otherwise. You can test for vi or emacs.
2. You can test the type of terminal.
$if term=xterm
The preceding test is true if the TERM variable is set to xterm. You can
test for any value of TERM.
3. You can test the application name.
$if bash
The preceding test is true when you are running bash and not another program that uses the Readline Library. You can test for any application name.
These tests can customize the Readline Library based on the current mode, the type of
terminal, and the application you are using. They give you a great deal of power and
flexibility when you are using the Readline Library with bash and other programs.


The following commands in .inputrc cause CONTROL-Y to move the cursor to the beginning of the next word regardless of whether bash is in vi or emacs mode:
$ cat ~/.inputrc
set editing-mode vi
$if mode=vi
"\C-y": vi-next-word
$else
"\C-y": forward-word
$endif
Because bash reads the preceding conditional construct when it is started, you must
set the editing mode in .inputrc. Changing modes interactively using set will not
change the binding of CONTROL-Y.
For more information on the Readline Library, open the bash man page and give the
command /^READLINE, which searches for the word READLINE at the beginning
of a line.

If Readline commands do not work, log out and log in again
tip The Bourne Again Shell reads ~/.inputrc when you log in. After you make changes to this file, you
must log out and log in again before the changes will take effect.
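As an added example that is not part of the book, the following script checks an .inputrc file against the forms described in this section: balanced $if/$else/$endif, set directives, and the two key binding forms, listing text macros (a binding whose target is a quoted string) separately because they insert text rather than run a Readline command. The function name inputrc_check and the sample files are this example's own; it recognises only the directives covered above, so a file that uses others (for example $include) is reported.

```bash
#!/usr/bin/env bash
# Added example (not from the book): a checker for an .inputrc file built from
# the constructs this section describes. Function name and samples are this
# example's own. Exit status 1 means at least one problem was found.

inputrc_check() {   # inputrc_check FILE -> prints findings; returns 1 on any problem
    awk '
        function bad(msg) { problems++; print FILENAME ":" NR ": " msg }
        /^[ \t]*#/ { next }                                          # comment
        /^[ \t]*$/ { next }                                          # blank line
        /^[$]if[ \t]+[^ \t]+[ \t]*$/ { depth++; next }               # $if mode=vi, $if term=xterm, $if bash
        /^[$]else[ \t]*$/ { if (depth == 0) bad("$else outside $if"); next }
        /^[$]endif[ \t]*$/ { if (depth == 0) bad("$endif without $if"); else depth--; next }
        /^[ \t]*set[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]*$/ { next }       # set variable value
        /^[ \t]*"([^"\\]|\\.)*"[ \t]*:[ \t]*"([^"\\]|\\.)*"[ \t]*$/ { # "keys": "text" macro
            print FILENAME ":" NR ": text macro: " $0; next }
        /^[ \t]*"([^"\\]|\\.)*"[ \t]*:[ \t]*[a-z][-a-z0-9]*[ \t]*$/ { next }  # "keys": command
        /^[ \t]*[A-Za-z][-A-Za-z0-9]*[ \t]*:[ \t]*[a-z][-a-z0-9]*[ \t]*$/ { next }  # keyname: command
        { bad("unrecognised line: " $0) }
        END {
            if (depth > 0) { problems++; print FILENAME ": " depth " $if without $endif" }
            exit (problems > 0)
        }
    ' "$1"
}

# Constructed sample: the CONTROL-Y construct from the text plus a binding,
# a comment and the QQ text macro.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample .inputrc
set editing-mode vi
$if mode=vi
"\C-y": vi-next-word
$else
"\C-y": forward-word
$endif
control-r: kill-whole-line
"QQ": "The Linux Operating System"
EOF

# Constructed broken sample: a $if that is never closed
broken=$(mktemp)
printf '%s\n' '$if term=xterm' '"\C-y": forward-word' >"$broken"
trap 'rm -f "$sample" "$broken"' EXIT

inputrc_check "$sample"                                   # lists the QQ macro (line 9), returns 0
inputrc_check "$broken" || echo "problems found in $broken"
```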

ALIASES
An alias is a (usually short) name that the shell translates into another (usually
longer) name or (complex) command. Aliases allow you to define new commands
by substituting a string for the first token of a simple command. They are typically placed in the ~/.bashrc startup files so that they are available to interactive
subshells.
The syntax of the alias builtin is
alias [name[=value]]

No SPACEs are permitted around the equal sign. If value contains SPACEs or TABs, you
must enclose value within quotation marks. An alias does not accept an argument
from the command line in value. Use a function (page 349) when you need to use
an argument.
An alias does not replace itself, which avoids the possibility of infinite recursion in
handling an alias such as the following:
$ alias ls='ls -F'

You can nest aliases. Aliases are disabled for noninteractive shells (that is, shell
scripts). To see a list of the current aliases, give the command alias. To view the alias
for a particular name, give the command alias followed by the name of the alias.
You can use the unalias builtin to remove an alias.


When you give an alias builtin command without any arguments, the shell displays
a list of all defined aliases:
$ alias
alias ll='ls -l'
alias l='ls -ltr'
alias ls='ls -F'
alias zap='rm -i'

Ubuntu Linux defines some aliases. Give an alias command to see which aliases
are in effect. You can delete the aliases you do not want from the appropriate
startup file.

SINGLE VERSUS DOUBLE QUOTATION MARKS IN ALIASES
The choice of single or double quotation marks is significant in the alias syntax
when the alias includes variables. If you enclose value within double quotation
marks, any variables that appear in value are expanded when the alias is created. If
you enclose value within single quotation marks, variables are not expanded until
the alias is used. The following example illustrates the difference.
The PWD keyword variable holds the pathname of the working directory. Max creates two aliases while he is working in his home directory. Because he uses double
quotation marks when he creates the dirA alias, the shell substitutes the value of the
working directory when he creates this alias. The alias dirA command displays the
dirA alias and shows that the substitution has already taken place:
$ echo $PWD
/home/max
$ alias dirA="echo Working directory is $PWD"
$ alias dirA
alias dirA='echo Working directory is /home/max'

When Max creates the dirB alias, he uses single quotation marks, which prevent the
shell from expanding the $PWD variable. The alias dirB command shows that the
dirB alias still holds the unexpanded $PWD variable:
$ alias dirB='echo Working directory is $PWD'
$ alias dirB
alias dirB='echo Working directory is $PWD'

After creating the dirA and dirB aliases, Max uses cd to make cars his working
directory and gives each of the aliases as commands. The alias he created using double quotation marks displays the name of the directory he created the alias in as the
working directory (which is wrong). In contrast, the dirB alias displays the proper
name of the working directory:
$ cd cars
$ dirA
Working directory is /home/max
$ dirB
Working directory is /home/max/cars

348 CHAPTER 9 THE BOURNE AGAIN SHELL

How to prevent the shell from invoking an alias
t i p The shell checks only simple, unquoted commands to see if they are aliases. Commands given as
relative or absolute pathnames and quoted commands are not checked. When you want to give a
command that has an alias but do not want to use the alias, precede the command with a backslash, specify the command's absolute pathname, or give the command as ./command.

EXAMPLES OF ALIASES
The following alias allows you to type r to repeat the previous command or r abc to
repeat the last command line that began with abc:
$ alias r='fc -s'


If you use the command ls -ltr frequently, you can create an alias that substitutes ls
-ltr when you give the command l:
$ alias l='ls -ltr'
$ l
total 41
-rw-r--r-- 1 max group 30015 2009-03-01 14:24 flute.ps
-rw-r--r-- 1 max group  3089 2010-02-11 16:24 XTerm.ad
-rw-r--r-- 1 max group   641 2010-04-01 08:12 fixtax.icn
-rw-r--r-- 1 max group   484 2010-04-09 08:14 maptax.icn
drwxrwxr-x 2 max group  1024 2010-08-09 17:41 Tiger
drwxrwxr-x 2 max group  1024 2010-09-10 11:32 testdir
-rwxr-xr-x 1 max group   485 2010-09-21 08:03 floor
drwxrwxr-x 2 max group  1024 2010-09-27 20:19 Test_Emacs


Another common use of aliases is to protect yourself from mistakes. The following example substitutes the interactive version of the rm utility when you give the command zap:
$ alias zap='rm -i'
$ zap f*
rm: remove 'fixtax.icn'? n
rm: remove 'flute.ps'? n
rm: remove 'floor'? n
The -i option causes rm to ask you to verify each file that would be deleted, thereby
helping you avoid deleting the wrong file. You can also alias rm with the rm -i command: alias rm='rm -i'.
The aliases in the next example cause the shell to substitute ls -l each time you give
an ll command and ls -F each time you use ls:
$ alias ls='ls -F'
$ alias ll='ls -l'
$ ll
total 41
drwxrwxr-x 2 max group  1024 2010-09-27 20:19 Test_Emacs/
drwxrwxr-x 2 max group  1024 2010-08-09 17:41 Tiger/
-rw-r--r-- 1 max group  3089 2010-02-11 16:24 XTerm.ad
-rw-r--r-- 1 max group   641 2010-04-01 08:12 fixtax.icn
-rw-r--r-- 1 max group 30015 2009-03-01 14:24 flute.ps
-rwxr-xr-x 1 max group   485 2010-09-21 08:03 floor*
-rw-r--r-- 1 max group   484 2010-04-09 08:14 maptax.icn
drwxrwxr-x 2 max group  1024 2010-09-10 11:32 testdir/



The -F option causes ls to print a slash (/) at the end of directory names and an
asterisk (*) at the end of the names of executable files. In this example, the string
that replaces the alias ll (ls -l) itself contains an alias (ls). When it replaces an alias
with its value, the shell looks at the first word of the replacement string to see
whether it is an alias. In the preceding example, the replacement string contains the
alias ls, so a second substitution occurs to produce the final command ls -F -l. (To
avoid a recursive plunge, the ls in the replacement text, although an alias, is not
expanded a second time.)
When given a list of aliases without the =value or value field, the alias builtin
responds by displaying the value of each defined alias. The alias builtin reports an
error if an alias has not been defined:
$ alias ll l ls zap wx
alias ll='ls -l'
alias l='ls -ltr'
alias ls='ls -F'
alias zap='rm -i'
bash: alias: wx: not found


You can avoid alias substitution by preceding the aliased command with a backslash (\):
$ \ls
Test_Emacs  XTerm.ad    flute.ps  maptax.icn
Tiger       fixtax.icn  floor     testdir


Because the replacement of an alias name with the alias value does not change the rest of
the command line, any arguments are still received by the command that gets executed:
$ ll f*
-rw-r--r-- 1 max group   641 2010-04-01 08:12 fixtax.icn
-rw-r--r-- 1 max group 30015 2009-03-01 14:24 flute.ps
-rwxr-xr-x 1 max group   485 2010-09-21 08:03 floor*


You can remove an alias with the unalias builtin. When the zap alias is removed, it is no
longer displayed with the alias builtin and its subsequent use results in an error message:
$ unalias zap
$ alias
alias ll='ls -l'
alias l='ls -ltr'
alias ls='ls -F'
$ zap maptax.icn
bash: zap: command not found
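The two points made above, that quoting at definition time decides when $PWD in an alias is expanded and that a backslash or pathname bypasses an alias, can be turned into checks you can run. The bash script below is an added example, not code from the book; the helper names (define_dir_aliases, alias_body, run_with_aliases, command_kind, real_command) are this example's own, and it relies on bash features (shopt, BASH_ALIASES, type -t, type -P), so it is not portable to other shells. Because aliases are off in scripts, it switches them on with shopt -s expand_aliases first.

```bash
#!/bin/bash
# Added example (not from the book): alias quoting, inspection and bypass.
# Aliases are off in non-interactive shells, so turn them on for this script.
shopt -s expand_aliases

# The two aliases from the text. With double quotation marks $PWD is
# expanded when the alias is created; with single quotation marks the
# literal string $PWD is stored and expanded each time the alias runs.
define_dir_aliases() {
    alias dirA="echo Working directory is $PWD"
    alias dirB='echo Working directory is $PWD'
}

# Print the stored body of an alias (bash keeps them in BASH_ALIASES).
alias_body() {
    printf '%s\n' "${BASH_ALIASES[$1]}"
}

# Parse a command string afresh so that alias substitution is applied to it,
# the way an interactive shell does for a line you type.
run_with_aliases() {
    eval "$1"
}

# Classify a name the way bash will resolve it: alias, function, builtin,
# file, or none. This is the check to run before trusting a command name.
command_kind() {
    local kind
    kind=$(type -t "$1" 2>/dev/null) || kind=none
    printf '%s\n' "${kind:-none}"
}

# Path of the executable that \name, command name, or /full/path would run,
# bypassing any alias or function of the same name.
real_command() {
    type -P "$1"
}

main() {
    local sub
    sub=$(mktemp -d)                       # constructed scratch directory
    define_dir_aliases
    echo "dirA body: $(alias_body dirA)"   # already contains this directory
    echo "dirB body: $(alias_body dirB)"   # still contains the literal \$PWD
    ( cd "$sub" && run_with_aliases dirA ) # reports the directory of creation
    ( cd "$sub" && run_with_aliases dirB ) # reports $sub
    alias ls='ls -F'
    echo "ls resolves to: $(command_kind ls)"   # alias
    echo "real ls is:     $(real_command ls)"   # the file a \ls would run
    rmdir "$sub"
}

main "$@"
```

type -t and type -P are the practical way to find out what a name will actually run before you rely on it in a script; an alias or function of the same name as a utility is exactly what those two calls distinguish.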

FUNCTIONS
A shell function is similar to a shell script in that it stores a series of commands for
execution at a later time. However, because the shell stores a function in the computer's main memory (RAM) instead of in a file on the disk, the shell can access it
more quickly than the shell can access a script. The shell also preprocesses (parses) a
function so that it starts up more quickly than a script. Finally the shell executes a
shell function in the same shell that called it. If you define too many functions, the
overhead of starting a subshell (as when you run a script) can become unacceptable.
You can declare a shell function in the ~/.bash_profile startup file, in the script that
uses it, or directly from the command line. You can remove functions with the unset
builtin. The shell does not retain functions after you log out.

Removing variables and functions
tip If you have a shell variable and a function with the same name, using unset removes the shell
variable. If you then use unset again with the same name, it removes the function.
The syntax that declares a shell function is
[function] function-name ()
{
commands
}
where the word function is optional, function-name is the name you use to call the
function, and commands comprise the list of commands the function executes when
you call it. The commands can be anything you would include in a shell script,
including calls to other functions.
The opening brace ({) can appear on the same line as the function name. Aliases and
variables are expanded when a function is read, not when it is executed. You can
use the break statement (page 976) within a function to terminate its execution.
Shell functions are useful as a shorthand as well as to define special commands. The
following function starts a process named process in the background, with the output normally displayed by process being saved in .process.out:
start_process() {
process > .process.out 2>&1 &
}
The next example creates a simple function that displays the date, a header, and a
list of the people who are logged in on the system. This function runs the same commands as the whoson script described on page 300. In this example the function is
being entered from the keyboard. The greater than (>) signs are secondary shell
prompts (PS2); do not enter them.
$ function whoson ()
> {
> date
> echo "Users Currently Logged On"
> who
> }
$ whoson
Mon Aug 9 15:44:58 PDT 2010
Users Currently Logged On
hls      console      2010-08-08 08:59 (:0)
max      pts/4        2010-08-08 09:33 (0.0)
zach     pts/7        2010-08-08 09:23 (bravo.example.com)



Functions in startup files If you want to have the whoson function always be available without having to
enter it each time you log in, put its definition in ~/.bash_profile. Then run
.bash_profile, using the . (dot) command to put the changes into effect immediately:
$ cat ~/.bash_profile
export TERM=vt100
stty kill '^u'
whoson ()
{
date
echo "Users Currently Logged On"
who
}
$ . ~/.bash_profile


You can specify arguments when you call a function. Within the function these arguments are available as positional parameters (page 996). The following example
shows the arg1 function entered from the keyboard:
$ arg1 () {
> echo "$1"
> }
$ arg1 first_arg
first_arg


See the function switch () on page 296 for another example of a function. "Functions" on page 993 discusses the use of local and global variables within a function.

optional The following function allows you to export variables using tcsh syntax. The env
builtin lists all environment variables and their values and verifies that setenv
worked correctly:
$ cat ~/.bash_profile
# setenv - keep tcsh users happy
function setenv()
{
if [ $# -eq 2 ]
then
eval $1=$2
export $1
else
echo "Usage: setenv NAME VALUE" 1>&2
fi
}
$ . ~/.bash_profile
$ setenv TCL_LIBRARY /usr/local/lib/tcl
$ env | grep TCL_LIBRARY
TCL_LIBRARY=/usr/local/lib/tcl


eval The $# special parameter (page 997) takes on the value of the number of command-line arguments. This function uses the eval builtin to force bash to scan the command
$1=$2 twice. Because $1=$2 begins with a dollar sign ($), the shell treats the entire
string as a single token—a command. With variable substitution performed, the
command name becomes TCL_LIBRARY=/usr/local/lib/tcl, which results in an
error. Using eval, a second scanning splits the string into the three desired tokens, and
the correct assignment occurs.
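The second scan is what makes setenv work, but it also means the shell re-parses whatever the caller passed as NAME and VALUE: a value containing a SPACE is split into separate words on the second scan, and anything that looks like shell syntax is treated as such. As an added example that is not from the book, the bash script below keeps the book's function (renamed setenv_eval for comparison) and adds setenv_safe, which performs the same export without eval (export "NAME=VALUE" is a single word, so VALUE is never re-parsed) after checking that NAME is a valid variable name; getenv_by_name is a small helper for reading a variable back by name. All three names are this example's own.

```bash
#!/bin/bash
# Added example (not from the book): the book's setenv relies on eval, which
# hands its arguments back to the parser. The second version below performs
# the same export without eval and checks that NAME is a valid variable name.

# The book's version, kept as written for comparison.
setenv_eval() {
    if [ $# -eq 2 ]
    then
        eval $1=$2
        export $1
    else
        echo "Usage: setenv NAME VALUE" 1>&2
        return 1
    fi
}

# Hardened version: export "NAME=VALUE" is one word, so VALUE is never
# parsed as shell syntax, and NAME must match the identifier grammar
# (a letter or underscore followed by letters, digits or underscores).
setenv_safe() {
    if [ $# -ne 2 ]; then
        echo "Usage: setenv NAME VALUE" 1>&2
        return 1
    fi
    case $1 in
        [A-Za-z_]*) ;;                     # acceptable first character
        *) echo "setenv: '$1' is not a valid variable name" 1>&2; return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_]*)                   # any other character is rejected
            echo "setenv: '$1' is not a valid variable name" 1>&2; return 1 ;;
    esac
    export "$1=$2"
}

# Read a variable back by name without eval (bash indirect expansion).
getenv_by_name() {
    printf '%s\n' "${!1}"
}

# Demonstration when run directly.
setenv_safe TCL_LIBRARY /usr/local/lib/tcl
echo "TCL_LIBRARY=$(getenv_by_name TCL_LIBRARY)"
setenv_safe GREETING 'hello world'        # value with a SPACE survives intact
echo "GREETING=$(getenv_by_name GREETING)"
setenv_eval GREETING2 'hello world' 2>/dev/null || true   # split on the second scan
echo "GREETING2=${GREETING2:-<unset>}"
```

The last two lines show the failure mode of the eval form with a value that contains a SPACE: after the second scan the line reads GREETING2=hello world, which the shell runs as the command world with GREETING2 set only in its environment, so the variable is never assigned in the calling shell.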

CONTROLLING bash: FEATURES AND OPTIONS

This section explains how to control bash features and options using command-line
options and the set and shopt builtins.

COMMAND-LINE OPTIONS

Two kinds of command-line options are available: short and long. Short options
consist of a hyphen followed by a letter; long options have two hyphens followed by
multiple characters. Long options must appear before short options on a command
line that calls bash. Table 9-12 lists some commonly used command-line options.

Table 9-12  Command-line options

Option          Explanation                                                   Syntax
Help            Displays a usage message.                                     --help
No edit         Prevents users from using the Readline Library (page 340)     --noediting
                to edit command lines in an interactive shell.
No profile      Prevents reading these startup files (page 293):              --noprofile
                /etc/profile, ~/.bash_profile, ~/.bash_login, and ~/.profile.
No rc           Prevents reading the ~/.bashrc startup file (page 294).       --norc
                This option is on by default if the shell is called as sh.
POSIX           Runs bash in POSIX mode.                                      --posix
Version         Displays bash version information and exits.                  --version
Login           Causes bash to run as though it were a login shell.           -l (lowercase "l")
shopt           Runs a shell with the opt shopt option (next page). A -O      [±]O [opt]
                (uppercase "O") sets the option; +O unsets it.
End of options  On the command line, signals the end of options. Subsequent   --
                tokens are treated as arguments even if they begin with a
                hyphen (-).


SHELL FEATURES
You can control the behavior of the Bourne Again Shell by turning features on and
off. Different features use different methods to turn features on and off. The set
builtin controls one group of features, while the shopt builtin controls another group.
You can also control many features from the command line you use to call bash.

Features, options, variables?
tip To avoid confusing terminology, this book refers to the various shell behaviors that you can control
as features. The bash info page refers to them as "options" and "values of variables controlling
optional shell behavior."
set ±o: TURNS SHELL FEATURES ON AND OFF
The set builtin, when used with the -o or +o option, enables, disables, and lists certain bash features. For example, the following command turns on the noclobber
feature (page 248):
$ set -o noclobber

You can turn this feature off (the default) by giving the command
$ set +o noclobber

The command set -o without an option lists each of the features controlled by set, followed by its state (on or off). The command set +o without an option lists the same features in a form you can use as input to the shell. Table 9-13 (next page) lists bash features.

shopt: TURNS SHELL FEATURES ON AND OFF
The shopt (shell option) builtin enables, disables, and lists certain bash features that
control the behavior of the shell. For example, the following command causes bash
to include filenames that begin with a period (.) when it expands ambiguous file references (the -s stands for set):
$ shopt -s dotglob

You can turn this feature off (the default) by giving the following command (the -u
stands for unset):
$ shopt -u dotglob

The shell displays how a feature is set if you give the name of the feature as the only
argument to shopt:
$ shopt dotglob
dotglob         off

The command shopt without any options or arguments lists the features controlled
by shopt and their state. The command shopt -s without an argument lists the features controlled by shopt that are set or on. The command shopt -u lists the features
that are unset or off. Table 9-13 (next page) lists bash features.

Setting set ±o features using shopt
tip You can use shopt to set/unset features that are otherwise controlled by set ±o. Use the regular
shopt syntax with -s or -u and include the -o option. For example, the following command turns
on the noclobber feature:
$ shopt -o -s noclobber
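The set ±o and shopt descriptions above can be confirmed rather than taken on trust. The bash script below is an added example, not code from the book: it turns noclobber, dotglob and nullglob into checks, each run inside a subshell so that the setting does not leak into the calling shell, and uses shopt -q (with -o for set ±o features) to report a feature's state. The helper names noclobber_protects, glob_word_count and feature_state are this example's own, and the scratch directories it creates are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the book): checks that show what noclobber,
# dotglob and nullglob actually change. Each check runs in a subshell so
# the feature setting does not leak into the caller's shell.

# Try to overwrite an existing file with > while noclobber is on.
# Returns 0 if the file was left intact, 1 if it was overwritten.
noclobber_protects() {
    local dir file result=1
    dir=$(mktemp -d)                 # constructed scratch directory
    file=$dir/keep.txt
    echo original >"$file"
    ( set -o noclobber; echo replaced >"$file" ) 2>/dev/null || true
    [ "$(cat "$file")" = original ] && result=0
    rm -rf "$dir"
    return $result
}

# Number of words a pattern ($2) expands to in directory $1 after the
# shopt feature $3 is set ($4 = -s) or unset ($4 = -u).
glob_word_count() {
    local dir=$1 pattern=$2 feature=$3 state=$4
    ( cd "$dir" && shopt "$state" "$feature" && set -- $pattern && echo $# )
}

# Report on/off for a shopt feature, or for a set -o feature when the first
# argument is -o (for example: feature_state -o noclobber).
feature_state() {
    if shopt -q "$@"; then echo on; else echo off; fi
}

main() {
    local d
    d=$(mktemp -d)
    : >"$d/visible"                  # one ordinary file ...
    : >"$d/.hidden"                  # ... and one dot file
    noclobber_protects && echo "noclobber: existing file kept"
    echo "* with dotglob off: $(glob_word_count "$d" '*' dotglob -u) word(s)"  # 1
    echo "* with dotglob on:  $(glob_word_count "$d" '*' dotglob -s) word(s)"  # 2
    echo "*.log, nullglob off: $(glob_word_count "$d" '*.log' nullglob -u) word(s)"  # 1: the literal pattern
    echo "*.log, nullglob on:  $(glob_word_count "$d" '*.log' nullglob -s) word(s)"  # 0
    echo "dotglob is $(feature_state dotglob); noclobber is $(feature_state -o noclobber)"
    rm -rf "$d"
}

main "$@"
```

The nullglob check is the one that matters most in scripts: with the default setting an unmatched pattern is passed on as a literal word, so a loop over *.log in an empty directory runs once with the string "*.log" as its argument.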

Table 9-13  bash features

Feature         Description                                        Syntax                   Alternate syntax
allexport       Automatically exports all variables and            set -o allexport         set -a
                functions you create or modify after giving
                this command.
braceexpand     Causes bash to perform brace expansion             set -o braceexpand       set -B
                (the default; page 358).
cdspell         Corrects minor spelling errors in directory        shopt -s cdspell
                names used as arguments to cd.
cmdhist         Saves all lines of a multiline command in          shopt -s cmdhist
                the same history entry, adding semicolons
                as needed.
dotglob         Causes shell special characters (wildcards;        shopt -s dotglob
                page 256) in an ambiguous file reference
                to match a leading period in a filename. By
                default special characters do not match a
                leading period. You must always specify
                the filenames . and .. explicitly because no
                pattern ever matches them.
emacs           Specifies emacs editing mode for                   set -o emacs
                command-line editing (the default;
                page 341).
errexit         Causes bash to exit when a simple command          set -o errexit           set -e
                (not a control structure) fails.
execfail        Causes a shell script to continue running          shopt -s execfail
                when it cannot find the file that is given as
                an argument to exec. By default a script
                terminates when exec cannot find the file
                that is given as its argument.
expand_aliases  Causes aliases (page 346) to be expanded           shopt -s expand_aliases
                (by default it is on for interactive shells and
                off for noninteractive shells).
hashall         Causes bash to remember where commands it          set -o hashall           set -h
                has found using PATH (page 319) are located
                (default).
histappend      Causes bash to append the history list to          shopt -s histappend
                the file named by HISTFILE (page 330)
                when the shell exits. By default bash
                overwrites this file.
histexpand      Turns on the history mechanism (which              set -o histexpand        set -H
                uses exclamation points by default;
                page 335). Turn this feature off to turn off
                history expansion.
history         Enables command history (on by default;            set -o history
                page 330).
huponexit       Specifies that bash send a SIGHUP signal           shopt -s huponexit
                to all jobs when an interactive login shell
                exits.
ignoreeof       Specifies that bash must receive ten EOF           set -o ignoreeof
                characters before it exits. Useful on noisy
                dial-up lines.
monitor         Enables job control (on by default,                set -o monitor           set -m
                page 307).
nocaseglob      Causes ambiguous file references                   shopt -s nocaseglob
                (page 256) to match filenames without
                regard to case (off by default).
noclobber       Helps prevent overwriting files (off by            set -o noclobber         set -C
                default; page 248).
noglob          Disables pathname expansion (off by                set -o noglob            set -f
                default; page 256).
notify          With job control (page 307) enabled,               set -o notify            set -b
                reports the termination status of
                background jobs immediately. The default
                behavior is to display the status just before
                the next prompt.
nounset         Displays an error and exits from a shell           set -o nounset           set -u
                script when you use an unset variable in an
                interactive shell. The default is to display a
                null value for an unset variable.
nullglob        Causes bash to expand ambiguous file               shopt -s nullglob
                references (page 256) that do not match a
                filename to a null string. By default bash
                passes these file references without
                expanding them.
posix           Runs bash in POSIX mode.                           set -o posix
verbose         Displays command lines as bash reads               set -o verbose           set -v
                them.
vi              Specifies vi editing mode for command-line         set -o vi
                editing (page 340).
xpg_echo        Causes the echo builtin to expand backslash        shopt -s xpg_echo
                escape sequences without the need
                for the -e option (page 980).
xtrace          Turns on shell debugging (page 966).               set -o xtrace            set -x



PROCESSING THE COMMAND LINE
Whether you are working interactively or running a shell script, bash needs to read
a command line before it can start processing it—bash always reads at least one line
before processing a command. Some bash builtins, such as if and case, as well as
functions and quoted strings, span multiple lines. When bash recognizes a command
that covers more than one line, it reads the entire command before processing it. In
interactive sessions, bash prompts you with the secondary prompt (PS2, > by
default; page 322) as you type each line of a multiline command until it recognizes
the end of the command:
$ echo 'hi
> end'
hi
end
$ function hello ()
> {
> echo hello there
> }
$


After reading a command line, bash applies history expansion and alias substitution
to the line.

HISTORY EXPANSION
"Reexecuting and Editing Commands" on page 332 discusses the commands you
can give to modify and reexecute command lines from the history list. History
expansion is the process that bash uses to turn a history command into an executable command line. For example, when you give the command !!, history expansion
changes that command line so it is the same as the previous one. History expansion
is turned on by default for interactive shells; set +o histexpand turns it off. History
expansion does not apply to noninteractive shells (shell scripts).

ALIAS SUBSTITUTION
Aliases (page 346) substitute a string for the first word of a simple command. By
default aliases are turned on for interactive shells and off for noninteractive shells.
Give the command shopt -u expand_aliases to turn aliases off.

PARSING AND SCANNING THE COMMAND LINE
After processing history commands and aliases, bash does not execute the command
immediately. One of the first things the shell does is to parse (isolate strings of characters in) the command line into tokens or words. The shell then scans each token for
special characters and patterns that instruct the shell to take certain actions. These
actions can involve substituting one word or words for another. When the shell parses
the following command line, it breaks it into three tokens (cp, ~/letter, and .):
$ cp ~/letter .

After separating tokens and before executing the command, the shell scans the
tokens and performs command-line expansion.

COMMAND-LINE EXPANSION
Both interactive and noninteractive shells transform the command line using command-line expansion before passing the command line to the program being called. You can
use a shell without knowing much about command-line expansion, but you can use
what a shell has to offer to a better advantage with an understanding of this topic. This
section covers Bourne Again Shell command-line expansion.
The Bourne Again Shell scans each token for the various types of expansion and
substitution in the following order. Most of these processes expand a word into a
single word. Only brace expansion, word splitting, and pathname expansion can
change the number of words in a command (except for the expansion of the variable; see page 1000).
1. Brace expansion (page 358)
2. Tilde expansion (page 359)
3. Parameter and variable expansion (page 360)
4. Arithmetic expansion (page 360)
5. Command substitution (page 362)
6. Word splitting (page 363)
7. Pathname expansion (page 363)
8. Process substitution (page 365)
Quote removal After bash finishes with the preceding list, it removes from the command line single
quotation marks, double quotation marks, and backslashes that are not a result of
an expansion. This process is called quote removal.
ORDER OF EXPANSION
The order in which bash carries out these steps affects the interpretation of commands. For example, if you set a variable to a value that looks like the instruction
for output redirection and then enter a command that uses the variable's value to
perform redirection, you might expect bash to redirect the output.
$ SENDIT="> /tmp/saveit"
$ echo xxx $SENDIT
xxx > /tmp/saveit
$ cat /tmp/saveit
cat: /tmp/saveit: No such file or directory

In fact, the shell does not redirect the output—it recognizes input and output redirection before it evaluates variables. When it executes the command line, the shell
checks for redirection and, finding none, evaluates the SENDIT variable. After
replacing the variable with > /tmp/saveit, bash passes the arguments to echo, which
dutifully copies its arguments to standard output. No /tmp/saveit file is created.
The following sections provide more detailed descriptions of the steps involved in
command processing. Keep in mind that double and single quotation marks cause
the shell to behave differently when performing expansions. Double quotation
marks permit parameter and variable expansion but suppress other types of expansion. Single quotation marks suppress all types of expansion.
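The SENDIT example and the remark on quotation marks can both be checked with a few functions. The bash script below is an added example, not code from the book: it counts the words echo receives after $SENDIT is expanded, confirms that no file is created, then shows what happens to the same text when eval forces a second pass (the > becomes a redirection operator, which is why eval on data you did not write yourself is a risk rather than a convenience), and finally contrasts the three kinds of quoting. The helper names count_args, redirect_via_variable, redirect_via_eval and quote_demo are this example's own; the scratch directory it writes to is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the book): redirection is recognised before
# variable expansion, so a > stored in a variable is just an argument.

# Print the number of arguments a command received; used to see how the
# shell tokenised a line after expansion.
count_args() {
    echo $#
}

# Expand SENDIT on an echo command line the way the text does. Prints the
# number of words echo received and whether the file was created.
redirect_via_variable() {
    local dir=$1 words
    local SENDIT="> $dir/saveit"
    words=$(count_args xxx $SENDIT)      # 3 words: xxx, >, <dir>/saveit
    echo xxx $SENDIT >/dev/null          # the > is passed to echo as text
    if [ -e "$dir/saveit" ]; then
        echo "$words created"
    else
        echo "$words not-created"
    fi
}

# The same text passed through eval is re-parsed, so now the > is a
# redirection operator and the file appears.
redirect_via_eval() {
    local dir=$1
    local SENDIT="> $dir/saveit"
    eval echo xxx $SENDIT
    if [ -e "$dir/saveit" ]; then
        echo "created: $(cat "$dir/saveit")"
    else
        echo not-created
    fi
}

# Quoting decides which expansions run: double quotation marks keep
# parameter and variable expansion, single quotation marks keep everything
# literal, and an unquoted word gets all of them.
quote_demo() {
    local name=max
    printf '%s|%s|%s\n' "$name" '$name' "${name}_$(echo sub)"
}

main() {
    local d
    d=$(mktemp -d)                       # constructed scratch directory
    echo "via variable: $(redirect_via_variable "$d")"   # 3 not-created
    echo "via eval:     $(redirect_via_eval "$d")"       # created: xxx
    echo "quoting:      $(quote_demo)"                   # max|$name|max_sub
    rm -rf "$d"
}

main "$@"
```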
BRACE EXPANSION
Brace expansion, which originated in the C Shell, provides a convenient way to
specify filenames when pathname expansion does not apply. Although brace expansion is almost always used to specify filenames, the mechanism can be used to generate arbitrary strings; the shell does not attempt to match the brace notation with
the names of existing files.
Brace expansion is turned on in interactive and noninteractive shells by default; you
can turn it off with set +o braceexpand. The shell also uses braces to isolate variable
names (page 316).
The following example illustrates how brace expansion works. The ls command does
not display any output because there are no files in the working directory. The echo
builtin displays the strings that the shell generates with brace expansion. In this case
the strings do not match filenames (because there are no files in the working directory).
$ ls
$ echo chap_{one,two,three}.txt
chap_one.txt chap_two.txt chap_three.txt


The shell expands the comma-separated strings inside the braces in the echo command into a SPACE-separated list of strings. Each string from the list is prepended
with the string chap_, called the preamble, and appended with the string .txt, called
the postscript. Both the preamble and the postscript are optional. The left-to-right
order of the strings within the braces is preserved in the expansion. For the shell to
treat the left and right braces specially and for brace expansion to occur, at least one
comma and no unquoted whitespace characters must be inside the braces. You can
nest brace expansions.
Brace expansion is useful when there is a long preamble or postscript. The following example copies four files—main.c, f1.c, f2.c, and tmp.c—located in the
/usr/local/src/C directory to the working directory:
$ cp /usr/local/src/C/{main,f1,f2,tmp}.c .


You can also use brace expansion to create directories with related names:
$ ls -F
file1  file2  file3
$ mkdir vrs{A,B,C,D,E}
$ ls -F
file1  file2  file3  vrsA/  vrsB/  vrsC/  vrsD/  vrsE/


The -F option causes ls to display a slash (/) after a directory and an asterisk (*)
after an executable file.
If you tried to use an ambiguous file reference instead of braces to specify the directories, the result would be different (and not what you wanted):
$ rmdir vrs*
$ mkdir vrs[A-E]
$ ls -F
file1  file2  file3  vrs[A-E]/

An ambiguous file reference matches the names of existing files. In the preceding
example, because it found no filenames matching vrs[A-E], bash passed the ambiguous file reference to mkdir, which created a directory with that name. Brackets in
ambiguous file references are discussed on page 259.
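The brace-versus-bracket contrast above, and the fact that brace expansion runs before variable expansion (step 1 before step 3 in the list of expansions), are both worth seeing in a script. The bash script below is an added example, not code from the book: order_demo shows that a comma list held in a variable is not brace-expanded on the first pass and needs eval for a second one, make_version_dirs creates the vrsA through vrsE directories of the text with brace expansion, and glob_words shows that vrs[A-E] expands to the literal pattern until matching directories exist. The helper names are this example's own and the directory it works in is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the book): brace expansion generates names from a
# pattern without consulting the file system; an ambiguous file reference
# only matches files that exist and otherwise stays literal.

# Brace expansion runs before variable expansion, so a comma list held in
# a variable is not expanded on the first pass. eval forces a second pass
# over the already-expanded text, which is when the braces take effect.
order_demo() {
    local list=one,two
    echo chap_{$list}.txt          # chap_{one,two}.txt (braces left alone)
    eval echo chap_{$list}.txt     # chap_one.txt chap_two.txt
}

# Create the vrsA..vrsE directories of the text under $1 with brace
# expansion, then print what vrs* matches, one name per line.
make_version_dirs() {
    local dir=$1
    mkdir "$dir"/vrs{A,B,C,D,E}
    ( cd "$dir" && printf '%s\n' vrs* )
}

# What pattern $2 expands to in directory $1: the existing matches, or the
# literal pattern when nothing matches (the trap shown in the text, where
# mkdir received the string vrs[A-E] and created a directory of that name).
glob_words() {
    local dir=$1 pattern=$2
    ( cd "$dir" && printf '%s\n' $pattern )
}

main() {
    local d
    d=$(mktemp -d)                 # constructed scratch directory
    order_demo
    echo "before mkdir, vrs[A-E] expands to: $(glob_words "$d" 'vrs[A-E]')"
    echo "created: $(make_version_dirs "$d" | tr '\n' ' ')"
    echo "after mkdir, vrs[A-E] expands to: $(glob_words "$d" 'vrs[A-E]' | tr '\n' ' ')"
    rm -rf "$d"
}

main "$@"
```

Before running mkdir on a pattern you expect to match nothing, glob_words is the check to make: if it prints the pattern back unchanged, a command given that word will receive it literally.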
TILDE EXPANSION
Chapter 6 introduced a shorthand notation to specify your home directory or the
home directory of another user. This section provides a more detailed explanation
of tilde expansion.
The tilde (~) is a special character when it appears at the start of a token on a command line. When it sees a tilde in this position, bash looks at the following string of
characters—up to the first slash (/) or to the end of the word if there is no slash—as
a possible username. If this possible username is null (that is, if the tilde appears as
a word by itself or if it is immediately followed by a slash), the shell substitutes the
value of the HOME variable for the tilde. The following example demonstrates this
expansion, where the last command copies the file named letter from Max's home
directory to the working directory:
$ echo $HOME
/home/max
$ echo ~
/home/max
$ echo ~/letter
/home/max/letter
$ cp ~/letter .


If the string of characters following the tilde forms a valid username, the shell substitutes the path of the home directory associated with that username for the tilde
and name. If the string is not null and not a valid username, the shell does not make
any substitution:
$ echo ~zach
/home/zach
$ echo ~root
/root
$ echo ~xx
~xx

Tildes are also used in directory stack manipulation (page 310). In addition, ~+ is a
synonym for PWD (the name of the working directory), and ~- is a synonym for
OLDPWD (the name of the previous working directory).
PARAMETER AND VARIABLE EXPANSION
On a command line, a dollar sign ($) that is not followed by an open parenthesis
introduces parameter or variable expansion. Parameters include both command-line, or positional, parameters (page 996) and special parameters (page 994). Variables include both user-created variables (page 314) and keyword variables
(page 318). The bash man and info pages do not make this distinction.
Parameters and variables are not expanded if they are enclosed within single quotation
marks or if the leading dollar sign is escaped (i.e., preceded with a backslash). If they are
enclosed within double quotation marks, the shell expands parameters and variables.
ARITHMETIC EXPANSION
The shell performs arithmetic expansion by evaluating an arithmetic expression and
replacing it with the result. Under bash the syntax for arithmetic expansion is
$((expression))
The shell evaluates expression and replaces $((expression)) with the result of the
evaluation. This syntax is similar to the syntax used for command substitution
[$(...)] and performs a parallel function. You can use $((expression)) as an argument
to a command or in place of any numeric value on a command line.
The rules for forming expression are the same as those found in the C programming
language; all standard C arithmetic operators are available (see Table 27-8 on
page 1019). Arithmetic in bash is done using integers. Unless you use variables of
type integer (page 318) or actual integers, however, the shell must convert string-valued variables to integers for the purpose of the arithmetic evaluation.
You do not need to precede variable names within expression with a dollar sign ($).
In the following example, after read (page 1003) assigns the user's response to age,
an arithmetic expression determines how many years are left until age 60:
$ cat age_check
#!/bin/bash
echo -n "How old are you? "
read age
echo "Wow, in $((60-age)) years, you'll be 60!"
$ ./age_check
How old are you? 55
Wow, in 5 years, you'll be 60!


You do not need to enclose the expression within quotation marks because bash
does not perform filename expansion on it. This feature makes it easier for you to
use an asterisk (*) for multiplication, as the following example shows:
$ echo There are $((60*60*24*365)) seconds in a non-leap year.
There are 31536000 seconds in a non-leap year.


The next example uses wc, cut, arithmetic expansion, and command substitution
(page 362) to estimate the number of pages required to print the contents of the file
letter.txt. The output of the wc (word count) utility used with the -l option is the
number of lines in the file, in columns (character positions) 1 through 4, followed
by a SPACE and the name of the file (the first command following). The cut utility with
the -c1-4 option extracts the first four columns.
$ wc -l letter.txt
351 letter.txt
$ wc -l letter.txt | cut -c1-4
351

The dollar sign and single parenthesis instruct the shell to perform command substitution; the dollar sign and double parentheses indicate arithmetic expansion:
$ echo $(( $(wc -l letter.txt | cut -c1-4)/66 + 1))
6


The preceding example sends standard output from wc to standard input of cut via a
pipe. Because of command substitution, the output of both commands replaces the
commands between the $( and the matching ) on the command line. Arithmetic
expansion then divides this number by 66, the number of lines on a page. A 1 is
added because the integer division results in any remainder being discarded.

Fewer dollar signs ($)
tip When you use variables within $(( and )), the dollar signs that precede individual variable references are optional:
$ x=23 y=37
$ echo $((2*$x+3*$y))
157
$ echo $((2*x+3*y))
157

Another way to get the same result without using cut is to redirect the input to wc
instead of having wc get its input from a file you name on the command line. When
you redirect its input, wc does not display the name of the file:
$ wc -l < letter.txt
351

It is common practice to assign the result of arithmetic expansion to a variable:
$ numpages=$(( $(wc -l < letter.txt)/66+1))

let builtin The let builtin evaluates arithmetic expressions just as the $(( )) syntax does. The
following command is equivalent to the preceding one:
$ let "numpages=$(wc -l < letter.txt)/66 + 1"


The double quotation marks keep the SPACEs (both those you can see and those that
result from the command substitution) from separating the expression into separate arguments to let. The value of the last expression determines the exit status of
let. If the value of the last expression is 0, the exit status of let is 1; otherwise, its
exit status is 0.
You can supply let with multiple arguments on a single command line:
$ let a=5+3 b=7+2
$ echo $a $b
8 9

When you refer to variables when doing arithmetic expansion with let or $(( )), the
shell does not require a variable name to begin with a dollar sign ($). Nevertheless,
it is a good practice to do so for consistency, as in most places you must precede a
variable name with a dollar sign.
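The arithmetic features described above (integer division inside $(( )), the optional dollar signs, a bare * that is safe from filename expansion, and the exit status of let) collected into one runnable bash script. This is an added example, not code from the book: LINES_PER_PAGE and the function names are assumptions, and the sample files are constructed in a temporary directory. It also uses the remainder operator so that a file of exactly 66 lines counts as one page, which the unconditional + 1 in the text does not.

```shell
#!/bin/bash
# Added example, not from the book: arithmetic expansion, let, and
# rounding up an integer division. LINES_PER_PAGE (66) matches the text.

LINES_PER_PAGE=66

# pages_for_file FILE: pages needed to print FILE at LINES_PER_PAGE lines
# per page. Input is redirected so wc prints only the count, no filename.
# Integer division discards the remainder, so one page is added only when a
# remainder exists; the text's unconditional "+ 1" overcounts exact multiples.
pages_for_file() {
    local lines
    lines=$(wc -l < "$1")
    echo $(( lines / LINES_PER_PAGE + (lines % LINES_PER_PAGE > 0) ))
}

# let_status EXPR: evaluate EXPR with the let builtin and print let's exit
# status, which is 1 when the last expression evaluates to 0 and 0 otherwise.
let_status() {
    local status=0
    let "$1" || status=$?
    echo "$status"
}

# seconds_in_year [EXTRA_DAYS]: the unquoted * needs no quoting because bash
# performs no filename expansion inside $(( )).
seconds_in_year() {
    local days=$(( 365 + ${1:-0} ))
    echo $(( 60*60*24*days ))
}

# make_lines N FILE: write N numbered lines to FILE (constructed sample input).
make_lines() {
    local i
    : > "$2"
    for ((i = 1; i <= $1; i++)); do echo "line $i" >> "$2"; done
}

# Stand-alone demonstration on constructed files in a temporary directory.
demo() {
    local dir
    dir=$(mktemp -d)
    make_lines 351 "$dir/letter.txt"
    make_lines 132 "$dir/memo.txt"
    echo "letter.txt needs $(pages_for_file "$dir/letter.txt") pages"   # 6
    echo "memo.txt needs $(pages_for_file "$dir/memo.txt") pages"       # 2
    echo "let x=5 exit status: $(let_status 'x=5')"                      # 0
    echo "let x=0 exit status: $(let_status 'x=0')"                      # 1
    echo "seconds in a non-leap year: $(seconds_in_year)"                # 31536000
    rm -rf "$dir"
}

demo
```

The let_status helper captures the status with `|| status=$?` rather than reading $? on the next line, so it keeps working when the script runs under set -e, where a let that returns 1 would otherwise abort the script.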
COMMAND SUBSTITUTION
Command substitution replaces a command with the output of that command. The
preferred syntax for command substitution under bash follows:
$(command)
Under bash you can also use the following, older syntax:
`command`

The shell executes command within a subshell and replaces command, along with
the surrounding punctuation, with standard output of command.
In the following example, the shell executes pwd and substitutes the output of the
command for the command and surrounding punctuation. Then the shell passes the
output of the command, which is now an argument, to echo, which displays it.
$ echo $(pwd)

/home/max

The next script assigns the output of the pwd builtin to the variable where and displays a message containing the value of this variable:
$ cat where
where=$(pwd)
echo "You are using the $where directory."
$ ./where
You are using the /home/zach directory.
Although it illustrates how to assign the output of a command to a variable, this
example is not realistic. You can more directly display the output of pwd without
using a variable:
$ cat where2
echo "You are using the $(pwd) directory."
$ ./where2
You are using the /home/zach directory.


The following command uses find to locate files with the name README in the
directory tree rooted at the working directory. This list of files is standard output of
find and becomes the list of arguments to ls.
$ ls -l $(find . -name README -print)
The next command line shows the older `command` syntax:
$ ls -l `find . -name README -print`

One advantage of the newer syntax is that it avoids the rather arcane rules for token
handling, quotation mark handling, and escaped back ticks within the old syntax.
Another advantage of the new syntax is that it can be nested, unlike the old syntax.
For example, you can produce a long listing of all README files whose size
exceeds the size of ./README with the following command:
$ ls -l $(find . -name README -size +$(echo $(cat ./README | wc -c)c ) -print )
Try giving this command after giving a set -x command (page 966) to see how bash
expands it. If there is no README file, you just get the output of ls -l.
For additional scripts that use command substitution, see pages 962, 981, and 1011.

$(( Versus $(
tip The symbols $(( constitute a single token. They introduce an arithmetic expression, not a command substitution. Thus, if you want to use a parenthesized subshell (page 306) within $(), you
must insert a SPACE between the $( and the following (.
W O R D SPLITTING
The results of parameter and variable expansion, command substitution, and arithmetic expansion are candidates for word splitting. Using each character of IFS
(page 323) as a possible delimiter, bash splits these candidates into words or tokens.
If IFS is unset, bash uses its default value (SPACE-TAB-NEWLINE). If IFS is null, bash does
not split words.
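The interaction between command substitution and word splitting described above, as an added bash example that is not from the book. The list_names function stands in for a command such as find whose output contains spaces and tabs; its output and the function names are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the book: how command substitution interacts
# with word splitting and IFS. Sample data is constructed inline.

# count_words WORD...: the number of arguments the shell passed, which is
# how many words a substitution produced after word splitting.
count_words() { echo $#; }

# A constructed command whose output contains spaces, tabs and newlines,
# standing in for something like find(1) listing filenames with spaces.
list_names() { printf 'report.txt\nmy notes.txt\nq4\tplan.txt\n'; }

# Unquoted: bash splits the output on every IFS character (space, tab,
# newline by default), so "my notes.txt" becomes two words.
unquoted_words() { count_words $(list_names); }

# Double-quoted: no word splitting; the whole output is one argument.
quoted_words() { count_words "$(list_names)"; }

# IFS restricted to newline only: each output line is one word, however
# many spaces or tabs it contains. IFS is changed in a subshell so the
# caller's environment is not affected.
newline_split_words() {
    ( IFS=$'\n'; count_words $(list_names) )
}

# Null IFS: bash performs no word splitting at all, so the whole output is
# one word even though it is unquoted.
null_ifs_words() {
    ( IFS=; count_words $(list_names) )
}

# Nested new-style substitution; the backquote form cannot nest this cleanly.
nested_example() {
    echo "$(basename "$(dirname /home/zach/grants/biblios)")"
}

echo "unquoted:      $(unquoted_words) words"        # 5
echo "quoted:        $(quoted_words) word"           # 1
echo "IFS=newline:   $(newline_split_words) words"   # 3
echo "IFS=null:      $(null_ifs_words) word"         # 1
echo "nested:        $(nested_example)"              # grants
```

The unquoted case is the one that matters in scripts that pass command output on to another program: a filename containing a space arrives as two arguments, so quoting the substitution (or narrowing IFS) is what keeps each name intact.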
PATHNAME EXPANSION
Pathname expansion (page 256), also called filename generation or globbing, is the
process of interpreting ambiguous file references and substituting the appropriate list
of filenames. Unless noglob (page 355) is set, the shell performs this function when it
encounters an ambiguous file reference—a token containing any of the unquoted
characters *, ?, [, or ]. If bash cannot locate any files that match the specified pattern, the token with the ambiguous file reference is left alone. The shell does not
delete the token or replace it with a null string but rather passes it to the program as
is (except see nullglob on page 355).
In the first echo command in the following example, the shell expands the ambiguous file reference tmp* and passes three tokens (tmp1, tmp2, and tmp3) to echo.
The echo builtin displays the three filenames it was passed by the shell. After rm


removes the three tmp* files, the shell finds no filenames that match tmp* when it
tries to expand it. It then passes the unexpanded string to the echo builtin, which
displays the string it was passed.
$ ls
tmp1 tmp2 tmp3
$ echo tmp*
tmp1 tmp2 tmp3
$ rm tmp*
$ echo tmp*
tmp*

A period that either starts a pathname or follows a slash (/) in a pathname must be
matched explicitly unless you have set dotglob (page 354). The option nocaseglob
(page 355) causes ambiguous file references to match filenames without regard
to case.
Quotation marks Putting double quotation marks around an argument causes the shell to suppress
pathname and all other kinds of expansion except parameter and variable expansion. Putting single quotation marks around an argument suppresses all types of
expansion. The second echo command in the following example shows the variable
$max between double quotation marks, which allow variable expansion. As a result
the shell expands the variable to its value: sonar. This expansion does not occur in
the third echo command, which uses single quotation marks. Because neither single
nor double quotation marks allow pathname expansion, the last two commands
display the unexpanded argument tmp*.
$ echo tmp* $max
tmp1 tmp2 tmp3 sonar
$ echo "tmp* $max"
tmp* sonar
$ echo 'tmp* $max'
tmp* $max

The shell distinguishes between the value of a variable and a reference to the variable and does not expand ambiguous file references if they occur in the value of a
variable. As a consequence you can assign to a variable a value that includes special
characters, such as an asterisk (*).
Levels of expansion In the next example, the working directory has three files whose names begin with
letter. When you assign the value letter* to the variable var, the shell does not
expand the ambiguous file reference because it occurs in the value of a variable (in
the assignment statement for the variable). No quotation marks surround the string
letter*; context alone prevents the expansion. After the assignment the set builtin
(with the help of grep) shows the value of var to be letter*.
$ ls letter*
letter1 letter2 letter3
$ var=letter*
$ set | grep var
var='letter*'
$ echo '$var'
$var
$ echo "$var"
letter*
$ echo $var
letter1 letter2 letter3

The three echo commands demonstrate three levels of expansion. When $var is
quoted with single quotation marks, the shell performs no expansion and passes the
character string $var to echo, which displays it. With double quotation marks, the
shell performs variable expansion only and substitutes the value of the var variable
for its name, preceded by a dollar sign. No pathname expansion is performed on
this command because double quotation marks suppress it. In the final command,
the shell, without the limitations of quotation marks, performs variable substitution
and then pathname expansion before passing the arguments to echo.
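The three levels of expansion just described, together with the noglob and nullglob behaviour mentioned earlier in this section, as an added bash example that is not from the book. The helper functions, the temporary directory holding letter1, letter2 and letter3, and the nosuch* pattern are all constructed for this example.

```shell
#!/bin/bash
# Added example, not from the book: the three levels of expansion and the
# noglob/nullglob options, run against constructed files in a temp dir.

# argc WORD...: how many arguments the called program would receive.
argc() { echo $#; }

# first_arg WORD...: the first argument, to see exactly what the shell passed.
first_arg() { echo "$1"; }

# Assignment: no pathname expansion takes place in a variable's value.
var='letter*'

# Single quotes: no expansion at all; the literal string $var is the argument.
single_quoted() { first_arg '$var'; }

# Double quotes: variable expansion only; the argument is the string letter*.
double_quoted() { first_arg "$var"; }

# Unquoted: variable expansion, then pathname expansion; one argument per
# matching file (three in the constructed directory).
unquoted_count() { argc $var; }

# No matching file: the pattern is passed through unchanged ...
nomatch() { first_arg nosuch*; }

# ... unless nullglob is set, in which case the token disappears entirely.
nullglob_count() { ( shopt -s nullglob; argc nosuch* ); }

# noglob (set -f) turns pathname expansion off, so letter* stays one word.
noglob_count() { ( set -f; argc $var ); }

# with_letters FUNC: run FUNC inside a directory holding letter1..letter3.
with_letters() {
    local dir
    dir=$(mktemp -d)
    touch "$dir/letter1" "$dir/letter2" "$dir/letter3"
    ( cd "$dir" && "$@" )
    rm -rf "$dir"
}

echo "single quotes: $(single_quoted)"                 # $var
echo "double quotes: $(double_quoted)"                 # letter*
echo "unquoted:      $(with_letters unquoted_count)"   # 3
echo "no match:      $(with_letters nomatch)"          # nosuch*
echo "nullglob:      $(with_letters nullglob_count)"   # 0
echo "noglob:        $(with_letters noglob_count)"     # 1
```

The unquoted case is why a variable holding untrusted text should be double-quoted when it is used as an argument: a value containing * or ? is otherwise expanded against the working directory before the program ever sees it.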
PROCESS SUBSTITUTION
A special feature of the Bourne Again Shell is the ability to replace filename arguments with processes. An argument with the syntax <(command) causes command
to be executed and the output written to a named pipe (FIFO). The shell replaces
that argument with the name of the pipe. If that argument is then used as the name
of an input file during processing, the output of command is read. Similarly an argument with the syntax >(command) is replaced by the name of a pipe that command
reads as standard input.
The following example uses sort (page 168) with the -m (merge, which works correctly only if the input files are already sorted) option to combine two word lists
into a single list. Each word list is generated by a pipe that extracts words matching
a pattern from a file and sorts the words in that list.
$ sort -m -f <(grep "[^A-Z]..$" memo1 | sort) <(grep ".*aba.*" memo2 | sort)
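The merge above, as an added bash example that is not from the book. The memo1 and memo2 word lists are constructed inline as functions so it runs without any files; the grep patterns follow the text. Because sort -m assumes its inputs are already sorted in the same order, the inner sorts use -f as well. A second function shows the other common use of <( ): comparing two command outputs with comm, which likewise needs file-name arguments.

```shell
#!/bin/bash
# Added example, not from the book: process substitution. memo1/memo2 are
# constructed inline; the grep patterns follow the text.

# Constructed sample word lists (one word per line, unsorted).
memo1_words() { printf 'delta\nAlpha\ncharlie\nbravo\n'; }
memo2_words() { printf 'zebra\nabacus\nlabalab\nmango\nbravo\n'; }

# merge_lists: sort -m merges two already sorted streams. Each <( ) runs its
# pipeline and is replaced by the name of a FIFO (or /dev/fd entry) that sort
# opens as an input file. The inner sorts fold case (-f) so that the merge,
# which also folds case, receives inputs in the order it expects.
merge_lists() {
    sort -m -f <(memo1_words | grep "[^A-Z]..$" | sort -f) \
               <(memo2_words | grep ".*aba.*" | sort -f)
}

# count_merged: number of lines merge_lists produces.
count_merged() { merge_lists | wc -l | tr -d ' '; }

# only_in_memo1: words present in memo1 but not memo2, without temporary
# files. comm requires two sorted "files", which <( ) supplies.
only_in_memo1() { comm -23 <(memo1_words | sort) <(memo2_words | sort); }

# count_only_in_memo1: number of lines only_in_memo1 produces.
count_only_in_memo1() { only_in_memo1 | wc -l | tr -d ' '; }

echo "merged list:"
merge_lists                 # abacus Alpha bravo charlie delta labalab
echo "words only in memo1:"
only_in_memo1               # Alpha charlie delta
```

The >(command) form works the same way in reverse: the argument becomes a FIFO that command reads as standard input. Note that the command behind a >( ) runs asynchronously, so a script must not assume it has finished writing when the producing command returns.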

CHAPTER S U M M A R Y
The shell is both a command interpreter and a programming language. As a command interpreter, it executes commands you enter in response to its prompt. As a
programming language, the shell executes commands from files called shell scripts.
When you start a shell, it typically runs one or more startup files.
Running a shell script Assuming the file holding a shell script is in the working directory, there are three
basic ways to execute the shell script from the command line.
1. Type the simple filename of the file that holds the script.
2. Type a relative pathname, including the simple filename preceded by ./.
3. Type bash followed by the name of the file.


Technique 1 requires that the working directory be in the PATH variable. Techniques 1 and 2 require that you have execute and read permission for the file holding the script. Technique 3 requires that you have read permission for the file
holding the script.
Job control A job is one or more commands connected by pipes. You can bring a job running in
the background into the foreground using the fg builtin. You can put a foreground
job into the background using the bg builtin, provided that you first suspend the job
by pressing the suspend key (typically CONTROL-Z). Use the jobs builtin to see which
jobs are running or suspended.
Variables The shell allows you to define variables. You can declare and initialize a variable by
assigning a value to it; you can remove a variable declaration using unset. Variables
are local to a process unless they are exported using the export builtin to make them
available to child processes. Variables you declare are called user-created variables.
The shell defines keyword variables. Within a shell script you can work with the
command-line (positional) parameters the script was called with.
Process Each process has a unique identification (PID) number and is the execution of a single Linux command. When you give it a command, the shell forks a new (child)
process to execute the command, unless the command is built into the shell. While
the child process is running, the shell is in a state called sleep. By ending a command
line with an ampersand (&), you can run a child process in the background and
bypass the sleep state so that the shell prompt returns immediately after you press
RETURN. Each command in a shell script forks a separate process, each of which may
in turn fork other processes. When a process terminates, it returns its exit status to
its parent process. An exit status of zero signifies success; nonzero signifies failure.
History The history mechanism, a feature adapted from the C Shell, maintains a list of
recently issued command lines, also called events, that provides a way to reexecute
previous commands quickly. There are several ways to work with the history list;
one of the easiest is to use a command-line editor.
Command-line editors When using an interactive Bourne Again Shell, you can edit a command line and
commands from the history file, using either of the Bourne Again Shell's command-line editors (vim or emacs). When you use the vim command-line editor, you start in
Input mode, unlike vim. You can switch between Command and Input modes. The
emacs editor is modeless and distinguishes commands from editor input by recognizing control characters as commands.
Aliases An alias is a name that the shell translates into another name or (complex) command. Aliases allow you to define new commands by substituting a string for the
first token of a simple command.
Functions A shell function is a series of commands that, unlike a shell script, is parsed prior to
being stored in memory. As a consequence shell functions run faster than shell
scripts. Shell scripts are parsed at runtime and are stored on disk. A function can be
defined on the command line or within a shell script. If you want the function definition to remain in effect across login sessions, you can define it in a startup file.
Like functions in many programming languages, a shell function is called by giving
its name followed by any arguments.


Shell features There are several ways to customize the shell's behavior. You can use options on the
command line when you call bash. You can use the bash set and shopt builtins to
turn features on and off.
Command-line When it processes a command line, the Bourne Again Shell may replace some
expansion words with expanded text. Most types of command-line expansion are invoked by
the appearance of a special character within a word (for example, a leading dollar
sign denotes a variable). Table 9-6 on page 326 lists these special characters. The
expansions take place in a specific order. Following the history and alias expansions, the common expansions are parameter and variable expansion, command
substitution, and pathname expansion. Surrounding a word with double quotation
marks suppresses all types of expansion except parameter and variable expansion.
Single quotation marks suppress all types of expansion, as does quoting (escaping)
a special character by preceding it with a backslash.

EXERCISES
1. Explain the following unexpected result:
$ whereis date
date: /bin/date ...
$ echo $PATH
.:/usr/local/bin:/usr/bin:/bin
$ cat > date
echo "This is my own version of date."
$ ./date
Fri May 21 11:45:49 PDT 2010

2. What are two ways you can execute a shell script when you do not have
execute permission for the file containing the script? Can you execute a
shell script if you do not have read permission for the file containing the
script?
3. What is the purpose of the PATH variable?
a. Set the PATH variable so that it causes the shell to search the following
directories in order:
• /usr/local/bin
• /usr/bin
• /bin
• /usr/kerberos/bin
• The bin directory in your home directory
• The working directory


b. If there is a file named doit in /usr/bin and another file with the same
name in your ~/bin directory, which one will be executed? (Assume that
you have execute permission for both files.)
c. If your PATH variable is not set to search the working directory, how
can you execute a program located there?
d. Which command can you use to add the directory /usr/games to the end
of the list of directories in PATH?
4. Assume you have made the following assignment:
$ person=zach
Give the output of each of the following commands:
a. echo $person
b. echo '$person'
c. echo "$person"

5. The following shell script adds entries to a file named j o u r n a l - f i l e in your
home directory. This script helps you keep track of phone conversations
and meetings.
$ cat journal
# journal: add journal entries to the file
# $HOME/journal-file
file=$HOME/journal-file
date >> $file
echo -n "Enter name of person or group: "
read name
echo "$name" >> $file
echo >> $file
cat >> $file
echo "[separator string lost in extraction]" >> $file
echo >> $file

a. What do you have to do to the script to be able to execute it?
b. Why does the script use the read builtin the first time it accepts input
from the terminal and the cat utility the second time?
6. Assume the /home/zach/grants/biblios and /home/zach/biblios directories
exist. Give Zach's working directory after he executes each sequence of
commands given. Explain what happens in each case.
a.
$ pwd
/home/zach/grants
$ CDPATH=$(pwd)
$ cd
$ cd biblios
b.
$ pwd
/home/zach/grants
$ CDPATH=$(pwd)
$ cd $HOME/biblios

7. Name two ways you can identify the PID number of the login shell.
8. Give the following command:
$ sleep 30 | cat /etc/inittab

Is there any output from sleep? Where does cat get its input from? What
has to happen before the shell displays another prompt?

ADVANCED EXERCISES
9. Write a sequence of commands or a script that demonstrates variable
expansion occurs before pathname expansion.
10. Write a shell script that outputs the name of the shell executing it.
11. Explain the behavior of the following shell script:
$ cat quote_demo
twoliner="This is line 1.
This is line 2."
echo "$twoliner"
echo $twoliner

a. How many arguments does each echo command see in this script?
Explain.
b. Redefine the IFS shell variable so that the output of the second echo is
the same as the first.
12. Add the exit status of the previous command to your prompt so that it
behaves similarly to the following:
$ [0] ls xxx
ls: xxx: No such file or directory
$ [1]

13. The dirname utility treats its argument as a pathname and writes to standard output the path prefix—that is, everything up to but not including
the last component:
$ dirname a/b/c/d
a/b/c
If you give dirname a simple filename (no / characters) as an argument,
dirname writes a . to standard output:
$ dirname simple
.
Implement dirname as a bash function. Make sure that it behaves sensibly
when given such arguments as /.
14. Implement the basename utility, which writes the last component of its
pathname argument to standard output, as a bash function. For example,
given the pathname a / b / c / d , basename writes d to standard output:
$ basename a/b/c/d
d

15. The Linux basename utility has an optional second argument. If you give
the command basename path suffix, basename removes the suffix and the
prefix from path:
$ basename src/shellfiles/prog.bash .bash
prog
$ basename src/shellfiles/prog.bash .c
prog.bash

Add this feature to the function you wrote for exercise 14.

10
NETWORKING AND THE INTERNET

IN THIS CHAPTER
Types of Networks and How They Work 373
Network Protocols 379
Network Utilities 390
ping: Tests a Network Connection 393
traceroute: Traces a Route over the Internet 394
host and dig: Query Internet Nameservers 396
Distributed Computing 397
Usenet 407
WWW: World Wide Web 409

The communications facilities linking computers are continually
improving, allowing faster and more economical connections. The
earliest computers were unconnected stand-alone systems. To
transfer information from one system to another, you had to store
it in some form (usually magnetic tape, paper tape, or punch
cards—called IBM or Hollerith cards), carry it to a compatible system, and read it back in. A notable advance occurred when computers began to exchange data over serial lines, although the
transfer rate was slow (hundreds of bits per second). People
quickly invented new ways to take advantage of this computing
power, such as email, news retrieval, and bulletin board services.
With the speed of today's networks, a piece of email can cross the
country or even travel halfway around the world in a few seconds.
Today it would be difficult to find a computer facility that does
not include a LAN to link its systems. Linux systems are typically attached to an Ethernet (page 1147) network. Wireless
networks are also prevalent. Large computer facilities usually
maintain several networks, often of different types, and almost
certainly have connections to larger networks (companywide or
campuswide and beyond).


Internet The Internet is a loosely administered network of networks (an internetwork) that
links computers on diverse LANs around the globe. An internet (small i) is a generic
network of networks that may share some parts in common with the public Internet. It is the Internet that makes it possible to send an email message to a colleague
thousands of miles away and receive a reply within minutes. A related term, intranet, refers to the networking infrastructure within a company or other institution.
Intranets are usually private; access to them from external networks may be limited
and carefully controlled, typically using firewalls (page 379).
Network services Over the past decade many network services have emerged and become standardized. On Linux and UNIX systems, special processes called daemons (page 1144)
support such services by exchanging specialized messages with other systems over
the network. Several software systems have been created to allow computers to
share filesystems with one another, making it appear as though remote files are
stored on local disks. Sharing remote filesystems allows users to share information
without knowing where the files physically reside, without making unnecessary
copies, and without learning a new set of utilities to manipulate them. Because the
files appear to be stored locally, you can use standard utilities (such as cat, vim, lpr,
mv, or their graphical counterparts) to work with them.
Developers have created new tools and extended existing ones to take advantage of
higher network speeds and to work within more crowded networks. The rlogin, rsh,
and telnet utilities, which were designed long ago, have largely been supplanted by
ssh (secure shell, page 663) in recent years. The ssh utility allows a user to log in on
or execute commands securely on a remote computer. Users rely on such utilities as
scp and ftp to transfer files from one system to another across the network. Communication utilities, including email utilities and chat programs (e.g., talk, Internet Relay
Chat [IRC], ICQ, and instant messenger [IM] programs, such as AOL's AIM and
Pidgin) have become so prevalent that many people with very little computer expertise use them on a daily basis to keep in touch with friends, family, and colleagues.
Intranet An intranet is a network that connects computing resources at a school, company,
or other organization but, unlike the Internet, typically restricts access to internal
users. An intranet is very similar to a LAN (local area network) but is based on
Internet technology. An intranet can provide database, email, and Web page access
to a limited group of people, regardless of their geographic location.
The ability of an intranet to connect dissimilar machines is one of its strengths.
Think of all the machines you can find on the Internet: Macintosh systems, PCs running different versions of Windows, machines running UNIX and Linux, and so on.
Each of these machines can communicate via IP (page 380), a common protocol. So
it is with an intranet: Dissimilar machines can all talk to one another.
Another key difference between the Internet and an intranet is that the Internet transmits only one protocol suite: IP. In contrast, an intranet can be set up to use a number
of protocols, such as IP, IPX, AppleTalk, DECnet, XNS, or other protocols developed
by vendors over the years. Although these protocols cannot be transmitted directly
over the Internet, you can set up special gateway boxes at remote sites that tunnel or
encapsulate these protocols into IP packets and then use the Internet to pass them.


You can use an extranet (also called a partner net) or a virtual private network
(VPN) to improve security. These terms describe ways to connect remote sites
securely to a local site, typically by using the public Internet as a carrier and
employing encryption as a means of protecting data in transit.
Following are some terms you may want to become familiar with before you read
the rest of this chapter:
ASP (page 1135)
bridge (page 1138)
extranet (page 1147)
firewall (page 1148)
gateway (page 1149)
hub (page 1152)
internet (page 1154)
Internet (page 1154)
intranet (page 1154)
ISP (page 1155)
packet (page 1164)
router (page 1170)
sneakernet (page 1172)
switch (page 1175)
VPN (page 1180)

TYPES OF NETWORKS AND HOW THEY WORK
Computers communicate over networks using unique addresses assigned by system
software. A computer message, called a packet, frame, or datagram, includes the
address of the destination computer and the sender's return address. The three most
common types of networks are broadcast, point-to-point, and switched. Once popular, token-based networks (such as FDDI and token ring) are rarely seen anymore.
Speed is critical to the proper functioning of the Internet. Newer specifications
(cat 6 and cat 7) are being standardized for 1000BaseT (1 gigabit per second, called
gigabit Ethernet, or GIG-E) and faster networking. Some of the networks that form
the backbone of the Internet run at speeds of almost 40 gigabits per second
(OC768) to accommodate the ever-increasing demand for network services.
Table 10-1 lists some of the specifications in use today.

Table 10-1   Network specifications

Specification   Speed
DS0             64 kilobits per second
ISDN            Two DS0 lines plus signaling (16 kilobits per second) or 128 kilobits per second
T-1             1.544 megabits per second (24 DS0 lines)
T-3             43.232 megabits per second (28 T-1s)
OC3             155 megabits per second (100 T-1s)
OC12            622 megabits per second (4 OC3s)
OC48            2.5 gigabits per second (4 OC12s)
OC192           9.6 gigabits per second (4 OC48s)
OC768           38.4 gigabits per second (4 OC192s)


BROADCAST NETWORKS
On a broadcast network, such as Ethernet, any of the many systems attached to the
network cable can send a message at any time; each system examines the address in
each message and responds only to messages addressed to it. A problem occurs on
a broadcast network when multiple systems send data at the same time, resulting
in a collision of the messages on the cable. When messages collide, they can
become garbled. The sending system notices the garbled message and resends it
after waiting a short but random amount of time. Waiting a random amount of
time helps prevent those same systems from resending the data at the same
moment and experiencing yet another collision. The extra traffic that results from
collisions can strain the network; if the collision rate gets too high, retransmissions
may result in more collisions. Ultimately the network may become unusable.

POINT-TO-POINT NETWORKS
A point-to-point link does not seem like much of a network because only two endpoints are involved. However, most connections to WANs (wide area networks) go
through point-to-point links, using wire cable, radio, or satellite links. The advantage
of a point-to-point link is its simplicity: Because only two systems are involved, the
traffic on the link is limited and well understood. A disadvantage is that each system
can typically be equipped for only a small number of such links; it is impractical and
costly to establish point-to-point links that connect each computer to all the rest.
Point-to-point links often use serial lines and modems. The combination of a
modem with a point-to-point link allows an isolated system to connect inexpensively to a larger network.
The most common types of point-to-point links are the ones used to connect to the
Internet. When you use DSL[1] (digital subscriber line), you are using a point-to-point
link to connect to the Internet. Serial lines, such as T-1, T-3, ATM links, and ISDN,
are all point-to-point. Although it might seem like a point-to-point link, a cable
modem is based on broadcast technology and in that way is similar to Ethernet.

SWITCHED NETWORKS
A switch is a device that establishes a virtual path between source and destination
hosts in such a way that each path appears to be a point-to-point link, much like a
railroad roundhouse. The switch creates and tears down virtual paths as hosts seek to
communicate with each other. Each host thinks it has a direct point-to-point path to
the host it is talking to. Contrast this approach with a broadcast network, where each
host also sees traffic bound for other hosts. The advantage of a switched network
over a pure point-to-point network is that each host requires only one connection: the
connection to the switch. Using pure point-to-point connections, each host must have
a connection to every other host. Scalability is provided by further linking switches.

1. The term DSL incorporates the xDSL suite of technologies, which includes ADSL, XDSL, SDSL, and HDSL.


LAN: LOCAL AREA NETWORK
Local area networks (LANs) are confined to a relatively small area—a single computer facility, building, or campus. Today most LANs run over copper or fiberoptic
(glass or plastic) cable, but other wireless technologies, such as infrared (similar to
most television remote control devices) and radio wave (wireless, or Wi-Fi), are
becoming more popular.
If its destination address is not on the local network, a packet must be passed on to
another network by a router (page 376). A router may be a general-purpose computer or
a special-purpose device attached to multiple networks to act as a gateway among them.
ETHERNET
A Linux system connected to a LAN usually connects to a network using Ethernet.
A typical Ethernet connection can support data transfer rates from 10 megabits
per second to 1 gigabit per second, with further speed enhancements planned for
the future. As a result of computer load, competing network traffic, and network overhead, file transfer rates on an Ethernet are always slower than the
maximum, theoretical transfer rate.
Cables An Ethernet network transfers data using copper or fiberoptic cable or wireless transmitters and receivers. Originally, each computer was attached to a thick coaxial cable
(called thicknet) at tap points spaced at six-foot intervals along the cable. The thick
cable was awkward to deal with, so other solutions, including a thinner coaxial cable
called thinnet, or 10Base2,[2] were developed. Today most Ethernet connections are
either wireless or made over unshielded twisted pair (referred to as UTP, Category 5
[cat 5], Category 5e [cat 5e], Category 6 [cat 6], 10BaseT, or 100BaseT) wire—similar
to the type of wire used for telephone lines and serial data communications.
Segment A network segment is a part of a network in which all systems communicate using
the same physical layer (layer 1) of the IP and OSI models (page 380).
Duplex In half-duplex mode, packets travel in one direction at a time over the cable. In full-duplex mode, packets travel in both directions.
Hub A hub (sometimes called a concentrator) is a device that connects systems so they
are all part of one network segment and share the network bandwidth. Hubs work
at the physical layer of the IP and OSI models (layer 1, page 380).
Switch A switch connects network segments. A switch inspects each data packet and learns
which devices are connected to which of its ports. The switch sorts packets and sends
each packet only to the device it is intended for. Because a switch sends packets only
to their destination devices, it can conserve network bandwidth and perform better
than a hub. A switch may have buffers for holding and queuing packets. Switches
work at the data link layer of the IP and OSI models (layer 2, page 380).

2. Versions of Ethernet are classified as XBaseY, where X is the data rate in megabits per second, Base
means baseband (as opposed to radio frequency), and Y is the category of cabling.

376    CHAPTER 10    NETWORKING AND THE INTERNET

Some Ethernet switches have enough bandwidth to communicate simultaneously, in
full-duplex mode, with all connected devices. A nonswitched (hub-based) broadcast
network can run in only half-duplex mode. Full-duplex Ethernet further improves
things by eliminating collisions. Theoretically, each host on a switched network can
transmit and receive simultaneously at the speed of the network (e.g., 100 megabits
per second) for an effective bandwidth between hosts of twice the speed of the network (e.g., 200 megabits per second), depending on the capacity of the switch.
Router A router connects networks. For example, a router can connect a LAN to a WAN
(such as the Internet). A router determines which path packets should take to travel to
a different network and forwards the packets. Routers work at the network layer of
the IP and OSI models (layer 3, page 380). The next page covers routers in more depth.
WIRELESS
Wireless networks are becoming increasingly common. They are found in offices,
homes, and public places, such as universities, coffee shops, and airports. Wireless
access points provide functionality similar to an Ethernet hub. They allow multiple
users to interact via a common radio frequency spectrum. A wireless, point-to-point
connection allows you to wander about your home or office with a laptop, using an
antenna to link to a LAN or to the Internet via an in-house base station. Linux
includes drivers for many of the common wireless boards. A wireless access point,
or base station, connects a wireless network to a wired network so that no special
protocol is required for a wireless connection. Refer to the Linux Wireless LAN
HOWTO at www.hpl.hp.com/personal/Jean_Tourrilhes/Linux.

WAN: WIDE AREA NETWORK
A wide area network (WAN) covers a large geographic area. In contrast, the technologies (such as Ethernet) used for LANs were designed to work over limited distances and for a certain number of host connections. A WAN may span long
distances over dedicated data lines (leased from a telephone company) or radio or
satellite links. Such networks are often used to interconnect LANs. Major Internet
service providers rely on WANs to connect to their customers within a country and
around the globe.
MAN Some networks do not fit into either the LAN or the WAN designation. A metropolitan area network (MAN) is a network that is contained in a smaller geographic
area, such as a city. Like WANs, MANs are typically used to interconnect LANs.

INTERNETWORKING THROUGH GATEWAYS AND ROUTERS
Gateway A LAN connects to a WAN through a gateway, a generic term for a computer or a
special device with multiple network connections that passes data from one network to another. A gateway converts the data traffic from the format used on the
LAN to that used on the WAN. Data that crosses the country from one Ethernet to
another over a WAN, for example, is repackaged from the Ethernet format to a
different format that can be processed by the communications equipment that


makes up the WAN backbone. When it reaches the end of its journey over the
WAN, the data is converted by another gateway to a format appropriate for the
receiving network. For the most part, these details are of concern only to the network administrators; the end user does not need to know anything about how the
data transfer takes place.
Router A router is the most popular form of gateway. Routers play an important role in
internetworking. Just as you might study a map to plan your route when you need to
drive to an unfamiliar place, so a computer needs to know how to deliver a message
to a system attached to a distant network by passing through intermediary systems
and networks along the way. Although you might envision using a giant network
road map to choose the route that your data should follow, a static map of computer
routes is usually a poor choice for a large network. Computers and networks along
the route you choose may be overloaded or down, without providing a detour for
your message.
Routers instead communicate dynamically, keeping each other informed about
which routes are open for use. To extend the analogy, this situation would be like
heading out on a car trip without consulting a map to find a route to your destination; instead you head for a nearby gas station and ask directions. Throughout the
journey you continue to stop at one gas station after another, getting directions at
each to find the next one. Although it would take a while to make the stops, the
owner of each gas station would advise you of bad traffic, closed roads, alternative
routes, and shortcuts.
The stops made by the data are much quicker than those you would make in your
car, but each message leaves each router on a path chosen based on the most current
information. Think of this system as a GPS (global positioning system) setup that
automatically gets updates at each intersection and tells you where to go next,
based on traffic and highway conditions.
Figure 10-1 (next page) shows an example of how LANs might be set up at three
sites interconnected by a WAN (the Internet). In this type of network diagram,
Ethernet LANs are drawn as straight lines, with devices attached at right angles;
WANs are represented as clouds, indicating that the details have been left out; and
wireless connections are drawn as zigzag lines with breaks, indicating that the connection may be intermittent.
In Figure 10-1, a gateway or a router relays messages between each LAN and the
Internet. Three of the routers in the Internet are shown (for example, the one closest
to each site). Site A has a server, a workstation, a network computer, and a PC sharing a single Ethernet LAN. Site B has an Ethernet LAN that serves a printer and
four Linux workstations. A firewall permits only certain traffic to pass between the
Internet router and the site's local router. Site C has three LANs linked by a single
router, perhaps to reduce the traffic load that would result if the LANs were combined or to keep workgroups or locations on separate networks. Site C also includes
a wireless access point that enables wireless communication with nearby computers.

Figure 10-1    A slice of the Internet

FIREWALL
A firewall in a car separates the engine compartment from the passenger compartment, protecting the driver and passengers from engine fires, noise, and fumes. In
much the same way, computer firewalls separate computers from malicious and
unwanted users.
A firewall prevents certain types of traffic from entering or leaving a network. For
example, a firewall might prevent traffic from your IP address from leaving the
network and prevent anyone except users from selected domains from using FTP to
retrieve data from the network. The implementations of firewalls vary
widely—from Linux machines with two interfaces (page 1154) running custom
software to a router (preceding section) with simple access lists to esoteric, vendor-supplied firewall appliances. Most larger installations have at least one kind of
firewall in place. A firewall is often accompanied by a proxy server/gateway
(page 405) that provides an intermediate point between you and the host you are
communicating with.
In addition to the firewalls found in multipurpose computers, firewalls are becoming increasingly common in consumer appliances. For example, they are built into
cable modems, wireless gateways, routers, and stand-alone devices.
Typically a single Linux machine will include a minimal firewall. A small group of
Linux systems may have an inexpensive Linux machine with two network interfaces
and packet-filtering software functioning as a dedicated firewall. One of the interfaces connects to the Internet, modems, and other outside data sources. The other
connects, normally through a hub or switch, to the local network. Refer to
Chapter 25 for information on gufw, iptables, and setting up a firewall and to
Appendix C for a discussion of security.

NETWORK PROTOCOLS
To exchange information over a network, computers must communicate using a
common language, or protocol (page 1166). The protocol determines the format
of message packets. The predominant network protocols used by Linux systems
are TCP and IP,[3] collectively referred to as TCP/IP (Transmission Control Protocol and Internet Protocol). Network services that need highly reliable connections,
such as ssh and scp, tend to use TCP/IP. Another protocol used for some system
services is UDP (User Datagram Protocol). Network services that do not require
guaranteed delivery, such as RealAudio and RealVideo, operate satisfactorily with
the simpler UDP.[4]

3. All references to IP imply IPv4 (page 1155).

4. Voice and video protocols are delay sensitive, not integrity sensitive. The human ear and eye accept and
interpolate loss in an audio or video stream but cannot deal with variable delay. The guaranteed delivery
that TCP provides introduces a delay on a busy network when packets get retransmitted. This delay is not
acceptable for video and audio transmissions, whereas less than 100 percent integrity is acceptable.


IP: INTERNET PROTOCOL
Layering was introduced to facilitate protocol design: Layers distinguish functional
differences between adjacent protocols. A grouping of layers can be standardized
into a protocol model. IP has a model that distinguishes protocol layers. The IP
model differs from the ISO seven-layer protocol model (also called the OSI model)
that is often illustrated in networking textbooks. Specifically IP uses the following
simplified five-layer model:
1. The first layer of the IP protocol, called the physical layer, describes the
physical medium (copper, fiber, wireless) and the data encoding used to
transmit signals on that medium (pulses of light, electrical waves, or radio
waves, for instance).
2. The second layer, called the data link layer, covers media access by network devices and describes how to put data into packets, transmit the
data, and check it for errors. Ethernet is found at this layer, as is 802.11
(page 1134) wireless.
3. The third layer, called the network layer, frequently uses IP and addresses
and routes packets.
4. The fourth layer, called the transport layer, is where TCP and UDP exist.
This layer provides a means for applications to communicate with each
other. Functions commonly performed by the transport layer include guaranteed delivery, delivery of packets in the order of their transmission, flow
control, error detection, and error correction. The transport layer is responsible for dividing data streams into packets. In addition, this layer performs
port addressing, which allows it to distinguish among different services
using the same transport protocol. Port addressing keeps the data from
multiple applications using the same protocol (for example, TCP) separate.
5. Anything above the transport layer is the domain of the application and is
part of the fifth layer. Unlike the ISO model, the Internet model does not
distinguish among application, presentation, and session layers. All of the
upper-layer characteristics, such as character encoding, encryption, and
GUIs, are part of the application. Applications choose the transport characteristics they require as well as the corresponding transport layer protocol
with which to send and receive data.
TCP: TRANSMISSION CONTROL PROTOCOL
TCP is most frequently run on top of IP in a combination referred to as TCP/IP.
This protocol provides error recovery and guaranteed delivery in packet transmission order; it also works with multiple ports so that it can handle more than one
application. TCP is a connection-oriented protocol (page 1142), also known as a
stream-based protocol. Once established, a TCP connection looks like a stream of
data, not individual IP packets. The connection is assumed to remain up and be
uniquely addressable. Every piece of information you write to the connection
always goes to the same destination and arrives in the order it was sent. Because


TCP is connection oriented and establishes a virtual circuit between two systems,
this protocol is not suitable for one-to-many transmissions (see the discussion of
UDP, following). TCP has built-in mechanisms for dealing with congestion (or flow)
control over busy networks and throttles back (slows the speed of data flow) when
it has to retransmit dropped packets. TCP can also deal with acknowledgments,
wide area links, high-delay links, and other situations.
UDP: USER DATAGRAM PROTOCOL
UDP runs at layer 4 of the IP stack, just as TCP does, but is much simpler. Like TCP,
UDP works with multiple ports and multiple applications. It has checksums for
error detection but does not automatically retransmit datagrams (page 1144) that
fail the checksum test. UDP is a datagram-oriented protocol: Each datagram must
carry its own address and port information. Each router along the way examines
each datagram to determine the destination, one hop at a time. You can broadcast
or multicast UDP datagrams to many destinations at the same time by using special
addresses.
PPP: POINT-TO-POINT PROTOCOL
PPP provides serial line point-to-point connections that support IP. This protocol
compresses data to make the most of the limited bandwidth available on serial connections. PPP, which replaces SLIP[5] (Serial Line IP), acts as a point-to-point layer
2/3 transport that many other types of protocols can ride on. It is used mostly for
IP-based services and connections, such as TCP or UDP.
XREMOTE AND LBX
Two protocols that speed up data transfer over serial lines are Xremote and LBX.
Xremote compresses the X Window System protocol so that it is more efficient over
slower serial lines. LBX (low-bandwidth X) is based on the Xremote technology
and is part of X Window System release X11R6 and higher.

HOST ADDRESS
Each computer interface has a unique identifier called a MAC address (page 1158).
A system attached to more than one network has multiple interfaces—one for each
network, each with its own MAC address.
Each packet of information that is broadcast over the network has a destination
address. All hosts on the network must process each broadcast packet to see
whether it is addressed to that host.[6] If the packet is addressed to a given host, that
host continues to process it. If not, the host ignores the packet.

5. SLIP was one of the first serial line implementations of IP and has slightly less overhead than PPP. PPP
supports multiple protocols (such as AppleTalk and IPX), whereas SLIP supports only IP.
6. Contrast broadcast packets with unicast packets: Ethernet hardware on a computer filters out unicast packets that are not addressed to that machine; the operating system on that machine never sees
these packets.


The network address of a machine is an IP address, which, under IPv4, is represented as one number broken into four segments separated by periods (for example,
192.168.184.5). Domain names and IP addresses are assigned through a highly distributed system coordinated by ICANN (Internet Corporation for Assigned Names
and Numbers—www.icann.org) via many registrars (see www.internic.net). ICANN
is funded by the various domain name registries and registrars and by IP address
registries, which supply globally unique identifiers for hosts and services on the
Internet. Although you may not deal with any of these agencies directly, your Internet service provider most assuredly does.
How a company uses IP addresses is determined by the system or network administrator. For example, the leftmost two sets of numbers in an IP address might represent a large network (campuswide or companywide); the third set, a subnetwork
(perhaps a department or a single floor in a building); and the rightmost number, an
individual computer. The operating system uses the address in a different, lower-level
form, converting it to its binary equivalent, a series of 1s and 0s. See the following
optional section for more information. Refer to "Private address space" on page 642
for information about addresses you can use on a LAN without registering them.
STATIC VERSUS DYNAMIC IP ADDRESSES
A static IP address is one that always remains the same. A dynamic IP address is one
that can change each time you connect to the network. A dynamic address remains
the same during a single login session. Any server (mail, Web, and so on) must have a
static address so clients can find the machine that is acting as the server. End-user
systems usually work well with dynamic addresses. During a given login session,
they can function as a client (your Web browser, for example) because they maintain
a constant IP address. When you log out and log in again, it does not matter that you
have a different IP address because your computer, acting as a client, establishes a
new connection with a server. The advantage of dynamic addressing is that it allows
inactive addresses to be reused, reducing the total number of IP addresses needed.

IP CLASSES (optional)
To facilitate routing on the Internet, IP addresses are divided into classes. These
classes, which are labeled class A through class E, allow the Internet address space
to be broken into blocks of small, medium, and large networks that are designed to
be assigned based on the number of hosts within a network.
When you need to send a message to an address outside the local network, your system looks up the address block/class in its routing table and sends the message to
the next router on the way to the final destination. Every router along the way does
a similar lookup and forwards the message accordingly. At the destination, local
routers direct the message to the specific address. Without classes and blocks, your
host would have to know every network and subnetwork address on the Internet
before it could send a message. This setup would be impractical because of the huge
number of addresses on the Internet.


Each of the four numbers in the IP address is in the range 0-255 because each segment of the IP address is represented by 8 bits (an octet), with each bit being capable of taking on two values; the total number of values is therefore 2^8 = 256. When
you start counting at 0, the range 1-256 becomes 0-255.[7] Each IP address is
divided into a net address (netid) portion, which is part of the class, and a host
address (hostid) portion. See Table 10-2.
Table 10-2    IP classes

Class                Start bits   Address range                      All bits (including start bits)
                                                                     bits 0-7      bits 8-15   bits 16-23   bits 24-31
Class A              0            001.000.000.000-126.000.000.000    0 + netid     hostid      hostid       hostid
Class B              10           129.000.000.000-191.255.000.000    10 + netid    netid       hostid       hostid
Class C              110          192.000.000.000-223.255.255.000    110 + netid   netid       netid        hostid
Class D (multicast)  1110         224.000.000.000-239.255.255.000    1110
Class E (reserved)   11110        240.000.000.000-255.255.255.000    11110

The first set of addresses, defining class A networks, is reserved for extremely large
corporations, such as General Electric (3.0.0.0) and Hewlett-Packard (15.0.0.0), and
for ISPs. One start bit (0) in the first position designates a class A network, 7 bits
holds the network portion of the address (netid), and 24 bits holds the host portion
of the address (hostid; see Table 10-2). This setup means that GE can have 2^24, or
approximately 16 million, hosts on its network. Unused address space and subnets
(page 1174) lower this number quite a bit. The 127.0.0.0 subnet (page 387) is
reserved, as are several others (see private address space on page 1166).
Two start bits (10) in the first two positions designates a class B network, 14 bits
holds the network portion of the address (netid), and 16 bits holds the host portion
of the address, for a potential total of 65,534 hosts.[8] A class C network uses 3 start

7. Internally, the IP address is represented as a set of four unsigned 8-bit fields or a 32-bit unsigned number, depending on how programs are using it. The most common format in C is to represent it as a union
of an unsigned 32-bit long integer, four unsigned chars, and two unsigned short integers.
8. A 16-bit (class B) address can address 2^16 = 65,536 hosts, yet the potential number of hosts is two fewer
than that because the first and last addresses on any network are reserved. In a similar manner, an 8-bit (class
C) address can address only 254 hosts (2^8 - 2 = 254). The 0 host address (for example, 194.16.100.0 for a
class C network or 131.204.0.0 for a class B network) is reserved as a designator for the network itself. Several older operating systems use this as a broadcast address. The 255 host address (for example,
194.16.100.255 for a class C network or 131.204.255.255 for a class B network) is reserved as the IP broadcast address. An IP packet (datagram) that is sent to this address is broadcast to all hosts on the network.
The netid portion of a subnet does not have the same limitations. Often you are given the choice of reserving the first and last networks in a range as you would a hostid, but this is rarely done in practice.
More often the first and last networks in the netid range provide more usable address space. Refer to
"Subnets" on page 385.


bits (110), 21 netid bits (2 million networks), and 8 hostid bits (254 hosts). Today a
new large customer will not receive a class A or B network but is likely to receive a
class C or several (usually contiguous) class C networks, if merited.

Several other classes of networks exist. Class D networks are reserved for
multicast (page 1161) networks. When you run netstat -nr on a Linux system, you can
see whether the machine is a member of a multicast network. A 224.0.0.0 in the
Destination column that netstat displays indicates a class D, multicast address
(Table 10-2). A multicast is like a broadcast, but only hosts that subscribe to the
multicast group receive the message. To use Web terminology, a broadcast is like a
"push." A host pushes a broadcast on the network, and every host on the network
must check each packet to see whether it contains relevant data. A multicast is
like a "pull." A host will see a multicast only if it registers itself as subscribed to a
multicast group or service and pulls the appropriate packets from the network.

Table 10-3    Computations for IP address 131.204.027.027

Class B: the first two octets are the netid, the last two the hostid (the third octet is used here as the subnet portion)

IP address                    131        .204       .027       .027       decimal
                              83         CC         1B         1B         hexadecimal
                              1000 0011  1100 1100  0001 1011  0001 1011  binary

Subnet mask                   255        .255       .255       .000       decimal
                              FF         FF         FF         00         hexadecimal
                              1111 1111  1111 1111  1111 1111  0000 0000  binary

IP address                    1000 0011  1100 1100  0001 1011  0001 1011  binary
bitwise AND subnet mask       1111 1111  1111 1111  1111 1111  0000 0000  binary
= Subnet number               1000 0011  1100 1100  0001 1011  0000 0000  binary

Subnet number                 131        .204       .027       .000       decimal
                              83         CC         1B         00         hexadecimal
                              1000 0011  1100 1100  0001 1011  0000 0000  binary

Broadcast address             131        .204       .27        .255       decimal
(set host bits to 1)          83         CC         1B         FF         hexadecimal
                              1000 0011  1100 1100  0001 1011  1111 1111  binary

Table 10-3 shows some of the computations for the IP address 131.204.027.027.
Each address is shown in decimal, hexadecimal, and binary form. Binary is the easiest to work with for bitwise (binary) computations. The first three lines show the IP
address. The next three lines show the subnet mask (page 1175) in three bases.
Next the IP address and the subnet mask are ANDed together bitwise to yield the
subnet number (page 1175), which is shown in three bases. The last three lines
show the broadcast address (page 1138), which is computed by taking the subnet
number and turning the hostid bits to 1s. The subnet number identifies the local
network. The subnet number and the subnet mask determine what range the IP
address of the machine must be in. They are also used by routers to segment traffic;
see network segment (page 1162). A broadcast on this network goes to all hosts in
the range 131.204.27.1 through 131.204.27.254 but will be acted on only by hosts
that have a use for it.

SUBNETS
Each host on a network must process each broadcast packet to determine whether
the information in the packet is useful to that host. If the network includes numerous
hosts, each host must process many packets. To maintain efficiency most networks—
and particularly shared media networks such as Ethernet—need to be split into subnetworks, or subnets.[9]
The more hosts on a network, the more dramatically network performance
is affected. Organizations use router and switch technology called
VLANs (virtual local area networks) to group similar hosts into broadcast domains
(subnets) based on function. For example, it is not uncommon to see a switch with
different ports being part of different subnets. See page 462 for information on how
to specify a subnet.
Subnet mask A subnet mask (or address mask) is a bitmask that identifies which parts of an IP
address correspond to the network address and the subnet portion of the address.
This mask has 1s in positions corresponding to the network and subnet numbers
and 0s in the host number positions. When you perform a bitwise AND on an IP
address and a subnet mask (Table 10-3), the resulting address contains everything
except the host address (hostid) portion.
There are several ways to represent a subnet mask: A network could have a subnet
mask of 255.255.255.0 (decimal), FFFFFF00 (hexadecimal), or /24 (the number of
bits used for the subnet mask). If it were a class B network (of which 16 bits are
already fixed), this yields 2^8 (24 total bits - 16 fixed bits = 8 bits, 2^8 = 256) networks[10]
with 2^8 - 2 (256 - 2 = 254) hosts[11] on each network.
For example, when you divide the class C address 192.25.4.0 into eight subnets, you
get a subnet mask of 255.255.255.224, FFFFFFE0, or /27 (27 1s). The eight resultant
networks are 192.25.4.0, 192.25.4.32, 192.25.4.64, 192.25.4.96, 192.25.4.128,
192.25.4.160, 192.25.4.192, and 192.25.4.224. You can use a Web-based subnet mask
calculator to calculate subnet masks (refer to "Network Calculators" on
page 1105). To use this calculator to determine the preceding subnet mask, start with
an IP host address of 192.25.4.0.
For more information refer to "Specifying a Subnet" on page 462.

9. Splitting a network is also an issue with other protocols, particularly AppleTalk.
10. The first and last networks are reserved in a manner similar to the first and last hosts, although the
standard is flexible. You can configure routers to reclaim the first and last networks in a subnet. Different
routers have different techniques for reclaiming these networks.
11. Subtract 2 because the first and last host addresses on every network are reserved.


C I D R : CLASSLESS INTER-DO MAIN

ROUTING

CIDR (pronounced "cider") allows groups of addresses that are smaller than a class C block to be assigned to an organization or ISP and then further subdivided and parceled out. In addition, it helps to alleviate the potential problem of routing tables on major Internet backbone and peering devices becoming too large to manage.

The pool of available IPv4 addresses has been depleted to the point that no one gets a class A address anymore. The trend is to reclaim these huge address blocks, if possible, and recycle them into groups of smaller addresses. Also, as more class C addresses are assigned, routing tables on the Internet are filling up and causing memory overflows. The solution is to aggregate12 groups of addresses into blocks and allocate them to ISPs, which in turn subdivide these blocks and allocate them to their customers. The address class designations (A, B, and C) described in the previous section are used less often today, although you may still encounter subnets.

When you request an address block, your ISP usually gives you as many addresses as you need—and no more. The ISP aggregates several contiguous smaller blocks and routes them to your location. This aggregation is CIDR. Without CIDR, the Internet as we know it would not function.

For example, you might be allocated the 192.168.5.0/22 IP address block, which could support 2^10 hosts (32 - 22 = 10). Your ISP would set its routers so that any packets going to an address in that block would be sent to your network. Internally, your own routers might further subdivide this block of 1,024 potential hosts into subnets, perhaps into four networks. Four networks require an additional two bits of addressing (2^2 = 4). You could therefore set up your router to support four networks with this allocation: 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, and 192.168.8.0/24. Each of these networks could then have 254 hosts. CIDR lets you arbitrarily divide networks and subnetworks into increasingly smaller blocks along the way. Each router has enough memory to keep track of the addresses it needs to direct and aggregates the rest.

This scheme uses memory and address space efficiently. For example, you could take 192.168.8.0/24 and further divide it into 16 networks with 14 hosts each. The 16 networks require four more bits (2^4 = 16), so you would have 192.168.8.0/28, 192.168.8.16/28, 192.168.8.32/28, and so on, up through the last subnet of 192.168.8.240/28, which would have the hosts 192.168.8.241 through 192.168.8.254.
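The subdivisions above are mechanical, so here is an added example (not from the book) that does them with Python's standard ipaddress module: it computes the usable host count of a prefix (the "subtract 2" footnote), splits any block into 2^n equal subnets, and lists each subnet's first and last host, reproducing the 192.168.8.0/24 into sixteen /28s case. It also shows that a strict parse rejects a block whose host bits are set, which is how 192.168.5.0/22 would be flagged (the aligned /22 that contains that address is 192.168.4.0/22).

```python
"""Divide a CIDR block into equal subnets and list the usable host range of each.

Added example, not from the book. Uses only the standard library.
"""
import ipaddress


def usable_hosts(prefixlen: int) -> int:
    """Assignable addresses in an IPv4 block: 2^(32 - prefixlen) - 2.

    The -2 is the footnote's point: the first (network) and last (broadcast)
    address of every network are reserved.
    """
    return 2 ** (32 - prefixlen) - 2


def subdivide(block: str, extra_bits: int) -> list:
    """Split `block` into 2^extra_bits subnets of equal size.

    strict=True makes ipaddress raise ValueError for a block whose host bits
    are not all zero (for example 192.168.5.0/22), which is the usual cause of
    "it routes to the wrong network" mistakes when a prefix is written by hand.
    """
    net = ipaddress.ip_network(block, strict=True)
    return list(net.subnets(prefixlen_diff=extra_bits))


def describe(block: str, extra_bits: int) -> list:
    """Return (subnet, first_host, last_host, host_count) for each subnet."""
    rows = []
    for sub in subdivide(block, extra_bits):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        rows.append((str(sub), str(hosts[0]), str(hosts[-1]), len(hosts)))
    return rows


def aligned_block(block: str) -> str:
    """The properly aligned network that contains a mis-written block."""
    return str(ipaddress.ip_network(block, strict=False))


if __name__ == "__main__":
    # The /24 -> sixteen /28 example from the text.
    for row in describe("192.168.8.0/24", 4):
        print("%-18s hosts %s .. %s (%d)" % row)
    print("/22 usable hosts:", usable_hosts(22))
    try:
        subdivide("192.168.5.0/22", 2)
    except ValueError as exc:
        print("rejected:", exc, "->", aligned_block("192.168.5.0/22"))
```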

12. Aggregate means to join. In CIDR, the aggregate of 208.178.99.124 and 208.178.99.125 is 208.178.99.124/23 (the aggregation of two class C blocks).

HOSTNAMES
People generally find it easier to work with names than with numbers, so Linux provides several ways to associate hostnames with IP addresses. The oldest method is to consult a list of names and addresses that are stored in the /etc/hosts file:

$ cat /etc/hosts
127.0.0.1      localhost
130.128.52.1   gw-example.example.com   gw-example
130.128.52.2   bravo.example.com        bravo
130.128.52.3   hurrah.example.com       hurrah
130.128.52.4   kudos.example.com        kudos

localhost = 127.0.0.1  The address 127.0.0.1 is reserved for the special hostname localhost, which serves as a hook for the system's networking software to operate on the local machine without going onto a physical network. The names of the other systems are shown in two forms: in a fully qualified domain name (FQDN) format that is unique on the Internet and as a nickname that is locally unique.

NIS  As more hosts joined networks, storing these name-to-address mappings in a text file proved to be inefficient and inconvenient. The hosts file grew increasingly larger and became impossible to keep up-to-date. To solve this problem Linux supports NIS (Network Information Service, page 401), which was developed for use on Sun computers. NIS stores information in a database, making it easier to find a specific address, but it is useful only for host information within a single administrative domain. Hosts outside the domain cannot access the information.

DNS  The solution to this dilemma is DNS (Domain Name Service, page 399). DNS effectively addresses the efficiency and update issues by arranging the entire network namespace (page 1161) as a hierarchy. Each domain in the DNS manages its own namespace (addressing and name resolution), and each domain can easily query for any host or IP address by following the tree up or down the namespace until it finds the appropriate domain. By providing a hierarchical naming structure, DNS distributes name administration across the entire Internet.

IPv6
The explosive growth of the Internet has uncovered deficiencies in the design of the current address plan—most notably the shortage of addresses. Over the next few years, a revised protocol, named IPng (IP Next Generation), also known as IPv6 (IP version 6),13 will be phased in. (It may take longer—the phase-in is going quite slowly.) This new scheme is designed to overcome the major limitations of the current approach and can be implemented gradually because it is compatible with the existing address usage. IPv6 makes it possible to assign many more unique Internet addresses (2^128, or 340 undecillion [10^36]). It also supports more advanced security and performance control features:
• IPv6 enables autoconfiguration. With IPv4, autoconfiguration is available using optional DHCP (page 470). With IPv6, autoconfiguration is mandatory, making it easy for hosts to configure their IP addresses automatically.
• IPv6 reserves 24 bits in the header for advanced services, such as resource reservation protocols, better backbone routing, and improved traffic engineering.
• IPv6 makes multicast protocols mandatory and uses them extensively. In IPv4, multicast, which improves scalability, is optional.
• IPv6 aggregates address blocks more efficiently because of the huge address space. This aggregation makes obsolete NAT (page 1161), which decreased scalability and introduced protocol issues.
• IPv6 provides a simplified packet header that allows hardware accelerators to work better.

A sample IPv6 address is fe80::a00:20ff:feff:5be2/10. Each group of four hexadecimal digits is equivalent to a number between 0 and 65,536 (16^4). A pair of adjacent colons indicates a hex value of 0x0000; leading 0s need not be shown. With eight sets of hexadecimal groupings, 65,536^8 = 2^128 addresses are possible. In an IPv6 address on a host with the default autoconfiguration, the first characters in the address are always fe80. The last 64 bits hold an interface ID designation, which is often the MAC address (page 1158) of the system's Ethernet controller.

13. IPv5 referred to an experimental real-time stream protocol named ST—thus the jump from IPv4 to IPv6.
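As an added example (not from the book), the following Python code expands the sample address fe80::a00:20ff:feff:5be2 into its eight groups and takes the interface ID apart with the modified EUI-64 rule, the IEEE scheme that turns a 48-bit MAC into a 64-bit interface ID by inserting ff:fe in the middle and flipping the universal/local bit. Recovering 08:00:20:ff:5b:e2 from the address is the point a defender should know: an EUI-64 interface ID exposes the hardware address in every packet, which is why many hosts now use randomized interface IDs (RFC 4941 privacy extensions) instead.

```python
"""Expand a compressed IPv6 address and recover the MAC embedded in an
EUI-64 interface ID.

Added example, not from the book. The sample address from the text is the
constructed input; mac_to_eui64 implements the IEEE modified-EUI-64 rule.
"""
import ipaddress


def expand(addr: str) -> list:
    """The eight 16-bit groups of an IPv6 address with leading zeros restored.

    '::' stands for one or more all-zero groups; IPv6Address.exploded works out
    how many zero groups the '::' replaces.
    """
    return ipaddress.IPv6Address(addr).exploded.split(":")


def interface_id(addr: str) -> bytes:
    """The low 64 bits of the address (the interface ID) as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: split the 6-byte MAC, insert 0xfffe, flip bit 1 of byte 0."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]


def eui64_to_mac(iid: bytes):
    """Inverse of mac_to_eui64.

    Returns None when the ff:fe marker is absent, which is what an interface ID
    generated by privacy extensions (or set by hand) looks like.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % x for x in raw)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the EUI-64 interface ID, in compressed form."""
    packed = b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(mac)
    return str(ipaddress.IPv6Address(packed))


if __name__ == "__main__":
    sample = "fe80::a00:20ff:feff:5be2"  # constructed: the address from the text
    print(":".join(expand(sample)))
    print("interface ID:", interface_id(sample).hex())
    print("embedded MAC:", eui64_to_mac(interface_id(sample)))
```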

COMMUNICATE OVER A NETWORK
Many commands that you can use to communicate with other users on a single computer system have been extended to work over a network. Examples of extended utilities include electronic mail programs, information-gathering utilities (such as finger, page 181), and communications utilities (such as talk). These utilities are examples of the UNIX philosophy: Instead of creating a new, special-purpose tool, modify an existing one.

Many utilities understand a convention for the format of network addresses: user@host (spoken as "user at host"). When you use an @ sign in an argument to one of these utilities, the utility interprets the text that follows as the name of a remote host. When you omit the @ sign, a utility assumes that you are requesting information from or corresponding with someone on the local system.

The prompts shown in the examples in this chapter include the hostname of the system you are using. If you frequently use more than one system over a network, you may find it difficult to keep track of which system you are interacting with at any particular moment. If you set your prompt to include the hostname of the current system, it will always be clear which system you are using. To identify the computer you are using, run hostname or uname -n:

$ hostname
kudos

See page 321 for information on how you can change the prompt.

finger: DISPLAYS INFORMATION ABOUT REMOTE USERS
The finger utility displays information about one or more users on a system. This utility was designed for local use, but when networks became popular, it was obvious that finger should be enhanced to reach out and collect information remotely. In the following examples, finger displays information about all users logged in on the system named bravo:

[kudos]$ finger @bravo
[bravo.example.com]
Login     Name              Tty      Idle  Login Time    Office     Office Phone
sam       Sam the Great    *1        1:35  Oct 22  5:00  (kudos)
max       Max Wild          4          19  Oct 22 12:23  (:0)
max       Max Wild          5        2:24  Oct 22 12:33  (:0)
zach      Zach Brill        7              Oct 22  8:45  (:0)
hls       Helen Simpson    11          2d  Oct 20 12:23

A user's username in front of the @ sign causes finger to display information from the remote system for the specified user only. If the remote system has multiple matches for that name, finger displays the results for all of them:

[kudos]$ finger max@bravo
[bravo.example.com]
Login     Name              Tty      Idle  Login Time    Office     Office Phone
max       Max Wild          4          19  Oct 22 12:23  (kudos)
max       Max Wild          5              Oct 22 12:33  (:0)

The finger utility works by querying a standard network service, the in.fingerd daemon, that runs on the system being queried. Although this service is available in the fingerd package for Ubuntu Linux, some sites choose not to run it to minimize the load on their systems, reduce security risks, or maintain privacy. When you use finger to obtain information about someone at such a site, you will see an error message or nothing at all. The remote in.fingerd daemon determines how much information to share and in what format. As a result, the report displayed for any given system may differ from that shown in the preceding examples.

The in.fingerd daemon
security  The finger daemon (in.fingerd) gives away system account information that can aid a malicious user. Some sites disable finger or randomize user account IDs to make a malicious user's job more difficult. Do not install the fingerd package if you do not want to run the finger daemon.

The information for remote finger looks much the same as it does when finger runs on the local system, with one difference: Before displaying the results, finger reports the name of the remote system that answered the query (bravo, as shown in brackets in the preceding example). The name of the host that answers may be different from the system name you specified on the command line, depending on how the finger daemon service is configured on the remote system. In some cases, several hostnames may be listed if one finger daemon contacts another to retrieve the information.


SENDING MAIL TO A REMOTE USER
Given a user's username on a remote system and the name of the remote system or its domain, you can use an email program to send a message over the network or the Internet, using the @ form of an address:

zach@bravo

or

zach@example.com

Although many Linux utilities recognize the @ form of a network address, you may find that you can reach more remote computers with email than with the other networking utilities described in this chapter. This disparity arises because the email system can deliver a message to a host that does not run IP, even though it appears to have an Internet address. The message may be routed over the network, for example, until it reaches a remote system that has a point-to-point, dial-up connection to the destination system. Other utilities, such as talk, rely on IP and operate only between networked hosts.

MAILING LIST SERVERS
A mailing list server (listserv14) allows you to create and manage an email list. An electronic mailing list provides a means for people interested in a particular topic to participate in an electronic discussion and for a person to disseminate information periodically to a potentially large mailing list. One of the most powerful features of most list servers is their ability to archive email postings to the list, create an archive index, and allow users to retrieve postings from the archive based on keywords or discussion threads. Typically you can subscribe and unsubscribe from the list with or without human intervention. The owner of the list can restrict who can subscribe, unsubscribe, and post messages to the list. See page 734 for instructions on configuring the Mailman list server. Other popular list servers include LISTSERV (www.lsoft.com), Lyris (www.lyris.com), and Majordomo (www.greatcircle.com/majordomo). Ubuntu maintains quite a few mailing lists and list archives for those mailing lists at lists.ubuntu.com. Use Google to search on linux mailing list to find other lists.

14. Although the term listserv is sometimes used generically to include many different list server programs, it is a specific product and a registered trademark of L-Soft International, Inc.: LISTSERV (for more information go to www.lsoft.com).

NETWORK UTILITIES
To realize the full benefits of a networked environment, it made sense to extend certain tools, some of which have already been described. The advent of networks also created a need for new utilities to control and monitor them, spurring the development of new tools that took advantage of network speed and connectivity. This section describes concepts and utilities for systems attached to a network.

TRUSTED HOSTS  Some commands, such as rcp and rsh, work only if the remote system trusts your local computer (that is, if the remote system knows your local computer and believes that it is not pretending to be another system). The /etc/hosts.equiv file lists trusted systems. For reasons of security, the root account does not rely on this file to identify trusted privileged users from other systems.

Host-based trust is largely obsolete. Because there are many ways to circumvent trusted host security, including subverting DNS systems and IP spoofing (page 1154), authentication based on IP address is widely regarded as insecure and obsolete. In a small homogeneous network of machines with local DNS control, it can be "good enough." Its greater ease of use in these situations may outweigh the security concerns.

Do not share your login account
security  You can use a ~/.rhosts file to allow another user to log in as you from a remote system without knowing your password. This setup is not recommended. Do not compromise the security of your files or the entire system by sharing your login account. Use ssh and scp instead of rsh and rcp whenever possible.

OPENSSH TOOLS
The OpenSSH project provides a set of tools that replace rcp, rsh, and others with secure equivalents. These tools are installed by default in Ubuntu Linux and can be used as drop-in replacements for their insecure counterparts. The OpenSSH tool suite is covered in detail in Chapter 18.

telnet: LOGS IN ON A REMOTE SYSTEM
You can use the TELNET protocol to interact with a remote computer. The telnet utility, a user interface to this protocol, is older than ssh and is not secure. Nevertheless, it may work where ssh (page 670) is not available (there is more non-UNIX support for TELNET access than for ssh access). In addition, many legacy devices, such as terminal servers and network devices, do not support ssh.

[bravo]$ telnet kudos
Trying 172.19.52.2...
Connected to kudos.example.com
Escape character is '^]'.
Welcome to SuSE Linux 7.3 (i386) - Kernel 2.4.10-4GB (2).
kudos login: wild
Password:
You have old mail in /var/mail/wild.
Last login: Mon Feb 27 14:46:55 from bravo.example.com
wild@kudos:~>
wild@kudos:~> logout
Connection closed by foreign host.
[bravo]$

telnet versus ssh  When you connect to a remote UNIX or Linux system using telnet, you are presented with a regular, textual login: prompt. Unless you specify differently, the ssh utility assumes that your username on the remote system matches that on the local system. Because telnet is designed to work with non-UNIX and non-Linux systems, it makes no such assumptions.

telnet is not secure
security  Whenever you enter sensitive information, such as your password, while you are using telnet, it is transmitted in cleartext and can be read by someone who is listening in on the session.

Another difference between these two utilities is that telnet allows you to configure many special parameters, such as how RETURNs or interrupts are processed. When using telnet between UNIX and/or Linux systems, you rarely need to change any parameters.

When you do not specify the name of a remote host on the command line, telnet runs in an interactive mode. The following example is equivalent to the previous telnet example:

[bravo]$ telnet
telnet> open kudos
Trying 172.19.52.2...
Connected to kudos.example.com
Escape character is '^]'.

Before connecting you to a remote system, telnet tells you what the escape character is; in most cases, it is ^] (where ^ represents the CONTROL key). When you press CONTROL-], you escape to telnet's interactive mode. Continuing the preceding example:

[kudos]$ CONTROL-]
telnet> ?
(displays help information)
telnet> close
Connection closed.
[bravo]$

When you enter a question mark in response to the telnet> prompt, telnet lists its commands. The close command ends the current telnet session, returning you to the local system. To get out of telnet's interactive mode and resume communication with the remote system, press RETURN in response to a prompt.

You can use telnet to access special remote services at sites that have chosen to make such services available. However, many of these services, such as the U.S. Library of Congress Information System (LOCIS), have moved to the Web. As a consequence, you can now obtain the same information using a Web browser.

USING telnet TO CONNECT TO OTHER PORTS
By default telnet connects to port 23, which is used for remote logins. However, you can use telnet to connect to other services by specifying a port number. In addition to standard services, many of the special remote services available on the Internet use unallocated port numbers. For example, you can access some multiplayer text games, called MUDs (Multi-User Dungeons, or Dimensions), using telnet to connect to a specified port, such as 4000 or 8888. Unlike the port numbers for standard protocols, these port numbers can be picked arbitrarily by the administrator of the game.

While telnet is no longer commonly employed to log in on remote systems, it is still used extensively as a debugging tool. This utility allows you to communicate directly with a TCP server. Some standard protocols are simple enough that an experienced user can debug problems by connecting to a remote service directly using telnet. If you are having a problem with a network server, a good first step is to try to connect to it using telnet.

In the following example, a system administrator who is debugging a problem with email delivery uses telnet to connect to the SMTP port (port 25) on the server at example.com to see why it is bouncing mail from the spammer.com domain. The first line of output indicates which IP address telnet is trying to connect to. After telnet displays the Connected to smtpsrv.example.com message, the user emulates an SMTP dialog, following the standard SMTP protocol. The first line, which starts with helo, begins the session and identifies the local system. After the SMTP server responds, the user enters a line that identifies the mail sender as user@spammer.com. The SMTP server's response explains why the message is bouncing, so the user ends the session with quit.

$ telnet smtpsrv 25
Trying 192.168.1.1...
Connected to smtpsrv.example.com.
Escape character is '^]'.
helo example.com
220 smtpsrv.example.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 4 May 2005 00:13:43 -0500 (CDT)
250 smtpsrv.example.com Hello desktop.example.com [192.168.1.97], pleased to meet you
mail from:user@spammer.com
571 5.0.0 Domain banned for spamming
quit
221 2.0.0 smtpsrv.example.com closing connection

The telnet utility allows you to use any protocol you want, as long as you know it well enough to type commands manually.
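Added example, not from the book: a small Python parser for the server side of the session above. It splits each SMTP reply into its three-digit code, the continuation marker, the optional enhanced status code (the 5.0.0 in the bounce) and the text, and classifies the 571 as a permanent failure. tcp_banner() is an assumed helper that performs the same connect-and-read-the-greeting step as telnet smtpsrv 25, with a timeout so a silent port does not hang the check; the transcript embedded in the code is constructed from the one in the text.

```python
"""Parse the reply lines of a hand-driven SMTP session and classify the outcome.

Added example, not from the book. TRANSCRIPT is constructed from the session
in the text; tcp_banner() is an added helper, not a standard tool.
"""
import re
import socket

# code, optional '-' continuation marker, optional enhanced status (x.y.z), text
REPLY = re.compile(r"^(\d{3})([ -]?)(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")

# Constructed: the server-side lines of the dialogue shown in the text.
TRANSCRIPT = """\
220 smtpsrv.example.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 4 May 2005 00:13:43 -0500 (CDT)
250 smtpsrv.example.com Hello desktop.example.com [192.168.1.97], pleased to meet you
571 5.0.0 Domain banned for spamming
221 2.0.0 smtpsrv.example.com closing connection
"""


def parse_reply(line: str) -> dict:
    """Split one SMTP reply into code, continuation flag, enhanced status, text."""
    m = REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SMTP reply: %r" % line)
    code, sep, enhanced, text = m.groups()
    return {"code": int(code), "more": sep == "-", "enhanced": enhanced, "text": text}


def classify(code: int) -> str:
    """Meaning of the first digit (RFC 5321): 2 ok, 3 more input, 4 retry later, 5 give up."""
    return {
        2: "success",
        3: "intermediate",
        4: "transient failure",
        5: "permanent failure",
    }.get(code // 100, "unknown")


def first_failure(transcript: str):
    """The first 4xx/5xx reply in a transcript, or None if every reply succeeded."""
    for line in transcript.splitlines():
        if not line.strip():
            continue
        reply = parse_reply(line)
        if reply["code"] >= 400:
            return reply
    return None


def tcp_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and read the service greeting, as 'telnet host port' would show it.

    Assumed helper: a server that accepts the connection but sends nothing
    raises socket.timeout instead of hanging the caller.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(1024).decode("ascii", "replace").strip()


if __name__ == "__main__":
    failure = first_failure(TRANSCRIPT)
    print(failure["code"], classify(failure["code"]),
          failure["enhanced"], failure["text"])
```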

ftp: TRANSFERS FILES OVER A NETWORK
The File Transfer Protocol (FTP) is a method of downloading files from and uploading files to another system using TCP/IP over a network. FTP is not a secure protocol; use it only for downloading public information from a public server. Most Web browsers can download files from FTP servers. Chapter 19 covers FTP clients and servers.

ping: TESTS A NETWORK CONNECTION
The ping15 utility (http://ftp.arl.mil/~mike/ping.html) sends an ECHO_REQUEST packet to a remote computer. This packet causes the remote system to send back a reply. This exchange is a quick way to verify that a remote system is available and to check how well the network is operating, such as how fast it is or whether it is dropping data packets. The ping utility uses the ICMP (Internet Control Message Protocol) protocol. Without any options, ping tests the connection once per second until you abort execution with CONTROL-C.

$ ping www.slashdot.org
PING www.slashdot.org (216.34.181.48) 56(84) bytes of data.
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=1 ttl=238 time=70.2 ms
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=2 ttl=238 time=72.6 ms
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=3 ttl=238 time=57.5 ms
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=4 ttl=238 time=71.2 ms
CONTROL-C
--- www.slashdot.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3024ms
rtt min/avg/max/mdev = 57.553/67.899/72.605/6.039 ms

This example shows that a connection to www.slashdot.org is redirected to star.slashdot.org and that that system is up and available over the network.

By default ping sends packets containing 64 bytes (56 data bytes and 8 bytes of protocol header information). In the preceding example, four packets were sent to the system star.slashdot.org before the user interrupted ping by pressing CONTROL-C. The four-part number in parentheses on each line is the remote system's IP address. A packet sequence number (named icmp_seq) is also given. If a packet is dropped, a gap occurs in the sequence numbers. The round-trip time is listed last; it represents the time (in milliseconds) that elapsed from when the packet was sent from the local system to the remote system until the reply from the remote system was received by the local system. This time is affected by the distance between the two systems, network traffic, and the load on both computers. Before it terminates, ping summarizes the results, indicating how many packets were sent and received as well as the minimum, average, maximum, and mean deviation round-trip times it measured. Use ping6 to test IPv6 networks.

When ping cannot connect
tip  If it is unable to contact the remote system, ping continues trying until you interrupt it with CONTROL-C. A system may not answer for any of several reasons: The remote computer may be down, the network interface or some part of the network between the systems may be broken, a software failure may have occurred, or the remote machine may be set up, for reasons of security, not to return pings (try pinging www.microsoft.com or www.ibm.com).

15. The name ping mimics the sound of a sonar burst used by submarines to identify and communicate with each other. The word ping also expands to packet internet groper.
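An added example (not from the book) of doing the checks described above programmatically: it parses ping's reply lines, finds dropped packets as gaps in icmp_seq, notes whether the reply TTL changed mid-run, and recomputes the min/avg/max/mdev figures that the summary line reports (mdev is the population standard deviation of the round-trip times). PING_OUTPUT is constructed from the session above with the icmp_seq=3 reply removed, so the parser has a gap to find.

```python
"""Analyse ping output: dropped packets show up as gaps in icmp_seq.

Added example, not from the book. PING_OUTPUT is constructed from the session
in the text with one reply (icmp_seq=3) removed.
"""
import re
import statistics

REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")

PING_OUTPUT = """\
PING www.slashdot.org (216.34.181.48) 56(84) bytes of data.
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=1 ttl=238 time=70.2 ms
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=2 ttl=238 time=72.6 ms
64 bytes from star.slashdot.org (216.34.181.48): icmp_seq=4 ttl=238 time=71.2 ms

--- www.slashdot.org ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3024ms
rtt min/avg/max/mdev = 70.200/71.333/72.600/0.984 ms
"""


def parse_replies(text: str) -> list:
    """(seq, ttl, rtt_ms) for every echo-reply line in the output."""
    return [(int(s), int(t), float(ms)) for s, t, ms in REPLY.findall(text)]


def missing_sequences(replies: list, transmitted: int) -> list:
    """Sequence numbers that never came back; ping numbers requests from 1."""
    seen = {seq for seq, _, _ in replies}
    return [n for n in range(1, transmitted + 1) if n not in seen]


def rtt_stats(replies: list) -> dict:
    """min/avg/max/mdev over the round-trip times, as ping's summary line does."""
    rtts = [ms for _, _, ms in replies]
    return {
        "min": min(rtts),
        "avg": sum(rtts) / len(rtts),
        "max": max(rtts),
        "mdev": statistics.pstdev(rtts),
    }


def analyse(text: str) -> dict:
    """Combine the checks: loss, which packets were lost, TTL drift, and timing."""
    replies = parse_replies(text)
    if not replies:
        raise ValueError("no echo replies in output")
    m = SUMMARY.search(text)
    if m:
        transmitted, received = int(m.group(1)), int(m.group(2))
    else:  # no summary line (output cut short): trust the replies we saw
        transmitted = received = len(replies)
    return {
        "received": received,
        "lost": missing_sequences(replies, transmitted),
        "loss_pct": 100.0 * (transmitted - received) / transmitted,
        # a reply TTL that changes mid-run means the path to the host changed
        "ttl_changed": len({ttl for _, ttl, _ in replies}) > 1,
        "rtt": rtt_stats(replies),
    }


if __name__ == "__main__":
    result = analyse(PING_OUTPUT)
    print("lost icmp_seq:", result["lost"], "loss %.0f%%" % result["loss_pct"])
    print("rtt:", {k: round(v, 3) for k, v in result["rtt"].items()})
```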

NETWORK UTILITIES 395

traceroute: TRACES A ROUTE OVER THE INTERNET
The traceroute utility (traceroute package) traces the route that an IP packet follows, including all intermediary points traversed (called network hops), to its destination (the argument to traceroute—an Internet host). It displays a numbered list of hostnames, if available, and IP addresses, together with the round-trip time it took for a packet to reach each router along the way and an acknowledgment to get back. You can put this information to good use when you are trying to identify the location of a network bottleneck.

The traceroute utility has no concept of the path from one host to the next; instead, it simply sends out packets with increasing TTL (time to live) values. TTL is an IP header field that indicates how many more hops the packet should be allowed to make before being discarded or returned. In the case of a traceroute packet, the packet is returned by the host that has the packet when the TTL value is zero. The result is a list of hosts that the packet traveled through to get to its destination.

The traceroute utility can help you solve routing configuration problems and locate routing path failures. When you cannot reach a host, use traceroute to discover what path the packet follows, how far it gets, and what the delay is.
The next example shows the output of traceroute when it follows a route from a local computer to www.linux.org. The first line indicates the IP address of the target, the maximum number of hops that will be traced, and the size of the packets that will be used. Each numbered line contains the name and IP address of the intermediate destination, followed by the time it takes a packet to make a trip to that destination and back again. The traceroute utility sends three packets to each destination; thus three times appear on each line. Line 1 shows the statistics when a packet is sent to the local gateway (less than 3 milliseconds). Lines 4-6 show the packet bouncing around Mountain View (California) before it goes to San Jose. Between hops 13 and 14 the packet travels across the United States (San Francisco to somewhere in the East). By hop 18 the packet has found www.linux.org. The traceroute utility displays asterisks when it does not receive a response. Each asterisk indicates that traceroute has waited three seconds. Use traceroute6 to test IPv6 networks.
$ /usr/sbin/traceroute www.linux.org
traceroute to www.linux.org (198.182.196.56), 30 hops max, 38 byte packets
 1  gw.localco.com. (204.94.139.65)  2.904 ms  2.425 ms  2.783 ms
 2  covad-gw2.meer.net (209.157.140.1)  19.727 ms  23.287 ms  24.783 ms
 3  gw-mv1.meer.net (140.174.164.1)  18.795 ms  24.973 ms  19.207 ms
 4  d1-4-2.a02.mtvwca01.us.ra.verio.net (206.184.210.241)  59.091 ms d1-10-0-0-200.a03.mtvwca01.us.ra.verio.net (206.86.28.5)  54.948 ms  39.485 ms
 5  fa-11-0-0.a01.mtvwca01.us.ra.verio.net (206.184.188.1)  40.182 ms  44.405 ms  49.362 ms
 6  p1-1-0-0.a09.mtvwca01.us.ra.verio.net (205.149.170.66)  78.688 ms  66.266 ms  28.003 ms
 7  p1-12-0-0.a01.snjsca01.us.ra.verio.net (209.157.181.166)  32.424 ms  94.337 ms  54.946 ms
 8  f4-1-0.sjc0.verio.net (129.250.31.81)  38.952 ms  63.111 ms  49.083 ms
 9  sjc0.nuq0.verio.net (129.250.3.98)  45.031 ms  43.496 ms  44.925 ms
10  mae-west1.US.CRL.NET (198.32.136.10)  48.525 ms  66.296 ms  38.996 ms
11  t3-ames.3.sfo.us.crl.net (165.113.0.249)  138.808 ms  78.579 ms  68.699 ms
12  E0-CRL-SFO-02-E0X0.US.CRL.NET (165.113.55.2)  43.023 ms  51.910 ms  42.967 ms
13  sfo2-vva1.ATM.us.crl.net (165.113.0.254)  135.551 ms  154.606 ms  178.632 ms
14  mae-east-02.ix.ai.net (192.41.177.202)  158.351 ms  201.811 ms  204.560 ms
15  oc12-3-0-0.mae-east.ix.ai.net (205.134.161.2)  202.851 ms  155.667 ms  219.116 ms
16  border-ai.invlogic.com (205.134.175.254)  214.622 ms *  190.423 ms
17  router.invlogic.com (198.182.196.1)  224.378 ms  235.427 ms  228.856 ms
18  www.linux.org (198.182.196.56)  207.964 ms  178.683 ms  179.483 ms
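The text says traceroute output is useful for locating a network bottleneck and that asterisks mark probes that drew no reply. The following is an added example (editorial, not from the book) that parses output in the format shown above, treats each asterisk as a missing measurement, and reports the pair of responding hops between which the best-of-three round-trip time grows the most. Round-trip time is cumulative along the path, so that jump points at the slow link. The sample is constructed from the run above with most middle hops omitted; hop 15 is a constructed "* * *" line (no reply at all) so that the silent-hop case is exercised.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample in traceroute's output format, based on the run shown
# above with most middle hops omitted; hop 15 is a constructed silent hop.
SAMPLE = """\
traceroute to www.linux.org (198.182.196.56), 30 hops max, 38 byte packets
 1  gw.localco.com. (204.94.139.65)  2.904 ms  2.425 ms  2.783 ms
 2  covad-gw2.meer.net (209.157.140.1)  19.727 ms  23.287 ms  24.783 ms
 3  gw-mv1.meer.net (140.174.164.1)  18.795 ms  24.973 ms  19.207 ms
12  E0-CRL-SFO-02-E0X0.US.CRL.NET (165.113.55.2)  43.023 ms  51.910 ms  42.967 ms
13  sfo2-vva1.ATM.us.crl.net (165.113.0.254)  135.551 ms  154.606 ms  178.632 ms
14  mae-east-02.ix.ai.net (192.41.177.202)  158.351 ms  201.811 ms  204.560 ms
15  * * *
16  border-ai.invlogic.com (205.134.175.254)  214.622 ms *  190.423 ms
17  router.invlogic.com (198.182.196.1)  224.378 ms  235.427 ms  228.856 ms
18  www.linux.org (198.182.196.56)  207.964 ms  178.683 ms  179.483 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # hop number, then the rest
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")        # hostname (address)
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms|\*")    # one RTT, or "*" if unanswered


class Hop(NamedTuple):
    number: int
    host: Optional[str]
    ip: Optional[str]
    rtts: Tuple[Optional[float], ...]   # None marks a probe that got no reply


def parse_traceroute(text: str):
    """Parse traceroute output into Hop records; the banner line is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                       # "traceroute to ..." banner
        number, rest = int(m.group(1)), m.group(2)
        hosts = HOST_RE.findall(rest)      # a hop may list more than one router
        host, ip = hosts[0] if hosts else (None, None)
        rtts = tuple(float(p.group(1)) if p.group(1) else None
                     for p in PROBE_RE.finditer(rest))
        hops.append(Hop(number, host, ip, rtts))
    return hops


def best_rtt(hop: Hop) -> Optional[float]:
    """Lowest RTT among the answered probes; None if none was answered."""
    answered = [r for r in hop.rtts if r is not None]
    return min(answered) if answered else None


def unanswered(hops) -> int:
    """Total number of probes (asterisks) that drew no reply."""
    return sum(r is None for hop in hops for r in hop.rtts)


def largest_jump(hops):
    """Pair of responding hops with the largest increase in best RTT.
    Best-of-three is used because extra delay on the other probes is mostly
    queuing noise; silent hops are skipped and the comparison carries across
    them. Returns (from_hop, to_hop, increase_ms)."""
    worst = None
    prev = None
    for hop in hops:
        rtt = best_rtt(hop)
        if rtt is None:
            continue
        if prev is not None:
            delta = rtt - best_rtt(prev)
            if worst is None or delta > worst[2]:
                worst = (prev.number, hop.number, delta)
        prev = hop
    return worst
```

On the sample the largest increase falls between hops 12 and 13 (the two crl.net routers in San Francisco), which is where the path's latency climbs from the tens into the hundreds of milliseconds.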

396 CHAPTER 10 NETWORKING AND THE INTERNET

host AND dig: QUERY INTERNET NAMESERVERS
The host utility looks up an IP address given a name, or vice versa. The following example shows how to use host to look up the domain name of a machine, given an IP address:
$ host 64.13.141.6
6.141.13.64.in-addr.arpa domain name pointer ns.meer.net.
You can also use host to determine the IP address of a domain name:
$ host ns.meer.net
ns.meer.net has address 64.13.141.6
The dig (domain information groper) utility queries DNS servers and individual machines for information about a domain. A powerful utility, dig has many features that you may never use. It is more complex than host.
Chapter 24 on DNS has many examples of the use of host and dig.
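The first host example above shows the reversed-octet name (6.141.13.64.in-addr.arpa) that a reverse lookup actually queries. The following added example (editorial, not the book's code) builds that name for IPv4 and IPv6 addresses and then goes one step beyond the text: it checks that a PTR answer is forward-confirmed, that is, that the name returned resolves back to the same address. The PTR_RECORDS and A_RECORDS tables are constructed stand-ins for DNS answers; the ns.meer.net pair mirrors the book's example and the 192.0.2.10 entry is a constructed mismatch.

```python
import ipaddress
from typing import Dict, Optional, Set


def reverse_name(address: str) -> str:
    """Owner name that a reverse (PTR) lookup queries for the given address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # IPv4: the four octets in reverse order under in-addr.arpa,
        # so 64.13.141.6 becomes 6.141.13.64.in-addr.arpa as in the host example.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles of the expanded address, reversed, under ip6.arpa.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(address: str) -> bool:
    """Cross-check against the name Python's ipaddress module derives."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer


# Constructed stand-ins for the answers host would fetch from DNS.
PTR_RECORDS: Dict[str, str] = {
    "6.141.13.64.in-addr.arpa": "ns.meer.net.",      # from the book's example
    "10.2.0.192.in-addr.arpa": "www.example.com.",   # constructed mismatch
}
A_RECORDS: Dict[str, Set[str]] = {
    "ns.meer.net.": {"64.13.141.6"},
    "www.example.com.": {"192.0.2.20"},              # does not point back to .10
}


def forward_confirmed(address: str,
                      ptr: Dict[str, str] = PTR_RECORDS,
                      a: Dict[str, Set[str]] = A_RECORDS) -> Optional[bool]:
    """Forward-confirmed reverse DNS: a PTR answer is trustworthy only when
    the name it returns resolves back to the same address, because whoever
    controls the reverse zone can put any name into a PTR record.
    Returns None when the address has no PTR record at all."""
    name = ptr.get(reverse_name(address))
    if name is None:
        return None
    return address in a.get(name, set())
```

The forward-confirmation step is what log-analysis and mail-filtering tools rely on before trusting a hostname derived from an address.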

whois: LOOKS UP INFORMATION ABOUT AN INTERNET SITE
The whois utility (whois package) queries a whois server for information about an Internet site. This utility returns site contact and InterNIC or other registry information that can help you track down the person who is responsible for a site: Perhaps that person is sending you or your company spam (page 1173). Many sites on the Internet are easier to use and faster than whois. Use a browser and search engine to search on whois or go to www.networksolutions.com/whois or www.db.ripe.net/whois to get started.

When you do not specify a whois server, whois defaults to whois.internic.net. Use the -h option to whois to specify a different whois server. See the whois info page for more options and setup information.

To obtain information on a domain name, specify the complete domain name, as in the following example:
$ whois sobell.com
Domain Name: SOBELL.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.HUNGERHOST.COM
Registrant:
Sobell Associates Inc
660 Market Street
Fifth Floor
San Francisco, California 94104
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SOBELL.COM
Created on: 07-Apr-95
Expires on: 08-Apr-lB
Last Updated on: 01-Mar-10

Administrative Contact:
Sobell, Mark
sobell@meer.net
Sobell Associates Inc
660 Market Street
Fifth Floor
SAN FRANCISCO, California 94104
United States
18888446337
Fax -- 18888446337
Technical Contact:
W., Tim
hostmaster@meer.net
meer.net
po box 390804
Mountain View, California 94039
United States
18888446337
Fax -- 18888446337
Domain servers in listed order:
NS1.HUNGERHOST.COM
NS2.HUNGERHOST.COM
Several top-level registries serve various regions of the world. You are most likely to use the following ones:
North American registry    whois.arin.net
European registry          www.ripe.net
Asia-Pacific registry      www.apnic.net
U.S. military              whois.nic.mil
U.S. government            www.nic.gov

DISTRIBUTED COMPUTING
When many similar systems are found on the same network, it is often desirable to share common files and utilities among them. For example, a system administrator might choose to keep a copy of the system documentation on one computer's disk and to make those files available to remote systems. In this case, the system administrator configures the files so users who need to access the online documentation are not aware that the files are stored on a remote system. This type of setup, which is an example of distributed computing, not only conserves disk space but also allows you to update one central copy of the documentation rather than tracking down and updating copies scattered throughout the network on many different systems.


Figure 10-2 A fileserver (figure labels: Fileserver, /usr/man, /home)

Figure 10-2 illustrates a fileserver that stores the system manual pages and users' home directories. With this arrangement, a user's files are always available to that user—no matter which system the user logs in on. Each system's disk might contain a directory to hold temporary files as well as a copy of the operating system. Chapter 22 contains instructions for setting up NFS clients and servers in networked configurations.

THE CLIENT/SERVER MODEL
Mainframe model
The client/server model was not the first computational model. First came the mainframe, which follows a one-machine-does-it-all model. That is, all the intelligence resides in one system, including the data and the program that manipulates and reports on the data. Users connect to a mainframe using terminals.
File-sharing model
With the introduction of PCs, file-sharing networks became available. In this scheme data is downloaded from a shared location to a user's PC, where a program then manipulates the data. The file-sharing model ran into problems as networks expanded and more users needed access to the data.
Client/server model
In the client/server model, a client uses a protocol, such as FTP, to request services, and a server provides the services that the client requests. Rather than providing data files as the file-sharing model does, the server in a client/server relationship is a database that provides only those pieces of information that the client needs or requests.

The client/server model dominates UNIX and Linux system networking and underlies most of the network services described in this book. FTP, NFS, DNS, email, and HTTP (the Web browsing protocol) all rely on the client/server model. Some servers, such as Web servers and browser clients, are designed to interact with specific utilities. Other servers, such as those supporting DNS, communicate with one another, in addition to answering queries from a variety of clients. Clients and servers can reside on the same or different systems running the same or different operating systems. The systems can be proximate or thousands of miles apart. A system that is a server to one system can turn around and act as a client to another. A server can reside on a single system or, as is the case with DNS, be distributed among thousands of geographically separated systems running many different operating systems.
Peer-to-peer model
The peer-to-peer (PTP) model, in which either program can initiate a transaction, stands in contrast to the client/server model. PTP protocols are common on small networks. For example, Microsoft's Network Neighborhood and Apple's AppleTalk both rely on broadcast-based PTP protocols for browsing and automatic configuration. The Zeroconf multicast DNS protocol is a PTP alternative to DNS for small networks. The highest-profile PTP networks are those used for file sharing, such as Kazaa and GNUtella. Many of these networks are not pure PTP topologies. Pure PTP networks do not scale well, so networks such as Napster and Kazaa employ a hybrid approach.

DNS: DOMAIN NAME SERVICE
DNS is a distributed service: Nameservers on thousands of machines around the world cooperate to keep the database up-to-date. The database itself, which maps hundreds of thousands of alphanumeric hostnames to numeric IP addresses, does not exist in one place. That is, no system has a complete copy of the database. Instead, each system that runs DNS knows which hosts are local to that site and understands how to contact other nameservers to learn about other, nonlocal hosts.

Like the Linux filesystem, DNS is organized hierarchically. Each country has an ISO (International Organization for Standardization) country code designation as its domain name. (For example, AU represents Australia, IL is Israel, and JP is Japan; see www.iana.org/domains/root/cctld for a complete list.) Although the United States is represented in the same way (US) and uses the standard two-letter Postal Service abbreviations to identify the next level of the domain, only governments and a few organizations use these codes. Schools in the US domain are represented by a third- (and sometimes second-) level domain: k12. For example, the domain name for Myschool in New York state could be www.myschool.k12.ny.us.

Following is a list of the six original top-level domains. These domains are used extensively within the United States and, to a lesser degree, by users in other countries:
COM    Commercial enterprises
EDU    Educational institutions
GOV    Nonmilitary government agencies
MIL    Military government agencies
NET    Networking organizations
ORG    Other (often nonprofit) organizations

Recently, the following additional top-level domains have been approved for use:
AERO      Air-transport industry
BIZ       Business
COOP      Cooperatives
INFO      Unrestricted use
MUSEUM    Museums
NAME      Name registries


Figure 10-3 U.S. top-level domains

Like Internet addresses, domain names were once assigned by the Network Information Center (NIC); now they are assigned by several companies. A system's full name, referred to as its fully qualified domain name (FQDN), is unambiguous in the way that a simple hostname cannot be. The system okeeffe.berkeley.edu at the University of California at Berkeley (Figure 10-3) is not the same as one named okeeffe.moma.org, which might represent a host at the Museum of Modern Art. The domain name not only tells you something about where the system is located but also adds enough diversity to the namespace to avoid confusion when different sites choose similar names for their systems.

Unlike the filesystem hierarchy, the top-level domain name appears last (reading from left to right). Also, domain names are not case sensitive, so the names okeeffe.berkeley.edu, okeeffe.Berkeley.edu, and okeeffe.Berkeley.EDU refer to the same computer. Once a domain has been assigned, the local site is free to extend the hierarchy to meet local needs.

With DNS, email addressed to user@example.com can be delivered to the computer named example.com that handles the corporate mail and knows how to forward messages to user mailboxes on individual machines. As the company grows, its site administrator might decide to create organizational or geographical subdomains. The name delta.ca.example.com might refer to a system that supports California offices, for example, while alpha.co.example.com is dedicated to Colorado. Functional subdomains might be another choice, with delta.sales.example.com and alpha.dev.example.com representing the sales and development divisions, respectively.
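The three properties the text just described (the top-level domain comes last, names are not case sensitive, and a site extends the hierarchy with subdomains) are easy to get wrong in code that decides whether a host belongs to a domain. The following added example (editorial, not the book's code) compares names label by label, which is what makes the subdomain test safe: a plain string-suffix test would accept evil-example.com as part of example.com. The hostnames are the ones used in the text; the functions and their names are this example's own.

```python
from typing import List


def labels(name: str) -> List[str]:
    """Split a domain name into its labels, lower-cased, ignoring a trailing
    root dot, so the hierarchy can be compared label by label."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def same_name(a: str, b: str) -> bool:
    """Domain names are not case sensitive: okeeffe.berkeley.edu and
    okeeffe.Berkeley.EDU name the same host."""
    return labels(a) == labels(b)


def tld(name: str) -> str:
    """The top-level domain is the last label (reading left to right)."""
    parts = labels(name)
    if not parts:
        raise ValueError("empty domain name")
    return parts[-1]


def ancestors(name: str) -> List[str]:
    """Every enclosing domain from the name itself up to its top-level domain,
    e.g. delta.ca.example.com -> ca.example.com -> example.com -> com."""
    parts = labels(name)
    return [".".join(parts[i:]) for i in range(len(parts))]


def in_zone(host: str, zone: str) -> bool:
    """True if host is zone itself or lies beneath it in the hierarchy.
    Whole labels are compared, so evil-example.com is NOT in example.com;
    a string suffix test (host.endswith("example.com")) would accept it."""
    h, z = labels(host), labels(zone)
    return len(h) >= len(z) and h[len(h) - len(z):] == z
```

The label-wise comparison in in_zone is the check to use wherever a domain decides trust, for instance when an access-control rule or a cookie policy names a zone.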
BIND
On Linux systems, the most common interface to the DNS is BIND (Berkeley Internet Name Domain). BIND follows the client/server model. On any given local network, one or more systems may be running a nameserver, supporting all the local hosts as clients. When it wants to send a message to another host, a system queries the nearest nameserver to learn the remote host's IP address. The client, called a resolver, may be a process running on the same computer as the nameserver, or it may pass the request over the network to reach a server. To reduce network traffic and facilitate name lookups, the local nameserver maintains some knowledge of distant hosts. If the local server must contact a remote server to pick up an address, when the answer comes back, the local server adds that address to its internal table and reuses it for a while. The nameserver deletes the nonlocal information before it can become outdated. Refer to "TTL" on page 1178.

The system's translation of symbolic hostnames into addresses is transparent to most users; only the system administrator of a networked system needs to be concerned with the details of name resolution. Systems that use DNS for name resolution are generally capable of communicating with the greatest number of hosts—more than would be practical to maintain in a /etc/hosts file or private NIS database. Chapter 24 covers setting up and running a DNS server.

Three common sources are referenced for hostname resolution: NIS, DNS, and system files (such as /etc/hosts). Linux does not ask you to choose among these sources; rather, the nsswitch.conf file (page 475) allows you to choose any of these sources, in any combination, and in any order.
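The order of sources on the hosts: line of nsswitch.conf decides which answer wins when more than one source knows a name. The following added example (editorial, not the book's or glibc's code) models that left-to-right fallback with constructed stand-ins for /etc/hosts, DNS, and NIS; the same name is deliberately given different addresses in the hosts file and in DNS so the effect of the order is visible. Bracketed action specifiers such as [NOTFOUND=return] are a real nsswitch.conf feature that this simplified model ignores.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the three sources the text names.
HOSTS_FILE = """\
127.0.0.1    localhost
192.0.2.10   intranet.example.com intranet   # constructed local override
"""
DNS_TABLE = {"intranet.example.com": "198.51.100.10",
             "www.example.com": "198.51.100.80"}
NIS_TABLE = {"nisbox.example.com": "192.0.2.50"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each name or alias in /etc/hosts format to its address."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            table.setdefault(n.lower(), addr)     # first entry for a name wins
    return table


def hosts_sources(nsswitch_text: str) -> List[str]:
    """Ordered list of sources on the 'hosts:' line of an nsswitch.conf.
    Simplification: bracketed action specifiers like [NOTFOUND=return] are
    dropped, so only plain left-to-right fallback is modeled."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line[len("hosts:"):].split() if not t.startswith("[")]
    return []


def resolve(name: str, nsswitch_text: str) -> Tuple[Optional[str], Optional[str]]:
    """Consult the sources in the configured order; return (address, source)
    from the first source that knows the name, or (None, None)."""
    sources = {"files": parse_hosts(HOSTS_FILE), "dns": DNS_TABLE, "nis": NIS_TABLE}
    key = name.rstrip(".").lower()
    for src in hosts_sources(nsswitch_text):
        addr = sources.get(src, {}).get(key)
        if addr is not None:
            return addr, src
    return None, None
```

With files ahead of dns, an entry in /etc/hosts silently overrides whatever DNS says, which is why both the order on that line and the integrity of /etc/hosts belong on a host-hardening checklist.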

PORTS
Ports are logical channels on a network interface and are numbered from 1 to 65,535. Each network connection is uniquely identified by the IP address and port number of each endpoint. In a system that has many network connections open simultaneously, the use of ports keeps packets (page 1164) flowing to and from the appropriate programs. A program that needs to receive data binds to a port and then uses that port for communication.

Privileged ports
Services are associated with specific ports, generally with numbers less than 1024. These ports are called privileged (or reserved) ports. For security reasons, only a process running with root privileges can bind to privileged ports. A service run on a privileged port provides assurance that the service is being provided by someone with authority over the system, with the exception that any user on Windows 98 and earlier Windows systems can bind to any port. Commonly used ports include 22 (SSH), 23 (TELNET), 80 (HTTP), 111 (Sun RPC), and 201-208 (AppleTalk).

NIS: NETWORK INFORMATION SERVICE
NIS (Network Information Service) simplifies the maintenance of frequently used administrative files by keeping them in a central database and having clients contact the database server to retrieve information from the database. Just as DNS addresses the problem of keeping multiple copies of hosts files up-to-date, NIS deals with the issue of keeping system-independent configuration files (such as /etc/passwd) current. Refer to Chapter 21 for coverage of NIS.

NFS: NETWORK FILESYSTEM
The NFS (Network Filesystem) protocol allows a server to share selected local directory hierarchies with client systems on a heterogeneous network. Files on the remote fileserver appear as if they are present on the local system. NFS is covered in Chapter 22.


optional
NETWORK SERVICES
Linux Internet services are provided by daemons that run continuously or by a daemon that is started automatically by the inetd or xinetd daemon (page 464) when a service request comes in. The /etc/services file lists network services (for example, telnet, ftp, and ssh) and their associated numbers. Any service that uses TCP/IP or UDP/IP has an entry in this file. IANA (Internet Assigned Numbers Authority) maintains a database of all permanent, registered services. The /etc/services file usually lists a small, commonly used subset of services.
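The "Ports" section earlier and the /etc/services paragraph just above describe two related mappings: service names to port numbers, and port numbers to the privileged range that only root may bind. The following added example (editorial, not the book's code) serves both passages: it parses a constructed excerpt in /etc/services format (the ports are the ones the text lists) and classifies ports the way the text does, going beyond the text in one respect that the lead-in and comments flag: the registered/dynamic split above 1024 follows IANA's published ranges, which the book does not discuss.

```python
from typing import Dict, List, Tuple

# Constructed excerpt in /etc/services format:
#   name  port/protocol  [aliases...]  # comment
SERVICES_SAMPLE = """\
# Network services, Internet style (constructed sample)
ssh        22/tcp                   # SSH Remote Login Protocol
telnet     23/tcp
http       80/tcp     www           # WorldWideWeb HTTP
sunrpc     111/tcp    portmapper    # RPC 4.0 portmapper
sunrpc     111/udp    portmapper
at-rtmp    201/tcp                  # AppleTalk routing
at-echo    204/tcp                  # AppleTalk echo
https      443/tcp
"""


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Map (service name or alias, protocol) to port number, the lookup that
    getservbyname(3) performs against /etc/services."""
    table: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, portproto, *aliases = line.split()
        port, proto = portproto.split("/")
        for n in (name, *aliases):
            table[(n, proto)] = int(port)
    return table


def port_class(port: int) -> str:
    """Classify a port. Below 1024 is the privileged (reserved) range the text
    describes; the registered (1024-49151) and dynamic (49152-65535) ranges
    above it are IANA's, not the book's."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port < 1024:
        return "privileged"
    if port < 49152:
        return "registered"
    return "dynamic"


def can_bind(port: int, uid: int) -> bool:
    """Classic UNIX rule from the text: only uid 0 may bind a privileged port.
    (Modern Linux can also grant this through CAP_NET_BIND_SERVICE or by
    lowering net.ipv4.ip_unprivileged_port_start; this model keeps to the
    book's rule.)"""
    return port_class(port) != "privileged" or uid == 0


def privileged_services(table: Dict[Tuple[str, str], int]) -> List[str]:
    """Names of the services in the table that sit on privileged ports,
    ordered by port number; aliases of an already-seen port are skipped."""
    seen: Dict[int, str] = {}
    for (name, _proto), port in table.items():
        if port_class(port) == "privileged":
            seen.setdefault(port, name)
    return [seen[p] for p in sorted(seen)]
```

A listener on a privileged port therefore implies that something with root authority (or an equivalent capability) started it, which is the assurance the "Privileged ports" paragraph describes and the reason an unexpected privileged listener is worth investigating.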
Most of the daemons (the executable files) are stored in /usr/sbin. By convention the names of many daemons end with the letter d to distinguish them from utilities (one common daemon whose name does not end in d is sendmail). The prefix in. or rpc. is often used for daemon names. Give the command ls /usr/sbin/*d to see a list of many of the daemon programs on the local system. Refer to "The Upstart Event-Based init Daemon" on page 432 and to "SysVinit (rc) Scripts: Start and Stop System Services" on page 440 for information about starting and stopping these daemons.

To see how a daemon works, consider what happens when you run ssh. The local system contacts the ssh daemon (sshd) on the remote system to establish a connection. The two systems negotiate the connection according to a fixed protocol. Each system identifies itself to the other, and then they take turns asking each other specific questions and waiting for valid replies. Each network service follows its own protocol.

COMMON DAEMONS
In addition to the daemons that support the utilities described up to this point, many other daemons support system-level services that you will not typically interact with. Table 10-4 lists some of these daemons.

Table 10-4 Common daemons

Each entry gives the daemon, what it is used for or by (in parentheses), and its function.

acpid (Advanced configuration and power interface): Flexible daemon for delivering ACPI events. Replaces apmd.

anacron (anacrontab): Used for periodic execution of tasks. This daemon looks in the /etc/anacrontab file. When a task comes up for execution, anacron executes it as the user who owns the file that describes the task.

apache2 (HTTP): The Web server daemon (Apache, page 899).

apmd (Advanced power management): Reports and takes action on specified changes in system power, including shutdowns. Useful with machines, such as laptops, that run on batteries.

atd (at): Executes a command once at a specific time and date. See crond for periodic execution of a command.

automount (Automatic mounting): Automatically mounts filesystems when they are accessed. Automatic mounting is a way of demand-mounting remote directories without having to hard-configure them into /etc/fstab. See page 792.

cron (crontab): Used for periodic execution of tasks. This daemon looks in the /var/spool/cron/crontabs directory for files with filenames that correspond to users' usernames. It also looks at the /etc/crontab file and at files in the /etc/cron.d directory. When a task comes up for execution, cron executes it as the user who owns the file that describes the task.

dhcpd (DHCP): Assigns Internet address, subnet mask, default gateway, DNS, and other information to hosts. This protocol answers DHCP requests and, optionally, BOOTP requests. Refer to "DHCP: Configures Network Interfaces" on page 470.

exim4 (Mail programs): The exim4 daemon came from the University of Cambridge. The exim4 daemon listens on port 25 for incoming mail connections and then calls a local delivery agent, such as /bin/mail. Mail user agents (MUAs), such as KMail and Thunderbird, typically use exim4 to deliver mail messages.

ftpd (FTP): Handles FTP requests. Refer to "ftp: Transfers Files over a Network" on page 393. See also vsftpd (page 687).

gpm (General-purpose mouse or GNU paste manager): Allows you to use a mouse to cut and paste text on console applications.

in.fingerd (finger): Handles requests for user information from the finger utility.

inetd: Listens for service requests on network connections and starts up the appropriate daemon to respond to any particular request. Because of inetd, a system does not need the daemons running continually to handle various network requests. For more information refer to page 464. Deprecated in favor of xinetd.

lpd (Line printer spooler daemon): Launched by xinetd when printing requests come to the machine. Not used with CUPS.

named (DNS): Supports DNS (page 821).

nfsd, statd, lockd, mountd, rquotad (NFS): These five daemons operate together to handle NFS (page 773) operations. The nfsd daemon handles file and directory requests. The statd and lockd daemons implement network file and record locking. The mountd daemon converts filesystem name requests from the mount utility into NFS handles and checks access permissions. If disk quotas are enabled, rquotad handles those.

ntpd (NTP): Synchronizes time on network computers. Requires a /etc/ntp.conf file. For more information go to www.ntp.org.

portmap (RPC): Maps incoming requests for RPC service numbers to TCP or UDP port numbers on the local system. Refer to "RPC Network Services" on page 406.

pppd (PPP): For a modem, this protocol controls the pseudointerface represented by the IP connection between the local computer and a remote computer. Refer to "PPP: Point-to-Point Protocol" on page 381.

rexecd (rexec): Allows a remote user with a valid username and password to run programs on a system. Its use is generally deprecated for security reasons; certain programs, such as PC-based X servers, may still have it as an option.

routed (Routing tables): Manages the routing tables so your system knows where to send messages that are destined for remote networks. If your system does not have a /etc/defaultrouter file, routed is started automatically to listen to incoming routing messages and to advertise outgoing routes to other systems on the local network. A newer daemon, the gateway daemon (gated), offers enhanced configurability and support for more routing protocols and is proportionally more complex.

rsyslogd (System log): Transcribes important system events and stores them in files and/or forwards them to users or another host running the rsyslogd daemon. This daemon is configured with /etc/rsyslog.conf. See page 625.

sendmail (Mail programs): The sendmail daemon came from Berkeley UNIX and has been available for a long time. The de facto mail transfer program on the Internet, the sendmail daemon always listens on port 25 for incoming mail connections and then calls a local delivery agent, such as /bin/mail. Mail user agents (MUAs), such as KMail and Thunderbird, typically use sendmail to deliver mail messages.

smbd, nmbd (Samba): Allow Windows PCs to share files and printers with UNIX and Linux computers (page 797).

sshd (ssh, scp): Enables secure logins between remote systems (page 676).

talkd (talk): Allows you to have a conversation with another user on the same or a remote machine. The talkd daemon handles the connections between the machines. The talk utility on each system contacts the talkd daemon on the other system for a bidirectional conversation.

telnetd (TELNET): One of the original Internet remote access protocols (page 391).

tftpd (TFTP): Used to boot a system or get information from a network. Examples include network computers, routers, and some printers.

timed (Time server): On a LAN synchronizes time with other computers that are also running timed.

xinetd (Internet superserver): Listens for service requests on network connections and starts up the appropriate daemon to respond to any particular request. Because of xinetd, a system does not need the daemons running continually to handle various network requests. For more information refer to page 464.

PROXY SERVERS
A proxy is a network service that is authorized to act for a system while not being part of that system. A proxy server or proxy gateway provides proxy services; it is a transparent intermediary, relaying communications back and forth between an application, such as a browser and a server, usually outside of a LAN and frequently on the Internet. When more than one process uses the proxy gateway/server, the proxy must keep track of which processes are connecting to which hosts/servers so that it can route the return messages to the proper process. The most commonly encountered proxies are email and Web proxies.

A proxy server/gateway insulates the local computer from all other computers or from specified domains by using at least two IP addresses: one to communicate with the local computer and one to communicate with a server. The proxy server/gateway examines and changes the header information on all packets it handles so that it can encode, route, and decode them properly. The difference between a proxy gateway and a proxy server is that the proxy server usually includes a cache (page 1139) to store frequently used Web pages so that the next request for that page is available locally and quickly; a proxy gateway typically does not use cache. The terms "proxy server" and "proxy gateway" are frequently used interchangeably.

406

CHAPTER 1 0

N E T W O R K I N G AND THE INTERNET

P r o x y s e r v e r s / g a t e w a y s a r e a v a i l a b l e f o r s u c h c o m m o n I n t e r n e t s e r v i c e s as H T T P ,
H T T P S , FTP, S M T P , a n d S N M P . W h e n a n H T T P p r o x y sends queries f r o m

local

systems, it presents a single o r g a n i z a t i o n w i d e IP address (the external IP address of
the p r o x y server/gateway) t o all servers. It funnels all user requests t o the a p p r o p r i ate servers a n d keeps t r a c k o f t h e m . W h e n the responses c o m e b a c k , the

HTTP

p r o x y fans t h e m o u t to the appropriate applications using each machine's u n i q u e IP
address, t h e r e b y p r o t e c t i n g l o c a l addresses f r o m remote/specified servers.
P r o x y servers/gateways are generally just one p a r t of an overall f i r e w a l l strategy to
prevent

intruders

from

stealing i n f o r m a t i o n

or

damaging

an internal

network.

O t h e r functions, w h i c h c a n be either c o m b i n e d w i t h or k e p t separate f r o m

the

p r o x y server/gateway, include packet filtering, w h i c h blocks traffic based o n origin
a n d type, a n d user activity r e p o r t i n g , w h i c h helps m a n a g e m e n t learn h o w the Intern e t is b e i n g u s e d .

RPC NETWORK SERVICES
Much of the client/server interaction over a network is implemented using the RPC (Remote Procedure Call) protocol, which is implemented as a set of library calls that make network access transparent to the client and server. RPC specifies and interprets messages but does not concern itself with transport protocols; it runs on top of TCP/IP and UDP/IP. Services that use RPC include NFS and NIS. RPC was developed by Sun as ONC RPC (Open Network Computing Remote Procedure Calls) and differs from Microsoft RPC.

In the client/server model, a client contacts a server on a specific port (page 401) to avoid any mixup between services, clients, and servers. To avoid maintaining a long list of port numbers and to enable new clients/servers to start up without registering a port number with a central registry, when a server that uses RPC starts, it specifies the port it expects to be contacted on. RPC servers typically use port numbers that have been defined by Sun. If a server does not use a predefined port number, it picks an arbitrary number.

portmap
The server then registers this port with the RPC portmapper (the portmap daemon) on the local system. The server tells the daemon which port number it is listening on and which RPC program numbers it serves. Through these exchanges, the portmap daemon learns the location of every registered port on the host and the programs that are available on each port. The portmap daemon, which always listens on port 111 for both TCP and UDP, must be running to make RPC calls.

Files
The /etc/rpc file (page 496) maps RPC services to RPC numbers. The /etc/services file (page 497) lists system services.

RPC client/server communication
The sequence of events for communication between an RPC client and server occurs as follows:
1. The client program on the client system makes an RPC call to obtain data from a (remote) server system. (The client issues a "read record from a file" request.)
2. If RPC has not yet established a connection with the server system for the client program, it contacts portmap on port 111 of the server and asks which port the desired RPC server is listening on (for example, rpc.nfsd).
3. The portmap daemon on the remote server looks in its tables and returns a UDP or TCP port number to the local system, the client (typically 2049 for nfs).
4. The RPC libraries on the server system receive the call from the client and pass the request to the appropriate server program. The origin of the request is transparent to the server program. (The filesystem receives the "read record from file" request.)
5. The server responds to the request. (The filesystem reads the record.)
6. The RPC libraries on the remote server return the result over the network to the client program. (The read record is returned to the calling program.)

Under Ubuntu Linux most servers start and run their own daemons. When RPC servers are started by the xinetd daemon (page 464), the portmap daemon must be started before the xinetd daemon is invoked. The init scripts (page 440) make sure portmap starts before xinetd. You can confirm this sequence by looking at the numbers associated with /etc/rc.d/*/S*portmap and /etc/rc.d/*/S*xinetd. If the portmap daemon stops, you must restart all RPC servers on the local system.
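Steps 2 and 3 of the sequence above, as an added example that is not from the book: it builds the ONC RPC GETPORT call that a client (or rpcinfo) sends to portmap on UDP port 111 and decodes the reply, rejecting any datagram whose transaction id does not match the call. The program and procedure numbers (portmap 100000, PMAPPROC_GETPORT 3, nfs 100003) come from the ONC RPC specification rather than the page, and the reply used for the offline check is constructed.

```python
"""Steps 2/3 of the RPC sequence: ask portmap (UDP port 111) where a program listens.

Added example, not from the book. Program/procedure numbers follow the ONC RPC
specification (RFC 1057/1833); /etc/rpc maps the names to the same numbers.
"""
import random
import socket
import struct

PMAP_PORT = 111            # portmap always listens here, on both TCP and UDP
PMAP_PROG = 100000         # RPC program number of portmap itself
PMAP_VERS = 2
PMAPPROC_GETPORT = 3       # "which port is (prog, vers, proto) registered on?"
NFS_PROG = 100003          # "nfs" in /etc/rpc
IPPROTO_TCP, IPPROTO_UDP = 6, 17

RPC_VERSION = 2
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED = 0           # reply_stat: the call was accepted (not MSG_DENIED)
SUCCESS = 0                # accept_stat: the procedure ran and returned results
AUTH_NULL = 0              # portmap lookups need no credentials


def build_getport_call(xid, prog, vers, proto):
    """XDR-encode an RPC CALL for PMAPPROC_GETPORT (every field is a big-endian uint32)."""
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", AUTH_NULL, 0)            # credential: flavor, empty body
    verf = struct.pack(">II", AUTH_NULL, 0)            # verifier: flavor, empty body
    args = struct.pack(">IIII", prog, vers, proto, 0)  # mapping; port is ignored on lookup
    return header + cred + verf + args


def parse_getport_reply(xid, data):
    """Decode portmap's reply; returns the port (0 means "not registered").

    A reply whose xid does not match ours is rejected, so a stray or spoofed
    datagram cannot be taken as the answer."""
    if len(data) < 28:
        raise ValueError("reply too short")
    r_xid, msg_type, reply_stat = struct.unpack(">III", data[:12])
    if r_xid != xid or msg_type != RPC_REPLY:
        raise ValueError("not a reply to our call")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("call denied by portmap")
    _verf_flavor, verf_len = struct.unpack(">II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)                   # opaque verifier is padded to 4 bytes
    if len(data) < off + 8:
        raise ValueError("reply truncated")
    accept_stat, port = struct.unpack(">II", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError("portmap could not execute the call (accept_stat=%d)" % accept_stat)
    return port


def build_getport_reply(xid, port):
    """Constructed reply in the form portmap sends; lets the parser be checked offline."""
    return struct.pack(">IIIIIII", xid, RPC_REPLY, MSG_ACCEPTED,
                       AUTH_NULL, 0, SUCCESS, port)


def getport(host, prog, vers, proto, timeout=2.0):
    """Perform the exchange against a live portmap; one line of what rpcinfo -p shows."""
    xid = random.getrandbits(32)                       # ties the reply to this call
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_getport_call(xid, prog, vers, proto), (host, PMAP_PORT))
        data, _peer = sock.recvfrom(4096)
    return parse_getport_reply(xid, data)


if __name__ == "__main__":
    # Where is NFS v3 over TCP on this host? (2049 if nfsd is registered, 0 if not.)
    try:
        print("nfs v3/tcp:", getport("127.0.0.1", NFS_PROG, 3, IPPROTO_TCP))
    except (OSError, ValueError) as exc:
        print("no usable answer from portmap:", exc)
```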

USENET
One of the earliest information services available on the Internet, Usenet is an electronic bulletin board that allows users with common interests to exchange information. Usenet comprises an informal, loosely connected network of systems that exchange email and news items (commonly referred to as netnews). It was formed in 1979 when a few sites decided to share some software and information on topics of common interest. They agreed to contact one another and to pass the information along over dial-up telephone lines (at that time running at 1,200 baud at best), using UNIX's uucp utility (UNIX-to-UNIX copy program).

The popularity of Usenet led to major changes in uucp to handle the escalating volume of messages and sites. Today much of the news flows over network links using a sophisticated protocol designed especially for this purpose: NNTP (Network News Transfer Protocol). The news messages are stored in a standard format, and the many public domain programs available let you read them. An old, simple interface is named readnews. Other interfaces, such as rn, its X Window System cousin xrn, tin, nn, and xvnews, have many features that help you browse through and reply to the articles that are available or create articles of your own. In addition, Netscape and Mozilla include an interface that you can use to read news (Netscape/Mozilla News) as part of their Web browsers. One of the easiest ways to read netnews is to go to groups.google.com. The program you select to read netnews is largely a matter of personal taste.

As programs to read netnews articles have been ported to non-UNIX and non-Linux systems, the community of netnews users has become highly diversified. In the UNIX tradition, categories of netnews groups are structured hierarchically. The top level includes such designations as comp (computer-related), misc (miscellaneous), rec (recreation), sci (science), soc (social issues), and talk (ongoing discussions). Usually at least one regional category is at the top level, such as ba (San Francisco Bay Area), and includes information about local events. New categories are continually being added to the more than 30,000 newsgroups. The names of newsgroups resemble domain names but are read from left to right (like Linux filenames): comp.os.unix.misc, comp.lang.c, misc.jobs.offered, rec.skiing, sci.med, soc.singles, and talk.politics are but a few examples.

A great deal of useful information is available on Usenet, but you need patience and perseverance to find what you are looking for. You can ask a question, and someone from halfway around the world might answer it. Before posing such a simple question and causing it to appear on thousands of systems around the world, however, first ask yourself whether you can get help in a less invasive way. Try the following:
• Refer to the man pages and info.
• Look through the files in /usr/share/doc.
• Ask the system administrator or another user for help.
• All of the popular newsgroups have FAQs (lists of frequently asked questions). Consult these lists and see whether your question has been answered. FAQs are periodically posted to the newsgroups; in addition, all the FAQs are archived at sites around the Internet, including Google groups (groups.google.com).
• Because someone has probably asked the same question earlier, search the netnews archives for an answer. Try looking at groups.google.com, which has a complete netnews archive.
• Use a search engine to find an answer. One good way to get help is to search on an error message.
• Review support documents at help.ubuntu.com.
• Contact an Ubuntu Linux users' group.

Post a query to the worldwide Usenet community as a last resort. If you are stuck on a Linux question and cannot find any other help, try submitting it to one of these newsgroups:
• comp.os.linux.misc
• alt.os.linux
• comp.os.linux.networking
• comp.os.linux.security
• comp.os.linux.setup

One way to find out about new tools and services is to read Usenet news. The comp.os.linux hierarchy is of particular interest to Linux users; for example, news about newly released software for Linux is posted to comp.os.linux.announce. People often announce the availability of free software there, along with instructions on how to get a copy for your own use using anonymous FTP (page 694). Other tools to help you find resources, both old and new, exist on the network; see Appendix B.

WWW: WORLD WIDE WEB
The World Wide Web (WWW, W3, or the Web) provides a unified, interconnected interface to the vast amount of information stored on computers around the world. The idea that spawned the World Wide Web came from the mind of Tim Berners-Lee (www.w3.org/People/Berners-Lee) of the European Particle Physics Laboratory (CERN) in response to a need to improve communications throughout the high-energy physics community. The first-generation solution consisted of a notebook program named Enquire, short for Enquire Within Upon Everything (the name of a book from Berners-Lee's childhood), which he created in 1980 on a NeXT computer and which supported links between named nodes. Not until 1989 was the concept proposed as a global hypertext project to be known as the World Wide Web. In 1990, Berners-Lee wrote a proposal for a hypertext project, which eventually produced HTML (Hypertext Markup Language), the common language of the Web. The World Wide Web program became available on the Internet in the summer of 1991. By designing the tools to work with existing protocols, such as FTP and gopher, the researchers who created the Web produced a system that is generally useful for many types of information and across many types of hardware and operating systems.

The WWW is another example of the client/server paradigm. You use a WWW client application, or browser, to retrieve and display information stored on a server that may be located anywhere on your local network or the Internet. WWW clients can interact with many types of servers. For example, you can use a WWW client to contact a remote FTP server and display the list of files it offers for anonymous FTP. Most commonly you use a WWW client to contact a WWW server, which offers support for the special features of the World Wide Web that are described in the remainder of this chapter.

The power of the Web derives from its use of hypertext, a way to navigate through information by following cross-references (called links) from one piece of information to another. To use the Web effectively, you need to run interactive network applications. The first GUI for browsing the Web was a tool named Mosaic, which was released in February 1993. Designed at the National Center for Supercomputer Applications at the University of Illinois, its introduction sparked a dramatic increase in the number of users of the World Wide Web. Marc Andreessen, who participated in the Mosaic project at the University of Illinois, later cofounded Netscape Communications with the founder of Silicon Graphics, Jim Clark. The pair created Netscape Navigator, a Web client program that was designed to perform better and support more features than the Mosaic browser. Netscape Navigator has enjoyed immense success and has become a popular choice for exploring the World Wide Web. Important for Linux users is the fact that from its inception Netscape has provided versions of its tools that run on Linux. Also, Netscape created Mozilla (mozilla.org) as an open-source browser project.

These browsers provide GUIs that allow you to listen to sounds, watch Web events or live news reports, and display pictures as well as text, giving you access to hypermedia. A picture on your screen may be a link to more detailed, nonverbal information, such as a copy of the same picture at a higher resolution or a short animation. If your system can produce audio output, you can listen to audio clips that have been linked to a document.

URL: UNIFORM RESOURCE LOCATOR
Consider the URL http://www.w3.org/Consortium/siteindex. The first component in the URL indicates the type of resource, in this case http (HTTP—Hypertext Transfer Protocol). Other valid resource names, such as https (HTTPS—secure HTTP) and ftp (FTP—File Transfer Protocol), represent information available on the Web using other protocols. Next come a colon and double slash (://). Frequently the http:// string is omitted from a URL in print, as you seldom need to enter it to reach the URL. The next element is the full name of the host that acts as the server for the information (www.w3.org/). The rest of the URL consists of a relative pathname to the file that contains the information (Consortium/siteindex). If you enter a URL in the location bar of a Web browser, the Web server returns the page, frequently an HTML (page 1152) file, pointed to by this URL.

By convention many sites identify their WWW servers by prefixing a host or domain name with www. For example, you can reach the Web server at the New Jersey Institute of Technology at www.njit.edu. When you use a browser to explore the World Wide Web, you may never need to enter a URL. However, as more information is published in hypertext form, you cannot help but find URLs everywhere—not just online in email messages and Usenet articles, but also in newspapers, in advertisements, and on product labels.

BROWSERS
Mozilla (www.mozilla.org) is the open-source counterpart to Netscape. Mozilla, which was first released in March 1998, was based on Netscape 4 code. Since then, Mozilla has been under continuous development by employees of Netscape (now a division of AOL) and other companies and by contributors from the community. Firefox is the Web browser component of Mozilla. KDE offers Konqueror, an all-purpose file manager and Web browser. Other browsers include Epiphany (projects.gnome.org/epiphany) and Opera (www.opera.com). Although each Web browser is unique, all of them allow you to move about the Internet, viewing HTML documents, listening to sounds, and retrieving files. If you do not use the X Window System, try a text browser, such as lynx or links. The lynx browser works well with Braille terminals.

SEARCH ENGINES
Search engine is a name that applies to a group of hardware and software tools that help you search for World Wide Web sites that contain specific information. A search engine relies on a database of information collected by a Web crawler, a program that regularly looks through the millions of pages that make up the World Wide Web. A search engine must also have a way of collating the information the Web crawler collects so that you can access it quickly, easily, and in a manner that makes it most useful to you. This part of the search engine, called an index, allows you to search for a word, a group of words, or a concept; it returns the URLs of Web pages that pertain to what you are searching for. Many different types of search engines are available on the Internet, each with its own set of strengths and weaknesses.

CHAPTER SUMMARY
A Linux system attached to a network is probably communicating on an Ethernet, which may in turn be linked to other local area networks (LANs) and wide area networks (WANs). Communication between LANs and WANs requires the use of gateways and routers. Gateways translate the local data into a format suitable for the WAN, and routers make decisions about the optimal routing of the data along the way. The most widely used network, by far, is the Internet.

Basic networking tools allow Linux users to log in and run commands on remote systems (ssh, telnet) and copy files quickly from one system to another (scp, ftp/sftp). Many tools that were originally designed to support communication on a single-host computer (for example, finger and talk) have since been extended to recognize network addresses, thus allowing users on different systems to interact with one another. Other features, such as the Network Filesystem (NFS), were created to extend the basic UNIX model and to simplify information sharing.

Concern is growing about our ability to protect the security and privacy of machines connected to networks and of data transmitted over networks. Toward this end, many new tools and protocols have been created: ssh, scp, HTTPS, IPv6, firewall hardware and software, VPN, and so on. Many of these tools take advantage of newer, more impenetrable encryption techniques. In addition, some weaker concepts (such as that of trusted hosts) and some tools (such as finger and rwho) are being discarded in the name of security.

Computer networks offer two major advantages over other ways of connecting computers: They enable systems to communicate at high speeds and they require few physical interconnections (typically one per system, often on a shared cable). The Internet Protocol (IP), the universal language of the Internet, has made it possible for dissimilar computer systems around the world to readily communicate with one another. Technological advances continue to improve the performance of computer systems and the networks that link them.

One way to gather information on the Internet is via Usenet. Many Linux users routinely peruse Usenet news (netnews) to learn about the latest resources available for their systems. Usenet news is organized into newsgroups that cover a wide range of topics, computer-related and otherwise. To read Usenet news, you need to have access to a news server and the appropriate client software. Many modern email programs, such as Mozilla and Netscape, can display netnews.

The rapid increase of network communication speeds in recent years has encouraged the development of many new applications and services. The World Wide Web provides access to vast information stores on the Internet and makes extensive use of hypertext links to promote efficient searching through related documents. It adheres to the client/server model that is so pervasive in networking. Typically the WWW client is local to a site or is made available through an Internet service provider. WWW servers are responsible for providing the information requested by their many clients.

Mozilla/Firefox is a WWW client program that has enormous popular appeal. Firefox and other browsers use a GUI to give you access to text, picture, and audio information: Making extensive use of these hypermedia simplifies access to and enhances the presentation of information.

EXERCISES
1. Describe the similarities and differences between these utilities:
   a. scp and ftp
   b. ssh and telnet
   c. rsh and ssh
2. Assuming rwho is disabled on the systems on your LAN, describe two ways to find out who is logged in on some of the other machines attached to your network.
3. Explain the client/server model. Give three examples of services on Linux systems that take advantage of this model.
4. A software implementation of chess was developed by GNU and is available for free. How can you use the Internet to find a copy and download it?
5. What is the difference between the World Wide Web and the Internet?
6. If you have access to the World Wide Web, answer the following questions.
   a. Which browser do you use?
   b. What is the URL of the author of this book's home page? How many links does it have?
   c. Does your browser allow you to create bookmarks? If so, how do you create a bookmark? How can you delete one?
7. Give one advantage and two disadvantages of using a wireless network.

ADVANCED EXERCISES
8. Suppose the link between routers 1 and 2 is down in the Internet shown in Figure 10-1 on page 378. What happens if someone at site C sends a message to a user on a workstation attached to the Ethernet cable at site A? What happens if the router at site A is down? What does this tell you about designing network configurations?
9. If you have a class B network and want to divide it into subnets, each with 126 hosts, which subnet mask should you use? How many networks will be available? What are the four addresses (broadcast and network number) for the network starting at 131.204.18?
10. Suppose you have 300 hosts and want to have no more than 50 hosts per subnet. What size of address block should you request from your ISP? How many class C-equivalent addresses would you need? How many subnets would you have left over from your allocation?
11. a. On your system, find two daemons running that are not listed in this chapter and explain what purpose they serve.
    b. Review which services/daemons are automatically started on your system, and consider which you might turn off. Are there any services/daemons in the list in Table 10-4 on page 402 that you would consider adding?

PART IV
SYSTEM ADMINISTRATION

CHAPTER 11  SYSTEM ADMINISTRATION: CORE CONCEPTS  417
CHAPTER 12  FILES, DIRECTORIES, AND FILESYSTEMS  487
CHAPTER 13  DOWNLOADING AND INSTALLING SOFTWARE  517
CHAPTER 14  PRINTING WITH CUPS  547
CHAPTER 15  BUILDING A LINUX KERNEL  571
CHAPTER 16  ADMINISTRATION TASKS  593
CHAPTER 17  CONFIGURING AND MONITORING A LAN  637

11
SYSTEM ADMINISTRATION: CORE CONCEPTS

IN THIS CHAPTER
Running Commands with root Privileges 419
sudo: Running a Command with root Privileges 421
The Upstart Event-Based init Daemon 432
SysVinit (rc) Scripts: Start and Stop System Services 440
Recovery (Single-User) Mode 445
rpcinfo: Displays Information About portmap 462
TCP Wrappers: Secure a Server (hosts.allow and hosts.deny) 465
Setting Up a chroot Jail 466
DHCP: Configures Network Interfaces 470

The job of a system administrator is to keep one or more systems in a useful and convenient state for users. On a Linux system, the administrator and user may both be you, with you and the computer being separated by only a few feet. Alternatively, the system administrator may be halfway around the world, supporting a network of systems, with you being one of thousands of users. On the one hand, a system administrator can be one person who works part-time taking care of a system and perhaps is also a user of the system. On the other hand, several administrators can work together full-time to keep many systems running.

A well-maintained system
• Runs quickly enough so users do not get frustrated waiting for the system to respond or complete a task.
• Has enough storage to accommodate users' reasonable needs.
• Provides a working environment appropriate to each user's abilities and requirements.
• Is secure from malicious and accidental acts altering its performance or compromising the security of the data it holds and exchanges with other systems.
• Is backed up regularly, with recently backed-up files being readily available to users.
• Has recent copies of the software that users need to get their jobs done.
• Is easier to administer than a poorly maintained system.
In addition, a system administrator should be available to help users with all types of system-related problems—from logging in to obtaining and installing software updates to tracking down and fixing obscure network issues.
Part IV of this book breaks system administration into seven chapters:
• Chapter 11 covers the core concepts of system administration, including working with root (Superuser) privileges, system operation, the Ubuntu configuration tools and other useful utilities, general information about setting up and securing a server (including a section on DHCP), and PAM.
• Chapter 12 covers files, directories, and filesystems from an administrator's point of view.
• Chapter 13 covers installing software on the system, including the use of APT (aptitude), the Debian package (dpkg) management system, BitTorrent, and wget.
• Chapter 14 discusses how to set up local and remote printers that use the CUPS printing system.
• Chapter 15 explains how to rebuild the Linux kernel.
• Chapter 16 covers additional system administrator tasks and tools, including setting up users and groups, backing up files, scheduling tasks, printing system reports, and general problem solving.
• Chapter 17 goes into detail about how to set up a LAN, including setting up and configuring network hardware and configuring software.
Because Linux is readily configurable and runs on a wide variety of platforms (Sun SPARC, DEC/Compaq Alpha, Intel x86, AMD, PowerPC, and more), this chapter cannot discuss every system configuration or every action you might potentially have to take as a system administrator. Instead, this chapter seeks to familiarize you with the concepts you need to understand and the tools you will use to maintain an Ubuntu system. Where it is not possible to go into depth about a subject, the chapter provides references to other sources.
This chapter assumes you are familiar with the following terms:
block device (page 1137), daemon (page 1144), device (page 1145), device filename (page 1145), disk partition (page 1145), environment (page 1147), filesystem (page 1148), fork (page 1149), kernel (page 1156), login shell (page 1158), mount (page 1160), process (page 1166), root filesystem (page 1170), runlevel (page 1170), signal (page 1172), spawn (page 1173), system console (page 1176), X server (page 1181)

RUNNING COMMANDS WITH root PRIVILEGES

Some commands can damage the filesystem or crash the operating system. Other commands can invade users' privacy or make the system less secure. To keep a Linux system up and running as well as secure, Ubuntu is configured not to permit ordinary users to execute some commands and access certain files. Linux provides several ways for a trusted user to execute these commands and access these files. The default username of the trusted user with these systemwide powers is root; a user with these privileges is also sometimes referred to as Superuser. As this section explains, Ubuntu enables specified ordinary users to run commands with root privileges while logged in as themselves.
A user running with root privileges has the following powers—and more:
• Some commands, such as those that add new users, partition hard drives, and change system configuration, can be executed only by a user with root privileges. Such a user can configure tools, such as sudo, to give specific users permission to perform tasks that are normally reserved for a user running with root privileges.
• Read, write, and execute file access and directory access permissions do not affect a user with root privileges. A user with root privileges can read from, write to, and execute all files, as well as examine and work in all directories.
• Some restrictions and safeguards that are built into some commands do not apply to a user with root privileges. For example, a user with root privileges can change any user's password without knowing the old password.


Security: Console security
Ubuntu Linux is not secure from a person who has physical access to the computer. Additional security measures, such as setting boot loader and BIOS passwords, can help secure the computer. However, if someone has physical access to the hardware, as system console users typically do, it is very difficult to secure a system from that user.

Caution: Least privilege
When you are working on any computer system, but especially when you are working as the system administrator (with root privileges), perform any task while using the least privilege possible. When you can perform a task logged in as an ordinary user, do so. When you must run a command with root privileges, do as much as you can as an ordinary user, use sudo so you have root privileges, complete the part of the task that has to be done with root privileges, and revert to being an ordinary user as soon as you can. Because you are more likely to make a mistake when you are rushing, this concept becomes even more important when you have less time to apply it.
When you are running with root privileges in a command-line environment, by convention the shell displays a special prompt to remind you of your status. By default, this prompt is (or ends with) a hashmark (#). You can gain or grant root privileges in a number of ways:
• When you bring the system up in recovery mode (page 445), you are logged in as the user named root.
• The sudo utility allows specified users to run selected commands with root privileges while they are logged in as themselves. You can set up sudo to allow certain users to perform specific tasks that require root privileges without granting them systemwide root privileges. See page 421 for more information on sudo.
• Some programs ask for your password when they start. If sudo is set up to give you root privileges, when you provide your password, the program runs with root privileges. When a program requests a password when it starts, you stop running as a privileged user when you quit using the program. This setup keeps you from remaining logged in with root privileges when you do not need or intend to be.
• Any user can create a setuid (set user ID) file. Setuid programs run on behalf of the owner of the file and have all the access privileges that the owner has. While you are running as a user with root privileges, you can change the permissions of a file owned by root to setuid. When an ordinary user executes a file that is owned by root and has setuid permissions, the program has effective root privileges. In other words, the program can do anything a user with root privileges can do that the program normally does. The user's privileges do not change. Thus, when the program finishes running, all user privileges are as they were before the program started. Setuid programs owned by root are both extremely powerful and extremely dangerous to system security, which is why a system contains very few of them. Examples of setuid programs that are owned by root include passwd, at, and crontab. For more information refer to "Setuid and Setgid Permissions" on page 218.

Security: root-owned setuid programs are extremely dangerous
Because root-owned setuid programs allow someone who does not know the root password and cannot use sudo to gain root privileges, they are tempting targets for a malicious user. Also, programming errors that make normal programs crash can become root exploits in setuid programs. A system should have as few of these programs as possible. You can disable setuid programs at the filesystem level by mounting a filesystem with the nosuid option (page 508). See page 454 for a command that lists all setuid files on the local system.

optional
The following techniques for gaining root privileges depend on unlocking the root account (setting up a root password) as explained on page 431.
• You can give an su (substitute user) command while you are logged in as yourself. When you then provide the root password, you will have root privileges. For more information refer to "su: Gives You Another User's Privileges" on page 431.
• Once the system is up and running in multiuser mode (page 448), you can log in as root. When you then supply the root password, you will be running with root privileges.
Some techniques limit how someone can log in as root. For example, PAM (page 478) controls the who, when, and how of logging in. The /etc/securetty file controls which terminals (ttys) a user can log in on as root. The /etc/security/access.conf file adds another dimension to login control (see the comments in the file for details).

Security: Do not allow root access over the Internet
Prohibiting root logins using login over a network is the default policy of Ubuntu and is implemented by the PAM securetty module. The /etc/security/access.conf file must contain the names of all users and terminals/workstations that you want a user to be able to log in as root. Initially every line in access.conf is commented out.
You can, however, log in as root over a network using ssh (page 663). As shipped by Ubuntu, ssh does not follow the instructions in securetty or access.conf. In addition, in /etc/ssh/sshd_config, Ubuntu sets PermitRootLogin to yes to permit root to log in using ssh (page 680).

sudo: RUNNING A COMMAND WITH root PRIVILEGES
Classically a user gained root privileges by logging in as root or by giving an su (substitute user) command and providing the root password. When an ordinary user executed a privileged command in a graphical environment, the system would prompt for the root password. More recently the use of sudo (www.sudo.ws) has taken over these classic techniques of gaining root privileges.

Tip: There is a root account, but no root password
As installed, Ubuntu locks the root account by not providing a root password. This setup prevents anyone from logging in to the root account (except when you bring the system up in recovery mode [page 445]). There is, however, a root account (a user with the username root—look at the first line in /etc/passwd). This account/user owns files (give the command ls -l /bin) and runs processes (give the command ps -ef and look at the left column of the output). The root account is critical to the functioning of an Ubuntu system.
The sudo utility enables you to run a command as though it had been run by a user logged in as root. This book uses the phrase "working with root privileges" to emphasize that, although you are not logged in as root, when you use sudo you have the powers of the root user.
Ubuntu strongly encourages the use of sudo. In fact, as shipped, Ubuntu locks the root account (there is no password) so you cannot use the classic techniques. Using sudo rather than the root account for system administration offers many advantages:
• When you run sudo, it requests your password—not the root password—so you have to remember only one password.
• The sudo utility logs all commands it executes. This log can be useful for retracing your steps if you make a mistake and for system auditing.
• The sudo utility logs the username of a user who issues an sudo command. On systems with more than one administrator, this log tells you which users have issued sudo commands. Without sudo, you would not know which user issued a command while working with root privileges.
• The sudo utility allows implementation of a finer-grained security policy than does the use of su and the root account. Using sudo, you can enable specific users to execute specific commands—something you cannot do with the classic root account setup.
• Using sudo makes it harder for a malicious user to gain access to a system. When there is an unlocked root account, a malicious user knows the username of the account she wants to crack before she starts. When the root account is locked, the user has to determine the username and the password to break into a system.
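The audit log sudo keeps is only useful if someone reads it. The following script, an added example rather than code from the book, parses the entries sudo writes to the system log (on Ubuntu, /var/log/auth.log), reports which user ran which commands with root privileges, lists the attempts sudo refused, and flags interactive root shells; the log lines, the host name plum and the users are constructed for the example.

```python
"""Audit the entries sudo writes to the system log (added example, not the book's code).

sudo logs every command it runs, and the name of the user who ran it, in lines of the
form  user : TTY=... ; PWD=... ; USER=target ; COMMAND=...  (a refusal adds a reason
such as "3 incorrect password attempts" before TTY=). On Ubuntu these land in
/var/log/auth.log. The lines below are constructed in that format; the host "plum" and
the users are made up.
"""
import os
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 11 14:24:00 plum sudo:      sam : TTY=pts/0 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/date 03111424
Mar 11 14:25:10 plum sudo:      sam : TTY=pts/0 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/umount /music
Mar 11 14:30:02 plum sudo:      sam : TTY=pts/0 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/bash
Mar 11 14:41:17 plum sudo:      max : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/max ; USER=root ; COMMAND=/sbin/reboot
Mar 11 14:42:05 plum sudo:     zach : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/zach ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 11 14:43:00 plum sshd[1234]: Accepted publickey for sam from 10.0.0.5 port 51234 ssh2
"""

SUDO_LINE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"      # reason present only when refused
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"(?:GROUP=\S+ ; )?COMMAND=(?P<command>.*)$"
)
ROOT_SHELLS = {"bash", "sh", "dash", "zsh"}  # sudo -i / sudo -s log the shell as the command

def parse_sudo_line(line):
    """Return the fields of one sudo log line as a dict, or None for any other line."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["reason"] is None
    return rec

def spawns_root_shell(rec):
    """True when the command run with root privileges is itself an interactive shell."""
    program = os.path.basename(rec["command"].split()[0])
    return rec["target"] == "root" and program in ROOT_SHELLS

def audit(log_text):
    """Summarise commands per user, refused attempts, and root shells opened."""
    report = {"by_user": defaultdict(list), "refused": [], "root_shells": []}
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue                      # not a sudo entry
        if not rec["ok"]:
            report["refused"].append((rec["user"], rec["reason"], rec["command"]))
            continue
        report["by_user"][rec["user"]].append(rec["command"])
        if spawns_root_shell(rec):        # commands typed inside that shell are not logged by sudo
            report["root_shells"].append((rec["user"], rec["tty"], rec["stamp"]))
    report["by_user"] = dict(report["by_user"])
    return report

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, cmds in report["by_user"].items():
        print(f"{user}: {len(cmds)} command(s) run with root privileges")
    for user, reason, cmd in report["refused"]:
        print(f"refused {user} ({reason}): {cmd}")
    for user, tty, stamp in report["root_shells"]:
        print(f"root shell opened by {user} on {tty} at {stamp}")
```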
Some users question whether sudo is less secure than su. Because both rely on passwords, they share the same strengths and weaknesses. If the password is compromised, the system is compromised. However, if the password of a user who is allowed by sudo to do one task is compromised, the entire system may not be at risk. Thus, if used properly, the finer granularity of sudo's permissions structure can make it a more secure tool than su. Also, when sudo is used to invoke a single command, it is less likely that a user will be tempted to keep working with root privileges than if the user opens a root shell with su.
Using sudo may not always be the best, most secure way to set up a system. On a system used by a single user, there is not much difference between using sudo and carefully using su and a root password. In contrast, on a system with several users, and especially on a network of systems with central administration, sudo can be set up to be more secure than su. If you are a dyed-in-the-wool UNIX/Linux user who cannot get comfortable with sudo, it is easy enough to give the root account a password and use su (page 431).

Caution: Run graphical programs using gksudo, not sudo
Use gksudo (or kdesudo from KDE) instead of sudo when you run a graphical program that requires root privileges. (Try giving this command without an argument.) Although both utilities run a program with root privileges, sudo uses your configuration files, whereas gksudo uses root's configuration files. Most of the time this difference is not important, but sometimes it is critical. Some programs will not run when you call them with sudo. Using gksudo can prevent incorrect permissions from being applied to files related to the X Window System in your home directory. In a few cases, misapplying these permissions can prevent you from logging back in. In addition, you can use gksudo in a launcher (page 121) on the desktop or on a panel.

When you install Ubuntu, the first user you set up is included in the admin group. As installed, sudo is configured to allow members of the admin group to run with root privileges. Because there is no root password, initially the only way to perform privileged administrative tasks from the command line is for the first user to run them using sudo. Graphical programs call other programs, such as gksudo (see the adjacent tip), which in turn call sudo for authentication.
Timestamp
By default, sudo asks for your password (not the root password) the first time you run it. At that time, sudo sets your timestamp. After you supply a password, sudo will not prompt you again for a password for 15 minutes, based on your timestamp.
In the following example, Sam tries to set the system clock while working as the user sam, a nonprivileged user. The date utility displays an error message followed by the expanded version of the date Sam entered. When he uses sudo to run date to set the system clock, sudo prompts him for his password, and the command succeeds.
$ date 03111424
date: cannot set date: Operation not permitted
Thu Mar 11 14:24:00 PST 2010
$ sudo date 03111424
[sudo] password for sam:
Thu Mar 11 14:24:00 PST 2010
Next Sam uses sudo to unmount a filesystem. Because he gives this command within 15 minutes of the previous sudo command, he does not need to supply a password:
$ sudo umount /music
$
Now Sam uses the -l option to check which commands sudo will allow him to run. Because he was the first user registered on the system (and is therefore a member of the admin group), he is allowed to run any command as any user.
$ sudo -l
User sam may run the following commands on this host:
    (ALL) ALL
Spawning a root shell
When you have several commands you need to run with root privileges, it may be easier to spawn a root shell, give the commands without having to type sudo in front of each one, and exit from the shell. This technique defeats some of the safeguards built into sudo, so use it carefully and remember to return to a nonroot shell as soon as possible. (See the caution on least privilege on page 420.) Use the sudo -i option to spawn a root shell:
$ pwd
/home/sam
$ sudo -i
# id
uid=0(root) gid=0(root) groups=0(root)
# pwd
/root
# exit
$
In this example, sudo spawns a root shell, which displays a # prompt to remind you that you are running with root privileges. The id utility displays the identity of the user running the shell. The exit command (you can also use CONTROL-D) terminates the root shell, returning the user to his normal status and his former shell and prompt.
sudo's environment
The pwd builtin in the preceding example shows one aspect of the modified environment created by the -i option (page 425). This option spawns a root login shell (a shell with the same environment as a user logging in as root would have) and executes root's startup files (page 293). Before issuing the sudo -i command, the pwd builtin shows /home/sam as Sam's working directory; after the command, it shows /root, root's home directory, as the working directory. Use the -s option (page 426) to spawn a root shell without modifying the environment. When you call sudo without an option, it runs the command you specify in an unmodified environment. To demonstrate this feature, the following example has sudo run pwd without an option. The working directory of a command run in this manner does not change.
$ pwd
/home/sam
$ sudo pwd
/home/sam
Redirecting output
The following command fails because, although the shell that sudo spawns executes ls with root privileges, the nonprivileged shell that the user is running redirects the output. The user's shell does not have permission to write to /root.
$ sudo ls > /root/ls.sam
-bash: /root/ls.sam: Permission denied
There are several ways around this problem. The easiest is to pass the whole command line to a shell running under sudo:
$ sudo bash -c 'ls > /root/ls.sam'
The bash -c option spawns a shell that executes the string following the option and then terminates. The sudo utility runs the spawned shell with root privileges. You can quote the string to prevent the nonprivileged shell from interpreting special characters. You can also spawn a root shell with sudo -i, execute the command, and exit from the privileged shell. (See the preceding section.)

optional
Another way to deal with the problem of redirecting output of a command run by sudo is to use tee (page 254):
$ ls | sudo tee /root/ls.sam
This command writes the output of ls to the file but also displays it. If you do not want to display the output, you can have the nonprivileged shell redirect the output to /dev/null (page 489). The next example uses this technique to do away with the screen output and uses the -a option to tee to append to the file instead of overwriting it:
$ ls | sudo tee -a /root/ls.sam > /dev/null

OPTIONS
You can use command-line options to control how sudo runs a command. Following is the syntax of an sudo command line:
sudo [options] [command]
where options is one or more options and command is the command you want to execute. Without the -u option, sudo runs command with root privileges. Some of the more common options follow; see the sudo man page for a complete list.
-b (background) Runs command in the background.
-e (edit) With this option, command is a filename and not a command. This option causes sudo to edit the file named command with root privileges using the editor named by the SUDO_EDITOR, VISUAL, or EDITOR environment variable. (It uses the nano editor by default.) Alternatively, you can use the sudoedit utility without any options.
-i (initial login environment) Spawns the shell that is specified for root (or another user specified by -u) in /etc/passwd, running root's (or the other user's) startup files, with some exceptions (e.g., TERM is not changed). Does not take a command.
-k (kill) Resets the timestamp (page 423) of the user running the command, which means the user must enter a password the next time she runs sudo.
-L (list defaults) Lists the parameters that you can set on a Defaults line (page 429) in the sudoers file. Does not take a command.
-l (list commands) Lists the commands the user who is running sudo is allowed to run on the local system. Does not take a command.
-s (shell) Spawns a new root (or another user specified by -u) shell as specified in the /etc/passwd file. Similar to -i but does not change the environment. Does not take a command.
-u user Runs command with the privileges of user. Without this option, sudo runs command with root privileges.

sudoers: CONFIGURING sudo
As installed, sudo is not as secure and robust as it can be if you configure it carefully. The sudo configuration file is /etc/sudoers. The best way to edit sudoers is to use visudo by giving this command: sudo visudo. The visudo utility locks, edits, and checks the grammar of the sudoers file. By default, visudo calls the nano editor. You can set the SUDO_EDITOR, VISUAL, or EDITOR environment variable to cause visudo to call vi with the following command:
$ export VISUAL=vi
Replace vi with the textual editor of your choice. Put this command in a startup file (page 293) to set this variable each time you log in.

Caution: Always use visudo to edit the sudoers file
A syntax error in the sudoers file can prevent you from using sudo to gain root privileges. If you edit this file directly (without using visudo), you will not know that you introduced a syntax error until you find you cannot use sudo. The visudo utility checks the syntax of sudoers before it allows you to exit. If it finds an error, it gives you the choice of fixing the error, exiting without saving the changes to the file, or saving the changes and exiting. The last choice is usually a poor one, so visudo marks it with (DANGER!).

In the sudoers file, comments, which start with a hashmark (#), can appear anywhere on a line. In addition to comments, this file holds two types of entries: aliases and user privilege specifications. Each of these entries occupies a line, which can be continued by terminating it with a backslash (\).

USER PRIVILEGE SPECIFICATIONS

The format of a line that specifies user privileges is as follows (the whitespace around the equal sign is optional):

user_list host_list = [(runas_list)] command_list

• The user_list specifies the user(s) this specification line applies to. This list can contain usernames, groups (prefixed with %), and user aliases (next section).

• The host_list specifies the host(s) this specification line applies to. This list can contain one or more hostnames, IP addresses, or host aliases (discussed in the next section). You can use the builtin alias ALL to cause the line to apply to all systems that refer to this sudoers file.

• The runas_list specifies the user(s) the commands in the command_list can be run as when sudo is called with the -u option (page 426). This list can contain usernames, groups (prefixed with %), and runas aliases (discussed in the next section). It must be enclosed within parentheses. Without runas_list, sudo assumes root.

• The command_list specifies the utilities this specification line applies to. This list can contain names of utilities, names of directories holding utilities, and command aliases (discussed in the next section). All names must be absolute pathnames; directory names must end with a slash (/).

If you follow a name with two adjacent double quotation marks (""), the user will not be able to specify any command-line arguments, including options. Alternatively, you can specify arguments, including wildcards, to limit the arguments a user is allowed to use. Use wildcards with care: sudo compares the arguments the user typed as a single, space-separated string, so a * in an argument pattern can match across more than one argument. Preceding an entry in the command_list with an exclamation point (!) excludes the command it names; when more than one entry matches a command, the last matching entry determines whether sudo allows it.
Examples

The following user privilege specification allows Sam to use sudo to mount and unmount filesystems (run mount and umount with root privileges) on all systems (as specified by ALL) that refer to the sudoers file containing this specification:

sam     ALL=(root) /bin/mount, /bin/umount

The (root) runas_list is optional. If you omit it, sudo allows the user to run the commands in the command_list with root privileges. In the following example, Sam takes advantage of these permissions. He cannot run umount directly; instead, he must call sudo to run it.

$ whoami
sam
$ umount /music
umount: only root can unmount /dev/sdb7 from /music
$ sudo umount /music
[sudo] password for sam:
$

If you replace the line in sudoers described above with the following line, Sam is not allowed to unmount /p03, although he can still unmount any other filesystem and can mount any filesystem:

sam     ALL=(root) /bin/mount, /bin/umount, !/bin/umount /p03

The result of the preceding line in sudoers is shown below. The sudo utility does not prompt for a password because Sam has entered his password within the last 15 minutes.

$ sudo umount /p03
Sorry, user sam is not allowed to execute '/bin/umount /p03' as root on localhost.

The following line limits Sam to mounting and unmounting filesystems mounted on /p01, /p02, /p03, and /p04:

sam     ALL= /bin/mount /p0[1-4], /bin/umount /p0[1-4]

CHAPTER 11  SYSTEM ADMINISTRATION: CORE CONCEPTS

The following commands show the result:

$ sudo umount /music
Sorry, user sam is not allowed to execute '/bin/umount /music' as root on localhost.
$ sudo umount /p03
$
Default privileges for admin group
As shipped, the sudoers file contains the following lines:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

This user privilege specification applies to all systems (as indicated by the ALL to the left of the equal sign). As the comment indicates, this line allows members of the admin group (specified by preceding the name of the group with a percent sign: %admin) to run any command (the rightmost ALL) as any user (the ALL within parentheses). When you call it without the -u option, the sudo utility runs the command you specify with root privileges, which is what sudo is used for most of the time. (On Ubuntu releases after the one described here, the installer places the first user in the sudo group and sudoers carries a %sudo line granting the same privileges.)

optional
If the following line appeared in sudoers, it would allow members of the wheel group to run any command as any user with one exception: They would not be allowed to run passwd to change the root password.

%wheel ALL=(ALL) ALL, !/usr/bin/passwd root

Do not rely on an exclusion like this one to protect a system. Because the ALL to its left lets members of wheel run any command, a member can copy passwd under another name, or simply start a root shell, and change the root password anyway; the sudoers man page warns that subtracting commands from ALL with ! is easily bypassed. An exclusion is effective only in a command_list that does not otherwise grant a way around it.

In the %admin ALL=(ALL) ALL line, if you replaced (ALL) with (root) or if you omitted (ALL), you would still be able to run any command with root privileges. You would not, however, be able to use the -u option to run a command as another user. Typically, when you can have root privileges, this limitation is not an issue. Working as a user other than yourself or root allows you to use the least privilege possible to accomplish a task, which is a good idea.

For example, if you are in the admin group, the default entry in the sudoers file allows you to give the following command to create and edit a file in Sam's home directory. Because you are working as Sam, he will own the file and be able to read from and write to it.

$ sudo -u sam vi ~sam/reminder
$ ls -l ~sam/reminder
-rw-r--r-- 1 sam sam 15 2010-03-09 15:29 /home/sam/reminder

ALIASES

An alias enables you to rename and/or group users, hosts, or commands. Following is the format of an alias definition:

alias_type alias_name = alias_list

where alias_type is the type of alias (User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias), alias_name is the name of the alias (by convention in all uppercase letters), and alias_list is a comma-separated list of one or more elements that make up the alias. Preceding an element of an alias with an exclamation point (!) negates it.

User_Alias
The alias_list for a user alias is the same as the user_list for a user privilege specification (discussed in the previous section). The following lines from a sudoers file define three user aliases: OFFICE, ADMIN, and ADMIN2. The alias_list that defines the first alias includes the usernames mark, sam, and sis; the second includes two usernames and members of the admin group; and the third includes all members of the admin group except Max.

User_Alias OFFICE = mark, sam, sis
User_Alias ADMIN = max, zach, %admin
User_Alias ADMIN2 = %admin, !max

Runas_Alias
The alias_list for a runas alias is the same as the runas_list for a user privilege specification (discussed in the previous section). The following SM runas alias includes the usernames sam and sis:

Runas_Alias SM = sam, sis

Host_Alias
Host aliases are meaningful only when the sudoers file is referenced by sudo running on more than one system. The alias_list for a host alias is the same as the host_list for a user privilege specification (discussed in the previous section). The following line defines the LCL alias to include the systems named dog and plum:

Host_Alias LCL = dog, plum

If you want to use fully qualified hostnames (hosta.example.com instead of just hosta) in this list, you must set the fqdn flag (next section). However, doing so may slow the performance of sudo.

Cmnd_Alias
The alias_list for a command alias is the same as the command_list for a user privilege specification (discussed in the previous section). The following command alias includes three files and, by including a directory (denoted by its trailing /), incorporates all the files in that directory:

Cmnd_Alias BASIC = /bin/cat, /usr/bin/vi, /bin/df, /usr/local/safe/

Granting an editor such as vi with root privileges, as BASIC does, is equivalent to granting a root shell, because vi can run shell commands from within the editor. When users need to edit files with root privileges, give them sudoedit (sudo -e) instead: it copies the file, runs the editor as the invoking user, and writes the result back with root privileges.
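To see how the rules in the examples above and in the alias definitions combine, here is a small evaluator for user privilege specifications. It is an added example written for this page, not code from the book or from sudo itself. It follows the matching rules documented in the sudoers man page (%group, User_Alias and Cmnd_Alias names, ! negation, "" for no arguments, a trailing / for a directory, argument patterns compared as one space-joined string, and last-matching-entry-wins) but models only what the text uses: Defaults lines, Host_Alias, Runas_Alias and network addresses are not handled, and group membership comes from a constructed GROUPS table rather than /etc/group. The sample sudoers text is constructed from the lines shown above, with a STAFF2 alias, a staff group and a dog,plum host list added to exercise negation and host matching.

```python
"""Added example written for this page (not sudo's own code): a small evaluator for
the sudoers entries discussed above, following the matching rules of the sudoers
man page.  Not modeled: Defaults lines, Host_Alias/Runas_Alias, IP addresses, and
the real /etc/group (membership comes from the constructed GROUPS table)."""
import fnmatch
import shlex

GROUPS = {"admin": {"zach"}, "staff": {"max", "sis"}}   # constructed; stands in for /etc/group

# Constructed sudoers text built from the lines shown in the text above.
SAMPLE_SUDOERS = """\
User_Alias  OFFICE = mark, sam, sis
User_Alias  STAFF2 = %staff, !max
Cmnd_Alias  BASIC = /bin/cat, /usr/bin/vi, /bin/df, /usr/local/safe/
%admin  ALL=(ALL) ALL
sam     ALL=(root) /bin/mount, /bin/umount, !/bin/umount /p03
sis     ALL= /bin/mount /p0[1-4], /bin/umount /p0[1-4]
mark    ALL= /bin/umount /p0*
OFFICE  ALL= BASIC
STAFF2  ALL= /sbin/reboot
sis     dog,plum= /sbin/halt
"""

def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_sudoers(text):
    """Return (aliases, specs); each spec is (user_list, host_list, runas_list, command_list)."""
    aliases = {"User_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # a comment may appear anywhere on a line
        if not line or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, _, body = line[len(kind):].partition("=")
            aliases[kind][name.strip()] = _split_list(body)
            continue
        left, _, right = line.partition("=")
        tokens = left.split()                        # user_list tokens ... host_list
        user_list, host_list = _split_list(" ".join(tokens[:-1])), _split_list(tokens[-1])
        right = right.strip()
        if right.startswith("("):
            runas_text, _, right = right[1:].partition(")")
            runas_list = _split_list(runas_text)
        else:
            runas_list = ["root"]                    # runas_list omitted: sudo assumes root
        specs.append((user_list, host_list, runas_list, _split_list(right)))
    return aliases, specs

def _last_match(entries, matches):
    """List semantics: None if nothing matched, else True/False from the last match (! negates)."""
    result = None
    for entry in entries:
        negated = entry.startswith("!")
        if matches(entry[1:].strip() if negated else entry):
            result = not negated
    return result

def _user_matches(entry, user, aliases):
    """For user_list and runas_list entries: ALL, %group, a User_Alias name, or a username."""
    if entry == "ALL":
        return True
    if entry.startswith("%"):
        return user in GROUPS.get(entry[1:], set())
    if entry in aliases["User_Alias"]:
        return bool(_last_match(aliases["User_Alias"][entry],
                                lambda e: _user_matches(e, user, aliases)))
    return entry == user

def _cmnd_matches(entry, path, args, aliases):
    if entry == "ALL":
        return True
    if entry in aliases["Cmnd_Alias"]:
        return bool(_last_match(aliases["Cmnd_Alias"][entry],
                                lambda e: _cmnd_matches(e, path, args, aliases)))
    parts = entry.split(None, 1)
    pat_path, pat_args = parts[0], (parts[1] if len(parts) > 1 else None)
    if pat_path.endswith("/"):                       # directory entry: any program directly in it
        return path.startswith(pat_path) and "/" not in path[len(pat_path):]
    if not fnmatch.fnmatchcase(path, pat_path):
        return False
    if pat_args is None:
        return True                                  # no argument pattern: any arguments allowed
    if pat_args == '""':
        return args == ""                            # "": no arguments allowed at all
    return fnmatch.fnmatchcase(args, pat_args)       # one joined string, so '*' spans spaces

def sudo_allowed(sudoers_text, user, command, runas="root", host="localhost"):
    """True if user may run command (a path plus its arguments) as runas on host."""
    aliases, specs = parse_sudoers(sudoers_text)
    argv = shlex.split(command)
    path, args = argv[0], " ".join(argv[1:])
    decision = None
    for user_list, host_list, runas_list, command_list in specs:
        if not (_last_match(user_list, lambda e: _user_matches(e, user, aliases))
                and _last_match(host_list, lambda e: e in ("ALL", host))
                and _last_match(runas_list, lambda e: _user_matches(e, runas, aliases))):
            continue
        verdict = _last_match(command_list, lambda e: _cmnd_matches(e, path, args, aliases))
        if verdict is not None:
            decision = verdict                       # a later specification overrides an earlier one
    return bool(decision)
```

Running sudo_allowed(SAMPLE_SUDOERS, "sam", "/bin/umount /p03") reproduces the refusal shown above, and the mark line shows the wildcard pitfall: because the arguments are compared as one string, /bin/umount /p0* lets Mark run umount /p03 /music, whereas the bracket pattern on the sis line does not. Treat the evaluator as a mental model only; on a real system, sudo -l -U user shows what sudo itself will allow.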

DEFAULTS (OPTIONS)

You can change configuration options from their default values by using the Defaults keyword. Most values in this list are flags that are implicitly Boolean (can either be on or off) or strings. You turn on a flag by naming it on a Defaults line, and you turn it off by preceding it with a !. The following line in the sudoers file would turn off the lecture and fqdn flags and turn on tty_tickets:

Defaults !lecture,tty_tickets,!fqdn

This section lists some common flags; see the sudoers man page for a complete list.

env_reset
Causes sudo to reset the environment so that the command runs with only the LOGNAME, SHELL, USER, USERNAME, and SUDO_* variables (plus any variables listed in env_keep). The default is on. Leave it on: environment variables inherited from the invoking user are a common way to influence a program running with root privileges. See the sudoers man page for more information.

fqdn
(fully qualified domain name) Performs DNS lookups on FQDNs (page 1149) in the sudoers file. When this flag is set, you can use FQDNs in the sudoers file, but doing so may negatively affect sudo's performance, especially if DNS is not working. When this flag is set, you must use the local host's official DNS name, not an alias. If hostname returns an FQDN, you do not need to set this flag. The default is on.
insults
Displays mild, humorous insults when a user enters a wrong password. The default is off. See also passwd_tries.

lecture=freq
Controls when sudo displays a reminder message before the password prompt. Possible values of freq are never (default), once, and always. Specifying !lecture is the same as specifying a freq of never.

mail_always
Sends email to the mailto user each time a user runs sudo. The default is off.

mail_badpass
Sends email to the mailto user when a user enters an incorrect password while running sudo. The default is off.

mail_no_host
Sends email to the mailto user when a user whose username is in the sudoers file but who does not have permission to run commands on the local host runs sudo. The default is off.

mail_no_perms
Sends email to the mailto user when a user whose username is in the sudoers file but who does not have permission to run the requested command runs sudo. The default is off.

mail_no_user
Sends email to the mailto user when a user whose username is not in the sudoers file runs sudo. The default is on.

mailsub=subj
(mail subject) Changes the default email subject for warning and error messages from the default *** SECURITY information for %h *** to subj. The sudo utility expands %h within subj to the local system's hostname. Place subj between quotation marks if it contains shell special characters (page 160).

mailto=eadd
Sends sudo warning and error messages to eadd (an email address; the default is root). Place eadd between quotation marks if it contains shell special characters (page 160).

passwd_tries=num
The num is the number of times the user can enter an incorrect password in response to the sudo password prompt before sudo quits. The default is 3. See also insults and lecture.

tip: Using the root password in place of your password

If you have set up a root password (page 431), you can cause graphical programs that require a password to require the root password in place of the password of the user who is running the program by turning on rootpw. The programs will continue to ask for your password, but will accept only the root password. Making this change causes an Ubuntu system to use the root password in a manner similar to the way some other distributions use this password.

rootpw
Causes sudo to accept only the root password in response to its prompt. Because sudo issues the same prompt whether it is asking for your password or the root password, turning this flag on may confuse users. Do not turn on this flag if you have not unlocked the root account (page 431), as you will not be able to use sudo. To fix this problem, bring the system up in recovery mode (page 445) and turn off (remove) this flag. The default is off, causing sudo to prompt for the password of the user running sudo. See the preceding tip.

shell_noargs
Causes sudo, when called without any arguments, to spawn a root shell without changing the environment. The default is off. This option is the same as the sudo -s option.

timestamp_timeout=mins
The mins is the number of minutes that the sudo timestamp (page 423) is valid. The default is 15; set mins to -1 to cause the timestamp to be valid forever. Setting mins to 0 causes sudo to ask for a password every time, which is appropriate where a terminal may be left unattended.

tty_tickets
Causes sudo to authenticate users on a per-tty basis, not a per-user basis. The default is on.

umask=val
The val is the umask (page 459) that sudo uses to run the command that the user specifies. Set val to 0777 to preserve the user's umask value. The default is 0022.

UNLOCKING THE root ACCOUNT (ASSIGNING A PASSWORD TO root)

Except for a few instances, there is no need to unlock the root account on an Ubuntu system; in fact, Ubuntu suggests that you do not do so. The following command unlocks the root account by assigning a password to it:

$ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Relocking the root account
If you decide you want to lock the root account after unlocking it, give the command sudo passwd -l root. You can unlock it again with the preceding command.

su: GIVES YOU ANOTHER USER'S PRIVILEGES

To use su to gain root privileges, you must unlock the root account (as discussed in the preceding section).

The su (substitute user) utility can spawn a shell or execute a program with the identity and privileges of a specified user. Follow su on the command line with the name of a user; if you are working with root privileges or if you know the user's password, you will then take on the identity of that user. When you give an su command without an argument, su defaults to spawning a shell with root privileges (you have to know the root password).

When you give an su command to work as root, su spawns a new shell, which displays the # prompt. You can return to your normal status (and your former shell and prompt) by terminating this shell: Press CONTROL-D or give an exit command.

Giving an su command by itself changes your user and group IDs but makes minimal changes to the environment. For example, PATH has the same value as it did before you gave the su command. When you give the command su - (you can use -l or --login in place of the hyphen), you get a root login shell: It is as though you logged in as root. Not only do the shell's user and group IDs match those of root, but the environment is identical to that of root. The login shell executes the appropriate startup files (page 293) before displaying a prompt.

The id utility displays the changes in your user and group IDs and in the groups you are associated with:

$ id
uid=1002(sam) gid=1002(sam) groups=117(admin),1002(sam)
$ su
Password:
# id
uid=0(root) gid=0(root) groups=0(root)

You can use su with the -c option to run a command line with root privileges, returning to the original shell when the command finishes executing. The following example first shows that a user is not permitted to kill (page 455) a process. With the use of su -c and the root password, however, the user is permitted to kill the process. The quotation marks are necessary because su -c takes its command as a single argument.

$ kill -15 4982
-bash: kill: (4982) - Operation not permitted
$ su -c "kill -15 4982"
Password:
$

security: Superuser, PATH, and security
The fewer directories you keep in PATH when you are working as root, the less likely you will be to execute an untrusted program as root. Never include the working directory in PATH (as . or :: anywhere in PATH, or : as the last element of PATH). For more information refer to "PATH: Where the Shell Looks for Programs" on page 319.
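The security note above can be turned into a check. The following added example (written for this page, not from the book) flags every spelling of the working directory in a PATH value, any relative entry, and any directory that other users can write to, and can return a cleaned PATH. The world_writable parameter is an assumption added so the check can run on constructed input; left at its default, the functions inspect the real directories with os.stat.

```python
"""Added example for this page (not from the book): find PATH entries that are unsafe
when you are working with root privileges."""
import os
import stat


def _stat_world_writable(directory):
    """Default check: true when the directory's mode has the other-write bit set."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False                     # missing directory: nothing can be executed from it


def unsafe_path_elements(path_value, world_writable=None):
    """Return [(element, reason), ...] for entries root should not keep in PATH.

    world_writable is an optional predicate taking a directory name; it is an
    assumption added here so the check can run on constructed input, and it
    defaults to inspecting the real directory with os.stat.
    """
    check = world_writable or _stat_world_writable
    findings = []
    for element in path_value.split(":"):
        if element in ("", "."):
            # "::", a leading or trailing ":", and "." all mean the working directory
            findings.append((element, "working directory"))
        elif not element.startswith("/"):
            findings.append((element, "relative directory"))
        elif check(element):
            findings.append((element, "world-writable directory"))
    return findings


def sanitized_path(path_value, world_writable=None):
    """Return path_value with every unsafe element removed."""
    bad = {element for element, _ in unsafe_path_elements(path_value, world_writable)}
    return ":".join(e for e in path_value.split(":") if e not in bad)


if __name__ == "__main__":
    # Report on the PATH of the shell this script was started from.
    for element, reason in unsafe_path_elements(os.environ.get("PATH", "")):
        print("%-20s %s" % (element or "(empty)", reason))
```

Run it from the shell you obtained with su (not su -) to see which entries PATH carried over from your ordinary account; a clean result prints nothing. World-writable directories are reported even when they have the sticky bit set, because a directory such as /tmp still lets any user plant a program there under a name root might type.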

THE UPSTART EVENT-BASED init DAEMON

Because the traditional System V init daemon (SysVinit) does not deal well with modern hardware, including hotplug (page 502) devices, USB hard and flash drives, and network-mounted filesystems, Ubuntu replaced it with the Upstart init daemon (upstart.ubuntu.com and upstart.ubuntu.com/wiki).

Several other replacements for SysVinit are also available. One of the most prominent is initng (initng.sourceforge.net/trac). In addition, Solaris uses SMF (Service Management Facility) and Mac OS uses launchd. Over time, Ubuntu will incorporate features of each of these systems into Upstart.

The runlevel-based SysVinit daemon uses runlevels (recovery/single-user, multiuser, and more) and links from the /etc/rc?.d directories to the init scripts in /etc/init.d to start and stop system services (page 440). The event-based Upstart init daemon uses events to start and stop system services. With the Feisty release (7.04), Ubuntu switched to the Upstart init daemon and began making the transition from the SysVinit setup to the Upstart setup. This section discusses Upstart and the parts of SysVinit that remain: the /etc/rc?.d and /etc/init.d directories and the concept of runlevels. See the tip about terminology on page 445.
The Upstart init daemon is event based and runs specified programs when something on the system changes. These programs, which are frequently scripts, start and stop services. This setup is similar in concept to the links to init scripts that SysVinit calls as a system enters runlevels, except Upstart is more flexible. Instead of starting and stopping services only when the runlevel changes, Upstart can start and stop services upon receiving information that something on the system has changed. Such a change is called an event. For example, Upstart can take action when it learns from udev (page 502) that a filesystem, printer, or other device has been added or removed from the running system. It can also start and stop services when the system boots, when the system is shut down, or when a job changes state.

Future of Upstart
Changing from SysVinit to Upstart involves many parts of the Linux system. To make the switch smoothly and to introduce as few errors as possible, the Upstart team elected to make this transition over several releases.

Ubuntu has been moving away from the SysVinit setup and toward the cleaner, more flexible Upstart setup. As more system services are put under the control of Upstart, entries in the /etc/init directory (see the tip on page 440) will replace the contents of the /etc/init.d and /etc/rc?.d directories. Runlevels will no longer be a formal feature of Ubuntu, although they will be maintained for compatibility with third-party software. Eventually Upstart will also replace crond.

SOFTWARE PACKAGE

The Upstart system is contained in one package, which is installed by default:

• upstart: Provides the Upstart init daemon and initctl utility.

DEFINITIONS

Events
An event is a change in state that can be communicated to init. Almost any change in state, either internal or external to the system, can trigger an event. For example, the boot loader triggers the startup event (startup man page) and the telinit command (page 444) triggers the runlevel event (page 444). Removing and installing a hotplug (page 502) or USB device (such as a printer) can trigger an event as well. You can also trigger an event manually by giving the initctl emit command (page 436). For more information refer to "Events" on page 437.

Jobs
A job is a series of instructions that init reads. These instructions typically include a program (binary file or shell script) and the name of an event. The Upstart init daemon runs the program when the event is triggered. You can run and stop a job manually by giving the initctl start and stop commands, respectively (page 436).

Jobs are divided into tasks and services. A job is a service by default; you must explicitly specify a job as a task for it to run as a task.

Tasks
A task is a job that performs its work and returns to a waiting state when it is done. A task blocks the program/process that emitted the event that triggered it until the program it specifies is finished running. The rc task described on page 438 is an example of a task.

Services
A service is a job that does not normally terminate by itself. For example, the logd daemon and getty processes (page 439) are implemented as services. The init daemon monitors each service, restarting the service if it fails and killing the service if it is stopped either manually or by an event. A service blocks the program/process that emitted the event that triggered it until the program it specifies has started running.

Job definition files
The /etc/init directory holds job definition files (files defining the jobs that the Upstart init daemon runs). Initially this directory is populated by the Upstart software package. The installation of some services adds files to this directory to control the service, replacing the files that were previously placed in the /etc/rc?.d and /etc/init.d directories when the service was installed.

init is a state machine
At its core, the Upstart init daemon is a state machine. It keeps track of the state of jobs and, as events are triggered, tracks jobs as they change states. When init tracks a job from one state to another, it may execute the job's commands or terminate the job.

Runlevel emulation
The System V init daemon used changes in runlevels (page 443) to determine when to start and stop processes. Ubuntu systems, which rely on the Upstart init daemon, have no concept of runlevels. To ease migration from a runlevel-based system to an event-based system, and to provide compatibility with software intended for other distributions, Ubuntu emulates runlevels using Upstart.

The rc task, which is defined by the /etc/init/rc.conf file, runs the /etc/init.d/rc script. This script, in turn, runs the init scripts in /etc/init.d from the links in the /etc/rc?.d directories, emulating the functionality of these links under SysVinit. The rc task runs these scripts as the system enters a runlevel; it normally takes no action when the system leaves a runlevel. See page 438 for a discussion of the rc task and page 440 for information on init scripts. Upstart implements the runlevel (page 444) and telinit (page 444) utilities to provide compatibility with SysVinit systems.

initctl
The initctl (init control) utility communicates with the Upstart init daemon. An ordinary user can query the Upstart init daemon by using the initctl list and status commands. A system administrator working with root privileges can both query this daemon and start and stop jobs. For example, the initctl list command lists jobs and their states:

$ initctl list
alsa-mixer-save stop/waiting
avahi-daemon start/running, process 509
mountall-net stop/waiting
rc stop/waiting
rsyslog start/running, process 463
tty4 start/running, process 695
udev start/running, process 252

See the initctl man page and the examples in this section for more information. You can give the command initctl help (no hyphens before help) to display a list of initctl commands. Alternatively, you can give the following command to display more information about the list command:

$ initctl list --help
Usage: initctl list [OPTION]...
List known jobs.

Options:
  --system             use D-Bus system bus to connect to init daemon
  --dest=NAME          destination well-known name on system bus
  -q, --quiet          reduce output to errors only
  -v, --verbose        increase output to include informational messages
  --help               display this help and exit
  --version            output version information and exit

The known jobs and their current status will be output.

Report bugs to 

Replace list with the initctl command for which you want to obtain more information. The start, stop, reload, and status utilities are links to initctl that run the initctl commands they are named for.

JOBS
Each file in the /etc/init directory defines a job and usually contains at least an event and a command. When the event is triggered, init executes the command. This section describes examples of both administrator-defined jobs and jobs installed with the upstart package.

ADMINISTRATOR-DEFINED JOBS
mudat example
The following administrator-defined job uses the exec keyword to execute a shell command. You can also use this keyword to execute a shell script stored in a file or a binary executable file.
In the first stanza (start on runlevel 2), start on is a keyword (you can use stop on in its place), runlevel is an event (page 433), and 2 is an argument to runlevel.
$ cat /etc/init/mudat.conf
start on runlevel 2
task
exec echo "Entering multiuser mode on " $(date) > /tmp/mudat.out
This file defines a task: It runs the echo shell command when the system enters multiuser mode (runlevel 2). This command writes a message that includes the time and date to /tmp/mudat.out. The shell uses command substitution (page 362) to execute the date utility. After this job runs to completion, the mudat task stops and enters a wait state.

436   CHAPTER 11   SYSTEM ADMINISTRATION: CORE CONCEPTS

In the next example, the cat utility shows the contents of the /tmp/mudat.out file and the initctl list command and the status utility report on this task:
$ cat /tmp/mudat.out
Entering multiuser mode on  Wed Mar 10 11:58:14 PST 2010
$ initctl list | grep mudat
mudat stop/waiting
$ status mudat
mudat stop/waiting
If the exec command line contains shell special characters (page 160), init executes /bin/sh (a link to dash [page 292]) and passes the command line to the shell. Otherwise, exec executes the command line directly. To run multiple shell commands, either use exec to run a shell script stored in a file or use script...end script (discussed next).
The Upstart init daemon can monitor only jobs (services) whose programs are executed using exec; it cannot monitor jobs run using script...end script. Put another way, services require the use of exec while tasks can use either method to run a program. Future versions of the Upstart init daemon will be able to monitor these jobs.
myjob example
You can also define an event and set up a job that is triggered by that event. The myjob.conf job definition file defines a job that is triggered by the hithere event:
$ cat /etc/init/myjob.conf
start on hithere
script
echo "Hi there, here I am!" > /tmp/myjob.out
date >> /tmp/myjob.out
end script
The myjob file shows another way of executing commands: It includes two command lines between the script and end script keywords. These keywords always cause init to execute /bin/sh. The commands write a message and the date to the /tmp/myjob.out file. You can use the initctl emit command to trigger the job.
initctl emit
$ sudo initctl emit hithere
$ cat /tmp/myjob.out
Hi there, here I am!
Wed Mar 10 11:59:23 PST 2010
$ status myjob
myjob stop/waiting

initctl start and stop
In the preceding example, cat shows the output that myjob generates and initctl displays the status of the job. You can run the same job by giving the command initctl start myjob (or just start myjob). The initctl start command is useful when you want to run a job without triggering an event. For example, you can use the command initctl start mudat to run the mudat job from the previous example without triggering the runlevel event.


EVENTS
The upstart package defines many events. The following command lists events and brief descriptions of each. See the corresponding man page for more information on each event.
$ apropos event 2| grep signalling
all-swaps (7)            - event signalling that all swap partitions have been activated
control-alt-delete (7)   - event signalling console press of Control-Alt-Delete
filesystem (7)           - event signalling that filesystems have been mounted
keyboard-request (7)     - event signalling console press of Alt-UpArrow
local-filesystems (7)    - event signalling that local filesystems have been mounted
mounted (7)              - event signalling that a filesystem has been mounted
mounting (7)             - event signalling that a filesystem is mounting
power-status-changed (7) - event signalling change of power status
remote-filesystems (7)   - event signalling that remote filesystems have been mounted
runlevel (7)             - event signalling change of system runlevel
started (7)              - event signalling that a job is running
starting (7)             - event signalling that a job is starting
startup (7)              - event signalling system startup
stopped (7)              - event signalling that a job has stopped
stopping (7)             - event signalling that a job is stopping
virtual-filesystems (7)  - event signalling that virtual filesystems have been mounted
apropos
The apropos utility (page 139), which is a link to whatis, sends its output to standard error. The 2| operator is a pipe (page 251) that sends standard error (page 297) of apropos to standard input of grep.

optional  SPECIFYING EVENTS WITH ARGUMENTS
The telinit (page 444) and shutdown (page 450) utilities emit runlevel events that include arguments. For example, shutdown emits runlevel 0, and telinit 2 emits runlevel 2. You can match these events within a job definition using the following syntax:

start|stop on event [arg [arg...]]

where event is an event such as runlevel and arg is one or more arguments. To stop a job when the system enters runlevel 2 from runlevel 1, specify stop on runlevel 2 1. You can also specify [235] to match 2, 3, and 5 or [!2] to match any value except 2.
Event arguments
Although Upstart ignores additional arguments in an event, additional arguments in an event name within a job definition file must exist in the event. For example, runlevel (no argument) in a job definition file matches all runlevel events (regardless of arguments), whereas runlevel S arg1 arg2 does not match any runlevel event because the runlevel event takes two arguments (the runlevel the system is entering and the previous runlevel).
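As an added example (not from the book), the following shell script models the matching rules just described: the event names must agree, each argument pattern in a stanza is a shell glob such as [235] or [!2] that must match the event argument in the same position, extra event arguments are ignored, and a stanza with more arguments than the event never matches. The table of stanzas it checks is constructed from the rc.conf, mudat.conf, tty1.conf and myjob.conf files shown in this part of the chapter; KEY=VALUE environment matching is not modelled.

```shell
#!/bin/sh
# Added example (not from the book): model how Upstart decides whether an
# emitted event matches a job's "start on" / "stop on" stanza.
#   - the event names must be identical
#   - each argument pattern in the stanza is a shell glob ([235], [!2], 2)
#     and must match the event argument in the same position
#   - a stanza with fewer arguments than the event ignores the extra ones
#   - a stanza with more arguments than the event never matches
# KEY=VALUE environment matching (as in "stopped rc RUNLEVEL=[2345]") is
# not modelled here.

# Patterns such as [0123456] must not be expanded against file names when a
# stanza is split into words, so pathname expansion is switched off.
set -f

# upstart_match 'STANZA' 'EVENT' -> exit status 0 if EVENT matches STANZA.
# Example: upstart_match 'runlevel [!2345]' 'runlevel 0 2' succeeds.
upstart_match() {
    stanza=$1
    event=$2
    set -- $stanza
    s_name=${1-}
    if [ $# -gt 0 ]; then shift; fi
    s_args=$*
    s_count=$#
    set -- $event
    e_name=${1-}
    if [ $# -gt 0 ]; then shift; fi
    e_args=$*
    e_count=$#
    # Different event name: no match.
    [ "$s_name" = "$e_name" ] || return 1
    # More patterns than the event has arguments: nothing can satisfy them.
    [ "$s_count" -le "$e_count" ] || return 1
    # Compare each pattern with the event argument in the same position.
    for pat in $s_args; do
        set -- $e_args
        arg=$1
        shift
        e_args=$*
        case $arg in
            $pat) ;;              # glob match, e.g. [235] or [!2]
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed table of stanzas taken from the job definition files shown in
# this part of the chapter.  Format: job|action|stanza
JOBS='rc|start|runlevel [0123456]
mudat|start|runlevel 2
tty1|stop|runlevel [!2345]
myjob|start|hithere'

# affected_jobs 'EVENT' -> prints "job:action" for every stanza the event
# matches, space separated, in table order.
affected_jobs() {
    event=$1
    printf '%s\n' "$JOBS" | while IFS='|' read -r job action stanza; do
        if upstart_match "$stanza" "$event"; then
            printf '%s%s:%s' "${sep-}" "$job" "$action"
            sep=' '
        fi
    done
    printf '\n'
}

# Stand-alone demonstration: the "runlevel 2 1" case from the text.
affected_jobs 'runlevel 2 1'
```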


JOB DEFINITION FILES IN /etc/init
As Ubuntu continues its transition from SysVinit to Upstart init, more jobs will be defined in the /etc/init directory. This section describes some of the jobs that the upstart package puts in this directory.
rc task and the runlevel event
A runlevel event [runlevel(7) man page] signals a change in runlevel and is emitted by telinit (page 444) and shutdown (page 450). This event sets the environment variable RUNLEVEL to the value of the new runlevel and sets PREVLEVEL to the value of the previous runlevel.
The /etc/init/rc.conf job definition file defines the rc task. This task monitors the runlevel event. The keyword task near the end of the file specifies this job as a task and not a service. Because it is a task, it blocks the call that emitted the runlevel event until the rc task has finished running.
The exec stanza in rc.conf calls the /etc/init.d/rc script (not the rc task) with an argument of RUNLEVEL. The rc script calls the links in the /etc/rcn.d directory, where n is equal to RUNLEVEL (page 440). Thus the rc task, when called with RUNLEVEL set to 2, runs the init scripts that the links in the /etc/rc2.d directory point to.
The rc task runs the rc script when the system enters a runlevel from 0 through 6 (start on runlevel [0123456]). Normally this task terminates when it finishes executing the rc script.
The stop stanza (stop on runlevel [!$RUNLEVEL]) takes care of the case wherein a second runlevel event attempts to start while an rc task is running the rc script. In this case, the value of RUNLEVEL is not equal to the value of RUNLEVEL that the rc task was called with and the rc task stops.
$ cat /etc/init/rc.conf
# rc - System V runlevel compatibility
#
# This task runs the old System V-style rc script when changing between
# runlevels.

description     "System V runlevel compatibility"
author          "Scott James Remnant"

start on runlevel [0123456]
stop on runlevel [!$RUNLEVEL]
export RUNLEVEL
export PREVLEVEL
console output
env INIT_VERBOSE
task
exec /etc/init.d/rc $RUNLEVEL

tty services
Following is the job definition file for the service that starts and monitors the getty process (page 448) on tty1:
$ cat /etc/init/tty1.conf
# tty1 - getty
#
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
respawn
exec /sbin/getty -8 38400 tty1
The event in the start on stanza is named stopped (see the stopped man page). This stanza starts the tty1 service when the rc task is stopped with RUNLEVEL equal to 2, 3, 4, or 5. Because the rc task is stopped as the system finishes entering each of these runlevels, the tty1 service starts when the system enters any of these runlevels.
The event in the stop on stanza is named runlevel. This stanza stops the tty1 service when a runlevel event is emitted with an argument other than 2, 3, 4, or 5; that is, when the system enters recovery mode, is shut down, or is rebooted.
The respawn keyword tells init to restart the tty1 service if it terminates. The exec stanza runs a getty process with no parity (-8) on tty1 at 38,400 baud. In the next example, the initctl utility reports that the tty1 service has started and is running as process 1061; ps reports on the process:
$ status tty1
tty1 start/running, process 1061
$ ps -ef | grep 1061
root      1061     1  0 12:26 tty1     /sbin/getty -8 38400 tty1
control-alt-delete task
See page 451 for a discussion of the control-alt-delete task, which you can use to bring the system down.

rc-sysinit task and inittab
Under SysVinit, the initdefault entry in the /etc/inittab file tells init which runlevel (page 443) to bring the system to when it comes up. Ubuntu does not include an inittab file; instead, by default, the Upstart init daemon (using the rc-sysinit task) boots the system to multiuser mode (runlevel 2). If you want the system to boot to a different runlevel, modify the following line in the rc-sysinit.conf file:
$ cat /etc/init/rc-sysinit.conf
env DEFAULT_RUNLEVEL=2

caution  Do not set the system to boot to runlevel 0 or 6
Never set the system to boot to runlevel 0 or 6, as it will not come up properly. To boot to multiuser mode (runlevel 2), set DEFAULT_RUNLEVEL to 2. To boot to recovery mode, set DEFAULT_RUNLEVEL to S.


Changing the value of DEFAULT_RUNLEVEL from 2 to S causes the system to boot to recovery mode (runlevel S; see the caution on page 444). When the system comes up in recovery mode, if the root account on the system is unlocked (page 431), init requests the root password before displaying the root prompt. Otherwise, it displays the root prompt without requesting a password.

SYSVINIT (rc) SCRIPTS: START AND STOP SYSTEM SERVICES
rc scripts
The init (initialization) scripts, also called rc (run command) scripts, are shell scripts located in the /etc/init.d directory. They are run via symbolic links in the /etc/rcn.d directories, where n is the runlevel the system is entering.

tip  Most of the files in the /etc/rcn.d and /etc/init.d directories will go away
As explained on page 434, Ubuntu emulates runlevels using Upstart to aid migration and provide compatibility with software for other distributions. This section explains how init scripts work with (emulated) runlevels to control system services. Many of the scripts in the /etc/rcn.d and /etc/init.d directories described in this section suggest you use the corresponding initctl commands in place of the script because the links in these directories have been replaced by job control files in /etc/init (page 434).
The /etc/rcn.d directories contain scripts whose names begin with K (K19cupsys, K20dhcp, K74bluetooth, and so on) and scripts whose names begin with S (S15bind9, S18nis, S20exim4, and so on). When entering a new runlevel, each K (kill) script is executed with an argument of stop, and then each S (start) script is executed with an argument of start. Each of the K files is run in numerical order. The S files are run in similar fashion. This arrangement allows the person who sets up these files to control which services are stopped and which are started, and in what order, whenever the system enters a given runlevel. Using scripts with start and stop arguments promotes flexibility because it allows one script to both start and kill a process, depending on which argument it is called with.
To customize system initialization, you can add shell scripts to the /etc/init.d directory and place links to these files in the /etc/rcn.d directories (although in practice it is best to use sysv-rc-conf [discussed next] to create the links).
The following example shows several links to the cups init script. These links are called to run the cups init script to start or stop the cupsd daemons at various runlevels:
$ ls -l /etc/rc?.d/*cups*
lrwxrwxrwx 1 root root 14 2010-02-26 10:19 /etc/rc1.d/K80cups -> ../init.d/cups
lrwxrwxrwx 1 root root 14 2010-02-26 10:19 /etc/rc2.d/S50cups -> ../init.d/cups
lrwxrwxrwx 1 root root 14 2010-02-26 10:19 /etc/rc3.d/S50cups -> ../init.d/cups
lrwxrwxrwx 1 root root 14 2010-02-26 10:19 /etc/rc4.d/S50cups -> ../init.d/cups
lrwxrwxrwx 1 root root 14 2010-02-26 10:19 /etc/rc5.d/S50cups -> ../init.d/cups
Each link in /etc/rcn.d points to a file in /etc/init.d. For example, the file /etc/rc2.d/S50cups is a link to the file named cups in /etc/init.d. (The numbers in the filenames of the links in the /etc/rcn.d directories may change from one release of Ubuntu to the next, but the scripts in /etc/init.d always have the same names.)
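As an added example (not from the book), the following shell functions model the run of K and S links that /etc/init.d/rc performs when the system enters a runlevel, and add the check an administrator would run to confirm that every link in the /etc/rcn.d directories is a symbolic link into /etc/init.d. The directory tree, the stand-in init scripts and the link names are constructed under a temporary directory; nothing touches the real /etc.

```shell
#!/bin/sh
# Added example (not from the book): a model of what /etc/init.d/rc does with
# the links in /etc/rcN.d, plus an audit of those links.  All paths below are
# constructed under a temporary directory; the real /etc is never touched.

# make_fixture: build the constructed tree and print its root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc1.d" "$root/rc2.d"
    for svc in anacron cups networking; do
        # Each stand-in init script just reports its name and its argument.
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/init.d/$svc"
    done
    # Link names modelled on the ls -l output shown in the text.
    ln -s ../init.d/networking "$root/rc1.d/K35networking"
    ln -s ../init.d/cups       "$root/rc1.d/K80cups"
    ln -s ../init.d/anacron    "$root/rc2.d/K20anacron"
    ln -s ../init.d/networking "$root/rc2.d/S35networking"
    ln -s ../init.d/cups       "$root/rc2.d/S50cups"
    # A link whose target lies outside init.d: the audit below should flag it.
    ln -s /opt/other/start     "$root/rc2.d/S99other"
    printf '%s\n' "$root"
}

# run_rc ROOT LEVEL: emulate entering runlevel LEVEL.  Every K link is run
# with "stop" and then every S link with "start", each group in the order
# the numeric prefixes sort.  Links whose target is missing are skipped, as
# the real rc script does.  Prints one line per script invocation.
run_rc() {
    root=$1
    level=$2
    for link in "$root/rc$level.d"/K*; do
        [ -f "$link" ] || continue
        sh "$link" stop
    done
    for link in "$root/rc$level.d"/S*; do
        [ -f "$link" ] || continue
        sh "$link" start
    done
}

# audit_rc_links ROOT: report every entry in the rcN.d directories that is
# not a symbolic link into ../init.d.  Returns 0 when everything is in
# order and 1 when at least one entry needs a closer look.
audit_rc_links() {
    root=$1
    status=0
    for entry in "$root"/rc?.d/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        if [ ! -L "$entry" ]; then
            printf 'not a symbolic link: %s\n' "$entry"
            status=1
            continue
        fi
        target=$(readlink "$entry")
        case $target in
            ../init.d/*) ;;
            *) printf 'points outside init.d: %s -> %s\n' "$entry" "$target"
               status=1 ;;
        esac
    done
    return $status
}

# Stand-alone demonstration.
demo_root=$(make_fixture)
echo "Entering runlevel 2:"
run_rc "$demo_root" 2
echo "Audit:"
audit_rc_links "$demo_root" || echo "audit found problems"
rm -rf "$demo_root"
```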


The names of files in the init.d directory are functional. Thus, when you want to turn NFS services on or off, you use the nfs-kernel-server script. Similarly, when you want to turn basic network services on or off, you run the networking script. The cups script controls the printer daemon. Each script takes an argument of stop or start, depending on what you want to do. Some scripts also take other arguments, such as restart, reload, and status. Run a script without an argument to display a usage message indicating which arguments it accepts.
Following are three examples of calls to init scripts. You may find it easier to use service (discussed next) in place of the pathnames in these commands:
$ sudo /etc/init.d/nfs-kernel-server stop
$ sudo /etc/init.d/networking start
$ sudo /etc/init.d/networking restart
The first example stops all NFS server processes (processes related to serving filesystems over the network). The second example starts all processes related to basic network services. The third example stops and then restarts these same processes.
/etc/rc.local
The /etc/rc.local file is executed after the other init scripts when the system boots. Put commands that customize the system in rc.local. Although you can add any commands you like to rc.local, it is best to run them in the background; that way, if they hang, they will not stop the boot process.

service: CONFIGURES SERVICES I
Ubuntu provides service, a handy utility that can report on or change the status of any of the jobs in /etc/init (page 435) and any of the system services in /etc/rc.d/init.d (page 440). Ubuntu introduced this utility for compatibility with the Fedora/RHEL service utility. In place of the commands described at the end of the previous section, you can give the following commands from any directory:
$ sudo service nfs-kernel-server stop
$ sudo service networking start
$ sudo service networking restart
The command service --status-all displays the status of all system services. The next section explores yet another way to configure system services.

sysv-rc-conf: CONFIGURES SERVICES II
The sysv-rc-conf utility (sysv-rc-conf package) makes it easier for a system administrator to maintain the /etc/rcn.d directory hierarchy. This utility can add, remove, and list startup information for system services. You might also want to try the graphical boot-up manager, bum (bum package), which this book does not cover.
You can run sysv-rc-conf in pseudographical or textual mode. In pseudographical mode, it makes changes to configuration files as you enter the changes and can also start and stop services. For more information on this mode, see the sysv-rc-conf man page or run sysv-rc-conf without any arguments and give the command h. This section discusses using sysv-rc-conf in textual mode in which it changes the configuration only; it does not change the current state of any service. Give the following command to see the list of services:
$ sudo sysv-rc-conf --list
acpi-support   1:off  2:on   3:on   4:on   5:on
acpid
alsa-mixer-s
anacron
apparmor       S:on
apport
atd
avahi-daemon
binfmt-suppo   2:on   3:on   4:on   5:on
bluetooth      0:off  1:off  2:on   3:on   4:on   5:on   6:off

All services that run their own daemons are listed, one to a line, followed by their configured state for each runlevel. If a runlevel is missing, it means that there is no entry for that service in the corresponding file in the /etc/rcn.d directory. When all runlevels are missing, it means the service is controlled by Upstart. You can check how a specific daemon is configured by adding its name to the previous command:
$ sudo sysv-rc-conf --list cups
cups           1:off  2:on   3:on   4:on   5:on
tip  The name of the job/init script may differ from the name of the daemon it runs
The following example shows that the ssh job controls the sshd daemon. You can find the name of the job that controls a daemon by listing the contents of the /etc/init and /etc/init.d directories and searching for a filename that is similar to the name or function of the daemon you want to work with. For example, the /etc/init.d/cups script controls the printing daemon. Frequently, the first few lines of a script or the comments and the exec and description stanzas of a job identify the daemon it controls. The following job description file shows these lines:
$ cat /etc/init/ssh.conf
# ssh - OpenBSD Secure Shell server
#
# The OpenSSH server provides secure shell access to the system.
description     "OpenSSH server"
exec /usr/sbin/sshd
In the next example, sysv-rc-conf (sysv-rc-conf package) configures the /etc/rcn.d directories so that the cupsd daemon is off in runlevels 2, 3, 4, and 5 and then confirms the change. To make these kinds of changes, you must work with root privileges:
$ sudo sysv-rc-conf --level 2345 cups off
$ sudo sysv-rc-conf --list cups
cups           1:off  2:off  3:off  4:off  5:off

SYSTEM OPERATION

443

For convenience, you can omit the --level 2345 arguments. When you specify an init script and on or off, sysv-rc-conf defaults to runlevels 2, 3, 4, and 5. The following command is equivalent to the first of the preceding commands:
$ sudo sysv-rc-conf cups off
The ps utility confirms that even though sysv-rc-conf set things up so cups would be off in all runlevels, it is still running. The sysv-rc-conf utility did not shut down cups.
$ ps -ef | grep cups
root       998     1  0 12:47 ?        00:00:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
zach      5618  1334  0 18:28 pts/0    00:00:00 grep --color=auto cups
With the preceding changes, when you reboot the system, cups will not start. You can stop it more easily using the cups init script:
$ sudo service cups stop
 * Stopping Common Unix Printing System: cupsd          [ OK ]
$ ps -ef | grep cups
zach      5637  1334  0 18:29 pts/0    00:00:00 grep --color=auto cups

SYSTEM OPERATION
This section covers the basics of how the system functions and can help you make intelligent decisions as a system administrator. It does not examine every possible aspect of system administration in the depth necessary to enable you to set up or modify all system functions. Instead, it provides a guide to bringing a system up and keeping it running on a day-to-day basis.

RUNLEVELS
With the introduction of Upstart, true runlevels disappeared from the system. As a transitional tool, runlevels were replaced with a structure that runs under Upstart and emulates runlevels (page 434). Table 11-1 lists these pseudorunlevels as they exist under Upstart.

Table 11-1   Pseudorunlevels

Number    Name/function
0         Brings the system down
1         Brings the system to recovery (S, single-user) mode
S         Recovery (single-user) mode, textual login, few system services running
2         Multiuser mode, graphical login, all scheduled system services running
3, 4, 5   Multiuser mode, graphical login, all scheduled system services running (for system customization, runlevels 2-5 are identical)
6         Reboots the system

Default runlevel
By default, Ubuntu systems boot to multiuser mode (runlevel 2). See "rc-sysinit task and inittab" on page 439 for instructions explaining how to change this default.
runlevel
The runlevel utility [runlevel(8) man page; do not confuse it with the runlevel event described on page 438] displays the previous and current runlevels. This utility is a transitional tool; it provides compatibility with SysVinit. In the following example, the N indicates that the system does not know what the previous runlevel was and the 2 indicates that the system is in multiuser mode.
$ runlevel
N 2

telinit
The telinit utility (man telinit) allows a user with root privileges to bring the system down, reboot the system, or change between recovery (single-user) and multiuser modes. The telinit utility is a transitional tool; it provides compatibility with SysVinit. This utility emits a runlevel event (page 438) based on its argument. The format of a telinit command is

telinit runlevel

where runlevel is one of the pseudorunlevels described in Table 11-1 (previous page).
Recovery mode and the root password
When the system enters recovery (single-user) mode, if the root account is unlocked (page 431), init requests the root password before displaying the root prompt. Otherwise, it displays the root prompt without requesting a password. When the system enters multiuser mode, it displays a graphical login screen.

caution  Do not change runlevels directly into runlevel S
Using telinit to request that the system change to runlevel 1 brings the system first to runlevel 1, where appropriate system processes (running system services) are killed, and then automatically to runlevel S. Changing directly to runlevel S puts the system into runlevel S but does not kill any processes first; it is usually a poor idea.
The Upstart init daemon consults the rc-sysinit.conf file (page 439) only when the system is booting. At that time there are no processes left running from a previous runlevel, so going directly to runlevel S does not present a problem.

BOOTING THE SYSTEM
Booting a system is the process of reading the Linux kernel (page 1156) into system
memory and starting it running. Refer to "GRUB: The Linux Boot Loader" on
page 583 for more information on the initial steps of bringing a system up.

List the kernel boot messages
tip To save a list of kernel boot messages, run dmesg immediately after booting the system and
logging in:
$ dmesg > dmesg.boot

This command saves the kernel messages in a file named dmesg.boot. This list can be educational;
it can also be useful when you are having a problem with the boot process. For more information
see page 589.

SYSTEM OPERATION

init daemon   As the last step of the boot procedure, Linux starts the Upstart init daemon
(page 432) as PID number 1. The init daemon is the first genuine process to
run after booting and is the parent of all system processes. (Which is why when you kill
process 1 while you are working with root privileges, the system dies.)
Once init is running, the startup event triggers the rc-sysinit task, which stops when
the system enters any runlevel. The rc-sysinit task executes telinit with the argument
specified by DEFAULT_RUNLEVEL in the rc-sysinit.conf file. See page 439 for more
information.

Reinstalling the MBR   If the master boot record (MBR) is overwritten, the system will not boot into Linux
and you need to rewrite the MBR. See page 589 for details.

RECOVERY (SINGLE-USER) MODE
When the system is in recovery (single-user) mode, only the system console is
enabled. You can run programs from the console in recovery mode just as you
would from any terminal in multiuser mode with three differences: You cannot run
graphical programs (because you are working in textual mode), few of the system
daemons are running, and all filesystems are mounted as specified by /etc/fstab
(page 510), but they are mounted readonly. You can use the mount remount and rw
options to enable write access to a filesystem (page 222).

Ubuntu uses the term recovery mode, not single-user mode
tip   What was classically called single-user mode, Ubuntu refers to as recovery mode. However, some
vestiges of the old terminology remain. For example, you type single at the end of the GRUB linux
line to bring a system up in recovery mode. This book uses these terms interchangeably.

When you boot the system to recovery mode, the Upstart init daemon runs the job
named rcS (/etc/init/rcS.conf) as part of recovery mode initialization (see the caution on
page 444). See the next sections for instructions on booting a system to recovery
mode. When you bring a running system down to recovery mode (page 451), the
Upstart init daemon runs jobs named rc (/etc/init/rc.conf) and rcS.
With the system in recovery mode, you can perform system maintenance that
requires filesystems to be unmounted or that requires just a quiet system—no one
except you using it, so that no user programs interfere with disk maintenance and
backup programs. The classical UNIX term for this state is quiescent. You can often
boot to recovery mode when the system will not boot normally, allowing you to
change or replace configuration files, check and repair partitions using fsck
(page 512), rewrite boot information (page 589), and more.

BOOTING THE SYSTEM TO RECOVERY (SINGLE-USER) MODE

You can bring a system up to recovery mode by booting from the hard disk and
giving GRUB the appropriate instructions.
Displaying the GRUB menu   The first step in bringing a system up in recovery mode from the hard disk is to
display the GRUB menu (Figure 11-1, next page). Boot the system normally (turn on
the power or reboot the system). The GRUB menu will be hidden or displayed.
Either way, if you hold down the SHIFT key as the system is booting, GRUB displays
its menu and stops booting the system. If the system is running GRUB legacy
(page 583), you must press the ESC key to display the menu.

446   CHAPTER 11   SYSTEM ADMINISTRATION: CORE CONCEPTS

[Figure 11-1   The GRUB menu: a GNU GRUB 1.98 screen listing the Ubuntu 2.6.32 kernel entries, each paired with a "(recovery mode)" entry, followed by two "Memory test (memtest86+)" entries and the usual footer about using the arrow keys, pressing enter to boot, 'e' to edit the commands before booting, or 'c' for a command line.]

Selecting recovery mode   Unless you have modified the /etc/default/grub file (page 584), the GRUB menu
starts with a few pairs of lines similar to the following:
Ubuntu, with Linux 2.6.32-22-generic
Ubuntu, with Linux 2.6.32-22-generic (recovery mode)
Typically the first line is highlighted as shown in Figure 11-1. Press the DOWN ARROW
key to highlight the second line, which includes the words recovery mode. Press
RETURN to boot the system to recovery mode. The system displays the pseudographical
Recovery menu (Figure 11-2).

Recovery versus rescue modes
tip   Recovery mode is the new name for what was formerly single-user mode. When you bring a system
up in recovery mode, Ubuntu boots from the hard disk and displays the pseudographical
Recovery menu. This section explains how to bring a system up to recovery mode.
When you bring a system up to rescue a broken system, you boot Ubuntu from a Server CD, an
Alternate CD, or a DVD as explained on page 83 and select Rescue a broken system from the
Ubuntu boot menu. Ubuntu displays the pseudographical Rescue Operations menu (Figure 3-24,
page 84).

Recovery Menu
    resume     Resume normal boot
    clean      Try to make free space
    dpkg       Repair broken packages
    grub       Update grub bootloader
    netroot    Drop to root shell prompt with networking
    root       Drop to root shell prompt
                          <Ok>

Figure 11-2   The Recovery menu

Editing the GRUB menu   If there is no line with recovery mode in the menu, follow these instructions:
1. Highlight the kernel you want to boot—GRUB highlights the default kernel
when GRUB displays its menu.
2. Press e to edit the GRUB boot command lines (from /boot/grub/grub.cfg)
for the kernel you selected. GRUB displays the lines in a simple emacs-like
editor with the cursor at the beginning of the line. In this editor, GRUB
wraps the line so it may occupy several physical lines. You can use the
ARROW keys to move the cursor.
3. Press the DOWN ARROW key to highlight the line that begins with linux.
4. Press the RIGHT ARROW key to position the cursor at the right end of the line,
enter SPACE single (following splash in the default setup), and press CONTROL-X
to boot the system using the modified kernel line. The system displays the
pseudographical Recovery menu (Figure 11-2).
Recovery menu   The Recovery menu is controlled by the files in the /usr/share/recovery-mode
directory hierarchy and presents six selections:
• resume—Resumes booting the system, bypassing the Recovery menu. If
you were booting to recovery mode, this selection will bring the system up
in recovery mode.
• clean—Deletes all package files from the APT cache. Same as the aptitude
clean command (page 526).
• dpkg—Repairs broken packages and upgrades all packages on the system.
Equivalent to aptitude full-upgrade (page 526), dpkg --configure -a, and
apt-get -f install.
• grub—Updates the GRUB boot loader by running update-grub (page 587).
• netroot—Runs dhclient (page 472) to start networking and starts a root
shell that displays a prompt.
• root—Starts a root shell (without networking) that displays a prompt.

root password   If the root account on the system is unlocked (page 431), the system requests the
root password before displaying the root prompt. Otherwise, it displays the root
prompt without requesting a password.

GOING TO MULTIUSER MODE
Multiuser/graphical mode (runlevel 2) is the default state for an Ubuntu Linux system. In this mode all appropriate filesystems are mounted, and users can log in from
all connected terminals, dial-up lines, and network connections. All support services
and daemons are enabled and running. With the system in multiuser mode, Ubuntu
displays a graphical login screen on the console.
If you booted to recovery mode to fix something, give a reboot command and allow
the system to come up in multiuser mode. If the system entered recovery mode automatically to allow you to repair the filesystem, when you exit from the recovery
shell, init brings the system to the default mode—usually multiuser. Alternatively,
you can give the following command in response to the root prompt to bring the
system to multiuser mode:
# telinit 2
The telinit utility (page 444) tells init which runlevel to change to.
When it goes from recovery (single-user) to multiuser mode, the system executes the
K (kill or stop) scripts and then the S (start) scripts in /etc/rc.d/rc2.d. For more
information refer to "SysVinit (rc) Scripts: Start and Stop System Services" on
page 440. Use sysv-rc-conf (page 441) to stop any of these scripts from running
when the system enters the new runlevel.

LOGGING IN
Textual login: init, getty, and login   With a textual login, the system uses init, getty, and login to allow a user to log in;
login uses PAM modules (page 478) to authenticate a user. Once the system is in
multiuser mode, init is responsible for spawning a getty process on each of the lines
a user can log in on.
When you enter your username, getty establishes the characteristics of the terminal.
It then overlays itself with a login process and passes to the login process whatever
you entered in response to the login: prompt. Using PAM, the login process consults
the /etc/passwd file to see whether any username there matches the username you
entered. Next, PAM examines the /etc/shadow file to see whether a password is
associated with the username. If it is, login prompts you for a password; if not, it
continues without requiring a password. When your username requires a password,
login verifies the password you enter by checking the /etc/shadow file again. If either
your username or your password is not correct, login displays Login incorrect,
pauses, and prompts you to log in again.
All passwords in the /etc/shadow file are hashed using MD5 (page 1159). It is not
feasible to recover a hashed password. When you log in, the login process hashes the
password you type at the prompt and compares it to the hashed password in
/etc/shadow. If the two passwords match, you are authenticated.
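The paragraphs above describe what login finds in the password field of /etc/shadow: a hash to compare against, or nothing, in which case no password is asked for. The following shell script, an added example that is not from the book, classifies each password field of shadow-format lines and reports the accounts that would be let in without a password. The sample lines are constructed for this example and the hash bodies are placeholders, not real hashes; the $5$, $6$ and $y$ prefixes (SHA-256, SHA-512, yescrypt) go beyond the MD5 ($1$) case the text mentions, since current Ubuntu releases use them.

```shell
# Constructed sample in /etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:flag
# The hash bodies are placeholders, not real password hashes.
SAMPLE_SHADOW='root:!:18000:0:99999:7:::
sam:$1$saltsalt$PLACEHOLDER_MD5_HASH_BODY:18000:0:99999:7:::
max:$6$saltsalt$PLACEHOLDER_SHA512_HASH_BODY:18000:0:99999:7:::
guest::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'

# Classify one password field. An empty field is the dangerous case the text
# describes: login asks for no password at all. A leading ! or * can never
# match a hash, so the account is locked for password logins. The $id$ prefix
# names the crypt(3) algorithm that hashed the password.
shadow_class() {
    case "$1" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '$y$'*)    echo yescrypt ;;
        *)         echo unknown ;;
    esac
}

# Read shadow-format lines on stdin; print "user class" for each one.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        echo "$user $(shadow_class "$hash")"
    done
}

# Print only the accounts that can log in without any password.
empty_password_accounts() {
    audit_shadow | awk '$2 == "empty" { print $1 }'
}

# On a real system the file is readable only by root:
#   sudo cat /etc/shadow | empty_password_accounts
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Running the script on the constructed sample prints one line per account; only guest is reported by empty_password_accounts, and the MD5 entry for sam shows which accounts still carry the weaker hash the text describes.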
Graphical login   With a graphical login, the init process spawns gdm (the GNOME display manager)
on the first free virtual terminal, providing features similar to those offered by getty
and login. The gdm utility starts an X server and presents a login window. The gdm
display manager then uses PAM to authenticate the user and runs the scripts in the
/etc/gdm/PreSession directory. These scripts inspect the user's ~/.dmrc file, which
stores the user's default session and language, and launch the user's session. The
GNOME desktop environment stores the state of the last saved session and
attempts to restore it when the user logs in again.
With NIS, login compares the username and password with the information in the
appropriate naming service instead of (or in addition to) the passwd and shadow
files. If the system is configured to use both methods (/etc/passwd and NIS), it checks
the /etc/nsswitch.conf file (page 475) to see in which order it should consult them.
PAM (page 478)—the Pluggable Authentication Module facility—gives you greater
control over user logins than the /etc/passwd and /etc/shadow files do. Using PAM,
you can specify multiple levels of authentication, mutually exclusive authentication
methods, or parallel methods, each of which is by itself sufficient to grant access to
the system. For example, you can have different authentication methods for console
logins and for ssh logins. Similarly, you can require modem users to authenticate
themselves using two or more methods (such as a smartcard or badge reader and a
password). PAM modules also provide security technology vendors with a convenient way to interface their hardware or software products with a system.
Initializing the session   When both the username and the password are correct, login or the scripts in PreSession
consult the appropriate services to initialize the user and group IDs, establish the user's
home directory, and determine which shell or desktop manager the user works with.
The login utility and PreSession scripts assign values to variables and look in the
/etc/group file (page 492) to identify the groups the user belongs to. When login has
finished its work, it overlays itself with the login shell, which inherits the variables set
by login. In a graphical environment, the PreSession scripts start the desktop manager.
During a textual login, the login shell assigns values to additional shell variables
and executes the commands in the system startup files /etc/profile and /etc/bashrc.
Some systems have other system startup files as well. Although the actions performed by these scripts are system dependent, they typically display the contents of
the /etc/motd (message of the day) and /etc/issue files, let you know if you have
email, and set umask (page 459), the file-creation mask.
After executing the system startup commands, the shell executes the commands
from the personal startup files in the user's home directory. These scripts are
described on page 293. Because the shell executes the personal startup files after the
system startup files, a sophisticated user can override any variables or conventions
that were established by the system. A new user, by contrast, can remain uninvolved
in these matters.

LOGGING OUT
With a shell prompt displayed, you can either execute a program or exit from the
shell. If you exit from the shell, the process running the shell dies and the parent
process wakes up. When the shell is a child of another shell, the parent shell wakes
up and displays a prompt. Exiting from a login shell causes the operating system to
send init a signal that one of its children has died. Upon receiving this signal, init
takes action based on the appropriate job (page 433). In the case of a process controlling a line for a terminal, init calls the appropriate tty service (page 439), which
then respawns getty so another user can log in.

BRINGING THE SYSTEM DOWN
shutdown   The shutdown and reboot utilities perform the tasks needed to bring the system down
safely. These utilities can restart the system, prepare the system to be turned off,
and, on most hardware, power down the system. The poweroff and halt utilities are
links to reboot.
You must tell shutdown when you want to bring the system down. This time can be
expressed as an absolute time of day, as in 19:15, which causes the shutdown to
occur at 7:15 PM. Alternatively, you can give this time as the number of minutes
from the present time, as in +15, which means 15 minutes from now. To bring the
system down immediately (recommended for emergency shutdowns only or when
you are the only user logged in), you can give the argument +0 or its synonym, now.
When the shutdown time exceeds 5 minutes, all nonroot logins are disabled for the
last 5 minutes before shutdown.

Do not turn the power off before bringing the system down
caution   Do not turn the power off on a Linux system without first bringing it down as described in this
section. To speed up disk access, Linux keeps buffers in memory that it writes out to disk periodically
or when system use is momentarily low. When you turn off or reset the computer without writing
the contents of these buffers to the disk, you lose any information in the buffers. Running the
shutdown utility forces these buffers to be written. You can force the buffers to be written at any
time by issuing a sync command. However, sync does not unmount filesystems, nor does it
bring the system down. Also, turning off or resetting a system in this manner can destroy filesystems on IDE and SATA hard disks.
Calling shutdown with the -r option causes the system to reboot (same as reboot,
except reboot implies now). Calling shutdown with the -h option forces the system to
halt (same as halt, except halt implies now). A message appears once the system has
been safely halted: System halted. Because most ATX systems power off automatically after shutdown, you are unlikely to see this message.
Because Linux is a multiuser system, shutdown warns all users before taking action.
This warning gives users a chance to prepare for the shutdown, perhaps by writing
out editor files or exiting from applications. You can replace the default shutdown
message with one of your own by following the time specification on the command
line with a message:

$ sudo shutdown -h 09:30 Going down 9:30 to install disk, up by 10am.

CONTROL-ALT-DEL: REBOOTS THE SYSTEM
In a textual environment, pressing the key sequence CONTROL-ALT-DEL (also referred to
as the three-finger salute or the Vulcan death grip) on the console causes the kernel
to trigger a control-alt-delete task (page 439) that causes init to run the commands
in /etc/init/control-alt-delete. These commands safely reboot the system by issuing
a shutdown command. You can disable the CONTROL-ALT-DEL sequence by
removing the /etc/init/control-alt-delete file (or by moving it to another directory
for safekeeping).
In a graphical environment, the X Window System traps this key sequence but the
window manager does not pass it to the kernel. As a result, CONTROL-ALT-DEL does not
work in a graphical environment.

GOING TO RECOVERY (SINGLE-USER) MODE

The following steps describe a method of manually bringing the system down to
recovery mode. In some cases it may be easier to simply reboot the system and bring
it up in recovery mode; see page 445. Before starting, make sure you give other
users enough warning before switching to recovery mode; otherwise, they may lose
the data they are working on. Because going from multiuser to recovery mode can
affect other users, you must work with root privileges to perform all of these tasks
except the first.
1. Use wall (page 615) to warn everyone who is using the system to log out.
2. If you are sharing files via NFS, use exportfs -ua to disable network access
to the shared filesystems. (Use exportfs without an argument to see which
filesystems are being shared.)
3. Confirm that no critical processes are running in the background (e.g., an
unattended compile).
4. Give the command telinit 1 (page 444) to bring the system down to recovery mode. The system displays messages about the services it is shutting
down, followed by a root shell prompt (#). In runlevel 1, the system kills
many system services and then brings the system to runlevel S. The runlevel
utility confirms the system was at runlevel 1 and is now at runlevel S. See
the caution about changing runlevels on page 444.
$ sudo telinit 1
# runlevel
1 S
5. Use umount -a to unmount all mounted devices that are not in use. Use
mount without an argument to make sure that no devices other than root
(/) are mounted before continuing.

TURNING THE POWER OFF
Once the system is in recovery mode, give the command telinit 0 (page 444) or halt
to bring the system down. You can build a kernel with apm so it turns the machine
off at the appropriate time. If the system is not set up this way, turn the power off
when prompted to do so or when the system starts rebooting.

CRASH
A crash occurs when the system stops suddenly or fails unexpectedly. A crash may
result from software or hardware problems or from a loss of power. As a running
system loses power, it may behave in erratic or unpredictable ways. In a fraction of
a second, some components are supplied with enough voltage; others are not. Buffers are not flushed, corrupt data may be written to hard disks, and so on. IDE and
SATA drives do not behave as predictably as SCSI drives under these circumstances.
After a crash, you must bring the operating system up carefully to minimize possible
damage to the filesystems. On many occasions, little or no damage will have
occurred.

REPAIRING A FILESYSTEM
Although the filesystems are checked automatically during the boot process if
needed, you will have to check them manually if a problem cannot be repaired automatically. By default, when fsck cannot repair a filesystem automatically at boot
time, Linux enters recovery mode so that you can run fsck manually. If necessary,
you can explicitly boot the system to recovery mode (page 445).

Back up a badly damaged filesystem before running fsck on it
caution   When a filesystem is badly broken, fsck sometimes makes the situation worse while trying to
repair it. In these cases, it may be possible to recover more data by copying the readable data from
the broken filesystem before attempting to repair it. When a damaged filesystem holds important
data, use dd (see the dd man page) to make a full binary backup before attempting to repair it
using fsck.
With the system in recovery mode, use umount to unmount local filesystems you
want to check. Then run fsck (page 512) on these filesystems, repairing them as
needed. Make note of any ordinary files or directories that you repair (and can identify), and inform their owners that these files may not be complete or correct. Look
in the lost+found directory (page 488) in each filesystem for missing files. After
successfully running fsck, if the system entered recovery mode automatically, type exit
to exit from the recovery shell and resume booting the system; otherwise, give a
reboot command.
If files are not correct or are missing altogether, you may have to re-create them
from a backup copy of the filesystem. For more information refer to "Backing Up
Files" on page 599.

WHEN THE SYSTEM DOES NOT BOOT
When a system will not boot from the hard disk, boot the system to rescue mode
(page 83) or recovery mode (page 445). If the system comes up, run fsck (page 512)
on the root filesystem on the hard disk and try booting from the hard disk again. If
the system still does not boot, you may have to reinstall the master boot record
(page 589).
When all else fails, go through the install procedure, and perform an "upgrade" to
the current version of Linux. Ubuntu systems can perform a nondestructive upgrade
and can fix quite a bit of damage in the process. For more information refer to
page 74.

AVOIDING A TROJAN HORSE
A Trojan horse is a program that does something destructive or disruptive to a system while appearing to be benign. As an example, you could store the following
script in an executable file named mkfs:
while true
do
echo 'Good Morning Mr. Jones. How are you? Ha Ha Ha.' > /dev/console
done
If you are working with root privileges when you run this command, it will continuously write a message to the console. If the programmer were malicious, it could
do something worse. The only thing missing in this plot is access permissions.
A malicious user could implement this Trojan horse by changing root's PATH variable to include a publicly writable directory at the start of the PATH string. (The
catch is that you need to be able to write to /etc/profile—where the PATH variable
is set for root—and only a user with root privileges can do that.) Then you would
need to put the bogus mkfs program file in that directory. Because the fraudulent
version appears in a directory mentioned earlier than the real one in PATH, the shell
would run it rather than the real version. Thus, the next time a user working with
root privileges tries to run mkfs, the fraudulent version would run.
Trojan horses that lie in wait for and take advantage of the misspellings that most
people make are among the most insidious types. For example, you might type sl
instead of ls. Because you do not regularly execute a utility named sl and you may
not remember typing the command sl, it is more difficult to track down this type of
Trojan horse than one that takes the name of a more familiar utility.
A good way to help prevent the execution of a Trojan horse is to make sure your
PATH variable does not contain a single colon (:) at the beginning or end of the PATH
string or a period (.) or double colon (::) anywhere in the PATH string. This precaution
ensures that you will not execute a file in the working directory by accident.
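The PATH precaution in the preceding paragraph, written as a check you can run against any PATH string. This is an added example, not code from the book. It reports the three cases the text names (leading or trailing colon, double colon, explicit period) and, going one step beyond the text, any directory in the PATH that every user on the system can write to, which is the "publicly writable directory" the Trojan-horse scenario above depends on. The world-writable test reads the group/other permission characters from ls -ld, an assumption that holds for GNU and BSD ls.

```shell
# Examine a PATH string for the hazards the text describes. Prints one finding
# per line and returns 1 if anything was found, 0 if the PATH is clean.
check_path() {
    p=$1
    bad=0
    case "$p" in
        :*)   echo "leading colon: empty entry means the working directory"; bad=1 ;;
    esac
    case "$p" in
        *:)   echo "trailing colon: empty entry means the working directory"; bad=1 ;;
    esac
    case "$p" in
        *::*) echo "double colon: empty entry means the working directory"; bad=1 ;;
    esac
    # Walk the entries. An explicit "." is the same hazard spelled out; a
    # world-writable directory lets any local user plant a look-alike command.
    oldifs=$IFS
    IFS=:
    for d in $p; do
        if [ "$d" = . ]; then
            echo "explicit . entry: commands in the working directory would run"
            bad=1
        elif [ -n "$d" ] && [ -d "$d" ] && [ "$(ls -ld "$d" | cut -c9)" = w ]; then
            # character 9 of "drwxrwxrwx" is the "other" write bit
            echo "world-writable directory in PATH: $d"
            bad=1
        fi
    done
    IFS=$oldifs
    return "$bad"
}

# Check the PATH of the current shell; root's PATH is the one that matters most.
check_path "$PATH" || echo "PATH needs attention"
```

A clean PATH produces no output; to audit root's PATH in particular, run the check from a root shell or pass the PATH value set in /etc/profile as the argument.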

To check for a possible Trojan horse, examine the filesystem periodically for files
with setuid (page 420) permission. The following command lists these files:
Listing setuid files

$ sudo find / -perm -4000 -exec ls -lh {} \; 2> /dev/null
-rwsr-xr-x 1 root   root    125K 2010-03-26 11:24 /usr/bin/sudoedit
-rwsr-xr-x 1 root   root     14K 2010-03-11 15:12 /usr/bin/arping
-rwsr-xr-x 1 root   root     31K 2010-01-26 09:09 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon   42K 2010-03-04 18:35 /usr/bin/at
-rwsr-xr-x 1 root   root     36K 2010-01-26 09:09 /usr/bin/chfn
-rwsr-xr-x 1 root   root     37K 2010-01-26 09:09 /usr/bin/passwd
-rwsr-xr-x 1 root   lpadmin  14K 2010-04-09 08:13 /usr/bin/lppasswd

This command uses find to locate all files that have their setuid bit set (mode 4000).
The hyphen preceding the mode causes find to report on any file that has this bit set,
regardless of how the other bits are set. The output sent to standard error is redirected to /dev/null so it does not clutter the screen.
Run software only from sources you trust   Another way a Trojan horse can enter a system is via a tainted ~/.bashrc (page 488)
file. A bogus sudo command or alias in this file can capture a user's password,
which may then be used to gain root privileges. Because a user has write permission
to this file, any program the user executes can easily modify it. The best way to prevent this type of Trojan horse from entering a system is to run software only from
sources you trust.
You can set up a program, such as AIDE (Advanced Intrusion Detection Environment), that will take a snapshot of the system and periodically check files for
changes. For more information see sourceforge.net/projects/aide.
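The find command above lists setuid files once; what makes the listing useful as a periodic check, in the spirit of the AIDE snapshot just mentioned, is comparing it with an earlier one. The following shell functions, an added example that is not from the book or from AIDE, record a sorted baseline of setuid files and report any that appeared or disappeared since. The baseline file path in the usage comment is an assumption.

```shell
# List setuid files under a directory, one path per line, sorted so the result
# can be compared later. Same find test as the command in the text; -type f
# skips directories and errors from unreadable directories are discarded.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Compare the setuid files now present under $1 with a baseline file $2 that
# list_setuid wrote earlier. Prints +path for a setuid file that was not in the
# baseline and -path for one that has gone; returns 0 when nothing changed.
setuid_diff() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    list_setuid "$dir" > "$current"
    added=$(comm -13 "$baseline" "$current")     # in current only
    removed=$(comm -23 "$baseline" "$current")   # in baseline only
    rm -f "$current"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+/'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/-/'
    fi
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    return 1
}

# Typical use, as root (the baseline path is an assumption for this example):
#   list_setuid / > /root/setuid.baseline        # once, on a known-good system
#   setuid_diff / /root/setuid.baseline          # later, from cron or by hand
# Stand-alone demonstration: the setuid programs in /usr/bin on this system.
list_setuid /usr/bin
```

A new +path line is exactly the signal the text is after: a setuid file that was not there when the baseline was taken and that nobody installed deliberately deserves the same scrutiny as the bogus mkfs above.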

GETTING HELP
T h e Ubuntu Linux distribution comes with extensive documentation (page 136).
For example, the Support tab on the Ubuntu home page (www.ubuntu.com/support) and the Ubuntu wiki (wiki.ubuntu.com) point to many useful sources of support that can help answer many questions. You can also find help on the System
Administrators Guild site (www.sage.org). T h e Internet is another rich source of
information on managing a Linux system; refer to Appendix B (page 1 0 9 9 ) and to
the author's home page (www.sobell.com) for pointers to useful sites.
You need not act as an Ubuntu system administrator in isolation; a large community of
Linux/Ubuntu experts is willing to assist you in getting the most out of your system. O f
course, you will get better help if you have already tried to solve a problem yourself by
reading the available documentation. If you are unable to solve a problem by consulting the documentation, a well-thought-out question posed to the appropriate newsgroup, such as comp.os.linux.misc, or mailing list can often generate useful
information. Be sure to describe the problem accurately and identify the system carefully. Include information about the version of Ubuntu running on the system and any
software packages and hardware that you think relate to the problem. The newsgroup
comp.os.linux.answers contains postings of solutions to common problems and periodic postings of the most up-to-date versions of FAQs and H O W T O documents. You
can also refer to Ubuntu mailing lists (lists.ubuntu.com), the Ubuntu forum (ubuntuforums.org), system documentation (help.ubuntu.com), community documentation
(help.ubuntu.com/community), and I R C support (#ubuntu on irc.freenode.net). See
www.catb.org/~esr/faqs/smart-questions.html for a helpful paper by Eric S. Raymond
and Rick M o e n titled " H o w to Ask Questions the Smart Way."

TEXTUAL SYSTEM ADMINISTRATION UTILITIES
Many tools can help you be an efficient and thorough system administrator. This
section describes a few textual (command-line) tools and utilities; others are
described throughout Part IV of this book.

kill: SENDS A SIGNAL TO A PROCESS
The kill builtin sends a signal to a process. This signal may or may not terminate
(kill) the process, depending on which signal it is and how the process is designed.
Refer to "trap: Catches a Signal" on page 1009 for a discussion of the various signals and their interaction with a process. Running kill is definitely not the first
method to try when a process needs to be aborted.
Usually a user can kill a process by working in another window or by logging in on
another terminal. Sometimes, however, you may have to use sudo to kill a process
for a user. To kill a process, you need to know its PID. The ps utility can provide
this information once you determine the name of the program the user is running
and/or the username of the user. The top utility (page 610) can also be helpful in
finding and killing a runaway process (use the top k command).

kill: Use the kill signal (-KILL or -9) as a method of last resort
caution When you do need to use kill, send the termination signal (kill -TERM or kill -15) first. Only if
that tactic does not work should you attempt to use the kill signal (kill -KILL or kill -9).
Because of its inherent dangers, using a kill signal is a method of last resort, especially when you
are working with root privileges. One kill command issued while working with root privileges can
bring the system down without warning.
In the following example, Sam complains that gnome-calculator is stuck and that he
cannot do anything from the gnome-calculator window, not even close it. A more
experienced user could open another window and kill the process, but in this case
you kill it for Sam. First you use ps with the -u option, followed by the name of the
user, and the -f (full/wide) option to view all processes associated with that user:
$ ps -u sam -f
UID        PID  PPID  C STIME TTY          TIME CMD
sam       2294  2259  0 09:31 ?        00:00:00 /bin/sh /usr/bin/startkde
sam       2339  2294  0 09:31 ?        00:00:00 /usr/bin/ssh-agent /usr/bin/dbus-launch
sam       2342     1  0 09:31 ?        00:00:00 dbus-daemon --fork --print-pid 8 --prin
sam       2343     1  0 09:31 ?        00:00:00 /usr/bin/dbus-launch --exit-with-sessio
sam       2396     1  0 09:31 ?        00:00:00 kdeinit Running...
sam       2399     1  0 09:31 ?        00:00:00 dcopserver [kdeinit] --nosid
sam       2401  2396  0 09:31 ?        00:00:00 klauncher [kdeinit]
sam       2403     1  0 09:31 ?        00:00:00 kded [kdeinit]
sam       2405     1  0 09:31 ?        00:00:00 /usr/libexec/gam_server
sam       2413  2396  0 09:31 ?        00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m a
sam       2415     1  0 09:31 ?        00:00:00 kaccess [kdeinit]
sam       2416  2294  0 09:31 ?        00:00:00 kwrapper ksmserver
sam       2418     1  0 09:31 ?        00:00:00 ksmserver [kdeinit]
sam       2421  2396  0 09:31 ?        00:00:00 kwin [kdeinit] -session 1070626e6a00011
sam       2424     1  0 09:31 ?        00:00:01 kdesktop [kdeinit]
sam       2426     1  0 09:31 ?        00:00:01 kicker [kdeinit]
sam       2429  2396  0 09:31 ?        00:00:00 kio_file [kdeinit] file /tmp/ksocket-ma
sam       2434  2396  0 09:31 ?        00:00:00 konsole [kdeinit] -session 1070626e6a00
sam       2435  2396  0 09:31 ?        00:00:00 /bin/sh /usr/lib/firefox-1.5/firefox -U
sam       2446  2435  0 09:31 ?        00:00:00 /bin/sh /usr/lib/firefox-1.5/run-mozill
sam       2451  2446  0 09:31 ?        00:00:01 /usr/lib/firefox-1.5/firefox-bin -UILoc
sam       2453  2434  0 09:31 pts/2    00:00:00 /bin/bash
sam       2474     1  0 09:31 ?        00:00:00 /usr/libexec/gconfd-2 10
sam       2482     1  0 09:32 ?        00:00:00 synergyc jam
sam       3568  3567  0 13:55 pts/3    00:00:00 -bash
sam       3726     1  0 14:07 ?        00:00:00 knotify [kdeinit]
sam       3728     1  0 14:07 ?        00:00:00 /usr/bin/artsd -F 10 -S 4096 -s 60 -m a
sam       3730  2424  0 14:07 ?        00:00:00 gnome-calculator
sam       3731  3568  0 14:07 pts/3    00:00:00 ps -u sam -f

This list is fairly short, and the process running gnome-calculator is easy to find.
Another way to search for this process is to use ps to produce a long list of all
processes and then use grep to find which one is running gnome-calculator:
$ ps -ef | grep gnome-calculator
sam       3730  2424  0 14:07 ?        00:00:00 gnome-calculator
sam       3766  3568  0 14:14 pts/3    00:00:00 grep gnome-calculator
If several people are running gnome-calculator, look in the left column to find the
correct username so you can kill the right process. You can combine the two commands
as ps -u sam -f | grep gnome-calculator.
Now that you know Sam's process running gnome-calculator has a PID of 3730, you
can use kill to terminate it. The safest way to do so is to log in as Sam (perhaps you
could allow him to log in for you) and give any of the following commands (all of
which send a termination signal to process 3730):
$ kill 3730
or
$ kill -15 3730
or
$ kill -TERM 3730
Only if this command fails should you send the kill signal:
$ kill -KILL 3730
The -KILL option instructs kill to send a SIGKILL signal, which the process cannot
catch or ignore. Although you can give the same command while you are working with
root privileges, a typing mistake in this situation can have much more far-reaching
consequences than if you make the same mistake while you are working as a nonprivileged
user. A nonprivileged user can kill only her own processes, whereas a user with root
privileges can kill any process, including system processes.
As a compromise between speed and safety, you can combine the sudo and kill utilities
by using the sudo -u option. The following command runs the part of the command line
after the -u sam with the identity of Sam (Sam's privileges):
$ sudo -u sam kill -TERM 3730
killall Two useful utilities related to kill are killall and pidof. The killall utility is very similar
to kill but uses a command name instead of a PID number. Give the following command to kill
all your processes that are running gnome-calculator or vi:
$ killall gnome-calculator vi
Running this command while working with root privileges kills all processes running
gnome-calculator or vi.
pidof The pidof utility displays the PID number of each process running the command you
specify:
$ pidof apache2
567 566 565 564 563 562 561 560 553
If it is difficult to find the right process, try using top. Refer to the man pages for
these utilities for more information, including lists of options.
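The TERM-first, KILL-last rule above is easy to get wrong by hand when a process is slow to exit. The following shell function is an added example, not code from the book: it sends SIGTERM, waits a grace period, and sends SIGKILL only if the process is still running, and it reports which signal did the job so you can tell a well-behaved program from one that ignored SIGTERM. It assumes a Linux /proc filesystem or a ps that accepts -o stat= (procps does); the two victim processes in the demonstration are constructed for this example, and in real use you would obtain the PID with ps, pidof or top as described above.

```shell
#!/bin/sh
# Added example (not from the book): terminate a process the way the text
# recommends, SIGTERM first, SIGKILL only as a last resort.

# is_alive PID: true if PID exists and is not a zombie. A bare "kill -0"
# would also report a zombie (an exited child that has not been reaped yet)
# as alive, so the process state is read instead.
is_alive() {
    if [ -r "/proc/$1/stat" ]; then
        # State is the first field after the parenthesised command name.
        state=$(sed 's/^.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null)
    else
        state=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    fi
    case $state in
        ""|Z*) return 1 ;;
        *)     return 0 ;;
    esac
}

# graceful_kill PID [GRACE_SECONDS]
#   returns 0 if the process exited on SIGTERM,
#           1 if SIGKILL was required,
#           2 if PID is invalid, not ours, or still alive afterwards.
graceful_kill() {
    pid=$1
    grace=${2:-5}

    is_alive "$pid" || return 2
    kill -TERM "$pid" 2>/dev/null || return 2   # e.g. not permitted

    i=0
    while [ "$i" -lt "$grace" ]; do
        sleep 1
        is_alive "$pid" || return 0
        i=$((i + 1))
    done

    # Last resort: SIGKILL cannot be caught, blocked or ignored.
    kill -KILL "$pid" 2>/dev/null
    sleep 1
    if is_alive "$pid"; then
        return 2
    fi
    return 1
}

# Demonstration with two constructed victims: a well-behaved sleep and one
# that ignores SIGTERM, as a hung program might.
demo() {
    sleep 60 &
    polite=$!
    sh -c 'trap "" TERM; exec sleep 60' &
    stubborn=$!

    graceful_kill "$polite" 3
    echo "polite process $polite: exit status $? (0 = SIGTERM was enough)"
    graceful_kill "$stubborn" 3
    echo "stubborn process $stubborn: exit status $? (1 = SIGKILL was needed)"
}
demo
```

Use it as graceful_kill 3730 10 once you have the PID; with sudo -u sam in front, as in the text, the TERM and KILL are sent with Sam's privileges rather than root's.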

OTHER TEXTUAL UTILITIES
This section describes a few textual (command-line) system administration tools
you may find useful. To learn more about most of these utilities, read the man pages.
For information about umask and uname, see the info pages.
chsh Changes the login shell for a user. When you call chsh without an argument, you
change your login shell. When an ordinary user changes his login shell with chsh,
he must specify an installed shell that is listed in the file /etc/shells, exactly as it is
listed there; chsh rejects other entries. When working with root privileges, you can
change any user's shell to any value by calling chsh with the username as an argument.
In the following example, a user working with root privileges changes Sam's
shell to tcsh:
$ sudo chsh sam
Password:
Changing the login shell for sam
Enter the new value, or press ENTER for the default
Login Shell [/bin/bash]: /bin/tcsh
See page 293 for more information.
clear Clears the screen. You can also use CONTROL-L from the bash shell to clear the screen.
The value of the environment variable TERM (page 1106) determines how to clear
the screen.
dmesg Displays recent system log messages (page 589).
e2label Displays or creates a volume label on an ext2, ext3, or ext4 filesystem. You must
run this utility with root privileges. An e2label command has the following format:
e2label device [newlabel]
where device is the name of the device (e.g., /dev/hda2, /dev/sdb1, /dev/fd0) you
want to work with. When you include the optional newlabel parameter, e2label
changes the label on device to newlabel. Without this parameter, e2label displays
the label. You can also create a volume label with the -L option of tune2fs
(page 512).
lshw Lists hardware. This utility provides complete information only when run with root
privileges. Use the -short option to display a brief listing. See page 640 for more
information.
mkfs Creates a new filesystem on a device, destroying all data on the device as it does so.
This utility is a front-end for many utilities, each of which builds a different type of
filesystem. By default, mkfs builds an ext2 filesystem and works on either a hard
disk partition or a floppy diskette. Although it can take many options and arguments,
you can use mkfs simply as
$ sudo mkfs device
where device is the name of the device (/dev/hda2, /dev/sdb1, /dev/fd0, and so on)
you want to make a filesystem on. Use the -t option to specify a type of filesystem.
As an example, the following command creates an ext4 filesystem on /dev/sda2:
$ sudo mkfs -t ext4 /dev/sda2
An example using mkfs to create a filesystem on a floppy diskette appears on page 509.
ping Sends packets to a remote system. This utility determines whether you can reach a
remote system through the network and tells you how long it takes to exchange
messages with the remote system. Refer to "ping: Tests a Network Connection" on
page 393.
reset (link to tset) Resets terminal characteristics. The value of the TERM environment variable
(page 1106) determines how the screen will be reset. The screen is cleared, the kill
and interrupt characters are set to their default values, and character echo is turned
on. When given from a graphical terminal emulator, this command also changes the
size of the window to its default. The reset utility is useful for restoring the screen to
a sane state after it has been corrupted. In this sense, it is similar to an stty sane
command.
setserial Gets and sets serial port information. When run with root privileges, this utility can
configure a serial port. The following command sets the I/O port address of /dev/ttyS0
to 0x100, the interrupt (IRQ) to 5, and selects 115,200 baud in place of 38,400 (spd_vhi):
$ sudo setserial /dev/ttyS0 port 0x100 irq 5 spd_vhi
You can also check the configuration of a serial port with setserial:
$ sudo setserial /dev/ttyS0
/dev/ttyS0, UART: 16550A, Port: 0x0100, IRQ: 5, Flags: spd_vhi
Normally the system calls setserial as it is booting if a serial port needs custom
configuration. This utility is part of the setserial package.

stat Displays information about a file or filesystem. Giving the -f (filesystem) option
followed by a mount point, or by any file on the filesystem, displays information about
the filesystem that holds it, including the maximum number of characters allowed in a
filename (Namelen in the following example). In the example the argument is a device
file, so stat reports on the tmpfs mounted on /dev, not on the disk the device file refers
to. See the stat man page for more information.
$ stat -f /dev/sda
  File: "/dev/sda"
    ID: 0        Namelen: 255     Type: tmpfs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 127271     Free: 127207     Available: 127207
Inodes: Total: 127271     Free: 126600
umask A shell builtin that specifies the mask the system uses to set up access permissions
when you create a file. A umask command has the following format:
umask [mask]
where mask is a three-digit octal number or a symbolic value such as you would use
with chmod (page 216). The mask specifies the permissions that are not allowed.
When mask is an octal number, the digits correspond to the permissions for the
owner of the file, members of the group the file is associated with, and everyone
else. Because mask specifies the permissions that are not allowed, the system clears
from the default permissions every bit that is set in mask when you create a file.
When no digit of mask contains a bit that the corresponding default digit lacks (as
with 022 against 777), this is the same as subtracting each of the three digits from 7;
in general it is a bitwise operation, not a subtraction. The result is three octal
numbers that specify the access permissions for the file (the numbers you would use
with chmod). A mask that you specify using symbolic values specifies the permissions
that are allowed.
Most utilities and applications do not attempt to create files with execute permissions,
regardless of the value of mask; they assume you do not want an executable
file. As a result, when a utility or application (such as touch) creates a file, the system
clears the bits of mask from 666 rather than from 777. An exception is mkdir, which
assumes you want the execute (access in the case of a directory) bit set.
The following commands set the file-creation mask and display the mask and its
effect when you create a file and a directory. The mask of 022, when subtracted
from 666 or 777, gives permissions of 644 (rw-r--r--) for a file and 755
(rwxr-xr-x) for a directory.

$ umask 022
$ umask
0022
$ touch afile
$ mkdir adirectory
$ ls -ld afile adirectory
drwxr-xr-x 2 sam sam 4096 2010-05-02 23:57 adirectory
-rw-r--r-- 1 sam sam    0 2010-05-02 23:57 afile
The next example sets the same mask using symbolic values. The -S option displays
the mask symbolically:
$ umask u=rwx,g=rx,o=rx
$ umask
0022
$ umask -S
u=rwx,g=rx,o=rx
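To make the difference between bit clearing and digit subtraction concrete, here is an added shell example that is not from the book. It computes the permissions a new file or directory receives under a given mask, shows where the digit-subtraction shortcut fails (mask 033), and checks the arithmetic against what the kernel actually assigns by creating an object in a scratch directory. The private-files mask 077 that security-conscious users set in their shell startup files is included in the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): what a umask actually does to new files.
# The kernel computes  mode & ~mask;  "subtract each digit" only agrees with
# that when every bit of a mask digit is present in the base-mode digit.

# effective_mode BASE MASK: the permission bits a new object gets, in octal.
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# subtract_rule BASE MASK: the digit-by-digit subtraction shortcut (clamped
# at 0), kept only to show where it diverges from effective_mode.
subtract_rule() {
    b=$1; m=$2; out=""
    while [ -n "$b" ]; do
        bd=$(printf '%s' "$b" | cut -c1); md=$(printf '%s' "$m" | cut -c1)
        b=${b#?}; m=${m#?}
        d=$((bd - md)); [ "$d" -lt 0 ] && d=0
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# rwx_to_octal "rwxr-xr-x": convert an ls -l permission string to octal.
rwx_to_octal() {
    s=$1; out=""
    for i in 1 4 7; do
        t=$(printf '%s' "$s" | cut -c"$i-$((i + 2))")
        v=0
        case $t in r??) v=$((v + 4)) ;; esac
        case $t in ?w?) v=$((v + 2)) ;; esac
        case $t in ??[xst]) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# observed_mode MASK file|dir: create an object under MASK in a scratch
# directory and report the permission bits the kernel assigned.
observed_mode() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$dir/x"; else : > "$dir/x"; fi
    )
    perms=$(ls -ld "$dir/x" | cut -c2-10)
    rm -rf "$dir"
    rwx_to_octal "$perms"
}

for mask in 022 077 033; do
    printf 'umask %s: file %s (subtraction says %s), kernel gives %s; dir %s\n' \
        "$mask" "$(effective_mode 666 "$mask")" "$(subtract_rule 666 "$mask")" \
        "$(observed_mode "$mask" file)" "$(effective_mode 777 "$mask")"
done
```

With mask 033 the shortcut predicts 633 for a file, but the kernel clears the write and execute bits from 666 and produces 644, which is what observed_mode reports.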
uname Displays information about the system. Without arguments, this utility displays the
name of the operating system (Linux). With the -a (all) option, it displays the operating
system name, hostname, version number and release date of the operating
system, and type of hardware you are using:
$ uname -a
Linux lynxl 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686 GNU/Linux

SETTING UP A SERVER
This section discusses issues you may need to address when setting up a server: how
to write configuration files; how to specify hosts and subnets; how to use portmap,
rpcinfo, and TCP wrappers (hosts.allow and hosts.deny); and how to set up a chroot
jail. Chapters 14 and 18-26 cover setting up specific servers; Chapter 17 discusses
setting up a LAN.

STANDARD RULES IN CONFIGURATION FILES
Most configuration files, which are typically named *.conf, rely on the following
conventions:
• Blank lines are ignored.
• A # anywhere on a line starts a comment that continues to the end of the
line. Comments are ignored.
• When a name contains a SPACE, you must quote the SPACE by preceding it
with a backslash (\) or by enclosing the entire name within single or double
quotation marks.
• To make long lines easier to read and edit, you can break them into several
shorter lines. To break a line, insert a backslash (\) immediately followed
by a NEWLINE (press RETURN in a text editor). When you insert the NEWLINE before
or after a SPACE, you can indent the following line to make it easier to read.
Do not break lines in this manner while editing on a Windows machine, as
the NEWLINEs may not be properly escaped (Windows uses a RETURN-LINEFEED
combination to end lines).
Configuration files that do not follow these conventions are noted in the text.

SPECIFYING CLIENTS
Table 11-2 shows some common ways to specify a host or a subnet. Most of the
time you can specify multiple hosts or subnets by separating their specifications
with SPACES.

Table 11-2   Specifying a client

Client name pattern          Matches
n.n.n.n                      One IP address.
name                         One hostname, either local or remote.
Name that starts with .      Matches a hostname that ends with the specified string. For
                             example, .example.com matches the systems named
                             kudos.example.com and speedy.example.com, among others.
IP address that ends with .  Matches a host address that starts with the specified numbers.
                             For example, 192.168.0. matches 192.168.0.0-192.168.0.255.
                             If you omit the trailing period, this format does not work.
n.n.n.n/m.m.m.m or
n.n.n.n/mm                   An IP address and subnet mask specifying a subnet.
Starts with /                An absolute pathname of a file containing one or more names
                             or addresses as specified in this table.

Wildcard                     Matches
* and ?                      Matches exactly one character (?) or any number of
                             characters (*) in a simple hostname or IP address. These
                             wildcards do not match periods in a domain name.
ALL                          Always matches.
LOCAL                        Matches any hostname that does not contain a period.

Operator
EXCEPT                       Matches anything in the preceding list that is not in the
                             following list. For example, a b c d EXCEPT c matches a, b,
                             and d. Thus you could use 192.168. EXCEPT 192.168.0.1 to
                             match all IP addresses that start with 192.168. except
                             192.168.0.1.

CHAPTER 11 SYSTEM ADMINISTRATION: CORE CONCEPTS

Examples Each of the following examples specifies one or more systems:
10.10.          Matches all systems with IP addresses that start with 10.10.
.ubuntu.com     Matches all named hosts on the Ubuntu network
localhost       Matches the local system
127.0.0.1       The loopback address; always resolves to localhost
192.168.*.1     Could match all routers on a network of /24 subnets (discussed
                in the next section)

SPECIFYING A SUBNET
When you set up a server, you frequently need to specify which clients are allowed
to connect to it. Sometimes it is convenient to specify a range of IP addresses, called
a subnet. The discussion on page 385 explains what a subnet is and how to use a
subnet mask to specify a subnet. Usually you can specify a subnet as
n.n.n.n/m.m.m.m
or
n.n.n.n/maskbits
where n.n.n.n is the base IP address and the subnet is represented by m.m.m.m (the
subnet mask) or maskbits (the number of bits used for the subnet mask). For example,
192.168.0.1/255.255.255.0 represents the same subnet as 192.168.0.1/24. In
binary, decimal 255.255.255.0 is represented by 24 ones followed by 8 zeros. The
/24 is shorthand for a subnet mask with 24 ones. Each line in Table 11-3 presents
two notations for the same subnet, followed by the range of IP addresses that the
subnet includes.
Table 11-3   Different ways to represent a subnet

Bits                Mask                        Range
10.0.0.0/8          10.0.0.0/255.0.0.0          10.0.0.0-10.255.255.255
172.16.0.0/12       172.16.0.0/255.240.0.0      172.16.0.0-172.31.255.255
192.168.0.0/16      192.168.0.0/255.255.0.0     192.168.0.0-192.168.255.255

rpcinfo: DISPLAYS INFORMATION ABOUT portmap
The rpcinfo utility displays information about programs registered with portmap
and makes RPC calls to programs to see if they are alive. For more information on
portmap, refer to "RPC Network Services" on page 406. The rpcinfo utility takes
the following options and arguments:
rpcinfo -p [host]
rpcinfo [-n port] -u | -t host program [version]
rpcinfo -b | -d program version
-b (broadcast) Makes an RPC broadcast to version of program and lists those hosts
that respond.
-d (delete) Removes local RPC registration for version of program. Available to a user
running with root privileges only.
-n (port number) With -t or -u, uses the port numbered port instead of the port number
specified by portmap.
-p (probe) Lists all RPC programs registered with portmap on host or on the local
system when you do not specify host.
-t (TCP) Makes a TCP RPC call to version (if specified) of program on host and
reports whether it receives a response.
-u (UDP) Makes a UDP RPC call to version (if specified) of program on host and
reports whether it receives a response.

For example, the following command displays the RPC programs registered with
the portmap daemon on the system named plum:
$ rpcinfo -p plum
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
Use the -u option to display a list of versions of a daemon, such as nfs, registered on
a remote system (plum):
$ rpcinfo -u plum nfs
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting
program 100003 version 4 ready and waiting
Specify localhost to display a list of versions of a daemon registered on the local
system:
$ rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
Locking down portmap Because the portmap daemon holds information about which servers are running on
the local system and which port each server is running on, only trusted systems
should have access to this information. One way to ensure only selected systems have
access to portmap is to lock it down in the /etc/hosts.allow and /etc/hosts.deny files
(page 465). Put the following line in hosts.deny to prevent all systems from using
portmap on the local (server) system:
portmap: ALL


You can test this setup from a remote system by giving the following command:
$ rpcinfo -p hostname
No remote programs registered.
Replace hostname with the name of the remote system that you changed the hosts.deny
file on. The change is immediate; you do not need to kill or restart a daemon.
Next add the following line to the hosts.allow file on the server system:
portmap: host-IP
where host-IP is the IP address of the trusted, remote system that you gave the preceding
rpcinfo command from. Use only IP addresses with portmap in hosts.allow; do not use
system names that portmap could get stuck trying to resolve. If you give the same
command, rpcinfo should display a list of the servers that RPC knows about, including
portmap. See page 747 for more examples.

Set the clocks
tip The portmap daemon relies on the client's and the server's clocks being synchronized. A simple
DoS attack (page 1146) can be initiated by setting the server's clock to the wrong time.

THE inetd AND xinetd SUPERSERVERS
The inetd (Internet daemon) daemon and its replacement xinetd (extended Internet
daemon; xinetd.org) are called superservers or service dispatchers because they start
other daemons, such as smbd (Samba) and vsftpd (FTP), as necessary. These superservers
listen for network connections. When one is made, they identify a server daemon
based on the port the connection comes in on, set the daemon's standard input and
standard output file descriptors to the socket (page 503), and start the daemon.
Using these superservers offers two advantages over having several servers constantly
running daemons that monitor ports. First, the superservers avoid the need
for daemons to run when not in use. Second, they allow developers to write servers
that read from standard input and write to standard output; they handle all socket
communication.
The inetd superserver, which originally shipped with 4.3BSD, was not particularly
insecure. However, it typically opened a lot of ports and ran many servers, increasing
the possibility that exploitable software would be exposed to the Internet. Its
successor, xinetd, introduced access control and logging. This daemon allowed an
administrator to limit the hours a service was available and the origin and number
of incoming connections. When compiled with libwrap, xinetd can take advantage
of TCP wrappers (discussed in the next section).
At a time when CPU power was more limited than it is today and RAM was more
expensive, these superservers offered the advantage of efficient memory and CPU
usage. Systems have slowly moved away from using these superservers over the past
few years. Today a system can easily spare the few megabytes of memory and the
minimal CPU time it takes to keep a daemon running to monitor a port: It takes
fewer resources to keep a process in RAM (or swap space) than it does to restart it
periodically. Also, a developer can now handle socket communications more easily
using various toolkits.

SECURING A SERVER
Two ways you can secure a server are by using T C P wrappers and by setting up a
chroot jail. This section describes both techniques.

TCP WRAPPERS: SECURE A SERVER (hosts.allow AND hosts.deny)
Follow these guidelines when you open a local system to access from remote systems:
• Open the local system only to systems you want to allow to access it.
• Allow each remote system to access only the data you want it to access.
• Allow each remote system to access data only in the appropriate manner
(readonly, read/write, write only).
libwrap As part of the client/server model, TCP wrappers, which can be used for any daemon
that is linked against libwrap, rely on the /etc/hosts.allow and /etc/hosts.deny
files as the basis of a simple access control language (ACL). This access control language
defines rules that selectively allow clients to access server daemons on a local
system based on the client's address and the daemon the client tries to access. The
output of ldd shows that one of the shared library dependencies of sshd is libwrap:
$ ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7ec7000)

hosts.allow and hosts.deny Each line in the hosts.allow and hosts.deny files has the following format:
daemon_list: client_list [: command]
where daemon_list is a comma-separated list of one or more server daemons (such
as portmap, vsftpd, and sshd), client_list is a list of one or more clients separated by
commas or SPACES (see Table 11-2 on page 461), and the optional command is the
command that is executed when a client from client_list tries to access a server daemon
from daemon_list.
When a client requests a connection to a server, the hosts.allow and hosts.deny files
on the server system are consulted in the following order until a match is found:
1. If the daemon/client pair matches a line in hosts.allow, access is granted.
2. If the daemon/client pair matches a line in hosts.deny, access is denied.
3. If there is no match in the hosts.allow or hosts.deny file, access is granted.
The first match determines whether the client is allowed to access the server. When
either hosts.allow or hosts.deny does not exist, it is as though that file was empty.


Although it is not recommended, you can allow access to all daemons for all clients
by removing both files.
Examples For a more secure system, put the following line in hosts.deny to block all access:
$ cat /etc/hosts.deny
ALL : ALL : echo '%c tried to connect to %d and was blocked' >> /var/log/tcpwrappers.log
This line prevents any client from connecting to any service, unless specifically permitted
to do so in hosts.allow. When this rule is matched, it adds a line to the file
named /var/log/tcpwrappers.log. The %c expands to client information and the
%d expands to the name of the daemon the client attempted to connect to.
With the preceding hosts.deny file in place, you can include lines in hosts.allow that
explicitly allow access to certain services and systems. For example, the following
hosts.allow file allows anyone to connect to the OpenSSH daemon (ssh, scp, sftp)
but allows telnet connections only from the same network as the local system and
users on the 192.168. subnet (the daemon name to match is the one the telnet server
runs under, in.telnetd):
$ cat /etc/hosts.allow
sshd: ALL
in.telnetd: LOCAL
in.telnetd: 192.168.* 127.0.0.1
The first line allows connection from any system (ALL) to sshd. The second line
allows connection from any system whose hostname contains no period (LOCAL), that
is, a system in the same domain as the server. The third line matches any system whose
IP address starts with 192.168. as well as the local system.
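The decision procedure above, the client patterns of Table 11-2, the configuration-file conventions (comments, blank lines, backslash continuation) and the portmap lock-down from the rpcinfo section can all be exercised with the following shell evaluator. It is an added example, not code from the book or from the tcp_wrappers package, and it models the rules as the text states them rather than replacing tcpd: wildcards (* and ?) are not implemented and the optional : command field is dropped instead of run. The rule sets it evaluates are constructed for this example (the book's hosts.allow lines, using the 192.168. prefix form and the in.telnetd name, plus a portmap line and the catch-all hosts.deny). Its main purpose is to make step 3 visible: a client that matches neither file is granted access, so hosts.allow without an ALL: ALL line in hosts.deny protects nothing.

```shell
#!/bin/sh
# Added example (not from the book or the tcp_wrappers package): a model of
# the hosts.allow / hosts.deny decision procedure as the text describes it.
# Handles comments, blank lines, "\"-continued lines, the client patterns
# ALL, LOCAL, .domain, n.n.n., n.n.n.n/bits, n.n.n.n/m.m.m.m, exact
# address or name, and EXCEPT. Wildcards (* ?) are not implemented and the
# optional ": command" field is dropped rather than run.

normalize_conf() {   # stdin -> stdout: join continued lines, strip comments and blanks
    sed -e :a -e '/\\$/N; s/\\\n//; ta' -e 's/#.*//' | grep -v '^[[:space:]]*$'
}

ip2int() {           # dotted quad -> integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {        # IP  n.n.n.n/bits | n.n.n.n/m.m.m.m
    net=${2%/*}; m=${2#*/}
    case $m in
        *.*) mask=$(ip2int "$m") ;;
        *)   mask=$(( (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF )) ;;
    esac
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

match_one() {        # PATTERN IP HOSTNAME  (hostname may be empty if unresolved)
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $3 in ""|*.*) return 1 ;; *) return 0 ;; esac ;;
        */*)   in_subnet "$2" "$1" ;;
        .*)    case $3 in *"$1") return 0 ;; *) return 1 ;; esac ;;
        *.)    case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$1" = "$2" ] || [ "$1" = "$3" ] ;;
    esac
}

match_list() {       # "CLIENT_LIST" IP HOSTNAME;  "a EXCEPT b" = in a and not in b
    case $1 in
        *" EXCEPT "*)
            match_list "${1%% EXCEPT *}" "$2" "$3" && ! match_list "${1#* EXCEPT }" "$2" "$3"
            return ;;
    esac
    for p in $1; do match_one "$p" "$2" "$3" && return 0; done
    return 1
}

daemon_in_list() {   # DAEMON "d1,d2,..."
    want=$1; oldifs=$IFS; IFS=,; set -- $2; IFS=$oldifs
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr -d ' ')
        [ "$d" = ALL ] || [ "$d" = "$want" ] && return 0
    done
    return 1
}

file_matches() {     # "RULE_TEXT" DAEMON IP HOSTNAME: true if some line matches
    printf '%s\n' "$1" | normalize_conf | {
        while IFS= read -r line; do
            case $line in *:*) ;; *) continue ;; esac
            dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}
            daemon_in_list "$2" "$dlist" || continue
            match_list "$clist" "$3" "$4" && exit 0
        done
        exit 1
    }
}

tcpw_decide() {      # DAEMON IP HOSTNAME "ALLOW_TEXT" "DENY_TEXT" -> grant | deny
    if   file_matches "$4" "$1" "$2" "$3"; then echo grant
    elif file_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo grant    # step 3: no match in either file means access is granted
    fi
}

# Constructed rule sets for the demonstration.
ALLOW_RULES='# /etc/hosts.allow (constructed)
sshd: ALL
in.telnetd: LOCAL
in.telnetd: 192.168. \
            127.0.0.1
portmap: 10.0.0.5'
DENY_RULES='ALL: ALL : echo "%c tried to connect to %d" >> /var/log/tcpwrappers.log'

show() {             # DAEMON IP HOSTNAME: decision with the deny-all file and with none
    printf '%-11s %-14s %-18s %-6s %s\n' "$1" "$2" "${3:-(unresolved)}" \
        "$(tcpw_decide "$1" "$2" "$3" "$ALLOW_RULES" "$DENY_RULES")" \
        "$(tcpw_decide "$1" "$2" "$3" "$ALLOW_RULES" "")"
}
printf '%-11s %-14s %-18s %-6s %s\n' daemon client hostname strict no-deny
show sshd       203.0.113.7 ""
show in.telnetd 203.0.113.7 host7.example.org
show in.telnetd 192.168.4.9 ""
show in.telnetd 10.1.1.1    laptop
show portmap    10.0.0.9    ""
```

The no-deny column is the point: without the ALL: ALL line, the telnet request from 203.0.113.7 and the portmap probe from 10.0.0.9 both succeed even though no hosts.allow line names them.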

SETTING UP A chroot JAIL
On early UNIX systems, the root directory was a fixed point in the filesystem. On
modern UNIX variants, including Linux, you can define the root directory on a per-process
basis. The chroot utility allows you to run a process with a root directory other than /.
The root directory appears at the top of the directory hierarchy and has no parent.
Thus a process cannot access files above the root directory because none exists. If,
for example, you run a program (process) and specify its root directory as
/tmp/jail, the program would have no concept of any files in /tmp or above: jail is
the program's root directory and is labeled / (not jail).
By creating an artificial root directory, frequently called a (chroot) jail, you prevent
a program from accessing, executing, or modifying (possibly maliciously) files
outside the directory hierarchy starting at its root. You must set up a chroot jail
properly to increase security: If you do not set up the chroot jail correctly, you can
make it easier for a malicious user to gain access to a system than if there were no
chroot jail.

USING chroot
Creating a chroot jail is simple: Working with root privileges, give the command
/usr/sbin/chroot directory. The directory becomes the root directory and the process
attempts to run the default shell. The following command sets up a chroot jail in
the (existing) /tmp/jail directory:
$ sudo /usr/sbin/chroot /tmp/jail
/usr/sbin/chroot: cannot run command '/bin/bash': No such file or directory
This example sets up a chroot jail, but when the system attempts to run the bash shell,
the operation fails. Once the jail is set up, the directory that was named jail takes on
the name of the root directory, /. As a consequence, chroot cannot find the file identified
by the pathname /bin/bash. In this situation the chroot jail works correctly but is
not useful.
Getting a chroot jail to work the way you want is more complicated. To have the
preceding example run bash in a chroot jail, create a bin directory in jail
(/tmp/jail/bin) and copy /bin/bash to this directory. Because the bash binary is
dynamically linked to shared libraries, you need to copy these libraries into jail as
well. The libraries go in lib.
The next example creates the necessary directories, copies bash, uses ldd to display
the shared library dependencies of bash, and copies the necessary libraries to lib.
The linux-gate.so.1 file is a dynamically shared object (DSO) provided by the kernel
to speed system calls; you do not need to copy it.
$ pwd
/tmp/jail
$ mkdir bin lib
$ cp /bin/bash bin
$ ldd bin/bash
        linux-gate.so.1 =>  (0x0032c000)
        libncurses.so.5 => /lib/libncurses.so.5 (0x00d4d000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x0091d000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00110000)
        /lib/ld-linux.so.2 (0x0026a000)
$ cp /lib/{libncurses.so.5,ld-linux.so.2} lib
$ cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib
Now start the chroot jail again. Although all the setup can be done by an ordinary
user, you must be working with root privileges to run chroot:
$ sudo /usr/sbin/chroot /tmp/jail
bash-4.1# pwd
/
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
$
This time chroot finds and starts bash, which displays its default prompt (bash-4.1#).
The pwd command works because it is a shell builtin (page 261). However, bash cannot
find the ls utility because it is not in the chroot jail. You can copy /bin/ls and its
libraries into the jail if you want users in the jail to be able to use ls. An exit command
allows you to escape from the jail.
If you provide chroot with a second argument, it takes that argument as the name
of the program to run inside the jail. The following command is equivalent to the
preceding one:
$ sudo /usr/sbin/chroot /tmp/jail /bin/bash
To set up a useful chroot jail, first determine which utilities the users of the chroot jail
need. Then copy the appropriate binaries and their libraries into the jail. Alternatively,
you can build static copies of the binaries and put them in the jail without
installing separate libraries. (The statically linked binaries are considerably larger
than their dynamic counterparts. The size of the base system with bash and the core
utilities exceeds 50 megabytes.) You can find the source code for most common utilities
in the bash and coreutils source packages.
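Copying each binary and then each library that ldd lists is tedious and error-prone by hand, and the flattened layout shown above (everything in lib) works only because on that i386 system the dynamic loader recorded in the binaries, /lib/ld-linux.so.2, already lives in /lib. The following shell function is an added example, not the book's code: it copies the binary, asks ldd for its dependencies, skips the kernel-provided vDSO entry (linux-gate.so.1 or linux-vdso.so.1, which has no path) and mirrors every library at its original absolute path under the jail, so the loader finds both itself and the libraries without further configuration. It assumes ldd and cp -L are available. One caveat the ldd man page itself gives and that matters here: ldd may execute the program's dynamic loader, so never run it, or this function, on a binary you do not trust.

```shell
#!/bin/sh
# Added example (not from the book): populate a chroot jail with programs
# and the shared libraries they need, mirroring each file's absolute path
# under the jail directory. Requires ldd; run only on trusted binaries.

# copy_into_jail JAILDIR /abs/path: copy one file, following symlinks.
# Returns 1 (without copying) if the file is already in the jail.
copy_into_jail() {
    dest=$1$2
    [ -e "$dest" ] && return 1
    mkdir -p "$(dirname "$dest")" && cp -L "$2" "$dest"
}

# shared_libs /abs/prog: print the absolute paths ldd reports. Lines look like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
#   linux-vdso.so.1 (0x...)            <- no path: kernel vDSO, skipped
# A statically linked program makes ldd fail; nothing is printed.
shared_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# populate_jail JAILDIR /abs/prog...: copy each program and its libraries.
# Prints the number of files copied. Programs must be given by absolute path,
# because that path is also where they appear inside the jail. Paths
# containing spaces are not supported.
populate_jail() {
    jail=$1; shift
    count=0
    for prog in "$@"; do
        case $prog in /*) ;; *) echo "populate_jail: $prog: need an absolute path" >&2; return 1 ;; esac
        [ -f "$prog" ] || { echo "populate_jail: $prog: no such file" >&2; return 1; }
        copy_into_jail "$jail" "$prog" && count=$((count + 1))
        for lib in $(shared_libs "$prog"); do
            copy_into_jail "$jail" "$lib" && count=$((count + 1))
        done
    done
    echo "$count"
}

# Demonstration in a scratch directory: stage /bin/sh and /bin/ls, then list
# what was copied. Entering the jail still needs root (sudo chroot "$jail" /bin/sh),
# and the shell that starts there is a root shell until privileges are dropped.
jail=$(mktemp -d)
echo "copied $(populate_jail "$jail" /bin/sh /bin/ls) files into $jail"
find "$jail" -type f | sort
rm -rf "$jail"
```

Staging a file does not make it safe to run as root inside the jail; the privilege problem the next paragraphs discuss remains exactly as stated there.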
T h e c h r o o t utility fails unless you run it with root privileges—the preceding examples used s u d o to gain these privileges. T h e result of running c h r o o t with root privileges is a root shell (a shell with root privileges) running inside a c h r o o t jail. Because
a user with root privileges can break out of a c h r o o t jail, it is imperative that you run
a program in the c h r o o t jail with reduced privileges (i.e., privileges other than those
of root).
There are several ways to reduce the privileges of a user. For example, you can put
su or sudo in the jail and then start a shell or a daemon inside the jail, using one of
these programs to reduce the privileges of the user working in the jail. A command
such as the following starts a shell with reduced privileges inside the jail:
$ sudo /usr/sbin/chroot jailpath /usr/bin/sudo -u user /bin/bash &
where jailpath is the pathname of the jail directory, and user is the username
under whose privileges the shell runs. The problem with this scenario is that sudo
and su, as compiled for Ubuntu, call PAM. To run one of these utilities you need to
put all of PAM, including its libraries and configuration files, in the jail, along with
sudo (or su) and the /etc/passwd file. Alternatively, you can recompile su or sudo.
The source code calls PAM, however, so you would need to modify the source so it
does not call PAM. Either one of these techniques is time-consuming and introduces
complexities that can lead to an insecure jail.
The following C program¹ runs a program with reduced privileges in a chroot jail.
Because this program obtains the UID and GID of the user you specify on the command
line before calling chroot(), you do not need to put /etc/passwd in the jail.

1. Thanks to David Chisnall and the Étoilé Project (etoileos.com) for the uchroot.c program.

SETTING UP A SERVER

469

The program reduces the privileges of the specified program to those of the specified
user. This program is presented as a simple solution to the preceding issues so
you can experiment with a chroot jail and better understand how it works.
$ cat uchroot.c
/* See svn.gna.org/viewcvs/etoile/trunk/Etoile/LiveCD/uchroot.c for terms of use. */
#include <stdio.h>
#include <unistd.h>
#include <pwd.h>

int main(int argc, char * argv[])
{
    if(argc < 4)
    {
        printf("Usage: %s {username} {directory} {program} [arguments]\n", argv[0]);
        return 1;
    }

    /* Parse arguments: look the user up before entering the jail, so the
       jail does not need a copy of /etc/passwd */
    struct passwd * pass = getpwnam(argv[1]);
    if(pass == NULL)
    {
        printf("Unknown user %s\n", argv[1]);
        return 2;
    }

    /* Change into the jail directory first so that the working directory
       is inside the jail once chroot() succeeds */
    if(chdir(argv[2]))
    {
        printf("Cannot change directory to %s\n", argv[2]);
        return 4;
    }

    /* Set the required UID: enter the jail, then drop the group ID and
       finally the user ID (the GID must be changed while still root).
       The supplementary group list is left as it is. */
    if(chroot(argv[2])
        ||
        setgid(pass->pw_gid)
        ||
        setuid(pass->pw_uid))
    {
        printf("%s must be run as root.  Current uid=%d, euid=%d\n",
            argv[0],
            (int)getuid(),
            (int)geteuid()
        );
        return 3;
    }

    /* Replace this process with the requested program, passing argv[3]
       onward as its argument list */
    return execv(argv[3], argv + 3);
}
The first of the following commands compiles uchroot.c, creating an executable file
named uchroot. Subsequent commands move uchroot to /usr/local/bin and give it
appropriate ownership.
$ cc -o uchroot uchroot.c
$ sudo mv uchroot /usr/local/bin
$ sudo chown root:root /usr/local/bin/uchroot
$ ls -l /usr/local/bin/uchroot
-rwxr-xr-x 1 root root 7922 2010-07-17 08:26 /usr/local/bin/uchroot


Using the setup from earlier in this section, give the following command to run a
shell with the privileges of the user sam inside a chroot jail:
$ sudo /usr/local/bin/uchroot sam /tmp/jail /bin/bash

tip: Keeping multiple chroot jails
If you plan to deploy multiple chroot jails, it is a good idea to keep a clean copy of the bin and lib
directories somewhere other than one of the active jails.

RUNNING A SERVICE IN A chroot JAIL
Running a shell inside a jail has limited usefulness. In reality, you are more likely to
want to run a specific service inside the jail. To run a service inside a jail, make sure
all files needed by that service are inside the jail. Using uchroot, the format of a
command to start a service in a chroot jail is
$ sudo /usr/local/bin/uchroot user jailpath daemonname
where jailpath is the pathname of the jail directory, user is the username that runs
the daemon, and daemonname is the pathname (inside the jail) of the daemon that
provides the service.
Some servers are already set up to take advantage of chroot jails. For example, you
can set up DNS so that named runs in a jail (page 847), and the vsftpd FTP server
can automatically start chroot jails for clients (page 703).
SECURITY CONSIDERATIONS
Some services need to be run by a user or process with root privileges but release
their root privileges once started (Apache, Procmail, and vsftpd are examples). If
you are running such a service, you do not need to use uchroot or put su or sudo
inside the jail.
A process run with root privileges can potentially escape from a chroot jail. For
this reason, you should reduce privileges before starting a program running
inside the jail. Also, be careful about which setuid (page 218) binaries you allow
inside a jail—a security hole in one of them could compromise the security of the
jail. In addition, make sure the user cannot access executable files that he
uploads to the jail.

DHCP: CONFIGURES NETWORK INTERFACES
Instead of storing network configuration information in local files on each system,
DHCP (Dynamic Host Configuration Protocol) enables client systems to retrieve
the necessary network configuration information from a DHCP server each time
they connect to the network. A DHCP server assigns IP addresses from a pool of
addresses to clients as needed. Assigned addresses are typically temporary but need
not be.
This technique has several advantages over storing network configuration information
in local files:


• A new user can set up an Internet connection without having to deal with
IP addresses, netmasks, DNS addresses, and other technical details. An
experienced user can set up a connection more quickly.
• DHCP facilitates assignment and management of IP addresses and related
network information by centralizing the process on a server. A system
administrator can configure new systems, including laptops that connect
to the network from different locations, to use DHCP; DHCP then assigns
IP addresses only when each system connects to the network. The pool of
IP addresses is managed as a group on the DHCP server.
• DHCP facilitates the use of IP addresses by more than one system, reducing
the total number of IP addresses needed. This conservation of addresses is
important because the Internet is quickly running out of IPv4 addresses.
Although a particular IP address can be used by only one system at a time,
many end-user systems require addresses only occasionally, when they
connect to the Internet. By reusing IP addresses, DHCP has lengthened the
life of the IPv4 protocol. DHCP applies to IPv4 only, as IPv6 (page 387)
forces systems to configure their IP addresses automatically (called
autoconfiguration) when they connect to a network.
DHCP is particularly useful for an administrator who is responsible for maintaining
a large number of systems because individual systems no longer need to store
unique configuration information. With DHCP, the administrator can set up a
master system and deploy new systems with a copy of the master's hard disk. In
educational establishments and other open-access facilities, the hard disk image
may be stored on a shared drive, with each workstation automatically restoring
itself to pristine condition at the end of each day.

MORE INFORMATION
Web      www.dhcp.org
         DHCP FAQ: www.dhcp-handbook.com/dhcp_faq.html
HOWTO    DHCP Mini HOWTO

HOW DHCP WORKS
Using dhclient, the client contacts the server daemon, dhcpd, to obtain the IP
address, netmask, broadcast address, nameserver address, and other networking
parameters. In turn, the server provides a lease on the IP address to the client. The
client can request the specific terms of the lease, including its duration; the server
can limit these terms. While connected to the network, a client typically requests
extensions of its lease as necessary so its IP address remains the same. This lease
may expire once the client is disconnected from the network, with the server giving
the client a new IP address when it requests a new lease. You can also set up a
DHCP server to provide static IP addresses for specific clients (refer to "Static Versus
Dynamic IP Addresses" on page 382). DHCP is broadcast based, so both client
and server must be on the same subnet (page 385).


When you install Ubuntu, the system runs a DHCP client, connects to a DHCP
server if it can find one, and configures its network interface. You can use firestarter
(page 866) to configure and run a DHCP server.

DHCP CLIENT
A DHCP client requests network configuration parameters from the DHCP server
and uses those parameters to configure its network interface.

PREREQUISITES
Make sure the following package is installed:
• dhcp3-client

dhclient: THE DHCP CLIENT
When a DHCP client system connects to the network, dhclient requests a lease from
the DHCP server and configures the client's network interface(s). Once a DHCP
client has requested and established a lease, it stores the lease information in a file
named dhclient.interface.leases, which resides in the /var/lib/dhcp3 directory. The
interface is the name of the interface that the client uses, such as eth0. The system
uses this information to reestablish a lease when either the server or the client
needs to reboot. You need to change the default DHCP client configuration file,
/etc/dhcp3/dhclient.conf, only for custom configurations.
The following /etc/dhcp3/dhclient.conf file specifies a single interface, eth0:
$ cat /etc/dhcp3/dhclient.conf
interface "eth0"
{
    send dhcp-client-identifier 1:xx:xx:xx:xx:xx:xx;
    send dhcp-lease-time 86400;
}

In the preceding file, the 1 in the dhcp-client-identifier specifies an Ethernet network
and xx:xx:xx:xx:xx:xx is the MAC address (page 1158) of the device controlling
that interface. See page 474 for instructions on how to determine the MAC address
of a device. The dhcp-lease-time is the duration, in seconds, of the lease on the IP
address. While the client is connected to the network, dhclient automatically renews
the lease each time half of the lease time is up. A lease time of 86,400 seconds (or one
day) is a reasonable choice for a workstation.

DHCP SERVER
A DHCP server maintains a list of IP addresses and other configuration parameters.
Clients request network configuration parameters from the server.

PREREQUISITES
Install the following package:
• dhcp3-server


dhcp3-server init script   When you install the dhcp3-server package, the dpkg postinst script attempts to
start the dhcpd3 daemon and fails because dhcpd3 is not configured—see
/var/log/syslog for details. After you configure dhcpd3, call the dhcp3-server init
script to restart the dhcpd3 daemon:
$ sudo service dhcp3-server restart

dhcpd: THE DHCP DAEMON
A simple DHCP server (dhcpd) allows you to add clients to a network without
maintaining a list of assigned IP addresses. A simple network, such as a home-based
LAN sharing an Internet connection, can use DHCP to assign a dynamic IP address
to almost all nodes. The exceptions are servers and routers, which must be at
known network locations if clients are to find them. If servers and routers are
configured without DHCP, you can specify a simple DHCP server configuration in
/etc/dhcp3/dhcpd.conf:
$ cat /etc/dhcp3/dhcpd.conf
default-lease-time 600;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "example.com";

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.2 192.168.1.200;
}
The /etc/default/dhcp3-server file specifies the interfaces that dhcpd serves requests
on. By default, dhcpd uses eth0. To use another interface or to use more than one
interface, set the INTERFACES variable in this file to a SPACE-separated list of the
interfaces you want to use; enclose the list within quotation marks.
The preceding configuration file specifies a LAN where both the router and the
DNS server are located on 192.168.1.1. The default-lease-time specifies the number
of seconds the dynamic IP lease will remain valid if the client does not specify a
duration. The max-lease-time is the maximum time allowed for a lease.
The information in the option lines is sent to each client when it connects. The
names following the word option specify what the following argument represents.
For example, the option broadcast-address line specifies the broadcast address of
the network. The routers and domain-name-servers options can be followed by
multiple values separated by commas.
The subnet section includes a range line that specifies the range of IP addresses the
DHCP server can assign. In the case of multiple subnets, you can define options,
such as subnet-mask, inside the subnet section. Options defined outside all subnet
sections are global and apply to all subnets.


The preceding configuration file assigns addresses in the range from 192.168.1.2 to
192.168.1.200. The DHCP server starts at the bottom of this range and attempts to
assign a new IP address to each new client. Once the DHCP server reaches the top
of the range, it starts reassigning IP addresses that have been used in the past but are
not currently in use. If you have fewer systems than IP addresses, the IP address of
each system should remain fairly constant. Two systems cannot use the same IP
address at the same time.
Once you have configured a DHCP server, restart it using the dhcpd init script
(page 473). When the server is running, clients configured to obtain an IP address
from the server using DHCP should be able to do so.

STATIC IP ADDRESSES
As mentioned earlier, routers and servers typically require static IP addresses.
Although you can manually configure IP addresses for these systems, it may be
more convenient to have the D H C P server provide them with static IP addresses.
When a system that requires a specific static IP address connects to the network and
contacts the DHCP server, the server needs a way to identify the system so it can
assign the proper IP address to that system. The DHCP server uses the MAC
address (page 1158) of the system's Ethernet card (NIC) as an identifier. When you
set up the server, you must know the MAC address of each system that requires a
static IP address.
Determining a MAC address   The ifconfig utility displays the MAC addresses of the Ethernet cards in a system. In
the following example, the MAC addresses are the colon-separated series of hexadecimal
number pairs following HWaddr:
$ ifconfig | grep -i hwaddr
eth0      Link encap:Ethernet  HWaddr BA:DF:00:DF:C0:FF
eth1      Link encap:Ethernet  HWaddr 00:02:BB:41:35:98

Run ifconfig on each system that requires a static IP address. Once you have determined
the MAC addresses of these systems, you can add a host section to the
/etc/dhcp3/dhcpd.conf file for each one, instructing the DHCP server to assign a
specific address to that system. The following host section assigns the address
192.168.1.1 to the system with the MAC address of BA:DF:00:DF:C0:FF:
$ cat /etc/dhcp3/dhcpd.conf
host router {
    hardware ethernet BA:DF:00:DF:C0:FF;
    fixed-address 192.168.1.1;
    option host-name "router";
}

The name following host is used internally by dhcpd. The name specified after
option host-name is passed to the client and can be a hostname or an FQDN. After
making changes to dhcpd.conf, restart dhcpd using the dhcpd init script (page 473).
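As an added example that is not from the book, the following Python checker parses the statement-and-block subset of dhcpd.conf syntax used in this section and reports the mistakes that leave clients without a reachable gateway or hand two systems the same address: a dynamic range outside its subnet, a routers or domain-name-servers value not on the subnet, a host whose fixed-address falls inside the dynamic range, and two host sections sharing a MAC or a fixed address. The sample configuration is constructed from the two listings above.

```python
import ipaddress
import re

# Constructed sample: the global options and subnet block from the first
# dhcpd.conf listing above, plus the host section from the second one.
SAMPLE_CONF = """
default-lease-time 600;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "example.com";

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.2 192.168.1.200;
}

host router {
    hardware ethernet BA:DF:00:DF:C0:FF;
    fixed-address 192.168.1.1;
    option host-name "router";
}
"""

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")


def parse_dhcpd_conf(text):
    """Parse the subset of dhcpd.conf used in the text: 'key args;' statements
    at the top level and inside one level of 'subnet ... {' or 'host ... {'
    blocks.  Returns (global_statements, subnets, hosts); a statement is a
    list of words, a block a dict with 'kind', 'header' and 'statements'."""
    text = re.sub(r"#.*", "", text)                  # drop comments
    global_statements, subnets, hosts = [], [], []
    block = None                                     # block being filled
    for tok in re.findall(r"[^;{}]+[;{]|\}", text):
        tok = tok.strip()
        if tok == "}":
            block = None
            continue
        words, terminator = tok[:-1].split(), tok[-1]
        if not words:
            continue
        if terminator == "{":
            block = {"kind": words[0], "header": words[1:], "statements": []}
            (subnets if words[0] == "subnet" else hosts).append(block)
        elif block is None:
            global_statements.append(words)
        else:
            block["statements"].append(words)
    return global_statements, subnets, hosts


def check_conf(text):
    """Return a list of problems found in the configuration text."""
    global_statements, subnets, hosts = parse_dhcpd_conf(text)
    problems, pools = [], []                         # pools: (first, last)
    for sn in subnets:
        # header is ['192.168.1.0', 'netmask', '255.255.255.0']
        network = ipaddress.ip_network(sn["header"][0] + "/" + sn["header"][2])
        for st in sn["statements"]:
            if st[0] == "range":
                addrs = [ipaddress.ip_address(a) for a in st[1:] if a != "dynamic-bootp"]
                first, last = addrs[0], addrs[-1]
                if first not in network or last not in network or first > last:
                    problems.append(f"range {first}-{last} is not inside {network}")
                pools.append((first, last))
        # Routers and DNS servers handed out must be reachable on that subnet;
        # options outside every subnet block are global and apply here too.
        for st in global_statements + sn["statements"]:
            if st[0] == "option" and st[1] in ("routers", "domain-name-servers"):
                for addr in " ".join(st[2:]).split(","):
                    if ipaddress.ip_address(addr.strip()) not in network:
                        problems.append(f"option {st[1]} {addr.strip()} is outside {network}")
    seen_macs, seen_fixed = {}, {}
    for h in hosts:
        name = h["header"][0]
        for st in h["statements"]:
            if st[0] == "hardware" and st[1] == "ethernet":
                mac = st[2].upper()
                if not MAC_RE.match(mac):
                    problems.append(f"host {name}: malformed MAC {st[2]}")
                elif mac in seen_macs:
                    problems.append(f"host {name}: MAC {mac} already used by host {seen_macs[mac]}")
                seen_macs[mac] = name
            elif st[0] == "fixed-address":
                addr = ipaddress.ip_address(st[1])
                if addr in seen_fixed:
                    problems.append(f"host {name}: {addr} already fixed for host {seen_fixed[addr]}")
                seen_fixed[addr] = name
                for first, last in pools:
                    if first <= addr <= last:
                        problems.append(f"host {name}: fixed-address {addr} lies inside dynamic range {first}-{last}")
    return problems


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```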

nsswitch.conf: WHICH SERVICE TO LOOK AT FIRST

Once NIS and DNS were introduced, finding user and system information was no
longer a simple matter of searching a local file. Where once you looked in
/etc/passwd to get user information and in /etc/hosts to find system address
information, now you can use several methods to obtain this type of information. The
/etc/nsswitch.conf (name service switch configuration) file specifies which methods
to use and the order in which to use them when looking for a certain type of
information. You can also specify which action the system should take based on whether
a method succeeds or fails.
Syntax   Each line in nsswitch.conf specifies how to search for a piece of information, such
as a user's password. A line in nsswitch.conf has the following syntax:
info:   method [[action]] [method [[action]]...]
where info is the type of information the line describes, method is the method used to
find the information, and action is the response to the return status of the preceding
method. The action is enclosed within square brackets.

HOW nsswitch.conf WORKS
When called upon to supply information that nsswitch.conf describes, the system
examines the line with the appropriate info field. It uses the methods specified on
this line, starting with the method on the left. By default, when it finds the desired
information, the system stops searching. Without an action specification, when a
method fails to return a result, the system tries the next method. It is possible for the
search to end without finding the requested information.

INFORMATION
The nsswitch.conf file commonly controls searches for usernames, passwords, host IP
addresses, and group information. The following list describes most of the types of
information (info in the syntax given earlier) that nsswitch.conf controls searches for:
automount    Automount (/etc/auto.master and /etc/auto.misc; page 792)
bootparam    Diskless and other booting options (See the bootparam man page.)
ethers       MAC address (page 1158)
group        Groups of users (/etc/group; page 492)
hosts        System information (/etc/hosts; page 493)
networks     Network information (/etc/networks)
passwd       User information (/etc/passwd; page 494)
protocols    Protocol information (/etc/protocols; page 495)
publickey    Used for NFS running in secure mode
rpc          RPC names and numbers (/etc/rpc; page 496)
services     Services information (/etc/services; page 497)
shadow       Shadow password information (/etc/shadow; page 497)


METHODS
Following is a list of the methods (method in the syntax shown on the previous page)
that nsswitch.conf can use to search for information. For each type of information,
you can specify one or more of the following methods:²
files     Searches local files such as /etc/passwd and /etc/hosts
nis       Searches the NIS database; yp is an alias for nis
dns       Queries the DNS (hosts queries only)
compat    ± syntax in passwd, group, and shadow files (page 477)

SEARCH ORDER
The information provided by two or more methods may overlap: For example, both
files and nis may provide password information for the same user. With overlapping
information, you need to consider which method you want to be authoritative (take
precedence) and then place that method at the left of the list of methods.
The default nsswitch.conf file lists methods without actions, assuming no overlap
(which is normal). In this case, the order is not critical: When one method fails, the
system goes to the next one and all that is lost is a little time. Order becomes critical
when you use actions between methods or when overlapping entries differ.
The first of the following lines from nsswitch.conf causes the system to search for
password information in /etc/passwd and, if that fails, to use NIS to find the
information. If the user you are looking for is listed in both places, the information in
the local file is used and is considered authoritative. The second line uses NIS to find an
IP address given a hostname; if that fails, it searches /etc/hosts; if that fails, it checks
with DNS to find the information.
passwd:   files nis
hosts:    nis files dns

ACTION ITEMS
Each method can optionally be followed by an action item that specifies what to do
if the method succeeds or fails. An action item has the following format:
[[!] STATUS=action]
where the opening and closing square brackets are part of the format and do not
indicate that the contents are optional; STATUS (uppercase by convention) is the
status being tested for; and action is the action to be taken if STATUS matches the
status returned by the preceding method. The leading exclamation point (!) is
optional and negates the status.

2. Other, less commonly used methods also exist. See the default /etc/nsswitch.conf file and the
nsswitch.conf man page for more information. Although NIS+ belongs in this list, it is not implemented as
a Linux server and is not discussed in this book.

STATUS   STATUS may have any of the following values:

NOTFOUND—The method worked but the value being searched for was not found.
The default action is continue.
SUCCESS—The method worked and the value being searched for was found; no
error was returned. The default action is return.
TRYAGAIN—The method failed because it was temporarily unavailable. For
example, a file may be locked or a server overloaded. The default action is continue.
UNAVAIL—The method failed because it is permanently unavailable. For example,
the required file may not be accessible or the required server may be down. The
default action is continue.
action   There are two possible values for action:
return—Returns to the calling routine with or without a value.
continue—Continues with the next method. Any returned value is overwritten by a
value found by a subsequent method.
Example   The following line from nsswitch.conf causes the system first to use DNS to search
for the IP address of a given host. The action item following the DNS method tests
whether the status returned by the method is not (!) UNAVAIL.
hosts:   dns [!UNAVAIL=return] files
The system takes the action associated with the STATUS (return) if the DNS
method does not return UNAVAIL (!UNAVAIL)—that is, if DNS returns SUCCESS,
NOTFOUND, or TRYAGAIN. As a consequence, the following method (files) is
used only when the DNS server is unavailable. If the DNS server is not unavailable
(read the two negatives as "is available"), the search returns the domain name or
reports that the domain name was not found. The search uses the files method
(checks the local /etc/hosts file) only if the server is not available.
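To make the lookup rules concrete, here is an added Python model (not from the book) of how a line such as hosts: dns [!UNAVAIL=return] files is processed: it parses the line, applies each method's default action unless an action item overrides it, and reports which methods were consulted. Each method's outcome is supplied as data, since a real lookup would need NIS or DNS; the parser also accepts several STATUS=action pairs inside one pair of brackets, as glibc does.

```python
import re

# Default action for each status a method can return (see the list above)
DEFAULT_ACTION = {"SUCCESS": "return", "NOTFOUND": "continue",
                  "TRYAGAIN": "continue", "UNAVAIL": "continue"}


def parse_line(line):
    """Parse one nsswitch.conf line, 'info: method [[!]STATUS=action] ...'.
    Returns (info, [(method, {STATUS: action, ...}), ...])."""
    info, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in " + repr(line))
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            entries.append((tok, {}))
            continue
        if not entries:
            raise ValueError("action item before any method: " + tok)
        for item in tok[1:-1].split():
            negate = item.startswith("!")
            status, _, action = item.lstrip("!").partition("=")
            status, action = status.upper(), action.lower()
            if status not in DEFAULT_ACTION or action not in ("return", "continue"):
                raise ValueError("bad action item " + item)
            # [!STATUS=action] applies to every status except STATUS, which
            # keeps its default action
            targets = set(DEFAULT_ACTION) - {status} if negate else {status}
            for s in targets:
                entries[-1][1][s] = action
    return info.strip(), entries


def lookup(line, outcomes):
    """Walk the methods of one nsswitch.conf line from left to right.
    outcomes maps each method name to the (STATUS, value) it would return.
    Returns (final_status, value, methods_consulted)."""
    _, entries = parse_line(line)
    status, value, consulted = "NOTFOUND", None, []
    for method, actions in entries:
        status, value = outcomes[method]      # continue lets this be overwritten
        consulted.append(method)
        if actions.get(status, DEFAULT_ACTION[status]) == "return":
            break
    return status, value, consulted


# Constructed outcomes: DNS reachable but without a record, and DNS down.
DNS_UP_NO_RECORD = {"dns": ("NOTFOUND", None), "files": ("SUCCESS", "192.168.1.1")}
DNS_DOWN = {"dns": ("UNAVAIL", None), "files": ("SUCCESS", "192.168.1.1")}

if __name__ == "__main__":
    for line in ("hosts: dns [!UNAVAIL=return] files", "hosts: dns files"):
        for name, outcomes in (("DNS up", DNS_UP_NO_RECORD), ("DNS down", DNS_DOWN)):
            print(line, "|", name, "->", lookup(line, outcomes))
```

With the action item, a name missing from DNS is reported as not found without ever consulting /etc/hosts; without it, the local file is consulted whenever DNS has no answer.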

compat METHOD: ± IN passwd, group, AND shadow FILES
You can put special codes in the /etc/passwd, /etc/group, and /etc/shadow files that
cause the system, when you specify the compat method in nsswitch.conf, to combine
and modify entries in the local files and the NIS maps. That is, a plus sign (+) at
the beginning of a line in one of these files adds NIS information; a minus sign (-)
removes information.
For example, to use these codes in the passwd file, specify passwd: compat in the
nsswitch.conf file. The system then goes through the passwd file in order, adding or
removing the appropriate NIS entries when it reaches each line that starts with a + or -.
Although you can put a plus sign at the end of the passwd file, specify passwd: compat
in nsswitch.conf to search the local passwd file, and then go through the NIS map,
it is more efficient to put passwd: files nis in nsswitch.conf and not modify the
passwd file.


PAM
PAM (Linux-PAM, or Linux Pluggable Authentication Modules) allows a system
administrator to determine how applications use authentication (page 1136) to verify
the identity of a user. PAM provides shared libraries of modules (located in
/lib/security) that, when called by an application, authenticate a user. The configuration
files kept in the /etc/pam.d directory determine the method of authentication
and contain a list (i.e., stack) of calls to the modules. PAM may also use other files,
such as /etc/passwd, when necessary. The term "Pluggable" in PAM's name refers
to the ease with which you can add and remove modules from an authentication
stack.
Instead of building the authentication code into each application, PAM provides
shared libraries that keep the authentication code separate from the application
code. The techniques of authenticating users stay the same from application to
application. In this way PAM enables a system administrator to change the
authentication mechanism for a given application without modifying the application.
PAM provides authentication for a variety of system-entry services (such as login,
ftp, su, and sudo). You can take advantage of its ability to stack authentication
modules to integrate system-entry services with different authentication mechanisms,
such as RSA, DCE, Kerberos, and smartcards.
From login through using sudo to shutting the system down, whenever you are
asked for a password (or not asked for a password because the system trusts you
are who you say you are), PAM makes it possible for the system administrator to
configure the authentication process. It also makes the configuration process
essentially the same for all applications that use PAM for authentication.
The configuration files stored in /etc/pam.d describe the authentication procedure
for each application. These files usually have names that are the same as or similar
to the names of the applications that they authenticate for. For example, authentication
for the login utility is configured in /etc/pam.d/login. The name of the file is the
name of the PAM service³ that the file configures. Occasionally one file may serve
two programs. PAM accepts only lowercase letters in the names of files in the
/etc/pam.d directory.
PAM warns you about errors it encounters, logging them to /var/log/messages or
/var/log/secure. Review these files if you are trying to figure out why a changed
PAM file is not working properly. To prevent a malicious user from seeing information
about PAM, PAM sends error messages to a file rather than to the screen.

3. There is no relationship between PAM services and the /etc/services file. The name of the PAM service
is an arbitrary string that each application gives to PAM; PAM then looks up the configuration file with
that name and uses it to control authentication. There is no central registry of PAM service names.

caution: Do not lock yourself out of the system
Editing PAM configuration files correctly requires paying careful attention. It is easy to lock yourself
out of the system with a single mistake. To avoid this problem, keep backup copies of the PAM
configuration files you edit, test every change thoroughly, and make sure you can still log in once
the change is installed. Keep a root shell open (use sudo -i) until you have finished testing. If a
change fails and you cannot log in, use the root shell to replace the newly edited files with the
backup copies.

MORE INFORMATION
Local    /usr/share/doc/libpam*
         pam man page
         Give the command apropos pam to list PAM man pages.
Web      Linux-PAM System Administrators' Guide:
         www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
HOWTO    User Authentication HOWTO

CONFIGURATION FILES, MODULE TYPES, AND CONTROL FLAGS
Following is an example of a PAM configuration file. Comment lines, which have
been omitted, begin with a hashmark (#).
Login module
$ grep '^[^#]' /etc/pam.d/login
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth       optional   pam_group.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
@include common-account
@include common-session
@include common-password
Each line tells PAM to do something as part of the authentication process. The first
word on each line is a module type indicator: account, auth, password, or session
(Table 11-4, next page). The second is a control flag (Table 11-5, next page) that
indicates the action PAM should take if authentication fails. The rest of the line
contains the name of a PAM module (located in /lib/security) and any arguments for
that module. The PAM library itself uses the /etc/pam.d files to determine which
modules to delegate work to. Lines that begin with @include include the named file.


Table 11-4   Module type indicators

Module type   Description             Controls
account       Account management      Determining whether an already authenticated user is
                                      allowed to use the service she is trying to use. (That is, has
                                      the account expired? Is the user allowed to use this service
                                      at this time of day?)
auth          Authentication          Proving that the user is authorized to use the service; uses
                                      passwords or another mechanism.
password      Password modification   Updating authentication mechanisms such as user
                                      passwords.
session       Session management      Setting things up when the service is started (as when a
                                      user logs in) and breaking them down when the service is
                                      terminated (as when a user logs out).

You can use one of the control flag keywords listed in Table 11-5 to set the control flags.

Table 11-5   Control flag keywords

Keyword      Flag function
required     Success is required for authentication to succeed. Control and a failure result
             are returned after all modules in the stack have been executed. The technique
             of delaying the report to the calling program until all modules have been
             executed may keep attackers from knowing precisely what caused their
             authentication attempts to fail and tell them less about the system, making it
             more difficult for them to break in.
requisite    Success is required for authentication to succeed. Further module processing
             is aborted, and control is returned immediately after a module fails. This
             technique may expose information about the system to an attacker. However,
             if it prevents a user from giving a password over an insecure connection, it
             might keep information out of the hands of an attacker.
sufficient   Success indicates that this module type has succeeded, and no subsequent
             required modules of this type are executed. Failure is not fatal to the stack of
             this module type. This technique is generally used when one form of
             authentication or another is good enough: If one fails, PAM tries the other.
             For example, when you use rsh to connect to another computer,
             pam_rhosts_auth first checks whether your connection can be trusted without
             a password. If the connection can be trusted, the pam_rhosts_auth module
             reports success, and PAM immediately reports success to the rsh daemon that
             called it. You will not be asked for a password. If your connection is not
             considered trustworthy, PAM starts the authentication again and asks for a
             password. If this second authentication succeeds, PAM ignores the fact that
             the pam_rhosts_auth module reported failure. If both modules fail, you will
             not be able to log in.
optional     Result is generally ignored. An optional module is relevant only when it is the
             sole module on the stack for a particular service.


PAM uses each of the module types as requested by the application. That is, the application asks PAM separately to authenticate, check account status, manage sessions, and change the password. PAM uses one or more modules from the /lib/security directory to accomplish each of these tasks.
The configuration files in /etc/pam.d list the set of modules to be used for each application to perform each task. Each such set of the same module types is called a stack. PAM calls the modules one at a time in order, going from the top of the stack (the first module listed in the configuration file) to the bottom. Each module reports success or failure back to PAM. When all stacks of modules (with some exceptions) within a configuration file have been called, the PAM library reports success or failure back to the application.

EXAMPLE
Part of a sample login service's authentication stack follows:
$ cat /etc/pam.d/login
auth       required     pam_securetty.so
@include common-auth
auth       requisite    pam_nologin.so

The login utility first asks for a username and then asks PAM to run this stack to authenticate the user. Refer to Table 11-4 and Table 11-5.
1. PAM first calls the pam_securetty (secure tty) module to make sure the root user logs in only from an allowed terminal. (By default, root is not allowed to run login over the network; this policy helps prevent security breaches.) The pam_securetty module is required to succeed if the authentication stack is to succeed. The pam_securetty module reports failure only if someone is trying to log in as root from an unauthorized terminal. Otherwise (if the username being authenticated is not root or if the username is root and the login attempt is being made from a secure terminal), the pam_securetty module reports success.
Success and failure within PAM are opaque concepts that apply only to PAM. They do not equate to "true" and "false" as used elsewhere in the operating system.
2. The included common-auth file holds modules that check whether the user who is logging in is authorized to do so. As part of completing this task, these modules verify the username and password.
3. The pam_nologin module makes sure that if the /etc/nologin.txt file exists, only the root user is allowed to log in. (That is, the pam_nologin module reports success only if /etc/nologin.txt does not exist or if the root user is logging in.) Thus, when a shutdown has been scheduled to occur in the near future, the system keeps users from logging in, only to have the system shut down moments later.
The account module type works like the auth module type but is called after the user has been authenticated; it acts as an additional security check or requirement

that must be met for a user to gain access to the system. For example, account modules might enforce a policy that a user can log in only during business hours or check whether a password has expired.
The session module type sets up and tears down the session (perhaps mounting and unmounting the user's home directory). One session module commonly found on an Ubuntu system is pam_mail, which announces you have new mail when a user logs in to a textual environment.
The password module type is a bit unusual: All modules in the stack are called once and told to get all information they need to store the password to persistent memory, such as a disk, but not actually to store it. If it determines that it cannot or should not store the password, a module reports failure. If all password modules in the stack report success, they are called a second time and told to store to persistent memory the password they obtained on the first pass. The password module is responsible for updating the authentication information (i.e., changing the user's password).
Any one module can act as more than one module type; many modules can act as all four module types.
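The stack evaluation described above, as an added example that is not code from the book or from Linux-PAM: a small Python simulator that parses /etc/pam.d-style lines (including @include) and applies the control-flag rules of Table 11-5, with each module's verdict supplied by the caller instead of a real module. The common-auth and rsh stacks it uses are constructed stand-ins, not the files shipped with Ubuntu.

```python
"""Simulator for the Linux-PAM stack semantics of Tables 11-4 and 11-5.

Added example: not the real PAM library.  Each module's success or failure
is supplied by the caller, so the effect of the required, requisite,
sufficient and optional control flags can be studied offline.
"""

from dataclasses import dataclass


@dataclass
class Rule:
    mtype: str      # module type: auth, account, password, session
    control: str    # control flag: required, requisite, sufficient, optional
    module: str     # module name, e.g. pam_securetty.so
    args: tuple     # module arguments, if any


def parse_pam_config(text, includes=None):
    """Parse /etc/pam.d-style lines into Rule objects.

    ``includes`` maps the name used on an @include line to that file's text
    (on a real system PAM reads it from /etc/pam.d/<name>).
    """
    includes = includes or {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include":
            rules.extend(parse_pam_config(includes[fields[1]], includes))
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def run_stack(rules, mtype, outcomes):
    """Evaluate the stack for one module type.

    ``outcomes`` maps module name -> True (success) or False (failure),
    standing in for what the module would report.  Returns
    (stack_result, modules_called) so the caller can see how far PAM got.
    """
    stack = [r for r in rules if r.mtype == mtype]
    called = []
    required_failed = False
    for rule in stack:
        ok = outcomes.get(rule.module, False)
        called.append(rule.module)
        if rule.control == "required":
            # failure is remembered, but the rest of the stack still runs, so
            # the caller learns nothing about which module failed until the end
            required_failed = required_failed or not ok
        elif rule.control == "requisite":
            if not ok:
                return False, called          # abort the stack immediately
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True, called           # good enough: skip the rest
        elif rule.control == "optional":
            if len(stack) == 1:
                return ok, called             # only counts when it is alone
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    return not required_failed, called


# The login stack from the text; common-auth is a constructed stand-in.
LOGIN_CONF = """\
auth    required    pam_securetty.so
@include common-auth
auth    requisite   pam_nologin.so
"""
COMMON_AUTH = "auth    required    pam_unix.so\n"

# The rsh stack the text describes for the sufficient flag (constructed).
RSH_CONF = """\
auth    sufficient  pam_rhosts_auth.so
auth    required    pam_unix.so
"""


def login_auth(outcomes):
    rules = parse_pam_config(LOGIN_CONF, {"common-auth": COMMON_AUTH})
    return run_stack(rules, "auth", outcomes)


def rsh_auth(outcomes):
    return run_stack(parse_pam_config(RSH_CONF), "auth", outcomes)


if __name__ == "__main__":
    # root on an insecure terminal: pam_unix still runs (the password is still
    # asked for) and only then is the pam_securetty failure reported
    print(login_auth({"pam_securetty.so": False, "pam_unix.so": True,
                      "pam_nologin.so": True}))
    # trusted rhosts connection: PAM stops after the first module
    print(rsh_auth({"pam_rhosts_auth.so": True, "pam_unix.so": True}))
```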

MODIFYING THE PAM CONFIGURATION

caution: Be cautious when changing PAM files
Unless you understand how to configure PAM, do not change the files in /etc/pam.d. Mistakes in the configuration of PAM can make the system unusable.
Some UNIX systems require that a user be a member of the wheel group to use the su command. Although Ubuntu Linux is not configured this way by default, PAM allows you to change this behavior by editing the /etc/pam.d/su file:

$ cat /etc/pam.d/su
# Uncomment this to force users to be a member of group root before they can use 'su'
# auth       required   pam_wheel.so
# Uncomment this if you want wheel members to be able to su without a password.
# auth       sufficient pam_wheel.so trust

The lines of this su module contain comments that include the lines necessary to permit only users who are in the wheel group to use su (required) and to permit members of the wheel group to run su without supplying a password (sufficient). Uncomment one of these lines when you want the system to follow one of these rules.


caution: Brackets ([]) in the control flags field
You can set the control flags in a more complex way than described in this section. When you see brackets ([ ]) in the control flags position in a PAM configuration file, the newer, more complex method is in use. Each comma-delimited argument is a value=action pair. When the result returned by the function matches value, action is evaluated. For more information refer to the PAM System Administrator's Guide (www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html).

CHAPTER SUMMARY
A system administrator is someone who keeps the system in a useful and convenient state for its users. Much of the work you do as the system administrator will require you to work with root privileges. A user with these privileges (sometimes referred to as Superuser) has extensive systemwide powers that normal users do not have. A user with root privileges can read from and write to any file and can execute programs that ordinary users are not permitted to execute.
The system administrator controls system operation, which includes the following tasks: configuring the system; booting up; running init scripts; setting up servers; working in recovery (single-user) and multiuser modes; bringing the system down; and handling system crashes. Ubuntu Linux provides both graphical and textual configuration tools.
When you bring up the system in recovery mode, only the system console is functional. While working in recovery mode, you can back up files and use fsck to check the integrity of filesystems before you mount them. The telinit utility can bring the system to its default multiuser state. With the system running in multiuser mode, you can still perform many administration tasks, such as adding users and printers.
As installed, the root account on an Ubuntu system is locked: It has no password. Ubuntu recommends you use sudo when you need to perform a task with root privileges. The sudo utility grants root privileges based on your password. A system that does not have a root password and that relies on sudo to escalate permissions can be more secure than one with a root password.
The Upstart init daemon, which replaces the traditional System V init daemon (SysVinit), is event based: It can start and stop services upon receiving information that something on the system has changed (an event). Events include adding devices to and removing them from the system as well as bringing the system up and shutting it down.
You can use TCP wrappers to control who can use which system services by editing the hosts.allow and hosts.deny files in the /etc directory. Setting up a chroot jail limits the portion of the filesystem a user sees, so it can help control the damage a malicious user can do.


You can set up a DHCP server so you do not have to configure each system on a network manually. DHCP can provide both static and dynamic IP addresses.
Whether a system uses NIS, DNS, local files, or a combination (and in what order) as a source of information is determined by /etc/nsswitch.conf. Linux-PAM enables you to maintain fine-grained control over who can access the system, how they can access it, and what they can do.

EXERCISES
1. How does recovery (single-user) mode differ from multiuser mode?
2. How would you communicate each of the following messages?
a. The system is coming down tomorrow at 6:00 in the evening for periodic maintenance.
b. The system is coming down in 5 minutes.
c. Zach's jobs are slowing the system down drastically, and he should postpone them.
d. Zach's wife just had a baby girl.
3. How would you run a program with Sam's privileges if you did not know his password but had permission to use sudo to run a command with root privileges? How would you spawn a shell with the same environment that Sam has when he first logs in?
4. How would you allow a user to execute a specific, privileged command without giving the user the root password or permission to use sudo to run any command with root privileges?
5. How do you kill process 1648? How do you kill all processes running kmail? In which instances do you need to work with root privileges?
6. What does the /etc/init/rsyslog.conf file do? When does it stop? What does the respawn keyword in this file mean?
7. Develop a strategy for coming up with a password that an intruder would not be likely to guess but that you will be able to remember.

ADVANCED EXERCISES
8. Give the command
$ /bin/fuser -uv /

What does the output list? Why is it so long? Give the same command while working with root privileges (or ask the system administrator to do so and email you the results). How does this list differ from the first? Why is it different?
9. When it puts files in a lost+found directory, fsck has lost the directory information for the files and thus has lost the names of the files. Each file is given a new name, which is the same as the inode number for the file:
$ ls -l lost+found
-rw-r--r-- 1 max pubs 110 2010-06-10 10:55 51262
How can you identify these files and restore them?
10. Take a look at /usr/bin/lesspipe. Explain its purpose and describe six ways it works.
11. Why are setuid shell scripts inherently unsafe?
12. When a user logs in, you would like the system to first check the local /etc/passwd file for a username and then check NIS. How do you implement this strategy?
13. Some older kernels contain a vulnerability that allows a local user to gain root privileges. Explain how this kind of vulnerability negates the value of a chroot jail.


12
FILES, DIRECTORIES, AND FILESYSTEMS
IN THIS CHAPTER
Important Files and Directories . . . . 488
Device Special Files . . . . 501
Filesystems . . . . 505
mount: Mounts a Filesystem . . . . 506
fstab: Keeps Track of Filesystems . . . . 510
fsck: Checks Filesystem Integrity . . . . 512
Filesystems hold directories of files. These structures store user data and system data that are the basis of users' work on the system and the system's existence. This chapter discusses important files and directories, various types of files and ways to work with them, and the use and maintenance of filesystems.

488

CHAPTER 12

FILES, DIRECTORIES, AND FILESYSTEMS

IMPORTANT FILES AND DIRECTORIES
This section details the files most commonly used to administer the system. For more information, refer to "Important Standard Directories and Files" on page 213.
lost+found Holds pre-allocated disk blocks that fsck uses to store unlinked files (files that have lost their directory [and therefore filename] information). Having these blocks available ensures that fsck does not have to allocate data blocks during recovery, a process that could further damage a corrupted filesystem. See page 512 for more information on fsck.
Each ext2, ext3, and ext4 filesystem contains a lost+found directory in the filesystem's root directory. If, for example, a filesystem is mounted at /home, there will be a /home/lost+found directory. There is always a /lost+found directory. These directories are normally created by mkfs when it writes an ext2/ext3/ext4 filesystem to a partition. Although rarely necessary, you can create a lost+found directory manually using mklost+found.
~/.bash_profile Contains an individual user's login shell initialization script. By default, Ubuntu does not create this file when it adds a user. The shell executes the commands in this file in the same environment as the shell each time a user logs in. (For information on executing a shell script in this manner, refer to the discussion of the . [dot] command on page 296.) The file must be located in a user's home directory. It is not run from terminal emulator windows because you do not log in in those windows.
You can use .bash_profile to specify a terminal type (for vi, terminal emulators, and other programs), run stty to establish the terminal characteristics, set up aliases, and perform other housekeeping functions when a user logs in.
A simple .bash_profile file specifying a vt100 terminal and CONTROL-H as the erase key follows:
$ cat .bash_profile
export TERM=vt100
stty erase '^h'
For more information refer to "Startup Files" on page 293.

~/.bashrc Contains an individual user's interactive, nonlogin shell initialization script. The shell executes the commands in this file in the same environment as the (new) shell each time a user creates a new interactive shell, including when a user opens a terminal emulator window. (For information on executing a shell script in this manner, refer to the discussion of the . [dot] command on page 296.) The .bashrc script differs from .bash_profile in that it is executed each time a new shell is spawned, not just when a user logs in. For more information refer to "Startup Files" on page 293.

/dev Contains files representing pseudodevices and physical devices that may be attached to the system. The following list explains the naming conventions for some physical devices:
• /dev/fd0—The first floppy disk. The second floppy disk is named /dev/fd1.


• /dev/hda—The master disk on the primary IDE controller. The slave disk on the primary IDE controller is named /dev/hdb. This disk may be a CD-ROM drive.
• /dev/hdc—The master disk on the secondary IDE controller. The slave disk on the secondary IDE controller is named /dev/hdd. This disk may be a CD-ROM drive.
• /dev/sda—Traditionally the first SCSI disk; now the first non-IDE drive, including SATA and USB drives. Other, similar drives are named /dev/sdb, /dev/sdc, etc.
These names, such as /dev/sda, represent the order of the devices on the bus the devices are connected to, not the device itself. For example, if you swap the data cables on the disks referred to as /dev/sda and /dev/sdb, the drive's designations will change. Similarly, if you remove the device referred to as /dev/sda, the device that was referred to as /dev/sdb will now be referred to as /dev/sda.
/dev/disk/by-path Holds symbolic links to local devices. The names of the devices in this directory identify the devices. Each entry points to the device in /dev that it refers to.
$ ls -l /dev/disk/by-path
lrwxrwxrwx 1 root root 10 2010-04-09 09:42 pci-0000:00:10.0-scsi-0:0:0:0-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 2010-04-09 09:42 pci-0000:00:10.0-scsi-0:0:0:0-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 2010-04-09 09:42 pci-0000:00:10.0-scsi-0:0:0:0-part5 -> ../../sda5

/dev/disk/by-uuid Holds symbolic links to local devices. The names of the devices in this directory consist of the UUID (page 1179) numbers of the devices. Each entry points to the device in /dev that it refers to. See page 510 for more information.
$ ls -l /dev/disk/by-uuid
lrwxrwxrwx 1 root root 10 2010-04-09 09:42 bcbfb6cc-fa3d-4acd-857a-9a92abcd3030 -> ../../sda5
lrwxrwxrwx 1 root root 10 2010-04-09 09:42 e1adfa6b-39e8-4658-82ac-6f75ecdb82c4 -> ../../sda1

/dev/null Also called a bit bucket. Output sent to this file disappears. The /dev/null file is a device file. Input that you redirect to come from this file appears as null values, creating an empty file. You can create an empty file named nothing by giving one of the following commands:
$ cat /dev/null > nothing
$ cp /dev/null nothing
or, without explicitly using /dev/null,
$ > nothing
The last command redirects the output of a null command to the file with the same result as the previous commands. You can use any of these commands to truncate an existing file to zero length without changing its permissions. You can also use /dev/null to get rid of output that you do not want:
$ grep portable * 2> /dev/null


This command displays all lines in all files in the working directory that contain the string portable. Any output to standard error (page 297), such as a permission or directory error, is discarded, while output to standard output appears on the screen.
/dev/pts A hook into the Linux kernel. This pseudofilesystem is part of the pseudoterminal support. Pseudoterminals are used by remote login programs, such as ssh and telnet, as well as xterm and other graphical terminal emulators. The following sequence of commands demonstrates that Sam is logged in on /dev/pts/2. After using who am i to verify the pseudoterminal he is logged in on and using ls to show that this pseudoterminal exists, Sam redirects the output of an echo command to /dev/pts/2, whereupon the output appears on his screen:
$ who am i
sam      pts/2        2010-05-31 17:37 (dog.bogus.com)
$ ls /dev/pts
0  1  2
$ echo Hi there > /dev/pts/2
Hi there
/dev/random, /dev/urandom Interfaces to the kernel's random number generator. You can use either file with dd to create a file filled with pseudorandom bytes.
$ dd if=/dev/urandom of=randfile2 bs=1 count=100
100+0 records in
100+0 records out
100 bytes (100 B) copied, 0.000884387 seconds, 113 kB/s
The preceding command reads from /dev/urandom and writes to the file named randfile. The block size is 1 and the count is 100; thus randfile is 100 bytes long. For bytes that are more random, you can read from /dev/random. See the urandom and random man pages for more information.

optional
Wiping a file You can use a similar technique to wipe data from a file before deleting it, making it almost impossible to recover data from the deleted file. You might want to wipe a file for security reasons.
In the following example, ls shows the size of the file named secret. Using a block size of 1 and a count corresponding to the number of bytes in secret, dd wipes the file. The conv=notrunc argument ensures that dd writes over the data in the file and not another (erroneous) place on the disk.
$ ls -l secret
-rw-r--r-- 1 sam sam 5733 2010-05-31 17:43 secret
$ dd if=/dev/urandom of=secret bs=1 count=5733 conv=notrunc
5733+0 records in
5733+0 records out
5733 bytes (5.7 kB) copied, 0.0358146 seconds, 160 kB/s
$ rm secret
For added security, run sync to flush the disk buffers after running dd, and repeat the two commands several times before deleting the file. See wipe.sourceforge.net for more information about wiping files.
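The overwrite, sync, repeat, then delete sequence above carried out from Python, as an added example that is not code from the book; the file it wipes is constructed in a temporary directory, and opening with r+b and calling os.fsync play the roles of conv=notrunc and sync.

```python
"""Overwrite a file in place several times and then delete it (the dd/sync/rm
sequence from the text, done from Python).  Added example, not from the book."""

import os
import tempfile


def wipe_file(path, passes=3):
    """Overwrite ``path`` with random bytes ``passes`` times, forcing each pass
    to disk, then unlink it.  Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # "r+b" rewrites the file's existing blocks.  Opening with "wb" would
    # truncate the file first, and the new bytes could then be placed somewhere
    # else on the disk, which is exactly what conv=notrunc prevents with dd.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())   # same role as running sync after dd
    os.remove(path)
    return size


def demo():
    """Create a constructed secret file in a temporary directory and wipe it.
    Returns (bytes overwritten per pass, whether the file still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret")
        with open(path, "wb") as fh:
            fh.write(b"constructed secret contents\n" * 200)   # 5600 bytes
        overwritten = wipe_file(path, passes=3)
        return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

On journaling or copy-on-write filesystems and on SSDs, an in-place overwrite does not guarantee that older copies of the data are gone from the medium.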


/dev/zero Input you take from this file contains an infinite string of zeros (numerical zeros, not ASCII zeros). You can fill a file (such as a swap file, page 498) or overwrite a file with zeros with a command such as the following:
$ dd if=/dev/zero of=zeros bs=1024 count=10
10+0 records in
10+0 records out
10240 bytes (10 kB) copied, 0.000160268 seconds, 63.9 MB/s
$ od -c zeros
0000000  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0024000
The od utility shows the contents of the new file.
When you try to do with /dev/zero what you can do with /dev/null, you fill the partition in which you are working:
$ cp /dev/zero bigzero
cp: writing 'bigzero': No space left on device
$ rm bigzero
/etc/aliases Used by the mail delivery system to hold aliases for users. Edit this file to suit local needs. For more information refer to /etc/aliases on page 722.
/etc/alternatives Holds symbolic links so that you can call a utility by a name other than that of the file that holds the utility. For example, when you give the command btdownloadcurses, the shell calls btdownloadcurses.bittorrent using the following links:
$ ls -l /usr/bin/btdownloadcurses
lrwxrwxrwx ... /usr/bin/btdownloadcurses -> /etc/alternatives/btdownloadcurses
$ ls -l /etc/alternatives/btdownloadcurses
lrwxrwxrwx ... /etc/alternatives/btdownloadcurses -> /usr/bin/btdownloadcurses.bittorrent
The alternatives directory also allows a utility to appear in more than one directory:
$ ls -l /usr/X11R6/bin/btdownloadcurses /usr/bin/X11/btdownloadcurses
lrwxrwxrwx ... /usr/X11R6/bin/btdownloadcurses -> /etc/alternatives/btdownloadcurses
lrwxrwxrwx ... /usr/bin/X11/btdownloadcurses -> /etc/alternatives/btdownloadcurses
In addition, this directory allows you to call one utility by several names. Although the alternatives directory does not allow developers to do anything they could not do without it, it provides an orderly way to keep and update these links. Use whereis (page 179) to find all links to a utility.
/etc/at.allow, /etc/at.deny, /etc/cron.allow, and /etc/cron.deny By default, users can use the at and crontab utilities. The at.allow and cron.allow files list the users who are allowed to use at and crontab, respectively. The at.deny and cron.deny files specify users who are not permitted to use the corresponding utilities. As Ubuntu Linux is configured, the at.deny file holds a list of some system accounts and there is no at.allow file, allowing nonsystem accounts to use at; the absence of cron.allow and cron.deny files allows anyone to use crontab. To prevent anyone except a user running with root privileges from using at, remove the at.allow and at.deny files. To prevent anyone except a user running with root privileges from using crontab, create a cron.allow file with the single entry root. For more information on crontab, refer to "Scheduling Tasks" on page 605.


/etc/bash.bashrc Contains the global interactive, nonlogin shell initialization script. The default Ubuntu /etc/profile (page 495) file executes the commands in this file. A user can override settings made in this file in her ~/.bashrc (page 488) file.
/etc/default Holds files that set default values for system services and utilities such as NFS and useradd. Look at the files in this directory for more information.
/etc/dumpdates Contains information about the last execution of dump (part of the dump software
package). For each filesystem, it stores the time of the last dump at a given dump
level. The dump utility uses this information to determine which files to back up
when executing at a particular dump level. Refer to "Backing Up Files" on page 5 9 9
and the dump man page for more information.
Following is a sample /etc/dumpdates file from a system with four filesystems and a backup schedule that uses three dump levels:
/dev/hda1   5 Thu Apr 22 03:53:55 2010
/dev/hda8   2 Sun Apr 18 08:25:24 2010
/dev/hda9   2 Sun Apr 18 08:57:32 2010
/dev/hda10  2 Sun Apr 18 08:58:06 2010
/dev/hda1   2 Sun Apr 18 09:02:27 2010
/dev/hda1   0 Sun Mar 21 22:08:35 2010
/dev/hda8   0 Sun Mar 21 22:33:40 2010
/dev/hda9   0 Sun Mar 21 22:35:22 2010
/dev/hda10  0 Sun Mar 21 22:43:45 2010
The first column contains the device name of the dumped filesystem. The second column contains the dump level and the date of the dump.
/etc/event.d Holds files that define Upstart init jobs. See page 434 for more information.
/etc/fstab filesystem (mount) table—Contains a list of all mountable devices as specified by the system administrator. Programs do not write to this file; they only read from it. See page 510 for more information.
/etc/group Groups allow users to share files or programs without giving all system users access to those files or programs. This scheme is useful when several users are working with files that are not public. The /etc/group file associates one or more usernames with each group (number). Refer to "ACLs: Access Control Lists" on page 221 for a finer-grained way to control file access.
Each entry in the /etc/group file has four colon-separated fields that describe one group:
group-name:password:group-ID:login-name-list
The group-name is the name of the group. The password is an optional hashed (page 1151) password. This field frequently contains an x, indicating that group passwords are not used. The group-ID is a number, with 1-999 reserved for system accounts. The login-name-list is a comma-separated list of users who belong to the group. If an entry is too long to fit on one line, end the line with a backslash (\), which quotes the following RETURN, and continue the entry on the next line. A sample entry from a group file follows. The group is named pubs, has no password, and has a group ID of 1103:
pubs:x:1103:max,sam,zach,mark


You can use the groups utility to display the groups to which a user belongs:
$ groups sam
sam : sam pubs
Each user has a primary group, which is the group that user is assigned in the /etc/passwd file. By default, Ubuntu Linux has user private groups: Each user's primary group has the same name as the user. In addition, a user can belong to other groups, depending on which login-name-lists the user appears on in the /etc/group file. In effect, you simultaneously belong both to your primary group and to any groups you are assigned to in /etc/group. When you attempt to access a file you do not own, Linux checks whether you are a member of the group that has access to the file. If you are, you are subject to the group access permissions for the file. If you are not a member of the group that has access to the file and you do not own the file, you are subject to the public access permissions for the file.
When you create a new file, Linux assigns it to the group associated with the directory the file is being written into, assuming that you belong to that group. If you do not belong to the group that has access to the directory, the file is assigned to your primary group.
Refer to page 597 for information on using users-admin to work with groups.
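A parser for the /etc/group format described above, as an added example that is not code from the book: it joins backslash-continued entries, reproduces what the groups utility prints, and flags the system-range and password-carrying groups an administrator would want to review. The sample file content is constructed, and the primary group ID is passed in because it comes from /etc/passwd, not from this file.

```python
"""Reader for the /etc/group format: group-name:password:group-ID:login-name-list,
with a trailing backslash continuing an entry on the next line.
Added example, not code from the book; SAMPLE_GROUP is constructed."""

from collections import namedtuple

GroupEntry = namedtuple("GroupEntry", "name password gid members")

# Constructed sample, not a real /etc/group.  The pubs entry is continued on a
# second line; the staff entry carries a (placeholder) group password hash.
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
pubs:x:1103:max,sam,\\
zach,mark
staff:HASH_PLACEHOLDER:50:max
sam:x:1000:
"""


def parse_group(text):
    """Return a list of GroupEntry objects, joining backslash-continued lines."""
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # backslash quotes the RETURN: keep reading
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"expected 4 colon-separated fields: {line!r}")
        name, password, gid, members = fields
        entries.append(GroupEntry(name, password, int(gid),
                                  [m for m in members.split(",") if m]))
    return entries


def groups_for(user, entries, primary_gid=None):
    """Names of the groups ``user`` belongs to, primary group first, which is
    the order the groups utility prints.  ``primary_gid`` is the group-ID
    recorded for the user in /etc/passwd."""
    names = []
    for e in entries:
        if e.gid == primary_gid:
            names.insert(0, e.name)
        elif user in e.members:
            names.append(e.name)
    return names


def system_groups(entries):
    """Groups whose IDs fall in the 1-999 range reserved for system accounts."""
    return [e.name for e in entries if 1 <= e.gid <= 999]


def groups_with_passwords(entries):
    """Groups whose password field holds something other than the usual x or a
    locked/empty value, i.e. groups that can be joined with a shared password."""
    return [e.name for e in entries if e.password not in ("x", "", "*", "!")]


if __name__ == "__main__":
    entries = parse_group(SAMPLE_GROUP)
    print("sam :", " ".join(groups_for("sam", entries, primary_gid=1000)))
    print("system groups:", system_groups(entries))
    print("groups with passwords:", groups_with_passwords(entries))
```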
/etc/hostname Stores the hostname of the system. Changing the contents of this file changes the hostname of the system the next time it boots. Give the command hostname name to change the hostname of the system to name immediately. Without changing /etc/hostname, the hostname will revert the next time the system boots.

/etc/hosts Stores the names, IP addresses, and optionally aliases of other systems. At the very least, this file must have the hostname and IP address that you have chosen for the local system and a special entry for localhost. This entry supports the loopback service, which allows the local system to talk to itself (for example, for RPC services). The IP address of the loopback service is always 127.0.0.1, while 127.0.1.1 names the local system. Following is a simple /etc/hosts file:
$ cat /etc/hosts
127.0.0.1     localhost
127.0.1.1     tiny
192.168.0.9   jam
192.168.0.10  plum
192.168.0.12  dog
If you are not using NIS or DNS to look up hostnames (called hostname resolution), you must include in /etc/hosts all systems that the local system should be able to contact by hostname. (A system can always contact another system by using the IP address of the system.) The hosts entry in the /etc/nsswitch.conf file (page 475) controls the order in which hostname resolution services are checked.
/etc/inittab initialization table—Some distributions use this file to control the behavior of the init process. It is not present on Ubuntu systems. See "rc-sysinit task and inittab" on page 439 for more information.


/etc/motd Contains the message of the day, which can be displayed each time someone logs in
using a textual login. This file typically contains site policy and legal information.
Keep this file short because users tend to see the message many times.
/etc/mtab When you call mount without any arguments, it consults this file and displays a list
of mounted devices. Each time you (or an init script) call mount or umount, these
utilities make the necessary changes to mtab. Although this is an ASCII text file, you
should not edit it. See also /etc/fstab.

Fixing mtab
tip The kernel maintains its own internal mount table. You can display this table with the command
cat /proc/mounts. Sometimes the list of files in /etc/mtab may not be synchronized with the partitions in this table. To bring the mtab file in line with the operating system's mount table, you can
either reboot the system or replace /etc/mtab with a symbolic link to /proc/mounts (although
some information may be lost).
$ sudo rm /etc/mtab
$ sudo ln -s /proc/mounts /etc/mtab

/etc/nsswitch.conf
Specifies whether a system uses NIS, DNS, local files, or a combination as the source
of certain information, and in what order it consults these services (page 475).
/etc/pam.d Files in this directory specify the authentication methods used by PAM (page 478)
applications.
/etc/passwd Describes users to the system. Do not edit this file directly; instead, use one of the
utilities discussed in "Configuring User and Group Accounts" on page 594. Each
line in passwd has seven colon-separated fields that describe one user:
login-name:password:user-ID:group-ID:info:directory:program
The login-name is the user's username—the name you enter in response to the
login: prompt or on a GUI login screen. The value of the password is the character
x. The /etc/shadow file (page 497) stores the real password, which is hashed
(page 1151). For security reasons, every account should have a password. By convention, disabled accounts have an asterisk (*) in this field.
The user-ID is a number, with 0 indicating the root account and 1-999 being
reserved for system accounts. The group-ID identifies the user as a member of a
group. It is a number, with 0-999 being reserved for system accounts; see /etc/group
(page 492). You can change these values and set maximum values in /etc/login.defs.
The info is information that various programs, such as accounting and email programs, use to identify the user further. Normally it contains at least the first and last
names of the user. It is referred to as the GECOS (page 1150) field.
The directory is the absolute pathname of the user's home directory. The program is
the program that runs once the user logs in to a textual session. If program is not
present, a value of /bin/bash is assumed. You can put /bin/tcsh here to log in using
the TC Shell or /bin/zsh to log in using the Z Shell, assuming the shell you specify is
installed. The chsh utility (page 457) changes this value.


The program is usually a shell, but it can be any program. The following line in the
passwd file creates a "user" whose only purpose is to execute the who utility:
who:x:1000:1000:execute who:/usr:/usr/bin/who
Logging in with who as a username causes the system to log you in, execute the who utility, and log you out. The output of who flashes by quickly because the new login prompt
clears the screen immediately after who finishes running. This entry in the passwd file
does not provide a shell, so you cannot stay logged in after who finishes executing.
This technique is useful for providing special accounts that may do only one thing.
The ftp account, for example, enables anonymous FTP (page 687) access to an FTP
server. Because no one logs in on this account, the shell is set to /bin/false (which
returns a false exit status) or to /usr/sbin/nologin (which does not permit a nonprivileged user to log in). When you put a message in /etc/nologin, nologin displays that
message (except it has the same problem as the output of who: It is removed so
quickly that it is hard to see).

Do not replace a login shell with a shell script
security Do not use shell scripts as replacements for shells in /etc/passwd. A user may be able to interrupt
a shell script, giving him full shell access when you did not intend to do so. When installing a
dummy shell, use a compiled program, not a shell script.
/etc/printcap The printer capability database for LPD/LPR (page 548). It is not used with CUPS
(Chapter 14), Ubuntu's default printing system. This file describes system printers
and is derived from 4.3BSD UNIX.
/etc/profile Contains a systemwide interactive shell initialization script for environment and
startup programs. When you log in, the shell immediately executes the commands
in this file in the same environment as the shell. (For information on executing a
shell script in this manner, refer to the discussion of the . [dot] command on
page 296.) This file allows the system administrator to establish systemwide environment parameters that individual users can override in their ~/.bash_profile
(page 488) files. For example, this file can set shell variables, execute utilities, set up
aliases, and take care of other housekeeping tasks.
The default Ubuntu /etc/profile file sets the shell prompt and executes the commands
in /etc/bash.bashrc (page 492).
Following is an example of a /etc/profile file that displays the message of the day (the
/etc/motd file), sets the file-creation mask (umask, page 459), and sets the interrupt
character to CONTROL-C:
# cat /etc/profile
cat /etc/motd
umask 022
stty intr '^c'

/etc/protocols Provides protocol numbers, aliases, and brief definitions for DARPA Internet
TCP/IP protocols. Do not modify this file.
/etc/init Holds Upstart job definition files. See page 438 for more information.


/etc/init.d Holds SysVinit initialization scripts. See page 440 for more information.
/etc/resolv.conf The resolver (page 824) configuration file, which is used to provide access to DNS.
By default, this file is rebuilt by resolvconf when you run the bind9 init script. See
"named options" on page 834, "resolvconf and resolv.conf" on page 835, and the
resolver and resolv.conf man pages for more information.
The following example shows the resolv.conf file for the example.com domain. A
resolv.conf file usually contains at least two lines—a search line (optional) and a
nameserver line:
# cat /etc/resolv.conf
search example.com
nameserver 10.0.0.50
nameserver 10.0.0.51
The search keyword may be followed by a maximum of six domain names. The first
domain is interpreted as the host's local domain. These names are appended one at
a time to all DNS queries, shortening the time needed to query local hosts. The
domains are searched in order in the process of resolving hostnames that are not
fully qualified. See FQDN on page 1149.
When you put search example.com in resolv.conf, any reference to a host within the
example.com domain or a subdomain (such as marketing.example.com) can use the
abbreviated form of the host. For example, instead of issuing the command ping
speedy.marketing.example.com, you can use ping speedy.marketing. The following
line in resolv.conf causes the marketing subdomain to be searched first, followed by
sales, and finally the entire example.com domain:
search marketing.example.com sales.example.com example.com
It is a good idea to put the most frequently used domain names first to try to outguess
possible conflicts. If both speedy.marketing.example.com and speedy.example.com
exist, for example, the order of the search determines which one is selected when you
invoke DNS. Do not overuse this feature: The longer the search path, the more network DNS requests generated, and the slower the response. Three or four names are
typically sufficient.
The nameserver line(s) indicate which systems the local system should query to
resolve hostnames to IP addresses, and vice versa. These machines are consulted in
the order they appear, with a timeout between queries. The first timeout is a few
seconds; each subsequent timeout is twice as long as the previous one. The preceding file causes this system to query 10.0.0.50, followed by 10.0.0.51 when the first
system does not answer within a few seconds. The resolv.conf file may be automatically updated when a PPP- (Point-to-Point Protocol) or DHCP- (Dynamic Host
Configuration Protocol) controlled interface is activated. Refer to the resolv.conf
and resolver man pages for more information.
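The search-line behavior just described, worked through as an added example (not code from the book): a small Python model of the stub resolver's ordering rule, with the sample resolv.conf constructed to match the marketing/sales example. The functions parse_resolv_conf, candidate_names, and worst_case_queries are this example's own, and the ndots handling follows the usual stub-resolver convention (default 1).

```python
"""How the resolver expands a hostname using the search line in resolv.conf.

Added example, not code from the book. It implements the ordering rule
described above for a stub resolver: an absolute name (trailing dot) is
tried as-is only; a name with at least ndots dots (ndots is 1 unless an
options line changes it) is tried as-is first and then with each search
domain appended; a shorter name gets the search domains first and the
bare name last. The six-name limit on the search line is the one the
text states; the sample file below is constructed.
"""

MAX_SEARCH_DOMAINS = 6


def parse_resolv_conf(text):
    """Return (search_domains, nameservers, ndots) from resolv.conf text."""
    search, nameservers, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            # A later search/domain line replaces an earlier one; only the
            # first six names are honoured.
            search = [d.rstrip(".").lower() for d in args][:MAX_SEARCH_DOMAINS]
        elif key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, nameservers, ndots


def candidate_names(name, search, ndots=1):
    """Fully qualified names the resolver would try, in order."""
    if name.endswith("."):
        return [name]                       # absolute: never expanded
    expanded = ["%s.%s." % (name, d) for d in search]
    as_is = name + "."
    if name.count(".") >= ndots:
        return [as_is] + expanded
    return expanded + [as_is]


def worst_case_queries(name, search, ndots=1):
    """Queries sent per nameserver when no candidate exists: the cost of a
    long search list that the text warns about."""
    return len(candidate_names(name, search, ndots))


# Constructed resolv.conf matching the marketing/sales example above.
SAMPLE = """\
search marketing.example.com sales.example.com example.com
nameserver 10.0.0.50
nameserver 10.0.0.51
"""

if __name__ == "__main__":
    search, servers, ndots = parse_resolv_conf(SAMPLE)
    for host in ("speedy", "speedy.marketing", "speedy.example.com."):
        print("%-22s -> %s" % (host, candidate_names(host, search, ndots)))
```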
/etc/rpc Maps RPC services to RPC numbers. The three columns in this file show the name
of the server for the RPC program, the RPC program number, and any aliases.


/etc/services Lists system services. The three columns in this file show the informal name of the
service, the port number/protocol the service uses most frequently, and any aliases
for the service. This file does not specify which services are running on the local system, nor does it map services to port numbers. The services file is used internally to
map port numbers to services for display purposes.
/etc/shadow Contains MD5 (page 1159) hashed user passwords. Each entry occupies one line
composed of nine fields, separated by colons:
login-name:password:last-mod:min:max:warn:inactive:expire:flag
The login-name is the user's username—the name that the user enters in response to
the login: prompt or on a GUI login screen. The password is a hashed password
that passwd puts in this file. New accounts that are not set up with a password are
given a value of ! or * in this field to prevent the user from logging in until you
assign a password to that user (page 595).
The last-mod field indicates when the password was last modified. The min is the
minimum number of days that must elapse before the password can be changed; the
max is the maximum number of days before the password must be changed. The
warn field specifies how much advance warning (in days) will be given to the user
before the password expires. The account will be closed if the number of days
between login sessions exceeds the number of days specified in the inactive field.
The account will also be closed as of the date in the expire field. The last field in an
entry, flag, is reserved for future use. You can use usermod (page 598) to modify
these fields.
The shadow password file must be owned by root and must not be publicly readable
or writable. Setting ownership and permissions in this way makes it more difficult
for someone to break into the system by identifying accounts without passwords or
by using specialized programs that try to match hashed passwords.
A number of conventions exist for creating special shadow entries. An entry of
*LK* or NP in the password field indicates locked or no password, respectively. No
password is different from an empty password; no password implies that this is an
administrative account that no one ever logs in on directly. Occasionally programs
will run with the privileges of this account for system maintenance functions. These
accounts are set up under the principle of least privilege (page 420).
Entries in the shadow file must appear in the same order as in the passwd file. There
must be exactly one shadow entry for each passwd entry.
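The passwd (page 494) and shadow formats just described, checked in Python as an added example (not code from the book): the audit reports the conditions the text warns about, such as a hash left in the world-readable passwd file, a UID 0 account other than root, an empty shadow password field, a shell-script login program, entries missing from one file or the other, and shadow entries out of passwd order. The function names are this example's own, the sample lines are constructed, and the hashes are placeholders.

```python
"""Consistency checks over /etc/passwd and /etc/shadow entries.

Added example, not code from the book. Parses the seven-field passwd
format and nine-field shadow format described above and reports the
conditions an administrator would want to catch. Sample lines below are
constructed; the hash values are placeholders, not real hashes.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")
ShadowEntry = namedtuple(
    "ShadowEntry", "name password last_mod min max warn inactive expire flag")

# Conventional values meaning "locked" or "no password" (see the text).
LOCKED_VALUES = {"!", "*", "*LK*", "NP"}


def _parse(text, factory, nfields, label):
    entries = {}  # dict keeps insertion order, so file order survives
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("%s line %d: expected %d fields, got %d"
                             % (label, n, nfields, len(fields)))
        entries[fields[0]] = factory(*fields)
    return entries


def parse_passwd(text):
    entries = _parse(text, PasswdEntry, 7, "passwd")
    return {k: e._replace(uid=int(e.uid), gid=int(e.gid)) for k, e in entries.items()}


def parse_shadow(text):
    return _parse(text, ShadowEntry, 9, "shadow")


def is_script(path):
    """True if the login program starts with '#!' (a script, not a compiled program).

    When the file cannot be read, fall back to the .sh suffix; that fallback
    is an assumption of this example, not a rule from the book.
    """
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return path.endswith(".sh")


def audit(passwd_text, shadow_text):
    """Return a list of (account, finding) pairs; empty means nothing to report."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, p in passwd.items():
        if p.password not in ("x", "*"):
            findings.append((name, "password hash stored in world-readable passwd"))
        if p.uid == 0 and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if is_script(p.shell):
            findings.append((name, "login program is a shell script"))
        if name not in shadow:
            findings.append((name, "no matching shadow entry"))
    for name, s in shadow.items():
        if name not in passwd:
            findings.append((name, "shadow entry without passwd entry"))
        elif s.password == "":
            findings.append((name, "empty password: login without a password"))
    if set(passwd) == set(shadow) and list(passwd) != list(shadow):
        findings.append(("/etc/shadow", "entries not in the same order as passwd"))
    return findings


# Constructed sample files.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sam:x:1000:1000:Sam,,,:/home/sam:/bin/bash
who:x:1001:1001:execute who:/usr:/usr/bin/who
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/bin/false
oldhash:$6$placeholder$hash:1002:1002::/home/oldhash:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
batch:x:1003:1003::/home/batch:/usr/local/bin/oneshot.sh
ghost:x:1004:1004::/home/ghost:/bin/bash
"""
SHADOW = """\
root:$6$placeholder$hash:14703:0:99999:7:::
sam:$6$placeholder$hash:14703:0:99999:7:::
who::14703:0:99999:7:::
ftp:*:14703:0:99999:7:::
oldhash:!:14703:0:99999:7:::
toor:$6$placeholder$hash:14703:0:99999:7:::
batch:NP:14703:0:99999:7:::
"""

if __name__ == "__main__":
    for account, problem in audit(PASSWD, SHADOW):
        print("%-12s %s" % (account, problem))
```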
/etc/hosts.deny and /etc/hosts.allow As part of the client/server model, TCP wrappers rely on these files as the basis of a
simple access control language. See page 465 for more information.
/proc Provides a window into the Linux kernel. Through the /proc pseudofilesystem you
can obtain information on any process running on the system, including its current


state, memory usage, CPU usage, terminal association, parent, and group. You can
extract information directly from the files in /proc. An example follows:
$ sleep 1000 &
[1] 3104
$ cd /proc/3104
$ ls -l
dr-xr-xr-x 2 sam sam 0 2010-04-09 14:00 attr
-r-------- 1 sam sam 0 2010-04-09 14:00 auxv
-r--r--r-- 1 sam sam 0 2010-04-09 14:00 cgroup
--w------- 1 sam sam 0 2010-04-09 14:00 clear_refs
-r--r--r-- 1 sam sam 0 2010-04-09 14:00 cmdline
-rw-r--r-- 1 sam sam 0 2010-04-09 14:00 coredump_filter
-r--r--r-- 1 sam sam 0 2010-04-09 14:00 cpuset
lrwxrwxrwx 1 sam sam 0 2010-04-09 14:00 cwd -> /home/sam
-r-------- 1 sam sam 0 2010-04-09 14:00 environ
lrwxrwxrwx 1 sam sam 0 2010-04-09 14:00 exe -> /bin/sleep
dr-x------ 2 sam sam 0 2010-04-09 14:00 fd
$ cat status
Name:   sleep
State:  S (sleeping)
Tgid:   3104
Pid:    3104
PPid:   1503
TracerPid:      0
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize: 256
Groups: 4 20 24 46 105 119 122 1000
VmPeak:     3232 kB
VmSize:     3232 kB
VmLck:         0 kB
In this example, bash creates a background process (PID 3104) for sleep. Next the user
changes directories to the directory in /proc that has the same name as the PID of the
background process (cd /proc/3104). This directory holds information about the process it is named for—the sleep process in the example. The ls -l command shows that
some entries in this directory are links (cwd is a link to the directory the process was
started from, and exe is a link to the executable file that this process is running) and
some appear to be ordinary files. All appear to be empty. However, when you use cat
to display one of these pseudofiles (status in the example), cat displays output. Obviously it is not an ordinary file.
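The status pseudofile shown above, parsed in Python as an added example (not code from the book). The Uid and Gid lines each carry four numbers (real, effective, saved, and filesystem IDs), so the parser exposes them by name; parse_status, read_status, privilege_changed and is_traced are this example's own names, and the sample text is constructed to match the sleep process above.

```python
"""Parse /proc/PID/status into typed fields.

Added example, not code from the book. parse_status() handles the
key: value format of the status pseudofile; read_status() applies it to
a live PID. A process whose effective IDs differ from its real IDs is
running with changed privileges, and a nonzero TracerPid means something
is attached to the process; both are worth noticing when reviewing a
system.
"""

INT_FIELDS = {"Tgid", "Pid", "PPid", "TracerPid", "FDSize"}
ID_FIELDS = {"Uid", "Gid"}


def parse_status(text):
    """Return a dict keyed by the field names in /proc/PID/status."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if key in INT_FIELDS:
            info[key] = int(value)
        elif key in ID_FIELDS:
            # Four values: real, effective, saved, filesystem.
            real, effective, saved, fs = (int(v) for v in value.split())
            info[key] = {"real": real, "effective": effective,
                         "saved": saved, "fs": fs}
        elif key == "Groups":
            info[key] = [int(g) for g in value.split()]
        elif key.startswith("Vm") and value.endswith("kB"):
            info[key] = int(value[:-2]) * 1024      # store as bytes
        else:
            info[key] = value
    return info


def read_status(pid):
    """Parse the status pseudofile of a running process."""
    with open("/proc/%d/status" % pid) as f:
        return parse_status(f.read())


def privilege_changed(info):
    """True if the effective UID or GID differs from the real one."""
    return (info["Uid"]["real"] != info["Uid"]["effective"]
            or info["Gid"]["real"] != info["Gid"]["effective"])


def is_traced(info):
    """True if a tracer (debugger, strace, ...) is attached."""
    return info.get("TracerPid", 0) != 0


# Constructed to match the cat status output above.
SAMPLE_STATUS = """\
Name:\tsleep
State:\tS (sleeping)
Tgid:\t3104
Pid:\t3104
PPid:\t1503
TracerPid:\t0
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
FDSize:\t256
Groups:\t4 20 24 46 105 119 122 1000
VmPeak:\t    3232 kB
VmSize:\t    3232 kB
VmLck:\t       0 kB
"""

if __name__ == "__main__":
    import os
    live = read_status(os.getpid())
    print("this process:", live["Name"], "pid", live["Pid"], "ppid", live["PPid"])
```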
/sbin/shutdown A utility that brings the system down (see page 450).
swap Even though swap is not normally a file, swap space can be added and deleted from
the system dynamically. Swap space is used by the virtual memory subsystem of the
kernel. When it runs low on real memory (RAM), the kernel writes memory pages
from RAM to the swap space on the disk. Which pages are written and when they


are written are controlled by finely tuned algorithms in the Linux kernel. When
needed by running programs, the kernel brings these pages back into RAM—a technique called paging (page 1164). When a system is running very short on memory,
an entire process may be paged out to disk.
Running an application that requires a large amount of virtual memory may result
in the need for additional swap space. If you run out of swap space, you can use
mkswap to create a swap file and swapon to enable it. Normally you use a disk partition as swap space, but you can also use a file for this purpose. A disk partition provides much better performance than a file.
If you are creating a file as swap space, first use df to ensure that the partition you
are creating it in has adequate space for the file. In the following sequence of commands, the administrator first uses dd and /dev/zero (page 491) to create an empty
file (do not use cp because you may create a file with holes, which may not work) in
the working directory. Next mkswap takes as an argument the name of the file created in the first step to set up the swap space. For security reasons, change the file so
that it cannot be read from or written to by anyone except a user with root privileges. Use swapon with the same argument to turn the swap file on; then use
swapon -s to confirm the swap space is available. The final two commands turn off
the swap file and remove it. Because many of the commands in this sequence must
be executed with root privileges, and because typing sudo in front of each command
would be tedious, the administrator spawns a shell with root privileges by giving
the command sudo -i before starting. The exit command at the end of the sequence
closes the privileged shell:
$ sudo -i
# dd if=/dev/zero of=swapfile bs=1024 count=65536
65536+0 records in
65536+0 records out
67108864 bytes (67 MB) copied, 0.631809 seconds, 106 MB/s
# mkswap swapfile
Setting up swapspace version 1, size = 67104 kB
no label, UUID=e2e4ec08-77a4-47b1-bca1-59dd9a59dbf7
# chmod 600 swapfile
# swapon swapfile
# swapon -s
Filename                                Type            Size    Used    Priority
/dev/sda3                               partition       1951888 33796   -1
/root/swapfile                          file            65528   0       -2
# swapoff swapfile
# rm swapfile
# exit
$

/sys A pseudofilesystem that was added in the Linux 2.6 kernel to make it easy for programs running in kernelspace, such as device drivers, to exchange information with
programs running in userspace. Refer to udev on page 502.


/usr/share/file/magic Most files begin with a unique identifier called a magic number. This file is a text
database listing all known magic numbers on the system. When you use the file utility, it consults /usr/share/file/magic to determine the type of a file. Occasionally you
may acquire a new tool that creates a new type of file that is unrecognized by the file
utility. In this situation you can add entries to the /etc/magic file. Refer to the magic
and file man pages for more details. See also "magic number" on page 1158.
/var/log Holds system log files, many of which are generated by syslogd (page 625). You can use
a text display program such as less, tail, or cat, or the graphical program gnome-system-log to view the files in this directory. To run gnome-system-log, select System: Administration⇒System Log or enter gnome-system-log (use gksudo if you are not a member
of the adm group) from a terminal emulator or in a Run Application window (ALT-F2).
/var/log/messages Contains messages from daemons, the Linux kernel, and security programs. For
example, you will find filesystem full warning messages, error messages from system daemons (NFS, exim4, printer daemons), SCSI and IDE disk error messages,
and more in messages. Check /var/log/messages periodically to keep informed
about important system events. Much of the information displayed on the system
console is also sent to messages. If the system experiences a problem and you cannot
access the console, check this file for messages about the problem. See page 625 for
information on syslogd, which generates many of these messages.
/var/log/auth.log Holds messages from security-related programs such as sudo and the sshd daemon.

FILE TYPES
Linux supports many types of files. This section discusses the following types of files:
• Ordinary files, directories, links, and inodes (next)
• Symbolic links (page 501)
• Device special files (page 501)
• FIFO special files (named pipes) (page 503)
• Sockets (page 503)
• Block and character devices (page 504)
• Raw devices (page 504)

ORDINARY FILES, DIRECTORIES, LINKS, AND INODES
Ordinary and directory files An ordinary file stores user data, such as textual information, programs, or images,
such as a jpeg or tiff file. A directory is a standard-format disk file that stores information, including names, about ordinary files and other directory files.

Inodes An inode is a data structure (page 1144), stored on disk, that defines a file's existence and is identified by an inode number. An inode contains critical information
about a file, such as the name of the owner, where it is physically located on the
disk, and how many hard links point to it. Except for directory inodes, inodes do
not contain filenames. An inode that describes a directory file relates each of the
filenames stored in the directory to the inode that describes that file. This setup
allows an inode to be associated with more than one filename and to be pointed to
from more than one directory.
When you move (mv) a file, including a directory file, within a filesystem, you
change the filename portion of the directory entry associated with the inode that
describes the file. You do not create a new inode. If you move a file to another filesystem, mv first creates a new inode on the destination filesystem and then deletes
the original inode. You can also use mv to move a directory recursively from one
filesystem to another. In this case mv copies the directory and all the files in it, and
deletes the original directory and its contents.
When you make an additional hard link (ln, page 228) to a file, you add a directory
entry that points to the inode that describes the file. You do not create a new inode.
When you remove (rm) a file, you delete the directory entry that describes the file.
When you remove the last hard link to a file, the operating system puts all blocks
the inode pointed to back in the free list (the list of blocks that are available for use
on the disk) and frees the inode to be used again.

The . and .. directory entries Every directory contains at least two entries (. and ..). The . entry is a link to the
directory itself. The .. entry is a link to the parent directory. In the case of the root
directory, there is no parent and the .. entry is a link to the root directory itself. It is
not possible to create hard links to directories.
Symbolic links Because each filesystem has a separate set of inodes, you can create hard links to a
file only from within the filesystem that holds that file. To get around this limitation, Linux provides symbolic links, which are files that point to other files. Files
that are linked by a symbolic link do not share an inode. As a consequence, you can
create a symbolic link to a file from any filesystem. You can also create a symbolic
link to a directory, device, or other special file. For more information refer to "Symbolic Links" on page 230.

DEVICE SPECIAL FILES
Device special files (also called device files and special files) represent Linux kernel
routines that provide access to an operating system feature. FIFO (first in, first out)
special files allow unrelated programs to exchange information. Sockets allow unrelated processes on the same or different systems to exchange information. One type
of socket, the UNIX domain socket, is a special file. Symbolic links are another type
of special file.
Device files Device files include both block and character special files and represent device drivers
that allow the system to communicate with peripheral devices, such as terminals,


printers, and hard disks. By convention, device files appear in the /dev directory and its
subdirectories. Each device file represents a device; hence, the system reads from and
writes to the file to read from and write to the device it represents. The following example shows part of the output that an ls -l command produces for the /dev directory:
$ ls -l /dev
crw-rw----+ 1 root audio    14,  12 2010-04-09 09:42 adsp
crw-------  1 root video    10, 175 2010-04-09 09:42 agpgart
crw-rw----+ 1 root audio    14,   4 2010-04-09 09:42 audio
drwxr-xr-x  2 root root         640 2010-04-09 09:42 block
drwxr-xr-x  2 root root          80 2010-04-09 09:42 bsg
drwxr-xr-x  3 root root          60 2010-04-09 09:42 bus
lrwxrwxrwx  1 root root           3 2010-04-09 09:42 cdrom -> sr0
drwxr-xr-x  2 root root        2980 2010-04-09 09:42 char
crw-------  1 root root      5,   1 2010-04-09 09:33 console
lrwxrwxrwx  1 root root          11 2010-04-09 09:42 core -> /proc/kcore
...
brw-rw----  1 root disk      8,   0 2010-04-09 09:42 sda
brw-rw----  1 root disk      8,   1 2010-04-09 09:42 sda1
brw-rw----  1 root disk      8,   2 2010-04-09 09:42 sda2
The first character of each line is always -, b, c, d, l, or p, representing the file
type—ordinary (plain), block, character, directory, symbolic link, or named pipe
(see the following section), respectively. The next nine characters identify the permissions for the file, followed by the number of hard links and the names of the
owner and the group. Where the number of bytes in a file would appear for an
ordinary or directory file, a device file shows major and minor device numbers
(page 503) separated by a comma. The rest of the line is the same as for any other
ls -l listing (page 215).
udev The udev utility manages device naming dynamically. It replaces the earlier devfs
and moves the device-naming functionality from the kernel to userspace. Because
devices are added to and removed from a system infrequently, the performance penalty associated with this change is minimal. The benefit of the move is that a bug in
udev cannot compromise or crash the kernel.
The udev utility is part of the hotplug system (next). When a device is added to or
removed from the system, the kernel creates a device name in the /sys pseudofilesystem and notifies hotplug of the event, which is received by udev. The udev utility then creates the device file, usually in the /dev directory, or removes the device
file from the system. The udev utility can also rename network interfaces. See
www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html for more information.
Hotplug The hotplug system allows you to plug a device into a running system and use it
immediately. Although hotplug was available in the Linux 2.4 kernel, the 2.6 kernel
integrates hotplug with the unified device driver model framework (the driver
model core) so that any bus can report an event when a device is added to or
removed from the system. User software can be notified of the event so it can take
appropriate action. See linux-hotplug.sourceforge.net for more information.


FIFO SPECIAL FILE (NAMED PIPE)
A FIFO special file, also called a named pipe, represents a pipe: You read from and
write to the file to read from and write to the pipe. The term FIFO stands for first
in, first out—the way any pipe works. In other words, the first information you put
in one end is the first information that comes out the other end. When you use a
pipe on a command line to send the output of a program to the printer, the printer
outputs the information in the same order that the program produced it and sent it
to the pipe.
Unless you are writing sophisticated programs, you will not be working with FIFO
special files. However, programs that you use on Linux use named pipes for interprocess communication. You can create a pipe using mkfifo:
$ mkfifo AA
$ ls -l AA
prw-r--r-- 1 sam sam 0 2010-04-09 14:10 AA
The p at the left end of the output of ls -l indicates the file is a pipe.
Both UNIX and Linux systems have included pipes for many generations. Without
named pipes, only processes that were children of the same ancestor could use pipes to
exchange information. Using named pipes, any two processes on a single system can
exchange information. When one program writes to a FIFO special file, another program can read from the same file. The programs do not have to run at the same time or
be aware of each other's activity. The operating system handles all buffering and information storage. This type of communication is termed asynchronous (async) because
the programs on the opposite ends of the pipe do not have to be synchronized.

SOCKETS
Like FIFO special files, sockets allow asynchronous processes that are not children of
the same ancestor to exchange information. Sockets are the central mechanism of the
interprocess communication that forms the basis of the networking facility. When
you use networking utilities, pairs of cooperating sockets manage the communication between the processes on the local system and the remote system. Sockets form
the basis of such utilities as ssh and scp.

MAJOR AND MINOR DEVICE NUMBERS
A major device number points to a driver in the kernel that works with a class of
hardware devices: terminal, printer, tape drive, hard disk, and so on. In the listing of
the /dev directory on page 502, all the hard disk partitions have a major device
number of 3.
A minor device number identifies a particular piece of hardware within a class.
Although all hard disk partitions are grouped together by their major device number,
each has a different minor device number (sda1 is 1, sda2 is 2, and so on). This setup
allows one piece of software (the device driver) to service all similar hardware, yet
still be able to distinguish among different physical units.


BLOCK AND CHARACTER DEVICES
This section describes typical device drivers. Because device drivers can be changed to
suit a particular purpose, the descriptions in this section do not pertain to every system.
Block device A block device is an I/O (input/output) device that has the following characteristics:
• Able to perform random access reads
• Has a specific block size
• Handles only single blocks of data at a time
• Accepts only transactions that involve whole blocks of data
• Able to have a filesystem mounted on it
• Has the Linux kernel buffer its input and output
• Appears to the operating system as a series of blocks numbered from 0
through n - 1, where n is the number of blocks on the device
Block devices commonly found on a Linux system include hard disks, floppy diskettes, and CDs.
Character device A character device is any device that is not a block device. Examples of character
devices include printers, terminals, tape drives, and modems.
The device driver for a character device determines how a program reads from and
writes to that device. For example, the device driver for a terminal allows a program
to read the information you type on the terminal in two ways. First, a program can
read single characters from a terminal in raw mode—that is, without the driver
doing any interpretation of the characters. (This mode has nothing to do with the
raw device described in the following section.) Alternatively, a program can read
one line at a time. When a program reads one line at a time, the driver handles the
erase and kill characters so the program never sees typing mistakes that have been
corrected. In this case, the program reads everything from the beginning of a line to
the RETURN that ends a line; the number of characters in a line can vary.

RAW DEVICES
Device driver programs for block devices usually have two entry points so they can
be used in two ways: as block devices or as character devices. The character device
form of a block device is called a raw device. A raw device is characterized by
• Direct I/O (no buffering through the Linux kernel).
• One-to-one correspondence between system calls and hardware requests.
• Device-dependent restrictions on I/O.
fsck An example of a utility that uses a raw device is fsck. It is more efficient for fsck to
operate on the disk as a raw device rather than being restricted by the fixed size of
blocks in the block device interface. Because it has full knowledge of the underlying


filesystem structure, fsck can operate on the raw device using the largest possible
units. When a filesystem is mounted, processes normally access the disk through the
block device interface, which explains why it is important to allow fsck to modify
only unmounted filesystems. On a mounted filesystem, there is the danger that, while
fsck is rearranging the underlying structure through the raw device, another process
could change a disk block using the block device, resulting in a corrupted filesystem.

FILESYSTEMS
Table 12-1 lists some types of filesystems available under Linux.

Table 12-1 Filesystems

Filesystem   Features
adfs         Advanced Disc Filing System. Used on Acorn computers. The word Advanced
             differentiated this filesystem from its predecessor DFS, which did not support
             advanced features such as hierarchical filesystems.
affs         Amiga Fast Filesystem (FFS).
autofs       Automounting filesystem (page 792).
cifs         Common Internet Filesystem (page 1141). Formerly the Samba Filesystem (smbfs).
coda         CODA distributed filesystem (developed at Carnegie Mellon).
devpts       A pseudofilesystem for pseudoterminals (page 490).
ext2         A standard filesystem for Ubuntu systems, usually with the ext4 extension.
ext3         A journaling (page 1155) extension to the ext2 filesystem. It greatly improves
             recovery time from crashes (it takes a lot less time to run fsck), promoting
             increased availability. As with any filesystem, a journaling filesystem can lose
             data during a system crash or hardware failure.
ext4         An extension to the ext3 filesystem. It is backward compatible with ext2/ext3
             filesystems and provides improved performance over the ext3 filesystem.
GFS          Global Filesystem. GFS is a journaling, clustering filesystem. It enables a cluster
             of Linux servers to share a common storage pool.
hfs          Hierarchical Filesystem. Used by older Macintosh systems. Newer Macintosh
             systems use hfs+.
hpfs         High-Performance Filesystem. The native filesystem for IBM's OS/2.
jffs2        Journaling Flash Filesystem (jffs). A filesystem for flash memory.
iso9660      The standard filesystem for CDs.
minix        Very similar to Linux. The filesystem of a small operating system that was written
             for educational purposes by Andrew S. Tanenbaum (www.minix3.org).

506

CHAPTER 1 2

FILES, D I R E C T O R I E S , A N D FILESYSTEMS

Table 12-1

mount:

Filesystems (continued)

Filesystem

Features

msdos

Filesystem used by DOS and subsequent Microsoft operating systems. Do not
use msdos for mounting Windows filesystems; it does not read VFAT
attributes.

ncpfs

Novell NetWare NCP Protocol Filesystem. Used to mount remote filesystems
under NetWare.

nfs

Network Filesystem. Developed by Sun Microsystems, this protocol allows a
computer to access remote files over a network as if the files were local
(page 773).

ntfs

NT Filesystem. The native filesystem of Windows NT. Seewww.linux-ntfs.org.

proc

An interface to several Linux kernel data structures (page 1144) that behaves
like a filesystem (page 497).

qnx4

QNX 4 operating system filesystem.

reiserfs

A journaling (page 1155) filesystem, based on balanced-tree algorithms. See
ext4 for more on journaling filesystems.

romfs

A dumb, readonly filesystem used mainly for RAM disks [page 1168) during
installation.

smbfs

Samba Filesystem (deprecated). See cifs.

software RAID

RAID implemented in software. Refer to "RAID" on page 40.

sysv

System V UNIX filesystem.

ufs

Default filesystem under Sun's Solaris operating system and other UNIXs.

umsdos

A full-feature UNIX-like filesystem that runs on top of a DOS FAT filesystem.

vfat

Developed by Microsoft, a standard that allows long filenames on FAT
partitions.

VxFS

Veritas Extended Filesystem. The first commercial journaling (page 1155)
filesystem, popular under HP-UX and Solaris.

xfs

SGI's journaling filesystem (ported from Irix).

M O U N T S A FILESYSTEM
The mount utility connects directory hierarchies—typically filesystems—to the Linux
directory hierarchy. These directory hierarchies can be on remote and local disks,
CDs, DVDs, and floppy diskettes. Linux can also mount virtual filesystems that have
been built inside ordinary files, filesystems built for other operating systems, and the
special /proc filesystem (page 497), which maps useful Linux kernel information to a
pseudodirectory. This section covers mounting local filesystems; refer to page 773
for information on using NFS to mount remote directory hierarchies. See /dev on
page 488 for information on device names.
Mount point   The mount point for the filesystem/directory hierarchy that you are mounting is a
directory in the local filesystem. This directory must exist before you can mount a
filesystem; its contents disappear as long as a filesystem is mounted on it and reappear
when you unmount the filesystem. See page 35 for a discussion of mount points.
Without any arguments, mount lists the currently mounted filesystems, showing the
physical device holding each filesystem, the mount point, the type of filesystem, and
any options set when each filesystem was mounted. The mount utility gets this
information from the /etc/mtab file (page 494).
$ mount
/dev/sda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/dev/sda2 on /home type ext4 (rw)
/dev/sda5 on /p15 type ext4 (rw)
/dev/sda6 on /p16 type ext4 (rw)
/dev/sda1 on /p01 type ext4 (rw)
//jam/C on /jam/c type cifs (rw,mand)
dog:/p04 on /p04 type nfs (rw,addr=192.168.0.12)
/dev/hdb on /media/cdrom0 type iso9660 (ro,noexec,nosuid,nodev,user=sam)
The first entry in the preceding example shows the root filesystem, which is
mounted on /. The second entry shows the /proc pseudofilesystem (page 497). The
next four entries identify disk partitions holding standard Linux ext4 filesystems.
The directory /jam/c has a cifs (Windows) filesystem mounted on it using Samba.
You can use Linux utilities and applications to access the Windows files and
directories on this partition as if they were Linux files and directories. The line starting
with dog shows a mounted, remote NFS filesystem. The last line shows the CD at
/dev/hdb mounted on /media/cdrom0.
If the list of filesystems in /etc/mtab is not correct, see the tip on page 494.

Do not mount anything on root (/)
caution   Always mount network directory hierarchies and removable devices at least one level below the root
level of the filesystem. The root filesystem is mounted on /; you cannot mount two filesystems in
the same place. If you were to try to mount something on /, all files, directories, and filesystems
that were under the root directory would no longer be available, and the system would crash.
When you add a line for a filesystem to the /etc/fstab file (page 492), you can
mount that filesystem by giving the associated mount point or device name as the
argument to mount. For example, the CD listed earlier was mounted using the following command:
$ mount /media/cdrom0


This command worked because /etc/fstab contains the additional information
needed to mount the filesystem. An ordinary user was able to mount the filesystem
because of the user option:
/dev/hdb        /media/cdrom0   udf,iso9660   user,nosuid,noauto   0   0

You can also mount filesystems that do not appear in /etc/fstab. For example, when
you insert a floppy diskette that holds a DOS filesystem into the floppy diskette
drive, you can mount that filesystem using the following command:
$ sudo mount -t msdos /dev/fd0 /media/floppy0
The -t msdos option specifies a filesystem type of msdos. You can mount DOS filesystems only if you have configured the Linux kernel (page 571) to accept DOS
filesystems. You do not need to mount a DOS filesystem to read from and write to
it, such as when you use mcopy (page 173). However, you do need to mount a DOS
filesystem to use Linux commands (other than Mtools commands) on files on the
filesystem (which may be on a diskette).
MOUNT OPTIONS
The mount utility takes many options, which you can specify either on the command line or in the /etc/fstab file (page 510). For a complete list of mount options
for local filesystems, see the mount man page; for remote directory hierarchies, see
the nfs man page.
The noauto option causes Linux not to mount the filesystem automatically. The
nosuid option forces mounted setuid executables to run with regular permissions
(no effective user ID change) on the local system (the system that mounted the
filesystem).

Mount removable devices with the nosuid option
security Always mount removable devices with the nosuid option so that a malicious user cannot, for
example, put a setuid copy of bash on a disk and have a shell with root privileges. By default,
Ubuntu uses the nosuid option when mounting removable media.
Unless you specify the user, users, or owner option, only a user running with root
privileges can mount and unmount a filesystem. The user option allows any user to
mount the filesystem, but the filesystem can be unmounted only by the user who
mounted it; the users option allows any user to mount and unmount the filesystem.
These options are frequently specified for CD, DVD, and floppy drives. The owner
option, which is used only under special circumstances, is similar to the user option
except that the user mounting the device must own the device.
MOUNTING A LINUX FLOPPY DISKETTE
Mounting a Linux floppy diskette is similar to mounting a partition of a hard disk.
If it does not already exist, put an entry similar to the following in /etc/fstab for a
diskette in the first floppy drive:
/dev/fd0        /media/floppy0   auto   rw,user,nosuid,noauto   0   0
Specifying a filesystem type of auto causes the system to probe the filesystem to
determine its type and allows users to mount a variety of diskettes. Create the
/media/floppy0 directory if necessary. Insert a diskette and try to mount it. The diskette
must be formatted (use fdformat, which deletes all data on a diskette). In the
following example, the error message following the first command usually indicates
there is no filesystem on the diskette. In some cases, the mount command may hang.
If this problem occurs, pop the diskette out to display a prompt. Use mkfs
(page 458) to create a filesystem—but be careful, because mkfs destroys all data on
the diskette.
$ mount /dev/fd0
mount: I could not determine the filesystem type, and none was specified
$ mkfs /dev/fd0
mke2fs 1.41.11 (14-Mar-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=1572864
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 36 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Now try the mount command again:
$ mount /dev/fd0
$ mount
/dev/fd0 on /media/floppy0 type ext2 (rw,noexec,nosuid,nodev,user=sam)
$ df -h /dev/fd0
Filesystem            Size  Used Avail Use% Mounted on
/dev/fd0              1.4M   19K  1.3M   2% /media/floppy0

The mount command without any arguments and df -h /dev/fd0 show that the
floppy diskette is mounted and ready for use.

umount: UNMOUNTS A FILESYSTEM
The umount utility unmounts a filesystem as long as it does not contain any files or
directories that are in use (open). For example, a logged-in user's working directory


cannot be on the filesystem you want to unmount. The next command unmounts
the CD mounted earlier:
$ umount /media/cdrom0

Unmount a floppy or a remote (NFS) directory hierarchy the same way you would
unmount a partition of a hard drive.
The umount utility consults /etc/fstab to get the necessary information and then
unmounts the appropriate filesystem from its server. When a process has a file open
on the filesystem that you are trying to unmount, umount displays a message similar
to the following:
umount: /home: device is busy

When you cannot unmount a device because it is in use
tip   When a process has a file open on a device you need to unmount, use fuser to determine which
process has the file open and to kill it. For example, when you want to unmount a floppy diskette,
give the command fuser -ki /media/floppy0 (substitute the mount point for the diskette on the
local system for /media/floppy0). After checking with you, this command kills the process(es)
using the diskette.
Use the -a option to umount to unmount all mounted filesystems that are not in use.
You can never unmount the filesystem mounted at /. You can combine -a with the -t
option to unmount filesystems of a given type (ext4, nfs, or others). For example, the
following command unmounts all mounted nfs directory hierarchies that are not in use:
$ sudo umount -at nfs

fstab: KEEPS TRACK OF FILESYSTEMS
The system administrator maintains the /etc/fstab file, which lists local and remote
directory hierarchies, most of which the system mounts automatically when it
boots. The fstab file has six columns, where a hyphen is a placeholder for a column
that has no value:
1. Name—The name, label, or UUID number of a local block device
(page 504) or a pointer to a remote directory hierarchy. When you install
the system, Ubuntu uses UUID numbers for fixed devices. It prefaces each
line in fstab that specifies a UUID with a comment that specifies the device
name. Using UUID numbers in fstab during installation circumvents the
need for consistent device naming. Because udev (page 502) manages
device naming dynamically, the installer may not be aware, for example,
that the first disk is not named /dev/hda1 but rather /dev/sda1, but it
always knows the UUID number of a device. Using UUID numbers to
identify devices also keeps partitions and mount points correctly correlated when you remove or swap devices. See /dev/disk/by-uuid (page 489)
for more information on UUID numbers. You can use the volume label of
a local filesystem by using the form LABEL=xx, where xx is the volume
label. Refer to e2label on page 458.
A remote directory hierarchy appears as hostname:pathname, where hostname is the name of the remote system that houses the filesystem, and
pathname is the absolute pathname (on the remote system) of the directory that is to be mounted.
2. Mount point—The name of the directory file that the filesystem/directory
hierarchy is to be mounted on. If it does not already exist, create this
directory using mkdir. See pages 35 and 507.
3. Type—The type of filesystem/directory hierarchy that is to be mounted.
Local filesystems are generally of type ext2, ext4, or iso9660, and remote
directory hierarchies are of type nfs or cifs. Table 12-1 on page 505 lists
filesystem types.
4. Mount options—A comma-separated list of mount options, such as
whether the filesystem is mounted for reading and writing (rw, the default)
or readonly (ro). See pages 508 and 778, and refer to the mount and nfs
man pages for lists of options.
5. Dump—Used by dump (page 603) to determine when to back up the
filesystem.
6. Fsck—Specifies the order in which fsck checks filesystems. Root (/) should
have a 1 in this column. Filesystems that are mounted to a directory just
below the root directory should have a 2. Filesystems that are mounted
on another mounted filesystem (other than root) should have a 3. For
example, if local is a separate filesystem from /usr and is mounted on /usr
(as /usr/local), then local should have a 3. Filesystems and directory hierarchies that do not need to be checked (for example, remotely mounted
directory hierarchies and CDs/DVDs) should have a 0.
The following example shows a typical fstab file:
$ cat /etc/fstab
# /etc/fstab: static file system information.
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=8f3c51c2-a42c-49b1-9f03-db2140cb7eb5 /               ext4    defaults,errors=remount-ro 0       1
# /home was on /dev/sda2 during installation
UUID=39fc600f-91d5-4c9f-8559-727050b27645 /home           ext4    defaults        0       2
# swap was on /dev/sda3 during installation
UUID=a68fb957-2ae7-4ae5-8656-23a1cf8fcd14 none            swap    sw              0       0
/dev/sda5       /p15            ext4    defaults        0       2
/dev/sda6       /p16            ext4    defaults        0       2
/dev/sdb        /media/cdrom0   udf,iso9660 user,nosuid,noauto 0       0
/dev/fd0        /media/floppy0  auto    rw,user,nosuid,noauto 0       0
dog:/p04        /p04            nfs     defaults        0       0


In the preceding example, /p15 and /p16 do not use UUID numbers because these
devices were added to fstab by the administrator after the system was installed.
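The following script is an added example, not code from the book: it parses the six fstab columns described above and checks each entry against two points this chapter makes, the nosuid requirement for removable media that ordinary users may mount (the security tip under "Mount options") and the values expected in the fsck pass column. The fstab it audits by default is a constructed sample modelled on the listing above (the UUID is a placeholder); pass the path of a real fstab as the first argument to audit that file instead.

```shell
#!/bin/sh
# Added example (not from the book): audit an fstab file against the rules
# stated in this chapter. Usage: ./audit_fstab.sh [fstab]

# Print one line per problem found in the fstab file named by $1.
# Columns, in the order the chapter lists them:
#   $1 device  $2 mount point  $3 type  $4 options  $5 dump  $6 fsck pass
audit_fstab() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }          # skip blank lines and comments
        NF < 4 { printf "%s: malformed entry (%d columns)\n", $1, NF; next }
        {
            dev = $1; mnt = $2; type = $3; opts = $4
            pass = (NF >= 6) ? $6 : 0              # a missing pass column counts as 0
            n = split(opts, o, ",")
            user_mountable = 0; nosuid = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "user" || o[i] == "users" || o[i] == "owner") user_mountable = 1
                if (o[i] == "nosuid") nosuid = 1
            }
            # Security tip: media that ordinary users may mount must carry nosuid,
            # so a setuid executable on the disk runs with regular permissions.
            if (user_mountable && !nosuid)
                printf "%s on %s: user-mountable without nosuid\n", dev, mnt
            # Fsck column: root should be 1; remote hierarchies and CDs/DVDs 0.
            if (mnt == "/" && pass != 1)
                printf "%s on /: fsck pass is %s, expected 1\n", dev, pass
            if (type ~ /(^|,)(nfs|cifs|iso9660)(,|$)/ && pass != 0)
                printf "%s on %s: %s should not be fsck-checked (pass %s)\n", dev, mnt, type, pass
        }' "$1"
}

# Write a constructed fstab (modelled on the chapter listing) to the file named by $1.
# Two deliberate mistakes: the floppy entry lacks nosuid and the NFS entry has pass 2.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/fstab
proc                  /proc           proc        defaults                   0 0
UUID=ROOT-PLACEHOLDER /               ext4        defaults,errors=remount-ro 0 1
/dev/sda5             /p15            ext4        defaults                   0 2
/dev/sdb              /media/cdrom0   udf,iso9660 user,nosuid,noauto         0 0
/dev/fd0              /media/floppy0  auto        rw,user,noauto             0 0
dog:/p04              /p04            nfs         defaults                   0 2
EOF
}

if [ -n "$1" ]; then
    audit_fstab "$1"
else
    sample=$(mktemp)
    write_sample_fstab "$sample"
    audit_fstab "$sample"      # reports the /dev/fd0 and dog:/p04 entries
    rm -f "$sample"
fi
```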

fsck: CHECKS FILESYSTEM INTEGRITY
The fsck (filesystem check) utility verifies the integrity of filesystems and, if possible,
repairs problems it finds. Because many filesystem repairs can destroy data, particularly on nonjournaling filesystems (page 1155), such as ext2, by default fsck asks
you for confirmation before making each repair.

Do not run fsck on a mounted filesystem
caution   Do not run fsck on a mounted filesystem. When you attempt to check a mounted filesystem, fsck
warns you and asks whether you want to continue. Reply no. You can run fsck with the -N option
on a mounted filesystem because it will not write to the filesystem; as a result, no harm can come
of running it. See page 504 for more information.
When fsck repairs a damaged filesystem, it may find unlinked files: files that have
lost their directory information. These files have no filenames. The fsck utility gives
these files their inode numbers as names and stores them in the lost+found directory
(page 488) in the filesystem that holds the file. You can use file (page 170) to determine the type of these files and less to view readable files. Because ls -l displays the
name of the owner of these files, you can return them to their owners.
The following command checks all unmounted filesystems that are marked to be
checked in /etc/fstab (page 510) except for the root filesystem:
$ sudo fsck -AR

The -A option causes fsck to check filesystems listed in fstab. When used with the
-A option, the -R option causes fsck not to check the root filesystem. You can check
a specific filesystem with a command similar to one of the following:
$ sudo fsck /home

or
$ sudo fsck /dev/sda2

tune2fs: CHANGES FILESYSTEM PARAMETERS
The tune2fs utility displays and modifies filesystem parameters on ext2, ext3, and
ext4 filesystems. This utility can also set up journaling on an ext2 filesystem, turning
it into an ext3 filesystem. With the introduction of increasingly more reliable hardware and software, systems tend to be rebooted less frequently, so it is important to
check filesystems regularly. By default, fsck is run on each partition while the system
is brought up, before the partition is mounted. (The checks scheduled by tune2fs are
separate and scheduled differently from the checks that are done following a system
crash or hard disk error [see the previous section].)
Depending on the flags, fsck may do nothing more than display a message saying
the filesystem is clean. The larger the partition, the more time it takes to check it,
assuming a nonjournaling filesystem. These checks are often unnecessary. The
tune2fs utility helps you to find a happy medium between checking filesystems each


time you reboot the system and never checking them. It does so by scheduling when
fsck checks a filesystem (these checks occur only when the system is booted).[1] You
can use two scheduling patterns: time elapsed since the last check and number of
mounts since the last check. The following command causes fsck to check /dev/sda5
after it has been mounted eight times or after 15 days have elapsed since its last
check, whichever happens first:
$ sudo tune2fs -c 8 -i 15 /dev/sda5
tune2fs 1.41.11 (14-Mar-2010)
Setting maximal mount count to 8
Setting interval between checks to 1296000 seconds

The next tune2fs command is similar but works on a different partition and sets the
current mount count to 4. When you do not specify a current mount count, it is set
to zero:
$ sudo tune2fs -c 8 -i 15 -C 4 /dev/sda6
tune2fs 1.41.11 (14-Mar-2010)
Setting maximal mount count to 8
Setting current mount count to 4
Setting interval between checks to 1296000 seconds

The -l option lists a variety of information about the partition. You can combine
this option with others. A maximum mount count of -1 or 0 means fsck and the
kernel will ignore the mount count information.
$ sudo tune2fs -l /dev/sda6
tune2fs 1.41.11 (14-Mar-2010)
Filesystem volume name:
Last mounted on:          /home
Filesystem UUID:          e1adfa6b-39e8-4658-82ac-6f75ecdb82c4
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash
Default mount options:    (none)
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              1253376
Block count:              5012992
Reserved block count:     250649
Free blocks:              4278628
Free inodes:              1110959
First block:              0
Block size:               4096
Fragment size:            4096

[1] For systems whose purpose in life is to run continuously, this kind of scheduling does not work. You
must develop a schedule that is not based on system reboots but rather on a clock. Each filesystem must
be unmounted periodically, checked with fsck (preceding section), and then remounted.


Set the filesystem parameters on the local system so they are appropriate to the way
you use it. When using the mount count to control when fsck checks filesystems, use
the -C option to stagger the checks to ensure all checks do not occur at the same
time. Always make sure new and upgraded filesystems have checks scheduled as
you desire.
ext2 to ext3 To change an ext2 filesystem to an ext3 filesystem, you must put a journal
(page 1155) on the filesystem, and the kernel must support ext3 filesystems. Use the
-j option to set up a journal on an unmounted filesystem:
$ sudo tune2fs -j /dev/sda5
tune2fs 1.41.11 (14-Mar-2010)
Creating journal inode: done
This filesystem will be automatically checked every 8 mounts or
15 days, whichever comes first. Use tune2fs -c or -i to override.
Before you can use fstab (page 492) to mount the changed filesystem, you must
modify its entry in the fstab file to reflect its new type. To do so, change the third
column to ext3.
ext3 to ext2 The following command changes an unmounted or readonly ext3 filesystem to an
ext2 filesystem:
$ sudo tune2fs -O ^has_journal /dev/sda5
tune2fs 1.41.11 (14-Mar-2010)
Speeding lookups   The dir_index option, which is off by default, adds a balanced-tree binary hash
lookup method for directories. This feature improves scalability of directories with
large numbers of files, although it means that the hash needs to be updated each
time a directory changes. Turn on using tune2fs -O dir_index and reboot to create
the hash.
Refer to the tune2fs man page for more details.

RAID FILESYSTEM
RAID (Redundant Arrays of Inexpensive/Independent Disks) spreads information
across several disks so as to combine several physical disks into one larger virtual
device. RAID improves performance and may create redundancy. For more information see page 40.

CHAPTER SUMMARY
Filesystems hold directories of files. These structures store user data and system
data that are the basis of users' work on the system and the system's existence.
Linux supports many types of files, including ordinary files, directories, links, and
special files. Special files provide access to operating system features. The kernel
uses major and minor device numbers to identify classes of devices and specific
devices within each class. Character and block devices represent I/O devices such as


hard disks and printers. Inodes, which are identified by inode numbers, are stored
on disk and define a file's existence.
When the system comes up, the /etc/fstab file controls which filesystems are
mounted and how they are mounted (readonly, read-write, and so on). After a system crash, filesystems are automatically verified and repaired if necessary by fsck.
You can use tune2fs to force the system to cause fsck to verify a filesystem periodically when the system boots.

EXERCISES
1. What is the function of the /etc/hosts file? Which services can you use in
place of, or to supplement, the hosts file?
2. What does the /etc/resolv.conf file do? What do the nameserver lines in
this file do?
3. What is an inode? What happens to the inode when you move a file within
a filesystem?
4. What does the .. entry in a directory point to? What does this entry point
to in the root (/) directory?
5. What is a device file? Where are device files located?
6. What is a FIFO? What does FIFO stand for? What is another name for a
FIFO? How does a FIFO work?

ADVANCED EXERCISES
7. Write a line for the /etc/fstab file that mounts the /dev/hdb1 ext4 filesystem on /extra with the following characteristics: The filesystem will not
be mounted automatically when the system boots, and anyone can mount
and unmount the filesystem.
8. Without using rm, how can you delete a file? (Hint: How do you rename a file?)
9. After burning an ISO image file named image.iso to a CD on /dev/hdc,
how can you can verify the copy from the command line?
10. Why should /var reside on a separate partition from /usr?
11. Create a FIFO. Using the shell, demonstrate that two users can use this
FIFO to communicate asynchronously.
12. How would you mount an ISO image so you could copy files from it without burning it to a CD?

13
DOWNLOADING AND INSTALLING SOFTWARE

IN THIS CHAPTER
JumpStart: Installing and Removing Packages Using aptitude . . . 519
Finding the Package That Holds a File You Need . . . 521
APT: Keeps the System Up-to-Date . . . 522
The apt cron Script and APT Configuration Files . . . 524
aptitude: Works with Packages and the Local Package Index . . . 526
dpkg: The Debian Package Management System . . . 532
BitTorrent . . . 539
Installing Non-dpkg Software . . . 541
wget: Downloads Files Noninteractively . . . 543

A software package is the collection of scripts, programs, files,
and directories required to install and run applications, utilities,
servers, and system software. A package also includes a list of
other packages that the package depends on (dependencies).
Using software packages makes it easier to transfer, install, and
uninstall software. A package contains either executable files or
source code files. Executable files are precompiled for a specific
processor architecture and operating system, whereas source
files need to be compiled but will run on a wide range of
machines and operating systems.

Software package formats   Software packages come in different formats. Ubuntu uses dpkg (page 532), which
was the first Linux packaging system to incorporate dependency information; it gets
its name from the Linux distribution it was developed on (Debian). Other formats
include rpm (used on Red Hat, SuSE, and other systems), yum, the GNU Configure
and Build System (page 542), and compressed tar. Formats such as compressed tar,
which were popular before the introduction of dpkg, are used less often today
because they require more work on the part of the installer (you) and do not provide the dependency and compatibility checking that dpkg offers.
dpkg   The Debian package management system is referred to as the dpkg management
system, or just dpkg. This system is a collection of more than 20 utilities that manage and report on dpkg packages, both those installed on the system and those
available from online repositories. Give the command dpkg TAB TAB (press TAB twice) or
apropos dpkg to display a list of dpkg utilities.
deb files   The dpkg utilities work with files whose names end in .deb and are referred to as
deb files (page 533) or (software) packages.
APT   APT (Advanced Package Tool) is a collection of utilities that, together with dpkg,
work with software packages. APT downloads software packages, while dpkg
installs, removes, maintains, manages dependencies of, and reports on software
packages. Give the command apt TAB TAB or apropos apt to display a list of APT utilities (and a few other things).
Kernel source code   See Chapter 15 for information on downloading, compiling, and installing kernel
source code.
Graphical interfaces   Several pseudographical and graphical interfaces to dpkg and APT are available.
Among the most popular are Synaptic (page 133), aptitude, and dselect.

Repositories

APT downloads package headers and packages from servers called repositories that can
reside on the Internet, a CD, or a local network. See page 522 for more information.

Bug tracking   Ubuntu uses Launchpad, which belongs to a class of programs formally known as
defect tracking systems, to track bugs (launchpad.net for information about
Launchpad and launchpad.net/ubuntu to use it). You can use Launchpad to read
about existing bugs and to report new ones. Ubuntu uses Bazaar for source code
version control (bazaar.canonical.com and wiki.ubuntu.com/Bzr). Launchpad
allows you to track any project that uses Bazaar version control.
Keeping software up-to-date   Of the many reasons to keep software up-to-date, one of the most important is
security. Although you may hear about software-based security breaches after the
fact, you rarely hear about the fixes that were available but never installed before
the breach occurred. Timely installation of software updates is critical to system
security. Linux open-source software is the ideal environment to find and fix bugs
and make repaired software available quickly. When you keep the system and application software up-to-date, you keep abreast of bug fixes, new features, support for
new hardware, speed enhancements, and more.
As shipped, most versions of Ubuntu check for updates daily and advise you when
updates are available (page 112). Use the Software Sources window (page 131),
Updates tab to change these options.

JUMPSTART: INSTALLING AND REMOVING PACKAGES USING aptitude

This section explains how to install packages on and remove packages from a system using aptitude, a versatile tool that is part of APT. The aptitude utility has two
interfaces: pseudographical and textual. This chapter covers the textual interface.
Give the command aptitude without arguments to display the pseudographical
interface. Information on this interface is available in the aptitude user's manual
(algebraicthunk.net/~dburrows/projects/aptitude/doc/en).
If you do not know the name of the package you want to install, see page 521. If
you want aptitude to download packages that are not supported by Ubuntu, you
must add the repositories that hold those packages to the sources.list file; see
page 523.
Before using aptitude to install a package, give the command sudo aptitude update
to update the local list of packages (more about this process on page 528). By
default, the apt cron script (page 524) updates this list daily. Even so, it is a good
idea to give this command periodically until you are sure the script is updating
the list.
aptitude install The following example calls aptitude to install the tcsh shell, which is part of the tcsh
package:
$ sudo aptitude install tcsh
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed:
  tcsh
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 359kB of archives. After unpacking 733kB will be used.
Writing extended state information... Done
Get:1 http://us.archive.ubuntu.com/ubuntu/ lucid/universe tcsh 6.17.00-3 [359kB]
Fetched 359kB in 4s (80.9kB/s)
Selecting previously deselected package tcsh.
(Reading database ... 123213 files and directories currently installed.)
Unpacking tcsh (from .../tcsh_6.17.00-3_i386.deb) ...
Processing triggers for man-db ...
Setting up tcsh (6.17.00-3) ...
update-alternatives: using /bin/tcsh to provide /bin/csh (csh) in auto mode.
The next command installs the apache2.2-common package. Because this package
depends on other packages, and because these packages are not installed, aptitude
lists the packages it will automatically install in addition to the one you asked it to
install. When aptitude is going to install more packages than you requested, it asks if
you want to continue. Reply y if you want to continue or n if you want to quit.

520

CHAPTER 13

DOWNLOADING AND INSTALLING SOFTWARE

$ sudo aptitude install apache2.2-common
The following NEW packages will be installed:
  apache2-utils{a} apache2.2-bin{a} apache2.2-common libapr1{a}
  libaprutil1{a} libaprutil1-dbd-sqlite3{a} libaprutil1-ldap{a}
0 packages upgraded, 7 newly installed, 0 to remove and 7 not upgraded.
Need to get 3,318kB of archives. After unpacking 9,994kB will be used.
Do you want to continue? [Y/n/?] y

When you install some packages, aptitude lists suggested packages. Suggested packages
may be useful but are not required with the package you are installing.
aptitude remove The aptitude remove command removes a package but leaves its configuration files in
place, allowing you to reinstall the package without having to reconfigure it. Use purge
(discussed next) in place of remove to remove a package and its configuration files.
$ sudo aptitude remove tcsh
The following packages will be REMOVED:
  tcsh
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 733kB will be freed.
Writing extended state information... Done
(Reading database ... 123237 files and directories currently installed.)
Removing tcsh ...

Automatically removes dependencies When aptitude removes a package, it also removes the dependent packages it
automatically installed when it installed the original package. The following example
removes apache2.2-common and its dependencies:
$ sudo aptitude remove apache2.2-common
The following packages will be REMOVED:
  apache2-utils{u} apache2.2-bin{u} apache2.2-common libapr1{u}
  libaprutil1{u} libaprutil1-dbd-sqlite3{u} libaprutil1-ldap{u}
0 packages upgraded, 0 newly installed, 7 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 9,994kB will be freed.
Do you want to continue? [Y/n/?] y
aptitude purge The next example uses an alternative approach, the aptitude purge command, to
remove apache2.2-common, its dependencies, and all configuration files. The {p}
following apache2.2-common indicates that aptitude is removing (purging)
apache2.2-common's configuration files, as does the last line of the example.
$ sudo aptitude purge apache2.2-common
The following packages will be REMOVED:
  apache2-utils{u} apache2.2-bin{u} apache2.2-common{p} libapr1{u}
  libaprutil1{u} libaprutil1-dbd-sqlite3{u} libaprutil1-ldap{u}
0 packages upgraded, 0 newly installed, 7 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 9,994kB will be freed.
Do you want to continue? [Y/n/?] y
Writing extended state information... Done
(Reading database ... 123778 files and directories currently installed.)
Removing apache2.2-common ...
Purging configuration files for apache2.2-common ...

FINDING THE PACKAGE THAT HOLDS A FILE YOU NEED
tip Finding a package with a name that sounds like...
The aptitude search command looks for packages with names that match a pattern. For example,
the command aptitude search vnc displays a list of packages that have vnc in their names. See
page 529 for more information.
You may know the name of a file or utility you need but not know the name of the
package that holds the file. There are several ways that you can locate a package
that holds a file. The Ubuntu Web page, packages.ubuntu.com, allows you to search
for packages based on several criteria. Partway down the page is a section titled
Search that gives you two ways to search for packages. You can use the second,
Search the contents of packages, to search for a package that holds a specific file.
Enter the name of the file in the text box labeled Keyword, click the radio button
labeled packages that contain files named like this, select the distribution and architecture you are working with, and click Search. The browser displays a list of packages that hold the file you are looking for. For example, suppose you are compiling
a program and get the following error message:
xv.h:174:22: error: X11/Xlib.h: No such file or directory
You are working on an Intel x86-compatible system running Lucid and need the file
Xlib.h located in the X11 directory. When you enter X11/Xlib.h in the text box
labeled Keyword (on packages.ubuntu.com), the browser displays the following list:
usr/include/X11/Xlib.h                              libx11-dev
usr/lib/TenDRA/lib/include/x5/lib.api/X11/Xlib.h    tendra

Click the package name on the right to display more information about the package
holding the file listed on the left. The most likely candidate is the first entry, which
is supported by Ubuntu and is the most generic. You can install this package using
the following command:
$ sudo aptitude install libx11-dev
apt-file You can also use the apt-file utility to search for a package containing a specified file.
Before you can use this utility, you must install it and update the package list on the
local system. Updating the package list takes a few minutes. Because apt-file displays


multiple, sequential, identical lines, you can pipe its output through uniq (page 168)
to make the job of finding the right package easier:
$ sudo aptitude install apt-file
$ sudo apt-file update
$ apt-file search X11/Xlib.h | uniq
ivtools-dev: usr/include/IV-X11/Xlib.h
libghc6-x11-dev: usr/lib/X11-1.2.1/ghc-6.6.1/Graphics/X11/Xlib.hi
libhugs-x11-bundled: usr/lib/hugs/packages/X11/Graphics/X11/Xlib.hs
libx11-dev: usr/include/X11/Xlib.h
tendra: usr/lib/TenDRA/lib/include/x5/lib.api/X11/Xlib.h
Again, the most generic package (the next-to-last one listed) is probably the one you
want. While apt-cache (page 530) searches installed packages only, the aptitude
search command (page 529) and apt-file search all packages from the repositories
listed in /etc/apt/sources.list, including packages that have not been downloaded.
See also dpkg --search (page 538) and dpkg --listfiles (page 538) for other ways of
searching for files.

APT: KEEPS THE SYSTEM UP-TO-DATE
APT (Advanced Package Tool) is a collection of utilities that download, install,
remove, upgrade, and report on software packages. APT utilities download packages
and call dpkg (page 532) utilities to manipulate the packages once they are on the local
system. For more information refer to www.debian.org/doc/manuals/apt-howto.

REPOSITORIES
Repositories hold collections of software packages and related information, including headers that describe each package and provide information on other packages
the package depends on. Ubuntu maintains repositories for each of its releases.
Software package categories Software packages from Ubuntu repositories are divided into several categories,
including the following:
• main—Ubuntu-supported open-source software
• universe—Community-maintained open-source software
• multiverse—Software restricted by copyright or legal issues
• restricted—Proprietary device drivers
• partner—Packages that are not part of Ubuntu; offered by other vendors
• backports—Packages from later releases of Ubuntu that are not available
for an earlier release
APT selects packages from repositories it searches based on the categories specified
in the sources.list file (next). You do not need to reconfigure APT to install supported
software. You may get the following error message when you try to install a package:


$ sudo aptitude install xxx
Couldn't find package "xxx". However, the following
packages contain "xxx" in their name:
  mixxx mixxx-data
No packages will be installed, upgraded, or removed.
This message means that the package you requested does not exist in the repositories
that APT is searching (as specified in sources.list). It may also mean that the package
does not exist; check the spelling. If you are not running the latest version of Ubuntu,
it may be available on a later version; try enabling the backports repository in
sources.list (discussed next).

sources.list: SPECIFIES REPOSITORIES FOR APT TO SEARCH

The /etc/apt/sources.list file specifies the repositories APT searches when you ask it
to find or install a package. You must modify the sources.list file to enable APT to
download software from nondefault repositories. You can use software-properties-gtk
to display the Software Sources window to modify sources.list (as explained on
page 131) or you can use an editor to modify it (as explained in this section).
Each line in sources.list describes one repository and has the following format:
type URI repository category-list
where type is deb (page 533) for packages of executable files and deb-src for packages of source files; URI is the location of the repository, usually cdrom or an Internet
address that starts with http://; repository is the name of the repository that APT is to
search; and category-list is a SPACE-separated list of categories (see "Software package
categories" in the preceding section) that APT selects packages from. When a line
specifies a non-Ubuntu repository, the repository and category-list may have other
values. Comments begin with a hashmark (#) anywhere on a line and end at the end
of the line. The comment #Added by software-properties indicates that software-properties-gtk added the line to sources.list.
The following line from sources.list causes APT to search the Lucid archive located
at us.archive.ubuntu.com/ubuntu for deb packages that contain executable files. It
accepts packages that are categorized as main or restricted:
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
Replacing deb with deb-src causes APT to search in the same manner for packages
of source files. Use the apt-get source command to download source packages
(page 532).
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
Default repositories The default sources.list file includes repositories such as lucid (Lucid as originally
released), lucid-updates (major bug fixes after the release of Intrepid), lucid-security
(critical security-related updates), and lucid-backports (newer, less-tested software
that is not reviewed by the Ubuntu security team). Separating security updates from


other updates enables you to set up a system to automatically install security
updates while allowing you to review other updates before installing them. As
installed, the sources.list file allows you to search for and retrieve packages from the
main, universe, multiverse, and restricted categories (page 522) of the lucid, lucid-updates, and lucid-security repositories. Some repositories in sources.list are commented out. Remove the leading hashmark (#) on the lines of the repositories you
want to enable. After you modify sources.list, give the command aptitude update
(page 528) to update the local package indexes.
The next line, which was added to sources.list, enables APT to search a third-party
repository (but see the following security tip):
deb http://download.skype.com/linux/repos/debian/ stable non-free
In this case, the repository is named stable and the category is non-free. Although
the code is compiled for Debian, it runs on Ubuntu, as is frequently the case.

security Use repositories you trust
There are many repositories of software packages. Search the Internet for ubuntu repositories to
display a sampling of them. Be selective in which repositories you add to sources.list, however:
When you add a repository, you are trusting the person who runs the repository not to put malicious software in packages you may download. In addition, packages that are not supported by
Ubuntu can conflict with other packages and/or cause upgrades to fail.
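The following shell script is added here and is not taken from the book or from APT. It audits a sources.list file in the spirit of the tip above: it parses each enabled line into the type, host, repository and category-list described in this section, and then separates out the repositories whose host is outside ubuntu.com or canonical.com so that each one can be reviewed as a deliberate trust decision. The sources.list contents are a constructed sample that repeats the lines quoted in this section; the function names are this example's own.

```shell
# Added example (not from the book): list the repositories APT will search
# and flag the ones outside the Ubuntu/Canonical domains for review.

# Write a constructed sources.list to the path given. The lines mirror the
# ones quoted in the chapter and are sample data, not a live configuration.
write_sample_sources() {
    cat > "$1" <<'EOF'
# Constructed sample in the format described in the chapter
deb http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
# deb http://us.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse
deb http://download.skype.com/linux/repos/debian/ stable non-free # Added by software-properties
EOF
}

# Print one "type host repository categories" line per enabled entry.
# Comments (# to end of line) and blank lines are dropped first, so a
# commented-out repository is not reported as enabled.
list_repos() {
    sed 's/#.*$//' "$1" | awk 'NF >= 3 {
        host = $2
        sub(/^[a-z+]*:\/\//, "", host)   # strip the URI scheme
        sub(/\/.*$/, "", host)           # strip the path, leaving the host
        cats = ""
        for (i = 4; i <= NF; i++) cats = cats (i > 4 ? "," : "") $i
        print $1, host, $3, cats
    }'
}

# Print only the enabled entries whose host is not under ubuntu.com or
# canonical.com: these are the repositories whose operators you are
# trusting, and each one deserves a deliberate decision.
third_party_repos() {
    list_repos "$1" |
        awk '$2 !~ /\.(ubuntu|canonical)\.com$/ && $2 !~ /^(ubuntu|canonical)\.com$/'
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_sources "$sample"
echo "Enabled repositories:"
list_repos "$sample"
echo "Third-party repositories to review:"
third_party_repos "$sample"
rm -f "$sample"
```

Run against the real file with `list_repos /etc/apt/sources.list`; the script only reads the file, so it needs no root privileges.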

THE APT LOCAL PACKAGE INDEXES AND THE APT CACHE
APT local package indexes The /var/lib/apt/lists directory holds the local package index and associated files.
For each repository listed in /etc/apt/sources.list (page 523), this directory holds a
file that lists information about the most recent version of each package in that
repository. APT uses these files to determine whether the packages on the system,
and those in its cache, are the most recent versions.
APT cache The /var/cache/apt/archives directory holds recently downloaded deb files
(page 533). By default, the apt cron script (next) limits the size of this directory and
the age of the files in it.

THE apt cron SCRIPT AND APT CONFIGURATION FILES

Traditionally, APT configuration instructions are kept in a single file:
/etc/apt/apt.conf; Ubuntu breaks this file into smaller files that it keeps in the
/etc/apt/apt.conf.d directory. The apt cron script, kept in /etc/cron.daily so it is run
daily, reads the configuration files in apt.conf.d and maintains the APT local package
indexes and the APT cache based on the instructions in those files. APT tools, such as
aptitude, also read these files as they start. This section explains a few of the many
directives you can use to control APT tools. See the apt.conf man page and use zless to
view the /usr/share/doc/apt/examples/configure-index.gz file for more information.
The software-properties-gtk utility, which is part of the software package with the
same name, opens the Software Sources window (page 131), which allows you to


set some APT configuration directives using a graphical interface (Updates tab,
Automatic updates).
The following files, which are part of the update-notifier-common package, control
how the apt cron script maintains the APT local package indexes and the APT cache:
$ cat /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
$ cat /etc/apt/apt.conf.d/20archive
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Working with root privileges, you can edit these files and change the values within
the quotation marks to change what the apt cron script does. Each line must end
with a semicolon. The following list explains each of the directives in these files.
APT::Periodic::Update-Package-Lists "days";
Synchronizes local package indexes with their corresponding repositories
(page 528) every days days. Set days to 0 to disable this directive.

APT::Periodic::Download-Upgradeable-Packages "days";
Downloads (but does not install) the packages necessary to upgrade all packages on
the system (page 528) every days days. Set days to 0 to disable this directive.
APT::Periodic::AutocleanInterval "days";
Clears the APT cache (page 524) of packages that can no longer be downloaded
every days days. Set days to 0 to disable this directive.
APT::Periodic::Unattended-Upgrade "days";
Installs upgrades that relate to system security every days days and writes a log to
/var/log/unattended-upgrades. Make sure the unattended-upgrades package is
installed; for more information see /usr/share/doc/unattended-upgrades/README.
Set days to 0 to disable this directive.
APT::Archives::MaxAge "days";
Deletes files from the APT cache (page 524) older than days days. Set days to 0 to
disable this directive.
APT::Archives::MinAge "days";
Causes files younger than days days not to be deleted from the APT cache (page 524).
Set days to 0 to disable this directive.
APT::Archives::MaxSize "MB";
Establishes the maximum size of the APT cache (page 524). When the cache grows
larger than MB megabytes, the apt cron script deletes files until the cache is smaller
than this size. It deletes the largest files first. Set MB to 0 to disable this directive.
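As an added example (not from the book), the following shell functions resolve the effective value of a directive across all files in an apt.conf.d-style directory and then check whether the cron script will apply security upgrades on its own. The directory is constructed inline: 10periodic and 20archive repeat the values shown above, while 50unattended-upgrades and 99local are assumed local additions, included to show that a later file's assignment replaces an earlier one, which is the order in which APT reads apt.conf.d. The function names are this example's own.

```shell
# Added example (not from the book): resolve the effective value of APT
# directives spread across apt.conf.d and check that security upgrades are
# being applied automatically.

# Build a constructed apt.conf.d directory under the path given. The first
# two files repeat the values shown in the chapter; the other two are
# assumed local additions.
write_sample_confd() {
    dir=$1
    cat > "$dir/10periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
EOF
    cat > "$dir/20archive" <<'EOF'
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
EOF
    cat > "$dir/50unattended-upgrades" <<'EOF'
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/99local" <<'EOF'
// Local override: keep cached deb files for two weeks only
APT::Archives::MaxAge "14";
EOF
}

# Print the effective value of one directive. Files are read in lexical
# order, as APT reads apt.conf.d, and a later assignment replaces an
# earlier one. Prints 0 when no file sets the directive, which is also
# what "disabled" means for every directive listed above.
apt_directive() {
    dir=$1; name=$2; value=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # drop // and # comments, then take the last  Name "value";  line
        v=$(sed -e 's://.*$::' -e 's:#.*$::' "$f" |
            awk -v n="$name" '$1 == n { gsub(/[";]/, "", $2); last = $2 }
                               END { if (last != "") print last }')
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Succeed only if the cron script both refreshes the indexes and installs
# security upgrades; either directive at 0 leaves the system unpatched
# until someone runs the upgrade by hand.
unattended_security_enabled() {
    lists=$(apt_directive "$1" APT::Periodic::Update-Package-Lists)
    upgrade=$(apt_directive "$1" APT::Periodic::Unattended-Upgrade)
    [ "$lists" -gt 0 ] && [ "$upgrade" -gt 0 ]
}

# Demonstration on the constructed directory.
d=$(mktemp -d)
write_sample_confd "$d"
for name in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade \
            APT::Archives::MaxAge APT::Archives::MaxSize; do
    printf '%-45s %s\n' "$name" "$(apt_directive "$d" "$name")"
done
if unattended_security_enabled "$d"; then
    echo "security upgrades: automatic"
else
    echo "security upgrades: manual"
fi
rm -rf "$d"
```

On a real system, `apt_directive /etc/apt/apt.conf.d APT::Periodic::Unattended-Upgrade` answers the question without opening each file; a value of 0 means the unattended-upgrades package, even if installed, is never invoked by the cron script.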
KDE and Adept If you are running KDE, the apt.conf.d directory holds two files that work with the
Adept package manager (which is not covered in this book): 15adept-periodic-update
and 25adept-archive-limits. These files should be the same as their GNOME counterparts: 10periodic and 20archive. If the Adept files exist on the local system and you
modify their GNOME counterparts, copy 10periodic to 15adept-periodic-update
and 20archive to 25adept-archive-limits.

aptitude: WORKS WITH PACKAGES AND THE LOCAL PACKAGE INDEX
One of the most commonly used APT utilities is aptitude. The JumpStart on
page 519 explains how to use the aptitude install and remove commands to add and
remove packages from the local system. This section describes aptitude in more
detail and explains how to use other of its commands and options.

Logs The aptitude utility keeps very readable logs in /var/log/aptitude.
Virtual package When you install certain packages, aptitude queries you and, if you agree, installs
more than one package. You are either installing a package with dependencies or a
virtual package, also called a metapackage. A virtual package is not a software
package, but rather a metapackage that depends on other packages. Virtual packages facilitate the installation of software that requires multiple packages.
The format of an aptitude command is
aptitude options command [package-list]
where options is one or more options from the list of options that begins on
page 527, command is a command from the list of commands in the next section,
and package-list is a SPACE-separated list of the names of one or more packages you
want to work with. With the search command, package-list is a list of search patterns (page 529). With other commands, an element of package-list that contains a
tilde (~) is treated as a search pattern. Except when aptitude is only displaying package information, you must work with root privileges. If you call aptitude without
arguments, it displays its pseudographical interface. This section lists more common
commands and options; see the aptitude man page for a complete list.
See page 521 if you need to determine the name of the package that holds a file you
want to install.

aptitude COMMANDS
This section describes the more common aptitude commands. You must run all these
commands, except search and show, while working with root privileges.
autoclean Clears the APT cache (page 524) of packages that can no longer be downloaded.
Run this command periodically to keep the local cache from becoming cluttered
with useless files.
clean Deletes all packages from the APT cache (page 524).
download Downloads the deb file (page 533) for a package to /var/cache/apt/archives.
full-upgrade Performs the tasks safe-upgrade does and also works with newer packages that have
different dependencies than the ones they are replacing. This command installs new


packages if necessary. It does not upgrade from one release of Ubuntu to another;
see page 74 for information on upgrading Ubuntu to another release.
install Downloads, unpacks, and installs all packages in the package-list as well as all
packages those packages depend on. See page 519 for an example.
purge Removes all packages in the package-list, including their configuration files. See
page 520 for an example of the remove command.
reinstall Downloads, unpacks, and reinstalls an already installed package, upgrading to the
latest version if necessary.
remove Removes all packages in the package-list. This command does not remove configuration files. See page 520 for an example.
safe-upgrade Installs the latest versions of most packages on the system. This command will not
install a package that is not already on the system, nor will it remove an installed
package. It will not install a newer version of a package that cannot be installed
without changing the install status of another package. To make sure the local APT
cache is up-to-date, run aptitude update before giving this command. See page 528
for an example. See also full-upgrade.
search Searches the repositories specified by sources.list for packages whose names are
matched by any element of package-list. For example, a search for apache2 will
yield apache2-dev, apache2-doc, apache2, apache2-mpm, and so on. See page 529
for an example.
show Displays detailed information about package-list. See page 529 for an example.
update Synchronizes the local APT package index files with those in the repositories. See
page 528 for an example.

aptitude OPTIONS
This section describes some of the options you can use with aptitude commands.
Each description advises you whether the option works with only certain commands.
--show-deps -D Displays information about packages a command would automatically install
or remove.
--download-only -d Does not unpack or install a package after downloading it.
-f Attempts to fix broken dependencies.
--purge-unused Removes packages that are no longer needed because they were automatically
installed to satisfy a dependency of a package that has been removed.
--help -h Displays a summary of usage, commands, and options.
--simulate -s Displays what command would do, without taking any action.
--assume-yes -y Assumes a yes response to most prompts so aptitude runs noninteractively. The
aptitude utility still prompts for an extraordinary event, such as removing an
essential package or attempting to install an unauthenticated package.


aptitude update: SYNCHRONIZES LOCAL PACKAGE INDEXES WITH REPOSITORIES
The aptitude update command synchronizes local package indexes with their corresponding repositories:
$ sudo aptitude update
Hit http://security.ubuntu.com lucid-security Release.gpg
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
Get:1 http://us.archive.ubuntu.com lucid Release.gpg [189B]
Ign http://us.archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US
Hit http://security.ubuntu.com lucid-security Release
Hit http://us.archive.ubuntu.com lucid-updates/universe Sources
Hit http://us.archive.ubuntu.com lucid-updates/multiverse Packages
Hit http://us.archive.ubuntu.com lucid-updates/multiverse Sources
Fetched 11.1MB in 31s (353kB/s)
Reading package lists... Done
Current status: 30 updates [+30], 76 new [+33].

After running this command, APT can determine, without accessing repositories,
whether installed packages and those in its cache are the most recent versions
available.
By default, the apt cron script (page 524) synchronizes local package indexes nightly.
If this script is running and set to update the package index, you need not run the
update command. However, you must run this command after you add repositories
to /etc/apt/sources.list before APT can retrieve files from new repositories.

aptitude safe-upgrade AND aptitude full-upgrade: UPGRADE THE SYSTEM
There are two aptitude commands that upgrade all packages on the system: safe-upgrade, which upgrades all packages on the system that do not require new packages to be installed, and full-upgrade, which upgrades all packages on the system,
installing new packages as needed.
aptitude safe-upgrade The following example uses the aptitude safe-upgrade command to upgrade all
packages on the system that depend only on packages that are already installed.
This command will not install new packages (packages that are not already on the
system). Before running this command, run aptitude update (page 528) to make
sure the local package indexes are up-to-date.
$ sudo aptitude update
$ sudo aptitude safe-upgrade
The following packages will be upgraded:
  bash gnome-disk-utility media-player-info xscreensaver-data
4 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,266kB of archives. After unpacking 28.7kB will be used.
Do you want to continue? [Y/n/?] y

The aptitude utility lists the changes it will make and asks you whether you want
to continue. Enter y to upgrade the listed packages or n to quit. Packages that are
not upgraded because they depend on packages that are not installed are listed as
kept back.
aptitude full-upgrade Use the aptitude full-upgrade command to upgrade all packages, including packages
that are dependent on packages that are not installed. This command installs new
packages as needed to satisfy dependencies.
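An added example, not from the book: run the upgrade with --simulate, read the summary line that aptitude prints, and apply the upgrade with --assume-yes only when the plan removes nothing, so that an unattended run never silently drops a package. The two transcripts are constructed from the output shown in this chapter; aptitude itself is not invoked by the script, and the function names are this example's own.

```shell
# Added example (not from the book): gate an unattended upgrade on what a
# simulated run says it would do.

# Constructed transcript of "aptitude -s -y safe-upgrade" for the example
# above (the upgrade of bash and three other packages).
sample_safe_upgrade() {
    cat <<'EOF'
The following packages will be upgraded:
  bash gnome-disk-utility media-player-info xscreensaver-data
4 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,266kB of archives. After unpacking 28.7kB will be used.
EOF
}

# Constructed transcript of a simulation that would remove packages
# (the counts are those of the apache2.2-common removal shown earlier).
sample_removal() {
    cat <<'EOF'
The following packages will be REMOVED:
  apache2-utils{u} apache2.2-bin{u} apache2.2-common libapr1{u}
0 packages upgraded, 0 newly installed, 7 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 9,994kB will be freed.
EOF
}

# Read aptitude output on stdin and print the four counters from the
# summary line as "upgraded installed removed held". Prints nothing if
# the line is absent (for example, when aptitude failed before planning).
summary_counts() {
    awk '/ packages upgraded, / {
            n = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) out[++n] = $i
            if (n == 4) print out[1], out[2], out[3], out[4]
            exit
        }'
}

# Decide whether a simulated plan may be applied unattended: succeed only
# when a summary line was found and it removes nothing. A plan that removes
# packages is exactly the case where -y would let aptitude act without a
# person reading the list.
plan_is_safe() {
    counts=$(summary_counts)
    [ -n "$counts" ] || return 1
    set -- $counts
    [ "$3" -eq 0 ]
}

# Demonstration. On a real system the sequence would be:
#   sudo aptitude update
#   sudo aptitude -s -y safe-upgrade > plan.txt
#   plan_is_safe < plan.txt && sudo aptitude -y safe-upgrade
for t in sample_safe_upgrade sample_removal; do
    if $t | plan_is_safe; then
        echo "$t: safe to apply ($($t | summary_counts))"
    else
        echo "$t: needs review ($($t | summary_counts))"
    fi
done
```

The check is deliberately conservative: a missing summary line is treated as unsafe, so a failed or interrupted simulation does not fall through to the real upgrade.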

aptitude search: SEARCHES THE REPOSITORIES FOR PACKAGES

The search command interprets the package-list on the command line as a list of
patterns; all other aptitude commands normally interpret it as a list of package
names. This command searches all packages from the repositories listed in
/etc/apt/sources.list, including packages that have not been downloaded, and displays one line about each package whose name matches one of the elements of
package-list:
$ aptitude search vim
p   firefox-vimperator      - Firefox extension to make it have vim look
v   gvim                    -
p   jvim-canna              - Japanized VIM (Canna version)
p   jvim-doc                - Documentation for jvim (Japanized VIM)
p   libtext-vimcolor-perl   - syntax color text in HTML or XML using Vim
p   vim                     - Vi IMproved - enhanced vi editor
p   vim-addon-manager       - manager of addons for the Vim editor
i   vim-common              - Vi IMproved - Common files

The letter in the first column of each entry indicates the status of the package on the
system: i for installed, c for removed except for configuration files, p for purged
(package and configuration files removed), and v for a virtual package (page 526).
A second letter in the first column indicates a stored action that will be performed
on the package. An A appearing as the third letter means the package was automatically installed.

aptitude show: DISPLAYS PACKAGE INFORMATION

The aptitude show command displays information about packages in the repositories, including dependency information. See also the apt-cache show command,
which displays more information (page 531), and the dpkg status command
(page 537). On the next page is an example.


$ aptitude show nfs-common
Package: nfs-common
State: not installed
Version: 1:1.2.0-4ubuntu4
Priority: optional
Section: net
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Uncompressed Size: 602k
Depends: portmap (>= 6.0-10ubuntu1), adduser, ucf, lsb-base (>=
         1.3-9ubuntu3), netbase (>= 4.24), initscripts (>=
         2.86.ds1-38.1), libc6 (>= 2.4), libcomerr2 (>= 1.01),
         libevent-1.4-2 (>= 1.4.13-stable), libgssapi-krb5-2 (>=
         1.6.dfsg.2), libgssglue1, libk5crypto3 (>= 1.6.dfsg.2),
         libkrb5-3 (>= 1.6.dfsg.2), libnfsidmap2, librpcsecgss3,
         libwrap0 (>= 7.6-4~), upstart-job
Conflicts: nfs-client
Replaces: mount (< 2.13-), nfs-client, nfs-kernel-server (< 1:1.0.7-5)
Provides: nfs-client
Description: NFS support files common to client and server
 Use this package on any machine that uses NFS, either as client or
 server.
 Programs included: lockd, statd, showmount, nfsstat, gssd and idmapd.
 Upstream: SourceForge project "nfs", CVS module nfs-utils.
Homepage: http://nfs.sourceforge.net/

apt-cache: DISPLAYS PACKAGE INFORMATION
The apt-cache utility has many commands: some manipulate the APT package
cache and others display information about packages in the cache. This section contains examples of some of the simpler commands that display information. Use apt-file
(page 521) to display information about packages that are not installed on the system.

Displaying package dependencies The apt-cache depends command displays the list of packages that a package depends
on. These are forward (normal) dependencies. Use the --recurse option to display the
packages that the dependencies are dependent on (the dependencies' dependencies).
$ apt-cache depends nfs-common
nfs-common
  Depends: portmap
  Depends: adduser
  Depends: ucf
  Conflicts:
  Replaces: mount
  Replaces: <nfs-client>
    nfs-common
  Replaces: nfs-kernel-server
Use the rdepends apt-cache command to display the list of packages that are dependent on a specified package. These are reverse dependencies. Use the --recurse
option to display the packages that are dependent on the dependent packages.


$ apt-cache rdepends nfs-common
nfs-common
Reverse Depends:
rgmanager
nfs-kernel-server
mount
mount
autofs5
Displaying package records The apt-cache show command displays package records from the files in the APT
local package indexes. See also the aptitude show command, which displays less
information (page 529), and the dpkg status command (page 537). Following is an
example:
$ apt-cache show nfs-common
Package: nfs-common
Priority: optional
Section: net
Installed-Size: 588
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Architecture: i386
Source: nfs-utils
Version: 1:1.2.0-4ubuntu2
Replaces: mount (<< 2.13-), nfs-client, nfs-kernel-server (<< 1:1.0.7-5)
Provides: nfs-client
Depends: portmap (>= 6.0-10ubuntu1), adduser, ucf, lsb-base (>= 1.3-9ubuntu3), netbase (>= 4.24), initscripts (>= 2.86.ds1-38.1), libc6 (>= 2.4), libcomerr2 (>= 1.01), libevent-1.4-2 (>= 1.4.13-stable), libgssapi-krb5-2 (>= 1.6.dfsg.2), libgssglue1, libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2), libnfsidmap2, librpcsecgss3, libwrap0 (>= 7.6-4~), upstart-job
Conflicts: nfs-client
Filename: pool/main/n/nfs-utils/nfs-common_1.2.0-4ubuntu2_i386.deb
Size: 211256
MD5sum: d047339007b36e2b931cc473edb1c21d
SHA1: 4b2f71dcd330d3219a4153c9c597f5095213592b
SHA256: 653a684fcf75e5e676962ba2370fa0eb12a3f4b0ed5384cb024b1eb3824c93fa
Description: NFS support files common to client and server
 Use this package on any machine that uses NFS, either as client or
 server.
 Programs included: lockd, statd, showmount, nfsstat, gssd
 and idmapd.
 Upstream: SourceForge project "nfs", CVS module nfs-utils.
Homepage: http://nfs.sourceforge.net/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Supported: 5y

The apt-cache showpkg command displays package version and location information
as well as dependency lists.
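The records that apt-cache show and dpkg --status print share one format: a field name, a colon, and a value, with continuation lines indented by one space, and relationship fields such as Depends that list alternatives separated by | and version constraints in parentheses. The following Python script is an added example, not code from the book or from APT: it parses such a record, splits its Depends field, and implements the version ordering dpkg applies when it decides whether an installed version satisfies a constraint (epoch, upstream version, and Debian revision compared in turn, with ~ sorting before everything, including the end of a string). SAMPLE_RECORD and the installed versions it is checked against are constructed from values shown on this page; the unmet() helper is this example's own, not an APT function.

```python
"""Parse an APT package record and check its Depends field.

Added example, not code from the book. parse_record() reads the RFC 822-style
records that apt-cache show and dpkg --status print, parse_depends() splits a
Depends value into alternatives and version relations, and compare_versions()
implements the ordering dpkg uses (what dpkg --compare-versions exposes).
SAMPLE_RECORD is constructed from fields shown on this page.
"""
import re

SAMPLE_RECORD = """\
Package: nfs-common
Version: 1:1.2.0-4ubuntu2
Depends: portmap (>= 6.0-10ubuntu1), adduser, ucf, libwrap0 (>= 7.6-4~)
Conflicts: nfs-client
Description: NFS support files common to client and server
 Use this package on any machine that uses NFS, either as client or
 server.
"""


def parse_record(text):
    """Return {field: value}; lines starting with a blank continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


_DEP = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]*)\s*"
                  r"(?:\(\s*(<<|<=|=|>=|>>|<|>)\s*([^\s)]+)\s*\))?\s*$")


def parse_depends(value):
    """'a (>= 1), b | c' -> [[('a', '>=', '1')], [('b', None, None), ('c', None, None)]]."""
    groups = []
    for group in filter(str.strip, value.split(",")):
        alts = []
        for alt in group.split("|"):
            m = _DEP.match(alt)
            if not m:
                raise ValueError("malformed dependency: %r" % alt)
            alts.append(m.groups())
        groups.append(alts)
    return groups


def _order(c):
    """Debian lexical order: '~' first (before even the end), letters, then everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    """Compare two upstream versions or two revisions by alternating non-digit and digit runs."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            oa, ob = _order(sa[i:i + 1]), _order(sb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0


def _split(version):
    """'1:1.2.0-4ubuntu2' -> (1, '1.2.0', '4ubuntu2'); epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


# Results of compare_versions(have, want) that satisfy each relation. In control fields
# the deprecated '<' and '>' mean '<=' and '>=', not strict inequality.
_OK = {"<<": (-1,), "<": (-1, 0), "<=": (-1, 0), "=": (0,),
       ">=": (0, 1), ">": (0, 1), ">>": (1,)}


def unmet(record_text, installed):
    """List the Depends alternatives that nothing in installed ({name: version}) satisfies."""
    problems = []
    for alts in parse_depends(parse_record(record_text).get("Depends", "")):
        if not any(name in installed and
                   (op is None or compare_versions(installed[name], want) in _OK[op])
                   for name, op, want in alts):
            problems.append(alts)
    return problems
```

The comparison rules matter in practice when you check whether a fixed version is installed: 7.6-4~ is older than 7.6-4, 1.0~rc1 is older than 1.0, and an epoch (the 1: in 1:1.2.0-4ubuntu2) outranks every upstream version without one, so a naive string or float comparison gets all three wrong.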

532    CHAPTER 13    DOWNLOADING AND INSTALLING SOFTWARE

apt-get source: DOWNLOADS SOURCE FILES

The apt-get source (dpkg-dev package) command downloads and unpacks in the working directory source code files from repositories specified with deb-src lines in sources.list (page 523). APT does not keep index and cache files for source files as it does for binary files. With the --download-only option, this command does not unpack the source code. With the --compile option, it unpacks and compiles the source code. You do not have to run this command with root privileges; it requires only write access to the working directory. Following is an example:
$ apt-get source adduser
dpkg-source: info: extracting adduser in adduser-3.112ubuntu1
dpkg-source: info: unpacking adduser_3.112ubuntu1.tar.gz
$ ls -ld adduser*
drwxr-xr-x 7 sam sam   4096 2010-01-27 00:54 adduser-3.112ubuntu1
-rw-r--r-- 1 sam sam   1141 2010-01-27 03:04 adduser_3.112ubuntu1.dsc
-rw-r--r-- 1 sam sam 299038 2010-01-27 03:04 adduser_3.112ubuntu1.tar.gz

dpkg: THE DEBIAN PACKAGE MANAGEMENT SYSTEM
The Debian package ( d p k g ) management system database tracks which software
packages are installed on a system, where each is installed, which version is
installed, and which packages each depends on.
The dpkg management system comprises many utilities. These utilities install, uninstall, upgrade, query, and verify software packages. The original and primary utility is dpkg (page 534). Although you can use dpkg for most tasks involving the dpkg management system, other tools can make your job easier. Some of the most commonly used of these tools are described here:
• apt-cache: Displays information about and manipulates the APT cache (page 530).
• apt-file: Similar to apt-cache except that it works with packages that have not been installed and packages that have not been downloaded, in addition to those that are installed on the local system (page 521).
• aptitude: Retrieves software packages and calls dpkg to install and remove them (pages 519 and 526).
• apt-get: A textual interface to APT; similar to aptitude.
• dpkg: The primary dpkg management system utility (page 534).
• dselect: A pseudographical front-end for dpkg.
• Synaptic: A graphical interface to APT (page 133).


deb FILES
The dpkg management system works with .deb format files, frequently referred to
as deb files. Because dpkg cannot download deb files from repositories, aptitude
(page 526) typically performs this task. By default, aptitude stores downloaded deb
files in /var/cache/apt/archives. The dpkg management system stores available
package information in /var/lib/dpkg/available and package installation information in /var/lib/dpkg/status.
You can manually locate, download, and install deb files. However, doing so can be
tedious, especially when you find that a package is dependent on several other packages and that some of those packages are dependent on yet other packages.
You can create deb files, as when you build a kernel. Page 579 has an example of
building a kernel deb file; pages 536 and 582 show dpkg installing deb files.
Binary files
A binary deb file is an ar (archive) format file. As the example below shows, the archive holds three members: debian-binary (the format version), control.tar.gz, and data.tar.gz. Between them they can contain the following components. All packages contain a control file; the other components are optional.
• binary—Binary executable files
• control—Package information including lists of dependent, recommended,
and suggested packages
• conffiles—Package configuration files
• preinst—Preinstall script
• postinst—Postinstall script
• prerm—Preremove script
• postrm—Postremove script
To unpack a deb file, first download it to /var/cache/apt/archives using the command aptitude download package. Copy the file to a directory with no other files in it and use ar -xv to unpack the deb file. You can then use tar (page 176) to unpack the tar files. Neither step requires root privileges. Because the preinst, postinst, prerm, and postrm scripts run with root privileges when dpkg installs or removes the package, unpacking a deb file this way is also how you read those scripts before you install a package that did not come from a repository you trust. The example shows how to extract the control files from the nfs-common deb file.
$ ls nfs-common*.deb
nfs-common_1%3a1.2.0-4ubuntu2_i386.deb
$ ar -xv nfs-common*.deb
x - debian-binary
x - control.tar.gz
x - data.tar.gz
$ tar -xvf control.tar.gz
./
./postinst
./preinst
./prerm
./postrm
./conffiles
./md5sums
./control
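What ar -xv and tar -xvf did above can be reproduced in a few dozen lines, which is a good way to see what a deb file really is. The following Python script is an added example, not code from the book or from dpkg: it assembles a made-up package (hello-pkg) in memory as an ar archive with the three members shown above, reads it back member by member, extracts both tarballs, lists the maintainer scripts present, and checks each file in data.tar.gz against the md5sums file in control.tar.gz. It then does the same for a copy whose payload was altered after the control member was built, which the md5sums check catches.

```python
"""Unpack a .deb the way ar -x and tar -x do, then verify its md5sums.

Added example, not code from the book. A deb file is an ar archive whose members
are, in order, debian-binary (the format version, "2.0"), control.tar.gz (the
control file, md5sums, conffiles and maintainer scripts) and data.tar.gz (the
files that get installed). read_ar() walks the ar container; inspect_deb()
extracts both tarballs and checks every installed file against md5sums. The
package built here (hello-pkg) is made up and assembled in memory so the
script runs offline.
"""
import hashlib
import io
import tarfile


def _ar_member(name, data):
    """One ar member: a 60-byte header, then the data, padded to an even length."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    """Gzipped tar of {path: bytes}; entries are stored as ./path, as dpkg-deb does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo("./" + path)
            info.size = len(data)
            info.mode = 0o755 if data.startswith(b"#!") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(control_files, data_files):
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control_files))
            + _ar_member("data.tar.gz", _tar_gz(data_files)))


def read_ar(blob):
    """Yield (name, data) for each member in the order ar -xv would extract them."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:] != b"`\n":
            raise ValueError("truncated or corrupt member header at offset %d" % pos)
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58])
        if pos + 60 + size > len(blob):
            raise ValueError("member %s runs past the end of the archive" % name)
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2


def _untar(blob):
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name[2:] if m.name.startswith("./") else m.name] = tar.extractfile(m).read()
    return out


def inspect_deb(blob):
    """Return the control file, the maintainer scripts present, and any md5sums mismatches."""
    members = dict(read_ar(blob))
    if members.get("debian-binary") != b"2.0\n":
        raise ValueError("unsupported deb format version")
    control, data = _untar(members["control.tar.gz"]), _untar(members["data.tar.gz"])
    # Maintainer scripts run as root during install and removal, so list them for review.
    scripts = [s for s in ("preinst", "postinst", "prerm", "postrm") if s in control]
    mismatched = []  # md5sums has one "<hex>  <path>" line per file in data.tar.gz
    for line in control.get("md5sums", b"").decode().splitlines():
        digest, _, path = line.partition("  ")
        if path not in data or hashlib.md5(data[path]).hexdigest() != digest:
            mismatched.append(path)
    return {"control": control["control"].decode(), "scripts": scripts,
            "files": sorted(data), "md5_mismatch": mismatched}


# Constructed sample package; every value below is made up for this example.
DATA_FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n", "etc/hello.conf": b"greeting=hello\n"}
CONTROL_FILES = {
    "control": b"Package: hello-pkg\nVersion: 1.0-1\nArchitecture: all\n"
               b"Maintainer: Example <nobody@example.invalid>\nDescription: constructed package\n",
    "conffiles": b"/etc/hello.conf\n",
    "postinst": b"#!/bin/sh\nset -e\necho configured\n",
    "md5sums": "".join("%s  %s\n" % (hashlib.md5(d).hexdigest(), p)
                       for p, d in sorted(DATA_FILES.items())).encode(),
}
SAMPLE_DEB = build_deb(CONTROL_FILES, DATA_FILES)
# Same control member, altered payload: md5sums no longer agrees with data.tar.gz.
TAMPERED_DEB = build_deb(CONTROL_FILES, {**DATA_FILES, "usr/bin/hello": b"#!/bin/sh\necho changed\n"})

if __name__ == "__main__":
    for label, deb in (("original", SAMPLE_DEB), ("tampered", TAMPERED_DEB)):
        print(label, inspect_deb(deb)["md5_mismatch"])
```

Note what the md5sums check does and does not give you. It detects a payload that no longer matches its control member, and dpkg keeps the same list after installation so that a changed file on disk can later be told from the packaged one. It is no defense against someone who rebuilds the whole deb file, since that person rewrites md5sums too; authenticity comes from the repository's signed Release file, which APT checks before it hands a deb file to dpkg. That is one reason to prefer aptitude download over fetching deb files by hand.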


Source files
A source file package contains a description file, a source code file, and a diff file that contains Ubuntu-specific changes to the source file. See page 532 for instructions on how to use apt-get to download and unpack a source file.
Installing a deb file
When dpkg installs a binary package (page 536), it takes the following steps:
1. Extracts control files.
2. If another version of the same package is installed on the system, executes the prerm script of the old package.
3. Runs the preinst script.
4. Backs up the old binary files and unpacks the new binary files, allowing dpkg to revert to the existing setup if installation fails.
5. If another version of the same package is installed on the system, executes the postrm script of the old package.
6. Backs up the old configuration files and unpacks the new configuration files, allowing dpkg to revert to the existing setup if installation fails.
7. Runs the postinst script.
Removing a deb file
When dpkg removes a binary package (page 536), it runs the prerm script, removes the files, and runs the postrm script.

dpkg: THE FOUNDATION OF THE DEBIAN PACKAGE MANAGEMENT SYSTEM
The dpkg (Debian package) utility installs (unpacks and configures), queries, and
removes deb packages. Before querying the software package database, give the
update-avail command (discussed next) to update the list of available packages.

tip: dpkg commands and options both start with hyphens
Although command-line arguments that start with one or two hyphens are generally called options, the dpkg documentation divides these arguments into commands and options. For example, --purge is a command and --simulate is an option.

Typically you will use one of the tools that acts as a front-end for dpkg and not work with dpkg itself. In some cases you may find the following dpkg commands useful. View the dpkg man page or use the --help option for a complete list of commands.

dpkg --update-avail: UPDATES THE LIST OF AVAILABLE PACKAGES
The list of available packages is kept in the /var/lib/dpkg/available file. The --update-avail dpkg command replaces this list with the package records in the Packages-format file you name as its argument, such as one of the APT local package index files (page 524):
$ sudo dpkg --update-avail /var/lib/dpkg/available
Replacing available packages info, using /var/lib/dpkg/available.
Information about 1868 package(s) was updated.


dpkg --list: DISPLAYS INFORMATION ABOUT A PACKAGE
The dpkg --list (or -l) command displays a line of information about packages you name as an argument. Package names can include wildcards as described in "Filename Generation/Pathname Expansion" on page 256. You must quote wildcards on the command line so that the shell passes them to dpkg instead of expanding them against filenames in the working directory. Querying the package database does not require root privileges.
The following command lists all packages whose names begin with apache2. The first two lines of the header are keys for the first two letters on each line that describes a package; the third line is the key for an optional third letter that flags an error condition. The first line of the header, labeled Desired, lists the possible desired package selection states (Table 13-1). The second line, labeled Status, lists possible package statuses (Table 13-1). The Name column lists the name of the package, while the Version and Description columns describe the package.
$ dpkg --list "apache2*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                  Version               Description
+++-=====================-=====================-==========================================
pn  apache2                                     (no description available)
rc  apache2-common        2.2.14-4ubuntu4       next generation, scalable, extendable web...
ii  apache2-doc           2.2.14-4ubuntu4       documentation for apache2
un  apache2-modules                             (no description available)
un  apache2-mpm-perchil                         (no description available)
un  apache2-mpm-prefork                         (no description available)
un  apache2-mpm-threadp                         (no description available)
pn  apache2-mpm-worker                          (no description available)
pn  apache2-utils                               (no description available)

In the preceding example, the apache2 package has a desired state of purged (p) and a status of not installed (n), meaning the package is not installed and has no configuration files on the system. The apache2-common package has a desired state of removed (r) and currently has only its configuration files installed (c). For apache2-doc, the first i indicates that the desired state of the package is installed and the second i indicates that the current state of the package is installed (the package is installed on the system). For apache2-modules, the desired state of the package is unknown (u) and it is not installed (n). See page 536 for more examples of the --list command.
Table 13-1  dpkg letter codes

Letter                  Means that the package is
Desired (selection state)
  u (unknown)           Unknown to dpkg
  i (install)           To be installed
  r (remove)            To be removed (uninstalled), except for configuration files
  p (purge)             To be removed, including configuration files
  h (hold)              Not handled by dpkg
Status (package state)
  n (not installed)     Not installed
  i (installed)         Installed
  c (config-files)      Not installed; only the configuration files exist on the system
  u (unpacked)          Unpacked, but not configured
  f (failed-config)     Unpacked, but not configured; configuration failed
  h (half-installed)    Partially installed; installation is not complete
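The three letters at the start of each dpkg --list line compress a lot of state, and a script that decodes them is the quickest way to audit a machine's package database. The following Python script is an added example, not code from the book or from dpkg: it parses output in the format shown above, decodes each letter with the codes of Table 13-1, and reports packages that were removed but still have configuration files on disk, or that dpkg itself marks as being in a bad state by printing the status or error letter in uppercase. SAMPLE_OUTPUT is constructed; the example-* packages are invented to show those uppercase letters.

```python
"""Decode dpkg --list status letters and flag packages worth a look.

Added example, not code from the book. parse_dpkg_list() reads the output
format shown above using the letter codes of Table 13-1; review() applies
the checks an administrator or incident responder usually wants: packages
removed with configuration files left behind, and packages whose status or
error letter is uppercase, which dpkg uses to mark a bad state (for example
unpacked but never configured). SAMPLE_OUTPUT is constructed; the example-*
packages do not exist.
"""
DESIRED = {"u": "unknown", "i": "install", "r": "remove", "p": "purge", "h": "hold"}
STATUS = {"n": "not-installed", "i": "installed", "c": "config-files",
          "u": "unpacked", "f": "failed-config", "h": "half-installed"}
ERROR = {" ": None, "h": "hold", "r": "reinst-required", "x": "both-problems"}

SAMPLE_OUTPUT = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                 Version              Description
+++-====================-====================-==========================================
pn  apache2              <none>               (no description available)
rc  apache2-common       2.2.14-4ubuntu4      next generation, scalable, extendable web...
ii  apache2-doc          2.2.14-4ubuntu4      documentation for apache2
un  apache2-modules      <none>               (no description available)
iU  example-unpacked     1.0-1                constructed: unpacked, never configured
iF  example-failed       2.3-1                constructed: postinst failed
iHR example-half         0.9-2                constructed: half-installed, reinstall required
"""


def parse_dpkg_list(text):
    """Return one dict per package line, with the three letters decoded."""
    rows = []
    for line in text.splitlines():
        if len(line) < 5 or line.startswith(("Desired=", "|", "+++")):
            continue  # the four header lines and the separator
        d, s, e = line[0], line[1], line[2]
        name, version, desc = (line[4:].split(None, 2) + ["", ""])[:3]
        rows.append({"name": name, "version": version, "description": desc,
                     "desired": DESIRED.get(d, "?"),
                     "status": STATUS.get(s.lower(), "?"),
                     "error": ERROR.get(e.lower()),
                     "bad": s.isupper() or e.isupper()})
    return rows


def review(rows):
    """Map a package name to the reason it deserves attention."""
    findings = {}
    for r in rows:
        if r["bad"]:
            why = "bad state %s/%s" % (r["desired"], r["status"])
            if r["error"]:
                why += " (%s)" % r["error"]
            findings[r["name"]] = why
        elif r["status"] == "config-files":
            findings[r["name"]] = "removed but configuration files remain; dpkg --purge clears them"
    return findings


if __name__ == "__main__":
    for name, why in sorted(review(parse_dpkg_list(SAMPLE_OUTPUT)).items()):
        print("%-20s %s" % (name, why))
```

On a real system, feed it the output of dpkg --list with no arguments. Packages in the rc state are worth a second look after a compromise or a cleanup: the configuration files that remain (and the conffiles they were copied from) are still readable by whoever can read /etc, and a later reinstall picks them up silently.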

dpkg --install: INSTALLS A PACKAGE
The dpkg --install (-i) command installs (unpacks and sets up; see page 534) a package stored in a deb file. It does not search for and download a package from the Internet. Use aptitude (page 526) for that purpose. Nor does dpkg fetch dependencies: if a dependency is missing, dpkg unpacks the package, reports an error, and leaves it unconfigured (a status of iU in dpkg --list) until you install the dependency. The following example shows dpkg installing the ftp package:
$ sudo dpkg --install /var/cache/apt/archives/ftp_0.17-19_i386.deb
Selecting previously deselected package ftp.
(Reading database ... 173635 files and directories currently installed.)
Unpacking ftp (from .../archives/ftp_0.17-19_i386.deb) ...
Setting up ftp (0.17-19) ...

dpkg --remove AND dpkg --purge: REMOVE AN INSTALLED PACKAGE
The dpkg --remove (-r) command removes an installed package except for its configuration files. Leaving these files can be useful if you decide to reinstall the package. Use --purge (-P) to completely remove a package, including configuration files. The following command displays the status of the ftpd package (it is installed).
$ dpkg --list ftpd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name              Version           Description
+++-=================-=================-==========================================
ii  ftpd              0.17-29           FTP server

The next command removes the ftpd package except for its configuration files:
$ sudo dpkg --remove ftpd
(Reading database ... 113335 files and directories currently installed.)
Removing ftpd ...
Processing triggers for man-db ...


Next the dpkg --list command shows a status of rc for the ftpd package, indicating that it has been removed (r) but the configuration files (c) remain.
$ dpkg --list ftpd
rc  ftpd              0.17-29           FTP server

Finally dpkg purges the ftpd package and shows a state of un (unknown, not installed).
$ sudo dpkg --purge ftpd
(Reading database ... 113325 files and directories currently installed.)
Removing ftpd ...
Purging configuration files for ftpd ...
$ dpkg --list ftpd
un  ftpd                                (no description available)
If there are packages dependent on the package you are removing, the command fails. In the next example, dpkg attempts to remove the apache2.2-common package but fails because the apache2-mpm-worker package depends on apache2.2-common:
$ sudo dpkg --remove apache2.2-common
dpkg: dependency problems prevent removal of apache2.2-common:
 apache2-mpm-worker depends on apache2.2-common (= 2.2.14-5ubuntu1).
 apache2 depends on apache2.2-common (= 2.2.14-5ubuntu1).
dpkg: error processing apache2.2-common (--remove):
 dependency problems - not removing
Errors were encountered while processing:
 apache2.2-common
You can remove the dependent packages and then remove apache2.2-common. It is
frequently easier to use aptitude to remove a package and its dependencies because
you can do so with a single aptitude remove command (page 520).
When dpkg removes a package, the prerm script stops any running daemons associated with the package. In the case of Apache, it stops the apache2 server.
$ sudo dpkg --remove apache2-mpm-worker apache2
(Reading database ... 130610 files and directories currently installed.)
Removing apache2 ...
Removing apache2-mpm-worker ...
 * Stopping web server apache2
   ...waiting                                                    [ OK ]

dpkg --status: DISPLAYS INFORMATION ABOUT A PACKAGE
The --status (-s) dpkg command displays lengthy information about the installed package you specify as an argument. This information includes package status, installed size, architecture it is compiled for, conflicting packages, a description, and the name of the package maintainer. See also the aptitude show command (page 529) and the apt-cache show command (page 531).


$ dpkg --status apache2-mpm-worker
Package: apache2-mpm-worker
Status: install ok installed
Priority: optional
Section: httpd
Installed-Size: 80
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: i386
Source: apache2
Version: 2.2.14-5ubuntu1
Replaces: apache2-mpm-perchild (<< 2.2.0), apache2-mpm-threadpool (<< 2.0.53)
Provides: apache2, apache2-mpm, httpd, httpd-cgi
Depends: apache2.2-common (= 2.2.14-5ubuntu1), apache2.2-bin (= 2.2.14-5ubuntu1)
Conflicts: apache2-common, apache2-mpm
Description: Apache HTTP Server - high speed threaded model
 Each Apache Multi-Processing Module provides a different "flavor" of
 web server binary, compiled with a different processing model.
 The worker MPM provides the default threaded implementation. It is
 recommended especially for high-traffic sites because it is faster
 and has a smaller memory footprint than the traditional prefork MPM.
Homepage: http://httpd.apache.org/
Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Original-Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
Original-Vcs-Svn: svn://svn.debian.org/pkg-apache/trunk/apache2
Use the dpkg --info command to display information about a deb file that is on the system (for example, in the APT cache) but is not installed. The following command displays information about the ftpd deb file in the archives directory:
$ dpkg --info /var/cache/apt/archives/ftpd_0.17-29_i386.deb

dpkg --search: DISPLAYS THE NAME OF THE PACKAGE THAT CONTAINS A SPECIFIED FILE
The --search (or -S) option to dpkg displays the name of the package that includes the file you specify as an argument. It consults only the file lists of packages installed on the local system; to find which package, installed or not, provides a file, use apt-file (page 521).
$ dpkg --search /etc/ssh
openssh-client: /etc/ssh

dpkg --listfiles: LISTS FILES WITHIN A PACKAGE
The dpkg --listfiles (or -L) command lists the files that are part of the package you specify as an argument. The following example lists the files in the openssh-server package:
$ dpkg --listfiles openssh-server
/.
/etc
/etc/init
/etc/init/ssh.conf
/etc/init.d
...


Use the dpkg --contents command to list the files contained in a package that is on the system but not installed. The following command lists the files in the dump deb file in the archives directory:
$ dpkg --contents /var/cache/apt/archives/dump_0.4b42-1_i386.deb

BITTORRENT
The easiest way to download a BitTorrent file is to click the torrent file object in a
Web browser or in the Nautilus File Browser. This section describes how BitTorrent
works and explains how to download a BitTorrent file from the command line.
The BitTorrent protocol implements a hybrid client/server and P2P (page 1163)
file transfer mechanism. BitTorrent efficiently distributes large amounts of static
data, such as the Ubuntu installation ISO images. It can replace protocols such as
anonymous FTP, where client authentication is not required. Each BitTorrent client that downloads a file provides additional bandwidth for uploading the file,
thereby reducing the load on the initial source. In general, BitTorrent downloads
proceed faster than FTP downloads. Unlike protocols such as FTP, BitTorrent
groups multiple files into a single package: a BitTorrent file.
Tracker, peer, seed, and swarm
BitTorrent, like other P2P systems, does not use a dedicated server. Instead, the functions of a server are performed by the tracker, peers, and seeds. The tracker is a server that allows clients to communicate with each other. Each client, called a peer when it has downloaded part of the BitTorrent file and a seed once it has downloaded the entire BitTorrent file, acts as an additional source for the BitTorrent file. Peers and seeds are collectively called a swarm. As with a P2P network, a member of a swarm uploads to other clients the sections of the BitTorrent file it has already downloaded. There is nothing special about a seed: It can be removed at any time once the torrent is available for download from other seeds.
The torrent
The first step in downloading a BitTorrent file is to locate or acquire the torrent, a file with the filename extension of .torrent. A torrent contains pertinent information (metadata) about the BitTorrent file to be downloaded, such as its size and the location of the tracker. You can obtain a torrent by accessing its URI, or you can acquire it via the Web, an email attachment, or other means. The BitTorrent client can then connect to the tracker to learn the locations of other members of the swarm that it can download the BitTorrent file from.
Manners
Once you have downloaded a BitTorrent file (the local system has become a seed), it is good manners to allow the local BitTorrent client to continue to run so that peers (clients that have not yet downloaded the entire BitTorrent file) can download from you at least as much data as you have downloaded.
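A torrent is small because it carries metadata rather than content: a bencoded dictionary whose announce key names the tracker and whose info dictionary names the file, its length, the piece length, and the SHA-1 of every piece. The SHA-1 of the raw bencoded info dictionary is the info hash that identifies the content to the tracker and the swarm; it is the value btshowmetainfo prints later in this section, and if the publisher lists it, comparing it before you start is the one check that does not depend on the torrent file having arrived intact. The following Python script is an added example, not code from the book or from the bittorrent package: it implements the bencode encoder and decoder, computes the info hash over the raw bytes of the info dictionary (not over a re-encoding), and reports the same fields btshowmetainfo does. The torrent it decodes is assembled in memory with a made-up tracker URL and placeholder piece hashes, so its info hash is not the real Ubuntu one; only the file name, file length, and piece length match the btshowmetainfo output for the Ubuntu 10.04 desktop ISO shown later in this section.

```python
"""Decode a .torrent file and compute its info hash.

Added example, not code from the book. A torrent is a bencoded dictionary:
announce is the tracker URL and info holds the file name, its length, the
piece length and the concatenated SHA-1 of every piece. The SHA-1 of the raw
bencoded info dictionary is the info hash that identifies the content to the
tracker and the swarm; it is the value btshowmetainfo prints. The torrent
below is assembled in memory with a made-up tracker URL and placeholder piece
hashes, so its info hash is not the real Ubuntu one.
"""
import hashlib


def bencode(obj):
    """Canonical bencoding: dictionaries are emitted with their keys in sorted order."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data):
    """Return (value, spans); spans maps (dict_offset, key) to the raw byte range of that value."""
    spans = {}

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            result, start, i = {}, i, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                if not isinstance(key, bytes):
                    raise ValueError("dictionary key before offset %d is not a string" % i)
                vstart = i
                result[key], i = parse(i)
                spans[(start, key)] = (vstart, i)
            return result, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            length, start = int(data[i:colon]), colon + 1
            if start + length > len(data):
                raise ValueError("string at offset %d runs past the end of the data" % i)
            return data[start:start + length], start + length
        raise ValueError("malformed bencode at offset %d" % i)

    value, end = parse(0)
    if end != len(data):
        raise ValueError("%d trailing bytes after the top-level value" % (len(data) - end))
    return value, spans


def info_hash(torrent):
    """SHA-1 over the info dictionary exactly as stored in the file, not re-encoded."""
    top, spans = bdecode(torrent)
    if not isinstance(top, dict) or b"info" not in top:
        raise ValueError("no info dictionary: not a torrent")
    start, end = spans[(0, b"info")]
    return hashlib.sha1(torrent[start:end]).hexdigest()


def summarize(torrent):
    """The fields btshowmetainfo shows, with the piece table checked against the length."""
    top, _ = bdecode(torrent)
    info = top[b"info"]
    length, piece_len, pieces = info[b"length"], info[b"piece length"], info[b"pieces"]
    n = -(-length // piece_len)  # ceiling division: number of pieces
    if len(pieces) != 20 * n:
        raise ValueError("pieces holds %d hashes but the length needs %d" % (len(pieces) // 20, n))
    return {"announce": top[b"announce"].decode(), "name": info[b"name"].decode(),
            "length": length, "pieces": n,
            "size_breakdown": "%d * %d + %d" % (n - 1, piece_len, length - (n - 1) * piece_len),
            "info_hash": info_hash(torrent)}


PIECE_LENGTH, FILE_LENGTH = 524288, 733419520  # the values btshowmetainfo prints for the ISO
_N = -(-FILE_LENGTH // PIECE_LENGTH)
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example.invalid:6969/announce",  # made-up tracker
    "info": {
        "name": "ubuntu-10.04-desktop-i386.iso",
        "length": FILE_LENGTH,
        "piece length": PIECE_LENGTH,
        # a real torrent stores the SHA-1 of each piece of the ISO; these are placeholders
        "pieces": b"".join(hashlib.sha1(b"piece %d" % i).digest() for i in range(_N)),
    },
})

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_TORRENT).items():
        print("%-15s %s" % (k, v))
```

Hashing the raw span rather than re-encoding the parsed dictionary matters: a client that re-encodes would compute a different hash for a torrent whose keys are not in canonical order, and would then ask the tracker about content that does not exist.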


PREREQUISITES
If necessary, use aptitude (pages 519 and 526) to install the bittorrent package. With this package installed, the command apropos bittorrent displays a list of BitTorrent utilities. See /usr/share/doc/bittorrent for more information. You may want to try BitTornado, an experimental BitTorrent client with additional features (bittornado package; see bittornado.com).
Because the BitTorrent utilities are written in Python and run on any platform with a Python interpreter, they are not dependent on system architecture. Python is installed in /usr/bin/python and is available in the python package.
USING BITTORRENT
The btdownloadcurses utility is a textual BitTorrent client that provides a pseudographical interface. Once you have a torrent, give a command such as the following, substituting the name of the torrent you want to download for the Ubuntu torrent in the example:
$ btdownloadcurses ubuntu-10.04-desktop-i386.iso.torrent
In the preceding command, the torrent specifies that the BitTorrent file be saved as ubuntu-10.04-desktop-i386.iso in the working directory. The name of the BitTorrent file is not always the same as the name of the torrent. In the case of a multifile torrent, the BitTorrent files may be stored in a directory, also named by the torrent.
Figure 13-1 shows btdownloadcurses running. Depending on the speed of the Internet connection and the number of seeds, downloading a large BitTorrent file can take from hours to days.
You can abort the download by pressing q or CONTROL-C. The download will automatically resume from where it left off when you download the same torrent to the same location again.

caution: Make sure you have enough room to download the torrent
Some torrents are huge. Make sure the partition you are working in has enough room to hold the BitTorrent file you are downloading.
See the btdownloadcurses man page for a list of options. One of the most useful options is --max_upload_rate, which limits how much bandwidth the swarm can use while downloading the torrent from you. The default is 0, meaning there is no limit to the upload bandwidth. The following command prevents BitTorrent from using more than 10 kilobytes per second of upstream bandwidth:
$ btdownloadcurses --max_upload_rate 10 ubuntu-10.04-desktop-i386.iso.torrent

BitTorrent usually allows higher download rates for members of the swarm that upload more data, so it is to your advantage to increase this value if you have spare bandwidth. You need to leave enough free upstream bandwidth for the acknowledgment packets from your download to get through or else the download will be very slow. By default, btdownloadcurses uploads to a maximum of seven other clients at once. You can change this number by using the --max_uploads argument, followed by the number of concurrent uploads you wish to permit. If you are downloading over a modem, try setting --max_upload_rate to 3 and --max_uploads to 2.

Figure 13-1  btdownloadcurses working with the Ubuntu desktop torrent (screen shot: the client displays the file name ubuntu-10.04-desktop-i386.iso, its size, the destination path under /home/sam, a progress bar, a status line with the estimated time to finish, the download and upload speeds, and the totals transferred)

The name of the file or directory that BitTorrent saves a file or files in is specified by the torrent. You can specify a different file or directory name by using the --saveas option. The btshowmetainfo utility displays the name the BitTorrent file will be saved as, the size of the file, the name of the torrent (metainfo file), and other information:
$ btshowmetainfo ubuntu-10.04-desktop-i386.iso.torrent
btshowmetainfo 20021207 - decode BitTorrent metainfo files
metainfo file.: ubuntu-10.04-desktop-i386.iso.torrent
info hash.....: 3e16157f0879eb43e9e51f45d485feff90a77283
file name.....: ubuntu-10.04-desktop-i386.iso
file size.....: 733419520 (1398 * 524288 + 464896)

INSTALLING NON-dpkg SOFTWARE

Most software that is not in dpkg format comes with detailed instructions on how
to configure, build (if necessary), and install it. Some binary distributions (those
containing prebuilt executables) require you to unpack the software from the root
directory.

THE /opt AND /usr/local DIRECTORIES

Some newer application packages include scripts to install themselves automatically into a directory hierarchy under /opt, with files in a /opt subdirectory that is named after the package and executables in /opt/bin or /opt/package/bin.
Other software packages allow you to choose where you unpack them. Because many different people develop software for Linux, there is no consistent method for installing it. As you acquire software, install it on the local system in as consistent and predictable a manner as possible. The standard Linux file structure has a directory hierarchy under /usr/local for binaries (/usr/local/bin), manual pages (/usr/local/man), and so forth. Because many GNU buildtools search the /usr/local hierarchy by default and may find the wrong version of a utility if you install developer tools there, putting these tools in /opt is a good idea.
To prevent confusion later and to avoid overwriting or losing the software when you install standard software upgrades, avoid installing nonstandard software in standard system directories (such as /usr/bin). On a multiuser system, make sure users know where to find the local software and advise them whenever you install, change, or remove local tools.

GNU CONFIGURE AND BUILD SYSTEM
The GNU Configure and Build System makes it easy to build a program that is distributed as source code (see www.gnu.org/software/autoconf). This process requires a shell, make, and gcc (the GNU C compiler). You do not need to work with root privileges except to install the program.
The following example assumes you have downloaded the GNU which program (ftp.gnu.org/pub/gnu/which; page 178) to the working directory. First unpack and decompress the file and cd to the new directory:
$ tar -xvzf which-2.20.tar.gz
which-2.20/
which-2.20/EXAMPLES
which-2.20/posixstat.h
which-2.20/configure.ac
which-2.20/COPYING
...
$ cd which-2.20
After reading the README and INSTALL files, run the configure script, which gathers information about the local system and generates the Makefile:
$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
...
config.status: creating Makefile
config.status: creating maintMakefile
config.status: creating tilde/Makefile
config.status: creating config.h
config.status: executing depfiles commands
Refer to the configure info page, specifically the --prefix option, which causes the install phase to place the software in a directory other than /usr/local; for example, ./configure --prefix=/opt/which installs under /opt, as suggested in "The /opt and /usr/local Directories" above. Next, run make:


$ make
make  all-recursive
make[1]: Entering directory `/home/sam/which-2.20'
Making all in tilde
make[2]: Entering directory `/home/sam/which-2.20/tilde'
source='tilde.c' object='tilde.o' libtool=no \
        DEPDIR=.deps depmode=pch /bin/bash ../depcomp \
        gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -c tilde.c
source='shell.c' object='shell.o' libtool=no \
        DEPDIR=.deps depmode=pch /bin/bash ../depcomp \
        gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -c shell.c
rm -f libtilde.a
ar cru libtilde.a tilde.o shell.o
...
source='which.c' object='which.o' libtool=no \
        DEPDIR=.deps depmode=pch /bin/bash ./depcomp \
        gcc -DHAVE_CONFIG_H -I.     -g -O2 -c which.c
gcc  -g -O2   -o which getopt.o getopt1.o bash.o which.o ./tilde/libtilde.a
make[2]: Leaving directory `/home/sam/which-2.20'
make[1]: Leaving directory `/home/sam/which-2.20'
$ ls which
which
After make finishes, the which executable is in the working directory. If you want to install it, give the following command:
$ sudo make install
make  install-recursive
make[1]: Entering directory `/home/sam/which-2.20'
Making install in tilde
make[2]: Entering directory `/home/sam/which-2.20/tilde'
make[3]: Entering directory `/home/sam/which-2.20/tilde'
...
You can complete the entire task with the following command line, which runs configure and make with your own privileges and only the installation step as root:
$ ./configure && make && sudo make install
The Boolean AND operator (&&) allows the execution of a subsequent command only if the previous step returned a successful exit status.

wget: DOWNLOADS FILES NONINTERACTIVELY
The wget utility is a noninteractive, command-line utility that retrieves files from the Web using HTTP, HTTPS, or FTP. In the following example, wget downloads the Ubuntu home page, named index.html, to a file in the working directory with the same name.


$ wget http://www.ubuntu.com
--2010-02-24 13:21:57--  http://www.ubuntu.com/
Resolving www.ubuntu.com... 91.189.90.41
Connecting to www.ubuntu.com|91.189.90.41|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17903 (17K) [text/html]
Saving to: `index.html'

100%[==========================================>] 17,903      74.2K/s   in 0.2s

2010-02-24 13:21:58 (74.2 KB/s) - `index.html' saved [17903/17903]

With the --recursive (-r) option, wget downloads the directory hierarchy under the URI you specify. Be careful with this option because it can download a lot of data (which may completely fill the partition you are working in). The --background (-b) option runs wget in the background and redirects its standard error to a file named wget-log:
$ wget --recursive --background http://www.ubuntu.com
Continuing in background, pid 28839.
Output will be written to `wget-log'.
$
The wget utility does not overwrite log files. When wget-log exists, wget writes subsequent logs to wget-log.1, wget-log.2, and so on.
Running wget in the background is useful when you need to download a large file to a remote system. You can start it running from an ssh (page 670) session and then disconnect, allowing the download to complete without any interaction.
The wget --continue (-c) option continues an interrupted download. For example, if you decide to stop a download so you can run it in the background, you can continue it from where it left off with this option.

CHAPTER S U M M A R Y
As a system administrator, you need to keep applications and system software
current. Of the many reasons to keep the software on a system up-to-date, one of
the most important is system security. The Debian package (dpkg) management
system makes the process of adding and removing deb format software packages
quite easy.
APT utilities, such as aptitude, download software packages and dependencies and
then work with dpkg to install, remove, or update packages. In addition, you can
use the apt-cache and dpkg utilities to query and verify dpkg packages. For packages
distributed as source code, the GNU Configure and Build System enables you to
build executable files.

BitTorrent is a handy tool for downloading large static data files such as the Ubuntu installation ISO images. It can replace protocols such as anonymous FTP, where client authentication is not required.

EXERCISES
1. Why would you use HTTP or FTP instead of BitTorrent for downloading
large files?
2. Which command would you give to perform a complete upgrade?
3. Why would you build a package from its source code when a (binary) deb
file is available?
4. Suggest two advantages that deb files have over source distributions.

ADVANCED EXERCISES
5. When you compile a package yourself, rather than from a deb file, which
directory hierarchy should you put it in?
6. Which steps should you take before performing an upgrade on a mission-critical server?


14
PRINTING WITH CUPS

IN THIS CHAPTER
JumpStart I: Configuring a Local Printer . . . 549
system-config-printer: Configuring a Printer . . . 550
JumpStart II: Setting Up a Local or Remote Printer Using the CUPS Web Interface . . . 555
Traditional UNIX Printing . . . 558
The CUPS Web Interface . . . 560
CUPS on the Command Line . . . 561
Printing from Windows . . . 566
Printing to Windows . . . 568

A printing system handles the tasks involved in first getting a
print job from an application (or the command line) through
the appropriate filters (page 1148) and into a queue for a suitable printer and then getting it printed. While handling a job, a
printing system can keep track of billing information so the
proper accounts can be charged for printer use. When a printer
fails, the printing system can redirect jobs to other, similar
printers.


INTRODUCTION
LPD and LPR
Traditionally, UNIX had two printing systems: the BSD Line Printer Daemon (LPD) and the System V Line Printer system (LPR). Linux adopted those systems at first, and both UNIX and Linux have seen modifications to and replacements for these systems. Today CUPS is the default printing system under Ubuntu.
CUPS
CUPS (Common UNIX Printing System) is a cross-platform print server built around IPP (Internet Printing Protocol), which is itself based on HTTP. CUPS provides many printer drivers and can print different types of files, including PostScript. Because it is built on IPP and written to be portable, CUPS runs under many operating systems, including Linux and Windows. Other UNIX variants, including Mac OS X, use CUPS; recent versions of Windows include the ability to print to IPP printers. Thus CUPS is an ideal solution for printing in a heterogeneous environment. CUPS provides System V and BSD command-line interfaces and, in addition to IPP, supports LPD/LPR, HTTP, SMB, and JetDirect (socket) protocols, among others.
IPP
The IPP project (www.pwg.org/ipp) began in 1996, when Novell and several other companies designed a protocol for printing over the Internet. IPP enables users to
• Determine the capabilities of a printer.
• Submit jobs to a printer.
• Determine the status of a printer.
• Determine the status of a print job.
• Cancel a print job.
IPP is a client/server protocol in which the server side can be a print server or a network-capable stand-alone printer.
Printers and queues
On a modern computing system, when you "send a job to the printer," you actually add the job to the list of jobs waiting their turn to be printed on a printer. This list is called a print queue or simply a queue. The phrase configuring (or setting up) a printer is often used to mean configuring a (print) queue. This chapter uses these phrases interchangeably.

PREREQUISITES
Installation
Install the following packages (most are installed with the base Ubuntu system):
• cups-common
• cups-bsd (optional; BSD printing commands)
• cups-client (optional; System V printing commands)
• openprinting-ppds (PPD files)
• openprinting-ppds-extra (optional; more PPD files)
• system-config-printer-gnome (optional; graphical printer tool)


To add, modify, and remove printers from the local system, you must be a member of the lpadmin group. For more information see the tip on page 550. To use the CUPS Web interface, you need an X server and a Web browser.
cups init script
When you install the cups package (named cupsys on older Ubuntu releases), the dpkg postinst script starts the cupsd daemon. After you configure CUPS, call the cups init script to restart the cupsd daemon:
$ sudo service cups restart
 * Restarting Common Unix Printing System: cupsd          [ OK ]

MORE INFORMATION
Local
CUPS Documentation: With the CUPS Web interface up (page 560), point a local browser at localhost:631/help.
Web
www.linux-foundation.org/en/OpenPrinting: Information on printers and printing under Linux. Hosts a support database with details about many printers, including notes and driver information; also offers forums, articles, and a HOWTO document on printing.
CUPS home page: www.cups.org
IPP information: www.pwg.org/ipp
HOWTO
The SMB HOWTO has a section titled "Sharing a Windows Printer with Linux Machines."

NOTES
Firewall
A CUPS server accepts IPP connections on TCP port 631. Clients that speak only LPD/LPR reach CUPS through the cups-lpd service, which listens on TCP port 515; port 80 is involved only if you add a Port or Listen directive for it. If the CUPS server system is running a firewall, you need to open the port or ports you use. Using gufw (page 876), add a rule that allows service for port 631 (and port 515 if you run cups-lpd) from the clients you want to be able to access the server, and no wider: the firewall rule and the cupsd access control list (see "Sharing CUPS Printers," page 565) should both name only the hosts or subnets that need to print.
PDF printer
You can set up a virtual PDF printer by installing the cups-pdf package, or you can set up this printer manually.

JUMPSTART I: CONFIGURING A LOCAL PRINTER
In most cases, when you connect a printer to the local system and turn it on, Ubuntu sets up the printer and briefly displays a Printer added message (Figure 14-1). This process can take a couple of minutes. If you want to modify the new printer's configuration, click Configure on the message or use the Printing window (Figure 14-2), described in the next section. Both techniques display the Printer Properties window.

Figure 14-1   Printer added message (a notification reading "'HL-2140-series' is ready for printing")

Figure 14-2   The Printing window (system-config-printer, connected to localhost, showing the HL-2140-series printer)

system-config-printer: CONFIGURING A PRINTER

You must be a member of the lpadmin group (tip)
To modify a printer using the Printing window (system-config-printer), you must be a member of the lpadmin group (the first user is a member of this group). See page 597 for instructions on how to add a user to a group.

The Printing window (Figure 14-2) enables you to add, remove, and configure local and remote printers. To display this window, select Main menu: System > Administration > Printing or give the command system-config-printer from a terminal emulator or Run Application window (ALT-F2).

Default printer
Highlight a printer in the Printing window and select Printer > Set As Default from the window menu to specify the highlighted printer as the default printer. If just one printer appears in the Printing window, it is the default printer; you do not have to set it up as such. The tick on the printer in Figure 14-2 indicates the default printer.
Using system-config-printer is very similar to using the CUPS Web interface, which is discussed on page 555. However, system-config-printer is a native application, not a Web interface.
Double-click a printer in the Printing window to display the Printer Properties window (Figure 14-3) for that printer.
Server Settings
Click Server > Settings from the Printing window menu to display the Server Settings window. The top two check boxes specify whether system-config-printer displays printers that are shared by other systems and whether the local system publishes printers it shares. You control whether a given printer is shared from the Policies selection (discussed in the next section).

CONFIGURATION SELECTIONS
This section describes the six selections found in the frame at the left side of the
Printer Properties window. These selections allow you to configure the printer you
chose in the Printing window.

Figure 14-3   The Printer Properties window (Settings selection for the Brother HL-2140 series printer; selections at the left are Settings, Policies, Access Control, Printer Options, Job Options, and Ink/Toner Levels; Device URI usb://Brother/HL-2140%20series)

Settings
Figure 14-3 shows the Settings selection for a Brother printer. The text boxes labeled Description and Location hold information for your use; the system does not use this information. The text boxes labeled Device URI and Make and Model specify the location and type of the printer.
Policies
Under the word State are check boxes labeled Enabled, Accepting jobs, and Shared. Table 14-1 describes the effects of putting ticks in the first two check boxes. Putting a tick in the check box labeled Shared shares the printer with other systems if the local system publishes shared printers (see "Server Settings," above). The Policies tab also controls whether the printer prints banners before and after jobs and what CUPS does when it encounters an error.
Table 14-1   Printer status

                  Enabled                              Disabled
Accepting jobs    Accepts new jobs into the queue.     Accepts new jobs into the queue.
                  Prints jobs from the queue.          Does not print jobs from the queue
                                                       until the printer is enabled.
Rejecting jobs    Rejects new jobs.                    Rejects new jobs.
                  Prints jobs from the queue.          Does not print jobs from the queue
                                                       until the printer is enabled.

Access Control
The Access Control tab enables you to set the policy for printer access. By default, anyone can use the printer. To restrict access, you can create a blacklist of users who are not allowed to use it. Alternatively, you can prohibit anyone from using the printer and then create a whitelist of users who are allowed to use it. Unless the server requires authentication for the printer, the username CUPS checks is whatever name the submitting client supplies, so treat this list as an administrative convenience rather than a security boundary; the address-based access control in cupsd.conf (see "Sharing CUPS Printers," page 565) and a firewall decide who can reach the server at all.
Printer Options
The Printer Options selection controls image quality, paper size and source (tray), and other generic printer options.
Job Options
The Job Options selection controls the number of copies, orientation (portrait or landscape), scaling, margins, and more. Options specified by an application sending a job to the printer override options you set in this tab. Scroll down to see all options.

Figure 14-4   The New Printer window (Select Device frame listing local devices, Network Printer entries, and connection types such as AppSocket/HP JetDirect, Internet Printing Protocol (ipp), LPD/LPR Host or Printer, and Windows Printer via SAMBA)

Ink/Toner Levels
The Ink/Toner Levels selection reports on ink/toner levels and displays status messages.

SETTING UP A REMOTE PRINTER
As explained earlier, system-config-printer recognizes and sets up a printer when you connect it to the local system and turn it on. This section describes the process of setting up a printer on another system or on the local network. You can also use the same technique for setting up a printer on the local system. For more information on setting up a remote printer, refer to "JumpStart II: Setting Up a Local or Remote Printer Using the CUPS Web Interface" on page 555. Because of the similarity between system-config-printer and the CUPS Web interface, many of the explanations in that section apply here as well.
To add a printer to the local system, click Add on the toolbar in the Printing window. The system-config-printer utility displays the New Printer window (Figure 14-4).
To configure a printer, highlight the printer in the frame labeled Select Device. Click the plus sign (+) to the left of Network Printer to display network printers. The system-config-printer utility displays a description of the printer you highlight.
Specifying a URI
If the printer is not listed, select Other (for a local printer) or one of the selections under Network Printer (for a remote printer) from the Select Device list; system-config-printer displays an appropriate text box on the right side of the window. The URI (page 1179) is the location on the network of the printer; see page 562 for more information. To specify an LPD/LPR printer, use the form lpd://hostname/printer-name; for an IPP printer, use the form ipp://hostname/printers/printer-name; for an HP JetDirect-compatible network printer, use socket://hostname. Replace hostname with the name of the host the printer is attached to (the server) or, for a network printer, the name of the printer. You can specify an IP address instead of hostname. Replace printer-name with the name of the printer on the server. Give the command lpstat -p on the server to display the names of all printers on that system. After selecting or specifying a printer, click the button labeled Verify (if present) to make sure the printer is accessible and then click Forward. The system-config-printer utility searches for a driver for the printer.

Figure 14-5   Selecting a printer manufacturer (the Choose Driver screen of the New Printer window: Select printer from database, Provide PPD file, or Search for a printer driver to download, with a list of Makes)
Next the utility may ask you which printer options you want to install. Specify the options and click Forward.
If system-config-printer displays the Choose Driver screen of the New Printer window (Figure 14-5), you can specify a printer manufacturer (such as HP). Typically system-config-printer selects the manufacturer automatically. Alternatively, you can specify a PPD file (page 561) or search for a driver to download. Click Forward.
The next screen (Choose Driver; Figure 14-6), which system-config-printer may not display, allows you to specify the model of the printer and select which driver you want to use (if more than one is available). Again, these selections are usually highlighted automatically.

Figure 14-6   Selecting a printer model and driver (Choose Driver screen listing HP LaserJet Models and, for the selected model, the available Drivers such as hpijs pcl3 and hpcups)

If the model of the printer you are configuring is not listed, check whether the
printer can emulate another printer (i.e., if it has an emulation mode). If it can,
check whether the manufacturer and model of the printer it can emulate are listed
and set it up that way. If all else fails, click Back and select Generic (at the top of
the list) as the manufacturer. Then click Forward and choose a type of generic
printer from the list box labeled Models. Choose the PostScript Printer from the
list if the printer is PostScript capable. Then select a PostScript driver from the list
box labeled Drivers. If the printer is not PostScript capable, select text-only
printer; you will not be able to print graphics, but you should be able to print text.
Click Forward.
The system-config-printer utility may display a screen showing installable (printer-specific) options. Generally you do not need to make changes to this screen. Click Forward.
On the next screen (Describe Printer; Figure 14-7), you must specify a name for the printer; specifying the description and location is optional. The name of the printer must start with a letter and cannot contain SPACES. If you use only one printer, the name you choose is not important. If you use two or more printers, the name should help users distinguish between them. The printer name is the name of the print queue on the local system. Click Apply.
At this point, the system-config-printer utility closes the New Printer window, asks if you want to display a test page, and displays the new printer in the Printing window. If you have more than one print queue and want to set up the new print queue to be the default, highlight the printer and select Printer > Set As Default from the window menu.

Figure 14-7   Specifying the name of the printer (the Describe Printer screen, with Printer Name, Description (optional), and Location (optional) fields)

JUMPSTART II: SETTING UP A LOCAL OR REMOTE PRINTER USING THE CUPS WEB INTERFACE
This JumpStart explains how to use the CUPS Web interface to set up a printer connected to the local system or connected to the local network.
If the printer you are configuring is on an older Linux system or another UNIX-like operating system that does not run CUPS, the system is probably running LPD/LPR. Newer versions of Linux and UNIX variants that support CUPS (including Mac OS X) support IPP. Most devices that connect printers directly to a network support LPR/LPD; some support IPP.
Printers connected directly to a network are functionally equivalent to printers connected to a system running a print server: They listen on the same ports as systems running print servers and queue jobs.
lpadmin group
At some point the CUPS Web interface will ask for a username and password. Supply your username and password. (You must be a member of the lpadmin group [page 597] to change the printer configuration using the CUPS Web interface.)

Remote administration security (security tip)
When you provide a username and password to the CUPS Web interface, they are transmitted in cleartext over HTTP. The lack of encryption is a security issue when you are administering printers over an insecure network. Use the Web interface from the local system (localhost:631), or reach it through an ssh (page 670) tunnel, rather than exposing it on the network.

Figure 14-8   The Welcome page (Home - CUPS 1.4.3 at http://localhost:631, with Administration, Classes, Online Help, Jobs, and Printers tabs and links to the CUPS documentation for users, administrators, and developers)

Display the CUPS Web interface by pointing a Web browser at localhost:631 on the
system on which you are configuring the printer (Figure 14-8).
Figure 14-9   The first Add Printer page (lists Local Printers, Discovered Network Printers, and Other Network Printers)

Figure 14-10   The second Add Printer page (Name, Description, Location, Connection, and Sharing fields)

Clicking the Administration tab near the top of the page displays the Administration page. On this page click Add Printer to display the first Add Printer page (Figure 14-9). Click the printer you want to install and then click Continue to display the second Add Printer page (Figure 14-10). Enter the name of the printer in the text box labeled Name; this name must start with a letter and not contain any SPACES. You must supply a name; any name will do. Optionally, you can fill in the text boxes labeled Description and Location with text that will help users identify the printer. Put a tick in the check box labeled Sharing if you want to share the printer. Click Continue.
Specifying a device
The next screen asks you to select the model of the printer you want to set up (Figure 14-11). Select the printer you want to use. Click Add Printer.
If the printer is PostScript capable but is not listed, select a PostScript printer such as the Apple LaserWriter 12/640ps. If the printer is not PostScript capable and is not listed, check whether the printer supports PCL; if it does, select another, similar PCL printer. If all else fails, determine which listed printer is most similar to the one you are configuring and specify that printer. You can also try configuring the printer using system-config-printer (page 550), which offers a different choice of models.
After you click Add Printer, the CUPS Web interface displays the Set Default Options page. This page allows you to set printer options and configuration information. Click the buttons at the top of the page, browse through the selections, and make any changes you like. Frequently you need change nothing. Click Set Default Options.

Figure 14-11   Selecting the printer model on the Add Printer page (Make: HP; a list of Models with their drivers, such as hpijs pcl3, hpcups, and CUPS+Gutenprint)

Info ColorPtr
DeviceURI parallel:/dev/lp0
State Idle
StateTime 1180495957
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job

The lpadmin command decompresses and copies the printer driver information from the /usr/share/ppd/custom/ file to /etc/cups/ppd. The resulting file is given the printer's name: /etc/cups/ppd/ColorPtr.ppd.
You can modify a printer configuration with lpadmin using the same options that you used to add it. When you specify the name of an existing printer, lpadmin modifies the printer rather than creating a new one.


The next command configures an HP LaserJet-compatible printer with a JetDirect interface that is connected directly to the LAN at 192.168.1.103 and names this printer HPLJ. Specifying socket in the protocol part of the URI instructs CUPS to use the JetDirect protocol, a proprietary protocol developed by HP for printers connected directly to a network. The -E option, given after -p as here, enables the printer and sets it to accept jobs; given before -p, -d, or -x it instead forces an encrypted connection to the scheduler.
$ lpadmin -p HPLJ -E -v socket://192.168.1.103 -P /usr/share/ppd/custom/laserjet.ppd.gz

The lpstat utility with the -d option displays the name of the default printer:
$ lpstat -d
system default destination: MainPrinter

CUPS automatically makes the first printer you define the default printer. The following command makes HPLJ the default printer:
$ lpadmin -d HPLJ

The following command removes the configuration for the ColorPtr printer:
$ lpadmin -x ColorPtr

PRINTING QUOTAS
CUPS provides rudimentary printing quotas. You can define two forms of quotas:
page count and file size. File size quotas are almost meaningless because a small
PostScript file can take a long time to interpret and can require a lot more ink to
print than a large one. Page quotas are more useful, although their implementation
is flawed. To determine the number of pages in a document, CUPS examines the
PostScript input. If a job is submitted in the printer's native language, such as PCL,
CUPS bypasses this accounting mechanism. Also, if mpage is used to create a PostScript file with multiple pages printed on each sheet, CUPS counts each page in the
original document, rather than each sheet of paper it prints on.
Use job-quota-period and either job-page-limit or job-k-limit to establish a quota
for each user on a given printer. The job-quota-period option specifies the number
of seconds that the quota remains valid. The following command establishes a
quota of 20 pages per day per user for the printer named HPLJ:
$ lpadmin -p HPLJ -o job-quota-period=86400 -o job-page-limit=20

The job-k-limit option works similarly but defines a file size limit in kilobytes. The
limit is the total number of kilobytes that each user can print during the quota
period. Once a user has exceeded her quota, she will not be allowed to print until
the next quota period.
MANAGING PRINT QUEUES
When a printer is operating normally, it accepts jobs into its print queue and prints those jobs in the order they are received. You can give the command cupsreject followed by the name of a printer to cause a printer to not accept jobs into its print queue; give the command cupsaccept to reenable it. You can also use system-config-printer to control the print queue; refer to "Settings" on page 551. Two factors determine how a printer handles a job: if the printer is accepting jobs and if it is enabled. Table 14-1 on page 551 describes what happens with the various combinations of the two factors.
The utilities that change these factors are cupsdisable, cupsenable, cupsreject, and
cupsaccept. Each utility takes the name of a printer as an argument. The following
commands first disable and then enable the printer named HPLJ:
$ cupsdisable HPLJ
$ cupsenable HPLJ
The next commands cause HPLJ to reject and then accept jobs:
$ cupsreject HPLJ
$ cupsaccept HPLJ

SHARING CUPS PRINTERS
IPP facilitates remote printing. The Listen directive in the CUPS configuration file, /etc/cups/cupsd.conf, specifies which IP address and port or which domain socket path CUPS binds to and accepts requests on. The Listen directive has the following format:
Listen IP:port | path
where IP is the IP address that CUPS accepts connections on, port is the port number that CUPS listens on for connections on IP, and path is the pathname of the UNIX domain socket through which local clients (such as lp and lpstat) communicate with cupsd. CUPS typically uses port 631. By default, it binds to localhost. Thus it accepts connections from the loopback interface of the local system only. CUPS uses /var/run/cups/cups.sock, a local domain socket, for those local clients. It can also use a Port directive to specify the port number it listens to for HTTP requests; a Port directive binds to all interfaces, so it is the same as Listen *:port.
$ grep -i listen /etc/cups/cupsd.conf
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
To allow other systems to connect to the CUPS server on the local system, you must instruct CUPS to bind to an IP address that the other systems can reach. The following directive would be appropriate on a CUPS server running on 192.168.0.12:
Listen 192.168.0.12:631
This directive, when placed after the other Listen directives, would cause CUPS to listen on IP address 192.168.0.12, port 631. Every location in cupsd.conf, including /admin, becomes reachable at that address, so pair the Listen directive with the access control lists described below. When you change cupsd.conf, you need to call the cups init script to restart the cupsd daemon (page 549).
Some directives in cupsd.conf use the @LOCAL macro, which is internal to CUPS and specifies the local system. This macro accepts communication from any address that resolves to the local system.


Once you restart cupsd, remote systems can print on the local system's printers
using the IP address and port number specified by the Listen directive. If the server
is running a firewall, you need to allow remote systems to connect through it; see
page 549.
Alternatively, you can use CUPS's access control list to permit only selected
machines to connect to local printers. An access control list is defined inside a
<Location> container (see page 918 for the Apache equivalent). The following
example allows only the system at IP address 192.168.1.101 and the local system to
print to the specified printer:


The /printers indicates that this container refers to all local printers. Alternatively,
you can control access on a per-printer basis by specifying /printers/printer-name,
where printer-name is the printer name, or by specifying /printers/path.ppd, where
path.ppd is the full pathname of the PPD file (page 561) used by the printer.
The Order Deny,Allow directive allows access by default and denies access only to
clients specified in Deny from directives. The Order Allow,Deny directive denies
print requests by default and allows requests from specified addresses. You can use
domain names, including wildcards, and IP ranges with either wildcards or netmasks in Allow from and Deny from directives. These directives work the same way
they do in Apache. For more information refer to "Order" on page 931.
With the Order Deny,Allow directive, Deny from specifies the only IP addresses
CUPS does not accept connections from. When you use the Order Allow,Deny directive, Allow from specifies the only IP addresses CUPS accepts connections from.
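As an added example that is not part of the book, the following POSIX shell script builds two constructed cupsd.conf files, one with the Listen directive and the Order Allow,Deny access list just described and one that allows by default, and audits each: it lists every Listen target that is reachable from the network and reports which policy guards /printers. The function names and sample files are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): audit which addresses a CUPS
# server accepts requests on and how the /printers container is
# guarded. Both cupsd.conf files below are constructed for this
# example; they are not real system files.
set -e

SHARED_CONF=$(mktemp)
OPEN_CONF=$(mktemp)
trap 'rm -f "$SHARED_CONF" "$OPEN_CONF"' EXIT

# Server shared on the LAN, with an access list that denies by default
# and admits one client plus the local system.
cat >"$SHARED_CONF" <<'EOF'
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
# Constructed: also accept requests on the LAN interface.
Listen 192.168.0.12:631

<Location /printers>
  Order Allow,Deny
  Allow from 192.168.1.101
  Allow from @LOCAL
</Location>
EOF

# Same listeners, but the access list admits everyone not explicitly denied.
cat >"$OPEN_CONF" <<'EOF'
Listen localhost:631
Listen 192.168.0.12:631
<Location /printers>
  Order Deny,Allow
  Deny from 10.0.0.*
</Location>
EOF

cups_exposed_listeners() {
    # Print the target of every Listen directive in $1 that is neither
    # a loopback address nor a local domain socket path.
    awk 'tolower($1) == "listen" {
             a = $2
             if (a ~ /^\//) next                  # domain socket
             if (a ~ /^localhost(:|$)/) next      # loopback by name
             if (a ~ /^127\./) next               # IPv4 loopback
             if (a ~ /^\[?::1]?(:|$)/) next       # IPv6 loopback
             print a
         }' "$1"
}

cups_location_policy() {
    # $1 = cupsd.conf, $2 = container path such as /printers.
    # Prints deny-by-default for Order Allow,Deny, allow-by-default for
    # Order Deny,Allow (or no Order line), and missing if the container
    # does not exist.
    awk -v want="$2" '
        BEGIN { found = 0; policy = "allow-by-default" }
        tolower($1) == "<location" {
            p = $2; sub(/>$/, "", p)
            inside = (p == want); if (inside) found = 1; next
        }
        tolower($1) == "</location>" { inside = 0; next }
        inside && tolower($1) == "order" && tolower($2) == "allow,deny" {
            policy = "deny-by-default"
        }
        END { print (found ? policy : "missing") }' "$1"
}

cups_audit() {
    # Report each network-reachable listener together with the policy
    # that governs /printers. Returns 1 when the server is reachable
    # from the network without a deny-by-default access list.
    policy=$(cups_location_policy "$1" /printers)
    status=0
    for addr in $(cups_exposed_listeners "$1"); do
        echo "$addr reachable from the network; /printers is $policy"
        [ "$policy" = deny-by-default ] || status=1
    done
    return $status
}

cups_audit "$SHARED_CONF"
cups_audit "$OPEN_CONF" || echo "OPEN_CONF accepts jobs from any host not named in a Deny from directive"
```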

PRINTING FROM WINDOWS
This section explains how to use printers on Linux CUPS servers from Windows
machines. CUPS is easier to manage and can be made more secure than using
Samba to print from Windows.

PRINTING USING CUPS
Modern versions of Windows (2000 and later) support IPP and, as a result, can
communicate directly with CUPS. To use this feature, you must have CUPS configured on the Linux print server to allow remote IPP printing; you also need to create
a new printer on the Windows system that points to the IP address of the Linux
print server.


First set up the /etc/cups/cupsd.conf file to allow network printing from a client, as
explained in "Sharing CUPS Printers" on page 565. Setting up CUPS to allow printing from a Windows machine is exactly the same as setting it up to allow printing
from a Linux client system. If necessary, open the firewall as explained on page 549.
From Windows XP, go to Control Panel⇒Printers and Faxes and click Add Printer.
Click Next in the introductory window and select A network printer or a printer
attached to another computer. Click Next. Select Connect to a printer on the Internet or on a home or office network and enter the following information in the text
box labeled URL:
http://hostname:631/printers/printer-name
where hostname is the name or IP address of the Linux CUPS server system and
printer-name is the name of the printer on that system. For example, for the printer
named dog88 on the system named dog at IP address 192.168.0.12, you could enter
http://dog:631/printers/dog88 or http://192.168.0.12:631/printers/dog88. If you
use a hostname, it must be defined in the hosts file on the Windows machine. Windows requests that you specify the manufacturer and model of printer or provide a
driver for the printer. If you supply a printer driver, use the Windows version of the
driver.
After Windows copies some files, the printer appears in the Printers and Faxes window. Right-click the printer and select Set as Default Printer to make it the default
printer. You can specify comments, a location, and other attributes of the printer by
right-clicking the printer and selecting Properties.

PRINTING USING SAMBA
This section assumes that Samba (page 797) is installed and working on the Linux
system that controls the printer you want to use from Windows. Samba must be set
up so that the Windows user who will be printing is mapped to a Linux user
(including mapping the Windows guest user to the Linux user nobody). Make sure
these users have Samba passwords. Refer to "Samba Users, User Maps, and Passwords" on page 799.
Windows supports printer sharing via SMB, which allows a printer to be shared
transparently between Windows systems using the same mechanism as file sharing.
Samba allows Windows users to use printers connected to Linux systems just as
they would use any other shared printers. Because all Linux printers traditionally
appear to be PostScript printers, the Linux print server appears to share a PostScript
printer. Windows does not include a generic PostScript printer driver. Instead, Windows users must select a printer driver for a PostScript printer. The Apple LaserWriter 12/640ps driver is a good choice.
When you install Samba, the dpkg postinst script creates a directory named
/var/spool/samba that is owned by the root account and that anyone can read from
and write to. The sticky bit (page 1174) is set for this directory, allowing a Windows


user who starts a print job as a Linux user to be able to delete that job, but denying
users the ability to delete the print jobs of other users. Make sure this directory is in
place and has the proper ownership and permissions:
$ ls -ld /var/spool/samba

drwxrwxrwt 2 root root 4096 2010-10-10 12:29 /var/spool/samba
Put the following two lines in the [global] section of the /etc/samba/smb.conf file:
[global]
printing = cups
printcap name = cups
The printer's share is listed in the [printers] section in smb.conf. In the following
example, the path is the path Samba uses as a spool directory and is not a normal
share path. The settings allow anyone, including guest, to use the printer. The
[printers] section in the default smb.conf file has the following entries, which are
appropriate for most setups:
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
Ideally each user who plans to print should have an account. Otherwise, when multiple users share the same account (for example, the nobody account), they can
delete one another's print jobs.
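As an added example that is not part of the book, the following POSIX shell script checks both prerequisites above against a constructed smb.conf and a temporary directory standing in for /var/spool/samba: the [global] and [printers] entries, and the root-owned, world-writable spool directory with the sticky bit set. The function names and sample file are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): check the two prerequisites for
# printing through Samba that the text describes, the spool directory
# permissions and the smb.conf printing settings. The smb.conf below is
# constructed for this example.
set -e

SMB_CONF=$(mktemp)
SPOOL_DIR=$(mktemp -d)
trap 'rm -rf "$SMB_CONF" "$SPOOL_DIR"' EXIT

cat >"$SMB_CONF" <<'EOF'
[global]
   printing = cups
   printcap name = cups
; comment lines are ignored
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
EOF
chmod 1777 "$SPOOL_DIR"   # world-writable with the sticky bit, like /var/spool/samba

samba_spool_ok() {
    # $1 = spool directory, $2 = numeric owner expected (0 = root by default).
    # Passes when ls -ldn shows drwxrwxrwt and the expected owner: every
    # Samba user may create jobs, but the sticky bit stops users from
    # deleting one another's jobs.
    dir=$1; want_uid=${2:-0}
    set -- $(ls -ldn "$dir" 2>/dev/null)
    mode=${1%[+.]}                # ignore a trailing ACL/SELinux marker
    [ "$mode" = drwxrwxrwt ] && [ "$3" = "$want_uid" ]
}

smb_get() {
    # $1 = smb.conf, $2 = section, $3 = parameter. Prints the value
    # (empty if unset); section and parameter names are matched
    # case-insensitively with surrounding blanks trimmed, as Samba does.
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|][ \t]*$/, "", s)
                      insec = (tolower(s) == tolower(sec)); next }
        insec && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

samba_print_config_ok() {
    # Verify the [global] and [printers] entries the text calls for.
    conf=$1
    [ "$(smb_get "$conf" global printing)" = cups ] ||
        { echo "[global] printing must be cups"; return 1; }
    [ "$(smb_get "$conf" global 'printcap name')" = cups ] ||
        { echo "[global] printcap name must be cups"; return 1; }
    [ "$(smb_get "$conf" printers printable)" = yes ] ||
        { echo "[printers] must be printable"; return 1; }
    [ "$(smb_get "$conf" printers path)" = /var/spool/samba ] ||
        { echo "[printers] path must be the Samba spool directory"; return 1; }
    echo "smb.conf printing settings look right; guest ok = $(smb_get "$conf" printers 'guest ok')"
}

samba_print_config_ok "$SMB_CONF"
if samba_spool_ok "$SPOOL_DIR" "$(id -u)"; then
    echo "$SPOOL_DIR has the mode a correct /var/spool/samba shows (drwxrwxrwt)"
fi
```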

PRINTING TO WINDOWS
CUPS views a printer on a Windows machine exactly the same way it views any
other printer. The only difference is the URI you need to specify when connecting it.
To configure a printer connected to a Windows machine, go to the Printer page in
the CUPS Web interface and select Add Printer, just as you would for a local printer.
When you are asked to select the device, choose Windows Printer via SAMBA.
Enter the URI of the printer in the following format:
smb://windows_system/printer_name
where windows_system can be an IP address or a hostname. Once you have added
the printer, you can use it as you would any other printer.

CHAPTER SUMMARY
A printing system such as CUPS sets up printers. It also moves print jobs from an
application or the command line through the appropriate filters and into a queue
for a suitable printer and then prints those jobs.


CUPS is a cross-platform print server built around IPP (Internet Printing Protocol).
It handles setting up and sending jobs through print queues. The easiest way to configure printers is via the Printing window (system-config-printer). You can also configure CUPS using the Web interface, which you can access by pointing a Web
browser at localhost:631 on the system the printer is connected to. From the Web
interface, you can configure print queues and modify print jobs in the queues.
You can use the traditional UNIX commands from a command line to send jobs to
a printer (lpr/lp), display a print queue (lpq/lpstat), and remove jobs from a print
queue (lprm/cancel). In addition, CUPS provides the lpinfo and lpadmin utilities,
which allow you to configure printers from the command line.
CUPS and Samba enable you to print on a Linux printer from a Windows machine,
and vice versa.

EXERCISES
1. Which commands can you use from the command line to send a file to the
default printer?
2. Which command would you give to cancel all print jobs on the system?
3. Which commands list your outstanding print jobs?
4. What is the purpose of sharing a Linux printer using Samba?
5. Name three printing protocols that CUPS supports. Which is the CUPS
native protocol?

ADVANCED EXERCISES
6. Which command lists the installed printer drivers available to CUPS?
7. How would you send a text file to a printer connected to the first parallel
port without using a print queue? Why is doing so a bad idea?
8. Assume you have a USB printer with a manufacturer-supplied PostScript
printer definition file named newprinter.ppd. Which command would you
use to add this printer to the system on the first USB port with the name
USBPrinter?
9. How would you define a quota that allows each user to print up to 50
pages per week to the printer named LaserJet?
10. Define a set of access control rules for a <Location> container inside
/etc/cups/cupsd.conf that would allow anyone to print to all printers as
long as they were either on the local system or in the mydomain.com
domain.


15
BUILDING A LINUX KERNEL
IN THIS CHAPTER
Downloading the Kernel Source Code . . . 573
Configuring and Compiling the Linux Kernel . . . 575
Installing the Kernel, Modules, and Associated Files . . . 582
GRUB: The Linux Boot Loader . . . 583
dmesg: Displays Kernel Messages . . . 589

Once you have installed Ubuntu Linux, you may want to reconfigure and build a new Linux kernel. Ubuntu Linux comes with a prebuilt kernel that simplifies the installation process. However, this kernel may not be properly configured for all system features. By configuring and building a new kernel, you can create one that is customized for a system and its unique needs. A customized kernel is typically smaller than a generic one.
Sometimes you do not need to build a new kernel. Instead, you can dynamically change many things that used to require building a new kernel. Two ways to make these changes are by using boot command-line parameters (page 82) or by modifying /etc/sysctl.conf, which sysctl uses when the system boots (page 572).
You can add the same parameters you use on the boot command line to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub. For example, acpi=off prevents acpid (the advanced configuration and power interface daemon) from starting. See page 82 for more information.

sysctl
The sysctl utility modifies kernel parameters while the system is running. This utility takes advantage of the facilities of /proc/sys, which defines the parameters that sysctl can modify.
The command sysctl -a displays a complete list of sysctl parameters. An example of displaying and changing the domainname kernel parameter follows. The quotation marks are not required in this example, but you must quote any characters that would otherwise be interpreted by the shell.
$ /sbin/sysctl kernel.domainname
kernel.domainname = tcorp.com
$ sudo /sbin/sysctl -w kernel.domainname="example.com"
kernel.domainname = example.com
$ /sbin/sysctl kernel.domainname
kernel.domainname = example.com

Have the installation CD/DVD handy when you build a new kernel
caution

When you build a new Linux kernel to install a new version or to change the configuration of the existing version, make sure you have the installation CD/DVD handy. This disk allows you to reboot the system, even when you have destroyed the system software completely. Having this CD/DVD available can mean the difference between momentary panic and a full-scale nervous breakdown.
Before you can start building a new kernel, you must download, install, and clean the source code. You also need to build a configuration file that describes the new kernel you want to build. This chapter describes the steps involved in completing these tasks.

PREREQUISITES
Install the following packages:
• linux-source (the latest released Ubuntu kernel source code; not needed if you use git to download the code). Attempting to install linux-source displays the name of the package holding the latest kernel, which you then install; refer to the next section.
• build-essential (metapackage; includes the packages required to compile the code).
• fakeroot, kernel-package (kernel-specific)
• git-core (to use git to download the kernel source code)
• ncurses-dev (to configure the kernel using make menuconfig)
• libglade2-dev (to configure the kernel using make gconfig)
• module-assistant, debhelper (to create modules)


Compiling a kernel takes a lot of disk space
tip

Make sure you have enough disk space before you compile a kernel. Once you compile a default kernel, it occupies approximately 3.5 gigabytes. This disk space must be available on the filesystem in which you compile the kernel.

DOWNLOADING THE KERNEL SOURCE CODE
This section describes two ways to download kernel source code on the local system: aptitude (or Synaptic, page 133) and git. If you want to download code that has not been customized (patched) by Ubuntu, visit kernel.org or see the section on git.

aptitude: DOWNLOADING AND INSTALLING THE KERNEL SOURCE CODE
The easiest way to download and install the updated kernel source code for the most recently released version of the Ubuntu kernel is to use aptitude. The following commands make sure that the package index is up-to-date and download the linux-source package. The dpkg postinst script puts the compressed source code in /usr/src/linux-source*:
$ sudo aptitude update
$ sudo aptitude install linux-source
The following NEW packages will be installed:
  linux-source linux-source-2.6.32{a}
$ ls -l /usr/src/linux-source*
-rw-r--r-- 1 root root 65726108 2010-04-09 18:23 /usr/src/linux-source-2.6.32.tar.bz2

Because /usr/src is associated with the src group, if you are a member of this group (page 492), you can extract and build kernels in the /usr/src directory. Otherwise, you can unpack the kernel in any directory you have write access to.

Do not work with root privileges
caution

You do not need to—nor should you—work as a user with root privileges for any portion of configuring or building the kernel except for installation (the last step). The kernel README file says, "Don't take the name of root in vain." As long as you are a member of the src group, you can download, configure, and compile the kernel in a directory under /usr/src without working with root privileges.
You can add a user to the src group using usermod. The following command adds Max to the src group so he can work in /usr/src. Max must log out and log in again to have the system recognize him as a member of the src group.
$ sudo usermod --append --groups src max

If you are not working in /usr/src, you must copy the linux-source* file to the directory you are working in; otherwise, cd to /usr/src. Use tar to unpack the Linux source file:
$ tar -xjf linux-source-2.6.32.tar.bz2

git: OBTAINING THE LATEST KERNEL SOURCE CODE
The git utility (GNU interactive tools, git-scm.com) can download the latest versions of the source code for several different kernels and can keep that source code up-to-date. If it is not already installed, give the following command to install git:
$ sudo aptitude install git-core

Install the git-core package, not the git package
tip

Make sure to install the git-core package and not the git package. The git package is not useful
for downloading kernel source code.
The following command uses git to download a copy of the development (not the released) kernel into the ubuntu-2.6 subdirectory of the working directory. As a member of the src group, you can work in the /usr/src directory. Otherwise, you can work in any directory you have write access to. You can and should work as a nonprivileged user.
$ git clone git://kernel.ubuntu.com/ubuntu/ubuntu-lucid.git ubuntu-2.6
Initialized empty Git repository in /home/sam/ubuntu-2.6/.git/
remote: Counting objects: 1624172, done.
remote: Compressing objects: 100% (292458/292458), done.
remote: Total 1624172 (delta 1346015), reused 1596040 (delta 1318584)
Receiving objects: 100% (1624172/1624172), 468.69 MiB | 392 KiB/s, done.
Resolving deltas: 100% (1346015/1346015), done.
Checking out files: 100% (31201/31201), done.
See kernel.ubuntu.com/git and git.kernel.org for a list of Ubuntu kernels you can download. Substitute the URL of the kernel you want to download for the URL in the preceding command and specify the name of an appropriate directory to hold the files you download. For example, the following command downloads the latest Jaunty kernel into the jaunty directory in the working directory:
$ git clone git://kernel.ubuntu.com/ubuntu/ubuntu-jaunty.git jaunty
Once you have downloaded the kernel, cd to the directory that holds the code and give the following command to update the source code to match that available at the URL you specified in the git-clone command:
$ git pull
Already up-to-date.
The files you just downloaded should be up-to-date, as shown in the example. Give this command any time you want to synchronize the code in the working directory with the latest source code at the URL.

/usr/src/linux: THE WORKING DIRECTORY
Traditionally the source for the kernel that the system is running is kept in /usr/src/linux. The following command creates the appropriate symbolic link. This example shows the name of the kernel directory as linux-source-2.6.32; the name on the system you are working on will be slightly different.
# ln -s /usr/src/linux-source-2.6.32 /usr/src/linux
After you give these commands, the kernel source is located in /usr/src/linux. The rest of this chapter assumes that the kernel source is in this location.

Now the working directory is /usr/src/linux
tip

All commands in this section on building a kernel are given relative to the top-level directory that holds the kernel source. Traditionally this directory is /usr/src/linux. Make sure that this directory is your working directory before proceeding. If necessary, link the directory holding the kernel source in /usr/src to /usr/src/linux as explained above.

READ THE DOCUMENTATION
The kernel package includes the latest documentation, some of which may not be available in other documents. You may wish to review the README file in the top level of the kernel source directory and the relevant files in the Documentation subdirectory. In addition, a lot of information is available in the /usr/share/doc/kernel-package directory. Read the Linux Kernel-HOWTO for a detailed, somewhat dated, generic guide to installing and configuring the Linux kernel.

CONFIGURING AND COMPILING THE LINUX KERNEL
This section describes how to configure the kernel, how to compile it, and how to download and compile kernel modules.

.config: CONFIGURES THE KERNEL
Before you can compile the code and create a Linux kernel, you must decide and specify which features you want the kernel to support. You can configure the kernel to support most features in one of two ways: by building the feature into the kernel or by specifying the feature as a loadable kernel module (page 580), which is loaded into the kernel only as needed. In deciding which method to use, you must weigh the size of the kernel against the time it takes to load a module. Make the kernel as small as possible while minimizing how often modules have to be loaded. Do not make the SCSI driver modular unless you have a reason to do so.
The .config file in the directory you downloaded the source code in controls which features the new kernel will support and how it will support them. "Customizing a Kernel" (page 577) explains how to create a default version of this file if it does not exist and how to edit the file if it does exist.

REPLACING A CUSTOM KERNEL
If you have already configured a custom kernel, you may want to replace it with a similarly configured, newer kernel. Each kernel potentially has new configuration options, however—which explains why it is poor practice to use an old .config file for compiling a new kernel. This section explains how to upgrade an existing .config file so it includes options that are new to the new kernel and maintains the existing configuration for the old options.
Work in the directory you downloaded or extracted the source code to. The system keeps a copy of the configuration file for the kernel the local system is running in /boot. The following command copies this file to .config in the working directory:
$ cp /boot/config-$(uname -r) .config
In this command, the shell executes uname -r and replaces $(uname -r) with the output of the command, which is the name of the release of the kernel running on the local system. For more information refer to "Command Substitution" on page 362.
Next give the command make oldconfig to patch the .config file with options from the new kernel that are not present in the old kernel. This command displays each kernel option that is the same in the new and old kernels and automatically sets the state of the option in the new kernel the same way it was set in the old kernel. It stops when it finds an option that appears in the new kernel but not in the old kernel. It then displays a prompt, which is similar to [N/y/?] (NEW), showing possible responses and indicating this option is new. The prompt shows the default response as an uppercase letter; you can type this letter (uppercase or lowercase) and press RETURN, or just press RETURN to select this response. In the example, the Tickless System option is new and the default response is Y for yes, include the option in the kernel. To select a nondefault response (n means no, do not include the option and m means include the option as a module), you must type the letter and press RETURN. Enter ? followed by RETURN to display more information about the option.
$ make oldconfig
scripts/kconfig/conf -o arch/i386/Kconfig
#
# Linux Kernel Configuration
#
#
# Code maturity level options
#
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
#
# General setup
#
Local version - append to kernel release (LOCALVERSION) []
Automatically append version information to the version string (LOCALVERSION_AUTO) [N/y/?] n
#
# Processor type and features
#
Tickless System (Dynamic Ticks) (NO_HZ) [Y/n/?] (NEW) ? ?
This option enables a tickless system: timer interrupts will
only trigger on an as-needed basis both when the system is
busy and when the system is idle.
Tickless System (Dynamic Ticks) (NO_HZ) [Y/n/?] (NEW) ? RETURN
High Resolution Timer Support (HIGH_RES_TIMERS) [Y/n/?] y
Symmetric multi-processing support (SMP) [Y/n/?] y
Subarchitecture Type
> 1. PC-compatible (X86_PC)
  2. AMD Elan (X86_ELAN)
#
# configuration written to .config
#
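As an added example that is not part of the book, the following POSIX shell script performs the comparison make oldconfig does, using two constructed .config files standing in for /boot/config-$(uname -r) and the new kernel's defaults: it lists the options that are new, the options the new kernel no longer has, and produces a merged .config that keeps the old settings and takes the new default only for new options. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the book): compare an old .config with the
# option set of a newer kernel, which is the bookkeeping make oldconfig
# performs when it prompts with (NEW). Both .config files below are
# constructed for this example; real ones hold thousands of options.
set -e

OLD_CONFIG=$(mktemp)
NEW_CONFIG=$(mktemp)
trap 'rm -f "$OLD_CONFIG" "$NEW_CONFIG"' EXIT

# Stand-in for /boot/config-$(uname -r), the running kernel's settings.
cat >"$OLD_CONFIG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_HIGH_RES_TIMERS=y
CONFIG_SMP=y
CONFIG_SCSI=y
CONFIG_OLD_DRIVER=m
EOF

# Stand-in for the newer kernel's defaults: NO_HZ is new, OLD_DRIVER is
# gone, and two defaults (SMP, SCSI) differ from the old settings.
cat >"$NEW_CONFIG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
# CONFIG_SMP is not set
CONFIG_SCSI=m
EOF

# awk prologue shared by the functions below: reads the old .config
# (first file) into oldv[] and the new one (second file) into newv[],
# remembering each file's option order. "# CONFIG_X is not set" is
# stored as the value n.
CONFIG_PARSE='
    function record(name, value) {
        if (FILENAME == ARGV[1]) { oldv[name] = value; oldorder[++m] = name }
        else                     { newv[name] = value; neworder[++n] = name }
    }
    /^CONFIG_[A-Za-z0-9_]+=/ {
        i = index($0, "="); record(substr($0, 1, i - 1), substr($0, i + 1)); next
    }
    /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { record($2, "n") }
'

config_new_options() {
    # Options present in the new kernel ($2) but absent from the old
    # .config ($1): the ones make oldconfig prompts for with (NEW).
    awk "$CONFIG_PARSE"'
        END { for (i = 1; i <= n; i++) if (!(neworder[i] in oldv)) print neworder[i] }
    ' "$1" "$2"
}

config_dropped_options() {
    # Options in the old .config ($1) that the new kernel ($2) no longer
    # has; make oldconfig drops these silently.
    awk "$CONFIG_PARSE"'
        END { for (i = 1; i <= m; i++) if (!(oldorder[i] in newv)) print oldorder[i] }
    ' "$1" "$2"
}

config_merge() {
    # Emit a .config for the new kernel that keeps every old setting and
    # takes the new default only for options the old kernel lacked.
    awk "$CONFIG_PARSE"'
        END {
            for (i = 1; i <= n; i++) {
                name = neworder[i]
                val = (name in oldv) ? oldv[name] : newv[name]
                if (val == "n") print "# " name " is not set"
                else print name "=" val
            }
        }
    ' "$1" "$2"
}

echo "New options (make oldconfig would prompt for these):"
config_new_options "$OLD_CONFIG" "$NEW_CONFIG"
echo "Options the new kernel no longer has:"
config_dropped_options "$OLD_CONFIG" "$NEW_CONFIG"
echo "Merged .config:"
config_merge "$OLD_CONFIG" "$NEW_CONFIG"
```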

CUSTOMIZING A KERNEL
You can use one of three standard commands to build the .config file that configures a Linux kernel:
$ make config
$ make menuconfig
$ make gconfig
See "Prerequisites" on page 572 for a list of packages required to run all but the first of these commands.
If a .config file does not exist in the working directory, each of these commands except the first sets up a .config file that matches the kernel the local system is running and then allows you to modify that configuration. The commands can set up this .config file only if the configuration file for the locally running kernel is in /boot/config-$(uname -r). See the preceding section if you want to build a new kernel with a configuration similar to that of an existing kernel.
The make config command is the simplest of the three commands, uses a textual interface, and does not require additional software. It is, however, the most unforgiving and hardest to use of the configuration interfaces. The make menuconfig command uses a pseudographical interface and also displays a textual interface. The make gconfig command uses GTK+ (www.gtk.org) and displays a graphical interface.
Each command asks the same questions and produces the same result, given the same responses. The first and second commands work in character-based environments; the third command works in graphical environments. For many administrators working with a GUI, the third method is the easiest to use.


Figure 15-1 The Linux Kernel Configuration window, split view

The make gconfig command displays the Linux Kernel Configuration window, which you can view in three configurations: single, split, or full view. Choose a view by clicking one of the three icons to the right of the floppy diskette on the toolbar. Figure 15-1 shows the split view. In this view, the left frame shows the options and the top-right view lists the features for each option. The bottom-right view describes the highlighted option or feature. Figure 15-2 shows the full view.
In any view, you can click the boxes and circles next to the choices and subchoices. An empty box/circle indicates the feature is disabled, a tick indicates it is to be included in the kernel, and a dot means it is to be compiled as a module. With a choice or subchoice highlighted, you can also press M for module, N for not included, and Y for compiled into the kernel. Select Menubar: Options⇒Show All Options to display all options and features.
Figure 15-2 The Linux Kernel Configuration window, full view
Quit and then clicking Restart. If you are working at the console, press CONTROL-ALT-DEL. You can also give a reboot command from the console, a character-based terminal, or a terminal emulator.

GRUB: THE LINUX BOOT LOADER

MBR  A boot loader is a very small program that the bootstrap (page 1138) process uses as it brings a computer from off or reset to a fully functional state. The boot loader frequently resides on the starting sectors of a hard disk called the master boot record (MBR).
BIOS  The BIOS (page 1137), which is stored in an EEPROM (page 1147) on the system's motherboard, gains control of a system when you turn on or reset the computer. After testing the hardware, the BIOS transfers control to the MBR, which usually passes control to the partition boot record. This transfer of control starts the boot loader, which is responsible for locating the operating system kernel (kept in the /boot directory), loading that kernel into memory, and starting it running. The /boot directory, which may be mounted on a separate partition, must be present for the system to boot Linux. Refer to "Booting the System" on page 444 for more information on what happens from this point forward.
LBA addressing mode and the /boot partition  All newer hard disks support LBA (logical block addressing) mode. LBA permits the /boot directory to appear anywhere on the hard disk. For LBA to work, it must be supported by the hard disk, the BIOS, and the operating system (GRUB in the case of Linux). Although both GRUB 2 and GRUB legacy support LBA addressing mode, some BIOSes do not. For this reason, it is a good idea to place the /boot directory in its own partition located near the beginning of the hard disk. With this setup, the root (/) filesystem can be anywhere on any hard drive that Linux can access regardless of LBA support. Also, systems with LVM require a separate boot partition. In some instances, without a separate /boot partition, the system may boot at first, but then fail as you update the kernel and the kernel files move further from the beginning of the disk.
GRUB 2  GRUB stands for Grand Unified Boot loader. With release 9.10 (Karmic Koala), Ubuntu introduced GRUB 2, which this book refers to simply as GRUB. This book refers to the first release as GRUB legacy. GRUB 2 is a complete rewrite of GRUB legacy; few of the configuration files are the same.

584  CHAPTER 15  BUILDING A LINUX KERNEL

tip  Upgrading from releases before Karmic Koala (9.10) will not upgrade GRUB
Upgrading (page 32) Ubuntu from Karmic Koala (9.10) or a previous release of Ubuntu will not upgrade GRUB legacy to GRUB 2. Visit wiki.ubuntu.com/Grub2#Installing for instructions on upgrading from GRUB legacy to GRUB 2.

A product of the GNU project, the GRUB loader conforms to the multiboot specification (page 1160), which allows it to load many free operating systems directly as well as to chain load (page 1140) proprietary operating systems. The GRUB loader can recognize various types of filesystems and kernel executable formats, allowing it to load an arbitrary operating system. When you boot the system, GRUB can display a menu of choices that is generated by the /boot/grub/grub.cfg file (page 587). At this point you can modify a menu selection, choose which operating system or kernel to boot, or do nothing and allow GRUB to boot the default system.
When you install GRUB at the time you install Linux, the installation program configures GRUB automatically. See the grub info page and www.gnu.org/software/grub for more information on GRUB.

CONFIGURING GRUB

As mentioned earlier, GRUB 2 uses a different set of files than GRUB legacy. You control most of the frequently changed aspects of GRUB by editing the /etc/default/grub file (discussed next) and running update-grub (page 587), which generates the /boot/grub/grub.cfg file (page 587). You can edit files in the /etc/grub.d directory (page 586) to perform advanced configuration of the GRUB menu. The grub.cfg file is comparable to the GRUB legacy /boot/grub/menu.lst file, but it is a poor idea to edit the grub.cfg file because it is generated by update-grub and is overwritten each time that utility is run.

/etc/default/grub: THE PRIMARY GRUB CONFIGURATION FILE

Changing the values of variables in the /etc/default/grub file allows you to modify many aspects of how the system boots and how GRUB displays its menu (Figure 11-1, page 446). In most cases, you can force GRUB to display its menu by holding down the SHIFT key as the system boots (page 445).
The effects of some of the variables you can set in the /etc/default/grub file depend on whether GRUB finds one or more than one bootable operating system on the machine. Some variables do not need to be set. Toward this end, GRUB does not evaluate a line that begins with a hashmark (#; these lines are comments). Remove or add a hashmark to cause GRUB to evaluate or not evaluate an assignment, respectively.
The beginning of the /etc/default/grub file is shown here. The first few variables are set; the last few are commented out.

$ cat /etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT="10"
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

You can assign values to the following variables:
GRUB_DEFAULT=num | saved
The num specifies the ordinal number of the default menu entry. Menu entries are numbered starting with 0, so setting this variable to 0 specifies the first menu entry. The default menu entry is the one GRUB boots if you do not select a different entry as GRUB boots the system. Setting GRUB_DEFAULT to saved causes GRUB to boot the most recently booted menu entry.
GRUB_HIDDEN_TIMEOUT=num
The num specifies the number of seconds GRUB waits with a blank screen (the menu is hidden, thus it is called a hidden timeout) or displays the image you specify in /etc/grub.d/05_debian_theme (page 587) before booting the system. Setting num to 0 causes GRUB to pause just long enough so that if the user is holding down the SHIFT key as the system boots, GRUB displays its menu. GRUB ignores this variable on systems with more than one bootable system.
GRUB_HIDDEN_TIMEOUT_QUIET=true | false
Specifies whether GRUB displays a countdown timer during a hidden timeout (see GRUB_HIDDEN_TIMEOUT). Set to false to display the timer or true not to display the timer.
GRUB_TIMEOUT=num
The num specifies the number of seconds GRUB waits before booting the system. Set num to -1 to cause GRUB to wait until the user selects a menu item. Setting num to 0 causes the SHIFT key to lose its effect: The user will not be able to display the GRUB menu before the system boots.
GRUB_DISTRIBUTOR=string
The string specifies the name of the distribution as displayed by GRUB. The string as supplied with Ubuntu is executable and is replaced with its output because it is enclosed within back ticks (command substitution; page 362):
`lsb_release -i -s 2> /dev/null || echo Debian`
With the -i and -s options, lsb_release sends the string Ubuntu to standard output. Standard error is discarded (2> /dev/null) and, if lsb_release fails, the string Debian is sent to standard output.


GRUB_CMDLINE_LINUX_DEFAULT=string
GRUB appends string to the linux boot line that GRUB passes to the kernel at boot time when booting in normal mode (and not recovery mode; page 445). As supplied with Ubuntu, the string is quiet splash, which causes Ubuntu to display the splash screen and no messages as it boots. For more information refer to "Seeing What Is Going On" on page 57. You can also add boot command-line parameters to string; see page 82 for more information. Separate each word from the next with a SPACE and, if string includes SPACEs, enclose string within double quotation marks.
GRUB_CMDLINE_LINUX=string
GRUB appends string to the linux boot line that GRUB passes to the kernel when booting in both normal and recovery modes (page 445). See the discussion of GRUB_CMDLINE_LINUX_DEFAULT for more information.
GRUB_TERMINAL=console
Commented out by default. Remove the leading hashmark to uncomment this variable and disable the graphical terminal on PCs. Doing so speeds up work with the screen in GRUB command-line mode.
GRUB_GFXMODE=WxH
Commented out by default. Remove the leading hashmark to uncomment this variable and set the resolution of the display for the boot menu. The W is the width of the display and the H is the height of the display, both in pixels. You must set this variable to a value that is valid for the graphics card. For example, 640x480 sets the resolution to 640 pixels by 480 pixels.
GRUB_DISABLE_LINUX_UUID=true | false
Commented out by default. Remove the leading hashmark to uncomment this variable and specify whether GRUB passes the root=UUID=xxx parameter to the kernel. By default, GRUB passes this parameter to the kernel (false). See page 510 for more information on identifying partitions using UUID numbers.
GRUB_DISABLE_LINUX_RECOVERY=true | false
Commented out by default. Remove the leading hashmark to uncomment this variable and specify whether update-grub generates recovery-mode menu entries. By default, GRUB generates these entries (false).
GRUB_INIT_TUNE="beep frequency"
Commented out by default. Remove the leading hashmark to uncomment this variable and specify that GRUB is to output a beep when it starts. A typical value for beep frequency is 480 440 1. You must enclose beep frequency within double quotation marks.

/etc/grub.d/*: GRUB CONFIGURATION TEMPLATES

The files in the /etc/grub.d directory determine many aspects of the GRUB menu. The update-grub utility (discussed next) processes these files in shell expansion order, which for the default set of files means numerical order. See the README file in this directory for more information.
You can add files to this directory and modify the existing files, but it is not usually necessary to do so. Each of these files must be executable if you want update-grub to process it. If you do not want update-grub to process one of the files, remove the execute bits from the file. For example, if you do not want memtest86+ included on the GRUB menu, give the following command:
$ sudo chmod 644 /etc/grub.d/20_memtest86+
By default, the /etc/grub.d directory holds the following files:
00_header  Runs the initial GRUB setup and provides the header information that appears at the beginning of the grub.cfg file.
05_debian_theme  Sets the theme as well as the background and text colors.
10_linux  Creates a menu entry for each kernel specified by a file named /boot/vmlinu[xz]-* or /vmlinu[xz]-*. If GRUB_DISABLE_LINUX_RECOVERY is set to false or commented out, this file also creates a recovery menu entry for each of these kernels.
20_memtest86+  Creates a menu entry for memtest86+ (page 79) if the /boot/memtest86+ file exists.
30_os-prober  Creates menus for Linux and other operating systems on partitions other than / and /boot.
40_custom  Accepts custom menu entries.
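The following shell script is an added example, not code from the book: it reads a constructed copy of the /etc/default/grub excerpt above and a constructed /etc/grub.d-style directory, reports the active value of a variable, states what the chapter says those values mean for the boot menu, and lists which templates update-grub would process. The function names and the temporary sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the book: inspect a GRUB configuration the way the chapter
# says update-grub reads it. grub_value reports the active (uncommented) assignment of
# a variable in an /etc/default/grub-style file, grub_menu_behavior summarizes what the
# chapter says those values cause, and grub_templates_active lists which /etc/grub.d
# templates update-grub would process (only the executable ones). Everything below is
# a constructed sample tree under a temporary directory, not the live /etc.

SAMPLE=$(mktemp -d)

# Constructed copy of the book's /etc/default/grub excerpt.
cat > "$SAMPLE/default-grub" <<'EOF'
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT="10"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
#GRUB_DISABLE_LINUX_RECOVERY=true
EOF

# Constructed variant: menu unreachable via SHIFT, recovery entries suppressed.
sed -e 's/^GRUB_TIMEOUT=.*/GRUB_TIMEOUT="0"/' \
    -e 's/^#GRUB_DISABLE_LINUX_RECOVERY=/GRUB_DISABLE_LINUX_RECOVERY=/' \
    "$SAMPLE/default-grub" > "$SAMPLE/default-grub-locked"

# Constructed template directory shaped like /etc/grub.d. 20_memtest86+ gets chmod 644,
# the command the chapter gives to keep memtest86+ off the menu.
mkdir "$SAMPLE/grub.d"
for t in 00_header 05_debian_theme 10_linux 20_memtest86+ 30_os-prober 40_custom; do
    printf '#!/bin/sh\nexit 0\n' > "$SAMPLE/grub.d/$t"
    chmod 755 "$SAMPLE/grub.d/$t"
done
chmod 644 "$SAMPLE/grub.d/20_memtest86+"

# grub_value FILE VAR: print the value of VAR. Lines starting with # are ignored (GRUB
# does not evaluate them), the last active assignment wins, surrounding double quotes
# are stripped, and nothing is printed when VAR is absent or commented out.
grub_value() {
    awk -F= -v var="$2" '
        $1 == var { v = substr($0, length(var) + 2); gsub(/^"|"$/, "", v) }
        END { if (v != "") print v }' "$1"
}

# grub_menu_behavior FILE: two words describing the menu, in the chapter's terms.
grub_menu_behavior() {
    case "$(grub_value "$1" GRUB_TIMEOUT)" in
        0)  menu="shift-key-ignored" ;;     # GRUB_TIMEOUT=0: SHIFT no longer shows the menu
        -1) menu="waits-for-selection" ;;   # GRUB_TIMEOUT=-1: waits until the user chooses
        *)  menu="menu-on-shift" ;;         # hidden timeout; SHIFT during boot shows the menu
    esac
    if [ "$(grub_value "$1" GRUB_DISABLE_LINUX_RECOVERY)" = "true" ]; then
        recovery="no-recovery-entries"
    else
        recovery="recovery-entries"         # the default: update-grub generates them
    fi
    printf '%s %s\n' "$menu" "$recovery"
}

# grub_templates_active DIR: the templates update-grub will run, in shell expansion
# order, which is numerical order for the default file names.
grub_templates_active() {
    out=""
    for f in "$1"/*; do
        [ -x "$f" ] || continue             # execute bits removed: update-grub skips it
        out="${out:+$out }$(basename "$f")"
    done
    printf '%s\n' "$out"
}

# Demonstration on the constructed sample.
echo "GRUB_TIMEOUT is $(grub_value "$SAMPLE/default-grub" GRUB_TIMEOUT)"
grub_menu_behavior "$SAMPLE/default-grub"
grub_menu_behavior "$SAMPLE/default-grub-locked"
grub_templates_active "$SAMPLE/grub.d"
```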

update-grub: UPDATES THE grub.cfg FILE

The update-grub utility is a shell script that runs grub-mkconfig with the output file specified as /boot/grub/grub.cfg. The grub-mkconfig utility creates or updates its output file based on the contents of the /etc/default/grub file (page 584) and the files in the /etc/grub.d directory (page 586). A sample run of update-grub is shown here:
$ sudo update-grub
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32-22-generic
Found initrd image: /boot/initrd.img-2.6.32-22-generic
Found linux image: /boot/vmlinuz-2.6.32-21-generic
Found initrd image: /boot/initrd.img-2.6.32-21-generic
Found memtest86+ image: /boot/memtest86+.bin
done
By default, update-grub searches for Linux and other operating system kernel files and creates a menu entry (boot specification) in grub.cfg for each kernel it finds. If the /boot/memtest86+.bin and /etc/grub.d/20_memtest86+ files exist and the latter file is executable, update-grub includes a menu entry for that utility. It also adds an initrd (initial RAM disk) line to grub.cfg for each file in /boot whose name starts with the string initrd and whose version number matches one of the kernel files it found. For example, if update-grub finds the kernel file named vmlinuz-2.6.32-19-generic in /boot and then finds initrd.img-2.6.32-19-generic, it creates an initrd line in grub.cfg for that RAM disk image file.

Listing installed kernel packages  Each time update-grub runs, it searches for kernel files. If a kernel file is no longer present, it will no longer include a menu entry for that kernel. Similarly, if a new kernel file is present, it will include a menu entry for that kernel. You can remove a kernel's menu entry by removing the kernel package, which removes the kernel files. The command uname -r displays the name of the kernel the system is running. The following commands display the name of the kernel the system is running and list the installed kernel packages. See page 535 for more information about the dpkg --list option.
$ uname -r
2.6.32-22-generic
$ dpkg --list "linux-image*generic"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                          Version           Description
+++-=============================-=================-==================================================
ii  linux-image-2.6.32-21-generi  2.6.32-21.32      Linux kernel image for version 2.6.32 on x86/x86_64
ii  linux-image-2.6.32-22-generi  2.6.32-22.33      Linux kernel image for version 2.6.32 on x86/x86_64
ii  linux-image-generic           2.6.32.22.23      Generic Linux kernel image

aptitude removes a kernel  The easiest way to remove a kernel package is to use Main menu: System⇒Administration⇒Computer Janitor. You can also use the aptitude remove command. Substitute the name of the kernel package you want to remove for the one in the following example. As shown above, the dpkg command truncates the name of the kernel package in the column labeled Name and displays three extra characters in the column labeled Version. The following command removes the first kernel package listed by the previous dpkg command:
$ sudo aptitude remove linux-image-2.6.32-19-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following packages will be REMOVED:
  linux-image-2.6.32-19-generic
Removing linux-image-2.6.32-19-generic
...
Examining /etc/kernel/prerm.d.
Running postrm hook script /usr/sbin/update-grub.
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-2.6.32.11+drm33.21271202298
Found linux image: /boot/vmlinuz-2.6.32-21-generic
Found initrd image: /boot/initrd.img-2.6.32-21-generic
Found memtest86+ image: /boot/memtest86+.bin
done

The lines starting with Generating grub.cfg are displayed by update-grub, which is run by the deb postrm script (page 533). It is good practice to keep at least one known-good kernel in addition to the one the system is running. See page 520 for more information on the aptitude remove command.
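As an added example (not the book's code), the following script applies the practice just described: it refuses to remove the running kernel and keeps at least one other installed kernel as a fallback before printing the aptitude remove command for the rest. It works on a constructed package list in the "package version" shape that dpkg-query -W prints; the function names and the version string for the 2.6.32-19 package are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: apply the chapter's rule for removing kernel
# packages (keep the running kernel plus at least one other known-good kernel).
# The package list is a constructed file in the shape "package version", one per line,
# which is what dpkg-query -W -f='${Package} ${Version}\n' prints on a real system;
# dpkg --list is not used because, as the chapter shows, it truncates package names.

SAMPLE_PKGS=$(mktemp)
cat > "$SAMPLE_PKGS" <<'EOF'
linux-image-2.6.32-19-generic 2.6.32-19.28
linux-image-2.6.32-21-generic 2.6.32-21.32
linux-image-2.6.32-22-generic 2.6.32-22.33
linux-image-generic 2.6.32.22.23
EOF
# (the 2.6.32-19.28 version string above is invented for the sample)

# installed_kernels LIST: versioned kernel packages only; the linux-image-generic
# metapackage carries no kernel files of its own and is skipped.
installed_kernels() {
    awk '$1 ~ /^linux-image-[0-9]/ { print $1 }' "$1"
}

# can_remove_kernel PKG RUNNING LIST: succeeds only if PKG is not the running kernel
# and at least one other versioned kernel would remain installed after removal.
can_remove_kernel() {
    pkg=$1; running=$2; list=$3
    if [ "$pkg" = "linux-image-$running" ]; then
        echo "refuse: $pkg is the running kernel" >&2
        return 1
    fi
    remaining=$(installed_kernels "$list" \
        | grep -F -x -v -e "$pkg" -e "linux-image-$running" | wc -l | tr -d ' ')
    if [ "$remaining" -lt 1 ]; then
        echo "refuse: removing $pkg would leave no fallback kernel" >&2
        return 1
    fi
    return 0
}

# removal_plan RUNNING LIST: print one aptitude command per package the check allows,
# re-checking against the shrinking list so that the last non-running kernel is kept
# as the fallback (with the list in ascending version order, that is the newest one).
removal_plan() {
    running=$1
    work=$(mktemp)
    cp "$2" "$work"
    for pkg in $(installed_kernels "$2"); do
        if can_remove_kernel "$pkg" "$running" "$work" 2>/dev/null; then
            echo "sudo aptitude remove $pkg"
            grep -v "^$pkg " "$work" > "$work.new"
            mv "$work.new" "$work"
        fi
    done
    rm -f "$work"
}

# Demonstration with the chapter's running kernel.
removal_plan 2.6.32-22-generic "$SAMPLE_PKGS"
```

On a live system the same functions can be fed the output of dpkg-query -W -f='${Package} ${Version}\n' 'linux-image-*' and uname -r instead of the constructed list.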

grub-install: INSTALLS THE MBR AND GRUB FILES

The grub-install utility installs the MBR (page 583) and the files that GRUB needs to boot the system. This utility takes a single argument: the name of the device that is to hold the MBR. You can specify the device name as a GRUB device name (e.g., hd0) or a device filename (e.g., /dev/sda). The following example shows grub-install installing files in the default location (/boot/grub) and the MBR on device /dev/sda:
$ sudo grub-install /dev/sda
Installation finished. No error reported.

REINSTALLING THE MBR
To reinstall the MBR, as is necessary when it gets overwritten by a Windows installation, boot the system from an Alternate CD, a Server CD, or an installation DVD, and select Rescue a Broken System (page 83). Then select Reinstall the GRUB boot loader from the Rescue Operations menu (page 84).

dmesg: DISPLAYS KERNEL MESSAGES

The dmesg utility displays the kernel-ring buffer, where the kernel stores messages. When the system boots, the kernel fills this buffer with messages related to hardware and module initialization. Messages in the kernel-ring buffer are often useful for diagnosing system problems.
When you run dmesg, it displays a lot of information. It is frequently easier to pipe the output of dmesg through less or grep to find what you are looking for. For example, if you find that your hard disks are performing poorly, you can use dmesg to check whether they are running in DMA mode:
$ dmesg | grep DMA
[   23.259422] ata1: SATA max UDMA/133 cmd 0x9F0 ctl 0xBF2 bmdma 0xE000 irq 5
[   23.259478] ata2: SATA max UDMA/133 cmd 0x970 ctl 0xB72 bmdma 0xE008 irq 5
The preceding lines tell you which mode each SATA device is operating in. If you are having problems with the Ethernet connection, search the dmesg log for eth:
$ dmesg | grep eth
forcedeth.c: Reverse Engineered nForce ethernet driver. Version 0.61.
eth0: forcedeth.c: subsystem: 0147b:1c00 bound to 0000:00:04.0
eth0: no IPv6 routers present
If everything is working properly, dmesg displays the hardware configuration information for each network interface.
Another common source of problems is the Direct Rendering Infrastructure (DRI), which allows graphics drivers direct access to the kernel. The corresponding kernel component is the Direct Rendering Module (DRM, not to be confused with Digital Rights Management).
$ dmesg | grep drm
[drm] AGP 0.99 Aperture @ 0xd8000000 64MB
[drm] Initialized radeon 1.7.0 20020828 on minor 0
[drm] Loading R200 Microcode
This output tells you that an ATI Radeon graphics card is configured correctly: Any configuration problems must be in the /etc/X11/xorg.conf file. The NVIDIA binary drivers do not use DRI. The dmesg log is a good place to start when diagnosing faults. If you have configured a system service incorrectly, this log quickly fills up with errors.

CHAPTER SUMMARY

You can build a Linux kernel from the source code. Sometimes you do not need to build a kernel; instead, you can change many aspects of the kernel by using boot options in /boot/grub/menu.lst. You can dynamically change options by modifying /etc/sysctl.conf.
Before you can build a Linux kernel, you must have the kernel source files on the system. These files are frequently located in /usr/src/linux*. Once you have the source files, you need to configure the kernel, clean the source tree, compile the kernel and the loadable modules, and install the kernel and loadable modules.
The GRUB boot loader is a small program that controls the process of bringing the system up. The update-grub utility updates the grub.cfg file so you can boot the new kernel.
The dmesg utility displays the kernel-ring buffer, where the kernel stores messages. You can use this utility to help diagnose boot-time problems.

EXERCISES

1. What is the purpose of the kernel?
2. How would you display a list of all loaded modules in the current kernel?
3. How would you use aptitude to download the source code for the most recently released version of the Ubuntu kernel? Where and in what form does the source code exist after you download it? How and where would you unpack the source code so that you could work with it?
4. How would you display information from the kernel about the hard disk on the first SATA channel?

5. The acpi=off kernel argument prevents acpid from starting. How would you use this argument?
6. What is a boot loader?

ADVANCED EXERCISES

7. Why would you use the --append-to-version option to the make-kpkg utility when compiling a kernel?
8. You have just installed an Adaptec SCSI card. How can you find out whether it has been recognized and which entry in /dev represents it?
9. How would you obtain a list of all network-related kernel parameters?

16
ADMINISTRATION TASKS

IN THIS CHAPTER
Configuring User and Group Accounts . . . . 594
Backing Up Files . . . . 599
System Reports . . . . 608
Keeping Users Informed . . . . 614
Solving Problems . . . . 616
Speeding Up the System . . . . 617
Keeping the System Secure . . . . 619
logrotate: Manages Log Files . . . . 622
Disk Quota System . . . . 625
rsyslogd: Logs System Messages . . . . 625
MySQL . . . . 628

The system administrator has many responsibilities. This chapter discusses tasks not covered in Chapter 11, including configuring user and group accounts, backing up files, scheduling tasks, general problem solving, and using the system log daemon, syslogd. The chapter concludes with a section on installing and using MySQL.

594  CHAPTER 16  ADMINISTRATION TASKS

Figure 16-1  The Users Settings window

CONFIGURING USER AND GROUP ACCOUNTS

More than a username is required for a user to be able to log in and use a system: A user must have the necessary files, directories, permissions, and usually a password to log in. At a minimum a user must have an entry in the /etc/passwd and /etc/shadow files and a home directory. This section describes several ways you can work with user accounts. Refer to Chapter 21 if you want to run NIS to manage the passwd database.

users-admin: MANAGES USER ACCOUNTS

The Users Settings window (Figure 16-1) enables you to add, delete, and modify characteristics of system users and groups. To display this window, select Main menu: System⇒Administration⇒Users and Groups or give the command users-admin from a terminal emulator or Run Application window (ALT-F2).

AUTHENTICATION
Because you can use users-admin to make changes to the system that affect other users, this utility periodically asks you to authenticate yourself using your password.

ADDING A USER
To add a user to the system, click the button labeled Add (below the list of users); users-admin displays the Create a New User window. This window requires you to enter the full name and username of the new user. If you want to encrypt the user's home directory, put a tick in the checkbox labeled Encrypt home folder to protect sensitive data. When you click OK, users-admin displays the Change User Password window (Figure 16-2). In this window you can enter the new user's password or have the system generate a password for you. If you do not want the system to ask for a password when the user logs in, put a tick in the checkbox labeled Don't ask for password on login. When you click OK, users-admin adds the user to the system.

Figure 16-2  The Change User Password window

REMOVING A USER
To remove a user from the system, highlight the user you want to remove and click the button labeled Delete (below the list of users); users-admin asks if you want to remove the user's home directory. Make a selection and users-admin removes the user account.

MODIFYING A USER
To modify the properties of a user, highlight the user you want to work with in the Users Settings window and click one of the text buttons labeled Change as explained in this section. See also the next section, titled "Changing Advanced User Settings."
Changing a username  Click the uppermost text button labeled Change (at the right side of the window, adjacent to the username) to open a window that allows you to change the long name associated with the highlighted user.
Changing an account type  Click the middle text button labeled Change (at the right side of the window, adjacent to Account type) to open a window that allows you to change the account type associated with the highlighted user to administrator or desktop user. Setting the account type to administrator adds the user to the admin group, which in turn allows the user to use sudo (page 421) to gain root privileges.
Changing a password  Click the lower text button labeled Change (at the right side of the window, adjacent to Password) to open the Change User Password window, which is described in the previous section.


Figure 16-3  The Account Properties window, User Privileges tab

CHANGING ADVANCED USER SETTINGS
When you click the button labeled Advanced Settings, users-admin displays the
Change Advanced User Settings window (Figure 16-3). This window has the following three tabs:

Contact Information tab

The Contact Information tab allows you to input a location, work phone, and
home phone associated with the user.

User Privileges tab

The User Privileges tab (Figure 16-3) enables you to add and remove privileges for a
user. Place a tick in the check box next to each of the privileges you want to grant a
user; remove the tick from those privileges you do not want to grant. The most
important of these privileges is Administer the system. Putting a tick in this box
adds the user to the admin group, which in turn allows the user to use sudo
(page 421) to gain root privileges. Click OK.

Advanced tab

The Advanced tab allows you to modify the home directory, shell, group, and UID
of the user. The users-admin utility fills in these values for a new user. Typically you
do not need to modify these entries. This tab also allows you to disable an account
(except for the first account that was set up).

When you are finished entering information under each of the tabs for the user,
click OK. At this point users-admin adds the user to or modifies the user on the system
and closes the window, leaving the Users Settings window visible.


Figure 16-4 The Groups Settings window (a list of groups such as sys, syslog, tape, tty, users, utmp, video, voice, www-data and zach, with Add, Properties, Delete, Help, and Close buttons).

Working with groups

Click Manage Groups in the Users Settings window to work with groups; users-admin
displays the Groups Settings window (Figure 16-4). To create a group,
click Add and specify the name and number (GID) of the group. Put a tick in the
check box next to each user who you want to be a member of the group and
click OK. To change the name or number of a group or to add or remove users
from a group, highlight the group in the Groups Settings window and click
Properties. Make the changes you want, and then click OK. To remove a group,
highlight the group and click Delete. See page 492 for more information on
groups.
When you are finished adding and modifying users and groups, click Close.

useradd: ADDS A USER ACCOUNT
The useradd utility adds a new user account to the system. By default, useradd
assigns the next highest unused user ID to a new account and specifies bash as
the user's login shell. The following example adds entries to the /etc/passwd and
/etc/shadow files, creates the user's home directory (in /home), specifies the
user's group ID, and puts the user's full name in the comment field. The group
ID you specify must exist in /etc/group or the command will fail. Use groupadd to
add a group.
$ sudo useradd -g 1105 -c "Max R." max
The useradd utility puts a ! in the password field of the shadow file (page 497) to
prevent the user from logging in until you use passwd to assign a password to that
user. Based on the /etc/login.defs file, useradd creates a home directory for the new
user. When doing so, it copies the contents of /etc/skel, which contains bash and
other startup files, to that directory. For more information on adding user information, see the useradd man page.
Under some distributions, adduser is a link to useradd. Under Ubuntu, it is a different program. See the adduser man page for more information.

userdel: REMOVES A USER ACCOUNT
The userdel utility deletes a user's account. If appropriate, back up the files belonging to the user before deleting them. The following command removes Max's
account. The --remove (-r) option causes the command to remove his home directory hierarchy:
$ sudo userdel --remove max
See the userdel man page for more information.

usermod: MODIFIES A USER ACCOUNT
To turn off a user's account temporarily, you can use usermod to change the expiration date for the account. Because it specifies that his account expired in the past
(December 31, 2009), the following command line prevents Max from logging in:
$ sudo usermod -e "12/31/09" max
See the usermod man page for more information.

groupadd: ADDS A GROUP
Just as useradd adds a new user to the system, so groupadd adds a new group by
adding an entry to /etc/group (page 492). The following example creates a group
named pubs:
$ sudo groupadd -g 1024 pubs
Unless you use the -g option to assign a group ID, the system picks the next available sequential number greater than 1000. The -o option allows the group ID to be
nonunique, which allows you to assign multiple names to a group ID.

groupdel: REMOVES A GROUP
The analogue of userdel for groups is groupdel, which takes a group name as an
argument. You can also use groupmod to change the name or group ID of a group,
as in the following examples:
$ sudo groupmod -g 1025 pubs
$ sudo groupmod -n manuals pubs
The first example gives the previously created pubs group a new group ID number.
The second example renames the pubs group to manuals.

Caution: Changing group ID numbers

The groupmod utility does not change group numbers in /etc/passwd when you renumber a
group. Instead, you must edit /etc/passwd and change the entries manually. If you change the
number of a group, files that are associated with the group will no longer be associated with the
group. Rather, they may be associated with no group or with another group with the old group ID
number.
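Before and after renumbering a group with groupmod -g, you want to know which /etc/passwd entries and which files still carry the old GID. The helpers below are an added example, not from the book; they work on a constructed passwd-style file (the real /etc/passwd has the same seven-field layout), and files_with_gid is the check to run against the filesystem itself.

```sh
#!/bin/sh
# Added example: audit /etc/passwd and the filesystem for an old numeric GID
# after a groupmod -g renumbering. The passwd-style data below is constructed.

SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
max:x:1001:1024:Max R.:/home/max:/bin/bash
zach:x:1002:1024:Zach:/home/zach:/bin/bash
sam:x:1003:1100:Sam:/home/sam:/bin/bash
EOF

# users_with_primary_gid FILE GID
# Prints the login names whose primary group (field 4) is GID; these are the
# entries groupmod leaves pointing at the old number when you renumber a group.
users_with_primary_gid() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# rewrite_primary_gid FILE OLD NEW
# Prints FILE with every primary GID equal to OLD replaced by NEW and all other
# fields untouched. It writes to standard output so the result can be reviewed
# (or diffed against the original) before it is copied over /etc/passwd.
rewrite_primary_gid() {
    awk -F: -v old="$2" -v new="$3" 'BEGIN { OFS = ":" }
        $4 == old { $4 = new }
        { print }' "$1"
}

# files_with_gid DIR OLD
# Lists files under DIR still owned by the numeric GID OLD. After the group is
# renumbered these files match no group name, which is the situation the
# caution describes; chgrp them to the new group once the list has been reviewed.
files_with_gid() {
    find "$1" -gid "$2" 2>/dev/null
}

# Demonstration: who has primary GID 1024, and what the passwd file would look
# like after moving that group to GID 1025.
users_with_primary_gid "$SAMPLE_PASSWD" 1024
rewrite_primary_gid "$SAMPLE_PASSWD" 1024 1025
```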

BACKING UP FILES
One of the most oft-neglected tasks of system administration is making backup
copies of files on a regular basis. The backup copies are vital in three instances:
when the system malfunctions and files are lost, when a catastrophic disaster (fire,
earthquake, and so on) occurs, and when a user or the system administrator deletes
or corrupts a file by accident. Even when you set up RAID (page 40), you still need
to back up files. Although RAID can provide fault tolerance (helpful in the event of
disk failure), it does not help when a catastrophic disaster occurs or when a file is
corrupted or removed accidentally. It is a good idea to have a written backup policy
and to keep copies of backups offsite (in another building, at home, or at a different
facility or campus) in a fireproof vault or safe.
The time to start thinking about backups is when you partition the disk. Refer to "Partitioning
a Disk" on page 36. Make sure the capacity of the backup device and your partition
sizes are comparable. Although you can back up a partition onto multiple volumes,
it is easier not to—and it is much easier to restore data from a single volume.

You must back up filesystems regularly. Backup files are usually kept on magnetic
tape, external hard disk, or another removable medium. Alternatively, you can keep
backup files on a remote system. How often and which files you back up depend on
the system and your needs. Use this criterion when determining a backup schedule:
If the system crashes, how much work are you willing to lose? Ideally you would
back up all files on the system every few minutes so you would never lose more than
a few minutes of work.
Of course, there is a tradeoff: How often are you willing to back up the files? The
backup procedure typically slows the system for users, takes a certain amount of
your time, and requires that you have and store the media holding the backup.
Avoid backing up an active filesystem; the results may be inconsistent, and restoring
from the backup may be impossible. This requirement is a function of the backup
program and the filesystem you are backing up.
Another question is when to run the backup. Unless you plan to kick users off and
bring the system down to recovery mode (not a user-friendly practice), you will
want to perform this task when the machine is at its quietest. Depending on the use
of the system, sometime in the middle of the night can work well. Then the backup
is least likely to affect users, and the files are not likely to change as they are being
read for backup.
A full backup makes copies of all files, regardless of when they were created or
accessed. An incremental backup makes copies of those files that have been created
or modified since the last (usually full) backup.
The more people using the system, the more often you should back up the filesystems. One popular schedule is to perform an incremental backup one or two times a
day and a full backup one or two times a week.


CHOOSING A BACKUP M E D I U M
If the local system is connected to a network, you can write backups to a drive on
another system. This technique is often used with networked computers to avoid
the cost of having a backup drive on each computer in the network and to simplify
management of backing up many computers in a network. Although tapes are still
used for backups, system administrators are using hard disks for this purpose more
frequently. Backing up to a hard disk on a remote system is cost-effective, reliable,
and practical. Because hard disks hold many gigabytes of data, using them simplifies the task of backing up the system, making it more likely that you will take care
of this important task regularly. Other options for holding backups are writable
CDs and DVDs. These devices, although not as cost-effective or able to store as
much information as hard disk or tape systems, offer the benefit of convenience.

BACKUP UTILITIES
A number of utilities are available to help you back up a system, and most work
with any media. Most Linux backup utilities are based on one of the archive programs—tar or cpio—and augment these basic programs with bookkeeping support
for managing backups conveniently.
You can use any of the tar, cpio, or dump/restore utilities to construct full or partial
backups of a system. Each utility constructs a large file that contains, or archives,
other files. In addition to file contents, an archive includes header information for
each file it holds. This header information can be used when extracting files from
the archive to restore file permissions and modification dates. An archive file can
be saved to disk, written to tape, or shipped across the network while it is being
created.
In addition to helping you back up the system, these programs offer a convenient
way to bundle files for distribution to other sites. The tar program is often used for
this purpose, and some software packages available on the Internet are bundled as
tar archive files. A deb file (page 533) is an archive bundled using the ar archive
utility.

amanda

The amanda (Advanced Maryland Automatic Network Disk Archiver) utility
(www.amanda.org), which is one of the more popular backup systems, uses dump or
tar and takes advantage of Samba to back up Windows systems. The amanda utility
backs up a LAN of heterogeneous hosts to a hard disk or tape. Relevant software
packages are amanda-common, amanda-client, and amanda-server.

tar: ARCHIVES FILES
The tar (tape archive) utility writes files to and retrieves files from an archive; it can
compress this archive to conserve space. If you do not specify an archive device, tar
writes to standard output and reads from standard input. With the -f (--file)
option, tar uses the argument to -f as the name of the archive device. You can use
this option to refer to a device on another system on the network. Although tar has
many options, you need only a few in most situations. The following command displays a complete list of options:
$ tar --help | less
Most options for tar can be given either in a short form (a single letter) or as a
descriptive word. Descriptive-word options are preceded by two hyphens, as in
--help. Single-letter options can be combined into a single command-line argument
and need not be preceded by a hyphen (for consistency with other utilities, it is good
practice to use the hyphen anyway).
Although the following two commands look quite different, they specify the same
tar options in the same order. The first version combines single-letter options into a
single command-line argument; the second version uses descriptive words for the
same options:
$ sudo tar -ztvf /dev/st0
$ sudo tar --gzip --list --verbose --file /dev/st0
Both commands tell tar to generate a (v, verbose) table of contents (t, list) from the
tape on /dev/st0 (f, file), using gzip (z, gzip) to decompress the files. Unlike the original UNIX tar utility, the GNU version strips the leading / from absolute pathnames.
The options in Table 16-1 tell the tar program what to do. You must include exactly
one of these options in a tar command.
The -c, -t, and -x options are used most frequently. You can use many other
options to change how tar operates. The -j option, for example, compresses or
decompresses the file by filtering it through bzip2 (page 174).
Table 16-1   tar options

Option                 Effect
--append (-r)          Appends files to an archive
--catenate (-A)        Adds one or more archives to the end of an existing archive
--create (-c)          Creates a new archive
--delete               Deletes files in an archive (not on tapes)
--dereference (-h)     Follows symbolic links
--diff (-d)            Compares files in an archive with disk files
--extract (-x)         Extracts files from an archive
--help                 Displays a help list of tar options
--list (-t)            Lists the files in an archive
--update (-u)          Like the -r option, but the file is not appended if a newer version is
                       already in the archive

cpio: ARCHIVES FILES

T h e cpio (copy in/out) program is similar to tar but can read and write archive files
in various formats, including the one used by tar. Normally cpio reads the names of
the files to add to the archive from standard input and produces the archive file as
standard output. W h e n extracting files from an archive, it reads the archive as standard input.
As with tar, some options can be given in both a short, single-letter form and a more
descriptive word form. However, unlike with tar, the syntax of the two forms in cpio
differs when the option must be followed by additional information. In the short
form, you must include a SPACE between the option and the additional information;
with the word form, you must separate the two with an equal sign and no SPACES.
Running cpio with the --help option displays a complete list of options.

PERFORMING A SIMPLE BACKUP
When you prepare to make a major change to a system, such as replacing a disk
drive, upgrading to a new release, or updating the Linux kernel, it is a good idea to
archive some or all of the files so you can restore any that become damaged if something goes wrong. For this type of backup, tar or cpio works well. For example, if
you have a SCSI tape drive as device /dev/st0 (or it could be a hard disk at
/dev/hdb) that is capable of holding all the files on a single tape, you can use the following commands to construct a backup tape of the entire system:
$ cd /
$ sudo tar -cf /dev/st0 .
All the commands in this section start by using cd to change to the root directory so
you are sure to back up the entire system. The tar command then creates an archive
(c) on the device /dev/st0 (f). To compress the archive, replace the preceding tar
command with the following command, which uses j to call bzip2:
$ sudo tar -cjf /dev/st0 .
You can back up a system with a combination of find and cpio. The following commands create an output file and set the I/O block size to 5120 bytes (the default is
512 bytes):
$ cd /
$ sudo find . -depth | cpio -oB > /dev/st0
The next command restores the files in the /home directory from the preceding
backup. The options extract files from an archive (-i) in verbose mode, keeping the
modification times and creating directories as needed.
$ cd /
$ sudo cpio -ivmd /home/\* < /dev/st0
Although all the archive programs work well for simple backups, utilities such as
amanda (page 600) provide more sophisticated backup and restore systems. For
example, to determine whether a file is in an archive, you must read the entire
archive. If the archive is split across several tapes, this process is particularly tiresome. More sophisticated utilities, including amanda, assist you in several ways,
including keeping a table of contents of the files in a backup.

Tip: Exclude some directories from a backup

In practice, you will likely want to exclude some directories from the backup process. For example,
not backing up /tmp or /var/tmp can save room in the archive. Also, do not back up the files in
/proc. Because the /proc pseudofilesystem is not a true disk filesystem but rather a way for the
Linux kernel to provide information about the operating system and system memory, you need not
back up /proc; you cannot restore it later. Similarly, you do not need to back up filesystems that
are mounted from disks on other systems on the network. Do not back up FIFOs; the results are
unpredictable. If you plan on using a simple backup method, similar to those just discussed, create a file naming the directories to exclude from the backup, and use the appropriate option with
the archive program to read the file.
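The tar commands in this section and the exclude list from the tip above come together in the following added example, which is not from the book: it creates a compressed archive of a directory tree while skipping the directories named in an exclude file (tar's -X option), then uses the -t and -d options from Table 16-1 to list the archive and verify it against the disk. The tree, the archive path and the exclude list are constructed in a temporary directory; a real backup would cd / and write to /dev/st0 or a remote disk.

```sh
#!/bin/sh
# Added example: tar backup with an exclude list, then list (-t) and verify (-d).
# Everything under $WORK is constructed for demonstration.

WORK=$(mktemp -d)
ROOT="$WORK/root"              # stands in for / in the book's commands
ARCHIVE="$WORK/backup.tar.gz"
EXCLUDES="$WORK/exclude.list"

mkdir -p "$ROOT/etc" "$ROOT/home/max" "$ROOT/tmp" "$ROOT/var/tmp"
echo "sample fstab line" > "$ROOT/etc/fstab"
echo "notes" > "$ROOT/home/max/notes"
echo "scratch" > "$ROOT/tmp/junk"
echo "scratch" > "$ROOT/var/tmp/junk"

# The "file naming the directories to exclude" from the tip: one pattern per
# line, relative to the directory tar is run from (hence the leading ./).
printf '%s\n' './tmp' './var/tmp' > "$EXCLUDES"

# backup_tree ROOT ARCHIVE EXCLUDEFILE
# Creates (-c) a gzip-compressed (-z) archive of ROOT, skipping everything
# matched by EXCLUDEFILE (-X). Running from inside ROOT keeps member names
# relative, as the book's "cd /" does; replace -z with -j to use bzip2 instead.
backup_tree() {
    ( cd "$1" && tar -czf "$2" -X "$3" . )
}

# archive_members ARCHIVE
# Table of contents (-t) of the archive, one member per line, sorted.
archive_members() {
    tar -tzf "$1" | sort
}

# verify_backup ROOT ARCHIVE
# Compares (-d) every archive member with the file on disk. Exit status 0
# means the backup matches the tree; 1 means at least one file differs, which
# is what you want to know before trusting a tape or wiping a disk.
verify_backup() {
    ( cd "$1" && tar -dzf "$2" >/dev/null )
}

backup_tree "$ROOT" "$ARCHIVE" "$EXCLUDES"
archive_members "$ARCHIVE"
verify_backup "$ROOT" "$ARCHIVE" && echo "backup matches disk"
```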

dump, restore: BACK UP AND RESTORE FILESYSTEMS
The dump utility (part of the dump package) first appeared in UNIX version 6. It
backs up either an entire ext2, ext3, or ext4 filesystem or only those files that have
changed since a recent dump. The restore utility can then restore an entire filesystem,
a directory hierarchy, or an individual file. You will get the best results if you perform a backup on a quiescent system so that the files are not changing as you make
the backup.
The next command backs up all files (including directories and special files) on the
root (/) partition to SCSI tape 0. Frequently there is a link to the active tape drive,
named /dev/tape, which you can use in place of the actual entry in the /dev directory.
$ sudo dump -0uf /dev/st0 /
The -0 option specifies that the entire filesystem is to be backed up (a full backup).
There are ten dump levels: 0-9. Zero is the highest (most complete) level and always
backs up the entire filesystem. Each additional level is incremental with respect to
the level above it. For example, 1 is incremental to 0 and backs up only those files
that have changed since the last level 0 dump; 2 is incremental to 1 and backs up
only those files that have changed since the last level 1 dump; and so on. You can
construct a flexible schedule using this scheme. You do not need to use sequential
numbers for backup levels, however. For example, you can perform a level 0 dump,
followed by level 2 and 5 dumps.
The -u option updates the /etc/dumpdates file (page 492) with filesystem, date, and
dump level information for use by the next incremental dump. The -f option and its
argument write the backup to the device named /dev/st0.
The next command makes a partial backup containing all files that have changed
since the last level 0 dump. The first argument (1) specifies a level 1 dump:
$ sudo dump -1uf /dev/st0 /


To restore an entire filesystem from a dump backup, first restore the most recent
complete (level 0) backup. Perform this operation carefully because restore can overwrite the existing filesystem. Change directories to the directory the filesystem is
mounted on (/xxx in the example) and give a restore command as shown following:
$ cd /xxx
$ sudo restore -if /dev/st0
The -i option invokes an interactive mode that allows you to choose which files and
directories to restore. As with dump, the -f option specifies the name of the device
that the backup medium is mounted on. When restore finishes, load the next lower-level (higher-number) dump tape and issue the same restore command. If multiple
incremental dumps have been made at a particular level, always restore with the
most recent one. You do not need to invoke restore with special arguments to
restore an incremental dump; it will restore whatever appears on the tape.
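The rule just given (most recent level 0 first, then the most recent dump of each lower level in turn) can be worked out mechanically from the dump history, which matters when levels were not used in sequence, as with the 0, 2, 5 schedule mentioned above. The function below is an added example, not from the book; it reads a constructed history file of "SEQ LEVEL LABEL" lines, a stand-in for the device, level and date that dump -u records in /etc/dumpdates, and prints the tapes to load in restore order.

```sh
#!/bin/sh
# Added example: which dumps to restore, in order, from a history of dumps.
# The history file is constructed: one dump per line, "SEQ LEVEL LABEL",
# with SEQ increasing in time order (/etc/dumpdates carries real dates instead).

DUMP_HISTORY=$(mktemp)
cat > "$DUMP_HISTORY" <<'EOF'
1 0 tape-A
2 2 tape-B
3 5 tape-C
4 2 tape-D
5 5 tape-E
6 9 tape-F
7 5 tape-G
EOF

# restore_chain HISTORYFILE
# Prints the labels to restore, one per line, in this order:
#   1. the most recent level 0 dump;
#   2. then, repeatedly, among the dumps made after the one just chosen, the
#      lowest level present, taking the most recent dump at that level. A later
#      dump at the same or a lower level supersedes the earlier ones, because a
#      level-N dump holds everything changed since the last dump of any level
#      below N.
restore_chain() {
    awk '
        { lvl[NR] = $2; lab[NR] = $3; n = NR }
        END {
            cur = 0
            for (i = 1; i <= n; i++) if (lvl[i] == 0) cur = i
            if (cur == 0) { print "no level 0 dump in history" > "/dev/stderr"; exit 1 }
            print lab[cur]
            while (1) {
                min = 10; nxt = 0
                for (i = cur + 1; i <= n; i++) if (lvl[i] < min) min = lvl[i]
                if (min == 10) break             # nothing newer than cur
                for (i = cur + 1; i <= n; i++) if (lvl[i] == min) nxt = i
                print lab[nxt]
                cur = nxt
            }
        }' "$1"
}

# For the sample history: tape-A (level 0), then tape-D (the newer level 2,
# which supersedes tape-B), then tape-G (the newest level 5, which also covers
# everything tape-E and the level-9 tape-F held).
restore_chain "$DUMP_HISTORY"
```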
You can also use restore to extract individual files from a tape by using the -x
option and specifying the filenames on the command line. Whenever you restore a
file, the restored file appears in the working directory. Before restoring files, make
sure you are working in the correct directory.
The following commands restore the etc/fstab file from the tape on /dev/st0. The
filename of the dumped file does not begin with / because all dumped pathnames
are relative to the filesystem that you dumped—in this case /. Because the restore
command is given from the / directory, the file will be restored to its original location of /etc/fstab:
$ cd /
$ sudo restore -xf /dev/st0 etc/fstab
If you use the -x option without specifying a file or directory name to extract, restore
extracts the entire dumped filesystem. Use the -r option to restore an entire filesystem without using the interactive interface. The following command restores the
filesystem from the tape on /dev/st0 to the working directory without interaction:
$ sudo restore -rf /dev/st0
You can also use dump and restore to access a tape drive or hard disk on another
system. Specify the file/directory as host:file, where host is the hostname of the system the tape or disk is on and file is the file or directory you want to dump/restore.
Occasionally, restore may prompt you with the following message:
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #:

Enter 1 (one) in response to this prompt. If the filesystem spans more than one tape
or disk, this prompt allows you to switch tapes.
At the end of the dump, you will receive another prompt:
set owner/mode for '.'? [yn]

Answer y to this prompt when you are restoring entire filesystems or files that have
been accidentally removed. Doing so will restore the appropriate permissions to the
files and directories being restored. Answer n if you are restoring a dump to a directory other than the one it was dumped from. The working directory permissions
and owner will then be set to those of the user doing the restore (typically root).
A variety of device names can access the /dev/st0 device. Each name accesses a different minor device number that controls some aspect of how the tape drive is used.
After you complete a dump using /dev/st0, the tape drive automatically rewinds the
tape. Use the nonrewinding SCSI tape device (/dev/nst0) to keep the tape from
rewinding on completion. This feature allows you to back up multiple filesystems to
the same volume.
Following is an example of backing up a system where the /home, /usr, and /var
directories reside on different filesystems:
$ sudo dump -0uf /dev/nst0 /home
$ sudo dump -0uf /dev/nst0 /usr
$ sudo dump -0uf /dev/st0 /var
The preceding example uses the nonrewinding device for the first two dumps. If you
use the rewinding device, the tape rewinds after each dump, and you are left with
only the last dump on the tape.
You can use mt (magnetic tape), which is part of the cpio package, to manipulate
files on a multivolume dump tape. The following mt command positions the tape
(fsf 2 instructs mt to skip forward past two files, leaving the tape at the start of the
third file). The restore command restores the /var filesystem from the previous
example:
$ sudo mt -f /dev/st0 fsf 2
$ sudo restore rf /dev/st0

SCHEDULING TASKS
It is a good practice to schedule certain routine tasks to run automatically. For
example, you may want to remove old core files once a week, summarize accounting data daily, and rotate system log files monthly.

cron AND anacron: SCHEDULE ROUTINE TASKS
The cron daemon executes scheduled commands periodically. This daemon can execute commands at specific times on systems that are always running. The anacron
utility executes scheduled commands when it is called. It works well on laptops and
other systems that are not on all the time. The anacron init script, which calls anacron, will not run commands when a system is running on batteries (i.e., not on AC).


CRONTAB FILES
The cron daemon reads the commands it is to execute from crontab files. Users can
use the crontab utility to set up personal crontab files in /var/spool/cron/crontabs.
System crontab files are kept in the /etc/cron.d directory and in the /etc/crontab
file. (The term crontab has three meanings: It refers to a text file in a specific format
[a crontab file], it is the name of a utility [crontab], and it is the name of a file
[/etc/crontab].)
By default, Ubuntu is set up with no restrictions on who can have cron run commands in their personal crontab files. See cron.allow and cron.deny on page 491 for
ways of restricting this access.
System crontab files

Crontab files specify how often cron is to run a command. A line in a system
crontab file, such as /etc/crontab, has the following format:

minute hour day-of-month month day-of-week user command

The first five fields indicate when cron will execute the command. The minute is the
number of minutes after the start of the hour, the hour is the hour of the day based
on a 24-hour clock, the day-of-month is a number from 1 to 31, and the day-of-week
is a number from 0 to 7, with 0 and 7 indicating Sunday. An asterisk (*) substitutes
for any value in a field. The user is the username or user ID of the user that
the command will run as. Following are some examples:

20 1 * * *      root    /usr/local/bin/checkit
25 9 17 * *     root    /usr/local/bin/monthly.check
40 23 * * 7     root    /usr/local/bin/sunday.check

All three lines run their commands with root privileges. The first line runs checkit
every day at 1:20 AM. The second line runs monthly.check at 9:25 AM on day 17 of
every month. The third line runs sunday.check at 11:40 PM every Sunday. Give the
command man 5 crontab to obtain more information on crontab files.
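Because the user field of a system crontab decides whose privileges a command runs with (root in all three examples above), the check an administrator wants is that nothing root executes from cron can be modified by anyone else. The following is an added example, not from the book: it pulls every absolute path out of the command field of each active entry and reports those that are group- or world-writable. The crontab and the scripts it names are constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: audit the commands in a system crontab (the seven-field format
# above, with a user field) for executables or directories that another user
# could modify. The sample crontab and scripts below are constructed.

WORK=$(mktemp -d)
printf '#!/bin/sh\necho ok\n' > "$WORK/checkit"
printf '#!/bin/sh\necho ok\n' > "$WORK/sunday.check"
chmod 755 "$WORK/checkit"          # writable by its owner only
chmod 777 "$WORK/sunday.check"     # writable by everyone: root would run whatever is put here

SAMPLE_CRONTAB="$WORK/crontab"
cat > "$SAMPLE_CRONTAB" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
20 1 * * *   root  $WORK/checkit
40 23 * * 7  root  test -x $WORK/sunday.check && $WORK/sunday.check
EOF

# crontab_paths FILE
# Prints "user path" for every absolute path in the command field of an active
# entry. Comment lines, blank lines and VAR=value settings are skipped; fields
# 1-5 are the schedule, field 6 the user, and the rest the command.
crontab_paths() {
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$1" |
        awk '{ for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $6, $i }' |
        sort -u
}

# writable_by_others PATH
# True when the group or the other write bit is set. Reads the symbolic mode
# from ls -l (characters 6 and 9), which works with GNU and BSD userland alike.
writable_by_others() {
    ls -ld "$1" | awk '{ m = $1; exit !(substr(m, 6, 1) == "w" || substr(m, 9, 1) == "w") }'
}

# audit_crontab FILE
# One WARN line per referenced path that exists and is writable by group or others.
audit_crontab() {
    crontab_paths "$1" | while read -r user path; do
        [ -e "$path" ] || continue
        if writable_by_others "$path"; then
            echo "WARN: $user runs $path, which is group/world-writable"
        fi
    done
}

audit_crontab "$SAMPLE_CRONTAB"
```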
User crontab files

A user crontab file has the same format as a system crontab file except that it does
not include the user field because it always runs as the user who created it. Users
can work with their own crontab files by giving the command crontab followed by
-l to list the file, -r to remove the file, or -e to edit the file. This command uses the
nano editor by default; if you prefer, export (page 992) and set the VISUAL or EDITOR environment variable to the textual editor of your choice. See the crontab man
page for more information.

/etc/crontab

Following is the default /etc/crontab file. Comments begin with a hash mark (#).
The file sets the SHELL and PATH (page 319) environment variables.

$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the 'crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

run-parts

The run-parts utility runs all the executable files in the directory named as its argument. The --report option affects commands that produce output. It sends the
name of the command to standard output or standard error—whichever the command sends its first output to.
The cron daemon runs the line that begins with 17 at 17 minutes past every hour.
First the command cds to root (/). The AND Boolean operator (&&) then executes
run-parts, which executes all files in the /etc/cron.hourly directory.
The next three lines first test whether the /usr/sbin/anacron file is executable. If the
file is executable, the OR Boolean operator (||) causes the shell to ignore the rest of
the line. Thus, if anacron is installed and executable, this file executes only the files
in the cron.hourly directory. If anacron is not installed or is not executable, each of
these three lines cds to root (/) and executes the files in the specified directory.
/etc/cron.d/anacron   In addition to the /etc/crontab file, cron reads the files in /etc/cron.d for commands to
execute. The following file causes cron to run the anacron init script once a day at
7:30 AM (this init script runs anacron if the system is up and not running on batteries):

$ cat /etc/cron.d/anacron
# /etc/cron.d/anacron: crontab entries for the anacron package

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#30 7    * * *   root    test -x /etc/init.d/anacron && /usr/sbin/invoke-rc.d anacron start >/dev/null
30 7     * * *   root    start -q anacron || :

The line that ran the SysVinit script (/etc/init.d/anacron) is commented out and
replaced with a line that starts the anacron job, an Upstart job defined in
/etc/init/anacron.conf and run by the Upstart init daemon (page 432).
/etc/anacrontab   When anacron is run, it reads the commands it is to execute from the /etc/anacrontab
file. The anacron utility keeps track of the last time it ran each of its jobs so
when it is called, it can tell which jobs need to be run. This file is where the files in
the cron.daily, cron.weekly, and cron.monthly directories get executed on a system
running anacron.

$ cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# These replace cron's entries
1         5     cron.daily     nice run-parts --report /etc/cron.daily
7        10     cron.weekly    nice run-parts --report /etc/cron.weekly
@monthly 15     cron.monthly   nice run-parts --report /etc/cron.monthly

An entry in the anacrontab file has the following format:

period delay identifier command

where the period is the frequency in days (how often) that anacron executes the
command, the delay is the number of minutes after anacron starts that it executes
the command, and the identifier is the name of the file in /var/spool/anacron that
anacron uses to keep track of when it last executed the command.

The cron.daily job in anacrontab runs the executable files in /etc/cron.daily every
day, five minutes after anacron starts. If the system is running at 7:30 AM,
/etc/cron.d/anacron calls the anacron init script, and this job runs at 7:35 AM.
When Ubuntu boots, the rc scripts call the anacron init script. If the system is not
running at 7:30 AM, the cron.daily job has not been run for at least a day, and the
system is not running on batteries, the job runs five minutes after the system boots.
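As an added example (not from the book), the script below reproduces the decision anacron makes from these two inputs, the anacrontab entries and the timestamp files in /var/spool/anacron, so you can see which jobs would run after a boot on a given date. The anacrontab text is a copy of the one shown above; the spool directory is constructed. Two details are assumptions rather than statements from the page: that each spool file holds a single YYYYMMDD date, and that @monthly is due when the calendar month has changed since the last run.

```python
import datetime
import os
import tempfile

# Copy of the /etc/anacrontab shown on the page (constructed input).
SAMPLE_ANACRONTAB = """\
# /etc/anacrontab: configuration file for anacron
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# These replace cron's entries
1         5     cron.daily     nice run-parts --report /etc/cron.daily
7        10     cron.weekly    nice run-parts --report /etc/cron.weekly
@monthly 15     cron.monthly   nice run-parts --report /etc/cron.monthly
"""


def parse_anacrontab(text):
    """Return (period, delay, identifier, command) for each job line, skipping
    comments, blank lines and the VAR=value assignments at the top of the file."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        period, delay, ident, command = line.split(None, 3)
        jobs.append((period, int(delay), ident, command))
    return jobs


def read_spool(spool_dir, ident):
    """Date of the job's last run from its timestamp file in the spool directory
    (assumption: the file holds one YYYYMMDD stamp), or None if it never ran."""
    try:
        with open(os.path.join(spool_dir, ident)) as f:
            return datetime.datetime.strptime(f.read().strip(), "%Y%m%d").date()
    except FileNotFoundError:
        return None


def is_due(period, last_run, today):
    """A numeric period is a number of days; @monthly is treated as due once per
    calendar month (assumption about anacron's comparison, see anacron(8))."""
    if last_run is None:
        return True
    if period == "@monthly":
        return (today.year, today.month) != (last_run.year, last_run.month)
    return (today - last_run).days >= int(period)


def due_jobs(anacrontab_text, spool_dir, today_iso):
    """Return [(identifier, minutes_after_start, command), ...] for the jobs
    anacron would run if started on today_iso (YYYY-MM-DD), in anacrontab order."""
    today = datetime.date.fromisoformat(today_iso)
    due = []
    for period, delay, ident, command in parse_anacrontab(anacrontab_text):
        if is_due(period, read_spool(spool_dir, ident), today):
            due.append((ident, delay, command))
    return due


def make_sample_spool():
    """Constructed stand-in for /var/spool/anacron: cron.daily last ran on
    2010-01-31, cron.weekly on 2010-01-29, cron.monthly never."""
    d = tempfile.mkdtemp(prefix="anacron.spool.")
    with open(os.path.join(d, "cron.daily"), "w") as f:
        f.write("20100131\n")
    with open(os.path.join(d, "cron.weekly"), "w") as f:
        f.write("20100129\n")
    return d


if __name__ == "__main__":
    for ident, delay, command in due_jobs(SAMPLE_ANACRONTAB, make_sample_spool(), "2010-02-01"):
        print("%-13s after %2d min: %s" % (ident, delay, command))
```

To check a live system, read /etc/anacrontab and pass /var/spool/anacron as the spool directory; the spool files are owned by root, so run it with sudo.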

Running cron jobs at the right time
tip   As installed, if the /usr/sbin/anacron file is present and executable, cron uses anacron to run
daily, weekly, and monthly cron jobs. The anacron utility always runs the jobs at 7:35 in the
morning, or as soon as possible after that. Refer to "run-parts" on page 607 and the section on
/etc/anacrontab. An easy way to get cron to run these jobs as scheduled in /etc/crontab is to
change permissions on the anacron file so it is not executable:
$ sudo chmod 644 /usr/sbin/anacron
If you want to reenable anacron, change its permissions back to 755. Note that an upgrade of the
anacron package reinstalls the file with its original permissions; to make the change survive
upgrades, record it with dpkg-statoverride rather than with chmod alone.

at: RUNS OCCASIONAL TASKS
Like the cron utility, at runs a job sometime in the future. Unlike cron, at runs a job
only once. For instance, you can schedule an at job that will reboot the system at
3:00 AM (when all users are probably logged off):
$ sudo at 3am
warning: commands will be executed using /bin/sh
at> reboot
at> CONTROL-D
job 1 at 2010-02-01 03:00

It is also possible to run an at job from within an at job. For instance, an at job
might check for new patches every 18 days, something that would be more difficult
with cron. See the at man page for more information.
By default, Ubuntu is set up with restrictions that prevent some system accounts
from running at. See at.allow and at.deny on page 491 for more information.

SYSTEM REPORTS
Many utilities report on one thing or another. The who, finger, ls, ps, and other utilities,
for example, generate simple end-user reports. In some cases, these reports can
help with system administration. This section describes utilities that generate more
in-depth reports that can provide greater assistance with system administration
tasks. Linux has many other report utilities, including (from the sysstat package) sar
(system activity report), iostat (input/output and CPU statistics), and mpstat (processor
statistics); (from the net-tools package) netstat (network report); and (from the
nfs-common package) nfsstat (NFS statistics).

vmstat: REPORTS VIRTUAL MEMORY STATISTICS
The vmstat utility (procps package) generates virtual memory information along
with (limited) disk and CPU activity data. The following example shows virtual
memory statistics at three-second intervals for seven iterations (from the arguments
3 7). The first line covers the time since the system was last booted; each subsequent
line covers the period since the previous line.

$ vmstat 3 7
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  2      0 684328  33924 219916    0    0   430   105 1052  134  2  4 86  8
 0  2      0 654632  34160 248840    0    0  4897  7683 1142  237  0  5  0 95
 0  3      0 623528  34224 279080    0    0  5056  8237 1094  178  0  4  0 95
 0  2      0 603176  34576 298936    0    0  3416   141 1161  255  0  4  0 96
 0  2      0 575912  34792 325616    0    0  4516  7267 1147  231  0  4  0 96
 1  2      0 549032  35164 351464    0    0  4429    77 1120  210  0  4  0 96
 0  2      0 523432  35448 376376    0    0  4173  6577 1135  234  0  4  0 95

The following list explains the column heads displayed by vmstat:

• procs      Process information
    • r      Number of waiting, runnable processes
    • b      Number of blocked processes (in uninterruptable sleep)
• memory     Memory information (in kilobytes)
    • swpd   Used virtual memory
    • free   Idle memory
    • buff   Memory used as buffers
    • cache  Memory used as cache
• swap       System paging activity (in kilobytes per second)
    • si     Memory swapped in from disk
    • so     Memory swapped out to disk
• io         System I/O activity (in blocks per second)
    • bi     Blocks received from a block device
    • bo     Blocks sent to a block device
• system     (Values are per second)
    • in     Interrupts (including the clock)
    • cs     Context switches
• cpu        Percentage of total CPU time spent in each of these states
    • us     User (nonkernel)
    • sy     System (kernel)
    • id     Idle
    • wa     Waiting for I/O
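The following Python code is an added example, not from the book, that parses vmstat output and turns the column definitions above into findings: nonzero si/so means the system is paging, a high wa means processes are blocked on disk, and more runnable processes (r) than CPUs means the run queue is backed up. The sample output is constructed (the third row is invented to show memory pressure) and the thresholds are assumptions chosen for illustration; vmstat versions differ in their header columns, so the parser takes the names from the second header line instead of hard-coding them.

```python
# Constructed vmstat output in the layout shown above. The first data row is the
# average since boot; the third row was made up to show a system under memory
# pressure (nonzero si/so, high wa, more runnable processes than CPUs).
SAMPLE_VMSTAT = """\
procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  2      0 684328  33924 219916    0    0   430   105 1052  134  2  4 86  8
 0  2      0 654632  34160 248840    0    0  4897  7683 1142  237  0  5  0 95
 3  1  20480  23528  34224 279080  512 1024  5056  8237 1094  178 40 30  5 25
"""


def parse_vmstat(text):
    """Return one dict per data row, keyed by the names on the second header
    line (r, b, swpd, ..., wa); since_boot marks the first row."""
    lines = [line for line in text.splitlines() if line.strip()]
    names = lines[1].split()
    rows = []
    for index, line in enumerate(lines[2:]):
        values = [int(v) for v in line.split()]
        if len(values) != len(names):
            raise ValueError("column count mismatch: %r" % line)
        row = dict(zip(names, values))
        row["since_boot"] = index == 0
        rows.append(row)
    return rows


def diagnose(rows, ncpu=1, wa_threshold=20):
    """Return (row_index, finding) pairs for the interval rows. The thresholds
    are illustrative assumptions, not values from the page."""
    findings = []
    for index, row in enumerate(rows):
        if row["since_boot"]:
            continue    # the boot-average row hides what is happening now
        if row["si"] or row["so"]:
            findings.append((index, "paging: si=%d so=%d kB/s, RAM is oversubscribed"
                             % (row["si"], row["so"])))
        if row["wa"] >= wa_threshold:
            findings.append((index, "wa=%d%%: processes are blocked on disk I/O"
                             % row["wa"]))
        if row["r"] > ncpu:
            findings.append((index, "r=%d runnable processes for %d CPU(s)"
                             % (row["r"], ncpu)))
    return findings


if __name__ == "__main__":
    for index, finding in diagnose(parse_vmstat(SAMPLE_VMSTAT), ncpu=2):
        print("interval %d: %s" % (index, finding))
```

Feed it live data with something like vmstat 3 7 piped to the script; the second row of the page's own output (wa at 95 percent with no paging) is the signature of a disk-bound job rather than a memory shortage.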

top: LISTS PROCESSES USING THE MOST RESOURCES
The top utility is a useful supplement to ps. At its simplest, top displays system
information at the top and the most CPU-intensive processes below the system
information. The top utility updates itself periodically; type q to quit. Although you
can use command-line options, the interactive commands are often more helpful.
Refer to Table 16-2 and to the top man page for more information.

Table 16-2   top: interactive commands

Command   Function
A         Sorts processes by age (newest first).
h or ?    Displays a Help screen.
k         (kill) Prompts for a PID number and type of signal and sends the process that
          signal. Defaults to signal 15 (SIGTERM); specify 9 (SIGKILL) only when 15
          does not work.
M         Sorts processes by memory usage.
P         (processor) Sorts processes by CPU usage (default).
q         Quits top.
s         Prompts for time between updates in seconds. Use 0 (zero) for continuous
          updates; such updates can slow the system by consuming a lot of resources.
SPACE     Updates the display immediately.
T         Sorts tasks by time.
W         Writes a startup file named ~/.toprc so that the next time you start top, it
          uses the same parameters it is currently using.

$ top
top - 17:58:53 up 3 days,  4:20,  1 user,  load average: 2.16, 1.61, 0.83
Tasks: 167 total,   5 running, 162 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.5%us,  0.5%sy,  1.3%ni, 96.0%id,  0.2%wa,  0.6%hi,  0.0%si,  0.0%st
Mem:   2076092k total,  1990652k used,    85440k free,    18416k buffers
Swap:  7815580k total,    34908k used,  7780672k free,  1330008k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
31323 zach      25   0  9020 6960  396 R   63  0.3   0:17.58 bzip2
31327 zach      18   0  2092  596  492 R   57  0.0   0:00.92 cp
31311 root      15   0     0    0    0 S   16  0.0   0:00.38 pdflush
 6870 zach      27  12  331m 190m  37m R    2  9.4 198:42.98 firefox-bin
31303 root      15   0     0    0    0 S    2  0.0   0:00.42 pdflush
    1 root      15   0  2912 1808  488 S    0  0.1   0:01.55 init

Figure 16-5   The primary and extended partitions from the example: /dev/sda holds
primary partitions 1, 2, and 3 (/dev/sda1, /dev/sda2, /dev/sda3) and extended
partition 4 (/dev/sda4), which contains logical partitions 5, 6, and 7 (/dev/sda5,
/dev/sda6, /dev/sda7).

parted: REPORTS ON AND PARTITIONS A HARD DISK
The parted (partition editor) utility reports on and manipulates hard disk partitions.
The following example shows how to use parted from the command line. It uses the
print command to display information about the partitions on the /dev/sda drive:

$ sudo parted /dev/sda print
Disk geometry for /dev/sda: 0kB - 165GB
Disk label type: msdos
Number  Start   End     Size    Type      File system     Flags
1       32kB    1045MB  1045MB  primary   ext4            boot
2       1045MB  12GB    10GB    primary   ext4
3       12GB    22GB    10GB    primary   ext4
4       22GB    165GB   143GB   extended
5       22GB    23GB    1045MB  logical   linux-swap(v1)
6       23GB    41GB    18GB    logical   ext4
7       41GB    82GB    41GB    logical   ext4

Figure 16-5 graphically depicts the partitions shown in this example. The first line
that parted displays specifies the device being reported on (/dev/sda) and its size
(165 gigabytes). The print command displays the following columns:

• Number   The minor device number (page 503) of the device holding the
  partition. This number is the same as the last number in the device name.
  In the example, 5 corresponds to /dev/sda5.
• Start   The location on the disk where the partition starts. The parted utility
  specifies a location on the disk as the distance (in bytes) from the start
  of the disk. Thus partition 3 starts 12 gigabytes from the start of the disk.
• End   The location on the disk where the partition stops. Although partition
  2 ends 12 gigabytes from the start of the disk and partition 3 starts at
  the same location, parted takes care that the partitions do not overlap at
  this single byte.
• Size   The size of the partition in kilobytes (kB), megabytes (MB), or
  gigabytes (GB).
• Type   The partition type: primary, extended, or logical. See Figure 16-5
  and page 34 for information on partitions.
• File system   The filesystem type: ext2, ext3, ext4, fat32, linux-swap, and
  so on. See Table 12-1 on page 505 for a list of filesystem types.
• Flags   The flags that are turned on for the partition, including boot, raid,
  and lvm. In the example, partition 1 is bootable.

In the preceding example, partition 4 defines an extended partition that includes
143 gigabytes of the 165-gigabyte disk (Figure 16-5). You cannot make changes to
an extended partition without affecting all logical partitions within it.

In addition to reporting on the layout and size of a hard disk, you can use parted
interactively to modify the disk layout. Be extremely careful when using parted in
this manner, and always back up the system before starting to work with this utility.
Changing the partition information (the partition table) on a disk can destroy the
information on the disk. Read the parted info page before you attempt to modify a
partition table.

parted can destroy everything
caution   Be as careful with parted as you would be with a utility that formats a hard disk. Changes you
make with parted can easily result in the loss of large amounts of data. If you are using parted
and have any question about what you are doing, quit with a q command before making any
changes. Once you give parted a command, it immediately makes the change you requested.

To partition a disk, give the command parted followed by the name of the device
you want to work with. In the following example, after starting parted, the user
gives a help (or just h) command, which displays a list of parted commands:

$ sudo parted /dev/sda
GNU Parted 2.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) help
  align-check TYPE N                        check partition N for TYPE(min|opt) alignment
  check NUMBER                              do a simple check on the file system
  cp [FROM-DEVICE] FROM-NUMBER TO-NUMBER    copy file system to another partition
  help [COMMAND]                            print general help, or help on COMMAND
  mklabel,mktable LABEL-TYPE                create a new disklabel (partition table)
  mkfs NUMBER FS-TYPE                       make a FS-TYPE file system on partition NUMBER
  mkpart PART-TYPE [FS-TYPE] START END      make a partition
  mkpartfs PART-TYPE FS-TYPE START END      make a partition with a file system
  move NUMBER START END                     move partition NUMBER
  name NUMBER NAME                          name partition NUMBER as NAME
  print [devices|free|list,all|NUMBER]      display the partition table, available devices,
                                            free space, all found partitions, or a particular
                                            partition
  quit                                      exit program
  rescue START END                          rescue a lost partition near START and END
  resize NUMBER START END                   resize partition NUMBER and its file system
  rm NUMBER                                 delete partition NUMBER
  select DEVICE                             choose the device to edit
  set NUMBER FLAG STATE                     change the FLAG on partition NUMBER
  toggle [NUMBER [FLAG]]                    toggle the state of FLAG on partition NUMBER
  unit UNIT                                 set the default unit to UNIT
  version                                   display the version number and copyright
                                            information of GNU Parted
(parted)

In response to the (parted) prompt, you can give the c o m m a n d help followed by the
name of the c o m m a n d you want more information about. W h e n you give a print
(or just p) command, p a r t e d displays current partition information, just as a print
c o m m a n d on the c o m m a n d line does.
T h e p a r t e d utility will not allow you to set up overlapping partitions (except for logical partitions overlapping their containing extended partition). Similarly, it will not
allow you to create a partition that starts at the very beginning of the disk (cylinder
0). Both of these situations can cause loss of data.
Following are guidelines to remember when defining a partition table for a disk. For
more information refer to "Partitioning a D i s k " on page 3 6 .
• D o not delete or modify the partition that defines the extended partition
unless you are willing to lose all data on all the logical partitions within
the extended partition.
• If you put / b o o t on a separate partition, it is a good idea to put it at the
beginning of the drive (partition 1) so there is no issue of Linux having to
boot from a partition located too far into the drive. W h e n you can afford
the disk space, it is desirable to put each m a j o r filesystem on a separate
partition. M a n y people choose to combine / (root), /var, and /usr into a
single partition, which generally results in less wasted space but can, on
rare occasions, cause problems.
• Although p a r t e d can create some types of filesystems, it is typically easiest
to use p a r t e d to create partitions and then use m k f s and m k s w a p to create
filesystems on the partitions.


The following sequence of commands defines a 300-megabyte, bootable, Linux
partition as partition 1 on a clean disk:

$ sudo /sbin/parted /dev/sdb
Using /dev/sdb
(parted) mkpart                               (create new partition)
Partition type?  primary/extended? primary    (select primary partition)
File system type?  [ext2]?                    (default to an ext2 filesystem)
Start? 1                                      (start at the beginning of the disk)
End? 300m                                     (specify a 300-megabyte partition)
(parted) help set                             (use help to check the syntax of the set command)
  set NUMBER FLAG STATE                     change a flag on partition NUMBER

        NUMBER is the partition number used by Linux.  On msdos disk labels, the primary
        partitions number from 1 to 4, logical partitions from 5 onwards.
        FLAG is one of: boot, root, swap, hidden, raid, lvm, lba, hp-service, palo,
        prep, msftres
        STATE is one of: on, off
(parted) set 1 boot on                        (turn on the boot flag on partition 1)
(parted) print                                (verify that the partition is correct)
Disk geometry for /dev/sdb: 0kB - 250GB
Disk label type: msdos
Number  Start  End    Size   Type     File system  Flags
1       1kB    300MB  300MB  primary  ext2         boot
(parted) quit
Information: Don't forget to update /etc/fstab, if necessary.

When you specify a size within parted, you can use a suffix of k (kilobytes), m
(megabytes), or g (gigabytes). After creating a partition, give a print command to
see where the partition ends. Perform this task before defining the next contiguous
partition so you do not waste space. After setting up all the partitions, exit from
parted with a quit command.

Next make a filesystem (mkfs, page 458) on each partition that is to hold a filesystem
(not swap). Make all partitions, except swap and /boot, of type ext4, unless
you have a reason to do otherwise. Make the /boot partition of type ext2. Use
mkswap (page 498) to set up a swap area on a partition. You can use e2label
(page 458) to label a partition.

KEEPING USERS INFORMED
One of your primary responsibilities as a system administrator is communicating
with system users. You need to make announcements, such as when the system will
be down for maintenance, when a class on some new software will be held, and
how users can access the new system printer. You can even start to fill the role of a
small local newspaper, letting users know about new employees, RIFs, births, the
company picnic, and so on.

Different communications have different priorities. For example, information about
the company picnic in two months is not as time sensitive as the fact that you are
bringing the system down in five minutes. To meet these differing needs, Linux provides different ways of communicating. T h e most c o m m o n methods are described
and contrasted in the following list. All of these methods are generally available to
everyone, except for the message of the day, which is typically reserved for a user
with root privileges.
write Use the write utility (page 1 8 4 ) to communicate with a user who is logged in on the
local system. You might use it, for example, to ask a user to stop running a program
that is slowing the system; the user might reply that he will be done in three minutes. Users can also use write to ask the system administrator to mount a tape or
restore a file. Messages sent from write may not appear in a graphical environment.
wall T h e wall (write all) utility effectively communicates immediately with all users who
are logged in. This utility takes its input from standard input and works much like
write, except that users cannot use wall to write back to only you. Use wall when you
are about to bring the system down or are in another crisis situation. Users who are
not logged in will not get the message.
R u n wall as a user with r o o t privileges only in a crisis situation; it interrupts anything anyone is doing. Messages sent from wall m a y not appear in a graphical
environment.
Email Email is useful for communicating less urgent information to one or more systems
and/or remote users. W h e n you send mail, you have to be willing to wait for each
user to read it. Email is useful for reminding users that they are forgetting to log
out, their bills are past due, or they are using too much disk space.
Users can easily make permanent records of messages they receive via email, as
opposed to messages received via write, so they can keep track of important details.
For instance, it would be appropriate to use email to inform users about a new,
complex procedure, so each user could keep a copy of the information for reference.
Message of the day Users see the message of the day each time they log in in a textual environment, but
not when they open a terminal emulator window. You can edit the / e t c / m o t d file to
change this message as necessary. T h e message of the day can alert users to upcoming periodic maintenance, new system features, or a change in procedures.

CREATING PROBLEMS
Even experienced system administrators make mistakes; new system administrators
just make more mistakes. Although you can improve your odds of avoiding problems
by carefully reading and following the documentation provided with software,
many things can still go wrong. A comprehensive list, no matter how long, is not
possible because new and exciting ways to create problems are discovered every
day. This section describes a few of the more common techniques.

Failing to perform regular backups   Few feelings are more painful to a system administrator than realizing that
important information is lost forever. If the local system supports multiple users, having a
recent backup may be your only protection from a public lynching. If it is a single-user
system, having a recent backup certainly keeps you happier when you lose a
hard disk or erase a file by mistake.

Not reading and following instructions   Software developers provide documentation for a reason. Even when you have
installed a software package before, carefully read the instructions again. They may
have changed, or you may simply remember them incorrectly. Software changes
more quickly than books are revised, so no book should be taken as offering foolproof
advice. Instead, look for the latest documentation online. The /usr/share/doc
directory has information on many utilities, libraries, and software packages.

Failing to ask for help when instructions are not clear   If something does not seem to make sense, try to find out what does make sense;
do not attempt to guess. See Appendix B for a list of places you may be able to find
assistance.

Deleting or mistyping information in a critical file   One sure way to give yourself nightmares is to execute the command
$ sudo rm -rf /etc        <-- do not do this
Perhaps no other command renders a Linux system useless so quickly. The only
recourse is to reboot into recovery mode using an installation CD/DVD (page 445)
and restore the missing files from a recent backup. Although this example depicts
an extreme case, many files are critical to proper operation of a system. Deleting
one of these files or mistyping information in one of them is almost certain to cause
problems. If you directly edit /etc/passwd, for example, entering the wrong information
in a field can make it impossible for one or more users to log in (vipw edits the
file under a lock and is the safer way to change it). Do not use
rm -rf with an argument that includes wildcard characters; do pause after typing
the command, and read it before you press RETURN. Check everything you do carefully,
and make a copy of a critical file before you edit it.

Be careful when using a wildcard character with rm
caution   When you must use a wildcard character, such as *, in an argument to an rm command, first use
echo with the same argument to see exactly which files you will be deleting. This check is especially
important when you are working with root privileges.

SOLVING PROBLEMS
As the system administrator, it is your responsibility to keep the system secure and
running smoothly. When a user is having a problem, it usually falls to the administrator
to help the user get back on track. This section suggests ways to keep users
happy and the system functioning at peak performance.

HELPING WHEN A USER CANNOT LOG IN
When a user has trouble logging in on the system, the source may be a user error or
a problem with the system software or hardware. The following steps can help
determine where the problem is:

• Check the log files in /var/log. The /var/log/messages file accumulates system
  errors, messages from daemon processes, and other important information.
  It may indicate the cause or more symptoms of a problem. Also,
  check the system console. Occasionally messages about system problems
  that are not written to /var/log/messages (for instance, a full disk) are displayed
  on the system console.
• Determine whether only that one user or only that one user's terminal/
  workstation has a problem or whether the problem is more widespread.
• Check that the user's CAPS LOCK key is not on.
• Make sure the user's home directory exists and corresponds to that user's
  entry in the /etc/passwd file. Verify that the user owns her home directory
  and startup files and that they are readable (and, in the case of the user's
  home directory, executable). Confirm that the entry for the user's login
  shell in the /etc/passwd file is accurate and the shell exists as specified.
• Change the user's password if there is a chance that he has forgotten the
  correct password.
• Check the user's startup files (.profile, .login, .bashrc, and so on). The user
  may have edited one of these files and introduced a syntax error that prevents login.
• Check the terminal or monitor data cable from where it plugs into the terminal
  to where it plugs into the computer (or as far as you can follow it).
  Try turning the terminal or monitor off and then turning it back on.
• When the problem appears to be widespread, check whether you can log
  in from the system console. Make sure the system is not in recovery
  mode. If you cannot log in, the system may have crashed; reboot it and
  perform any necessary recovery steps (the system usually does quite a bit
  automatically).
• If the user is logging in over a network connection, run the appropriate init
  script (page 440) to restart the service the user is trying to use (e.g., ssh).
• Use df to check for full filesystems. If the /tmp filesystem or the user's
  home directory is full, login sometimes fails in unexpected ways. In some
  cases you may be able to log in to a textual environment but not a graphical
  one. When applications that start when the user logs in cannot create
  temporary files or cannot update files in the user's home directory, the
  login process itself may terminate.
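Several of the checks in this list (the passwd entry, the home directory, its ownership and permissions, the startup files, and the login shell) can be scripted. The following Python function is an added example, not from the book, that performs them and reports what it finds; it takes the passwd text as an argument so it can be run against a copy, and the sample passwd entry and home directory are constructed for the user running it. It does not parse the startup files for syntax errors, which remains a manual check.

```python
import os
import stat
import tempfile

# Startup files checked for ownership and readability (assumption: the user's
# shell reads one of these; csh-style .login is included for completeness).
STARTUP_FILES = (".profile", ".bash_profile", ".bashrc", ".login")


def parse_passwd(text, user):
    """Return the seven-field /etc/passwd entry for user as a dict, or None."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return {"user": user, "uid": int(fields[2]), "gid": int(fields[3]),
                    "home": fields[5], "shell": fields[6]}
    return None


def check_login(passwd_text, user):
    """Return a list of problem strings; an empty list means the passwd entry,
    home directory, startup files and shell pass the checks from the list above."""
    entry = parse_passwd(passwd_text, user)
    if entry is None:
        return ["no well-formed /etc/passwd entry for %s" % user]
    problems = []
    home, shell, uid = entry["home"], entry["shell"], entry["uid"]
    if not os.path.isdir(home):
        problems.append("home %s missing or not a directory" % home)
    else:
        st = os.stat(home)
        if st.st_uid != uid:
            problems.append("home not owned by uid %d (owner is %d)" % (uid, st.st_uid))
        need = stat.S_IRUSR | stat.S_IXUSR          # read and search for the owner
        if (st.st_mode & need) != need:
            problems.append("home not readable and searchable by owner")
        for name in STARTUP_FILES:
            path = os.path.join(home, name)
            if os.path.exists(path):
                fst = os.stat(path)
                if fst.st_uid != uid or not fst.st_mode & stat.S_IRUSR:
                    problems.append("%s not owned by or readable by the user" % name)
    if not os.path.isfile(shell):
        problems.append("shell %s does not exist" % shell)
    elif not os.access(shell, os.X_OK):
        problems.append("shell %s is not executable" % shell)
    elif os.path.basename(shell) in ("nologin", "false"):
        problems.append("shell %s denies interactive login" % shell)
    return problems


def make_sample_passwd(home, shell="/bin/sh"):
    """Constructed single-entry passwd text for the user running this script."""
    return "zach:x:%d:%d:Zach:%s:%s\n" % (os.getuid(), os.getgid(), home, shell)


def make_sample_home(mode=0o700):
    """Constructed home directory containing one startup file."""
    d = tempfile.mkdtemp(prefix="home.zach.")
    with open(os.path.join(d, ".bashrc"), "w") as f:
        f.write("# constructed startup file\n")
    os.chmod(d, mode)
    return d


if __name__ == "__main__":
    print(check_login(make_sample_passwd(make_sample_home()), "zach") or "no problems found")
```

Against a live system, pass the contents of /etc/passwd and the user's login name; the stat calls need root only when the home directory is not readable by you.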

SPEEDING UP THE SYSTEM
When the system is running slowly for no apparent reason, perhaps a process did
not exit when a user logged out. Symptoms of this problem include poor response
time and a system load, as shown by w or uptime, that is greater than 1.0. Running
top (page 610) is an excellent way to find rogue processes quickly. Use ps -ef to list
all processes. One thing to look for in ps -ef output is a large number in the TIME
column. For example, if a Firefox process has a TIME field greater than 100.0, this
process has likely run amok. However, if the user is doing a lot of Java work and
has not logged out for a long time, this value may be normal. Look at the STIME
field to see when the process was started. If the process has been running for longer
than the user has been logged in, it is a good candidate to be killed.

617

618

CHAPTER 16

ADMINISTRATION TASKS
When a user gets stuck and leaves her terminal unattended without notifying anyone,
it is convenient to kill (page 455) all processes owned by that user. If the user is
running a window system, such as GNOME or KDE on the console, kill the window
manager process. Manager processes to look for include startkde, x-session-manager,
or another process name that ends in wm. Usually the window manager is either the
first or last thing to be run, and exiting from the window manager logs the user out.
If killing the window manager does not work, try killing the X server process. This
process is typically listed as /usr/bin/X or /usr/X11R6/bin/X. If that fails, you can
kill all processes owned by a user by giving the command kill -15 -1 or, equivalently,
kill -TERM -1 while you are logged in as that user. Using -1 (one) in place of the
process ID tells kill to send the signal to all processes that are owned by that user.
For example, you could give the following command:
$ sudo -u zach kill -TERM -1
If this does not kill all processes (sometimes TERM does not kill a process), you can
use the KILL signal (-9). The following line will definitely kill all processes owned by
Zach and will not be friendly about it:
$ sudo -u zach kill -KILL -1
If you do not include -u zach, this command brings the system down.

lsof: FINDS OPEN FILES
The lsof (list open files) utility displays the names of open files. Its options display
only certain processes, only certain file descriptors of a process, or only certain
network connections (network connections use file descriptors just as normal files do
and lsof can show these as well). Once you have identified a suspect process using
ps -ef, give the following command:
$ sudo lsof -sp pid
Replace pid with the process ID of the suspect process; lsof displays a list of file
descriptors that process pid has open. The -s option displays the sizes of all open
files and the -p option allows you to specify the PID number of the process of
interest. This size information is helpful in determining whether the process has a
very large file open. If it does, contact the owner of the process or, if necessary, kill
the process. The -rn option redisplays the output of lsof every n seconds.

KEEPING A MACHINE LOG
A machine log that includes the information shown in Table 16-3 can help you find
and fix system problems. Note the time and date for each entry in the log. Avoid the
temptation to keep the log only on the computer—it will be most useful to you
when the system is down. Another good idea is to keep a record of all email dealing
with user problems. One strategy is to save this mail to a separate file or folder as
you read it. Another approach is to set up a mail alias that users can send mail to
when they have problems. This alias can then forward mail to you and also store a
copy in an archive file. Following is an example of an entry in the /etc/aliases file
(page 722) that sets up this type of alias:
trouble:        admin, /var/mail/admin.archive
Email sent to the trouble alias will be forwarded to the admin user as well as stored
in the file /var/mail/admin.archive.

CREATING PROBLEMS

Table 16-3   Machine log

Entry                        Function
Hardware modifications       Keep track of the system hardware configuration: which
                             devices hold which partitions, the model of the new NIC
                             you added, and so on.
System software              Keep track of the options used when building Linux. Print
modifications                such files as /usr/src/linux/.config (Linux kernel
                             configuration). The file hierarchy under /etc/default
                             contains valuable information about the network
                             configuration, among other things.
Hardware malfunctions        Keep as accurate a list as possible of any problems with
                             the system. Make note of any error messages or numbers
                             that the system displays on the system console and
                             identify what users were doing when the problem occurred.
User complaints              Make a list of all reasonable complaints made by
                             knowledgeable users (for example, "Machine is abnormally
                             slow").

KEEPING THE SYSTEM SECURE
No system with dial-in lines or public access to terminals is absolutely secure.
Nevertheless, you can make a system as secure as possible by changing the passwords of
users who are members of the admin group (these users can use sudo to gain root
privileges) and the root password (if there is one) frequently and by choosing passwords
that are difficult to guess. Do not tell anyone who does not absolutely need to know any
of these passwords. You can also encourage system users to choose difficult passwords
and to change them periodically.
Passwords  By default, passwords on Ubuntu Linux use MD5 (page 1159) hashing, which makes
them more difficult to break than passwords encrypted with DES (page 1112). Of
course, it makes little difference how well encrypted your password is if you make
it easy for someone to find out or guess what the password is.
A password that is difficult to guess is one that someone else would not be likely to
think you would have chosen. Do not use words from the dictionary (spelled forward
or backward); names of relatives, pets, or friends; or words from a foreign language.
A good strategy is to choose a couple of short words, include some punctuation (for
example, put a ^ between them), mix the case, and replace some of the letters in the
words with numbers. If it were not printed in this book, an example of a good
password would be C&yGram5 (candygrams). Ideally you would use a random
combination of ASCII characters, but that would be difficult to remember.
You can use one of several password-cracking programs to find users who have
chosen poor passwords. These programs work by repeatedly hashing words from
dictionaries, phrases, names, and other sources. If the hashed password matches the
output of the program, then the program has found the password of the user. One
program that cracks passwords is crack (part of the crack software package). It and
many other programs and security tips are available from CERT (www.cert.org),
which was originally called the Computer Emergency Response Team. Specifically,
look at www.cert.org/tech_tips.
Setuid files  Make sure no one except a user with root privileges can write to files containing
programs that are owned by root and run in setuid mode (for example, passwd and
sudo). Also make sure users do not transfer programs that run in setuid mode and
are owned by root onto the system by means of mounting tapes or disks. These
programs can be used to circumvent system security. One technique that prevents
users from having setuid files is to use the nosuid flag to mount, which you can set
in the flags section in the fstab file. Refer to "fstab: Keeps Track of Filesystems" on
page 510.
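Two review checks for the advice above, added here as an example that is not the book's code: the first lists setuid programs that group members or others could overwrite, the second reads /proc/mounts-style lines and reports user-media mount points that lack nosuid. The function names, the DIR/OWNER/MOUNTS_FILE parameters and the sample data are assumptions of this example.

```shell
# writable_setuid_files DIR [OWNER]
# List setuid programs owned by OWNER (default root) below DIR that group or
# others can write: a file someone other than its owner could replace and then
# run with the owner's privileges. -xdev keeps find on DIR's own filesystem.
writable_setuid_files() {
    find "$1" -xdev -type f -perm -4000 -user "${2:-root}" \
        \( -perm -g+w -o -perm -o+w \) -print
}

# mounts_without_nosuid [MOUNTS_FILE]
# Read /proc/mounts-style lines (device mountpoint fstype options dump pass) and
# print the mount points under /media, /mnt, /home and /tmp, the places where
# user-supplied disks and files end up, whose option field lacks nosuid.
# MOUNTS_FILE defaults to /proc/mounts; a constructed file can be passed in.
mounts_without_nosuid() {
    awk '
        $2 ~ "^/(media|mnt|home|tmp)(/|$)" {
            if (("," $4 ",") !~ /,nosuid,/) print $2
        }' "${1:-/proc/mounts}"
}
```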

BIOS  The BIOS in many machines gives you some degree of protection from an unauthorized
person who tries to modify the BIOS or reboot the system. When you set up the BIOS,
look for a section named Security. You can probably add a BIOS password. If you
depend on the BIOS password, lock the computer case—it is usually a simple matter to
reset the BIOS password by using a jumper on the motherboard.

LOG FILES AND MAIL FOR root
Users frequently email root and postmaster to communicate with the system
administrator. If you do not forward root's mail to yourself (/etc/aliases on page 722),
remember to check root's mail periodically. You will not receive reminders about
mail that arrives for root when you use sudo to perform system administration
tasks. However, you can give the command sudo mail -u root to look at root's mail.
Review the system log files regularly for evidence of problems. Some important files
are /var/log/messages, where the operating system and some applications record
errors; /var/log/mail.err (or /var/log/exim4/mainlog if you are running exim4),
which contains errors from the mail system; and /var/log/syslog, which contains
messages from the system, including messages from cron.

MONITORING DISK USAGE
Sooner or later you will probably start to run out of disk space. Do not fill up a
partition; Linux can write to files significantly faster if at least 5 to 30 percent of the
space in a partition remains free. Using more than the maximum optimal disk space
in a partition can degrade system performance.
Fragmentation  As a filesystem becomes full, it can become fragmented. This is similar to the DOS
concept of fragmentation but is not nearly as pronounced and is typically rare on
modern Linux filesystems; by design Linux filesystems are resistant to fragmentation.
If you keep filesystems from running near full capacity, you may never need to
worry about fragmentation. If there is no space on a filesystem, you cannot write to
it at all.
To check for filesystem fragmentation, unmount the filesystem and run fsck
(page 512) (with the -f option on ext2, ext3, and ext4 filesystems) on it. The output
of fsck includes a percent fragmentation figure for the filesystem. You can defragment
a filesystem by backing it up; using mkfs (page 458) to make a clean, empty image;
and then restoring the filesystem. Which utility you use to perform the backup and
restore—dump/restore, tar, cpio, or a third-party backup program—is not important.

Reports  Linux provides several programs that report on who is using how much disk space
on which filesystems. Refer to the du, quota, and df man pages and the -size option
in the find utility man page. In addition to these utilities, you can use the disk quota
system (page 625) to manage disk space.
Four strategies to increase the amount of free space on a filesystem are to compress
files, delete files, grow LVM-based filesystems, and condense directories. This section
contains some ideas on ways to maintain a filesystem so that it does not become
overloaded.
Files that grow quickly  Some files, such as log files and temporary files, inevitably grow over time. Core
dump files, for example, take up substantial space and are rarely needed. Also,
users occasionally run programs that accidentally generate huge files. As the system
administrator, you must review these files periodically so they do not get out of hand.
If a filesystem is running out of space quickly (that is, over a period of an hour
rather than weeks or months), first figure out why it is running out of space. Use a
ps -ef command to determine whether a user has created a runaway process that is
creating a huge file. When evaluating the output of ps, look for a process that has
consumed a large amount of CPU time. If such a process is running and creating a
large file, the file will continue to grow as you free up space. If you remove the huge
file, the space it occupied will not be freed until the process terminates, so you need
to kill the process. Try to contact the user running the process, and ask the user to
kill it. If you cannot contact the user, use sudo to kill the process yourself. Refer to
kill on page 455 for more information.
You can also truncate a large log file rather than removing it, although you can better
deal with this recurring situation with logrotate (discussed next). For example, if
the /var/log/messages file has become very large because a system daemon is
misconfigured, you can use /dev/null to truncate it:
$ sudo cp /dev/null /var/log/messages
or
$ sudo cat /dev/null > /var/log/messages
or, without spawning a new process,
$ sudo : > /var/log/messages
If you remove /var/log/messages, you have to restart the syslogd daemon. If you do
not restart syslogd, the space on the filesystem will not be released.
When no single process is consuming the disk space but capacity has instead been used
up gradually, locate unneeded files and delete them. You can archive these files by using
cpio, dump, or tar before you delete them. You can safely remove most files named core
that have not been accessed for several days. The following command line performs this
function without removing necessary files named core (such as /dev/core):
$ sudo find / -type f -name core | xargs file | grep 'B core file' | sed 's/:ELF.*//g' | xargs rm -f
The find command lists all ordinary files named core and sends its output to xargs,
which runs file on each of the files in the list. The file utility displays a string that
includes B core file for files created as the result of a core dump. These files need to
be removed. The grep command filters out from file any lines that do not contain
this string. Finally sed removes everything following the colon so that all that is left
on the line is the pathname of the core file; xargs then removes the file.
To free up more disk space, look through the /tmp and /var/tmp directories for old
temporary files and remove them. Keep track of disk usage in /var/mail, /var/spool,
and /var/log.

logrotate: MANAGES LOG FILES
Rather than deleting or truncating log files, you may want to keep these files for a
while in case you need to refer to them. The logrotate utility manages system log (and
other) files automatically by rotating (page 1170), compressing, mailing, and removing
each file as you specify. The logrotate utility is controlled by the /etc/logrotate.conf
file, which sets default values and can optionally specify files to be rotated. Typically
logrotate.conf has an include statement that points to utility-specific specification files
in /etc/logrotate.d. Following is the default logrotate.conf file:
$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

The logrotate.conf file sets default values for common parameters. Whenever logrotate
reads another value for one of these parameters, it resets the default value. You have
a choice of rotating files daily, weekly, or monthly. The number following the rotate
keyword specifies the number of rotated log files you want to keep. The create keyword
causes logrotate to create a new log file with the same name and attributes as the newly
rotated log file. The compress keyword (commented out in the default file) causes log
files to be compressed using gzip. The include keyword specifies the standard
/etc/logrotate.d directory for program-specific logrotate specification files. When you
install a program using dpkg (page 532) or a dpkg-based utility such as aptitude
(page 526), the installation script puts the logrotate specification file in this directory.
The last sets of instructions in logrotate.conf take care of the /var/log/wtmp and
/var/log/btmp log files (wtmp holds login records; you can view this file with the
command who /var/log/wtmp). The keyword missingok overrides the implicit default
value of nomissingok for this utility only (because the value is within brackets). This
keyword causes logrotate to continue without issuing an error message if the log file
is missing. The keyword monthly overrides the default value of weekly. The create
keyword is followed by the arguments establishing the permissions, owner, and group
for the new file. Finally rotate establishes that one rotated log file should be kept.
The /etc/logrotate.d/cups file is an example of a utility-specific logrotate specification
file:

623

624

CHAPTER 1 6

ADMINISTRATION TASKS

$ cat /etc/logrotate.d/cups
/var/log/cups/*log {
    daily
    missingok
    rotate 7
    sharedscripts
    postrotate
        if [ -e /var/run/cups/cupsd.pid ]; then
            invoke-rc.d --quiet cups force-reload > /dev/null
            sleep 10
        fi
    endscript
    compress
    notifempty
    create 640 root lpadmin
}
This file, which is installed by the cupsys package install script and incorporated in
/etc/logrotate.d because of the include statement in logrotate.conf, works with each
of the files in /var/log/cups that has a filename ending in log (*log). The sharedscripts
keyword causes logrotate to execute the command(s) in the prerotate and postrotate
sections one time only—not one time for each log that is rotated.
Although it does not appear in this example, the copytruncate keyword causes logrotate
to truncate the original log file immediately after it copies it. This keyword is useful
for programs that cannot be instructed to close and reopen their log files because they
might continue writing to the original file even after it has been moved. The logrotate
utility executes the commands between prerotate and endscript before the rotation
begins. Similarly, commands between postrotate and endscript are executed after the
rotation is complete. The notifempty keyword causes logrotate not to rotate the log
file if it is empty, overriding the default action of rotating empty log files.
The logrotate utility works with a variety of keywords, many of which take arguments
and have side effects. Refer to the logrotate man page for details.

REMOVING UNUSED SPACE FROM DIRECTORIES
A directory that contains too many filenames is inefficient. The point at which a
directory on an ext2, ext3, or ext4 filesystem becomes inefficient varies, depending
partly on the length of the filenames it contains. Best practice is to keep directories
relatively small. Having fewer than several hundred files (or directories) in a directory
is generally a good idea, and having more than several thousand is generally a bad
idea. Additionally, Linux uses a caching mechanism for frequently accessed files that
speeds the process of locating an inode from a filename. This caching mechanism
works only on filenames of up to 30 characters in length, so avoid giving frequently
accessed files extremely long filenames.
When a directory becomes too large, you can usually break it into several smaller
directories by moving its contents to those new directories. Make sure you remove
the original directory once you have moved all of its contents.

CREATING

PROBLEMS

Because Linux directories do not shrink automatically, removing a file from a directory
does not shrink the directory, even though it frees up space on the disk. To remove
unused space and make a directory smaller, you must copy or move all the files to a
new directory and remove the original directory.
The following procedure removes unused directory space. First remove all unneeded
files from the large directory. Then create a new, empty directory. Next move or
copy all remaining files from the old large directory to the new empty directory.
Remember to copy hidden files. Finally delete the old directory and rename the new
directory.
$ sudo mkdir /home/max/new
$ sudo mv /home/max/large/* /home/max/large/.[A-z]* /home/max/new
$ sudo rmdir /home/max/large
$ sudo mv /home/max/new /home/max/large

optional

DISK QUOTA SYSTEM
The disk quota system (supplied by the quota software package) limits the disk
space and number of files owned by individual users. You can choose to limit each
user's disk space, the number of files each user can own, or both. Each resource that
is limited has two limits: a lower limit and an upper limit. The user can exceed the
lower limit, or quota, although a warning is given each time the user logs in when
he is above the quota. After a certain number of warnings (set by the system
administrator), the system behaves as if the user had reached the upper limit. Once the
upper limit is reached or the user has received the specified number of warnings, the
user will not be allowed to create any more files or use any more disk space. The
user's only recourse at that point is to remove some files.
Users can review their usage and limits with the quota utility. Using sudo, you can
use quota to obtain information about any user. You can turn on quotas only if the
filesystem is mounted with the usrquota and/or grpquota options (ext3 and ext4
filesystems).
First you must decide which filesystems to limit and how to allocate space among
users. Typically only filesystems that contain users' home directories, such as
/home, are limited. Use the edquota utility to set the quotas, and then use quotaon to
start the quota system. Unmounting a filesystem automatically disables the quota
system for that filesystem.

rsyslogd: LOGS SYSTEM MESSAGES
Traditionally UNIX programs sent log messages to standard error. If a more permanent
log was required, the output was redirected to a file. Because of the limitations of this
approach, 4.3BSD introduced the system log daemon (rsyslogd) now used by Linux.
This daemon listens for log messages and stores them in the /var/log hierarchy. In
addition to providing logging facilities, rsyslogd allows a single machine to serve as a
log repository for a network and allows arbitrary programs to process specific log
messages.
rsyslog.conf  The /etc/rsyslog.conf file stores configuration information for rsyslogd while the
/etc/rsyslog.d/50-default.conf file stores default rules for rsyslogd. Each line in the
50-default.conf file contains one or more selectors and an action, separated by
whitespace. The selectors define the origin and type of the messages; the action
specifies how rsyslogd processes the message. Sample lines from rsyslog.conf follow
(a # indicates a comment):
# First some standard log files. Log by facility.
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#
# Some "catch-all" log files.
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warning;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
#
# Emergencies are sent to everybody logged in.
*.emerg                         *
Selectors  A selector is split into two parts, a facility and a priority, which are separated by a
period. The facility indicates the origin of the message. For example, kern messages
come from the kernel and mail messages come from the mail subsystem. Following is
a list of facility names used by rsyslogd and the systems that generate these messages:
Facilities
auth              Authorization and security systems including login
authpriv          Same as auth, but should be logged to a secure location
cron              cron
daemon            System and network daemons without their own categories
kern              Kernel
lpr               Printing subsystem
mail              Mail subsystem
news              Network news subsystem
user              Default facility; all user programs use this facility
uucp              The UNIX-to-UNIX copy protocol subsystem
local0 to local7  Reserved for local use
The priority indicates the severity of the message. The following list of the priority
names and the conditions they represent appears in priority order:


Priorities
debug      Debugging information
info       Information that does not require intervention
notice     Conditions that may require intervention
warning    Warnings
err        Errors
crit       Critical conditions such as hardware failures
alert      Conditions that require immediate attention
emerg      Emergency conditions

A selector consisting of a single facility and priority, such as kern.info, causes the
corresponding action to be applied to every message from that facility with that
priority or higher (more urgent). Use .= to specify a single priority; for example,
kern.=info applies the action to kernel messages of info priority. An exclamation
point specifies that a priority is not matched. Thus kern.!info matches kernel messages
with a priority lower than info and kern.!=info matches kernel messages with
a priority other than info.
A line with multiple selectors, separated by semicolons, applies the action if any of
the selectors is matched. Each of the selectors on a line with multiple selectors
constrains the match, with subsequent selectors frequently tightening the constraints.
For example, the selectors mail.info;mail.!err match mail subsystem messages with
debug, info, notice, or warning priorities.
You can replace either part of the selector with an asterisk to match anything. The
keyword none in either part of the selector indicates no match is possible. The selector
*.crit;kern.none matches all critical or higher-priority messages, except those
from the kernel.
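An added example, not from the book: a small POSIX sh implementation of the selector rules just described, so that a rule's selector field can be checked against a facility and priority before a configuration change goes live. The function names are assumptions of this example, and it assumes a line's backslash continuations have already been joined into one string.

```shell
# Map a priority name to its rank (debug = 0 ... emerg = 7); fail on unknown names.
prio_num() {
    case $1 in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;  warning) echo 3 ;;
        err) echo 4 ;;    crit) echo 5 ;;  alert) echo 6 ;;   emerg) echo 7 ;;
        *) return 1 ;;
    esac
}

# sel_matches SELECTOR FACILITY PRIORITY
# Print yes or no for one selector such as "mail,news.none" or "kern.!=info".
# Returns 2 when the selector does not name FACILITY at all (so it has no say)
# and 1 when the selector is malformed. Rules, as in the text: a bare priority
# means that priority or higher, = exactly it, ! strictly lower, != any other,
# none never matches, and * in either part matches anything.
sel_matches() {
    facs=${1%.*}
    spec=${1##*.}
    [ "$facs" != "$1" ] || return 1                 # no "." in the selector
    case ",$facs," in
        *",$2,"*|",*,") ;;                           # facility listed, or "*"
        *) return 2 ;;
    esac
    m=$(prio_num "$3") || return 1
    case $spec in
        none)  echo no ;;
        '*')   echo yes ;;
        '!='*) p=$(prio_num "${spec#!=}") || return 1
               [ "$m" -ne "$p" ] && echo yes || echo no ;;
        '!'*)  p=$(prio_num "${spec#!}") || return 1
               [ "$m" -lt "$p" ] && echo yes || echo no ;;
        '='*)  p=$(prio_num "${spec#=}") || return 1
               [ "$m" -eq "$p" ] && echo yes || echo no ;;
        *)     p=$(prio_num "$spec") || return 1
               [ "$m" -ge "$p" ] && echo yes || echo no ;;
    esac
}

# rule_matches SELECTORS FACILITY PRIORITY
# SELECTORS is the selector field of one rule, e.g. "mail.info;mail.!err".
# Selectors are applied left to right and the last one that names the
# message's facility decides, which is how later selectors tighten earlier
# ones. Prints yes if the rule's action would apply to the message.
rule_matches() {
    result=no
    set -f                                           # keep "*" from globbing
    old_ifs=$IFS; IFS=';'
    set -- "$2" "$3" $1                              # split SELECTORS on ";"
    IFS=$old_ifs; set +f
    fac=$1; pri=$2; shift 2
    for sel; do
        sel=$(printf %s "$sel" | tr -d ' \t')        # whitespace after ";"
        [ -n "$sel" ] || continue
        if r=$(sel_matches "$sel" "$fac" "$pri"); then
            result=$r
        fi
    done
    echo "$result"
}
```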
Actions

The action specifies how rsyslogd processes a message that matches the selector. The simplest actions are ordinary files, which are specified by their absolute pathnames; rsyslogd appends messages to these files. Specify /dev/console to send messages to the system console. If you want a hardcopy record of messages, specify a device file that represents a dedicated printer. Precede a filename with a hyphen (-) to keep rsyslogd from writing each message to the file as it is generated (syncing). Doing so may improve performance, but you may lose data if the system crashes after the message is generated but before it gets written to a file.
You can write important messages to users' terminals by specifying one or more usernames separated by commas. Very important messages can be written to every logged-in terminal by using an asterisk.
To forward messages to rsyslogd on a remote system, specify the name of the system preceded by @. It is a good idea to forward critical messages from the kernel to another system because these messages often precede a system crash and may not be saved to the local disk. The following line from syslog.conf sends critical kernel messages to plum:
kern.crit     @plum

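The selector rules above (priority means that priority and higher, !priority removes that priority and higher, none removes a facility, * matches everything, later selectors on a line override earlier ones for the same facility) are easy to get wrong when editing a live configuration. The following is an added example, not code from the book or from rsyslog: it evaluates a constructed selector/action file built from the lines discussed in the text and reports which actions a given facility.priority message would trigger.

```python
"""Evaluate classic rsyslog/syslog selector lines (added example, not from the book)."""
from typing import Dict, List, Set, Tuple

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def _canon(priority: str) -> str:
    name = ALIASES.get(priority, priority)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {priority}")
    return name


def _at_or_above(priority: str) -> Set[str]:
    return set(PRIORITIES[PRIORITIES.index(_canon(priority)):])


def selector_mask(selector_field: str) -> Dict[str, Set[str]]:
    """Return {facility: set of priorities matched} for a field such as
    'mail.info;mail.!err'. Selectors apply left to right, so a later selector
    for the same facility tightens (or replaces) what an earlier one allowed."""
    mask: Dict[str, Set[str]] = {f: set() for f in FACILITIES}
    for sel in selector_field.split(";"):
        facs, prio = sel.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in mask:
                raise ValueError(f"unknown facility: {fac}")
            if prio == "none":            # no match possible for this facility
                mask[fac] = set()
            elif prio == "*":             # every priority
                mask[fac] = set(PRIORITIES)
            elif prio.startswith("!="):   # drop exactly this priority
                mask[fac].discard(_canon(prio[2:]))
            elif prio.startswith("!"):    # drop this priority and higher
                mask[fac] -= _at_or_above(prio[1:])
            elif prio.startswith("="):    # exactly this priority
                mask[fac] = {_canon(prio[1:])}
            else:                         # this priority and higher
                mask[fac] = _at_or_above(prio)
    return mask


def parse_rules(config_text: str) -> List[Tuple[Dict[str, Set[str]], str]]:
    """Parse selector/action lines; blank lines and # comments are skipped."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        rules.append((selector_mask(selector_field), action.strip()))
    return rules


def actions_for(rules, facility: str, priority: str) -> List[str]:
    """List the actions (in file order) a message of facility.priority triggers."""
    prio = _canon(priority)
    return [action for mask, action in rules if prio in mask[facility]]


# Constructed sample configuration built from the lines discussed in the text.
SAMPLE_CONFIG = """
# selector                      action
mail.info;mail.!err             /var/log/mail.info
*.crit;kern.none                /var/log/critical
kern.crit                       @plum
*.emerg                         *
"""

RULES = parse_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    for fac, pri in [("mail", "notice"), ("mail", "err"), ("daemon", "alert"),
                     ("kern", "crit"), ("kern", "emerg")]:
        print(f"{fac}.{pri:<8} -> {actions_for(RULES, fac, pri)}")
```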
CHAPTER 1 6

ADMINISTRATION TASKS

MYSQL
MySQL (My Structured Query Language) is the world's most popular open-source database. It is the M in LAMP (Linux, Apache, MySQL, PHP/Perl/Python), an open-source enterprise software stack. Many programming languages provide an interface to MySQL (e.g., C, PHP, Perl).
Michael Widenius and David Axmark started development of MySQL in 1994. Today the MySQL database is owned and supported by Oracle Corporation (which acquired the former owner, Sun Microsystems, in 2010).

tip: This section explains how to set up and work with MySQL; it does not explain SQL
SQL (Structured Query Language) is the language used to work with SQL databases, including MySQL. This chapter explains how to install and set up MySQL in a Fedora/RHEL environment. Although it includes some SQL statements in this explanation, it makes no attempt to explain SQL. See dev.mysql.com/doc for SQL documentation.

MORE INFORMATION
Home page: www.mysql.com
MySQL documentation: dev.mysql.com/doc
Introduction: dev.mysql.com/tech-resources/articles/mysql_intro.html
Backing up databases: www.webcheatsheet.com/SQL/mysql_backup_restore.php

TERMINOLOGY
This section briefly describes some basic terms used when working with a relational database. See also Figure 16-6 on page 632.
database  A structured set of persistent data comprising one or more tables.
table  A collection of rows in a relational database.
row  An ordered set of columns in a table. Also record.
column  A set of one type of values, one per row in a table. Also field.

SYNTAX AND CONVENTIONS
A MySQL program comprises one or more statements, each terminated with a semicolon (;). Although keywords in statements are not case sensitive, this book shows keywords in uppercase letters for clarity. Database and table names are case sensitive.
The following example shows a multiline MySQL statement that includes both the primary interpreter prompt (mysql>) and the secondary interpreter prompt (->). This statement displays the values of three columns from the table named people in rows that meet specified criteria.
mysql> SELECT person,password,executeperm
    -> FROM people
    -> WHERE password IS NULL AND executeperm=true;

PREREQUISITES
Install the following packages:
• mysql-client
• mysql-server
When you install the mysql-server package, the dpkg postinst script displays a pseudographical window that asks you to provide a password for the MySQL user named root. This user is not the system root user. Provide a password.
mysqld init script  Give the following initctl command (page 434) as needed to restart MySQL:
$ sudo restart mysql
mysql start/running, process 3433

NOTES
Unlike Oracle, when you create a user, MySQL does not automatically create a database. Under MySQL, users and databases are not as rigidly bound as they are under Oracle.
MySQL has a separate set of users from Linux users. As installed, the name of the MySQL administrator is root. Because the MySQL root user is not the same as the Linux root user, it can have a different password.

JUMPSTART: SETTING UP MYSQL
MySQL is installed with an anonymous user and the password you supplied for the MySQL user named root. For a more secure setup, remove the anonymous user. The mysql_secure_installation utility asks a series of questions that allows you to remove the anonymous user and perform other housekeeping tasks. In response to the prompt for the current password for root, enter the password you assigned to the MySQL user named root. MySQL generates an error when you ask it to remove the test database because Ubuntu does not install this database when you install MySQL.
$ /usr/bin/mysql_secure_installation
You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

Remove anonymous users? [Y/n] y

Disallow root login remotely? [Y/n] y

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...

Reload privilege tables now? [Y/n] y


OPTIONS
This section describes some of the options you can use on the mysql command line. The options preceded by a single hyphen and those preceded by a double hyphen are equivalent.
--disable-reconnect
Does not attempt to connect to the server again if the connection is dropped. See --reconnect.
--host=hostname   -h hostname
Specifies the address of the MySQL server as hostname. Without this option MySQL connects to the server on the local system (127.0.0.1).
--password[=passwd]   -p[passwd]
Specifies the MySQL password as passwd. For improved security, do not specify the password on the command line; MySQL will prompt for it. By default, MySQL does not use a password. In the short form of this option, do not put a SPACE between the -p and passwd.
--reconnect
Attempts to connect to the server again if the connection is dropped (default). Disable this behavior using --disable-reconnect.
--user=usr   -u usr
Specifies the MySQL user as usr. When you first install MySQL, there is one user, root, and that user does not have a password.
--verbose   -v
Increases the amount of information MySQL displays. Use this option multiple times to further increase verbosity.


THE .my.cnf CONFIGURATION FILE
You can use the ~/.my.cnf file to set MySQL options. The following example shows Max's .my.cnf file. The [mysql] line specifies the MySQL group. The next line sets Max's password to mpassword. With this setup, Max does not have to use -p on the command line; MySQL logs him in automatically.
$ cat /home/max/.my.cnf
[mysql]
password="mpassword"

WORKING WITH MYSQL
Adding a user  Before starting to work with the database, create a user so you do not have to work as the MySQL root user. If the MySQL username you add is the same as your Linux username, you will not have to specify a username on the MySQL command line. In the following example, Max works as the MySQL root (-u root) user to create a database named maxdb and add the MySQL user named max with a password of mpassword. In response to the Enter password prompt, Max supplies the password for the MySQL user named root. The GRANT statement gives Max the permissions he needs to work with the maxdb database. You must work as the MySQL root user to set up a MySQL user. The -p option causes MySQL to prompt for the password.

When using the MySQL interpreter, Query OK indicates that the preceding statement was syntactically correct. You must enclose all character and date data within single quotation marks.
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.1.40 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE maxdb;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES
    -> ON maxdb.* to 'max'
    -> IDENTIFIED BY 'mpasswd'
    -> WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT user, password
    -> FROM mysql.user;
+------------------+-------------------------------------------+
| user             | password                                  |
+------------------+-------------------------------------------+
| root             | *96D4C5B9348F896B0B593EA4DC1B653156799FDD |
| max              | *34432555DD6C778E7CB4A0EE4551425CE3AC0E16 |
| debian-sys-maint | *E41C8008AE5D3C42D15447ABC5330BE62505ADF1 |
+------------------+-------------------------------------------+
3 rows in set (0.00 sec)

mysql> quit
Bye
$
In the preceding example, after creating the database and setting up the new user, Max queries the user table of the mysql database to display the user and password columns. Two users now exist: root and max. Max gives the command quit to exit from the MySQL interpreter.
Working as the MySQL user max, Max can now set up a simple database to keep track of users. He does not need to use the -u option on the command line because his Linux username and his MySQL username are the same.
Specifying the default database  For subsequent commands, if you do not tell MySQL which database you are working with, you must prefix the names of tables with the name of the database. For example, you would need to specify the people table in the maxdb database as maxdb.people. When you specify the maxdb database with a USE statement, you can refer to the same table as people. In the following example, Max specifies maxdb as the database he is working with:
mysql> USE maxdb;
Database changed

Creating a table  Next Max creates a table named people in the maxdb database. This table has six columns of various types. After creating the table, Max uses a DESCRIBE statement to display a description of the table.
mysql> CREATE TABLE people ( person VARCHAR(20), password CHAR(41),
    -> created DATE, readperm BOOL, writeperm BOOL, executeperm BOOL);
Query OK, 0 rows affected (0.01 sec)

mysql> DESCRIBE people;
+-------------+-------------+------+-----+---------+-------+
| Field       | Type        | Null | Key | Default | Extra |
+-------------+-------------+------+-----+---------+-------+
| person      | varchar(20) | YES  |     | NULL    |       |
| password    | char(41)    | YES  |     | NULL    |       |
| created     | date        | YES  |     | NULL    |       |
| readperm    | tinyint(1)  | YES  |     | NULL    |       |
| writeperm   | tinyint(1)  | YES  |     | NULL    |       |
| executeperm | tinyint(1)  | YES  |     | NULL    |       |
+-------------+-------------+------+-----+---------+-------+
6 rows in set (0.00 sec)

MySQL changed the columns Max specified as BOOL (Boolean) to type tinyint(1), an 8-bit integer, because MySQL does not have native (bit) Boolean support. With tinyint(1), 0 evaluates as FALSE and 1-255 evaluate as TRUE. Figure 16-6 shows part of the people table after data has been entered in it.
Modifying a table  Max decides that the readperm, writeperm, and executeperm columns should default to 0. He uses an ALTER TABLE statement to modify the table so he does not have to delete it and start over. He then checks his work using a DESCRIBE statement.

Figure 16-6  Part of the people table in the maxdb database
Columns: person, password, created
Rows:
topsy    31fdca655659...   2009-12-08
bailey   NULL              2009-12-08
percy    NULL              2009-12-08

mysql> ALTER TABLE people
    -> MODIFY readperm BOOL DEFAULT 0,
    -> MODIFY writeperm BOOL DEFAULT 0,
    -> MODIFY executeperm BOOL DEFAULT 0;
Query OK, 0 rows affected (0.01 sec)
Records: 0  Duplicates: 0  Warnings: 0

mysql> DESCRIBE people;
+-------------+-------------+------+-----+---------+-------+
| Field       | Type        | Null | Key | Default | Extra |
+-------------+-------------+------+-----+---------+-------+
| person      | varchar(20) | YES  |     | NULL    |       |
| password    | char(41)    | YES  |     | NULL    |       |
| created     | date        | YES  |     | NULL    |       |
| readperm    | tinyint(1)  | YES  |     | 0       |       |
| writeperm   | tinyint(1)  | YES  |     | 0       |       |
| executeperm | tinyint(1)  | YES  |     | 0       |       |
+-------------+-------------+------+-----+---------+-------+
6 rows in set (0.00 sec)
Entering data  You can enter information into a database using several techniques. The following command adds three rows to maxdb from a Linux text file. In the file, each row is on a separate line, a TAB separates each column from the next, and \N specifies a null character. The file is not terminated with a NEWLINE.
$ cat /home/max/people_to_add
max	\N	2008-02-17	1
zach	\N	2009-03-24	1
sam	\N	2009-01-28	1
mysql> LOAD DATA LOCAL INFILE '/home/max/people_to_add'
    -> INTO TABLE people;
Query OK, 3 rows affected (0.00 sec)
Records: 3  Deleted: 0  Skipped: 0  Warnings: 0


The next command adds a row using an INSERT statement:
mysql> INSERT INTO people
    -> VALUES ('topsy',NULL,CURDATE(),1,1,1);
Query OK, 1 row affected (0.01 sec)

Within an INSERT statement you can specify which columns you want to enter data into:
mysql> INSERT INTO people (person,created,readperm)
    -> VALUES ('bailey',CURDATE(),1), ('percy',CURDATE(),0);
Query OK, 2 rows affected (0.01 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> SELECT * FROM people;
+--------+----------+------------+
| person | password | created    |
+--------+----------+------------+
| max    | NULL     | 2008-02-17 |
| zach   | NULL     | 2009-03-24 |
| sam    | NULL     | 2009-01-28 |
| topsy  | NULL     | 2010-03-05 |
| bailey | NULL     | 2010-03-05 |
| percy  | NULL     | 2010-03-05 |
+--------+----------+------------+
6 rows in set (0.00 sec)
(The readperm, writeperm, and executeperm columns of this output are not legible in the source.)

The CURDATE() function returns today's date. Because the default values for readperm, writeperm, and executeperm are 0, you do not have to specify values for those fields.
Deleting rows using a WHERE clause  Next a DELETE FROM statement deletes rows that meet the specified criteria. Here the criteria are specified using equalities in a WHERE clause:
mysql> DELETE FROM people
    -> WHERE person='bailey' OR person='percy';
Query OK, 2 rows affected (0.02 sec)


Selecting rows using LIKE  You can also use a LIKE clause to specify criteria. The following SELECT statement displays all rows that contain the letter m. The % operators are wildcards; they match any characters.
mysql> SELECT * FROM people
    -> WHERE person LIKE '%m%';
+--------+----------+------------+----------+-----------+-------------+
| person | password | created    | readperm | writeperm | executeperm |
+--------+----------+------------+----------+-----------+-------------+
| max    | NULL     | 2008-02-17 |        1 |         1 |           1 |
| sam    | NULL     | 2009-01-28 |        1 |         0 |           0 |
+--------+----------+------------+----------+-----------+-------------+
2 rows in set (0.00 sec)


Modifying data  In the next example, the PASSWORD() function returns a hash (page 1151) from the text given as its argument. The UPDATE statement assigns this hash to the password column in rows in which the person column holds a value of sam. This example does not change the MySQL password information because that information is kept in the database named mysql; this statement works with the maxdb database.
mysql> UPDATE people
    -> SET password=PASSWORD("sampass")
    -> WHERE person='sam';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0


More queries  The next query searches for rows where the password is null (IS NULL) and (AND) executeperm is true (=true).
mysql> SELECT person,password,executeperm
    -> FROM people
    -> WHERE password IS NULL AND executeperm=true;
+--------+----------+-------------+
| person | password | executeperm |
+--------+----------+-------------+
| max    | NULL     |           1 |
| topsy  | NULL     |           1 |
+--------+----------+-------------+
2 rows in set (0.00 sec)


Because PASSWORD() is a one-way hash function (page 1163), you cannot retrieve the plaintext password from the password hash. However, you can check whether any users have their username as their password:
mysql> SELECT * FROM people
    -> WHERE password=PASSWORD(person);
+--------+--------------------------+------------+----------+-----------+-------------+
| person | password                 | created    | readperm | writeperm | executeperm |
+--------+--------------------------+------------+----------+-----------+-------------+
| topsy  | *8E5E773736B8F836F58A... | 2010-03-05 |        1 |         1 |           1 |
+--------+--------------------------+------------+----------+-----------+-------------+
1 row in set (0.00 sec)
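The same audit can be run outside the server against a dumped table. The following is an added example, not code from the book or from MySQL: it reproduces PASSWORD() as the mysql_native_password scheme used by MySQL 4.1 and later ('*' followed by the uppercase hex of SHA1(SHA1(plaintext)), 41 characters, which is why the people table declares password CHAR(41)), applies the username-as-password check to constructed rows, and, because the hash carries no salt, also flags people who share a hash and therefore share a password.

```python
"""Audit MySQL PASSWORD() hashes for weak choices (added example, not from the book)."""
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

Row = Tuple[str, Optional[str]]   # (person, stored password hash or None)


def mysql_password(plaintext: str) -> str:
    """Equivalent of MySQL's PASSWORD() under the mysql_native_password scheme:
    '*' + uppercase hex of SHA1(SHA1(plaintext)); always 41 characters."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()   # raw 20 bytes
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def users_with_username_as_password(rows: Sequence[Row]) -> List[str]:
    """Same test as the book's SELECT * FROM people WHERE password=PASSWORD(person)."""
    return [person for person, stored in rows
            if stored is not None and stored == mysql_password(person)]


def users_with_null_password(rows: Sequence[Row]) -> List[str]:
    """Same test as the book's ... WHERE password IS NULL."""
    return [person for person, stored in rows if stored is None]


def users_sharing_a_hash(rows: Sequence[Row]) -> Dict[str, List[str]]:
    """PASSWORD() has no salt, so identical passwords give identical hashes:
    any hash stored for more than one person means those people share a password."""
    groups: Dict[str, List[str]] = {}
    for person, stored in rows:
        if stored is not None:
            groups.setdefault(stored, []).append(person)
    return {h: people for h, people in groups.items() if len(people) > 1}


# Constructed rows mirroring the book's people table after sam's UPDATE; topsy
# deliberately uses the username as the password and bailey reuses sam's
# password so that each audit finds something.
SAMPLE_ROWS: List[Row] = [
    ("max", None),
    ("zach", None),
    ("sam", mysql_password("sampass")),
    ("topsy", mysql_password("topsy")),
    ("bailey", mysql_password("sampass")),
]

if __name__ == "__main__":
    print("username as password:", users_with_username_as_password(SAMPLE_ROWS))
    print("NULL password:       ", users_with_null_password(SAMPLE_ROWS))
    print("shared hashes:       ", users_sharing_a_hash(SAMPLE_ROWS))
```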

Use an UPDATE statement to give Topsy a NULL password:
mysql> UPDATE people
    -> SET password=NULL
    -> WHERE person="topsy";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> SELECT person,password
    -> FROM people
    -> WHERE password IS NULL;
+--------+----------+
| person | password |
+--------+----------+
| max    | NULL     |
| zach   | NULL     |
| topsy  | NULL     |
+--------+----------+
3 rows in set (0.00 sec)


CHAPTER SUMMARY
The users-admin utility adds new users and groups to the system and modifies existing users' accounts. You can also use the equivalent command-line tools (useradd, usermod, userdel, groupadd, and groupmod) to work with user accounts.
Backing up files on the system is a critical but often-overlooked part of system administration. Linux includes the tar, cpio, dump, and restore utilities to back up and restore files. You can also use more sophisticated packages such as amanda and various commercial products.
The system scheduling daemon, cron, periodically executes scheduled tasks. You can schedule tasks using crontab and at.
System reports present information on the health of the system. Two useful tools that generate these reports are vmstat, which details virtual memory, I/O, and CPU usage, and top, which reports on how the system is performing from moment to moment and can help you figure out what might be slowing it down.
Another aspect of system administration is solving problems. Linux includes several tools that can help track down system problems. One of the most important of these tools is syslogd, the system log daemon. Using /etc/syslogd.conf, you can control which error messages appear on the console, which are sent as email, and which go to one of several log files.
System administrators are frequently called upon to set up and administrate MySQL databases. MySQL is the M in LAMP (Linux, Apache, MySQL, PHP/Perl/Python), an open-source enterprise software stack. Many programming languages provide an interface to MySQL (e.g., C, PHP, Perl).

EXERCISES
1. How would you list all the processes running vi?
2. How would you use kill to cause a server process to reread its configuration files?
3. From the command line, how would you create a user named John Doe who has the username jd and who belongs to group 65535?
4. How would you notify users that you are going to reboot the system in ten
minutes?
5. Give a command that creates a level 0 dump of the /usr filesystem on the
first tape device on the system. Which command would you use to take
advantage of a drive that supports compression? Which command would
place a level 3 dump of the /var filesystem immediately after the level 0
dump on the tape?

ADVANCED EXERCISES
6. If the system is less responsive than normal, what is a good first step in figuring out where the problem is?
7. A process stores its PID number in a file named process.pid. Write a command line that terminates this process.
8. Working with root privileges, you are planning to delete some files but
want to make sure that the wildcard expression you use is correct. Suggest
two ways you could make sure you delete the correct files.
9. Create a crontab file that will regularly perform the following backups:
a. Perform a level 0 backup once per month.
b. Perform a level 2 dump one day per week.
c. Perform a level 5 dump every day on which neither a level 0 nor a level
2 dump is performed.
In the worst-case scenario, how many restore commands would you have
to give to recover a file that was dumped using this schedule?

17
CONFIGURING AND MONITORING A LAN
IN THIS CHAPTER
Setting Up the Hardware  638
Routers  638
NIC: Network Interface Card  639
Configuring the Systems  641
Setting Up Servers  646
Introduction to Cacti  647

Networks allow computers to communicate and share resources. A local area network (LAN) connects computers at one site, such as an office, home, or library, and can allow the connected computers to share an Internet connection, files, and a printer. Of course, one of the most important reasons to set up a LAN is to allow systems to communicate while users enjoy multiplayer games.
This chapter covers the two aspects of configuring a LAN: setting up the hardware and configuring the software. It is not necessarily organized in the order you will perform the tasks involved in setting up a particular LAN. Instead, read the chapter through, figure out how you will set up your LAN, and then read the parts of the chapter in the order appropriate to your setup. The final section discusses how to monitor devices on a network using Cacti.

CHAPTER 1 7

CONFIGURING AND MONITORING A LAN

SETTING UP THE HARDWARE
Each system, or node, on a LAN must have a network interface card (NIC). Each
system must connect to a central hub or switch. If the LAN is connected to another
network, such as the Internet, it must also have a router.

CONNECTING THE COMPUTERS
Computers are connected to a network using cables (wired; page 375) or radio
waves (wireless or Wi-Fi, page 376). The cables can connect to a variety of devices,
some of which are described in this section. See "LAN: Local Area Network" on
page 375 for an explanation of cables and definitions of hub, switch, and router.
In the simple network shown in Figure 17-1, four computers are connected to a single hub or switch. Assume computers 1 and 2 are communicating at the same time
as computers 3 and 4. With a hub (page 375), each conversation is limited to a
maximum of half the network bandwidth. With a switch (page 375), each conversation can theoretically use the full network bandwidth.
Hubs are usually less expensive than switches, although switches are getting
cheaper all the time and hubs are becoming less available. If you plan to use the network for sharing an Internet connection and light file sharing, a hub is likely to be
fast enough. If systems on the network will exchange files regularly, a switch may be
a better choice.
Wireless access point (WAP)  A wireless access point (WAP) connects a wireless network to a wired one. Typically a WAP acts as a transparent bridge, forwarding packets between the two networks as if they were one. If you connect multiple WAPs in different locations to the same wired network, wireless clients can roam transparently between the WAPs.
Wireless networks do not require a hub or switch, although a WAP can optionally
fill the role of a hub. In a wireless network, the bandwidth is shared among all nodes
within range of one another; the maximum speed is limited by the slowest node.

ROUTERS
A router (page 377) connects a LAN to another network, such as the Internet. A
router can perform several functions, the most common of which is allowing several
systems to share a single Internet connection and IP address (NAT, page 881). When
a router uses NAT, the packets from each system on the LAN appear to come from
a single IP address; the router passes return packets to the correct system. A router
can also act as a firewall.
You have several choices for routers:
• A simple hardware router is relatively cheap and does most of the things
required by a small network.

Figure 17-1  A simple network

• You can set up an Ubuntu system as a router. The Linux kernel can use gufw (page 876) or iptables (page 880) to implement a firewall to help protect a system.
• You can use a special-purpose distribution/operating system tailored for use as a router. For example, SmoothWall (www.smoothwall.org), pfSense (www.pfsense.com), and m0n0wall (m0n0.ch/wall) provide browser-based configurations in the style of a hardware router.

NIC: NETWORK INTERFACE CARD
Each system's NIC may be a separate Ethernet card (wired or wireless) or the NIC may be built into the motherboard.
Supported NICs  Linux supports most wired and many wireless Ethernet NICs.
Unsupported wireless NICs  If a wireless network card is not supported under Linux directly, you may be able to get it to work with NdisWrapper (sourceforge.net/projects/ndiswrapper; ndiswrapper-common, ndiswrapper-utils-1.9, and ndisgtk packages), which uses Win32 drivers. NdisWrapper is a kernel module that provides a subset of the Windows network driver API. See help.ubuntu.com/community/WifiDocs/Driver/Ndiswrapper for instructions on installing a Windows driver.
Wireless bridge  An alternative to a wireless NIC is a wireless bridge. A wireless bridge forwards packets between wired and wireless interfaces, eliminating the need for wireless drivers. This simple device has an Ethernet port that plugs into a NIC and an 802.11 (wireless) controller. While carrying a bridge around is usually not feasible for mobile users, a wireless bridge is an easy way to migrate a desktop computer to a wireless configuration.

Ad hoc and infrastructure modes  Wireless networks operate in either ad hoc or infrastructure mode. In ad hoc mode, individual nodes in the network communicate directly with one another. In infrastructure mode, nodes communicate via a WAP (page 638). Infrastructure mode is generally more reliable if the wireless LAN must communicate with a wired LAN. If you do not want to use a WAP, it may be possible to set up a WLAN card so it acts as a WAP. Consult the NIC/driver documentation for more information.

TOOLS
This section describes two of the tools you can use to examine system hardware.

lspci: LISTS PCI INFORMATION

The lspci utility lists PCI device information:
$ lspci
00:00.0 Host bridge: nVidia Corporation nForce2 AGP (different version?) (rev c1)
00:00.1 RAM memory: nVidia Corporation nForce2 Memory Controller 1 (rev c1)
00:00.2 RAM memory: nVidia Corporation nForce2 Memory Controller 4 (rev c1)
00:00.3 RAM memory: nVidia Corporation nForce2 Memory Controller 3 (rev c1)
00:00.4 RAM memory: nVidia Corporation nForce2 Memory Controller 2 (rev c1)
00:00.5 RAM memory: nVidia Corporation nForce2 Memory Controller 5 (rev c1)
00:01.0 ISA bridge: nVidia Corporation nForce2 ISA Bridge (rev a4)
00:01.1 SMBus: nVidia Corporation nForce2 SMBus (MCP) (rev a2)
00:02.0 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
With the -v option, lspci is more verbose. You can use the -vv or -vvv option to display even more information.

$ lspci -v
00:00.0 Host bridge: nVidia Corporation nForce2 AGP (different version?) (rev c1)
        Subsystem: ABIT Computer Corp. Unknown device 1c00
        Flags: bus master, 66MHz, fast devsel, latency 0
        Memory at e0000000 (32-bit, prefetchable) [size=64M]
        Capabilities: <access denied>

00:00.1 RAM memory: nVidia Corporation nForce2 Memory Controller 1 (rev c1)
        Subsystem: nVidia Corporation Unknown device 0c17
        Flags: 66MHz, fast devsel

00:00.2 RAM memory: nVidia Corporation nForce2 Memory Controller 4 (rev c1)
        Subsystem: nVidia Corporation Unknown device 0c17
        Flags: 66MHz, fast devsel


lshw: LISTS HARDWARE INFORMATION

The lshw utility lists information about the hardware configuration of the local system. Run this utility with root privileges to display a more detailed report. The -short option displays a brief report.
$ sudo lshw -short
H/W path             Device      Class       Description
                                 system      VMware Virtual Platform
/0                               bus         440BX Desktop Reference Platform
/0/0                             memory      87KiB BIOS
/0/4                             processor   AMD Athlon 64 X2 Dual Core Processor 5600+
/0/4/1c                          memory      16KiB L1 cache
/0/4/0                           memory      128KiB L1 cache
/0/4/1                           memory      1MiB L2 cache
/0/100/f                         display     SVGA II Adapter
/0/100/10            scsi2       storage     53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.0.0      /dev/sda    disk        214GB SCSI Disk
/0/100/10/0.0.0/1    /dev/sda1   volume      197GiB EXT4 volume
/0/100/10/0.0.0/2    /dev/sda2   volume      2934MiB Extended partition
/0/100/10/0.0.0/2/5  /dev/sda5   volume      2934MiB Linux swap / Solaris partition
/0/100/11                        bridge      PCI bridge

You can also use lshal to display hardware information, where the report is based on the HAL (hardware abstraction layer) device database. See www.freedesktop.org/wiki/Software/hal.

lsusb: LISTS USB DEVICES

The lsusb utility displays information about USB buses and USB devices. Use the -v (--verbose) option to display additional information.
$ lsusb
Bus 002 Device 005: ID 04f9:0033 Brother Industries, Ltd
Bus 002 Device 004: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
Bus 002 Device 003: ID 045e:00dd Microsoft Corp.
Bus 002 Device 002: ID 046d:c018 Logitech, Inc.


CONFIGURING THE SYSTEMS
Once the hardware is in place, you need to configure each system so it knows about
the NIC that connects it to the network. Normally Ubuntu detects and configures
new hardware automatically when you install Ubuntu or the first time you boot the
system after you install a NIC. You can use nm-connection-editor (page 643) to augment the information Ubuntu collects.
System information In addition to information about the NIC, each system needs the following data:
• The system's IP address
• The netmask (subnet mask) for the system's address (page 462)
• The IP address of the gateway (page 638)

• The IP addresses of the nameservers (DNS addresses; specify two or three)
• The system's hostname (set when you install Ubuntu Linux)
If a DHCP server (page 470) distributes network configuration information to systems on the LAN, you do not need to specify the preceding information on each system. Instead, you just specify that the system is using DHCP to obtain this information (which Ubuntu does by default). You must specify this information when you set up the DHCP server.
Private address space  When you set up a LAN, the IP addresses of the systems on the LAN are generally not made public on the Internet. Special IP addresses, which are part of the private address space defined by IANA (page 1153), are reserved for private use and are appropriate to use on a LAN (Table 17-1). Unless you have been assigned IP addresses for the systems on the LAN, choose addresses from the private address space.

Table 17-1  Private IP ranges (defined in RFC 1918)
Range of IP addresses   From IP address   To IP address
10.0.0.0/8              10.0.0.1          10.255.255.254
172.16.0.0/12           172.16.0.1        172.31.255.254
192.168.0.0/16          192.168.0.1       192.168.255.254
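The settings listed above (address, netmask, gateway, nameservers) only work when they agree with one another, and Table 17-1 decides whether an address is appropriate for a LAN. The following is an added example, not code from the book: it checks a static configuration against Table 17-1's ranges and the consistency rules implied by the text (the gateway must sit on the system's subnet and must not be the system itself; two or three nameservers). The check_static_config function and its messages are this example's own.

```python
"""Sanity-check static LAN settings against Table 17-1 (added example, not from the book)."""
import ipaddress
from typing import List

# Table 17-1: the private IP ranges defined in RFC 1918.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address: str) -> bool:
    """True if the address lies in one of Table 17-1's ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in PRIVATE_RANGES)


def check_static_config(ip: str, netmask: str, gateway: str,
                        nameservers: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent.
    netmask may be dotted (255.255.255.0) or a prefix length (24)."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")   # validates ip and mask
    net = iface.network
    if not is_rfc1918(ip):
        problems.append(f"{ip} is not in RFC 1918 private address space")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gateway} is not on subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway must be a different host from this system")
    if not 2 <= len(nameservers) <= 3:
        problems.append("specify two or three nameserver addresses")
    for ns in nameservers:
        ipaddress.ip_address(ns)   # raises ValueError on a malformed address
    return problems


if __name__ == "__main__":
    # Constructed settings: one consistent LAN host and one with two mistakes.
    print(check_static_config("192.168.1.10", "255.255.255.0", "192.168.1.1",
                              ["192.168.1.1", "10.0.0.53"]))
    print(check_static_config("203.0.113.5", "255.255.255.0", "203.0.113.200",
                              ["203.0.113.1"]))
```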

NETWORKMANAGER: CONFIGURES NETWORK
CONNECTIONS
By default, the NetworkManager daemon (projects.gnome.org/NetworkManager)
manages the network. When it detects a new wired or wireless connection, it starts
the appropriate interface. For a wireless connection, it prompts for and stores keys
and passphrases. It also detects new hardware—for example, when you plug a USB
wireless adapter into the system.

THE NETWORKMANAGER APPLET
The NetworkManager applet appears toward the right end of the Top panel. It
appears as two arrows when the system is using a wired connection and as a series
of radiating waves when the system is using a wireless connection (Figure 17-2).
Exactly what appears when you click the NetworkManager applet depends on the
system hardware and the items that you have previously set up. Right- and leftclicking the NetworkManager applet display different menus.

Figure 17-2 The NetworkManager applet on the Top panel (wired and wireless)

THE NETWORKMANAGER APPLET RIGHT-CLICK MENU
Right-click the NetworkManager applet to display a menu that allows you to turn
on/off networking and, if available, wireless (networking). See Figure 17-3. Click
either Enable Networking or Enable Wireless to place or remove a tick next to the
entry; a tick indicates the service is enabled. You can also select Connection Information to display a window showing information about the active connection or
you can select Edit Connections (next).
THE NETWORK CONNECTIONS WINDOW (nm-connection-editor)
Selecting Edit Connections from the NetworkManager applet right-click menu runs
the nm-connection-editor utility, which opens the Network Connections window
(Figure 17-4, next page). Alternatively, you can give the command nm-connection-editor from a terminal emulator or Run Application window (ALT-F2). From this window you can modify the configuration of wired and wireless NICs.
The Network Connections window has tabs that allow you to configure wired, wireless, and other types of network connections. After the system identifies and configures new network hardware, you can use this window to modify the configuration.
Figure 17-3 The NetworkManager applet right-click menu (Enable Networking, Enable Wireless, Enable Notifications, Connection Information, Edit Connections..., About)


Figure 17-4 The Network Connections window (tabs: Wired, Wireless, Mobile Broadband, VPN, DSL; buttons: Add, Edit, Delete)

To modify the configuration of a NIC, select the appropriate tab, highlight the
description of the connection you want to configure, and click Edit; nm-connection-editor displays the Editing window (Figure 17-5). The IPv4 Settings tab allows you
to select DHCP or manual configuration of the connection. When you are finished
working in the Editing window, click Apply.
Wireless settings It is usually easier to configure a wireless connection using the NetworkManager
applet (next section) than it is to use the Editing window. To use the Editing window
to configure wireless settings, click the Wireless tab, click Add (or highlight the connection and click Edit), and enter the appropriate information. When you are finished
entering information in the Editing window, click Apply.

Figure 17-5 The Editing window (wireless connection)

Figure 17-6 The NetworkManager applet left-click menu

THE NETWORKMANAGER APPLET LEFT-CLICK MENU
Left-clicking the NetworkManager applet displays a menu that lists the available
wireless networks. It also displays selections labeled More networks, Connect to
Hidden Wireless Network, and Create New Wireless Network (if the system has a
wireless connection), Wired Network, Disconnect, and VPN Connections. In
Figure 17-6, Auto Ethernet appears below Wired Network and Disconnect appears
below Wireless Networks, meaning that the system is using the Ethernet wired connection and is not using a wireless connection.
Click the name of the wired network (e.g., Auto Ethernet) or the name of a wireless
network (under the word Available) to connect to a network. The NetworkManager
applet shows activity while it connects to the new network. It then displays either the
wireless or wired icon, as appropriate (Figure 17-2, page 643). To disable a network,
click Disconnect below the name of the connection you want to disable.


SETTING UP SERVERS
Setting up local clients and servers can make a LAN both easier to use and more
useful. The following list briefly describes some of these tools and references the
pages that describe them in detail.
Firewall Although not a server, a firewall—which is typically installed on the router—is an
important part of a LAN. See gufw (page 876) and iptables (page 880) for more
information.
NIS NIS can provide a uniform login regardless of which system you log in on. The NIS
authentication server is covered on page 750 and the client on page 744. NIS is
often combined with home directories that are mounted using NFS.
NFS NFS allows you to share directory hierarchies. Sharing directories using NFS
requires that the server export the directory hierarchy (page 785) and that clients
mount the hierarchy (page 777).
Using NFS, you can store all home directories on one system and mount them from
other systems as needed. This configuration works well with NIS login authentication. With this setup, it can be convenient to create a world-writable directory—for
example, /home/shared—that users can use to exchange files. If you set the sticky
bit (page 1174) on this directory (chmod 1777 /home/shared), users can delete only
files they created. If you do not set the sticky bit, any user can delete any file.
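The sticky-bit rule described above, as an added example that is not from the book: a POSIX shell function that creates the shared exchange directory with mode 1777, plus a check that flags the unsafe case (world-writable without the sticky bit). The directory path is an argument; /home/shared is only the book's example name.

```shell
#!/bin/sh
# Added example, not from the book: set up a world-writable exchange
# directory such as /home/shared with the sticky bit (chmod 1777), and
# classify an existing directory so the unsafe case in the text (anyone can
# delete anyone's files) is easy to spot.

# setup_shared_dir DIR: create DIR with mode 1777 and print its octal mode.
# Returns 1 if the directory could not be created or the mode is wrong.
setup_shared_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 1777 "$dir" || return 1
    mode=$(stat -c %a "$dir") || return 1
    [ "$mode" = "1777" ] || return 1
    printf '%s\n' "$mode"
}

# check_shared_dir DIR: print one of
#   sticky   world-writable with the sticky bit (users delete only own files)
#   unsafe   world-writable without the sticky bit (any user deletes any file)
#   private  not world-writable (not an exchange directory)
#   missing  not a directory
# Returns 1 for "unsafe" and "missing" so the call can gate a script.
check_shared_dir() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 1; }
    mode=$(stat -c %a "$dir")
    # last octal digit holds the "other" bits; bit 2 is write permission
    others=${mode#"${mode%?}"}
    if [ $((others & 2)) -eq 0 ]; then
        echo private
        return 0
    fi
    if [ -k "$dir" ]; then      # -k: sticky bit set
        echo sticky
        return 0
    fi
    echo unsafe
    return 1
}
```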
OpenSSH OpenSSH tools include ssh (logs in on a remote system; page 670) and scp (copies
files to and from a remote system; page 672). You can also set up automatic logins
with OpenSSH: If you set up a shared home directory with NFS, each user's ~/.ssh
directory (page 666) is the same on each system; a user who sets up a personal
authentication key (page 677) will be able to use OpenSSH tools between systems
without entering a password. See page 677 for information on how to set up an
OpenSSH server. You can just use the ssh and scp clients—you do not have to set
them up.
DNS cache Setting up a local cache can reduce the traffic between the LAN and the Internet
and can improve response times. For more information refer to "JumpStart: Setting
Up a DNS Cache" on page 834.
DHCP DHCP enables a client system to retrieve network configuration information from a
server each time it connects to a network. See page 470 for more information.
LDAP LDAP is a database server that can hold names and addresses, authentication
information, and other types of data. See page 758 for more information.
Samba Samba allows Linux systems to participate in a Windows network, sharing directories and printers, and accessing those directories and printers shared by Windows
systems. Samba includes a special share for accessing users' home directories. For
more information refer to "The [homes] Share: Sharing Users' Home Directories"
on page 814.


You can also use Samba to set up a shared directory similar to the one described
under "NFS." To share a Linux directory with Windows computers, the value of
Workgroup in /etc/samba/smb.conf must be the same as the Windows workgroup
(frequently MSHOME or WORKGROUP by default). Place the following code in
smb.conf (page 808):
[public]
comment = Public file space
path = /home/shared
read only = no
public = yes
browseable = yes

Any Windows or Mac user can access this share, which can be used to exchange
files between users and between Linux, Mac, and Windows systems.

INTRODUCTION TO CACTI
Cacti (cacti.net) is a network monitoring tool that graphs system and network
information over time (time-series data) and provides a comprehensive Web interface for browsing and examining the ongoing performance of the devices on a
network.
For example, you can configure Cacti to monitor the network traffic passing
through the network ports on local servers and the switch and router ports on the
local network. Cacti graphs provide information on traffic levels on the various
parts of the network. When the network is slow, for example, you can refer to the
historical graphs and see if anything out of the ordinary has occurred. In addition to
network traffic levels, Cacti can collect data on CPU utilization, disk space usage,
page views on a Web server, and almost any other data points available on the local
network.
Cacti collects baseline (typical) data over time. You can use that information to gain
insight into the ongoing behavior of a system and network and help you resolve
problems. The information can even predict what may happen in the future (e.g.,
when a disk is likely to become full).
Once installed and configured, Cacti periodically polls devices on a network for
the data it needs and stores the data in RRD files for use with RRDtool (round-robin database tool; oss.oetiker.ch/rrdtool). The Cacti Web interface allows you to
browse a list of devices and graphs, and see visual representations of the devices
over time.
Cacti is part of the next generation of monitoring tools. It builds on the lessons
learned from tools such as MRTG (oss.oetiker.ch/mrtg; page 948) and Cricket
(sourceforge.net/projects/cricket). Each of these tools has the following capabilities:


• Periodically polls tracked devices for data. The tool most commonly used
to collect this data is SNMP (Simple Network Management Protocol;
www.net-snmp.org).
• Stores the data in an RRD file.
• Has a Web interface that allows you to examine graphs generated from the
stored data. These graphs typically display daily, weekly, monthly, and
yearly information.
Cacti's configuration is performed through its Web interface, whereas MRTG and
Cricket are configured by editing text files.
RRD files and RRDtool are the key to much of Cacti's functionality. The Cacti Web
site describes Cacti as "the complete RRDtool-based graphing solution." RRD files
store time-series data efficiently and, through the use of aggregation functions,
make it easy to keep a lot of detail for recent time periods but progressively less
detail as the data in the files ages. RRDtool easily generates both simple and complex graphs from RRD files.
Extending Cacti Many extensions and plugins are available for Cacti. Once you are familiar with
the basic use and operation of Cacti, visit cacti.net/additional_scripts.php for a partial list of these additions. Also visit the documentation and the user forums to
obtain more information about Cacti and to learn how you can add functionality
and support for different devices and data sources.

CONFIGURING SNMP
If you want to monitor data sources on the local system, install and run the SNMP
daemon on the local system as explained under "Setting Up a Remote Data Source"
on page 654.

SETTING UP LAMP
Cacti is a LAMP (Linux, Apache, MySQL, PHP) application; you must install and
configure these applications before you can configure Cacti. This section explains
how to set up the software on the system running Cacti. See "Setting Up a Remote
Data Source" on page 654 for an explanation of how to set up a system that Cacti
will query and report on. By default, Cacti sets up the local system to run Cacti and
be a data source.

NOTES
When you set up LAMP, you use the MySQL databases named mysql and cacti.
Ubuntu sets up the mysql database when you install MySQL. You set up and populate the cacti database as explained under "Configuring MySQL" on page 650.
You need to set up the following database users. Each of these accounts should have
a password:


• A user named root for the database named mysql. This user must be
named root. The MySQL installation script sets up this user and prompts
for a password.
• A user named cactiuser for the database named mysql. You can change
this username, but as installed, Cacti is set up to use cactiuser.
• A Cacti administrative user for the database named cacti. As set up when
you install Cacti, this user has the name admin and the password admin.
You can set up additional Cacti user accounts.
As of this writing, Ubuntu 10.04 has Cacti 0.8.7e-2 in its repositories. Do not be
misled by the pre-1.0 version number: Cacti is stable and in use on many systems.

PREREQUISITES
Install the following packages:
• cacti
• mysql-client (page 628)
• mysql-server (page 628)
• php5-cli
• apache2 (Apache; page 899)
• rrdtool
• snmp
When you install the cacti package, APT installs all packages necessary to run Cacti.
It also runs the MySQL installation script (page 629) and asks if you want to run
the Cacti installation script.
During installation, the MySQL installation script displays a pseudographical
window that includes the following prompt:
New password for the MySQL "root" user:

Respond to this prompt with the password for the mysql database user named root
and click OK. The script prompts you to reenter the password.
Next the PHP installation script displays a message (which you can ignore) about
the location of libphp-adodb.
The next pseudographical window asks which Web server you want Cacti to use.
Select Apache2. After installing some packages, the Cacti installation script asks if
you want to use dbconfig-common to configure the database for Cacti. Respond
with No. As of this writing the script did not work; the next sections explain how to
configure the Cacti database manually.


Firewall The snmpd daemon, which runs on systems monitored by Cacti, uses UDP port
161. If the monitored system is running a firewall, you need to open this port
(page 876). If you want to work with Cacti from a browser on a system other than
the one running Cacti, you need to open TCP port 80 on the system running Cacti
(refer to "Firewall" on page 901). For more general information, see Chapter 25,
which details the iptables utility.

CONFIGURING MYSQL
For a more secure installation, run mysql_secure_installation as explained under
"JumpStart: Setting Up MySQL" on page 629.

caution Two databases, two users: the cactiuser in the mysql database and the admin user in the cacti database
Do not confuse the databases and users.
The mysql database has a user named cactiuser. This user sets up and administrates the cacti
database using MySQL. You assign a password to this user when you set up the cacti database.
The cacti database has a user named admin. Cacti sets up this user when you populate the cacti
database using the cacti.sql script. It automatically assigns the password admin to this user, but
then requires you to change the password when you first log in on Cacti.

Create the cacti database Issue the following commands to create a database named cacti, create a mysql
database user named cactiuser, grant that user the necessary privileges, and assign a
password to that user. Replace cactipassword in the following example with your
choice of a password. Although the FLUSH PRIVILEGES statement is not required,
it is good practice to include it.
$ sudo mysql -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.41-3ubuntu12.1 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE cacti;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL ON cacti.*
    -> TO cactiuser@localhost
    -> IDENTIFIED BY 'cactipassword';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
Set up and populate the cacti database Give the following commands to set up and populate the database named cacti.
When MySQL prompts for a password, provide the password for the MySQL user
named root (not the MySQL user named cactiuser).


$ zcat /usr/share/doc/cacti/cacti.sql.gz > cacti.sql
$ sudo -s mysql -p cacti < cacti.sql
Enter password:
$ rm cacti.sql
Edit debian.php Working with root privileges, edit the /etc/cacti/debian.php file so that it looks like
the following example. Assign cactiuser to $database_username, assign the value of
cactipassword from the preceding step to $database_password (the password for
the mysql database user named cactiuser), and assign cacti to $database_default.
Do not change any other values.
$database_username='cactiuser';
$database_password='cactipassword';
$basepath='';
$database_default='cacti';
$database_hostname='';
$database_port='';
$dbtype='mysql';

CONFIGURING APACHE
After Apache is installed, modify the configuration files as explained on page 903; if
you do not make these modifications, Apache will display errors when it starts but
will work anyway. Use the apache2 init script to restart the httpd daemon
(page 902). Cacti supplies the content.
The /etc/cacti/apache.conf file controls the location and accessibility of Cacti on the
Apache server. You do not have to modify this file. By default, Cacti is available as
localhost/cacti or, from a remote system, as IP/cacti, where IP is the IP address of
the system running Cacti. The default cacti.conf file follows:
$ cat /etc/cacti/apache.conf
Alias /cacti /usr/share/cacti/site
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AddType application/x-httpd-php .php
        php_flag magic_quotes_gpc Off
        php_flag short_open_tag On
        php_flag register_globals Off
        php_flag register_argc_argv On
        php_flag track_vars On
        # this setting is necessary for some locales
        php_value mbstring.func_overload 0
        php_value include_path .
        DirectoryIndex index.php
</Directory>

See "Alias" (page 923) and "Allow" (page 930) for more information.


Figure 17-7 The Cacti Installation Guide screen (shows Database User: cactiuser, Database: cacti, Server Operating System Type: unix)

THE CACTI POLLER
The Cacti poller is run by the /etc/cron.d/cacti crontab file. The */5 entry in this
file causes crond to execute the script every five minutes. For more information
refer to "Crontab Files" on page 606.
$ cat /etc/cron.d/cacti
MAILTO=root
*/5 * * * * www-data php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log

CONFIGURING CACTI
Point a Web browser on the machine running Cacti at localhost/cacti; Apache redirects the browser to the Cacti installation page at localhost/cacti/install and displays
the Cacti Installation Page screen. Click Next.
Confirm the information on the Cacti Installation Guide screen (Figure 17-7) and
click Next.
The next screen displays several file pathnames and information about which versions of Net-SNMP and RRDTool are installed. Review this information and click
Finish.
Next Cacti displays the User Login screen. Log in with the username admin and the
password admin. Cacti then forces you to change the password for the cacti database user named admin. After you change the password, Cacti displays the main
Console screen (Figure 17-8). The name of the screen appears just below the Console
tab at the upper-left corner of the screen.

BASIC CACTI ADMINISTRATION
By default, Cacti collects data from localhost (the system it is installed on). Once a
few poller cycles have passed (approximately 15 minutes after you installed Cacti),
Cacti will display this information. You must install snmpd on the local system if
you want to monitor the local system (page 654).


Figure 17-8 The Cacti main Console screen

tip You must install snmpd on the local system to monitor the local system
You must install and configure snmpd on the local system, just as you would on a remote system, if you want to monitor the local system. For more information refer to "Setting Up a Remote Data Source" on page 654.

From the main Console screen, click View your new graphs or click the Graphs tab at the top of the screen. Cacti displays the default graphs in tree mode for localhost (Figure 17-9, next page). Cacti creates graphs for the following data sources: memory usage, load average, logged-in users, and number of processes. If you click one of the graphs, Cacti displays a page with four graphs for the data source you clicked: daily, weekly, monthly, and yearly. These graphs will mostly be blank until Cacti collects sufficient data to fill them.

To store the data it collects and to display graphs, Cacti uses RRDTool. Cacti graphs show more detail over short time spans, and less detail (averaged, or otherwise aggregated) over longer time spans. To zoom in on a graph, click the magnifying glass icon on the right side of a graph; Cacti displays a single graph and the mouse pointer changes to a cross hairs. Drag the cross hairs horizontally over the part of the graph that represents the time period you are interested in. In response, Cacti regenerates the graph for that time period.

Figure 17-10 Adding a new device

ADDING A DEVICE
In the Web browser connected to Cacti, click the Console tab and select Configuration⇒Settings, and then click the General tab and select Version 1 from the drop-down list labeled SNMP Version (not SNMP Utility Version).
By default, SNMP runs with community set to public; do not change this setting unless you have reason to do so. Click Save.

Next select Management⇒Devices and click the word Add (it is small) at the upper-right corner of the screen. Alternatively, you can select Create⇒New Graphs and then click Create New Host. Cacti displays a screen that allows you to specify a new device (Figure 17-10). If you have set the SNMP Version as just explained (i.e., Version 1), the SNMP settings will appear as shown in Figure 17-10.

Fill in the text box labeled Description with an appropriate description of the system to be monitored. Enter the IP address or fully qualified domain name in the text box labeled Hostname. Select an appropriate item from the drop-down list labeled Host Template. The example uses Generic SNMP-enabled Host. Alternatively, you can use Local Linux Machine. Make sure Downed Device Detection is set to SNMP and SNMP Version is set to Version 1. Click Create.

Figure 17-11 Information about the new system

Cacti uses SNMP to collect information from the device. If all goes well, it will report Save Successful and display the information about the new system near the top of the screen (Figure 17-11).

Creating a graph Click Create Graphs for this Host. Cacti displays a list of queries and data sources that it can graph (Figure 17-12, next page). Put a tick in the check box at the right end of each line that holds a data source you want to create a graph for. Click Create. Cacti displays a message at the top of the screen that tells you which graphs it created.

Adding a node to the graph tree Select Management⇒Graph Trees and click Add to add a node to the graph tree. Enter a name for the new node (e.g., Servers) and click Create.
Now click Add (on the right) to add a Tree Item, select Host from the drop-down list labeled Tree Item Type, select the host you just added (Cacti may add Host for you), and click Create.

Wait Take a break for 10 or 15 minutes to allow Cacti to poll the new device a few times.

Displaying the graph Click the Graphs tab. The name for the new node appears in the device tree on the left side of the screen. When you click the plus sign (+) that appears to the left of the node name, Cacti expands the tree and displays the node you just added. Click the node name to display the graphs for that device (Figure 17-13). You can now browse through the graphs that are being generated, choose time periods you are interested in, and learn more about the behavior of the devices and networks.

Figure 17-12 A list of queries and data sources for the new device

MORE INFORMATION
Web Router operating systems: www.smoothwall.org, www.pfsense.com, m0n0.ch/wall
NdisWrapper: help.ubuntu.com/community/WifiDocs/Driver/Ndiswrapper, sourceforge.net/projects/ndiswrapper
Cacti: cacti.net, cacti.net/additional_scripts.php
Cacti manual: cacti.net/downloads/docs/html
Cacti forums: forums.cacti.net
RRDTool: oss.oetiker.ch/rrdtool
SNMP: www.net-snmp.org
HOWTOs Linux Wireless Lan HOWTO: www.hpl.hp.com/personal/Jean_Tourrilhes/Linux
Wireless HOWTO
Linux Hardware Compatibility HOWTO
k Average; IS,» k li¿*imm: k • CottiCHjfif) Current: k Average: 11.3l k Hdsimjn: 530.02 k Figure 17-13 Cacti graphs for new devices CHAPTER S U M M A R Y A local area network (LAN) connects computers at one site and can allow the connected computers to share an Internet connection, files, and a printer. Each system, or node, on a LAN must have a network interface card (NIC). NICs can be connected to the network via cables (wired) or radio waves (wireless). An Ethernet-based LAN has a connection between each computer and a central hub or switch. Hubs are generally slower than switches, but either is usually satisfactory for a small LAN. A wireless access point (WAP) connects a wireless network to a wired one. If the LAN you are setting up is connected to another network, such as the Internet, the LAN requires a router. A router can perform several functions, the most common of which is allowing several systems to share a single Internet connection and IP address; this function is called NAT. Several tools are useful when you are setting up a LAN. In particular, the Network Connections window (nm-connection-editor) and the nm-applet enable you to configure NICs (wired or wireless). You can configure the systems on the LAN to use NIS as a login server so you do not have to set up accounts on each system. You can use NFS, which allows you to 660 CHAPTER 1 7 CONFIGURING AND MONITORING A LAN mount remote directory hierarchies, to set up a universal home directory. Samba is an important part of many LANs: It allows Linux systems to participate in a Windows network, sharing directories and printers, and accessing those directories and printers shared by Windows systems. Cacti is a network monitoring tool that graphs system and network information over time and provides a comprehensive Web interface for browsing and examining the ongoing performance of the devices on a network. EXERCISES 1. What advantage does a switch have over a hub? 2. 
Which server would you set up to allow users to log in with the same username and password on all computers on a LAN? 3. Name two servers that allow you to share directories between systems. 4. What is a WAP and what does it do? 5. What is a common function of a router? What is this function called? 6. What does a wireless bridge do? 7. Name two tools you can use to configure a wireless NIC (rather than having it be configured automatically). What is the difference between the two? 8. What is the private address space? When would you use a private address? ADVANCED EXERCISES 9. If you set a system's subnet mask to 255.255.255.0, how many computers can you put on the network without using a router? 10. Which file stores information about which DNS servers the system uses? PART V USING CLIENTS A N D SETTING U P SERVERS CHAPTER 1 8 O P E N S S H : SECURE NETWORK COMMUNICATION 663 CHAPTER 19 F T P : T R A N S F E R R I N G FILES A C R O S S A N E T W O R K 687 CHAPTER 20 exim4: S E T T I N G U P M A I L S E R V E R S , C L I E N T S , A N D M O R E CHAPTER 2 1 NISANDLDAP 713 741 CHAPTER 2 2 NFS: SHARING FILESYSTEMS 773 CHAPTER 23 S A M B A : L I N U X A N D W I N D O W S FILE A N D P R I N T E R SHARING 797 CHAPTER 24 D N S / B I N D : TRACKING D O M A I N NAMES AND ADDRESSES 821 CHAPTER 25 firestarter, gufw, A N D iptables: S E T T I N G U P A F I R E W A L L 863 CHAPTER 2 6 APACHE: SETTING U P A W E B SERVER 899 661 This page intentionally left blank 18 O P E N S S H : SECURE NETWORK COMMUNICATION IN THIS CHAPTER Introduction to OpenSSH 664 Running the ssh, scp, and sftp OpenSSH Clients 667 JJumpStart: Using ssh and scp to Connect to an OpenSSH Server 667 Setting Up an OpenSSH Server (sshd) OpenSSH is a suite of secure network connectivity tools that replaces telnet/telnetd, rep, rsh/rshd, rlogin/rlogind, and ftp/ftpd. Unlike the tools they replace, OpenSSH tools encrypt all traffic, including passwords. 
In this way they thwart malicious users who attempt to eavesdrop, hijack connections, and steal passwords. This chapter covers the following OpenSSH tools: • scp—Copies files to and from another system 676 JumpStart: Starting an OpenSSH Server 677 Troubleshooting 680 Tunneling/Port Forwarding 681 • sftp—Copies files to and from other systems (a secure replacement for ftp) • ssh—Runs a command on or logs in on another system • sshd—The OpenSSH daemon (runs on the server) • ssh-keygen—Creates, manages, and converts RSA or DSA host/user authentication keys 663 664 CHAPTER 1 8 O P E N S S H : SECURE NETWORK COMMUNICATION INTRODUCTION TO O P E N S S H Using public key encryption (page 1111), OpenSSH provides two levels of authentication: server and client/user. First the client verifies that it is connected to the correct server. Then OpenSSH encrypts communication between the systems. Once a secure, encrypted connection has been established, OpenSSH makes sure the user is authorized to log in on or copy files to and from the server. After verifying the system and user, OpenSSH allows different services to be passed through the connection. These services include interactive shell sessions (ssh), remote command execution (ssh), file copying (scp), FTP services (sftp), X I 1 client/server connections, and TCP/IP port tunneling. SSH1 versus SSH2 SSH protocol version 2 (SSH2) is a complete rewrite of SSH protocol version 1 (SSH1) that offers improved security, performance, and portability. The two protocols are not compatible. Because SSH1 is being rapidly supplanted by SSH2 and because SSH1 is vulnerable to a man-in-the-middle attack (footnote 3 on page 1114), this chapter does not discuss SSH1. Because version 2 is floating-point intensive, version 1 does have a place on systems without FPUs (floating-point units or accelerators), such as old 486SX systems. As installed, the OpenSSH tools supplied with Ubuntu Linux support SSH2 only. 
ssh

The ssh utility allows you to log in on a remote system over a network. You might choose to use a remote system to access a special-purpose application or to take advantage of a device that is available only on that system, or you might use a remote system because you know it is faster or less busy than the local system. While traveling, many businesspeople use ssh on a laptop to log in on a system at company headquarters. From a GUI you can use several systems simultaneously by logging in on each one from a different terminal emulator window.

X11 forwarding

Once you turn on trusted X11 forwarding, it is a simple matter to run an X11 program over an ssh connection: Run ssh from a terminal emulator running on an X11 server and give an X11 command such as xclock; the graphical output appears on the local display. For more information refer to "Forwarding X11" on page 681.

HOW OPENSSH WORKS

When OpenSSH starts, it first establishes an encrypted connection and then authenticates the user. Once these two tasks are completed, OpenSSH allows the two systems to send information back and forth.

keys

OpenSSH uses two kinds of keys to negotiate an encrypted session: a host key pair and a session key. The host key pair is a set of public/private keys that is established when you install the openssh-server package (page 676); it identifies the server and does not change unless an administrator regenerates it. The session key is a shared secret that the client and server negotiate afresh for every connection (and renegotiate periodically while a connection stays open); it protects the traffic of that session only.

The first time an OpenSSH client connects with an OpenSSH server, you are asked to verify that it is connected to the correct server (see "First-time authentication" on page 668). After verification, the client makes a copy of the server's public host key. On subsequent connections, the client compares the key provided by the server with the original key it stored. This check is only as good as the verification you performed the first time; the next step, however, is cryptographically sound.

The client and server then perform a Diffie-Hellman key exchange: each side contributes a random value, and the server signs the result with its private host key. The client checks that sign*ature against the public host key it has on file, which is what ties the encrypted session to the server you verified, and both sides derive the session key from the exchange. An eavesdropper who records the whole exchange cannot compute the shared secret, so the session key is known only to the client and the server and is used to encrypt the rest of the session.

FILES

OpenSSH clients and servers rely on many files. Global files are kept in /etc/ssh and user files in ~/.ssh. In this section, the first word in the description of each file indicates whether the client or the server uses the file.

caution: rhost authentication is a security risk

Although OpenSSH can get authentication information from /etc/hosts.equiv, /etc/shosts.equiv, ~/.rhosts, and ~/.shosts, this chapter does not cover the use of these files because they are security risks. The default settings in the /etc/ssh/sshd_config configuration file prevent their use.

/etc/ssh: GLOBAL FILES

Global files listed in this section appear in the /etc/ssh directory. They affect all users, but a user can override them with files in her ~/.ssh directory.

moduli (server): Contains the Diffie-Hellman group parameters that sshd uses for key exchange when establishing a secure connection. Do not modify this file.

ssh_config (client): The global OpenSSH client configuration file (page 674). Entries here can be overridden by entries in a user's ~/.ssh/config file.

sshd_config (server): The configuration file for sshd (page 679).

ssh_host_dsa_key, ssh_host_dsa_key.pub (server): SSH protocol version 2 DSA host keys. Both files should be owned by root. The ssh_host_dsa_key.pub public file should be readable by anyone but writable only by its owner (644 permissions). The ssh_host_dsa_key private file should not be readable or writable by anyone except its owner (600 permissions).

ssh_host_rsa_key, ssh_host_rsa_key.pub (server): SSH protocol version 2 RSA host keys. Both files should be owned by root.
The ssh_host_rsa_key.pub public file should be readable by anyone but writable only by its owner (644 permissions). The ssh_host_rsa_key private file should not be readable or writable by anyone except its owner (600 permissions).

ssh_known_hosts (client): Contains public RSA (by default) keys of hosts that users on the local system can connect to. This file contains information similar to that found in ~/.ssh/known_hosts, but is set up by the administrator and is available to all users. This file should be owned by root and should be readable by anyone but writable only by its owner (644 permissions).

sshrc (server): Contains initialization routines. When a user on a client connects to a server, if ~/.ssh/rc is not present, OpenSSH runs this script on the server after ~/.ssh/environment and before the user's shell starts.

~/.ssh: USER FILES

OpenSSH creates the ~/.ssh directory and the known_hosts file therein automatically when a user connects to a remote system.

authorized_keys (server): Enables a user to log in on or copy files to and from another system without supplying a user login password (page 677). However, the user may need to supply a passphrase, depending on how the key was set up. No one except the owner should be able to write to this file.

config (client): A user's private OpenSSH configuration file (page 674). Entries here override those in /etc/ssh/ssh_config.

environment (server): Contains assignment statements that define environment variables on a server when a user logs in using ssh.

id_dsa, id_dsa.pub (client): User authentication DSA keys generated by ssh-keygen (page 677). Both files should be owned by the user in whose home directory they appear. The id_dsa.pub public file should be readable by anyone but writable only by its owner (644 permissions). The id_dsa private file should not be readable or writable by anyone except its owner (600 permissions).
id_rsa, id_rsa.pub (client): User authentication RSA keys generated by ssh-keygen (page 677). Both files should be owned by the user in whose home directory they appear. The id_rsa.pub public file should be readable by anyone but writable only by its owner (644 permissions). The id_rsa private file should not be readable or writable by anyone except its owner (600 permissions).

known_hosts (client): Contains public RSA keys (by default) of hosts the user has connected to. OpenSSH automatically adds entries each time the user connects to a new server (page 668). Refer to "HostKeyAlgorithms" (page 675) for information on using DSA keys. If HashKnownHosts (page 675) is set to yes, the hostnames and addresses in this file are hashed so that someone who reads the file cannot learn which systems the user connects to.

rc (server): Contains initialization routines. When a user on a client connects to a server, OpenSSH runs this script on the server after environment and before the user's shell starts. If this file is not present, OpenSSH runs /etc/ssh/sshrc; if that file does not exist, OpenSSH runs xauth.

MORE INFORMATION

Local: man pages: ssh, scp, sftp, ssh-keygen, ssh_config, sshd, sshd_config

Web: OpenSSH home page: www.openssh.com
Search on ssh to find various HOWTOs and other documents: tldp.org

Books: Implementing SSH: Strategies for Optimizing the Secure Shell by Dwivedi; John Wiley & Sons (October 2003)
SSH, The Secure Shell: The Definitive Guide by Barrett, Silverman, & Byrnes; O'Reilly Media (May 2005)

RUNNING THE ssh, scp, AND sftp OPENSSH CLIENTS

This section covers setting up and using the ssh, scp, and sftp clients.

PREREQUISITES

The openssh-client package is installed by default. You do not need to install any packages to run an OpenSSH client. There is no init script for OpenSSH clients.
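The permission rules given above for the files in ~/.ssh (600 for private keys and config, 644 for public keys and known_hosts, no write access for anyone but the owner on authorized_keys, and no access for anyone but the owner to the directory itself) are worth checking mechanically: with its default StrictModes yes, sshd silently refuses a public key whose authorized_keys file or ~/.ssh directory is writable by others, and ssh refuses to use a private key that other users can read. The following Python is an added example, not code from the book or from OpenSSH, that audits a directory against those limits. So that it runs stand-alone it builds a constructed temporary directory containing two deliberately wrong modes; audit_ssh_dir() can be pointed at a real ~/.ssh instead.

```python
"""Audit the modes of the per-user OpenSSH files against the values given in the text.

Added example, not from the book or from OpenSSH. With the default StrictModes yes, sshd
refuses public-key login when ~/.ssh or authorized_keys is writable by anyone but the
owner, and ssh refuses to use a private key that other users can read, so this is a
check worth scripting. The directory inspected below is a constructed temporary one
with two deliberately wrong modes; point audit_ssh_dir() at a real ~/.ssh to use it.
"""
import os
import stat
import tempfile

# Most permissive mode each file may have (the 600/644 values from the text); any bit
# set beyond these is reported. "." is the ~/.ssh directory itself.
MAX_MODE = {
    ".": 0o700,
    "config": 0o600,
    "authorized_keys": 0o644,
    "known_hosts": 0o644,
    "id_rsa": 0o600,
    "id_dsa": 0o600,
    "id_rsa.pub": 0o644,
    "id_dsa.pub": 0o644,
}


def audit_ssh_dir(path, uid=None):
    """Return [(name, problem), ...]; an empty list means every file present passed."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for name, limit in MAX_MODE.items():
        full = path if name == "." else os.path.join(path, name)
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            continue                                   # optional file, nothing to check
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "is a symbolic link"))
            continue
        if st.st_uid != uid:
            findings.append((name, "owned by uid %d, expected %d" % (st.st_uid, uid)))
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~limit
        if extra:
            findings.append((name, "mode %04o exceeds %04o (extra bits %04o)" % (mode, limit, extra)))
    return findings


def make_sample_dir():
    """Constructed ~/.ssh: a world-readable private key, a group-writable authorized_keys
    (StrictModes rejects it) and a correctly protected known_hosts."""
    d = tempfile.mkdtemp()                             # created with mode 0700
    for name, mode in (("id_rsa", 0o644), ("authorized_keys", 0o664), ("known_hosts", 0o644)):
        with open(os.path.join(d, name), "w") as f:
            f.write("# constructed sample\n")
        os.chmod(os.path.join(d, name), mode)
    return d


def sample_findings():
    """Audit the constructed directory and return the problems found."""
    return audit_ssh_dir(make_sample_dir())


if __name__ == "__main__":
    for name, problem in sample_findings():
        print("%-16s %s" % (name, problem))
```

The audit uses lstat rather than stat so that a symbolic link planted in ~/.ssh is reported instead of being followed, and it checks ownership as well as mode, because a correctly moded file owned by someone else is just as much a problem for sshd's StrictModes check.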
JUMPSTART: USING ssh AND scp TO CONNECT TO AN OPENSSH SERVER

The ssh and scp clients do not require setup beyond installing the requisite package, although you can create and edit files that facilitate their use. To run a secure shell on or securely copy a file to and from a remote system, the following criteria must be met: The remote system must be running the OpenSSH daemon (sshd), you must have an account on the remote system, and the server must positively identify itself to the client.

ssh

The following example shows Zach using ssh to log in on the remote host named plum and giving an exit command to return to the shell on the local system:

$ ssh zach@plum
zach@plum's password:
Linux plum 2.6.27-1-generic #1 SMP Sat Aug 23 23:20:09 UTC 2008 i686
Last login: Mon Jan 18 21:58:22 2010 from 192.168.0.12
zach@plum:~$ exit
logout
Connection to plum closed.

You can omit user@ (zach@ in the preceding example) from the command line if you want to log in as yourself and you have the same username on both systems. The first time you connect to a remote OpenSSH server, ssh or scp asks you to confirm that you are connected to the right system. Refer to "First-time authentication" on page 668.

scp

The following example uses scp to copy tyl from the working directory on the local system to Zach's home directory on plum:

$ scp tyl zach@plum:
zach@plum's password:
tyl                                           100%  162     0.2KB/s   00:00

CONFIGURING OPENSSH CLIENTS

This section describes how to set up OpenSSH on the client side.

RECOMMENDED SETTINGS

X11 forwarding

The configuration files provided by Ubuntu establish a mostly secure system and may or may not meet your needs. One OpenSSH parameter you may want to change is ForwardX11Trusted, which Ubuntu sets to yes (the OpenSSH default is no). In trusted mode, X11 clients running on the remote system get full access to your local display: they are exempt from the X11 SECURITY extension controls, so a compromised remote system can read and inject input in your other windows. To increase security, at some cost in usability, set ForwardX11Trusted (page 675) to no in the Ubuntu /etc/ssh/ssh_config configuration file.
See page 681 for more information about X11 forwarding.

SERVER AUTHENTICATION/KNOWN HOSTS

known_hosts, ssh_known_hosts

Two files list the hosts the local system has connected to and positively identified: ~/.ssh/known_hosts (user) and /etc/ssh/ssh_known_hosts (global). No one except the owner (root in the case of the second file) should be able to write to either of these files. No one except the owner should have any access to a ~/.ssh directory.

First-time authentication

When you connect to an OpenSSH server for the first time, the OpenSSH client prompts you to confirm that you are connected to the right system. This check can help prevent a man-in-the-middle attack (footnote 3 on page 1114):

The authenticity of host 'plum (192.168.0.10)' can't be established.
RSA key fingerprint is d1:9d:1b:5b:97:5c:80:e9:4b:41:9a:b7:bc:1a:ea:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'plum,192.168.0.10' (RSA) to the list of known hosts.

Before you respond to the preceding query, make sure you are logging in on the correct system and not on an imposter. Compare the fingerprint displayed with one obtained out of band: the server's administrator can read it off by running ssh-keygen -lf on the server's public host key file (the next example shows the command). If you are not sure, a telephone call to someone who logs in on that system locally can help verify that you are on the intended system. Answering yes without checking reduces this step to a formality and leaves you open to exactly the attack it is meant to prevent. When you answer yes (you must spell it out), the client appends the server's public host key (the single line in the /etc/ssh/ssh_host_rsa_key.pub or /etc/ssh/ssh_host_dsa_key.pub file on the server) to the user's ~/.ssh/known_hosts file on the local system, creating the ~/.ssh directory if necessary. So that it can keep track of which line in known_hosts applies to which server, OpenSSH prepends the name of the server and the server's IP address to the line. When you subsequently use OpenSSH to connect to that server, the client verifies that it is connected to the correct server by comparing this key to the one supplied by the server.
You can display the local system's RSA host key fingerprint using ssh-keygen:

$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 d1:9d:1b:5b:97:5c:80:e9:4b:41:9a:b7:bc:1a:ea:a1 /etc/ssh/ssh_host_rsa_key.pub (RSA)

known_hosts file

The known_hosts file uses one or two very long lines to identify each host it keeps track of. Each line starts with the hostname and IP address of the system the line corresponds to, followed by the type of key and the server's public host key. When HashKnownHosts (page 675) is set to yes (the Ubuntu default), OpenSSH hashes the system name and address for security. Because it hashes the hostname and IP address separately, OpenSSH puts two lines in known_hosts for each host. The following lines (they are two logical lines, each of which wraps on to several physical lines) from known_hosts are used to connect to a remote system whose host key is an RSA (page 1170) key:

$ cat ~/.ssh/known_hosts
|1|PrVUqXFVnnVLrkymqlByCnmXaZc=|TVRAtwaqil5EJ9guFR5js3flAR8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7egm4YaOOj5/JtGUlt3jqC5RfcJ8/RAUixKzDAqJ5fE
|1|Pnu8B9UUqe7sGIWCiCIUT18qysc=|Ldm5/7LK6v84ds2129mzw29jqb8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7egm4YaOOj5/JtGUlt3jqC5RfcJ8/RAUixKzDAqJ5fE

You can use ssh-keygen with the -R option followed by the hostname to remove a hashed entry. The -F option to ssh-keygen displays a line in a known_hosts file that corresponds to a specified system, even if the entry is hashed:

$ ssh-keygen -F plum
# Host plum found: line 1 type RSA
|1|PrVUqXFVnnVLrkymqlByCnmXaZc=|TVRAtwaqil5EJ9guFR5js3flAR8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7egm4YaOOj5/JtGUlt3jqC5RfcJ8/RAUixKzDAqJ5fE

OpenSSH automatically stores keys from servers it has connected to in user-private files (~/.ssh/known_hosts). These files work only for the user whose directory they appear in.
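The two known_hosts operations described above, finding the line that belongs to a host even when HashKnownHosts has hashed the name (what ssh-keygen -F does) and turning the stored public key into the fingerprint ssh shows at first connection (what ssh-keygen -l does), are simple enough to reproduce in a few dozen lines, and doing so shows what the file actually contains. The following Python is an added example, not code from the book or from OpenSSH. A hashed host field has the form |1|base64(salt)|base64(hash), where the hash is HMAC-SHA1 of the hostname keyed with a random 20-byte salt; the client rehashes the name it is connecting to with the stored salt and compares. The key, host names and salt in the sample are constructed for the example, and the toy modulus is far too small to be a real key; the MD5 colon form is what the chapter's ssh prints, and the SHA256 form is what current releases print.

```python
"""Look up a host in an OpenSSH known_hosts file and compute its key fingerprint.

Added example, not code from the book or from OpenSSH. It reproduces two things the
text describes: finding the line for a host even when HashKnownHosts has hashed the
name (what ssh-keygen -F does) and turning the stored public key into the fingerprint
ssh shows at first connection (what ssh-keygen -l does). The key, hosts and salt below
are constructed for the example; the modulus is far too small to be a real key.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH 'mpint' of a positive integer: minimal bytes, plus a leading zero if the top bit is set."""
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def rsa_public_blob(e, n):
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form the chapter's ssh output shows."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """SHA256 fingerprint as newer ssh-keygen prints it: base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_hostname(salt, host):
    """The |1|salt|hash field HashKnownHosts writes: HMAC-SHA1 of the name keyed with a 20-byte salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, host):
    """Does the first column of a known_hosts line cover host?

    A plain entry is a comma-separated list of names and addresses. A hashed entry
    holds one name; the client rehashes the name it is connecting to with the stored
    salt and compares, which is why one host needs two hashed lines (name and address).
    """
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in field.split(",")


def find_host(known_hosts, host):
    """(line_number, key_type, key_blob) for the first line that covers host, else None."""
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):      # @cert-authority / @revoked marker shifts the columns
            parts = parts[1:]
        if len(parts) >= 3 and host_field_matches(parts[0], host):
            return lineno, parts[1], base64.b64decode(parts[2])
    return None


# Constructed sample: a toy ssh-rsa key plus a known_hosts file with one plain entry
# (peach) and one hashed entry (plum), the way HashKnownHosts yes would write it.
SAMPLE_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "peach,192.168.0.11 ssh-rsa " + SAMPLE_B64,
    hash_hostname(b"0123456789abcdef0123", "plum") + " ssh-rsa " + SAMPLE_B64,
])

if __name__ == "__main__":
    lineno, ktype, blob = find_host(SAMPLE_KNOWN_HOSTS, "plum")
    print("plum found on line %d, type %s" % (lineno, ktype))
    print("MD5    ", md5_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
```

Two details matter in practice. The hashed form means a stolen known_hosts file does not list the systems a user connects to, but it also means nothing in the file can be read off by eye; ssh-keygen -F (or find_host() above) is the only way to find an entry. And the fingerprint is computed over the raw key blob, so the same key always gives the same fingerprint regardless of the name or address it is stored under, which is what lets you compare the value ssh shows against one read out on the server.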
Working with root privileges and using a text editor, you can copy lines (hashed or not) from a user's private list of known hosts to the public list in /etc/ssh/ssh_known_hosts to make a server known globally on the local system. The following example shows how Sam, who has administrative privileges, puts the hashed entry from his known_hosts file into the global ssh_known_hosts file. First, working as himself, Sam sends the output of ssh-keygen through tail to strip off the Host plum found line and redirects the output to a file named tmp_known_hosts. Next, working with root privileges, Sam appends the contents of the file he just created to /etc/ssh/ssh_known_hosts. This command creates the file if it does not exist. Finally, Sam removes the temporary file he created and returns to working as himself.

sam@dog:~$ ssh-keygen -F plum | tail -1 > tmp_known_hosts
sam@dog:~$ sudo -i
root@dog:~# cat ~sam/tmp_known_hosts >> /etc/ssh/ssh_known_hosts
root@dog:~# exit
sam@dog:~$ rm ~sam/tmp_known_hosts

Because the output from cat is redirected, Sam creates a shell with root privileges (sudo -i) to execute the command. See page 424 for a discussion of redirecting the output of a command run under sudo.

If, after a remote system's public key is stored in one of the known-hosts files, the remote system supplies a different host key when the systems connect, OpenSSH displays the following message and does not complete the connection:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f1:6f:ea:87:bb:1b:df:cd:e3:45:24:60:d3:25:b1:0a.
Please contact your system administrator.
Add correct host key in /home/sam/.ssh/known_hosts to get rid of this message.
Offending key in /home/sam/.ssh/known_hosts:1
RSA host key for plum has changed and you have requested strict checking.
Host key verification failed.

If you see this message, you may be the subject of a man-in-the-middle attack. More likely, however, something on the remote system has changed (the operating system was reinstalled, or the host keys were regenerated), causing it to supply a new host key. Do not simply delete the old entry and reconnect: check with the remote system's administrator and confirm the new fingerprint out of band, exactly as you would for a first connection. If all is well, remove the offending key from the specified file (the Offending key line in the preceding message gives the file and the line number you need to remove) and try connecting again. You can use ssh-keygen with the -R option followed by the name of a host to remove a hashed entry. You will be subject to first-time authentication (page 668) again as OpenSSH verifies that you are connecting to the correct system. Follow the same steps as when you initially connected to the remote host.

ssh: CONNECTS TO OR EXECUTES COMMANDS ON A REMOTE SYSTEM

The format of an ssh command line is

ssh [options] [user@]host [command]

where host, the name of the OpenSSH server (the remote system) you want to connect to, is the only required argument. The host can be a local system name, the FQDN (page 1149) of a system on the Internet, or an IP address. Give the command ssh host to log in on the remote system host with the same username you are using on the local system. Include user@ when you want to log in with a username other than the one you are using on the local system. Depending on how the server is set up, you may need to supply your password.

Opening a remote shell

Without command, ssh logs you in on host. The remote system displays a shell prompt and you can run commands on host. Give the command exit to close the connection to host and return to the local system's prompt.
In the following example, Sam, who is logged in on dog, uses ssh to log in on plum, gives a who am i command that shows the IP address of the system he is logged in from, and uses exit to close the connection to plum and return to the local system's prompt:

sam@dog:~$ ssh plum
sam@plum's password:
Linux plum 2.6.27-1-generic #1 SMP Sat Aug 23 23:20:09 UTC 2008 i686
Last login: Mon Jan 18 22:00:13 2010 from 192.168.0.12
sam@plum:~$ who am i
sam      pts/0        2010-01-23 14:19 (192.168.0.12)
sam@plum:~$ exit
logout
Connection to plum closed.
sam@dog:~$

Running commands remotely

When you include command, ssh logs in on host, executes command, closes the connection to host, and returns control to the local system. The remote system never displays a shell prompt. The following example runs ls in the memos directory on the remote system plum. The example assumes that the user running the command (Sam) has a login on plum and that the memos directory is in Sam's home directory on plum:

sam@dog:~$ ssh plum ls memos
sam@plum's password:
memo.0921
memo.draft
sam@dog:~$

For the next example, assume the working directory on the local system (dog) holds a file named memos.new. You cannot remember whether this file contains certain changes or whether you made these changes to the file named memo.draft on plum. You could copy memo.draft to the local system and run diff (page 168) on the two files, but then you would have three similar copies of the file spread across two systems. If you are not careful about removing the old copies when you are done, you may just become confused again in a few days. Instead of copying the file, you can use ssh:

sam@dog:~$ ssh plum cat memos/memo.draft | diff memos.new -

When you run ssh, standard output of the command run on the remote system is passed to the local shell as though the command had been run in place on the local system.
As with all shell commands, you must quote special characters you do not want the local system to interpret. In the preceding example, the output of the cat command on plum is sent through a pipe on dog to diff (running on dog), which compares the local file memos.new to standard input (-). The following command line has the same effect but causes diff to run on the remote system:

sam@dog:~$ cat memos.new | ssh plum diff - memos/memo.draft

Standard output from diff on the remote system is sent to the local shell, which displays it on the screen (because it is not redirected).

OPTIONS

This section describes some of the options you can use with ssh.

-C (compression) Enables compression. (In the commercial version of ssh, -C disables compression and +C enables compression.)

-f (not foreground) Sends ssh to the background after asking for a password and before executing the command. Useful when you want to run the command in the background but must supply a password. Implies -n.

-L Forwards a port on the local system to a remote system. For more information refer to "Tunneling/Port Forwarding" on page 681.

-l user (login) Attempts to log in as user.

-n (null) Redirects standard input to ssh to come from /dev/null. Required when running ssh in the background (-f option).

-o option (option) Specifies option in the format used in configuration files (page 674).

-p port (port) Specifies the port on the remote host that the connection is made to. Using the Host declaration (page 675) in the configuration file, you can specify a different port for each system you connect to.

-R Forwards a port on the remote system to the local client. For more information refer to "Tunneling/Port Forwarding" on page 681.

-t (tty) Allocates a pseudo-tty (terminal) to the ssh process on the remote system. Without this option, when you run a command on a remote system, ssh does not allocate a tty (terminal) to the process.
Instead, it attaches standard input and standard output of the remote process to the ssh session, which is normally, but not always, what you want. This option forces ssh to allocate a tty on the remote system so programs that require a tty will work.

-v (verbose) Displays debugging messages about the connection and transfer. Useful if things are not going as expected. Repeating the option (-vv, -vvv) increases the detail.

-X (X11) Turns on nontrusted X11 forwarding. This option is not necessary if you turn on nontrusted X11 forwarding in the configuration file. For more information refer to "Forwarding X11" on page 681.

-x (X11) Turns off X11 forwarding.

-Y (X11 trusted) Turns on trusted X11 forwarding. This option is not necessary if you turn on trusted X11 forwarding in the configuration file. For more information refer to "Forwarding X11" on page 681.

scp: COPIES FILES TO AND FROM A REMOTE SYSTEM

The scp (secure copy) utility copies an ordinary or directory file from one system to another (including two remote systems) over a network. This utility uses ssh to transfer files and employs the same authentication mechanism as ssh; thus it provides the same security as ssh. The scp utility asks for a password when one is required. The format of an scp command is

scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]

where from-host is the name of the system you are copying files from and to-host is the system you are copying to. The from-host and to-host arguments can be local system names, FQDNs (page 1149) of systems on the Internet, or IP addresses. When you do not specify a host, scp assumes the local system. The user on either system defaults to the user on the local system who is giving the command; you can specify a different user with user@. The source-file is the file you are copying, and the destination-file is the resulting copy.
Make sure you have read permission for the file you are copying and write permission for the directory you are copying it into. You can specify plain or directory files as relative or absolute pathnames. (A relative pathname is relative to the specified or implicit user's home directory.) When the source-file is a directory, you must use the -r option to copy its contents. When the destination-file is a directory, each of the source files maintains its simple filename. When the destination-file is missing, scp assumes the user's home directory.

Suppose Sam has an alternate username, sis, on plum. In the following example, Sam uses scp to copy memo.txt from the home directory of his sis account on plum to the allmemos directory in the working directory on the local system. If allmemos was not the name of a directory, memo.txt would be copied to a file named allmemos in the working directory.

sam@dog:~$ scp sis@plum:memo.txt allmemos
sis@plum's password:
memo.txt                                      100% 4084KB   4.0MB/s   00:01

As the transfer progresses, the percentage and number of bytes transferred increase and the time remaining decreases.

In the next example, Sam, while working from peach, copies the same file as in the previous example to the directory named old in his home directory on speedy. For this example to work, Sam must be able to use ssh to log in on speedy from plum without using a password, because scp carries out a remote-to-remote copy by running scp on the source system. For more information refer to "Authorized Keys: Automatic Login" on page 677.

sam@peach:~$ scp sis@plum:memo.txt speedy:old
sis@plum's password:

OPTIONS

This section describes some of the options you can use with scp.

-C (compression) Enables compression.

-o option (option) Specifies option in the format used in configuration files (discussed shortly).

-P port (port) Connects to port port on the remote host. This option is given in uppercase for scp and in lowercase for ssh.
-p (preserve) Preserves the modification and access times as well as the modes of the original file.

-q (quiet) Does not display the progress information as scp copies a file.

-r (recursive) Recursively copies a directory hierarchy.

-v (verbose) Displays debugging messages about the connection and transfer. Useful if things are not going as expected.

sftp: A SECURE FTP CLIENT

As part of OpenSSH, Ubuntu Linux provides sftp, a secure alternative to ftp (page 687). Its interactive commands mirror those of ftp, but it does not speak the FTP protocol at all: it uses the SFTP subsystem of sshd, so the login and all file data travel over the encrypted OpenSSH connection. You can replace ftp with sftp when you are logging in on a server that is running the OpenSSH daemon, sshd. Once you are connected to a system with sftp, give the command ? to display a list of commands. For secure communication, use sftp or scp to perform all file transfers requiring authentication. Refer to the sftp man page for more information.

lftp

Ubuntu also offers lftp, which is more sophisticated than sftp and supports sftp. The lftp utility provides a shell-like command syntax that has many features, including support for tab completion and the ability to run jobs in the background. Use /etc/lftp.conf to configure lftp and see the lftp man page for more information.

~/.ssh/config AND /etc/ssh/ssh_config CONFIGURATION FILES

It is rarely necessary to modify OpenSSH client configuration files. For a given user there may be two configuration files: ~/.ssh/config (user) and /etc/ssh/ssh_config (global). These files are read in this order and, for a given parameter, the first one found is the one that is used. A user can override a global parameter setting by setting the same parameter in her user configuration file. Parameters given on the ssh or scp command line take precedence over parameters set in either of these files. A user's ~/.ssh/config file must be owned by the user (the owner of the ~/ directory) and must not be writable by anyone except the owner; if it is, the client will exit with an error message.
This file is typically set to mode 600 as there is no reason for anyone except its owner to be able to read it.

Lines in the configuration files contain declarations. Each of these declarations starts with a keyword that is not case sensitive, followed by whitespace, followed by case-sensitive arguments. You can use the Host keyword to cause declarations to apply to a specific system. A Host declaration applies to all the lines between it and the next Host declaration.

CheckHostIP yes | no
Identifies a remote system using the IP address in addition to a hostname from the known_hosts file when set to yes (default). Set it to no to use a hostname only. Setting CheckHostIP to yes improves security because the client notices when a known name suddenly resolves to a different address, as happens when DNS has been tampered with, rather than accepting any system that presents a known key under that name.

ForwardX11 yes | no
When set to yes, automatically forwards X11 connections over a secure channel in nontrusted mode, in which remote X11 clients are subject to the X11 SECURITY extension controls. If ForwardX11Trusted is also set to yes, the connections are made in trusted mode. Alternatively, you can use -X on the command line to redirect X11 connections in nontrusted mode. The default value for this parameter is no; set it to yes to enable X11 forwarding. For X11 forwarding to work, you must also set X11Forwarding to yes in the /etc/ssh/sshd_config file on the server (page 680). For more information refer to "Forwarding X11" on page 681.

ForwardX11Trusted yes | no
Works in conjunction with ForwardX11, which must be set to yes for this declaration to have any effect. When this declaration is set to yes (as it is on Ubuntu Linux systems) and ForwardX11 is set to yes, remote X11 clients get full access to the local X server's display: they are exempt from the X11 SECURITY extension controls, so a compromised remote system can read and inject input in your other windows. Alternatively, you can use -Y on the command line to redirect X11 connections in trusted mode. The default value for this declaration is no but Ubuntu Linux sets it to yes.
For X11 forwarding to work, X11Forwarding must also be set to yes in the /etc/ssh/sshd_config file on the server (page 680). For more information refer to "Forwarding X11" on page 681.

HashKnownHosts yes | no
Causes OpenSSH to hash hostnames and addresses in the ~/.ssh/known_hosts file when set to yes. The hostnames and addresses are written in cleartext when it is set to no. Ubuntu Linux sets this declaration to yes (the OpenSSH default is no) so that someone who obtains the file cannot read off the list of systems the user connects to. See page 668 for more information on the known_hosts file.

Host hostnames
Specifies that the following declarations, until the next Host declaration, apply only to hosts that hostnames matches. The hostnames can include ? and * wildcards. A single * specifies all hosts. Without this keyword, all declarations apply to all hosts.

HostbasedAuthentication yes | no
Tries rhosts authentication when set to yes. For a more secure system, set to no (default).

HostKeyAlgorithms algorithms
The algorithms is a comma-separated list of algorithms the client uses in order of preference. Choose algorithms from ssh-rsa or ssh-dss. The default is ssh-rsa,ssh-dss.

Port num
Causes OpenSSH to connect to the remote system on port num. The default is 22.

StrictHostKeyChecking yes | no | ask
Determines whether and how OpenSSH adds host keys to a user's known_hosts file. Set this option to ask to ask whether to add a host key when connecting to a new system, set it to no to add a host key automatically, and set it to yes to require that host keys be added manually. The yes and ask arguments cause OpenSSH to refuse to connect to a system whose host key has changed; with no, OpenSSH warns but still connects, disabling password authentication and forwarding for that session so that an imposter cannot collect a password. For a more secure system, set this option to yes or ask. The default is ask.

TCPKeepAlive yes | no
Periodically checks whether a connection is alive when set to yes (default).
Checking causes the ssh or scp connection to be dropped when the server crashes or the connection dies for another reason, even if it is only temporary. This option tests the connection at the transport (TCP) layer (page 380). Setting this parameter to no causes the client not to check whether the connection is alive. This declaration uses the TCP keepalive option, which is not encrypted and is susceptible to IP spoofing (page 1154). Refer to "ClientAliveInterval" on page 679 for a server-based nonspoofable alternative.

User name
Specifies a username to use when logging in on a system. You can specify a system with the Host declaration. This option means that you do not have to enter a username on the command line when you are using a username that differs from your username on the local system.

VisualHostKey yes | no
(Ubuntu 8.10 and later) Displays an ASCII art representation of the key of the remote system in addition to displaying the hexadecimal representation of the key when set to yes. See ssh-keygen on page 677 for an example. When set to no (default), this declaration displays the hexadecimal key only.

SETTING UP AN OPENSSH SERVER (sshd)

This section describes how to set up an OpenSSH server.

PREREQUISITES

Installation

Install the following package:

• openssh-server

When you install the openssh-server package, the dpkg postinst script creates the host key files in /etc/ssh (OpenSSH uses these files to identify the server; page 665) and starts the sshd daemon:

Unpacking openssh-server (from .../openssh-server_1%3a5.3p1-3ubuntu3_i386.deb) ...
Setting up openssh-server (1:5.3p1-3ubuntu3) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
 * Stopping OpenBSD Secure Shell server sshd                    [ OK ]
ssh start/running, process 1741

ssh init script
After you configure the OpenSSH server, give the following initctl restart command (page 434) to restart the sshd daemon:

$ sudo restart ssh
ssh start/running, process 1434

NOTE: Firewall
An OpenSSH server normally uses TCP port 22. If the OpenSSH server system is running a firewall, you need to open this port. To do so, use gufw (page 876) to set a policy that allows the SSH service.

JUMPSTART: STARTING AN OPENSSH SERVER

Installing the requisite package starts the OpenSSH server (sshd) daemon. Look in /var/log/auth.log to make sure everything is working properly.

RECOMMENDED SETTINGS

The configuration files provided by Ubuntu establish a mostly secure system and may or may not meet your needs. The Ubuntu /etc/ssh/sshd_config file turns on X11 forwarding (page 681). It is important to set PermitRootLogin (page 680) to no, which prevents a known-name, privileged account from being exposed to the outside world with only password protection. If the root account is locked, the setting of this declaration is not an issue.

AUTHORIZED KEYS: AUTOMATIC LOGIN

You can configure OpenSSH so you do not have to enter a password each time you connect to a server (remote system). To set up this feature, you need to generate a personal authentication key on the client (local system), place the public part of the key on the server, and keep the private part of the key on the client. When you connect to the server, it issues a challenge based on the public part of the key. The private part of the key must then respond properly to this challenge. If the client provides the appropriate response, the server logs you in.

The first step in setting up an automatic login is to generate your personal authentication keys.

First check whether these authentication keys already exist on the local system (client) by looking in ~/.ssh for either id_dsa and id_dsa.pub or id_rsa and id_rsa.pub. If one of these pairs of files is present, skip the next step (do not create a new key).

On the client, the ssh-keygen utility creates the public and private parts of an RSA key. The key's randomart image is a visual representation of the public key; it is designed to be easy to recall. Display of the randomart image by a client is controlled by the VisualHostKey declaration (page 676) in the ssh_config file.

ssh-keygen
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sam/.ssh/id_rsa): RETURN
Enter passphrase (empty for no passphrase): RETURN
Enter same passphrase again: RETURN
Your identification has been saved in /home/sam/.ssh/id_rsa.
Your public key has been saved in /home/sam/.ssh/id_rsa.pub.
The key fingerprint is:
f2:eb:c8:fe:ed:fd:32:98:e8:24:5a:76:1d:0e:fd:1d sam@peach
The key's randomart image is:
+--[ RSA 2048]----+
[randomart image]

Replace rsa with dsa to generate DSA keys. In this example, the user pressed RETURN in response to each query. You have the option of specifying a passphrase (10-30 characters is a good length) to encrypt the private part of the key. There is no way to recover a lost passphrase. See the following security tip for more information about the passphrase.

SECURITY TIP: When you encrypt your personal key
The private part of the key is kept in a file that only you can read. If a malicious user compromises your account, an account that can use sudo to gain root privileges, or the root account on the local system, that user then has access to your account on the remote system because she can read the private part of your personal key.
Encrypting the private part of your personal key protects the key and, therefore, restricts access to the remote system should someone compromise your local account. However, if you encrypt your personal key, you must supply the passphrase you used to encrypt the key each time you use the key, negating the benefit of not having to type a password when logging in on the remote system. Also, most passphrases that you can remember can be cracked quite quickly by a powerful computer. A better idea is to store the private keys on a removable medium, such as a USB flash drive, and use your ~/.ssh directory as the mount point for the filesystem stored on this drive. You may want to encrypt these keys with a passphrase in case you lose the flash drive.

The ssh-keygen utility generates two keys: a private key or identification in ~/.ssh/id_rsa and a public key in ~/.ssh/id_rsa.pub. No one except the owner should be able to write to either of these files, and only the owner should be able to read from the private key file.

authorized_keys
To enable you to log in on or copy files to and from another system without supplying a password, first create a ~/.ssh directory with permissions set to 700 on the server (remote system). Next copy ~/.ssh/id_rsa.pub from the client (local system) to a file named ~/.ssh/authorized_keys on the server (remote system). Set its permissions to 600 so that no one except the owner can read from or write to this file. Now when you run ssh or scp to access the server, you do not have to supply a password.

To make the server even more secure, you can disable password authentication by setting PasswordAuthentication to no in /etc/ssh/sshd_config (remove the # from the beginning of the PasswordAuthentication line and change the yes to no; page 680).

COMMAND-LINE OPTIONS

Command-line options override declarations in the configuration files. Following are descriptions of some of the more useful sshd options.

-d (debug)
Sets debug mode so that sshd sends debugging messages to the system log and the server stays in the foreground (implies -D). You can specify this option a maximum of three times to increase the verbosity of the output. See also -e. (The ssh client uses -v for debugging; see page 672.)

-e (error)
Sends output to standard error, not to the system log. Useful with -d.

-f file
Specifies file as the default configuration file instead of /etc/ssh/sshd_config.

-t (test)
Checks the configuration file syntax and the sanity of the key files.

-D (noDetach)
Keeps sshd in the foreground. Useful for debugging; implied by -d.

/etc/ssh/sshd_config CONFIGURATION FILE

The /etc/ssh/sshd_config configuration file contains one-line declarations. Each of these declarations starts with a keyword that is not case sensitive, followed by whitespace, followed by case-sensitive arguments. You must reload the sshd server before these changes will take effect.

AllowUsers userlist
The userlist is a SPACE-separated list of usernames that specifies which users are allowed to log in using sshd. This list can include * and ? wildcards. You can specify a user as user or user@host. If you use the second format, make sure you specify the host as returned by hostname. Without this declaration, any user who can log in locally can log in using an OpenSSH client.

ClientAliveCountMax n
The n specifies the number of client-alive messages that can be sent without receiving a response before sshd disconnects from the client. See ClientAliveInterval. The default is 3.

ClientAliveInterval n
Sends a message through the encrypted channel after n seconds of not receiving a message from the client. See ClientAliveCountMax. The default is 0, meaning that no messages are sent. This declaration passes messages over the encrypted channel (application layer; page 380) and is not susceptible to IP spoofing (page 1154).
It differs from TCPKeepAlive, which uses the TCP keepalive option (transport layer; page 380) and is susceptible to IP spoofing.

DenyUsers userlist
The userlist is a SPACE-separated list of usernames that specifies users who are not allowed to log in using sshd. This list can include * and ? wildcards. You can specify a user as user or user@host. If you use the second format, make sure you specify the host as returned by hostname.

HostbasedAuthentication yes | no
Tries rhosts and /etc/hosts.equiv authentication when set to yes. For a more secure system, set this declaration to no (default).

IgnoreRhosts yes | no
Ignores .rhosts and .shosts files for authentication. Does not affect the use of /etc/hosts.equiv and /etc/ssh/shosts.equiv files for authentication. For a more secure system, set this declaration to yes (default).

LoginGraceTime n
Waits n seconds for a user to log in on the server before disconnecting. A value of 0 means there is no time limit. The default is 120 seconds.

LogLevel val
Specifies how detailed the log messages are. Choose val from QUIET, FATAL, ERROR, INFO (default), and VERBOSE.

PasswordAuthentication
Permits a user to use a password for authentication. For a more secure system, set up automatic login (page 677) and set this declaration to no. The default is yes.

PermitEmptyPasswords
Permits a user to log in on an account that has an empty password. The default is no.

PermitRootLogin
Permits root to log in using an OpenSSH client. Given the number of brute-force attacks on a typical system connected to the Internet, it is important to set this declaration to no. (How you set this declaration is not an issue if the root account is locked.) The default is yes.

Port num
Specifies that the sshd server listen on port num. It may improve security to change num to a nonstandard port. The default is port 22.

StrictModes yes | no
Checks modes and ownership of the user's home directory and files. Login fails for users other than the owner if the directories and/or files can be written to by anyone other than the owner. For a more secure system, set this declaration to yes (default).

TCPKeepAlive yes | no
Periodically checks whether a connection is alive when set to yes (default). Checking causes the ssh or scp connection to be dropped when the client crashes or the connection dies for another reason, even if it is only temporary. This option tests the connection at the transport (TCP) layer (page 380). Setting this parameter to no causes the server not to check whether the connection is alive. This declaration uses the TCP keepalive option, which is not encrypted and is susceptible to IP spoofing (page 1154). Refer to ClientAliveInterval (page 679) for a nonspoofable alternative.

X11Forwarding yes | no
Allows X11 forwarding when set to yes. The default is no, but Ubuntu Linux sets X11Forwarding to yes. For trusted X11 forwarding to work, the ForwardX11 and the ForwardX11Trusted declarations must also be set to yes in either the ~/.ssh/config or /etc/ssh/ssh_config client configuration file (page 675). For more information refer to "Forwarding X11" on page 681.

TROUBLESHOOTING

Log files
There are several places to look for clues when you have a problem connecting with ssh or scp. First look for sshd entries in /var/log/auth.log on the server. Following are messages you may see when you are using an AllowUsers declaration but have not included the user who is trying to log in (page 679). The messages that are marked (pam_unix) originate with PAM (page 478).

$ sudo grep sshd /var/log/auth.log
plum sshd[6927]: Invalid user sam from 192.168.0.12
plum sshd[6927]: Failed none for invalid user sam from 192.168.0.12 port 37134 ssh2
plum sshd[6927]: (pam_unix) check pass; user unknown
plum sshd[6927]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.12
plum sshd[6927]: Failed password for invalid user sam from 192.168.0.12 port 37134 ssh2

Debug the client
If entries in these files do not help solve the problem, try connecting with the -v option (either ssh or scp—the results should be the same). OpenSSH displays a lot of debugging messages, one of which may help you figure out what the problem is. You can use a maximum of three -v options to increase the number of messages that OpenSSH displays.

$ ssh -v plum
OpenSSH_5.3p1 Debian-3ubuntu3, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to plum [192.168.0.10] port 22.
debug1: Connection established.
debug1: identity file /home/sam/.ssh/identity type -1
debug1: identity file /home/sam/.ssh/id_rsa type 1
debug1: Host 'plum' is known and matches the RSA host key.
debug1: Found key in /home/sam/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sam/.ssh/identity
debug1: Offering public key: /home/sam/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sam/.ssh/id_dsa
debug1: Next authentication method: password
sam@plum's password:

Debug the server
You can debug from the server side by running sshd with the -de options. The server will run in the foreground and its display may help you solve the problem.
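As an added example (not from the book), the following POSIX shell script ties together the sshd_config declarations described above and the auth.log messages just shown: it reads the effective value of the declarations the chapter recommends changing, applies the AllowUsers and DenyUsers rules (case-insensitive keywords, * and ? wildcards, user@host entries, DenyUsers consulted before AllowUsers) to a given login, and tallies the "Failed password" messages per source address. The sshd_config fragment and auth.log excerpt it reads are constructed samples written by the script itself; awk, sort and mktemp as found on Ubuntu are assumed.

```shell
#!/bin/sh
# Added example, not the book's code: troubleshooting helpers for the sshd
# material above. Inputs are constructed samples written by the functions below.

# Effective value of a single-valued sshd_config keyword: keywords are
# case-insensitive, commented lines do not count, and sshd uses the first match.
# Prints the default given as $3 when the keyword is absent.
sshd_setting() {   # file keyword default
    val=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Compare the declarations the chapter singles out against the values it
# recommends, using the defaults the chapter states. Returns 1 on any deviation.
audit_sshd_config() {   # file
    bad=0
    for spec in PermitRootLogin:no:yes PasswordAuthentication:no:yes \
                PermitEmptyPasswords:no:no StrictModes:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(sshd_setting "$1" "$key" "$def")
        [ "$have" = "$want" ] || { echo "$key is $have (want $want)"; bad=1; }
    done
    return $bad
}

# All SPACE-separated entries of a list keyword such as AllowUsers or DenyUsers.
list_entries() {   # file keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Does any entry match user@host? An entry without @ matches the user on any
# host; the shell's case patterns provide the * and ? wildcards.
matches_any() {   # user host "entry entry ..."
    u=$1 h=$2
    set -f; set -- $3; set +f       # split the list without expanding filenames
    for e in "$@"; do
        case $e in
            *@*) pu=${e%%@*}; ph=${e#*@} ;;
            *)   pu=$e;       ph='*' ;;
        esac
        case $u in $pu) case $h in $ph) return 0 ;; esac ;; esac
    done
    return 1
}

# Print allow or deny for one login. sshd consults DenyUsers before AllowUsers,
# and without an AllowUsers declaration every user who is not denied may log in.
sshd_user_verdict() {   # file user host
    deny=$(list_entries "$1" DenyUsers); allow=$(list_entries "$1" AllowUsers)
    if matches_any "$2" "$3" "$deny"; then echo deny; return 1; fi
    if [ -z "$allow" ] || matches_any "$2" "$3" "$allow"; then echo allow; return 0; fi
    echo deny; return 1
}

# One line per source address: "count address user[,user...]" for sshd
# "Failed password" messages, busiest source first. Other daemons are ignored.
failed_password_summary() {   # logfile
    awk '/ sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { a = $(i + 1); u = $(i - 1) }
            n[a]++
            if (!seen[a, u]++) users[a] = (users[a] == "" ? u : (users[a] "," u))
        }
        END { for (a in n) print n[a], a, users[a] }' "$1" | sort -rn
}

# Constructed sshd_config: root login permitted and PasswordAuthentication
# still commented out, as in the stock file the chapter describes.
write_sample_config() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not a real server configuration' 'Port 22' \
        'PermitRootLogin yes' '#PasswordAuthentication yes' 'StrictModes yes' \
        'AllowUsers sam *@plum admin?' 'DenyUsers guest* max@plum' > "$f"
    printf '%s\n' "$f"
}

# Constructed auth.log excerpt modeled on the messages shown in the chapter.
write_sample_authlog() {
    f=$(mktemp)
    printf '%s\n' \
      'Jan 25 04:51:02 plum sshd[6927]: Invalid user zach from 192.168.0.12' \
      'Jan 25 04:51:05 plum sshd[6927]: Failed password for invalid user zach from 192.168.0.12 port 37134 ssh2' \
      'Jan 25 04:52:10 plum sshd[6931]: Failed password for root from 192.168.0.77 port 40112 ssh2' \
      'Jan 25 04:52:13 plum sshd[6931]: Failed password for root from 192.168.0.77 port 40112 ssh2' \
      'Jan 25 04:52:17 plum sshd[6933]: Failed password for admin from 192.168.0.77 port 40120 ssh2' \
      'Jan 25 04:53:30 plum cron[6950]: pam_unix(cron:session): session opened for user root by (uid=0)' \
      > "$f"
    printf '%s\n' "$f"
}

cfg=$(write_sample_config); log=$(write_sample_authlog)
echo '== recommended settings =='; audit_sshd_config "$cfg" || :
echo '== failed passwords by source =='; failed_password_summary "$log"
echo '== AllowUsers/DenyUsers verdicts =='
for who in sam@dog zach@plum zach@dog max@plum; do
    printf '%s: ' "$who"; sshd_user_verdict "$cfg" "${who%@*}" "${who#*@}" || :
done
rm -f "$cfg" "$log"
```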

TUNNELING/PORT FORWARDING

The ssh utility can forward a port (port forwarding; page 1165) through the encrypted connection it establishes. Because the data sent across the forwarded port uses the encrypted ssh connection as its data link layer (page 380), the term tunneling (page 1178) is applied to this type of connection: "The connection is tunneled through ssh." You can secure protocols—including POP, X, IMAP, VNC, and WWW—by tunneling them through ssh.

Forwarding X11
The ssh utility makes it easy to tunnel the X11 protocol. For X11 tunneling to work, you must enable it on both the server and the client, and the client must be running the X Window System. On the ssh server, enable X11 forwarding by setting the X11Forwarding declaration (page 680) to yes (the default) in the /etc/ssh/sshd_config file.

Trusted clients
On a client, enable trusted X11 forwarding by setting the ForwardX11 (default is no; see page 675) and ForwardX11Trusted (default is no, but set to yes as installed; see page 675) declarations to yes in the /etc/ssh/ssh_config or ~/.ssh/ssh_config file. When you enable trusted X11 forwarding on a client, the client connects as a trusted client, which means that the client trusts the server and is given full access to the X11 display. With full access to the X11 display, in some situations a client may be able to modify other clients of the X11 display. Make a trusted connection only when you trust the remote system. (You do not want someone tampering with your client.) If this concept is confusing, see the tip "The roles of X client and server may be counterintuitive" on page 269.

Nontrusted clients
An ssh client can connect to an ssh server as a trusted client or as a nontrusted client.
A nontrusted client is given limited access to the X11 display and cannot modify other clients of the X11 display. Few clients work properly when they are run in nontrusted mode. If you are running an X11 client in nontrusted mode and encounter problems, try running in trusted mode (assuming you trust the remote system). Ubuntu Linux sets up ssh clients to run in nontrusted mode by default.

Running ssh
When you start an ssh client, you can use the -Y option (page 672) on the command line to start the client in trusted mode. Alternatively, you can set the ForwardX11 and ForwardX11Trusted declarations to yes in a user's ~/.ssh/config configuration file (page 675) or, working with root privileges, in the global /etc/ssh/ssh_config file (page 675) on the client to enable trusted X11 tunneling. To use nontrusted tunneling, you can use the -X option (page 672) or set the ForwardX11 declaration to yes and set the ForwardX11Trusted declaration to no in one of the configuration files (page 675) on the server.

With trusted X11 forwarding turned on, ssh tunnels the X11 protocol, setting the DISPLAY environment variable on the system it connects to and forwarding the required port. Typically you will be running from a GUI, which usually means that you are using ssh on a terminal emulator to connect to a remote system. When you give an X11 command from an ssh prompt, OpenSSH creates a new secure channel that carries the X11 data and the graphical output from the X11 program appears on the screen. Typically you will need to start the client in trusted mode.

sam@dog:~$ ssh plum
sam@plum's password:
sam@plum:~$ echo $DISPLAY
localhost:10.0

By default, ssh uses X Window System display numbers 10 and higher (port numbers 6010 and higher) for forwarded X sessions. Once you connect to a remote system using ssh, you can give a command to run an X application.
The application will then run on the remote system with its display appearing on the local system, such that it appears to run locally.

Port forwarding
You can forward arbitrary ports using the -L and -R options. The -L option forwards a local port to a remote system, so a program that tries to connect to the forwarded port on the local system transparently connects to the remote system. The -R option does the reverse: It forwards remote ports to the local system. The -N option, which prevents ssh from executing remote commands, is generally used with -L and -R. When you specify -N, ssh works only as a private network to forward ports. An ssh command line using the -L or -R option has the following format:

$ ssh -N -L | -R local-port:remote-host:remote-port target

where local-port is the number of the local port that is being forwarded to or from remote-host, remote-host is the name or IP address of the system that local-port gets forwarded to or from, remote-port is the number of the port on remote-host that is being forwarded from or to the local system, and target is the name or IP address of the system ssh connects to.

As an example, assume that there is a POP mail client on the local system and that the POP server is on a remote network, on a system named pophost. POP is not a secure protocol; passwords are sent in cleartext each time the client connects to the server. You can make it more secure by tunneling POP through ssh (POP-3 connects on port 110; port 1550 is an arbitrary port on the local system):

$ ssh -N -L 1550:pophost:110 pophost

After giving the preceding command, you can point the POP client at localhost:1550. The connection between the client and the server will then be encrypted. (When you set up an account on the POP client, specify the location of the server as localhost, port 1550; details vary with different mail clients.)

Firewalls
In the preceding example, remote-host and target were the same system.
However, the system specified for port forwarding (remote-host) does not have to be the same as the destination of the ssh connection (target). As an example, assume the POP server is behind a firewall and you cannot connect to it via ssh. If you can connect to the firewall via the Internet using ssh, you can encrypt the part of the connection over the Internet:

$ ssh -N -L 1550:pophost:110 firewall

Here remote-host (the system receiving the port forwarding) is pophost, and target (the system that ssh connects to) is firewall.

You can also use ssh when you are behind a firewall (that is running sshd) and want to forward a port into your system without modifying the firewall settings:

$ ssh -R 1678:localhost:80 firewall

The preceding command forwards connections from the outside to port 1678 on the firewall to the local Web server. Forwarding connections in this manner allows you to use a Web browser to connect to port 1678 on the firewall when you connect to the Web server on the local system. This setup would be useful if you ran a Webmail program (page 731) on the local system because it would allow you to check your mail from anywhere using an Internet connection.

Compression
Compression, which is enabled with the -C option, can speed up communication over a low-bandwidth connection. This option is commonly used with port forwarding. Compression can increase latency to an extent that may not be desirable for an X session forwarded over a high-bandwidth connection.

CHAPTER SUMMARY

OpenSSH is a suite of secure network connectivity tools that encrypts all traffic, including passwords, thereby helping to thwart malicious users who might otherwise eavesdrop, hijack connections, and steal passwords.

The components discussed in this chapter were sshd (the server daemon), ssh (runs a command on or logs in on another system), scp (copies files to and from another system), sftp (securely replaces ftp), and ssh-keygen (creates, manages, and converts authentication keys).

To ensure secure communications, when an OpenSSH client opens a connection, it verifies that it is connected to the correct server. Then OpenSSH encrypts communication between the systems. Finally OpenSSH makes sure that the user is authorized to log in on or copy files to and from the server. You can secure many protocols—including POP, X, IMAP, VNC, and WWW—by tunneling them through ssh.

OpenSSH also enables secure X11 forwarding. With this feature, you can run securely a graphical program on a remote system and have the display appear on the local system.

EXERCISES

1. What is the difference between the scp and sftp utilities?
2. How can you use ssh to find out who is logged in on a remote system?
3. How would you use scp to copy your ~/.bashrc file from the system named plum to the local system?
4. How would you use ssh to run xterm on plum and show the display on the local system?
5. What problem can enabling compression present when you are using ssh to run remote X applications on a local display?

ADVANCED EXERCISES

6. When you try to connect to another system using an OpenSSH client and you see a message warning you that the remote host identification has changed, what has happened? What should you do?
7. Which scp command would you use to copy your home directory from plum to the local system?
8. Which single command could you give to log in as root on the remote system named plum, if plum has the root account unlocked and remote root logins disabled?
9. How could you use ssh to compare the contents of the ~/memos directories on plum and the local system?

CHAPTER 19
FTP: TRANSFERRING FILES ACROSS A NETWORK

IN THIS CHAPTER
FTP Clients 689
JumpStart I: Downloading Files Using ftp 690
Anonymous FTP 694
Automatic Login 694
Binary Versus ASCII Transfer Mode 694
Setting Up an FTP Server (vsftpd) 699
JumpStart II: Starting a vsftpd FTP Server 700
Configuring a vsftpd Server 701

File Transfer Protocol is a method of downloading files from and uploading files to another system using TCP/IP over a network. File Transfer Protocol is the name of a client/server protocol (FTP) and a client utility (ftp) that invokes the protocol. In addition to the original ftp utility, there are many textual and graphical FTP client programs, including most browsers, that run under many different operating systems. There are also many FTP server programs.

INTRODUCTION TO FTP

This chapter starts with an introduction to FTP which discusses security, describes types of FTP connections, and presents a list of FTP clients. The first JumpStart section covers basic ftp commands and includes a tutorial on using the ftp client. Next is a section that presents more details of ftp. The final section describes how to set up a vsftpd FTP server.

History
First implemented under 4.2BSD, FTP has played an essential role in the propagation of Linux; this protocol/program is frequently used to distribute free software. The term FTP site refers to an FTP server that is connected to a network, usually the Internet. FTP sites can be public, allowing anonymous users to log in and download software and documentation. In contrast, private FTP sites require you to log in with a username and password. Some sites allow you to upload programs.

ftp and vsftpd
Although most FTP clients are similar, the servers differ quite a bit.
This chapter describes the ftp client with references to sftp, a secure FTP client. It also covers the FTP server available under Ubuntu, which is named vsftpd (very secure FTP daemon).

ftp utility
The ftp utility is a user interface to FTP, the standard protocol used to transfer files between systems that communicate over a network.

SECURITY

FTP is not a secure protocol: All usernames and passwords exchanged in setting up an FTP connection are sent in cleartext, data exchanged over an FTP connection is not encrypted, and the connection is subject to hijacking. Given these facts, FTP is best used for downloading public files. In most cases, the OpenSSH clients, ssh (page 670), scp (page 672), and sftp (page 674), offer secure alternatives to FTP.

SECURITY TIP: Use FTP only to download public information
FTP is not secure. The sftp utility provides better security for all FTP functions other than allowing anonymous users to download information. Because sftp uses an encrypted connection, user passwords and data cannot be sniffed when you use this utility. You can replace all instances of ftp in this chapter with sftp because sftp uses the same commands as ftp. See page 674 for more information on sftp.

The vsftpd server does not make usernames, passwords, data, and connections more secure. However, it is secure in that a malicious user finds it more difficult to compromise directly the system running it, even if vsftpd is poorly implemented. One feature that makes vsftpd more secure than ftpd is the fact that it does not run with root privileges. See also "Security" on page 699.

FTP CONNECTIONS

FTP uses two connections: one for control (you establish this connection when you log in on an FTP server) and one for data transfer (FTP sets up this connection when you ask it to transfer a file). An FTP server listens for incoming connections on port 21 by default and handles user authentication and file exchange.

Passive versus active connections
A client can ask an FTP server to establish either a PASV (passive—give the command ftp -p or pftp) or a PORT (active—the default when you use ftp) connection for data transfer. Some servers are limited to one type of connection. The difference between a passive and an active FTP connection lies in whether the client or the server initiates the data connection. In passive mode, the client initiates the connection to the server (on port 20 by default); in active mode, the server initiates the connection (there is no default port; see "Connection Parameters" on page 708 for the parameters that determine which ports a server uses). Neither approach is inherently more secure than the other. Passive connections are more common because a client behind a NAT (page 881) can connect to a passive server and it is simpler to program a scalable passive server.

FTP CLIENTS

ftp
Ubuntu supplies several FTP clients, including ftp (an older version of the BSD ftp utility). This section discusses ftp because most other FTP clients, including sftp and lftp, provide a superset of ftp commands.

sftp
Part of the OpenSSH suite, sftp (openssh-client package) is a secure and functionally equivalent alternative to ftp. The sftp utility is not a true FTP client—it does not understand the FTP protocol. It maps ftp commands to OpenSSH commands. See page 674 for more information.

lftp
The lftp utility (lftp package) provides the same security as sftp but offers more features. See the lftp man page for more information.

gFTP
The gftp utility (gftp package) is a graphical client that works with FTP, SSH, and HTTP servers. This client has many useful features, including the ability to resume an interrupted file transfer. See www.gftp.org and freshmeat.net/projects/gftp for more information.

NcFTP
The ncftp utility (ncftp package) is a textual client that offers many more features than ftp, including filename completion and command-line editing.
For details see www.ncftp.com and freshmeat.net/projects/ncftp.

MORE INFORMATION

Local
Type help or ? at an ftp> prompt to display a list of commands. Follow the ? with a SPACE and an ftp command to display information about that command.
Files: /usr/share/doc/vsftpd/*
man pages: ftp, sftp, lftp, netrc, vsftpd.conf

Web
vsftpd home page: vsftpd.beasts.org

HOWTO
FTP mini-HOWTO

RUNNING THE ftp AND sftp FTP CLIENTS

This section describes how to use the ftp and sftp FTP clients. The commands covered here work with both utilities.

PREREQUISITES

The ftp and sftp utilities are installed on most Ubuntu systems. You can check for their presence by giving either of these utilities' names as commands:

$ ftp
ftp> quit

$ sftp
usage: sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]
            [-o ssh_option] [-P sftp_server_path] [-R num_requests]
            [-S program] [-s subsystem | sftp_server] host
       sftp [[user@]host[:file [file]]]
       sftp [[user@]host[:dir[/]]]
       sftp -b batchfile [user@]host

Install the ftp (contains ftp and pftp) or openssh-client (contains sftp) package if needed.

JUMPSTART I: DOWNLOADING FILES USING ftp

This JumpStart section is broken into two parts: a description of the basic commands and a tutorial session that shows a user working with ftp. Before you start, make sure ftp or sftp is installed on the local system as explained in the previous section.

BASIC COMMANDS

Give the command

$ ftp hostname

where hostname is the name of the FTP server you want to connect to. If you have an account on the server, log in with your username and password. If it is a public system, log in as the user anonymous (or ftp) and give your email address as your password. Use the ls and cd ftp commands on the server as you would use the corresponding utilities from a shell.
The command get file copies file from the server to the local system, put file copies file from the local system to the server, status displays information about the FTP connection, and help displays a list of commands. The preceding commands, except for status, are also available in sftp, lftp, and ncftp.

TUTORIAL SESSION

Following are two ftp sessions wherein Sam transfers files from and to a vsftpd server named dog. When Sam gives the command pftp dog, the local ftp client connects to the server in passive (PASV) mode, which asks for a username and password. Because he is logged in on his local system as sam, ftp suggests that Sam log in on dog as sam. To log in as sam, he could just press RETURN. Because his username on dog is sls, however, he types sls in response to the Name (dog:sam): prompt. After Sam responds to the Password: prompt with his normal system password, the vsftpd server greets him and informs him that it is Using binary mode to transfer files. With ftp in binary mode, Sam can transfer ASCII and binary files (page 694).

Connect and log in
sam@plum:~$ pftp dog
Connected to dog.bogus.com.
220 (vsFTPd 2.2.2)
Name (dog:sam): sls
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

After logging in, Sam uses the ftp ls command to see what is in his remote working directory, which is his home directory on dog. Then he cds to the memos directory and displays the files there.

ls and cd
ftp> ls
227 Entering Passive Mode (192,168,0,12,130,201)
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Jan 25 04:51 expenses
drwxr-xr-x    2 1001     1001         4096 Jan 25 04:53 memos
drwxr-xr-x    2 1001     1001         4096 Jan 25 04:51 tech
226 Directory send OK.
ftp> cd memos
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,0,12,48,84)
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001         3430 Jan 25 04:52 memo.0514
-rw-r--r--    1 1001     1001         6581 Jan 25 04:52 memo.0628
-rw-r--r--    1 1001     1001         2801 Jan 25 04:52 memo.0905
-rw-r--r--    1 1001     1001         7351 Jan 25 04:53 memo.0921
-rw-r--r--    1 1001     1001        14703 Jan 25 04:53 memo.1102
226 Directory send OK.
ftp>

Next Sam uses the ftp get command to copy memo.1102 from the server to the local system. His use of binary mode ensures that he will get a good copy of the file regardless of whether it is binary or ASCII. The server confirms that the file was copied successfully and reports on its size and the time required to copy it. Sam then copies the local file memo.1114 to the remote system. This file is copied into his remote working directory, memos.

get and put

ftp> get memo.1102
local: memo.1102 remote: memo.1102
227 Entering Passive Mode (192,168,0,12,53,74)
150 Opening BINARY mode data connection for memo.1102 (14703 bytes).
226 File send OK.
14703 bytes received in 0.00 secs (11692.5 kB/s)
ftp> put memo.1114
local: memo.1114 remote: memo.1114
227 Entering Passive Mode (192,168,0,12,182,124)
150 Ok to send data.
226 File receive OK.
11903 bytes sent in 0.00 secs (23294.6 kB/s)
ftp>

Now Sam decides he wants to copy all the files in the memos directory on dog to a new directory on his local system. He gives an ls command to make sure he will copy the right files, but ftp has timed out. Instead of exiting from ftp and giving another ftp command from the shell, he gives ftp an open dog command to reconnect to the server. After logging in, he uses the ftp cd command to change directories to memos on the server.

Timeout and open

ftp> ls
No control connection for command: Success
Passive mode refused.
ftp> open dog
Connected to dog.bogus.com.
220 (vsFTPd 2.2.2)
Name (dog:sam): sis
ftp> cd memos
250 Directory successfully changed.
ftp>

Local cd (lcd)

At this point, Sam realizes he has not created the new directory to hold the files he wants to download. Giving an ftp mkdir command would create a new directory on the server, but Sam wants a new directory on his local system. He uses an exclamation point (!) followed by a mkdir memos.hold command to invoke a shell and run mkdir on the local system, thereby creating a directory named memos.hold in his working directory on the local system. (You can display the name of the working directory on the local system with !pwd.) Next, because Sam wants to copy files from the server to the memos.hold directory on his local system, he has to change his working directory on the local system. Giving the command !cd memos.hold will not accomplish what Sam wants to do because the exclamation point spawns a new shell on the local system, and the cd command would be effective only in that new shell, not in the ftp process itself. For this situation, ftp provides the lcd (local cd) command, which changes the working directory of ftp and reports the new local working directory:

ftp> !mkdir memos.hold
ftp> lcd memos.hold
Local directory now /home/sam/memos.hold
ftp>

Sam uses the ftp mget (multiple get) command followed by the asterisk (*) wildcard to copy all files from the remote memos directory to the memos.hold directory on the local system. When ftp prompts him for the first file, Sam realizes that he forgot to turn off the prompts, so he responds with n and presses CONTROL-C to stop copying files in response to the second prompt. The ftp client then asks whether he wants to continue with his mget command. Next Sam gives the ftp prompt command, which toggles the prompt action (turns it off if it is on and turns it on if it is off).
Now when he gives a mget * command, ftp copies the files without prompting him. After getting the desired files, Sam gives a quit command to close the connection with the server, exit from ftp, and return to the local shell prompt.

mget and prompt

ftp> mget *
mget memo.0514? n
mget memo.0628? CONTROL-C
Continue with mget? n
ftp>
ftp> prompt
Interactive mode off.
ftp> mget *
local: memo.0514 remote: memo.0514
227 Entering Passive Mode (192,168,0,12,216,239)
150 Opening BINARY mode data connection for memo.0514 (3430 bytes).
226 File send OK.
3430 bytes received in 0.00 secs (9409.0 kB/s)
local: memo.0628 remote: memo.0628
227 Entering Passive Mode (192,168,0,12,134,149)
150 Opening BINARY mode data connection for memo.0628 (6581 bytes).
226 File send OK.
...
150 Opening BINARY mode data connection for memo.1114 (11903 bytes).
226 File send OK.
11903 bytes received in 0.00 secs (11296.4 kB/s)
ftp> quit
221 Goodbye.
sam@plum:~$

Notes

A Linux system running ftp can exchange files with any of the many operating systems that support FTP. Many sites offer archives of free information on an FTP server, although for many it is just an alternative to an easier-to-access Web site (see, for example, ftp://ftp.ibiblio.org/pub/Linux and http://www.ibiblio.org/pub/Linux). Most browsers can connect to and download files from FTP servers.

The ftp utility makes no assumptions about filesystem nomenclature or structure because you can use ftp to exchange files with non-UNIX/Linux systems (which may use different filenaming conventions).

This section explains how to use the ftp FTP client. Although it describes ftp, many other command-line FTP clients are based on ftp and use the same commands.

ANONYMOUS FTP

Many systems, most notably those from which you can download free software, allow you to log in as anonymous.
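The tutorial session above shows six 227 Entering Passive Mode replies, one per data connection. The following Python, added here as an example and not taken from the book or from the ftp client, decodes those replies into the address and port the client must connect to for the data channel and builds the PORT command an active-mode client would send instead. Both follow the RFC 959 encoding (six decimal bytes; port = p1 * 256 + p2). The reply strings are copied from the session above.

```python
# Added example: decode FTP "227 Entering Passive Mode" replies and build
# the inverse "PORT" command. Not from the book or any FTP client.
import re

# Six comma-separated decimal bytes in parentheses: a1,a2,a3,a4,p1,p2
_PASV_RE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply; raise ValueError otherwise."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in: %r" % reply)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # high byte, low byte
    return host, port


def build_port_command(host, port):
    """The PORT command an active-mode client sends so the server can
    connect back to host:port for the data channel (inverse of PASV)."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 0 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def data_ports(replies):
    """Distinct (host, port) pairs a list of 227 replies told the client to
    use; this is what a firewall between client and server has to allow."""
    return sorted({parse_pasv_reply(r) for r in replies})


# The 227 replies from the tutorial session above.
SESSION_REPLIES = [
    "227 Entering Passive Mode (192,168,0,12,130,201)",
    "227 Entering Passive Mode (192,168,0,12,48,84)",
    "227 Entering Passive Mode (192,168,0,12,53,74)",
    "227 Entering Passive Mode (192,168,0,12,182,124)",
    "227 Entering Passive Mode (192,168,0,12,216,239)",
    "227 Entering Passive Mode (192,168,0,12,134,149)",
]

if __name__ == "__main__":
    for host, port in data_ports(SESSION_REPLIES):
        print("%s:%d" % (host, port))
```

Running the block prints the six data ports the server handed out during the session; they range from 12372 to 55535, which is why a stateless firewall in front of a passive-mode server has to allow a whole port range (or track the control connection) rather than only port 21.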
Most systems that support anonymous logins accept the name ftp as an easier-to-spell and quicker-to-enter synonym for anonymous. An anonymous user is usually restricted to a portion of a filesystem set aside to hold files that are to be shared with remote users. When you log in as an anonymous user, the server prompts you to enter a password. Although any password may be accepted, by convention you are expected to supply your email address. Many systems that permit anonymous access store interesting files in the pub directory. Most browsers, such as Firefox, log in on an anonymous FTP site and transfer a file when you click on the filename.

AUTOMATIC LOGIN

You can store server-specific FTP username and password information so you do not have to enter it each time you visit an FTP site. Each line of ~/.netrc identifies a server. When you connect to an FTP server, ftp reads the ~/.netrc file to determine whether you have an automatic login set up for that server. The format of a line in ~/.netrc is

machine server login username password passwd

where server is the name of the server, username is your username, and passwd is your password on server. Replace machine server with default on the last line of the file to specify a username and password for systems not listed in ~/.netrc. The default line is useful for logging in on anonymous servers. A sample ~/.netrc file follows:

$ cat ~/.netrc
machine dog login sam password mypassword
default login anonymous password sam@example.com

To protect the account information in .netrc, make it readable only by the user whose home directory it appears in (chmod 600 ~/.netrc). The ftp client refuses to use a stored password for a named machine if the file is readable by group or others. Refer to the netrc man page for more information.

BINARY VERSUS ASCII TRANSFER MODE

The vsftpd FTP server can, but does not always, provide two modes to transfer files. Binary mode transfers always copy an exact, byte-for-byte image of a file and never change line endings. Transfer all binary files using binary mode.
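Returning to the Automatic Login section above: the following Python, an added example rather than the book's or ftp's own code, reads a .netrc-style file with the standard library's netrc module and refuses to use it unless it is owned by the current user and has no group or other permission bits, the same condition ftp applies before it will take a password from the file. The sample contents are the two-line file shown above, written to a temporary file so that no real ~/.netrc is read or modified.

```python
# Added example (not from the book or the ftp client): load FTP credentials
# from a .netrc-style file the way ftp does, refusing a file that other
# users can read. The file contents are the book's sample, written to a
# temporary directory; ~/.netrc itself is never touched.
import netrc
import os
import stat
import tempfile

SAMPLE_NETRC = (
    "machine dog login sam password mypassword\n"
    "default login anonymous password sam@example.com\n"
)


def write_sample_netrc(mode=0o600):
    """Write the constructed sample to a fresh temp dir; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "netrc")
    with open(path, "w") as fp:
        fp.write(SAMPLE_NETRC)
    os.chmod(path, mode)
    return path


def check_netrc_permissions(path):
    """Raise PermissionError unless path belongs to us and no group/other
    permission bit is set (i.e. mode 600 or stricter)."""
    st = os.stat(path)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError("%s is not owned by the current user" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is accessible by others (mode %o); chmod 600 it"
                              % (path, stat.S_IMODE(st.st_mode)))


def lookup_credentials(path, server):
    """Return (username, password) for server. A machine line wins; the
    default line is used for servers that have none; None if neither."""
    check_netrc_permissions(path)
    entry = netrc.netrc(path).authenticators(server)
    if entry is None:
        return None
    login, _account, password = entry   # netrc keeps an optional account field
    return login, password


if __name__ == "__main__":
    path = write_sample_netrc()
    print(lookup_credentials(path, "dog"))              # sam's account on dog
    print(lookup_credentials(path, "ftp.ibiblio.org"))  # falls back to default
```

The fallback to the default line is what lets one anonymous entry cover every public server; the permission check runs before any parsing so that a loose ~/.netrc fails closed rather than silently handing a password to the wrong reader.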
Unless you need to convert line endings, use binary mode to transfer ASCII files as well. ASCII files, such as text or program source code, when created under Linux with a text editor such as vi, use a single NEWLINE character (CONTROL-J, written as \n) to mark the end of each line. Other operating systems mark the ends of lines differently. Windows marks the end of each line with a RETURN (CONTROL-M, written as \r) followed by a NEWLINE (two characters). Classic Mac OS used a RETURN by itself. These descriptions do not apply to files created by word processors such as Word or OpenOffice because those programs generate binary files.

In ASCII mode the vsftpd server can map Linux line endings to Windows line endings as you download files and Windows line endings to Linux line endings as you upload files. To use ASCII mode on an FTP server that allows it, give an ascii command (page 697) after you log in and set cr to ON (the default; page 697). If the server does not allow you to change line endings as you transfer a file, you can use the todos (page 173) or fromdos (page 173) utility before or after you transfer a file in binary mode.

Security

When run in ASCII mode against a very large file, the ftp size command, which displays the size of a file, forces the server to read and convert the whole file to compute the size it would send. This consumes a lot of server resources and can be used to initiate a DoS attack (page 1146). To enhance security, by default vsftpd transfers every file in binary mode, even when it appears to be using ASCII mode. On the server side, you can enable real ASCII mode transfers by setting the ascii_upload_enable and ascii_download_enable parameters (page 706) to YES. With the server set to allow ASCII transfers, the client controls whether line endings are mapped by using the ascii, binary, and cr commands (page 697).

ftp SPECIFICS

This section covers the details of using ftp.
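Before the command reference, here is the line-ending mapping from "Binary versus ASCII transfer mode" made concrete. The Python below is an added example written for this edit, not code from the book or from vsftpd; it models an ASCII-type download as the protocol defines it: the server turns each bare NEWLINE into RETURN/NEWLINE on the wire, and a client with cr ON strips the RETURN again, while cr OFF stores the wire bytes unchanged. The sample text and the PNG-signature bytes are constructed for the example; the PNG signature is chosen because it deliberately contains both a RETURN/NEWLINE pair and a lone NEWLINE, so that ASCII-mode damage to it is visible.

```python
# Added example: model of an FTP ASCII-type download (server LF -> CRLF on
# the wire, client strips CR when cr is ON). Not vsftpd's or ftp's code.


def to_wire_ascii(data):
    """Server side of an ASCII-mode download: a bare \\n becomes \\r\\n.
    A \\r\\n already present is left alone, so nothing is doubled."""
    out = bytearray()
    prev = None
    for b in data:
        if b == 0x0A and prev != 0x0D:
            out.append(0x0D)
        out.append(b)
        prev = b
    return bytes(out)


def from_wire_ascii(data, cr=True):
    """Client side. With cr ON (ftp's default) every \\r\\n becomes \\n,
    yielding Linux line ends; with cr OFF the wire bytes are kept."""
    if not cr:
        return data
    return data.replace(b"\r\n", b"\n")


def ascii_download(server_file, cr=True):
    """Bytes the client ends up with after an ASCII-mode transfer."""
    return from_wire_ascii(to_wire_ascii(server_file), cr)


def transfer_is_lossless(server_file):
    """True when an ASCII-mode transfer returns the original bytes; this is
    what binary mode guarantees for every file and ASCII mode does not."""
    return ascii_download(server_file) == server_file


# Constructed sample files.
LINUX_TEXT = b"first line\nsecond line\n"
WINDOWS_TEXT = b"first line\r\nsecond line\r\n"
# First 16 bytes of a PNG image: the signature contains \r\n and a lone \n.
PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"

if __name__ == "__main__":
    print(to_wire_ascii(LINUX_TEXT))            # CRLF on the wire
    print(ascii_download(WINDOWS_TEXT))         # CRLF file arrives as LF
    print(transfer_is_lossless(LINUX_TEXT))     # True
    print(transfer_is_lossless(PNG_HEADER))     # False: one byte lost
```

The text samples survive the round trip, but the PNG header comes back one byte shorter with its signature altered, which is exactly the corruption the section warns about and the reason binary mode is the safe default for anything that is not known to be text.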
FORMAT

An ftp command line has the following format:

ftp [options] [ftp-server]

where options is one or more options from the list in the next section and ftp-server is the name or network address of the FTP server you want to exchange files with. If you do not specify an ftp-server, you will need to use the ftp open command to connect to a server once ftp is running.

COMMAND-LINE OPTIONS

-g (globbing) Turns off globbing. See glob (page 697).

-i (interactive) Turns off prompts during file transfers with mget (page 696) and mput (page 696). See also prompt (page 697).

-n (no automatic login) Disables automatic logins (page 694).

-v (verbose) Tells you more about how ftp is working. Responses from the remote computer are displayed, and ftp reports information on how quickly files are transferred. See also verbose (page 698).

ftp COMMANDS

The ftp utility is interactive: After you start ftp, it prompts you to enter commands to set parameters or transfer files. You can abbreviate commands as long as the abbreviations are unique. Enter a question mark (?) in response to the ftp> prompt to display a list of commands. Follow the question mark by a SPACE and a command to display a brief description of what the command does:

ftp> ? mget
mget            get multiple files

SHELL COMMAND

![command]
Without command, escapes to (spawns) a shell on the local system. Use CONTROL-D or exit to return to ftp when you are finished using the local shell. Follow the exclamation point with command to execute that command only; ftp displays an ftp> prompt when execution of the command finishes. Because the shell that ftp spawns with this command is a child process of ftp, no changes you make in this shell (such as changing directories) are preserved when you return to ftp.
Specifically, when you want to copy files to a local directory other than the directory you started ftp from, you need to use the ftp lcd command to change the local working directory: Issuing a cd command in the spawned shell will not make the change you want. See "Local cd (lcd)" on page 692 for an example.

TRANSFER FILES

In the following descriptions, remote-file and local-file can be pathnames.

append local-file [remote-file]
Appends local-file to the file with the same name on the remote system, or to remote-file if specified.

get remote-file [local-file]
Copies remote-file to the local system under the name local-file. Without local-file, ftp uses remote-file as the filename on the local system.

mget remote-file-list
(multiple get) Copies several files to the local system, with each file keeping its original filename. You can name the remote files literally or use wildcards (see glob). Use prompt (page 697) to turn off the prompts during transfers.

mput local-file-list
(multiple put) Copies several files to the server, with each file keeping its original filename. You can name the local files literally or use wildcards (see glob). Use prompt (page 697) to turn off the prompts during transfers.

newer remote-file [local-file]
If the modification time of remote-file is more recent than that of local-file, or if local-file does not exist, copies remote-file to the local system under the name local-file. Without local-file, ftp uses remote-file as the filename on the local system. This command is similar to get but will not overwrite a newer file with an older one.

put local-file [remote-file]
Copies local-file to the remote system under the name remote-file. Without remote-file, ftp uses local-file as the filename on the remote system.
reget remote-file [local-file]
If local-file exists and is smaller than remote-file, assumes that a previous get of local-file was interrupted and continues from where the previous get left off. Without local-file, ftp uses remote-file as the filename on the local system. This command can save time when a get of a large file fails partway through the transfer.

STATUS

ascii
Sets the file transfer type to ASCII. The cr command must be ON for ascii to map line endings (page 694).

binary
Sets the file transfer type to binary (page 694).

bye
Closes the connection to the server and terminates ftp. Same as quit.

case
Toggles and displays the case-mapping status. The default is OFF. When it is ON, get and mget map filenames that are all uppercase on the server to all lowercase on the local system.

close
Closes the connection to the server without exiting from ftp.

cr
(carriage RETURN) Toggles and displays the RETURN-stripping status. Effective only when the file transfer type is ascii. Set cr to ON (the default) to remove RETURN characters from the RETURN/LINEFEED line termination sequences used by Windows, yielding the standard Linux line termination of LINEFEED. Set cr to OFF to leave line endings unmapped (page 694).

debug [n]
Toggles/sets and displays the debugging status/level, where n is the debugging level. OFF or 0 (zero) is the default. When n > 0, this command displays each command ftp sends to the server.

glob
Toggles and displays the filename expansion (page 256) status for the mdelete (page 698), mget (page 696), and mput (page 696) commands.

hash
Toggles and displays the hashmark (#) display status. When it is ON, ftp displays one hashmark for each 1024-byte data block it transfers.

open [hostname]
Specifies hostname as the name of the server to connect to. Without hostname, prompts for the name of the server. This command is useful when a connection times out or otherwise fails.
passive
Toggles between active (PORT, the default) and passive (PASV) transfer modes and displays the transfer mode. For more information refer to "Passive versus active connections" on page 689.

prompt
Toggles and displays the prompt status. When it is ON (the default), mdelete (page 698), mget (page 696), and mput (page 696) ask for verification before transferring each file. Set prompt to OFF to turn off these prompts.

quit
Closes the connection to the server and terminates ftp. Same as bye.

umask [nnn]
Changes the umask (page 459) applied to files created on the server to nnn. Without nnn, displays the umask.

user [username] [password]
Prompts for or accepts the username and password that enable you to log in on the server. When you start ftp with the -n option, it does not log in automatically, so you use this command to log in. For more information refer to "Automatic Login" on page 694.

DIRECTORIES

cd remote-directory
Changes the working directory on the server to remote-directory.

cdup
Changes the working directory on the server to the parent of the working directory.

lcd [local-directory]
(local change directory) Changes the working directory on the local system to local-directory. Without an argument, this command changes the working directory on the local system to your home directory (just as the cd shell builtin does without an argument). See "Local cd (lcd)" on page 692 for an example.

FILES

chmod mode remote-file
Changes the access permissions of remote-file on the server to mode. See chmod on page 216 for more information on how to specify the mode.

delete remote-file
Removes remote-file from the server.

mdelete remote-file-list
(multiple delete) Deletes the files specified by remote-file-list from the server.

DISPLAY INFORMATION

dir [remote-directory] [file]
Displays a listing of remote-directory from the server.
When you do not specify remote-directory, displays the working directory. When you specify file, the listing is saved on the local system in a file named file.

help [command]
Displays information about command. Without command, displays a list of local ftp commands.

ls [remote-directory] [file]
Similar to dir but produces a more concise listing from some servers. When you specify file, the listing is saved on the local system in a file named file.

pwd
Displays the pathname of the working directory on the server. Use !pwd to display the pathname of the local working directory.

status
Displays ftp connection and status information.

verbose
Toggles and displays verbose mode, which displays responses from the server and reports how quickly files are transferred. The effect of this command is the same as specifying the -v option on the command line.

SETTING UP AN FTP SERVER (vsftpd)

This section explains how to set up an FTP server implemented by the vsftpd daemon as supplied by Ubuntu.

PREREQUISITES

Install the following package:

• vsftpd

vsftpd init script

When you install the vsftpd package, the dpkg postinst script starts the vsftpd daemon. After you configure vsftpd, give the following initctl command (page 434) to restart the vsftpd daemon:

$ sudo restart vsftpd
vsftpd start/running, process 1546

After changing the vsftpd configuration on an active server, use reload in place of restart to reload the vsftpd configuration files without disturbing clients that are connected to the server.

NOTES

The vsftpd server can run in normal mode (the xinetd daemon, which is not installed by default, calls vsftpd each time a client tries to make a connection) or it can run in stand-alone mode (vsftpd runs as a daemon and handles connections directly).

Stand-alone mode

Although by default vsftpd runs in normal mode, Ubuntu sets it up to run in stand-alone mode by setting the listen parameter (page 701) to YES in the vsftpd.conf file.
Under Ubuntu Linux, with vsftpd running in stand-alone mode, you start and stop the server using the vsftpd init script.

Normal mode

The xinetd superserver (page 464) must be installed and running, and you must install an xinetd control file, to run vsftpd in normal mode. A sample control file is located at /usr/share/doc/vsftpd/examples/INTERNET_SITE/vsftpd.xinetd. Copy the sample file to the /etc/xinetd.d directory, rename it vsftpd, edit the file to change the no_access and banner_fail parameters as appropriate, and restart xinetd. With the listen parameter in vsftpd.conf set to NO, xinetd starts vsftpd as needed.

Security

The safest policy is not to allow users to authenticate against FTP: Instead, use FTP for anonymous access only. When you install vsftpd, it allows anonymous access only; you must modify its configuration to allow users to log in by name on the vsftpd server. If you do allow local users to authenticate and upload files to the server, be sure to put local users in a chroot jail (page 703). Because FTP sends usernames and passwords in cleartext, anyone positioned on the network path can sniff (page 1173) them. Armed with a username and password, an attacker can impersonate a local user, upload a Trojan horse (page 1177), and compromise the system. The sftp client described earlier in this chapter runs over SSH and so does not expose credentials this way.

Firewall

An FTP server normally uses TCP port 21 for its control connection. If the FTP server system is running a firewall, you need to open this port. To do so, use gufw (page 876) to set a policy that allows FTP service. Data connections use additional ports; see "FTP Connections" on page 688.

JUMPSTART II: STARTING A vsftpd FTP SERVER

By default, under Ubuntu Linux vsftpd allows only anonymous users to log in on the server; it does not set up a guest account, nor does it allow local users to log in on the vsftpd server. When someone logs in as an anonymous user, that person works in the /srv/ftp directory. You do not have to configure anything.
TESTING THE SETUP

Make sure vsftpd is working by logging in from the system running the server. You can refer to the server as localhost or by using its hostname on the command line. Log in as anonymous (or as a local user, if you have enabled local logins) and provide the password:

$ ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.2.2)
Name (localhost:sam): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

If you are not able to connect to the server, first make sure the server is running:

$ ps -ef | grep vsftpd
root      5681     1  0 12:22 ?        00:00:00 /usr/sbin/vsftpd
sam       6629  6596  0 14:49 pts/2    00:00:00 grep vsftpd

If you want to allow users to log in as anonymous or ftp, you must set anonymous_enable to YES in /etc/vsftpd.conf (page 702) and restart the vsftpd daemon (page 699). Any password is acceptable with these login names. If an anonymous user cannot log in, check that permissions on /srv/ftp, or the home directory of ftp as specified in /etc/passwd, are set to 755 and that the directory is not owned by ftp. If the ftp user can write to /srv/ftp, vsftpd refuses anonymous connections.

$ ls -ld /srv/ftp
drwxr-xr-x 2 root ftp 4096 2010-04-01 14:56 /srv/ftp

Once you are able to log in from the local system, log in from another system, either one on the LAN or another system with access to the server. On the command line, use the hostname from within the LAN or the FQDN (page 1149) from outside the LAN. The dialog should appear the same as in the previous example. If you cannot log in from a system that is not on the LAN, use ping (page 393) to test the connection and make sure the firewall is set up to allow FTP access. See "FTP Connections" on page 688 for a discussion of active and passive modes and the ports that each mode uses.
CONFIGURING A vsftpd SERVER

The configuration file for vsftpd, /etc/vsftpd.conf, lists Boolean, numeric, and string name-value pairs of configuration parameters, called directives. Each name-value pair is joined by an equal sign with no SPACEs on either side. Ubuntu Linux provides a well-commented vsftpd.conf file that changes many of the compiled-in defaults. This section covers most of the options, noting their default values and their values as specified in the vsftpd.conf file supplied with Ubuntu Linux.

Set Boolean options to YES or NO and numeric options to a nonnegative integer. Octal numbers, which are useful for setting umask options, must have a leading 0 (zero). Numbers without a leading zero are treated as base 10 numbers. Following are examples from vsftpd.conf of setting each type of option:

anonymous_enable=YES
local_umask=022
xferlog_file=/var/log/vsftpd.log

Descriptions of the directives are broken into the following groups:

• Stand-alone mode (page 701)
• Logging in (page 702)
• Working directory and the chroot jail (page 703)
• Downloading and uploading files (page 704)
• Messages (page 707)
• Display (page 707)
• Logs (page 708)
• Connection parameters (page 708)

STAND-ALONE MODE

Refer to "Notes" on page 699 for a discussion of normal and stand-alone modes. This section describes the parameters that affect stand-alone mode.

listen
YES runs vsftpd in stand-alone mode; NO runs it in normal mode.
Default: NO
Ubuntu: YES

listen_address
In stand-alone mode, specifies the IP address of the local interface that vsftpd listens on for incoming connections. When this parameter is not set, vsftpd listens on all local interfaces.
Default: none

listen_port
In stand-alone mode, specifies the port that vsftpd listens on for incoming connections.
Default: 21

max_clients
In stand-alone mode, specifies the maximum number of clients. Zero (0) indicates unlimited clients.
Default: 0

max_per_ip
In stand-alone mode, specifies the maximum number of clients from the same IP address. Zero (0) indicates unlimited clients from the same IP address.
Default: 0

LOGGING IN

Three classes of users can log in on a vsftpd server: anonymous, local, and guest. The guest user is rarely used and is not covered in this chapter. Local users log in with their system username and password. Anonymous users log in with anonymous or ftp, using their email address as a password. You can control whether each of these classes of users can log in on the server and what they can do once they log in. You can also specify what a local user can do on a per-user basis; for more information refer to user_config_dir on page 710.

LOCAL USERS

userlist_enable
The /etc/vsftpd.user_list file (page 711), or another file specified by userlist_file, contains a list of zero or more users. YES consults this list and takes action based on userlist_deny, either granting or denying users in the list permission to log in on the server. To prevent the transmission of cleartext passwords for accounts that will be refused anyway, access is denied immediately after the user enters her username, before a password is requested. NO does not consult the list. For a more secure system, set this parameter to YES.
Default: NO

userlist_deny
YES prevents users listed in /etc/vsftpd.user_list (page 711) from logging in on the server. NO allows only users listed in /etc/vsftpd.user_list to log in on the server. Use userlist_file to change the name of the file that this parameter consults. This parameter is checked only when userlist_enable is set to YES.
Default: YES

userlist_file
The name of the file consulted when userlist_enable is set to YES.
Default: /etc/vsftpd.user_list

local_enable
YES permits local users (users listed in /etc/passwd) to log in on the server.
Default: NO

ANONYMOUS USERS

anonymous_enable
YES allows anonymous logins. NO disables anonymous logins.
Default: YES
Ubuntu: NO

no_anon_password
YES skips asking anonymous users for passwords.
Default: NO

deny_email_enable
YES checks whether the password (email address) that an anonymous user enters is listed in /etc/vsftpd.banned_emails or another file specified by banned_email_file. If it is, the user is not allowed to log in on the system. NO does not perform this check. Because the "email address" is whatever the client chooses to send, using gufw (page 876) or iptables (page 863) to block specific hosts is generally more productive than using this parameter.
Default: NO

banned_email_file
The name of the file consulted when deny_email_enable is set to YES.
Default: /etc/vsftpd.banned_emails

THE WORKING DIRECTORY AND THE chroot JAIL

When a user logs in on a vsftpd server, standard filesystem access permissions control which directories and files the user can access and how the user can access them. Three basic parameters control a user who is logged in on a vsftpd server:

• The user ID (UID)
• The initial working directory
• The root directory

By default, the vsftpd server runs a local user's session under that user's own UID and an anonymous user's session under the UID of ftp. A local user starts in her home directory and an anonymous user starts in /srv/ftp. By default, anonymous users are placed in a chroot jail for security; local users are not. For example, when an anonymous user logs in on a vsftpd server, his home directory is /srv/ftp. All that user sees, however, is that his home directory is /. The user sees the directory at /srv/ftp/upload as /upload. The user cannot see, or work with, for example, the /home, /usr/local, or /tmp directory because the user is in a chroot jail.
For more information refer to "Setting Up a chroot Jail" on page 466.

You can use the chroot_local_user option to put each local user in a chroot jail whose root is the user's home directory. You can use chroot_list_enable to put selected local users in chroot jails.

chroot_list_enable
Upon login, YES checks whether a local user is listed in /etc/vsftpd.chroot_list (page 711) or another file specified by chroot_list_file. When a user is in the list and chroot_local_user is set to NO, the user is put in a chroot jail in his home directory; only users listed in /etc/vsftpd.chroot_list are put in chroot jails. When a user is in the list and chroot_local_user is set to YES, that user is not put in a chroot jail; users not listed in /etc/vsftpd.chroot_list are put in chroot jails. In other words, the list names the exceptions to whatever chroot_local_user specifies.
Default: NO

chroot_local_user
See chroot_list_enable. Set to NO for a more open system, but remember to add new users to the chroot_list_file as needed when you add users to the system. Set to YES for a more secure system: New users are automatically restricted unless you add them to chroot_list_file.
Default: NO

chroot_list_file
The name of the file consulted when chroot_list_enable is set to YES.
Default: /etc/vsftpd.chroot_list

passwd_chroot_enable
YES enables you to change the location of the chroot jail that the chroot_list_enable and chroot_local_user settings impose on a local user. The location of the chroot jail can be moved up the directory structure by including a /./ within the home directory string for that user in /etc/passwd. This change has no effect on the standard system login, just as a cd . command has no effect on the working directory. For example, changing the home directory field in /etc/passwd (page 494) for Sam from /home/sam to /home/./sam allows Sam to cd to /home after logging in using vsftpd.
Given the proper permissions, Sam can now view files and collaborate with another user.
Default: NO

secure_chroot_dir
The name of an empty directory that is not writable by the user ftp. The vsftpd server uses this directory as a secure chroot jail when the user does not need access to the filesystem.
Default: /var/run/vsftpd/empty

local_root
After a local user logs in on the server, this directory becomes the user's working directory. No error results if the specified directory does not exist.
Default: none

DOWNLOADING AND UPLOADING FILES

By default, any user, whether local or anonymous, can download files from the vsftpd server, assuming proper filesystem access and permissions. You must change write_enable from NO (the default) to YES to permit local users to upload files. By default, local_umask is set to 077, giving uploaded files 600 permissions (page 215). These permissions allow only the user who created a file to download and overwrite it. Change local_umask to 022 to allow users to download other users' files.

Security

Refer to "Security" on page 699 for information on the security hole that is created when you allow local users to upload files.

The following actions set up vsftpd to allow anonymous users to upload files:

1. Set write_enable (page 705) to YES.

2. Create a directory under /srv/ftp that an anonymous user can write to but not read from (mode 333). You do not want a malicious user to be able to see, download, modify, and upload a file that another user originally uploaded. The following commands create a /srv/ftp/uploads directory that anyone can write to but no one can read from:

$ sudo mkdir /srv/ftp/uploads
$ sudo chmod 333 /srv/ftp/uploads

Because of the security risk, vsftpd refuses anonymous logins when the anonymous user (ftp) can write to /srv/ftp itself; only a subdirectory such as uploads may be writable.

3. Set anon_upload_enable (page 706) to YES.

4. See the other options in this section.
DOWNLOAD/UPLOAD FOR LOCAL USERS

local_umask: The umask (page 459) setting for local users. Default: 077

file_open_mode: Uploaded file permissions for local users. The umask (page 459) is applied to this value. Change to 0777 to make uploaded files executable. Default: 0666

write_enable: YES permits users to create and delete files and directories (assuming appropriate filesystem permissions). NO prevents users from making changes to the filesystem. Default: NO

ANONYMOUS USERS

anon_mkdir_write_enable: YES permits an anonymous user to create new directories when write_enable=YES and the anonymous user has permission to write to the parent directory. Default: NO

anon_other_write_enable: YES grants an anonymous user write permission in addition to the permissions granted by anon_mkdir_write_enable and anon_upload_enable. For example, YES allows an anonymous user to delete and rename files, assuming she has permission to write to the parent directory. For a more secure site, do not set this parameter to YES. Default: NO

anon_root: After an anonymous user logs in on the server, this directory becomes the user's working directory. No error results if the specified directory does not exist. Default: none

anon_umask: The umask (page 459) setting for anonymous users. The default setting gives only anonymous users access to files uploaded by anonymous users; set this parameter to 022 to give everyone read access to these files. Default: 077

anon_upload_enable: YES allows anonymous users to upload files when write_enable=YES and the anonymous user has permission to write to the directory. Default: NO

anon_world_readable_only: YES limits the files that a user can download to those that are readable by the owner of the file, members of the group the file is associated with, and others.
It may not be desirable to allow one anonymous user to download a file that another anonymous user uploaded. Setting this parameter to YES can avoid this scenario. Default: YES

ascii_download_enable: YES allows a user to download files using ASCII mode. Setting this parameter to YES can create a security risk (page 695). Default: NO

ascii_upload_enable: YES allows a user to upload files using ASCII mode (page 694). Default: NO

chown_uploads: YES causes files uploaded by anonymous users to be owned by root (or another user specified by chown_username). To improve security, change chown_username to a name other than root if you set this parameter to YES. Default: NO

chown_username: See chown_uploads. Default: root

ftp_username: The username of anonymous users. Default: ftp

nopriv_user: The name of the user with minimal privileges, as used by vsftpd. Because other programs use nobody, to enhance security you can replace nobody with the name of a dedicated user such as ftp. Default: nobody

MESSAGES

You can replace the standard greeting banner that vsftpd displays when a user logs in on the system (banner_file and ftpd_banner). You can also display a message each time a user enters a directory (dirmessage_enable and message_file). When you set dirmessage_enable=YES, each time a user enters a directory using cd, vsftpd displays the contents of the file in that directory named .message (or another file specified by message_file).

dirmessage_enable: YES displays .message or another file specified by message_file as an ftp user enters a new directory by giving a cd command. Default: NO; Ubuntu: YES

message_file: See dirmessage_enable. Default: .message

banner_file: The absolute pathname of the file that is displayed when a user connects to the server. Overrides ftpd_banner. Default: none

ftpd_banner: Overrides the standard vsftpd greeting banner displayed when a user connects to the server.
Default: none; uses standard vsftpd banner

DISPLAY

This section describes parameters that can improve security and performance by controlling how vsftpd displays information.

hide_ids: YES lists all users and groups in directory listings as ftp. NO lists the real owners. Default: NO

setproctitle_enable: NO causes ps to display the process running vsftpd as vsftpd. YES causes ps to display what vsftpd is currently doing (uploading and so on). Set this parameter to NO for a more secure system. Default: NO

text_userdb_names: NO improves performance by displaying numeric UIDs and GIDs in directory listings. YES displays names. Default: NO

use_localtime: NO causes the ls, mls, and modtime FTP commands to display UTC (page 1179). YES causes these commands to display the local time. Default: NO

ls_recurse_enable: YES permits users to give ls -R commands. Setting this parameter to YES may pose a security risk because giving an ls -R command at the top of a large directory hierarchy can consume a lot of system resources. Default: NO

LOGS

By default, logging is turned off. However, the vsftpd.conf file distributed with Ubuntu Linux turns it on. This section describes parameters that control the details and locations of logs.

log_ftp_protocol: YES logs FTP requests and responses, provided that xferlog_std_format is set to NO. Default: NO

xferlog_enable: YES maintains a transfer log in /var/log/vsftpd.log (or another file specified by xferlog_file). NO does not create a log. Default: NO; Ubuntu: YES

xferlog_std_format: YES causes a transfer log (not covering connections) to be written in standard xferlog format, as used by wu-ftpd, as long as xferlog_file is explicitly set. If xferlog_std_format is set to YES and xferlog_file is not explicitly set, logging is turned off.
The default vsftpd log format is more readable than xferlog format, but it cannot be processed by programs that generate statistical summaries of xferlog files. Search for xferlog on the Internet to obtain more information on this command. Default: NO

xferlog_file: See xferlog_enable and xferlog_std_format. Default: /var/log/vsftpd.log

CONNECTION PARAMETERS

You can allow clients to establish passive and/or active connections (page 689). Setting timeouts and maximum transfer rates can improve server security and performance. This section describes parameters that control the types of connections that a client can establish, the length of time vsftpd will wait while establishing a connection, and the speeds of connections for different types of users.

PASSIVE (PASV) CONNECTIONS

pasv_enable: NO prevents the use of PASV connections. Default: YES

pasv_promiscuous: NO causes PASV to perform a security check that ensures that the data and control connections originate from a single IP address. YES disables this check; it is not recommended for a secure system. Default: NO

pasv_max_port: The highest port number that vsftpd will allocate for a PASV data connection; useful in setting up a firewall. Default: 0 (use any port)

pasv_min_port: The lowest port number that vsftpd will allocate for a PASV data connection; useful in setting up a firewall. Default: 0 (use any port)

pasv_address: Specifies an IP address other than the one used by the client to contact the server. Default: none; the address is the one used by the client

ACTIVE (PORT) CONNECTIONS

port_enable: NO prevents the use of PORT connections. Default: YES

port_promiscuous: NO causes PORT to perform a security check that ensures that outgoing data connections connect only to the client. YES disables this check; it is not recommended for a secure system.
Default: NO

connect_from_port_20: YES specifies port 20 (ftp-data, a privileged port) on the server for PORT connections, as required by some clients. NO allows vsftpd to run with fewer privileges (on a nonprivileged port). Default: NO; Ubuntu: YES

ftp_data_port: With connect_from_port_20 set to NO, specifies the port that vsftpd uses for PORT connections. Default: 20

TIMEOUTS

accept_timeout: The number of seconds the server waits for a client to establish a PASV data connection. Default: 60

connect_timeout: The number of seconds the server waits for a client to respond to a PORT data connection. Default: 60

data_connection_timeout: The number of seconds the server waits for a stalled data transfer to resume before disconnecting. Default: 300

idle_session_timeout: The number of seconds the server waits between FTP commands before disconnecting. Default: 300

local_max_rate: For local users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit. Default: 0

anon_max_rate: For anonymous users, the maximum data transfer rate in bytes per second. Zero (0) indicates no limit. Default: 0

one_process_model: YES establishes one process per connection, which improves performance but degrades security. NO allows multiple processes per connection. NO is recommended to maintain a more secure system. Default: NO

MISCELLANEOUS

This section describes parameters not discussed elsewhere.

pam_service_name: The name of the PAM service used by vsftpd. Default: vsftpd

rsa_cert_file: Specifies where the RSA certificate for SSL-encrypted connections is kept. Default: /usr/share/ssl/certs/vsftpd.pem; Ubuntu: /etc/ssl/private/vsftpd.pem

rsa_private_key_file: Specifies where the RSA key for SSL-encrypted connections is kept. Default: none

tcp_wrappers: YES causes incoming connections to use tcp_wrappers (page 465) if vsftpd was compiled with tcp_wrappers support.
When tcp_wrappers sets the environment variable VSFTPD_LOAD_CONF, vsftpd loads the configuration file specified by this variable, allowing per-IP configuration. Default: NO

user_config_dir: Specifies a directory that contains files named for local users. Each of these files, which mimic vsftpd.conf, contains parameters that override, on a per-user basis, default parameters and parameters specified in vsftpd.conf. For example, assume that user_config_dir is set to /etc/vsftpd/user_conf. Further suppose that the default configuration file, /etc/vsftpd/vsftpd.conf, sets idle_session_timeout=300 and Sam's individual configuration file, /etc/vsftpd/user_conf/sam, sets idle_session_timeout=1200. Then all users' sessions except for Sam's will time out after 300 seconds of inactivity. Sam's sessions will time out after 1,200 seconds. Default: none

OTHER CONFIGURATION FILES

In addition to /etc/vsftpd.conf, the following files control the functioning of vsftpd. The directory hierarchy that user_config_dir points to is not included in this list because it has no default name.

/etc/ftpusers: Lists users, one per line, who are never allowed to log in on the FTP server, regardless of how userlist_enable (page 702) is set and regardless of the users listed in the user_list file. The default file lists root, bin, daemon, and others.

/etc/vsftpd.user_list: Lists either the only users who can log in on the server or the only users who are not allowed to log in on the server. The userlist_enable (page 702) option must be set to YES for vsftpd to examine the list of users in this file. Setting userlist_enable to YES and userlist_deny (page 702) to YES (or not setting it) prevents listed users from logging in on the server. Setting userlist_enable to YES and userlist_deny to NO permits only the listed users to log in on the server.
/etc/vsftpd.chroot_list: Depending on the chroot_list_enable (page 703) and chroot_local_user (page 704) settings, lists either users who are forced into a chroot jail in their home directories or users who are not placed in a chroot jail.

/var/log/vsftpd.log: Log file. For more information refer to "Logs" on page 708.

CHAPTER SUMMARY

File Transfer Protocol is a protocol for downloading files from and uploading files to another system over a network. FTP is the name of both a client/server protocol (FTP) and a client utility (ftp) that invokes this protocol. Because FTP is not a secure protocol, it should be used only to download public information. You can run the vsftpd FTP server in the restricted environment of a chroot jail to make it significantly less likely that a malicious user can compromise the system.

Many servers and clients implement the FTP protocol. The ftp utility is the original client implementation; sftp and lftp are secure implementations that use OpenSSH facilities to encrypt the connection. Although they do not understand the FTP protocol, they map ftp commands to OpenSSH commands. The vsftpd daemon is a secure FTP server; it better protects the server from malicious users than do other FTP servers.

Public FTP servers allow you to log in as anonymous or ftp. By convention, you supply your email address as a password when you log in as an anonymous user. Public servers frequently have interesting files in the pub directory.

FTP provides two modes of transferring files: binary and ASCII. It is safe to use binary mode to transfer all types of files, including ASCII files. If you transfer a binary file using ASCII mode, the transfer will fail.

EXERCISES

1. What changes does FTP make to an ASCII file when you download it in ASCII mode to a Windows machine from a Linux server? What changes are made when you download the file to a Mac?

2. What happens if you transfer an executable program file in ASCII mode?

3. When would ftp be a better choice than sftp?

4. How would you prevent local users from logging in on a vsftpd server using their system username and password?

5. What advantage does sftp have over ftp?

6. What is the difference between cd and lcd in ftp?

ADVANCED EXERCISES

7. Why might you have problems connecting to an FTP server in PORT mode?

8. Why is it advantageous to run vsftpd in a chroot jail?

9. After downloading a file, you find that it does not match the MD5 checksum provided. Downloading the file again gives the same incorrect checksum. What have you done wrong and how would you fix it?

10. How would you configure vsftpd to run through xinetd, and what would be the main advantage of this approach?

20 exim4: SETTING UP MAIL SERVERS, CLIENTS, AND MORE

IN THIS CHAPTER

Introduction to exim4 714
JumpStart I: Configuring exim4 to Use a Smarthost 716
JumpStart II: Configuring exim4 to Send and Receive Mail 718
Configuring an exim4 Mail Server 724
SpamAssassin 727
Webmail 731
Mailing Lists 733
Setting Up an IMAP or POP3 Mail Server 735
Authenticated Relaying 736

Sending and receiving email require three pieces of software. At each end, there is a client, called an MUA (mail user agent), which is a bridge between a user and the mail system. Common MUAs are mutt, Evolution, KMail, Thunderbird, and Outlook. When you send an email, the MUA hands it to an MTA (a mail transfer agent, such as exim4 or sendmail), which transfers it to the destination server. At the destination, an MDA (a mail delivery agent, such as procmail) puts the mail in the recipient's mailbox file. On Linux systems, the MUA on the receiving system either reads the mailbox file or retrieves mail from a remote MUA or MTA, such as an ISP's SMTP (Simple Mail Transfer Protocol) server, using POP (Post Office Protocol) or IMAP (Internet Message Access Protocol).
SMTP: Most Linux MUAs expect a local MTA such as exim4 to deliver outgoing email. On some systems, including those with a dial-up connection to the Internet, the MTA sends email to an ISP's mail server. Because most MTAs use SMTP to deliver email, they are often referred to as SMTP servers. By default, when you install exim4 on an Ubuntu system, exim4 uses its own built-in MDA to deliver email to the recipient's mailbox file.

Tip: You do not need to set up exim4 to send and receive email. Most MUAs can use POP or IMAP to receive email from an ISP's server. These protocols do not require an MTA such as exim4. As a consequence, you do not need to install or configure exim4 (or another MTA) to receive email. Although you still need SMTP to send email, the SMTP server can be at a remote location, such as your ISP. Thus you may not need to concern yourself with it, either.

INTRODUCTION TO exim4

When the network that was to evolve into the Internet was first set up, it connected a few computers, each serving a large number of users and running several services. Each computer was capable of sending and receiving email and had a unique hostname, which was used as a destination for email. Today the Internet has a large number of transient clients. Because these clients do not have fixed IP addresses or hostnames, they cannot receive email directly. Users on these systems usually maintain an account on an email server run by their employer or an ISP, and they collect email from this account using POP or IMAP. Unless you own a domain where you want to receive email, you will not need to set up exim4 to receive mail from nonlocal systems.

Smarthost: You can set up exim4 on a client system so it sends mail bound for nonlocal systems to an SMTP server that relays the mail to its destination. This type of server is called a smarthost.
Such a configuration is required by organizations that use firewalls to prevent email from being sent out on the Internet from any system other than the company's official mail servers. As a partial defense against spreading viruses, some ISPs block outbound port 25 to prevent their customers from sending email directly to a remote computer. This configuration is required by these ISPs.

You can also set up exim4 as a server that sends mail to nonlocal systems and does not use an ISP as a relay. In this configuration, exim4 connects directly to the SMTP servers for the domains receiving the email. An ISP set up as a smarthost is configured this way.

You can set up exim4 to accept email for a registered domain name as specified in the domain's DNS MX record (page 828). However, most mail clients (MUAs) do not interact directly with exim4 to receive email. Instead, they use POP or IMAP—protocols that include features for managing mail folders, leaving messages on the server, and reading only the subject of an email without downloading the entire message. If you want to collect your email from a system other than the one running the incoming mail server, you may need to set up a POP or IMAP server, as discussed on page 735.

ALTERNATIVES TO exim4

sendmail: The most popular MTA today, sendmail (sendmail package) first appeared in 4.1BSD. The sendmail system is complex, but its complexity allows sendmail to be flexible and to scale well. On the downside, because of its complexity, configuring sendmail can be a daunting task. See www.sendmail.org for more information.

Postfix: Postfix (postfix package) is an alternative MTA. Postfix is fast and easy to administer, but is compatible enough with sendmail/exim4 to not upset sendmail/exim4 users. Postfix has a good reputation for ease of use and security and is a drop-in replacement for sendmail. Point a browser at www.postfix.org/docs.html for Postfix documentation.
Qmail: Qmail is a direct competitor of Postfix and has the same objectives. By default, Qmail stores email using the maildir format as opposed to the mbox format that other MTAs use (page 720). The Qmail Web site is www.qmail.org.

MORE INFORMATION

Web:
exim4: www.exim.org (includes the complete exim4 specification), www.exim-new-users.co.uk, wiki.debian.org/PkgExim4
SpamAssassin: spamassassin.apache.org, wiki.apache.org/spamassassin
Spam database: razor.sourceforge.net
Mailman: www.list.org
procmail: www.procmail.org
SquirrelMail: www.squirrelmail.org
IMAP: www.imap.org
Dovecot: www.dovecot.org
Postfix: www.postfix.org/docs.html (alternative MTA)
Qmail: www.qmail.org/top.html

Local:
exim4: /usr/share/doc/exim4*/*
SpamAssassin: /usr/share/doc/spam*
Dovecot: /usr/share/doc/dovecot*

man pages: exim4, exim4_files, update-exim4.conf, update-exim4defaults, spamassassin, spamc, spamd

SpamAssassin: Install the perl-doc and spamassassin packages and give the following command:

$ perldoc Mail::SpamAssassin::Conf

SETTING UP A MAIL SERVER (exim4)

This section explains how to set up an exim4 mail server.

PREREQUISITES

Install the following packages:

• exim4 (a virtual package)
• eximon4 (optional; monitors exim4)
• mailutils (optional; installs mail, which is handy for testing exim4 from the command line)
• exim4-doc-html (optional; exim4 documentation in HTML format)
• exim4-doc-info (optional; exim4 documentation in info format)

exim4 init script: When you install the exim4 package, the dpkg postinst script minimally configures exim4 and starts the exim4 daemon. After you configure exim4, call the exim4 init script to restart exim4:

$ sudo service exim4 restart

After changing the exim4 configuration on an active server, use reload in place of restart to reload exim4 configuration files without interrupting the work exim4 is doing.
The exim4 init script accepts several nonstandard arguments:

$ service exim4
Usage: /etc/init.d/exim4 {start|stop|restart|reload|status|what|force-stop}

The status and what arguments display information about exim4. The force-stop argument immediately kills all exim4 processes.

NOTES

Firewall: An SMTP server normally uses TCP port 25. If an SMTP server system that receives nonlocal mail is running a firewall, you need to open this port. To do so, use gufw (page 876) to set a policy that allows SMTP service.

Log files: You must be a member of the adm group or work with root privileges to view the log files in /var/log/exim4.

sendmail and exim4: Although it does not work the same way sendmail does, Ubuntu configures exim4 as a drop-in replacement for sendmail. The exim4-daemon-light package, which is part of the exim4 virtual package, includes /usr/sbin/sendmail, which is a link to exim4. Because the exim4 daemon accepts many of sendmail's options, programs that depend on sendmail will work with exim4 installed in place of sendmail.

Local and nonlocal systems: The exim4 daemon sends and receives email. A piece of email that exim4 receives can originate on a local system or on a nonlocal system. Similarly, email that exim4 sends can be destined for a local or a nonlocal system. The exim4 daemon processes each piece of email based on its origin and destination.

The local system versus local systems: The local system is the one exim4 is running on. Local systems are systems that are on the same LAN as the local system. As it is installed, exim4 delivers mail to the local system only.

JUMPSTART I: CONFIGURING exim4 TO USE A SMARTHOST

This JumpStart configures an exim4 server that sends mail from users on local systems to local and nonlocal destinations and does not accept mail from nonlocal systems. This server

• Accepts email originating on local systems for delivery to local systems.
• Accepts email originating on local systems for delivery to nonlocal systems, delivering it using an SMTP server (a smarthost)—typically an ISP—to relay email to its destination.
• Does not deliver email originating on nonlocal systems. As is frequently the case, you need to use POP or IMAP to receive email.
• Does not forward email originating on nonlocal systems to other nonlocal systems (does not relay email).

To set up this server, you need to change the values of a few configuration variables in /etc/exim4/update-exim4.conf.conf (page 724) and restart exim4. The dpkg-reconfigure utility (page 726) guides you in editing this file; this JumpStart uses a text editor. Working with root privileges, use a text editor to make the following changes to update-exim4.conf.conf:

dc_eximconfig_configtype='smarthost'
dc_smarthost='mail.example.net'

Configuration type: Set the dc_eximconfig_configtype configuration variable to smarthost to cause exim4 to send mail bound for nonlocal systems to the system that the dc_smarthost configuration variable specifies. This line should appear exactly as shown in the preceding example.

Smarthost: With dc_eximconfig_configtype set to smarthost, set dc_smarthost to the FQDN or IP address (preferred) of the remote SMTP server (the smarthost) that exim4 uses to relay email to nonlocal systems. Replace mail.example.net with this FQDN or IP address.

For Boolean variables in update-exim4.conf.conf, exim4 interprets the null value (specified by '') as a value of false.
With these changes, the file should look similar to this:

$ cat /etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='example.com'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.example.net'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

The exim4 server does not use the value of the dc_local_interfaces variable in a smarthost configuration, so you can leave it blank. However, in other configurations, the value of 127.0.0.1 ; ::1 prevents exim4 from accepting email from nonlocal systems. It is a good idea to configure exim4 this way and change this variable only when you are ready to accept mail from other systems. To minimize network accesses for DNS lookups, which can be helpful if you are using a dial-up line, change the value of the dc_minimaldns configuration variable to true.

/etc/mailname: The /etc/mailname file initially holds the node name (uname -n) of the server. The string stored in /etc/mailname appears as the name of the sending system on the envelope-from and From lines of email that originates on the local system. If you want email to appear to come from a different system, change the contents of this file. You can modify this file using a text editor; the dpkg-reconfigure utility can also change it. The following file causes mail sent from the local system to appear to come from username@example.com, where username is the username of the user who is sending the email:

$ cat /etc/mailname
example.com

See page 724 for more information on exim4 configuration variables. After making these changes, restart exim4 (page 716).
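Before restarting exim4, it is worth checking that update-exim4.conf.conf actually says what the JumpStart intends: that a smarthost configuration names a smarthost, that an internet configuration (JumpStart II, below) is not accidentally restricted to the loopback interfaces, and that dc_relay_domains and dc_relay_nets are empty unless you mean the server to relay for other systems. The following POSIX shell script is an added example, not from the book or the exim4 project. The two sample files it writes are constructed; mail.example.net and mydom.example.com are the placeholders used in this chapter, and the relay net 0.0.0.0/0 is a made-up value standing for "relay for everyone".

```shell
#!/bin/sh
# Added example, not from the book or the exim4 project: check the variables in
# /etc/exim4/update-exim4.conf.conf before restarting exim4. The sample files
# are constructed; the host and domain names in them are placeholders.

# exim_var FILE NAME: print the value of a NAME='value' line (the file's format).
exim_var() {
    sed -n "s/^$2='\(.*\)'[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# exim_check FILE: print one line per problem. Empty output means the file is
# consistent with the JumpStart its dc_eximconfig_configtype selects.
exim_check() {
    f=$1
    t=$(exim_var "$f" dc_eximconfig_configtype)
    case $t in
    smarthost)
        # JumpStart I: mail for nonlocal systems goes to dc_smarthost, so it must be set.
        [ -n "$(exim_var "$f" dc_smarthost)" ] ||
            echo "smarthost: dc_smarthost is empty; mail for nonlocal systems has nowhere to go"
        ;;
    internet)
        # JumpStart II: the server must know which names it accepts mail for, and
        # listening on loopback only would refuse the nonlocal mail it exists to receive.
        [ -n "$(exim_var "$f" dc_other_hostnames)" ] ||
            echo "internet: dc_other_hostnames is empty; no domain is accepted"
        [ "$(exim_var "$f" dc_local_interfaces)" = "127.0.0.1 ; ::1" ] &&
            echo "internet: dc_local_interfaces is loopback only; mail from nonlocal systems is refused"
        ;;
    *)
        echo "dc_eximconfig_configtype='$t' is neither smarthost nor internet"
        ;;
    esac
    # Neither JumpStart relays for other systems; both of these must be empty for that.
    for v in dc_relay_domains dc_relay_nets; do
        r=$(exim_var "$f" "$v")
        [ -n "$r" ] && echo "$v='$r': this server will relay for these; confirm that is intended"
    done
    return 0
}

SMART_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$SMART_CONF" "$BAD_CONF"' EXIT

# Constructed sample: the smarthost file from this JumpStart.
cat > "$SMART_CONF" <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='example.com'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.example.net'
EOF

# Constructed sample: an internet configuration with two mistakes, the loopback-only
# interface list carried over from JumpStart I and a relay net covering every address.
cat > "$BAD_CONF" <<'EOF'
dc_eximconfig_configtype='internet'
dc_other_hostnames='mydom.example.com'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_relay_domains=''
dc_relay_nets='0.0.0.0/0'
dc_smarthost=''
EOF

echo "== smarthost file (no output expected) =="
exim_check "$SMART_CONF"
echo "== internet file =="
exim_check "$BAD_CONF"
```

On a real system run exim_check /etc/exim4/update-exim4.conf.conf as a user who can read the file, then restart or reload exim4 only when the output is empty or every finding is one you intended.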
Test: Test exim4 with the following command:

$ echo "my exim4 test" | exim4 user@remote.host

Replace user@remote.host with an email address on another system where you receive email. You need to send email to a remote system to make sure that exim4 is sending email to the remote SMTP server (the smarthost). If the mail is not delivered, check the email of the user who sent the email (on the local system) for errors. Also check the log file(s) in the /var/log/exim4 directory.

JUMPSTART II: CONFIGURING exim4 TO SEND AND RECEIVE MAIL

To receive email sent from a nonlocal system to a registered domain (that you control), you need to configure exim4 to accept email from nonlocal systems. This JumpStart describes how to set up a server that

• Accepts email from local and nonlocal systems.
• Delivers email that originates on local systems to a local system or directly to a nonlocal system, without using a relay.
• Delivers email that originates on nonlocal systems to a local system only.
• Does not forward email originating on nonlocal systems to other nonlocal systems (does not relay email).

This server does not relay email originating on nonlocal systems. (You must set the dc_relay_domains variable [page 726] for the local system to act as a relay.) For this configuration to work, you must be able to make outbound connections and receive inbound connections on port 25 (see "Firewall" on page 716). Working with root privileges, use a text editor to set the following configuration variables in /etc/exim4/update-exim4.conf.conf:

dc_eximconfig_configtype='internet'
dc_other_hostnames='mydom.example.com'
dc_local_interfaces=''

Configuration type: Set dc_eximconfig_configtype to internet to cause exim4 to send mail directly to nonlocal systems as specified by the DNS MX record (page 828) for the domain the mail is addressed to and to accept email on the interfaces specified by dc_local_interfaces (below).
This line should appear exactly as shown above.

Other hostnames: The dc_other_hostnames configuration variable specifies the FQDNs or IP addresses that the local server receives mail addressed to. Replace mydom.example.com with these FQDNs or IP addresses. You must separate multiple entries with semicolons. These values do not necessarily include the FQDN or the IP address of the local server.

Local interfaces: Set dc_local_interfaces to the interface you want exim4 to listen on. Set it to the null value ('') to listen on all interfaces.

As in JumpStart I, you may need to change the value of /etc/mailname (page 718). For Boolean variables in this file, exim4 interprets the null value (specified by '') as false. The file should look similar to this:

$ cat /etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='internet'
dc_other_hostnames='mydom.example.com'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

See page 724 for more information on exim4 configuration variables. Once you have restarted exim4, it will accept mail addressed to the local system. To receive email addressed to a domain, the DNS MX record (page 828) for that domain must point to the IP address of the local system. If you are not running a DNS server, you must ask your ISP to set up an MX record or else receive mail at the IP address of the server. If you receive email addressed to an IP address, set dc_other_hostnames to that IP address.

WORKING WITH exim4 MESSAGES

When exim4 receives email, from both local and nonlocal systems, it creates in the /var/spool/exim4/input directory two files that hold the message while exim4 processes it.
To identify a particular message, exim4 generates a 16-character message ID and uses that string in filenames pertaining to the email. The exim4 daemon stores the body of the message in a file named by the message ID followed by -D (data). It stores the headers and envelope information in a file named by the message ID followed by -H (header).

Frozen messages: If exim4 cannot deliver a message, it marks the message as frozen and makes no further attempt to deliver it. Once it has successfully delivered an email, exim4 removes all files pertaining to that email from /var/spool/exim4/input.

Mail addressed to the local system: By default, exim4 delivers email addressed to the local system to users' files in the mail spool directory, /var/mail, in mbox format. Within this directory, each user has a mail file named with the user's username. Mail remains in these files until it is collected, typically by an MUA. Once an MUA collects the mail from the mail spool, the MUA stores the mail as directed by the user, usually in the user's home directory.

Mail addressed to nonlocal systems: The scheme that exim4 uses to process email addressed to a nonlocal system depends on how it is configured: It can send the email to a smarthost, it can send the email to the system pointed to by the DNS MX record of the domain the email is addressed to, or it can refuse to send the email.

mbox versus maildir: The mbox format holds all messages for a user in a single file. To prevent corruption, a process must lock this file while it is adding messages to or deleting messages from the file; thus the MUA cannot delete a message at the same time the MTA is adding messages. A competing format, maildir, holds each message in a separate file. This format does not use locks, allowing an MUA to delete messages from a user at the same time as mail is delivered to the same user. In addition, the maildir format is better able to handle larger mailboxes.
The downside is that the maildir format adds overhead when you are using a protocol such as IMAP to check messages. The exim4 daemon supports both mbox and maildir formats (see dc_localdelivery on page 725). Qmail (page 715), an alternative to sendmail and exim4, uses maildir-format mailboxes.

MAIL LOGS

By default, exim4 sends normal log messages to /var/log/exim4/mainlog, with other messages going to other files in the same directory. The following lines in a mainlog file describe an email message sent directly to a remote system's SMTP server. The exim4 daemon writes one line each time it receives a message and one line each time it attempts to deliver a message. The Completed line indicates that exim4 has completed its part in delivering the message. Each line starts with the date and time of the entry followed by the message ID.

$ tail -3 /var/log/exim4/mainlog
2010-07-19 23:13:12 1IB1jk-0000t8-lZ <= zachs@example.com U=sam P=local S=304
2010-07-19 23:13:17 1IB1jk-0000t8-lZ => zachs@example.com R=dnslookup T=remote_smtp H=filter.mx.meer.net [64.13.141.12]
2010-07-19 23:13:17 1IB1jk-0000t8-lZ Completed

The next entry on each line except the Completed line is a two-character status flag that tells you which kind of event the line describes:

<=   Received a message
=>   Delivered a message normally
->   Delivered a message normally to an additional address (same delivery)
*>   Did not deliver because of a -N command-line option
**   Did not deliver because the address bounced
==   Did not deliver because of a temporary problem

Information following the flag is preceded by one of the following letters, which indicates the type of the information, and an equal sign:

H   Name of remote system (host)
U   Username of the user who sent the message
P   Protocol used to receive the message
R   Router used to process the message
T   Transport used to process the message
S   Size of the message in bytes

The first line in the preceding example indicates that
exim4 received a 304-byte message to be delivered to zachs@example.com from sam on the local system. The next line indicates that exim4 looked up the address using DNS (dnslookup) and delivered it to the remote SMTP server (remote_smtp) at filter.mx.meer.net, which has an IP address of 64.13.141.12. The following log entries describe a message that exim4 received from a remote system and delivered to the local system:

2010-07-19 23:13:32 1IB1k4-0000tL-8L <= zachs@gmail.com H=wx-out-0506.google.com [66.249.82.229] P=esmtp S=1913 id=7154255d0707192313y304alb27t39f...@mail.gmail.com
2010-07-19 23:13:32 1IB1k4-0000tL-8L => sam R=local_user T=mail_spool
2010-07-19 23:13:32 1IB1k4-0000tL-8L Completed

See the exim4 specification for more information on log files. If you send and receive a lot of email, the mail logs can grow quite large. The logrotate (page 622) exim4-base file archives and rotates these files regularly.

WORKING WITH MESSAGES

You can call exim4 with many different options to work with mail that is on the system and to generate records of mail that has passed through the system. Most of these options begin with -M and require the message ID (see the preceding section) of the piece of email you want to work with. The following command removes a message from the queue:

$ sudo exim4 -Mrm 1IEKKj-0006CQ-LM
Message 1IEKKj-0006CQ-LM has been removed

Following are some of the exim4 options you can use to work with a message. Each of these options must be followed by a message ID. See the exim4 man page for a complete list.

-Mf    Mark message as frozen
-Mrm   Remove message
-Mt    Thaw message
-Mvb   Display message body
-Mvh   Display message header

ALIASES AND FORWARDING

You can use the aliases and .forward (page 723) files to forward email.
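The mainlog format described in the preceding MAIL LOGS section, parsed by an added Python example (this is not code from the book). The log lines in SAMPLE_LOG are constructed in that format with documentation hosts and addresses; the summary counts the status flags, reports messages with no Completed line (still in the queue, possibly frozen), and lists messages that arrived from a remote host (H= on the <= line) and left over remote_smtp, which is the relaying pattern an administrator compares against dc_relay_nets:

```python
"""Parse exim4 mainlog lines and summarise delivery outcomes (added example)."""
import re
from collections import Counter

# Constructed sample in the mainlog format the chapter describes (not real traffic).
SAMPLE_LOG = """\
2010-07-19 23:13:12 1IB1jk-0000t8-lZ <= zachs@example.com U=sam P=local S=304
2010-07-19 23:13:17 1IB1jk-0000t8-lZ => zachs@example.com R=dnslookup T=remote_smtp H=filter.mx.meer.net [64.13.141.12]
2010-07-19 23:13:17 1IB1jk-0000t8-lZ Completed
2010-07-19 23:13:32 1IB1k4-0000tL-8L <= zachs@gmail.com H=wx-out-0506.google.com [66.249.82.229] P=esmtp S=1913
2010-07-19 23:13:32 1IB1k4-0000tL-8L => sam R=local_user T=mail_spool
2010-07-19 23:13:32 1IB1k4-0000tL-8L Completed
2010-07-19 23:14:05 1IB1kB-0000tQ-2x <= sender@example.org H=mail.example.org [198.51.100.9] P=esmtp S=700
2010-07-19 23:14:06 1IB1kB-0000tQ-2x => other@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.25]
2010-07-19 23:14:06 1IB1kB-0000tQ-2x Completed
2010-07-19 23:15:00 1IB1kC-0000tR-3y <= nobody@example.org H=(bad) [203.0.113.7] P=esmtp S=52000
2010-07-19 23:15:01 1IB1kC-0000tR-3y ** victim@example.net R=dnslookup T=remote_smtp: retry timeout exceeded
2010-07-19 23:15:01 1IB1kC-0000tR-3y == second@example.net R=dnslookup T=remote_smtp defer (-1): host lookup failed
"""

# The six two-character status flags listed in the chapter.
FLAGS = {"<=": "received", "=>": "delivered", "->": "delivered_extra",
         "*>": "suppressed", "**": "bounced", "==": "deferred"}
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) "
    r"(?:(<=|=>|->|\*>|\*\*|==) (\S+)(.*)|(Completed))$")
FIELD_RE = re.compile(r"\b([HUPRTS])=(\S+)")          # the H/U/P/R/T/S fields
HOST_IP_RE = re.compile(r"\bH=\S+ \[([0-9a-fA-F.:]+)\]")  # the [ip] that follows H=


def parse_line(line):
    """Return a dict for one mainlog line, or None if it is not a message event."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, msgid, flag, addr, rest, completed = m.groups()
    if completed:
        return {"time": ts, "id": msgid, "event": "completed"}
    rec = {"time": ts, "id": msgid, "event": FLAGS[flag], "address": addr}
    # A trailing colon ('T=remote_smtp: retry timeout ...') is not part of the value.
    rec.update({k: v.rstrip(":") for k, v in FIELD_RE.findall(rest)})
    if "S" in rec:
        rec["S"] = int(rec["S"])
    ip = HOST_IP_RE.search(rest)
    if ip:
        rec["ip"] = ip.group(1)
    return rec


def summarize(log_text):
    """Aggregate a mainlog: event counts, message sizes, messages never Completed,
    and messages both received from a remote host and handed to remote_smtp."""
    counts, sizes, unfinished = Counter(), {}, set()
    from_remote, to_remote = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec["event"]] += 1
        if rec["event"] == "received":
            sizes[rec["id"]] = rec.get("S", 0)
            unfinished.add(rec["id"])
            if "H" in rec:               # came in over the network, not from a local user
                from_remote.add(rec["id"])
        elif rec["event"] == "completed":
            unfinished.discard(rec["id"])
        elif rec["event"] in ("delivered", "delivered_extra") and rec.get("T") == "remote_smtp":
            to_remote.add(rec["id"])
    return {"counts": counts, "sizes": sizes,
            "unfinished": sorted(unfinished),
            "relayed": sorted(from_remote & to_remote)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(dict(summary["counts"]))
    print("relayed through this host:", summary["relayed"])
    print("no Completed line yet:", summary["unfinished"])
```

Run against a real file with summarize(open("/var/log/exim4/mainlog").read()); a message that appears in relayed but whose H= address is not one of the networks you intended to relay for is the thing to look for.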
/etc/aliases
Most of the time when you send email, it goes to a specific person; the recipient, user@system, maps to a real user on the specified system. Sometimes, however, you may want email to go to a class of users and not to a specific recipient. Examples of classes of users include postmaster, webmaster, root, and tech_support. Different users may receive this email at different times or the email may go to a group of users. You can use the /etc/aliases file to map local addresses and classes to local users, files, commands, and local as well as nonlocal addresses.

Each line in /etc/aliases contains the name of a local (pseudo)user, followed by a colon, whitespace, and a comma-separated list of destinations. Because email sent to the root account is rarely checked, the default installation includes an entry similar to the following that redirects email sent to root to the initial user:

root: sam

You can set up an alias to forward email to more than one user. The following line forwards mail sent to abuse on the local system to sam and max:

abuse: sam, max

You can create simple mailing lists with this type of alias. For example, the following alias sends copies of all email sent to admin on the local system to several users, including Zach, who is on a different system:

admin: sam, helen, max, zach@example.com

You can direct email to a file by specifying an absolute pathname in place of a destination address. The following alias, which is quite popular among less conscientious system administrators, redirects email sent to complaints to /dev/null (page 489), where it disappears:

complaints: /dev/null

You can also send email to standard input of a command by preceding the command with the pipe character (|). This technique is commonly used by mailing list software such as Mailman (page 734).
For each list it maintains, Mailman has entries, such as the following one for painting_class, in the aliases file:

painting_class: "|/var/lib/mailman/mail/mailman post painting_class"

See the exim4_files man page for information on exim4 files, including aliases.

newaliases
After you edit /etc/aliases, you must run newaliases while you are working with root privileges. The /usr/bin/newaliases file is a symbolic link to exim4. Running newaliases calls exim4, which rebuilds the exim4 alias database.

~/.forward
Systemwide aliases are useful in many cases, but nonroot users cannot make or change them. Sometimes you may want to forward your own mail: Maybe you want mail from several systems to go to one address or perhaps you want to forward your mail while you are working at another office. The ~/.forward file allows ordinary users to forward their email.

Lines in a .forward file are the same as the right column of the aliases file explained earlier in this section: Destinations are listed one per line and can be a local user, a remote email address, a filename, or a command preceded by the pipe character (|). Mail that you forward does not go to your local mailbox. If you want to forward mail and keep a copy in your local mailbox, you must specify your local username preceded by a backslash to prevent an infinite loop. The following example sends Sam's email to himself on the local system and on the system at example.com:

$ cat ~sam/.forward
sams@example.com
\sam

RELATED PROGRAMS

exim4
The exim4 packages include several programs. The primary program, exim4, reads from standard input and sends an email to the recipient specified by its argument. You can use exim4 from the command line to check that the mail delivery system is working and to email the output of scripts. See "Test" on page 718 for an example. The command apropos exim4 displays a list of exim4-related files and utilities.
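An audit of the two files just described, as an added Python example (not code from the book or from exim4). It parses /etc/aliases-style text into a map of alias name to destinations, classifies each destination the way the text does (local user, remote address, file, command, backslash-protected user), reports the destinations that deserve review on a server (commands and files, since the MTA executes or writes them), and checks a ~/.forward for the loop the text warns about, where a user lists their own bare username instead of \username. The sample content is constructed; support for continuation lines that begin with whitespace follows the aliases(5) file format and is an assumption about how the file is read:

```python
"""Audit /etc/aliases and ~/.forward destinations (added example)."""

# Constructed sample in /etc/aliases format, built from the entries shown above.
SAMPLE_ALIASES = """\
# system aliases
root: sam
abuse: sam, max
admin: sam, helen, max,
       zach@example.com
complaints: /dev/null
painting_class: "|/var/lib/mailman/mail/mailman post painting_class"
"""


def split_destinations(rhs):
    """Split a comma-separated destination list, leaving double-quoted strings intact
    (a quoted command such as "|/path/cmd arg, arg" must not be split on its commas)."""
    parts, buf, quoted = [], [], False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def classify_destination(dest):
    """Map one destination to the kinds the chapter lists."""
    d = dest.strip('"')
    if d.startswith("|"):
        return "command"        # MTA pipes the message to this program
    if d.startswith("/"):
        return "file"           # MTA appends the message to this file
    if d.startswith("\\"):
        return "literal_user"   # backslash stops further alias/.forward expansion
    if "@" in d:
        return "remote"
    return "local_user"


def parse_aliases(text):
    """Return {alias: [destination, ...]}; lines starting with whitespace continue
    the previous alias (assumed aliases(5) continuation-line behaviour)."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            entries[current].extend(split_destinations(raw))
            continue
        name, sep, rhs = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip()
        entries[current] = split_destinations(rhs)
    return entries


def audit_aliases(entries):
    """Return (alias, kind, destination) for every command or file destination."""
    findings = []
    for name, dests in entries.items():
        for dest in dests:
            kind = classify_destination(dest)
            if kind in ("command", "file"):
                findings.append((name, kind, dest))
    return findings


def check_forward(username, text):
    """Return destinations in a ~/.forward that name the user's own mailbox without
    the leading backslash, which the chapter notes produces an infinite loop."""
    loops = []
    for raw in text.splitlines():
        dest = raw.strip()
        if not dest or dest.startswith("#"):
            continue
        if classify_destination(dest) == "local_user" and dest == username:
            loops.append(dest)
    return loops


if __name__ == "__main__":
    for alias, kind, dest in audit_aliases(parse_aliases(SAMPLE_ALIASES)):
        print(f"{alias}: {kind} destination {dest}")
    print("loops in sam's .forward:", check_forward("sam", "sams@example.com\nsam\n"))
```

On a live system, run audit_aliases(parse_aliases(open("/etc/aliases").read())) after any edit and before newaliases; every command entry should belong to software you installed deliberately (Mailman's entries are the expected case).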
In addition, you can call exim4 with options (page 721) or through links to cause it to perform various tasks.

exim4 -bp
When you call exim4 with the -bp option, or when you call the mailq utility (which is a symbolic link to exim4), it displays the status of the outgoing mail queue. When there are no messages in the queue, it displays nothing. Unless they are transient, messages in the queue usually indicate a problem with the local or remote MTA configuration or a network problem.

$ sudo exim4 -bp
24h   262 1IBhYI-0006iT-7Q *** frozen ***
          zachs@example.com

eximstats
The eximstats utility displays statistics based on exim4 log files. Call this utility with an argument of the name of a log file, such as /var/log/exim4/mainlog or /var/log/exim4/mainlog.2.gz. Without any options, eximstats sends information based on the log file in text format to standard output. When you include the -html option, eximstats generates output in HTML format, suitable for viewing with a browser:

$ eximstats -html /var/log/exim4/mainlog.2.gz > exim.0720.html

If you are not a member of the adm group, you must run the preceding command with root privileges. See the eximstats man page for more information.

eximon
Part of the eximon4 package, eximon displays a simple graphical representation of the exim4 queue and log files.

CONFIGURING AN exim4 MAIL SERVER

The exim4 daemon is a complex and capable MTA that is configured by /etc/default/exim4 and the files in the /etc/exim4 directory hierarchy. The former allows you to specify how the daemon is to be run; the latter configures all other aspects of exim4. You can configure exim4 by editing its configuration files with a text editor (discussed in the next section) or by using dpkg-reconfigure (page 726).
/etc/default/exim4
The default /etc/default/exim4 file sets QUEUERUNNER to combined, which starts one daemon that both runs the queue and listens for incoming email. It sets QUEUEINTERVAL to 30m, which causes the daemon to run the queue (that is, check whether the queue contains mail to be delivered) every 30 minutes. See the comments in the file for more information.

USING A TEXT EDITOR TO CONFIGURE exim4

The files in the /etc/exim4 directory hierarchy control how exim4 works—which interfaces it listens on, whether it uses a smarthost or sends email directly to its destination, whether and for which systems it relays email, and so on. You can also create an exim4.conf.localmacros file to turn on/off exim4 functions (see page 737 for an example). Because of its flexibility, exim4 uses many configuration variables. You can establish the values of these variables in one of two ways: You can edit a single file, as the JumpStart sections of this chapter explain, or you can work with the approximately 40 files in the /etc/exim4/conf.d directory hierarchy. For many configurations, working with the single file update-exim4.conf.conf is sufficient. This section describes the variables in that file but does not discuss working with the files in conf.d. Refer to the exim4 specification if you need to set up a more complex mail server.

THE update-exim4.conf.conf CONFIGURATION FILE

update-exim4.conf
The update-exim4.conf utility reads the exim4 configuration files in /etc/exim4, including update-exim4.conf.conf, and generates the /var/lib/exim4/config.autogenerated file. When exim4 starts, it reads this file for configuration information. Typically you do not need to run update-exim4.conf manually because the exim4 init script (page 716) runs this utility before it starts, restarts, or reloads exim4.
Split configuration
Setting the dc_use_split_config variable in update-exim4.conf.conf to false specifies an unsplit configuration, wherein update-exim4.conf merges the data from exim4.conf.localmacros, update-exim4.conf.conf, and exim4.conf.template to create config.autogenerated. Setting this variable to true specifies a split configuration, wherein update-exim4.conf merges the data from exim4.conf.localmacros, update-exim4.conf.conf, and all the files in the conf.d directory hierarchy to create config.autogenerated.

Following is the list of configuration variables you can set in update-exim4.conf.conf. Enclose all values within single quotation marks. For Boolean variables, exim4 interprets the null value (specified by '') as false.

CFILEMODE='perms'
Sets the permissions of config.autogenerated to the octal value perms, typically 644.

dc_eximconfig_configtype='type'
Specifies the type of configuration that exim4 will run, where type is one of the following:
    internet    Sends and receives email locally and remotely. See "JumpStart II" on page 718 for an example.
    smarthost   Sends and receives email locally and remotely, using a smarthost to relay messages to nonlocal systems. See "JumpStart I" on page 716 for an example.
    satellite   Sends email remotely, using a smarthost to relay messages; does not receive mail locally.
    local       Sends and receives local messages only.
    none        No configuration; exim4 will not work.

dc_hide_mailname='bool'
Controls whether exim4 displays the local mailname (from /etc/mailname, page 718) in the headers of email originating on local systems. Set bool to true to hide (not display) the local mailname or false to display it. When you set this variable to true, exim4 uses the value of dc_readhost in headers.

dc_local_interfaces='interface-list'
The interface-list is a semicolon-separated list of interfaces that exim4 listens on. Set interface-list to the null value ('') to cause exim4 to listen on all interfaces.
Set it to 127.0.0.1 to prevent exim4 from accepting email from other systems.

dc_localdelivery='lcl-transport'
Set lcl-transport to mail_spool to cause exim4 to store email in mbox format; set it to maildir_home for maildir format. See page 720 for more information.

dc_mailname_in_oh='bool'
Used internally by exim4. Do not change this value.

dc_minimaldns='bool'
Set bool to true to minimize DNS lookups (useful for dial-up connections) or to false to perform DNS lookups as needed.

dc_other_hostnames='host-list'
The host-list is a semicolon-separated list of IP addresses and/or FQDNs the local system accepts (but does not relay) email for; localhost (127.0.0.1) is assumed to be in this list.

dc_readhost='hostname'
The hostname replaces the local mailname in the headers of email originating on local systems. This setting is effective only if dc_hide_mailname is set to true and dc_eximconfig_configtype is set to smarthost or satellite.

dc_relay_domains='host-list'
The host-list is a semicolon-separated list of IP addresses and/or FQDNs the local system accepts mail for, but does not deliver to local systems. The local system relays mail to these systems. For example, the local system may be a secondary server for these systems.

dc_relay_nets='host-list'
The host-list is a semicolon-separated list of IP addresses and/or FQDNs of systems that the local system relays mail for. The local system is a smarthost (page 717) for these systems.

dc_smarthost='host-list'
The host-list is a semicolon-separated list of IP addresses (preferred) and/or FQDNs the local system sends email to for relaying to nonlocal systems (a smarthost; page 717). See "JumpStart I" on page 716 for an example.

dc_use_split_config='bool'
Controls which files update-exim4.conf uses to generate the configuration file for exim4. See "Split configuration" (page 725) for more information.
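A checker for the file just described, as an added Python example (not code from the book or from the exim4 project). It parses the name='value' lines of update-exim4.conf.conf, applies the null-value-is-false rule for Boolean variables, splits the semicolon-separated host-lists, and warns about combinations the variable descriptions above make risky: a dc_relay_nets entry that names every client (the spellings 0.0.0.0/0, ::/0 and * are assumed), a dc_relay_domains of *, a smarthost or satellite type with no dc_smarthost, a local or satellite type that still listens on all interfaces, and a CFILEMODE that leaves config.autogenerated group- or world-writable. The sample file is constructed and its dc_relay_nets value is deliberately wrong:

```python
"""Parse update-exim4.conf.conf and warn about risky settings (added example)."""
import re

# Constructed sample: the JumpStart file with a deliberately bad dc_relay_nets.
SAMPLE_CONF = """\
dc_eximconfig_configtype='internet'
dc_other_hostnames='mydom.example.com'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='0.0.0.0/0'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
"""

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)='([^']*)'$")
BOOL_VARS = ("dc_minimaldns", "dc_use_split_config", "dc_hide_mailname", "dc_mailname_in_oh")
ANY_NET = {"0.0.0.0/0", "::/0", "*"}   # assumed ways of writing "every client"


def parse_conf(text):
    """Return {name: value}. Values must be single-quoted; comments and blanks are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected name='value', got {raw!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def is_valid_conf(text):
    """True when every non-comment line is a quoted assignment."""
    try:
        parse_conf(text)
        return True
    except ValueError:
        return False


def as_bool(value):
    """Boolean variables: 'true' is true; 'false' and the null value '' are false."""
    if value == "true":
        return True
    if value in ("false", ""):
        return False
    raise ValueError(f"not a Boolean value: {value!r}")


def host_list(value):
    """Semicolon-separated host-list; the null value gives an empty list."""
    return [h.strip() for h in value.split(";") if h.strip()]


def check_conf(conf):
    """Return human-readable warnings; an empty list means nothing looked risky."""
    warnings = []
    ctype = conf.get("dc_eximconfig_configtype", "")
    for net in host_list(conf.get("dc_relay_nets", "")):
        if net in ANY_NET:
            warnings.append(f"dc_relay_nets={net!r}: relays mail for any client (open relay)")
    if "*" in host_list(conf.get("dc_relay_domains", "")):
        warnings.append("dc_relay_domains='*': relays mail for every domain")
    if ctype in ("smarthost", "satellite") and not host_list(conf.get("dc_smarthost", "")):
        warnings.append(f"configtype {ctype!r} needs dc_smarthost, which is empty")
    if ctype in ("local", "satellite") and not host_list(conf.get("dc_local_interfaces", "")):
        warnings.append("dc_local_interfaces='' listens on all interfaces although this "
                        "host does not receive mail from others; use 127.0.0.1")
    for var in BOOL_VARS:
        if var in conf:
            try:
                as_bool(conf[var])
            except ValueError as exc:
                warnings.append(f"{var}: {exc}")
    mode = conf.get("CFILEMODE", "644")
    if re.fullmatch(r"[0-7]{3,4}", mode) and int(mode, 8) & 0o022:
        warnings.append(f"CFILEMODE={mode}: config.autogenerated would be group/world writable")
    return warnings


if __name__ == "__main__":
    for w in check_conf(parse_conf(SAMPLE_CONF)):
        print("WARNING:", w)
```

Point parse_conf at /etc/exim4/update-exim4.conf.conf before running update-exim4.conf or restarting exim4; the relay warnings are the ones that matter on an Internet-facing host, because the generated configuration is what exim4 actually enforces.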
dpkg-reconfigure: CONFIGURES exim4

The dpkg-reconfigure utility reconfigures the installed copy of a software package. It displays a pseudographical window that can be used from any character-based device, including a terminal emulator. The following command enables you to reconfigure exim4 interactively:

$ sudo dpkg-reconfigure exim4-config

The first window this command displays briefly explains the differences between the split and unsplit configurations (page 725), tells you where you can find more information on this topic, and asks if you want to set up the split configuration (Figure 20-1). If you choose to set up a split configuration, dpkg-reconfigure assigns a value of true to dc_use_split_config (see "Split configuration" on page 725) and continues as though you had chosen to use an unsplit configuration: It does not modify files in the /etc/exim4/conf.d directory hierarchy. This setup causes update-exim4.conf to read the files in the /etc/exim4/conf.d directory hierarchy, incorporating any changes you make to those files.

The Package configuration dialog shown in Figure 20-1 reads:

    The Debian exim4 packages can either use 'unsplit configuration', a single monolithic file (/etc/exim4/exim4.conf.template) or 'split configuration', where the actual Exim configuration files are built from about 50 smaller files in /etc/exim4/conf.d/.

    Unsplit configuration is better suited for large modifications and is generally more stable, whereas split configuration offers a comfortable way to make smaller modifications but is more fragile and might break if modified carelessly.

    A more detailed discussion of split and unsplit configuration can be found in the Debian-specific README files in /usr/share/doc/exim4-base.

    Split configuration into small files?
Figure 20-1 Using dpkg-reconfigure on exim4-config

The dpkg-reconfigure utility continues providing information, asking questions, and assigning values to the variables in /etc/exim4/update-exim4.conf.conf (page 724). It may also change the string in /etc/mailname (page 718). When it is finished, it restarts exim4, running update-exim4.conf in the process.

SPAMASSASSIN

Spam—or more correctly UCE (unsolicited commercial email)—accounts for more than three-fourths of all email. SpamAssassin evaluates each piece of incoming email and assigns it a number that indicates the likelihood that the email is spam. The higher the number, the more likely that the email is spam. You can filter email based on its rating. SpamAssassin is effective as installed, but you can modify its configuration files to make it better fit your needs. See page 715 for sources of more information on SpamAssassin.

HOW SPAMASSASSIN WORKS

spamc and spamd
SpamAssassin comprises the spamd daemon and the spamc client. Although it includes the spamassassin utility, the SpamAssassin documentation suggests using spamc and not spamassassin to filter mail because spamc is much quicker to load than spamassassin. While spamassassin works alone, spamc calls spamd. The spamd daemon spawns children; when spamd is running, ps displays several spamd child processes in addition to the parent spamd process:

$ ps -ef | grep spam
root      5073     1  0 10:53 ?        /usr/sbin/spamd --create-prefs
root      5106  5073  0 10:53 ?        spamd child
root      5107  5073  0 10:53 ?        spamd child
zach     16080  6225  0 12:58 pts/0    grep spam

The spamc utility is a filter. That is, it reads each piece of email from standard input, sends the email to spamd for processing, and writes the modified email to standard output.
The spamd daemon uses several techniques to identify spam:

• Header analysis—Checks for tricks that people who send spam use to make you think email is legitimate.
• Text analysis—Checks the body of an email for characteristics of spam.
• Blacklists—Checks lists to see whether the sender is known for sending spam.
• Database—Checks the signature of the message against Vipul's Razor (razor.sourceforge.net), a spam-tracking database.

PREREQUISITES

Packages
Install the following packages:

• spamassassin
• spamc
• procmail (needed to run SpamAssassin on a mail server; page 730)

When you install the spamassassin package, the dpkg postinst script does not start the spamd daemon. Before you can start spamd, you must change the value assigned to ENABLED to 1 in /etc/default/spamassassin. Typically you do not need to make other changes to this file.

$ cat /etc/default/spamassassin
# Change to one to enable spamd
ENABLED=1

init script
After making this change, start the spamd daemon with the following command:

$ sudo service spamassassin start
Starting SpamAssassin Mail Filter Daemon: spamd.

After modifying any system SpamAssassin configuration files, give the same command, but replacing start with reload, to cause spamd to reread its configuration files.
TESTING SPAMASSASSIN

With spamd running, you can see how spamc works by sending it a string:

$ echo "hi there" | spamc
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on 10.04B1
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=EMPTY_MESSAGE,MISSING_DATE,
        MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
        NO_RELAYS autolearn=no version=3.3.1

Content analysis details:   (6.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.2 MISSING_HEADERS        Missing To: header
 0.1 MISSING_MID            Missing Message-Id: header
 1.8 MISSING_SUBJECT        Missing Subject: header
 2.3 EMPTY_MESSAGE          Message appears to have no textual parts and no Subject: text
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.4 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

Of course, SpamAssassin complains because the string you gave it did not contain standard email headers. The logical line that starts with X-Spam-Status contains the heart of the report on the string hi there. First it says Yes (it considers the message to be spam). SpamAssassin uses a rating system that assigns a number of hits to a piece of email. If the email receives more than the required number of hits (5.0 default), SpamAssassin marks it as spam. The string failed for many reasons that are enumerated on this status line. The reasons are detailed in the section labeled Content analysis details.
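The X-Spam-Status header that spamc adds, parsed by an added Python example (not code from the book or from SpamAssassin). The header is folded across several lines, so the parser unfolds it before reading the Yes/No verdict, the score (SpamAssassin 2.x wrote hits= instead of score=, as the next listing shows), the required threshold and the comma-separated tests list; classify then returns deliver, tag or quarantine for a message, never discarding anything, which matches the advice later in this chapter against removing email automatically. The message and the quarantine threshold are constructed:

```python
"""Parse the X-Spam-Status header added by spamc and decide what to do (added example)."""
import email
import re

# Constructed message carrying the headers shown in the spamc output above.
SAMPLE_MESSAGE = """\
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on 10.04B1
X-Spam-Flag: YES
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.9 required=5.0 tests=EMPTY_MESSAGE,MISSING_DATE,
\tMISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
\tNO_RELAYS autolearn=no version=3.3.1
From: sam@example.com
To: zach@example.com
Subject: hi

hi there
"""

STATUS_RE = re.compile(r"^(Yes|No),\s*(.*)$")


def parse_spam_status(value):
    """Parse 'Yes, score=6.9 required=5.0 tests=A,B autolearn=no version=3.3.1'
    (or the older 'hits=' form) into a dict; folded lines are joined first."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = STATUS_RE.match(flat)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {value!r}")
    # SpamAssassin folds the tests list after commas; glue those pieces back together.
    rest = re.sub(r",\s+", ",", m.group(2))
    fields = dict(tok.split("=", 1) for tok in rest.split(" ") if "=" in tok)
    score_key = "score" if "score" in fields else "hits"
    return {
        "is_spam": m.group(1) == "Yes",
        "score": float(fields[score_key]),
        "required": float(fields["required"]),
        "tests": [t for t in fields.get("tests", "").split(",") if t],
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }


def classify(raw_message, quarantine_at=10.0):
    """Return 'deliver', 'tag' or 'quarantine' for a message spamc has processed.
    quarantine_at is a constructed local policy value; nothing is ever deleted."""
    msg = email.message_from_string(raw_message)
    header = msg.get("X-Spam-Status")
    if header is None:
        return "deliver"          # never scanned: leave the decision to the MUA
    status = parse_spam_status(header)
    if not status["is_spam"]:
        return "deliver"
    if status["score"] >= quarantine_at:
        return "quarantine"       # hold for the user to review, e.g. a Spam folder
    return "tag"                  # deliver with the Subject/headers spamc rewrote


if __name__ == "__main__":
    status = parse_spam_status(email.message_from_string(SAMPLE_MESSAGE)["X-Spam-Status"])
    print(status["score"], "of", status["required"], "->", classify(SAMPLE_MESSAGE))
    print("rules that fired:", ", ".join(status["tests"]))
```

A procmail recipe or MDA hook would call classify on each message after spamc has run; keeping the decision in one function makes the threshold auditable and lets you tighten or loosen it without touching SpamAssassin's own required_score.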
The following listing is from a real piece of spam processed by SpamAssassin. It received 24.5 hits, indicating that it is almost certainly spam.

X-Spam-Status: Yes, hits=24.5 required=5.0
        tests=DATE_IN_FUTURE_06_12,INVALID_DATE_TZ_ABSURD,
        MSGID_OE_SPAM_4ZERO,MSGID_OUTLOOK_TIME,
        MSGID_SPAMSIGN_ZEROES,RCVD_IN_DSBL,RCVD_IN_NJABL,
        RCVD_IN_UNCONFIRMED_DSBL,REMOVE_PAGE,VACATION_SCAM,
        X_NJABL_OPEN_PROXY
        version=2.55
X-Spam-Level: ************************
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Spam-Report: This mail is probably spam. The original message has been attached
  along with this report, so you can recognize or block similar unwanted
  mail in future. See http://spamassassin.org/tag/ for more details.

  Content preview: Paradise SEX Island Awaits! Tropical 1 week vacations
  where anything goes! We have lots of WOMEN, SEX, ALCOHOL, ETC! Every
  man's dream awaits on this island of pleasure. [...]

  Content analysis details: (24.50 points, 5 required)
  MSGID_SPAMSIGN_ZEROES     (4.3 points) Message-Id generated by spam tool (zeroes variant)
  INVALID_DATE_TZ_ABSURD    (4.3 points) Invalid Date: header (timezone does not exist)
  MSGID_OE_SPAM_4ZERO       (3.5 points) Message-Id generated by spam tool (4-zeroes variant)
  VACATION_SCAM             (1.9 points) BODY: Vacation Offers
  REMOVE_PAGE               (0.3 points) URI: URL of page called "remove"
  MSGID_OUTLOOK_TIME        (4.4 points) Message-Id is fake (in Outlook Express format)
  DATE_IN_FUTURE_06_12      (1.3 points) Date: is 6 to 12 hours after Received: date
  RCVD_IN_NJABL             (0.9 points) RBL: Received via a relay in dnsbl.njabl.org
                            [RBL check: found 94.99.190.200.dnsbl.njabl.org.]
  RCVD_IN_UNCONFIRMED_DSBL  (0.5 points) RBL: Received via a relay in unconfirmed.dsbl.org
                            [RBL check: found 94.99.190.200.unconfirmed.dsbl.org.]
  X_NJABL_OPEN_PROXY        (0.5 points) RBL: NJABL: sender is proxy/relay/formmail/spam-source
  RCVD_IN_DSBL              (2.6 points) RBL: Received via a relay in list.dsbl.org
                            [RBL check: found 211.157.63.200.list.dsbl.org.]
X-Spam-Flag: YES
Subject: [SPAM] re: statement

CONFIGURING SPAMASSASSIN

SpamAssassin looks in many locations for configuration files; for details, refer to the spamassassin man page. The easiest configuration file to work with is /etc/mail/spamassassin/local.cf. You can edit this file to configure SpamAssassin globally. Users can override these global options and add their own options in the ~/.spamassassin/user_prefs file. You can put the options discussed in this section in either of these files.

For example, you can configure SpamAssassin to rewrite the Subject line of email that it rates as spam. The rewrite_header keyword in the configuration files controls this behavior. The word Subject following this keyword tells SpamAssassin to rewrite Subject lines.
Remove the # from the following line to turn on this behavior:

# rewrite_header Subject

The required_score keyword specifies the minimum score a piece of email must receive before SpamAssassin considers it to be spam. The default is 5.00. Set the value of this keyword to a higher number to cause SpamAssassin to mark fewer pieces of email as spam.

required_score 5.00

Sometimes mail from addresses that should be marked as spam is not, or mail from addresses that should not be marked as spam is. Use the whitelist_from keyword to specify addresses that should never be marked as spam and blacklist_from to specify addresses that should always be marked as spam:

whitelist_from sams@example.com
blacklist_from *@spammer.net

You can specify multiple addresses, separated by SPACEs, on the whitelist_from and blacklist_from lines. Each address can include wildcards. To whitelist everyone sending email from the example.com domain, use whitelist_from *@example.com. You can use multiple whitelist_from and blacklist_from lines.

RUNNING SPAMASSASSIN ON A MAIL SERVER

This section explains how to set up SpamAssassin on a mail server so that it will process all email being delivered to local systems before it is sent to users. It shows how to use procmail as the MDA and have procmail send email through spamc.

Make sure the procmail package is installed on the server system. Next, if the /etc/procmailrc configuration file does not exist, create it so that this file is owned by root and has 644 permissions and the following contents. If it does exist, append the last two lines from the following file to it:

$ cat /etc/procmailrc
DROPPRIVS=yes
:0 fw
| /usr/bin/spamc

The first line of this file ensures that procmail runs with the least possible privileges. The next two lines implement a rule that pipes each user's incoming email through spamc. The :0 tells procmail that a rule follows.
The f flag indicates a filter; the w flag causes procmail to wait for the filter to complete and check the exit code. The last line specifies that the /usr/bin/spamc utility will be used as the filter.

With this file in place, all email that the server system receives for local delivery passes through SpamAssassin, which rates it according to the options in the global configuration file. Users with accounts on the server system can override the global SpamAssassin configuration settings in their ~/.spamassassin/user_prefs files.

When you run SpamAssassin on a server, you typically want to rate the email conservatively so that fewer pieces of good email are marked as spam. Setting required_hits in the range of 6-10 is generally appropriate. Also, you do not want to remove any email automatically because you could prevent a user from getting a piece of nonspam email. When the server marks email as possibly being spam, users can manually or automatically filter the spam and decide what to do with it.

ADDITIONAL EMAIL TOOLS

This section covers Webmail and mailing lists. In addition, it discusses how to set up IMAP and POP3 servers.

WEBMAIL

Traditionally you read email using a dedicated email client such as mail or Evolution. Recently it has become more common to use a Web application to read email. If you have an email account with a commercial provider such as Gmail, HotMail, or Yahoo! Mail, you use a Web browser to read email. Email read in this manner is called Webmail. Unlike email you read on a dedicated client, you can read Webmail from anywhere you can open a browser on the Internet: You can check your email from an Internet cafe or a friend's computer, for example.

SquirrelMail
SquirrelMail provides Webmail services. It is written in PHP and supports the IMAP and SMTP protocols. For maximum compatibility across browsers, SquirrelMail renders pages in HTML 4.0 without the use of JavaScript.
SquirrelMail is modular, meaning that you can easily add functionality using plugins. Plugins can allow you to share a calendar, for example, or give you the ability to change passwords using the Webmail interface. See the plugins section of the SquirrelMail Web site (www.squirrelmail.org) for more information.

To use SquirrelMail, you must run IMAP (page 735) because SquirrelMail uses IMAP to receive and authenticate email. You must also run Apache (Chapter 26) so a user can use a browser to connect to SquirrelMail. Because the squirrelmail package depends on several Apache packages, APT installs apache2 when it installs squirrelmail. You need to install an IMAP package manually.

Installation
Install the following packages:

• squirrelmail
• apache2 (page 902; installed as a dependency when you install squirrelmail)
• exim4 (page 714) or sendmail
• php5-cgi
• dovecot-imapd (page 735) or another IMAP server

Startup
You do not need to start SquirrelMail, nor do you have to open any ports for it. However, you need to configure, start, and open ports (if the server is running on a system with a firewall) for exim4 (page 718), IMAP (page 735), and Apache (page 903).

Configuration
The SquirrelMail files reside in /usr/share/squirrelmail. Create the following link to make SquirrelMail accessible from the Web:

$ sudo ln -s /usr/share/squirrelmail /var/www/mail

Give the following command to configure SquirrelMail:

$ sudo squirrelmail-configure
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>

This menu has multiple levels.
When you select a setting (and not a submenu), squirrelmail-configure displays information that can help you decide how to answer the question it poses. Set the server's domain name (number 1 on the Server Settings page) and the name of the IMAP server you are using (D on the main menu). SquirrelMail provides several themes; if you do not like the way SquirrelMail looks, choose another theme from Themes (number 5). When you are finished making changes, exit from squirrelmail-configure. Run squirrelmail-configure whenever you want to change the configuration of SquirrelMail.

SquirrelMail provides a Web page that tests its configuration. Point a browser on the server at localhost/mail/src/configtest.php. Replace localhost with the IP address or
Login now Done SquirrelMail running a configuration test Figure 20-2 FQDN of the server to view the page from another system. SquirrelMail checks its configuration and displays the results on this page. Figure 20-2 shows that SquirrelMail cannot connect to the IMAP server on the local system, probably because IMAP has not been installed. Logging in Point a Web browser at localhost/mail or localhost/mail/src/login.php to display the SquirrelMail login page (Figure 20-3). Replace localhost with the IP address or FQDN of the server to view the page from another system. Enter the username and password of a user who has an account on the server system. M A I L I N G LISTS A mailing list can be an asset if you regularly send email to the same large group of people. It offers several advantages over listing numerous recipients in the To or Cc field of an email or sending the same email individually to many people: • Anonymity—None of the recipients of the email can see the addresses of the other recipients. •« ' Sk * S q u i r r e l M a i l - L o g i n - Mozilla Fi retan t o t yiew kùjtory ftookmwks IH y d p » Ç v * SquimHMail • Login Ê * hfipJfloMlhwt'mâilAroloçivphp T 0> ' + SquirrelMail Sfguim>!Mii=] wruon I .J M By th» SqiiirrnlMvul Pmjort Tiuun SquirrelMail Login Nam«!: Password: h i t t u l « ~ Figure 20-3 1 SquirrelMail login page 734 CHAPTER 2 0 exim4: SETTING U P M A I L SERVERS, CLIENTS, A N D M O R E • Archiving—Email sent to the list is stored in a central location where list members or the public, as specified by the list administrator, can browse through it. • Access control—You can specify who can send email to the list. • Consistency—When you send mail to a group of people using To or Cc, it is easy to forget people who want to be on the list and to erroneously include people who want to be off the list. • Efficiency—A mailing list application spreads email transmissions over time so it does not overload the mail server. 
Mailman
Mailman, the GNU list manager, is written mostly in Python and manages email discussions and email newsletter lists. Because it is integrated with the Web, Mailman makes it easy for users to manage their accounts and for administrators to manage lists. See the Mailman home page (www.list.org) and the files in the /usr/share/doc/mailman directory for more information.

Prerequisites
Install the mailman package and an MTA such as exim4 (page 715). To use the Web interface you must install Apache (page 902).

Installing Mailman
When you install the mailman package, the dpkg postinst script displays a pseudographical interface that asks you to specify the language you want Mailman to display and tells you that you must create a site list. Give the following newlist command to create a site list, substituting the name of your mailing site for painting_class:

    $ sudo newlist painting_class
    Enter the email of the person running the list: helen@example.com
    Initial painting_class password:
    To finish creating your mailing list, you must edit your /etc/aliases (or
    equivalent) file by adding the following lines, and possibly running the
    'newaliases' program:

    ## painting_class mailing list
    painting_class:              "|/var/lib/mailman/mail/mailman post painting_class"
    painting_class-admin:        "|/var/lib/mailman/mail/mailman admin painting_class"
    painting_class-bounces:      "|/var/lib/mailman/mail/mailman bounces painting_class"
    painting_class-confirm:      "|/var/lib/mailman/mail/mailman confirm painting_class"
    painting_class-join:         "|/var/lib/mailman/mail/mailman join painting_class"
    painting_class-leave:        "|/var/lib/mailman/mail/mailman leave painting_class"
    painting_class-owner:        "|/var/lib/mailman/mail/mailman owner painting_class"
    painting_class-request:      "|/var/lib/mailman/mail/mailman request painting_class"
    painting_class-subscribe:    "|/var/lib/mailman/mail/mailman subscribe painting_class"
    painting_class-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe painting_class"

    Hit enter to notify painting_class owner...

Before users on the list can receive email, you need to copy the lines generated by newlist (the ones that start with the name of your mailing site) to the end of /etc/aliases (page 722) and run newaliases (page 723).

mailman site list
Before you can start Mailman, you must create a site list named mailman. Give the command sudo newlist mailman, copy the lines to the aliases file, and run newaliases.

mailman init script
After setting up the mailman site list and a site list of your choice, start the Mailman qrunner daemon with the following command:

    $ sudo service mailman start
     * Starting Mailman master qrunner mailmanctl                       [ OK ]

After modifying any Mailman configuration files or adding a new site list, give the same command, but replacing start with reload, to cause Mailman to reread its configuration files.

mm_cfg.py
The main Mailman configuration file is /etc/mailman/mm_cfg.py. When you install Mailman, it automatically assigns values to DEFAULT_EMAIL_HOST (the default domain for mailing lists) and DEFAULT_URL_HOST (the default Web server for Mailman). Change the value of these variables as needed and restart Mailman.

    $ cat /etc/mailman/mm_cfg.py
    # Default domain for email addresses of newly created MLs
    DEFAULT_EMAIL_HOST = 'example.com'
    # Default host for web interface of newly created MLs
    DEFAULT_URL_HOST = 'example.com'

Web interface
Assuming the host for the Web interface is example.com, anyone can point a browser at example.com/cgi-bin/mailman/listinfo to display a list of available mailing lists. Click the name of a mailing list to display a page that allows you to view the list's archives, send a message, or subscribe to the list. At the bottom of the page is a link to the administrative interface for the list.
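The step of copying the newlist output into /etc/aliases is easy to get wrong when a list is created more than once or when an alias name is already taken (for example by a local user with the same name). The following shell script is an added example, not code from the book or from the Mailman project: it generates the same alias lines newlist prints for a list and appends only those that are missing from an aliases file, refusing to continue if an existing alias of the same name points somewhere else. It assumes the /var/lib/mailman/mail/mailman wrapper path shown above, and it takes the aliases file as an argument so you can try it on a copy before touching /etc/aliases (and then run newaliases as the text describes).

```shell
#!/bin/sh
# Added example (not from the book or Mailman): idempotent insertion of the
# aliases that "newlist LIST" prints.  The wrapper path below is the one shown
# in the newlist output in the text.
MAILMAN_WRAPPER=/var/lib/mailman/mail/mailman

# Print the header comment and the ten alias lines for list $1, in the same
# "name:  "|wrapper command list"" format that newlist uses.
mailman_aliases() {
    list=$1
    printf '## %s mailing list\n' "$list"
    for cmd in post admin bounces confirm join leave owner request subscribe unsubscribe; do
        if [ "$cmd" = post ]; then
            name=$list                # the bare list name delivers posts
        else
            name=$list-$cmd           # e.g. painting_class-admin
        fi
        printf '%-28s "|%s %s %s"\n' "$name:" "$MAILMAN_WRAPPER" "$cmd" "$list"
    done
}

# Append to aliases file $2 those entries for list $1 that are not already
# present.  Returns non-zero (and stops) if an alias with the same name exists
# but has a different right-hand side: that is a clash to resolve by hand, not
# something to silently overwrite.
add_mailman_aliases() {
    list=$1; aliases=$2
    [ -f "$aliases" ] || : > "$aliases"
    mailman_aliases "$list" | while IFS= read -r line; do
        case $line in
            '##'*)                    # header comment: add once, never twice
                grep -qxF -- "$line" "$aliases" || printf '%s\n' "$line" >> "$aliases"
                continue ;;
        esac
        name=${line%%:*}
        if grep -q "^$name:" "$aliases"; then
            grep -qxF -- "$line" "$aliases" || {
                echo "$aliases: alias '$name' already exists with a different target" >&2
                exit 1                # exits the pipeline subshell; the function returns 1
            }
        else
            printf '%s\n' "$line" >> "$aliases"
        fi
    done
}

# Usage on a live system (as root, then run newaliases):
#   add_mailman_aliases painting_class /etc/aliases && newaliases
```

Because the check is by alias name rather than by whole line, a second run after a partial first run adds only what is missing, and the mailman site list can be handled the same way (add_mailman_aliases mailman /etc/aliases).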
SETTING UP AN IMAP OR POP3 MAIL SERVER

Dovecot
IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) allow users to retrieve and manipulate email remotely. This section explains how to set up servers for these protocols. Dovecot (www.dovecot.org and wiki.dovecot.org) provides the imap-login and pop3-login daemons that implement these protocols.

Prerequisites
Install the dovecot-pop3d (for a POP3 server) and/or dovecot-imapd (for an IMAP server) packages. APT installs the dovecot-common package automatically when you install one of these packages. When you install either package, the dpkg postinst script for the dovecot-common package generates self-signed SSL certificates if they do not already exist.

Configuration
Dovecot will not start until you specify in the /etc/dovecot/dovecot.conf configuration file which servers you want to run. Near the beginning of this long file is a line that starts with protocols =. Put the names of the servers you want to run at the end of this line. Possible servers, depending on which packages you have installed, are imap (IMAP on port 143), imaps (IMAP over SSL on port 993), pop3 (POP3 on port 110), and pop3s (POP3 over SSL on port 995). See /usr/share/doc/dovecot* for more information.

dovecot init script
After configuring Dovecot, start the Dovecot daemon(s) with the following command:

    $ sudo service dovecot start

After modifying a Dovecot configuration file, give the same command, but replacing start with restart, to cause Dovecot to reread its configuration files.

AUTHENTICATED RELAYING

If you travel with a portable computer such as a laptop, you may connect to the Internet through a different connection at each location where you work. Perhaps you travel for work, or maybe you just bring your laptop home at night. This section does not apply if you always dial in to the network through your ISP.
In that case, you are always connected to your ISP's network and it is as though you never moved your computer.

On a laptop you do not use a local instance of exim4 to send email. Instead, you use SMTP to connect to an ISP or to a company's SMTP server (a smarthost), which then relays your outgoing mail. To avoid relaying email for anyone, including malicious users who would send spam, SMTP servers restrict who they relay email for, based on IP address. By implementing authenticated relaying, you can cause the SMTP server to authenticate, based on user identification. In addition, SMTP can encrypt communication when you send mail from your email client and use an SMTP server.

An authenticated relay provides several advantages over a plain connection:
• You can send email from any Internet connection.
• The secure connection makes it more difficult to intercept email as it traverses the Internet.
• The outgoing mail server requires authentication, preventing it from being used for spam.

You set up authenticated relaying by creating an SSL certificate or using an existing one, enabling SSL in exim4, and telling your email client to connect to the SMTP server using SSL. If you have an SSL certificate from a company such as VeriSign, you can skip the next section, in which you create a self-signed certificate.

CREATING A SELF-SIGNED CERTIFICATE FOR exim4

Typically, installing Dovecot generates self-signed certificates. If necessary, give the following command to create an SSL certificate for exim4. The private key is stored in exim.key and the certificate in exim.crt, both in the /etc/exim4 directory. Apache uses a similar procedure for creating a certificate (page 943).

    $ sudo /usr/share/doc/exim4-base/examples/exim-gencert
    [*] Creating a self signed SSL certificate for Exim!
        This may be sufficient to establish encrypted connections but for
        secure identification you need to buy a real certificate!

    Please enter the hostname of your MTA at the Common Name (CN) prompt!
    Generating a 1024 bit RSA private key
    writing new private key to '/etc/exim4/exim.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Code (2 letters) [US]:
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company; recommended) []:Sobell Associates Inc.
    Organizational Unit Name (eg, section) []:
    Server name (eg. ssl.domain.tld; required!!!) []:sobell.com
    Email Address []:mgs@sobell.com
    [*] Done generating self signed certificates for exim!
        Refer to the documentation and example configuration files
        over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
        support in your mail transfer agent.

You can enter any information you wish in the certificate.

ENABLING SSL IN exim4

Once you have a certificate, create a file named exim4.conf.localmacros in the /etc/exim4 directory (you have to work with root privileges). With the following contents, this file instructs exim4 to use SSL certificates:

    $ cat /etc/exim4/exim4.conf.localmacros
    MAIN_TLS_ENABLE = 1

Because exim4 will be relaying email, you need to add the name of the system you will be sending email from to the dc_relay_nets variable (page 726). Restart exim4 (page 716).

ENABLING SSL IN THE MAIL CLIENT

Enabling SSL in a mail client is usually quite simple. For example, Evolution provides the Edit⇒Preferences⇒Mail Accounts⇒Sending Email⇒Security⇒Use Secure Connection combo box that allows you to choose the type of encryption you want to use: No encryption, SSL encryption, or TLS encryption.
Clicking the Check for Supported Types button (found just below this combo box) queries the server and sets Evolution to use the type of security and authentication the server supports.

CHAPTER SUMMARY

The exim4 daemon is an MTA (mail transfer agent). When you send a message, exim4 works with other software to get the email to the proper recipients. You can set up exim4 to send email to an SMTP server that then relays the email to its destination or you can have exim4 send email directly to the SMTP servers for the domains receiving the email. By default, exim4 stores incoming messages in the mail spool directory, /var/mail.

The /etc/exim4/update-exim4.conf.conf file controls many aspects of how exim4 works. After you edit this file, you must use the exim4 init script to restart exim4 so it rereads its configuration files. The system administrator can use the /etc/aliases file and ordinary users can use ~/.forward files to reroute email to one or more local or remote addresses, to files, or as input to programs.

You can use a program such as SpamAssassin to grade and mark email as to the likelihood of it being spam. You can then decide what to do with the marked email: You can look at each piece of potential spam and decide where to put it, or you can have your MUA automatically put potential spam in a special mailbox for spam.

Other programs that can help with email include SquirrelMail, which provides Webmail services, and Mailman, which provides mailing list support. IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) allow users to retrieve and manipulate email remotely. The Dovecot system provides IMAP and POP servers.

EXERCISES

1. By default, email addressed to system goes to root. How would you also save a copy in /var/logs/systemmail?
2. How would Max store a copy of his email in ~/mbox and send a copy to max@example.com?
3. If your firewall allowed only the machine with the IP address 192.168.1.1 to send email outside the network, how would you instruct the local copy of exim4 to use this server as a relay?
4. Describe how setting the dc_eximconfig_configtype variable in /etc/exim4/update-exim4.conf.conf to smarthost affects exim4 behavior. What happens when you set this variable to internet?
5. SpamAssassin is installed on your mail server, with the threshold set to an unusually low value of 3, resulting in a lot of false positives. What rule could you give to your mail client to allow it to identify spam with a score of 5 or higher?

ADVANCED EXERCISES

6. Describe the software and protocols used when Max sends an email to Sam on a remote Linux system.
7. Explain the differences between configuring exim4 to use a split configuration and configuring it to use an unsplit configuration. Which files would you modify to set up each type of configuration? Name two files that are read by both configurations.
8. Assume a script stores certain information in a variable named RESULT. What line could you put in the script that would send the contents of RESULT to the email address specified by the first argument on the command line?
9. Give a simple way of reading your email that does not involve the use of an MUA.
10. Describe the relationship between spamassassin, spamd, and spamc. How does each work? Why not use the spamassassin utility by itself?

21 NIS AND LDAP

IN THIS CHAPTER
How NIS Works 742
Running an NIS Client 744
yppasswd: Changes NIS Passwords 748
Setting Up an NIS Server 750
yppasswdd: The NIS Password Update Daemon 757
LDAP 758
Setting Up an LDAP Server 760
Other Tools for Working with LDAP 767

NIS (Network Information Service) simplifies the maintenance of common administrative files by keeping them in a central database and having clients contact the database server to retrieve information from the database. Developed by Sun Microsystems, NIS is an example of the client/server paradigm. Just as DNS addresses the problem of keeping multiple copies of /etc/hosts files up-to-date, so NIS deals with the issue of keeping system-independent configuration files (such as /etc/passwd) current. Most networks today are heterogeneous (page 1151); even though they run different varieties of UNIX or Linux, they have certain common attributes, such as a passwd file.

LDAP (Lightweight Directory Access Protocol) can hold many types of information, including names and addresses, lists of network services, and authentication data. Another example of a client/server setup, LDAP is appropriate for any kind of relatively static, structured information where fast lookups are required. Many types of clients are set up to communicate with LDAP servers, including email clients, browsers, and authentication servers.

INTRODUCTION TO NIS

A primary goal of a LAN administrator is to make the network transparent to users. One aspect of this transparency is presenting users with similar environments, including usernames and passwords, when they log in on different machines. From the administrator's perspective, the information that supports a user's environment should not be replicated but rather should be kept in a central location and distributed as required. NIS simplifies this task.

As with DNS, users need not be aware that NIS is managing system configuration files. Setting up and maintaining NIS databases are tasks for the system administrator; individual users and users on single-user Linux systems rarely need to work directly with NIS.

Yellow Pages
NIS used to be called the Yellow Pages, and some people still refer to it by this name. Sun renamed the service because another corporation holds the trademark to the Yellow Pages name.
The names of NIS utilities and files, however, are reminiscent of the old name: ypcat displays and ypmatch searches an NIS file, and the server daemon is named ypserv.

HOW NIS WORKS

No encryption
NIS does not encrypt data it transfers over the network—it transfers data as plain text.

NIS domain
NIS makes a common set of information available to systems on a network. The network, referred to as an NIS domain, is characterized by each system having the same NIS domain name (different than a DNS domain name [page 1146]). Technically an NIS domain is a set of NIS maps (database files).

Master and slave servers
Each NIS domain must have exactly one master server; larger networks may have slave servers. Each slave server holds a copy of the NIS database from the master. The need for slave servers is based on the size of the NIS domain and the reliability of the systems and network. A system can belong to only one NIS domain at a time.

nsswitch.conf
Whether a system uses NIS, DNS, local files, or a combination of these as the source of certain information, and in what order, is determined by the /etc/nsswitch.conf file (page 475). When it needs information from the NIS database, a client requests the information from the NIS server. For example, when a user attempts to log in, the client system may authenticate the user with username and password information from the NIS server.

You can configure nsswitch.conf to cause /etc/passwd to override NIS password information for the local system. When you do not export the root account to NIS (and you should not), this setup allows you to have a unique root password (or no root password, if the root account is locked) for each system.

Source files
Under Ubuntu Linux, NIS derives the information it offers—such as usernames, passwords, and local system names and IP addresses—from local ASCII configuration files such as /etc/passwd and /etc/hosts. These files are called source files or master files. (Some administrators avoid confusion by using different files to hold local configuration information and NIS source information.) An NIS server can include information from as many of the following source files as is appropriate:

    /etc/group      Defines groups and their members
    /etc/gshadow    Provides shadow passwords for groups
    /etc/hosts      Maps local systems and IP addresses
    /etc/passwd     Lists user information
    /etc/printcap   Lists printer information
    /etc/rpc        Maps RPC program names and numbers
    /etc/services   Maps system service names and port numbers
    /etc/shadow     Provides shadow passwords for users

The information that NIS offers is based on files that change from time to time. NIS is responsible for making the updated information available in a timely manner to all systems in the NIS domain.

NIS maps
Before NIS can store the information contained in a source file, it must be converted to a dbm (page 1144) format file called a map. Each map is indexed on one field (column). Records (rows) from a map can be retrieved by specifying a value from the indexed field. Some files generate two maps, each indexed on a different field. For example, the /etc/passwd file generates two maps: one indexed by username, the other indexed by UID. These maps are named passwd.byname and passwd.byuid, respectively.

optional
NIS maps correspond to C library functions. The getpwnam() and getpwuid() functions obtain username and UID information from /etc/passwd on non-NIS systems. On NIS systems, these functions place RPC calls to the NIS server in a process that is transparent to the application calling the function.

Map names
The names of the maps NIS uses correspond to the files in the /var/yp/nisdomainname directory on the master server, where nisdomainname is the name of the NIS domain.
The examples in this chapter use the NIS domain named mgs:

    $ ls /var/yp/mgs
    group.bygid     netgroup.byhost  protocols.byname    services.byservicename
    group.byname    netgroup.byuser  protocols.bynumber  shadow.byname
    hosts.byaddr    netid.byname     rpc.byname          ypservers
    hosts.byname    passwd.byname    rpc.bynumber
    netgroup        passwd.byuid     services.byname

Map nicknames
To make it easier to refer to NIS maps, you can assign nicknames to them. The /var/yp/nicknames file on both clients and servers holds a list of commonly used nicknames:

    $ cat /var/yp/nicknames
    passwd      passwd.byname
    group       group.byname
    networks    networks.byaddr
    hosts       hosts.byname
    protocols   protocols.bynumber
    services    services.byname
    aliases     mail.aliases
    ethers      ethers.byname

You can also use the command ypcat -x to display the list of nicknames. Each line in nicknames contains a nickname followed by whitespace and the name of the map corresponding to the nickname. You can add, remove, or modify nicknames by changing the nicknames file.

Displaying maps
The ypcat and ypmatch utilities display information from the NIS maps on the server. Using the nickname passwd, the following command, which you can run on any NIS client in the local domain, displays the information contained in the passwd.byname map:

    $ ypcat passwd
    sam:x:1000:1000:Sam,,,,:/home/sam:/bin/bash
    sis:x:1001:1001:Sam the Great,,,,:/home/sis:/bin/bash

By default, NIS stores passwords only for users with UIDs greater than or equal to 1000 (see MINUID on page 753). Thus ypcat does not display lines for root, bin, and other system entries. You can display password information for a single user with ypmatch:

    $ ypmatch sam passwd
    sam:x:1000:1000:Sam,,,,:/home/sam:/bin/bash

You can retrieve the same information by filtering the output of ypcat through grep, but ypmatch is more efficient because it searches the map directly, using a single process. The ypmatch utility works on the key for the map only. To match members of the group or other fields not in a map, such as the GECOS (page 1150) field in passwd, you need to use ypcat and grep:

    $ ypcat passwd | grep -i great
    sis:x:1001:1001:Sam the Great,,,,:/home/sis:/bin/bash

Terminology
This chapter uses the following definitions:

    NIS source files   The ASCII files that NIS obtains information from
    NIS maps           The dbm-format files created from NIS source files
    NIS database       The collection of NIS maps

MORE INFORMATION

Local man pages: domainname, makedbm, netgroup, revnetgroup, ypbind, ypcat, ypinit, ypmatch, yppasswd, yppoll, yppush, ypset, ypserv, ypserv.conf, ypwhich, ypxfr, ypxfrd
Web: www.linux-nis.org, NIS-HOWTO

RUNNING AN NIS CLIENT

This section explains how to set up an NIS client on the local system.

PREREQUISITES

Install
Install the following packages:
• nis
• portmap (installs automatically with nis)

When you install the nis package, the dpkg postinst script starts an NIS client. See the "nis init script" section below if you want to start an NIS server or do not want to start an NIS client.

The dpkg postinst script asks you to specify the NIS domain name of the local system if it does not find one in /etc/defaultdomain. If necessary, the script creates this file and stores the NIS domain name in that file. If this file does not exist, the NIS client (ypbind) will not start. If there is a server for the domain you specify, the client quickly binds to that server.

No server
If there is no NIS server for the NIS client to bind to when you install or start an NIS client or boot the system, the client spends several minutes trying to find a server, displaying the following message while doing so:

    Setting up nis (B.17-14ubuntu2) ...
     * Setting NIS domainname to: mgs
     * Starting NIS services
     * binding to YP server... ....

Broadcast mode
Finally the client (ypbind) gives up on finding a server and runs in the background in broadcast mode:

    $ ps -ef | grep ypbind
    root     16882     1  0 19:33 ?        00:00:00 /usr/sbin/ypbind -broadcast
    sam      17390  5839  0 19:38 pts/0    00:00:00 grep ypbind

Broadcast mode is less secure than other modes because it exposes the system to rogue servers by broadcasting a request for a server to identify itself. If ypbind starts in this mode, it is a good idea to restart it after you set up an NIS server (page 750) and configure an NIS client as explained in the next section.

nis init script
After you configure nis, call the nis init script to restart nis. However, as explained earlier, starting nis takes a while if it cannot connect to a server. The /etc/default/nis file specifies whether this script starts an NIS client, server, or both:

    $ sudo service nis restart

After changing the nis configuration on an active server, use reload in place of restart to reload nis configuration files without disturbing clients connected to the server.

NOTES

If there is no NIS server for the local system's NIS domain, you need to set one up (page 750). If there is an NIS server, you need to know the name of the NIS domain the system belongs to and (optionally) the name or IP address of one or more NIS servers for the NIS domain. An NIS client can run on the same system as an NIS server.

/etc/default/nis
The /etc/default/nis file controls several aspects of NIS running on the local system, including whether the nis init script starts a client, a server, or both. As installed, this file causes the nis init script to start an NIS client (ypbind) and not to start an NIS server (ypserv). Set NISSERVER to false if the local system is not an NIS server or to master or slave as appropriate if it is a server.
Set NISCLIENT to true if the local system is an NIS client; otherwise set it to false.

    $ head /etc/default/nis
    # Are we a NIS server and if so what kind (values: false, slave, master)?
    NISSERVER=false
    # Are we a NIS client?
    NISCLIENT=true

In the nis file you can also specify which ports the NIS server uses (refer to "Firewall" on page 751) and control which values in /etc/passwd users can modify (refer to "Allow GECOS and Login Shell Modification" on page 757).

CONFIGURING AN NIS CLIENT

This section lists the steps involved in setting up and starting an NIS client.

/etc/defaultdomain: SPECIFIES THE NIS DOMAIN NAME

Tip: A DNS domain name is different from an NIS domain name
The DNS domain name is used throughout the Internet to refer to a group of systems. DNS maps these names to IP addresses to enable systems to communicate with one another. The NIS domain name is used strictly to identify systems that share an NIS server and is normally not seen or used by users and other programs. Although some administrators use one name as both a DNS domain name and an NIS domain name, this practice can degrade security.

The /etc/defaultdomain file stores the name of the NIS domain the local system belongs to. If you change this value, you need to reload the client and/or server daemon to get NIS to recognize the change. The nis init script reads the defaultdomain file and sets the name of the system's NIS domain. If the defaultdomain file does not exist when you install NIS, the dpkg postinst script prompts for it (refer to "Install" on page 745).
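The nis init script silently does nothing useful when /etc/default/nis or /etc/defaultdomain is wrong: ypbind will not start without a domain name, and an NISSERVER value other than false, slave, or master is not what the script expects. The following shell function is an added example, not code from the book or the nis package. It reads the two assignments from a copy of /etc/default/nis without sourcing the file (sourcing would execute anything else in it), confirms the domain file is present and non-empty, and, when given the system's DNS domain name as a third argument, flags the case the tip above warns against, an NIS domain name that is the same as the DNS domain name. The file paths are parameters so the check can be run against constructed copies.

```shell
#!/bin/sh
# Added example (not from the book): preflight check for the two files the nis
# init script depends on.  On a live system the arguments would be
# /etc/default/nis, /etc/defaultdomain and the output of "hostname -d".

# Print the value of the shell-style assignment NAME=value in file $2 for
# NAME=$1, without sourcing the file.  The last assignment wins, as it would
# when the init script sources the file; surrounding quotes are stripped.
nis_default_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

# $1 = /etc/default/nis copy, $2 = /etc/defaultdomain copy,
# $3 = DNS domain name (optional).  Prints one finding per line and returns
# the number of findings, so 0 means the files look usable.
check_nis_defaults() {
    defaults=$1 domfile=$2 dnsdomain=${3:-} findings=0

    server=$(nis_default_value NISSERVER "$defaults")
    client=$(nis_default_value NISCLIENT "$defaults")

    case $server in
        false|slave|master) ;;
        *) echo "$defaults: NISSERVER='$server' must be false, slave, or master"
           findings=$((findings+1)) ;;
    esac
    case $client in
        true|false) ;;
        *) echo "$defaults: NISCLIENT='$client' must be true or false"
           findings=$((findings+1)) ;;
    esac
    if [ "$server" = false ] && [ "$client" = false ]; then
        echo "$defaults: neither ypbind nor ypserv will be started"
        findings=$((findings+1))
    fi

    # Without a domain name neither the client nor the server starts (text above).
    if [ -s "$domfile" ]; then
        nisdomain=$(head -n 1 "$domfile")
        if [ -n "$dnsdomain" ] && [ "$nisdomain" = "$dnsdomain" ]; then
            echo "$domfile: NIS domain name '$nisdomain' equals the DNS domain name; choose a different NIS domain name"
            findings=$((findings+1))
        fi
    else
        echo "$domfile: missing or empty; ypbind and ypserv will not start"
        findings=$((findings+1))
    fi
    return "$findings"
}

# Usage on a live system:
#   check_nis_defaults /etc/default/nis /etc/defaultdomain "$(hostname -d)"
```

Run it before sudo service nis restart; a non-zero return value means the restart would either hang looking for a server or not start the daemons you expect.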
You can use the nisdomainname utility to set or view the NIS domain name, but setting it in this manner does not maintain the name when the nis init script is executed (for example, when the system is rebooted):

    $ sudo nisdomainname
    (none)
    $ sudo nisdomainname mgs
    $ sudo nisdomainname
    mgs

Tip: To avoid confusion, use nisdomainname, not domainname
The domainname and nisdomainname utilities do the same thing: They display or set the system's NIS domain name. Use nisdomainname to avoid confusion when you are also working with DNS domain names.

Tip: You must set the local system's NIS domain name
If the /etc/defaultdomain file is not present, the NIS server and client will not start.

/etc/yp.conf: SPECIFIES AN NIS SERVER

Edit /etc/yp.conf to specify one or more NIS servers (masters and/or slaves). You can use one of three formats to specify each server:

    domain nisdomain server server_name
    domain nisdomain broadcast
    ypserver server_name                 (do not use)

where nisdomain is the name of the NIS domain that the local (client) system belongs to and server_name is the hostname of the NIS server that the local system queries. It is best to specify server_name as an IP address or a hostname from /etc/hosts. If you specify a hostname that requires a DNS lookup and DNS is down, NIS will not find the server.

The second format puts ypbind in broadcast mode and is less secure than the first and third formats because it exposes the system to rogue servers by broadcasting a request for a server to identify itself. Under Ubuntu Linux, if you do not specify an NIS server, or if the server you specify is not available, an NIS client runs in broadcast mode.

Following is a simple yp.conf file for a client in the mgs domain with a server at 192.168.0.10:

    $ cat /etc/yp.conf
    domain mgs server 192.168.0.10

You can use multiple lines to specify multiple servers for one or more domains.
Specifying multiple servers for a single domain allows the system to change to another server when its current server is slow or down. When you specify more than one NIS domain, you must set the system's NIS domain name before starting ypbind so the client queries the proper server. Specifying the NIS domain name in /etc/defaultdomain before running the ypbind init script takes care of this issue (page 746).

TESTING THE SETUP

After starting ypbind, use nisdomainname to make sure the correct NIS domain name is set. Refer to "/etc/defaultdomain: Specifies the NIS Domain Name" on page 746 if you need to set the NIS domain name. Next use ypwhich to check whether the system is set up to connect to the proper server; the name of this server is set in /etc/yp.conf (page 747):

    $ ypwhich
    plum

Use rpcinfo to make sure the NIS server is up and running (replace plum with the name of the server that ypwhich returned):

    $ rpcinfo -u plum ypserv
    program 100004 version 1 ready and waiting
    program 100004 version 2 ready and waiting

After starting ypbind, check that it is registered with portmap:

    $ rpcinfo -u localhost ypbind
    program 100007 version 1 ready and waiting
    program 100007 version 2 ready and waiting

If rpcinfo does not report that ypbind is ready and waiting, check that ypbind is running:

    $ ps -ef | grep ypbind
    root     23144     1  0 18:10 ?        00:00:00 /usr/sbin/ypbind
    sam      23670  5553  0 18:31 pts/2    00:00:00 grep ypbind

If NIS still does not work properly, stop the nis service (so that the background ypbind is no longer running) and start ypbind in the foreground with debugging turned on:

    $ sudo service nis stop
    $ sudo /usr/sbin/ypbind -debug
    7607: parsing config file
    7607: Trying entry: domain mgs server 192.168.0.10
    7607: parsed domain 'mgs' server '192.168.0.10'
    7607: add_server() domain: mgs, host: 192.168.0.10, slot: 0
    7607: [Welcome to ypbind-mt, version 1.20.1]
    7607: ping interval is 20 seconds
    7609: NetworkManager is running.
7609: Are already online 7609: interface: org.freedesktop.DBus, object path: /org/freedesktop/DBus, method: NameAcquired 7610: ping host '192.168.0.10', domain 'mgs' 7610: Answer for domain 'mgs' from server '192.168.0.10' 7610: Pinging all active servers. 7610: Pinging all active servers. T h e - d e b u g option keeps ypbind in the foreground and causes it to send error messages and debugging output to standard error. Use CONTROL-C to stop ypbind when it is running in the foreground. yppasswd: CHANGES NIS PASSWORDS T h e y p p a s s w d utility—not to be confused with the yppasswdd daemon (two d's; see page 7 5 7 ) that runs on the NIS server—replaces the functionality of p a s s w d on clients when you use NIS for passwords. W h e r e p a s s w d changes password information in the / e t c / s h a d o w file on the local system, y p p a s s w d changes password R U N N I N G AN N I S CLIENT 749 information in the /etc/shadow file on the NIS master server and in the NIS shadow.byname map. Optionally, yppasswd can also change user information in the /etc/passwd file and the passwd.byname map. The yppasswd utility changes the way you log in on all systems in the NIS domain that use NIS to authenticate passwords. It cannot change root and system passwords; by default, NIS does not store passwords of users with UIDs greater than or equal to 1000. You have to use passwd to change these users' passwords locally. To use yppasswd, the yppasswdd daemon must be running on the NIS master server. passwd V E R S U S yppasswd When a user who is authenticated using NIS passwords runs passwd to change her password, all appears to work properly, yet the user's password is not changed: The user needs to use yppasswd. The root and system accounts, in contrast, must use passwd to change their passwords. A common solution to this problem is first to rename passwd—for example, to rootpasswd—and then to change its permissions so only root can execute it. 
Second, create a link to yppasswd named passwd:

    $ ls -l /usr/bin/passwd
    -rwsr-xr-x 1 root root 29104 2009-12-19 12:35 /usr/bin/passwd
    $ sudo -i
    # mv /usr/bin/passwd /usr/bin/rootpasswd
    # chmod 700 /usr/bin/rootpasswd
    # ln -s /usr/bin/yppasswd /usr/bin/passwd
    # exit
    logout
    $ ls -l /usr/bin/{yppasswd,passwd,rootpasswd}
    lrwxrwxrwx 1 root root    17 2010-05-08 18:42 /usr/bin/passwd -> /usr/bin/yppasswd
    -rwx------ 1 root root 29104 2009-12-19 12:35 /usr/bin/rootpasswd
    -rwxr-xr-x 1 root root 20688 2010-03-07 12:45 /usr/bin/yppasswd

The preceding example uses sudo -i to open a shell with root permissions so the administrator does not have to type sudo several times in a row. The administrator returns to using a normal shell as soon as possible. With this setup, a nonroot user changing his password using passwd will run yppasswd, which is appropriate. If root or a system account user runs passwd (really yppasswd), yppasswd displays an error that reminds the administrator to run rootpasswd.

[1] The passwd utility has setuid permission with read and execute permissions for all users and read, write, and execute permissions for root. If, after changing its name and permissions, you want to restore its original name and permissions, first change its name back and then give the command chmod 4755 /usr/bin/passwd. (You must work with root privileges to make these changes.)

MODIFYING USER INFORMATION

As long as the yppasswdd daemon is running on the NIS master server, a user can use the yppasswd utility from an NIS client to change her NIS password, while a user running with root privileges can change any user's password (except that of root or a system account). A user can also use yppasswd to change his login shell and GECOS (page 1150) information if the yppasswdd daemon is set up to permit these changes.
Refer to "yppasswdd: The NIS Password Update Daemon" on page 757 for information on how to configure yppasswdd to permit users to change these values. Use the -p option with yppasswd to change the password, -f to change GECOS information, and -l to change the login shell:

    $ yppasswd -l
    Changing NIS account information for sam on plum.
    Please enter password:

    To accept the default, simply press return. To use the
    system's default shell, type the word "none".
    Login shell [/bin/bash]: /bin/sh

    The login shell has been changed on plum.
    $ ypmatch sam passwd
    sam:x:1000:1000:Sam,,,,:/home/sam:/bin/sh

If yppasswd does not work and the server system is running a firewall, refer to "Firewall" on page 751.

ADDING AND REMOVING USERS

There are several ways to add and remove users from the NIS passwd map. The simplest approach is to keep the /etc/passwd file on the NIS master server synchronized with the passwd map. You can keep these files synchronized by first making changes to the passwd file using standard tools such as adduser and deluser, or their graphical counterparts, and then running ypinit (page 755) to update the map.

SETTING UP AN NIS SERVER

This section explains how to set up an NIS server.

PREREQUISITES

Installation: Decide on an NIS domain name (page 746) and install the following packages:

• nis
• portmap (installs automatically with nis)

nis init script: When you install the nis package, the dpkg postinst script starts an NIS client. See "Install" on page 745 for information on how to start a server, a client, or both. The /etc/default/nis configuration file controls whether an NIS server starts as a master or a slave (page 746). You may also want to specify the ports for the NIS server and yppasswdd to run on (see "Firewall," next page).
After you configure the server you can start, restart, or reload it with the nis init script:

    $ sudo service nis restart

NOTES

An NIS client can run on the same system as an NIS server.

There must be only one master server for each domain.

You can run multiple NIS domain servers (for different domains) on a single system.

An NIS server serves the NIS domains listed in /var/yp. For a more secure system, remove the maps directories from /var/yp when disabling an NIS server.

Firewall: The NIS server (ypserv) and the NIS password daemon (yppasswdd) use portmap (page 462) to choose which ports they accept queries on. The portmap server hands out a random unused port below 1024 when a service, such as ypserv, requests a port. Having ypserv and yppasswdd use random port numbers makes it difficult to set up a firewall on an NIS server. You can specify ports by editing the ypserv and yppasswdd option lines in /etc/default/nis (choose any unused ports less than 1024):

    YPSERVARGS='--port 114'
    YPPASSWDDARGS='--port 112'

If the NIS server system is running a firewall, open the ports you specify. Using gufw (page 876), open these ports by adding two policies, one that allows service on each of these ports. If you follow the preceding example, allow service on ports 114 and 112.

CONFIGURING THE SERVER

This section lists the steps involved in setting up and starting an NIS server.

/etc/default/nis: ALLOWS THE NIS SERVER TO START

Edit the /etc/default/nis file as described on page 746 so that the nis init script starts the NIS server. You can also specify ports for the NIS server and yppasswdd to listen on in this file; refer to "Firewall" above.

SPECIFY THE SYSTEM'S NIS DOMAIN NAME

Specify the system's NIS domain name as explained on page 746. This step is taken care of when you install the nis package.
/etc/ypserv.conf: CONFIGURES THE NIS SERVER

The /etc/ypserv.conf file, which holds NIS server configuration information, specifies options and access rules. Option rules specify server options and have the following format:

    option: value

OPTIONS

Following is a list of options and their default values:

files: Specifies the maximum number of map files that ypserv caches. Set to 0 to turn off caching. The default is 30.

trusted_master: On a slave server, the name/IP address of the master server from which the slave accepts new maps. The default is no master server, meaning no new maps are accepted.

xfer_check_port: YES (default) requires the master server to run on a privileged port (page 1166). NO allows it to run on any port.

ACCESS RULES

Access rules, which specify which hosts and domains can access which maps, have the following format:

    host:domain:map:security

where host and domain specify the IP address and NIS domain this rule applies to; map is the name of the map this rule applies to; and security is either none (always allow access), port (allow access from a privileged port), or deny (never allow access). The following lines appear in the ypserv.conf file supplied with Ubuntu Linux:

    $ cat /etc/ypserv.conf
    ...
    # This is the default - restrict access to the shadow password file,
    # allow access to all others.
    *           : *         : shadow.byname          : port
    *           : *         : passwd.adjunct.byname  : port
    *           : *         : *                      : none

These lines restrict the shadow.byname and passwd.adjunct.byname (the passwd map with shadow [asterisk] entries) maps to access from ports numbered less than 1024. However, anyone using a DOS or early Windows system on the network can read the maps because on those systems any user can open ports numbered less than 1024, so the port check is no protection against them. The last line allows access to the other maps from any port on any host.
The following example describes a LAN with some addresses you want to grant NIS access from and some that you do not; perhaps you have a wireless segment or some public network connections you do not want to expose to NIS. You can list the systems or an IP subnet that you want to grant access to in ypserv.conf. Anyone logging in on another IP address will then be denied NIS services. The following line from ypserv.conf grants access to anyone logging in from an IP address in the range of 192.168.0.1 to 192.168.0.255 (specified as 192.168.0.1 with a subnet mask [page 462] of /24):

    $ cat /etc/ypserv.conf
    ...
    192.168.0.1/24    : *    : *    : none

/var/yp/securenets: ENHANCES SECURITY

To enhance system security, you can create the /var/yp/securenets file, which prevents unauthorized systems from sending RPC requests to the NIS server and retrieving NIS maps. Notably, securenets prevents unauthorized users from retrieving the shadow map, which contains encrypted passwords. When securenets does not exist or is empty, an NIS server accepts requests from any system. Each line of securenets lists a netmask and IP address. NIS accepts requests from systems whose IP addresses are specified in securenets; it ignores and logs requests from other addresses. You must include the (local) server system as localhost (127.0.0.1) in securenets. A simple securenets file follows:

    $ cat /var/yp/securenets
    # you must accept requests from localhost
    255.255.255.255 127.0.0.1
    #
    # accept requests from IP addresses 192.168.0.1 - 192.168.0.62
    255.255.255.192 192.168.0.0
    #
    # accept requests from IP addresses starting with 192.168.14
    255.255.255.0 192.168.14.0

/var/yp/Makefile: CREATES MAPS

The make utility, which is controlled by /var/yp/Makefile, uses makedbm to create the NIS maps that hold the information distributed by NIS. When you run ypinit (page 755) on the master server, ypinit calls make: You do not need to run make manually.
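The securenets check and the ypserv.conf access rules described above can be modeled together so an administrator can ask "would this client be served this map?" before exposing ypserv. The script below is an added example, not code from the book or from ypserv; it assumes bash, constructs its securenets and ypserv.conf samples from the book's files, and does not reproduce ypserv's own parser.

```bash
#!/bin/bash
# Added example, not code from the book or from the ypserv project: a model of the
# two access controls described above (securenets, then ypserv.conf rules), so an
# administrator can ask "would this client be served this map?" before exposing
# ypserv. The securenets and ypserv.conf contents below are constructed for the
# example from the book's sample files; ypserv's own parser is not reproduced.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Netmask given as a dotted quad (255.255.255.0) or a prefix length (24).
mask2int() {
    case $1 in
        *.*) ip2int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# in_net <ip> <network> <mask>: succeeds when ip lies inside network/mask.
in_net() {
    local ip net mask
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(mask2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# securenets_allows <file> <client-ip>: /var/yp/securenets semantics as the text
# gives them: a missing or empty file accepts everyone; otherwise some
# "netmask network" line must cover the client.
securenets_allows() {
    local file=$1 ip=$2 mask net rules=0
    [ -s "$file" ] || return 0
    while read -r mask net _; do
        case $mask in ''|'#'*) continue ;; esac     # blank or comment line
        rules=$((rules + 1))
        in_net "$ip" "$net" "$mask" && return 0
    done < "$file"
    [ "$rules" -eq 0 ]                                # comments only == empty
}

# ypserv_rule <file> <client-ip> <domain> <map>: prints the security field
# (none, port or deny) of the first host:domain:map:security rule that matches,
# or "nomatch". Option lines (option: value) never match and are skipped.
ypserv_rule() {
    local file=$1 ip=$2 domain=$3 map=$4 host rdom rmap sec
    while IFS=: read -r host rdom rmap sec; do
        host=${host// /}; rdom=${rdom// /}; rmap=${rmap// /}; sec=${sec// /}
        case $host in
            '*') ;;
            [0-9]*/*) in_net "$ip" "${host%/*}" "${host#*/}" || continue ;;
            [0-9]*)   [ "$host" = "$ip" ] || continue ;;
            *) continue ;;                            # blank, comment or option
        esac
        [ "$rdom" = '*' ] || [ "$rdom" = "$domain" ] || continue
        [ "$rmap" = '*' ] || [ "$rmap" = "$map" ] || continue
        echo "$sec"; return 0
    done < "$file"
    echo nomatch
}

# nis_decision <securenets> <ypserv.conf> <client-ip> <domain> <map>:
# applies the checks in the order ypserv does, securenets first.
nis_decision() {
    securenets_allows "$1" "$3" || { echo "dropped by securenets"; return 0; }
    ypserv_rule "$2" "$3" "$4" "$5"
}

# Constructed sample files, using the values from the book's examples.
SECURENETS=$(mktemp) YPSERV_CONF=$(mktemp)
cat > "$SECURENETS" <<'EOF'
# you must accept requests from localhost
255.255.255.255 127.0.0.1
# accept requests from IP addresses 192.168.0.1 - 192.168.0.62
255.255.255.192 192.168.0.0
EOF
cat > "$YPSERV_CONF" <<'EOF'
files: 30
# restrict access to the shadow password file, allow access to all others.
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
* : * : * : none
EOF

# Stand-alone demonstration: a client inside the allowed range asking for the
# shadow map, then one outside the range.
nis_decision "$SECURENETS" "$YPSERV_CONF" 192.168.0.10 mgs shadow.byname
nis_decision "$SECURENETS" "$YPSERV_CONF" 192.168.0.100 mgs passwd.byname
```

Point the two file arguments at the real /var/yp/securenets and /etc/ypserv.conf to check a live server's configuration against a client address.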
Edit /var/yp/Makefile to set options and specify which maps to create. The following sections discuss /var/yp/Makefile in more detail.

VARIABLES

Following is a list of variables you can set in /var/yp/Makefile. The values following Ubuntu are the values set in the file distributed by Ubuntu.

B: Do not change. Ubuntu: not set

NOPUSH: Specifies that ypserv is not to copy (push) maps to slave servers. Set to TRUE if you do not have any slave NIS servers; set to FALSE to cause NIS to copy maps to slave servers. Ubuntu: TRUE

YPPUSHARGS: Specifies arguments for yppush. See the yppush man page for more information. Ubuntu: not set

MINUID, MINGID: Specify the lowest UID and GID numbers, respectively, to include in NIS maps. In the /etc/passwd and /etc/group files, lower ID numbers belong to root and system accounts and groups. To enhance security, NIS does not distribute password and group information about these users and groups. Set MINUID to the lowest UID number you want to include in the NIS maps and set MINGID to the lowest GID number you want to include. Ubuntu: 1000/1000

NFSNOBODYUID, NFSNOBODYGID: Specify the UID and GID, respectively, of the user named nfsnobody. NIS does not export values for this user. Set to 0 to export maps for nfsnobody. Ubuntu: 4294967295/4294967295

MERGE_PASSWD, MERGE_GROUP: When set to TRUE, merge the /etc/shadow and /etc/passwd files and the /etc/gshadow and /etc/group files in the passwd and group maps, respectively, enabling shadow user passwords and group passwords. Ubuntu: FALSE/FALSE

FILE LOCATIONS

The next sections of /var/yp/Makefile specify standard file locations; you do not normally need to change these entries.
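As an added example (not the Makefile's own rule), the following awk filter applies the MINUID and NFSNOBODYUID conditions described above to a constructed /etc/passwd, so you can see which accounts reach the passwd map and which stay local; it assumes bash and awk.

```bash
#!/bin/bash
# Added example, not the Makefile's own rule: shows what the MINUID and
# NFSNOBODYUID variables described above do to /etc/passwd before it becomes the
# NIS passwd map. The awk filter is mine and applies the conditions the text
# states; the sample passwd content is constructed, not copied from a system.

MINUID=1000              # Ubuntu default from /var/yp/Makefile
NFSNOBODYUID=4294967295  # Ubuntu default from /var/yp/Makefile

# nis_passwd_filter <passwd-file> [minuid] [nfsnobodyuid]
# Prints the entries NIS would distribute: UID >= minuid, UID != nfsnobodyuid,
# and not a comment or a +/- compat line.
nis_passwd_filter() {
    awk -F: -v min="${2:-$MINUID}" -v nobody="${3:-$NFSNOBODYUID}" \
        '!/^[-+#]/ && $3 >= min && $3 != nobody' "$1"
}

# nis_local_only <passwd-file>: the account names kept out of the map, i.e.
# those whose passwords stay in the local /etc/shadow and are changed with
# passwd, not yppasswd.
nis_local_only() {
    awk -F: -v min="$MINUID" -v nobody="$NFSNOBODYUID" \
        '!/^[-+#]/ && ($3 < min || $3 == nobody) { print $1 }' "$1"
}

# Constructed sample /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sam:x:1000:1000:Sam,,,,:/home/sam:/bin/sh
max:x:1001:1001:Max,,,,:/home/max:/bin/bash
nfsnobody:x:4294967295:4294967295:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

# Stand-alone demonstration.
echo "distributed by NIS:"; nis_passwd_filter "$SAMPLE_PASSWD"
echo "kept local:"; nis_local_only "$SAMPLE_PASSWD" | tr '\n' ' '; echo
```

Run nis_passwd_filter against the master server's real /etc/passwd to review exactly which accounts will be published before running ypinit.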
This part of the makefile is broken into the following groups:

Commands: Locates awk (mawk) and make and sets a value for umask (page 459)
Source directories: Locates directories that contain NIS source files
NIS source files: Locates NIS source files used to build the NIS database
Servers: Locates the file that lists NIS servers

THE ALL TARGET

The ALL target in /var/yp/Makefile specifies the maps that make is to build for NIS:

    ALL =   passwd group hosts rpc services netid protocols netgrp
    #ALL += publickey mail ethers bootparams printcap
    #ALL += amd.home auto.master auto.home auto.local
    #ALL += timezone locale networks netmasks

The first line of the ALL target lists the maps that make builds by default. This line starts with the word ALL, followed by an equal sign and a TAB. The last three lines are commented out. Uncomment lines and delete or move map names until the list matches your needs. As your needs change, you can edit the ALL target in Makefile and run make in the /var/yp directory to modify the list of maps distributed by NIS.

START THE SERVERS

Restart the master server (page 745) and then the slave servers after completing the preceding steps. On a master server, the nis init script starts the ypserv, yppasswdd, and ypxfrd daemons. If you are running an NIS client on the local system, it also starts ypbind. On a slave server, the nis init script starts only the ypserv daemon and, optionally, the ypbind daemon.

When you start the master server before running ypinit (discussed in the next section), as you must do to avoid getting errors, it takes a long time to start, as explained in "No server" on page 745. After running ypinit, you must restart the server (page 745).

ypxfrd: the map server: The ypxfrd daemon speeds up the process of copying large NIS databases from the master server to slaves.
It allows slaves to copy the maps, thereby avoiding the need for each slave to copy the raw data and then compile the maps. When an NIS slave receives a message from the server saying there is a new map, it starts ypxfr, which reads the map from the server. The ypxfrd daemon runs on the master server only; it is not necessary to run it on slave servers. For more information refer to "Prerequisites" on page 750.

ypinit: BUILDS OR IMPORTS THE MAPS

The ypinit utility builds or imports and then installs the NIS database. On the master server, ypinit gathers information from the passwd, group, hosts, networks, services, protocols, netgroup, and rpc files in /etc and builds the database. On a slave server, ypinit copies the database from the master server.

You must run ypinit by giving its absolute pathname (/usr/lib/yp/ypinit). Use the -m option to create the domain subdirectory under /var/yp and build the maps that go in it on the master server; use the -s master option on slave servers to import maps from the master server named master. In the following example, ypinit asks for the name of each of the slave servers; it already has the name of the master server because this command is run on the system running the master server (plum in the example). Terminate the list with CONTROL-D on a line by itself. After you respond to the query about the list of servers being correct, ypinit builds the ypservers map and calls make with /var/yp/Makefile, which builds the maps specified in Makefile.

    $ sudo /usr/lib/yp/ypinit -m

    At this point, we have to construct a list of the hosts which will run NIS
    servers.  dog is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add:  plum
            next host to add:  CONTROL-D
    The current list of NIS servers looks like this:

    plum

    Is this correct?  [y/n: y]  y
    We need a few minutes to build the databases...
    Building /var/yp/mgs/ypservers...
    Running /var/yp/Makefile...
    make[1]: Entering directory '/var/yp/mgs'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating netgroup...
    Updating netgroup.byhost...
    Updating netgroup.byuser...
    Updating shadow.byname...
    make[1]: Leaving directory '/var/yp/mgs'

    plum has been set up as a NIS master server.

    Now you can run ypinit -s plum on all slave server.

After running ypinit, you must restart the server (page 745).

Tip: If you are starting an NIS client, be sure to edit yp.conf
If you are starting ypbind (the NIS client) on the same system on which you are running ypserv (the NIS server), you must edit /etc/yp.conf to specify a server as explained on page 747. If you do not do so, the server will start properly but the client will take a long time to come up and will start in broadcast mode. For more information refer to "No server" on page 745.

TESTING THE SERVER

From the server, check that ypserv is connected to portmap:

    $ rpcinfo -p | grep ypserv
        100004    2   udp    770  ypserv
        100004    1   udp    770  ypserv
        100004    2   tcp    771  ypserv
        100004    1   tcp    771  ypserv

Again from the server system, make sure the NIS server is up and running:

    $ rpcinfo -u localhost ypserv
    program 100004 version 1 ready and waiting
    program 100004 version 2 ready and waiting

If the server is not working properly, use the nis init script to stop the NIS server.
Then start ypserv in the foreground with debugging turned on:

    $ sudo service nis stop
    $ sudo /usr/sbin/ypserv --debug
    [ypserv (ypserv) 2.19]

    Find securenet: 255.0.0.0 127.0.0.0
    Find securenet: 0.0.0.0 0.0.0.0
    ypserv.conf: 0.0.0.0/0.0.0.0:*:shadow.byname:2
    ypserv.conf: 0.0.0.0/0.0.0.0:*:passwd.adjunct.byname:2
    ypserv.conf: 0.0.0.0/0.0.0.0:*:*:0
    ypserv.conf: 192.168.0.1/192.168.0.1:*:*:0
    CONTROL-C

The --debug option keeps ypserv in the foreground and causes it to send error messages and debugging output to standard error. Press CONTROL-C to stop ypserv when it is running in the foreground.

yppasswdd: THE NIS PASSWORD UPDATE DAEMON

The NIS password update daemon, yppasswdd, runs only on the master server; it is not necessary to run it on slave servers. (If the master server is down and you try to change your password from a client, yppasswd displays an error message.) When a user runs yppasswd (page 748) on a client, this utility exchanges information with the yppasswdd daemon to update the user's password (and optionally other) information in the NIS shadow (and optionally passwd) map and in the /etc/shadow (and optionally /etc/passwd) file on the NIS master server. Password change requests are sent to syslogd (page 625). If the server system is running a firewall, open a port for yppasswdd. Refer to "Firewall" on page 751.

START yppasswdd

The nis init script starts yppasswdd (the daemon is named rpc.yppasswdd) on an NIS server. For more information refer to "Prerequisites" on page 750.

ALLOW GECOS AND LOGIN SHELL MODIFICATION

The /etc/default/nis file controls whether yppasswdd allows users to change GECOS (page 1150) information and/or the login shell when they run yppasswd. As shipped, yppasswdd allows users to change their login shell but not their GECOS information.
You can change these settings with options on the command line when you start yppasswdd or, more conveniently, by modifying the /etc/default/nis configuration file. The -e chfn option to yppasswdd allows users to change their GECOS information; -e chsh allows users to change their login shell. When you set the options in /etc/default/nis, these values are set automatically each time yppasswdd is run. Set YPCHANGEOK as explained in the comments.

    $ cat /etc/default/nis
    ...
    # Do we allow the user to use ypchsh and/or ypchfn ? The YPCHANGEOK
    # fields are passed with -e to yppasswdd, see it's manpage.
    # Possible values: "chsh", "chfn", "chsh,chfn"
    YPCHANGEOK=chsh
    ...

LDAP

LDAP (Lightweight Directory Access Protocol) is an alternative to the older X.500 DAP (Directory Access Protocol). It runs over TCP/IP and is network aware, standards based, and available on many platforms. A client queries an LDAP server, specifying the data it wants. For example, a query could ask for the first names and email addresses of all people with a last name of Smith who live in San Francisco.

Directory: Because LDAP is designed to work with data that does not change frequently, the server holds a search and read optimized database, called a directory. LDAP clients query and update this directory. In addition to name and address information, an LDAP directory can hold lists of network services. Or, other services can use it for authentication. LDAP is appropriate for any kind of relatively static structured information where fast lookups are required. Many types of clients are set up to communicate with LDAP servers, including LDAP-specific clients (page 767), email clients, and authentication servers.

OpenLDAP: Ubuntu provides the OpenLDAP (www.openldap.org) implementation of LDAP.
OpenLDAP uses the Sleepycat Berkeley Database (Berkeley DB, or BDB, now owned by Oracle), which meets the needs of an LDAP database. It supports distributed architecture, replication, and encryption. BDB differs from a relational database (RDBMS): Instead of holding information in rows and columns, BDB implements an LDAP directory as a hierarchical data structure that groups information with similar attributes. This section describes OpenLDAP.

In addition to BDB, Ubuntu supplies HDB, which is based on BDB but which organizes data in a true hierarchical fashion. HDB provides faster writes than does BDB. It also supports subtree renaming, which allows subtrees to be moved efficiently within a database. Under Ubuntu, HDB is the default LDAP database.

Entries and attributes: An entry (a node in the LDAP directory hierarchy, or a container) is the basic unit of information in an LDAP directory. Each entry holds one or more attributes. Each attribute has a name (an attribute type or description) and one or more values. Attribute names come from a standard schema that is held in files found in the /etc/ldap/schema directory. This schema is standard across many implementations of LDAP, enabling LDAP clients to obtain data from many LDAP servers. Although it is not usually necessary or advisable, you can augment or modify the standard schema.

DN: A Distinguished Name (DN) uniquely identifies each entry in an LDAP directory. A DN comprises a Relative Distinguished Name (RDN), which is constructed from one or more attributes in the entry, followed by the DN of the parent entry. Because a DN can change (e.g., a woman may change her last name), and because a consistent, unique identifier is sometimes required, the server assigns a UUID (an unambiguous identifier) to each entry.

DSE and DC: The DSE (DSA-Specific Entry) is the root, or top-level, entry in an LDAP directory.
(DSA stands for Directory System Agent.) The DSE specifies the domain name of the server and is defined in the /etc/ldap/slapd.d hierarchy. LDAP defines a domain name in terms of its component parts. The following line defines the DSE comprising the Domain Component (DC) sobell and the DC com:

    $ sudo grep -r sobell /etc/ldap/*
    /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcSuffix: dc=sobell,dc=com

LDIF and CN: The LDAP directory specified by the example DSE could contain the following entry, which is specified in LDAP Data Interchange Format (LDIF; see the ldif man page for more information):

    dn: cn=Samuel Smith,dc=sobell,dc=com
    cn: Samuel Smith
    cn: Sam
    cn: SLS
    givenName: Samuel
    sn: Smith
    mail: sls@example.com
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top

Each line except the first specifies an attribute. The word on each line preceding the colon is the attribute name. Following the colon and a SPACE is the attribute value. The first line in this example specifies the DN of the entry. The attribute value used in the RDN is a CN (Common Name) from the entry: Samuel Smith. This second-level entry is a child of the top-level entry; thus the DN of the parent entry is the DN of the top-level entry (dc=sobell,dc=com). You can uniquely identify this entry by its DN: cn=Samuel Smith,dc=sobell,dc=com. Because this entry defines three CNs, a search for Samuel Smith, Sam, or SLS will return this entry. This entry also defines a given name, a surname (sn), and an email address (mail).

objectClass attribute: Entries inherit object class attributes from their parents. In addition, each entry must have at least one objectClass attribute (the preceding entry has four). Each objectClass value must be a class defined in the schema. The schema specifies both mandatory and optional (allowed) attributes for an object class.
For example, the following entry in the schema defines the object class named person. The MUST and MAY lines specify which attributes the person object class requires (sn [surname] and cn; attribute names are separated by a dollar sign) and which attributes are optional (userPassword, telephoneNumber, seeAlso, and description).

    $ cat /etc/ldap/schema/core.schema
    ...
    objectclass ( 2.5.6.6 NAME 'person'
            DESC 'RFC2256: a person'
            SUP top STRUCTURAL
            MUST ( sn $ cn )
            MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
    ...

Abbreviations: The following list summarizes the abbreviations mentioned in this section.

    CN      Common Name
    DC      Domain Component
    DN      Distinguished Name
    DSE     DSA-Specific Entry
    LDIF    LDAP Data Interchange Format
    RDN     Relative Distinguished Name

MORE INFORMATION

Local: man pages: ldap.conf, ldapmodify, ldapsearch, ldif, slapd, slapd.conf, slappasswd

Web:
    LDAP home page: www.openldap.org
    Administrator's Guide: www.openldap.org/doc/admin24
    Ubuntu: help.ubuntu.com/10.04/serverguide/C/openldap-server.html
    OpenLDAP Faq-O-Matic: www.openldap.org/faq
    book: www.zytrax.com/books/ldap
    gq: gq-project.org

HOWTO: LDAP Linux HOWTO

SETTING UP AN LDAP SERVER

This section explains the steps involved in setting up an LDAP server.

PREREQUISITES

Install the following packages:

• slapd
• ldap-utils

slapd init script: After you manually configure slapd, call the slapd init script to restart slapd:

    $ sudo service slapd restart
    Stopping OpenLDAP: slapd.
    Starting OpenLDAP: slapd.

NOTES

DB_CONFIG: You can modify parameters in the /var/lib/ldap/DB_CONFIG file to improve the performance of an LDAP server. See the www.openldap.org/faq/data/cache/1072.html Web page for more information. See also the /usr/share/doc/slapd/examples/DB_CONFIG and /usr/share/doc/slapd/README.DB_CONFIG.gz files on the local system.

Firewall: The slapd LDAP server normally listens on TCP port 389, which is not encrypted. If you are using LDAP for authentication, use LDAP over SSL on port 636. If the LDAP server system is running a firewall, you need to open one of these ports. Using gufw (page 876), open one of these ports by adding a rule that allows service for port 389 or port 636 from the clients you want to be able to access the server.

SET UP THE SERVER

Backend: OpenLDAP uses the Directory Information Tree (DIT) hierarchy with its root at /etc/ldap/slapd.d/cn=config (the equal sign is part of the directory name) to configure the slapd daemon. This setup allows the slapd daemon to be configured dynamically (without having to restart the daemon). You must configure this DIT, referred to as the back end, before you can add user data to the LDAP database.

Front end: The front end of the database also needs to be configured before you can add user data. You must set it up to hold the kinds of data the user wants to store. "Set Up the Front End" on page 762 describes how to set up a database that is compatible with many address book applications. Once you have set up the back end and the front end, you can add user data as explained in the section "Add Entries to the Directory" on page 764.

This section lists the steps involved in setting up an LDAP server at the sobell.com domain. When you set up an LDAP server, substitute the domain name of the server you are setting up for sobell.com in the examples. To experiment with and learn about LDAP, set up and run locally the example server described in this section. Although the example uses sobell.com, when working from the server system you can refer to the LDAP server as localhost.
SET UP THE BACK END

You need to add three schema files and one setup file to the back end before you can add information to the front end of the LDAP database. Installing LDAP installs the three schema files. Give the following commands to add these files to the LDAP directory:

    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=cosine,cn=schema,cn=config"

    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    ...
    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ...

The following file sets up the back end of the LDAP database with a DSE comprising the DC sobell and the DC com (page 758) and an administrative user named admin with a password of porcupine. Change these values as is appropriate for the database you are setting up. (Note that the fourth line from the bottom is a single long line. This file is available on the Web at www.sobell.com/UB3/code/chapter_21/backend.setup.ldif.)
    $ cat backend.setup.ldif
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: back_hdb

    dn: olcDatabase=hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcSuffix: dc=sobell,dc=com
    olcDbDirectory: /var/lib/ldap
    olcRootDN: cn=admin,dc=sobell,dc=com
    olcRootPW: porcupine
    olcDbConfig: set_cachesize 0 2097152 0
    olcDbConfig: set_lk_max_objects 1500
    olcDbConfig: set_lk_max_locks 1500
    olcDbConfig: set_lk_max_lockers 1500
    olcDbIndex: objectClass eq
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcAccess: to attrs=userPassword by dn="cn=admin,dc=sobell,dc=com" write by anonymous auth by self write by * none
    olcAccess: to attrs=shadowLastChange by self write by * read
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=admin,dc=sobell,dc=com" write by * read

Give the following command to load this file:

    $ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.setup.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=module,cn=config"

    adding new entry "olcDatabase=hdb,cn=config"

SET UP THE FRONT END

The following file sets up the DSE (the top-level entry in the LDAP directory; page 758) for the example database. Substitute the domain name you want to use for dc=sobell,dc=com.

    $ cat tl1.ldif
    dn: dc=sobell,dc=com
    changetype: add
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: Sobell Associates
    dc: Sobell
    description: Sobell Example

Give the following command to add this information to the LDAP directory:

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -w porcupine -f tl1.ldif
    adding new entry "dc=sobell,dc=com"

Next, set up an administrative user. Substitute the password you want to use for porcupine in the example.
    $ cat tl2.ldif
    dn: cn=admin,dc=sobell,dc=com
    changetype: add
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: porcupine

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -w porcupine -f tl2.ldif
    adding new entry "cn=admin,dc=sobell,dc=com"

TEST THE SERVER

After you have set up the back end and front end of the database, test the server with the following query (you may need to reboot before this query will work):

    $ ldapsearch -x -s base namingContexts
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope baseObject
    # filter: (objectclass=*)
    # requesting: namingContexts
    #

    #
    dn:
    namingContexts: dc=sobell,dc=com

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

The -x on the command line specifies simple authentication, -s base specifies the scope of the search as the base object, and namingContexts is the attribute you are searching for. The output of this command should look similar to that shown in the preceding example. The namingContexts returned by the search should be the same as the DSE you specified when you set up the front end (page 762).

slapcat
The slapcat utility, which must run as a privileged user (not the LDAP administrator), retrieves information from a slapd database and displays it in LDIF format (page 759). Although slapcat is a useful tool, be careful if you use it to back up a database: Other users may be changing the data as you are backing it up. Following, slapcat shows that the basic LDAP directory contains the two entries set up in the previous sections of this chapter.
    $ sudo slapcat
    dn: dc=sobell,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: Sobell Associates
    dc: Sobell
    description:: U29iZWxsIEV4YW1wbGUg
    structuralObjectClass: organization
    entryUUID: 42d495ba-0785-102f-8764-434c55dbcc7e
    creatorsName: cn=admin,dc=sobell,dc=com
    createTimestamp: 20100608200751Z
    entryCSN: 20100608200751.367377Z#000000#000#000000
    modifiersName: cn=admin,dc=sobell,dc=com
    modifyTimestamp: 20100608200751Z

    dn: cn=admin,dc=sobell,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword:: cG9yY3VwaW5l

The first line of each entry specifies the DN for that entry. The line that starts with dc specifies the DC (domain component). The objectClass lines specify the object classes this entry belongs to. The line that starts with o (short for organizationName) specifies the name of the organization this entry is part of. The server adds more information to the entry, including a UUID number that remains constant throughout the life of the entry, timestamps, and the names of the users who created and modified the entry. A double colon (::) after an attribute name means LDIF has base64-encoded the value (here because the description ends in a space and because userPassword is binary-safe); encoding is not encryption, and cG9yY3VwaW5l decodes to porcupine, so the password entered in tl2.ldif is stored in cleartext. This is why the back-end olcAccess rule restricts userPassword to auth for anonymous users and to the owner and administrator for everything else.

ADD ENTRIES TO THE DIRECTORY

You can use many tools, both graphical and textual, to add information to and query an LDAP directory. This section explains how to use the ldapmodify command-line utility to set up an employee LDAP directory. See page 767 for descriptions of other tools.

When you specify the following file on an ldapmodify command line, ldapmodify adds a second-level entry (one level below the DSE entry) to the LDAP directory. This file adds the object class organizationalUnit named employees (ou=employees). The DN is ou=employees followed by the DSE.

    $ cat sa1.ldif
    dn: ou=employees,dc=sobell,dc=com
    changetype: add
    objectClass: organizationalUnit
    ou: employees

The first line of sa1.ldif specifies the DN for the entry you are adding.
The changetype instruction tells ldapmodify to add the entry to the directory. You can omit this instruction if you use the -a option on the ldapmodify command line or if you use the ldapadd utility instead of ldapmodify. The objectClass line specifies the object classes this entry belongs to. The ou (short for organizationalUnitName) specifies the name of the organizational unit this entry is part of.

The following command modifies the LDAP directory based on the sa1.ldif file. The ldif filename extension is commonly used but is not required for files holding LDIF entries.

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -w porcupine -f sa1.ldif
    adding new entry "ou=employees,dc=sobell,dc=com"

The -x option causes ldapmodify to use simple authentication. The argument following -D specifies the DN of the LDAP administrator of the directory the command is to work with. By specifying this user, this argument also specifies the DSE of the LDAP directory. (The DN of the parent of the LDAP administrator's entry specifies the DSE.) The argument following -w is the password for the LDAP administrator. The name of the input file follows the -f option. The ldapmodify utility reports the DN of the new entry.

With this object class in place, you can add employees to the LDAP directory. The following file adds an employee:

    $ cat sa2.ldif
    dn: cn=Samuel Smith,ou=employees,dc=sobell,dc=com
    changetype: add
    cn: Samuel Smith
    cn: smith
    objectClass: inetOrgPerson
    mail: sls@example.com
    givenName: Samuel
    surname: Smith
    displayName: Samuel L Smith
    telephoneNumber: 999 999 9999
    homePhone: 000 000 0000
    initials: SLS

The following command uses -W to cause ldapmodify to prompt for the LDAP administrator password. Specifying a password in response to a prompt instead of on the command line can improve security by not making the password visible to a user running ps.
    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -W -f sa2.ldif
    Enter LDAP Password:
    adding new entry "cn=Samuel Smith,ou=employees,dc=sobell,dc=com"

Now slapcat shows the employee you just added:

    $ sudo slapcat
    dn: dc=sobell,dc=com
    ...
    dn: cn=Samuel Smith,ou=employees,dc=sobell,dc=com
    cn: Samuel Smith
    cn: smith
    objectClass: inetOrgPerson
    mail: sls@example.com
    givenName: Samuel
    sn: Smith
    displayName: Samuel L Smith
    telephoneNumber: 999 999 9999
    homePhone: 000 000 0000
    initials: SLS
    ...

The DN shows that the new employee is at the third level of the directory structure: The first level is dc=sobell,dc=com; ou=employees,dc=sobell,dc=com is at the second level; and cn=Samuel Smith,ou=employees,dc=sobell,dc=com, the employee, is at the third level.

You can put as many entries in a file as you like, but each must be separated from the next by a blank line. For clarity, the examples in this section show one entry per file. The following example adds another employee at the third level:

    $ cat sa3.ldif
    dn: cn=Helen Simpson,ou=employees,dc=sobell,dc=com
    changetype: add
    cn: Helen Simpson
    cn: simpson
    objectClass: inetOrgPerson
    mail: helen@sobell.com
    givenName: Helen
    surname: Simpson
    displayName: Helen L Simpson
    telephoneNumber: 888 888 8888
    homePhone: 111 111 1111
    initials: HLS

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -W -f sa3.ldif
    Enter LDAP Password:
    adding new entry "cn=Helen Simpson,ou=employees,dc=sobell,dc=com"

The next example uses the ldapmodify modify instruction to replace the mail attribute value and add a title attribute for the employee named Helen Simpson. Because the file specifies Helen's DN, the server knows which entry to modify.
    $ cat sa4.ldif
    dn: cn=Helen Simpson,ou=employees,dc=sobell,dc=com
    changetype: modify
    replace: mail
    mail: hls@sobell.com
    -
    add: title
    title: CTO

The line holding only a hyphen separates the two modifications (replace and add) within the single modify record; LDIF requires it between modifications of one entry.

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -W -f sa4.ldif
    Enter LDAP Password:
    modifying entry "cn=Helen Simpson,ou=employees,dc=sobell,dc=com"

You can use slapcat to verify the change. The final example deletes Helen from the LDAP directory:

    $ cat sa5.ldif
    dn: cn=Helen Simpson,ou=employees,dc=sobell,dc=com
    changetype: delete

    $ ldapmodify -xD "cn=admin,dc=sobell,dc=com" -W -f sa5.ldif
    Enter LDAP Password:
    deleting entry "cn=Helen Simpson,ou=employees,dc=sobell,dc=com"

OTHER TOOLS FOR WORKING WITH LDAP

You can use a variety of tools to work with LDAP. For example, most email clients are able to retrieve data from an LDAP database.

EVOLUTION MAIL

This section explains how to use Evolution (Mail) to retrieve data from the example LDAP database created earlier. It assumes you have configured Evolution on the local system. If you are running KDE, you can use KAddressBook, which is integrated into many KDE tools, including Kontact.

Open the Mail-Evolution window by selecting Main menu: Applications ⇒ Office ⇒ Evolution Mail and Calendar or by giving the command evolution from a terminal emulator or Run Application window (ALT-F2). To query an LDAP database, select File ⇒ New ⇒ Address Book from the menubar. Evolution displays the General tab of the New Address Book window (Figure 21-1, next page).
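Before moving on to the graphical clients, it is worth checking what the olcAccess directives in backend.setup.ldif let an anonymous client, a user bound as self, and the administrator do with each attribute of the entries added above. In slapd the first "to" clause that matches the target is the only one consulted, and within it the first matching "by" clause decides the access level. The following Python script is an added example, not code from the book or from OpenLDAP: it models that evaluation for the four rules in the back-end file (treating dn="..." as an exact match and supporting only the selector forms that appear on the page, a simplification of slapd.access(5)), so a rule set can be reasoned about before it is loaded. The DNs are the ones used in this chapter; the script itself is hypothetical.

```python
"""Toy evaluator for the olcAccess rules used in backend.setup.ldif.

Added example; not part of the book and not OpenLDAP code. It models only the
subset of slapd.access(5) syntax that appears on the page:
  to attrs=<list> | dn.base="<dn>" | *
  by dn="<exact dn>" | anonymous | self | *   <level>
"""
import re

# Access levels in increasing order; a granted level implies every lower one
# (so "write" implies "read", and "auth" implies "disclose" but not "read").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The four olcAccess values from the back-end setup file, in directory order.
BACKEND_RULES = [
    'to attrs=userPassword by dn="cn=admin,dc=sobell,dc=com" write '
    'by anonymous auth by self write by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=sobell,dc=com" write by * read',
]

_BY_CLAUSE = re.compile(r'by\s+(dn="[^"]*"|\S+)\s+(\S+)')


def parse_rule(text):
    """Split one rule into its <what> selector and an ordered list of (who, level)."""
    head, _, rest = text.partition(" by ")
    what = head.split(None, 1)[1]            # drop the leading "to"
    clauses = _BY_CLAUSE.findall("by " + rest)
    for _, level in clauses:
        if level not in LEVELS:
            raise ValueError("unknown access level %r" % level)
    return what, clauses


def _what_matches(what, target_dn, attr):
    """Does this <what> selector apply to the (entry, attribute) being accessed?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    if what.startswith("dn.base="):
        return target_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError("unsupported selector %r" % what)


def _who_matches(who, requester, target_dn):
    """Does this <by> subject describe the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith('dn="'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    raise ValueError("unsupported subject %r" % who)


def granted_level(rules, requester, target_dn, attr=None):
    """Return the access level slapd would grant.

    requester: DN of the bound user, or None for an anonymous bind.
    target_dn: DN of the entry; attr: attribute name, or None for entry-level
    access. The first matching <what> is the only rule consulted, and within it
    the first matching <by> clause wins; no match at all means "none".
    """
    for what, clauses in (parse_rule(r) for r in rules):
        if not _what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"


def allowed(rules, requester, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted_level(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    sam = "cn=Samuel Smith,ou=employees,dc=sobell,dc=com"
    helen = "cn=Helen Simpson,ou=employees,dc=sobell,dc=com"
    admin = "cn=admin,dc=sobell,dc=com"
    for who, entry, attr, need in [(None, sam, "userPassword", "auth"),
                                   (None, sam, "userPassword", "read"),
                                   (sam, sam, "userPassword", "write"),
                                   (sam, helen, "userPassword", "read"),
                                   (admin, helen, "userPassword", "write"),
                                   (None, sam, "mail", "read"),
                                   (None, sam, "mail", "write")]:
        print("%-12s %-48s %-16s %-6s -> %s" % (who or "anonymous", entry, attr, need,
                                               allowed(BACKEND_RULES, who, entry, attr, need)))
```

The results make the intent of the rule set visible: an anonymous bind gets only auth on userPassword (enough to authenticate against it, not enough to read it back), a user can change only his or her own password, and everything not covered by an earlier rule is world-readable because the last rule ends with by * read. Swapping the order of two by clauses, or dropping the final by * none from the first rule, changes the answers, which is why directive order matters when you edit olcAccess.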
Figure 21-1  The New Address Book window, General tab

General tab
Select On LDAP Servers from the drop-down list labeled Type. Enter the name Evolution Mail will use to refer to this LDAP directory in the text box labeled Name; the example uses employees. Enter the FQDN of the LDAP server in the text box labeled Server. If you are experimenting on the local system, enter localhost in this box. If appropriate, change the value in the text box labeled Port. To follow the example in this chapter, select No encryption from the drop-down list labeled Use secure connection. In the section labeled Authentication, select Using distinguished name (DN) from the drop-down list labeled Login method. Enter the DN of the LDAP administrator in the text box labeled Login (the example uses cn=admin,dc=sobell,dc=com).

Details tab
Next click the tab labeled Details (Figure 21-2). Click Find Possible Search Bases. If all is working properly, Evolution will display the Supported Search Bases window. Highlight the DN of the directory you want to use and click OK. Evolution displays the selected DN in the text box labeled Search base. Select Sub from the drop-down list labeled Search scope to enable searches at all levels of the directory. Click OK.

Next click the Contacts button at the lower-left corner of the Mail-Evolution window. CouchDB, On This Computer, and On LDAP Servers appear at the left side of the window.
If the name of the address book you specified (employees in the example) does not appear below On LDAP servers, click the plus sign (+) to the left of this label. Then click the name of the address book you want to work with. Evolution prompts for the LDAP administrator password. Enter the password and click OK.

Figure 21-2  The New Address Book window, Details tab

Evolution highlights the name of the address book; you can now search the LDAP database. Enter the name of an entry in the text box labeled Search at the upper-right corner of the window and press RETURN. Evolution displays the entry. Figure 21-3 shows the result of following the example in this chapter and entering Sam in the Search text box.

Figure 21-3  Contacts - Evolution window

KONQUEROR

If you are running KDE, you can use Konqueror to examine the contents of an LDAP directory.
Enter the following string in the Konqueror location bar and press RETURN:

    ldap://server-name/DN

where server-name is the name or IP address of the LDAP server (or localhost if you are running Konqueror on the server system) and DN is the DN of the entry you want to view. Konqueror displays all entries below the DN you specify. Double-click an entry to display it. For example, to work with the LDAP directory created earlier, enter ldap://localhost/ou=employees,dc=sobell,dc=com in the location bar. In response, Konqueror will display the entries below this DN. You can then click one of these entries to display that entry in its entirety.

CHAPTER SUMMARY

NIS (Network Information Service) simplifies the management of common administrative files by maintaining them in a central database and having clients contact the database server to retrieve information from the database. The network that NIS serves is called an NIS domain. Each NIS domain has one master server; larger networks may have slave servers.

NIS derives the information it offers from local configuration files, such as /etc/passwd and /etc/hosts. These files are called source files or master files. Before NIS can store the information contained in a source file, it must be converted to dbm-format files, called maps. The ypcat and ypmatch utilities display information from NIS maps.

The yppasswd utility replaces the functionality of passwd on clients when you use NIS to authenticate passwords. The /etc/ypserv.conf file, which holds NIS server configuration information, specifies options and access rules for the NIS server. To enhance system security, you can create a /var/yp/securenets file, which prevents unauthorized systems from retrieving NIS maps.

An LDAP (Lightweight Directory Access Protocol) server holds a search- and read-optimized database, called a directory. LDAP clients, such as email clients, query and update this directory.
In addition, authentication servers can use an LDAP directory to authenticate users. Ubuntu provides the OpenLDAP implementation of LDAP. OpenLDAP uses the Sleepycat Berkeley Database, which supports distributed architecture, replication, and encryption.

EXERCISES

1. What is the difference between the passwd and yppasswd utilities?
2. How would you prevent NIS from exporting the root user and other system users to clients?
3. How would you make NIS user information override local user information on client systems?
4. Why does the /etc/passwd file need two NIS maps?
5. How does an LDAP directory differ from a relational database system?
6. What is the basic unit of information in an LDAP directory? What is the structure of an attribute?

ADVANCED EXERCISES

7. How can you use NIS to mirror the functionality of a private DNS server for a small network? Why should NIS not be used this way on a large network?
8. How can you determine whether the working directory is the home directory of an NIS user?
9. a. What advantage does NIS provide when you use it with NFS?
   b. Suggest a way to implement NIS maps so they can be indexed on more than one field.
10. Where is the LDAP device object class defined? Which of its attributes are mandatory and which are optional?
11. How would you determine the longer name for the l (lowercase "l") LDAP object class?

22 NFS: SHARING FILESYSTEMS

IN THIS CHAPTER
Running an NFS Client ... 776
JumpStart I: Mounting a Remote Directory Hierarchy ... 777
Improving Performance ... 780
Setting Up an NFS Server ... 782
JumpStart II: Configuring an NFS Server Using shares-admin ... 783
Manually Exporting a Directory Hierarchy ... 785
automount: Mounts Directory Hierarchies on Demand ... 792

The NFS (Network Filesystem) protocol, a UNIX de facto standard developed by Sun Microsystems, allows a server to share selected local directory hierarchies with client systems on a heterogeneous network. NFS runs on UNIX, DOS, Windows, VMS, Linux, and more. Files on the remote computer (the fileserver) appear as if they are present on the local system (the client). Most of the time, the physical location of a file is irrelevant to an NFS user; all standard Linux utilities work with NFS remote files the same way as they operate with local files.

NFS reduces storage needs and system administration workload. As an example, each system in a company traditionally holds its own copy of an application program. To upgrade the program, the administrator needs to upgrade it on each system. NFS allows you to store a copy of a program on a single system and give other users access to it over the network. This scenario minimizes storage requirements by reducing the number of locations that need to maintain the same data. In addition to boosting efficiency, NFS gives users on the network access to the same data (not just application programs), thereby improving data consistency and reliability. By consolidating data, it reduces administrative overhead and provides a convenience to users. This chapter covers NFSv3.

INTRODUCTION TO NFS

Figure 22-1 shows the flow of data in a typical NFS client/server setup. An NFS directory hierarchy appears to users and application programs as just another directory hierarchy. By looking at it, you cannot tell that a given directory holds a remotely mounted NFS directory hierarchy and not a local filesystem. The NFS server translates commands from the client into operations on the server's filesystem.
Diskless systems
In many computer facilities, user files are stored on a central fileserver equipped with many large-capacity disk drives and devices that quickly and easily make backup copies of the data. A diskless system boots from a fileserver (netboots—discussed next) or a CD/DVD and loads system software from a fileserver. The Linux Terminal Server Project (LTSP.org) Web site says it all: "Linux makes a great platform for deploying diskless workstations that boot from a network server. The LTSP is all about running thin client computers in a Linux environment." Because a diskless workstation does not require a lot of computing power, you can give older, retired computers a second life by using them as diskless systems.

Netboot/PXE
You can netboot (page 1161) systems that are appropriately set up. Ubuntu Linux includes the PXE (Preboot Execution Environment; pxe package) server package for netbooting Intel systems. Older systems sometimes use tftp (Trivial File Transfer Protocol; tftp and tftpd packages) for netbooting. Non-Intel architectures have historically included netboot capabilities, which Ubuntu Linux also supports. In addition, you can build the Linux kernel so it mounts root (/) using NFS. Given the many ways to set up a system, the one you choose depends on what you want to do. See the Remote-Boot mini-HOWTO for more information.

Dataless systems
Another type of Linux system is a dataless system, in which the client has a disk but stores no user data (only Linux and the applications are kept on the disk). Setting up this type of system is a matter of choosing which directory hierarchies are mounted remotely.

df: shows where directory hierarchies are mounted
The df utility displays a list of the directory hierarchies available on the system, along with the amount of disk space, free and used, on each. The -h (human) option makes the output more intelligible.
Device names in the left column that are prepended with hostname: specify filesystems that are available through NFS.

    zach@plum:~$ cd;pwd
    /dog.home/zach
    zach@plum:~$ df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda1              28G  8.9G   18G  35% /
    /dev/sda2              28G  220M   26G   1% /home
    /dev/sda5             9.2G  150M  8.6G   2% /pl5
    /dev/sda6             1.4G   35M  1.3G   3% /pl6
    dog:/home/zach         19G  6.7G   11G  39% /dog.home/zach
    grape:/gc1            985M   92M  844M  10% /grape.gc1
    grape:/gc5            3.9G  3.0G  738M  81% /grape.gc5

Figure 22-1  Flow of data in a typical NFS client/server setup

In the preceding example, Zach's home directory, /home/zach, is on the remote system dog. Using NFS, the /home/zach directory hierarchy on dog is mounted on plum; to make it easy to recognize, it is mounted as /dog.home/zach. The /gc1 and /gc5 filesystems on grape are mounted on plum as /grape.gc1 and /grape.gc5, respectively.

You can use the -T option to df to add a Type column to the display. The following command uses -t nfs to display NFS filesystems only:

    zach@plum:~$ df -ht nfs
    Filesystem            Size  Used Avail Use% Mounted on
    dog:/home/zach         19G  6.7G   11G  39% /dog.home/zach
    grape:/gc1            985M   92M  844M  10% /grape.gc1
    grape:/gc5            3.9G  3.0G  738M  81% /grape.gc5

Errors
Sometimes a client may lose access to files on an NFS server. For example, a network problem or a remote system crash may make these files temporarily unavailable. If you try to access a remote file in these circumstances, you will get an error message, such as NFS server dog not responding. When the local system can contact the remote server again, NFS will display another message, such as NFS server dog OK. A stable network and server (or not using NFS) is the best defense against this problem.
Security
NFS is based on the trusted-host paradigm (page 391), so it has all the security shortcomings that plague other services based on this paradigm. In addition, NFS is not encrypted. Because of these issues, you should implement NFS on a single LAN segment only, where you can be (reasonably) sure systems on the LAN segment are what they claim to be. Make sure a firewall blocks NFS traffic from outside the LAN and never use NFS over the Internet. To improve security, make sure UIDs and GIDs are the same on the server and clients (page 788).

NFSv4
NFSv4 addresses many of these security issues, including the problem of users having different UIDs on different systems (NFSv4 uses usernames, not UID numbers). The new version of NFS adds Kerberos authentication, provides for encrypted file transfers, and increases WAN performance.

MORE INFORMATION

Web
Good information on NFS, including the Linux NFS-HOWTO: nfs.sourceforge.net
Running NFS behind a firewall: wiki.debian.org/SecuringNFS
autofs tutorial: www.linuxhq.com/lg/issue24/nielsen.html

Local
man pages: autofs, automount, auto.master, exportfs, exports, nfs (provides fstab information), rpc.idmapd, rpc.mountd, rpc.nfsd, and showmount

HOWTO
Linux NFS-HOWTO: nfs.sourceforge.net
Netboot and PXE: Remote-Boot mini-HOWTO
Automount mini-HOWTO

Book
NFS Illustrated by Callaghan, Addison-Wesley (January 2000)

RUNNING AN NFS CLIENT

This section describes how to set up an NFS client, mount remote directory hierarchies, and improve NFS performance.

PREREQUISITES

Installation
Install the following package:

• nfs-common

portmap
The portmap utility (which is part of the portmap package and is installed as a dependency when you install nfs-common; page 406) must be running to enable reliable file locking.
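The Security paragraph above says to keep UIDs and GIDs the same on the server and its clients. With NFSv3 only the numbers travel on the wire, and each client turns them into names using its own passwd file, so a name that carries a different number on the two sides makes one user's files show up as another's. The following Python script is an added example, not from the book: it compares two passwd tables (both constructed here; a real check would read /etc/passwd or getent passwd output from each machine) and reports names that map to different numbers, numbers that map to different names, and names only one side knows. The function and variable names are the example's own.

```python
"""Check that user names and numeric IDs agree between an NFS server and a client.

Added example, not from the book. NFSv3 carries only numeric UIDs and GIDs,
so each client maps them to names with its own passwd file; a name that has a
different number on the two sides shows up with the wrong owner. The two
tables below are constructed for the example; on real systems pass in the
contents of /etc/passwd (or "getent passwd" output) from each machine.
"""

# Constructed server-side passwd(5) table.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
zach:x:1000:1000:Zach:/home/zach:/bin/bash
sam:x:1001:1001:Sam:/home/sam:/bin/bash
max:x:1002:1002:Max:/home/max:/bin/bash
"""

# Constructed client-side table: sam was created later here and got 1002,
# and 1001 belongs to a user the server does not know.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
zach:x:1000:1000:Zach:/home/zach:/bin/bash
sam:x:1002:1002:Sam:/home/sam:/bin/bash
helen:x:1001:1001:Helen:/home/helen:/bin/bash
"""


def parse_passwd(text):
    """Map name -> (uid, gid) from passwd(5)-format text, skipping comments."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = (int(fields[2]), int(fields[3]))
    return table


def compare_ids(server_text, client_text):
    """Report every way the two tables disagree.

    mismatch:    names on both sides whose (uid, gid) differ
    collision:   UIDs present on both sides that belong to different names
    server_only: names only the server knows (shown as a bare number on the client)
    client_only: names only the client knows
    """
    server, client = parse_passwd(server_text), parse_passwd(client_text)
    shared = server.keys() & client.keys()
    mismatch = {n: (server[n], client[n]) for n in sorted(shared) if server[n] != client[n]}

    server_by_uid = {uid: n for n, (uid, _) in server.items()}
    client_by_uid = {uid: n for n, (uid, _) in client.items()}
    collision = {uid: (server_by_uid[uid], client_by_uid[uid])
                 for uid in sorted(server_by_uid.keys() & client_by_uid.keys())
                 if server_by_uid[uid] != client_by_uid[uid]}
    return {
        "mismatch": mismatch,
        "collision": collision,
        "server_only": sorted(server.keys() - client.keys()),
        "client_only": sorted(client.keys() - server.keys()),
    }


def owner_as_seen(server_text, client_text, server_uid):
    """For a file owned by server_uid on the server, return (server_name, client_name):
    what the owner is called on the server versus what ls shows on the client."""
    server_by_uid = {uid: n for n, (uid, _) in parse_passwd(server_text).items()}
    client_by_uid = {uid: n for n, (uid, _) in parse_passwd(client_text).items()}
    return (server_by_uid.get(server_uid, str(server_uid)),
            client_by_uid.get(server_uid, str(server_uid)))


if __name__ == "__main__":
    for key, value in compare_ids(SERVER_PASSWD, CLIENT_PASSWD).items():
        print("%-12s %s" % (key + ":", value))
    print("server uid 1002 (%s) appears on the client as %s"
          % owner_as_seen(SERVER_PASSWD, CLIENT_PASSWD, 1002))
```

On the constructed tables the report flags sam (1001 on the server, 1002 on the client) and shows that anything max owns on the server is presented to the client as belonging to sam. That is the concrete form of the chapter's warning, and it is what NFSv4's name-based mapping, mentioned next, is designed to remove.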
nfs-common init script
When you install the nfs-common package, the dpkg postinst script starts the daemons that an NFS client requires (not all daemons are always required): rpc.statd, rpc.lockd (does not run but starts the NFS lock manager if necessary), rpc.idmapd, and rpc.gssd. You do not normally need to restart any of these daemons.

JUMPSTART I: MOUNTING A REMOTE DIRECTORY HIERARCHY

To set up an NFS client, mount the remote directory hierarchy the same way you mount a local directory hierarchy (page 506). The following examples show two ways to mount a remote directory hierarchy, assuming dog is on the same network as the local system and is sharing /home and /export with the local system. The /export directory on dog holds two directory hierarchies you want to mount: /export/progs and /export/oracle. The example mounts dog's /home directory on /dog.home on the local system, /export/progs on /apps, and /export/oracle on /oracle.

First run mkdir on the local (client) system to create the directories that are the mount points for the remote directory hierarchies:

    $ sudo mkdir /dog.home /apps /oracle

You can mount any directory hierarchy from an exported directory hierarchy. In this example, dog exports /export and the local system mounts /export/progs and /export/oracle. The following commands manually mount the directory hierarchies one time:

    $ sudo mount dog:/home /dog.home
    $ sudo mount -o ro,nosuid dog:/export/progs /apps
    $ sudo mount -o ro dog:/export/oracle /oracle

If you receive the error mount: RPC: Program not registered, it may mean NFS is not running on the server.

By default, directory hierarchies are mounted read-write, assuming the NFS server is exporting them with read-write permissions.
The first of the preceding commands mounts the /home directory hierarchy from dog on the local directory /dog.home. The second and third commands use the -o ro option to force a readonly mount. The second command adds the nosuid option, which forces setuid (page 218) executables in the mounted directory hierarchy to run with regular permissions on the local system.

nosuid option
If a user has the ability to run a setuid program, that user has the power of a user with root privileges. This ability should be limited. Unless you know a user will need to run a program with setuid permissions from a mounted directory hierarchy, always mount a directory hierarchy with the nosuid option. For example, you would need to mount a directory hierarchy with setuid privileges when the root partition of a diskless workstation is mounted using NFS.

nodev option
Mounting a device file creates another potential security hole. Although the best policy is not to mount untrustworthy directory hierarchies, it is not always possible to implement this policy. Unless a user needs to use a device on a mounted directory hierarchy, mount directory hierarchies with the nodev option, which prevents character and block special files (page 504) on the mounted directory hierarchy from being used as devices.

fstab file
If you mount directory hierarchies frequently, you can add entries for the directory hierarchies to the /etc/fstab file (page 781). (Alternatively, you can use automount; see page 792.) The following /etc/fstab entries automatically mount the same directory hierarchies as in the previous example at the same time that the system mounts the local filesystems:

    $ cat /etc/fstab
    ...
    dog:/home           /dog.home  nfs  rw         0 0
    dog:/export/progs   /apps      nfs  ro,nosuid  0 0
    dog:/export/oracle  /oracle    nfs  ro         0 0

A file mounted using NFS is always of type nfs on the local system, regardless of what type it is on the remote system. Typically you do not run fsck on or back up an NFS directory hierarchy. The entries in the third, fifth, and sixth columns of fstab are usually nfs (filesystem type), 0 (do not back up this directory hierarchy with dump [page 603]), and 0 (do not run fsck [page 512] on this directory hierarchy). The options for mounting an NFS directory hierarchy differ from those for mounting an ext4 or other type of filesystem. See the section on mount (below) for details.

Unmounting directory hierarchies
Use umount to unmount a remote directory hierarchy the same way you unmount a local filesystem (page 509).

mount: MOUNTS A DIRECTORY HIERARCHY

The mount utility (page 506) associates a directory hierarchy with a mount point (a directory). You can use mount to mount an NFS (remote) directory hierarchy. This section describes some mount options. It lists default options first, followed by nondefault options (enclosed in parentheses). You can use these options on the command line or set them in /etc/fstab (page 781). For a complete list of options, refer to the mount and nfs man pages.

ATTRIBUTE CACHING

A file's inode (page 501) stores file attributes that provide information about a file, such as file modification time, size, links, and owner. File attributes do not include the data stored in a file. Typically file attributes do not change very often for an ordinary file; they change even less often for a directory file.
Even the size attribute does not change with every write instruction: When a client is writing to an NFS-mounted file, several write instructions may be given before the data is transferred to the server. In addition, many file accesses, such as that performed by ls, are readonly operations and, therefore, do not change the file's attributes or its contents. Thus a client can cache attributes and avoid costly network reads.

The kernel uses the modification time of the file to determine when its cache is out-of-date. If the time the attribute cache was saved is later than the modification time of the file itself, the data in the cache is current. The server must periodically refresh the attribute cache of an NFS-mounted file to determine whether another process has modified the file. This period is specified as a minimum and maximum number of seconds for ordinary and directory files. Following is a list of options that affect attribute caching:

ac (noac)
    (attribute cache) Permits attribute caching (default). The noac option disables attribute caching. Although noac slows the server, it avoids stale attributes when two NFS clients actively write to a common directory hierarchy.

acdirmax=n
    (attribute cache directory file maximum) The n is the number of seconds, at a maximum, that NFS waits before refreshing directory file attributes (default is 60 seconds).

acdirmin=n
    (attribute cache directory file minimum) The n is the number of seconds, at a minimum, that NFS waits before refreshing directory file attributes (default is 30 seconds).

acregmax=n
    (attribute cache regular file maximum) The n is the number of seconds, at a maximum, that NFS waits before refreshing regular file attributes (default is 60 seconds).

acregmin=n
    (attribute cache regular file minimum) The n is the number of seconds, at a minimum, that NFS waits before refreshing regular file attributes (default is 3 seconds).
actimeo=n
    (attribute cache timeout) Sets acregmin, acregmax, acdirmin, and acdirmax to n seconds (without this option, each individual option takes on its assigned or default value).

ERROR HANDLING

The following options control what NFS does when the server does not respond or when an I/O error occurs. To allow for a mount point located on a mounted device, a missing mount point is treated as a timeout.

fg (bg)
    (foreground) Retries failed NFS mount attempts in the foreground (default). The bg (background) option retries failed NFS mount attempts in the background.

hard (soft)
    Displays NFS server not responding on the console on a major timeout and keeps retrying (default). The soft option reports an I/O error to the calling program on a major timeout. In general, it is not advisable to use soft. As the mount man page says of soft, "Usually it just causes lots of trouble." For more information refer to "Improving Performance" on page 780.

nointr (intr)
    (no interrupt) Does not allow a signal to interrupt a file operation on a hard-mounted directory hierarchy when a major timeout (see retrans) occurs (default). The intr option allows this type of interrupt.

retrans=n
    (retransmission value) After n minor timeouts, NFS generates a major timeout (default is 3). A major timeout aborts the operation or displays server not responding on the console, depending on whether hard or soft is set.

retry=n
    (retry value) The number of minutes that NFS retries a mount operation before giving up (default is 10,000).

timeo=n
    (timeout value) The n is the number of tenths of a second that NFS waits before retransmitting following an RPC, or minor, timeout (default is 7). The value is increased at each timeout to a maximum of 60 seconds or until a major timeout occurs (see retrans).
On a busy network, in case of a slow server, or when the request passes through multiple routers, increasing this value may improve performance. See "Timeouts" below for more information.

MISCELLANEOUS OPTIONS

Following are additional useful options:

lock (nolock)  Permits NFS locking (default). The nolock option disables NFS locking (does not start the lockd daemon) and is useful with older servers that do not support NFS locking.

nodev  (no device) Causes mounted device files not to function as devices (page 777).

port=n  The port used to connect to the NFS server (defaults to 2049 if the NFS daemon is not registered with portmap). When n is set to 0 (default), NFS queries portmap on the server to determine the port.

rsize=n  (read block size) The number of bytes read at one time from an NFS server. The default block size is 4096. Refer to "Improving Performance."

wsize=n  (write block size) The number of bytes written at one time to an NFS server. The default block size is 4096. Refer to "Improving Performance."

tcp  Uses TCP in place of the default UDP protocol for an NFS mount. This option may improve performance on a congested network; however, some NFS servers support UDP only.

udp  Uses the default UDP protocol for an NFS mount.

IMPROVING PERFORMANCE

hard/soft  Several parameters can affect the performance of NFS, especially over slow connections such as a line with a lot of traffic or a line controlled by a modem. If you have a slow connection, make sure hard (page 779) is set (this setting is the default) so that timeouts do not abort program execution.

Block size  One of the easiest ways to improve NFS performance is to increase the block size—that is, the number of bytes NFS transfers at a time. The default of 4096 is low for a fast connection using modern hardware. Try increasing rsize and wsize (both above) to 8192 or higher. Experiment until you find the optimal block size.
Unmount and mount the directory hierarchy each time you change an option. See the Linux NFS-HOWTO for more information on testing different block sizes.

Timeouts  NFS waits the amount of time specified by the timeo (timeout, page 779) option for a response to a transmission. If it does not receive a response in this amount of time, NFS sends another transmission. The second transmission uses bandwidth that, over a slow connection, may slow things down even more. You may be able to increase performance by increasing timeo. The default value of timeo is seven-tenths of a second (700 milliseconds). After a timeout, NFS doubles the time it waits to 1400 milliseconds. On each timeout it doubles the amount of time it waits to a maximum of 60 seconds. You can test the speed of a connection with the size of packets you are sending (rsize and wsize; both on page 780) by using ping with the -s (size) option:

$ ping -s 4096 dog
PING dog (192.168.0.12) 4096(4124) bytes of data.
4104 bytes from dog (192.168.0.12): icmp_seq=1 ttl=64 time=0.823 ms
4104 bytes from dog (192.168.0.12): icmp_seq=2 ttl=64 time=0.814 ms
4104 bytes from dog (192.168.0.12): icmp_seq=3 ttl=64 time=0.810 ms
...
4104 bytes from dog (192.168.0.12): icmp_seq=28 ttl=64 time=0.802 ms
4104 bytes from dog (192.168.0.12): icmp_seq=29 ttl=64 time=0.802 ms
4104 bytes from dog (192.168.0.12): icmp_seq=30 ttl=64 time=0.801 ms

--- dog.bogus.com ping statistics ---
30 packets transmitted, 30 received, 0% packet loss, time 28999ms
rtt min/avg/max/mdev = 0.797/0.803/0.823/0.020 ms

The preceding example uses Ubuntu Linux's default packet size of 4096 bytes and shows a fast average packet round-trip time of slightly less than 1 millisecond. Over a modem line, you can expect times of several seconds. If the connection is dealing with other traffic, the time will be even longer. Run the test during a period of heavy traffic.
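The timeo/retrans behaviour described above, worked through as an added example (this is not code from the book): a small Python model that parses the option field of an fstab NFS line and computes the retransmission schedule and the time until a major timeout. It assumes exactly what the text states (timeo in tenths of a second, the wait doubling after each minor timeout up to 60 seconds, a major timeout after retrans minor timeouts, hard retrying and soft returning an I/O error); the fstab lines it runs on are the ones from this section plus one constructed slow-link entry, and it is not kernel code.

```python
"""Added example (not the book's code): model the client-side retransmission
behaviour that the timeo, retrans and hard/soft mount options produce,
starting from an fstab line.

Assumed behaviour (as the text states it): timeo is in tenths of a second,
the wait doubles after every minor timeout up to a 60-second ceiling, and
after retrans minor timeouts NFS declares a major timeout. With hard (the
default) it logs 'server not responding' and keeps retrying; with soft the
calling program gets an I/O error. This is the documented semantics, not
the kernel's exact implementation."""
from dataclasses import dataclass

MAX_WAIT_SECONDS = 60.0  # ceiling given in the timeo description


@dataclass
class NfsMountOptions:
    timeo: int = 7      # tenths of a second; default 7 = 0.7 s
    retrans: int = 3    # minor timeouts before a major timeout; default 3
    hard: bool = True   # hard is the default, soft is the alternative
    extra: tuple = ()   # options this model does not interpret (rsize, ...)


def parse_nfs_options(option_field: str) -> NfsMountOptions:
    """Parse the comma-separated option field of an fstab or mount line."""
    opts = NfsMountOptions()
    extra = []
    for item in filter(None, (s.strip() for s in option_field.split(","))):
        key, _, value = item.partition("=")
        if key == "timeo":
            opts.timeo = int(value)
        elif key == "retrans":
            opts.retrans = int(value)
        elif key == "hard":
            opts.hard = True
        elif key == "soft":
            opts.hard = False
        else:
            extra.append(item)
    opts.extra = tuple(extra)
    return opts


def parse_fstab_line(line: str):
    """Split e.g. 'dog:/export /dog.export nfs timeo=50,hard 0 0' into
    (device, mount_point, fstype, NfsMountOptions)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab line needs device, mount point, type, options: " + line)
    device, mount_point, fstype, option_field = fields[:4]
    if fstype != "nfs":
        raise ValueError("not an NFS mount: " + line)
    return device, mount_point, fstype, parse_nfs_options(option_field)


def retransmission_schedule(opts: NfsMountOptions) -> list:
    """Seconds waited before each retransmission until the major timeout."""
    waits, wait = [], opts.timeo / 10.0
    for _ in range(opts.retrans):
        waits.append(wait)
        wait = min(wait * 2, MAX_WAIT_SECONDS)  # doubles, capped at 60 s
    return waits


def seconds_to_major_timeout(opts: NfsMountOptions) -> float:
    """Total time from the first transmission until a major timeout."""
    return round(sum(retransmission_schedule(opts)), 1)


def describe(line: str) -> str:
    """Summarise what an fstab entry means when the server stops answering."""
    device, mount_point, _, opts = parse_fstab_line(line)
    outcome = ("logs 'server not responding' and keeps retrying (hard)"
               if opts.hard else
               "returns an I/O error to the program (soft; 'lots of trouble')")
    return "%s on %s: waits %s s, major timeout after %s s, then %s" % (
        device, mount_point, retransmission_schedule(opts),
        seconds_to_major_timeout(opts), outcome)


if __name__ == "__main__":
    # The first three lines are this section's fstab examples; the last one
    # is constructed to show the 60-second cap and the soft behaviour.
    for entry in ("grape:/gcl /grape.gcl nfs rsize=8192,wsize=8192 0 0",
                  "dog:/export /dog.export nfs timeo=50,hard 0 0",
                  "dog:/home /dog.home nfs timeo=4,rsize=16384,wsize=16384 0 0",
                  "slow:/data /mnt/data nfs timeo=400,soft 0 0"):
        print(describe(entry))
```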
Try increasing timeo to three or four times the average round-trip time (to allow for unusually bad network conditions, such as when the connection is made) and see whether performance improves. Remember that the timeo value is given in tenths of a second (100 milliseconds = one-tenth of a second).

/etc/fstab: MOUNTS DIRECTORY HIERARCHIES AUTOMATICALLY

The /etc/fstab file (page 510) lists directory hierarchies that the system mounts automatically as it comes up. You can use the options discussed in the preceding sections on the command line or in the fstab file. The following line from fstab mounts grape's /gcl filesystem on the /grape.gcl mount point:

grape:/gcl /grape.gcl nfs rsize=8192,wsize=8192 0 0

A mount point should be an empty, local directory. (Files in a mount point are hidden when a directory hierarchy is mounted on it.) The type of a filesystem mounted using NFS is always nfs, regardless of its type on its local system. You can increase the rsize and wsize options to improve performance. Refer to "Improving Performance" on page 780. The next example from fstab mounts a filesystem from dog:

dog:/export /dog.export nfs timeo=50,hard 0 0

Because the local system connects to dog over a slow connection, timeo is increased to 5 seconds (50 tenths of a second). Refer to "Timeouts" on page 780. In addition, hard is set to make sure NFS keeps trying to communicate with the server after a major timeout. Refer to "hard/soft" on page 780.

The final example from fstab shows a remote-mounted home directory.
Because dog is a local server and is connected via a reliable, high-speed connection, timeo is decreased and rsize and wsize are increased substantially:

dog:/home /dog.home nfs timeo=4,rsize=16384,wsize=16384 0 0

SETTING UP AN NFS SERVER

PREREQUISITES

Installation  Install the following package:
• nfs-kernel-server

portmap  The portmap utility (which is part of the portmap package and is installed as a dependency when you install nfs-kernel-server; page 406) must be running to enable reliable file locking.

nfs-kernel-server  When you install the nfs-kernel-server package, the dpkg postinst script starts the nfsd (NFS kernel) daemon. After you configure NFS, call the nfs-kernel-server init script to reexport directory hierarchies and restart the nfsd daemon:

$ sudo service nfs-kernel-server restart
 * Stopping NFS kernel daemon                          [ OK ]
 * Unexporting directories for NFS kernel daemon...    [ OK ]
 * Exporting directories for NFS kernel daemon...      [ OK ]
 * Starting NFS kernel daemon                          [ OK ]

After changing the NFS configuration on an active server, use reload in place of restart to reexport directory hierarchies without disturbing clients connected to the server.

NOTES

Firewall  An NFS server normally uses TCP port 111 for portmap and TCP port 2049 for nfsd. In addition, unless you instruct it otherwise, the NFS server uses portmap to assign (almost) random ports for the services it provides: rpc.statd, rpc.mountd, and (optionally) rpc.quotad. It is difficult to set up a firewall to protect a server from queries from random ports; it is much easier to specify which port each of these services uses.
To specify the ports that NFS services use, modify the lines in the following files as shown:

$ grep STATD /etc/default/nfs-common
NEED_STATD=
STATDOPTS="--port 32765 --outgoing-port 32766"

$ grep MOUNTD /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"

$ grep QUOTAD /etc/default/quota
RPCQUOTADOPTS="-p 32769"

If you are not running rpc.quotad, you do not need to create or modify the quota file. The ports used in the example are the ones suggested in the Linux NFS-HOWTO, but you can use any unused ports you like. See wiki.debian.org/SecuringNFS for more information. If the NFS server system is running a firewall, you need to open ports 111 and 2049. To do so, use gufw (page 876) to set a policy that allows NFS service. In addition, open the ports you specified in the files in /etc/default, as explained earlier. Because gufw has no defined policy for these ports, you need to specify the ports manually when you add a rule in gufw.

Security  The rpc.mountd daemon uses TCP wrappers to control client access to the server. As explained on page 465, you can set up /etc/hosts.allow and /etc/hosts.deny files to specify which clients can contact rpc.mountd on the server and thereby use NFS. The name of the daemon to use in these files is mountd.

JUMPSTART II: CONFIGURING AN NFS SERVER USING shares-admin

The Shared Folders window (Figure 22-2) enables the local system to share directory hierarchies using Samba (Chapter 23) and/or NFS. To display this window, give the command shares-admin from a terminal emulator or Run Application window (ALT-F2). Click the lock icon labeled Click to make changes and enter your password to enable you to use this window to set up shares. As part of the process of setting up an NFS server, the Shared Folders window modifies the /etc/exports file.
If the system is running a firewall, see "Firewall" on page 782. The shares-admin utility allows you to specify which directory hierarchies you want to share and how they are shared using NFS. Each exported hierarchy is called a share—terminology that is borrowed from Samba.

Figure 22-2 The Shared Folders window

Figure 22-3 The Share Folder window

To add a share, click Add, which displays the Share Folder window (Figure 22-3). This window has two sections: Shared Folder and Allowed Hosts. In the first section, choose the pathname of the directory hierarchy you want to share from the list box labeled Path. If the directory you want is not listed, click Other; then double-click File System in the Places column and double-click the directory you want in the Name column. Continue selecting directories in the Name column until the buttons at the top of the window display the pathname of the directory hierarchy you want to share. Click Open to select the directory hierarchy. Then select Unix networks (NFS) from the list box labeled Share through. In the Allowed Hosts section of the Share Folder window, click Add to display the Add Allowed Hosts window (Figure 22-4). Select Specify hostname, Specify IP address, or Specify network from the list box labeled Allowed hosts and specify the system in the text box labeled Host name, IP address, or Network. Put a tick in the check box labeled Read only if you do not want users on the remote system to be able to write to the mounted directory hierarchy. Click OK. The shares-admin utility stores this information in /etc/exports.
Click Add and repeat this process for each system you want to be able to access the directory hierarchy specified in the list box labeled Path. Click Share. To modify a share, highlight the object representing the share in the Shared Folders window and click Properties, or double-click the object. The shares-admin utility displays the Settings for Folder share-name window. To modify an existing host, you must delete it from the Allowed Hosts list and then add it again. Make the changes you want and click OK. To remove a share, highlight the object representing the share in the Shared Folders window and click Delete. Click Close when you are finished setting up shares. There is no need to restart any daemons. After running shares-admin, give the following command from a terminal emulator:

$ sudo exportfs -r

Figure 22-4 The Add Allowed Hosts window

You can ignore error messages that refer to subtree_check. For more information on this parameter, see page 787. Give the command exportfs without any options to display a list of exported directory hierarchies and the systems each is exported to:

$ exportfs
/p16            192.168.0.12

See page 791 for more information on exportfs.

MANUALLY EXPORTING A DIRECTORY HIERARCHY

Exporting a directory hierarchy makes the directory hierarchy available for mounting by designated systems via a network. "Exported" does not mean "mounted": When a directory hierarchy is exported, it is placed in the list of directory hierarchies that can be mounted by other systems. An exported directory hierarchy may be mounted (or not) at any given time.
Exporting symbolic links and device files  tip  When you export a directory hierarchy that contains a symbolic link, make sure the object of the link is available on the client (remote) system. If the object of the link does not exist on a client system, you must export and mount it along with the exported link. Otherwise, the link will not point to the same file it points to on the server.
A device file refers to a Linux kernel interface. When you export a device file, you export that interface. If the client system does not have the same type of device available, the exported device will not work. To improve security on a client, you can use mount's nodev option (page 777) to prevent device files on mounted directory hierarchies from being used as devices.

A mounted directory hierarchy whose mount point is within an exported partition is not exported with the exported partition. You need to explicitly export each directory hierarchy you want exported, even if it resides within an already exported directory hierarchy. For example, assume two directory hierarchies, /opt/apps and /opt/apps/oracle, reside on two partitions. You must export each directory hierarchy explicitly, even though oracle is a subdirectory of apps. Most other subdirectories and files are exported automatically.

/etc/exports: HOLDS A LIST OF EXPORTED DIRECTORY HIERARCHIES

The /etc/exports file is the access control list for exported directory hierarchies that NFS clients can mount; it is the only file you need to edit to set up an NFS server. The exportfs utility (page 791) reads this file when it updates the files in /var/lib/nfs (page 789), which the kernel uses to keep its mount table current.
The exports file controls the following NFS characteristics:

• Which clients can access the server (see also "Security" on page 776)
• Which directory hierarchies on the server each client can access
• How each client can access each directory hierarchy
• How client usernames are mapped to server usernames
• Various NFS parameters

Each line in the exports file has the following format:

export-point client1(option-list) [client2(option-list) ... ]

where export-point is the absolute pathname of the root directory of the directory hierarchy to be exported. The client1-n are the names or IP addresses of one or more clients, separated by SPACEs, that are allowed to mount the export-point. The option-list, described in the next section, is a comma-separated list of options that applies to the preceding client; it must not contain any SPACEs. There must not be any SPACE between each client name and the open parenthesis that starts the option-list. You can either use shares-admin (page 783) to make changes to exports or edit this file manually. The following exports file gives grape read and write access to /home, and jam and the system at 192.168.0.12 read and write access to /p16:

$ cat /etc/exports
/home     grape(rw,no_subtree_check)
/p16      192.168.0.12(rw,no_subtree_check) jam(rw,no_subtree_check)

The specified directories are on the local server. In each case, access is implicitly granted for the directory hierarchy rooted at the exported directory. You can specify IP addresses or hostnames and you can specify more than one client system on a line. By default, directory hierarchies are exported in readonly mode. The current version of exportfs complains when you do not specify either subtree_check or no_subtree_check (page 787).

GENERAL OPTIONS

The left column of this section lists default options, followed by nondefault options enclosed in parentheses. Refer to the exports man page for more information.
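The exports file format just described and the option semantics of this section, as an added example that is not the book's code: a small Python parser and audit for /etc/exports. The sample file is constructed for the example (its /home and /p16 lines mirror the book's example; the other entries are hypothetical misconfigurations), and the checks simply apply the option descriptions given here (ro is the default, exportfs warns when neither subtree_check nor no_subtree_check is present, no_root_squash, insecure, all_squash, and the SPACE before an option list that the format forbids).

```python
"""Added example (not the book's code): parse /etc/exports in the format
described in this section and report entries whose options weaken access
control. The sample file is constructed for this example; only its /home
and /p16 lines mirror the book's example, the rest are hypothetical
misconfigurations. The checks apply the option descriptions of this
section: ro is the default, exportfs warns when neither subtree_check nor
no_subtree_check is given, no_root_squash lets a remote root act as root,
insecure accepts requests from unprivileged ports, and a bare option list
preceded by a SPACE ('jam (rw)') applies to every host rather than to jam."""
import re
from dataclasses import dataclass, field

SAMPLE_EXPORTS = """\
# export-point   client(option-list) [client(option-list) ...]
/home     grape(rw,no_subtree_check)
/p16      192.168.0.12(rw,no_subtree_check) jam(rw,no_subtree_check)
/srv/pub  *(ro,insecure)
/opt/apps jam (rw,no_root_squash)
/var/ftp  192.168.0.0/24(ro,all_squash,anonuid=65534,anongid=65534)
"""

# client, or client(option-list); no whitespace or parentheses in the name
CLIENT_RE = re.compile(r"^([^\s()]+)(?:\((.*)\))?$")


@dataclass
class ExportEntry:
    export_point: str
    clients: dict = field(default_factory=dict)  # client -> list of options


def parse_exports(text):
    """Return (entries, syntax_findings); findings are (lineno, export, msg)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        entry = ExportEntry(fields[0])
        for token in fields[1:]:
            if token.startswith("(") and token.endswith(")"):
                # The SPACE the text forbids: the option list has no client in
                # front of it, so it applies to the world ('*') and the client
                # before it silently gets the defaults (ro).
                findings.append((lineno, entry.export_point,
                                 "SPACE before option list %s: applies to '*'" % token))
                entry.clients["*"] = token[1:-1].split(",")
                continue
            match = CLIENT_RE.match(token)
            if match is None:
                findings.append((lineno, entry.export_point, "cannot parse " + token))
                continue
            client, opts = match.group(1), match.group(2)
            entry.clients[client] = opts.split(",") if opts else []
        entries.append(entry)
    return entries, findings


def audit_entry(entry):
    """Findings for one export as (severity, export_point, client, message)."""
    out = []
    for client, opts in entry.clients.items():
        o = set(opts)
        msgs = []
        if client == "*":
            msgs.append(("high", "exported to every host"))
        if "no_root_squash" in o:
            msgs.append(("high", "remote root is not squashed to UID 65534"))
        if "insecure" in o:
            msgs.append(("medium", "requests from unprivileged ports accepted"))
        if "async" in o:
            msgs.append(("medium", "async: data loss possible if server crashes"))
        if "rw" in o and "all_squash" not in o:
            msgs.append(("info", "writable; owner access depends on UID match"))
        if not o & {"subtree_check", "no_subtree_check"}:
            msgs.append(("low", "no subtree_check/no_subtree_check; exportfs warns"))
        out.extend((sev, entry.export_point, client, msg) for sev, msg in msgs)
    return out


def audit_exports(text):
    """Parse and audit an exports file; syntax problems come first."""
    entries, syntax = parse_exports(text)
    findings = [("error", ep, "-", msg) for _ln, ep, msg in syntax]
    for entry in entries:
        findings.extend(audit_entry(entry))
    return findings


if __name__ == "__main__":
    for sev, export_point, client, msg in audit_exports(SAMPLE_EXPORTS):
        print("%-6s %-10s %-15s %s" % (sev, export_point, client, msg))
```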
auth_nlm (no_auth_nlm) or secure_locks (insecure_locks)  Causes the server to require authentication of lock requests (using the NLM [NFS Lock Manager] protocol). Use no_auth_nlm for older clients when you find that only files that anyone can read can be locked.

mountpoint[=path]  Allows a directory to be exported only if it has been mounted. This option prevents a mount point that does not have a directory hierarchy mounted on it from being exported and prevents the underlying mount point from being exported. Also mp.

nohide (hide)  When a server exports two directory hierarchies, one of which is mounted on the other, a client has to mount both directory hierarchies explicitly to access both. When the second (child) directory hierarchy is not explicitly mounted, its mount point appears as an empty directory and the directory hierarchy is hidden. The nohide option causes the underlying second directory hierarchy to appear when it is not explicitly mounted, but this option does not work in all cases.

ro (rw)  (readonly) Permits only read requests on an NFS directory hierarchy. Use rw to permit read and write requests.

secure (insecure)  Requires NFS requests to originate on a privileged port (page 1166) so a program running without root privileges cannot mount a directory hierarchy. This option does not guarantee a secure connection.

no_subtree_check (subtree_check)  Checks subtrees for valid files. Assume you have an exported directory hierarchy that has its root below the root of the filesystem that holds it (that is, an exported subdirectory of a filesystem). When the NFS server receives a request for a file in that directory hierarchy, it performs a subtree check to confirm the file is in the exported directory hierarchy. Subtree checking can cause problems with files that are renamed while opened and, when no_root_squash is used, files that only a process running with root privileges can access.
The no_subtree_check option disables subtree checking and can improve reliability in some cases. For example, you may need to disable subtree checking for home directories. Home directories are frequently subtrees (of /home), are written to often, and can have files within them frequently renamed. You would probably not need to disable subtree checking for directory hierarchies that contain files that are mostly read, such as /usr. Because the default has changed (it is now no_subtree_check), exportfs displays a warning when you do not specify either subtree_check or no_subtree_check.

sync (async)  (synchronize) Specifies that the server should reply to requests only after disk changes made by the request are written to disk. The async option specifies that the server does not have to wait for information to be written to disk and can improve performance, albeit at the cost of possible data corruption if the server crashes or the connection is interrupted.

wdelay (no_wdelay)  (write delay) Causes the server to delay committing write requests when it anticipates that another, related request will follow, thereby improving performance by committing multiple write requests within a single operation. The no_wdelay option does not delay committing write requests and can improve performance when the server receives multiple, small, unrelated requests.

USER ID MAPPING OPTIONS

Each user has a UID number and a primary GID number on the local system. The local /etc/passwd and /etc/group files may map these numbers to names. When a user makes a request of an NFS server, the server uses these numbers to identify the user on the remote system, raising several issues:

• The user may not have the same ID numbers on both systems. As a consequence, the user may have owner access to files of another user and not have owner access to his own files (see "NIS and NFS" for a solution).
• You may not want a user with root privileges on the client system to have owner access to root-owned files on the server.
• You may not want a remote user to have owner access to some important system files that are not owned by root (such as those owned by bin).

Critical files in NFS-mounted directories should be owned by root  security  Despite the mapping done by the root_squash option, a user with root privileges on a client system can use sudo or su to assume the identity of any user on the system and then access that user's files on the server. Thus, without resorting to all_squash, you can protect only files owned by root on an NFS server. Make sure that root—and not bin or another user—owns and is the only user who can modify or delete critical files within any NFS-mounted directory hierarchy. Taking this precaution does not completely protect the system against an attacker with root privileges, but it can help thwart an attack from a less experienced malicious user.

Owner access to a file means that the remote user can execute or—worse—modify the file. NFS gives you two ways to deal with these cases:

• You can use the root_squash option to map the ID number of the root account on a client to UID 65534 on the server.
• You can use the all_squash option to map all NFS users on the client to UID 65534 on the server.

Use the anonuid and anongid options to override these values.

NIS and NFS  When you use NIS (page 741) for user authorization, users automatically have the same UIDs on both systems. If you are using NFS on a large network, it is a good idea to use a directory service such as NIS or LDAP (page 758) for authorization. Without such a service, you must synchronize the passwd files on all the systems manually.
root_squash (no_root_squash)  Maps requests from root on a remote system so they appear to come from the UID 65534, a nonprivileged user on the local system, or as specified by anonuid. This option does not affect other sensitive UIDs such as bin. The no_root_squash option turns off this mapping so that requests from root appear to come from root.

no_all_squash (all_squash)  Does not change the mapping of users making requests of the NFS server. The all_squash option maps requests from all users—not just root—on remote systems to appear to come from the UID 65534, a nonprivileged user on the local system, or as specified by anonuid. This option is useful for controlling access to exported public FTP, news, and other directories.

anonuid=un and anongid=gn  Set the UID or the GID of the anonymous account to un or gn, respectively. NFS uses these accounts when it does not recognize an incoming UID or GID and when it is instructed to do so by root_squash or all_squash.

WHERE THE SYSTEM KEEPS NFS MOUNT INFORMATION

A server holds several lists of directory hierarchies it can export. The list that you as a system administrator work with is /etc/exports. The following discussion assumes that the local server, plum, is exporting these directory hierarchies:

$ cat /etc/exports
/home     grape(rw,no_subtree_check)
/p16      192.168.0.12(rw,no_subtree_check) jam(rw,no_subtree_check)

As explained in more detail on page 791, exportfs displays the list of exported directory hierarchies:

$ exportfs
/home           grape
/p16            jam
/p16            192.168.0.12

The important files and pseudofiles that NFS works with are described next.
/var/lib/nfs/etab  (export table) On the server, lists the directory hierarchies that are exported (can be mounted, but are not necessarily mounted at the moment) and the options they are exported with:

$ cat /var/lib/nfs/etab
/home grape(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,mapping=identity,anonuid=65534,anongid=65534)
/p16 jam(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,mapping=identity,anonuid=65534,anongid=65534)
/p16 192.168.0.12(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,mapping=identity,anonuid=65534,anongid=65534)

The preceding output shows that grape can mount /home and that jam and 192.168.0.12 can mount /p16. The etab file is initialized from /etc/exports when the system is brought up, read by mountd when a client asks to mount a directory hierarchy, and modified by exportfs (page 791) as the list of exported directory hierarchies changes.

/var/lib/nfs/rmtab  (remote mount table) On the server, lists the directory hierarchies that are mounted by client systems:

$ cat /var/lib/nfs/rmtab
192.168.0.12:/p16:0x00000002

The preceding output shows /p16 is mounted by 192.168.0.12. The rmtab file is updated by mountd as it mounts and unmounts directory hierarchies. This file is "mostly ornamental" (from the mountd man page) and may not be accurate.

/proc/mounts  On the client, this pseudofile displays the kernel mount table, which lists filesystems mounted by the local system. In the following example, grep displays lines that contain the string nfs followed by a SPACE. The SPACE, which you must quote, eliminates lines with the string nfs that do not pertain to mounted filesystems.
$ grep nfs\  /proc/mounts
plum:/p16 /mnt nfs rw,vers=3,rsize=131072,wsize=131072,hard,intr,proto=tcp,timeo=600,retrans=2,sec=sys,addr=plum 0 0

showmount: DISPLAYS NFS STATUS INFORMATION

Without any options, the showmount utility displays a list of systems that are allowed to mount local directories. You typically use showmount to display a list of directory hierarchies that a server is exporting. To display information for a remote system, give the name of the remote system as an argument. The information showmount provides may not be complete, however, because it depends on mountd and trusts that remote servers are reporting accurately. In the following example, 192.168.0.12 is allowed to mount local directories, but you do not know which ones:

$ showmount
Hosts on plum:
192.168.0.12

If showmount displays an error such as RPC: Program not registered, NFS is not running on the server. Start NFS on the server with the nfs-kernel-server init script (page 782).

-a  (all) Displays a list of client systems and indicates which directories each client system can mount. This information is stored in /etc/exports. In the following example, showmount lists the directories that 192.168.0.12 can mount from the local system:

$ /sbin/showmount -a
All mount points on plum:
192.168.0.12:/p16

-e  (exports) Displays a list of exported directories and the systems that each directory is exported to.

$ showmount -e
Export list for plum:
/p16 192.168.0.12

exportfs: MAINTAINS THE LIST OF EXPORTED DIRECTORY HIERARCHIES

The exportfs utility maintains the /var/lib/nfs/etab file (page 789). When mountd is called, it checks this file to see if it is allowed to mount the requested directory hierarchy. Typically exportfs is called with simple options and modifies the etab file based on changes in /etc/exports.
When called with client and directory arguments, it can add to or remove the directory hierarchies specified by those arguments from the list kept in etab, without reference to the exports file. An exportfs command has the following format:

/usr/sbin/exportfs [options] [client:dir ...]

where options is one or more options (as discussed in the next section), client is the name of the system that dir is exported to, and dir is the absolute pathname of the directory at the root of the directory hierarchy being exported. Without any arguments, exportfs reports which directory hierarchies are exported to which systems:

$ exportfs
/home           grape
/p16            jam
/p16            192.168.0.12

The system executes the following command when it comes up (it is in the nfs-kernel-server init script). This command reexports the entries in /etc/exports and removes invalid entries from /var/lib/nfs/etab so etab is synchronized with /etc/exports:

$ sudo exportfs -r

OPTIONS

-a  (all) Exports directory hierarchies specified in /etc/exports. This option does not unexport entries you have removed from exports (that is, it does not remove invalid entries from /var/lib/nfs/etab); use -r to perform this task.

-f  (flush) Removes everything from the kernel's export table.

-i  (ignore) Ignores /etc/exports; uses what is specified on the command line only.

-o  (options) Specifies options. You can specify options following -o the same way you do in the exports file. For example, exportfs -i -o ro dog:/home/sam exports /home/sam on the local system to dog for readonly access.

-r  (reexport) Reexports the entries in /etc/exports and removes invalid entries from /var/lib/nfs/etab so /var/lib/nfs/etab is synchronized with /etc/exports.

-u  (unexport) Makes an exported directory hierarchy no longer exported.
If a directory hierarchy is mounted when you unexport it, users see the message Stale NFS file handle when they try to access the directory hierarchy from a remote system.

-v  (verbose) Provides more information. Displays export options when you use exportfs to display export information.

TESTING THE SERVER SETUP

From the server, run the nfs-kernel-server init script with an argument of status. If all is well, the system displays the following:

$ service nfs-kernel-server status
nfsd running

Also check that mountd is running:

$ ps -e | grep mountd
29609 ?        00:00:00 rpc.mountd

Next, from the server, use rpcinfo to make sure NFS is registered with portmap:

$ rpcinfo -p localhost | grep nfs
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs

Repeat the preceding command from the client, replacing localhost with the name of the server. The results should be the same. Finally, try mounting directory hierarchies from remote systems and verify access.

automount: MOUNTS DIRECTORY HIERARCHIES ON DEMAND

In a distributed computing environment, when you log in on any system on the network, all your files—including startup scripts—are available. All systems are also commonly able to mount all directory hierarchies on all servers: Whichever system you log in on, your home directory is waiting for you. As an example, assume /home/zach is a remote directory hierarchy that is mounted on demand. When you issue the command ls /home/zach, autofs goes to work: It looks in the /etc/auto.home map, finds zach is a key that says to mount plum:/export/home/zach, and mounts the remote directory hierarchy. Once the directory hierarchy is mounted, ls displays the list of files in that directory.
If you give the command ls /home after this mounting sequence, ls shows that zach is present within the /home directory. The df utility shows that zach is mounted from plum.

PREREQUISITES

Installation: Install the following package:

• autofs

autofs init script: When you install the autofs package, the dpkg postinst script starts the automount daemon. After you configure automount, call the autofs init script to restart the automount daemon:

$ sudo service autofs restart

After changing the automount configuration on an active server, use reload in place of restart to reload automount configuration files without disturbing automatically mounted filesystems.

autofs: AUTOMATICALLY MOUNTED DIRECTORY HIERARCHIES

An autofs directory hierarchy is like any other directory hierarchy but remains unmounted until it is needed, at which time the system mounts it automatically (demand mounting). The system unmounts an autofs directory hierarchy when it is no longer needed—by default, after 5 minutes of inactivity. Automatically mounted directory hierarchies are an important part of managing a large collection of systems in a consistent way. The automount daemon is particularly useful when an installation includes a large number of servers or a large number of directory hierarchies. It also helps to remove server-server dependencies (discussed next).

When you boot a system that uses traditional fstab-based mounts and an NFS server is down, the system can take a long time to come up as it waits for the server to time out. Similarly, when you have two servers, each mounting directory hierarchies from the other, and both systems are down, both may hang as they are brought up while each tries to mount a directory hierarchy from the other. This situation is called a server-server dependency.
The automount facility gets around these issues by mounting a directory hierarchy from another system only when a process tries to access it. When a process attempts to access one of the directories within an unmounted autofs directory hierarchy, the kernel notifies the automount daemon, which mounts the directory hierarchy. You must give a command, such as cd /home/zach, that accesses the autofs mount point (in this case /home/zach) to create the demand that causes automount to mount the autofs directory hierarchy; only then can the system display or use the autofs directory hierarchy. Before you issue this cd command, zach does not appear in /home.

The main file that controls the behavior of automount is /etc/auto.master. A simple example follows:

$ cat /etc/auto.master
/freel  /etc/auto.misc  --timeout=60
/plum   /etc/auto.plum

The auto.master file has three columns. The first column names the parent of the autofs mount point—the location where the autofs directory hierarchy is to be mounted. (The /freel and /plum directories in the example are not mount points but will hold the mount points when the directory hierarchies are mounted.) The second column names the files, called map files, that store supplemental configuration information. The optional third column holds mount options for map entries. In the preceding example, the first line sets the timeout (the length of time a directory stays mounted when it is not in use) to 60 seconds; the default timeout value is 300 seconds. You can change autofs default values in /etc/default/autofs.

Although the map files can have any names, one is traditionally named auto.misc. Following are the two map files specified in auto.master:

$ cat /etc/auto.misc
music   -fstype=ext4    :/dev/sdb7
$ cat /etc/auto.plum
pl6     -fstype=nfs     plum:/pl6

The first column of a map file holds the relative autofs mount point (music and pl6 in the preceding files). This mount point is appended to the corresponding autofs mount point from column 1 of the auto.master file to create the absolute autofs mount point. In this example, music (from auto.misc) is appended to /freel (from auto.master) to make /freel/music; pl6 is appended to /plum to make /plum/pl6. The second column holds options, and the third column shows the server and directory hierarchy to be mounted. The first example shows a local drive (/dev/sdb7). You can tell it is local because its filesystem type is specified as ext4 and no system name appears before the colon. The second example shows a filesystem on a remote system. It has a filesystem type of nfs and specifies the name of the remote system, a colon, and the name the filesystem is mounted under on the remote system.

Before the new setup can work, you must reload the automount daemon using the autofs init script (page 793). This script creates the directories that hold the mount points (/freel and /plum in the example) when you start, restart, or reload autofs and removes those directories when you stop it. In the following example, the first ls command shows that the /freel and /plum directories do not exist. The next command, running with root privileges, runs the autofs init script to reload autofs. Now the directories exist but do not hold any files. When the user lists the contents of /plum/pl6, autofs mounts pl6 and ls displays its contents:

$ ls /freel /plum
ls: /freel: No such file or directory
ls: /plum: No such file or directory
$ sudo service autofs reload
Reloading automounter: checking for changes ...
Reloading automounter map for: /freel
Reloading automounter map for: /plum
$ ls /freel /plum
/freel:

/plum:
$ ls /plum/pl6
lost+found  memo

CHAPTER SUMMARY

NFS allows a server to share selected local directory hierarchies with client systems on a heterogeneous network, thereby reducing storage needs and administrative overhead. NFS defines a client/server relationship in which a server provides directory hierarchies that clients can mount.

On the server, the /etc/exports file typically lists the directory hierarchies that the system exports. Each line in exports specifies a directory hierarchy and the client systems that are allowed to mount it, including options for each client (readonly, read-write, and so on). An exportfs -r command causes NFS to reread this file.

From a client, a mount command mounts an exported NFS directory hierarchy. Alternatively, you can put an entry in /etc/fstab to have the system automatically mount the directory hierarchy when it boots.

Automatically mounted directory hierarchies help manage large groups of systems containing many servers and filesystems in a consistent way and can help remove server-server dependencies. The automount daemon automatically mounts autofs directory hierarchies when they are needed and unmounts them when they are no longer needed.

EXERCISES

1. What are three reasons to use NFS?

2. Which command would you give to mount on the local system the /home directory hierarchy that resides on the file server named plum? Assume the mounted directory hierarchy will appear as /plum.home on the local system. How would you mount the same directory hierarchy if it resided on the fileserver at 192.168.1.1? How would you unmount /home?

3. How would you list the mount points on the remote system named plum that the local system named grape can mount?

4. Which command line lists the currently mounted NFS directory hierarchies?

5.
What does the /etc/fstab file do?

6. From a server, how would you allow readonly access to /opt for any system in example.com?

ADVANCED EXERCISES

7. When is it a good idea to disable attribute caching?

8. Describe the difference between the root_squash and all_squash options in /etc/exports.

9. Why does the secure option in /etc/exports not really provide any security?

10. Some diskless workstations use NFS as swap space. Why is this approach useful? What is the downside?

11. NFS maps users on the client to users on the server. Explain why this mapping is a security risk.

12. What does the mount nosuid option do? Why would you want to use this option?

23 SAMBA: LINUX AND WINDOWS FILE AND PRINTER SHARING

IN THIS CHAPTER
Introduction to Samba 798
JumpStart: Configuring a Samba Server Using system-config-samba 800
smb.conf: Manually Configuring a Samba Server 807
Working with Linux Shares from Windows 814
Working with Windows Shares from Linux 815
Troubleshooting 817

Samba is a suite of programs that enables UNIX-like operating systems, including Linux, Solaris, FreeBSD, and Mac OS X, to work with other operating systems, such as OS/2 and Windows, as both a server and a client. As a server, Samba shares Linux files and printers with Windows systems. As a client, Samba gives Linux users access to files on Windows systems. Its ability to share files across operating systems makes Samba an ideal tool in a heterogeneous computing environment. Refer to pages 566 and 568 for information about printing using Samba.

INTRODUCTION TO SAMBA

This chapter starts by providing a list of Samba tools followed by some basic information.
The JumpStart section discusses how to set up a simple Samba server using the Shared Folders window. The section following that covers how to use swat, a Web-based advanced configuration tool, to set up a Samba server. The final server section discusses how to set up a Samba server by using a text editor to manually edit the files that control Samba. The next two sections of this chapter, "Working with Linux Shares from Windows" (page 814) and "Working with Windows Shares from Linux" (page 815), explain how to work with Linux and Windows files and printers. The final section, "Troubleshooting" (page 817), offers tips on what to do when Samba does not work properly.

Table 23-1 lists some of the utilities and daemons that make up the Samba suite of programs. See the samba man page for a complete list.

Table 23-1 Samba utilities and daemons

Utility or daemon   Function
net         This utility has the same syntax as the DOS net command and, over time, will eventually replace other Samba utilities such as smbpasswd.
nmbd        The NetBIOS (page 1161) nameserver program, run as a daemon by default. Provides NetBIOS over IP naming services for Samba clients. Also provides browsing support (as in the Windows Network Neighborhood or My Network Places view).
nmblookup   Queries the NetBIOS (page 1161) name; see page 818.
pdbedit     Maintains the Samba user database.
smbclient   Displays shares on a Samba server such as a Windows machine; uses ftp-like commands (page 815).
smbd        The Samba program, run as a daemon by default. Provides file and print services for Samba clients.
smbpasswd   Changes Windows NT password hashes on Samba and Windows NT servers (page 803).
smbstatus   Displays information about current smbd connections.
smbtar      Backs up and restores data from Samba servers; similar to tar.
smbtree     Displays a hierarchical diagram of available shares (page 815).
swat        Samba Web Administration Tool. A browser-based editor for the smb.conf file (page 804).
testparm    Checks syntax of the smb.conf file (page 817).

MORE INFORMATION

Local: Samba/swat home page has links to local Samba documentation (page 804). Documentation: /usr/share/doc/samba-doc*
Web: Samba: www.samba.org (mailing lists, documentation, downloads, and more). CIFS: www.samba.org/cifs
HOWTO: Unofficial Samba HOWTO: hr.uoregon.edu/davidrl/samba.html. Samba Documentation Collection: Point a browser at /usr/share/doc/samba-doc/htmldocs/index.html; if you have installed the samba-doc-pdf package, look in /usr/share/doc/samba-doc-pdf.

NOTES

Firewall: The Samba server normally uses UDP ports 137 and 138 and TCP ports 139 and 445. If the Samba server system is running a firewall, you need to open these ports. Using gufw (page 876), open these ports by setting a policy that allows service for Samba.
Share: Under Samba, an exported directory hierarchy is called a share.
Mapping a share: The Samba term mapping a share is equivalent to the Linux term mounting a directory hierarchy.
Samba: The name Samba is derived from SMB (page 1172), the protocol that is the native method of file and printer sharing for Windows.
swat: You must set up a root password to use swat to change the Samba configuration; see page 431 for instructions.

SAMBA USERS, USER MAPS, AND PASSWORDS

For a Windows user to access Samba services on a Linux system, the user must provide a Windows username and a Samba password. In some cases, Windows supplies the username and password for you. It is also possible to authenticate using other methods. For example, Samba can use LDAP (page 1156) or PAM (page 478) instead of the default password file.
Refer to the Samba documentation for more information on authentication methods.

Usernames: The username supplied by Windows must be the same as a Linux username or must map to a Linux username.
User maps: You can create a file, typically named /etc/samba/smbusers, to map Windows usernames to Linux usernames. For more information see username map on page 811.
Passwords: By default, Samba uses Linux passwords to authenticate users. However, Ubuntu sets passdb backend (page 809) to tdbsam, causing Samba to use trivial database passwords. Change this parameter to smbpasswd in smb.conf (page 807) to cause Samba to use Linux passwords.

SETTING UP A SAMBA SERVER

This section describes how to install and configure a Samba server using both the shares-admin utility and the swat browser-based configuration tool.

PREREQUISITES

Installation: Install the following packages:

• samba
• samba-client
• smbfs (the only package needed to mount a Windows share)
• system-config-samba (optional)
• swat (optional, but useful)
• openbsd-inetd (needed to run swat; installed as a swat dependency)
• samba-doc (optional documentation; installed with swat)
• samba-doc-pdf (optional; documentation in PDF format)

smbd init script: When you install the samba package, the dpkg postinst script configures Samba to run as a normal daemon (not from inetd), copies all Linux users to the list of Samba users, sets up Samba to use encrypted passwords, and starts the smbd and nmbd daemons. After you configure samba, give the following command (page 434) to restart the smbd and nmbd daemons:

$ sudo service smbd restart
smbd start/running, process 4662

JUMPSTART: CONFIGURING A SAMBA SERVER USING system-config-samba

The system-config-samba utility can set up only basic features of a Samba server.
It is, however, the best tool to use if you are not familiar with Samba and you want to set up a simple Samba server quickly. The system-config-samba utility performs three basic functions: configuring the server, configuring users, and setting up shares (directory hierarchies) that are exported to Windows machines.

Make a copy of smb.conf (tip): As installed, the /etc/samba/smb.conf file has extensive comments (page 807). The system-config-samba utility overwrites this file. Make a copy of smb.conf for safekeeping before you run this utility for the first time.

To display the Samba Server Configuration window (Figure 23-1), select Main menu: System ⇒ Administration ⇒ Samba or enter sudo system-config-samba from a terminal emulator or Run Application window (ALT-F2). Printers are shared by default.

Figure 23-1 Samba Server Configuration window

Select Menubar: Preferences ⇒ Server Settings to display the Server Settings window Basic tab (Figure 23-2). Change the workgroup to the one in use on the Windows machines. Change the description of the server if you like. Click the Security tab and make sure Authentication Mode is set to User; you do not need to specify an Authentication Server or a Kerberos Realm. If you are using Windows 98 or later, set Encrypt Passwords to Yes. When you specify a username in the Guest Account, anyone logging in on the Samba server as guest maps to that user's ID. Typically the guest account maps to the UID of the Linux user named nobody. Click OK.

Samba users: Select Menubar: Preferences ⇒ Samba Users to display the Samba Users window (Figure 23-3, next page).
If the user you want to log in as is not already specified in this window, click Add User. When you have the proper permissions, the Create New Samba User window displays a combo box labeled Unix Username that allows you to select a Linux user; otherwise, your username is displayed as the Unix Username. The Windows Username is the Windows username that you want to map to the specified Linux (UNIX) username. The Samba Password is the password this user or Windows enters to gain access to the Samba server.

Figure 23-2 Server Settings window, Basic tab

Figure 23-3 Samba Users window

If Sam has accounts named sam on both the Windows and Linux systems, you would select sam from the Unix Username combo box, enter sam in the Windows Username text box, and enter Sam's Windows password in the two Samba Password text boxes. Click OK to close the Create New Samba User window and click OK to close the Samba Users window.

Adding a Samba password for the Linux user nobody (tip): Because the user nobody exists in smbusers when you install Samba, you cannot add the user nobody, nor can you add a password for nobody from system-config-samba. Instead, you must use smbpasswd from the command line as follows:

$ sudo smbpasswd -a nobody
New SMB password:
Retype new SMB password:

Normally the user nobody does not have a password because it is the guest login. Press RETURN (without typing any characters) in response to each of the SMB password prompts to add nobody to the Samba password file without a password.
Linux shares: Next you need to add a share, which is the directory hierarchy you export from the Linux system to the Windows system. Click the green plus sign (+) on the toolbar to display the Basic tab in the Create Samba Share window (Figure 23-4). In the Directory text box, enter the absolute pathname of the directory you want to share (/tmp is an easy directory to practice with). Enter a description if you like. It can be useful to enter the Linux hostname and the pathname of the directory you are sharing here. Specify Writable if you want to be able to write to the directory from the Windows machine; Visible allows the share to be seen from the Windows machine. Click the Access tab and specify whether you want to limit access to specified users or whether you want to allow anyone to access this share. Click OK. Close the Samba Server Configuration window. You should now be able to access the share from a Windows machine (page 814). There is no need to restart the Samba server.

Figure 23-4 Create Samba Share window, Basic tab

smbpasswd: Working with root privileges, you can use smbpasswd to change a Linux user's Samba password.

$ sudo smbpasswd sam
New SMB password:
Retype new SMB password:

This example assumes Sam was a user on the Linux system before Samba was installed. When you install Samba, it copies all Linux users to the list of Samba users. If you add a user after you install Samba, you need to use the -a option to instruct smbpasswd to add the user to the list of Samba users. The following command adds a new Linux user, Max, to the list of Samba users and assigns a Samba password to Max:

$ sudo smbpasswd -a max
New SMB password:
Retype new SMB password:
Added user max.
Once a user has a Samba password, he can use smbpasswd without any arguments to change his password. If a user has different usernames on the Linux and Windows systems, you must map the Windows username to a Linux username (see username map on page 811). Make sure all Linux users who will log in using Samba have Samba passwords. You should now be able to access the new shares from a Windows machine (page 814). There is no need to restart the Samba server.

swat: CONFIGURES A SAMBA SERVER

Make a copy of smb.conf (tip): As installed, the /etc/samba/smb.conf file contains extensive comments (page 807). The swat utility overwrites this file, removing the comments. Make a copy of smb.conf for safekeeping before you run this utility for the first time.

The swat (Samba Web Administration Tool, swat package) utility is a browser-based graphical editor for the /etc/samba/smb.conf file. For each of the configurable parameters, it provides Help links, default values, and a text box to change the value. The swat utility is a well-designed tool in that it remains true to the lines in the smb.conf file you edit: You can use and learn from swat, so that, if you want to use a text editor to modify smb.conf, the transition will be straightforward.

The swat utility is run from inetd (openbsd-inetd package). When you install the swat package, it installs openbsd-inetd as a dependency and places the following line in /etc/inetd.conf:

swat stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat

This line enables swat when inetd is running.
If necessary, give the following command to restart inetd so that it rereads its configuration file:

$ sudo service openbsd-inetd restart
 * Restarting internet superserver inetd    [ OK ]

Figure 23-5 The local swat home page

Now you should be able to run swat: From the local system, open a browser and enter either http://127.0.0.1:901 or http://localhost:901 in the location bar. When prompted, enter the username root and the root password. (You must set up a root password to use swat to change the Samba configuration; see page 431 for instructions.) If you provide a username other than root, you will be able to view some configuration information but will not be able to make changes. From a remote system, replace 127.0.0.1 with the IP address of the server (but see the adjacent security tip). If a firewall is running on the local system and you want to access swat from a remote system, open TCP port 901 using gufw (page 876).

Do not allow unencrypted remote access to swat (security): Do not allow access to swat from a remote system on an insecure network. When you do so and log in, the root password is sent in cleartext over whatever connection you are using and can easily be sniffed.
If you want to access swat over an insecure network, use ssh to forward port 901 (page 681).

The browser displays the local Samba/swat home page (Figure 23-5). This page includes links to local Samba documentation and the buttons listed below.

HOME Links to local Samba documentation. When you click the word Samba (not the logo, but the one just before the word Documentation in the Samba/swat home page), swat displays the Samba man page, which defines each Samba program.
GLOBALS Edits global parameters (variables) in smb.conf.
SHARES Edits share information in smb.conf.
PRINTERS Edits printer information in smb.conf.
WIZARD Rewrites the smb.conf file, removing all comment lines and lines that specify default values.
STATUS Shows the active connections, active shares, and open files. Stops and restarts the smbd and nmbd daemons.
VIEW Displays a subset (click Full View) or all of the configuration parameters as determined by the default values and settings in smb.conf (click Normal View).
PASSWORD Manages Samba passwords.

It is quite easy to establish a basic Samba setup so you can work with a Linux directory hierarchy from a Windows system. More work is required to set up a secure connection or one with special features. The following example creates a basic setup based on the sample smb.conf file included with Ubuntu Linux.

swat Help and defaults: Each of the parameters swat displays has a button labeled Help next to it. Click Help to open a new browser window containing an explanation of that parameter. Each parameter also has a Set Default button that sets the parameter to its default value (not necessarily the initial value as supplied by Ubuntu). For this example, do not click any of the Set Default buttons.
Make sure to click Commit Changes at the top of each page after you finish making changes on a page but before you click a menu button at the top of the page. Otherwise, swat will discard your changes.

Figure 23-6 Share Parameters page

GLOBALS page: To follow this example, first click GLOBALS at the top of the Samba/swat home page. Leave everything at its current setting with two exceptions: hosts allow and hosts deny. Setting these parameters makes the server more secure by limiting the clients that Samba responds to. Scroll to the bottom of the Security Options and set hosts allow to the names or IP addresses of systems you want to allow to access the local system's shares and printers. If there are any addresses in hosts allow or if you set hosts deny to ALL, you must also add 127.0.0.1 to hosts allow to be able to use swat. Separate the entries with SPACEs or commas. See page 809 for more information on the various ways you can set hosts allow. Set hosts deny to ALL. Click Commit Changes (near the top of the page) when you are done with the GLOBALS page.

SHARES page: Next click SHARES at the top of the page. Three buttons and two text boxes appear near the bottom of the page (Figure 23-6). In the text box adjacent to the Create Share button, enter the name you want to assign to the share you are setting up. You will use this share name from Windows when you map (mount) the share. Click Create Share.
To modify an existing share, display the name of the share in the drop-down list labeled Choose Share, and click Choose Share. Either of these actions expands the Share Parameters page so it displays information about the selected share. Set path to the absolute pathname on the Linux server of the share and, if you like, set comment to a string that will help you remember where the share is located. The values for hosts allow and hosts deny, if any, are taken from the global parameters. Make sure read only, guest ok, and browseable are set as you desire. Set available to YES or you will not have access to the share. Click Commit Changes when you are done with the SHARES page. If you want to see how many parameters there really are, click Advanced near the top of the page. Switching between the Basic and Advanced views removes any changes you have not committed. From a Windows machine, you should now be able to access the share you just created (page 814).

If you can no longer use swat (tip): If you can no longer use swat, you probably changed the hosts allow setting incorrectly. In this case you need to edit /etc/samba/smb.conf manually and fix the line with the words hosts allow in it:

$ grep hosts smb.conf
        hosts allow = 127.0.0.1, 192.168.0.8
        hosts deny = ALL

The preceding entries allow access from 192.168.0.8 only. They also allow swat to work. You do not need to restart Samba after changing smb.conf.

You do not need to restart Samba when you change smb.conf (tip): Samba rereads its configuration files each time a client connects. Unless you change the security parameter (page 810), you do not need to restart Samba when you change smb.conf.

smb.conf: MANUALLY CONFIGURING A SAMBA SERVER

The /etc/samba/smb.conf file controls most aspects of how Samba works and is divided into sections.
Each section begins with a line that holds some text between brackets ([...]). The text within the brackets identifies the section. Typical sections are

[globals]       Defines global parameters
[printers]      Defines printers
[homes]         Defines shares in the homes directory
[share name]    Defines a share (you can have more than one of these sections)

smb.conf comments: As installed on an Ubuntu Linux system, the smb.conf sample configuration file contains extensive comments and commented-out examples. Comment lines start with either a hashmark (#) or a semicolon (;). The sample file uses hashmarks to begin lines that are intended to remain as comments. Semicolons begin lines that you may want to mimic or use as is by removing the semicolons. The following segment of smb.conf contains three lines of true comments and three lines beginning with semicolons that you may want to uncomment and change:

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

As Ubuntu sets the global parameters in smb.conf, you need simply add a share for a Windows system to be able to access a directory on the Linux server. Add the following simple share to the end of the smb.conf file to enable a user on a Windows system to be able to read from and write to the local /tmp directory:

[tmp]
    comment = temporary directory
    path = /tmp
    writable = YES
    guest ok = YES

The name of the share under Windows is tmp; the path under Linux is /tmp. Any Windows user who can log in on Samba, including guest, can read from and write to this directory, assuming the user's Linux permissions allow it. To allow a user to log in on Samba, you must run smbpasswd (page 803).
Because browseable defaults to YES, unless you specify browseable = NO, the share appears as a share on the server without explicitly being declared browseable. The Linux permissions that apply to a Windows user using Samba are the same permissions that apply to the Linux user that the Windows user maps to.

PARAMETERS IN THE smb.conf FILE

The smb.conf man page and the Help feature of swat list all the parameters you can set in smb.conf. The following sections identify some of the parameters you are likely to want to change.

GLOBAL PARAMETERS

interfaces
    A SPACE-separated list of networks Samba uses. Specify as interface names (such as eth0) or as IP address/net mask pairs (page 462).
    Default: all active interfaces except 127.0.0.1

server string
    The string that the Windows machine displays in various places. Within the string, Samba replaces %v with the Samba version number and %h with the hostname.
    Default: Samba %v
    Ubuntu: %h server (Samba, Ubuntu)

workgroup
    The workgroup the server belongs to. Set to the same workgroup as the Windows clients that use the server. This parameter controls the domain name that Samba uses when security (page 810) is set to DOMAIN.
    Default: WORKGROUP

SECURITY PARAMETERS

encrypt passwords
    YES accepts only encrypted passwords from clients. Windows 98 and Windows NT 4.0 Service Pack 3 and later use encrypted passwords by default. This parameter uses smbpasswd to authenticate passwords unless you set security to SERVER or DOMAIN, in which case Samba authenticates using another server.
    Default: YES

guest account
    The username that is assigned to users logging in as guest or mapped to guest; applicable only when guest ok (page 813) is set to YES. This username should be present in /etc/passwd but should not be able to log in on the system.
    Typically guest account is assigned a value of nobody because the user nobody can access only files that any user can access. If you are using the nobody account for other purposes on the Linux system, set this parameter to a name other than nobody.
    Default: nobody

hosts allow
    Analogous to the /etc/hosts.allow file (page 465); specifies hosts that are allowed to connect to the server. Overrides hosts specified in hosts deny. A good strategy is to specify ALL in hosts deny and to specify the hosts you want to grant access to in this file. Specify hosts in the same manner as in hosts.allow.
    Default: none (all hosts permitted access)

hosts deny
    Analogous to the /etc/hosts.deny file (page 465); specifies hosts that are not allowed to connect to the server. Overridden by hosts specified in hosts allow. If you specify ALL in this file, remember to include the local system (127.0.0.1) in hosts allow. Specify hosts in the same manner as in hosts.deny.
    Default: none (no hosts excluded)

invalid users
    Lists users who are not allowed to log in using Samba.
    Default: none (all users are permitted to log in)
    Ubuntu: none (all users are permitted to log in)

map to guest
    Defines when a failed login is mapped to the guest account. Useful only when security (page 810) is not set to SHARE.
    Never: Allows guest to log in only when the user explicitly provides guest as the username and a blank password.
    Bad User: Treats any attempt to log in as a user who does not exist as a guest login. This parameter is a security risk because it allows a malicious user to retrieve a list of users on the system quickly.
    Bad Password: Silently logs in as guest any user who incorrectly enters her password. This parameter may confuse a user when she mistypes her password and is unknowingly logged in as guest because she will suddenly see fewer shares than she is used to.
    Default: Never
    Ubuntu: Bad User

passdb backend
    Specifies how Samba stores passwords.
    Set to ldapsam for LDAP, smbpasswd for Samba, or tdbsam for TDB (trivial database) password storage. See page 803 for instructions on using smbpasswd to change Samba passwords.
    Default: smbpasswd
    Ubuntu: tdbsam

passwd chat
    The chat script Samba uses to converse with the passwd program. If this script is not followed, Samba does not change the password. Used only when unix password sync (page 810) is set to YES.
    Default: *new*password* %n\n *new*password* %n\n *changed*
    Ubuntu: *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*

passwd program
    The program Samba uses to set Linux passwords. Samba replaces %u with the user's username.
    Default: none
    Ubuntu: /usr/bin/passwd %u

security
    Specifies if and how clients transfer user and password information to the server. Choose one of the following:
    USER: Causes Samba to require a username and password from Windows users when logging in on the Samba server. With this setting you can use
        • username map (page 811) to map Samba usernames to Linux usernames
        • encrypt passwords (page 808) to encrypt passwords (recommended)
        • guest account (page 809) to map users to the guest account
    SHARE: Causes Samba not to authenticate clients on a per-user basis. Instead, Samba uses the Windows 9x setup, in which each share can have an individual password for either read or full access. This option is not compatible with more recent versions of Windows.
    SERVER: Causes Samba to use another SMB server to validate usernames and passwords. If the remote validation fails, the local Samba server tries to validate usernames and passwords as though security were set to USER.
    DOMAIN: Samba passes an encrypted password to a Windows NT domain controller for validation.
    The workgroup parameter (page 808) must be properly set in smb.conf for DOMAIN to work.
    ADS: Instructs Samba to use an Active Directory server for authentication, allowing a Samba server to participate as a native Active Directory member. (Active Directory is the centralized information system that Windows 2000 and later use. It replaces Windows Domains, which was used by Windows NT and earlier.)
    Default: USER

unix password sync
    YES causes Samba to change a user's Linux password when the associated user changes the encrypted Samba password.
    Default: NO
    Ubuntu: YES

update encrypted
    YES allows users to migrate from cleartext passwords to encrypted passwords without logging in on the server and using smbpasswd. To migrate users, set to YES and set encrypt passwords to NO. As each user logs in on the server with a cleartext Linux password, smbpasswd encrypts and stores the password. Set to NO and set encrypt passwords to YES after all users have been converted.
    Default: NO

username map
    The name of the file, typically /etc/samba/smbusers, that maps usernames from a Windows client to usernames on the Linux server. This parameter is effective only when security (page 810) is set to USER. Each line of the map file starts with a server (Linux) username, followed by a SPACE, an equal sign, another SPACE, and one or more SPACE-separated client (Windows) usernames. An asterisk (*) on the client side matches any client username. This file frequently maps Windows usernames to Linux usernames and/or maps multiple Windows usernames to a single Linux username to facilitate file sharing. Following is a sample map file:

        $ cat /etc/samba/smbusers
        # Unix_name = SMB_name1 SMB_name2 ...
        root = administrator admin
        nobody = guest pcguest smbguest

    The first entry maps the two Windows usernames (administrator and admin) to the Linux username root (you must change the Ubuntu value for invalid users [page 809] to be able to log in as root). The second entry maps three Windows usernames, including guest, to the Linux username nobody: When a Windows user attempts to log in on the Samba server as guest, Samba authenticates the Linux user named nobody. Each user, including nobody, must have a Samba password (refer to smbpasswd on page 803), even if it is blank.
    Add the following line to the file this parameter points to, creating the file if necessary, to map the Windows username sam to the Linux username sis:

        sis = sam

    After you add a user to this file, you must give the user a password using smbpasswd. When Sam logs in as sam, Samba now maps sam to sis and looks up sis in the Samba password database. Assuming Sam provides the correct password, he logs in on the Samba server as sis.
    Default: no map

LOGGING PARAMETERS

log file
    The name of the Samba log file. Samba replaces %m with the name of the client system, allowing you to generate a separate log file for each client.
    Default: none
    Ubuntu: /var/log/samba/log.%m

log level
    Sets the log level, with 0 (zero) being off and higher numbers being more verbose.
    Default: 0 (off)

max log size
    An integer specifying the maximum size of the log file in kilobytes. A 0 (zero) specifies no limit. When a file reaches this size, Samba appends .old to the filename and starts a new log, deleting any old log file.
    Default: 5000
    Ubuntu: 1000

BROWSER PARAMETERS

The domain master browser is the system responsible for maintaining the list of machines on a network used when browsing a Windows Network Neighborhood or My Network Places.
SMB (page 1172) uses weighted elections every 11–15 minutes to determine which machine is the domain master browser. Whether a Samba server wins this election depends on two parameters:

    • Setting domain master to YES instructs the Samba server to enter the election.
    • The os level determines how much weight the Samba server's vote receives.

Setting os level to 2 should cause the Samba server to win against any Windows 9x machines. NT Server series domain controllers, including Windows 2000, XP, and 2003, use an os level of 32. The maximum setting for os level is 255, although setting it to 65 should ensure that the Samba server wins.

domain master
    YES causes nmbd to attempt to be the domain master browser. If a domain master browser exists, then local master browsers will forward copies of their browse lists to it. If there is no domain master browser, then browse queries may not be able to cross subnet boundaries. A Windows PDC (primary domain controller) will always try to become the domain master and may behave in unexpected ways if it fails. Refer to the preceding discussion for more information.
    Default: AUTO

local master
    YES causes nmbd to enter elections for the local master browser on a subnet. A local master browser stores a cache of the NetBIOS (page 1161) names of entities on the local subnet, allowing browsing. Windows machines automatically enter elections; for browsing to work, the network must have at least one Windows machine or one Samba server with local master set to YES. It is poor practice to set local master to NO. If you do not want a computer to act as a local master, set its os level to a lower number, allowing it to be used as the local master if all else fails.
    Default: YES

os level
    An integer that controls how much Samba advertises itself for browser elections and how likely nmbd is to become the local master browser for its workgroup.
    A higher number increases the chances of the local server becoming the local master browser. Refer to the discussion at the beginning of this section for more information.
    Default: 20

preferred master
    YES forces nmbd to hold an election for local master and enters the local system with a slight advantage. With domain master set to YES, this parameter helps ensure the local Samba server becomes the domain master. Setting this parameter to YES on more than one server causes the servers to compete to become master, generating a lot of network traffic and sometimes leading to unpredictable results. A Windows PDC automatically acts as if this parameter is set.
    Default: AUTO

COMMUNICATION PARAMETERS

dns proxy
    When acting as a WINS server (page 1181), YES causes nmbd to use DNS if NetBIOS (page 1161) resolution fails.
    Default: YES
    Ubuntu: NO

socket options
    Tunes the network parameters used when exchanging data with a client. Adding SO_RCVBUF=8192 SO_SNDBUF=8192 to this parameter may improve network performance.
    Default: TCP_NODELAY

wins server
    The IP address of the WINS server nmbd should register with.
    Default: not enabled

wins support
    YES specifies nmbd is to act as a WINS server.
    Default: NO

SHARE PARAMETERS

Each of the following parameters can appear many times in smb.conf, once in each share definition.

available
    YES specifies the share as active. Set this parameter to NO to disable the share but continue logging requests for it.
    Default: YES

browseable
    Determines whether the share can be browsed, for example, in Windows My Network Places.
    Default: YES
    Ubuntu: YES, except for printers

comment
    A description of the share, shown when browsing the network from Windows.
    Default: none
    Ubuntu: varies

guest ok
    Allows a user who logs in as guest to access this share.
    Default: NO

path
    The path of the directory being shared.
    Default: none
    Ubuntu: various

read only
    Does not allow write access. Use writable to allow read-write access.
    Default: YES

THE [HOMES] SHARE: SHARING USERS' HOME DIRECTORIES

Frequently users want to share their Linux home directories with a Windows machine. To make this task easier, Samba provides the [homes] share, which Ubuntu comments out. When you define this share, each user's home directory is shared with the specified parameters. In most cases, the following parameters are adequate:

        [homes]
           comment = Home Directories
           browseable = NO
           writable = YES

These settings prevent users other than the owners from browsing home directories while allowing logged-in owners full access.

WORKING WITH LINUX SHARES FROM WINDOWS

This section describes how to access Linux directories from a Windows machine.

BROWSING SHARES

To access a share on a Samba server from Windows, open My Computer or Explorer on the Windows system and, in the text box labeled Address, enter \\ followed by the NetBIOS name (or just the hostname if you have not assigned a different NetBIOS name) of the Samba server. Windows then displays the directories the Linux system is sharing. To view the shares on the Linux system named dog, for example, enter \\dog. From this window, you can view and, if permitted, browse the shares available on the Linux system. If you set a share so it is not browseable, you need to enter the path of the share using the format \\servername\sharename to display the share.

MAPPING A SHARE

Another way to access a share on a Samba server is by mapping (mounting) a share. Open My Computer or Explorer on the Windows system and click Map Network Drive from one of the drop-down lists on the menubar (found on the Tools menu on Windows XP). Windows displays the Map Network Drive window.
Select an unused Windows drive letter from the list box labeled Drive and enter the Windows path to the share you want to map in the text box labeled Folder. The format of the Windows path is \\hostname\sharename. For example, to map /tmp on dog to Windows drive J, assuming the share is named tmp on the Linux system, select J in the list box labeled Drive, enter \\dog\tmp in the text box labeled Folder, and click Finish. After supplying a username and password, you should be able to access the /tmp directory from dog as J (tmp) on the Windows machine. If you cannot map the drive, refer to "Troubleshooting" on page 817.

WORKING WITH WINDOWS SHARES FROM LINUX

Samba enables you to view and work with files on a Windows system (client) from a Linux system (server). This section discusses several ways of accessing Windows files from Linux.

smbtree: DISPLAYS WINDOWS SHARES

The smbtree utility displays a hierarchical diagram of available shares. When you run smbtree, it prompts you for a password; do not enter a password if you want to browse shares that are visible to the guest user. The password allows you to view restricted shares, such as a user's home directory in the [homes] share. Following is sample output from smbtree:

        $ smbtree
        Password: RETURN (do not enter a password)
        MGS
            \\JAM
                \\JAM\C$                Default share
                \\JAM\ADMIN$            Remote Admin
                \\JAM\F
                \\JAM\E
            \\DOG                       Samba 3.0.22
                \\DOG\dogprinter        HP LaserJet 1320
                \\DOG\print$            Printer Drivers
                \\DOG\home
                \\DOG\p01               common backed-up directory
                \\DOG\p02               common backed-up directory

In the preceding output, MGS is the name of the workgroup, JAM is the name of the Windows machine, and DOG is the name of the Samba server that the smbtree utility is run from. Workgroup and machine names are always shown in uppercase letters.
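The smb.conf conventions and parameters described above (comment characters, bracketed sections, hosts allow overriding hosts deny, the map to guest = Bad User enumeration risk, guest ok on writable shares) lend themselves to an automated check. The following is an added example, not code from the book or from the Samba project: it parses an smb.conf-style text and flags those settings. The two configurations are constructed; the first reproduces the chapter's risky examples and the second shows the corrected values.

```python
"""Audit an smb.conf for the settings this chapter flags as risky.

Added example, not from the book or the Samba project. Both configurations
below are constructed samples, not files taken from a real server.
"""
import re

RISKY_SMB_CONF = """\
# constructed sample smb.conf (not a real server's file)
[global]
   workgroup = MGS
   server string = %h server (Samba, Ubuntu)
   security = USER
   map to guest = Bad User
   hosts deny = ALL
   hosts allow = 192.168.0.8
;  hosts allow = 127.0.0.1, 192.168.0.8

[homes]
   comment = Home Directories
   browseable = NO
   writable = YES

[tmp]
   comment = temporary directory
   path = /tmp
   writable = YES
   guest ok = YES
"""

# Corrected version: local system allowed, no guest mapping for bad usernames,
# no anonymous write access to the [tmp] share.
HARDENED_SMB_CONF = (
    RISKY_SMB_CONF
    .replace("map to guest = Bad User", "map to guest = Never")
    .replace("hosts allow = 192.168.0.8\n", "hosts allow = 127.0.0.1, 192.168.0.8\n")
    .replace("guest ok = YES", "guest ok = NO")
)


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Lines starting with # or ; are
    comments; parameter names are case-insensitive and whitespace-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _hosts(value):
    return [h for h in re.split(r"[,\s]+", value.strip()) if h]


def _writable(share):
    # writable = YES is the inverse of read only = YES; read only defaults to YES
    if "writable" in share or "writeable" in share:
        return _yes(share.get("writable", share.get("writeable", "no")))
    return not _yes(share.get("read only", "yes"))


def audit(sections):
    """Return (section, code, message) findings; an empty list means nothing flagged."""
    g, out = sections.get("global", {}), []
    allow, deny = _hosts(g.get("hosts allow", "")), _hosts(g.get("hosts deny", ""))
    local_ok = any(a.startswith("127.") or a.lower() == "localhost" for a in allow)
    if any(d.upper() == "ALL" for d in deny) and not local_ok:
        out.append(("global", "no-localhost-allow",
                    "hosts deny = ALL without 127.0.0.1 in hosts allow: local clients such as swat are locked out"))
    if not allow and not deny:
        out.append(("global", "no-host-restriction", "no hosts allow/hosts deny: every host may connect"))
    if g.get("map to guest", "never").lower() == "bad user":
        out.append(("global", "map-to-guest-bad-user",
                    "map to guest = Bad User lets a client tell existing usernames from nonexistent ones"))
    if g.get("security", "user").lower() == "share":
        out.append(("global", "security-share", "security = SHARE does not authenticate per user"))
    if not _yes(g.get("encrypt passwords", "yes")):
        out.append(("global", "cleartext-passwords", "encrypt passwords = NO accepts cleartext passwords"))
    for name, share in sections.items():
        if name != "global" and _yes(share.get("guest ok", "no")) and _writable(share):
            out.append((name, "guest-writable",
                        "guest ok = YES on a writable share: anonymous users can write to " + share.get("path", name)))
    return out


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label)
        for section, code, message in audit(parse_smb_conf(conf)):
            print(f"  [{section}] {code}: {message}")
```

Point the script at a real /etc/samba/smb.conf by reading the file into parse_smb_conf; it reports only the parameters covered in this chapter, so run testparm (page 817) as well.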
If smbtree does not display output, set the workgroup (page 808) and wins server (page 813) parameters in smb.conf. Refer to the smbtree man page for more information.

smbclient: CONNECTS TO WINDOWS SHARES

The smbclient utility functions similarly to ftp (page 687) and connects to a Windows share. However, smbclient uses Linux-style forward slashes (/) as path separators rather than Windows-style backslashes (\). The next example connects to one of the shares displayed in the preceding example:

        $ smbclient //JAM/D
        Enter sam's password: RETURN (do not enter a password)
        Anonymous login successful
        Domain=[JAM] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
        smb: \> ls
          audit                               D        0  Tue May  4 18:46:33 2010
          data                                D        0  Tue May  4 18:47:09 2010
          laptop.data                         D        0  Tue May  4 19:12:16 2010
          Linux                               D        0  Tue May  4 18:57:49 2010
          oldfonts                            D        0  Wed May  5 00:02:17 2010
          PSFONTS                             D        0  Tue May  4 18:45:36 2010
          RECYCLER                          DHS        0  Thu May  6 20:05:21 2010
          System Volume Information         DHS        0  Tue May  4 18:45:32 2010

                        46547 blocks of size 1048576. 42136 blocks available
        smb: \>

You can use most ftp commands from smbclient. Refer to "Tutorial Session" on page 690 for some examples. Alternatively, give the command help to display a list of commands or help followed by a command for information on a specific command:

        smb: \> help history
        HELP history:
                displays the command history

BROWSING WINDOWS NETWORKS

Browsing Windows shares using smbtree and smbclient is quite awkward compared with the ease of browsing a network from Windows; GNOME provides a more user-friendly alternative. From Nautilus, enter smb:/// in the location bar to browse the Windows shares on the network. Nautilus uses virtual filesystem add-ons, which are part of the desktop environment and not part of the native Linux system.
As a consequence, only native GNOME applications can open files on remote shares; normal Linux programs cannot. For example, gedit can open files on remote shares, while OpenOffice, mplayer, and xedit cannot.

MOUNTING WINDOWS SHARES

The mount utility (page 506) with a -t cifs option mounts a Windows share as if it were a Linux directory hierarchy. See page 1141 for more information on the CIFS protocol. When you mount a Windows share, you can write to the files on the share; you cannot write to files on a share using smbclient. A mount command that mounts a Windows share has the following syntax (you must run this command with root privileges):

        mount -t cifs //host/share dir

where host is the name of the system the share is on, share is the name of the Windows share that you want to mount, and dir is the absolute pathname of the Linux directory that you are mounting the share on (the mount point).

The following command, when run with root privileges, mounts on the /share directory the share used in the preceding example:

        $ sudo mount -t cifs //jam/d /share -o username=sam
        Password:
        $ ls /share
        Linux    PSFONTS    RECYCLER    System Volume Information    audit    data    laptop.data    oldfonts

You can omit the username argument and provide a blank password to mount shares that are visible to the guest user. Use the uid, file_mode, and dir_mode mount options with type cifs filesystems to establish ownership and permissions of mounted files.

        $ sudo mount -t cifs //jam/d /share -o username=sam,uid=sam,file_mode=0644,dir_mode=0755

Permissions must be expressed as octal numbers preceded by a zero. For more information refer to the mount.cifs man page.

TROUBLESHOOTING

Samba provides two utilities that can help troubleshoot a connection: testparm checks the syntax of /etc/samba/smb.conf and displays its contents; smbstatus displays a report on open Samba connections.
The following steps can help you narrow down the problem when you cannot get Samba to work.

1. Restart the Samba daemons. Make sure smbd is running.

        $ sudo service smbd restart
        smbd start/running, process 4420

2. testparm: Run testparm to confirm that the smb.conf file is syntactically correct:

        $ testparm
        Load smb config files from /etc/samba/smb.conf
        Processing section "[printers]"
        Processing section "[print$]"
        Processing section "[pl2]"
        Loaded services file OK.
        Server role: ROLE_STANDALONE
        Press enter to see a dump of your service definitions

   You can ignore an error message about rlimit_max. If you misspell a keyword in smb.conf, you get an error such as the following:

        $ testparm
        Load smb config files from /etc/samba/smb.conf
        Unknown parameter encountered: "workgruop"
        Ignoring unknown parameter "workgruop"

3. ping: Use ping (page 393) from both sides of the connection to make sure the network is up.

4. Firewall: Confirm the firewall on the server is not blocking the Samba connection (page 799).

5. Password: Make sure you have set up a password for the Samba user you are trying to log in as.

6. net view: From a Windows command prompt, use net view to display a list of shares available from the server (dog in this example):

        C:>net view \\dog
        Shared resources at \\dog

        Samba 3.0.24

        Share name   Type    Used as   Comment
        -------------------------------------------------------------------
        backup       Disk              The backup partition
        dogprinter   Print             HP Laserjet 1320
        homes        Disk              Home Directories
        p04          Disk    O:        common backed-up directory
        The command completed successfully.

7. net use: Try to map (mount) the drive from a Windows command prompt.
   The following command attempts to mount the share named p04 on dog as drive X:

        C:>net use x: \\dog\p04
        The command completed successfully.

8. nmblookup: From the Samba server, query the nmbd server, using the special name __SAMBA__ for the server's NetBIOS name. The -d 2 option turns the debugger on at level 2, which generates a moderate amount of output. The -B option specifies the server you are querying.

        $ nmblookup -d 2 -B localhost __SAMBA__
        added interface ip=192.168.0.10 bcast=192.168.0.127 nmask=255.255.255.128
        querying __SAMBA__ on 127.0.0.1
        Got a positive name query response from 127.0.0.1 ( 192.168.0.10 )
        192.168.0.10 __SAMBA__<00>

   The next example uses nmblookup, without setting the debug level, to query the local system for all NetBIOS names.

        $ nmblookup -B localhost \*
        querying * on 127.0.0.1
        192.168.0.10 *<00>

   To query for the master browser from the local server, run nmblookup with the -A option followed by localhost or the name of the server:

        $ nmblookup -A localhost
        Looking up status of 127.0.0.1
                PLUM            <00> -   H
                PLUM            <03> -   H
                PLUM            <20> -   H
                ..__MSBROWSE__. <01> -   H
                MGS                  -   H
                MGS             <1e> -   H
                MGS             <00> -   H

                MAC Address = 00-00-00-00-00-00

9. smbclient: From the Samba server, use smbclient with the -L option followed by the name of the server to generate a list of shares offered by the server:

        $ smbclient -L localhost
        Password: RETURN (do not enter a password)
        Anonymous login successful
        Domain=[MGS] OS=[Unix] Server=[Samba 3.0.24]

                Sharename       Type      Comment
                ---------       ----      -------
                IPC$            IPC       IPC Service (plum server (Samba, Ubuntu))
                tmp             Disk      mgs comment tmp
                pl5             Disk
                print$          Disk      Printer Drivers
        Anonymous login successful
        Domain=[MGS] OS=[Unix] Server=[Samba 3.0.24]

                Server               Comment
                ---------            -------
                PLUM                 plum server (Samba, Ubuntu)

                Workgroup            Master
                ---------            -------
                MGS                  PLUM

CHAPTER SUMMARY

Samba is a suite of programs that enables Linux and Windows to share directory hierarchies and printers. A directory hierarchy or printer that is shared between Linux and Windows systems is called a share. To access a share on a Linux system, a Windows user must supply a username and password. Usernames must correspond to Linux usernames either directly or as mapped by the file that is pointed to by the username map parameter in smb.conf, often /etc/samba/smbusers. Samba passwords are generated by smbpasswd.

The main Samba configuration file is /etc/samba/smb.conf, which you can edit using the Shared Folders window, swat (a Web-based administration utility), or a text editor. The swat utility is a powerful configuration tool that provides integrated online documentation and clickable default values to help you set up Samba.
From a Windows machine, you can access a share on a Linux Samba server by opening My Computer or Explorer and, in the text box labeled Address, entering \\ followed by the name of the server. In response, Windows displays the shares on the server. You can work with these shares as though they were Windows files.

From a Linux system, you can use any of several Samba tools to access Windows shares. These tools include smbtree (displays shares), smbclient (similar to ftp), and mount with the -t cifs option (mounts shares). In addition, you can enter smb:/// in the Nautilus location bar and browse the shares.

EXERCISES

1. Which two daemons are part of the Samba suite? What does each do?
2. What steps are required for mapping a Windows user to a Linux user?
3. How can a system administrator add a Samba password for a new user?
4. What is the purpose of the [homes] share?

ADVANCED EXERCISES

5. Describe how Samba's handling of users differs from that of NFS.
6. Which configuration changes would you need to apply to routers if you wanted to allow SMB/CIFS browsing across multiple subnets without configuring master browsers?
7. How could you use swat securely from a remote location?
8. WINS resolution allows hosts to define their own names. Suggest a way to use Samba to assign names from a centralized list.
24 DNS/BIND: TRACKING DOMAIN NAMES AND ADDRESSES

IN THIS CHAPTER
    Introduction to DNS  822
    JumpStart: Setting Up a DNS Cache  834
    Configuring a DNS Server  836
    Troubleshooting  849
    A Full-Functioned Nameserver  850
    A Slave Server  854
    A Split Horizon Server  855

DNS (Domain Name System) maps domain names to IP addresses, and vice versa. It reduces the need for humans to work with IP addresses, which, with the introduction of IPv6, are complex. The DNS specification defines a secure, general-purpose database that holds Internet host information. It also specifies a protocol that is used to exchange this information. Further, DNS defines library routines that implement the protocol. Finally, DNS provides a means for routing email.

Under DNS, nameservers work with clients, called resolvers, to distribute host information in the form of resource records in a timely manner as needed.

This chapter describes BIND (Berkeley Internet Name Domain) version 9, a popular open-source implementation of DNS. Part of the Ubuntu Linux distribution, BIND includes the DNS server daemon (named), a DNS resolver library, and tools for working with DNS. Although DNS can be used for private networks, this chapter covers DNS as used by the Internet.

INTRODUCTION TO DNS

You typically use DNS when you display a Web page. For example, to display Ubuntu's home page, you enter its name, www.ubuntu.com, in a browser; the browser then displays the page you want.
You never enter or see the IP address for the displayed page. However, without the IP address, the browser could not display the page. DNS works behind the scenes to find the IP address when you enter the name in the browser.

The DNS database is

    • Hierarchical, so it provides quick responses to queries. DNS has a root, branches, and nodes.
    • Distributed, so it offers fast access to servers. The DNS database is spread across thousands of systems worldwide; each system is referred to as a DNS server (or a domain server or nameserver).
    • Replicated, to enhance reliability. Because many systems hold the same information, when some systems fail, DNS does not stop functioning.

As implemented, DNS is

    • Secure, so your browser or email is directed to the correct location.
    • Flexible, so it can adapt to new names, deleted names, and names whose information changes.
    • Fast, so Internet connections are not delayed by slow DNS lookups.

History
    The mapping that DNS does was originally handled statically in a /etc/hosts file (page 493) on each system on a network. Small LANs still make use of this file. As networks, specifically the Internet, grew, a dynamic mapping system was required. DNS was specified in 1983 and BIND became part of BSD in 1985. Today BIND is by far the most popular implementation of DNS.

Security
    Historically BIND has not been very secure.
Recently, however, developers have focused on improving the security of BIND. You may want to run BIND inside a chroot jail (page 847) and use transaction signatures (TSIG, page 845) to improve security.

host and dig
The host and dig utilities (page 396) query DNS servers. The host utility is simpler, is easier to use, and returns less information than dig. This chapter uses both tools to explore DNS.

NODES, DOMAINS, AND SUBDOMAINS

Node
Each node in the hierarchical DNS database is called a domain and is labeled with a (domain) name. As with the Linux file structure, the node at the top of the hierarchy is called the root node or root domain. While the Linux file structure separates the nodes (directory and ordinary files) with slashes (/) and labels the root node (directory) with a slash, the DNS structure uses periods in place of the file structure's slashes (Figure 24-1). You read an absolute pathname in a Linux filesystem from left to right: It starts with the root directory (represented by /) at the left and, as you read to the right, describes the path to the file being identified (for example, /var/spool/cups). Unlike a Linux pathname, you read a DNS domain name from right to left: It starts with the root domain at the right (represented by a period [.]) and, as you read to the left, works its way down through the top-level and second-level domains to a subdomain or host. Frequently the name of the root domain (the period at the right) is omitted from a domain name.

Figure 24-1 The DNS domain structure (FQDNs are shown below hostnames.)

Domain
The term domain refers both to a single node in the DNS domain structure and to a catenated, period-separated list (path) of domain names that describes the location of a domain.

FQDN
A fully qualified domain name (FQDN) is the DNS equivalent of a filesystem's absolute pathname: It is a pointer that positively locates a domain on the Internet. Just as you (and Linux) can identify an absolute pathname by its leading slash (/) that represents the root directory, so an FQDN can be identified by its trailing period (.) that names the root domain (Figure 24-2).

Figure 24-2 A fully qualified domain name (FQDN). The figure labels the parts of wiki.ubuntu.com.: the root domain (the trailing period), the top-level domain, the second-level domain, the subdomain or hostname, and the periods separating the parts of the FQDN.

Resolver
The resolver comprises the routines that turn an unqualified domain name into an FQDN that is passed to DNS to be mapped to an IP address. The resolver can append several domains, one at a time, to an unqualified domain name, producing several FQDNs that it then passes, one at a time, to DNS.
For each FQDN, DNS reports success (it found the FQDN and is returning the corresponding IP address) or failure (the FQDN does not exist).

The resolver always appends the root domain (.) to an unqualified domain name first, thereby allowing you to type www.sobell.com instead of www.sobell.com. (including the trailing period) in a browser. You can specify other domains for the resolver to try if the root domain fails. Put the domain names, in the order you want them tried, after the search keyword in /etc/resolv.conf (page 496). For example, if your search domains include ubuntu.com., then the domains wiki and wiki.ubuntu.com. will resolve to the same address.

Subdomains
Each node in the domain hierarchy is a domain. Each domain that has a parent (that is, every domain except the root domain) is also a subdomain, regardless of whether it has children. All subdomains can resolve to hosts—even those with children. For example, the ubuntu.com. domain resolves to the host that serves the Ubuntu Web site, without preventing its children—domains such as wiki.ubuntu.com—from resolving.

Hostnames
The leftmost part of an FQDN is often called the hostname. In the past, hostnames could contain only characters from the set a-z, A-Z, 0-9, and -. As of March 2004, however, hostnames can include various accents, umlauts, and so on (www.switch.ch/id/idn).
DNS considers uppercase and lowercase letters to be the same (it is not case sensitive), so www.sobell.com is the same as WWW.sObEll.coM.

ZONES

For administrative purposes, domains are grouped into zones that extend downward from a domain (Figure 24-3). A single DNS server is responsible for (holds the information required to resolve) all domains within a zone. The DNS server for a zone also holds pointers to DNS servers that are responsible for the zones immediately below the zone it is responsible for. Information about zones originates in zone files, one zone per file.

Root domain
The highest zone—the one containing the root domain—does not contain any hosts. Instead, this domain delegates to the DNS servers for the top-level domains (Figure 24-1, page 823).

Authority
Each zone has at least one authoritative DNS server. This server holds all information about the zone. A DNS query returns information about a domain and specifies which DNS server is authoritative for that domain.

DNS employs a hierarchical structure to keep track of names and authority. At the top or root of the structure is the root domain, which employs 13 authoritative nameservers. These are the only servers that are authoritative for the root and top-level domains.

Figure 24-3 DNS structure showing zones

Delegation of authority
When referring to DNS, the term delegation means delegation of authority.
ICANN (Internet Corporation for Assigned Names and Numbers, www.icann.org) delegates authority to the root and top-level domains. In other words, ICANN says which servers are authoritative for these domains. Authority is delegated to each domain below the top-level domains by the authoritative server at the next-higher-level domain. ICANN is not authoritative for most second-level domains. For example, Ubuntu is authoritative for the ubuntu.com domain. This scheme of delegating authority allows for local control over segments of the DNS database while making all segments available to the public.

QUERIES

There are two types of DNS queries: iterative and recursive.¹

Iterative queries
An iterative query sends a domain name to a DNS server and asks the server to return either the IP address of the domain or the name of the DNS server that is authoritative for the domain or one of its parents: The server does not query other servers when seeking an answer. Nameservers typically send each other iterative queries.

Recursive queries
A recursive query sends a domain name to a DNS server and asks the server to return the IP address of the domain. The server may need to query other servers to get the answer.

Both iterative and recursive queries can fail. In this case, the server returns a message saying it is unable to locate the domain.

1. A third type of query is not covered in this book: inverse. An inverse query provides a domain name given a resource record. Reverse name resolution (page 831), not an inverse query, is used to query for a domain name given an IP address.

Figure 24-4 A recursive query that starts several iterative queries to find the answer. The exchanges labeled in the figure: 2. Do you know the address of ftp.site1.example.com.? 3. No, but DNS server 1 should. 4. Do you know the address of ftp.site1.example.com.? 5. No, but DNS server 2 should. 6. Do you know the address of ftp.site1.example.com.? 7. No, but DNS server 3 should. 8. Do you know the address of ftp.site1.example.com.? 9. Yes, here it is.

When a client, such as a browser, needs the IP address that corresponds to a domain name, the client queries a resolver. Most resolvers are quite simple and require a DNS server to do most of the work—that is, they send recursive queries. The resolver communicates with a single DNS server, which can perform multiple iterative queries in response to the resolver's recursive query.

All DNS servers must answer iterative queries. DNS servers can also be set up to answer recursive queries. A DNS server that is not set up to answer recursive queries treats a recursive query as though it is an iterative query.
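As an added illustration of the iterative/recursive distinction (example code written for this page, not from the book or from BIND), the following Python model plays out Figure 24-4: a caching server resolves the resolver's recursive query by sending iterative queries down a constructed delegation chain (root, com., example.com., site1.example.com.), while an authoritative server that receives a recursive query simply answers it iteratively. The server names and the 192.0.2.x addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Answer:
    """Result of one iterative query: an address, a referral, or neither."""
    address: Optional[str] = None    # set when the server is authoritative for qname
    referral: Optional[str] = None   # name of the server to ask next


@dataclass
class AuthServer:
    """An authoritative server for one zone. It never queries anyone else,
    so a recursive query it receives is handled as an iterative one."""
    name: str
    zone: str                                                  # "com.", "example.com.", ...
    a_records: Dict[str, str] = field(default_factory=dict)    # owner name -> IPv4 address
    delegations: Dict[str, str] = field(default_factory=dict)  # child zone -> server name

    def iterative_query(self, qname: str) -> Answer:
        if qname in self.a_records:            # authoritative data: the final answer
            return Answer(address=self.a_records[qname])
        # Otherwise refer the asker to the closest enclosing child zone we delegate.
        best: Optional[Tuple[str, str]] = None
        for child, server in self.delegations.items():
            if qname == child or qname.endswith("." + child):
                if best is None or len(child) > len(best[0]):
                    best = (child, server)
        return Answer(referral=best[1]) if best else Answer()  # empty: name unknown here

    def recursive_query(self, qname: str) -> Answer:
        return self.iterative_query(qname)     # not configured for recursion


class CachingServer:
    """The resolver's DNS server: answers recursive queries by walking the
    delegation chain with iterative queries and caching what it learns."""

    def __init__(self, servers: Dict[str, AuthServer], root_server: str):
        self.servers = servers
        self.root_server = root_server
        self.cache: Dict[str, str] = {}
        self.log: List[Tuple[str, str]] = []   # (server asked, qname), for inspection

    def recursive_query(self, qname: str, max_hops: int = 8) -> Optional[str]:
        if qname in self.cache:
            return self.cache[qname]
        current = self.root_server             # in practice com. is usually cached already
        for _ in range(max_hops):
            self.log.append((current, qname))
            ans = self.servers[current].iterative_query(qname)
            if ans.address is not None:
                self.cache[qname] = ans.address
                return ans.address
            if ans.referral is None or ans.referral == current:
                return None                    # no server is authoritative: failure
            current = ans.referral
        return None                            # loop guard against referral cycles


def build_network() -> CachingServer:
    """Constructed delegation chain mirroring the zones of Figure 24-4."""
    servers = {
        "root-ns": AuthServer("root-ns", ".", delegations={"com.": "com-ns"}),
        "com-ns": AuthServer("com-ns", "com.", delegations={"example.com.": "example-ns"}),
        "example-ns": AuthServer("example-ns", "example.com.",
                                 a_records={"www.example.com.": "192.0.2.1"},
                                 delegations={"site1.example.com.": "site1-ns"}),
        "site1-ns": AuthServer("site1-ns", "site1.example.com.",
                               a_records={"ftp.site1.example.com.": "192.0.2.10"}),
    }
    return CachingServer(servers, "root-ns")


def resolve_with_trace(qname: str) -> Tuple[Optional[str], List[str]]:
    """Answer one recursive query and return the servers asked, in order."""
    cache = build_network()
    addr = cache.recursive_query(qname)
    return addr, [server for server, _ in cache.log]


if __name__ == "__main__":
    address, path = resolve_with_trace("ftp.site1.example.com.")
    print(address, "via", " -> ".join(path))
```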
In Figure 24-4, the resolver on a client system is trying to discover the IP address of the server ftp.site1.example.com. on the network with the DNS layout shown in Figure 24-3 on page 825. The resolver on the client sends a recursive query to its primary DNS server. This server interrogates the root server and one additional server for each zone until it receives an answer, which it returns to the resolver on the client. In practice, the query would not start with the root server because most servers have the location of the authoritative nameserver for the com. domain stored in cache (memory).

SERVERS

There are three main types of DNS servers: primary (master), secondary (slave), and caching-only.

• A primary master server, also called a primary server or master server, is the authoritative server that holds the master copy of zone data. It copies information from the zone or master file, a local file that the server administrator maintains. For security and efficiency, a primary master server should provide iterative answers only. A primary master server that provides recursive answers is more easily subverted by a DoS attack (page 1146) than one that provides iterative answers only.

• Slave servers, also called secondary servers, are authoritative and copy zone information from the primary master server or another slave server.
On some systems, when information on the primary master server changes, the primary master server notifies the slave servers. When a slave receives such a message, it uses a process called zone transfer to copy the new zone information from the master server to itself.

• DNS caches, also called caching-only servers, are not authoritative. These servers store answers to previous queries in cache (memory). When a DNS cache receives a query, it answers it from cache if it can. If the DNS cache does not have the answer in cache, it forwards the query to an authoritative server.

It is possible—but for reasons of security not recommended—for the same server to be the primary master server (authoritative) for some zones and a DNS cache for others. When the same server acts as both a DNS cache and a master server, if a malicious local user or malfunctioning resolver on the local network floods the DNS cache with more traffic than it can handle (a DoS attack), users may be prevented from accessing the public servers handled by the primary master server. Conversely, if the authoritative server is compromised, the attacker can subvert all traffic leaving the network.

RESOURCE RECORDS

Resource records store information about nodes (domains) in the DNS database and are kept in zone files (page 838).
The zone that a resource record pertains to is defined by the zone file that contains the resource record. The zone is named in the named.conf file (page 836) that references the zone file. A resource record has the following fields:

• Name—The domain name or IP address
• TTL—Time to live (not in all resource records; see page 1178)
• Class—Always IN for Internet (the only class supported by DNS)
• Type—Record type (discussed in the next section)
• Data—Varies with record type

If the Name field is missing, the resource record inherits the name from the previous resource record in the same file. Cached resource records become out-of-date when the information in the record changes on the authoritative server. The TTL field indicates the maximum amount of time a server may keep a record in cache before checking whether a newer one is available. Typically the TTL is on the order of days. A TTL of 0 (zero) means that the resource record should not be cached.

More than 30 types of resource records exist, ranging from common types, such as address records that store the address of a host, to those that contain geographical information. The following paragraphs describe the types of resource records you are most likely to encounter.

A  IPv4 Address
Maps a domain name to the IPv4 address of a host. There must be at least one address record for each domain; multiple address records can point to the same IP address. The Name field holds the domain name, which is assumed to be in the same zone as the domain. The Data field holds the IP address associated with the name. The following address resource record maps the ns domain in the zone to 192.168.0.1:

    ns      IN  A     192.168.0.1

AAAA  IPv6 Address
Maps a domain name to the IPv6 address of a host. The following address resource record maps the ns domain in the zone to an IPv6 address:

    ns      IN  AAAA  2001:630:d0:131:a00:20ff:feb5:ef1e

CNAME  Canonical Name
Maps an alias or nickname to a domain name. The Name field holds the alias or nickname; the Data field holds the official or canonical name. CNAME is useful for specifying an easy-to-remember name or multiple names for the same domain. It is also useful when a system changes names or IP addresses. In this case the alias can point to the real name that must resolve to an IP address. When a query returns a CNAME, a client or DNS tool performs a DNS lookup on the domain name returned with the CNAME. It is acceptable to provide multiple levels of CNAME records. The following resource record maps ftp in the zone to www.sam.net.:

    ftp     IN  CNAME www.sam.net.

MX  Mail Exchange
Specifies a destination for mail addressed to the domain. MX records must always point to A (or AAAA) records. The Name field holds the domain name, which is assumed to be in the zone; the Data field holds the name of a mail server preceded by its priority. Unlike A records, MX records contain a priority number that allows mail delivery agents to fall back to a backup server if the primary server is down. Several mail servers can be ranked in priority order, where the lowest number has the highest priority. DNS selects randomly from among mail servers with the same priority. The following resource records forward mail sent to speedy in the zone first to mail in the zone and then, if that attempt fails, to mail.sam.net.. The value of speedy in the Name field on the second line is implicit.

    speedy  IN  MX    10 mail
            IN  MX    20 mail.sam.net.

NS  Nameserver
Specifies the name of the system that provides domain service (DNS records) for the domain. The Name field holds the domain name; the Data field holds the name of the DNS server. Each domain must have at least one NS record. DNS servers do not need to reside in the domain and, in fact, it is better if at least one does not. The system name ns is frequently used to specify a nameserver, but this name is not required and does not have any significance beyond assisting humans in identifying a nameserver. The following resource record specifies ns.max.net. as a nameserver for peach in the zone:

    peach   IN  NS    ns.max.net.
PTR  Pointer
Maps an IP address to a domain name and is used for reverse name resolution. The Name field holds the IP address; the Data field holds the domain name. Do not use PTR resource records with aliases. The following resource record maps 3 in a reverse zone (for example, 3 in the 0.168.192.in-addr.arpa zone is 192.168.0.3) to peach in the zone:

    3       IN  PTR   peach

For more information refer to "Reverse Name Resolution" on page 831.

SOA  Start of Authority
Designates the start of a zone. Each zone must have exactly one SOA record. An authoritative server maintains the SOA record for the zone it is authoritative for. All zone files must have one SOA resource record, which must be the first resource record in the file. The Name field holds the name of the domain at the start of the zone. The Data field holds the name of the host the data was created on, the email address of the person responsible for the zone, and the following information, which must be enclosed within parentheses if the record does not fit on one line. If this information is enclosed within parentheses (and it usually is), the opening parenthesis must appear on the first physical line of the SOA record:

serial  A value in the range 1 to 2,147,483,647. A change in this number indicates the zone data has changed. By convention, this field is set to the string yyyymmddnn (year, month, day, change number).
Along with the date, the final two digits—that is, the change number—should be incremented each time you change the SOA record.

refresh  The elapsed time after which the primary master server notifies slave (secondary) servers to refresh the record; the amount of time between updates.

retry  The time to wait after a refresh fails before trying to refresh again.

expiry  The elapsed time after which the zone is no longer authoritative and the root servers must be queried. The expiry applies to slave servers only.

minimum  The negative caching (page 1161) TTL, which is the amount of time that a nonexistent domain error (NXDOMAIN) can be held in a slave server's cache. A negative caching TTL is the same as a normal TTL except that it applies to domains that do not exist rather than to domains that do exist. The $TTL directive (page 839) specifies the default zone TTL (the maximum amount of time data stays in a slave server's cache). Jointly, the default zone TTL and the negative caching TTL encompass all types of replies the server can generate.

If you will be adding subdomains or modifying existing domains frequently, set the negative caching TTL to a low number. A short TTL increases traffic to DNS for clients requesting domains that do not exist, but allows new domains to propagate quickly, albeit at the expense of increased traffic.
The following two SOA resource records are equivalent (the parentheses in the first record are optional because the record fits on one physical line):

    @ IN SOA ns.zach.net. mgs@sobell.com. ( 2010111247 8H 2H 4W 1D )

    @ IN SOA ns.zach.net. mgs@sobell.com. (
                            2010111247      ; serial
                            8H              ; refresh
                            2H              ; retry
                            4W              ; expire
                            1D )            ; minimum

The second format is more readable because of its layout and the comments. The at symbol (@) at the start of the SOA resource record stands for the zone name (also called the origin) as specified in the named.conf file. Because the named.conf file specifies the zone name to be zach.net, you could rewrite the first line as follows:

    zach.net. IN SOA ns.zach.net. mgs@sobell.com. (

The host utility returns something closer to the first format with each of the times specified in seconds:

    $ host -t soa zach.net
    zach.net. SOA ns.zach.net. mgs\@sobell.com. 03111 28800 7200 2419200 86400

TXT  Text
Associates a character string with a domain. The Name field holds the domain name. The data field can contain up to 256 characters and must be enclosed within quotation marks. TXT records can contain any arbitrary text value. As well as general information, they can be used for things such as public key distribution. Following is a TXT resource record that specifies a company name:

    zach.net IN TXT "Sobell Associates Inc."
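The record conventions described in this section (an omitted Name field inherits the previous owner, @ stands for the origin, the TTL is optional, the SOA may span lines in parentheses, and times may carry S/M/H/D/W suffixes) are exactly what a zone-file parser has to handle. The following Python parser is an added example, not the book's or BIND's code; it reads a constructed zone file collecting the records shown above under the zach.net. origin and converts the SOA timers to seconds the way host displays them. The $TTL line is an assumption added to the sample.

```python
import re
from typing import List, Optional, Tuple

# Constructed zone file collecting the records shown in this section (origin zach.net.).
SAMPLE_ZONE = """\
$TTL 1D                     ; default TTL for records that carry none (constructed)
@       IN  SOA ns.zach.net. mgs@sobell.com. (
                2010111247  ; serial
                8H          ; refresh
                2H          ; retry
                4W          ; expire
                1D )        ; minimum
ns      IN  A     192.168.0.1
ns      IN  AAAA  2001:630:d0:131:a00:20ff:feb5:ef1e
ftp     IN  CNAME www.sam.net.
speedy  IN  MX    10 mail
        IN  MX    20 mail.sam.net.
peach   IN  NS    ns.max.net.
@       IN  TXT   "Sobell Associates Inc."
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
TIME_RE = re.compile(r"^(\d+)([SMHDW])?$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()]+')   # quoted string, paren, or word
NAME_FIELDS = {"CNAME": [0], "NS": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}
Record = Tuple[str, Optional[int], str, str, List[str]]   # owner, ttl, class, type, rdata

def to_seconds(value: str) -> int:
    """Zone-file time with optional suffix: '8H' -> 28800, '4W' -> 2419200."""
    m = TIME_RE.match(value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "S").upper()]

def strip_comment(line: str) -> str:
    """Remove a ';' comment unless the ';' sits inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line

def qualify(name: str, origin: str) -> str:
    """@ means the origin; a name without a trailing dot is relative to it,
    so an owner written as zach.net (no dot) would become zach.net.zach.net."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str) -> List[Record]:
    records: List[Record] = []
    default_ttl: Optional[int] = None
    previous_owner: Optional[str] = None
    pending, indented, depth = [], False, 0   # tokens so far, leading blanks?, ( nesting
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        if depth == 0:               # a new record starts on this physical line
            pending, indented = [], raw[0].isspace()
        for tok in TOKEN_RE.findall(line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                pending.append(tok)
        if depth > 0:
            continue                 # still inside ( ... ): keep reading lines
        toks = pending
        if toks[0].upper() == "$TTL":
            default_ttl = to_seconds(toks[1])
            continue
        if indented and previous_owner is None:
            raise ValueError("first record lacks a Name field")
        owner = previous_owner if indented else qualify(toks.pop(0), origin)
        previous_owner = owner
        ttl = default_ttl
        if TIME_RE.match(toks[0]):   # optional per-record TTL
            ttl = to_seconds(toks.pop(0))
        if toks[0].upper() == "IN":  # class is optional in the file; always IN
            toks.pop(0)
        rtype = toks.pop(0).upper()
        rdata = list(toks)
        for idx in NAME_FIELDS.get(rtype, []):
            rdata[idx] = qualify(rdata[idx], origin)
        if rtype == "SOA":           # serial stays a string; refresh..minimum -> seconds
            rdata[3:7] = [str(to_seconds(v)) for v in rdata[3:7]]
        records.append((owner, ttl, "IN", rtype, rdata))
    return records

def soa_as_host_shows(records: List[Record]) -> str:
    """Render the SOA as 'host -t soa' prints it: one line, times in seconds."""
    owner, _, _, _, rdata = next(r for r in records if r[3] == "SOA")
    mname, rname, *rest = rdata
    escaped = rname.replace("@", "\\@")      # host escapes a literal @ in the rname
    return f"{owner} SOA {mname} {escaped} " + " ".join(rest)
```

The TXT record is written with an @ owner here because, under the trailing-dot rule the parser applies, an owner spelled zach.net without the dot is relative and qualifies to zach.net.zach.net., a classic zone-file mistake.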
DNS QUERIES AND RESPONSES

Queries
A DNS query has three parts:

1. Name—Domain name, FQDN, or IP address for reverse name resolution
2. Type—Type of record requested (page 827)
3. Class—Always IN for Internet class

Cache
Most DNS servers store in cache memory the query responses from other DNS servers. When a DNS server receives a query, it first tries to resolve the query from its cache. If that attempt fails, the server may query other servers to get an answer. Because DNS uses cache, when you make a change to a DNS record, the change takes time—sometimes a matter of days—to propagate throughout the hierarchy.

DNS Responses
A DNS message sent in response to a query can hold the following records:

• Header record—Information about this message
• Query record—Repeats the query
• Answer records—Resource records that answer the query
• Authority records—Resource records for servers that have authority for the answers
• Additional records—Additional resource records, such as NS records

The dig utility does not consult /etc/nsswitch.conf (page 475) to determine which server to query. The following example uses dig to query a DNS server. The +all option causes dig to query for all records.

    $ dig +all ubuntu.com
    ; <<>> DiG 9.7.0-P1 <<>> +all ubuntu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51842
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;ubuntu.com.                    IN      A

    ;; ANSWER SECTION:
    ubuntu.com.             600     IN      A       91.189.94.156

    ;; AUTHORITY SECTION:
    ubuntu.com.             50715   IN      NS      ns2.canonical.com.
    ubuntu.com.             50715   IN      NS      ns3.canonical.com.
    ubuntu.com.             50715   IN      NS      ns1.canonical.com.

    ;; ADDITIONAL SECTION:
    ns1.canonical.com.      78819   IN      A       91.189.94.173
    ns2.canonical.com.      78819   IN      A       91.189.94.219
    ns3.canonical.com.      78819   IN      A       209.6.3.210

REVERSE NAME RESOLUTION

In addition to normal or forward name resolution, DNS provides reverse name resolution (also referred to as inverse mapping or reverse mapping) so you can look up domain names given an IP address. Because resource records in the forward DNS database are indexed hierarchically by domain name, DNS cannot perform an efficient search by IP address on this database.

DNS implements reverse name resolution by means of special domains named in-addr.arpa (IPv4) and ip6.int (IPv6). Resource records in these domains have Name fields that hold IP addresses; the records are indexed hierarchically by IP address. The Data fields hold the FQDNs that correspond to these IP addresses.

Reverse name resolution can verify that someone is who he says he is or at least is from the domain he says he is from.
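The reverse lookup just described, and the sender check a mail server can build on it, as an added Python example (not the book's code): it derives the in-addr.arpa name from an IPv4 address and back, then closes the loop with a forward lookup, because a PTR record is written by whoever runs the reverse zone and proves nothing about the name on its own. The PTR and A tables are constructed stand-ins for what dig or host would return; the 198.51.100.7 entry is a constructed example of a reverse zone claiming a name it does not own.

```python
import ipaddress
from typing import Dict, List, Optional

REVERSE_SUFFIX = ".in-addr.arpa."


def reverse_name(ip: str) -> str:
    """'209.157.128.22' -> '22.128.157.209.in-addr.arpa.' (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)              # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + REVERSE_SUFFIX


def ip_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name: '22.128.157.209.in-addr.arpa.' -> '209.157.128.22'."""
    if not name.endswith(REVERSE_SUFFIX):
        raise ValueError(f"not an in-addr.arpa name: {name!r}")
    octets = name[: -len(REVERSE_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError("reverse name must cover a full host address")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


# Constructed reverse (PTR) and forward (A) data standing in for live DNS answers.
PTR_TABLE: Dict[str, str] = {
    "22.128.157.209.in-addr.arpa.": "www.sobell.com.",
    "7.100.51.198.in-addr.arpa.": "www.sobell.com.",  # constructed: PTR claims a name it doesn't own
}
A_TABLE: Dict[str, List[str]] = {
    "www.sobell.com.": ["209.157.128.22"],
}


def forward_confirmed(ip: str,
                      ptr_table: Dict[str, str] = PTR_TABLE,
                      a_table: Dict[str, List[str]] = A_TABLE) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only if that name's
    A records include the address we started from, otherwise None.
    This is the extra step a mail server needs after the PTR lookup: the PTR
    alone is controlled by the owner of the address block, not of the domain."""
    ptr = ptr_table.get(reverse_name(ip))
    if ptr is None:
        return None                               # no reverse mapping at all
    return ptr if ip in a_table.get(ptr, []) else None


if __name__ == "__main__":
    for candidate in ("209.157.128.22", "198.51.100.7", "192.0.2.9"):
        print(candidate, reverse_name(candidate), forward_confirmed(candidate))
```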
In general, it allows a server to retrieve and record the domain names of the clients it provides services to. For example, legitimate mail contains the domain of the sender and the IP address of the sending machine. A mail server can verify the stated domain of a sender by checking the domain associated with the IP address. Reverse name resolution can also be used by anonymous FTP servers to verify that a domain specified in an email address used as a password is legitimate.

For example, to determine the domain name that corresponds to the IP address 82.211.81.150 in Figure 24-5 on the next page, a resolver would query DNS for information about the domain named 150.81.211.82.in-addr.arpa.

Figure 24-5 Reverse name resolution and the in-addr.arpa domain

The following example uses dig to query DNS for the IP address that corresponds to www.sobell.com, which is 209.157.128.22. The second command line uses the dig utility to query the same IP address, reversed and appended with .in-addr.arpa (22.128.157.209.in-addr.arpa), to display a PTR resource record (page 828). The data portion of the resultant resource record is the domain name from the original query: www.sobell.com.

    $ dig www.sobell.com
    ;; QUESTION SECTION:
    ;www.sobell.com.                IN      A

    ;; ANSWER SECTION:
    www.sobell.com.         2274    IN      A       209.157.128.22

    $ dig 22.128.157.209.in-addr.arpa PTR
    ;; QUESTION SECTION:
    ;22.128.157.209.in-addr.arpa.   IN      PTR

    ;; ANSWER SECTION:
    22.128.157.209.in-addr.arpa. 2244 IN    PTR     www.sobell.com.

Instead of reformatting the IP address as in the preceding example, you can use the -x option to dig to perform a reverse query:

    $ dig -x 209.157.128.22
    ;; QUESTION SECTION:
    ;22.128.157.209.in-addr.arpa.   IN      PTR

    ;; ANSWER SECTION:
    22.128.157.209.in-addr.arpa. 2204 IN    PTR     www.sobell.com.

Alternatively, you can just use host:

    $ host 209.157.128.22
    22.128.157.209.in-addr.arpa domain name pointer www.sobell.com.

HOW DNS WORKS

Application programs do not issue DNS queries directly but rather use the gethostbyname() system call. How the system comes up with the corresponding IP address is transparent to the calling program. The gethostbyname() call examines the hosts line in /etc/nsswitch.conf (page 475) to determine which files it should examine and/or which services it should query and in what order to obtain the IP address corresponding to a domain name. When it needs to query DNS, the local system (i.e., the DNS client) queries the DNS database by calling the resolver library on the local system. This call returns the required information to the application program.

MORE INFORMATION

DNS for Rocket Scientists is an excellent site that makes good use of links to present information on DNS in a very digestible form. The same information is available in the Pro DNS and BIND book.

Local  Bind Administrator Reference Manual: /usr/share/doc/bind9-doc/arm/Bv9ARM.html
Web
DNS for Rocket Scientists: www.zytrax.com/books/dns
BIND: www.isc.org/products/BIND
DNS security: www.sans.org/reading_room/whitepapers/dns/1069.php (downloadable PDF file)

HOWTO
DNS HOWTO

Book
DNS & BIND, fifth edition, by Albitz & Liu, O'Reilly & Associates (May 2006)
Pro DNS and BIND, first edition, by Ron Aitchison, Apress (August 2005)

NOTES

Terms: DNS and named
The name of the DNS server is named. This chapter uses "DNS" and "named" interchangeably.

Firewall
The named server normally accepts queries on TCP and UDP port 53. If the server system is running a firewall, you need to open these ports. Using gufw (page 876), open this port by setting a policy that allows service for DNS.

chroot jail
The bind-chroot.sh script sets up named to run in a chroot jail. After you run this script, all files that control BIND are located within this jail. In this case the filenames used in this chapter are symbolic links to the files in the chroot jail. See page 847 for more information.

named options
The /etc/default/bind9 file is installed with the resolvconf package. If this package is installed, when the bind9 init script starts or restarts the named server, but not when it just reloads the configuration files, it reads the options in the /etc/default/bind9 file. If the RESOLVCONF variable is set to yes (as it is by default), the script runs resolvconf, which rebuilds /etc/resolv.conf. You can cause the script not to run resolvconf by setting RESOLVCONF to no. The -u bind option causes named to run as the user named bind.

    $ cat /etc/default/bind9
    # run resolvconf?
    RESOLVCONF=yes

    # startup options for the server
    OPTIONS="-u bind"

SETTING UP A DNS SERVER

This section starts with an explanation of how to set up the simplest type of DNS server, a DNS cache.

PREREQUISITES

Installation
Install the following packages:

• bind9 (automatically installs bind9utils)
• bind9-doc (optional; installs bind documentation)
• dnsutils (installed by default; includes dig, nslookup, and nsupdate)

bind9 init script
When you install the bind9 package, the dpkg postinst script starts the named daemon. After you configure BIND, call the bind9 init script to restart the named daemon:

    $ sudo service bind9 restart

After changing the BIND configuration on an active server, use reload in place of restart to reload named configuration files without disturbing clients connected to the server. By default, starting or restarting—but not reloading—named runs resolvconf, which rebuilds the /etc/resolv.conf file. See "named options" above for more information.
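The reverse lookups shown under "Reverse Name Resolution" above, and the mail-server check that section describes, as an added example (not code from the book): the first function builds the in-addr.arpa owner name the way the dig examples do (and the ip6.arpa form for IPv6; the text calls that tree ip6.int, its older name), and the second performs forward-confirmed reverse DNS, accepting a PTR name only if it resolves back to the same address and, optionally, lies in the domain the client claims. SAMPLE_DNS is a constructed in-memory resolver table standing in for live DNS so the script runs offline; the 209.157.128.22 / www.sobell.com pair is taken from the dig output above, the 82.211.81.150 entries are made up and deliberately inconsistent.

```python
"""Reverse name construction and forward-confirmed reverse DNS (FCrDNS).

Added example, not part of the book. SAMPLE_DNS is a constructed resolver
table, not live DNS.
"""
import ipaddress


def reverse_name(ip):
    """PTR owner name for an address: 209.157.128.22 -> 22.128.157.209.in-addr.arpa.
    IPv6 is nibble-reversed under ip6.arpa (RFC 3596), e.g. ::1 -> 1.0.0. ... .ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")          # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed resolver table: (owner name, record type) -> list of rdata.
SAMPLE_DNS = {
    ("22.128.157.209.in-addr.arpa.", "PTR"): ["www.sobell.com."],
    ("www.sobell.com.", "A"): ["209.157.128.22"],
    # A PTR exists, but the forward record points elsewhere: stale or forged.
    ("150.81.211.82.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["82.211.81.151"],
    # 10.0.0.5 has no PTR record at all.
}


def lookup(name, rtype, table=SAMPLE_DNS):
    return table.get((name, rtype), [])


def fcrdns(ip, claimed_domain=None, table=SAMPLE_DNS):
    """Return (verdict, names). Verdicts:
    'no-ptr'          the address has no PTR record
    'mismatch'        PTR names exist but none resolves back to the address
    'domain-mismatch' a name resolves back but is outside claimed_domain
    'confirmed'       a PTR name resolves back (and matches the claim, if any)."""
    addr = ipaddress.ip_address(ip)
    forward_type = "A" if addr.version == 4 else "AAAA"
    ptrs = lookup(reverse_name(ip), "PTR", table)
    if not ptrs:
        return "no-ptr", []
    # The reverse zone is controlled by whoever holds the address block, so a
    # PTR alone proves nothing: require the forward record to point back.
    confirmed = [n for n in ptrs
                 if str(addr) in [str(ipaddress.ip_address(a))
                                  for a in lookup(n, forward_type, table)]]
    if not confirmed:
        return "mismatch", ptrs
    if claimed_domain is not None:
        dom = claimed_domain.lower().rstrip(".") + "."
        if not any(n.lower() == dom or n.lower().endswith("." + dom) for n in confirmed):
            return "domain-mismatch", confirmed
    return "confirmed", confirmed


if __name__ == "__main__":
    for ip, claim in [("209.157.128.22", "sobell.com"), ("82.211.81.150", None), ("10.0.0.5", None)]:
        print(ip, reverse_name(ip), fcrdns(ip, claim))
```

The forward confirmation is the step that matters for the mail-server use the text describes: the owner of an address block can publish any PTR name it likes in its reverse zone, but it cannot make the forward zone of someone else's domain point back at that address.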
JUMPSTART: SETTING UP A DNS CACHE

As explained earlier, a DNS cache is a bridge between a resolver and authoritative DNS servers: It is not authoritative, but simply stores the results of its queries in memory. Most ISPs provide a DNS cache for the use of their customers. Setting up a local cache can reduce the traffic between the LAN and the outside world, thereby improving response times. While it is possible to set up a DNS cache on each system on a LAN, setting up a single DNS cache on a LAN prevents multiple systems on the LAN from having to query a remote server for the same information.

After installing BIND, you have most of a caching-only nameserver ready to run. Refer to "Setting Up a DNS Cache" on page 839 for an explanation of which files this nameserver uses and how it works.

resolvconf and resolv.conf
Before you start the DNS cache, you need to modify the /etc/resolv.conf file (page 496). How you go about modifying this file depends on whether the resolvconf package is installed and set up to run on the local system. When you give the command resolvconf, a usage message tells you the package is installed, whereas a not installed message tells you it is not installed.
If resolvconf is not installed or you have turned it off as explained in "named options," put the following line in /etc/resolv.conf, before other nameserver lines:

    nameserver 127.0.0.1

If resolvconf is installed and is set up to rebuild resolv.conf when you run the bind9 init script (page 834), put the preceding line in /etc/resolvconf/resolv.conf.d/head, following the comments and before any other nameserver lines. You can ignore the comment telling you not to edit the file: This comment is intended for someone who is trying to edit /etc/resolv.conf. You must put this line in the head file so resolvconf puts it in resolv.conf before any other nameserver lines; otherwise the local DNS cache will never be used. Put other nameserver lines in base in the same directory as needed.

The nameserver line tells the resolver to use the local system (localhost or 127.0.0.1) as the primary nameserver. To experiment with using the local system as the only nameserver, comment out other nameserver lines in resolv.conf or base by preceding each with a hash mark (#).

Finally, run the bind9 init script to restart the named daemon (page 834). When you do so, if resolvconf is installed and set up to run, the bind9 init script will rebuild resolv.conf. See the resolver and resolv.conf man pages for more information on resolv.conf.
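The resolv.conf edit described in the preceding paragraphs, as an added example (not code from the book or from the resolvconf package): the functions work on the text of /etc/resolv.conf or /etc/resolvconf/resolv.conf.d/head so they can be tried on a copy of the file; one places the local cache first, after the comment block, one comments out every other nameserver for the experiment the text suggests, and one reports which nameserver the resolver will actually try first. SAMPLE_HEAD is constructed (its comment mimics the one the head file carries) and stands in for the real file.

```python
"""Keep the local DNS cache first in resolv.conf-style files.

Added example, not from the book. SAMPLE_HEAD is a constructed stand-in for
/etc/resolvconf/resolv.conf.d/head.
"""
import re

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def first_nameserver(text):
    """Address on the first nameserver line, or None. The resolver tries this
    one first, so it must be 127.0.0.1 for the local cache to be used at all."""
    m = NAMESERVER_RE.search(text)
    return m.group(1) if m else None


def ensure_local_nameserver_first(text, local="127.0.0.1"):
    """Return text with 'nameserver <local>' after the leading comments and
    before every other nameserver line. Applying it twice changes nothing."""
    local_line = re.compile(rf"^\s*nameserver\s+{re.escape(local)}\s*$")
    kept = [line for line in text.splitlines() if not local_line.match(line)]
    idx = 0
    while idx < len(kept) and (not kept[idx].strip() or kept[idx].lstrip().startswith("#")):
        idx += 1                                   # skip the comment block
    kept.insert(idx, f"nameserver {local}")
    return "\n".join(kept) + "\n"


def comment_out_other_nameservers(text, local="127.0.0.1"):
    """The experiment in the text: leave the local cache as the only resolver
    by prefixing every other nameserver line with a hash mark."""
    out = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        out.append("#" + line if m and m.group(1) != local else line)
    return "\n".join(out) + "\n"


# Constructed sample: two upstream resolvers, local cache not yet listed.
SAMPLE_HEAD = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.1.1
nameserver 192.168.1.2
"""

if __name__ == "__main__":
    fixed = ensure_local_nameserver_first(SAMPLE_HEAD)
    print(fixed)
    print("first nameserver:", first_nameserver(fixed))
    print(comment_out_other_nameservers(fixed))
```

Run first_nameserver over the generated /etc/resolv.conf after restarting bind9: if it does not report 127.0.0.1, the line landed in the wrong file (base instead of head) or below another nameserver line, and the cache is being bypassed.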
Refer to "Troubleshooting" on page 849 for ways to confirm that the DNS cache is working. Once you have restarted named, you can see the effect of the cache using dig to look up the IP address of a remote system:

    $ dig www.ubuntu.com

    ; <<>> DiG 9.7.0-P1 <<>> www.ubuntu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19622
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.ubuntu.com.                IN      A

    ;; ANSWER SECTION:
    www.ubuntu.com.         585     IN      A       91.189.90.40

    ;; Query time: 496 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Apr  5 16:45:38 2010
    ;; MSG SIZE  rcvd: 112

The fourth line from the bottom of the example on the preceding page shows that this query took 496 milliseconds (about one-half of a second). When you run the same query again, it runs more quickly because the DNS cache has saved the information locally in memory:

    $ dig www.ubuntu.com
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Apr  5 16:45:46 2010
    ;; MSG SIZE  rcvd: 112

CONFIGURING A DNS SERVER

This section discusses the /etc/bind/named.conf file, zone files, implementation of a DNS cache, and running DNS inside a chroot jail.

named.conf: THE named CONFIGURATION FILE

Configuration information for named is kept in /etc/bind/named.conf. By default, the zone files reside in /etc/bind.
If you are running named in a chroot jail, these files are kept in /var/lib/named/etc/bind, with a link in /etc/bind (page 847).

Tip: Try not to modify named.conf
The Ubuntu bind9 package breaks the named.conf file distributed with BIND into four files: named.conf, named.conf.default-zones, named.conf.local, and named.conf.options. There are two motivations for breaking this file apart. First, it makes the configuration files easier to understand. Second, it enables you to configure named without modifying named.conf. This setup allows the bind9 package to be upgraded, including changes to named.conf, without requiring you to modify the local configuration. When you configure named, try to put your changes in the named.conf.options and named.conf.local files. For more complex setups it may be easier to modify named.conf and carry those changes forward when bind9 is upgraded.

IP-list
In the descriptions in this section, IP-list is a semicolon-separated list of IP addresses, where each IP address is optionally followed by a slash and a subnet mask length (page 462). Prefix an IP-list with an exclamation point (!) to negate it. Builtin names you can use in IP-list include any, none, and localhost. You must enclose these builtin names within double quotation marks.

COMMENTS

Within named.conf, specify a comment by preceding it with a hash mark (#) as in a Perl or shell program, preceding it with a double slash (//) as in a C++ program, or enclosing it between /* and */ as in a C program. Within a DNS db.* file, a comment starts with a semicolon (;).
INCLUDED FILES

An include statement within the named.conf file includes the file named as its argument as though its contents appeared inline in the named.conf file. The default Ubuntu named.conf file includes the /etc/bind/named.conf.options, /etc/bind/named.conf.local, and /etc/bind/named.conf.default-zones files. The named.conf.options file holds the Options clause of named.conf. The named.conf.default-zones file defines the default zones. The named.conf.local file gives you a place to put local configuration information.

OPTIONS CLAUSE

Option statements can appear in two places: in the Options clause found in named.conf.options and in the Zone clauses found in named.conf.default-zones. Option statements within the Options clause apply globally. When an option statement appears in a Zone clause, the option applies to the zone, and within that zone, overrides a corresponding global option.

An Options clause starts with the keyword options and continues with braces surrounding the statements. Following is a list of some option statements. Statements that can appear only in an Options clause and statements that cannot appear in a View clause (page 855) are so noted.

allow-query {IP-list}
Allows queries from IP-list only. Without this option, the server responds to all queries.

allow-recursion {IP-list}
Specifies systems for which this server will perform recursive queries (page 825). For systems not in IP-list, the server performs iterative queries only. Without this option, the server performs recursive queries for any system.
This statement may be overridden by the recursion statement.

allow-transfer {IP-list}
Specifies systems that are allowed to perform zone transfers from this server. Specify an IP-list of "none" (include the quotation marks) to prevent zone transfers. For a more secure network, include only trusted systems in IP-list because systems on the list can obtain a list of all systems on the network.

directory path
Specifies the absolute pathname of the directory containing the zone files. Under Ubuntu Linux, this directory is initially /var/cache/bind. Relative pathnames specified in named.conf are relative to this directory. Options clause only; not in View clause.

forward ONLY|FIRST
ONLY forwards all queries and fails if it does not receive an answer. FIRST forwards all queries and, if a query does not receive an answer, attempts to find an answer using additional queries. Valid with the forwarders statement only.

forwarders {IP [port] [; ...]}
Specifies IP addresses and optionally port numbers that queries are forwarded to. See the forward statement.

notify YES|NO
YES sends a message to slave servers for the zone when zone information changes. Master servers only. See page 854.

recursion YES|NO
YES (default) provides recursive queries (page 825) if the client requests. NO provides iterative queries only (page 825). An answer is always returned if it appears in the server's cache.
This statement overrides allow-recursion statements. Options clause only.

ZONE CLAUSE

A Zone clause defines a zone and can include any of the statements listed for the Options clause except as noted. A Zone clause is introduced by the keyword zone, the name of the zone enclosed within double quotation marks, and the class (always IN). The body of the Zone clause consists of a pair of braces surrounding one or more zone statements. See the listing of named.conf.default-zones on page 840 for examples of Zone clauses. Following is a list of some zone statements:

allow-update {IP-list}
Specifies systems that are allowed to update this zone dynamically. This statement may be useful when hosting a master DNS server for a domain owned by someone other than the local administrator because it allows a remote user to update the DNS entry without granting the user access to the server.

file filename
Specifies the zone file—the file that specifies the characteristics of the zone. The filename is relative to the directory specified by the directory statement in the Options clause. The file statement is mandatory for master and hint zones. Including it for slave zones is a good idea (see type).

masters (IP-list)
Specifies systems that a slave zone can use to update zone files. Slave zones only.
type ztype
Specifies the type of zone defined by this clause. Choose ztype from the following list:

• forward—Specifies a forward zone, which forwards queries directed to this zone. See the forward and/or forwarders statements in the Options clause.
• hint—Specifies a hint zone. A hint zone lists root servers that the local server queries when it starts and when it cannot find an answer in its cache.
• master—Specifies the local system as a primary master server (page 826) for this zone.
• slave—Specifies the local system as a slave server (page 826) for this zone.

ZONE FILES

Zone files define zone characteristics. The name of the zone is typically specified in named.conf.default-zones. In contrast to named.conf and named.conf.local, zone files use periods at the ends of domain names. See page 841 for example zone files.

TIME FORMATS

All times in BIND files are given in seconds, unless they are followed by one of these letters (uppercase or lowercase): S (seconds), M (minutes), H (hours), D (days), or W (weeks). You can combine formats. For example, the time 2h25m30s means 2 hours, 25 minutes, and 30 seconds and is the same as 8,730 seconds.

DOMAIN QUALIFICATION

An unqualified domain in a zone file is assumed to be in the current zone (the zone defined by the zone file and named by the named.conf.default-zones file that refers to the zone file).
The name zach in the zone file for myzone.com, for example, would be expanded to the FQDN zach.myzone.com.. Use an FQDN (include the trailing period) to specify a domain that is not in the current zone. Any name that does not end with a period is regarded as a subdomain of the current zone.

ZONE NAME

Within a zone file, an at sign (@) is replaced with the zone name as specified by the named.conf file that refers to the zone file. The zone name is also referred to as the origin. See "$ORIGIN" in the next section.

ZONE FILE DIRECTIVES

The following directives can appear within a zone file. Each directive is identified by a leading dollar sign. The $TTL directive is mandatory and must be the first entry in a zone file.

$TTL
Defines the default time to live for all resource records in the zone. This directive must appear in a zone file before any resource records that it applies to. Any resource record can include a TTL value that overrides this value, except for the resource record in the root zone (.).

$ORIGIN
Changes the zone name from that specified in the named.conf.default-zones file. This name, or the zone name if this directive does not appear in the zone file, replaces an @ sign in the Name field of a resource record.

$INCLUDE
Includes a file as though it were part of the zone file. The scope of an $ORIGIN directive within an included file is the included file.
That is, an $ORIGIN directive within an included file does not affect the file that holds the $INCLUDE directive.

SETTING UP A DNS CACHE

You install a DNS cache (also called a resolving, caching nameserver) when you install the bind9 package. The section "JumpStart: Setting Up a DNS Cache" (page 834) explains how to run this server. This section describes how the files provided by Ubuntu Linux implement this server.

named.conf: THE named CONFIGURATION FILE

The default /etc/bind/named.conf file is shown on the next page. This file simply includes the three other BIND configuration files.

    $ cat /etc/bind/named.conf
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";

named.conf.default-zones: DEFAULT ZONES FILE

The named.conf.default-zones file, which the named.conf file incorporates with an include statement, holds five Zone clauses, each of which uses an absolute filename to locate its zone file.
Any relative filenames appearing in this file would be relative to /var/cache/bind, which the directory statement in named.conf.options points to.

    $ cat named.conf.default-zones
    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
    };

The named.conf.default-zones file holds the following Zone clauses:

• .—(The name of the zone is a period.) The hint zone. Specifies that when the server starts or does not know which server to query, it should look in the /etc/bind/db.root file to find the addresses of authoritative servers for the root domain.
• localhost—Sets up the normal server on the local system.
• 127.in-addr.arpa—Sets up IPv4 reverse name resolution.
• 0.in-addr.arpa—Specifies that the local server handle reverse lookup for IP addresses starting with 0, thereby preventing the local server from looking upstream for this information.
• 255.in-addr.arpa—Specifies that the local server handle reverse lookup for IP addresses starting with 255, preventing the local server from looking upstream for this information.
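The Options and Zone clause statements described above (allow-query, allow-recursion, recursion, allow-transfer, allow-update) are the ones that decide who can use a named server as a recursive resolver, who can pull a whole zone, and who can rewrite it. As an added example, not code from the book or from BIND, the following parses the subset of named.conf syntax used in this chapter (options and zone clauses, "name args;" and "name { item; ... };" statements, all three comment styles) and reports those three exposures. Both sample configurations are constructed: WEAK_CONF reuses the hint zone from the named.conf.default-zones listing and adds a made-up example.com master zone with no restrictions; HARDENED_CONF is the same server with the statements the text recommends. A missing allow-* statement is treated as open, as the option descriptions above describe.

```python
"""Audit a named.conf for open recursion, open zone transfers and open
dynamic updates. Added example, not part of the book or of BIND; both
sample configurations are constructed.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)   # /* C style */
    return re.sub(r"(//|#).*", "", text)                      # // and # to end of line


def _read_statement(tokens, i):
    """Read 'name words { items; } ;' at tokens[i] -> (name, args, next_index).
    args is the brace list (the IP-list) when present, else the bare words."""
    name, words, items, depth = tokens[i], [], [], 0
    i += 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == ";":
            if depth == 0:
                break
        else:
            (items if depth else words).append(tok.strip('"'))
    return name, (items or words), i


def parse_named_conf(text):
    """[(keyword, label, {statement: args})] per top-level clause, e.g.
    ('zone', 'example.com', {'type': ['master'], 'file': ['db.example.com']})."""
    tokens, clauses, i = TOKEN_RE.findall(_strip_comments(text)), [], 0
    while i < len(tokens):
        keyword, header, stmts = tokens[i], [], {}
        i += 1
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            header.append(tokens[i].strip('"'))      # zone name, class
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            i += 1
            while i < len(tokens) and tokens[i] != "}":
                name, args, i = _read_statement(tokens, i)
                stmts[name] = args
            i += 1                                   # closing brace
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        clauses.append((keyword, header[0] if header else None, stmts))
    return clauses


def _unrestricted(ip_list):
    """Absent, or naming any: treated as open, as the option text describes."""
    return ip_list is None or "any" in [a.lower() for a in ip_list]


def audit(text):
    """Return [(finding, where)]; empty means none of the three checks fired."""
    clauses = parse_named_conf(text)
    options = next((s for kw, _, s in clauses if kw == "options"), {})
    findings = []
    if (options.get("recursion", ["yes"])[0].lower() != "no"
            and _unrestricted(options.get("allow-recursion"))
            and _unrestricted(options.get("allow-query"))):
        findings.append(("open-recursion", "options"))
    for kw, name, stmts in clauses:
        if kw != "zone" or stmts.get("type", [""])[0].lower() not in ("master", "slave"):
            continue                                 # hint/forward zones hold no data
        # A zone statement overrides the global one; absent in both means open.
        if _unrestricted(stmts.get("allow-transfer", options.get("allow-transfer"))):
            findings.append(("open-transfer", name))
        if "any" in [a.lower() for a in stmts.get("allow-update", [])]:
            findings.append(("open-update", name))
    return findings


WEAK_CONF = """\
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        // no allow-recursion or allow-query: recursion for every client
};
zone "." {
        type hint;
        file "/etc/bind/db.root";
};
zone "example.com" IN {
        type master;
        file "db.example.com";
        allow-update { any; };   /* anyone may rewrite the zone */
        // no allow-transfer: anyone may pull the whole zone
};
"""

HARDENED_CONF = """\
options {
        directory "/var/cache/bind";
        allow-query { "localhost"; 192.168.0.0/24; };
        allow-recursion { "localhost"; 192.168.0.0/24; };
        allow-transfer { "none"; };
};
zone "example.com" IN {
        type master;
        file "db.example.com";
        allow-transfer { 192.168.0.53; };
        allow-update { "none"; };
};
"""
```

The 192.168.0.0/24 network and the 192.168.0.53 slave address in HARDENED_CONF are placeholders for your own LAN and secondary server. Point audit() at the concatenation of named.conf.options, named.conf.local and named.conf.default-zones to check a real installation; the parser does not follow include statements.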
named.conf.options: OPTIONS FILE

The named.conf.options file, which named.conf incorporates with an include statement, holds mostly comments with the following uncommented statements:

    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

The directory statement specifies the directory that all relative pathnames in this file, named.conf, and all other files incorporated in named.conf are relative to. If you are running named in a chroot jail, this directory is located under /var/lib/named (page 847). The auth-nxdomain no statement does not allow the server to answer authoritatively on NXDOMAIN (nonexistent domain error; see negative caching [page 1161]) answers. The listen-on-v6 { any; } statement enables the server to listen for IPv6 queries on any address. Change any to none to cause the server not to listen for IPv6 queries.

ZONE FILES

There are five zone files in /etc/bind, each of which corresponds to one of the Zone clauses in named.conf.default-zones. This section describes three of these zone files.

The root zone: db.root
The hint zone file, db.root, is similar to the output of a dig @a.root-servers.net . command, which does not change frequently (check the date on the last update line near the beginning of the file).
It specifies authoritative servers for the root domain. The DNS server initializes its cache from this file and can determine an authoritative server for any domain from this information.

842 CHAPTER 24 DNS/BIND: TRACKING DOMAIN NAMES AND ADDRESSES

The root zone is required only for servers that answer recursive queries: If a server responds to recursive queries, it needs to perform a series of iterative queries starting at the root domain. Without the root domain hint file, it would not know where to find the root domain servers.

$ cat /etc/bind/db.root
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Dec 12, 2008
;       related version of root zone:   2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File

db.local

The db.local zone file defines the localhost zone, the normal server on the local system. It starts with a $TTL directive and holds four resource records: SOA, NS, A, and AAAA. The $TTL directive in the following file specifies that the default time to live for the resource records specified in this file is 604,800 seconds (one week):

$ cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1

As explained earlier, the @ stands for the origin (the name of the zone), which is localhost, as specified in named.conf. The last three lines are the NS resource record that specifies the nameserver for the zone as localhost, the A resource record that specifies the IPv4 address of the host as 127.0.0.1, and the AAAA resource record that specifies the IPv6 address of the host as ::1.

db.127

The db.127 zone file provides information about the 127.in-addr.arpa reverse lookup zone. It follows the same pattern as the localhost zone file, with one exception: Instead of the A resource record, this file has a PTR record that provides the name the zone associates with the IP address. The PTR resource record specifies the name 1.0.0, which equates the system at address 1.0.0 in the zone (127.in-addr.arpa) with the name localhost, which has an IP address of 127.0.0.1:

$ cat /etc/bind/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.

The other zone files perform similar functions as described on page 840. Once named is started (page 834), you can use the tests described under "Troubleshooting" on page 849 to make sure the server is working.
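The rules named applies when it reads db.local and db.127 (the $TTL default, @ as the origin, the parenthesised SOA record, a blank owner field inheriting the previous name, and the origin being appended to unqualified names) can be checked with a small parser. The following Python program is an added example, not code from the book or from BIND. The zone text it carries is a constructed copy of the two files above plus a constructed fragment in the style of the sam.net zone file shown later in this section, and it goes a little beyond those files by handling unit-suffixed TTLs such as 3D and 8H.

```python
"""Minimal parser for BIND zone files such as db.local and db.127.

Added example, not code from the book or from BIND: it models how named reads
the files above (';' comments, $TTL with s/m/h/d/w suffixes, '@' as the origin,
parenthesised SOA RDATA, owner inheritance, origin appended to unqualified
names).  $ORIGIN, $INCLUDE and $GENERATE are rejected rather than misparsed.
"""
import shlex
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rclass rtype rdata")
CLASSES = {"IN", "CH", "HS"}
TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}
# RDATA fields that are domain names and therefore get the origin appended
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(tok):
    """'604800' -> 604800; '3D' -> 259200; '8H' -> 28800."""
    tok = tok.lower()
    return int(tok[:-1]) * UNITS[tok[-1]] if tok[-1] in UNITS else int(tok)

def qualify(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to it
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def _logical_lines(text):
    # Yield comment-free logical lines, joining physical lines while a '(' is open
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]      # ';' starts a comment (these files never quote one)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses at end of zone file")

def parse_zone(text, origin):
    """Return the Records of a zone file; origin must be fully qualified."""
    if not origin.endswith("."):
        raise ValueError("origin must end with '.'")
    default_ttl, owner, records = None, None, []
    for line in _logical_lines(text):
        inherits = line[:1] in (" ", "\t")   # blank owner field: reuse the previous owner
        tokens = shlex.split(line.replace("(", " ").replace(")", " "))
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].startswith("$"):
            raise ValueError("unsupported directive " + tokens[0])
        if not inherits:
            owner = qualify(tokens.pop(0), origin)
        elif owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass = default_ttl, "IN"
        while tokens and tokens[0].upper() not in TYPES:   # optional TTL and class, either order
            tok = tokens.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        if not tokens:
            raise ValueError("record without a type: " + line.strip())
        rtype = tokens.pop(0).upper()
        rdata = tuple(qualify(t, origin) if i in NAME_FIELDS.get(rtype, ()) else t
                      for i, t in enumerate(tokens))
        records.append(Record(owner, ttl, rclass, rtype, rdata))
    return records

# Constructed copies of the two Ubuntu zone files listed above (header comments trimmed).
DB_LOCAL = """\
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
"""
DB_127 = """\
$TTL    604800
@       IN      SOA     localhost. root.localhost. ( 1 604800 86400 2419200 604800 )
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.
"""
# Constructed fragment in the style of the sam.net zone file shown later in this section.
SAM_NET = """\
$TTL 3D
@   IN SOA ns.sam.net. mgs@sobell.com. ( 2010110501 8H 2H 4W 1D )
    TXT "Sobell Associates Inc."
    NS  ns                  ; Nameserver address (unqualified)
    MX  10 mail
ns  IN A 192.168.0.6
"""
```

Every record comes back fully qualified: the PTR in db.127 becomes 1.0.0.127.in-addr.arpa., and the NS ns in the sam.net fragment becomes ns.sam.net., which is the expansion the text describes. A relative origin (no trailing dot) or an unsupported directive raises rather than producing a silently wrong zone, which is also the behaviour you want from named-checkzone before a reload.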
DNS GLUE RECORDS

It is common practice to put the nameserver for a zone inside the zone it serves. For example, you might put the nameserver for the zone starting at site1.example.com (Figure 24-3, page 825) in ns.site1.example.com. When a DNS cache tries to resolve www.site1.example.com, the authoritative server for example.com gives it the NS record pointing to ns.site1.example.com. In an attempt to resolve ns.site1.example.com, the DNS cache again queries the authoritative server for example.com, which points back to ns.site1.example.com. This loop does not allow ns.site1.example.com to be resolved.

The simplest solution to this problem is to prohibit any nameserver from residing inside the zone it points to. Because every zone is a child of the root zone, this solution means every domain would be served by the root server and would not scale at all.

A better solution is to use glue records. A glue record is an A record for a nameserver that is returned in addition to the NS record when an NS query is performed. Because the A record provides an IP address for the nameserver, it does not need to be resolved and does not create the problematic loop.

The nameserver setup for ubuntu.com illustrates the use of glue records. When you query for NS records for ubuntu.com, DNS returns three NS records.
In addition, it returns three A records that provide the IP addresses for the three hosts that the NS records point to:

$ dig -t NS ubuntu.com
;; QUESTION SECTION:
;ubuntu.com.                    IN      NS

;; ANSWER SECTION:
ubuntu.com.             78941   IN      NS      ns1.canonical.com.
ubuntu.com.             78941   IN      NS      ns2.canonical.com.
ubuntu.com.             78941   IN      NS      ns3.canonical.com.

;; ADDITIONAL SECTION:
ns1.canonical.com.      9538    IN      A       91.189.94.173
ns2.canonical.com.      9538    IN      A       91.189.94.219
ns3.canonical.com.      9538    IN      A       209.6.3.210

You can create a glue record by providing an A record for the nameserver inside the delegating domain's zone file:

site1.example.com       IN      NS      ns.site1.example.com
ns.site1.example.com    IN      A       1.2.3.4

TSIGs: TRANSACTION SIGNATURES

Interaction between DNS components is based on the query-response model: One part queries another and receives a reply. Traditionally a server determines whether and how to reply to a query based on the client's IP address. IP spoofing (page 1154) is relatively easy to carry out, making this situation less than ideal. Recent versions of BIND support transaction signatures (TSIGs), which allow two systems to establish a trust relationship by using a shared secret key.

TSIGs provide an additional layer of authentication between master and slave servers for a zone. When a slave server is located at a different site than the master server (as it should be), a malicious person operating a router between the sites can spoof the IP address of the master server and change the DNS data on the slave (a man-in-the-middle scenario).
With TSIGs, this person would need to know the secret key to change the DNS data on the slave.

CREATING A SECRET KEY

A secret key is an encoded string of up to 512 bits. The dnssec-keygen utility, which is included with BIND, generates this key. The following command, which may take a while to run, generates a 512-bit random key using MD5, a one-way hash function (page 1163):

$ /usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
Kkeyname.+157+47586

In the preceding command, replace keyname with a string that is unique yet meaningful. This command creates a key in a file whose name is similar to Kkeyname.+157+47586.private, where keyname is replaced by the name of the key, +157 indicates the algorithm used, and +47586 is a hash of the key. If you run the same command again, the hash part will be different. The key file is not used directly. Use cat with an argument of the private filename to display the algorithm and key information you will need in the next step:

$ cat Kkeyname.+157+47586.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: uNPDouqVwR7fvo/zFyjkqKbQhcTd6Prm...

USING THE SHARED SECRET

The next step is to tell the nameservers about the shared secret by inserting the following code in the /etc/named.conf file on both servers.
This code is a top-level clause; insert it at the end of the named.conf.local file (which is included in named.conf):

key keyname {
    algorithm "hmac-md5";
    secret "uNPDouqVwR7fvo/zFyjkqKbQhcTd6Prm...";
};

The keyname is the name of the key you created. The algorithm is the string that follows Algorithm in the output of cat, above. The secret is the string that follows Key in the output of cat. You must enclose each string within double quotation marks. Be careful when you copy the key; although it is long, you must not break it into multiple lines. Because key names are unique, you can insert any number of Key clauses into named.conf.

To keep the key a secret, make sure users other than bind cannot read it: Either give named.conf.local permissions such that no one except bind has access to it or put the key in a file that only bind can read and incorporate it in named.conf.local using an include statement.

Once both servers know about the key, use a server statement in named.conf.local to tell them when to use it:

server 1.2.3.4 {
    # 1.2.3.4 is the IP address of the other server using this key
    keys { "keyname"; };
};

Each server must have a Server clause, each containing the IP address of the other server. The servers will now communicate with each other only if they first authenticate each other using the secret key.
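To see what the key and server clauses above buy you, the following Python program is an added example, not BIND code: it models TSIG signing and verification with a shared secret, including the fudge window that turns clock skew into a failure (the situation the troubleshooting section later in this chapter warns about). The key clause, the 512-bit secret and the message are constructed samples, and the TSIG record is kept as a dict rather than the RFC 2845 wire format.

```python
"""TSIG-style signing and verification with a shared secret.

Added example, not BIND code.  It models what the key and server clauses
above provide: each message between master and slave carries an HMAC computed
with the shared secret over the message plus the TSIG variables (key name,
algorithm, time signed, fudge), so an altered message, an unknown key, or a
clock outside the fudge window is rejected with the error names RFC 2845
uses.  The TSIG record is a dict instead of the wire format, and the secret,
key clause and message below are constructed samples.
"""
import base64
import hashlib
import hmac
import re
import struct

FUDGE = 300           # BIND's default fudge: 300 seconds of tolerated clock skew
DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}

# Matches a key clause as written in named.conf.local above (quotes optional on name/algorithm).
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.S)

def parse_key_clauses(conf):
    """Return {keyname: (algorithm, base64 secret)} for every key clause in conf."""
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_RE.finditer(conf)}

def _mac(message, key_name, algorithm, secret_b64, time_signed, fudge):
    # RFC 2845 signs the DNS message followed by the TSIG variables; the canonical
    # form (lower-cased key name, fixed-width integers) is modelled here.
    variables = (key_name.lower().encode() + b"\0" + algorithm.encode() + b"\0"
                 + struct.pack("!QH", time_signed, fudge))
    return hmac.new(base64.b64decode(secret_b64), message + variables,
                    DIGESTS[algorithm]).digest()

def sign(message, key_name, secret_b64, time_signed, fudge=FUDGE, algorithm="hmac-md5"):
    """Produce the TSIG fields the sender appends to a message."""
    if algorithm not in DIGESTS:
        raise ValueError("unsupported algorithm " + algorithm)
    return {"name": key_name, "algorithm": algorithm, "time_signed": time_signed,
            "fudge": fudge, "mac": _mac(message, key_name, algorithm, secret_b64, time_signed, fudge)}

def verify(message, tsig, keys, now):
    """Receiver-side check; returns NOERROR, BADKEY, BADSIG or BADTIME (RFC 2845 order)."""
    entry = keys.get(tsig["name"])
    if entry is None or entry[0] != tsig["algorithm"]:
        return "BADKEY"                       # unknown key name or algorithm mismatch
    expected = _mac(message, tsig["name"], tsig["algorithm"], entry[1],
                    tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"                       # signature is checked before the time
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"                      # the clock-skew failure the troubleshooting text describes
    return "NOERROR"

# Constructed sample secret (64 bytes = 512 bits, like the dnssec-keygen output above).
SECRET_B64 = base64.b64encode(bytes(range(64))).decode()
NAMED_CONF_LOCAL = 'key keyname {\n    algorithm "hmac-md5";\n    secret "%s";\n};\n' % SECRET_B64
KEYS = parse_key_clauses(NAMED_CONF_LOCAL)
MESSAGE = b"constructed stand-in for a zone-transfer request for sam.net"

def demo():
    """Sign a message at t=1000000 and verify it under the four outcomes."""
    t = 1_000_000
    tsig = sign(MESSAGE, "keyname", SECRET_B64, t)
    return {
        "good": verify(MESSAGE, tsig, KEYS, t + 120),
        "tampered": verify(MESSAGE + b"!", tsig, KEYS, t + 120),
        "unknown key": verify(MESSAGE, dict(tsig, name="other"), KEYS, t + 120),
        "clock off by 10 min": verify(MESSAGE, tsig, KEYS, t + 600),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print("%-20s %s" % (case, status))
```

The order of the checks in verify matters: a message with a bad signature is never trusted because its timestamp looked right, and a correctly signed message is still rejected when the two servers' clocks disagree by more than the fudge, which is why keeping both servers on NTP matters. BIND also accepts hmac-sha256 in the algorithm statement; the example accepts it too, and treats a signature made with an algorithm other than the one in the key clause as an unknown key.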
RUNNING BIND IN A chroot JAIL

To increase security, you can run BIND in a chroot jail. See page 466 for information about the security advantages of, and ways to set up, a chroot jail. The bind-chroot.sh shell script (below), which sets up BIND to run in a chroot jail, creates a directory named /var/lib/named that takes the place of the root directory (/) for all BIND files.

The bind-chroot.sh shell script installs the bind9 and resolvconf packages if they are not already installed and then runs the bind9 and resolvconf init scripts to stop named. It then adds the -t option to the named options in /etc/default/bind9 so named chroots to the /var/lib/named directory before it reads its configuration files. The named daemon is already set up to run as the user bind (-u bind). After creating the necessary directories in /var/lib/named, the script moves the files from /etc/bind to /var/lib/named, creates a symbolic link from /var/lib/named back to /etc/bind, and creates and sets permissions on devices BIND may need. Next, bind-chroot.sh disables apparmor protection for named. Finally, the script starts named and resolvconf, and displays the end of the syslog file.

$ cat bind-chroot.sh
#!/bin/bash

# install and stop bind
aptitude -y install bind9
service bind9 stop

# install and stop resolvconf
aptitude -y install resolvconf
service resolvconf stop

# add -t /var/lib/named to OPTIONS in /etc/default/bind9
sed -i 's:OPTIONS="\(.*\)":OPTIONS="\1 -t /var/lib/named":' /etc/default/bind9

# make the chroot directories
mkdir -p /var/lib/named/{etc,dev,var/cache/bind,var/run/bind/run}

# move the configuration to the chroot and link back to /etc
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind

# create devices and set permissions
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/{null,random}
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

# disable apparmor protection of /usr/sbin/named and restart apparmor
cd /etc/apparmor.d/disable
ln -s /etc/apparmor.d/usr.sbin.named .
service apparmor restart

# start bind and resolvconf
service resolvconf start
service bind9 start

# check that everything started fine
tail /var/log/syslog

Following is the output of the execution of bind-chroot.sh. You must run this script while working with root privileges. You must also have execute permission to run the script. In the example, the bind-chroot.sh file is in the working directory.

$ sudo ./bind-chroot.sh
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 0B will be used.
Writing extended state information... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
 * Stopping domain name service... bind9                                [ OK ]
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 0B will be used.
Writing extended state information... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Stopping resolvconf...                                                  [ OK ]
Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.named            [ OK ]
 * Setting up resolvconf...                                             [ OK ]
 * Starting domain name service... bind9                                [ OK ]
Apr  5 11:28:21 named[4138]: command channel listening on ::1#953
Apr  5 11:28:21 named[4138]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr  5 11:28:21 named[4138]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr  5 11:28:21 named[4138]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr  5 11:28:21 named[4138]: zone localhost/IN: loaded serial 2
Apr  5 11:28:21 named[4138]: running

After you run this script, all files that control BIND are located within this chroot jail and the filenames used in this chapter are symbolic links to the files in the chroot jail. See the command and output on the next page.

$ ls -l /etc/bind /var/lib/named/etc/bind
lrwxrwxrwx 1 root root 23 2010-04-05 11:28 /etc/bind -> /var/lib/named/etc/bind

/var/lib/named/etc/bind:
-rw-r--r-- 1 bind bind  601 2010-03-22 12:59 bind.keys
-rw-r--r-- 1 bind bind  237 2010-03-22 12:59 db.0
-rw-r--r-- 1 bind bind  271 2010-03-22 12:59 db.127
-rw-r--r-- 1 bind bind  237 2010-03-22 12:59 db.255
-rw-r--r-- 1 bind bind  353 2010-03-22 12:59 db.empty
-rw-r--r-- 1 bind bind  270 2010-03-22 12:59 db.local
-rw-r--r-- 1 bind bind 2940 2010-03-22 12:59 db.root
-rw-r--r-- 1 bind bind  463 2010-03-22 12:59 named.conf
-rw-r--r-- 1 bind bind  490 2010-03-22 12:59 named.conf.default-zones
-rw-r--r-- 1 bind bind  165 2010-03-22 12:59 named.conf.local
-rw-r--r-- 1 bind bind  572 2010-03-22 12:59 named.conf.options
-rw-r----- 1 bind bind   77 2010-04-05 11:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2010-03-22 12:59 zones.rfc1918

BIND is running in a chroot jail in /var/lib/named. Because the /etc/bind directory is now a link to /var/lib/named, you can make changes to BIND from either location.

TROUBLESHOOTING

When you start a DNS cache, the /var/log/syslog file contains lines similar to the following.
Other types of DNS servers display similar messages.

$ cat /var/log/syslog
Apr 26 11:00:02 plum named[9301]: starting BIND 9.7.0-P1 -u bind
Apr 26 11:00:02 plum named[9301]: found 1 CPU, using 1 worker thread
Apr 26 11:00:02 plum named[9301]: loading configuration from '/etc/bind/named.conf'
Apr 26 11:00:02 plum named[9301]: listening on IPv6 interfaces, port 53
Apr 26 11:00:02 plum named[9301]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 26 11:00:02 plum named[9301]: listening on IPv4 interface eth0, 192.168.0.10#53
Apr 26 11:00:02 plum named[9301]: command channel listening on 127.0.0.1#953
Apr 26 11:00:02 plum named[9301]: command channel listening on ::1#953
Apr 26 11:00:02 plum named[9301]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 26 11:00:02 plum named[9301]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 26 11:00:02 plum named[9301]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 26 11:00:02 plum named[9301]: zone localhost/IN: loaded serial 1
Apr 26 11:00:02 plum named[9301]: running

When you create or update DNS information, you can use dig or host to test whether the server works as planned. The most useful part of the output from dig is usually the answer section, which gives the nameserver's reply to your query:

$ dig example.com
;; ANSWER SECTION:
example.com.            172800  IN      A       192.0.32.10

The preceding output shows that the example.com. domain has a single A record that points to 192.0.32.10.
The TTL of this record, which tells you how long the record can be held in cache, is 172,800 seconds (two days). You can also use dig to query other record types by using the -t option followed by the type of record you want to query for (-t works with host, too):

$ dig -t MX ubuntu.com
;; ANSWER SECTION:
ubuntu.com.             3587    IN      MX      10 mx.canonical.com.

If you query for a domain that does not exist, dig returns the SOA record for the authority section of the highest-level domain in your query that does exist:

$ dig domaindoesnotexist.info
;; AUTHORITY SECTION:
info.                   900     IN      SOA     a0.info.afilias-nst.info. noc.afilias-nst.info. ...

Because it tells you the last zone that was queried correctly, this information can be useful in tracing faults.

TSIGs

If two servers using TSIGs (page 845) fail to communicate, confirm that the time is the same on both servers. The TSIG authentication mechanism is dependent on the current time. If the clocks on the two servers are not synchronized, TSIG will fail. Consider setting up NTP (page 1163) on the servers to prevent this problem.

SETTING UP DIFFERENT TYPES OF DNS SERVERS

This section describes how to set up a full-functioned nameserver, a slave server, and a split-horizon server.

A FULL-FUNCTIONED NAMESERVER

Because the IP addresses used in this example are part of the private address space (page 1166), you can copy the example and run the server without affecting global DNS.
Also, to prevent contamination of the global DNS, each zone has the notify option set to NO. When you build a nameserver that is integrated with the Internet, you will want to use IP addresses that are unique to your installation. You may want to change the settings of the notify statements.

named.conf

The named.conf file in this example limits the IP addresses that named answers queries from and sets up logging (next page).

$ cat /etc/bind/named.conf
options {
    directory "/etc/bind";
    // recursion NO;
    allow-query {127.0.0.1; 192.168.0.0/24;};
};

zone "." IN {
    type hint;
    file "db.root";
};

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "named.conf.local";
    notify NO;
};

zone "sam.net" IN {
    type master;
    file "sam.net";
    notify NO;
};

logging {
    channel "misc" {
        file "/var/log/bind/misc.log" versions 4 size 4m;
        print-time YES;
        print-severity YES;
        print-category YES;
    };
    channel "query" {
        file "/var/log/bind/query.log" versions 4 size 4m;
        print-time YES;
        print-severity NO;
        print-category NO;
    };
    category default { "misc"; };
    category queries { "query"; };
};

The allow-query statement in the Options clause specifies the IP addresses of systems the server answers queries from. You must include the local system as 127.0.0.1 if it will be querying the server. The server is authoritative for the zone sam.net; the zone file for sam.net is /etc/bind/sam.net.
Logging

Logging is turned on by the Logging clause. Logging is separate from named messages, which go to syslogd. The Logging clause in the preceding example opens two logging channels: one that logs information to /var/log/bind/misc.log and one that logs information to /var/log/bind/query.log. When either of these logs grows to 4 megabytes (size 4m in the file statement), it is renamed by appending .1 to its filename and a new log is started. The numbers at the ends of other, similarly named logs are incremented. Any log that would have a larger number than that specified by the versions keyword (4 in the example) is removed. See logrotate (page 622) for another way to maintain log files.

The print statements determine whether the time, severity, and category of the information are sent to the log; specify each as YES or NO. The category determines what information is logged to the channel. In the previous example, default information is sent to the misc channel and queries are sent to the query channel. Refer to the named.conf man page for more choices.

named.conf.local

The origin for the reverse zone file (named.conf.local) is 0.168.192.in-addr.arpa (as specified in the Zone clause that refers to this file in named.conf).
Following the SOA and NS resource records, the first three PTR resource records equate address 1 in the subnet 0.168.192.in-addr.arpa (192.168.0.1) with the names gw.sam.net., www.sam.net., and ftp.sam.net., respectively. The next three PTR records equate 192.168.0.3 with mark.sam.net., 192.168.0.4 with mail.sam.net., and 192.168.0.6 with ns.sam.net..

$ cat /etc/bind/named.conf.local
; sam.net
$TTL    3D
@       IN      SOA     ns.sam.net. mgs@sobell.com. (
                        2010110501      ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum

        IN      NS      ns.sam.net.
1       IN      PTR     gw.sam.net.
1       IN      PTR     www.sam.net.
1       IN      PTR     ftp.sam.net.
3       IN      PTR     mark.sam.net.
4       IN      PTR     mail.sam.net.
6       IN      PTR     ns.sam.net.

The zone file for sam.net takes advantage of many BIND features and includes TXT (page 830), CNAME (page 828), and MX (page 828) resource records. When you query for resource records, named returns the TXT resource record along with the records you requested. The first of the two NS records specifies an unqualified name (ns) to which BIND appends the zone name (sam.net), yielding an FQDN of ns.sam.net. The second nameserver is specified with an FQDN name that BIND does not alter. The MX records specify mail servers in a similar manner and include a priority number at the start of the data field, where lower numbers indicate preferred servers.

$ cat sam.net
; zone "sam.net"
$TTL    3D
@       IN      SOA     ns.sam.net. mgs@sobell.com. (
                        2010110501      ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D )            ; minimum
                TXT     "Sobell Associates Inc."
                NS      ns              ; Nameserver address (unqualified)
                NS      ns.max.net.     ; Nameserver address (qualified)
                MX      10 mail         ; Mail exchange (primary/unqualified)
                MX      20 mail.max.net. ; Mail exchange (2nd/qualified)

localhost       IN      A       127.0.0.1

www             IN      CNAME   ns
ftp             IN      CNAME   ns

gw              IN      A       192.168.0.1
                        TXT     "Router"

ns              IN      A       192.168.0.6
                        MX      10 mail
                        MX      20 mail.max.net.

mark            IN      A       192.168.0.3
                        MX      10 mail
                        MX      20 mail.max.net.
                        TXT     "MGS"

mail            IN      A       192.168.0.4
                        MX      10 mail
                        MX      20 mail.max.net.

Some resource records have a value in the Name field; those without a name inherit the name from the previous resource record. In a similar manner, the previous resource record may have an inherited name value, and so on. The five resource records following the SOA resource record inherit the @, or zone name, from the SOA resource record. These resource records pertain to the zone as a whole. In the preceding example, the first TXT resource record inherits its name from the SOA resource record; it is the TXT resource record for the sam.net zone (give the command host -t TXT sam.net to display the TXT resource record).

Following these five resource records are resource records that pertain to a domain within the zone. For example, the MX resource records that follow the A resource record with the Name field set to mark are resource records for the mark.sam.net. domain.

The A resource record for localhost is followed by two CNAME resource records that specify www(.sam.net.) and ftp(.sam.net.) as aliases for the nameserver ns.sam.net.. For example, a user connecting to ftp.sam.net will connect to 192.168.0.6. The resource records named gw, ns, mark, and mail are resource records for domains within the sam.net zone.

Log files

Before restarting named, create the directory for the log files and give it permissions and ownership as shown below. If you are running named in a chroot jail, create the bind directory in /var/lib/named/var/log.

$ sudo mkdir /var/log/bind
$ sudo chown bind:bind /var/log/bind
$ ls -ld /var/log/bind
drwxr-xr-x 2 bind bind 4096 2010-04-26 17:43 /var/log/bind

With the log directory in place, and the named.conf, db.root, named.conf.local, and sam.net zone files in /etc/bind (or in /var/lib/named/etc/bind if you are running named in a chroot jail), restart named and check the log files. The file /var/log/syslog should show something like the following (the example shows named started in a chroot jail):

# cat /var/log/syslog
Apr 26 18:05:19 plum named[22119]: starting BIND 9.7.0-P1 -u bind -t /var/lib/named
Apr 26 18:05:19 plum named[22119]: found 1 CPU, using 1 worker thread
Apr 26 18:05:19 plum named[22119]: loading configuration from '/etc/bind/named.conf'
Apr 26 18:05:19 plum named[22119]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 26 18:05:19 plum named[22119]: listening on IPv4 interface eth0, 192.168.0.10#53
Apr 26 18:05:19 plum named[22119]: command channel listening on 127.0.0.1#953
Apr 26 18:05:19 plum named[22119]: command channel listening on ::1#953

The misc.log file may show errors that do not appear in the syslog file:

# cat /var/log/bind/misc.log
... 01:05:19.932 general: info: zone 0.168.192.in-addr.arpa/IN: loaded serial 2010110501
... 01:05:19.933 general: info: zone sam.net/IN: loaded serial 2010110501
... 01:05:19.933 general: notice: running

A SLAVE SERVER

To set up a slave server, copy the /etc/bind/named.conf file from the master server to the slave server, replacing the type master statement with type slave and adding a masters { 1.2.3.4; }; directive. Remove any zones the slave server will not be acting as a slave for, including the root (.) zone, if the slave server will not respond to recursive queries. If necessary, create the /var/log/bind directory for log files as explained at the end of the previous section.

notify statement

Slave servers copy zone information from the primary master server or another slave server. The notify statement specifies whether you want a master server to notify slave servers when information on the master server changes. Set the (global) value of notify in the Options clause or set it within a Zone clause, which overrides a global setting for a given zone.
T h e f o r m a t is notify YES I NO I EXPLICIT YES c a u s e s t h e m a s t e r s e r v e r t o n o t i f y a l l s l a v e s l i s t e d i n N S r e s o u r c e r e c o r d s f o r t h e z o n e as w e l l as s e r v e r s a t IP a d d r e s s e s l i s t e d i n a n also-notify s t a t e m e n t . W h e n s e t notify t o EXPLICIT, o n l y . NO you t h e s e r v e r n o t i f i e s s e r v e r s l i s t e d i n t h e also-notify s t a t e m e n t turns off notification. I f y o u s p e c i f y notify Y E S o n t h e m a s t e r s e r v e r , t h e z o n e f i l e s o n t h e s l a v e s e r v e r w i l l be u p d a t e d each t i m e y o u change the serial field of the S O A resource record in a zone. Y o u m u s t m a n u a l l y d i s t r i b u t e c h a n g e s t o /etc/bind/named.conf a n d i n c l u d e d files. A SPLIT HORIZON SERVER A s s u m e y o u w a n t t o set u p a L A N t h a t p r o v i d e s a l l o f its s y s t e m s a n d services t o l o c a l users o n i n t e r n a l systems, w h i c h m a y be b e h i n d a f i r e w a l l , b u t o n l y certain split horizon ( a l s o c a l l e d DMZ) D N S s e r v e r t a k e s c a r e o f t h i s s i t u a t i o n b y t r e a t i n g q u e - p u b l i c s e r v i c e s — s u c h as W e b , F T P , a n d m a i l — t o I n t e r n e t ( p u b l i c ) u s e r s . A ries f r o m i n t e r n a l systems d i f f e r e n t l y f r o m queries f r o m p u b l i c systems (systems o n the Internet). View clauses B I N D 9 i n t r o d u c e d V i e w c l a u s e s i n named.conf. V i e w c l a u s e s f a c i l i t a t e t h e i m p l e m e n t a t i o n o f a split D N S server. E a c h v i e w p r o v i d e s a d i f f e r e n t p e r s p e c t i v e o f t h e D N S n a m e s p a c e t o a g r o u p o f c l i e n t s . W h e n t h e r e is n o V i e w c l a u s e , a l l z o n e s s p e c i f i e d i n named.conf a r e p a r t o f t h e i m p l i c i t d e f a u l t v i e w . 
Assume that an office has several systems on a LAN and public Web, FTP, DNS, and mail servers. The single connection to the Internet is NATed (page 1161) so it is shared by the local systems and the servers. The system connected directly to the Internet is a router, firewall, and server. This scenario takes advantage of the View clauses in named.conf and supports separate secondary nameservers for local and public users. Although public users need access to the DNS server as the authority on the domain that supports the servers, they do not require the DNS server to support recursive queries. Not supporting recursion for public users limits the load on the DNS server and the Internet connection. For security reasons, public users must not have access to information about local systems other than the servers. Local users should have access to information about local systems and should be able to use the DNS server recursively.

Figure 24-6 (next page) shows that the server responds differently to queries from the LAN and from the Internet. The gufw (page 876) or iptables utility (page 880) controls which ports on which systems users on internal and external systems can access. DNS controls which systems are advertised to which users.

856 CHAPTER 24 DNS/BIND: TRACKING DOMAIN NAMES AND ADDRESSES

Figure 24-6 A split horizon DNS server

The named.conf file has four clauses: an Options clause, two View clauses, and a Logging clause. The Options clause specifies that the zone files be located in the /etc/bind directory. The View clauses specify the characteristics and zones that a resolver is given access to, which depend on the resolver's address. One zone is for use by the LAN/local users; the other is used by Internet/public users. The Logging clause sets up the misc2.log file for default messages.

There are several ways to specify which clients see a view. The following named.conf file uses match-clients statements:

$ cat /etc/bind/named.conf
options {
    directory "/etc/bind";
}; //end options

view "local" IN {                            // start local view
    match-clients { 127.0.0.1; 192.168.0.0/24; };
    recursion YES;

    zone "zach.net" IN {
        type master;
        file "local.net";
        notify YES;
    };

    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "named.local";
        notify YES;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };
}; // end local view

view "public" IN {                           // start public view
    match-clients { any; };                  // any is the built-in ACL that matches every client
    recursion NO;

    zone "zach.net" IN {
        type master;
        file "public.net";
        notify YES;
    };

    zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "named.public";
        notify YES;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };
}; // end public view

logging {
    channel "misc" {
        file "/var/log/bind/misc2.log" versions 2 size 1m;
        print-time YES;
        print-severity YES;
        print-category YES;
    };
    category default {
        "misc";
    };
}; //end logging

The ordering of View clauses within named.conf is critical because the view that is presented to a client is the first view that the client matches. The preceding named.conf file holds two View clauses: one for local users and one for public users, in that order. Local users are defined to be those on the 192.168.0.0/24 subnet or localhost (127.0.0.1); public users are defined to be any users. If you reversed the order of the View clauses, all users—including local users—would get the view intended for the public and no users would see the local view.

Many statements from the Options clause can be used within View clauses, where they override statements in the (global) Options clause. The recursion statement, which can appear within an Options clause, appears in each View clause. This named.conf file sets up a server that provides recursive answers to queries that originate locally and iterative answers to queries from the public. This setup provides quick, complete answers to local users, limiting the network and processor bandwidth that is devoted to other users while continuing to provide authoritative name service for the local servers.
To make named.conf easier to understand and maintain, zones in different View clauses can have the same name but different zone files. Both the local and public View clauses in the example have zones named zach.net: The public zach.net zone file is named public.net and the local one is named local.net. The Logging clause is described on page 852.

The zone files defining zach.net are similar to the ones in the previous examples; the public file is a subset of the local one. Following the SOA resource record in both files is a TXT, two NS, and two MX resource records. Next are three CNAME resource records that direct queries addressed to www.zach.net, ftp.zach.net, and mail.zach.net to the system named ns.zach.net. The next four resource records specify two nameserver addresses and two mail servers for the ns.zach.net domain. The final four resource records appear in the local zach.net zone file and not the public zone file; they are address (A) resource records for local systems. Instead of keeping this information in /etc/hosts files on each system, you keep it on the DNS server, where it can be updated easily. When you use DNS instead of /etc/hosts, you must change the hosts line in /etc/nsswitch.conf (page 475) accordingly.

$ cat local.net
; zach.net local zone file
$TTL 3D
@       IN    SOA    ns.zach.net. mgs@sobell.com. (
                        201011118  ; serial
                        8H         ; refresh
                        2H         ; retry
                        4W         ; expire
                        1D )       ; minimum

        IN    TXT    "Sobell Associates Inc."
        IN    NS     ns                ; Nameserver address (unqualified)
        IN    NS     ns.speedy.net.    ; Nameserver address (qualified)
        IN    MX     10 mail           ; Mail exchange (primary/unqualified)
        IN    MX     20 mail.max.net.  ; Mail exchange (2nd/qualified)

www     IN    CNAME  ns
ftp     IN    CNAME  ns
mail    IN    CNAME  ns

ns      IN    A      192.168.0.1
ns      IN    A      192.168.0.6
ns      IN    MX     10 mail
ns      IN    MX     20 mail.max.net.

speedy  IN    A      192.168.0.1
grape   IN    A      192.168.0.3
potato  IN    A      192.168.0.4
peach   IN    A      192.168.0.6

The public version of the zach.net zone file follows:

$ cat public.net
; zach.net public zone file
$TTL 3D
@       IN    SOA    ns.zach.net. mgs@sobell.com. (
                        201011118  ; serial
                        8H         ; refresh
                        2H         ; retry
                        4W         ; expire
                        1D )       ; minimum

        IN    TXT    "Sobell Associates Inc."
        IN    NS     ns                ; Nameserver address (unqualified)
        IN    NS     ns.speedy.net.    ; Nameserver address (qualified)
        IN    MX     10 mail           ; Mail exchange (primary/unqualified)
        IN    MX     20 mail.max.net.  ; Mail exchange (2nd/qualified)

www     IN    CNAME  ns
ftp     IN    CNAME  ns
mail    IN    CNAME  ns

ns      IN    A      192.168.0.1
ns      IN    A      192.168.0.6
ns      IN    MX     10 mail
ns      IN    MX     20 mail.max.net.

Here there are two reverse zone files, each of which starts with SOA and NS resource records, followed by PTR resource records for each of the names of the servers. The local version of this file also lists the names of the local systems:

$ cat named.local
; "0.168.192.in-addr.arpa" reverse zone file
$TTL 3D
@       IN    SOA    ns.zach.net. mgs@sobell.com. (
                        2010110501 ; serial
                        8H         ; refresh
                        2H         ; retry
                        4W         ; expire
                        1D )       ; minimum

        IN    NS     ns.zach.net.
        IN    NS     ns.speedy.net.
        IN    PTR    gw.zach.net.
        IN    PTR    www.zach.net.
        IN    PTR    ftp.zach.net.
        IN    PTR    mail.zach.net.
        IN    PTR    speedy.zach.net.
        IN    PTR    grape.zach.net.
        IN    PTR    potato.zach.net.
        IN    PTR    peach.zach.net.

CHAPTER SUMMARY

DNS maps domain names to IP addresses, and vice versa. It is implemented as a hierarchical, distributed, and replicated database on the Internet. You can improve the security of BIND, which implements DNS, by running it inside a chroot jail and using transaction signatures (TSIGs).

When a program on the local system needs to look up an IP address that corresponds to a domain name, it calls the resolver. The resolver queries the local DNS cache, if available, and then queries DNS servers on the LAN or Internet. There are two types of queries: iterative and recursive. When a server responds to an iterative query, it returns whatever information it has at hand; it does not query other servers. Recursive queries cause a server to query other servers if necessary to respond with an answer.

There are three types of servers. Master servers, which hold the master copy of zone data, are authoritative for a zone. Slave servers are also authoritative and copy their data from a master server or other slave servers. DNS caches are not authoritative and either answer queries from cache or forward queries to another server.

The DNS database holds resource records for domains.
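The security property of the split horizon example above is that public.net is a strict subset of local.net and that only the local view names the internal systems. That is worth checking mechanically every time the files are edited, because a single A record copied into the wrong file advertises an internal host to the Internet. The following Python script is an added example, not the book's code and not a BIND tool: it parses constructed copies of local.net, public.net and named.local (the SOA mailbox is written in zone-file form and the reverse-zone owner labels are chosen for the example), reports any record the public file carries that the local one does not, lists the names only local clients may resolve, and flags PTR targets that have no forward record.

```python
import re

# Constructed copies of the zach.net zone files shown above (not the book's text
# verbatim): SOA mailbox in zone-file form, reverse-zone owner labels chosen here.
LOCAL_NET = """\
$TTL 3D
@       IN SOA ns.zach.net. mgs.sobell.com. (
                201011118 ; serial
                8H 2H 4W 1D )           ; refresh retry expire minimum
        IN TXT "Sobell Associates Inc."
        IN NS  ns
        IN NS  ns.speedy.net.
        IN MX  10 mail
        IN MX  20 mail.max.net.
www     IN CNAME ns
ftp     IN CNAME ns
mail    IN CNAME ns
ns      IN A   192.168.0.1
ns      IN A   192.168.0.6
ns      IN MX  10 mail
ns      IN MX  20 mail.max.net.
speedy  IN A   192.168.0.1
grape   IN A   192.168.0.3
potato  IN A   192.168.0.4
peach   IN A   192.168.0.6
"""
# The public file is the local one without the last four (internal host) A records.
PUBLIC_NET = "".join(LOCAL_NET.splitlines(keepends=True)[:-4])

NAMED_LOCAL = """\
$TTL 3D
@       IN SOA ns.zach.net. mgs.sobell.com. (
                2010110501 ; serial
                8H 2H 4W 1D )
        IN NS  ns.zach.net.
        IN NS  ns.speedy.net.
1       IN PTR gw.zach.net.
1       IN PTR www.zach.net.
1       IN PTR ftp.zach.net.
1       IN PTR mail.zach.net.
1       IN PTR speedy.zach.net.
3       IN PTR grape.zach.net.
4       IN PTR potato.zach.net.
6       IN PTR peach.zach.net.
"""

TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")


def parse_zone(text):
    """Return the set of (owner, type, rdata) tuples in a zone file.
    Handles ';' comments, $-directives, a blank owner meaning 'same as the
    previous record', optional TTL/class fields and the parenthesised SOA.
    SOA records are skipped because serial numbers legitimately differ."""
    records, owner, in_parens = set(), "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_parens:
            in_parens = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():          # owner present on this line
            owner = tokens.pop(0)
        while tokens and (tokens[0].upper() in ("IN", "CH", "HS")
                          or TTL_RE.fullmatch(tokens[0])):
            tokens.pop(0)                 # drop class and/or TTL
        rtype, rdata = tokens.pop(0).upper(), " ".join(tokens)
        if "(" in rdata and ")" not in rdata:
            in_parens = True
        if rtype != "SOA":
            records.add((owner, rtype, rdata))
    return records


def leaked_to_public(public, local):
    """Records the public view carries that the local view does not (should be empty)."""
    return public - local


def local_only_names(public, local):
    """Owner names with address records that only local clients may resolve."""
    public_a = {o for o, t, _ in public if t == "A"}
    return sorted({o for o, t, _ in local if t == "A"} - public_a)


def ptr_targets_without_forward(reverse, forward, origin="zach.net."):
    """PTR targets with no A or CNAME in the forward zone (reverse-only names)."""
    forward_names = {o if o.endswith(".") else o + "." + origin
                     for o, t, _ in forward if t in ("A", "CNAME")}
    return sorted({r for _, t, r in reverse if t == "PTR"} - forward_names)


def audit_split_horizon():
    """Run the three checks over the constructed files and return the results."""
    local, public = parse_zone(LOCAL_NET), parse_zone(PUBLIC_NET)
    reverse = parse_zone(NAMED_LOCAL)
    return {"leaked_to_public": sorted(leaked_to_public(public, local)),
            "local_only_names": local_only_names(public, local),
            "ptr_without_forward": ptr_targets_without_forward(reverse, local)}
```

Running audit_split_horizon() on these files reports nothing leaked to the public view, the four internal names (grape, peach, potato, speedy) as local-only, and gw.zach.net. as a reverse-zone name with no forward record, which matches what the book's files show: gw appears only in named.local.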
Many types of resource records exist, including A (address), MX (mail exchange), NS (nameserver), PTR (pointer for performing reverse name resolution), and SOA (start of authority, which describes the zone) records.

EXERCISES

1. What kind of server responds to recursive queries? How does this server work?
2. What kind of DNS record is likely to be returned when a Web browser tries to resolve the domain part of a URI?
3. What are MX resource records for?
4. How would you find the IP address of example.com from the command line?
5. How would you instruct a Linux system to use the local network's DNS cache, located at 192.168.1.254, or the ISP's DNS cache, located at 1.2.3.4, if the LAN nameserver is unavailable?
6. How would you instruct a DNS server to respond only to queries from the 137.44.* IP range?
7. How might a resolver attempt to find the IP address of the example domain?

ADVANCED EXERCISES

8. How would you set up a private domain name hierarchy that does not include any of the official InterNIC-assigned domain names?
9. Which part of DNS is most vulnerable to an attack from a malicious user and why?
10. It is often irritating to have to wait for DNS records to update around the world when you change DNS entries. You could prevent this delay by setting the TTL to a small number. Why is setting the TTL to a small number a bad idea?
11. Outline a method by which DNS could be used to support encryption.

25 firestarter, gufw, AND iptables: SETTING UP A FIREWALL

IN THIS CHAPTER
Introduction to firestarter 864
firestarter: Setting Up and Maintaining a Firewall 866
ufw: The Uncomplicated Firewall 874
gufw: The Graphical Interface to ufw 876
Rules, matches, targets, and chains 880
Anatomy of an iptables Command 884
Building a Set of Rules Using iptables 885
Copying Rules to and from the Kernel 891
Sharing an Internet Connection Using NAT 892

The gufw and firestarter utilities are user-friendly, graphical front-ends for iptables; iptables builds and manipulates network packet filtering (page 1164) rules in the Linux kernel. You can use firestarter, or iptables directly, to create a firewall that protects a system from malicious users and to set up NAT (Network Address Translation, page 1161), which can allow several systems to share a single Internet connection. In addition, firestarter can control a DHCP server.

The iptables utility is flexible and extensible, allowing you to set up both simple and complex network packet filtering solutions. It provides connection tracking (stateful packet filtering), allowing you to handle packets (page 1164) based on the state of their connection. For example, you can set up rules that reject inbound packets trying to open a new connection and accept inbound packets that are responses to locally initiated connections.
Many features not included in the base iptables package are available as patches via the patch-o-matic program.

864 CHAPTER 25 firestarter, gufw, AND iptables: SETTING UP A FIREWALL

The firestarter utility is frequently sufficient to protect a single system or a small LAN but, because of its user-friendly nature, it does not provide access to the full complexity and power of iptables. Most of the concepts involving firestarter will probably be familiar, or easy to learn, for someone who is familiar with basic networking. Some of the concepts required to fully understand iptables are beyond the scope of this book. Although you can use iptables at different levels, this chapter presents only the fundamentals. There are, however, some sections of this chapter that delve into areas that may require additional understanding or explanation. If a concept is not clear, refer to one of the resources in "More Information" on page 883.

ufw and gufw

Ubuntu has added ufw (uncomplicated firewall) and its graphical interface gufw to its security arsenal. As these products mature, you may want to consider experimenting with and using them in place of firestarter. See page 874 (ufw) and page 876 (gufw) for more information.

Routers have firewalls too (tip)

Many systems are already protected by a firewall located in a router. If you use a router that has a firewall, you may need to open ports on the router firewall in addition to opening ports on any firewall you set up on an Ubuntu system.

INTRODUCTION TO firestarter

The firestarter utility is a sophisticated, graphical tool for building and maintaining a firewall. Although it works with GTK and is designed to run under GNOME, it is equally at home under KDE. This utility enables a system to share an Internet connection with other systems on a LAN. It can also set up and control a DHCP (page 470) server. It provides a real-time view of intrusion and other events and allows you to tune ICMP (page 1153) parameters to help stop DoS attacks (page 1146).

As installed, firestarter allows outbound connections and blocks and displays information about inbound connections that originate outside the system or LAN it is protecting (that is, connections that originate on the Internet). As you view these events, you can set up rules to allow them, facilitating firewall customization.

The firestarter utility can protect the single system it runs on (the firewall host) or it can protect the system it runs on as well as other client systems on a LAN that connect to the Internet through the firewall host.
Figure 25-1 shows a typical setup where all network traffic to and from a LAN must pass through the firewall, enabling the firewall to control access between the Internet and the LAN (including the firewall host). In this setup the firewall host acts as a router (page 377).

NOTES

Terminology

This section explains what some of the words used to explain firestarter mean in this context. The terms firewall and firestarter are used interchangeably.

Figure 25-1 A typical firewall setup: Internet, Firewall host (router), LAN (client systems)

• (Firewall) host (system)—The system the firewall is running on.
• Client systems—Systems that are on the same LAN as the firewall host and whose packets to and from systems outside the LAN (specifically the Internet) pass through the firewall host.
• Policy—The set of rules that the firewall applies.
• Rule—A statement that specifies what the firewall does with specific types of packets it receives from specific systems on its network interface(s).
• Connection—Under TCP, the path through which two systems exchange data. A client system opens a connection with a server system by sending it a SYN (synchronization) packet. The server sends an ACK (acknowledge) packet back to the client and the two systems exchange data. The client closes the connection with a SYN packet. Although UDP works differently because it has no concept of a connection, for the purposes of this discussion the concept of a UDP connection is appropriate.
• Inbound connections—Include connections that originate from the Internet and client systems with the firewall host as the destination.
• Outbound connections—Include connections that originate from the firewall host and client systems with the Internet as the destination.

Default policy

By default, firestarter implements a user-friendly policy that protects the firewall host and client systems. In general, it allows outbound traffic and blocks inbound traffic that is not sent in response to outbound traffic. Specifically, the default firestarter policy

• Blocks new inbound connections from the Internet that are destined for the firewall host or the client systems.
• Allows inbound packets that are sent in response to connections initiated by the firewall host or client systems to the Internet.
• Allows the firewall host to establish connections.
• Allows client systems to establish connections to the Internet.
• Does not allow client systems to establish connections to the firewall host.

After you set up firestarter with the Firewall Wizard, you can modify the default policy to meet your needs.
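The five bullets above describe a stateful policy: the verdict on a packet depends on whether it opens a new connection or belongs to one the firewall already let through. The following Python simulation is an added example, not firestarter's own code and not the iptables rules it generates; it keeps a minimal connection-tracking table and applies the five rules to constructed packets. The LAN prefix, the firewall host's two addresses, the sample packets, and the choice to drop any new connection the policy does not explicitly allow are all assumptions of the example. For UDP, treat the first datagram of an exchange as the connection-opening packet, as the terminology note above suggests.

```python
import ipaddress
from collections import namedtuple

# Constructed topology: the firewall host has one address on the LAN and one
# on the Internet side; everything else in 192.168.0.0/24 is a client system.
LAN = ipaddress.ip_network("192.168.0.0/24")
FIREWALL_HOST = {"192.168.0.1", "203.0.113.10"}

# A packet as the filter sees it. syn=True marks a connection-opening packet
# (a TCP SYN, or the first UDP datagram of an exchange).
Packet = namedtuple("Packet", "src dst sport dport syn")


def zone_of(addr):
    """Classify an address as the firewall host, a LAN client, or the Internet."""
    if addr in FIREWALL_HOST:
        return "host"
    return "lan" if ipaddress.ip_address(addr) in LAN else "internet"


class StatefulFilter:
    """Minimal connection tracking plus the five default-policy rules above."""

    def __init__(self):
        self.tracked = set()  # (src, sport, dst, dport) of accepted connections

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply in self.tracked or (key in self.tracked and not pkt.syn):
            return "ACCEPT"  # ESTABLISHED: part of a connection already allowed
        if not pkt.syn:
            return "DROP"    # mid-stream packet with no tracked connection
        src, dst = zone_of(pkt.src), zone_of(pkt.dst)
        if src == "internet":
            return "DROP"    # rule 1: new inbound connection from the Internet
        if src == "lan" and dst == "host":
            return "DROP"    # rule 5: clients may not open connections to the host
        if src == "host" or (src == "lan" and dst == "internet"):
            self.tracked.add(key)  # rules 3 and 4; replies will match 'reply'
            return "ACCEPT"
        return "DROP"        # assumption: anything not listed is denied


def evaluate(packets):
    """Run a packet sequence through a fresh filter and return the verdicts."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    # Constructed exchange: a LAN client browses an Internet web server, then
    # an Internet host tries to open SSH to the firewall host.
    trace = [Packet("192.168.0.12", "198.51.100.5", 40000, 80, True),
             Packet("198.51.100.5", "192.168.0.12", 80, 40000, True),
             Packet("198.51.100.5", "203.0.113.10", 50000, 22, True)]
    for p, verdict in zip(trace, evaluate(trace)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} syn={p.syn}: {verdict}")
```

The second packet in the trace is accepted only because the first one was tracked; run the reply alone and it is dropped, which is exactly the distinction between "inbound packet" and "inbound connection" that the policy bullets draw.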
iptables and firestarter

Although firestarter is a front-end for iptables, it does not store its rules the way iptables does (using iptables-save [page 891]). Instead, it keeps configuration information in its own format in the /etc/firestarter directory hierarchy.

MORE INFORMATION

Web: www.fs-security.com

firestarter: SETTING UP AND MAINTAINING A FIREWALL

This section describes how to set up a firewall using the firestarter Firewall Wizard and how to maintain the firewall once it is set up.

PREREQUISITES

Install the following packages:

• firestarter
• dhcp3-server (needed only if you want firestarter to run DHCP; page 472)

When you install the firestarter package, you must run the Firewall Wizard before firestarter will start (see the JumpStart section, next). After you configure it, firestarter starts running each time you boot the system. Although there is a firestarter init file, you never need to run it manually; use the firestarter GUI to turn the firewall on or off or to lock the system so no network traffic can enter or leave it. When you bring the system up, firestarter comes up in the state it was in when you shut the system down. The firestarter utility runs regardless of whether its GUI is displayed.

Figure 25-2 The Firewall Wizard: Welcome to Firestarter screen

JUMPSTART: CONFIGURING A FIREWALL USING THE firestarter FIREWALL WIZARD

The Firewall Wizard and Firestarter windows (Figure 25-2 and Figure 25-6 on page 869) enable you to set up and control firestarter. To display this window, select Main menu: System⇒Administration⇒Firestarter or give the command gksudo firestarter from a terminal emulator or Run Application window (ALT-F2).

When you run firestarter for the first time, it opens the Firewall Wizard (Figure 25-2), which helps you configure firestarter. You can rerun this wizard at any time by selecting Firestarter menu: Firewall⇒Run Wizard. The last step of the wizard allows you to start the firewall and display the Firestarter window.

The first Firewall Wizard screen welcomes you to firestarter; click Forward to get started. The Firewall Wizard displays the Network device setup screen (Figure 25-3). In this screen you select the device that is connected to the Internet.
You can also specify that you want the firewall to start when you dial out from the system (if you are using a modem to connect to the Internet) and/or that you want firestarter to use DHCP (page 470) to assign IP addresses and provide other network configuration information to the client systems.

From the drop-down list labeled Detected device(s), select the device that is connected to the Internet. If the local system is functioning as a router, make sure to select the device that is connected to the Internet, not the device that is connected to the LAN. If the local system connects to the Internet using a modem only, put a tick in the check box labeled Start the firewall on dial-out.

DHCP

If you want to run DHCP, put a tick in the check box labeled IP address is assigned via DHCP. (You can also configure DHCP using Firestarter menu: Edit⇒Preferences.) If firestarter is going to control DHCP, you must install the DHCP package (page 866). Click Forward.

Figure 25-3 The Network device setup screen (Detected device(s) drop-down list; check boxes Start the firewall on dial-out and IP address is assigned via DHCP)

Figure 25-4 The Internet connection sharing setup screen (NAT (connection sharing); Enable Internet connection sharing; Local area network device; Enable DHCP for local network; DHCP server details)

The Internet connection sharing setup screen (Figure 25-4) allows you to set up NAT (page 1161) so systems on the LAN can share a single Internet connection. This window appears only if the system you are installing the firewall on has at least two network connections. Put a tick in the check box labeled Enable Internet connection sharing if the firewall host is to function as a router (Figure 25-1, page 865) and share an Internet connection; otherwise skip this screen.
W h e n you p u t a t i c k i n t h i s c h e c k b o x , firestarter e n a b l e s y o u t o s e l e c t t h e d e v i c e t h a t is c o n n e c t e d t o t h e L A N ( n o t t h e o n e t h a t is c o n n e c t e d t o t h e I n t e r n e t ) . P u t a t i c k i n t h e c h e c k b o x l a b e l e d E n a b l e D H C P for local n e t w o r k t o c a u s e firestarter t o r u n D H C P . W h e n y o u p u t a t i c k i n t h i s c h e c k b o x , c l i c k t h e p l u s s i g n a d j a c e n t t o D H C P server details t o c h o o s e w h e t h e r t o k e e p a n e x i s t i n g D H C P c o n f i g u r a t i o n o r c r e a t e a n e w o n e . T h e S e r v e r n a m e c a n b e t h e I P a d d r e s s o r n a m e o f t h e D H C P server. I f y o u set t h e n a m e t o < d y n a m i c > , firestarter d e t e r m i n e s t h e I P a d d r e s s o f t h e D H C P s e r v e r a t r u n t i m e , w h i c h c a n b e u s e f u l i f t h e s e r v e r is a s s i g n e d a n I P a d d r e s s u s i n g DHCP. C l i c k Forward. Starting the firewall I n t h e R e a d y t o s t a r t y o u r f i r e w a l l s c r e e n ( F i g u r e 2 5 - 5 ) , y o u c a n c h o o s e t o s t a r t t h e firewall. T h e f i r e w a l l starts i n secure m o d e , w h i c h protects the L A N b u t m a y cause p r o b l e m s f o r s o m e users a n d does n o t a l l o w s y s t e m s o n t h e I n t e r n e t t o access servers b e h i n d the firewall. If y o u are c o n f i g u r i n g the firewall f r o m a r e m o t e system, you w i l l n o t b e a b l e t o w o r k w i t h firestarter o n c e y o u s t a r t t h e f i r e w a l l . P u t a t i c k i n t h e c h e c k b o x l a b e l e d Start firewall n o w i f y o u w a n t t o s t a r t t h e f i r e w a l l i m m e d i a t e l y . C l i c k Save. 
MAINTAINING A FIREWALL USING firestarter

After you configure firestarter, you can make changes to the policy from the Firestarter window. After you run the Firewall Wizard, firestarter displays this window. You can display this window at any time by following the instruction at the start of the Jump Start section on page 867. The firewall runs regardless of whether the Firestarter window is displayed. When you bring the system up, the firewall resumes the status it had (running, stopped, or locked) when you brought the system down.

[Figure 25-5: The Ready to start your firewall screen]

THE STATUS TAB

The Firestarter window Status tab (Figure 25-6) displays an overview of the firewall. This tab can display active connections to the firewall. The toolbar allows you to change the state of the firewall and specify preferences. The large round icon in the Firewall frame of the window indicates the status of the firewall:

• Disabled—The firewall is turned off—it is as though firestarter was not installed.
• Active—The firewall is up and running and implementing the policy you have set up (or the default policy).
• Locked—The firewall is up and running and blocking all packets. Nothing can get in or out of the firewall host over the network interfaces that firestarter controls.

Click the appropriate icon on the toolbar to change the state of the firewall.

[Figure 25-6: The Status tab with Active connections expanded]

[Figure 25-7: Events tab, right-click menu]

Events: An event occurs when the firewall blocks a packet based on a rule. The Events columns in the Firewall frame list the number of inbound and outbound events the firewall has blocked and indicate how many of those were of a serious nature. Events are considered serious if they could have been attempts by malicious users to gain access to the system.
For example, a blocked attempt to log in using ssh is a serious event; a blocked ping is not.

The Network frame shows the activity on each of the system's network connections. When you click the plus sign to the left of Active connections, firestarter displays a scrollable list of active connections; lengthen the window to display more connections. Click on a line in this list to select it and then right-click and select Lookup Hostnames to change the value in the Source and Destination columns from IP addresses to hostnames. The Port column lists the port on the target host that the connection uses. The Service column indicates the service that is associated with the specified port. The Program column shows the name of the program running the service if it is local and known to firestarter.

THE EVENTS TAB

The Firestarter window Events tab (Figure 25-7) is the key to modifying the default firewall policy. It displays a list of blocked connections. Each line in this list specifies an event that the firewall blocked based on a rule. Events displayed in black are attempts to connect to a random port and are typically not of concern. Events in gray are harmless, consisting mostly of broadcast traffic.
Events in red are attempts to access a service that is not provided to the public and may indicate that a malicious user is attempting to gain access to the firewall host or a client system.

[Figure 25-8: Selecting columns for the Blocked Connections list]

You can modify this list in several ways.

• To display a hostname in place of an IP address, highlight the entry you want to change, right-click, and select Lookup Hostnames (Figure 25-7).
• By default, the Blocked Connections list does not include redundant entries. To display redundant entries, remove the tick from the check box at Firestarter menu: Edit⇒Preferences⇒Events⇒Skip redundant entries.
• You can specify the columns that firestarter includes in the Blocked Connections list by selecting from the menu displayed by Firestarter menu: Events⇒Show Column (Figure 25-8).

As Figure 25-7 shows, the right-click menu also allows you to change the rule for the highlighted system and port (service). Inbound and outbound connections present different menus. The inbound menu includes the following selections:

• Allow Connections from Source—Enables the originating system on the Internet that the highlighted event blocked to make any type of connection to client systems or the firewall host. Set this rule only if you completely trust the source system.
• Allow Inbound Service for Everyone—Enables any system on the Internet to connect to the service (port) that the highlighted event blocked. Set this rule to allow the public to access servers behind the firewall.
• Allow Inbound Service for Source—Enables the originating system on the Internet to connect to the service (port) that the highlighted event blocked. The port protected by this rule is called a stealth port because it is invisible to all systems on the Internet except the specified system.

[Figure 25-9: The Policy tab]

The outbound menu includes the following selections:

• Allow Connections to Destination—Enables the firewall host and client systems to establish a connection with the destination system that the highlighted event blocked.
• Allow Outbound Service for Everyone—Enables the firewall host and client systems to establish a connection to the service (port) that the highlighted event blocked.
• Allow Outbound Service for Source—Enables the firewall host or a specific client that the event blocked to establish a connection to the service that the highlighted event blocked.

In addition, both menus include these two selections:

• Disable Events from Source—Prevents the highlighted originating system on the Internet from connecting to client systems or the firewall host.
• Disable Events on Port—Prevents any system on the Internet from connecting to the service (port) that the highlighted event blocked.

Events tab ease-of-use tip: It is easiest to set up rules from the Events tab and view them in the Policy tab. However, you cannot set up certain rules, such as forwarding rules, from the Events tab. Also, you cannot edit rules from the Events tab.

THE POLICY TAB

The Policy tab (Figure 25-9) displays the firewall rules and allows you to add, remove, and edit rules. The drop-down list labeled Editing allows you to select whether firestarter displays (and you can edit) inbound or outbound rules. The Policy tab displays three frames each for inbound and outbound groups of rules. Right-click with the mouse pointer in a frame to display a context menu with these selections: Add Rule, Remove Rule, and Edit Rule. To use the last two selections, you must highlight a rule before right-clicking.

Applying changes: By default, firestarter does not apply changes you make in this tab until you click Apply Policy at the top of the window. You can cause firestarter to apply changes immediately by selecting Firestarter menu: Edit⇒Preferences⇒Policy and putting a tick in the check box labeled Apply policy changes immediately.

INBOUND POLICY

The default inbound policy is to block all inbound connections except connections that are responding to outbound connections.
When you select Inbound traffic policy, firestarter displays three frames that enable you to work with rules that are exceptions to the default policy:

• Allow connections from host—Specifies a host or network that firestarter accepts any incoming connection from. Make sure you trust this system or network completely.
• Allow service—Specifies a service (port) that firestarter accepts inbound connections on. You can specify that firestarter accept inbound connections on the specified port from anyone, all clients, or a specific host or network on the Internet.
• Forward service—Specifies a service (port) that firestarter will accept inbound connections on. The firestarter firewall forwards these connections to the client you specify on the port you specify. Forwarding a service is appropriate if you are running a server on a client system and want systems on the Internet to be able to connect to the server.

OUTBOUND POLICY

When you select Outbound traffic policy, firestarter displays two radio buttons that enable you to set the default outbound policy:

• Permissive by default, blacklist traffic—The default outbound policy. Allows all outbound connections that originate from the firewall host or clients. You must set up specific policies (a blacklist) to block outbound requests for specific services and/or requests from specific systems.
• Restrictive by default, whitelist traffic—Blocks all outbound traffic except connections that you set up rules to allow (a whitelist).

Permissive by default: With the default policy of Permissive by default, firestarter displays three frames that enable you to deny connections and/or services:

• Deny connections to host—Specifies systems on the Internet that the firewall host and all client systems are not allowed to connect to.
• Deny connections from LAN host—Specifies client systems that are not allowed to connect to any system on the Internet.
• Deny service—Specifies a service and/or port that firestarter blocks outbound connections on. You can specify that firestarter block outbound connections on the specified port from anyone, clients, the firewall host, or a specific host or network on the Internet.

Restrictive by default: With the Restrictive by default policy, firestarter displays three frames that enable you to allow connections and/or services:

• Allow connections to host—Specifies systems on the Internet that the firewall host and all client systems are allowed to connect to.
• Allow connections from LAN host—Specifies client systems that are allowed to connect to any system on the Internet.
• Allow service—Specifies a service and/or port that firestarter allows outbound connections on. You can specify that firestarter allow outbound connections on the specified port from anyone, clients, the firewall host, or a specific host or network on the Internet.

ufw: THE UNCOMPLICATED FIREWALL

The ufw (uncomplicated firewall) utility is a simple, easy-to-use, command-line interface to iptables. It is installed as part of the base system. The gufw (gufw.tuxfamily.org; page 876) utility is a graphical interface to ufw and is available in the gufw package.

As installed, ufw is turned off. The status command reports ufw is inactive:

$ sudo ufw status
Status: inactive

Use the enable command to turn ufw on (and use disable to turn it off). When you enable ufw, it starts each time you boot the system. By default, ufw starts with a default policy that blocks all inbound traffic (ufw default deny) and allows outbound traffic. If you want to allow all inbound traffic, give the command ufw default allow.

If you are working from a remote system, you must open the port you are using to connect to the firewall system or you will not be able to reconnect to the system once you start the firewall and log off. In the following example, first the allow command opens a port for ssh and then enable turns on ufw. Alternatively, you can specify the port number in the allow command (ufw allow 22).
Because the enable command is given by a user logged in from a remote system using ssh, it warns that turning on ufw may disconnect you from the system and asks whether you want to proceed. It then reports that the firewall has been started and is set up to be enabled each time the system starts.

$ sudo ufw allow ssh
Rules updated
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Many services that are ufw-aware (e.g., Apache, CUPS, and OpenSSH) install a set of firewall rules in /etc/ufw/applications.d. The command ufw app list lists those services that have firewall rules installed on the local system.

$ sudo ufw app list
Available applications:
CUPS
OpenSSH

When you specify the name of a service (ssh in the preceding example) in a ufw command, ufw searches /etc/services to find the port number used by the service. When you specify the name of the application as listed by ufw app list (OpenSSH in the preceding list), ufw reads the rules from the file in applications.d. The difference between these techniques is important with services/applications that use multiple ports or a range of ports.
The /etc/services file cannot represent this information; the rules in the files in applications.d can.

When you give a status command with an argument of verbose, it reports that ufw is loaded, logging is turned on, and the default policy is to deny incoming connections and allow outgoing connections. With or without verbose, status reports that ufw allows connections on port 22 (the port ssh uses).

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
22                         ALLOW IN    Anywhere

If you log in on the firewall system from one remote system only, you can make the firewall system more secure by limiting those systems you can log in from. The following allow command opens port 22 to connections from the system at 10.10.4.15 only:

$ sudo ufw allow from 10.10.4.15 port 22
Rule added

You remove a rule by giving the same command as you used to establish the rule, preceded by the word delete:

$ sudo ufw delete allow ssh
Rule deleted
$ sudo ufw status
Status: active

To                         Action      From
Anywhere                   ALLOW       10.10.4.15 22

By default, logging is turned on (ufw logging on) and ufw sends messages about intrusion attempts to the kern syslogd facility (page 625). These messages go to the file named /var/log/kern.log. The same information is available from the dmesg utility (page 589).

$ sudo tail -1 /var/log/kern.log
Apr  8 14:27:05 1004B2 kernel: [ 2095.405895] [UFW BLOCK] IN=eth0 OUT= MAC=00:... SRC=10.10.4.16 DST=10.10.4.100 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=19466 DF PROTO=TCP SPT=51016 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

If you want to set up an Apache Web server that accepts requests on port 80 on the local system, you need to open port 80. The following commands open port 80 and verify the new rule:

$ sudo ufw allow 80
Rule added
$ sudo ufw status
80                         ALLOW       Anywhere

See the ufw man page for more information.

gufw: THE GRAPHICAL INTERFACE TO ufw

The gufw utility is a graphical interface to ufw (page 874), the uncomplicated firewall. Any changes you make using one interface are reflected by the other, although you may have to close and reopen the gufw Firewall window to update its contents. You must install the gufw software package to run gufw.

Read the section on ufw first (tip): The section of this chapter starting on page 874 describes how ufw works. This section describes gufw, the graphical interface to ufw. The former section provides a good background for understanding this section.

THE FIREWALL WINDOW

Before you enable ufw and add rules, the gufw Firewall window appears as shown in Figure 25-10; the shield in the window appears in shades of gray. To display this window, select Main menu: System⇒Administration⇒Firewall configuration or enter the command gufw from a terminal emulator or Run Application window (ALT-F2).
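Before continuing with gufw, here is an added shell example (mine, not the book's) that works with the [UFW BLOCK] records ufw writes to /var/log/kern.log in the format shown in the ufw section above. It reduces the key=value fields of each record to source, destination and destination port/protocol, counts blocked attempts per source and port, and lists the sources that hit one port repeatedly, which is how a run of blocked ssh connection attempts (the kind of event the book calls serious) stands out from one-off broadcast noise. The log lines embedded in the script are constructed for the example (the host name fw1 and the addresses are not from the book), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): summarize ufw block events.
# Input is kern.log text; only lines tagged [UFW BLOCK] are considered.

# Constructed sample of kern.log lines (not real traffic). The first three are
# blocked TCP SYNs from one host to ports 22 and 23; the fourth is a blocked
# NetBIOS broadcast; the last is an unrelated kernel message.
UFW_SAMPLE_LOG='Apr  8 14:27:05 fw1 kernel: [ 2095.405895] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.10.4.16 DST=10.10.4.100 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=19466 DF PROTO=TCP SPT=51016 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 14:27:07 fw1 kernel: [ 2097.112233] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.10.4.16 DST=10.10.4.100 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=19467 DF PROTO=TCP SPT=51017 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 14:27:09 fw1 kernel: [ 2099.556677] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.10.4.16 DST=10.10.4.100 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=19468 DF PROTO=TCP SPT=51018 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  8 14:27:12 fw1 kernel: [ 2102.000001] [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:00:00:00:03:08:00 SRC=10.10.4.7 DST=10.10.4.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
Apr  8 14:27:13 fw1 kernel: [ 2103.000002] eth0: link is up'

# Print "SRC DST DPT/PROTO" for every [UFW BLOCK] line read from stdin.
# The record is a list of key=value tokens, so one generic split serves
# TCP and UDP records alike.
ufw_block_events() {
    awk '/\[UFW BLOCK\]/ {
        split("", kv)                       # portable way to clear the array
        for (i = 1; i <= NF; i++)
            if (split($i, p, "=") == 2) kv[p[1]] = p[2]
        printf "%s %s %s/%s\n", kv["SRC"], kv["DST"], kv["DPT"], kv["PROTO"]
    }'
}

# Count blocked attempts per (source, destination port/protocol), most
# frequent first; ties are broken by source address.
ufw_block_summary() {
    ufw_block_events |
        awk '{ n[$1 " " $3]++ } END { for (k in n) print k, n[k] }' |
        LC_ALL=C sort -k3,3nr -k1,1
}

# Print only the (source, port/proto) pairs blocked at least N times: the
# repeated-probe pattern worth a closer look, as opposed to single events.
ufw_repeat_offenders() {   # ufw_repeat_offenders N
    ufw_block_summary | awk -v min="$1" '$3 >= min'
}

# Usage. On a live system feed the real log instead of the sample:
#   sudo grep 'UFW BLOCK' /var/log/kern.log | ufw_block_summary
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_repeat_offenders 2
```

The summary groups by destination port rather than source port because the source port changes with every connection attempt (51016, 51017, 51018 in the sample) while the service being probed does not.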
To enable the ufw firewall, put a tick in the check box labeled Enabled (under the words Actual Status). When you enable the firewall, the shield takes on colors. Disable the firewall by removing the tick.

The two drop-down lists in this window are labeled Incoming and Outgoing. Each of these lists provides three selections:

Allow—Allow network traffic to pass in the direction indicated by the label.
Deny—Deny network traffic attempting to pass in the direction indicated by the label.
Reject—Deny network traffic attempting to pass in the direction indicated by the label and inform the originating system that the traffic has been denied.

Initially Incoming is set to Deny and Outgoing is set to Allow. This setup stops all traffic coming to the local system from the network and allows all traffic originating on the local system out to the network. Incoming packets sent in response to outgoing packets are allowed in to the local system.

[Figure 25-10: The Firewall window showing no rules]

With this setup, no network traffic originating outside of the local system can enter the local system. You must set up rules to allow this traffic to pass. The next section covers setting up rules. You can change the default setup by changing the selections in the Incoming and Outgoing drop-down lists.
This section assumes the default setup.

ADDING RULES

To add a rule, click the button labeled Add; gufw displays the Add Rule window (Figure 25-11). This window has a check box labeled Show extended actions and three tabs labeled Preconfigured, Simple, and Advanced.

[Figure 25-11: The Add Rule window]

[Figure 25-12: Adding a rule to allow ssh traffic]

THE PRECONFIGURED TAB

Initially, this window displays the Preconfigured tab with four drop-down lists that are not labeled. From left to right they are:

Disposition—Specifies what the firewall does with the traffic this rule controls. Choices are Allow, Deny, Reject, and Limit. Allow and Deny allow the traffic to pass through the firewall and deny the traffic passage through the firewall, respectively. Reject denies traffic and sends a message to the source of the traffic saying the traffic was rejected. Limit allows traffic to pass through the firewall unless the originating IP address has attempted to connect six or more times in 30 seconds, in which case it denies the traffic.
Direction—Specifies the direction of the traffic. In indicates the traffic is inbound from the network to the local system. Out indicates the traffic is outbound to the network from the local system.
Source—Specifies if the source of the traffic is a program or a service. The selection in this list affects what appears in the Name list.
Name—Specifies the name of the program or service.

Opening the firewall for ssh: If the system is set up as an ssh server (page 676), you need to set up the firewall to allow inbound ssh traffic. To do so, first enable the firewall by putting a tick in the check box labeled Enabled in the Firewall window. (You cannot add rules when the firewall is disabled.) Next click Add to open the Add Rule window. Then set the four drop-down lists as appropriate: You want to (1) allow traffic (2) into the local system. You are setting up a (3) service named (4) ssh. When you click Add in the Add Rule window, gufw writes the rule to the Firewall window (Figure 25-12).

[Figure 25-13: The Advanced tab of the Add Rule window]
In a similar manner, you can open the firewall to allow HTTP traffic if you are running an Apache server.

THE SIMPLE TAB

The Simple tab of the Add Rule window holds three drop-down lists and a text box. The first two drop-down lists are the same as the first two in the Preconfigured tab: Disposition and Direction. See the previous section for information on these lists. The third drop-down list specifies the Protocol: TCP, UDP, or Both. The text box specifies the Port the rule controls. In this box you can specify a service such as ssh, a port such as 22, several ports separated by commas such as 22,24,26 (ports 22, 24, and 26), or a range of ports separated by a colon such as 135:139 (ports 135 through 139, inclusive).

THE ADVANCED TAB

The Advanced tab of the Add Rule window holds the same three drop-down lists as the Simple tab: Disposition, Direction, and Protocol (Figure 25-13). To the right of these lists are two rows of two text boxes. The first row is labeled From and the second is labeled To. The box on the left in each row specifies an IP address or hostname. The box on the right specifies a service, port, or range of ports in the same manner as the text box in the Simple tab. Using these text boxes, you can specify the origin and destination of the traffic the rule applies to.
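The port syntax the Simple and Advanced tabs accept (22; 22,24,26; 135:139) is the same comma-list and colon-range syntax ufw uses in the ports= line of the application profiles in /etc/ufw/applications.d, which the ufw section contrasted with a name lookup in /etc/services. The following shell functions are an added example, not from the book: they expand such a specification into individual ports, expand the ports= line of a profile, and resolve a service name the way a plain /etc/services lookup does, which shows concretely why a single name cannot carry a multi-port or multi-protocol rule. The profile text and the /etc/services excerpt are constructed for the example (not the system files), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): expand ufw/gufw port specifications
# and compare an application profile with an /etc/services name lookup.

# Expand a port specification in the form ufw and the gufw Simple and
# Advanced tabs accept: one port (22), a comma list (22,24,26), a range
# (135:139), or a comma list mixing the two. Prints one port per line and
# exits non-zero on a malformed entry or a port outside 1..65535.
expand_ports() {   # expand_ports SPEC
    printf '%s\n' "$1" | awk -F, '
        function emit(p) {
            if (p < 1 || p > 65535) { print "port out of range: " p > "/dev/stderr"; exit 1 }
            print p
        }
        {
            for (i = 1; i <= NF; i++) {
                if (split($i, r, ":") == 2) {
                    if (r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/ || r[1] + 0 > r[2] + 0) {
                        print "bad range: " $i > "/dev/stderr"; exit 1
                    }
                    for (p = r[1] + 0; p <= r[2] + 0; p++) emit(p)
                } else if ($i ~ /^[0-9]+$/) {
                    emit($i + 0)
                } else {
                    print "bad port: " $i > "/dev/stderr"; exit 1
                }
            }
        }'
}

# Constructed excerpt in the /etc/services format (not the system file).
SAMPLE_SERVICES='ssh             22/tcp
ssh             22/udp
telnet          23/tcp
http            80/tcp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp'

# A service name handed to ufw is resolved through /etc/services: one port
# per protocol line and nothing more. Prints "port/proto" lines for NAME.
service_ports() {   # service_ports NAME
    printf '%s\n' "$SAMPLE_SERVICES" | awk -v name="$1" '$1 == name { print $2 }'
}

# Constructed profile in the format of /etc/ufw/applications.d (not a real
# file): the ports= line lists protocol groups separated by "|", each a port
# specification followed by /tcp or /udp.
SAMPLE_PROFILE='[SampleFileServer]
title=Constructed file-server profile
description=Used only to demonstrate multi-port rules
ports=137,138/udp|139,445/tcp'

# Expand the ports= line of a profile into "port/proto" lines; this is the
# information a single /etc/services name cannot carry.
profile_ports() {   # profile_ports PROFILE_TEXT
    printf '%s\n' "$1" | sed -n 's/^ports=//p' | tr '|' '\n' |
    while IFS= read -r group; do
        proto=${group##*/}                      # tcp or udp
        expand_ports "${group%/*}" | sed "s#\$#/$proto#"
    done
}

# Usage
expand_ports 135:139
profile_ports "$SAMPLE_PROFILE"
service_ports ssh
```

A practitioner check that falls out of this: run expand_ports on a specification before handing it to ufw, since a reversed range or a stray service name in a numeric list is rejected here with a message rather than silently producing a rule you did not intend.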
[Figure 25-14: The Extended Actions boxes]

The rule shown in Figure 25-13 allows inbound traffic from any port (there is no entry in the upper-right text box) on the system with the IP address of 10.10.4.15 to port 22 on the system with an IP address of 10.10.4.91 (the local system in this case).

THE SHOW EXTENDED ACTIONS CHECK BOX

Putting a tick in the check box labeled Show extended actions adds two items to the Add Rule window: a spin box on the left and a drop-down list between the Direction and Protocol lists (Figure 25-14). The spin box specifies the ordinal number of the rule you are adding. It allows you to place rules before other rules when you are adding more than one rule. It is not useful when you are adding a single rule. Because the first rule that matches traffic controls the traffic, the order of rules can be important. The drop-down list specifies the type of Log you want the rule to create. You can specify No log, Log, and Log all. The second choice specifies minimal logging, while the last choice specifies extensive logging.

INTRODUCTION TO iptables

netfilter and iptables: The functionality referred to as iptables is composed of two components: netfilter and iptables. Running in kernelspace (page 1156), the netfilter component is a set of tables that hold rules that the kernel uses to control network packet filtering. Running in userspace (page 1179), the iptables utility sets up, maintains, and displays the rules stored by netfilter.

Rules, matches, targets, and chains: A rule comprises one or more criteria (matches or classifiers) and a single action (a target). If, when a rule is applied to a network packet, the packet matches all the criteria, the action is applied to the packet. Rules are stored in chains.
Each rule in a chain is applied, in order, to a packet until a match is found. If there is no match, the chain's policy, or default action, is applied to the packet (page 886). History In the kernel, iptables replaces the earlier ipchains as a method of filtering network packets. It provides multiple chains for increased filtration flexibility. The iptables utility also provides stateful packet inspection (page 882). Example rules As an example of how rules work, assume a chain has two rules (Figure 25-15). The first rule tests whether a packet's destination is port 23 (TELNET) and drops the packet if it is. The second rule tests whether a packet was received from the IP address 192.168.1.1 and alters the packet's destination if it was. When a packet is processed by the example chain, the kernel applies the first rule in the chain to see whether the packet arrived on port 23. If the answer is yes, the packet is dropped and that is the I N T R O D U C T I O N TO Ç Packet No Drop Figure 2 5 - 1 5 firestarter 8 8 1 T C P stack Alter destination Example of h o w rules in a chain work end of processing for that packet. If the answer is no, the kernel applies the second rule in the chain to see whether the packet came from the specified IP address. If the answer is yes, the destination in the packet's header is changed and the modified packet is sent on its way. If the answer is no, the packet is sent on without being changed. Chains are collected in three tables: Filter, NAT, and Mangle. Each of these tables has builtin chains (described next). You can create additional, user-defined chains in Filter, the default table. Filter table T h e default table. This table is mostly used to D R O P or A C C E P T packets based on their content; it does not alter packets. Builtin chains are INPUT, F O R W A R D , and O U T P U T . All user-defined chains go in this table. NAT table T h e Network Address Translation table. 
Packets that create new connections are routed through this table, which is used exclusively to translate the source or destination fields of packets. Builtin chains are P R E R O U T I N G , O U T P U T , and P O S T R O U T I N G . Use this table with DNAT, SNAT, and M A S Q U E R A D E targets only. • D N A T (destination NAT) alters the destination IP address of the first inbound packet in a connection so it is rerouted to another host. Subsequent packets in the connection are automatically DNATed. D N A T is useful for redirecting packets from the Internet that are bound for a firewall or a NATed server (page 8 9 6 ) . • S N A T (source N A T ) alters the source IP address of the first outbound packet in a connection so it appears to come from a fixed IP a d d r e s s — for example, a firewall or router. Subsequent packets in the connection are automatically SNATed. Replies to SNATed packets are automatically de-SNATed so they go b a c k to the original sender. S N A T is useful for hiding L A N addresses from systems outside the L A N and using a single IP address to serve multiple local hosts. • M A S Q U E R A D E differs from SNAT only in that it checks for an IP address to apply to each outbound packet, making it suitable for use with dynamic IP addresses such as those provided by D H C P (page 4 7 0 ) . M A S Q U E R A D E is slightly slower than SNAT. Mangle table Used exclusively to alter the T O S (type of service), T T L (time to live), and M A R K fields in a packet. Builtin chains are P R E R O U T I N G and O U T P U T . 882 CHAPTER 2 5 firestarter, g u f w , Figure 2 5 - 1 6 AND iptables: SETTING U P A FIREWALL Filtering a packet in the kernel Network packets W h e n a packet from the network enters the kernel's network protocol stack, it is given some basic sanity tests, including checksum verification. 
After passing these tests, the packet goes through the P R E R O U T I N G chain, where its destination address may be changed (Figure 2 5 - 1 6 ) . Next the packet is routed based on its destination address. If it is bound for the local system, it first goes through the I N P U T chain, where it can be filtered (accepted, dropped, or sent to another chain) or altered. If the packet is not addressed to the local system (the local system is forwarding the packet), it goes through the F O R W A R D and P O S T R O U T I N G chains, where it can again be filtered or altered. Packets created locally pass through the O U T P U T and P O S T R O U T I N G chains, where they can be filtered or altered before being sent to the network. State T h e connection tracking machine (also called the state machine) provides information on the state of a packet, allowing you to define rules that match criteria based on the state of the connection the packet is part of. F o r example, when a connection is opened, the first packet is part of a N E W connection, whereas subsequent packets are part of an E S T A B L I S H E D connection. Connection tracking is handled by the c o n n t r a c k module. T h e O U T P U T chain handles connection tracking for locally generated packets. T h e P R E R O U T I N G chain handles connection tracking for all other packets. For more information refer to " S t a t e " on page 8 8 9 . Before the advent of connection tracking, it was sometimes necessary to open many or all nonprivileged ports to make sure that the system accepted all R E T U R N and R E L A T E D traffic. Because connection tracking allows you to identify these kinds of traffic, you can keep many more ports closed to general traffic, thereby increasing system security. I N T R O D U C T I O N TO iptables 8 8 3 Jumps and targets A jump or target (page 890) specifies the action the kernel takes if a network packet matches all the match criteria (page 884) for the rule being processed. 
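The ideas just introduced (tables, chains, rule order, policies, connection state, a user-defined chain, and a nonterminating LOG rule paired with a DROP) fit in a short script. The one below is an added example, not a script from the book; the script name host-fw.sh, the variable names, and the values of SSH_PORT and ADMIN_NET are assumptions. It is a dry run by default and only prints the iptables commands it would issue; the option syntax is explained in the sections that follow.

```shell
#!/bin/sh
# host-fw.sh: a small stateful host firewall for the INPUT chain.
# Added example, not the book's script. SSH_PORT and ADMIN_NET are assumed
# values; adjust them for the local system.
#
#   sh host-fw.sh                            dry run: print the iptables commands
#   sudo env IPT=iptables sh host-fw.sh      apply them to the running kernel

IPT=${IPT:-"echo iptables"}              # command used to issue each rule
SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}   # assumed management network

# Put the kernel back into its default, no-firewall state. The policies are
# set to ACCEPT before the flush because --flush leaves policies alone:
# flushing a chain whose policy is DROP would cut off the ssh session doing
# the work.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT --policy "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        $IPT --table "$table" --flush
        $IPT --table "$table" --delete-chain
    done
}

host_rules() {
    reset_firewall

    # Loopback traffic, and packets belonging to connections the connection
    # tracking machine already knows, are accepted first so that the rules
    # below only ever see new connection attempts.
    $IPT --append INPUT --in-interface lo --jump ACCEPT
    $IPT --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    $IPT --append INPUT --match state --state INVALID --jump DROP

    # All remaining TCP packets jump to a user-defined chain. A packet that
    # reaches the end of tcp_rules without matching comes back to INPUT and
    # continues with the rule after the jump.
    $IPT --new-chain tcp_rules
    $IPT --append INPUT --protocol tcp --jump tcp_rules

    # tcp_rules: only new ssh connections, and only from the admin network.
    # --syn restricts the match to the opening packet of a connection.
    $IPT --append tcp_rules --protocol tcp --syn --source "$ADMIN_NET" \
         --destination-port "$SSH_PORT" --match state --state NEW --jump ACCEPT

    # Everything else: LOG is nonterminating, so the DROP with the same match
    # criteria (here none, i.e. every packet that is left) must follow it.
    $IPT --append INPUT --jump LOG --log-prefix "fw-drop: "
    $IPT --append INPUT --jump DROP

    # Set the policy last: the explicit rules above are already in place, so
    # the policy only matters if those rules are later removed.
    $IPT --policy INPUT DROP
}

host_rules
```

With IPT left at its default the script prints each command with iptables in front, which is a convenient way to review a rule set before applying it as root.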
MORE INFORMATION

Web
  Documentation, HOWTOs, FAQs, patch-o-matic, security information: www.netfilter.org
  Tutorial: www.faqs.org/docs/iptables
  Multicast DNS: www.multicastdns.org
  Scripts and more: www.yourwebexperts.com/forum/viewforum.php?f=35

HOWTO
  KernelAnalysis-HOWTO
  IP-Masquerade-HOWTO (contains useful scripts)
  Netfilter Extensions HOWTO: www.netfilter.org
  Netfilter Hacking-HOWTO: www.netfilter.org

Book
  TCP/IP Illustrated by W. Richard Stevens, Addison-Wesley, January 2002

PREREQUISITES

Installation: Install the following package:
  • iptables

iptables init script: The iptables package does not include an init script because, under Ubuntu, it is generally called from gufw. This chapter includes instructions for configuring and running iptables. You can save and reload iptables rules as explained in "Saving rules" below.

NOTES

Startup: The iptables utility is a tool that manipulates rules in the kernel. It differs from daemons (servers) in its setup and use. Whereas Linux daemons such as Apache, vsftpd, and sshd read the data that controls their operation from a configuration file, you must provide iptables with a series of commands that build a set of packet filtering rules that are kept in the kernel. The rules live only in the kernel: they are lost at reboot unless something reloads them.

Saving rules: You can save and reload iptables rules as explained on page 891. Run iptables with the -L option to display the packet filtering rules the kernel is using. You can put a command to load iptables rules in /etc/rc.local. Or, if you want to start iptables earlier in the boot process, you can write a simple init script, put it in /etc/init.d, and use sysv-rc-conf (page 441) to tell init when to run it.
Resetting iptables: If you encounter problems related to the firewall rules, you can return the packet processing rules in the kernel to their default state without rebooting by giving the following commands:

$ sudo iptables --flush
$ sudo iptables --delete-chain

These commands flush all chains and delete any user-defined chains in the Filter table, leaving the system without a firewall. They do not change chain policies: if you had set a policy to DROP, set it back (sudo iptables --policy INPUT ACCEPT, and likewise for FORWARD and OUTPUT) or the kernel keeps dropping everything that the flushed rules used to accept, including the ssh session you are working from. Repeat the two commands with --table nat and --table mangle to clear those tables as well.

ANATOMY OF AN iptables COMMAND

Command line: This section lists the components of an iptables command line that follow the name of the utility, iptables. Except as noted, the iptables utility is not sensitive to the positions of arguments on the command line. The examples in this chapter reflect a generally accepted syntax that allows commands to be easily read, understood, and maintained. Not all commands have all components.

Many tokens on an iptables command line have two forms: a short form, consisting of a single letter preceded by a single hyphen, and a long form, consisting of a word preceded by two hyphens. Most scripts use the short forms for brevity; lines using the long forms can get unwieldy. The following iptables command lines are equivalent and are used as examples in this section:

$ sudo iptables --append FORWARD --in-interface eth1 --out-interface eth0 --jump ACCEPT
$ sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Table: Specifies the name of the table the command operates on: Filter, NAT, or Mangle. You can specify a table name in any iptables command. When you do not specify a table name, the command operates on the Filter table. Most examples in this chapter do not specify table names and, therefore, work on the Filter table. Specify a table as -t tablename or --table tablename; on the command line the names are lowercase (filter, nat, mangle) and iptables rejects any other spelling.

Command: Tells iptables what to do with the rest of the command line, for example add or delete a rule, display rules, or add a chain. The example commands, -A and --append, append the rule specified by the command line to the specified table (defaults to the Filter table) and chain. See page 885 for a list of commands.

Chain: Specifies the name of the chain that this rule belongs to or that this command works on. The chain is INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING, or the name of a user-defined chain. Specify a chain by putting the name of the chain on the command line without any preceding hyphens. The examples at the beginning of this section work with the FORWARD chain.

Match criteria: There are two kinds of match criteria: packet match criteria, which match a network packet, and rule match criteria, which match an existing rule.

Packet match criteria/rule specifications: Packet match criteria identify network packets and implement rules that take action on packets that match the criteria. The combination of packet match criteria and an action is called a rule specification. Rule specifications form the basis for packet filtering. The first example at the beginning of this section uses the --in-interface eth1 --out-interface eth0 packet match criteria. The second example uses the short form of the same criteria: -i eth1 -o eth0. Both of these rules forward packets that come in on device eth1 and go out on device eth0.

Rule match criteria: Rule match criteria identify existing rules. An iptables command can modify, remove, or position a new rule adjacent to a rule specified by a rule match criterion. There are two ways to identify an existing rule: You can use the same rule specification that was used to create the rule or you can use the rule's ordinal number, called a rule number. Rule numbers begin with 1, signifying the first rule in a chain, and can be displayed with iptables -L --line-numbers. A rule's number changes whenever a rule ahead of it in the chain is inserted or deleted, so list the chain again immediately before using a number. The first command below deletes the rule listed at the beginning of this section; the second command replaces rule number 3 in the INPUT chain with a rule that rejects all packets from IP address 192.168.0.10:

$ sudo iptables --delete FORWARD -i eth1 -o eth0 -j ACCEPT
$ sudo iptables -R INPUT 3 --source 192.168.0.10 --jump REJECT

Jumps and targets: A jump or target specifies what action the kernel takes on packets that match all match criteria for a rule. Specify a jump or target as -j target or --jump target. The examples at the beginning of this section specify the ACCEPT target using --jump ACCEPT and -j ACCEPT.

Jumps: A jump transfers control to a different chain within the same table. The following command adds (--append) a rule to the INPUT chain that transfers packets that use the TCP protocol (--protocol tcp) to a user-defined chain named tcp_rules (--jump tcp_rules); the chain must already exist (create it with iptables --new-chain tcp_rules):

$ sudo iptables --append INPUT --protocol tcp --jump tcp_rules

When the packet finishes traversing the tcp_rules chain, assuming it has not been dropped or rejected (or sent back early by a RETURN target), it continues traversing the INPUT chain from the rule following the one it jumped from.

Targets: A target specifies an action the kernel takes on the packet; the simplest actions are ACCEPT, DROP, and REJECT. The following command adds a rule to the FORWARD chain that rejects packets coming from the FTP port (/etc/services, the file iptables consults to determine which port to use, shows that FTP uses port 21). The --sport match is a TCP extension, so the rule must also specify --protocol tcp:

$ sudo iptables --append FORWARD --protocol tcp --sport ftp --jump REJECT

Some targets, such as LOG, are nonterminating: Control passes to the next rule after the target is executed. See page 890 for information on how to use targets.

BUILDING A SET OF RULES USING iptables

To specify a table, it is common practice to put the table declaration on the command line immediately following iptables.
For example, the following command flushes (deletes all the rules from) the NAT table:

$ sudo iptables -t nat -F

COMMANDS

Following is a list of iptables commands:

--append, -A
    Adds rule(s) specified by rule-specifications to the end of chain. When a packet matches all of the rule-specifications, target processes it.
    iptables -A chain rule-specifications --jump target

--delete, -D
    Removes one or more rules from chain, as specified by rule-numbers or rule-specifications.
    iptables -D chain rule-numbers | rule-specifications

--insert, -I
    Adds rule(s) specified by rule-specifications and target to the location in chain specified by rule-number. If you do not specify rule-number, it defaults to 1, the head of the chain.
    iptables -I chain rule-number rule-specifications --jump target

--replace, -R
    Replaces rule number rule-number in chain with rule-specification and target. The command fails if rule-number or rule-specification resolves to more than one address.
    iptables -R chain rule-number rule-specification --jump target

--list, -L
    Displays the rules in chain. Omit chain to display the rules for all chains. Use --line-numbers to display rule numbers or select other display criteria from the list on page 887.
    iptables -L [chain] display-criteria

--flush, -F
    Deletes all rules from chain. Omit chain to delete all rules from all chains.
    iptables -F [chain]

--zero, -Z
    Changes to zero the value of all packet and byte counters in chain or in all chains when you do not specify chain. Use with -L to display the counters before clearing them.
    iptables -Z [-L] [chain]

--delete-chain, -X
    Removes the user-defined chain named chain. If you do not specify chain, removes all user-defined chains. You cannot delete a chain that a target points to, nor one that still holds rules (flush it first).
    iptables -X chain

--policy, -P
    Sets the default target or policy builtin-target for the builtin chain builtin-chain. This policy is applied to packets that do not match any rule in the chain. Builtin chains start with a policy of ACCEPT. User-defined chains have no policy: a packet that matches no rule in one returns to the chain that jumped to it.
    iptables -P builtin-chain builtin-target

--rename-chain, -E
    Changes the name of the chain old to new.
    iptables -E old new

--help, -h
    Displays a summary of the iptables command syntax. Follow a match extension protocol with -h to display options you can use with that protocol. For more information refer to "Help with extensions" on page 888.
    iptables -h

PACKET MATCH CRITERIA

The following criteria match network packets. When you precede a criterion with an exclamation point (!), the rule matches packets that do not match the criterion.

--protocol [!] proto, -p
    Matches if the packet uses the proto protocol. This criterion is a match extension (below).

--source [!] address[/mask], -s or --src
    Matches if the packet came from address. The address can be a name or IP address. See page 462 for formats of the optional mask (only with an IP address). A name is resolved once, when the rule is added (one rule per address it resolves to), so the rule does not follow later DNS changes.

--destination [!] address[/mask], -d or --dst
    Matches if the packet is going to address. The address can be a name or IP address. See page 462 for formats of the optional mask (only with an IP address).

--in-interface [!] iface[+], -i
    For the INPUT, FORWARD, and PREROUTING chains, matches if iface is the name of the interface the packet was received on. Append a plus sign (+) to iface to match any interface whose name begins with iface. When you do not specify in-interface, the rule matches packets coming from any interface.

--out-interface [!] iface[+], -o
    For the OUTPUT, FORWARD, and POSTROUTING chains, matches if iface is the interface the packet will be sent out on. Append a plus sign (+) to iface to match any interface whose name begins with iface. When you do not specify out-interface, the rule matches packets going to any interface.

[!] --fragment, -f
    Matches the second and subsequent fragments of fragmented packets. Because these fragments carry no transport header, they have no port (or ICMP type) information and never match a rule that tests those fields.

DISPLAY CRITERIA

The following criteria display information. All packets match these criteria.

--verbose, -v     Displays additional output.
--numeric, -n     Displays IP addresses and port numbers as numbers, not names.
--exact, -x       Use with -L to display exact packet and byte counts instead of rounded values.
--line-numbers    Displays line numbers when listing rules. These line numbers are also the rule numbers that you can use in rule match criteria (page 884).

MATCH EXTENSIONS

Rule specification (packet match criteria) extensions, called match extensions, add matches based on protocols and state to the matches described previously. Each of the protocol extensions is kept in a module that must be loaded before that match extension can be used. The option that loads the module must appear in the same rule specification as, and to the left of, the options that use the module. There are two types of match extensions: implicit and explicit.

IMPLICIT MATCH EXTENSIONS

Help with extensions: Implicit extensions are loaded (somewhat) automatically when you use a --protocol option (described below). Each protocol has its own extensions. Follow the protocol with -h to display extensions you can use with that protocol. For example, the following command displays TCP extensions at the end of the Help output:

$ iptables -p tcp -h
...
tcp match options:
[!] --tcp-flags mask comp       match when TCP flags & mask == comp
                                (Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn                       match when only SYN flag set
                                (equivalent to --tcp-flags SYN,RST,ACK SYN)
[!] --source-port port[:port]
 --sport ...
                                match source port(s)
[!] --destination-port port[:port]
 --dport ...
                                match destination port(s)
[!] --tcp-option number         match if TCP option set

This section does not describe all extensions. Use -h, as in the preceding example, to display a complete list.

--protocol [!] proto, -p
    Loads the proto module and matches if the packet uses the proto protocol. The proto can be a name or number from /etc/protocols, including tcp, udp, and icmp (page 1153). Specifying all or 0 (zero) matches all protocols and is the same as not including this match in a rule. The following criteria load the TCP module and match TCP packets coming from port 22 (packets sent by an ssh server):

    --protocol tcp --source-port 22

    The following command expands the preceding match into a rule in the INPUT chain that drops those packets. This command uses ssh, which iptables looks up in /etc/services, in place of 22:

    $ sudo iptables --append INPUT --protocol tcp --source-port ssh --jump DROP

    Note what this rule blocks: packets whose source port is 22, that is, replies from remote ssh servers to sessions opened from this system. To refuse incoming connections to the local ssh server, match the destination port instead (--destination-port ssh).

TCP: The extensions in this section are loaded when you specify --protocol tcp.

--destination-port [!] [port][:port], --dport
    Matches a destination port number or service name (see /etc/services). You can also specify a range of port numbers. Specifically, :port specifies ports 0 through port, and port: specifies ports port through 65535.

--source-port [!] [port][:port], --sport
    Matches a source port number or service name (see /etc/services). You can also specify a range of port numbers. Specifically, :port specifies ports 0 through port, and port: specifies ports port through 65535.

[!] --syn
    Matches packets with the SYN bit set and the ACK, RST, and FIN bits cleared, that is, the opening packet of a TCP connection.
This match extension is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. (The help output on page 888 gives the mask as SYN,RST,ACK; current versions also examine FIN, and iptables-save writes ! --syn as ! --tcp-flags FIN,SYN,RST,ACK SYN, as in the listing on page 892.)

--tcp-flags [!] mask comp
    Defines which TCP flag settings constitute a match. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. The mask is a comma-separated list of flags to be examined; comp is a comma-separated subset of mask that specifies the flags that must be set for a match to occur. Flags in mask but not in comp must be unset; flags not listed in mask are not examined.

--tcp-option [!] n
    Matches a TCP option with a decimal value of n.

UDP: When you specify --protocol udp, you can specify a source and/or destination port in the same manner as described under "TCP" on the preceding page.

ICMP: The extension in this section is loaded when you specify --protocol icmp. ICMP (page 1153) packets carry messages only.

--icmp-type [!] name
    Matches when the packet is an ICMP packet of type name. The name can be a numeric ICMP type or one of the names returned by
    $ iptables -p icmp -h

EXPLICIT MATCH EXTENSIONS

Explicit match extensions differ from implicit match extensions in that you must use a -m or --match option to specify a module before you can use the extension. Many explicit match extension modules are available; this section covers state, one of the most important.

STATE

The state extension matches criteria based on the state of the connection the packet is part of (page 882).

--state state
    Matches a packet whose state is defined by state, a comma-separated list of states from the following list:

    • ESTABLISHED: Any packet, within a specific connection, following the exchange of packets in both directions for that connection.
    • INVALID: A stateless or unidentifiable packet.
    • NEW: The first packet within a specific connection, typically a SYN packet.
    • RELATED: Any packet exchanged in a connection spawned from an ESTABLISHED connection. For example, an FTP data connection might be related to the FTP control connection. (You need the ip_conntrack_ftp module, called nf_conntrack_ftp on current kernels, for FTP connection tracking.)

    The following command loads the state extension and appends to the INPUT chain a rule that matches and drops both invalid packets and packets from new connections (iptables refuses a rule specification that names no command and chain):

    $ sudo iptables --append INPUT --match state --state INVALID,NEW --jump DROP

TARGETS

All targets are built in; there are no user-defined targets. This section lists some of the targets available with iptables. Applicable target options are listed following each target.

ACCEPT
    Continues processing the packet.

DNAT
    Destination Network Address Translation. Rewrites the destination address of the packet (page 881).
    --to-destination ip[-ip][:port-port]
        Same as SNAT with --to-source, except that it changes the destination addresses of packets to the specified addresses and ports and is valid only in the PREROUTING or OUTPUT chains of the NAT table and any user-defined chains called from those chains. The following command adds to the PREROUTING chain of the NAT table a rule that changes the destination in the headers of TCP packets with a destination of 66.187.232.50 to 192.168.0.10:
        $ sudo iptables -t nat -A PREROUTING -p tcp -d 66.187.232.50 -j DNAT --to-destination 192.168.0.10

DROP
    Ends the packet's life without notice.

LOG
    Turns on logging for the packet being processed. The kernel uses syslogd (page 625) to process output generated by this target. LOG is a nonterminating target, so processing continues with the next rule. To log packets that you REJECT or DROP, use two rules with the same matching criteria: the first with the LOG target, the second with REJECT or DROP.
    --log-level n          Specifies logging level n as per syslog.conf (page 626).
    --log-prefix string    Prefixes log entries with string, which can be a maximum of 29 characters long.
    --log-tcp-options      Logs options from the TCP packet header.
    --log-ip-options       Logs options from the IP packet header.

MASQUERADE
    Similar to SNAT with --to-source, except that it takes the source address from the interface the packet leaves on. For use on systems with dynamically assigned IP addresses, such as those using DHCP, including most dial-up lines. Valid only in rules in the POSTROUTING chain of the NAT table. Forgets connections when the interface goes down, as is appropriate for dial-up lines.
    --to-ports port[-port]    Specifies the source port, or range of source ports, to use for masqueraded packets instead of letting the kernel choose. You must specify the TCP or UDP protocol (--protocol tcp or udp) with this option.

REJECT
    Similar to DROP, except that it notifies the sending system that the packet was blocked.
    --reject-with type    Returns the error type to the originating system. The type can be any of the following, all of which return the appropriate ICMP (page 1153) error: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable (the default), icmp-proto-unreachable, icmp-net-prohibited, or icmp-host-prohibited. You can specify type as echo-reply from rules that match an ICMP ping (page 393) packet to return a ping reply. You can specify tcp-reset from rules that match only TCP packets to return a TCP RST packet. This target is valid in the INPUT, FORWARD, and OUTPUT chains and user-defined chains called from these chains.

RETURN
    Stops traversing this chain and returns the packet to the calling chain.

SNAT
    Source Network Address Translation. Rewrites the source address of the packet. Appropriate for hosts on a LAN that share an Internet connection.
    --to-source ip[-ip][:port-port]
        Alters the source IP address of an outbound packet, and the source IP addresses of all future packets in this connection, to ip. Skips additional rules, if any exist. Returning packets are automatically de-SNATed so they return to the originating host. Valid only in the POSTROUTING chain of the NAT table.

        When you specify a range of IP addresses (ip-ip) or use multiple --to-source options, iptables assigns the addresses in a round-robin fashion, cycling through the addresses, one for each new connection. When the rule specifies the TCP or UDP protocol (-p tcp or -p udp), you can specify a range of ports. When you do not specify a range of ports, the rule matches all ports.

        Every connection on a NATed subnet must have a unique IP address and port combination. If two systems on a NATed subnet try to use the same port, the kernel maps one of the ports to another (unused) port. Ports below 512 are mapped to other ports below 512, ports from 512 through 1023 are mapped to other ports below 1024, and ports from 1024 upward are mapped to other ports from 1024 upward.

COPYING RULES TO AND FROM THE KERNEL

The iptables-save utility copies packet filtering rules from the kernel to standard output so you can save them in a file. The iptables-restore utility copies rules from standard input, as written by iptables-save, to the kernel, replacing the existing rules of each table present in its input. Save and reload with, for example, sudo iptables-save > rules and sudo iptables-restore < rules. Sample output from iptables-save follows:

$ sudo iptables-save
# Generated by iptables-save v1.4.4 on Thu Apr  8 13:47:27 2010
*filter
:INPUT ACCEPT [371:29762]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288:28720]
-A INPUT -s 198.144.192.2/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 198.144.192.2/32 -p udp -j ACCEPT
-A INPUT -s 209.157.152.23/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 209.157.152.23/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Thu Apr  8 13:47:27 2010

Most lines that iptables-save writes are iptables command lines without the iptables at the beginning. Lines that begin with a hashmark (#) are comments. Lines that begin with an asterisk (*) are names of tables that the following commands work on; the commands in the preceding example work on the Filter table. The COMMIT line must appear at the end of all commands for a table; it executes the preceding commands. Lines that begin with colons specify chains in the following format:

:chain policy [packets:bytes]

where chain is the name of the chain, policy is the policy (default target) for the chain (a hyphen for a user-defined chain, which has no policy), and packets and bytes are the packet and byte counters, respectively. The square brackets must appear in the line; they do not indicate optional parameters. Visit www.faqs.org/docs/iptables/iptables-save.html for more information.

SHARING AN INTERNET CONNECTION USING NAT

Many scripts that set up Internet connection sharing using iptables are available on the Internet. Each of these scripts boils down to the same few basic iptables commands, albeit with minor differences. This section discusses those few statements to explain how a connection can be shared. You can use the statements presented in this section or refer to the Linux IP Masquerade HOWTO for complete scripts. The tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html Web page holds the simplest of these scripts.

There are two ways you can share a single connection to the Internet (one IP address), both of which involve setting up NAT to alter addresses in packets and then forward them.
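The iptables-save format described under "Copying rules to and from the kernel" above is easy to read offline, and doing so answers the questions that rule numbers (page 884) raise before you hand a number to -D, -R, or -I. The script below is an added example, not code from the book: it reads a dump from standard input with awk, reports chain policies, computes a rule's number the way iptables -L --line-numbers would, and shows how that number shifts once a rule ahead of it is deleted. SAMPLE_DUMP is constructed for the example, modelled on the listing on page 892, and the script name rules-lint.sh is an assumption.

```shell
#!/bin/sh
# rules-lint.sh: examine an iptables-save dump without touching the kernel.
# Added example, not from the book. Usage: sudo iptables-save | sh rules-lint.sh
# The functions read the dump from standard input.

# Constructed sample dump (not captured output), after the page 892 listing.
SAMPLE_DUMP='# Generated by iptables-save v1.4.4 on Thu Apr  8 13:47:27 2010
*filter
:INPUT ACCEPT [371:29762]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288:28720]
-A INPUT -s 198.144.192.2/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 198.144.192.2/32 -p udp -j ACCEPT
-A INPUT -s 209.157.152.23/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 209.157.152.23/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Thu Apr  8 13:47:27 2010'

# chain_policy TABLE CHAIN: the policy recorded on the ":CHAIN POLICY [p:b]"
# line. User-defined chains carry "-" because they have no policy.
chain_policy() {
    awk -v tbl="$1" -v ch="$2" '
        /^\*/ { cur = substr($0, 2); next }
        /^:/ && cur == tbl && substr($1, 2) == ch { print $2; exit }'
}

# accept_policy_chains TABLE: chains in TABLE whose policy is ACCEPT. A builtin
# chain with an ACCEPT policy and no final DROP rule admits unmatched traffic.
accept_policy_chains() {
    awk -v tbl="$1" '
        /^\*/ { cur = substr($0, 2); next }
        /^:/ && cur == tbl && $2 == "ACCEPT" { print substr($1, 2) }'
}

# rule_number TABLE CHAIN SPEC: 1-based position of the first rule in CHAIN
# whose specification (everything after "-A CHAIN ") equals SPEC, which is the
# number "iptables -L --line-numbers" shows. Exit status 1 if there is none.
rule_number() {
    awk -v tbl="$1" -v ch="$2" -v spec="$3" '
        /^\*/ { cur = substr($0, 2); next }
        /^-A / && cur == tbl && $2 == ch {
            n++
            if (substr($0, length($1) + length($2) + 3) == spec) {
                print n; found = 1; exit
            }
        }
        END { if (!found) exit 1 }'
}

# delete_rule TABLE CHAIN NUM: the dump with the NUM-th rule of CHAIN removed,
# the text equivalent of "iptables -D CHAIN NUM". Every rule after it moves up
# one place, so a number looked up before the delete is stale afterwards.
delete_rule() {
    awk -v tbl="$1" -v ch="$2" -v num="$3" '
        /^\*/ { cur = substr($0, 2) }
        /^-A / && cur == tbl && $2 == ch { if (++n == num) next }
        { print }'
}

# report: policies of every chain, then the number of rules in each chain.
report() {
    awk '
        /^\*/ { cur = substr($0, 2); next }
        /^:/  { printf "%s %s policy %s\n", cur, substr($1, 2), $2; next }
        /^-A/ { rules[cur " " $2]++ }
        END   { for (k in rules) printf "%s rules %d\n", k, rules[k] }'
}

printf '%s\n' "$SAMPLE_DUMP" | report
```

Deleting by rule specification (iptables -D INPUT -i lo -j ACCEPT) sidesteps the renumbering problem entirely; when a number is unavoidable, compute it from a dump taken immediately before the change, as rule_number does here.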
The first allows clients (browsers, mail readers, and so on) on several systems on a LAN to share a single IP address to connect to servers on the Internet. The second allows servers (mail, Web, FTP, and so on) on different systems on a LAN to provide their services over a single connection to the Internet. You can use iptables to set up one or both of these configurations. In both cases, you need to set up a system that is a router: It must have two network connections, one connected to the Internet and the other to the LAN.

For optimal security, use a dedicated system as a router. Because data transmission over a connection to the Internet, even over a broadband connection, is relatively slow, using a slower, older system as a router does not generally slow down a LAN. This setup also offers some defense against intrusion from the Internet. A workstation on the LAN can function as a router as well, but this setup means that you maintain data on a system that is directly connected to the Internet. The following sections discuss the security of each setup.

The examples in this section assume that the device named eth0 connects to the Internet on 10.255.255.255 and that eth1 connects to the LAN on 192.168.0.1. Substitute the devices and IP addresses that the local systems use. If you use a modem to connect to the Internet, you need to substitute ppp0 (or another device) for eth0 in the examples.

For the examples in this section to work, you must turn on IP forwarding. First give the following command and make sure everything is working:

$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

If you want to forward IPv6 packets, give this command instead:

$ sudo sysctl -w net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.forwarding = 1

Once you know that iptables is working correctly, follow the instructions in /etc/sysctl.conf and uncomment one or both of the following assignments to make the kernel always perform IP forwarding for IPv4 and/or IPv6:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1

After making this change, give the command sudo sysctl -p to apply the change and to make sure that there are no typographical errors in the configuration file. Keep in mind that the iptables rules in this chapter filter only IPv4; IPv6 is filtered separately by ip6tables, so a router with IPv6 forwarding enabled and no ip6tables rules forwards all IPv6 traffic unfiltered. Leave IPv6 forwarding off unless you have rules for it.

CONNECTING SEVERAL CLIENTS TO A SINGLE INTERNET CONNECTION

Configuring the kernel of the router system to allow clients on multiple local systems on the LAN to connect to the Internet requires you to set up IP masquerading, or SNAT (source NAT). IP masquerading translates the source and destination addresses in the headers of network packets that originate on local systems and the packets that remote servers send in response to those packets. These packets are part of connections that originate on a local system. The example in this section does nothing to packets that are part of connections that originate on the remote systems (on the Internet): These packets cannot get past the router system, which provides some degree of security. The point of rewriting the packet headers is to allow systems with different local IP addresses to share a single IP address on the Internet.
The router system translates the source or origin address of packets from the local systems to that of the Internet connection, so that all packets passing from the router to the Internet appear to come from a single system—10.255.255.255 in the example. All packets sent in response by remote systems on the Internet to the router system have the address of the Internet connection—10.255.255.255 in the example—as their destination address. The router system remembers each connection and alters the destination address of each response packet to that of the local, originating system.

The router system is established by four iptables commands, one of which sets up a log of masqueraded connections. The first command puts the first rule in the FORWARD chain of the Filter (default) table (-A FORWARD):

$ sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

To match this rule, a packet must be

1. Received on eth0 (coming in from the Internet): -i eth0.
2. Going to be sent out on eth1 (going out to the LAN): -o eth1.
3. Part of an established connection or a connection that is related to an established connection: --state ESTABLISHED,RELATED.

The kernel accepts (-j ACCEPT) packets that meet these three criteria. Accepted packets pass to the next appropriate chain or table. Packets from the Internet that attempt to create a new connection are not matched and, therefore, are not accepted by this rule. Packets that are not accepted pass to the next rule in the FORWARD chain.

The second command puts the second rule in the FORWARD chain of the Filter table:

$ sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

To match this rule, a packet must be

1. Received on eth1 (coming in from the LAN): -i eth1.
2. Going to be sent out on eth0 (going out to the Internet): -o eth0.
The kernel accepts packets that meet these two criteria, which means that all packets that originate locally and are going to the Internet are accepted. Accepted packets pass to the next appropriate chain/table; packets that are not accepted pass to the next rule in the FORWARD chain.

The third command puts the third rule in the FORWARD chain of the Filter table:

$ sudo iptables -A FORWARD -j LOG

Because this rule has no match criteria, it acts on all packets it processes. This rule's action is to log packets—that is, it logs packets from the Internet that attempt to create a new connection. Packets that reach the end of the FORWARD chain of the Filter table are done with the rules set up by iptables and are handled by the local TCP stack. Packets from the Internet that attempt to create a new connection on the router system are accepted or returned, depending on whether the service they are trying to connect to is available on the router system.

The fourth command puts the first rule in the POSTROUTING chain of the NAT table. Only packets that are establishing a new connection are passed to the NAT table. Once a connection has been set up for SNAT or MASQUERADE, the headers on all subsequent ESTABLISHED and RELATED packets are altered the same way as the header of the first packet. Packets sent in response to these packets automatically have their headers adjusted so that they return to the originating local system.

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To match this rule, a packet must be

1. Establishing a new connection (otherwise it would not have come to the NAT table).
2. Going to be sent out on eth0 (going out to the Internet): -o eth0.

The kernel MASQUERADEs all packets that meet these criteria.
In other words, all locally originating packets that are establishing new connections have their source address changed to the address that is associated with eth0 (10.255.255.255 in the example). The following example shows all four commands together:

$ sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
$ sudo iptables -A FORWARD -j LOG
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

See page 883 for instructions on how to save these rules so that the firewall comes up each time the system boots.

To limit the local systems that can connect to the Internet, you can add a source-address match criterion to the last command (a plain -s takes an address or a network/prefix; a range of addresses needs the iprange match):

$ sudo iptables -t nat -A POSTROUTING -o eth0 -m iprange --src-range 192.168.0.0-192.168.0.32 -j MASQUERADE

In the preceding command, --src-range 192.168.0.0-192.168.0.32 causes only packets from an IP address in the specified range to be MASQUERADEd.

CONNECTING SEVERAL SERVERS TO A SINGLE INTERNET CONNECTION

DNAT (destination NAT) can set up rules that allow clients from the Internet to send packets to servers on the LAN. This example sets up an SMTP mail server on 192.168.1.33 and an Apache (Web) server on 192.168.1.34. Both protocols use TCP. SMTP uses port 25 and Apache uses port 80, so the rules match TCP packets with destination ports of 25 and 80. The example assumes that the mail server does not make outgoing connections and uses another server on the LAN for DNS and mail relaying.
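The four masquerading commands above, assembled into one file: the following shell script is an added example, not code from the book, and it writes the rules in the format iptables-save produces so that they can be reviewed, loaded with iptables-restore and saved for the next boot in one step. It uses the eth0, eth1 and 192.168.0.0/24 values of the example; everything else (the function names, the DROP default policy it gives the FORWARD chain, which the book's four commands do not set, the LOG prefix, and the dnat_rule helper that produces the port-forwarding rule form the next section uses) is this example's own. Table names are given in lowercase (-t nat), which is the spelling iptables accepts.

```sh
#!/bin/sh
# Added example: build and audit a masquerading ruleset (not from the book).

# Emit an iptables-restore file on stdout.
#   $1 = Internet-facing device, $2 = LAN device,
#   $3 = LAN network in address/prefix form; only these sources are forwarded
#        and masqueraded (a plain -s takes a network; a range needs -m iprange).
# Unlike the book's four commands, the FORWARD chain gets a DROP policy, so a
# packet that matches no ACCEPT rule is logged by the LOG rule and then dropped.
nat_ruleset() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# One DNAT (port-forwarding) rule for the PREROUTING chain of the nat table.
#   $1 = Internet device, $2 = protocol, $3 = public port, $4 = LAN address:port
dnat_rule() {
    printf '%s\n' "-A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to-destination $4"
}

# Read an iptables-save style dump on stdin and print "table chain policy"
# for every chain header line of the form ":chain policy [packets:bytes]".
chain_policies() {
    awk '
        /^\*/ { table = substr($1, 2); next }              # *filter, *nat
        /^:/  { print table, substr($1, 2), $2; next }     # :INPUT DROP [0:0]
    '
}

# Print the INPUT/FORWARD chains of the filter table whose default policy is
# ACCEPT and return 1 if there are any: traffic that matches no rule in such
# a chain is let through.
open_filter_chains() {
    accepting=$(chain_policies |
        awk '$1 == "filter" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" { print $2 }')
    if [ -n "$accepting" ]; then
        printf '%s\n' "$accepting"
        return 1
    fi
    return 0
}

# Return 0 when IPv4 forwarding is on; $1 overrides the sysctl file (for tests).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Typical use on the router (needs root, so not run here):
#   nat_ruleset eth0 eth1 192.168.0.0/24 > masq.rules
#   sudo sysctl -w net.ipv4.ip_forward=1
#   sudo iptables-restore < masq.rules
#   sudo iptables-save | open_filter_chains
```

The audit reads the `:chain policy [packets:bytes]` header lines described earlier and reports INPUT or FORWARD chains that still default to ACCEPT; run over the generated file it reports INPUT, because this section's rules do not touch the router's own INPUT chain, which the earlier part of the chapter covers.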
Both commands put rules in the PREROUTING chain of the NAT table (-A PREROUTING -t nat):

$ sudo iptables -A PREROUTING -t nat -p tcp --dport 25 -j DNAT --to-destination 192.168.0.33:25
$ sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to-destination 192.168.0.34:80

To match these rules, the packet must use the TCP protocol (-p tcp) and have a destination port of either 25 (first rule, --dport 25) or 80 (second rule, --dport 80). The --to-destination option belongs to the DNAT target, which is specific to the PREROUTING and OUTPUT chains of the NAT table; it alters the destination address and port of matched packets as specified. As with MASQUERADE and SNAT, subsequent packets in the same and related connections are altered the same way.

The fact that the servers cannot originate connections means that neither server can be exploited to participate in a DDoS attack (page 1144) on systems on the Internet, nor can they send private data from the local system back to a malicious user's system.

CHAPTER SUMMARY

A firewall, such as iptables, gufw, or firestarter, is designed to prevent unauthorized access to a system or network. The firestarter and gufw utilities are sophisticated, graphical tools for building and maintaining a firewall. Each can protect just the single system it runs on or can protect the system it runs on plus other systems on a LAN that connect to the Internet through the system running firestarter or gufw.

An iptables command sets up or maintains in the kernel rules that control the flow of network packets; rules are stored in chains. Each rule includes a criteria part and an action part, called a target. When the criteria part matches a network packet, the kernel applies the action from the rule to the packet.

Chains are collected in three tables: Filter, NAT, and Mangle. Filter (the default table) DROPs or ACCEPTs packets based on their content.
NAT (the Network Address Translation table) translates the source or destination field of packets. Mangle is used exclusively to alter the TOS (type of service), TTL (time to live), and MARK fields in a packet. The connection tracking machine, which is handled by the conntrack module, defines rules that match criteria based on the state of the connection a packet is part of.

EXERCISES

1. How would you remove all iptables rules and chains?
2. What is firestarter? How is it related to iptables?
3. What is the easiest way to set up a rule using firestarter?
4. How would you list all current iptables rules?
5. How is configuring iptables different from configuring most Linux services?
6. Define an iptables rule that will reject incoming connections on the TELNET port.
7. What does NAT stand for? What does the NAT table do?

ADVANCED EXERCISES

8. What does the conntrack module do?
9. What do rule match criteria do? What are they used for?
10. What do packet match criteria do? What are they used for?
11. Which utilities copy packet filtering rules to and from the kernel? How do they work?
12. Define a rule that will silently block incoming SMTP connections from spmr.com.

26 APACHE: SETTING UP A WEB SERVER

IN THIS CHAPTER

JumpStart: Getting Apache Up and Running 903
Configuring Apache 905
Configuration Directives 909
Contexts and Containers 915
The Ubuntu apache2.conf File 932
Redirects 935
Content Negotiation 935
Type Maps 935
MultiViews 936
Virtual Hosts 937
Troubleshooting 940

The World Wide Web (WWW or Web for short) is a collection of servers that hold material, called content, that Web browsers (or just browsers) can display. Each of the servers on the Web is connected to the Internet, a network of networks (an internetwork). Much of the content on the Web is coded in HTML (Hypertext Markup Language, page 1152).
Hypertext, the links you click on a Web page, allows browsers to display and react to links that point to other Web pages on the Internet.

Apache is the most popular Web server on the Internet. It is both robust and extensible. The ease with which you can install, configure, and run it in the Linux environment makes it an obvious choice for publishing content on the World Wide Web. The Apache server and related projects are developed and maintained by the Apache Software Foundation (ASF), a not-for-profit corporation formed in June 1999. The ASF grew out of the Apache Group, which was established in 1995 to develop the Apache server.

This chapter starts by providing introductory information about Apache. Following this information is the JumpStart section, which describes the minimal steps needed to get Apache up and running. Next is "Filesystem Layout," which tells you where the various Apache files are located. Configuration directives (referred to simply as directives) are a key part of Apache and are discussed starting on page 909. This section includes coverage of contexts and containers, two features/concepts that are critical to understanding Apache. The next section, which starts on page 932, explains the main Apache configuration file, apache2.conf, as distributed by Ubuntu. The final pages of the chapter cover virtual hosts, troubleshooting, and modules you can use with Apache, including CGI and SSL.

INTRODUCTION

Apache is a server that responds to requests from Web browsers, or clients, such as Firefox, Netscape, lynx, and Internet Explorer. When you enter the address of a Web page (a URI, page 1179) in a Web browser's location bar, the browser sends a request over the Internet to the (Apache) server at that address. In response, the server sends (serves) the requested content back to the browser.
The browser then displays or plays the content, which might be a song, picture, video clip, or other information.

Content
Aside from add-on modules that can interact with the content, Apache looks only at the type of data it is sending so that it can specify the correct MIME (page 1160) type; otherwise it remains oblivious to the content itself. Server administration and content creation are two different aspects of bringing up a Web site. This chapter concentrates on setting up and running an Apache server; it spends little time discussing content creation.

Modules
Apache, like the Linux kernel, uses external modules to increase load-time flexibility and allow parts of its code to be recompiled without recompiling the whole program. Rather than being part of the Apache binary, modules are stored as separate files that can be loaded when Apache is started. Apache uses external modules, called dynamic shared objects (DSOs), for basic and advanced functions; there is not much to Apache without these modules. Apache also uses modules to extend its functionality. For example, modules can process scripts written in Perl, PHP, Python, and other languages; use several different methods to authenticate users; facilitate publishing content; and process nontextual content, such as audio. The list of modules written by the ASF and third-party developers is constantly growing. For more information refer to "Modules" on page 941.

Setup
The Debian/Ubuntu Apache team provides one of the easiest-to-use Apache setups of any distribution. Most packages that provide a Web interface and that depend on Apache run as installed; typically you do not need to modify the configuration files. For example, installing phpmyadmin (sourceforge.net/projects/phpmyadmin) makes it available to a browser as /phpmyadmin. This section describes the packages you need to install and provides references for the programs covered in this chapter.
The "Notes" section introduces terminology and other topics that may help you make better sense of this chapter. The JumpStart section (page 903) gets Apache up and running as quickly as possible.

MORE INFORMATION

Local
Apache HTTP Server Version 2.2 Documentation: With Apache running and apache2-doc installed, point a browser at server/manual, where server is localhost or the name or IP address of the Apache server.
Apache directives: server/manual/mod/directives.html
SSI directives: server/manual/howto/ssi.html

Web
Apache documentation: httpd.apache.org/docs/2.2
Apache directives: httpd.apache.org/docs/2.2/mod/directives.html
Apache Software Foundation (newsletters, mailing lists, projects, module registry, and more): www.apache.org
webalizer: www.mrunix.net/webalizer
awstats: awstats.sourceforge.net
libapache2-mod-perl2: perl.apache.org (mod_perl)
libapache2-mod-php5: www.php.net (mod_php)
libapache2-mod-python: www.modpython.org (mod_python)
SSL: www.modssl.org (mod_ssl)
MRTG: mrtg.hdl.com/mrtg
SNMP: net-snmp.sourceforge.net
SSI directives: httpd.apache.org/docs/2.2/howto/ssi.html

NOTES

Terms: Apache and apache2
Apache is the name of a server that serves HTTP and other content. The name of the Apache 2 daemon is apache2. This chapter uses Apache and apache2 interchangeably.

Terms: server and process
An Apache server is the same thing as an Apache process. An Apache child process exists to handle incoming client requests; hence it is referred to as a server.

Firewall
An Apache server normally uses TCP port 80; a secure server uses TCP port 443. If the Apache server system is running or behind a firewall, you must open one or both of these ports. To get started, open port 80 (HTTP). Using gufw (page 876), open these ports by setting a policy that allows service for HTTP and/or HTTPS.

Running with root privileges
Because Apache serves content on privileged ports, you must start it running with root privileges.
For security reasons, Ubuntu sets up Apache to spawn processes that run as the user and group www-data.

Locale
The apache2 daemon starts using the C locale by default. You can modify this behavior—for example, to use the configured system locale—by setting the LANG variable (in the line that starts with ENV="env -i LANG=C ...) in the /etc/init.d/apache2 file.

Document root
The root of the directory hierarchy that Apache serves content from is called the document root and is controlled by the DocumentRoot directive (page 913). This directive defines a directory on the server that maps to /. This directory appears to users who are browsing a Web site as the root directory. As distributed by Ubuntu, the document root is /var/www.

Modifying content
With the default Ubuntu configuration of Apache, only a user working with root privileges (using sudo) can add or modify content in /var/www. To avoid having people work as root when they are manipulating content, create a group (webwork, for example), put people who need to work with Web content in this group, and make the directory hierarchy starting at /var/www (or another document root) writable by that group. In addition, if you give the directory hierarchy setgid permission, all new files created within this hierarchy will belong to the group, which facilitates sharing files. The first three commands below add the new group, change the mode of the document root to setgid, and change the group that the document root belongs to. The last command adds username to the webwork group; you must repeat this command for each user you want to add to the group.

$ sudo addgroup webwork
$ sudo chmod g+s /var/www
$ sudo chown :webwork /var/www
$ sudo usermod -aG webwork username

See page 597 for more information about working with groups.

Versions
Ubuntu runs Apache version 2.2.
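The group setup above, as an added example that is not from the book: the script below applies the setgid, group-writable document root and then verifies it the way an administrator would before handing the directory to the content group. It runs unprivileged against a scratch directory using the caller's own primary group; /var/www, webwork and the function names are placeholders and this example's own. Unlike the book's chmod g+s, it also adds group read, write and execute permission in the same step, since a setgid bit without group execute does not give members a usable directory.

```sh
#!/bin/sh
# Added example (not from the book): set up and verify a shared document root.
# On a real server DIR would be /var/www and GROUP webwork (placeholders here);
# the check runs unprivileged against a scratch directory.

# Give directory $1 to group $2, make it group-writable and setgid so that
# files created inside it inherit the group. Needs the right to chgrp to $2
# (on a real system: sudo).
setup_docroot() {
    dir=$1; group=$2
    chgrp "$group" "$dir" || return 1
    chmod g+rwxs "$dir" || return 1    # s on the group field = setgid directory
}

# Verify that $1 is owned by group $2, group-writable and setgid, and that a
# file created in it really inherits the group. Prints what is wrong; returns
# 0 only when everything checks out.
check_docroot() {
    dir=$1; group=$2
    mode=$(stat -c '%A' "$dir")                 # e.g. drwxrws---
    case $mode in
        d????ws*) ;;                            # group field ends in "ws"
        *) echo "$dir: mode $mode is not group-writable+setgid"; return 1 ;;
    esac
    if [ "$(stat -c '%G' "$dir")" != "$group" ]; then
        echo "$dir: not owned by group $group"; return 1
    fi
    probe=$(mktemp "$dir/probe.XXXXXX") || return 1
    probe_group=$(stat -c '%G' "$probe")
    rm -f "$probe"
    if [ "$probe_group" != "$group" ]; then
        echo "$dir: new files get group $probe_group, not $group"; return 1
    fi
    return 0
}

# Demonstration on a scratch directory using the caller's own primary group
# (so no privileges are needed); on /var/www the group would be webwork.
demo_docroot() {
    scratch=$(mktemp -d) || return 1
    setup_docroot "$scratch" "$(id -gn)" && check_docroot "$scratch" "$(id -gn)"
    status=$?
    rm -rf "$scratch"
    return $status
}
```

The probe file is the part that matters: a directory can look right in ls -l and still not hand out the group if the setgid bit was lost (a later chmod with an octal mode clears it), so the check creates a file and reads its group back rather than trusting the mode string alone.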
RUNNING A WEB SERVER (APACHE)

This section explains how to install, test, and configure a basic Web server.

PREREQUISITES

Minimal installation
Install the following package:

• apache2

apache2 init script
When you install the apache2 package, the dpkg postinst script starts the apache2 daemon. After you configure Apache, call the apache2 init script to restart the apache2 daemon:

$ sudo service apache2 restart

After changing the Apache configuration on an active server, use reload in place of restart to reload Apache configuration files without disturbing clients connected to the server.

Optional packages
The mod_ssl package is installed as part of the apache2 package—you do not need to install it separately. You may want to install the following optional packages:

• apache2-doc—The Apache manual
• webalizer—Web server log analyzer (page 948)
• awstats—Web server log analyzer
• libapache2-mod-perl2—Embedded Perl scripting language (mod_perl)
• libapache2-mod-python—Metapackage that installs the embedded Python scripting language (mod_python)
• libapache2-mod-php5—Embedded PHP scripting language, including IMAP and LDAP support (mod_php)
• mrtg—MRTG traffic monitor (page 948)

The apache2ctl utility and restarting Apache gracefully
Tip: The apache2 init script calls apache2ctl to start and stop Apache. The reload argument calls this utility with an argument of graceful, which does not disturb clients that are connected to the server. The restart and force-reload arguments call it with arguments of stop and then start; this pair of commands shuts down the server completely before restarting it.

JUMPSTART: GETTING APACHE UP AND RUNNING

To get Apache up and running, modify the /etc/apache2/sites-available/default configuration file as described in this section. "Directives I: Directives You May Want to Modify as You Get Started" on page 910 explains more about this file and explores other changes you may want to make to it.

MODIFYING THE CONFIGURATION FILES

Apache runs as installed, but it is a good idea to add the three lines described in this section to the /etc/apache2/sites-available/default configuration file. If you do not add these lines, Apache will assign values that may not work for you. After you modify this file, you must restart Apache (page 902).

The ServerName line establishes a name for the server. Add one of the following lines to /etc/apache2/sites-available/default to set the name of the server to the domain name of the server or, if you do not have a domain name, to the IP address of the server. Add the line just below the ServerAdmin line near the top of the file.

ServerName example.com

or

ServerName IP_address

where example.com is the domain name of the server and IP_address is the IP address of the server. If you are not connected to a network, you can use the localhost address, 127.0.0.1, so you can start the server and experiment with it. See page 934 for more information on the ServerName directive.

When a client has trouble getting information from a server, the server typically displays an error page that identifies the problem. For example, when Apache cannot find a requested page, it displays a page that says Error 404: Not Found. Each error page can include a mailto: link that the user can click to send mail to the server's administrator. The ServerSignature directive can specify that you want an email link on error pages. This link appears as the domain name the user called in the browser. The ServerAdmin directive specifies the email address that the server sends mail to when a user clicks the link on an error page. Add these two lines to the file named default.
Add both directives following the ServerAdmin directive.

ServerAdmin email_address
ServerSignature EMail

where email_address is the email address of the person who needs to know when people are having trouble using the server. Make sure that someone checks this email account frequently. But also see the tip "ServerAdmin attracts spam" on page 912. It can make system administration much easier if you use a role alias (for example, webmaster@example.com) instead of a specific username (e.g., max@example.com) as an email_address. See the discussion of email aliases on page 722.

After making the changes to the file named default, restart apache2 as explained on page 902.

TESTING APACHE

Once you restart the apache2 daemon, you can confirm that Apache is working correctly by pointing a browser on the local (server) system to http://localhost/. From a remote system, point a browser to http:// followed by the ServerName you specified in the previous section. If you are displaying a page from a system other than the local one, the local system must know how to resolve the domain name you enter (e.g., by using DNS or the /etc/hosts file). For example, you might use either of these URI formats: http://192.168.0.16 or http://example.org.

When you point a browser at a directory that holds a file named index.html, Apache causes the browser to display the contents of that file (otherwise it displays a directory listing). In response to your request, the browser should display the page stored at /var/www/index.html on the server. In this case, the browser should display It works!

If the server is behind a firewall, open TCP port 80 (page 901). If you are having problems getting Apache to work, see "Troubleshooting" on page 940.

PUTTING YOUR CONTENT IN PLACE

Place the content you want Apache to serve in /var/www.
As shown previously, Apache automatically displays the file named index.html in this directory. Give the following command to create such a page, replacing the default page:

$ sudo tee /var/www/index.html
This is my test page.
This is my test page.
CONTROL-D
The tee utility (page 254) copies standard input (page 243) to the file you give as its argument and to standard output (page 243). Because of this redirection, tee repeats each line you type after you press RETURN. After you create this file, either refresh the page on the browser (if it is still running) or start it again and point it at the server. The browser should display the page you just created.

CONFIGURING APACHE

This section describes configuration tools you can use to make your job easier. It also tells you where you can find many of the files you may need to work with as you set up and modify an Apache server. Most of the configuration files are in the /etc/apache2 hierarchy.

CONFIGURATION TOOLS

This section describes the utilities that manage some of the files in the /etc/apache2 hierarchy. These utilities are part of the apache2.2-common package, which is installed as a dependency when you install apache2.

a2enmod and a2dismod
The a2enmod (Apache 2 enable module) and a2dismod (Apache 2 disable module) utilities enable and disable an Apache module. The /etc/apache2/mods-available directory holds files that contain LoadModule directives (page 928) and options for modules that are installed on the local system. The /etc/apache2/mods-enabled directory holds symbolic links to the files in mods-available. Apache incorporates these links into its configuration files by using Include directives (next section). The a2enmod utility creates symbolic links in the mods-enabled directory from configuration files in the mods-available directory. It works on files whose basename is given as its argument.

$ sudo -i
# cd /etc/apache2
# ls mods-available/userdir*
mods-available/userdir.conf  mods-available/userdir.load
# ls mods-enabled/userdir*
ls: mods-enabled/userdir*: No such file or directory
# a2enmod userdir
Enabling module userdir.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# ls mods-enabled/userdir*
mods-enabled/userdir.conf  mods-enabled/userdir.load
# exit
$

The a2dismod utility removes the symbolic links that a2enmod creates. You must reload Apache (page 902) after you give one or more of these commands before they will take effect.

The a2enmod and a2dismod utilities simplify Apache administration. Instead of adding or commenting out a LoadModule directive in the httpd.conf or apache2.conf file, you can use these programs to enable or disable a module. This setup enables APT or Synaptic, after it installs a package, to call a2enmod via a dpkg postinst script and then reload Apache so that the package is functional upon installation.

a2ensite and a2dissite
The a2ensite (Apache 2 enable site) and a2dissite (Apache 2 disable site) utilities enable and disable an Apache virtual host (page 937). These commands work similarly to the module commands described earlier. First you design a virtual host in a file in the /etc/apache2/sites-available directory. Then you call a2ensite with the name of the site as an argument to create a symbolic link in the /etc/apache2/sites-enabled directory. The a2dissite utility removes the symbolic link, disabling the virtual host.

INCLUDE DIRECTIVES

Under Ubuntu, the primary configuration file is /etc/apache2/apache2.conf. This file incorporates other files using Include directives (page 927):

$ grep '^Include' /etc/apache2/apache2.conf
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf
Include /etc/apache2/conf.d/
Include /etc/apache2/sites-enabled/

Typically, when you configure Apache, you do not make changes to apache2.conf; instead, you modify files that are specified in Include directives.
You can also use the configuration tools described in the previous section. This setup allows updates to Apache to change apache2.conf without affecting the server.

When Apache reads its configuration files, if it finds more than one occurrence of the same directive, even in an Include file, it uses the value assigned by the last directive it encounters. In the apache2.conf file, the Include directive for the httpd.conf file occurs after directives that set up the global environment, which includes various timeouts and limits as shown in Table 26-1. To change any of these directives, copy them to httpd.conf and make the changes there. You must change directives that appear after the Include httpd.conf directive in other included files as explained in this section.

The Include directive for /etc/apache2/conf.d (it includes all files in this directory) appears after the Include directive for httpd.conf, with only a few lines and the Include directive for /etc/apache2/ports.conf separating them. This directory is a good place to put small configuration snippets, or break out parts of httpd.conf if it is growing too large.

Table 26-1 Directives that you can override in httpd.conf

AccessFileName
DefaultType
ErrorLog
Group
HostnameLookups
KeepAlive
KeepAliveTimeout
LockFile
LogLevel
MaxClients
MaxKeepAliveRequests
MaxRequestsPerChild
MaxSpareThreads
MinSpareThreads
PidFile
ServerRoot
StartServers
ThreadsPerChild
Timeout
TypesConfig
User

Directives that control log formats, indexing options, MIME handling, and browser bug handling appear after the Include directive for httpd.conf, but before the Include directive for /etc/apache2/sites-enabled, which is the last line in apache2.conf. You can override these directives on a per-site basis by copying them to individual site files in the sites-enabled directory and modifying them there.
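To see the two rules above in action (Include files are read in the order they appear, and the last directive read wins), here is an added example that is not code from the book or from Ubuntu's apache2 packaging: a small shell walker that expands Include lines the way the preceding a2enmod and Include discussion describes and reports the value Apache will actually use, plus a listing of the modules enabled through mods-enabled symlinks. It builds its own constructed /etc/apache2-style tree in a scratch directory; the function names and the sample directives are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): walk an apache2.conf the way Apache does,
# expanding Include directives in order, to find the value a directive ends up
# with (the last one read wins) and to list the modules enabled through
# mods-enabled symlinks. Runs on a constructed /etc/apache2-style tree in a
# scratch directory; the function names are this example's own.

# Print the configuration read from stdin with every Include line replaced by
# the contents of the file, glob matches or directory it names (recursively).
expand_includes() {
    while IFS= read -r line; do
        case $line in
            Include\ *)
                for target in ${line#Include }; do       # unquoted: glob expands
                    if [ -d "$target" ]; then
                        for f in "$target"/*; do
                            [ -f "$f" ] && expand_includes < "$f"
                        done
                    elif [ -f "$target" ]; then
                        expand_includes < "$target"
                    fi
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Print the effective value of directive $2 starting from config file $1:
# the last assignment Apache reads, or nothing if it is never set.
# Keywords are compared case-insensitively, as Apache does.
effective_directive() {
    expand_includes < "$1" |
        awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }'
}

# Print the basename of every module whose .load file is linked into
# $1/mods-enabled (what a2enmod creates and a2dismod removes).
enabled_modules() {
    for l in "$1"/mods-enabled/*.load; do
        [ -L "$l" ] && basename "$l" .load
    done
    return 0
}

# Build a small constructed tree under $1 mirroring the Ubuntu layout:
# apache2.conf sets global defaults, then includes mods-enabled/*.load,
# httpd.conf (local overrides) and conf.d/ (snippets), in that order.
make_sample_tree() {
    root=$1
    mkdir -p "$root/mods-available" "$root/mods-enabled" "$root/conf.d"
    echo 'LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so' > "$root/mods-available/userdir.load"
    echo 'LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so' > "$root/mods-available/alias.load"
    ln -s "$root/mods-available/alias.load" "$root/mods-enabled/alias.load"   # as a2enmod alias would
    {
        echo 'Timeout 300'
        echo 'KeepAlive On'
        echo "Include $root/mods-enabled/*.load"
        echo "Include $root/httpd.conf"
        echo "Include $root/conf.d/"
    } > "$root/apache2.conf"
    echo 'Timeout 60' > "$root/httpd.conf"                # overrides the global 300
    echo 'ServerSignature EMail' > "$root/conf.d/signature"
}
```

In the constructed tree, Timeout is set to 300 in apache2.conf and to 60 in httpd.conf, which is included later, so effective_directive reports 60; userdir has a .load file in mods-available but no link in mods-enabled, so only alias is listed as enabled and only one LoadModule line survives expansion. The same walker, pointed at /etc/apache2/apache2.conf on a real server, answers the question "which file actually sets this directive?" without guessing.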
If you manage more than one Ubuntu Web server, it is nice to keep all the customized configuration code separate from the main configuration. That way you can use scp to copy the files to each new server. Or you can keep the custom code under a version control system and check it out to configure a new system. This technique is much easier than using diff to find out what you changed from system to system.

FILESYSTEM LAYOUT

This section lists the locations and uses of files you will work with to configure Apache and serve Web pages.

Binaries, scripts, and modules
The Apache server and related binary files are kept in several directories:

/usr/sbin/apache2—The Apache server (daemon).

/usr/sbin/apache2ctl—Starts and stops Apache. The apache2 init script calls apachectl.

/usr/bin/htpasswd—Creates and maintains the password files used by the Apache authentication module (page 945).

/usr/sbin/rotatelogs—Rotates Apache log files so that these files do not get too large. See logrotate (page 622) for information about rotating log files.

/etc/apache2/mods-available—Holds files containing LoadModule directives (page 928) for their respective modules. The alias.conf file is kept in this directory and is enabled by default. Two of the most frequently used module binary files are mod_perl (part of the libapache2-mod-perl2 package) and mod_python (part of the libapache2-mod-python metapackage). The *.load files in this directory load modules from the /usr/lib/apache2/modules directory (page 941). The *.conf files configure the modules for use. See page 905 for information on using a2enmod to enable a module.

/etc/apache2/mods-enabled—Holds links to files in mods-available. Use a2enmod to create links and a2dismod to remove links (page 905).

Configuration files
Apache configuration files are kept in the /etc/apache2 hierarchy:

/etc/apache2/apache2.conf—Holds configuration directives.
This file is the main Apache configuration file. You do not typically make changes to this file, but rather put any configuration directives in httpd.conf and other files.

/etc/apache2/envvars—Holds variables that modify the environment Apache runs in.

/etc/apache2/ports.conf—Holds the Listen directive (page 910), which controls which IP address(es) and port(s) Apache listens on.

/etc/apache2/sites-available—Holds files containing the code that describes virtual hosts. See page 906 for information on using a2ensite to enable a site.

/etc/apache2/sites-enabled—Holds links to files in sites-available. Use a2ensite to create links and a2dissite to remove links (page 906).

/etc/apache2/httpd.conf—Holds local configuration directives. This file augments the apache2.conf file in the same directory. The discussion of configuration directives starts on page 909.

/etc/apache2/conf.d—Holds configuration files.

Logs: Logs are kept in /var/log/apache2:

/var/log/apache2/access_log—Logs requests made to the server.

/var/log/apache2/error_log—Logs request and runtime server errors.

Web documents: Web documents (including the Web pages displayed by client browsers), custom error messages, and CGI scripts are kept in /var/www by default:

/usr/lib/cgi-bin—Holds CGI scripts (page 942). This directory is aliased to /cgi-bin/.

/usr/share/apache2/error—Holds default error documents. You can modify these documents to conform to the style of your Web site. This directory is aliased to /error/. See ErrorDocument (page 924).

/usr/share/apache2/icons—Holds icons used to display directory entries. This directory is aliased to /icons/.

/usr/share/doc/apache2-doc/manual/index.html—Apache HTTP Server Version 2.2 Documentation. With Apache running and apache2-doc installed, point a browser at server/manual, where server is localhost or the name or IP address of the Apache server.

Document root: By default, the document root (page 902) is /var/www.
You can change this location with the DocumentRoot directive (page 913). In addition to content for the Web pages that Apache serves, this directory can house the webalizer directory, which holds webalizer (page 948) output.

.htaccess files: A .htaccess file contains configuration directives and can appear in any directory in the document root hierarchy. The location of a .htaccess file is critical: The directives in a .htaccess file apply to all files in the hierarchy rooted at the directory that holds the .htaccess file. The AllowOverride directive (page 930) controls whether Apache examines .htaccess files. Because the default site contains AllowOverride None directives, you must use an AllowOverride directive to cause Apache to examine .htaccess files and process directives in those files. This protection is duplicated and enhanced in the apache2.conf file distributed by Ubuntu, where a directive instructs Apache not to serve files whose names start with .ht. Because of this directive, Apache does not serve .htaccess files (nor does it serve .htpasswd files).

CONFIGURATION DIRECTIVES

Configuration directives, or simply directives, are lines in a configuration file that control some aspect of how Apache functions. A configuration directive is composed of a keyword followed by one or more arguments (values) separated by SPACEs. For example, the following configuration directive sets Timeout to 300 (seconds):

    Timeout 300

You must enclose arguments that contain SPACEs within double quotation marks. Keywords are not case sensitive, but arguments (pathnames, filenames, and so on) often are.

apache2.conf: The main file that holds Apache configuration directives is, by default, /etc/apache2/apache2.conf. This file holds global directives that affect all content served by Apache. Include directives (pages 906 and 927) within apache2.conf incorporate the contents of other files as though they were part of apache2.conf.
.htaccess: Local directives can appear in .htaccess files. A .htaccess file can appear in any directory within the document root hierarchy; it affects files in the directory hierarchy rooted at the directory it appears in.

Pathnames: When you specify an absolute pathname in a configuration directive, the directive uses that pathname without modifying it. When you specify a relative pathname, such as a simple filename or the name of a directory, Apache prepends to that name the value specified by the ServerRoot (page 926) directive (/etc/apache2 by default).

DIRECTIVES I: DIRECTIVES YOU MAY WANT TO MODIFY AS YOU GET STARTED

When it starts, Apache reads the /etc/apache2/apache2.conf configuration file (by default) for instructions governing every aspect of how Apache runs and serves content. The apache2.conf file shipped by Ubuntu is more than 600 lines long. As explained under apache2.conf on page 906, you do not normally make changes to this file. This section details some directives you may want to add to the /etc/apache2/httpd.conf file, or change in one of the other configuration files, as you are getting started with Apache. You can use each of the following directives in httpd.conf to override the corresponding directive in apache2.conf. Or you can change the directive if it appears in another configuration file. In this chapter, the Specify in line near the end of each explanation tells you in which configuration file in the /etc/apache2 hierarchy you typically specify that directive. If the directive already appears in a file, you must specify the new directive after the one you want to override. See apache2.conf (page 906) for more information. The Context line in each explanation tells you which locations the directives can appear in; contexts are explained on page 915. The section titled "Directives II: Advanced Directives" on page 919 describes more directives.
Listen
Specifies the port(s) that Apache listens for requests on.

    Listen [IP-address:]portnumber

where IP-address is the IP address that Apache listens on and portnumber is the number of the port that Apache listens on for the given IP-address. When IP-address is absent or is set to 0.0.0.0, Apache listens on all network interfaces. At least one Listen directive must appear in the configuration files or Apache will not work. The following minimal directive from the ports.conf file listens for requests on all interfaces on port 80:

    Listen 80

The next directive changes the port from the default value of 80 to 8080:

    Listen 8080

When you specify a port other than 80, each request to the server must include a port number (as in www.example.org:8080) or the kernel will return a Connection Refused message. Use multiple Listen directives to have Apache listen on multiple IP addresses and ports. For example,

    Listen 80
    Listen 192.168.1.1:8080
    Listen 192.168.1.2:443

accepts connections on all network interfaces on port 80, on 192.168.1.1 on port 8080, and on 192.168.1.2 on port 443.

Context: server config
Specify in ports.conf
Default: none (Apache will not start without this directive)
Ubuntu: Listen 80

Redirect
Tells the client to fetch a requested resource from a different, specified location.

    Redirect [status] requested-path [new-URI]

where status is the status that Apache returns along with the redirect. If you omit status, Apache assumes temp.
The status can be an Apache error code in the range 300-399 or one of the following:

permanent  Returns status 301 (the resource has moved permanently)
temp       Returns status 302 (the resource has moved temporarily)
seeother   Returns status 303 (the resource has been replaced)
gone       Returns status 410 (the resource has been removed)—does not take a new-URI argument

The requested-path is the absolute pathname of the ordinary file or directory that Apache is to redirect requests for. Apache redirects all requests that start with the absolute pathname specified by requested-path. (See the example below.) Use RedirectMatch (discussed next) if you want to use a regular expression in this argument. The new-URI is the URI that Apache redirects requests to. If the new-URI starts with a slash (/) and not http://, ftp://, or a similar prefix, Apache uses the same prefix that it was called with. Most Redirect directives require a new-URI argument. A request must match all segments of the requested-path argument. Assume the following directive:

    Redirect /www.example.com/pictures http://pictures.example.com/

Apache will redirect a request for http://www.example.com/pictures/mom.jpg to http://pictures.example.com/mom.jpg but, because the final segment does not match, it will not redirect a request for http://www.example.com/pictures_mom.jpg.

Contexts: server config, virtual host, directory, .htaccess
Specify in sites-available/*
Default: none
Ubuntu: none

RedirectMatch
Tells the client to fetch a requested resource from a different location specified by a regular expression.

    RedirectMatch [status] requested-path-re [new-URI]

This directive is the same as Redirect (discussed above), except that you can use a regular expression (Appendix A) in requested-path-re.

Contexts: server config, virtual host, directory, .htaccess
Specify in sites-available/*
Default: none
Ubuntu: none
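The segment rule for Redirect, carried out in Python as an added example (not code from the book); the rules and requests are constructed, and because the matcher works on the URL path, the pictures directive is written here with /pictures as its requested-path:

```python
"""Apply Redirect directives the way the chapter describes: a request is
redirected only when it matches every segment of requested-path, and the
remainder of the path is appended to new-URI.

Added example, not code from the book.  Directives and requests are
constructed; requested-path is matched against the path part of the URL.
"""
from urllib.parse import urlsplit

# keyword statuses from the directive's description
STATUS = {"permanent": 301, "temp": 302, "seeother": 303, "gone": 410}


def parse_redirect(line):
    """Parse 'Redirect [status] requested-path [new-URI]' into
    (status_code, requested_path, new_uri); new_uri is None for gone."""
    words = line.split()
    if not words or words[0].lower() != "redirect":
        raise ValueError(f"not a Redirect directive: {line!r}")
    words = words[1:]
    status = STATUS["temp"]            # Apache assumes temp when status is omitted
    if words[0].isdigit():             # an explicit 3xx code
        status = int(words[0])
        if not 300 <= status <= 399:
            raise ValueError(f"status out of range: {status}")
        words = words[1:]
    elif words[0] in STATUS:
        status = STATUS[words.pop(0)]
    requested_path = words[0]
    new_uri = words[1] if len(words) > 1 else None
    if status != 410 and new_uri is None:
        raise ValueError("this Redirect needs a new-URI argument")
    return status, requested_path, new_uri


def segment_match(requested_path, path):
    """True when path equals requested_path or continues it at a '/'
    boundary: /pictures matches /pictures/mom.jpg, not /pictures_mom.jpg."""
    prefix = requested_path.rstrip("/")
    if prefix == "":                   # 'Redirect / ...' matches everything
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")


def apply_redirects(directives, request_url):
    """Return (status, location) from the first matching directive, or
    None when the request is served normally."""
    req = urlsplit(request_url)
    for line in directives:
        status, requested_path, new_uri = parse_redirect(line)
        if not segment_match(requested_path, req.path):
            continue
        if status == 410:
            return 410, None           # gone: nothing to redirect to
        remainder = req.path[len(requested_path.rstrip("/")):]
        if new_uri.startswith("/"):
            # a path-only new-URI keeps the scheme and host it was called with
            location = f"{req.scheme}://{req.netloc}{new_uri.rstrip('/')}{remainder}"
        else:
            location = new_uri.rstrip("/") + remainder
        return status, location
    return None


# Constructed rule set for the demonstration.
RULES = [
    "Redirect /pictures http://pictures.example.com/",
    "Redirect gone /old",
    "Redirect permanent /docs /manual",
]

if __name__ == "__main__":
    for url in ("http://www.example.com/pictures/mom.jpg",
                "http://www.example.com/pictures_mom.jpg",
                "http://www.example.com/old/page.html",
                "http://www.example.com/docs/a.html"):
        print(url, "->", apply_redirects(RULES, url))
```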
ServerAdmin
Sets the email address used in mailto: links on error pages.

    ServerAdmin email-address

where email-address is the email address of the person who is responsible for managing the Web content. Apache includes this address as a link on Apache-generated error pages. However, Ubuntu Linux sets ServerSignature (page 927) to On, which causes Apache to display information about the server—rather than a link to an email address—on error pages. If you want to display the link on error pages, set ServerSignature to EMail. Make sure email-address points to an email account that someone checks frequently. Users can use this address to get help with the Web site or to inform the administrator of problems. There is no default value for ServerAdmin; if you do not use this directive and ServerSignature is set to EMail, the mailto: link on error pages points to [no address given].

Security: ServerAdmin attracts spam
The email address you put in ServerAdmin often attracts spam. Use a spam-guarded address such as "mgs at sobell dot com" (you must use the quotation marks) or use a custom error page to point to a Web page with a form for sending mail to the right person. You can use a role alias such as webmaster at your domain and use a mail alias to forward mail that is sent to webmaster to the person who is responsible for maintaining the Web site. See the discussion of mail aliases on page 722.

Contexts: server config, virtual host
Specify in sites-available/*
Default: none
Ubuntu: webmaster@localhost

ServerName
Specifies the server's name and the port it listens on.

    ServerName FQDN[:port]

where FQDN is the fully qualified domain name or IP address of the server and port is the optional port number Apache listens on.
The domain name of the server must be able to be resolved (by DNS or /etc/hosts) and may differ from the hostname of the system running the server. If you do not specify a ServerName, Apache performs a DNS reverse name resolution (page 831) on the system's IP address and assigns that value to ServerName. If the reverse lookup fails, Apache assigns the system's IP address to ServerName. In the following example, substitute the FQDN or IP address of the server for www.example.com. Change the 80 to the port number Apache listens on (if it is not port 80).

    ServerName www.example.com:80

The ports specified by ServerName and Listen (page 910) must be the same if you want the FQDN specified by ServerName to be tied to the IP address specified by the Listen directive. Apache uses ServerName to construct a URI when it redirects a client (page 935). See also UseCanonicalName (page 922).

Contexts: server config, virtual host
Specify in sites-available/*
Default: none
Ubuntu: none

DocumentRoot
Points to the root of the directory hierarchy that holds the server's content.

    DocumentRoot dirname

where dirname is the absolute pathname of the directory at the root of the directory hierarchy that holds the content Apache serves. Do not use a trailing slash. You can put the document root wherever you like, as long as the user www-data has read access to the ordinary files and execute access to the directory files in the directory hierarchy. The FHS (page 213) specifies /srv as the top-level directory for this purpose. The following directive puts the document root at /srv/www:

    DocumentRoot /srv/www

Contexts: server config, virtual host
Specify in sites-available/*
Default: /usr/local/apache/htdocs
Ubuntu: /var/www

UserDir
Allows users to publish content from their home directories.

    UserDir dirname | disabled | enabled user-list

where dirname is the name of a directory that, if it appears in a local user's home directory, Apache publishes to the Web. The disabled keyword prevents content from being published from users' home directories; enabled causes content to be published from the home directories of users specified in the SPACE-separated user-list. When you do not specify a dirname, Apache publishes content to ~/public_html. Apache can combine the effects of multiple UserDir directives. Suppose you have the following directives:

    UserDir disabled
    UserDir enabled user1 user2 user3
    UserDir web

The first directive turns off user publishing for all users. The second directive enables user publishing for three users. The third directive makes web the name of the directory that, if it appears in one of the specified users' home directories, Apache publishes to the Web. To cause a browser to display the content published by a user, specify in the location bar the name of the Web site followed by a /~ and the user's username. For example, if Sam published content in the public_html directory in his home directory and the URI of the Web site was www.example.com, you would enter

    http://www.example.com/~sam

to display Sam's Web page. To display a user's Web page, Apache must have execute permission (as user www-data) for the user's home directory and the directory holding the content, and read permission for the content files. Ubuntu Linux provides the following configuration for user directories in the /etc/apache2/mods-available/userdir.conf file, which is disabled by default:

    UserDir public_html
    UserDir disabled root

Give the command a2enmod userdir to enable user directories.

Contexts: server config, virtual host
Specify in mods-available/userdir.conf
Default: none
Ubuntu: public_html, disabled root
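How a sequence of UserDir directives decides which /~user/ requests Apache publishes, and where they land, as an added example (not code from the book); the home directories are constructed and no filesystem or permissions are checked:

```python
"""Resolve a /~user/ request under the UserDir rules this entry describes:
a bare dirname names the directory under the user's home, 'disabled'
turns publishing off (for everyone, or for the users listed) and
'enabled' turns it back on for the users listed; later directives refine
earlier ones.

Added example, not code from the book.  The home directories are
constructed; no filesystem is consulted and permissions are not checked.
"""
import posixpath


class UserDirPolicy:
    """State built up from a sequence of UserDir directives."""

    def __init__(self):
        self.dirname = "public_html"   # what Apache uses when no dirname is given
        self.all_disabled = False
        self.disabled = set()
        self.enabled = set()

    def add(self, directive):
        """Apply one 'UserDir ...' line; returns self so calls can chain."""
        words = directive.split()
        if len(words) < 2 or words[0].lower() != "userdir":
            raise ValueError(f"not a UserDir directive: {directive!r}")
        keyword, users = words[1].lower(), words[2:]
        if keyword == "disabled" and not users:
            self.all_disabled = True
        elif keyword == "disabled":
            self.disabled.update(users)
            self.enabled.difference_update(users)
        elif keyword == "enabled":
            self.enabled.update(users)
            self.disabled.difference_update(users)
        else:
            self.dirname = words[1]    # dirname keeps its case
        return self

    def publishes(self, user):
        """True when Apache would publish this user's directory."""
        if user in self.disabled:
            return False
        if self.all_disabled:
            return user in self.enabled
        return True


def resolve(policy, homes, request_path):
    """Map /~user[/rest] to the file it names, or None when the user is
    not published, has no home directory, or the path escapes dirname."""
    if not request_path.startswith("/~"):
        return None
    user, _, rest = request_path[2:].partition("/")
    if not user or not policy.publishes(user) or user not in homes:
        return None
    base = posixpath.join(homes[user], policy.dirname)
    target = posixpath.normpath(posixpath.join(base, rest))
    if target != base and not target.startswith(base + "/"):
        return None                    # '..' tried to climb out of dirname
    return target


# Constructed home directories for the demonstration.
HOMES = {"sam": "/home/sam", "root": "/root",
         "user1": "/home/user1", "user2": "/home/user2", "user3": "/home/user3"}

# Ubuntu's userdir.conf: everyone but root is published from public_html.
UBUNTU = UserDirPolicy().add("UserDir public_html").add("UserDir disabled root")

# The entry's three-directive example: only the listed users, from ~/web.
LISTED = (UserDirPolicy().add("UserDir disabled")
          .add("UserDir enabled user1 user2 user3")
          .add("UserDir web"))

if __name__ == "__main__":
    for path in ("/~sam/index.html", "/~root/x", "/~sam/../../etc/passwd"):
        print("ubuntu", path, "->", resolve(UBUNTU, HOMES, path))
    for path in ("/~user2/a.html", "/~sam/a.html"):
        print("listed", path, "->", resolve(LISTED, HOMES, path))
```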
DirectoryIndex
Specifies which file Apache serves when a user requests a directory.

    DirectoryIndex filename [filename ...]

where filename is the name of the file that Apache serves. This directive specifies a list of filenames. When a client requests a directory, Apache attempts to find a file in the specified directory whose name matches a file in the list. When Apache finds a match, it returns that file. When this directive is absent or when none of the files specified by this directive exists in the specified directory, Apache displays a directory listing as specified by the IndexOptions directive (page 924). The following DirectoryIndex directive, which Ubuntu Linux provides in the mods-enabled/dir.conf file, is enabled by default:

    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

This directive causes Apache to search the specified directory and return the file named index.html, index.cgi, index.pl, index.php, index.xhtml, or index.htm, where index.html, index.htm, and index.xhtml are the names of the standard, default HTML and XHTML documents; index.cgi is a CGI document; index.pl is a Perl document; and index.php is a PHP document. The name index is standard but arbitrary. Using headers, a client can communicate a language preference to a server. If the server can handle the preference, it determines the best response from among its resources. The .var is an Ubuntu addition (a line in apache2.conf, AddHandler type-map var, makes the .var extension a type map, one of the forms of content negotiation; MultiViews is the other form). For more information refer to "Content Negotiation" on page 935.

Contexts: server config, virtual host
Specify in mods-available/dir.conf
Default: index.html
Ubuntu: index.html index.cgi index.pl index.php index.xhtml index.htm

CONTEXTS AND CONTAINERS

To make it flexible and easy to customize, Apache uses configuration directives, contexts, and containers. Configuration directives were covered in the previous section.
This section discusses contexts and containers, which are critical to managing an Apache server.

CONTEXTS

Four locations, called contexts, define where configuration directives can appear. This chapter marks each configuration directive to indicate which context(s) it can appear in. Table 26-2 describes each of these contexts.

Table 26-2 Contexts

Context         Location(s) directives can appear in
server config   In apache2.conf or included files only, but not inside <VirtualHost> or <Directory> containers (next section) unless so marked
virtual host    Inside <VirtualHost> containers in apache2.conf or included files only
directory       Inside <Directory>, <Location>, and <Files> containers in apache2.conf or included files only
.htaccess       In .htaccess files (page 909) only

Directives in files incorporated by means of an Include directive (page 927) are part of the context they are included in and must be allowed in that context. Putting a directive in the wrong context generates a configuration error and can cause Apache not to serve content correctly or not to start.

CONTAINERS

Containers, or special directives, are directives that group other directives. Containers are delimited by XML-style tags. Three examples are shown here:

    <Directory> ... </Directory>
    <Location> ... </Location>
    <VirtualHost> ... </VirtualHost>

Look in apache2.conf and sites-available/default for examples of containers. Like other directives, containers are limited to use within specified contexts. This section describes some of the more frequently used containers.

<Directory>
Applies directives within the specified directory hierarchies.

    <Directory directory> ... </Directory>

where directory is an absolute pathname specifying the root of the directory hierarchy that holds the directories the directives in the container apply to. The directory can include wildcards; a * does not match a /.

A <Directory> container provides the same functionality as a .htaccess file. While an administrator can use a <Directory> container in Apache configuration files, regular users cannot. Regular users can use .htaccess files to control access to their own directories.
The directives in the <Directory> container shown in the following example apply to the /var/www/html/corp directory hierarchy. The Deny directive denies access to all clients, the Allow directive grants clients from the 192.168.10. subnet access, and the AllowOverride directive (page 930) enables Apache to process directives in .htaccess files in the hierarchy:

    <Directory /var/www/html/corp>
        Deny from all
        Allow from 192.168.10.
        AllowOverride All
    </Directory>

Contexts: server config, virtual host

<Files>
Applies directives to specified ordinary files.

    <Files directory> ... </Files>

where directory is an absolute pathname specifying the root of the directory hierarchy that holds the ordinary files the directives in the container apply to. The directory can include wildcards; a * does not match a /. This container is similar to <Directory> but applies to ordinary files rather than to directories. The following directive, from the Ubuntu apache2.conf file, denies access to all files whose filenames start with .ht, meaning that Apache will not serve these files. The tilde (~) changes how Apache interprets the following string. Without a tilde, the string is a simple shell match that interprets shell special characters (page 256). With a tilde, Apache interprets the string as a regular expression (page 1089):

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>

Contexts: server config, virtual host, directory, .htaccess

<IfModule>
Applies directives if the specified module is loaded.

    <IfModule [!]module-name> ... </IfModule>

where module-name is the name of the module (page 941) that is tested for. Apache executes the directives in this container if module-name is loaded or, with !, if module-name is not loaded. Apache will not start if you specify a configuration directive that is specific to a module that is not loaded. The following container, which is located in the Ubuntu file named mods-available/mime_magic.conf, depends on the mod_mime_magic.c module being loaded.
If this module is loaded, Apache runs the MIMEMagicFile directive, which tells the mod_mime_magic.c module where its hints file is located.

    <IfModule mod_mime_magic.c>
        MIMEMagicFile /usr/share/file/magic.mime
    </IfModule>

See page 933 for another example of an <IfModule> container.

Contexts: server config, virtual host, directory, .htaccess

<Limit>
Limits access-control directives to specified HTTP methods.

    <Limit method [method] ...> ... </Limit>

where method is an HTTP method. An HTTP method specifies which action is to be performed on a URI. The most frequently used methods are GET, PUT, POST, and OPTIONS; method names are case sensitive. GET (the default method) sends any data indicated by the URI. PUT stores data from the body section of the communication at the specified URI. POST creates a new document containing the body of the request at the specified URI. OPTIONS requests information about the capabilities of the server. The <Limit> container binds a group of access-control directives to specified HTTP methods: Only methods named by this container are affected by this group of directives. The following example disables HTTP uploads (PUTs) from systems that are not in a subdomain of example.com:

    <Limit PUT>
        order deny,allow
        deny from all
        allow from .example.com
    </Limit>

Contexts: server config, virtual host, directory, .htaccess

Caution: Use <LimitExcept> instead of <Limit>
It is safer to use the <LimitExcept> container than to use the <Limit> container, as the former protects against arbitrary methods. When you use <Limit>, you must be careful to name explicitly all possible methods that the group of directives could affect. It is safer still not to put access-control directives in any <Limit> container.

<LimitExcept>
Limits access-control directives to all except the specified HTTP methods.

    <LimitExcept method [method] ...> ... </LimitExcept>

where method is an HTTP method. See <Limit> for a discussion of methods. This container causes a group of access-control directives not to be bound to specified HTTP methods. Thus methods not named in <LimitExcept> are affected by this group of directives.
The access-control directives within the following container affect HTTP methods other than GET, POST, and OPTIONS. You could put this container in a <Directory> container to limit its scope:

    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>

Contexts: server config, virtual host, directory, .htaccess

<Location>
Applies directives to specified URIs.

    <Location URI> ... </Location>

where URI points to content; it specifies a file or the root of the directory hierarchy that the directives in the container apply to. While the <Directory> container points within the local filesystem, <Location> points outside the local filesystem. The URI can include wildcards; a * does not match a /. The following container limits access to http://server/pop to clients from the example.net domain, where server is the FQDN of the server:

    <Location /pop>
        Order deny,allow
        Deny from all
        Allow from .example.net
    </Location>

Contexts: server config, virtual host

Caution: Use <Location> with care
Use this powerful container with care. Do not use it to replace the <Directory> container: When several URIs point to the same location in a filesystem, a client may be able to circumvent the desired access control by using a URI not specified by this container.

<LocationMatch>
Applies directives to URIs specified by a regular expression.

    <LocationMatch regexp> ... </LocationMatch>

where regexp is a regular expression that matches one or more URIs. This container works the same way as <Location>, except that it applies to any URIs that regexp matches.

Contexts: server config, virtual host

<VirtualHost>
Applies directives to a virtual host.

    <VirtualHost addr[:port]> ... </VirtualHost>

where addr is the IP address (or FQDN, although it is not recommended) of the virtual host (or * to represent all addresses) and port is the port that Apache listens on for the virtual host. This directive does not control which addresses and ports Apache listens on; use a Listen directive (page 910) for that purpose. This container holds commands that Apache applies to a virtual host. For more information see "NameVirtualHost" on page 920 and "Virtual Hosts" on page 937.

Context: server config
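The containers in this section evaluated against sample requests, as an added example (not code from the book): it shows which methods a <Limit> leaves untouched, how <LimitExcept> closes that gap, and what Order, Deny and Allow decide for a client. The containers, addresses and hostnames are constructed; only Order/Allow/Deny are modelled, and the client hostname is taken as given rather than resolved.

```python
"""Evaluate the access-control containers in this section against a
request: does a <Limit> or <LimitExcept> bind its directives to the
request's method at all, and what do Order, Deny and Allow then decide?

Added example, not code from the book.  Containers, client addresses and
hostnames are constructed; only Order/Allow/Deny are modelled and the
hostname is taken as given rather than resolved.
"""
import re
from dataclasses import dataclass, field

OPEN_TAG = re.compile(r"^<(\w+)\s*([^>]*)>$")


@dataclass
class Container:
    kind: str                          # Directory, Files, Location, Limit, ...
    argument: str                      # text after the container name
    order: tuple = ("deny", "allow")   # Apache's default Order
    rules: list = field(default_factory=list)   # (allow|deny, [patterns])


def parse_container(text):
    """Parse one container; directives other than Order, Allow and Deny
    (AllowOverride, for instance) are accepted and ignored."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    match = OPEN_TAG.match(lines[0])
    if not match or lines[-1].lower() != f"</{match.group(1).lower()}>":
        raise ValueError("container is not opened and closed by matching tags")
    box = Container(match.group(1), match.group(2).strip())
    for line in lines[1:-1]:
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "order":
            box.order = tuple(w.strip() for w in rest.lower().split(","))
        elif keyword in ("allow", "deny"):
            words = rest.split()
            if not words or words[0].lower() != "from":
                raise ValueError(f"expected 'from' in {line!r}")
            box.rules.append((keyword, words[1:]))
    return box


def client_matches(pattern, ip, hostname):
    """'all', a full or partial dotted quad such as 192.168.10., or a full
    or partial domain such as .example.com."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):
        prefix = pattern if pattern.endswith(".") else pattern + "."
        return ip == pattern or ip.startswith(prefix)
    if hostname is None:
        return False
    hostname = hostname.lower()
    suffix = pattern if pattern.startswith(".") else "." + pattern
    return hostname == pattern.lstrip(".") or hostname.endswith(suffix)


def bound_methods(box):
    """Methods a <Limit>/<LimitExcept> names; GET also covers HEAD."""
    methods = set(box.argument.split())
    if "GET" in methods:
        methods.add("HEAD")
    return methods


def decide(box, method, ip, hostname=None):
    """'allow' or 'deny', or None when the container's directives do not
    apply to this method at all (the gap the caution above describes)."""
    if box.kind == "Limit" and method not in bound_methods(box):
        return None
    if box.kind == "LimitExcept" and method in bound_methods(box):
        return None
    hit = {"allow": False, "deny": False}
    for action, patterns in box.rules:
        if any(client_matches(p, ip, hostname) for p in patterns):
            hit[action] = True
    if box.order == ("deny", "allow"):   # default allow; Allow overrides Deny
        return "deny" if hit["deny"] and not hit["allow"] else "allow"
    if box.order == ("allow", "deny"):   # default deny; Deny overrides Allow
        return "allow" if hit["allow"] and not hit["deny"] else "deny"
    raise ValueError(f"unsupported Order {box.order}")


# Constructed containers following the section's examples.
LIMIT_PUT = parse_container("""<Limit PUT>
order deny,allow
deny from all
allow from .example.com
</Limit>""")

LIMIT_EXCEPT = parse_container("""<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>""")
```

For LIMIT_PUT, decide() returns "allow" for a PUT from www.example.com, "deny" for a PUT from elsewhere, and None for a DELETE from anywhere; LIMIT_EXCEPT returns "deny" for that DELETE.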
DIRECTIVES II: ADVANCED DIRECTIVES

This section discusses configuration directives that you may want to use after you have gained some experience with Apache.

DIRECTIVES THAT CONTROL PROCESSES

MaxClients
Specifies the maximum number of child processes.

    MaxClients num

where num is the maximum number of child processes (servers) Apache runs at one time, including idle processes and processes that are serving requests. When Apache is running num processes and there are no idle processes, Apache issues Server too busy errors to new connections; it does not start new child processes. A value of 150 is usually sufficient, even for moderately busy sites.

Context: server config
Change in httpd.conf
Default: 256
Ubuntu: 150

MaxRequestsPerChild
Specifies the maximum number of requests a child process can serve.

    MaxRequestsPerChild num

where num is the maximum number of requests a child process (server) can serve during its lifetime. After a child process serves num requests, it does not process any more requests but dies after it finishes processing its current requests. Apache can start another child process to replace the one that dies. Additional requests are processed by other processes from the server pool. Set num to 0 to not set a limit on the number of requests a child can process, except for the effects of MinSpareServers. By limiting the lives of processes, this directive can prevent memory leaks from consuming too much system memory. However, setting MaxRequestsPerChild to a too-small value can hurt performance by causing Apache to create new child servers constantly.

Context: server config
Specify in httpd.conf
Default: 10000
Ubuntu: 0

MaxSpareServers
Specifies the maximum number of idle processes.

    MaxSpareServers num
where num is the maximum number of idle processes (servers) Apache keeps running to serve requests as they come in. Do not set this number too high, as each process consumes system resources.

Context: server config
Specify in httpd.conf
Default: 10
Ubuntu: 10

MinSpareServers
Specifies the minimum number of idle processes.

    MinSpareServers num

where num is the minimum number of idle processes (servers) Apache keeps running to serve requests as they come in. More idle processes occupy more computer resources; increase this value for busy sites only.

Context: server config
Specify in httpd.conf
Default: 5
Ubuntu: 5

NameVirtualHost
Specifies the address and port for a name-based (host-by-name) virtual host.

    NameVirtualHost addr[:port]

where addr is the IP address (or FQDN, although it is not recommended) that Apache will use for serving a name-based virtual host and port is the port that Apache listens on for that virtual host. Specify addr as * to cause the server to process requests on all interfaces as name-based virtual hosts. This directive does not control which addresses and ports Apache listens on; use a Listen directive (page 910) for that purpose. For more information see "<VirtualHost>" on page 918 and "Virtual Hosts" on page 937.

Context: server config
Specify in sites-available/*
Default: none
Ubuntu: *

StartServers
Specifies the number of child processes that Apache starts with.

    StartServers num

where num is the number of child processes (servers) that Apache starts when it is brought up. This value is significant only when Apache starts; MinSpareServers and MaxSpareServers control the number of idle processes once Apache is up and running. Starting Apache with multiple servers ensures that a pool of servers is waiting to serve requests immediately.
Context: server config
Specify in httpd.conf
Default: 5
Ubuntu: 5 (prefork MPM) or 2 (worker MPM)

NETWORKING DIRECTIVES

HostnameLookups
Specifies whether Apache puts a client's hostname or its IP address in the logs.

    HostnameLookups On | Off | Double

On: Performs DNS reverse name resolution (page 831) to determine the hostname of each client for logging purposes.

Off: Logs each client's IP address.

Double: To provide greater security, performs DNS reverse name resolution (page 831) to determine the hostname of each client, performs a forward DNS lookup to verify the original IP address, and logs the hostname. Denies access if it cannot verify the original IP address.

Contexts: server config, virtual host, directory
Specify in httpd.conf
Default: Off
Ubuntu: Off

Tip: Lookups can consume a lot of system resources
Use the On and Double options with caution: They can consume a lot of resources on a busy system. You can use a program such as logresolve to perform reverse name resolution offline for statistical purposes. If you perform hostname resolution offline, you run the risk that the name may have changed; you usually want the name that was current at the time of the request. To minimize this problem, perform the hostname resolution as soon as possible after writing the log.

Timeout
Specifies the amount of time Apache waits for network operations to complete.

    Timeout num

where num is the number of seconds that Apache waits for network operations to finish. You can usually set this directive to a lower value; five minutes is a long time to wait on a busy server. The Apache documentation says that the default is not lower "because there may still be odd places in the code where the timer is not reset when a packet is sent."
Context: server config
Specify in httpd.conf
Default: 300
Ubuntu: 300

UseCanonicalName
Specifies the method the server uses to identify itself.

    UseCanonicalName On | Off | DNS

On: Apache uses the value of the ServerName directive (page 912) as its identity.

Off: Apache uses the name and port from the incoming request as its identity.

DNS: Apache performs a DNS reverse name resolution (page 831) on the IP address from the incoming request and uses the result as its identity. Rarely used.

This directive is important when a server has more than one name and needs to perform a redirect. Ubuntu does not set this directive because it does not set the ServerName directive (page 912). Once you set ServerName, change UseCanonicalName to On. See page 935 for a discussion of redirects and this directive.

Contexts: server config, virtual host, directory
Specify in sites-available/*
Default: Off
Ubuntu: none

LOGGING DIRECTIVES

ErrorLog
Specifies where Apache sends error messages.

    ErrorLog filename | syslog[:facility]

where filename specifies the name of the file, relative to ServerRoot (page 926), that Apache sends error messages to. The syslog keyword specifies that Apache send errors to syslogd (page 625); facility specifies which syslogd facility to use. The default facility is local7.

Contexts: server config, virtual host
Specify in httpd.conf or sites-available/*
Default: logs/error_log
Ubuntu: /var/log/apache2/error.log

LogLevel
Specifies the level of error messages that Apache logs.

    LogLevel level

where level specifies that Apache log errors of that level and higher (more urgent).
Choose level from the following list, which is presented here in order of decreasing urgency and increasing verbosity:

emerg   System unusable messages
alert   Need for immediate action messages
crit    Critical condition messages
error   Error condition messages
warn    Nonfatal warning messages
notice  Normal but significant messages
info    Operational messages and recommendations
debug   Messages for finding and solving problems

Contexts: server config, virtual host
Specify in httpd.conf or sites-available/*
Default: warn
Ubuntu: warn

DIRECTIVES THAT CONTROL CONTENT

AddHandler
Creates a mapping between filename extensions and a builtin Apache handler.

    AddHandler handler extension [extension] ...

where handler is the name of a builtin handler and extension is a filename extension that maps to the handler. Handlers are actions that are built into Apache and are directly related to loaded modules. Apache uses a handler when a client requests a file with a specified filename extension. For example, the following AddHandler directive causes Apache to process files that have a filename extension of .cgi with the cgi-script handler:

    AddHandler cgi-script .cgi

See "Type Maps" on page 935 for another example of an AddHandler directive.

Contexts: server config, virtual host, directory, .htaccess
Specify in httpd.conf
Default: none
Ubuntu: type-map var

Alias
Maps a URI to a directory or file.

    Alias alias pathname

where alias must match part of the URI that the client requested to invoke the alias. The pathname is the absolute pathname of the target of the alias, usually a directory. For example, the following alias causes Apache to serve /usr/local/pix/milk.jpg when a client requests http://www.example.com/pix/milk.jpg:

    Alias /pix /usr/local/pix

In some cases, you need to use a <Directory> container (page 915) to grant access to aliased content.
Contexts: server config, virtual host
Specify in httpd.conf, sites-available/*, or mods-available/alias.conf
Default: none
Ubuntu: /icons/ /usr/share/apache2/icons/ and /doc/ /usr/share/doc/

ErrorDocument
Specifies the action Apache takes when the specified error occurs.
    ErrorDocument code action
where code is the error code (page 948) that this directive defines a response for and action is one of the following:
string: Defines the message that Apache returns to the client.
absolute pathname: Points to a local script or other content that Apache redirects the client to.
URI: Points to an external script or other content that Apache redirects the client to.
When you do not specify this directive for a given error code, Apache returns a hardcoded error message when that error occurs. Some examples of ErrorDocument directives follow:
    ErrorDocument 403 "Sorry, access is forbidden."
    ErrorDocument 403 /cgi-bin/uh-uh.pl
    ErrorDocument 403 http://errors.example.com/not_allowed.html
Contexts: server config, virtual host, directory, .htaccess
Specify in httpd.conf
Default: none; Apache returns hardcoded error messages
Ubuntu: none (but see the comments in apache2.conf)

IndexOptions
Specifies how Apache displays directory listings.
    IndexOptions [±]option [[±]option] ...
where option can be any combination of the following:
DescriptionWidth=n: Sets the width of the description column to n characters. Use * in place of n to accommodate the widest description.
FancyIndexing: In directory listings, displays column headers that are links. When you click one of these links, Apache sorts the display based on the content of the column. Clicking the link a second time reverses the order.
FoldersFirst: Sorts the listing so that directories come before plain files. Use only with FancyIndexing.
HTMLTable: Displays a directory listing in a table.
IconsAreLinks: Makes the icons clickable. Use only with FancyIndexing.
IconHeight=n: Sets the height of icons to n pixels. Use only with IconWidth.
IconWidth=n: Sets the width of icons to n pixels. Use only with IconHeight.
IgnoreCase: Ignores case when sorting names.
IgnoreClient: Ignores options the client supplied in the URI.
NameWidth=n: Sets the width of the filename column to n characters. Use * in place of n to accommodate the widest filename.
ScanHTMLTitles: Extracts and displays titles from HTML documents. Use only with FancyIndexing. Not normally used because it is CPU and disk intensive.
SuppressColumnSorting: Suppresses clickable column headings that can be used for sorting columns. Use only with FancyIndexing.
SuppressDescription: Suppresses file descriptions. Use only with FancyIndexing.
SuppressHTMLPreamble: Suppresses the contents of the file specified by the HeaderName directive, even if that file exists.
SuppressIcon: Suppresses icons. Use only with FancyIndexing.
SuppressLastModified: Suppresses the modification date. Use only with FancyIndexing.
SuppressRules: Suppresses horizontal lines. Use only with FancyIndexing.
SuppressSize: Suppresses file sizes. Use only with FancyIndexing.
VersionSort: Sorts version numbers (in filenames) in a natural way; character strings, except for substrings of digits, are not affected.
As an example, suppose a client requests a URI that points to a directory (such as http://www.example.com/support/) and none of the files specified by the DirectoryIndex directive (page 914) is present in that directory. If the directory hierarchy is controlled by a .htaccess file and AllowOverride (page 930) has been set to allow indexes, then Apache displays a directory listing according to the options specified by this directive. When this directive appears more than once within a directory, Apache merges the options from the directives.
Use + and - to merge IndexOptions options with options from higher-level directories. (Unless you use + or - with all options, Apache discards any options set in higher-level directories.) For example, the following directives and containers set the options for /custsup/download to VersionSort; Apache discards FancyIndexing and IgnoreCase in the download directory because there is no + or - before VersionSort in the second container:
    IndexOptions FancyIndexing
    <Directory /custsup>
        IndexOptions IgnoreCase
    </Directory>
    <Directory /custsup/download>
        IndexOptions VersionSort
    </Directory>
Because + appears before VersionSort, the following directives and containers set the options for /custsup/download to FancyIndexing, IgnoreCase, and VersionSort:
    IndexOptions FancyIndexing
    <Directory /custsup>
        IndexOptions IgnoreCase
    </Directory>
    <Directory /custsup/download>
        IndexOptions +VersionSort
    </Directory>
Contexts: server config, virtual host, directory, .htaccess
Specify in httpd.conf
Default: none; lists only filenames
Ubuntu: FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8

ServerRoot
Specifies the root directory for server files (not content).
    ServerRoot directory
where directory specifies the pathname of the root directory for the files that make up the server. Apache prepends directory to relative pathnames in httpd.conf. This directive does not specify the location of the content that Apache serves; the DocumentRoot directive (page 913) performs that function. Do not change this value unless you move the server files.
Context: server config
Specify in httpd.conf
Default: /usr/local/apache
Ubuntu: /etc/apache2

ServerTokens
Specifies the server information that Apache returns to a client.
    ServerTokens Prod | Major | Minor | Min | OS | Full
Prod: Returns the product name: Apache. Also ProductOnly.
Major: Returns the major release number of the server: Apache/2.
Minor: Returns the major and minor release numbers of the server: Apache/2.2.
Min: Returns the complete version: Apache/2.2.4. Also Minimal.
OS: Returns the name of the operating system and the complete version: Apache/2.2.4 (Ubuntu). Provides less information that might help a malicious user than Full does.
Full: Same as OS, except that Full also sends the names and versions of non-ASF modules: Apache/2.2.4 (Ubuntu) PHP/5.1.2.
Unless you want clients to know the details of the software you are running, set ServerTokens to reveal as little as possible.
Context: server config
Specify in httpd.conf
Default: Full
Ubuntu: Full

ServerSignature
Adds a line to server-generated pages.
    ServerSignature On | Off | EMail
On: Turns the signature line on. The signature line contains the server version as specified by the ServerTokens directive (discussed on the preceding page) and the name specified by the <VirtualHost> container (page 918).
Off: Turns the signature line off.
EMail: To the signature line, adds a mailto: link to the server email address. This option produces output that can attract spam. See ServerAdmin (page 912) for information on specifying an email address.
Contexts: server config, virtual host, directory, .htaccess
Specify in httpd.conf or sites-available/*
Default: Off
Ubuntu: On

CONFIGURATION DIRECTIVES

Group
Sets the GID of the processes that run the servers.
    Group #groupid | groupname
where groupid is a GID value, preceded by #, and groupname is the name of a group. The processes (servers) that Apache spawns are run as the group specified by this directive. See the User directive (page 929) for more information.
Context: server config
Specify in httpd.conf
Default: #-1
Ubuntu: www-data

Include
Loads directives from files.
    Include filename | directory
where filename is the relative pathname of a file that contains directives. Apache prepends ServerRoot (page 926) to filename. The directives in filename are included in the file holding this directive at the location of the directive. Because filename can include wildcards, it can specify more than one file.
The directory is the relative pathname that specifies the root of a directory hierarchy that holds files containing directives. Apache prepends ServerRoot to directory. The directives in ordinary files in this hierarchy are included in the file holding this directive at the location of the directive. The directory can include wildcards.
Ubuntu Linux categorizes and splits Apache configuration information into files and directories related to virtual hosts, server configuration, ports, modules, and miscellaneous configuration options. These files are incorporated into the main apache2.conf file using Include directives; see page 906 for more information.
Contexts: server config, virtual host, directory
Specify anywhere
Default: none
Ubuntu: /etc/apache2/mods-enabled/*.load
        /etc/apache2/mods-enabled/*.conf
        /etc/apache2/httpd.conf
        /etc/apache2/ports.conf
        /etc/apache2/conf.d/
        /etc/apache2/sites-enabled/

LoadModule
Loads a module.
    LoadModule module filename
where module is the name of an external DSO module and filename is the relative pathname of the named module. Apache prepends ServerRoot (page 926) to filename and loads the external module specified by this directive. Use a2enmod (page 905) to enable modules. For more information refer to "Modules" on page 941.
Context: server config
Specify in mods-available/*.load
Default: none; nothing is loaded by default if this directive is omitted
Ubuntu: see the *.load files in the mods-enabled directory

Options
Controls server features by directory.
    Options [±]option [[±]option ...]
This directive controls which server features are enabled for a directory hierarchy. The directory hierarchy is specified by the container this directive appears in. A + or the absence of a - turns an option on, and a - turns it off. The option may be one of the following:
None: None of the features this directive can control are enabled.
All: All of the features this directive can control are enabled, except for MultiViews, which you must explicitly enable.
ExecCGI: Apache can execute CGI scripts (page 942).
FollowSymLinks: Apache follows symbolic links.
Includes: Permits SSIs (server-side includes). SSIs are containers embedded in HTML pages that are evaluated on the server before the content is passed to the client.
IncludesNOEXEC: The same as Includes but disables the #exec and #exec cgi commands that are part of SSIs. Does not prevent the #include command from referencing CGI scripts.
Indexes: Generates a directory listing if DirectoryIndex (page 914) is not set.
MultiViews: Allows MultiViews (page 936).
SymLinksIfOwnerMatch: The same as FollowSymLinks but follows the link only if the file or directory being pointed to has the same owner as the link.
The following Options directive from the Ubuntu sites-available/default file sets the Indexes, FollowSymLinks, and MultiViews options and, because the container specifies the /var/www directory hierarchy (the document root), affects all content:
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
    </Directory>
Context: directory
Specify in httpd.conf or sites-available/*
Default: All
Ubuntu: various

ScriptAlias
Maps a URI to a directory or file and declares the target to be a server (CGI) script.
    ScriptAlias alias pathname
where alias must match part of the URI the client requested to invoke the ScriptAlias. The pathname is the absolute pathname of the target of the alias, usually a directory. Similar to the Alias directive, this directive specifies the target is a CGI script (page 942).
The following ScriptAlias directive from the Ubuntu default file maps client requests that include /cgi-bin/ to the /usr/lib/cgi-bin directory (and indicates that these requests will be treated as CGI requests):
    ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
Contexts: server config, virtual host
Specify in sites-available/*
Default: none
Ubuntu: /cgi-bin/ /usr/lib/cgi-bin/

User
Sets the UID of the processes that run the servers.
    User #userid | username
where userid is a UID value, preceded by #, and username is the name of a local user. The processes that Apache spawns are run as the user specified by this directive.

Do not set User to root or 0 (security)
For a more secure system, do not set User to root or 0 (zero) and do not allow the www-data user to have write access to the DocumentRoot directory hierarchy (except as needed for storing data), especially not to configuration files.

Apache must start with root privileges to listen on a privileged port. For reasons of security, Apache's child processes (servers) run as nonprivileged users. The default UID of -1 does not map to a user under Ubuntu Linux. Instead, Ubuntu's apache2 package creates a user named www-data during installation and sets User to that user.
Context: server config
Specify in httpd.conf
Default: #-1
Ubuntu: www-data via the APACHE_RUN_USER variable (page 933)

SECURITY DIRECTIVES

Allow
Specifies which clients can access specified content.
    Allow from All | host [host...] | env=var [env=var...]
This directive, which must be written as Allow from, grants access to a directory hierarchy to the specified clients. The directory hierarchy is specified by the container or .htaccess file this directive appears in.
All: Serves content to any client.
host: Serves content to the client(s) specified by host, which can take several forms: an FQDN, a partial domain name (such as example.com), an IP address, a partial IP address, or a network/netmask pair.
var: Serves content when the environment variable named var is set. You can set a variable with the SetEnvIf directive. See the Order directive (page 931) for an example.
Contexts: directory, .htaccess
Specify in httpd.conf or sites-available/*
Default: none; default behavior depends on the Order directive
Ubuntu: various

AllowOverride
Specifies whether Apache examines .htaccess files and which classes of directives in those files it processes.
    AllowOverride All | None | directive-class [directive-class ...]
This directive specifies whether Apache examines .htaccess files in the directory hierarchy specified by its container. If Apache does examine .htaccess files, this directive specifies which classes of directives within .htaccess files Apache processes.
All: Processes all classes of directives in .htaccess files.
None: Ignores directives in .htaccess files. However, Apache will still serve the content of .htaccess files, possibly exposing sensitive information. This choice does not affect .htpasswd files. The example in the description of the container on page 916 shows how to prevent Apache from serving the content of files whose names begin with .ht.
The directive-class is one of the following directive class identifiers:
AuthConfig: Class of directives that control authorization (AuthName, AuthType, Require, and so on). This class is used mostly in .htaccess files to require a username and password to access the content. For more information refer to "Authentication Modules and .htaccess" on page 945.
FileInfo: Class of directives that controls document types (DefaultType, ErrorDocument, SetHandler, and so on).
Indexes: Class of directives relating to directory indexing (DirectoryIndex, FancyIndexing, IndexOptions, and so on).
Limit: Class of client-access directives (Allow, Deny, and Order).
Options: Class of directives controlling directory features.
Context: directory
Specify in httpd.conf or sites-available/*
Default: All
Ubuntu: various

Deny
Specifies which clients are not allowed to access specified content.
    Deny from All | host [host...] | env=var [env=var...]
This directive, which must be written as Deny from, denies access to a directory hierarchy to the specified clients. The directory hierarchy is specified by the container or .htaccess file this directive appears in. See the Order directive (next) for an example.
All: Denies content to all clients.
host: Denies content to the client(s) specified by host, which can take several forms: an FQDN, a partial domain name (such as example.com), an IP address, a partial IP address, or a network/netmask pair.
var: Denies content when the environment variable named var is set. You can set a variable with the SetEnvIf directive.
Contexts: directory, .htaccess
Specify in mods-available/proxy.conf, httpd.conf, and sites-available/*
Default: none
Ubuntu: All

Order
Specifies the default access and the order in which Allow and Deny directives are evaluated.
    Order Deny,Allow | Allow,Deny
Deny,Allow: Allows access by default; denies access only to clients specified in Deny directives. (First evaluates Deny directives, then evaluates Allow directives.)
Allow,Deny: Denies access by default; allows access only to clients specified in Allow directives. (First evaluates Allow directives, then evaluates Deny directives.)
There must not be SPACEs on either side of the comma. Access defaults to the second entry in the pair (Deny,Allow defaults to Allow) if there is no Allow from or Deny from directive that matches the client. If a single Allow from or Deny from directive matches the client, that directive overrides the default. If multiple Allow from and Deny from directives match the client, Apache evaluates the directives in the order specified by the Order directive; the last match takes precedence.
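The evaluation rules just described, as an added Python model (not the book's code): it takes the Order argument plus the arguments of the Allow from and Deny from directives in a container and decides access for one client. The client's resolved hostname is passed in directly instead of coming from a reverse DNS lookup, and every address and name used is constructed for illustration.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (added example, not the
book's code): the default comes from the second word of Order, the two
directive kinds are evaluated in the named order, and the last match wins."""
import ipaddress


def host_matches(pattern, client_ip, client_host=None):
    """Match one Allow/Deny 'host' form: All, an FQDN, a partial domain name,
    an IP address, a partial IP address, or a network/netmask pair."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:  # network/netmask pair or CIDR, e.g. 192.168.0.0/255.255.0.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern[0].isdigit():  # full or partial IP address, compared octet by octet
        want = pattern.rstrip(".").split(".")
        return client_ip.split(".")[: len(want)] == want
    if client_host is None:  # no reverse lookup result: a name pattern cannot match
        return False
    domain = pattern.lstrip(".").lower()
    host = client_host.lower()
    return host == domain or host.endswith("." + domain)


def directive_matches(arg, client_ip, client_host, env):
    """Match one argument of 'Allow from' / 'Deny from', including env=var."""
    if arg.lower().startswith("env="):
        return arg[4:] in env
    return host_matches(arg, client_ip, client_host)


def access_allowed(order, allows, denies, client_ip, client_host=None, env=None):
    """Decide access for one client.

    order  : 'Deny,Allow' or 'Allow,Deny', written without spaces
    allows : arguments of the Allow from directives in the container
    denies : arguments of the Deny from directives in the container
    env    : environment variables set for this request (e.g. by SetEnvIf)
    """
    if " " in order:
        raise ValueError("Order must not have spaces on either side of the comma")
    first, second = (word.lower() for word in order.split(","))
    env = env or {}
    lists = {"allow": allows, "deny": denies}
    # No matching directive: access defaults to the second entry in the pair
    allowed = second == "allow"
    # Evaluate the first kind, then the second; a later match overrides an earlier one
    for kind in (first, second):
        if any(directive_matches(arg, client_ip, client_host, env) for arg in lists[kind]):
            allowed = kind == "allow"
    return allowed
```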
Access granted or denied by this directive applies to the directory hierarchy specified by the container or .htaccess file this directive appears in.
Although Ubuntu Linux has a default of Allow,Deny, which denies access to all clients not specified by Allow directives, the next directive in sites-available/default, Allow from all, grants access to all clients:
    Order allow,deny
    Allow from all
You can restrict access by specifying Deny,Allow to deny all access and then specifying only those clients you want to grant access to in an Allow directive. The following directives grant access to clients from the example.net domain only and would typically appear within a <Directory> container (page 915):
    Order deny,allow
    Deny from all
    Allow from .example.net
Contexts: directory, .htaccess
Specify in httpd.conf or sites-available/*
Default: Deny,Allow
Ubuntu: Allow,Deny (for /var/www)

CONFIGURATION FILES

This section describes the apache2.conf and default configuration files.

THE UBUNTU apache2.conf FILE

This section highlights some of the important features of the Ubuntu version of the /etc/apache2/apache2.conf file, which is based on the httpd.conf file distributed by Apache. The version of this heavily commented file that is distributed by Apache is broken into three parts, of which Ubuntu uses the first (Section 1: Global Environment) as apache2.conf. Ubuntu distributes the contents of the other two sections among other configuration files, including the sites-available/default configuration file, which is described in the next section.

Include directives
See page 906 for information on Include directives in the apache2.conf file.
ServerRoot
The ServerRoot directive (page 926) is set to /etc/apache2, which is the pathname that Apache prepends to relative pathnames in the configuration files:
    ServerRoot "/etc/apache2"

Do not modify apache2.conf (tip)
Typically, when you configure Apache, you do not make changes to apache2.conf; instead, you modify files that are specified in Include directives (page 906). You can also use the configuration tools described on page 905. This setup allows updates to Apache to change apache2.conf without affecting the server.

The <IfModule> containers (page 916) allow you to use the same apache2.conf file with different multiprocessing modules (MPMs, page 947). Apache executes the directives in an <IfModule> container only if the specified module is loaded. The apache2.conf file holds two <IfModule> containers that configure Apache differently, depending on which module (prefork or worker) is loaded. Ubuntu ships with the more efficient worker MPM loaded.
    ## Server-Pool Size Regulation (MPM specific)
    <IfModule mpm_prefork_module>
        StartServers          5
        MinSpareServers       5
        MaxSpareServers      10
        MaxClients          150
        MaxRequestsPerChild   0
    </IfModule>

    <IfModule mpm_worker_module>
        StartServers          2
        MinSpareThreads      25
        MaxSpareThreads      75
        ThreadLimit          64
        ThreadsPerChild      25
        MaxClients          150
        MaxRequestsPerChild   0
    </IfModule>
For more information refer to "Multiprocessing Modules (MPMs)" on page 947.

User
The User directive causes Apache to run as the user specified by the variable named APACHE_RUN_USER:
    User ${APACHE_RUN_USER}
In the /etc/apache2/envvars file, the APACHE_RUN_USER variable is assigned a value of www-data:
    export APACHE_RUN_USER=www-data

TypesConfig
The TypesConfig directive specifies the file that defines the MIME (page 1160) types that Apache uses for content negotiation (page 935). It is used to match filename extensions with MIME types (e.g., .png with image/png).
    TypesConfig /etc/mime.types

DefaultType
Defines the content-type Apache sends if it cannot determine a type.
    DefaultType text/plain

Modules
Instead of having a lot of LoadModule directives (page 928) in the apache2.conf file, Ubuntu puts the following Include directives in that file:
    Include /etc/apache2/mods-enabled/*.load
    Include /etc/apache2/mods-enabled/*.conf
These directives include all the *.load and *.conf files in the mods-enabled directory. For more information on how to enable modules, see the discussion of a2enmod on page 905.
There are many more directives in the apache2.conf file; the comments in the file provide a guide as to what they do. There is nothing here you need to change as you get started using Apache.

THE UBUNTU default CONFIGURATION FILE

This section highlights some of the important features of the Ubuntu default configuration file, which is located in the /etc/apache2/sites-available directory.

ServerAdmin and ServerName
As Ubuntu Linux is shipped, the ServerAdmin directive is set to webmaster@localhost. Add a ServerName directive and change ServerAdmin to a useful value as suggested under ServerAdmin (page 912) and ServerName (page 912).

DocumentRoot
The DocumentRoot directive (page 913) appears as follows:
    DocumentRoot /var/www/
Modify this directive only if you want to put content somewhere other than in the /var/www directory.

The following <Directory> container (page 915) sets up a restrictive environment for the entire local filesystem (specified by /):
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
The Options directive (page 928) allows Apache to follow symbolic links but disallows many options. The AllowOverride directive (page 930) causes Apache not to process directives in .htaccess files. You must explicitly enable less restrictive options if you want them, but be aware that doing so can expose the root filesystem and compromise system security.
Next, another <Directory> container sets up less restrictive options for the DocumentRoot (/var/www). The code in default is interspersed with many comments. Without the comments it looks like this:
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
The Indexes option in the Options directive allows Apache to display directory listings. The Order (page 931) and Allow (page 930) directives combine to allow requests from all clients. This container is slightly less restrictive than the preceding one, although it still does not allow Apache to follow directives in .htaccess files.

ADVANCED CONFIGURATION

This section describes how to configure some advanced features of Apache.

REDIRECTS

Apache can respond to a request for a URI by asking the client to request a different URI. This response is called a redirect. A redirect works because redirection is part of the HTTP implementation: Apache sends the appropriate response code and the new URI, and a compliant browser requests the new location.
The Redirect directive can establish an explicit redirect that sends a client to a different page when a Web site is moved. Or, when a user enters the URI of a directory in a browser but leaves off the trailing slash, Apache can automatically redirect the client to the same URI terminated with a slash.

UseCanonicalName
The ServerName directive (page 912), which establishes the name of the server, and the UseCanonicalName directive (page 922) are both important when a server has more than one name and needs to perform an automatic redirect. For example, assume the server with the name zach.example.com and the alias www.example.com has ServerName set to www.example.com.
When a client specifies a URI of a directory but leaves off the trailing slash (zach.example.com/dir), Apache has to perform a redirect to determine the URI of the requested directory. When UseCanonicalName is set to On, Apache uses the value of ServerName and returns www.example.com/dir/. With UseCanonicalName set to Off, Apache uses the name from the incoming request and returns zach.example.com/dir/.

CONTENT NEGOTIATION

Apache can serve multiple versions of the same page, using a client's preference to determine which version to send. The process Apache uses to determine which version of a page (file) to send is called content negotiation. Apache supports two methods of content negotiation: MultiViews search and type maps, which can work together.

TYPE MAPS

The following AddHandler directive from apache2.conf tells Apache to use any filename ending in .var as a type map:
    AddHandler type-map var
To see how type maps work, create the following files in /var/www:
    $ cat /var/www/index.html.en
    Hello
    $ cat /var/www/index.html.fr
    Bonjour
    $ cat /var/www/index.html.var
    URI: index.html.en
    Content-Language: en
    Content-type: text/html; charset=ISO-8859-1

    URI: index.html.fr
    Content-Language: fr
    Content-type: text/html; charset=ISO-8859-1
If your browser's preferred language is set to English (en), it will display the Hello page when you browse to http://localhost/index.html.var. If your browser's preferred language is set to French (fr), it will display the Bonjour page. (With the MultiViews option turned on, as it is by default, the browser displays the correct page when you browse to http://localhost. See the next section.)
You can change the default language in Firefox by selecting Edit > Preferences from the menubar, clicking the Advanced icon and then the General tab, and finally clicking Choose from the Languages frame.
Select a language from the Select a language to add combo box, if necessary, and then move the preferred language to the top of the list.
In the example, the charset assignments are not necessary. However, they would be helpful if you were sending pages using different encodings such as English, Russian, and Korean.
Type maps are used for more than selecting among different languages. Instead of matching Content-Language as in the preceding example, the map could match Content-type and send jpeg or png images depending on how the browser's preferences are set.

MULTIVIEWS

When you set the MultiViews option on a directory, Apache attempts to deliver the correct page when a requested resource does not exist. The following lines in the sites-available/default file set MultiViews for the document root (/):
    Options Indexes FollowSymLinks MultiViews
To see how MultiViews work, remove the /var/www/index.html.var type map file that you created in the preceding section. Now browse to http://localhost. The proper language page is displayed, but why?
When a browser sends Apache a request for a directory, Apache looks for a file named index.html in that directory. In the example, Apache does not find the file. If MultiViews is enabled, as it is by default, Apache looks for files named index.html.*.

[Figure 26-1 A server-generated directory listing (browser screenshot of the Index of /doc page)]

In the example it finds index.html.en and index.html.fr. Apache effectively creates a type map on the fly, mapping the index.html.* files to various languages, and sends its best guess as to the page you want.
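The selection rule behind both methods, as an added Python model (not the book's code) that serves the type-map section above and this MultiViews section: it parses a constructed copy of the index.html.var shown earlier, orders the browser's Accept-Language preferences, and picks the variant; multiviews_map builds the same kind of map from index.html.* filenames, which is what Apache does on the fly once the .var file is removed.

```python
"""Added model (not the book's code) of the two content-negotiation methods
described above: a type map parsed from a .var file and the map MultiViews
builds on the fly from index.html.* filenames."""
import re

# Constructed copy of the /var/www/index.html.var type map shown above
TYPE_MAP = """\
URI: index.html.en
Content-Language: en
Content-type: text/html; charset=ISO-8859-1

URI: index.html.fr
Content-Language: fr
Content-type: text/html; charset=ISO-8859-1
"""


def parse_type_map(text):
    """One variant per blank-line-separated record; header names lower-cased."""
    variants = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        variants.append(fields)
    return variants


def parse_accept_language(header):
    """Return [(language, q)] sorted by decreasing q; ties keep header order."""
    prefs = []
    for part in header.split(","):
        tag, _, params = part.strip().partition(";")
        q = 1.0
        for param in params.split(";"):
            if param.strip().lower().startswith("q="):
                q = float(param.strip()[2:])
        if tag:
            prefs.append((tag.lower(), q))
    return sorted(prefs, key=lambda pref: -pref[1])


def choose_variant(variants, accept_language):
    """Return the URI whose Content-Language best matches the client's
    preferences (a 'fr' variant also serves a request for 'fr-CA');
    fall back to the first variant when nothing matches."""
    for lang, q in parse_accept_language(accept_language):
        if q <= 0:
            continue
        for variant in variants:
            vlang = variant.get("content-language", "").lower()
            if vlang and (lang == vlang or lang.startswith(vlang + "-")):
                return variant["uri"]
    return variants[0]["uri"] if variants else None


def multiviews_map(filenames, base="index.html"):
    """Build the map MultiViews derives when base itself does not exist:
    every base.<suffix> file becomes a variant tagged with that suffix."""
    return [
        {"uri": name, "content-language": name[len(base) + 1 :]}
        for name in sorted(filenames)
        if name.startswith(base + ".") and len(name) > len(base) + 1
    ]
```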
MultiViews provides an easy way to serve multiple versions of the same file without having to create a type map. However, if you require finer-grained control over which version of a resource should be sent, type maps are a better solution.

SERVER-GENERATED DIRECTORY LISTINGS (INDEXING)

When a client requests a directory, the Apache configuration determines what is returned to the client. Apache can return a file as specified by the DirectoryIndex directive (page 914), a directory listing if no file matches DirectoryIndex and the Options Indexes directive (page 928) is set, or an error message if no file matches DirectoryIndex and Options Indexes is not set. Figure 26-1 shows the server-generated directory listing that results from pointing a local browser at http://localhost/doc/ (you must include the trailing slash) on the server system (assuming the default configuration).

VIRTUAL HOSTS

Apache supports virtual hosts, which means that one instance of Apache can respond to requests directed to multiple IP addresses or hostnames as though it were multiple servers. Each IP address or hostname can then provide different content and be configured differently.

SETTING UP A VIRTUAL HOST

To improve portability and make software upgrades easier, Ubuntu provides two directories that can hold the code to support virtual hosts. The apache2.conf file has an Include directive (page 906) that incorporates the files in the /etc/apache2/sites-enabled directory. To create a new virtual host, you can create a file that defines the virtual host in /etc/apache2/sites-available. Then run a2ensite (page 906) with the name of the file you created as an argument and reload Apache. Running a2ensite enables the virtual host by creating a link in /etc/apache2/sites-enabled.

TYPES OF VIRTUAL HOSTS

There are two types of virtual hosts: host-by-name (also called host-based) and host-by-IP.
Host-by-name relies on the FQDN the client uses in its request to Apache, for example, www.example.com versus www2.example.com. Host-by-IP examines the IP address the host resolves as and responds according to that match.
Host-by-name is handy if there is only one IP address, but Apache must support multiple FQDNs. Although you can use host-by-IP if a given Web server has aliases, Apache should serve the same content regardless of which name is used.
The VirtualHost container and the ServerName directive control which kind of virtual host you are running. The NameVirtualHost directive specifies which IP address supports host-by-name virtual hosting. You can specify many virtual hosts for a single instance of Apache.

THE default VIRTUAL HOST

Ubuntu ships with the host-by-name virtual host named default defined in /etc/apache2/sites-available/default. This virtual host displays a server-generated directory listing (page 937) of /var/www. This directory includes the apache2-default directory. When you click this directory, Apache serves the index.html file, which displays It works! If you uncomment the RewriteMatch directive in the default file, Apache serves the apache2-default directory in response to a request for / and automatically displays It works! Alternatively, if you put your content in /var/www, the default configuration will serve your site as you would expect. It is safe to remove the apache2-default directory.

EXAMPLES

The following examples of host-by-name virtual hosting use wildcards (*) to remain as flexible as possible. You may want to replace the wildcards with the IP address of the server for more precise control when Apache is serving multiple virtual hosts.
The first container sets up host-by-name for the site named example.com. This virtual host handles requests that are directed to example.com. The ServerAlias directive allows it to also process requests directed to www.example.com.
    <VirtualHost *>
        ServerName example.com
        ServerAlias www.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www/example.com
        ErrorLog /var/log/apache2/example.com.err
        CustomLog /var/log/apache2/example.com.log combined
    </VirtualHost>

The next example is similar to the previous one. It adds a Directory directive that prevents remote users (users not coming from the 192.168. subnet) from accessing the Web site.

    <VirtualHost *>
        ServerName intranet.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /var/www
        ErrorLog /var/log/apache2/intra.error_log
        CustomLog /var/log/apache2/example.com.log combined
        <Directory /var/www>
            Order deny,allow
            Deny from all
            Allow from 192.168.     # allow from private subnet only
        </Directory>
    </VirtualHost>

The next example sets up two virtual hosts. The VirtualHost containers accept all traffic directed to the server by specifying *. The ServerName directives accept traffic for sam.example.com (or the alias www.example.com/sam) and mail.example.com. The first virtual host serves documents from Sam's public_html directory; the second is a Webmail server with its content at /var/www/squirrelmail. This example works because all three addresses resolve to the IP address of the server.

    NameVirtualHost *

    <VirtualHost *>
        ServerName sam.example.com
        ServerAdmin webmaster@example.com
        DocumentRoot /home/sam/public_html
    </VirtualHost>

    <VirtualHost *>
        ServerName mail.example.com
        DocumentRoot /var/www/squirrelmail
    </VirtualHost>

If the user specifies an IP address and not a URI, that address may match more than one of the virtual hosts, as in the example. In this case, Apache serves the virtual host that best matches. If none of the virtual host addresses matches the IP address better than another, Apache serves the first virtual host. In the preceding example, both virtual hosts match an IP address the same way; neither is a better match, so Apache serves the first virtual host (sam.example.com).
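The intranet example above depends on the order in which Apache 2.2 evaluates Order, Deny from and Allow from. The following POSIX shell script is an added example, not code from the book or from Apache: it emulates that evaluation for a single client address so you can check a rule set without a running server. The matching is deliberately simplified to what the book's example uses (all, an exact address, and a dotted prefix such as 192.168.); the function names and the client addresses are constructed. It also runs the same two directives under Order allow,deny, which is the common mistake that locks every client out.

```sh
#!/bin/sh
# Added example: emulate Apache 2.2 mod_authz_host evaluation of
#   Order deny,allow / allow,deny  +  one "Deny from" and one "Allow from".
# Host patterns understood (simplified): "all", an exact IPv4 address,
# or a partial dotted address such as "192.168." (must end in a dot).

# host_matches PATTERN IP -> exit 0 if IP matches PATTERN
host_matches() {
    pat=$1; ip=$2
    case "$pat" in
        all) return 0 ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;   # prefix match: 192.168. matches 192.168.x.y
        *)   if [ "$ip" = "$pat" ]; then return 0; fi ;;
    esac
    return 1
}

# access_decision ORDER DENY_PATTERN ALLOW_PATTERN IP
#   deny,allow : start as allowed; a Deny match denies, but a later Allow
#                match overrides it; unmatched clients are allowed.
#   allow,deny : start as denied; a client must match Allow AND not match
#                Deny; unmatched clients are denied.
# Prints "allow" or "deny"; exit status 0 = allow, 1 = deny, 2 = bad Order.
access_decision() {
    order=$1; deny=$2; allow=$3; ip=$4
    case "$order" in
        deny,allow)
            verdict=allow
            if host_matches "$deny"  "$ip"; then verdict=deny;  fi
            if host_matches "$allow" "$ip"; then verdict=allow; fi
            ;;
        allow,deny)
            verdict=deny
            if host_matches "$allow" "$ip"; then verdict=allow; fi
            if host_matches "$deny"  "$ip"; then verdict=deny;  fi
            ;;
        *)  echo "unknown Order: $order" >&2; return 2 ;;
    esac
    echo "$verdict"
    [ "$verdict" = allow ]
}

# Demo: the book's rules (Deny from all / Allow from 192.168.) against a few
# constructed client addresses, under both Order settings.
demo() {
    for ip in 192.168.0.10 192.168.200.1 10.0.0.5 203.0.113.7; do
        printf '%-14s Order deny,allow -> ' "$ip"; access_decision deny,allow all 192.168. "$ip" || :
        printf '%-14s Order allow,deny -> ' "$ip"; access_decision allow,deny all 192.168. "$ip" || :
    done
}
demo
```

With Order deny,allow only the 192.168. clients get in, which is what the intranet example intends; with Order allow,deny the trailing Deny from all wins for everyone, so the directory is unreachable even from the private subnet.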
If mail.example.com was defined as and a user specified that IP address, Apache would serve mail.example.com because it is a better match for the IP address than the wildcard that the other virtual host specifies.

The next example shows VirtualHost containers for a host-by-IP server. The example assumes that 111.111.0.0 and 111.111.0.1 point to the local server. Here each virtual host has its own IP/port combination. The third virtual host is distinguished from the first by the port that a request comes in on.

    <VirtualHost 111.111.0.0>
        DocumentRoot /var/www/www0
    </VirtualHost>

    <VirtualHost 111.111.0.1>
        DocumentRoot /var/www/www1
    </VirtualHost>

    <VirtualHost 111.111.0.0:8080>
        DocumentRoot /var/www/www2
    </VirtualHost>

    Listen 8080     # this directive should go in ports.conf

The final example sets up a virtual server for Webmail that can be accessed only over SSL. It would be appropriate to put the code for this example in a file named /etc/apache2/sites-available/mail.example.com. To use this example you must create an SSL certificate (page 943), enable the ssl module (included in the default Apache installation) with a2enmod (page 905), and enable the virtual domain using a2ensite (page 906).

    <VirtualHost *:80>
        Redirect permanent / https://mail.example.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName mail.example.com
        ServerAdmin postmaster@example.com
        DocumentRoot /var/www/mail.example.com
        ErrorLog /var/log/apache2/mail.example.com.err
        CustomLog /var/log/apache2/mail.example.com.log combined
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
    </VirtualHost>

TROUBLESHOOTING

The apache2 init script checks the syntax of the Apache configuration files and logs an error if there is a problem. You can also call apache2ctl directly to check the syntax:

    $ apache2ctl configtest
    Syntax OK

Once you start the apache2 daemon, you can confirm that Apache is working correctly by pointing a browser on the local system at http://localhost/.
From a remote system, use http://server/, substituting the hostname of the server for server. In response, Apache displays a directory listing for /var/www unless you have added an index file or changed the default virtual host.

If the browser does not display the directory listing, it will display one of two errors: Connection refused or an error page. If you get a Connection refused error, make sure that port 80 is not blocked by a firewall (page 901) and check that the server is running:

    $ ps -ef | grep apache2
    max       3479 12869  0 16:55 pts/1    grep apache2
    root      5031     1  0 Mar26 ?        /usr/sbin/apache2 -k start
    www-data  5032  5031  0 Mar26 ?        /usr/sbin/apache2 -k start
    www-data  5088  5031  0 Mar26 ?        /usr/sbin/apache2 -k start
    www-data  5092  5031  0 Mar26 ?        /usr/sbin/apache2 -k start

If the server is running, confirm that you did not specify a port other than 80 in a Listen directive. If you did, the URI you specify in the browser must reflect this port number (http://localhost:port specifies port port). Otherwise, check the error log (/var/log/httpd/error_log) for information about what is not working. To verify that the browser is not at fault, use telnet to try to connect to port 80 of the server:

    $ telnet www.example.com 80
    Trying 192.0.34.166...
    Connected to www.example.com.
    Escape character is '^]'.
    CONTROL-]
    telnet> quit
    Connection closed.

If telnet displays Connection refused, it means that the local system cannot connect to the server.

MODULES

Apache is a skeletal program that relies on external modules, called dynamic shared objects (DSOs), to provide most of its functionality. In addition to the modules included with Ubuntu Linux, many other modules are available. See httpd.apache.org/modules for more information. See a2enmod on page 905 for information on enabling modules.
Configuring modules tip: You can configure some modules by editing their corresponding *.conf file in the mods-available directory.

The names of the files that hold modules start with the prefix libapache2-mod-. The following command displays a complete list of modules. You can pipe the list through grep to find the module you want. See page 530 for information on apt-cache.

    $ apt-cache search libapache2-mod
    libapache2-mod-auth-kerb - apache2 module for Kerberos authentication
    libapache2-mod-auth-mysql - Apache 2 module for MySQL authentication
    libapache2-mod-auth-pam - module for Apache2 which authenticate using PAM
    libapache2-mod-auth-pgsql - Module for Apache2 which provides pgsql authentication
    libapache2-mod-auth-plain - Module for Apache2 which provides plaintext authentication
    libapache2-mod-auth-sys-group - Module for Apache2 which checks user against system group
    libapache2-mod-macro - Create macros inside apache2 config files
    libapache2-mod-perl2 - Integration of perl with the Apache2 web server
    libapache2-mod-perl2-dev - Integration of perl with the Apache2 server - development files
    libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
    libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2 module)
    libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2...)
    libapache2-mod-python - Apache 2 module that embeds Python within the server
    $ apt-cache search libapache2-mod | grep ruby
    libapache2-mod-ruby - Embedding Ruby in the Apache2 web server

mod_cgi AND CGI SCRIPTS

The CGI (Common Gateway Interface) allows external application programs to interface with Web servers. Any program can be a CGI program if it runs in real time (at the time of the request) and relays its output to the requesting client.
Various kinds of scripts, including shell, Perl, Python, and PHP, are the most commonly encountered CGI programs because a script can call a program and reformat its output in HTML for a client. Apache can handle requests for CGI programs in several different ways. The most common method is to put a CGI program in the cgi-bin directory and then enable its execution from that directory only. The location of the cgi-bin directory, as specified by the ScriptAlias directive (page 929), is /usr/lib/cgi-bin. Alternatively, an AddHandler directive (page 923) can identify the filename extensions of scripts, such as .cgi or .pl, within the regular content (for example, AddHandler cgi-script .cgi). If you use AddHandler, you must also specify the ExecCGI option in an Options directive within the appropriate container. The mod_cgi module must be loaded to access and execute CGI scripts.

The following Perl CGI script displays the Apache environment. This script should be used for debugging only because it presents a security risk if remote clients can access it:

    #!/usr/bin/perl
    ##
    ##  printenv -- demo CGI program that prints its environment
    ##

    print "Content-type: text/plain\n\n";
    foreach $var (sort(keys(%ENV))) {
        $val = $ENV{$var};
        $val =~ s|\n|\\n|g;
        $val =~ s|"|\\"|g;
        print "${var}=\"${val}\"\n";
    }

mod_ssl

SSL (Secure Sockets Layer), which is implemented by the mod_ssl module, has two functions: It allows a client to verify the identity of a server and it enables secure two-way communication between a client and a server. SSL is used on Web pages in conjunction with forms that require passwords, credit card numbers, or other sensitive data. Apache uses the HTTPS protocol—not HTTP—for SSL communication. When Apache uses SSL, it listens on a second port (443 by default) for a connection and performs a handshaking sequence before sending the requested content to the client. Server verification is critical for financial transactions.
After all, you do not want to give your credit card number to a fraudulent Web site posing as a known company. SSL uses a certificate to positively identify a server. Over a public network such as the Internet, the identification is reliable only if the certificate contains a digital signature from an authoritative source such as VeriSign or Thawte. SSL Web pages are denoted by a URI beginning with https://.

Data encryption prevents malicious users from eavesdropping on Internet connections and copying personal information. To encrypt communication, SSL sits between the network and an application and encrypts communication between the server and the client.

SETTING UP mod_ssl

The mod_ssl package is installed as part of the apache2 package—you do not need to install it separately. The /etc/apache2/mods-available/ssl.conf file configures mod_ssl; ssl.load, which is in the same directory, loads it. You must enable the module with the command a2enmod ssl. The first few directives in this file set various parameters for SSL operation. You can set up a virtual host for SSL in the sites-available directory and enable it using a2ensite (page 906). As with any virtual host, a virtual host for SSL holds directives such as ServerName and ServerAdmin that need to be configured. In addition, it holds some SSL-related directives. See the example on page 940.

USING A SELF-SIGNED CERTIFICATE FOR ENCRYPTION

If you require SSL for encryption and not verification—that is, if the client already trusts the server—you can generate and use a self-signed certificate, bypassing the time and expense involved in obtaining a digitally signed certificate. Self-signed certificates generate a warning when you connect to the server: Most browsers display a dialog box that allows you to examine and accept the certificate. The exim4 daemon also uses certificates (page 736). The following example creates a self-signed certificate.
(See the procedure at www.modssl.org/docs/2.8/ssl_faq.html#ToC28 if apache2-ssl-certificate is missing from the system. You do not need to send in the CSR for a self-signed certificate.)

    $ sudo apache2-ssl-certificate
    creating selfsigned certificate
    replace it with one signed by a certification authority (CA)

    enter your ServerName at the Common Name prompt

    If you want your certificate to expire after x days call this program with -days x

    Generating a 1024 bit RSA private key
    ++++++
    writing new private key to '/etc/apache2/ssl/apache.pem'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company; recommended) []:Sobell Associates Inc.
    Organizational Unit Name (eg, section) []:
    server name (eg. ssl.domain.tld; required!!!) []:www.sobell.com
    Email Address []:mgs@sobell.com

The answers to the first five questions are arbitrary: They can help clients identify a site when they examine the certificate. The answer to the sixth question (server name) is critical. Because certificates are tied to the name of the server, you must enter the server's FQDN accurately. If you mistype this information, the server name and the name of the certificate will not match. A browser will then generate a warning message each time a connection is made. Now you must create an SSL-enabled virtual host in /etc/apache2/sites-available.
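The apache2-ssl-certificate wizard above may be missing from a system, and the book stresses that the Common Name must equal the ServerName. As an added example that is not from the book, the following POSIX shell script produces the same kind of self-signed key-plus-certificate file with the openssl command-line tool and then checks the certificate's Common Name against an intended ServerName, so the mismatch the text warns about is caught before Apache is restarted. It assumes openssl is installed; the output directory, the file names apache.key, apache.crt and apache.pem, and the subject fields other than the CN are constructed values you would change.

```sh
#!/bin/sh
# Added example: self-signed certificate with openssl, plus a CN-vs-ServerName check.
# Files written: OUTDIR/apache.key (private key), OUTDIR/apache.crt (certificate),
# OUTDIR/apache.pem (key followed by certificate, the single-file layout the
# book's "SSLCertificateFile /etc/apache2/ssl/apache.pem" directive points at).

# make_selfsigned_cert FQDN OUTDIR [DAYS]
#   exit 0 on success, 1 on failure, 3 if openssl is not installed
make_selfsigned_cert() {
    fqdn=$1; outdir=$2; days=${3:-365}
    command -v openssl >/dev/null 2>&1 || return 3
    mkdir -p "$outdir" || return 1
    # Subshell: the restrictive umask keeps the private key from being
    # world-readable without changing the caller's umask.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/C=US/ST=California/L=San Francisco/O=Example Org/CN=$fqdn" \
            -keyout "$outdir/apache.key" -out "$outdir/apache.crt" >/dev/null 2>&1 &&
        cat "$outdir/apache.key" "$outdir/apache.crt" > "$outdir/apache.pem"
    ) || return 1
    return 0
}

# cert_cn PEMFILE : print the Common Name from the certificate subject.
# RFC2253 output puts CN first and uses no spaces, which keeps the sed simple.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=[ ]*CN=\([^,]*\).*/\1/p'
}

# check_servername PEMFILE SERVERNAME : exit 0 only if the CN equals SERVERNAME
check_servername() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Usage:  sh mkcert.sh www.example.com /tmp/ssl-test
if [ $# -ge 2 ]; then
    if make_selfsigned_cert "$1" "$2" 365; then
        printf 'certificate CN: %s\n' "$(cert_cn "$2/apache.pem")"
        if check_servername "$2/apache.pem" "$1"; then
            echo "CN matches ServerName $1"
        else
            echo "CN does not match ServerName $1; browsers will warn on every connection" >&2
        fi
    else
        echo "certificate generation failed (is openssl installed?)" >&2
    fi
fi
```

The check is the one a browser performs implicitly: if cert_cn disagrees with the ServerName in the SSL virtual host, fix the ServerName or regenerate the certificate rather than teaching users to click through the warning.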
Host-by-name virtual hosting will not work with SSL because the HTTP Host header sent by the client that Apache uses to differentiate between host-by-name virtual hosts is encrypted. You can use only one SSL certificate, matching one domain per IP address. You can have multiple virtual hosts on that IP address, but if they are accessed over HTTPS, the client will receive an error saying that the certificate does not match the domain name. After you enable the new virtual host and restart Apache, the new certificate will be in use. Following is an example wildcard setup for /etc/apache2/sites-available/ssl. Enable it with sudo a2ensite ssl:

    <VirtualHost *:80>
        Redirect permanent / https://www.sobell.com/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.sobell.com
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        DocumentRoot /var/www
    </VirtualHost>

This example directs all non-SSL traffic to the SSL site. You must add a Listen 443 directive to /etc/apache2/ports.conf if you want Apache to listen on the default HTTPS port.

NOTES ON CERTIFICATES

• Although the server name is part of the certificate, the SSL connection is tied to the IP address of the server: You can have only one certificate per IP address. For multiple virtual hosts to have separate certificates, you must specify host-by-IP rather than host-by-name virtual hosts (page 937).

• As long as the server is identified by the name for which the certificate was issued, you can use the certificate on another server or IP address.

• A root certificate is the certificate that identifies the root certificate authority (root CA). Every browser contains a database of the public keys for the root certificates of the major signing authorities, including VeriSign and Thawte.

• It is possible to generate a root certificate and sign all your server certificates with this root CA. Regular clients can import the public key of the root CA so that they recognize every certificate signed by that root CA. This setup is convenient for a server with multiple SSL-enabled virtual hosts and no commercial certificates. For more information see www.modssl.org/docs/2.8/ssl_faq.html#ToC29.

• A self-signed certificate does not enable clients to verify the identity of the server.

AUTHENTICATION MODULES AND .htaccess

To restrict access to a Web page, Apache and third parties provide authentication modules and methods that can verify a user's credentials, such as a username and password. Some modules support authentication against various databases including LDAP (page 1156) and NIS (page 741).

User authentication directives are commonly placed in a .htaccess file. A basic .htaccess file that uses the Apache default authentication module (mod_auth) follows. Substitute appropriate values for the local server.

    $ sudo cat .htaccess
    AuthUserFile /var/www/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Browser dialog box query"
    AuthType Basic
    require valid-user

The /var/www/.htpasswd is a typical absolute pathname of a .htpasswd file and Browser dialog box query is the string that the user will see as part of the dialog box that requests a username and password. The second line of the preceding .htaccess file turns off the group function. The fourth line specifies the user authentication type Basic, which is implemented by the default mod_auth module. The last line tells Apache which users can access the protected directory. The entry valid-user grants access to the directory to any user whose username appears in the Apache password file and who enters the correct password. You can put the Apache password file anywhere on the system, as long as Apache can read it. It is safe to put this file in the same directory as the .htaccess file because, by default, Apache will not answer any requests for files whose names start with .ht.
The following command creates a .htpasswd file in the working directory for Sam:

    $ htpasswd -c .htpasswd sam
    New password:
    Re-type new password:
    Adding password for user sam

The default virtual host includes an AllowOverride None directive (page 930) for /var/www. You must change this directive to at least AllowOverride AuthConfig in sites-available/default or remove it to enable Apache to process user authentication directives.

SCRIPTING MODULES

Apache can process content before serving it to a client. In earlier versions of Apache, only CGI scripts could process content. In the current version, scripting modules can work with scripts embedded in HTML documents.

Scripting modules manipulate content before Apache serves it to a client. Because they are built into Apache, scripting modules are fast. Scripting modules are especially efficient at working with external data sources such as relational databases. Clients can pass data to a scripting module that modifies the information that Apache serves.

Scripting modules stand in contrast to CGI scripts that are run externally to Apache. In particular, CGI scripts do not allow client interaction and are slow because they must make external calls.

Ubuntu provides packages that allow you to embed Perl (mod_perl), Python (mod_python), and PHP (mod_php) code in HTML content. Perl and Python, which are general-purpose scripting languages, are encapsulated for use directly in Apache and are available in the libapache2-mod-perl2 and libapache2-mod-python packages, respectively.

PHP, which was developed for manipulating Web content, outputs HTML by default. Implemented in the mod_php module and available in libapache2-mod-php5, this language is easy to set up, has a syntax similar to that of Perl and C, and comes with a large number of Web-related functions.
MULTIPROCESSING MODULES (MPMS)

If Apache were to execute in only one process, every time a client requested a page, Apache would have to ignore other requests while it read that page from disk (or waited for a CGI script to generate it). After it read the page, it could send the page to the client and respond to the next request. With this setup, Apache could serve only one client at a time.

prefork MPM
Apache 1.3 and earlier forked servers to respond to multiple clients. Apache 2 moved the forking behavior to the prefork multiprocessing module (MPM). MPMs introduced the ability to switch between various multiprocessing techniques. The prefork MPM uses the fork() system call to create an exact copy of the running Apache process to serve each request. The MaxServers, MaxSpareServers, and similar directives control how many copies of Apache run at the same time. Because the operating system has to spend time context switching between Apache processes, and because each process has its own memory, the prefork MPM generates considerable overhead on a busy server.

worker MPM
The worker MPM reduces this overhead by using threads. A thread is similar to a process in that it can execute independently of other threads or processes. Waiting for a read to complete in one thread does not stop (block) other threads from executing. The difference between threads and processes is that all the threads running under one process share the same memory, and the program—rather than the operating system—is responsible for managing the threads. The worker MPM maintains a pool of threads it can use to serve each request. Instead of the parent Apache process forking a child to serve each request for content as in prefork, the worker MPM uses threads to serve requests for content.

Threads
Because all these threads run under the same process, they share the same memory. Code that is not thread safe (see reentrant on page 1168) can return inconsistent results.
For example, some PHP library functions use the strtok() C function to convert a string to tokens. This function maintains internal variables. If it is called by multiple threads sharing the same memory, strtok()'s internal variables are put in an inconsistent state.

PHP
If you want to use PHP, either you must use the prefork MPM or, if you want to use the worker MPM and PHP, you must remove libapache2-mod-php5 and run PHP as a CGI script (page 942).

MPMs
Available MPMs include

• apache2-mpm-prefork—Traditional MPM.
• apache2-mpm-worker—High-speed threaded MPM.
• apache2-mpm-event—Event driven MPM.

The apache2-mpm-worker, apache2-mpm-event, and apache2-mpm-prefork packages each supply the apache2 binary and conflict with one another. You cannot have more than one of these modules installed at the same time. When you install one of these packages, the installer automatically removes the existing MPM.

webalizer: ANALYZES WEB TRAFFIC

The webalizer package creates a directory at /var/www/webalizer and a cron file (page 605) at /etc/cron.daily/webalizer. Once a day, the cron file generates usage data and puts it in the webalizer directory; you can view this data by pointing a browser at http://server/webalizer/, where server is the hostname of the server. The /etc/webalizer/webalizer.conf file controls the behavior of the webalizer utility. If you change the location of the DocumentRoot or log files, you must edit this file to reflect those changes. For more information on webalizer, refer to the webalizer man page and the sites listed under "More Information" on page 901.

MRTG: MONITORS TRAFFIC LOADS

Multi Router Traffic Grapher (MRTG; mrtg package) is an open-source application that graphs statistics available through SNMP (Simple Network Management Protocol).
SNMP information is available on all high-end routers and switches as well as on some other networked equipment, such as printers and wireless access points. Once MRTG is installed and running, you can view the reports at http://server/mrtg, where server is the hostname of the server. For more information see the mrtg man page and the sites listed under "More Information" on page 901.

ERROR CODES

Following is a list of Apache error codes:

    100  Continue
    101  Switching Protocols
    200  OK
    201  Created
    202  Accepted
    203  Non-Authoritative Info...
    204  No Content
    205  Reset Content
    206  Partial Content
    300  Multiple Choices
    301  Moved Permanently
    302  Moved Temporarily
    303  See Other
    304  Not Modified
    305  Use Proxy
    400  Bad Request
    401  Unauthorized
    402  Payment Required
    403  Forbidden
    404  Not Found
    405  Method Not Allowed
    406  Not Acceptable
    407  Proxy Authentication Required
    408  Request Timed out
    409  Conflict
    410  Gone
    411  Length Required
    412  Precondition Failed
    413  Request Entity Too Large
    414  Request-URI Too Large
    415  Unsupported Media Type
    500  Internal Server Error
    501  Not Implemented
    502  Bad Gateway
    503  Service Unavailable
    504  Gateway Time-out
    505  HTTP Version Not Supported

CHAPTER SUMMARY

Apache is the most popular Web server on the Internet today. It is both robust and extensible. The /etc/apache2/apache2.conf configuration file controls many aspects of how Apache runs. This file, which is based on the first part of the httpd.conf file distributed by Apache, is heavily commented. Ubuntu also puts some configuration directives in the /etc/apache2/sites-available/default file. Content to be served is typically placed in /var/www, called the document root. Apache automatically displays the file named index.html in this directory.

Configuration directives, or simply directives, are lines in a configuration file that control some aspect of how Apache functions.
Four locations, called contexts, define where a configuration directive can appear: server config, virtual host, directory, and .htaccess. Containers, or special directives, are directives that group other directives.

To restrict access to a Web page, Apache and third parties provide authentication modules and methods that can verify a user's credentials, such as a username and password. Some modules enable authentication against various databases, including LDAP and NIS.

Apache can respond to a request for a URI by asking the client to request a different URI. This response is called a redirect. Apache can also process content before serving it to a client using scripting modules that work with scripts embedded in HTML documents.

Apache supports virtual hosts, which means that one instance of Apache can respond to requests directed to multiple IP addresses or hostnames as though it were multiple servers. Each IP address or hostname can provide different content and be configured differently.

The CGI (Common Gateway Interface) allows external application programs to interface with Web servers. Any program can be a CGI program if it runs in real time and relays its output to the requesting client.

SSL (Secure Sockets Layer) has two functions: It allows a client to verify the identity of a server and it enables secure two-way communication between a client and server.

EXERCISES

1. How would you tell Apache that your content is in /usr/local/www?

2. How would you instruct an Apache server to listen on port 81 instead of port 80?

3. How would you enable Sam to publish Web pages from his ~/website directory but not allow anyone else to publish to the Web?

4. Apache must be started with root privileges. Why? Why does this action not present a security risk?

ADVANCED EXERCISES

5.
If you are running Apache on a firewall system, perhaps to display a Web front-end for firewall configuration, how would you make sure that it is accessible only from inside the local network?

6. Why is it more efficient to run scripts using mod_php or mod_perl than to run them through CGI?

7. What two things does SSL provide and how does this situation differ if the certificate is self-signed?

8. Some Web sites generate content by retrieving data from a database and inserting it into a template using PHP or CGI each time the site is accessed. Why is this practice often a poor idea?

9. Assume you want to provide Webmail access for employees on the same server that hosts the corporate Web site. The Web site address is example.com, you want to use mail.example.com for Webmail, and the Webmail application is located in /var/www/webmail. Describe two ways you can set up this configuration.

10. Part of a Web site is a private intranet. Describe how you would prevent people outside the company's internal 192.168.0.0/16 network from accessing this site. The site is defined as follows:

    ServerName example.com
    DocumentRoot /var/www
    AllowOverride AuthConfig

PART VI  PROGRAMMING TOOLS

CHAPTER 27  PROGRAMMING THE BOURNE AGAIN SHELL  953
CHAPTER 28  THE PERL SCRIPTING LANGUAGE  1041

27  PROGRAMMING THE BOURNE AGAIN SHELL

IN THIS CHAPTER

Control Structures  954
File Descriptors  987
Parameters and Variables  990
Array Variables  990
Locality of Variables  992
Special Parameters  994
Positional Parameters  996
Builtin Commands  1002
Expressions  1016
Shell Programs  1024
A Recursive Shell Script  1025
The quiz Shell Script  1028

Chapter 7 introduced the shells and Chapter 9 went into detail about the Bourne Again Shell. This chapter introduces additional Bourne Again Shell commands, builtins, and concepts that carry shell programming to a point where it can be useful. Although you may make use of shell programming as a system administrator, you do not have to read this chapter to perform system administration tasks. Feel free to skip this chapter and come back to it if and when you like.

The first part of this chapter covers programming control structures, also called control flow constructs. These structures allow you to write scripts that can loop over command-line arguments, make decisions based on the value of a variable, set up menus, and more. The Bourne Again Shell uses the same constructs found in such high-level programming languages as C.

The next part of this chapter discusses parameters and variables, going into detail about array variables, local versus global variables, special parameters, and positional parameters. The exploration of builtin commands covers type, which displays information about a command, and read, which allows a shell script to accept user input. The section on the exec builtin demonstrates how to use exec to execute a command efficiently by replacing a process and explains how to use exec to redirect input and output from within a script.

The next section covers the trap builtin, which provides a way to detect and respond to operating system signals (such as the signal generated when you press CONTROL-C). The discussion of builtins concludes with a discussion of kill, which can abort a process, and getopts, which makes it easy to parse options for a shell script. Table 27-6 on page 1015 lists some of the more commonly used builtins.

Next the chapter examines arithmetic and logical expressions as well as the operators that work with them. The final section walks through the design and implementation of two major shell scripts.

This chapter contains many examples of shell programs.
Although they illustrate certain concepts, most use information from earlier examples as well. This overlap not only reinforces your overall knowledge of shell programming but also demonstrates how you can combine commands to solve complex tasks. Running, modifying, and experimenting with the examples in this book is a good way to become comfortable with the underlying concepts.

Do not name a shell script test tip: You can unwittingly create a problem if you give a shell script the name test because a Linux utility has the same name. Depending on how the PATH variable is set up and how you call the program, you may run either your script or the utility, leading to confusing results.

This chapter illustrates concepts with simple examples, which are followed by more complex ones in sections marked "Optional." The more complex scripts illustrate traditional shell programming practices and introduce some Linux utilities often used in scripts. You can skip these sections without loss of continuity. Return to them when you feel comfortable with the basic concepts.

CONTROL STRUCTURES

The control flow commands alter the order of execution of commands within a shell script. Control structures include the if...then, for...in, while, until, and case statements. In addition, the break and continue statements work in conjunction with the control structures to alter the order of execution of commands within a script.

if...then

The if...then control structure has the following syntax:

    if test-command
        then
            commands
    fi

Figure 27-1  An if...then flowchart

The bold words in the syntax description are the items you supply to cause the structure to have the desired effect. The nonbold words are the keywords the shell uses to identify the control structure.

test builtin
Figure 27-1 shows that the if statement tests the status returned by the test-command and transfers control based on this status.
The end of the if structure is marked by a fi statement (if spelled backward). The following script prompts for two words, reads them, and then uses an if structure to execute commands based on the result returned by the test builtin when it compares the two words. (See the test info page for information on the test utility, which is similar to the test builtin.) The test builtin returns a status of true if the two words are the same and false if they are not. Double quotation marks around $word1 and $word2 make sure test works properly if you enter a string that contains a SPACE or other special character:

    $ cat if1
    echo -n "word 1: "
    read word1
    echo -n "word 2: "
    read word2

    if test "$word1" = "$word2"
    then
        echo "Match"
    fi
    echo "End of program."

    $ ./if1
    word 1: peach
    word 2: peach
    Match
    End of program.

In the preceding example the test-command is test "$word1" = "$word2". The test builtin returns a true status if its first and third arguments have the relationship specified by its second argument. If this command returns a true status (= 0), the shell executes the commands between the then and fi statements. If the command returns a false status (not = 0), the shell passes control to the statement following fi without executing the statements between then and fi. The effect of this if statement is to display Match if the two words are the same. The script always displays End of program.

Builtins
In the Bourne Again Shell, test is a builtin, that is, part of the shell. It is also a stand-alone utility kept in /usr/bin/test. This chapter discusses and demonstrates many Bourne Again Shell builtins. You typically use the builtin version if it is available and the utility if it is not. Each version of a command may vary slightly from one shell to the next and from the utility to any of the shell builtins. See page 1002 for more information on shell builtins.
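The quotation marks around $word1 and $word2 are easy to drop and hard to miss until a user types an empty line or two words. The following added example (not from the book) makes the failure visible: compare_quoted is the form if1 uses, compare_unquoted is the same comparison without quotes, and describe reports test's exit status as a word. The function names are this example's own.

```shell
# compare_quoted and compare_unquoted each return the exit status of test:
#   0 = the two words match, 1 = they differ, 2 = test could not parse its
#   arguments (what the shell prints as "unary operator expected" or
#   "too many arguments").

compare_quoted() {
    test "$1" = "$2"            # test always receives exactly three words
}

compare_unquoted() {
    # Deliberately unquoted to show the failure mode; 2>/dev/null hides the
    # diagnostic so only the exit status is observed.
    test $1 = $2 2>/dev/null
}

# Run the named comparison on two strings and print the outcome as a word.
describe() {
    status=0
    "$1" "$2" "$3" || status=$?
    case $status in
        0) echo match ;;
        1) echo differ ;;
        *) echo syntax-error ;;  # test saw the wrong number of words
    esac
}

describe compare_quoted   ""          "peach"        # differ
describe compare_unquoted ""          "peach"        # syntax-error: test = peach
describe compare_quoted   ""          ""             # match
describe compare_quoted   "two words" "two words"    # match
describe compare_unquoted "two words" "two words"    # syntax-error: five words
```

With an empty first word the unquoted form hands test the two words = and peach, so test reports a syntax error instead of "differ"; with SPACEs in the input it hands test five words. In an if statement both cases take the false branch silently, which is why the book quotes every variable it passes to test.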
Checking arguments
The next program uses an if structure at the beginning of a script to confirm that you have supplied at least one argument on the command line. The test -eq operator compares two integers; the $# special parameter (page 997) takes on the value of the number of command-line arguments. This structure displays a message and exits from the script with an exit status of 1 if you do not supply at least one argument:

    $ cat chkargs
    if test $# -eq 0
    then
        echo "You must supply at least one argument."
        exit 1
    fi
    echo "Program running."

    $ ./chkargs
    You must supply at least one argument.
    $ ./chkargs abc
    Program running.

A test like the one shown in chkargs is a key component of any script that requires arguments. To prevent the user from receiving meaningless or confusing information from the script, the script needs to check whether the user has supplied the appropriate arguments. Some scripts simply test whether arguments exist (as in chkargs). Other scripts test for a specific number or specific kinds of arguments.

You can use test to verify the status of a file argument or the relationship between two file arguments. After verifying that at least one argument has been given on the command line, the following script tests whether the argument is the name of an ordinary file (not a directory or other type of file) in the working directory. The test builtin with the -f option and the first command-line argument ($1) checks the file:

    $ cat is_ordfile
    if test $# -eq 0
    then
        echo "You must supply at least one argument."
        exit 1
    fi
    if test -f "$1"
    then
        echo "$1 is an ordinary file in the working directory"
    else
        echo "$1 is NOT an ordinary file in the working directory"
    fi

You can test many other characteristics of a file using test options; see Table 27-1.
Table 27-1 Options to the test builtin

    Option   Tests file to see if it
    -d       Exists and is a directory file
    -e       Exists
    -f       Exists and is an ordinary file (not a directory)
    -r       Exists and is readable
    -s       Exists and has a size greater than 0 bytes
    -w       Exists and is writable
    -x       Exists and is executable

Other test options provide ways to test relationships between two files, such as whether one file is newer than another. Refer to later examples in this chapter for more information.

Always test the arguments (tip)
To keep the examples in this book short and focused on specific concepts, the code to verify arguments is often omitted or abbreviated. It is good practice to test arguments in shell programs that other people will use. Doing so results in scripts that are easier to run and debug.

[] is a synonym for test
The following example, another version of chkargs, checks for arguments in a way that is more traditional for Linux shell scripts. This example uses the bracket ([]) synonym for test. Rather than using the word test in scripts, you can surround the arguments to test with brackets. The brackets must be surrounded by whitespace (SPACEs or TABs).

    $ cat chkargs2
    if [ $# -eq 0 ]
    then
        echo "Usage: chkargs2 argument..." 1>&2
        exit 1
    fi
    echo "Program running."
    exit 0

    $ ./chkargs2
    Usage: chkargs2 argument...
    $ ./chkargs2 abc
    Program running.

Usage messages
The error message that chkargs2 displays is called a usage message and uses the 1>&2 notation to redirect its output to standard error (page 297). After issuing the usage message, chkargs2 exits with an exit status of 1, indicating an error has occurred. The exit 0 command at the end of the script causes chkargs2 to exit with a 0 status after the program runs without an error. The Bourne Again Shell returns a 0 status if you omit the status code.
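The checks in chkargs2 and is_ordfile and the options in Table 27-1 combine naturally into one argument-validation function that a script can call before it touches a file. The following is an added example, not code from the book: check_file_arg writes a usage-style message to standard error and returns 1 for anything that is not an existing, readable, non-empty ordinary file, and demo_check_file_arg exercises it against files created in a scratch directory. The function names and messages are this example's own.

```shell
# Validate one file argument with the test options from Table 27-1.
# Returns 0 when the argument is usable, 1 otherwise, explaining why on
# standard error so the message can be redirected independently of output.
check_file_arg() {
    if [ $# -ne 1 ]; then
        echo "Usage: check_file_arg file" 1>&2
        return 1
    fi
    if [ ! -e "$1" ]; then
        echo "check_file_arg: $1: does not exist" 1>&2
        return 1
    elif [ -d "$1" ]; then
        echo "check_file_arg: $1: is a directory, not an ordinary file" 1>&2
        return 1
    elif [ ! -f "$1" ]; then
        echo "check_file_arg: $1: is not an ordinary file" 1>&2
        return 1
    elif [ ! -r "$1" ]; then
        echo "check_file_arg: $1: is not readable" 1>&2
        return 1
    elif [ ! -s "$1" ]; then
        echo "check_file_arg: $1: is empty" 1>&2
        return 1
    fi
    return 0
}

# Constructed fixture: an ordinary file, an empty file, a directory, and a
# name that does not exist, each run through check_file_arg.
demo_check_file_arg() {
    scratch=$(mktemp -d)
    printf 'hello\n' > "$scratch/data"
    : > "$scratch/empty"
    mkdir "$scratch/subdir"
    for f in data empty subdir missing; do
        if check_file_arg "$scratch/$f" 2>/dev/null; then
            echo "$f: ok"
        else
            echo "$f: rejected"
        fi
    done
    rm -rf "$scratch"
}
demo_check_file_arg
```

The order of the tests matters for the message, not for the result: -d is checked before -f only so that a directory gets a specific explanation instead of the generic "not an ordinary file" that /dev/null or a socket would receive.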
The usage message is commonly employed to specify the type and number of arguments the script takes. Many Linux utilities provide usage messages similar to the one in chkargs2. If you call a utility or other program with the wrong number or wrong kind of arguments, it will often display a usage message. Following is the usage message that cp displays when you call it without any arguments:

    $ cp
    cp: missing file operand
    Try 'cp --help' for more information.

if...then...else

The introduction of an else statement turns the if structure into the two-way branch shown in Figure 27-2. The if...then...else control structure has the following syntax:

    if test-command
    then
        commands
    else
        commands
    fi

Because a semicolon (;) ends a command just as a NEWLINE does, you can place then on the same line as if by preceding it with a semicolon. (Because if and then are separate builtins, they require a command separator between them; a semicolon and NEWLINE work equally well [page 304].) Some people prefer this notation for aesthetic reasons; others like it because it saves space.

    if test-command; then
        commands
    else
        commands
    fi

Figure 27-2 An if...then...else flowchart

If the test-command returns a true status, the if structure executes the commands between the then and else statements and then diverts control to the statement following fi. If the test-command returns a false status, the if structure executes the commands following the else statement.

When you run the out script with arguments that are filenames, it displays the files on the terminal. If the first argument is -v (called an option in this case), out uses less (page 162) to display the files one screen at a time. After determining that it was called with at least one argument, out tests its first argument to see whether it is -v.
If the result of the test is true (the first argument is -v), out uses the shift builtin (page 998) to shift the arguments to get rid of the -v and displays the files using less. If the result of the test is false (the first argument is not -v), the script uses cat to display the files:

    $ cat out
    if [ $# -eq 0 ]
    then
        echo "Usage: out [-v] filenames..." 1>&2
        exit 1
    fi
    if [ "$1" = "-v" ]
    then
        shift
        less -- "$@"
    else
        cat -- "$@"
    fi

Figure 27-3 An if...then...elif flowchart

if...then...elif

The if...then...elif control structure (Figure 27-3) has the following syntax:

    if test-command
    then
        commands
    elif test-command
    then
        commands
    else
        commands
    fi

The elif statement combines the else statement and the if statement and enables you to construct a nested set of if...then...else structures (Figure 27-3). The difference between the else statement and the elif statement is that each else statement must be paired with a fi statement, whereas multiple nested elif statements require only a single closing fi statement.

The following example shows an if...then...elif control structure. This shell script compares three words that the user enters. The first if statement uses the Boolean AND operator (-a) as an argument to test. The test builtin returns a true status only if the first and second logical comparisons are true (that is, word1 matches word2 and word2 matches word3).
If test returns a true status, the script executes the command following the next then statement, passes control to the statement following fi, and terminates:

    $ cat if3
    echo -n "word 1: "
    read word1
    echo -n "word 2: "
    read word2
    echo -n "word 3: "
    read word3

    if [ "$word1" = "$word2" -a "$word2" = "$word3" ]
    then
        echo "Match: words 1, 2, & 3"
    elif [ "$word1" = "$word2" ]
    then
        echo "Match: words 1 & 2"
    elif [ "$word1" = "$word3" ]
    then
        echo "Match: words 1 & 3"
    elif [ "$word2" = "$word3" ]
    then
        echo "Match: words 2 & 3"
    else
        echo "No match"
    fi

    $ ./if3
    word 1: apple
    word 2: orange
    word 3: pear
    No match
    $ ./if3
    word 1: apple
    word 2: orange
    word 3: apple
    Match: words 1 & 3
    $ ./if3
    word 1: apple
    word 2: apple
    word 3: apple
    Match: words 1, 2, & 3

If the three words are not the same, the structure passes control to the first elif, which begins a series of tests to see if any pair of words is the same. As the nesting continues, if any one of the if statements is satisfied, the structure passes control to the next then statement and subsequently to the statement following fi. Each time an elif statement is not satisfied, the structure passes control to the next elif statement. The double quotation marks around the arguments to echo that contain ampersands (&) prevent the shell from interpreting the ampersands as special characters.

optional
THE lnks SCRIPT

The following script, named lnks, demonstrates the if...then and if...then...elif control structures. This script finds hard links to its first argument, a filename. If you provide the name of a directory as the second argument, lnks searches for links in the directory hierarchy rooted at that directory. If you do not specify a directory, lnks searches the working directory and its subdirectories. This script does not locate symbolic links.
    $ cat lnks
    #!/bin/bash
    # Identify links to a file
    # Usage: lnks file [directory]

    if [ $# -eq 0 -o $# -gt 2 ]; then
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    fi
    if [ -d "$1" ]; then
        echo "First argument cannot be a directory." 1>&2
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    else
        file="$1"
    fi
    if [ $# -eq 1 ]; then
        directory="."
    elif [ -d "$2" ]; then
        directory="$2"
    else
        echo "Optional second argument must be a directory." 1>&2
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    fi

    # Check that file exists and is an ordinary file
    if [ ! -f "$file" ]; then
        echo "lnks: $file not found or special file" 1>&2
        exit 1
    fi

    # Check link count on file
    set -- $(ls -l "$file")
    linkcnt=$2
    if [ "$linkcnt" -eq 1 ]; then
        echo "lnks: no other hard links to $file" 1>&2
        exit 0
    fi

    # Get the inode of the given file
    set $(ls -i "$file")
    inode=$1

    # Find and print the files with that inode number
    echo "lnks: using find to search for links..." 1>&2
    find "$directory" -xdev -inum $inode -print

Max has a file named letter in his home directory. He wants to find links to this file in his and other users' home directory file trees. In the following example, Max calls lnks from his home directory to perform the search. The second argument to lnks, /home, is the pathname of the directory where he wants to start the search. The lnks script reports that /home/max/letter and /home/zach/draft are links to the same file:

    $ ./lnks letter /home
    lnks: using find to search for links...
    /home/max/letter
    /home/zach/draft

In addition to the if...then...elif control structure, lnks introduces other features that are commonly used in shell programs. The following discussion describes lnks section by section.

Specify the shell
The first line of the lnks script uses #! (page 302) to specify the shell that will execute the script:

    #!/bin/bash

In this chapter, the #! notation appears only in more complex examples.
It ensures that the proper shell executes the script, even when the user is running a different shell or the script is called from a script running a different shell.

Comments
The second and third lines of lnks are comments; the shell ignores text that follows a hashmark (#) up to the next NEWLINE character. These comments in lnks briefly identify what the file does and explain how to use it:

    # Identify links to a file
    # Usage: lnks file [directory]

Usage messages
The first if statement tests whether lnks was called with zero arguments or more than two arguments:

    if [ $# -eq 0 -o $# -gt 2 ]; then
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    fi

If either of these conditions is true, lnks sends a usage message to standard error and exits with a status of 1. The double quotation marks around the usage message prevent the shell from interpreting the brackets as special characters. The brackets in the usage message indicate that the directory argument is optional.

The second if statement tests whether the first command-line argument ($1) is a directory (the -d argument to test returns true if the file exists and is a directory):

    if [ -d "$1" ]; then
        echo "First argument cannot be a directory." 1>&2
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    else
        file="$1"
    fi

If the first argument is a directory, lnks displays a usage message and exits. If it is not a directory, lnks saves the value of $1 in the file variable because later in the script set resets the command-line arguments. If the value of $1 is not saved before the set command is issued, its value is lost.

Test the arguments
The next section of lnks is an if...then...elif statement:

    if [ $# -eq 1 ]; then
        directory="."
    elif [ -d "$2" ]; then
        directory="$2"
    else
        echo "Optional second argument must be a directory." 1>&2
        echo "Usage: lnks file [directory]" 1>&2
        exit 1
    fi

The first test-command determines whether the user specified a single argument on the command line.
If the test-command returns 0 (true), the directory variable is assigned the value of the working directory (.). If the test-command returns false, the elif statement tests whether the second argument is a directory. If it is a directory, the directory variable is set equal to the second command-line argument, $2. If $2 is not a directory, lnks sends a usage message to standard error and exits with a status of 1.

The next if statement in lnks tests whether $file does not exist. This test keeps lnks from wasting time looking for links to a nonexistent file. The test builtin, when called with the three arguments !, -f, and $file, evaluates to true if the file $file does not exist:

    [ ! -f "$file" ]

The ! operator preceding the -f argument to test negates its result, yielding false if the file $file does exist and is an ordinary file.

Next lnks uses set and ls -l to check the number of links $file has:

    # Check link count on file
    set -- $(ls -l "$file")
    linkcnt=$2
    if [ "$linkcnt" -eq 1 ]; then
        echo "lnks: no other hard links to $file" 1>&2
        exit 0
    fi

The set builtin uses command substitution (page 362) to set the positional parameters to the output of ls -l. The second field in this output is the link count, so the user-created variable linkcnt is set equal to $2. The -- used with set prevents set from interpreting as an option the first argument produced by ls -l (the first argument is the access permissions for the file and typically begins with -). The if statement checks whether $linkcnt is equal to 1; if it is, lnks displays a message and exits. Although this message is not truly an error message, it is redirected to standard error. The way lnks has been written, all informational messages are sent to standard error. Only the final product of lnks, the pathnames of links to the specified file, is sent to standard output, so you can redirect the output as you please.

If the link count is greater than 1, lnks goes on to identify the inode (page 1153) for $file.
As explained on page 229, comparing the inodes associated with filenames is a good way to determine whether the filenames are links to the same file. The lnks script uses set to set the positional parameters to the output of ls -i. The first argument to set is the inode number for the file, so the user-created variable named inode is assigned the value of $1:

    # Get the inode of the given file
    set $(ls -i "$file")
    inode=$1

Finally lnks uses the find utility to search for files having inode numbers that match $inode:

    # Find and print the files with that inode number
    echo "lnks: using find to search for links..." 1>&2
    find "$directory" -xdev -inum $inode -print

The find utility searches the directory hierarchy rooted at the directory specified by its first argument ($directory) for files that meet the criteria specified by the remaining arguments. In this example, the remaining arguments send the names of files having inodes matching $inode to standard output. Because files in different filesystems can have the same inode number yet not be linked, find must search only directories in the same filesystem as $directory. The -xdev (cross-device) argument prevents find from searching directories on other filesystems. Refer to page 226 for more information about filesystems and links.

The echo command preceding the find command in lnks, which tells the user that find is running, is included because find can take a long time to run. Because lnks does not include a final exit statement, the exit status of lnks is that of the last command it runs, find.

DEBUGGING SHELL SCRIPTS

When you are writing a script such as lnks, it is easy to make mistakes. You can use the shell's -x option to help debug a script. This option causes the shell to display each command before it runs the command. Tracing a script's execution in this way can give you information about where a problem lies.
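The two set $(ls ...) lines in lnks work because ls prints the link count and inode in fixed positions, but they break on a filename containing a SPACE (the fields shift) and on an inode that find later cannot tell apart from an identical number on another filesystem, which is why lnks needs -xdev. The following added example (not from the book) does the same job without parsing ls: it assumes the GNU coreutils stat -c %h format (hard-link count) and GNU find's -samefile test, both shipped with Ubuntu. The function names and the fixture files are this example's own.

```shell
# Print the hard-link count of an ordinary file; fail on anything else.
link_count() {
    if [ ! -f "$1" ]; then
        echo "link_count: $1 not found or special file" 1>&2
        return 1
    fi
    stat -c %h -- "$1"
}

# Print every path under $2 (default: the working directory) that is a hard
# link to $1.  find -samefile compares device and inode itself, so the inode
# never has to be extracted by hand and filenames with SPACEs survive intact.
find_links() {
    file=$1
    directory=${2:-.}
    if [ ! -d "$directory" ]; then
        echo "find_links: $directory is not a directory" 1>&2
        return 1
    fi
    count=$(link_count "$file") || return 1
    if [ "$count" -eq 1 ]; then
        echo "find_links: no other hard links to $file" 1>&2
        return 0
    fi
    find "$directory" -xdev -samefile "$file" -print
}

# Constructed fixture modelled on Max's letter: a file with one hard link
# under another user's directory, plus an unrelated file that must not match.
demo_find_links() {
    scratch=$(mktemp -d)
    mkdir "$scratch/max" "$scratch/zach"
    echo draft > "$scratch/max/my letter"
    ln "$scratch/max/my letter" "$scratch/zach/draft"
    echo other > "$scratch/zach/unrelated"
    echo "links: $(link_count "$scratch/max/my letter")"
    find_links "$scratch/max/my letter" "$scratch" | sed "s|^$scratch/||" | sort
    rm -rf "$scratch"
}
demo_find_links
```

The sed and sort in the demo only make the output independent of the scratch directory's name and of find's traversal order; find_links itself prints full pathnames exactly as lnks does.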
You can run lnks as in the previous example and cause the shell to display each command before it is executed. Either set the -x option for the current shell (set -x) so all scripts display commands as they are run or use the -x option to affect only the shell running the script called by the command line.

    $ bash -x lnks letter /home
    + '[' 2 -eq 0 -o 2 -gt 2 ']'
    + '[' -d letter ']'
    + file=letter
    + '[' 2 -eq 1 ']'
    + '[' -d /home ']'
    + directory=/home
    + '[' '!' -f letter ']'

PS4
Each command the script executes is preceded by the value of the PS4 variable, a plus sign (+) by default, so you can distinguish debugging output from script-produced output. You must export PS4 if you set it in the shell that calls the script. The next command sets PS4 to >>>> followed by a SPACE and exports it:

    $ export PS4='>>>> '

You can also set the -x option of the shell running the script by putting the following set command near the beginning of the script:

    set -x

Put set -x anywhere in the script you want to turn debugging on. Turn the debugging option off with a plus sign:

    set +x

The set -o xtrace and set +o xtrace commands do the same things as set -x and set +x, respectively.

for...in

The for...in control structure has the following syntax:

    for loop-index in argument-list
    do
        commands
    done

Figure 27-4 A for...in flowchart

The for...in structure (Figure 27-4) assigns the value of the first argument in the argument-list to the loop-index and executes the commands between the do and done statements. The do and done statements mark the beginning and end of the for loop. After it passes control to the done statement, the structure assigns the value of the second argument in the argument-list to the loop-index and repeats the commands. It then repeats the commands between the do and done statements one time for each argument in the argument-list.
When the structure exhausts the argument-list, it passes control to the statement following done.

The following for...in structure assigns apples to the user-created variable fruit and then displays the value of fruit, which is apples. Next the structure assigns oranges to fruit and repeats the process. When it exhausts the argument list, the structure transfers control to the statement following done, which displays a message.

    $ cat fruit
    for fruit in apples oranges pears bananas
    do
        echo "$fruit"
    done
    echo "Task complete."

    $ ./fruit
    apples
    oranges
    pears
    bananas
    Task complete.

The next script lists the names of the directory files in the working directory by looping through the files in the working directory and using test to determine which are directory files:

    $ cat dirfiles
    for i in *
    do
        if [ -d "$i" ]
        then
            echo "$i"
        fi
    done

The ambiguous file reference character * matches the names of all files (except hidden files) in the working directory. Prior to executing the for loop, the shell expands the * and uses the resulting list to assign successive values to the index variable i.

for

The for control structure has the following syntax:

    for loop-index
    do
        commands
    done

In the for structure, the loop-index takes on the value of each of the command-line arguments, one at a time. The for structure is the same as the for...in structure (Figure 27-4, page 967) except in terms of where it gets values for the loop-index. The for structure performs a sequence of commands, usually involving each argument in turn.

The following shell script shows a for structure displaying each command-line argument. The first line of the script, for arg, implies for arg in "$@", where the shell expands "$@" into a list of quoted command-line arguments "$1" "$2" "$3" and so on. The balance of the script corresponds to the for...in structure.
    $ cat for_test
    for arg
    do
        echo "$arg"
    done

    $ for_test candy gum chocolate
    candy
    gum
    chocolate

optional
THE whos SCRIPT

The following script, named whos, demonstrates the usefulness of the implied "$@" in the for structure. You give whos one or more users' full names or usernames as arguments, and whos displays information about the users. The whos script gets the information it displays from the first and fifth fields in the /etc/passwd file. The first field contains a username, and the fifth field typically contains the user's full name. You can provide a username as an argument to whos to identify the user's name or provide a name as an argument to identify the username. The whos script is similar to the finger utility, although whos delivers less information.

    $ cat whos
    #!/bin/bash
    if [ $# -eq 0 ]
    then
        echo "Usage: whos id..." 1>&2
        exit 1
    fi
    for id
    do
        mawk -F: '{print $1, $5}' /etc/passwd |
        grep -i "$id"
    done

In the next example, whos identifies the user whose username is chas and the user whose name is Marilou Smith:

    $ ./whos chas "Marilou Smith"
    chas Charles Casey
    msmith Marilou Smith

Use of "$@"
The whos script uses a for statement to loop through the command-line arguments. In this script the implied use of "$@" in the for loop is particularly beneficial because it causes the for loop to treat an argument that contains a SPACE as a single argument. This example encloses Marilou Smith in quotation marks, which causes the shell to pass it to the script as a single argument. Then the implied "$@" in the for statement causes the shell to regenerate the quoted argument Marilou Smith so that it is again treated as a single argument.

mawk
For each command-line argument, whos searches the /etc/passwd file. Inside the for loop, the mawk utility extracts the first ($1) and fifth ($5) fields from each line in /etc/passwd.
The -F: option causes mawk to use a colon (:) as a field separator when it reads /etc/passwd, allowing it to break each line into fields. The mawk command sets and uses the $1 and $5 arguments; they are included within single quotation marks and are not interpreted by the shell. Do not confuse these arguments with positional parameters, which correspond to command-line arguments. The first and fifth fields are sent to grep (page 166) via a pipe. The grep utility searches for $id (to which the shell has assigned the value of a command-line argument) in its input. The -i option causes grep to ignore case as it searches; grep displays each line in its input that contains $id.

| at the end of a line
An interesting syntactical exception that bash makes for the pipe symbol (|) appears on the line with the mawk command: You do not have to quote a NEWLINE that immediately follows a pipe symbol (that is, a pipe symbol that is the last character on a line) to keep the NEWLINE from executing a command. Try giving the command who | and pressing RETURN. The shell displays a secondary prompt. If you then enter sort followed by another RETURN, you see a sorted who list. The pipe works even though a NEWLINE follows the pipe symbol.

while

The while control structure has the following syntax:

    while test-command
    do
        commands
    done

As long as the test-command (Figure 27-5) returns a true exit status, the while structure continues to execute the series of commands delimited by the do and done statements. Before each loop through the commands, the structure executes the test-command. When the exit status of the test-command is false, the structure passes control to the statement after the done statement.

test builtin
The following shell script first initializes the number variable to zero. The test builtin then determines whether number is less than 10. The script uses test with the -lt argument to perform a numerical test.
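Two details of whos are worth seeing side by side: what the implied "$@" preserves that an unquoted $* would not, and what happens when an argument begins with a hyphen, since whos passes $id straight to grep, where -v or -i would be read as an option. The following added example (not from the book) counts loop iterations both ways and then runs the whos search over a constructed passwd-format text instead of /etc/passwd, with a -- before the pattern so grep stops option parsing. Function names and the sample records are this example's own; awk stands in for mawk.

```shell
# One iteration per argument: "for id" is short for for id in "$@".
count_with_at() {
    n=0
    for id; do n=$((n + 1)); done
    echo "$n"
}

# Unquoted $* joins the arguments and re-splits them on SPACEs.
count_with_star() {
    n=0
    for id in $*; do n=$((n + 1)); done
    echo "$n"
}

# Constructed /etc/passwd-style records (username:x:uid:gid:full name:home:shell).
PASSWD_SAMPLE='chas:x:1001:1001:Charles Casey:/home/chas:/bin/bash
msmith:x:1002:1002:Marilou Smith:/home/msmith:/bin/bash
max:x:1003:1003:Max -Helpful- Example:/home/max:/bin/bash'

# The whos search over PASSWD_SAMPLE.  -- ends option parsing so an id that
# starts with a hyphen is a pattern, not an option; -F matches it literally.
whos_sample() {
    if [ $# -eq 0 ]; then
        echo "Usage: whos_sample id..." 1>&2
        return 1
    fi
    for id; do
        printf '%s\n' "$PASSWD_SAMPLE" |
            awk -F: '{print $1, $5}' |
            grep -iF -- "$id"
    done
}

count_with_at   chas "Marilou Smith"    # 2
count_with_star chas "Marilou Smith"    # 3
whos_sample chas "Marilou Smith"        # chas Charles Casey / msmith Marilou Smith
whos_sample -Helpful-                   # without --, grep would reject -H as an option
```

The book's whos reads /etc/passwd directly, which is fine on a single host; on a system that resolves users through NSS (LDAP, SSSD) the same fields come from getent passwd, and the loop body is otherwise unchanged.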
For numerical comparisons, you must use -ne (not equal), -eq (equal), -gt (greater than), -ge (greater than or equal to), -lt (less than), or -le (less than or equal to). For string comparisons, use = (equal) or != (not equal) when you are working with test. In this example, test has an exit status of 0 (true) as long as number is less than 10. As long as test returns true, the structure executes the commands between the do and done statements. See page 955 for information on the test builtin.

Figure 27-5 A while flowchart

    $ cat count
    #!/bin/bash
    number=0
    while [ "$number" -lt 10 ]
    do
        echo -n "$number"
        ((number +=1))
    done
    echo

    $ ./count
    0123456789

The echo command following do displays number. The -n prevents echo from issuing a NEWLINE following its output. The next command uses arithmetic evaluation [((...)); page 1016] to increment the value of number by 1. The done statement terminates the loop and returns control to the while statement to start the loop over again. The final echo causes count to send a NEWLINE character to standard output, so the next prompt occurs in the leftmost column on the display (rather than immediately following 9).

optional
THE spell_check SCRIPT

The aspell utility checks the words in a file against a dictionary of correctly spelled words. With the list command, aspell runs in list mode: Input comes from standard input and aspell sends each potentially misspelled word to standard output. The following command produces a list of possible misspellings in the file letter.txt:

    $ aspell list < letter.txt
    quikly
    portible
    frendly

The next shell script, named spell_check, shows another use of a while structure. To find the incorrect spellings in a file, spell_check calls aspell to check a file against a system dictionary.
But it goes a step further: It enables you to specify a list of correctly spelled words and removes these words from the output of aspell. This script is useful for removing words that you use frequently, such as names and technical terms, that do not appear in a standard dictionary. Although you can duplicate the functionality of spell_check by using additional aspell dictionaries, the script is included here for its instructive value.

The spell_check script requires two filename arguments: the file containing the list of correctly spelled words and the file you want to check. The first if statement verifies that the user specified two arguments. The next two if statements verify that both arguments are readable files. (The exclamation point negates the sense of the following operator; the -r operator causes test to determine whether a file is readable. The result is a test that determines whether a file is not readable.)

    $ cat spell_check
    #!/bin/bash
    # remove correct spellings from aspell output

    if [ $# -ne 2 ]
    then
        echo "Usage: spell_check file1 file2" 1>&2
        echo "file1: list of correct spellings" 1>&2
        echo "file2: file to be checked" 1>&2
        exit 1
    fi

    if [ ! -r "$1" ]
    then
        echo "spell_check: $1 is not readable" 1>&2
        exit 1
    fi

    if [ ! -r "$2" ]
    then
        echo "spell_check: $2 is not readable" 1>&2
        exit 1
    fi

    aspell list < "$2" |
    while read line
    do
        if ! grep "^$line$" "$1" > /dev/null
        then
            echo $line
        fi
    done

The spell_check script sends the output from aspell (with the list argument, so it produces a list of misspelled words on standard output) through a pipe to standard input of a while structure, which reads one line at a time (each line has one word on it) from standard input. The test-command (that is, read line) returns a true exit status as long as it receives a line from standard input.
Inside the while loop, an if statement [1] monitors the return value of grep, which determines whether the line that was read is in the user's list of correctly spelled words. The pattern grep searches for (the value of $line) is preceded and followed by special characters that specify the beginning and end of a line (^ and $, respectively). These special characters ensure that grep finds a match only if the $line variable matches an entire line in the file of correctly spelled words. (Otherwise, grep would match a string, such as paul, in the output of aspell if the file of correctly spelled words contained the word paulson.) These special characters, together with the value of the $line variable, form a regular expression (Appendix A). The output of grep is redirected to /dev/null (page 250) because the output is not needed; only the exit code is important. The if statement checks the negated exit status of grep (the leading exclamation point negates or changes the sense of the exit status: true becomes false, and vice versa), which is 0 or true (false when negated) when a matching line is found. If the exit status is not 0 or false (true when negated), the word was not in the file of correctly spelled words. The echo builtin sends a list of words that are not in the file of correctly spelled words to standard output. Once it detects the EOF (end of file), the read builtin returns a false exit status, control passes out of the while structure, and the script terminates.

Before you use spell_check, create a file of correct spellings containing words you use frequently but that are not in a standard dictionary. For example, if you work for a company named Blinkenship and Klimowski, Attorneys, you would put Blinkenship and Klimowski in the file.
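The filtering loop of spell_check, as an added example that is not the book's code, with one change a practitioner would want: "^$line$" is a regular expression, so a word containing a character such as . or * would match lines other than itself, whereas grep -x -F compares the whole line literally; the footnote's -q replaces the redirection to /dev/null. read -r keeps backslashes in the input intact. The input is a constructed word list standing in for aspell's output, and the function names are this example's own.

```shell
# Read candidate words on standard input, one per line, and print those that
# do not appear as a whole line in the file of correct spellings $1.
remove_known_words() {
    while read -r line; do
        # -q: no output, exit status only; -x: match the whole line;
        # -F: treat $line as a literal string, not a regular expression;
        # --: a word that begins with a hyphen is still a pattern.
        if ! grep -qxF -- "$line" "$1"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed stand-in for "aspell list < memo" piped into the filter, with
# a word list that contains paulson but not paul.
demo_remove_known_words() {
    known=$(mktemp)
    printf '%s\n' Blinkenship Klimowski paulson > "$known"
    printf '%s\n' Blinkenship Klimowski targat hte paul |
        remove_known_words "$known"
    rm -f "$known"
}
demo_remove_known_words
```

paul survives the filter because -x insists on a whole-line match, exactly the case the book's ^ and $ anchors are there to handle; the -F flag adds the guarantee that the candidate word is never interpreted as a pattern.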
The following example shows how spell_check checks the spelling in a file named memo and removes Blinkenship and Klimowski from the output list of incorrectly spelled words:

    $ aspell list < memo
    Blinkenship
    Klimowski
    targat
    hte
    $ cat word_list
    Blinkenship
    Klimowski
    $ ./spell_check word_list memo
    targat
    hte

Refer to the aspell manual (in the /usr/share/doc/aspell directory or at aspell.net) for more information.

1. This if statement can also be written as

    if ! grep -qw "$line" "$1"

The -q option suppresses the output from grep so it returns only an exit code. The -w option causes grep to match only a whole word.

until

The until and while structures are very similar, differing only in the sense of the test performed at the top of the loop. Figure 27-6 shows that until continues to loop until the test-command returns a true exit status. The while structure loops while the test-command continues to return a true or nonerror condition. The until control structure has the following syntax:

    until test-command
    do
        commands
    done

The following script demonstrates an until structure that includes read. When the user enters the correct string of characters, the test-command is satisfied and the structure passes control out of the loop.

    $ cat until1
    secretname=zach
    name=noname
    echo "Try to guess the secret name!"
    echo
    until [ "$name" = "$secretname" ]
    do
        echo -n "Your guess: "
        read name
    done
    echo "Very good."

    $ ./until1
    Try to guess the secret name!

    Your guess: helen
    Your guess: barbara
    Your guess: rachael
    Your guess: zach
    Very good.

The following locktty script is similar to the lock command on Berkeley UNIX and the Lock Screen menu selection in GNOME. The script prompts for a key (password) and uses an until control structure to lock the terminal.
The until statement causes the system to ignore any characters typed at the keyboard until the user types the key followed by a RETURN on a line by itself, which unlocks the terminal. The locktty script can keep people from using your terminal while you are away from it for short periods of time. It saves you from having to log out if you are concerned about other users using your login.

    $ cat locktty
    #! /bin/bash
    trap '' HUP INT QUIT TSTP
    stty -echo
    echo -n "Key: "
    read key_1
    echo
    echo -n "Again: "
    read key_2
    echo
    key_3=
    if [ "$key_1" = "$key_2" ]
        then
            tput clear
            until [ "$key_3" = "$key_2" ]
            do
                read key_3
            done
        else
            echo "locktty: keys do not match" 1>&2
    fi
    stty echo

tip: Forget your password for locktty?
If you forget your key (password), you will need to log in from another (virtual) terminal and kill the process running locktty.

trap builtin: The trap builtin (page 1009) at the beginning of the locktty script stops a user from being able to terminate the script by sending it a signal (for example, by pressing the interrupt key). Ignoring SIGTSTP means that no one can use CONTROL-Z (job control, a stop from a tty) to defeat the lock. The original listing named the signals by number, as trap '' 1 2 3 18; those numbers are SIGHUP, SIGINT, SIGQUIT and, on BSD-derived systems, SIGTSTP. On Linux, however, signal 18 is SIGCONT and the tty stop signal is number 20, so the listing above uses the signal names (HUP, INT, QUIT, TSTP), which are the same on every system. Note that trap can neither catch nor ignore SIGKILL, which is why the tip above works. Table 27-5 on page 1009 provides a list of signals.

The stty -echo command causes the terminal not to display characters typed at the keyboard, preventing the key the user enters from appearing on the screen. After turning off keyboard echo, the script prompts the user for a key, reads it into the user-created variable key_1, prompts the user to enter the same key again, and saves it in key_2. The statement key_3= creates a variable with a NULL value. If key_1 and key_2 match, locktty clears the screen (with the tput command) and starts an until loop. The until loop keeps attempting to read from the terminal and assigning the input to the key_3 variable.
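What the trap builtin in locktty does and does not protect against, as an added example (not code from the book). Each helper runs a child bash so that the signal is delivered to a fresh process and the result can be observed as output or as an exit status; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: what "trap '' signal" protects a script
# such as locktty against, and what it cannot protect against. Each helper
# starts a child bash so the signal goes to a separate process.

# The child ignores SIGINT (what the interrupt key sends), signals itself,
# and lives to print "survived".
survives_interrupt() {
    bash -c 'trap "" INT; kill -INT $$; echo survived'
}

# The same with SIGTSTP ignored: CONTROL-Z (a stop from the tty) cannot
# suspend it. On Linux SIGTSTP is signal 20; using the name avoids the
# BSD-versus-Linux numbering difference.
survives_tstp() {
    bash -c 'trap "" TSTP; kill -TSTP $$; echo survived'
}

# SIGKILL cannot be trapped or ignored: the child dies and the parent sees
# exit status 128+9 = 137. This is why locktty can always be killed from
# another terminal.
killed_status() {
    local rc=0
    bash -c 'trap "" HUP INT QUIT TSTP; kill -KILL $$; echo unreachable' || rc=$?
    echo "$rc"
}

# An EXIT trap runs its commands however the script ends, including when a
# signal that is not ignored (here SIGTERM) terminates it. locktty would use
# this to run "stty echo" so the terminal is never left with echo turned off;
# the echo below stands in for that stty command.
cleanup_runs_on_term() {
    local out
    out=$(bash -c 'trap "echo echo-restored" EXIT
                   trap "exit 143" TERM
                   kill -TERM $$
                   echo unreachable')
    echo "$out"
}
```

In locktty itself the equivalent of the last function is a line such as trap 'stty echo' EXIT placed right after the trap '' line; without it, killing the script from another terminal leaves the locked terminal with echo off until the user types stty echo blind.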
Once the user types a string that matches one of the original keys (key_2), the until loop terminates and keyboard echo is turned on again.

break AND continue

You can interrupt a for, while, or until loop by using a break or continue statement. The break statement transfers control to the statement after the done statement, thereby terminating execution of the loop. The continue command transfers control to the done statement, continuing execution of the loop.

The following script demonstrates the use of these two statements. The for...in structure loops through the values 1-10. The first if statement executes its commands when the value of the index is less than or equal to 3 ($index -le 3). The second if statement executes its commands when the value of the index is greater than or equal to 8 ($index -ge 8). In between the two ifs, echo displays the value of the index. For all values up to and including 3, the first if statement displays continue, executes a continue statement that skips echo $index and the second if statement, and continues with the next for statement. For the value of 8, the second if statement displays break and executes a break statement that exits from the for loop.

    $ cat brk
    for index in 1 2 3 4 5 6 7 8 9 10
        do
        if [ $index -le 3 ] ; then
            echo "continue"
            continue
        fi
    #
        echo $index
    #
        if [ $index -ge 8 ] ; then
            echo "break"
            break
        fi
    done

    $ ./brk
    continue
    continue
    continue
    4
    5
    6
    7
    8
    break

case

The case structure (Figure 27-7, next page) is a multiple-branch decision mechanism. The path taken through the structure depends on a match or lack of a match between the test-string and one of the patterns. The case control structure has the following syntax:

    case test-string in
        pattern-1)
            commands-1
            ;;
        pattern-2)
            commands-2
            ;;
        pattern-3)
            commands-3
            ;;
    esac

The following case structure examines the character the user enters as the test-string. This value is held in the variable letter.
If the test-string has a value of A, the structure executes the command following the pattern A. The right parenthesis is part of the case control structure, not part of the pattern. If the test-string has a value of B or C, the structure executes the command following the matching pattern. The asterisk (*) indicates any string of characters and serves as a catchall in case there is no match. If no pattern matches the test-string and if there is no catchall (*) pattern, control passes to the command following the esac statement, without the case structure taking any action.

    $ cat case1
    echo -n "Enter A, B, or C: "
    read letter
    case "$letter" in
        A)
            echo "You entered A"
            ;;
        B)
            echo "You entered B"
            ;;
        C)
            echo "You entered C"
            ;;
        *)
            echo "You did not enter A, B, or C"
            ;;
    esac

    $ ./case1
    Enter A, B, or C: B
    You entered B

Figure 27-7 A case flowchart

The next execution of case1 shows the user entering a lowercase b. Because the test-string b does not match the uppercase B pattern (or any other pattern in the case statement), the program executes the commands following the catchall pattern and displays a message:

    $ ./case1
    Enter A, B, or C: b
    You did not enter A, B, or C

The pattern in the case structure is analogous to an ambiguous file reference. It can include any special characters and strings shown in Table 27-2. The next script accepts both uppercase and lowercase letters:

    $ cat case2
    echo -n "Enter A, B, or C: "
    read letter
    case "$letter" in
        a|A)
            echo "You entered A"
            ;;
        b|B)
            echo "You entered B"
            ;;
        c|C)
            echo "You entered C"
            ;;
        *)
            echo "You did not enter A, B, or C"
            ;;
    esac

    $ ./case2
    Enter A, B, or C: b
    You entered B

Table 27-2   Patterns

    Pattern   Function
    *         Matches any string of characters. Use for the default case.
    ?         Matches any single character.
    [...]     Defines a character class. Any characters enclosed within brackets are tried, one at a time, in an attempt to match a single character.
              A hyphen between two characters specifies a range of characters.
    |         Separates alternative choices that satisfy a particular branch of the case structure.

optional: The following example shows how you can use the case structure to create a simple menu. The command_menu script uses echo to present menu items and prompt the user for a selection. (The select control structure [page 983] is a much easier way of coding a menu.) The case structure then executes the appropriate utility depending on the user's selection.

    $ cat command_menu
    #!/bin/bash
    # menu interface to simple commands

    echo -e "\n              COMMAND MENU\n"
    echo "  a. Current date and time"
    echo "  b. Users currently logged in"
    echo "  c. Name of the working directory"
    echo -e "  d. Contents of the working directory\n"

    echo -n "Enter a, b, c, or d: "
    read answer
    echo
    #
    case "$answer" in
        a)
            date
            ;;
        b)
            who
            ;;
        c)
            pwd
            ;;
        d)
            ls
            ;;
        *)
            echo "There is no selection: $answer"
            ;;
    esac

    $ ./command_menu

                  COMMAND MENU

      a. Current date and time
      b. Users currently logged in
      c. Name of the working directory
      d. Contents of the working directory

    Enter a, b, c, or d: a

    Wed Jan  6 12:31:12 PST 2010

echo -e: The -e option causes echo to interpret \n as a NEWLINE character. If you do not include this option, echo does not output the extra blank lines that make the menu easy to read but instead outputs the (literal) two-character sequence \n. The -e option causes echo to interpret several other backslash-quoted characters (Table 27-3). Remember to quote (i.e., place double quotation marks around the string) the backslash-quoted character so the shell does not interpret it but passes the backslash and the character to echo. See xpg_echo (page 355) for a way to avoid using the -e option.
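The patterns of Table 27-2 put to a second use, as an added example that is not from the book: a case statement is also the cheapest way for a script to validate a string before passing it to a command, because the catchall branch rejects everything the script did not expect. The functions valid_filename, menu_choice and filename_report, and the constructed inputs in filename_report, are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: using case patterns (Table 27-2) to
# validate input before acting on it, the way command_menu dispatches on a
# letter. A script that hands a user-supplied string to a command should
# accept only what it expects; a case statement with a catchall does that
# without any external utility.

# Accepts a plain filename: not empty, not . or .., no leading dash, no
# slash, and nothing outside letters, digits, dot, underscore and hyphen.
# Returns 0 (true) if the name is acceptable, 1 otherwise.
valid_filename() {
    case $1 in
        "" | . | ..)          return 1 ;;   # empty or directory shortcuts
        -*)                   return 1 ;;   # would be parsed as an option
        */*)                  return 1 ;;   # path components not allowed
        *[!A-Za-z0-9._-]*)    return 1 ;;   # any character outside the class
        *)                    return 0 ;;
    esac
}

# Classifies a menu answer as command_menu does, but accepts both cases and
# a spelled-out form; prints the name of the utility to run.
menu_choice() {
    case $1 in
        a | A | date)   echo date ;;
        b | B | who)    echo who ;;
        c | C | pwd)    echo pwd ;;
        d | D | ls)     echo ls ;;
        [0-9])          echo "numeric choice $1 is not a menu item" ;;
        *)              echo "There is no selection: $1" ;;
    esac
}

# Runs a few constructed inputs through valid_filename and prints one
# "ok" or "bad" per input, in order.
filename_report() {
    local name out=
    for name in memo.txt "-rf" "../etc/passwd" "a b" "report_2010-01.log" ""
    do
        if valid_filename "$name"; then out="$out ok"; else out="$out bad"; fi
    done
    echo "${out# }"
}
```

The word after case is not subject to word splitting, so $1 may be left unquoted there, but the patterns are: the bracket expression must be written exactly as shown, or a filename such as "a b" slips through.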
Table 27-3   Special characters in echo (must use -e)

    Quoted character   echo displays
    \a                 Alert (bell)
    \b                 BACKSPACE
    \c                 Suppress trailing NEWLINE
    \f                 FORMFEED
    \n                 NEWLINE
    \r                 RETURN
    \t                 Horizontal TAB
    \v                 Vertical TAB
    \\                 Backslash
    \nnn               The character with the ASCII octal code nnn; if nnn is not valid, echo displays the string literally

You can also use the case control structure to take various actions in a script, depending on how many arguments the script is called with. The following script, named safedit, uses a case structure that branches based on the number of command-line arguments ($#). It saves a backup copy of a file you are editing with vim.

    $ cat safedit
    #!/bin/bash
    PATH=/bin:/usr/bin
    script=$(basename $0)

    case $# in
        0)
            vim.tiny
            exit 0
            ;;
        1)
            if [ ! -f "$1" ]
                then
                    vim.tiny "$1"
                    exit 0
            fi
            if [ ! -r "$1" -o ! -w "$1" ]
                then
                    echo "$script: check permissions on $1" 1>&2
                    exit 1
                else
                    editfile=$1
            fi
            if [ ! -w "." ]
                then
                    echo "$script: backup cannot be " \
                        "created in the working directory" 1>&2
                    exit 1
            fi
            ;;
        *)
            echo "Usage: $script [file-to-edit]" 1>&2
            exit 1
            ;;
    esac

    tempfile=/tmp/$$.$script
    cp $editfile $tempfile
    if vim.tiny $editfile
        then
            mv $tempfile bak.$(basename $editfile)
            echo "$script: backup file created"
        else
            mv $tempfile editerr
            echo "$script: edit error--copy of " \
                "original file is in editerr" 1>&2
    fi

If you call safedit without any arguments, the case structure executes its first branch and calls vim without a filename argument. Because an existing file is not being edited, safedit does not create a backup file. If you call safedit with one argument, it runs the commands in the second branch of the case structure and verifies that the file specified by $1 does not yet exist or is the name of a file for which the user has read and write permission.
The safedit script also verifies that the user has write permission for the working directory. If the user calls safedit with more than one argument, the third branch of the case structure presents a usage message and exits with a status of 1.

Set PATH: In addition to using a case structure for branching based on the number of command-line arguments, the safedit script introduces several other features. At the beginning of the script, the PATH variable is set to search /bin and /usr/bin. Setting PATH in this way ensures that the commands executed by the script are standard utilities, which are kept in those directories. By setting this variable inside a script, you can avoid the problems that might occur if users have set PATH to search their own directories first and have scripts or programs with the same names as the utilities the script calls. You can also include absolute pathnames within a script to achieve this end, although this practice can make a script less portable.

Name of the program: The next line creates a variable named script and uses command substitution to assign the simple filename of the script to it:

    script=$(basename $0)

The basename utility sends the simple filename component of its argument to standard output, which is assigned to the script variable, using command substitution. The $0 holds the command the script was called with (page 997). No matter which of the following commands the user calls the script with, the output of basename is the simple filename safedit:

    $ /home/max/bin/safedit memo
    $ ./safedit memo
    $ safedit memo

After the script variable is set, it replaces the filename of the script in usage and error messages. By using a variable that is derived from the command that invoked the script rather than a filename that is hardcoded into the script, you can create links to the script or rename it, and the usage and error messages will still provide accurate information.
Naming temporary files: Another feature of safedit relates to the use of the $$ parameter in the name of a temporary file. The statement following the esac statement creates and assigns a value to the tempfile variable. This variable contains the name of a temporary file that is stored in the /tmp directory, as are many temporary files. The temporary filename begins with the PID number of the shell and ends with the name of the script. Using the PID number ensures that the filename is unique among processes running at the same time. Thus safedit will not attempt to overwrite an existing file, as might happen if two people were using safedit at the same time. The name of the script is appended so that, should the file be left in /tmp for some reason, you can figure out where it came from.

The PID keeps two honest users from colliding, but it is not a safety measure: /tmp is writable by everyone and PIDs are easy to predict, so another user who creates /tmp/<pid>.safedit (or a symbolic link by that name that points at one of your files) before cp runs can make the script write through it. A script that must be safe against other users on the system should create its temporary files with mktemp, which chooses an unpredictable name and creates the file itself with permissions that allow access only to the owner.

The PID number is used in front of, rather than after, $script in the filename because of the 14-character limit placed on filenames by some older versions of UNIX. Linux systems do not have this limitation. Because the PID number ensures the uniqueness of the filename, it is placed first so that it cannot be truncated. (If the $script component is truncated, the filename is still unique.) For the same reason, when a backup file is created inside the if control structure a few lines down in the script, the filename consists of the string bak. followed by the name of the file being edited. On an older system, if bak were used as a suffix rather than a prefix and the original filename were 14 characters long, .bak might be lost and the original file would be overwritten. The basename utility extracts the simple filename of $editfile before it is prefixed with bak.

The safedit script uses an unusual test-command in the if structure: vim.tiny $editfile. The test-command calls vim to edit $editfile. When you finish editing the file and exit from vim, vim returns an exit code. The if control structure uses that exit code to determine which branch to take.
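The temporary-file step of safedit, redone with mktemp as an added example (not code from the book). It copies the file to be edited into a temporary file whose name an attacker cannot guess in advance and that is created with owner-only permissions, and it uses a trap so the file is removed however the work ends. The functions make_temp_copy, mode_of and demo, and the sample memo file that demo constructs, are the example's own; the example assumes a GNU or BSD stat utility for the permission check.

```shell
#!/bin/bash
# Added example, not from the book: the temporary-file handling of safedit
# rewritten so that it does not depend on a predictable name. /tmp is
# world-writable and a PID is easy to guess, so another user could create
# /tmp/<pid>.safedit (or a symlink by that name pointing at one of your
# files) before cp runs; cp would then write through it. mktemp(1) creates
# the file itself, with a random name and mode 0600, so that cannot happen.

# Copy $1 to a fresh temporary file and print the temporary file's name.
make_temp_copy() {
    local src=$1 tmp
    [ -r "$src" ] || { echo "make_temp_copy: cannot read $src" 1>&2; return 1; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/safedit.XXXXXX") || return 1
    # cp writes into the file mktemp already created and owns;
    # "--" keeps a filename beginning with "-" from being read as an option
    cp -- "$src" "$tmp" || { rm -f -- "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Permission bits of a file as an octal string (GNU stat first, BSD stat
# as the fallback).
mode_of() {
    stat -c %a -- "$1" 2>/dev/null || stat -f %Lp -- "$1"
}

# Demonstration: build a small memo file (constructed sample), copy it, and
# report the copy's mode, whether it matches the original, and that its name
# is not the PID-based one. The EXIT trap removes everything afterwards.
demo() {
    local dir src tmp
    dir=$(mktemp -d) || return 1
    src=$dir/memo
    printf 'draft memo\n' > "$src"
    tmp=$(make_temp_copy "$src") || { rm -rf -- "$dir"; return 1; }
    trap 'rm -f -- "$tmp"; rm -rf -- "$dir"' EXIT
    printf '%s %s %s\n' "$(mode_of "$tmp")" \
        "$(cmp -s -- "$src" "$tmp" && echo same)" \
        "$( [ "$tmp" != "/tmp/$$.safedit" ] && echo unpredictable)"
}
```

The same change applies to the sortmerg script later in this chapter, which also builds its temporary filenames from $$.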
If the editing session completed successfully, vim returns 0 and the statements following the then statement are executed. If vim does not terminate normally (as would occur if the user killed [page 455] the vim process), vim returns a nonzero exit status and the script executes the statements following else.

select

The select control structure is based on the one found in the Korn Shell. It displays a menu, assigns a value to a variable based on the user's choice of items, and executes a series of commands. The select control structure has the following syntax:

    select varname [in arg ...]
    do
        commands
    done

The select structure displays a menu of the arg items. If you omit the keyword in and the list of arguments, select uses the positional parameters in place of the arg items. The menu is formatted with numbers before each item. For example, a select structure that begins with

    select fruit in apple banana blueberry kiwi orange watermelon STOP

displays the following menu:

    1) apple       3) blueberry   5) orange      7) STOP
    2) banana      4) kiwi        6) watermelon

The select structure uses the values of the LINES and COLUMNS variables to specify the size of the display. (LINES has a default value of 24; COLUMNS has a default value of 80.) With COLUMNS set to 20, the menu looks like this:

    1) apple
    2) banana
    3) blueberry
    4) kiwi
    5) orange
    6) watermelon
    7) STOP

PS3: After displaying the menu, select displays the value of PS3, the select prompt. The default value of PS3 is #?, but it is typically set to a more meaningful value. When you enter a valid number (one in the menu range) in response to the PS3 prompt, select sets varname to the argument corresponding to the number you entered. An invalid entry causes the shell to set varname to null. Either way select stores your response in the keyword variable REPLY and then executes the commands between do and done.
If you press RETURN without entering a choice, the shell redisplays the menu and the PS3 prompt. The select structure continues to issue the PS3 prompt and execute the commands until something causes it to exit, typically a break or exit statement. A break statement exits from the loop and an exit statement exits from the script. The following script illustrates the use of select:

    $ cat fruit2
    #!/bin/bash
    PS3="Choose your favorite fruit from these possibilities: "
    select FRUIT in apple banana blueberry kiwi orange watermelon STOP
    do
        if [ "$FRUIT" == "" ]; then
            echo -e "Invalid entry.\n"
            continue
        elif [ $FRUIT = STOP ]; then
            echo "Thanks for playing!"
            break
        fi
    echo "You chose $FRUIT as your favorite."
    echo -e "That is choice number $REPLY.\n"
    done

    $ ./fruit2
    1) apple       3) blueberry   5) orange      7) STOP
    2) banana      4) kiwi        6) watermelon
    Choose your favorite fruit from these possibilities: 3
    You chose blueberry as your favorite.
    That is choice number 3.

    Choose your favorite fruit from these possibilities: 99
    Invalid entry.

    Choose your favorite fruit from these possibilities: 7
    Thanks for playing!

After setting the PS3 prompt and establishing the menu with the select statement, fruit2 executes the commands between do and done. If the user submits an invalid entry, the shell sets varname ($FRUIT) to a null value. If $FRUIT is null, echo displays an error; continue then causes the shell to redisplay the PS3 prompt. If the entry is valid, the script tests whether the user wants to stop. If so, echo displays a message and break exits from the select structure (and from the script). If the user enters a valid response and does not want to stop, the script displays the name and number of the user's response. (See page 980 for information about the echo -e option.)

HERE DOCUMENT

A Here document allows you to redirect input to a shell script from within the shell script itself.
A Here document is so named because it is here, immediately accessible in the shell script, instead of there, perhaps in another file. The following script, named birthday, contains a Here document. The two less than symbols (<<) in the first line indicate a Here document follows. One or more characters that delimit the Here document follow the less than symbols; this example uses a plus sign. Whereas the opening delimiter must appear adjacent to the less than symbols, the closing delimiter must be on a line by itself. The shell sends everything between the two delimiters to the process as standard input. In the example it is as though you have redirected standard input to grep from a file, except that the file is embedded in the shell script:

    $ cat birthday
    grep -i "$1" <<+
    Max        June 22
    Barbara    February 3
    Darlene    May 8
    Helen      March 13
    Zach       January 23
    Nancy      June 26
    +

    $ ./birthday Zach
    Zach       January 23
    $ ./birthday june
    Max        June 22
    Nancy      June 26

When you run birthday, it lists all the Here document lines that contain the argument you called it with. In this case the first time birthday is run, it displays Zach's birthday because it is called with an argument of Zach. The second run displays all the birthdays in June. The -i argument causes grep's search not to be case sensitive.

optional: The next script, named bundle, [2] includes a clever use of a Here document. The bundle script is an elegant example of a script that creates a shell archive (shar) file.
The script creates a file that is itself a shell script containing several other files as well as the code to re-create the original files:

    $ cat bundle
    #!/bin/bash
    # bundle: group files into distribution package
    echo "# To unbundle, bash this file"
    for i
    do
        echo "echo $i 1>&2"
        echo "cat >$i <<'End of $i'"
        cat $i
        echo "End of $i"
    done

Just as the shell does not treat special characters that occur in standard input of a shell script as special, so the shell does not treat the special characters that occur between the delimiters in a Here document as special. The single quotation marks around the delimiter ('End of $i') in the cat line are what guarantee this: with a quoted delimiter, the shell performs no parameter expansion or command substitution on the body of the Here document, so the contents of the bundled files are restored exactly, even if they contain $ or backquotes.

As the following example shows, the output of bundle is a shell script, which is redirected to a file named bothfiles. It contains the contents of each file given as an argument to bundle (file1 and file2 in this case) inside a Here document. To extract the original files from bothfiles, you simply give it as an argument to a bash command. Before each Here document is a cat command that causes the Here document to be written to a new file when bothfiles is run:

    $ cat file1
    This is a file.
    It contains two lines.
    $ cat file2
    This is another file.
    It contains three lines.

    $ ./bundle file1 file2 > bothfiles
    $ cat bothfiles
    # To unbundle, bash this file
    echo file1 1>&2
    cat >file1 <<'End of file1'
    This is a file.
    It contains two lines.
    End of file1
    echo file2 1>&2
    cat >file2 <<'End of file2'
    This is another file.
    It contains three lines.
    End of file2

2. Thanks to Brian W. Kernighan and Rob Pike, The Unix Programming Environment (Englewood Cliffs, N.J.: Prentice-Hall, 1984), 98. Reprinted with permission.

In the next example, file1 and file2 are removed before bothfiles is run. The bothfiles script echoes the names of the files it creates as it creates them.
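The effect of the quoted delimiter in bundle, shown as an added example (not the book's code): the same archive is written once with the quoted delimiter and once with an unquoted one, and a constructed file whose contents look like shell code is restored from each. The functions make_bundle, make_unsafe_bundle and demo, the delimiter END_OF_FILE, and the sample file contents are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: the bundle technique with the quoting of
# the Here document delimiter made explicit. A shar file is a program, and
# "bash bothfiles" executes whatever it contains. Quoting the delimiter, as
# bundle does with 'End of $i', is what stops the shell from expanding
# $variables and $(commands) that happen to appear inside the bundled files
# when the archive is unpacked. The unquoted form turns file contents into
# code that runs on the unpacking user's machine.

# Write a shar-style script for the named files to standard output
# (the book's bundle, with -- so that a filename cannot be read as an option).
make_bundle() {
    local f
    echo "# To unbundle, bash this file"
    for f
    do
        echo "echo $f 1>&2"
        echo "cat >$f <<'End of $f'"    # quoted delimiter: no expansion
        cat -- "$f"
        echo "End of $f"
    done
}

# The same archive written with an unquoted delimiter, for comparison only.
make_unsafe_bundle() {
    local f
    for f
    do
        echo "cat >$f <<END_OF_FILE"     # unquoted: contents are expanded
        cat -- "$f"
        echo "END_OF_FILE"
    done
}

# Round trip one constructed file whose contents look like shell code and
# print what each archive restored: first the safe one, then the unsafe one.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'keep $(echo pwned) ${bundle_demo_unset:-expanded}\n' > file1
        make_bundle file1 > bothfiles
        make_unsafe_bundle file1 > unsafe
        rm file1
        bash bothfiles 2>/dev/null
        safe=$(cat file1)
        rm file1
        bash unsafe
        printf '%s\n%s\n' "$safe" "$(cat file1)"
    )
    rm -rf "$dir"
}
```

The first line demo prints is the file content unchanged; the second shows the command substitution and the parameter expansion having run during unpacking. Whichever form you use, a shar file from someone else is still a script, and reading it before running it is the only real protection.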
The ls command then shows that bothfiles has re-created file1 and file2:

    $ rm file1 file2
    $ bash bothfiles
    file1
    file2
    $ ls
    bothfiles  file1  file2

FILE DESCRIPTORS

As discussed on page 297, before a process can read from or write to a file, it must open that file. When a process opens a file, Linux associates a number (called a file descriptor) with the file. A file descriptor is an index into the process's table of open files. Each process has its own set of open files and its own file descriptors. After opening a file, a process reads from and writes to that file by referring to its file descriptor. When it no longer needs the file, the process closes the file, freeing the file descriptor.

A typical Linux process starts with three open files: standard input (file descriptor 0), standard output (file descriptor 1), and standard error (file descriptor 2). Often these are the only files the process needs. Recall that you redirect standard output with the symbol > or the symbol 1> and that you redirect standard error with the symbol 2>. Although you can redirect other file descriptors, because file descriptors other than 0, 1, and 2 do not have any special conventional meaning, it is rarely useful to do so. The exception is in programs that you write yourself, in which case you control the meaning of the file descriptors and can take advantage of redirection.

Opening a file descriptor: The Bourne Again Shell opens files using the exec builtin as follows:

    exec n> outfile
    exec m< infile

The first line opens outfile for output and holds it open, associating it with file descriptor n. The second line opens infile for input and holds it open, associating it with file descriptor m.

Duplicating a file descriptor: The <& token duplicates an input file descriptor; >& duplicates an output file descriptor.
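The exec forms just described, worked through as an added example that is not from the book: a descriptor is opened for input and read line by line, a child process is shown reading through a descriptor it inherited (and failing once the descriptor is closed), and a duplicate of standard output is used to get a line past a redirection. The data file is constructed inline, and the function names first_two_lines, child_inherits, dup_stdout and demo are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: opening, reading, duplicating, inheriting
# and closing file descriptors with exec. The data file is constructed inline.

# Print the first two lines of $1 as "a,b", reading through descriptor 3.
first_two_lines() {
    local a b
    [ -r "$1" ] || return 1
    exec 3< "$1"              # open for input on fd 3
    read -r a <&3             # each read consumes one line from fd 3
    read -r b <&3
    exec 3<&-                 # close fd 3
    printf '%s,%s\n' "$a" "$b"
}

# A child process inherits every descriptor the shell has open: the child
# bash below reads the file through fd 3 without ever opening it. After
# "exec 3<&-" the same child finds fd 3 closed. Descriptors left open this
# way leak files (and sockets) into subprocesses that have no need of them;
# close them before invoking anything you do not control.
child_inherits() {
    local before after
    exec 3< "$1"
    before=$(bash -c 'head -n 1 <&3')
    exec 3<&-
    after=$(bash -c '{ head -n 1 <&3; } 2>/dev/null || echo closed')
    printf '%s|%s\n' "$before" "$after"
}

# Duplication: fd 4 is made a copy of standard output, so a line written to
# fd 4 still reaches the caller even while fd 1 is redirected to /dev/null.
dup_stdout() {
    exec 4>&1
    {
        echo "lost"           # goes to /dev/null
        echo "via fd 4" >&4   # goes to the original standard output
    } > /dev/null
    exec 4>&-
}

demo() {
    local dir file
    dir=$(mktemp -d) || return 1
    file=$dir/data
    printf 'alpha\nbeta\ngamma\n' > "$file"    # constructed sample
    first_two_lines "$file"
    child_inherits "$file"
    dup_stdout
    rm -rf "$dir"
}
```

Because the child and the parent share one open file description, reads in the child advance the offset the parent sees as well; the first function closes fd 3 before the second opens it again for that reason.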
You can duplicate a file descriptor by making it refer to the same file as another open file descriptor, such as standard input or output. Use the following format to open or redirect file descriptor n as a duplicate of file descriptor m:

    exec n<&m

Once you have opened a file, you can use it for input and output in two ways. First, you can use I/O redirection on any command line, redirecting standard output to a file descriptor with >&n or redirecting standard input from a file descriptor with <&n. Second, you can use the read (page 1003) and echo builtins. If you invoke other commands, including functions (page 349), they inherit these open files and file descriptors. When you have finished using a file, you can close it using

    exec n<&-

When you invoke the shell function in the next example, named mycp, with two arguments, it copies the file named by the first argument to the file named by the second argument. If you supply only one argument, the script copies the file named by the argument to standard output. If you invoke mycp with no arguments, it copies standard input to standard output.

tip: A function is not a shell script
The mycp example is a shell function; it will not work as you expect if you execute it as a shell script. (It will work: The function will be created in a very short-lived subshell, which is probably of little use.) You can enter this function from the keyboard. If you put the function in a file, you can run it as an argument to the . (dot) builtin (page 296). You can also put the function in a startup file if you want it to be always available (page 351).
    function mycp () {
        case $# in
            0)
                # Zero arguments
                # File descriptor 3 duplicates standard input
                # File descriptor 4 duplicates standard output
                exec 3<&0 4<&1
                ;;
            1)
                # One argument
                # Open the file named by the argument for input
                # and associate it with file descriptor 3
                # File descriptor 4 duplicates standard output
                exec 3< $1 4<&1
                ;;
            2)
                # Two arguments
                # Open the file named by the first argument for input
                # and associate it with file descriptor 3
                # Open the file named by the second argument for output
                # and associate it with file descriptor 4
                exec 3< $1 4> $2
                ;;
            *)
                echo "Usage: mycp [source [dest]]"
                return 1
                ;;
        esac

        # Call cat with input coming from file descriptor 3
        # and output going to file descriptor 4
        cat <&3 >&4

        # Close file descriptors 3 and 4
        exec 3<&- 4<&-
    }

The real work of this function is done in the line that begins with cat. The rest of the script arranges for file descriptors 3 and 4, which are the input and output of the cat command, to be associated with the appropriate files.

optional: The next program takes two filenames on the command line, sorts both, and sends the output to temporary files. The program then merges the sorted files to standard output, preceding each line by a number that indicates which file it came from. (The temporary filenames are built from $$, with the same limitation discussed for safedit on page 982; mktemp is the safer choice on a multiuser system.)

    $ cat sortmerg
    #!/bin/bash
    usage () {
        if [ $# -ne 2 ]; then
            echo "Usage: $0 file1 file2" 1>&2
            exit 1
        fi
    }

    # Default temporary directory
    : ${TEMPDIR:=/tmp}

    # Check argument count. The script's arguments are passed on to the
    # function; inside a function, $# counts the function's own arguments.
    usage "$@"

    # Set up temporary files for sorting
    file1=$TEMPDIR/$$.file1
    file2=$TEMPDIR/$$.file2

    # Sort
    sort $1 > $file1
    sort $2 > $file2

    # Open $file1 and $file2 for reading. Use file descriptors 3 and 4.
    exec 3<$file1
    exec 4<$file2

    # Read the first line from each file to figure out how to start.
    read Line1 <&3
    status1=$?
    read Line2 <&4
    status2=$?
    # Strategy: while there is still input left in both files:
    #   Output the line that should come first.
    #   Read a new line from the file that line came from.
    while [ $status1 -eq 0 -a $status2 -eq 0 ]
        do
            if [[ "$Line2" > "$Line1" ]]; then
                echo -e "1.\t$Line1"
                read -u3 Line1
                status1=$?
            else
                echo -e "2.\t$Line2"
                read -u4 Line2
                status2=$?
            fi
        done

    # Now one of the files is at end-of-file.
    # Read from each file until the end.
    # First file1:
    while [ $status1 -eq 0 ]
        do
            echo -e "1.\t$Line1"
            read Line1 <&3
            status1=$?
        done

    # Next file2:
    while [[ $status2 -eq 0 ]]
        do
            echo -e "2.\t$Line2"
            read Line2 <&4
            status2=$?
        done

    # Close and remove both input files
    exec 3<&- 4<&-
    rm -f $file1 $file2
    exit 0

PARAMETERS AND VARIABLES

Shell parameters and variables were introduced on page 312. This section adds to the previous coverage with a discussion of array variables, global versus local variables, special and positional parameters, and expansion of null and unset variables.

ARRAY VARIABLES

The Bourne Again Shell supports one-dimensional array variables. The subscripts are integers with zero-based indexing (i.e., the first element of the array has the subscript 0). The following format declares and assigns values to an array:

    name=(element1 element2 ...)

The following example assigns four values to the array NAMES:

    $ NAMES=(max helen sam zach)

You reference a single element of an array as follows:

    $ echo ${NAMES[2]}
    sam

The subscripts [*] and [@] both extract the entire array but work differently when used within double quotation marks. An @ produces an array that is a duplicate of the original array; an * produces a single element of an array (or a plain variable) that holds all the elements of the array separated by the first character in IFS (normally a SPACE). In the following example, the array A is filled with the elements of the NAMES variable using an * and B is filled using an @.
The declare builtin with the -a option displays the values of the arrays (and reminds you that bash uses zero-based indexing for arrays):

    $ A=("${NAMES[*]}")
    $ B=("${NAMES[@]}")
    $ declare -a
    declare -a A='([0]="max helen sam zach")'
    declare -a B='([0]="max" [1]="helen" [2]="sam" [3]="zach")'
    declare -a NAMES='([0]="max" [1]="helen" [2]="sam" [3]="zach")'

From the output of declare, you can see that NAMES and B have multiple elements. In contrast, A, which was assigned its value with an * within double quotation marks, has only one element: A has all its elements enclosed between double quotation marks.

In the next example, echo attempts to display element 1 of array A. Nothing is displayed because A has only one element and that element has an index of 0. Element 0 of array A holds all four names. Element 1 of B holds the second item in the array and element 0 holds the first item.

    $ echo ${A[1]}

    $ echo ${A[0]}
    max helen sam zach
    $ echo ${B[1]}
    helen
    $ echo ${B[0]}
    max

You can apply the ${#name[*]} operator to array variables, returning the number of elements in the array:

    $ echo ${#NAMES[*]}
    4

The same operator, when given the index of an element of an array in place of *, returns the length of the element:

    $ echo ${#NAMES[1]}
    5

You can use subscripts on the left side of an assignment statement to replace selected elements of the array:

    $ NAMES[1]=max
    $ echo ${NAMES[*]}
    max max sam zach

LOCALITY OF VARIABLES

By default variables are local to the process in which they are declared. Thus a shell script does not have access to variables declared in your login shell unless you explicitly make the variables available (global). Under bash, export makes a variable available to child processes.

export: Once you use the export builtin with a variable name as an argument, the shell places the value of the variable in the calling environment of child processes.
This call by value gives each child process a copy of the variable for its own use.

The following extest1 shell script assigns a value of american to the variable named cheese and then displays its filename (extest1) and the value of cheese. The extest1 script then calls subtest, which attempts to display the same information. Next subtest declares a cheese variable and displays its value. When subtest finishes, it returns control to the parent process, which is executing extest1. At this point extest1 again displays the value of the original cheese variable.

    $ cat extest1
    cheese=american
    echo "extest1 1: $cheese"
    subtest
    echo "extest1 2: $cheese"

    $ cat subtest
    echo "subtest 1: $cheese"
    cheese=swiss
    echo "subtest 2: $cheese"

    $ ./extest1
    extest1 1: american
    subtest 1:
    subtest 2: swiss
    extest1 2: american

The subtest script never receives the value of cheese from extest1, and extest1 never loses the value. In bash, unlike in the real world, a child can never affect its parent's attributes. When a process attempts to display the value of a variable that has not been declared, as is the case with subtest, the process displays nothing; the value of an undeclared variable is that of a null string.

The following extest2 script is the same as extest1 except it uses export to make cheese available to the subtest script:

    $ cat extest2
    export cheese=american
    echo "extest2 1: $cheese"
    subtest
    echo "extest2 2: $cheese"

    $ ./extest2
    extest2 1: american
    subtest 1: american
    subtest 2: swiss
    extest2 2: american

Here the child process inherits the value of cheese as american and, after displaying this value, changes its copy to swiss. When control is returned to the parent, the parent's copy of cheese retains its original value: american.
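The two points above, the [@] versus [*] distinction and what a child process receives through export, as one added example that is not from the book. It uses an array element that contains a space, which the book's NAMES example does not, and it checks from inside a child shell which variables actually arrived. The functions count_args, array_expansion_demo and export_demo and all the sample values are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: what "${name[@]}" and "${name[*]}" do to
# an element that contains whitespace, and what export does and does not pass
# to a child process. All data is constructed inline.

# Print the number of arguments received.
count_args() {
    echo $#
}

# With "${names[@]}" each element stays one argument, even "helen ann";
# with "${names[*]}" the whole array collapses into one argument joined by
# the first character of IFS. Output: "<@ count> <* count> <element count>".
array_expansion_demo() {
    local names
    names=(max "helen ann" sam zach)
    printf '%s %s %s\n' "$(count_args "${names[@]}")" \
                        "$(count_args "${names[*]}")" \
                        "${#names[@]}"
}

# A child shell sees exported scalars only. cheese is exported, secret is
# not, and bash does not pass an array to a child's environment as an array,
# so the child cannot read list[1] whatever export says.
export_demo() {
    local cheese secret list
    cheese=american
    secret=swordfish
    list=(one two)
    export cheese list
    bash -c 'printf "%s|%s|%s\n" "${cheese:-unset}" "${secret:-unset}" "${list[1]:-unset}"'
}
```

The practical consequences: pass a list of filenames or arguments to a command as "${names[@]}", never as "${names[*]}" or an unquoted $names, or an element containing a space becomes two arguments; and do not expect a child process, including a script you call, to see anything you did not export, while remembering that everything you do export is visible to every program the shell starts.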
An export builtin can optionally include an assignment:

export cheese=american

The preceding statement is equivalent to the following two statements:

cheese=american
export cheese

Although it is rarely done, you can export a variable before you assign a value to it. You do not need to export an already-exported variable a second time after you change its value.

FUNCTIONS

Because functions run in the same environment as the shell that calls them, variables are implicitly shared by a shell and a function it calls.

$ function nam () {
> echo $myname
> myname=zach
> }
$ myname=sam
$ nam
sam
$ echo $myname
zach

In the preceding example, the myname variable is set to sam in the interactive shell. The nam function then displays the value of myname (sam) and sets myname to zach. The final echo shows that, in the interactive shell, the value of myname has been changed to zach.

Function local variables
Local variables are helpful in a function written for general use. Because the function is called by many scripts that may be written by different programmers, you need to make sure the names of the variables used within the function do not conflict with (i.e., duplicate) the names of the variables in the programs that call the function. Local variables eliminate this problem. When used within a function, the typeset builtin declares a variable to be local to the function it is defined in.

The next example shows the use of a local variable in a function. It features two variables named count. The first is declared and assigned a value of 10 in the interactive shell. Its value never changes, as echo verifies after count_down is run. The other count is declared, using typeset, to be local to the function. Its value, which is unknown outside the function, ranges from 4 to 1, as the echo command within the function confirms. The example shows the function being entered from the keyboard; it is not a shell script.
See the tip "A function is not a shell script" on page 988.

$ function count_down () {
> typeset count
> count=$1
> while [ $count -gt 0 ]
> do
>     echo "$count..."
>     ((count=count-1))
>     sleep 1
> done
> echo "Blast Off."
> }
$ count=10
$ count_down 4
4...
3...
2...
1...
Blast Off.
$ echo $count
10

The ((count=count-1)) assignment is enclosed between double parentheses, which cause the shell to perform an arithmetic evaluation (page 1016). Within the double parentheses you can reference shell variables without the leading dollar sign ($).

SPECIAL PARAMETERS

Special parameters enable you to access useful values pertaining to command-line arguments and the execution of shell commands. You reference a shell special parameter by preceding a special character with a dollar sign ($). As with positional parameters, it is not possible to modify the value of a special parameter by assignment.

$$: PID NUMBER

The shell stores in the $$ parameter the PID number of the process that is executing it. In the following interaction, echo displays the value of this variable and the ps utility confirms its value. Both commands show that the shell has a PID number of 5209:

$ echo $$
5209
$ ps
  PID TTY          TIME CMD
 5209 pts/1    00:00:00 bash
 6015 pts/1    00:00:00 ps

Because echo is built into the shell, the shell does not create another process when you give an echo command. However, the results are the same whether echo is a builtin or not, because the shell substitutes the value of $$ before it forks a new process to run a command. Try using the echo utility (/bin/echo), which is run by another process, and see what happens.
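Returning to the count_down function shown above under FUNCTIONS, here is an added example (not from the book) that puts the version with a local count next to a version without one, so the effect on the caller's count can be compared by calling the functions. It uses local, which bash accepts alongside typeset and which dash also understands, and drops the sleep so the functions return immediately; the function names are chosen here.

```shell
# Added example (not from the book): a variable local to a function versus one
# shared with the caller. "local" is the POSIX-sh-friendly spelling that bash
# accepts in place of typeset. The sleep from the text is omitted.

# Counts down from $1 to 1 using a count variable that is local to the function.
count_down() {
    local count            # declared local: the caller's count is untouched
    count=$1
    while [ "$count" -gt 0 ]
    do
        printf '%s...\n' "$count"
        count=$((count - 1))
    done
    printf 'Blast Off.\n'
}

# The same loop without the local declaration: count is now the caller's variable.
count_down_shared() {
    count=$1
    while [ "$count" -gt 0 ]
    do
        printf '%s...\n' "$count"
        count=$((count - 1))
    done
    printf 'Blast Off.\n'
}

# Sets count=10 in the caller, runs the local version, and reports the caller's count.
caller_count_after_local() {
    count=10
    count_down 4 >/dev/null
    printf '%s' "$count"   # 10: the function counted with its own count
}

# The same check with the shared version: the loop drives the caller's count to 0.
caller_count_after_shared() {
    count=10
    count_down_shared 4 >/dev/null
    printf '%s' "$count"   # 0: the caller's count was overwritten
}
```

The second pair of functions is the test the text performs with echo $count after running count_down, written so that a script can check the result rather than a person reading it.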
In the following example, the shell substitutes the value of $$ and passes that value to cp as a prefix for a filename:

$ echo $$
8232
$ cp memo $$.memo
$ ls
8232.memo  memo

Incorporating a PID number in a filename is useful for creating unique filenames when the meanings of the names do not matter; this technique is often used in shell scripts for creating names of temporary files. When two people are running the same shell script, having unique filenames keeps the users from inadvertently sharing the same temporary file.

The following example demonstrates that the shell creates a new shell process when it runs a shell script. The id2 script displays the PID number of the process running it (not the process that called it—the substitution for $$ is performed by the shell that is forked to run id2):

$ cat id2
echo "$0 PID= $$"
$ echo $$
8232
$ ./id2
./id2 PID= 8362
$ echo $$
8232

The first echo displays the PID number of the interactive shell. Then id2 displays its name ($0) and the PID number of the subshell that it is running in. The last echo shows that the PID number of the interactive shell has not changed.

$!

The shell stores the value of the PID number of the last process that ran in the background in $!. The following example executes sleep as a background task and uses echo to display the value of $!:

$ sleep 60 &
[1] 8376
$ echo $!
8376

$?: EXIT STATUS

When a process stops executing for any reason, it returns an exit status to its parent process. The exit status is also referred to as a condition code or a return code. The $? variable stores the exit status of the last command. By convention a nonzero exit status represents a false value and means the command failed. A zero is true and indicates the command executed successfully. In the following example, the first ls command succeeds and the second fails, as demonstrated by the exit status:

$ ls es
es
$ echo $?
0
$ ls xxx
ls: xxx: No such file or directory
$ echo $?
1

You can specify the exit status that a shell script returns by using the exit builtin, followed by a number, to terminate the script. If you do not use exit with a number to terminate a script, the exit status of the script is that of the last command the script ran.

$ cat es
echo This program returns an exit status of 7.
exit 7
$ ./es
This program returns an exit status of 7.
$ echo $?
7
$ echo $?
0

The es shell script displays a message and terminates execution with an exit command that returns an exit status of 7, the user-defined exit status in this script. The first echo then displays the value of the exit status of es. The second echo displays the value of the exit status of the first echo. This value is 0, indicating the first echo was successful.

POSITIONAL PARAMETERS

Positional parameters comprise the command name and command-line arguments. These parameters are called positional because within a shell script, you refer to them by their position on the command line. Only the set builtin (page 998) allows you to change the values of positional parameters. However, you cannot change the value of the command name from within a script.

$#: NUMBER OF COMMAND-LINE ARGUMENTS

The $# parameter holds the number of arguments on the command line (positional parameters), not counting the command itself:

$ cat num_args
echo "This script was called with $# arguments."
$ ./num_args sam max zach
This script was called with 3 arguments.

$0: NAME OF THE CALLING PROGRAM

The shell stores the name of the command you used to call a program in parameter $0.
This parameter is numbered zero because it appears before the first argument on the command line:

$ cat abc
echo "The command used to run this script is $0"
$ ./abc
The command used to run this script is ./abc
$ /home/sam/abc
The command used to run this script is /home/sam/abc

The preceding shell script uses echo to verify the name of the script you are executing. You can use the basename utility and command substitution to extract and display the simple filename of the command:

$ cat abc2
echo "The command used to run this script is $(basename $0)"
$ /home/sam/abc2
The command used to run this script is abc2

$1-$n: COMMAND-LINE ARGUMENTS

The first argument on the command line is represented by parameter $1, the second argument by $2, and so on up to $n. For values of n greater than 9, the number must be enclosed within braces. For example, the twelfth command-line argument is represented by ${12}. The following script displays positional parameters that hold command-line arguments:

$ cat display_5args
echo First 5 arguments are $1 $2 $3 $4 $5
$ ./display_5args zach max helen
First 5 arguments are zach max helen

The display_5args script displays the first five command-line arguments. The shell assigns a null value to each parameter that represents an argument that is not present on the command line. Thus the $4 and $5 parameters have null values in this example.

shift: PROMOTES COMMAND-LINE ARGUMENTS

The shift builtin promotes each command-line argument. The first argument (which was $1) is discarded. The second argument (which was $2) becomes the first argument (now $1), the third becomes the second, and so on. Because no "unshift" command exists, you cannot bring back arguments that have been discarded. An optional argument to shift specifies the number of positions to shift (and the number of arguments to discard); the default is 1.
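The positional-parameter and exit-status material above ($#, $1 through ${n}, shift with and without a count, exit/return values), as an added example that is not from the book: two functions that walk their arguments with shift and report through their exit status. The names nth_arg and count_args are chosen here and are not builtins. POSIX sh, so it runs under bash and dash.

```shell
# Added example (not from the book): walking the positional parameters with shift
# and reporting through the exit status. POSIX sh.

# nth_arg N ARG...: prints the Nth argument (1-based), the same value ${N} gives
# inside a script. shift with a count discards arguments for good (there is no
# unshift), so the range is checked first: an out-of-range N prints nothing and
# returns 1 (false), which a caller can test with $?.
nth_arg() {
    n=$1
    shift                          # drop N itself; the arguments are now $1..$#
    if [ "$n" -lt 1 ] || [ "$n" -gt "$#" ]
    then
        return 1
    fi
    if [ "$n" -gt 1 ]
    then
        shift $((n - 1))           # promote the wanted argument to $1
    fi
    printf '%s' "$1"
}

# count_args ARG...: prints how many arguments were given and returns, as its
# exit status, how many of them were empty strings. An empty argument reaches
# the test only because "$1" is quoted; unquoted, it would disappear.
count_args() {
    seen=0
    empty=0
    while [ "$#" -gt 0 ]
    do
        if [ -z "$1" ]
        then
            empty=$((empty + 1))
        fi
        seen=$((seen + 1))
        shift                      # default shift count is 1
    done
    printf '%s' "$seen"
    return "$empty"
}
```

Using the exit status for a count works only for small numbers: the status is a single byte, so a script that may return more than 255 should print the count instead and reserve the status for success or failure.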
The following demo_shift script is called with three arguments. Double quotation marks around the arguments to echo preserve the spacing of the output. The program displays the arguments and shifts them repeatedly until no more arguments are left to shift:

$ cat demo_shift
echo "arg1= $1 arg2= $2 arg3= $3"
shift
echo "arg1= $1 arg2= $2 arg3= $3"
shift
echo "arg1= $1 arg2= $2 arg3= $3"
shift
echo "arg1= $1 arg2= $2 arg3= $3"
shift

$ ./demo_shift alice helen zach
arg1= alice arg2= helen arg3= zach
arg1= helen arg2= zach arg3=
arg1= zach arg2= arg3=
arg1= arg2= arg3=

Repeatedly using shift is a convenient way to loop over all command-line arguments in shell scripts that expect an arbitrary number of arguments. See page 959 for a shell script that uses shift.

set: INITIALIZES COMMAND-LINE ARGUMENTS

When you call the set builtin with one or more arguments, it assigns the values of the arguments to the positional parameters, starting with $1. The following script uses set to assign values to the positional parameters $1, $2, and $3:

$ cat set_it
set this is it
echo $3 $2 $1
$ ./set_it
it is this

Combining command substitution (page 362) with the set builtin is a convenient way to get standard output of a command in a form that can be easily manipulated in a shell script. The following script shows how to use date and set to provide the date in a useful format. The first command shows the output of date. Then cat displays the contents of the dateset script. The first command in this script uses command substitution to set the positional parameters to the output of the date utility. The next command, echo $*, displays all positional parameters resulting from the previous set. Subsequent commands display the values of parameters $1, $2, $3, and $6.
The final command displays the date in a format you can use in a letter or report:

$ date
Wed Aug 14 17:35:29 PDT 2010
$ cat dateset
set $(date)
echo $*
echo
echo "Argument 1: $1"
echo "Argument 2: $2"
echo "Argument 3: $3"
echo "Argument 6: $6"
echo
echo "$2 $3, $6"
$ ./dateset
Wed Aug 14 17:35:34 PDT 2010

Argument 1: Wed
Argument 2: Aug
Argument 3: 14
Argument 6: 2010

Aug 14, 2010

You can also use the + format argument to date to modify the format of its output.

When used without any arguments, set displays a list of the shell variables that are set, including user-created variables and keyword variables. Under bash, this list is the same as that displayed by declare and typeset when they are called without any arguments. The set builtin also accepts options that let you customize the behavior of the shell. For more information refer to "set ±o: Turns Shell Features On and Off" on page 353.

$* AND $@: REPRESENT ALL COMMAND-LINE ARGUMENTS

The $* parameter represents all command-line arguments, as the display_all program demonstrates:

$ cat display_all
echo All arguments are $*
$ ./display_all a b c d e f g h i j k l m n o p
All arguments are a b c d e f g h i j k l m n o p

It is a good idea to enclose references to positional parameters between double quotation marks. The quotation marks are particularly important when you are using positional parameters as arguments to commands. Without double quotation marks, a positional parameter that is not set or that has a null value disappears:

$ cat showargs
echo "$0 was called with $# arguments, the first is :$1:."
$ ./showargs a b c
./showargs was called with 3 arguments, the first is :a:.
$ echo $xx

$ ./showargs $xx a b c
./showargs was called with 3 arguments, the first is :a:.
$ ./showargs "$xx" a b c
./showargs was called with 4 arguments, the first is ::.
The showargs script displays the number of arguments ($#) followed by the value of the first argument enclosed between colons. In the preceding example, showargs is initially called with three simple arguments. Next the echo command demonstrates that the $xx variable, which is not set, has a null value. In the final two calls to showargs, the first argument is $xx. In the first case the command line becomes showargs a b c; the shell passes showargs three arguments. In the second case the command line becomes showargs "" a b c, which results in calling showargs with four arguments. The difference in the two calls to showargs illustrates a subtle potential problem that you should keep in mind when using positional parameters that may not be set or that may have a null value.

"$*" versus "$@"
The $* and $@ parameters work the same way except when they are enclosed within double quotation marks. Using "$*" yields a single argument (with SPACEs or the value of the first character of IFS [page 323] between the positional parameters), whereas using "$@" produces a list wherein each positional parameter is a separate argument. This difference typically makes "$@" more useful than "$*" in shell scripts.

The following scripts help explain the difference between these two special parameters. In the second line of both scripts, the single quotation marks keep the shell from interpreting the enclosed special characters so they are passed to echo and displayed as themselves.
The bb1 script shows that set "$*" assigns multiple arguments to the first command-line parameter:

$ cat bb1
set "$*"
echo $# parameters with '"$*"'
echo 1: $1
echo 2: $2
echo 3: $3

$ ./bb1 a b c
1 parameters with "$*"
1: a b c
2:
3:

The bb2 script shows that set "$@" assigns each argument to a different command-line parameter:

$ cat bb2
set "$@"
echo $# parameters with '"$@"'
echo 1: $1
echo 2: $2
echo 3: $3

$ ./bb2 a b c
3 parameters with "$@"
1: a
2: b
3: c

EXPANDING NULL AND UNSET VARIABLES

The expression ${name} (or just $name if it is not ambiguous) expands to the value of the name variable. If name is null or not set, bash expands ${name} to a null string. The Bourne Again Shell provides the following alternatives to accepting the expanded null string as the value of the variable:

• Use a default value for the variable.
• Use a default value and assign that value to the variable.
• Display an error.

You can choose one of these alternatives by using a modifier with the variable name. In addition, you can use set -o nounset (page 355) to cause bash to display an error and exit from a script whenever an unset variable is referenced.

:- USES A DEFAULT VALUE

The :- modifier uses a default value in place of a null or unset variable while allowing a nonnull variable to represent itself:

${name:-default}

The shell interprets :- as "If name is null or unset, expand default and use the expanded value in place of name; else use name." The following command lists the contents of the directory named by the LIT variable. If LIT is null or unset, it lists the contents of /home/max/literature:

$ ls ${LIT:-/home/max/literature}

The default can itself have variable references that are expanded:

$ ls ${LIT:-$HOME/literature}

:= ASSIGNS A DEFAULT VALUE

The :- modifier does not change the value of a variable.
However, you can change the value of a null or unset variable to its default in a script by using the := modifier:

${name:=default}

The shell expands the expression ${name:=default} in the same manner as it expands ${name:-default} but also sets the value of name to the expanded value of default. If a script contains a line such as the following and LIT is unset or null at the time this line is executed, LIT is assigned the value /home/max/literature:

$ ls ${LIT:=/home/max/literature}

: (null) builtin
Shell scripts frequently start with the : (null) builtin followed on the same line by the := expansion modifier to set any variables that may be null or unset. The : builtin evaluates each token in the remainder of the command line but does not execute any commands. Without the leading colon (:), the shell evaluates and attempts to execute the "command" that results from the evaluation.

Use the following syntax to set a default for a null or unset variable in a shell script (a SPACE follows the first colon):

: ${name:=default}

When a script needs a directory for temporary files and uses the value of TEMPDIR for the name of this directory, the following line assigns to TEMPDIR the value /tmp if TEMPDIR is null:

: ${TEMPDIR:=/tmp}

:? DISPLAYS AN ERROR MESSAGE

Sometimes a script needs the value of a variable but you cannot supply a reasonable default at the time you write the script. If the variable is null or unset, the :? modifier causes the script to display an error message and terminate with an exit status of 1:

${name:?message}

If you omit message, the shell displays the default error message (parameter null or not set). Interactive shells do not exit when you use :?. In the following command, TESTDIR is not set so the shell displays on standard error the expanded value of the string following :?.
In this case the string includes command substitution for date with the %T format, followed by the string error, variable not set.

cd ${TESTDIR:?$(date +%T) error, variable not set.}
bash: TESTDIR: 16:16:14 error, variable not set.

BUILTIN COMMANDS

Builtin commands, which were introduced in Chapter 7, do not fork a new process when you execute them. This section discusses the type, read, exec, trap, kill, and getopts builtins. Table 27-6 on page 1015 lists many bash builtin commands.

type: DISPLAYS INFORMATION ABOUT A COMMAND

The type builtin provides information about a command:

$ type cat echo who if ll
cat is hashed (/bin/cat)
echo is a shell builtin
who is /usr/bin/who
if is a shell keyword
ll is aliased to `ls -ltrh | tail'

The preceding output shows the files that would be executed if you gave cat or who as a command. Because cat has already been called from the current shell, it is in the hash table (page 1151) and type reports that cat is hashed. The output also shows that a call to echo runs the echo builtin, if is a keyword, and ll is an alias.

read: ACCEPTS USER INPUT

One of the most common uses for user-created variables is storing information that a user enters in response to a prompt. Using read, scripts can accept input from the user and store that input in variables. The read builtin reads one line from standard input and assigns the words on the line to one or more variables:

$ cat read1
echo -n "Go ahead: "
read firstline
echo "You entered: $firstline"
$ ./read1
Go ahead: This is a line.
You entered: This is a line.

The first line of the read1 script uses echo to prompt for a line of text. The -n option suppresses the following NEWLINE, allowing you to enter a line of text on the same line as the prompt. The second line reads the text into the variable firstline. The third line verifies the action of read by displaying the value of firstline.
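Before going further with read, here is an added example (not from the book) that exercises the two parameter topics covered just before the builtin commands: the bb1/bb2 difference between "$*" and "$@", and the :-, := and :? modifiers, each as a function whose result can be checked. It uses set -- rather than the bare set of bb1 and bb2 so that an argument beginning with a hyphen cannot be taken as an option to set. LIT and TESTDIR are the variable names from the text; the function names are chosen here. POSIX sh.

```shell
# Added example (not from the book): "$*" versus "$@", and the :- := :?
# expansion modifiers, as checkable functions. POSIX sh.

# count_star ARG...: re-sets the positional parameters from "$*", which joins
# everything into ONE word, then reports how many parameters resulted.
count_star() {
    set -- "$*"
    printf '%s' "$#"
}

# count_at ARG...: re-sets them from "$@", which keeps each argument a separate
# word even when an argument itself contains a space.
count_at() {
    set -- "$@"
    printf '%s' "$#"
}

# first_arg_at ARG...: an argument containing a space survives intact through "$@".
first_arg_at() {
    set -- "$@"
    printf '%s' "$1"
}

# lit_dir: the :- form substitutes a default without touching LIT.
lit_dir() {
    unset LIT
    printf '%s|' "${LIT:-/home/max/literature}"   # default used here...
    printf '%s' "${LIT-unset}"                    # ...but LIT is still unset
}

# lit_dir_assign: the := form substitutes the default AND assigns it, so a later
# expansion of LIT sees the value. The : (null) builtin evaluates its arguments
# without running anything, which is why it carries the expansion.
lit_dir_assign() {
    unset LIT
    : "${LIT:=/home/max/literature}"
    printf '%s' "$LIT"
}

# require_testdir: the :? form writes its message to standard error and makes a
# non-interactive shell exit (status 1 under bash) when the variable is null or
# unset. The ( ) body is a subshell, so only the subshell exits, not the caller.
require_testdir() (
    unset TESTDIR
    : "${TESTDIR:?variable not set}"
    printf 'not reached'
)
```

A script that runs require_testdir sees the message on its standard error and a nonzero status; the string "not reached" is never printed.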
The variable is quoted (along with the text string) in this example because you, as the script writer, cannot anticipate which characters the user might enter in response to the prompt. Consider what would happen if the variable were not quoted and the user entered * in response to the prompt:

$ cat read1_no_quote
echo -n "Go ahead: "
read firstline
echo You entered: $firstline
$ ./read1_no_quote
Go ahead: *
You entered: read1 read1_no_quote script.1
$ ls
read1 read1_no_quote script.1

The ls command lists the same words as the script, demonstrating that the shell expands the asterisk into a list of files in the working directory. When the variable $firstline is surrounded by double quotation marks, the shell does not expand the asterisk. Thus the read1 script behaves correctly:

$ ./read1
Go ahead: *
You entered: *

REPLY
The read builtin includes several features that can make it easier to use. For example, when you do not specify a variable to receive read's input, bash puts the input into the variable named REPLY. You can use the -p option to prompt the user instead of using a separate echo command. The following read1a script performs exactly the same task as read1:

$ cat read1a
read -p "Go ahead: "
echo "You entered: $REPLY"

The read2 script prompts for a command line, reads the user's response, and assigns it to the variable cmd. The script then attempts to execute the command line that results from the expansion of the cmd variable:

$ cat read2
read -p "Enter a command: " cmd
$cmd
echo "Thanks"

In the following example, read2 reads a command line that calls the echo builtin. The shell executes the command and then displays Thanks. Next read2 reads a command line that executes the who utility:

$ ./read2
Enter a command: echo Please display this message.
Please display this message.
Thanks
$ ./read2
Enter a command: who
max      pts/4     2010-06-17 07:50 (:0.0)
sam      pts/12    2010-06-17 11:54 (bravo.example.com)
Thanks

If cmd does not expand into a valid command line, the shell issues an error message:

$ ./read2
Enter a command: xxx
./read2: line 2: xxx: command not found
Thanks

The read3 script reads values into three variables. The read builtin assigns one word (a sequence of nonblank characters) to each variable:

$ cat read3
read -p "Enter something: " word1 word2 word3
echo "Word 1 is: $word1"
echo "Word 2 is: $word2"
echo "Word 3 is: $word3"

$ ./read3
Enter something: this is something
Word 1 is: this
Word 2 is: is
Word 3 is: something

When you enter more words than read has variables, read assigns one word to each variable, assigning all leftover words to the last variable. Both read1 and read2 assigned the first word and all leftover words to the one variable the scripts each had to work with. In the following example, read assigns five words to three variables: It assigns the first word to the first variable, the second word to the second variable, and the third through fifth words to the third variable.

$ ./read3
Enter something: this is something else, really.
Word 1 is: this
Word 2 is: is
Word 3 is: something else, really.

Table 27-4 lists some of the options supported by the read builtin.

Table 27-4  read options

Option      Function
-a aname    (array) Assigns each word of input to an element of array aname.
-d delim    (delimiter) Uses delim to terminate the input instead of NEWLINE.
-e          (Readline) If input is coming from a keyboard, uses the Readline Library (page 340) to get input.
-n num      (number of characters) Reads num characters and returns. As soon as the user types num characters, read returns; there is no need to press RETURN.
-p prompt   (prompt) Displays prompt on standard error without a terminating NEWLINE before reading input. Displays prompt only when input comes from the keyboard.
-s          (silent) Does not echo characters.
-u n        (file descriptor) Uses the integer n as the file descriptor that read takes its input from. Thus read -u4 arg1 arg2 is equivalent to read arg1 arg2 <&4. See "File Descriptors" (page 987) for a discussion of redirection and file descriptors.

The read builtin returns an exit status of 0 if it successfully reads any data. It has a nonzero exit status when it reaches the EOF (end of file).

The following example runs a while loop from the command line. It takes its input from the names file and terminates after reading the last line from names.

$ cat names
Alice Jones
Robert Smith
Alice Paulson
John Q. Public
$ while read first rest
> do
> echo $rest, $first
> done < names
Jones, Alice
Smith, Robert
Paulson, Alice
Q. Public, John
$

The placement of the redirection symbol (<) for the while structure is critical. It is important that you place the redirection symbol at the done statement and not at the call to read.

optional
Each time you redirect input, the shell opens the input file and repositions the read pointer at the start of the file:

$ read line1 < names; echo $line1; read line2 < names; echo $line2
Alice Jones
Alice Jones

Here each read opens names and starts at the beginning of the names file. In the following example, names is opened once, as standard input of the subshell created by the parentheses.
Each read then reads successive lines of standard input:

$ (read line1; echo $line1; read line2; echo $line2) < names
Alice Jones
Robert Smith

Another way to get the same effect is to open the input file with exec and hold it open (refer to "File Descriptors" on page 987):

$ exec 3< names
$ read -u3 line1; echo $line1; read -u3 line2; echo $line2
Alice Jones
Robert Smith
$ exec 3<&-

exec: EXECUTES A COMMAND OR REDIRECTS FILE DESCRIPTORS

The exec builtin has two primary purposes: to run a command without creating a new process and to redirect a file descriptor—including standard input, output, or error—of a shell script from within the script (page 987). When the shell executes a command that is not built into the shell, it typically creates a new process. The new process inherits environment (global or exported) variables from its parent but does not inherit variables that are not exported by the parent. (For more information refer to "Locality of Variables" on page 992.) In contrast, exec executes a command in place of (overlays) the current process.

exec: EXECUTES A COMMAND

The exec builtin used for running a command has the following syntax:

exec command arguments

exec versus . (dot)
Insofar as exec runs a command in the environment of the original process, it is similar to the . (dot) command (page 296). However, unlike the . command, which can run only shell scripts, exec can run both scripts and compiled programs. Also, whereas the . command returns control to the original script when it finishes running, exec does not. Finally, the . command gives the new program access to local variables, whereas exec does not.

exec does not return control
Because the shell does not create a new process when you use exec, the command runs more quickly. However, because exec does not return control to the original program, it can be used only as the last command in a script.
The following script shows that control is not returned to the script:

$ cat exec_demo
who
exec date
echo "This line is never displayed."
$ ./exec_demo
zach     pts/7        May 20  7:05 (bravo.example.com)
hls      pts/1        May 20  6:59 (:0.0)
Mon May 24 11:42:56 PDT 2010

The next example, a modified version of the out script (page 959), uses exec to execute the final command the script runs. Because out runs either cat or less and then terminates, the new version, named out2, uses exec with both cat and less:

$ cat out2
if [ $# -eq 0 ]
then
    echo "Usage: out2 [-v] filenames" 1>&2
    exit 1
fi
if [ "$1" = "-v" ]
then
    shift
    exec less -- "$@"
else
    exec cat -- "$@"
fi

exec: REDIRECTS INPUT AND OUTPUT

The second major use of exec is to redirect a file descriptor—including standard input, output, or error—from within a script. The next command causes all subsequent input to a script that would have come from standard input to come from the file named infile:

exec < infile

Similarly the following command redirects standard output and standard error to outfile and errfile, respectively:

exec > outfile 2> errfile

When you use exec in this manner, the current process is not replaced with a new process, and exec can be followed by other commands in the script.

/dev/tty
When you redirect the output from a script to a file, you must make sure the user sees any prompts the script displays. The /dev/tty device is a pseudonym for the screen the user is working on; you can use this device to refer to the user's screen without knowing which device it is. (The tty utility displays the name of the device you are using.) By redirecting the output from a script to /dev/tty, you ensure that prompts and messages go to the user's terminal, regardless of which terminal the user is logged in on. Messages sent to /dev/tty are also not diverted if standard output and standard error from the script are redirected.
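The read and exec material above (the while/read loop with its redirection on done, a read redirected twice versus a file opened once, exec holding a file open on descriptor 3, and exec > outfile 2> errfile moving a shell's own output), as one added example that is not from the book. The names file from the text is written by make_names as a constructed sample under mktemp; read line <&3 is the POSIX spelling of the bash-only read -u3 line; the function names are chosen here. POSIX sh.

```shell
# Added example (not from the book): the names file processed with while/read,
# with a read redirected twice, and with a descriptor opened by exec; plus exec
# redirecting a shell's own standard output and error. POSIX sh.

# make_names: writes the sample names file (same contents as in the text) and
# prints its path. The caller removes it when done.
make_names() {
    f=$(mktemp "${TMPDIR:-/tmp}/names.XXXXXX") || return 1
    printf '%s\n' 'Alice Jones' 'Robert Smith' 'Alice Paulson' 'John Q. Public' > "$f"
    printf '%s' "$f"
}

# last_first FILE: prints "Last, First" for every line. read assigns the first
# word to first and all leftover words to rest; -r keeps any backslash in the
# input literal. The redirection is on done, so the file is opened once and each
# read advances through it.
last_first() {
    while read -r first rest
    do
        printf '%s, %s\n' "$rest" "$first"
    done < "$1"
}

# first_two_redirect_each FILE: redirecting read itself reopens the file for
# each read, so both reads return the first line.
first_two_redirect_each() {
    read -r line1 < "$1"
    read -r line2 < "$1"
    printf '%s|%s' "$line1" "$line2"
}

# first_two_fd FILE: exec opens the file on descriptor 3 and holds it open, so
# successive reads return successive lines; exec 3<&- closes it again.
first_two_fd() {
    exec 3< "$1"
    read -r line1 <&3
    read -r line2 <&3
    exec 3<&-
    printf '%s|%s' "$line1" "$line2"
}

# split_streams OUTFILE ERRFILE: exec with no command redirects this shell's
# standard output and standard error; every later command inherits that without
# its own redirection. The ( ) body is a subshell, so the caller's descriptors
# are left alone.
split_streams() (
    exec > "$1" 2> "$2"
    echo "message to standard output"
    echo "message to standard error" 1>&2
)
```

Because exec with no command changes the shell itself, a script that uses it for output normally does so once, near the top, as the text notes for exec > /dev/tty; the subshell in split_streams is what keeps the example from redirecting the shell that called it.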
The to_screen1 script sends output to three places: standard output, standard error, and the user's screen. When run with standard output and standard error redirected, to_screen1 still displays the message sent to /dev/tty on the user's screen. The out and err files hold the output sent to standard output and standard error.

$ cat to_screen1
echo "message to standard output"
echo "message to standard error" 1>&2
echo "message to the user" > /dev/tty

$ ./to_screen1 > out 2> err
message to the user
$ cat out
message to standard output
$ cat err
message to standard error

The following command redirects the output from a script to the user's screen:

exec > /dev/tty

Putting this command at the beginning of the previous script changes where the output goes. In to_screen2, exec redirects standard output to the user's screen so the > /dev/tty is superfluous. Following the exec command, all output sent to standard output goes to /dev/tty (the screen). Output to standard error is not affected.

$ cat to_screen2
exec > /dev/tty
echo "message to standard output"
echo "message to standard error" 1>&2
echo "message to the user" > /dev/tty

$ ./to_screen2 > out 2> err
message to standard output
message to the user

One disadvantage of using exec to redirect the output to /dev/tty is that all subsequent output is redirected unless you use exec again in the script.

You can also redirect the input to read (standard input) so that it comes from /dev/tty (the keyboard):

read name < /dev/tty

or

exec < /dev/tty

trap: CATCHES A SIGNAL

A signal is a report to a process about a condition. Linux uses signals to report interrupts generated by the user (for example, pressing the interrupt key) as well as bad system calls, broken pipes, illegal instructions, and other conditions. The trap builtin catches (traps) one or more signals, allowing you to direct the actions a script takes when it receives a specified signal.
This discussion covers six signals that are significant when you work with shell scripts. Table 27-5 lists these signals, the signal numbers that systems often ascribe to them, and the conditions that usually generate each signal. Give the command kill -l (lowercase "ell"), trap -l (lowercase "ell"), or man 7 signal to display a list of all signal names.

Table 27-5  Signals

Type                  Name              Number  Generating condition
Not a real signal     EXIT              0       Exit because of exit command or reaching the end of the program (not an actual signal but useful in trap)
Hang up               SIGHUP or HUP     1       Disconnect the line
Terminal interrupt    SIGINT or INT     2       Press the interrupt key (usually CONTROL-C)
Quit                  SIGQUIT or QUIT   3       Press the quit key (usually CONTROL-SHIFT-| or CONTROL-SHIFT-\)
Kill                  SIGKILL or KILL   9       The kill builtin with the -9 option (cannot be trapped; use only as a last resort)
Software termination  SIGTERM or TERM   15      Default of the kill command
Stop                  SIGTSTP or TSTP   20      Press the suspend key (usually CONTROL-Z)
Debug                 DEBUG                     Executes commands specified in the trap statement after each command (not an actual signal but useful in trap)
Error                 ERR                       Executes commands specified in the trap statement after each command that returns a nonzero exit status (not an actual signal but useful in trap)

When it traps a signal, a script takes whatever action you specify: It can remove files or finish other processing as needed, display a message, terminate execution immediately, or ignore the signal. If you do not use trap in a script, any of the six actual signals listed in Table 27-5 (not EXIT, DEBUG, or ERR) will terminate the script. Because a process cannot trap a KILL signal, you can use kill -KILL (or kill -9) as a last resort to terminate a script or other process. (See page 1012 for more information on kill.)
The trap command has the following syntax:

    trap ['commands'] [signal]

The optional commands specifies the commands that the shell executes when it catches one of the signals specified by signal. The signal can be a signal name or number, for example, INT or 2. If commands is not present, trap resets the trap to its initial condition, which is usually to exit from the script.

Quotation marks    The trap builtin does not require single quotation marks around commands as shown in the preceding syntax, but it is a good practice to use them. The single quotation marks cause shell variables within the commands to be expanded when the signal occurs, rather than when the shell evaluates the arguments to trap. Even if you do not use any shell variables in the commands, you need to enclose any command that takes arguments within either single or double quotation marks. Quoting commands causes the shell to pass to trap the entire command as a single argument.

After executing the commands, the shell resumes executing the script where it left off. If you want trap to prevent a script from exiting when it receives a signal but not to run any commands explicitly, you can specify a null (empty) commands string, as shown in the locktty script (page 975). The following command traps signal number 15, after which the script continues:

    trap '' 15

The following script demonstrates how the trap builtin can catch the terminal interrupt signal (2). You can use SIGINT, INT, or 2 to specify this signal. The script returns an exit status of 1:

    $ cat inter
    #!/bin/bash
    trap 'echo PROGRAM INTERRUPTED; exit 1' INT
    while true
    do
        echo "Program running."
        sleep 1
    done

    $ ./inter
    Program running.
    Program running.
    Program running.
    CONTROL-C
    PROGRAM INTERRUPTED
    $

: (null) builtin    The second line of inter sets up a trap for the terminal interrupt signal using INT.
When trap catches the signal, the shell executes the two commands between the single quotation marks in the trap command. The echo builtin displays the message PROGRAM INTERRUPTED, exit terminates the shell running the script, and the parent shell displays a prompt. If exit were not there, the shell would return control to the while loop after displaying the message. The while loop repeats continuously until the script receives a signal because the true utility always returns a true exit status. In place of true you can use the : (null) builtin, which is written as a colon and always returns a 0 (true) status.

The trap builtin frequently removes temporary files when a script is terminated prematurely, thereby ensuring the files are not left to clutter the filesystem. The following shell script, named addbanner, uses two traps to remove a temporary file when the script terminates normally or owing to a hangup, software interrupt, quit, or software termination signal:

    $ cat addbanner
    #!/bin/bash
    script=$(basename $0)

    if [ ! -r "$HOME/banner" ]
    then
        echo "$script: need readable $HOME/banner file" 1>&2
        exit 1
    fi

    trap 'exit 1' 1 2 3 15
    trap 'rm /tmp/$$.$script 2> /dev/null' 0

    for file
    do
        if [ -r "$file" -a -w "$file" ]
        then
            cat $HOME/banner $file > /tmp/$$.$script
            cp /tmp/$$.$script $file
            echo "$script: banner added to $file" 1>&2
        else
            echo "$script: need read and write permission for $file" 1>&2
        fi
    done

When called with one or more filename arguments, addbanner loops through the files, adding a header to the top of each. This script is useful when you use a standard format at the top of your documents, such as a standard layout for memos, or when you want to add a standard header to shell scripts. The header is kept in a file named ~/banner. Because addbanner uses the HOME variable, which contains the pathname of the user's home directory, the script can be used by several users without modification.
If Max had written the script with /home/max in place of $HOME and then given the script to Zach, either Zach would have had to change it or addbanner would have used Max's banner file when Zach ran it (assuming Zach had read permission for the file).

The first trap in addbanner causes it to exit with a status of 1 when it receives a hangup, software interrupt (terminal interrupt or quit signal), or software termination signal. The second trap uses a 0 in place of signal-number, which causes trap to execute its command argument whenever the script exits because it receives an exit command or reaches its end. Together these traps remove a temporary file whether the script terminates normally or prematurely. Standard error of the second trap is sent to /dev/null whenever trap attempts to remove a nonexistent temporary file. In those cases rm sends an error message to standard error; because standard error is redirected, the user does not see the message. See page 975 for another example that uses trap.

kill: ABORTS A PROCESS

The kill builtin sends a signal to a process or job. The kill command has the following syntax:

    kill [-signal] PID

where signal is the signal name or number (for example, INT or 2) and PID is the process identification number of the process that is to receive the signal. You can specify a job number (page 254) as %n in place of PID. If you omit signal, kill sends a TERM (software termination, number 15) signal. For more information on signal names and numbers, see Table 27-5 on page 1009. The following command sends the TERM signal to job number 1, regardless of whether it is in the foreground (running) or in the background (running or stopped):

    $ kill -TERM %1

Because TERM is the default signal for kill, you can also give this command as kill %1. Give the command kill -l (lowercase "ell") to display a list of signal names.
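The cleanup pattern that addbanner illustrates, as an added example that is not the book's code. It keeps the two-trap structure (signals turned into an exit, one EXIT trap doing the removal) but asks mktemp for the temporary file, so the name is not the predictable /tmp/$$.$script that another user on the machine could create ahead of the script. The function names setup_tmp, add_banner and demo, and the banner.XXXXXX template, are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the book): trap-driven cleanup of a temporary file
# whose name comes from mktemp rather than from the process ID.
# Function names and the name template are this example's own.

# Create the temporary file, record it in TMPFILE and arm the traps.
setup_tmp() {
    TMPFILE=$(mktemp "${TMPDIR:-/tmp}/banner.XXXXXX") || return 1
    # EXIT (number 0 in the book's table) runs on every exit of this shell,
    # including the 'exit 1' that the signal trap below performs.
    trap 'rm -f "$TMPFILE"' EXIT
    # Hangup, interrupt, quit and termination become exit status 1; the EXIT
    # trap then removes the file, so nothing is left behind in /tmp.
    trap 'exit 1' HUP INT QUIT TERM
}

# Prepend the banner file $1 to the target file $2 by way of TMPFILE.
# Returns 2 if the banner is unreadable, 3 if the target lacks read or
# write permission, otherwise the status of the final copy.
add_banner() {
    local banner=$1 target=$2
    [ -r "$banner" ] || return 2
    { [ -r "$target" ] && [ -w "$target" ]; } || return 3
    cat "$banner" "$target" > "$TMPFILE" && cp "$TMPFILE" "$target"
}

# Constructed check: run setup and banner insertion inside a command
# substitution, which is a subshell; its EXIT trap fires when the subshell
# ends. Then report whether the temporary file is still present and the
# first line of the modified file. Expected output: "gone # BANNER".
demo() {
    local work tmp
    work=$(mktemp -d) || return 1
    printf '# BANNER\n' > "$work/banner"
    printf 'body text\n' > "$work/doc.txt"
    tmp=$(setup_tmp && add_banner "$work/banner" "$work/doc.txt" && echo "$TMPFILE")
    if [ -e "$tmp" ]; then printf 'left '; else printf 'gone '; fi
    head -n 1 "$work/doc.txt"
    rm -rf "$work"
}

demo
```

Because the EXIT trap is armed immediately after the file is created, there is no window in which a signal can leave the file behind; the book's addbanner arms its traps before creating the file, which is equivalent here because nothing is created before setup_tmp returns.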
A program that is interrupted can leave matters in an unpredictable state: Temporary files may be left behind (when they are normally removed), and permissions may be changed. A well-written application traps, or detects, signals and cleans up before exiting. Most carefully written applications trap the INT, QUIT, and TERM signals. To terminate a program, first try INT (press CONTROL-C, if the job running is in the foreground). Because an application can be written to ignore these signals, you may need to use the KILL signal, which cannot be trapped or ignored; it is a "sure kill." For more information refer to "kill: Sends a Signal to a Process" on page 455.

getopts: PARSES OPTIONS

The getopts builtin parses command-line arguments, making it easier to write programs that follow the Linux argument conventions. The syntax for getopts is

    getopts optstring varname [arg...]

where optstring is a list of the valid option letters, varname is the variable that receives the options one at a time, and arg is the optional list of parameters to be processed. If arg is not present, getopts processes the command-line arguments. If optstring starts with a colon (:), the script must take care of generating error messages; otherwise, getopts generates error messages.

The getopts builtin uses the OPTIND (option index) and OPTARG (option argument) variables to track and store option-related values. When a shell script starts, the value of OPTIND is 1. Each time getopts is called and locates an argument, it increments OPTIND to the index of the next option to be processed. If the option takes an argument, bash assigns the value of the argument to OPTARG. To indicate that an option takes an argument, follow the corresponding letter in optstring with a colon (:).
The option string dxo:lt:r indicates that getopts should search for -d, -x, -o, -l, -t, and -r options and that the -o and -t options take arguments. Using getopts as the test-command in a while control structure allows you to loop over the options one at a time. The getopts builtin checks the option list for options that are in optstring. Each time through the loop, getopts stores the option letter it finds in varname.

Suppose that you want to write a program that can take three options:

1. A -b option indicates that the program should ignore whitespace at the start of input lines.

2. A -t option followed by the name of a directory indicates that the program should store temporary files in that directory. Otherwise, it should use /tmp.

3. A -u option indicates that the program should translate all output to uppercase.

In addition, the program should ignore all other options and end option processing when it encounters two hyphens (--).

The problem is to write the portion of the program that determines which options the user has supplied. The following solution does not use getopts:

    SKIPBLANKS=
    TMPDIR=/tmp
    CASE=lower

    while [[ "$1" = -* ]]    # [[ = ]] does pattern match
    do
        case $1 in
            -b) SKIPBLANKS=TRUE ;;
            -t) if [ -d "$2" ]
                    then
                        TMPDIR=$2
                        shift
                    else
                        echo "$0: -t takes a directory argument." >&2
                        exit 1
                fi ;;
            -u) CASE=upper ;;
            --) break ;;    # Stop processing options
            *)  echo "$0: Invalid option $1 ignored." >&2 ;;
        esac
        shift
    done

This program fragment uses a loop to check and shift arguments while the argument is not --. As long as the argument is not two hyphens, the program continues to loop through a case statement that checks for possible options. The -- case label breaks out of the while loop. The * case label recognizes any option; it appears as the last case label to catch any unknown options, displays an error message, and allows processing to continue.
On each pass through the loop, the program uses shift to access the next argument. If an option takes an argument, the program uses an extra shift to get past that argument.

The following program fragment processes the same options, but uses getopts:

    SKIPBLANKS=
    TMPDIR=/tmp
    CASE=lower

    while getopts :bt:u arg
    do
        case $arg in
            b)  SKIPBLANKS=TRUE ;;
            t)  if [ -d "$OPTARG" ]
                    then
                        TMPDIR=$OPTARG
                    else
                        echo "$0: $OPTARG is not a directory." >&2
                        exit 1
                fi ;;
            u)  CASE=upper ;;
            :)  echo "$0: Must supply an argument to -$OPTARG." >&2
                exit 1 ;;
            \?) echo "Invalid option -$OPTARG ignored." >&2 ;;
        esac
    done

In this version of the code, the while structure evaluates the getopts builtin each time control transfers to the top of the loop. The getopts builtin uses the OPTIND variable to keep track of the index of the argument it is to process the next time it is called. There is no need to call shift in this example.

In the getopts version of the script, the case patterns do not start with a hyphen because the value of arg is just the option letter (getopts strips off the hyphen). Also, getopts recognizes -- as the end of the options, so you do not have to specify it explicitly, as in the case statement in the first example.

Because you tell getopts which options are valid and which require arguments, it can detect errors in the command line and handle them in two ways. This example uses a leading colon in optstring to specify that you check for and handle errors in your code; when getopts finds an invalid option, it sets varname to ? and OPTARG to the option letter. When it finds an option that is missing an argument, getopts sets varname to : and OPTARG to the option lacking an argument. The \? case pattern specifies the action to take when getopts detects an invalid option. The : case pattern specifies the action to take when getopts detects a missing option argument.
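The same option set handled inside a function, as an added example that is not the book's code. It adds the two steps a reusable parser needs that the fragment above leaves out: OPTIND is made local (and reset to 1) so the function can be called more than once, and shift $((OPTIND - 1)) discards the parsed options so that "$@" holds only the operands. The function name parse_opts and its one-line report format are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the book): the getopts loop as a reusable function.
# parse_opts and its output format are this example's own choices.

# Parse -b, -t DIR and -u from the arguments, then report the settings and
# the number of operands left after the options. Returns 1 on a bad -t
# directory or a missing option argument; unknown options are ignored.
parse_opts() {
    local OPTIND=1 opt               # local OPTIND: safe to call repeatedly
    local skipblanks= tmpdir=/tmp textcase=lower
    # The leading ':' selects silent mode: errors arrive as opt='?' or ':'
    # with the offending letter in OPTARG, and no message is printed for us.
    while getopts :bt:u opt; do
        case $opt in
            b)  skipblanks=TRUE ;;
            t)  if [ -d "$OPTARG" ]; then
                    tmpdir=$OPTARG
                else
                    echo "$0: $OPTARG is not a directory." >&2
                    return 1
                fi ;;
            u)  textcase=upper ;;
            :)  echo "$0: Must supply an argument to -$OPTARG." >&2
                return 1 ;;
            \?) echo "Invalid option -$OPTARG ignored." >&2 ;;
        esac
    done
    # getopts stopped at the first non-option (or just after --); drop the
    # options it consumed so that "$@" is exactly the list of operands.
    shift $((OPTIND - 1))
    printf 'skipblanks=%s tmpdir=%s case=%s operands=%d\n' \
        "$skipblanks" "$tmpdir" "$textcase" "$#"
}

# Constructed calls showing each path: all options, an ignored unknown
# option, and -- ending option processing so -b becomes an operand.
parse_opts -b -t /tmp -u file1 file2
parse_opts -x file1
parse_opts -- -b
```

Because getopts stops at -- and leaves OPTIND pointing past it, the third call reports one operand and an unset skipblanks: the -b after -- is data, not an option.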
In both cases getopts does not write any error message but rather leaves that task to you. If you omit the leading colon from optstring, both an invalid option and a missing option argument cause varname to be assigned the string ?. OPTARG is not set and getopts writes its own diagnostic message to standard error. Generally this method is less desirable because you have less control over what the user sees when an error occurs.

Using getopts will not necessarily make your programs shorter. Its principal advantages are that it provides a uniform programming interface and that it enforces standard option handling.

A PARTIAL LIST OF BUILTINS

Table 27-6 lists some of the bash builtins. You can use type (page 1003) to see if a command runs a builtin. See "Listing bash builtins" on page 261 for instructions on how to display complete lists of builtins.

Table 27-6 bash builtins

    Builtin   Function
    :         Returns 0 or true (the null builtin; page 1011)
    . (dot)   Executes a shell script as part of the current process (page 296)
    bg        Puts a suspended job in the background (page 309)
    break     Exits from a looping control structure (page 976)
    cd        Changes to another working directory (page 209)
    continue  Starts with the next iteration of a looping control structure (page 976)
    echo      Displays its arguments (page 171)
    eval      Scans and evaluates the command line (page 351)
    exec      Executes a shell script or program in place of the current process (page 1006)
    exit      Exits from the current shell (usually the same as CONTROL-D from an interactive shell; page 996)
    export    Places the value of a variable in the calling environment (makes it global; page 992)
    fg        Brings a job from the background into the foreground (page 308)
    getopts   Parses arguments to a shell script (page 1012)
    jobs      Displays a list of background jobs (page 307)
    kill      Sends a signal to a process or job (page 455)
    pwd       Displays the name of the working directory (page 204)
    read      Reads a line from standard input (page 1003)
    readonly  Declares a variable to be readonly (page 317)
    set       Sets shell flags or command-line argument variables; with no argument, lists all variables (pages 353 and 998)
    shift     Promotes each command-line argument (page 998)
    test      Compares arguments (page 955)
    times     Displays total times for the current shell and its children
    trap      Traps a signal (page 1009)
    type      Displays how each argument would be interpreted as a command (page 1003)
    umask     Returns the value of the file-creation mask (page 459)
    unset     Removes a variable or function (page 316)
    wait      Waits for a background process to terminate

EXPRESSIONS

An expression comprises constants, variables, and operators that the shell can process to return a value. This section covers arithmetic, logical, and conditional expressions as well as operators. Table 27-8 on page 1019 lists the bash operators.

ARITHMETIC EVALUATION

The Bourne Again Shell can perform arithmetic assignments and evaluate many different types of arithmetic expressions, all using integers. The shell performs arithmetic assignments in a number of ways. One is with arguments to the let builtin:

    $ let "VALUE=VALUE * 10 + NEW"

In the preceding example, the variables VALUE and NEW contain integer values. Within a let statement you do not need to use dollar signs ($) in front of variable names. Double quotation marks must enclose a single argument, or expression, that contains SPACEs. Because most expressions contain SPACEs and need to be quoted, bash accepts ((expression)) as a synonym for let "expression", obviating the need for both quotation marks and dollar signs:

    $ ((VALUE=VALUE * 10 + NEW))

You can use either form wherever a command is allowed and can remove the SPACEs if you like.
In the following example, the asterisk (*) does not need to be quoted because the shell does not perform pathname expansion on the right side of an assignment (page 315):

    $ let VALUE=VALUE*10+NEW

Because each argument to let is evaluated as a separate expression, you can assign values to more than one variable on a single line:

    $ let "COUNT = COUNT + 1" VALUE=VALUE*10+NEW

You need to use commas to separate multiple assignments within a set of double parentheses:

    $ ((COUNT = COUNT + 1, VALUE=VALUE*10+NEW))

Arithmetic evaluation versus arithmetic expansion    tip    Arithmetic evaluation differs from arithmetic expansion. As explained on page 360, arithmetic expansion uses the syntax $((expression)), evaluates expression, and replaces $((expression)) with the result. You can use arithmetic expansion to display the value of an expression or to assign that value to a variable. Arithmetic evaluation uses the let expression or ((expression)) syntax, evaluates expression, and returns a status code. You can use arithmetic evaluation to perform a logical comparison or an assignment.

Logical expressions    You can use the ((expression)) syntax for logical expressions, although that task is frequently left to [[expression]]. The next example expands the age_check script (page 360) to include logical arithmetic evaluation in addition to arithmetic expansion:

    $ cat age2
    #!/bin/bash
    echo -n "How old are you? "
    read age
    if ((30 < age && age < 60)); then
        echo "Wow, in $((60-age)) years, you'll be 60!"
    else
        echo "You are too young or too old to play."
    fi

    $ ./age2
    How old are you? 25
    You are too young or too old to play.

The test-statement for the if structure evaluates two logical comparisons joined by a Boolean AND and returns 0 (true) if they are both true or 1 (false) otherwise.

LOGICAL EVALUATION (CONDITIONAL EXPRESSIONS)

The syntax of a conditional expression is

    [[ expression ]]

where expression is a Boolean (logical) expression.
You must precede a variable name with a dollar sign ($) within expression. The result of executing this builtin, as with the test builtin, is a return status. The conditions allowed within the brackets are almost a superset of those accepted by test (page 955). Where the test builtin uses -a as a Boolean AND operator, [[ expression ]] uses &&. Similarly, where test uses -o as a Boolean OR operator, [[ expression ]] uses ||.

To see how conditional expressions work, replace the line that tests age in the age2 script with the following conditional expression. You must surround the [[ and ]] tokens with whitespace or a command terminator, and place dollar signs before the variables:

    if [[ 30 < $age && $age < 60 ]]; then

You can also use test's relational operators -gt, -ge, -lt, -le, -eq, and -ne:

    if [[ 30 -lt $age && $age -lt 60 ]]; then

String comparisons    The test builtin tests whether strings are equal. The [[ expression ]] syntax adds comparison tests for string operators. The > and < operators compare strings for order (for example, "aa" < "bbb"). The = operator tests for pattern match, not just equality: [[ string = pattern ]] is true if string matches pattern. This operator is not symmetrical; the pattern must appear on the right side of the equal sign. For example, [[ artist = a* ]] is true (= 0), whereas [[ a* = artist ]] is false (= 1):

    $ [[ artist = a* ]]
    $ echo $?
    0
    $ [[ a* = artist ]]
    $ echo $?
    1

The next example uses a command list that starts with a compound condition. The condition tests that the directory bin and the file src/myscript.bash exist. If this is true, cp copies src/myscript.bash to bin/myscript. If the copy succeeds, chmod makes myscript executable. If any of these steps fails, echo displays a message.
    $ [[ -d bin && -f src/myscript.bash ]] && cp src/myscript.bash \
    bin/myscript && chmod +x bin/myscript || echo "Cannot make \
    executable version of myscript"

STRING PATTERN MATCHING

The Bourne Again Shell provides string pattern-matching operators that can manipulate pathnames and other strings. These operators can delete from strings prefixes or suffixes that match patterns. Table 27-7 lists the four operators.

Table 27-7 String operators

    Operator  Function
    #         Removes minimal matching prefixes
    ##        Removes maximal matching prefixes
    %         Removes minimal matching suffixes
    %%        Removes maximal matching suffixes

The syntax for these operators is

    ${varname op pattern}

where op is one of the operators listed in Table 27-7 and pattern is a match pattern similar to that used for filename generation. These operators are commonly used to manipulate pathnames to extract or remove components or to change suffixes:

    $ SOURCEFILE=/usr/local/src/prog.c
    $ echo ${SOURCEFILE#/*/}
    local/src/prog.c
    $ echo ${SOURCEFILE##/*/}
    prog.c
    $ echo ${SOURCEFILE%/*}
    /usr/local/src
    $ echo ${SOURCEFILE%%/*}

    $ echo ${SOURCEFILE%.c}
    /usr/local/src/prog
    $ CHOPFIRST=${SOURCEFILE#/*/}
    $ echo $CHOPFIRST
    local/src/prog.c
    $ NEXT=${CHOPFIRST%%/*.c}
    $ echo $NEXT
    local

Here the string-length operator, ${#name}, is replaced by the number of characters in the value of name:

    $ echo $SOURCEFILE
    /usr/local/src/prog.c
    $ echo ${#SOURCEFILE}
    21

OPERATORS

Arithmetic expansion and arithmetic evaluation in bash use the same syntax, precedence, and associativity of expressions as in the C language. Table 27-8 lists operators in order of decreasing precedence (priority of evaluation); each group of operators has equal precedence. Within an expression you can use parentheses to change the order of evaluation.
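The four string operators and the [[ string = pattern ]] test applied to a task where they matter in practice, as an added example that is not the book's code: splitting a pathname into its parts, and deciding whether a user-supplied file name is a plain name that may safely be used inside a fixed directory. The function names path_parts and safe_upload_name, the output format, and the list of accepted extensions are this example's own choices; the example also handles the case the book raises later for makepath, a name such as /usr whose ${var%/*} is the null string.

```bash
#!/bin/bash
# Added example (not from the book): #, ##, %, %% and [[ = pattern ]] used
# for pathname splitting and file-name validation. Function names, output
# format and the accepted-extension list are this example's own choices.

# Print "dir|base|stem|ext" for a pathname.
path_parts() {
    local path=$1
    local dir=${path%/*}      # % : drop the shortest suffix matching /*
    local base=${path##*/}    # ##: drop the longest prefix matching */
    local stem=${base%.*}     # % : drop the shortest suffix matching .*
    local ext=${base##*.}     # ##: drop the longest prefix matching *.
    [[ $dir = "$path" ]] && dir=.          # no slash at all: current dir
    [[ -z $dir && $path = /* ]] && dir=/   # "/prog.c": % left a null string
    [[ $ext = "$base" ]] && ext=           # no dot at all: no extension
    printf '%s|%s|%s|%s\n' "$dir" "$base" "$stem" "$ext"
}

# Return 0 only for a plain file name that is safe to join to a directory:
# non-empty, no slash, no leading dot, only [A-Za-z0-9._-], and one of the
# accepted extensions. The pattern always sits on the right of = and !=.
safe_upload_name() {
    local name=$1
    [[ -n $name ]] || return 1
    [[ $name != */* && $name != .* ]] || return 1      # no path, no dotfile
    [[ $name != *[!A-Za-z0-9._-]* ]] || return 1       # no other characters
    case ${name##*.} in                                # extension via ##
        txt|png|pdf) return 0 ;;     # accepted extensions (example's choice)
        *) return 1 ;;
    esac
}

# Constructed inputs.
path_parts /usr/local/src/prog.c      # /usr/local/src|prog.c|prog|c
path_parts /prog.c                    # /|prog.c|prog|c
path_parts prog                       # .|prog|prog|
for n in report.txt ../etc/passwd .bashrc "a b.txt" notes.exe; do
    if safe_upload_name "$n"; then echo "accept: $n"; else echo "reject: $n"; fi
done
```

Quoting the right-hand side of = or != ("$path", "$base") turns the comparison back into plain string equality; left unquoted, as in `$path = /*`, it is a pattern match, which is exactly the asymmetry the text describes.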
Table 27-8 Operators

    Type of operator/operator                          Function
    Post
        var++                                          Postincrement
        var--                                          Postdecrement
    Pre
        ++var                                          Preincrement
        --var                                          Predecrement
    Unary
        -                                              Unary minus
        +                                              Unary plus
    Negation
        !                                              Boolean NOT (logical negation)
        ~                                              Complement (bitwise negation)
    Exponentiation
        **                                             Exponent
    Multiplication, division, remainder
        *                                              Multiplication
        /                                              Division
        %                                              Remainder
    Addition, subtraction
        -                                              Subtraction
        +                                              Addition
    Bitwise shifts
        <<                                             Left bitwise shift
        >>                                             Right bitwise shift
    Comparison
        <=                                             Less than or equal
        >=                                             Greater than or equal
        <                                              Less than
        >                                              Greater than
    Equality, inequality
        ==                                             Equality
        !=                                             Inequality
    Bitwise
        &                                              Bitwise AND
        ^                                              Bitwise XOR (exclusive OR)
        |                                              Bitwise OR
    Boolean (logical)
        &&                                             Boolean AND
        ||                                             Boolean OR
    Conditional evaluation
        ? :                                            Ternary operator
    Assignment
        =, *=, /=, %=, +=, -=, <<=, >>=, &=, ^=, |=    Assignment
    Comma
        ,                                              Comma

Pipe    The pipe token has higher precedence than operators. You can use pipes anywhere in a command that you can use simple commands. For example, the command line

    $ cmd1 | cmd2 || cmd3 | cmd4 && cmd5 | cmd6

is interpreted as if you had typed

    $ ((cmd1 | cmd2) || (cmd3 | cmd4)) && (cmd5 | cmd6)

Do not rely on rules of precedence: use parentheses    tip    Do not rely on the precedence rules when you use compound commands. Instead, use parentheses to explicitly state the order in which you want the shell to interpret the commands.

Increment and decrement    The postincrement, postdecrement, preincrement, and predecrement operators work with variables. The pre- operators, which appear in front of the variable name (as in ++COUNT and --VALUE), first change the value of the variable (++ adds 1; -- subtracts 1) and then provide the result for use in the expression.
The post- operators appear after the variable name (as in COUNT++ and VALUE--); they first provide the unchanged value of the variable for use in the expression and then change the value of the variable.

    $ N=10
    $ echo $N
    10
    $ echo $((--N+3))
    12
    $ echo $N
    9
    $ echo $((N++ - 3))
    6
    $ echo $N
    10

Remainder    The remainder operator (%) yields the remainder when its first operand is divided by its second. For example, the expression $((15%7)) has the value 1.

Boolean    The result of a Boolean operation is either 0 (false) or 1 (true). The && (AND) and || (OR) Boolean operators are called short-circuiting operators. If the result of using one of these operators can be decided by looking only at the left operand, the right operand is not evaluated.

The && operator causes the shell to test the exit status of the command preceding it. If the command succeeded, bash executes the next command; otherwise, it skips the remaining commands on the command line. You can use this construct to execute commands conditionally.

    $ mkdir bkup && cp -r src bkup

This compound command creates the directory bkup. If mkdir succeeds, the contents of directory src is copied recursively to bkup.

The || separator also causes bash to test the exit status of the first command but has the opposite effect: The remaining command(s) are executed only if the first one failed (that is, exited with nonzero status).

    $ mkdir bkup || echo "mkdir of bkup failed" >> /tmp/log

The exit status of a command list is the exit status of the last command in the list. You can group lists with parentheses. For example, you could combine the previous two examples as

    $ (mkdir bkup && cp -r src bkup) || echo "mkdir failed" >> /tmp/log

In the absence of parentheses, && and || have equal precedence and are grouped from left to right. The following examples use the true and false utilities.
These utilities do nothing and return true (0) and false (1) exit statuses, respectively:

    $ false; echo $?
    1

The $? variable holds the exit status of the preceding command (page 996). The next two commands yield an exit status of 1 (false):

    $ true || false && false
    $ echo $?
    1
    $ (true || false) && false
    $ echo $?
    1

Similarly the next two commands yield an exit status of 0 (true):

    $ false && false || true
    $ echo $?
    0
    $ (false && false) || true
    $ echo $?
    0

Because || and && have equal precedence, the parentheses in the two preceding pairs of examples do not change the order of operations.

Because the expression on the right side of a short-circuiting operator may never be executed, you must be careful when placing assignment statements in that location. The following example demonstrates what can happen:

    $ ((N=10,Z=0))
    $ echo $((N || ((Z+=1)) ))
    1
    $ echo $Z
    0

Because the value of N is nonzero, the result of the || (OR) operation is 1 (true), no matter what the value of the right side is. As a consequence, ((Z+=1)) is never evaluated and Z is not incremented.

Ternary    The ternary operator, ? :, decides which of two expressions should be evaluated, based on the value returned by a third expression:

    expression1 ? expression2 : expression3

If expression1 produces a false (0) value, expression3 is evaluated; otherwise, expression2 is evaluated. The value of the entire expression is the value of expression2 or expression3, depending on which is evaluated. If expression1 is true, expression3 is not evaluated. If expression1 is false, expression2 is not evaluated.

    $ ((N=10,Z=0,COUNT=1))
    $ ((T=N>COUNT?++Z:--Z))
    $ echo $T
    1
    $ echo $Z
    1

Assignment    The assignment operators, such as +=, are shorthand notations. For example, N+=3 is the same as ((N=N+3)).

Other bases    The following commands use the syntax base#n to assign base 2 (binary) values.
First v1 is assigned a value of 0101 (5 decimal) and then v2 is assigned a value of 0110 (6 decimal). The echo utility verifies the decimal values.

    $ ((v1=2#0101))
    $ ((v2=2#0110))
    $ echo "$v1 and $v2"
    5 and 6

Next the bitwise AND operator (&) selects the bits that are on in both 5 (0101 binary) and 6 (0110 binary). The result is binary 0100, which is 4 decimal.

    $ echo $(( v1 & v2 ))
    4

The Boolean AND operator (&&) produces a result of 1 if both of its operands are nonzero and a result of 0 otherwise. The bitwise inclusive OR operator (|) selects the bits that are on in either 0101 or 0110, resulting in 0111, which is 7 decimal. The Boolean OR operator (||) produces a result of 1 if either of its operands is nonzero and a result of 0 otherwise.

    $ echo $(( v1 && v2 ))
    1
    $ echo $(( v1 | v2 ))
    7
    $ echo $(( v1 || v2 ))
    1

Next the bitwise exclusive OR operator (^) selects the bits that are on in either, but not both, of the operands 0101 and 0110, yielding 0011, which is 3 decimal. The Boolean NOT operator (!) produces a result of 1 if its operand is 0 and a result of 0 otherwise. Because the exclamation point in $(( ! v1 )) is enclosed within double parentheses, it does not need to be escaped to prevent the shell from interpreting the exclamation point as a history event. The comparison operators produce a result of 1 if the comparison is true and a result of 0 otherwise.

    $ echo $(( v1 ^ v2 ))
    3
    $ echo $(( ! v1 ))
    0
    $ echo $(( v1 < v2 ))
    1
    $ echo $(( v1 > v2 ))
    0

SHELL PROGRAMS

The Bourne Again Shell has many features that make it a good programming language. The structures that bash provides are not a random assortment, but rather have been chosen to provide most of the structural features that are found in other procedural languages, such as C or Perl.
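The base#n notation, the bitwise operators, the short-circuit rule and the ternary operator put to work on something a script actually has to decide, as an added example that is not the book's code: testing individual bits of a file permission mode and applying a umask to a requested mode. It generalizes the book's base-2 examples to base 8, which is how modes are written. The function names (mode_has, risky_bits, apply_umask, clamp, short_circuit_demo) and the three mask constants are this example's own choices; the constant names only mirror the usual C names.

```bash
#!/bin/bash
# Added example (not from the book): base#n literals and bitwise/logical
# operators applied to permission modes. Names are this example's own.

# Masks written with the base#n syntax, base 8 here (octal, as modes are).
readonly S_IWOTH=$((8#002))    # world-writable bit
readonly S_ISUID=$((8#4000))   # set-user-ID bit
readonly S_ISGID=$((8#2000))   # set-group-ID bit

# Return 0 (true) if the octal mode string $1 has any bit of mask $2 set.
# The (( )) form is arithmetic evaluation: a nonzero result is status 0.
mode_has() {
    local mode=$((8#$1)) mask=$2
    (( mode & mask ))
}

# List the risky bits of a mode, comma separated, or "none".
risky_bits() {
    local mode=$1 out=
    mode_has "$mode" "$S_IWOTH" && out="${out:+$out,}world-writable"
    mode_has "$mode" "$S_ISUID" && out="${out:+$out,}setuid"
    mode_has "$mode" "$S_ISGID" && out="${out:+$out,}setgid"
    echo "${out:-none}"
}

# Apply umask $2 to requested mode $1: every bit set in the umask is
# cleared, done with complement (~) and bitwise AND, as the kernel does it.
apply_umask() {
    printf '%04o\n' $(( 8#$1 & ~8#$2 ))
}

# Ternary operator: clamp $1 into the range $2..$3 (right-associative, so
# a ? b : c ? d : e reads as a ? b : (c ? d : e)).
clamp() {
    echo $(( $1 < $2 ? $2 : $1 > $3 ? $3 : $1 ))
}

# The short-circuit pitfall from the text: with N nonzero, the right side
# of || is never evaluated, so Z stays 0. The : (null) builtin discards the
# expansion's value; only the side effect (or its absence) matters.
short_circuit_demo() {
    local N=10 Z=0
    : $(( N || (Z += 1) ))
    echo "$Z"
}

# Constructed calls.
risky_bits 0644          # none
risky_bits 4755          # setuid
risky_bits 2777          # world-writable,setgid
apply_umask 0666 0022    # 0644
clamp 99 1 10            # 10
short_circuit_demo       # 0
```

Because mode_has returns its answer as an exit status rather than printing it, it composes with && and || in the same way as the true and false utilities in the text, and risky_bits can be read as a chain of conditional assignments.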
A procedural language provides the following abilities:

• Declare, assign, and manipulate variables and constant data. The Bourne Again Shell provides string variables, together with powerful string operators, and integer variables, along with a complete set of arithmetic operators.

• Break large problems into small ones by creating subprograms. The Bourne Again Shell allows you to create functions and call scripts from other scripts. Shell functions can be called recursively; that is, a Bourne Again Shell function can call itself. You may not need to use recursion often, but it may allow you to solve some apparently difficult problems with ease.

• Execute statements conditionally, using statements such as if.

• Execute statements iteratively, using statements such as while and for.

• Transfer data to and from the program, communicating with both data files and users.

Programming languages implement these capabilities in different ways but with the same ideas in mind. When you want to solve a problem by writing a program, you must first figure out a procedure that leads you to a solution—that is, an algorithm. Typically you can implement the same algorithm in roughly the same way in different programming languages, using the same kinds of constructs in each language.

Chapter 9 and this chapter have introduced numerous bash features, many of which are useful for both interactive use and shell programming. This section develops two complete shell programs, demonstrating how to combine some of these features effectively. The programs are presented as problems for you to solve, with sample solutions provided.

A RECURSIVE SHELL SCRIPT

A recursive construct is one that is defined in terms of itself. Alternatively, you might say that a recursive program is one that can call itself. This concept may seem circular, but it need not be. To avoid circularity, a recursive definition must have a special case that is not self-referential.
Recursive ideas occur in everyday life. For example, you can define an ancestor as your mother, your father, or one of their ancestors. This definition is not circular; it specifies unambiguously who your ancestors are: your mother or your father, or your mother's mother or father or your father's mother or father, and so on.

A number of Linux system utilities can operate recursively. See the -R option to the chmod, chown, and cp utilities for examples.

Solve the following problem by using a recursive shell function:

Write a shell function named makepath that, given a pathname, creates all components in that pathname as directories. For example, the command makepath a/b/c/d should create directories a, a/b, a/b/c, and a/b/c/d. (The mkdir -p option creates directories in this manner. Solve the problem without using mkdir -p.)

One algorithm for a recursive solution follows:

1. Examine the path argument. If it is a null string or if it names an existing directory, do nothing and return.

2. If the path argument is a simple path component, create it (using mkdir) and return.

3. Otherwise, call makepath using the path prefix of the original argument. This step eventually creates all the directories up to the last component, which you can then create using mkdir.

In general, a recursive function must invoke itself with a simpler version of the problem than it was given until it is finally called with a simple case that does not need to call itself. Following is one possible solution based on this algorithm:

makepath

    # This is a function
    # Enter it at the keyboard, do not run it as a shell script
    #
    function makepath()
    {
        if [[ ${#1} -eq 0 || -d "$1" ]]
        then
            return 0            # Do nothing
        fi
        if [[ "${1%/*}" = "$1" ]]
        then
            mkdir $1
            return $?
        fi
        makepath ${1%/*} || return 1
        mkdir $1
        return $?
    }
In the test for a simple component (the if statement in the middle of the function), the left expression is the argument after the shortest suffix that starts with a / character has been stripped away (page 1018). If there is no such character (for example, if $1 is max), nothing is stripped off and the two sides are equal. If the argument is a simple filename preceded by a slash, such as /usr, the expression ${1%/*} evaluates to a null string. To make the function work in this case, you must take two precautions: Put the left expression within quotation marks and ensure that the recursive function behaves sensibly when it is passed a null string as an argument. In general, good programs are robust: They should be prepared for borderline, invalid, or meaningless input and behave appropriately in such cases.

By giving the following command from the shell you are working in, you turn on debugging tracing so that you can watch the recursion work:

    $ set -o xtrace

(Give the same command, but replace the hyphen with a plus sign (+) to turn debugging off.) With debugging turned on, the shell displays each line in its expanded form as it executes the line. A + precedes each line of debugging output.

In the following example, the first line that starts with + shows the shell calling makepath. The makepath function is initially called from the command line with arguments of a/b/c. It then calls itself with arguments of a/b and finally a. All the work is done (using mkdir) as each call to makepath returns.

    $ ./makepath a/b/c
    + makepath a/b/c
    + [[ 5 -eq 0 ]]
    + [[ -d a/b/c ]]
    + [[ a/b = \a\/\b\/\c ]]
    + makepath a/b
    + [[ 3 -eq 0 ]]
    + [[ -d a/b ]]
    + [[ a = \a\/\b ]]
    + makepath a
    + [[ 1 -eq 0 ]]
    + [[ -d a ]]
    + [[ a = \a ]]
    + mkdir a
    + return 0
    + mkdir a/b
    + return 0
    + mkdir a/b/c
    + return 0

The function works its way down the recursive path and back up again. It is instructive to invoke makepath with an invalid path and see what happens.
The following example, which is run with debugging turned on, tries to create the path /a/b. Creating this path requires that you create directory a in the root directory. Unless you have permission to write to the root directory, you are not permitted to create this directory.

    $ ./makepath /a/b
    + makepath /a/b
    + [[ 4 -eq 0 ]]
    + [[ -d /a/b ]]
    + [[ /a = \/\a\/\b ]]
    + makepath /a
    + [[ 2 -eq 0 ]]
    + [[ -d /a ]]
    + [[ '' = \/\a ]]
    + makepath
    + [[ 0 -eq 0 ]]
    + return 0
    + mkdir /a
    mkdir: cannot create directory '/a': Permission denied
    + return 1
    + return 1

The recursion stops when makepath is denied permission to create the /a directory. The error returned is passed all the way back, so the original makepath exits with nonzero status.

Use local variables with recursive functions
tip  The preceding example glossed over a potential problem that you may encounter when you use a recursive function. During the execution of a recursive function, many separate instances of that function may be active simultaneously. All but one of them are waiting for their child invocation to complete. Because functions run in the same environment as the shell that calls them, variables are implicitly shared by a shell and a function it calls. As a consequence, all instances of the function share a single copy of each variable. Sharing variables can give rise to side effects that are rarely what you want. As a rule, you should use typeset to make all variables of a recursive function be local variables. See page 994 for more information.

THE quiz SHELL SCRIPT

Solve the following problem using a bash script:

Write a generic multiple-choice quiz program. The program should get its questions from data files, present them to the user, and keep track of the number of correct and incorrect answers. The user must be able to exit from the program at any time and receive a summary of results to that point.
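The following block is an added example, not the book's own code: it is the makepath algorithm above rewritten the way the tip recommends, with every working variable declared local, plus a self-check that exercises the borderline inputs the text describes (a null argument, an already existing directory, and a path blocked by a regular file). The names makepath_local and demo_makepath are my own; the scratch tree is created with mktemp so nothing outside a temporary directory is touched.

```bash
#!/bin/bash
# Added example (not the book's code): the book's makepath algorithm with
# local variables, so the many simultaneously active instances of the
# recursive function do not share one copy of each variable.

makepath_local() {
    local path=$1
    local prefix

    # Base case 1: nothing to do for a null string or an existing directory.
    if [[ -z $path || -d $path ]]; then
        return 0
    fi

    # A component that exists but is not a directory can never become one;
    # report it here rather than letting mkdir fail deeper in the recursion.
    if [[ -e $path ]]; then
        echo "makepath_local: $path exists and is not a directory" >&2
        return 1
    fi

    prefix=${path%/*}
    # Base case 2: a simple component (no slash). A leading-slash name such
    # as /usr gives an empty prefix, which the recursive call handles as
    # base case 1; the quotes keep the comparison valid for that case.
    if [[ $prefix = "$path" ]]; then
        mkdir "$path"
        return $?
    fi

    # Recursive step: build the prefix first, then this component. A failure
    # anywhere below is passed back up as a nonzero status.
    makepath_local "$prefix" || return 1
    mkdir "$path"
}

# Exercise the function in a scratch tree; returns 0 only if every
# expectation holds. The tree is removed before returning.
demo_makepath() {
    local root status
    root=$(mktemp -d) || return 1

    # Normal case: three nested directories from one call.
    makepath_local "$root/a/b/c" || { rm -rf "$root"; return 1; }
    [[ -d $root/a/b/c ]] || { rm -rf "$root"; return 1; }

    # Calling it again on an existing directory is a no-op that succeeds.
    makepath_local "$root/a/b/c" || { rm -rf "$root"; return 1; }

    # Failure case: a regular file blocks the path. The status must be
    # nonzero even though the failing call is two levels down.
    : > "$root/a/file"
    if makepath_local "$root/a/file/d" 2>/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$root"
    [[ $status -ne 0 ]]
}
```

Run demo_makepath after sourcing the file; it returns 0 when the three cases behave as described. Checking -e before recursing is the kind of robustness the text asks for: a bad component is reported once, with a clear message, instead of surfacing as a mkdir error from an inner call.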
The detailed design of this program and even the detailed description of the problem depend on a number of choices: How will the program know which subjects are available for quizzes? How will the user choose a subject? How will the program know when the quiz is over? Should the program present the same questions (for a given subject) in the same order each time, or should it scramble them?

Of course, you can make many perfectly good choices that implement the specification of the problem. The following details narrow the problem specification:

• Each subject will correspond to a subdirectory of a master quiz directory. This directory will be named in the environment variable QUIZDIR, whose default will be ~/quiz. For example, you could have the following directories correspond to the subjects engineering, art, and politics: ~/quiz/engineering, ~/quiz/art, and ~/quiz/politics. Put the quiz directory in /usr/games if you want all users to have access to it (requires root privileges).

• Each subject can have several questions. Each question is represented by a file in its subject's directory.

• The first line of each file that represents a question holds the text of the question. If it takes more than one line, you must escape the NEWLINE with a backslash. (This setup makes it easy to read a single question with the read builtin.) The second line of the file is an integer that specifies the number of choices. The next lines are the choices themselves. The last line is the correct answer. Following is a sample question file:

    Who discovered the principle of the lever?
    4
    Euclid
    Archimedes
    Thomas Edison
    The Lever Brothers
    Archimedes

• The program presents all the questions in a subject directory. At any point the user can interrupt the quiz with CONTROL-C, whereupon the program will summarize the results so far and exit. If the user does not interrupt the program, the program summarizes the results and exits when it has asked all questions for the chosen subject.
• The program scrambles the questions in a subject before presenting them.

Following is a top-level design for this program:

1. Initialize. This involves a number of steps, such as setting the counts of the number of questions asked so far and the number of correct and wrong answers to zero. It also sets up the program to trap CONTROL-C.

2. Present the user with a choice of subjects and get the user's response.

3. Change to the corresponding subject directory.

4. Determine the questions to be asked (that is, the filenames in that directory). Arrange them in random order.

5. Repeatedly present questions and ask for answers until the quiz is over or is interrupted by the user.

6. Present the results and exit.

Clearly some of these steps (such as step 3) are simple, whereas others (such as step 4) are complex and worthy of analysis on their own. Use shell functions for any complex step, and use the trap builtin to handle a user interrupt.

Here is a skeleton version of the program with empty shell functions:

    function initialize
    {
        # Initializes variables.
    }

    function choose_subj
    {
        # Writes choice to standard output.
    }

    function scramble
    {
        # Stores names of question files, scrambled,
        # in an array variable named questions.
    }

    function ask
    {
        # Reads a question file, asks the question, and checks the
        # answer. Returns 1 if the answer was correct, 0 otherwise. If it
        # encounters an invalid question file, exit with status 2.
    }

    function summarize
    {
        # Presents the user's score.
    }

    # Main program
    initialize                  # Step 1 in top-level design
    subject=$(choose_subj)      # Step 2
    [[ $? -eq 0 ]] || exit 2    # If no valid choice, exit
    cd $subject || exit 2       # Step 3
    echo                        # Skip a line
    scramble                    # Step 4
    for ques in ${questions[*]}; do
        ask $ques
        result=$?
        (( num_ques=num_ques+1 ))
        if [[ $result == 1 ]]; then
            (( num_correct += 1 ))
        fi
        echo                    # Skip a line between questions
        sleep ${QUIZDELAY:=1}
    done                        # Step 5
    summarize                   # Step 6
    exit 0

To make reading the results a bit easier for the user, a sleep call appears inside the question loop. It delays $QUIZDELAY seconds (default = 1) between questions.

Now the task is to fill in the missing pieces of the program. In a sense this program is being written backward. The details (the shell functions) come first in the file but come last in the development process. This common programming practice is called top-down design. In top-down design you fill in the broad outline of the program first and supply the details later. In this way you break the problem up into smaller problems, each of which you can work on independently. Shell functions are a great help in using the top-down approach.

One way to write the initialize function follows. The cd command causes QUIZDIR to be the working directory for the rest of the script and defaults to ~/quiz if QUIZDIR is not set.

    function initialize ()
    {
        trap 'summarize ; exit 0' INT       # Handle user interrupts
        num_ques=0                          # Number of questions asked so far
        num_correct=0                       # Number answered correctly so far
        first_time=true                     # true until first question is asked
        cd ${QUIZDIR:=~/quiz} || exit 2
    }

Be prepared for the cd command to fail. The directory may be unsearchable or conceivably another user may have removed it. The preceding function exits with a status code of 2 if cd fails.

The next function, choose_subj, is a bit more complicated. It displays a menu using a select statement:

    function choose_subj ()
    {
        subjects=($(ls))
        PS3="Choose a subject for the quiz from the preceding list: "
        select Subject in ${subjects[*]}; do
            if [[ -z "$Subject" ]]; then
                echo "No subject chosen. Bye." >&2
                exit 1
            fi
            echo $Subject
            return 0
        done
    }

The function first uses an ls command and command substitution to put a list of subject directories in the subjects array. Next the select structure (page 983) presents the user with a list of subjects (the directories found by ls) and assigns the chosen directory name to the Subject variable. Finally the function writes the name of the subject directory to standard output. The main program uses command substitution to assign this value to the subject variable [subject=$(choose_subj)].

The scramble function presents a number of difficulties. In this solution it uses an array variable (questions) to hold the names of the questions. It scrambles the entries in an array using the RANDOM variable (each time you reference RANDOM, it has the value of a [random] integer between 0 and 32767):

    function scramble ()
    {
        typeset -i index quescount
        questions=($(ls))
        quescount=${#questions[*]}          # Number of elements
        ((index=quescount-1))
        while [[ $index > 0 ]]; do
            ((target=RANDOM % index))
            exchange $target $index
            ((index -= 1))
        done
    }

This function initializes the array variable questions to the list of filenames (questions) in the working directory. The variable quescount is set to the number of such files. Then the following algorithm is used: Let the variable index count down from quescount - 1 (the index of the last entry in the array variable). For each value of index, the function chooses a random value target between 0 and index, inclusive. The command ((target=RANDOM % index)) produces a random value between 0 and index - 1 by taking the remainder (the % operator) when $RANDOM is divided by index. The function then exchanges the elements of questions at positions target and index.
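As an added example (not the book's code), the following block shows the scramble/exchange pair written with local variables and with target drawn from 0 to index inclusive, which is the range the algorithm description above asks for (RANDOM % (index + 1) rather than RANDOM % index, so the element at index may also stay in place). The names scramble_local, exchange_local, check_permutation and shuffle_changes_order are my own; the list of question names used by the checks is constructed test data, and the result is left in the global array questions as in the book.

```bash
#!/bin/bash
# Added example (not the book's code): an in-place shuffle of the global
# array "questions" with local working variables.

# Swap entries $1 and $2 of the questions array; nothing leaks into the
# caller's variables because every name used here is local.
exchange_local() {
    local i=$1 j=$2 temp_value
    temp_value=${questions[i]}
    questions[i]=${questions[j]}
    questions[j]=$temp_value
}

# Shuffle "questions" in place. index counts down from the last element;
# each element is exchanged with a random position at or below it.
scramble_local() {
    local -i index target
    for (( index = ${#questions[@]} - 1; index > 0; index-- )); do
        # RANDOM % (index + 1) is uniform over 0..index inclusive, so the
        # element at "index" can stay where it is, as the algorithm intends.
        (( target = RANDOM % (index + 1) ))
        exchange_local "$target" "$index"
    done
}

# A shuffle must be a permutation: same number of entries, same members.
# Takes the original list as arguments and returns 0 if that holds.
check_permutation() {
    local -a before sorted_before sorted_after
    before=("$@")
    questions=("$@")
    scramble_local
    (( ${#questions[@]} == ${#before[@]} )) || return 1
    # Sort both lists and compare them element by element.
    mapfile -t sorted_before < <(printf '%s\n' "${before[@]}" | sort)
    mapfile -t sorted_after  < <(printf '%s\n' "${questions[@]}" | sort)
    [[ "${sorted_before[*]}" == "${sorted_after[*]}" ]]
}

# Confirms the shuffle actually reorders: with six entries the chance that
# twenty shuffles all return the original order is negligible.
shuffle_changes_order() {
    local original="$*"
    local -i run
    for (( run = 0; run < 20; run++ )); do
        questions=("$@")
        scramble_local
        [[ "${questions[*]}" != "$original" ]] && return 0
    done
    return 1
}
```

A name containing whitespace (such as "q 03" in the check below) survives the shuffle as a single element because the array is built from quoted arguments rather than from the word-split output of ls. RANDOM is a 15-bit value seeded by the shell; it is adequate for ordering quiz questions but is not a source of unpredictable values, so it should not be used for anything such as tokens or temporary names that an attacker could benefit from guessing.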
It is convenient to take care of this step in another function named exchange:

    function exchange ()
    {
        temp_value=${questions[$1]}
        questions[$1]=${questions[$2]}
        questions[$2]=$temp_value
    }

The ask function also uses the select structure. It reads the question file named in its argument and uses the contents of that file to present the question, accept the answer, and determine whether the answer is correct. (See the code that follows.)

The ask function uses file descriptor 3 to read successive lines from the question file, whose name was passed as an argument and is represented by $1 in the function. It reads the question into the ques variable and the number of questions into num_opts. The function constructs the variable choices by initializing it to a null string and successively appending the next choice. Then it sets PS3 to the value of ques and uses a select structure to prompt the user with ques. The select structure places the user's answer in answer, and the function then checks that response against the correct answer from the file.

The construction of the choices variable is done with an eye toward avoiding a potential problem. Suppose that one answer has some whitespace in it—then it might appear as two or more arguments in choices. To avoid this problem, make sure that choices is an array variable.
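The file-reading half of ask can be checked without a user at the keyboard, which is useful because the design says an invalid question file must produce status 2. The following block is an added example, not the book's code: parse_question reads a question file on file descriptor 3 exactly as the book's ask does (the question line without read -r, so a backslash-escaped NEWLINE continues the question as the format requires), fills the globals ques, num_opts, choices and correct_answer, and returns 2 instead of calling exit so a caller can decide what to do. It also rejects a choice count that is not a positive integer and an answer that is not one of the choices, two checks the book's version leaves to the user. The names parse_question and demo_parse_question are my own, and the question files in the demo are constructed test data written to a mktemp directory.

```bash
#!/bin/bash
# Added example (not the book's code): parse one question file on fd 3.

parse_question() {
    local file=$1 index next_choice
    [[ -r $file ]] || return 2
    exec 3<"$file"

    # Line 1 is the question (no -r: a trailing backslash joins the next
    # line, as the file format allows); line 2 is the number of choices.
    read -u3 ques || { exec 3<&-; return 2; }
    read -u3 num_opts || { exec 3<&-; return 2; }
    # The count must be a positive integer or the loop below is meaningless.
    [[ $num_opts =~ ^[1-9][0-9]*$ ]] || { exec 3<&-; return 2; }

    # Build choices as an array so a choice containing whitespace stays one item.
    choices=()
    index=0
    while (( index < num_opts )); do
        read -u3 next_choice || { exec 3<&-; return 2; }
        choices+=("$next_choice")
        (( index += 1 ))
    done

    # The last line is the correct answer; it must match one of the choices.
    read -u3 correct_answer || { exec 3<&-; return 2; }
    exec 3<&-
    for next_choice in "${choices[@]}"; do
        [[ $next_choice == "$correct_answer" ]] && return 0
    done
    return 2
}

# Writes the book's sample question file and a truncated copy to a scratch
# directory (constructed test data) and returns 0 if the valid file parses
# and the truncated one is rejected with status 2.
demo_parse_question() {
    local dir status_good status_bad
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Who discovered the principle of the lever?' 4 \
        Euclid Archimedes 'Thomas Edison' 'The Lever Brothers' \
        Archimedes > "$dir/lever"
    # Same file with the answer line missing: read hits end of file.
    head -n 6 "$dir/lever" > "$dir/broken"

    if parse_question "$dir/broken"; then status_bad=0; else status_bad=$?; fi
    if parse_question "$dir/lever";  then status_good=0; else status_good=$?; fi
    rm -rf "$dir"

    [[ $status_bad -eq 2 && $status_good -eq 0 ]] || return 1
    [[ $ques == 'Who discovered the principle of the lever?' ]] || return 1
    [[ $num_opts -eq 4 && ${#choices[@]} -eq 4 ]] || return 1
    # A choice containing whitespace is still a single array element.
    [[ ${choices[3]} == 'The Lever Brothers' ]] || return 1
    [[ $correct_answer == Archimedes ]]
}
```

Closing fd 3 on every exit path matters in a long-running script: each exec 3< without a matching 3<&- would otherwise leave a descriptor open, and a later exec 3< on a different file silently replaces it. Returning 2 rather than exiting lets the main loop report which file was bad and continue with the rest of the subject.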
The select statement does the rest of the work:

quiz

    $ cat quiz
    #!/bin/bash

    # remove the # on the following line to turn on debugging
    # set -o xtrace

    #==================
    function initialize ()
    {
        trap 'summarize ; exit 0' INT       # Handle user interrupts
        num_ques=0                          # Number of questions asked so far
        num_correct=0                       # Number answered correctly so far
        first_time=true                     # true until first question is asked
        cd ${QUIZDIR:=~/quiz} || exit 2
    }

    #==================
    function choose_subj ()
    {
        subjects=($(ls))
        PS3="Choose a subject for the quiz from the preceding list: "
        select Subject in ${subjects[*]}; do
            if [[ -z "$Subject" ]]; then
                echo "No subject chosen. Bye." >&2
                exit 1
            fi
            echo $Subject
            return 0
        done
    }

    #==================
    function exchange ()
    {
        temp_value=${questions[$1]}
        questions[$1]=${questions[$2]}
        questions[$2]=$temp_value
    }

    #==================
    function scramble ()
    {
        typeset -i index quescount
        questions=($(ls))
        quescount=${#questions[*]}          # Number of elements
        ((index=quescount-1))
        while [[ $index > 0 ]]; do
            ((target=RANDOM % index))
            exchange $target $index
            ((index -= 1))
        done
    }

    #==================
    function ask ()
    {
        exec 3<$1
        read -u3 ques || exit 2
        read -u3 num_opts || exit 2
        index=0
        choices=()
        while (( index < num_opts )) ; do
            read -u3 next_choice || exit 2
            choices=("${choices[@]}" "$next_choice")
            ((index += 1))
        done
        read -u3 correct_answer || exit 2
        exec 3<&-

        if [[ $first_time = true ]]; then
            first_time=false
            echo -e "You may press the interrupt key at any time to quit.\n"
        fi

        PS3=$ques"   "      # Make $ques the prompt for select
                            # and add some spaces for legibility.
        select answer in "${choices[@]}"; do
            if [[ -z "$answer" ]]; then
                echo Not a valid choice. Please choose again.
            elif [[ "$answer" = "$correct_answer" ]]; then
                echo "Correct!"
                return 1
            else
                echo "No, the answer is $correct_answer."
                return 0
            fi
        done
    }

    #==================
    function summarize ()
    {
        echo                            # Skip a line
        if (( num_ques == 0 )); then
            echo "You did not answer any questions"
            exit 0
        fi

        (( percent=num_correct*100/num_ques ))
        echo "You answered $num_correct questions correctly, out of \
    $num_ques total questions."
        echo "Your score is $percent percent."
    }

    #==================
    # Main program
    initialize                  # Step 1 in top-level design
    subject=$(choose_subj)      # Step 2
    [[ $? -eq 0 ]] || exit 2    # If no valid choice, exit
    cd $subject || exit 2       # Step 3
    echo                        # Skip a line
    scramble                    # Step 4
    for ques in ${questions[*]}; do
        ask $ques
        result=$?
        (( num_ques=num_ques+1 ))
        if [[ $result == 1 ]]; then
            (( num_correct += 1 ))
        fi
        echo                    # Skip a line between questions
        sleep ${QUIZDELAY:=1}
    done                        # Step 5
    summarize                   # Step 6
    exit 0

CHAPTER SUMMARY

The shell is a programming language. Programs written in this language are called shell scripts, or simply scripts. Shell scripts provide the decision and looping control structures present in high-level programming languages while allowing easy access to system utilities and user programs. Shell scripts can use functions to modularize and simplify complex tasks.

Control structures
The control structures that use decisions to select alternatives are if...then, if...then...else, and if...then...elif. The case control structure provides a multiway branch and can be used when you want to express alternatives using a simple pattern-matching syntax. The looping control structures are for...in, for, until, and while. These structures perform one or more tasks repetitively. The break and continue control structures alter control within loops: break transfers control out of a loop, and continue transfers control immediately to the top of a loop.
The Here document allows input to a command in a shell script to come from within the script itself.

File descriptors
The Bourne Again Shell provides the ability to manipulate file descriptors. Coupled with the read and echo builtins, file descriptors allow shell scripts to have as much control over input and output as do programs written in lower-level languages.

Variables
The typeset builtin assigns attributes, such as readonly, to bash variables. The Bourne Again Shell provides operators to perform pattern matching on variables, provide default values for variables, and evaluate the length of variables. This shell also supports array variables and local variables for functions and provides built-in integer arithmetic, using the let builtin and an expression syntax similar to that found in the C programming language.

Builtins
Bourne Again Shell builtins include type, read, exec, trap, kill, and getopts. The type builtin displays information about a command, including its location; read allows a script to accept user input.

The exec builtin executes a command without creating a new process. The new command overlays the current process, assuming the same environment and PID number of that process. This builtin executes user programs and other Linux commands when it is not necessary to return control to the calling process.

The trap builtin catches a signal sent by Linux to the process running the script and allows you to specify actions to be taken upon receipt of one or more signals. You can use this builtin to cause a script to ignore the signal that is sent when the user presses the interrupt key.

The kill builtin terminates a running program. The getopts builtin parses command-line arguments, making it easier to write programs that follow standard Linux conventions for command-line arguments and options.

Utilities in scripts
In addition to using control structures, builtins, and functions, shell scripts generally call Linux utilities.
The find utility, for instance, is commonplace in shell scripts that search for files in the system hierarchy and can perform a vast range of tasks, from simple to complex.

Expressions
There are two basic types of expressions: arithmetic and logical. Arithmetic expressions allow you to do arithmetic on constants and variables, yielding a numeric result. Logical (Boolean) expressions compare expressions or strings, or test conditions to yield a true or false result. As with all decisions within Linux shell scripts, a true status is represented by the value zero; false, by any nonzero value.

Good programming practices
A well-written shell script adheres to standard programming practices, such as specifying the shell to execute the script on the first line of the script, verifying the number and type of arguments that the script is called with, displaying a standard usage message to report command-line errors, and redirecting all informational messages to standard error.

EXERCISES

1. Rewrite the journal script of Chapter 9 (exercise 5, page 368) by adding commands to verify that the user has write permission for a file named journal-file in the user's home directory, if such a file exists. The script should take appropriate actions if journal-file exists and the user does not have write permission to the file. Verify that the modified script works.

2. The special parameter "$@" is referenced twice in the out script (page 959). Explain what would be different if the parameter "$*" was used in its place.

3. Write a filter that takes a list of files as input and outputs the basename (page 982) of each file in the list.

4. Write a function that takes a single filename as an argument and adds execute permission to the file for the user.

a. When might such a function be useful?

b.
Revise the script so it takes one or more filenames as arguments and adds execute permission for the user for each file argument.

c. What can you do to make the function available every time you log in?

d. Suppose that, in addition to having the function available on subsequent login sessions, you want to make the function available in your current shell. How would you do so?

5. When might it be necessary or advisable to write a shell script instead of a shell function? Give as many reasons as you can think of.

6. Write a shell script that displays the names of all directory files, but no other types of files, in the working directory.

7. Write a script to display the time every 15 seconds. Read the date man page and display the time, using the %r field descriptor. Clear the window (using the clear command) each time before you display the time.

8. Enter the following script named savefiles, and give yourself execute permission to the file:

    $ cat savefiles
    #! /bin/bash
    echo "Saving files in current directory in file savethem."
    exec > savethem
    for i in *
        do
            echo "==================================================="
            echo "File: $i"
            echo "==================================================="
            cat "$i"
        done

a. Which error message do you get when you execute this script? Rewrite the script so that the error does not occur, making sure the output still goes to savethem.

b. What might be a problem with running this script twice in the same directory? Discuss a solution to this problem.

9. Read the bash man or info page, try some experiments, and answer the following questions:

a. How do you export a function?

b. What does the hash builtin do?

c. What happens if the argument to exec is not executable?

10. Using the find utility, perform the following tasks:

a. List all files in the working directory and all subdirectories that have been modified within the last day.

b. List all files that you have read access to on the system that are larger than 1 megabyte.

c.
Remove all files named core from the directory structure rooted at your home directory.

d. List the inode numbers of all files in the working directory whose filenames end in .c.

e. List all files that you have read access to on the root filesystem that have been modified in the last 30 days.

11. Write a short script that tells you whether the permissions for two files, whose names are given as arguments to the script, are identical. If the permissions for the two files are identical, output the common permission field. Otherwise, output each filename followed by its permission field. (Hint: Try using the cut utility.)

12. Write a script that takes the name of a directory as an argument and searches the file hierarchy rooted at that directory for zero-length files. Write the names of all zero-length files to standard output. If there is no option on the command line, have the script delete the file after displaying its name, asking the user for confirmation, and receiving positive confirmation. A -f (force) option on the command line indicates that the script should display the filename but not ask for confirmation before deleting the file.

ADVANCED EXERCISES

13. Write a script that takes a colon-separated list of items and outputs the items, one per line, to standard output (without the colons).

14. Generalize the script written in exercise 13 so that the character separating the list items is given as an argument to the function. If this argument is absent, the separator should default to a colon.

15. Write a function named funload that takes as its single argument the name of a file containing other functions. The purpose of funload is to make all functions in the named file available in the current shell; that is, funload loads the functions from the named file.
To locate the file, funload searches the colon-separated list of directories given by the environment variable FUNPATH. Assume that the format of FUNPATH is the same as PATH and that searching FUNPATH is similar to the shell's search of the PATH variable.

16. Rewrite bundle (page 986) so the script it creates takes an optional list of filenames as arguments. If one or more filenames are given on the command line, only those files should be re-created; otherwise, all files in the shell archive should be re-created. For example, suppose all files with the filename extension .c are bundled into an archive named srcshell, and you want to unbundle just the files test1.c and test2.c. The following command will unbundle just these two files:

    $ bash srcshell test1.c test2.c

17. What kind of links will the links script (page 962) not find? Why?

18. In principle, recursion is never necessary. It can always be replaced by an iterative construct, such as while or until. Rewrite makepath (page 1026) as a nonrecursive function. Which version do you prefer? Why?

19. Lists are commonly stored in environment variables by putting a colon (:) between each of the list elements. (The value of the PATH variable is an example.) You can add an element to such a list by catenating the new element to the front of the list, as in

    PATH=/opt/bin:$PATH

If the element you add is already in the list, you now have two copies of it in the list. Write a shell function named addenv that takes two arguments: (1) the name of a shell variable and (2) a string to prepend to the list that is the value of the shell variable only if that string is not already an element of the list. For example, the call

    addenv PATH /opt/bin

would add /opt/bin to PATH only if that pathname is not already in PATH. Be sure that your solution works even if the shell variable starts out empty. Also make sure that you check the list elements carefully.
If /usr/opt/bin is in PATH but /opt/bin is not, the example just given should still add /opt/bin to PATH. (Hint: You may find this exercise easier to complete if you first write a function locate_field that tells you whether a string is an element in the value of a variable.)

20. Write a function that takes a directory name as an argument and writes to standard output the maximum of the lengths of all filenames in that directory. If the function's argument is not a directory name, write an error message to standard output and exit with nonzero status.

21. Modify the function you wrote for exercise 20 to descend all subdirectories of the named directory recursively and to find the maximum length of any filename in that hierarchy.

22. Write a function that lists the number of ordinary files, directories, block special files, character special files, FIFOs, and symbolic links in the working directory. Do this in two different ways:

a. Use the first letter of the output of ls -l to determine a file's type.

b. Use the file type condition tests of the [[ expression ]] syntax to determine a file's type.

23. Modify the quiz program (page 1032) so that the choices for a question are randomly arranged.

28
THE PERL SCRIPTING LANGUAGE

IN THIS CHAPTER
Introduction to Perl 1042
Help 1043
Running a Perl Program 1046
Syntax 1047
Variables 1049
Control Structures 1057
Working with Files 1066

Larry Wall created the Perl (Practical Extraction and Report Language) programming language for working with text. Perl uses syntax and concepts from awk, sed, C, the Bourne Shell, Smalltalk, Lisp, and English. It was designed to scan and extract information from text files and generate reports based on that information. Since its introduction in 1987, Perl has expanded enormously—its documentation growing up with it.
Sort
Subroutines 1071
Regular Expressions 1073
CPAN Modules 1079
Examples 1081

Today, in addition to text processing, Perl is used for system administration, software development, and general-purpose programming.

Perl code is portable because Perl has been implemented on many operating systems (see www.cpan.org/ports). Perl is an informal, practical, robust, easy-to-use, efficient, and complete language. It is a down-and-dirty language that supports procedural and object-oriented programming. It is not necessarily elegant.

One of the things that distinguishes Perl from many other languages is its linguistic origins. In English you say, "I will buy a car if I win the lottery." Perl allows you to mimic that syntax. Another distinction is that Perl has singular and plural variables, the former holding single values and the latter holding lists of values.

INTRODUCTION TO PERL

A couple of quotes from the manual shed light on Perl's philosophy:

Many of Perl's syntactic elements are optional. Rather than requiring you to put parentheses around every function call and declare every variable, you can often leave such explicit elements off and Perl will frequently figure out what you meant. This is known as Do What I Mean, abbreviated DWIM. It allows programmers to be lazy and to code in a style with which they are comfortable.

The Perl motto is "There's more than one way to do it." Divining how many more is left as an exercise to the reader.

One of Perl's biggest assets is its support by thousands of third-party modules. The Comprehensive Perl Archive Network (CPAN; www.cpan.org) is a repository for many of the modules and other information related to Perl. See page 1079 for information on downloading, installing, and using these modules in Perl programs.

Install perl-doc
tip  The perl-doc package holds a wealth of information.
Install this package before you start using Perl; see the next page for more information.

The best way to learn Perl is to work with it. Copy and modify the programs in this chapter until they make sense to you.

Many system tools are written in Perl. The first line of most of these tools begins with #!/usr/bin/perl, which tells the shell to pass the program to Perl for execution. Most files that contain the string /usr/bin/perl are Perl programs. The following command uses grep to search the /usr/bin and /usr/sbin directories recursively (-r) for files containing the string /usr/bin/perl; it lists many local system tools written in Perl:

    $ grep -r /usr/bin/perl /usr/bin /usr/sbin | head -4
    /usr/bin/defoma-user:#! /usr/bin/perl -w
    /usr/bin/pod2latex:#!/usr/bin/perl
    /usr/bin/pod2latex:    eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
    /usr/bin/splain:#!/usr/bin/perl

Review these programs—they demonstrate how Perl is used in the real world. Copy a system program to a directory you own before modifying it. Do not run a system program while running with root privileges unless you know what you are doing.

MORE INFORMATION

Local  man pages: See the perl and perltoc man pages for lists of Perl man pages

Web  Perl home page: www.perl.com
     CPAN: www.cpan.org
     blog: perlbuzz.com

Book  Programming Perl, third edition, by Wall, Christiansen, & Orwant, O'Reilly & Associates (July 2000)

HELP

Perl is a forgiving language. As such, it is easy to write Perl code that runs but does not perform as you intended. Perl includes many tools that can help you find coding mistakes. The -w option and the use warnings statement can produce helpful diagnostic messages. The use strict statement (see the perldebtut man page) can impose order on a program by requiring, among other things, that you declare variables before you use them. When all else fails, you can use Perl's builtin debugger to step through a program.
See the perldebtut and perldebug man pages for more information.

perldoc

You must install the perl-doc package before you can use perldoc. The perldoc utility locates and displays local Perl documentation. It is similar to man (page 136) but specific to Perl. It works with files that include lines of pod (plain old documentation), a clean and simple documentation language. When embedded in a Perl program, pod enables you to include documentation for the entire program, not just code-level comments, in the program file itself.

Following is a simple Perl program that includes pod. The two lines following =cut are the program; the rest is pod-format documentation.

$ cat pod.ex1.pl
#!/usr/bin/perl

=head1 A Perl Program to Say I<Hi there.>

This simple Perl program includes documentation in B<pod> format.
The following B<=cut> command tells B<perldoc> that what follows
is not documentation.

=cut

# A Perl program
print "Hi there.\n";

=head1 pod Documentation Resumes with Any pod Command

See the B<perldoc.perl.org/perlpod.html> page for more information
on B<pod> and B<perldoc.perl.org> for complete Perl documentation.

You can use Perl to run the program:

$ perl pod.ex1.pl
Hi there.

Or you can use perldoc to display the documentation:

$ perldoc pod.ex1.pl
POD.EX1(1)            User Contributed Perl Documentation            POD.EX1(1)

A Perl Program to Say Hi there.
    This simple Perl program includes documentation in pod format. The
    following =cut command tells perldoc that what follows is not
    documentation.

pod Documentation Resumes with Any pod Command
    See the perldoc.perl.org/perlpod.html page for more information on pod
    and perldoc.perl.org for complete Perl documentation.

perl v5.10.0                       2008-10-14                       POD.EX1(1)

Most publicly distributed modules and scripts, as well as Perl itself, include embedded pod-format documentation. For example, the following command displays information about the Perl print function:

$ perldoc -f print
    print FILEHANDLE LIST
    print LIST
    print   Prints a string or a list of strings.
            Returns true if successful. FILEHANDLE may be a scalar
            variable name, in which case the variable contains the name
            of or a reference to the filehandle, thus introducing one
            level of indirection. (NOTE: If FILEHANDLE is a variable
            and the next token is a term, it may
...

Once you have installed a module (page 1079), you can use perldoc to display documentation for that module. The following example shows perldoc displaying information on the locally installed Timestamp::Simple module:

$ perldoc Timestamp::Simple
Timestamp::Simple(3)   User Contributed Perl Documentation   Timestamp::Simple(3)

    Timestamp::Simple - Simple methods for timestamping

SYNOPSIS
        use Timestamp::Simple qw(stamp);
        print stamp, "\n";
...

Give the command man perldoc or perldoc perldoc to display the perldoc man page and read more about this tool.

Tip: Make Perl programs readable
Although Perl has many shortcuts that are good choices for one-shot programming, this chapter presents code that is easy to understand and easy to maintain.

TERMINOLOGY

This section defines some of the terms used in this chapter.

Module: A Perl module is a self-contained chunk of Perl code, frequently containing several functions that work together. A module can be called from another module or from a Perl program. A module must have a unique name. To help ensure unique names, Perl provides a hierarchical namespace (page 1161) for modules, separating components of a name with double colons (::). Example module names are Timestamp::Simple and WWW::Mechanize.

Distribution: A Perl distribution is a set of one or more modules that perform a task. You can search for distributions and modules at search.cpan.org.
Examples of distributions include Timestamp-Simple (the Timestamp-Simple-1.01.tar.gz archive file contains the Timestamp::Simple module only) and WWW-Mechanize (WWW-Mechanize-1.34.tar.gz contains the WWW::Mechanize module, plus supporting modules including WWW::Mechanize::Link and WWW::Mechanize::Image).

Package: A package defines a Perl namespace. For example, in the variable with the name $WWW::Mechanize::ex, $ex is a scalar variable in the WWW::Mechanize package, where "package" is used in the sense of a namespace. Using the same name, such as WWW::Mechanize, for a distribution, a package, and a module can be confusing.

Block: A block is zero or more statements, delimited by curly braces ({}), that defines a scope. The shell control structure syntax explanations refer to these elements as commands. See the if...then control structure on page 954 for an example.

Package variable: A package variable is defined within the package it appears in. Other packages can refer to package variables by using the variable's fully qualified name (for example, $Text::Wrap::columns). By default, variables are package variables unless you define them as lexical variables.

Lexical variable: A lexical variable, which is defined by preceding the name of a variable with the keyword my (see the tip on page 1050), is visible only within the block or file it appears in. Other languages refer to a lexical variable as a local variable. Because Perl 4 used the keyword local with a different meaning (it gives a package variable a temporary, dynamically scoped value), Perl 5 uses the term lexical, and the keyword my, in its place. When programming using bash, variables that are not exported (page 992) are local to the program they are used in.

List: A list is a series of zero or more scalars. The following list has three elements, two numbers and a string:

(2, 4, 'Zach')

Array: An array is a variable that holds a list of elements in a defined order. In the following line of code, @a is an array. See page 1053 for more information about array variables.
@a = (2, 4, 'Zach')

Compound statement: A compound statement is a statement made up of other statements. For example, the if compound statement (page 1057) incorporates an if statement that normally includes other statements within the block it controls.

RUNNING A PERL PROGRAM

There are several ways you can run a program written in Perl. The -e option enables you to enter a program on the command line:

$ perl -e 'print "Hi there.\n"'
Hi there.

The -e option is a good choice for testing Perl syntax and running brief, one-shot programs. This option requires that the Perl program appear as a single argument on the command line. The program must immediately follow this option; it is an argument to this option. An easy way to write this type of program is to enclose the program within single quotation marks.

Because Perl is a member of the class of utilities that take input from a file or standard input (page 248), you can give the command perl and enter the program terminated by CONTROL-D (end of file). Perl reads the program from standard input:

$ perl
print "Hi there.\n";
CONTROL-D
Hi there.

The preceding techniques are useful for quick, one-off command-line programs but are not helpful for running more complex programs. Most of the time, a Perl program is stored in a text file. Although not required, the file typically has a filename extension of .pl. Following is the same simple program used in the previous examples stored in a file:

$ cat simple.pl
print "Hi there.\n";

You can run this program by specifying its name as an argument to Perl:

$ perl simple.pl
Hi there.

Most commonly, and similarly to most shell scripts, the file containing the Perl program is executable. In the following example, chmod (page 300) makes the simple2.pl file executable. As explained on page 302, the #! at the start of the first line of the file instructs the system to pass the rest of the file to /usr/bin/perl for execution.
$ chmod 755 simple2.pl
$ cat simple2.pl
#!/usr/bin/perl -w
print "Hi there.\n";
$ ./simple2.pl
Hi there.

In this example, the simple2.pl program is executed as ./simple2.pl because the working directory is not in the user's PATH (page 319). The -w option tells Perl to issue warning messages when it identifies potential errors in the code.

PERL VERSION 5.10

All examples in this chapter were run under Perl 5.10. Give the following command to see which version of Perl the local system is running:

$ perl -v

This is perl, v5.10.0 built for i486-linux-gnu-thread-multi
...

use feature 'say'

The say function is a Perl 6 feature that is available in Perl 5.10. It works the same way as print, except it adds a NEWLINE (\n) at the end of each line it outputs. Perl 5.10 does not enable say by default; you must tell Perl explicitly that you want to use it. The use statement in the following example tells Perl to enable say (use v5.10 has the same effect). Run this program without the use line to see how Perl reacts when say is not enabled.

$ cat 5.10.pl
use feature 'say';
say 'Output by say.';
print 'Output by print.';
say 'End.'
$ perl 5.10.pl
Output by say.
Output by print.End.
$

Earlier versions of Perl: If you are running an earlier version of Perl, you will need to replace say in the examples in this chapter with print and terminate the print statement with a quoted \n:

$ cat 5.8.pl
print 'Output by print in place of say.', "\n";
print 'Output by print.';
print 'End.', "\n";
$ perl 5.8.pl
Output by print in place of say.
Output by print.End.

SYNTAX

This section describes the major components of a Perl program.

Statements: A Perl program comprises one or more statements, each terminated by a semicolon (;). These statements are free-form with respect to whitespace (page 1180), except for whitespace within quoted strings. Multiple statements can appear on a single line, each terminated by a semicolon. The following programs are equivalent.
The first occupies two lines, the second only one; look at the differences in the spacing around the equal and plus signs. See use feature 'say' (above) if these programs complain about say not being available.

$ cat statement1.pl
$n=4;
say "Answer is ", $n + 2;
$ perl statement1.pl
Answer is 6

$ cat statement2.pl
$n = 4; say "Answer is ", $n+2;
$ perl statement2.pl
Answer is 6

Expressions: The syntax of Perl expressions frequently corresponds to the syntax of C expressions but is not always the same. Perl expressions are covered in examples throughout this chapter.

Quotation marks: All character strings must be enclosed within single or double quotation marks. Perl differentiates between the two types of quotation marks in a manner similar to the way the shell does (page 314): Double quotation marks allow Perl to interpolate enclosed variables and interpret special characters such as \n (NEWLINE), whereas single quotation marks do not. Table 28-1 lists some of Perl's special characters.

The following example demonstrates how different types of quotation marks, and the absence of quotation marks, affect Perl in converting scalars between numbers and strings. The single quotation marks in the first print statement prevent Perl from interpolating the $string variable and from interpreting the \n special character. The leading \n in the second print statement forces the output of that statement to appear on a new line.
$ cat string1.pl
$string="5";              # $string declared as a string, but it will not matter
print '$string+5\n';      # Perl displays $string+5 literally because of the
                          # single quotation marks
print "\n$string+5\n";    # Perl interpolates the value of $string as a string
                          # because of the double quotation marks
print $string+5, "\n";    # Lack of quotation marks causes Perl to interpret
                          # $string as a numeric variable and to add 5; the \n
                          # must appear between double quotation marks
$ perl string1.pl
$string+5\n
5+5
10

Slash: By default, regular expressions are delimited by slashes (/). The following example tests whether the string hours contains the pattern our; see page 1074 for more information on regular expression delimiters in Perl.

$ perl -e 'if ("hours" =~ /our/) {say "yes";}'

The local version of Perl may require use feature 'say' (page 1047) to work properly:

$ perl -e 'use feature "say"; if ("hours" =~ /our/) {say "yes";}'
yes

Backslash: Within a string enclosed between double quotation marks, a backslash escapes (quotes) another backslash. Thus Perl displays "\\n" as \n. Within a regular expression, Perl does not expand a metacharacter preceded by a backslash. See the string1.pl program above.

Comments: As in the shell, a comment in Perl begins with a hashmark (#) and ends at the end of the line (just before the NEWLINE character).

Special characters: Table 28-1 lists some of the characters that are special within strings in Perl. Perl interpolates these characters when they appear between double quotation marks but not when they appear between single quotation marks. Table 28-3 on page 1076 lists metacharacters, which are special within regular expressions.
Table 28-1 Some Perl special characters

Character      When within double quotation marks, interpolated as
\0xx (zero)    The ASCII character whose octal value is xx
\a             An alarm (bell or beep) character (ASCII 7)
\e             An ESCAPE character (ASCII 27)
\n             A NEWLINE character (ASCII 10)
\r             A RETURN character (ASCII 13)
\t             A TAB character (ASCII 9)

VARIABLES

Like human languages, Perl distinguishes between singular and plural data. Strings and numbers are singular; lists of strings or numbers are plural. Perl provides three types of variables: scalar (singular), array (plural), and hash (plural; also called associative arrays). Perl identifies each type of variable by a special character preceding its name. The name of a scalar variable begins with a dollar sign ($), an array variable begins with an at sign (@), and a hash variable begins with a percent sign (%). As opposed to the way the shell identifies variables, Perl requires the leading character to appear each time you reference a variable, including when you assign a value to the variable:

$ name="Zach" ; echo "$name"                    (bash)
Zach
$ perl -e '$name="Zach" ; print "$name\n";'     (perl)
Zach

Variable names, which are case sensitive, can include letters, digits, and the underscore character (_). A Perl variable is a package variable (page 1045) unless it is preceded by the keyword my, in which case it is a lexical variable (page 1045) that is visible only within the block or file it appears in. See "Subroutines" on page 1071 for a discussion of the locality of Perl variables.

Caution: Lexical variables overshadow package variables
If a lexical variable and a package variable have the same name, within the block or file in which the lexical variable is defined, the name refers to the lexical variable and not to the package variable.
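The following program is an added example (it is not from the book) that makes the caution above concrete. It assumes nothing beyond Perl 5.10 with use feature 'say'. A package variable is written with its fully qualified name, $main::level, so that use strict accepts it; a lexical variable with the same short name is then declared inside a block, and inside a nested block, and the program shows which variable each unqualified reference resolves to and that the package variable is still reachable by its full name:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use feature 'say';

# Package variable. Under use strict an undeclared bare name is a compile-time
# error, so the package variable is written with its fully qualified name;
# a bare $level here would not compile.
$main::level = 'package';
say "before block: \$main::level = $main::level";

{
    my $level = 'lexical';     # lexical variable with the same short name
    say "inside block: \$level       = $level";          # the lexical variable wins
    say "inside block: \$main::level = $main::level";    # the package variable is still reachable by full name

    {
        my $level = 'inner';   # a nested block can shadow the outer lexical variable too
        say "inner block:  \$level       = $level";
    }

    say "inside block: \$level       = $level";          # back to the outer lexical variable
}

say "after block:  \$main::level = $main::level";        # the package variable was never changed
# say $level;   # would not compile under use strict: the lexical variable is out of scope here
```

Run it as perl scope.pl (the file name is assumed). The lexical variable is reported inside each block that declares it, the package variable keeps its value throughout, and uncommenting the last line shows use strict rejecting a reference to a lexical variable outside its block.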
A Perl variable comes into existence when you assign a value to it; you do not need to define or initialize a variable, although it may make a program more understandable to do so. Normally, Perl does not complain when you reference an uninitialized variable:

$ cat variable1.pl
#!/usr/bin/perl
my $name = 'Sam';
print "Hello, $nam, how are you?\n";    # Typo, e left off of name
$ ./variable1.pl
Hello, , how are you?

use strict: Include use strict to cause Perl to require variables to be declared before being assigned values. See the perldebtut man page for more information. When you include use strict in the preceding program, Perl displays an error message:

$ cat variable1b.pl
#!/usr/bin/perl
use strict;
my $name = 'Sam';
print "Hello, $nam, how are you?\n";    # Typo, e left off of name
$ ./variable1b.pl
Global symbol "$nam" requires explicit package name at ./variable1b.pl line 4.
Execution of ./variable1b.pl aborted due to compilation errors.

Tip: Using my: lexical versus package variables
In variable1.pl, $name is declared to be lexical by preceding its name with the keyword my; its name and value are known within the file variable1.pl only. Declaring a variable to be lexical limits its scope to the block or file it is defined in. Although not necessary in this case, declaring variables to be lexical is good practice. This habit becomes especially useful when you write longer programs, subroutines, and packages, where it is harder to keep variable names unique. Declaring all variables to be lexical is mandatory when you write routines that will be used within code written by others. This practice allows those who work with your routines to use whichever variable names they like, without regard to which variable names you used in the code you wrote. The shell and Perl scope variables differently. In the shell, if you do not export a variable, it is local to the routine it is used in (page 992).
In Perl, if you do not use my to declare a variable to be lexical, it is defined for the package it appears in.

-w and use warnings: The -w option and the use warnings statement perform the same function: They cause Perl to issue a warning when it detects a dubious construct, such as a variable that is used only once or a value that is used before it is initialized. (Neither one is a syntax check; a program with warnings still runs.) In the following example, Perl displays two warnings. The first tells you that you have used the variable named $nam once, on line 3, which probably indicates an error. This message is helpful when you mistype the name of a variable. Under Perl 5.10, the second warning specifies the name of the uninitialized variable. This warning refers to the same problem as the first warning. Although it is not hard to figure out which of the two variables is undefined in this simple program, doing so in a complex program can take a lot of time.

$ cat variable1a.pl
#!/usr/bin/perl -w
my $name = 'Sam';
print "Hello, $nam, how are you?\n";    # Prints warning because of typo and -w
$ ./variable1a.pl
Name "main::nam" used only once: possible typo at ./variable1a.pl line 3.
Use of uninitialized value $nam in concatenation (.) or string at ./variable1a.pl line 3.
Hello, , how are you?

You can also use -w on the command line. If you use -e as well, make sure the argument that follows -e is the program you want to execute (e.g., -e -w does not work). See the tip on page 1074.

$ perl -w -e 'my $name = "Sam"; print "Hello, $nam, how are you?\n"'
Name "main::nam" used only once: possible typo at -e line 1.
Use of uninitialized value $nam in concatenation (.) or string at -e line 1.
Hello, , how are you?

undef and defined: An undefined variable has the special value undef, which evaluates to zero (0) in a numeric expression and expands to an empty string ("") when you print it. Use the defined function to determine whether a variable has been defined.
The following example, which uses constructs explained later in this chapter, calls defined with an argument of $name and negates the result with an exclamation point (!). The result is that the print statement is executed if $name is not defined.

$ cat variable2.pl
#!/usr/bin/perl
if (!defined($name)) { print "The variable '\$name' is not defined.\n" };
$ ./variable2.pl
The variable '$name' is not defined.

With the -w option this program would generate a warning that $name is used only once; testing a variable with defined does not by itself trigger an uninitialized-value warning.

SCALAR VARIABLES

A scalar variable has a name that begins with a dollar sign ($) and holds a single string or number: It is a singular variable. Because Perl converts between the two when necessary, you can use strings and numbers interchangeably. Perl interprets scalar variables as strings when it makes sense to interpret them as strings, and as numbers when it makes sense to interpret them as numbers. Perl's judgment in these matters is generally good.

The following example shows some uses of scalar variables. The first two lines of code (lines 3 and 4) assign the string Sam to the scalar variable $name and the numbers 5 and 2 to the scalar variables $n1 and $n2, respectively. In this example, multiple statements, each terminated with a semicolon (;), appear on a single line. See use feature 'say' on page 1047 if this program complains about say not being available.

$ cat scalars1.pl
#!/usr/bin/perl -w

$name = "Sam";
$n1 = 5; $n2 = 2;

say "$name $n1 $n2";
say "$n1 + $n2";
say '$name $n1 $n2';
say $n1 + $n2, " ", $n1 * $n2;

say $name + $n1;
$ ./scalars1.pl
Sam 5 2
5 + 2
$name $n1 $n2
7 10
Argument "Sam" isn't numeric in addition (+) at ./scalars1.pl line 11.
5

Double quotation marks: The first say statement sends the string enclosed within double quotation marks to standard output (the screen unless you redirect it).
Within double quotation marks, Perl expands variable names to the value of the named variable. Thus the first say statement displays the values of three variables, separated from each other by SPACEs. The second say statement includes a plus sign (+). Perl does not recognize operators such as + within either type of quotation marks. Thus Perl displays the plus sign between the values of the two variables.

Single quotation marks: The third say statement sends the string enclosed within single quotation marks to standard output. Within single quotation marks, Perl interprets all characters literally, so it displays the string exactly as it appears between the single quotation marks.

In the fourth say statement, the operators are not quoted, and Perl performs the addition and multiplication as specified. Without the quoted SPACE, Perl would catenate the two numbers (710). The last say statement attempts to add a string and a number; the -w option causes Perl to display a warning message before displaying 5. The 5 results from adding Sam, which Perl evaluates as 0 in a numerical context, to the number 5 (0 + 5 = 5).

ARRAY VARIABLES

An array variable is an ordered container of scalars whose name begins with an at sign (@) and whose first element is numbered zero (zero-based indexing). Because an array can hold zero or more scalars, it is a plural variable. Arrays are ordered; hashes (page 1056) are unordered. In Perl, arrays grow as needed. If you reference an uninitialized element of an array, such as an element beyond the end of the array, Perl returns undef.

The first statement in the following program assigns the values of two numbers and a string to the array variable named @arrayvar. Because Perl uses zero-based indexing, the first say statement displays the value of the second element of the array (the element with the index 1). This statement specifies the variable $arrayvar[1] as a scalar (singular) because it refers to a single value.
The second say statement specifies the variable @arrayvar[1,2] as a list (plural) because it refers to multiple values (the elements with the indexes 1 and 2).

$ cat arrayvar1.pl
#!/usr/bin/perl -w
@arrayvar = (8, 18, "Sam");
say $arrayvar[1];
say "@arrayvar[1,2]";
$ perl arrayvar1.pl
18
18 Sam

The next example shows a couple of ways to determine the length of an array and presents more information on using quotation marks within print statements. The first assignment statement in arrayvar2.pl assigns values to the first six elements of the @arrayvar2 array. When used in a scalar context, Perl evaluates the name of an array as the length of the array. The second assignment statement assigns the number of elements in @arrayvar2 to the scalar variable $num.

$ cat arrayvar2.pl
#!/usr/bin/perl -w
@arrayvar2 = ("apple", "bird", 44, "Tike", "metal", "pike");
$num = @arrayvar2;                 # number of elements in array
print "Elements: ", $num, "\n";    # two equivalent print statements
print "Elements: $num\n";
print "Last: $#arrayvar2\n";       # index of last element in array
$ ./arrayvar2.pl
Elements: 6
Elements: 6
Last: 5

The first two print statements in arrayvar2.pl display the string Elements:, a SPACE, the value of $num, and a NEWLINE, each using a different syntax. The first of these statements displays three values, using commas to separate them within the print statement. The second print statement has one argument and demonstrates that Perl expands a variable (replaces the variable with its value) when the variable is enclosed within double quotation marks.

$#array: The final print statement in arrayvar2.pl shows that Perl evaluates the variable $#array as the index of the last element in the array named array. Because Perl uses zero-based indexing by default, this variable evaluates to one less than the number of elements in the array.
The next example works with elements of an array and uses a dot (.; the string catenation operator). The first two lines assign values to four scalar variables. The third line shows that you can assign values to array elements using scalar variables, arithmetic, and catenated strings. The dot operator catenates strings, so Perl evaluates $va . $vb as Sam catenated with uel, that is, as Samuel (see the output of the last print statement).

$ cat arrayvar3.pl
#!/usr/bin/perl -w
$v1 = 5; $v2 = 8;
$va = "Sam"; $vb = "uel";
@arrayvar3 = ($v1, $v1 * 2, $v1 * $v2, "Max", "Zach", $va . $vb);
print $arrayvar3[2], "\n";          # one element of an array is a scalar
print @arrayvar3[2,4], "\n";        # two elements of an array are a list
print @arrayvar3[2..4], "\n\n";     # a slice
print "@arrayvar3[2,4]", "\n";      # a list, elements separated by SPACEs
print "@arrayvar3[2..4]", "\n\n";   # a slice, elements separated by SPACEs
print "@arrayvar3\n";               # an array, elements separated by SPACEs
$ ./arrayvar3.pl
40
40Zach
40MaxZach

40 Zach
40 Max Zach

5 10 40 Max Zach Samuel

The first print statement in arrayvar3.pl displays the third element (the element with an index of 2) of the @arrayvar3 array. This statement uses $ in place of @ because it refers to a single element of the array. The subsequent print statements use @ because they refer to more than one element. Within the brackets that specify an array subscript, two subscripts separated by a comma specify two elements of an array. The second print statement, for example, displays the third and fifth elements of the array.

Array slice: When you separate two elements of an array with two dots (..; the range operator), Perl substitutes all elements between and including the two specified elements. A portion of an array comprising elements is called a slice. The third print statement in the preceding example displays the elements with indexes 2, 3, and 4 (the third, fourth, and fifth elements) as specified by 2..4.
Perl puts no SPACEs between the elements it displays. Within a print statement, when you enclose an array variable, including its subscripts, within double quotation marks, Perl puts a SPACE between each of the elements. The fourth and fifth print statements in the preceding example illustrate this syntax. The last print statement displays the entire array, with elements separated by SPACEs.

shift, push, pop, and splice: The next example demonstrates several functions you can use to manipulate arrays. The example uses the @colors array, which is initialized to a list of seven colors. The shift function returns and removes the first element of an array, push adds an element to the end of an array, and pop returns and removes the last element of an array. The splice function replaces elements of an array with another list; in the example, splice inserts the @ins array starting at index 1 (the second element), replacing two elements of the array. See use feature 'say' on page 1047 if this program complains about say not being available. See the perlfunc man page for more information on the functions described in this paragraph.
$ cat ./shift1.pl
#!/usr/bin/perl -w
@colors = ("red", "orange", "yellow", "green", "blue", "indigo", "violet");
say "                              Display array: @colors";
say "   Display and remove first element of array: ", shift (@colors);
say "         Display remaining elements of array: @colors";
push (@colors, "WHITE");
say "     Add element to end of array and display: @colors";
say "    Display and remove last element of array: ", pop (@colors);
say "         Display remaining elements of array: @colors";
@ins = ("GRAY", "FERN");
splice (@colors, 1, 2, @ins);
say "Replace second and third elements of array: @colors";
$ ./shift1.pl
                              Display array: red orange yellow green blue indigo violet
   Display and remove first element of array: red
         Display remaining elements of array: orange yellow green blue indigo violet
     Add element to end of array and display: orange yellow green blue indigo violet WHITE
    Display and remove last element of array: WHITE
         Display remaining elements of array: orange yellow green blue indigo violet
Replace second and third elements of array: orange GRAY FERN blue indigo violet

HASH VARIABLES

A hash variable, sometimes called an associative array variable, is a plural data structure that holds a collection of key-value pairs. It uses strings as keys (indexes) and is optimized to return a value quickly when given a key. Each key must be a unique scalar. Hashes are unordered; arrays (page 1053) are ordered. When you assign a hash to a list, the key-value pairs are preserved, but their order is neither alphabetical nor the order in which they were inserted into the hash; instead, the order is effectively random. Perl provides two syntaxes to assign values to a hash.
The first uses a single assignment statement for each key-value pair:

$ cat hash1.pl
#!/usr/bin/perl -w
$hashvar1{boat} = "tuna";
$hashvar1{"number five"} = 5;
$hashvar1{4} = "fish";
@arrayhash1 = %hashvar1;
say "@arrayhash1";
$ ./hash1.pl
boat tuna 4 fish number five 5

Within an assignment statement, the key is located within braces to the left of the equal sign; the value is on the right side of the equal sign. As illustrated in the preceding example, keys and values can take on either numeric or string values. You do not need to quote string keys unless they contain SPACEs or other characters that are not legal in an identifier. This example also shows that you can display the keys and values held by a hash, each separated from the next by a SPACE, by assigning the hash to an array variable and then printing that variable enclosed within double quotation marks.

The next example shows the other way of assigning values to a hash and illustrates how to use the keys and values functions to extract keys and values from a hash. After assigning values to the %hash2 hash, hash2.pl calls the keys function with an argument of %hash2 and assigns the resulting list of keys to the @array_keys array. The program then uses the values function to assign values to the @array_values array.

$ cat hash2.pl
#!/usr/bin/perl -w
%hash2 = (
    boat => "tuna",
    "number five" => 5,
    4 => "fish",
);
@array_keys = keys(%hash2);
say "  Keys: @array_keys";
@array_values = values(%hash2);
say "Values: @array_values";
$ ./hash2.pl
  Keys: boat 4 number five
Values: tuna fish 5

Because Perl automatically quotes a single word that appears to the left of the => operator, you do not need quotation marks around boat in the third line of this program. However, removing the quotation marks from around number five would generate an error because the string contains a SPACE. The order in which keys and values return elements is the same for both functions (so @array_keys and @array_values line up), but it is not the insertion order and may differ from one run to the next.

CONTROL STRUCTURES

Control flow statements alter the order of execution of statements within a Perl program.
Starting on page 954, Chapter 27 discusses bash control structures in detail and includes flow diagrams. Perl control structures perform the same functions as their bash counterparts, although the two languages use different syntaxes. The description of each control structure in this section references the discussion of the same control structure under bash.

In the syntax descriptions in this section, expr stands for an expression you supply to cause the structure to have the desired effect, the keywords Perl uses to identify the control structure (if, unless, else) must appear exactly as shown, and {...} represents a block (page 1045) of statements. Many of these structures use an expression, denoted as expr, to control their execution. See if/unless (next) for an example and explanation of a syntax description.

if/unless: The if and unless control structures are compound statements that have the following syntax:

if (expr) {...}
unless (expr) {...}

These structures differ only in the sense of the test they perform. The if structure executes the block of statements if expr evaluates to true; unless executes the block of statements unless expr evaluates to true (i.e., if expr is false). The if is a keyword; it must appear exactly as shown. The expr is an expression; Perl evaluates it and executes the block (page 1045) of statements represented by {...} if the expression evaluates as required by the control structure.

File test operators: The expr in the following example, -r "memo1", uses the -r file test operator to determine if a file named memo1 exists in the working directory and if the file is readable. Although this operator tests only whether you have read permission for the file, the file must exist for you to have read permission; thus it implicitly tests that the file is present. (Perl uses the same file test operators as bash; see Table 27-1 on page 957.)
If this expression evaluates to true, Perl executes the block of statements (in this case one statement) between the braces. If the expression evaluates to false, Perl skips the block of statements. In either case, Perl then exits and returns control to the shell.

CHAPTER 28 THE PERL SCRIPTING LANGUAGE

$ cat if1.pl
#!/usr/bin/perl -w
if (-r "memo1") {
    say "The file 'memo1' exists and is readable.";
}

$ ./if1.pl
The file 'memo1' exists and is readable.

Following is the same program written using the postfix if syntax. Which syntax you use depends on which part of the statement is more important to someone reading the code.

$ cat if1a.pl
#!/usr/bin/perl -w
say "The file 'memo1' exists and is readable." if (-r "memo1");

The next example uses a print statement to display a prompt on standard output and uses the statement $entry = <>; to read a line from standard input and assign the line to the variable $entry. Reading from standard input, working with other files, and use of the magic file handle (<>) for reading files specified on the command line are covered on page 1066.

Comparison operators
Perl uses different operators to compare numbers from those it uses to compare strings. Table 28-2 lists numeric and string comparison operators. In the following example, the expression in the if statement uses the == numeric comparison operator to compare the value the user entered and the number 28. This operator performs a numeric comparison, so the user can enter 28, 28.0, or 00028 and in all cases the result of the comparison will be true. Also, because the comparison is numeric, Perl ignores both the whitespace around and the NEWLINE following the user's entry. When the user enters a value that is not a number, Perl uses whatever leading part of the string looks like a number (28abc counts as 28, and a string with no leading digits counts as 0); the -w option causes Perl to issue a warning when it has to do this, whereas without -w the conversion is silent and a nonnumeric entry simply makes the comparison false.
$ cat if2.pl
#!/usr/bin/perl -w
print "Enter 28: ";
$entry = <>;
if ($entry == 28) {      # use == for a numeric comparison
    print "Thank you for entering 28.\n";
}
print "End.\n";

$ ./if2.pl
Enter 28: 28.0
Thank you for entering 28.
End.

Table 28-2  Comparison operators

Numeric    String    Value returned based on the relationship between the
operator   operator  values preceding and following the operator
--------   --------  -----------------------------------------------------
==         eq        True if equal
!=         ne        True if not equal
<          lt        True if less than
>          gt        True if greater than
<=         le        True if less than or equal
>=         ge        True if greater than or equal
<=>        cmp       0 if equal, 1 if greater than, -1 if less than

The next program is similar to the preceding one, except it tests for equality between two strings. The chomp function (page 1067) removes the trailing NEWLINE from the user's entry; without this function the strings in the comparison would never match. The eq comparison operator compares strings. In this example the result of the string comparison is true when the user enters the string five. Leading or trailing whitespace will yield a result of false, as would the string 5, although none of these entries would generate a warning because they are legitimate strings.

$ cat if2a.pl
#!/usr/bin/perl -w
print "Enter the word 'five': ";
$entry = <>;
chomp ($entry);
if ($entry eq "five") {      # use eq for a string comparison
    print "Thank you for entering 'five'.\n";
}
print "End.\n";

$ ./if2a.pl
Enter the word 'five': five
Thank you for entering 'five'.
End.

if...else
The if...else control structure is a compound statement that is similar to the bash if...then...else control structure (page 958). It implements a two-way branch using the following syntax:

if (expr) {...} else {...}

die
The next program prompts the user for two different numbers and stores those numbers in $num1 and $num2. If the user enters the same number twice, an if structure executes a die function, which sends its argument to standard error and aborts program execution.
If the user enters different numbers, the if...else structure reports which number is larger. Because expr performs a numeric comparison, the program accepts numbers that include decimal points.

$ cat ifelse.pl
#!/usr/bin/perl -w
print "Enter a number: ";
$num1 = <>;
print "Enter another, different number: ";
$num2 = <>;
if ($num1 == $num2) {
    die ("Please enter two different numbers.\n");
}
if ($num1 > $num2) {
    print "The first number is greater than the second number.\n";
}
else {
    print "The first number is less than the second number.\n";
}

$ ./ifelse.pl
Enter a number: 8
Enter another, different number: 8
Please enter two different numbers.

$ ./ifelse.pl
Enter a number: 5.5
Enter another, different number: 5
The first number is greater than the second number.

if...elsif...else
Similar to the bash if...then...elif control structure (page 961), the Perl if...elsif...else control structure is a compound statement that implements a nested set of if...else structures using the following syntax:

if (expr) {...} elsif (expr) {...}... else {...}

The next program implements the functionality of the preceding ifelse.pl program using an if...elsif...else structure. A print statement replaces the die statement because the last statement in the program displays the error message; the program terminates after executing this statement anyway. You can use the STDERR handle (page 1066) to cause Perl to send this message to standard error instead of standard output.
$ cat ifelsif.pl
#!/usr/bin/perl -w
print "Enter a number: ";
$num1 = <>;
print "Enter another, different number: ";
$num2 = <>;
if ($num1 > $num2) {
    print "The first number is greater than the second number.\n";
}
elsif ($num1 < $num2) {
    print "The first number is less than the second number.\n";
}
else {
    print "Please enter two different numbers.\n";
}

foreach/for
The Perl foreach and for keywords are synonyms; you can replace one with the other in any context. These structures are compound statements that have two syntaxes. Some programmers use one syntax with foreach and the other syntax with for, although there is no need to do so. This book uses foreach with both syntaxes.

foreach: SYNTAX 1
The first syntax for the foreach structure is similar to the shell's for...in structure (page 967):

foreach|for [var] (list) {...}

where list is a list of expressions or variables. Perl executes the block of statements once for each item in list, sequentially assigning to var the value of one item in list on each iteration, starting with the first item. If you do not specify var, Perl assigns values to the $_ variable (page 1065).

The following program demonstrates a simple foreach structure. On the first pass through the loop, Perl assigns the string Mo to the variable $item and the say statement displays the value of this variable followed by a NEWLINE. On the second and third passes through the loop, $item is assigned the values Larry and Curly. When there are no items left in the list, Perl continues with the statement following the foreach structure. In this case, the program terminates. See use feature 'say' on page 1047 if this program complains about say not being available.

$ cat foreach.pl
foreach $item ("Mo", "Larry", "Curly") {
    say "$item says hello.";
}

$ perl foreach.pl
Mo says hello.
Larry says hello.
Curly says hello.
Using $_ (page 1065), you can write this program as follows:

$ cat foreacha.pl
foreach ("Mo", "Larry", "Curly") {
    say "$_ says hello.";
}

Following is the program using an array:

$ cat foreachb.pl
@stooges = ("Mo", "Larry", "Curly");
foreach (@stooges) {
    say "$_ says hello.";
}

Following is the program using the foreach postfix syntax:

$ cat foreachc.pl
@stooges = ("Mo", "Larry", "Curly");
say "$_ says hello." foreach @stooges;

The loop variable ($item and $_ in the preceding examples) references the elements in the list within the parentheses. When you modify the loop variable, you modify the element in the list. The uc function returns an uppercase version of its argument. The next example shows that modifying the loop variable $stooge modifies the @stooges array:

$ cat foreachd.pl
@stooges = ("Mo", "Larry", "Curly");
foreach $stooge (@stooges) {
    $stooge = uc $stooge;
    say "$stooge says hello.";
}
say "$stooges[1] is uppercase";

$ perl foreachd.pl
MO says hello.
LARRY says hello.
CURLY says hello.
LARRY is uppercase

See page 1069 for an example that loops through command-line arguments.

last and next
Perl's last and next statements allow you to interrupt a loop; they are analogous to the Bourne Again Shell's break and continue statements (page 976). The last statement transfers control to the statement following the block of statements controlled by the loop structure, terminating execution of the loop. The next statement transfers control to the end of the block of statements, which continues execution of the loop with the next iteration. In the following program, the if structure tests whether $item is equal to the string two; if it is, the structure executes the next statement, which skips the say statement and continues with the next iteration of the loop. If you replaced next with last, Perl would exit from the loop and not display three.
See use feature 'say' on page 1047 if this program complains about say not being available.

$ cat foreach1.pl
foreach $item ("one", "two", "three") {
    if ($item eq "two") {
        next;
    }
    say "$item";
}

$ perl foreach1.pl
one
three

foreach: SYNTAX 2
The second syntax for the foreach structure is similar to the C for structure:

foreach|for (expr1; expr2; expr3) {...}

The expr1 initializes the foreach loop; Perl evaluates expr1 one time, before it executes the block of statements. The expr2 is the termination condition; Perl evaluates it before each pass through the block of statements and executes the block of statements if expr2 evaluates as true. Perl evaluates expr3 after each pass through the block of statements; it typically increments a variable that is part of expr2.

In the next example, the foreach2.pl program prompts for a starting number, an ending number, and an increment; displays the starting number; repeatedly adds the increment to it, displaying each result, until the result would be greater than the ending number; and quits. See page 1066 for a discussion of the magic file handle (<>).

$ cat foreach2.pl
#!/usr/bin/perl -w
print "Enter starting number: ";
$start = <>;
print "Enter ending number: ";
$end = <>;
print "Enter increment: ";
$incr = <>;
if ($start >= $end || $incr < 1) {
    die ("The starting number must be less than the ending number\n",
         "and the increment must be greater than zero.\n");
}
foreach ($count = $start+0; $count <= $end; $count += $incr) {
    say "$count";
}

$ ./foreach2.pl
Enter starting number: 2
Enter ending number: 10
Enter increment: 3
2
5
8

After prompting for three numbers, the preceding program tests whether the starting number is greater than or equal to the ending number or whether the increment is less than 1.
The || is a Boolean OR operator; the expression within the parentheses following if evaluates to true if either the expression before or the expression after this operator evaluates to true. The foreach statement begins by assigning the value of $start+0 to $count. Adding 0 (zero) to the string $start forces Perl to work in a numeric context, removing the trailing NEWLINE when it performs the assignment. Without this fix, the program would display an extra NEWLINE following the first number it displayed.

while/until
The while (page 970) and until (page 974) control structures are compound statements that implement conditional loops using the following syntax:

while (expr) {...}
until (expr) {...}

These structures differ only in the sense of their termination conditions. The while structure repeatedly executes the block of statements while expr evaluates to true; until continues until expr evaluates to true (i.e., while expr remains false).

The following example demonstrates one technique for reading and processing input until there is no more input. Although this example shows input coming from the user (standard input), the technique works the same way for input coming from a file (see the example on page 1068). The user enters CONTROL-D on a line by itself to signal the end of file.

In this example, expr is $line = <>. This statement uses the magic file handle (<>; page 1066) to read one line from standard input and assigns the string it reads to the $line variable. This statement evaluates to true as long as it reads data. When it reaches the end of file, the statement evaluates to false. (Perl silently wraps an assignment from a file handle in a while condition with defined, so a final line that contains only 0 and no NEWLINE does not end the loop early.) The while loop continues to execute the block of statements (in this example, only one statement) as long as there is data to read.

$ cat while1.pl
#!/usr/bin/perl -w
$count = 0;
while ($line = <>) {
    print ++$count, ". $line";
}
print "\n$count lines entered.\n";

$ ./while1.pl
Good Morning.
1. Good Morning.
Today is Monday.
2. Today is Monday.
CONTROL-D

2 lines entered.

In the preceding example, $count keeps track of the number of lines the user enters. Putting the ++ increment operator before a variable (++$count; called a preincrement operator) increments the variable before Perl evaluates it. Alternatively, you could initialize $count to 1 and increment it with $count++ (postincrement), but then in the final print statement $count would equal one more than the number of lines entered.

$.
The $. variable keeps track of the number of lines of input a program has read. Using $. you can rewrite the previous example as follows:

$ cat while1a.pl
#!/usr/bin/perl -w
while ($line = <>) {
    print $., ". $line";
}
print "\n$. lines entered.\n";

$_
Frequently you can simplify Perl code by using the $_ variable. You can use $_ many places in a Perl program; think of $_ as meaning it, the object of what you are doing. It is the default operand for many operations. For example, the following section of code processes a line using the $line variable. It reads a line into $line, removes any trailing NEWLINE from $line using chomp (page 1067), and checks whether a regular expression matches $line.

while (my $line = <>) {
    chomp $line;
    if ($line =~ /regex/) ...
}

You can rewrite this code by using $_ to replace $line (the lexical form my $_ that older Perl releases accepted was removed in Perl 5.24, so $_ is used here without my):

while ($_ = <>) {
    chomp $_;
    if ($_ =~ /regex/) ...
}

Because $_ is the default operand in each of these instances, you can also omit $_ altogether:

while (<>) {            # read into $_
    chomp;              # chomp $_
    if (/regex/) ...    # if $_ matches regex
}

WORKING WITH FILES

Opening a file and assigning a handle
A handle is a name that you can use in a Perl program to refer to a file or process that is open for reading and/or writing. When you are working with the shell, handles are referred to as file descriptors (page 987).
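The while loop, next and last, $_, $. and a hash, all from the preceding sections, combined in one program. This is an added example (the editor's code, not the book's); the input is a few constructed lines in the style of an SSH authentication log, read from an in-memory handle so the program runs by itself, and the pattern used to pick out the client address is an assumption about that constructed format, not a general log parser. The parenthesized part of the pattern is captured into $1.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input. In a real run you would read from <>, that is,
# from standard input or from the files named on the command line.
my $data = <<'END';
# comment lines are skipped
Jan 10 10:01:02 host sshd[101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jan 10 10:01:07 host sshd[102]: Failed password for admin from 203.0.113.5 port 51130 ssh2
Jan 10 10:02:11 host sshd[103]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 10:03:45 host sshd[104]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
STOP
Jan 10 10:04:00 host sshd[105]: Failed password for root from 203.0.113.5 port 51140 ssh2
END

# Open the string as if it were a file; the three-argument open is explained
# in the next section.
open(my $in, '<', \$data) or die "Cannot open in-memory input: $!\n";

my %failed;          # hash: client address => number of failed logins
my $processed = 0;   # lines that reached the matching step

while (my $line = <$in>) {
    chomp $line;
    next if $line =~ /^#/ or $line eq '';   # skip comments and blank lines
    last if $line eq 'STOP';                # sentinel: stop reading here
    $processed++;
    if ($line =~ /Failed password .* from (\S+) port/) {
        $failed{$1}++;                      # autovivifies the key on first sight
    }
}

# $. counts every line read, including the ones next and last skipped over;
# it is reset when the handle is closed, so report it before the close.
print "Read $. lines, processed $processed.\n";
close $in;

# Hash keys come out in no particular order; sort them for stable output.
foreach my $addr (sort keys %failed) {
    print "$addr: $failed{$addr} failed login(s)\n";
}
```

The loop reads six lines (the comment, four log lines and the sentinel), processes four of them, and counts two failures for 203.0.113.5 and one for 192.0.2.9; the line after STOP is never read. Replace the in-memory open with while (my $line = <>) to run it over real files.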
As when you are working with the shell, the kernel automatically opens handles for standard input (page 243), standard output (page 243), and standard error (page 297) before it runs a program. The kernel closes these descriptors after a program finishes running. The names for these handles are STDIN, STDOUT, and STDERR, respectively. You must manually open handles to read from or write to other files or processes. The syntax of an open statement is

open (file-handle, ['mode',] "file-ref");

where file-handle is the name of the handle or a variable you will use in the program to refer to the file or process named by file-ref. If you omit mode or specify a mode of <, Perl opens the file for input (reading). Specify mode as > to truncate and write to a file or as >> to append to a file. See page 1082 for a discussion of reading from and writing to processes.

When you omit mode, Perl looks for the mode inside file-ref itself: a leading >, >>, or < selects the mode, and a name that begins or ends with a | is run as a command with a pipe to or from it. If file-ref comes from a user or from a command-line argument, always supply mode as a separate argument so that the string is used only as a filename.

Writing to a file
The print function writes output to a file or process. The syntax of a print statement is

print [file-handle] "text";

where file-handle is the name of the handle you specified in an open statement and text is the information you want to output. The file-handle can also be STDOUT or STDERR, as explained earlier. Except when you send information to standard output, you must specify a handle in a print statement. Do not place a comma after file-handle. Also, do not enclose arguments to print within parentheses because doing so can create problems: Perl treats print (...) as a function call whose only arguments are the ones inside the parentheses, so anything that follows the closing parenthesis is not printed.

Reading from a file
The following expression reads one line, including the NEWLINE (\n), from the file or process associated with file-handle:

<file-handle>

This expression is typically used in a statement such as

$line = <IN>;

which reads into the variable $line one line from the file or process identified by the handle IN.

Magic file handle (<>)
To facilitate reading from files named on the command line or from standard input, Perl provides the magic file handle. This book uses this file handle in most examples.
In place of the preceding line, you can use

$line = <>;

This file handle causes a Perl program to work like many Linux utilities: It reads from standard input unless the program is called with one or more arguments, in which case it reads from the files named by the arguments. See page 248 for an explanation of how this feature works with cat.

The print statement in the first line in the next example includes the optional handle STDOUT; the next print statement omits this handle; the final print statement uses the STDERR file handle, which causes print's output to go to standard error. The first print statement prompts the user to enter something. The string that this statement outputs is terminated with a SPACE, not a NEWLINE, so the user can enter information on the same line as the prompt. The second line then uses a magic file handle to read one line from standard input, which it assigns to $userline. Because of the magic file handle, if you call file1.pl with an argument that is a filename, it reads one line from that file instead of from standard input. The command line that runs file1.pl uses 2> (see "File descriptors" on page 297) to redirect standard error (the output of the third print statement) to the file1.err file.

$ cat file1.pl
print STDOUT "Enter something: ";
$userline = <>;
print "1>>>$userline<<<\n";
chomp ($userline);
print "2>>>$userline<<<\n";
print STDERR "3. Error message.\n";

$ perl file1.pl 2> file1.err
Enter something: hi there
1>>>hi there
<<<
2>>>hi there<<<

$ cat file1.err
3. Error message.

chomp/chop
The two print statements following the user input in file1.pl display the value of $userline immediately preceded by greater than signs (>) and followed by less than signs (<). The first of these statements demonstrates that $userline includes a NEWLINE: The less than signs following the string the user entered appear on the line following the string.
The chomp function removes a trailing NEWLINE, if it exists, from a string. After chomp processes $userline, the print statement shows that this variable no longer contains a NEWLINE. (The chop function is similar to chomp, except it removes the last character of a string whatever that character is.)

The next example shows how to read from a file. It uses an open statement to assign the lexical file handle $infile to the file /usr/share/dict/words. Each iteration of the while structure evaluates an expression that reads a line from the file represented by $infile and assigns the line to $line. When while reaches the end of file, the expression evaluates to false; control then passes out of the while structure. The block of one statement displays the line as it was read from the file, including the NEWLINE.

This program copies /usr/share/dict/words to standard output. A pipe (|; page 170) is then used to send the output through head (page 166), which displays the first four lines of the file (the first line is blank).

$ cat file2.pl
open (my $infile, "/usr/share/dict/words") or die "Cannot open dictionary: $!\n";
while ($line = <$infile>) {
    print $line;
}

$ perl file2.pl | head -4

$!
The $! variable holds the last system error. In a numeric context, it holds the system error number; in a string context, it holds the system error string. If the words file is not present on the system, file2.pl displays the following message:

Cannot open dictionary: No such file or directory

If you do not have read permission for the file, the program displays this message:

Cannot open dictionary: Permission denied

Displaying the value of $! gives the user more information about what went wrong than simply saying that the program could not open the file.

Always check for an error when opening a file
tip  When a Perl program attempts to open a file and fails, the program does not display an error message unless it checks whether open returned an error.
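An added example of that check (the editor's code, not the book's), which also brings together the three-argument open, lexical handles, file test operators, $!, STDERR, @ARGV and close from this section. It writes a small constructed file with the standard File::Temp module so that it runs without any real input files; the three extra names it tries when no arguments are given (a missing file, the name id| and the working directory) are chosen to exercise the failure paths. With the two-argument form open(IN, $name), a name such as id| would be run as a command (perlfunc documents this); with the mode given separately it is only ever a filename.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Print the first line of each named file. Problems go to STDERR and the
# loop continues with the next name. Returns the number of files read.
sub first_lines {
    my @names = @_;
    my $ok = 0;
    foreach my $name (@names) {
        # Three-argument open: the mode '<' is a separate argument, so a
        # name like "id|" or ">x" is treated as a literal filename. The
        # two-argument form would interpret those characters as a pipe or
        # an output redirection.
        open(my $in, '<', $name) or do {
            print STDERR "Cannot open '$name': $!\n";   # $! is the system error
            next;
        };
        # File tests also work on an open handle: reject directories and
        # other non-regular files, which open happily accepts on Linux.
        unless (-f $in) {
            print STDERR "Skipping '$name': not a regular file\n";
            close $in;
            next;
        }
        my $line = <$in>;          # one line, NEWLINE included
        close $in;
        $line = "(empty file)\n" unless defined $line;
        print "$name: $line";
        $ok++;
    }
    return $ok;
}

# Constructed input: a temporary file with two lines, removed at exit.
my ($fh, $tmpname) = tempfile(UNLINK => 1);
print $fh "First line of the constructed file.\nSecond line.\n";
close $fh;

# Use the command-line arguments if there are any; otherwise try the
# constructed file plus three names that should fail in different ways.
my @files = @ARGV ? @ARGV : ($tmpname, "$tmpname.missing", "id|", ".");
my $n = first_lines(@files);
print "$n of ", scalar(@files), " files read.\n";
```

Run it with no arguments to see one success and three distinct errors on standard error, or as perl file.pl 2> file.err with your own filenames; either way the program never runs a command named by one of its arguments.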
In file2.pl, the or operator in the open statement causes Perl to execute die (page 1059) if open fails. The die statement sends the message Cannot open dictionary: followed by the system error string to standard error and terminates the program.

@ARGV
The @ARGV array holds the arguments from the command line Perl was called with. When you call the following program with a list of filenames, it displays the first line of each file. If the program cannot read a file, die (page 1059) sends an error message to standard error and quits.

The foreach structure loops through the command-line arguments, as represented by @ARGV, assigning each argument in turn to $filename. The foreach block starts with an open statement. Perl executes the open statement that precedes the OR Boolean operator (or) or, if that fails, Perl executes the statement following the or operator (die). The result is that Perl either opens the file named by $filename and assigns IN as its handle or, if it cannot open that file, executes the die statement and quits. Because $filename comes from the command line, the open statement gives the mode (<) as a separate argument; with the two-argument form, an argument such as id| would be run as a command instead of being opened as a file. The print statement displays the name of the file followed by a colon and the first line of the file. When it accepts $line = <IN> as an argument to print, Perl displays the value of $line following the assignment. After reading a line from a file, the program closes the file.

$ cat file3.pl
foreach $filename (@ARGV) {
    open (IN, '<', $filename) or die "Cannot open file '$filename': $!\n";
    print "$filename: ", $line = <IN>;
    close (IN);
}

$ perl file3.pl f1 f2 f3 f4
f1: First line of file f1.
f2: First line of file f2.
Cannot open file 'f3': No such file or directory

The next example is similar to the preceding one, except it takes advantage of several Perl features that make the code simpler. It does not quit when it cannot read a file. Instead, Perl displays an error message and continues. The first line of the program uses my to declare $filename to be a lexical variable.
Next, while uses the magic file handle to open and read each line of each file named by the command-line arguments; $ARGV holds the name of the file currently being read. When there are no more files to read, the while condition (<>) is false, while transfers control outside the while block, and the program terminates. Perl takes care of all file opening and closing operations; you do not have to write code to take care of these tasks. Perl also performs error checking.

The program displays the first line of each file named by a command-line argument. Each time through the while block, while reads another line. When it finishes with one file, it starts reading from the next file. Within the while block, if tests whether it is processing a new file. If it is, the if block displays the name of the file and the (first) line from the file and then assigns the new filename ($ARGV) to $filename.

$ cat file3a.pl
my $filename = "";
while (<>) {
    if ($ARGV ne $filename) {
        print "$ARGV: $_";
        $filename = $ARGV;
    }
}

$ perl file3a.pl f1 f2 f3 f4
f1: First line of file f1.
f2: First line of file f2.
Can't open f3: No such file or directory at file3a.pl line 2, <> line 3.
f4: First line of file f4.

SORT

reverse
The sort function returns the elements of an array in order. By default it compares elements as strings, character code by character code, which is why every uppercase letter sorts before every lowercase letter; ordering that follows the locale (page 1157) environment applies only when the program says use locale. The reverse function is not related to sort; it simply returns the elements of an array in reverse order.

The first two lines of the following program assign values to the @colors array and display these values. Each of the next two pairs of lines uses sort to put the values in the @colors array in order, assign the result to @scolors, and display @scolors. These sorts put uppercase letters before lowercase letters. Observe the positions of Orange and Violet, both of which begin with an uppercase letter, in the sorted output.
The first assignment statement in these two pairs of lines uses the full sort syntax, including the block {$a cmp $b} that tells Perl to use the cmp operator, which compares strings, and to put the result in ascending order. When you omit the block in a sort statement, as is the case in the second assignment statement, Perl also performs an ascending textual sort.

$ cat sort3.pl
@colors = ("red", "Orange", "yellow", "green", "blue", "indigo", "Violet");
say "@colors";
@scolors = sort {$a cmp $b} @colors;          # ascending sort with
say "@scolors";                                #   an explicit block
@scolors = sort @colors;                       # ascending sort with
say "@scolors";                                #   an implicit block
@scolors = sort {$b cmp $a} @colors;          # descending sort
say "@scolors";
@scolors = sort {lc($a) cmp lc($b)} @colors;  # ascending folded sort
say "@scolors";

$ perl sort3.pl
red Orange yellow green blue indigo Violet
Orange Violet blue green indigo red yellow
Orange Violet blue green indigo red yellow
yellow red indigo green blue Violet Orange
blue green indigo Orange red Violet yellow

The third sort in the preceding example reverses the positions of $a and $b in the block to specify a descending sort. The last sort converts the strings to lowercase before comparing them, providing a sort wherein the uppercase letters are folded into the lowercase letters. As a result, Orange and Violet appear in alphabetical order.

To perform a numerical sort, specify the <=> operator in place of cmp. The following example demonstrates ascending and descending numerical sorts:

$ cat sort4.pl
@numbers = (22, 188, 44, 2, 12);
print "@numbers\n";
@snumbers = sort {$a <=> $b} @numbers;
print "@snumbers\n";
@snumbers = sort {$b <=> $a} @numbers;
print "@snumbers\n";

$ perl sort4.pl
22 188 44 2 12
2 12 22 44 188
188 44 22 12 2

SUBROUTINES

All variables are package variables (page 1045) unless you use the my function to define them to be lexical variables (page 1045).
Lexical variables defined in a subroutine are local to that subroutine. The following program includes a main part and a subroutine named add(). This program uses the variables named $one, $two, and $ans, all of which are package variables: They are available to both the main program and the subroutine. The call to the subroutine does not pass values to the subroutine and the subroutine returns no values. This setup is not typical: It demonstrates that all variables are package variables unless you use my to declare them to be lexical variables.

The subroutine1.pl program assigns values to two variables and calls a subroutine. The subroutine adds the values of the two variables and assigns the result to another variable. The main part of the program displays the result.

$ cat subroutine1.pl
$one = 1;
$two = 2;
add();
print "Answer is $ans\n";

sub add {
    $ans = $one + $two
}

$ perl subroutine1.pl
Answer is 3

The next example is similar to the previous one, except the subroutine takes advantage of a return statement to return a value to the main program. The program assigns the value returned by the subroutine to the variable $ans and displays that value. Again, all variables are package variables.

$ cat subroutine2.pl
$one = 1;
$two = 2;
$ans = add();
print "Answer is $ans\n";

sub add {
    return ($one + $two)
}

$ perl subroutine2.pl
Answer is 3

Keeping variables local to a subroutine is important in many cases. The subroutine in the next example changes the values of variables and insulates the calling program from these changes by declaring and using lexical variables. This setup is more typical.

@_
When you pass values in a call to a subroutine, Perl makes those values available in the array named @_ in the subroutine. Although @_ is local to the subroutine, its elements are aliases for the parameters the subroutine was called with.
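To see the aliasing in action, here is an added example (the editor's code, not the book's) with three subroutines: one that modifies $_[0] and so changes the caller's variable, one that copies its argument into a lexical variable and validates it before use, and one that receives a count and a flattened hash through @_ and uses the sort block syntax from the preceding section to return the keys with the largest values. The hash of counts is constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# $_[0] is an alias for the caller's variable, so incrementing it here
# increments the variable in the caller. Calling this with a literal
# (bump_in_place(5)) dies with "Modification of a read-only value attempted".
sub bump_in_place {
    $_[0]++;
    return $_[0];
}

# Copy the argument into a lexical variable first: the caller's variable is
# untouched, and a value that is not a whole number is rejected instead of
# being silently converted (12abc would otherwise count as 12).
sub bump_copy {
    my ($value) = @_;
    die "bump_copy: argument is not a whole number\n"
        unless defined $value && $value =~ /^-?\d+$/;
    $value++;
    return $value;
}

# Arguments arrive as one flat list: the first element is $n, the rest are
# key, value, key, value ... which the assignment rebuilds into %count.
# Returns up to $n keys, largest value first, ties broken by key.
sub top_n {
    my ($n, %count) = @_;
    my @keys = sort { $count{$b} <=> $count{$a} || $a cmp $b } keys %count;
    my $limit = $n < @keys ? $n : scalar @keys;
    return @keys[0 .. $limit - 1];
}

my $count = 1;
bump_in_place($count);
print "After bump_in_place, count is $count\n";      # the caller's variable changed

my $copy = bump_copy($count);
print "bump_copy returned $copy; count is still $count\n";

# eval catches the die so the program can show the rejection and continue.
eval { bump_copy('12abc'); 1 } or print "Rejected: $@";
eval { bump_in_place(5); 1 }   or print "Literal argument: $@";

# Constructed counts, as a program counting failed logins might build them.
my %failed = ('203.0.113.5' => 7, '198.51.100.7' => 2, '192.0.2.9' => 7);
print "Top 2: ", join(', ', top_n(2, %failed)), "\n";
```

The first two prints show the count going to 2 through the alias and then staying at 2 after bump_copy; the two eval lines print the error text from die and from Perl's read-only check; and top_n lists 192.0.2.9 before 203.0.113.5 because the tie on 7 is broken by comparing the keys as strings.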
Changing a value in the @_ array changes the value of the underlying variable, which may not be what you want. The next program avoids this pitfall by assigning the values passed to the subroutine to lexical variables.

The subroutine3.pl program calls the addplusone() subroutine with two variables as arguments and assigns the value returned by the subroutine to a variable. The first statement in the subroutine declares two lexical variables and assigns to them the values from the @_ array. The my function declares these variables to be lexical. (See the tip on lexical and package variables on page 1050.) Although you can use my without assigning values to the declared variables, the syntax in the example is more commonly used. The next two statements increment the lexical variables $lcl_one and $lcl_two. The print statement displays the value of $lcl_one within the subroutine. The return statement returns the sum of the two incremented, lexical variables.

$ cat subroutine3.pl
$one = 1;
$two = 2;
$ans = addplusone($one, $two);
print "Answer is $ans\n";
print "Value of 'lcl_one' in main: $lcl_one\n";
print "Value of 'one' in main: $one\n";

sub addplusone {
    my ($lcl_one, $lcl_two) = @_;
    $lcl_one++;
    $lcl_two++;
    print "Value of 'lcl_one' in sub: $lcl_one\n";
    return ($lcl_one + $lcl_two)
}

$ perl subroutine3.pl
Value of 'lcl_one' in sub: 2
Answer is 5
Value of 'lcl_one' in main:
Value of 'one' in main: 1

After displaying the result returned by the subroutine, the print statements in the main program demonstrate that $lcl_one is not defined in the main program (it is local to the subroutine) and that the value of $one has not changed.

The next example illustrates another way to work with parameters passed to a subroutine. This subroutine does not use variables other than the @_ array it was passed and does not change the values of any elements of that array.
$ cat subroutine4.pl
$one = 1;
$two = 2;
$ans = addplusone($one, $two);
print "Answer is $ans\n";

sub addplusone {
    return ($_[0] + $_[1] + 2);
}

$ perl subroutine4.pl
Answer is 5

The final example in this section presents a more typical Perl subroutine. The subroutine max() can be called with any number of numeric arguments and returns the value of the largest argument. It uses the shift function to assign to $biggest the value of the first argument the subroutine was called with and to shift the rest of the arguments. After using shift, argument number 2 becomes argument number 1 (8), argument 3 becomes argument 2 (64), and argument 4 becomes argument 3 (2). Next, foreach loops over the remaining arguments (@_). Each time through the foreach block, Perl assigns to $_ the value of each of the arguments, in order. The $biggest variable is assigned the value of $_ if $_ is bigger than $biggest. When max() finishes going through its arguments, $biggest holds the maximum value, which max() returns.

$ cat subroutine5.pl
$ans = max (16, 8, 64, 2);
print "Maximum value is $ans\n";

sub max {
    my $biggest = shift;    # Assign first and shift the rest of the arguments to max()
    foreach (@_) {          # Loop through remaining arguments
        $biggest = $_ if $_ > $biggest;
    }
    return ($biggest);
}

$ perl subroutine5.pl
Maximum value is 64

REGULAR EXPRESSIONS

Appendix A defines and discusses regular expressions as you can use them in many Linux utilities. All of the material in Appendix A applies to Perl, except as noted. In addition to the facilities described in Appendix A, Perl offers regular expression features that allow you to perform more complex string processing. This section reviews some of the regular expressions covered in Appendix A and describes some of the additional features of regular expressions available in Perl. It also introduces the syntax Perl uses for working with regular expressions.
CHAPTER 28 THE PERL SCRIPTING LANGUAGE

SYNTAX AND THE =~ OPERATOR

The -l option: The Perl -l option applies chomp to each line of input and places \n at the end of each line of output. The examples in this section use the Perl -l and -e (page 1046) options. Because the program must be specified as a single argument, the examples enclose the Perl programs within single quotation marks. The shell interprets the quotation marks and does not pass them to Perl.

Using other options with -e (tip): When you use another option with -e, the program must immediately follow the -e on the command line. Like many other utilities, Perl allows you to combine options following a single hyphen; if -e is one of the combined options, it must appear last in the list of options. Thus you can use perl -l -e or perl -le but not perl -e -l or perl -el.

/ is the default delimiter: By default, Perl delimits a regular expression with slashes (/). The first program uses the =~ operator to search for the pattern ge in the string aged. You can think of the =~ operator as meaning "contains." Using different terminology, the =~ operator determines whether the regular expression ge has a match in the string aged. The regular expression in this example contains no special characters; the string ge is part of the string aged. Thus the expression within the parentheses evaluates to true and Perl executes the print statement.

    $ perl -le 'if ("aged" =~ /ge/) {print "true";}'
    true

You can achieve the same functionality by using a postfix if statement:

    $ perl -le 'print "true" if "aged" =~ /ge/'
    true

!~: The !~ operator works in the opposite sense from the =~ operator.
The expression in the next example evaluates to true because the regular expression xy does not match any part of aged:

    $ perl -le 'print "true" if ("aged" !~ /xy/)'
    true

As explained on page 1091, a period within a regular expression matches any single character, so the regular expression a..d matches the string aged:

    $ perl -le 'print "true" if ("aged" =~ /a..d/)'
    true

You can use a variable to hold a regular expression. The following syntax quotes string as a regular expression:

    qr/string/

The next example uses this syntax to assign the regular expression /a..d/ (including the delimiters) to the variable $re and then uses that variable as the regular expression:

    $ perl -le '$re = qr/a..d/; print "true" if ("aged" =~ $re)'
    true

If you want to include the delimiter within a regular expression, you must quote it. In the next example, the default delimiter, a slash (/), appears in the regular expression. To keep Perl from interpreting the / in /usr as the end of the regular expression, the / that is part of the regular expression is quoted by preceding it with a backslash (\). See page 1093 for more information on quoting characters in regular expressions.

    $ perl -le 'print "true" if ("/usr/doc" =~ /\/usr/)'
    true

Quoting several characters by preceding each one with a backslash can make a complex regular expression harder to read. Instead, you can precede a delimited regular expression with m and use a paired set of characters, such as {}, as the delimiters.
In the following example, the caret (^) anchors the regular expression to the beginning of the line (page 1092):

    $ perl -le 'print "true" if ("/usr/doc" =~ m{^/usr})'
    true

You can use the same syntax when assigning a regular expression to a variable:

    $ perl -le '$pn = qr{^/usr}; print "true" if ("/usr/doc" =~ $pn)'
    true

Replacement string: Perl uses the syntax shown in the next example to substitute a string (the replacement string) for a matched regular expression. The syntax is the same as that found in vim and sed. In the second line of the example, an s before the regular expression instructs Perl to substitute the string between the second and third slashes (worst; the replacement string) for a match of the regular expression between the first two slashes (best). Implicit in this syntax is the notion that the substitution is made in the string held in the variable on the left of the =~ operator.

    $ cat re10a.pl
    $stg = "This is the best!";
    $stg =~ s/best/worst/;
    print "$stg\n";

    $ perl re10a.pl
    This is the worst!

Table 28-3 (on the next page) lists some of the characters, called metacharacters, that are considered special within Perl regular expressions. Give the command perldoc perlre for more information.

Table 28-3 Some Perl regular expression metacharacters

    Character        Matches
    ^ (caret)        Anchors a regular expression to the beginning of a line (page 1092)
    $ (dollar sign)  Anchors a regular expression to the end of a line (page 1092)
    (...)            Brackets a regular expression (page 1077)
    . (period)       Any single character except NEWLINE (\n; page 1091)
    \\               A backslash (\)
    \b               A word boundary (zero-width match)
    \B               A nonword boundary ([^\b])
    \d               A single decimal digit ([0-9])
    \D               A single nondecimal digit ([^0-9] or [^\d])
    \s (lowercase)   A single whitespace character: SPACE, NEWLINE, RETURN, TAB, FORMFEED
    \S (uppercase)   A single nonwhitespace character ([^\s])
    \w (lowercase)   A single word character (a letter, digit, or underscore; [a-zA-Z0-9_])
    \W (uppercase)   A single nonword character ([^\w])

GREEDY MATCHES

By default Perl performs greedy matching, which means a regular expression matches the longest string possible (page 1093). In the following example, the regular expression /{.*} / matches an opening brace followed by any string of characters, a closing brace, and a SPACE ({remove me} may have two {keep me} ). Perl substitutes a null string (//) for this match.

    $ cat re5a.pl
    $string = "A line {remove me} may have two {keep me} pairs of braces.";
    $string =~ s/{.*} //;
    print "$string\n";

    $ perl re5a.pl
    A line pairs of braces.

Nongreedy matches: The next example shows the classic way of matching the shorter brace-enclosed string from the previous example. This type of match is called nongreedy or parsimonious matching. Here the regular expression matches

1. An opening brace followed by
2. A character belonging to the character class (page 1091) that includes all characters except a closing brace ([^}]) followed by
3. Zero or more occurrences of the preceding character (*) followed by
4. A closing brace followed by
5. A SPACE.

(A caret as the first character of a character class specifies the class of all characters that do not match the following characters, so [^}] matches any character that is not a closing brace.)
    $ cat re5b.pl
    $string = "A line {remove me} may have two {keep me} pairs of braces.";
    $string =~ s/{[^}]*} //;
    print "$string\n";

    $ perl re5b.pl
    A line may have two {keep me} pairs of braces.

Perl provides a shortcut that allows you to specify a nongreedy match. In the following example, the question mark in {.*?} causes the regular expression to match the shortest string that starts with an opening brace followed by any string of characters followed by a closing brace.

    $ cat re5c.pl
    $string = "A line {remove me} may have two {keep me} pairs of braces.";
    $string =~ s/{.*?} //;
    print "$string\n";

    $ perl re5c.pl
    A line may have two {keep me} pairs of braces.

BRACKETING EXPRESSIONS

As explained on page 1094, you can bracket parts of a regular expression and recall those parts in the replacement string. Most Linux utilities use quoted parentheses [i.e., \( and \)] to bracket a regular expression. In Perl regular expressions, parentheses are special characters. Perl omits the backslashes and uses unquoted parentheses to bracket regular expressions. To specify a parenthesis as a regular character within a regular expression in Perl, you must quote it (page 1093).

The next example uses unquoted parentheses in a regular expression to bracket part of the expression. It then assigns the part of the string that the bracketed expression matched to the variable that held the string in which Perl originally searched for the regular expression. First the program assigns the string My name is Sam to $stg. The next statement looks for a match for the regular expression /My name is (.*)/ in the string held by $stg. The part of the regular expression bracketed by parentheses matches Sam; the $1 in the replacement string matches the first (and only, in this case) matched bracketed portion of the regular expression. The result is that the string held in $stg is replaced by the string Sam.
    $ cat re11.pl
    $stg = "My name is Sam";
    $stg =~ s/My name is (.*)/$1/;
    print "Matched: $stg\n";

    $ perl re11.pl
    Matched: Sam

The next example uses regular expressions to parse a string for numbers. Two variables are initialized to hold a string that contains two numbers. The third line of the program uses a regular expression to isolate the first number in the string. The \D* matches a string of zero or more characters that does not include a digit: The \D special character matches any single nondigit character. The trailing asterisk makes this part of the regular expression perform a greedy match that does not include a digit (it matches What is ). The bracketed regular expression \d+ matches a string of one or more digits. The parentheses do not affect what the regular expression matches; they allow the $1 in the replacement string to match what the bracketed regular expression matched. The final .* matches the rest of the string. This line assigns the value of the first number in the string to $string. The next line is similar but assigns the second number in the string to $string2. The print statements display the numbers and the result of subtracting the second number from the first.

    $ cat re8.pl
    $string = "What is 488 minus 78?";
    $string2 = $string;
    $string =~ s/\D*(\d+).*/$1/;
    $string2 =~ s/\D*\d+\D*(\d+).*/$1/;
    print "$string\n";
    print "$string2\n";
    print $string - $string2, "\n";

    $ perl re8.pl
    488
    78
    410

The next few programs show some of the pitfalls of using unquoted parentheses in regular expressions when you do not intend to bracket part of the regular expression. The first of these programs attempts to match parentheses in a string with unquoted parentheses in a regular expression, but fails. The regular expression ag(ed) matches the same string as the regular expression aged because the parentheses are special characters; the regular expression does not match the string ag(ed).
    $ perl -le 'if ("ag(ed)" =~ /ag(ed)/) {print "true";} else {print "false";}'
    false

The regular expression in the next example quotes the parentheses by preceding each with a backslash, causing Perl to interpret them as regular characters. The match is successful.

    $ perl -le 'if ("ag(ed)" =~ /ag\(ed\)/) {print "true";} else {print "false";}'
    true

Next, Perl finds an unmatched parenthesis in a regular expression:

    $ perl -le 'if ("ag(ed)" =~ /ag(e/) {print "true";} else {print "false";}'
    Unmatched ( in regex; marked by <-- HERE in m/ag( <-- HERE e/ at -e line 1.

When you quote the parenthesis, all is well and Perl finds a match:

    $ perl -le 'if ("ag(ed)" =~ /ag\(e/) {print "true";} else {print "false";}'
    true

CPAN MODULES

CPAN (Comprehensive Perl Archive Network) provides Perl documentation, FAQs, modules (page 1045), and scripts on its Web site (www.cpan.org). It holds more than 16,000 distributions (page 1045) and provides links, mailing lists, and versions of Perl compiled to run under various operating systems (ports of Perl). One way to locate a module is to visit search.cpan.org and use the search box or click one of the classes of modules listed on that page. This section explains how to download a module from CPAN and how to install and run the module.

Perl provides a hierarchical namespace for modules, separating components of a name with double colons (::). The example in this section uses the module named Timestamp::Simple, which you can read about and download from search.cpan.org/dist/Timestamp-Simple. The timestamp is the date and time in the format YYYYMMDDHHMMSS.

To use a Perl module, you first download the file that holds the module. For this example, the search.cpan.org/~shoop/Timestamp-Simple-1.01/Simple.pm Web page has a link on the right side labeled Download. Click this link and save the file to the directory you want to work in.
You do not need to work as a privileged user until the last step of this procedure, when you install the module. Most Perl modules come as compressed tar files (page 176). With the downloaded file in the working directory, decompress the file:

    $ tar xzvf Timestamp-Simple-1.01.tar.gz
    Timestamp-Simple-1.01/
    Timestamp-Simple-1.01/Simple.pm
    Timestamp-Simple-1.01/Makefile.PL
    Timestamp-Simple-1.01/README
    Timestamp-Simple-1.01/test.pl
    Timestamp-Simple-1.01/Changes
    Timestamp-Simple-1.01/MANIFEST
    Timestamp-Simple-1.01/ARTISTIC
    Timestamp-Simple-1.01/GPL
    Timestamp-Simple-1.01/META.yml

The README file in the newly created directory usually provides instructions for building and installing the module. Most modules follow the same steps. Keep in mind that Makefile.PL, test.pl, and the module source are Perl code that runs with your privileges during the build, and that the final step runs with root privileges, so look them over before building a module obtained from a source you do not trust.

    $ cd Timestamp-Simple-1.01
    $ perl Makefile.PL
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Timestamp::Simple

If the module you are building depends on other modules that are not installed on the local system, running perl Makefile.PL will display one or more warnings about prerequisites that are not found. This step writes out the makefile even if modules are missing. In this case the next step will fail, and you must build and install missing modules before continuing.

The next step is to run make on the makefile you just created. After you run make, run make test to be sure the module is working.

    $ make
    cp Simple.pm blib/lib/Timestamp/Simple.pm
    Manifying blib/man3/Timestamp::Simple.3pm
    $ make test
    PERL_DL_NONLAZY=1 /usr/bin/perl "-Iblib/lib" "-Iblib/arch" test.pl
    1..3
    # Running under perl version 5.010000 for linux
    # Current time local: Fri Sep  3 18:20:41 2010
    # Current time GMT:   Sat Sep  4 01:20:41 2010
    # Using Test.pm version 1.25
    ok 1
    ok 2
    ok 3

Finally, running with root privileges, install the module:

    $ sudo make install
    Installing /usr/local/share/perl/5.10.0/Timestamp/Simple.pm
    Installing /usr/local/man/man3/Timestamp::Simple.3pm
    Writing /usr/local/lib/perl/5.10.0/auto/Timestamp/Simple/.packlist
    Appending installation info to /usr/local/lib/perl/5.10.0/perllocal.pod

Once you have installed a module, you can use perldoc to display the documentation that tells you how to use the module. See page 1043 for an example.

Some modules contain SYNOPSIS sections. If the module you installed includes such a section, you can test the module by putting the code from the SYNOPSIS section in a file and running it as a Perl program:

    $ cat times.pl
    use Timestamp::Simple qw(stamp);
    print stamp, "\n";

    $ perl times.pl
    20100904182627

You can then incorporate the module in a Perl program. The following example uses the timestamp module to generate a unique filename:

    $ cat fn.pl
    use Timestamp::Simple qw(stamp);

    # Save timestamp in a variable
    $ts = stamp;

    # Strip off the year
    $ts =~ s/....(.*)/$1/;

    # Create a unique filename
    $fn = "myfile." . $ts;

    # Open, write to, and close the file
    open (OUTFILE, '>', "$fn") or die "Cannot open $fn: $!\n";
    print OUTFILE "Hi there.\n";
    close (OUTFILE);

    $ perl fn.pl
    $ ls myfile.*
    myfile.0905183010

substr: You can use the substr function in place of the regular expression to strip off the year. To do so, replace the line that starts with $ts =~ with the following line. Here, substr takes on the value of the string $ts starting at position 4 and continuing to the end of the string:

    $ts = substr ($ts, 4);

EXAMPLES

This section provides some sample Perl programs. First try running these programs as is, and then modify them to learn more about programming with Perl.
The first example runs under Linux and displays the list of groups that the user given as an argument is a member of. Without an argument, it displays the list of groups that the user running the program is a member of.

In a Perl program, the %ENV hash holds the environment variables from the shell that called Perl. The keys in this hash are the names of environment variables; the values in this hash are the values of the corresponding variables. The statement $user = shift || $ENV{"USER"}; assigns a username to $user. The shift function (page 1055) takes on the value of the first command-line argument and shifts the rest of the arguments, if any remain. If the user runs the program with an argument, that argument is assigned to $user. If no argument appears on the command line, shift fails and Perl executes the statement following the Boolean OR (||). This statement extracts the value associated with the USER key in %ENV, which is the name of the user running the program.

Accepting output from a process: The statement @list = (); initializes the array @list. Although this statement is not required, it is good practice to include it to make the code easier to read. The next statement opens the $fh lexical handle. The trailing pipe symbol (|) in the file-ref (page 1066) portion of this open statement tells Perl to pass the command line preceding the pipe symbol to the shell for execution and to accept standard output from the command when the program reads from the file handle. In this case the command uses grep to filter the /etc/group file (page 492) for lines containing the username held in $user. Because the shell, not Perl, parses that command line, any shell metacharacters in $user (a semicolon, a backquote, a dollar sign) are interpreted by the shell; $user must therefore come from a trusted source or be validated before it is used this way. The die statement displays an error message if Perl cannot open the handle.
    $ cat groupfind.pl
    use feature 'say';    # say requires Perl 5.10 or later and this pragma

    $user = shift || $ENV{"USER"};
    say "User $user belongs to these groups:";
    @list = ();
    open (my $fh, "grep $user /etc/group |") or die "Error: $!\n";
    while ($group = <$fh>) {
        chomp $group;
        $group =~ s/(.*?):.*/$1/;
        push @list, $group;
    }
    close $fh;
    @slist = sort @list;
    say "@slist";

    $ perl groupfind.pl
    User sam belongs to these groups:
    adm admin audio cdrom dialout dip floppy kvm lpadmin ...

The while structure in groupfind.pl reads lines from standard output of grep and terminates when grep finishes executing. The name of the group appears first on each line in /etc/group, followed by a colon and other information, including the names of the users who belong to the group. Following is a line from this file:

    sam:x:1000:max,zach,helen

The line $group =~ s/(.*?):.*/$1/; uses a regular expression and substitution to remove everything except the name of the group from each line. The regular expression .*: would perform a greedy match of zero or more characters followed by a colon; putting a question mark after the asterisk causes the expression to perform a nongreedy match (page 1076). Putting parentheses around the part of the expression that matches the string the program needs to display enables Perl to use the string that the regular expression matches in the replacement string. The final .* matches the rest of the line. Perl replaces the $1 in the replacement string with the string the bracketed portion of the regular expression (the part between the parentheses) matched and assigns this value (the name of the group) to $group.

The chomp statement removes the trailing NEWLINE (the regular expression did not match this character). The push statement adds the value of $group to the end of the @list array. Without chomp, each group would appear on a line by itself in the output. After the while structure finishes processing input from grep, sort orders @list and assigns the result to @slist.
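The pipe-open in groupfind.pl hands a command line containing $user to /bin/sh, and grep selects any line that contains the username anywhere (a group named samba, or a member named samuel, matches "sam"). The following program is an added example, not code from the book: it performs the same lookup without a shell, by parsing /etc/group lines in Perl with split, and shows the list form of open for the case where an external command is wanted anyway. It also illustrates a point about the ^ and $ anchors from the regular expression section earlier in this chapter: $ matches before a trailing NEWLINE, so /^...$/ accepts "sam\n" while /\A...\z/ does not. The function names (valid_username, groups_from_lines, groups_via_pipe) and the sample group lines are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not from the book): a shell-free version of groupfind.pl.
use strict;
use warnings;
use feature 'say';

# groupfind.pl interpolates $user into a shell command:
#     open(my $fh, "grep $user /etc/group |")
# so a username such as 'x; rm -rf ~' is executed by /bin/sh. It also
# over-matches: "grep sam" selects a line for a group named samba.

# Validate the name before using it anywhere. Note the anchors: \A and \z
# bind to the absolute start and end of the string, whereas ^ and $ let
# "sam\n" (a name read from input without chomp) slip through.
sub valid_username {
    my ($name) = @_;
    return defined $name && $name =~ /\A[a-z_][a-z0-9_-]*\z/ ? 1 : 0;
}

# Parse lines in /etc/group format and return, sorted, the groups that list
# $user as a member (fourth field). No external command is involved.
sub groups_from_lines {
    my ($user, @lines) = @_;
    my @found;
    for my $line (@lines) {
        chomp $line;
        my ($group, undef, undef, $members) = split /:/, $line, 4;
        next unless defined $members;
        push @found, $group if grep { $_ eq $user } split /,/, $members;
    }
    return sort @found;
}

# If grep is wanted anyway, use the list form of open: each argument is
# passed directly to execvp(), and the shell never sees $user. The '--'
# keeps a name beginning with '-' from being taken as a grep option.
sub groups_via_pipe {
    my ($user) = @_;
    die "invalid username\n" unless valid_username($user);
    open(my $fh, '-|', 'grep', '--', $user, '/etc/group')
        or die "cannot run grep: $!\n";
    my @lines = <$fh>;
    close $fh;
    return groups_from_lines($user, @lines);   # still filters on membership
}

# Constructed sample data in /etc/group format (not a real system's file).
my @sample = (
    "root:x:0:",
    "adm:x:4:sam,zach",
    "audio:x:29:sam",
    "samba:x:120:helen",   # "grep sam" would select this line
    "sam:x:1000:",         # sam's private group; the member list is empty
);

my $user = shift // $ENV{USER};
die "invalid username\n" unless valid_username($user);
say "User $user belongs to these groups (sample data):";
say join ' ', groups_from_lines($user, @sample);    # for sam: adm audio

# The anchor caveat, demonstrated on a name with a trailing NEWLINE.
say '/^...$/ accepts "sam\n": ', ("sam\n" =~ /^[a-z_][a-z0-9_-]*$/ ? 'yes' : 'no');
say 'valid_username("sam\n") returns: ', valid_username("sam\n");
```

Run it as perl groupfind2.pl sam to see the sample results; call groups_via_pipe($user) instead of groups_from_lines($user, @sample) to query the real /etc/group through grep without involving a shell.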
The final statement displays the sorted list of groups the user belongs to.

opendir and readdir: The next example introduces the opendir and readdir functions. The opendir function opens a directory in a manner similar to the way open opens an ordinary file. It takes two arguments: the name of the directory handle and the name of the directory to open. The readdir function reads the name of a file from an open directory.

In the example, opendir opens the working directory (specified by .) using the $dir lexical directory handle. If opendir fails, Perl executes the statement following the or operator: die sends an error message to standard error and terminates the program. With the directory opened, while loops through the files in the directory, assigning the filename that readdir returns to the lexical variable $entry. An if statement executes print only for those files that are directories (-d). The print function displays the name of the directory unless the directory is named . or .. (the working directory and its parent). When readdir has read all files in the working directory, it returns false and control passes to the statement following the while block. The closedir function closes the open directory and print displays a NEWLINE following the list of directories the program displayed.

    $ cat dirs2a.pl
    #!/usr/bin/perl
    print "The working directory contains these directories:\n";
    opendir my $dir, '.' or die "Could not open directory: $!\n";
    while (my $entry = readdir $dir) {
        if (-d $entry) {
            print $entry, ' ' unless ($entry eq '.' || $entry eq '..');
        }
    }
    closedir $dir;
    print "\n";

    $ ./dirs2a.pl
    The working directory contains these directories:
    two one

split: The split function divides a string into substrings as specified by a delimiter. The syntax of a call to split is

    split (/re/, string);

where re is the delimiter, which is a regular expression (frequently a single regular character), and string is the string that is to be divided.
As the next example shows, you can assign the list that split returns to an array variable.

The next program runs under Linux and lists the usernames of users with UIDs greater than or equal to 100 listed in the /etc/passwd (page 494) file. It uses a while structure to read lines from passwd into $user, and it uses split to break the line into substrings separated by colons. The line that begins with @row assigns each of these substrings to an element of the @row array. The expression the if statement evaluates is true if the third substring (the UID) is greater than or equal to 100. This expression uses the >= numeric comparison operator because it compares two numbers; an alphabetic comparison would use the ge string comparison operator. The print statement sends the UID number and the associated username to the $sortout file handle. The open statement for this handle establishes a pipe that sends its output to sort -n. Because the sort utility (page 168) does not display any output until it finishes receiving all of the input, split3.pl does not display anything until it closes the $sortout handle, which it does when it finishes reading the passwd file.

    $ cat split3.pl
    #!/usr/bin/perl -w
    open ($pass, "/etc/passwd") or die "Cannot open /etc/passwd: $!\n";
    open ($sortout, "| sort -n") or die "Cannot run sort: $!\n";
    while ($user = <$pass>) {
        @row = split (/:/, $user);
        if ($row[2] >= 100) {
            print $sortout "$row[2] $row[0]\n";
        }
    }
    close ($pass);
    close ($sortout);

    $ ./split3.pl
    100 libuuid
    101 syslog
    102 klog
    103 avahi-autoipd
    104 pulse

The next example counts and displays the arguments it was called with, using @ARGV (page 1068). A foreach structure loops through the elements of the @ARGV array, which holds the command-line arguments. The ++ preincrement operator increments $count before it is displayed.

    $ cat 10.pl
    #!/usr/bin/perl -w
    $count = 0;
    $num = @ARGV;
    print "You entered $num arguments on the command line:\n";
    foreach $arg (@ARGV) {
        print ++$count, ". $arg\n";
    }

    $ ./10.pl apple pear banana watermelon
    You entered 4 arguments on the command line:
    1. apple
    2. pear
    3. banana
    4. watermelon

CHAPTER SUMMARY

Perl was written by Larry Wall in 1987. Since that time Perl has grown in size and functionality and is now a very popular language used for text processing, system administration, software development, and general-purpose programming. One of Perl's biggest assets is its support by thousands of third-party modules, many of which are stored in the CPAN repository.

The perldoc utility locates and displays local Perl documentation. It also allows you to document a Perl program by displaying lines of pod (plain old documentation) that you include in the program.

Perl provides three types of variables: scalar (singular variables that begin with a $), array (plural variables that begin with an @), and hash (also called associative arrays; plural variables that begin with a %). Array and hash variables both hold lists, but arrays are ordered while hashes are unordered.

Standard control flow statements allow you to alter the order of execution of statements within a Perl program. In addition, Perl programs can take advantage of subroutines that can include variables local to the subroutines (lexical variables).

Regular expressions are one of Perl's strong points. In addition to the same facilities that are available in many Linux utilities, Perl offers regular expression features that allow you to perform more complex string processing.

EXERCISES

1. What are two different ways to turn on warnings in Perl?
2. What is the difference between an array and a hash?
3. In each example, when would you use a hash and when would you use an array?
   a. Counting the number of occurrences of an IP address in a log file.
   b. Generating a list of users who are over disk quota for use in a report.
4. Write a regular expression to match a quoted string, such as He said, "Go get me the wrench," but I didn't hear him.
5. Write a regular expression to match an IP address in a log file.
6. Many configuration files contain many comments, including commented-out default configuration directives. Write a program to remove these comments from a configuration file.

ADVANCED EXERCISES

7. Write a program that removes and *.ico files from a directory hierarchy. (Hint: Use the File::Find module.)
8. Describe a programming mistake that Perl's warnings do not report on.
9. Write a Perl program that counts the number of files in the working directory and the number of bytes in those files, by filename extension.
10. Describe the difference between quoting strings using single quotation marks and using double quotation marks.
11. Write a program that copies all files with a .ico filename extension in a directory hierarchy to a directory named icons in your home directory. (Hint: Use the File::Find and File::Copy modules.)
12. Write a program that analyzes Apache logs. Display the number of bytes served by each path. Ignore unsuccessful page requests. If there are more than ten paths, display the first ten only. Following is a sample line from an Apache access log. The two numbers following the HTTP/1.1 are the response code and the byte count. A response code of 200 means the request was successful. A byte count of - (a hyphen) means no data was transferred.

    92.50.103.52 - - [19/Aug/2008:08:26:43 -0400] "GET /perl/automated-testing/next_active.gif HTTP/1.1" 200 980 "http://example.com/perl/automated-testing/navigation_bar.htm" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/3.0.0.6 (Fedora); Blazer/4.0"

PART VII APPENDIXES

    Appendix A  Regular Expressions            1089
    Appendix B  Help                           1099
    Appendix C  Security                       1109
    Appendix D  The Free Software Definition   1129

A REGULAR EXPRESSIONS

IN THIS APPENDIX

    Characters                    1090
    Delimiters                    1090
    Simple Strings                1090
    Special Characters            1090
    Rules                         1093
    Bracketing Expressions        1094
    The Replacement String        1094
    Extended Regular Expressions  1095

A regular expression defines a set of one or more strings of characters. A simple string of characters is a regular expression that defines one string of characters: itself. A more complex regular expression uses letters, numbers, and special characters to define many different strings of characters. A regular expression is said to match any string it defines.

This appendix describes the regular expressions used by ed, vim, emacs, grep, mawk/gawk, sed, Perl, and many other utilities. Refer to page 1073 for more information on Perl regular expressions. The regular expressions used in shell ambiguous file references are different and are described in "Filename Generation/Pathname Expansion" on page 256.

CHARACTERS

As used in this appendix, a character is any character except a NEWLINE. Most characters represent themselves within a regular expression. A special character, also called a metacharacter, is one that does not represent itself. If you need to use a special character to represent itself, you must quote it as explained on page 1093.

DELIMITERS

A character called a delimiter usually marks the beginning and end of a regular expression. The delimiter is always a special character for the regular expression it delimits (that is, it does not represent itself but marks the beginning and end of the expression). Although vim permits the use of other characters as a delimiter and grep does not use delimiters at all, the regular expressions in this appendix use a forward slash (/) as a delimiter. In some unambiguous cases, the second delimiter is not required. For example, you can sometimes omit the second delimiter when it would be followed immediately by RETURN.

SIMPLE STRINGS

The most basic regular expression is a simple string that contains no special characters except the delimiters.
A simple string matches only itself (Table A-1). In the examples in this appendix, the strings that are matched are underlined in the printed book.

Table A-1 Simple strings

    Regular expression   Matches    Examples
    /ring/               ring       ring, spring, ringing, stringing
    /Thursday/           Thursday   Thursday, Thursday's
    /or not/             or not     or not, poor nothing

SPECIAL CHARACTERS

You can use special characters within a regular expression to cause the regular expression to match more than one string. A regular expression that includes a special character always matches the longest possible string, starting as far toward the beginning (left) of the line as possible.

PERIODS

A period (.) matches any character (Table A-2).

Table A-2 Periods

    Regular expression   Matches                                                                        Examples
    / .alk/              All strings consisting of a SPACE followed by any character followed by alk    will talk, may balk
    /.ing/               All strings consisting of any character preceding ing                         singsong, ping, before inglenook

BRACKETS

Brackets ([]) define a character class(1) that matches any single character within the brackets (Table A-3). If the first character following the left bracket is a caret (^), the brackets define a character class that matches any single character not within the brackets. You can use a hyphen to indicate a range of characters. Within a character-class definition, backslashes and asterisks (described in the following sections) lose their special meanings. A right bracket (appearing as a member of the character class) can appear only as the first character following the left bracket. A caret is special only if it is the first character following the left bracket. A dollar sign is special only if it is followed immediately by the right bracket.
Table A-3 Brackets

    Regular expression   Matches                                                          Examples
    /[bB]ill/            Member of the character class b and B followed by ill            bill, Bill, billed
    /t[aeiou].k/         t followed by a lowercase vowel, any character, and a k          talkative, stink, teak, tanker
    /# [6-9]/            # followed by a SPACE and a member of the character class 6 through 9   # 60, # 8:, get # 9
    /[^a-zA-Z]/          Any character that is not a letter (ASCII character set only)    1, 1,, 1, Stop!

(1) GNU documentation calls these List Operators and defines Character Class operators as expressions that match a predefined group of characters, such as all numbers (page 1140).

ASTERISKS

An asterisk can follow a regular expression that represents a single character (Table A-4). The asterisk represents zero or more occurrences of a match of the regular expression. An asterisk following a period matches any string of characters. (A period matches any character, and an asterisk matches zero or more occurrences of the preceding regular expression.) A character-class definition followed by an asterisk matches any string of characters that are members of the character class.

Table A-4 Asterisks

    Regular expression   Matches                                                              Examples
    /ab*c/               a followed by zero or more b's followed by a c                       ac, abc, abbc, debbcaabbbc
    /ab.*c/              ab followed by zero or more characters followed by c                 abc, abxc, ab45c, xab 756.345 x cat
    /t.*ing/             t followed by zero or more characters followed by ing                thing, ting, I thought of going
    /[a-zA-Z ]*/         A string composed only of letters and SPACEs                         1. any string without numbers or punctuation!
    /(.*)/               As long a string as possible between ( and )                         Get (this) and (that)
    /([^)]*)/            The shortest string possible that starts with ( and ends with )      (this), Get (this and that)

CARETS AND DOLLAR SIGNS

A regular expression that begins with a caret (^) can match a string only at the beginning of a line.
In a similar manner, a dollar sign ($) at the end of a regular expression matches the end of a line. The caret and dollar sign are called anchors because they force (anchor) a match to the beginning or end of a line (Table A-5).

Table A-5 Carets and dollar signs

    Regular expression   Matches                                                      Examples
    /^T/                 A T at the beginning of a line                               This line..., That Time..., In Time
    /^+[0-9]/            A plus sign followed by a digit at the beginning of a line   +5, +45.72, +759 Keep this...
    /:$/                 A colon that ends a line                                     ...below:

QUOTING SPECIAL CHARACTERS

You can quote any special character (but not parentheses [except in Perl; page 1077] or a digit) by preceding it with a backslash (Table A-6). Quoting a special character makes it represent itself.

Table A-6 Quoted special characters

    Regular expression   Matches                                               Examples
    /end\./              All strings that contain end followed by a period     The end., send., pretend.mail
    /\\/                 A single backslash                                    \
    /\*/                 An asterisk                                           *.c, an asterisk (*)
    /\[5\]/              [5]                                                   it was five [5]
    /and\/or/            and/or                                                and/or

RULES

The following rules govern the application of regular expressions.

LONGEST MATCH POSSIBLE

A regular expression always matches the longest possible string, starting as far toward the beginning of the line as possible. Perl calls this type of match a greedy match (page 1076). For example, given the string

    This (rug) is not what it once was (a long time ago), is it?

the expression /Th.*is/ matches

    This (rug) is not what it once was (a long time ago), is

and /(.*)/ matches

    (rug) is not what it once was (a long time ago)

However, /([^)]*)/ matches

    (rug)

Given the string

    singing songs, singing more and more

the expression /s.*ing/ matches

    singing songs, singing

and /s.*ing song/ matches

    singing song

EMPTY REGULAR EXPRESSIONS

Within some utilities, such as vim and less (but not grep), an empty regular expression represents the last regular expression that you used.
For example, suppose you give vim the following Substitute command:

    :s/mike/robert/

If you then want to make the same substitution again, you can use the following command:

    :s//robert/

Alternatively, you can use the following commands to search for the string mike and then make the substitution:

    /mike/
    :s//robert/

The empty regular expression (//) represents the last regular expression you used (/mike/).

BRACKETING EXPRESSIONS

You can use quoted parentheses, \( and \), to bracket a regular expression. (However, Perl uses unquoted parentheses to bracket regular expressions; page 1077.) The string that the bracketed regular expression matches can be recalled, as explained in "Quoted Digit." A regular expression does not attempt to match quoted parentheses. Thus a regular expression enclosed within quoted parentheses matches what the same regular expression without the parentheses would match. The expression /\(rexp\)/ matches what /rexp/ would match; /a\(b*\)c/ matches what /ab*c/ would match.

You can nest quoted parentheses. The bracketed expressions are identified only by the opening \(, so no ambiguity arises in identifying them. The expression /\([a-z]\([A-Z]*\)x\)/ consists of two bracketed expressions, one nested within the other. In the string 3tdMNORx71u, the preceding regular expression matches dMNORx, with the first bracketed expression matching dMNORx and the second matching MNOR.

THE REPLACEMENT STRING

The vim and sed editors use regular expressions as search strings within Substitute commands. You can use the ampersand (&) and quoted digits (\n) special characters to represent the matched strings within the corresponding replacement string.

AMPERSAND

Within a replacement string, an ampersand (&) takes on the value of the string that the search string (regular expression) matched. For example, the following vim Substitute command surrounds a string of one or more digits with NN.
The ampersand in the replacement string matches whatever string of digits the regular expression (search string) matched:

    :s/[0-9][0-9]*/NN&NN/

Two character-class definitions are required because the regular expression [0-9]* matches zero or more occurrences of a digit, and any character string constitutes zero or more occurrences of a digit. (Without the g flag, the command changes only the first string of digits on the line.)

QUOTED DIGIT

Within the search string, a bracketed regular expression, \(xxx\) [(xxx) in Perl], matches what the regular expression would have matched without the quoted parentheses, xxx. Within the replacement string, a quoted digit, \n, represents the string that the bracketed regular expression (portion of the search string) beginning with the nth \( matched. Perl accepts a quoted digit for this purpose, but the preferred style is to precede the digit with a dollar sign ($n; page 1077).

For example, you can take a list of people in the form

    last-name, first-name initial

and put it in the form

    first-name initial last-name

with the following vim command:

    :1,$s/\([^,]*\), \(.*\)/\2 \1/

This command addresses all the lines in the file (1,$). The Substitute command (s) uses a search string and a replacement string delimited by forward slashes. The first bracketed regular expression within the search string, \([^,]*\), matches what the same unbracketed regular expression, [^,]*, would match: zero or more characters not containing a comma (the last-name). Following the first bracketed regular expression are a comma and a SPACE that match themselves. The second bracketed expression, \(.*\), matches any string of characters (the first-name and initial). The replacement string consists of what the second bracketed regular expression matched (\2), followed by a SPACE and what the first bracketed regular expression matched (\1).

EXTENDED REGULAR EXPRESSIONS

This section covers patterns that use an extended set of special characters. These patterns are called full regular expressions or extended regular expressions.
In addition to ordinary regular expressions, Perl and vim provide extended regular expressions. The three utilities egrep, grep when run with the -E option (similar to egrep), and mawk/gawk provide all the special characters included in ordinary regular expressions, except for \( and \), as well as those included in extended regular expressions.

Two of the additional special characters are the plus sign (+) and the question mark (?). They are similar to *, which matches zero or more occurrences of the previous character. The plus sign matches one or more occurrences of the previous character, whereas the question mark matches zero or one occurrence. You can use any one of the special characters *, +, and ? following parentheses, causing the special character to apply to the string surrounded by the parentheses. Unlike the parentheses in bracketed regular expressions, these parentheses are not quoted (Table A-7).

Table A-7 Extended regular expressions

    Regular expression   Matches                                                     Examples
    /ab+c/               a followed by one or more b's followed by a c               yabcw, abbc57
    /ab?c/               a followed by zero or one b followed by c                   back, abcdef
    /(ab)+c/             One or more occurrences of the string ab followed by c      zabcd, ababc!
    /(ab)?c/             Zero or one occurrence of the string ab followed by c       xc, abcc

In full regular expressions, the vertical bar (|) special character is a Boolean OR operator. Within vim, you must quote the vertical bar by preceding it with a backslash to make it special (\|). A vertical bar between two regular expressions causes a match with strings that match the first expression, the second expression, or both. You can use the vertical bar with parentheses to separate from the rest of the regular expression the two expressions that are being ORed (Table A-8).
Table A-8 Full regular expressions

    Regular expression   Meaning                                 Examples
    /ab|ac/              Either ab or ac                         ab, ac, abac (abac is two matches of the regular expression)
    /^Exit|^Quit/        Lines that begin with Exit or Quit      Exit, Quit, No Exit
    /(D|N)\. Jones/      D. Jones or N. Jones                    P.D. Jones, N. Jones

APPENDIX SUMMARY

A regular expression defines a set of one or more strings of characters. A regular expression is said to match any string it defines.

In a regular expression, a special character is one that does not represent itself. Table A-9 lists special characters.

Table A-9 Special characters

    Character   Meaning
    .           Matches any single character
    *           Matches zero or more occurrences of a match of the preceding character
    ^           Forces a match to the beginning of a line
    $           A match to the end of a line
    \           Quotes special characters
    \<          Forces a match to the beginning of a word
    \>          Forces a match to the end of a word

Table A-10 lists ways of representing character classes and bracketed regular expressions.

Table A-10 Character classes and bracketed regular expressions

    Class       Defines
    [xyz]       Defines a character class that matches x, y, or z
    [^xyz]      Defines a character class that matches any character except x, y, or z
    [x-z]       Defines a character class that matches any character x through z inclusive
    \(xyz\)     Matches what xyz matches (a bracketed regular expression; not Perl)
    (xyz)       Matches what xyz matches (a bracketed regular expression; Perl only)

In addition to the preceding special characters and strings (excluding quoted parentheses, except in vim), the characters in Table A-11 are special within full, or extended, regular expressions.
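The following shell session is an added example and is not from the book. It runs the sample strings used in this appendix through sed (basic regular expressions plus the & and \n replacement characters) and through grep with and without -E, so the longest-match rule, bracketed expressions, and the difference between quoted and unquoted parentheses can be checked on a live system rather than taken on faith. It needs only POSIX sed, grep, and paste; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): exercise Appendix A's rules with POSIX sed and grep.
# Every function returns its result on standard output so it can be compared or tested.

# Show what a basic regular expression matches by wrapping the match in [ ].
# $1 is the sample line, $2 is the expression (it must not contain a slash,
# because / is the sed delimiter here). Only the first match is marked, which
# is exactly the longest leftmost match the appendix describes.
show_match() {
    printf '%s\n' "$1" | sed "s/$2/[&]/"
}

# The book's "last-name, first-name initial" -> "first-name initial last-name"
# transformation: two bracketed expressions recalled as \2 and \1.
swap_names() {
    printf '%s\n' "$1" | sed 's/\([^,]*\), \(.*\)/\2 \1/'
}

# The book's NN&NN command: & stands for whatever the search string matched.
# Without the g flag only the first run of digits on the line is changed.
wrap_digits() {
    printf '%s\n' "$1" | sed 's/[0-9][0-9]*/NN&NN/'
}

# Print, comma separated, which of the candidate strings ($2 ...) match the
# basic regular expression in $1. Without -E, ( and ) are ordinary characters.
bre_filter() {
    pat=$1; shift
    for s in "$@"; do printf '%s\n' "$s"; done | grep -e "$pat" | paste -s -d , -
}

# Same, but with grep -E: +, ?, | and unquoted ( ) are special.
ere_filter() {
    pat=$1; shift
    for s in "$@"; do printf '%s\n' "$s"; done | grep -E -e "$pat" | paste -s -d , -
}

SAMPLE='This (rug) is not what it once was (a long time ago), is it?'
show_match "$SAMPLE" 'Th.*is'    # [This (rug) is not what it once was (a long time ago), is] it?
show_match "$SAMPLE" '(.*)'      # This [(rug) is not what it once was (a long time ago)], is it?
show_match "$SAMPLE" '([^)]*)'   # This [(rug)] is not what it once was (a long time ago), is it?
show_match 'singing songs, singing more and more' 's.*ing song'   # [singing song]s, singing more and more
swap_names 'Sobell, Mark G.'     # Mark G. Sobell
wrap_digits 'room 42, bed 7'     # room NN42NN, bed 7
bre_filter '(ab)c' abc '(ab)c'                    # (ab)c
ere_filter '(ab)+c' abc '(ab)c' zabcd 'ababc!'    # abc,zabcd,ababc!
ere_filter '^Exit|^Quit' Exit Quit 'No Exit'      # Exit,Quit
```

The two filter functions make the parentheses point concrete: the same pattern (ab)c selects the literal string "(ab)c" from a basic-expression grep and the string "abc" from grep -E. When you pass a pattern that starts with a plus sign, as in the book's /^+[0-9]/, grep's -e option keeps it from being read as a command option.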
Table A-11 Extended regular expressions

    Expression   Matches
    +            Matches one or more occurrences of the preceding character
    ?            Matches zero or one occurrence of the preceding character
    (xyz)+       Matches one or more occurrences of what xyz matches
    (xyz)?       Matches zero or one occurrence of what xyz matches
    (xyz)*       Matches zero or more occurrences of what xyz matches
    xyz|abc      Matches either what xyz or what abc matches (use \| in vim)
    (xy|ab)c     Matches either what xyc or what abc matches (use \| in vim)

Table A-12 lists characters that are special within a replacement string in sed and vim.

Table A-12 Replacement strings

    String   Represents
    &        Represents what the regular expression (search string) matched
    \n       A quoted number, n, represents what the nth bracketed regular expression in the search string matched
    $n       A number preceded by a dollar sign, n, represents what the nth bracketed regular expression in the search string matched (Perl only)

B
HELP

IN THIS APPENDIX

    Solving a Problem                     1100
    Finding Linux-Related Information     1101
    Documentation                         1101
    Useful Linux Sites                    1102
    Linux Newsgroups                      1103
    Mailing Lists                         1103
    Words                                 1104
    Software                              1104
    Office Suites and Word Processors     1106
    Specifying a Terminal                 1106

You need not be a user or system administrator in isolation. A large community of Linux experts is willing to assist you in learning about, helping you solve problems with, and getting the most out of a Linux system. Before you ask for help, however, make sure you have done everything you can to solve the problem yourself. No doubt, someone has experienced the same problem before you and the answer to your question exists somewhere on the Internet. Your job is to find it. This appendix lists resources and describes methods that can help you in that task.

SOLVING A PROBLEM

Following is a list of steps that can help you solve a problem without asking someone for help. Depending on your understanding of and experience with the hardware and software involved, these steps may lead to a solution.

1. Ubuntu Linux comes with extensive documentation. Read the documentation on the specific hardware or software you are having a problem with. If it is a GNU product, use info; otherwise, use man to find local information. Also look in /usr/share/doc for documentation on specific tools. For more information refer to "Where to Find Documentation" on page 136.

2. When the problem involves some type of error or other message, use a search engine, such as Google (www.google.com/linux) or Google Groups (groups.google.com), to look up the message on the Internet. If the message is long, pick a unique part of the message to search for; 10 to 20 characters should be enough. Enclose the search string within double quotation marks. See "Using the Internet to Get Help" on page 143 for an example of this kind of search.

3. Check whether the Linux Documentation Project (www.tldp.org) has a HOWTO or mini-HOWTO on the subject in question. Search its site for keywords that relate directly to the product and problem. Read the FAQs.

4. See Table B-1 for other sources of documentation.

5. Use Google or Google Groups to search on keywords that relate directly to the product and problem.

6. When all else fails (or perhaps before you try anything else), examine the system logs in /var/log. First look at the end of the messages file using the following command:

       $ sudo tail -20 /var/log/messages

   If messages contains nothing useful, run the following command.
   It displays the names of the log files in chronological order, with the most recently modified files appearing at the bottom of the list:

       $ ls -ltr /var/log

   Look at the files at the bottom of the list first. If the problem involves a network connection, review the auth.log file on the local and remote systems. Also look at messages on the remote system.

7. The /var/spool directory contains subdirectories with useful information: cups holds the print queues, mail or exim4 holds the user's mail files, and so on.

If you are unable to solve a problem yourself, a thoughtful question to an appropriate newsgroup (page 1103) or mailing list (page 1103) can elicit useful information. When you send or post a question, make sure you describe the problem and identify the local system carefully. Include the version numbers of Ubuntu Linux and any software packages that relate to the problem. Describe the hardware, if appropriate. There is an etiquette to posting questions; see www.catb.org/~esr/faqs/smart-questions.html for a good paper by Eric S. Raymond and Rick Moen titled "How To Ask Questions the Smart Way."

The author's home page (www.sobell.com) contains corrections to this book, answers to selected chapter exercises, and pointers to other Linux sites.

FINDING LINUX-RELATED INFORMATION

Ubuntu Linux comes with reference pages stored online. You can read these documents by using the man or info (page 139) utility. You can read man and info pages to get more information about specific topics while reading this book or to determine which features are available with Linux. To search for topics, use apropos (see page 139 or give the command man apropos).

DOCUMENTATION

Good books are available on various aspects of using and managing UNIX systems in general and Linux systems in particular. In addition, you may find the sites listed in Table B-1 useful.
Table B-1 Documentation [1]

    Site                                 About the site                                                                                                                                                  URL
    freedesktop.org                      Creates standards for interoperability between open-source desktop environments.                                                                                freedesktop.org
    GNOME                                GNOME home page.                                                                                                                                                www.gnome.org
    GNU Manuals                          GNU manuals.                                                                                                                                                    www.gnu.org/manual
    info                                 Instructions for using the info utility.                                                                                                                        www.gnu.org/software/texinfo/manual/info
    Internet FAQ Archives                Searchable FAQ archives.                                                                                                                                        www.faqs.org
    KDE Documentation                    KDE documentation.                                                                                                                                              kde.org/documentation
    KDE News                             KDE news.                                                                                                                                                       dot.kde.org
    Linux Documentation Project          All things related to Linux documentation (in many languages): HOWTOs, guides, FAQs, man pages, and magazines. This is the best overall source for Linux        www.tldp.org
                                         documentation. Make sure to visit the Links page.
    Ubuntu Documentation and Support     These URIs have links to many pages that provide documentation and support.                                                                                    www.ubuntu.com/support
                                                                                                                                                                                                         help.ubuntu.com/community
                                                                                                                                                                                                         ubuntuforums.org
    RFCs                                 Requests for comments; see RFC (page 1169).                                                                                                                    www.rfc-editor.org
    System Administrators Guild (SAGE)   SAGE is a group for system administrators.                                                                                                                      www.sage.org

[1] The right-hand columns of most of the tables in this appendix show Internet addresses (URLs). All sites have an implicit http:// prefix unless ftp:// or https:// is shown. Refer to "URLs (Web addresses)" on page 21.

USEFUL LINUX SITES

Sometimes the sites listed in Table B-2 are so busy that you cannot connect to them. In this case, you are usually given a list of alternative, or mirror, sites to try.

Table B-2 Useful Linux sites

    Site                        About the site                                                                                                              URL
    DistroWatch                 A survey of many Linux distributions, including news, reviews, and articles.                                                distrowatch.com
    GNU                         GNU Project Web server.                                                                                                     www.gnu.org
    Hardware compatibility      User-written hardware reviews for Ubuntu Linux.                                                                             www.ubuntuhcl.org
    ibiblio                     A large library and digital archive. Formerly Metalab; formerly Sunsite.                                                    www.ibiblio.org
                                                                                                                                                            www.ibiblio.org/pub/linux
                                                                                                                                                            www.ibiblio.org/pub/historic-linux
    Linux Standard Base (LSB)   A group dedicated to standardizing Linux.                                                                                   www.linuxfoundation.org/en/LSB
    Sobell                      The author's home page contains useful links, errata for this book, code for many of the examples in this book, and        www.sobell.com
                                answers to selected exercises.
    USENIX                      A large, well-established UNIX group. This site has many links, including a list of conferences.                            www.usenix.org
    X.Org                       The X Window System home.                                                                                                   www.x.org

LINUX NEWSGROUPS

One of the best ways of getting specific information is through a newsgroup (refer to "Usenet" on page 407). You can often find the answer to a question by reading postings to the newsgroup. Try using Google Groups (groups.google.com) to search through newsgroups to see whether the question has already been asked and answered. Or open a newsreader program and subscribe to appropriate newsgroups. If necessary, you can post a question for someone to answer. Before you do so, make sure you are posting to the correct group and that your question has not already been answered. The newsgroup comp.os.linux.answers provides postings of solutions to common problems and periodic postings of the most up-to-date versions of FAQ and HOWTO documents. The comp.os.linux.misc newsgroup has answers to miscellaneous Linux-related questions.

MAILING LISTS

Subscribing to a mailing list (page 733) allows you to participate in an electronic discussion. With most lists, you can send and receive email dedicated to a specific topic to and from a group of users. Moderated lists do not tend to stray as much as unmoderated lists, assuming the list has a good moderator. The disadvantage of a moderated list is that some discussions may be cut off when they get interesting if the moderator deems that the discussion has gone on for too long.
Mailing lists described as bulletins are strictly unidirectional: You cannot post information to these lists but can only receive periodic bulletins. If you have the subscription address for a mailing list but are not sure how to subscribe, put the word help in the body and/or header of email you send to the address. You will usually receive instructions via return email. Ubuntu hosts several mailing lists; go to lists.ubuntu.com for more information. You can also use a search engine to search for mailing list linux.

WORDS

Many dictionaries, thesauruses, and glossaries are available online. Table B-3 lists a few of them.

Table B-3 Looking up words

    Site                About the site                                             URL
    DICT.org            Multiple-database search for words                         www.dict.org
    Dictionary.com      Everything related to words                                dictionary.reference.com
    FOLDOC              The Free On-Line Dictionary of Computing                   foldoc.org
    GNOME Controls      Defines many GUI controls (widgets)                        developer.gnome.org/projects/gup/hig/2.0/controls.html
    The Jargon File     An online version of The New Hacker's Dictionary           www.catb.org/~esr/jargon
    Merriam-Webster     English language                                           www.merriam-webster.com
    OneLook             Multiple-site word search with a single query              www.onelook.com
    Roget's Thesaurus   Thesaurus                                                  humanities.uchicago.edu/forms_unrest/ROGET.html
    Webopedia           Commercial technical dictionary                            www.webopedia.com
    Wikipedia           An open-source (user-contributed) encyclopedia project     wikipedia.org
    Wordsmyth           Dictionary and thesaurus                                   www.wordsmyth.net
    Yahoo Reference     Search multiple sources at the same time                   education.yahoo.com/reference

SOFTWARE

There are many ways to learn about interesting software packages and their availability on the Internet. Table B-4 lists sites you can download software from. For security-related programs, refer to Table C-1 on page 1124. Another way to learn about software packages is through a newsgroup (page 1103).
Table B-4 Software

    Site                      About the site                                                                                                         URL
    BitTorrent                BitTorrent efficiently distributes large amounts of static data                                                       azureus.sourceforge.net
                                                                                                                                                     help.ubuntu.com/community/BitTorrent
    CVS                       CVS (Concurrent Versions System) is a version control system                                                           www.nongnu.org/cvs
    ddd                       The ddd utility is a graphical frontend for command-line debuggers such as gdb                                        www.gnu.org/software/ddd
    Firefox                   Web browser                                                                                                           www.mozilla.com/firefox
    Free Software Directory   Categorized, searchable lists of free software                                                                        directory.fsf.org
    Freshmeat                 A large index of UNIX and cross-platform software and themes                                                          freshmeat.net
    gdb                       The gdb utility is a command-line debugger                                                                            www.gnu.org/software/gdb
    GNOME Project             Links to all GNOME projects                                                                                           www.gnome.org/projects
    IceWALKERS                Categorized, searchable lists of free software                                                                        www.icewalkers.com
    kdbg                      The kdbg utility is a graphical user interface to gdb                                                                 freshmeat.net/projects/kdbg
    Linux Software Map        A database of packages written for, ported to, or compiled for Linux                                                  www.boutell.com/lsm
    Mtools                    A collection of utilities to access DOS floppy diskettes from Linux without mounting the diskettes                    mtools.linux.lu
    Network Calculators       Subnet mask calculator                                                                                                www.subnetmask.info
    NTFS driver               Driver that enables Linux to read from and write to Windows NTFS filesystems (available in the ntfs-3g package)       www.ntfs-3g.org
    Savannah                  Central point for development, distribution, and maintenance of free software                                         savannah.gnu.org
    SourceForge               A development Web site with a large repository of open-source code and applications                                   sourceforge.net
    strace                    The strace utility is a system call trace debugging tool                                                              http://sourceforge.net/
    Thunderbird               Mail application                                                                                                      www.mozilla.com/thunderbird
    ups                       The ups utility is a graphical source-level debugger                                                                  ups.sourceforge.net

OFFICE SUITES AND WORD PROCESSORS

Several office suites and many word processors are available for Linux. Table B-5 lists a few of them. If you are exchanging documents with people using Windows, make sure the import from/export to MS Word functionality covers your needs.

Table B-5 Office suites and word processors

    Product name   What it does                                                                             URL
    AbiWord        Word processor                                                                           www.abisource.com
    KOffice        Integrated suite of office applications, including the KWord word processing program    www.koffice.org
    OpenOffice     A multiplatform and multilingual office suite                                            www.openoffice.org
                                                                                                            www.gnome.org/projects/ooo

SPECIFYING A TERMINAL

Because vim, emacs, and other textual and pseudographical programs take advantage of features specific to various kinds of terminals and terminal emulators, you must tell these programs the name of the terminal you are using or the terminal your terminal emulator is emulating. Most of the time the terminal name is set for you. If the terminal name is not specified or is not specified correctly, the characters on the screen will be garbled or, when you start a program, the program will ask which type of terminal you are using.

Terminal names describe the functional characteristics of a terminal or terminal emulator to programs that require this information. Although terminal names are referred to as either Terminfo or Termcap names, the difference relates to the method each system uses to store the terminal characteristics internally, not to the manner in which you specify the name of a terminal. Terminal names that are often used with Linux terminal emulators and with graphical monitors while they are run in textual mode include ansi, linux, vt100, vt102, vt220, and xterm.

When you are running a terminal emulator, you can specify the type of terminal you want to emulate. Set the emulator to either vt100 or vt220, and set TERM to the same value.

When you log in, you may be prompted to identify the type of terminal you are using:

    TERM = (vt100)

You can respond to this prompt in one of two ways.
First you can press RETURN to set your terminal type to the name in parentheses. If that name does not describe the terminal you are using, you can enter the correct name and then press RETURN.

    TERM = (vt100) ansi

You may also receive the following prompt:

    TERM = (unknown)

This prompt indicates that the system does not know which type of terminal you are using. If you plan to run programs that require this information, enter the name of the terminal or terminal emulator you are using before you press RETURN.

TERM

If you do not receive a prompt, you can give the following command to display the value of the TERM variable and check whether the terminal type has been set:

    $ echo $TERM

If the system responds with the wrong name, a blank line, or an error message, set or change the terminal name. From the Bourne Again Shell (bash), enter a command similar to the following to set the TERM variable so the system knows which type of terminal you are using:

    export TERM=name

Replace name with the terminal name for the terminal you are using, making sure you do not put a SPACE before or after the equal sign. If you always use the same type of terminal, you can place this command in your ~/.bashrc file (page 293), causing the shell to set the terminal type each time you log in. For example, give the following command to set your terminal name to vt100:

    $ export TERM=vt100

LANG

For some programs to display information correctly, you may need to set the LANG variable (page 326). Frequently you can set this variable to C. Under bash use the command

    $ export LANG=C

C
SECURITY

IN THIS APPENDIX

    Encryption                    1110
    Examples of File Security     1115
    Email Security                1115
    Network Security              1116
    Host Security                 1119
    Login Security                1120
    Remote Access Security        1121
    Viruses and Worms             1122
    Physical Security             1122
    Security Resources            1124

Security is a major part of the foundation of any system that is not totally cut off from other machines and users. Some aspects of security have a place even on isolated machines. Examples of these measures include periodic system backups, BIOS or power-on passwords, and self-locking screensavers. A system that is connected to the outside world requires other mechanisms to secure it: tools to check files (tripwire), audit tools (tiger/cops), secure access methods (kerberos/ssh), services that monitor logs and machine states (swatch/watcher), packet-filtering and routing tools (ipfwadm/iptables/gufw), and more.

System security has many dimensions. The security of a system as a whole depends on the security of individual components, such as email, files, network, login, and remote access policies, as well as the physical security of the host itself. These dimensions frequently overlap, and their borders are not always static or clear. For instance, email security is affected by the security of both files and the network. If the medium (the network) over which you send and receive your email is not secure, then you must take extra steps to ensure the security of your messages. If you save your secure email in a file on the local system, then you rely on the filesystem and host access policies for file security. A failure in any one of these areas can start a domino effect, diminishing reliability and integrity in other areas and potentially compromising system security as a whole.

This short appendix cannot cover all facets of system security in depth, but provides an overview of the complexity of setting up and maintaining a secure system. This appendix offers some specifics, concepts, guidelines to consider, and many pointers to security resources (Table C-1 on page 1124).
Other sources of system security information
security: Depending on how important system security is to you, you may want to purchase one or more books dedicated to system security, visit some of the Internet sites that are dedicated to security, or hire someone who is an expert in the field. Do not rely on this appendix as your sole source of information on system security.

ENCRYPTION

One of the building blocks of security is encryption, which provides a means of scrambling data for secure transmission to other parties. In cryptographic terms, the data or message to be encrypted is referred to as plaintext, and the resulting encrypted block of text as ciphertext. Processes exist for converting plaintext into ciphertext through the use of keys, which are essentially random numbers of a specified length used to lock and unlock data. This conversion is achieved by applying the keys to the plaintext according to a set of mathematical instructions, referred to as the encryption algorithm.

Developing and analyzing strong encryption software is extremely difficult. Many nuances exist, many standards govern encryption algorithms, and a background in mathematics is requisite. Also, unless an algorithm has undergone public scrutiny for a significant period of time, it is generally not considered secure; it is often impossible to know that an algorithm is completely secure but possible to know that one is not secure. Ultimately time is the best test of any algorithm. Also, a solid algorithm does not guarantee an effective encryption mechanism because the fallibility of an encryption scheme frequently arises from problems with its implementation and distribution.

An encryption algorithm uses a key that is a certain number of bits long.
Each bit added to the length of a key doubles the key space (the number of combinations allowed by the number of bits in the key: 2 to the power of the length of the key in bits [1]) and therefore doubles the work an attacker must do to find the key by trying every possibility (assuming the scheme lacks any inherent weaknesses or vulnerabilities to exploit). However, it is a mistake to compare algorithms based only on the number of bits used. In some cases an algorithm that uses a 64-bit key can be more secure than an algorithm that uses a 128-bit key.

[1] A 2-bit key would have a key space of 4 (2^2), a 3-bit key would have a key space of 8 (2^3), and so on.

The two primary classifications of encryption schemes are public key encryption and symmetric key encryption. Public key encryption, also called asymmetric encryption, uses two keys: a public key and a private key. These keys are uniquely associated with a specific user. Public key encryption schemes are used mostly to exchange keys and signatures. Symmetric key encryption, also called symmetric encryption or secret key encryption, uses one key that you and the person you are communicating with (hereafter referred to as your friend) share as a secret. Symmetric key encryption is typically used to encrypt large amounts of data. Public key algorithm keys typically have a length of 512 bits to 2,048 bits, whereas symmetric key algorithms use keys in the range of 64 bits to 512 bits. Key lengths of the two kinds are not comparable with each other: a 128-bit symmetric key is far stronger than a 1,024-bit RSA key, because an attacker can factor the RSA modulus much faster than trying 2^128 symmetric keys.

When you are choosing an encryption scheme, realize that security comes at a price. There is usually a tradeoff between resilience of the cryptosystem and ease of administration. The practicality of a security solution is a far greater factor in encryption, and in security in general, than most people realize. With enough time and effort, nearly every algorithm can be broken.
In fact, you can often find the mathematical instructions for a widely used algorithm by flipping through a cryptography book, reviewing a vendor's product specifications, or performing a quick search on the Internet. A well-designed algorithm remains secure even though it is public; its strength rests on the secrecy of the key. The challenge is to ensure that the effort required to recover the plaintext without the key outweighs the worth of the information the encryption is protecting.

tip  How much time and money should you spend on encryption? When the cost of obtaining the information exceeds the value realized by its possession, the solution is an effective one.

PUBLIC KEY ENCRYPTION

To use public key encryption, you must generate two keys: a public key and a private key. You keep the private key for yourself and give the public key to the world. In a similar manner, each of your friends will generate a pair of keys and give you their public keys. Public key encryption is marked by two distinct features:

1. When you encrypt data with someone's public key, only that person's private key can decrypt it.

2. When you encrypt data with your private key, anyone can decrypt it with your public key.

1112 APPENDIX C SECURITY

You may wonder why the second point is useful: Why would you want everyone else to be able to decrypt something you just encrypted? The answer lies in the purpose of the operation. Although it turns the original message into unreadable ciphertext, its purpose is not confidentiality but a digital signature. If the message can be properly decrypted with your public key, only you could have encrypted it with your private key, proving the message is authentic. (In practice you sign a fixed-length hash of the message rather than the message itself.) Combining these two modes of operation yields privacy and authenticity: you sign a message with your private key so it can be verified as authentic, and then you encrypt it with your friend's public key so that only your friend can decrypt it.

Public key encryption has three major shortcomings:

1.
Public key encryption algorithms are generally much slower than symmetric key algorithms and usually require a much larger key size and a way to generate large prime numbers to use as components of the key, making them more resource intensive.

2. The private key must be stored securely and its integrity safeguarded. If a person's private key is obtained by another party, that party can decrypt messages sent to the owner and sign messages while impersonating the owner of the key. If the private key is lost or becomes corrupted, any messages previously encrypted to it can no longer be read, and a new keypair must be generated.

3. It is difficult to authenticate the origin of a key, that is, to prove whom it originally came from. This so-called key-distribution problem is the raison d'être for certification authorities such as VeriSign (www.verisign.com).

Algorithms such as RSA, Diffie-Hellman, and ElGamal implement public key methodology. Today a 512-bit RSA key offers essentially no protection (512-bit RSA moduli have been factored publicly); 1,024-bit keys are expected to hold off determined attackers for several more years. Keys that are 2,048 bits long are now commonplace and are rated as espionage strength. A mathematical paper published in late 2001 and reexamined in spring 2002 describes how a machine could be built, for a very large sum of money, that could break 1,024-bit RSA encryption in seconds to minutes (this point is debated in an article at www.schneier.com/crypto-gram-0203.html#6). Although the cost of such a machine exceeds the resources available to most individuals and smaller corporations, it is well within the reach of large corporations and governments.

SYMMETRIC KEY ENCRYPTION

Symmetric key encryption is generally fast and simple to deploy. First you and your friend agree on which algorithm to use and on a key that you will share. Then either of you can encrypt or decrypt a file with the same key.
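The two properties listed under PUBLIC KEY ENCRYPTION, and the hybrid construction that ENCRYPTION IMPLEMENTATION below describes (a public key algorithm to wrap a random session key and sign a digest, a symmetric cipher for the bulk data, a hash digest to detect tampering), as an added example in Python. This code is constructed for this appendix; it is not code from GnuPG, PGP or the book. To run with only the standard library it uses textbook RSA over small, fixed Mersenne primes, a SHA-256 counter-mode keystream as the symmetric cipher, and HMAC as the digest; the names (toy_rsa_keypair, seal, unseal, ALICE_*/BOB_*), the 64-bit session key, the 80-bit signed digest and the sample message are all assumptions. A real system uses padded RSA (OAEP/PSS) or ElGamal/DSA, AES, and large random primes; only the way the pieces fit together is the point here.

```python
"""Constructed hybrid-encryption demo: public key wraps a session key and signs
a digest, a symmetric stream cipher carries the data, an HMAC detects tampering.
Toy parameters (tiny fixed primes, unpadded RSA): illustration only."""
import hashlib
import hmac
import math
import os

E = 65537  # conventional RSA public exponent


def toy_rsa_keypair(p, q, e=E):
    """Return ((n, e), (n, d)) for primes p and q.  Toy: tiny keys, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def rsa_apply(key, m):
    """Raw RSA: m ** exponent mod n.  Same function serves both key halves."""
    n, exponent = key
    assert 0 <= m < n, "message integer must be smaller than the modulus"
    return pow(m, exponent, n)


def keystream(key, nonce, length):
    """Symmetric keystream: SHA-256(key || nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key, nonce, data):
    """Encrypt and decrypt are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(plaintext, sender_priv, recipient_pub, session_key=None, nonce=None):
    """Sender side: encrypt the data, wrap the session key, sign the digest."""
    session_key = session_key or os.urandom(8)   # 64-bit toy session key
    nonce = nonce or os.urandom(8)
    ciphertext = stream_xor(session_key, nonce, plaintext)
    # Feature 1: only the recipient's private key can unwrap the session key.
    wrapped = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))
    # Digest over nonce + ciphertext; 80 bits of it are signed (fits the toy modulus).
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
    # Feature 2: anyone holding the sender's public key can check this value.
    signature = rsa_apply(sender_priv, int.from_bytes(tag[:10], "big"))
    return {"nonce": nonce, "ciphertext": ciphertext,
            "wrapped_key": wrapped, "signature": signature}


def unseal(message, recipient_priv, sender_pub):
    """Recipient side: unwrap the key, verify the signed digest, then decrypt."""
    key_int = rsa_apply(recipient_priv, message["wrapped_key"])
    if key_int >= 1 << 64:
        raise ValueError("wrapped session key is corrupted")
    session_key = key_int.to_bytes(8, "big")
    tag = hmac.new(session_key, message["nonce"] + message["ciphertext"],
                   hashlib.sha256).digest()
    expected = int.from_bytes(tag[:10], "big")
    if rsa_apply(sender_pub, message["signature"]) != expected:
        raise ValueError("digest/signature mismatch: tampered or not from this sender")
    return stream_xor(session_key, message["nonce"], message["ciphertext"])


# Fixed Mersenne primes so the example is deterministic (NOT how real keys are made).
ALICE_PUB, ALICE_PRIV = toy_rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
BOB_PUB, BOB_PRIV = toy_rsa_keypair((1 << 89) - 1, (1 << 107) - 1)

if __name__ == "__main__":
    msg = seal(b"meeting at 10:00", ALICE_PRIV, BOB_PUB)   # Alice -> Bob
    print(unseal(msg, BOB_PRIV, ALICE_PUB))
```

Flipping one bit of the ciphertext, or verifying against the wrong sender's public key, makes unseal() raise instead of returning plaintext, which is the tamper detection the digest is there for. Note that Alice signs with her private key and encrypts to Bob's public key, the sign-then-encrypt order described above.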
Behind the scenes, symmetric key encryption algorithms are most often implemented as a network of black boxes, which can involve hardware components, software, or a combination of the two. Each box imposes a reversible transformation on the plaintext and passes it to the next box, where another reversible transformation further alters the data. The boxes themselves are public; the security of a symmetric key algorithm rests on the key, which controls how the boxes transform the data, and on the number of times the data is fed through the set of boxes. A good algorithm will cycle the plaintext through a given set of boxes many times (rounds) before yielding the result, and there will be no obvious mapping from plaintext to ciphertext.

The disadvantage of symmetric key encryption is that it depends heavily on the availability of a secure channel through which to send the key to your friend. For example, you would not use email to send your key; if your email is intercepted, a third party is in possession of your secret key, and your encryption is useless. You could relay the key over the phone, but your call could be intercepted if your phone were tapped or someone overheard your conversation.

Common implementations of symmetric key algorithms include DES (Data Encryption Standard), 3-DES (triple DES), IDEA, RC5, Blowfish, and AES (Advanced Encryption Standard). AES is the Federal Information Processing Standard (FIPS-197) algorithm endorsed for governmental use and was selected to replace DES as the de facto encryption algorithm. AES uses the Rijndael algorithm, chosen after a thorough evaluation of 15 candidate algorithms by the cryptographic research community. None of the aforementioned algorithms has undergone more scrutiny than DES, which has been in use since the late 1970s. However, DES is no longer considered secure, because its 56-bit key is small enough to be found by exhaustive search.
Given the advances in computing power and speed since DES was developed, the small size of this algorithm's key renders it inadequate for operations requiring more than basic security for a relatively short period of time. For a few thousand dollars, you can link off-the-shelf computer systems so they can crack DES keys in a few hours. The 3-DES application of DES is intended to combat its degenerating resilience by running the cipher three times with different keys; it is projected to be secure for years to come. DES is probably sufficient for such tasks as sending email to a friend when you need it to be confidential for only a few days (for example, to send a notice of a meeting that will take place in a few hours). It is unlikely anyone is sufficiently interested in your email to invest the time and money to decrypt it. Because of 3-DES's wide availability and ease of use, however, it is advisable to use it instead of DES.

ENCRYPTION IMPLEMENTATION

Most of today's commercial software packages use both public and symmetric key encryption algorithms, taking advantage of the strengths of each and avoiding their weaknesses. The public key algorithm is used first, as a means of negotiating a randomly generated secret key and providing for message authenticity. Then a secret key algorithm, such as 3-DES, IDEA, AES, or Blowfish, encrypts and decrypts the data on both ends for speed. Finally a cryptographic hash algorithm, such as SHA-1 or SHA-256, generates a message digest that can reveal tampering. The digest is digitally signed with the sender's private key using a signature algorithm such as DSA (Digital Signature Algorithm) or RSA.

GNUPG/PGP

The most popular personal encryption packages available today are GnuPG (GNU Privacy Guard, also called GPG; www.gnupg.org) and PGP (Pretty Good Privacy; www.pgp.com). GNU Privacy Guard was designed as a free replacement for PGP, a security tool that made its debut during the early 1990s.
Phil Zimmermann developed PGP as a Public Key Infrastructure (PKI), featuring a convenient interface, ease of use and management, and the security of digital certificates. One critical characteristic set PGP apart from the majority of cryptosystems then available: PGP functions entirely without certification authorities (CAs). Until the introduction of PGP, PKI implementations were built around the concept of CAs and centralized key management controls.

Both PGP and GnuPG rely on the notion of a web of trust:² If you trust someone and that person trusts someone else, the person you trust can provide an introduction to the third party. When you trust someone, you perform an operation called key signing. By signing someone else's key, you verify that the person's public key is authentic and safe for you to use to send email. When you sign a key, you are asked whether you trust this person to introduce other keys to you. It is common practice to assign this trust based on several criteria, including your knowledge of a person's character or a lasting professional relationship with the person. The best practice is to sign someone's key only after you have met face to face and compared the key's fingerprint, to avert any chance of a man-in-the-middle³ scenario. The disadvantage of this scheme is the lack of a central registry for associating with people you do not already know.

PGP is available without cost for personal use, but its deployment in a commercial environment requires the purchase of a license. This was not always the case: Soon after its introduction, PGP was available on many bulletin board systems, and users could implement it in any manner they chose. PGP rapidly gained popularity in the networking community, which capitalized on its encryption and key management capabilities for secure transmission of email. After a time, attention turned to RSA and IDEA, the two robust cryptographic algorithms that form an integral part of PGP's code. Both algorithms were patented.
The wide distribution of and growing user base for PGP sparked battles over patent violation and licenses, resulting in the eventual restriction of PGP's use. Enter GnuPG, which supports most of the features and implementations made available by PGP and complies with the OpenPGP Message Format standard (RFC 4880). Because GnuPG avoids the patented IDEA algorithm and relies instead on unencumbered algorithms such as ElGamal, DSA, CAST5, and AES, you can use it almost without restriction: It is released under the GNU GPL (refer to "The Code Is Free" on page 5). PGP and GnuPG are considered to be interchangeable and interoperable. The command sequences for and internal workings of these two tools are very similar.

2. For more information, see the section of The GNU Privacy Handbook (www.gnupg.org/documentation) titled "Validating Other Keys on Your Public Keyring."

3. Man-in-the-middle: If Max and Zach try to carry on a secure email exchange over a network, Max first sends Zach his public key. However, suppose Mr. X sits between Max and Zach on the network and intercepts Max's public key. Mr. X then sends his own public key to Zach. Zach then sends his public key to Max, but once again Mr. X intercepts it, substitutes his own public key, and sends that to Max. Without some kind of active protection (a piece of shared information, such as a key fingerprint verified out of band), Mr. X, the man-in-the-middle, can decrypt all traffic between Max and Zach, reencrypt it, and send it on to the other party.

The GnuPG system includes the gpg program

tip  GnuPG is frequently referred to as gpg, but gpg is actually the main program for the GnuPG system.

GNU offers a good introduction to privacy, The GNU Privacy Handbook, which is available in several languages and listed at www.gnupg.org (click Documentation > Guides). Click Documentation > HOWTOs on the same Web page to view the GNU Privacy Guard (GnuPG) Mini Howto, which steps through the setup and use of gpg.
And, of course, there is a gpg info page. In addition to providing encryption, gpg is useful for authentication. For example, you can use it to verify that the person who signed a piece of email is the person who sent it.

FILE SECURITY

From an end user's perspective, file security is one of the most critical areas of security. Some file security is built into Linux: chmod (page 216) gives you basic security control. ACLs (Access Control Lists) allow more fine-grained control of file access permissions. ACLs are part of Solaris, Windows NT/2000/XP, VAX/VMS, and mainframe operating systems. Ubuntu Linux supports ACLs (page 221). Even these tools are insufficient, however, when your account is compromised (for example, by someone watching your fingers on the keyboard as you type your password). To provide maximum file security, you must encrypt your files. Then even someone who knows your password cannot read your files. (Of course, if someone knows your key, that person can decrypt your files if she can get to them.)

EMAIL SECURITY

Email security overlaps file security and, as discussed later, network security. GnuPG is the tool most frequently used for email security, although you can also use PGP. PEM (Privacy Enhanced Mail) is a standard rather than an algorithm and is used less frequently.

MTAs (MAIL TRANSFER AGENTS)

An increasingly common MTA extension is STARTTLS (Start Transport Layer Security; www.sendmail.org/~ca/email/starttls.html), which upgrades a cleartext SMTP connection to an encrypted one. TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer) and has become the de facto method for encrypting TCP/IP traffic on the Internet. The sendmail and exim4 daemons can be built to support STARTTLS, and much documentation exists on how to do so. STARTTLS enhancements are also available for Qmail (page 715) and Postfix (page 715) and other popular MTAs.
It is important to recognize that this capability provides encryption between two mail servers but not necessarily between your machine and the mail server, and that it protects each hop rather than the message: the email sits in cleartext on every server it passes through. Also, the advantages of using TLS are negated if the email must pass through a relay that does not support TLS.

MUAs (MAIL USER AGENTS)

Many popular mail user agents, such as mutt, elm, Thunderbird, and emacs, include the ability to use PGP or GnuPG for encryption. Evolution, the default Ubuntu Linux MUA, has built-in GnuPG support. This approach has become the default way to exchange email securely.

NETWORK SECURITY

Network security is a vital component for ensuring the security of a computing site. However, without the right infrastructure, providing network security is difficult, if not impossible. For example, if you run a shared network topology,⁴ such as Ethernet, and have jacks in public locations that allow anyone to plug in to the network at will, how can you prevent someone from plugging in a machine and capturing all the packets (page 1164) that traverse the network?⁵ You cannot, so you have a potential security hole.

Another common security hole relates to the use of telnet for logins. Because telnet sends and receives cleartext, anyone "listening in" on the line can easily capture usernames and passwords, compromising security.

Do not allow any unauthenticated PC (any PC that does not require users to supply a local name and password) on a network. With a Windows 9x PC, any user on the network is effectively working with root privileges for the following reasons:

• A PC does not recognize the concept of root privileges. All users, by default, have access to and can watch the network, capture packets, and send packets.

• On UNIX/Linux, only a user working with root privileges can put the network interface in promiscuous mode and collect packets.

On UNIX and Linux, ports numbered less than 1024⁶ are privileged; that is, programs running without root privileges cannot bind to these ports.
This is an important but regrettable means of security for some protocols, such as NIS, NFS, RSH, and LPD: they treat a connection from a low-numbered source port as proof that the client is running as root on its host, something a user who controls an unauthenticated PC can forge trivially.

4. Shared network topology: A network in which each packet may be seen by machines other than its destination. "Shared" means that the 100 megabits per second bandwidth is shared by all users.

5. Do not make the mistake of assuming that you have security just because you have a switch. Switches are designed to allocate bandwidth, not to guarantee security.

6. The term port has many meanings; here it is a number assigned to a program. This number links incoming data with a specific service. For example, port 21 is used by FTP traffic, and port 23 is used by TELNET.

Normally a data switch on a LAN automatically protects machines from people snooping on the network for data. In high-load situations, switches have been known to behave unpredictably, directing packets to the wrong ports. Certain programs can deliberately overload the switch tables (the MAC address tables) that record which machine is on which port. When these tables overflow, the switch falls back to behaving as a repeater and broadcasts all packets to all ports. An attacker on the same switch as you can then see the traffic your system sends and receives.

NETWORK SECURITY SOLUTIONS

One solution to shared-network problems is to encrypt messages that travel between machines. IPSec (Internet Protocol Security) provides an appropriate technology. IPSec is commonly used to establish a secure point-to-point virtual private network (VPN, page 1180) that allows two hosts to communicate securely over an unsecure channel, such as the Internet. This protocol provides integrity, confidentiality, authenticity, and flexibility of implementation that supports multiple vendors.
IPSec is an amalgamation of protocols (IPSec = AH + ESP + IPComp + IKE):

• Authentication Header (AH): A keyed, cryptographically secure checksum (page 1140) over the packet, including its IP header. AH guarantees that the packet is authentic and unmodified but does not encrypt it.

• Encapsulating Security Payload (ESP): Encrypts the packet payload to make the data unreadable (and can also authenticate it).

• IP Payload Compression (IPComp): Compresses a packet before it is encrypted. Encryption adds overhead to a packet, and encrypted data cannot be compressed afterward, so IPComp counteracts the increase in size.

• Internet Key Exchange (IKE): Provides a way for the endpoints to negotiate a common key securely. For AH to work, both ends of the exchange must use the same key to prevent a "man-in-the-middle" (see footnote 3 on page 1114) from spoofing the connection.

While IPSec is an optional part of IPv4, IPv6 (page 387) mandates support for it. It may be quite some time before IPv6 is widely implemented, however.

NETWORK SECURITY GUIDELINES

Some general guidelines for establishing and maintaining a secure system follow. This list is not complete but rather is meant as a guide.

• Fiberoptic cable is more secure than copper cable. Copper is subject to both active and passive eavesdropping. With access to copper cable, all a data thief needs to monitor your network traffic is a passive device for measuring magnetic fields. In contrast, it is much more difficult to tap a fiberoptic cable without interrupting the signal. Sites requiring top security keep fiberoptic cable in pressurized conduits, where a change in pressure signals that the physical security of the cable has been breached.

• Avoid leaving unused ports available in public areas. If a malicious user can plug a laptop into the network without being detected, you are at risk of a serious security problem. Network drops that will remain unused for extended periods should be disabled at the switch, preventing them from accepting or passing network traffic.
• Many network switches have provisions for binding a hardware address to a port for enhanced security. If someone unplugs one machine and plugs in another machine to capture traffic, chances are that the second machine will have a different hardware address. When it detects a device with a different hardware address, the switch can disable the port. Even this solution is no guarantee, however, as some programs enable you to change or mask the hardware address of a network interface.

Install a small kernel and run only the programs you need

security  Linux systems contain a huge number of programs that, although useful, significantly reduce the security of the host. Install the smallest operating system kernel and set of packages that meets your needs. For Web and FTP servers, install only the needed components and do not install a graphical interface. Users may require additional packages.

• Do not allow NFS or NIS access outside the local network. Otherwise, it is a simple matter for a malicious user to steal the password map. Default NFS security is marginal to nonexistent (a common joke is that NFS stands for No File Security or Nightmare File System), so such access should not be allowed outside your network to machines that you do not trust. Experimental versions of NFS for Linux that support much better authentication algorithms are now becoming available. Use IPSec, NFSv4 (which includes improved authentication), or firewalls to provide access outside of your domain.

• Support for VPN configuration is often built into new firewalls or provided as a separate product, enabling your system to join securely with the systems of your customers or partners. If you must allow business partners, contractors, or other outside parties to access local files, consider using a secure filesystem, such as NFS with Kerberos (page 1156), secure NFS (which encrypts authentication, not traffic), NFS over a VPN such as IPSec, or cfs (cryptographic filesystem).
• Specify /usr as readonly (ro) in /etc/fstab. Following is an example of such a configuration:

  /dev/sda6  /usr  ext2  ro  0 0

This approach may make your machine difficult to update, so use this tactic with care.

• Mount filesystems other than / and /usr nosuid so that the setuid and setgid bits on programs stored there are ignored. For example:

  /dev/sda4  /var        ext4  nosuid  0 0
  /dev/sda5  /usr/local  ext4  nosuid  0 0

• Use a barrier or firewall product between the local network and the Internet. Several valuable mailing lists cover firewalls, including the comp.security.firewalls newsgroup and the free firewalls Web site (www.freefire.org). Ubuntu Linux includes firestarter (page 864), gufw (page 876), and iptables (page 880), which allow you to implement a firewall.

HOST SECURITY

Your host must be secure. Simple security steps include preventing remote logins and leaving the /etc/hosts.equiv and individual users' ~/.rhosts files empty (or not having them at all). Complex security steps include installing IPSec for VPNs between hosts. Many other security measures, some of which are discussed in this section, fall somewhere between these extremes. See Table C-1 on page 1124 for relevant URLs.

• Although potentially tricky to implement and manage, intrusion detection systems (IDSs) are an excellent way to keep an eye on the integrity of a device. An IDS can warn of possible attempts to subvert security on the host on which it runs. The great-granddaddy of intrusion detection systems is tripwire. This host-based system checks modification times and integrity of files by using strong algorithms (cryptographic checksums or signatures) that can detect even the most minor modifications. A commercial version of tripwire is also available. Another commercial IDS is DragonSquire. Other free, popular, and flexible IDSs include samhain and AIDE. The last two IDSs offer even more features and means of remaining invisible to users than tripwire does.
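Two of the checks above, the /etc/fstab guidance (/usr read-only, nosuid on every filesystem other than / and /usr) and a tripwire-style integrity baseline, as an added Python example. It is constructed for this appendix; it is not the book's code and not tripwire, samhain or AIDE. The sample fstab is invented, the function names (audit_fstab, snapshot, compare) are assumptions, and the policy in audit_fstab() is only the one stated in the two fstab bullets.

```python
"""Constructed host-security checks: an fstab mount-option audit and a minimal
tripwire-style file-integrity baseline (content hash, permission bits, size)."""
import hashlib
import os
import stat

# Invented sample; /usr lacks "ro" and /usr/local lacks "nosuid" on purpose.
SAMPLE_FSTAB = """\
# <device>   <mountpoint>  <type>  <options>   <dump> <pass>
/dev/sda1    /             ext4    defaults    0 1
/dev/sda6    /usr          ext4    defaults    0 2
/dev/sda4    /var          ext4    nosuid      0 2
/dev/sda5    /usr/local    ext4    defaults    0 2
/dev/sda7    none          swap    sw          0 0
"""


def audit_fstab(fstab_text):
    """Return findings for entries that violate the policy in this section:
    /usr mounted read-only, everything other than / and /usr mounted nosuid."""
    findings = []
    for raw in fstab_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            findings.append(f"malformed entry: {raw.strip()!r}")
            continue
        _device, mountpoint, fstype, opts = fields[:4]
        if fstype == "swap":
            continue                               # no mount options apply
        options = set(opts.split(","))
        if mountpoint == "/usr" and "ro" not in options:
            findings.append("/usr is not mounted read-only (ro)")
        if mountpoint not in ("/", "/usr") and "nosuid" not in options:
            findings.append(f"{mountpoint} is mounted without nosuid")
    return findings


def snapshot(root):
    """Baseline every regular file under root.  lstat() is used so symbolic
    links, devices and sockets are skipped rather than followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": digest,
                             "mode": stat.S_IMODE(st.st_mode),  # catches a new setuid bit
                             "size": st.st_size}
    return baseline


def compare(baseline, current):
    """Diff two snapshots; any change in hash, mode or size counts as modified."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print("fstab:", finding)
    # Assumed usage: take a baseline once, store it off-host, compare later.
    # base = snapshot("/usr/bin"); ...; print(compare(base, snapshot("/usr/bin")))
```

The baseline must itself be stored somewhere an intruder cannot rewrite it (read-only media or the central log host mentioned below); a baseline kept on the monitored machine is the first thing a competent attacker updates.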
Commercial IDSs that are popular in enterprise environments include Cisco Secure IDS (formerly NetRanger), Enterasys Dragon, and ISS RealSecure.

• Keep Ubuntu systems up-to-date by downloading and installing the latest updates. Use the Update Notifier to update the system regularly (page 112). You can set the system up to automatically install security updates using the Software Sources window, Updates tab (page 131).

• Complementing host-based IDSs are network-based IDSs. The latter programs monitor the network and nodes on the network and report suspicious occurrences (attack signatures) via user-defined alerts. These signatures can be matched based on known worms, overflow attacks against programs, or unauthorized scans of network ports. Such programs as snort, klaxon, and NFR are used in this capacity. Commercial programs, such as DragonSentry, also fill this role.

• Provided with Ubuntu Linux is PAM, which allows you to set up different methods and levels of authentication in many ways (page 478).

• Process accounting, a good supplement to system security, can provide a continuous record of user actions on your system. See the accton man page (part of the acct package) for more information.

• Emerging standards for such things as Role-Based Access Control (RBAC) allow tighter delegation of privileges along defined organizational boundaries. You can delegate a role or roles to each user as appropriate to the access required.

• General mailing lists and archives are useful repositories of security information, statistics, and papers. The most useful are the bugtraq mailing list and CERT.⁷ The bugtraq site and email service offer immediate notifications about specific vulnerabilities, whereas CERT provides notice of widespread vulnerabilities and useful techniques to fix them, plus links to vendor patches.

• The syslogd facility can direct messages from system daemons to specific files such as those in /var/log.
On larger groups of systems, you can send all important syslogd information to a secure host whose only function is to store syslogd data, so that an intruder on a compromised machine cannot tamper with the record. See page 404 and the syslogd man page for more information.

7. CERT is slow but useful as a medium for coordination between sites. It acts as a tracking agency to document the spread of security problems.

LOGIN SECURITY

Without a secure host, good login security cannot add much protection. Table C-1 on page 1124 lists some of the best login security tools, including replacement daemons for telnetd, rlogind, and rshd. Many sites use ssh, which comes as both freeware and a commercially supported package that works on UNIX/Linux, Windows, and Macintosh platforms.

The PAM facility (page 478) allows you to set up multiple authentication methods for users in series or in parallel. In-series PAM requires multiple methods of authentication for a user. In-parallel PAM uses any one of a number of methods for authentication.

Although not the most popular choice, you can configure a system to take advantage of one-time passwords. S/Key is the original implementation of one-time passwords by Bellcore. OPIE (one-time passwords in everything), which was developed by the U.S. Naval Research Labs, is an improvement over the original Bellcore system. In one permutation of one-time passwords, the user gets a piece of paper listing a set of one-time passwords. Each time a user logs in, she enters a password from the piece of paper. Once used, a password becomes obsolete, and the next password in the list is the only one that will work. Even if a malicious user compromises the network and sees your password, this information will be of no use because the password can be used only once. This setup makes it very difficult for someone to log in as you but does nothing to protect the data you type at the keyboard.
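The hash chain behind the S/Key-style password list just described, as an added Python example. It is constructed for this appendix and is not the S/Key or OPIE source: the client derives the chain H(s), H(H(s)), ... from a secret s, the server is enrolled with only the last link and a count, and each login presents the previous link, which the server verifies by hashing it once before moving its stored value down the chain. SHA-256 stands in for the MD4/MD5 those systems used; the class names OtpClient/OtpServer, the chain length and the sample secret are assumptions.

```python
"""Constructed S/Key-style one-time password demo built on a hash chain.
The server never stores the secret, and a captured password cannot be replayed
because the server only accepts the link immediately below its stored value."""
import hashlib
import secrets


def _h(data):
    return hashlib.sha256(data).digest()


def hash_chain(secret, n):
    """Return [H^0(secret), H^1(secret), ..., H^n(secret)]."""
    chain = [secret]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpClient:
    """Holds the secret; hands out chain links from H^(n-1) downward."""

    def __init__(self, secret, n):
        self.chain = hash_chain(secret, n)
        self.index = n            # H^n is what the server was enrolled with

    def enrollment_value(self):
        """The one value the server needs: the top of the chain, H^n(secret)."""
        return self.chain[-1]

    def next_password(self):
        if self.index == 0:
            raise RuntimeError("chain exhausted: re-enroll with a fresh secret")
        self.index -= 1
        return self.chain[self.index]

    def printed_list(self):
        """The 'piece of paper' from the text: remaining passwords, next one first."""
        return [self.chain[i].hex() for i in range(self.index - 1, -1, -1)]


class OtpServer:
    """Stores only the top of the chain and how many logins remain."""

    def __init__(self, enrollment_value, n):
        self.last = enrollment_value
        self.remaining = n

    def login(self, presented):
        # Wrong password, a replayed (already used) password, or an exhausted
        # chain all fail the same way: hashing the input does not give 'last'.
        if self.remaining == 0 or _h(presented) != self.last:
            return False
        self.last = presented     # move one link down the chain
        self.remaining -= 1
        return True


if __name__ == "__main__":
    secret = secrets.token_bytes(16)
    client = OtpClient(secret, n=5)
    server = OtpServer(client.enrollment_value(), n=5)
    password = client.next_password()
    print(server.login(password), server.login(password))   # True False
```

The second login with the same password fails because the server has already advanced to it: knowing H^k(s) does not yield H^(k-1)(s), which is exactly the one-way property the scheme relies on. When the count reaches zero the user must re-enroll with a new secret, which is the "run out of paper" case.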
One-time passwords are a good solution if you are at a site where no encrypted login is available. A truly secure (or paranoid) site will combine one-time passwords and encrypted logins.

Another type of secure login that is becoming more common is facilitated by a token or a smartcard. Smartcards are credit-card-like devices that use a challenge-response method of authentication. Smartcard and token authentication rely on something you have (the card) and something you know (a pass phrase, user ID, or PIN). For example, you might enter your username in response to the login prompt and get a password prompt. You would then enter your PIN and the number displayed on the access token. The token has a unique serial number that is stored in a database on the authentication server. The token and the authentication server use the secret seed associated with this serial number, together with the current time, to compute a new code every 30 to 60 seconds. If the PIN and token number you enter match what the access server computes, you are granted access to the system.

REMOTE ACCESS SECURITY

Issues and solutions surrounding remote access security overlap with those pertaining to login and host security. Local logins may be secure with simply a username and password, whereas remote logins (and all remote access) should be made more secure. Many break-ins can be traced back to reusable passwords. It is a good idea to use an encrypted authentication client, such as ssh or Kerberos. You can also use smartcards for remote access authentication.

Modem pools can also be an entry point into a system. Most people are aware of how easy it is to monitor a network line, but they may take for granted the security of the public switched telephone network (PSTN, also known as POTS, plain old telephone service). You may want to set up an encrypted channel after dialing in to a modem pool.
One way to do so is by running ssh over PPP.

There are ways to implement stringent modem authentication policies so unauthorized users cannot use local modems. The most common techniques are PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), and RADIUS. PAP sends the password in cleartext and CHAP protects it only with a hashed challenge-response; RADIUS centralizes authentication on a dedicated server (and can carry PAP or CHAP credentials to that server), so it has rapidly gained in popularity. Cisco also provides a method of authentication called TACACS/TACACS+ (Terminal Access Controller Access Control System). One or more of these authentication techniques are available in a RAS (remote access server: in a network, a computer that provides network access to remote users via modem). Before purchasing a RAS, check what kind of security it provides and decide whether that level of security meets your needs.

Two other techniques for remote access security can be built into a modem (or a RAS if it has integrated modems). One is callback: After you dial in, you get a password prompt. Once you type your password, the modem hangs up and calls you back at a phone number it has stored internally. Unfortunately this technique is not foolproof. Some modems have a built-in callback table that holds about ten entries, so this strategy works for small sites with only a few modems. If you use more modems, the RAS software must provide the callback. The second technique is to use CLID (caller line ID) or ANI (automatic number identification) to decide whether to answer the call. Depending on your wiring and the local phone company, you may or may not be able to use ANI. ANI information is provided before the call, whereas CLID information is provided in tandem with the call.

VIRUSES AND WORMS

Examples of UNIX/Linux viruses include the Bliss virus/worm released in 1997 and the RST.b virus discovered in December 2001. Both are discussed in detail in articles on the Web. Viruses spread through systems by infecting executable files.
In the cases of Bliss and RST.b, the Linux native executable format, ELF, was used as a propagation vector.

Just after 5 PM on November 2, 1988, Robert T. Morris, Jr., a graduate student at Cornell University, released onto the Internet the first big self-propagating program, which came to be called the Internet worm. It was designed to propagate copies of itself over many machines on the Internet. The worm exploited four vulnerabilities, including a buffer overflow in the finger daemon: once the buffer overflowed, the worm's code obtained a shell and then recompiled itself on the remote machine. The worm spread around the Internet very quickly and was not disabled, despite many people's efforts, for 36 hours.

The chief characteristic of any worm is propagation over a public network, such as the Internet. A virus propagates by infecting executables on the machine, whereas a worm tends to exploit known security holes in network servers to gain root access and then tries to infect other machines in the same way. UNIX/Linux file permissions help to inoculate systems against many viruses. Windows NT is resistant for similar reasons. You can easily protect the local system against many viruses and worms by keeping its system patches up-to-date, not executing untrusted binaries from the Internet, limiting PATH (page 319) to include only necessary system directories, and doing as little as possible while working with root privileges. You can prevent a disaster in case a virus strikes by backing up your system frequently.

PHYSICAL SECURITY

Often overlooked as a defense against intrusion, physical security covers access to the computer itself and to the console or terminal attached to the machine. If the machine is unprotected in an unlocked room, there is very little hope for physical security.
(A simple example of physical vulnerability is someone walking into the room where the computer is, removing the hard drive from the computer, taking it home, and analyzing it.) You can take certain steps to improve the physical security of a computer.

• Keep servers in a locked room with limited access. A key, a combination, or a swipe card should be required to gain access. Protect windows as well as doors. Maintain a single point of entry. (Safety codes may require multiple exits, but only one must be an entry.)

• For public machines, use a security system, such as a fiberoptic security system, that can secure a lab full of machines. With such a system, you run a fiberoptic cable through each machine such that the machine cannot be removed (or opened) without cutting the cable. When the cable is cut, an alarm goes off. Some machines—for example, PCs with plastic cases—are much more difficult to secure than others. Although it is not a perfect solution, a fiberoptic security system may improve local security enough to persuade a would-be thief to go somewhere else.

• Most modern PCs have a BIOS password. You can set the order in which a PC searches for a boot device, preventing the PC from being booted from a floppy disk or CD/DVD. Some BIOSs can prevent the machine from booting altogether without a proper password. The password protects the BIOS from unauthorized modification. Beware, however: Many BIOSs have well-known back doors (page 1136). Research this issue if the BIOS password is an important feature for you. In addition, you can blank the BIOS password by setting the clear-CMOS jumper on a PC motherboard; if you are relying on a BIOS password, lock the case.

• Run only fiberoptic cable between buildings. This strategy is not only more secure but also safer in the event of lightning strikes and is required by many commercial building codes.

• Maintain logs of who goes in and out of secure areas. Sign-in/out sheets are useful only if everyone uses them.
Sometimes a guard is warranted. Often a simple proximity badge or smartcard can tell when anyone has entered or left an area and keep logs of these events, although these can be expensive to procure and install.

• Anyone who has access to the physical hardware has the keys to the palace. Someone with direct access to a computer system can do such things as swap components and insert boot media, all of which are security threats.

• Avoid having activated, unused network jacks in public places. Such jacks provide unnecessary risk.

• Many modern switches can lock a particular switch port so it accepts only traffic from an NIC (network interface card) with a particular hardware address and shuts down the port if another address is seen. However, commonly available programs can enable someone to reset this address.

• Make periodic security sweeps. Check doors for proper locking. If you must have windows, make sure they are locked or are permanently sealed.

• Waste receptacles are often a source of information for intruders. Have policies for containment and disposal of sensitive documents.

• Use a UPS (uninterruptable power supply). Without a clean source of power, your system is vulnerable to corruption.

SECURITY RESOURCES

Many free and commercial programs can enhance system security. Some of these are listed in Table C-1. Many of these sites have links to other, interesting sites that are worth looking at.

Table C-1 Security resources (for each tool: what it does, then where to get it)

AIDE
    Advanced Intrusion Detection Environment. Similar to tripwire with extensible verification algorithms.
    sourceforge.net/projects/aide

bugtraq
    A moderated mailing list for the announcement and detailed discussion of all aspects of computer security vulnerabilities.
    www.securityfocus.com/archive/1

CERT
    Computer Emergency Response Team. A repository of papers and data about major security events and a list of security tools.
    www.cert.org

chkrootkit
    Checks for signs of a rootkit indicating that the machine has been compromised.
    www.chkrootkit.org

dsniff
    Sniffing and network audit tool suite. Free.
    monkey.org/~dugsong/dsniff

freefire
    Supplies free security solutions and supports developers of free security solutions.
    www.freefire.org

fwtk
    Firewall toolkit. A set of proxies that can be used to construct a firewall.
    www.fwtk.org

GIAC
    A security certification and training Web site.
    www.giac.org

hping
    Multipurpose network auditing and packet analysis tool. Free.
    www.hping.org

ISC2
    Educates and certifies industry professionals and practitioners under an international standard.
    www.isc2.org

John
    John the Ripper: a fast, flexible, weak password detector.
    www.openwall.com/john

Kerberos
    Complete, secure network authentication system.
    web.mit.edu/kerberos/www

L6
    Verifies file integrity; similar to tripwire (French and English).
    www.pgci.ca/l6.html

Launchpad
    Tracks Ubuntu Linux bugs.
    bugs.launchpad.net/ubuntu

LIDS
    Intrusion detection and active defense system.
    www.lids.org

LinuxSecurity.com
    A solid news site dedicated to Linux security issues.
    www.linuxsecurity.com

LWN.net
    Security alert database for all major Linux distributions.
    lwn.net/Alerts

Microsoft Security
    Microsoft security information.
    www.microsoft.com/security

nessus
    A plugin-based remote security scanner that can perform more than 370 security checks. Free.
    www.nessus.org

netcat
    Explores, tests, and diagnoses networks.
    freshmeat.net/projects/netcat

nmap
    Scans hosts to see which ports are available. It can perform stealth scans, determine operating system type, find open ports, and more.
    nmap.org

RBAC
    Role-Based Access Control. Assigns roles and privileges associated with the roles.
    csrc.nist.gov/rbac

SAINT
    Security Administrator's Integrated Network Tool. Assesses and analyzes network vulnerabilities. This tool follows satan.
    www.saintcorporation.com

samhain
    A file integrity checker. Has a GUI configurator, client/server capability, and real-time reporting capability.
    www.la-samhna.de

SANS
    Security training and certification.
    www.sans.org

SARA
    The Security Auditor's Research Assistant security analysis tool.
    www-arc.com/sara

Schneier, Bruce
    Security visionary.
    www.schneier.com

Secunia
    Monitors a broad spectrum of vulnerabilities.
    secunia.com

SecurityFocus
    Home for security tools, mail lists, libraries, and cogent analysis.
    www.securityfocus.com

snort
    A flexible IDS.
    www.snort.org

srp
    Secure Remote Password. Upgrades common protocols, such as TELNET and FTP, to use secure password exchange.
    srp.stanford.edu

ssh
    A secure rsh, ftp, and rlogin replacement with encrypted sessions and other options. Supplied with Ubuntu Linux.
    openssh.org, www.ssh.com

swatch
    A Perl-based log parser and analyzer.
    swatch.sourceforge.net

Treachery
    A collection of tools for security and auditing.
    www.treachery.net/tools

tripwire
    Checks for possible signs of intruder activity. Supplied with Ubuntu Linux.
    www.tripwire.com

wireshark
    Network protocol analyzer. Free.
    www.wireshark.org

SUMMARY

Security is inversely proportional to usability. There must be a balance between users' requirements to get their work done and the amount of security that is implemented. It is often unnecessary to provide top security for a small business with only a few employees. By contrast, if you work for a government military contractor, you are bound to have extreme security constraints and an official audit policy to determine whether security policies are being implemented correctly.

Review your own security requirements periodically. Several of the tools mentioned in this appendix can help you monitor a system's security measures.
Tools such as nessus, samhain, and SAINT, for example, provide auditing mechanisms.

Some companies specialize in security and auditing. Hiring one of them to examine your site can be costly but may yield specific recommendations for areas you may have overlooked in your initial setup. When you hire someone to audit your security, recognize you may be providing both physical and root access to local systems. Make sure the company that you hire has a good history, has been in business for several years, and has impeccable references. Check up on the company periodically: Things change over time.

Avoid the temptation to hire former system crackers as consultants. Security consultants should have an irreproachable ethical background or you will always have doubts about their intentions.

Your total security package is based on your risk assessment of local vulnerabilities. Strengthen those areas that are most important for your business. For example, many sites rely on a firewall to protect them from the Internet, whereas internal hosts may receive little or no security attention. Crackers refer to this setup as "the crunchy outside surrounding the soft chewy middle." Yet this setup is entirely sufficient to protect some sites. Perform your own risk assessment and address your needs accordingly. If need be, hire a full-time security administrator whose job it is to design and audit local security policies.

D THE FREE SOFTWARE DEFINITION¹

We maintain this free software definition to show clearly what must be true about a particular software program for it to be considered free software.

"Free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer."

Free software is a matter of the users' freedom to run, copy, distribute, study, change and improve the software.
More precisely, it refers to four kinds of freedom, for the users of the software:

• The freedom to run the program, for any purpose (freedom 0).

• The freedom to study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.

• The freedom to redistribute copies so you can help your neighbor (freedom 2).

• The freedom to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this.

1. This material is at www.gnu.org/philosophy/free-sw.html on the GNU Web site. Because GNU requests a verbatim copy, links remain in place (underlined). View the document on the Web to ensure you are reading the latest copy and to follow the links.

A program is free software if users have all of these freedoms. Thus, you should be free to redistribute copies, either with or without modifications, either gratis or charging a fee for distribution, to anyone anywhere. Being free to do these things means (among other things) that you do not have to ask or pay for permission.

You should also have the freedom to make modifications and use them privately in your own work or play, without even mentioning that they exist. If you do publish your changes, you should not be required to notify anyone in particular, or in any particular way.

The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity.

The freedom to redistribute copies must include binary or executable forms of the program, as well as source code, for both modified and unmodified versions. (Distributing programs in runnable form is necessary for conveniently installable free operating systems.)
It is ok if there is no way to produce a binary or executable form for a certain program (since some languages don't support that feature), but you must have the freedom to redistribute such forms should you find or develop a way to make them.

In order for the freedoms to make changes, and to publish improved versions, to be meaningful, you must have access to the source code of the program. Therefore, accessibility of source code is a necessary condition for free software.

One important way to modify a program is by merging in available free subroutines and modules. If the program's license says that you cannot merge in an existing module, such as if it requires you to be the copyright holder of any code you add, then the license is too restrictive to qualify as free.

In order for these freedoms to be real, they must be irrevocable as long as you do nothing wrong; if the developer of the software has the power to revoke the license, without your doing anything to give cause, the software is not free.

However, certain kinds of rules about the manner of distributing free software are acceptable, when they don't conflict with the central freedoms. For example, copyleft (very simply stated) is the rule that when redistributing the program, you cannot add restrictions to deny other people the central freedoms. This rule does not conflict with the central freedoms; rather it protects them.

You may have paid money to get copies of free software, or you may have obtained copies at no charge. But regardless of how you got your copies, you always have the freedom to copy and change the software, even to sell copies.

"Free software" does not mean "non-commercial". A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important.
Rules about how to package a modified version are acceptable, if they don't substantively block your freedom to release modified versions, or your freedom to make and use modified versions privately. Rules that "if you make your version available in this way, you must make it available in that way also" can be acceptable too, on the same condition. (Note that such a rule still leaves you the choice of whether to publish your version at all.) Rules that require release of source code to the users for versions that you put into public use are also acceptable. It is also acceptable for the license to require that, if you have distributed a modified version and a previous developer asks for a copy of it, you must send one, or that you identify yourself on your modifications.

In the GNU project, we use "copyleft" to protect these freedoms legally for everyone. But non-copylefted free software also exists. We believe there are important reasons why it is better to use copyleft, but if your program is non-copylefted free software, we can still use it. See Categories of Free Software for a description of how "free software," "copylefted software" and other categories of software relate to each other.

Sometimes government export control regulations and trade sanctions can constrain your freedom to distribute copies of programs internationally. Software developers do not have the power to eliminate or override these restrictions, but what they can and must do is refuse to impose them as conditions of use of the program. In this way, the restrictions will not affect activities and people outside the jurisdictions of these governments.

Most free software licenses are based on copyright, and there are limits on what kinds of requirements can be imposed through copyright. If a copyright-based license respects freedom in the ways described above, it is unlikely to have some other sort of problem that we never anticipated (though this does happen occasionally).
However, some free software licenses are based on contracts, and contracts can impose a much larger range of possible restrictions. That means there are many possible ways such a license could be unacceptably restrictive and non-free. We can't possibly list all the ways that might happen. If a contract-based license restricts the user in an unusual way that copyright-based licenses cannot, and which isn't mentioned here as legitimate, we will have to think about it, and we will probably conclude it is non-free.

When talking about free software, it is best to avoid using terms like "give away" or "for free", because those terms imply that the issue is about price, not freedom. Some common terms such as "piracy" embody opinions we hope you won't endorse. See Confusing Words and Phrases that are Worth Avoiding for a discussion of these terms. We also have a list of translations of "free software" into various languages.

Finally, note that criteria such as those stated in this free software definition require careful thought for their interpretation. To decide whether a specific software license qualifies as a free software license, we judge it based on these criteria to determine whether it fits their spirit as well as the precise words. If a license includes unconscionable restrictions, we reject it, even if we did not anticipate the issue in these criteria. Sometimes a license requirement raises an issue that calls for extensive thought, including discussions with a lawyer, before we can decide if the requirement is acceptable. When we reach a conclusion about a new issue, we often update these criteria to make it easier to see why certain licenses do or don't qualify.

If you are interested in whether a specific license qualifies as a free software license, see our list of licenses.
If the license you are concerned with is not listed there, you can ask us about it by sending us email at licensing@gnu.org.

If you are contemplating writing a new license, please contact the FSF by writing to that address. The proliferation of different free software licenses means increased work for users in understanding the licenses; we may be able to help you find an existing Free Software license that meets your needs.

If that isn't possible, if you really need a new license, with our help you can ensure that the license really is a Free Software license and avoid various practical problems.

Another group has started using the term "open source" to mean something close (but not identical) to "free software". We prefer the term "free software" because, once you have heard it refers to freedom rather than price, it calls to mind freedom. The word "open" never does that.

Other Texts to Read

Translations of this page: [ Català | Chinese (Simplified) | Chinese (Traditional) | Czech | Dansk | Deutsch | English | Español | Persian/Farsi | Français | Galego | Hebrew | Hrvatski | Bahasa Indonesia | Italiano | Japanese | Korean | Magyar | Nederlands | Norsk | Polski | Português | Română | Russian | Slovinsko | Serbian | Tagalog | Türkçe ]

Return to the GNU Project home page.

Please send FSF & GNU inquiries to gnu@gnu.org. There are also other ways to contact the FSF.

Please send broken links and other corrections (or suggestions) to webmasters@gnu.org

Please see the Translations README for information on coordinating and submitting translations of this article.

Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA

Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved.
• Updated: $Date: 2005/11/26 13:16:40 $ $Author: rms $ GLOSSARY All entries marked with FOLDOC are based on definitions in the Free On-Line Dictionary of Computing (www.foldoc.org), Denis Howe, editor. Used with permission. 1133 1134 GLOSSARY 10.0.0.0 See private address space on page 1166. 172.16.0.0 See private address space on page 1166. 192.168.0.0 See private address space on page 1166. 802.11 A family of specifications developed by IEEE for wireless LAN technology, including 802.11 ( 1 - 2 megabits per second), 8 0 2 . 1 1 a (54 megabits per second), 8 0 2 . 1 1 b (11 megabits per second), and 8 0 2 . l l g (54 megabits per second). absolute pathname A pathname that starts with the root directory (represented by /). An absolute pathname locates a file without regard to the working directory. access In computer jargon, a verb meaning to use, read from, or write to. To access a file means to read from or write to the file. Access Control List See ACL. access permissions Permission to read from, write to, or execute a file. If you have write access permission to a file (usually just called write permission), you can write to the file. Also access privilege. ACL Access Control List. A system that performs a function similar to file permissions but with much finer-grain control. active window On a desktop, the window that receives the characters you type on the keyboard. Same as focus, desktop (page 1149). address mask See subnet mask on page 1175. alias A mechanism of a shell that enables you to define new commands. alphanumeric character One of the characters, either uppercase or lowercase, from A to Z and 0 to 9, inclusive. ambiguous file reference A reference to a file that does not necessarily specify any one file but can be used to specify a group of files. The shell expands an ambiguous file reference into a list of filenames. 
Special characters represent single characters (?), strings of zero or more characters (*), and character classes ([]) within ambiguous file references. An ambiguous file reference is a type of regular expression (page 1168). angle bracket A left angle bracket (<) and a right angle bracket (>). The shell uses < to redirect a command's standard input to come from a file and > to redirect the standard output. The shell uses the characters « to signify the start of a Here document and » to append output to a file. animate When referring to a window action, means that the action is slowed down so the user can view it. For example, when you minimize a window, it can disappear all at once (not animated) or it can slowly telescope into the panel so you can get a visual feel for what is happening (animated). GLOSSARY 1135 anti-aliasing Adding gray pixels at the edge of a diagonal line to get rid of the jagged appearance and thereby make the line look smoother. Anti-aliasing sometimes makes type on a screen look better and sometimes worse; it works best on small and large fonts and is less effective on fonts from 8 to 15 points. See also subpixel hinting (page 1175). API Application program interface. The interface (calling conventions) by which an application program accesses an operating system and other services. An API is defined at the source code level and provides a level of abstraction between the application and the kernel (or other privileged utilities) to ensure the portability of the code.FOLDOC append To add something to the end of something else. To append text to a file means to add the text to the end of the file. The shell uses » to append a command's output to a file. applet A small program that runs within a larger program. Examples are Java applets that run in a browser and panel applets that run from a desktop panel. archive A file that contains a group of smaller, typically related, files. Also, to create such a file. 
The tar and cpio utilities can create and read archives. argument A number, letter, filename, or another string that gives some information to a command and is passed to the command when it is called. A command-line argument is anything on a command line following the command name that is passed to the command. An option is a kind of argument. arithmetic expression A group of numbers, operators, and parentheses that can be evaluated. When you evaluate an arithmetic expression, you end up with a number. The Bourne Again Shell uses the expr command to evaluate arithmetic expressions; the T C Shell uses @, and the Z Shell uses let. array An arrangement of elements (numbers or strings of characters) in one or more dimensions. The Bourne Again, TC, and Z Shells and awk/mawk/gawk can store and process arrays. ASCH American Standard Code for Information Interchange. A code that uses seven bits to represent both graphic (letters, numbers, and punctuation) and CONTROL characters. You can represent textual information, including program source code and English text, in ASCII code. Because ASCII is a standard, it is frequently used when exchanging information between computers. See the file /usr/pub/ascii or give the command man ascii to see a list of ASCII codes. Extensions of the ASCII character set use eight bits. The seven-bit set is common; the eight-bit extensions are still coming into popular use. The eighth bit is sometimes referred to as the metabit. ASCH terminal A textual terminal. Contrast with graphical ASP display (page 1150). Application service provider. A company that provides applications over the Internet. 1136 GLOSSARY asynchronous event An event that does not occur regularly or synchronously with another event. Linux system signals are asynchronous; they can occur at any time because they can be initiated by any number of nonregular events. attachment A file that is attached to, but is not part of, a piece of email. 
Attachments are frequently opened by programs (including your Internet browser) that are called by your mail program so you may not be aware that they are not an integral part of an email message. authentication The verification of the identity of a person or process. In a communication system, authentication verifies that a message comes from its stated source. Methods of authentication on a Linux system include the /etc/passwd and /etc/shadow files, LDAP, Kerberos 5, and SMB authentication.FOLDOC automatic mounting A way of demand mounting directories from remote hosts without having them hard configured into /etc/fstab. Also called automounting. avoided An object, such as a panel, that should not normally be covered by another object, such as a window back door A security hole deliberately left in place by the designers or maintainers of a system. The motivation for creating such holes is not always sinister; some operating systems, for example, come out of the box with privileged accounts intended for use by field service technicians or the vendor's maintenance programmers. Ken Thompson's 1 9 8 3 Turing Award lecture to the A C M revealed the existence, in early U N I X versions, of a back door that may be the most fiendishly clever security hack of all time. The C compiler contained code that would recognize when the login command was being recompiled and would insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him. Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler, so Thompson arranged that the compiler would recognize when it was compiling a version of itself. 
It would insert into the recompiled compiler the code to insert into the recompiled login the code to allow Thompson entry, and, of course, the code to recognize itself and do the whole thing again the next time around. Having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources. Sometimes called a wormhole. Also trap background process door.mLDOC A process that is not run in the foreground. Also called a detached process, a background process is initiated by a command line that ends with an ampersand (8c). You do not have to wait for a background process to run to completion before giving the shell additional commands. If you have job control, you can move background processes to the foreground, and vice versa. GLOSSARY 1137 basename The name of a file that, in contrast with a pathname, does not mention any of the directories containing the file (and therefore does not contain any slashes [/]). For example, hosts is the basename of /etc/hosts.FOLDOC baud The maximum information-carrying capacity of a communication channel in symbols (state transitions or level transitions) per second. It coincides with bits per second only for two-level modulation with no framing or stop bits. A symbol is a unique state of the communication channel, distinguishable by the receiver from all other possible states. For example, it may be one of two voltage levels on a wire for a direct digital connection, or it might be the phase or frequency of a carrier.FOLDOC Baud is often mistakenly used as a synonym for bits per second. baud rate Transmission speed. Usually used to measure terminal or modem speed. Common baud rates range from 110 to 3 8 , 4 0 0 baud. See baud. Berkeley UNIX One of the two major versions of the U N I X operating system. 
Berkeley U N I X was developed at the University of California at Berkeley by the Computer Systems Research Group and is often referred to as BSD (Berkeley Software Distribution). BIND Berkeley Internet Name Domain. An implementation of a DNS (page 1145) server developed and distributed by the University of California at Berkeley. BIOS Basic Input/Output System. On PCs, EEPROM-based (page 1147) system software that provides the lowest-level interface to peripheral devices and controls the first stage of the bootstrap (page 1138) process, which loads the operating system. The BIOS can be stored in different types of memory. The memory must be nonvolatile so that it remembers the system settings even when the system is turned off. Also BIOS R O M . Refer to page 28 for instructions on how to open the BIOS screens for maintenance. bit The smallest piece of information a computer can handle. A bit is a binary digit: either 1 or 0 (on or o f f ) . bit depth Same as color depth (page 1141). bit-mapped display A graphical display device in which each pixel on the screen is controlled by an underlying representation of zeros and ones. blank character Either a SPACE o r a TAB c h a r a c t e r , a l s o c a l l e d whitespace block A section of a disk or tape (usually 1,024 bytes long but shorter or longer on some systems) that is written at one time. block device A disk or tape drive. A block device stores information in blocks of characters. A block device is represented by a block device (block special) file. Contrast with character device (page 1140). block number Disk and tape blocks device. (page 1180). In s o m e c o n - t e x t s , NEWLINEs a r e c o n s i d e r e d b l a n k c h a r a c t e r s . are numbered so that Linux can keep track of the data on the 1138 GLOSSARY blocking factor The number of logical blocks that make up a physical block on a tape or disk. 
When you write 1K logical blocks to a tape with a physical block size of 30K, the blocking factor is 30.

Boolean  The type of an expression with two possible values: true and false. Also, a variable of Boolean type or a function with Boolean arguments or result. The most common Boolean functions are AND, OR, and NOT. FOLDOC

boot  See bootstrap.

boot loader  A very small program that takes its place in the bootstrap process that brings a computer from off or reset to a fully functional state. See "GRUB: The Linux Boot Loader" on page 583.

bootstrap  Derived from "Pull oneself up by one's own bootstraps," the incremental process of loading an operating system kernel into memory and starting it running without any outside assistance. Frequently shortened to boot.

Bourne Again Shell  bash. GNU's command interpreter for UNIX, bash is a POSIX-compliant shell with full Bourne Shell syntax and some C Shell commands built in. The Bourne Again Shell supports emacs-style command-line editing, job control, functions, and online help. FOLDOC

Bourne Shell  sh. This UNIX command processor was developed by Steve Bourne at AT&T Bell Laboratories.

brace  A left brace ({) and a right brace (}). Braces have special meanings to the shell.

bracket  A square bracket (page 1174) or an angle bracket (page 1134).

branch  In a tree structure, a branch connects nodes, leaves, and the root. The Linux filesystem hierarchy is often conceptualized as an upside-down tree. The branches connect files and directories. In a source code control system, such as SCCS or RCS, a branch occurs when a revision is made to a file and is not included in subsequent revisions to the file.

bridge  Typically a two-port device originally used for extending networks at layer 2 (data link) of the Internet Protocol model.

broadcast  A transmission to multiple, unspecified recipients. On Ethernet a broadcast packet is a special type of multicast packet that has a special address indicating that all devices that receive it should process it. Broadcast traffic exists at several layers of the network stack, including Ethernet and IP. Broadcast traffic has one source but indeterminate destinations (all hosts on the local network).

broadcast address  The last address on a subnet (usually 255), reserved as shorthand to mean all hosts.

broadcast network  A type of network, such as Ethernet, in which any system can transmit information at any time, and all systems receive every message.

BSD  See Berkeley UNIX on page 1137.

buffer  An area of memory that stores data until it can be used. When you write information to a file on a disk, Linux stores the information in a disk buffer until there is enough to write to the disk or until the disk is ready to receive the information.

bug  An unwanted and unintended program property, especially one that causes the program to malfunction. FOLDOC

builtin (command)  A command that is built into a shell. Each of the three major shells—the Bourne Again, TC, and Z Shells—has its own set of builtins. Refer to "Builtins" on page 261.

byte  A component in the machine data hierarchy, usually larger than a bit and smaller than a word; now most often eight bits and the smallest addressable unit of storage. A byte typically holds one character. FOLDOC

C programming language  A modern systems language that has high-level features for efficient, modular programming as well as lower-level features that make it suitable for use as a systems programming language. It is machine independent so that carefully written C programs can be easily transported to run on different machines. Most of the Linux operating system is written in C, and Linux provides an ideal environment for programming in C.

C Shell  csh. The C Shell command processor was developed by Bill Joy for BSD UNIX. It was named for the C programming language because its programming constructs are similar to those of C. See shell on page 1171.
cable modem  A type of modem that allows you to access the Internet by using your cable television connection.

cache  Holding recently accessed data, a small, fast memory designed to speed up subsequent access to the same data. Most often applied to processor-memory access but also used for a local copy of data accessible over a network, from a hard disk, and so on. FOLDOC

calling environment  A list of variables and their values that is made available to a called program. Refer to "Executing a Command" on page 330.

cascading stylesheet  See CSS on page 1143.

cascading windows  An arrangement of windows such that they overlap, generally with at least part of the title bar visible. Opposite of tiled windows (page 1177).

case sensitive  Able to distinguish between uppercase and lowercase characters. Unless you set the ignorecase parameter, vim performs case-sensitive searches. The grep utility performs case-sensitive searches unless you use the -i option.

catenate  To join sequentially, or end to end. The Linux cat utility catenates files: It displays them one after the other. Also concatenate.

chain loading  The technique used by a boot loader to load unsupported operating systems. Used for loading such operating systems as DOS or Windows, it works by loading another boot loader.

character-based  A program, utility, or interface that works only with ASCII (page 1135) characters. This set of characters includes some simple graphics, such as lines and corners, and can display colored characters. It cannot display true graphics. Contrast with GUI (page 1150).

character-based terminal  A terminal that displays only characters and very limited graphics. See character-based.

character class  In a regular expression, a group of characters that defines which characters can occupy a single character position. A character-class definition is usually surrounded by square brackets. The character class defined by [abcr] represents a character position that can be occupied by a, b, c, or r. Also list operator. In POSIX, used to refer to sets of characters with a common characteristic, denoted by the notation [:class:]; for example, [:upper:] denotes the set of uppercase letters. This book uses the term character class as explained under "Brackets" on page 1091.

character device  A terminal, printer, or modem. A character device stores or displays characters one at a time. A character device is represented by a character device (character special) file. Contrast with block device (page 1137).

check box  A GUI widget, usually the outline of a square box with an adjacent caption, that a user can click to display or remove a tick (page 1177). When the box holds a tick, the option described by the caption is on or true. Also tick box.

checksum  A computed value that depends on the contents of a block of data and is transmitted or stored along with the data to detect corruption of the data. The receiving system recomputes the checksum based on the received data and compares this value with the one sent with the data. If the two values are the same, the receiver has some confidence that the data was received correctly. The checksum may be 8, 16, or 32 bits, or some other size. It is computed by summing the bytes or words of the data block, ignoring overflow. The checksum may be negated so that the total of the data words plus the checksum is zero. Internet packets use a 32-bit checksum. FOLDOC

child process  A process that is created by another process, the parent process. Every process is a child process except for the first process, which is started when Linux begins execution. When you run a command from the shell, the shell spawns a child process to run the command. See process on page 1166.

CIDR  Classless Inter-Domain Routing. A scheme that allocates blocks of Internet addresses in a way that allows summarization into a smaller number of routing table entries. A CIDR block is a block of Internet addresses assigned to an ISP by the Internic.
Refer to "CIDR: Classless Inter-Domain Routing" on page 386. FOLDOC

CIFS  Common Internet File System. An Internet filesystem protocol based on SMB (page 1172). CIFS runs on top of TCP/IP, uses DNS, and is optimized to support slower dial-up Internet connections. SMB and CIFS are used interchangeably. FOLDOC

CIPE  Crypto IP Encapsulation (page 1147). This protocol (page 1166) tunnels (page 1178) IP packets within encrypted UDP (page 1178) packets, is lightweight and simple, and works over dynamic addresses, NAT (page 1161), and SOCKS (page 1173) proxies (page 1166).

cipher (cypher)  A cryptographic system that uses a key to transpose/substitute characters within a message, the key itself, or the message.

ciphertext  Text that is encrypted. Contrast with plaintext (page 1165). See also "Encryption" on page 1110.

Classless Inter-Domain Routing  See CIDR on page 1140.

cleartext  Text that is not encrypted. Also plaintext. Contrast with ciphertext. See also "Encryption" on page 1110.

CLI  Command-line interface. Also textual interface. See also character-based (page 1140).

client  A computer or program that requests one or more services from a server.

CODEC  Coder/decoder or compressor/decompressor. A hardware and/or software technology that codes and decodes data. MPEG is a popular CODEC for computer video.

color depth  The number of bits used to generate a pixel—usually 8, 16, 24, or 32. The color depth is directly related to the number of colors that can be generated. The number of colors that can be generated is 2 raised to the color-depth power. Thus a 24-bit video adapter can generate about 16.7 million colors.

color quality  See color depth.

combo box  A combination of a drop-down list (page 1146) and text box (page 1176). You can enter text in a combo box. Or, you can click a combo box, cause it to expand and display a static list of selections for you to choose from.

command  What you give the shell in response to a prompt. When you give the shell a command, it executes a utility, another program, a builtin command, or a shell script. Utilities are often referred to as commands. When you are using an interactive utility, such as vim or mail, you use commands that are appropriate to that utility.

command line  A line containing instructions and arguments that executes a command. This term usually refers to a line that you enter in response to a shell prompt on a character-based terminal or terminal emulator (page 125).

command substitution  Replacing a command with its output. The shells perform command substitution when you enclose a command between $( and ) or between a pair of back ticks (` `), also called grave accent marks.

component architecture  A notion in object-oriented programming where "components" of a program are completely generic. Instead of having a specialized set of methods and fields, they have generic methods through which the component can advertise the functionality it supports to the system into which it is loaded. This strategy enables completely dynamic loading of objects. JavaBeans is an example of a component architecture. FOLDOC

concatenate  See catenate on page 1139.

condition code  See exit status on page 1147.

connection-oriented protocol  A type of transport layer data communication service that allows a host to send data in a continuous stream to another host. The transport service guarantees that all data will be delivered to the other end in the same order as sent and without duplication. Communication proceeds through three well-defined phases: connection establishment, data transfer, and connection release. The most common example is TCP (page 1176). Also called connection-based protocol and stream-oriented protocol.
Contrast with connectionless protocol and datagram (page 1144). FOLDOC

connectionless protocol  The data communication method in which communication occurs between hosts with no previous setup. Packets sent between two hosts may take different routes. There is no guarantee that packets will arrive as transmitted or even that they will arrive at the destination at all. UDP (page 1178) is a connectionless protocol. Also called packet switching. Contrast with circuit switching and connection-oriented protocol. FOLDOC

console  The main system terminal, usually directly connected to the computer and the one that receives system error messages. Also system console and console terminal.

console terminal  See console.

control character  A character that is not a graphic character, such as a letter, number, or punctuation mark. Such characters are called control characters because they frequently act to control a peripheral device. RETURN and FORMFEED are control characters that control a terminal or printer. The word CONTROL is shown in this book in THIS FONT because it is a key that appears on most terminal keyboards. Control characters are represented by ASCII codes less than 32 (decimal). See also nonprinting character on page 1162.

control structure  A statement used to change the order of execution of commands in a shell script or other program. Each shell provides control structures (for example, if and while) as well as other commands that alter the order of execution (for example, exec). Also control flow commands.

cookie  Data stored on a client system by a server. The client system browser sends the cookie back to the server each time it accesses that server. For example, a catalog shopping service may store a cookie on your system when you place your first order. When you return to the site, it knows who you are and can supply your name and address for subsequent orders. You may consider cookies to be an invasion of privacy.

CPU  Central processing unit.
The part of a computer that controls all the other parts. The CPU includes the control unit and the arithmetic and logic unit (ALU). The control unit fetches instructions from memory and decodes them to produce signals that control the other parts of the computer. These signals can cause data to be transferred between memory and ALU or peripherals to perform input or output. A CPU that is housed on a single chip is called a microprocessor. Also processor and central processor.

cracker  An individual who attempts to gain unauthorized access to a computer system. These individuals are often malicious and have many means at their disposal for breaking into a system. Contrast with hacker (page 1150). FOLDOC

crash  The system suddenly and unexpectedly stops or fails. Derived from the action of the hard disk heads on the surface of the disk when the air gap between the two collapses.

cryptography  The practice and study of encryption and decryption—encoding data so that only a specific individual or machine can decode it. A system for encrypting and decrypting data is a cryptosystem. Such systems usually rely on an algorithm for combining the original data (plaintext) with one or more keys—numbers or strings of characters known only to the sender and/or recipient. The resulting output is called ciphertext (page 1141). The security of a cryptosystem usually depends on the secrecy of keys rather than on the supposed secrecy of an algorithm. Because a strong cryptosystem has a large range of keys, it is not possible to try all of them. Ciphertext appears random to standard statistical tests and resists known methods for breaking codes. FOLDOC

.cshrc file  In your home directory, a file that the TC Shell executes each time you invoke a new TC Shell. You can use this file to establish variables and aliases.

CSS  Cascading stylesheet. Describes how documents are presented on screen and in print.
Attaching a stylesheet to a structured document can affect the way it looks without adding new HTML (or other) tags and without giving up device independence. Also stylesheet.

current (process, line, character, directory, event, etc.)  The item that is immediately available, working, or being used. The current process is the program you are running, the current line or character is the one the cursor is on, and the current directory is the working directory.

cursor  A small lighted rectangle, underscore, or vertical bar that appears on a terminal screen and indicates where the next character will appear. Differs from the mouse pointer (page 1160).

daemon  A program that is not invoked explicitly but lies dormant, waiting for some condition(s) to occur. The perpetrator of the condition need not be aware that a daemon is lurking (although often a program will commit an action only because it knows that it will implicitly invoke a daemon). From the mythological meaning, later rationalized as the acronym Disk And Execution MONitor. See Table 10-4 on page 402 for a list of daemons. FOLDOC

data structure  A particular format for storing, organizing, working with, and retrieving data. Frequently, data structures are designed to work with specific algorithms that facilitate these tasks. Common data structures include trees, files, records, tables, arrays, etc.

datagram  A self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network. UDP (page 1178) uses datagrams; IP (page 1154) uses packets (page 1164). Packets are indivisible at the network layer; datagrams are not. FOLDOC See also frame (page 1149).

dataless  A computer, usually a workstation, that uses a local disk to boot a copy of the operating system and access system files but does not use a local disk to store user files.
dbm  A standard, simple database manager. Implemented as gdbm (GNU database manager), it uses hashes to speed searching. The most common versions of the dbm database are dbm, ndbm, and gdbm.

DDoS attack  Distributed denial of service attack. A DoS attack (page 1146) from many systems that do not belong to the perpetrator of the attack.

debug  To correct a program by removing its bugs (that is, errors).

default  Something that is selected without being explicitly specified. For example, when used without an argument, ls displays a list of the files in the working directory by default.

delta  A set of changes made to a file that has been encoded by the Source Code Control System (SCCS).

denial of service  See DoS attack on page 1146.

dereference  When speaking of symbolic links, follow the link rather than working with the reference to the link. For example, the -L or --dereference option causes ls to list the entry that a symbolic link points to rather than the symbolic link (the reference) itself.

desktop  A collection of windows, toolbars, icons, and buttons, some or all of which appear on your display. A desktop comprises one or more workspaces (page 1181). Refer to "A Tour of the Ubuntu Desktop" on page 99.

desktop manager  An icon- and menu-based user interface to system services that allows you to run applications and use the filesystem without using the system's command-line interface.

detached process  See background process on page 1136.

device  A disk drive, printer, terminal, plotter, or other input/output unit that can be attached to the computer. Short for peripheral device.

device driver  Part of the Linux kernel that controls a device, such as a terminal, disk drive, or printer.

device file  A file that represents a device. Also special file.

device filename  The pathname of a device file. All Linux systems have two kinds of device files: block and character device files. Linux also has FIFOs (named pipes) and sockets. Device files are traditionally located in the /dev directory.

device number  See major device number (page 1158) and minor device number (page 1160).

DHCP  Dynamic Host Configuration Protocol. A protocol that dynamically allocates IP addresses to computers on a LAN. Refer to "DHCP: Configures Network Interfaces" on page 470. FOLDOC

dialog box  In a GUI, a special window, usually without a titlebar, that displays information. Some dialog boxes accept a response from the user.

directory  Short for directory file. A file that contains a list of other files.

directory hierarchy  A directory, called the root of the directory hierarchy, and all the directory and ordinary files below it (its children).

directory service  A structured repository of information on people and resources within an organization, facilitating management and communication. FOLDOC

disk partition  See partition on page 1164.

diskless  A computer, usually a workstation, that has no disk and must contact another computer (a server) to boot a copy of the operating system and access the necessary system files.

distributed computing  A style of computing in which tasks or services are performed by a network of cooperating systems, some of which may be specialized.

DMZ  Demilitarized zone. A host or small network that is a neutral zone between a LAN and the Internet. It can serve Web pages and other data to the Internet and allow local systems access to the Internet while preventing LAN access to unauthorized Internet users. Even if a DMZ is compromised, it holds no data that is private and none that cannot be easily reproduced.

DNS  Domain Name Service. A distributed service that manages the correspondence of full hostnames (those that include a domain name) to IP addresses and other system characteristics.

DNS domain name  See domain name on page 1146.

document object model  See DOM.

DOM  Document Object Model.
A platform-/language-independent interface that enables a program to update the content, structure, and style of a document dynamically. The changes can then be made part of the displayed document. Go to www.w3.org/DOM for more information.

domain name  A name associated with an organization, or part of an organization, to help identify systems uniquely. Technically, the part of the FQDN (page 1149) to the right of the leftmost period. Domain names are assigned hierarchically. The domain berkeley.edu refers to the University of California at Berkeley, for example; it is part of the top-level edu (education) domain. Also DNS domain name. Different than NIS domain name (page 1162).

Domain Name Service  See DNS.

door  An evolving filesystem-based RPC (page 1170) mechanism.

DoS attack  Denial of service attack. An attack that attempts to make the target host or network unusable by flooding it with spurious traffic.

DPMS  Display Power Management Signaling. A standard that can extend the life of CRT monitors and conserve energy. DPMS supports four modes for a monitor: Normal, Standby (power supply on, monitor ready to come to display images almost instantly), Suspend (power supply off, monitor takes up to ten seconds to display an image), and Off.

drag  The motion part of drag-and-drop.

drag-and-drop  To move an object from one position or application to another within a GUI. To drag an object, the user clicks a mouse button (typically the left one) while the mouse pointer hovers (page 1152) over the object. Then, without releasing the mouse button, the user drags the object, which stays attached to the mouse pointer, to a different location. The user can then drop the object at the new location by releasing the mouse button.

drop-down list  A widget (page 1180) that displays a static list for a user to choose from. When the list is not active, it appears as text in a box, displaying the single selected entry.
When a user clicks the box, a list appears; the user can move the mouse cursor to select an entry from the list. Different from a list box (page 1157).

druid  In role-playing games, a character that represents a magical user. Red Hat uses the term druid at the ends of names of programs that guide you through a task-driven chain of steps. Other operating systems call these types of programs wizards.

DSA  Digital Signature Algorithm. A public key cipher used to generate digital signatures.

DSL  Digital Subscriber Line/Loop. Provides high-speed digital communication over a specialized, conditioned telephone line. See also xDSL (page 1182).

Dynamic Host Configuration Protocol  See DHCP on page 1145.

editor  A utility, such as vim or emacs, that creates and modifies text files.

EEPROM  Electrically erasable, programmable, readonly memory. A PROM (page 1166) that can be written to.

effective user ID  The user ID that a process appears to have; usually the same as the user ID. For example, while you are running a setuid program, the effective user ID of the process running the program is that of the owner of the program.

element  One thing; usually a basic part of a group of things. An element of a numeric array is one of the numbers stored in the array.

emoticon  See smiley on page 1172.

encapsulation  See tunneling on page 1178.

environment  See calling environment on page 1139.

EOF  End of file.

EPROM  Erasable programmable readonly memory. A PROM (page 1166) that can be written to by applying a higher than normal voltage.

escape  See quote on page 1167.

Ethernet  A type of LAN (page 1156) capable of transfer rates as high as 1,000 megabits per second. Refer to "Ethernet" on page 375.

event  An occurrence, or happening, of significance to a task or program—for example, the completion of an asynchronous input/output operation, such as a keypress or mouse click. FOLDOC

exabyte  2^60 bytes or about 10^18 bytes. See also large number (page 1156).

exit status  The status returned by a process; either successful (usually 0) or unsuccessful (usually 1).

exploit  A security hole or an instance of taking advantage of a security hole. FOLDOC

expression  See logical expression (page 1158) and arithmetic expression (page 1135).

extranet  A network extension for a subset of users (such as students at a particular school or engineers working for the same company). An extranet limits access to private information even though it travels on the public Internet.

failsafe session  A session that allows you to log in on a minimal desktop in case your standard login does not work well enough to allow you to log in to fix a login problem.

FDDI  Fiber Distributed Data Interface. A type of LAN (page 1156) designed to transport data at the rate of 100 million bits per second over fiberoptic cable.

file  A collection of related information referred to with a filename and frequently stored on a disk. Text files typically contain memos, reports, messages, program source code, lists, or manuscripts. Binary or executable files contain utilities or programs that you can run. Refer to "Directory Files and Ordinary Files" on page 200.

filename  The name of a file. A filename refers to a file.

filename completion  Automatic completion of a filename after you specify a unique prefix.

filename extension  The part of a filename following a period.

filename generation  What occurs when the shell expands ambiguous file references. See ambiguous file reference on page 1134.

filesystem  A data structure (page 1144) that usually resides on part of a disk. All Linux systems have a root filesystem, and many have other filesystems. Each filesystem is composed of some number of blocks, depending on the size of the disk partition that has been assigned to the filesystem. Each filesystem has a control block, named the superblock, that contains information about the filesystem.
The other blocks in a filesystem are inodes, which contain control information about individual files, and data blocks, which contain the information in the files.

filling  A variant of maximizing in which window edges are pushed out as far as they can go without overlapping another window.

filter  A command that can take its input from standard input and send its output to standard output. A filter transforms the input stream of data and sends it to standard output. A pipe usually connects a filter's input to standard output of one command, and a second pipe connects the filter's output to standard input of another command. The grep and sort utilities are commonly used as filters.

firewall  A device for policy-based traffic management used to keep a network secure. A firewall can be implemented in a single router that filters out unwanted packets, or it can rely on a combination of routers, proxy servers, and other devices. Firewalls are widely used to give users access to the Internet in a secure fashion and to separate a company's public WWW server from its internal network. They are also employed to keep internal network segments more secure. Recently the term has come to be defined more loosely to include a simple packet filter running on an endpoint machine. See also proxy server on page 1167.

firmware  Software built into a computer, often in ROM (page 1169). May be used as part of the bootstrap (page 1138) procedure.

focus, desktop  On a desktop, the window that is active. The window with the desktop focus receives the characters you type on the keyboard. Same as active window (page 1134).

footer  The part of a format that goes at the bottom (or foot) of a page. Contrast with header (page 1151).

foreground process  When you run a command in the foreground, the shell waits for the command to finish before giving you another prompt. You must wait for a foreground process to run to completion before you can give the shell another command.
If you have job control, you can move background processes to the foreground, and vice versa. See job control on page 1155. Contrast with background process (page 1136).

fork  To create a process. When one process creates another process, it forks a process. Also spawn.

FQDN  Fully qualified domain name. The full name of a system, consisting of its hostname and its domain name, including the top-level domain. Technically the name that gethostbyname(2) returns for the host named by gethostname(2). For example, speedy is a hostname and speedy.example.com is an FQDN. An FQDN is sufficient to determine a unique Internet address for a machine on the Internet. FOLDOC

frame  A data link layer packet that contains, in addition to data, the header and trailer information required by the physical medium. Network layer packets are encapsulated to become frames. FOLDOC See also datagram (page 1144) and packet (page 1164).

free list  In a filesystem, the list of blocks that are available for use. Information about the free list is kept in the superblock of the filesystem.

free software  Refer to Appendix D, "The Free Software Definition."

free space  The portion of a hard disk that is not within a partition. A new hard disk has no partitions and contains all free space.

full duplex  The ability to receive and transmit data simultaneously. A network switch (page 1162) is typically a full-duplex device. Contrast with half-duplex (page 1150).

fully qualified domain name  See FQDN.

function  See shell function on page 1171.

gateway  A generic term for a computer or a special device connected to more than one dissimilar type of network to pass data between them. Unlike a router, a gateway often must convert the information into a different format before passing it on. The historical usage of gateway to designate a router is deprecated.

GCOS  See GECOS.

GECOS  General Electric Comprehensive Operating System. For historical reasons, the user information field in the /etc/passwd file is called the GECOS field. Also GCOS.

gibibyte  Giga binary byte. A unit of storage equal to 2^30 bytes = 1,073,741,824 bytes = 1024 mebibytes (page 1159). Abbreviated as GiB. Contrast with gigabyte.

gigabyte  A unit of storage equal to 10^9 bytes. Sometimes used in place of gibibyte. Abbreviated as GB. See also large number on page 1156.

glyph  A symbol that communicates a specific piece of information nonverbally. A smiley (page 1172) is a glyph.

GMT  Greenwich Mean Time. See UTC on page 1179.

graphical display  A bitmapped monitor that can display graphical images. Contrast with ASCII terminal (page 1135).

graphical user interface  See GUI.

group (of users)  A collection of users. Groups are used as a basis for determining file access permissions. If you are not the owner of a file and you belong to the group the file is assigned to, you are subject to the group access permissions for the file. A user can simultaneously belong to several groups.

group (of windows)  A way to identify similar windows so they can be displayed and acted on similarly. Typically windows started by a given application belong to the same group.

group ID  A unique number that identifies a set of users. It is stored in the password and group databases (/etc/passwd and /etc/group files or their NIS equivalents). The group database associates group IDs with group names. Also GID.

GUI  Graphical user interface. A GUI provides a way to interact with a computer system by choosing items from menus or manipulating pictures drawn on a display screen instead of by typing command lines. Under Linux, the X Window System provides a graphical display and mouse/keyboard input. GNOME and KDE are two popular desktop managers that run under X. Contrast with character-based (page 1140).
hacker  A person who enjoys exploring the details of programmable systems and learning how to stretch their capabilities, as opposed to users, who prefer to learn only the minimum necessary. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. FOLDOC Contrast with cracker (page 1143).

half-duplex  A half-duplex device can only receive or transmit at a given moment; it cannot do both. A hub (page 1152) is typically a half-duplex device. Contrast with full duplex (page 1149).

hard link  A directory entry that contains the filename and inode number for a file. The inode number identifies the location of control information for the file on the disk, which in turn identifies the location of the file's contents on the disk. Every file has at least one hard link, which locates the file in a directory. When you remove the last hard link to a file, you can no longer access the file. See link (page 1157) and symbolic link (page 1176).

hash  A string that is generated from another string. See one-way hash function on page 1163. When used for security, a hash can prove, almost to a certainty, that a message has not been tampered with during transmission: The sender generates a hash of a message, encrypts the message and hash, and sends the encrypted message and hash to the recipient. The recipient decrypts the message and hash, generates a second hash from the message, and compares the hash that the sender generated to the new hash. When they are the same, the message has probably not been tampered with. Hashed versions of passwords can be used to authenticate users. A hash can also be used to create an index called a hash table. Also hash value.

hash table  An index created from hashes of the items to be indexed. The hash function makes it highly unlikely that two items will create the same hash. To look up an item in the index, create a hash of the item and search for the hash.
Because the hash is typically shorter than the item, the search is more efficient. header When you are formatting a document, the header goes at the top, or head, of a page. In electronic mail the header identifies who sent the message, when it was sent, what the subject of the message is, and so forth. Here A shell script that takes its input from the file that contains the script. document hesiod The nameserver of project Athena. Hesiod is a name service library that is derived from BIND (page 1137) and leverages a DNS infrastructure. heterogeneous Consisting of different parts. A heterogeneous network includes systems produced by different manufacturers and/or running different operating systems. hexadecimal number A base 16 number. Hexadecimal (or hex) numbers are composed of the hexadecimal digits 0 - 9 and A-F. See Table G - l , next page. hidden filename A filename that starts with a period. These filenames are called hidden because the Is utility does not normally list them. Use the - a option of Is to list all files, including those with hidden filenames. The shell does not expand a leading asterisk ( * ) in an ambiguous file reference to match files with hidden filenames. Also hidden file, invisible file. hierarchy An organization with a few things, or thing—one at the top—and with several things below each other thing. An inverted tree structure. Examples in computing include a file tree where each directory may contain files or other directories, a hierarchical network, and a class hierarchy in object-oriented programming.FOLDOC Refer to " T h e Hierarchical Filesystem" on page 2 0 0 . 
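The integrity check described in the hash entry (sender hashes the message, recipient rehashes and compares) and the index lookup described in the hash table entry, as an added worked example in Python; this is not code from the book. SHA-256 is assumed as the one-way hash function, the message, key and item list are constructed sample data, and the encryption of message and hash in transit that the hash entry describes is left out; in its place the example shows a keyed variant (HMAC-SHA256), because a bare hash that travels unprotected can be recomputed by whoever altered the message, so on its own it only catches accidental corruption.

```python
"""Message-integrity check and hash-table lookup (added example, not from the book)."""
from __future__ import annotations

import hashlib
import hmac


def digest(message: bytes) -> str:
    """One-way hash of a message, hex encoded.

    Assumption: SHA-256 stands in for whatever hash function sender and
    recipient have agreed on.
    """
    return hashlib.sha256(message).hexdigest()


def sender_package(message: bytes) -> tuple[bytes, str]:
    """Sender side: generate a hash of the message and send both.

    The glossary's scheme then encrypts message and hash for transit; that
    step is omitted here.
    """
    return message, digest(message)


def recipient_verify(message: bytes, received_hash: str) -> bool:
    """Recipient side: generate a second hash and compare it with the one sent.

    compare_digest runs in constant time, so the comparison itself leaks
    nothing about how many leading characters matched.
    """
    return hmac.compare_digest(digest(message), received_hash)


def keyed_tag(key: bytes, message: bytes) -> str:
    """Keyed variant (HMAC-SHA256): without the encryption step, only a holder
    of the key can produce a tag that verifies, so a forged message cannot
    simply carry a freshly computed hash."""
    return hmac.new(key, message, "sha256").hexdigest()


def verify_keyed_tag(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def build_hash_index(items: list[bytes]) -> dict[str, bytes]:
    """Hash table: index each item under its hash, as the entry describes."""
    return {digest(item): item for item in items}


def lookup(index: dict[str, bytes], item: bytes) -> bytes | None:
    """Look an item up by hashing it and searching for the hash."""
    return index.get(digest(item))


def demo() -> tuple[bool, bool]:
    """Returns (intact message verifies, tampered message verifies)."""
    # Constructed sample message; the "attacker" edits it in transit.
    message, sent_hash = sender_package(b"transfer 100 to account 42")
    intact_ok = recipient_verify(message, sent_hash)
    tampered = message.replace(b"100", b"900")
    tampered_ok = recipient_verify(tampered, sent_hash)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The lookup shows why a hash table is fast: the index is keyed by a fixed-length digest rather than by the item itself, so a search costs one hash computation and one dictionary probe regardless of item size.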
Table G-1  Decimal, octal, and hexadecimal numbers

Decimal  Octal  Hex       Decimal  Octal  Hex
      1      1    1            17     21   11
      2      2    2            18     22   12
      3      3    3            19     23   13
      4      4    4            20     24   14
      5      5    5            21     25   15
      6      6    6            31     37   1F
      7      7    7            32     40   20
      8     10    8            33     41   21
      9     11    9            64    100   40
     10     12    A            96    140   60
     11     13    B           100    144   64
     12     14    C           128    200   80
     13     15    D           254    376   FE
     14     16    E           255    377   FF
     15     17    F           256    400  100
     16     20   10           257    401  101

history  A shell mechanism that enables you to modify and reexecute recent commands.
home directory  The directory that is the working directory when you first log in. The pathname of this directory is stored in the HOME shell variable.
hover  To leave the mouse pointer stationary for a moment over an object. In many cases hovering displays a tooltip (page 1177).
HTML  Hypertext Markup Language. A hypertext document format used on the World Wide Web. Tags, which are embedded in the text, consist of a less than sign (<), a directive, zero or more parameters, and a greater than sign (>). Matched pairs of directives, such as and , delimit text that is to appear in a special place or style. (FOLDOC) For more information on HTML, go to www.htmlhelp.com/faq/html/all.html.
HTTP  Hypertext Transfer Protocol. The client/server TCP/IP protocol used on the World Wide Web for the exchange of HTML documents.
hub  A multiport repeater. A hub rebroadcasts all packets it receives on all ports. This term is frequently used to refer to small hubs and switches, regardless of the device's intelligence. It is a generic term for a layer 2 shared-media networking device. Today the term hub is sometimes used to refer to small intelligent devices, although that was not its original meaning. Contrast with network switch (page 1162).
hypertext  A collection of documents/nodes containing (usually highlighted or underlined) cross-references or links, which, with the aid of an interactive browser program, allow the reader to move easily from one document to another. (FOLDOC)
Hypertext Markup Language  See HTML.
Hypertext Transfer Protocol  See HTTP.
i/o device  Input/output device. See device on page 1145.
IANA  Internet Assigned Numbers Authority. A group that maintains a database of all permanent, registered system services (www.iana.org).
ICMP  Internet Control Message Protocol. A type of network packet that carries only messages, no data.
icon  In a GUI, a small picture representing a file, directory, action, program, and so on. When you click an icon, an action, such as opening a window and starting a program or displaying a directory or Web site, takes place. From miniature religious statues. (FOLDOC)
iconify  To change a window into an icon. Contrast with restore (page 1169).
ignored window  A state in which a window has no decoration and therefore no buttons or titlebar to control it with.
indentation  See indention.
indention  The blank space between the margin and the beginning of a line that is set in from the margin.
inode  A data structure (page 1144) that contains information about a file. An inode for a file contains the file's length, the times the file was last accessed and modified, the time the inode was last modified, owner and group IDs, access privileges, number of links, and pointers to the data blocks that contain the file itself. Each directory entry associates a filename with an inode. Although a single file may have several filenames (one for each link), it has only one inode.
input  Information that is fed to a program from a terminal or other file. See standard input on page 1174.
installation  A computer at a specific location. Some aspects of the Linux system are installation dependent. Also site.
interactive  A program that allows ongoing dialog with the user. When you give commands in response to shell prompts, you are using the shell interactively. Also, when you give commands to utilities, such as vim and mail, you are using the utilities interactively.
interface  The meeting point of two subsystems.
When two programs work together, their interface includes every aspect of either program that the other deals with. The user interface (page 1179) of a program includes every program aspect the user comes into contact with: the syntax and semantics involved in invoking the program, the input and output of the program, and its error and informational messages. The shell and each of the utilities and built-in commands have a user interface.
International Organization for Standardization  See ISO on page 1155.
internet  A large network that encompasses other, smaller networks.
Internet  The largest internet in the world. The Internet (uppercase "I") is a multilevel hierarchy composed of backbone networks (ARPANET, NSFNET, MILNET, and others), midlevel networks, and stub networks. These include commercial (.com or .co), university (.ac or .edu), research (.org or .net), and military (.mil) networks and span many different physical networks around the world with various protocols, including the Internet Protocol (IP). Outside the United States, country code domains are popular (.us, .es, .mx, .de, and so forth), although you will see them used within the United States as well.
Internet Protocol  See IP.
Internet service provider  See ISP.
intranet  An inhouse network designed to serve a group of people such as a corporation or school. The general public on the Internet does not have access to the intranet. See page 372.
invisible file  See hidden filename on page 1151.
IP  Internet Protocol. The network layer for TCP/IP. IP is a best-effort, packet-switching, connectionless protocol (page 1142) that provides packet routing, fragmentation, and reassembly through the data link layer. IPv4 is slowly giving way to IPv6. (FOLDOC)
IP address  Internet Protocol address. A four-part address associated with a particular network connection for a system using the Internet Protocol (IP). A system that is attached to multiple networks that use the IP will have a different IP address for each network interface.
IP multicast  See multicast on page 1161.
IP spoofing  A technique used to gain unauthorized access to a computer. The would-be intruder sends messages to the target machine. These messages contain an IP address indicating that the messages are coming from a trusted host (page 391). The target machine responds to the messages, giving the intruder (privileged) access to the target.
IPC  Interprocess communication. A method to communicate specific information between programs.
IPv4  IP version 4. See IP and IPv6.
IPv6  IP version 6. The next generation of Internet Protocol, which provides a much larger address space (2^128 bits versus 2^32 bits for IPv4) that is designed to accommodate the rapidly growing number of Internet addressable devices. IPv6 also has built-in autoconfiguration, enhanced security, better multicast support, and many other features.
iSCSI  Internet Small Computer System Interface. A network storage protocol that encapsulates SCSI data into TCP packets. You can use this protocol to connect a system to a storage array using an Ethernet connection.
ISDN  Integrated Services Digital Network. A set of communications standards that allows a single pair of digital or standard telephone wires to carry voice, data, and video at a rate of 64 kilobits per second.
ISO  International Organization for Standardization. A voluntary, nontreaty organization founded in 1946. It is responsible for creating international standards in many areas, including computers and communications. Its members are the national standards organizations of 89 countries, including the American National Standards Institute. (FOLDOC)
ISO9660  The ISO standard defining a filesystem for CD-ROMs.
ISP  Internet service provider. Provides Internet access to its customers.
job control  A facility that enables you to move commands from the foreground to the background and vice versa. Job control enables you to stop commands temporarily.
journaling filesystem  A filesystem that maintains a noncached log file, or journal, which records all transactions involving the filesystem. When a transaction is complete, it is marked as complete in the log file. The log file results in greatly reduced time spent recovering a filesystem after a crash, making it particularly valuable in systems where high availability is an issue.
JPEG  Joint Photographic Experts Group. This committee designed the standard image-compression algorithm. JPEG is intended for compressing either full-color or gray-scale digital images of natural, real-world scenes and does not work as well on nonrealistic images, such as cartoons or line drawings. Filename extensions: .jpg, .jpeg. (FOLDOC)
justify  To expand a line of type in the process of formatting text. A justified line has even margins. A line is justified by increasing the space between words and sometimes between letters on the line.
Kerberos  An MIT-developed security system that authenticates users and machines. It does not provide authorization to services or databases; it establishes identity at logon, which is used throughout the session. Once you are authenticated, you can open as many terminals, windows, services, or other network accesses as you like until your session expires.
kernel  The part of the operating system that allocates machine resources, including memory, disk space, and CPU (page 1143) cycles, to all other programs that run on a computer. The kernel includes the low-level hardware interfaces (drivers) and manages processes (page 1166), the means by which Linux executes programs. The kernel is the part of the Linux system that Linus Torvalds originally wrote (see the beginning of Chapter 1).
kernelspace  The part of memory (RAM) where the kernel resides.
Code running in kernelspace has full access to hardware and all other processes in memory. See the KernelAnalysis-HOWTO.
key binding  A keyboard key is said to be bound to the action that results from pressing it. Typically keys are bound to the letters that appear on the keycaps: When you press A, an A appears on the screen. Key binding usually refers to what happens when you press a combination of keys, one of which is CONTROL, ALT, META, or SHIFT, or when you press a series of keys, the first of which is typically ESCAPE.
keyboard  A hardware input device consisting of a number of mechanical buttons (keys) that the user presses to input characters to a computer. By default a keyboard is connected to standard input of a shell. (FOLDOC)
kilo-  In the binary system, the prefix kilo- multiplies by 2^10 (i.e., 1,024). Kilobit and kilobyte are common uses of this prefix. Abbreviated as k.
Korn Shell  ksh. A command processor, developed by David Korn at AT&T Bell Laboratories, that is compatible with the Bourne Shell but includes many extensions. See also shell on page 1171.
LAN  Local area network. A network that connects computers within a localized area (such as a single site, building, or department).
large number  Visit mathworld.wolfram.com/LargeNumber.html for a comprehensive list.
LDAP  Lightweight Directory Access Protocol. A simple protocol for accessing online directory services. LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP). It can be used to access information about people, system users, network devices, email directories, and systems. In some cases, it can be used as an alternative for services such as NIS. Given a name, many mail clients can use LDAP to discover the corresponding email address. See directory service on page 1145.
leaf  In a tree structure, the end of a branch that cannot support other branches. When the Linux filesystem hierarchy is conceptualized as a tree, files that are not directories are leaves.
See node on page 1162.
least privilege, concept of  Mistakes made by a user working with root privileges can be much more devastating than those made by an ordinary user. When you are working on the computer, especially when you are working as the system administrator, always perform any task using the least privilege possible. If you can perform a task logged in as an ordinary user, do so. If you must work with root privileges, do as much as you can as an ordinary user, log in as root or give an su or sudo command so you are working with root privileges, do as much of the task that has to be done with root privileges, and revert to being an ordinary user as soon as you can. Because you are more likely to make a mistake when you are rushing, this concept becomes more important when you have less time to apply it.
Lightweight Directory Access Protocol  See LDAP.
link  A pointer to a file. Two kinds of links exist: hard links (page 1151) and symbolic links (page 1176), also called soft links. A hard link associates a filename with a place on the disk where the contents of the file is located. A symbolic link associates a filename with the pathname of a hard link to a file.
Linux-PAM  See PAM on page 1164.
Linux-Pluggable Authentication Modules  See PAM on page 1164.
list box  A widget (page 1180) that displays a static list for a user to choose from. The list appears as multiple lines with a scrollbar (page 1171) if needed. The user can scroll the list and select an entry. Different from a drop-down list (page 1146).
loadable kernel module  See loadable module.
loadable module  A portion of the operating system that controls a special device and that can be loaded automatically into a running kernel as needed to access that device. See "Using Loadable Kernel Modules" on page 580.
local area network  See LAN on page 1156.
locale  The language; date, time, and currency formats; character sets; and so forth that pertain to a geopolitical place or area. For example, en_US specifies English as spoken in the United States and dollars; en_UK specifies English as spoken in the United Kingdom and pounds. See the locale man page in section 5 of the system manual for more information. Also the locale utility.
log in  To gain access to a computer system by responding correctly to the login: and Password: prompts. Also log on, login.
log out  To end your session by exiting from your login shell. Also log off.
logical expression  A collection of strings separated by logical operators (>, >=, =, !=, <=, and <) that can be evaluated as true or false. Also Boolean (page 1138) expression.
.login file  A file in a user's home directory that the TC Shell executes when you log in. You can use this file to set environment variables and to run commands that you want executed at the beginning of each session.
login name  See username on page 1179.
login shell  The shell that you are using when you log in. The login shell can fork other processes that can run other shells, utilities, and programs.
.logout file  A file in a user's home directory that the TC Shell executes when you log out, assuming that the TC Shell is your login shell. You can put in the .logout file commands that you want run each time you log out.
MAC address  Media Access Control address. The unique hardware address of a device connected to a shared network medium. Each network adapter has a globally unique MAC address that it stores in ROM. MAC addresses are 6 bytes long, enabling 256^6 (about 300 trillion) possible addresses or 65,536 addresses for each possible IPv4 address. A MAC address performs the same role for Ethernet that an IP address performs for TCP/IP: It provides a unique way to identify a host.
machine collating sequence  The sequence in which the computer orders characters. The machine collating sequence affects the outcome of sorts and other procedures that put lists in alphabetical order.
Many computers use ASCII codes so their machine collating sequences correspond to the ordering of the ASCII codes for characters.
macro  A single instruction that a program replaces by several (usually more complex) instructions. The C compiler recognizes macros, which are defined using a #define instruction to the preprocessor.
magic number  A magic number, which occurs in the first 512 bytes of a binary file, is a 1-, 2-, or 4-byte numeric value or character string that uniquely identifies the type of file (much like a DOS 3-character filename extension). See /usr/share/magic and the magic man page for more information.
main memory  Random access memory (RAM), an integral part of the computer. Although disk storage is sometimes referred to as memory, it is never referred to as main memory.
major device number  A number assigned to a class of devices, such as terminals, printers, or disk drives. Using the ls utility with the -l option to list the contents of the /dev directory displays the major and minor device numbers of many devices (as major, minor).
MAN  Metropolitan area network. A network that connects computers and LANs (page 1156) at multiple sites in a small regional area, such as a city.
masquerade  To appear to come from one domain or IP address when actually coming from another. Said of a packet (iptables) or message (exim4). See also NAT on page 1161.
MD5  Message Digest 5. A one-way hash function (page 1163). The SHA1 (page 1171) algorithm has supplanted MD5 in many applications.
MDA  Mail delivery agent. One of the three components of a mail system; the other two are the MTA (page 1160) and MUA (page 1160). An MDA accepts inbound mail from an MTA and delivers it to a local user.
mebibyte  Mega binary byte. A unit of storage equal to 2^20 bytes = 1,048,576 bytes = 1,024 kibibytes. Abbreviated as MiB. Contrast with megabyte.
megabyte  A unit of storage equal to 10^6 bytes. Sometimes used in place of mebibyte. Abbreviated as MB.
memory  See RAM on page 1167.
menu  A list from which the user may select an operation to be performed. This selection is often made with a mouse or other pointing device under a GUI but may also be controlled from the keyboard. Very convenient for beginners, menus show which commands are available and facilitate experimenting with a new program, often reducing the need for user documentation. Experienced users usually prefer keyboard commands, especially for frequently used operations, because they are faster to use. (FOLDOC)
merge  To combine two ordered lists so that the resulting list is still in order. The sort utility can merge files.
META key  On the keyboard, a key that is labeled META or ALT. Use this key as you would the SHIFT key. While holding it down, press another key. The emacs editor makes extensive use of the META key.
metacharacter  A character that has a special meaning to the shell or another program in a particular context. Metacharacters are used in the ambiguous file references recognized by the shell and in the regular expressions recognized by several utilities. You must quote a metacharacter if you want to use it without invoking its special meaning. See regular character (page 1168) and special character (page 1173).
metadata  Data about data. In data processing, metadata is definitional data that provides information about, or documentation of, other data managed within an application or environment. For example, metadata can document data about data elements or attributes (name, size, data type, and so on), records or data structures (page 1144) (length, fields, columns, and so on), and data itself (where it is located, how it is associated, who owns it, and so on). Metadata can include descriptive information about the context, quality and condition, or characteristics of the data. (FOLDOC)
metropolitan area network  See MAN on page 1159.
MIME  Multipurpose Internet Mail Extension.
Originally used to describe how specific types of files that were attached to email were to be handled. Today MIME types describe how a file is to be opened or worked with, based on its contents, determined by its magic number (page 1158), and filename extension. An example of a MIME type is image/jpeg: The MIME group is image and the MIME subtype is jpeg. Many MIME groups exist, including application, audio, image, inode, message, text, and video.
minimize  See iconify on page 1153.
minor device number  A number assigned to a specific device within a class of devices. See major device number on page 1158.
modem  Modulator/demodulator. A peripheral device that modulates digital data into analog data for transmission over a voice-grade telephone line. Another modem demodulates the data at the other end.
module  See loadable module on page 1157.
mount  To make a filesystem accessible to system users. When a filesystem is not mounted, you cannot read from or write to files it contains.
mount point  A directory that you mount a local or remote filesystem on. See page 35.
mouse  A device you use to point to a particular location on a display screen, typically so you can choose a menu item, draw a line, or highlight some text. You control a pointer on the screen by sliding a mouse around on a flat surface; the position of the pointer moves relative to the movement of the mouse. You select items by pressing one or more buttons on the mouse.
mouse pointer  In a GUI, a marker that moves in correspondence with the mouse. It is usually a small black x with a white border or an arrow. Differs from the cursor (page 1143).
mouseover  The action of passing the mouse pointer over an object on the screen.
MTA  Mail transfer agent. One of the three components of a mail system; the other two are the MDA and MUA. An MTA accepts mail from users and MTAs.
MUA  Mail user agent. One of the three components of a mail system; the other two are the MDA (page 1159) and MTA. An MUA is an end-user mail program such as KMail, mutt, or Outlook.
multiboot specification  Specifies an interface between a boot loader and an operating system. With compliant boot loaders and operating systems, any boot loader should be able to load any operating system. The object of this specification is to ensure that different operating systems will work on a single machine. For more information, go to odin-os.sourceforge.net/guides/multiboot.html.
multicast  A multicast packet has one source and multiple destinations. In multicast, source hosts register at a special address to transmit data. Destination hosts register at the same address to receive data. In contrast to broadcast (page 1138), which is LAN-based, multicast traffic is designed to work across routed networks on a subscription basis. Multicast reduces network traffic by transmitting a packet one time, with the router at the end of the path breaking it apart as needed for multiple recipients.
multitasking  A computer system that allows a user to run more than one job at a time. A multitasking system, such as Linux, allows you to run a job in the background while running a job in the foreground.
multiuser system  A computer system that can be used by more than one person at a time. Linux is a multiuser operating system. Contrast with single-user system (page 1172).
namespace  A set of names (identifiers) in which all names are unique. (FOLDOC)
NAT  Network Address Translation. A scheme that enables a LAN to use one set of IP addresses internally and a different set externally. The internal set is for LAN (private) use. The external set is typically used on the Internet and is Internet unique. NAT provides some privacy by hiding internal IP addresses and allows multiple internal addresses to connect to the Internet through a single external IP address. See also masquerade on page 1159.
NBT  NetBIOS over TCP/IP. A protocol that supports NetBIOS services in a TCP/IP environment. Also NetBT.
negative caching  Storing the knowledge that something does not exist. A cache normally stores information about something that exists. A negative cache stores the information that something, such as a record, does not exist.
NetBIOS  Network Basic Input/Output System. An API (page 1135) for writing network-aware applications.
netboot  To boot a computer over the network (as opposed to booting from a local disk).
netiquette  The conventions of etiquette—that is, polite behavior—recognized on Usenet and in mailing lists, such as not (cross-)posting to inappropriate groups and refraining from commercial advertising outside the business groups. The most important rule of netiquette is "Think before you post." If what you intend to post will not make a positive contribution to the newsgroup and be of interest to several readers, do not post it. Personal messages to one or two individuals should not be posted to newsgroups; use private email instead. (FOLDOC)
netmask  A 32-bit mask (for IPv4) that shows how an Internet address is to be divided into network, subnet, and host parts. The netmask has ones in the bit positions in the 32-bit address that are to be used for the network and subnet parts and zeros for the host part. The mask should contain at least the standard network portion (as determined by the address class). The subnet field should be contiguous with the network portion. (FOLDOC)
network address  The network portion (netid) of an IP address. For a class A network, it is the first byte, or segment, of the IP address; for a class B network, it is the first two bytes; and for a class C network, it is the first three bytes. In each case the balance of the IP address is the host address (hostid). Assigned network addresses are globally unique within the Internet. Also network number. See also "Host Address" on page 381.
Network Filesystem  See NFS.
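The netmask and network address entries above, as an added worked example in Python that is not code from the book: it ANDs an address with a mask to obtain the network portion, takes the remaining bits as the host portion, derives the classful default mask from the first byte as the network address entry describes, and checks the two rules the netmask entry states (the ones in the mask are contiguous, and the mask covers at least the class network portion). The addresses and masks used are constructed sample values from private ranges.

```python
"""Split an IPv4 address into network and host parts (added example, not from the book)."""
from __future__ import annotations

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(dotted: str) -> int:
    """Parse a dotted quad such as '192.168.1.77' into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_mask(address: int) -> int:
    """Default netmask from the address class: A = first byte, B = first two
    bytes, C = first three bytes (the network address entry)."""
    first = address >> 24
    if first < 128:
        return 0xFF000000   # class A
    if first < 192:
        return 0xFFFF0000   # class B
    if first < 224:
        return 0xFFFFFF00   # class C
    raise ValueError("class D/E address has no default netmask")


def is_contiguous_mask(mask: int) -> bool:
    """A netmask is a run of ones followed by a run of zeros; the zero part
    must therefore be of the form 2^n - 1."""
    zeros = (~mask) & ALL_ONES
    return (zeros & (zeros + 1)) == 0


def covers_class_network(address: int, mask: int) -> bool:
    """The mask should contain at least the standard (classful) network portion."""
    if (address >> 24) >= 224:
        return True  # class D/E: no class-based requirement to check
    default = classful_mask(address)
    return (mask & default) == default


def split_address(dotted: str, netmask: str | None = None) -> tuple[str, str, int]:
    """Return (network address, host address, prefix length).

    With no netmask given, the classful default is used. A non-contiguous
    mask is rejected; a mask shorter than the class network portion is
    accepted here (supernetting), use covers_class_network to flag it.
    """
    address = dotted_to_int(dotted)
    mask = dotted_to_int(netmask) if netmask else classful_mask(address)
    if not is_contiguous_mask(mask):
        raise ValueError(f"netmask {netmask} is not contiguous")
    network = address & mask                  # ones select the network part
    host = address & (~mask & ALL_ONES)       # zeros select the host part
    return int_to_dotted(network), int_to_dotted(host), bin(mask).count("1")


if __name__ == "__main__":
    # Constructed sample values.
    print(split_address("192.168.1.77", "255.255.255.0"))  # ('192.168.1.0', '0.0.0.77', 24)
    print(split_address("10.1.2.3"))                        # ('10.0.0.0', '0.1.2.3', 8)
```

The contiguity check matters operationally: a mask such as 255.255.0.255 is accepted by some tools but divides the address in a way no router expects, so a configuration validator should reject it rather than silently compute a "network" from it.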
Network Information Service  See NIS.
network number  See network address.
network segment  A part of an Ethernet or other network on which all message traffic is common to all nodes; that is, it is broadcast from one node on the segment and received by all others. This commonality normally occurs because the segment is a single continuous conductor. Communication between nodes on different segments is via one or more routers. (FOLDOC)
network switch  A connecting device in networks. Switches are increasingly replacing shared media hubs in an effort to increase bandwidth. For example, a 16-port 10BaseT hub shares the total 10 megabits per second bandwidth with all 16 attached nodes. By replacing the hub with a switch, both sender and receiver can take advantage of the full 10 megabits per second capacity. Each port on the switch can give full bandwidth to a single server or client station or to a hub with several stations. Network switch refers to a device with intelligence. Contrast with hub (page 1152).
Network Time Protocol  See NTP on page 1163.
NFS  Network Filesystem. A remote filesystem designed by Sun Microsystems, available on computers from most UNIX system vendors.
NIC  Network interface card (or controller). An adapter circuit board installed in a computer to provide a physical connection to a network. (FOLDOC)
NIS  Network Information Service. A distributed service built on a shared database to manage system-independent information (such as usernames and passwords).
NIS domain name  A name that describes a group of systems that share a set of NIS files. Different from domain name (page 1146).
NNTP  Network News Transfer Protocol. Refer to "Usenet" on page 407.
node  In a tree structure, the end of a branch that can support other branches. When the Linux filesystem hierarchy is conceptualized as a tree, directories are nodes. See leaf on page 1156.
nonprinting character  See control character on page 1142. Also nonprintable character.
nonvolatile storage  A storage device whose contents are preserved when its power is off. Also NVS and persistent storage. Some examples are CD-ROM, paper punch tape, hard disk, ROM (page 1169), PROM (page 1166), EPROM (page 1147), and EEPROM (page 1147). Contrast with RAM (page 1167).
NTP  Network Time Protocol. Built on top of TCP/IP, NTP maintains accurate local time by referring to known accurate clocks on the Internet.
null string  A string that could contain characters but does not. A string of zero length.
octal number  A base 8 number. Octal numbers are composed of the digits 0-7, inclusive. Refer to Table G-1 on page 1152.
one-way hash function  A one-way function that takes a variable-length message and produces a fixed-length hash. Given the hash, it is computationally infeasible to find a message with that hash; in fact, you cannot determine any usable information about a message with that hash. Also message digest function. See also hash (page 1151).
open source  A method and philosophy for software licensing and distribution designed to encourage use and improvement of software written by volunteers by ensuring that anyone can copy the source code and modify it freely. The term open source is now more widely used than the earlier term free software (promoted by the Free Software Foundation; www.fsf.org) but has broadly the same meaning—free of distribution restrictions, not necessarily free of charge.
OpenSSH  A free version of the SSH (secure shell) protocol suite that replaces TELNET, rlogin, and more with secure programs that encrypt all communication—even passwords—over a network. Refer to "OpenSSH: Secure Network Communication" on page 663.
operating system  A control program for a computer that allocates computer resources, schedules tasks, and provides the user with a way to access resources.
option  A command-line argument that modifies the effects of a command.
Options are usually preceded by hyphens on the command line and traditionally have single-character names (such as -h or -n). Some commands allow you to group options following a single hyphen (for example, -hn). GNU utilities frequently have two arguments that do the same thing: a single-character argument and a longer, more descriptive argument that is preceded by two hyphens (such as --show-all and --invert-match).
ordinary file  A file that is used to store a program, text, or other user data. See directory (page 1145) and device file (page 1145).
output  Information that a program sends to the terminal or another file. See standard output on page 1174.
P2P  Peer-to-Peer. A network that does not divide nodes into clients and servers. Each computer on a P2P network can fulfill the roles of client and server. In the context of a file-sharing network, this ability means that once a node has downloaded (part of) a file, it can act as a server. BitTorrent implements a P2P network.
packet  A unit of data sent across a network. Packet is a generic term used to describe a unit of data at any layer of the OSI protocol stack, but it is most correctly used to describe network or application layer (page 380) data units ("application protocol data unit," APDU). (FOLDOC) See also frame (page 1149) and datagram (page 1144).
packet filtering  A technique used to block network traffic based on specified criteria, such as the origin, destination, or type of each packet. See also firewall (page 1148).
packet sniffer  A program or device that monitors packets on a network. See sniff on page 1173.
pager  A utility that allows you to view a file one screen at a time (for example, less and more).
paging  The process by which virtual memory is maintained by the operating system. The contents of process memory are moved (paged out) to the swap space (page 1175) as needed to make room for other processes.
PAM  Linux-PAM or Linux-Pluggable Authentication Modules.
These modules allow a system administrator to determine how various applications authenticate users. Refer to "PAM" on page 478.
parent process: A process that forks other processes. See process (page 1166) and child process (page 1140).
partition: A section of a (hard) disk that has a name so you can address it separately from other sections. A disk partition can hold a filesystem or another structure, such as the swap area. Under DOS and Windows, partitions (and sometimes whole disks) are labeled C:, D:, and so on. Also disk partition and slice.
passive FTP: Allows FTP to work through a firewall by allowing the flow of data to be initiated and controlled by the client FTP program instead of the server. Also called PASV FTP because it uses the FTP PASV command.
passphrase: A string of words and characters that you type in to authenticate yourself. A passphrase differs from a password only in length. A password is usually short—6 to 10 characters. A passphrase is usually much longer—up to 100 characters or more. The greater length makes a passphrase harder to guess or reproduce than a password and therefore more secure. [FOLDOC]
password: To prevent unauthorized access to a user's account, an arbitrary string of characters chosen by the user or system administrator and used to authenticate the user when attempting to log in. [FOLDOC] See also passphrase.
PASV FTP: See passive FTP.
pathname: A list of directories separated by slashes (/) and ending with the name of a file, which can be a directory. A pathname is used to trace a path through the file structure to locate or identify a file.
pathname, last element of a: The part of a pathname following the final /, or the whole filename if there is no /. A simple filename. Also basename.
pathname element: One of the filenames that forms a pathname.
peripheral device: See device on page 1145.
persistent: Data that is stored on nonvolatile media, such as a hard disk.
phish: An attempt to trick users into revealing or sharing private information, especially passwords or financial information. The most common form is email purporting to be from a bank or vendor that requests that a user fill out a form to "update" an account on a phoney Web site disguised to appear legitimate. Generally sent as spam (page 1173).
physical device: A tangible device, such as a disk drive, that is physically separate from other, similar devices.
PID: Process identification, usually followed by the word number. Linux assigns a unique PID number as each process is initiated.
pipe: A connection between programs such that standard output of one program is connected to standard input of the next. Also pipeline.
pixel: The smallest element of a picture, typically a single dot on a display screen.
plaintext: Text that is not encrypted. Also cleartext. Contrast with ciphertext (page 1141). See also "Encryption" on page 1110.
Pluggable Authentication Modules: See PAM on page 1164.
point-to-point link: A connection limited to two endpoints, such as the connection between a pair of modems.
port: A logical channel or channel endpoint in a communications system. The TCP (page 1176) and UDP (page 1178) transport layer protocols used on Ethernet use port numbers to distinguish between different logical channels on the same network interface on the same computer. The /etc/services file (see the beginning of this file for more information) or the NIS (page 1162) services database specifies a unique port number for each application program. The number links incoming data to the correct service (program). Standard, well-known ports are used by everyone: Port 80 is used for HTTP (Web) traffic.
Some protocols, such as TELNET and HTTP (which is a special form of TELNET), have default ports specified as mentioned earlier but can use other ports as well. [FOLDOC]
port forwarding: The process by which a network port on one computer is transparently connected to a port on another computer. If port X is forwarded from system A to system B, any data sent to port X on system A is sent to system B automatically. The connection can be between different ports on the two systems. See also tunneling (page 1178).
portmapper: A server that converts TCP/IP port numbers into RPC (page 1170) program numbers. See "RPC Network Services" on page 406.
printable character: One of the graphic characters: a letter, number, or punctuation mark. Contrast with a nonprintable, or CONTROL, character. Also printing character.
private address space: IANA (page 1153) has reserved three blocks of IP addresses for private internets or LANs:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can use these addresses without coordinating with anyone outside of your LAN (you do not have to register the system name or address). Systems using these IP addresses cannot communicate directly with hosts using the global address space but must go through a gateway. Because private addresses have no global meaning, routing information is not stored by DNSs and most ISPs reject privately addressed packets. Make sure that your router is set up not to forward these packets onto the Internet.
privileged port: A port (page 1165) with a number less than 1024. On Linux and other UNIX-like systems, only a process running with root privileges can bind to a privileged port. Any user on Windows 98 and earlier Windows systems can bind to any port. Also reserved port.
procedure: A sequence of instructions for performing a particular task.
Most programming languages, including machine languages, enable a programmer to define procedures that allow the procedure code to be called from multiple places. Also subroutine. [FOLDOC]
process: The execution of a command by Linux. See "Processes" on page 328.
.profile file: A startup file in a user's home directory that the Bourne Again or Z Shell executes when you log in. The TC Shell executes .login instead. You can use the .profile file to run commands, set variables, and define functions.
program: A sequence of executable computer instructions contained in a file. Linux utilities, applications, and shell scripts are all programs. Whenever you run a command that is not built into a shell, you are executing a program.
PROM: Programmable readonly memory. A kind of nonvolatile storage. ROM (page 1169) that can be written to using a PROM programmer.
prompt: A cue from a program, usually displayed on the screen, indicating that it is waiting for input. The shell displays a prompt, as do some of the interactive utilities, such as mail. By default the Bourne Again and Z Shells use a dollar sign ($) as a prompt, and the TC Shell uses a percent sign (%).
protocol: A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards, bit and byte ordering, and transmission, error detection, and correction of the bit stream. High-level protocols deal with data formatting, including message syntax, terminal-to-computer dialog, character sets, and sequencing of messages. [FOLDOC]
proxy: A service that is authorized to act for a system while not being part of that system. See also proxy gateway and proxy server.
proxy gateway: A computer that separates clients (such as browsers) from the Internet, working as a trusted agent that accesses the Internet on their behalf. A proxy gateway passes a request for data from an Internet service, such as HTTP from a browser/client, to a remote server.
The data that the server returns goes back through the proxy gateway to the requesting service. A proxy gateway should be transparent to the user. A proxy gateway often runs on a firewall (page 1148) system and acts as a barrier to malicious users. It hides the IP addresses of the local computers inside the firewall from Internet users outside the firewall. You can configure browsers, such as Mozilla/Firefox and Netscape, to use a different proxy gateway or to use no proxy for each URL access method including FTP, netnews, SNMP, HTTPS, and HTTP. See also proxy.
proxy server: A proxy gateway that usually includes a cache (page 1139) that holds frequently used Web pages so that the next request for that page is available locally (and therefore more quickly). The terms proxy server and proxy gateway are frequently interchanged so that the use of cache does not rest exclusively with the proxy server. See also proxy.
Python: A simple, high-level, interpreted, object-oriented, interactive language that bridges the gap between C and shell programming. Suitable for rapid prototyping or as an extension language for C applications, Python supports packages, modules, classes, user-defined exceptions, a good C interface, and dynamic loading of C modules. It has no arbitrary restrictions. For more information, see www.python.org. [FOLDOC]
quote: When you quote a character, you take away any special meaning that it has in the current context. You can quote a character by preceding it with a backslash. When you are interacting with the shell, you can also quote a character by surrounding it with single quotation marks. For example, the command echo \* or echo '*' displays *. The command echo * displays a list of the files in the working directory. See ambiguous file reference (page 1134), metacharacter (page 1159), regular character (page 1168), regular expression (page 1168), and special character (page 1173). See also escape on page 1147.
radio button: In a GUI, one of a group of buttons similar to those used to select the station on a car radio. Radio buttons within a group are mutually exclusive; only one button can be selected at a time.
RAID: Redundant array of inexpensive/independent disks. Two or more (hard) disk drives used in combination to improve fault tolerance and performance. RAID can be implemented in hardware or software.
RAM: Random access memory. A kind of volatile storage. A data storage device for which the order of access to different locations does not affect the speed of access. Contrast with a hard disk or tape drive, which provides quicker access to sequential data because accessing a nonsequential location requires physical movement of the storage medium and/or read/write head rather than just electronic switching. Contrast with nonvolatile storage (page 1163). Also memory. [FOLDOC]
RAM disk: RAM that is made to look like a floppy diskette or hard disk. A RAM disk is frequently used as part of the boot (page 1138) process.
RAS: Remote access server. In a network, a computer that provides access to remote users via analog modem or ISDN connections. RAS includes the dial-up protocols and access control (authentication). It may be a regular fileserver with remote access software or a proprietary system, such as Shiva's LANRover. The modems may be internal or external to the device.
RDF: Resource Description Framework. Being developed by W3C (the main standards body for the World Wide Web), a standard that specifies a mechanism for encoding and transferring metadata (page 1159). RDF does not specify what the metadata should or can be. It can integrate many kinds of applications and data, using XML as an interchange syntax. Examples of the data that can be integrated include library catalogs and worldwide directories; syndication and aggregation of news, software, and content; and collections of music and photographs. Go to www.w3.org/RDF for more information.
redirection: The process of directing standard input for a program to come from a file rather than from the keyboard. Also, directing standard output or standard error to go to a file rather than to the screen.
reentrant: Code that can have multiple simultaneous, interleaved, or nested invocations that do not interfere with one another. Noninterference is important for parallel processing, recursive programming, and interrupt handling. It is usually easy to arrange for multiple invocations (that is, calls to a subroutine) to share one copy of the code and any readonly data. For the code to be reentrant, however, each invocation must use its own copy of any modifiable data (or synchronized access to shared data). This goal is most often achieved by using a stack and allocating local variables in a new stack frame for each invocation. Alternatively, the caller may pass in a pointer to a block of memory that that invocation can use (usually for output), or the code may allocate some memory on a heap, especially if the data must survive after the routine returns. Reentrant code is often found in system software, such as operating systems and teleprocessing monitors. It is also a crucial component of multithreaded programs, where the term thread-safe is often used instead of reentrant. [FOLDOC]
regular character: A character that always represents itself in an ambiguous file reference or another type of regular expression. Contrast with special character.
regular expression: A string—composed of letters, numbers, and special symbols—that defines one or more strings. See Appendix A.
relative pathname: A pathname that starts from the working directory. Contrast with absolute pathname (page 1134).
remote access server: See RAS on page 1168.
remote filesystem: A filesystem on a remote computer that has been set up so that you can access (usually over a network) its files as though they were stored on your local computer's disks. An example of a remote filesystem is NFS.
remote procedure call: See RPC on page 1170.
resolver: The TCP/IP library software that formats requests to be sent to the DNS (page 1145) for hostname-to-Internet address conversion. [FOLDOC]
Resource Description Framework: See RDF on page 1168.
restore: The process of turning an icon into a window. Contrast with iconify (page 1153).
return code: See exit status on page 1147.
RFC: Request for comments. Begun in 1969, one of a series of numbered Internet informational documents and standards widely followed by commercial software and freeware in the Internet and UNIX/Linux communities. Few RFCs are standards but all Internet standards are recorded in RFCs. Perhaps the single most influential RFC has been RFC 822, the Internet electronic mail format standard. The RFCs are unusual in that they are floated by technical experts acting on their own initiative and reviewed by the Internet at large rather than being formally promulgated through an institution such as ANSI. For this reason they remain known as RFCs, even after they are adopted as standards. The RFC tradition of pragmatic, experience-driven, after-the-fact standard writing done by individuals or small working groups has important advantages over the more formal, committee-driven process typical of ANSI or ISO. For a complete list of RFCs, go to www.rfc-editor.org. [FOLDOC]
roam: To move a computer between wireless access points (page 1181) on a wireless network without the user or applications being aware of the transition. Moving between access points typically results in some packet loss, although this loss is transparent to programs that use TCP.
ROM: Readonly memory. A kind of nonvolatile storage. A data storage device that is manufactured with fixed contents. In general, ROM describes any storage system whose contents cannot be altered, such as a phonograph record or printed book. When used in reference to electronics and computers, ROM describes semiconductor integrated circuit memories, of which several types exist, and CD-ROM.
ROM is nonvolatile storage—it retains its contents even after power has been removed. ROM is often used to hold programs for embedded systems, as these usually have a fixed purpose. ROM is also used for storage of the BIOS (page 1137) in a computer. Contrast with RAM (page 1167). [FOLDOC]
root directory: The ancestor of all directories and the start of all absolute pathnames. The root directory has no name and is represented by / standing alone or at the left end of a pathname.
root filesystem: The filesystem that is available when the system is brought up in recovery mode. This filesystem is always represented by /. You cannot unmount or mount the root filesystem. You can remount root to change its mount options.
root login: Usually the username of Superuser (page 1175).
root (user): Another name for Superuser (page 1175).
root window: Any place on the desktop not covered by a window, object, or panel.
rotate: When a file, such as a log file, gets indefinitely larger, you must keep it from taking up too much space on the disk. Because you may need to refer to the information in the log files in the near future, it is generally not a good idea to delete the contents of the file until it has aged. Instead you can periodically save the current log file under a new name and create a new, empty file as the current log file. You can keep a series of these files, renaming each as a new one is saved. You will then rotate the files. For example, you might remove xyzlog.4, rename xyzlog.3 -> xyzlog.4, xyzlog.2 -> xyzlog.3, xyzlog.1 -> xyzlog.2, xyzlog -> xyzlog.1, and create a new xyzlog file. By the time you remove xyzlog.4, it will not contain any information more recent than you want to remove.
router: A device (often a computer) that is connected to more than one similar type of network to pass data between them. See gateway on page 1149.
RPC: Remote procedure call. A call to a procedure (page 1166) that acts transparently across a network.
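The rotation scheme that the rotate entry describes, written out as a shell function. This is an added example, not code from the book; the function names rotate_log and count_copies and the 0640 mode given to the new empty log are choices made here, not anything the book specifies.

```shell
#!/bin/sh
# Added example (not from the book): rotate a log file the way the
# "rotate" glossary entry describes. With KEEP=4, xyzlog.4 is removed,
# xyzlog.3 -> xyzlog.4, xyzlog.2 -> xyzlog.3, xyzlog.1 -> xyzlog.2,
# xyzlog -> xyzlog.1, and a new, empty xyzlog is created.
#
# Usage: rotate_log LOGFILE [KEEP]   (KEEP defaults to 4)
rotate_log() {
    log=$1
    keep=${2:-4}

    # Remove the oldest copy first; by now it holds nothing we still want.
    rm -f "$log.$keep"

    # Shift the remaining aged copies up by one, oldest first, so that
    # no file is overwritten before it has itself been moved.
    n=$((keep - 1))
    while [ "$n" -ge 1 ]; do
        if [ -f "$log.$n" ]; then
            mv "$log.$n" "$log.$((n + 1))"
        fi
        n=$((n - 1))
    done

    # The current log becomes .1 and a fresh, empty current log is created.
    # Mode 0640 is an assumption made for this example: a log usually should
    # not be readable by every user on the system.
    if [ -f "$log" ]; then
        mv "$log" "$log.1"
    fi
    : > "$log"
    chmod 0640 "$log"
}

# count_copies LOGFILE prints how many aged copies (LOGFILE.N) exist.
count_copies() {
    c=0
    for f in "$1".[0-9]*; do
        if [ -f "$f" ]; then
            c=$((c + 1))
        fi
    done
    echo "$c"
}

# Demonstration on a scratch directory with constructed sample logs.
demo=$(mktemp -d)
for i in 4 3 2 1; do echo "old$i" > "$demo/xyzlog.$i"; done
echo current > "$demo/xyzlog"
rotate_log "$demo/xyzlog" 4
ls -l "$demo"
rm -rf "$demo"
```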
The procedure itself is responsible for accessing and using the network. The RPC libraries make sure that network access is transparent to the application. RPC runs on top of TCP/IP or UDP/IP.
RSA: A public key encryption (page 1111) technology that is based on the lack of an efficient way to factor very large numbers. Because of this lack, it takes an extraordinary amount of computer processing time and power to deduce an RSA key. The RSA algorithm is the de facto standard for data sent over the Internet.
run: To execute a program.
runlevel: Before the introduction of the Upstart daemon, runlevels specified the state of the system, including recovery (single-user) and multiuser. For more information refer to "Runlevel emulation" on page 434.
Samba: A free suite of programs that implement the Server Message Block (SMB) protocol. See SMB (page 1172).
schema: Within a GUI, a pattern that helps you see and interpret the information that is presented in a window, making it easier to understand new information that is presented using the same schema.
scroll: To move lines on a terminal or window up and down or left and right.
scrollbar: A widget (page 1180) found in graphical user interfaces that controls (scrolls) which part of a document is visible in the window. A window can have a horizontal scrollbar, a vertical scrollbar (more common), or both. [FOLDOC]
server: A powerful centralized computer (or program) designed to provide information to clients (smaller computers or programs) on request.
session: The lifetime of a process. For a desktop, it is the desktop session manager. For a character-based terminal, it is the user's login shell process. In KDE, it is launched by kdeinit. A session may also be the sequence of events between when you start using a program, such as an editor, and when you finish.
setgid: When you execute a file that has setgid (set group ID) permission, the process executing the file takes on the privileges of the group the file belongs to. The ls utility shows setgid permission as an s in the group's executable position. See also setuid.
setuid: When you execute a file that has setuid (set user ID) permission, the process executing the file takes on the privileges of the owner of the file. As an example, if you run a setuid program that removes all the files in a directory, you can remove files in any of the file owner's directories, even if you do not normally have permission to do so. When the program is owned by root, you can remove files in any directory that a user working with root privileges can remove files from. The ls utility shows setuid permission as an s in the owner's executable position. See also setgid.
sexillion: In the British system, 10^36. In the American system, this number is named undecillion. See also large number (page 1156).
SHA1: Secure Hash Algorithm 1. The SHA family is a set of cryptographic hash (page 1151) algorithms that were designed by the National Security Agency (NSA). The second member of this family is SHA1, a successor to MD5 (page 1159). See also cryptography on page 1143.
share: A filesystem hierarchy that is shared with another system using SMB (page 1172). Also Windows share (page 1181).
shared network topology: A network, such as Ethernet, in which each packet may be seen by systems other than its destination system. Shared means that the network bandwidth is shared by all users.
shell: A Linux system command processor. The three major shells are the Bourne Shell (page 1138), the TC Shell (page 1176), and the Z Shell (page 1182).
shell function: A series of commands that the shell stores for execution at a later time. Shell functions are like shell scripts but run more quickly because they are stored in the computer's main memory rather than in files.
Also, a shell function is run in the environment of the shell that calls it (unlike a shell script, which is typically run in a subshell).
shell script: An ASCII file containing shell commands. Also shell program.
signal: A very brief message that the UNIX system can send to a process, apart from the process's standard input. Refer to "trap: Catches a Signal" on page 1009.
simple filename: A single filename containing no slashes (/). A simple filename is the simplest form of pathname. Also the last element of a pathname. Also basename (page 1137).
single-user system: A computer system that only one person can use at a time. Contrast with multiuser system (page 1161).
slider: A widget (page 1180) that allows a user to set a value by dragging an indicator along a line. Many sliders allow the user also to click on the line to move the indicator. Differs from a scrollbar (page 1171) in that moving the indicator does not change other parts of the display.
SMB: Server Message Block. Developed in the early 1980s by Intel, Microsoft, and IBM, SMB is a client/server protocol that is the native method of file and printer sharing for Windows. In addition, SMB can share serial ports and communications abstractions, such as named pipes and mail slots. SMB is similar to a remote procedure call (RPC, page 1170) that has been customized for filesystem access. Also Microsoft Networking. [FOLDOC]
SMP: Symmetric multiprocessing. Two or more similar processors connected via a high-bandwidth link and managed by one operating system, where each processor has equal access to I/O devices. The processors are treated more or less equally, with application programs able to run on any or all processors interchangeably, at the discretion of the operating system. [FOLDOC]
smiley: A character-based glyph (page 1150), typically used in email, that conveys an emotion. The characters :-) in a message portray a smiley face (look at it sideways).
Because it can be difficult to tell when the writer of an electronic message is saying something in jest or in seriousness, email users often use :-) to indicate humor. The two original smileys, designed by Scott Fahlman, were :-) and :-(. Also emoticon, smileys, and smilies. For more information search on smiley on the Internet.
smilies: See smiley.
SMTP: Simple Mail Transfer Protocol. A protocol used to transfer electronic mail between computers. It is a server-to-server protocol, so other protocols are used to access the messages. The SMTP dialog usually happens in the background under the control of a message transport system such as exim4. [FOLDOC]
snap (windows): As you drag a window toward another window or edge of the workspace, it can move suddenly so that it is adjacent to the other window/edge. Thus the window snaps into position.
sneakernet: Using hand-carried magnetic media to transfer files between machines.
sniff: To monitor packets on a network. A system administrator can legitimately sniff packets and a malicious user can sniff packets to obtain information such as usernames and passwords. See also packet sniffer (page 1164).
SOCKS: A networking proxy protocol embodied in a SOCKS server, which performs the same functions as a proxy gateway (page 1167) or proxy server (page 1167). SOCKS works at the application level, requiring that an application be modified to work with the SOCKS protocol, whereas a proxy (page 1166) makes no demands on the application. SOCKSv4 does not support authentication or UDP proxy. SOCKSv5 supports a variety of authentication methods and UDP proxy.
sort: To put in a specified order, usually alphabetic or numeric.
SPACE character: A character that appears as the absence of a visible character. Even though you cannot see it, a SPACE is a printable character. It is represented by the ASCII code 32 (decimal). A SPACE character is considered a blank or whitespace (page 1180).
spam: Posting irrelevant or inappropriate messages to one or more Usenet newsgroups or mailing lists in deliberate or accidental violation of netiquette (page 1161). Also, sending large amounts of unsolicited email indiscriminately. This email usually promotes a product or service. Another common purpose of spam is to phish (page 1165). Spam is the electronic equivalent of junk mail. From the Monty Python "Spam" song. [FOLDOC]
sparse file: A file that is large but takes up little disk space. The data in a sparse file is not dense (thus its name). Examples of sparse files are core files and dbm files.
spawn: See fork on page 1149.
special character: A character that has a special meaning when it occurs in an ambiguous file reference or another type of regular expression, unless it is quoted. The special characters most commonly used with the shell are * and ?. Also metacharacter (page 1159) and wildcard.
special file: See device file on page 1145.
spin box: In a GUI, a type of text box (page 1176) that holds a number you can change by typing over it or using the up and down arrows at the end of the box. Also spinner.
spinner: See spin box.
spoofing: See IP spoofing on page 1154.
spool: To place items in a queue, each waiting its turn for some action. Often used when speaking about printers. Also used to describe the queue.
SQL: Structured Query Language. A language that provides a user interface to relational database management systems (RDBMS). SQL, the de facto standard, is also an ISO and ANSI standard and is often embedded in other programming languages. [FOLDOC]
square bracket: A left square bracket ([) or a right square bracket (]). These special characters define character classes in ambiguous file references and other regular expressions.
SSH Communications Security: The company that created the original SSH (secure shell) protocol suite (www.ssh.com). Linux uses OpenSSH (page 1163).
standard error: A file to which a program can send output.
Usually only error messages are sent to this file. Unless you instruct the shell otherwise, it directs this output to the screen (that is, to the device file that represents the screen).
standard input: A file from which a program can receive input. Unless you instruct the shell otherwise, it directs this input so that it comes from the keyboard (that is, from the device file that represents the keyboard).
standard output: A file to which a program can send output. Unless you instruct the shell otherwise, it directs this output to the screen (that is, to the device file that represents the screen).
startup file: A file that the login shell runs when you log in. The Bourne Again and Z Shells run .profile, and the TC Shell runs .login. The TC Shell also runs .cshrc whenever a new TC Shell or a subshell is invoked. The Z Shell runs an analogous file whose name is identified by the ENV variable.
status line: The bottom (usually the twenty-fourth) line of the terminal. The vim editor uses the status line to display information about what is happening during an editing session.
sticky bit: Originally, an access permission bit that caused an executable program to remain on the swap area of the disk. Today, Linux kernels do not use the sticky bit for this purpose but rather use it to control who can remove files from a directory. In this new capacity, the sticky bit is called the restricted deletion flag. If this bit is set on a directory, a file in the directory can be removed or renamed only by a user who is working with root privileges or by a user who has write permission for the directory and who owns the file or the directory.
streaming tape: A tape that moves at a constant speed past the read/write heads rather than speeding up and slowing down, which can slow the process of writing to or reading from the tape. A proper blocking factor helps ensure that the tape device will be kept streaming.
streams: See connection-oriented protocol on page 1142.
string: A sequence of characters.
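The setuid, setgid and sticky bit entries explain how ls marks each of those bits in the permission string. Here, as an added shell example that is not the book's own code, is a function that reads those marks from the ls -l output, plus a helper that lists the setuid files under a directory (the usual starting point when auditing which programs hand out their owner's privileges); the names special_bits and list_setuid are choices made here.

```shell
#!/bin/sh
# Added example (not from the book): report the setuid, setgid and
# restricted-deletion (sticky) bits of a path by reading the mode string
# that ls -l prints, as the glossary entries describe:
#   an s (or S) in the owner's execute position  -> setuid
#   an s (or S) in the group's execute position  -> setgid
#   a t (or T) in the others' execute position   -> sticky (restricted deletion)
# A capital letter means the bit is set without the matching execute bit.
#
# special_bits PATH prints a list such as "setuid setgid", or "none".
special_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -rwsr-xr-x or drwxrwxrwt
    out=""
    case $(printf '%s\n' "$mode" | cut -c4) in
        s|S) out="setuid" ;;
    esac
    case $(printf '%s\n' "$mode" | cut -c7) in
        s|S) out="${out:+$out }setgid" ;;
    esac
    case $(printf '%s\n' "$mode" | cut -c10) in
        t|T) out="${out:+$out }sticky" ;;
    esac
    printf '%s\n' "${out:-none}"
}

# list_setuid DIR prints every regular file under DIR with the setuid bit
# set. As the setuid entry notes, a root-owned one is the most consequential,
# so such a list is worth reviewing periodically.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Demonstration on constructed files in a scratch directory.
demo=$(mktemp -d)
: > "$demo/prog" && chmod 4755 "$demo/prog"
mkdir "$demo/shared" && chmod 1777 "$demo/shared"
printf '%s: %s\n' prog "$(special_bits "$demo/prog")"        # setuid
printf '%s: %s\n' shared "$(special_bits "$demo/shared")"    # sticky
list_setuid "$demo"
rm -rf "$demo"
```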
stylesheet: See CSS on page 1143.
subdirectory: A directory that is located within another directory. Every directory except the root directory is a subdirectory.
subnet: Subnetwork. A portion of a network, which may be a physically independent network segment, that shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network as a network is to an internet. [FOLDOC]
subnet address: The subnet portion of an IP address. In a subnetted network, the host portion of an IP address is split into a subnet portion and a host portion using a subnet mask (also address mask). See also subnet number.
subnet mask: A bit mask used to identify which bits in an IP address correspond to the network address and subnet portions of the address. Called a subnet mask because the network portion of the address is determined by the number of bits that are set in the mask. The subnet mask has ones in positions corresponding to the network and subnet numbers and zeros in the host number positions. Also address mask.
subnet number: The subnet portion of an IP address. In a subnetted network, the host portion of an IP address is split into a subnet portion and a host portion using a subnet mask. Also address mask. See also subnet address.
subpixel hinting: Similar to anti-aliasing (page 1135) but takes advantage of colors to do the anti-aliasing. Particularly useful on LCD screens.
subroutine: See procedure on page 1166.
subshell: A shell that is forked as a duplicate of its parent shell. When you run an executable file that contains a shell script by using its filename on the command line, the shell forks a subshell to run the script. Also, commands surrounded with parentheses are run in a subshell.
superblock: A block that contains control information for a filesystem. The superblock contains housekeeping information, such as the number of inodes in the filesystem and free list information.
superserver: The extended Internet services daemon. Refer to xinetd on page 405.
Superuser: A user working with root privileges. This user has access to anything any other system user has access to and more. The system administrator must be able to become Superuser (work with root privileges) to establish new accounts, change passwords, and perform other administrative tasks. The username of Superuser is usually root. Also root or root user.
swap: The operating system moving a process from main memory to a disk, or vice versa. Swapping a process to the disk allows another process to begin or continue execution. Refer to "swap" on page 498.
swap space: An area of a disk (that is, a swap file) used to store the portion of a process's memory that has been paged out. Under a virtual memory system, the amount of swap space—rather than the amount of physical memory—determines the maximum size of a single process and the maximum total size of all active processes. Also swap area or swapping area. [FOLDOC]
switch: See network switch on page 1162.
symbolic link: A directory entry that points to the pathname of another file. In most cases a symbolic link to a file can be used in the same ways a hard link can be used. Unlike a hard link, a symbolic link can span filesystems and can connect to a directory.
system administrator: The person responsible for the upkeep of the system. The system administrator has the ability to log in as root or use sudo to work with root privileges. See also Superuser.
system console: See console on page 1142.
system mode: The designation for the state of the system while it is doing system work. Some examples are making system calls, running NFS and autofs, processing network traffic, and performing kernel operations on behalf of the system. Contrast with user mode (page 1179).
System V: One of the two major versions of the UNIX system.
TC Shell: tcsh.
An enhanced but completely compatible version of the BSD U N I X C shell, csh. TCP Transmission Control Protocol. The most common transport layer protocol used on the Internet. This connection-oriented protocol is built on top of IP (page 1154) and is nearly always seen in the combination TCP/IP (TCP over IP). TCP adds reliable communication, sequencing, and flow control and provides full-duplex, process-to-process connections. UDP (page 1178), although connectionless, is the other protocol that runs on top of IP.FOLDOC tera- In the binary system, the prefix tera- multiplies by 2 4 0 ( 1 , 0 9 9 , 5 1 1 , 6 2 7 , 7 7 6 ) . Terabyte is a common use of this prefix. Abbreviated as T. See also large number on page 1156. termcap Terminal capability. On older systems, the /etc/termcap file contained a list of various types of terminals and their characteristics. System V replaced the function of this file with the terminfo system. terminal Differentiated from a workstation (page 1181) by its lack of intelligence, a terminal connects to a computer that runs Linux. A workstation runs Linux on itself. terminfo Terminal information. The /usr/lib/terminfo directory contains many subdirectories, each containing several files. Each of those files is named for and holds a summary of the functional characteristics of a particular terminal. Visually oriented textual programs, such as vim, use these files. An alternative to the termcap file. text box A GUI widget theme Defined as an implicit or recurrent idea, theme is used in a GUI to describe a look that is consistent for all elements of a desktop. Go to themes.freshmeat.net for examples. thicknet A type of coaxial cable (thick) used for an Ethernet network. Devices are attached to thicknet by tapping the cable at fixed points. thinnet A type of coaxial cable (thin) used for an Ethernet network. Thinnet cable is smaller in diameter and more flexible than thicknet cable. 
Each device is typically attached (page 1180) that allows a user to enter text. GLOSSARY 1177 to two separate cable segments by using a T-shaped connector; one segment leads to the device ahead of it on the network and one to the device that follows it. thread-safe See reentrant on page 1168. thumb The movable button in the scrollbar (page 1171) that positions the image in the window The size of the thumb reflects the amount of information in the buffer. Also bubble. tick A mark, usually in a check box (page 1140), that indicates a positive response. The mark can be a check mark (•) or an x . Also check mark or check. TIFF Tagged Image File Format. A file format used for still-image bitmaps, stored in tagged fields. Application programs can use the tags to accept or ignore fields, depending on their capabilities.FOLDOC tiled windows An arrangement of windows such that no window overlaps another. The opposite of cascading windows (page 1139). time to live See TTL. toggle To switch between one of two positions. For example, the ftp glob command toggles the glob feature: Give the command once, and it turns the feature on or off; give the command again, and it sets the feature back to its original state. token A basic, grammatically indivisible unit of a language, such as a keyword, operator, or identifier.FOLDOC token ring A type of LAN (page 1156) in which computers are attached to a ring of cable. A token packet circulates continuously around the ring. A computer can transmit information only when it holds the token. tooltip A minicontext help system that a user activates by allowing the mouse pointer to hover (page 1152) over an object (such as those on a panel). transient window A dialog or other window that is displayed for only a short time. Transmission Control Protocol See TCP on page 1176. Trojan horse A program that does something destructive or disruptive to your system. 
Its action is not documented, and the system administrator would not approve of it if she were aware of it. See "Avoiding a Trojan Horse" on page 4 5 3 . The term Trojan horse was coined by MIT-hacker-turned-NSA-spook Dan Edwards. It refers to a malicious security-breaking program that is disguised as something benign, such as a directory lister, archive utility, game, or (in one notorious 1 9 9 0 case on the Mac) a program to find and destroy viruses. Similar to back door (page 1136).FOLDOC Time to live. 1. All DNS records specify how long they are good for—usually up to a week at most. This time is called the record's time to live. When a DNS server or an application stores this record in cache (page 1139), it decrements the TTL value and removes the record from cache when the value reaches zero. A DNS server passes a cached record to another server with the current (decremented) TTL guaranteeing the proper TTL, no matter how many servers the record passes through. 2. In the IP header, a field that indicates how many more hops the packet should be allowed to make before being discarded or returned. Teletypewriter. The terminal device that UNIX was first run from. Today T T Y refers to the screen (or window, in the case of a terminal emulator), keyboard, and mouse that are connected to a computer. This term appears in UNIX, and Linux has kept the term for the sake of consistency and tradition. Encapsulation of protocol A within packets carried by protocol B, such that A treats B as though it were a data link layer. Tunneling is used to transfer data between administrative domains that use a protocol not supported by the internet connecting those domains. It can also be used to encrypt data sent over a public internet, as when you use ssh to tunnel a protocol over the Internet.FOLDOC See also VPN (page 1180) and port forwarding (page 1165). User Datagram Protocol. The Internet standard transport layer protocol that provides simple but unreliable datagram services. 
UDP is a connectionless protocol (page 1142) that, like TCP (page 1176), is layered on top of IP (page 1154). Unlike TCP, UDP neither guarantees delivery nor requires a connection. As a result it is lightweight and efficient, but the application program must handle all error processing and retransmission. UDP is often used for sending time-sensitive data that is not particularly sensitive to minor loss, such as audio and video data.FOLDOC User ID. A number that the passwd database associates with a username. In the American system, 10 36 . In the British system, this number is named sexillion. See also large number (page 1156). A packet sent from one host to another host. Unicast means one source and one destination. A character encoding standard that was designed to cover all major modern written languages with each character having exactly one encoding and being represented by a fixed number of bits. See ignored window on page 1153. GLOSSARY 1179 URI Universal Resource Identifier. The generic set of all names and addresses that are short strings referring to objects (typically on the Internet). The most common kinds of URIs are URLS.TOLDOC URL Uniform (was Universal) Resource Locator. A standard way of specifying the location of an object, typically a Web page, on the Internet. URLs are a subset of URIs. usage message A message displayed by a command when you call the command using incorrect command-line arguments. User Datagram Protocol See UDP. User ID See UID. user interface See interface user mode The designation for the state of the system while it is doing user work, such as running a user program (but not the system calls made by the program). Contrast with system mode (page 1176). username The name you enter in response to the login: prompt. Other users use your username when they send you mail or write to you. Each username has a corresponding user ID, which is the numeric identifier for the user. 
Both the username and the user ID are stored in the passwd database (/etc/passwd or the NIS equivalent). Also login name. userspace The part of memory (RAM) where applications reside. Code running in userspace cannot access hardware directly and cannot access memory allocated to other applications. Also userland. See the KernelAnalysis-HO WTO. UTC Coordinated Universal Time. UTC is the equivalent to the mean solar time at the prime meridian (0 degrees longitude). Also called Zulu time (Z stands for longitude zero) and G M T (Greenwich Mean Time). UTF-8 An encoding that allows Unicode sequences of 8-bit bytes. utility A program included as a standard part of Linux. You typically invoke a utility either by giving a command in response to a shell prompt or by calling it from within a shell script. Utilities are often referred to as commands. Contrast with builtin (command) (page 1139). UUID Universally Unique Identifier. A 128-bit number that uniquely identifies an object on the Internet. Frequently used on Linux systems to identify an ext2, ext3, or ext4 disk partition. on page 1154. (page 1178) characters to be represented using 1180 GLOSSARY variable A name and an associated value. The shell allows you to create variables and use them in shell scripts. Also, the shell inherits several variables when it is invoked, and it maintains those and other variables while it is running. Some shell variables establish characteristics of the shell environment; others have values that reflect different aspects of your ongoing interaction with the shell. viewport Same as workspace virtual console Additional consoles, or displays, that you can view on the system, or physical, console. See page 149 for more information. virus A cracker (page 1143) program that searches out other programs and "infects" them by embedding a copy of itself in them, so that they become Trojan horses (page 1177). 
When these programs are executed, the embedded virus is executed as well, propagating the "infection," usually without the user's knowledge. By analogy with biological viruses.FOLDOC VLAN Virtual LAN. A logical grouping of two or more nodes that are not necessarily on the same physical network segment but that share the same network number. A VLAN is often associated with switched Ethernet.FOLDOC VPN Virtual private network. A private network that exists on a public network, such as the Internet. A VPN is a less expensive substitute for company-owned/leased lines and uses encryption (page 1110) to ensure privacy. A nice side effect is that you can send non-Internet protocols, such as AppleTalk, IPX, or NetBIOS (page 1161), over the VPN connection by tunneling (page 1178) them through the VPN IP stream. W2K Windows 2000 Professional or Server. W3C World Wide Web Consortium (www.w3.org). WAN Wide area network. A network that interconnects LANs (page 1156) and MANs (page 1159), spanning a large geographic area (typically states or countries). WAP Web ring whitespace wide area network widget wildcard (page 1181). Wireless access point. A bridge or router between wired and wireless networks. WAPs typically support some form of access control to prevent unauthorized clients from connecting to the network. A collection of Web sites that provide information on a single topic or group of related topics. Each home page that is part of the Web ring has a series of links that let you go from site to site. A collective n a m e f o r SPACEs a n d / o r TABs a n d occasionally NEWLINEs. Also white space. See WAN. The basic objects of a graphical user interface. A button, combo and scrollbar (page 1171) are examples of widgets. See metacharacter on page 1159. box (page 1141) GLOSSARY 1181 Wi-Fi Wireless Fidelity. A generic term that refers to any type of 802.11 less network. (page 1134) wire- window On a display screen, a region that runs or is controlled by a particular program. 
window manager A program that controls how windows appear on a display screen and how you manipulate them. Windows share See share on page 1171. WINS Windows Internet Naming Service. The service responsible for mapping NetBIOS names to IP addresses. WINS has the same relationship to NetBIOS names that DNS has to Internet domain names. WINS server The program responsible for handling WINS requests. This program caches name information about hosts on a local network and resolves them to IP addresses. wireless access point See WAP. word A sequence of one SPACEs, or NEWLINEs. word is similar to ters bounded by a Work buffer A location where vim stores text while it is being edited. The information in the Work buffer is not written to the file on the disk until you give the editor a command to write it. working directory The directory that you are associated with at any given time. The relative pathnames you use are relative to the working directory. Also current directory. workspace A subdivision of a desktop workstation A small computer, typically designed to fit in an office and be used by one person and usually equipped with a bit-mapped graphical display, keyboard, and mouse. Differentiated from a terminal (page 1176) by its intelligence. A workstation runs Linux on itself while a terminal connects to a computer that runs Linux. worm A program that propagates itself over a network, reproducing itself as it goes. Today the term has negative connotations, as it is assumed that only crackers (page 1143) write worms. Compare to virus (page 1180) and Trojan horse (page 1177). From Tapeworm in John Brunner's novel, The Shockwave Rider, Ballantine Books, 1 9 9 0 (via X E R O X P A R C ) . ™ c WYSIWYG What You See Is What You Get. A graphical application, such as a word processor, whose display is similar to its printed output. X server The X server is the part of the X Window System that runs the mouse, keyboard, and display. (The application program is the client.) 
or more nonblank characters separated from other words by TABs, Used to refer to individual command-line arguments. In vim, a a word in the English language—a string of one or more characpunctuation mark, a numeral, a TAB, a SPACE, or a NEWLINE. (page 1144) that occupies the entire display. See page 118. 1182 GLOSSARY X terminal A graphics terminal designed to run the X Window System. X Window System A design and set of tools for writing flexible, portable windowing applications, created jointly by researchers at MIT and several leading computer manufacturers. XDMCP X Display Manager Control Protocol. XDMCP allows the login server to accept requests from network displays. XDMCP is built into many X terminals. xDSL Different types of DSL (page 1147) are identified by a prefix, for example, ADSL, HDSL, SDSL, and VDSL. Xinerama An extension to X.org. Xinerama allows window managers and applications to use the two or more physical displays as one large virtual display. Refer to the Xinerama-HOWTO. XML Extensible Markup Language. A universal format for structured documents and data on the Web. Developed by W3C (page 1180), X M L is a pared-down version of SGML. See www.w3.org/XML and www.w3.org/XML/1999/XML-in-10-points. XSM X Session Manager. This program allows you to create a session that includes certain applications. While the session is running, you can perform a checkpoint (saves the application state) or a shutdown (saves the state and exits from the session). When you log back in, you can load your session so that everything in your session is running just as it was when you logged off. Z Shell zsh. A shell (page 1171) that incorporates many of the features of the Bourne Again Shell (page 1138), Korn Shell (page 1156), and TC Shell (page 1176), as well as many original features. Zulu time See UTC on page 1179. 
JUMPSTART INDEX

Apache: Getting Apache Up and Running 903
APT: Installing and Removing Packages Using aptitude 519
CUPS: Configuring a Local Printer 549
CUPS: Setting Up a Local or Remote Printer Using the CUPS Web Interface 555
DNS: Setting Up a DNS Cache 834
firestarter: Configuring a Firewall Using the Firewall Wizard 867
FTP: Downloading Files using ftp 690
FTP: Starting a vsftpd FTP Server 700
Mail: Configuring exim4 to Send and Receive Mail 718
Mail: Configuring exim4 to Use a Smarthost 716
MySQL: Setting Up MySQL 629
NFS: Configuring an NFS Server Using shares-admin 783-785
NFS: Mounting a Remote Directory Hierarchy 777-780
OpenSSH: Starting an OpenSSH Server 677
OpenSSH: Using ssh and scp to Connect to an OpenSSH Server 667
Samba: Configuring a Samba Server Using system-config-samba 800

FILE TREE INDEX

A light page number indicates a brief mention.

/bin 213
  echo 995
  false 495
/boot 38, 213, 582, 583, 613
  grub
    grub.cfg 4Z, ¡87
    menu.lst 584
/dev 213, 244, 488, 502
  disk
    by-path 489
    by-uuid 489
    id« 488
  hdn 489
  null 250, 489, 62, »73
  pts 490
  random 490
  sdn 489
  tty 1008
  urandom 490
  zero 491
/etc 214
  aliases 619, 722
  alternatives 491
  anacrontab 402, 607
  apache2
    apache2.conf 906, 932-934
    conf.d 908
    envvars 908
    httpd.conf 908
    mods-available 905, 907
    mods-available/alias.conf 907
    mods-enabled 905, 908
    ports.conf 908
    sites-available 906, 908
    sites-available/default 934
    sites-enabled 906, 908
  apt
    apt.conf 524
    apt.conf.d 524
    sources.list 523
  at.allow 491
  at.deny 491
  auto.master 793
  bash.bashrc 492
  bashrc 294
  bind 836, 841
    db.127 844
    db.local 843
    db.root 841
    named.conf 836, 839-841, 851, 856
    named.conf.options 841
  cacti
    apache.conf 651
    debian.php 651
  cron.allow 491
  cron.d 403, 606, 607
  cron.daily 607
  cron.deny 491
  cron.monthly >07
  cron.weekly 607
  crontab 403, 606
  cups
    cupsd.conf 565
    ppd 563
  default 492
    autofs 794
    bind9 834
    dhcp3-server 473
    exim4 724
    grub 584-586
    nis 746, 751, 757
    snmpd 655
  defaultdomain 745, 746
  dhcp3
    dhclient.conf 472
    dhcpd.conf 473, 474
  dovecot
    dovecot.conf 735
  dumpdates 492, 603
  event.d/tty1 439
  exim4 724
    exim.crt 736
    exim.key 736
    exim4.conf.localmacros 737
    update-exim4.conf.conf 724
  exports 783, 786-789
  firestarter 866
  fstab 507, 510, 778, 781
  ftpusers 711
  custom.conf 271
  PreSession 449
  group 492, 91, 1082
  grub.d 586
  hostname 493
  hosts 386, 493
  hosts.allow 46:, 465-466
  hosts.deny 463, 465-466
  hosts.equiv 391, 1119
  init 434, 438
  init.d 440
    anacron 607
    apache2 901
  init
    control-alt-delete 451
    rc.conf 438, 445
    rcS.conf 445
    rc-sysinit.conf 439
  inittab 439, 493
  issue 147
  ldap
    schema 758
    slapd.d/cn=config 761
  lftp.conf 674
  login.defs 494, 597
  logrotate.conf 622-624
  logrotate.d 622, 624
  magic 500
  mailman
    mm_cfg.py 735
  mailname 718
  motd 494, 615
  mtab 494
  nologin 495
  nologin.txt 481
  nsswitch.conf 475-477, 742
  ntp.conf 404
  opt 214
  pam.d 478
  passwd 44:, 494-495
  printcap 495
  profile 294, 495
  protocols 495, 888
  rc.local 441
  rcn.d 440-443
  resolv.conf 496, 834, 835
  rpc 496
  rsyslog.conf 626-627
  samba
    smb.conf 804, 807-814
    smbusers 799
  securetty 421
  security
    access.conf 421
  services 402, 497
  shadow 14, 497
  shells 457
  skel 597
  ssh 665
    ssh_config 674
    ssh_known_hosts 668-670
    sshd_config 679
  ssl
    vsftpd.pem 710
  sudoers 426-431
  termcap 1176
  ufw
    applications.d 874
  vsftpd.banned_emails 703
  vsftpd.conf 701
  vsftpd.user_list 702, 711
  X11 214
  yp.conf 747
  ypserv.conf 751
/home 39, 214
  ftp 700, 703, 705
/lib 214
  modules 214, 580
  security 478
/lost+found 488
/mnt 214
/opt 39, 214, 541
/proc 214, 497
  mounts 494, 790
  sys 572
/root 214
/sbin 214
/srv
  ftp 700, 703, 705
/sys 214, 499
/target 36, 84
/tmp 214, 983
/usr 39, 214
  bin 214
    htpasswd 907
    test 956
  games 214
  include 214
  lib 214
    cgi-bin 908
    terminfo 1176
  local 39, 214, 542
    pub
      ascii 1135
  sbin 214
    apache2 907
    apache2ctl 907
    nologin 495
    rotatelogs 907
  share 214
    apache2
      error 908
      icons 908
    doc 143, 215, 408, 616, 1100
      apache2-doc/manual
        index.html.* 908
    file
      magic 500
    info 215
    magic 1158
    man 215
    ppd
      custom 563
    recovery-mode 447
  src 215
    linux 575
      Documentation 143
/var 38, 215
  cache
    apt
      archives 524, 533
  exim4
    mainlog 720
  lib
    apt
      lists 524
    dhcp3 472
    dpkg
      available 533, 534
      status 533
    exim4
      config.autogenerated 724
    DB_CONFIG 760
    named 847
      etc
        bind 836
    nfs
      etab 789
      rmtab 790
  log 39, 215, 500, \U, 1100
    apache2 908
      access_log 908
      error_log 908
    aptitude 526
    auth.log 500, 1100
    messages 500, 61, 1100
    syslog 849
    vsftpd.log 708, 711
    wtmp 523
  mail 720
  name 321
  spool 215, 1100
    cron
      crontabs 403, 606
  www 902, 905, 909
  yp
    Makefile 753
    nicknames 743
    nisdomainname 743
    securenets 753
~/ (a user's home directory)
  .bash_history 330
  .bash_login 294
  .bash_logout 294
  .bash_profile 294, 331, 55, 488
  .bashrc 294, 488
  .cshrc 1143
  .dmrc 449
  .forward 723
  .inputrc 343
  .login 1158
  .logout 1158
  .netrc 694
  .pgpkey 182
  .plan 182
  .profile 294, 1166
  .project 182
  .rhosts 391
  .ssh/config 674
  .ssh/known_hosts 668-670
  .toprc 610

UTILITY INDEX

A light page number such as 456 indicates a brief mention. Page numbers followed by the letter t refer to tables.

SYMBOLS
. (dot) 296, 1007
: (null) 1002, 1011
[[...]] 1018

A
a2dismod 905
a2dissite 906
a2enmod 905
a2ensite 906
accton 1120
adduser 597
AIDE 119
alias 346
amanda 600
anacron 607
anacrontab 102
apache2ctl 903, 940
apropos 139, 437
apt-cache 530
apt-file 521
apt-get see aptitude
aptitude 519-520, 526-529, 573
ash see dash shell
aspell 971
at 40, 491, 608
awk see mawk

B
basename 982
bash see bash in the Main Index (page 1195)
bg 255, 309
bind 344
btdownloadcurses 540
btshowmetainfo 541
builtins 1015t
bunzip2 175
bzcat 175
bzip2 174, 502
bzip2recover 175

C
cancel 559
cat 162, 245, 247, 960
cd 209, 231, 324
chkrootkit 1124
chmod 216, 218t, 218, 301
chroot 466-470
chsh 293, 457
clear 458
compress 176, 203
cp 163, 212
cpio 602, 602
crack 620
crontab 403, 491
cupsaccept 564
cupsdisable 565
cupsenable 565
cupsreject 564
cut 361

D
dash 15, 292
date 172, 999
dd 490
declare 317-318, 991
depmod 582
df 774
dhclient 471, 472
diff 168
dig 396, 832-833, 835
dirs 310
dmesg 444, 589
dpkg 534, 535t, 536-539
dpkg-reconfigure 726
DragonSquire 1119
dump 492, 51, 603-605

E
e2label 458
echo 171, >8(, 995
echo builtin 980t
ed 166
edquota 625
egrep 1096
empathy 117
env 351
eval 351
exec 987, 1006-1009
eximon 724
eximstats 724
exit 117, 958, '96
export 318, 992
exportfs 785, 791

F
false 495, 022
fc 332-335
fdformat 509
fg 255
file 170, ¡0', 622
find 454, 622, 966
finger 181, 183t, 389, 03
firestarter 864
fromdos 173
fsck 504, 512
ftp 688, 695-698
fuser 510
fwtk 1125

G
gawk see mawk
getfacl 222-226
getopts 1012-1015
getty 328, 448
git 574
gksudo 423
gnome-search-tool 286
gnome-terminal 287
gopher 109
gparted 64-66
grep 166, 973, 985, 1042
groupadd 598
groupdel 598
groupmod 598
groups 493
grub-install 589
grub-mkconfig 587
gufw 876-880
gunzip 175
gzip 175

H
halt 450, 452
head 166
history 330, 331
host 396, 833
hostname 163
hping 1125

I
id 424, 432
ifconfig 474
info 139-142
init 328
initctl 434
insmod 582
ipchains 880
iptables-restore 891
iptables-save 891
ispell see aspell

J
jobs .5, 256, 307, 308
John the Ripper 1125

K
kdesudo 423
kerberos 1121
kill 15, 255, 455-457, 61^, 1009, 1010, 1012
killall 457

L
ldapadd 765
ldapmodify 764
ldd 465
less 13:, 162, 960
let 361, 1016
lftp 674
links 111
ln 228, 230, 501
login 328, 448
logresolve 921
logrotate 622-624
lp 559
lpadmin 562-564
lpinfo 561
lpq 165, 559
lpr 165, 252, 559
lprm 165, 559
lpstat 165, 559
ls 161, 215, 502
lsb_release 585
lshal 641
lshw 640
lsmod 582
lsof 618
lspci 640
lsusb 641
lynx 411

M
m-a 581
mailq 723
make 1080
makedbm 753
man 136-138
mandb 139
mawk 97C, 1096
memtest86+ 587
mesg 185
mingetty 328
mkdir 208-209
mkfifo 503
mkfs 458, 8i, 509
mklost+found 488
mkswap 499
mlocate 180
modinfo 582
modprobe 582
module-assistant 581
more 162
mount 49', 506-509, 777, 778-780, 816
mt 605
mv 164, 212, 501
mysql_secure_installation 629

N
nano 42, -26
nessus 1125
net 798
net use (Windows) 818
net view (Windows) 818
netcat 1125
netstat 584
newaliases 723
newlist 734
nisdomainname 746
nmap 1125
nmblookup 818
nm-connection-editor 642-643
nn 107
nologin 495

O
od 491
OPIE 1120

P
palimpsest 66-70
parted 611-614
passwd 749
pdbedit 798
perldoc 1043
pidof 457
pinfo 141
ping 393, 458
ping6 394
popd 312
portmap 776, 782, 792
ps 255, 0,, 328, 456, 995
pstree 329
pushd 311
pwd 204, 231
pwgen 149

Q
Qmail 1116
quota 625
quotaon 625

R
read 37, 1003-1006
read builtin 1005t
readnews 407
readonly 317, 318
reboot 450
reload 435
reset 458
resolvconf 496, 834, 835
restore 603-605
rexec 404
rm 162, 232, 501
rmdir 210
rmmod 582
rn 407
rpcinfo 462-464, 748
runlevel 444, 151
run-parts 607

S
S/Key 1120
samhain 1119
scp 667, 672-674
scp see also OpenSSH in the Main Index (page 1195)
script 172
sed 622
service 441
set 353, >6, 965, 998
setfacl 222-226
setserial 459
sftp 674
sh 292, 1138
sha1sum 47
shares-admin 783-785, 786
shift 95:, 998
shopt 353
showmount 790
shutdown 437, 450
slapcat 763
sleep 996
smbclient 815, 819
smbpasswd 798, 803
smbstatus 798
smbtar 798
smbtree 815
snort 1126
software-properties-gtk 524
sort 168, 25, 16., 989
source 296
SpamAssassin 727-731
spamc 727
squirrelmail-configure 732
srp 1126
ssh 664, 667, 670-672, .121
ssh see also OpenSSH in the Main Index (page 1195)
ssh-keygen 668-670, 677
start 135
startx 270
stat 459
status 43.', 436
stty 151, 488
su 421, 431
sudo 98, 421-431
sudoedit 425
swapon 499
swat 804, 807
synaptic 133-136
sysctl 572
system-config-printer 550-554
system-config-samba 800
sysv-rc-conf 441, 443

T
tail 167
talk 405
tar 176-178, 307, 600, 601t, 602
tee 254, 12, 905
telinit 437, 13, 444, 448, 51
telnet 391-393, 941, 1116
test 955-957, 957, 961, 96, 96S, 96, 970, 976
test builtin 957t
testparm 817
tftp 774
tin 107
todos 173
top 610, 610t
touch 211
tput 975
tr 173, 251, 298
traceroute 394
traceroute6 395
trap 975, 1009-1012
tripwire 111:, 1126
true 1011, 1022
tset 458
tune2fs 512-514
type 1003
typeset 317-318, 994

U
ubiquity 57-63, 70-74
udev 502
ufw 874-876
umask 459
umount 494, 509
unalias 346, 349
uname 460, 588
uncompress 203
uniq 168, 522
unset 316
updatedb 180
update-exim4.conf 724
update-grub 8', 587-588
uptime 183
useradd 597
userdel 598
usermod >7, 598
users-admin 594-597
uucp 407

V
vim 186-193
vimtutor 186
visudo 426
vmstat 609

W
w 183, 183t
wall 615
wc 170, 561
webalizer 948
wget 543
whatis 139, 437
whereis 179
which 178
who 180, 183t
whois 396
wireshark 1126
write 184, ¡15

X
X 268
xargs 622
xev 270
xhost 271
xmodmap 274
xrn 407
xvnews 407

Y
ypcat 744
ypinit 755
ypmatch 744
yppasswd 748-750
ypwhich 747
ypxfr 755

Z
zcat 175

MAIN INDEX

An italic page number such as 123 indicates a definition. A light page number such as 456 indicates a brief mention. Page numbers followed by the letter t refer to tables. Only variables that must always appear with a leading dollar sign are indexed with a leading dollar sign. Other variables are indexed without a leading dollar sign.

SYMBOLS
! (NOT) Boolean operator 1024
!! reexecutes the previous event 335
# comment symbol 303, 964
# prompt 420
#! specifies a script shell 302, '63
$ bash parameters 994-999
$ in regular expressions 1092
$ in variable names 314
$! parameter 996
$# parameter 997
$$ parameter 98, 995
$((...)) see arithmetic, expansion
$(...) see command, substitution
$* parameter 999
$? parameter 996
$@ parameter 96, 70, 1000
${} expands variables 1001
$0 parameter 997
$n parameters 997
& (AND) bitwise operator 1023
& background process 254, 330, 1136
& command separator 305
& in replacement strings (regular expressions) 1095
&& (AND) Boolean operator 1017, 1022-1023, 1024
((...)) see arithmetic, evaluation
() command grouping 306
* in regular expressions 1092
* special character 257
+ in extended regular expressions 1096
, (comma) operator 1021
. (dot) builtin 296, 1007
. directory 210, 501
in regular expressions 1091
./ executes a file in the working directory 301, 320
.. directory 210, 501
.jpg filename extension 1155
/ (root) directory 35, 37, 205, 213
/ within pathnames 35
: (null) builtin 1002, 1011
:- substitutes default values for a variable 1001
:= assigns default values for a variable 1001
MAIN INDEX
:? displays an error message for a variable 1002
; command separator 304
< redirects input 247, 1134
<< Here document 985-987, 1134
> redirects output 246, 1134
>& duplicates output file descriptor 298, 299, 958
>> appends output 249, 1134
>| redirects output without clobber 248
1> redirects standard output 297
? in extended regular expressions 1096
? special character 256
@ in a network address 388
[] character class (regular expressions) 1091, 1140
[] special characters 259
[...] see test utility
[[...]] builtin 1018
\ escape character 160, 304, 314
\( in regular expressions 1094
\) in regular expressions 1094
^ in regular expressions 1092
^ quick substitution character 338
| (OR) bitwise operator 1024
| (OR) Boolean operator 1096
| command separator 305
| in extended regular expressions 1096
| see pipe
|| (OR) Boolean operator 1017, 1022-1023, 1024
~- synonym for OLDPWD 360
~ (tilde) expansion 206, 359
~ expansion 319, 359
~ in directory stack manipulation 360
~ see also home directory
~+ synonym for PWD 360
`...` see command, substitution

NUMERICS
0< redirects standard input 297
10.0.0.0 (IP address) 1134
10Base2 cable 375
10BaseT cable 375
100BaseT cable 375
127.0.0.1 (IP address) 387, 493
127.0.1.1 (IP address) 493
172.16.0.0 (IP address) 1134
192.168.0.0 (IP address) 1134
2> redirects standard error 297
32-bit versus 64-bit Ubuntu 29
3-DES encryption 1113
64-bit PC processor architecture 30
64-bit versus 32-bit Ubuntu 29
802.11 wireless specification 1134

A 1158
-a (AND) Boolean operator 961, 1017
a2dismod utility 905
a2dissite utility 906
a2enmod utility 905
a2ensite utility 906
aborting execution 151
absolute pathnames 205, 242, 1134
access 1134
Access Control Lists see ACLs
access permissions 215-226, 1134; change using chmod 216-218; directory 220-221; display using ls 216; execute 300-302; Nautilus 129; setgid see setgid; setuid see setuid
access.conf file 421
accton utility 1120
ACLs 221-226, 1134; access rules 222-226; default rules 225; effective rights mask 224; enabling 222; getfacl utility 222-226; setfacl utility 222-226
acpi boot parameter 82
acpid daemon 402
active window 153, 1134
ad hoc mode, wireless 640
addbanner shell script 1011
addition operators 1020
address mask see subnet, mask
address see the type of address you are looking for (e.g., MAC address, IP address) or see the specific address (e.g., 127.0.0.1)
adduser utility >97
Adept package manager 525
adfs filesystem 505
admin group and sudo 428
Administration submenu 122
AES (Advanced Encryption Standard) 1113
affs filesystem 505
AIDE utility 45, 119
algorithm 1025
alias 346-349, 1134; examples 34! - \9; mail 722; quotation marks in 347; recursion 346; recursive plunge 349; substitution 356
alias builtin 346
alias.conf file 907
aliases file 61, 722
Almquist Shell see Debian Almquist Shell
alphanumeric character 1134
Alternate CD see installation, CD/DVD
alternatives directory 491
amanda utility 600
ambiguous file references 256, 1134
AMD64 processor architecture 30
anacron daemon 402
anacron file 607
anacron init script 605
anacron utility 607
anacrontab file 402, 607
anacrontab utility 402
AND bitwise operator 1023
AND Boolean operator 961, 1017
Andreessen, Marc 409
angle bracket 1134
ANI 1122
animate 1134
anonymous FTP 694
ANSI 11
ansi terminal name 1106
antialiasing 1135
Apache 899-901 see also Apache containers; Apache directives; a2dismod utility 905; a2dissite utility 906; a2enmod utility 905; a2ensite utility 906; adding content 905; alias.conf file 907; apache2 daemon 902; apache2 file 901; apache2 init script 902; apache2.conf file 906, 932-934; apache2ctl utility 903, 940; authentication modules 945; CGI (Common Gateway Interface) 942, 946; configuring (Cacti) 651; content negotiation 935; contexts 915; default file 934; directory context 915; directory listings 937; document root 902; DSOs (dynamic shared objects) 900, 941; error codes 948; filename extensions 914; filesystem layout 905; .htaccess context 915; .htaccess file 909, 945; .htpasswd file 946; HTTPS protocol 943; indexing 937; JumpStart: getting Apache up and running 903; logresolve utility 921; logs 908; modifying content 902; mods-available directory 905; mods-enabled directory 905; modules 900, 905, 941; MPMs (multiprocessing modules) 947; MRTG (Multi Router Traffic Grapher) 948; MultiViews option 936; Perl code 946; PHP code 946; prerequisites 902; privileged port 901; process 901; public_html directory 913; Python code 946; redirects 935; reverse name resolution 921; role alias 912; root privileges 901; scripting modules 946; self-signed certificate 943-945; server 901; server config context 915
sites-available directory 906; sites-enabled directory 906; Software Foundation 899; SSL 943-945; telnet utility 941; terminology 901; testing 904; troubleshooting 940; type maps 935; user content, publishing 913; .var filename extension 935; virtual host context 915; virtual hosts 906, 937, 937-940; webalizer utility 948; www directory 902, 905, 909; www-data group 901
Apache containers 915-919 915, 934 916 916, 933 917 917 918 918 918
Apache directives 909, 909-932; AddHandler 923, 935; Alias 923; Allow 930; AllowOverride 930; Deny 931; DirectoryIndex 914; DocumentRoot 913, 934; ErrorDocument 924; ErrorLog 922; Group 927; HostnameLookups 921; Include 906, 927; IndexOptions 924; Listen 910; LoadModule 928, 934; LogLevel 922; MaxClients 919; MaxRequestsPerChild 919; MaxSpareServers 920; MinSpareServers 920; NameVirtualHost 920; Options 928; Order 931; Redirect 911; RedirectMatch 911; ScriptAlias 929; security 930; ServerAdmin 904, 912, 934; ServerName 903, 912, 934; ServerRoot 926, 932; ServerSignature 927; ServerTokens 926; special 915-919; StartServers 920; Timeout 921; UseCanonicalName 922, 935; User 929; UserDir 913
apache.conf file (Cacti) 651
apache2 daemon 902
apache2 file 901
apache2 init script 902
apache2.conf file 906, 932-934
apache2ctl utility 903, 940
API 1135
apic boot parameter 82
apm boot parameter 82
apmd daemon 403
Appearance Preferences window 113
append 1135
append standard output using >> 249
applet 121, 1135; clock 105; Window List 121; Workspace Switcher 104
Application, Run window 286
application, terminating 107
Applications menu 122
applications.d directory 874
apropos utility 139, 437
APT 518, 522 see also aptitude; software packages; apt cron script 524; apt.conf file 524; apt.conf.d file 524; apt-cache utility 530; apt-file utility 521; apt-get utility see aptitude; cache 524; configuration files 524; dependencies see software packages, dependencies; local package indexes 524; repositories see repositories
software-properties-gtk utility 524; source code, download using apt-get 532; sources.list file 523; update-notifier 525
apt cron script 524
apt.conf file 524
apt.conf.d file 524
apt-cache utility 530
apt-file utility 521
apt-get utility see aptitude
aptitude 519-520, 526-529; commands, list of 526; dependencies 520; full-upgrade command 529; install error 522; JumpStart: installing and removing packages using aptitude 519; kernel, downloading source code for 573; log file, aptitude 526; options 527; packages, suggested 520; purge command 520; remove command 520; safe-upgrade command 528; search command 529; show command 529; update command 528; updating the index 528
aptitude file 526
archive 1135
archive, shell 986
archives file (APT) 524, 533
archiving files 174-178
arguments 238, 1135; command line 999; testing 956, 964
arithmetic; evaluation (bash) 360, 971, 99 , 1016-1017; expansion (bash) 360-362, 1021; expression 1135
ARM processor architecture 30
Armel processor architecture 30
array 1045, 1135
ASCII 1135
ascii file 1135
ASCII terminal 1135
ash see dash shell
ASLR (Address Space Layout Randomization) 29
ASP 1135
aspell utility 971
assembly language 11
assignment operators 1021
asterisk special character 257, 1092
asymmetric encryption see encryption, public key
asynchronous communication 503
asynchronous event 1136
at utility 4C, 491, 608
AT&T Bell Laboratories 3, 292
at.allow file 491
at.deny file 491
atd daemon 403
Athena, Project 268
ATM link 374
attachments 1136
attribute, LDAP 758
auth.log file 500, 1100
authenticated relaying, mail 736
authentication 1136; Apache 945; OpenSSH 664, 668
auto.master file 793
autofs directory hierarchy 793
autofs file 794
autofs init script 793
automatic mounting 1136
automount 792-794; auto.master file 793; autofs file 794; autofs init script 793; home directory 792
available file (dpkg) 533, 534
avoided 1136
awk utility see gawk utility

B language 11
backdoor 1136
backticks see command, substitution
background; command, running in the 254; jobs 254; foreground versus 254-256; processes 330, 1136
backports software package category 522
BACKSLASH escape character 160, 304, 1095
BACKSLASH in replacement strings 314
BACKSPACE key (erase character) 151
backup 599-605; amanda utility 600; cpio utility 602, >02; dump/restore utilities 603-605; dumpdates file 603; full 599; incremental 599; media 600; mt utility 605; partition planning and 39; simple 602; tar utility 600, 601t, S02; utilities 600
base operators 1023
basename 205, 1137
basename utility >82
bash 292, 1138 see also alias; bash history; bash variables; command; command line; commands; operators; shell scripts; alias see alias; archive 986; arguments 999; arithmetic evaluation 360, 971, 99 , 1016-1017; arrays see bash variables, array; background process 330; builtins see builtins; calling program, name of 997; command line see command line; command not found error message 242, 301, 319; command substitution 965, >82; commands see command; conditional expressions 1017; control structures see control structures; debugging prompt 323, 966; directory stack 310-312; expressions 1016-1024; features 352-353, 354t; file descriptors 987, 987-990; functions 349-352, »8: , 993-994; globbing 363; history see bash history; logical evaluation 1017; menu 983; operators see operators; options, command line 352; pathname expansion 315; Permission denied error message 242, 300, 319; prompt (PS1) 321; prompt (PS2) 322; prompt (PS3) 323, 984; prompt (PS4) 323, 966; quiz shell script 1032; quotation mark removal 357; recursion 1025; redirection operators 299t; set, turns features on and off 353; shopt, turns features on and off 353; special characters 160, 326, 326t; standard error see standard error; standard input see standard input; standard output see standard output; startup files 293-296; string operators 1018t; variables see bash variables; word splitting 323; -x option 966, 1026
bash history 330, 330-346; bind builtin 344; C Shell mechanism, classic 335-339; commands: editing 334-335, 340-346, reexecuting 332-339, viewing 332-333; event 330: designators 336t, modifiers 339t, numbers 331, 335, reference using ! 335-339; expansion 356; history builtin 330, 331; INPUTRC variable 343; quick substitution 338; Readline Library 340-346; Readline variables 344t; substitute modifier 338; variables 330, 331t; word designators 336, 338t
bash parameters 312, 312-325 see also bash variables; $! 996; $# 997; $$ 983, 995; $* 999; $? 996; $@ 965, 9' , 1000; $0 997; $« 997; parameter null or not set error message 1002; positional 996, 996-999; special 994-996; substitution 314
bash variables 312, 312-325 see also bash parameters; * subscript 991; @ subscript 991; array 990; assigning values to 313; attributes 317, 317t, 317-318; attributes, listing 318; BASH_ENV 294; braces around 316; call by value 992; CDPATH 324; COLUMNS 984; completion 343; default values, assigning 1001; default values, substituting 1001; DEFAULT_RUNLEVEL 440, 445; DISPLAY 272; EDITOR 425, 426; ENV 294; environment 312; error messages, displaying 1002; expansion 360; FCEDIT 334; global 992; HISTFILE 331; HISTFILESIZE 331; history 330, 331t; HISTSIZE 330; HOME 319; IFS 323-324; INPUTRC 343; keyword 313, 318-325, 325t; LANG 1107; LINES 984; local 992; MAIL 321; MAILCHECK 321; MAILPATH 321; naming 312; noclobber 248-250; null, expanding 1001; OLDPWD 360; OPTARG 1013; OPTIND 1013; parameter substitution 314; PATH 295, 319-321, 453, 82; PREVLEVEL 438; PS1 321, 322t; PS2 322; PS3 323, 984; PS4 323, 966; PWD 360; quoting 314; RANDOM 1031; Readline 344t; readonly 317; removing 316; REPLY 984, 1004; RUNLEVEL 438; SUDO_EDITOR 425, 426; syntax 316; TERM 147; unset using unset 316; unset, expanding 1001; user created 312, 314-316; VISUAL 425, 426
bash.bashrc file 492
BASH_ENV variable 294
.bash_history file 330
.bash_login file 294
.bash_logout file 294
.bash_profile file 294-295, 331, 35 , 488
.bashrc file 294-295, 488
bashrc file 294
baud 1137
baud rate 1137
Bazaar version control 518
BCPL language 11
BDB 758
Bell Laboratories 3, 292
Berkeley DB 758
Berkeley Internet Name Domain see DNS
Berkeley UNIX 3, 1137
Berners-Lee, Tim 409
bg builtin 255, 309
/bin directory 213
bin directory 214
bind builtin 344
bind directory 836, 841
BIND see DNS
bind9 file 834
binding, key 1156
BIOS 583, 1137; CD/DVD, set to boot from 28; security 620
birthday shell script 985
bit 1137; bucket 250, 489; depth see color depth
bit-mapped display 1137
BitTornado 540
BitTorrent 539-541
BitTorrent, download Ubuntu using 44, 46
bitwise operators 1020, 1023
blank characters 315, 1137, 1173
blanks 160
block; device 504, 1137; disk 1137; number 1137; Perl 1045; special file 1137
blocking factor 1138
Blowfish encryption 1113
.bmp filename extension 203
Boolean operators 1138; ! (NOT) 1024; && (AND) 1017, 1022-1023, 1024; | 1096; || (OR) 1017, 1022-1023, 1024; -a (AND) 961, 1017; -o (OR) 1017; short-circuiting 1022
boot 53, 1138; failure 453; flag 90; loader 1138, see also GRUB; netboot 1161; options 57, 82; parameters 57, 82; system 53, 444
/boot directory 38, 213, 582, 583, 613
bootable flag 90
bootstrap 1138
Bourne, Steve 292, 1138
Bourne Again Shell see bash
Bourne Shell (original) 292, 1138
brace 1138
brace expansion 358
braces, variables and 316
bracket 1138
bracket, character class 1091
branch 1138
break control structure 976
bridge, network 1138
broadcast 1138; address 1138; network 374, 1138; packets 381
Browse/Save window 110
browsers 409, 410; file see Nautilus; Firefox 117; Mosaic 409; Mozilla 410
BSD see Berkeley UNIX
btdownloadcurses utility 540
btshowmetainfo utility 541
buffer 1139; copy 124; disk 450; primary 124; selection 124
bug 1139; bugtraq mailing list 1120; defect tracking systems 518; Launchpad 518
builtins 261, 1002-1015, 1015t, 1139; . 1007; . (dot) 296; : (null) 1002, 1011; [[...]] 1018; alias 346; bg 255, 309; bind 344; cd 209, 231, 324; commands that are symbols 297t; declare 317-318, 991; dirs 310; echo 171, 980, 980t, 995; env 351; eval 351; exec 987, 1006-1009; executing 330; exit 117, 958, 996; export 318, 992; fc 332-335; fg 255, 308; getopts 1012-1015; history 330, 331; jobs 15. , 256; kill 15 , 255, 455-457, 1009, 1010, 1012; let 361, 1016; list using info 261; popd 312; pushd 311; pwd 204; read ~-)7 , 1003-1005, 1005t, 1005-1006; readonly 317, 318; set 353, ^6 , 96S, 998; shift 998; shopt 353; source 296; symbols as commands 297t; test 955-957, 957t, 957, 96 , '6- , 965, >6 , 970, 976; tput 975; trap 975, 1009-1012; type 1003; typeset 317-318, 994; umask 459; unalias 346, 349; unset 316; utilities versus 956
bundle shell script 986
bunzip2 utility 175
Busybox 84
button, Session Indicator 117
buttons 121
by-path file 489
byte 1139
by-uuid file 489
.bz2 filename extension 174, 203
bzcat utility 175
bzip2 utility 174, 602
bzip2recover utility 175

.c filename extension 203
C programming language 10, 11
C++ programming language 12
C89 programming language 11
cable modems 1139
cables 375
cache 1139
cache, DNS see DNS, cache; DNS servers, cache
Cacti 647-658; apache.conf file 651; configuring 652; debian.php file 651; remote data source 654; SNMP 654
calling environment 1139
cancel utility 559
Canonical 31
caret in regular expressions 1092
cascading stylesheet see CSS
cascading windows 1139
case control structure 977-979, 979t, 979-983
case-sensitive 1139
cat utility 162, 245, 247, 960
categories, software package 131, 522
category n cables 375
catenate 162, 246, 1139
cd builtin 209, 231, 324
CD see installation, CD/DVD
CDPATH variable 324
CERN 409
CERT 1120
.cgi filename extension 914
CGI scripts (Apache) 942
chain loading 1140
character; alphanumeric 1134; blank 160, 315, 1137, 1173; classes 259, 1097t, 1140; control 1142; device 504, 1140; escaping 160, 304; list see character, classes; meta 1159, see also special characters; nonprinting 1162; printable 1166; quoting 160, 304; regular 1168; special see special characters; special file 1140; typeface conventions 20
character based 1140
character-based interface see command line; textual, interface
character-based terminal 1140
check see tick
check box 1140
check mark see tick
checksum 1140
child directories 201, 202
child processes 328, 1140
chkargs shell script 956, 958
chkrootkit utility 1124
chmod utility 216-218, 218t, 301
chroot jail 466-470; BIND 847; DNS 847; FTP 703; named daemon 847; uchroot.c program 469
chsh utility 293, 457
CIDR 386, 1140
CIFS 1141
CIPE 1141
cipher 1141
ciphertext 1110, 1141
Clark, Jim 409
class, character 1140
Classless Inter-Domain Routing see CIDR
clean install 32
clear utility 458
cleartext 1141
CLI 1141, see also command line; textual, interface
click and right-click 101
click object 102
click-to-focus 153
CLID 1122
client 1141
client, specifying 461t
client/server model 398
clipboard 125
clock applet 105
CMOS setup 28
CN, LDAP 759
cn=config directory 761
coaxial cable 375
coda filesystem 505
code, reentrant 1168
CODEC 1141
collating sequence, machine 1158
color, Pick a Color window 285
color depth 273, 1141
color quality see color depth
column 628
COLUMNS variable 984
combo box 1141
Comer, Doug 6
comma operator 1021
command 238, 1141, see also builtins; command line; argument 238; completion 342-343; continuing 304; control flow see control structures; editing/repeating 152; execute using exec 1006-1009; executing 330; grouping 306; -h option 240; --help option 241; human-readable option 240; interpreter, shell 126; line see command line; names 238; network extension 388; run remotely using ssh 671; separating 303-306; substitution 362, 362-363, 8: , 965, 98 , 1141
command line 150, 238, 238-243, 1141 see also command; shell; arguments 238, 997; arguments, initialize using set 998; arguments, promote using shift 998; editing 152, 340-346; executing 243; expansion 357-365; interface 1141, see also textual, interface; mistakes, correcting 150; options 239, 239-240, 352, 352t; parse 240, 356; print utilities 559t; printing from 558; processing 240-242, 356; syntax 238; tokens 238, 356; whitespace on the 304; words 238, 356
command not found error message 242, 301, 319
command_menu shell script 979
comments, shell scripts 303, 964
Common Name, LDAP 759
Common UNIX Printing System see CUPS
communication, asynchronous 503
communication, interprocess 170, 503
comparison operators 1020
Compiz window manager 115, 155
completion; command 342-343; filename 1148; pathname 342; Readline 342; Readline commands 342-343; variable 343
component architecture 1142
compressing files 174-178; bunzip2 utility 175; bzcat utility 175; bzip2 utility 174, 602; bzip2recover utility 175; compress utility 176, 203; gunzip utility 175; gzip utility 175; OpenSSH 684; uncompress utility 203; utilities 194t; zcat utility 175
computer, diskless 1145
computing, distributed 1145
concatenate see catenate
concentrator see hub
condition code see exit status
conditional evaluation operators 1021
conditional expressions 1017
.conf filename extension 460
.config file (kernel) 575-579
config file (OpenSSH) 674
config.autogenerated file (exim4) 724
configuration file rules 460
Configure and Build System, GNU 542
configure shell script 542
connectionless protocol 1142
connection-oriented protocols 380, 1142
console 1142; recovery mode 445; security 420; virtual 83, 149, 1180
context menu 104
context menu, Object 104, 126, 127t
continue control structure 976
control bars, Nautilus 278
control character 1142
control flow see control structures
CONTROL key 20
control structures 954-987, 1142; break 976; case 977-979, 979t, 979-983; continue 976; for 968-970; for...in 967-968; Here document 985-987; if...then 954-958; if...then...elif 961-966; if...then...else 958-960; select 983-985; until 974-976; while 970-973
CONTROL-\ key (quit) 152
control-alt-delete event 451
control-alt-delete file 451
CONTROL-C key (copy) 124
CONTROL-C key (interrupt) 152
CONTROL-D key (EOF) 245
CONTROL-D key (exit) 117
CONTROL-H key (erase character) 151, 240
CONTROL-Q key (Xoff) 147
CONTROL-U key (line kill) 151, 240
CONTROL-V key (paste) 124
CONTROL-V key (quote CONTROL keys) 160
CONTROL-W key (delete word) 151
CONTROL-W key (erase word) 240
CONTROL-X key (cut) 124
CONTROL-X key (line kill) 151
CONTROL-Z key (suspend) 151, 255
convention, end line key 20
conventions, in this book 19-21
cookie 1142
Coordinated Universal Time see UTC
copy buffer 124
copyleft 6
core file 522
correcting typing mistakes 150
count shell script 971
count_down function 994
country code domain name designation 399
cp utility 163, 212
cp versus ln 229
CPAN 1079
cpdir shell script 307
cpio utility 602, 02
CPU 1143; installation requirements 28; intensive processes, report on using top 610
crack utility 620
cracker 1143
crash 452, 1143
creation date of files, display using ls 216
cron daemon 403, 605, 606
cron daemon, run-parts utility 607
cron.allow file 491
cron.d directory 403, 606, 607
cron.deny file 491
crontab 606
crontab file 403, 606
crontab files 606
crontab utility 40 ; , 491
crontabs directory 403
crontabs file 606
cryptography 1143, see also encryption
csh Shell 1139
.cshrc file 1143
CSRG (Computer Systems Research Group) 3
CSS 1143
CUPS 548 see also printer; printing; command-line interface 561-565; configuring a printer 560-561; cups init script 549; cupsd.conf file 565; cupsdisable utility 565; cupsenable utility 565; cupsys init script 549; custom directory 563; drivers, display using lpinfo 561; firewall setup 549; IPP protocol 548; JumpStart: configuring a local printer 549; JumpStart: setting up a local or remote printer using the CUPS Web interface 555; more information 549; ppd directory 563; PPD files 561; prerequisites 548; print queue, managing 551, 564; URIs 552, 562; Web interface 555-558, 560-561
cups init script 549
cupsaccept utility 564
cupsd.conf file 565
cupsdisable utility 565
cupsenable utility 565
cupsreject utility 564
cupsys init script 549
current 1143
current directory see working directory
cursor 1143
custom directory (CUPS) 563
custom.conf file 271
cut and paste 124, 403
cut utility 361
cycling, window 124
cypher 1141

daemons 402t, 1144; in. prefix 402; messages 500; network 372, 402; NetworkManager 642; rpc. prefix 402; start and stop using sysv-rc-conf 441-443; superserver see inetd daemon; xinetd daemon
daily file 607
dash shell 15, 292
data link layer, IP model protocol 380
data sink 250
data structure 1144
database 628; Berkeley 758; dbm 1144; gdbm 1144; ndbm 1144; NIS 1162; printcap 495; Sleepycat 758; SQL 1173; whatis 139
datagram, network 373, 1144
datagram-oriented protocol 381
dataless system 774, 1144
date utility 172, »99
db.127 file (DNS) 844
db.local file (DNS) 843
db.root file (DNS) 841
DB_CONFIG file 760
dbm database 1144
DC, LDAP 758
dd utility 490
DDoS attack 1144
.deb filename extension 533
deb files 533
Debian Almquist Shell 15, 292
Debian package management system see dpkg
debian.php file (Cacti) 651
debian-installer 85-91
debug 1144; bash prompt 323, 966; FTP 697; NIS 748, 756; nmblookup 818; OpenSSH using -e 681; OpenSSH using -v 681; scp using -v 674; server using telnet 393; shell scripts 966; shell scripts using xtrace 1026; ssh using -v 672; sshd using -d 678
DEBUG signal 1009
declare builtin 317-318, 991
decorations, window 155
decrement operators 1021
default 1144
default directory 492
default file (Apache) 934
DEFAULT_RUNLEVEL variable 440, 445
defaultdomain file (NIS) 745, 746
defect tracking systems 518
DEL key (erase character) 151
delete character using BACKSPACE 151
delete line using CONTROL-U 151
delete word using CONTROL-W 151
delimiter, regular expression 1090
delta, SCCS 1144
demand mounting, filesystem 793
denial of service see DoS attack; DDoS attack
dependencies see software packages, dependencies
depmod utility >82
dereference 1144
DES (Data Encryption Standard) 1113
descriptors, file 297
desktop 17, 99-117, 117, 1144 see also installation, CD/DVD; appearance 113; focus 1149; font preferences 284; manager 17, 1144; panel see panel; resolution, changing the 154; terminology 117; theme 113; visual effects 115; window see window; workspace 101; Xfce 2
Desktop CD see installation, CD/DVD
Desktop directory 108-111
detached process see background, process
/dev directory 213, 244, 488-491, 502
devfs filesystem 502
device 1145; block 504, 1137; character 504, 1140; drivers 501, 504, 1145; filename 1145; files 244, 501, 1145, see also special files and /dev in the File Tree Index (page 1185); files, exporting 785; floppy diskette 488; hotplug 502; IDE disk 489; independence 16; major number 1158; MD 92; multidisk 92; names, dynamic (udev) 502; non-IDE disk 489; nonrewinding 605; null 250, 489; number, major 503, 1158; number, minor 503, 1160; physical 1165; pseudoterminal 490; raw 504; raw mode 504; special files see device, files; special files; terminal 1008; UUID numbers 489
devpts filesystem 505
df utility 774
dhclient utility 471, 472
dhclient.conf file 472
dhclient.interface.leases file 472
DHCP 470-474, 1145; dhclient utility 471, 472; dhclient.conf file 472; dhclient.interface.leases file 472; dhcp3 file 472; dhcp3-server file 473; dhcpd daemon 471, 473; dhcpd.conf file 473, 474; dhcpd3-server init script 473; MAC addresses 474; more information 471; prerequisites, client 472; prerequisites, server 472; running from firestarter 867; static IP addresses 474
dhcp3 file 472
dhcp3-server file 473
dhcpd daemon 471, 473
dhcpd.conf file 473, 474
dialog box 1145
dial-up connection 147
die, process 330
diff utility 168
Diffie-Hellman encryption 1112
dig utility 396, 832-833, 835
digital signature 1111
Direct Rendering Infrastructure (DRI) 589
Direct Rendering Module (DRM) 590
directory 13, 161, 201, 500, 1145, see also the File Tree Index (page 1195); . 210, 501; .. 210, 501; / (root) 205, 213; ~ (home) see home directory; access permissions 220-221; access, speed up using tune2fs 514; change using cd 209; child 201, 202; compacting 624; create using mkdir 208-209; current see working directory; delete using rmdir 210; encrypted home 90; file 201, 1145; folder and 107; hierarchy 35, 1145; home see home directory; important 488; LDAP 758, 758; links to 226-232; list using ls 161; make using mkdir 208-209; mount remote using NFS 777-780; move using mv 212; moving (inodes) 501; parent 201, 202; pathname 201; remove using rmdir 210; rename using mv 212; root 200, 213, 1170; root (/) 35, 37, 205; service 1145; stack 310, 310-312, 360; standard 213-215; tree see directory, hierarchy; working see working directory
dirs builtin 310
disk; block 1137; buffer 450; filesystem 34; floppy see floppy diskette; formatting, low-level 33; fragmentation 621; free space 33, 621, 1149; IDE, device name 489; LBA addressing mode 583; monitor using SMART 69; non-IDE, device name 489; partition see partition; quotas 625; RAM 43; space, installation requirements 28; usage, monitoring 620; utility, gparted 64-66; utility, palimpsest 66-70; utility, ubiquity 70-74; volume label 458
diskette, floppy see floppy diskette
diskless 1145
diskless system 774
display; bit-mapped 1137; color depth 273, 1141; graphical 1150; number, X Window System 272; problems when booting 82; resolution, changing 154
-display option, X Window System 273
DISPLAY variable 272
displaying see also displaying a file; date using date 172; GID using id 432; hidden filenames 258; kernel messages using dmesg 444, 589; machine name 163; PID using pidof 457; text using echo 171; UID using id 432
displaying a file; beginning of, using head 166; end of, using tail 167; group, using ls 216; hidden, using ls 258; links, number of using ls 216; owner of, using ls 216; size of, using ls 216; sorted, using sort 168; type of, using ls 216; using cat 162; using less 162; using more 162
distributed computing 397, 1145
distribution, Linux 6
distribution, Perl 1045
division operator 1020
dmesg utility 444, 589
dmraid boot parameter 82
.dmrc file 449
DMZ 1145
DN, LDAP 758
DNS 399-401, 821-833, 1145 see also DNS records; DNS servers; DNS zones; address, look up using host 396; authority 824; BIND 400; bind directory 836, 841; bind9 init script 834; cache 830; cache, setting up 839-844; chroot jail 847; configuring 836-839; database 827; db.127 file 844; db.local file 843; db.root file 841; delegation 825; dig utility 396, 832-833, 835; domain 822; domain name see domain, name; domain qualification 839; firewall setup 833; FQDN 823; host utility 396, 833; in-addr.arpa domain 831; inverse mapping see DNS, reverse name resolution; ip6.int domain 831; iterative queries 825; JumpStart: setting up a DNS cache 834; log 849, 852, 854; more information 833; name, look up using host 396; named daemon 833; named directory 847; named.conf file 836, 839-841, 851, 856; named.conf.options file 841; node 822; notify statement 854; nsswitch.conf file 833; origin see DNS zones, name; prerequisites 834; queries 825, 830; resolv.conf file 834, 835; resolvconf utility \9• , 834, 835; RESOLVCONF variable 834; resolver 824; reverse mapping see DNS, reverse name resolution; reverse name resolution 831-833; root domain 823, 824; security 822; subdomain 824; time format 839; troubleshooting 849; TSIGs (transaction signatures) 845-847, 850; TTL value 829; view clauses 855
DNS records; A (address) 828; AAAA (address, IPv6) 828; CNAME 828; glue 844; MX 828; NS 828; PTR 828; resource 827-830; SOA 829; TXT 830
DNS servers; cache 827, 834; full-functioned nameserver 850-854; primary master 826; secondary 827; slave 827, 854; split horizon 855-859; types of 826
DNS zones 824; clause, named.conf 838; files 838, 841; hints 841; name 838, 839; root 842
doc directory 143, 215, 616, 1100
doc file 408
Document Object Model see DOM
Documentation file (kernel) 143
documentation see help
dollar sign in regular expressions 1092
DOM 1146
domain see also DNS; in-addr.arpa 831; ip6.int 831; name 1146; country code 399; not case-sensitive 400; NIS 742; root 824
Domain Name Service see DNS
door 1146
DoS attack 1146
DOS files, convert from/to Linux format 173
DOS, mounting filesystems 508
double quotation marks see quotation marks
double-click timeout, mouse 106
Dove processor architecture 30
Dovecot IMAP and POP servers 735
downloading Ubuntu 27, 43-46
dpkg 518, 532-539; deb files 533; dpkg utility 534, 535t, 536-539; postinst script 533; preinst script 533; source files 534
dpkg utility 534, 536-539, see also dpkg
dpkg-reconfigure utility 726
DPMS 1146
drag 1146
drag-and-drop 1146
dragging an object 106
DragonSquire IDS utility 1119
drawers 121
DRI (Direct Rendering Infrastructure) 589
drivers, device 501, 1145
drivers, NTFS 1105
DRM (Direct Rendering Module) 590
drop-down list 1146
druid 1146
DSA (Digital Signature Algorithm) 1113, 1146
DSA, LDAP 758
DSE, LDAP 758
DSL 374, 1147
dsniff utility 1124
DSO, Apache 900
dual-boot system 76
dump utility 492, 511, 603-605
dumpdates file 492, 603
duplex network 375
DVD, live/install see installation, CD/DVD
Dynamic Host Configuration Protocol see DHCP
dynamic IP address 382
dynamic shared objects, Apache 900

e2label utility 458
echo builtin 171, 980, 980t, 995
echo utility 995
ed utility 166
edd boot parameter 82
editions, Ubuntu 32
EDITOR variable 425, 426
editors 1147; command line 340-346; ed 166; EDITOR variable 425, 426; gparted 64-66; palimpsest 66-70; parted 611-614; Readline Library 340-346; SUDO_EDITOR variable 425, 426; ubiquity 70-74; vi see vim; vim see vim; VISUAL variable 425, 426
edquota utility 625
Edubuntu 2
Edwards, Dan 1177
EEPROM 1147
effective user ID 1147
egrep utility 1096
element 1147
El-Gamal encryption 1112
email see mail; exim4
emblems, Nautilus 129, 278
emoticon 1147
Empathy IM client 117
empty regular expressions 1094
emulator, operating system 8
emulator, terminal 125, 147, 287
encapsulation see tunneling
encryption 1110, 1110-1115; 3-DES 1113; AES 1113; algorithm 1110; asymmetric see encryption, public key; Blowfish 1113; DES 1113; Diffie-Hellman 1112; digital signature 1111; DSA 1113; El-Gamal 1112; GnuPG 1113; home directory 90; IDEA 1113; implementation 1113; key 1110; OpenSSH 664; PEM 1115; PGP 1113; private key 1111; public key 664, 1111, 1111; RC5 1113; RSA 1112, 1170; secret key see encryption, symmetric key; symmetric key 1111, 1112; web of trust 1114
end line key 20
end of file see EOF
Enquire program 409
ENTER key 20
enter-exit focus 154
enter-only input focus 153
Entry, LDAP 758
env builtin 351
ENV variable 294
environment see calling environment
environment, variables 312
EOF 1147
EOF signal, send using CONTROL-D 245
EPROM 1147
-eq relational operator 1018
equality operators 1020
erase key (CONTROL-H) 151, 240
erase word key (CONTROL-W) 240
erasing a file completely 490
ERR signal 1009
error messages see also messages; usage messages; 404 Not Found (Apache) 948; Apache 948; command not found 242, 301, 319; display for a variable using :? 1002; Login incorrect 448; mount: RPC: Program not registered 777; NFS server xxx not responding 776, 779; parameter null or not set 1002; Permission denied 242, 300, 319; redirecting to standard error 299, 958; rlimit_max 817; RPC: Program not registered 790; Stale NFS file handle 791; standard error see standard error; system 500
error, standard see standard error
errors, correcting typing mistakes 150
escape a character 160, see also quotation marks; quoting
etab file 789
/etc directory 214, 491-497
Ethernet network 374, 375, 1147
eval builtin 351
event 437, 1147; asynchronous 1136; bash history see bash history; control-alt-delete 451; firestarter 870; Upstart 433; X Window System 269
Evolution LDAP client 767
exabyte 1147
exec builtin 987, 1006-1009
exec() system call 303
execute; access permission 215, 300-302; commands 243, 330; files in the working directory 301; shell scripts 303
exim.crt file 736
exim.key file 736
exim4 714-727 see also mail; aliases 722; config.autogenerated file 724; configuration type 717, 719; configuration variables 725; configuring 724-727; dpkg-reconfigure utility 726; exim.crt file 736; exim.key file 736; exim4 directory 724; exim4 file (default) 724; exim4.conf.localmacros file 724, 737; eximon utility 724; eximstats utility 724; firewall setup 716; .forward file 723; frozen messages 720, 722; functionality 720; init script 716; JumpStart: configuring exim4 to send and receive mail 718; JumpStart: configuring exim4 to use a smarthost 716; local and nonlocal systems 716; logs 716, 720; mail file 720; mailname file 718; mailq utility 723; masquerade 1159; message ID 720; messages, removing 722; options 721; prerequisites 715; self-signed certificates 736; sendmail and 716; smarthost 714, 717; split configuration 725; SSL 736; testing 718; update-exim4.conf utility 724; update-exim4.conf.conf file 724
exim4 directory 724
exim4 file (default) 724
exim4.conf.localmacros file 724, 737
eximon utility 724
eximstats utility 724
exit builtin 117, 958, 996
EXIT signal 1009
exit status 36, 5<, 958, 996, 1147
expansion
  arithmetic (bash) 360-362, 1021
  command line 357-365
  pathname 256
  tilde 206
explicit focus 153
exploit 1147
exponentiation operator 1020
export builtin 318, 992
export, device files 785
export, links 785
exportfs utility 785, 791
exports file 783, 786-789
expressions 1147
  arithmetic 1135
  logical 1158
  regular see regular expression
ext2/ext3/ext4 filesystem 505, 512
extended regular expressions see regular expressions, extended
Extensible Markup Language see XML
extensions, filename see filename, extensions
extranet 1147
Fahlman, Scott 1172
failsafe login 146
failsafe session 1148
failsafe terminal 146
fake RAID 41
false utility 495, 1022
fc builtin 332-335
FCEDIT variable 334
FDDI network 1148
fdformat utility 509
fdisk utility see parted utility
fdn file 488
fg builtin 255, 308
FHS (Linux Filesystem Hierarchy Standard) 14, 213
Fiber Distributed Data Interface see FDDI
FIFO special file 503
fifth layer, IP model protocol 380
file 13, 1148
  see also displaying a file; filename
  access permissions see access permissions
  ambiguous references 256
  archiving 174-178
  backup see backup
  block special 1137
  browser see Nautilus
  character special 1140
  compare using diff 168
  compress see compressing files
  configuration, rules 460
  contents, identify using file 170
  convert from/to Linux/Windows format 173
  copy using cp 163, 212
  create using cat 246
  creation date, display using ls 216
  creation mask, specify using umask 459
  crontab 606
  deb 533
  descriptors 297, 987, 987-990
  device see /dev directory; device files; special files
  directory see directory
  display see display file
  download using wget 543
  duplicate lines in, remove using uniq 168
  edit using vim 186-193
  erasing completely 490
  file utility 170, 500, 1122
  group assignment 493
  group, display using ls 216
  growing quickly 621
  hidden 204, 1151
  important 488
  inode see inodes
  invisible see filename, hidden
  ISO image 43
  job definition (Upstart) 434
  links to 226-232
  links, display number of using ls 216
  log, checking 620
  manager see Nautilus
  map 794
  move using mv 212
  moving (inodes) 501
  names see filename
  open using Nautilus 118
  open, locate using lsof 618
  order using sort 168
  ordinary 201, 500, 1163
  owner, display using ls 216
  pathname 201
  permissions see access permissions
  PPD 561
  print using lpr 165
  reference, ambiguous 1134
  remove using rm 162
  rename using mv 212
  rotate 1170
  search for using mlocate 180
  search for using Search for Files window 286
  security 1115
  sharing model 398
  size, display using ls 216
  size, displaying easily readable 240
  software package containing, search for 521, 538
  sort using sort 168
  sparse 1173
  special see /dev directory; device, files
  standard 213-215
  startup 204, 293-296, 1174
  tar 176
  temporary 983
  terminal 244
  trash, moving to 111
  truncating 621
  type of, display using ls 216
  utilities 194t
  wiping 490
File Browser versus Spatial windows, Nautilus 108
File Browser window 107
file utility 170, 500, 1122
filename 205, 1148
  / (root) 205
  ambiguous references 256
  basename 205, 1137
  case-sensitivity 20, 202
  change using mv 164
  characters allowed in 202
  completion 1148
  conventions 20
  device 1145
  extensions 203, 203t, 1148
  extensions, remove using an event modifier 339
  generation 15, 256-260, 363, 1148
  hidden 204, 1151
  length 201, 202, 459, 983
  root directory (/) 205
  simple 205, 242, 1172
  temporary 983
  typeface 20
  unique 983, 995
  Windows 202
filesystem 34, 199, 505t, 1148
  access, speed up using tune2fs 514
  autofs 793
  bootable flag 90
  create using mkfs 458
  demand mounting 793
  devfs 502
  ext2/ext3/ext4 505, 512
  filename length 459
  free list 501, 1149
  hierarchy 200
  independence 36
  integrity check 512
  journaling 505, 514, 1155
  mount
    automatically 793
    on demand 793
    point 36, 89, 507, 793, 1160
    remote 777-780
    table 510
    using mount 506-509
  naming 36
  proc 497
  RAID see RAID
  remote 1169
  repair 452
  Standard, Linux (FSSTND) 213
  structure 13
  superblock 1175
  swap 37, 498
  sys 499
  tune using tune2fs 512-514
  unmount using umount 509
Filesystem, Standard, Linux (FSSTND) 14
Filesystems Hierarchy Standard, Linux (FHS) 14
filling 1148
filters 16, 253, 1148
find utility 15, 622, 966
finger utility 181, 183t, 389, 103
fingerd daemon 389, 403
Firefox 117
firestarter 864
  see also gufw; iptables; ufw
  configure using Firewall Wizard 867-868
  default policy 865
  DHCP, running from 867
  firestarter directory 866
  Internet connection sharing 868
  iptables compared to 866
  JumpStart: configuring a firewall using the firestarter Firewall Wizard 867
  NAT, running from 868
  policy (editing rules) 872-874
  prerequisites 866
  window (GUI) 868-874
firestarter directory 866
firewall 379, 1148, see also firestarter; gufw; iptables; ufw; "firewall setup" under the protocol you are running (e.g., NFS, firewall setup)
firewall terminology 864
Firewall toolkit 1125
firmware 1149
floppy diskette, device name 488
floppy diskette, format using fdformat 509
floppy diskette, mounting 508
focus, desktop 1149
focus, input 124, 153
focus-strictly-under-mouse 154
focus-under-mouse 153
folder 107, see also directory
font preferences, GNOME 284
font, antialiasing 1135
font, Pick a Font window 284
footer 1149
for control structure 968-970
for...in control structure 967-968
foreground 254, 1149
foreground, background versus 254
fork 328, 1149
fork() system call 303, 328, 330, 947
.forward file 723
FQDN 387, 400, 823, 1149
fragmentation, disk 621
frame, network 373, 1149
framebuffer boot parameter 82
free list, filesystem 501, 1149
free software definition 1129
free space, disk 33, 621, 1149
Free Standards Group (FSG) 213
freedesktop.org group 276
fromdos utility 173
fsck utility 504, 512
FSG (Free Standards Group) 213
FSSTND (Linux Filesystem Standard) 14, 213
fstab file 507, 510, 778, 781
FTP
  see also FTP clients; vsftpd
  ASCII transfer mode 694
  binary transfer mode 694
  debugging 697
  ftp directory 700
  ftp utility 688, 695-698
  ftpd daemon 403
  ftpusers file 711
  JumpStart: downloading files using ftp 690
  JumpStart: starting a vsftpd FTP server 700
  lftp client 674
  more information 689
  PASV (passive) connection 689, 1164
  PORT (active) connections 689
  prerequisites 690, 699
  pub directory 694
  security 688, 695, 699, 705
  sftp client 674
FTP clients
  anonymous login 694
  automatic login 694
  basic commands 690
  list of 689
  prerequisites 690
  tutorial 690-693
  using 694-698
ftp directory 700, 703, 705
ftp file 700, 703, 705
ftp utility 688, 695-698
ftpd daemon 403
ftpusers file 711
full backup 599
full duplex 1149
full regular expressions see regular expressions, extended
full-duplex network 375
fully qualified domain name see FQDN
function keys, initial install screen 79
functions 1149
  bash 349-352, 988, 993-994
  count_down 994
  makepath 1026
  mycp 988
  shell 1171
fuser utility 510
fwtk utility 1125

G

Gaim see Empathy IM client
games directory 214
gateway 1149
gateway, network 376
gateway, proxy 405
gawk see mawk
gcc see C programming language
GCOS see GECOS
gdbm database 1144
-ge relational operator 1018
GECOS 757, 1150
generic operating system 10
getfacl utility 222-226
gethostbyname() system call 833
getopts builtin 1012-1015
getpwnam() function 743
getpwuid() function 743
getty utility 328, 448
GFS filesystem 505
gibibyte 37, 1150
GID 492, 1150
GID in passwd file 494
GID, display using id 432
.gif filename extension 203
gigabyte 37, 1150
git utility 574
gksudo utility 423
globbing 256, 363
glyph 1150
GMT see UTC
GNOME 99, 275
  desktop see desktop
  font preferences 284
  GTK 275
  Nautilus see Nautilus
  object see object
  panel see panel
  terminal emulator 287
  terminology 117
  window see window
  workspace see workspace
gnome-search-tool utility 286
gnome-terminal utility 287
GNU
  Configure and Build System 542
  General Public License (GPL) 6
  GNUStep window manager 276
  manuals 1101
GnuPG encryption 1113
gopher utility 409
gparted utility 64-66
GPG 1113
GPL (GNU General Public License) 6
gpm daemon 403
Grand Unified Boot Loader see GRUB
graphical display 1150
graphical installation
  see also installation; installation CD/DVD; installation disk
  documents and settings, migrating 60
  guided partitioning 70
  installer 57-63
  installer language 58
  keyboard layout 59
  keyboard, using 58
  mouse, using 58
  partitioning 60, 70-74
  partitioning, guided 60
  partitioning, manual 72
  Ready to install screen 62
  system 57-63
  time zone 59
  ubiquity utility 57-63, 70-74
  user, first 61
graphical user interface see GUI
grave accent see command, substitution
grep utility 166, '7, 985, 1042
group 492
  access permission 215
  admin and sudo 428
  display name using ls 216
  file assigned to 493
  ID see GID
  password 492
  user private 493
  users 1150
  wheel 482
  windows 1150
  www-data (Apache) 901
group file 492, 598, 1082
groupadd utility 598
groupdel utility 598
groupmod utility 598
groups utility 493
GRUB 583-589
  grub.cfg file 587
  GRUB_CMDLINE_LINUX_DEFAULT variable 571
  grub-install utility 589
  grub-mkconfig utility 587
  hidden timeout 585
  MBR (master boot record) 84, 91, 583, 589
  menu 445-448
  menu.lst file 584
  quiet boot parameter 57
  splash boot parameter 57
  update-grub utility 8, 587-588
GRUB 2 see GRUB
grub file 584-586
grub.cfg file 584, 587
grub.d directory 586
grub-install utility 589
grub-mkconfig utility 587
gssd daemon 777
-gt relational operator 1018
GTK 275
guest (virtual machine) 8
gufw utility 876-880
GUI 30, 30, 1150
  checkbox 1140
  check mark see GUI, tick
  check see GUI, tick
  combo box 1141
  dialog box 1145
  drag 1146
  drag-and-drop 1146
  drop-down list 1146
  list box see GUI, drop-down list
  radio button 1167
  root privileges and 423
  scrollbar 1171
  slider 1172
  spin box 1173
  spinner see GUI, spin box
  text box 1176
  thumb 1177
  tick 1177
  tick box see GUI, check box
  tooltip 1177
  WYSIWYG 1181
  X Window System 17
guided partitioning 36, 60, 60, 70
gunzip utility 175
.gz filename extension 175, 203
gzip utility 175

H

-h option 142, 240
hacker 1150
HAL (hardware abstraction layer) 641
half duplex 1150
half-duplex network 375
halt utility 450, 452
hang up signal 1009
hard disk see disk
hard links see links, hard
hardware
  installation requirements 27
  list using lshal 641
  list using lshw 640
  PCI devices, list using lspci 640
  USB devices, list using lsusb 641
  visual effects, required for 28
hash 1151
  one-way 1163
  SHA1 algorithm 1171
  table 1151
hdn file 489
head utility 166
header, document 1151
help
  documentation 136-144, 1101t
  error messages 143
  GNU manuals 144
  -h option 142
  -help option 142
  --help option 142, 241
  HOWTOs 142
  info utility 139-142
  Internet 143
  Linux Documentation Project 144
  Linux sites, helpful 1102t
  local 143
  log files 1100
  mailing lists 1103t
  man pages 136-138
  newsgroups 1103
  obtaining 136-144, 408, 454, 1101-1106
  office suites and word processors 1106t
  problem solving 1100
  security 1124
  software, downloading 1104t
  system manuals 136-142
  Ubuntu Help Center 136
  Ubuntu Web site 144
  words, looking up 1104t
Help Center window, Ubuntu 116, 136
-help option 142
--help option 142, 241
Here document control structure 985-987, 1151
hesiod 1151
heterogeneous 1151
hexadecimal number 1151
hfs filesystem 505
hidden file 1151
hidden filenames 204
hidden filenames, display using ls 258
hidden timeout 585
hierarchy 1151
hierarchy, filesystem 200
hinting, subpixel 1175
HISTFILE variable 331
HISTFILESIZE variable 331
history 1152, see also bash history
history builtin 330, 331
HISTSIZE variable 330
/home directory 39, 214
home directory 161, 204, 319, 1152
  shorthand for 206, 319
  automount 792
  passwd file and 494
  .ssh 666
  startup files 204
  working directory versus 210
home directory 90
HOME variable 319
host
  address 381
  based trust 391
  key, OpenSSH 664
  nickname 387
  security 1119-1124
  specifying 461t
  trusted 391
  virtual machine 8
host utility 396, 833
hostname 386-388, 493
  changing 493
  characters allowed in 824
  symbolic 401
hostname file 493
hostname utility 163, 388, 493
hosts file 386, 493
hosts.allow file 461, 465-466
hosts.deny file 461, 465-466
hosts.equiv file 391
hotplug system 502
hover 102, 1152
HOWTOs 142
hpfs filesystem 505
hping utility 1125
.htaccess file 909, 945
.htm filename extension 914
HTML 409, 1152
.html filename extension 914
.htpasswd file 946
HTTP protocol 1152
HTTPS protocol 943
hub 375, 1152
human-readable option 240
humor 6, 1118, 1172
hunks (diff) 169
HUP signal 1009
hypermedia 410
hypertext 409, 1153
Hypertext Markup Language see HTML
Hypertext Transfer Protocol see HTTP
hypervisor 8
I/O device see device
IANA (Internet Assigned Numbers Authority) 402, 1153
ICANN (Internet Corporation for Assigned Names and Numbers) 382
ICMP packet 394, 1153
icmp_seq 394
icon 1153
iconify 1153
ID string, X Window System 272
id utility 424, 432
IDEA encryption 1113
idmapd daemon 777
IDSs 1119, 1126
if...then control structure 954-958
if...then...elif control structure 961-966
if...then...else control structure 958-960
ifconfig utility 474
IFS variable 323-324
ignored window 1153
IM client (Empathy) 117
IMAP server (Dovecot) 735
imap-login daemon 735
in.fingerd daemon 389, 403
in-addr.arpa domain 831
include directory 214
increment operators 1021
incremental backup 599
indentation see indention
indention 1153
inequality operator 1020
inetd daemon 464
info directory 215
info utility 139-142
infrastructure mode, wireless 640
init daemon see Upstart
init directory 434, 438
init scripts 440
init utility 328
init.d directory 440
initctl utility 434
initng daemon 432
inittab file 439, 493
inodes 501, 1153
  alter using mv 501
  create reference using ln 501
  delete reference using rm 501
  display using ls 229
  locate using find 966
input 1153
input focus 124, 153
input, standard see standard input
input/output device see device
.inputrc file 343
INPUTRC variable 343
insmod utility 582
installation 25-98
  see also graphical installation; installation CD/DVD; installation disk
  basic 53-63
  BIOS, set to boot from CD/DVD 28
  boot parameters 57, 82
  clean install 32
  clean install versus upgrade 32
  CMOS setup 28
  computer 1153
  CPU requirements 28
  Desktop CD/DVD menus 78
  dual-boot system 76
  Expert mode 82
  function keys 79
  gparted partition editor 64-66
  hardware requirements 27
  interface 31
  KDE 75
  Kubuntu 75
  live session 52
  palimpsest partition editor 66-70
  planning 27
  processor architecture 29
  RAID 40, 91
  RAM (memory) requirements 28
  RAM (memory), test using memtest86+ 79
  SHA1SUMS file 46
  steps 42
  textual installer 77, 85-91
  textual system 80
  ubiquity partition editor 57-63, 70-74
  upgrade 33
  virtual consoles 83
installation CD/DVD 32
  Alternate 32, 77
  basic installation 53
  BIOS, set to boot from 28
  burning 47
  checking for defects 79
  Desktop 26, 32
  F4 menu selections 81t
  function keys 79
  ISO image, downloading 43-46
  ISO image, verifying 46
  live/install 26, 32, 55, 77
  menu 54
  menu selections 78t
  Minimal 32
  Server 32, 77
  software, installing from 131
installation disk
  formatting 33
  free space 33
  guided partitioning 36
  partition
    create using ubiquity 70
    delete using gparted 66
    delete using palimpsest 69
    display using palimpsest 67
    resize using gparted 65
  set up 33
  set up using gparted 64-66
  set up using palimpsest 66-70
  set up using ubiquity 70-74
  setup, guided 36
  setup 60
  space requirements 28
INT signal 1009
Integrated Services Digital Network see ISDN
interactive 1153
interface 1154
  character-based see command line; textual, interface
  command line see command line; textual, interface
  graphical user see GUI
  pseudographical 30, 150
  textual see command line; textual, interface
  user 1179
internal field separator see IFS variable
International Organization for Standardization see ISO
Internet 372, 1154
  Assigned Numbers Authority see IANA
  browsers 410
  connection sharing 868, 892-896
  Control Message Protocol see ICMP
  look up site information using jwhois 396
  multiple clients on a single connection 893
  multiple servers on a single connection 896
  netiquette 1161
  netnews see netnews; newsgroup
  Printing Protocol see IPP
  Protocol Security see IPSec
  Protocol see IP; TCP/IP
  search engines 411
  service provider see ISP
  services 407-409
  URI 1179
  URLs 410, 1179
internet (lowercase "i") 1154
internetwork 372
InterNIC 396
interprocess communication 16, 170, 503, 503
interrupt key 151, 152
intranet 372, 1154
intrusion detection system see IDS
invisible files see hidden filenames
IP 1154
  see also IP address; IPv6
  classes 382, 383t, 383-386
  dynamic address 382
  IPng 387
  IPv6 387
  masquerading 881, 890, 893
  multicast see multicast
  protocol model 380
  spoofing 1154
  static address 382
  TTL header field 395
  version 6 see IP, IPv6
IP address 1154
  client, specifying 461t
  computations 384t
  loopback service 493
  representation 382
  static 474
ip6.int domain 831
IPC 1155
ipchains utility 880
IPP protocol 548
IPSec 1117
iptables 880-883
  see also firestarter; gufw; iptables rules; ufw
  chain 880
  chain policy 886
  classifiers 880
  command line 884-885
  commands 885
  connection tracking 882, 889
  conntrack module 882
  display criteria 887
  DNAT targets 881, 890
  Filter table 881
  firestarter compared to 866
  Internet connection sharing 892-896
  IP masquerading 893
  ipchains utility 880
  iptables-restore utility 891
  iptables-save utility 891
  jumps 885
  Mangle table 881
  masquerade 1159
  MASQUERADE targets 881, 890
  match criteria 884
  match extensions 887-890
  matches 880
  more information 883
  NAT table 881
  NAT, running from 892-896
  netfilter 880
  network packets 882
  packet match criteria 884, 887
  policy command 886
  prerequisites 883
  protocols file 888
  resetting rules 883
  router 892, 896
  SNAT targets 881, 891
  state machine 882, 889
  targets 880, 881, 885, 890-891
iptables rules 880
  building a set of 885
  example 880
  match criteria 884
  number 884
  saving 891
  specification 884
iptables-restore utility 891
iptables-save utility 891
IPv6 387, 1155
  see also IP
  address records, DNS 828
  ping6 394
  traceroute6 395
IRC, Ubuntu channels 144
irqpoll boot parameter 82
is_regfile shell script 957
ISDN 374, 1155
ISO 1155
ISO image file 43
ISO protocol model 380
ISO9660 filesystem 505, 1155
ISP 1155
issue file 147
JeOS 80
jffs2 filesystem 505
job 254, 307
  control 16, 254, 307-310, 1155
  jobs builtin 256
  number 254
  number, determining using jobs 256
  suspend using CONTROL-Z 255
  Upstart 433, 434, 435-436
jobs builtin 152
John the Ripper utility 1125
journaling filesystem 505, 514, 1155
Joy, Bill 1139
JPEG 1155
.jpeg filename extension 203, 1155
.jpg filename extension 203, 1155
justify 1155

K

K&R 12
KDE 99, 275
  Adept package manager 525
  desktop 17
  installing 75
  Kubuntu 2
  portability 275
  Qt toolkit 275
kdesudo utility 423
Kerberos 1156
kerberos utility 1121
kernel 6, 1156
  see also Linux
  booting 444
  compiling 579
  .config file 575-579
  configuring 575-579
  depmod utility 582
  insmod utility 582
  installing compiled 582
  loadable module 580, 1157
  lsmod utility 582
  m-a utility 581
  messages, display using dmesg 444, 589
  messages, saving 444
  modinfo utility 582
  modprobe utility 582
  module 580, 1157
  module-assistant utility 581
  modules file 580
  modules, tools for working with 582t
  packages, list installed using dpkg 588
  packages, remove using aptitude 588
  packet filtering see firestarter; gufw; iptables; ufw
  parameters, modify using sysctl 572
  proc pseudofilesystem 497
  programming interface 12
  rebuilding prerequisites 572
  rmmod utility 582
  source code, download using aptitude 573
  source code, download using git 574
  space 1156
  version, display using uname 588
kernelspace 1156
Kernighan & Ritchie 12
key binding 1156
key, META 1159
keyboard 1156
keyboard as standard input 244
keyboard layout, graphical installation 59
keys
  BACKSPACE (erase character) 151
  CONTROL 20
  CONTROL-\ (quit) 152
  CONTROL-C (copy) 124
  CONTROL-C (interrupts) 152
  CONTROL-D (EOF) 245
  CONTROL-D (exit) 117
  CONTROL-H (erase character) 151, 240
  CONTROL-Q (Xoff) 147
  CONTROL-U (line kill) 151, 240
  CONTROL-V (paste) 124
  CONTROL-W (delete word) 151
  CONTROL-W (erase word) 240
  CONTROL-X (cut) 124
  CONTROL-X (line kill) 151
  CONTROL-Z (suspend) 151, 152, 255
  DEL (erase character) 151
  encryption 1110
  end line 20
  ENTER 20
  erase 151
  interrupt 152
  kill (line) 151
  line kill 151
  NEWLINE 20
  RETURN 20, 240
  typeface 20
keyword variables 313
keywords, search for using apropos 139
kill builtin 152, 255, 455-457, 1009, 1010, 1012
kill line key (CONTROL-U) 151, 240
kill process 455-457
KILL signal 1009
kill utility 618
killall utility 457
kilo- 1156
known_hosts file 668-670
Konqueror as an LDAP client 770
Korn, David 293, 1156
Korn Shell 293, 1156
ksh shell 293, 1156
Kubuntu 2, 75, 99
KVM 9
LAMP 32, 77, 648
LAN 375, 1156
  configuring 637
  more information 658
  setting up 638-641
LANG variable 1107
language, used by the system 145
lapic boot parameter 82
large number 1156
launchd daemon 432
launchers 121, 122
Launchpad 518, 1125
LBA addressing mode, disk 583
LBX 381
LCD monitor, subpixel smoothing 284
LDAP 758-770, 1156
  back end 761
  DB_CONFIG file 760
  directory 758
  Evolution client 767
  front end 762
  Konqueror client 770
  LDIF 759
  objectClass 759
  schema directory 758
  setting up a server 760
  slapcat utility 763
ldapadd utility 765
ldapmodify utility 764
ldd utility 465
.ldif filename extension 759
LDIF, LDAP 759
-le relational operator 1018
leaf 1156
least privilege 420, 1157
left-click 101
left-handed mouse 105, 274
less utility 13, 162, 960
let builtin 361, 1016
lexical variable 1045
lftp utility 674
lftp.conf file 674
/lib directory 214
lib directory 214
libraries called by executable, list using ldd 465
library, libwrap 465
libwrap library 465
Lightweight Directory Access Protocol see LDAP
line kill key (CONTROL-U) 151, 240
Line Printer Daemon see lpd daemon
LINES variable 984
links 14, 226, 226-232, 1157
  alternatives directory 491
  delete using rm 232, 501
  display using ls 229
  exporting 785
  find using lnks 962
  hard 228-230, 1151, 1157
  hard versus symbolic 227, 230
  hard, create using ln 228, 501
  hypertext 409
  inode 501
  number of, display using ls 216
  point-to-point 1165
  remove using rm 232
  soft see links, symbolic
  symbolic 230, 501, 1157, 1176
    cd and 231
    create using ln 230
    dereference 1144
    versus hard 227, 230
  symlinks see links, symbolic
  utility names 491
links utility 411
Linux
  see also kernel
  benefits 6-9
  distribution 6
  documentation 136-144
  Documentation Project 144
  FHS (Filesystem Hierarchy Standard) 14, 213
  file namespace 35
  Foundation 213
  FSSTND (Filesystem Standard) 14, 213
  history 1-6
  LSB (Linux Standard Base) 213
  manual sections 138
  newsgroups 454, 1103
  overview 12-19
  PAM see PAM
  Pluggable Authentication Modules see PAM
  Software Map database 1105
  standards 7
  Terminal Server Project 774
  UNIX heritage 3
linux directory 575
linux terminal name 1106
linux-gate.so.1 file 467
list box see drop-down list
list operator see character, class
list, Perl 1045
lists file (APT) 524
listserv 390
live session 52
live/install CD/DVD see installation CD/DVD
ln utility 228, 230, 501
ln utility versus cp 229
lnks shell script 962
load average, display using w 183
loadable modules 580, 1157
loader, boot see GRUB
local area network see LAN
/local directory 39
local directory 214, 542
local variables 330
locale 1157
localhost 387
location bar, Nautilus 279
lockd daemon 404, 777
locktty shell script 975
log
  analyze using swatch 1126
  DNS 849, 852, 854
  files, checking 620
  files, obtain help using 1100
  files, rotate using logrotate 622-624
  FTP 708
  in see login
  log directory 500, 626
  machine 618, 619t
  OpenSSH 680
  out 450, 1158
log directory 215, 1100
logical
  evaluation 1017
  expressions 1158
  operators see Boolean operators
  volumes (LV) 41
Logical Volume Manager (LVM) 41
login 448, 1158
  automatic using OpenSSH 677-678
  failsafe GNOME 146
  failsafe terminal 146
  GUI 145
  name see username
  options 100
  problems 146, 616
  prompt 448
  remote 147
  root 1170
  screen 100, 145
  security 1120
  shell 328, 1158
.login file 1158
Login incorrect error message 448
login utility 328, 448
login.defs file 494, 597
.logout file 1158
logresolve utility 921
logrotate utility 622-624
logrotate.conf file 622-624
logrotate.d directory 622-624
logvsftpd.log file 711
loopback service 493
lost+found directory 452, 488
lp utility 559
lpadmin utility 562-564
lpd daemon 403, 548
lpinfo utility 561
lpq utility 165, 559
LPR line printer system 548
lpr utility 165, 252, 559
lprm utility 165, 559
lpstat utility 165, 559
ls utility 161, 215, 502
LSB (Linux Standard Base) 213
lsb_release utility 585
lshal utility 641
lshw utility 640
lsmod utility 582
lsof utility 618
lspci utility 640
lsusb utility 641
-lt relational operator 1018
LTS release 31
LVM 41
lynx utility 411

M

m-a utility 581
MAC address 474, 1158
Mac processor architecture 30
machine collating sequence 1158
machine log 618, 619t
machine name, display using hostname 163
macro 1158
magic file 500, 1158
magic number 500, 1158
mail
  see also exim4
  aliases 491, 722
  authenticated relaying 736
  checking root's 620
  communicating with users 615
  Dovecot 735
  IMAP server (Dovecot) 735
  JumpStart: configuring exim4 to send and receive mail 718
  JumpStart: configuring exim4 to use a smarthost 716
  list server 390
  mail file 720
  MAIL variable 321
  mailbox 321
  MAILCHECK variable 321
  maildir format 720
  mailing list 733
  Mailman 734-735
  MAILPATH variable 321
  mailq utility 723
  mbox format 720
  MDA 713, 1159
  more information 715
  MTA 713, 1115, 1160
  MUA 713, 1116, 1160
  network addresses 186
  newaliases utility 723
  POP3 server (Dovecot) 735
  Postfix 715
  postmaster 620
  Qmail 715
  security 1115
  self-signed certificates 736
  sending to a remote user 390
  sendmail daemon 404
  SMTP 714
  spam see spam
  SpamAssassin see SpamAssassin
  SquirrelMail 731
  SSL 736
  utilities 186
  Webmail 731-733
mail file 720
MAIL variable 321
mailbox 321
MAILCHECK variable 321
maildir format 720
mailing list 733
Mailman 734-735
mailname file (exim4) 718
MAILPATH variable 321
mailq utility 723
main memory 1158
Main menu 102, 122
main software package category 522
Main toolbar, Nautilus 279
mainframe computer 10
mainframe model 398
mainlog directory (exim4) 720
major device number 503, 1158
make utility 1080
makedbm utility 753
makepath function 1026
MAN 376, 1159
man directory 215
man utility 136-138
manager, file see Nautilus
manager, session 116
manager, window 155
mandb utility 139
man-in-the-middle 1114, 3224
manuals see help
map files 794
Marvell 30
masquerading, IP 881, 890, 893, 1159
Massachusetts Institute of Technology see MIT
mawk utility >7, 1096
mbox format 720
MBR (master boot record) 84, 91, 583, 589
MD device 92
MD5 encryption 1159
MDA 713, 1159
mebibyte 37, 1159
megabyte 1159
memory
  see also RAM
  main 1158
  paging 499
  testing 79
  virtual and swap space 498
  virtual, report on using vmstat 609
memtest86+ utility 79, 87
menu 1159
  Administration 122
  bash 983
  context 104, 126, 127t
  Main 122
  Object context 104, 126, 127t
  objects 121
  Panel (context) 119
  Panel Object context 121
  panel see panel
  Preferences 122
  shell script 979
  System 122
  Window Operations 124
menu.lst file 584
menubar, Nautilus 279
merge 1159
mesg utility 185
message
  see also error messages; usage messages
  daemon 500, 625-627
  deny using mesg 185
  messages directory 500
  messages file 617
  of the day see motd file
  rsyslog.conf file 626-627
  rsyslogd daemon 625-627
  security 500
  send using motd 615
  send using wall 615
  send using write 184, 615
  system 500
  usage see usage message
Message Digest 5 see MD5
messages file 1100
META key 1159
metabit 1135
metacharacters 1159, see also special characters
Metacity window manager 115, 155
metadata 1159
metapackages see software packages, virtual
metropolitan area network 376, 1159
microprocessor 11
Microsoft Windows see Windows
middle mouse button 124
MIME 130, 1160
mingetty utility 328
minicomputer 10
mini-HOWTOs 142
minimal install CD 32
minimal system 80
minimize window 1160
MINIX 6
minix filesystem 505
minor device number 503, 1160
mirrors, Ubuntu 45
mistakes, correct typing 150
MIT 17
MIT, Project Athena 268
MIT, X Consortium 268
MITM see man-in-the-middle
mkdir utility 208-209
mkfifo utility 503
mkfs utility 458, 18, 509
mklost+found utility 488
mkswap utility 499
mlocate utility 180
mm_cfg.py file (Mailman) 735
/mnt directory 214
modem 1160
modem, cable 1139
modinfo utility 582
modprobe utility 582
mods-available directory 905
mods-enabled directory 905
module, kernel 580
module, Perl 1045
module-assistant utility 581
modules directory 214
modules file 580
monitor, LCD, subpixel smoothing 284
monthly file 607
more utility 162
Morris, Robert T., Jr. 1122
Mosaic Web browser 409
motd file 494, 615
mount 1160
  automatic 793, 1136
  DOS filesystem 508
  filesystem using mount 506-509
  floppy diskette 508
  point 36, 89, 507, 793, 1160
  remote filesystems 777-780
  table 494, 510
mount utility 49, 506-509, 777, 778-780, 816
mount: RPC: Program not registered error message 777
mountd daemon 404
mounts file 494, 790
mouse 1160
  click 101, 102
  double-click timeout 106
  focus-strictly-under 154
  focus-under 153
  left-handed 105, 274
  middle button 124
  mouseover 1160
  pointer 1160
  pointer, hover 102, 1152
  preferences, setting 105
  remapping buttons 274
  right-click 104
  right-handed 274
  wheel 274
mouseover 1160
Mozilla 410
Mozilla, netnews 407
msdos filesystem 506
mt utility 605
MTA 713, 1115, 1160
mtab file 494
MUA 713, 1116, 1160
multiboot specification 1160
multicast 1161
multidisk device 92
multiplication operator 1020
Multipurpose Internet Mail Extension see MIME
multitasking 13, 1161
multiuser 13, 1161
multiuser mode 448
multiverse software package category 522
mv utility 164, 212, 501
MX records, DNS 828
my.cnf file 630
.my.cnf file 630
mycp function 988
MySQL 628-635
  .my.cnf file 630
  column 628
  configuring 650
  database 628
  JumpStart: Setting Up MySQL 629
  row 628
  table 628
mysql_secure_installation utility 629

N

name
  command 238
  daemon 402
  domain see domain, name
  login see username
  servers 399, 400
  space 1161
named daemon 833
named directory 847
named pipe 503
named.conf file 836, 839-841, 851, 856
named.conf.options file 841
namespace 35, 1161
nano utility 425, 426
NAT 1161
  routers and 638
  running from firestarter 868
  running from iptables 892-896
  table, iptables 881
National Center for Supercomputer Applications 409
Nautilus 107-112, 282-283
  access permissions 129
  control bars 278
  emblems 129, 278
  File Browser versus Spatial windows 108
  File Browser window 107, 276-282
  file, open with 118
  hidden files, displaying 282
  history 278
  location bar 279
  Main toolbar 279
  menubar 279
  Open With selection 130
  places 278
  Side pane 277
  spatial view 282
  status bar 279
  trash 282
  View pane 277
NBT 1161
ncpfs filesystem 506
ndbm database 1144
-ne relational operator 1018
negation operator 1020
nessus utility 1125
net use utility (Windows) 818
net utility 798
net view utility (Windows) 818
NetBIOS 1161
netboot 774, 1161
netcat utility 1125
netiquette 1161
netmask 1161
netnews 407, see also newsgroups
.netrc file 694
Netscape 407, 409
netstat utility 384
network
  see also IP address; protocols; wireless network
  address 1162
    @ in 388
    mail 186
    mask 385
    space, private 1166
  analyze using wireshark 1126
  boot 1161
  bottleneck, find using traceroute 395
  broadcast 374, 1138
    address 1138
    packet 381
    unicast, compared 381
  cables see cables
  client/server model 398
  concentrator see network, hub
  configure using NetworkManager 642-645
  connection, test using ping 393
  daemons 372, 402
  datagram 373, 1144
  diagnose using netcat 1125
  DNS see DNS
  duplex 375
  Ethernet 374, 375, 1147
  extranet 1147
  FDDI 1148
  file sharing model 398
  firewall see firewall
  frame 373, 1149
  full-duplex 375
  gateway 376, 1149
  half-duplex 375
  hops 394
  host address 381
  hostname, FQDN see FQDN
  hosts file 386
  hub 375, 1152
  ICMP packet 1153
  interface card see network, NIC
  internet (lowercase "i") 1154
  Internet see Internet
  internetwork 372
  intranet 372
  layer, IP model protocol 380
  local area see LAN
  mainframe model 398
  metropolitan area 376, 1159
  monitor with Cacti 647-658
  multicast 1161
  nameservers 399, 400
  netmask 1161
  netnews see netnews; newsgroups
  NIC 639
  nm-connection-editor utility 643
  node 638
  number see network, address
  packet filtering 1164, see also firestarter; gufw; iptables; ufw
  packet sniffer 1164
  packets 373, 882, 1164
  point-to-point link 374
  port forwarding 1165
  private address space 642, 642t, 1166
  privileged port 1166
  PTP (peer-to-peer) model 399
  resolver 400
  route, display using traceroute 394
  router 376, 377, 638, 1170
  security 1116-1119
  security guidelines 1117
  segment 375, 1162
  services 372, 402
  setting up 638-641
  sniff 1173
  sockets 503
  specifications 373t
  subnet 385, 385, 1174
    addresses 1175
    masks 385, 1175
    numbers 1175
    specifying 462, 462t
  switch 374, 375, 1162
  token ring 1177
  topology, shared 1171
  trusted hosts 391
  tunneling 1178
  UDP 1178
  unicast 1178
  unicast versus broadcast packets 381
  VPN 1180
  WAN see WAN
  wide area see WAN
  Wi-Fi 1181, see also wireless
  wireless see wireless
Network Address Translation see NAT
Network File System see NFS
Network Information Service see NIS
Network Time Protocol see NTP
NetworkManager applet 642-645
NetworkManager daemon 642
newaliases utility 723
NEWLINE (command separator) 304
NEWLINE key 20
NEWLINE, quote using a backslash 304
newlist utility 734
news, Internet see netnews; newsgroups
newsgroups 408, 1103, 1119, see also netnews
NFS 773-776, 1162
  all_squash option 789
  attribute caching options 778
  block size 780
  data flow 775
  df utility 774
  error handling options 779
  error messages 776, 777, 779, 790, 791
  etab file 789
  exportfs utility 785, 791
  exporting device files 785
  exporting directory hierarchies 785-789
  exporting links 785
  exports file 783, 786-789
  filesystem 506
  firewall setup 782
  fstab file 778, 781
  gssd daemon 777
  idmapd daemon 777
  JumpStart: configuring an NFS server using shares-admin 783-785
  JumpStart: mounting a remote directory hierarchy 777-780
  line speed, testing 780
  lockd daemon 404, 777
  more information 776
  mount utility 777, 778-780
  mountd daemon 404
  mounting remote directory hierarchies 777-780
  mounts file 790
  nfs-common init script 776
  nfsd daemon 404
  nfs-kernel-server init script 782
  NIS and 788
  options 786-789
    all_squash 789
    attribute caching 778
    error handling 779
    miscellaneous 780
    root_squash 788
  performance, improving 780
  portmap utility 776, 782, 792
  prerequisites 776, 782
  rmtab file 790
  rpc.gssd daemon 777
  rpc.idmapd daemon 777
  rpc.lockd daemon 776
  rpc.statd daemon 776
  rquotad daemon 404
  running clients 776
  security 776, 783, 788
  server xxx not responding error message 779
  server-server dependency 793
  setuid 777
  shares-admin utility 783-785, 786
  showmount utility 790
  statd daemon 404, 776
  testing 792
  timeout 779, 780
  version 4 776
nfsd daemon 404
NIC 639, 1162
nickname, host 387
nicknames file (NIS) 743
NIS 742-744, 1162
  client, setting up 744-750
  debugging 748, 756
  defaultdomain file 745, 746
  domain 742
  domain name 746, 1162
  firewall setup 751
  GECOS 757
  makedbm utility 753
  Makefile file 753
  maps 743
  master servers 742
  more information 744
  NFS and 788
  nicknames file 743
  nis file (default) 746, 751, 757
  nis init script 745, 750
  nisdomainname utility 746
  nsswitch.conf file 742
  passwd utility 749
  prerequisites 745, 750
  rpcinfo utility 748
  securenets file 753
  server, setting up 750-756
  server, specifying 747
  slave servers 742
  source files 742
  testing 747, 756
  users, adding and removing 750
  Yellow Pages 742
  yp.conf file 747
  ypbind daemon 748
  ypinit utility 755
  yppasswd utility 748-750
  yppasswdd init script 757
  ypserv.conf file 751
  ypwhich utility 747
  ypxfr utility 755
  ypxfrd daemon 755
nis file (default) 746, 751, 757
nmap utility 1125
nmbd daemon 798, 818
nmblookup utility 818
nm-connection-editor utility 643
nn utility 407
NNTP (Network News Transfer Protocol) 407, 1162
noacpi boot parameter 82
noapic boot parameter 82
noapm boot parameter 82
noclobber variable 248-250
node 638, 1162
nodmraid boot parameter 82
noirqpoll boot parameter 82
nolapic boot parameter 82
-nolisten tcp option (X Window System) 271
nologin file 495
nologin utility 495
nologin.txt file 481
nonprinting character 1162
nonvolatile storage 1163
NOT Boolean operator 1024
nsswitch.conf file 475-477
NTFS driver 1105
ntfs filesystem 506
NTP 1163 ntp.conf file 4 0 4 ntpd daemon 404 null device 2 5 0 null file 250, 489, 52 , 73 null string 1163 number block 1137 gibibyte 1150 gigabyte 1150 hexadecimal 1151 kilo- 1156 large 1156 magic 500, 1158 mebibyte 1159 megabyte 1159 octal 1163 sexillion 1171 tera- 1176 undecillion 1178 0 - o (OR) Boolean operator 1017 .o filename extension 203 object 101 click 102 Clock 105 copying 111, 124 cut and paste 124 dragging 106 moving on a panel 121 panel see panel preferences, setting 104 right-click 104 selecting 111 trash, moving to 111 Object context menu 104, 126, 127t Object Properties window 1 2 8 - 1 3 0 objectClass, LDAP 759 octal number 1163 od utility 491 OLDPWD variable 360 one-time passwords 1120 one-way hash 1163 1229 1230 MAIN INDEX Open Group 2 6 8 open source 1163 OpenLDAP 7 5 8 OpenOffice.org 10 , 1 1 6 OpenPGP Message Format 1 1 1 4 OpenSSH 6 6 4 - 6 6 5 , 1163 authentication 6 6 4 , 6 6 8 authorized keys 6 7 7 - 6 7 8 automatic login 6 7 7 - 6 7 8 client, setting up 6 6 8 - 6 7 0 clients 6 6 7 - 6 7 6 compression 6 8 4 configuration files 6 6 5 - 6 6 6 , 6 7 4 , 6 7 9 debugging 6 7 2 , 6 7 4 , 6 7 8 , 6 8 1 encryption 6 6 4 firewall setup 6 8 3 JumpStart: starting an OpenSSH server 6 7 7 JumpStart: using ssh and scp to connect to an OpenSSH server 6 6 7 keys 6 6 4 known_hosts file 6 6 8 - 6 7 0 log file 6 8 0 more information 6 6 6 opening a remote shell 6 7 0 port forwarding 6 8 1 - 6 8 3 prerequisites 6 6 7 , 6 7 6 protocol versions (1 and 2) 6 6 4 public key encryption 6 6 4 recommended settings 6 6 8 , 6 7 7 rhost authentication 6 6 5 running commands remotely 671 security 6 6 3 server, setting up 6 7 6 - 6 8 0 ssh_known_hosts file 6 6 8 - 6 7 0 sshd daemon 6 7 6 - 6 8 0 ssh-keygen utility 6 6 8 - 6 7 0 , 6 7 7 troubleshooting 6 8 0 tunneling 6 8 1 - 6 8 3 X I 1 forwarding 6 6 8 , 6 7 5 , 6 8 0 , 6 8 1 operating system 1163 operating system, generic/proprietary 10 Operations menu, Window 1 2 4 operators 1 0 1 9 - 1 0 2 4 bash 1 0 1 9 t Boolean 
see Boolean operators list see character, class logical see Boolean operators redirection (bash) 2 9 9 , 2 9 9 t relational 1 0 1 8 remainder 1 0 2 2 short-circuiting 1022 string 1 0 1 8 t ternary 1 0 2 3 OPIE utility 1120 /opt directory 39, 2 1 4 opt directory 2 1 4 , 5 4 1 O P T A R G variable 1 0 1 3 O P T I N D variable 1 0 1 3 options 239, 1163 boot 57, 82 command line 2 3 9 - 2 4 0 , 352 O R bitwise operator 1 0 2 4 O R Boolean operator 1 0 1 7 ordinary file 201, 500, 1163 O S D L (Open Source Development Labs) 2 1 3 other access permission 215 out shell script 9 5 9 output 1163 output, standard see standard output owner access permission 215 owner of file, display using Is 2 1 6 P2P 1163 package variable, Perl 1045 package see software packages package, Perl 1045 packets 1164 broadcast 381 filtering 1164, see also firestarter; gufw; iptables; ufw network 373 sequence number (icmp_seq) 3 9 4 sniffer 1164 unicast 381 page breaks 1 9 3 pagers 138, 162, 1164 paging 499, 1164 palimpsest partition editor 6 6 - 7 0 PAM 4 7 8 - 4 8 2 , 1 1 6 4 control flag keywords 4 8 0 t features 4 4 9 login security 1 1 2 0 module type indicators 4 8 0 t more information 4 7 9 pam.d file 4 7 8 security file 4 7 8 stack 481 M A I N INDEX p a m . 
d file 478 panel 101, 117 moving objects on a 121 objects 118,120 objects, adding 119 orientation 120 Panel (context) menu 119 Panel Object context menus 121 Panel Properties window 119 parameter expansion 360 p a r a m e t e r n u l l o r n o t set error message 1002 parameters 312, see also bash parameters parameters, boot 57, 82 parent directories 201, 202 parent process 3 2 8 , 1 1 6 4 parentheses, group commands using 306 parse 240, 356 parted utility 6 1 1 - 6 1 4 partition 33, 1164 see also name of partition (e.g., / v a r [indexed under v a r directory]) create manually (graphical) 60, 72 create manually (textual) 87 create using parted 6 1 1 - 6 1 4 create, guided 36, 60, 60, 70 creating, about 36 delete using gparted 66 delete using palimpsest 69 display using palimpsest 67 extended 34 filesystem 34 logical 34 naming 36 primary 34 RAID see RAID resize using gparted 65 sizes, minimum 39t sizes, suggested 37 swap 37 table 33 type 88 UUID number 510 work with using gparted 6 4 - 6 6 work with using palimpsest 6 6 - 7 0 work with using ubiquity 7 0 - 7 4 p a r t n e r software package category 522 PASC (Portable Application Standards Committee) 293 passive FTP see FTP, PASV passphrase 1164 passwd file 44£, 4 9 4 - 4 9 5 passwd utility 749 passwords 1164 break using crack 620 changing 148 choosing 619 generating using pwgen 149 group 492 hashed 497 John the Ripper utility 1125 one-time 1120 passwd file 448, 4 9 4 - 4 9 5 r o o t account 422 r o o t account and sudo 430 r o o t account, assigning to 431 Samba 799, 803 secure remote using srp 1126 PASV FTP see FTP, PASV path, search 178 PATH variable 29!, 3 1 9 - 3 2 1 , 453, 382 pathnames 201, 205, 211, 1164 / within 35 ~ (tilde) in a 206 absolute 205, 242, 1134 completion 342 elements 1164 expansion 256, 2 5 6 - 2 6 0 , 315, 363 last element of 1164 relative 206, 242, 1168 PC processor architecture 30 PC, r o o t privileges from a 1116 PCI devices, list using Ispci 640 pdbedit utility 798 .pdf filename 
extension 203 PDF printer, setting up a virtual 549 peer, BitTorrent 539 period special character 1091 peripheral device see device Perl 1 0 4 1 - 1 0 8 4 $! variable 1068 $#array variable 1054 $. variable 1065 $_ variable 1065 . (dot) operator 1054 .. (range) operator 1055 ::, use of 1045, 1079 @_ array 1072 Apache, scripts called from 946 1231 1232 MAIN INDEX Perl, continued array 1045 block 1045 CGI script 942 chomp function 105Î , 1067 chop function 1067 closedir function 1083 comparison operators 1058, 1059t compound statement 1045 CP AN 1079 defined function 1051 die function 1059, 1068 distribution 1045 -e option 1074 error checking 1068 file handle, magic 1066 file test operators 1057 for control structure 1 0 6 1 - 1 0 6 4 foreach control structure 1 0 6 1 - 1 0 6 4 foreach statement, postfix syntax 1062 greedy matching 1076 handle 1066 if control structure 1057 if statement, postfix syntax 1058, L074 if...else control structure 1059 if...elsif...else control structure 1060 keys function 1056 -1 option 1074 last statement 1062 lexical variable 1045 list 1045 magic file handle 1066 metacharacters 1076t module 1045, 1079 my function 1071 namespace 1045, 1079 next statement 1062 nongreedy matching 1076 numeric operators 1059t opendir function 1083 operators comparison 1058, 1059t numeric 1059t string 1059t options, combining 1074 package 1045 package variable 1045 parsimonious matching 1076 perldoc utility 1043 pop function 1055 postfix syntax 1058, 1062 push function 1055 readdir function 1083 regular expression metacharacters 1076t regular expressions 1 0 7 3 - 1 0 7 9 replacement string 1075 reverse function 1069 say function 1047 shift function 1055, 1 0 7 : , 1082 slice, array 1055 sort function 1069 special characters 1049t splice function 1055 split function 1083 statement, compound 1045 statements 1047 string operators 1059t subroutines 1 0 7 1 - 1 0 7 3 substr function 1081 syntax 1047 uc function 1062 unless control structure 1057 until control 
structure 1064 use feature 'say' 1047 use function 1047 use strict statement 1043 use warnings statement 1043, 1051 values function 1056 - w option 1051 while control structure 1064 perldoc utility 1043 Permission denied error message 242, 300, 319 permissions see access permissions persistent 1165 PGP encryption 1113 .pgpkey file 182 philosophy, UNIX 388 phish 1165 .php filename extension 914 physical device 1165 layer, IP model protocol 380 security 1122 volumes (LVM) 42 Pick a Color window 285 Pick a Font window 2 8 4 PID 1165 $! variable 996 $$ variable 995 M A I N INDEX background process 2 5 4 fg 2 9 1 number 1 3 2 8 , 4 4 5 numbers 328 process, display using ps 2 5 5 Pidgin see Empathy I M client pidof utility 4 5 7 pinfo utility 141 ping utility 393, 458 ping6 utility 394 pipelines see pipes pipes 16,170,251,251-254,1165 I symbol and n o c l o b b e r 2 4 8 I symbol in extended regular expressions 1096 at the end of line 970 create using mkfifo 503 filters 253 named 503 pixel 1165 .pi filename extension 914 Places menu 122 plaintext 1110,1165 .plan file 182 Pluggable Authentication Module see PAM plus sign in extended regular expressions 1096 point-to-point link 374, 1165 Point-to-Point Protocol see PPP protocol POP3 server (Dovecot) 735 pop3-login daemon 735 popd builtin 312 portable 10 portmap daemon 406, 4 6 2 - 4 6 4 portmap utility 776, 782, 792 portmapper 406, 1165 ports 401, 1165 connect to using telnet 392 forwarding 1165 forwarding using OpenSSH 6 8 1 - 6 8 3 privileged 401, 1116 scan for open using nmap 1125 setting serial information 459 stealth 871 positional parameters 996, 9 9 6 - 9 9 9 POSIX 7, 293 Postfix daemon 7 1 5 , 1 1 1 6 postinst script (dpkg) 5 3 3 postmaster 620 PostScript Printer Definition see PPD power management 402, 4 0 3 power, turning off 4 5 2 poweroff utility 4 5 0 PowerPC processor architecture 30 ppd directory (CUPS) 5 6 3 PPD files 561 PPID see parent process PPP (point-to-point) protocol 381 pppd daemon 4 0 4 Preboot 
Execution Environment 774 Preferences submenu 122 preferences, setting 104 preinst script (dpkg) 5 3 3 PreSession directory 449 Pretty Good Privacy see PGP PREVLEVEL variable 4 3 8 primary buffer 124 printable character 1166 printer see also CUPS; printing accepting/rejecting jobs 5 5 I t capability database 4 9 5 classes 561 configure using Ipadmin 5 6 2 - 5 6 4 configure using system-config-printer 5 5 0 - 5 5 4 disable using cupdisable 565 disable using cupsreject 564 enable using cupsaccept 5 6 4 enable using cupsenable 5 6 5 enable/disable 551t IPP protocol 548 page breaks 193 PDF, virtual 549 print files using Ipr 165 print queue 548 printcap file 4 9 5 queue, managing 551, 564 remote, configuring 5 5 2 - 5 5 4 sharing 5 6 5 status 5 5 I t printing see also CUPS; printer command line, from the 558 command-line utilities 559t quotas 564 system 547 UNIX traditional 558 Windows, from using CUPS 5 6 6 Windows, from using Samba 567 Windows, to using CUPS 568 1233 1234 MAIN INDEX Privacy Enhanced Mail see PEM encryption private address space 642, 642t, 1166 private key 1111 privilege, least 420, 1157 privileged ports 401, 1116, 1166 privileges, root see root privileges problem solving 1100 /proc directory 214, 497, 5 0 6 procedure 1166 process 243, 328, 3 2 8 - 3 3 0 , 1166 background 330, 1136 child 328,1140 die 330 files held open by, locate using Isof 618 first 445 foreground 1149 fork 328 ID see PID identification see PID init 4 4 5 kill 4 5 5 - 4 5 7 numbers, display using pidof 4 5 7 parent 328, 1164 parent of all 4 4 5 search for using ps and grep 4 5 6 sleep 330 spawn see process, fork spontaneous 328 structure 328 substitution 365 wake up 330 processor architecture 29 procmail daemon 730 .profile file 294, 1166 profile file 294, 4 9 5 program 1166 see also builtins; Utilities Index (page 1189) name of calling 997 running 1 0 2 - 1 0 3 terminating 107, 151 .project file 182 Project Athena 268 P R O M 1166 prompts 1166 # 420 $ 20 bash 3 2 1 - 3 2 3 login 448 
representation 20 root account 420 shell 20 proprietary operating systems 10 protocols 379, 3 7 9 - 3 8 1 , 1166 connectionless 1142 connection-oriented 380, 1142 datagram-oriented 381 DHCP 4 7 0 - 4 7 4 HTTPS 943 ICMP 394 IP model 380 IPP 5 4 8 IPSec 1117 ISO model 380 LBX 381 NNTP 4 0 7 PPP 381 protocols file 495 SLIP 381 stream-based 380 TCP 380 TCP/IP 379 UDP 379, 381 Xremote 381 protocols file 888 proxy 405, 1166 proxy gateway 405, 1167 proxy server 405, 1167 .ps filename extension 203 ps utility 255, 50 , 328, 456, '95 PS1 variable 321, 322t PS2 variable 322 PS3 variable 323, 984 PS4 variable 323, 966 pseudographical interface 30, 150 pseudoterminal 4 9 0 pstree utility 329 PTP (peer-to-peer) model 399 pts directory 244, 490 pub directory (FTP) 694 public key encryption see encryption, public key public_html directory 913 pushd b u i l t i n 311 pwd builtin 204 pwd utility 231 PWD variable 360 pwgen utility 149 PXE 774 Python 1167 M A I N INDEX Q Qemu 9 Qmail 7 1 5 , 1 1 6 qnx4 filesystem 5 0 6 qrunner daemon 7 3 5 Qt toolkit 2 7 5 question mark in extended regular expressions 1 0 9 6 quiescent 445 quiet boot parameter 5 7 QUIT signal 15 , 1 0 0 9 quota utility 6 2 5 quotaon utility 6 2 5 quotation marks see also quoting around variables 3 1 4 around whitespace 315 double 9 5 5 in aliases 3 4 7 in pathname expansion 3 6 4 in Perl 1 0 4 8 removal of 3 5 7 single 1 6 0 quoting 1167 see also quotation marks characters 1 6 0 let arguments 3 6 2 NEWLINE characters using \ 3 0 4 parentheses in regular expressions 1 0 9 4 shell variables using \ 3 1 4 special characters in regular expressions 1 0 9 3 , 1093t trap, arguments to 1 0 1 0 radio button 1167 RAID 4 0 , 9 1 , 5 1 4 , 1167 backups, does not replace 5 9 9 fake 41 R A M 1167 disk 4 3 , 1168 installation requirements 2 8 swap and 3 8 , 4 9 8 testing 79 random access memory see R A M random file 4 9 0 random number generator 4 9 0 R A N D O M variable 1031 1235 RAS 1 1 2 1 , 1168 raw devices 504 raw mode, 
device 504 rc script see init script rc.conf file 4 3 8 , 145 rc.local file 4 4 1 R C 5 encryption 1 1 1 3 rcw.d directory 4 4 0 - 4 4 3 rcS.conf file 145 rc-sysinit task 4 3 9 rc-sysinit.conf file 4 3 9 R D F 1168 read access permission 215 read builtin 9 7 4 , 1 0 0 3 - 1 0 0 5 , 1 0 0 5 t , 1 0 0 5 - 1 0 0 6 Readline completion commands 3 4 2 - 3 4 3 Readline Library command editor 3 4 0 - 3 4 6 Readline variables 3 4 4 t readnews utility 4 0 7 readonly builtin 3 1 7 , 3 1 8 readonly memory see R O M reboot system 4 5 1 reboot utility 4 5 0 recovery mode 445, 4 4 5 ^ 1 4 8 Alternate CD, from 83 from multiuser mode 4 5 1 rescue mode, versus 83 root password 4 4 4 root privileges 4 2 0 recovery-mode directory 4 4 7 recursion, infinite (aliases) 349 redirect see also redirection and append standard output using » 249 output of sudo using > 4 2 4 output of sudo using tee 4 2 5 output using a pipe (I) 1 7 0 standard input using < 2 4 7 - 2 4 8 standard input/output/error using exec 1 0 0 7 standard output using > 2 4 6 - 2 4 7 standard output using tee 2 5 4 redirection 15,245,1168, see also redirect redirection operators (bash) 2 9 9 t redundant array of inexpensive disks see RAID reentrant code 1168 regular character 1168 regular expression 1089,1168 \(..A) brackets expressions 1 0 9 4 ampersand in replacement strings 1 0 9 5 anchors 1 0 9 2 1236 MAIN INDEX regular expression, continued asterisks 1 0 9 2 , 1 0 9 2 t brackets 1 0 9 1 , 1 0 9 1 t , 1 0 9 4 carets 1 0 9 2 carets and dollar signs 1 0 9 2 t character class 1140 character classes and bracketed 1 0 9 7 t characters 1090 delimiters 1 0 9 0 dollar signs 1 0 9 2 empty 1 0 9 4 extended 1 0 9 5 , 1 0 9 6 t , 1 0 9 7 t pipes 1 0 9 6 plus signs 1 0 9 6 question marks 1 0 9 6 summary 1 0 9 7 full 1 0 9 5 , 1 0 9 6 t list operator see character, class longest match 1 0 9 3 periods 1 0 9 1 , 1 0 9 1 t Perl 1 0 7 3 - 1 0 7 9 quoted digits 1 0 9 5 quoted parentheses 1 0 9 4 quoting special characters 1 0 9 3 , 1 0 9 
3 t replacement strings 1 0 9 4 , 1 0 9 8 t rules 1 0 9 3 simple strings 1 0 9 0 , 1 0 9 0 t special characters 1090, 1 0 9 0 , 1 0 9 3 , 1 0 9 7 t summary 1 0 9 7 reiserfs filesystem 5 0 6 relational operators 1 0 1 8 relative pathnames 2 0 6 , 2 4 2 , 1168 relaying, authenticated mail 7 3 6 release, upgrading 7 4 releases, Ubuntu 31 religious statue, miniature see icon reload utility 135 remainder operators 1 0 2 0 , 1 0 2 2 remapping mouse buttons 2 7 4 remote access security 1 1 2 1 computing and local displays 2 7 0 filesystem 1169 login 1 4 7 procedure call see RPC replacement strings in regular expressions 1 0 9 4 R E P L Y variable 9 8 4 , 1 0 0 4 reports, system 6 0 8 , 621 repositories 131, 5 2 2 , 5 2 2 - 5 2 4 request for comments see R F C rescue mode versus recovery mode 83 rescue versus recovery mode 4 4 6 reserved ports see privileged ports reset utility 4 5 8 resolution of display, changing 1 5 4 resolv.conf file 4 9 6 , 834, 8 3 5 resolvconf utility 49< , 834, 835 R E S O L V C O N F variable 8 3 4 resolver 4 0 0 , 4 9 6 , 8 2 4 , 1169 Resource Description Framework 1168 resource records, DNS 8 2 7 - 8 3 0 restore 1169 restore u t i l i t y 6 0 3 - 6 0 5 restricted deletion flag see sticky bit restricted software package category 5 2 2 return code see exit, status RETURN k e y 20, 160, 2 4 0 reverse name resolution, DNS 8 3 1 - 8 3 3 rexec utility 4 0 4 rexecd daemon 4 0 4 R F C 1169 rhost authentication, OpenSSH 6 6 5 .rhosts file 391, 1 1 1 9 right-click, mouse 1 0 4 right-handed mouse 2 7 4 Ritchie, Dennis 11 rm utility 1 6 2 , 2 3 2 , 5 0 1 rmdir utility 2 1 0 rmmod utility 5 8 2 rmtab file 7 9 0 rn utility 4 0 7 roam 1169 role alias (Apache) 9 1 2 R O M 1169 romfs filesystem 5 0 6 root see also root account; root privileges directory (/) 35, 37, 2 0 0 , 2 0 5 , 2 1 3 , 4 6 6 , domain, DNS 8 2 4 filesystem (/) 1170 login 1170 window 118,125,1170 root account see also root privileges locked 98, 4 2 2 password and recovery mode 4 4 4 password 
and sudo 4 3 0 prompt 4 2 0 unlocking 4 3 1 1170 M A I N INDEX /root directory 214 root privileges 98, 4 1 9 - 4 3 2 see also root account admin group and 428 gain using gksudo 423 gain using kdesudo 4 2 3 gain using su 421, 431 gain using sudo 4 2 1 - 4 3 1 gain using various methods 420 graphical programs and 4 2 3 PATH and security 4 3 2 PC, from a 1116 recovery mode 4 2 0 setuid see setuid shell with 4 2 4 root user see root account rotate files 1170 router 638, 1170 network 376, 377 set up using iptables 8 9 2 - 8 9 6 row 628 RPC 406, 1170 display information about portmap using rpcinfo 4 6 2 - 4 6 4 portmap daemon 4 0 6 rpc file 4 9 6 rpc.gssd daemon 777 rpc.idmapd daemon 777 rpc.lockd daemon 776 rpc.statd daemon 776 RPC: Program not registered error message 790 rpcinfo utility 4 6 2 - 4 6 4 , 748 rquotad daemon 4 0 4 RSA encryption 1 1 1 2 , 1 1 7 0 rsyslog.conf file 6 2 6 - 6 2 7 rsyslogd daemon 6 2 5 - 6 2 7 run 1170 Run Application window 103, 286 run command scripts 440 runlevel 443, 443t, 1170 DEFAULT_RUNLEVEL variable 440, 4 4 5 emulation in Upstart 434 event 438 initdefault, and 439 PREVLEVEL variable 4 3 8 RUNLEVEL variable 4 3 8 runlevel utility 444 RUNLEVEL variable 4 3 8 runlevels utility 451 run-parts utility 607 1237 S/Key utility 1120 safedit shell script 981 Samba 797,799,1170 see also Samba parameters configure using swat 8 0 4 - 8 0 7 configure using system-config-samba 8 0 0 - 8 0 3 debug nmblookup 818 firewall setup 799 home directories, sharing 814 [homes] share 814 JumpStart: configuring a Samba server using system-config-samba 8 0 0 Linux shares, setting up 802 Linux shares, working with from Windows 814 manual configuration 8 0 7 - 8 1 4 more information 799 mount utility 816 NBT 1161 net use utility (Windows) 818 net utility 798 net view utility (Windows) 818 NetBIOS 1161 nmbd daemon 798, 818 nmblookup utility 818 parameters see Samba parameters passwords 799, 803 pdbedit utility 798 ping utility 818 prerequisites 800 printing from 
Windows 5 6 7 share 799, 1171 shared directory 647 SMB 1172 smb.conf file 804, 8 0 7 - 8 1 4 smbclient utility 815, 819 smbd daemon 798 smbd init script 800 smbpasswd utility 798, 803 smbstatus utility 798 smbtar utility 798 smbtree utility 815 smbusers file 799 swat utility 8 0 4 - 8 0 7 system-config-samba utility 800 testparm utility 817 troubleshooting 817 1238 MAIN INDEX Samba, continued user adding 801 nobody 802 user map 799 username 799 utilities 798 Web administration tool 8 0 4 - 8 0 7 Windows shares 8 1 5 - 8 1 7 , 1 1 7 1 WINS 1181 Samba parameters communication 813 domain master browser 812 global 808 logging 811 security 808 share 813 samhain IDS utility 1119 sandbox 9 Save window 110 /sbin directory 214 sbin directory 2 1 4 schema 1170 schema directory 758 Schneier, Bruce 1126 scp utility 667, 6 7 2 - 6 7 4 , see also OpenSSH screen 243 as standard output 244 number, X Window System 2 7 2 screen, login 145 script utility 172 scripts, shell see shell scripts scroll 1171 scrollbar 1171 sdn file 489 search engines 411 for files held open by a process using Isof 618 for files using gnome-search-tool 286 for files using mlocate 180 for files using Search for Files window 2 8 6 for inodes using find 566 for keywords using apropos 139 for open files using Isof 618 for process using ps and grep 4 5 6 for setuid files using find 454 for software package containing a file 521, 538 for software package containing a file using dpkg 5 3 8 for software package using aptitude 529 for strings using grep 166 for utilities using whereis 178 for utilities using which 178 path 178 Search for Files window 286 secret key encryption see encryption, symmetric key Secure Sockets Layer see SSL securenets file 753 securetty file 421 security see also firewall access permissions 2 1 5 - 2 2 6 accton utility 1120 ACL 1134 admin group 619 AIDE utility 45 , 119 ANI 1122 Apache directives 930 authentication 1136 backdoor 1136 BIOS 620 bugtraq mailing list 1120 CERT 1120 checksum 
1140 chkrootkit utility 1124 chroot jail see chroot jail cipher 1141 ciphertext 1110,1141 cleartext 1141 CLID 1122 console 4 2 0 cookie 1142 cracker 1143 cryptography 1143 cypher 1141 DDoS attack 1144 digital signature 1111 DNS 822 DoS attack 1146 DragonSquire IDS utility 1119 dsniff utility 1124 email 1115 encryption see encryption file 1115 finger utility 389 Firewall toolkit 1125 FTP 688, 695, 699, 705 fwtk utility 1125 M A I N INDEX host 1 1 1 9 - 1 1 2 4 host-based trust 391 hping utility 1125 IP spoofing 1154 IPng 387 IPSec 1117 IPv6 387 John the Ripper utility 1125 Kerberos 1156 kerberos utility 1121 Linux features 14 login 1120 login shell 4 9 5 login, last 148 man-in-the-middle 1 1 1 4 , 1 1 1 4 M D 5 encryption 1159 messages 5 0 0 M I T M see security, man-in-the-middle more information 1124 M T A 1115 MUA 1116 nessus utility 1125 netcat utility 1125 network 1 1 1 6 - 1 1 1 9 newsgroups 1119 NFS 776, 783, 788 NIS 753 nmap utility .125 OpenSSH 663 OPIE utility 1120 PAM 449, 1120 passphrase 1164 password 148, 494, 1164 password, one-time 1120 PATH and r o o t privileges 432 PATH variable 3 2 0 , 4 5 3 physical 1122 plaintext 1110 privileged ports 1116 Qmail utility [116 RAS 1121 remote access 1121 resources 1124t .rhosts file 1119, 391 r o o t password 619 RSA encryption 1170 S/Key utility 1120 samhain IDS utility 1119 Schneier, Bruce 1126 1239 server, securing a 4 6 5 - 4 7 0 setgid files 219 setuid files 219, 620 SHA1 hash algorithm 1171 smartcards 1121 snort utility 1126 software, keeping up-to-date 518 spoofing 1154 srp utility 1126 ssh see ssh SSL 1115 STARTTLS 1115 swatch utility 1126 syslogd daemon 1120 system 619 TCP wrappers 4 6 5 - 4 6 6 telnet utility 392, 1116 TLS 1115 tripwire utility 111 , 126 Trojan horse 453, 453^154, 1177 trusted hosts 391 virus 1122, 1180 web of trust 1114 wiping a file 4 9 0 wireshark utility 1126 worm 1122, 1181 xhost 2 7 2 security file 4 7 8 sed utility >22 seed, BitTorrent 539 segment 375 segment, network 375, 1162 
select control structure 9 8 3 - 9 8 5 selection buffer 124 self-signed certificates 736, 9 4 3 - 9 4 5 sendmail daemon 404, 715, 716 serial ports, setting information 459 Server CD see installation, CD/DVD Server Message Block protocol see Samba, SMB servers 1171 debug using telnet 393 mail list 390 name 399, 4 0 0 proxy 4 0 5 securing 4 6 5 - 4 7 0 setting up 4 6 0 - 4 7 0 , 646 superserver see inetd daemon; xinetd daemon X 269, 2 7 3 , 1 1 8 1 service utility 441 1240 MAIN INDEX service, directory 1145 services chroot jail, running in a 470 configuring 4 4 1 - 4 4 3 Internet 4 0 7 - 4 0 9 network 402 nsswitch.conf file 4 7 5 - 4 7 7 RPC 406 Upstart 434 services file 402, 4 9 7 session 1171 failsafe 1148 initialize 449 key, OpenSSH 664 manager 116 record using script 172 Session Indicator button 117 set builtin 3 5 3 , 9 6 : , 96 ,998 set group ID see setgid set user id see setuid set utility 965 setfacl utility 2 2 2 - 2 2 6 setgid 2 1 8 - 2 1 9 , 1171 setserial utility 459 setuid 2 1 8 - 2 1 9 , 420, 1171 files, locate using find 454 files, security 420, 620 NFS 777 nosuid option to mount 508, 777 sexillion 1171 sftp utility 674 sh Shell 292, 1138 SHA1 hash algorithm 1171 shal sum utility 47 SHA1SUMS file 4 6 shadow file 44: , 4 9 7 sharfile 986 share 783,1171 share directory 2 1 4 share, Samba 799 shared network topology 1171 Shares, adding Linux (Samba) 802 shares-admin utility 7 8 3 - 7 8 5 , 786 shell 1 4 - 1 6 , 2171 see also bash; bash parameters; bash variables; command line; job control; shell features; shell scripts; usage messages ~ (tilde) expansion 206 archive file 986 Bourne (original) 1138 changing default 4 5 7 command interpreter 126 csh 1139 dash 1 5 , 2 9 2 Debian Almquist 15, 2 9 2 default, change using chsh 2 9 3 features 3 5 2 - 3 5 3 filename generation 2 5 6 - 2 6 0 functions 1171, see also bash, functions job control see job, control ksh 293 login 3 2 8 , 1 1 5 8 OpenSSH 670 options 3 5 2 - 3 5 3 parameters 312, 3 1 2 - 3 2 5 pathname 
expansion 2 5 6 - 2 6 0 prompt 20 quoting special characters 315 root privileges see root privileges sh 292, 1138 sleep 243 subshell 306 variables see bash variables shell scripts 300, 3 0 0 - 3 0 3 , 1172 see also bash, functions; usage messages addbanner 1011 arguments, testing 964 bash 1 0 2 4 - 1 0 3 4 birthday 985 bundle 986 chkargs 956, 958 chmod, using to make executable 3 0 0 - 3 0 2 command_menu 979 comments, begin using # 303, 964 configure 542 count 971 count_down 994 cpdir 307 debug using xtrace 1026 debugging 966 executing 303 exit status 95 , 9 5 8 Here document 9 8 5 - 9 8 7 input, read using read 1 0 0 3 - 1 0 0 6 is_regfile 957 Inks 962 locktty 975 makepath function 1026 M A I N INDEX menu 979 out 959 positional parameters 996, 9 9 6 - 9 9 9 quiz 1032 recursion 1025 safedit 981 shell, specify using #! 302, 963 sortmerg 989 spell_check 972 temporary filenames 995 temporary files 983 whos 969 shells file 4 5 7 shift builtin 998 shift utility 959 shopt builtin 353 short-circuiting operators 1022 shortcut see link showmount utility 790 shutdown utility 43 /, 450 Shuttleworth, Mark 2, 3 Side pane, Nautilus 277 signals 1009, 1009t, 1172, see also signal name (e.g., KILL) signals, display list of using kill 1012 Silicon Graphics 409 simple filenames 205, 242, 1172 single quotation marks see quotation marks single-user mode 445 single-user mode see recovery mode single-user system 1172 sites-available directory 906 sites-enabled directory 906 skel directory 5 9 7 sladp init script 760 slapcat utility 763 sleep, shell 243 sleep utility 996 sleep() system call 330 slice see partition slider 1172 SLIP (Serial Line IP) 381 sloppy focus 153 SMART disk monitoring 69 smartcards 1121 smarthost (exim4) 714, 717 SMB see Samba, SMB smb.conf file 804, 8 0 7 - 8 1 4 smbclient utility 815, 819 1241 smbd daemon 798 smbfs filesystem 5 0 6 smbpasswd utility 798, 803 smbstatus utility 798 smbtar utility 798 smbtree utility 815 smbusers file 799 SMF 4 3 2 smiley 1172 
smilies, plural of smiley
SmoothWall, Linux router distribution 639
SMTP 714, 1172
snap, window 1172
sneakernet 1172
sniff 1173
SNMP 654
snmpd daemon 655
snmpd file 655
snort utility 1126
SOA records, DNS 829
sockets 503
SOCKS 1173
soft links see links, symbolic
software
  see also software packages
  bug tracking 518
  downloading 1104t
  free, definition 1129
  GNU Configure and Build System 542
  keeping up-to-date 518
  termination signal 1009
  Update Manager 112
  updating 112
software packages 517
  see also APT; apt-cache; apt-file; aptitude; dpkg; software
  adding/removing 131-136
  categories 131, 522
  contents of 533
  dependencies 527, 530
  display information about using aptitude 530-531
  file, search for the package containing using dpkg 538
  files, listing 538
  finding 521
  information about 529, 535, 537
  install using dpkg 536
  install/remove using aptitude 519-520
  installing from a CD/DVD 131
  metapackages see software packages, virtual
  remove configuration files using aptitude 520
  remove using dpkg 536
  repositories see repositories
  search for using aptitude 529
  source code 534
  source code, download using apt-get 532
  suggested 520
  Ubuntu Software Center window 132
  update list of available using dpkg 534
  virtual 526
Software Sources window 131
software-properties-gtk utility 524
sort 1173
sort utility 168, 252, 36, '89
sortmerg shell script 989
source builtin 296
source code, download kernel using aptitude 573
source code, download using apt-get 532
source code, dpkg files 534
sources.list file 523
SPACE 1173
SPACE bar 160
spam 1173, see also SpamAssassin
SpamAssassin 727
  see also spam
  configuring 730
  prerequisites 728
  running on a mail server using procmail 730
  spamassassin init script 728
  spamc utility 727
  spamd daemon 727
  testing 728
spamc utility 727
spamd daemon 727
SPARC processor architecture 30
sparse file 1173
Spatial versus File Browser windows, Nautilus 108
spawn see fork
special characters 160, 256, 1090, 1173
  * 257
  ? 256
  [] 259
  bash 326t
  filename generation 256-260
  pathname expansion 256-260
  quoting 315
  regular expressions 1089, 1097t
special files 501, 1140, see also device files
spell_check shell script 972
spin box 1173
spinner see spin box
splash boot parameter 57
spontaneous process 328
spoofing, IP 1154
spool 1173
spool directory 215, 1100
SQL 1173
square brackets 1174
square brackets, using in place of test 957
SquirrelMail 731
squirrelmail-configure utility 732
src directory 215
srp utility 1126
.ssh file 666
ssh directory 665
ssh init script 676
ssh utility 664, 667, 670-672, 112, see also OpenSSH
ssh_config file 674
ssh_known_hosts file 668-670
sshd daemon 676-680
sshd_config file 679
ssh-keygen utility 668-670, 677
SSL
  Apache 943-945
  mail 736
  security 1115
stack, directory 310, 310-312, 360
stack, PAM 481
Stale NFS file handle error message 791
Stallman, Richard 4
standard error 244, 297, 1174
  duplicate file descriptor using 1>&2 299, 958
  file descriptor 297, 987
  redirect 297-299
  redirect error messages to 299, 958
  redirect using 2> 297
  redirect using exec 1007
  redirect while redirecting standard output 298
standard input 244, 1174
  file descriptor 297, 987
  keyboard as 244
  redirect using < 247-248
  redirect using 0< 297
  redirect using exec 1007
standard output 243, 1174
  append using >> 249
  duplicate file descriptor using 2>&1 298
  file descriptor 297, 987
  redirect output of sudo using tee 425
  redirect using > 246-247
  redirect using 1> 297
  redirect using exec 1007
  redirect using tee 254
  redirect while redirecting standard error 298
  screen as 244
standards
  directories and files 213-215
  FHS (Linux Filesystem Hierarchy Standard) 213
  FSG (Free Standards Group) 213
  FSSTND (Linux Filesystem Standard) 213
  Linux 7
  LSB (Linux Standard Base) 213
  OpenPGP Message Format 1114
  option handling 1015
  POSIX 7, 293
start utility 435
STARTTLS MTA 1115
startup files 204, 1174
  bash 293-296
  bash.bashrc 492
  BASH_ENV variable 294
  .bash_login 294
  .bash_logout 294
  .bash_profile 294-295, 151, 488
  .bashrc 294-295, 488
  bashrc 294
  .cshrc 1143
  .dmrc 449
  ENV variable 294
  .inputrc 343
  .login 1158
  .logout 1158
  .netrc 694
  .profile 294, 1166
  profile 294, 495
  rc.local 441
  .toprc 610
startx utility 270
stat utility 459
statd daemon 404, 776
statements, Perl 1047
static IP address 382
status bar, Nautilus 279
status file 533
status line 1174
status utility 13, 436
status, exit 1147
stealth port 871
sticky bit 1174
stop utility 435
stopping a program 151
stream-based protocols 380
streaming tape 1174
streams see connection-oriented protocol
strings 1174
  comparing 1018
  null 1163
  operators 1018t
  pattern matching 1018
  search for using grep 166
  within double quotation marks 315
Stroustrup, Bjarne 12
strtok() system call 947
Structured Query Language see SQL; MySQL
stty utility 151, 488
stylesheet see CSS
su utility 421, 431
subdirectories 200, 1174
subdomain, DNS 824
subnet 385, 385, 1174
  address 1175
  mask 385, 1175
  number 1175
  specifying 462, 462t
subpixel hinting 1175
subpixel smoothing 284
subroutine see procedure
subshell 306, 1175
subtraction operator 1020
sudo utility 98, 421-431
  see also root privileges
  admin group 428
  configuring 426-431
  defaults (options) 429
  edit sudoers file using visudo 426
  editing a file using -e or sudoedit 425
  environment 424
  options 425
  redirecting output 424
  redirecting output using tee 425
  root account password and 430
  root shell, spawning 424
  sudoers file 426-431
  timestamps 423
SUDO_EDITOR variable 425, 426
sudoedit utility 425
suggested packages 520
Sun Microsystems 741, 773
superblock 1175
superserver see inetd daemon; xinetd daemon
Superuser 1175, see also root account; root privileges
suspend key (CONTROL-Z) 151, 152, 255
SVID see System V Interface Definition
swap 1175
  filesystem 37, 498
  RAM and 38
  space 499, 1175
swapon utility 499
swarm, BitTorrent 539
swat utility 804-807
swatch utility 1126
switch, network 374, 375, 1162
Switcher, Workspace 104
symbolic hostname 401
symbolic links as special files 501
symbolic links see links, symbolic
symlinks see links, symbolic
synaptic utility 133-136
/sys directory 214, 499
sys directory 572
sysctl utility 572
syslog file 849
syslogd daemon 1120
system
  see also system calls
  boot failure 453
  booting 444
  characteristics of a well-maintained 418
  console see console
  crash 452
  dataless 774, 1144
  diskless 774
  initialization, customize 440
  logging in 100
  logs 625-627
  messages 500
  messages, rsyslogd daemon 625-627
  minimal 80
  mode 1176
  powering down 452
  rebooting 451
  reports 608, 621
  security 619
  shutting down 450
  single-user 1172
  slow 617
  upgrading 74
system calls 12
  exec() 303
  fork() 303, 328, 330, 947
  gethostbyname() 833
  sleep() 330
  strtok() 947
System menu 122
System V 1176
  init daemon 432
  init script see init script
  Interface Definition 7
system-config-printer utility 550-554
system-config-samba utility 800
sysv filesystem 506
SysVinit 432
SysVinit scripts see init script
sysv-rc-conf utility 441-443

T

T-1 line 374
T-3 line 374
TAB key 160
table 628
table, hash 1151
tail utility 167
talk utility 105
talkd daemon 405
Tanenbaum, Andrew 6, 505
tape archive see tar utility
tape, manipulate using mt 605
tape, streaming 1174
tar file 176
tar utility 176-178, 30:, 600, 601t, ¡02
.tar.bz2 filename extension 177
.tar.gz filename extension 177, 203
.tar.Z filename extension 177
tarball 176
task, Upstart 434
.tbz filename extension 177
TC Shell 1176
TCP 1176
TCP wrappers 465-466
TCP/IP 379
tcsh 1176
tee utility 254, 425, '05
teletypewriter 1178
telinit utility 43:, 4:, 444, 448, 151
telnet utility 391-393, 941, 1116
temporary file 983
tera- 1176
TERM signal 15., 1009
TERM variable 147
Termcap 1106
termcap file 1176
terminal 1176
  ASCII 1135
  character-based 1140
  device 1008
  emulator 125, 147, 244, 287
  failsafe 146
  files 244
  interrupt signal 1009
  names 1106
  pseudo 490
  reset using reset 458
  specifying 1106
  standard input 244
  standard output 244
  virtual 83
  X 1182
Terminal Server Project, Linux 774
terminating execution 151
Terminfo 1106
terminfo file 1176
terminology
  Apache 901
  desktop 117
  filesystem naming 36
  firewall 864
  GNOME 117
  partition name 36
  screen 243
  single-user versus recovery modes 445
  Upstart daemon 433
ternary operator 1023
test builtin 955-957, 957t, 96, 16-, 965, '6, 970, 976
testparm utility 817
text box 1176
textual
  application, running from a GUI 103
  installer 85-91
  interface 30, 30
  partitioning, manual 87
  system, installing 80
tftp utility 774
tftpd daemon 405
.tgz filename extension 203
theme 113, 1176
thicknet 375, 1176
thinnet 375, 1176
Thompson, Ken 11, 1136
thread safe see reentrant code
three-finger salute 451
thumb 1177
tick 1177
tick box see check box
.tif filename extension 203, 1177
.tiff filename extension 203, 1177
tilde expansion 206, 319, 359
tildes in directory stack manipulation 360
tiled windows 1177
time series data 647
time to live see TTL
time zone, graphical installation 59
time, synchronize using ntpd 404
timed daemon 405
tin utility 407
titlebar 106, 123
TLS, security 1115
/tmp directory 214, 383
todos utility 173
toggle 1177
token ring network 1177
tokens 238, 356, 1177
toolbar 124
toolbar, Nautilus 279
tooltip 118, 1177
top utility 610, 610t
.toprc file 610
.torrent filename extension 539
torrent, BitTorrent 539
Torvalds, Linus 2, 5, 7, 1156
touch utility 211
tput builtin 975
tr utility 173, 251, 298
traceroute utility 394
traceroute6 utility 395
tracker, BitTorrent 539
transaction signatures, DNS see DNS, TSIG
transient window 1177
Transmission Control Protocol see TCP
Transmission Control Protocol/Internet Protocol see TCP/IP
Transport Layer Security see TLS
transport layer, IP model protocol 380
trap builtin 975, 1009-1012
trap door see back door
trash, emptying 111
trash, Nautilus 282
tripwire utility 111, 126
Trojan horse 453, 453-454, 1177
Trolltech 275
true 1022
true utility LOI 1022
trusted hosts 391
tset utility 458
TSTP signal 1009
TTL 395, 829, 1178
tty file 1008
TTY see teletypewriter
tty1 file 439
tune2fs utility 512-514
tunneling 1178
tunneling using OpenSSH 681-683
tutorial, ftp 690-693
twisted pair cable 375
.txt filename extension 203
type builtin 1003
typeface conventions 20
typescript file 172
typeset builtin 317-318, 994
.tz filename extension 177

U

ubiquity utility 57-63, 70-74
Ubuntu 29
  see also graphical installation; installation; installation CD/DVD
  32-bit versus 64-bit 29
  64-bit versus 32-bit 29
  booting 53
  Canonical 31
  documentation 136-144
  downloading 27, 43-46
  editions 32
  Edubuntu 2
  governance 3
  Help Center window 116, 136
  history 2
  installation steps 42
  IRC channels 144
  Kubuntu 2, 75
  Launchpad 1125
  LTS release 31
  minimal system 80
  mirrors 45
  recovery mode see recovery mode
  releases 31
  Shuttleworth, Mark 2, 3
  Software Center window 132
  upgrading 74
  Web site, obtaining help from 144
  Xubuntu 2
UCE see spam
uchroot.c program 469
udev utility 502
UDP (User Datagram Protocol) 379, 381, 1178
ufs filesystem 506
ufw utility 874-876
UID 1178
  display using id 432
  effective 1147
  passwd file, in 494
umask builtin 459
umount utility 49^, 509
umsdos filesystem 506
unalias builtin 346, 349
uname utility 460, >88
unary operators 1020
undecillion 1178
unicast packet 381, 1178
Unicode 1178
uniq utility 168, :22
universe software package category 522
University of Illinois 409
UNIX
  Bourne Shell 292
  Linux roots in 3
  philosophy 388
  printing, traditional 558
  System V 3, 1176
  System V Interface Definition 7
unlocking the root account 431
unmanaged window 1178
unmount a filesystem using umount 509
unset builtin 316
unshielded twisted pair see UTP
until control structure 974-976
Update Manager 112
Update Manager window 113
updatedb utility 180
update-exim4.conf utility 724
update-grub utility 8, 587-588
upgrade installation 33
upgrading Ubuntu 74
Upstart
  DEFAULT_RUNLEVEL variable 440, 445
  event 437
  initctl utility 434
  rc-sysinit task 439
  reload utility 435
  start utility 435
  status utility 135
  stop utility 435
Upstart daemon 432-440
  anacron and 607
  communicate with Upstart using initctl 434
  event 433
  job definition files 438-440
  jobs 433, 435-436
  rc task 438
  rc-default task 439
  runlevel emulation 434
  runlevel event 438
  runlevel utility 444
  service 434
  shutdown utility 437
  starting 445
  status utility 436
  task 434
  telinit utility 437, 438, 444
  terminology 433
  ttyn tasks 439
uptime, display using w 183
uptime utility 183
urandom file 490
URIs 1179
URLs 410, 1179
usage messages 238, 958, »5, 964, 97, 1179, see also error messages; messages
USB devices, list using lsusb 641
Usenet 407-409
user
  see also user accounts
  display information about using finger 181
  ID see UID
  interface 1179
  list using w 183
  list using who 180
  map, Samba 799
  mode 1179
  name see username
  nobody, Samba 802
  private groups 493
  Samba 801
  Superuser see root account
user accounts
  see also user
  add using useradd 597
  graphical installation 61
  manage using users-admin 594-597
  modify using usermod utility 598
  remove using userdel 598
User Datagram Protocol see UDP
usermod utility 573
username 494, 1179
username, Samba 799
users-admin utility 594-597
userspace 1179
/usr directory 39, 214
UTC 1179
UTF-8 1179
utilities 1179
  see also commands; the Utilities index (page 1189)
  alternative names 491
  backup 600
  builtin 261
  builtins versus 956
  links to 491
  locate using whereis 178
  locate using which 178
  mail 186
  names, typeface 20
UTP cable 375
uucp utility 407
UUID 1179
  device 489
  fstab, in 510

V

/var directory 38, 215
.var filename extension 914, 935
variable 1180
  see also bash variables
  completion 343
  Perl lexical 1045
  Perl package 1045
VeriSign 1112
version control, Bazaar 518
vfat filesystem 506
vi see vim
video card see graphics card
View pane, Nautilus 277
viewport see workspace
vim 186-193
  case sensitivity 1139
  Command mode 188
  correcting a mistake 192
  correcting text 190
  deleting text 192
  exit, emergency 187
  help system 190
  Input mode 188, 189
  inserting text 192
  Last Line mode 188
  moving the cursor 191
  Normal mode see vim, Command mode
  page breaks 193
  quitting 193
  safedit script 981
  starting 186
  terminal, specifying 1106
  undoing changes 192
  vimtutor utility 186
  Work buffer 193
virtual
  consoles 83, 149, 1180
  machines 8-9
  memory and swap space 498
  memory, report on using vmstat 609
  package 526
  private network see VPN
  software packages 526
  terminal see virtual, consoles
VirtualBox 9
viruses 1122, 1180
visual effects 28, 115
VISUAL variable 425, 426
visudo utility 426
VLAN 1180
VMM (virtual machine monitor) 8
VMs (virtual machines) 8-9
vmstat utility 609
VMware 9
volume group (LVM) 42
volume label 458
VPN 1180
vsftpd
  see also FTP
  configuration files 701, 711
  configuration parameters
    connection 708
    display 707
    download 704
    log 708
    logging in 702
    message 707
    miscellaneous 710
    stand-alone mode 701
    upload 704
  daemon 699
  firewall, setting up 700
  ftp directory 703, 705
  ftp file 700, 703, 705
  init script 699
  log/vsftpd.log file 711
  more information 689
  prerequisites 699
  running in a chroot jail 703
  setting up 699-711
  stand-alone mode 699
  testing 700
  vsftpd.banned_emails file 703
  vsftpd.chroot_list file 711
  vsftpd.conf file 701
  vsftpd.log file 708
  vsftpd.pem file 710
  vsftpd.user_list file 702, 711
vsftpd.banned_emails file 703
vsftpd.chroot_list file 711
vsftpd.log file 708
vsftpd.pem file 710
vsftpd.user_list file 702
vt100 terminal 1106
vt102 terminal 1106
vt220 terminal 1106
Vulcan death grip 451
VxFS filesystem 506

W

w utility 183, 183t
W2K 1180
W3 see World Wide Web
W3C 1180
wall utility 615
Wall, Larry 1041
WAN 376, 1180
WAP 638, 1180
wc utility 170, 361
Web
  see also World Wide Web
  crawler 411
  ring 1180
web of trust 1114
webalizer utility 948
Webmail 731-733
weekly file 607
wget utility 543
whatis database 139
whatis utility 139, 437
wheel group 482
whereis utility 179
which utility 178
while control structure 970-973
whitespace 160, 1180
  on the command line 304
  quoting 315
who utility 180, 183t
whois utility 396
whois utility see jwhois utility
whos shell script 969
wide area network see WAN
widget 1180, see also GUI
Wi-Fi 1181, see also wireless
wiggly windows 115
wildcards 256, 1180, see also special characters
window 118, 123, 123-126, 1181
  see also screens
  active 153
  Add/Ubuntu Software Center 132
  Appearance Preferences 113
  Browse/Save 110
  cascading 1139
  clipboard 125
  cut and paste 124
  cycling 124
  decorations 155
  File Browser see Nautilus
  focus, input 124, 153
  ignored 1153
  input focus 153
  manager 18, 155, 275-276, 1181
    Compiz 115, 155
    GNUStep 276
    Metacity 115, 155
    WindowMaker 276
  minimize 1160
  moving 106
  Nautilus File Browser see Nautilus File Browser
  Object Properties 128-130
  Panel Properties 119
  Pick a Color 285
  Pick a Font 284
  resizing 106
  root 118, 125, 1170
  Run Application 103, 286
  Save 110
  scrollbar 1171
  Search for Files 286
  slider 1172
  snap 1172
  Software Sources 131
  thumb 1177
  tiled 1177
  titlebar 106, 123
  toolbar 124
  transient 1177
  Ubuntu Help Center 116, 136
  unmanaged 1178
  Update Manager 113
  wiggly 115
  Window Preferences 154
  working with 106
  Workspace Switcher 104
  Workspace Switcher Preferences 104
Window List applet 121
Window Operations menu 124
Window Preferences window 154
WindowMaker window manager 276
Windows
  see also Samba
  convert files from/to Linux format 173
  dual-boot system 76
  file namespace versus Linux 35
  filename limitations 202
  formatting 33
  integration see Samba
  net use utility (Samba) 818
  net view utility (Samba) 818
  networks, browse using Samba 816
  NTFS driver 1105
  print from, using CUPS 566
  print from, using Samba 567
  print to, using CUPS 568
  shares
    see also Samba, share
    mounting 816
    working with using Samba 815
WINS 1181
wiping a file 490
wire see cable
wireless
  802.11 specification 1134
  access point 638, 1181
  ad hoc mode 640
  bridge 639
  configuring 645
  infrastructure mode 640
  network 376
wireshark utility 1126
words 151, 238, 1181
  count using wc 170
  delete using CONTROL-W 151
  erase key (CONTROL-W) 240
  looking up 1104t
  on the command line 356
  splitting 323, 363
Work buffer 1181
working directory 204, 1181
  change to another using cd 209
  executing a file in 301, 320
  relative pathnames and 206
  significance of 206
  versus home directory 210
workspace 118, 1181
  desktop, and the 101
  GNOME 18
  Workspace Switcher 104
workstation 10, 1181
World Wide Web 409
  browsers 409, 410
  Consortium 1180
  hypermedia 410
  hypertext 409
  Mosaic browser 409
  Netscape Navigator 410
  search engines 411
  URLs 410
  Web crawler 411
worms 1122, 1181
write access permission 215
write utility 184, 515
wtmp file 623
www directory 902, 905, 909
WWW see World Wide Web
WYSIWYG 1181

X

X
  Consortium 268
  server 1181
  terminal 1182
  utility 268, see also X Window System
  Window System 17, 268, 1182
    client and server 269
    color depth 273
    display number 272
    -display option 273
    DISPLAY variable 272
    display, access to 271
    emergency exit 274
    events 269
    exiting from 273
    freedesktop.org group 276
    ID string 272
    library 155
    mouse see mouse
    -nolisten tcp option 271
    remote computing and local displays 270
    screen number 272
    server 269
    starting 270
    startx utility 270
    X servers, running multiple 273
    X stack 268
    X terminal 1182
    X11 forwarding, OpenSSH 668, 675, 680, 681
    xev utility 270
    XFree86 versus X.org 268
    xhost utility 271
    Xinerama 1182
    Xlib 268
    xmodmap utility 274
X11 directory 214
x86 processor architecture 30
xargs utility 622
XDMCP 1182
xDSL 1182
Xen 9
xev utility 270
Xfce desktop 2
xfs filesystem 506
xhost utility 271
.xhtml filename extension 914
Xinerama 1182
xinetd daemon 405, 464, .99
XINU 6
Xlib 268
XML 1182
xmodmap utility 274
Xremote 381
xrn utility 407
XSM 1182
xterm terminal name 1106
Xubuntu 2, 28
xvnews utility 407

Y

Yellow Pages 742
yp.conf file 747
ypbind daemon 748
ypcat utility 744
ypinit utility 755
ypmatch utility 744
yppasswd utility 748-750
yppasswdd init script 757
ypserv.conf file 751
ypwhich utility 747
ypxfr utility 755
ypxfrd daemon 755

Z

.Z filename extension 176, 203
Z Shell 1182
zcat utility 175
zero file 491
Zimmerman, Phil 1114
zones, DNS 824
zsh shell 1182
zulu time see UTC
