Unix System Administration (A Beginner's Guide) Steve Maxwell


UNIX System
Administration:
A Beginner’s Guide

Steve Maxwell

McGraw-Hill/Osborne
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto

Copyright © 2002 by The McGraw-Hill Companies, Inc. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-222833-4

The material in this eBook also appears in the print version of this title: 0-07-219486-3

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS”. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/0072228334


About the Author

Steve Maxwell has been actively involved with UNIX and computer networking for the last 20 years. He has worked for a number of companies, institutions, and organizations in a variety of capacities that have included network design, software development, and training. Recently, Steve decided that it was time to join another start-up company, and he now works at FineGround Networks, Inc., where he is responsible for ensuring that the company delivers quality software products. Steve welcomes your feedback on any aspect of this book; please send comments, questions, and suggestions to sjmaxwell@worldnet.att.net.

About the Technical Reviewers

John Tiso is a senior consultant for NIS, a Boston-based integrator of Sun Microsystems and Cisco Systems. He has a B.S. degree from Adelphi University and is certified in UNIX from HP, Sun, and IBM. John is also a Cisco CCIE (CCIE #5162), MCSE, and MCNE. He has published papers in several leading technical journals, such as Element K and SysAdmin, and has served as a technical editor for a variety of books. John can be reached at johnt@jtiso.com.

Jim Minatel is a freelance writer and editor with more than 13 years of publishing experience in mathematics, statistics, and computing. He has authored and co-authored several books about the Internet and World Wide Web in the early Netscape era, and most recently served as Editor in Chief for two magazines for networking professionals and IT managers. He holds undergraduate degrees in mathematics and physics, and an M.S. in mathematics.


Contents

ACKNOWLEDGMENTS ..... xvii
INTRODUCTION ..... xix

1 Introduction to UNIX ..... 1
  1. Uncover the History of the UNIX System ..... 2
  2. Explore the Elements of a Computer System ..... 3
  3. Show the UNIX Timeline ..... 7
    AT&T Invents UNIX ..... 7
    BSD Is Born ..... 8
    The System V Releases ..... 8
    AT&T/Sun Deal ..... 9
    The Internet Worm ..... 9
    OSF/1 ..... 9
    Mach ..... 10
    Linux Is Introduced ..... 10
    Red Hat ..... 10
  Versions of UNIX Today ..... 10
    Why UNIX Is Popular ..... 11
    Modular UNIX ..... 15
    The Kernel ..... 15
  4. Discover the Roles of the UNIX System Administrator ..... 18
    Support the Network ..... 19
    Handle Peripherals ..... 19
    Manage System Upgrades ..... 20
    Actively Monitor System Security ..... 20
    Maintain System Accounts ..... 21
    Advance Your Knowledge ..... 21
    Teacher ..... 22
    Politician ..... 22
    Parent ..... 23
    Police Officer ..... 23
    Friend ..... 24
  Mastery Check ..... 25

2 Basic UNIX Commands ..... 27
  1. Explore the UNIX Shell ..... 28
  2. Investigate Basic UNIX Commands ..... 31
    cat ..... 34
    date ..... 35
    hostname ..... 37
    find ..... 38
    ls ..... 42
    strings ..... 49
    ps ..... 52
    uname ..... 59
  Project 2-1 ..... 62
  Mastery Check ..... 63

3 Using System Administration Tools ..... 65
  1. Managing Solaris Using Admintool ..... 67
    Add a New User ..... 67
    UNIX Account Example ..... 72
    Modifying a User ..... 73
    Deleting a User ..... 74
    Adding a New Group ..... 76
    Modifying a Group ..... 79
    Deleting a Group ..... 79
  2. Manage Linux Accounts with Userconf ..... 80
    Add a New User ..... 80
    Modifying a User ..... 86
    Delete an Existing User ..... 88
    Adding a New Group ..... 90
  3. Manage HP-UX Using SAM ..... 92
    Add a New User ..... 94
    Modifying a User ..... 98
    Delete an Existing User ..... 99
    Adding a New Group ..... 101
    Deleting an Existing Group ..... 103
  4. Set Up Better Account Security ..... 105
    Expiring a Password Using Admintool ..... 106
    Expiring a Password Using Userconf ..... 106
    Expiring a Password Using SAM ..... 107
    Regular Password Changes Using Admintool ..... 109
    Regular Password Changes Using Userconf ..... 110
    Turning Off an Account Using Admintool ..... 111
    Turning Off an Account Using Userconf ..... 113
    Automatic Account Expiration Using Userconf ..... 114
  Mastery Check ..... 116

4 Software Package Management Tools ..... 117
  1. Discover Solaris Package Tools ..... 119
    pkginfo ..... 119
    pkgadd ..... 123
    pkgrm ..... 124
  2. Discover HP-UX Package Tools ..... 126
    swlist ..... 126
    swinstall ..... 130
  Project 4-1 ..... 130
    swremove ..... 133
  Project 4-2 ..... 133
  3. Discover Linux Package Tools ..... 136
  Project 4-3 ..... 137
  Mastery Check ..... 139

5 Maintaining UNIX Users ..... 141
  1. Discover the /etc/passwd File ..... 142
  2. Discover the /etc/group File ..... 146
  3. Discover the /etc/shadow File ..... 149
  4. Explore UNIX Account Tools ..... 152
    passwd ..... 153
    pwck ..... 156
    grpck ..... 159
    useradd ..... 159
    userdel ..... 161
    usermod ..... 162
    groupadd ..... 163
    groupdel ..... 164
    groupmod ..... 164
    logins ..... 164
    vipw ..... 166
  Project 5-1 ..... 166
  Mastery Check ..... 168

6 File Systems, Disks, and Tools ..... 171
  1. Explore a UNIX File System ..... 172
  2. Uncover a Disk Partition ..... 176
  3. Determine a Mounted File System ..... 179
  Creating a New File System ..... 180
    Using the Solaris Format Tool ..... 180
    Using the Linux fdisk Tool ..... 186
  4. Create a New File System ..... 187
    Checking the New File System ..... 188
    Mounting UNIX File Systems ..... 191
    Unmounting a UNIX File System ..... 193
  Project 6-1 ..... 193
  Mastery Check ..... 195

7 System Security ..... 197
  1. Define a Security Policy ..... 199
  2. Maintain System Patches ..... 200
  3. Uncover System Hardening ..... 201
    Elimination of Unnecessary Services ..... 201
    Configuration System Profiles ..... 202
  4. Investigate Security Tools ..... 205
    The NMAP Tool ..... 206
  Project 7-1 ..... 218
  The Secure Shell Facility ..... 220
    ssh ..... 222
    scp ..... 223
    ssh-keygen ..... 223
    ssh-agent/ssh-add ..... 225
    The Sudo Tool ..... 226
  Project 7-2 ..... 228
  Mastery Check ..... 229

8 Backup and Restore ..... 231
  1. Define Backup Elements ..... 232
    User Perspective ..... 233
    Density and Form Factor ..... 233
    Network Bandwidth ..... 235
    Remote Sites ..... 236
    Backup Methods ..... 236
  2. Explore Backup Tools ..... 238
    dump ..... 238
    dd ..... 240
    restore ..... 240
    tar ..... 241
  Project 8-1 ..... 243
  Mastery Check ..... 244

9 System Operations ..... 247
  1. Determine the Boot Process ..... 248
  2. Explore the Shutdown Process ..... 249
    Halting the System ..... 251
    Rebooting the System ..... 252
    Normal System Shutdown ..... 255
    Determining When the System Was Halted ..... 256
  3. Uncover UNIX Operating Levels ..... 257
    The Default Run Level ..... 261
    List the Current Run Level ..... 261
    Single-User Mode ..... 262
    Boot to Single-User Mode ..... 263
  Project 9-1 ..... 263
  Mastery Check ..... 265

10 The TCP/IP Suite ..... 267
  1. Uncover the General Seven-Layer OSI Network Model ..... 270
    Application Layer ..... 270
    Presentation Layer ..... 270
    Session Layer ..... 271
    Transport Layer ..... 271
    Network Layer ..... 271
    Data Link Layer ..... 271
    Physical Layer ..... 271
  2. Discover the TCP/IP Protocol Architecture ..... 272
    Process Layer Services ..... 273
    End-User Tools ..... 274
    Additional Protocols ..... 274
    System Services ..... 275
    Additional Services ..... 280
    Host-to-Host Layer ..... 281
    Internet Layer ..... 292
    Internet Control Message Protocol ..... 299
  3. Discover the Address Resolution Protocol ..... 304
    Packet Format ..... 306
    ARP Cache ..... 307
    Data Link Address Format ..... 308
  Mastery Check ..... 312

11 Basic Network Tools ..... 315
  1. Explore the Network Address Table on a UNIX System Using arp ..... 316
    Displaying the ARP Cache ..... 317
    Deleting an ARP Cache ..... 321
    Adding an ARP Cache Entry ..... 322
  2. Control Network Interfaces Using Ifconfig ..... 324
    Listing Available Interfaces ..... 325
    Controlling Interface State ..... 328
    Modifying Interface Parameters ..... 329
    Special Configuration Parameters ..... 331
    Logical Interfaces ..... 332
  3. Monitor Network Operations Using Netstat ..... 334
    Displaying Active Network Sessions ..... 335
    Displaying Interface Information ..... 340
    Display Routing Information ..... 342
    Display Multicast Information ..... 344
    Display Protocol Statistics ..... 345
  4. Verify Network Connectivity Using Ping ..... 346
    Determine System Availability ..... 347
    Show Basic Network Performance ..... 350
    Additional Command Options ..... 354
  5. Gather Network Information with Lanscan ..... 356
  Project 11-1 ..... 357
  Mastery Check ..... 358

12 Advanced Network Tools ..... 361
  1. Monitor Network Traffic with the tcpdump Tool ..... 362
    Operating Modes ..... 364
    Display Options ..... 368
    Using Packet Filters ..... 371
    Address Primitives ..... 372
    Protocol Primitives ..... 374
    Operators ..... 375
    Miscellaneous Primitives ..... 377
    Qualifiers ..... 378
    Tcpdump Command Examples ..... 379
  2. Execute the traceroute Command to Show Network Connectivity ..... 382
    Reading Output ..... 384
    Changing Characteristics ..... 387
    Display Options ..... 389
  3. Verify Basic Operations Using the landiag Command ..... 390
  Project 12-1 ..... 392
  Mastery Check ..... 393

13 Overview of SNMP ..... 395
  1. Discover SNMP Basics ..... 397
    SNMP Applications ..... 399
  2. Uncover MIBs ..... 399
    Object Types ..... 401
    Sample MIB Object ..... 404
    SNMP Tables ..... 406
    Accessing Objects ..... 410
    Standard and Private MIBs ..... 410
    SNMP Communities ..... 411
  3. Explore SNMP Versions ..... 412
    SNMP Protocol Operation ..... 416
    SNMP Response Codes ..... 422
    Transmission of an SNMP Message ..... 423
    Connectionless Protocol ..... 424
  4. Investigate SNMP Master and Subagent ..... 424
  Mastery Check ..... 427

14 Using the Domain Name System ..... 431
  1. Discover How the Domain Name System Works ..... 432
  2. Explore Both DNS Server and Client Components ..... 435
    Domain Files ..... 435
    Processes ..... 442
    DNS Tools ..... 444
  Explore DNS Client Components ..... 449
  Project 14-1 ..... 451
  Mastery Check ..... 452

15 Using NIS ..... 453
  1. Overview of Network Information Services ..... 454
  2. Discover NIS Components ..... 456
    Databases ..... 456
    Processes ..... 457
    Tools ..... 458
  3. Setting Up a NIS Server ..... 463
  Project 15-1 ..... 463
  4. Configure a NIS Client ..... 466
  5. Setting Up a Secondary NIS Server ..... 467
  Mastery Check ..... 469

16 SNMP System Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
1. Discover Elements of System Management . . . . . . . . . . . . . . . . . . . . . . . 472
System Heartbeat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
System Up/Down Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

UNIX System Administration: A Beginner’s Guide

System Process Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Network Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
System Configuration Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
2. Explore the UCD SNMP Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Common Command-Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Environment Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
3. Use the UCD Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Snmpdelta Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Snmpget Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Snmpgetnext Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Snmpnetstat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Snmpset Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Snmpstatus Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Snmptable Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Snmptest Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Snmptranslate Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Snmptrap Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Snmptrapd Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Snmpwalk Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Snmpbulkwalk Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

17 Using Network File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Versions of NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
1. NFS Server Uncovered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
The nfsd Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
The lockd Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
The statd Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
The mountd Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
2. Mounting Remote File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
The dfstab/export Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Share/Export File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
3. Exploring NFS Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
exportfs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
share/unShare (Solaris Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
showmount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
nfsstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
4. Configuring NFS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
5. Controlling the File System Mount Table . . . . . . . . . . . . . . . . . . . . . . . . . 528
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531

18 File Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
1. Explore a Sample FTP Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Obtaining a Directory Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539

Retrieving a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Sending a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Monitoring File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
2. Discover FTP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
3. Controlling FTP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
4. Configure Anonymous FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Setting Up Anonymous Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
5. Log FTP Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Enable FTP logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Enable the syslog Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Project 18-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

19 Important System Administration Tasks/Information . . . . . . . . . . . . . . . . . 555
1. Communicate with Users on the System . . . . . . . . . . . . . . . . . . . . . . . . . 556
2. Increase System Swap Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
List Swap Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Add More Swap Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
3. Control Root Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
4. Display System Configuration Information . . . . . . . . . . . . . . . . . . . . . . . 561
The /proc Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Project 19-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

20 Using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
1. Use The Solaris DHCP Configuration Manager . . . . . . . . . . . . . . . . . . . . 574
Starting the Solaris DHCP Configuration Manager . . . . . . . . . . . . . . 574
Configuring DHCP Services for the First Time . . . . . . . . . . . . . . . . . 575
Using the Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Adding IP Addresses to the DHCP Server . . . . . . . . . . . . . . . . . . . . . 585
2. Configure DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Manual DHCP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Set Up Automatic and Permanent DHCP Configuration . . . . . . . . . 594
Obtain DHCP Agent Status Information . . . . . . . . . . . . . . . . . . . . . . 595
Configuration of DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Viewing Network Information on Windows . . . . . . . . . . . . . . . . . . . 598
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

21 Using rdist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
1. Create an rdist Distribution File for Synchronizing Files . . . . . . . . . . . . 609
2. Debug an rdist Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
3. Investigate rdist Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Task Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Excluding Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Invoking Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

4. Explore an rdist Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Project 21-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Mastery Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
A Answers to Mastery Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Module 1: Introduction to UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Module 2: Basic UNIX Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Module 3: Using System Administration Tools . . . . . . . . . . . . . . . . . 626
Module 4: Software Package Management Tools . . . . . . . . . . . . . . . 627
Module 5: Maintaining UNIX Users . . . . . . . . . . . . . . . . . . . . . . . . . 627
Module 6: File Systems, Disks, and Tools . . . . . . . . . . . . . . . . . . . . . 628
Module 7: System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Module 8: Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Module 9: System Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Module 10: The TCP/IP Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Module 11: Basic Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Module 12: Advanced Network Tools . . . . . . . . . . . . . . . . . . . . . . . . 630
Module 13: Overview of SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Module 14: Using Domain Name System . . . . . . . . . . . . . . . . . . . . . 632
Module 15: Using NIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Module 16: SNMP System Management Tools . . . . . . . . . . . . . . . . . 632
Module 17: Using Network File System . . . . . . . . . . . . . . . . . . . . . . 633
Module 18: File Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Module 19: Important System Administration Tasks/Information . . 634
Module 20: Using DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Module 21: Using rdist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635

B Tools at a Glance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
C Overview of MIB-II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Discover MIB-II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
System Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Interfaces Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

Acknowledgments

I wish to thank my darling wife, Nita, known also as my better half, corporate
buddy, main squeeze, partner in crime, and overall the best companion I have
ever known. You truly are a gift from above! To JC for again talking and walking
with (and sometimes carrying) me when you were the only one that could help.
I also wish to thank the McGraw-Hill production staff for their
outstanding efforts in preparing the manuscript for production. Thanks go
to Lisa Wolters-Broder for handling the many details of chapter preparation
and to Emma Acker for coordinating the book process. Special thanks to
Franny Kelly, my acquisitions editor, for managing the Osborne UNIX series
and coordinating the fine art of book publishing. Thanks also to John Tiso for
reviewing the manuscript and providing critical feedback. Thanks to Jim Minatel
for adding important book elements to the chapters! Finally, special thanks to
Sam Yu for reviewing elements of the manuscript.

Copyright 2002 by The McGraw-Hill Companies, Inc. Click Here for Terms of Use.

Introduction

This book addresses the fundamentals of UNIX system administration and
focuses on the important elements of maintaining a small, medium, or large
network of UNIX systems. It tells you everything you need to know to be
a successful system administrator or manager. Even non-networked environments
are covered so that you are prepared to address the many different issues and
problems that are typically encountered with them.
Enterprise networks (or clusters) of UNIX systems have become the critical
link and key component of the information landscape for corporate America.
UNIX systems have been deployed within every corporate function and within
a broad section of businesses and markets. This widespread acceptance and
deployment means that UNIX systems are now more on the critical path than
ever before. In many corporations and institutions, a system failure or network
outage can have serious implications for the organization’s ability to conduct
standard business activities or communicate with their customers or key partners.
In the financial community as well as other market segments, even a relatively
small system failure or outage can result in significant financial impact or have
other far-reaching implications.
Many of today’s corporate and institutional UNIX sites are characterized
by significant growth in the diversity and the total number of systems installed.
In these heterogeneous computing environments, it is difficult to effectively

manage the many different computer systems and peripherals because many
of the system administration tasks are done in an ad-hoc manner, or lack
comprehensive tools. Sometimes tasks must even be done manually. A critical
system or network failure can significantly impact the use of corporate services
and affect the day-to-day operations of an organization. Many systems have
also been deployed with very little regard for their manageability or upgrade
capabilities. This makes the tasks of the system administrator that much harder
due to the added requirements of legacy systems, where key system tools are
not available with the basic system.
This book will give you the knowledge of important tools, step-by-step
procedures, and the skills necessary to effectively administer UNIX systems. It
is meant to be very practical in nature, and focuses on only the more important
elements to system administration, not esoteric subjects that have little relevance
to the important issues faced by today’s UNIX administrator.

Audience

The primary audience for this book is the beginning system administrator or
network manager, as the title suggests. If you already know the difference
between the netstat and mount commands, then this book might not be
up to your speed. On the other hand, if you have used some of these commands
before, but don’t really understand the bigger picture, or if you want additional
information about the commands or options, then this book will help guide
you. The book focuses more on how to use software tools and administration
procedures than on lengthy descriptions of operating system design or system
architecture. However, where appropriate, some theory of operation and/or
design is provided to ensure that you fully understand the mechanics of critical
services or functions.

UNIX Versions
All of the tools discussed in this book and the examples provided are from
Solaris and Linux, with some tools that are also based on the HP-UX operating
system. Because many of the UNIX tools are available across a wide variety of
versions of UNIX, you will have little difficulty adapting and using the tools in
other environments.

Module 1
Introduction to UNIX

Critical Skills
1.1 Uncover the History of the UNIX System
1.2 Explore the Elements of a Computer System
1.3 Show the UNIX Timeline
1.4 Discover the Roles of the UNIX System Administrator

Before you jump in and type your first UNIX command, you’ll benefit from
understanding some general background on how computer architecture is
organized. When you combine that knowledge with a brief history of UNIX and
what features UNIX provides, you’ll begin to understand some of the advantages
UNIX provides over other operating systems. From there, you are ready to learn
what a UNIX system administrator does, and you’ll see not all of those duties are
technical. So to start at the most basic level, you want to know what UNIX is.

1.1 Uncover the History of the UNIX System
The UNIX system was introduced more than 30 years ago and is still one of the
most widely used and popular operating systems to this day. UNIX is used in
businesses, universities, institutions, and even individual homes to support a
variety of applications and functions. UNIX is quite universal and is used all
over the world by many different types of people for a host of different purposes.
UNIX is supported on a wide range of computer systems—from a single personal
computer to very large, high-end workstations and servers and even mainframe
class systems.
Certainly as expected, UNIX has gone through a myriad of changes and
modifications, which involved a large number of individuals, institutions,
and companies. UNIX has improved in many significant ways and as a result is
much more functional and provides a large pool of applications, tools, utilities,
and other software. The UNIX operating system has been ported to pretty much
every major computing platform and system architecture popular within
the computer industry. UNIX is available for just about all general-purpose
computer systems.
Typically, UNIX can be found on many common computer platforms and
users have direct interaction with the operating system. However, many turnkey
systems simply use UNIX to support one or more applications. The users of
these specialized systems generally interact with the application, but not UNIX
itself. It is very possible that many users of UNIX systems do not actually know
they are using UNIX, because their view of the system is restricted to the
application running on top of the operating system. UNIX has also found its
way and gained popularity in the embedded world, which means, like the
turnkey approach, UNIX is hidden from the user community. The embedded
world contains a plethora of devices like cameras, controllers, handheld
devices, and just about anything else that supports a computer processor, and
UNIX can be used to provide a scalable, flexible system that can expand as the
device’s capabilities improve over time.
UNIX is constantly being improved, refined, and retooled. In other words,
it is still going through changes and enhancements. That is the beauty of
UNIX; like a fine wine, it gets better with age! As a system administrator, you
will be able to grow with UNIX—as it gets better, so will you as you become
more familiar with the system and specific tools. UNIX is many things to many
people. For the software writer, UNIX is a development platform to build
software. For general users of the system, it is using whatever applications they
need to accomplish their job. For the administrator, it is a system that changes
and must be maintained and improved over time. However, with these changes
come challenges, and as a system administrator you will need to maintain your
knowledge of UNIX on a consistent basis in order to be effective.

1.2 Explore the Elements of a Computer System
Every general-purpose computer system, no matter where it was designed or
manufactured, can be divided into functional areas or different modules so that
it can be explained and understood. Today, there is a large selection of computers
on the market. However, despite many different “brands” of systems, many
of them are based on a small number of common components and computer
architecture types. For example, in the personal computer space, the Intel
Pentium processor (and various clones) is one of the most popular throughout
the world. Despite this popularity, other computer systems such as the Apple
Macintosh and others continue to flourish. Generally speaking, every time a
dealer or maker sells a computer, it is shipped with both an operating system
and a set of applications. Without such software, the computer system would be
virtually useless because the user would have no way to interact with the system.
Figure 1-1 shows a diagram of the typical computer system, which contains
the different functional areas or modules within a computer. At the highest
level, applications are designed and written to accomplish very specific business
functions for users. At the lowest level, we have the physical hardware of the
computer. At this level all of the hardware-related services are available, such
as connecting to a network, saving information to secondary storage (that is,
hard disk drive), accessing the CPU, and so forth. Typically, these functions
are very specific to the type or architecture of the system as well as the different
kind of peripheral devices used. For instance, the way memory is allocated for
applications can be somewhat different for the different types of computers
available on the market today.

Figure 1-1 A diagram of the typical computer system
An operating system or OS can be generally described as software that
provides an interface layer for applications so that they can interact with the
hardware components of the computer. Some examples of popular operating
systems include the Macintosh OS, Windows 2000, Palm OS, and UNIX. Although
each of the operating systems mentioned is different in design and may contain
alternative user interfaces, they all provide most of the same basic features. At
the middle layer or operating system level, many of the hardware functions are
made available for the upper application level. For example, many computers today
come with a DVD or CD drive that can be used to view movies or play compact
discs (CDs) on the computer. The computer provides the ability to play music
though the internals of the system. However, in order to listen to your favorite
music CDs, the operating system must provide some user application that permits
access and control of the DVD or CD drive. The application must provide the
ability to play, stop, skip between tracks, eject the disc, and so forth when
necessary. Thus, the software application must control the hardware in order
for the user to experience the full use of the hardware. Additional examples of
operating system support for hardware include control and access to peripheral
devices such as printers, modems, networks, computer monitors, keyboard,
pointing devices, etc.

It is important to note that not all hardware functions are always completely
supported by the operating system—or even with certain applications. This
can be due to several factors such as operating system vendors not wishing to
support proprietary hardware designs or even functional defects within the
computer hardware itself. However, sometimes, one of the most common reasons
is that hardware development improvements are not completely synchronized
with operating system releases. In other words, when new computers are sold
and provide newer features and functions, the operating system may not
completely support these improvements because the software may have been
released before the hardware. In this case, the hardware wasn’t available while
the software was being written. As a result, the operating system vendor
might release a “patch” or upgrade, which is a smaller subset of software
(also sometimes called a module) that gives the operating system the means
to exploit the desired new hardware feature. Patches and/or upgrades are also
used to address software defects or other problems within the operating system.
The user must install the new software in order for the operating system to
support the new hardware. Generally speaking, because operating systems
are quite complex, certain patches have been known to cause additional or
unanticipated problems. This is where things can get quite interesting, because
a specific patch may be needed to support some application, but at the same
time it also causes some other problem, which must be addressed as well—
possibly by yet another patch or upgrade!
The operating system provides a set of core functions for applications such
as memory management, peripheral access, device interfaces, process scheduling,
and the like. Figure 1-2 contains a pictorial view of a typical operating system.
Each area of the operating system (or module) is responsible for that aspect
of the system, but is usually controlled by a single master program or process.
Instead of applications talking directly to hardware devices, the operating system
layer is defined to make it easier for application designers and writers to produce
less complex software. For example, consider an application that must have
the capability of producing reports to an output device such as a laser printer.
Without an operating system, the application must support the required
functionality by printing to these types of devices. Also, given that many different
kinds of laser printers are available on the market, it is very difficult to support
each of the manufacturers’ models within an application. To remedy this situation,
the operating system can provide a database of laser printers’ description types
and applications can simply use one of the predefined templates.

Figure 1-2 Diagram of a typical operating system

As you can see from the figure, many low-level functions are supported
within a typical operating system. Also, of equal importance is the user
interface that is provided. The user interface usually comes in two different
flavors for most operating systems: command line and graphical. The graphical
user interface (GUI) also makes the operating system more “user friendly” by
insulating the details or automating specific tasks or functions. The GUI is
typically used by new users or even by experienced users that choose not to
use the command line. The GUI provides a windowing system or some other
graphical elements to represent functions and tasks within the operating
system. For instance, should the user wish to delete one or more files, a series
of file and/or folder icons are displayed and the user simply selects the files
they wish to remove and uses the appropriate menu item.
The alternative interface, typically called the “command line”, provides a single
“prompt” to the system. Generally, the user must know more details about
the system in order to use this interface, which is usually used to bypass the
GUI to accomplish a very specific task. A “power user” sometimes uses this
method. Power users are individuals who have mastered the system and can
typically use the system without the GUI.

Ask the Expert
Question: Why does the operating system layer make it easier for programmers
to write applications to use computer hardware resources?
Answer: Because most personal computers on the market use an open
architecture (the hardware specifications are public and many vendors can
produce various components), there are thousands of different hard drives,
memory modules, video cards, motherboards, and other components that
should all work together if you assemble them into a system. Very few
programmers or application vendors would have the resources to write code
to interact directly with each of these different pieces of hardware. So, the
operating system includes the programming so it can interface with any one
of thousands of hard drives, but an application programmer can write just one
set of code to access any hard drive through the operating system.

1.3 Show the UNIX Timeline
The UNIX operating system has a long and varied history, which is one of the
major reasons why it is alive and well today. The history behind UNIX and
the many individuals and organizations that helped mold and shape its past
can be quite detailed. As an alternative to providing a rather mundane detailed
listing involving all of the historical events surrounding UNIX, a time line
and description showing the most significant and key events will be provided
instead. Figure 1-3 shows this time line and each of the major events is
described below.

AT&T Invents UNIX
AT&T invented UNIX back in the early 1970s to support their internal
development efforts and to integrate a scalable operating system within their
communication products. They also released a version of UNIX to corporations
and universities, which supported software development, text processing, and
other user-level applications. One particularly popular release of UNIX was
known as the Programmer Work Bench (PWB). This release provided a wide
variety of development and text processing tools, which became very popular
in the university community.

Figure 1-3 The UNIX timeline

BSD Is Born
The University of California at Berkeley was contracted by the government to
port AT&T UNIX to the Digital VAX architecture. The subsequent release of
this version of UNIX became known as the Berkeley Standard Distribution (BSD)
release. The BSD operating system introduced many new features and tools,
which played an important role in the future of UNIX. BSD added important
networking features such as TCP/IP networking facilities and virtual memory
support. Among some of the most popular tools included are the Vi editor, a
program called more, the termcap terminal facility and many others. The “r”
family of utilities that provides networking capabilities between UNIX systems
and users was also introduced with BSD.

The System V Releases
AT&T released several major operating system versions of UNIX, which became
known as “System V”. Several large computer manufacturers licensed these
operating systems and provided ports to their own computer hardware platforms.
It was these ports (plus software from BSD) that later would become UNIX
products such as AIX, HP-UX, and Solaris.

AT&T/Sun Deal
Due to industry pressures and other important factors, both AT&T and Sun
Microsystems formed a partnership where Sun would port the System V release
of UNIX onto Sun computer systems. At that time, Sun supported both Motorola-
and Sparc-based computer systems. Over time, however, Sun discontinued
support for Motorola-based computers and focused quite heavily on their Sparc
systems. The porting effort by Sun resulted in the formation of the Solaris
operating system that we have today. Prior to the System V port, Sun used the
BSD release of UNIX, which was called Sun OS. Over time the Sun OS release
was discontinued and Solaris became the dominant operating system. Solaris
incorporates AT&T System V, Sun-specific software enhancements, plus BSD
packages and tools. Today, Solaris is one of the most popular UNIX operating
systems in the world.

The Internet Worm
Although the Internet worm of 1988 had much to do with system and network
security, it also involved UNIX in a significant way since this security attack
demonstrated the vulnerabilities of the UNIX operating system and networking
infrastructure of the Internet at that time. The Worm was responsible for
infecting many UNIX systems and used the Internet as the connecting medium.
It was so virulent that it caused many systems to crash due to the high CPU
load that the software consumed when running. Despite the fact that the Worm
didn’t actually corrupt data files on the systems it penetrated, it did cause major
problems since each of the operating systems of the infected systems had to be
reinstalled. This was no small task for system administrators. This was certainly
a major issue for many since automatic software installation wasn’t as good as it
is today and many installations were done manually. As a result of the Worm,
UNIX and the Internet became more secure.

OSF/1
Due to the activities surrounding the AT&T/Sun partnership, several prominent
computer manufacturers (HP, Digital Equipment Corporation (DEC), IBM,
and others) decided to attempt to even the playing field by forming a new
organization called the Open Software Foundation (OSF). The organization
was tasked with developing a version of UNIX that would compete with the
AT&T/Sun operating system. The product that ultimately was developed was
called OSF/1, which was based on the Mach operating system. DEC, among
other computer companies, offered the OSF/1 release to their customers. Due
to the popularity of the AT&T/Sun operating system, and changes within the
UNIX industry, OSF/1 was never widely adopted.

Mach
The Mach operating system, developed at Carnegie Mellon University, was
derived from a port of the BSD version of UNIX and introduced in 1985. Mach
provided much needed support for multiprocessors and also included other
important improvements. Several ports of Mach were made by different computer
manufacturers, and for a time Mach enjoyed some popularity, but in the long
run the operating system wasn’t widely adopted.

Linux Is Introduced
Back in 1985, Linus Torvalds introduced a version of UNIX for the Intel
processor—Linux. Today, Linux (and its variations) stands as a pinnacle
of the open source movement and the achievement of many individuals who
have contributed to the Linux effort.

Red Hat
Released in 1995, the Red Hat Linux operating system combines several aspects
of the Linux system in a popular package. The Red Hat operating system provides
a host of important features, contains many third-party tools and utilities, and
is one of the most popular Linux variants available today.

Versions of UNIX Today
With most things in life, where there is active competition the best will ultimately
survive and triumph. This is the case with several different versions or flavors
of UNIX. Although many different versions exist, a common design and/or code
base is present in most of them. Also, two major kinds of UNIX operating system
software markets exist today. The commercial market is where customers
generally have to pay for the operating system software and generally may not
get any source code (well, not for free anyway!). The other market is also
commercial, but is considered open source. Open source means that you get full
access to the source code of the system or programs and can make changes or
modifications to that source code as long as you maintain the rights of the
original software owner.
Today, the UNIX leaders include Solaris, Linux, HP-UX, AIX, and SCO.

Why UNIX Is Popular
Many people ask why UNIX is so popular or why it is used so much, in so many
different ways and in so many computing environments. The answer lies with
the very nature of UNIX and the model that was used to design, build, and
continuously improve the operating system.

Availability of Source Code
One of the most significant points of UNIX is the availability of source code for
the system. (For those new to software, source code contains the programming
elements that, when passed through a compiler, will produce a binary program—
which can be executed.) The binary program contains specific computer
instructions, which tells the system “what to do.” When the source code is
available, it means that the system (or any subcomponent) can be modified
without consulting the original author of the program. Access to the source
code is a very positive thing and can result in many benefits. For example, if
software defects (bugs) are found within the source code, they can be fixed
right away—without perhaps waiting for the author to do so.
Another great reason is that new software functions can be integrated into
the source code, thereby increasing the usefulness and the overall functionality
of the software. Having the ability to extend the software to the user’s requirements
is a massive gain for the end user and the software industry as a whole. Over
time, the software can become much more useful. One downside to having
access to the source code is that it can become hard to manage, because it is
possible that many different people could have modified the code in unpredictable
(and perhaps negative) ways. However, this problem is typically addressed by
having a “source code maintainer,” who reviews the source code changes
before the modifications are incorporated into the original version.
Another downside to source code access is that individuals may use this
information with the goal in mind of compromising system or component
security. The Internet Worm of 1988 is one such popular example. The author,
who was a graduate student at Cornell University at the time, was able to
exploit known security problems within the UNIX system to launch a software
program that gained unauthorized access to systems and was able to replicate
itself to many networked computers. The Worm was so successful in attaching to
and attacking systems that it caused many of the computers to crash due to the
amount of resources needed to replicate. Although the Worm didn’t actually
cause significant permanent damage to the systems it infected, it opened the
eyes of the UNIX community about the dangers of source code access and
security on the Internet as a whole.

Flexible Design
UNIX was designed to be modular, which makes it a very flexible architecture.
The modularity helps provide a framework that makes it much easier to
introduce new operating system tools, applications, and utilities, or to help
in the migration of the operating system to new computer platforms or other
devices. Although some might argue that UNIX isn’t flexible enough for
their needs, it is quite adaptable and can handle most requirements. This is
evidenced by the fact that UNIX runs on more general computer platforms
and devices than any other operating system.

GNU
The GNU project, started in the early 1980s, was intended to act as a
counterbalance to the widespread activity of corporate greed and adoption
of license agreements for computer software. The “GNU is not UNIX” project
was responsible for producing some of the world’s most popular UNIX software.
This includes the Emacs editor and the gcc compiler. They are the cornerstones
of the many tools that a significant number of developers use every day.

Open Software
UNIX is open, which basically means that no single company, institution, or
individual owns UNIX—nor can it be controlled by a central authority. However,
the UNIX name remains a trademark. Anyone using the Internet may obtain
open source software, install it, and modify it, and then redistribute the software
without ever having to shell out any money in the process. The open source
movement has gained great advances and has clearly demonstrated that quality
software can, in fact, be free. Granted, it is quite true that certain versions of
UNIX are not open, and you do indeed need to pay to use these operating systems
in the form of an end-user licensing agreement. Generally speaking, vendors
that charge for UNIX represent only a portion of the total number of UNIX
releases available within the UNIX community.

Programming Environment
UNIX provides one of the best development environments available by providing
many of the important tools software developers need. Also, there are software
tools such as compilers and interpreters for just about every major programming
language known in the world. Not only can one write programs in just about
any computer language, UNIX also provides additional development tools such
as text editors, debuggers, linkers, and related software. UNIX was conceived
and developed by programmers for programmers, and it stands to reason that it
will continue to be the programmer’s development platform of choice now and
in the future.

Availability of Many Tools
UNIX comes with a large number of useful applications, utilities, and programs,
which many people consider to be one of UNIX’s greatest strengths. They are
collectively known or commonly referred to as UNIX “tools,” and they cover
a wide range of functions and purposes. One of the most significant aspects of
UNIX is the availability of software to accomplish one or more very specific
tasks. You will find throughout this text that the concept of tools is quite
universal and is used repeatedly. This book not only discusses the subject of
system administration but also provides detailed descriptions of UNIX-based
tools. As a system administrator, you will come to depend on certain tools to
help you do your job. Just as construction workers rely on the tools they use,
so too will the administrator rely on the software that permits them to handle
a wide range of functions, tasks, issues, and problems.
There are tools to handle many system administration tasks that you
might encounter. Also, there are tools for development, graphics manipulation,
text processing, database operations—just about any user- or system-related
requirement. If the basic operating system version doesn’t provide a particular
tool that you need, chances are that someone has already developed the tool
and it would be available via the Internet.

Hint

There are several popular Web sites that contain a large collection of public
domain and open source tools and applications that are available. These links
can be found in an appendix of this book.

System Libraries
A system library is a collection of software that programmers use to augment
their applications. UNIX comes with quite a large collection of functions
or routines that can be accessed from several different languages to aid the
application writer with a variety of tasks. For example, should the need arise
to sort data, UNIX provides several different sort functions.

Well Documented
UNIX is well documented with both online manuals and with many reference
books and user guides from publishers. Unlike some operating systems, UNIX
provides online man page documentation of all tools that ship with the system.
Also, it is quite customary that open source tools provide good documentation.
Further, the UNIX community provides journals and magazine articles about
UNIX, tools, and related topics of interest.

1-Minute Drill

● Why is source code availability a valuable advantage to UNIX users?
● What are some downsides of source code availability?

● Users can modify the code to fit their own needs, such as fixing bugs immediately or implementing
new features.
● Tracking and managing multiple versions of code changes can be difficult. Source code availability makes
it easier for unscrupulous users to exploit programming errors, particularly relating to security. (However,
source code availability means users can patch these bugs quickly, even if the original author or vendor
isn’t available to patch them.)

Modular UNIX
Like all operating systems, UNIX can be divided into functional areas
(components) where each part is responsible for a given set of services.
This modularity is what gives UNIX its appeal and why it is one of the most
popular operating systems in the world. Figure 1-4 shows the overall picture
of where the individual components of the UNIX system fit together. Each of
the major elements is described in more detail below.

Figure 1-4 UNIX operating system picture

The Kernel
Perhaps the most critical element of the operating system, the kernel is
responsible for many of the operating system tasks and services that applications
and users require. The Kernel is the main program that interfaces with all
hardware components, supports the execution of applications, and provides
an environment for users. Very little can be done on a UNIX system without
accessing some Kernel function or resource. It is the controlling entity of
the system. The kernel itself consists of several parts. From a high-level
standpoint, the kernel performs the following services and functions:
● Interfaces with the computer hardware Using modules called device
drivers, the kernel uses these software components to talk directly to
hardware-level devices. For example, when an application wants to write
data to a secondary storage device such as a hard drive, the kernel “calls” the
driver to write the information specific to that device. Thus, for every
hardware device, the kernel must have an associated driver. Since every hardware
device (such as a disk drive or sound card, for example) is vendor specific,
the kernel driver must also be vendor and/or product specific. However,
there are times when a common driver will support a family of products
or devices. This driver concept is used extensively throughout the system;
interfaces to all hardware components use this approach. Some additional
examples of drivers include serial port drivers, printer port drivers,
keyboard and mouse drivers, video display drivers, sound drivers, and
network interface drivers.

● Provides time-sharing services The kernel is responsible for providing
the resources necessary to handle multiple users, applications, and other
processes in what seems like a concurrent, real-time fashion. In other words,
UNIX supports a time-share model where users and applications run all
at the same time regardless of the underlying hardware characteristics.
Computers that support a single processor are said to be uniprocessor
machines, while multiprocessor machines contain more than one processor.
Thus, UNIX supports concurrent logins of different users and these
users may execute different applications or software all at the same time.
However, this reality is an illusion; the kernel makes it appear to the users
that everything is happening in a concurrent fashion, but the hardware may
not support parallel processing or concurrent processing. The kernel was
designed to provide this service regardless of the physical processing
characteristics of the machine in question. When the kernel is running on a
machine that supports more than one processor, the effects are pretty much
the same—multiple users and applications can run in a concurrent fashion.

● Implements security model The kernel supports the notion of users and
profiles. All users must be defined on the system before they are permitted
to access or log in to the system, and each user has a particular profile.
User accounts contain information about the user and are used to track
the users’ activities once they are on the system. The kernel ensures that
security between users and between the system and users is always
maintained. For example, it is not possible for one user to delete the files
of another user if the first user protects his or her files. Similarly, a user
will not be able to delete or remove system-related files unless the
administrator permits such activity.

Hint

Within UNIX, a special account, called the superuser, is defined. Known as the
“root” account, this is the one login that is usually set up by default on most
systems to have unrestricted access to every service or file within the system.
There isn’t any service, file, directory, or information that the superuser can’t
access. Typically, the system administrator becomes the superuser and uses
this account on a regular basis.
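The kernel's permission checks described above only protect files whose owners have actually set restrictive modes, so a practical first check for an administrator is to look for files and directories that anyone on the system can write. The following shell script is an added example, not code from the book; it assumes only a POSIX shell with the standard find, chmod, mkdir and mktemp tools, and the directory tree it examines is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not from the book: audit a directory tree for files that the
# kernel's permission model would let any user on the system modify or delete.
# Assumes only POSIX sh and the standard find, chmod, mkdir and mktemp tools.

# Print the regular files under $1 whose mode includes the world-write bit
# (find's -perm -002 matches any mode that has that bit set).
find_world_writable() {
    find "$1" -type f -perm -002 | sort
}

# Print the directories under $1 that are world-writable but carry no sticky
# bit (mode 1000). Without the sticky bit, any user may remove any other
# user's files from such a directory, however those files themselves are set.
find_unprotected_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 | sort
}

# Build a constructed tree that shows both a protected and an unprotected case.
# Prints the path of the tree so callers can inspect and later remove it.
make_sample_tree() {
    top=$(mktemp -d) || return 1
    mkdir "$top/shared" "$top/tmp"
    : > "$top/shared/report.txt"
    : > "$top/shared/scratch.txt"
    : > "$top/tmp/notes.txt"
    chmod 644 "$top/shared/report.txt"    # owner writes, others only read
    chmod 666 "$top/shared/scratch.txt"   # anyone may overwrite: flagged
    chmod 644 "$top/tmp/notes.txt"
    chmod 777 "$top/shared"               # world-writable, no sticky bit: flagged
    chmod 1777 "$top/tmp"                 # world-writable but sticky, like /tmp
    printf '%s\n' "$top"
}

# Demonstration run over the constructed tree.
tree=$(make_sample_tree)
echo "world-writable files:"
find_world_writable "$tree"
echo "world-writable directories without sticky bit:"
find_unprotected_dirs "$tree"
rm -rf "$tree"
```

On a live system the two functions would be pointed at /home or / rather than at the constructed tree; the sticky-bit case is included because a world-writable directory with the sticky bit set (the usual mode of /tmp) is the one layout where "anyone can write here" does not also mean "anyone can delete everyone else's files here".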

APIs
UNIX provides a large number of application programming interfaces (APIs),
which help programmers write applications or tools that help to take advantage
of the system. Using UNIX APIs makes it easier to write programs and helps
software to integrate with the system.

The Shell
UNIX provides a mechanism for a user to log in to the system using what is
known as a command-line prompt or shell. The shell is a command interpreter,
which takes what the user types in and executes commands, manipulates files,
and so forth on behalf of the user. A large number of different shells are
available for UNIX, and users have the ability to customize the shell to suit
their own personal preferences.

1.4 Discover the Roles of the
UNIX System Administrator
The job of the system administrator is one of the best in the entire world! It
basically means that you look after the computer systems, and in some cases
the network that interconnects those systems as well. The phrase “looking
after” actually can mean quite a number of different things. From the system
administrator point of view, they are totally responsible for not only the
successful operation of the computers themselves—including the hardware,
operating system, and applications—but must also ensure that the users of
those systems are happy and are using the systems to their full extent. This is
a tall order considering the sheer number of users that systems can support
and also because users have different requirements and individual needs.
From a technical standpoint, the systems administrator will handle one or
more of the following depending on the size, organization structure, and type
of company in which they are employed:
● Manage the computer hardware This includes dealing with hardware-related
problems such as faulty or failed system boards, disk drives,
CPUs, printers, and so forth. Also, if the hardware is covered by a vendor
maintenance contract, you will need to handle the details of maintaining
the coverage and managing the vendor relationship when problems occur.
You might need to “watch over” their activity when they are on-site to
ensure that they address the real problem or don’t cause problems in other
areas. For example, they might replace the wrong disk drive when multiple
drives are contained within a single system.

● System backups You will be responsible for ensuring that regular
backups/archiving of the important system and critical data files are
done. This is perhaps one of the most important functions of the system
administrator and should not be overlooked from a job duty standpoint.
It is also one of the most boring parts of being a system administrator!
Successful administrators typically will automate the backup function
so that they might spend more time on more interesting tasks. With the
deployment of specialized network backup systems, storage area networks
(SANs), and other backup solutions, ensuring correct backup procedures
has never been so easy.

● Maintain system capacities Typically, memory, CPU, and disk storage
are the key components that are upgraded when the user base of the systems
increases or the system application functions are expanded. The most
common is that the disk storage might need to be upgraded more often
due to increasing data processing or the addition of users.
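A backup that has never been restored and compared is not yet known to be good, so an automated backup routine should verify what it wrote. The following shell script is an added example rather than a script from the book; it assumes a POSIX shell with tar, cksum, diff, date and mktemp, and every path and file it uses is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the book: a minimal automated backup routine with a
# verification step, the kind of script the text says administrators write to
# automate backups. Assumes POSIX sh plus tar, cksum, diff, mktemp and date;
# every path used below is constructed.

# Archive directory $1 into a timestamped tar file under directory $2 and
# record the archive's checksum beside it. Prints the archive path.
make_backup() {
    src=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$(basename "$src")-$stamp.tar"
    # -C makes the archive hold paths relative to the parent, never absolute ones
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    cksum "$archive" > "$archive.cksum" || return 1
    printf '%s\n' "$archive"
}

# Return 0 only if archive $1 still matches its recorded checksum and its
# contents extract to an exact copy of the source directory $2. The checksum
# catches an archive that was corrupted or altered after it was written; the
# restore-and-compare catches an archive that was never complete.
verify_backup() {
    archive=$1
    src=$2
    recorded=$(cut -d' ' -f1 "$archive.cksum")
    current=$(cksum "$archive" | cut -d' ' -f1)
    [ "$recorded" = "$current" ] || return 1
    scratch=$(mktemp -d) || return 1
    if tar -xf "$archive" -C "$scratch" &&
       diff -r "$src" "$scratch/$(basename "$src")" > /dev/null; then
        result=0
    else
        result=1
    fi
    rm -rf "$scratch"
    return $result
}

# Demonstration over a constructed source tree.
work=$(mktemp -d)
mkdir -p "$work/data/etc" "$work/backups"
printf 'hostname=host1\n' > "$work/data/etc/config"
printf 'line one\nline two\n' > "$work/data/notes.txt"
archive=$(make_backup "$work/data" "$work/backups")
if verify_backup "$archive" "$work/data"; then
    echo "backup verified: $archive"
else
    echo "backup FAILED verification: $archive"
fi
rm -rf "$work"
```

Run from cron, the two functions give an administrator a nightly archive plus a log line saying whether that archive actually restores; the checksum file should be kept somewhere the archive's own storage cannot silently overwrite.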

Support the Network
With the ever-increasing dependence on computer networking and with the
growth of the largest network (the Internet), administrators are continuously
faced with handling network-related issues and problems. As a result,
administrators not only need to understand their systems but the network
and associated components as well. With this in mind, the administrator must
“bone up” on the networking protocols, devices, and particular network
applications. For example, having a very good understanding of TCP/IP can
come in handy when dealing with interaction between applications or general
network communication problems related to the Internet or a local network.
You might also need to handle hardware-related problems within the network,
such as dealing with failed network components, misconfigured devices, cabling
problems, and so forth. This might include dealing with Internet service
providers (ISPs) or phone companies, depending on how the network topology
and Internet services have been implemented.

Handle Peripherals
In many cases, the administrator will be required to handle the support of
associated devices that might be used with the primary systems. These devices
might include printers, modems, scanners, and just about anything else that
could be used with a UNIX system. Often, systems are purchased with these
add-on devices at the same time, but sometimes they are not—in which case,
the administrator must integrate or install one or more of the peripheral
devices. Printers are one such example, where they might be obtained after the
primary UNIX system was installed. With this in mind, the administrator must
ensure that the UNIX system is configured to use the printers correctly. If
the printer is going to be shared across a number of different systems, the
configuration must be replicated to each system supporting the printer. Equally
important, the printer devices must be set up and configured to work with the
UNIX systems as well. Thus, not only must the administrator understand UNIX,
but she or he must also have the ability to learn how other devices function and
be able to configure them. Don’t be alarmed—no administrator is expected to
know every type of device that can be integrated with a UNIX system. Rather,
the administrator must be able to learn how to do this when necessary, with the
aid of product manuals, technical support, and other resources.

Manage System Upgrades
Due to the nature of computer technology and the need to support more
functions and perhaps more users, the administrator might be asked to perform
certain (if not all) system upgrades. This will include installing more memory,
disk storage, CPUs, updating the computer firmware, and a host of other
hardware-related tasks. If the UNIX systems are covered under a vendor
maintenance support agreement, the vendor may perform some of the upgrades.
For instance, the firmware, which is used to handle lower-level system functions
and diagnostics, might be upgraded automatically by the system vendor.
Upgrades are not just made to the hardware components of the system, but
also to the operating system, applications, tools, or utilities. Sometimes, dealing
with software upgrades can be more difficult than the hardware due to the
dependencies on different software components. For example, if the operating
system was upgraded to a newer version, it might cause one or more applications
to not function correctly. Normally, application vendors do a good job of
testing their software on different operating system releases to avoid these types
of problems. However, no vendor can guarantee that their product will never
crash or experience problems, regardless of which particular operating system
release is being used.

Actively Monitor System Security
In certain organizations, the system administrator is responsible for handling
all aspects of system security. This includes, for example, ensuring that external
attacks (say, from the Internet) as well as internal ones (from local users) are
prevented as much as possible. There are many aspects of system security—
from running monthly security reports to installing security patches. The most
important component of security is being prepared when security-related issues
or problems strike. Just as when natural disasters hit a particular city, so too
it is very important to be prepared. For example, if it becomes necessary to
restore user files due to corruption caused by a malicious program, these files
must be restored quickly and accurately. Further, it will be very important
to take steps to prevent security problems in the first place. For example, if
one or more security vulnerabilities have been found with a software module,
application, or utility that is currently being used on the system, that software
should be upgraded in order to minimize any potential security risk.
If you demonstrate a positive security model and communicate the need for
security, others will follow. The administrator has to set the stage and promote
security as a way of life for all users of the system. For example, you might need
to teach users not to leave their workstations logged in while they are away for
extended periods of time. The users of the system will help to implement and
conform to specific security rules, policies, and procedures that you define. In
larger companies or organizations, security might rest with a particular security-centric
group, which is not typically a part of those that administer the systems.
However, the individuals within the security department must work hand in
hand with the administrator to ensure that specific policies and security
measures are implemented on a system-wide basis.
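One of the routine security reports mentioned above can be produced from the login failures the system records. The shell script below is an added example, not material from the book; the syslog-style lines it reads are constructed inside the script, and on a live system the input would be whatever authentication log the local UNIX flavor writes. It assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not from the book: a small security report of the kind the text
# mentions, built from login-failure records. The log lines below are constructed
# in syslog style so the script runs offline; on a live system the input would be
# whatever authentication log the local UNIX flavor keeps. Assumes POSIX sh and awk.

SAMPLE_LOG='Mar  3 09:12:01 host1 login[201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR alice, Authentication failure
Mar  3 09:12:09 host1 login[201]: FAILED LOGIN 2 FROM 10.0.0.5 FOR alice, Authentication failure
Mar  3 09:12:15 host1 login[203]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 09:13:40 host1 login[210]: FAILED LOGIN 1 FROM 192.0.2.7 FOR bob, Authentication failure
Mar  3 09:14:02 host1 login[203]: FAILED LOGIN 2 FROM 10.0.0.5 FOR root, Authentication failure
Mar  3 09:15:11 host1 login[210]: LOGIN ON pts/0 BY bob FROM 192.0.2.7'

# Read log text on stdin and print "count source" for failed logins,
# most frequent source first.
failed_logins_by_source() {
    awk '/FAILED LOGIN/ {
             for (i = 1; i <= NF; i++) if ($i == "FROM") count[$(i + 1)]++
         }
         END { for (s in count) printf "%d %s\n", count[s], s }' | sort -rn
}

# Read log text on stdin and print "count account" for failed logins,
# most targeted account first. The account name carries a trailing comma
# in this log format, which is stripped before counting.
failed_logins_by_account() {
    awk '/FAILED LOGIN/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "FOR") { a = $(i + 1); sub(/,$/, "", a); count[a]++ }
         }
         END { for (a in count) printf "%d %s\n", count[a], a }' | sort -rn
}

# Read log text on stdin and print the sources whose failure count is at
# least $1, the threshold an administrator would tune for the site.
sources_over_threshold() {
    failed_logins_by_source | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Demonstration over the constructed log.
echo "failed logins by source:"
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
echo "failed logins by account:"
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_account
echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 3
```

The per-account view matters as much as the per-source one: a burst of failures against root from a single address is the case an administrator wants to see first, and the threshold is the knob that separates a user mistyping a password from something that deserves a closer look.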

Maintain System Accounts
As part of general security and administration of UNIX, you will need to maintain
a close eye on user accounts, which is the primary way to control access to the
system. UNIX uses system account files to permit users to gain access to
the system, and it will be your direct responsibility to ensure that only authorized
users are permitted access and that they are set with the correct profiles and
access parameters. Also, it will be important that you delete user profiles when
employees leave or move to another part of the company, or you might need to
adjust user profiles as user access policies change.
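Keeping a close eye on the account file means running a few checks over it regularly, not only when an employee leaves. The shell script below is an added example and not from the book; the /etc/passwd-style entries it examines are constructed inside the script (the account names are made up), and it assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not from the book: checks an administrator can run over the
# system account file the text refers to. The entries below are constructed in
# /etc/passwd format so the script runs offline; on a live system the functions
# would be pointed at the real file. Assumes POSIX sh and awk.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
dave:x:1002:1004:Dave:/home/dave:/bin/sh'

# Accounts other than root whose UID is 0: the kernel treats them exactly
# like root, whatever they are called.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty: no password is asked for at login.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# UIDs shared by more than one account, printed as "uid: names". The kernel
# identifies users by UID, so such accounts are indistinguishable to it.
duplicate_uids() {
    awk -F: '{ seen[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in seen) if (seen[u] > 1) printf "%s:%s\n", u, names[u] }' "$1" | sort -n
}

# Write the constructed entries to a temporary file and print its path.
make_sample_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    printf '%s\n' "$f"
}

# Print a short report over account file $1.
account_report() {
    echo "accounts with UID 0 besides root:"
    extra_uid0_accounts "$1"
    echo "accounts with an empty password field:"
    passwordless_accounts "$1"
    echo "UIDs shared by several accounts:"
    duplicate_uids "$1"
}

# Demonstration over the constructed file.
pw=$(make_sample_passwd)
account_report "$pw"
rm -f "$pw"
```

Each of the three findings is something an administrator would want to explain or remove: a second UID 0 account is a second root login, an empty password field admits anyone who knows the name, and a shared UID lets two people read and delete each other's files because the kernel cannot tell them apart.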

Advance Your Knowledge
Believe it or not, you will be asked to learn new technologies, products,
applications, and perhaps a host of other interesting subjects related to your
job. You will be most valuable to your organization when you know just as
much as (or even more than) the vendors that provide your products and
systems. You will need to attend professional development classes, vendor-offered
training, and other training programs and courses. Also, depending on
the company, you might need to seek one or more vendor certification programs,
such as from Red Hat or Sun Microsystems. Also, you may need to supplement
your understanding and technology knowledge by reading great books (such as
from this series!!), trade magazines, journals, and other publications. Further,
you might need to attend special conferences and trade shows to gain more
insight into a particular technology or product, or to learn more about a vendor.
As you can see, being a system administrator means handling many technical
details of the computer systems within your environment. One very interesting
aspect of this is that should the computer environment contain different versions
of UNIX, in what we call a heterogeneous network, this can complicate the
administrator’s job to some degree. In general, UNIX is fairly standard, but
different vendors provide unique tools just for their platform. As a result, it
might be difficult to do certain tasks the same way across different vendors’
UNIX machines. However, in most cases this isn’t a problem because many
of the tools work the same way for most different flavors of UNIX.
The successful administrator not only handles the details of the system but
also in certain cases must be a teacher, police officer, politician, parent, and
friend, and have good organizational skills and a cheerful disposition. Bear in
mind that not all of these skills are absolutely necessary, since many companies
define the job of system administrator in different ways. As a result, different
skills and tasks may be required.

Teacher
As an administrator, you will find yourself showing the users how to use the
system and perhaps giving classes on a wide range of subjects related to the use
or operation of a particular application or system capability. For example, new
users might not know how to log in and access certain applications in order for
them to complete their jobs. You might also need to show experienced users the
best way to archive their files or how to use a new system utility or a recently
installed application.

Politician
Being an administrator means that you must handle and solve a large number of
problems. In certain cases, this might require you to be a politician due to the
issues and people involved. Some of these problems can be a conflict between one
or more users or can be related to how the system is supported or maintained.
The system administrator usually deals with many individuals at all levels of the
company. For example, they may deal with administrative assistants, technical
staff, managers, and vice presidents, as well as outside customers, suppliers,
and vendors. As a result, good negotiation and people skills are necessary.

Parent
Sometimes users can be like children, and they require a strong parent to rein
them in. For instance, some users insist that they keep every file they ever used,
and as a result the system disks are filled to capacity. This can be unacceptable
behavior if every user did this because of the amount of time and trouble caused
by having to clean up after these users. Also, since the administrator knows the
system, they might need to give advice to users about how best to solve or
address some particular issue or problem. For instance, a user might need to
obtain a large amount of data for a particular purpose and it must be transferred
from one system to another. In this case, you might need to step in and provide
assistance.

Police Officer
Sometimes being a politician or parent isn’t enough; you might need to become
a police officer to enforce some general rules of behavior or exercise critical
control of the system. For example, you will need to restrict physical access
to the computer system to only those individuals that require it. A curious
user attempting to fix a hardware-related problem could spell disaster for the
administrator, given the complexity and sensitivity of hardware components.
Another good example is system security—should the administrator detect
unauthorized access to the system, then the administrator must take immediate
action to protect the integrity of the system and users. It might, for example,
mean that users are audited to ensure they are not doing bad things on
the system.

Hint

Generally, security measures are more successful if they are planned in advance
before you need them. For example, user audit trails are most useful when
they capture bad behavior when it is happening.


Friend
If the above duties aren’t enough, you might actually need to be a friend to
your users. For example, one user might be working on a critical project that
requires you to help them with a system-related problem (such as the printer
not functioning correctly) at an unpopular time—say, during the weekend or
in the wee hours of the morning. You might have the option to tell the user to
wait until the official workday starts or handle the issue on the spot. In general,
users are good-natured and happy individuals, but other times they might be
nasty, outrageous, and demanding. It may be in your best interest to help the
individual because you want to be helpful, and that is expected. As with most
things in life, a simple smile and thick skin (for really difficult users) can go
a long way to ensure that a bad situation goes smoothly.
Also, goodwill can flow in both directions. If you help users out of tough
situations, they might help you in turn at some point in the future! You may
find that having friends on the “inside” can work in your favor. Sometimes,
the job of system administrator isn’t very popular because you might need to
make some decisions that affect users in a negative or unpleasant way. Take,
for example, the moment you need to bring the system down for some critical
maintenance task. You will need to ask all the users to log off the system, and
this can be an unpopular thing to do since users might not want to log off—
because, for example, they have their own deadline or other things they must
complete, and this downtime can cause them pain. However, having users who
understand can help to bolster your position about the system outage and
smooth things over for users that might not fully appreciate your need to bring
the system down when it is not convenient for them—they may come to realize
that in the long run it is in their best interest.
The bottom line is that being a system administrator sometimes requires
that one be both technical and have a reasonable knack for dealing with
individuals (users) and all levels of management. Certainly this is the ideal
situation, but the world is full of situations that are far from perfection. As a
result, many successful administrators don’t need to deal with the softer side,
but more the technical. Conversely, some administrators work within teams
where they might not be handling the day-to-day tasks, but rather deal with
more of the management aspects of the job. As you can see, your mileage may
vary and the exact system administrator requirements will be different depending
on the company or the exact job position.

Mastery Check
1. Name the three functional areas or layers of any computer system,

regardless of brand.
2. Which UNIX component interacts with the system hardware?
A. Kernel
B. APIs
C. Shell
D. Hardware Administrator
3. Which of the following is not a key reason for UNIX’s popularity?
A. Flexible design
B. Proprietary software
C. GNU
D. Well documented
4. A __________ is a collection of software that programmers use to

augment their applications.
5. Which of the following is not a function of the UNIX kernel?
1. Interfaces with the computer hardware
2. Provides time-sharing services
3. Implements security model
4. Maintains system capacities
6. The UNIX __________ is responsible for regular backups/archiving

of important system and critical data files.


Module 2: Basic UNIX Commands

Critical Skills

2.1 Explore the UNIX Shell

2.2 Investigate Basic UNIX Commands


This module provides an introduction to using the standard shell and some
of the basic operating system tools that administrators will need to know to
help them maintain UNIX systems. As the system administrator, you will need
to learn about a variety of utilities and tools to help accomplish administrative
tasks and make your job easier. It will be important that you get familiar with
many of the commands within this module and you are encouraged to try
running these programs within your own environment just so that you get a
feel for the behavior and to begin learning the many program parameters and
command-line options.

2.1 Explore the UNIX Shell
The shell is a rather unique component of the UNIX operating system since it
is one of the primary ways to interact with the system. It is typically through
the shell that users execute other commands or invoke additional functions.
The shell is commonly referred to as a command interpreter and is responsible
for executing tasks on behalf of the user. Figure 2-1 shows a pictorial view of
how the shell fits with the UNIX system. As you can see, the shell operates within
the framework just like any other program. It provides an interface between the
user, the operating system functions, and ultimately the system Kernel.

Figure 2-1  The UNIX shell

Another powerful feature of the UNIX shell is the ability to support the
development and execution of custom shell scripts. The shell contains a mini
programming language that provides a lightweight way to develop new tools
and utilities without having to be a heavyweight software programmer. A UNIX
shell script is a combination of internal shell commands, regular UNIX
commands, and some shell programming rules.
UNIX supports a large number of different shells, and also many of the
popular ones are freely available on the Internet. Also, many versions of UNIX
come with one or more shells and as the system administrator, you can install
additional shells when necessary and configure the users of the system to use
different shells, depending on specific preferences or requirements. Table 2-1
below lists many of the popular shells and a general description of each.
Once a user has logged into the system, the default shell prompt appears
and the shell simply waits for input from the user. Thus, logging into a Solaris
system as the root user for example, the standard Bourne shell prompt will be
#

The system echoes this prompt to signal that it is ready to receive input from
the keyboard. At this point, this user is free to type in any standard UNIX
command, application, or custom script name and the system will attempt to
execute or run the command. The shell assumes that the first argument given
on the command line is a program or a special character sequence that is
interpreted by the shell as a command. UNIX supports a large number of
commands, which can be classified into several different groupings that include
generic user-level commands, superuser-level commands, and built-in shell
commands.

Table 2-1  Descriptions of Different UNIX Shells

Shell Name   General Description
sh           Standard Bourne shell, which is one of the most popular shells
             around.
csh          Standard shell with C-like language support.
bash         GNU Bourne-Again shell that includes elements from the Korn
             shell and C shell.
tcsh         Standard C shell with command-line editing and filename
             completion capabilities.
ksh          The Korn shell combines the best features of the Bourne and C
             shells and includes powerful programming tools.
zsh          Korn shell like, but also provides many more features such as
             built-in spell correction and programmable command completion.

User-level commands are those programs that can be run by any user,
regardless of their access level or other user account parameters. The date
command is one such example; generally speaking, no special permission is
required to display the local date and time with the command. UNIX contains a
very large number of these types of commands and they are usually contained
within standard directories such as /usr/bin or /usr/local/bin.

Hint

Anyone can peruse these directories to obtain a list of the all the available
commands contained within the locations. However, the administrator can
define restricted users, which can’t access common directories or execute a
generic program, but this is something the administrator must purposely do.

The superuser commands, which can be found in several different system
directories (/usr/bin, /usr/sbin, and so forth) are those that require
system-level or privileged access to invoke or execute. For instance, the format
program is used to format storage media such as disk drives. Typically, this type
of administration function is restricted and can’t be invoked by typical UNIX
users due to the destructive nature of the command; it can completely delete
all information from a storage device. Thus, only the superuser can run this
command. UNIX provides a special account called the superuser account,
or also known as root, which is used to permit system or administrative
access. The UNIX administrator will use this account when performing system
maintenance and other important administrative tasks. The superuser account
is a sacred cow—it provides complete and total access to all aspects of the system,
and this account must be guarded at all times; only the administrator will use this
account, and it is usually protected by a secret password.
The built-in shell commands are defined as those functions, which are
not part of the UNIX command set, but instead are interpreted and supported
directly by the shell. They are not stand-alone programs such as date, but are
executed within the shell. For example, the set command, which is used to
define environment variables, is one such internal command. An environment
variable, for example, is one way to pass a program a parameter, which can be
used to control the behavior of the software to achieve some desired result. For
example, you can use an environment variable to contain the user’s default
printer, so that any application can use this information to print to the correct
output device.
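The distinction between a built-in command and a stand-alone program, and the way an environment variable reaches a program, can both be checked from the shell itself. The following script is an added example and is not code from the book; the classify function relies on the POSIX command -v behavior (a full path for an external program, the bare name for a built-in), and the PRINTER=lp0 value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: tell built-in shell commands apart from
# stand-alone programs, and hand a program a parameter through an environment
# variable. PRINTER=lp0 is a constructed value.
set -eu
unset PRINTER   # start from a clean slate for the demonstration below

# classify NAME: "builtin" when the shell itself implements NAME, "program"
# when NAME is a file found on the PATH, "missing" when neither applies.
# command -v prints a full path for an external program and just the bare
# name for a built-in such as set or cd.
classify() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
    case $resolved in
        /*) echo program ;;
        *)  echo builtin ;;
    esac
}

# printer_seen_by_child NAME: run a child shell with PRINTER set for that one
# command only, and report what the child saw. Any program started this way
# (a print client, for instance) reads the same variable.
printer_seen_by_child() {
    PRINTER=$1 sh -c 'printf "%s" "${PRINTER:-unset}"'
}

# parent_printer: PRINTER as the current shell sees it, still unset because
# the prefix form above never touches the parent's environment
parent_printer() {
    printf '%s' "${PRINTER:-unset}"
}

# stand-alone run: classify a few names and show the variable hand-off
for name in set cd date; do
    printf '%-6s %s\n' "$name" "$(classify "$name")"
done
printf 'child saw PRINTER=%s, parent has PRINTER=%s\n' \
    "$(printer_seen_by_child lp0)" "$(parent_printer)"
```

The prefix form VAR=value command is the safest way to pass a parameter to one program, because nothing else in the session inherits it; exporting the variable instead makes it visible to every program the shell starts afterwards.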

2.2 Investigate Basic UNIX
Commands
As you will see in this book, UNIX comes with a large number of commands
that fall under each of the categories listed above for both the generic user and
the system administrator. It is quite hard to list and explain all of the available
UNIX functions and/or commands in a single book. Therefore, a review of some
of the more important user-level commands and functions has been provided
and subsequent modules provide a more in-depth look at system-level
commands. All of the commands discussed below can be run by generic users
and of course by the system administrator. However, one or more subfunctions
of a command may be available only to the system administrator.
Table 2-2 provides a list of standard commands, which are available across
many different versions of UNIX. For example, if we wanted to get a listing of all
the users that are currently logged into the system, the who command can be used.

Table 2-2  Basic UNIX Commands

UNIX Command   Meaning
cat            Show the content of a file.
date           Show system date and time.
hostname       Display name of system.
find           Search for a specific file.
grep           Search a file for a specified pattern.
ls             List files in a directory.
more           Another command to show the content of a file.
ps             Show status of processes.
strings        Show strings within a file.
uname          Show system-related information.
who            Show current users on the system.

Thus,
# who

will produce a list of the login names for all users presently on the system, such as
bill        pts/1        Sep  9 06:41    (pebbles)
root        pts/10       Sep  9 09:11    (fred)
sjmaxwell   pts/2        Sep  9 08:02    (wilma)

You can find this command (and, of course, many others) on Linux, HP-UX,
Solaris, AIX, and many other versions of UNIX. However, depending on the
version of UNIX, the output might slightly be different. Naturally, this output
shouldn’t really match what is displayed when you execute this command on one
of your systems since the environment and users will be quite different. Despite
this, the command displays basically the same information regardless of which
UNIX system it is executed on. The who command is very interesting because
it shows when the users were logged into the system and from which terminal,
and, if networking services is active, the name of the computer system that the
user originated the connection from. In the example above, bill is logged in
from a system called pebbles, while root and sjmaxwell (yes, that is me!)
are from the systems known as fred and wilma, respectively. Knowing and
understanding commands like who (and many others) makes it much easier
to administer UNIX-based systems. Next to the login name is the terminal
associated with that login. In the example, pts followed by a number indicates
the terminal device number. When a real terminal or network connection is made
to the system, a terminal (real or pseudo if network) is assigned automatically by
the system to the user that logged into the system.
Like most UNIX commands, the who utility provides a number of command-line
arguments, which control the behavior and output of the program. However,
it is not necessary to know all of these arguments to use the basic functions.
Having said that, one of the more useful functions of this program is to identify
the username of the current shell. In other words, which user account am I
logging under? Using the command
# who am i
root        pts/8        Dec 27 15:21    (dhcpclient-202)

will display the login username and other information. This is most useful if
you have started to use a terminal or login session and you don’t know which
user is in fact logged into the system.
Finally, another important function of the who command is to report the
system run mode with the use of the –r option. This argument displays the
current system run level, which can be multiuser, single user, or some
additional level as defined in the /etc/inittab file. See Module 9
for additional information. Thus,
# who -r
.           run-level 3  Dec  8 10:41     3    0  S

shows that the system is at run level 3, which is the multiuser mode that the
system typically uses during normal everyday operations.
Those new to operating systems find it strange that UNIX doesn’t provide
positive acknowledgement, with some kind of printed message of successful
execution of a command. For example, when the user removes a file using the rm
command, the system doesn’t respond with a specific message when it is finished,
but instead simply removes the file and returns the shell prompt. Thus, when
# rm records.dat
#

is run, it removes the records.dat file and issues the shell prompt again.

Hint

The command didn’t respond by displaying a success message other than
displaying the prompt again. Alternatively, the user could check to see if the
command did what it was supposed to do, for instance by running the
following command:
# ls records.dat
records.dat: No such file or directory
#

When the ls command is used against a nonexisting file, it produces an error
message because the file could not be found. Seasoned UNIX administrators
don’t typically check that certain commands were in fact executed because should

33

2

34

UNIX System Administration: A Beginner’s Guide

any type of error have occurred during the execution of the rm command, it
would have issued a message stating that a problem had been encountered. For
example, if the records.dat couldn’t be removed because of a file permission
problem, a message would be generated that gives a clue to the problem:
# rm records.dat
rm: records.dat not removed: Permission denied
#

Generally speaking, most UNIX commands give some kind of error/status
message when a problem has been encountered. Note that the permission error
above typically wouldn’t be displayed if the command was run by the superuser,
since root is not subject to ordinary file permission checks.

cat
The cat command will display the content of one or more text-based files. It
is considered “more-lite” since it doesn’t support fancy scrolling functions like
the more command. The cat program is a fairly simple-minded tool, which
supports a small number of command-line options. However, the most useful
ones are listed in Table 2-3.

Table 2-3  cat Command-Line Options

Option   Definition
-n       Number each line of output.
-b       Same as -n, but don’t number blank lines.
-u       When displaying text, don’t use buffering (Solaris and
         HP-UX only).
-s       Don’t display an error when attempting to process nonexisting
         files (Solaris only).
-v       Display non-printable characters in visual form.
--help   Display list of supported command-line options
         (Linux only).

To show the contents of a sample /etc/passwd file with associated line
numbers, issue the following command:
# cat -n /etc/passwd
1 root:x:0:1:Super-User:/:/sbin/sh
2 smaxwell:x:0:1:Super-User:/:/usr/bin/bash
3 daemon:x:1:1::/:
4 bin:x:2:2::/usr/bin:
5 sys:x:3:3::/:
6 adm:x:4:4:Admin:/var/adm:
7 lp:x:71:8:Line Printer Admin:/usr/spool/lp:
8 uucp:x:5:5:uucp Admin:/usr/lib/uucp:
9 nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
10 listen:x:37:4:Network Admin:/usr/net/nls:
11 nobody:x:60001:60001:Nobody:/:
12 noaccess:x:60002:60002:No Access User:/:
13 nobody4:x:65534:65534:SunOS 4.x Nobody:/:
14 syu:x:100:111::/home/syu:/bin/sh
15 anonymous:x:101:1::/home/anonymous:/bin/sh
16 anonymou:x:102:1::/home/anonymou:/bin/sh
17 samc:x:20001:10:Mr Sam Clinton:/homes/samc:/bin/sh
18 stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
19 anitat:x:20004:102:Ms. Anita Tognazzini:/homes/anitat:/bin/sh
20 samyu:x:20005:10:Mr Samual Yu:/homes/samyu:/bin/sh
The numbers at the beginning of each line come from the -n option; they are
not part of the /etc/passwd file.

The cat program can be used to display any UNIX file. However, it is not
that practical for displaying other types of files such as a software program or
binary file. Why? Because programs or other binary data can’t be displayed in a
meaningful way like text can be. A UNIX tool such as strings is more suited
for this purpose.
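A listing like the one above is worth more than a glance: the second line shows a second account with UID 0, which has exactly the same authority as root, and a password field that is empty rather than x or a hash means the account needs no password at all. The script below is an added example, not code from the book; it audits a passwd-format file for those conditions and for UIDs shared between logins. The sample passwd it uses is constructed for the demonstration (the guest and tempuser lines in particular are not from the book's listing).

```shell
#!/bin/sh
# Added example, not from the book: audit a passwd-format file for the things
# an administrator should notice in a listing like the one above: a second
# UID 0 account, UIDs shared by several logins, and an empty password field.
# The sample passwd below is constructed for the demonstration.
set -eu

# Constructed sample; field order is login:passwd:UID:GID:comment:home:shell
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
smaxwell:x:0:1:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
guest::1001:10:Guest Account:/home/guest:/bin/sh
samc:x:20001:10:Mr Sam Clinton:/homes/samc:/bin/sh
stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
tempuser:x:20003:10:Temporary:/homes/tempuser:/bin/sh'

# sample_file: write the sample to a temporary file and print its path
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    echo "$f"
}

# uid0_accounts FILE: every login whose UID (field 3) is 0, root included
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# duplicate_uids FILE: UIDs that appear on more than one line
duplicate_uids() {
    awk -F: '{ seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "$1" | sort -n
}

# empty_password_fields FILE: logins whose password field (field 2) is empty
empty_password_fields() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# audit_passwd FILE: one finding per line; prints nothing for a clean file
audit_passwd() {
    file=$1
    for u in $(uid0_accounts "$file"); do
        [ "$u" = root ] || echo "UID 0 account other than root: $u"
    done
    for uid in $(duplicate_uids "$file"); do
        names=$(awk -F: -v u="$uid" '$3 == u { printf "%s ", $1 }' "$file")
        echo "UID $uid shared by: $names"
    done
    for u in $(empty_password_fields "$file"); do
        echo "empty password field: $u"
    done
}

# finding_count FILE: number of findings, handy as a cron job exit check
finding_count() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

# stand-alone run against the constructed sample
f=$(sample_file)
audit_passwd "$f"
echo "findings: $(finding_count "$f")"
rm -f "$f"
```

Run against the real file with audit_passwd /etc/passwd. On systems that keep hashes in a shadow file the password field is normally x for every account, so the empty-field check is about accounts that someone has deliberately opened, not about the hash itself.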

date
The date command is used to display the system date and time. Also,
sometimes it is necessary to alter the date or time on the system, and the
command can be used for this purpose as well. Typing the command
# date

will show output formatting like the following:
Thu Dec 27 16:59:15 PST 2001

As with most UNIX commands, the date command supports different
command-line options and arguments, which can be used to alter what is
displayed or to control additional functions. For example, to alter the date and
time on the system, and set it to November 5, 2005 at 9:30 AM, the administrator
can use the following command:

# date 110509302005
Sat Nov 5 09:30:00 PST 2005

11 This denotes the month of the year
05 This denotes the date of the month
09 This denotes the hour of the day
30 This denotes the minute of the hour
2005 This denotes the year

When the date command is given a correctly formatted date string, it
assumes that the system date should be altered and echoes back the new date.
Due to security concerns, only the superuser (root account) may alter the date
and/or time settings.

Ask the Expert
Question

Why can only the superuser alter the date or time settings?

Answer Well, the view from many system administrators is that
typical users shouldn’t be able to alter the date because it could impact
the system in negative and unexpected ways. For example, some
software license keys are coded to expire on some future date. If
someone changes the date and advances the clock, it could invalidate
the licenses and stop these software packages from operating. Also,
changing the date arbitrarily can cause problems when files and
directories are created or modified, because they pick up time stamp
information that is not accurate. It could lead, for example, to files
having a future or past date that is in conflict with reality. Also,
consider if an order entry system application is running on a system
where the date was advanced significantly. This action will negatively
impact the ability to handle delivery dates and schedules because of the
incorrect date and time information.

hostname
The hostname command shows the name of the host when it is typically
attached to a network. However, a UNIX system can have a valid hostname
without networking services actually configured or when the system is not
attached to a network. This name can either be a fully qualified domain name
(FQDN) or another name known as a host alias. The FQDN is what has been
defined within the Domain Name System (DNS) server for that particular
system. An alias is simply another name for the FQDN and can be used
interchangeably with the fully qualified name.
To display the hostname of a system, type the following:
# hostname

If the hostname is defined, a string is displayed as in the following example:
pebbles.home.com

In this case, the hostname pebbles.home.com is the defined system
name, and it is this name that should be used when accessing the system over
the network. For example, if the administrator wants to determine if the system
is reachable from another node on the network, this hostname can be used with
the ping command. See Module 11 for additional information on this network
command. Thus,
# ping pebbles.home.com
pebbles.home.com is alive

shows that the system is available on the network.

Hint

This name is known as a fully qualified name because it contains both the
hostname and the domain name. As previously suggested, the hostname may
also be the system alias. Thus, a hostname of pebbles would be just as valid
or correct.

The hostname command can also be used to name the host or rename
the host if it already has a defined system name. However, on Solaris and other
systems, just running this command doesn’t permanently alter the name of the
machine across system reboots, nor does it completely change the name of
the machine. In other words, using this command on the command line only
alters the name of the system until the system is rebooted, and without additional
steps would cause the system to not function correctly on the network.

1-Minute Drill

● As a UNIX system administrator, why don’t you need to check to see
  if a command executed after issuing it?

● Why isn’t the cat command appropriate for listing the contents of
  program files?

Answers:

● You don’t need to check to see if a command executed because if it didn’t, UNIX will return an error
  message.

● The cat command only displays text characters properly and doesn’t handle special characters in program
  files well.

find
The find command is used to search the UNIX system for specific files and/or
directories. This command is very useful to recursively search a file system
when you don’t know exactly where a file (or group of files) is located. One
very practical use of this command is to clean up file systems by removing
unneeded files and thus reclaiming disk space. Additional practical uses include

● Identifying files that contain possible security concerns or problems

● Identifying very large files that consume much disk space

● Identifying files that are owned by specific users

● Identifying files that haven’t been accessed in a long time and can be
  archived off the system

To search for specific files—for example, all files named core—use the
following command:
# find / -name core

and if one or more core files are found, a list of files will be produced as
shown in the following example:
/home/sjmaxwell/bin/tools/core
/tmp/core1
/usr/local/utils/core
/var/stream/bin/core

When attempting to clean up disk space, files with the name of core are
particularly useful to locate and remove because they tend to be rather larger
in size. Generally, core files are generated as a result of a binary program that
has stopped under some abnormal condition. The file contains program data
and other information that is useful for tracking down software problems.
Unfortunately, core files can hang around within a file system soaking up
large amounts of disk space and without some kind of cleaning process can
cause a file system to become full and subsequently unusable.
The output of this command shows a series of fully qualified files, each
matching the file string arguments shown in the find command. In this case,
a total of four files have been found. The output of the command is very helpful
when additional inspection of the files is necessary. For example, you can further
examine the file using the ls command with the –al options. The ls command
shows several very useful aspects of a UNIX file as discussed below. Thus, to
see the amount of space the file uses, use the following command:
# ls -al /var/stream/bin/core
-rw-------   1 root     other     678876 Jun 29 16:34 /var/stream/bin/core

In our example, we wanted to see the amount of disk space the file consumed.
In this case, the file is using approximately 678K (that is 678,000 bytes, or
more than half of a megabyte) of disk.
The arguments and syntax of the find command include the following:
find path expression

The path argument tells find where to begin searching and will
recursively descend the specified path until it reaches the last directory. Many
times, the / (root) file system is specified, thus telling find to start at the
highest level within the system. The find command will then also search
each additional mounted file system in order, because every mounted file
system descends from /.
The expression argument includes two components: directives and
associated arguments. Directives are action verbs, which tell find what to do
or modify an action or behavior. Table 2-4 shows these directives and any
associated command arguments.
Table 2-4  Find Action Commands

Command    Definition
-atime     Checks to see if the file was accessed n days ago.
-cpio      Writes the current file on the specified device in the 5120-byte
           record format known as cpio (Solaris only).
-ctime     Checks to see if the file’s status was changed n days ago.
-depth     Controls how directories are searched.
-exec      Executes a command once a file is found.
-follow    Causes find to follow symbolic links.
-fstype    Search for a file that belongs to a specific file system.
-group     Search for a file that belongs to a specific group ID.
-help      Display help on command-line arguments (Linux only).
-inum      Search for a file that contains a specific inode number.
-links     Search for a file that has n number of file links.
-local     Searches for a file that is on a local file system (Solaris and
           HP-UX only).
-ls        Prints current path name and any associated stats.
-mount     Restricts the search to a specific mounted file system.
-mtime     Checks to see if the file’s data was changed n days ago.
-name      Search for a file with a specified name.
-newer     Search for a file that has been modified more recently than the file
           argument.
-nogroup   Search for a file with a group name not contained in the
           /etc/group system file.
-nouser    Search for a file with an owner not contained in the
           /etc/passwd system file.
-ok        Prompts the user to input a positive response to continue with
           the specific find command.
-perm      Searches for a file that contains a specific file permission pattern.
-path      Same as -name, but the full path is used instead of the name
           string (HP-UX only).
-print     Causes find to print the current path name and is the default
           option in some versions of UNIX.
-prune     Stops find from entering a directory hierarchy.
-size      Searches for a file that is n blocks long using 512 bytes per block.
-type      Searches a specific type of file such as block special, character
           special, directory, or plain file.
-user      Search a specific file owned by a given system user.
-xdev      Same as the -mount command.


Sometimes, it is not desirable to search every file system, but instead to
scan only a specific one. In this case, use the –mount option to restrict the
scan operation to only a single file system tree. For example, the command
# find /var -mount -name core -print
/core

will search the /var file system for all occurrences of the filename core.

Ask the Expert
Question

Why would you want to search just a specified file system?

Answer One of the biggest reasons is that you may not want to
search file systems that are mounted over the network from other
systems such as NFS volumes. Searching on remote file systems can
take longer if traffic on the network is high or even if the remote system
is overloaded. Even if the remote file system is relatively fast, it just may
not make sense to search a file system due to other considerations such
as it is a NFS read-only file system or in the case of locally mounted
read-only file system contained on a CD-ROM. Searching the contents
of a CD-ROM that contains product documentation when you are
looking, for example, for user files is a total waste of time.

Now that we have a command that searches for core files, let’s assume we
would like to remove those files when they are found. The following command
will accomplish this task:
# find / -name core -atime +10 -exec rm {} \;

It searches the system looking for core files that haven’t been accessed for
at least 10 days and once it finds one, it will remove it.
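Before letting -exec rm loose on a whole file system, an administrator normally runs the same predicates with -print first and reads the list, and adds -type f so that a directory that happens to be called core (plain -name core would match it) is left alone. The script below is an added example and not code from the book: it stages a throwaway directory tree with constructed files and dates, runs the sweep as a dry run, then as the real removal, and reports what changed. It uses -xdev, which Table 2-4 lists as the same thing as -mount, because that spelling is accepted by more find implementations.

```shell
#!/bin/sh
# Added example, not from the book: the core-file sweep from the text, run as a
# dry run (list only) before the removal, against a throwaway directory tree.
# Every file and date below is constructed for the demonstration.
set -eu

# make_fixture DIR: build the constructed tree. Two core files get an access
# time in 2001, one core file is fresh, one "core" is a directory, and one
# file is unrelated.
make_fixture() {
    dir=$1
    mkdir -p "$dir/app/bin" "$dir/tmp" "$dir/proj/core"
    printf 'dump' > "$dir/app/bin/core"
    printf 'dump' > "$dir/tmp/core"
    printf 'dump' > "$dir/app/core"
    printf 'readme' > "$dir/proj/core/README"
    printf 'notes' > "$dir/app/bin/notes.txt"
    # -atime keys on access time, so push only the atime of two files back
    touch -a -t 200106291634 "$dir/app/bin/core" "$dir/tmp/core"
}

# list_stale_core DIR: the dry run. -xdev (same as -mount in Table 2-4) keeps
# the sweep on one file system; -type f keeps a directory that happens to be
# named core out of the list, which plain -name core would match.
list_stale_core() {
    find "$1" -xdev -type f -name core -atime +10 -print
}

# count_stale_core DIR: how many files the dry run would remove
count_stale_core() {
    list_stale_core "$1" | wc -l | tr -d ' '
}

# remove_stale_core DIR: the real sweep, same predicates plus -exec rm
remove_stale_core() {
    find "$1" -xdev -type f -name core -atime +10 -exec rm {} \;
}

# count_named_core DIR: everything still called core, of any type
count_named_core() {
    find "$1" -name core | wc -l | tr -d ' '
}

# demo: prints "<stale before> <stale after> <entries still named core>"
demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    before=$(count_stale_core "$work")
    remove_stale_core "$work"
    after=$(count_stale_core "$work")
    left=$(count_named_core "$work")
    rm -rf "$work"
    echo "$before $after $left"
}

demo
```

The two entries that survive are the fresh core file, which -atime +10 excludes, and the directory named core, which -type f excludes; the book's one-liner without -type f would have tried rm on that directory and failed with an error for it.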

ls
The ls command is used to list files and/or directories within one or more file
systems. The basic syntax includes
ls [options] [file/directory]

Like other UNIX commands, the ls program has a fairly large number of
command-line options. However, only the most useful ones are presented in
this section. These options are described and summarized in Table 2-5, and
some of them are explained below.

Table 2-5  ls Command-Line Options

Option   Definition
-a       List all files within a directory, including . and ..
-b       Display nonprinting characters in octal format.
-c       Use modification time when displaying files in sort order.
-C       Multicolumn output.
-d       If the file is a directory, list only its name, not its subdirectories
         or subfiles.
-F       Mark each directory with a trailing “/” character, an “*” if the file is
         executable, “@” if symbolic link, and “|” if FIFO.
-i       For each file/directory, list its corresponding i-node number.
-l       Give more verbose output, which includes more information
         about file/directory attributes.
-L       If the file is a symbolic link, list the referenced file, not the link itself.
-R       Recursively descend and list each subdirectory.
-t       Sort by time stamp information instead of by filename.
-u       Use last file access time when displaying in sort order.
-1       Display one line for each file shown.

Issuing this command in the current directory will list all files and/or
directories contained within that directory. Thus, if the administrator was
within the /usr directory, issuing the command would yield the following
sample output:
# ls
4lib         games        local        perl5_readme snadm
5bin         include      mail         platform     spool
X            java         man          preserve     src
bin          java1.1      net          proc         tmp
ccs          java1.2      news         pub          ucb
demo         kernel       old          sadm         ucbinclude
dict         kvm          openwin      sbin         ucblib
dt           lib          perl5        share        xpg4

The output above includes both individual files and directories, but it is
difficult to draw a distinction between them because no additional information
is provided. To solve this problem, we can use the -l option, which shows a
long listing of file and directory attributes. Thus, running the above command
using this option produces the following:
# ls -l
total 132
drwxr-xr-x   2 root     bin         1024 Mar 16  2001 4lib
lrwxrwxrwx   1 root     root           5 Mar 16  2001 5bin -> ./bin
lrwxrwxrwx   1 root     root           9 Mar 16  2001 X -> ./openwin
drwxr-xr-x   4 root     bin         8704 Jul 13 15:03 bin
drwxr-xr-x   4 root     bin          512 Mar 16  2001 ccs
drwxr-xr-x   8 root     bin          512 Mar 16  2001 demo
lrwxrwxrwx   1 root     root          16 Mar 16  2001 dict -> ./share/lib/dict
drwxrwxr-x  10 root     bin          512 Mar 16  2001 dt
drwxr-xr-x   2 root     bin          512 Mar 16  2001 games
drwxr-xr-x  23 root     bin         4096 Mar 19  2001 include
lrwxrwxrwx   1 root     other          9 Mar 16  2001 java -> ./java1.2
drwxrwxr-x   6 root     bin          512 Mar 16  2001 java1.1
drwxr-xr-x   7 root     bin          512 Mar 16  2001 java1.2
drwxr-xr-x   9 root     sys          512 Mar 16  2001 kernel
drwxr-xr-x   2 root     bin          512 Mar 16  2001 kvm
drwxr-xr-x  54 root     bin        12288 Mar 19  2001 lib
drwxr-xr-x   8 root     sys          512 Sep 25 15:24 local
lrwxrwxrwx   1 root     root          11 Mar 16  2001 mail -> ../var/mail
lrwxrwxrwx   1 root     root          11 Mar 16  2001 man -> ./share/man
drwxr-xr-x   4 root     sys          512 Mar 16  2001 net
lrwxrwxrwx   1 root     root          11 Mar 16  2001 news -> ../var/news
drwxr-xr-x   2 root     bin          512 Mar 16  2001 old
drwxr-xr-x   8 root     bin          512 Mar 16  2001 openwin
drwxr-xr-x   5 root     bin          512 Mar 16  2001 perl5
-rw-r--r--   1 root     other        104 Sep 25 18:10 perl5_readme
drwxr-xr-x  15 root     sys         1024 Mar 19  2001 platform
lrwxrwxrwx   1 root     root          15 Mar 16  2001 preserve -> ../var/preserve
drwxr-xr-x   3 root     bin          512 Mar 16  2001 proc
lrwxrwxrwx   1 root     root          15 Mar 16  2001 pub -> ./share/lib/pub
drwxr-xr-x   8 root     bin          512 Mar 16  2001 sadm
drwxr-xr-x   5 root     bin         5120 Mar 19  2001 sbin
drwxr-xr-x   6 root     sys          512 Mar 16  2001 share
drwxr-xr-x   5 root     bin          512 Mar 16  2001 snadm
lrwxrwxrwx   1 root     root          12 Mar 16  2001 spool -> ../var/spool
lrwxrwxrwx   1 root     root          11 Mar 16  2001 src -> ./share/src
lrwxrwxrwx   1 root     root          10 Mar 16  2001 tmp -> ../var/tmp
drwxr-xr-x   4 root     bin         2048 Mar 16  2001 ucb
drwxr-xr-x   4 root     bin          512 Mar 16  2001 ucbinclude
drwxr-xr-x   4 root     bin         1024 Mar 16  2001 ucblib
drwxr-xr-x   5 root     bin          512 Mar 16  2001 xpg4

(Callouts in the original: the d at the beginning of a line shows that the
entry is a directory; the - at the beginning of a line, as with perl5_readme,
shows a regular file; the l at the beginning of a line together with the ->
shows a symbolic link.)

Although the output above looks quite daunting, each directory and file
contains a fixed number of fields, which is illustrated by Figure 2-2.

Figure 2-2  Elements of a UNIX file

As you can see, each element within the listing contains a set of file type and
permission bits, a link count, ownership fields, size, modification date/time,
and name. The first field represents the file type attribute, of which there are two
major types. The first is a directory and the second is a regular file. A directory is
defined as a special file that contains additional file elements. A directory is noted
by a letter “d” in the first field. A regular file contains no flags information and
contains a “-” character. The “-” character can be seen by examining the
perl5_readme file, which is a regular text file.
UNIX supports additional file types, which are shown in Table 2-6. Block
special files are used for access to hardware devices such as disks (floppies,
hard drives, and CD-ROMs). These devices typically transfer information in
fixed-size units, such as 8K at a time. Character special files are used for
devices such as terminals or printers, where information may be transferred
one character at a time. A symbolic link is simply a pointer to another file,
which may reside on a different file system. Both socket and pipe files are
used for interprocess communication among cooperating programs so that they
may share information and data.
The remaining bits of the file permission field represent the fundamental
access control mechanism for the file. A total of 9 bits are used to define three
levels of access that include the owner, group, and world. The owner level
represents the actual username associated with the file, such as root. The
group is the group name associated with the file, such as other, and the world
represents everyone else defined on the system.
Within each of these levels, three additional access rights are defined as
shown in Table 2-7.
File Flag  Meaning
-          No specific flag; indicates a regular text file
b          Block special file, which is used for hardware-related devices
c          Character special file, which is used for hardware-related devices
d          Directory
l          Symbolic link
s          A socket file
p          A pipe file

Table 2-6  Standard UNIX File Types


Access Bit  Meaning
r           The file is readable.
w           The file is writable.
x           The file can be executed or run as a program. If a directory, it can be searched.

Table 2-7  File Access Bits

Please note that additional access bits are supported on UNIX. These
include l for mandatory locking, s for user/group set-ID, and t for sticky bit.
The mandatory locking is related to the file’s ability to have reading or writing
permission locked while a program is accessing the file. The s indicates the file
can be executed with the ownership of the file, such as root. This is a way for
the administrator to give normal users access to privileged commands in a
controlled way. The sticky bit provides the ability to have the file referenced
more efficiently.
Each file supports access bits for three security elements for a file or
directory. The first group of three denotes the owner, the next three are the
group, and the final three are for others. This is shown in Figure 2-3. The
administrator can use these permission bits to control access to the file. Also,
the owner of the file may control these permission bits.
Each of the bits controls how the file can be accessed. When the r bit
is present, the file can be read; when the w bit is present, the file is writable;
and when the x bit is present, the file can be executed. In the case of a
directory, the x indicates that the directory can be searched. Of course, the
execution bit is only meaningful when the file represents a binary program
or some type of script.
Table 2-8 contains a few examples of different file permissions that are
possible with UNIX files and/or directories.

Figure 2-3  File access bits

Permission Mode  Meaning
-rw-r--r--       The file is readable/writable by the owner and only readable by the group and everyone else.
-rw-------       The file is readable/writable only by the owner.
-rw-rw----       The file is readable/writable only by the owner and group.
-rwxr-xr-x       The file (or directory) is readable, writable, and executable by the owner and both readable/executable by the group and everyone else.
-rwx--x--x       The file (or directory) is readable, writable, and executable by the owner and only executable by the group and everyone else.

Table 2-8  Example File Permission Modes
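To tie Tables 2-6 through 2-8 together, here is an added example (not from the book) in POSIX shell that decodes the ten-character mode string from the first column of ls -l into its file type, its octal value, and a plain-English reading of the owner, group, and others classes. It also handles the extra bits mentioned in the text: s/S for set-ID, t/T for the sticky bit, and the Solaris l for mandatory locking, which occupies the group execute position. The function names triple_to_digit, triple_words, mode_to_octal, and describe_mode are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book: decode the mode string that ls -l
# prints in its first column (Tables 2-6 to 2-8) into its file type,
# its octal value, and a plain-English reading of each permission class.
# Function names are hypothetical.

# Convert one rwx triple to its digit. s and t count as execute because
# the lower-case letters mean the special bit and x are both set; S, T
# (and the Solaris l for mandatory locking) mean the special bit alone.
triple_to_digit() {
  v=0
  case $1 in r??) v=$((v + 4));; esac
  case $1 in ?w?) v=$((v + 2));; esac
  case $1 in ??[xst]) v=$((v + 1));; esac
  echo "$v"
}

# Words for one triple, e.g. "r-x" -> "read execute".
triple_words() {
  w=""
  case $1 in r??) w="${w}read ";; esac
  case $1 in ?w?) w="${w}write ";; esac
  case $1 in ??[xst]) w="${w}execute ";; esac
  [ -n "$w" ] || w="none "
  echo "${w% }"
}

# "-rwsr-xr-x" -> 4755. Fails (exit 1) on a string that is not 10 characters.
mode_to_octal() {
  bits=${1#?}                       # drop the file-type character
  [ ${#bits} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
  u=${bits%??????}                  # owner triple
  g=${bits#???}; g=${g%???}         # group triple
  o=${bits#??????}                  # others triple
  special=0
  case $u in ??[sS]) special=$((special + 4));; esac    # set-user-ID
  case $g in ??[sSl]) special=$((special + 2));; esac   # set-group-ID / mandatory locking
  case $o in ??[tT]) special=$((special + 1));; esac    # sticky bit
  ud=$(triple_to_digit "$u"); gd=$(triple_to_digit "$g"); od=$(triple_to_digit "$o")
  echo $((special * 1000 + ud * 100 + gd * 10 + od))
}

# Full description, e.g. "drwxr-x--x" ->
# "directory, mode 751: owner=read write execute group=read execute others=execute"
describe_mode() {
  case $1 in
    -*) t="regular file";;      d*) t="directory";;
    l*) t="symbolic link";;     b*) t="block special file";;
    c*) t="character special file";;
    s*) t="socket";;            p*) t="pipe (FIFO)";;
    *)  t="unknown file type";;
  esac
  bits=${1#?}
  g=${bits#???}
  printf '%s, mode %s: owner=%s group=%s others=%s\n' "$t" "$(mode_to_octal "$1")" \
    "$(triple_words "${bits%??????}")" "$(triple_words "${g%???}")" \
    "$(triple_words "${bits#??????}")"
}

describe_mode drwxr-x--x
describe_mode -rw-r--r--
describe_mode -rwsr-xr-x
```

The octal form is what chmod accepts, so the decoder doubles as a check before changing a mode: a leading 4 or 2 means a set-ID bit is involved, which deserves a second look on any file owned by root.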

The next field corresponds to the number of links associated with this file,
and in the above example no additional links have been created. This type of
link permits the creation of another file from the original, but they share the
same contents of the first file. A file link appears to be another copy, but in fact
it simply is a pointer to the same file. A modification to one of the files updates
the other one as well. This link is known as a hard link and can’t be used across
different file systems. Symbolic links, as denoted with the “l” character,
accomplish the same thing, but can be used across file systems. The other
difference with symbolic links is that they are one-directional. The symbolically
linked file points to the master file and not vice versa; the master doesn’t point
to the copy.
Note that several files in the above example are symbolic links and are
denoted as such with the “->” string, including ../var/tmp. See Figure 2-2.
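The hard-link and symbolic-link behaviour described above is easiest to see in a scratch directory. The following is an added example (not from the book) in POSIX shell: it creates a file, a hard link to it, and a symbolic link to it, then reads the link count and i-node numbers back with the ls options from Table 2-5. The helper names inode_of, link_count, make_links, same_file, and symlink_state and the file names master, hard, and soft are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: show the difference between a hard
# link and a symbolic link in a scratch directory. Function names are
# hypothetical; "master", "hard" and "soft" are constructed file names.

# i-node number of a path as reported by ls -di (the -i option in Table 2-5).
inode_of() { ls -di "$1" | awk '{ print $1 }'; }

# Link count from the second column of ls -ld.
link_count() { ls -ld "$1" | awk '{ print $2 }'; }

# Create master, a hard link to it, and a symbolic link to it.
make_links() {
  dir=$1
  printf 'original\n' > "$dir/master"
  ln "$dir/master" "$dir/hard"   # same i-node: link count of master becomes 2
  ln -s master "$dir/soft"        # a new file of type l whose content is the name "master"
}

# "yes" if two paths name the same i-node (the same file), else "no".
same_file() {
  if [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; then echo yes; else echo no; fi
}

# "dangling" if a symbolic link points at a name that no longer exists.
symlink_state() {
  if [ -L "$1" ] && [ ! -e "$1" ]; then echo dangling; else echo ok; fi
}

d=$(mktemp -d)
make_links "$d"
echo "master link count: $(link_count "$d/master")"                    # 2
echo "master and hard same file: $(same_file "$d/master" "$d/hard")"  # yes
echo "master and soft same file: $(same_file "$d/master" "$d/soft")"  # no
printf 'changed\n' > "$d/hard"
echo "master now reads: $(cat "$d/master")"    # changed: both names share one file
rm "$d/master"
echo "hard still reads: $(cat "$d/hard")"      # changed: the data lives on
echo "soft is now: $(symlink_state "$d/soft")" # dangling: it pointed at the name only
rm -rf "$d"
```

Removing master shows the one-directional point from the text: the hard link still reaches the data because it is the same file, while the symbolic link is left pointing at a name that no longer exists.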
Next, the ownership fields represent both the name of the owner and group
membership for the file. Both of these names should be defined within the
/etc/passwd and /etc/group administrative files. If not, then just the user
identification number (UID) and group identification (GID) are shown instead.
The next field shows the actual number of bytes contained within the file,
which is the same as saying how much disk space is used to store the contents
of the file. Typically, only with regular files does this field have meaning; all
other file types (directories, for example) only contain pointers to other files or


information—not user data. Administrators will use this field to determine the
amount of disk space that is consumed by each file. In fact, monitoring disk
space and cleaning up unneeded and/or unused files can occupy a significant
amount of time if not completely automated. The next field that follows is the
file modification field, and it shows when the file was last updated. The
remaining file attribute is the name of the file.
One very powerful argument for the ls command is the -R option. This
tells the program to recursively display all lower directories/files within a given
path name. For example, consider the directory structure shown in Figure 2-4.
When the ls -R command is issued against this directory, we get
# ls -alR local
local:
total 4
drwxr-xr-x   2 root     other        512 Sep 25 19:09 bin
drwxr-xr-x   2 root     other        512 Sep 25 19:09 etc

local/bin:
total 854
-r-xr-xr-x   1 root     other      18844 Sep 25 19:09 ls
-rwx------   1 root     other     409600 Sep 25 19:08 ssh

local/etc:
total 2
-r--r--r--   1 root     other         97 Sep 25 19:09 hosts

Figure 2-4  Sample directory structure

With this example, we list a top-level directory called local, and within
this directory we see two subdirectories called bin and etc. Within the bin
directory, two additional files are located, and the etc directory contains a
single file. If we didn't use the -R option, the ls command would have only
listed the top-level directory local, and not any additional subdirectories
underneath:
# ls -al local
total 8
drwxr-xr-x   4 root     other        512 Sep 25 19:09 .
drwxr-xr-x   3 root     other        512 Sep 25 19:08 ..
drwxr-xr-x   2 root     other        512 Sep 25 19:09 bin
drwxr-xr-x   2 root     other        512 Sep 25 19:09 etc

1-Minute Drill

● Explain what it means that a symbolic link is "one-directional."

● What are the three categories of permissions for a file and what are the three
possible permissions for each category?

● One-directional means that a symbolically linked file points to the master file it is a copy of, but the master
file doesn't point to the symbolically linked copy.
● Categories: owner, group, others; permissions: read, write, execute.

strings
The strings command is used to search for ASCII strings within a software
program or binary file. This command is quite helpful when you need to look
inside a binary file or program, or when you are searching for a specific string
sequence. Normally, if you were to attempt to display a binary file or program
using UNIX tools such as more or cat, you would have difficulty. For
example, imagine that you issue the following command to view the contents
of the ls program:
# more /bin/ls

When this command is executed, the following output would be shown:
Bl°/usr/lib/ld.so.1SbEM'<]^_3
C*Z[a92/KL


Unfortunately, this isn’t the desired result since the more program has
trouble showing binary data to the user’s display, and that is why the strange
output is presented. Also, depending on the display device (that is, terminal)
involved, the characters shown could lock up the terminal, which may result
in the user needing to reset the device or log in from another terminal and kill
their old session.
However, issuing the following strings command would yield the
following:


# strings /bin/ls
SUNW_OST_OSCMD
RaAdC1xmnlogrtucpFbqisfL
usage: ls -1RaAdCxmnlogrtucpFbqisfL [files]
COLUMNS
total %llu
%llu
%3ld
%-8s
%-8lu
%-8s
%-8lu
%3ld,%3ld
%b %e %Y
%b %e %H:%M
->
%s%s
%s%s
%-8lu
%-8lu
%10llu
%llu
%lld
%4lld
%lld
%7lld
%lld


Notice that this command displays all strings within the file and doesn’t
generate strange characters on the display. The command supports a few
command line options, as listed in Table 2-9.


Option  Definition
-a      Examine the entire file, not just the initialized data area of an object file.
-n      Use the specified number as the minimum string length, rather than the default of 4.
-o      Abbreviated option for -t d.
-t      Display each string with a byte offset in one of the following formats: d for decimal, o for octal, and x for hexadecimal.
-v      Display version information (Linux only).

Table 2-9  strings Command-Line Options

Ask the Expert

Question
Why display the contents of a program?

Answer
Well, one very good reason is that you might need to search for some specific
information within a program that you might not be able to obtain any other
way. For example, suppose you wanted to find out which files are used by a
given command, say, the more program. The following command would provide
that information:
# strings /usr/bin/more | grep /
Usage: %s [-cdflrsuw] [-lines] [+linenumber] [+/pattern] [filename ...].
/usr/lib/locale/%s/LC_MESSAGES/more.help
/usr/lib/more.help
/usr/bin/sh

In this example, we search the more binary program and pipe (send) the output
to the grep command to search for a particular pattern. In this case, we
searched for the "/" character, which is used to denote the start of a file or
directory path. As you can see from the sample output, the more program uses
three files.


If we are interested in knowing where in the file a specific pattern is located,
we can use the -o option, which displays the byte offset from the beginning of
the file. For example, the command
# strings -o /usr/bin/more | grep /
25216 Usage: %s [-cdflrsuw] [-lines] [+linenumber] [+/pattern] [filename ...].
25620 /usr/lib/locale/%s/LC_MESSAGES/more.help
25672 /usr/lib/more.help
27260 /usr/bin/sh

now displays the byte offsets at which the patterns were found within the file;
the number at the beginning of each line is that offset. The -o option is an
abbreviation for -t d. The -t option takes either d, o, or x as its argument,
which represent decimal, octal, or hexadecimal display values. To list the byte
offset in hexadecimal, use -t with the x parameter:
# strings -t x /usr/bin/more | grep /
6280 Usage: %s [-cdflrsuw] [-lines] [+linenumber] [+/pattern] [filename ...].
6414 /usr/lib/locale/%s/LC_MESSAGES/more.help
6448 /usr/lib/more.help
6a7c /usr/bin/sh

The number at the beginning of each line is now the byte offset, in hexadecimal,
at which that string is found in /usr/bin/more.
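Both the Ask the Expert exchange (strings piped through grep / to list the paths a program refers to) and the -o and -t offsets above can be reproduced without the strings binary, which makes clear what the command actually computes: runs of at least four printable characters and the byte offset at which each run starts. The following is an added example (not from the book) that does this with grep; it assumes GNU or BSD grep, whose -a reads the file as text, -o prints only the matching run, and -b prefixes that run with its byte offset from the start of the file, the same number strings -o prints. The function names and the sample "binary" are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: what "strings" and "strings -t d" do,
# expressed with grep so it can be tried on any file. GNU/BSD grep's -a
# reads the file as text, -o prints only the matching run, and -b prefixes
# the byte offset of that run, the same number "strings -o" shows.
# Function names are hypothetical; the sample file is constructed.

# Every run of at least $2 (default 4, like strings) printable characters in $1.
extract_strings() {
  LC_ALL=C grep -aoE "[[:print:]]{${2:-4},}" "$1"
}

# Same, prefixed with the decimal byte offset of each run ("offset:string").
extract_strings_with_offset() {
  LC_ALL=C grep -aboE "[[:print:]]{${2:-4},}" "$1"
}

# The Ask the Expert trick: strings that contain a "/" are usually paths.
embedded_paths() {
  extract_strings "$1" | grep '/'
}

# Write a constructed stand-in for a binary: a few non-printable bytes
# around strings of the kind the book's "strings /usr/bin/more" shows.
# "ELF", "abc" and "xy" are shorter than four characters, so the default
# run length skips them, exactly as strings would.
make_sample_binary() {
  printf '\177ELF\001\001\000\000abc\000/usr/lib/locale/%%s/LC_MESSAGES/more.help\000\000xy\000/usr/bin/sh\000\002\003usage: %%s [-c]\000' > "$1"
}

f=$(mktemp)
make_sample_binary "$f"
echo "--- strings (default minimum length 4)"
extract_strings "$f"
echo "--- strings -o"
extract_strings_with_offset "$f"
echo "--- strings -n 3"
extract_strings "$f" 3
echo "--- paths only"
embedded_paths "$f"
rm -f "$f"
```

The minimum-length argument corresponds to strings -n; lowering it to 2 or 3 on a real program produces a great deal of noise, which is why 4 is the default.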

ps
The process status, or ps, command is used to report on currently executing
programs or processes running on the system. System administrators will use
this command to monitor the running processes on the system. Sometimes it
becomes necessary to stop or kill one or more processes because they may be
negatively impacting the system and affecting other processes or the general
health of the system. For example, a particular process may consume too much
CPU time because it has encountered an unexpected condition, and as a result
starve other processing on the system. In this case, the administrator might
need to stop this rogue process in order to permit other processes to continue
or complete.


To obtain a snapshot of all the currently executing processes, use the -e
command-line option. Thus,
# ps -e
   PID TTY      TIME CMD
     0 ?        0:07 sched
     1 ?        0:00 init
     2 ?        0:00 pageout
     3 ?        0:12 fsflush
   326 ?        0:00 sac
   340 ?        0:00 blender
   175 ?        0:00 automoun
    59 ?        0:00 sysevent
   127 ?        0:00 rpcbind
   333 ?        0:00 ttymon
   206 ?        0:00 nscd
   149 ?        0:00 inetd
   342 ?        0:00 ffssh-ag
   197 ?        0:00 cron
   189 ?        0:00 syslogd
   329 ?        0:00 sendmail
   163 ?        0:00 lockd
   164 ?        0:00 statd
   212 ?        0:00 lpsched
   225 ?        0:00 powerd
   250 ?        0:00 sh
   257 ?        0:00 cimomboo
   235 ?        0:00 utmpd
   253 ?        0:25 smanager
   259 ?        0:00 vold
   327 console  0:00 ttymon
   346 ?        0:00 stamper
   306 ?        0:00 dtlogin
   298 ?        0:00 mountd
   300 ?        0:00 nfsd
   337 ?        0:00 xntpd
   335 ?        0:00 xntpd
   317 ?        0:00 dmispd
   345 ?        0:00 ffsshd
   347 ?        0:00 in.telne
   349 pts/1    0:00 sh
   389 pts/1    0:00 bash
   448 pts/1    0:00 ps


displays a list of all the known processes in a very simple format. A total of
four columns are shown that include PID, TTY, TIME, and CMD. The process
identification (PID) is a reference number to help identify the process and it is
assigned by the system automatically when a new program is started. The PID
is a unique number and can be used to control the process. Specifically, a
process may be stopped, started, killed, or sent additional signals, which can
modify its behavior in some predetermined fashion. The TTY field shows which
terminal device the process started from. When the system first boots, a number
of standard processes are started automatically. As a result, no terminal is
involved when these processes start and that is why a question mark (?) is
assigned in the TTY field for most of the processes listed above. The TIME field
shows how much elapsed CPU time the process has consumed. Finally, the
CMD field shows the command name or process name. With HP-UX, this field is
labeled as COMMAND. Typically, this will be the command name of the program,
which might be a binary program or shell script.
This command has a fairly large number of command-line options.
However, only the most useful ones are presented in this section. These options are
described and summarized in Table 2-10 and some of them are explained below.

Option     Definition
-a         Display a listing of all of the most frequently desired processes currently active on the system (Solaris only).
-A         Display information for all processes known to the system; the same as the -e option.
-C         Select those processes executing a particular command with the name supplied after the argument (HP-UX only).
-e         Display a listing about every process currently known to the system.
-f         Display a full listing for all processes known to the system.
-g         Display only those group leader IDs that correspond to specified IDs.
-G         Display only those processes that correspond to the specified group ID.
--help     Displays help screen (Linux only).
-l         Display long listing of processes that includes a large amount of information.
-p         List only those process IDs that are specified (Solaris only). On HP-UX, just use the -p option.
-o         Format output according to specific parameters.
-t         Display only those processes that match the specified terminal.
-u         Display only those processes that match the effective user ID or username.
-U         Display only those processes that match the real user ID or username.
-y         When -l is used, omits the obsolete F and ADDR columns and shows an RSS column that reports the resident set size of the process in kilobytes (Solaris only).
--version  Display version information (Linux only).

Table 2-10  ps Command-Line Options

The -e option lists every process currently known by the system; by
default, without any additional options, just an abbreviated process list is
shown. To capture a full list of not only all processes, but a significant number
of process attributes, use the -f option. Command-line options for this
command may be stacked, that is, grouped together using only a single "-"
symbol. So, the commands
ps -ef and ps -e -f

are functionally the same and produce identical output, as shown in the sample
output below:
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0 06:42:05 ?        0:07 sched
    root     1     0  0 06:42:05 ?        0:00 /etc/init -
    root     2     0  0 06:42:05 ?        0:00 pageout
    root     3     0  0 06:42:05 ?        0:00 fsflush
    root   326     1  0 06:44:18 ?        0:00 /usr/lib/saf/sac -t 300
    root   329     1  0 06:44:18 ?        0:00 /usr/lib/sendmail -bd -q15m
    root   206     1  0 06:43:36 ?        0:00 /usr/sbin/nscd
    root    59     1  0 06:42:10 ?        0:00 /usr/lib/sysevent/syseventd
    root   212     1  0 06:43:37 ?        0:00 /usr/lib/lpsched
    root   127     1  0 06:42:14 ?        0:00 /usr/sbin/rpcbind
    root   151     1  0 06:42:15 ?        0:00 /usr/sbin/inetd -s
    root   175     1  0 06:43:35 ?        0:00 /usr/lib/autofs/automountd
    root   336   335  0 06:44:19 ?        0:00 /usr/lib/inet/xntpd
    root   197     1  0 06:43:36 ?        0:00 /usr/sbin/cron
    root   189     1  0 06:43:36 ?        0:00 /usr/sbin/syslogd
    root   163     1  0 06:42:15 ?        0:00 /usr/lib/nfs/lockd
  daemon   164     1  0 06:42:15 ?        0:00 /usr/lib/nfs/statd
    root   225     1  0 06:43:37 ?        0:00 /usr/lib/power/powerd
    root   250     1  0 06:43:38 ?        0:00 /bin/sh
    root   257     1  0 06:43:43 ?        0:00 /usr/sadm/lib/wbem/cimomboot start
    root   235     1  0 06:43:37 ?        0:00 /usr/lib/utmpd
    root   259     1  0 06:43:43 ?        0:00 /usr/sbin/vold
    root   335     1  0 06:44:19 ?        0:00 /usr/lib/inet/xntpd
    root   317     1  0 06:43:47 ?        0:00 /usr/lib/dmi/dmispd
    root   298     1  0 06:43:45 ?        0:00 /usr/lib/nfs/mountd
    root   300     1  0 06:43:45 ?        0:00 /usr/lib/nfs/nfsd -a 16
    root   307     1  0 06:43:46 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   332   326  0 06:44:18 ?        0:00 /usr/lib/saf/ttymon
    root   327     1  0 06:44:18 console  0:00 /usr/lib/saf/ttymon -g -h -p pebbles.home.com console login:  -T vt100 -d /dev/
    root   347   151  0 06:48:15 ?        0:00 in.telnetd
    root   349   347  0 06:48:20 pts/1    0:00 -sh
    root   371   349  0 06:53:15 pts/1    0:00 ps -e -f

Additional columns that are displayed include UID, PPID, C, and STIME.
The UID column represents the user identification, or current owner, of the
process. When a process is started, the user that started it typically
assumes ownership of that process. However, there are instances when a
process, once started, assumes the ownership of root regardless of which user
started it.
The PPID column shows the parent process identification for each process.
UNIX supports the concept of parent/child relationships within the process
structure. As a result, should a process invoke additional subprocesses, they
are said to be children of the master or parent process. The PPID field identifies
which parent started a given process. Typically, a value of 1 means that the
master program known as init started the process when the system was first
initialized or rebooted. Also, if you examine the output more closely, you will
see additional processes with a PPID value of 0. These system-related
processes were started by the system very early in the boot process and are vital
to basic system operations.


The C field indicates an obsolete and unused scheduling flag.
The STIME field shows when the process was started. If the process was
started within the last 24 hours, it shows hours, minutes, and seconds. If the
process began more than 24 hours ago, the month and day are given instead.
If you are interested in displaying much of the available process information
for all processes running on the system, use the -l option. This option is very
useful because it provides a significant amount of detail for each process. For
example, the command
# ps -efl

shows the following output:
 F S UID  PID PPID C PRI NI ADDR   SZ WCHAN TTY      TIME CMD
19 T   0    0    0 0   0 SY    ?    0     ? ?       0:07 sched
 8 S   0    1    0 0  41 20    ?   98     ? ?       0:00 init
19 S   0    2    0 0   0 SY    ?    0     ? ?       0:00 pageout
19 S   0    3    0 0   0 SY    ?    0     ? ?       0:00 fsflush
 8 S   0  326    1 0  41 20    ?  219     ? ?       0:00 sac
 8 S   0  329    1 0  41 20    ?  365     ? ?       0:00 sendmail
 8 S   0  206    1 0  41 20    ?  332     ? ?       0:00 nscd
 8 S   0   59    1 0  88 20    ?  164     ? ?       0:00 sysevent
 8 S   0  212    1 0  59 20    ?  382     ? ?       0:00 lpsched
 8 S   0  127    1 0  41 20    ?  278     ? ?       0:00 rpcbind
 8 S   0  151    1 0  59 20    ?  297     ? ?       0:00 inetd
 8 S   0  175    1 0  41 20    ?  367     ? ?       0:00 automoun
 8 S   0  336  335 0   0 RT    ?  268     ? ?       0:00 xntpd
 8 S   0  197    1 0  49 20    ?  238     ? ?       0:00 cron
 8 S   0  189    1 0  89 20    ?  412     ? ?       0:00 syslogd
 8 S   0  342  253 0  41 20    ?  222     ? ?       0:00 ffssh-ag
 8 S   0  163    1 0  59 20    ?  234     ? ?       0:00 lockd
 8 S   1  164    1 0  50 20    ?  336     ? ?       0:00 statd
 8 S   0  345  253 0  47 20    ?  306     ? ?       0:00 ffsshd
 8 S   0  225    1 0  69 20    ?  171     ? ?       0:00 powerd
 8 S   0  250    1 0  99 20    ?  130     ? ?       0:00 sh
 8 S   0  257    1 0  49 20    ?  199     ? ?       0:00 cimomboo
 8 S   0  235    1 0  40 20    ?  127     ? ?       0:00 utmpd
 8 S   0  253  250 1  41 20    ? 1008     ? ?       0:29 smanager
 8 S   0  259    1 0  51 20    ?  326     ? ?       0:00 vold
 8 S   0  335    1 0   0 RT    ?  268     ? ?       0:00 xntpd
 8 S   0  340  253 0  40 20    ?  289     ? ?       0:00 blender
 8 S   0  317    1 0  57 20    ?  381     ? ?       0:00 dmispd
 8 S   0  298    1 0  69 20    ?  334     ? ?       0:00 mountd
 8 S   0  300    1 0  46 20    ?  233     ? ?       0:00 nfsd
 8 S   0  307    1 0  59 20    ?  614     ? ?       0:00 dtlogin
 8 S   0  346  253 0  67 20    ?  231     ? ?       0:00 stamper
 8 S   0  332  326 0  41 20    ?  219     ? ?       0:00 ttymon
 8 S   0  327    1 0  61 20    ?  218     ? console 0:00 ttymon
 8 S   0  347  151 0  54 20    ?  223     ? ?       0:00 in.telne
 8 R   0  349  347 0  51 20    ?   38       pts/1   0:00 sh
 8 O   0  412  349 0  41 20    ?  235       pts/1   0:00 ps


This command option shows additional columns that include F, S, PRI,
NI, ADDR, SZ, and WCHAN. The F field is not used and should be ignored. The
S field shows the state of the process and contains one of several different flags,
as shown in Table 2-11.
It is interesting to note that during the life of a process, it can bounce
between one or more states in a relatively short period of time. Depending on
the activities of the system and other factors that affect system load, a process
can toggle between the S and O states. Generally speaking, most processes
remain in the S state, since on a uniprocessor system only a single process is
running at any given point in time. A zombie is a process whose parent is no
longer waiting for it to terminate and which, as a result, can't be terminated
normally. Given the right circumstances, one or more zombie processes can
be created, largely due to software defects in certain applications. When this
happens, the process (or application) can't be killed using the kill program.
Instead, the system must be rebooted to clear these processes.

State Flag  Meaning
O           The process is running.
S           The process is in sleep state, waiting for an event to complete.
R           The process is in the run queue.
Z           The process has terminated abnormally; the parent is not waiting for this process to finish. This is known as a zombie process.
T           The process has stopped either by a signal (via the kill command or job control) or because the process is being traced.

Table 2-11  Process Status Flags
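Because the S column is where zombies show up, the check an administrator usually wants is "which processes are in state Z, and who is their parent?" The following is an added example (not from the book): an awk filter over ps -efl style output that locates the S, PID, PPID, and CMD columns by their header names, so it is not tied to one vendor's column order, and reports each zombie with the command name of its parent. It reads the listing on standard input so that it can be tested on a captured listing; SAMPLE_PS is a constructed listing in the column layout shown above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book: pick out zombie (state Z) processes
# from "ps -efl" style output and name the parent that has not waited on
# them. The function reads ps output on standard input, so on a live
# system run:  ps -efl | list_zombies
# Function names are hypothetical; SAMPLE_PS is a constructed listing in
# the column layout shown above.

SAMPLE_PS=' F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
19 T   0   0    0 0   0 SY    ?   0     ? ?     0:07 sched
 8 S   0   1    0 0  41 20    ?  98     ? ?     0:00 init
 8 S   0 250    1 0  40 20    ? 130     ? ?     0:00 sh
 8 Z   0 253  250 0  41 20    ?   0     ? ?     0:00 <defunct>
 8 Z   0 255  250 0  41 20    ?   0     ? ?     0:00 <defunct>
 8 O   0 412  349 0  41 20    ? 235     ? pts/1 0:00 ps'

list_zombies() {
  awk '
    # Header line: record the position of each column by name, so the
    # same code works whether the last column is called CMD or COMMAND.
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      cmdcol = ("CMD" in col) ? col["CMD"] : col["COMMAND"]
      next
    }
    { cmd[$col["PID"]] = $cmdcol }                 # remember every process name
    $col["S"] == "Z" {                             # zombie: keep pid and parent
      z[++n] = $col["PID"]; parent[$col["PID"]] = $col["PPID"]
    }
    END {
      for (i = 1; i <= n; i++) {
        p = parent[z[i]]
        printf "zombie pid=%s ppid=%s parent_cmd=%s\n", z[i], p, (p in cmd) ? cmd[p] : "unknown"
      }
    }'
}

# Number of zombies in the listing on standard input.
count_zombies() { list_zombies | grep -c '^'; }

printf '%s\n' "$SAMPLE_PS" | list_zombies
```

The parent is the useful part of the report: a zombie holds nothing but its process-table slot, and it is the parent's failure to wait on it that keeps it there, so the PPID and parent_cmd fields tell you which application has the defect the text describes.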


uname
The uname command displays more detailed information and characteristics
about the system. It can be used to determine basic operating system
information, such as
● The O/S version and name
● The name of the system
● Computer hardware type
● Hardware processor type

When this command is executed without any command-line options, the
name of the operating system is displayed. For example, typing
# uname
SunOS

on a Solaris system will yield the operating system name of SunOS. One of the
most popular options, -a, is used to display basic information in a concise
form. Thus,
# uname -a
SunOS pebbles.home.com 5.8 Generic_108528-06 sun4u sparc SUNW,UltraAX-i2

shows a string which contains a series of fields. The first field is the name of the
operating system, as shown in the previous example. Next, the fully qualified
hostname of the system is displayed, which is the same information as shown
by the hostname command. The third field is the name of the currently
installed kernel. The fourth field displays the machine hardware (class) name as
defined by the computer system vendor. The fifth field is the type of computer
processor. The above example shows that the system is based on Sun's Sparc
architecture. If this command were run on a Solaris Intel platform, it would
display a processor type of i686. The final field shows the hardware platform
information, which gives more information about the system architecture or
processor type.


The uname command is very useful to the system administrator because
each of the fields listed above can be obtained separately from all other fields by
using command-line options. Table 2-12 shows the available command-line
options for this command.
To display just the hostname of the system, use the -n option:
# uname -n
pebbles.home.com

If you are interested in just seeing the name of the operating system, use the
-s option:
# uname -s
SunOS

Option  Definition
-a      Displays basic information about the system.
-i      Displays the hardware platform information such as Sparc or i386. For HP-UX, displays the system identification number.
-l      Displays operating license information (HP-UX only).
-m      Displays the system hardware name or class of machine.
-n      Displays the hostname of the system.
-p      Displays the current processor type (Solaris and Linux only).
-r      Displays the operating system revision number or level.
-s      Displays the name of the operating system, such as SunOS, HP-UX, or Linux.
-S      Used to change the hostname of the system.
-v      Displays kernel/system version information.
-X      Displays system information in concise format separated by equal signs (Solaris only).

Table 2-12  uname Command-Line Options


Hint

The -S option on certain releases of Solaris doesn't actually work as expected.
The option does change the name of the host, but once the system is rebooted
the old name still applies. This is because the uname command doesn't update
the /etc/nodename file, which stores the system hostname.

Unlike the other operating systems, Solaris provides one additional option
(-X), which can be used to display more concise information about the system
in a format that is more suitable for parsing with a shell script. Thus, the command
# uname -X

makes it very easy to parse the output of uname with a shell script because
each field name is separated from its value by a common delimiter character,
the = (equals) sign, as shown below:
System = SunOS
Node = pebbles.home.com
Release = 5.8
KernelID = Generic_108528-06
Machine = sun4u
BusType = 
Serial = 
Users = 
OEM# = 0
Origin# = 1
NumCPU = 1
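As an added example (not from the book) of the shell parsing the text has in mind, the function below pulls a single field out of the Key = Value layout above, and a second function builds the same System, Release, and Machine facts portably from the single-letter options in Table 2-12, since -X exists only on Solaris. The function names uname_x_field and os_summary are hypothetical; SAMPLE_UNAME_X reproduces the book's sample output as a constant so the parser can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the book: pull individual fields out of the
# "Key = Value" layout that uname -X prints on Solaris, and a portable
# fallback that builds the same three facts from uname -s/-r/-m on any
# system. Function names are hypothetical; SAMPLE_UNAME_X is the book's
# sample output reproduced as a constant so the parser can run anywhere.

SAMPLE_UNAME_X='System = SunOS
Node = pebbles.home.com
Release = 5.8
KernelID = Generic_108528-06
Machine = sun4u
BusType = 
Serial = 
Users = 
OEM# = 0
Origin# = 1
NumCPU = 1'

# uname_x_field "<uname -X output>" <Key>: print the value, or fail
# (exit 1) if the key is absent. The field separator is "=" with any
# surrounding blanks, so that empty fields such as "BusType = " come
# back as an empty string rather than as a missing key.
uname_x_field() {
  printf '%s\n' "$1" | awk -F ' *= *' -v key="$2" '
    $1 == key { v = $2; sub(/[ \t]+$/, "", v); print v; found = 1 }
    END { exit !found }'
}

# On a live Solaris host the call would be:
#   uname_x_field "$(uname -X)" Release

# Portable equivalent of the System, Release and Machine fields, using
# the single-letter options from Table 2-12 that every UNIX supports.
os_summary() {
  printf 'System=%s Release=%s Machine=%s\n' "$(uname -s)" "$(uname -r)" "$(uname -m)"
}

echo "release from sample: $(uname_x_field "$SAMPLE_UNAME_X" Release)"
echo "number of CPUs from sample: $(uname_x_field "$SAMPLE_UNAME_X" NumCPU)"
echo "this host: $(os_summary)"
```

Scripts that branch on the operating system (the reason the Project at the end of this module asks you to note your uname -a output) should test the separate fields this way rather than pattern-matching the whole uname -a line, whose layout differs between Solaris, HP-UX, and Linux.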

With HP-UX, the -l and -i options are supported. The -i option displays
the system identification number, or the node name if the ID can't be
determined. The -l argument is used to display software license information.
Thus, the command
uname -a

is a shorthand way of listing the fields from the following arguments: -s, -n,
-r, -v, -m, -i, and -l.
This would yield output similar to
HP-UX socrates B.11.00 U 9000/800 545770578 unlimited-user license

The last two fields correspond to the -i (545770578) and -l
(unlimited-user license) fields respectively.

Project 2-1
This project will familiarize you with the commands from this module and give
you firsthand experience with them on your own system.

Step-by-Step
1. At the default shell prompt, type the following command to determine your
system’s operating system name, hostname, currently installed kernel name,
machine hardware (class) name, processor type, and hardware platform
information. You’ll want to remember this in case your operating system
supports special commands or options mentioned in this book.
# uname -a

2. Use the who command to determine all the users logged onto the system:
# who

3. Determine what user you are currently logged on as using this command:
# who am i

4. List the files in the current directory, including file attribute information:
# ls -l

5. From the list of files, display the smallest normal file onscreen:
# cat filename

6. Find all the files on your system that belong to the admin group and list them:
# find / -group admin

7. Display all the currently running processes on your system that belong to you:
# ps -u yourusername


Mastery Check
1. Which of the following is not a UNIX shell?
A. sh
B. csh
C. bash
D. ps
2. What is the command and option syntax to list a text file’s contents,
numbering each line but not numbering blank lines?
3. What is the command and option to change the system date and time to
October 4, 2002 3:30 P.M.?
4. What command do you use just to display a UNIX system’s name?
A. fqdn
B. ps
C. hostname
D. system
5. What command and option syntax would you use to find all the files on
your system you haven’t accessed in the last year?
6. What kind of file and what permissions does this set of attributes indicate:
drwxr-x--x?
7. Which of the following user types’ permissions are not defined by the 9-bit
permission attributes?
A. Administrator
B. Owner
C. Group
D. Others

8. What does the ? in the following command output indicate?
# ps -ef
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0 06:42:05 ?        0:07 sched
    root     1     0  0 06:42:05 ?        0:00 /etc/init -

9. What command do you use to display a system’s operating system revision
number?

Module 3

Using System
Administration Tools

Critical Skills
3.1 Manage Solaris with Admintool
3.2 Manage Linux with Userconf
3.3 Manage HP-UX Using SAM
3.4 Set Up Better Account Security


This section reviews how to perform specific UNIX administration tasks such as
adding new users to the system. As such, it is more procedure oriented versus
providing complicated details about the underlying structure of configuration
files or low-level system function. As the system administrator, it will be very
important that you know which tools to use for a given system administration
function or task. Also, it would be very good for the tools available to be easy to
use in order to help you to be very effective. Sometimes UNIX tools are not easy
to use, nor are they documented very well. However, as with most versions of
UNIX available today, one or more general-purpose GUI-based administration
tools are available—either with the basic operating system or they can be installed
after the operating system has been set up. For example, the Solaris system
provides the admintool program, which can be used to accomplish a variety
of important system administration tasks.
This module reviews the following tools:
admintool (Solaris)
control-panel (Linux)
sam (HP-UX)

Generally, these utilities provide a large number of functions; however,
only the addition and modification of user accounts will be reviewed.
The tools described in this section share common features: They were
designed to be used by administrators with little experience, and they can
perform important system administration tasks. These tools are most useful
when used against a single system, or in a situation where many systems are
networked to use a single set of system files on a single host and the tools are
used against that single host—in other words, in a computing environment
where the system account files (/etc/passwd, /etc/group, and /etc/shadow)
are locally available and maintained. Additional configuration is necessary
where Network Information Services (NIS) or some other authentication
mechanism is used in conjunction with these local account files. See Module 15
on NIS for more specific information.
Each of the administration tools is a GUI-based program that uses the
X-Window system to display a series of windows for each administrative
function they support. In order to run these tools, you will need an
X-Window-compliant workstation, such as a Sun workstation or X-terminal,
or a personal computer running some X-Window-compatible software. Note,
the HP-UX sam tool also supports basic CRT displays as well; thus, an X-Window
system is not required. A very good X-Window-based software package for UNIX

Module 3:

Using System Administration Tools

67

and the PC is called VNC. This package is available on the Internet and you
can consult Appendix A for additional information. You must also set the
DISPLAY environment variable to the workstation on which you want the
application windows to appear.

Hint

Since VNC is a shareware package, it may not be acceptable to use such
software in certain corporate environments.

3.1 Managing Solaris
Using Admintool
To invoke the admintool command, simply type the following on the
command line:
# admintool&

Once this command is run, it will display the base window, as shown in
Figure 3-1. This window contains a total of four menu items: File, Edit, Browse,
and Help. When the window first appears, it shows a scrollable list of defined
users that are contained within the /etc/passwd file.
The Browse menu contains a number of items that correspond to the
specific system administration tasks that the application supports. Table 3-1
lists the Browse menu items and their associated functions. Selecting one of
the items within this menu causes the application to redisplay the main window
with information associated with the menu item.
For example, clicking the Groups item causes the main window to display a
scrollable list of all the groups defined within the /etc/group file.

Add a New User
To add a new user to the system, use the following procedure:
1. From the Browse Menu, select the Users item.
2. From the Edit Menu, select the Add item. This will cause another window,
labeled Admintool: Add User, to appear, as shown in Figure 3-2.

Figure 3-1

Main admintool window (callout: List of Defined Users)

The window that appears is used to add a new user to the system and
contains a partially blank form of text boxes into which the administrator must
input information about the new user. This window contains three sections:
User Identity, Account Security, and Home Directory. In general, most of the
Account Security options are optional, while the other sections are required
and must be completed in order to create a valid UNIX user. The user identity
section contains the following input fields: User Name, User ID, Primary
Group, Secondary Groups, and Comment, which are typical elements for a
UNIX account.

Enter the Account Username
The username is the name of the UNIX account, which should represent the
name of the user or purpose of the account. Typically, the name may contain
letters of the alphabet, plus numbers, and is usually limited to eight characters
in length. Many sites use the first initial, middle initial, and last name for the
account name if it represents an actual person. Thus, Bill Jefferson Clinton
would have the associated UNIX login of bjclinton. If the total number of
users on the system is quite small, it is possible to simply use the first name of
the user as the account name. Obviously, if a site has more than one person
named bill, this approach will be a problem. As an alternative, the first name
plus last name initial could be used. So, using our previous example, the new
account would be billc. This approach has been used at many sites. If
the account doesn’t represent a real person—but a group, for example—then
names like support, sales, or eng may be acceptable. Bear in mind that
group type accounts, where multiple individuals share a single account, are
not a very good way to go since you lose the ability to know for certain who
is really using the account at any given time.

Table 3-1

Browser Menu Items

Menu Item      Function
Users          Create/modify system users.
Groups         Create/modify system groups.
Host           Create/modify the entries in the /etc/hosts file.
Printers       Create/modify system printers.
Serial Ports   Configure serial interfaces.
Software       Administer packages for the system.

Figure 3-2

New User window
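The two naming conventions just described can be applied mechanically and checked against the passwd file before the name is typed into the Add User form. The shell functions below are an added example, not the book’s or admintool’s own code; the passwd file they read is a constructed sample, and the eight-character limit the text gives is enforced here as an assumption. Note that the text’s own bjclinton is nine characters long, so the length check passes over it and the second convention supplies billc.

```shell
MAX_LOGIN_LEN=8    # the limit the text states; enforced here by assumption

# lowercase_alnum STRING -- lower-case and keep only letters and digits,
# the characters the text says a login name may contain.
lowercase_alnum() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9'
}

# login_initials "Bill Jefferson Clinton" -> bjclinton
#   First initial + middle initial (if any) + surname.
login_initials() {
    set -- $1                          # split the full name on whitespace
    first=$1; middle=""; last=""
    if [ $# -eq 1 ]; then
        last=$first; first=""          # a single-word name is used whole
    else
        for w; do last=$w; done        # the last word is the surname
        if [ $# -ge 3 ]; then middle=$2; fi
    fi
    printf '%s\n' "$(lowercase_alnum "$(printf '%.1s%.1s%s' "$first" "$middle" "$last")")"
}

# login_firstlast "Bill Jefferson Clinton" -> billc
#   First name + surname initial.
login_firstlast() {
    set -- $1
    first=$1; last=""
    if [ $# -ge 2 ]; then for w; do last=$w; done; fi
    printf '%s\n' "$(lowercase_alnum "$(printf '%s%.1s' "$first" "$last")")"
}

# login_taken NAME PASSWD_FILE -- true if NAME is already a login in the file.
login_taken() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# login_ok NAME PASSWD_FILE -- true if NAME is within the limit and unused.
login_ok() {
    if [ "${#1}" -gt "$MAX_LOGIN_LEN" ]; then
        echo "$1: longer than $MAX_LOGIN_LEN characters" >&2
        return 1
    fi
    if login_taken "$1" "$2"; then
        echo "$1: already defined in $2" >&2
        return 1
    fi
    return 0
}

# suggest_login "FULL NAME" PASSWD_FILE -- first acceptable candidate, else fail.
suggest_login() {
    for cand in "$(login_initials "$1")" "$(login_firstlast "$1")"; do
        if login_ok "$cand" "$2"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no usable login for '$1'; choose one by hand" >&2
    return 1
}

# Constructed /etc/passwd sample (bjclinton is already taken).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
stevem:x:20001:101:Steve Maxwell's Account:/homes/stevem:/usr/bin/bash
bjclinton:x:20003:101:Bill Clinton:/homes/bjclinton:/bin/sh
EOF

suggest_login "Bill Jefferson Clinton" "$SAMPLE_PASSWD"   # bjclinton rejected -> billc
suggest_login "Steve Maxwell" "$SAMPLE_PASSWD"            # -> smaxwell
```

Both rejections are reported on standard error, so an administrator sees why a convention was skipped instead of silently getting a name that admintool would refuse or that belongs to someone else.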


Enter the User ID
This field represents the identification number associated with the User Name
field; the application obtains the next available number. This number is used to
track the activity and to associate which files this particular account owns.

Enter the Primary Group ID


Input the primary group for which this account will be a member. Either the
group name or ID number can be used. Groups are used to define a class of
users that may have something in common. Groups can help control access to
both programs and other files on the system. For example, users from the same
department or those that perform the same type of job may be members of the
same group, where they need access to one or more text or database files. On a
new system, only a small handful of standard groups are defined and are usually
related to system groups. As a result, you will need to create additional user
groups when additional groups are needed. See below for additional information
on group creation.
If you have additional groups defined on the system and the user should
have one or more secondary groups defined by the account, simply list them
in the Secondary Groups text box. The purpose of secondary groups is to
further provide user access to additional groups, since each UNIX account
may only have one primary group membership. Note that in both the Primary
Group and Secondary Group text boxes, an integer is required, not the string
name of the group.


Enter a Comment about the Account
Every account can have some associated free text that can be used to explain
the purpose of the account or establish the true identity of the account holder.
Since this field is simply a string of text, any important information may be
included. For example, the field is often used to store the real full name of
the account holder, such as Steve Maxwell’s Account or The
Department’s Pager Account.

Select a Login Shell
The Login Shell field is used to specify which command interpreter should be
started when the user logs in to the system. The selection list contains four
different choices: Bourne, C, Korn shells, and Other. Using the Other classification
permits the inclusion of the path name of an alternative shell. The administrator
simply inputs the location of the shell.


Select the Desired Password Option
The admintool program permits the administrator to control the access to the
account with one of four options as listed and defined in Table 3-2.
Simply choosing the default (thus, no change to the selection field is
needed), Cleared Until First Login, means that once the user has logged into
the system for the first time, they will be required to change their password
before general access to the system is granted. This option is most useful
because it permits the administrator to define a standard temporary password
for each user—and once the user has accessed the system, they will change
their password to their own liking. Note that should the administrator wish to
disable a UNIX account, they simply update the Password text field with the
Account Is Locked option. This will stop the account from being accessed
because it alters the password information. When the user attempts to access
this account with this option, they get a permission denied response.

Input the Home Directory Path
The remaining element that needs to be included is the path to the user’s home
directory. This is the location on a file system where the user will store files and
obtain account configuration information. Note that a Create Home Dir check
box has been provided if the directory doesn’t presently exist.

Selecting the OK Button Will Create This UNIX Account
Any errors will be displayed in a separate dialog box.
Please note: Many administrators copy certain environmental configuration
files to the user’s home directory at this point. These configuration files may
include, for example, a startup file for the shell and other installed utilities.
Also, the system recognizes special initialization files, which can be used to
customize the user’s environment. Among these files are the .login and
.profile files, for example. The .login file is one of the first configuration
files executed when the user first logs in to the system. The .profile file
contains a free format of text that can be used to describe more about the user
of the account, such as the projects they are working on and other related
information. Using the UNIX finger command will display the contents
of the .profile file associated with the user.

Table 3-2

Account Security Options

Account Option               Meaning
Cleared Until First Login    No password is assigned to the account until the user first
                             logs in to the system and is prompted automatically for a
                             password.
Account Is Locked            Disables access to the UNIX account.
No Password – Setuid Only    No password is assigned to the account, which is generally
                             not used.
Normal Password              The admintool prompts for a standard password when
                             the account is created.

UNIX Account Example
The following section has been provided to further demonstrate using
admintool to add a new user to the system. Figure 3-3 shows the Admintool:
Add User window with the required text fields filled in.

Figure 3-3

Sample UNIX account

As you can see, the account called stevem has been entered with all the required
and associated fields completed. Note the use of the Other category for the
login shell. In this case, the user has been set up to use the bash shell instead
of the other available shells.
We can verify to make sure that the stevem account has been added to
the system as expected. Execute the following command to list the account
information:
# grep stevem /etc/passwd /etc/group

The grep command searches the string stevem in both the /etc/passwd
and /etc/group files. If the user account was added successfully, the following
output should be displayed and should match the information that was displayed
in Figure 3-3.
/etc/passwd:stevem:x:20001:101:Steve Maxwell's Account:/homes/stevem:/usr/bin/bash
/etc/group:betagrp::104:stevem

Also, you can inspect that the home directory was created as well. Thus,
to determine that a directory exists, type the following:
# ls -ald /homes/stevem
drwxr-xr-x   2 stevem   dev          512 Oct 22 13:01 /homes/stevem

Using the -d option of the ls command, you can show a directory without
having to issue the change directory command (cd) or list the contents of it. As
you can see, the directory is owned by stevem, and the group ownership is
configured to be dev, which matches our sample account.

Modifying a User
The admintool is also used to make a variety of changes to user accounts that
have already been established on the system. To make a modification to an
existing account, do the following:
1. Select an account name from the scrollable list and access the Modify…
menu item from the Edit Menu.
2. Or, double-click the account name.
Once done, the user account information will be displayed in a new window
labeled Admintools: Modify User. Just about all account information can
be altered using this window. However, the one notable exception is the
User ID field. Figure 3-4 shows an example account named billc. As
you can see, the User ID field is not editable and thus can’t be altered
using admintool.
3. Make the necessary modification(s).
4. Select the OK button to save the changes.

If you want to actually alter the user ID of an existing account, you will have
to edit the /etc/passwd file directly by hand. However, if the account is new,
another approach is that you can delete the user from the system and reenter
the account information using the new user ID. This is considered bad
practice if the account was older and contained existing files, and you just
randomly changed this account information. Since the ownership of any
existing files would remain with the older user ID, the administrator would
have to change the ownership of these files to reflect the new user information.

Deleting a User
Deleting an existing user is very easy. However, care should be taken when doing
so since the admintool has the capability of removing the user’s directory.
To remove a user, do the following:
1. Select an account name from the scrollable list and access the Delete
menu item from the Edit menu.
2. You will be presented a dialog box, as shown in Figure 3-4.

Hint

Exercise extreme caution when removing users; as an important step in
account removal, backing up home directories to secondary storage is a
requirement. Even if you have a relatively new backup, it is very important
that a fresh copy be made to capture any files/directories that have been
modified after the last backup was taken.

Figure 3-4

Delete User warning message

Clicking the Delete button will remove the account entry from the system.
Also, if you select the Delete Home Directory check box, the home directory
will be removed as well.
3. Once you have determined that, in fact, the account has been backed up
and can be removed, select the Delete button.
If you choose to remove an existing account without deleting the home
directory, then the home directory and any files underneath will be owned by the
user that assumes the previous user’s ID or just the user ID number. For example,
consider the account name of billc with the user ID of 20002. Before the
account is removed, the directory and associated files might look like this:
# ls -al /homes/billc
total 1370
drwxr-xr-x   2 billc    exec        512 Oct 22 15:30 .
drwxr-xr-x   4 root     other       512 Oct 22 15:29 ..
-rw-r--r--   1 billc    exec        338 Oct 22 15:30 .login
-rw-r--r--   1 billc    exec        582 Oct 22 15:29 .profile
-rw-r--r--   1 billc    exec     192411 Oct 22 15:29 figure3_1
-rw-r--r--   1 billc    exec     230477 Oct 22 15:29 figure3_2
-rw-r--r--   1 billc    exec     230477 Oct 22 15:29 figure3_3
-rw-r--r--   1 billc    exec        338 Oct 22 15:29 sig

However, after the account has been removed (but not the home directory),
the files will now look like this:
# ls -al /homes/billc
total 1370
drwxr-xr-x   2 20002    exec        512 Oct 22 15:30 .
drwxr-xr-x   4 root     other       512 Oct 22 15:29 ..
-rw-r--r--   1 20002    exec        338 Oct 22 15:30 .login
-rw-r--r--   1 20002    exec        582 Oct 22 15:29 .profile
-rw-r--r--   1 20002    exec     192411 Oct 22 15:29 figure3_1
-rw-r--r--   1 20002    exec     230477 Oct 22 15:29 figure3_2
-rw-r--r--   1 20002    exec     230477 Oct 22 15:29 figure3_3
-rw-r--r--   1 20002    exec        338 Oct 22 15:29 sig

(Callout: billc replaced with 20002.)

The reason for this is that within UNIX, the ownership of the directories and
files use the user identification number—not the name—and in this case, 20002
is the numerical identification for the account billc. UNIX maps the name of
the account with the defined user ID within the /etc/passwd file. So, when
this mapping is broken—that is, the account name has been removed from the
/etc/passwd file—UNIX no longer knows how to map the name and just
displays the actual account ID instead. Note also that the group name remains
intact. However, should we remove the exec group from the /etc/group file,
we would encounter a similar mapping problem where only the group ID number
will be displayed.
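Because ownership is recorded as a number, a deleted account leaves files that no name resolves to, and a later account that happens to be given the same UID inherits them. The shell functions below are an added example, not from the book, for finding such files from a listing of owner UIDs: the passwd file and the listing are constructed, and the function and variable names are this example’s own. On a live system the listing would come from the POSIX find option for exactly this case, find /homes -nouser -print, or from ls -n.

```shell
# orphan_owners PASSWD_FILE
#   Reads "UID PATH" lines on stdin and prints every line whose UID has no
#   entry in PASSWD_FILE (UID is the third colon-separated passwd field).
orphan_owners() {
    awk -F: '
        NR == FNR { known[$3] = 1; next }      # first input: the passwd file
        {
            split($0, f, " ")                   # listing lines: "UID PATH"
            if (!(f[1] in known)) print $0
        }' "$1" -
}

# uid_to_name UID PASSWD_FILE -- the login for UID, or "(unknown)" when
# the mapping the text describes is broken.
uid_to_name() {
    awk -F: -v u="$1" '
        $3 == u { print $1; found = 1; exit }
        END { if (!found) print "(unknown)" }' "$2"
}

# Constructed /etc/passwd after billc (UID 20002) has been removed.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
stevem:x:20001:101:Steve Maxwell's Account:/homes/stevem:/usr/bin/bash
EOF

# Constructed "UID PATH" listing of /homes, as find -printf or ls -n might show it.
SAMPLE_LISTING='0 /homes
20002 /homes/billc
20002 /homes/billc/.login
20002 /homes/billc/.profile
20001 /homes/stevem/.profile
20002 /homes/billc/sig'

sample_orphans() {
    printf '%s\n' "$SAMPLE_LISTING" | orphan_owners "$SAMPLE_PASSWD"
}

sample_orphans
echo "UID 20001 resolves to: $(uid_to_name 20001 "$SAMPLE_PASSWD")"
echo "UID 20002 resolves to: $(uid_to_name 20002 "$SAMPLE_PASSWD")"
# The remedy the text describes is to hand the files to their new owner
# (chown -R newowner /homes/billc) before that UID is reused for anyone else.
```

Running the check right after each deletion, and again before a freed UID is handed out, keeps the orphaned-file set from silently becoming someone else’s property.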

Adding a New Group
The primary purpose of a group is to associate similar users together to
make it easier for those users to share information. Groups are defined with
the /etc/group file and contain a mapping between a group name and all
members of that particular group. To create a new UNIX group, do the following:
1. Select the Groups menu item from the Browser menu. A list of defined
groups will be displayed in a scrollable list, as shown in Figure 3-5.
2. Select the Add menu item from the Edit menu. At this point, a new
window appears labeled Admintool: Add Group, as shown in Figure 3-6.
This window contains three text boxes: Group Name, Group ID, and
Members List. All of the text fields must be filled in before a new group may
be added to the system. Note that the Group ID field has been automatically
updated with the next-higher numeric value as derived from the /etc/group file.

Figure 3-5

Admintool Groups window

Enter the Group Name
The group name is simply the name of the group you wish to define. Like the
UNIX account name, the group name is also limited to just eight characters.
The group name can be any string that represents a collection of users. For
example, the group name of devel can represent the development staff within
a particular department. Choose a group name and enter the string within the
Group Name text box.

Figure 3-6

List of Groups window

Accept the Default Group ID Number
or Alter It to Match Your Requirements
The group ID number can range from 1 to 2137483647. In practice, the
number of groups defined on a given system can be quite small—say, fewer
than 100. Therefore, it is reasonable to start numbering group IDs after the
100 starting point.

Input the Group Members
The Members List text box is used to input all the existing account names that
should be a part of this group. You must use commas to separate each of the
account names. Please note that Admintool is quite finicky about the use of
white spaces when more than one string is supplied. As a result, when inputting
more than one account name, don’t include spaces between the names. For
example, consider the following group member lists:
Wrong:
Members List: stevem, anitat, irinav,samyu

Correct:
Members List: stevem,anitat,irinav,samyu

If you use spaces when entering multiple strings, Admintool will display
an error message similar to that shown in Figure 3-6. Just click the OK button
and remove the spaces between each group name.
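The white-space rule, and the requirement that every member be an existing account, can be checked before the list is submitted. The shell function below is an added example, not the book’s or Admintool’s own code: it rewrites a Members List string into the form Admintool accepts and confirms each name against a passwd file, which here is a constructed sample.

```shell
# normalize_members "LIST" PASSWD_FILE
#   Prints LIST with all white space removed and empty entries dropped,
#   i.e. the comma-only form Admintool accepts. Each name is looked up in
#   PASSWD_FILE; unknown names are reported on stderr and the function
#   returns 1 so a calling script does not submit a bad list.
normalize_members() {
    list=$(printf '%s' "$1" | tr -d ' \t')
    out=""; rc=0
    save_ifs=$IFS; IFS=,
    for member in $list; do
        if [ -z "$member" ]; then continue; fi            # tolerate "a,,b"
        if awk -F: -v n="$member" '$1 == n { f = 1 } END { exit !f }' "$2"; then
            out="${out:+$out,}$member"
        else
            echo "not a defined account: $member" >&2
            rc=1
        fi
    done
    IFS=$save_ifs
    printf '%s\n' "$out"
    return "$rc"
}

# Constructed /etc/passwd sample holding the four accounts from the text.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
stevem:x:20001:101:Steve Maxwell:/homes/stevem:/usr/bin/bash
anitat:x:20004:101:Anita T:/homes/anitat:/bin/sh
irinav:x:20005:101:Irina V:/homes/irinav:/bin/sh
samyu:x:20006:101:Sam Yu:/homes/samyu:/bin/sh
EOF

# The "Wrong" list from the text comes out in the "Correct" form.
normalize_members "stevem, anitat, irinav,samyu" "$SAMPLE_PASSWD"
```

A name that is not in the passwd file is the other common reason a group entry goes wrong, and it is easier to catch here than by reading the resulting /etc/group line afterwards.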

Figure 3-7

Admintool error regarding white spaces


Modifying a Group
Making changes to a group is similar to making changes to an established
UNIX account name. To make a modification to an existing group, do the
following:
1. While the groups are being displayed within the Admintool
main window, select a group name from the scrollable list and
access the Modify menu item from the Edit menu.
2. Or, double-click the group name.
3. Modify the group member information.
4. Apply the changes.

Deleting a Group
Deleting an existing group is also similar to deleting an existing UNIX account. As
an added safeguard, just like deleting an existing UNIX account, Admintool
prompts before actually deleting a predefined group.

1-Minute Drill

● Why is the Cleared Until First Login option useful when
creating new UNIX user accounts?
● What is the important step to take before deleting a user?

● It is useful because it permits the administrator to define a standard temporary password for each user—
and once the user has accessed the system, they will change their password to their own liking.
● Back up all the associated files and directories for the user.

3.2 Manage Linux Accounts
with Userconf
Based on the X-Windows system, the userconf tool provides a GUI facility
for managing both user and group accounts on a Linux system. This tool can
be invoked two ways. First, it can be started from the linuxconf application.
Clicking the Users Account selection tab will start the userconf tool. The
second way is from the command line. To start this application, issue the
following command:
userconf&


Using either approach, the userconf application window will appear.
Shown in Figure 3-8, this main window contains four selection tabs and several
functional buttons, and is labeled User Account Configurator. The tabs include
Normal, Special Accounts, Email Aliases, and Policies. The Normal tab, which
is shown by default, provides access to create what are considered normal UNIX
users and groups. Also, the root account password can be changed.
The Special Accounts tab is used to create application-specific or special
accounts such as PPP/SLIP, UUCP, and POP accounts for mail. They are special
because they are used for a particular purpose to support a system service,
unlike general login accounts. The Email Aliases tab is used to set up aliases
for electronic mail such as with sendmail. The Policies tab provides
access to define UNIX account policies such as the default base for home
directories and minimum length for passwords.

Add a New User
To add a new user to the system, use the following procedure:

Click the User Accounts Button
This is next to the single penguin. Once this is done, a new window is displayed
as shown in Figure 3-9.


Figure 3-8

Main userconf window


Figure 3-9

Users Accounts window

Click the Add Button on the Users Accounts Window
This is the middle button located at the bottom of the window. When you click
it, another window called the User Account Creation window is presented, as
shown in Figure 3-10.

Hint

This window contains four selection tabs: Base Info, Params, Mail Settings,
and Privileges. The Base Info tab is used to begin the login creation process.

Input the UNIX Login Name
The login name is the name of the UNIX account, which should represent the
name of the user or purpose of the account. Typically, the name may contain
letters of the alphabet and numbers, and is usually limited to eight characters
in length. Many sites use the first initial, middle initial, and last name for the
account name if it represents an actual person. Thus, George W. Bush would
have the associated UNIX login of gwbush. If the total number of users on
the system is quite small, it is possible to simply use the first name of the user
as the account name. Obviously, if a site has more than one person named
george, this approach will be a problem. As an alternative, the first name
plus last name initial could be used. So, using our previous example, the new
account would be georgeb. This approach has been used at many sites. If the
account doesn’t represent a real person—but a group, for example—then names
like support, sales, or eng may be acceptable. Bear in mind that group
type accounts, where multiple individuals share a single account, are not a very
good way to go since you lose the ability to know for certain who is really using
the account at any given time.

Figure 3-10

User Account Creation window


Hint

Some of the fields within the User Account Creation window are optional, as
depicted with the (opt) string next to the text box label. If you leave these
fields blank, they will be assigned default or appropriate values. For example,
if you leave the Home Directory field empty, the default base directory of
/home plus the username will be used instead. The default home directory
base can be altered under the Policies tab.

Add the Full Name of the User
The Full Name field represents the actual name of the account holder. This field
corresponds to the Comment field within the password file. Every account can have
some associated free text that can be used to explain the purpose of the account or
establish the true identity of the account holder. Since this field is simply a string of
text, any important information may be included. For example, the field is often
used to store the real full name of the account holder, such as James Bond’s
Account or The MIS department’s Pager Account.

Select the Account Group
Select the primary group for which this account will be a member using
the pop-up menu. Groups are used to define a class of users that may have
something in common. Groups can help control access to both programs and
other files on the system. For example, users from the same department or
those that perform the same type of job may be members of the same group,
where they need access to one or more text or database files. On a new system,
only a small handful of standard groups are defined and are usually related
to system groups. As a result, you will need to create additional user groups
when additional groups are needed. See the following section for additional
information on group creation.

Add Additional Group Memberships
If you have additional groups defined on the system and the user should have
one or more secondary groups defined by the account, simply list them in the
Supplementary Groups text box. The purpose of secondary groups is to further
provide user access to additional groups since each UNIX account may only
have one primary group membership.

Add the Home Directory
This field defines the location of the home directory for the user. This is the
location on a file system where the user will store files and obtain account
configuration information.


Select the Login Shell
The Command Interpreter field is used to specify which command shell
should be started when the user logs in to the system. The selection list contains
several different choices that include /bin/bash (bash shell), /bin/sh (Bourne
shell), and /bin/csh (C shell). If you have an alternative shell, you can simply
input the absolute path in the text box.

Input the User ID
This field represents the identification number associated with the login name
and the application obtains the next available number. This number is used to
track the activity and to associate which files this particular account owns.

Hint

If you want to disable a newly created account, deselect the The Account Is
Enabled selection box. This action causes the userconf tool to place a login
expiration date within the /etc/shadow file.
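Both the Solaris password options in Table 3-2 and the userconf expiration date above leave their mark in the second and eighth fields of the shadow file, which makes them auditable. The shell function below is an added example, not from the book or either tool, that classifies shadow-format entries. It assumes the marker conventions that Solaris and Linux use: Solaris writes *LK* at the start of the password field for a locked account and NP for accounts that cannot log in with a password, Linux prefixes a locked hash with !, an empty field means no password at all (the "No Password – Setuid Only" state), and field 8 is the expiry day counted in days since 1970-01-01. The sample entries, including the hashes, are constructed.

```shell
# audit_shadow TODAY
#   Reads shadow entries on stdin; TODAY is the current day number in the
#   units field 8 uses. Prints "login STATUS" for every entry.
audit_shadow() {
    awk -F: -v today="$1" '
    {
        pw = $2; expire = $8; status = "ok"
        if (pw == "")                           status = "NO-PASSWORD"   # logs in without one
        else if (pw ~ /^\*LK\*/ || pw ~ /^!/)   status = "LOCKED"        # Solaris *LK*, Linux !
        else if (pw ~ /^\*/ || pw == "NP")      status = "NO-LOGIN"      # password auth impossible
        if (expire != "" && expire + 0 <= today + 0)
            status = status ",EXPIRED"
        print $1, status
    }'
}

# Constructed /etc/shadow sample; day 11620 stands in for "today".
SAMPLE_SHADOW='root:$1$constructedhash$:11600::::::
stevem:$1$constructedhash$:11600::::::
pager:*LK*:11600::::::
setuidsvc::11600::::::
billc:$1$constructedhash$:11600:::::11610:
gwbush:!$1$constructedhash$:11600:::::11610:
daemon:NP:6445::::::'
TODAY=11620

audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$TODAY"
}

# needs_attention -- every entry that is not plainly "ok": the lines to
# review after a round of account changes. NO-PASSWORD is the one that
# matters most, since anyone can log in as that account.
needs_attention() {
    audit_sample | awk '$2 != "ok"'
}

needs_attention
# On a live system, as root:
#   audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

An account that userconf has disabled shows up as EXPIRED rather than LOCKED, which is worth knowing when the two tools are used on different hosts: the effect on login is the same, but the evidence in the shadow file differs.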

Click the Accept Button.
You will then be prompted for the account password when the Changing
Password dialog box is displayed, as shown in Figure 3-11.

Enter the Password
Enter the password for this account. If no errors occurred, the new account will
be added to the list of accounts within the Users Accounts window.

Figure 3-11

The Changing Password dialog box


Modifying a User
The userconf tool can be used to make a variety of changes to user accounts
that have already been established on the system. To make a modification to an
existing account, do the following:
1. Click on the User Accounts button in the User Account Configurator main
window. The User Accounts window that contains a list of the defined
users will be displayed, as in Figure 3-12.

Figure 3-12

User Account Configurator window

2. Select the account you wish to modify by clicking it. A new window
displaying the account information is displayed, as shown in Figure 3-13.
In this example, the user account sjmaxwell has been selected.
3. Make the appropriate account change and then click the Accept button.
For instance, change the default login shell to /bin/csh.

Figure 3-13 User information for the sjmaxwell account

Delete an Existing User
To delete an existing user from the system, use the following procedure:
1. Click on the User Accounts button in the User Account Configurator
main window.
2. Click the account entry in the User Accounts window that you wish to
delete. By way of example, assume we would like to remove the gwbush
account. Clicking a user account causes the User Information window to
appear, as shown in Figure 3-14 for that account.

Figure 3-14 User Information window

3. Click the Del button and another window asking for more information
about how to delete the account will be displayed, as shown in Figure 3-15.
In the example, the account of gwbush will be deleted.
The Delete Account window contains three selection items: Archive the
Account’s Data, Delete the Account’s Data, and Leave the Account’s Data in
Place. The default, Archive the Account’s Data, will make a copy of the files
stored in the home directory and the mailbox file of the user and then delete
the account. The userconf tool builds a compressed tar archive of the
home directory (and contents) and places it in the /home/oldaccounts
directory.
The Delete the Account’s Data option will delete the home directory and
all associated files and then delete the account. The Leave the Account’s
Data in Place option will not touch the home directory or its contents,
but will delete the account from the system.
4. Select the desired account deletion option and then click the Accept
button.

Figure 3-15 Delete Account window

Adding a New Group
The primary purpose of a group is to associate similar users together to
make it easier for those users to share information. Groups are defined with
the /etc/group file and contain a mapping between a group name and all
members of that particular group. To create a new UNIX group, do the following:
1. Click the Group Definitions button located on the User Account
Configurator main window. As a result, a list of groups defined
on the system will be displayed, as shown in Figure 3-16.
2. Click the Add button and a new window, labeled the Group Specification
window, is displayed, as shown in Figure 3-17.

Figure 3-16 User Groups window

Figure 3-17 Group Specification window

This window contains three text box fields: Group Name, Group ID, and
Alternate Members. The group name is simply the name of the group you
wish to define. Like the UNIX account name, the group name should be
limited to just eight characters. The group name can be any string that
represents a collection of users. For example, the group name of eng
can represent the development staff within a particular department. The
Alternate Members field is used to contain additional UNIX users that are
members of the group.
3. Type the name of the new group in the Group Name text box.
4. You can accept the default group ID or type a new value. If you input a
new value, make sure that it doesn’t conflict with any existing groups.
5. Add additional UNIX account names to the new group using the Alternate
Members field. For instance, in Figure 3-18 the group name devel is
defined with two members: gwbush and smaxwell.

Figure 3-18 The Group devel name is defined.

1-Minute Drill
● By default, what does the Linux userconf tool do with user data
when you delete a user account?
● What is the limit for username and group name length?

● The userconf tool makes a copy of the files stored in the user’s home directory and mailbox file. It builds a
compressed tar archive of the home directory (and contents) and places it in the /home/oldaccounts
directory.
● Eight characters.

3.3 Manage HP-UX Using SAM
The sam system management tool provides a one-stop shopping experience for
the system administrator. It supports both the standard X-Windows interface
and also the regular terminal interface. Thus, it can be used with or without a
GUI, which makes this a very powerful application. The software contains a large
number of functions that help with a large variety of system administration
tasks. However, this section will review only user administration.
To run sam in the X-Windows mode and to display the console window
on the networked host called ts-hp6, issue the following command:
sam -display ts-hp6:0.0 &

If you want to run using the standard non-GUI, just issue the following
command:
sam

When this program is run in X-Windows mode, it displays the main sam
window, as shown in Figure 3-19.

Figure 3-19 Main sam application window

This main sam window contains four menu items and a number of icons.
The icons represent functional modules or component areas, and double-clicking
the icons will access the feature or function. The functions of the menu items
are listed in Table 3-3.

Add a New User
To add a new user to the system, use the following procedure:
1. Click the Accounts for Users and Groups button from the main sam
window. Once this has been done, a new screen is displayed as shown
in Figure 3-20.
2. Click on the Users icon and then another new window is displayed as
shown in Figure 3-21. This window shows a list of all the defined users
on the system.
3. Select the Add… item from the Actions menu. This will cause the Add a
User Account window to be displayed, as shown in Figure 3-22. Notice
that much of the account information has been filled in on the window
using the system defaults.
4. Input the name of the account in the Login Name field. Optionally, you
can add additional information about the account such as the real user’s
name, office location, and so forth. This information is added to the
optional fields listed at the bottom of the window.

Table 3-3 The sam Main Menus

Menu Item   Meaning
File        Search sam for a specific string, and the Exit item to close the application.
View        You can change the views of the window by altering the columns. You can also sort and view by name or icon if desired.
Options     Provides access to the sam log, controls logging options, and refreshes the display.
Actions     Contains item-specific actions that can be done against selected objects. Also provides access to application customization functions.

Figure 3-20 Group/Users window

Figure 3-21 List of UNIX accounts

Figure 3-22 New User Account window

5. By default, the home directory is taken from the account name, which is
added to the /home entry automatically. Also, the default behavior of sam
is to create the home directory for the user.
6. If you want to change the primary group for this user, type in the group
name or select the group by clicking the Primary Group Name button and
then selecting the appropriate group entry.
7. If you want to change the default login shell, type in the new shell path
and name or select the shell by clicking the Start-Up Program button and
then selecting the appropriate shell entry.
8. Add a password to the account by clicking on the Set Password Options
button. This action will cause a dialog window to be displayed, which is
shown in Figure 3-23.

Figure 3-23 Password Dialog window

Type the new password in the Password field. Note the password won’t
be echoed or displayed on the screen when you are typing. Click the OK
button and then you will be prompted to confirm the new password by typing
it in again. Click the OK button when you have entered the password for the
second time.
Assuming that no errors were encountered when the account was added to
the system, sam will display a dialog box showing the confirmation of the new
account, as shown in Figure 3-24.
Once the account has been added to the system, the list of UNIX accounts
will be updated to include the new account. For instance, when the smaxwell
user was added, this name appeared in the account list, as shown in Figure 3-25.

Figure 3-24 New account confirmation

Figure 3-25 The smaxwell account is displayed in the account list.

Modifying a User
The sam application can be used to alter an existing UNIX account. To make a
change to a user, do the following:
1. Click the Accounts for Users and Groups button from the main sam
window. When the list of accounts appears, select the account and access
the Modify menu item from the Actions menu.
2. A new window is displayed that contains detailed information about the
account you selected. Figure 3-26 shows detailed information for the
smaxwell account.
3. Make the appropriate account changes.
4. Save the changes by clicking the OK button.

Figure 3-26 Detailed account information

Delete an Existing User
To delete an existing user from the system, use the following procedure:
1. Select the user you want to delete from the list of accounts contained in
the Accounts for Users and Groups window (shown in Figure 3-25).
2. From the Action menu, select the Remove menu item. The Remove a User
dialog window is shown in Figure 3-27.

Hint

Exercise extreme caution when removing users. Backing up the user’s home
directory to secondary storage is a required step in account removal.
Even if you have a relatively new backup, it is very important that a fresh backup
be made to capture any files/directories that have been modified since the last
backup was taken.

Figure 3-27 Remove a User window

This window permits the system administrator to have more exact control
over the user’s home directory when the account is removed from the
system. The window contains four choices that include leaving the home
directory untouched (Left Where They Are), deleting the home contents
only (Removed from User’s Home Directory Only), removing all of the user’s
files on the system (Removed from All Local File Systems), and
assigning the files to another user (Assigned to Another User).
If you select Removed from User’s Home Directory Only, then only
the files and subdirectories from the home directory will be removed,
but not other files contained in other directories or other file systems.
Selecting Removed from All Local File Systems means that all files
owned by the user will be deleted from the system, regardless of where
the files are located. If the Assigned to Another User item is selected, a
new field is added to the window to permit you to add the name of the
user that should be assigned the files from the deleted user. This is shown
in Figure 3-28 and, as you can see, you can input the username or select it
from a list of defined users by clicking the New Owner button.
3. Click the OK button and the note, as shown in Figure 3-29, will be
displayed, showing that the removal of the account has been done.

Figure 3-28 Remove a User window

Adding a New Group
To create a new UNIX group, do the following:
1. Click the Accounts for Users and Groups button from the main sam
window.
2. Click on the Groups icon and then another new window is displayed,
as shown in Figure 3-30. This window shows the list of all the defined
groups on the system.

Figure 3-29 Removal Confirmation window

Figure 3-30 Defined Groups window

3. When the list of defined groups appears, select the Add menu item
from the Actions menu; a new window is displayed, which is depicted
in Figure 3-31.
4. Input the new group name in the Group Name field.
5. Accept the default group identification number, or input a new value.
Make sure that the new value added doesn’t conflict with any existing
groups already defined on the system.
6. As an option, you can add existing users to the new group by selecting
users from the list of defined users.
7. Click OK to save the new group.
8. Assuming no errors have occurred, a confirmation window will be
displayed, as shown in Figure 3-32, stating that the group was added
successfully.

Figure 3-31 New Group window

Deleting an Existing Group
To delete an existing group from the system, use the following procedure:
1. Select the group you want to delete from the list of groups contained in
the Accounts for Users and Groups window (shown in Figure 3-30).
2. From the Action menu, select the Remove menu item. The Remove
Selected Group dialog window is shown in Figure 3-33.

Figure 3-32 Group Confirmation window

When deleting a group, you must determine the consequences should files
or directories use this group definition. The Remove Selected Group window
contains three options: Leave the files that use the group untouched (Left
Undisturbed), reassign each file with the primary group of the user (Reassigned
to Primary Group of Each File’s Owner), and assign the files to a new group
(Reassigned to a Specified Group). If you leave the files untouched and remove
the group, the group’s identification number will be used when group
information is displayed.
3. Choose the appropriate action when the group is removed or simply
accept the default, which is the Left Undisturbed item.
4. Click the OK button and then dismiss the Group Confirmation window.

Figure 3-33 Remove the Group support window

3.4 Set Up Better Account Security
In certain situations and computing environments, it may be necessary to have
the users change their passwords on a more frequent basis. Often, this may be
a part of a larger security regime that involves addressing security on a much
larger scale. No doubt, forcing users to change their passwords on some regular
basis is important, but one overriding factor is choosing the best frequency to
do this. Obviously, changing passwords, say, every week is quite excessive.
Equally unreasonable is permitting users to have the same passwords for many
years. A balance must be struck between maintaining a reasonable level of
security and total chaos. The answer will ultimately depend on the environment,
the view of key management, and the system administrator. The best approach
to account security is to set up a policy and enforce that policy with specific
procedures. For example, assume your policy states that every 90 days all
individual account passwords must be changed. As a result, you would use
admintool, userconf, or sam to configure accounts accordingly.
Each provides flexible control over how the administration of account
passwords is handled. In particular, you can control the expiration of passwords
for individual user accounts, disable one or more accounts, place boundaries
over the use of accounts, and warn the user of pending password changes.

Ask the Expert
Question Why is forcing the users to change their passwords on
a regular basis important?
Answer If users use the same password a long time without changing
it, this increases the chance their password will be compromised either
accidentally or through others intentionally trying to gain unauthorized
access to their account.

Expiring a Password Using Admintool
To control the expiration of an account password, thus forcing the user to
change the password the next time they log into the system, do the following:
1. Select an account name from the scrollable list and access the Modify
menu item from the Edit menu.
2. Or, double-click the account name and the Admintool: Modify User
window will be displayed.
3. The expiration date for an account can be selected from the Expiration
Date option boxes. The format is day, month, and then year. Use the
mouse to select each of the items until you have a valid date. Also, you
can warn the user ahead of the expiration by adding a positive number in
the Warning text box. This will give the user a “heads up” that they will
need to change their password in the near future. Figure 3-34 shows the
stevem account, which has been configured to expire the password on
October 22, 2002.

Expiring a Password Using Userconf
To control the expiration of an account password, thus forcing the user to
change the password the next time they log into the system, do the following:
1. Select the account you wish to expire from the list of defined UNIX
accounts shown in the Users Accounts window, which is reached from the
User Accounts button on the main userconf window.
2. Select the Params tab from the User Information window.
3. Input the desired number of days to expire the password in the Must
Keep # Days field, as shown in Figure 3-35.
4. De-select the Ignored item.
5. Click the Accept button.

In the example, the number of days entered was 30. This means that 30 days
from the current date, the system will prompt for a new password automatically.

Figure 3-34 Modify User window with expiration of password

Expiring a Password Using SAM
To control the expiration of an account password, thus forcing the user to
change the password the next time they log into the system, do the following:
1. Select an account name from the scrollable list, which is found from the
Accounts for Users and Groups window, and select the Modify option
from the Action menu.
2. Click the Set Password Options button on the User Account window.
A new window is displayed, as shown in Figure 3-36.

Figure 3-35 Params panel

3. Select Enable Password Aging from the Password Options field if it is not
already selected.
4. Enter the expiration time in the Password Expiration Time (1-63 weeks)
field that you require for this account. In this example, two weeks was
entered.
5. Click the OK button to dismiss this window and accept the change.

Figure 3-36 Password Options window

Regular Password Changes Using Admintool
To incorporate automatic password aging for user accounts, do the following:
1. Select an account name from the scrollable list and access the Modify
menu item from the Edit menu.
2. Or, double-click the account name and the Admintool: Modify User
window will be displayed.
3. Enter the number of days that represents the period of time for the
password to expire in the Max Change field. For example, if you want
the password to be changed every 60 days, enter 60 in this field, as
shown in Figure 3-37.
4. Enter the number of days to warn the user about the impending
password change.
5. Click the OK button to save this change.

Figure 3-37 Modify User window with 60-day expiration

Regular Password Changes Using Userconf
To set up automatic password aging for user accounts, do the following:
1. Select the account you wish to change from the list of defined UNIX
accounts shown in the Users Accounts window, which is reached from the
User Accounts button on the main userconf window.
2. Select the Params tab from the User Information window.
3. Input the number of days after which the password must be changed in
the Must Change After # Days field.
4. Figure 3-38 shows the value of 45 in this field, which indicates that
every 45 days the user will be prompted to change the password.
5. Click the Accept button.

Figure 3-38 Force password change every 45 days

Turning Off an Account Using Admintool
Sometimes it may become necessary to disable one or more accounts so that
those users don’t have access to the system. This might be due to an employee
leaving the company or department, or even because they simply haven’t used
the system in such a long time that you might need to investigate if they should
have an account at all.
To disable an existing account, do the following procedure:
1. Select an account name from the scrollable list and access the Modify
menu item from the Edit menu.
2. Or, double-click the account name and the Admintool: Modify User
window will be displayed.
3. From the Password Selection box, select the Account Is Locked item,
as shown in Figure 3-39. In the example, the account named billc has
been locked.
4. Select the OK button to save the change.

Hint

When a user attempts to access an account that has been locked, no special
message will appear to the user. Instead, they will simply get a Login Incorrect
message. This is a generic message, which can mean other things as well—for
example, that no account is actually present on the system. It will be up to the
user to request additional information as to the actual reason why the account
no longer functions.

Figure 3-39 Locking the billc UNIX account

Hint

To unlock a locked account, select the Normal Passwd selection item and input
the new password for this account.

Turning Off an Account Using Userconf
To disable an existing account, do the following:
1. Select the account you wish to change from the list of defined UNIX
accounts shown in the Users Accounts window, which is reached from the
User Accounts button on the main userconf window.
2. Click the The Account Is Enabled selection box located on the top of
the User Information window, as shown in Figure 3-40.
3. Click the Accept button.

Figure 3-40 Disabling the smaxwell UNIX account

Hint

To unlock a disabled account, click the The Account Is Enabled selection box.

Automatic Account Expiration Using Userconf
You can automatically expire one or more accounts after some fixed period
of time has elapsed. This means that the system administrator can plan to
have an account disabled in the future. For instance, the account could be
used by a temporary employee that will leave the company after their contract
is complete, and you want to ensure that they no longer have access to the
system. To set up a future expiration date for a UNIX account, do the following:
1. Select the account you wish to change from the list of defined UNIX
accounts shown in the Users Accounts window, which is reached from the
User Accounts button on the main userconf window.
2. Select the Params tab from the User Information window.
3. Input the future expiration date in the Expiration Date
(yyyy/mm/dd) field.
4. Click the Accept button.

In the example, the expiration date of September 1, 2002
(2002/09/01) has been entered, as shown in Figure 3-41. This means
that on this date, the login will not be accessible any longer.

Hint

Another expiration parameter can be entered that includes the number of days
to warn the user before the expiration occurs (Warn # Days Before Expiration).
Also, instead of using a fixed date, you can use the number of future days to
determine when the account should expire. This information is added to the
Account Expire After # Days field.
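As an added example (not from the book), the following POSIX shell script audits shadow-format account records against the kind of policy set through admintool, userconf, and sam in the preceding sections: the 90-day maximum password age from section 3.4, locked accounts, and account expiration dates. It assumes the standard /etc/shadow field layout and the constructed sample records embedded in it; the lock markers it checks for are a leading "!" (Linux) or "*" (Solaris *LK*).

```shell
#!/bin/sh
# Added example, not from the book: audit shadow-format account records
# against a password-aging and expiration policy.
# Assumed field layout (the usual /etc/shadow):
#   name:passwd:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire count days since 1970-01-01; an empty max means the
# password never has to be changed.

# Constructed sample records (hashes are placeholders, not real values).
# Account names follow the book's examples; 11931 is 2002/09/01, the
# expiration date used in the userconf example above.
sample_shadow() {
    cat <<'EOF'
sjmaxwell:$1$c0nstructed$placeholderhash:11900:0:45:7:::
smaxwell:$1$c0nstructed$placeholderhash:11900:0:90:14:::
stevem:$1$c0nstructed$placeholderhash:11900:0:180:7:::
gwbush:!$1$c0nstructed$placeholderhash:11900:0:90:7:::
billc:*LK*:11900:0:90:7:::
temp1:$1$c0nstructed$placeholderhash:11900:0:30:7::11931:
guest:$1$c0nstructed$placeholderhash:11900::::::
EOF
}

# audit_shadow MAXDAYS TODAY   (shadow records on stdin; TODAY in days since epoch)
#   Prints one finding per account:  <status> <account> <detail>
#   LOCKED   password field starts with "!" (Linux) or "*" (Solaris *LK*)
#   EXPIRED  account expiration date is today or already past
#   NOAGING  no maximum password age (empty or 99999)
#   TOOLONG  maximum password age exceeds MAXDAYS
#   OK       within policy
audit_shadow() {
    awk -F: -v policy="$1" -v today="$2" '
        NF < 8 { next }                                  # skip malformed records
        {
            name = $1; pw = $2; max = $5; expire = $8
            if (pw ~ /^[!*]/) {
                print "LOCKED", name, "password field begins with " substr(pw, 1, 1); next
            }
            if (expire != "" && expire + 0 <= today + 0) {
                print "EXPIRED", name, "account expired on day " expire; next
            }
            if (max == "" || max + 0 >= 99999) {
                print "NOAGING", name, "no maximum password age"; next
            }
            if (max + 0 > policy + 0) {
                print "TOOLONG", name, "max age " max " exceeds policy " policy; next
            }
            print "OK", name, "max age " max
        }'
}

# count_status STATUS MAXDAYS TODAY: how many sample accounts received STATUS.
count_status() {
    sample_shadow | audit_shadow "$2" "$3" |
        awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Run against the 90-day policy from the text. 11982 is 2002/10/22, the
# password expiration date used in the admintool example (constructed "today").
sample_shadow | audit_shadow 90 11982
```

On a live system the same function runs as `audit_shadow 90 "$(( $(date +%s) / 86400 ))" < /etc/shadow` by an administrator with read access to the file.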

Figure 3-41 Account Expiration From User Information window

Mastery Check
1. True or False: When using admintool to add group members, include a
space between each member in the list.
2. When you add a new user account named gwsmith in Linux using the
userconf& tool and don’t specify a home directory, what directory will
userconf& use as the home directory?
3. Which window do you use in admintool to set a password expiration date
for a user?
4. In userconf, which tab and window do you use to set up regular password
change intervals for a user?
5. In userconf, which button do you click to open the window to create a
new group?
6. In HP-UX SAM, what are the menu commands to delete an existing user
account?
7. True or False: When using admintool to add new users, admintool
automatically selects the next available user ID.
8. In the User Accounts window in userconf, the __________ field is used to
specify which command shell should be started when the user logs in to
the system.
9. Which of the following is not an option for what to do with the user’s files
when deleting a user account in HP-UX with SAM?
A. Left Where They Are
B. Archive the Account’s Data
C. Removed from ALL Local File Systems
D. Assigned to Another User
10. Which UNIX file contains the list of users for the system?
11. Which UNIX file contains the list of groups and the group members for
the system?

Module 4: Software Package Management Tools

Critical Skills
4.1 Discover Solaris Package Tools
4.2 Discover HP-UX Package Tools
4.3 Discover Linux Package Tools

This module provides an introduction into using the standard package
management tools that are native to the different versions of UNIX. As such,
it provides a step-by-step approach for doing actual package management
functions that include installing, removing, and verifying installed software.
In the early days of UNIX, many of the third-party tools, public domain
software, and commercial applications vendors used to distribute their software
using standard package formats such as tar or cpio. These utilities were great
for handling the archiving of a large number of files, but they failed as a general-purpose software management mechanism. Today, many UNIX system vendors
use package distribution formats to make it easier to move self-contained software
modules from distribution media, such as CD-ROMs, to the system instead of
using tools such as tar. Unfortunately, many of the UNIX vendors support their
own particular format and these are typically not compatible with other vendors’
package structures. As a result, when you purchase a product, say for HP-UX, you
must use the HP-UX installation tools to get the product installed.
Generally speaking, you must use the operating system package utilities to
maintain system level software since many software vendors and public domain
tools support the native package format. However, many public domain tools
generally provide an operating system package and other formats as well. For
example, the SSH secure shell software is available in several package formats,
including for Solaris, HP-UX, and Linux.
Table 4-1 shows a breakdown of the package management tools that are
available for Solaris, HP-UX, and Linux. These individual tools, for each of the
operating systems, are described in the following sections.

Table 4-1 UNIX Software Package Management Tools

Operating System   Installation    Removal      Informational
Solaris            pkgadd          pkgrm        pkginfo
HP-UX              swinstall       swremove     swlist
Linux              rpm --install   rpm --erase  rpm --query

4.1 Discover Solaris Package Tools
The Solaris system provides the basic package tools that include
pkginfo
pkgadd
pkgrm

pkginfo

The package information tool pkginfo is used to list all of the installed
packages on a system or to query information about a package in general,
regardless of whether it has already been installed. This is most useful if you are
not sure whether a particular package is installed or if you want to obtain a
working inventory of the packages installed on a series of machines. You must
have root privileges to execute the Solaris package commands.
To see all the packages on a given system, use the following command:
# pkginfo | more

Sample output might include (the columns are the package type classification,
the package name, and the package description):
system      FFNrand        ffrandom-0.6
application FFNsman        FastForward Networks service manager
application NSCPcom        Netscape Communicator
application NSCPdecom      German Netscape Communicator
application NSCPescom      Spanish Netscape Communicator
application NSCPfrcdo      French Netscape Communicator (U.S. security)
application NSCPfrcom      French Netscape Communicator (International security)
application NSCPitcom      Italian Netscape Communicator
application NSCPsvcom      Swedish Netscape Communicator
utility     OPENssh        OpenSSH 2.2.0p1 sparc
system      SMEvplr        SME platform links
system      SMEvplu        SME usr/platform links
system      SUNW1251f      Russian 1251 fonts
ALE         SUNW5ttf       Traditional Chinese BIG5 True Type Fonts Package
ALE         SUNW5xmft      Chinese/Taiwan BIG5 X Windows Platform minimum required Fonts Package
system      SUNWaccr       System Accounting, (Root)
system      SUNWaccu       System Accounting, (Usr)
system      SUNWadmap      System administration applications
system      SUNWadmc       System administration core libraries
system      SUNWadmfw      System & Network Administration Framework
system      SUNWadmj       Admin/Install Java Extension Libraries
--More--

When invoked, it shows all the available Solaris packages installed, sorted
by the classification of package types. The output of this command is sent to
the more command, which permits the user to peruse the output one screen
full at a time. Hitting the SPACEBAR on the keyboard displays another screen of
text. When packages are created, they contain a primary category parameter,
which denotes the classification of application the software represents. The
most common categories are system, application, and utility. For
example, as you can see from the preceding output, the Netscape package falls
under the application package class, which makes complete sense given that
Netscape is a Web browser application. A quick scan of the available packages
installed on a generic system reveals that both system and application are
the most widely installed types of software.
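The following shell script, added here and not part of the book, puts the inventory idea from the passage above to work: it reduces two pkginfo listings (a constructed baseline and a constructed capture from one host) to package names and reports which expected packages are missing from the host and which unexpected ones are present.

```shell
#!/bin/sh
# Added example, not from the book: compare the package inventory of a host
# (output of "pkginfo") against a baseline listing and report drift.
# pkginfo prints one package per line: <category> <pkginst> <description>.

# Constructed baseline: the packages every host in a group is expected to carry.
baseline_pkginfo() {
    cat <<'EOF'
utility     OPENssh        OpenSSH 2.2.0p1 sparc
system      SUNWaccr       System Accounting, (Root)
system      SUNWaccu       System Accounting, (Usr)
system      SUNWadmap      System administration applications
EOF
}

# Constructed "pkginfo | more" style output captured from one host.
host_pkginfo() {
    cat <<'EOF'
utility     OPENssh        OpenSSH 2.2.0p1 sparc
system      SUNWaccr       System Accounting, (Root)
system      SUNWadmap      System administration applications
system      SFWethrl       Ethereal - Interactively browse network traffic
--More--
EOF
}

# pkg_names: reduce pkginfo output on stdin to a sorted list of package names.
# Lines with fewer than two fields and pager prompts such as --More-- are dropped.
pkg_names() {
    awk 'NF >= 2 && $1 !~ /^--/ { print $2 }' | sort -u
}

# pkg_drift BASELINE_CMD HOST_CMD
#   Prints "MISSING <pkg>" for baseline packages absent from the host and
#   "EXTRA <pkg>" for host packages that the baseline does not list.
pkg_drift() {
    tmpdir=${TMPDIR:-/tmp}/pkgdrift.$$
    mkdir -p "$tmpdir"
    "$1" | pkg_names > "$tmpdir/base"
    "$2" | pkg_names > "$tmpdir/host"
    comm -23 "$tmpdir/base" "$tmpdir/host" | sed 's/^/MISSING /'
    comm -13 "$tmpdir/base" "$tmpdir/host" | sed 's/^/EXTRA /'
    rm -rf "$tmpdir"
}

# drift_count KIND: number of MISSING or EXTRA findings for the constructed data.
drift_count() {
    pkg_drift baseline_pkginfo host_pkginfo |
        awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

pkg_drift baseline_pkginfo host_pkginfo
```

To use it across real machines, save `pkginfo` output from a known-good host as the baseline and substitute a function that reads each host's saved listing.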
The pkginfo tool (as well as the other tools) supports several important
and common command line options as shown in Table 4-2.

Table 4-2 pkginfo Command-Line Options

Command   Definition
-a        Display the architecture of the package.
-c        Display all packages that match the specified category.
-d        Defines the device, directory name, or individual package name to query for package information.
-i        Display information on completely installed packages.
-l        Display additional package information in a long format.
-p        Display information on only partially installed packages.
-q        Used by an external program to determine if a package is installed. Doesn’t show any output.
-r        Display the installation directory base for any packages that have been relocated.
-R        Defines the directory to be used as the root path for packages.
-v        Display packages with the specified version information.
-x        Display extract listing information from a package.

One of the most important is the -d option, which tells the program
where to look to determine information about one or more packages. This
option is used to specify the hardware device, which contains the packages
(that is, CD-ROMs) or other media. However, it can also be used when a single
package is specified, or even a directory name. For example, let’s assume we
would like to examine the contents of the Solaris 8 Companion CD-ROM,
which contains useful tools and utilities. In general, we need to specify the
directory where the packages are located. The command
# pkginfo -d /cdrom/s8_software_companion/components/i386/Package

shows all the packages available under the /cdrom/s8_software_companion/
components/i386/Package directory. The following output shows a partial
list of the available packages:
system   SFWaalib   aalib - ASCII Art Library
system   SFWaconf   autoconf - GNU autoconf
system   SFWamake   automake - GNU automake
system   SFWasclk   asclock - the AfterStep clock
system   SFWastep   afterstep - X11 window manager
system   SFWaufl    audiofile - audio library
system   SFWbdb     Berkeley DB - database library
system   SFWbison   GNU bison - a better yacc
system   SFWcdrec   cdrecord - record audio or data Compact Discs
system   SFWcvs     cvs - version control system
system   SFWddd     DDD - GNU Data Display Debugger
system   SFWdiffu   diffutils - GNU diffutils
system   SFWemacs   GNU Emacs - Editor
system   SFWenscr   GNU enscript - convert text files to PostScript
system   SFWesd     esound - The Enlightened Sound Daemon
system   SFWethrl   Ethereal - Interactively browse network traffic
system   SFWexpct   expect - programmed dialogue with programs
system   SFWfile    file - determine file type
system   SFWflex    GNU flex - a lex replacement
system   SFWfnlib   fnlib - X11 font rendering library
system   SFWftype   Freetype - Free TrueType Rendering Engine
system   SFWfvwm    fvwm - X11 virtual window manager
system   SFWgawk    gawk - pattern scanning and processing language
system   SFWgbin    binutils - GNU binary utilities
system   SFWgcal    gcal - the GNU Gregorian calendar program
system   SFWgcc     gcc - GNU Compiler Collection
system   SFWgcmn    gcmn - Common GNU package
4

122

UNIX System Administration: A Beginner’s Guide

system   SFWgdb     gdb - GNU source-level debugger
system   SFWgfile   fileutils - GNU file management utilities
system   SFWgfind   findutils - GNU find utilities
system   SFWgimp    gimp - GNU Image Manipulation Program
system   SFWglib    GLIB - Library of useful routines for C programming
system   SFWgm4     GNU m4 - macro processor
system   SFWgmake   gmake - GNU make
system   SFWgnome   Gnome - X11 Windowing Environment
system   SFWgplot   gnuplot - The Gnuplot Plotting Utility
system   SFWgrep    grep - GNU grep utilities
system   SFWgroff   GNU groff - document formatting system
system   SFWgs      GNU Ghostscript - postscript interpreter
system   SFWgsfot   GNU Ghostscript Fonts - Other Fonts
system   SFWgsfst   GNU Ghostscript Fonts - Standard Fonts
system   SFWgtar    gtar - GNU tar

We can also obtain information on individual packages on the command
line. Thus,
# pkginfo -d /cdrom/s8_software_companion/components/i386/Packages SFWtop
system   SFWtop     top - display information about processes

In this case, we specified the top (SFWtop) system-monitoring package, which
provides additional information about the package. To learn even more about
a particular package, the –l option, which displays a long listing, can be used:
# pkginfo -l -d /cdrom/s8_software_companion/components/i386/Packages SFWtop
   PKGINST:  SFWtop
      NAME:  top - display information about processes
  CATEGORY:  system
      ARCH:  i386
   VERSION:  3.5_12,REV=2001.02.19.04.12
   BASEDIR:  /opt                      (directory where the package will be installed)
    VENDOR:  ftp://ftp.groupsys.com/pub/top
      DESC:  top - display and update information about the top cpu processes
    PSTAMP:  freeware20010219074803
   HOTLINE:  Please contact the owners of this software
    STATUS:  spooled
     FILES:  10 spooled pathnames
              4 directories
              1 executables
              4 package information files
             99 blocks used (approx)
           2425 blocks used (approx)


The output displayed shows much more information about the package, and
includes information about where the package will be installed, the size of the
package, and other important details.

1-Minute Drill
● Why is the more command useful in conjunction with pkginfo?

pkgadd
When it is necessary to install a new package or upgrade an existing one, the
pkgadd command can be used. This tool uses the same command-line arguments
as pkginfo. For example, to install a single package that is specified on the
command line, we could use the following command:
# pkgadd -d /cdrom/s8_software_companion/components/i386/Packages SFWtop
Processing package instance  from 
(The line above names the package to install.)
top - display information about processes
(i386) 3.5_12,REV=2001.02.19.04.12
Top users/processes display for Unix
Version 3
This program may be freely redistributed,
but this entire comment MUST remain intact.
Copyright (c) 1984, 1989, William LeFebvre, Rice University
Copyright (c) 1989 - 1994, William LeFebvre, Northwestern University
Copyright (c) 1994, 1995, William LeFebvre, Argonne National Laboratory
Copyright (c) 1996, William LeFebvre, Group sys Consulting
DISCLAIMER
"top" is distributed free of charge. It should not be considered an
official product of Group sys Consulting. William LeFebvre supports
"top" in his spare time and as time permits.
NO WARRANTY:
BECAUSE "top" IS DISTRIBUTED FREE OF CHARGE, THERE IS ABSOLUTELY NO
WARRANTY PROVIDED, TO THE EXTENT PERMITTED BY APPLICABLE STATE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING, GROUP SYS CONSULTING, ARGONNE
NATIONAL LABORATORY, NORTHWESTERN UNIVERSITY, WILLIAM N. LeFEBVRE
AND/OR OTHER PARTIES PROVIDE "top" "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE "top" PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

● If you have a lot of packages installed on your system, piping the results of pkginfo to more makes it easier
  to read them by displaying them one screen at a time.


IN NO EVENT WILL GROUP SYS CONSULTING, ARGONNE NATIONAL LABORATORY,
NORTHWESTERN UNIVERSITY, WILLIAM N. LeFEBVRE, AND/OR ANY OTHER PARTY
WHO MAY MODIFY AND REDISTRIBUTE "top", BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY LOST PROFITS, LOST MONIES, OR OTHER SPECIAL, INCIDENTAL
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY THIRD PARTIES OR A FAILURE OF THE
PROGRAM TO OPERATE WITH OTHER PROGRAMS) THE PROGRAM, EVEN IF YOU HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY
ANY OTHER PARTY.
So there!
YOU MUST OBSERVE ANY AUTHORS' CONDITIONS WITH RESPECT TO
INDIVIDUAL COMPONENTS PROVIDED WITHIN THIS CODE. SUPPORT
FOR THE TECHNOLOGIES AND DOCUMENTATION IS NOT PROVIDED
BY SUN MICROSYSTEMS, INC.

THE TECHNOLOGIES AND DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT TECHNICAL
SUPPORT OR WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
Using  as the package base directory.
(Installer message informing you where the package is being installed.)
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of  [y,n,?] y
(Installer prompt waiting for your input before continuing.)
Installing top - display information about processes as 
## Installing part 1 of 1.
Installation of  was successful.

The above command installs the top utility on a Solaris system, and as you
can see, a fair amount of output was generated showing all the steps involved
with the installation process. Note that the Solaris package tools are sophisticated
enough to prompt the user should it be necessary to query for additional
information. This is one of the most powerful features of these tools—to install
software components in an intelligent manner regardless of the target platform.
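Two lines of that output deserve attention before answering the prompt: pkgadd reports that it is "Checking for setuid/setgid programs" and warns that the package's scripts run with super-user permission. The script below is an added example, not code from the book, that pulls both facts out of a spooled package's pkgmap so they can be reviewed before pkgadd is run; the pkgmap content is constructed sample data laid out in the Solaris pkgmap(4) format, not the real SFWtop pkgmap.

```shell
#!/bin/sh
# Added example, not from the book: pre-installation review of a Solaris
# package's pkgmap. pkgadd prints "Checking for setuid/setgid programs" and
# warns that install scripts run with super-user permission; this script lists
# both from the spooled package so they can be inspected before pkgadd runs.
#
# pkgmap(4) layout for files:      part ftype class path mode owner group size cksum modtime
# pkgmap(4) layout for 'i' files:  part i name size cksum modtime
# The sample below is constructed data, not the real SFWtop pkgmap.

SAMPLE_PKGMAP=$(cat <<'EOF'
: 1 2425
1 d none /opt/sfw 0755 root bin
1 d none /opt/sfw/bin 0755 root bin
1 f none /opt/sfw/bin/top 4755 root bin 81234 52811 982562352
1 f none /opt/sfw/bin/top.sh 0755 root bin 1024 11111 982562352
1 d none /opt/sfw/man/man1 0755 root bin
1 f none /opt/sfw/man/man1/top.1 0644 root bin 6123 40213 982562352
1 i pkginfo 512 6043 982562352
1 i postinstall 220 9321 982562352
1 i preremove 180 8812 982562352
EOF
)

# setuid_entries: stdin = pkgmap; prints "mode path" for regular (f),
# editable (e) and volatile (v) files whose mode has the setuid or setgid
# bit set. The first octal digit carries those bits: 2 = setgid, 4 = setuid,
# 6 = both; 1/3/5/7 add the sticky bit; 0 means neither is set.
setuid_entries() {
    awk '($2 == "f" || $2 == "e" || $2 == "v") &&
         length($5) == 4 && substr($5, 1, 1) ~ /[2-7]/ { print $5, $4 }'
}

# install_scripts: stdin = pkgmap; prints the names of the package information
# files that pkgadd or pkgrm execute as root: the standard install and remove
# scripts plus class action scripts (i.<class>, r.<class>).
install_scripts() {
    awk '$2 == "i" && $3 ~ /^(request|checkinstall|preinstall|postinstall|preremove|postremove|[ir]\..+)$/ { print $3 }'
}

# review_package: stdin = pkgmap; prints a short report and returns 1 if
# anything needs a look, 0 if the package is clean on both counts.
review_package() {
    map=$(cat)
    suid=$(printf '%s\n' "$map" | setuid_entries)
    scripts=$(printf '%s\n' "$map" | install_scripts)
    if [ -z "$suid" ] && [ -z "$scripts" ]; then
        echo "no setuid/setgid files and no install scripts"
        return 0
    fi
    if [ -n "$suid" ]; then
        printf 'setuid/setgid files:\n%s\n' "$suid"
    fi
    if [ -n "$scripts" ]; then
        printf 'scripts run as root by pkgadd/pkgrm:\n%s\n' "$scripts"
    fi
    return 1
}

# Usage on a spooled package (path is an example): review_package < /var/spool/pkg/SFWtop/pkgmap
if [ $# -gt 0 ]; then
    review_package < "$1"
fi
```

The sample reports /opt/sfw/bin/top as a 4755 (setuid root) binary and postinstall and preremove as root-executed scripts; a real pkgmap is read from the spooled package directory once it has been copied to disk with pkgadd -s.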

pkgrm
In order to remove one or more packages, use the pkgrm command. The basic
syntax of this command requires the name of the package that should be
removed. For example, to remove the FTP client application, SMCxftp, issue
the following command:
# pkgrm SMCxftp


The resulting output is shown:
The following package is currently installed:
   SMCxftp   xftp
             (sparc) 2.1

Do you want to remove this package? yes
(Prompt asking you to confirm removing the package; "yes" is your response to the prompt.)
## Removing installed package instance 
## Verifying package dependencies.
## Processing package information.
## Removing pathnames in class 
/usr/local/man/man1/xftp.1
/usr/local/man/man1 
/usr/local/man 
/usr/local/lib/XFtp.ad
/usr/local/lib
/usr/local/doc/xftp/README
/usr/local/doc/xftp/NEW_FEATURES
/usr/local/doc/xftp/CHANGES
/usr/local/doc/xftp/BUGS
/usr/local/doc/xftp
/usr/local/doc
/usr/local/bin/xftp
/usr/local/bin 
## Updating system information.

Removal of  was successful.

As you can see from this output, the pkgrm tool prompts the user to ensure that
removal of the specified package is in fact desired. Once done, it also displays all the
files associated with this package that are being removed from the system. Please
note that the pkgrm command must be supplied with the actual package name,
not the name of the file that was used to contain the package. For example,
# pkgrm xftp
pkgrm: ERROR: no package associated with 

doesn’t work and produces an associated error message. If you don’t know the
actual package name, use the pkginfo command to find out:
# pkginfo -d xftp-2.1-sol8-sparc-local
application   SMCxftp   xftp

Note that once a package has been removed from the system, any associated
files and/or programs are permanently removed.


4.2 Discover HP-UX Package Tools
The HP-UX system provides the basic package management tools that include
● swlist
● swinstall
● swremove

swlist
To display information about the installed product on a HP-UX system, use the
swlist package management command. This command has a large number of
command line arguments, but the most common ones are listed in Table 4-3.
You must have root privileges to execute the HP-UX package commands.
The most basic use of the command is to show the currently installed
products on a system. The command that you would use is
# swlist

Option   Meaning
-a       Display a list of products by attribute.
-d       Display a list of products that are available from a depot, not from the
         local system.
-I       Invoke the interactive user interface, which can be used on regular terminals.
-l       Display a list of objects that correspond to a specific level. This is how to
         show the detailed components that make up a particular package.
-r       Display a list of products that are installed on an alternative root file system.
-v       Display more detailed information regarding products.

Table 4-3   Common swlist Command-Line Options


When this command is executed, it displays a list of the currently installed
products on the local system. The example output generated includes
# Initializing...
# Contacting target "boston-srv"...
#
# Target:  boston-srv:/
#
# Bundle(s):
#
  A4929A        B.11.00.11     1000Base-T PCI Gigabit Ethernet Driver
  A5158A        B.11.00.02     HP PCI Tachyon TL Fibre Channel
  B3701AA       C.02.40.000    HP GlancePlus/UX Pak for s800 11.0
  B3901BA       B.11.01.20     HP C/ANSI C Developer's Bundle for HP-UX 11.00 (S800)
  B3913DB       C.03.25        HP aC++ Compiler (S800)
  B3919EA_2A5   B.11.00        Special Edition HP-UX Unlimited-User Lic
  B3929BA       B.11.00        HP OnLineJFS (Advanced VxFS)
  B5456CA       C.01.18.01     HP-UX Development Kit for Java*
  B8342AA       B.11.00.03     Netscape Communicator 4.72
  B8723AA       A.01.02        CIFS/9000 Client Lic. for 9000 Servers
  B8725AA       A.01.02        CIFS/9000 Server Lic. for 9000 Servers
  HPUXEng64RT   B.11.00        English HP-UX 64-bit Runtime Environment
  OnlineDiag    B.11.00.13.16  HPUX 11.0 Support Tools Bundle
  XSWECO226     A.1.0          Patch Replacement bundle
  XSWGR1100     B.11.00.49.3   HP-UX General Release Patches, June 2000
  XSWHWCR1100   B.11.00.49.3   HP-UX Hardware Enablement and Critical Patches, June 2000
#
# Product(s) not contained in a Bundle:
#
  PHCO_21492    1.0            Software Distributor (SD-UX) Cumulative Patch
  PHKL_22209    1.0            fix f_cred, fork DPFs & accept(2) errors
  PHNE_22397    1.0            cumulative ARPA Transport patch
  perl          5.6.0          perl

In this example, the system boston-srv was probed with the swlist
command, and it shows that a variety of software packages have been installed
on the system. The list of packages is broken down into two categories:
products contained within a bundle and products that are stand-alone. A product
within a bundle simply means that the package contains a series of files or
other objects and the name of the bundle is a container. As you can see from
the output, the B8342AA bundle, for instance, corresponds to the Netscape
Communicator 4.72 application, while the nonbundle applications include
the perl 5.6.0 module.


By specifying a package to the swlist command, the administrator can drill
down and obtain more detailed information about a product or bundle. Thus,
the command
# swlist A4929A

shows the elements of the A4929A package:
# Initializing...
# Contacting target "boston-srv"...
#
# Target:  boston-srv:/
#
  A4929A                 B.11.00.11   1000Base-T PCI Gigabit Ethernet Driver
  A4929A.GE-DRV          B.11.00.11   HP PCI/GSC Gigabit Ethernet Driver
  A4929A.GE-DRV.GE-KRN   B.11.00.11   Gigabit Ethernet Kernel Software Distribution
  A4929A.GE-DRV.GE-RUN   B.11.00.11   Gigabit Ethernet Runtime Software Distribution

If we desire even more information and details about this package, we can use
the –v option, which provides quite a fair amount of information for each
element within the package. The command
swlist -v A4929A

will produce the following output for the network driver:

Hint
The output below was shortened for brevity since several pages were
generated by the above command.

# Initializing...
# Contacting target "boston-srv"...
#
# swlist   Installed Software Table of Contents
#
# For host: boston-srv:/
# Date: Mon Dec 31 00:17:38 2001
#
# A4929A

vendor
  tag                   HP
  uuid
  title                 "Hewlett-Packard Company"
  description           "Hewlett-Packard Company
"
end

bundle
  tag                   A4929A
  software_spec         A4929A,r=B.11.00.11,a=HP-UX_B.11.00_32/64,v=HP
  data_model_revision   2.40
  instance_id           1
  control_directory     A4929A
  size                  1370913
  revision              B.11.00.11
  title                 1000Base-T PCI Gigabit Ethernet Driver
  description           "Vendor Name
Hewlett-Packard Company
This bundle contains the software drivers for the HP 1000Base-SX/T
cards A4924A HSC, A4925A HSC EISA, A4926 PCI and A4929A PCI .
This is for systems running version 11.** of the HP-UX operating system.
The bundle has the Gigabit Ethernet product which contains:
Subproduct: Runtime
Filesets : GE-KRN, GE-RUN"
  mod_date              Thu Oct 26 14:31:27 PDT 2000
  mod_time              972595887
  create_date           Fri Apr 28 16:45:28 PDT 2000
  create_time           956965528
  install_date          200010261731.27
  architecture          HP-UX_B.11.00_32/64
  machine_type          *
  os_name               HP-UX
  os_release            ?.11.00
  os_version            *
  install_source        m2403jrw.nsr.hp.com:/var/opt/ignite/depots/Rel_B.11.00/apps_800
  is_patch              false
  supersedes
  category_tag          OrderedApps
  vendor_tag            HP
  directory             /
  qualifier
  layout_version        1.0
  is_locatable          true
  location
  copyright
  number
  contents              GE-DRV,r=B.11.00.11,a=HP-UX_B.11.00_32/64,v=HP
  is_protected          false
  is_reference          true
  associated_bundles
  hp_ii                 "factory_integrate=TRUE;
title=GELAN;
desktop=FALSE"
  hp_srdo               "swtype=I;user=B;bundle_type=C"

One extremely useful function of the HP-UX package management tool is
that the administrator can query one or more networked remote hosts. It would
be great to scan a series of systems from a central system. For example, consider
the case where we would like to scan two systems called newyork and chicago.
The appropriate swlist command syntax would be
swlist @ newyork chicago

As a result, two listings are generated for each of the hosts provided on the
command line. Because of this feature, it is very easy to automate the inventory
of installed software across a network of systems.
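One way to turn those per-host listings into an inventory, and to spot a host that lacks a product (a patch, say) that a reference host has, is shown below. This is an added example, not code from the book: the two listings are constructed sample data in the layout swlist prints above, standing in for what "swlist @ newyork chicago" would return.

```shell
#!/bin/sh
# Added example, not from the book: flatten the swlist output of several hosts
# into a "host name revision" inventory and report which products a host lacks
# compared with a reference host. The two listings are constructed sample data
# in the layout swlist prints (compare the boston-srv output above); on a real
# network they would come from "swlist @ newyork chicago" run as root.

NEWYORK=$(cat <<'EOF'
# Initializing...
# Contacting target "newyork"...
#
# Target:  newyork:/
#
# Bundle(s):
#
  B8342AA       B.11.00.03     Netscape Communicator 4.72
  XSWGR1100     B.11.00.49.3   HP-UX General Release Patches, June 2000
#
# Product(s) not contained in a Bundle:
#
  PHCO_21492    1.0     Software Distributor (SD-UX) Cumulative Patch
  PHNE_22397    1.0     cumulative ARPA Transport patch
  perl          5.6.0   perl
EOF
)

CHICAGO=$(cat <<'EOF'
# Initializing...
# Contacting target "chicago"...
#
# Target:  chicago:/
#
# Bundle(s):
#
  B8342AA       B.11.00.03     Netscape Communicator 4.72
  XSWGR1100     B.11.00.49.3   HP-UX General Release Patches, June 2000
#
# Product(s) not contained in a Bundle:
#
  PHCO_21492    1.0     Software Distributor (SD-UX) Cumulative Patch
  perl          5.6.0   perl
EOF
)

# inventory: stdin = swlist output for one or more targets; prints one
# "host name revision" line per product. The host comes from the most recent
# "# Target:" line, so the concatenated output of several hosts works too.
inventory() {
    awk '
        /^# Target:/ { host = $3; sub(/:\/$/, "", host); next }
        /^#/ || NF < 2 { next }
        { print host, $1, $2 }
    '
}

# missing_on: $1 = reference swlist output, $2 = target swlist output;
# prints, sorted, the product names installed on the reference host but not
# on the target (for a patch such as PHNE_22397 this is the gap to close).
missing_on() {
    {
        printf '%s\n' "$1" | inventory | awk '{ print "R", $2 }'
        printf '%s\n' "$2" | inventory | awk '{ print "T", $2 }'
    } | awk '
        $1 == "T" { have[$2] = 1; next }
        { want[$2] = 1 }
        END { for (p in want) if (!(p in have)) print p }
    ' | sort
}

# Print the combined inventory and the gap report when invoked with "report".
if [ "${1:-}" = "report" ]; then
    printf '%s\n%s\n' "$NEWYORK" "$CHICAGO" | inventory
    echo "missing on chicago:"
    missing_on "$NEWYORK" "$CHICAGO"
fi
```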

swinstall
The swinstall utility is used to install or inspect packages that have been
installed on the system. This tool is fairly sophisticated in its approach to
package management. For example, when the program is started, it automatically
scans the system to see if it can find any packages to install.

Project 4-1

Step-by-Step

Let’s imagine that we would like to install a software program called ethereal.
This tool provides a GUI-based facility to capture network packets. The package
name is ethereal-0.8.20-sd-11.00.depot.

1. Start the swinstall program, using the command
swinstall –i

The –i option tells the program to run using the interactive user interface; this
interface will function with a regular terminal or an xterm. We could have run the
program without the –i option, since the default mode is to use the user
interface. When swinstall is first executed, it displays the following screen:


Starting the terminal version of swinstall...
To move around in swinstall:
- use the "Tab" key to move between screen elements
- use the arrow keys to move within screen elements
- use "Ctrl-F" for context-sensitive help anywhere in swinstall
On screens with a menubar at the top like this:
    ------------------------------------------------------
    |File View Options Actions                        Help|
    | ---- ---- ------- -------                       ----|
- use "Tab" to move from the list to the menubar
- use the arrow keys to move around
- use "Return" to pull down a menu or select a menu item
- use "Tab" to move from the menubar to the list without selecting a menu item
- use the spacebar to select an item in the list
On any screen, press "CTRL-K" for more information on how to use the keyboard.
Press "Return" to continue...


2. You must hit the ENTER key to continue.
At this point, the swinstall utility checks the local CD-ROM device and
after a short amount of time you are prompted to specify the source of the
package to install. If you have software on the CD-ROM you would like to
install, select it or give the location of a directory that contains the software
package(s). In this example, we are attempting to install the ethereal tool,
which is located in the /tmp directory.
The screen below shows the window contents that will be displayed when it
prompts for the package source:
Specify Source (boston-srv)
Specify the source type, then host name, then path on that host.

Source Depot Type:          [ Local Directory      ->]
[ Source Host Name... ]     boston-srv
[ Source Depot Path... ]
[ Software Filter...  ]     None

[   OK   ]      [ Cancel ]      [  Help  ]

3. You must navigate to the Source Depot Path… Name item using the TAB key
and then enter the full path name and file of the package. Next, TAB to the
OK item and then hit ENTER. Once this has been done, the main window is
displayed with the ethereal package:
SD Install - Software Selection (boston-srv) (1)
File View Options Actions                                              Help
Press CTRL-K for keyboard help.
Source: boston-srv:/tmp/ethereal-0.8.20-sd-11.00.depot
Target: boston-srv:/

Only software compatible with the target is available for selection.

Top (Bundles and Products)                                  0 of 1 selected
Marked?   Name            Revision   Information   Size(Kb)
          ethereal   ->   0.8.20     ethereal      7414


4. Next, you must mark the package so that it will be installed, by selecting the
package using the TAB key and then accessing the Actions menu and selecting
the Mark For Install menu item. Once done, the Marked? field on the main
window will show YES to indicate that the ethereal package has been marked.
5. Using the TAB key, navigate to the ethereal package and use the SPACEBAR to
select it.
6. Then, select the Install (analyze)… menu item from the Actions menu and
a new screen will be displayed to confirm the installation.
7. The installation begins and the following screen is displayed with the status
of the progress:
Install Window (boston-srv) (3)
Press 'Products' and/or 'Logfile' for more target information.
Target              : boston-srv:/
Status              : Completed
Percent Complete    : 100%
Kbytes Installed    : 902 of 902
Time Left (minutes) : 0
Loading Software    :

[ Products... ] [ Logfile... ]
[   Done   ]      [   Help   ]

The Status field will indicate the completion or failure of the installation.
If there were errors, inspect the log file for additional details.

Hint
You can view detailed package information by selecting the package with
the SPACEBAR and then accessing the Show Description of Software item
from the Actions menu. If the ethereal package was selected, the following
screen is displayed:

Software Description Dialog (boston-srv)
[ Description... ]                          (description of the package)
Product: ethereal
Revision: 0.8.20
ethereal
Size: 7414 Kbytes
Vendor:
Product Number:
Product executes on: HP-UX_B.11.00_700/800
Category:
Product may not be relocated
Default Directory: /opt/ethereal
Will be installed at: /opt/ethereal
Date Copied: Mon Oct 15 07:46:48 2001
Machine: 9000/[678]??
Operating System Name: HP-UX
Operating System Release: ?.11.??

[ OK ] [ Dependencies... ] [ Bundles... ] [ Copyright... ] [ Vendor... ] [ Readme... ] [ Help ]

To exit the swinstall application, TAB to the OK item, hit ENTER. Then
using the File menu, select EXIT and hit ENTER.

swremove
To remove one or more packages from a HP-UX system, use the swremove
command.

Project 4-2
Continuing our example from Project 4-1, let’s assume we want to remove the
ethereal utility that was just installed.

Step-by-Step
1. Execute the swremove utility:
swremove

When this tool is invoked, it shows the same screen information as the
swinstall program does. Then, it probes the system to determine all
the installed packages and displays a list as shown here:
SD Remove - Software Selection (boston-srv) (1)
File View Options Actions                                              Help
Press CTRL-K for keyboard help.
Target: boston-srv:/
Target Displaying Software: boston-srv:/

Top (Bundles and Products)                                 0 of 21 selected
Marked?   Name              Revision      Information
          A4929A       ->   B.11.00.11    1000Base-T PCI Gigabit E
          A5158A       ->   B.11.00.02    HP PCI Tachyon TL Fibre
          B3701AA      ->   C.02.40.000   HP GlancePlus/UX Pak for
          B3901BA      ->   B.11.01.20    HP C/ANSI C Developer's
          B3913DB      ->   C.03.25       HP aC++ Compiler (S800)
          B3919EA_2A5  ->   B.11.00       Special Edition HP-UX Un
          B3929BA      ->   B.11.00       HP OnLineJFS (Advanced V
          B5456CA      ->   C.01.18.01    HP-UX Development Kit fo
          B8342AA      ->   B.11.00.03    Netscape Communicator 4.
          B8723AA      ->   A.01.02       CIFS/9000 Client Lic. Fo

2. Navigate to the ethereal package using the DOWN ARROW key and then select
the package using the SPACEBAR. Using the menu shortcut, type the m key to
mark the package selection. Alternatively, you could have navigated to the
Actions menu and selected the Mark For Remove menu item. Once done,
the screen should look like the following:
SD Remove - Software Selection (boston-srv) (1)
File View Options Actions                                              Help
Target: boston-srv:/
Target Displaying Software: boston-srv:/

Top (Bundles and Products)                                 1 of 21 selected
Marked?   Name              Revision        Information
          HPUXEng64RT  ->   B.11.00         English HP-UX 64-bit Run
          OnlineDiag   ->   B.11.00.13.16   HPUX 11.0 Support Tools
          PHCO_21492   ->   1.0             Software Distributor (SD
          PHKL_22209   ->   1.0             fix f_cred, fork DPFs &
          PHNE_22397   ->   1.0             cumulative ARPA Transpor
          XSWECO226    ->   A.1.0           Patch Replacement bundle
          XSWGR1100    ->   B.11.00.49.3    HP-UX General Release Pa
          XSWHWCR1100  ->   B.11.00.49.3    HP-UX Hardware Enablemen
YES       ethereal     ->   0.8.20          ethereal
          perl         ->   5.6.0           perl


3. Navigate to the Actions menu and select the Remove (analysis)… menu item.
4. Once done, the Remove Analysis screen is displayed. Once the Status field
indicates “Ready,” select the OK item.
5. Next, when the confirm screen is displayed, hit the ENTER key.
6. Next, a new screen is displayed which shows the progress of the removal.
If the removal was successful, the Status field will show the “Completed”
message as shown here. If errors occurred, examine the log file for additional
information.
Remove Window (boston-srv) (3)
Press 'Products' and/or 'Logfile' for more target information.
Target              : boston-srv:/
Status              : Completed
Percent Complete    : 100%
Kbytes Removed      : 902 of 902
Time Left (minutes) : 0
Removing Software   :

[ Products... ] [ Logfile... ]
[   Done   ]      [   Help   ]

1-Minute Drill
● Why is the HP-UX package management tool’s ability to query remote
  machines useful?
● Why is the interactive mode useful in swinstall?

● It makes it easy to inventory packages on remote systems without having to physically touch those systems.
● Interactive mode is useful if you want to select the package to install using onscreen menus and prompts
  rather than specifying all the necessary options on the command line.


4.3 Discover Linux Package Tools
The Linux operating system (and most of its different distributions as well)
supports the Red Hat Package Manager (RPM) format. All the system
administrator’s requirements for package management are contained within
a single utility called rpm. This tool has a large number of command-line
arguments, but only a few options are necessary to maximize the use of the
tool. Therefore, the most common options are listed in Table 4-4. You must
have root privileges to execute this command.
To display a list of the currently installed packages, use the –q or --query
option. Since the number of packages installed on a given system can be quite
large, it is reasonable to filter the query of packages. For example, assume we
would like to see all the packages that are related to file transfer. Thus, the
command
rpm --query -a | grep ftp

would show the following output from a standard version of RH7.0:
anonftp-3.0-9
ncftp-3.0.1-7
tftp-server-0.17-5
ftp-0.17-6
wu-ftpd-2.6.1-6
gftp-2.0.8-ximian.2

Option          Meaning
--help          Display a detailed list of command-line arguments.
--install, -i   Install the specified package.
--query, -q     Query mode—displays information about packages.
-a              Used with --query option to specify all packages.
--erase, -e     Erase or uninstall a package.
-v              Enable verbose output.
--version       Display the software version of rpm.

Table 4-4   Common rpm Command-Line Options


If we didn’t filter this command in some manner, we would obtain a rather
large number of packages. For example, let’s send the output from the rpm
command to the wc command. Thus,
[root@socrates /root]# rpm --query -a | wc -l
375

The result from the rpm command is piped to the word count program, which
counts each line (-l) to give us the total number of installed packages, which
is 375. Note too that we used the –a option to indicate that all packages should be
displayed; this parameter is required with the --query option.
To install a new rpm, use the –i or --install command option. For
example, to install the xchat program, do the following:
rpm --install xchat-1.6.3-4.i386.rpm

If no errors occurred during the installation, the prompt would be returned
to you without displaying any error messages. The name of the rpm contains a
few fields to quickly identify the version and supported platform, as noted in the
xchat example.
To delete a package, use the –e or --erase command-line argument.
Thus, to delete the xchat tool from the system, use
rpm --erase xchat-1.6.4

If no errors occurred during the removal process, the prompt would be
returned to you without displaying any error messages.

Project 4-3
This project will help you find all the installed packages on your system.

Step-by-Step
If you are using a Solaris system:
1. Display all the packages on your system.
# pkginfo | more


2. Choose a package from the step 1 output and display longer information
about it:
# pkginfo -l packagename

3. Choose a CD-ROM and display all the packages on it:
# pkginfo -d /cdrom/path | more

If you are using a HP-UX system:
1. Display all the packages on your system.
# swlist

2. Choose a package from the step 1 output and display longer information
about it:
# swlist -v packagename

3. Choose a depot and display all the packages on it:
# swlist -d @ pathtodepot

If you are using a Linux system:
1. Display all the packages on your system a page at a time.
# rpm --query -a | more

2. Choose a package from the step 1 output and display longer information
about it:
# rpm -qv packagename

3. Display more information about the rpm command:
# rpm --help


Mastery Check
1. What is the Solaris command to list all the installed packages in the
   system category?
2. You must have __________ privileges to execute the package information
   commands discussed in this module.
3. The RPM format and rpm utility are used to (choose all that apply):
   A. Display information about installed packages
   B. Transfer files
   C. Install a new package
   D. Remove an installed package
4. What would this command do: rpm --erase XFree86?
5. In Solaris, the command to install the SFWgimp package from the
   /cdrom/s8_software_companion/components/i386/Package CDROM
   path is
   A. # pkgadd -d /cdrom/s8_software_companion/components/i386/Packages SFWgimp
   B. # swinstall -d /cdrom/s8_software_companion/components/i386/Packages SFWgimp
   C. # pkginfo -d /cdrom/s8_software_companion/components/i386/Packages SFWgimp
   D. # pkgadd -a /cdrom/s8_software_companion/components/i386/Packages SFWgimp
6. In HP-UX, what command do you use to install a package in
   interactive mode?
   A. swinstall
   B. swinstall -i
   C. swinstall -l
   D. swinfo -i

Module 5
Maintaining UNIX Users

Critical Skills
5.1 Discover the /etc/passwd File
5.2 Discover the /etc/group File
5.3 Discover the /etc/shadow File
5.4 Explore UNIX Account Tools


This module focuses on maintaining UNIX user accounts from a nuts and bolts
perspective. As a result, the associated system configuration files, which
UNIX uses to maintain users, are fully described. Further, the additional tools
that are used to manipulate these files directly are discussed.
UNIX is a multifaceted operating system; it provides more than one way to
accomplish a specific task or administrative function. It contains a plethora of
tools for solving a wide range of system-related problems and issues. For instance,
users can be added to the system using a graphical user interface program, and
other tools that operate on the command line can be used as well. Despite the
fact that perhaps these tools provide overlapping functionality and are meant to
address the same problem, they clearly provide a different approach to solving
the particular problem.
Bear in mind also that the administrator isn’t restricted in using the specific
user accounts tools to maintain system accounts. Rather, since the configuration
files are based on normal text, a standard text editor may be used instead—
provided the administrator understands the file formats and can use an editor
to input the required information.
The relevant UNIX account system configuration files are
● /etc/passwd
● /etc/group
● /etc/shadow

5.1 Discover the /etc/passwd File
The /etc/passwd file is the main configuration file for all UNIX users. It
contains an entry for each user defined on the system; a single line within this
file represents a single user. To view a single account, simply use the grep
command to search the file for a specific account. Thus, to view the user
account called stevem, do the following:
# grep stevem /etc/passwd
stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash


The format of the account entry includes seven fields, which are separated
by a colon (:) character. Each field within the file represents one element of the
UNIX account entry. Table 5-1 shows these fields and associated examples.

Table 5-1  Fields Within the /etc/passwd File

Field           Example             Meaning
Username        stevem              This is the name of the UNIX account. This is
                                    the name that will be shown when the user
                                    logs into the system.
Password        x                   This is where the password of the account
                                    is stored. If the /etc/shadow file is used,
                                    then this field contains an “x”.
Account UID     20003               This is the user identification number.
Group ID        10                  This is the group identification number
                                    that indicates the primary group
                                    membership for this user.
Comment         Mr. Steve Maxwell   Comments about the account, which
                                    typically contain the real name of the
                                    account holder.
Home Directory  /homes/stevem       The default directory where the user will
                                    store files and will be placed after logging
                                    into the system.
Shell           /usr/bin/bash       The program that will be run for the user
                                    when logged into the system. Typically,
                                    this field contains the desired shell, which
                                    acts as the basic command interpreter.

Username
The username must be a unique string that can consist of both letters and numbers,
and usually can’t be longer than eight characters on most systems. The username
should represent the actual name of the user as much as possible. For example,
Steve Maxwell could be maxwell, smaxwell, stevem, or just steve.
This account name will appear when a list of users is displayed using a command
such as who or ps. Also, once the user has logged into the system, the name is
used to track any account activity. This username will also appear when files
and directories are displayed using the long format. For instance, we can examine
the ownership of the /etc/passwd itself:
# ls -al /etc/passwd
-r--r--r--   1 root     sys          861 Oct 22 21:22 /etc/passwd

In this case, the /etc/passwd is owned by the root user, as shown by the
third field in the preceding sample output.

Hint

When adding new users to the system, it will be important that a scan be done
to ensure that no duplicate names are added. To minimize the chance of this
happening, use one of the UNIX administrative tools to add the user directly.
However, if the account is being added manually, simply use the grep
command to ensure that the account doesn’t currently exist.

Typically, the username is also the same as the home directory. Thus, in the
example above, the username of sjmaxwell would have the home directory of
the same name. However, this is just a convention—there is no technical reason for
this to be the case. It makes system administration easier if they are the same.

User Password
The Password field holds an encrypted and encoded password string for the
account. This password must be supplied when the user logs into the system.
Without the password, the user can’t log into the system. The exception to this is
that the root user can access any UNIX account without knowing the password.
Normal users can access the root account by using the su command. This
command stands for “substitute user” and running it without any options defaults
to accessing the root account, but you must supply the correct password first.
When creating a new user, this field is left blank and the administrator uses
another program to add the password for the account file. In the example account,
stevem, the Password field contained a single “x” character. This indicates
that the password is stored within the /etc/shadow file instead of the /etc/
passwd file. Once the UNIX account has been set up, the administrator can
add a new password to the account by executing the passwd command. This
command is described later in this module.


User Identification
The user ID (UID) is a unique integer number that is used as the primary
mechanism to track the user. The UID is contained within every file and
directory associated with the user account and is how user account activity
is logged by the system. To examine the mapping between the UID and the
account name, use the id command:
# id
UID=0(root) GID=1(other)

As you can see from the output example, the UID of 0 maps directly to the
root user. The maximum value of the UID is 2147483647, while the minimum
value is 0. The value of 0 is reserved and indicates the superuser or root account.
As a result, non-superuser accounts should start above this number.

User Comment
This field contains information about the account and contains any general
information associated with the login. Typically, this field is used to specify
the owner of the account. For example, in the previous example, the string
Mr. Steve Maxwell represents the real name of the account stevem.

Home Directory
This field contains the home directory for the user and is where the users will
typically store all their files. Also, once the system has logged the user in, this
directory is their starting point within the file system. In other words, when the
user executes the pwd command right after logging in, it should display their
home directory. Thus,
# pwd
/homes/stevem

shows the home directory of the user stevem if he just logged into the system
based on the earlier sample /etc/passwd entry.

User Login Shell
This field holds the name of the shell that will be executed when the user logs
into the system. The shell is responsible for providing a facility to execute
additional UNIX commands for the user. The system supports a number of
different shells such as bash (Bourne Again shell), csh (C shell), tcsh
(newer C shell), and sh (Standard shell). If no shell is supplied within this
field, the default shell of sh is used. Sometimes this field may contain a
/bin/false entry, which means that the user will never obtain a login shell,
because that program does nothing but exit immediately with a false (non-zero) status.
Also, in certain cases, no shell is included within this field, but another
UNIX program. For example, consider the nuucp UNIX account:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

In this case, the shell field contains a path to the uucico program, instead of a
standard shell program that we have seen before. This entry is the file transport
program for the UNIX-to-UNIX copy (UUCP) system. This is by no means a
standard UNIX account since no user will actually use this account—but it is
actually accessed by programs. UUCP provides a facility to transfer files from
one system to another using one or more network or serial communication
mechanisms. When the nuucp login name is accessed, the uucico program is
run to initiate the file transfer, instead of just running a command prompt for a
normal UNIX account.
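As an added example (not code from the book), here is a small Python parser for the seven-field /etc/passwd format described above, together with an audit of the points this section raises: duplicate usernames (see the Hint), the reserved UID 0, and login programs such as /bin/false or uucico that are not interactive shells. The sample entries are constructed for the example (the stevem and nuucp lines are the ones shown above; toor, noshell and the second stevem line are made up), and the set of paths treated as interactive shells is an assumption of the example.

```python
"""Parse /etc/passwd-format entries and audit them for the points made in 5.1.
Added example, not code from the book; sample data is constructed."""
from collections import Counter

# Constructed sample: the book's stevem and nuucp entries plus made-up lines
# (toor, noshell and a second stevem) that trip the audit checks.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
noshell:x:20004:10:Service account:/export/noshell:/bin/false
toor:x:0:1:Second superuser:/:/sbin/sh
stevem:x:20005:10:Duplicate name:/homes/stevem2:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")

# Assumption: the paths we treat as regular interactive login shells.
INTERACTIVE_SHELLS = {"/bin/sh", "/sbin/sh", "/bin/bash", "/usr/bin/bash",
                      "/bin/csh", "/usr/bin/csh", "/bin/tcsh", "/usr/bin/tcsh"}


def parse_passwd(text):
    """Split each non-empty line on ':' into a dict keyed by FIELDS.
    Raises ValueError if a line does not have exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(parts)))
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])   # UID and GID are numeric
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return (account, finding) tuples for: duplicate usernames, UID 0 on any
    account other than root, /bin/false shells, and other non-shell login programs."""
    findings = []
    names = Counter(e["name"] for e in entries)
    for name, count in sorted(names.items()):
        if count > 1:
            findings.append((name, "duplicate username (%d entries)" % count))
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 account other than root"))
        if e["shell"] == "/bin/false":
            findings.append((e["name"], "no login shell (/bin/false)"))
        elif e["shell"] not in INTERACTIVE_SHELLS:
            findings.append((e["name"], "non-shell login program: " + e["shell"]))
    return findings


def lookup_uid(entries, uid):
    """Map a numeric UID back to the account names that carry it (what `id` does
    for the calling user); more than one name means the UID is shared."""
    return [e["name"] for e in entries if e["uid"] == uid]


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    for account, finding in audit_passwd(parsed):
        print("%-10s %s" % (account, finding))
    print("UID 0 maps to:", lookup_uid(parsed, 0))
```

The audit deliberately treats a second UID 0 entry as a finding: the kernel identifies users by UID, so such an entry is a second root account regardless of its name.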

5.2 Discover the /etc/group File
The /etc/group file contains definitions of groups and their corresponding
group members. Groups provide a way to establish collections of users that share
one or more things in common. For example, the group devel may contain all
the users that are responsible in some way for the development of a particular
product. If a user must be a member of more than one group, the associated
account name can be added to additional groups that are defined within the
/etc/group file. A sample group, called devel, is shown here:
devel::107:samyu,irinav,anitat,stevem

Each line within this file represents a single group entry and contains four
fields. The required group fields are described in Table 5-2. Like the /etc/
passwd entries, the fields within the /etc/group file are also separated by
the colon (:) character.

Table 5-2  Fields Within the /etc/group File

Field           Example                         Meaning
Group Name      devel                           The name of the group.
Group Password  (blank)                         The password for the group is stored
                                                in this field.
Group ID        107                             The group identification.
Group Members   samyu, irinav, anitat, stevem   A comma-separated list of group
                                                members is listed in this field.

Group Name
The group name is a string that can consist of both letters and numbers, and
is typically not more than eight characters wide. This group name will appear
within the output of any UNIX program that displays group information. For
example, you can use the ls -l command to obtain additional file information on the
/etc/group file:
# ls -al /etc/group
-rw-r--r--   1 root     sys          504 Oct 28 16:30 /etc/group

As you can see, the output shows that the file contains the group ownership of
sys. The sys group represents the system group, which is the main group for
UNIX programs and configuration files that generally need root access to
operate correctly or be accessed.

Group Password
This field holds the group password. In practice, a password is not normally
defined for groups.

Group Identification
The group ID (GID) is a unique integer number that is used as the primary
mechanism to track the group. The GID is contained within every file and directory
associated with the user account and is the way group account activity is logged by
the system. The maximum value of the GID is 2147483647, while the minimum
value is 0. The value of 0 is reserved and indicates the superuser or root account.
As a result, non-superuser accounts should start above this number.


Group Members
The list of individual members within a group is listed within this field. A
comma-separated list of account names can be added to a group entry, thereby
adding these accounts to the membership of the group. In the example above,
the devel group has the following members: samyu, irinav, anitat,
and stevem.

How Group Membership Works
Consider three users (fred, barney, and bambam), and two groups
(flintstone and rubble). The user fred is a member of the flintstone
group while both barney and bambam are members of the rubble group.
Thus, we would see the following entries within the /etc/group file:
flintstone::201:fred
rubble::204:barney,bambam

Let’s also assume that the home directories and file permissions for these users
are defined as follows:
drwxrwx---   2 barney   rubble         512 Oct  2 16:07 barney
drwxrwx---   2 bambam   rubble         512 Oct 27 18:28 bambam
drwxrwx---   2 fred     flintstone     512 Nov 22 15:27 fred

Don’t be alarmed; home directories typically will be named the same name as
the login account name. That is why, for instance, the barney directory is
owned by the user barney.
Note in this example, all the directories are owned by their respective
account names and the directory access permissions are set to rwxrwx---.
These permission modes indicate that both the owner and group have complete
access to search, read, and write files within these directories. In other words,
the users barney and bambam have access to not only their own accounts, but
to each other’s as well. This is made possible because both barney and bambam
belong to the rubble group. Also note, the user fred doesn’t have any access to
either the barney or bambam directories. The same is also true of both barney
and bambam—they can’t access any of the files within the fred directory either.
If we choose to remove the group restrictions as stated above, the following
can be done:

● Add fred to the rubble group. Thus, the rubble group will look like the
following:
rubble::204:barney,bambam,fred

● Change the access permission of the barney and bambam directories to
include other users. In other words, change the directory permissions to
drwxrwxrwx   2 barney   rubble         512 Oct  2 16:07 barney
drwxrwxrwx   2 bambam   rubble         512 Oct 27 18:28 bambam

In this case, fred can now have full access to both the barney and bambam
directories. However, bear in mind that this might not be the best solution,
since this opens access to a larger pool of users, which may not be the desired
action. Also, we would need to alter the fred directory in order to give both
barney and bambam access as well.

Hint

It is entirely reasonable for a UNIX user to be in more than one group at
the same time.
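The flintstone/rubble scenario, worked through as an added Python example (not code from the book). It parses the two /etc/group lines shown above, models the ls -l listing as a table of owner, group and mode, and applies the owner/group/other triplet check that decides whether a user may enter a directory; it then shows the effect of both remedies (adding fred to rubble, or opening the directories to other users). The primary-group assignments and the simplified permission model (no root override, no ACLs, search and read and write all required) are assumptions of the example.

```python
"""Owner/group/other permission check for the flintstone/rubble example.
Added example, not code from the book; a simplified model of the kernel's check."""

# Constructed /etc/group lines, exactly as shown in the text.
GROUP_FILE = """\
flintstone::201:fred
rubble::204:barney,bambam
"""

# Assumption: each user's primary GID (the fourth /etc/passwd field).
PRIMARY_GID = {"fred": 201, "barney": 204, "bambam": 204}

# Constructed directory table from the ls -l listing: name -> (owner, group, mode).
DIRS = {
    "barney": ("barney", "rubble", "rwxrwx---"),
    "bambam": ("bambam", "rubble", "rwxrwx---"),
    "fred": ("fred", "flintstone", "rwxrwx---"),
}


def parse_group(text):
    """Return {group_name: (gid, set(members))} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def groups_of(user, groups):
    """Every group the user belongs to: primary GID plus /etc/group membership lists."""
    return {name for name, (gid, members) in groups.items()
            if user in members or PRIMARY_GID.get(user) == gid}


def can_access(user, dirname, groups, dirs=DIRS):
    """True if the user gets rwx on the directory. The kernel picks exactly one
    triplet: owner if the UID matches, else group if any of the user's groups
    matches, else other (it never falls through to a more permissive triplet)."""
    owner, group, mode = dirs[dirname]
    if user == owner:
        triplet = mode[0:3]
    elif group in groups_of(user, groups):
        triplet = mode[3:6]
    else:
        triplet = mode[6:9]
    return triplet == "rwx"


def access_matrix(groups, dirs=DIRS):
    """{user: sorted list of directories that user can enter and modify}."""
    return {u: [d for d in sorted(dirs) if can_access(u, d, groups, dirs)]
            for u in sorted(PRIMARY_GID)}


if __name__ == "__main__":
    before = parse_group(GROUP_FILE)
    print("as defined:      ", access_matrix(before))
    # Remedy 1: add fred to the rubble group.
    after = parse_group(GROUP_FILE.replace("barney,bambam", "barney,bambam,fred"))
    print("fred in rubble:  ", access_matrix(after))
    # Remedy 2: open barney and bambam to everyone (world rwx), fred stays as is.
    opened = dict(DIRS, barney=("barney", "rubble", "rwxrwxrwx"),
                  bambam=("bambam", "rubble", "rwxrwxrwx"))
    print("world-writable:  ", access_matrix(before, opened))
```

Run it and compare the three matrices: remedy 1 gives fred access without giving anything to users outside the two groups, whereas remedy 2 grants the same access to every account on the system, which is the wider exposure the text warns about.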

5.3 Discover the /etc/shadow File
The /etc/shadow file is used to store account password information and
contains password aging information. In particular, it contains an encrypted
password and related parameters that control elements about the password—
for example, when the account password should expire. Unlike both the /etc/
passwd and /etc/group files, which can be read by any user, the /etc/
shadow file is restricted; only the superuser may list the content of the file. This
is because of the relatively sensitive nature of the information stored within this
file; it is unreasonable to give important account information to just any user.
The contents of the /etc/shadow file include nine fields separated by colons.
Password aging simply means that the password will expire or become invalid
at some future date and the user will be forced to input a new password, which
will correspond to the password policy that the system administrator has set up.


Ask the Expert
Question Why are there separate /etc/passwd and
/etc/shadow files?
Answer From a historical perspective, account passwords used to
be stored in the /etc/passwd file exclusively. Based on additional
improvements within the area of UNIX security, user accounts now
contain new security features as defined within the /etc/shadow file.

A sample password entry for the /etc/shadow file is shown here:
stevem:JcpRL1Irplkuw:11624:::::11615:

This entry is associated with the UNIX account stevem as listed in the
previous examples. All of the fields from the /etc/shadow file are described
in Table 5-3.

Table 5-3  Fields Within the /etc/shadow File

Field          Example         Meaning
Account Name   stevem          The name of the associated UNIX account as
                               defined within the /etc/passwd file.
Password       JcpRL1Irplkuw   This field contains the encrypted password.
Last Changed   11624           When the entry was last modified.
Min Days       (blank)         The minimum number of days for the password
                               to be changed.
Max Days       (blank)         The maximum number of days that the
                               password will retain value.
Warn Days      (blank)         The number of days to warn the user of a
                               pending password expiration.
Inactive Days  (blank)         The number of days for the account to be
                               inactive before the account will expire.
Expire Date    11615           The date when the account will no longer be
                               accessible by the user.
Flag           (blank)         Reserved for future use and is currently not used.


Account Name
This is the name of a valid UNIX account as found within the /etc/passwd
file. It is important that the order of account names match those within the
/etc/shadow file. In other words, both entries should be in the same place
within each file. If you use automated account generation tools such as
admintool or useradd, name ordering shouldn’t be a problem. However,
if you edit the account files manually, you will need to specifically watch for
account name ordering.

Password
This field contains a 13-character encrypted password associated with the
account name. The account is locked when the string *LK* is listed within this
field. The passwd command is used to add or modify passwords within this field.
The password string as shown in the example above bears no resemblance to
the actual password string that was used to generate this encrypted form.

Last Changed
This field shows the number of days since this entry was changed. The number
of days is measured from 1/1/1970. Thus, in the example above, a total of
11,624 days had elapsed since 1/1/1970 when the entry was last changed.

Min Days
This field dictates the minimum number of days between account password
changes. This is a handy way to control, on a regular basis, when users should
change their passwords.

Max Days
This controls the maximum number of days that a password can remain valid.

Warn Days
This field denotes the number of days that the user will be warned pending an
expired password.

Inactive Days
This is the number of days the account can be inactive before the password will
expire. This metric is reset if the account is accessed before the actual inactivity
timer has expired.


Expire Date
This field denotes the absolute date when the account can’t be used any more.
This type of configuration may be useful for temporary accounts used by
vendors or contractors that are involved with a project where the start and
stop points are known in advance. This number is also in the same format as
the Last Changed field.
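An added Python example (not code from the book) that decodes /etc/shadow entries the way this section describes them: it splits the nine fields, converts the days-since-1/1/1970 values to calendar dates, reports the password status in the form the *LK* marker implies (PS for a normal password, LK for locked, NP for no password), and evaluates the Max Days, Warn Days and Expire Date rules against a given day. The stevem line is the one shown above; the locked, nopass and aged entries are constructed, and treating a leading ! in the password field as locked is an assumption of the example.

```python
"""Decode /etc/shadow entries: fields, epoch-day dates, status and aging.
Added example, not code from the book; sample lines other than stevem are constructed."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "password", "last_changed", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "flag")

# Constructed sample: the book's stevem entry plus a locked, an empty-password
# and an aged entry with Min/Max/Warn/Inactive values set.
SAMPLE_SHADOW = """\
stevem:JcpRL1Irplkuw:11624:::::11615:
locked:*LK*:11624:::::11644:
nopass::11600:7:90:14:30::
aged:JcpRL1Irplkuw:11500:7:90:14:30::
"""


def parse_shadow(text):
    """Return {name: dict}; numeric fields become int, blank ones become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("expected 9 fields: %r" % line)
        entry = dict(zip(FIELDS, parts))
        for field in FIELDS[2:]:
            entry[field] = int(entry[field]) if entry[field] else None
        entries[entry["name"]] = entry
    return entries


def days_to_date(days):
    """Convert a days-since-1/1/1970 field (Last Changed, Expire Date) to a date."""
    return EPOCH + timedelta(days=days)


def password_status(entry):
    """LK for a locked entry, NP for an empty password field, PS otherwise.
    Assumption: a leading '!' (as Linux usermod -L writes) also means locked."""
    pw = entry["password"]
    if pw == "*LK*" or pw.startswith("!"):
        return "LK"
    if pw == "":
        return "NP"
    return "PS"


def aging_state(entry, today):
    """Classify the entry as of `today` (a date): 'account-expired' if Expire Date
    has passed, 'no-aging' if Max Days is blank, else 'expired', 'warn' or 'ok'."""
    today_days = (today - EPOCH).days
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return "account-expired"
    if entry["max_days"] is None:
        return "no-aging"
    expires_on = entry["last_changed"] + entry["max_days"]
    if today_days >= expires_on:
        return "expired"
    warn = entry["warn_days"] or 0
    return "warn" if today_days >= expires_on - warn else "ok"


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    today = days_to_date(11624)   # the day stevem's entry was last changed
    for name, entry in entries.items():
        print("%-7s %s changed %s expire %s aging=%s" % (
            name, password_status(entry), days_to_date(entry["last_changed"]),
            days_to_date(entry["expire"]) if entry["expire"] else "-",
            aging_state(entry, today)))
```

Note what the decoder shows for the page's own sample line: 11624 is 29 October 2001, and the Expire Date of 11615 falls nine days earlier, so as of its Last Changed day that account is already past its expiry date.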

1-Minute Drill
● Why can only the superuser display the /etc/shadow file contents?
● Why does reading the password field in the /etc/shadow file not tell you
  what the password is?

● The /etc/shadow file contains sensitive password information about all users that shouldn’t be read by
  anyone other than the superuser.
● The original password is encrypted, and only the encrypted form is saved in the /etc/shadow file.

5.4 Explore UNIX Account Tools
UNIX provides a number of command-line tools to help with account maintenance.
These particular tools are for the “power user” or the advanced administrator,
because they assume a certain level of knowledge and understanding. However,
with the explanations and information presented here, you can effectively use
these tools.
The following tools will be discussed in this section:

● passwd
● pwck
● grpck
● useradd
● userdel
● usermod
● groupadd
● groupdel
● groupmod
● logins (Solaris only)
● vipw

Hint

These tools operate on the local system and they modify or update the files
listed above on the system that these tools are executed on. If you are using
NIS, you must specify alternative files so that these tools operate against the
NIS-related files. See Module 15 for information about using NIS.
passwd
The most common account tool is the passwd command. This utility is used
to change the password of an established account and can be invoked by
generic system users as well as the system administrator. For instance, to
change a password, which is the default behavior, the following procedure
would be followed:
# passwd
passwd: Changing password for stevem
Enter login password:
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for stevem

In this exchange, the system first prompts for the current password, then
prompts for the new password twice, and finally responds that the password
was changed.

Hint

This example shows what the system will display when the stevem user
changes his password.

The user stevem is asked for the old login password, plus the new password
twice. If the password change is complete, a message is displayed indicating
success. When selecting a new password, the following can be used as a general
set of guidelines:

● Each user account password must be a minimum number of characters
long. This minimum is defined within the /etc/default/passwd file.
The PASSLENGTH variable defined within this file is set to 6 on Solaris
systems. However, the system administrator can change it. Making this
value smaller means that passwords won’t be as tough to forge, while
making it larger means that users will have a harder time remembering
their passwords. This option is system wide; there is currently no way to
alter this variable for individual users.

● A password must have at least one number or special character, plus at
least two alphabetic characters. These characters may include both
uppercase and lowercase.

● A password must be different from the login name or any simple variation
of the login name. This includes using uppercase letters as well.

● New account passwords must be sufficiently different from the old ones.
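The guidelines above, as an added Python checker (not code from the book). The PASSLENGTH value of 6 is the Solaris default the text cites; the digit-for-letter substitution table used to catch variations of the login name, and the threshold of three differing characters for "sufficiently different", are this example's own assumptions rather than the rules of any particular passwd implementation.

```python
"""Check a candidate password against the four guidelines in the text.
Added example, not code from the book; substitution table and thresholds are assumptions."""
import string

PASSLENGTH = 6   # the /etc/default/passwd default on Solaris, per the text

# Assumption: map look-alike digits and symbols (and 'l') onto one canonical
# letter so that "w1Lma", "wilma" and "wlLma" all normalise to the same string.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
                               "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def normalize(text):
    """Lowercase and collapse common letter-for-symbol substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def looks_derived_from(password, login):
    """True if the login name (or its reverse) survives inside the normalised password."""
    p, l = normalize(password), normalize(login)
    return l in p or l[::-1] in p


def differs_enough(new, old, min_diff=3):
    """Assumption: 'sufficiently different' means at least min_diff character
    positions differ (a length change counts position by position)."""
    if old is None:
        return True
    if new.lower() == old.lower():
        return False
    diff = sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))
    return diff >= min_diff


def check_password(password, login, old_password=None):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < PASSLENGTH:
        problems.append("shorter than PASSLENGTH (%d)" % PASSLENGTH)
    letters = sum(c.isalpha() for c in password)
    others = sum(c.isdigit() or c in string.punctuation for c in password)
    if letters < 2 or others < 1:
        problems.append("needs at least two letters and one digit or special character")
    if looks_derived_from(password, login):
        problems.append("derived from the login name")
    if not differs_enough(password, old_password):
        problems.append("too similar to the old password")
    return problems


if __name__ == "__main__":
    for candidate in ("w1Lma", "wilmawilma", "Tr0ub4dor!"):
        print("%-12s %s" % (candidate, check_password(candidate, "wilma") or "ok"))
    print("Secret7x after Secret7y:", check_password("Secret7x", "bob", "Secret7y"))
```

The derivation check is the interesting part: a plain case-insensitive comparison would accept w1Lma for the account wilma, while normalising the substitutions first rejects it, which is exactly the kind of "variation on your login" a wordlist would try first.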

Hint

If an account password is
changed by root, the old
password is not
requested.

The passwd program supports a number of
powerful command-line options. These can be
divided into three categories: those that permit
the user to alter some information within the
account configuration files, those that control
the login account system in some way, and those
that report account information.

Modification to Account Fields
The command-line options, which control modification to the account
configuration files, are listed in Table 5-4.

Table 5-4  passwd Account Modification Options

Option   Meaning
-e       Change the login shell of the user.
-F       Use an alternative password file (HP-UX only).
-g       Change the comment field of the user.
-h       Change the home directory of the user.
-r       Specify which repository the change should be made in (HP-UX only).
         The supported locations include files, nis, and nisplus.

One of the other really interesting uses of the passwd program is to alter
specific account text fields within either the /etc/passwd or /etc/shadow
files. For example, to change the comment field of a particular user, use the –g
option. Thus, given the sample account
stevem:x:20003:10:Mr Stevee Maxwell:/homes/stevem:/usr/bin/bash

we notice that the user’s name is misspelled. To fix this situation, we can use the
passwd command with the option that permits updates to the Comment field:
# passwd -g stevem
Default values are printed inside of '[]'.
To accept the default, type .
To have a blank entry, type the word 'none'.
Name [Mr Stevee Maxwell]: Mr. Steve Maxwell

As shown above, we type in the fully corrected string. To check to ensure that
the change was made, we can do the following:
# grep stevem /etc/passwd
stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash

Displaying of Account Information
The command-line options, which show specific information from the account
files, are listed in Table 5-5.

Table 5-5  passwd Account Display Options

Option   Meaning
-a       Show password attributes for all entries within the /etc/passwd file.
-s       Show password attributes for the specified login name.

To show the password attributes for all the /etc/passwd account entries,
use the –a and –s options. Thus,
# passwd -a -s
root PS
smaxwell PS
daemon LK
bin LK
sys LK
syu NP
anonymous LK
anonymou LK

In this output, root and smaxwell are normal password accounts, while daemon,
bin, sys, anonymous and anonymou are locked accounts. The attributes listed in
the output include LK for locked account, PS for normal password, and NP for
no password. Also, the –s option can be used to list a specific login account
name, which must be given on the command line.

Controlling Account Access
The command-line options, which can be used to provide a finer grain of control
over user accounts, are listed in Table 5-6.

Table 5-6  passwd Account Controlling Options

Option   Meaning
-d       Delete the password from the specified user account (Solaris only).
-f       Forces the user to change their password the next time they
         log in to the system.
-l       Locks the specified user account immediately.
-n       Sets the minimum number of days between password changes.
-w       Sets the number of days to warn the user of a pending password change.
-x       Sets the maximum number of days for the password to be valid.

To lock out a particular user from the system, you can use the –l option
followed by the user name. Thus,
# passwd -l stevem

locks the stevem account. We can examine the account to see if the lockout
actually occurred:
# grep stevem /etc/shadow
stevem:*LK*:11624:::::11644:

As you can see, the string *LK* has replaced the contents of the Password field,
which indicates the account has been locked.

Ask the Expert
Question Why are so many guidelines necessary for password
selection?
Answer All of these guidelines are intended to make it more difficult
for another user to guess your password and gain access to your account.
Specifically, mixing numbers, special characters, and alphabetic characters
makes it more difficult to match your password by using a dictionary or
list of common words. Keeping your password very different from your
login name makes it difficult to guess your password by using a list of
variations on your login. And making your new password different from
any old one makes it difficult to guess your current password should
one of your old passwords ever be compromised.
Question Why is it important for a UNIX system administrator to
set password expiration limits for all system users?
Answer The longer a user uses the same password without changing
it, the more chance they will accidentally divulge the password to
someone else (for example, writing it on a sticky note that someone else
finds) or the more chance someone intentionally trying to break into
the system will have enough time to systematically guess until they find
a user’s password, if the user isn’t periodically changing it on their own.

pwck
The pwck utility performs a consistency check on the UNIX /etc/passwd
administrative file to ensure that it remains free from syntax errors and doesn’t
contain invalid information. This utility can be used to detect the following:

● Syntax errors
● Invalid field information
● Incorrect number of fields

Typically, this program would be executed after the /etc/passwd file was
updated. However, if the administrator uses standard tools to manipulate the
password file, then no consistency check is really needed. With many of the
system-supplied tools—for example, admintool—it would be very difficult to
introduce a syntax error since these programs were written to catch and resolve
such problems. The only time it would be needed is when the /etc/passwd file
is updated manually. In this case, because the human element is involved, it would
be possible to add an invalid character, which could make the file unusable. It
would also be possible to overlook an important field or have too much
information. If you manually manipulate the /etc/passwd file, it is
recommended that you invoke the pwck utility as the last step in the process.
To perform a scan of the local passwd file, issue the following command:
pwck

Depending on if any problems have been encountered with the file, one or
more messages will be displayed. For example, if a particular entry contains too
many fields, the following message will be shown:
billc:x:20002:10:Mr. Bill Clinton:/homes/billc:::/usr/bin/bash
Too many/few fields

To remedy this problem, edit the passwd file and delete the extra field
separators.
If a UNIX account doesn’t contain a valid home directory, the following
message will be displayed:
stevem:x:20001:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
Login directory not found

To solve this problem, simply create the necessary directory—or, if the account is
no longer used, delete it.
If you are using a password file that resides in another directory, simply
include the path as an argument to the pwck command:
pwck /var/etc/passwd

The Linux version of pwck is more sophisticated than the UNIX password file
checker; it has the capabilities to delete invalid entries on the fly as they are
encountered. For example, given the invalid UNIX /etc/passwd entry of
jsmith:x:550:100:Joe Smith, which is missing part of the login account
information, the following error output is displayed:
invalid password file entry
delete line ` jsmith:x:550:100:Joe Smith'?


As shown in the output above, the program prompts for the deletion of the
incorrect line, and answering the question with a y will delete the line, while
any other input will cause the tool to exit without performing any other actions.
With HP-UX, the –s option is supported, which tells pwck to check the
Protected Password database—this provides another level of protection over
and above the /etc/passwd database.

grpck
The grpck utility performs a consistency check on the UNIX /etc/group
administrative file and operates in the same manner as the pwck tool. It
performs similar syntax and field checks on the group file. The syntax is the
same as pwck—simply execute the grpck tool on the command line and it
will scan and report any problems it finds. The Linux version of this tool also
prompts for removal of incorrect or invalid entries.
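An added Python example (not the pwck or grpck source) of the consistency checks the two sections above describe, run against constructed passwd- and group-format text and a scratch directory tree so that the home-directory check is real. The "Too many/few fields" and "Login directory not found" messages mirror the ones quoted above; the remaining checks (non-numeric UID or GID, duplicate GIDs, group members that do not exist in the passwd file) are additional choices of this example.

```python
"""pwck/grpck-style consistency checks for passwd- and group-format text.
Added example, not the real tools; sample data is constructed."""
import os
import tempfile

# Constructed passwd text: billc has an extra pair of separators, jsmith is
# truncated, anitat has a non-numeric GID, and stevem's home directory will
# deliberately not be created in the scratch tree.
PASSWD_TEXT = """\
root:x:0:1:Super-User:/:/sbin/sh
billc:x:20002:10:Mr. Bill Clinton:/homes/billc:::/usr/bin/bash
stevem:x:20001:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
jsmith:x:550:100:Joe Smith
anitat:x:20006:abc:Anita T:/homes/anitat:/bin/sh
"""

# Constructed group text: samyu is not in the passwd text, staff reuses GID 107,
# and the last line has too few fields.
GROUP_TEXT = """\
sys::3:root
devel::107:samyu,stevem
staff::107:root
broken:107
"""


def check_passwd(text, root="/"):
    """Return [(line, message)] for each problem. `root` is prefixed to every
    home directory so the existence check can run against a scratch tree."""
    problems = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            problems.append((line, "Too many/few fields"))
            continue
        name, _pw, uid, gid, _comment, home, shell = parts
        if not name or not uid.isdigit() or not gid.isdigit():
            problems.append((line, "Invalid field information"))
            continue
        if not os.path.isdir(os.path.join(root, home.lstrip("/"))):
            problems.append((line, "Login directory not found"))
        if not shell.startswith("/"):
            problems.append((line, "Invalid login shell"))
    return problems


def check_group(text, passwd_text):
    """grpck-style checks: field count, numeric GID, duplicate GIDs, unknown members."""
    known = {l.split(":")[0] for l in passwd_text.splitlines() if l.strip()}
    problems, seen_gids = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 4:
            problems.append((line, "Too many/few fields"))
            continue
        name, _pw, gid, members = parts
        if not gid.isdigit():
            problems.append((line, "Invalid field information"))
            continue
        if gid in seen_gids:
            problems.append((line, "Duplicate GID %s (also %s)" % (gid, seen_gids[gid])))
        seen_gids.setdefault(gid, name)
        for member in filter(None, members.split(",")):
            if member not in known:
                problems.append((line, "Unknown member %s" % member))
    return problems


def run_demo():
    """Create a scratch tree containing only some of the home directories, then
    return (passwd problems, group problems) for the constructed samples."""
    with tempfile.TemporaryDirectory() as scratch:
        for home in ("homes/billc", "homes/anitat"):
            os.makedirs(os.path.join(scratch, home))
        return check_passwd(PASSWD_TEXT, root=scratch), check_group(GROUP_TEXT, PASSWD_TEXT)


if __name__ == "__main__":
    for problems in run_demo():
        for line, message in problems:
            print(line)
            print("    " + message)
```

As with the real pwck, a line that fails the field-count check is reported once and not examined further; fixing the separators and re-running is what reveals any remaining problems on that line.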

1-Minute Drill
● Why are the pwck and grpck utilities nice to have available but generally
  not needed?
● Why is w1Lma not a good password for an account named wilma?

● pwck and grpck are nice to have to perform consistency checks on /etc/passwd and /etc/group in case
  you edit these files manually or use scripts to add and modify users and groups. However, you’ll usually use
  standard tools to make these changes, and the tools will make the modifications correctly without requiring
  a consistency check.
● w1Lma is easily derived from wilma.

useradd
The useradd tool provides the ability to add a new UNIX user to the system
from the command line. Each of the required Account fields are specified on
the command line with designated options. This tool has a large number of
command-line arguments, and the most common ones are listed in Table 5-7. This
tool is very useful if you must add a user to the system but don’t have access to a
workstation that can display a GUI tool. Also, if you have the need to automate the
adding of users, this tool can be used as the basis of such automation.

Table 5-7  Common useradd Command-Line Options

Option   Meaning
-c       Specifies the account comment
-d       Specifies the account home directory
-e       Specifies account expiration
-f       Specifies the interval for account deactivation
-g       Specifies the group of the account
-G       Specifies additional account groups
-k       Specifies the directory that contains the skeleton information that will be
         copied to a new user’s account
-m       Instructs to create the user’s home directory if it doesn’t already exist
-s       Specifies the full pathname of the login shell
-u       Specifies the UID for the user
To illustrate the function of the useradd tool, consider that the following
user must be added to the system:
● Login name: tjones
● Comment: Tom Jones
● Shell: /usr/bin/bash

The syntax of the useradd command is as follows:
useradd -u 345 -g 10 -d /home/tjones -s /bin/bash -c "Tom's Account" tjones

In this case, this command specified both the user ID (345) and the group ID
(10) for the user tjones. However, you can have the system select these
values if necessary. On Solaris, the user ID is set to one above the highest
value currently in use within the /etc/passwd file. For the group ID, the default
value of 1 is used. For instance, assume that the highest user ID value already
contained within the /etc/passwd file is 25000. If the above command was
executed without the –u and –g options, such as
useradd -d /home/tjones -s /bin/bash -c "Tom's Account" tjones


then the UNIX account for tjones would be defined as follows:
tjones:x:25001:1:Tom's Account:/home/tjones:/usr/bin/bash

With Linux, when the –g option is not specified, it takes the group ID from the
user ID instead. So, the entry would look like this:
tjones:x:25001:25001:Tom's Account:/home/tjones:/bin/bash

Note that the bash shell on Linux is located in the /bin directory, whereas on
Solaris and HP-UX it is located in the /usr/bin directory. The above example
includes the use of the bash from the correct location.
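The default-value behaviour just described, as an added Python example (not the useradd source): it picks the next UID above the highest one in use, applies the Solaris rule (GID 1) or the Linux rule (GID equal to the new UID), fills in the platform's bash path, and refuses a login name that already exists, which is the duplicate check the Hint in 5.1 asks for. The existing entries are constructed so that the highest UID is 25000, matching the text.

```python
"""Model useradd's default UID/GID selection on Solaris and Linux.
Added example, not the useradd source; existing entries are constructed."""

# Constructed current /etc/passwd contents; the highest UID in use is 25000.
EXISTING = [
    "root:x:0:1:Super-User:/:/sbin/sh",
    "stevem:x:20003:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash",
    "lastone:x:25000:10:Highest UID:/home/lastone:/bin/sh",
]

# Per-platform location of bash, as stated in the text.
BASH = {"solaris": "/usr/bin/bash", "linux": "/bin/bash"}


def next_uid(entries):
    """One above the highest UID currently used (the Solaris rule in the text)."""
    return max(int(line.split(":")[2]) for line in entries) + 1


def build_entry(entries, login, comment, platform,
                uid=None, gid=None, home=None, shell=None):
    """Return the /etc/passwd line useradd would create for `login`, filling in
    the platform defaults for anything not given; raise if the name exists."""
    if any(line.split(":")[0] == login for line in entries):
        raise ValueError("login name %s already exists" % login)
    if platform not in BASH:
        raise ValueError("unknown platform %s" % platform)
    if uid is None:
        uid = next_uid(entries)
    if gid is None:
        # Solaris defaults the primary group to GID 1; Linux reuses the UID.
        gid = 1 if platform == "solaris" else uid
    home = home or "/home/" + login
    shell = shell or BASH[platform]
    return "%s:x:%d:%d:%s:%s:%s" % (login, uid, gid, comment, home, shell)


if __name__ == "__main__":
    for platform in ("solaris", "linux"):
        print(platform, build_entry(EXISTING, "tjones", "Tom's Account", platform))
```

The practical consequence of the two rules is worth noticing: on Solaris every account created without -g lands in the same shared primary group, so group-writable files are shared more widely than on a Linux system where each such account gets a group of its own.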


userdel
The userdel tool provides the ability to remove a UNIX user from the system
using the command line. The command supports a single command-line option,
-r, which will force the program to remove the home directory of the user.

Hint

The removal of users shouldn’t be done lightly, and all user accounts should
be backed up on a continuing basis. In addition, when deleting one or
more accounts, these should be backed up just before they are removed.

To remove the tjones account in the previous example, issue the following
command:
userdel tjones

In this case, the home directory for the tjones account (/home/tjones)
was not removed. To remove it when deleting the account use the –r option:
userdel -r tjones

When the above command is run, it will delete the account and remove the
home directory without any prompts. Again, back up the accounts before removal,
unless no user-defined files are there or the user simply doesn’t want the files
anymore. (However, be on the safe side and make a copy just in case.)

UNIX System Administration: A Beginner’s Guide

usermod
The usermod tool is used to make changes to already-defined UNIX accounts.
It uses many of the same command-line arguments as the useradd command
and also supports a few new ones. As a result, only those parameters not listed
in the previous table have been included in Table 5-8.
The usermod tool can be used to alter any of the UNIX account fields. All
account changes should be made when the account is inactive—that is, when
the user is currently not logged into the system. Also, if you are going to change
the user ID of an account, make sure that that user isn’t running any programs
since changing the ID will affect any running processes.
To change the Comment field of the user account named stevex, issue the
following command:
usermod -c "Mr Steve's Account" stevex

To disable the account tjones on a Linux system, do the following:
usermod -L tjones

Next, examine the results with the following command:
# grep tjones /etc/shadow
tjones:!$1$K98bVe3s$1NnaEYqFw8XRF6r25S/A:11690:0:99999:7:::

As you can see, a bang (!) character has been placed in the password file at the
beginning of the Password field entry. This effectively disables the account
because the password supplied by the user will never match the one with the
new character. To enable the account, use the -U option:
usermod -U tjones

and then examine the account again:
# grep tjones /etc/shadow
tjones:$1$K98bVe3s$1NnaEYqFw8XRF6r25S/A:11690:0:99999:7:::

The bang character is now gone.

Option  Meaning
-l      Change the existing user name to a new name.
-L      Lock the user account (Linux only).
-m      Move the user’s home directory.
-U      Unlock the user account (Linux only).
-u      Modify the UID.

Table 5-8  The usermod Command-Line Arguments

Hint

Using the –U option on a Red Hat Linux 7.0 system with a new account didn’t
completely remove the bang characters the first time. Instead, the command
needed to be repeated a second time before they were removed. This is
because two bang characters are used when no password has been assigned
to a new account.
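Because a leading bang is all that distinguishes a locked account from an active one, it is worth being able to audit the password field systematically rather than reading grep output by eye. The script below is an added example, not code from the book: it classifies constructed /etc/shadow lines (the hashes are made-up placeholders) as locked, passwordless, disabled or active, and counts the leading bang characters, which is what lies behind the Hint above about a new Red Hat account needing -U twice. The function names and the sample data are my own.

```shell
#!/bin/sh
# Added example (not from the book): classify each /etc/shadow entry by the
# markers in its password field. A leading "!" is what usermod -L writes;
# "!!" is what a brand-new Linux account with no password carries. Runs on
# constructed sample lines, so no root access and no real shadow file needed.

# Constructed sample shadow lines; the hashes are made-up placeholders.
SAMPLE_SHADOW='root:$1$PLACEHOLDERHASHroot:11690:0:99999:7:::
tjones:!$1$PLACEHOLDERHASHtjones:11690:0:99999:7:::
newuser:!!:11690:0:99999:7:::
legacy::11690:0:99999:7:::
daemon:*:11690:0:99999:7:::'

# shadow_state LOGIN SHADOW_CONTENT -> prints one of:
#   locked      password field starts with "!" (usermod -L style lock)
#   nopassword  password field is empty: the account can log in with no password
#   disabled    password field is "*" (no valid hash and no lock prefix)
#   active      anything else, i.e. a real hash
#   unknown     login not present in the data
shadow_state() {
    printf '%s\n' "$2" | awk -F: -v login="$1" '
        $1 == login {
            found = 1
            if ($2 == "")            print "nopassword"
            else if ($2 ~ /^!/)      print "locked"
            else if ($2 == "*")      print "disabled"
            else                     print "active"
        }
        END { if (!found) print "unknown" }'
}

# lock_depth LOGIN SHADOW_CONTENT -> number of leading "!" characters.
# A value of 2 is the "!!" case the Hint describes for a new account.
lock_depth() {
    printf '%s\n' "$2" | awk -F: -v login="$1" '
        $1 == login { n = 0; s = $2
                      while (substr(s, n + 1, 1) == "!") n++
                      print n; exit }'
}

# audit_shadow SHADOW_CONTENT -> "login state" per line, for review.
audit_shadow() {
    printf '%s\n' "$1" | cut -d: -f1 | while read -r login; do
        printf '%s %s\n' "$login" "$(shadow_state "$login" "$1")"
    done
}

audit_shadow "$SAMPLE_SHADOW"
```

On a live Linux system, `audit_shadow "$(cat /etc/shadow)"` run as root gives the same report; the nopassword state is the one to look for first, since it is a login that needs no credential at all.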

groupadd
The groupadd command provides the ability to add a new group to the
system using the command line. The command-line options include the -g and
-o arguments. The -g option permits the specification of the group ID number
instead of using the next-highest number defined by the system. The -o option
permits the inclusion of a duplicate group ID number. To add a new group
called support to the system, issue the following command:
groupadd support

To verify the new group, do the following:
bash-2.03# grep support /etc/group
support::1001:


groupdel
The groupdel command provides the inverse of the groupadd command; it
removes an existing UNIX account group. For instance, to remove the support
group that was created above, execute the following command:
groupdel support

To verify the new group was in fact deleted:
# grep support /etc/group

groupmod
The groupmod tool is used to alter the name of an existing group. For example,
if you wanted to change the name of an existing group, you could issue the
following command:
groupmod -n devel support

This would rename the support group to the devel group while keeping the
group membership (that is, the list of account names) intact. The -n option is
used to indicate the name of the new group. This command also supports the
-g and -o options, and they have the same meaning as those options from the
groupadd command.

logins
The Solaris system supports a tool called logins that displays a list of all the
defined users on the system. The tool supports a few command-line options,
and the most useful ones are listed in Table 5-9.
Issuing the logins command without any command-line arguments
displays a list of all the defined accounts on the system sorted by the user ID.
Thus, the command
logins

will show
root        0                1      Super-User
smaxwell    0                1      Super-User
daemon      1                1
bin         2       bin      2
sys         3       sys      3
adm         4       adm      4      Admin
uucp        5       uucp     5      uucp Admin
nuucp       9       nuucp    9      uucp Admin
listen      37      adm      4      Network Admin
lp          71      lp       8      Line Printer Admin
syu         100              111
anonymous   101              1
anonymou    102              1
stevex      345     staff    10     Steve's Account
anitat      1001    staff    10     Ms. Anita Tognazzini
stevem      20001   staff    10     Mr. Steve Maxwell
billc       20002   staff    10     Mr. Bill Clinton
samc        20110   staff    10     Mr Sam Clinton
jjwalker    25000            1      Mr JJ Walker
nobody      60001   nobody   60001  Nobody
noaccess    60002   noaccess 60002  No Access User
nobody4     65534   nogroup  65534  SunOS 4.x Nobody

Option  Meaning
-a      Displays two additional password expiration fields in the output
-d      Displays only logins with duplicate IDs
-g      Displays all accounts matching the specified group name
-l      Displays the specified user
-m      Shows multiple group membership information
-o      Displays the information using colon-separated fields with one entry per line
-p      Displays logins that contain no passwords
-s      Displays only system logins
-t      Displays entries sorted by login and not the user ID
-x      Displays additional information about each user

Table 5-9  The logins Command-Line Options


The output includes the username of the account in the first field, and the second
is the user identification. The third field is the primary group, the fourth field is
the group ID, and the fifth is the Comment field.
If we wanted to tighten the output from above, we could use the -o option.
We could also use the -u option if we only wanted to display generic user accounts (that is,
no system accounts). Combining the two, we could use the following command:
logins -o -u

This command would show
syu:100::111:
anonymous:101::1:
anonymou:102::1:
stevex:345:staff:10:Steve's Account
anitat:1001:staff:10:Ms. Anita Tognazzini
stevem:20001:staff:10:Mr. Steve Maxwell
billc:20002:staff:10:Mr. Bill Clinton
samc:20110:staff:10:Mr Sam Clinton
jjwalker:25000::1:Mr JJ Walker
nobody:60001:nobody:60001:Nobody
noaccess:60002:noaccess:60002:No Access User
nobody4:65534:nogroup:65534:SunOS 4.x Nobody

Thus, the output has been reduced and only the generic user accounts have
been displayed. A user account is one that contains a user ID above 99.
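The listing above is worth a second look: two accounts, root and smaxwell, carry UID 0, which is exactly what the -d option exists to surface. The following script is an added example and not the book's code: it reproduces the duplicate-ID check and the colon-separated user-account listing from a constructed /etc/passwd and /etc/group (sample data modelled on the book's output), so the same checks can be run on a system without the Solaris logins tool. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): two of the logins checks re-implemented
# with awk on a constructed passwd/group pair, including the second UID 0
# account seen in the book's listing. Sample data, not a real system.

SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
smaxwell:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
syu:x:100:111::/home/syu:/bin/sh
stevex:x:345:10:Steve'"'"'s Account:/home/stevex:/usr/bin/bash
jjwalker:x:25000:1:Mr JJ Walker:/home/jjwalker:/usr/bin/bash
nobody:x:60001:60001:Nobody:/:'

SAMPLE_GROUP='staff::10:
lp::8:
nobody::60001:'

# duplicate_uids PASSWD -> one line per UID shared by more than one login,
# e.g. "0 root smaxwell". Same idea as logins -d.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print u names[u] }' | sort -n
}

# uid0_accounts PASSWD -> logins with UID 0 other than root. Each hit is a
# second superuser and should be explained or removed.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# user_accounts PASSWD GROUP -> logins -o -u style lines
# (login:uid:group:gid:comment) for UIDs above 99; the group name comes
# from the group data and is left blank when the GID is not defined there.
user_accounts() {
    { printf '%s\n' "$2"; echo GROUPS-END; printf '%s\n' "$1"; } | awk -F: '
        !passwd_section {
            if ($0 == "GROUPS-END") passwd_section = 1
            else if (NF >= 3) gname[$3] = $1
            next
        }
        $3 + 0 > 99 { printf "%s:%s:%s:%s:%s\n", $1, $3, gname[$4], $4, $5 }'
}

echo "duplicate UIDs:";      duplicate_uids "$SAMPLE_PASSWD"
echo "extra UID 0 accounts:"; uid0_accounts "$SAMPLE_PASSWD"
echo "user accounts:";       user_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Substitute `"$(cat /etc/passwd)"` and `"$(cat /etc/group)"` for the sample variables to run the checks against a live host.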

vipw
The vipw command provides a quick way to edit the password file. Running
the command starts the vi editor with the /etc/passwd file so that you can
edit the contents. Thus, you will need to know how to use the vi editor to
make changes to this file. The Linux system also provides the vigr command,
which provides the same service but with the /etc/group file.

Project 5-1
In this project you learn about your own permissions and group memberships
on your system, and how to manage them and make changes.


Step-by-Step
1. Display your user account from the /etc/passwd file:
# grep yourusername /etc/passwd

2. Find and display all the groups you belong to:
# grep yourusername /etc/group

3. Create a new group name flintstones:
# groupadd flintstones

4. Display the group information about the flintstones group:
# grep flintstones /etc/group

5. Create a new user, wilma, with the comment Wilma Flintstone, and make the
home directory for the user /homes/wilma. Let the system specify the user
ID. Make wilma part of the flintstones group you created in the previous steps.
useradd -g flintstones -d /home/wilma -m -c "Wilma Flintstone" wilma

6. Change the wilma user account name to wilmaf:
usermod -l wilmaf wilma

7. Display the group information about the flintstones group to see if wilmaf is
a member:
# grep flintstones /etc/group

8. Delete the wilmaf account and her home directory:
userdel -r wilmaf

9. Delete the flintstones group:
groupdel flintstones


Mastery Check
1. What account has the user ID value 0?
A. Yours
B. Root
C. Admin
D. Shell
2. What shell will be used by default if no shell is specified for a given user
account in the /etc/passwd file?
A. bash
B. csh
C. tcsh
D. sh
3. __________ provide a way to establish collections of users that share one
or more things in common.
4. In this example from an /etc/shadow file, barney:LtyH4YUn3swer:
11764:30:45:5::11800:, how many days warning will the user get before
the password expires?
A. 30
B. 45
C. 5
D. 0
5. What command would you use to force user wilma to change her
password the next time she logs in?
6. Which file stores information defining the minimum character length for a
password?
A. /etc/default/passwd
B. /etc/passwd
C. /etc/shadow
D. /etc/group
7. In Linux, what command would you use to lock the wilma user account?
8. What is the command to display password attributes for your account?
9. Which of the following is the best new password for the barney account based
on the password criteria in this module if his current password is po82Yq?
A. ruBBle
B. po38Yq
C. KpF4j7
D. bARn3y

Module 6
File Systems, Disks, and Tools

Critical Skills
6.1 Explore a UNIX File System
6.2 Uncover a Disk Partition
6.3 Determine a Mounted File System
6.4 Create a New File System

Copyright 2002 by The McGraw-Hill Companies, Inc.
Perhaps one of the most important and somewhat complicated aspects of
UNIX system administration involves file systems, peripheral disks, and the
tools used to maintain these file systems, which are placed on storage devices.
As the system administrator, you will be required to handle file system related
problems, such as repairing a corrupt file system or creating a new one. Further,
you will need to know how to add additional storage devices to the system and
be able to configure them correctly. The bottom line is that you must be ready
to handle issues and problems quickly, and this module prepares you to address
some of the more common problems and situations that may occur during
day-to-day system operations.
This section covers the software aspect of adding and configuring new storage
to the system; due to the scope of this book, no physical hardware details will
be covered. If you have hardware related questions, you should consult the
documentation materials that were provided by the hardware manufacturer of
the system or peripheral device you are using. Also, as a general rule, when
attempting to determine the source of a problem on UNIX, it becomes paramount
that, as the system administrator, you determine whether the problem is hardware
or software based. For example, if for some reason one or more particular UNIX
files are not available on the system, several different issues could cause this
problem. Some of the issues could, in fact, be hardware related. Thus, identifying
faulty hardware quickly can save valuable time up front instead of assuming the
problem must be related to the configuration or some system software issue.

6.1 Explore a UNIX File System
A file system is simply a collection of objects (files or directories, for example)
that are organized to provide the following: efficient data access, data
integrity, manageability, and the scalability to support many objects.
UNIX file systems provide these elements and more; they are the foundation
and capstone for all file access on the system, and without a file system, the
UNIX system wouldn’t be that useful.
A file system supports objects or containers such as files, directories, and
hidden data structure elements. A high level view of a file system is shown in
Figure 6-1. Files are defined as individual containers that are used to access text
or data. The text of a file can simply be a collection of strings. As we have already
seen, we have accessed standard text files on UNIX already. For example, the
/etc/passwd file contains a list of users in the form of text strings. Files can also

Module 6: File Systems, Disks, and Tools

Figure 6-1  File system view

be used to store data. Data within a file can represent almost anything; a UNIX
program, for example, can be considered a data file. In addition, data can take
other forms as well; a database may contain lists of names and addresses or
statistical information.
As the figure above shows, the definition of a file resides within the context
of a directory, which in turn is defined within a file system, and the file system
is stored on a disk drive.
A directory is a container of files and with many operating systems,
directories may contain additional sub-directories. Thus, a directory permits the
file system to become hierarchical. That is to say, directories and sub-directories
can be formed in such a manner as to build a reverse tree-like structure as
shown in Figure 6-2. As you can see, the root (base) of the tree is at the top and

Figure 6-2  Tree structure of a file system

as additional directories are added, the tree becomes larger by expanding
the branches or leaves at the bottom of the tree.
The remaining file system elements consist of specific data structures that
are used to support and maintain the file system or provide for “housekeeping”
tasks and routines. Two of the common data structures that you will hear about
are the i-node table and the super block. The i-node table is used to keep track of
all the files within the file system. The i-node contains many of the attributes of
the file (such as the size of the file) and pointers to where the actual data of the
file is located. When you issue the ls command, many of the items contained
within the file’s i-node are displayed.
The super block is an area on the disk which contains important file system
information, such as the state of the file system, the number of i-nodes used, and
when the system was last error-checked. Since the super block is important, it is
automatically replicated to other areas on the disk to ensure that the information
will be available should the disk drive encounter some hardware-related problems
and the file system require repair.
All operating systems support some type of file system organization or
structure. Thus, all operating systems share this element. Since different file
systems exist, in many instances they are incompatible because the structure
and format differ. For example, the file system layout of an IBM mainframe
operating system differs from what is supported on HP-UX.
However, in practice, some of these incompatibilities are minimized by the use
of specialized tools and software. File conversion utilities can be used in some
cases. Also, due to the extreme popularity of networks, many disparate systems
are interconnected and file system objects can be transported from one system
to another without explicit conversion between different file systems. This
aspect of networking will be covered in detail in the modules on FTP and NFS.
You can view all the currently available file systems on the system by issuing
the df -k command. A sample is shown below:
Filesystem                                   kbytes    used    avail capacity  Mounted on
/dev/dsk/c0d0s0                              480815   38088   394646     9%    /
/dev/dsk/c0d0s6                             1587078  628757   910709    41%    /usr
/dev/dsk/c0d0p0:boot                          10484    1668     8816    16%    /boot
/dev/dsk/c0d0s1                              384847   22020   324343     7%    /var
swap                                        1007100     384  1006716     1%    /tmp
/dev/dsk/c0d0s5                              480815    7016   425718     2%    /opt
/dev/dsk/c0d0s7                             4225774     268  4183249     1%    /export/home
/vol/dev/dsk/c1t0d0/s8_software_companion    622422  622422        0   100%    /cdrom/s8_software_companion
#

The -k option changes the default output of the df command to be more
useful. The output includes the file system name, the size, the space used, the space
available, the current capacity used, and the mount point. The Filesystem name
presents the actual partition name defined for the disk that the file system resides
on. With the first entry, the file system name is /dev/dsk/c0d0s0. With
UNIX, many hardware elements of the system are represented and accessed
with special files. These files don’t contain text or user data. Instead, they are
access points into the drivers that control the hardware components. In the case
of a file system, the special file determines which partition on the disk should
be used when accessing the file system.
The kbytes column represents the total size of the file system that can be used
to store information, while the used column indicates the amount of space
currently used by all files. The avail column is the total available space that can be
used for new files. The capacity column shows the space used as a percentage.
The Mounted on column shows which directory each file system is mounted on.
Depending on the UNIX operating system version, the file system name or
partition access point can be different. Two major formats are used; for HP-UX
and Solaris, the area on the disk is described with the format c0d0s0, while on
Linux the standard partition name of /dev/hd is used. The meaning of the
first format is shown in Figure 6-3.
The disk controller (c) number corresponds to the interface to which this
particular disk is attached. The disk (d) number identifies which disk out of
all the attached disks for that particular controller. The slice (s) number identifies
which particular partition given all the defined partitions on the disk. Thus, c0d0s0 is
interpreted as the first partition or slice (s0) on the first disk drive (d0) from the first disk
controller (c0).

Hint

The naming convention of file system access points is from the UNIX System V
releases; BSD derived releases use a different standard.

Figure 6-3  File system access point

The Linux output of the df command is quite similar to both HP-UX and Solaris and
contains basically the same fields. However, the major difference is the name of
the file system device files or access points. Thus, when the same df command
is run on Linux, we see
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda6              2071384   1111760    854400  57% /
/dev/hda1              2071384    497108   1469052  26% /rh62
/dev/hda5              2071384    391036   1575124  20% /rh61
/dev/hda7              1035660        20    983032   1% /ffn
/dev/hda9               521748     79504    415740  17% /home

The hd simply means “hard drive” and is followed by a letter to indicate
which drive in the system. Next, we see that the partition number is appended
to the end of the file system file name. Thus, the root (/) file system is
contained within the sixth partition of the first drive known as “a”.
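Both df formats above have the same six columns once the header is skipped, which makes them easy to watch automatically, and the device names follow the two conventions just described. The script below is an added example and not code from the book: it flags file systems at or above a capacity threshold in constructed Solaris-style and Linux-style df -k output, and decodes a device name into controller, disk and slice (or drive letter and partition). The function names and the sample listings are my own; the t (target) component in names like c0t1d0s6, which the format tool output later in this module shows but Figure 6-3 does not cover, is the SCSI target number, and handling it here is my addition.

```shell
#!/bin/sh
# Added example (not from the book): parse df -k output in the Solaris/HP-UX
# and Linux layouts, report file systems over a capacity threshold, and
# decode device access-point names. Input is constructed sample text; on a
# live system pipe `df -k` in instead.

# Constructed sample, modelled on the Solaris listing in the text.
SOLARIS_DF='Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0       480815   38088  394646     9%    /
/dev/dsk/c0d0s6      1587078  628757  910709    41%    /usr
/dev/dsk/c0d0s7      4225774     268 4183249     1%    /export/home
/vol/dev/dsk/c1t0d0/s8_software_companion 622422 622422 0 100% /cdrom/s8_software_companion'

# Constructed sample, modelled on the Linux listing in the text.
LINUX_DF='Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda6              2071384   1111760    854400  57% /
/dev/hda9               521748     79504    415740  17% /home'

# over_capacity THRESHOLD DF_OUTPUT -> "mountpoint percent" for every file
# system whose use percentage is >= THRESHOLD. The header (line 1) is
# skipped; in both layouts the fifth field is the percentage and the sixth
# the mount point.
over_capacity() {
    printf '%s\n' "$2" | awk -v limit="$1" '
        NR > 1 && NF >= 6 { pct = $5; sub(/%/, "", pct)
                            if (pct + 0 >= limit) print $6, pct "%" }'
}

# decode_device NAME -> human-readable breakdown of a device file name:
#   /dev/dsk/c0t1d0s6 -> controller 0, target 1, disk 0, slice 6
#   /dev/dsk/c0d0s0   -> controller 0, disk 0, slice 0
#   /dev/hda6         -> hard drive a, partition 6
decode_device() {
    base=${1##*/}
    case $base in
        c[0-9]*t[0-9]*d[0-9]*s[0-9]*)
            rest=${base#c}; ctl=${rest%%t*}
            rest=${rest#*t}; tgt=${rest%%d*}
            rest=${rest#*d}; dsk=${rest%%s*}
            slc=${rest#*s}
            printf 'controller %s, target %s, disk %s, slice %s\n' "$ctl" "$tgt" "$dsk" "$slc" ;;
        c[0-9]*d[0-9]*s[0-9]*)
            rest=${base#c}; ctl=${rest%%d*}
            rest=${rest#*d}; dsk=${rest%%s*}
            slc=${rest#*s}
            printf 'controller %s, disk %s, slice %s\n' "$ctl" "$dsk" "$slc" ;;
        hd[a-z][0-9]*)
            drv=${base#hd}; drv=${drv%%[0-9]*}
            part=${base#hd[a-z]}
            printf 'hard drive %s, partition %s\n' "$drv" "$part" ;;
        *)
            printf 'unrecognised device name: %s\n' "$1"; return 1 ;;
    esac
}

over_capacity 40 "$SOLARIS_DF"
over_capacity 40 "$LINUX_DF"
decode_device /dev/dsk/c0d0s0
decode_device /dev/hda6
```

A mounted CD-ROM will always report 100%, as the sample shows, so a real monitoring job should exclude read-only media from the threshold check.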

6.2 Uncover a Disk Partition
A file system typically is defined within the boundaries of a disk partition. A
disk partition is a fixed area defined on a storage medium for the purposes of
data access. Figure 6-4 shows the high level view of disk partitions. A partition
is also known as the disk layout, partition map, or logical drive. For example,
on Linux, / is the root file system. This particular file system resides within a
physical partition on one of the disks contained in a system. As you can see
from the figure, a disk can have a number of partitions and/or file systems.

Figure 6-4  View of disk partitions

However, most systems limit the number of partitions that can be configured,
and for good reason: attempting to manage a large number of partitions on a
single disk can be difficult. Also, in some cases, the upper limit on the number
of partitions is controlled by the architecture of the system in question.
Typically, disk partitions are defined during system installation and
configuration. However, there are times when you need to modify the partition
map or to display all the defined partitions on a disk. UNIX provides tools for the
purpose, and depending on the UNIX version, the tool will be different. For
example, on the Linux system, the fdisk tool can be used to display the
partition table for a particular disk, while Solaris uses the format command.
Thus, the command
fdisk -l /dev/hda

will show output similar to
Disk /dev/hda: 255 heads, 63 sectors, 3737 cylinders
Units = cylinders of 16065 * 512 bytes
Bootable partition indicated by *

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1       262   2104483+  83  Linux
/dev/hda2           263      1049   6321577+   f  Win95 Ext'd (LBA)
/dev/hda5           263       524   2104483+  83  Linux
/dev/hda6           525       786   2104483+  83  Linux
/dev/hda7           787       917   1052226   83  Linux
/dev/hda8           918       983    530113+  82  Linux swap
/dev/hda9           984      1049    530113+  83  Linux

The output shows each of the partition names (Device), the start
and stop ranges (Start and End), the total size of the partition in blocks
(Blocks), the id for the partition (Id), and the type of file system or use
for the partition (System). The Boot field indicates which partition is


bootable, with an asterisk, so that when the system is restarted, it boots with
the correct partition. In the example, the /dev/hda1 partition (which is the
root file system) is bootable.
Solaris provides the prtvtoc command, which displays the geometry or
layout of the disk with all the defined partitions. For example, the command
# prtvtoc /dev/dsk/c0d0s0

provides the following information:
* /dev/dsk/c0d0s0 partition map
*
* Dimensions:
*     512 bytes/sector
*      63 sectors/track
*      16 tracks/cylinder
*    1008 sectors/cylinder
*   16654 cylinders
*   16652 accessible cylinders
*
* Flags:
*   1: unmountable
*  10: read-only
*
* Unallocated space:
*       First     Sector    Last
*       Sector     Count    Sector
*    16784208      1008  16785215
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00       3024   1024128   1027151   /
       1      7    00    1027152    819504   1846655   /var
       2      5    00          0  16785216  16785215
       3      3    01    1846656   2048256   3894911
       5      0    00    3894912   1024128   4919039   /opt
       6      4    00    4919040   3277008   8196047   /usr
       7      8    00    8196048   8588160  16784207
       8      1    01          0      1008      1007
       9      9    01       1008      2016      3023
This command provides the same information as the fdisk utility, which
includes the mapping of each partition defined on the disk. It also includes more
information about the size of the disk and related information. The prtvtoc


command requires a special file (or access point) that represents the disk to
probe for the partition information.

1-Minute Drill
● What are some common components of a file system?
● Describe two methods for systems with different operating system file systems
to communicate and exchange files

6.3 Determine a Mounted File System
In order to use a file system that has been defined, a connection must be made
between the file system itself and the system on which it will be made available. This
is known as mounting, and each file system must be mounted onto the system
before it can be used. Mounting a file system requires two basic components:
the file system and a directory that is used as the access point for the file system.
For example, assume that a file system has been created on the /dev/hda6
partition to store user files, and you would like to make this file system
available to users of the system. We need to mount the partition under the root
(/) file system. Assume also that we would like to associate the home directory
with this file system. So, when users access this file system, the UNIX path
would begin with: /home. Figure 6-5 illustrates the high level view of two
mounted file systems.
Figure 6-5 shows two mounted file systems; hda6 (which is the root file
system) and hda1 (which is for user files). These are combined together, with
what appears to be a single file system. In reality they are two separate file systems.
As you recall, the df command displays information about the file system
and also the mount point. Thus the entry
/dev/hda9               521748     79504    415740  17% /home

shows that the /dev/hda9 file system is mounted on the /home directory.
● Files, directories, subdirectories, hidden data file structures
● They could communicate through special file conversion hardware or software tools. Or they could
exchange data through a common network facility such as FTP or NFS.

Figure 6-5  Mounting File Systems

Creating a New File System

Setting up a new file system is a straightforward process. However, having said
that, care must be taken to ensure that you fully understand what you are doing.
Assuming that you already have the partition map defined, do the following
high level tasks:
1. Determine which partition will contain the file system.
2. Alter the partition map for the file system.
3. Create the file system.
4. Verify that the file system is functional.
5. Make the file system available by mounting it.

To complete steps 1 and 2, consult the sections “Using the Solaris Format Tool”
or “Using the Linux fdisk Tool” depending on the operating system you have.
Steps 3 and 4 are described in this section, “Creating a New File System,” while the
remaining step is covered in “Mounting UNIX File Systems.”
As previously discussed, the partition table could be viewed using various
UNIX commands. On Solaris and HP-UX, use the format command to view
partitions for each disk drive. For Linux, use the fdisk command.

Using the Solaris Format Tool
The format command is used to both modify/define/display a partition table
and also format a disk drive. In this example, the command will be used to
display and modify the partition table.

Ask the Expert
Question Why should you make changes to the system when it is
not in use and can be taken "off-line" if at all possible?
Answer Making disk changes to a live or production system can be
a very dangerous thing to do! A small change could render the system
unusable. However, sometimes you must make modifications to one or
more critical systems even during peak usage. For example, you might
need to create a new file system for additional users in the middle of the
day because you are out of disk space. In cases like these, please make
sure that you double check your work and also ensure that adequate
backups have been done.

To run the command, type the following
at the shell prompt as the super user:
# format

The command displays the following depending on the number of disks
installed on the system:
Searching for disks...done
Two disks available to select

AVAILABLE DISK SELECTIONS:
0. c0t0d0 
/pci@1f,0/pci@1,1/scsi@2/sd@0,0
1. c0t1d0 
/pci@1f,0/pci@1,1/scsi@2/sd@1,0
Specify disk (enter its number):

In this case, the system contains two disk drives (c0t0d0) and (c0t1d0)
and one must be selected to continue with executing the format command.
Assume that the second disk (disk number 1) is selected. As a result of
selecting this disk, this command outputs the following:
selecting c0t1d0
[disk formatted]

FORMAT MENU:
        disk       - select a disk
        type       - select (define) a disk type
        partition  - select (define) a partition table
        current    - describe the current disk
        format     - format and analyze the disk
        repair     - repair a defective sector
        label      - write label to the disk
        analyze    - surface analysis
        defect     - defect list management
        backup     - search for backup labels
        verify     - read and display labels
        save       - save new disk/partition definitions
        inquiry    - show vendor, product and revision
        volname    - set 8-character volume name
        !          - execute , then return
        quit
format>

Display the Partition Table
To show the partition table, type the partition command at the format>
prompt:
format> partition

This command can be abbreviated and the “p” character could have
been used to save on keystrokes. Once this command is input, another
menu is displayed:
PARTITION MENU:
        0      - change `0' partition
        1      - change `1' partition
        2      - change `2' partition
        3      - change `3' partition
        4      - change `4' partition
        5      - change `5' partition
        6      - change `6' partition
        7      - change `7' partition
        select - select a predefined table
        modify - modify a predefined partition table
        name   - name the current table
        print  - display the current table
        label  - write partition map and label to the disk
        !      - execute , then return
        quit
partition>

Use the print command to display the current partition table. Thus,
partition> print

will show the following:
Current partition table (original):
Total disk cylinders available: 4924 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders         Size            Blocks
  0       root    wm       0 -   73      129.75MB    (74/0/0)       265734
  1       swap    wu      74 -  147      129.75MB    (74/0/0)       265734
  2     backup    wu       0 - 4923        8.43GB    (4924/0/0)   17682084
  3 unassigned    wm       0                  0      (0/0/0)             0
  4 unassigned    wm       0                  0      (0/0/0)             0
  5 unassigned    wm       0                  0      (0/0/0)             0
  6        usr    wm     148 - 4923        8.18GB    (4776/0/0)   17150616
  7 unassigned    wm       0                  0      (0/0/0)             0

partition>

The output includes six fields that describe each of the partitions. A total of
eight partition slots are available for this disk, and they are numbered 0 through
7 as displayed in the Part column. Thus, with the Solaris operating system, a
total of eight partitions can be defined per disk drive. The Tag field indicates
the type of file system or use for the partition. For instance, the first partition
(0) is used as the root file system. This file system is used to boot the system.
The second partition is used for swap space, etc. The unassigned tag means
that the partition is empty or not defined; that is why the remaining fields do
not contain any values. The Flag field is used to specify the access permission
for each partition. The Cylinders field specifies the range of disk offsets that
define the size of the partition. The unit in this case is cylinder groups, which
are vertical addresses of the disk drive. The Size field shows the total storage
capacity of the partition, and the Blocks field specifies the total number of
blocks based on the total size of the partition, which is the rightmost value
displayed in the Blocks field. The values in parentheses are the absolute block
numbers/cylinder group pairs.

Modify Partition Size
To alter the size of an existing partition, type the partition number at the
partition> prompt. For example, assume that partition 6 will be reduced
in size from approximately 8 gigabytes (GB) to 4 gigabytes:
partition> 6
Part      Tag    Flag     Cylinders         Size            Blocks
  6        usr    wm     148 - 4923        8.18GB    (4776/0/0)   17150616

When the partition number is typed, the format program echoes the
partition definition and then prompts for new information:
Enter partition id tag[usr]: Enter

Keep hitting the Enter key to proceed through the prompts until you are
at the Enter partition size prompt.
Enter partition permission flags[wm]: Enter
Enter new starting cyl[148]: Enter
Enter partition size[17150616b, 4776c, 8374.32mb, 8.18gb]: 4.0gb

At this point we have accepted the previous values and the size of the
partition can be reduced by inputting the desired size. In this case, 4.0gb has
been entered to make the partition roughly half the size it was before. Use the p
command to display the partition map and note the change for partition
number 6:
  6        usr    wm     148 - 2484        4.00GB    (2337/0/0)    8392167

The output shows the expected partition size. Note that the partition size
could be expressed in several different values to include the total number of
blocks, the number of cylinders, in megabytes, and even gigabytes. You must
include one of the unit description characters with the value. For example, to
specify megabytes use the mb character string. The other description strings are
b for block, c for cylinder, and gb for gigabytes.


Create a New Partition
Defining a new partition is a very simple process. For example, assume that
another new partition must be defined to contain additional space for system
users. With Solaris, the partition maps have been predefined based on the
type of disk installed within the system. As a result, when a new partition must
be set up for an existing pre-installed disk, the process includes specifying
partition parameters and saving the new partition table. For example, based on
the disk partition table shown below, partition number 7 is currently unassigned
and thus unused.
Current partition table (original):
Total disk cylinders available: 4924 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
  0       root    wm       0 -   73     129.75MB    (74/0/0)     265734
  1       swap    wu      74 -  147     129.75MB    (74/0/0)     265734
  2     backup    wu       0 - 4923       8.43GB    (4924/0/0) 17682084
  3 unassigned    wm       0               0         (0/0/0)          0
  4 unassigned    wm       0               0         (0/0/0)          0
  5 unassigned    wm       0               0         (0/0/0)          0
  6        usr    wm     148 - 2484       4.00GB    (2337/0/0)  8392167
  7 unassigned    wm       0               0         (0/0/0)          0

We would like to define this partition for the purposes of creating a new
file system. Also, notice that approximately 4 GB of storage is available for this
new partition. This is determined by examining the total amount of space
reported for the backup partition (2) and comparing it with the sizes of the
existing partitions: partitions 0 and 1 together use about 260 MB and partition
6 uses 4 GB, out of the 8.43 GB the backup partition reports. The backup partition
(or partition c on BSD-derived systems) is defined to cover the entire disk
drive, so its size is the total disk space. The type of disk and the total disk
space were also displayed when the format command was first invoked. The new
partition's cylinder range must start after cylinder 2484 and must not overlap
the cylinders already assigned to partitions 0, 1, and 6; overlapping partitions
silently corrupt one another's data.

Save Partition Changes
The next step is to save any partition changes to the disk, and this is done
with the label command. Executing this command writes the disk label (the
VTOC, or volume table of contents), which lives in a reserved area at the
start of the disk, usually the first sector. Until label is run, the changes
made at the partition> prompt exist only in the format program's memory.
When you run the label command, the format tool prompts for verification:
partition> label
Ready to label disk, continue? Y

Using the Linux fdisk Tool
The fdisk command is used to make changes to the partition table on the
system. Specifying the special file of the disk under /dev on the command line
tells fdisk which disk should be modified:
fdisk /dev/hda

When run, this will display the following:
Command (m for help):

To display a list of the available commands with this tool, use the m
command. When this command is run, it will display the following:
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Nothing is written to the disk until the w command is given; q discards every
change made during the session.


Display the Partition Table
To show the partition table, type the p command at the command prompt:
Disk /dev/hda: 255 heads, 63 sectors, 3737 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1       262   2104483+  83  Linux
/dev/hda2           263      1049   6321577+   f  Win95 Ext'd (LBA)
/dev/hda5           263       524   2104483+  83  Linux
/dev/hda6           525       786   2104483+  83  Linux
/dev/hda7           787       917   1052226   83  Linux
/dev/hda8           918       983    530113+  82  Linux swap
/dev/hda9           984      1049    530113+  83  Linux

Command (m for help):

Here /dev/hda2 is an extended partition; /dev/hda5 through /dev/hda9 are
logical partitions carved out of it, which is why their cylinder ranges all
fall inside the range of /dev/hda2.

6.4 Create a New File System
There are at least two ways to create a new file system: the easy way and the
hard way. The easy way involves using the newfs command, while the hard
way is to use the mkfs command. Both accomplish the same thing, but the
mkfs command is much harder to use because it requires the administrator
to input the file system parameters, whereas newfs computes them from the
disk geometry and calls mkfs itself, requiring little input from the system
administrator. The easy way will be shown here. The required command line
argument for the newfs command is the raw special file that represents the
partition on which the new file system should be created. Assume the new
file system will be set up on the slice c0t1d0s6. The command
newfs /dev/rdsk/c0t1d0s6

will create a new file system, using all the default values. The newfs command
destroys whatever was on the slice, so check the device name against the
partition table before answering. Output of the command will include
newfs: construct a new file system /dev/rdsk/c0t1d0s6: (y/n)? y

The newfs command prompts to confirm the procedure and the administrator
must input the required response for the command to continue. The output of
the command then includes
Warning: 1 sector(s) in last cylinder unallocated
/dev/rdsk/c0t1d0s6:
8392166 sectors in 2337 cylinders of 27 tracks, 133 sectors
4097.7MB in 147 cyl groups (16 c/g, 28.05MB/g, 3392 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 57632, 115232, 172832, 230432, 288032, 345632, 403232, 460832, 518432,
576032, 633632, 691232, 748832, 806432, 864032, 921632, 979232, 1036832,
1094432, 1152032, 1209632, 1267232, 1324832, 1382432, 1440032, 1497632,
1555232, 1612832, 1670432, 1728032, 1785632, 1838624, 1896224, 1953824,
2011424, 2069024, 2126624, 2184224, 2241824, 2299424, 2357024, 2414624,
2472224, 2529824, 2587424, 2645024, 2702624, 2760224, 2817824, 2875424,
2933024, 2990624, 3048224, 3105824, 3163424, 3221024, 3278624, 3336224,
3393824, 3451424, 3509024, 3566624, 3624224, 3677216, 3734816, 3792416,
3850016, 3907616, 3965216, 4022816, 4080416, 4138016, 4195616, 4253216,
4310816, 4368416, 4426016, 4483616, 4541216, 4598816, 4656416, 4714016,
4771616, 4829216, 4886816, 4944416, 5002016, 5059616, 5117216, 5174816,
5232416, 5290016, 5347616, 5405216, 5462816, 5515808, 5573408, 5631008,
5688608, 5746208, 5803808, 5861408, 5919008, 5976608, 6034208, 6091808,
6149408, 6207008, 6264608, 6322208, 6379808, 6437408, 6495008, 6552608,
6610208, 6667808, 6725408, 6783008, 6840608, 6898208, 6955808, 7013408,
7071008, 7128608, 7186208, 7243808, 7301408, 7354400, 7412000, 7469600,
7527200, 7584800, 7642400, 7700000, 7757600, 7815200, 7872800, 7930400,
7988000, 8045600, 8103200, 8160800, 8218400, 8276000, 8333600, 8391200,

This command displays the disk configuration information, plus a long series of
block numbers. These numbers represent the locations of backup copies of the
super block. Recall that the super block is the master record for a file system
and contains vital information about the state and configuration of the file
system. In the example above, the total disk space for this file system is 4 GB
(4097.7 MB to be more exact).

Hint
To use one of the backup super blocks, you must specify its block number
(location) when checking the file system with fsck, for example
fsck -F ufs -o b=32 /dev/rdsk/c0t1d0s6. This tool is discussed in the next
section.

Checking the New File System
When a new file system has been created, it is wise to check the file system for
integrity using the file system consistency check (fsck) program. The fsck
program is necessary because a file system can become corrupt for a variety of
reasons and a specialized program is necessary to repair the file system when
necessary. The reason a file system can experience problems is that hardware or
configuration failures can affect the file system in a negative way. For example,
if the physical disk driver media (of which the file system is stored) becomes
unstable due to a hardware problem, and can no longer access parts of the disk,
the file system will be severely affected. This is an extreme case; one that is
more common is that the system crashes before the file system was able to
update itself with any changes that were made. This basically means that the
version of the information stored on the disk is now out of sync and will cause
problems unless the situation is rectified.
Typically, during normal system operations, the fsck program is run automatically
when a problem is detected, usually when the system is being rebooted. However,
in some situations it becomes necessary to run this program manually, if the
errors encountered are serious enough to warrant this action. This may, for
instance, be the case if the root file system is having problems and requires
more attention from the system administrator.
The file system scanned by fsck should be quiescent, that is to say, the file
system shouldn't be used during the fsck scan, which means that no users
should be accessing it and, ideally, that it is unmounted. To ensure that normal
system users are not using the file system, the system can be placed in
single-user mode. It is possible to scan a file system during normal system
operations, but the administrator must ensure that nothing accesses that file
system until the scan is complete.
To examine each of the file systems configured on the system, run the fsck
command without any command line arguments; it will scan each file system in
turn. To scan a single file system, include the special file for that file
system on the command line:
fsck /dev/dsk/c0t1d0s6

When run, the following is displayed:
** /dev/rdsk/c0t1d0s6
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
2 files, 9 used, 4131375 free (15 frags, 516420 blocks, 0.0% fragmentation)

The fsck program does a 5-point scan against the file system, which
involves checking various aspects of the file system for problems. These
scanning and checking phases are described in Table 6-1.
The output shows each of the phases, and when no errors are displayed for
that phase, it indicates the phase was completed successfully. When the scan is
complete, the number of files is displayed along with the total free disk space
and additional information about the file system.

Phase  Description
1      Determines if the file system i-nodes are consistent
2      Determines if directory entries are correct and file i-nodes are consistent
3      Checks to ensure that all directories are connected to the file system
4      Compares the link counts of files and directories with those found in Phases 2 and 3
5      Checks the free block list and used i-nodes for consistency

Table 6-1  Scanning Phases of the fsck Program

The fsck program has a number of command line options depending
on the operating system. Table 6-2 lists the most common options for each
system.
One of the most useful command line arguments is the y or Y option.
When fsck is run and a significant number of problems are encountered,
using these arguments will cause all questions prompted by fsck to be answered
in the positive. This is very useful when the system administrator must multitask
between several important duties and also doesn't want to keep entering the
same response. Of equal value is the n (or N) command line option that does the
opposite; it answers negatively to any questions posed by fsck, so the file
system is examined but never modified.

Ask the Expert
Question  Why should you only use fsck to scan unmounted file systems?

Answer  Because if the file system is changing during the scan process, fsck
will detect inconsistencies between the structures it has already read and
those that have since changed, which creates more headaches. Since fsck can
both detect and fix problems, using it when the file system is active can cause
additional severe problems over and above the problems that existed before the
scan was started, because its repairs are based on a stale view of the disk.


Option   Description
-A       Examine /etc/fstab and attempt to scan each file system listed in
         this file (Linux only)
-F       Specify the file system type when scanning (Solaris only)
-m       Scan the file system, but don't repair any encountered problems
-n -N    Answer all fsck-generated questions with a "no" response (Linux: -N
         displays what would be done but does not execute any repairs)
-s       Perform the fsck scanning process in a serial fashion (Linux only)
-t       Specify the file system type when scanning (Linux only)
-V       Display the expanded command line but do not execute the command
         (Solaris)
-y -Y    Answer all fsck-generated questions with a "yes" response
-o       Provide values for file-system-specific fsck options (Solaris)
-o b     Supply an alternate location for the super block (Solaris, for
         example -o b=32)
-V       Verbose output (Linux only)

Table 6-2  fsck Command Line Options

If the super block of a file system gets corrupt (which is not a common
occurrence), it will be necessary to supply an alternative location that
contains a copy of the original super block. When the newfs command is
executed to build a new file system, it makes a series of copies of the super
block and places them in various block locations on the partition. Using the
-o b option, the administrator can supply the location of one of those copies.

Hint
Care must be taken when using the positive response with fsck, since you are
approving that ALL questions be answered the same way, which in some cases may
not be what is needed. Run fsck with -n first to see what it would change
before letting it repair anything.
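The quiescent requirement and the caution about -y above can be enforced by a small wrapper rather than remembered. The shell script below is an added example, not from the book: it refuses to run fsck against a device that appears in the mount table, maps the block device to the raw device (/dev/rdsk/...) that fsck expects, runs in scan-only mode (-n) unless repair is requested explicitly, and can pass an alternate super block (-o b=32, the first backup newfs printed above). The mount table is constructed inside the script in the Solaris mount output format; the device names are the book's examples. The script prints the fsck command rather than executing it, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the book): run fsck only against a file system
# that is not currently mounted, on its raw device, and in scan-only mode
# unless repair is requested. The mount table below is constructed in the
# Solaris mount(1M) output format; the device names are the book's examples.

SAMPLE_MOUNT_TABLE='/ on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/onerror=panic/dev=800000 on Mon Jan 21 20:10:53 2002
/proc on /proc read/write/setuid/dev=3600000 on Mon Jan 21 20:10:52 2002
/tmp on swap read/write/setuid/dev=2 on Mon Jan 21 20:10:57 2002
/export/home on /dev/dsk/c0t0d0s7 read/write/setuid/intr/largefiles/onerror=panic/dev=800007 on Mon Jan 21 20:10:57 2002'

# fs_is_mounted DEVICE MOUNT_TABLE
# Returns 0 if DEVICE is the mounted object (third word) of any line of
# MOUNT_TABLE, which uses the Solaris "mountpoint on device options" layout.
fs_is_mounted() {
    printf '%s\n' "$2" | awk -v dev="$1" '$3 == dev { found = 1 } END { exit !found }'
}

# raw_device DEVICE: map a block device (/dev/dsk/...) to the raw device
# (/dev/rdsk/...) that fsck should be given; other names pass through.
raw_device() {
    printf '%s\n' "$1" | sed 's|^/dev/dsk/|/dev/rdsk/|'
}

# fsck_cmd DEVICE [MODE] [ALT_SUPERBLOCK]
# Print the fsck command to run. MODE "scan" (default) uses -n so nothing is
# repaired; MODE "repair" uses -y and answers every fsck question yes.
# ALT_SUPERBLOCK, when given, is passed as -o b=N (a backup super block).
fsck_cmd() {
    raw=$(raw_device "$1")
    sb=${3:+ -o b=$3}
    case "${2:-scan}" in
        scan)   echo "fsck -F ufs -n$sb $raw" ;;
        repair) echo "fsck -F ufs -y$sb $raw" ;;
        *)      echo "fsck_cmd: unknown mode $2" >&2; return 2 ;;
    esac
}

# safe_fsck DEVICE MOUNT_TABLE [MODE] [ALT_SUPERBLOCK]
# Refuse (return 1, print nothing on stdout) when the device is mounted;
# otherwise print the fsck command that should be run.
safe_fsck() {
    if fs_is_mounted "$1" "$2"; then
        echo "refusing to fsck $1: it is mounted; unmount it or boot single-user first" >&2
        return 1
    fi
    fsck_cmd "$1" "${3:-scan}" "$4"
}

# Stand-alone run against the constructed mount table. On a real system,
# review the printed command and then run it, for example:
#   safe_fsck /dev/dsk/c0t1d0s6 "$(mount)" | sh
safe_fsck /dev/dsk/c0t0d0s0 "$SAMPLE_MOUNT_TABLE" || echo "(root file system skipped)"
safe_fsck /dev/dsk/c0t1d0s6 "$SAMPLE_MOUNT_TABLE"
safe_fsck /dev/dsk/c0t1d0s6 "$SAMPLE_MOUNT_TABLE" scan 32
```

The wrapper defaults to -n deliberately: a scan that answers "no" to everything shows what fsck would change without committing to it, and only after reading that output does it make sense to rerun in repair mode with -y.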

Mounting UNIX File Systems
In order for users to access a file system, it must be explicitly made available on
the system for users. The term that is commonly used to describe this step is to
“mount the file system.” Mounting a file system means an association is created
between a specific directory from the root file system and the file system that
is to be mounted. To mount a file system or to display the currently
mounted file systems, use the mount command. Without any arguments, this
command will show all of the existing mounted file systems. The command
mount

displays all the mounted file systems on a Solaris machine called bedrock:
/ on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/onerror=panic/dev=800000 on Mon Jan 21 20:10:53 2002
/proc on /proc read/write/setuid/dev=3600000 on Mon Jan 21 20:10:52 2002
/dev/fd on fd read/write/setuid/dev=36c0000 on Mon Jan 21 20:10:54 2002
/tmp on swap read/write/setuid/dev=2 on Mon Jan 21 20:10:57 2002
/export/home on /dev/dsk/c0t0d0s7 read/write/setuid/intr/largefiles/onerror=panic/dev=800007 on Mon Jan 21 20:10:57 2002

The mount command requires two pieces of information when mounting
a file system: the special file of the file system and a directory. The directory
becomes the "mount point" for the file system. For example, to mount the file
system contained in the /dev/dsk/c0t1d0s6 partition:
mount /dev/dsk/c0t1d0s6 /src

In this example, this file system is mounted onto the directory called /src.
Note: the target mount point directory must exist before the mount is
executed, because mount will not create the directory for you.
Thus, you must run the following:
mkdir /src

before the mount command is executed. Otherwise, the mount will fail and
an error message similar to "mount: mount-point /src does not
exist." will be displayed. If the directory already contains files, they are
hidden (not removed) for as long as a file system is mounted over it.
Once the mount is done, the file system can be accessed just like any other
file or directory contained on the system. From a user's standpoint, this new file
system has been plugged into the root file hierarchy and the mounted file system
appears as an extension of the existing directory tree. In other words, a
mounted file system is connected to the system so that it appears like a normal
directory. The major exception to this rule is a read-only file system. For
example, when a CD-ROM is mounted on the system, no data can be written to the
device. Thus, should a user attempt to create, remove, or modify a file, an
error message will be generated stating that the file system is "read-only."
Note also the setuid keyword in the mount output above: it means set-user-ID
programs are honored on that file system. For removable media and for file
systems that untrusted users can write to, mount with the nosuid option
(mount -o nosuid) so that a set-user-ID binary placed there grants no privileges.
The mount command supports the -a option, which indicates that all file
systems contained within the /etc/vfstab file will be mounted. On Linux,
the file is known as /etc/fstab.
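Both of the mount-time failure modes described above, a missing mount point and a file system that should have been mounted at boot but was not, can be checked from the vfstab itself. The shell script below is an added example, not from the book: it reads a constructed /etc/vfstab (device names are the book's; /src is the mount point used in the text; the ro,nosuid options on /src are an assumption) and prints the mount commands that mount -a would issue for the entries flagged "yes" in the mount-at-boot column, and it creates a missing mount point with a restrictive mode.

```shell
#!/bin/sh
# Added example (not from the book): turn /etc/vfstab entries into the mount
# commands that mount -a would run, and make sure a mount point exists (with a
# restrictive mode) before mounting on it. The vfstab below is constructed;
# device names are the book's, /src is the mount point used in the text.

SAMPLE_VFSTAB='#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd              -               /dev/fd fd      -       no      -
/proc           -               /proc   proc    -       no      -
/dev/dsk/c0t0d0s1 -             -       swap    -       no      -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /  ufs     1       no      -
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes    -
/dev/dsk/c0t1d0s6 /dev/rdsk/c0t1d0s6 /src ufs    2       yes     ro,nosuid
swap            -               /tmp    tmpfs   -       yes     -'

# vfstab_boot_mounts: read vfstab on stdin and print one mount command per
# entry flagged "yes" in the mount-at-boot column (field 6), carrying the
# mount options column (field 7, where "-" means none) as -o.
# vfstab fields: device-to-mount device-to-fsck mount-point FS-type fsck-pass
#                mount-at-boot mount-options
vfstab_boot_mounts() {
    awk '
        /^#/ || NF < 6 { next }
        $6 == "yes" {
            opts = ($7 == "-" || $7 == "") ? "" : (" -o " $7)
            printf "mount -F %s%s %s %s\n", $4, opts, $1, $3
        }
    '
}

# ensure_mount_point DIR: create DIR if it is missing. The new directory is
# given mode 700, so that if the mount later fails (or is never attempted)
# unprivileged users cannot write into the root file system underneath the
# would-be mount point. Returns 1 if the directory cannot be created.
ensure_mount_point() {
    if [ ! -d "$1" ]; then
        mkdir -p "$1" || return 1
        chmod 700 "$1"
    fi
    [ -d "$1" ]
}

# Stand-alone run: show the boot-time mounts and prepare a mount point under
# a scratch prefix, so the script is safe to run on any machine.
printf '%s\n' "$SAMPLE_VFSTAB" | vfstab_boot_mounts
scratch=$(mktemp -d)
ensure_mount_point "$scratch/src" && echo "mount point $scratch/src ready"
rm -rf "$scratch"
```

On a real system the printed commands would be run one at a time after calling ensure_mount_point on each mount point; the root file system and swap entries are flagged "no" because the kernel and the boot scripts handle them before mount -a runs.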

Unmounting a UNIX File System
To do the opposite of mounting a file system, use the umount command. This
command will disassociate the mount point from the file system and as a result
the file system will no longer be available to the system. Typically, a file system
is unmounted when the system is halted or when the file system needs some
maintenance performed (before running the fsck command, for example). The
umount command accepts either the mount point directory or the special file.
For example, assume the following mounted file system:
/mnt    (/dev/dsk/c0t1d0s6 ):  8262750 blocks   498620 files

Thus, the command
umount /mnt

will unmount the file system associated with the /mnt directory. Also, note
that the command below will accomplish the same thing:
umount /dev/dsk/c0t1d0s6

If any process still has a file open or a working directory on the file system,
umount fails with a "device busy" error; fuser -c /mnt (fuser -m on Linux)
lists the processes holding it so they can be stopped first.
To unmount all the mounted file systems instead of a single one, use the -a
option. Using this option implies that all file systems defined within
/etc/vfstab are unmounted. On a Linux system, /etc/fstab contains the
defined file systems.

Project 6-1
Because making changes to a live file system is not advisable except as absolutely
necessary, in this project you'll focus on gathering information about the file
systems on your system rather than on making changes. If you are the
administrator for this system, you might find it useful to keep the information
you gather in a safe place (ideally off the system itself, since an intruder
who gains root can alter anything stored locally) in case you ever need to
refer to it to recover from a catastrophic failure or to determine if damage
was done during a system intrusion.

Step-by-Step
1. Display all the file systems on your system:
df -k

2. From these results, determine if any of the file systems are dangerously close
to being out of unused space.
3. For each drive, determine how many partitions are in use and how much
unused space (if any) isn't allocated to a partition. For Linux do this with
the command
fdisk -l

4. Or if you are using Solaris, perform step 3 with the command
# prtvtoc /dev/dsk/c0d0s0

repeating it for each drive.
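Step 3 asks for the unallocated space on each drive, which is the same arithmetic the Create a New Partition section did by hand (the backup slice's size minus the slices actually assigned); the same prtvtoc output also reveals a more dangerous condition, two slices whose sector ranges overlap. The shell script below is an added example, not from the book: it parses a constructed prtvtoc listing that matches the disk in that section (the device name /dev/dsk/c0t1d0s2 is assumed) and reports the unallocated sectors and any overlapping slices.

```shell
#!/bin/sh
# Added example (not from the book): compute unallocated space on a Solaris
# disk from prtvtoc(1M) output, and flag overlapping slices. The sample VTOC
# below is constructed to match the partition table discussed in the text:
# 3591 sectors per cylinder, 4924 accessible cylinders, slices 0, 1, 2 and 6.

SAMPLE_VTOC='* /dev/dsk/c0t1d0s2 partition map
*
* Dimensions:
*     512 bytes/sector
*     133 sectors/track
*      27 tracks/cylinder
*    3591 sectors/cylinder
*    4926 cylinders
*    4924 accessible cylinders
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00          0    265734    265733   /
       1      3    01     265734    265734    531467
       2      5    01          0  17682084  17682083
       6      4    00     531468   8392167   8923634   /export/home'

# vtoc_free_sectors: read prtvtoc output on stdin and print the number of
# sectors not covered by any slice other than the backup slice. prtvtoc
# fields: partition tag flags first-sector sector-count last-sector [mount].
# Tag 5 is "backup", the slice that spans the whole disk and defines the total.
vtoc_free_sectors() {
    awk '
        /^\*/   { next }                  # comment and header lines
        $2 == 5 { total = $5; next }      # backup slice: whole-disk sector count
        NF >= 5 { used += $5 }
        END     { print total - used }
    '
}

# vtoc_overlaps: print "slice A overlaps slice B" for every pair of non-backup
# slices whose sector ranges intersect; prints nothing when the label is clean.
vtoc_overlaps() {
    awk '
        /^\*/ || $2 == 5 { next }
        NF >= 5 { n++; id[n] = $1; first[n] = $4; last[n] = $4 + $5 - 1 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (first[i] <= last[j] && first[j] <= last[i])
                        printf "slice %s overlaps slice %s\n", id[i], id[j]
        }
    '
}

# sectors_to_mb: 512-byte sectors to whole megabytes (2048 sectors per MB).
sectors_to_mb() {
    echo $(( $1 / 2048 ))
}

# Stand-alone run: report on the constructed VTOC. On a real system, replace
# the sample with:  prtvtoc /dev/dsk/c0t1d0s2 | vtoc_free_sectors
free=$(printf '%s\n' "$SAMPLE_VTOC" | vtoc_free_sectors)
echo "unallocated: $free sectors (~$(sectors_to_mb "$free") MB)"
printf '%s\n' "$SAMPLE_VTOC" | vtoc_overlaps
```

For the sample disk the result is 8758449 free sectors, about 4.2 GB, which is the "approximately 4 GB" the text arrived at by comparing the backup slice with slices 0, 1, and 6. Run vtoc_overlaps before labeling a disk you have edited by hand: format will let you write overlapping slices, and two file systems sharing sectors corrupt each other silently.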


Mastery Check
1. A __________ is simply a collection of objects (files or directories, for
example) organized to provide optimal data access, ensure data integrity,
remain manageable, and scale to support many objects.
2. What keeps track of all the files within the file system?
A. Super block
B. Root
C. i-node table
D. Partition


3. A __________ is a fixed area defined on a storage medium for

the purposes of data access.
4. In this output from the df command on a Linux system, what is the
file system's drive letter and partition number?
/dev/hda9     521748    79504    415740  17% /home

5. In Solaris, which command shows a disk's layout with all of its

defined partitions?
6. What is the term for making a connection between a file system and

the system which the file system will be made available to?
A. Mount
B. Partition
C. Format
D. fdisk


Mastery Check
7. To create a new file system using default values and not entering

additional command line options, which command would you use?
A. mkfs
B. newfs
C. format
D. fdisk
8. What user mode is best to put the system in when running the

fsck command?
9. What command do you use to display all the mounted file systems on

your system?
A. df
B. format
C. mount
D. umount
10. True or false: If the target mount point directory does not exist before you

execute the mount command, mount will create the directory for you.

Module 7
System Security

Critical Skills
7.1 Define a Security Policy
7.2 Maintain System Patches
7.3 Uncover System Hardening
7.4 Investigate Security Tools

This module provides an overview and description of key elements to establishing
a secure computing environment with the UNIX operating system. It provides
procedures, configuration recommendations, and descriptions of tools that will
help make the UNIX computing environment more secure.
In general, there are two broad approaches to maintaining and delivering
on system security. First, the network that interconnects systems can be made
secure by the use of firewalls, proxies, and other mechanisms to ensure that
hackers and other malicious users are barred from accessing protected systems.
The second approach involves focusing the security on the individual systems,
instead of the network. In this case, the system administrator attempts to limit
system access and control access to files and directories, along with other related
measures. The fact of the matter is that both approaches are necessary when
addressing security within the enterprise. Why? Well, the answer is very simple:
Security breaches can come from outside the company (over the Internet or via
dial-up services), internally from the general user community, or even from
business partners.
When the Internet Worm struck in November 1988, it exposed critical
vulnerabilities to a wider audience, which raised the awareness of both network
and system security. There are certainly more recent examples of security
problems on the Internet, but the Worm was the first of many to follow.

Hint
At that time, many of the UNIX security vulnerabilities the Worm exploited
(among them a buffer overflow in fingerd and a debug back door in sendmail)
were known and accepted. However, at the same time, the Worm redefined the
critical duties of the system administrator, who could no longer ignore
operating system security issues. Today, one of the primary roles of the system
administrator is to ensure that their systems contain the most up-to-date
security and operating system patches available.

As the system administrator, you will be responsible for ensuring security for
the systems you control; however, depending on the company’s organizational
structure and other factors, the system administrator will need to work with
others to help with the security efforts. For example, in many corporations
security may be handled by a separate security department—or is handled as
part of a network design and/or support group. In any event, complete security
is a team or group effort, and if security is lacking in one important area (say
from a network standpoint), that makes all the attached systems more vulnerable.


The system administrator will need to determine how best to implement
security in their computing environment, which certainly may involve using
both security methods stated above. With this in mind, here are the high-level
steps that are involved with providing robust system security regardless of the
specific computing environment or organization:
1. Develop and publish a security policy (and revisit on a periodic basis).
2. Maintain system patches.
3. Continuously harden the systems.
4. Use security tools.
5. Repeat steps 2, 3, and 4.

7.1 Define a Security Policy
A good security policy has a few basic elements. First, it should clearly define
what is and what is not acceptable behavior with respect to the use of both
network and computing systems. For example, users should not attempt to read
files from other users when they have no business need, and users shouldn’t
leave their workstations unattended when they remain logged into the system.

Ask the Expert
Question How can a security policy help make my systems
more secure?
Answer A security policy can’t make your systems more secure
intrinsically, but it can help you in other ways—which can impact your
security approach or determine how successful you will be in
implementing some of the steps listed above. For example, having a
good policy means it can raise the awareness of senior management of
how important security can be, and as a result you may find it easier to
acquire the funding to purchase security-monitoring tools or hire extra
personnel to help in implementing security tools and procedures.


Second, the policy should clearly state what the guidelines for general-purpose
computing are. For example, users should not install modems and connect phone
lines on their system to provide remote access, but should use the corporate
dial-up services, which can be monitored and secured centrally. A how-to for the
most common issues or problems should be included. Finally, the policy should
define the roles, responsibilities, and procedures to follow when a security
issue or incident has occurred. For instance, when an unauthorized user has
gained access to a system, who should be alerted and how? What kind of
documentation is necessary to record the security breach? These and related
questions should be answered and spelled out in the policy.
The security policy should be published in such a way as to ensure that
everyone knows about it and can access it when necessary. Thus, placing it on the
company’s internal Web site or intranet is the best approach. To ensure that
users in fact read the policy, include it as part of the user account setup
procedures so that before a user account is set up, the user has both read and
understood the policy. Then, they can be granted access to the system.

7.2 Maintain System Patches

One of the most important jobs of the system administrator is to consistently
maintain up-to-date patches on the systems. Maintaining software upgrades and
maintenance releases has positive benefits that include warding off potential
problems, providing a stable computing environment, and simplifying
troubleshooting of system problems and issues.
When system patches are applied on a regular basis, certain problems can
be avoided. For example, installing a security patch that closes one or more
particular security vulnerabilities—say, with the TCP/IP protocol—reduces the
overall security exposure of the system.
In general, installing the required system patches should provide for a more
stable and secure environment. Typically, the administrator is asked to install
the required patches in order for technical support to begin troubleshooting a
particular problem. On the other hand, depending on the vendor, installing
certain patches can cause system problems if the patch is applied incorrectly or
contains one or more software defects. This certainly is the exception and not
the rule, but it can happen. For this reason, it is always best to install any
patches on a test system to determine any potential impact or problem.


Vendors commonly include in their support policies provisions that limit
technical support for systems that are not running the latest version of their
software or that do not contain the required system-level patches.

7.3 Uncover System Hardening
The concept of system hardening is not new; the military and other organizations
have used this phrase for quite some time as it relates to fortifying their
equipment or armaments and making it less likely that a physical attack will
cause serious damage. In the context of computer systems, it basically means the
same thing: to reduce the vulnerabilities and fortify the system against known
security issues or attacks.
System hardening is accomplished by limiting unnecessary system services and by
implementing standard operating system configurations. Further, substituting a
better service for an inferior one is also part of making sure that systems are
secure. For example, the UNIX system supports the Telnet service, which provides
basic terminal access from one system to another remote system. This particular
service has been around for quite some time and is used by many system
administrators. However, the Telnet service has one significant flaw: the
communication path between the client and server is not protected, so user
names, passwords, and session contents cross the network in clear text and can
be read or altered by anyone on the path. As a result, using this service poses
a security threat that many consider too risky. To address this problem, Telnet
is disabled and the Secure Shell (SSH) is enabled to provide secure access. SSH
provides encryption and server authentication, which make the communication
path secure.
The basic goal of system hardening is to eliminate any unnecessary system
services that might pose a security threat, and to configure the system for
maximum security without seriously impacting the user community. Thus, two broad
categories of hardening exist: elimination of nonessential services and
implementing a specific conservative operating profile or configuration. These
classifications are described below.

Elimination of Unnecessary Services
One of the best ways to ensure a basic level of security is to remove unused or
unneeded services that may represent a potential system security risk. For example,
if unrestricted FTP is enabled on a system, but that particular machine doesn’t
really need file transfer capabilities, then it might be prudent to shut off this
particular service. Table 7-1 lists some of the most common services that can
either be disabled or replaced with another, more secure package, or upgraded to
a newer version of the software that contains later security fixes.
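Most of the services in Table 7-1 that are to be disabled or replaced (telnetd, fingerd, tftp, rexd, uucp, and the r-commands) are started on demand by inetd, so turning them off means commenting out their lines in /etc/inetd.conf and sending inetd a hangup signal. The shell script below is an added example, not from the book: it comments out those services in a constructed inetd.conf excerpt (Solaris-style /usr/sbin/in.* daemon paths are assumed), lists what remains enabled so the result can be reviewed, and rewrites the surviving lines to run through the tcp_wrappers tcpd program mentioned in the table, whose location (/usr/sbin/tcpd) is also an assumption.

```shell
#!/bin/sh
# Added example (not from the book): comment out the inetd-managed services
# that Table 7-1 says to disable or replace, report what is still enabled,
# and route what is kept through tcp_wrappers. The inetd.conf excerpt below
# is constructed; daemon paths follow the Solaris layout (/usr/sbin/in.*).

SAMPLE_INETD_CONF='# Constructed /etc/inetd.conf excerpt
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
rexd/1  tli     rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
uucp    stream  tcp     nowait  root    /usr/sbin/in.uucpd      in.uucpd
#comsat dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat'

# inetd service names for the Table 7-1 disable/replace rows. telnet, shell,
# login and exec are replaced by SSH, which runs as its own daemon, not under inetd.
DISABLE_SERVICES='telnet shell login exec finger tftp rexd/1 uucp'

# inetd_disable: read inetd.conf on stdin and write it with every line whose
# service name (field 1) is in DISABLE_SERVICES commented out. Lines that are
# already comments, blank lines and other services pass through unchanged, so
# running it twice changes nothing the second time.
inetd_disable() {
    awk -v list="$DISABLE_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^#/ || NF == 0 { print; next }
        ($1 in off)     { print "#" $0; next }
        { print }
    '
}

# inetd_enabled: list the service names still active in an inetd.conf on stdin.
inetd_enabled() {
    awk '!/^#/ && NF > 0 { print $1 }'
}

# inetd_wrap: for each still-enabled line, replace the server path (field 6)
# with tcpd so tcp_wrappers checks /etc/hosts.allow and /etc/hosts.deny before
# the real daemon runs. Field 7 (the name inetd passes as argv[0]) is kept,
# because tcpd uses it to find the daemon to execute. TCPD is an assumption.
inetd_wrap() {
    awk -v tcpd="${TCPD:-/usr/sbin/tcpd}" '
        !/^#/ && NF >= 7 && $6 != tcpd { $6 = tcpd }
        { print }
    '
}

# Stand-alone run: harden the sample and show what survives. For a real
# system:  inetd_disable < /etc/inetd.conf | inetd_wrap > /etc/inetd.conf.new
# then review the new file, move it into place and run  pkill -HUP inetd
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_disable | inetd_wrap
echo "still enabled: $(printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_disable | inetd_enabled)"
```

Only ftp survives in the sample, and it now runs through tcpd; whether ftp itself stays is the judgment call the paragraph above describes, and if the host does not need file transfer it belongs in DISABLE_SERVICES too.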

Service                                  Action    New Service
inetd                                    Replace   xinetd with TCP wrappers
fingerd                                  Disable
NIS                                      Upgrade   NIS+ (latest version)
R family of tools (rsh, rcp, and rlogin) Replace   SSH
rexd                                     Disable
majordomo                                Upgrade   Upgrade to latest version
rpc.statd                                Upgrade   Upgrade to latest version
telnetd                                  Replace   SSH
tftp                                     Disable
uucp                                     Disable

Table 7-1  System Services That Require Hardening

Configuration System Profiles
Deploying a set of configuration profiles for how each of the systems will be
configured and maintained is an important element to overall security. For
instance, many organizations install different kinds of systems for various
projects and functions, and as a result, the configuration of those systems will
be set up to match specific user requirements. Consider the system and security
equipment for a software development group versus a sales team. Since these
groups do different things and have different requirements, one or more system
configuration profiles may be necessary. A system configuration profile consists
of specific configuration parameters (such as permitting root to log in on the
console device over the network, or the frequency of password expirations for
normal users). Some of the possible configuration profiles are listed below:

Low-Security Profile
This profile represents systems that will have a modest amount of system security
because they are isolated from the network or because they are stand-alone or
maybe contained behind a firewall. These systems also may fall “under the radar”
of corporate security policy, which means that they may not be required to
implement all standard security measures or a high-security profile configuration.
The security configuration of the low-security profile may include a smaller
amount of operating system hardening, no password aging, no security scanning
or auditing, and so forth. Clearly, these types of systems can be a nightmare for
maintaining a robust corporate security model. However, having said that, there
are a small number of instances where using the low-security profile makes sense.

Medium-Security Profile
This profile represents systems that are several layers above the low-security
system in terms of system security. System security is a priority for this system
profile, but is not the only major issue addressed. For example, systems that are
deployed within the customer support or professional services teams may use this
profile type. This profile would contain a fairly robust hardening configuration
and support many of the security logging/scanning software packages, and use
password aging and a variety of other security measures.

High-Security Profile
This profile represents the highest level of security available. The type of system this
profile should be applied to is production systems that handle credit cards or
other highly sensitive information for customers, suppliers, and vendors. This
profile pulls out all the stops in terms of hardening configuration, scanning and
reporting tools, robust authentication, and so forth. It is not uncommon for
corporations to purchase security products to enhance the basic security supported
by the system. For instance, products are available that provide additional password
authentication using tokens and other methods that can increase the user-level
security model quite significantly.
Certainly, additional security profile types may be defined, and the ones listed
above can be modified to closely match your specific environmental requirements.
Also, what one site considers medium security may in fact be low security to
another, depending on the security goals of the organization. One important
point: whatever profiles you use, apply them consistently to all systems; that
way, you will be in a better position to understand where your systems stand
from a security perspective.
Now that a set of security profiles has been defined, it is quite straightforward
to inventory and classify the level of security for each system. In Table 7-2, a small
number of systems have been included to show this example. It is recommended
that a similar table be developed for the systems that you support.
As noted in the table, each type of system will have different system services
and one of the security profiles. With many corporations, it is possible that three
security profiles are not enough; additional ones need to be defined to handle
special cases or additional types of systems. As a system administrator, you will
need to take charge of defining the security attitude and strategy for your area of
control, and compiling an inventory of systems is a great place to start.

Table 7-2 Inventory of Systems with Security Profile Types

Host Name   Team                   Service(s)                    Profile (Low / Medium / High)
station1    Software development   C compiler
omega       Software development   Mail server
bedrock     Software development   NFS, NIS, and DNS
barney      Software development   CVS source code repository
mailserv    Marketing              Mail server
salessrv1   Sales                  Web server, Sales intranet
salessrv2   Sales                  Sales support

(The original table marks exactly one profile per host with a check mark; those marks are not legible in this copy.)


1-Minute Drill
● How does writing a security policy help you make your systems more secure?
● What are some of the key principles of system hardening?

7.3 Investigate Security Tools
One key component of a successful security model is to deploy security
monitoring and scanning tools that can probe the system on a regular basis and
provide detailed reports of potential vulnerabilities or other security issues.
Some very powerful monitoring and scanning tools are available today, both
commercial and open source. However, a review of specific commercial packages
is beyond the scope of this book. On the other hand, some of the more common
freely available tools are discussed in this section. Table 7-3 lists the tools
that will be covered.
The tools listed in this table are all available for Solaris, HP-UX, and Linux.
However, not all of them are shipped with the basic operating system package,
so they may have to be installed separately. In the case of Linux, all of the
tools are available on the product CDs. For both Solaris and HP-UX, you will
obtain the software from the respective project Internet sites and install each
package individually. Each of the packages provides detailed installation
instructions. Naturally, a large number of additional security tools are
available for UNIX to solve a variety of security-related issues and problems.
Table 7-3 Common Security Tools

Tool   Purpose
nmap   Network port scanner and remote host identification program
SSH    Provides a remote shell and file copy to a specified host over an encrypted, authenticated connection
sudo   Permits regular users to execute privileged commands

1-Minute Drill answers
● A written security policy helps raise awareness of security issues, it clearly defines what are and aren't
  allowable system uses so there is no ambiguity or uncertainty among users, and it defines roles and
  responsibilities for ensuring security and recovering from any potential security breaches.
● System hardening includes establishing a set of standard operating system configurations, eliminating
  unnecessary system services, and substituting a more secure service for an inferior one.

The NMAP Tool
The nmap tool locates and identifies the open TCP and UDP ports on a target
host. Also known as a port scanner, by default it scans TCP ports 1 through 1024
plus every port listed in its nmap-services file, and reports the service
conventionally associated with each port that accepts a connection. Note that
this version of nmap maps a port number to a service name by table lookup; it
does not verify that the listening program really is that service, so an
unexpected listener on a well-known port will still be labelled with the
well-known name. This is a very useful security tool because it identifies the
services running on a system so that you can be alerted to possible security
issues or vulnerabilities.

Hint

The nmap tool is used by those wishing to break into remote computer
systems; thus, when you identify security issues on your systems, you are
proactively short-circuiting the efforts of those that want to cause destruction
to your systems!

This tool was designed to help the system administrator determine security
problems on their systems, but if you intend to use this tool on networks,
systems, or sites that you do not control, you should seek permission first.
Remember, having respect for the privacy of networks and systems that you
don’t own means that the favor may be returned to you someday.
On occasion, devices that interfere with normal network operations may be
added to the network. The origin and configuration of these systems may not be
apparent, and they may represent a potential security risk, so it may become
necessary to scan the devices to learn more about the services they provide.
For instance, let's assume a device is added to the network, but because the
device doesn't seem to support services like telnet, it is difficult to
identify the device.

Hint: The ping command is fully described in Module 11.

A ping can be issued against the device, but this doesn't really provide much
information about the device itself. The ping command only checks whether the
device answers ICMP echo requests, that is, whether its basic network stack is
operational:

# ping 216.155.202.110
PING 216.155.202.110 (216.155.202.110) from 216.155.202.163 : 56(84) bytes of data.
Warning: time of day goes back, taking countermeasures.
64 bytes from 216.155.202.110: icmp_seq=0 ttl=255 time=1.035 msec
64 bytes from 216.155.202.110: icmp_seq=1 ttl=255 time=229 usec
--- 216.155.202.110 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.229/0.632/1.035/0.403 ms

As you can see, the device is operational on the network, but we don't really
have much additional information about it. We can now attempt to connect to the
device via telnet or ssh, but the connection never completes because the device
refuses this type of access:

# telnet 216.155.202.110
Trying 216.155.202.110...
telnet: connect to address 216.155.202.110: Connection refused

Scanning a Host
When it is necessary to find more information about the device, the nmap tool
can be used to probe and inventory the services running, which gives a better
picture of the device in general. Running the command

nmap -O 216.155.202.110

provides the details we need:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on (216.155.202.110):
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
139/tcp    open        netbios-ssn
6000/tcp   open        X11
Remote OS guesses: Windows Me or Windows 2000 RC1 through final release,
Windows Millenium Edition v4.90.3000
Nmap run completed -- 1 IP address (1 host up) scanned in 28 seconds

Two services are reported open, and the "Remote OS guesses" line is nmap's guess
for the operating system on the remote device.

The -O option tells nmap that we would like it to attempt to identify the
target system using what it calls TCP/IP fingerprinting. This means that several
different probes are sent to detect differences in how the operating system (or
the networking software on the device) implements TCP/IP: initial sequence
numbers, TCP options, and the responses to unusual flag combinations, for
example. Using the data obtained from these probes, nmap compares the responses
against the fingerprints of known devices and systems. Every device that nmap
attempts to identify is compared to the data stored in a file called
nmap-os-fingerprints, located in the directory /usr/share/nmap by default. This
file contains a large number of fingerprints for systems and networking devices.
Note that fingerprinting needs at least one open and one closed TCP port on the
target to be reliable, and an intervening firewall can alter the responses and
produce a wrong guess.
As noted in the output from nmap, two network services are running on the
system, and nmap has identified the system as a Windows Me or Windows 2000
workstation. We are now in a position to determine if this system represents a
security risk to other systems or the network as a whole. In this case, since
the device is configured to support NetBIOS session services (port 139), which
provide file sharing, we should make sure that no shares are exposed to the
network without authentication and that the system doesn't contain viruses that
could be transmitted within shared documents. Also, nmap has detected that an X
server is listening on TCP port 6000. An X server that accepts connections over
the network is a concern in itself: any host its access control (xhost) admits
can read the keyboard and screen of that display, and X traffic travels in the
clear, so the user of this system should either stop the X server from
listening on TCP or tunnel X sessions through ssh. This bears some additional
investigation with the owner of this system.

Hint: If you encounter a device that doesn't match the entries in the
fingerprints file, you may want to consider sending the scan to the nmap author.

Normally, it wouldn't be easy to determine that a device was a Windows
workstation, but using nmap, most systems can be identified fairly quickly and
easily. The nmap tool can also examine the network services running on known
systems within the network. This is useful in determining which system services
are available to assist with system hardening efforts. For instance, using nmap
on a Solaris system known as bedrock produced the following output:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on bedrock.home.com (216.155.202.100):
(The 1511 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
19/tcp     open        chargen
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
540/tcp    open        uucp
587/tcp    open        submission
898/tcp    open        unknown
2049/tcp   open        nfs
4045/tcp   open        lockd
6000/tcp   open        X11
6112/tcp   open        dtspc
7100/tcp   open        font-service
32774/tcp  open        sometimes-rpc11
32775/tcp  open        sometimes-rpc13
32776/tcp  open        sometimes-rpc15
32777/tcp  open        sometimes-rpc17
32778/tcp  open        sometimes-rpc19
32779/tcp  open        sometimes-rpc21
32780/tcp  open        sometimes-rpc23
32786/tcp  open        sometimes-rpc25
32787/tcp  open        sometimes-rpc27

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

As you can see, this system contains a large number of services, some of
which can be deactivated.
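Most of the services in the bedrock listing (echo, chargen, ftp, telnet, the r-services, finger) are started by inetd, so hardening begins by commenting them out of /etc/inetd.conf and sending inetd a SIGHUP. The following shell script is an added example, not code from the book: it disables a given list of services in an inetd.conf and lists what remains enabled. The inetd.conf it operates on is constructed for the demo; the service names and daemon paths follow the usual conventions but are assumptions, so substitute your own file.

```shell
#!/bin/sh
# Added example (not from the book): disable services in an inetd.conf and
# report what is still enabled. The sample inetd.conf below is constructed.

# disable_inetd_services FILE SERVICE...
# Comments out every active line in FILE whose service field (first
# whitespace-separated field) exactly matches one of SERVICE....
# Comment and blank lines are left untouched. Writes back in place so the
# file keeps its owner and permissions. Returns non-zero on failure.
disable_inetd_services() {
    _file=$1; shift
    _tmp=$(mktemp) || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }   # keep comments and blanks
        ($1 in off)                 { print "#" $0; next }   # disable this one
        { print }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# list_enabled_inetd_services FILE: prints the service field of every
# active (non-comment, non-blank) line, one per line.
list_enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# demo_inetd_conf: a constructed Solaris-style inetd.conf for the demo.
demo_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf (not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
echo    stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
EOF
}

# harden_demo: apply the Table 7-1 "Disable"/"Replace" set to the sample
# file and print what is left enabled (only ftp survives).
harden_demo() {
    _conf=$(mktemp) || return 1
    demo_inetd_conf > "$_conf"
    disable_inetd_services "$_conf" telnet shell login exec finger tftp echo chargen
    list_enabled_inetd_services "$_conf"
    rm -f "$_conf"
}

harden_demo
```

On a real host, run disable_inetd_services against /etc/inetd.conf, then signal inetd to reread it (kill -HUP on the inetd process; pkill -HUP inetd on Solaris) and rescan with nmap to confirm the ports are closed. Daemons started from rc scripts rather than inetd, such as sendmail on 25, the X server on 6000, and the rpc.* programs behind the sometimes-rpc ports, have to be disabled through their own start scripts.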

Scanning Methods
The nmap software supports a number of important functions and a number
of command-line options. Also, it provides a large number of system scanning
techniques, as shown in Table 7-4. This table also includes the associated
command options and a general description of the process involved with each
scanning method.

Table 7-4 Nmap Scanning Techniques

Scanning Method   Option   Description
FTP proxy         -b       FTP bounce scan; abuses the proxy (third-party PORT) feature of
                           an FTP server so that the FTP server opens the connections to the
                           target on nmap's behalf.
ACK scan          -sA      Sends bare ACK packets. It never reports a port as open; it tells
                           filtered ports from unfiltered ones, which is used to map firewall
                           rule sets and to tell stateful filters from stateless ones.
FIN               -sF      Known as stealth FIN, this option sends a bare FIN packet (the
                           flag normally used to close a TCP connection) to elicit a
                           response: a closed port answers with RST, an open port on an
                           RFC-compliant stack stays silent.
Reverse ident     -I       Enables TCP reverse ident scanning, which requires an ident server
                           on the target; when available, it reveals the username that owns
                           the process listening on each open TCP port.
Null scan         -sN      Similar to FIN, but with all TCP flags turned off.
Ping sweep        -sP      Host discovery only, no port scan: sends an ICMP echo request
                           (plus a TCP ACK probe, so hosts that drop ICMP can still be found);
                           equivalent to issuing a ping to each address.
RPC scan          -sR      Sends SunRPC NULL calls to the open ports found by another scan to
                           determine which RPC program and version is listening, which
                           resolves the "sometimes-rpc" entries.
TCP SYN (half)    -sS      Half-open scan: sends a SYN, reads the SYN/ACK (open) or RST
                           (closed) reply, and then sends RST instead of completing the
                           handshake. Requires root.
TCP connect       -sT      Uses the connect() system call to complete a full handshake with
                           each port in the default range (1 to 1024 plus the ports listed in
                           the nmap-services file); works without root but is logged by the
                           target's services.
UDP port          -sU      Sends empty UDP datagrams to ports 1 to 1024 plus the ports listed
                           in the nmap-services file. A port is reported closed when an ICMP
                           port-unreachable comes back and open when nothing comes back, so
                           results are slow and a filtering firewall makes ports look open.
Window scan       -sW      Like the ACK scan, but also examines the TCP window size in the
                           RST replies; on some stacks a nonzero window means the port is
                           open, so it can find open ports behind filters that defeat -sA.
Xmas tree         -sX      Similar to FIN but turns on the FIN, URG, and PUSH flags in the
                           TCP packet.

The nmap tool was designed to work very efficiently when probing a large
number of hosts, even if they are on different networks. Also, it is considered
one of the fastest port scanners available within the public domain, and it even
rivals some commercial products.

NMAP Command Options
The command-line options are divided into two categories: the first controls
the scanning technique of nmap (these are the options listed in Table 7-4), and
the second is the set of general options, which refine or control the overall
behavior of the tool and are listed in Table 7-5. Because nmap supports a large
number of command-line arguments and options, use the -h (or --help) option to
list a synopsis of the supported arguments. Thus, the command

# nmap -h

will display a list of available command options and their meanings.

Table 7-5 General nmap Command Options

Option   Description
-F       Fast scan mode; nmap only scans the ports found in the nmap-services file.
-iL      Obtains the target list from the specified file instead of from hosts given
         on the command line.
-o       Logs program results to the specified file (current nmap releases spell this
         option -oN).
-p       Scans the specified port or port range instead of the default values.
-v       Enables verbose mode, which provides more detailed information.

One of the strengths of nmap is that it supports many different scanning
methods. Some scanners only support TCP scanning, which is very useful but has
limitations. For instance, some networking devices don't provide generic TCP
network services as traditional UNIX systems do; they may only support a
limited set of UDP services. In this instance, a port scanner that only
supports TCP would be useless. Consider the following scan and associated output:

# nmap -sT probe.home.com
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on probe.home.com (10.0.2.50):
(Not showing ports in state: filtered)
Port       State       Protocol Service

Nmap run completed -- 1 IP address (1 host up) scanned in 66 seconds

Note the "filtered" state: nmap received no reply at all (neither a SYN/ACK
nor an RST) for the scanned ports, which is what a firewall that silently drops
packets, or a device with no TCP listeners and no RST-generating stack, looks
like from the outside.

As you can see in this output, nmap didn't detect any TCP services on the target
system. However, the -sU option instructs nmap to scan a range of UDP ports
instead of the default TCP port range. Thus, interestingly enough, the following:

# nmap -sU probe.home.com

yields the following output when executed:

WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on probe.home.com (10.0.2.50):
Port       State       Protocol Service
161        open        udp      snmp

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds

The scan reveals an SNMP agent listening on the standard port 161, found only
because we used the UDP scan. Within the default port range, this device appears
to support SNMP and nothing else; keep in mind that UDP results are less
definitive than TCP results, because nmap reports a UDP port as open when no
ICMP port-unreachable reply comes back, which is also what a firewall that
drops the probe looks like. If necessary, the device could be further queried
using SNMP-based tools to determine more information about the agent that
resides within the device. See Module 13 for additional information about SNMP
and related tools.

Scanning TCP and UDP Ports
The default behavior of nmap is to use a TCP scan on the standard TCP ports
that have been included within the associated services file. Normally the file
nmap-services is located in the /usr/share/nmap directory, and nmap will scan
these ports plus all ports in the range 1 to 1024. (Run as root, nmap uses the
SYN scan by default; run as an ordinary user, the connect scan. The port range
is the same either way.) Using just the default values can be very useful.
Consider the following command:

# nmap rocks

It shows a large amount of information on the host known as rocks:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on rocks (216.155.202.117):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
19/tcp     open        chargen
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
540/tcp    open        uucp
4045/tcp   open        lockd
6112/tcp   open        dtspc
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32775/tcp  open        sometimes-rpc13
32776/tcp  open        sometimes-rpc15
32777/tcp  open        sometimes-rpc17
32778/tcp  open        sometimes-rpc19
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

The output above was derived from a scan of a Solaris 8 system. As you can
see, this scan shows that many of the standard UNIX services are running. Only
TCP services are listed because that is the default mode (a SYN scan, -sS, when
run as root; a connect scan, -sT, otherwise); UDP ports are not probed unless
-sU is given. The services running on the system include ftp, telnet, smtp,
finger, and many others. From a security standpoint, some of these services
should be disabled and/or replaced with utilities such as SSH. Also, several
ports were not completely identified and are marked as sometimes-rpc: nmap knows
only that Solaris commonly assigns these high-numbered ports to RPC services,
not which RPC program is behind each one. The -sR option, or rpcinfo -p run
against the host, will identify the actual RPC program and version on each port.
To scan both UDP and TCP ports at the same time, use the -sU and -sT
options together. The command

# nmap -sU -sT rocks

will yield the following:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on rocks (216.155.202.117):
(The 3076 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
7/udp      open        echo
9/tcp      open        discard
9/udp      open        discard
13/tcp     open        daytime
13/udp     open        daytime
19/tcp     open        chargen
19/udp     open        chargen
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
37/udp     open        time
42/udp     open        nameserver
67/udp     open        bootps
79/tcp     open        finger
111/tcp    open        sunrpc
111/udp    open        sunrpc
123/udp    open        ntp
161/udp    open        snmp
177/udp    open        xdmcp
512/tcp    open        exec
512/udp    open        biff
513/tcp    open        login
514/tcp    open        shell
514/udp    open        syslog
515/tcp    open        printer
517/udp    open        talk
540/tcp    open        uucp
6112/tcp   open        dtspc
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5
32771/udp  open        sometimes-rpc6
32772/tcp  open        sometimes-rpc7
32772/udp  open        sometimes-rpc8
32773/tcp  open        sometimes-rpc9
32773/udp  open        sometimes-rpc10
32774/tcp  open        sometimes-rpc11
32774/udp  open        sometimes-rpc12
32775/tcp  open        sometimes-rpc13
32775/udp  open        sometimes-rpc14
32776/tcp  open        sometimes-rpc15
32776/udp  open        sometimes-rpc16
32777/tcp  open        sometimes-rpc17
32777/udp  open        sometimes-rpc18
32778/tcp  open        sometimes-rpc19
32778/udp  open        sometimes-rpc20
32779/udp  open        sometimes-rpc22
32786/udp  open        sometimes-rpc26

Nmap run completed -- 1 IP address (1 host up) scanned in 226 seconds

Note that both UDP and TCP ports are now displayed, sorted by port number (the
7/tcp and 7/udp lines, for instance, are the TCP and UDP echo ports).

Isolating a Specific Service
As with any good port scanner, the ability to scan a particular port is
paramount. One good way to determine if all the systems on a network have a
standard set of network services or a particular function is to scan the network
hosts with a specific port number in mind. For example, assume we would like
to determine if all the systems on the 216.155.202.0 network support some sort
of SNMP agent. Since SNMP can be a security hole, depending on how it has
been configured (an agent left with a default community string hands its
configuration to anyone on the network), the network should be scanned to
determine which devices support this protocol. The command

# nmap -p 161 -sU -o results 216.155.202.0/24

tells nmap to scan port 161 (the SNMP port) on network 216.155.202.0 using
UDP and then save the output in a file called results (current nmap releases
spell this option -oN). If we display this file, we find the following sample
output:

# nmap (V. 2.54BETA22) scan initiated Sat Jan 26 17:01:01 2002 as: nmap -p 161 -sU -o results 216.155.202.0/24
Host  (216.155.202.0) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
Interesting ports on bedrock.home.com (216.155.202.100):
Port       State       Service
161/udp    open        snmp

Interesting ports on dino.home.com (216.155.202.110):
Port       State       Service
161/udp    open        snmp

The 1 scanned port on didymus.home.com (216.155.202.163) is: closed
The 1 scanned port on  (216.155.202.202) is: closed
The 1 scanned port on  (216.155.202.204) is: closed
Host  (216.155.202.255) seems to be a subnet broadcast address (returned 2 extra pings). Skipping host.
# Nmap run completed at Sat Jan 26 17:02:21 2002 -- 256 IP addresses (5 hosts up) scanned in 80 seconds

Each "Interesting ports" block is a host in the scanned address range on which
port 161 (SNMP) was found open; hosts that responded but had the port closed
are listed on a single line each.

As it turns out, this is a very reasonable mechanism to use to inventory services
on a grand scale. Any TCP or UDP port can be queried using this approach.
This example demonstrates another powerful feature of this tool. Namely,
we can specify the target systems or networks using a few different notations.
First, we can specify an IP address using a list or a range for each part of the
address. Thus we can scan an entire address block with the "*" character:
128.197.*.* scans every address in 128.197.0.0/16 (the old class B). Another way
to express this is the dash character: 128.197.1-255.1-255 covers nearly the
same addresses, but note that it skips every address with a 0 in the third or
fourth octet, so it is not strictly identical to the wildcard form. Second, we
can use CIDR mask notation, as in the previous nmap command example:
128.197.0.0/16 is equivalent to 128.197.*.*. Finally, we can combine a
comma-separated list with the range syntax. Thus 128.197.90.1,2,3,4,5,100-105
(written without spaces, since nmap takes the whole specification as a single
argument) will scan 128.197.90.1 through 128.197.90.5 as well as 128.197.90.100
through 128.197.90.105. Using these IP formats greatly improves the ease of
scanning entire subnets or networks.
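To make the notation rules concrete, here is a small POSIX shell expander, an added example that is not part of nmap or of the book. It turns an nmap-style per-octet specification into the individual addresses it denotes using the same rules described above: "*" is 0-255, "a-b" is an inclusive range, and a comma-separated list combines several items. It does not handle the /mask form, which nmap computes separately. Running it on a specification before handing it to nmap is a cheap way to confirm you are about to scan exactly the hosts you intend, and it makes the difference between 1-255 and "*" visible.

```shell
#!/bin/sh
# Added example: expand nmap-style target notation (lists, ranges, '*') into
# individual addresses. Not part of nmap; the /mask form is not handled here.

# expand_octet SPEC
# SPEC describes one octet position: "5", "1-3", "*", or a comma-separated
# list such as "1,2,100-105". Prints every value it denotes, one per line.
# Returns 1 on a malformed or out-of-range item.
expand_octet() {
    _spec=$1
    while [ -n "$_spec" ]; do
        _part=${_spec%%,*}                       # first comma-separated item
        if [ "$_part" = "$_spec" ]; then _spec=; else _spec=${_spec#*,}; fi
        case $_part in
            '*')  _lo=0;            _hi=255 ;;
            *-*)  _lo=${_part%-*};  _hi=${_part#*-} ;;
            *)    _lo=$_part;       _hi=$_part ;;
        esac
        if [ "$_lo" -gt "$_hi" ] || [ "$_hi" -gt 255 ] || [ "$_lo" -lt 0 ]; then
            echo "expand_octet: bad octet spec '$_part'" >&2
            return 1
        fi
        _i=$_lo
        while [ "$_i" -le "$_hi" ]; do
            echo "$_i"
            _i=$((_i + 1))
        done
    done
}

# expand_targets A.B.C.D
# Each of A..D may use the notation above. Prints the cross product as
# dotted quads, one per line, varying the last octet fastest.
expand_targets() {
    _o1=${1%%.*}; _r=${1#*.}
    _o2=${_r%%.*}; _r=${_r#*.}
    _o3=${_r%%.*}; _o4=${_r#*.}
    for _a in $(expand_octet "$_o1"); do
        for _b in $(expand_octet "$_o2"); do
            for _c in $(expand_octet "$_o3"); do
                for _d in $(expand_octet "$_o4"); do
                    echo "$_a.$_b.$_c.$_d"
                done
            done
        done
    done
}

# count_targets SPEC: number of addresses SPEC denotes.
count_targets() {
    expand_targets "$1" | grep -c .
}

# Demo: the book's example list, then the two "whole network" spellings.
expand_targets '128.197.90.1,2,3,4,5,100-105'
echo "128.197.*.*      -> $(count_targets '128.197.*.*') addresses"
echo "128.197.1-255.1-255 -> $(count_targets '128.197.1-255.1-255') addresses"
```

The two counts printed at the end (65536 versus 65025) are the concrete form of the caveat above: the dash form drops the 511 addresses that have a 0 in the third or fourth octet, which is usually what you want for hosts but not for an exhaustive sweep.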
When scanning networks, it is sometimes helpful to know exactly what nmap
is doing at all times. For this reason, the -v option has been provided. Bear in
mind that a fair amount of output may be generated as a result, so use this
option with caution on large scans. In the previous example, we scanned an
entire subnet. If we add the -v option when scanning a few named hosts, more
detailed information is displayed. For example, the command

nmap -v -sU -p 161 bedrock rocks spoons

shows the following sample output:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host bedrock.home.com (216.155.202.100) appears to be up ... good.
Initiating UDP Scan against bedrock.home.com (216.155.202.100)
The UDP Scan took 0 seconds to scan 1 ports.
Interesting ports on bedrock.home.com (216.155.202.100):
Port       State       Service
161/udp    open        snmp

Host  (216.155.202.101) appears to be down, skipping it.
Host  (216.155.202.102) appears to be down, skipping it.

Nmap run completed -- 3 IP addresses (1 host up) scanned in 2 seconds

As you can see, more detailed specifics about the port scan are provided.
Also, nmap identified a single device that supports an SNMP agent and is
reachable on the network, as noted by the line

Host bedrock.home.com (216.155.202.100) appears to be up ... good.

Both rocks and spoons appear to be down (the two "appears to be down" lines),
so nmap can't probe them for information.

Network Ports
The nmap program attempts to probe a standard set of network ports on the
target system. By default it scans the entire range of ports from 1 to 1024
plus the ports listed in the nmap-services file. The standard TCP/IP and
related protocol ports that nmap scans are listed in Table 7-6 along with the
service name and a general description of the network service or function.

Ask the Expert
Question: Why does nmap skip a system if it initially appears to be down?

Answer: nmap is very smart about probing nonexistent or down systems; it
doesn't spend much time or resources probing nonresponsive systems. Before nmap
attempts to scan a device, it first determines if it is reachable on the
network by performing a ping on it. This not only reduces the amount of time
required to perform the scan and lessens the system resources needed, but it
helps to preserve network bandwidth as well. It is important not to
underestimate the impact that scanning can have on a network, and nmap does a
good job of reducing the network requirements while probing. One caveat: a host
whose firewall drops ICMP echo requests (and the TCP ACK probe nmap also sends)
will look "down" and be skipped even though it may have open ports. To scan such
a host anyway, turn off the ping step (-P0 in nmap 2.54; -Pn in current
releases) and accept the longer scan time.

Table 7-6 Standard NMAP Ports

Port   Service Name       Description
7      echo               Echoes characters sent to this port; service provided by the inetd
                          or xinetd process; primarily used for testing
9      discard            Discards any data sent to it; acts like /dev/null for networking
                          services and other networking applications; primarily used for
                          testing
13     daytime            Provides the time in human-readable format; primarily used for
                          testing
19     chargen            Character generator; produces the ASCII character set; primarily
                          used for testing
21     ftp                File Transfer Protocol server
22     ssh                Secure Shell server
23     telnet             Telnet server; provides remote login services
25     smtp               Simple Mail Transfer Protocol; usually sendmail or a similar server
                          is listening on this port
37     time               Provides machine-readable time
53     domain             Domain Name Server process
79     finger             Finger server process, which provides more information about a
                          particular user
80     http               Web server process
111    sunrpc             Sun Remote Procedure Calls service (the portmapper)
199    smux               SNMP multiplexing (SMUX) port used by an SNMP master agent to talk
                          to its subagents
382    hp-managed-node    This process provides network management services for HP network
                          manager products.
512    exec               Remote execution server (rexec); authenticates with a password
513    login              Remote login server (rlogin); authentication is based on trusted
                          hosts
514    shell              Remote shell server (rsh); authentication is based on trusted hosts
515    printer            Remote printer server
540    uucp               UUCP server
4045   lockd              Lock daemon (for NFS)
6000   x-windows          X-Windows server

When nmap sees that a port is active and can’t identify services running on
the port, it specifies the port as "unknown."

1-Minute Drill
● What are some of the key pieces of information you can obtain with the
  nmap tool?
● How is nmap useful in helping secure your systems?

Project 7-1
In this project you will create or revise a security policy, and you will
determine the port and service usage on your system or any systems in your
control. You'll then disable any unnecessary ports and services and save the
results of a repeat port scan as documentation to compare against future port
scans.

1-Minute Drill answers
● nmap can tell you which systems in a network are up and accepting connections, which ports are open,
  whether the ports are running TCP or UDP, what services are running on the open ports, and in some cases
  what operating system the system is running.
● Hackers might use nmap (or other similar tools) to search for open systems and ports to launch attacks.
  By using it to scan your own networks and systems, you can determine what systems and ports should be
  open and accepting connections and if there are systems and ports open that shouldn't be, harden them by
  shutting off those services.

Step-by-Step
1. Find your company’s current security policy. (If your company doesn’t have a
security policy, find example security policies [possible from CERT or other
organizations] and create a draft security policy.) Study the policy for any
weaknesses, outdated sections, or overlooked areas and submit a revised
draft to your IT department manager.
2. Create an inventory of all the current open ports on your system and save
this list to a file (such as portsystemname, where systemname is the name of
your system).
# nmap -sU -sT -o portsystemname systemname

(nmap requires a target on the command line; give your own system's host name
as the last argument.)

3. Study the results of step 2 and look for any ports running services you don't
recognize. Be suspicious of any services running on non-standard port numbers
(numbers other than the ones listed for them in Table 7-6). Look for any obsolete
or insecure services you can replace with newer or more secure services.
4. Disable any services that you don’t need running after your step 3 investigation.
5. Rerun the command from step 2 and keep the results from this in a secure
place so you can refer to them as a “baseline” to compare results of the same
command to in the future to see if other services have been added or ports
opened without your knowledge.
6. If you are responsible for more than one system, or a group of systems on
a network, repeat step 2 and specify the system names for all the systems
(if there are just a few) or the IP address range (if there are several systems
in the same range). If there are other systems in this IP address range that
you are not the administrator for, don’t use the IP address range method,
as the administrator for those systems probably doesn’t want you running
the nmap command against those systems. The format for this command
would be
# nmap -sU -sT -o portsnetwork systemname1 systemname2 ...

where systemname1 systemname2 ... are the names of the systems to scan, or
# nmap -sU -sT -o portsnetwork ipaddressrange

where ipaddressrange is the range of IP addresses to scan using one of the
formats demonstrated earlier.


7. Repeat steps 3 and 4 for each individual system you are responsible for. If
you notice patterns of ports that are open or services in use that don’t need
to be, these may provide you with information to improve your system
security profiles in your security policy.
8. Repeat step 5 for each system individually, saving the results in a separate
baseline file for each system.
# nmap -sU -sT -o portsystemnamex systemnamex
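Step 5 asks for a baseline to compare later scans against, and comparing two full nmap listings by eye is error-prone. The following shell script is an added example, not code from the book or from nmap: it reduces each saved scan to its list of open ports and reports which ports were added or removed since the baseline. The two scan listings embedded in it are constructed for the demo, in the normal output format nmap writes with -o / -oN; in practice you pass the files saved in steps 2 and 5.

```shell
#!/bin/sh
# Added example: compare an nmap baseline against a later scan of the same
# host. Not from the book; both scan listings below are constructed.

# nmap_open_ports: read nmap normal output on stdin and print "port/proto service"
# for every port in state "open", one per line, sorted numerically by port.
nmap_open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' |
        sort -t/ -k1,1n -k2,2
}

# compare_baseline BASELINE_FILE NEW_FILE
# Prints "+ port/proto service" for ports open now but absent from the baseline
# and "- port/proto service" for baseline ports that are no longer open.
# Returns 0 when the scans agree, 1 when anything changed, 2 on setup failure.
compare_baseline() {
    _b=$(mktemp) && _n=$(mktemp) || return 2
    nmap_open_ports < "$1" | sort > "$_b"      # comm(1) needs lexical order
    nmap_open_ports < "$2" | sort > "$_n"
    _added=$(comm -13 "$_b" "$_n")
    _removed=$(comm -23 "$_b" "$_n")
    rm -f "$_b" "$_n"
    [ -n "$_added" ]   && printf '%s\n' "$_added"   | sed 's/^/+ /'
    [ -n "$_removed" ] && printf '%s\n' "$_removed" | sed 's/^/- /'
    [ -z "$_added" ] && [ -z "$_removed" ]
}

# Constructed sample: what "nmap -sU -sT -o baseline rocks" might have saved
# after the hardening in step 4.
sample_baseline_scan() {
    cat <<'EOF'
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on rocks (216.155.202.117):
(The 3076 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
161/udp    open        snmp
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
EOF
}

# Constructed sample: a later scan in which sunrpc was turned off but an X
# server has started listening on the network.
sample_new_scan() {
    cat <<'EOF'
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on rocks (216.155.202.117):
(The 3076 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
161/udp    open        snmp
6000/tcp   open        X11
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
EOF
}

# baseline_demo: run the comparison on the two constructed samples.
# Prints "+ 6000/tcp X11" and "- 111/tcp sunrpc" and returns 1 (changed).
baseline_demo() {
    _bf=$(mktemp) && _nf=$(mktemp) || return 2
    sample_baseline_scan > "$_bf"
    sample_new_scan > "$_nf"
    compare_baseline "$_bf" "$_nf"
    _rc=$?
    rm -f "$_bf" "$_nf"
    return $_rc
}

baseline_demo
```

In use, save the baseline once (nmap -sU -sT -o baseline.rocks rocks), then rescan into a new file on a schedule and run compare_baseline baseline.rocks today.rocks; the nonzero exit status is what a cron job can turn into an alert, and the "+" lines are the ports to investigate. The parser keys on the "port/proto state service" columns, which current nmap releases print in the same layout under a "PORT STATE SERVICE" header.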

The Secure Shell Facility

TE

AM
FL
Y

The secure shell service provides strong security features for remote system
access, including file copy and terminal access. It can also be used to provide a
secure connection for X-Windows and other services. SSH is the ideal replacement
for such tools as rsh, rlogin, rcp, and telnet because it provides the same
services, plus it provides a secure connection when passing data so that information
between the client and server is private. For example, as shown in Figure 7-1,
a workstation can access sensitive information from a server while the data is
traversing the insecure network, without the worry that a would-be hacker
might capture the information flowing between the workstation and server.
Assuming that the information was in fact captured by someone in the middle,
eavesdropping on the connection, the information captured would be of little
value since it is encrypted and it would require a significant effort
to decrypt it to make it useful. This is a powerful feature and
opens up many possibilities for the systems administrator because they can
provide secure access regardless of the client location or level of security within
the network.
In addition, based on the use of host keys, client and server authentication
is greatly enhanced over existing services with the r-commands (rlogin, for
instance) or telnet. The SSH model for establishing security requires the
user to validate her or his identity on the remote system. SSH uses two broad
approaches when authenticating users, which are known as SSH protocol
version 1 and 2. These are described in Table 7-7.
The implementation of SSH is meant to be easy; as a result, SSH supports
the old style of authentication based on trusted hosts (this is described as
Version 1–Option A and B). This was the security model of the r-commands
that were introduced in the BSD version of UNIX many years ago—namely,
the use of $HOME/.rhosts and /etc/hosts.equiv files. These files can
contain either a username/host ($HOME/.rhosts) pair or just a hostname
(/etc/hosts.equiv), which was compared to the client’s username and
local hostname. If there is a match, the user is granted access to the remote
system. Although SSH supports these older authentication methods, they
are inherently insecure and their use is severely discouraged. The security
limitations of the r-commands and associated files are widely known (and
have been for quite some time), and have been the cause of a large number
of security-related problems and issues.

Figure 7-1 SSH secure network

SSH Authentication: Version 1–Option A
Description: If the machine the user is logging from is listed in one of these
files on the remote system, and the usernames are the same, the user is
granted access.
Files Consulted: /etc/hosts.equiv, /etc/ssh/shosts.equiv

SSH Authentication: Version 1–Option B
Description: If the machine the user is logging from is listed in one of the
user’s files on the remote system, and contains the username, the user is
granted access. Note: This may not be true for all implementations of SSH.
Files Consulted: $HOME/.rhosts, $HOME/.shosts

SSH Authentication: Version 1–Option C
Description: Uses RSA-based host authentication combined with Version 1–Option A
and Version 1–Option B.
Files Consulted: /etc/hosts.equiv, /etc/ssh/shosts.equiv, $HOME/.rhosts,
$HOME/.shosts, $HOME/.ssh/identity.pub

Table 7-7 SSH Authentication Methods
The components of SSH are listed in Table 7-8 and the software package is
available for all major operating systems, including Microsoft operating systems.
With SSH support for so many operating systems, it is one of the best choices
for providing secure client/server connectivity.
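Because the trusted-host files in Table 7-7 are consulted by both the r-commands and SSH protocol 1, an administrator who wants to retire that model needs to know what those files currently grant. The following checker is an added example, not from the book: it parses the "host [user]" entries, rates wildcard ("+") entries as the most serious, and notes files that others can write to. SAMPLE_HOSTS_EQUIV is constructed.

```python
"""Report trusted-host entries in the files consulted by SSH v1 / r-commands.

hosts.equiv and .rhosts lines are "host [user]"; a "+" in either field is a
wildcard and a leading "-" denies. Added example, not from the book; the
sample file content below is constructed."""
import os
import stat

# Files consulted for trusted-host authentication, as listed in Table 7-7
TRUST_FILES = ["/etc/hosts.equiv", "/etc/ssh/shosts.equiv",
               os.path.expanduser("~/.rhosts"), os.path.expanduser("~/.shosts")]

SAMPLE_HOSTS_EQUIV = """\
# constructed sample of an /etc/hosts.equiv file
+ +
trusted.home.com +
dino
bedrock barney
-untrusted.home.com
"""


def trust_entries(text):
    """Return (line_no, severity, meaning) for every line that grants access."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue                       # blank, comment or explicit deny
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((n, "critical", "any host trusted"))
        elif user == "+":
            findings.append((n, "high", f"any user on {host} trusted"))
        elif user:
            findings.append((n, "medium", f"user {user} on {host} trusted"))
        else:
            findings.append((n, "medium", f"same username from {host} trusted"))
    return findings


def audit_trust_files(paths=TRUST_FILES):
    """Each existing trust file, its entries, and whether group/others can write it."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue                       # absent (the safe state) or unreadable
        mode = stat.S_IMODE(os.stat(path).st_mode)
        report[path] = {
            "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
            "entries": trust_entries(text),
        }
    return report


if __name__ == "__main__":
    for n, severity, meaning in trust_entries(SAMPLE_HOSTS_EQUIV):
        print(f"sample line {n}: {severity}: {meaning}")
    for path, info in audit_trust_files().items():
        print(path, info)
```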

ssh
The ssh tool provides the capability for logging into a remote machine and
for executing arbitrary commands on the remote system. It provides the same
remote shell access features as the standard rsh or telnet connectivity tools
and also supports strong security elements so that it is possible to permit
sensitive information to flow through an insecure network, such as the Internet.
Tool        Purpose
ssh         Provides a remote shell to the specified host using secure connection
scp         Provides remote copy facility using secure connection
ssh-keygen  Generates an SSH key for authentication of the remote system
ssh-agent   Provides a way to preload an SSH key for authentication
ssh-add     Adds a passphrase to a running ssh-agent

Table 7-8 SSH Core Elements

Like rsh or telnet, when ssh is supplied a valid SSH server name on the
command line, it attempts to make a connection and, if successful, provides a
shell on the remote machine. For example, if the remote server called dino
has been configured to support an SSH server, the command
ssh dino

would provide a remote shell to the system, once authentication from the client
to the server has been established. Thus, before a remote shell is made
available, the user needs to authenticate by supplying the remote user’s
password. The following example shows sample output generated when
running ssh as the root user:
root@dino's password:
Last login: Fri Jan 25 13:25:39 2002 from didymus.home.com
Sun Microsystems Inc.
SunOS 5.8
Generic February 2000
No mail.
# dino>

As you can see, the user was required to input the root account password for
the connection to succeed. If the user didn’t know this password, the request
would have been denied after the ssh prompted for the password three times:
root@dino's password:
Permission denied, please try again.
root@dino's password:
Permission denied, please try again.
root@dino's password:
Permission denied.

SSH provides a shortcut for busy system administrators; by placing the
client’s host key on the remote host, it is possible to prevent SSH from
prompting for the remote account password. For example, Figure 7-2 shows a
single client and several SSH servers. By placing the user’s host key on the other
servers, whenever the user uses SSH to gain access to those servers, the
user will not need to validate her or his identity further.

scp
The scp command provides remote file copy facilities between a client system
and an SSH server. The command provides the same basic features as the rcp
command, plus the data is encrypted to ensure privacy.

ssh-keygen
The ssh-keygen command is used to create an SSH host key for the local
system. This program does a couple of things. First, it generates both a public
and private key pair associated with a particular user—the user is responsible
for running this command. The private key is stored under the .ssh directory
in a file called .identity (note the dot “.” at the beginning), which is
located within the user’s home directory. It stores the public key in the
identity.pub file under the same directory. These keys are used as part
of the authentication process when the user makes a request to an SSH server.
When a user executes the ssh-keygen program, it asks the user to specify
which file should be used to save the private key. Typically, the default path
($HOME/.ssh) and filename (identity) are suggested. Then, it prompts
twice for the SSH passphrase (the second is to confirm the first prompt).
Depending on which system this command is invoked on, the output can be
somewhat different. On Solaris, for example, ssh-keygen also displays the
entire public key string, while other systems don’t.

Figure 7-2 SSH host key placement

To generate an SSH host key pair, issue the following command
# ssh-keygen

The example shows the output that was generated from a Solaris system:
Initializing random number generator...
Generating p: ............++ (distance 190)
Generating q: ...............................................++ (distance 730)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (//.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in //.ssh/identity.
Your public key is:
1024 33
1310027470808505525984351817590366936660983333030447140662790561230497737560235105780
3082576600113762558121351675124104962600689209801039269327397031784881422946150905334
0467209527663138399850223963639073057061948822295225599426944591345678523218150262932
928070176515462990304575837519065722636254119188580761 root@dino
Your public key has been saved in //.ssh/identity.pub

When the same command is run from a Linux system, the following sample
output is shown:
Generating public/private rsa1 key pair.
Enter file in which to save the key (/root/.ssh/identity):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/identity.
Your public key has been saved in /root/.ssh/identity.pub.
The key fingerprint is:
2e:0f:a0:97:6a:62:6b:c8:56:89:00:fa:5c:43:bd:2f root@didymus

The major reason for output differences has to do with the versions of SSH.
The SSH release running on Solaris is the newer Version 2, while Version 1 is
running on the Linux system.

ssh-agent/ssh-add
The ssh-agent program is used to hold one or more user authentication keys
on the user’s behalf. The ssh-add command preloads the user’s passphrase
into a running ssh-agent. When ssh or scp is invoked, it checks
whether an ssh-agent is running and queries it to see if the user’s host key has
been added. If so, it uses the host key that the ssh-agent provides; otherwise,
the user is prompted for their passphrase. To manually run the ssh-agent,
do the following:
eval `ssh-agent`

Then issue the ssh-add command to add the user’s passphrase:
# ssh-add

The Sudo Tool
The sudo command provides the facility for a generic UNIX user to execute
privileged commands that normally can only be run by the root user. This
security command solves the problem of having different classifications of
system accounts; one or more users can be given access to certain privileged
commands that they must be able to invoke, without the assistance of the
local system administrator. Figure 7-3 provides a high-level view of how the
sudo command works. By defining sudo users, the administrator can reduce
the total number of tasks that he or she must perform by handing less-important
duties to others, or meet the requirements of certain power users so
that they can perform their jobs satisfactorily. The sudo command provides
detailed logging capabilities so that all commands executed through sudo are
recorded for later inspection and review.
The sudo command uses a single configuration file (/etc/sudoers),
which defines users and the commands they can invoke.
For example, to give the users anitat and stevem permission to do account
administration on the system, the following entry can be used:
User_Alias    SPECIALUSERS = stevem, anitat
Cmnd_Alias    USERADMIN = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
SPECIALUSERS  ALL = USERADMIN

For the users (stevem and anitat) to add a new user account to the
system (via the useradd command) using sudo, they would need to execute
the command as follows:
sudo /usr/sbin/useradd

Figure 7-3 High-level function of sudo

Thus, to add the user georgew to the system, the command
sudo /usr/sbin/useradd georgew

would need to be executed.
The sudo configuration file supports keyword/value directives that control
basic operation and functions. These keywords have associated values or
parameters and are assigned with the equals (=) character. Keywords can be
either aliases or flags. There are four alias types, as listed in Table 7-9. A sudo
alias is a list of elements separated by a comma (,) and contains a group of
strings (such as username). Flags can be variable definitions or options that
alter some default behavior, characteristic, or value.
In the example above, two aliases are defined: User_Alias and Cmnd_Alias.
In the first case, the alias SPECIALUSERS is defined, which contains
the list of users that should be granted privileges. The example includes
two UNIX users (stevem and anitat). Of course, a longer list could have
been constructed.

Keyword      Purpose
User_Alias   Defines a list of users that can (or can’t) execute a specific command.
Runas_Alias  Defines a username to run a specific command.
Host_Alias   Defines a list of hosts that a user can (or can’t) execute a specific command on.
Cmnd_Alias   Defines a list of commands for invocation by sudo users.

Table 7-9 Sudo Keyword Aliases

Hint

When using sudo, it will be important to determine which types of commands
should be made available. Also, classifying the users will be important.

Project 7-2
In this project you will lock down your system security by finding and removing
any sudo permissions that give users accesses and permissions they don’t need.

Step-by-Step
1. Examine the /etc/sudoers file on your system.
2. Look for any users or commands that you don’t want other users to have
and remove them.
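Reviewing a sudo configuration by eye gets error-prone once aliases nest, so the following script, an added example that is not from the book, expands the four alias types of Table 7-9 into a per-user list of (host, run-as user, command) grants and flags users who have been given ALL commands. SAMPLE_SUDOERS reuses the book's entry and adds one constructed over-broad grant for the audit to find; the parser handles only the alias and user-specification syntax shown here.

```python
"""Audit a simplified sudoers file: expand aliases and list effective grants.

Handles User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias and user specs of the
form  USERS HOSTS = (RUNAS) CMD, CMD ...   Tags such as NOPASSWD: are
stripped. Added example, not from the book; SAMPLE_SUDOERS is constructed."""
import re
from collections import defaultdict

ALIAS_KINDS = {"User_Alias": "user", "Runas_Alias": "runas",
               "Host_Alias": "host", "Cmnd_Alias": "cmnd"}

SAMPLE_SUDOERS = """\
# Constructed sample: the book's entry plus one broad grant for the audit to find
User_Alias   SPECIALUSERS = stevem, anitat
Cmnd_Alias   USERADMIN = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
Host_Alias   WEBHOSTS = dino, bedrock
Runas_Alias  OPS = root
SPECIALUSERS ALL = USERADMIN
georgew      WEBHOSTS = (OPS) NOPASSWD: ALL
"""


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Return (aliases by kind, list of (users, hosts, runas, cmds) specs)."""
    aliases = {kind: {} for kind in ALIAS_KINDS.values()}
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split(None, 1)[0]
        if first in ALIAS_KINDS:                    # e.g. User_Alias NAME = a, b
            _, rest = line.split(None, 1)
            name, values = rest.split("=", 1)
            aliases[ALIAS_KINDS[first]][name.strip()] = _split_list(values)
            continue
        lhs, rhs = line.split("=", 1)               # USERS HOSTS = (RUNAS) CMDS
        users, hosts = lhs.rsplit(None, 1)
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", rhs)
        runas, cmds = (m.group(1), m.group(2)) if m else ("root", rhs)
        # drop leading tags like NOPASSWD: from each command
        cmds = [re.sub(r"^(?:[A-Z]+:\s*)+", "", c) for c in _split_list(cmds)]
        specs.append((_split_list(users), _split_list(hosts), _split_list(runas), cmds))
    return aliases, specs


def _expand(items, table):
    """Recursively replace alias names with their members."""
    out = []
    for item in items:
        out.extend(_expand(table[item], table) if item in table else [item])
    return out


def effective_grants(text):
    """Map each user to the list of (host, runas, command) it may invoke."""
    aliases, specs = parse_sudoers(text)
    grants = defaultdict(list)
    for users, hosts, runas, cmds in specs:
        for user in _expand(users, aliases["user"]):
            for host in _expand(hosts, aliases["host"]):
                for who in _expand(runas, aliases["runas"]):
                    for cmd in _expand(cmds, aliases["cmnd"]):
                        grants[user].append((host, who, cmd))
    return dict(grants)


def overly_broad(grants):
    """Users granted every command (ALL): the first candidates for Project 7-2."""
    return sorted(u for u, g in grants.items() if any(c == "ALL" for _, _, c in g))


if __name__ == "__main__":
    found = effective_grants(SAMPLE_SUDOERS)
    for user, items in sorted(found.items()):
        for host, who, cmd in items:
            print(f"{user:12} {host:10} ({who}) {cmd}")
    print("over-broad:", overly_broad(found))
```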

Mastery Check
1. Which of these commands lists open ports and associated services
on a system?
A. nmap
B. find
C. sudo
D. ssh
2. What is the command to probe ports with both TCP and UDP scan and
direct the results to a file named probeports?
3. What word in the services column of an nmap scan indicates nmap wasn’t
able to identify the service on this port?
4. Which of the following would be a correct way to TCP scan all systems on
a network with addresses beginning 192.168.1., checking all ports from
1–1024 and any additional ports in the nmap-services file? (Choose
all that apply.)
A. # nmap -sT 192.168.1.*
B. # nmap -sU 192.168.1.*
C. # nmap -sU 192.168.1.1-255
D. # nmap -sT 192.168.1.1-1024
5. The sudo command provides the facility for a generic UNIX user to
execute __________ commands that normally can only be run by the
root user.
6. Which of the following is not one of the general steps for providing robust
system security?
A. Develop and publish a security policy.
B. Maintain system patches.
C. Do system backups.
D. Use security tools.
7. __________ is the ideal replacement for such tools as rsh, rlogin, rcp,
and telnet because it provides the same services, plus it provides a
secure connection when passing data so that information between the
client and server is private.
8. What is the correct command to log in securely to the remote system
named bedrock as the user named barney?
A. rlogin bedrock barney
B. ssh barney
C. sudo barney
D. scp bedrock barney
9. What is the Linux command to generate a secure key pair for SSH?
10. A __________ defines what actions groups of users may use their systems
for, how to administer security, and how to recover from security breaches.


Module 8
Backup and Restore

Critical Skills
8.1 Define Backup Elements
8.2 Explore Backup Tools

One of the most important (but least enjoyed) duties of the system administrator
is performing backups and retrieving (restoring) users’ files. Having said
that, it is possible to have the entire backup process completely automated to
such a degree that these tasks are not that painful to perform. This, of course,
requires that you develop your own backup scripts or purchase scripts and/or
backup tools that provide these types of services. In fact, many great products
are available on the market today that solve many important backup-related
problems. However, it is beyond the scope of this book to review third-party
commercial tools. Instead, this section reviews some of the standard backup-related
tools that are available with the basic operating system.
The funny thing about system backups is that you typically only need them
when something goes wrong—a faulty hard drive, a user mistakenly deletes
important files, a system crashes and can’t be repaired quickly, and so forth.
These events are not likely to happen every day or even every week, but we
know that eventually the need will arise to retrieve information from backup
tapes or other media. Like car insurance, backups protect against future disasters
and problems when they strike. We don’t know the day or hour when something
is going to happen, so that is why it is important to be prepared.
Before attempting to evaluate backup software, develop backup scripts, or learn
new backup commands, it is important to determine the exact backup and restore
requirements for the computing environment and user community. For example,
the requirements for a stand-alone system with a single user will be different versus
a large system that supports a critical application with many users. In addition to
the user and/or system requirements, there are other important factors that can
impact the backup strategy, such as can the corporate and/or individual subnetwork
handle the backup traffic or will the network require an upgrade to handle the new
load? In most environments, some type of backup solution may already be in place
and any new solution might need to provide backward compatibility.
As you can see, the subject of backups can be a complex one. However,
information contained within this section can be used to develop a backup
approach to address requirements for many different computing environments
and organizations.

8.1 Define Backup Elements
This section reviews some of the specific elements when attempting to
formulate a backup strategy or approach. Like most things in life, having a plan
in place before doing any work is a good thing, since the planning process can
identify critical components and issues that may otherwise not be uncovered
until the project is well along, which in some situations can be quite disastrous.
When formulating a backup plan, the following elements should be examined:
● User perspective
● Density and form factors
● Network bandwidth
● Remote sites

User Perspective
Regardless of the tools used to perform backups, it is extremely important that
users understand the backup policies and procedures and any duties that are
required of them. For example, given a network of workstations and servers,
how are the workstations going to be backed up? What happens when a user
reboots her or his system in the middle of the backup process? What should
be done in these cases? These types of questions and associated answers should be
documented for all users. Should a user need to retrieve one or more files from
the backup system, what is the procedure that should be followed? Going further,
what is the response time for retrieving the requested information? Certainly, if
information is needed for some production service, then the response is related
to the importance of the information being retrieved.
In some situations, a user may request that their individual account be
backed up so that the information can be made available to another system.
How should this be done? If the new system is only available on the network
and connectivity can be established between both systems, a simple file transfer
might be sufficient. However, suppose the second system is not on the network.
Then some other approach to getting the user’s information on the system is
needed. Thus, the backup plan should include this if users will be making these
types of requests.
To address some of the above concerns, it is recommended that a FAQ be
developed and made available to the user community. However, this is just
documentation—the user requirements must be taken into consideration
when determining the backup plan.

Density and Form Factor
Determining the amount of information that will need to be backed up is an
important element to the overall backup approach, but this can sometimes be
difficult to measure or forecast. Why? Because requirements can change very
quickly as the company changes to meet new challenges. However, this is where
having some instincts can come in handy. Since it is not possible to know what
will happen in the future, it is reasonable to make an educated guess about the
backup storage needs given answers to certain questions. For example, how
many systems need to be backed up, what is the total amount of storage on
each system, and on what basis will backups be done. This is the who, what,
and when approach to determining total storage capacity.
The who is how many systems will be a part of the backup plan. This should
include workstations, PCs, servers, and so forth. Let’s assume the following:
20 workstations, 10 PCs, and 4 servers. The what relates to the total disk capacity
of each system that will be backed up. For example, let’s assume that each of
the workstation contains a total of 20 gigabytes of storage, each PC contains
5 gigabytes, and each server has 40 gigabytes. Also, it would be helpful to know
the amount of available disk space. Use the df and du commands to determine
total disk space, plus what is being used. The when is the frequency for when
the backup will be performed on some or on all of the target systems. Will the
systems be backed up every day or on some other interval? Certainly, in the case
of a much-used production system, a very stringent regime will be needed to
ensure the best possible coverage for backups. However, this comes with a price,
because more backup storage will be needed.
Once the total amount of backup capacity has been determined, you must
figure out what kind of backup media to use. Table 8-1 lists some of the
common formats that are available today.

Storage Format    Description
Tape              Linear magnetic tape; large densities are available such as 80GB of
                  data with compression. Storage tape comes in all sizes and shapes.
Removable disk    Removable media such as Zip, Jazz, and so forth are quite popular.
                  Storage capacity ranges from 250MB to over 2GB. CD-ROMs and
                  DVDs are another good example of this type of media.
Fixed hard drive  It is becoming more common to back up systems using regular
                  hard drives contained within a special storage unit. These units
                  can be magnetic or optical.

Table 8-1 Different Storage Formats


Network Bandwidth
One factor that is sometimes overlooked when performing backups is the
amount of network bandwidth that is required to back up all the required
systems. This is particularly important when the backup server is centrally
located within the “core” of the network and when most of the systems that are
being backed up are on the “edge” of the network. The edge is defined as being
closest to the user community but farthest from the core of the network. Edge
devices consist of workstations, printers, and so forth, and depending on the
network infrastructure, the performance from the edge to the core may not be
able to handle backup traffic while other activities are in progress. This is one
of the major reasons that many sites do backups at night—because the network
is least busy due to the systems not being used.
One very good way to determine the potential bandwidth that might be used
during a backup session is to examine the performance of the backup server
itself. For example, modern backup systems boast of transferring approximately
20GB per hour onto storage media. This is impressive performance given the
capabilities of systems just a few years ago. However, despite this transfer rate,
the total overall bandwidth is limited by the network interfaces from the backup
server and associated target systems (the systems that need to be backed up).
Thus, if the backup system is attached to the network using relatively seasoned
equipment, network performance will affect how much time it will take to
perform a backup.
Consider a standard 10 MB/s network. You can only get about 1.4 GB per
hour of data transfer. Why? Well, for starters, a 10 MB/s network doesn’t really
deliver that kind of performance. Instead, based on the operating system,
network protocols, and other factors, the performance might be in the range
of 3–4 MB/s, and this might be on the high side. Next, a consideration must
be made for the load on both the server and workstations. This will affect how
network requests are handled by each of these systems. On a heavily loaded
system, the network traffic may suffer because the system can’t keep up with
the network traffic. Finally, local area networks (LANs) are shared resources,
and typically no single device gets all the available network bandwidth, which
means that the backup system will compete with other applications. Of course,
if the backups are done during nonpeak times when other applications are not
running, this issue is negated.
Luckily, newer LAN technology is available, which significantly increases the
network bandwidth and performance that is available for applications such as
backups. However, many corporations haven’t upgraded to the new technology.
Regardless, consideration for the network must be made when determining when
and how to perform backups.
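The "who, what, and when" sizing of the Density section and the throughput argument of the Network Bandwidth section can be carried through together. The following planner is an added example, not from the book: it uses the book's sample fleet (20 workstations of 20GB, 10 PCs of 5GB, 4 servers of 40GB) and checks whether a weekly full plus nightly incremental scheme fits the available windows at a given effective rate. The window sizes, the 5% daily change rate, and the assumption that the book's "MB/s" network figures are megabits per second are illustrative assumptions.

```python
"""Backup capacity and window planner, worked with the book's sample figures.

"Who/what/when" sizing from the Density section (20 workstations x 20 GB,
10 PCs x 5 GB, 4 servers x 40 GB) combined with the Network Bandwidth
section's effective-throughput reasoning. Added example; window lengths,
change rate and the megabit interpretation of the book's rates are
illustrative assumptions, not measurements."""

# (count, capacity in GB per system) for each class of system: the book's numbers
SYSTEMS = {"workstation": (20, 20.0), "pc": (10, 5.0), "server": (4, 40.0)}


def total_capacity_gb(systems=SYSTEMS):
    """The 'what': total disk capacity that a full backup must cover."""
    return sum(count * gb for count, gb in systems.values())


def gb_per_hour_from_mbps(effective_mbps):
    """Effective megabits per second -> decimal gigabytes per hour.
    Assumption: the book's '3-4 MB/s' effective rate is in megabits; about
    3 Mb/s gives the 1.4 GB/hour the book quotes."""
    return effective_mbps / 8 * 3600 / 1000


def backup_hours(data_gb, effective_gb_per_hour):
    """Time to move data_gb at the effective (not nominal) rate."""
    if effective_gb_per_hour <= 0:
        raise ValueError("throughput must be positive")
    return data_gb / effective_gb_per_hour


def plan_week(systems, effective_gb_per_hour, nightly_window_h,
              weekend_window_h, daily_change_fraction):
    """Weekly full on the weekend plus nightly incrementals (the scheme the
    1-Minute Drill answer describes). Returns sizes, hours and whether each
    job fits its window."""
    full_gb = total_capacity_gb(systems)
    incr_gb = full_gb * daily_change_fraction      # assumed daily change volume
    full_h = backup_hours(full_gb, effective_gb_per_hour)
    incr_h = backup_hours(incr_gb, effective_gb_per_hour)
    return {
        "full_gb": full_gb,
        "full_hours": full_h,
        "full_fits": full_h <= weekend_window_h,
        "incremental_gb": incr_gb,
        "incremental_hours": incr_h,
        "incremental_fits": incr_h <= nightly_window_h,
    }


if __name__ == "__main__":
    # Assumed windows: 8 hours each night, 48 hours at the weekend; 5% daily change
    for label, rate in (("shared 10 Mb/s LAN", gb_per_hour_from_mbps(3.2)),
                        ("modern backup server, 20 GB/hour", 20.0)):
        plan = plan_week(SYSTEMS, rate, 8, 48, 0.05)
        print(label)
        print(f"  full: {plan['full_gb']:.0f} GB in {plan['full_hours']:.1f} h,"
              f" fits weekend: {plan['full_fits']}")
        print(f"  incremental: {plan['incremental_gb']:.1f} GB in"
              f" {plan['incremental_hours']:.2f} h, fits night: {plan['incremental_fits']}")
```

With the book's figures the full backup of the whole fleet takes over 400 hours at the shared-LAN rate, which is the argument for faster LAN technology or local backup servers that the Remote Sites section makes.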


Remote Sites
If it is necessary to back up systems that are located within one or more
remote sites, where network connectivity is limited, then additional planning and
examination of the computing environment is necessary. For example, would it
be possible to install a backup server at the remote site instead of attempting to
back up using a central server located at the corporate site? Another approach
is to upgrade the network connection between the remote site and the corporate
site to support the backup traffic.

Backup Methods
In general, there are several different kinds of backups that you can perform,
and depending on the specific goals you have in mind, you might choose one
method over another. However, it is not uncommon for one or more methods
to be used for different types of systems. Table 8-2 contains a description of the
different backup methods.

Image Backup
These types of backups bypass the file system and access the information using
what is known as “raw” mode. This mode simply copies all the data of a file
system without knowing any specific details of the components and/or elements,
such as files or directories and so forth. Image backups are much faster than
other backup types because no interpretation of the information must be done.
With UNIX, backup tools access the raw version of the file system by using
a special device file.

Backup Type                Description
Image (raw)                Copies the raw bits from the disk without using the file system.
File system – full         Using the file system, copies all files and directories regardless
                           of when the last backup was done.
File system – incremental  Using the file system, copies only the files that have changed
                           since the last time a backup was taken.
File archive               Using the file system, copies all files and directories regardless
                           of previous backups.

Table 8-2 Backup Approaches


File System (Full)
Some backup tools access the file system directly when performing backup
activities, which means that they understand the internals of the file system and
maintain complete integrity of the information. This is in contrast to other tools,
which access the raw version of the file system. Such tools lack the understanding
of the specific file system structure and associated elements. Tools that back up
the file system directly usually support one or more file system types. For example,
the extdump command supports the EXT file system. Thus, not all tools that
perform file system backups are completely compatible.

File System (Incremental)
An incremental backup is one that captures all of the changes made within a file
system since the last backup was taken. The purpose of incremental backups is
to reduce the amount of time and storage requirements, since only the changes
are captured. As compared to full backups, this can significantly reduce the
backup resources needed. The only problem with doing incremental backups
is that when retrieving files, it can be difficult to find the necessary files, since
they can be located on different incremental backups.

File Archive
The file archive method is the simplest backup format, since it just archives
individual files and directories onto a regular file or other storage media. UNIX
tools that support this backup type are the tar and gnuzip commands.

1-Minute Drill

● Why might you use more than one backup type in your backup plan?
● If you are performing network backups, what factors will limit the amount
of data you can back up in one session?

To conserve backup time but still maximize backup coverage, you might use different backup types. For
example, your plan might implement full file system backups once a week on weekends (or another low
usage time) and daily incremental backups at night. This minimizes the amount of data to back up each
night, ensures a recent backup of all data, and keeps the number of different incremental tapes you’d need
to search to just a week’s worth when restoring.
In addition to your backup device’s rated speed, the network’s overall speed, the operating system’s ability
to utilize the network, the user and application load on the network during the backup, and competition
for bandwidth between other network devices will all limit network backup performance.


8.2 Explore Backup Tools
The UNIX system provides a powerful set of robust backup tools and for the most
part the same set of tools are available for most of the UNIX versions currently
available on the market today. Some of the most common tools are listed in
Table 8-3. The major benefits for common availability of the tools are consistency
and compatibility. For instance, the basic operation of the commands is the same
so that if the administrator develops custom scripts, those scripts can be used
across a variety of UNIX systems with major operating system changes. Second,
if the backed up data is compatible with different UNIX versions, backups can be
made on one system and restored on another. This sort of thing isn’t something that
would be done every day, but administrators might like the option of doing so.

Hint

Both Linux and HP-UX have an official dump command. However, the Solaris
system uses the ufsdump command instead, but it provides the same basic
services and even supports many of the same command-line arguments. For
simplicity, all of these backup tools will be referred to as just dump. In the cases
where an important command-line or functional difference exists between the
operating system commands, it will be noted.

dump
The dump command provides one of the best ways to perform file system
backups. It can be used to provide both full and incremental backups of a
number of different file systems. It supports a large number of options to
control how backups should be done. Table 8-4 contains the most common
options. This tool is used at more sites than any other single backup tool.
Tool     Description
dump     Performs full and incremental backups of file systems (Solaris, ufsdump—
         for Linux and HP-UX, the command is known as dump).
dd       Can be used to perform image-type backups.
restore  Used to retrieve files and directories from backups taken with the dump
         command (Solaris uses ufsrestore; restore for the other operating
         systems).
tar      General-purpose archiving tool.
volcopy  Performs full image backup of a file system for the Solaris platform.

Table 8-3 Backup/Restore Tools

Option  Description
0-9     The backup dump level to use; this controls which files will be saved.
-D      Save the backup to a diskette device. This is somewhat limited since
        diskettes are quite small and can’t store much information.
-S      Determine the total size of a backup, without actually doing the backup.
-a      Specify the archive file to use so that when a restore is performed, it can
        be searched to determine if a particular file/directory is contained within
        the backup.
-b      Use the blocking factor when making the backup. The default is 20 and
        is specific to the storage media used.
-f      Specifies the dump file, which is usually a storage device such as tape
        or disk. When the “-” character is used, the standard output should be
        used instead.
-l      Control the backup storage media so that when the dump is complete,
        dump will pause to give the storage device time to automatically reload
        a new tape or media.
-n      Inform the operator when dump requests attention, such as mounting
        a new tape.
-t      Controls the amount of time to wait for the storage device to autoload
        another tape. Used with the -l option.
-v      Perform a verification on the backup media as the last step in the process.
-w      Issue a warning when dump detects a file system that hasn’t been
        backed up.

Table 8-4 Dump Command-Line Options

Hint

When performing full backups of the system, it is important the system not be
used and the file system be unmounted during this time. Failure to unmount
the file system during a system backup can lead to problems!

To perform a full backup of the / file system to a local tape unit, use the
following command:
ufsdump 0f /dev/st0 /

When this command is invoked, the following output is generated:
DUMP: Writing 32 Kilobyte records
DUMP: Date of this level 0 dump: Wed Jan 30 11:13:41 2002
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rdsk/c0d0s0 (bedrock:/) to /dev/st0.
DUMP: Mapping (Pass I) [regular files]
DUMP: Mapping (Pass II) [directories]
DUMP: Estimated 78032 blocks (38.10MB).
DUMP: Dumping (Pass III) [directories]
DUMP: Dumping (Pass IV) [regular files]
DUMP: 78014 blocks (38.09MB) on 1 volume at 638 KB/sec
DUMP: DUMP IS DONE

UNIX System Administration: A Beginner’s Guide

dd
The dd command can be used to perform image-level backups. However, this is
just one of the many uses for this command. Its primary use is to convert between
different data formats (such as ASCII and EBCDIC). Like dump, this command also
has a large number of command-line options. The most common ones are
described in Table 8-5.
To perform an image-level copy of the root file system to the local tape
drive, do the following:
dd if=/dev/dsk/c0d0s0 of=/dev/rmt/1

When the command has completed, the following will be displayed:
1024128+0 records in
1024128+0 records out

which shows the amount of data that was both read and written.

Option   Description
bs       Set both the input and output block size.
if       The file (device) to read.
ibs      Specify the input block size.
of       The file (device) to write.
obs      Specify the output block size.

Table 8-5 dd Command-Line Options

restore
The restore command is used to retrieve files and directories from backups that
were created using the dump command. One powerful feature of this command is
that it has an interactive mode, which can help with restoring specific files and/or
directories. Like dump, this command also has a large number of command-line
options. The most common ones are described in Table 8-6.

Option   Description
-C       Permits the comparison of the files that have been backed up using dump.
-i       Use interactive mode.
-r       Restores a complete backup onto a new file system.
-t       List specific files and/or directories contained on a backup.
-x       Retrieve a specific file or directory.

Table 8-6 Restore Command-Line Options

To restore a complete file system backup onto a brand new file system
(assume the new file system is contained within the c0d0s5 partition), do the
following (restore -r writes into the current directory, so change into the
mount point before running it):
newfs /dev/dsk/c0d0s5
fsck /dev/dsk/c0d0s5
mount /dev/dsk/c0d0s5 /mnt
cd /mnt
restore rf /dev/mnt/1

tar
The tar command can be used to build an archive of files and directories within
a file system. It really isn’t the best approach to performing system backups, but it
does provide some powerful backup-like features. The most common command-line
arguments are described in Table 8-7.
To make an archive of all the files on the system on a local tape, use the
following command:
# tar -cvf /dev/mnt/1 /

Option   Description
-c       Create a new archive file.
-f       Specifies the file (or backup media) to archive the information onto.
-x       Extract files from the archive.
-v       Enable verbose mode.

Table 8-7 Common tar Command-Line Options

In this example, the tar command will recursively copy all the files and
directories encountered from the root file system. Using the verbose mode
option v, tar produces a list of all the files/directories that have been copied
successfully to the tape:
a // 0K
a //lost+found/ 0K
a //usr/ 0K
a //usr/lost+found/ 0K
a //usr/X symbolic link to ./openwin
a //usr/lib/ 0K
a //usr/lib/libICE.so symbolic link to ./libICE.so.6
.
.

Because this command produces a significant amount of output, it has been
reduced to save on space.
To extract the archive, use the x option as shown below:
tar -xvf /dev/mnt/1

To list the contents of an existing archive, use the t option, which shows the
contents within the archive:
# tar -tvf /dev/mnt/1

It will show the following:
drwxr-xr-x 0/0  0 Jan 30 11:20 2002 //
drwx------ 0/0  0 Nov 11 16:00 2001 //lost+found/
drwxr-xr-x 0/3  0 Nov 11 16:55 2001 //usr/
drwx------ 0/0  0 Nov 11 16:01 2001 //usr/lost+found/
lrwxrwxrwx 0/0  9 Nov 11 16:01 2001 //usr/X symbolic link to ./openwin
drwxr-xr-x 0/2  0 Nov 11 16:59 2001 //usr/lib/
lrwxrwxrwx 0/0 13 Nov 11 16:01 2001 //usr/lib/libICE.so symbolic link to ./libICE.so.6
lrwxrwxrwx 0/0 26 Nov 11 16:01 2001 //usr/lib/libICE.so.6 symbolic link to ../openwin/lib/libICE.so.6
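The create, list and extract steps shown above (the c, t and x options) leave out one thing a backup procedure needs: a check that what came off the media matches what went on. The following POSIX shell script is an added example, not code from the book. It archives a small constructed directory tree into a file that stands in for the tape device /dev/mnt/1, lists the archive, restores it into a scratch directory and compares cksum values for every regular file. The sample tree, file names and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the book): archive a directory with tar, list it,
# restore it into a scratch location and verify that every regular file came
# back byte-for-byte. A plain file stands in for the tape device in the text.

# make_sample_tree DIR: build a small constructed tree to back up.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/home/alice"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
    printf 'hello from alice\n' > "$1/home/alice/notes.txt"
    # Symbolic links are stored as links, like the //usr/X entry in the listing.
    ln -s ../etc/passwd "$1/home/passwd-link"
}

# backup_tree DIR ARCHIVE: the equivalent of "tar -cvf /dev/mnt/1 /", written
# to ARCHIVE (give an absolute path). Running tar from inside DIR stores
# relative member names, so a later extraction cannot overwrite absolute
# paths on the restoring host.
backup_tree() {
    (cd "$1" && tar -cf "$2" .)
}

# list_archive ARCHIVE: member names, as "tar -tf" prints them, sorted.
list_archive() {
    tar -tf "$1" | sort
}

# tree_checksums DIR: "crc size ./path" for every regular file under DIR.
# Symbolic links are skipped on purpose: only file contents are compared.
tree_checksums() {
    (cd "$1" && find . -type f -exec cksum {} + | sort)
}

# verify_backup DIR ARCHIVE: extract ARCHIVE into a fresh scratch directory
# and compare checksums with DIR. Returns 0 on a faithful restore, 1 otherwise.
verify_backup() {
    scratch=$(mktemp -d) || return 1
    (cd "$scratch" && tar -xf "$2") || { rm -rf "$scratch"; return 1; }
    if [ "$(tree_checksums "$1")" = "$(tree_checksums "$scratch")" ]; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}
```

A typical run is `make_sample_tree /tmp/src; backup_tree /tmp/src /tmp/backup.tar; verify_backup /tmp/src /tmp/backup.tar && echo verified`. If a file is changed after the archive was written, verify_backup returns 1, which is the same signal you would want from a nightly job that restores a tape to scratch space and compares it with the live file system.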


Project 8-1
This project will familiarize you with the backup and restore commands and
give you some practice preparing a backup.

Step-by-Step
1. Determine the amount of data on your system that you need to back up.
Display all the file systems on your system and the amount of data used by each:
df -k

2. Determine if you have a backup device to create a backup on or if you have
an unused partition with enough free space for a backup.
3. If so, create a full system backup to the device or partition with the dump
command. You’ll use level 0 to indicate a complete backup of all files and
use the appropriate options to create the backup on your backup device
or partition. (Remember, don’t do this at a time when the system is in
heavy use.)
4. After modifying or adding some files (create or copy some dummy test files)
create an incremental backup of just the files created or changed since your
level 0 backup in step 1. Do this as a level 1 dump, with the appropriate
options for your backup device or location.
5. Use the restore command to restore just the files from your level 1
incremental dump, working in interactive mode and follow the prompts:
# restore -i

Mastery Check
1. What type of backup copies the bits from the disk without using the
file system?
A. Image
B. File system - full
C. Dump
D. File archive
2. A __________ backup is one that captures all of the changes made within
a file system since the last backup was taken.
3. Which command is the primary UNIX command most often used for
backup tasks?
A. dump
B. dd
C. restore
D. tar
4. Which command is used to retrieve files backed up with UNIX’s primary
backup command?
A. dump
B. dd
C. restore
D. tar
5. Which command is used primarily to convert data between different
formats but also performs backups?
A. dump
B. dd
C. restore
D. tar
6. In the following set of steps, what action does each of the first 3 steps
perform?
newfs /dev/dsk/c0d0s5
fsck /dev/dsk/c0d0s5
mount /dev/dsk/c0d0s5 /mnt
restore rf /dev/mnt/1

7. In this command, what device is the file system being backed up to?
dump 0f /dev/st0 /

Module 9
System Operations

Critical Skills
9.1 Determine the Boot Process
9.2 Explore the Shutdown Process
9.3 Uncover UNIX Operating Levels

Copyright 2002 by The McGraw-Hill Companies, Inc.

The UNIX system is a complex arrangement of tools, applications, and
processes. When the system has booted and is operating normally, certain
key processes and services are automatically activated. As the administrator,
you will need to control and/or alter how the system boots, as well as monitor
and control system processes and services. Sometimes when critical system
administration tasks must be performed, the system will need to be brought
into maintenance mode. This mode provides an environment where the tasks
can be performed while keeping users off the system. When the required
administration tasks are complete, the system can be brought back to the
normal operating mode. Also, depending on the nature of the administration
tasks, it is not always necessary to change the operating mode of the system.

9.1 Determine the Boot Process
When a UNIX system is started, it goes through a series of steps to bring the
system to the desired operating mode. This is known as the UNIX boot process
and is controlled by automated scripts that can be modified by the system
administrator. Typically, the system’s boot process doesn’t change that much
once the system has been set up and configured. However, if new services are
added or removed, the system boot configuration can be modified. Also, if the
system is having problems, the boot process can be altered on the fly so that
the problem can be fixed and system restored to normal operations.
Booting the system basically involves loading and executing the operating
system so that the normal system is available to the users. As you might
imagine, every operating system contains booting elements that are different.
Despite this, all operating systems follow the same generic procedure to start
the system. The difference is in the specifics of how the bootstrap process is
accomplished for each system. For example, the System V variant operating
systems are really different as compared to the BSD-related versions. Luckily
for the system administrator, most versions of UNIX have a standard boot
process, which is shown in Figure 9-1.

Hint

The standard boot process presented may not include boot services or
functions, which can be found in different releases of UNIX today.

Figure 9-1 UNIX boot process

The boot process involves several important steps; first, the UNIX Kernel
program is started which is the master controlling entity within the system.

Under Linux, for example, the LILO boot loader can be used to boot the kernel.
Next, the Kernel starts the init process. This process has the process id of 1 and
is known as the father or master system process. The init process is responsible
for starting all the correct processes by executing specific startup scripts (script
files that begin with “S”) that reside in the /etc directory. Finally, any additional
system processes (such as checking the file systems) are done and the system
starts normal operations.

9.2 Explore the Shutdown Process
The UNIX shutdown process is not completely the reverse of the boot process;
instead, the administrator executes a specific command, which brings the
system down in a graceful fashion. There are several ways to bring the system
down; it really depends on what you want to accomplish. Table 9-1
shows some of the most common ways to either reboot or halt the system.
Figure 9-2 shows the generic steps involved in shutting down a UNIX system.
One of the commands listed in the table is executed by the system
administrator, which causes a chain reaction to bring the system down.
First, the shutdown scripts (script files that begin with “K”) are invoked in the
/etc directory, which basically stops all the system processes. Next the file
systems are checked (unless the administrator explicitly doesn’t have them
checked) and then the system is halted. Typically, the system is brought to the
boot prompt or boot loader level. At this point, the power to the computer system
can be turned off.

Command    Description
halt       Halts the computer; it kills all processes and brings the system to the
           boot prompt level.
init       Controls the master system process; given a valid run-level argument,
           places the system in that run level.
reboot     Restarts the system; brings the system down and then restarts the
           system, and returns it to default normal operating mode.
shutdown   Brings the system to the single-user mode level. All users are asked
           to log off the system.

Table 9-1 Commands to Shut Down the System

Figure 9-2 UNIX shutdown process


Halting the System
To halt the system basically means to bring the system to the lowest boot level.
For many systems, this means placing the system at the computer firmware level
so that the system can be powered down or rebooted in a different manner.
For example, boot an upgrade program from CD-ROM so that the system
can be updated with newer operating system software. Using this command is
typically one of the fastest ways to safely turn off the system without shutting
down the power.

Hint

Halting the system when users are logged in and are active is not the preferred
way to bring the system down.

To bring the system down or to halt the system using the halt command, do
the following:
# /etc/halt

When executed on a Solaris Sparc system called dino, the following will be
displayed:
Feb 3 13:50:25 dino halt: halted by root
Feb 3 13:50:25 dino syslogd: going down on signal 15
syncing file systems... done
Program terminated
Ok

The example shows that the root user halted the system, a similar message
was logged to the syslog logging facility, and the file systems were synced.
The most important step here is that the file systems were synced or updated
by the system. This means that all information (data) that was contained within
system buffers was flushed (or written) to all associated disk files.
When this command is executed on an Intel Linux system called didymus,
the following is displayed:
Red Hat Linux release 7.2 (Enigma)
Kernel 2.4.7-10 on an i686

didymus login: cardmgr[626]: shutting down socket 0
cardmgr[628]: executing: 'modprobe -r 3c5745_cs'
unloading Kernel Card Services
md:recovery thread got woken up...
md:recovery thread finished ...
md:recovery(8) flushed signals.
Md: stopping all md devices.
System halted.

The halt command provides a few command-line arguments that can
further refine how the system is brought down. The command options are
listed in Table 9-2.
If you need to shut down the system in the quickest manner possible,
use the -q option. The init command can also be used to halt the system, by
issuing the
init 0

command. The system will be halted in the same manner as when halt command
is used. The init command permits the administrator to control the run-level
the system will be operating under. When the above command is run, the
following will be displayed:
INIT: New run level: 0
The system is coming down. Please wait.
System services are now being stopped.
Print services stopped.
Feb 3 13:44:50 dino syslogd: going down on signal 15
The system is down.
syncing file systems... done
Program terminated

Rebooting the System
The system can be shut down and then restarted using the reboot system
command.

Hint

The reboot command is not the preferred way to bring the system down
when users are logged into the system. This command is very handy because
the administrator is given a little more control about how the system is restarted.

Option   Description
-d       Instruct the system to perform a system crash dump before the system
         is restarted (Solaris and HP-UX only).
-f       Don’t call the shutdown command when bringing the system down
         (Linux only).
-l       Don’t log a message to the system when halting.
-n       Don’t run the sync command before halting the system.
-q       Don’t gracefully shut down the system; just do it fast.
-w       Don’t reboot or halt the system; just update the log file (Linux only).

Table 9-2 The halt Command-Line Options

Ask the Expert
Question Why would you need to shut down the system as
quickly as possible with the halt -q command without going through
a complete proper shutdown process?
Answer Only in a rare situation would the administrator need to
halt the system without doing a complete and proper shutdown—for
instance, when a hardware problem has occurred and must be corrected
quickly. Also, if you have physical access to the system, hitting the
power off button would also be necessary.
Question Why would you need to restart the system?
Answer There are a number of reasons for why the system will need
to be shut down and brought back up again. One reason for example,
the administrator introduced some configuration changes to the system
and wants to ensure that the system will boot with no problems despite
these changes.

When invoked, the reboot command displays the same basic information
as the halt command. The difference between the reboot command and the
halt command is that with reboot, it will automatically restart the system
after it is brought down. One very useful feature of reboot is that it accepts
additional command-line arguments, which control how the system should be
started back up. For example, to restart the system and place it in single-user
mode, use the following command:
reboot -- -s

In this case, the -s option was preceded by the two dashes (--) to instruct
this command to pass the -s option to the boot process when the system is
restarted. The -s option tells the boot loader program to bring the system up to
single-user (s) mode. Thus, the following output was generated by the command
when run on a Solaris Sparc system:
Feb 3 15:54:09 dino reboot: rebooted by root
Feb 3 15:54:09 dino syslogd: going down on signal 15
syncing file systems... done
rebooting...
Resetting ...
Netra t1 (UltraSPARC-IIi 440MHz), No Keyboard
OpenBoot 3.10.25 ME, 512 MB memory installed, Serial #14242136.
Ethernet address 8:0:20:d9:51:58, Host ID: 80d95158.
Executing last command: boot -s
Boot device: /pci@1f,0/pci@1,1/scsi@2/disk@0,0:a File and args: -s
SunOS Release 5.8 Version Generic_108528-03 64-bit
Copyright 1983-2000 Sun Microsystems, Inc. All rights reserved.
configuring IPv4 interfaces: hme0.
Hostname: dino
INIT: SINGLE USER MODE
Type control-d to proceed with normal startup,
(or give root password for system maintenance):

When the system is placed in single-user mode, the system prompts for the
root password. The output above would be comparable when run on either
the Linux or HP-UX systems. However, the Linux reboot command doesn’t
support the -- option, nor can it pass additional command-line options to the
boot loader program.
The init command can also be used to reboot the system, using the
init 6

command. Again, this isn’t the preferred way to reboot the system when the
system has active users.

Normal System Shutdown
When the system is in multi-user mode, users are logged into the system, and
are actively working on the system; the best way to shut the system down is
with the shutdown command. This command provides the users with the
ability to schedule the shutdown at a fixed point in the future, knowing when
the system will become unavailable. Also, a warning message or information
about why the system is coming down can be included with the shutdown
command. For example, assume the system bedrock must be shut down for
some disk maintenance one hour from the current time. On Solaris and HP-UX,
use this command:
shutdown -g 3600 "###### Down for Disk Maintenance: System back in two hours ######"

The –g option is used to tell the command to wait the supplied number of
seconds before proceeding with shutting down the system. In this example, the
value 3600 is given to represent one hour.

Hint

In practice, the administrator should give more time than just an hour to the
user community when bringing the system down. However, if the maintenance
task is very important and must be done right away—say, to fix an important
disk failure—giving advance notice to a pending shutdown can’t be done.

Each user that is logged into the system will be notified for the pending
shutdown. When the shutdown command is first executed, a message like
the following will be sent to all users currently on the system:
Broadcast Message from root (console) on dino Sun Feb 3 15:23:55...
The system dino will be shut down in 1 hour
###### Down for Disk Maintenance: System back in two hours #####

When the time for the system to be brought down approaches, the users are
notified on a periodic basis. The format is similar to the message above.


Hint

If you want to cancel the shutdown command once it has started, simply type
a ^C (CTRL-C). If the command was placed in the background when executed,
bring it to the foreground or use the kill command with the associated
process ID.

The shutdown command also supports the -i option, which controls which
run level the system will be placed in when it reboots.
On Linux, the shutdown command is more functional and supports a number
of useful command-line arguments, as listed in Table 9-3.
For instance, to have the system rebooted and not have the file systems
checked on startup, use the following:
shutdown -r -f now "Down for Disk Maintenance: System back in two hours"

Determining When the System Was Halted
When the system is shut down, a record is kept in the /var/adm/messages
file. Simply search for the keyword halt or other related strings. Thus, the
command
# grep halt /var/adm/messages

will yield similar output if the system has been halted in the past:
Oct 30 23:09:31 dino halt: [ID 662345 auth.crit] halted by root
Nov 1 22:51:22 dino halt: [ID 662345 auth.crit] halted by root
Feb 3 13:50:25 dino halt: [ID 662345 auth.crit] halted by root

Option   Description
-F       Make sure that the fsck is done when the system is rebooted.
-f       Don’t perform a fsck on the file systems when the system is restarted.
-c       Stop a shutdown that is already in progress.
-k       Don’t actually shut down the system. Instead, send a warning message
         to all users logged into the system.
-r       Reboot the system after it has shut down.

Table 9-3 Shutdown Command-Line Options
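The grep in "Determining When the System Was Halted" answers the question "was this machine ever halted?"; an administrator usually also wants to know who did it and whether that was expected. The following POSIX shell script is an added example, not code from the book. It parses halt and reboot records in the two line formats shown above (the bare Solaris form and the tagged "[ID ... auth.crit]" form), counts them, and lists records attributed to any account other than the one that is supposed to take the machine down. The messages file it builds is constructed for the example; the function names are its own.

```shell
#!/bin/sh
# Added example (not from the book): audit halt and reboot records in a
# syslog-style file such as /var/adm/messages. Only awk is required.

# shutdown_events FILE: print "MON DAY TIME HOST EVENT USER" for each
# "halt:" or "reboot:" record that ends in "by <user>". Matches both the
# bare form ("dino halt: halted by root") and the tagged form
# ("dino halt: [ID 662345 auth.crit] halted by root"); other daemons'
# lines (cron, sshd, ...) have a different fifth field and are ignored.
shutdown_events() {
    awk '($5 == "halt:" || $5 == "reboot:") && $(NF-1) == "by" {
            sub(/:$/, "", $5)
            print $1, $2, $3, $4, $5, $NF
         }' "$1"
}

# count_events FILE EVENT: how many halt (or reboot) records FILE holds.
count_events() {
    shutdown_events "$1" | awk -v ev="$2" '$5 == ev { n++ } END { print n + 0 }'
}

# unexpected_events FILE USER: records attributed to anyone but USER, the
# account that is supposed to bring the machine down. A hit here, or a halt
# at an odd hour, is what to look into first.
unexpected_events() {
    shutdown_events "$1" | awk -v ok="$2" '$6 != ok'
}

# sample_log: write a constructed messages file and print its path. The
# lines copy the format of the book's grep output; the "bob" entry is made up.
sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Oct 30 23:09:31 dino halt: [ID 662345 auth.crit] halted by root
Oct 31 01:00:00 dino cron[123]: [ID 702911 cron.info] job finished
Nov 1 22:51:22 dino halt: [ID 662345 auth.crit] halted by root
Feb 3 13:50:25 dino halt: halted by root
Feb 3 15:54:09 dino reboot: rebooted by root
Feb 4 02:13:40 dino halt: [ID 662345 auth.crit] halted by bob
EOF
    echo "$f"
}
```

Against the sample, `count_events "$(sample_log)" halt` reports 4 halts and `unexpected_events FILE root` prints only the record attributed to bob. On a real system point the functions at /var/adm/messages (or the rotated copies), and compare the dates against the change calendar.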


1-Minute Drill
● What are the key steps in the startup process?
● When might you need to change the system boot settings?

9.3 Uncover UNIX Operating Levels
The UNIX system is a multi-user, time-sharing system that supports different
operating levels or service levels. The system supports a number of different
operating or run-level modes. In general, the system is operating in what is
known as multi-user mode. More specifically, the multi-user mode maps to
run level 2, which is usually the default mode configured when the system
boots. This run level is defined as permitting users to access the system, and
also critical system processes and resources are available. Table 9-4 lists the
available run levels within UNIX.
The UNIX system uses a standard init configuration file to control run
levels and which services are started (or stopped when the system is brought
down) when the system is booted. The /etc/inittab is read by the init
process during system startup or shutdown. Also, when the system
administrator modifies this file, the init process can reread this file when
necessary. The /etc/inittab files for Solaris, HP-UX, and Linux differ not
so much in syntax, but in contents. In other words, the services started for their
run levels are different, but the basic structure of the files is the same.

Run Level   Description
S or s      Place the system in single-user mode. This mode is used for system
            maintenance.
0           Causes the system to be halted.
1           Places the system in single-user mode (Linux only).
2           Multi-user mode without NFS (Linux). Multi-user mode, but without
            network services (Solaris and HP-UX).
3           Multi-user mode; typically the default run level with full system services.
5           X11 workstation (Linux only). Shut down the system so that the power
            can be off (Solaris and HP-UX). This is the default run level for Linux.
6           Causes the system to be rebooted.

Table 9-4 Standard UNIX Operating (Run) Levels

● First the UNIX kernel starts, then the kernel starts the init process. The init starts all the correct processes by
executing startup scripts, and finally additional system processes are done.
● When you add or change services or if you are having system problems and need to reconfigure to correct
the problems.
On Solaris, the /etc/inittab file contains the following entries:
ap::sysinit:/sbin/autopush -f /etc/iu.ap
ap::sysinit:/sbin/soconfig -f /etc/sock2path
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog
.
.
sS:s:wait:/sbin/rcS >/dev/msglog 2<>/dev/msglog
.
.
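Because the structure of /etc/inittab is the same across these systems (each entry is id:runlevels:action:process, with comment lines starting with #), the mapping from run level to started service can be read mechanically. The following POSIX shell script is an added example, not code from the book: it lists what init runs at a given run level and reports entries whose program is missing or writable by everyone. That second check matters because init runs these programs as root, so a world-writable one hands root to any local user at the next boot or respawn. The inittab used in the test is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): inspect an inittab file whose entries
# have the form id:runlevels:action:process.

# inittab_for_level FILE LEVEL: print "id action process" for every entry
# whose runlevels field contains LEVEL (for example 3, or s for single-user
# mode). Entries with an empty runlevels field, such as sysinit, are not
# specific to a run level and are not listed.
inittab_for_level() {
    awk -F: -v lvl="$2" '
        $0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ { next }   # comments and blank lines
        index($2, lvl) > 0 { print $1, $3, $4 }' "$1"
}

# inittab_programs FILE: "id program" pairs, where program is the first word
# of the process field (arguments and redirections dropped).
inittab_programs() {
    awk -F: '
        $0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ { next }
        $4 != "" { split($4, w, " "); print $1, w[1] }' "$1"
}

# inittab_check FILE: report entries whose program does not exist or is
# world-writable (mode bit 002). Both deserve a look: a missing program is a
# broken boot step, a world-writable one is a privilege-escalation path.
inittab_check() {
    inittab_programs "$1" | while read -r id prog; do
        if [ ! -e "$prog" ]; then
            echo "$id $prog MISSING"
        elif [ -n "$(find "$prog" -prune -perm -002 2>/dev/null)" ]; then
            echo "$id $prog WORLD-WRITABLE"
        fi
    done
}
```

`inittab_for_level /etc/inittab 3` shows what a multi-user boot starts; `inittab_check /etc/inittab` should print nothing on a healthy system, and any WORLD-WRITABLE line is a finding to fix before the next reboot.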
Module 11: Basic Network Tools

 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
elxl1: flags=1000843 mtu 1500 index 2
inet 216.155.202.100 netmask ffffff00 broadcast 216.155.202.255
ether 0:10:4b:1f:8d:ef
lo0: flags=2000849 mtu 8252 index 1
inet6 ::1/128

The -a option indicates that all interfaces installed within the system,
regardless of their present configuration or operational state, should be shown.
The examples displayed above indicate that a number of interfaces are
defined. Note that the system output above is quite similar regardless of which
operating system the command was run against. On Linux, the first eth0 entry
represents the physical hardware interface for 10-Mbps Ethernet using the
3Com Ethernet driver. The second, lo, is the loopback interface, primarily
used for internal communication and diagnostics. The loopback interface can
be used to determine if the TCP/IP software is operating correctly on a local
level. For instance, it is possible to ping the loopback address to determine
valid responses. The final (ppp0) interface represents a point-to-point dial-up
link for connectivity to a local Internet service provider (ISP).
For Solaris, the elxl interface is shown, which represents the Fast Ethernet
interface.

Hint

The Solaris output shows two entries for the loopback interface because one is
for IPv4 IP addresses while the second one is for IPv6 IP addresses.

For each interface, the display includes the following fields:
● Link encap  This specifies the link encapsulation protocol that the
  interface will use when transmitting data link frames. Supported types
  include Ethernet, Local Loopback, and Point-to-Point Protocol.
● HWaddr  This is the data link address for the encapsulation protocol.
  Ethernet uses the hexadecimal notation, such as in the entry for the eth0
  interface: 00:10:5A:28:5D:7C.
● inet addr  This is the IP address associated with this interface.
● Bcast  This represents the network layer broadcast address.
● Mask  This represents the subnet mask address.

In addition, the display includes the operational parameters for the interface.
These include UP, BROADCAST, RUNNING, PROMISC, and MULTICAST. These
options show the mode and current state of the interface.
Next, the display includes fields that represent the statistical counters,
such as received packets (RX), transmitted packets (TX), number of collisions
(collisions), and so forth. These provide a relatively easy way to benchmark
the performance of the interface. Finally, the remaining fields show the interrupt
number and I/O base address of the interface hardware. Notice, too, that not all
interfaces have an associated interrupt number and I/O address. The loopback
interface lacks these fields because it uses no specific hardware within the system.


Controlling Interface State
With ifconfig, it is possible to disable an active interface or enable a disabled
interface while the system is running. In the disabled state, no packets will be
permitted across the interface. This is equivalent to disconnecting the interface
from the network. When an interface is disabled, it is considered down from an
administrative standpoint. To place an interface in the down state, invoke the
ifconfig command with the appropriate interface and the down keyword
option as shown:
# ifconfig eth0 down

The administrator can use the ifconfig command with the interface
name instead of the -a option to list an individual interface. The following
command displays the configuration of the interface that we shut down with
the previous command:
# ifconfig eth0
eth0      Link encap:Ethernet HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.3.127 Bcast:10.0.3.255 Mask:255.255.255.0
          BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:3452 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3212 errors:1 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          Interrupt:38 Base address:0x3200

Notice the keywords up and running are now missing from the output.
This is how ifconfig indicates that an interface has been disabled and is not
available for use. To enable or activate this interface, we simply use the up
command option:
# ifconfig eth0 up

When the interface is up, it is available on the network and receiving network
information. Without the indication of the up flag, the interface is operational
and perhaps connected to the network, but no information is flowing to or from
the network.
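The state just read off by eye (UP and RUNNING present or absent in the flag line) can be read by a script from saved ifconfig output, which is useful when the same check has to run against many hosts or old captures. The following POSIX shell script is an added example, not code from the book. It parses captured ifconfig text in both the Linux layout shown above and the Solaris flags=...<...> layout from the earlier listing, reports whether an interface carries the UP flag, and lists interfaces with PROMISC set; that last flag is one the display fields section mentions, and it is worth watching because packet-capture tools put an interface into promiscuous mode. The sample output embedded in the script is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): read interface flags out of saved
# ifconfig output. Handles the Linux layout (flag words on an indented line
# that ends with MTU:... Metric:...) and the Solaris layout (name: flags=HEX<UP,...>).

# Constructed sample output: eth0 is administratively down, eth1 is up and
# in promiscuous mode, and two Solaris-style entries follow.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.3.127  Bcast:10.0.3.255  Mask:255.255.255.0
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:3452 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3212 errors:1 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          Interrupt:38 Base address:0x3200

eth1      Link encap:Ethernet  HWaddr 00:10:5A:28:5D:7C
          inet addr:10.0.4.5  Bcast:10.0.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
elxl1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 216.155.202.100 netmask ffffff00 broadcast 216.155.202.255'

# iface_flags TEXT: one line per interface, "NAME FLAG FLAG ...".
iface_flags() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "") print name, flags; name = ""; flags = "" }
        # An interface block starts in column 0 with the interface name.
        /^[A-Za-z][A-Za-z0-9]*:? / {
            flush(); name = $1; sub(/:$/, "", name)
            # Solaris: the flags sit on the same line inside <...>.
            if (match($0, /flags=[0-9a-fA-F]+<[^>]*>/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^[^<]*</, "", s); sub(/>$/, "", s); gsub(/,/, " ", s)
                flags = s
            }
            next
        }
        # Linux: an indented line of upper-case flag words ending in MTU:...
        $1 ~ /^[A-Z]+$/ && /MTU:/ {
            for (i = 1; i <= NF && $i !~ /^MTU:/; i++)
                flags = (flags == "" ? "" : flags " ") $i
        }
        END { flush() }'
}

# iface_state TEXT NAME: "up" if the UP flag is present, "down" if the
# interface is listed without it, "unknown" if it is not listed at all.
iface_state() {
    iface_flags "$1" | awk -v want="$2" '
        $1 == want { found = 1; s = "down"
                     for (i = 2; i <= NF; i++) if ($i == "UP") s = "up"
                     print s }
        END { if (!found) print "unknown" }'
}

# promisc_ifaces TEXT: names of interfaces carrying the PROMISC flag.
promisc_ifaces() {
    iface_flags "$1" | awk '{ for (i = 2; i <= NF; i++) if ($i == "PROMISC") print $1 }'
}
```

On a live system, `iface_state "$(ifconfig -a)" eth0` gives the same answer as reading the flag line, and `promisc_ifaces "$(ifconfig -a)"` should normally print nothing; an interface that turns up there without a known reason is worth a look.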


Modifying Interface Parameters
Three methods can be used to modify network interface parameters. First, using
ifconfig directly, changes can be made on the command line and will take
effect immediately. The second approach involves modifying the system startup
and/or system files that ifconfig uses to configure the interface. This approach
ensures that interface changes are made permanently and won’t disappear across
system reboots. Sometimes both approaches are used. Often, a configuration change
must be implemented quickly before the system can be rebooted at a convenient
time. As a result, ifconfig can be used to make the immediate changes.
Normally, when a new interface is installed on a system, this configuration may
be handled by the installation procedure. The third method involves using the
GUI control panel applications, control-panel for Linux and SAM for HP-UX,
to make the changes.
Using ifconfig, the following important information can be changed for
an interface:
● IP address
● Network mask
● Broadcast address
● Data link address
● MTU

The IP address is specified in the normal dotted decimal notation and
represents the unique address for the host on the network to which the system
is attached. The network subnet mask (or netmask) specifies the filter used to
calculate the network and host portions for the subnet. The broadcast address
specifies the IP address to which broadcast packets should be directed. The data
link address represents the unique low-level hardware address used by Ethernet
or FDDI, and is associated with the hardware itself. The maximum transfer unit
(MTU) denotes the maximum message size that the interface can handle. The
standard message size is 1500 for Ethernet, 4096 for FDDI, and 2048 for token
ring. The MTU is rarely modified, and when it is, it can’t be configured to
support values higher than what the hardware will support; only lower values
may be used.

11

UNIX System Administration: A Beginner’s Guide

Let’s suppose that the IP address of a system must be changed because the
system is moved to a different subnet. In this case, the netmask and broadcast
information remain the same. The move to the new network involves changing
the IP address of the interface only. The old IP address is 128.197.9.10
and the new IP address is 128.197.10.1. The following command would
be used to change the network information on the fly:
# ifconfig eth0 128.197.10.1

To make this change permanent, we must modify the /etc/hosts file.
This file contains the mapping between hostname and the associated IP address.
On system startup, the IP address is derived from the file and applied to the
interface. The netmask and broadcast information are the same; we can use
the existing values. The hostname could also be specified on the command line
instead of the IP address. Thus, the command
# ifconfig eth0 fred

accomplishes the same result, assuming that fred has been assigned the IP
address of 128.197.10.1, either in the /etc/hosts file, DNS, or the NIS
hosts database.
As you can see, changing the IP address for an interface is relatively
straightforward. However, changing other interface characteristics requires a
bit more work. To extend the preceding example, let us now assume that we
must change the netmask and broadcast information. To change the interface,
the administrator could use
# ifconfig eth0 128.197.10.1 netmask 255.255.0.0 broadcast 128.197.255.255

In the example above, the netmask and broadcast keywords must be
used to identify the information that follows each keyword. The netmask contains
1s in the bit positions of the 32-bit address that are to be used for the network
and subnet (if applicable) parts, and 0s for the host portion. The netmask/subnet
portion must occupy at least as many bits as is standard for the particular network
class. If no subnets are defined, the standard netmask is used. When using subnets,
they require that more bits than what is normally the host portion of the address
be reserved to identify the subnet. A netmask can be specified in two different
ways: dotted decimal notation and hexadecimal notation.


The dotted decimal notation is expressed in four single-byte numbers
separated by dots (for example, 255.255.255.0). The hexadecimal format
includes using the 0x prefix followed by a hexadecimal string value. For example,
the hexadecimal value for 255.255.255.0 is 0xffffff00. Since ifconfig
supports both formats, they can be used interchangeably. Each of the standard IP
class addresses has associated default netmask addresses, as shown in Table 11-4.

Hint

The addresses in Table 11-4 are just the standard ones used if no subnetting is
implemented. The specific subnet mask addresses used in many sites will differ
from these because the subnets defined use more bits than the standard for
that class.

The broadcast address can be specified in the same ways as the netmask
address. However, the broadcast address is usually formed by turning all the
bits in the host portion of an address to 1s. For example, the broadcast address
for the 128.197.0.0 network is 128.197.255.255.
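As an added illustration that is not part of the book, the following Python script carries out the netmask and broadcast arithmetic described above: it accepts a mask in either of the two forms ifconfig takes (dotted decimal or 0x-prefixed hexadecimal), checks that the mask is a contiguous run of 1s followed by 0s and that it reserves at least the bits standard for the address class (the Table 11-4 defaults), and derives the network and broadcast addresses by setting the host bits to 1s. All function and variable names are the example's own.

```python
import ipaddress

# Default (classful) netmasks, as listed in Table 11-4.
CLASS_DEFAULT_NETMASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def parse_netmask(text):
    """Accept a netmask in either form ifconfig takes, dotted decimal
    (255.255.255.0) or hexadecimal (0xffffff00), and return a 32-bit int."""
    if text.lower().startswith("0x"):
        value = int(text, 16)
    else:
        value = int(ipaddress.IPv4Address(text))
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("netmask out of range: %s" % text)
    return value


def is_contiguous_mask(mask):
    """A netmask must be a run of 1s followed by a run of 0s. Inverting it
    leaves a run of 0s then 1s, which is exactly a number of the form 2^n - 1."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def to_hex(value):
    return "0x%08x" % value


def address_class(ip):
    """Classful network class (A, B, C, D or E) from the first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def interface_addressing(ip, netmask):
    """Derive what ifconfig needs for an interface: the network address, the
    broadcast address (host bits set to 1s), the prefix length, and whether the
    mask subnets the classful default. Masks that are not contiguous, or that
    reserve fewer bits than the class requires, are rejected."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask = parse_netmask(netmask)
    if not is_contiguous_mask(mask):
        raise ValueError("non-contiguous netmask: %s" % netmask)
    cls = address_class(ip)
    if cls not in CLASS_DEFAULT_NETMASK:
        raise ValueError("%s is a class %s address, not a unicast host address" % (ip, cls))
    default = parse_netmask(CLASS_DEFAULT_NETMASK[cls])
    if (mask & default) != default:
        raise ValueError("netmask %s is shorter than the class %s default %s"
                         % (netmask, cls, CLASS_DEFAULT_NETMASK[cls]))
    network = ip_int & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {
        "class": cls,
        "netmask_dotted": to_dotted(mask),
        "netmask_hex": to_hex(mask),
        "prefix_len": bin(mask).count("1"),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "subnetted": mask != default,
    }


if __name__ == "__main__":
    # The example from the text: 128.197.10.1 with the class B default mask.
    print(interface_addressing("128.197.10.1", "255.255.0.0"))
    # A class A address subnetted with a hexadecimal mask (values constructed here).
    print(interface_addressing("10.0.2.128", "0xffffff00"))
```

Because ifconfig itself accepts any 32-bit value as a mask, the contiguity and class-length checks are the part worth keeping: a non-contiguous or too-short mask silently puts the host on the wrong network rather than failing.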

Class   Dotted Decimal Notation   Hexadecimal Notation
A       255.0.0.0                 0xff000000
B       255.255.0.0               0xffff0000
C       255.255.255.0             0xffffff00

Table 11-4   Standard Netmask Addresses

Special Configuration Parameters
The ifconfig command supports additional parameters. These include
● arp
● multicast
● promiscuous mode
● media type
● point-to-point

The arp keyword specifies that the interface should support an ARP-style
IP address resolution. When an interface is created with ifconfig, the default
is to support ARP. To disable ARP on an interface, use the -arp keyword. On
most networks, ARP must be turned on.
The allmulti keyword enables or disables (-allmulti) all multicast
traffic modes. If enabled, multicast packets (that is, packets with Class D network
addresses) will be received by the interface. Despite the fact that multicast traffic
is available on the interface, an application that supports multicast traffic will
need to be running to make use of this type of traffic. Multicast is used by
multimedia applications to transport packets that contain real-time video and
audio data.
The promisc keyword will enable the interface to receive all network traffic.
It is known as promiscuous mode when all traffic is read, not just the normal
traffic sent to it by other systems on the network. Use the -promisc command
to disable this mode. Certain networking tools such as tcpdump will enable
this mode automatically when in operation.
The media keyword changes the physical connectivity type for the interface.
Not all interfaces support the ability to dynamically change interface media
types. For those that do, many of the most common types may be used, such
as 10Base2 for thin Ethernet, 10BaseT for twisted pair Ethernet, and AUI which
is associated with 10Base5 Ethernet.
The pointtopoint keyword enables the use of a point-to-point link layer
encapsulation protocol, which generally means that direct connectivity will exist
between two systems. The commonly supported protocols, such as PPP or SLIP,
can be used.

Logical Interfaces
The ifconfig command creates and configures logical (also known as virtual
or pseudo) interfaces. These interfaces behave like physical interfaces and can
be used to assign multiple IP addresses to the same system. From a configuration
standpoint, logical interfaces are configured independently but share the same
physical address and interface characteristics as the real physical interface.
To configure a pseudointerface, combine the physical interface with a
logical interface reference number, separated by a colon. For example, to
configure the first logical interface for eth1, use the following command:
# ifconfig eth1:1 10.0.2.128 netmask 0xffffff00 broadcast 10.0.2.255


Logical interfaces are displayed just like the physical ones using the
ifconfig -a command. The following output shows one logical interface
defined from the physical interface eth1:

Physical interface:
eth1      Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.2.127  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:55 Base address:0x3000

Logical interface:
eth1:1    Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.2.128  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:55 Base address:0x3000

Notice the pseudointerface, eth1:1, contains the same Ethernet hardware
address (08:00:20:04:CF:2C) and the same interrupt level (55) as the real
interface. These are additional clues that indicate that this interface is the same
as the eth1 interface.
To remove a logical interface, use the down keyword. Thus, the command
ifconfig -a eth1:1 down

will remove the eth1:1 interface from the system. If this logical interface was
created during system startup, the interface will be configured again when the
system is restarted.
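The following Python script is an added example, not code from the book: it parses the Linux ifconfig -a output format shown above into a table, groups each logical interface (name:N) under its physical parent and confirms the two share a hardware address, and also reports any interface whose flags include PROMISC, the promiscuous mode described in the previous section. The sample output is constructed for the example: the eth1/eth1:1 pair repeats the text's listing, while eth2 (hardware address 00:00:5E:00:53:01, address 192.0.2.10) is made up to show what a promiscuous interface looks like in the report.

```python
import re

# Constructed sample in the Linux ifconfig -a layout shown above. eth1 and
# eth1:1 follow the text; eth2 is invented and left in promiscuous mode.
SAMPLE_IFCONFIG = """\
eth1      Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.2.127  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:55 Base address:0x3000

eth1:1    Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.2.128  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:55 Base address:0x3000

eth2      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""

# Flag words ifconfig prints on the line that also carries MTU: and Metric:.
FLAG_WORDS = {"UP", "BROADCAST", "RUNNING", "MULTICAST", "PROMISC", "LOOPBACK",
              "POINTOPOINT", "NOARP", "ALLMULTI", "DEBUG", "NOTRAILERS", "DYNAMIC"}


def parse_ifconfig(text):
    """Return {name: {hwaddr, inet, mask, mtu, flags}} from ifconfig -a output.
    A block starts with a name in column 0; continuation lines are indented."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            current = {"name": parts[0], "hwaddr": None, "inet": None,
                       "mask": None, "mtu": None, "flags": set()}
            interfaces[parts[0]] = current
            line = parts[1] if len(parts) > 1 else ""
        if current is None:
            continue
        m = re.search(r"HWaddr\s+(\S+)", line)
        if m:
            current["hwaddr"] = m.group(1).upper()
        m = re.search(r"inet addr:(\S+)", line)
        if m:
            current["inet"] = m.group(1)
        m = re.search(r"Mask:(\S+)", line)
        if m:
            current["mask"] = m.group(1)
        m = re.search(r"MTU:(\d+)", line)
        if m:
            current["mtu"] = int(m.group(1))
            current["flags"].update(w for w in line.split() if w in FLAG_WORDS)
    return interfaces


def logical_interfaces(interfaces):
    """Map each physical interface name to the logical (name:N) interfaces on it."""
    groups = {}
    for name in interfaces:
        if ":" in name:
            groups.setdefault(name.split(":", 1)[0], []).append(name)
    return groups


def alias_hwaddr_mismatches(interfaces):
    """Logical interfaces whose hardware address differs from their parent's.
    An alias shares the physical NIC, so this list should be empty."""
    bad = []
    for parent, aliases in logical_interfaces(interfaces).items():
        parent_hw = interfaces.get(parent, {}).get("hwaddr")
        bad.extend(a for a in aliases if interfaces[a]["hwaddr"] != parent_hw)
    return bad


def promiscuous_interfaces(interfaces):
    """Interfaces currently reading all traffic on the wire (PROMISC flag set)."""
    return sorted(n for n, i in interfaces.items() if "PROMISC" in i["flags"])


if __name__ == "__main__":
    ifs = parse_ifconfig(SAMPLE_IFCONFIG)
    print("aliases:", logical_interfaces(ifs))
    print("alias hwaddr mismatches:", alias_hwaddr_mismatches(ifs))
    print("promiscuous:", promiscuous_interfaces(ifs))
```

Run against real output with ifconfig -a piped into the script, the promiscuous list is the item to act on: an interface in PROMISC mode without a packet capture tool such as tcpdump running on the host is worth explaining.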

1-Minute Drill

● Why is the loopback interface useful?
● Explain the use of logical interfaces.

● The loopback address is provided so you can run diagnostics on your own computer.
● A logical interface assigns an additional IP address to a system on the same physical network interface.
A logical interface shares all the characteristics of the physical interface except for the different address.

11.3 Monitor Network Operations using Netstat
The netstat command provides a wealth of information regarding the present
status of network connections, routing information, and other important
network-related data. This tool, short for network status, is strictly for monitoring
and is one of the most popular debugging aids available on UNIX. Different
command-line options control the display behavior of netstat. Given this, the
functionality can be divided into a number of categories and used to accomplish
the following:
● List active network sessions
● Show interface information and statistics
● Display routing table information

This tool also provides specific options that control the operation and
output formatting. Table 11-5 contains the major keywords that control the
network information that will be displayed. On Linux, some of the command
options/keywords have a single-character option and a mnemonic string. For
instance, the -h and --help options, which display command-line summary
help, can be used interchangeably.
Option  Description
-i      Shows network interface parameters and statistical information
        (--interface Linux only).
-g      Displays multicast group membership information (--groups Linux only).
-M      Lists all sessions that use the masqueraded capabilities within FTP
        (--masquerade Linux only).
-r      Shows the network routing tables (--route Linux only).
-P      Lists connection information for a specific network protocol. Supported
        protocols include ip, ipv6, icmp, icmpv6, igmp, udp, and rawip
        (Solaris and HP-UX).
-t      Displays active TCP socket connections. The -tcp option will continuously
        display these connections until interrupted by the user (Linux only).

Table 11-5   Netstat Output Data Options


Table 11-6 contains command-line modifiers that either provide additional
information or modify the output when used with the keyword options shown
in the previous table.

Displaying Active Network Sessions
One of the significant services provided by netstat is the ability to view active
connections between systems. Any TCP session between the local host and any
other system can be monitored. Also, any stream sockets that have been created
will be displayed. Streams are used as a program-to-program communication
channel. To display the currently established connections, issue the netstat
command with the -t (Linux only) option as shown here:
# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 110.orlando-11-12r:1052 192.215.123.37:www      ESTABLISHED
tcp        1      0 110.orlando-11-12r:1051 192.215.123.37:www      CLOSE
tcp        0      6 110.orlando-11-12r:1050 postoffice.worldn:pop-3 ESTABLISHED
tcp        0      0 110.orlando-11-12r:1049 www3.yahoo.com:www      ESTABLISHED
tcp        0      0 socrates.home.co:telnet durer.home.com:1033     ESTABLISHED
tcp        0      0 socrates.home.co:telnet durer.home.com:1032     ESTABLISHED

Table 11-5 shows that the -t option will display TCP socket activity. As
indicated, the output of the above command includes the connections on the local
system. Each connection includes information regarding the local and remote
addresses, statistical information, and connection status. The local and
remote addresses are displayed to include hostname and port information
in the format:
host.port

where host can either be an assigned hostname from /etc/hosts (or from
another host resolution mechanism such as NIS or DNS) or a valid IP address.
The port represents either a reserved port, as defined in /etc/services, or a
socket allocated by the system. The local address is the source and the remote
address is the destination.

Option  Description
-a      Shows status of all network connections or sockets.
-c      (Linux only) Causes the output to be continuously displayed until the user
        interrupts the output (--continue is supported as well).
-h      (Linux only) Displays command-line summary information to the user
        (--help is supported as well).
-n      Displays numeric information (for example, IP addresses) instead of
        attempting to resolve to a host, port, or username (--numeric Linux only).
-p      (Linux only) Shows the process name and identifier for each network socket
        listed (--program is supported as well).
-v      (Linux only) Prints additional information (--verbose is supported as well).

Table 11-6   Command Modification Options
To obtain the same information from either Solaris or HP-UX, use the -P
option. This option requires adding a network protocol keyword, to be supplied
to show connections based on the network protocol. For example, to show all
connections based on the TCP transport protocol use the following:
netstat -P tcp
TCP: IPv4
   Local Address          Remote Address         Swind Send-Q Rwind Recv-Q  State
---------------------- ---------------------- ----- ------ ----- ------ -----------
bedrock.home.com.32794 bedrock.home.com.32777 73620      0 73620      0 ESTABLISHED
bedrock.home.com.32777 bedrock.home.com.32794 73620      0 73620      0 ESTABLISHED
localhost.32797        localhost.32792        73620      0 73620      0 ESTABLISHED
localhost.32792        localhost.32797        73620      0 73620      0 ESTABLISHED
localhost.32800        localhost.32799        73620      0 73620      0 ESTABLISHED

The other supported protocol keywords are ip, ipv6, icmp, icmpv6, igmp,
udp, and rawip. As shown above, the output is consistent with the previous
Linux output in terms of information that is displayed.
Recall from Module 10 that TCP uses four elements to make up a connection
and uses a state machine model as part of TCP’s overall transport mechanism.
As a result, monet.telnet and rembrandt.1036, for example, are
considered one connection. From the State field, we can see that this
connection is in the ESTABLISHED state, which means that everything is
operating normally.
Since TCP uses a state machine to control each of the defined states, we can
use the netstat command to track and display the state of each TCP connection.
Table 11-7 shows the most common states and includes a general description
of each.
State         Description
ESTABLISHED   The connection is operational.
LISTEN        A service or application is waiting for a client connection.
SYN_SENT      Local system wants to open a remote connection.
SYN_RCVD      Remote system wants to open a connection.
FIN_WAIT_1    Local system is in the process of closing a connection.
FIN_WAIT_2    Local system is in the process of closing a connection.
CLOSE_WAIT    Remote system wants to close a connection.
LAST_ACK      Final step to CLOSE_WAIT.
TIMED_WAIT    Final step to FIN_WAIT_1 or FIN_WAIT_2.
UNKNOWN       The state of the socket is unknown.

Table 11-7   TCP States Displayed with netstat

The preceding netstat command only displayed connections that are or
were in the ESTABLISHED state. Sometimes it is helpful to list all services that
are available and active on a system. This can be accomplished by using netstat
with the -a option, as shown below. Please note that the following output
has been reduced to make it more readable. Executing this command on most
systems will produce a larger list because it will include the stream interfaces as
well. However, on Linux, we can use the -t and -u options to further refine the
output to only include TCP and UDP sockets. The following output provides a
list of both UDP and TCP services, regardless of their connection states. This is
useful because it is not always obvious which transport protocol a particular
service uses.
# netstat -a -t -u
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 socrates.home.co:telnet durer.home.com:1033     ESTABLISHED
tcp        0      0 110.orlando-11-1:domain *:*                     LISTEN
tcp        0      0 *:1048                  *:*                     LISTEN
tcp        0      0 *:1047                  *:*                     LISTEN
tcp        0      0 *:1046                  *:*                     LISTEN
tcp        0      0 *:1045                  *:*                     LISTEN
tcp        0      0 *:1044                  *:*                     LISTEN
tcp        0      0 *:1037                  *:*                     LISTEN
tcp        0    710 socrates.home.co:telnet durer.home.com:1032     ESTABLISHED
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:nntp                  *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:713                   *:*                     LISTEN
tcp        0      0 *:1024                  *:*                     LISTEN
tcp        0      0 *:683                   *:*                     LISTEN
tcp        0      0 *:678                   *:*                     LISTEN
tcp        0      0 *:673                   *:*                     LISTEN
tcp        0      0 *:652                   *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 10.0.2.205:domain       *:*                     LISTEN
tcp        0      0 10.0.2.202:domain       *:*                     LISTEN
tcp        0      0 socrates.home.co:domain *:*                     LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:linuxconf             *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
udp        0      0 110.orlando-11-1:domain *:*
udp        0      0 *:xdmcp                 *:*
udp        0      0 localhost:1119          *:*
udp        0      0 *:800                   *:*
udp        0      0 *:1022                  *:*
udp        0      0 *:714                   *:*

Under the TCP heading, not only are the two TCP connections displayed
from the previous example, but additional services are included as well. Any
services listed in the LISTEN state are waiting for incoming connections and
are usually known as server-based resources. When a service is waiting for
requests from the network, it is free to accept connections from any remote
address. That is why *:* is listed under the Foreign Address field. Servers
also generally place * in the local host portion to further indicate that the server
is free to establish a connection if a client request is made. When a request from
a client is sent to a server, the server makes a copy of itself to handle the request
and continues listening for additional client requests. Thus when this occurs,
netstat displays multiple instances of the same service, as shown here:
netstat -a | grep ftp
tcp        0      0 socrates.home.:ftp-data durer.home.com:1034     TIME_WAIT
tcp        0      0 socrates.home.com:ftp   durer.home.com:1033     ESTABLISHED
tcp        0      0 *:ftp                   *:*                     LISTEN

The above command issues a netstat and pipes the output into the grep
command, which scans the input for the ftp string. As a result, all lines with
the ftp string are displayed. In the output above, the FTP server is still listening
for incoming connection requests while an FTP session is established to a system
called socrates.


Under the UDP heading in the previous output example, only a local
address and state field have been displayed; the foreign address is not specified.
This is because UDP is a connectionless protocol and therefore doesn’t list
remote address information. Also, notice that no statistical information is available
for UDP. This is another indication that UDP is fundamentally different by
design and does not produce this type of information.
Despite the rather large amount of information provided with the -a option,
netstat can be used to provide a quick check to ensure that the correct services
are running on a given system. By scanning the output of netstat, the network
administrator can easily notice any service that shouldn’t be running. For
example, many organizations consider the finger facility to be a security risk
because it can provide user account information to anyone requesting it. Once
detected with netstat, the finger service can be disabled by modifying the
/etc/inetd.conf (Solaris) or /etc/xinetd.conf (Linux) network
configuration file.
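The quick check described above, scanning netstat output for services that should not be running, is easy to automate. The Python script below is an added example (not from the book): it parses lines in the Linux netstat -a -t -u layout, with or without the PID/Program name column that -p adds, lists the listening services, compares their ports against an administrator-supplied allowlist, and tags any listener bound to the * wildcard address. The sample lines are constructed for the example and borrow host and service names from the listings above; the allowlist used in the usage section is invented.

```python
import re
from collections import Counter

# Constructed sample in the Linux "netstat -a -t -u -p" layout. Lines without
# the PID/Program column (as produced without -p) parse the same way.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    285 socrates.home.co:telnet durer.home.com:1032     ESTABLISHED 906/in.telnetd
tcp        0      0 *:www                   *:*                     LISTEN      602/httpd
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 socrates.home.co:domain *:*                     LISTEN      441/named
tcp        0      0 socrates.home.:ftp-data durer.home.com:1034     TIME_WAIT
udp        0      0 *:xdmcp                 *:*
udp        0      0 localhost:1119          *:*
"""

# proto, Recv-Q, Send-Q, local, foreign, then an optional state and/or
# optional PID/Program token; UDP sockets carry no state.
LINE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(.*)$")


def parse_netstat(text):
    """Return one dict per socket line; header lines are ignored."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, recvq, sendq, local, foreign, rest = m.groups()
        state = program = None
        for token in rest.split():
            if "/" in token:          # PID/Program name, e.g. 602/httpd
                program = token
            else:                     # TCP state word
                state = token
        host, _, port = local.rpartition(":")
        sockets.append({"proto": proto, "recv_q": int(recvq), "send_q": int(sendq),
                        "local_host": host, "local_port": port, "foreign": foreign,
                        "state": state, "program": program})
    return sockets


def listening_services(sockets):
    """TCP sockets in LISTEN, plus every UDP socket (UDP has no state)."""
    return [s for s in sockets
            if (s["proto"] == "tcp" and s["state"] == "LISTEN") or s["proto"] == "udp"]


def unexpected_services(sockets, allowed_ports):
    """Listeners whose port is not on the allowlist, as
    (proto, port, bound_to_wildcard, program) tuples."""
    return [(s["proto"], s["local_port"], s["local_host"] == "*", s["program"])
            for s in listening_services(sockets)
            if s["local_port"] not in allowed_ports]


def connection_state_counts(sockets):
    """How many TCP sockets are in each state (see Table 11-7)."""
    return Counter(s["state"] for s in sockets if s["proto"] == "tcp")


if __name__ == "__main__":
    # Invented allowlist for this host: web, mail, DNS, telnet and X display management.
    allowed = {"www", "smtp", "domain", "telnet", "xdmcp"}
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, wildcard, program in unexpected_services(socks, allowed):
        print("unexpected listener: %s/%s%s program=%s"
              % (proto, port, " (all addresses)" if wildcard else "", program or "unknown"))
    print(dict(connection_state_counts(socks)))
```

With the sample data the report names the finger listener on all addresses and a UDP socket on localhost:1119, which is exactly the kind of entry the text suggests following up in /etc/inetd.conf or /etc/xinetd.conf. Running with -p fills in the program column so the owning process is shown alongside the port.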
If you are interested in displaying the streams defined on the system, issue
the netstat command with the --unix option (Linux) or -P with the
rawip option (Solaris and HP-UX). The output includes the UNIX streams
socket interfaces. Since these connections are mainly used for interprocess
communication, their specific use and function won’t be described in great
detail. Since the number of streams used on a UNIX system can be significant,
the output from the netstat command can be rather long. As a result, the
following output shows, on a Linux system, just a few lines versus what would
typically be displayed:
unix  1      [ ]         STREAM     CONNECTED     2399   /dev/log
unix  1      [ ]         STREAM     CONNECTED     2384   /tmp/.ICE-unix/963
unix  1      [ N ]       STREAM     CONNECTED     2364   /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     2220   /tmp/orbit-root/orb-11931020341330722701
unix  1      [ ]         STREAM     CONNECTED     2217   /tmp/orbit-root/orb-2122911451756745208
unix  1      [ ]         STREAM     CONNECTED     2213   /tmp/orbit-root/orb-16956010373298973
unix  1      [ ]         STREAM     CONNECTED     2206   /tmp/.X11-unix/X0
unix  1      [ ]         STREAM     CONNECTED     2202   /tmp/orbit-root/orb-2122911451756745208

System programs and other applications create streams as a mechanism to
communicate between themselves and other programs.

Hint

The -p option is not supported on either HP-UX or Solaris.

One extremely useful feature of netstat on Linux is the -p option, which will
show the associated process or program name that has the ports opened. The
command

# netstat -t -p -a

produces this output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    285 socrates.home.co:telnet durer.home.com:1032     ESTABLISHED 906/in.telnetd
tcp        0      0 *:1036                  *:*                     LISTEN      846/gnomepager_appl
tcp        0      0 *:1035                  *:*                     LISTEN      843/gen_util_applet
tcp        0      0 *:1034                  *:*                     LISTEN      821/gmc
tcp        0      0 *:1033                  *:*                     LISTEN      823/gnome-name-serv
tcp        0      0 *:1032                  *:*                     LISTEN      812/panel
tcp        0      0 *:1025                  *:*                     LISTEN      766/gnome-session
tcp        0      0 *:6000                  *:*                     LISTEN      738/X
tcp        0      0 *:nntp                  *:*                     LISTEN      685/innd
tcp        0      0 *:www                   *:*                     LISTEN      602/httpd
                                                                                455/lpd
tcp        0      0 10.0.2.205:domain       *:*                     LISTEN      441/named
tcp        0      0 10.0.2.202:domain       *:*                     LISTEN      441/named
tcp        0      0 socrates.home.co:domain *:*                     LISTEN      441/named

Once executed, additional columns are added to the normal output of
netstat. They include the PID (process identification) and the Program
name fields. As clearly seen from the output above, it is now very easy to track
down sockets and find which process and/or program is using them.

Displaying Interface Information
The netstat command can obtain details on the configuration of the network
interface and rudimentary packet counts as well. The -i command-line option
obtains a list of each defined interface on the system, one interface per line:


Linux:
# netstat -i
Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0      0      0      0      0      0      1      0      0 BRU
eth0:  1500   0      - no statistics available -                        BRU
eth1   1500   0   3946      0      0      0    138      0      0      0 BRU
lo     3924   0    192      0      0      0    192      0      0      0 LRU

Solaris:
Name  Mtu  Net/Dest       Address           Ipkts   Ierrs Opkts   Oerrs Collis Queue
lo0   8232 loopback       localhost         1162897 0     1162897 0     0      0
elxl1 1500 216.155.202.0  bedrock.home.com  9663    0     5464    0     12     0

Name  Mtu  Net/Dest       Address           Ipkts   Ierrs Opkts   Oerrs Collis
lo0   8252 localhost      localhost         1162897 0     1162897 0     0

As you can see, the command displays some of the same information
that the ifconfig command provides, plus some basic statistics regarding
operating characteristics of each interface—specifically, the name of the interface,
the maximum transfer unit (MTU), the network or destination address, and the
address of the interface. Also, it displays a count of the total number of input
packets, input error packets, input dropped packets, and input overflow counter.
It contains the same counters for transmitted packets as well. The Flg field
contains a condensed listing of the interface configuration options as enabled
and reported by the ifconfig command.
The RX-OK (received) and TX-OK (transmitted) fields (Ipkts and Opkts
on Solaris/HP-UX) represent the reception and transmission of valid traffic across
the interface, respectively. The next fields, RX-ERR and TX-ERR (Ierrs and
Oerrs on Solaris/HP-UX), indicate any input and output error packets that
have occurred on the interface; this includes, for example, any runt packets
(those that are smaller than the standard size) and other errors. The RX-DRP
and TX-DRP fields are counters that represent problems with the transmission
of packets on the interface. In the output above, note that the interface eth0
reports a number of output packet errors. In this case, these errors are being
generated because the interface is not physically attached to a network, yet the
system is attempting to send out packets. Some UNIX systems can’t detect when
an interface is actually attached to a network. This is also the reason that the
RX-OK and TX-OK fields are zero; this indicates that no traffic has been sent
or received across this interface.


The TX-ERR field indicates the number of collisions (or other transmission
errors) that have occurred as recorded by the system. A collision is when two
or more devices attempt to transmit packets at nearly the same time. After this
happens, a jam signal is sent to inform all devices on the network that a collision
has occurred and that any transmission should stop briefly and then, after randomly
determined intervals of time, be tried again. This is known as back-off and is
the mechanism used by devices to resume normal operations. Collisions only
occur on broadcast network technologies such as Ethernet. When the TX-ERR
field is nonzero, it indicates that the interface has recorded collisions for which
it was directly involved.

Hint

The TX-ERR field does not represent all collisions that have occurred on the
network because the system may not always count the number of jam messages
transmitted as a result of a collision caused by other systems.

The RX-DRP and TX-DRP fields represent packets that were discarded before
being received or transmitted. These fields are useful in situations when the
system is performing routing functions where lost or discarded packets could
cause connectivity problems between systems or networks. Another instance
when it may be important to monitor these counters is when the system is a
server, where the network traffic can be significant. In practice, the fields aren’t
that important for a system that may be used as a single-user workstation. The
RX-OVR and TX-OVR fields provide counters for packets that caused overflow
conditions for the networking software. Again, these are only critical when the
system being monitored is considered critical.
When logical (or pseudo) interfaces are defined on the system, netstat
lists each interface as a separate entry. However, you will notice that given
the example above, netstat doesn’t collect statistical information for these
interfaces. As a result, the message “no statistics available” is displayed. In all
other respects, netstat shows logical interfaces with the same information as
normal interfaces. This includes, for example, the interface (Flg) field codes.
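To turn the field descriptions above into a check, the following Python script (an added example, not the book's code) parses the Linux netstat -i table, skips the "no statistics available" rows that logical interfaces produce, reports every interface with a nonzero error, drop or overrun counter, and applies the text's own diagnosis: zero RX-OK and TX-OK together with transmit errors means the interface is probably not attached to a network. The sample table is constructed from the Linux listing shown earlier.

```python
# Constructed sample matching the Linux netstat -i listing shown above.
SAMPLE_NETSTAT_I = """\
Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0      0      0      0      0      0      1      0      0 BRU
eth0:  1500   0      - no statistics available -                        BRU
eth1   1500   0   3946      0      0      0    138      0      0      0 BRU
lo     3924   0    192      0      0      0    192      0      0      0 LRU
"""

# Column order of the eight counters that follow Iface, MTU and Met.
COUNTERS = ("rx_ok", "rx_err", "rx_drp", "rx_ovr", "tx_ok", "tx_err", "tx_drp", "tx_ovr")


def parse_netstat_i(text):
    """Return {iface: {mtu, metric, flags, counters}}; counters is None for
    logical interfaces, which netstat lists without statistics."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Kernel", "Iface"):
            continue
        entry = {"mtu": int(parts[1]), "metric": int(parts[2]),
                 "flags": parts[-1], "counters": None}
        if "no statistics available" not in line:
            entry["counters"] = dict(zip(COUNTERS, (int(v) for v in parts[3:11])))
        table[parts[0]] = entry
    return table


def interface_problems(table):
    """Interfaces with any nonzero error, drop or overrun counter, and which ones."""
    problems = {}
    for name, entry in table.items():
        if entry["counters"] is None:
            continue
        bad = {k: v for k, v in entry["counters"].items() if v and not k.endswith("_ok")}
        if bad:
            problems[name] = bad
    return problems


def diagnose(name, table):
    """One-line reading of an interface's counters, following the text."""
    c = table[name]["counters"]
    if c is None:
        return "logical interface: no statistics collected"
    if c["rx_ok"] == 0 and c["tx_ok"] == 0 and c["tx_err"] > 0:
        return "no traffic passed but transmit errors recorded: probably not attached to a network"
    if c["rx_ok"] == 0 and c["tx_ok"] == 0:
        return "no traffic seen on this interface"
    bad = interface_problems({name: table[name]}).get(name)
    if bad:
        return "traffic flowing, but nonzero counters: " + ", ".join(sorted(bad))
    return "healthy"


if __name__ == "__main__":
    table = parse_netstat_i(SAMPLE_NETSTAT_I)
    for name in table:
        print("%-6s %s" % (name, diagnose(name, table)))
```

Counters are cumulative since boot, so on a busy server the useful signal is the change between two runs rather than the absolute value; storing the parsed table and diffing it on the next run is a small extension of this script.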

Display Routing Information
The system uses the routing table to determine the path that will be used to send
IP packets to particular hosts or networks. Normally, systems are configured
with a default router so that routing decisions are straightforward and simple.


However, there may be instances when a machine has more than one interface
and each is attached to a different IP network. In this case, the system might
also be forwarding IP packets (routing) between these networks. As a result, the
routing function becomes a bit more complex. As part of the overall routing
system, a routing table is defined that can be displayed as the need arises. One
of the primary ways to examine this table is with the -r option:
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
199.70.195.41   *               255.255.255.255 UH        0 0          0 ppp0
10.0.2.201      *               255.255.255.255 UH        0 0          0 eth0
10.0.2.0        *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         199.70.195.41   0.0.0.0         UG        0 0          0 ppp0

The output above was obtained from a server system that contains two
separate network interfaces. In this example, the routing table includes a
destination network, gateway (or router), network mask, some status flags, two
size fields, a metric value, and the interface with which the route is associated.
The Destination field specifies the network for which the route has been
established. The Gateway field shows the IP address or hostname of the router
that forwards packets to the IP address listed in the Destination column. A
* indicates that the router has not been configured for the associated network.
If an IP address or hostname is shown in this field, a router has been configured.
The Genmask field shows the network mask that has been configured for
this interface. This mask is used like a subnet mask to calculate the network
address specified in the Destination column. The Flags field displays
status information regarding the route. The U flag indicates that the route is up
and active. The H flag shows that the route entry refers to a host system, not an
actual router. With UNIX, there is always a route to the local system, which is
used internally by the networking software. The G flag indicates that the route
is via an external gateway or router.

Hint

The terms “route” and “gateway” are used interchangeably.

When the routing tables are displayed from a workstation that contains a single
interface, we may see the following entries:
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
199.70.195.41   *               255.255.255.255 UH    0      0        0 ppp0
10.0.2.201      *               255.255.255.255 UH    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         199.70.195.41   0.0.0.0         UG    0      0        0 ppp0

In this case, a default route has been set to 199.70.195.41, which
happens to be a connection to a local ISP using the Point-to-Point Protocol
(PPP). When a system contains a single interface, a default route can be used as
a shorthand method to specify the only way out of the local network. Without
the default entry, every network for which the system must connect will require
a separate routing entry. When the ppp0 link is activated (either manually or
automatically), the default route is installed automatically by the PPP software
that is used.
The MSS field represents the maximum segment size (MSS) for a TCP session
or connection. Normally with netstat, this field contains a zero value. The
Window field controls the TCP window size for a connection using this route;
typically, this is for certain WAN protocols or other network drivers that have
a hard time handling back-to-back frames. Again, this field normally has a value
of zero.
The irtt field shows the initial round-trip time (IRTT) for a TCP session
or connection—again, used for WAN network protocols. The netstat
command shows the value zero. The final field (Iface) shows the network
interface to which that route belongs. It is important to note that within the
routing tables, many routes could use the same interface. In fact, the previous
example shows no less than three routes using the same interface. This is
normal and proper because the routing function is concerned with forwarding
IP packets from one network to another, regardless of which physical network
may be involved or the path that is traversed. This, albeit, in a small way, illustrates
the modularity of the TCP/IP protocols and networking software.
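The route selection the text describes (host routes, the network route, and the default as the way out) can be reproduced from the netstat -r output. The following Python script is an added example and not part of the book: it parses the routing table listed above, then answers "which interface and gateway would a packet to this destination use?" by longest-prefix match, considering only routes flagged U and letting the 0.0.0.0/0 default win only when no more specific route matches. The table text is the listing above, embedded as constructed input; the function names are the example's own.

```python
import ipaddress

# The Linux netstat -r listing from the text, embedded as constructed input.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
199.70.195.41   *               255.255.255.255 UH        0 0          0 ppp0
10.0.2.201      *               255.255.255.255 UH        0 0          0 eth0
10.0.2.0        *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         199.70.195.41   0.0.0.0         UG        0 0          0 ppp0
"""


def parse_routes(text):
    """Return a list of {network, gateway, flags, iface} from netstat -r output.
    Works for both Linux layouts shown in the text (MSS/Window/irtt and
    Metric/Ref/Use), since the interface is always the last column."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        if dest == "default":
            dest = "0.0.0.0"
        routes.append({
            "network": ipaddress.IPv4Network((dest, genmask), strict=False),
            "gateway": None if gateway == "*" else gateway,   # * means directly attached
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup_route(routes, destination):
    """Longest-prefix match over usable (U) routes. The default route matches
    every address with prefix length 0, so it is chosen only as a last resort."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if "U" in r["flags"] and addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def next_hop(routes, destination):
    """(interface, gateway-or-'direct') for a destination, or None if unroutable."""
    route = lookup_route(routes, destination)
    if route is None:
        return None
    return (route["iface"], route["gateway"] or "direct")


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for dest in ("10.0.2.50", "10.0.2.201", "127.0.0.1", "192.0.2.1"):
        route = lookup_route(routes, dest)
        print("%-12s -> %-18s via %s on %s" % (dest, route["network"], route["gateway"] or "direct", route["iface"]))
```

The three routes on eth0 and ppp0 in the listing are why the match must be by prefix length and not by table order: 10.0.2.201 sits inside 10.0.2.0/24 and inside the default, and only the host route (/32) is the right answer.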

Display Multicast Information
Multicast is a mechanism that supports the delivery of high-volume traffic to
a network and associated workstations in a very efficient manner. A multicast
group is a defined collection of workstations and multicast routers that forward
traffic using a special multicast IP address. The -g option displays multicast
routing information that is related to the routing groups and interfaces that
have been defined on the system. Using this option, the netstat -g command
will show the currently configured multicast groups:

IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth0            1      224.0.0.1

In this example, each of the defined interfaces on this system is a member
of the default multicast group 224.0.0.1 (named ALL-SYSTEMS.MCAST.NET on
some systems). Solaris and HP-UX provide the same basic output. This standard
multicast group is used to send multicast traffic to all systems on a local
network, so if any application transmits to 224.0.0.1, this system will receive
the traffic. When multicast is deployed using standard multicast applications,
additional multicast groups may be defined to restrict the multicast traffic to
only those systems that require the information.

Display Protocol Statistics
The netstat command can also display per-protocol statistics. The -s
(--statistics) option, by itself, displays statistics for all of the supported
protocols, including TCP, UDP, and RAW. RAW covers both IP and ICMP packets
and can be displayed separately using the keyword raw.
# netstat -s
Ip:
    3003 total packets received
    0 forwarded
    0 incoming packets discarded
    212 incoming packets delivered
    2847 requests sent out
Icmp:
    489 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 486
        echo replies: 3
    487 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 487
Tcp:
    0 active connections openings
    0 passive connection openings
    0 failed connection attempts
    0 connection resets received
    1 connections established
    2295 segments received
    1700 segments send out
    2 segments retransmitted
    0 bad segments received.
    0 resets sent
Udp:
    171 packets received
    2 packets to unknown port received.
    0 packet receive errors
    657 packets sent:
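Counters such as "packets to unknown port received" are only meaningful as a trend, so an administrator usually compares two snapshots taken some time apart. The following POSIX shell script is an added example, not code from the book: it extracts a named counter from netstat -s output (optionally restricted to one protocol section) and reports the growth between two snapshots. It assumes the Linux output layout shown above; the two snapshots embedded in it are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the book: read individual counters out of
# `netstat -s` output and compare two snapshots. Assumes the Linux layout
# shown in the text: a header such as "Udp:" followed by indented
# "<number> <description>" lines.

# netstat_counter DESCRIPTION [PROTO]: read netstat -s output on stdin and
# print the value of the counter whose description matches exactly. A
# trailing "." or ":" on the output line is ignored. When PROTO is given
# (e.g. Udp), only that section is searched, which matters because
# descriptions like "packets received" repeat across sections.
netstat_counter() {
    awk -v want="$1" -v proto="$2" '
    /^[A-Za-z][A-Za-z0-9]*:$/ { section = $1; sub(/:$/, "", section); next }
    $1 ~ /^[0-9]+$/ && (proto == "" || section == proto) {
        desc = $2
        for (k = 3; k <= NF; k++) desc = desc " " $k
        sub(/[.:]$/, "", desc)
        if (desc == want) { print $1; exit }
    }'
}

# netstat_counter_delta DESCRIPTION BEFORE AFTER [PROTO]: growth of a counter
# between two snapshots passed as strings, e.g. before=$(netstat -s).
# A counter missing from a snapshot counts as zero.
netstat_counter_delta() {
    b=$(printf '%s\n' "$2" | netstat_counter "$1" "$4")
    a=$(printf '%s\n' "$3" | netstat_counter "$1" "$4")
    echo $(( ${a:-0} - ${b:-0} ))
}

# unknown_port_growth [SECONDS]: on a live system, count UDP datagrams that
# arrived for ports with no listener during the interval. Steady growth with
# no application to explain it is worth correlating with firewall logs.
unknown_port_growth() {
    before=$(netstat -s)
    sleep "${1:-60}"
    after=$(netstat -s)
    netstat_counter_delta 'packets to unknown port received' "$before" "$after" Udp
}

# Constructed snapshots (not real captures) for exercising the parser offline.
NETSTAT_BEFORE='Ip:
    3003 total packets received
    0 forwarded
    212 incoming packets delivered
    2847 requests sent out
Icmp:
    489 ICMP messages received
    ICMP input histogram:
        destination unreachable: 486
        echo replies: 3
Udp:
    171 packets received
    2 packets to unknown port received.
    0 packet receive errors
    657 packets sent:'
NETSTAT_AFTER='Ip:
    3590 total packets received
    0 forwarded
    780 incoming packets delivered
    2901 requests sent out
Udp:
    735 packets received
    41 packets to unknown port received.
    0 packet receive errors
    702 packets sent:'

# With an interval on the command line, measure the live system; with no
# arguments the file only defines the functions (so it can be sourced).
if [ $# -gt 0 ]; then
    echo "unknown-port datagrams in ${1}s: $(unknown_port_growth "$1")"
fi
```

The same two-snapshot approach works for any counter in the listing, for instance TCP "segments retransmitted" when chasing a lossy path.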

1-Minute Drill
● What's a situation when the routing table for a system will be complex and it's
useful to use the netstat -r command to display the routing information?

● Answer: A system with more than one interface connected to separate networks will
have a more complex routing table than a single-interface system, with routing
between the two (or more) interfaces.

11.4 Verify Network Connectivity Using Ping
The ping command provides two basic services. First, it can be used to
determine whether a basic level of connectivity is available between one or
more endpoints or systems. The ping tool can be used to determine if a remote
device is reachable on a network from the local system and help debug connectivity
problems among systems. Second, it can provide rudimentary network performance
statistics, which can be used to diagnose traffic-related network problems. The
term "ping" is derived from the phrase packet internet groper. The ping tool
can be used in one of two ways: by specifying a valid hostname or IP address, or
by using command-line options with a hostname or IP address. Using the first
form, ping provides a handy way to determine that a remote device is available
on the network.


As discussed in Module 10, ping uses the Internet Control Message Protocol
(ICMP) to emit ICMP requests and waits for valid ICMP replies. Because ICMP
is a required protocol within the TCP/IP family, ping can generally be used
with every device that supports TCP/IP, and is available on many operating
systems and other networking devices. For instance, a Cisco router or UNIX
host provides the capability to ping other devices on the network. The ping
program is a client-side application only; no additional software is needed or
required for it to function and interact directly with the remote system’s
protocol layer to accomplish its task.

Determine System Availability
The ping tool can be used to determine general availability of any TCP/IP device,
even if it doesn’t specifically have a general operating system. For example, to
determine if the host durer is reachable, issue the following ping command:
# ping durer
PING durer.home.com (10.0.2.10): 56 data bytes
64 bytes from 10.0.2.10: icmp_seq=0 ttl=128 time=0.9 ms
64 bytes from 10.0.2.10: icmp_seq=1 ttl=128 time=0.8 ms
64 bytes from 10.0.2.10: icmp_seq=2 ttl=128 time=0.8 ms
64 bytes from 10.0.2.10: icmp_seq=3 ttl=128 time=0.8 ms

--- durer.home.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.8/0.9 ms

In this case, ping reports no packet loss to durer, which happens to be
a printer. This means that durer is alive and operating normally from an IP
perspective; an answered ping generally means that the TCP/IP software is
operational. By default, the Linux ping keeps running until the user types
^c (CTRL-C) to stop the output. Although "alive" indicates that the system is
visible on the network, it is no guarantee that other network services, such as
ftp or telnet, are available. This is an important distinction: the ping tool
can only determine basic protocol connectivity, not the availability of
higher-level applications or services. In fact, some systems will answer a ping
request even before they are fully booted. Keep in mind that no single piece of
software can determine that every TCP/IP application or service is installed and
operating on a system.


The Solaris and HP-UX systems display the following:
durer.home.com is alive

On Linux, if the host durer is not reachable, ping will display the following
message after ^c (CTRL-C)is typed:
PING rubens.home.com (10.0.2.220): 56 data bytes
--- rubens.home.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Normally, the Linux ping issues ICMP requests forever, and if no reply is
received, it generates the message shown above only after the user has interrupted
the command. This is somewhat unfortunate, because other versions of ping
will eventually time out without the user having to manually interrupt the
command. Luckily, a maximum number or count of the total number of requests
can be specified, which has the effect of controlling ping so that the user doesn’t
need to manually intervene. On Linux, use the -c command-line option with
an argument of 1 and the ping command will issue a single request to rubens:
# ping -c 1 rubens

and will generate the following output if this host is down:
PING rubens.home.com (10.0.2.220): 56 data bytes
--- rubens.home.com ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Here, 0 packets received and 100% packet loss is an indication that the host is down.

This is useful so that the user can quickly determine reachability of a host
without wasting additional time or network bandwidth. Reducing the number
of ping requests is generally a good thing for the network. Specifying the count
in this manner is sometimes preferable when using ping within a shell script
where issuing a ^c (CTRL-C) would be difficult or inconvenient. Using the
count option is an ideal way to obtain a very good round-trip delay average
and to determine performance over time.
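A bounded request count is what makes ping usable from a script. The following POSIX shell script is an added example, not code from the book: it parses ping's summary lines (loss percentage and average round-trip time) and wraps `ping -c` in a reachability check that never needs CTRL-C. It assumes the Linux ping syntax used in the text (Solaris and HP-UX take the count after the hostname, per Table 11-8); the host names are the book's and the sample outputs embedded in it are constructed, not captured.

```sh
#!/bin/sh
# Added example, not from the book: parse ping's summary so a script can
# decide reachability without anyone pressing CTRL-C. Assumes the Linux
# ping shown in the text (-c bounds the number of requests).

# ping_loss_percent: read ping output on stdin and print the loss percentage
# from the "... packets transmitted, ... received, N% packet loss" line.
# Both the older "4 packets received" and the newer "4 received" wording are
# accepted; a fractional loss such as "0.0%" is truncated to its integer part.
ping_loss_percent() {
    sed -n 's/.*[0-9][0-9]* packets transmitted, [0-9][0-9]* \(packets \)\{0,1\}received, \([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\2/p'
}

# ping_rtt_avg: print the average round-trip time in ms from the
# "min/avg/max" line; the "min/avg/max/mdev" variant is handled as well.
ping_rtt_avg() {
    sed -n 's/^.*min\/avg\/max[^=]*= *[0-9.]*\/\([0-9.]*\)\/.*/\1/p'
}

# host_reachable HOST [COUNT]: succeed when at least one reply came back.
# Partial loss is tolerated because on a busy path one missing reply does
# not mean "down"; an empty result (ping missing or no summary) fails.
host_reachable() {
    host=$1
    count=${2:-3}
    loss=$(ping -c "$count" "$host" 2>/dev/null | ping_loss_percent)
    [ -n "$loss" ] && [ "$loss" -lt 100 ]
}

# Constructed sample output (not captured from real hosts) for trying the
# parsers offline.
PING_SAMPLE_UP='PING didymus.home.com (10.0.2.127): 56 data bytes
64 bytes from 10.0.2.127: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 10.0.2.127: icmp_seq=1 ttl=255 time=1.1 ms

--- didymus.home.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.15/1.2 ms'
PING_SAMPLE_LOSSY='PING www.example.com (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=7 ttl=244 time=240.1 ms

--- www.example.com ping statistics ---
10 packets transmitted, 3 received, 70% packet loss, time 9012ms
rtt min/avg/max/mdev = 240.1/242.3/250.1/4.5 ms'

# With host names on the command line, check each one; with none, the file
# only defines the functions (so it can be sourced from other scripts).
for h in "$@"; do
    if host_reachable "$h"; then
        echo "$h: reachable"
    else
        echo "$h: unreachable (no reply to $count requests)"
    fi
done
```

Because the loss is parsed rather than taken from ping's exit status, the same function can be tightened to treat any loss above a chosen threshold as a failure when the script is watching a link rather than a host.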
It is interesting to note that if the host rubens isn't on the same subnet as
the host issuing the ping, it is possible that the host is functioning correctly,
but that an intermediate device, such as a network router, is responsible for the
lack of connectivity. I term this problem "connectivity fussiness." In this case,
ping can't determine why rubens is not reachable. To further understand
this problem, consider the sample network in Figure 11-1.
This network diagram shows several devices attached to two different
networks that are interconnected via Router Z. When a ping request is issued
from node B on network A to node C on network B, the request is passed via
router Z. If router Z should stop functioning, the requests will never reach node C.
As a result, node C becomes unreachable from the perspective of node B.
Because ping can check reachability of any TCP/IP device, we can now
issue a ping for router Z to further diagnose the problem. By probing the
router closest to node C, we will learn that the loss of connectivity is most likely
being caused by router Z’s network interface to network B, and not node C itself.
Also, if we ping other devices on network B, this would confirm that all
devices are unreachable and lead us to conclude that there is a problem with
router Z. This example demonstrates that network problems can be caused by
devices other than those easily identified as being the problem. Tools such as
ping help to isolate the sources of routing and many other network failures
or problems.

Figure 11-1  Using ping to determine node availability
The second form of the ping command provides a number of options to
control additional functionality. Table 11-8 provides a list of the most popular
command-line options available.

Table 11-8  ping Command-Line Options

Option  Description
-R      Use record route information.
-U      Use UDP packet instead of ICMP packet (Solaris only).
-a      Issue a ping to all addresses on a multi-home host (Solaris only).
-c      Send only a certain number of packets (Linux only).
-f      Flood the network with packets.
-i      Delay the number of seconds between each request (Linux only).
        Specify the outgoing interface (Solaris and HP-UX only).
-n      Show network addresses instead of hostname.
-p      Specify up to 16 bytes to pad a packet with customized data (Linux only).
        Set the base UDP port to use (Solaris only).
-s      Issue a single ICMP request per second and collect round-trip statistics
        (Solaris and HP-UX only).

Show Basic Network Performance
The ping command can be used to measure the amount of time required to
transmit a message to a remote destination and the time required to obtain a
response. Used this way, the command in essence measures the relative performance
of the path between the two devices at a given point in time. It does not, by any
means, provide a detailed analysis of the devices or connectivity between them.
Rather, it provides a glimpse of the general condition of the path at the point it
is measured. It could be said that network performance is like the stock market.
One day it is up and the next it is down. The primary difference with respect to
volatility is whether we are talking in terms of days or milliseconds. A large
number of factors can cause network performance to vary. These include users
that are overly aggressive about using network resources, hardware problems,
software configuration problems, and so forth.

The ping command provides a means of determining system response
times as well, but it takes a little more work to determine if the observed
performance problem is related to a specific slow system or a delay in some
other network component. The ping tool shows output that can be used to
measure and report round-trip time and provide packet-loss statistics. By
default, ping issues an ICMP request every second to the destination supplied
on the command line and reports the status of each ICMP reply. Sample output
includes the following:
# ping -s didymus
PING didymus.home.com (10.0.2.127): 56 data bytes
64 bytes from 10.0.2.127: icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from 10.0.2.127: icmp_seq=1 ttl=255 time=1.1 ms
64 bytes from 10.0.2.127: icmp_seq=2 ttl=255 time=1.2 ms
64 bytes from 10.0.2.127: icmp_seq=3 ttl=255 time=1.2 ms

--- didymus.home.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.1/1.1/1.2 ms

This report provides the packet size, the hostname or IP address of the
target device, a sequence number, round-trip time value, and a statistical
summary. The time value shows the round-trip time in milliseconds (1000ths
of a second) for each reply received. The bottom of the report calculates the
minimum, average, and maximum trip times for all replies, also displayed in
milliseconds. The total length of the ICMP packet transmitted to didymus is
64 bytes. This is the default size, which is usually sufficient. However, it might
be necessary to increase the packet size to get a better measure of throughput.
In this case, a large packet size may be specified using the -s command-line
option on Linux. For example, the command
# ping -s 100 didymus

issues the ICMP requests with a packet size of 100 bytes to the target host
didymus. This might be required to obtain a better picture of performance
because network throughput may differ for larger packet sizes versus smaller
values. When executed, this command shows the following:
PING didymus.home.com (10.0.2.127): 100 data bytes
108 bytes from 10.0.2.127: icmp_seq=0 ttl=255 time=2.7 ms
108 bytes from 10.0.2.127: icmp_seq=1 ttl=255 time=1.5 ms
108 bytes from 10.0.2.127: icmp_seq=2 ttl=255 time=1.3 ms
108 bytes from 10.0.2.127: icmp_seq=3 ttl=255 time=1.3 ms
108 bytes from 10.0.2.127: icmp_seq=4 ttl=255 time=1.3 ms
108 bytes from 10.0.2.127: icmp_seq=5 ttl=255 time=1.3 ms
108 bytes from 10.0.2.127: icmp_seq=6 ttl=255 time=1.3 ms
108 bytes from 10.0.2.127: icmp_seq=7 ttl=255 time=1.3 ms

--- didymus.home.com ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.5/2.7 ms

The 108-byte packet size equals the 100 bytes specified on the command line
plus 8 bytes of overhead.

On Solaris and HP-UX, use the following command to accomplish the same thing:
ping -s didymus 100

In this case, specifying the size of the packet comes after the hostname.
As you can see from this output above, ping adds 8 bytes of overhead for
each packet sent; this is determined by subtracting the 100 bytes specified with
the -s option from the 108 bytes transmitted by ping. Notice that the response
times didn’t change much, despite the fact that we used a large data size. We
would need to increase the size significantly to observe a larger delay in
processing the packets.
You may have noticed that the hostname didymus was used on the command
line, but when ping echoed back the hostname, it showed a different name,
like didymus.home.com. The reason for this is that didymus is an alias of
didymus.home.com and using the alias with many UNIX commands results
in the official name being used instead.
The ping tool uses a sequence number to keep track of requests and
replies. Each request is given the next number in sequence and is then matched
with the corresponding reply. This sequencing is used to determine packet loss
if any requests do not receive an appropriate reply. Generally speaking, packet
loss on a small network should be very rare, and if it does occur, it might indicate
a network- or system-related problem. However, on a large network or internet
(internet with a lowercase i), or on the Internet, packet loss is common and
represents a normal state of affairs. Given a popular Internet site as shown
below, a certain amount of packet loss may be observed:
ping -c 10 www.whitehouse.gov
PING www.whitehouse.com (209.67.27.247): 56 data bytes
64 bytes from 209.67.27.247: icmp_seq=7 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=8 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=9 ttl=244 time=240.1 ms
--- www.whitehouse.com ping statistics ---
10 packets transmitted, 3 packets received, 70% packet loss
round-trip min/avg/max = 240.1/240.1/240.1 ms

The report above indicates that 70 percent of the packets sent to the
www.whitehouse.gov system did not have corresponding replies! They
were lost. In other words, the program sent ten packets, but only received three
back; seven out of ten is 70 percent. One possible reason for this noticeable
packet loss is that some of the critical Internet routers might be quite busy or
even overloaded with network traffic. As a result, some of the ICMP requests
might be discarded because the requests expired before they were delivered to
the final destination. Also, the relative load of the target device can be a factor
because these systems might not have the computing resources to answer all
network requests as required. Because of the popularity of this site, it is not
unreasonable to think that both the servers and the networks that connect them
are all quite busy or even overloaded. An overloaded condition will occur when
too many users are using resources from the system or network at the same time.
Sometimes it is desirable to provide additional time for acknowledging each
ping request instead of using the default value of one second. If additional time
is desired between successive ICMP requests, the -i option can be used, followed
by the desired value. The interval should be long enough to provide the required
amount of time for the remote system to respond. When we increase the timeout
value as suggested, we will generally notice less packet loss. The command
ping -c 10 www.whitehouse.gov -i 5

adds a five-second delay to each request, thus providing additional time for the
processing of the requests through the network and to the destination server.
Using the command above, the following was produced:
PING www.whitehouse.com (209.67.27.247): 56 data bytes
64 bytes from 209.67.27.247: icmp_seq=1 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=2 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=3 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=4 ttl=244 time=240.0 ms
64 bytes from 209.67.27.247: icmp_seq=5 ttl=244 time=250.1 ms
64 bytes from 209.67.27.247: icmp_seq=6 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=7 ttl=244 time=240.1 ms
64 bytes from 209.67.27.247: icmp_seq=8 ttl=244 time=240.2 ms
64 bytes from 209.67.27.247: icmp_seq=9 ttl=244 time=250.1 ms

--- www.whitehouse.com ping statistics ---
10 packets transmitted, 9 packets received, 10% packet loss
round-trip min/avg/max = 240.0/242.3/250.1 ms

As noted from the output, the packet loss to this site was reduced to 10 percent.
Bear in mind that other factors could have also contributed to the reduction, such
as users leaving the site or the network not being used. In general, increasing the
amount of time for each request should reduce the overall load on the system.
However, this is not guaranteed to always be the case because the system may be
overloaded to the point that no additional amount of time would really help.

Additional Command Options
With the -n option, ping displays IP addresses rather than hostnames. This
is useful, for example, when network problems involving DNS impact the use
of ping. This option instructs ping not to invoke hostname resolution, thus
permitting the tool to function while the name service is slow or temporarily
disabled.
The -R option enables the record route option with the IP protocol. Toggling
the record route informs each router along a path to place its IP address in the
IP header. As a result, a list of routers that were used to reach the final destination
can be obtained. This is the chief mechanism that the traceroute command
utilizes. Another interesting option is flood mode using the -f option, which is
available on Linux. This option tells ping to attempt to flood the network with
ICMP requests approximately 100 times per second or as fast as the remote
destination can process each request.
By the way, a note of caution is in order here: The -f option can be a
dangerous thing. It can consume a significant amount of network bandwidth
and cause systems to disappear from the network because they are too heavily
loaded to respond to other network requests. It is not recommended that this
option be used on a live network when loss of connectivity could impact the
business operations of the individuals that use the network. Also, it is not
reasonable to flood other networks that you are not associated with.
Having said all this, the command
ping -c 100 -f bedrock

displays the following output:
PING bedrock.home.com (216.155.202.100) from 216.155.202.163 : 56(84) bytes of data.
.
--- bedrock.home.com ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.203/0.244/0.427/0.040 ms

This sends 100 packets to the host bedrock.

Ask the Expert
Question: Why use the flood capability anyway?

Answer: The reason is simple—attempt to produce a significant
amount of traffic on the network and see what happens. You will find
that in networking, determining how things work sometimes includes
attempting to break things or do things in such a way as to exceed the
practical limitations of a device or system. In the case of networking
devices such as routers or UNIX systems, industry experts and users
want to know what will happen to the device if it is exposed to
high-traffic patterns. Measuring performance and other networking
characteristics when the network is under tremendous load will help
the network manager truly understand the behavior of critical networking
devices and systems when they are deployed in their networks. The
flood option is one easy way to do this.


11.5 Gather Network Information with Lanscan
The lanscan command available on HP-UX provides a very quick and easy
way to gather network configuration and performance information from all the
system network interfaces. Issuing the command
# lanscan

displays the following:
Hardware Station        Crd Hdw   Net-Interface  NM  MAC   HP-DLPI DLPI
Path     Address        In# State NamePPA        ID  Type  Support Mjr#
0/0/0/0  0x00306E060662 0   UP    lan0 snap0     1   ETHER Yes     119

As shown above, the output is very similar to what the ifconfig
command provides, but in this case more information is given about the
low-level data link support (for example, it shows that lan0 is of type ETHER,
which represents Ethernet).

Note
Since the HP-UX version of ifconfig doesn't support the -a option, the lanscan
command can be used instead to determine the names of all the network
interfaces on the system. Using the -v (verbose) option of the lanscan
command, additional information can be obtained about the system network
interfaces:
# lanscan -v
-------------------------------------------------------------------------------
Hardware Station        Crd Hdw   Net-Interface  NM  MAC   HP-DLPI DLPI
Path     Address        In# State NamePPA        ID  Type  Support Mjr#
0/0/0/0  0x00306E060662 0   UP    lan0 snap0     1   ETHER Yes     119

Extended Station
Address
0x00306E060662

LLC Encapsulation
Methods
IEEE HPEXTIEEE SNAP ETHER NOVELL

Driver Specific Information
btlan3

This option shows the additional supported data link methods, such as NOVELL,
and also the Ethernet driver information (btlan3).


Project 11-1
This project steps you through documenting the network settings on your
system and testing your current network connectivity.

Step-by-Step
1. ping your local loopback address to verify that TCP/IP is functional on
your system:
# ping 127.0.0.1

2. Display your ARP table:
# arp

3. If you are using Linux, display the ARP table in numeric format in verbose mode:
# arp -n -v

4. List all the available interfaces for your system:
# ifconfig -a

5. Display all the current network connections:
# netstat -a

6. Search the results of the netstat command to look for instances of specific
services. For example, are you running an FTP server on this system?
netstat -a | grep ftp

7. ping several major hosts to determine your connectivity to them. For example:
ping 198.192.196.56
ping 4.17.168.6
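The seven steps above can be run as one script that keeps a dated record, which is handy when the same checks are repeated after a configuration change. The following POSIX shell script is an added example, not part of the book's project: it runs each step and appends the output to a report file, skipping commands that a given system lacks, and replaces step 6's `grep ftp` with a parser of netstat -a output that only counts local listeners (a plain grep also matches outbound connections to a remote FTP server). It assumes the Linux command set used in the steps; the netstat excerpt embedded in it is constructed.

```sh
#!/bin/sh
# Added example, not from the book's project: run the documentation steps
# in one go and keep the output. Assumes the Linux command set shown in the
# steps; commands missing on a given system are skipped and noted.

# record LABEL COMMAND...: append the command's output to $REPORT, or a note
# that the command is unavailable here.
record() {
    label=$1
    shift
    {
        echo "=== $label: $*"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1
        else
            echo "(command $1 not available on this system)"
        fi
        echo
    } >> "$REPORT"
}

# service_listening SERVICE: read netstat -a output on stdin and succeed if a
# TCP socket in LISTEN state (or any bound UDP socket) uses that service
# name or port. Unlike `netstat -a | grep ftp`, an ESTABLISHED client
# connection to a remote FTP server does not count.
service_listening() {
    awk -v svc="$1" '
    ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
        addr = $4
        sub(/.*:/, "", addr)          # keep only the port/service part
        if (addr == svc) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# document_network [REPORT]: steps 1 to 5 and 7 of the project, plus the
# step 6 check for a few services worth knowing about.
document_network() {
    REPORT=${1:-network-report-$(date +%Y%m%d).txt}
    : > "$REPORT"
    record "loopback reachability" ping -c 3 127.0.0.1
    record "ARP table"             arp -n -v
    record "interfaces"            ifconfig -a
    record "connections"           netstat -a
    for svc in ftp telnet sunrpc; do
        if netstat -a 2>/dev/null | service_listening "$svc"; then
            echo "local listener for $svc: yes" >> "$REPORT"
        else
            echo "local listener for $svc: no" >> "$REPORT"
        fi
    done
    record "connectivity"          ping -c 3 198.192.196.56
    record "connectivity"          ping -c 3 4.17.168.6
    echo "report written to $REPORT"
}

# Constructed netstat -a excerpt (not from a real host) for checking the
# parser offline; the sunrpc/domain lines follow the book's own example.
NETSTAT_A_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 socrates.home.com:1031  mirror.example.com:ftp  ESTABLISHED
udp        0      0 110.orlando-11-1:domain *:*'

# With a report name on the command line, document the live system; with no
# arguments the file only defines the functions.
if [ $# -gt 0 ]; then
    document_network "$1"
fi
```

Running the script before and after a change and diffing the two reports shows exactly which interface, ARP, or listener details moved.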


Mastery Check
1. The _________ contains a complete list of all data link protocol to
IP address mappings for the local network.
2. Which command provides information regarding the present status
of network connections, routing information, and other important
network-related data?
A. ifconfig
B. arp
C. netstat
D. ping
3. Which command can be used to determine if a remote device is reachable
on a network from the local system and help debug connectivity problems
among systems?
A. ifconfig
B. arp
C. netstat
D. ping
4. What does this output from the ping command tell you about the status
of the system pinged?
4 packets transmitted, 4 packets received, 0% packet loss

A. The system is reachable.
B. The system is not available.
C. The system is taking too long to respond to ping requests.
D. No information can be determined from this output.

5. What function is performed with this command?
# arp -s bruegel 08:00:20:82:be:05

A. Displaying the ARP table for the bruegel system
B. Deleting the bruegel system from the ARP table
C. Changing the hardware address in the ARP table for the bruegel system
D. Adding the bruegel system to the ARP table
6. What is the command to disable the interface ppp0?
7. What type of interface does this output from the ifconfig -a
command indicate?
eth1      Link encap:Ethernet  HWaddr 08:00:20:04:CF:2C
          inet addr:10.0.2.127  Bcast:10.0.2.255

A. Physical
B. Logical
C. Active
D. Inactive
8. What type of interface does this output from the ifconfig -a
command indicate?
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

A. Physical
B. Logical
C. Active
D. Inactive

9. What is the command to show all network connections and show them in
numeric format?
10. What command would have produced the following two lines of output?
tcp        0      0 *:sunrpc                *:*                     LISTEN
udp        0      0 110.orlando-11-1:domain *:*

A. netstat -a | grep ftp
B. netstat -a -t -u
C. netstat -a -n
D. netstat -t -p -a
11. What is the command to record each router's IP address in a ping,
similar to the long lines command?

Module 12
Advanced Network Tools

Critical Skills
12.1 Monitor Network Traffic with the tcpdump Tool
12.2 Execute the traceroute Command to Show Network Connectivity
12.3 Verify Basic Operations Using the landiag Command

12.1 Monitor Network Traffic
with the tcpdump Tool
The tcpdump command is a general-purpose network traffic monitor that can
capture and display packets and their contents. This command can be used as a
protocol analyzer, providing one of the best ways to investigate communication
and/or connectivity problems among systems and networking devices. Most of
the time, network troubleshooting focuses on network configuration problems
and diagnosing hardware-related failures. Every once in a while, however, you
will be faced with a protocol-related problem and be forced to delve into the
heart of the particular networking stack to resolve the problem. With tcpdump,
the packets scanned will be displayed with information in either a short or long
format, depending on the command-line options used. Also, this command has
a very powerful filtering mechanism that can search for packets that match
a specific string or criteria.
Depending on the installation options selected, this command will be
available on Linux by default. On Solaris, this command is available on the Solaris
Companion Software CD. When tcpdump is installed from this CD, the default
command path is /opt/sfw/sbin. For HP-UX, it must be downloaded from
the Internet.
Two primary capture modes are provided by this command: promiscuous
and nonpromiscuous. In promiscuous mode, every packet transmitted on the
network is captured, whether or not the packet was sent to the system on which
tcpdump is listening. This is the mode, for instance, that network probes use
when monitoring network traffic. Network probes listen on the network for
traffic and collect protocol information and statistics. Because local area network
(LAN) protocols such as Ethernet are broadcast-based, every frame transmitted
can be seen by any network interface attached to the LAN. Any device can read
every frame transmitted if that device chooses and is configured to do so. When
a device or interface reads every frame from the network, it is said to be in
promiscuous mode. In practice, the interface must be configured for promiscuous
operation and is only used on special occasions when network diagnosis is
required. For this reason, only root may enable promiscuous mode on an
interface. This is the primary reason that nonroot users are not permitted to
invoke tcpdump. When the attempt is made by a nonroot user to execute the
command, the following message is displayed:
tcpdump: socket: Operation not permitted


If you want to give a regular user the ability to invoke the tcpdump command,
you can setuid the program to run as root or install and configure a program like
sudo. This utility gives specific users access to privileged programs as deemed
appropriate by the system administrator. See Module 7 for more information
about the sudo command.
With nonpromiscuous mode, only broadcast frames and frames addressed to
the local system will be available to the interface. The term “broadcast” actually
refers to both normal broadcast (with all 1s in the destination field) and multicast
traffic. Under normal circumstances, the interface is in nonpromiscuous mode.
When tcpdump is invoked without command-line options, it opens the
primary network interface and begins capturing frames from the local network
and displaying their contents. Because this command can produce a significant
amount of output, the quiet option (-q ) is used to reduce the amount of output
displayed. When executed by root, the command
# tcpdump -q

will display all network frames (packets) in the single-line, nonverbose format.
The format of the output will include a timestamp, source and destination hosts
(or address), the high-level network protocol, some flags, and additional protocol
information, as shown in the following example:
tcpdump: listening on elxl1
15:41:58.055268 durer.home.com.1032 > socrates.home.com.telnet: tcp 0 (DF) [tos 0x50]
15:41:58.055446 socrates.home.com.telnet > durer.home.com.1032: tcp 28 (DF)
15:41:58.274933 durer.home.com.1032 > socrates.home.com.telnet: tcp 0 (DF) [tos 0x50]
15:41:58.275115 socrates.home.com.telnet > durer.home.com.1032: tcp 164 (DF)
15:41:58.494694 durer.home.com.1032 > socrates.home.com.telnet: tcp 0 (DF) [tos 0x50]
15:41:58.494880 socrates.home.com.telnet > durer.home.com.1032: tcp 165 (DF)
15:41:58.544828 socrates.home.com > didymus-gw2.home.com: icmp: echo request
15:41:58.545719 didymus-gw2.home.com > socrates.home.com: icmp: echo reply
5:34:10.601950 socrates.home.com.telnet > durer.home.com.1032: tcp 165 (DF)

8 packets received by filter
0 packets dropped by kernel

The output includes the time, source/destination, protocol port, protocol
contained with the frame, and additional protocol information. In this example,


durer, the source host, and socrates, the destination host, have a Telnet
session established. We can tell this by looking at the destination port, which
is telnet. By default, tcpdump captures packets until the user interrupts the
program by issuing ^c. Also, socrates has issued a ping request to didymus-gw2,
and it has responded with a reply. The -> string indicates the direction of
the communication path. Note that tcpdump always orients the communication
path to point to the right, as in the case of the ICMP echo request above. To
indicate communication in the other direction, tcpdump reverses the hosts (not
the pointer), as shown with the ICMP echo reply entry. The tcpdump command
displays the higher-level protocols in lowercase, as in tcp and icmp, followed
by more specific information pertaining to the protocol, which might include
ports, additional protocol information, and data. The output also includes a
summary of the number of packets obtained before the user terminated the
command.
The end of the output includes a count of the number of packets captured
by and the number of packets that were dropped. In this case, a total of eight
packets were captured and zero packets were discarded.
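As an added example (not part of the book), the following Python parses -q output lines like those above into their fields and applies the check just described: the number of lines displayed should match the filter count in the trailer, and a non-zero kernel drop count means packets were missed. The sample input is an abridged, constructed copy of the output shown, and the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: six lines abridged from the -q output shown above, with the
# wrapped "[tos 0x50]" rejoined onto its line and a trailer that matches six packets.
SAMPLE_OUTPUT = """\
tcpdump: listening on elxl1
15:41:58.055268 durer.home.com.1032 > socrates.home.com.telnet: tcp 0 (DF) [tos 0x50]
15:41:58.055446 socrates.home.com.telnet > durer.home.com.1032: tcp 28 (DF)
15:41:58.274933 durer.home.com.1032 > socrates.home.com.telnet: tcp 0 (DF) [tos 0x50]
15:41:58.275115 socrates.home.com.telnet > durer.home.com.1032: tcp 164 (DF)
15:41:58.544828 socrates.home.com > didymus-gw2.home.com: icmp: echo request
15:41:58.545719 didymus-gw2.home.com > socrates.home.com: icmp: echo reply
6 packets received by filter
0 packets dropped by kernel
"""

# One -q line: timestamp, "src > dst:", lowercase protocol, then protocol-specific text.
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<proto>[a-z]+):? ?(?P<info>.*)$")
TRAILER_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>received by filter|dropped by kernel)$")
LISTEN_RE = re.compile(r"^tcpdump: listening on (?P<iface>\S+)$")


def split_endpoint(endpoint, has_port):
    """'durer.home.com.1032' -> ('durer.home.com', '1032'); ICMP endpoints carry no port."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_quick_output(text):
    """Parse tcpdump -q output into per-packet fields plus the trailer counts."""
    capture = {"interface": None, "packets": [], "received": None, "dropped": None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LISTEN_RE.match(line)
        if m:
            capture["interface"] = m.group("iface")
            continue
        m = TRAILER_RE.match(line)
        if m:
            key = "received" if m.group("what").startswith("received") else "dropped"
            capture[key] = int(m.group("n"))
            continue
        m = PACKET_RE.match(line)
        if not m:
            raise ValueError("unrecognised tcpdump line: %r" % line)
        has_port = m.group("proto") in ("tcp", "udp")   # only these print host.port
        src_host, src_port = split_endpoint(m.group("src"), has_port)
        dst_host, dst_port = split_endpoint(m.group("dst"), has_port)
        capture["packets"].append({
            "ts": m.group("ts"), "src_host": src_host, "src_port": src_port,
            "dst_host": dst_host, "dst_port": dst_port,
            "proto": m.group("proto"), "info": m.group("info"),
        })
    return capture


def direction_counts(packets):
    """Count packets per (src_host, dst_host).  tcpdump always prints src > dst, so the
    reverse direction of a conversation appears under the swapped key."""
    return Counter((p["src_host"], p["dst_host"]) for p in packets)


def capture_is_complete(capture):
    """Lines displayed must equal the trailer's received count, and the kernel must
    not have dropped anything; otherwise the trace cannot be trusted as complete."""
    return (capture["received"] == len(capture["packets"])
            and capture["dropped"] == 0)


if __name__ == "__main__":
    cap = parse_quick_output(SAMPLE_OUTPUT)
    print("interface:", cap["interface"], "complete:", capture_is_complete(cap))
    for (src, dst), n in sorted(direction_counts(cap["packets"]).items()):
        print("%-22s > %-22s %d packet(s)" % (src, dst, n))
```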
The tcpdump tool provides a large number of command-line options to
select capture modes, control output, specify filter specifications, and specify
additional operating characteristics. These options are grouped according to
their function and include the following categories:
● Operating modes
● Display options
● Packet filter options

Operating Modes
These options are used to control how tcpdump will capture and display network
traffic. The available options are summarized in Table 12-1 and described
fully below.
Normally, tcpdump will listen for traffic on the primary network interface.
Usually the primary interface has the smallest numeric identifier if the system
contains two or more interfaces of the same type. For example, eth0 is
considered the primary when the system contains two Ethernet interfaces:
eth0 and eth1. However, if you want to run tcpdump on a different

Module 12:

Advanced Network Tools

Option   Description
-c       Captures specified number of packets and then quits
-F       Uses file as source for filter expression
-i       Captures packets using alternate network interface
-p       Disables capturing in promiscuous mode
-r       Reads capture file instead of network interface
-w       Saves raw packets to file

Table 12-1  tcpdump Operating Mode Common Options

interface, use the -i option and the device name to specify the alternate interface.
For example, to select the point-to-point (ppp0) interface, use the following
command:
# tcpdump -i ppp0
tcpdump: listening on ppp0

As previously indicated, tcpdump will capture packets until ^c is typed
from the controlling terminal (or if placed in the background, until the process
is terminated with the kill command). If you wish to specify the number of
packets to be captured, use the -c option followed by a packet count value. To
capture ten packets from the eth1 interface, use the following command:
Callout labels from the figure: socrates initiates snmp query; 10 lines captured corresponds to 10 packets

tcpdump -t -q -i eth1 -c 10
tcpdump: listening on eth1
chips.home.com > didymus-gw2.home.com: icmp: echo request
didymus-gw2.home.com > chips.home.com: icmp: echo reply
chips.home.com > didymus-gw2.home.com: icmp: echo request
didymus-gw2.home.com > chips.home.com: icmp: echo reply
socrates.home.com.1032 > switch.home.com.snmp: udp 44
switch.home.com.snmp > socrates.home.com.1032: udp 111
socrates.home.com.1032 > switch.home.com.snmp: udp 51
switch.home.com.snmp > socrates.home.com.1032: udp 61
socrates.home.com.1032 > switch.com.snmp: udp 51
switch.com.snmp > socrates.home.com.1032: udp 54


In this case, tcpdump has captured a ping session between socrates
and didymus-gw2, as detected by the first four lines. Also, socrates was
querying a device called switch using SNMP, as denoted by the SNMP port and
the UDP protocol used (the remaining lines). We can confirm the number of
captured packets by counting the number of lines displayed. Specifying the
number of packets to capture is useful when the intent is to monitor a critical
network transaction that uses a fixed number of packet exchanges. This option
is also useful when monitoring packets within a shell script because you don’t
have to be concerned about stopping tcpdump after it has been started. The
-t option, which removes the packet timestamp information, was used in this
example as well.
As previously indicated, tcpdump, by default, opens the network interface
in promiscuous mode to capture all network traffic. Promiscuous mode
means that all network traffic, regardless of the destination of the packet, will
be captured. Sometimes, it is more effective to examine packets delivered to a
specified host than it is to read all packets on the network. If we want to capture
those packets addressed to the host that tcpdump is running on, the -p option
is used to disable promiscuous mode capture. You will see later that we can
tell tcpdump to capture packets coming from or going to a particular host
using filters.
# tcpdump -p
tcpdump: listening on eth0

Unfortunately, the tcpdump command doesn’t confirm the use of the
-p option. As a result, the user has no way of knowing after the command was
executed which mode it is capturing with, except to examine the output to see
the destination addresses. In other words, any packet that isn’t a broadcast or
sent to a local address indicates that tcpdump is capturing with promiscuous
mode enabled.
On a very active network or a busy system, and when using certain command-line
options, tcpdump can produce a large amount of output. To help manage
this, the -w option can be used to redirect the captured information into a file.
One reason to use a file is to save the captured data for later inspection and analysis.
This could include manipulating the data in other ways, possibly using the data
to build specialized reports, and the like.


Ask the Expert
Question Why would you disable promiscuous mode with the
-p option anyway?
Answer Sometimes it becomes necessary to examine just the traffic
that arrives normally at a particular system. With this option, we can
see every packet that is destined for the local system, and nothing more.
This can be used to easily detect (by monitoring the incoming packets),
for example, whether a request for a particular service is reaching the
system. Given a client/server environment, we can determine if requests
from client systems are reaching the server (by running tcpdump on
the server) or if a particular client is transmitting requests in the first
place (by running tcpdump on the client). It is true that we can use
filters to accomplish the same thing, but it is more efficient and easier
to just reduce the number of packets in the first place.
To capture network traffic and save it to a file called traffic-data, use
the following command:
# tcpdump -w traffic-data
tcpdump: listening on eth0

The file, traffic-data, is created in the local directory once the command
above is invoked. However, the data captured isn’t written to the file until the
user interrupts the program or the -c option is used. Once the user does this,
the following is displayed:
48 packets received by filter
0 packets dropped by kernel

Hint

The traffic-data file created is not an ordinary text file, but rather a
specially formatted data file that only tcpdump and certain other programs
understand. One such program, called tcpslice, can cut out or splice
different tcpdump files together.


To learn a little bit more about the tcpdump file, use the UNIX file
command. If this is run against the traffic-data file, it reports that it
is associated with the tcpdump command, the version of the software, and
that the data contains packets that are of type Ethernet, with a frame length
of 68 bytes. It is not a human-readable text file. The UNIX command
# file traffic-data

shows the following:
traffic-data: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 68)

As previously mentioned, it is interesting that tcpdump labels the frame
types that are contained with the data file. In the previous example, the label
indicates that Ethernet frames are stored in this file. Additional types include
raw IP, FDDI, and others. Thus, if a packet capture were done on a point-to-point
link, as in the ppp0 interface, the raw IP packet type would be displayed. If
you were trying to view the file, it would appear to be a long series of strange
characters. However, this file can be read by such programs as the ethereal
tool, which provides a GUI-based approach to protocol capture and analysis.
The tcpdump command does a reasonable job of compressing data stored
in files. For instance, over 3,000 packets consume approximately 260K worth
of disk space. If you are going to save a significant amount of captured data, it
may be necessary to compress the data further using either compress or gzip.
The compress utility manages to reduce the size of this data file to a little over
33K, while the gzip program reduces the byte count down even more to just
over 18K. Not bad from a byte size of over 260K!
To display the packets that have been saved in a data file, use the -r option
followed by the name of the packet capture file. For instance, to replay the
packets saved within the traffic-data file, issue the following command:
# tcpdump -r traffic-data
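To show what the file command is actually reading, here is an added example (not from the book) that writes and reads back the capture file header that tcpdump -w produces: a magic number stored in the writer's byte order, the 2.4 version, the link type, and the snapshot length that the -s option controls. The 1514-byte Ethernet frame is constructed from the two addresses in the -e output later in this module, and the helper names are this example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # stored in the writer's byte order; file(1) reports which
PCAP_VERSION = (2, 4)            # the "version 2.4" that file reports
DEFAULT_SNAPLEN = 68             # the "capture length 68" default shown above
LINKTYPES = {1: "Ethernet", 10: "FDDI"}   # DLT_EN10MB, DLT_FDDI

# Constructed sample frame: destination and source Ethernet addresses as printed by
# tcpdump -e in this module, the IP ethertype, and 1500 zero payload bytes (1514 total).
SAMPLE_FRAME = bytes.fromhex("00105a285d7c0060970ea3060800") + bytes(1500)


def global_header(snaplen=DEFAULT_SNAPLEN, linktype=1, little_endian=True):
    """24-byte file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype."""
    fmt = ("<" if little_endian else ">") + "IHHiIII"
    return struct.pack(fmt, PCAP_MAGIC, PCAP_VERSION[0], PCAP_VERSION[1],
                       0, 0, snaplen, linktype)


def record(frame, ts_sec, ts_usec, snaplen=DEFAULT_SNAPLEN, little_endian=True):
    """Per-packet record: only the first snaplen bytes are stored (incl_len);
    orig_len keeps the size the frame had on the wire."""
    captured = frame[:snaplen]
    fmt = ("<" if little_endian else ">") + "IIII"
    return struct.pack(fmt, ts_sec, ts_usec, len(captured), len(frame)) + captured


def build_capture(frames, snaplen=DEFAULT_SNAPLEN, linktype=1, little_endian=True):
    """Assemble a whole capture file from (ts_sec, ts_usec, frame) tuples."""
    out = bytearray(global_header(snaplen, linktype, little_endian))
    for ts_sec, ts_usec, frame in frames:
        out += record(frame, ts_sec, ts_usec, snaplen, little_endian)
    return bytes(out)


def describe(data):
    """Read the header the way file(1) does: byte order, version, link type, snaplen."""
    if len(data) < 24:
        raise ValueError("too short to be a capture file")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian, order = "<", "little-endian"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian, order = ">", "big-endian"
    else:
        raise ValueError("not a tcpdump capture file")
    _m, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    return {"endian": endian, "byte_order": order, "version": "%d.%d" % (major, minor),
            "linktype": LINKTYPES.get(linktype, "linktype %d" % linktype), "snaplen": snaplen}


def file_style_summary(data):
    """One-line description in the same form as the file output shown above."""
    d = describe(data)
    return "tcpdump capture file (%s) - version %s (%s, capture length %d)" % (
        d["byte_order"], d["version"], d["linktype"], d["snaplen"])


def iter_records(data):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, captured_bytes) for each record."""
    endian = describe(data)["endian"]
    pos = 24
    while pos < len(data):
        if len(data) - pos < 16:
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        captured = data[pos:pos + incl_len]
        if len(captured) != incl_len:
            raise ValueError("truncated record data at offset %d" % pos)
        pos += incl_len
        yield ts_sec, ts_usec, incl_len, orig_len, captured


if __name__ == "__main__":
    data = build_capture([(0, 0, SAMPLE_FRAME)])
    print(file_style_summary(data))
    for ts_sec, ts_usec, incl_len, orig_len, _ in iter_records(data):
        print("record: %d of %d bytes stored" % (incl_len, orig_len))
```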

Display Options
These options control how tcpdump will display packets from the network.
The list of the available options under this category is summarized in Table 12-2.

Option   Description
-e       Prints link-level header information on each line
-v       Specifies verbose mode
-q       Specifies quick mode, displays short packet information
-t       Disables printing of the timestamp
-s       Limits the size of packets captured
-x       Displays both hexadecimal and ASCII format

Table 12-2  Display Options for tcpdump

Sometimes it is useful to determine the length of data link frames. This can
be helpful, for example, when investigating performance problems related to
higher-level applications. The tcpdump tool provides a way to obtain the size
of each frame, including both the header and data portion, with the -e command-line
option. The following sample command and output show a file transfer
session using FTP and ARP broadcasts:
Callout label from the figure: Length field
# tcpdump -t -e
0:10:5a:28:5d:7c Broadcast arp 42: arp who-has didymus-gw2.home.com tell socrates.home.com
0:10:5a:28:5d:7c Broadcast arp 42: arp who-has didymus-gw2.home.com tell socrates.home.com
0:10:5a:28:5d:7c Broadcast arp 42: arp who-has didymus-gw2.home.com tell socrates.home.com
0:10:5a:28:5d:7c 0:60:97:e:a3:6 1514: socrates.home.com.ftp-data > durer.home.com.1036: tcp 1448 (DF) [tos 0x8]
0:10:5a:28:5d:7c 0:60:97:e:a3:6 1514: socrates.home.com.ftp-data > durer.home.com.1036: tcp 1448 (DF) [tos 0x8]

As you can see, the length field is displayed next to the protocol, or if no
protocol is shown, after the destination address. It shows the total size of the
frame in bytes. The reason the packets from socrates to durer are greater
than 1,500 bytes is because FTP fills the packet with as much data as it can
hold. Ethernet has a data capacity of approximately 1,500 bytes, not including
the header portion of the frame.
The -x option provides a way to display a hexadecimal dump of network
frames. It displays link-level header information such as source and destination


address. Consider the series of packet exchanges when the host rembrandt
attempts to open an FTP session to a system called durer. The tcpdump command
tcpdump -i le1 -x tcp and port 21

will capture any FTP activity on the network. When this command is executed
and an FTP session is started, the packets will be captured and displayed as follows:
Callout labels from the figure: TCP source port, Datalink destination address, Datalink source address, IP Destination Host

0:60:97:e:a3:6 0:10:5a:28:5d:7c ip 78: durer.home.com.1044 >
socrates.home.com.ftp:
S 9262138:9262138(0) win 8192  1106589[|tcp]> (DF) (ttl 64, id 490)
4500 003c 01ea 4000 4006 2000 0a00 02c9
0a00 020a 0015 0414 40d4 a281 008d 543b
a012 7d78 92b7 0000 0204 05b4 0402 080a
0010 e29d 0000
0:60:97:e:a3:6 0:10:5a:28:5d:7c ip 66: durer.home.com.1044 >
socrates.home.com.ftp: .ack 1 win 8760 
(DF) [tos 0x1d] (ttl 128,id 20226)
451d 0034 4f02 4000 8006 92d2 0a00 020a
0a00 02c9 0414 0015 008d 543b 40d4 a282
8010 2238 d35b 0000 0101 080a 0001 4960
0010 e29d
0:10:5a:28:5d:7c 0:60:97:e:a3:6 ip 163: socrates.home.com.ftp >
durer.home.com.1044: P 1:98(97) ack 1 win 32120  (DF) [tos 0x10] (ttl 64, id 493)
4510 0095 01ed 4000 4006 1f94 0a00 02c9
0a00 020a 0015 0414 40d4 a282 008d 543b
8018 7d78 b4a1 0000 0101 080a 0010 e2a3
0001 4960 3232
0:60:97:e:a3:6 0:10:5a:28:5d:7c ip 66: durer.home.com.1044 >
socrates.home.com.ftp: . ack 98 win 8663 
(DF) [tos 0x1d] (ttl 128, id 20994)
451d 0034 5202 4000 8006 8fd2 0a00 020a
0a00 02c9 0414 0015 008d 543b 40d4 a2e3
8010 21d7 d352 0000 0101 080a 0001 4963
0010 e2a3


Please note that some unwanted information has been manually removed
from the output to make it more readable.
As you can see, the output shows a summary line that contains the Datalink
Source Address, Datalink Destination Address, Highlevel Protocol, Frame Size,
IP Source Host, TCP Source Port, IP Destination Host, and TCP Destination
Port in the first packet in the preceding example.
After the TCP destination port, we see the TCP packet flags. These map to
the standard TCP packet types listed in Module 10. The S indicates that the
packet is a SYN, or start of a TCP connection, while the P means it is a push of
data. The ack indicates an acknowledgment. The next part of the listing shows
the entire frame in hexadecimal. Unfortunately, it doesn’t do a good job of
showing us the ASCII version of the frame where appropriate. For instance,
when a user starts an FTP session to a host, some valuable information is
displayed along with a login prompt:
# ftp Socrates
220 socrates.home.com FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.
Name (socrates:root):

This information is contained within the frames shown above, but tcpdump
doesn’t show us this information in ASCII.

Using Packet Filters
One very important aspect of network protocol debugging involves the use
of packet filters. A packet filter is a predefined pattern that is compared to
incoming packets and consists of a series of one or more primitives that may be
combined with operators such as and, or, and not. When the pattern is matched,
that packet is captured and displayed, or else the packet is discarded and not
displayed. Packet filters are useful in searching for a particular protocol type or
any other specific information available within the packet. We first used a packet
filter in the previous example by telling tcpdump that we were interested in
displaying packets that were related to a file transfer.
The tcpdump command supports user-defined packet filters. A filter is
installed by tcpdump when a filter expression is given on the command line.
This filter is placed in memory and will filter according to the rules that have
been defined using the keywords and primitives. Every packet is compared to
the filter, and when a match is found, the packet is displayed. Otherwise, the
packet is discarded. Figure 12-1 shows a high-level overview of a packet filter.

Figure 12-1  Packet filter diagram

Normally, network packets are read from the network interface by the
associated driver on behalf of the kernel. Next, tcpdump requests the information
from the kernel using system calls. The tcpdump tool provides a large number
of predefined expressions or primitives that can be used to build very powerful
packet filters. These expressions can be divided into three groups. The first
group, called address primitives, operates on packets using address information
such as IP or data link addresses; the second group, known as protocol primitives,
operates on packets that use different protocols, including IP, AppleTalk, and
others. The final group includes Boolean and arithmetic primitives (or operators)
that can be used with the first two expression types to produce compound
filters. Compound filters include more than one expression type separated by
reserve words such as and, not, and or. These filters can also include arithmetic
operators such as +, -, *, and others. These expressions are evaluated to be
either true or false, and the result will determine what action tcpdump will
take. A description of the primitives follows.

Address Primitives
Expressions that operate on the addressing portions of a packet are listed in
Table 12-3 and described in more detail next.

Primitive           Description
gateway             Selects packets that have been used by a specified host acting
                    as a gateway
host                Selects packets from a specified host or IP address
ipaddr, etheraddr   Selects packets from either IP or data link addresses
broadcast           Selects broadcast packets that contain all 1s or Fs in either
                    source or destination fields
multicast           Selects packets that are sent to multicast addresses
net                 Selects packets that contain specified network portions used
                    with the IP protocol
port                Selects packets that contain specified port addresses used
                    with the IP protocol

Table 12-3  Address-Related Primitives

The gateway primitive selects packets that have been forwarded by a
router. This indicates that the data link address of the packet (either source or
destination) matches that of the router, while the IP address matches that of
the host. Normally, a router will not change the IP address information when
forwarding packets, but the data link address will match the device that forwards
the packet.
The host primitive followed by a valid hostname can select packets that are
either sent to or received from the specified hostname. The host keyword is
mainly used to avoid ambiguity that might arise if you were to specify a hostname
that just happens to be the same as one of the tcpdump existing keywords. For
example, when monitoring the host called gateway, the host keyword must
be used because the gateway keyword will be interpreted as a keyword rather
than as a valid hostname. Thus, the tcpdump command listed next produces
an error because the gateway string is assumed to specify a local gateway:
# tcpdump gateway
tcpdump: parse error

The way to specify the capture of packets from a host called gateway would
be the following:
# tcpdump host gateway


The ipaddr and etheraddr options specify actual IP addresses and data link
addresses in dotted and colon formats, respectively. For example, to capture all
packets from the IP address 10.0.2.100, the following command would be used:
# tcpdump ipaddr 10.0.2.100

The ipaddr and etheraddr primitives will match either the source or
destination address. Some data link addresses begin with a letter and will cause
tcpdump to misinterpret these as hostnames rather than true addresses. To avoid
this problem, insert a zero in front when specifying these types of addresses.
To capture broadcast packets, use the broadcast primitive. A broadcast
is a special address that designates that all devices should receive the message.
Several network protocols and services such as ARP, NIS, and RIP use broadcasts
to propagate information across the network. Using broadcast will result in the
capture of broadcast packets from the data link level. This means that any address
that contains 255 or FF values within the source or destination field will be
captured. This includes data link packets that contain broadcasts (such as ARP
requests) and high-level protocol broadcasts (such as an IP broadcast). This
primitive could be used to capture routing data from the Routing Information
Protocol (RIP) because routers periodically broadcast routing updates.
Also, to obtain multicast traffic such as Internet radio, use the multicast
primitive. The standard multicast address of 224.0.0.1 supports this type
of traffic as defined by the multicast standard. Additional addresses (both
physical or IP) can be used at your site. It may be necessary to determine the
exact multicast addresses before you start filtering these types of packets.

Protocol Primitives
The tcpdump application provides protocol primitives as a shorthand way
to select specific network traffic, without requiring or knowing the low-level
protocol information. For example, the ip primitive can be used to capture all
IP traffic. Without this keyword, you would need to use the IP type of x0800,
which is harder to remember. These primitives support the TCP/IP, AppleTalk,
and DECnet family of protocols. Table 12-4 lists and describes these protocol
keywords.

Protocol Primitive   Description
apple                AppleTalk protocol family
arp                  Address Resolution Protocol—includes both request and reply
fddi                 FDDI data link protocol
ethertype            Another protocol type (used with a type code)
decnet               DECnet protocol family
ip                   Internet Protocol
icmp                 Internet Control Message Protocol—includes both echo
                     and reply
rarp                 Reverse Address Resolution Protocol—includes both request
                     and reply
tcp                  Transmission Control Protocol
udp                  User Datagram Protocol

Table 12-4  Protocol Primitives Supported by tcpdump

To select a protocol family or type that isn’t provided directly by tcpdump,
use the ethertype primitive along with the type code for the desired protocol.
For example, to monitor Novell NetWare packets, which have a type code of
0x8137, use the following command:
# tcpdump ethertype 0x8137

Please note that because tcpdump doesn’t support the Novell protocol
family directly, no packet information can be displayed beyond the data link
layer. If tcpdump finds packets that contain a Novell header, it will list the
data link information only. However, despite this disadvantage, tcpdump is
still useful for identifying certain packet types and providing rudimentary
packet count information.


Operators
The tcpdump command supports several expression (or operator) types and
can be combined with primitives and qualifiers to produce compound filters.


These expressions include the arithmetic and Boolean operators listed in
Table 12-5. Operators can build powerful expressions to search for specific
packets. Expressions can be composed of numbers, packet field selections,
length primitives, and arithmetic operators. To use the value of a field in an
expression within a packet, use the following syntax:
primitive [offset [: size] ]

where the word primitive is replaced with ether, ip, udp, tcp, or icmp.
The offset is counted from the start of the header selected by the protocol
primitive, and the size specifies the length of the field in bytes. If the size is
not supplied, it defaults to 1.
Packet field sections can be used in a variety of ways. Consider the
following example:
tcpdump "ether[1:4]&0xffffffff = 0xffffffff"

Operator     Description
>            Greater than
<            Less than
>=           Greater than or equal to
<=           Less than or equal to
=            Equal to
!=           Not equal
+            Plus
-            Minus
*            Multiply
/            Divide
&            Bitwise AND
|            Bitwise inclusive OR
^            Bitwise exclusive OR
and or &&    Concatenation
or or ||     Alternation
not or !     Negation

Table 12-5  tcpdump Arithmetic Operators

In this example, tcpdump will display all broadcast packets transmitted on
the local network—this means all frames with a destination address of all
1s (255 in decimal, 0xff in hexadecimal). The 1 in ether[1:4] indicates the
first addressable byte of the frame (the destination address), and the 4 value
specifies the length of this field. Despite the fact that Ethernet addresses are six
bytes, we can examine the first four bytes to determine if it is a broadcast address.
To display all packets that originate from a particular Sun system, for example,
use this command:
tcpdump "ether[6:4]&0xffffffff = 0x08002004"

This tells tcpdump to examine the sixth byte of the frame (the source frame
address) and compare it to the 0x08002004 addresses using the & (and) operator.
This data link address represents the address of a local system called monet.
Recall that Ethernet addresses are six bytes in length, and we can use the first
four bytes to identify the system desired. As a result, all packets transmitted
from monet will be displayed. To identify another system, obtain the data link
address of the system, convert it to hexadecimal, and place it on the right side
of the preceding command.

Miscellaneous Primitives
A few additional primitives are also available from tcpdump that can’t be
classified as either address or protocol primitives. These include the following:
● greater
● less
● length

The greater and less primitives are used in conjunction with other
tcpdump commands to filter, based on the total length of the packet. For
example, to display all packets that are greater than 56 bytes, invoke the
following command:
# tcpdump greater 56

To display all packets that are less than 60 bytes, use the less primitive:
# tcpdump -x less 60


Ask the Expert
Question

Why would you use the greater or less commands?

Answer The primary reason is to search for packets based on size,
rather than content. Another primitive, length, can also be used to
handle capturing packets based on their exact size. The length can be
used when the need to capture packets is based on some calculation.
For example, the following command will display any packet that is
not equal to 56:
# tcpdump length != 56

The tcpdump -x less 60 command above will display all frames that are less than 60 bytes. For instance,
ARP (Address Resolution Protocol) request frames are smaller than 60 bytes.
Executing this command will display any ARP messages, as shown here:
tcpdump: listening on eth0
23:45:29.240364 arp who-has durer.home.com tell socrates.home.com
0001 0800 0604 0001 0010 5a28 5d7c 0a00
02c9 0000 0000 0000 0a00 020a

Qualifiers
Three qualifiers may be used in conjunction with the primitives listed in the
preceding tables. A qualifier can further define search characteristics to pinpoint
specific network traffic. These qualifiers include the following:
● from or src
● to or dst

The from and src qualifiers are used with the host, net, ipaddr,
etheraddr, port, or rpc primitives to filter based on a specific source
address or network port. The qualifiers to or dst modify the primitives just
mentioned, but will result in the captured packets going to a particular address
or port. The ether modifier resolves a name to a data link address when used

with the host primitive. To illustrate the use of the host keyword, let’s suppose
we want to capture traffic from a particular host only. The following tcpdump
command could be used:
# tcpdump from host monet

Contrast the command above with the following:
# tcpdump host monet

In the latter example, all the traffic involving monet, which includes packets
being sent to and received from monet, will be displayed. In the former example,
only traffic received from monet will be displayed. As you can see, this can
make a big difference when attempting to isolate a network problem.

Tcpdump Command Examples
Listed below are command examples and associated descriptions of actual
tcpdump command syntax. It is hoped that these commands will provide
a quick reference on using tcpdump in real-world situations.
tcpdump -w data-file host 216.155.43.1

Captures traffic sent or received by the host with the IP address of 216.155.43.1
and saves that packet information to the file called data-file.
tcpdump host barney

Will capture and display traffic sent from or delivered to the system called
barney. This command examines both the source and destination address
fields of the IP header.
tcpdump host not barney

Will capture and display traffic from all hosts on the network, except the
system called barney.
tcpdump host barney and host fred and \( not pebbles \)


Will capture and display traffic from hosts barney and fred, but not from the
system called pebbles. The parentheses were added to make the command
more readable. However, each of the tcpdump arithmetical and Boolean
operators has precedence and the parentheses can be used to define command
interpretation ordering.

Hint

Because the parentheses are special to some shells, they must be escaped
using the backslash (\).
tcpdump arp


Will capture and display all Address Resolution Protocol (ARP) packets. This
includes both requests and replies.
tcpdump host durer and tcp

Will capture and display all Transmission Control Protocol (TCP) packets
from/to the host durer.
tcpdump host vectra and port 23

Will capture and display all packets using port 23 from or to host vectra. This
amounts to inspecting all Telnet packets going to this system from others on
the network. Recall that port 23 is the Telnet service port for all incoming packets.


tcpdump ether multicast

Will capture and display multicast packets. See the next command for
alternatives.
tcpdump 'ip[16] >= 224'


Will capture and display all packets that use the multicast address. This
command compares the 16th byte (which is the destination address) of the
IP packet to the value of 224. This prefix is for the standard multicast address
of 224.0.0.1, which means all hosts within the default multicast group.
tcpdump 'ether[0] & 1 = 1'

Will capture and display all broadcast packets. The sequence ether[0]
provides access to the first field of the Ethernet data link destination field and
is compared to the value of 1. If the destination fields contain all 1s (which will
be true if broadcast address, when expressed in binary) and when the and (&)
operator is applied to a positive value, it will yield a value of 1. In this case, the
expression is true and the packets are displayed.
tcpdump 'ip[2:2] > 512'

Will capture and display all IP packets that are larger than 512 bytes. The
sequence ip[2:2] identifies the second byte of the IP header (which is the size
of the packet) and compares this value of 512. The 2: indicates the offset of
the IP packet, while the remaining 2 is the number of bytes within that field.
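As an added illustration of the -x hex dump and of the primitive[offset:size] field syntax used in the examples above (example code, not from the book): the second frame of the -x dump earlier in this module is decoded into the fields tcpdump prints on its summary line, and relational filters such as ip[2:2] > 512 and ip[16] >= 224 are evaluated against it. The small expression evaluator and the helper names are this example's own; because that dump begins at the IP header, ether[] offsets cannot be evaluated here.

```python
import re
import struct

ETHER_HDR_LEN = 14  # the -e/-x frame sizes ("ip 66") include this link header

# Constructed input, copied from the second frame of the -x dump above (the
# acknowledgement durer.home.com.1044 > socrates.home.com.ftp).  The dump starts
# at the IP header, so every offset below is relative to the IP packet.
HEX_DUMP = """
451d 0034 4f02 4000 8006 92d2 0a00 020a
0a00 02c9 0414 0015 008d 543b 40d4 a282
8010 2238 d35b 0000 0101 080a 0001 4960
0010 e29d
"""


def hexdump_to_bytes(text):
    """Turn tcpdump -x style 16-bit hex groups into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_ip(pkt):
    """Decode the fixed 20-byte IPv4 header (RFC 791 field order)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,      # header length in bytes
        "tos": tos,                        # the "[tos 0x1d]" value
        "length": total_len,               # "ip 66" is this plus ETHER_HDR_LEN
        "id": ident,                       # "id 20226"
        "df": bool(flags_frag & 0x4000),   # the "(DF)" marker
        "ttl": ttl,                        # "ttl 128"
        "proto": proto,                    # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def decode_tcp(seg):
    """Decode the fixed TCP header and render the flags the way tcpdump does."""
    (sport, dport, seq, ack, off_flags,
     win, _csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    letters = [c for bit, c in ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"))
               if off_flags & bit]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "offset": (off_flags >> 12) * 4,   # TCP header length in bytes
        "flags": "".join(letters) or ".",  # "." means none of S/F/R/P is set
        "ack_set": bool(off_flags & 0x10),  # printed as "ack N"
        "win": win,                        # "win 8760"
    }


def decode_packet(pkt):
    """Decode the IP header and, for TCP, the transport header that follows it."""
    ip = decode_ip(pkt)
    tcp = decode_tcp(pkt[ip["ihl"]:]) if ip["proto"] == 6 else None
    return {"ip": ip, "tcp": tcp}


def field(pkt, proto, offset, size=1):
    """Return proto[offset:size] as an integer; offsets count from that header's start."""
    if proto == "ip":
        base = 0
    elif proto in ("tcp", "udp", "icmp"):
        base = decode_ip(pkt)["ihl"]       # transport header follows the IP header
    else:
        raise ValueError("ether[] needs the link header, which this dump omits")
    chunk = pkt[base + offset:base + offset + size]
    if len(chunk) != size:
        raise ValueError("field runs past the end of the packet")
    return int.from_bytes(chunk, "big")


# One relational test: proto[off[:size]] [& mask] OP value, e.g. "ip[2:2] > 512"
EXPR_RE = re.compile(
    r"^\s*(ether|ip|tcp|udp|icmp)\[(\d+)(?::(\d+))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+)\s*)?"
    r"(>=|<=|!=|>|<|=)\s*(0x[0-9a-fA-F]+|\d+)\s*$")
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def matches(pkt, expr):
    """Evaluate one filter such as 'ip[2:2] > 512' or 'tcp[13] & 2 = 2' against a packet."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError("unsupported expression: %s" % expr)
    proto, off, size, mask, op, value = m.groups()
    lhs = field(pkt, proto, int(off), int(size) if size else 1)
    if mask:
        lhs &= int(mask, 0)                # the & mask applies before the comparison
    return OPS[op](lhs, int(value, 0))


if __name__ == "__main__":
    pkt = hexdump_to_bytes(HEX_DUMP)
    d = decode_packet(pkt)
    print("%s.%d > %s.%d: %s%s win %d%s [tos 0x%x] (ttl %d, id %d)" % (
        d["ip"]["src"], d["tcp"]["sport"], d["ip"]["dst"], d["tcp"]["dport"],
        d["tcp"]["flags"], " ack" if d["tcp"]["ack_set"] else "", d["tcp"]["win"],
        " (DF)" if d["ip"]["df"] else "", d["ip"]["tos"], d["ip"]["ttl"], d["ip"]["id"]))
    for expr in ("ip[2:2] > 512", "ip[16] >= 224", "tcp[13] & 0x10 = 0x10"):
        print("%-24s %s" % (expr, matches(pkt, expr)))
```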

1-Minute Drill

● When reading tcpdump output, what direction is the communication between
  the source and destination oriented in the output lines?

● What are the three main groups of predefined expressions or primitives for
  filtering tcpdump results?

● The source and destination are always read left to right and indicated by the > character. If the
  communication direction between systems is reversed, the source and host will swap order on
  the output line and you still read left to right.
● Address, protocol, operators.


12.2 Execute the traceroute
Command to Show
Network Connectivity
The traceroute command examines and records the path to a specified
network destination. Within a traditional IP network, one or more routers
provide connectivity between different IP networks. IP routers come in many
shapes and sizes, from a simple multihomed UNIX system with two interfaces
to an industrial-strength Cisco router with a large number of interfaces. In
each case the routing function is essentially the same: forward IP packets
from one interface to another according to the established routing table.
The traceroute command uses the Time-To-Live (TTL) field of the IP header
to obtain an ICMP TIME_EXCEEDED message from each router along the route
to the destination. Because each probe is addressed to a destination port that
is unlikely to be in use, the destination itself answers with an ICMP
PORT_UNREACHABLE message, which tells traceroute that the trace is complete.
It sends out its probes with a TTL of 1 and then increases the TTL by 1 for
each successive hop until it either reaches the desired host or exceeds the
maximum TTL. By default the maximum TTL is 30 hops, but this can be changed.
This command has a large number of command-line options, but the only
required argument is the hostname or IP address of the destination. For
example, to display the IP path between the local system running traceroute
and the destination system called vermeer, issue the following command:
# traceroute vermeer

Figures 12-2 and 12-3 show a sample network that consists of one router and
two network nodes. When the above traceroute command is executed on
monet, the following output is displayed:
# traceroute vermeer
traceroute to vermeer (128.197.2.200), 30 hops max, 40 byte packets
 1  Router-Z (10.0.2.129)  4.256 ms  *  2.899 ms
 2  vermeer (128.197.2.200)  7.340 ms  7.433 ms  7.526 ms

Module 12: Advanced Network Tools

By default, traceroute sends three probes at every TTL value, so each hop
is tried three times. The first line of the output shows the destination along
with its IP address, the maximum number of hops, and the size of the probe
packets. The line that begins with 1 shows the first hop encountered by
traceroute (see Figure 12-2).
Because vermeer is on a different physical network than monet, a router
must be used to reach it. The default router in this example is Router-Z, so
the first probe is sent there. That probe is a UDP datagram with the TTL field
set to 1. Every router that forwards an IP packet decrements its TTL by 1; when
the decrement leaves the TTL at zero, the router must discard the packet and
notify the sender. This forces Router-Z to return an ICMP TIME_EXCEEDED
message to monet. traceroute measures the time between sending the probe
and receiving the reply. This is the round-trip time, or RTT, and is displayed
in milliseconds (thousandths of a second) after the hostname and IP address.
In the output above, the first probe to Router-Z took 4.256 ms (about .004
seconds), the second probe got no reply within the timeout (shown as *), and
the third took 2.899 ms (about .003 seconds).
The second line details the second hop and shows that traceroute reached
the destination system vermeer, with slightly higher RTTs than the first hop
(see Figure 12-3). When the probes with a TTL of 2 were sent, the router
decremented the TTL to 1 and forwarded them to vermeer. Because traceroute
is aiming at an unused UDP port, vermeer responds with an ICMP
PORT_UNREACHABLE error, and the trace ends. As a general rule on large (and
sometimes small) networks, performance between systems and networks can
and will vary by a significant amount, even from one moment to the next.
There is no restriction on what constitutes a destination; it can be any kind
of device, from a simple host to an Internet router. The only requirement is
that it must support IP.

Figure 12-2  Using traceroute with single hop in network
Figure 12-3  Using traceroute with two hops in network

Reading Output
Due to variations and problems with router devices along certain paths, the
general fluctuations of network routes can lead to unpredictable and strange
traceroute output. As a result, certain codes might appear after the timing
information is displayed. Table 12-6 lists these codes and their associated
meanings.

Code    Meaning
*       No response to the probe packet before the timeout expired.
!       The TTL in the received reply is 1 or less.
!H      Destination host is unreachable.
!N      Destination network is unreachable.
!P      Destination protocol is unreachable.
!S      The source route option has failed. In practice this shouldn't happen,
        and if it does, it indicates a bug or problem with the router that
        generated the error.
!F      Fragmentation was needed for a probe packet. In practice this shouldn't
        happen, and if it does, it indicates a bug or problem with the router
        that generated the error.
!X      The path is blocked because communication has been disabled from an
        administrative standpoint; in other words, the path is shut down or
        blocked from a software standpoint (typically a router access list or
        firewall rule).
!<N>    An ICMP unreachable code not in the list above, where N is that
        code number.

Table 12-6  Display Codes for Traceroute

Some of these display codes come in handy when you debug network problems.
For example, if a destination is not reachable (like www.whitehouse.gov)
by the system that is running the traceroute command, executing
monet# traceroute www.whitehouse.gov

will produce
traceroute to www.whitehouse.gov (198.137.240.91), 30 hops max, 40 byte packets
 1  monet (10.0.2.126)  4.281 ms !N  *  1.896 ms !N

In this example, the network 198.137.240 can’t be reached from the local
system, and traceroute displays the error string !N to indicate this problem.
In this particular case, monet can’t send any packets to 198.137.240 because
no route to that network exists. The * means that the particular probe packet
never received a response; the * is used as a time-out indicator. To further


verify these results, use the ping command with the same destination. Thus,
the command
monet# ping www.whitehouse.gov

will show the same problem, except the error is a little more descriptive:
ICMP Net Unreachable from gateway monet (10.0.2.126)
for icmp from monet (10.0.2.126) to www.whitehouse.gov

In the same way, the !H and !P codes are also used to debug general network
problems: !H is reported when the destination host is unreachable and !P when
the protocol is unreachable. A host-unreachable error is typically returned by
the last router on the path when it has a route to the destination network but
cannot deliver the packet to that particular host on it.
Because the RTT between networks and systems can change significantly
from one moment to the next, a trace to a remote Internet site (here
198.137.240.91, the address resolved for www.whitehouse.gov above) first
reveals the following:
# traceroute 198.137.240.91
traceroute to 198.137.240.91 (198.137.240.91), 30 hops max, 40 byte packets
1 10.0.2.76 (10.0.2.76) 19.906 ms 9.801 ms 8.174 ms
2 199.70.195.38 (199.70.195.38) 197.460 ms 188.000 ms 181.029 ms
3 12.77.194.1 (12.77.194.1) 166.802 ms 184.713 ms 185.857 ms
4 12.127.12.205 (12.127.12.205) 245.026 ms 270.253 ms 266.718 ms
5 12.127.15.145 (12.127.15.145) 215.191 ms 211.920 ms 208.979 ms
6 192.205.31.165 (192.205.31.165) 217.875 ms 232.610 ms 222.274 ms
7 204.6.117.65 (204.6.117.65) 266.797 ms 239.000 ms 215.671 ms
8 38.1.4.69 (38.1.4.69) 235.431 ms 225.447 ms 301.119 ms
9 38.1.25.5 (38.1.25.5) 235.369 ms 236.134 ms 263.557 ms
10 38.1.25.5 (38.1.25.5) 252.172 ms 238.984 ms 263.013 ms
11 38.146.148.45 (38.146.148.45) 241.956 ms 248.091 ms 243.300 ms
12 198.137.240.33 (198.137.240.33) 249.361 ms 228.717 ms 252.927 ms
13 198.137.240.91 (198.137.240.91) 238.799 ms 259.967 ms 236.384 ms

When the trace is repeated later, it shows the following:
traceroute to 198.137.240.91 (198.137.240.91), 30 hops max, 40 byte packets
 1  10.0.2.76 (10.0.2.76)  7.619 ms  5.863 ms  6.206 ms
 2  199.70.195.42 (199.70.195.42)  177.685 ms  177.691 ms  177.842 ms
 3  12.77.242.129 (12.77.242.129)  170.712 ms  177.096 ms  173.517 ms
 4  12.127.12.205 (12.127.12.205)  260.239 ms  248.072 ms  252.829 ms
 5  12.127.15.145 (12.127.15.145)  219.767 ms  215.645 ms  232.399 ms
 6  192.205.31.165 (192.205.31.165)  232.259 ms  225.243 ms  219.236 ms
 7  204.6.117.65 (204.6.117.65)  228.997 ms  218.067 ms  219.365 ms
 8  38.1.4.69 (38.1.4.69)  445.758 ms  232.797 ms  276.249 ms      <- significant
 9  38.1.25.5 (38.1.25.5)  245.674 ms  443.611 ms  577.309 ms      <- RTT delays
10  38.1.25.5 (38.1.25.5)  432.994 ms  222.527 ms  242.844 ms      <-
11  38.146.148.45 (38.146.148.45)  257.668 ms  249.923 ms  263.074 ms
12  198.137.240.33 (198.137.240.33)  276.658 ms  242.361 ms  *
13  198.137.240.91 (198.137.240.91)  248.266 ms  245.006 ms  251.071 ms

As you can see, most of the response times are very close to those of the first
trace. However, significant delays can be observed at hops 8, 9, and 10, where
one or two of the three probes took roughly twice as long as the others, and
one probe to hop 12 was lost altogether. This further shows that performance
on a large routed network (such as the Internet) can and does vary over time.
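As an added example (not from the book), the following Python reads traceroute output of the kind shown above and flags what Table 12-6 and the two traces illustrate: probes that timed out, ICMP error codes after a time, a wide spread between the fastest and slowest probe of one hop, and a jump in median RTT over the previous hop. The two sample traces embedded below are copied from the text; the 1.8 ratio used as the "significant" threshold is an assumption chosen for this example.

```python
from statistics import median

# Annotation codes from Table 12-6 (anything else starting with "!" is
# reported as a raw ICMP code number).
CODES = {
    "!": "TTL in reply is 1 or less",
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!S": "source route failed",
    "!F": "fragmentation needed",
    "!X": "administratively prohibited",
}

def parse_hop_line(line):
    """Parse one 'N host (addr) t1 ms t2 ms t3 ms' line. A '*' probe becomes
    None; any '!' code that follows a time is collected. Returns None for
    lines that are not hop lines (such as the 'traceroute to ...' header)."""
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None
    hop = {"hop": int(parts[0]), "name": None, "addr": None, "rtts": [], "codes": []}
    rest = parts[1:]
    if rest and rest[0] != "*":
        hop["name"] = rest.pop(0)
        if rest and rest[0].startswith("("):
            hop["addr"] = rest.pop(0).strip("()")
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "*":
            hop["rtts"].append(None)
            i += 1
        elif i + 1 < len(rest) and rest[i + 1] == "ms":
            hop["rtts"].append(float(tok))
            i += 2
            if i < len(rest) and rest[i].startswith("!"):
                hop["codes"].append(rest[i])
                i += 1
        else:
            i += 1      # e.g. "56 bytes to 10.0.2.1" from -v output: skip it
    return hop

def parse_trace(text):
    return [h for h in (parse_hop_line(line) for line in text.splitlines()) if h]

def analyze(hops, factor=1.8):
    """Return (hop, finding) pairs. A spread between the fastest and slowest
    probe of one hop points at jitter or a loaded router; a step up in the
    median RTT against the previous responding hop points at a slow link."""
    findings, prev_median = [], None
    for h in hops:
        good = [r for r in h["rtts"] if r is not None]
        lost = h["rtts"].count(None)
        if not good:
            findings.append((h["hop"], "no response to any probe"))
            continue
        if lost:
            findings.append((h["hop"], f"{lost} probe(s) timed out"))
        for c in h["codes"]:
            findings.append((h["hop"], CODES.get(c, "ICMP error code " + c)))
        if max(good) > factor * min(good):
            findings.append((h["hop"], f"RTT spread: {min(good):.1f} to {max(good):.1f} ms"))
        med = median(good)
        if prev_median and med > factor * prev_median:
            findings.append((h["hop"], f"RTT step: median {med:.1f} ms vs {prev_median:.1f} ms at previous hop"))
        prev_median = med
    return findings

# Sample input: the second trace from the text, embedded here verbatim.
SAMPLE_TRACE = """\
traceroute to 198.137.240.91 (198.137.240.91), 30 hops max, 40 byte packets
 1  10.0.2.76 (10.0.2.76)  7.619 ms  5.863 ms  6.206 ms
 2  199.70.195.42 (199.70.195.42)  177.685 ms  177.691 ms  177.842 ms
 3  12.77.242.129 (12.77.242.129)  170.712 ms  177.096 ms  173.517 ms
 4  12.127.12.205 (12.127.12.205)  260.239 ms  248.072 ms  252.829 ms
 5  12.127.15.145 (12.127.15.145)  219.767 ms  215.645 ms  232.399 ms
 6  192.205.31.165 (192.205.31.165)  232.259 ms  225.243 ms  219.236 ms
 7  204.6.117.65 (204.6.117.65)  228.997 ms  218.067 ms  219.365 ms
 8  38.1.4.69 (38.1.4.69)  445.758 ms  232.797 ms  276.249 ms
 9  38.1.25.5 (38.1.25.5)  245.674 ms  443.611 ms  577.309 ms
10  38.1.25.5 (38.1.25.5)  432.994 ms  222.527 ms  242.844 ms
11  38.146.148.45 (38.146.148.45)  257.668 ms  249.923 ms  263.074 ms
12  198.137.240.33 (198.137.240.33)  276.658 ms  242.361 ms  *
13  198.137.240.91 (198.137.240.91)  248.266 ms  245.006 ms  251.071 ms
"""

# Sample input: the !N example from the text.
UNREACHABLE_TRACE = """\
traceroute to www.whitehouse.gov (198.137.240.91), 30 hops max, 40 byte packets
 1  monet (10.0.2.126)  4.281 ms !N  *  1.896 ms !N
"""

if __name__ == "__main__":
    for hop, finding in analyze(parse_trace(SAMPLE_TRACE)) + analyze(parse_trace(UNREACHABLE_TRACE)):
        print(f"hop {hop:2d}: {finding}")
```

Run against the second trace, it reports the step from the LAN to the first WAN hop at hop 2, the spread at hops 8, 9 and 10, and the lost probe at hop 12; against the !N example it names the network-unreachable condition. Feed it real output with traceroute -n so hostname lookups do not add their own delay to the timings.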

Changing Characteristics
The traceroute command contains a number of operational parameters
that can be used to affect how it traces a path to the specified destination. Each
of these parameters has an associated command-line option that can alter its
default value. Table 12-7 lists these options.

Option  Meaning
-i      Specifies an alternate interface from which to send probe packets
-I      Uses ICMP ECHO requests instead of UDP datagrams as probe packets
-p      Sets the alternate base port for probe packets
-g      Specifies a router for loose source routing
-f      Sets the initial TTL value to be used (Linux only)
-s      Uses the specified address as the source address of probe packets
-q      Sets the number of probe queries sent per hop
-m      Sets the maximum number of hops (maximum TTL)
-d      Enables the debug flag (SO_DEBUG), that is, socket-level debugging
-F      Sets the "don't fragment" bit on probe packets
-t      Sets the type of service (TOS) field
-w      Sets the wait time for replies to probe packets
-x      Specifies not to calculate checksums
-v      Enables verbose mode

Table 12-7  traceroute Operational Command-Line Options

When traceroute is run on a multihomed system (one with more than one
network interface), it selects the first interface it finds. That might not be
the desired action when the destination network can only be reached through
another interface. To address this, the -i option forces traceroute to send its
probes from the interface you name. Thus, the command
# traceroute -i hme0 vermeer
traceroute: Warning: Multiple interfaces found; using 10.0.2.126 @ hme0

makes traceroute use the Fast Ethernet interface hme0 instead of the default
interface.
In certain situations, the default maximum of 30 hops is not enough to reach
a destination that lies more than 30 routers away. When this occurs, traceroute
never reaches the destination; use the -m option to raise the hop count.
When you do a traceroute to certain devices, it might sometimes fail, despite
the fact that the path to the device is operational. Further, using the ping
command against the device will indicate that it is working correctly as well.
Why? Before we answer this question, let’s look at an example:
# traceroute -m 5 128.197.2.200
traceroute to 128.197.2.200 (128.197.2.200), 5 hops max, 40 byte packets
1 rodin (10.0.2.129) 10.193 ms * 2.158 ms
2 * * *
3 * * *
4 * * *
5 * * *

This traceroute gets a reply from the first hop (rodin) but no response to
any probe beyond it. Note the use of -m to keep the number of probes small.
The answer lies in the fact that, by default, traceroute sends its probes as
UDP datagrams. The destination may not answer UDP at all, may not generate an
ICMP PORT_UNREACHABLE for the destination port used, or a firewall between
monet and the destination may be blocking the probes or the ICMP replies. From
a TCP/IP standpoint, not every device is required to support UDP, and those
that do will not necessarily respond on the port traceroute uses.
When traceroute sends its probes it uses, by default, a UDP destination port
starting at 33434 (incremented for each probe sent), and it assumes that no
application or network service is listening there. It uses this high port
number in the hope that the destination will answer with a port unreachable
message, which terminates the trace. If, on the other hand, that port is in
use, traceroute never gets its terminating reply. If this happens, use the -p
option followed by another port number, and traceroute will start from that
port instead of the default.
# traceroute -p 10 -m 5 128.197.2.200
traceroute to 128.197.2.200 (128.197.2.200), 5 hops max, 40 byte packets
1 rodin (10.0.2.129) 10.193 ms * 2.158 ms
2 * * *
3 * * *
4 * * *
5 * * *

If this still doesn’t do the trick, attempt to use the -I option, which will
instruct traceroute to use the ICMP protocol instead of UDP when sending
probe packets. So, the command
monet# traceroute -m 5 -I 128.197.2.200

with the -I option produces the correct results:
traceroute to 128.197.2.200 (128.197.2.200), 5 hops max, 40 byte packets
1 rodin (10.0.2.129) 4.412 ms * 2.235 ms
2 vermeer (128.197.2.200) 6.875 ms 6.955 ms 6.935 ms

As you can see, this took a bit of trial and error to obtain the desired result.
However, this is not a contrived example; rather, vermeer represents an actual
device—a laser printer. The real point here is that when tracing the route to a
particular destination, there can be many reasons why traceroute fails to reach
a destination. Failure might not mean that the device is down or disconnected
from the network.

Display Options
Two options are available to modify the output of traceroute. The first, -v,
displays for each hop the size and destination of the response packets. The
following shows an example:
# traceroute -v rembrandt
traceroute to rembrandt (10.0.2.75), 30 hops max, 40 byte packets
1 rembrandt (10.0.2.75) 56 bytes to 10.0.2.1 3.450 ms 2.085 ms 2.094 ms


The second option, -n, displays addresses in numerical form rather than using
the symbolic name. This removes the added task from traceroute of having
to resolve each router’s hostname.

12.3 Verify Basic Operations Using the landiag Command
The landiag command, which is available only on HP-UX, provides a quick
and easy way to test and verify basic operations of the local network interfaces
on the system.
To run the command, use the following:
# landiag

As a result, the following output will be displayed:

LOCAL AREA NETWORK ONLINE ADMINISTRATION, Version 1.0
Sat, Feb 9,2002 18:02:05
Copyright 1994 Hewlett Packard Company.
All rights are reserved.
Test Selection mode.
      lan      = LAN Interface Administration
      menu     = Display this menu
      quit     = Terminate the Administration
      terse    = Do not display command menu
      verbose  = Display command menu
Enter command:

A list of menu items is presented to the administrator. To review the additional
features for LAN interfaces, type the lan command and the following will
be shown:
LAN Interface test mode. LAN Interface PPA Number = 0
      clear    = Clear statistics registers
      display  = Display LAN Interface status and statistics registers
      end      = End LAN Interface Administration, return to Test Selection mode
      menu     = Display this menu
      ppa      = PPA Number of the LAN Interface
      quit     = Terminate the Administration, return to shell
      reset    = Reset LAN Interface to execute its selftest
Enter command:

Use the display option to show detailed information about the configuration
and operation state of the system interfaces:
LAN INTERFACE STATUS DISPLAY
Sat, Feb 9,2002 18:02:36
PPA Number                      = 0
Description                     = lan0 Hewlett-Packard 10/100 TX Full-Duplex Manual TT = 1500
Type (value)                    = ethernet-csmacd(6)
MTU Size                        = 1500
Speed                           = 100000000
Station Address                 = 0x306e060662
Administration Status (value)   = up(1)
Operation Status (value)        = up(1)
Last Change                     = 21486
Inbound Octets                  = 3271707541
Inbound Unicast Packets         = 338351587
Inbound Non-Unicast Packets     = 6257857
Inbound Discards                = 0
Inbound Errors                  = 60
Inbound Unknown Protocols       = 256
Outbound Octets                 = 1179449614
Outbound Unicast Packets        = 312586275
Outbound Non-Unicast Packets    = 167
Outbound Discards               = 0
Outbound Errors                 = 0
Outbound Queue Length           = 0
Specific                        = 655367

Press  to continue
Ethernet-like Statistics Group
Index                           = 1
Alignment Errors                = 0
FCS Errors                      = 0
Single Collision Frames         = 0
Multiple Collision Frames       = 0
Deferred Transmissions          = 0
Late Collisions                 = 0
Excessive Collisions            = 0
Internal MAC Transmit Errors    = 0
Carrier Sense Errors            = 0
Frames Too Long                 = 0
Internal MAC Receive Errors     = 0

Due to the length of the output, the administrator is prompted to continue
to display the information. The command output above reveals important
information about the configuration of the interface. For instance, the type of
Ethernet hardware is shown in the description field. Also, important statistics
are shown such as the number of bytes read (Inbound Octets) and written
(Outbound Octets) on the network.


Project 12-1
This project familiarizes you with using tcpdump and traceroute on
your system.

Step-by-Step
1. Use the tcpdump command, configured in nonpromiscuous mode, to
capture all the packets to your system’s Web port 80.
# tcpdump -p port 80

2. Open a Web browser and let it load your default home page.
3. Switch to the tcpdump window and examine its output.
4. In the Web browser, navigate to another Web site such as www.whitehouse.gov
and again examine the output in the tcpdump window.
5. Stop the tcpdump capture with ^c.
6. Perform a traceroute from your system to each of these systems without
converting the addresses to hostnames (the -n option; -d only turns on
socket-level debugging): sans.org and cert.org.
# traceroute -n sans.org
# traceroute -n cert.org

7. Examine the number of hops in the output for each to see which of these
sites your system is more closely connected to on the Internet. Also, compare
them to see if the RTT values for one are significantly slower than the other.
You can use this method to compare other resources—for example, if you
are considering a hosting provider and want to see how well connected you
are to their server compared to another server.


Mastery Check
1. What is the tcpdump command to run in quiet mode capturing 15 packets from
   the ppp0 interface?
2. True or False: By default, nonroot users are not permitted to invoke tcpdump.
3. The __________ command examines and records the path to a specified
   network destination.
4. What is the command to display tcpdump data captured to a file named
   dump-data?
   A. file dump-data
   B. tcpdump -r dump-data
   C. tcpdump -F dump-data
   D. tcpdump -x dump-data
5. Which of the following is not an address primitive for tcpdump filtering?
   A. etheraddr
   B. ipaddr
   C. ethertype
   D. port
6. What is the tcpdump syntax to capture traffic from all hosts on the
   network, except the system called fred?
7. The __________ primitives group operates on packets that use different
   protocols including IP, TCP, FDDI, UDP, and others.
8. What is the command to display the IP path between the local system and
   the destination system called barney?
9. What is the command to display the IP path between the local system and
   the destination system called www.whitehouse.gov using a maximum of 20 hops?
10. In the LAN Interface Test Mode of the HP-UX landiag command, what is the
   command to show detailed information about the configuration and
   operation state of the system interfaces?
   A. display
   B. lan
   C. ppa
   D. interface
11. What tcpdump address primitive filter selects packets that contain all
   1s or Fs in either the source or destination fields?
12. True or False: The only restriction for a traceroute destination is
   that the device must support TCP/IP.

Module 13
Overview of SNMP

Critical Skills
13.1 Discover SNMP Basics
13.2 Uncover MIBs
13.3 Explore SNMP Versions
13.4 Investigate SNMP Master and Subagent

The Simple Network Management Protocol (SNMP) provides the low-level
framework for many network management systems. SNMP is widely
implemented and can be found in a large variety of different networking devices
and systems. Today, SNMP is considered the management protocol of choice
for system administrators, network hardware vendors, network management
vendors, software application developers, and many others that are required to
manage UNIX and other networked systems.
SNMP is popular for several reasons and continues to be enhanced as time
goes on. SNMP is simple to implement compared to other network management
architectures or protocols. The protocol, MIBs, and associated framework can
run on anything from low-end personal computers (PCs) to high-end mainframes,
servers, and network devices such as routers and switches. An SNMP agent does
not need a large memory footprint and does not require significant processing
power. SNMP support can generally be developed very quickly for a target
system, which shortens the time to market for new products and enhancements.
When SNMP was first introduced, other management mechanisms were available,
but SNMP proved more flexible and easier to implement. It is true that SNMP
lacks certain features found in other network management protocols (such as
the OSI management protocol, CMIP), but its simple design, extensibility, and
ease of use minimize any possible drawbacks.
SNMP is free and in the public domain. As a result, no single vendor can
claim ownership of the protocol, nor can it be copy protected by any company
or individual. The only way to influence or change SNMP is to engage in the
standards process of the Internet Engineering Task Force (IETF). The IETF
is one of the standards bodies for the Internet. Vendors may choose to make
proprietary changes to SNMP. Such changes may prove futile, however, because
these vendors must lobby other vendors and users to support their nonstandard
enhancements, which defeats the purpose of having a standard in the first place.
SNMP is well documented (via RFCs, articles, and textbooks) and well
understood in the networking and systems industry. This provides an established
foundation for continued enhancement and adoption. Finally, SNMP can be
used to control a variety of devices. It is even finding its way into nontraditional
equipment such as telephone systems, environmental control equipment, and
just about anything else that can be attached to a network and requires
management or control.

Module 13: Overview of SNMP

13.1 Discover SNMP Basics
SNMP defines the packet format and information exchange between a network
manager and associated agents. At its core, SNMP manipulates objects within
the MIB of the agent and, as a result, can manage a variety of tasks defined
within the agent. The SNMP protocol and related components are described
in a number of RFCs. Any SNMP-compliant agent can communicate with any
network management system that supports SNMP. The management system is
responsible for asking questions of the agents. This is also known as “polling
the agent.” If the agent supports standard MIBs, then the management system
simply requests one or more objects from the agent. If the agent supports
nonstandard MIBs (that is, vendor-specific MIBs), the manager must have
a copy of the agent MIB to correctly interpret the supported agent objects.
One of the reasons SNMP is considered simple is that it provides three
general-purpose operations that can be applied to agent objects. These
operations, or functions, are at the heart of SNMP: set, get, and trap.

● Set   A management system may update or change the value of an object
  contained in an agent. The set operation is a privileged command because,
  for example, it can be used to alter a device configuration or control its
  operating state. In SNMPv1 and SNMPv2c the only thing standing between a
  network user and a set is the community string, which crosses the network
  in cleartext, so write access should be disabled or tightly restricted
  unless SNMPv3 authentication is in use.
● Get   A management system may obtain or read the value of an object
  contained within an agent. The get function is the most common SNMP
  operation because it is the primary mechanism for obtaining management
  information from devices.
● Trap  An agent may send an unsolicited message to a network manager.
  The purpose of the trap service is to notify a network management system
  of a special condition or problem without the management system
  specifically requesting this information.

SNMP defines the relationship and message flow between manager and
agent with respect to communications, as shown in Figure 13-1. As you can
see, in most instances the SNMP manager directs the message exchange with
the agent. This is accomplished via either the get or set function. A management
application requests information; the message is translated to SNMP by the
SNMP layer, passed to the network interface layer, and eventually transmitted
on the network. The agent receives the message at the network interface layer,
passes it to its SNMP layer for translation, and accesses the desired object
information. The reverse process is used when the agent sends the reply to the
manager.
SNMP also provides the ability for the agent to send the manager asynchronous
messages without being polled. This is known as a trap. The trap provides a
convenient and important way for agents to report important information,
special circumstances, or events without being asked.

Figure 13-1  Relationship of SNMP agent and manager
SNMP doesn’t define any additional mechanisms outside of the above-listed
SNMP commands to control or issue commands to device agents. The only actions
that can be applied to MIB objects are to set or get a value. For instance, there
is no reboot function defined in SNMP. Instead, agent software can implement
specific commands by associating MIB objects with the internal commands
supported within the device. To reboot a device, the management station would
alter (via the set operation) a specific MIB object to 1, for example. This would
signal the agent to reboot the device and reset the MIB reboot object to its previous
state. Note that no standard set of interfaces (or MIB objects) are currently available
that can manipulate all aspects of device control. Instead, each vendor is
responsible for providing this access using his or her own collection of MIB objects.


SNMP Applications
There are a number of both commercial and public domain SNMP applications
that are available on many different platforms including UNIX and MS Windows.
Several of the commercial SNMP packages are geared toward providing a host
of SNMP management tools for both small and large network enterprise
environments. For example, HP OpenView provides a wide range of functions
that includes management of hosts, network devices such as switches and
routers, and other devices such as printers. On the public domain side, a large
number of tools are available that address many system and network management
functions. For example, the University of California at Davis (UCD) SNMP
agent is available. The SNMP application tools are described in Module 16.
Many of the UNIX operating system vendors provide one or more SNMP
agents that support both standard and vendor-specific MIBs. For example, on
the Solaris system, the Sun SNMP agent is provided and supports both MIB-II
and the Sun enterprise-specific MIBs. For Linux, the UCD SNMP agent is available
and supports standard MIBs like MIB-II. These SNMP agents are described in
Appendix C.

1-Minute Drill

● What are some advantages of SNMP over other network management protocols?
● What is a disadvantage of SNMP compared to some other network management
  protocols?

SNMP is free and in the public domain. It is simple to implement. It runs on a wide variety of computers,
network devices, and even devices not traditionally associated with computing, such as telephones, that are
now increasingly networked. Its memory and processor requirements are small, and it is easy to develop
applications for SNMP. SNMP is well documented.
Some other network management protocols offer more features than SNMP.

13.2 Uncover MIBs
As previously mentioned, the Management Information Base (MIB) is a
storehouse of information related to configuration, performance, and other
data contained within an agent. MIBs have a common organization and
structure, and may contain a large number of objects separated into groups.
MIB objects are organized in a hierarchical tree in which each branch has a
unique name and numeric identifier. Figure 13-2 shows the standard MIB
organization from the root to additional branches. The branches of the tree
serve as logical groupings of related objects. The leaves, or nodes as they are
often called, represent individual objects. Subtrees are formed by intermediate
branches together with the leaves they connect. Objects within a MIB are
referenced by specifying each numeric identifier starting at the top of the
tree (the root) and proceeding down to the individual leaf, or object. The root
of the tree is commonly written as a "." (dot).

Figure 13-2  MIB organization and structure

Hint

Accessing MIBs is similar to referencing files within the UNIX operating system.
However, one key difference is that UNIX pathnames can be expressed in
absolute or relative terms. MIB objects can only be accessed in an absolute
manner; the relative format is not available.


For example, Figure 13-2 shows root (.) at the topmost position of the
tree and sysDescr(1) as the leaf. The common method of expressing object
identifiers is to use the dotted notation. This notation requires that a dot separate
each branch name or identifier. Often the root is not expressed, as it is implied.
To access the sysDescr(1) object, the fully qualified identifier would be
written as
iso.org.dod.internet.mgmt.mib-2.system.sysDescr

This identifier is read from left to right. Objects can also be expressed in a
short form by substituting the numeric identifier for each branch name. Thus,
iso.org.dod.internet.mgmt.mib-2.system.sysDescr can also be expressed as
1.3.6.1.2.1.1.1. These two expressions are functionally equivalent and
reference the same MIB object. When a manager actually retrieves a scalar
object such as sysDescr, it appends an instance suffix of 0, so the request
names 1.3.6.1.2.1.1.1.0.
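As an added example (not from the book), the following Python builds an SNMPv1 GetRequest for sysDescr.0 by hand, converting the dotted OID into its BER wire form and back. It covers both the get operation from section 13.1 and the numeric OID notation from this section. The community string "public" and request-id 1 are constructed values for illustration; a real manager would send the resulting bytes to UDP port 161 on the agent.

```python
def encode_length(n):
    """BER length: short form below 128, otherwise 0x80|count and the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + encode_length(len(content)) + content

def _base128(value):
    """Sub-identifier encoding: 7 bits per byte, high bit set on all but the last."""
    chunk = bytearray([value & 0x7F])
    value >>= 7
    while value:
        chunk.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(chunk)

def encode_oid(dotted):
    """Dotted OID (with or without a leading '.') to a BER OBJECT IDENTIFIER TLV.
    The first two arcs are combined as 40*X + Y; every sub-identifier is base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return tlv(0x06, b"".join(_base128(s) for s in subids))

def decode_oid(data):
    """Inverse of encode_oid for one complete OID TLV; returns the dotted form."""
    if data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = data[1], 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        pos = 2 + n
    subids, value = [], 0
    for b in data[pos:pos + length]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    x = 2 if first >= 80 else first // 40   # arc 2 may carry Y values above 39
    return ".".join(str(a) for a in [x, first - 40 * x] + subids[1:])

def encode_integer(value):
    """BER INTEGER: two's complement, shortest form that keeps the sign bit right."""
    if value == 0:
        return tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def snmpv1_get_request(community, oids, request_id):
    """A complete SNMPv1 message carrying a GetRequest-PDU (RFC 1157 framing).
    Each variable binding is (OID, NULL); the agent fills the values in."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0,                           # context tag [0] = GetRequest-PDU
              encode_integer(request_id)
              + encode_integer(0)             # error-status: noError
              + encode_integer(0)             # error-index
              + tlv(0x30, varbinds))          # VarBindList
    return tlv(0x30,
               encode_integer(0)              # version 0 = SNMPv1
               + tlv(0x04, community.encode("ascii"))
               + pdu)

# Constructed example: ask an agent for sysDescr.0 with the default community.
SYSDESCR = "1.3.6.1.2.1.1.1.0"
EXAMPLE_REQUEST = snmpv1_get_request("public", [SYSDESCR], 1)

if __name__ == "__main__":
    print(EXAMPLE_REQUEST.hex())
    print(decode_oid(encode_oid(SYSDESCR)))
```

Sent to port 161 (for instance with socket.sendto), the reply comes back in the same framing with PDU tag 0xA2 (GetResponse) and an OCTET STRING where the NULL was. The byte layout also shows why SNMPv1 and v2c are so easy to abuse: the community string is a plain OCTET STRING a few bytes into every message, so anyone who can sniff the segment, or simply guess "public", can read agent objects, and with the write community can set them.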

Hint

The reason to choose one identifier form over the other is a matter of
preference, although the numeric identifier is much more concise. However,
MIB browsers can display MIB objects in either format, thus making it easy to
convert from one format to the other. After using SNMP and MIBs for a short
while, you will become familiar with both methods and have the opportunity
to choose which style is best for you.

By using the structure shown in the figure, an SNMP manager (or MIB
browser tool) can drill down into the MIB in an easy yet concise manner. A
MIB browser is a software application that traverses a MIB tree, usually showing
a graphical display of branches, leaf objects, and associated values. MIB browsers
are great for probing an agent for specific information or learning the structure
and format of new MIBs.

Object Types
Within a MIB, different object types represent data structures or values contained
in an agent. The objects can represent physical agent attributes, configuration
information, or other data. These object types are derived from the Abstract
Syntax Notation One (ASN.1) standard. ASN.1 provides a detailed standard for
the definition and encoding of basic data types in a machine-independent way,
so that they can be transmitted over the network unambiguously.


Ask the Expert
Question Why are machine independence and unambiguous
network transmission important to SNMP or network management?
Answer Because network management must address a heterogeneous
network environment, a standard way must be provided to ensure that
SNMP messages can be transmitted and understood on different systems
and devices. Because various computer platforms store information
differently, ASN.1 provides a common format. For example, one system may
store a multi-byte integer with its most significant byte first, while
another stores the least significant byte first; the BER encoding used by
SNMP fixes the order on the wire. ASN.1 data types are also the types
found in MIBs.
Question Why is it so important to learn the MIB details in
this module?
Answer The sections in the succeeding modules will focus on using
network management tools that manipulate MIB objects. So it seems
reasonable to present the types of objects that might be encountered. It
is important that the reader understands the different types of objects
and why values from these objects are in a certain format or structure.
Of equal importance is the access mode of MIB objects, which is
discussed in the next section, “Sample MIB Object.”
For us to understand network management, we must be able to read and
understand MIB objects. Without a good grasp of MIBs, it will be difficult to
use SNMP tools and software to manage a network effectively.
Two object data type classes are defined using ASN.1:

● Universal types
● Application types

The universal class consists of primitive types that can be used to build
additional data types of objects within a MIB. Table 13-1 lists some of the
available simple data types found in the universal class.

Module 13:

Overview of SNMP

ASN.1 Data Type      Description
INTEGER              A whole number, positive, negative, or zero. ASN.1 itself
                     places no limit on its size; SNMP MIBs use it as a signed
                     32-bit value (Integer32 in SMIv2).
OCTET STRING         Zero or more octets, where each octet may take any value
                     from 0 to 255.
NULL                 A data type that carries no value. SNMP uses it as the
                     placeholder value in the variable bindings of a request.
OBJECT IDENTIFIER    An authoritatively assigned name consisting of a sequence
                     of integers that specifies a path through the MIB tree.
SEQUENCE             An ordered list of zero or more elements that may contain
                     different ASN.1 types.
SEQUENCE OF          An ordered list of zero or more elements of the same ASN.1
                     type.

Table 13-1  SNMP Universal Data Types

SNMP derives some application data types from the universal class
type. These application types define additional sub-types that can be used to
represent specific values customized for use within the network management
environment. Table 13-2 describes some of the application data types presently
available in the application class.
ASN.1 Data Type      Description
Counter, Counter32   A non-negative integer that only increases until it reaches
                     its maximum value and then wraps to zero. A counter is a
                     32-bit value between 0 and 4294967295. A counter has no
                     defined starting value, so only the difference between two
                     readings is meaningful.
Counter64            Just like a Counter32 except that it can take a value
                     between 0 and 18446744073709551615. It is defined by SMIv2
                     and therefore only available over SNMPv2c and SNMPv3.
DisplayString        An OCTET STRING restricted to printable ASCII characters
                     and at most 255 octets; used for human-readable text such
                     as sysDescr.
Gauge, Gauge32       A non-negative integer that may increase or decrease but
                     latches at its maximum value (4294967295) rather than
                     wrapping. A gauge is like a counter in every other aspect.
IpAddress            An OCTET STRING with a length of exactly 4 octets (32
                     bits), each octet holding one byte of an IPv4 address in
                     network byte order.
Opaque               A data type that provides the ability to pass arbitrary
                     information, carried inside an OCTET STRING.
NetworkAddress       Represents an address from one of several network
                     protocol address families. Presently, the only choice
                     defined is IpAddress.
TimeTicks            A non-negative integer that counts time in hundredths of a
                     second since some established epoch (for sysUpTime, the
                     moment the agent was last re-initialized). TimeTicks is
                     like a counter in every other aspect, including wrapping
                     at 4294967295 (about 497 days).

Table 13-2  SNMP Application Data Types

Sample MIB Object
MIB objects are important components of network management, and some of
the modules in this book specifically describe MIB definitions as they relate to
system agents and network management tools. Therefore, when discussing
MIBs, the common format shown below will be used:
● Object Name  sysDescr
● OID  system.1
● Object Type  OCTET STRING (DisplayString)
● Access Mode  read-only
● Status  current
● Description  A description of the agent device or entity. This value should
  include the full name, identification of the system, hardware type, operating
  system, and network software. It is mandatory that this object type contain
  only printable ASCII characters. A sample of this object includes the following
  obtained for a Solaris system: Sun SNMP Agent.

This format includes the object name, OID string, object type, access mode,
status, and description. The object name is the name used when querying an
agent for this particular object. In this example, the sysDescr object is a
string that contains a general description of the device or agent contained
within the device. The object identifier string, or OID string, shows which
group the object is contained in and its logical position in that MIB hierarchy.


In this case, it is the first object in the system group. This group can be found
within the standard MIB-II definition.
The object type is OCTET STRING (MIB-II declares it with the DisplayString
sub-type) and can be as long as 255 characters. Recall that Tables 13-1 and
13-2 list the definitions of these ASN.1 types. The access
mode indicates how the manager or other tools may manipulate the object.

Hint

It is very common for those new to SNMP to attempt to alter nonwritable
objects. In this case, attempting to alter the sysDescr object will cause the
agent to respond with an error: notWritable from an SNMPv2 agent, or the less
specific noSuchName from an SNMPv1 agent.

The status field indicates the current status of the object, for example,
current or historic. The current status means that the object is presently
available within the agent as described within the MIB. That is, if the MIB
represents that agent, then all objects labeled as current will be implemented
within that agent. Other values can also be used to indicate additional states of
the objects. For example, the obsolete reference indicates that the object is
no longer supported within the MIB. The deprecated reference can be used
to aid interoperability with older versions or implementations of the agent.
The description field provides an overview of the object, purpose, and a
sample value if appropriate. In the above example, when the sysDescr object
is queried, it returns the agent operating system (for example, Solaris), the
hostname the agent resides within (socrates), operating system version
information, and date information.
Another way this book describes MIBs is with a hierarchical graph showing
each of the objects laid out in a tree structure. Figure 13-3 shows the general
format that represents a MIB tree. In particular, it shows the MIB-II objects
found under the system group. As you can see, the formatting includes the
use of closed circles and closed squares. The squares represent
discrete objects such as INTEGER and OCTET STRING, but not tables or
other groups of objects. The circles represent groups of objects or tables.
Also, gray lines and objects that are peripheral further indicate the structure
needed to navigate to the group in question. These objects and associated lines
that are of interest are drawn in black. Included with these objects is the member
index (in parentheses) that shows the relative position of each object within
the tree structure. Thus, sysContact(4) is the fourth object within the
system group.


Figure 13-3

General MIB format

SNMP Tables
As noted above, a MIB may contain objects that represent physical characteristics
of a device or other information contained within an agent. These objects can
either be in the form of discrete elements (i.e., individual objects like sysDescr)
or, in some cases, two-dimensional tables. Tables store related information that
might contain several instances or copies of a MIB object. The best way to
illustrate the use of a table is by examining a table within an actual MIB.
Defined in the MIB-II standard is the interfaces group, which has the object
identifier 1.3.6.1.2.1.2 or iso.org.dod.internet.mgmt
.mib-2.interfaces. Objects within this group represent physical network
interfaces and related information installed within a networking device.
Performance-related information is also collected and stored within this group.
For each interface within a network device, the following information is used
to describe the characteristics of the interface and associated configuration:

● Description  General description of the interface
● Type  The type of interface, such as Ethernet or token ring
● Mtu  The maximum transmission unit, the largest packet the interface can
  send or receive
● Speed  The transmission speed of the interface, in bits per second
● Physical address  The data link protocol or hardware address
● Administration status  The desired (configured) state of the interface
● Operational status  The actual operating state of the interface
● Last change  The value of sysUpTime when the interface entered its current
  operational state

Additional objects within the table store the following performance-monitoring
information:

● Number of octets (bytes) received or sent (ifInOctets, ifOutOctets)
● Number of unicast packets delivered to or sent from higher-level software
  (ifInUcastPkts, ifOutUcastPkts)
● Number of non-unicast packets delivered to or sent from higher-level software
  (ifInNUcastPkts, ifOutNUcastPkts)
● Number of inbound/outbound packets discarded even though no error was
  detected, for example for lack of buffer space (ifInDiscards, ifOutDiscards)
● Number of inbound/outbound packets containing errors (ifInErrors, ifOutErrors)
● Number of inbound packets discarded because of an unknown or unsupported
  protocol (ifInUnknownProtos)
● Length of the output packet queue (ifOutQLen)

Figure 13-4 shows the structure of the interface group. Tables are used
to contain interface information because networking devices can contain more
than one interface. For example, a router or switch device can contain literally
dozens of interfaces, often supporting different network protocols such as Ethernet,
ATM, or FDDI. Using a table provides a straightforward and convenient way to
access individual objects within a given interface definition.
The interface group includes the ifNumber object, which contains
the total number of network interfaces within the networking device. Using the
sample data contained in Table 13-3, the ifNumber value would be 2. In this
case, the device reports two interfaces: one defined as a pseudointerface and the
other defined as an Ethernet. It is common for networking UNIX systems to
contain a pseudointerface for internal diagnostic purposes.
The rest of the interface group consists of a table called ifTable,
which contains a row for each interface defined within the device. This table is
indexed by ifIndex, which holds a value between 1 and the value of
ifNumber. The ifIndex value uniquely identifies the row of the table that
represents one interface; it is appended to each column's OID to form the
instance identifier of that interface's value.

Figure 13-4

Interface group from MIB-II
Table 13-3 shows the entire interface group in the first column
and associated values taken from an actual network device in the remaining
columns. Each row corresponds to one of the MIB objects contained
within ifEntry, and each of the remaining columns is one ifEntry instance,
that is, one interface. An instance OID is formed by appending the column
number of the object within ifEntry and then the ifIndex of the row. To access
the object ifDescr (column 2) for the first interface, one would use the
following object identifier (OID)

1.3.6.1.2.1.2.2.1.2.1

or

iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr.1

(The shorter OID 1.3.6.1.2.1.2.2.1.1 names the ifIndex column as a whole and,
having no instance suffix, carries no value of its own.)

MIB Object          ifEntry instance 1     ifEntry instance 2
                    (ifIndex = 1)          (ifIndex = 2)
ifIndex             1                      2
ifDescr             Pseudo Interface       Ethernet
ifType              1                      6
ifMtu               1500                   1500
ifSpeed             10000000               10000000
ifPhysAddress       None                   0x00040010ee5d
ifAdminStatus       1                      1
ifOperStatus        1                      1
ifLastChange        0                      0
ifInOctets          0                      42617
ifInUcastPkts       445                    680
ifInNUcastPkts      0                      19
ifInDiscards        0                      0
ifInErrors          0                      5
ifInUnknownProtos   0                      0
ifOutOctets         0                      42600
ifOutUcastPkts      445                    570
ifOutNUcastPkts     0                      94
ifOutDiscards       0                      0
ifOutErrors         0                      87
ifOutQLen           0                      0
ifSpecific          null                   null

Table 13-3  Interface Group Instance Table

The ifDescr object provides a general description of the interface.
The objects from ifInOctets to ifOutQLen represent traffic
counters for device interfaces and can be used to measure network and system
performance.


Accessing Objects
MIB objects are defined with access control information that specifies what
kind of operation can be performed on the object. SNMP includes the following
access control information (the MAX-ACCESS clause of an object definition)
for MIB objects:

● not-accessible
● accessible-for-notify
● read-only
● read-write
● read-create

Not-accessible objects are structural nodes rather than values that an SNMP
manager can read or write: a table, its conceptual-row entry, and index
columns that are used only as part of the instance identifier. The table data
structure is a good example: the ifTable and ifEntry objects describe the shape
of the table, but a manager can only retrieve the individual column instances
within it.
Accessible-for-notify objects are only available via a notification (a trap or
inform) to a network manager or another agent. No direct polling of the object
is permitted.
Read-only objects cannot be altered by the network management system, but
their values may be obtained via a get operation or delivered in a trap.
Read-write access is necessary when a particular object must be altered
to accomplish some specific goal or must be configured in a certain way. For
example, it might be necessary to disable a router port due to a large number of
errors detected on one of its interfaces. In this case, the network management
system sets the interface's ifAdminStatus object to down(2); the read-only
ifOperStatus object then reflects the result. This shuts down the physical
connection until the cause of the errors is determined.
Read-create objects can be read and written like read-write objects and,
in addition, can be created by the manager. Such objects are the columns of
tables whose rows (also called conceptual rows) may be created on the fly.


Standard and Private MIBs
As previously mentioned, MIBs are organized under a hierarchical tree structure,
and a number of standard MIBs have been developed and placed under the


mgmt(2) branch. Many of these MIBs were developed via the RFC process.
Many different individuals or vendors assisted with their development but don’t
actually own them, nor can they arbitrarily make changes to them. However,
many vendors and third-party software developers have developed additional
MIBs to address specific functionality or services for their particular products.
Many of these MIBs, known as enterprise MIBs, start under the private(4)
branch of the standard MIB tree. Figure 13-5 shows several popular MIBs that
can be found under this branch.
The Internet Assigned Numbers Authority (IANA; www.iana.org) maintains
a list of assigned enterprise numbers. Those wishing to obtain a number make a
request to this organization and obtain a valid number. Table 13-4 shows a small
sample of the numbers that have already been assigned.

SNMP Communities
Typically, a network management system will be deployed in a large network
environment that contains a collection of many different groups of networks
and devices. Thus, it is reasonable for an enterprise network to be divided into

Figure 13-5

Enterprise tree from private branch


Number      Vendor
2           IBM
9           Cisco Systems
11          Hewlett-Packard
42          Sun Microsystems
43          3Com Corporation
52          Cabletron Systems
1588        Brocade Communications Systems
1598        Tivoli Systems
1751/3729   Lucent Technologies
4475        Rainbow Software Solutions

Table 13-4  Assigned Enterprise MIB Numbers

zones or communities of users in order to partition responsibility. As a result,
a community name can be assigned to a class of devices and provide an
administrative boundary that helps to implement the desired communities or
zones. SNMP supports this kind of model based on community string information,
which is configured on each device within the selected community. Some
practical examples include selecting a community that represents all the Cisco
backbone routers or selecting another community that includes devices in just
the sales department.
The community-based authentication model of SNMPv1 and SNMPv2c is considered
very weak and poses a significant security problem. The major reason is that
these versions provide no encryption or integrity protection: the community
string travels in cleartext in every message, so it can simply be copied from
the network during an SNMP packet exchange. Using a packet capture tool, the
entire SNMP packet can be decoded, revealing the community name, and anyone
who learns a read-write community can reconfigure the device. As a result of
this limitation, many sites disable set operations on most of their agent
devices, replace the well-known default communities (public and private) with
unguessable read-only ones, and configure agents to accept requests only from
the management station's addresses. Disabling sets has the unfortunate side
effect of limiting SNMP's usefulness because it can then only monitor object
values and not alter them; SNMPv3, discussed in the next section, addresses
the problem with per-user authentication and encryption.

13.3 Explore SNMP Versions
SNMP became generally available in 1988. Since then, it has seen widespread
use and been implemented in virtually all local area networking (LAN) devices


Ask the Expert
Question

Why would a change to an MIB object be prohibited?

Answer Certain MIB information will never change during the life
of a product. For example, the MIB object sysDescr, which stands
for system description, contains vendor information for the agent. An
SNMP manager should not modify this information because it would
disassociate the device with the actual product vendor, thus making
agent identification difficult. Also, it can adversely affect the accuracy
of any software-based network inventory mechanisms. Another reason
to make objects read-only is to ensure that performance information
or other statistical data remains accurate rather than getting altered
unintentionally.
Read-write access is necessary when a particular object must be
altered to accomplish some specific goal or must be configured in a
certain way. For example, it might be necessary to disable a router port
due to a large number of errors detected on one of its interfaces. In this
case, the network management system sets the interface's ifAdminStatus
object to down(2); the agent then reports the result in the read-only
ifOperStatus object. This shuts down the physical connection until the
cause of the errors is determined.
Question

Why develop enterprise MIBs?

Answer Many vendors do so because they may need specific objects
for their devices that may not be defined or available within the standard
MIBs. Also, vendor-specific MIBs don’t need to become standards, since
only that vendor and their customers actually need to use the MIBs. It
only makes sense to develop standard MIBs when many vendors can
implement the same collection of MIBs across a large number of
different devices.

and on many computer operating systems. This popular version, known as
SNMPv1, accounts for a significant portion of the installed base of agents today.
Despite its popularity, SNMPv1 has several fundamental problems. First, because
it lacks a robust security mechanism, it can’t be used to its full potential.


As a result, many vendors limit the set operations on agents to minimize
the potential risk of a security breach. Second, SNMPv1 doesn't optimize the
processing of large amounts of information, thus further restricting the use of
SNMP. Third, SNMPv1's relationship between network manager and agent is
rigidly defined: agents play only a single, simplistic role of accepting commands
from management systems. This significantly limits SNMPv1 when smart
agents are needed to address specific requirements for distributed network
management functions. SNMPv1 is also used with a collection of MIB objects
known as MIB-II (RFC 1213). The goal of MIB-II was to provide a collection of
objects that all SNMP agents can support, regardless of which vendor
implemented the agent.
To summarize, SNMPv1 provides

● Basic network management framework
● Definition of the MIB-II standard
● Descriptions of the Protocol Data Units (PDUs), which include
  GetRequest, GetNextRequest, SetRequest, GetResponse, and Trap
● Description of ASN.1 encoding language

To address some of the deficiencies in SNMPv1, a significant amount of
effort has been made over the past few years to enhance SNMP. The first series
of improvements came in 1993 when a series of 12 RFCs (1441–1452) was
introduced, proposing to add PDUs and enhancements to the SNMP architecture
and security model. This collection of RFCs was known as SNMPv2 Classic. At
that time, many users of SNMP were anticipating these improvements and planned
to implement the new version as soon as it became available.
Unfortunately, there was still much debate about SNMPv2 security and
remote configuration. When it became apparent that not all the original SNMPv2
proposals were going to be widely adopted, additional work was done to define
SNMP security and remote configuration management components. This led to
additional proposals that included a new protocol and new MIB structure elements
(documented in RFCs 1901–1908). These proposals were more popular than
SNMPv2 Classic and became known as community-based SNMPv2 or SNMPv2c.
The problem with SNMPv2c was that, though it was endorsed by the IETF, it
lacked robust security and administration facilities.
Additional work on the security and remote management capabilities of SNMPv2
resulted in proposals known as SNMPv2u (often called SNMPv2usec, after its
user-based security model), documented in RFCs 1909–1910, and SNMPv2*, which
was never published as an RFC. SNMPv2u recommends a robust security model and
administrative framework. One of the problems with SNMPv2u is that it was
published only as Experimental and never endorsed by the IETF as a standard.
The major functions of SNMPv2 include
● Expanded data types, such as 64-bit counters
● Improved performance and efficiency with the get-bulk PDU
● Event notification with the inform PDU
● Better error handling
● More efficient row creation and deletion

Finally, in an attempt to reach some agreement between the various remote
management and security proposals, another series of RFCs was written, which
later became known as SNMPv3. These RFCs (2271–2275) were put forth by the
IETF as Proposed Standards, which means that they were available to the
general public for review and discussion; they were later revised as RFCs
2571–2575 and then RFCs 3411–3418. SNMPv3 is SNMPv2c plus provisions for
robust security and administration; it draws upon the SNMPv2c RFCs
(1902–1908). At a high level, the SNMPv3 proposal attempts to

● Put forth a User-based Security Model (USM) that authenticates each message
  with a keyed hash (HMAC-MD5 or HMAC-SHA), rejects replayed or stale messages
  with timeliness checks, and optionally encrypts the PDU (CBC-DES)
● Define a View-based Access Control Model (VACM) that limits which MIB
  objects each user may read or write
● Redefine some of the SNMP concepts and terms
SNMPv3 has enjoyed a certain level of success in the industry at this point,
but the protocols are still quite new. Major networking hardware and software
companies already support SNMPv3. However, SNMPv3 has yet to be deployed
widely within the industry; this is perhaps just a matter of time. One of the
major delays for adoption of this new protocol is the cost-to-benefit ratio.
For those sites that require better security today, they can upgrade to the new
protocols as vendors make their implementation available. However, it may not
be justifiable for everyone to upgrade all existing equipment to support SNMPv3.
The most likely approach will be to migrate slowly over time as newer products
that contain SNMPv3 support are deployed. Eventually, new products will replace
the older ones, and deploying the new management protocols will simply be
a matter of configuration.


SNMP Protocol Operation
An SNMPv1 message contains three major components: a version field, a
community field, and an SNMP protocol data unit (PDU) field. Unlike protocols
with fixed-layout headers, SNMP messages have no fixed length: every field is
an ASN.1 value encoded with the Basic Encoding Rules (BER) as a tag, a length,
and the contents, so a message is parsed by walking those tag-length-value
triples. Figure 13-6 shows this basic SNMP packet structure
and a description of the fields (and sizes) follows.
The format includes field names, shown in bold text, and formatting labels
(type), as shown on the top in gray text. The type shows the basic format for
each of the fields. For instance, the version information is an INTEGER object.
The field names are defined as follows:

● version  This field indicates which version of the SNMP protocol is being
  used (the encoded value is 0 for SNMPv1 and 1 for SNMPv2c). Presently,
  version 1 is the most widely implemented and supported SNMP protocol.
● community name  The community is used as the primary security
  mechanism to authenticate a network manager to agents. The community name
  or string is used as a password for access to objects, on the assumption
  that only the network manager knows the agent's community string. If the
  agent has been configured to emit traps, an authenticationFailure trap is
  generated when a network manager queries an agent with an invalid community
  string.
● protocol data units  SNMPv1 PDUs can be one of five different types and
  consist of request and response components. They include
  ● GetRequest
  ● GetNextRequest
  ● SetRequest
  ● GetResponse
  ● Trap

Figure 13-6

SNMP master/subagent diagram


SNMPv2 defines these additional PDUs:

● GetBulkRequest
● InformRequest
● SNMPv2-Trap (a trap carried in the same PDU format as the other operations)
● Report

Each of the GetRequest, GetNextRequest, and SetRequest components
elicits from the responding agent a GetResponse (called simply Response in
SNMPv2) that might contain valid data or an error status.

GetRequest
The GetRequest PDU is issued by an SNMP manager or application to obtain one
or more MIB objects from an SNMP agent. The fields for this packet type include
● pdu type  Indicates the PDU type is a GetRequest.
● request-id  Unique identifier that permits the SNMP manager to match
  paired requests and responses. It also aids in detecting duplicate messages
  that may be received when using an unreliable transport service (SNMP
  normally runs over UDP, with agents listening on port 161).
● error-status and error-index  Present in every PDU of this format; both
  are zero in a request and are only meaningful in the response.
● variable-bindings  A list of requested MIB objects, each paired with a NULL
  value that the agent fills in.

The GetRequest operation is the primary way to obtain information from
agents when the objects in question are known beforehand. For example, should
the network manager decide to retrieve sysDescr and sysUpTime objects
from an agent, we can think of the request as simply a function to include
GetRequest (sysDescr, sysUpTime)

In this case, both of these objects are placed within the variable-binding
field when sent. The sysDescr object represents a string that contains a
general description of the agent, and sysUptime reflects the amount of time
that an agent has been running.
When the agent receives the above message and no errors have occurred, it
will respond with the values of the MIB objects requested via a GetResponse
PDU. In SNMPv1 the GetRequest operation is atomic: either all the values
requested are returned or no values are returned. When the receiving entity
responds to the GetRequest, it includes the values in the GetResponse
variable-binding field. If, for some reason, at least one of the values cannot
be supplied, no values are provided, and the error-index identifies the
binding that failed. (SNMPv2 relaxes this: the response carries a
noSuchObject or noSuchInstance exception for the failing binding and still
returns the others.)
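The message structure just described, as an added example that is not from the book: a small Python encoder builds the GetRequest(sysDescr, sysUpTime) message byte by byte with ASN.1 BER (version 0, community, and a GetRequest PDU holding request-id, error-status, error-index and the variable bindings), and a decoder then reads the version, community and requested OIDs straight back out of the bytes, which is exactly what a packet capture on UDP port 161 sees. The community string and request-id are constructed sample values.

```python
# Added example (not from the book): hand-rolled BER encoder/decoder for an
# SNMPv1 GetRequest, plus a passive "sniffer" that pulls the community string
# back out of the bytes. Python 3 standard library only; all data constructed.

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE = 0x30          # universal, constructed
TAG_GET_REQUEST = 0xA0       # context-specific, constructed, tag 0 (RFC 1157)
TAG_GET_RESPONSE = 0xA2


def ber_length(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def enc_integer(value):
    """Two's-complement INTEGER using the fewest octets that hold the value."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def enc_octet_string(s):
    return tlv(TAG_OCTET_STRING, s if isinstance(s, bytes) else s.encode())


def enc_oid(dotted):
    """OBJECT IDENTIFIER: the first two arcs share one octet (40*a + b); every
    later arc is base-128 with the high bit set on all but its last octet."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_get_request(community, oids, request_id=1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }
    GetRequest-PDU ::= [0] { request-id, error-status, error-index, VarBindList }
    Every VarBind in a request carries NULL as its value."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, enc_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(TAG_GET_REQUEST, enc_integer(request_id) + enc_integer(0)
              + enc_integer(0) + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, enc_integer(0) + enc_octet_string(community) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, contents, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0   # correct for iso(1).* OIDs
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def sniff_message(packet):
    """What anyone on the wire can read from an SNMPv1/v2c message: the
    community string is plain text, which is why read-write communities leak."""
    _, msg, _ = read_tlv(packet)
    _, version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)            # error-status (0 in a request)
    _, _, pos = read_tlv(pdu, pos)            # error-index  (0 in a request)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        _, oid, _ = read_tlv(varbind)
        oids.append(dec_oid(oid))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    # GetRequest(sysDescr.0, sysUpTime.0) with the all-too-common community "public"
    pkt = build_get_request("public", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"], 42)
    print(pkt.hex())
    print(sniff_message(pkt))
```

Feeding the bytes produced by build_get_request into a socket bound to UDP port 161 of a real agent would elicit a GetResponse, and the same read_tlv walk decodes it; the point of sniff_message is that no key material is needed to do so, which is the weakness the SNMP Communities section describes.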


If the values requested from a manager cannot be returned by the agent, the
agent will respond with an error. For example, the management system might
have requested an MIB object that isn’t implemented in the agent. In this case,
the agent can’t possibly satisfy the request, and thus an error is returned. Also,
in certain situations, returning the value of a requested object fails because it
might be too large to be processed by the manager.
The variable-bindings field includes a list of objects for which values are
requested. When the agent responds via GetResponse, the variable binding
includes the requested objects and associated values. Given the example above,
the following GetResponse would be sent by the agent:
GetResponse(sysDescr="3Com Enterprise Monitor", sysUpTime=0000154477)

In this example, the agent is a 3Com enterprise RMON monitor (or network
probe), as indicated by the sysDescr field. This device collects network
performance and packet contents information for later analysis and reporting.
The sysUpTime object contains the amount of time the agent has been up and
running, in hundredths of a second (TimeTicks). The value shown in the example,
154477 ticks, is 1544.77 seconds, so the device had been running for
approximately 25 minutes and 45 seconds.
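An added example, not from the book, of the arithmetic behind the Counter, Gauge and TimeTicks types of Table 13-2 and the sysUpTime value just shown: a poller must allow for a wrapped Counter32 when it turns two ifInOctets readings into a traffic rate, needs to know how often it must poll before a counter can wrap twice, and converts TimeTicks into readable uptime. All sample values are constructed.

```python
# Added example (not from the book): arithmetic a poller needs for the
# application types in Table 13-2 and for the sysUpTime value above.
# Counter objects only increase and wrap to zero at their maximum; a Gauge
# latches at its maximum; TimeTicks count hundredths of a second.

COUNTER32_MAX = 2 ** 32 - 1
COUNTER64_MAX = 2 ** 64 - 1


def counter_delta(previous, current, bits=32):
    """Units accumulated between two polls of a Counter32/Counter64 object.
    A current value below the previous one is taken as exactly one wrap;
    two wraps between polls are undetectable, so poll often enough (see
    max_poll_interval)."""
    modulus = 1 << bits
    if not (0 <= previous < modulus and 0 <= current < modulus):
        raise ValueError("value out of range for a %d-bit counter" % bits)
    return (current - previous) % modulus


def rate_bps(prev_octets, cur_octets, interval_s, bits=32):
    """Bits per second from two ifInOctets/ifOutOctets samples."""
    return counter_delta(prev_octets, cur_octets, bits) * 8 / interval_s


def max_poll_interval(link_bps, bits=32):
    """Seconds a counter of this width takes to wrap once at full line rate;
    polling less often than this silently under-reports traffic."""
    return (1 << bits) * 8 / link_bps


def gauge_check(value, maximum=COUNTER32_MAX):
    """A Gauge may rise or fall but latches at its maximum; a latched reading
    means 'at least this much', not an exact value. Returns (value, latched)."""
    if not 0 <= value <= maximum:
        raise ValueError("gauge out of range")
    return value, value == maximum


def timeticks_to_str(ticks):
    """TimeTicks -> 'D days, HH:MM:SS.hh'. sysUpTime counts from the agent's
    last re-initialization; a Trap time-stamp uses the same unit."""
    seconds, hundredths = divmod(ticks, 100)
    days, seconds = divmod(seconds, 86400)
    hours, seconds = divmod(seconds, 3600)
    minutes, seconds = divmod(seconds, 60)
    return "%d days, %02d:%02d:%02d.%02d" % (days, hours, minutes, seconds, hundredths)


if __name__ == "__main__":
    print(timeticks_to_str(154477))             # the GetResponse above
    print(counter_delta(4294967000, 200))       # ifInOctets wrapped between polls
    print("%.1f s" % max_poll_interval(1e9))    # Counter32 on gigabit Ethernet
    print("%.1f s" % max_poll_interval(1e9, 64))  # why Counter64 exists
```

A Counter32 on a fully loaded gigabit link wraps in about 34 seconds, which is why the ifHCInOctets/ifHCOutOctets Counter64 objects of the newer interfaces MIB, and therefore SNMPv2c or SNMPv3, are needed on fast links polled at ordinary intervals.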

GetNextRequest
The GetNextRequest PDU is similar to the GetRequest PDU, and the packet
formats are identical. However, the GetNextRequest PDU has one difference: it
is used to retrieve objects when the structure of the MIB tree is unknown. The
GetNextRequest can be a great asset when it is used to discover the exact MIB
structure of an agent. Why would an agent's MIB structure be unknown to an
SNMP manager? SNMP provides no direct way to determine which MIBs or
MIB structures are supported within an agent. Vendors are, of course, free
to implement whichever MIBs their devices need. Therefore, the network
manager must discover the supported MIBs by walking the MIB tree in an
automated fashion. When a GetNextRequest is sent with a particular OID, the
GetResponse returns the name and value of the instance that lexicographically
follows that OID in the agent's MIB, not the value of the OID named in the
request. As a result, each GetNextRequest reveals the next object within the
MIB without the manager knowing in advance what the next object will be, and a
manager can walk a whole subtree by feeding each returned OID into the next
request until the response leaves the subtree. This is also how table rows are
retrieved when the index values are unknown: the walk proceeds column by
column, returning every instance of one column before moving to the next.
Because the manager does not need to know object names or instance indexes
beforehand, GetNextRequest is the mechanism behind the "MIB walk" operation of
most management tools.


SetRequest
The SetRequest operation is used to alter agent information, that is, the
value of one or more MIB objects. The packet format is the same as GetRequest
and GetNextRequest; only the PDU type differs. As mentioned before, the
SetRequest requires write privileges, which are presently mapped via the
community string for the SNMPv1 protocol. Therefore, the agent must validate
the community string provided with the SetRequest before the operation is
permitted. The SetRequest is also atomic; either all the values are altered or
none is. If the SetRequest is successful, a GetResponse is returned and the
variable-binding list contains the objects with their new values. This is how
the network manager can determine that the set operation was successful. If
the SetRequest was unsuccessful, an error is returned in the GetResponse with
error-index pointing at the offending binding, and no object is changed.
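The GetNextRequest walk and the atomic SetRequest described above, as an added example that is not from the book: a small in-memory model of an agent's MIB instances (a few system-group objects and two ifTable rows loosely modelled on Table 13-3, all constructed) shows what each GetNext returns, how a walk traverses a table column by column, how GetBulkRequest batches the same work, and how a set against a read-only object such as sysDescr fails with notWritable without touching the other bindings (the error the Hint in the Sample MIB Object section warns about).

```python
# Added example (not from the book): an in-memory model of an agent's MIB
# instances, showing what GetNextRequest returns, how a manager walks a
# subtree and a table without knowing its indexes, and how an atomic
# SetRequest is checked against each object's access mode. Values constructed.
from bisect import bisect_right

SYSTEM = (1, 3, 6, 1, 2, 1, 1)              # mib-2.system
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)      # mib-2.interfaces.ifTable.ifEntry


def oid(dotted):
    return tuple(int(a) for a in dotted.split("."))


def oid_str(arcs):
    return ".".join(map(str, arcs))


# ifEntry columns used here: 1 ifIndex, 2 ifDescr, 3 ifType, 4 ifMtu,
# 7 ifAdminStatus (the only read-write one), 8 ifOperStatus, 10 ifInOctets
IF_COLUMN_ACCESS = {1: "read-only", 2: "read-only", 3: "read-only", 4: "read-only",
                    7: "read-write", 8: "read-only", 10: "read-only"}
IF_ROWS = {  # ifIndex -> (ifDescr, ifType, ifMtu, ifAdminStatus, ifOperStatus, ifInOctets)
    1: ("Pseudo Interface", 1, 1500, 1, 1, 0),
    2: ("Ethernet", 6, 1500, 1, 1, 42617),
}


def build_agent():
    """OID tuple -> (access mode, value) for every instance the agent holds."""
    agent = {
        SYSTEM + (1, 0): ("read-only", "Sun SNMP Agent"),   # sysDescr.0
        SYSTEM + (3, 0): ("read-only", 154477),             # sysUpTime.0
        SYSTEM + (4, 0): ("read-write", "root@socrates"),   # sysContact.0
        SYSTEM + (5, 0): ("read-write", "socrates"),        # sysName.0
    }
    for index, row in IF_ROWS.items():
        values = dict(zip((2, 3, 4, 7, 8, 10), row))
        values[1] = index
        for column, access in IF_COLUMN_ACCESS.items():
            agent[IF_ENTRY + (column, index)] = (access, values[column])
    return agent


def get_next(agent, start):
    """GetNextRequest: the instance whose OID sorts first after `start`.
    Python tuple comparison is exactly SNMP's lexicographic OID order
    (a prefix sorts before anything that extends it)."""
    keys = sorted(agent)
    i = bisect_right(keys, start)
    if i == len(keys):
        return None                       # endOfMibView, in SNMPv2 terms
    return keys[i], agent[keys[i]][1]


def walk(agent, subtree):
    """Repeated GetNext from the subtree root, stopping when the returned OID
    is no longer under it. For a table this yields column 1 for every row,
    then column 2 for every row, and so on."""
    rows, cur = [], subtree
    while True:
        nxt = get_next(agent, cur)
        if nxt is None or nxt[0][:len(subtree)] != subtree:
            return rows
        rows.append((oid_str(nxt[0]), nxt[1]))
        cur = nxt[0]


def get_bulk(agent, start, max_repetitions):
    """SNMPv2 GetBulkRequest with one repeater: up to max_repetitions
    successive instances in a single response."""
    out, cur = [], start
    for _ in range(max_repetitions):
        nxt = get_next(agent, cur)
        if nxt is None:
            break
        out.append((oid_str(nxt[0]), nxt[1]))
        cur = nxt[0]
    return out


def set_request(agent, bindings):
    """SetRequest is atomic: every binding is validated before any is applied.
    Returns (error-status, error-index), error-index being 1-based as in the
    PDU. Error names follow SNMPv2; an SNMPv1 agent reports both as noSuchName."""
    for i, (name, _) in enumerate(bindings, 1):
        entry = agent.get(oid(name))
        if entry is None:
            return "noCreation", i
        if entry[0] != "read-write":
            return "notWritable", i
    for name, value in bindings:
        agent[oid(name)] = ("read-write", value)
    return "noError", 0


if __name__ == "__main__":
    agent = build_agent()
    for name, value in walk(agent, IF_ENTRY)[:4]:   # ifIndex.1, ifIndex.2, ifDescr.1, ifDescr.2
        print(name, value)
    print(set_request(agent, [("1.3.6.1.2.1.1.1.0", "edited")]))   # ('notWritable', 1)
    print(set_request(agent, [("1.3.6.1.2.1.2.2.1.7.2", 2)]))      # shut interface 2: ('noError', 0)
```

The model leaves out what a real agent adds in front of these checks: the community (or SNMPv3 user) must first be authorized for write access, and with VACM the object must also lie inside that user's write view, so a correct community string alone does not make a read-write object settable.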

GetResponse
Each of the SNMP request operations, with the exception of the Trap, elicits a
GetResponse PDU from the agent. The GetResponse packet includes the following
fields:

● pdu type  Indicates the PDU type, which is GetResponse.
● request-id  Unique identifier that permits the pairing of requests
  and responses; the agent copies it from the request.
● error-status  Indicates whether an exception condition occurred while
  processing the request (0, noError, when the request succeeded).
● error-index  When an error occurs, indicates which object variable in
  the variable-binding list caused the error, counting from 1.
● variable-bindings  A list of MIB objects that are involved in the operation.

Trap
A Trap is an unsolicited message from an agent directed to a network management
station that represents a significant event or condition for which notification
to the manager is considered necessary. This type of communication from the
agent is asynchronous as compared to the polling from the manager. The Trap
PDU is quite different from that of the other PDUs defined in SNMP. Unlike the


other SNMP PDUs, a Trap does not warrant a response from the receiving network
management station. The fields of a Trap include

● PDU type  Indicates that the PDU type is a Trap.
● Enterprise  Contains the MIB object sysObjectID of the sending
  agent. The sysObjectID object identifies the vendor (and product) of the
  agent that sent the Trap.
● Agent-address  Represents the IP address of the sending agent. Because a
  Trap is an unauthenticated UDP datagram and this field is filled in by the
  sender, neither it nor the packet's source address should be trusted on its
  own.
● Generic-trap  One of the predefined Trap values listed in Table 13-5.
● Specific-trap  More detailed information about the Trap. This is usually
  zero unless the generic-trap is an enterpriseSpecific Trap.
  Enterprise Traps are vendor specific and may contain additional agent
  information about the condition that caused the Trap in the first place.
● Time-stamp  The value of sysUpTime when the Trap was generated, that is,
  the amount of time between when the device was last initialized and the
  generation of the Trap, expressed in hundredths of a second (TimeTicks).
● Variable-binding  Vendor-specific information related to the Trap.

Table 13-5 lists the seven predefined general Trap types. The
enterpriseSpecific Trap type is provided as a mechanism to define
custom or proprietary traps that do not fit within the other generic types.

Module 13: Overview of SNMP

Trap Type                   Description
ColdStart (0)               The device is restarting or reinitializing itself such
                            that the agent or configuration may be changed.
                            Usually, this indicates a crash or other reboot
                            condition.
WarmStart (1)               The device is restarting or reinitializing itself
                            such that no changes are made to the agent or
                            configuration. Usually, this implies a simple refresh
                            or reboot of the operating system environment.
LinkDown (2)                Indicates a failure on one of the device's
                            communications (interface) links.
LinkUp (3)                  Indicates that a device's communication (interface)
                            link is now up and running.
AuthenticationFailure (4)   An authentication or security failure has occurred on
                            the device. Typically, this indicates that an invalid
                            SNMP community string has been used.
EgpNeighborLoss (5)         Indicates that an Exterior Gateway Protocol (EGP)
                            neighbor, of which the device is a peer, has been
                            labeled down and the relationship no longer is valid.
EnterpriseSpecific (6)      Indicates that some vendor-specific event has
                            occurred. Vendors use this generic trap type to
                            represent their own proprietary traps.

Table 13-5  SNMP Predefined Trap Types

GetBulkRequest
This PDU is issued by an SNMPv2 manager or application to minimize network
interaction and permit the agent to return larger packets (as compared to
GetNextRequest or GetRequest), thus improving the efficiency of obtaining a
large number of objects from an agent. This uses the same PDU format as most
other SNMPv1 operations. The only difference is the renaming of the error-status
and error-index fields (from the Response PDU) to non-repeaters and
max-repetitions, respectively. These fields are defined as follows:
● non-repeaters: The number of MIB objects that should be retrieved
  once at most
● max-repetitions: The maximum number of times other MIB objects
  should be retrieved

InformRequest
The InformRequest PDU is issued by an SNMPv2 entity acting in a manager role
to another SNMPv2 entity acting in the same role for the purpose of providing
network management information. The major function of this PDU is to provide
distributed SNMP management capabilities. Thus, an agent can implement this
PDU to provide management-like services and functions. The format of this PDU
is the same as for GetRequest and other related PDUs.


1-Minute Drill
● What are the advantages of SNMPv3 over previous versions and what are its
  major current limitations?
● Why is a trap message useful?

Answers:
● SNMPv3 increases security over older standards.
● A trap message can inform a network management station about an unexpected
  problem that the agent might not otherwise find out about in a timely fashion.

SNMP Response Codes
The error codes returned from an SNMPv1 agent are very limited. For
example, if an SNMP manager requested the set operation on a MIB object,
and the agent can't perform the operation as requested, the agent replies with
noSuchName. With the addition of more error codes in SNMPv2, the agent
will reply with notWritable in this situation. Table 13-6 lists the SNMP
response codes.

Response Code         Description

SNMPv1
tooBig                Returned by the agent if the response to a request would be
                      too large to send.
noSuchName            Returned by the agent in either of these two cases: 1) if a set
                      operation is attempted for an object that is not in the MIB
                      view, or 2) if a set operation is attempted for an object that
                      is in the MIB view, but the object is read-only.
badValue              Returned by the agent when it has detected an error in the PDU
                      variable-binding list.
readOnly              Returned by the agent.
genError              Returned by the agent when processing of a PDU fails for
                      a reason other than what is listed in this table.

SNMPv2/v3
noAccess              The variable is outside the defined MIB view for this operation
                      to succeed.
notWritable           The variable exists within the agent, but the agent is unable to
                      modify the object.
wrongType             The value supplied is of the wrong data type, as defined
                      by ASN.1.
wrongLength           The value supplied is of the wrong length.
wrongEncoding         The value supplied was not encoded correctly.
wrongValue            The value supplied is not within the range required for the
                      object type.
noCreation            The object doesn't exist and the agent is unable to create an
                      instance of this object.
inconsistentName      The object doesn't exist and the agent is unable to create an
                      instance of this object because the name is inconsistent with
                      the values of other related objects.
inconsistentValue     The value provided is inconsistent with the values of the
                      managed objects.
resourceUnavailable   A needed resource within the agent can't be reserved to
                      complete the request.

Table 13-6  SNMP Response Codes

Hint

These codes are important because they can help you track down problems
and issues when using SNMP agents and tools that communicate with agents.
Determining the solution to SNMP problems is aided by knowing these
message codes and understanding the difference between configuration errors
with the agent versus connectivity problems between the manager and agent.

Transmission of an SNMP Message
The following series of events occurs when a network manager formulates an
SNMP message:
1. The basic PDU is constructed.
2. The PDU is passed to the security service layer if available.
3. The protocol layer formats the message, including the version and
   community information.
4. The entire message is now encoded using ASN.1 rules.
5. The message is passed to the transport service so that it will be delivered
   to the receiving entity.
The following series of events occurs when an agent device receives an
SNMP message:
1. A basic check is performed to ensure the message is formatted correctly.
   The message is discarded if any errors are encountered.
2. The protocol version information is verified. If there is a mismatch, the
   message is discarded.
3. The security service attempts to verify the sending entity. If this fails,
   a trap is generated and the message is discarded.
4. The PDU is decoded.
5. The PDU is processed.
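The Trap fields listed earlier and the receive-side checks just described, worked through as an added Python example (not code from the book): it BER-encodes an SNMPv1 message carrying a Trap-PDU and decodes it again, discarding a malformed message, a version mismatch or a wrong community in that order before reading the fields. The community, enterprise OID, agent address and variable binding are constructed sample values.

```python
"""SNMPv1 Trap message encoder/decoder in BER, following the RFC 1157 layout.
Added example, not the book's code; standard library only, constructed data."""
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4   # [APPLICATION 0/3], [4]
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",  # Table 13-5
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}

def _tlv(tag, value):
    """BER tag-length-value; long-form length once the value is 128+ bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value

def _int(value, tag=TAG_INTEGER):
    """BER INTEGER, minimal two's complement; TimeTicks reuses it with its own tag."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    """Encode a dotted OID: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))      # continuation bit on all but the last
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))

def encode_trap(community, enterprise, agent_addr, generic, specific, ticks, varbinds):
    """Message { version 0, community, Trap-PDU { enterprise, agent-addr, generic-trap,
    specific-trap, time-stamp, variable-bindings } }; varbind values sent as strings."""
    vbl = b"".join(_tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_OCTET_STRING, val.encode()))
                   for oid, val in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(TAG_IPADDRESS, bytes(int(o) for o in agent_addr.split(".")))
           + _int(generic) + _int(specific) + _int(ticks, TAG_TIMETICKS)
           + _tlv(TAG_SEQUENCE, vbl))
    return _tlv(TAG_SEQUENCE, _int(0) + _tlv(TAG_OCTET_STRING, community.encode())
                + _tlv(TAG_TRAP_PDU, pdu))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("malformed message: truncated TLV")
    return tag, buf[pos:pos + length], pos + length

_read_int = lambda raw: int.from_bytes(raw, "big", signed=True)   # BER INTEGER value

def _read_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_trap(message, expected_community):
    """Receive path from this section: discard a malformed message, then a version
    mismatch, then a bad community (the authenticationFailure case); then decode."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("malformed message: discarded")
    tag, raw, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER or _read_int(raw) != 0:
        raise ValueError("version mismatch: discarded")
    tag, raw, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING or raw != expected_community.encode():
        raise PermissionError("community mismatch: authenticationFailure")
    tag, pdu, _ = _read_tlv(body, pos)
    if tag != TAG_TRAP_PDU:
        raise ValueError("not a Trap-PDU")
    parts, pos = [], 0
    while pos < len(pdu):                          # the six fixed Trap-PDU fields, in order
        tag, raw, pos = _read_tlv(pdu, pos)
        parts.append(raw)
    ent, addr, gen, spec, ticks, vbl = parts        # wrong field count -> ValueError
    bindings, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_raw, q = _read_tlv(vb, 0)
        _, val_raw, _ = _read_tlv(vb, q)
        bindings.append((_read_oid(oid_raw), val_raw.decode(errors="replace")))
    return {"enterprise": _read_oid(ent), "agent_addr": ".".join(map(str, addr)),
            "generic_trap": GENERIC_TRAPS.get(_read_int(gen), "unknown"),
            "specific_trap": _read_int(spec),
            "time_stamp": _read_int(ticks),         # TimeTicks: hundredths of a second (RFC 1155)
            "variable_bindings": bindings}

# Constructed sample: linkDown trap from a hypothetical agent at 192.0.2.10 with a
# placeholder enterprise OID; the varbind carries ifIndex 3 as text for brevity.
SAMPLE_TRAP = encode_trap("public", "1.3.6.1.4.1.99999", "192.0.2.10",
                          2, 0, 123456, [("1.3.6.1.2.1.2.2.1.1.3", "3")])
```

A manager that receives a trap only logs it; a community mismatch on a request is what would make an agent emit the authenticationFailure trap from Table 13-5.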

Connectionless Protocol
SNMP is a connectionless protocol, which means that it doesn't support the
concept of establishing and controlling a dedicated connection like Telnet or
FTP. SNMP transmits information between an agent and a manager by the use
of requests and return responses. This removes the burden from agents of
having to support additional protocols and processes associated with
connection-based schemes. Therefore, SNMP provides its own mechanism to address
reliability and error detection.

13.5 Investigate SNMP Master and Subagent
When deploying network management software, it is common to have a single
agent installed on each system that will be managed. In the case of networking
devices such as network routers and switches, usually only a single agent is
available. In either case, the agents will communicate with one or more network
managers using the standard SNMP port of 161. For most needs, a single agent
approach makes sense and is appropriate. However, there are instances when
more than one agent is necessary to achieve the desired level of manageability.
For example, workstation manufacturers will often provide an SNMP agent
within their operating system. In the case of both Solaris and HP-UX, the vendor
provides a master agent and one or more subagents. A single agent is available
on the Linux platform.
Most system agents will usually support a limited number of operating
system functions and parameters. If we wish to manage database services on
this same system via SNMP, this will require that we install another agent to
specifically monitor the database functions. This poses a problem because both
agents will typically be accessed by the SNMP manager using the same SNMP
standard port. Further, when the agents are started by the system, the first agent
will start and open the port 161 and will operate normally. However, when the
second agent starts and attempts to do the same, it will get an error stating that
the port is busy and it should abort operation.
Two possible approaches can be taken to address this port contention problem.
First, one of the agents can be configured to use an alternative port instead of the
standard 161. This solution will work if the agent can be made to support another
port when it is started by the system. Many system agents do support alternative
ports, but this is by no means the rule. The major drawback to this solution is
that any SNMP managers used to poll the agent must now be configured to use
this new port as well. This doesn’t pose a significant problem when only a small
number of nonstandard ports are used. However, if this solution is used on a
large scale—say, with many agents using all nonstandard ports across a large
number of systems—the approach loses its appeal because of the administrative
burden it introduces.
The other solution might be considered more elegant because it involves
using a master agent and one or more subagents. A master agent solves the port
conflict problem by becoming the keeper of the standard SNMP port and forwards
all the SNMP traffic to the appropriate subagent. Subagents are normal SNMP
agents, but they are registered with the master agent and assigned nonstandard
ports that are used to communicate with the master agent. SNMP messages from
managers are sent to the master agent, who in turn delivers the messages to the
correct subagent using the port it assigned to the subagent. Figure 13-6 shows a
diagram of the master/subagent architecture. One major benefit of this solution
is that it alleviates the administration task of modifying the SNMP managers
cited in the first solution. Also, this solution can scale very well because new
subagents can be added in a straightforward manner.
On the negative side, the master agent can pose a problem because it can crash
or otherwise become inoperative. This would have the adverse effect of disabling
the connectivity to all the subagents. Because this particular problem can be
said of other software systems as well, the risk (although not zero) isn’t
necessarily a significant factor. Also, because the master agent is responsible
for delivering each SNMP message to the appropriate subagent, it adds a certain
amount of processing time and overhead. This might be a factor in time-critical
management functions.


Mastery Check
1. Which MIB object class consists of primitive types that can be used to
   build additional data types of objects?
2. Which SNMP function notifies a network management system of a special
   condition or problem without the management system specifically requesting
   this information?
   A. Get
   B. Set
   C. Trap
   D. MIB
3. Which class does the IpAddress data type belong to?
4. Which of the following elements does SNMPv1 not provide?
   A. Basic network management framework
   B. Robust security model
   C. Definition of the MIB-II standard
   D. Description of ASN.1 encoding language
5. What are the three main components of an SNMPv1 message?
6. In the MIB hierarchical tree structure, the __________ represent
   individual objects.
7. What type of objects are not alterable by the network management system,
   but allow their values to be obtained with a get operation?
   A. Not-accessible
   B. Accessible-for-notify
   C. Read-only
   D. Read-write
8. What does an SNMP manager or application issue to obtain one or more
   MIB objects from an SNMP agent?
9. What does an SNMP manager or application issue to obtain a MIB object
   from an SNMP agent when the structure of the MIB tree is unknown?
10. Match each of the data types in the first list (A-D) with its description
    from the second list (i-iv):
    A. INTEGER
    B. NULL
    C. OBJECT IDENTIFIER
    D. SEQUENCE
    i. A data type used to denote an ordered list of zero or more elements that
       contain other ASN.1 types
    ii. A data type representing a cardinal number
    iii. A data type meant as a placeholder, but currently not used
    iv. A data type representing an authoritatively named object that consists
        of a sequence of values that specify a MIB tree
11. Which of the following is information that would be contained in an SNMP
    table for each interface within a network device to describe the nature of the
    interface and associated configuration? (choose all that apply)
    A. Description
    B. MTU
    C. Protocol data unit
    D. Physical address
12. A __________ is an unsolicited message from an agent directed to a
    network management station that represents a significant event or
    condition for which notification to the manager is considered necessary.
13. What might you assign to a class of devices to provide a security boundary
    for a desired group of devices?
    A. Boundary name
    B. Community name
    C. Security model
    D. Encryption facilities
14. Which SNMP operation doesn't receive a GetResponse from the agent?
15. Which SNMPv2 operation helps minimize network interaction and permits
    the agent to return larger packets relative to GetRequest or GetNextRequest?
16. What response code will an SNMPv2 agent return if the object doesn't
    exist and the agent is unable to create an instance of this object?

Module 14
Using the Domain Name System

Critical Skills
14.1 Discover How the Domain Name System Works
14.2 Explore Both DNS Server and Client Components

One major issue with TCP/IP networking is how to provide mappings
between system names and their corresponding network addresses.
UNIX provides several ways to facilitate the mapping between hostnames
and IP addresses.

14.1 Discover How the
Domain Name System Works
First, the traditional method involves the use of the /etc/hosts file.
When a network application wishes to resolve a name, it invokes a standard
library routine that looks up the name in this file. The file provides simple
mappings of hostnames at the local level; this particular method has several
problems. The chief issue is that it doesn't scale well; in other words, it would
be impossible for the system administrator to maintain an /etc/hosts file
that contains all the possible systems that one would need. When the Internet
was much smaller, it used the /etc/hosts file approach for name resolution.
However, because of operational problems it became clear that another
mechanism was needed.
The second approach is to use Network Information Services (NIS). Today,
this method is deployed within many companies, largely to handle internal
name resolution for a company. This approach, too, suffers from the same basic
problem as /etc/hosts—scalability. NIS doesn't provide for host resolution
for a significant number of hosts, such as that contained on the Internet.
The third method uses DNS for name resolution. DNS provides a hierarchical
namespace that contains domains, subdomains, and hostnames. A domain is a
collection or grouping of hostnames strategically defined within the namespace
so that no conflicts arise among different domains. For example, it is possible
that two different companies may have picked identical hostnames for some
of their systems. However, this doesn't represent a problem because the two
companies are in different domains; thus, the overlapping system names do
not conflict.
The Domain Name System (DNS) provides a very critical element for the
Internet—it provides mappings between hostnames and their corresponding
Internet Protocol (IP) addresses. For example, when a URL of the form
http://www.whitehouse.gov is entered within a Web browser, the
browser in turn requests the IP address of this host from a DNS server in order
for the communication between the user's system (browser) and the remote
Web site to commence. Why does the browser do this? Because communication
between systems on the Internet must use an Internet Protocol
address. This is true for any TCP/IP network: systems must be specified by
their IP addresses. The term that refers to converting from
a hostname to an IP address is host resolution, and it is completely
transparent to the user. The DNS system available on most UNIX versions is
known as the Berkeley Internet Name Domain (BIND) package and is used
quite extensively on the Internet. BIND has been placed in the public domain
and is freely available at www.isc.org. This module is based on the BIND
version of DNS.
The DNS namespace can be clearly explained by using an inverted tree
structure, which is similar to a UNIX file system. The UNIX file system starts
at the base or root, which is represented with a leading “/”. Within DNS, a
dot “.” is used to represent the base of the tree. Figure 14-1 shows a sample
of the DNS namespace. As you can see from the figure, several of the common
DNS domains are defined that include edu, com, and net. These are known
as “top level” or root domains, and any objects defined below these top levels
are known as subdomains. The placement of companies, corporations, or
institutions largely depends on the type of business the organization is engaged
in. For instance, if a university called Zippy wants to join the Internet, a new
subdomain called zippy will be defined under the edu domain because it is an
education establishment. Standard DNS domains are listed in Table 14-1.

Figure 14-1  DNS namespace

Domain         Purpose
edu            Educational: universities, colleges, prep schools, etc.
com            Institutions and other organizations that engage in commercial activities
gov            Government organizations and institutions
int            International organizations
mil            Military organizations or those that work with such organizations
net            Internet service providers and other network support centers
org            Organizations that are noncommercial in nature, such as a nonprofit
               institution
country code   Each country code based on geographic location

Table 14-1  Top-Level DNS Domains

Note that two systems have been assigned the name socrates; one in the
edu domain and the other in the com domain. This is a perfectly acceptable
and reasonable thing to do; that is, there is no conflict. The UNIX file system
works the same way; two files with the same name can be defined within two
different directories. One reads or interprets a domain and hostname in the
opposite order as a UNIX file and pathname—from right to left. For example,
the host
socrates.mis.zippy.edu

reads as follows: within the edu root domain, an organization called zippy
defines a subdomain called mis, which contains a host called socrates. The
DNS character separator is the dot (“.”), and a dot is implied after each top-level
domain. However, in practice the rightmost dot is not used.
DNS consists of two major elements: the server and the client. The server
provides DNS services to one or more client systems. Whenever the client must
obtain the IP address of a host, it makes a request to a DNS server. The server
responds with a valid answer and the client continues to process the transaction.
Typically, several servers are deployed so that should a failure occur with a
particular DNS server, other backup systems will respond to the client request.
This approach works well and provides a reasonable amount of fault tolerance.


14.2 Explore Both DNS Server
and Client Components
A DNS server contains the following elements:
● Domain files
● Processes
● Tools

Domain Files
A DNS server is configured to service one or more domains. A domain is a
collection of individual hosts that are grouped according to some arbitrary
criteria. For example, all the systems within a particular department or team
can be defined within a DNS domain. When a new domain is defined on the
DNS server, a new domain file is created that contains records for each host.
When the DNS server is started, it reads each domain file and then knows
how to resolve mapping between names and IP addresses for that domain.

DNS Example
One of the best ways to understand the DNS system is to review an example
configuration. The following listing contains a sample (but fully functional)
named.conf file for the fictitious home.com domain. Comments can be placed
within the file using the "//", "#" or "/* */" characters.

 1  //
 2  // home.com DNS named.conf file
 3  //
 4  options {
 5      directory "/var/named";
 6      allow-transfer {
 7          216.155.202.163;
 8          216.155.202.100;
 9      };
10  };
11
12  //
13  // Our Primary DNS Information
14  //
15  zone "home.com" {
16      type master;
17      file "home.com";
18  };
19  zone "202.155.216.in-addr.arpa" {
20      type master;
21      file "reverse-home.com";
22  };

Notes on the listing: the directory option (line 5) specifies which UNIX
directory the DNS server will use to find additional configuration files and
zone information. Specifying the allow-transfer option (lines 6-9) means
only the two nodes listed here are allowed to obtain zone transfers (wholesale
domain information) from this server.

This listing represents a minimal DNS configuration that would be placed in
the named.conf file. By default the DNS server will look for this file within
the /etc directory, but this can be changed by using the -c command-line
argument. The basic syntax of this DNS configuration includes
statement_keyword “string” {
option keyword;
option Keyword;
};

The statement keywords include high-level directives that define DNS services
and control operational aspects of the server. Table 14-2 lists the supported
keywords.
The basic named.conf file (as shown earlier) includes several sections
that include configuration options, basic initialization, and individual zone
configurations. The options section includes operational aspects of the DNS
server. For example, use the directory (lines 4–9) option to specify which
UNIX directory the DNS server will use to find additional configuration files
and zone information. Some of the most common configuration keywords
supported by the DNS server are listed in Tables 14-3 and 14-4. The DNS server
options are divided into two groups: those options that control how the server
interacts on the network (Table 14-3) with other systems, and configuration
options (Table 14-4), which control how the server operates on the local system.
The configuration includes support for two zones: the home.com and the
associated reverse IP domain. The home.com domain is defined within lines
15–18; the reverse domain, 202.155.216.in-addr.arpa, is contained
within lines 19–22. Defining a new domain is very simple; all that is required is
the name of the domain, the type (which determines the relationship between
the domain and the DNS server), and the resource file, which contains the
specific hosts for that domain.

Statement Keyword   Meaning
acl                 Provides an access control mechanism to form an IP address
                    match list
include             Includes another file
logging             Controls server logging
options             Specifies and controls global server configuration options
controls            Determines how to communicate with the rndc utility
server              Defines a new server for a particular
zone                Defines a DNS zone. May contain either master or secondary
                    keywords

Table 14-2  DNS Server Statement Keywords

Option Keyword              Meaning
allow-query IP Addresses    Determines which IP addresses are permitted to
                            query the server. The default is all hosts are allowed.
allow-transfer IP Addresses Determines which IP addresses are permitted to
                            do a zone transfer from the DNS server. By default,
                            any node can do a zone transfer.
auth-nxdomain yes/no        The default value is yes; this tells the server to answer
                            authoritatively for domain queries on domains that
                            have SOA records.
check-names type action     Tells the server to verify the integrity of domain names.
fake-iquery yes/no          The default value is no; the server will simulate the
                            support for the IQUERY option type.
fetch-glue yes/no           The default value is yes; tells the server to query and
                            cache the necessary DNS records about domains for
                            which it is not authoritative.
forward first|only          The default value is first; this causes the server to
                            forward to another DNS server when a client's query
                            can't be resolved.
forwarders ip list          Provides a list of IP addresses for the DNS server
                            to query when it doesn't have information about
                            a client request.
multiple-cnames yes/no      The default value is no; this permits the server to
                            support CNAMEs that point to other CNAMEs.
notify yes/no               The default value is yes; this tells the server to emit
                            a notify message to all secondaries when a zone has
                            been updated on the server.
recursion yes/no            The default value is yes; this instructs the server to
                            query other DNS servers to resolve a client DNS request.

Table 14-3  Server Interaction Options

Option Keyword              Meaning
directory path              Specifies the working directory for the DNS server.
named-xfer path             Specifies the path for the named-xfer program. This
                            program is responsible for doing a zone transfer.
dump-file path              Specifies the path name for where the DNS server should
                            write database information when it receives a special signal.
memstatistics-file          Specifies the name of the file to dump usage statistics when
                            the DNS server exits, when the deallocate-on-exit
                            option is set to yes. The default filename is
                            named.memstats.

Table 14-4  Server Operational Options
In this example, the zone keyword is used to tell the server that a new
domain (zone) is being defined. The first zone statement defines the forward
mapping between names and IP addresses. This specific configuration
information is contained within the home.com file. The curly braces ({}) are
used to delimit or include additional optional keywords for that domain. The
type keyword defines the relationship between the domain and the DNS server,
and in this case the master word is used.
When a DNS server is a master for a domain, no other DNS server anywhere will
answer authoritative requests for that domain. In other words, the master DNS
server is supposed to be the definitive source for the domain. However, there
are cases when additional DNS servers appear to be answering requests for a
domain for which they are not the master. A DNS server need not be a master
for a domain, but rather can be a secondary server. A secondary DNS server is
one that obtains DNS records from a master, but can answer DNS client queries
for that domain. This approach is a great way to address performance factors in
a larger network by adding load-balancing features into the DNS namespace.

Hint
"Zone" is another term that means DNS domain.


Next, the reverse map is defined and is called the 202.155.216.in-addr.arpa
domain. The specifics of this zone are contained within the
reverse-home.com file. The reverse map is used to convert from an IP
address to a hostname. This domain is simply the IP address of the network
for the forward domain, reversed, plus the in-addr.arpa extension tacked on
the end. Although this domain isn't strictly required to operate a DNS server,
other sites require the ability to check the reverse map for a particular host
to ensure that an individual system is from a particular domain. This forms
the basis of a rudimentary security policy for DNS servers.
Certain security measures can be implemented using the allow-transfer
keyword (lines 6–9) to control which other systems can "talk" to the DNS
server to obtain wholesale information about one or more domains. In this case,
two nodes (216.155.202.163 and 216.155.202.100) have permission to obtain
zone transfers from the DNS server.

Hint

allow-transfer is not for generic DNS resolver (client) queries, but for
other systems that may wish to interrogate the DNS server. Later in this
module, you will learn to use debugging tools to query DNS servers for
a variety of useful and important information.

DNS Records
A DNS server contains one or more host records, which contain information so
that correct mappings between hostnames and IP addresses can be done and
also records to provide mappings in the opposite direction. Further, the DNS
server can be used to provide additional information to clients that include
additional fields about host records. For example, the DNS server can provide
the name of the mail server that should be used when attempting to send mail
to a system contained within the DNS namespace. The standard DNS record
types are listed in Table 14-5.

DNS Record Type   Description
A                 An address record; used to provide a mapping between
                  a hostname and IP address
CNAME             A canonical name record; used to designate an alias for an
                  A record
NS                Name server records define a new DNS server that will provide
                  authoritative information about a particular domain
MX                Mail exchanger record; used to indicate the mail server for
                  a particular domain
PTR               A pointer record; used to provide reverse mapping between
                  an IP address and hostname
RP                Responsible person record; specifies the contact information
                  about a particular host
TXT               A text record; can be used to provide additional information
                  about a host

Table 14-5  DNS Record Types

Digging Deeper
At this point, neither of the two zone files referenced in the example above
has been discussed. In the previous example, lines 17 and 21 refer to external
files: home.com and reverse-home.com. The home.com file contains the
forward DNS records of this domain, while the reverse-home.com contains
the reverse mappings. It is typical to place each zone within a separate file; this
makes administration of the domain that much easier. The home.com file
contains the following:

 1  $TTL 86400
 2  @        IN  SOA  home.com. sjmaxwell.home.com. (
 3                    2002021500 ; serial number
 4                    10800      ; refresh every 3 hours
 5                    1800       ; retry every 30 minutes
 6                    1209600    ; expire in 2 weeks
 7                    604800 )   ; minimum 1 week
 8           IN  NS   didymus.home.com.
 9           IN  MX   10 mail.home.com.
10  bedrock  IN  A    216.155.202.100 ; NIS server
11  rocks    IN  A    216.155.202.101 ; web server
12  dino     IN  A    216.155.202.110 ; web server
13  didymus  IN  A    216.155.202.163 ; name server

Notes on the listing: lines 2–7 make up the Start of Authority (SOA) record,
and sjmaxwell.home.com. on line 2 is the domain administrator's email
address (see Hint).

Whenever a DNS server is master for a particular domain, it must contain a
Start of Authority (SOA) record. The SOA record is contained within lines 2–7
in the example above and is used to specify the operational parameters for the
domain, such as the email address for the administrator and other important
timing elements. The SOA record contains the following:
● Email address of domain administrator
● Serial number of the domain
● Zone refresh metric
● Zone retry metric
● Zone expiration metric

Hint
In the email address, the @ that is usually in the address is replaced by a period
(.), so in this example the email address sjmaxwell.home.com corresponds
to sjmaxwell@home.com.

This information controls the interface between the primary DNS server and
any secondary servers that have been configured.
The reverse-home.com file contains the following:
$TTL 86400
@      IN  SOA   202.155.216.in-addr.arpa. sjmaxwell.home.com. (
                 2002021500 ; serial number
                 10800      ; refresh every 3 hours
                 1800       ; retry every 30 minutes
                 1209600    ; expire in 2 weeks
                 604800 )   ; minimum 1 week
       IN  NS    didymus.home.com.
100    IN  PTR   bedrock.home.com.
101    IN  PTR   rocks.home.com.
110    IN  PTR   dino.home.com.
163    IN  PTR   didymus.home.com.

As you can see, the format used is the same as the forward mapping home.com
file, but instead of using A records, PTR records are used. Also, the name of each
record is the last byte of the IP address, not the hostname of the system.
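Forward and reverse zones drift apart easily, and a PTR that names the wrong host is a common source of failed reverse checks by mail and login services. The following is an added example, not code from the book: it parses the two zone files above (transcribed inline), decodes the SOA contact mailbox as the Hint describes, and reports A records without a matching PTR, PTRs that name the wrong host, and stale PTRs. The function names are this example's own, and the parser assumes only the zone syntax the book uses.

```python
"""Added example (not from the book): cross-check the home.com forward zone
against its in-addr.arpa reverse zone and decode the SOA contact mailbox.
Assumes the BIND text zone syntax used above: ';' comments, an SOA whose
parenthesised block may span lines, and owner names relative to the origin."""
import re

# Constructed sample input, transcribed from the two zone files above.
FORWARD_ZONE = """\
$TTL 86400
@        IN  SOA   home.com. sjmaxwell.home.com. (
                   2002021500 ; serial number
                   10800      ; refresh every 3 hours
                   1800       ; retry every 30 minutes
                   1209600    ; expire in 2 weeks
                   604800 )   ; minimum 1 week
         IN  NS    didymus.home.com.
         IN  MX 10 mail.home.com.
bedrock  IN  A     216.155.202.100 ; NIS server
rocks    IN  A     216.155.202.101 ; web server
dino     IN  A     216.155.202.110 ; web server
didymus  IN  A     216.155.202.163 ; name server
"""

REVERSE_ZONE = """\
$TTL 86400
@    IN  SOA  202.155.216.in-addr.arpa. sjmaxwell.home.com. (
              2002021500 10800 1800 1209600 604800 )
     IN  NS   didymus.home.com.
100  IN  PTR  bedrock.home.com.
101  IN  PTR  rocks.home.com.
110  IN  PTR  dino.home.com.
163  IN  PTR  didymus.home.com.
"""

def logical_lines(text):
    """Drop ';' comments and blank lines; join a '(' ... ')' block into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out

def qualify(name, origin):
    """Make a zone-file name absolute: '@' is the origin, 'dino' becomes 'dino.home.com.'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse the subset of zone syntax the book uses. Returns (soa, records):
    soa holds the seven SOA fields, records maps RR type -> [(owner, rdata)]."""
    soa, records, owner = {}, {}, origin
    for line in logical_lines(text):
        if line.startswith("$"):          # $TTL is a directive, not a record
            continue
        tokens = [t for t in line.split() if t not in ("(", ")")]
        if tokens[0] != "IN":             # leading owner name; otherwise reuse the last one
            owner, tokens = qualify(tokens[0], origin), tokens[1:]
        rrtype, rdata = tokens[1], tokens[2:]
        if rrtype == "SOA":
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            soa = dict(zip(keys, rdata))
        else:
            records.setdefault(rrtype, []).append((owner, " ".join(rdata)))
    return soa, records

def rname_to_email(rname):
    """The SOA RNAME writes the mailbox with '.' in place of '@' (see the Hint above)."""
    return rname.rstrip(".").replace(".", "@", 1)

def ptr_owner(ip, reverse_origin):
    """In a /24 reverse zone the PTR owner is the last octet under the zone origin."""
    return f"{ip.rsplit('.', 1)[1]}.{reverse_origin}"

def check_reverse(forward_text, forward_origin, reverse_text, reverse_origin):
    """Report A records with no PTR, PTRs naming the wrong host, and PTRs for
    addresses that have no A record; all-empty lists mean the zones agree."""
    _, fwd = parse_zone(forward_text, forward_origin)
    _, rev = parse_zone(reverse_text, reverse_origin)
    expected = {ptr_owner(ip, reverse_origin): host for host, ip in fwd.get("A", [])}
    actual = {owner: qualify(target, forward_origin) for owner, target in rev.get("PTR", [])}
    return {
        "missing_ptr": sorted(o for o in expected if o not in actual),
        "wrong_ptr": sorted(o for o in expected if o in actual and actual[o] != expected[o]),
        "stale_ptr": sorted(o for o in actual if o not in expected),
    }
```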

1-Minute Drill

● What benefit does the Domain Name System (DNS) provide for mappings
  between system names and their corresponding network addresses that both
  a UNIX /etc/hosts file approach and Network Information Service (NIS) lack
  for a system like the Internet?
● What is the DNS reverse map used for?
● Explain a DNS master server.

● Scalability
● The DNS reverse map converts from an IP address to a hostname.
● When a DNS server is a master for a domain, that means that no other DNS server anywhere will answer
  authoritative requests for that domain by clients.

Processes
On the DNS server, a program listens on port 53 and waits for DNS client
requests. For Linux, the server is called named, but on both Solaris and
HP-UX the server is known as in.named. Despite the name difference, each
of the servers provides the same basic functions, and each program
supports many of the same command-line options. The DNS servers are available by
default for each platform; however, this will depend on the type of installation
that was performed. To ensure that the DNS server has been installed, do the
following:
Linux: ls -al /usr/sbin/named
Solaris/HP-UX: ls -al /usr/sbin/in.named

If the DNS server program is not found within these locations, the package
hasn’t been installed. Use the native installation programs to install the DNS
package—for Linux, use gnorpm; for Solaris, use pkgadd; and for HP-UX use
swinstall. See Module 4 for additional information on these tools.
When the system is started and DNS services have been installed, the
DNS server is typically started as one of the standard processes. On Linux,
/etc/rc.d/init.d/named is the primary startup script. Symbolic links
are placed within each of the run-level directories to this script; this includes
both S and K scripts. Thus, the following (for example) should be installed:
/etc/rc.d/rc5.d/K45named
/etc/rc.d/rc5.d/S45named

On Solaris and HP-UX, the script /etc/init.d/inetsvc brings up the
DNS server when the system boots and contains the following linked files:
/etc/rc0.d/K42inetsvc
/etc/rc2.d/S72inetsvc

Verify DNS Server Is Running
As the administrator, you can verify that the server is running and listening on
the correct network port.

To verify that the server is running on the system, use the ps command
(Linux):
# ps -ef | grep name
named      867     1  0 21:53 ?        00:00:00 named -u named
named      869   867  0 21:53 ?        00:00:00 named -u named
named      870   869  0 21:53 ?        00:00:00 named -u named
named      871   869  0 21:53 ?        00:00:00 named -u named
named      872   869  0 21:53 ?        00:00:00 named -u named

The named process for Linux is multithreaded; when listed with the ps
command, it appears as several processes. However, only a single
process is actually running.
For Solaris/HP-UX, use the following:
# ps -ef | grep in.named
    root   220     1  0 23:53:10 ?        0:00 /usr/sbin/in.named

To show which ports the DNS server is listening on, use the following
commands (Linux):
# netstat -p -a | grep name
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 didymus.home.com:domain  *:*               LISTEN   867/named
tcp        0      0 localhost:domain         *:*               LISTEN   867/named
udp        0      0 didymus.home.com:domain  *:*                        867/named
udp        0      0 localhost:domain         *:*                        867/named
The output above may suggest that several different named processes are
running when, in fact, only a single process is running. Examine the PID field—
it shows a single process ID, which in this case is 867. Using the netstat
command, both the port and DNS process can be listed. In the output above,
processes are listed for both TCP and UDP ports. This means that DNS
requests are available using both TCP and UDP transport protocols. The string
didymus.home.com:domain contains both the local address hostname (or
address) and port component. In this example, domain refers to port 53, which
is mapped in the /etc/services file.


The Foreign Address indicates which remote address the network
connection is attached to. Here we see that “*:*” is used, and this means that
any remote address will be accepted.

Hint

On Linux, the -p option is available, which gives the name of the program
that is listening on a specific port. The other versions of UNIX don’t support
this option.

For Solaris/HP-UX, use the following:
# netstat -a | grep domain
      localhost.domain               *.*                     Idle
      bedrock.home.com.domain        *.*                     Idle
      localhost.domain          *.*          0      0 65536      0 LISTEN
      bedrock.home.com.domain   *.*          0      0 65536      0 LISTEN

The output for both Solaris and HP-UX systems looks different from
the Linux output, but the same basic information is provided, just using
a modified format.

DNS Tools
The BIND package includes several useful tools for debugging and verifying
DNS server operations. The tools include
● nslookup
● dig
● host

nslookup
The nslookup command provides a mechanism to query a DNS server from
the command line. The nslookup command is available across a wide number
of UNIX systems; however, on Linux it is being deprecated and will be replaced
by other tools such as host and dig. On Solaris and HP-UX nslookup ships
with the basic operating system and is the standard DNS debugging tool for
these platforms. The command has two basic modes: simple query and complex
command interface mode. To use simple query mode, provide a hostname for
DNS resolution as an option to the command (Linux):
# nslookup dino.home.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         216.155.202.163
Address:        216.155.202.163#53

Name:   dino.home.com
Address: 216.155.202.110

On Linux, we get a warning message about the fate of the nslookup command,
but on Solaris and HP-UX, the following is displayed:
# nslookup dino.home.com
Server: didymus.home.com
Address: 216.155.202.163
Name:
dino.home.com
Address: 216.155.202.110

In the examples above, we obtain the same basic information about the
dino.home.com host: the IP address of the host called dino.home.com.
This is the fundamental purpose of simple query mode.
To use complex command interface mode, issue the nslookup command without
any options:
# nslookup
Default Server: didymus.home.com
Address: 216.155.202.163
>

As a result, the command displays the default DNS server, associated IP address
of the DNS server, and a command prompt (>). At this point, nslookup will
accept command options that control how and what to query from the DNS
server. Typing the ? command (help) will show all the supported commands:
> ?
Commands:       (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands; see nslookup(1) for details
set OPTION      - set an option
    all         - print options, current server and host
    [no]debug   - print debugging information
    [no]d2      - print exhaustive debugging information
    [no]defname - append domain name to each query
    [no]recurse - ask for recursive answer to query
    [no]vc      - always use a virtual circuit
    domain=NAME - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME   - set root server to NAME
    retry=X     - set number of retries to X
    timeout=X   - set initial time-out interval to X seconds
    querytype=X - set query type, e.g., A,ANY,CNAME,HINFO,MX,PX,NS,PTR,SOA,TXT,WKS
    port=X      - set port number to send query on
    type=X      - synonym for querytype
    class=X     - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional USER at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          - list canonical names and aliases
    -h          - list HINFO (CPU type and operating system)
    -s          - list well-known services
    -d          - list all records
    -t TYPE     - list records of the given type (e.g., A,CNAME,MX, etc.)
view FILE       - sort an 'ls' output file and view it with more
exit            - exit the program, ^D also exits

Although the list of command-line options appears complicated, using
nslookup in this mode is quite easy. At the command prompt, a hostname
can be typed to obtain DNS resolution:
> bedrock
Server: didymus.home.com
Address: 216.155.202.163
Name:
bedrock.home.com
Address: 216.155.202.100
>


As the output shows, the nslookup command displays the DNS server
information and the resolution for a host called bedrock.home.com. Two
very useful features of nslookup are that another DNS server can be queried
and different types of information can be obtained from the specified server.
To change the DNS server while in command mode, do the following:
> server 216.155.202.100
Default Server: bedrock.home.com
Address: 216.155.202.100

Either the IP address or the hostname of an alternate DNS server can be
specified using the server command. The example above shows the
IP address. To instruct nslookup to display the SOA record for a particular
domain, change the query type:
> set type=soa
>

This tells the server to request the Start of Authority record instead of a host
record. Then, type a domain name:
> home.com
Server:  bedrock.home.com
Address:  216.155.202.100

home.com
        origin = home.com
        mail addr = sjmaxwell.home.com
        serial = 2002021500
        refresh = 10800 (3H)
        retry   = 1800 (30M)
        expire = 1209600 (2W)
        minimum ttl = 604800 (1W)
home.com        nameserver = didymus.home.com
didymus.home.com        internet address = 216.155.202.163

The information obtained about the SOA record will match what has been
placed in the zone file for this domain.

dig
The dig command provides a mechanism to query a DNS server from the
command line, just like the nslookup command. However, it provides much
more information about the underlying interaction between the client and DNS
server. This command is available with the BIND package, but it doesn’t come
standard on either Solaris or HP-UX. It is available out of the box for Linux:
# dig dino.home.com
; <<>> DiG 9.1.3 <<>> dino.home.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dino.home.com.                 IN      A

;; ANSWER SECTION:
dino.home.com.          86400   IN      A       216.155.202.110

;; AUTHORITY SECTION:
home.com.               86400   IN      NS      didymus.home.com.

;; ADDITIONAL SECTION:
didymus.home.com.       86400   IN      A       216.155.202.163

;; Query time: 22 msec
;; SERVER: 216.155.202.163#53(216.155.202.163)
;; WHEN: Mon Feb 18 23:30:55 2002
;; MSG SIZE  rcvd: 85

host
The host command is relatively new to the DNS community and comes with the
basic Linux operating system. It provides the same basic services as both
nslookup and dig. However, it provides a few handy command-line options
to make it easier to obtain DNS information. For example, it supports the -l
option that will list all the hosts within a specified domain. It also supports basic
hostname resolution. Thus, using this command with a valid DNS name yields
# host dino
dino.home.com. has address 216.155.202.110

Typing the host command without any arguments causes a listing of the
command-line arguments to be displayed:
# host
Usage: host [-aCdlrTwv] [-c class] [-n] [-N ndots] [-t type] [-W time]
            [-R number] hostname [server]
       -a is equivalent to -v -t *
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -l lists all hosts in a domain, using AXFR
       -n Use the nibble form of IPv6 reverse lookup
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -t specifies the query type
       -T enables TCP/IP mode
       -v enables verbose output
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply

Explore DNS Client Components
In order for a UNIX client to use a DNS server, two files must be configured
correctly. The first is the /etc/nsswitch.conf file and the second is the
/etc/resolv.conf file. The nsswitch.conf file determines how the system
should obtain important information such as login information and host
information. Consider a partial file listing from the default nsswitch.conf
file from Solaris:
passwd:     files
group:      files
hosts:      files

The file includes a string label, which represents a network or system service
(or system database) and a number of associated arguments. The arguments include
the directives that tell the system to use one or more mechanisms to obtain the
needed information. For example, the entry passwd: files means that when
login information is needed (when a user logs in to the system, for instance),
the system should consult the local files for user authentication. The entry
passwd: nisplus files now means that the system should first attempt
to authenticate the user using NIS+ services, and if that fails use the local files.
Table 14-6 lists all the supported nsswitch.conf directives.

Table 14-6   The nsswitch.conf Directives

Directive   Meaning
files       Consult the local database files that include /etc/passwd,
            /etc/group, /etc/shadow, and /etc/hosts.
nis         Query a NIS server for authentication or other database information.
nisplus     Query a NIS+ server for authentication or other database information.
ldap        Query an LDAP database for authentication or other database
            information.
dns         Use a DNS server when attempting to resolve hostnames or IP addresses.
compat      Used with both the /etc/passwd and /etc/group files that support
            the “+” and “-” directives.

In the same way, before the UNIX client will use a DNS server, the hosts:
entry must include a dns directive:
hosts: dns files

The /etc/resolv.conf file is used to provide specific information
about the DNS configuration for the local machine. The basic syntax of the
file includes adding which domain the client is a member of and one or
more nameservers to query. The example
domain home.com
nameserver 216.155.202.163

indicates that the local machine should use the home.com domain when
making queries to the DNS server with the IP address of 216.155.202.163.
In practice, usually two DNS server entries are added to this file so that the
client may query the second server should the first one be unavailable.

Hint

The nameserver keyword must be accompanied by a valid IP address
of the DNS server and not the hostname of the server. Why? Because if the
hostname of the DNS server were supplied, there would be no way to resolve the
name to an IP address, since this entry is supposed to provide DNS resolution
for the system. When nslookup or other DNS tools are invoked, they consult
this file for nameserver and domain information.

You can place one or more nameserver entries in the file so that should
one of the primary DNS servers fail, another one may be used so that client
requests will be answered. Typically, each client system should have at least
two nameserver definitions to ensure a reasonable amount of redundancy.
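The three client-side conditions just described (a dns directive on the hosts: line, nameserver entries given as IP addresses rather than hostnames, and at least two of them) are easy to check mechanically. The following is an added example, not code from the book: it parses nsswitch.conf and resolv.conf text and returns a list of findings. The sample file contents and the function names are this example's own; the checks follow the text above.

```python
"""Added example (not from the book): sanity-check the two client-side files
described above, nsswitch.conf and resolv.conf, for the conditions the text
calls out. Inputs are passed as text so the check runs offline."""
import ipaddress

# Constructed samples: a client configured as the text recommends ...
NSSWITCH_OK = "passwd:  files\ngroup:   files\nhosts:   dns files\n"
RESOLV_OK = "domain home.com\nnameserver 216.155.202.163\nnameserver 216.155.202.100\n"
# ... and one showing the mistakes the text warns about.
NSSWITCH_BAD = "hosts:   files\n"
RESOLV_BAD = "nameserver didymus.home.com\n"

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf, e.g. {'hosts': ['dns', 'files']}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db

def parse_resolv(text):
    """Return {'domain': str or None, 'nameserver': [values]} from resolv.conf."""
    conf = {"domain": None, "nameserver": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "domain":
            conf["domain"] = fields[1]
        elif len(fields) >= 2 and fields[0] == "nameserver":
            conf["nameserver"].append(fields[1])
    return conf

def is_ip_literal(value):
    """True for an IPv4/IPv6 address literal, False for anything that would need resolving."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_client_config(nsswitch_text, resolv_text):
    """Return a list of findings; an empty list means the client matches the
    configuration the text describes."""
    findings = []
    hosts = parse_nsswitch(nsswitch_text).get("hosts", [])
    if "dns" not in hosts:
        findings.append("nsswitch.conf: hosts entry does not list dns; "
                        "the resolver will never query a DNS server")
    resolv = parse_resolv(resolv_text)
    if resolv["domain"] is None:
        findings.append("resolv.conf: no domain line; unqualified names "
                        "such as 'dino' cannot be completed")
    for ns in resolv["nameserver"]:
        if not is_ip_literal(ns):
            findings.append(f"resolv.conf: nameserver {ns!r} is a hostname, "
                            "not an IP address, and cannot itself be resolved")
    if len(resolv["nameserver"]) < 2:
        findings.append("resolv.conf: fewer than two nameserver entries; "
                        "no fallback if the first server is unavailable")
    return findings
```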

Project 14-1
In this project, you will examine the DNS configuration on your system and
practice using DNS tools.

Step-by-Step
1. Display the contents of your system's DNS configuration file:
# more /etc/named.conf

2. Identify the directory where additional DNS configuration files are stored on
your system by looking for a directory option line.
3. Display the contents of your system's master zone file and reverse zone
file, substituting your correct directory for /var/named and your correct
domain name and reverse domain name for sjmaxwell.org and
192.168.1.in-addr.arpa, remembering to use the IP address for
your network in the latter:
# more /var/named/sjmaxwell.org
# more /var/named/192.168.1.in-addr.arpa

4. Verify that your system's DNS server is running. For Linux systems, use
# ps -ef | grep name

For Solaris, use
# ps -ef | grep in.named

5. Display the ports your system's DNS server is listening on. For Linux systems, use
# netstat -p -a | grep name

For Solaris, use
# netstat -a | grep domain

6. Display the hostname and IP address for your system:
# nslookup


Mastery Check
1. DNS provides a __________ namespace that contains domains,
   subdomains, and hostnames.
2. True or False: If two companies with different domains choose the same
   hostnames for some of their systems, one of the companies will need to
   change the hostnames to avoid DNS conflicts.
3. Converting from a hostname to an IP address is __________.
4. What are the domain, organization, subdomain, and host in this
   hostname?
   www.athletics.indiana.edu
5. Which command provides a mechanism to query a DNS server from the
   command line?
6. When using nslookup in command mode, what is the command to
   change the DNS server to the DNS server at 192.168.1.215?
7. What two commands might you consider using instead of nslookup
   that both provide the same information as nslookup as well as
   additional DNS information?
8. Which DNS configuration file provides specific information about the
   DNS configuration for the local machine?
9. Which DNS configuration file determines how the system should
   obtain important system information such as login information and
   host information?

Module 15
Using NIS

Critical Skills
15.1 Overview of Network Information Services
15.2 Discover NIS Components
15.3 Setting Up a NIS Server
15.4 Configure a NIS Client
15.5 Setting Up a Secondary NIS Server

In previous modules, the administration of user accounts was reviewed with
particular emphasis on manipulation of text files on stand-alone UNIX systems. In
this section, the Network Information Services (NIS) facility, which was developed
by Sun Microsystems, is explored and discussed. NIS supports a centralized
management approach to such things as account management and hostname
resolution. The NIS service provides a distributed database for UNIX accounts as
well as other important services. NIS is a general text file lookup facility. In general,
NIS provides a namespace domain where object elements are defined on a server
and are then made available across a network in a distributed fashion. The
information can be stored on several servers to build a robust, mission-critical
database service that can be used across a large enterprise of systems. Clients make
requests for objects (such as a UNIX login) from the network and one of the NIS
servers answers and responds with the correct information.

15.1 Overview of Network Information Services
A NIS server can be configured to serve a variety of database files that include
/etc/hosts, /etc/passwd, and /etc/group. A default list of NIS
services is shown in Table 15-1 along with any associated configuration files.
The NIS databases are derived from the standard UNIX configuration files.
To support these NIS services, one or more NIS servers are installed on the
network and are used to support a cluster or domain of machines, which
consist of servers and clients. When NIS systems are set up, a NIS domain must
be defined, which determines the scope of machines involved. For example, if
the engineering department wishes to deploy a number of NIS servers and
clients, a domain called eng can be defined on each of the machines. A NIS
domain is simply a collection of machines that have something in common.
Each server is configured to support one or more NIS domains that service
requests for information from NIS clients within that domain. However, a NIS
server may support more than one NIS domain, but there should be only a
single NIS master as primary per domain. A NIS master is simply a machine
that acts as an authoritative server for a particular NIS domain. In a typical
configuration, at least two NIS servers are deployed for each domain: one as
a primary master and the other as secondary. The secondary contains the exact
same information as the primary, but all changes are made on the primary.

Hint

A NIS server doesn’t necessarily have to serve all of the database files listed
in the table, but rather only those deemed required by the administrator. It will
be up to the administrator to determine which databases are needed within the
NIS domain.

Hint

When NIS was first introduced, it was called “Yellow Pages,” but due to a
conflict with a company that already has the right to that name, Sun changed
the service to NIS. However, many of the tools and software programs still
contain the “yp” string, which stood for “Yellow Pages.”

Hint

This section describes version 2 of the NIS system; a newer version of NIS
is available, but not reviewed in this module. The new version of NIS (called
NIS+) provides increased security, the ability to scale to larger networks, and
enhanced administrative functions.

Table 15-1   NIS Services and Associated UNIX Files

Services                    Description
Hostname resolution         Maps name to IP addresses and IP addresses to names;
                            replaces the local /etc/hosts database file; reverse
                            mapping that replaces the local /etc/ethers file.
UNIX account authentication Provides UNIX login services with central account
                            authentication; replaces the /etc/passwd,
                            /etc/group, and /etc/shadow local files.
Group level security        Provides rudimentary authentication based on groups.
IP network masks            Provides a mapping between subnet networks and
                            their corresponding network masks; replaces the
                            /etc/netmasks file.
IP networks name            Maps network names to IP networks; replaces the
                            local /etc/networks file.
Mail aliases                Supports mail aliases, which are obtained from the
                            local /etc/aliases file.
Network protocols           Maps network protocol names to numbers.
Network services            Maps network services to network ports.
Time zone definition        Contains the time zone of the local network; uses
                            the /etc/timezone file.

When a change is made on the primary NIS server, the information is “pushed” to
the secondary automatically.
When a client system boots, it binds to one of the NIS servers within the client’s
domain. All requests for database information, such as UNIX authentication or host
resolution, are sent to the server for which the client is bound.

15.2 Discover NIS Components
A NIS server contains the following:
● Databases
● Processes
● Tools

Databases
The NIS server maintains a database for each type of file or network service
available on UNIX. For example, for name resolution, the /etc/hosts file is
used and NIS database files are constructed from this file. When the NIS server
is set up, each of the local files on the NIS server is used as the basis for the NIS
databases. Each NIS database served by a NIS server is known as a NIS map and
these maps are located within the /var/yp directory. For each NIS service, one
or more DBM database files are created to provide very quick access to the contents.
For instance, for the /etc/hosts file, the following DBM files are created:
-rw-------   1 root     1         4096 Feb 25 22:06 hosts.byaddr.dir
-rw-------   1 root     1         4096 Feb 25 22:06 hosts.byaddr.pag
-rw-------   1 root     1         4096 Feb 25 22:06 hosts.byname.dir
-rw-------   1 root     1         3072 Feb 25 22:06 hosts.byname.pag

These files support key/content pairs that make up the database. The .dir
files contain a bit map of the file data, while the actual data is stored in the
.pag files. In the case of the /etc/hosts file, two separate database files are
maintained: one that sorts the database by IP address (hosts.byaddr), while
the other does so by hostname (hosts.byname).
To determine which services and/or files are supported by a particular NIS
server, examine the /var/yp/<domain> directory, where <domain> is the
NIS domain—for example, home.com. Thus, the command
ls -l /var/yp/home.com/*.pag


shows all the maps for the home.com domain:
/var/yp/home.com/auto.home.pag
/var/yp/home.com/auto.master.pag
/var/yp/home.com/group.bygid.pag
/var/yp/home.com/group.byname.pag
/var/yp/home.com/hosts.byaddr.pag
/var/yp/home.com/hosts.byname.pag
/var/yp/home.com/ipnodes.byaddr.pag
/var/yp/home.com/ipnodes.byname.pag
/var/yp/home.com/mail.aliases.pag
/var/yp/home.com/mail.byaddr.pag
/var/yp/home.com/netgroup.byhost.pag
/var/yp/home.com/netgroup.byuser.pag
/var/yp/home.com/netgroup.pag
/var/yp/home.com/netid.byname.pag
/var/yp/home.com/netmasks.byaddr.pag
/var/yp/home.com/networks.byaddr.pag
/var/yp/home.com/networks.byname.pag
/var/yp/home.com/passwd.byname.pag
/var/yp/home.com/passwd.byuid.pag
/var/yp/home.com/protocols.byname.pag
/var/yp/home.com/protocols.bynumber.pag
/var/yp/home.com/publickey.byname.pag
/var/yp/home.com/rpc.bynumber.pag
/var/yp/home.com/services.byname.pag
/var/yp/home.com/services.byservicename.pag
/var/yp/home.com/timezone.byname.pag
/var/yp/home.com/ypservers.pag

Processes
A NIS server is a machine that has been configured to run NIS server software
and contains one or more NIS database files. The configuration of a NIS server
involves the ypinit script, which builds NIS databases and starts the appropriate
NIS processes. On a standard NIS server, the following processes are necessary:
● ypserv
● ypxfrd
● ypbind
● rpc.yppasswdd

A NIS client will typically run a subset of these processes. The programs
are started automatically when the NIS server is configured. Thus, manual
manipulation of these processes is not normally necessary. However, on Solaris
and HP-UX, a script called /usr/lib/netsvc/yp/ypstart is provided to
start the NIS server manually. To stop the server, use ypstop. On Linux, use
the /etc/rc.d/init.d/ypbind script with the stop option.

ypserv
This is the main NIS server process; it listens on the network for NIS requests,
performs database lookups on objects, and returns responses to clients. The
interaction between the client and server is by means of remote procedure
calls (RPCs).

ypxfrd
When it becomes necessary to transfer an entire NIS map from one host to
another, the ypxfrd process is the most efficient means of doing so. It is
typically run when the ypserv is started to handle any transfer of database
maps between the primary and any secondary servers.

ypbind
This process is typically run on client systems and is the vehicle by which clients
talk to NIS servers. A client system is said to be bound to a particular NIS server
when the ypbind process is started; this is usually at system startup. A client
may bind to a specific server or whichever server responds to a bind request.

rpc.yppasswdd
This program is used to handle UNIX password changes across the NIS domain.
This program is run on each client system (and any NIS server if necessary) to
process passwd requests on behalf of normal UNIX users.

Tools
NIS provides a standard set of tools for managing NIS servers, verifying NIS
operations, and debugging problems. Table 15-2 shows the most important and
relevant NIS tools sorted by generic functional types.

Table 15-2   Standard NIS Tools

NIS Tools      Description

Verification and Lookup
ypcat          Retrieves the contents of a NIS map.
ypwhich        Shows to which NIS server a client is bound.
ypmatch        Displays the values of the keys from one or more
               NIS maps.

General Operations
yppasswd       Changes a user’s NIS password.
ypmake         Updates the NIS maps across all NIS servers.
ypxfr          Transfers an entire NIS map.
ypset          Forces a NIS client to bind to a specific server.
yppush         Pushes out updated maps to all NIS servers.

Debugging
yppoll         Determines information about a specific NIS map.

ypcat
The ypcat command is used to retrieve a NIS map from a server. When supplied
with the name of a map, it obtains the latest copy of the NIS map from the
server to which the local system is bound. For example, the following command
can be used to obtain the passwd map from the NIS server:
# ypcat passwd

The sample output includes
anonymou:*LK*:102:1::/home/anonymou:/bin/sh
nobody:ZVgYQwi9shwvI:60001:60001:Nobody:/:
daemon:NP:1:1::/:
anitat::1001:10:Ms. Anita Tognazzini:/home/anita:/bin/sh
nuucp:NP:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
root:gFcK3fd1xU8K6:0:1:Super-User:/:/sbin/sh
adm:NP:4:4:Admin:/var/adm:
noaccess:NP:60002:60002:No Access User:/:
jjwalker:*LK*:25000:1:Mr JJ Walker:/home/jj:/bin/sh
nobody4:NP:65534:65534:SunOS 4.x Nobody:/:
stevem:2OsoeROlKBFLQ:20001:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
listen:*LK*:37:4:Network Admin:/usr/net/nls:
billc:88kn2zz5.roeE:20002:10:Mr. Bill Clinton:/homes/billc:/usr/bin/bash
uucp:NP:5:5:uucp Admin:/usr/lib/uucp:
samc::20110:10:Mr Sam Clinton:/homes/samc:/bin/sh
sys:NP:3:3::/:
bin:NP:2:2::/usr/bin:
lp:NP:71:8:Line Printer Admin:/usr/spool/lp:

This NIS map will contain all the UNIX accounts that have been established
on the NIS server. Assuming this command was run on a NIS client, the fact
that the transfer was successful means that the NIS server is able to deliver this
particular NIS map to the requesting system.
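Because the map above is handed to any client that binds to the domain, its contents deserve the same review as a local /etc/passwd. The following is an added example, not code from the book: it parses a passwd map in the format ypcat printed above (a subset transcribed inline) and reports the entries an administrator would follow up on, including the two accounts in the sample whose password field is empty. Function names and the marker set are this example's own.

```python
"""Added example (not from the book): review the passwd map that ypcat
returned above the way you would review /etc/passwd. Any client that can
bind to the NIS domain can pull this map, so every password hash in it is
readable by each such client."""

# Constructed sample: entries transcribed from the ypcat passwd output above.
PASSWD_MAP = """\
anonymou:*LK*:102:1::/home/anonymou:/bin/sh
nobody:ZVgYQwi9shwvI:60001:60001:Nobody:/:
daemon:NP:1:1::/:
anitat::1001:10:Ms. Anita Tognazzini:/home/anita:/bin/sh
root:gFcK3fd1xU8K6:0:1:Super-User:/:/sbin/sh
jjwalker:*LK*:25000:1:Mr JJ Walker:/home/jj:/bin/sh
stevem:2OsoeROlKBFLQ:20001:10:Mr. Steve Maxwell:/homes/stevem:/usr/bin/bash
samc::20110:10:Mr Sam Clinton:/homes/samc:/bin/sh
"""

# Password-field values that are not hashes: Solaris "*LK*" (locked) and "NP"
# (no password), plus the "x", "*" and "!" markers used by other UNIX variants.
NOT_A_HASH = {"*LK*", "NP", "x", "*", "!", "!!"}

def parse_passwd_map(text):
    """Parse passwd(4)-style lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries

def audit_passwd_map(text):
    """Return the findings a NIS administrator would act on: accounts with an
    empty password field (no password needed to log in), accounts whose hash
    is published in the map, UID 0 accounts other than root, and UIDs shared
    by more than one account."""
    report = {"empty_password": [], "exposed_hash": [], "uid0_not_root": []}
    by_uid = {}
    for e in parse_passwd_map(text):
        if e["password"] == "":
            report["empty_password"].append(e["name"])
        elif e["password"] not in NOT_A_HASH:
            report["exposed_hash"].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            report["uid0_not_root"].append(e["name"])
        by_uid.setdefault(e["uid"], []).append(e["name"])
    report["duplicate_uid"] = [names for _, names in sorted(by_uid.items())
                               if len(names) > 1]
    return report
```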

Hint

Being able to retrieve a particular map from the NIS server does indicate that
the server is functional. However, it doesn’t mean that other maps can be
retrieved or that a map contains correct information.

ypwhich
The ypwhich command is used to show to which NIS server a client is bound;
it provides a handy way to determine if the client is connected to a NIS server.
The command
ypwhich

will show the name of a valid NIS server if the client was able to bind to a NIS
server during the boot process or if the bind was invoked after booting. This
command can also be used to list all the defined NIS map nicknames. A NIS
nickname is simply another name for the NIS map. The -x option displays all
the defined NIS nicknames:
# ypwhich -x
Use "ethers"    for map "ethers.byname"
Use "aliases"   for map "mail.aliases"
Use "services"  for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts"     for map "hosts.byname"
Use "networks"  for map "networks.byaddr"
Use "group"     for map "group.byname"
Use "passwd"    for map "passwd.byname"

These nicknames are found in the /var/yp/nickname file. On Linux, this
file by default contains the above mapping, while on Solaris and HP-UX the file
is empty.


yppasswd
The yppasswd command is used to change a UNIX account password on the
NIS master server. Actually, on Solaris this command is a link to the passwd
command. Normally, when the passwd command is used it will change the
user’s password on the local system. This is not what is needed since the
password change is only for the local machine. As the administrator, it will
be your job to instruct users to use the yppasswd command to change their
passwords for the NIS environment. The following example shows the output
when the NIS user stevem changes his password:
# yppasswd stevem
New password:
Re-enter new password:
NIS passwd/attributes changed on bedrock

In this case, bedrock is a NIS master server.

ypmake
The ypmake command doesn’t actually exist; it is just a shorthand reference
to update the NIS maps on the NIS master. The administrator must invoke the
make command within the /var/yp directory. Executing the make command
within this directory causes the NIS Makefile to be parsed, which results in
NIS maps being updated and pushed to secondary (slave) NIS servers.
This command would be run after one or more of the UNIX system files
have been updated on the NIS master so that the changes can take effect and be
pushed out to the other NIS servers. For example, when a new user is added to
the /etc/passwd file on the NIS master and the make command is executed,
the following would be displayed:
# make
updated passwd
pushed passwd

The output of this command means the passwd NIS map was updated
successfully.

ypxfr
The ypxfr command is used to retrieve one or more NIS maps from a NIS server
to another host on the network. Typically, this command is run from the root
crontab file to transfer NIS maps automatically on a periodic basis. Several scripts
are provided with NIS to aid in automating the NIS map transfer function.
The scripts are located within the /usr/lib/netsvc/yp directory.

ypset
The ypset command is used to force a client to bind to a particular NIS server.
This command is used in situations where no NIS server exists on the local
network and the NIS broadcast option is not used or the network infrastructure
doesn’t support broadcast facilities.

yppush
This command is used to push or update all secondary NIS servers with changes
from the master. It is not normally invoked by the administrator; instead, the make
command via the NIS update process invokes this command.

yppoll
The yppoll command is used to determine the order number for a NIS map.
This can be used to determine when maps are being updated either on the NIS
master or any secondary. For example, the command
# yppoll group.byname

shows the following:
Domain home.com is supported.
Map group.byname has order number 1014880132.
The master server is bedrock.

The order number is used like a serial number so that a new version of NIS
maps can be detected. In this example, the order number for the group map is
1014880132. Thus, when this map is updated on the NIS master, such as
# touch /etc/group
# cd /var/yp;make
updated group
pushed group
updated netid
pushed netid

and we again run the yppoll command, we see that the order number has
been incremented:
# yppoll group.byname
Domain home.com is supported.
Map group.byname has order number 1014880550.
The master server is bedrock.

Note that the order number is incremented from the first example.
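
Because yppoll can be pointed at any server (the -h host option), comparing the order number a secondary reports with the master's shows which secondaries are still serving an old copy of a map. This added example (ours, not the book's) does that comparison; the yppoll outputs are constructed in the format shown above, using the book's hosts bedrock and dino plus a constructed secondary named barney.

```python
"""Detect NIS secondaries serving stale maps by comparing yppoll order numbers.

Added example, not from the book.  The yppoll outputs below are constructed
in the format shown above: bedrock is the master, dino a secondary that
has not received the latest push, barney a secondary that is current.
"""
import re

ORDER_RE = re.compile(r"Map (\S+) has order number (\d+)\.")
MASTER_RE = re.compile(r"The master server is (\S+)\.")

# Constructed: {server polled: its "yppoll -h server group.byname" output}
POLLS = {
    "bedrock": (
        "Domain home.com is supported.\n"
        "Map group.byname has order number 1014880550.\n"
        "The master server is bedrock.\n"
    ),
    "dino": (
        "Domain home.com is supported.\n"
        "Map group.byname has order number 1014880132.\n"
        "The master server is bedrock.\n"
    ),
    "barney": (
        "Domain home.com is supported.\n"
        "Map group.byname has order number 1014880550.\n"
        "The master server is bedrock.\n"
    ),
}


def parse_yppoll(output):
    """Return (map_name, order_number, master) from one yppoll output."""
    m = ORDER_RE.search(output)
    s = MASTER_RE.search(output)
    if not m or not s:
        raise ValueError("unrecognised yppoll output:\n" + output)
    return m.group(1), int(m.group(2)), s.group(1)


def stale_secondaries(polls):
    """Given {host: yppoll output} for one map, return [(host, lag)] for
    every host whose copy is older than the master's, most stale first.

    lag is the difference in order numbers; makedbm stamps a map with its
    build time in seconds since the epoch, so in practice lag is seconds.
    A host that names a different master or a different map is a
    misconfiguration and raises ValueError rather than being skipped.
    """
    parsed = {host: parse_yppoll(out) for host, out in polls.items()}
    maps = {p[0] for p in parsed.values()}
    masters = {p[2] for p in parsed.values()}
    if len(maps) != 1 or len(masters) != 1:
        raise ValueError(f"inconsistent answers: maps={maps} masters={masters}")
    master = masters.pop()
    if master not in parsed:
        raise ValueError(f"master {master} was not polled")
    master_order = parsed[master][1]
    stale = [(host, master_order - order)
             for host, (_, order, _) in parsed.items()
             if host != master and order < master_order]
    return sorted(stale, key=lambda item: -item[1])


if __name__ == "__main__":
    for host, lag in stale_secondaries(POLLS):
        print(f"{host}: order number lags the master by {lag}")
```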

1-Minute Drill

● If you are a system administrator using NIS on your network for account
authentication, what is something you need to let users know about
their accounts?

● What three components does a NIS server have?

15.3 Setting Up a NIS Server
When configuring one or more NIS servers, use the ypinit command to
configure the NIS server. This command is used to set up both NIS master and
secondary servers. This command creates the /var/yp directory structure and
the NIS database files.

Project 15-1
In this project, you’ll set up a NIS server. You should substitute the names of
your domains and NIS servers for the NIS domain home.com and the NIS
servers bedrock and dino used in the example.

Step-by-Step
1. Set the system domain name:
On Solaris and HP-UX, edit the /etc/defaultdomain file and add the
NIS domain name. In this case, the home.com name is added to this file. On
Linux, add the NIS_DOMAIN variable to the /etc/sysconfig/network file.

Hint

Certain versions of Linux don’t support this method. As a result, add the
command nisdomainname with the appropriate domain string to the
/etc/rc.d/init.d/ypserv file. For example, the line nisdomainname
home.com added to the beginning of the ypserv script ensures that when
this startup script is executed during system boot, the NIS domain name is
set automatically.

● You need to let them know to change their password with the yppasswd command instead of passwd.
● Databases, processes, tools

2. Execute the ypinit –m command on the NIS master machine. When done,
similar output will be displayed:
In order for NIS to operate sucessfully, we have to construct a list of the
NIS servers. Please continue to add the names for YP servers in order of
preference, one per line. When you are done with the list, type a <control D>
or a return on a line by itself.
next host to add: bedrock
next host to add:
The current list of yp servers looks like this:
bedrock
Is this correct?  [y/n: y]

Installing the YP database will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n]
OK, please remember to go back and redo manually whatever fails. If you
don't, some part of the system (perhaps the yp itself) won't work.
The yp domain directory is /var/yp/home.com
Can we destroy the existing /var/yp/home.com and its contents? [y/n: n] yes
There will be no further questions. The remainder of the procedure should take
5 to 10 minutes.
Building /var/yp/home.com/ypservers...
Running /var/yp/Makefile...
updated passwd
updated group
updated hosts
updated ipnodes
updated ethers
updated networks
updated rpc
updated services
updated protocols
updated netgroup
/var/yp/home.com/mail.aliases: 4 aliases, longest 25 bytes, 80 bytes total
/usr/lib/netsvc/yp/mkalias /var/yp/`domainname`/mail.aliases
/var/yp/`domainname`/mail.byaddr;
updated aliases
updated publickey
updated netid
/usr/sbin/makedbm /etc/netmasks /var/yp/`domainname`/netmasks.byaddr;
updated netmasks
updated timezone
updated auto.master
updated auto.home
bedrock has been set up as a yp master server without any errors.
If there are running slave yp servers, run yppush now for any data bases
which have been changed. If there are no running slaves, run ypinit on
those hosts which are to be slave servers. Enter the NIS server and answer
the remaining questions.

3. Reboot the NIS server, or on Solaris and HP-UX, run the command
/usr/lib/netsvc/yp/ypstart. For Linux, run the /etc/rc.d/init.d/ypserv
command. When executed, the following will be displayed:
Solaris:
starting NIS (YP server) services: ypserv ypbind ypxfrd rpc.yppasswdd done.

Linux:
Starting YP server services:                               [  OK  ]

Errors may be encountered when the ypinit command is executed, such as
the following:
make: Warning: Don't know how to make target `/etc/ethers'
make: Warning: Target `all' not remade because of errors
Current working directory /var/yp
*** Error code 1
make: Fatal error: Command failed for target `k'
Error running Makefile.
bedrock has been set up as a yp master server with errors. Please remember
to figure out what went wrong, and fix it.

This error is displayed because one of the local files (/etc/ethers, in this
case) can’t be found on the system. However, the administrator can choose
which files are maintained by the NIS server; thus, it is not necessary to have
the /etc/ethers file. The problem can be fixed in one of two ways: create
a dummy /etc/ethers file or edit the NIS Makefile that is located within
the /var/yp directory and strip out the ethers entry.
4. Verify NIS server functionality. On a NIS client system, execute the following
commands: ypwhich and ypcat. Thus,
dino# ypwhich
bedrock

This command shows to which NIS server the client is bound, and in this
example the client dino is bound to the NIS server called bedrock. The
ypcat command displays the contents of a NIS map that is located on
the NIS primary server. For example, to view the contents of the group
map database, use the following command:
ypcat group

If the ypwhich command shows the correct server and the ypcat command
yields the correct contents, the NIS server is functional. Note that any NIS
map database name can be supplied with the ypcat command.

15.4 Configure a NIS Client
Many versions of UNIX support NIS client functionality. In particular, the setup
of clients for HP-UX and Solaris is the same. However, the configuration needed
for Linux is different. In general, the configuration of a NIS client system is a
very straightforward procedure as compared to the server setup. The process
includes the following for Solaris and HP-UX:
1. Set the NIS domain.
2. Make sure the client can talk to the NIS server via ping.
3. Modify the /etc/nsswitch.conf file to use NIS services.
4. Execute the ypinit script—just run the ypinit script with the –c
option for Solaris and HP-UX. Thus, the command
# ypinit -c

shows the following:
In order for NIS to operate sucessfully, we have to construct a list of the
NIS servers. Please continue to add the names for YP servers in order of
preference, one per line. When you are done with the list, type a <control D>
or a return on a line by itself.
next host to add: bedrock
next host to add:
The current list of yp servers looks like this:
bedrock
Is this correct?  [y/n: y] y

(Add a server name at the first "next host to add:" prompt; type control D
at the second prompt to end adding list entries.)

For Linux, do the following:
1. Modify the /etc/yp.conf file and set the NIS domain and server.
2. Modify the /etc/nsswitch.conf file to use NIS services.
3. Execute /etc/rc.d/init.d/ypbind.

To ensure that the NIS client can talk to the NIS server, do the following:
● Execute the ypwhich command to ensure that the correct server is reported.

15.5 Setting Up a Secondary NIS Server
Although a NIS secondary or slave server is not specifically required, it is highly
recommended that at least one secondary system be set up to ensure that no
single point of failure causes NIS clients to become inoperable should a NIS
server fail. In practice, it is common to deploy several secondary NIS servers
within a corporate enterprise network to increase resiliency and to handle
rudimentary load balancing for NIS clients.
To set up a NIS secondary, do the following:
1. Make sure the NIS domain has been set up on the NIS secondary server.
2. Make sure that the secondary can talk to the primary NIS server via ping.
3. Execute the ypinit script on the NIS secondary server and supply the
NIS master machine using the –s option:
# ypinit -s bedrock

bedrock is the NIS master server

Installing the YP database will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n]
OK, please remember to go back and redo manually whatever fails. If you
don't, some part of the system (perhaps the yp itself) won't work.
The yp domain directory is /var/yp/home.com
Can we destroy the existing /var/yp/home.com and its contents? [y/n: n] yes
There will be no further questions. The remainder of the procedure should take
a few minutes, to copy the data bases from bedrock.
Transferring auto.home...
Transferring auto.master...
Transferring timezone.byname...
Transferring netmasks.byaddr...
Transferring netid.byname...
Transferring mail.byaddr...
Transferring mail.aliases...
Transferring netgroup.byhost...
Transferring netgroup.byuser...
Transferring netgroup...
Transferring protocols.byname...
Transferring protocols.bynumber...
Transferring services.byservicename...
Transferring services.byname...
Transferring rpc.bynumber...
Transferring networks.byaddr...
Transferring networks.byname...
Transferring ethers.byname...
Transferring ethers.byaddr...
Transferring ipnodes.byaddr...
Transferring publickey.byname...
Transferring ipnodes.byname...
Transferring hosts.byaddr...
Transferring hosts.byname...
Transferring group.bygid...
Transferring group.byname...
Transferring passwd.byuid...
Transferring passwd.byname...
Transferring ypservers...

dino's nis data base has been set up without any errors.

In this example installation, the machine called dino has been set up as a
NIS secondary server for the home.com domain. All of the NIS maps have
been transferred to the secondary, as shown by the “Transferring”
messages.
4. Finally, on the NIS master, add the hostname of the NIS secondary
to the ypservers file, which on Solaris and HP-UX is located in the
/var/yp/binding// directory, while on Linux
the location of the file is /var/yp. This file contains a list of all the
NIS servers (including the master itself) that the master should push
updates to when NIS maps are modified. For the home.com domain,
the file contains the following:
bedrock
dino

Hint

By default, when the NIS master has been set up (when the ypinit –m
command has been executed), this file is automatically created and contains
the name of the NIS master server; thus, when adding NIS secondary servers,
the file should already be available for editing.

Mastery Check
1. True/False: The ypmake command updates the NIS maps on the
NIS master.
2. What command is used to change a UNIX account password on the NIS
master server?
3. For NIS database files, the actual data is stored within _________ files.
4. For NIS database files, the _________ files contain a bit map of the
file data.
5. What is the command that shows which server a client is bound to?
6. What is the command to configure a secondary NIS server if the secondary
server is named barney and the master server is fred?
A. # ypinit -s fred
B. # ypinit -s barney
C. # ypinit -m barney
D. # ypinit -m
7. What is the command to configure a NIS client named barney if the
master NIS server is named fred?
A. # ypinit -c fred
B. # ypinit -c barney
C. # ypinit -m barney
D. # ypinit -c
8. What command discussed in this module produces the following line
of output?
Use "protocols" for map "protocols.bynumber"

9. What command discussed in this module produces the following line
of output?
Transferring protocols.byname...

10. The __________ is used in situations where no NIS server exists on the
local network and the NIS broadcast option is not used or the network
infrastructure doesn’t support broadcast facilities.

Module 16

SNMP System Management Tools

Critical Skills
16.1 Discover Elements of System Management
16.2 Explore the UCD SNMP Package
16.3 Use the UCD Management Tools

When addressing system management from a more global or even group
basis, it is important that robust and scalable solutions be available to
handle the many different aspects of system management. For example, consider
the potential impact of a UNIX server failure, which means that an important
system is unusable until it can be fixed and brought back in service.

16.1 Discover Elements of System Management
Every moment the system is down, it can financially impact the company. If the
failed system went down in the middle of the night, this might not be detected
until the next morning when users attempted to access the system. In this case,
a significant amount of time has gone by and the problem should have been
detected much earlier (just as the system went down). This is the job of a system
or network management application.
As previously mentioned, SNMP is a powerful protocol that provides both
system and network management functions. However, SNMP by itself is just
a set of rules for how to obtain information and provide control for systems
and network devices; the administrator needs specific tools to help manage
systems that support SNMP. Due to the popularity of SNMP, several robust
and functional SNMP applications are available for UNIX. These tools can be
used to provide system management functions such as system heartbeat, system
up/down messages, system process activity, network information (protocol
statistics, interface performance, and routing information), system information,
and configuration control.
Although the subject of the book is centered on UNIX system administration,
it is helpful to review some elements of networking that involve other devices,
since more and more system administrators are called upon to manage networking
components as well. Thus, some of the examples provided involve configuration
of networking devices such as routers.

Hint

From a network management standpoint, the management of UNIX systems is very
similar to the management of networking devices such as routers, switches, and
other networking components that support SNMP.

Hint

The SNMP tools described here come standard on Linux, but must be installed
on other UNIX versions such as Solaris and HP-UX.

System Heartbeat
A system heartbeat is used to determine the general health of a system. In the
case of SNMP, a system manager application uses a get request message to
determine the general reachability of an agent and the system. For example,
the system administrator may poll the system clock MIB variable of the agent
to determine that each successive poll is more recent than the previous one.
Each successive poll should indicate that time is moving forward. The MIB
variable that may be polled is the unixTime object, which is part of the
sunSystem group of the Sun system agent. As an alternative, the sysUpTime
object may be polled from the MIB-2 system group, which should be supported
on all SNMP agents.

Hint

Specific MIB agent information is available in Appendix C under “Using
UNIX SNMP Agents.”

Hint

Polling a single SNMP MIB object can serve as the means by which a system
heartbeat can be established. Thus, when a series of polls fail, either the
SNMP agent isn’t working or the system is having trouble communicating
on the network.

System Up/Down Messages
Should the system be brought down and rebooted for any reason, a message
will be sent to the designated network management system in the form of
an SNMP trap. Recall that a trap is an unsolicited message emitted from the
agent indicating some special condition or event. By receiving these messages,
the manager is informed (for example) of system outages and can take
appropriate action. The Linux agent, for example, uses a configuration file,
and additional tools can be used to forward trap messages to one or more
network management systems.

System Process Activity
The SNMP agents support the management of critical system activities and
other aspects of system administration. With the Sun MIB and the UCD agent,
the monitoring of system processes is possible. Thus, with the SNMP agent,
the administrator may obtain a detailed list of processes on the system. This
functionality is analogous to executing the ps command remotely. Additional
agent functions can establish the overall health of the system or the condition
of an individual component by monitoring critical processes and other related
information.

Network Information
Many SNMP agents support the MIB-II standard, which means that protocol
performance monitoring and basic system monitoring are possible. This includes
monitoring of IP, ICMP, TCP, SNMP, network interface counters, and additional
agent system performance objects. Also, additional network protocol MIBs are
supported by the agents, which provide even greater information and control of
the network and system elements. For example, route-monitoring MIB objects
can report the routing configuration of a system and report any errors found.
Or, if an organization has determined that each UNIX workstation must have
a default route, this can be verified by probing the SNMP agent within these
systems. Agents also provide objects that contain performance information for
each of the network interfaces installed within the system. With this information,
it is possible to report on network performance of all active interfaces.

System Configuration Control
Many networked systems (for example, UNIX workstations, printers, and so
forth) must be configured before they can be effectively used. For example,
the configuration of important services like DNS client configuration can be
managed with an SNMP agent. Also, as network requirements change, so too
the configurations within these systems must change. SNMP tools can be used
to alter system configuration in an automated fashion, thus reducing the interaction
and tasks from the system administrator’s point of view. Today, most versions
of UNIX support one or more SNMP agents. With Linux, the UCD package is
provided by default, while on Solaris the Sun SNMP agent is available. On
HP-UX, the Emanate SNMP agent is provided.

Hint

All of these agents support MIB-II objects.

16.2 Explore the UCD SNMP Package

The University of California at Davis (UCD) package provides not only a robust
and powerful SNMP agent, but it also provides a series of handy tools that can
be used to manage SNMP-enabled systems and query any SNMP agent. These
tools support SNMPv1, SNMPv2, and SNMPv3 management protocols, and
each SNMP version is available using command-line options. These command-line
tools can be used to build scripts or other programs to accomplish management
functions or other customized tasks. For example, the snmpget command can
monitor critical server network interfaces to determine if one or more of them
become inoperable. In such a case, the system administrator can be notified
automatically should a failure occur. The UCD package includes tools that
obtain MIB information and also tools to alter MIB objects. Table 16-1 lists
all the commands that are provided by the UCD package.

Hint

Only the most common UCD package tools are fully described in this module.

Command         Description
snmpconf        Configures SNMP agent based on configuration file.
snmpdelta       Monitors changes of SNMP variables.
snmpget         Obtains one or more MIB object values.
snmpgetnext     Continuously walks an SNMP MIB tree and obtains MIB object values.
snmpnetstat     Obtains agent interface configuration information.
snmpset         Sets one or more MIB objects to specified value.
snmpstatus      Obtains important MIB object information.
snmptable       Obtains a complete SNMP table.
snmptest        Communicates with an SNMP agent entity.
snmptranslate   Converts MIB objects into more meaningful information.
snmptrap        Sends SNMP trap messages to one or more managers.
snmptrapd       Retrieves SNMP traps from the network.
snmpwalk        Obtains a group of related MIB objects.
snmpbulkwalk    Obtains a MIB object with SNMP bulk request.

Table 16-1  UCD SNMP Applications

Hint

Instead of using the native SNMP agents from different vendors, and because
the UCD SNMP package is functional on many different releases of UNIX, it is
recommended that this agent be deployed across most (if not all) of the
important systems. Using a single agent will simplify many aspects of system
management and configuration.

The basic syntax of most of the UCD tools includes the following:
snmpcmd protocol_version [additional_options] hostname community object [object]

The snmpcmd is a placeholder and represents one of the commands
listed in Table 16-1. The word protocol_version determines which SNMP
protocol version should be used and can be 1, 2c, or 3. The command-line
option 1 represents the standard SNMPv1 format, which includes the use of a
simple password for authentication. The 2c option indicates differences within
the supported SNMP protocol data units, but uses the same community-based
approach as in SNMPv1. The final option, 3, indicates the use of the SNMPv3
security model, which provides the most advanced security model available
for SNMP.
The additional_options placeholder represents options that control
both display attributes and operational behavior of the tools. The most commonly
used command-line options are described next. Luckily, most of the tools support
these common options. The hostname can be replaced with the name of
any system on the network that contains an SNMP agent that matches the
protocol_version information specified on the command line. Also,
a valid IP address, expressed in dotted notation, may be used instead of a
hostname. The community represents the password strings for authentication
if version 1 or 2c is used.
The object represents the MIB OID that should be retrieved (in the case
of an SNMP get request) or altered (in the case of an SNMP set request). It may
be expressed in either dotted numeric or dotted named notation. In the case of
an SNMP set request operation, additional object information will be required.
Note that one or more MIB objects may be specified on the command line.

Common Command-Line Options
UCD tools share a number of common command-line arguments. Having a core
set of options makes them easier to remember and use. The arguments supported
by all the commands are divided into two categories: operational options and
display options. The operational options control the behavior of each of the
tools, while the display options control how the MIB objects, associated values,
and other information are displayed.

Application Display Options
Table 16-2 lists the display arguments that control some aspect of the output.
Note that the table does not fully describe each of the available options. For
instance, the -h option, which displays a help string of the command-line
arguments, is not described because it is fairly intuitive.
Three of these options provide control over how MIB object path information
is formatted and displayed: -f, -s, and -S. The -f option displays the full
object identifier path information. Thus, this option will display the object
system.sysContact.0

with the full MIB path
.iso.org.dod.internet.mgmt.mib-2.system.sysContact.0

The -s option permits only the suffix component of the OID to be printed;
the last symbolic portion of the MIB object identifier will be shown. For example,
the –s option will display the object
.iso.org.dod.internet.mgmt.mib-2.system.sysName.0

in the following format:
sysName.0

Option   Description
-D       Displays debugging information.
-S       Displays both suffix identifiers and MIB name.
-V       Displays version information for the tools.
-d       Dumps SNMP packets to the display.
-f       Displays the full object identifier path.
-h       Displays a help message.
-q       Makes the output easier to parse for programs.
-s       Displays only suffix identifiers.

Table 16-2  Common UCD Application Command-Line Options

Finally, the -S option requests that the MIB object be printed with both
the suffix and the MIB name. Thus, with this option, the object
.iso.org.dod.internet.mgmt.mib-2.system.sysUpTime.0

will be shown as:
SNMPv2-MIB:sysUpTime.0

Note
In this example, the sysUpTime object is found within the SNMPv2-MIB; this is
true when the UCD tools are used. Traditionally, however, this object is found in
the MIB-II tree.

Hint

Use the –q option to format the output so that it will be suitable as input to
other UNIX tools and programs.

If you need to collect SNMP information from a system and use this
information as input into another program, the -q option will come in handy.
Normally, MIB object information is displayed as shown:
system.sysObjectID.0 = OID: enterprises.9.1.17
system.sysUpTime.0 = Timeticks: (139494644) 16 days, 3:29:06.44
system.sysContact.0 = Matthew Maxwell
system.sysName.0 = remote-gw5
system.sysLocation.0 = Remote Sales Office (San Jose)
system.sysServices.0 = 6

This option, which stands for quick format, causes the output from the
UCD tools to be formatted differently. First, the equal sign (=) is removed; this
makes it easier to parse because the data is now in columnar format. Second,
notice that both the sysObjectID and sysUptime formats have been altered.
The information for these two objects in the preceding example is interpreted,
while, in the following example, only the raw data is displayed:
system.sysObjectID.0 enterprises.9.1.17
system.sysUpTime.0 16:3:24:11.44
system.sysContact.0 Matthew Maxwell
system.sysName.0 remote-gw5
system.sysLocation.0 Remote Sales Office (San Jose)
system.sysServices.0 6
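
The System Heartbeat passage in 16.1 and the -q output above come together in this added example (ours, not the book's): it reads sysUpTime.0 as the tools print it in both the default and the quick format and turns a series of polls into heartbeat verdicts. The poll strings are constructed; the timeout line and the freshly booted value are assumptions about what those answers look like.

```python
"""Heartbeat from successive sysUpTime polls (default and -q output formats).

Added example, not from the book.  Parses system.sysUpTime.0 as the UCD
tools print it, in both the default "Timeticks: (N) ..." form and the -q
quick form "days:hours:minutes:seconds.hundredths", and compares
successive polls: time must move forward; a drop means the agent (usually
the whole system) restarted; an unparseable poll means no answer.
"""
import re

DEFAULT_RE = re.compile(r"sysUpTime\.0\s*=\s*Timeticks:\s*\((\d+)\)")
QUICK_RE = re.compile(r"sysUpTime\.0\s+(\d+):(\d+):(\d+):(\d+)\.(\d+)\s*$")

# Constructed series of snmpget answers.  The first two are the page's own
# values; the timeout line and the small uptime are assumptions about what
# a no-response poll and a just-rebooted agent look like.
POLLS = [
    "system.sysUpTime.0 16:3:24:11.44",                                  # -q form
    "system.sysUpTime.0 = Timeticks: (139494644) 16 days, 3:29:06.44",   # default form
    "Timeout: No Response from 10.0.2.220",                              # assumed
    "system.sysUpTime.0 = Timeticks: (1205) 0:00:12.05",                 # assumed
]


def uptime_ticks(line):
    """Return sysUpTime in hundredths of a second, or None if the line
    does not carry a sysUpTime value (timeout, error, other object)."""
    m = DEFAULT_RE.search(line)
    if m:
        return int(m.group(1))
    m = QUICK_RE.search(line)
    if m:
        days, hours, minutes, seconds, hundredths = map(int, m.groups())
        return (((days * 24 + hours) * 60 + minutes) * 60 + seconds) * 100 + hundredths
    return None


def heartbeat(polls):
    """Return one verdict per poll: 'ok', 'unreachable' or 'restart'.

    The comparison is against the last answered poll, so a restart that
    happens during an outage is still reported once the agent answers again.
    sysUpTime is a 32-bit counter that wraps after about 497 days; a wrap
    also shows up as 'restart' and deserves a second look.
    """
    verdicts = []
    last_ticks = None
    for out in polls:
        ticks = uptime_ticks(out)
        if ticks is None:
            verdicts.append("unreachable")
            continue
        if last_ticks is not None and ticks < last_ticks:
            verdicts.append("restart")
        else:
            verdicts.append("ok")
        last_ticks = ticks
    return verdicts


if __name__ == "__main__":
    for out, verdict in zip(POLLS, heartbeat(POLLS)):
        print(f"{verdict:12s} {out}")
```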

To display debugging information, use the -d option. This shows the packet
information, including the size and destination, and also provides a hexadecimal
and ASCII dump of the packet. The output shown here is the result of an SNMP
get request of the system.sysContact MIB object:
sending 51 bytes to 10.0.2.220:161:
0000: 30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0    0../.....public.
0016: 82 00 20 02 04 41 C9 4A 92 02 01 00 02 01 00 30    .. ..A.J.......0
0032: 82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 04    ...0.....+......
0048: 00 05 00                                           ...
received 60 bytes from 10.0.2.220:161:
0000: 30 82 00 38 02 01 00 04 06 70 75 62 6C 69 63 A2    0..8.....public.
0016: 2B 02 04 41 C9 4A 92 02 01 00 02 01 00 30 1D 30    +..A.J.......0.0
0032: 1B 06 08 2B 06 01 02 01 01 04 00 04 0F 4D 61 74    ...+.........Mat
0048: 74 68 65 77 20 4D 61 78 77 65 6C 6C                thew Maxwell
system.sysContact.0 = Matthew Maxwell

The first part of the output is the request packet, as indicated by the string
sending 51 bytes to 10.0.2.220:161; the bytes are in the standard SNMP
packet format. Note the echoing of the community string public. The second
part, which starts with the string received 60 bytes from 10.0.2.220:161,
is the response from the agent, and it, too, uses the standard SNMP packet
format. In this case, we see both the community string public and the
sysContact object string.
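
To see exactly what the dump carries, this added example (ours, not the book's) decodes the two packets with a minimal BER decoder using only the standard library. The byte strings are the book's packets reassembled from the hex dump; the decoder and the field names are our additions. Every field, the community string included, is readable by anyone who can capture the packets, which is the practical reason to prefer the SNMPv3 security model described earlier.

```python
"""Decode the SNMPv1 GetRequest/GetResponse pair from the -d dump above.

Added example, not from the book: a minimal BER decoder for an SNMPv1/v2c
message.  The two byte strings are transcribed from the dump; the rest is ours.
"""

# Transcribed from "sending 51 bytes to 10.0.2.220:161".
REQUEST = bytes.fromhex(
    "30 82 00 2F 02 01 00 04 06 70 75 62 6C 69 63 A0"
    "82 00 20 02 04 41 C9 4A 92 02 01 00 02 01 00 30"
    "82 00 10 30 82 00 0C 06 08 2B 06 01 02 01 01 04"
    "00 05 00"
)
# Transcribed from "received 60 bytes from 10.0.2.220:161".
RESPONSE = bytes.fromhex(
    "30 82 00 38 02 01 00 04 06 70 75 62 6C 69 63 A2"
    "2B 02 04 41 C9 4A 92 02 01 00 02 01 00 30 1D 30"
    "1B 06 08 2B 06 01 02 01 01 04 00 04 0F 4D 61 74"
    "74 68 65 77 20 4D 61 78 77 65 6C 6C"
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at pos.
    Handles one-byte lengths and the long form the dump uses
    (0x82 followed by two length bytes, e.g. 82 00 2F -> 47)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode BER OID contents: 2B 06 01 ... -> .1.3.6.1..."""
    arcs = [raw[0] // 40, raw[0] % 40]        # first byte packs two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear ends an arc
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))


def decode_value(tag, raw):
    if tag == 0x02:                           # INTEGER
        return int.from_bytes(raw, "big", signed=True)
    if tag == 0x04:                           # OCTET STRING
        return raw.decode("latin-1")
    if tag == 0x05:                           # NULL (placeholder in a GetRequest)
        return None
    if tag == 0x06:                           # OBJECT IDENTIFIER
        return decode_oid(raw)
    return raw.hex()                          # anything else: leave as hex


def decode_snmp(packet):
    """Return the fields of an SNMPv1/v2c message as a dict."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)     # cleartext "public"
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    _, error_status, pos = read_tlv(pdu, pos)
    _, error_index, pos = read_tlv(pdu, pos)
    _, vb_list, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):                  # one SEQUENCE per varbind
        _, vb, pos = read_tlv(vb_list, pos)
        _, oid_raw, inner = read_tlv(vb, 0)
        value_tag, value_raw, _ = read_tlv(vb, inner)
        varbinds.append((decode_oid(oid_raw), decode_value(value_tag, value_raw)))
    return {
        "version": int.from_bytes(version, "big"),   # 0 = SNMPv1
        "community": community.decode("latin-1"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "error_status": int.from_bytes(error_status, "big"),
        "error_index": int.from_bytes(error_index, "big"),
        "varbinds": varbinds,
    }


if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("response", RESPONSE)):
        print(name, decode_snmp(pkt))
```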

Operational Options
Table 16-3 lists many of the available operational arguments for the UCD
applications.

Hint

Some of the options in Table 16-3 are not fully described because their use is
somewhat limited. For instance, the -c option, which controls the ability to
define the clock values with SNMPv2 authentication messages, is not a critical
function for using the tools and is not described. However, some of the more
useful options are described.

Option   Description
-R       Requests random access to the agent MIB table.
-c       Sets the clock values.
-m       Specifies a list of MIB modules to load.
-M       Specifies a list of directories in which to search for MIB files.
-p       Uses the specified port to communicate with the agent.
-r       Specifies the number of retries.
-t       Specifies the time-out between retry attempts.
-v       Specifies the protocol version.

Table 16-3  SNMP Application Operational Options

By default, MIB objects are located in standard, well-known places within
the MIB tree. Consider, for example, the system.sysContact.0 MIB
object, which is normally found within the following tree:
.iso.org.dod.internet.mgmt.mib-2 tree

The UCD tools support a concept of random access MIBs. Using this approach,
the system.sysContact MIB object may be entered as sysContact—
without the system group name prefix. To specify a single search of a MIB object,
because it might appear more than once, specify the name of the MIB followed
by the object, such as SNMPv2-MIB:sysContact.0. To enable random access,
use the -R command-line option. This feature is most useful when searching
for MIB objects that are not located in standard places and when more than one
instance of the same object name exists within the agent.
As with any software tool that communicates with an SNMP agent, some
method must be provided to convert the numeric dotted notation (such as
.1.3.6.1) of the MIB object tree into the notation that uses names (such
as .iso.org.dod.internet.mgmt.mib-2). Normally, without the MIB
files, the UCD tools display MIB information using the numeric form. This is
because these tools obtain only the numeric form from the agent; they don’t
know how to map these identifiers into the corresponding string names. For
example, when an SNMP get request is done against an agent with the MIB files
not available, the following output snippet may be displayed:
.iso.3.6.1.2.1.1.1.0 = "Linux didymus 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.2021.250.10
.iso.3.6.1.2.1.1.3.0 = Timeticks: (219939) 0:36:39.39
.iso.3.6.1.2.1.1.4.0 = "Anita Maxwell"
.iso.3.6.1.2.1.1.5.0 = "didymus"
.iso.3.6.1.2.1.1.6.0 = "Graphics Lab"
.iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00

This output is from a query of a UNIX server, and, as you can see, the MIB
object path information contains numeric strings only after the iso name. This
string was included in the output because the UCD tools know only the starting
point of the MIB tree. When it comes to nonstandard or vendor-specific MIBs,
only the numeric form is available. To address this issue, the -m and -M options
are provided. The -m option specifies a list of MIB modules that should be loaded
before the UCD tool attempts any SNMP queries on an agent. When more than
one MIB module is listed, the modules must be separated by a colon (:). A MIB
module is just a file that contains the MIB definitions for an agent. Using the
-m option, we can supply the correct MIB modules so that our output snippet
above will contain all string names. The -M option complements it by letting us
supply a list of directories in which to search for MIB files. Thus, the command
# snmpwalk -M /var/mibs cisco-gw1 public system

will search the directory /var/mibs. Assuming that it finds the standard MIB
files, it will display the following:
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Mon 05-Aug-96 13:17 by mkamson
system.sysObjectID.0 = OID: enterprises.9.1.50
system.sysUpTime.0 = Timeticks: (99487614) 11 days, 12:21:16.14
system.sysContact.0 = Nita Maxwell
system.sysName.0 = remote-gw
system.sysLocation.0 = Remote Sales Office (Florida)
system.sysServices.0 = 78

There is also a shorthand way to specify all MIB modules (as opposed to
supplying a list)—by using the keyword all in place of the module list. This
overrides the MIBS environment variable, which is discussed in the next section.

1-Minute Drill

● What is a system heartbeat used for?
● What are the two categories of arguments supported by all the UCD tool
  commands?

Answers: To determine the general system health. Operational and display.

Environment Variables
Each of the UCD applications uses a small set of environment variables that
help establish global values for certain operating parameters and shortcuts for
command-line options. These include the following variables:
● MIBS
● MIBDIR
● PREFIX
● SUFFIX

The MIBS and MIBDIR variables provide a way to load in additional MIB
modules. The variable MIBS provides the same function as the -m command-line
option. The MIBDIR variable functions the same as the -M option. Both are
convenient because they work with all UCD management applications.
The SUFFIX variable toggles the -s command-line option, which displays
the suffix, or last, component of the MIB object path. The PREFIX variable
provides a standard way to define the prefix of MIB object identifiers. The
default value is
.iso.org.dod.internet.mgmt.mib-2

If this variable is defined, the contents of the variable are added to the
beginning of the MIB object being referenced when using one of the UCD tools.
Defining this value will help in situations where nonstandard MIBs are used.

16.3 Use the UCD Management Tools
The following tools are provided within the UCD package; these applications
make up the bulk of services provided by the UCD software.

Snmpdelta Command
The snmpdelta command collects changes in MIB integer values from an
SNMP agent entity. This command monitors the specified integer objects and
displays changes to the objects that occur over time. This is very useful in
tracking networking errors. It might be necessary, for example, to determine the
number of packets discarded from an interface—as with the ifInDiscards
MIB-II object. When the number of discarded packets is high on an interface, this
could indicate trouble for the system. To monitor this object from the device
called bedrock, the following command may be used:
# snmpdelta -IR bedrock public ifInDiscards.1

When invoked, this command will produce the following:
ifInDiscards.1 /1 sec: 12
ifInDiscards.1 /1 sec: 0
ifInDiscards.1 /1 sec: 0
ifInDiscards.1 /1 sec: 0
ifInDiscards.1 /1 sec: 3
ifInDiscards.1 /1 sec: 0
ifInDiscards.1 /1 sec: 0
ifInDiscards.1 /1 sec: 8
ifInDiscards.1 /1 sec: 2

Without user interaction, the above command continually polls the agent
until a CTRL-C (^c) is issued by the user. Note that in the command we have
used, the -IR option activates random access to the agent MIB. This makes it
easy to obtain the desired MIB objects. A high discard rate may indicate trouble
with the interface. This trouble could be caused by a hardware problem related
to cabling or even a software configuration error. In the example above, the
discard count changes from one interval to the next and is not always zero, thus
indicating a problem.
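
What snmpdelta computes between polls, as an added Python example (written for this discussion, not code from the book or the UCD tools): the change in a Counter32 object across successive samples, normalised to a one-second interval using the agent's sysUpTime, corrected for the 32-bit wraparound that a plain subtraction gets wrong, and skipped for any interval in which sysUpTime went backwards (an agent restart resets the counters). The readings are constructed so that they reproduce the nine values shown above.

```python
# Added example (not from the book): the arithmetic behind snmpdelta's
# "ifInDiscards.1 /1 sec: N" lines, with Counter32 wraparound and agent
# restart handled. All readings below are constructed.

COUNTER32_MAX = 2 ** 32


def counter_delta(previous, current, width=COUNTER32_MAX):
    """Change between two counter samples, correcting for one wraparound."""
    diff = current - previous
    if diff < 0:                 # counter passed 2^32 and started again at 0
        diff += width
    return diff


def deltas_per_interval(samples, interval_sec=1):
    """Per-interval deltas normalised to 'interval_sec' seconds.

    Each sample is (sysUpTime_ticks, value); sysUpTime is in hundredths of
    a second, so the elapsed time between polls comes from the agent's own
    clock rather than the manager's.
    """
    out = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        elapsed = (t1 - t0) / 100.0
        if elapsed <= 0:
            # sysUpTime went backwards: the agent restarted and its counters
            # were reset, so a delta across this boundary is meaningless.
            continue
        out.append(round(counter_delta(v0, v1) * interval_sec / elapsed))
    return out


def flag_discards(deltas, threshold=0):
    """Indexes of the intervals whose discard delta exceeds the threshold."""
    return [i for i, d in enumerate(deltas) if d > threshold]


# Constructed readings: (sysUpTime ticks, ifInDiscards.1), polled every second.
SAMPLES = [
    (219939, 1000), (220039, 1012), (220139, 1012), (220239, 1012),
    (220339, 1012), (220439, 1015), (220539, 1015), (220639, 1015),
    (220739, 1023), (220839, 1025),
]

# Constructed: a counter that wraps past 2^32 between two polls.
WRAP_SAMPLES = [(500000, COUNTER32_MAX - 5), (500100, 7)]

# Constructed: sysUpTime went backwards, i.e. the agent restarted.
RESTART_SAMPLES = [(500000, 900), (100, 3)]

if __name__ == "__main__":
    for d in deltas_per_interval(SAMPLES):
        print("ifInDiscards.1 /1 sec:", d)
    print("wrapped delta:", deltas_per_interval(WRAP_SAMPLES))
    print("across restart:", deltas_per_interval(RESTART_SAMPLES))
```

Using the agent's sysUpTime rather than the manager's wall clock matters when polls are delayed by retries or time-outs: the delta is then divided by the interval the counter actually covered.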

Snmpget Command
The snmpget command retrieves information from an SNMP agent entity. It
uses the SNMP get request with one or more MIB object names as arguments
and returns their associated MIB values. If an error occurs, a descriptive message
will be shown to help pinpoint the problem. If a list of objects is specified on
the command line, only those objects that are contained within the agent’s MIB
will be returned.
The command syntax is as follows:
snmpget [common arguments] host community_string MIB-object [MIB-object]

To retrieve the MIB objects sysDescr and sysContact from a Solaris
system, the following command could be used:
# snmpget bedrock public system.sysDescr.0 system.sysUpTime.0

Depending on the model and configuration, this command would display
output like the following:
system.sysDescr.0 = Sun SNMP Agent, Netra 1 Server
system.sysUpTime.0 = Timeticks: (69212467) 8 days, 0:15:24.67

In this example, the system bedrock is a Netra server and has been up for
the last eight days.
Sometimes when accessing objects from certain devices, errors may be
encountered that might lead us to believe that the device is not working. For
example, consider the following command that is executed against a Linux
system called monet:
# snmpget monet private-write system.sysDescr.0

The command produces the following:
system.sysDescr.0 = Linux monet 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686

However, running the same command against the same system but using
a different community string produces the following:
# snmpget monet bad-password system.sysDescr.0
Timeout: No Response from monet

In the last example, the error message isn’t clear about what is going on; the
message suggests that the object being requested does not exist within the agent.
Obviously, from the first example, the object (system.sysDescr.0) does
exist and has an associated MIB value. This error message is displayed because
when the community string doesn’t match the password configured within it, an
SNMPv1 agent disregards the request. If authentication traps are enabled, it then
sends an associated trap. The important thing to remember is that when polling
for specific objects, don’t assume that objects are not available despite the
generation of error messages suggesting that they are unavailable. It might be
helpful to execute an snmpwalk against the agent if questions come up regarding
which objects are indeed supported by the agent.

Hint

When querying a device that doesn’t respond to SNMP requests, try to ping
the device to see if it is reachable on the network. If the device responds with
ping, but not with SNMP, then either the agent isn’t running or you are using
the wrong SNMP authentication—such as an incorrect community string.

Snmpgetnext Command
The snmpgetnext command retrieves one or more MIB objects using the SNMP
getnext request. For each object specified on the command line, snmpgetnext
gets the next lexicographical MIB object found in the MIB tree. This tool is very
useful for returning a series of objects when the exact structure of the MIB
object that is being retrieved is unknown. For example, the SNMP command
# snmpgetnext probe public system.sysContact.0

will obtain the next MIB object after the sysContact.0 object:
system.sysName.0 = "AXON" Hex: 41 58 4F 4E

The sysName.0 object is displayed because it is lexicographically next to
the sysContact.0 object. How do we know this for sure? Well, the simplest
approach is to display the entire system group. An snmpwalk of the group
displays the following:
system.sysDescr.0 = "AXON LANServant - Ethernet (4.16)"
system.sysObjectID.0 = OID: enterprises.370.2.2
system.sysUpTime.0 = Timeticks: (868306) 2:24:43.06
system.sysContact.0 = "3Com Corporation"
next object
system.sysName.0 = "AXON" Hex: 41 58 4F 4E
system.sysLocation.0 = ""
system.sysServices.0 = 15

The primary purpose of the snmpwalk command is to retrieve an agent
table in a more effective manner. Consider the udp table from MIB-II, which
contains information related to any open sockets using the User Datagram
Protocol. Polling this SNMP table on a Linux system displays the partial output
shown here:
1  udp.udpInDatagrams.0 = 860
2  udp.udpNoPorts.0 = 5
3  udp.udpInErrors.0 = 0
4  udp.udpOutDatagrams.0 = 911
5  udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.111 = IpAddress: 0.0.0.0
6  udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.161 = IpAddress: 0.0.0.0
7  udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.162 = IpAddress: 0.0.0.0
8  udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.177 = IpAddress: 0.0.0.0
9  udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.517 = IpAddress: 0.0.0.0
10 udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.518 = IpAddress: 0.0.0.0
11 udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.624 = IpAddress: 0.0.0.0
12 udp.udpTable.udpEntry.udpLocalAddress.0.0.0.0.635 = IpAddress: 0.0.0.0
13 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.111 = 111
14 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.161 = 161
15 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.162 = 162
16 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.177 = 177
17 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.517 = 517
18 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.518 = 518
19 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.624 = 624
20 udp.udpTable.udpEntry.udpLocalPort.0.0.0.0.635 = 635

Note that the line numbers in this output were not generated by the same
command.

The listing above includes table objects that contain related information, but
don’t have an associated index to retrieve each object when needed. As you can
see, the objects are referenced by the IP address (0.0.0.0) being used—as
shown on line 5, for example. This entry contains the local IP and port address
for this socket. The IP is used as an index into the object listed in line 13,
which contains the UDP port information. The ability to retrieve MIB objects
based on lexicographical ordering is the only way to discover each object in
order as indexed from the MIB.
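
How getnext finds each row of a table such as udpTable, as an added Python example (written for this discussion, not code from the book or the UCD tools): a toy agent that orders its objects the way a real one does (each arc compared as an integer, so .1024 sorts after .161 even though the string "1024" would sort first), answers getnext with the first object after the one named, and a walk() that repeats getnext until the reply leaves the requested subtree. The object numbers for the udp group are the MIB-II ones; the agent contents are constructed from the listing above.

```python
# Added example (not from the book): lexicographic OID ordering and the
# getnext/walk behaviour built on it. Numbers assumed from MIB-II:
# udp = 1.3.6.1.2.1.7, udpTable.udpEntry = 1.3.6.1.2.1.7.5.1,
# udpLocalAddress = column 1, udpLocalPort = column 2,
# both indexed by (IpAddress, port). Agent contents are constructed.


def parse_oid(text):
    """'.1.3.6' or '1.3.6' -> (1, 3, 6); tuples compare arc by arc."""
    return tuple(int(a) for a in text.strip(".").split("."))


def oid_str(oid):
    return "." + ".".join(str(a) for a in oid)


class ToyAgent:
    def __init__(self, objects):
        # Tuple ordering gives numeric comparison per arc, shorter prefix first,
        # which is exactly SNMP's lexicographic order.
        self.items = sorted((parse_oid(k), v) for k, v in objects.items())

    def get(self, oid):
        for o, v in self.items:
            if o == oid:
                return v
        raise KeyError("noSuchName")

    def getnext(self, oid):
        """First object whose OID is lexicographically after 'oid'."""
        for o, v in self.items:
            if o > oid:
                return o, v
        return None                      # end of MIB


def walk(agent, root):
    """Everything under 'root', in agent order, via repeated getnext."""
    root = parse_oid(root)
    out = []
    cur = root
    while True:
        nxt = agent.getnext(cur)
        if nxt is None or nxt[0][:len(root)] != root:
            break                        # left the subtree: stop
        out.append((oid_str(nxt[0]), nxt[1]))
        cur = nxt[0]
    return out


# Constructed agent contents (values from the udp listing above, plus a
# socket on port 1024 to show numeric rather than string ordering).
UDP_OBJECTS = {
    "1.3.6.1.2.1.7.1.0": 860,                        # udpInDatagrams.0
    "1.3.6.1.2.1.7.2.0": 5,                          # udpNoPorts.0
    "1.3.6.1.2.1.7.3.0": 0,                          # udpInErrors.0
    "1.3.6.1.2.1.7.4.0": 911,                        # udpOutDatagrams.0
    "1.3.6.1.2.1.7.5.1.1.0.0.0.0.111": "0.0.0.0",    # udpLocalAddress rows
    "1.3.6.1.2.1.7.5.1.1.0.0.0.0.161": "0.0.0.0",
    "1.3.6.1.2.1.7.5.1.1.0.0.0.0.1024": "0.0.0.0",
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0.111": 111,          # udpLocalPort rows
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0.161": 161,
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0.1024": 1024,
    "1.3.6.1.2.1.11.1.0": 42,                        # snmpInPkts.0, outside udp
}

AGENT = ToyAgent(UDP_OBJECTS)

if __name__ == "__main__":
    for oid, value in walk(AGENT, "1.3.6.1.2.1.7"):
        print(oid, "=", value)
```

The walk stops at snmpInPkts.0 because its OID no longer starts with the udp prefix; a walk of "1.3.6.1.2.1.7.5" alone returns just the six table cells, which is how a manager pulls a whole table without knowing its indexes in advance.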

Snmpnetstat Command
The snmpnetstat command is similar to the UNIX netstat utility and
provides some of the same basic information about attached device interfaces
and routing. What is remarkable about this tool is that it provides an easy
way to obtain interface information from any SNMP-compliant system. This
includes, for example, devices such as UNIX workstations and servers, printers,
networking devices, and other devices that support the MIB-II standard. This
is a very powerful tool because interface information can be collected without
the use of complicated command sequences. Also, it removes the barrier requiring
the use of vendor-specific interfaces when a network consists of a large number
of different vendor products. In other words, regardless of the vendor system
or device, the information obtained is similar and in the same format.
Like its UNIX counterpart, snmpnetstat supports a number of command-line options that control basic operations and output. Table 16-4 lists the available
command options. As you can see, many of these options are consistent with
those of the netstat command.

Option  Description
-I      Displays information on the specified network interface.
-a      Shows the state of all socket connections.
-i      Shows the state of all interfaces defined on the system.
-o      Displays an abbreviated status of interfaces.
-n      Displays network addresses as numbers.
-p      Shows statistics sorted by the network protocol.
-r      Displays routing table information.
-s      Shows per-protocol network statistics.

Table 16-4  Command-Line Options for the snmpnetstat Command

Displaying Interface Information
To show the configuration of all the functional network interfaces on the system,
use the -i option. In the following example, the snmpnetstat command
queries a HP-UX system called nfs-server:
# snmpnetstat -i nfs-server public
Name    Mtu   Network  Address   Ipkts  Ierrs  Opkts   Oerrs  Queue
Ethern  1500  10.0.2   10.0.2.1  13377  315    132503  501    15

The output should be familiar; it mirrors the UNIX netstat command
output. The only major differences are the names of the interfaces and the removal
of the column that represents the total number of collisions on the interface.
To list the available interfaces in an abbreviated form, use the -o option.
As you can see from the following output, only the columns of incoming and
outgoing octets (bytes) are listed. Compare this to what is displayed with the
-i option in the previous example.
# snmpnetstat -o nfs-server public
Name    Network  Address   Ioctets  Ooctets
Ethern  10.0.2   10.0.2.1  487708   12778317

The nfs-server device contains a single interface, called Ethern, which
represents an Ethernet interface. If we query a network device such as a network
router, we might see a large number of interfaces. Typically, Cisco routers
and switches (and other vendor devices, too) may contain a large number of
interfaces. For example, executing the above snmpnetstat command on
a Cisco 7000 router will yield the following:
Name     Network    Address      Ioctets     Ooctets
Fddi0/   10.10.1    10.10.1.1    3723440280  1783534532
Fddi1/   10.11.2    10.11.2.1    2560994642  2783361340
Ethern   10.0.2     10.0.2.254   2141819815  1555401237
Ethern*  none       none         0           0
Ethern*  none       none         0           0
Ethern*  none       none         0           0
Ethern*  none       none         0           0
Ethern*  none       none         0           0
Fddi3/   10.14.1    10.14.1.1    2248945512  2083011069
Serial   10.250.10  10.250.10.1  1401691701  870256641
Serial*  none       none         592331671   3226921185
Serial*  none       none         0           0
Serial*  none       none         0           0
FastEt   19.80.8    19.82.8.1    4086327200  421590301
FastEt   19.80.9    19.82.9.1    4017448469  3080615899
FastEt   19.80.10   19.82.10.1   269162560   1781784403
FastEt*  none       none         0           0

The actual number of interfaces will depend on the model of the router and
installed interface cards. In this example, 17 interfaces have been listed. In the
output, four different interface types have been listed: Serial, Ether, Fast,
and FDDI. This output was polled from a core backbone router, which explains
the high utilization on many of the interfaces.
To list an individual interface, use the -I option followed by the interface
name. This option is also used in conjunction with the interval option. When
snmpnetstat is invoked with the interval argument, it shows a running
count of network statistics relating to the interface specified. The information
displayed includes one column for the specified interface and another column
summarizing information for all other interfaces. The first line of output
presents a summary of information since the device was last rebooted. All
additional lines represent values that are changing over the specified interval.
The command
# snmpnetstat -I Ethernet cisco-gw3 public 10

will show the following:
          input    (Ether)   output                input    (Total)   output
 packets  errs  packets  errs  colls    packets  errs  packets  errs  colls
   68355 39800   131733   198      0     499131  3924   648945   730      0
     178    62       93    68      0        376   236       22     0    255
      46    58      142    84      0        167   268       42     0    172
      93    63       67    60      0        134   359       14     0    210
     119    49      169    85      0        187   385       18     0    326

This display includes a running count of packet activity on the Ether
interface contained in the cisco-gw3. The command will continue displaying
this output until a CTRL-C (^c) is typed. The first two columns represent the
number of input packets and input errors, while the next two represent the number
of output packets and output errors. The fifth column provides the number of
collisions. The remaining five columns are cumulative totals for all interfaces
defined within the device.

Display Routing Information
To display the routing information from the same device, use the -r option, as
in the following example:
# snmpnetstat -r cisco-gw3 public

The option will display the following:
Routing tables
Destination         Gateway       Flags  Interface
default             161.135.59.1  UG     if0
155.161.75/25       161.135.59.9  U      Serial0
155.161.114.128/26  rembrandt     U      Ethernet0
161.135             161.135.59.1  UG     if0
161.135.59/26       161.135.59.9  U      Serial0
161.135.59.64/26    161.135.59.8  UG     if0
161.135.59.128/26   rembrandt     U      Ethernet0
170.5               161.135.59.1  UG     if0

This command also reports statistics for each network protocol.
Thus, the -s (shows statistics for each protocol) and -P (shows statistics sorted
by each protocol) options can be used to show detailed protocol performance
data. To see just the statistics for each protocol, use the following command:
# snmpnetstat -s monet public

This command will produce the following sample output:
udp:
        8606737 total datagrams received
        7727372 datagrams to invalid port
        1 datagram dropped due to errors
        851929 output datagram requests
tcp:
        0 active opens
        8 passive opens
        0 failed attempts
        1 reset of established connections
        0 current established connections
        645 segments received
        476 segments sent
        0 segments retransmitted
icmp:
        9741 total messages received
        0 messages dropped due to errors
        10042 ouput message requests
        0 output messages discarded
        Output Histogram:
                Destination unreachable: 310
                Echo Reply: 9732
        Input Histogram:
                Destination unreachable: 9
                Echo Request: 9732
ip:
        22222667 total datagrams received
        0 datagrams with header errors
        0 datagrams with an invalid destination address
        0 datagrams forwarded
        0 datagrams with unknown protocol
        0 datagrams discarded
        22222673 datagrams delivered
        0 output datagram requests
        0 output datagrams discarded
        0 datagrams with no route
        0 fragments received
        0 datagrams reassembled
        0 reassembly failures
        0 datagrams fragmented
        0 fragmentation failures
        0 fragments created

Note (callout): This unusually high number of datagrams to an invalid port
indicates some kind of problem.

This output provides a quick snapshot of the network performance and the
activity of each of the networking protocols. Many of the counters appear to
represent normal network usage. However, one metric value, 7727372 datagrams
to an invalid port, may represent a significant problem. For some unknown
reason, data is arriving into this system, from possibly several other machines,
to one or more UDP ports that are invalid. One possible cause for this situation
is that an application that should receive data from another source is not running,
but the other end hasn’t been able to detect this condition. Another reason might
be that a remote application is attempting to send information to this system
but is misconfigured and attempting to send information to a nonexistent port.
One positive way to track down the cause of this problem is to capture
traffic on the same network as this system and attempt to learn which remote
device is sending the traffic. Once you get the identity of the remote system,
investigating which application is causing this problem is simply a matter of
notifying the owner of the system. It is easy to see why using the snmpnetstat
command is a good way to determine potential network problems before they
get out of hand.
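
A check over the snmpnetstat -s text, as an added Python example (written for this discussion, not part of snmpnetstat or the book): it parses the per-protocol counters into a dictionary and flags the condition the author describes, a large share of received UDP datagrams arriving for ports with no listener. The parser, the histogram naming and the 5% threshold are this example's own assumptions; the counters in the sample are the ones shown above for monet.

```python
# Added example (not from the book): parse 'snmpnetstat -s' output and flag
# a high proportion of UDP datagrams to invalid ports. The sample text is
# constructed from the counters shown for monet.

import re

SECTION_RE = re.compile(r"^(\w+):\s*$")            # e.g. "udp:"
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # e.g. "  5 passive opens"


def parse_netstat_s(text):
    """Return {protocol: {description: value}}.

    Histogram sub-headings such as 'Output Histogram:' group their
    'name: N' lines, stored here as 'Output Histogram/name'.
    """
    stats = {}
    proto = None
    histogram = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            proto = m.group(1)
            stats[proto] = {}
            histogram = None
            continue
        stripped = line.strip()
        if stripped.endswith("Histogram:"):
            histogram = stripped[:-1]
            continue
        m = COUNTER_RE.match(line)
        if m and proto:
            stats[proto][m.group(2)] = int(m.group(1))
            continue
        if proto and histogram and ":" in stripped:
            name, _, value = stripped.partition(":")
            stats[proto][histogram + "/" + name.strip()] = int(value)
    return stats


def udp_noports_ratio(stats):
    """Fraction of received UDP datagrams that had no listening port."""
    udp = stats.get("udp", {})
    total = udp.get("total datagrams received", 0)
    invalid = udp.get("datagrams to invalid port", 0)
    return invalid / total if total else 0.0


def check_udp(stats, max_ratio=0.05):
    """Return a warning string, or None if the UDP counters look normal.

    The 5% threshold is an assumption of this example; tune it to the host.
    """
    ratio = udp_noports_ratio(stats)
    if ratio > max_ratio:
        return ("%.0f%% of received UDP datagrams had no listening port; "
                "capture traffic on this segment to identify the sender"
                % (ratio * 100))
    return None


# Constructed sample built from the counters in the book's monet output.
SAMPLE = """\
udp:
        8606737 total datagrams received
        7727372 datagrams to invalid port
        1 datagram dropped due to errors
        851929 output datagram requests
tcp:
        0 active opens
        8 passive opens
icmp:
        9741 total messages received
        Output Histogram:
                Destination unreachable: 310
                Echo Reply: 9732
"""

if __name__ == "__main__":
    print(check_udp(parse_netstat_s(SAMPLE)))
```

Run against a healthy host the function returns None; the ratio, rather than the raw count, is what makes the check meaningful on systems with very different traffic volumes.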

Snmpset Tool
The snmpset command is one of the most useful and powerful commands
within the UCD package. Many of the tools in this module focus on obtaining
object values from an SNMP agent. However, this tool is used to alter modifiable
(writable) MIB agent objects. The ability to alter a MIB object is profound in
its implications because doing so changes the configuration or operating state
of a system.
This tool represents a powerful mechanism for controlling agents on a global
scale. The ability to change the configuration of a large number of devices
provides an important facility that every network manager or system administrator
must have. Having the power to control many devices can represent a liability
as well. Consider, for example, a router with several interfaces that serve as
remote connection points between important distant office networks. A single
snmpset command (with the appropriate security password) executed against
one or more interfaces on this router could disable network connectivity
between the local network and the remote office(s). Obviously, this could have
disastrous consequences for business, to say nothing of your reputation. This
same problem can happen for a cluster of UNIX systems; a single setting could
result in some loss of system service.

Hint

When attempting to configure a service or object using SNMP, use a test
system or test agent before attempting to implement the management
function on a production or live system.

Another liability is related to making a global change to a series of systems
when the new configuration is incorrect or causes some service outage due to
the nature of the change. Because the snmpset command is powerful, exercise
caution when using this command on an active network. It can never be said
too often that the first rule of thumb in networking is to review the proposed
changes in a test environment first. That way, when the changes are deployed
on the real network, failures and other nasty surprises are kept to a minimum.
The basic syntax of the snmpset command is as follows:
snmpset [common arguments] MIB-objectID type value [MIB-objectID type value]

The MIB-objectID is the MIB object that will be given a new value. The type
argument represents the type of object that should be altered, and the value
represents the new object value. The type is a single character that
represents one of the object types listed in Table 16-5. (Module 13 presents
and discusses these object types.)
From a system administration or general networking standpoint, SNMP can be
used to handle a variety of management tasks. For example, SNMP can be used to

● Disable or enable a network interface.
● Update a device with new administration information (sysContact,
  for example).
● Reset certain network traffic counters.
● Restart a device or agent.
● Modify some configuration parameter.
● Monitor critical processes.
● Monitor system logs.

You may recall an earlier scenario in which a disabled interface caused a
network problem. There are also situations when not disabling an interface can
cause additional network problems. For example, during a broadcast storm or
when a cracker is attempting to penetrate a UNIX system, shutting down a network
or interface might be the only way to prevent the problem from spreading to
other parts of the company. However, before resorting to turning off interfaces,
watch out for the “set of no return” syndrome. Consider the sample network
shown in Figure 16-1.
In this sample network, we have two routers, R1 and R2. R2 is located in the
San Francisco Office, while the other is located in the Chicago Office. Our only
access to R2 is via router R1, using the serial1 interface. From device Node A,
we issue an snmpset command to disable the serial of R1 interface. This stops
the broadcast storm but also causes a connectivity loss from the remote office.
The problem is now: How do we enable the interface on R1 after the broadcast
storm has been fixed? The “set of no return” means that the only means of
access to the device has been cut off. Remote access to the router has been lost,
unless some out-of-band management capability such as dial-up can be used.

Code  Object Type
i     INTEGER
s     STRING
x     HEXADECIMAL STRING
d     DECIMAL STRING
n     NULL OBJECT
o     OBJECTID
t     TIMETICKS
a     IPADDRESS

Table 16-5  Snmpset Object Types

Figure 16-1  Problem of SNMP “Set of no return”

In this case, the port must be enabled from the local side, which could require
instructing an assistant to enable the port or reboot the device to reset the port.
The best way to avoid the “set of no return” is to disable the local serial2
interface on R2 or the remote ethernet1 interface on R1. This way, the broadcast
problem is contained, yet we still maintain access to the devices. To disable
a serial interface on router R1, a modification to the ifOperStatus object
must be made. This includes setting the object to zero (0) to disable the interface
from an administrative perspective. Set this object using the following command:
# snmpset router1 private interfaces.ifTable.ifEntry.ifAdminStatus.2 i 0\
interfaces.ifTable.ifEntry.ifAdminStatus.3 i 0

When executed, the command will disable the flow of traffic to and from
this interface. With most agents, this object change is not permanent, meaning
that a system reboot will reset this object back to the default (enabled) value.
However, without a system reset, the only other way to restore network
connectivity will be to enable the interface using the snmpset command.
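
A pre-flight check against the set of no return, as an added Python example (written for this discussion, not code from the book or the UCD tools): before an snmpset of ifAdminStatus it finds, by longest-prefix match over a routing table like the one snmpnetstat -r prints, which interface carries the path back to the management station, and refuses to build a "down" varbind for that interface. The routing table, interface names and ifIndex numbers are constructed and only loosely modelled on Figure 16-1; the value constants follow RFC 1213, which defines ifAdminStatus as up(1), down(2) and testing(3).

```python
# Added example (not from the book): refuse an ifAdminStatus change that
# would cut the manager's own path to the device. Routing table, interface
# names and ifIndex numbers below are constructed.

import ipaddress

IF_ADMIN_UP, IF_ADMIN_DOWN, IF_ADMIN_TESTING = 1, 2, 3   # RFC 1213 values


def egress_interface(routes, manager_ip):
    """Longest-prefix match over routes, a list of (prefix, interface_name).
    Returns the interface the device would use to reach manager_ip."""
    addr = ipaddress.ip_address(manager_ip)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def is_safe_to_disable(routes, manager_ip, ifname):
    """False when ifname is the interface the management traffic leaves by."""
    return egress_interface(routes, manager_ip) != ifname


def plan_admin_status_set(routes, if_index_by_name, manager_ip, ifname, status):
    """Build the snmpset varbind (OID, 'i', value) for the change, or raise
    if the change would cut the manager's own path to the device."""
    if ifname not in if_index_by_name:
        raise KeyError("unknown interface %s" % ifname)
    if status != IF_ADMIN_UP and not is_safe_to_disable(routes, manager_ip, ifname):
        raise RuntimeError(
            "refusing: %s carries the management path from %s"
            % (ifname, manager_ip))
    oid = "interfaces.ifTable.ifEntry.ifAdminStatus.%d" % if_index_by_name[ifname]
    return (oid, "i", status)


# Constructed routing table for a router R1: the management station, Node A,
# is reached over serial1; the broadcast storm is on the ethernet1 LAN.
R1_ROUTES = [
    ("0.0.0.0/0", "serial1"),       # default route
    ("10.20.0.0/16", "serial1"),    # remote office, where Node A sits
    ("10.30.5.0/24", "ethernet1"),  # local LAN with the broadcast storm
]
R1_IFINDEX = {"ethernet1": 2, "serial1": 3}
NODE_A = "10.20.1.7"

if __name__ == "__main__":
    # Shutting the LAN side is allowed; shutting the management path is not.
    print(plan_admin_status_set(R1_ROUTES, R1_IFINDEX, NODE_A, "ethernet1", IF_ADMIN_DOWN))
    try:
        plan_admin_status_set(R1_ROUTES, R1_IFINDEX, NODE_A, "serial1", IF_ADMIN_DOWN)
    except RuntimeError as err:
        print(err)
```

The returned tuple is the "MIB-objectID type value" triple from the snmpset syntax above; a wrapper script would pass it to snmpset only after this check has passed, and the same check can be applied to every device in a bulk change before any of them is touched.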
The snmpset command can alter other MIB objects within the agent. For
example, consider the sysContact and sysLocation objects that are
contained with one of the UNIX SNMP agents. Let’s assign new values to these
objects using a single snmpset command:
# snmpset bedrock private system.sysContact.0 s "NCC Support"\
system.sysLocation.0 s "3rd Floor Closet"

Due to the nature of UNIX SNMP agents, the MIB assignments made above may
not be permanent, and thus, when the system is rebooted, these values may
revert to their defaults.
When the above command has been executed, it returns the following:
system.sysContact.0 = "NCC Support"
system.sysLocation.0 = "3rd Floor Closet"

Hint

These MIB objects can also be assigned values using the SNMP agent
configuration file.

1-Minute Drill

● Name three useful features of the snmpnetstat tool.
● What is the “set of no return” problem?

Answers: 1) It provides an easy way to obtain interface information from any SNMP-compliant system. 2) Interface
information can be collected without the use of complicated command sequences. 3) It makes it easier to
work with multi-vendor networks.
“Set of no return” means making a change to a network device remotely via SNMP such as disabling an
interface that prevents you from further communicating with the device remotely, thus requiring local
access to make additional configuration changes.

Snmpstatus Tool
The snmpstatus command obtains important information from an SNMP
network entity using the SNMP get request operation. The syntax of the
command is as follows:
snmpstatus host community

When the remote agent uses the generic community string of public,
the string need not be specified on the SNMP command line because public is
used by default. By the way, the use of the public community string is highly
discouraged, because it is very insecure.
When the snmpstatus command is used against a device, it displays the
following information:
● IP address of the device
● sysDescr MIB object
● sysUpTime MIB object
● Number of packets received and transmitted on all active interfaces (that is,
  the sum of ifInUCastPkts.* and ifInNUCastPkts.* objects)
● Number of IP packets received and transmitted (that is, ipInReceives.0
  and ipOutRequests.0)
● Number of active interfaces
● Number of interfaces that have been disabled

Thus, running the command

# snmpstatus didymus private

on the UNIX system called didymus displays the output as shown below:
[216.155.202.100]=>[Sun SNMP Agent, Netra 1 Server] Up: 11 days, 7:13:30.52
Interfaces: 2, Recv/Trans packets: 1177200/1144224 | IP: 89044/65055

Using this command is a good way to obtain a quick snapshot of a network
device without knowing a lot about the node or some of the specific MIB objects
to poll. The device has been running for over 10 days. Notice that snmpstatus
has detected two interfaces, which is common for the Netra series of systems.

Snmptable Tool
The snmptable command probes an agent and displays a MIB table using the
SNMP getnext request operation. The syntax of the command is as follows:
snmptable [common options ] [additional options] host community tableID

The minimum required arguments include host, community, and tableID.
The tableID must be a real SNMP table, such as interfaces.ifTable.
The ifTable table contains a series of MIB objects that contain performance
information and other characteristics of the interfaces within a device. The basic
purpose of this command is to give the user the ability to display SNMP tables
and import the data into other programs for additional reporting and manipulation.

Snmptest Tool
The snmptest command provides a simple shell-like facility that makes it
easy to communicate with a network entity using SNMP. Unlike most other
SNMP tools, this command is interactive, prompting for information to accomplish
one or more tasks.
The software supports three operating modes—snmp-get, snmp-getnext,
and snmp-set—and uses a simple command structure to issue tasks. Issuing the
$N command will place snmptest in snmp-getnext mode, while using the $S
puts the command in snmp-set mode. To get back to snmp-get mode, use the
$G command. By default, snmptest is placed in snmp-get mode, in which
the user is prompted for a MIB object to retrieve from an SNMP agent.
For example, the following command sequence will obtain the sysUpTime
object from a system called monet:
# snmptest monet stevewrite
Variable: system.sysUpTime.0
Variable:
Received Get Response from monet
requestid 0x4362F60A errstat 0x0 errindex 0x0
system.sysUpTime.0 = Timeticks: (379613) 1:03:16.13
Variable: ^c

Clearly, this is a rudimentary interface for issuing basic SNMP operations to
SNMP agents. It is somewhat useful if a large number of tasks must be performed
against the same network target. Note that to exit the program, you simply use
the CTRL-C (^c) command sequence.

Snmptranslate Tool
The snmptranslate tool translates SNMP MIB objects into a more user-friendly and readable format. When this command is run with a MIB object, it
will translate the object into either the SMI value or symbolic form. When no
options are specified, it defaults to displaying the SMI value. The primary use of
the command is to help display the full characteristics of MIB objects, without
resorting to reading the appropriate MIB definition files.
By default, snmptranslate displays the numeric dotted object notation.
Thus, translation of the system.sysDescr MIB object can be accomplished
with the command
# snmptranslate system.sysDescr

which results in the following:
.1.3.6.1.2.1.1.1

To display a fairly complete description of a MIB object, use the -Td option.
For example, consider the following command:
# snmptranslate -Td system.sysDescr

When executed, the command will produce the following:
.1.3.6.1.2.1.1.1
sysDescr OBJECT-TYPE
-- FROM
SNMPv2-MIB, RFC1213-MIB
-- TEXTUAL CONVENTION DisplayString
SYNTAX
OCTET STRING (0..255)
DISPLAY-HINT "255a"
MAX-ACCESS
read-only
STATUS
current
DESCRIPTION
"A textual description of the entity. This value should
include the full name and version identification of the
system's hardware type, software operating-system, and
networking software."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) 1 }


As shown, a complete reference of the MIB object can be obtained. This
information is taken from the MIB definition files that the agent references. In
this case, the file RFC1213-MIB.txt, which is located in the /usr/share/
snmp/mibs directory, was used.

Snmptrap Tool
The snmptrap command will emit an SNMP trap to one or more designated
SNMP manager applications or systems. This tool is very useful when embedded
within a shell script or other program that handles traps. One or more object
identifiers can be specified on the command line, plus the type and value must
accompany each object. Recall that an SNMP trap is an unsolicited message sent
by an SNMP agent to a network manager application or system. The basic syntax
of the command is as follows:
snmptrap -v 1 [command arguments] enterprise-oid agent generic-trap specific-trap uptime [object ID type value]

The enterprise-oid field identifies the network management subsystem
that generated the trap. The agent is the host that emits the trap. The generic-trap
corresponds to one of the predefined SNMP traps listed in Module 13. The
specific-trap value indicates more specifically the nature of the trap.
The uptime field is used as a timestamp between the last initialization of the
device and the issuance of the trap. The object ID, type, and value fields
provide additional information relating to the trap. These additional fields are
known as the variable binding and may contain any type of information that
is related to the trap.
The enterprise-oid, agent, and uptime fields need not be specified
on the command line. Instead, the empty string '' may be used to
specify the default values for these fields. The default agent value is the hostname
of the machine running the snmptrap command. The uptime is obtained from
the local system’s MIB object system.sysUpTime.0.
Consider, for example, that we would like to emit a link-down trap to a network
management system called rembrandt. Further, if we want to communicate
that a particular port has gone down, we include the port within the variable
bindings of the trap. We can use the following command:
# snmptrap -v 1 rembrandt public '' monet 2 0 '' interfaces.iftable.ifentry.ifindex.1 i 1


In this example, we use the default values for the enterprise-oid
and uptime fields. Also, we specify the particular interface (ifindex.1)
and set the value to 1 (which indicates the second interface with the device).
The 2 represents the link-down trap, and 0 provides a null value for the
specific-trap value.
If we review the traps on rembrandt, we will see output like the
following:
Feb 24 17:51:27 monet snmptrapd[385]: 10.0.2.201: Link Down Trap (0) Uptime:2:26:59, interfaces.ifTable.ifEntry.ifIndex.1 = 1


In practice, most link-down messages are not that meaningful or interesting.
However, when they come from critical devices, such as core routers or switches,
a disabled interface could spell disaster for the network.
Care should be taken when configuring traps from network devices because
doing so can cause a trap flood. This condition occurs when a large number of
traps are sent in response to a particular recurring event. For example, within a
LAN Ethernet switch, a port’s link state may bounce up and down many times
per second due to a hardware malfunction. This type of problem can yield a
large number of traps. In practice, trap notification should be enabled only on
critical devices or UNIX systems. In this case, if possible, traps should be disabled
for linkup/link-down events from generic network devices.


Snmptrapd Server

The snmptrapd server will receive and log SNMP traps obtained from
other devices. Traps that are sent on port 162 are either logged to the UNIX
syslog facility or displayed on the terminal. These messages are sent using
LOG_WARNING and the LOG_LOCAL0 logging levels. The snmptrapd
command must be run as superuser because it listens on a reserved system
port. Executing the command without any options will cause it to be placed
in the background and detached from the calling shell.
The snmptrapd command supports several command-line arguments,
including -P (display trap), -D (more debugging), -d (detailed packet
information), and -q (verbose output). The -P option will instruct snmptrapd
to display any traps received on the standard output, and the -d option will
display a detailed dump of the trap packet. Thus, to show received traps
and display the contents of trap packets, use the following command:


# snmptrapd -P -d

Executing this command, using the previous example on the host
rembrandt, will display the following output:
2002-02-27 22:56:47 UCD-snmp version 4.0.1
received 69 bytes from 10.0.3.126:-32566:
0000: 30 82 00 41 02 01 00 04 06 70 75 62 6C 69 63 A4    0..A.....public.
0016: 82 00 32 06 08 2B 06 01 04 01 03 01 01 40 04 0A    ..2..+.......@..
0032: 00 03 7E 02 01 02 02 01 00 43 03 24 5C 96 30 82    ..~......C.$\.0.
0048: 00 13 30 82 00 0F 06 0A 2B 06 01 02 01 02 02 01    ..0.....+.......
0064: 01 01 02 01 01                                     .....
1999-11-27 22:56:51 monet [10.0.3.126] enterprises.3.1.1: Link Down Trap (0) Uptime: 6:37:09
interfaces.ifTable.ifEntry.ifIndex.1 = 1


The first line shows the current version and when the snmptrapd process
was run. Next, the output displays the number of bytes in the trap packet, the
host the trap was sent from (monet, IP address 10.0.3.126), and the UDP port
(32566, in this case). The contents of the trap include both hexadecimal and
ASCII characters. Finally, the trap information, including the variable-binding
information, is shown.
The -D option will display additional debugging information that includes
the parsing of MIB files. The -q option provides a more verbose output.
The snmptrapd command can be used as a focal point for reception of traps
for a large number of UNIX systems. However, it must be running continuously
in order to receive traps from the network. By default, this tool is not started by
the system. To enable this command on system startup, you should add it to the
existing UCD agent startup script called snmpd.
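The trap-flood caveat above and the syslog lines that snmptrapd writes fit together naturally. The following is an added example, not from the book: it parses snmptrapd log lines of the form shown earlier, summarises interfaces that flap (many traps from one source and ifIndex inside a short window) as a single flood entry, and still surfaces link-down traps from a list of critical devices. The log lines, the critical-device set (10.0.2.201) and the Cold Start line format are constructed.

```python
"""Triage snmptrapd syslog output and flag trap floods (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample lines in the format snmptrapd writes to syslog (the Link
# Down line from the text is the model; the Cold Start line is an assumption).
SAMPLE_LOG = """\
Feb 24 17:51:27 monet snmptrapd[385]: 10.0.2.201: Link Down Trap (0) Uptime:2:26:59, interfaces.ifTable.ifEntry.ifIndex.1 = 1
Feb 24 17:52:00 monet snmptrapd[385]: 10.0.2.17: Link Down Trap (0) Uptime:4:10:00, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:00 monet snmptrapd[385]: 10.0.2.17: Link Up Trap (0) Uptime:4:10:00, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:01 monet snmptrapd[385]: 10.0.2.17: Link Down Trap (0) Uptime:4:10:01, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:01 monet snmptrapd[385]: 10.0.2.17: Link Up Trap (0) Uptime:4:10:01, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:02 monet snmptrapd[385]: 10.0.2.17: Link Down Trap (0) Uptime:4:10:02, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:02 monet snmptrapd[385]: 10.0.2.17: Link Up Trap (0) Uptime:4:10:02, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:03 monet snmptrapd[385]: 10.0.2.17: Link Down Trap (0) Uptime:4:10:03, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:52:03 monet snmptrapd[385]: 10.0.2.17: Link Up Trap (0) Uptime:4:10:03, interfaces.ifTable.ifEntry.ifIndex.7 = 7
Feb 24 17:55:10 monet snmptrapd[385]: 10.0.2.17: Cold Start Trap (0) Uptime:0:00:03
"""

# Constructed: devices whose link-down traps always deserve attention.
CRITICAL_DEVICES: Set[str] = {"10.0.2.201"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snmptrapd\[\d+\]: (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<trap>.+?) Trap \((?P<specific>\d+)\) Uptime:(?P<uptime>[\d:]+)"
    r"(?:, (?P<varbinds>.*))?$"
)


class Trap(NamedTuple):
    ts: datetime
    src: str                 # agent that emitted the trap
    trap: str                # generic trap name, e.g. "Link Down"
    specific: int
    ifindex: Optional[int]   # from the ifIndex varbind, if present


def parse_trap_log(text: str, year: int = 2002) -> List[Trap]:
    """Parse snmptrapd syslog lines; syslog omits the year, so one is assumed."""
    traps: List[Trap] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a trap line (other daemons share the syslog file)
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        idx = re.search(r"ifIndex\.(\d+)", m["varbinds"] or "")
        traps.append(Trap(ts, m["src"], m["trap"], int(m["specific"]),
                          int(idx.group(1)) if idx else None))
    return traps


def find_floods(traps: List[Trap], window_seconds: int = 60,
                threshold: int = 5) -> Dict[Tuple[str, Optional[int]], int]:
    """Return {(source, ifIndex): peak count} for keys that reach the threshold
    inside a sliding window, i.e. a flapping port or a runaway agent."""
    recent: Dict[Tuple[str, Optional[int]], Deque[datetime]] = defaultdict(deque)
    floods: Dict[Tuple[str, Optional[int]], int] = {}
    for t in sorted(traps, key=lambda t: t.ts):
        key = (t.src, t.ifindex)
        q = recent[key]
        q.append(t.ts)
        while (t.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            floods[key] = max(floods.get(key, 0), len(q))
    return floods


def triage(traps: List[Trap], critical: Set[str], window_seconds: int = 60,
           threshold: int = 5) -> List[Tuple[str, str]]:
    """Floods first (suppress them, then look at the hardware), then link-down
    traps from critical devices; everything else is noise and is dropped."""
    floods = find_floods(traps, window_seconds, threshold)
    report = [("FLOOD", f"{src} ifIndex {idx}: {n} traps within {window_seconds}s")
              for (src, idx), n in sorted(floods.items(), key=str)]
    for t in sorted(traps, key=lambda t: t.ts):
        if (t.src, t.ifindex) in floods:
            continue  # already summarised as a flood
        if t.src in critical and t.trap == "Link Down":
            report.append(("ALERT", f"{t.ts:%b %d %H:%M:%S} {t.src} ifIndex "
                                    f"{t.ifindex} link down on critical device"))
    return report


if __name__ == "__main__":
    for severity, message in triage(parse_trap_log(SAMPLE_LOG), CRITICAL_DEVICES):
        print(f"{severity:5s} {message}")
```

The window and threshold are deliberately parameters: a port that bounces a few times a second, as described above, produces hundreds of traps per minute, so a threshold of five per minute already separates it from a single genuine outage.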

1-Minute Drill
● What does the snmptrapd server do?
● What command provides a good way to obtain a quick snapshot of a network
  device without knowing a lot about the node or some of the specific MIB
  objects to poll?

Snmpwalk Tool
The snmpwalk command will walk an agent MIB tree using the SNMP getnext
request. Why use this command instead of the snmpget tool? Well, the
snmpwalk command can discover the entire MIB store contained within the agent
automatically. With snmpget, you need to explicitly specify an object to obtain
a value. With the snmpwalk command, you can start at a given point and
move through the agent’s MIB to the end. An object variable may be given on
the command line to specify with which portion of the MIB space the search
will begin. Without a MIB object argument, snmpwalk searches and starts
with the MIB-II object store. Thus, the command
# snmpwalk monet public

will walk the entire system agent on the device monet. Since MIB-II contains a
large number of objects, the command will produce a rather long listing. Instead
of listing every object supported by the agent, we can limit the search and
display only a single group of objects. Thus, we can list all the objects found
within the MIB-II system group using the following command:
# snmpwalk bedrock public system

Answers to the 1-Minute Drill:
● It receives and logs SNMP traps obtained from other devices.
● snmpstatus

Executing this command against a UNIX system generates the following
sample output:
system.sysDescr.0 = Linux didymus 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686
system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.linux
system.sysUpTime.0 = Timeticks: (168468) 0:28:04.68
system.sysContact.0 = Steve Maxwell (sjmaxwell@worldnet.att.net)
system.sysName.0 = didymus
system.sysLocation.0 = Graphics Lab
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORID.1 = OID: ifMIB
system.sysORTable.sysOREntry.sysORID.2 = OID:
.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB
system.sysORTable.sysOREntry.sysORID.3 = OID: tcpMIB
system.sysORTable.sysOREntry.sysORID.4 = OID: ip
system.sysORTable.sysOREntry.sysORID.5 = OID: udpMIB
system.sysORTable.sysOREntry.sysORID.6 = OID:
.iso.org.dod.internet.snmpV2.snmpModules.snmpVacmMIB.vacmMIBConformance.vacmMIBGroups
.vacmBasicGroup
system.sysORTable.sysOREntry.sysORID.7 = OID: .iso.org.dod.internet.snmpV2.snmpM
odules.snmpFrameworkMIB.snmpFrameworkMIBConformance.snmpFrameworkMIBCompliances.snmpF
rameworkMIBCompliance
system.sysORTable.sysOREntry.sysORID.8 = OID: .iso.org.dod.internet.snmpV2.snmpM
odules.snmpMPDMIB.snmpMPDMIBConformance.snmpMPDMIBCompliances.snmpMPDCompliance
system.sysORTable.sysOREntry.sysORID.9 = OID: .iso.org.dod.internet.snmpV2.snmpM
odules.snmpUsmMIB.usmMIBConformance.usmMIBCompliances.usmMIBCompliance
system.sysORTable.sysOREntry.sysORDescr.1 = The MIB module to describe generic o
bjects for network interface sub-layers
system.sysORTable.sysOREntry.sysORDescr.2 = The MIB module for SNMPv2 entities
system.sysORTable.sysOREntry.sysORDescr.3 = The MIB module for managing TCP impl
ementations
system.sysORTable.sysOREntry.sysORDescr.4 = The MIB module for managing IP and ICMP
implementations
system.sysORTable.sysOREntry.sysORDescr.5 = The MIB module for managing UDP
implementations
system.sysORTable.sysOREntry.sysORDescr.6 = View-based Access Control Model for SNMP.
system.sysORTable.sysOREntry.sysORDescr.7 = The SNMP Management Architecture MIB.
system.sysORTable.sysOREntry.sysORDescr.8 = The MIB for Message Processing and D
ispatching.
system.sysORTable.sysOREntry.sysORDescr.9 = The management information definitions
for the SNMP User-based Security Model.
system.sysORTable.sysOREntry.sysORUpTime.1 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.2 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.3 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.4 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.5 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.6 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.7 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.8 = Timeticks: (0) 0:00:00.00
system.sysORTable.sysOREntry.sysORUpTime.9 = Timeticks: (0) 0:00:00.00
End of MIB


To walk the entire MIB within a given agent and save the output to a file,
use the following command:
# snmpwalk bedrock public .1 > walk.out

This command uses .1 as the starting point to begin listing objects.
Doing this ensures that every object will be displayed because .1 is the root
of the entire MIB tree and all objects are accessible from this point. Walking
the entire MIB tree with an agent helps identify certain MIB objects or gives
you an idea of exactly how many objects a particular agent may support. To see
the approximate number of objects that the Linux agent supports, count the
number of lines in the file. Because the snmpwalk command displays each MIB
object on its own line (unless the line is longer than the maximum number
of characters for a line), we can then use the UNIX wc command to total the
number of lines within the walk.out file. Thus, the command
# wc -l walk.out

produces the following output:
2242 walk.out

This command output shows that the Linux agent supports roughly 2242 MIB
objects. When no object is specified with the
snmpwalk command, it will search the MIB-II object tree by default. When
the snmpwalk command reaches the end of the MIB within the agent, it will
display the message End of MIB.
Note that the use of this command is a rather inefficient means to obtain
a large number of MIB objects from an agent. This is because the command
continuously queries a single MIB object to obtain an associated value. It is
recommended that the snmpbulkwalk command be used whenever possible
to reduce network traffic and load on the agent system. This command significantly
reduces the work involved, from a lower-level standpoint, to obtain a large amount
of information from an agent. See the following snmpbulkwalk section for
additional information.


Snmpbulkwalk Tool
The snmpbulkwalk tool communicates with a network entity using the SNMPv2
bulk request. Like the snmpwalk tool, snmpbulkwalk will walk a MIB tree
until the end of the MIB is reached or an error occurs. The bulk request provides
a more efficient mechanism to transfer a large amount of data than the regular
SNMPv1 get request. For example, assume we would like to retrieve the entire
MIB-II interface group from a Linux server. We would issue the following
command:
# snmpwalk monet public interfaces

This command will result in a series of SNMP getnext requests to the interfaces
MIB group against a network node called monet. The SNMPv1 snmpwalk command
(which uses a normal get request) will obtain the information using
136 packets. How do we know this? Just before the snmpwalk command was
executed, a packet capture was started using the following command:
# tcpdump host monet -w output.file

The tcpdump command, which is described in Module 12, will capture all
packets coming from or going to the host called monet. These packets are saved
in the file called output.file. Once the snmpwalk command has finished,
the tcpdump command is manually stopped. Next, we simply count the number
of packets that were captured within the output.file file. Thus, with
# tcpdump -r output.file | wc -l
136

we see that a total of 136 packets were captured. This is the number of packets
needed to retrieve the interfaces table. Please note that depending on the
number of interfaces defined within a device, more or fewer packets would be
required. However, if we query the same device using the snmpbulkwalk
command instead,
# snmpbulkwalk -v 2c monet public interfaces

we will poll the same interfaces group information but only use two packets!


This is a tremendous savings in terms of network bandwidth and increased
SNMP performance for both the agent and manager. The SNMP bulk-request
option is efficient because it attempts to place as many MIB OID values as possible
within the variable-binding field of the SNMP response packet(s). The
only limit to the amount of data that can be placed within the SNMP packet is
the maximum packet size of the underlying protocols.
To walk the entire MIB tree of the device called cisco-gw1, use the
following command:
# snmpbulkwalk -v 2c cisco-gw1 public

The snmpbulkwalk command only works with SNMPv2 or SNMPv3 agents.
This is because the bulk-request facility specification came after the widespread
deployment of SNMPv1. Using this command on an SNMPv1 agent will,
therefore, generate an error.
For instance, the following command attempts to walk the MIB tree of a
device called monet starting from the system group. In this example, monet
supports only SNMPv1:
# snmpbulkwalk -v 2c monet public system

Since this device doesn’t understand the SNMP bulk request, it eventually
times out, and the following message is displayed following the snmpbulkwalk
command:
Timeout: No Response from monet

A timeout error condition occurs because the requests are issued to the
device, but the agent residing in the device doesn’t understand the SNMP
bulk-request format. As a result, the packet is not answered by the agent and
the command simply times out. In practice, many networking devices have
been upgraded to support the bulk-request operation. Therefore, this problem
will diminish over time as older devices are replaced or upgraded.
Note that snmpbulkwalk requires that you use either the 2c or 2p security
options. If you attempt to invoke snmpbulkwalk without specifying which
version of the SNMP protocol is to be used, the following error will be displayed:
snmpbulkwalk: Cannot send V1 PDU on V2 session


By default, the snmpbulkwalk command will search the entire MIB-II
tree if a MIB object or group isn’t specified on the command line. From a
practical standpoint, this makes the tool a little easier to use if the complete
MIB-II objects store is desired.

Mastery Check
1. In the following command example, what is the -M /var/mibs option
   used for?
# snmpwalk -M /var/mibs cisco-gw1 public system

A. Specifies a list of MIB modules to load.
B. Supplies a list of directories for the command to search for MIB files.
C. Directs output to the specified directory.
D. Runs the SNMP scripts found in the specified directory.
2. The __________ command collects changes in MIB integer values from an
   SNMP agent entity.
3. If a device doesn’t respond to SNMP requests, what command might you
   try to see if the device is reachable on the network?
A. snmpwalk
B. snmptrap
C. snmpnetstat
D. ping
4. What command is similar to the UNIX netstat utility and provides
   some of the same basic information about attached device interfaces and
   routing information?

5. Which of the following management tasks isn’t something SNMP is
   useful for?
A. Reset a user password
B. Disable or enable a network interface
C. Restart a device or agent
D. Monitor critical processes
6. What is the correct syntax for the snmpstatus command?
A. snmpstatus host community
B. snmpstatus community host
C. snmpstatus interface community
D. snmpstatus community interface
7. The snmptrapd server will receive and log SNMP __________ obtained
   from other devices.
8. What command option is used to generate output shown in the second
   example line instead of the first, using the same input command?
system.sysUpTime.0 = Timeticks: (139494644) 16 days, 3:29:06.44
system.sysUpTime.0 16:3:24:11.44

A. -S
B. -s
C. -f
D. -q
9. True/False: It might be helpful to execute an snmpwalk against the
   agent if questions come up regarding which objects are indeed supported
   by the agent.

10. The __________ tool will walk a MIB tree until the end of the MIB is
    reached or an error occurs and provides a more efficient mechanism
    to transfer a large amount of data than the snmpwalk tool.
11. True/False: snmpnetstat only works with Unix workstations
    and servers.


Module 17
Using Network File System

Critical Skills
17.1 NFS Server Uncovered
17.2 Mounting Remote File System
17.3 Exploring NFS Tools
17.4 Configuring NFS Clients
17.5 Controlling the File System Mount Table

The Network File System (NFS) is a service that provides file sharing across
a network of systems. NFS was first implemented by Sun Microsystems and
was supported only on the Sun version of UNIX, which at the time was called
SunOS. Today, it is supported across most, if not all, versions of UNIX that are
available today. Also, NFS is supported on a number of non-UNIX platforms
such as Windows and Macintosh. On UNIX systems, NFS behaves and is
configured in much the same way regardless of which version of UNIX is used.
In recent years, network appliance servers have been developed, which are
systems that provide NFS services on dedicated, high-performance hardware
platforms. Typically, these servers are built to support only a smaller number of
services (such as NFS) and are not meant to support a wide range of additional
network services.
File sharing is a concept that has been around for quite some time; it means
that one or more files may be shared across a number of different systems
and by any number of users. The basic premise is that read-only file access can
be shared by any number of users when the file in question is stored within
NFS. Updating or writing to a file with multiple users is an entirely different
issue, and NFS provides the same services that are available with the operating
system. NFS files appear to the system as if they were stored locally. In other
words, NFS is implemented in such a way as to provide the same facilities for
files as if they were stored on the local file system.
NFS can be divided into two broad sections: the server and client. The server
component consists of several elements that include server processes and
configuration files. The client component includes a single server process. The
details of the server and client are described below.

Versions of NFS
NFS has seen some important improvements since it was first introduced back
in 1984. The features and improvements of the protocols are presented here:
● Version 1  This version only existed within Sun Microsystems and was
  never actually released as a product.
● Version 2  The first official release of the protocol was shipped with
  SunOS 2.0, and it had the following limitations:
  ● Didn’t support files greater than 2GB
  ● Maximum transfer rate of only 8K
  ● Limitation on performance due to client/server interaction
  ● Poor security features
● Version 3  This version has been out for a number of years and addresses
  some of the most important issues that plagued version 2. In addition,
  version 3 handles the following:
  ● Reliable asynchronous write
  ● Reduces protocol overhead
  ● Maintains backward compatibility with version 2
  However, security remained a significant problem for the earlier
  versions of NFS.
● Version 4  Back in 1999, Sun published a technical brief describing new
  features for NFS. Also, RFC3010 was developed, which described technical
  details regarding this new version. Basically, version 4 will provide better
  security, improve operation over WAN networks, provide better cross-platform
  interoperability, and include extensions to the protocol.

17.1 NFS Server Uncovered
The NFS server consists of several programs and services, which include
● nfsd
● lockd
● statd
● mountd

Also, the server contains a standard NFS configuration file, which lists all
the file systems that are made available to NFS clients. The process of making
one or more file systems available to NFS clients on the network is called “file
system exporting” or “sharing.”

The nfsd Process
The nfsd process handles NFS remote file system requests from client systems.
Typically, this process is started automatically on system startup. On Solaris,
the /etc/init.d/nfs.server startup script is used, while on Linux the
/etc/rc.d/init.d/nfsd script is used. For HP-UX, the
/etc/init.d/nfs.server script is used. By default, NFS servers use both TCP
and UDP transport protocols. However, depending on site requirements, the
transport protocol may be selected using the -p option, followed by the
protocol (such as tcp or udp).
One of the most important aspects of the NFS server configuration is the
number of concurrent requests that it can handle from clients. In large networks
or otherwise demanding computing environments, where many systems will
access NFS servers, it is important to ensure that each server is operating in the
most efficient manner possible. One way to increase server performance is to set
the maximum number of parallel NFS servers that should be run to handle NFS
requests. The number of NFS servers that are used is derived from the
command-line parameter within the server startup script. By default, only a
single server instance is started.

Note
Depending on the implementation of the NFS server, it may use lightweight
processes (kernel threads); when the ps or top commands are used to inspect
processes, the NFS server’s CPU usage will then not be reported accurately:
either zero CPU or a smaller amount than was actually used may be displayed.
In general, it is not uncommon to have as many as 10 or more NFS processes in
a demanding environment.

To increase the number of NFS server instances, edit the startup script
and place the desired number of instances after the nfsd process command
line. For example, to instruct the NFS server to start with eight instances, the
following would be used:
nfsd 8

To have this change take effect, restart the NFS process using the appropriate
startup script.

The lockd Process
The lockd process implements record locks for NFS files. Record locking
is a mechanism to restrict access to an individual file record or the entire file
when changes are being made. This is necessary when more than one user
or application is updating a file. The lockd process is also known as the lock
manager and handles lock requests from the fcntl system call, which is issued
from client systems.


The statd Process
The statd process is used in conjunction with the lockd process to handle
cases when the NFS server crashes and requires recovery. The statd process
keeps track of clients that spawn processes that hold locks on files from the
NFS server. Should the NFS server reboot after a crash, statd sends a message
to each client indicating that the NFS server has rebooted. Then, the lockd
process on the client attempts to reclaim any pending locks from the server.

The mountd Process
The mountd process is used to handle remote NFS mount requests from
clients. It is responsible for determining which file systems are available and
interacts with the client to provide file and directory information. By default,
this service is running when NFS services are activated.
If the system supports auto-mounting, such as in Solaris, the automountd
process is also active and provides the same basic services for clients as mountd.
The auto-mount facility provides a way to set up automatic mounting of file
systems when users access one or more files or directories.

17.2 Mounting Remote File System
One very interesting aspect of NFS is that it provides complete transparency of
remote file systems for the average user. In fact, from a file system perspective,
there is no difference between a remotely mounted file system and one that is
mounted from a local disk. For example, consider the following listing from
the /usr/docs directory:
drwxr-xr-x   6 root root 4096 Apr  1 22:01 .
drwxr-xr-x   6 root    1  512 Apr  1 23:03 ..
drwxr-xr-x   2 root root 4096 Apr  1 22:01 html
drwxr-xr-x   2 root root 4096 Apr  1 22:00 man
drwxr-xr-x   2 root root 4096 Apr  1 22:00 pdf
drwxr-xr-x   2 root root 4096 Apr  1 22:00 postscript

In the list above, four directories are shown using the ls -al command.
Can you identify which directories are stored locally versus those that are
actually stored on a remote NFS server? From this listing, it is impossible for
anyone to determine which directories are made available via NFS—they all
appear as if they are from the local file system.
To show which file systems are mounted locally versus remotely using NFS,
use the df command. This command shows interesting file system information
for all mounted file systems on the system. For example, issuing this command
on the system that contained the above /usr/docs directory shows
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0       480815   39338  393396    10%    /
/dev/dsk/c0d0s6      1587078  811771  727695    53%    /usr
/dev/dsk/c0d0s1       384847  117108  229255    34%    /var
/dev/dsk/c0d0s5       480815  337833   94901    79%    /opt
didymus:/docs        2522552 1665304  729108    70%    /usr/docs/pdf

As you can see from the output, the pdf directory is a remotely mounted
NFS file system from the system called didymus.
Just as when mounting a file system that is stored on a local disk, the mount
command can be used to connect NFS volumes to the local system. To mount the
file system called /share from the NFS server bedrock on the local directory
called /files, use the following command:
mount bedrock:/share /files

The mount command shown here provides only a temporary mount
of this volume. This means that the /share volume will not be mounted
automatically when the system is rebooted; thus, this NFS volume will go away
should the system called didymus be restarted. To address this issue, the
NFS mount must be defined within the standard NFS configuration file, such
as /etc/exports. Review the next section, “Share/Export File Options,” to
find out how to set up permanent NFS mounts.

The dfstab/export Files
In order for a UNIX NFS server to make local files available to clients,
each file system must be exported or shared on the network. On Solaris,
the /etc/dfs/dfstab is used to specify that the file systems should be
made available to clients on a permanent basis. On Linux and HP-UX, the
/etc/exports file is used instead. Both of these files contain pretty much
the same information; however, the supported command options do differ.


For example, the way to indicate if the file system access should be read-only
would be to use the string –o ro for dfstab, while (ro) is used for exports
file. A file system is exported or shared when it is made available to other systems
for mounting across the network. The process of exporting or sharing a file
system includes adding the designated file system to the exports or dfstab
and then issuing a command to make the file system “live” on the network.
A sample /etc/dfs/dfstab file is shown below:
share -F nfs -o rw /usr
share -F nfs -o ro /docs

In this example, two file systems, /usr and /docs, are being exported.
Note that the share string is included, which is the actual command that
makes the file system available. The share command on Solaris is used to
provide access to the file system resource for remote clients. The /usr file
system contains the file access option of rw. This indicates that both read and
write file access will be granted to NFS clients. The /docs file system is made
available read only due to the ro option.
A sample /etc/exports file includes the following:
/ (rw)
/docs (ro)

Share/Export File Options
Both the /etc/dfs/dfstab and /etc/exports configuration files are
used to provide automatic setup of NFS volumes for client systems. Each of
these files supports a number of similar options and also some unique ones.
Table 17-1 shows some of the most important options.
Option           Description
anon=uid         Sets the UID on the server to be the effective user ID of any unknown
                 users. By default, all unknown users are given the UID of 60001.
-F               (dfstab) Specifies the type of file system for the NFS volume. Use
                 the keyword nfs for NFS-type file systems.
-d               (dfstab) Provides a descriptive string of the NFS volume.
log              (dfstab) Enables NFS logging for the given file system.
rw               (Both) The associated pathname is read/write to all clients; this is
                 the default behavior if no option is provided (this default behavior
                 is for Solaris).
rw=client_host   (dfstab) A client system name may be specified with the NFS
                 volume permission. For Linux, the syntax includes client(rw).
ro               (Both) The associated pathname is read-only to all clients.
ro=client_host   (dfstab) A client system name may be specified with the NFS
                 volume permission. For Linux, the syntax includes client(ro).
root_squash      (exportfs) Maps any requests from the root user (UID of 0) to the
                 anonymous UID.
secure           (dfstab) Requires that NFS client requests originate on a network
                 port that is less than 1024. By default this option is enabled. Disable
                 by using the insecure option.
sync             Requests that all file write transactions be completed to the underlying
                 hardware before the write request has been completed. This means
                 that requests are buffered before the write requests are returned.

Table 17-1  Share/Export NFS Options

In order to gain a better understanding of some possible dfstab and
exports configuration options, a series of examples is provided in Table 17-2.
Each example shows the necessary options for both configuration files.

File system   /etc/dfs/dfstab Configuration                /etc/exports Configuration
/usr          share -F nfs -o rw=chips,ro=didymus /usr     didymus(ro) chips(rw)
              Explanation: Provide read-only access to the client called didymus and
              read-write access to the client called chips for the /usr file system.
/src          share -F nfs -o rw,anon=70000 /src           (rw,anonuid=70000)
              Explanation: Provide read-write access to all clients for the /src file
              system and also map the anonymous users to the UID of 70000.
/home         share -F nfs -o rw,log,root=bedrock /home    (rw,log,root=bedrock)
              Explanation: Provide read-write access to all clients for the /home file
              system, enable NFS logging, and also permit root access from the host
              called bedrock.

Table 17-2  Configuration File Options
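A parser for both export syntaxes in Tables 17-1 and 17-2, with the checks a reviewer would run over a server's export list; this is an added example, not the book's code. One caveat it encodes: in /etc/exports a host-less (options) group applies to every host, and a space accidentally placed between a host and its options produces exactly such a group. The sample lines are constructed from the tables, and the /pub line is constructed to show that mistake.

```python
"""Parse Solaris dfstab `share` lines and Linux /etc/exports lines into one
model and flag the grants a reviewer would question.  Added example, not
the book's code."""
import re
import shlex

# Constructed samples built from Tables 17-1 and 17-2; the /pub line is a
# constructed example of the host-then-space-then-(options) mistake.
SAMPLE_DFSTAB = """\
share -F nfs -o rw=chips,ro=didymus /usr
share -F nfs -o rw,anon=70000 /src
share -F nfs -o rw,log,root=bedrock /home
"""
SAMPLE_EXPORTS = """\
/usr didymus(ro) chips(rw)
/src (rw,anonuid=70000)
/docs (ro)
/pub didymus (rw)
"""

WORLD = "*"  # stands for "every host" in both syntaxes


def _opts(text):
    """'rw,anon=70000' -> {'rw': '', 'anon': '70000'}."""
    out = {}
    for item in filter(None, text.split(",")):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def parse_dfstab(text):
    """Return [(path, [(host, opts)])] from `share -F nfs -o ... path` lines.
    rw=h1:h2 and ro=h1 name hosts; a bare rw or ro applies to every host."""
    grants = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "share":
            continue
        opts = {}
        for i, tok in enumerate(argv):
            if tok == "-o" and i + 1 < len(argv):
                opts.update(_opts(argv[i + 1]))
        per_host = {}
        for mode in ("rw", "ro"):
            if mode in opts:
                hosts = opts[mode].split(":") if opts[mode] else [WORLD]
                for host in hosts:
                    per_host.setdefault(host, {})[mode] = ""
        # Remaining -o options (anon=, log, root=, ...) apply to the whole share.
        shared = {k: v for k, v in opts.items() if k not in ("rw", "ro")}
        grants.append((argv[-1], [(h, {**shared, **m}) for h, m in per_host.items()]))
    return grants


def parse_exports(text):
    """Return the same model from /etc/exports lines.  Each token after the
    path is host(opts), a bare host (default options) or (opts) alone, which
    applies to every host; so 'didymus (rw)' is a world-writable export."""
    grants = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        entries = []
        for tok in rest.split():
            m = re.fullmatch(r"([^(]*)(?:\(([^)]*)\))?", tok)
            if not m:
                raise ValueError(f"bad export entry: {tok}")
            entries.append((m.group(1) or WORLD, _opts(m.group(2) or "")))
        grants.append((path, entries))
    return grants


def audit(grants):
    """Findings a defender raises on either file: read-write for every host,
    root access passed through, and the anonymous UID mapped to root."""
    findings = []
    for path, entries in grants:
        for host, opts in entries:
            if host == WORLD and "rw" in opts:
                findings.append(f"{path}: read-write to every host")
            if "root" in opts or "no_root_squash" in opts:
                findings.append(f"{path}: root access granted ({opts.get('root') or host})")
            if opts.get("anon") == "0" or opts.get("anonuid") == "0":
                findings.append(f"{path}: anonymous users mapped to UID 0")
    return findings


if __name__ == "__main__":
    for name, grants in (("dfstab", parse_dfstab(SAMPLE_DFSTAB)),
                         ("exports", parse_exports(SAMPLE_EXPORTS))):
        print(name, *audit(grants), sep="\n  ")
```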


17.3 Exploring NFS Tools
UNIX provides additional tools for monitoring and controlling NFS services.
These tools include
● exportfs
● share/unshare
● showmount
● nfsstat

exportfs
The exportfs command is provided on Linux to make one or more file
systems available to clients on an NFS server. The file systems must be specified
within the /etc/exports file. The command supports a few command-line
options, and they are shown in Table 17-3.

Option   Description
-a       Export or unexport all file systems contained within the /etc/exports file.
-o       Specify a list of options when exporting file systems. See Table 17-1 for
         additional information.
-r       Reexport all file systems contained within the /etc/exports file.
-u       Unexport one or more file systems.
-v       Provide verbose output when exporting or unexporting file systems.

Table 17-3  Export Command-Line Options

To export all file systems contained within the /etc/exports file, issue
the following command:
exportfs -a

If you wanted to unexport all the file systems, issue the above command
again; this assumes that the file systems have already been exported. If not, it
simply exports them. The other approach is to use the -u option. You can also
specify the individual file systems that you want to export without having to
add them to the /etc/exports file. Just list the file system as an option to the
exportfs command. For example, to provide NFS access to the /prod file
system to the client didymus, use the following command:
exportfs didymus:/prod

To display a list of all exported file systems, just issue the exportfs
command without any options. Note that issuing this command doesn’t make
the export permanent. In order to make it last across reboots, the /etc/exports
file must be updated. Thus, the command
exportfs

will show all file systems that are available to clients:
/docs           dino.home.com
/               bedrock.home.com
/prod           *.home.com

In this example, the * character is shown; this is a shorthand notation to specify
a wildcard, which is interpreted as all hosts within the home.com domain.

share/unshare (Solaris Only)
Use the share command on the Solaris system to make NFS volumes available
over the network to client systems. To make NFS volumes available on a permanent
basis, use the /etc/dfs/dfstab file. To remove shared file systems, use the
unshare command.
Issuing the share command without any arguments shows the currently
available NFS volumes that are being shared. For example, the command
share

shows the following sample file systems:
-               /usr    rw    "user home directories"
-               /docs   ro    "system documentation"
-               /src    rw    "source tree"

To share a particular volume, specify it on the command line with the share
command. Also, the shareall command is provided to share all the NFS
volumes currently defined within the /etc/dfs/dfstab configuration file.

Note
Sharing a file system without it being defined within the dfstab file means that it
will not be shared when the NFS server is rebooted.

To remove or unshare a volume, use the unshare or unshareall
commands. Either command prohibits further NFS client access. If one or
more client systems were accessing an NFS volume when it was unshared, the
client would get a stale NFS file handle and the operation would not
complete; thus, care should be taken when removing NFS access from critical
file systems.

showmount
The showmount command is used to provide information about clients that
have mounted any file systems on the NFS server. For example, to display all
the clients that have mounted file systems on a Solaris system called bedrock,
issue the following command:
showmount -a

The -a option formats the output to show hostname:directory for
each file system and client. The sample output
didymus.home.com:/usr
didymus.home.com:/docs
chips.home.com:/usr
chips.home.com:/src

shows two client systems that have mounted file systems from bedrock. The
first client, didymus, has mounted both the /usr and /docs file systems.
The second system, called chips, has mounted the /usr and /src file systems.
The showmount command can also be used to show the available
mounted file systems on the local NFS server. For example, if the showmount
command is run with the -d option on the system bedrock, the following
would be shown:
/docs
/usr

The output above shows all the file systems that have been made available
to NFS clients. In this case, the output is similar to what is provided with the
share command.

nfsstat
The nfsstat command provides NFS server-based statistics and performance
information on NFS activities. The following categories of information can be
displayed:
● Server RPC statistics
● Server NFS statistics
● Client RPC statistics
● Client NFS statistics

The statistics that are displayed are determined by the command-line options,
which are listed in Table 17-4. Issuing the command without any parameters
will result in the -csnrc options being activated and the corresponding output
displayed for each statistic.

Option   Description
-a       Show NFS access control list (ACL) information.
-c       Show client-side information for NFS, RPC, and ACL.
-m       Show configuration and stats for each NFS mounted file system.
-n       Show both client and server NFS information.
-r       Show only remote procedure call (RPC) information.
-s       Show only server information.
-z       Reset all statistic counters. This can only be run by the superuser.

Table 17-4  The nfsstat Command-Line Options


The output of nfsstat is not that user friendly, but it does contain some
important information on the activities and configuration of the NFS server.
For example, the -m option displays statistical information on each mounted
file system, such as
/mnt/bedrock/docs from bedrock:/docs
Flags:
vers=3,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=32768,\
wsize=32768,retrans=5,timeo=600
Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

In this example, the /mnt/bedrock/docs file system is mounted from
the server called bedrock, and the associated file system configuration
information is also displayed. The Flags field shows the specific configuration
(either by default or manually configured) from the NFS server. From the
output we notice, for instance, that this file system is mounted with the hard
option on the client. A hard mount is one that ensures that a client system will
block any pending NFS activity should the file system become unavailable. This
is meant to ensure a certain level of file system integrity on the client system.
The Attr field contains file system cache attributes, which are used to control
the amount of time certain file elements (such as a file’s owner) are stored in the
NFS server cache. The remaining mount flag options and associated descriptions
are listed in Table 17-5.
NFS Mount Options   Description
vers                The version of the NFS protocol.
proto               The NFS lower-layer transport protocol. Can be either Transmission
                    Control Protocol (TCP) or User Datagram Protocol (UDP).
sec                 The security model used; values include none (no authentication),
                    sys (standard UNIX authentication based on UID and GID), short
                    (alternative UNIX-style authentication), dh (DES-based authentication),
                    and kbr (Kerberos v4, v5, or v5i).
hard                Hard NFS mount; ensures that should the NFS server not respond due to
                    some kind of failure, the client will block file transactions until the server
                    file system is restored.
soft                Soft NFS mount; does the inverse of a hard mount; instructs the client to
                    not block NFS transactions to the server, but lets them time out instead.
intr                Permits the client to interrupt a process when a transaction is pending
                    on the server.
link                The server supports file links.
acl                 Access control list (ACL) that applies to the file system; no assignment
                    means no authentication is used.
rsize               The size of the read buffer.
wsize               The size of the write buffer.
retrans             The retransmission delay in tenths of a second.
timeo               The transaction timeout in tenths of a second.
acregmin            The minimum amount of time (in seconds) to store cached file attributes.
acregmax            The maximum amount of time (in seconds) to store cached file attributes.
acdirmin            The minimum amount of time (in seconds) to store cached directory
                    attributes.
acdirmax            The maximum amount of time (in seconds) to store cached directory
                    attributes.

Table 17-5  The nfsstat Mount Options

Note
With regard to hard versus soft mounts, when hard mounts are used on client
systems, and the server experiences a problem that causes an interruption of
NFS services, the client can lock up until the server problem has been fixed.
The solution to address this is to use soft mounts. However, although using
soft mounts will help with the lockup problem, it doesn’t specifically address
any server problem since any pending NFS activity will simply time out. When
a timeout occurs, the client system will generate one or more error messages.
This could result in application-related problems.

To show specific NFS activity, use the following command:
nfsstat -n

The -n option displays NFS stats for both clients and the server. Sample
output is shown below and can be divided into two broad categories: specific
stats from the NFS server and from the client standpoint. The first part of
the listing includes server information that contains stats for both versions
2 and 3 of the NFS protocol. For each type of activity received by the server,
a counter is maintained. Also, for each counter, the percent of the total number
of transactions received is calculated. For example, the getattr attribute
consists of 35 percent of the total number of transactions received by the server.
The getattr call is used when specific file information is needed by an NFS
client system.
Server nfs:
calls      badcalls
478088     5
Version 2: (14 calls)
null       getattr    setattr    root       lookup     readlink
0 0%       5 35%      0 0%       0 0%       0 0%       0 0%
read       wrcache    write      create     remove     rename
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
link       symlink    mkdir      rmdir      readdir    statfs
0 0%       0 0%       0 0%       0 0%       3 21%      6 42%
Version 3: (478074 calls)
null       getattr    setattr    lookup     access     readlink
1 0%       23 0%      0 0%       57321 11%  414682 86% 2058 0%
read       write      create     mkdir      symlink    mknod
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
remove     rmdir      rename     link       readdir    readdirplus
0 0%       0 0%       0 0%       0 0%       3943 0%    1 0%
fsstat     fsinfo     pathconf   commit
24 0%      21 0%      0 0%       0 0%

Client nfs:
calls      badcalls   clgets     cltoomany
79         1          79         0
Version 2: (63 calls)
null       getattr    setattr    root       lookup     readlink
0 0%       55 87%     0 0%       0 0%       7 11%      0 0%
read       wrcache    write      create     remove     rename
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
link       symlink    mkdir      rmdir      readdir    statfs
0 0%       0 0%       0 0%       0 0%       0 0%       1 1%
Version 3: (15 calls)
null       getattr    setattr    lookup     access     readlink
0 0%       3 20%      0 0%       0 0%       1 6%       0 0%
read       write      create     mkdir      symlink    mknod
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
remove     rmdir      rename     link       readdir    readdirplus
0 0%       0 0%       0 0%       0 0%       0 0%       1 6%
fsstat     fsinfo     pathconf   commit
8 53%      2 13%      0 0%       0 0%

A listing and description of the individual counter fields are provided in
Table 17-6.


Field         Description
calls         The total number of NFS calls received.
badcalls      The total number of NFS calls that were rejected.
null          The total number of times an NFS call was made but not received.
getattr       The total number of file attribute lookup calls that were made. For
              example, obtaining information about the size of a file.
setattr       The total number of file set attribute calls that were made. For example,
              updating the modification date of a file.
root          The total number of root user requests that were made.
lookup        The total number of file/directory lookup requests that were made.
readlink      The total number of readlink (file link) requests that were made.
read          The total number of read requests that were made.
wrcache       The total number of write to cache requests that were made.
write         The total number of write requests that were made.
create        The total number of create (file or directory) requests that were made.
remove        The total number of remove requests that were made.
rename        The total number of rename requests that were made.
link          The total number of link (hard) requests that were made.
symlink       The total number of link (symbolic) requests that were made.
mkdir         The total number of create directory requests that were made.
rmdir         The total number of delete directory requests that were made.
readdir       The total number of read directory requests that were made.
statfs        The total number of file system status requests that were made.
readdirplus   The total number of read directory requests that were made.
fsstat        The total number of file status operation requests that were made.
fsinfo        The total number of file system status queries that were made.
pathconf      The total number of read path requests that were made.
commit        The total number of commit requests that were made.

Table 17-6  The nfsstat NFS Field Descriptions
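A parser for the Server nfs: portion of the nfsstat -n listing above, added here as an example and not part of the book: it reads the name/value line pairs into counters, recomputes an operation's share from the raw counts rather than the rounded percentages, and reports rejected calls (badcalls, Table 17-6). The input is the module's sample output re-typed as a constructed string.

```python
"""Parse an `nfsstat -n` listing into counters and sanity-check it.  Added
example, not the book's code; the sample is the server half of the listing
shown in this module, re-typed as constructed input."""
import re

SAMPLE_NFSSTAT = """\
Server nfs:
calls      badcalls
478088     5
Version 2: (14 calls)
null       getattr    setattr    root       lookup     readlink
0 0%       5 35%      0 0%       0 0%       0 0%       0 0%
read       wrcache    write      create     remove     rename
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
link       symlink    mkdir      rmdir      readdir    statfs
0 0%       0 0%       0 0%       0 0%       3 21%      6 42%
Version 3: (478074 calls)
null       getattr    setattr    lookup     access     readlink
1 0%       23 0%      0 0%       57321 11%  414682 86% 2058 0%
read       write      create     mkdir      symlink    mknod
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
remove     rmdir      rename     link       readdir    readdirplus
0 0%       0 0%       0 0%       0 0%       3943 0%    1 0%
fsstat     fsinfo     pathconf   commit
24 0%      21 0%      0 0%       0 0%
"""

VERSION_RE = re.compile(r"Version (\d+): \((\d+) calls\)")
COUNT_RE = re.compile(r"(\d+)\s+(\d+)%")   # "57321 11%" -> ('57321', '11')


def parse_nfsstat(text):
    """Return {section: {"calls": n, "badcalls": n, "version_calls": {v: n},
    "versions": {v: {op: count}}}}.  The listing alternates a line of names
    with a line of values, so lines are consumed in pairs."""
    sections, section, version = {}, None, None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip():
            continue
        if line.endswith(":"):                      # "Server nfs:" / "Client nfs:"
            section = sections.setdefault(line[:-1], {"version_calls": {}, "versions": {}})
            version = None
            continue
        if section is None:
            continue
        m = VERSION_RE.match(line)
        if m:
            version = int(m.group(1))
            section["version_calls"][version] = int(m.group(2))
            section["versions"][version] = {}
            continue
        names, values = line.split(), next(lines, "")
        if version is None:                          # "calls badcalls ..." header pair
            section.update(zip(names, map(int, values.split())))
        else:
            counts = [int(c) for c, _pct in COUNT_RE.findall(values)]
            section["versions"][version].update(zip(names, counts))
    return sections


def op_share(stats, section, version, op):
    """Fraction of one version's calls taken by `op`, recomputed from the raw
    counts instead of the rounded percentages nfsstat prints."""
    ops = stats[section]["versions"][version]
    total = sum(ops.values())
    return ops[op] / total if total else 0.0


def findings(stats):
    """Per-version counters must add up to the header's call count, and any
    rejected calls (badcalls) are worth reporting on their own."""
    out = []
    for name, sec in stats.items():
        for version, ops in sec["versions"].items():
            total, claimed = sum(ops.values()), sec["version_calls"][version]
            if total != claimed:
                out.append(f"{name} v{version}: counters sum to {total}, header says {claimed}")
        if sec.get("badcalls"):
            out.append(f"{name}: {sec['badcalls']} rejected calls out of {sec['calls']}")
    return out


if __name__ == "__main__":
    stats = parse_nfsstat(SAMPLE_NFSSTAT)
    print(f"getattr share of v2 calls: {op_share(stats, 'Server nfs', 2, 'getattr'):.1%}")
    print(*findings(stats), sep="\n")
```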

17.4 Configuring NFS Clients
The client component consists of a single background process, standard UNIX
directories for the mounts, and a configuration file. The mountd process must
be running on the client systems that issue NFS mount requests to the NFS
server. In order for the client to use the remote file system, it must be mounted
onto an existing UNIX directory, and the client has to have the associated
permission on the NFS server to access the remote file system. Finally, a
configuration file is needed to have the NFS mounts remembered between
system reboots.
Typically, the administrator doesn’t need to worry about any associated
processes for client NFS systems, because any required services are started
automatically when client requests are issued. Instead, the main areas of concern
are making sure a client can access the NFS server if security has been enabled
and that the client is configured to mount one or more file systems automatically.
The mounting of a file system on a standard UNIX client from an NFS server
involves several simple steps. These steps are described in the following procedure.
In particular, the example shows the /docs file system being mounted on the
client system called chips, from the NFS server called bedrock.

Note
Assume the system chips has already been installed on the network and network
connectivity and services are fully operational. For example, chips has been
placed within the NIS or DNS services and can talk to the NFS server bedrock
using such tools as ping.

1. Create the target directory that will be used for the associated mount point
from the remote file system. For example, the remote file system is called
/docs. As the administrator, you must determine the name of the local
directory that will be used to access the files from the docs directory. In
our example, let’s assume we are going to use the new target directory
called /usr/docs.
Thus, the UNIX command mkdir /usr/docs must be executed on the
client system; this will create the target directory mount point for the client.
2. Attempt to mount the file system manually using the UNIX command line.
The following command would be used:
mount bedrock:/docs /usr/docs

When mounting an NFS file system, the hostname is specified in front of
the name of the remote file system, followed by the target directory. In this
example, bedrock:/docs specifies the name of the NFS server, plus the
file system name.


3. Verify access to the newly mounted system by listing the files using the
ls -l /usr/docs command. If you see files, the mount was successful.
4. Edit the associated system configuration file to make the NFS mount
permanent across system reboots. For Linux, the /etc/fstab file
is used, and for both Solaris and HP-UX, the /etc/vfstab is used.
Regardless of which operating system is involved, the NFS mount entry is
very similar. Consider the file syntax depending on the UNIX system:
● Linux (/etc/fstab):
bedrock:/docs    /mnt/bedrock/docs    nfs    bg,soft    0 0
● Solaris/HP-UX (/etc/vfstab):
didymus:/docs    -    /mnt/didymus/docs    nfs    -    yes    bg,soft

Review the section “Controlling the File System Mount Table” below for
additional information on the syntax of these files.

17.5 Controlling the File System Mount Table
The file system table indicates which local and remote
file systems should be mounted when the system is brought from single-user
mode to multi-user mode or when the system is rebooted and brought to
normal operational status. For Linux, the /etc/fstab file is used, while on
both Solaris and HP-UX, the /etc/vfstab file is used. In both cases, the
contents of these files are static by nature and are maintained by the system
administrator. When new file systems are added to the system, or when new
NFS volumes are made available on the network, these files must be updated
for the client system to use these new file systems.
The file system mount table consists of several fields, which describe the file
systems that are either mounted locally or from remote NFS servers. In the case
of NFS, additional options are used to control how the file systems are mounted.
In general, the mount table consists of the following fields:
● file_system [NFS host:file system] mount_point type additional_options
Some fields may contain one or more optional parameters or keywords. The fields include
● file_system This represents the name of the file system or
partition name, for example, the entry /dev/dsk/c1d0s2. With
NFS, this contains the name of the NFS server followed by the name
of the remote file system, for instance, the entry bedrock:/usr.

Note
The colon character (:) is needed as a string separator.

● mount_point The mount point represents the directory that the
file system will be mounted on, for instance, /usr/docs. The target
directory should be empty, and the administrator should check
the status of an existing directory before mounting.

Note
If a file system is mounted onto a directory that contains additional directories or
files, these become invisible while the new file system is mounted. Thus, to gain
access to these files or directories, the file system should be unmounted.

The mount point is the directory that the file system will be associated
with and that is used by the users to navigate the mounted file system.
The purpose of the target directory is the same regardless of whether the file
system is local or from an NFS server.
● type The type field represents the type of file system that should
be mounted. For example, the keyword ufs represents a local file
system, while the nfs keyword is used for remote NFS file systems.
Additional keyword types are supported, and the most common ones
are listed in Table 17-7.
● additional_options The additional options section represents
a few fields that further control the mounting of file systems. For
example, for NFS file systems, the client can mount the volume using
either hard or soft modes. The NFS hard mode instructs the client
system to cause any pending process to sleep when the NFS volume
becomes unavailable. This might be necessary, for example, to ensure
that a critical transaction will complete when the NFS volume is made
available again. The soft mode causes the inverse to occur: any pending
process will simply time out due to an NFS volume that becomes
unavailable. In general, the soft mode can be used in most cases and
computing environments.

File system   Description
auto          (Linux only) File systems that are mounted via the automounter (for
              example, floppy disk).
ext3          (Linux only) Extended file system.
proc          The process file system, which maps both system and process information
              onto directories and files.
nfs           Network File System.
swap          Swap file.
ufs           Universal File System; this file system will be local to the system.

Table 17-7  File System Types
A sample /etc/fstab that was obtained from a Linux system contains the
following:
LABEL=/            /                   ext3     defaults          1 1
/dev/fd0           /mnt/floppy         auto     noauto,owner      0 0
none               /proc               proc     defaults          0 0
none               /dev/shm            tmpfs    defaults          0 0
none               /dev/pts            devpts   gid=5,mode=620    0 0
/dev/hda5          swap                swap     defaults          0 0
bedrock:/docs      /mnt/bedrock/docs   nfs      bg,soft           0 0
bedrock:/usr       /mnt/bedrock/usr    nfs      bg,soft           0 0

A sample /etc/vfstab file that is available on a Solaris system contains
the following:
#device               device                mount               FS      fsck   mount     mount
#to mount             to fsck               point               type    pass   at boot   options
#
#/dev/dsk/c1d0s2      /dev/rdsk/c1d0s2      /usr                ufs     1      yes       -
fd                    -                     /dev/fd             fd      -      no        -
/proc                 -                     /proc               proc    -      no        -
/dev/dsk/c0d0s3       -                     -                   swap    -      no        -
/dev/dsk/c0d0s0       /dev/rdsk/c0d0s0      /                   ufs     1      no        -
/dev/dsk/c0d0s6       /dev/rdsk/c0d0s6      /usr                ufs     1      no        -
/dev/dsk/c0d0s1       /dev/rdsk/c0d0s1      /var                ufs     1      no        -
/dev/dsk/c0d0p0:boot  -                     /boot               pcfs    -      no        -
/dev/dsk/c0d0s7       /dev/rdsk/c0d0s7      /export/home        ufs     2      yes       -
/dev/dsk/c0d0s5       /dev/rdsk/c0d0s5      /opt                ufs     2      yes       -
swap                  -                     /tmp                tmpfs   -      yes       -
didymus:/             -                     /mnt/didymus/root   nfs     -      yes       bg,soft
didymus:/docs         -                     /mnt/didymus/docs   nfs     -      yes       bg,soft
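Added example, not the book's code: a reader for the NFS rows of both table formats described in this section (the six-field fstab and the seven-field vfstab), returning the fields named above and reviewing the hard/soft and bg options discussed in 17.4 and 17.5. The sample tables are constructed from the module's listings, with one hard-mounted line added to the fstab so that both modes appear.

```python
"""Parse the NFS entries out of a Linux /etc/fstab or a Solaris/HP-UX
/etc/vfstab and review the mount options the module discusses.  Added
example, not the book's code."""

# Constructed samples: the module's listings, plus a hard-mounted /usr line
# added to the fstab so that both modes appear.
SAMPLE_FSTAB = """\
LABEL=/            /                  ext3    defaults         1 1
/dev/fd0           /mnt/floppy        auto    noauto,owner     0 0
/dev/hda5          swap               swap    defaults         0 0
bedrock:/docs      /mnt/bedrock/docs  nfs     bg,soft          0 0
bedrock:/usr       /mnt/bedrock/usr   nfs     hard             0 0
"""
SAMPLE_VFSTAB = """\
#device           device            mount              FS     fsck  mount    mount
#to mount         to fsck           point              type   pass  at boot  options
/dev/dsk/c0d0s0   /dev/rdsk/c0d0s0  /                  ufs    1     no       -
didymus:/         -                 /mnt/didymus/root  nfs    -     yes      bg,soft
didymus:/docs     -                 /mnt/didymus/docs  nfs    -     yes      bg,soft
"""

# Field positions of (device, mount point, type, options) per file format.
FIELDS = {"fstab": (0, 1, 2, 3), "vfstab": (0, 2, 3, 6)}
MIN_FIELDS = {"fstab": 4, "vfstab": 7}


def parse_mount_table(text, fmt):
    """Return one dict per NFS entry.  fstab rows are device, mount point,
    type, options, dump, pass; vfstab rows are device to mount, device to
    fsck, mount point, type, fsck pass, mount at boot, options."""
    if fmt not in FIELDS:
        raise ValueError(f"unknown table format: {fmt}")
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if len(f) < MIN_FIELDS[fmt]:
            raise ValueError(f"malformed {fmt} line: {line}")
        dev, mnt, typ, opts = (f[i] for i in FIELDS[fmt])
        if typ != "nfs":
            continue
        options = [o for o in opts.split(",") if o and o != "-"]
        server, _, remote = dev.partition(":")   # "bedrock:/docs" -> server, path
        entries.append({
            "server": server,
            "remote": remote,
            "mount_point": mnt,
            "options": options,
            # fstab mounts at boot unless noauto; vfstab says so in its 6th field.
            "at_boot": "noauto" not in options if fmt == "fstab" else f[5] == "yes",
            # hard is the behaviour when neither keyword is given.
            "mode": "soft" if "soft" in options else "hard",
        })
    return entries


def review(entries):
    """Operational findings drawn from the module's hard/soft discussion."""
    out = []
    for e in entries:
        where = f"{e['server']}:{e['remote']} on {e['mount_point']}"
        if e["mode"] == "hard" and "intr" not in e["options"]:
            out.append(f"{where}: hard mount without intr, an unreachable server "
                       "blocks client processes until it returns")
        if e["at_boot"] and "bg" not in e["options"]:
            out.append(f"{where}: mounted at boot without bg, an unreachable "
                       "server delays the boot sequence")
    return out


if __name__ == "__main__":
    for fmt, text in (("fstab", SAMPLE_FSTAB), ("vfstab", SAMPLE_VFSTAB)):
        entries = parse_mount_table(text, fmt)
        print(fmt, [(e["server"], e["remote"], e["mode"]) for e in entries])
        print(*review(entries), sep="\n")
```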


Mastery Check
1. What command would you use in the NFS startup script to start the server
with four processes?
2. The __________ process restricts access to an individual file record or the
entire file when changes are being made.
3. True/False: From a file system perspective there is a difference between a
remotely mounted file system and one that is mounted from a local disk.
4. On a Solaris NFS server, what configuration file specifies which file
systems should be made available to clients on a permanent basis?
A. /etc/dfs/dfstab
B. /etc/exports
C. /etc/fstab
D. /etc/vfstab
5. What command provides NFS server-based statistics and performance
information on NFS activities?
6. On a Linux system, what is the file system table used to indicate which
local and remote file systems should be mounted when the system is
brought from single-user mode to multi-user mode or when the system
is rebooted and brought to normal operational status?
A. /etc/dfs/dfstab
B. /etc/exports
C. /etc/fstab
D. /etc/vfstab

Please refer to the following output for questions 7-8:
Server nfs:
calls      badcalls
478088     5
Version 2: (14 calls)
null       getattr    setattr    root       lookup     readlink
0 0%       5 35%      0 0%       0 0%       0 0%       0 0%
read       wrcache    write      create     remove     rename
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
link       symlink    mkdir      rmdir      readdir    statfs
0 0%       0 0%       0 0%       0 0%       3 21%      6 42%
Version 3: (478074 calls)
null       getattr    setattr    lookup     access     readlink
1 0%       23 0%      0 0%       57321 11%  414682 86% 2058 0%
read       write      create     mkdir      symlink    mknod
0 0%       0 0%       0 0%       0 0%       0 0%       0 0%
remove     rmdir      rename     link       readdir    readdirplus
0 0%       0 0%       0 0%       0 0%       3943 0%    1 0%
fsstat     fsinfo     pathconf   commit
24 0%      21 0%      0 0%       0 0%

7. How many version 3 read directory requests were made?
8. What percent of the total version 2 requests were write to cache requests?

Please refer to the following configuration file for questions 9-11:
LABEL=/            /                   ext3     defaults          1 1
/dev/fd0           /mnt/floppy         auto     noauto,owner      0 0
none               /proc               proc     defaults          0 0
none               /dev/shm            tmpfs    defaults          0 0
none               /dev/pts            devpts   gid=5,mode=620    0 0
/dev/hda5          swap                swap     defaults          0 0
bedrock:/docs      /mnt/bedrock/docs   nfs      bg,soft           0 0

9. What is the system name of the device that is being mounted with NFS?
10. What is the mount point for the file system mounted with NFS?
11. Is the NFS mount in this example a hard or a soft mount?

Module 18
File Transfer Protocol

Critical Skills
18.1 Explore a Sample FTP Session
18.2 Discover FTP Commands
18.3 Controlling FTP Access
18.4 Configure Anonymous FTP
18.5 Log FTP Activity


The File Transfer Protocol (FTP) is a widely implemented file transfer
mechanism that provides access to files on a central server from one or more
FTP client applications. FTP itself is a collection of rules on how to physically
transfer files (either text or binary) from one system to another, without
worrying about file system differences or the operating systems involved. For
example, a Windows PC can transfer a file from a UNIX system, despite the
fact that the two operating systems involved catalog and store files differently.
The FTP server consists of one or more FTP server processes that handle
requests for each FTP session. A session is one that has been issued by an FTP
client to a server; there is a corresponding match between the number of clients
and the number of FTP server processes. Every time a client makes a new session, a new FTP
process is started to handle the client connection.
The FTP server and client application are built using the standard client/
server model, where the client issues one or more requests and the server
attempts to fulfill those requests. The basic FTP interaction includes the
following:
1. A user invokes a client FTP application that requests to log in to an FTP
server; the application opens a connection to the server.
2. The user specifies the authentication parameters (such as login name and
password) to the server.
3. The server validates the authentication information, and if acceptable,
permits the user to access the server.
4. The user accesses the files on the FTP server and can list, retrieve, or place
files on the server, depending on specific permissions and configuration options.
5. The user logs off the FTP server and closes the session connection.

Many FTP sites provide general anonymous login access,
which basically means that any user can access files on the server when they
use the anonymous username. This is done to provide a general server without
the need of defining specific user accounts.


Note
In general, anonymous FTP access can be dangerous. It is important that
anonymous FTP access be set up correctly; otherwise, the server can be more
susceptible to increased security-related problems from malicious Internet users.

The Linux FTP server software is from Washington University and is typically
referred to as wu.ftpd. However, on later releases of Linux (such as Red Hat 7.2),
the server is simply called ftpd. On Solaris and HP-UX, the FTP server is called
in.ftpd and comes directly from the operating system provider. However, it
is quite common for the system administrator to download the wu-ftpd software
to run on these environments instead of the default packages.

Hint
On many (if not all) UNIX systems, the FTP server is not started automatically
when the system boots, like other network services such as DHCP. Instead, the
FTP server is invoked from the inetd network master service found on both
HP-UX and Solaris (or xinetd on Linux). Once a client FTP session is activated, a
server process is started to handle the client connection, and when the client
closes the connection, the server exits and no longer runs. Configuration of
the FTP server using either inetd or xinetd is discussed later in this module.

18.1 Explore a Sample FTP Session
To further understand the basic operation of FTP services, a sample FTP session
has been provided. In this example, an FTP server is running on a system called
bedrock, while the client session is invoked from a system called didymus.
This is shown in Figure 18-1.
In this example, both systems are UNIX systems, but it doesn’t always have
to be that way; the client system can be running any software that supports FTP
client operations. For example, Windows ships with an FTP client. On the server
side, again, any operating system can be used provided that an FTP server is
running on the system.

Figure 18-1  Sample FTP session

On the client side (didymus), the user invokes the FTP session to the
server (bedrock) using the standard UNIX ftp client program:
[root@didymus /]# ftp bedrock
Connected to bedrock (216.155.202.100).
220 bedrock FTP server (Eng Server) ready.
Name (bedrock:root): root
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

In the example above the ftp command includes the name of the FTP
server to access. Once the connection has been made, the server responds with
some server-side information to include the name of the server (for instance,
Connected to bedrock (216.155.202.100).) and a login prompt
(Name (bedrock:root):). At this point, it is up to the user, via the client
software, to provide authentication information (login name and password) to
gain access to the FTP server.
In the output above, the root account and associated password were used
to gain access to the FTP server. This demonstrates that the FTP server works
with the standard UNIX account login procedures. Typically, if you are going
to provide FTP over the Internet, you will set up anonymous account access;
otherwise, you will need to create accounts for FTP-only users.

Module 18: File Transfer Protocol

Note
By default, many UNIX systems permit users to access FTP services without
additional configuration or setup. Configuring anonymous access for FTP will be
discussed later in this module.

Once the user has been authenticated to the FTP server, it echoes a message
indicating the user has been logged in like the following:
230 User root logged in.

At this point, the FTP server indicates the type of system the server is
running on (Remote system type is UNIX.) and provides some additional
configuration information on the connection (Using binary mode to
transfer files.). The “binary mode” message indicates that any file
transfer will be done in such a way as to ensure that binary data is transferred
accurately.
Finally, the standard FTP server prompt is provided: ftp>, which indicates
the FTP client shell. This informs the user that the server is ready to accept FTP
commands. At the prompt, the user may list available FTP commands, obtain
a directory listing of either the remote or local current directories, get a remote
file from the server, or put a local file on the server. Some of these activities
depend on having certain privileges or configuration parameters set on the FTP
server side.

Obtaining a Directory Listing
The FTP service provides the ability to navigate the directories on the remote
FTP server using the dir FTP command. For example, the following output
shows this command:
ftp> dir
227 Entering Passive Mode (216,155,202,100,128,164)
150 ASCII data connection for /bin/ls (216.155.202.163,1048) (0 bytes).
total 28
drwxrwxr-x   7 root     sys          512 Feb  2 13:37 .
drwxr-xr-x  32 root     root        1024 Apr 19 12:39 ..
drwxr-xr-x   6 root     sys          512 Nov 11 16:37 SUNWebnfs
drwxrwxr-x   3 bin      bin          512 Nov 11 16:11 SUNWits
drwxr-xr-x   3 root     1            512 Feb  2 13:37 answerbooks
drwx------   2 root     root        8192 Nov 11 16:00 lost+found
drwxr-xr-x  20 root     sys          512 Jan 24 23:20 sfw
-r--r--r--   1 root     1            916 Apr 20 17:09 xtrace
-r--r--r--   1 root     1           1016 Apr 20 15:10 yellow
226 ASCII Transfer complete.
ftp>

The output generated is from the /bin/ls command; thus, this file listing
should be familiar to the reader at this point. The ftp client program supports
wildcard matching and other regular-expression characters such as "[]", "*",
and "?". The dir command can be combined with UNIX expressions to list
only certain files and/or directories. Thus, the command
ftp> dir SUN*

will yield the following output, which is based on the directory listing from above:
227 Entering Passive Mode (216,155,202,100,128,172)
150 ASCII data connection for /bin/ls (216.155.202.163,1049) (0 bytes).
SUNWebnfs:
total 524
drwxr-xr-x   6 root     sys          512 Nov 11 16:37 .
drwxrwxr-x   7 root     sys          512 Feb  2 13:37 ..
drwxr-xr-x   4 root     sys          512 Nov 11 16:37 JFileChooser-patch
drwxr-xr-x   4 root     sys          512 Nov 11 16:37 demos
drwxr-xr-x   3 root     sys          512 Nov 11 16:37 javadoc
drwxr-xr-x   2 root     sys          512 Nov 11 16:37 sample
-rw-r--r--   1 root     sys       122052 May 28  1999 webnfs.zip
-rw-r--r--   1 root     sys       121613 May 28  1999 xfilechooser.jar
SUNWits:
total 6
drwxrwxr-x   3 bin      bin          512 Nov 11 16:11 .
drwxrwxr-x   7 root     sys          512 Feb  2 13:37 ..
drwxrwxr-x   3 bin      bin          512 Nov 11 16:11 Graphics-sw
226 ASCII Transfer complete.
ftp>

As you can see, the contents of the directories named SUNWebnfs and
SUNWits were listed. In addition, other expressions are supported, such as
listing just certain files using file range name matching. The command
ftp> dir [x-y]*

will show only those files (or any directories) whose names start with a
character in the range x through y:
227 Entering Passive Mode (216,155,202,100,128,184)
150 ASCII data connection for /bin/ls (216.155.202.163,1061) (0 bytes).
-r--r--r--   1 root     1            916 Apr 20 17:09 xtrace
-r--r--r--   1 root     1           1016 Apr 20 15:10 yellow
226 ASCII Transfer complete.
ftp>

In this case, both the xtrace and yellow files were listed. The "?" character
is used to match a single character within a filename.

Configuration Options
The FTP client application in conjunction with the remote FTP service can
negotiate certain file transfer options or configuration parameters. For example,
the client can request that a file transfer should be done in binary mode versus
text (ASCII) mode. Binary mode file transfer means that the contents of a file
are sent to the remote server without any conversion of characters. This mode
is also called raw or image mode, and is used to transfer files that contain
programs or other files that must not be converted to the ASCII character set.
By default, most FTP servers configure the connection to support ASCII
transfer mode. Thus, to set the connection to binary mode, use the binary
command:
ftp> binary

Once executed, the ftp client issues a response indicating that its transfer
mode is now image:
200 Type set to I.

To go back to ASCII mode, use the ascii command.

Retrieving a File
When obtaining or retrieving files from the server, it is helpful to think of the server
as the “remote” end of the FTP connection, while the client side is the “local”
end. In our example above, the remote end is bedrock, while the local end is


didymus. With FTP, to transfer a file from the remote end to the local end,
you would use the get FTP command. Thus, to transfer the file yellow from
the bedrock server to the local system, use the following command while in the
FTP shell:
ftp> get yellow

The client session will show the following:
227 Entering Passive Mode (216,155,202,100,128,206)
150 ASCII data connection for yellow (216.155.202.163,1047) (916 bytes).
226 ASCII Transfer complete.
938 bytes received in 0.000418 secs (2.2e+03 Kbytes/sec)
ftp>


As you can see, the output includes the name of the file, the size of the file,
and the amount of time it took to transfer the contents of the file. Also, the
relative network performance was shown.
To verify that the file was actually transferred, inspect the local system by
using the !ls –l yellow command. The ! (bang) character is supported
on many UNIX FTP client programs, which permits the execution of a local
command (in this case, the ls –l command, which lists files and/or directories).
Thus, when this command is run within the FTP client shell, and when no
errors were generated during the file transfer, the following should be displayed:
-rw-r--r--   1 root     root          916 Apr 25 02:03 yellow

Note
The byte counts for the file yellow match the number of bytes transferred with
the FTP program.

Sending a File
To send a local file to the remote host, use the put FTP command. Thus,
to place a new file called steve.dat onto the bedrock system, use the
following command:
ftp> put steve.dat


When the command is executed, the following is displayed by the client
program:
local: steve.dat remote: steve.dat
227 Entering Passive Mode (216,155,202,100,128,208)
150 ASCII data connection for steve.dat (216.155.202.163,1050).
226 Transfer complete.
18396 bytes sent in 0.0124 secs (1.5e+03 Kbytes/sec)
ftp>

Again, much of the same information is shown as in the previous transfer
example. To verify the file was sent (which, in most cases, is not necessary),
use the dir command with the filename:
ftp> dir steve.dat
227 Entering Passive Mode (216,155,202,100,128,210)
150 ASCII data connection for /bin/ls (216.155.202.163,1052) (0 bytes).
-rw-r--r-1 root
1
17884 Apr 24 15:23 steve.dat
226 ASCII Transfer complete.
ftp>

As you can see, the file is listed on the remote end, confirming the transfer.

Monitoring File Transfers
When transferring very large files, it is hard to determine if the transfer is
progressing or has stopped for some reason. As a result, most FTP clients
support the hash command. When enabled, the hash command tells the FTP
client to echo a “#“ character every time a block of information was successfully
retrieved. For example, the command
ftp> hash

shows the following:
Hash mark printing on (1024 bytes/hash mark).

Thus, when each chunk of the file is transferred, a new pound sign is displayed.
Here is what will be shown when a file called record.dat is transferred:
ftp> put record.dat
local: record.dat remote: record.dat


227 Entering Passive Mode (216,155,202,100,128,213)
150 ASCII data connection for record.dat (216.155.202.163,1055).
############################################################################
############################################################################
############################################################################
######
226 Transfer complete.
240902 bytes sent in 0.257 secs (9.1e+02 Kbytes/sec)

Due to the size of the file, a number of hash characters were displayed—thus
providing a visual way to see the FTP activity. Use the bye command to close
the FTP session. This logs you off the server and exits the FTP client program.

18.2 Discover FTP Commands
The FTP facility supports a large number of commands. However, the most
important and popular ones are listed and described in Table 18-1. Note, too,
that some of the listed commands may or may not be supported on either the
FTP client or server end. Typing the “?“ (or help) command will provide a list

FTP Command

Description

ascii

Enable ASCII transfer mode; this mode is used to copy regular
text files.
Enable binary transfer mode; this is used to copy programs and
other data files—for example, tar or gzip archive files.
Log off the FTP server.
Change working directory.
Change the mode of a file or directory.
Close the FTP session.
Delete a file or directory.
Enable debug mode, which will display more information about
each transaction.
Display the current directory listing or individual file.
Same as bye.
Transfer a file from the remote server to the local client.
Enable specific character matching for files and directories.

binary
bye
cd
chmod
close
delete
debug
dir
exit
get
glob

Table 18-1

Command FTP Commands

Module 18:

File Transfer Protocol

FTP Command

Description

hash

Enable hash mode; displays a # character for each 8K block of
data that has been transferred.
Display a list of FTP commands.
Same as binary command.
Change working directory on local client system.
Like dir command.
Delete multiple files and directories.
Transfer multiple files from the remote server to the local client.
Transfer multiple files from the client to the server.
Open a new FTP session.
Toggle the prompting of confirmation before transfer begins.
When enabled, it will prompt for each file before transfer begins.
Print the working directory.
Same as bye.
Remove a directory on the server side.
Same as put.
Show the FTP session status.
Display additional information for each transaction (like debug,
but not as much information).

help
image
lcd
ls
mdelete
mget
mput
open
prompt
pwd
quit
rmdir
send
status
verbose

Table 18-1

Command FTP Commands (continued)

of supported commands for the client side, but these may not all be available on
the server side.

18.3 Controlling FTP Access
On the FTP server, the /etc/ftpusers file can be used to control access to
the FTP server.

Note
On Linux, this file is replaced by the /etc/ftpaccess configuration file.

On Solaris, by default, the file contains the following entries:
● daemon
● bin
● sys
● adm
● lp
● uucp
● nuucp
● listen
● nobody
● noaccess
● nobody4

Each of the login names defined within this file is blocked from using the
FTP facility. Note that each name is on a separate line by itself and there is no
special ordering—the file is simply processed from beginning to end whenever
a user accesses the FTP server. If a user that is listed within this file attempts
to access the FTP server, they get a login incorrect message. When a
change is made to the /etc/ftpusers file, it takes effect immediately and no
additional steps are necessary to restrict users.
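As an added example (not from the book), the following Python helpers model the /etc/ftpusers behaviour just described: one login name per line, order irrelevant, any listed name refused. They also carry out step 4 of Project 18-1 later in this module, adding ftp on a line by itself to refuse anonymous logins. The file contents are the Solaris defaults listed above, embedded as a string; treating lines that begin with # as comments is an assumption.

```python
# Default Solaris /etc/ftpusers contents as listed in the text (embedded here as a string).
SOLARIS_FTPUSERS = """\
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4
"""


def parse_ftpusers(text):
    """Return the set of login names the file denies FTP access to.

    Each name sits on its own line and order does not matter. Blank lines are
    skipped; treating '#' lines as comments is an assumption (the Solaris
    default file has none).
    """
    denied = set()
    for line in text.splitlines():
        name = line.strip()
        if name and not name.startswith("#"):
            denied.add(name)
    return denied


def ftp_login_permitted(ftpusers_text, login):
    """True unless the login is listed; a listed user gets 'Login incorrect'."""
    return login not in parse_ftpusers(ftpusers_text)


def deny_ftp_login(ftpusers_text, login="ftp"):
    """Project 18-1 step 4: add a login (by default 'ftp', the anonymous account)
    on a line by itself. Returns the new file contents; no change if already listed.
    """
    if login in parse_ftpusers(ftpusers_text):
        return ftpusers_text
    if ftpusers_text and not ftpusers_text.endswith("\n"):
        ftpusers_text += "\n"
    return ftpusers_text + login + "\n"


if __name__ == "__main__":
    hardened = deny_ftp_login(SOLARIS_FTPUSERS)
    for name in ("bin", "root", "ftp"):
        print(f"{name}: {'permitted' if ftp_login_permitted(hardened, name) else 'refused'}")
```

The same helper adds any other login you want refused; the sample session earlier in this module shows root logging in over FTP, which these defaults do not prevent.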
When the wu-ftpd server is deployed, the /etc/ftpaccess file can be
used to replace the function of the /etc/ftpusers file. Also, /etc/ftpaccess
provides additional configuration options. The wu-ftpd
server comes standard with Linux. The /etc/ftpaccess configuration file
can be used to control the following:
● Access to the FTP server
● Which commands a user may execute
● The logging of FTP access
● General FTP configuration
The default entries for this file are shown here:

# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.
# Don't allow system accounts to log in over ftp
#deny-uid %-99 %65534
#deny-gid %-99 %65534
allow-uid ftp
allow-gid ftp
# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.
guestgroup ftpchroot
# User classes...
class   all   real,guest,anonymous   *
# Set this to your email address
email root@localhost
# Allow 5 mistyped passwords
loginfails 5
# Notify the users of README files at login and when
# changing to a different directory
readme  README*    login
readme  README*    cwd=*
# Messages displayed to the user
message /welcome.msg            login
message .message                cwd=*
# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all
# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous
# Turn on logging to /var/log/xferlog
log transfers anonymous,guest,real inbound,outbound
# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page
shutdown /etc/shutmsg
# Ask users to use their email address as anonymous
# password
passwd-check rfc822 warn

18.4 Configure Anonymous FTP
On the Internet, many sites offer free FTP access to the public; this is known
as anonymous FTP. Basically, anyone can log in to an FTP service using a generic
login and password. This type of access can be dangerous, since you really don’t
know the true identity of the user accessing the server.
Here is an anonymous login session using the "ftp.cisco.com" server:
# ftp ftp.cisco.com
Connected to ftp.cisco.com.
220-
220- Cisco Connection Online          |     |       Cisco Systems, Inc.
220- Email: cco-team@cisco.com       |||   |||      170 West Tasman Drive
220- Phone: +1.800.553.2447     .:|||||:..:|||||:.  San Jose, CA 95134
220-
220- You may login with:
220+   Your CCO username and password, or
220+   A special access code followed by your e-mail address, or
220+   "anonymous" followed by your e-mail address for guest access.
220-
220-
220 ftp-poc-2 FTP server (CIOESD #422 Wed May 1 14:15:23 PDT 2002) ready.

At this point, the anonymous username is entered, and the FTP server prompts
for the password, which by convention is the e-mail address of the user:
User (ftp.cisco.com:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:

If the login name and password are accepted, the FTP server grants access to
the system, and displays a welcome message.

Note
Not all FTP servers display these types of informative messages.

230- <======[+]> FTP.CISCO.COM <[+]=======>
230-
230-Welcome to the Cisco Systems CCO FTP server.
230-
230-Local time is currently Wed May 8 23:03:09 2002.
230-
230-There are currently 20 users out of 120 maximum logged in.
230-
230-This server has a number of restrictions. If you are not familiar
230-with these, please first get and read the /README or /README.TXT file.
230-
230-If you have any odd problems, try logging in with a minus sign (-) as
230-the first character of your password. This will turn off a feature that
230-may be confusing your ftp client program.
230-
230-Please send any questions, comments, or problem reports about this
230-server to cco-team@cisco.com.
230-
230-You are logged in with guest (anonymous) level access.
230-
230-
230-Please read the file README
230- it was last modified on Mon Jul 5 21:31:32 1999 - 1037 days ago
230 Guest login ok, access restrictions apply.

Once logged into the system, you can retrieve or place files according to the
corresponding site permissions and/or directory structure.


Setting Up Anonymous Access
Configuring anonymous FTP access on a server is a fairly straightforward
process. However, having said that, care must be taken to ensure that every
step is executed correctly and that no configuration-related problems result.

Note
Providing anonymous FTP on the Internet or even locally can be a potential security
risk. The risk is even compounded when the configuration is not complete or has
not been done correctly. One good way to minimize problems is to have other
knowledgeable people help test the final configuration before going live. Also,
continuously consult the relevant security web sites (such as www.cert.org) about
FTP security issues and problems. Using these approaches, you may help to reduce
the number of problems that would-be hackers might exploit.

The basic process for anonymous account setup includes the following:
1. Create the FTP login in the /etc/passwd and /etc/shadow files.
2. Make sure the FTP account name does not appear in the /etc/ftpusers file.
3. Set up the required FTP environment.
4. Test the account.

Some of the above steps need not be executed manually. For example,
the setup of the FTP environment can be done with an automated script. On
Solaris, the ftpd manual page (that is, man ftpd) gives a listing of a script to
handle all the required steps. Just copy this output and save it to a file for
execution. Other operating systems such as Linux provide a list of steps via the
ftpd man page and provide an RPM (anonftp-4.0.9.i386.sp) to handle the details
of setting up the correct configuration.
Once the anonymous account and configuration has been set up, test the
account to ensure that basic FTP services are functional and work as expected
(such as retrieving files). Next, make sure that the anonymous user can’t do
things such as remove system files or execute unauthorized commands. Finally,
monitor the FTP log file for any suspicious activities, such as a large number of
login requests within a short period of time. This could indicate that someone
is attempting to log in to the server using a program or script, which may
indicate an attempted denial-of-service attack against your server.

18.5 Log FTP Activity
One important aspect of system administration is keeping track of activity on
your systems. That is why, for example, critical services like FTP should be
monitored on a continued basis. As a result, FTP activity should be logged to
a special file so that later inspection and monitoring can be done in the most
efficient manner. Most of the available FTP servers support robust logging
facilities. In particular, the ability to monitor each FTP session is important.
Also, some FTP servers (for example, the Linux wu-ftpd server) provide a
way to view each FTP command executed by an FTP user. With this capability,
it becomes much easier to identify possible nonfriendly behavior toward your
FTP services.
To activate FTP logging, the following will need to be done:
1. Enable FTP server logging.
2. Enable logging via the syslog facility.
3. Test that logging is functional.

Enable FTP logging
To activate FTP logging, the proper command-line argument(s) must be supplied
to the FTP server process when it is invoked by the system. For example, on
Solaris, the in.ftpd FTP server supports the –l option, which tells the server
to record every active session when a user logs into the FTP server. Typically,
the FTP server will send this monitoring information to the general-purpose
system logging process via the syslogd process. See below for additional
details about syslog logging facility.
To enable logging on Solaris and HP-UX, edit the /etc/inetd.conf
network services configuration file and modify the in.ftpd entry. For
example, the default FTP entry on Solaris contains the following:
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd

In order to have logging, add a -l option to the in.ftpd command.
Thus, the new entry should be
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -l

In order for this change to take effect, the inetd process must be told to reread
its configuration file. Thus, to find the process identification of the inetd
process, issue the following command:
ps -ef | grep inetd | grep -v grep

This will show
root   209     1  0 14:48:39 ?        0:00 /usr/sbin/inetd -s

Then, when you have the process ID, issue the following:
kill -SIGHUP 209

Thus, any changes made to the inetd.conf file should now be active.
To activate logging on Linux, edit the /etc/xinetd.d/wu-ftpd
configuration file and alter the relevant line as shown here:
server_args = -a

Note
Depending on the version of Linux you have, the –l option may already be in this
file. If that is the case, you are all set for session logging. However, if you want
more detailed logging in addition to session logging, add the –L option. The –L
option will provide logging for each FTP command that is typed by the user after
they log into the server. Thus, the new wu-ftpd configuration should be as follows:
server_args = -a -l -L

In order for this change to take effect, the xinetd process must be told to reread
its configuration file. Thus, to find the process identification of the xinetd process,
issue the following command:
ps -ef | grep inetd | grep -v grep


Note
The Linux xinetd program requires the SIGUSR2 signal to be issued to reread its
configuration file.

Then, determine the process identification and supply it on the command
line as shown here:
kill –SIGUSR2 [pid]
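The inetd and xinetd edits above can be checked before touching the live files. The following Python functions are an added example, not the book's or either package's code: they parse an inetd.conf text for the ftp entry and an /etc/xinetd.d service file for server_args, report whether -l (and, for xinetd, -L) is present, and return a corrected copy. The sample configurations are constructed here from the entries shown in the text; reloading inetd or xinetd afterwards is still the manual step described above.

```python
# Constructed samples modelled on the entries shown in the text (not real system files).
SOLARIS_INETD_CONF = """\
# inetd.conf sample (constructed for this example)
ftp\tstream\ttcp6\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd
telnet\tstream\ttcp6\tnowait\troot\t/usr/sbin/in.telnetd\tin.telnetd
"""
LINUX_XINETD_WUFTPD = """\
service ftp
{
\tserver      = /usr/sbin/in.ftpd
\tserver_args = -a
}
"""

# Fixed fields of an inetd.conf entry: service socket-type protocol wait user server-program
INETD_FIELDS = 6


def inetd_ftp_logging(conf_text):
    """Check the ftp entry of an inetd.conf text for the in.ftpd -l session-logging flag.

    Returns (entry_found, logging_enabled, corrected_text). The corrected text is the
    input with -l appended to the in.ftpd argument list when it was missing; writing it
    back and sending inetd SIGHUP are left to the caller, as described in the text.
    """
    found = enabled = False
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        fields = stripped.split()
        is_ftp = (not stripped.startswith("#")
                  and len(fields) >= INETD_FIELDS
                  and fields[0] == "ftp"
                  and fields[INETD_FIELDS - 1].endswith("in.ftpd"))
        if not is_ftp:
            out.append(line)
            continue
        found = True
        args = fields[INETD_FIELDS:]          # argv for in.ftpd; argv[0] comes first
        if "-l" in args:
            enabled = True
            out.append(line)
        else:
            if not args:
                args = ["in.ftpd"]            # argv[0] must precede any option
            out.append("\t".join(fields[:INETD_FIELDS] + args + ["-l"]))
    return found, enabled, "\n".join(out) + "\n"


def xinetd_ftp_logging(conf_text, detailed=False):
    """Check an /etc/xinetd.d service file for -l (and -L when detailed=True) in server_args.

    Returns (logging_enabled, corrected_text); missing flags are appended to server_args.
    """
    wanted = ["-l"] + (["-L"] if detailed else [])
    enabled = False
    out = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server_args":
            args = value.split()
            enabled = all(flag in args for flag in wanted)
            args += [flag for flag in wanted if flag not in args]
            indent = key[:len(key) - len(key.lstrip())]   # keep the file's indentation
            out.append(f"{indent}server_args = {' '.join(args)}")
        else:
            out.append(line)
    return enabled, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, enabled, fixed = inetd_ftp_logging(SOLARIS_INETD_CONF)
    print(f"inetd.conf: ftp entry found={found}, -l present={enabled}")
    print(fixed)
    enabled, fixed = xinetd_ftp_logging(LINUX_XINETD_WUFTPD, detailed=True)
    print(f"xinetd wu-ftpd: -l -L present={enabled}")
    print(fixed)
```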

Enable the syslog Facility
Now that the FTP servers are configured to log activity, we need to set up the
system to support FTP activity from a syslog facility point of view. This is
because the FTP servers will forward logging information onto syslog
automatically, but unless we set up the syslog configuration to specifically
process FTP messages, we may not see the logging output.
The syslog logging facility is a general-purpose log aggregator, which
funnels messages from many different operating system components into a
small number of log files, with both the component name and time stamp
information included. For example, a typical FTP session message might
include the following:
Apr 17 14:55:46 bedrock in.ftpd[605]: [ID 373804 daemon.info] connection from didymus.home.com at Wed Apr 17 14:55:46 2002

The syslog server (syslogd) handles the processing of messages that
have been sent by other programs; in the example above, the message was sent
by the in.ftpd server. As you can see from the message, the relevant information
includes the date and time that the transaction was initiated and also the
systems involved.
The syslogd process uses the /etc/syslog.conf configuration file
for how to funnel messages. The logging of messages is divided into different
categories and levels depending on the type of message and associated severity.
Table 18-2 shows the logging categories and their associated meanings.
The syslog facility includes severity or levels of priority for each category;
these range from emergency (emerg) to debug (debug), and can be thought
of as the type of message. For example, the emerg category is used to denote
very critical panic types of conditions, which informs the administrator of some
important event. Additional types include alert for situations that should be
corrected immediately; crit for warnings about important conditions, such
as hardware errors; err for other types of errors, and warning messages
about important problems; notice messages that reflect an important
situation, but may require special handling; info, which are information
types of messages; debug messages that represent debug information within
a program; and none messages, where no types of messages are sent.

Category   Meaning
auth       Messages related to system authorization from such programs as
           login, su, and getty. (getty is used on Solaris and HP-UX, and
           agetty is used on Linux.)
cron       Messages related to cron or at services from such programs as
           crontab, at, and cron.
daemon     Messages related to server processes such as in.ftpd and in.dhcpd.
kern       Messages generated by the kernel.
lpr        Messages generated by the printer spooler system from programs
           such as lpr, lpc, and lpd.
mail       Messages related to the mail system.
news       Messages related to the news system.
local0-7   Message levels for custom applications.
uucp       Messages related to the uucp system.

Table 18-2  Syslog Message Categories
To make it easier to identify FTP and other related activities with the
logging facility, group FTP server (and related daemon processes) messages
into a single file. For example, the syslog.conf file, which has been
configured to capture FTP transactions, can include the following:
daemon.notice                   /var/adm/services
daemon.info                     /var/adm/services

In this case, the /var/log/services file is used to store messages that
come from the daemon message category, using both notice and info
messages types. To verify that messages are flowing to this file, access the FTP
server from another client and then inspect the file for log activity. Thus, the
command
grep ftp /var/log/services


will show lines containing FTP transactions, like the following:
May 11 14:51:07 bedrock in.ftpd[1395]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:51:07 2002
May 11 14:56:00 bedrock in.ftpd[1399]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:56:00 2002
May 11 14:56:28 bedrock in.ftpd[1402]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:56:28 2002
May 11 15:18:28 bedrock in.ftpd[1453]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 15:18:28 2002
May 11 15:23:00 bedrock in.ftpd[1461]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 15:23:00 2002
May 11 15:23:11 bedrock in.ftpd[1464]: [ID 373804 daemon.info] connection from bedrock.home.com at Sat May 11 15:23:11 2002
May 11 15:38:11 bedrock in.ftpd[1464]: [ID 639925 daemon.info] User unknown timed out after 900 seconds at Sat May 11 15:38:11 2002
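Earlier in this module the advice was to watch the FTP log for many login requests in a short period. As an added example that is not from the book, the following Python script parses the in.ftpd connection records shown above (copied here as sample input, with the year supplied because syslog timestamps omit it) and flags any client that opened three or more connections within ten minutes; the window and threshold are assumed values to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample input: the /var/log/services lines shown in the text, one record per line.
# The final "timed out" line carries no "connection from" and is ignored by the parser.
SAMPLE_LOG = """\
May 11 14:51:07 bedrock in.ftpd[1395]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:51:07 2002
May 11 14:56:00 bedrock in.ftpd[1399]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:56:00 2002
May 11 14:56:28 bedrock in.ftpd[1402]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 14:56:28 2002
May 11 15:18:28 bedrock in.ftpd[1453]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 15:18:28 2002
May 11 15:23:00 bedrock in.ftpd[1461]: [ID 373804 daemon.info] connection from socs.home.com at Sat May 11 15:23:00 2002
May 11 15:23:11 bedrock in.ftpd[1464]: [ID 373804 daemon.info] connection from bedrock.home.com at Sat May 11 15:23:11 2002
May 11 15:38:11 bedrock in.ftpd[1464]: [ID 639925 daemon.info] User unknown timed out after 900 seconds at Sat May 11 15:38:11 2002
""".splitlines()

# Matches the Solaris in.ftpd "connection from" record as forwarded through syslog.
CONN_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "   # syslog timestamp, no year
    r"(?P<host>\S+) in\.ftpd\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ daemon\.\w+\] )?"                        # Solaris message ID (optional)
    r"connection from (?P<client>\S+) at "
)


def parse_connections(lines, year=2002):
    """Return a list of (timestamp, client_host) for every connection record.

    syslog timestamps carry no year, so the caller supplies one (2002 in the text).
    """
    found = []
    for line in lines:
        m = CONN_RE.match(line)
        if m is None:
            continue                                  # not a connection record
        stamp = " ".join(m.group("stamp").split())    # collapse "May  1" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        found.append((ts, m.group("client")))
    return found


def find_login_bursts(lines, window_secs=600, threshold=3, year=2002):
    """Flag clients with >= threshold connections inside any window_secs span.

    Returns {client_host: peak_count}. A sliding window over each client's sorted
    timestamps yields the largest number of connections that fit in one window.
    """
    per_client = defaultdict(list)
    for ts, client in parse_connections(lines, year):
        per_client[client].append(ts)

    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_secs:
                window.popleft()                      # drop entries older than the window
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_login_bursts(SAMPLE_LOG).items():
        print(f"{client}: {peak} connections within 10 minutes")
```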

Project 18-1
This project will help you check your FTP server configuration and also help you
make sure it is current with the latest versions and security patches.

Step-by-Step
1. Is there an FTP server currently running on your system? To check, do:
# ps -ef | grep ftp

2. If you don’t want FTP running on this system, comment out or remove the
FTP line in /etc/inetd.conf so that it won’t run the next time you restart
the system.
3. If there is an FTP server running, check to see if anonymous access is enabled
by using another system and attempting to FTP anonymously to your system.
4. If anonymous FTP access is enabled and you don’t want it to be, add
ftp

on a line by itself in the /etc/ftpusers file (or in the /etc/ftpaccess
file in Linux).
5. If you are using the FTP server supplied with your operating system, check
your operating system’s vendor’s Web site to ensure you have the latest
version and patches. If you have installed a different FTP server, such as
wu-ftpd, check frequently for updates and check security sites for new
vulnerabilities you need to patch for.


Mastery Check
1. What type of FTP server access allows access without requiring
a specific account?
2. What is the FTP command syntax to list the files and directories
that start with the letters J-M?
3. What FTP command do you use to send a file from a client to an
FTP server?
A. send
B. get
C. put
D. ascii
4. The __________ command tells the FTP client to echo a "#" character
every time a block of information was successfully retrieved.
5. What is the purpose of each entry in the Solaris /etc/ftpusers file?
A. Grant access to that user
B. Deny access to that user
C. Define that user’s account
D. Define user groups
6. With the wu-ftpd server, what configuration file controls access to the
FTP server, determines commands a user may execute, and specifies FTP
access logging?
7. What does the -l entry at the end of this Solaris /etc/inetd.conf
network services configuration file do?
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -l

8. What syslog category do login messages belong to?

Module 19: Important System Administration Tasks/Information

Critical Skills
19.1 Communicate with Users on the System
19.2 Increase System Swap Space
19.3 Control Root Access
19.4 Display System Configuration Information

Unlike many of the other modules contained within this book that focus on
a specific topic or area, this module provides solutions to specific UNIX
system tasks and administrative problems.

19.1 Communicate with Users on the System
As the system administrator, you will need to, on occasion, communicate
with users on the system, using the talk, wall, or write commands. The
talk command provides a visual mechanism to “talk” to a single user,
the wall command can send a message to a number of users at once,
and the write command can also be used to talk to an individual user,
using line-by-line mode.
The talk syntax includes
talk user [@hostname]

where user is an existing UNIX user currently logged into the system. If user
is on a different system from the one the request originates from, the user’s
hostname must be specified.
Assuming the root user would like to talk with the user billc that is
currently on the local system, the following command would be used:
talk billc

Once this command has been executed, the following will be displayed:
[Waiting for your party to respond]

_______________________________________________________________________

The command clears the screen and places a line in the middle of the display to
divide the screen. The top portion is used to contain the text that root will send
to billc, while the bottom part is for billc’s responses to root.
On billc’s terminal, the following is displayed:
Message from Talk_Daemon@socrates at 11:27 ...
talk: connection requested by root@socrates.
talk: respond with: talk root@socrates


Once billc responds using the above command, his screen is updated and
the message [Connection established] is displayed to indicate that
communication is now possible.
Here is what the root’s screen will look like when the question is asked
“How are you?”
How are you?

_______________________________________________________________________

Bill responds with:
I'm fine! and you?
_______________________________________________________________________

Note
Either party may close the talk session by issuing a control-c (^-c).

To send a message to every user on the system at the same time, use the wall
command. For example:
wall -a
system needs to be rebooted; back in 20 minutes....
(^D)

The administrator types the message after the wall command and finishes it
with Control-D (^D), which tells wall that the message is complete; Control-C
aborts without sending anything. Because wall reads the message from standard
input, it can also be fed from a file or a pipe instead of being typed
interactively, which is the usual way to call it from a script.
The -a option (a Solaris option) tells wall to send the message to all users
attached via pseudo-terminals and to the system console; the Linux wall command
reaches every logged-in terminal without it. When this command is run, the
following is displayed to every logged-in user:
Broadcast Message from root (pts/8) on bedrock Mon May 27 19:40:55...
system needs to be rebooted; back in 20 minutes....

Note
You must end the wall message with Control-D (^D) to tell the command that
you have entered the complete message.


19.2 Increase System Swap Space
Swap space is an area of disk, either a dedicated partition or a regular file,
that the kernel uses to hold memory pages that do not fit in physical memory,
along with some other temporary storage needs of UNIX. In many instances the
swap area was defined when the system was first installed and configured, but
it is quite common for the system administrator to increase the amount of swap
space after the system has been set up. In fact, critical resources like swap
space can often be sized accurately only after the system has been deployed
and is actively being used.
For most versions of UNIX, the requirements for swap space are similar: each of
the versions discussed requires a minimum amount of space for the system to
operate, and the actual size of the swap area depends heavily on the number of
users and on the services or applications being supported. The tools used to
manage swap space, however, differ somewhat. Table 19-1 shows the relevant swap
management commands for each operating system.

List Swap Space
It is important to know how much swap space is actually being used. Use the
swapon command on Linux, the swap command on Solaris, or the swapinfo command
on HP-UX. Each of these commands shows how much swap space has been defined on
the system and how much of it is in use. For example, the Solaris swap command
shows the following when used with the -s option:
total: 39488k bytes allocated + 12520k reserved = 52008k used, 1062656k available

Here "52008k used" is the total swap space currently in use and "1062656k
available" is the swap space that is still free.

Table 19-1  UNIX Swap Commands

Function                                Linux       Solaris    HP-UX
Add swap space                          swapon -a   swap -a    swapon -a
Create swap area using a regular file   mkswap      mkfile     (not listed)
List swap usage                         swapon -s   swap -l    swapinfo -ta
Delete swap area                        swapoff     swap -d    (not listed)


This shows the total amount of swap space currently in use on the system, in
this case 52,008K, and the 1,062,656K that remains available; the configured
total is the sum of the two, about 1,114,664K. When the used space approaches
the total, it is time to increase the amount of swap space. It is also not
uncommon to add swap even while usage is well below the total, for example
when the system administrator wants additional performance and configures one
or more additional drives for swapping. In this way swap activity is spread
across several physical disk drives, which improves system performance.
Using the swapon -s command on Linux shows the configured swap areas with their
sizes and usage:
Filename     Type        Size     Used    Priority
/dev/hda5    partition   740840   14048   -1

Add More Swap Space
To add more space to the system, use either the swapon or swap commands,
depending on the system in question. Adding more swap space can be
accomplished by increasing the size of the current swap area or by adding an
additional swap file or disk partition. In general, the installation procedures for
most UNIX systems describe implementing swap space using a separate disk
partition. For example, given the snippet of the /etc/fstab file from a Linux
system, we see the following:
none            /proc               proc     defaults         0 0
none            /dev/shm            tmpfs    defaults         0 0
none            /dev/pts            devpts   gid=5,mode=620   0 0
/dev/hda5       swap                swap     defaults         0 0
bedrock:/docs   /mnt/bedrock/docs   nfs      bg,hard          0 0
bedrock:/usr    /mnt/bedrock/usr    nfs      bg,soft          0 0

The swap partition is /dev/hda5, and it is possible to use tools such as
fdisk (on Linux, for instance) to increase the size of the partition, assuming
that unused space is available on the disk immediately after it.

Hint
The system should be placed in single-user mode when attempting to adjust the
size of the swap partition; this precaution should be standard procedure for
making critical types of changes to the system.

Another approach to increasing the swap space is to define another partition
that should be used for swap and simply add the partition to the mounted file
system table, such as /etc/vfstab (Solaris). Using this approach, the system
would need to be rebooted before the new swap area could be used. If you want
to use the space without rebooting the system, use the swap command instead.
For example, assume that you would like to use the /dev/dsk/c0d0s7 partition for
swapping. Make sure first that the slice holds no file system or data you still
need, because its contents are overwritten once it is used for swap. Then this
command (on Solaris) could be used:
# swap -a /dev/dsk/c0d0s7

When the swap -l command is run, it shows the total amount of swap space
allocated and used, and we see that the additional swap has been added to the
system:
swapfile            dev    swaplo   blocks      free
/dev/dsk/c0d0s3     102,3       8  2048248   2048248
/dev/dsk/c0d0s7     102,7       8  4194288   4194288   <- New swap allocated

The final approach to increasing swap space is to create a regular UNIX file,
using the mkfile command on Solaris, of the size of the swap space that is
needed. Once this has been done, issue the swap -a command with the file as the
argument instead of the disk partition. On Linux the equivalent is to create
the file, prepare it with mkswap and activate it with swapon. In either case
the file must be readable and writable by root only, because it will contain
whatever was in memory when those pages were written out.
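The following script is an added example and is not from the book. It shows the Linux side of the procedure above: a check that computes how full the configured swap is (from /proc/swaps or swapon -s output), and a function that creates a swap file with the permissions locked down before it ever holds data. It assumes Linux with dd, mkswap and swapon in the PATH; the /var/swapfile path and the 512 MB size in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): Linux swap monitoring and a swap file
# added the safe way. Assumes Linux with dd, mkswap and swapon in PATH;
# /var/swapfile and the 512 MB size are assumptions, change as needed.

# swap_pct_used: read /proc/swaps (or "swapon -s") output on stdin and
# print the percentage of all configured swap that is in use. The advice in
# the text is to add swap when this approaches 100.
swap_pct_used() {
    awk 'NR > 1 && $3 > 0 { size += $3; used += $4 }
         END { if (size == 0) print 0; else printf "%d\n", (used * 100) / size }'
}

# fstab_entry FILE: the /etc/fstab line that makes the swap file persistent.
fstab_entry() {
    printf '%s\tnone\tswap\tsw\t0\t0\n' "$1"
}

# swapfile_mode_ok FILE: 0 if the file is mode 0600. Whatever the kernel
# pages out (passwords, keys, session data) lands in this file, so it must
# never be readable by anyone but root.
swapfile_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# create_swapfile FILE SIZE_MB: create, lock down, format and activate a
# swap file, then record it in /etc/fstab if it is not there already.
# Must run as root.
create_swapfile() {
    file=$1
    size_mb=$2
    # Create the file empty with restrictive permissions before it holds
    # any data; the subshell keeps the umask change local.
    ( umask 077 && : > "$file" ) || return 1
    chown root "$file" && chmod 600 "$file" || return 1
    # Fill it with zeros; a sparse file is not usable as swap.
    dd if=/dev/zero of="$file" bs=1M count="$size_mb" 2>/dev/null || return 1
    swapfile_mode_ok "$file" || return 1
    mkswap "$file" >/dev/null && swapon "$file" || return 1
    grep -q "^$file[[:space:]]" /etc/fstab || fstab_entry "$file" >> /etc/fstab
}

# Usage (as root):  swap_pct_used < /proc/swaps
#                   create_swapfile /var/swapfile 512
```

Run swap_pct_used from cron or a monitoring agent and alert on a threshold; the create function deliberately refuses to continue if the permission check fails after dd, so a mistaken umask or a pre-existing world-readable file cannot end up holding memory pages.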

19.3 Control Root Access


Most versions of UNIX have a mechanism to control whether the root user may
log in over the network or only from the system console. For example, a
freshly installed Solaris system does not allow root to log in over the
network: an attempt to telnet to the system and log in as root is refused.
Why? Because a root login over the network sends the root password across the
wire, and with telnet it travels in cleartext where anyone on the path can read
it, which is a real security concern. There are a few ways to handle this. First,
install the SSH package and use the ssh program for remote administrative
access; log in as an ordinary user and switch to root with su (or sudo) so that
the session is attributed to a named account. Note that sshd consults its own
PermitRootLogin setting in sshd_config, so check that file as well. Second,
connect the system console to a terminal server and reach the console over the
network through the terminal server. Third, enable root access to the system
over the network by modifying the /etc/default/login file. This file contains
a single-line parameter that controls whether root can log in on non-console
ports.
A portion of this file is shown here:
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

As you can see from the comments, the CONSOLE line should be commented out
with a # character should the administrator desire to enable remote login for
the root user. This is the least secure of the three options and should be
avoided where SSH is available.
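The following script is an added example, not from the book: an audit of the two settings just discussed. The functions take the file to inspect as an argument so they can be run against the live /etc/default/login and sshd_config or against copies; the paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): audit where root may log in from.
# Paths are assumptions; each function takes the file as an argument so it
# can be run against a copy (as in a test) or the live files.

# console_restricted FILE: 0 if /etc/default/login still has an active
# CONSOLE= line, i.e. login(1) accepts root only on that device. A line
# that starts with # is a comment and does not count.
console_restricted() {
    grep -q '^[[:space:]]*CONSOLE=' "$1"
}

# sshd_permit_root_login FILE: print the PermitRootLogin value from an
# sshd_config, or "unset" if the directive is absent (the daemon then
# applies its built-in default, which differs between OpenSSH versions).
# sshd uses the first occurrence of a keyword, so the first match wins.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# root_access_report LOGIN_DEFAULTS SSHD_CONFIG: print one line per
# finding. Returns 0 when root is confined to the console for login(1)
# and sshd (if its config exists) explicitly refuses root, 1 otherwise.
root_access_report() {
    rc=0
    if console_restricted "$1"; then
        echo "login: root restricted to console ($1)"
    else
        echo "login: WARNING remote root login enabled in $1"
        rc=1
    fi
    if [ -f "$2" ]; then
        v=$(sshd_permit_root_login "$2")
        case "$v" in
            no) echo "sshd: PermitRootLogin no" ;;
            *)  echo "sshd: WARNING PermitRootLogin is $v in $2"; rc=1 ;;
        esac
    else
        echo "sshd: $2 not found, sshd not installed?"
    fi
    return $rc
}

# Usage:  root_access_report /etc/default/login /etc/ssh/sshd_config
```

The report treats an absent PermitRootLogin directive as a warning on purpose: relying on a daemon's compiled-in default is exactly the kind of setting that silently changes when the package is upgraded.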

19.4 Display System Configuration Information
Sometimes, when debugging system problems or when it is necessary to determine
a specific software version or other system information, you will need to use
one or more system tools. Also, many newer versions of UNIX provide the /proc
file system, which makes it very easy to probe the system for a host of
configuration and operating information.
On Solaris, the prtconf tool can be used; it provides both low-level and
operating system configuration information. When the tool is run without any
command-line arguments, the following is produced (the first two lines give
the system architecture and memory):
System Configuration: Sun Microsystems i86pc
Memory size: 128 Megabytes
System Peripherals (Software Nodes):
i86pc
+boot (driver not attached)
memory (driver not attached)
aliases (driver not attached)
chosen (driver not attached)
i86pc-memory (driver not attached)
i86pc-mmu (driver not attached)
openprom (driver not attached)
options, instance #0
packages (driver not attached)
delayed-writes (driver not attached)
itu-props (driver not attached)
isa, instance #0
motherboard (driver not attached)
asy, instance #0 (driver not attached)
lp (driver not attached)
asy, instance #1 (driver not attached)
fdc, instance #0
fd, instance #0
fd, instance #1 (driver not attached)
i8042, instance #0


keyboard, instance #0
mouse, instance #0
bios (driver not attached)
bios (driver not attached)
pci, instance #0
pci8086,7190 (driver not attached)
pci8086,7191, instance #0
display, instance #0
pci8086,7110 (driver not attached)
pci-ide, instance #0
ide, instance #0
cmdk, instance #0
ide, instance #1
sd, instance #0
pci8086,7112, instance #0
pci8086,7113 (driver not attached)
pci10b7,9050, instance #1
used-resources (driver not attached)
objmgr, instance #0
cpu, instance #0 (driver not attached)
pseudo, instance #0

Not all the information generated by this command is really useful. However,
the command does provide general information about the system architecture
and installed memory, and a detailed list of the devices configured on the
system. The message "driver not attached" means that no driver is currently
attached to that device node; this usually happens because the device is not
in use (Solaris loads and attaches drivers on demand) or because no driver
exists for it, so it does not by itself mean that the hardware is missing. The
prtconf tool provides a fair number of command-line options, but only the most
common are listed in Table 19-2.

Table 19-2  prtconf Command-Line Options

Command Option   Description
-B               Shows device driver information.
-F               Shows frame buffer information.
-v               Enables verbose mode.


Another very useful Solaris command is showrev. This is the output of
this command:
Hostname: bedrock
Hostid: 1e056f4b
Release: 5.8
Kernel architecture: i86pc
Application architecture: i386
Hardware provider:
Domain: home.com
Kernel version: SunOS 5.8 Generic 108529-07 February 2001

As seen from the output, this command provides some useful information
about the system. In addition, one very good command-line option with this
command is –c. This instructs the command to list detailed version information
about a particular UNIX command. For example, the command
showrev -c ls

determines version information about the ls command and shows the following:
PATH is:
/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/bin:/usr/ucb
PWD is:
/
LD_LIBRARY_PATH is not set in the current environment
________________________________________________________________________
File: /usr/bin/ls
=================
File type: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
Command version: SunOS 5.8 Generic February 2000
File mode: r-xr-xr-x
User owning file: root
Group owning file: bin
Library information:
libc.so.1 =>
/usr/lib/libc.so.1
libdl.so.1 =>
/usr/lib/libdl.so.1
Sum: 43151
________________________________________________________________________
File: /bin/ls
=============
File type: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
Command version: SunOS 5.8 Generic February 2000
File mode: r-xr-xr-x
User owning file: root
Group owning file: bin
Library information:
libc.so.1 =>
/usr/lib/libc.so.1


libdl.so.1 =>
/usr/lib/libdl.so.1
Sum: 43151
________________________________________________________________________
File: /usr/ucb/ls
=================
File type: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
Command version: SunOS 5.8 Generic February 2000
File mode: rwxr-xr-x
User owning file: root
Group owning file: bin
Library information:
libc.so.1 =>
/usr/lib/libc.so.1
libdl.so.1 =>
/usr/lib/libdl.so.1
Sum: 42882
________________________________________________________________________

This might be more information than most people want, but when tracking
down problems, this kind of detail can be invaluable. Note that the Sum line
is the output of the sum command, a simple checksum: compared with a
known-good baseline it will catch accidental changes, but it is not a
cryptographic hash and will not reliably reveal deliberate tampering.

The /proc Directory
The /proc directory or file system is another very good way to obtain
important configuration and other information from the system. The /proc
directory is a tree hierarchy, which contains both additional subdirectories and
individual files that represent some aspect of the system or running process.
When the ls command is used to list the contents of the /proc file system
on Linux, you may see something like this (each number corresponds to the PID
of a currently running process, which you can also see with the ps command):
1     1102  1121  1139  1185  12    1214  1254  1255  1256  1257  1258  1259  1266
1267  1268  1269  1270  1271  1272  1279  1280  1291  1417  1419  1432  1450  1454
1456  1458  1460  1462  1464  1466  1469  1470  1471  1472  1473  1474  1475  1481
1589  1593  1622  1624  1629  1630  1631  1632  1633  1654  1655  1656  1657  1658
1662  1663  1664  1919  1921  1923  1924  2     2077  2102  2108  3     4     5
512   517   537   565   589   6     664   669   674   675   676   677   678   679
680   681   682   683   7     710   8     87    880   897   899   900   901   902
922   940   975   982   bus   cmdline  cpuinfo  devices  dma  driver  execdomains
fb    filesystems  fs  ide  interrupts  iomem  ioports  irq  kcore  kmsg  ksyms
loadavg  locks  mdstat  meminfo  misc  modules  mounts  mtrr  net  partitions
pci   self  slabinfo  stat  swaps  sys  sysvipc  tty  uptime  version

What is shown is a series of directories with numbers as names (for example,
1102), which represent the processes currently running on the system.
Naturally, when you examine the /proc directory on your own system, you will
see different directories. Other entries, such as mounts, describe the system
configuration rather than a running process.

Hint
The /proc directory on Solaris only shows processes, not system configuration
files like the other versions of UNIX discussed here.

To see how the /proc directory can be useful, let's examine several examples.
The directory 1102 represents a running process. When we list the contents of
this directory using the ls -l command, we see the following files:

total 0
dr-xr-xr-x    3 root root 0 May 16 11:37 .
dr-xr-xr-x  112 root root 0 May 16 01:16 ..
-r--r--r--    1 root root 0 May 16 11:42 cmdline
lrwxrwxrwx    1 root root 0 May 16 11:42 cwd -> /etc/default
-r--------    1 root root 0 May 16 11:42 environ
lrwxrwxrwx    1 root root 0 May 16 11:42 exe -> /bin/vi
dr-x------    2 root root 0 May 16 11:42 fd
-r--r--r--    1 root root 0 May 16 11:42 maps
-rw-------    1 root root 0 May 16 11:42 mem
lrwxrwxrwx    1 root root 0 May 16 11:42 root -> /
-r--r--r--    1 root root 0 May 16 11:42 stat
-r--r--r--    1 root root 0 May 16 11:42 statm
-r--r--r--    1 root root 0 May 16 11:42 status

To see which command is running, examine the cmdline file. Thus, the command
more cmdline

shows the following:
vi/etc/ftpusers

The arguments appear run together because the kernel separates them with NUL
bytes, which more does not display; the process is an edit session of the
/etc/ftpusers file. The cwd and exe links above show the process's current
directory and the executable it is actually running; unlike the argument list,
which a process can rewrite, the exe link is maintained by the kernel. If it
was necessary to validate this process, to really see what is running, the ps
command followed by the process ID (in this case 1102) could be used.


Thus, the command
ps 1102

shows
  PID TTY      STAT   TIME COMMAND
 1102 pts/5    S      0:00 vi /etc/ftpusers

which is exactly what would be expected.
Additional information can be obtained about processes, such as the shell
environment the command was run in (the environ file), the status of the
process, and so on.
To view the process status, which is similar to what can be obtained with
the ps command, examine the status file.
This file contains the following:
Name:   vi
State:  S (sleeping)
Pid:    1102
PPid:   1923
TracerPid:      0
Uid:    0       0       0       0
Gid:    0       0       0       0
FDSize: 256
Groups: 0 1 2 3 4 6 10
VmSize:     2216 kB
VmLck:         0 kB
VmRSS:       968 kB
VmData:      208 kB
VmStk:        20 kB
VmExe:       332 kB
VmLib:      1364 kB
SigPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 8000000000003000
SigCgt: 000000004f804eff
CapInh: 0000000000000000
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff

The four Uid and Gid columns are the real, effective, saved and file-system
IDs; here all are 0, so the editor is running with full root privilege, which
the CapEff capability mask also shows.


Hint

Nearly all of these directories and files show a size of 0 bytes; this is
because they are not normal directories or files in the usual file-system
sense. Instead, they are views onto kernel data that is generated at the
moment the file is read.
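The following script is an added example and is not from the book. It packages the /proc inspection just walked through (cmdline, exe and status) into shell functions, and adds the check an incident responder would actually want: whether the process is running from a binary that has since been deleted, or whether its argument list names a different program than the executable the kernel mapped. Every function takes the /proc root as its first argument so it can be pointed at the live /proc or at a copied tree; the PID and paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): inspect a process through /proc on
# Linux. Every function takes the /proc root as its first argument so it
# can be pointed at the live /proc or at a copied tree (a constructed one
# in the test); PIDs and paths in the comments are assumptions.

# proc_cmdline ROOT PID: print argv. The kernel separates the arguments
# with NUL bytes, which is why "more cmdline" shows them run together.
proc_cmdline() {
    tr '\0' ' ' < "$1/$2/cmdline" | sed 's/ $//'
}

# proc_exe ROOT PID: the executable the kernel actually mapped. Unlike
# argv[0] (and therefore the ps COMMAND column) a process cannot rewrite it.
proc_exe() {
    readlink "$1/$2/exe"
}

# proc_status_field ROOT PID FIELD: value of one "Field:" line of status,
# e.g. Uid, Gid, PPid or CapEff.
proc_status_field() {
    awk -v f="$3:" '$1 == f { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1/$2/status"
}

# proc_check ROOT PID: one summary line per process. Returns 1 when the
# binary was deleted after it started (left behind by an upgrade, or by an
# intruder removing a dropped payload) or when argv[0] names a different
# program than the mapped executable; returns 2 when the PID is gone.
# Interpreted scripts show the interpreter as exe, so expect mismatches there.
proc_check() {
    exe=$(proc_exe "$1" "$2") || return 2
    args=$(proc_cmdline "$1" "$2")
    case "$exe" in
        *' (deleted)')
            echo "PID $2: running from deleted file: $exe ($args)"
            return 1 ;;
    esac
    argv0=${args%% *}
    argv0=${argv0#-}              # login shells prefix argv[0] with '-'
    if [ "${argv0##*/}" != "${exe##*/}" ]; then
        echo "PID $2: argv[0] '$argv0' does not match exe $exe"
        return 1
    fi
    echo "PID $2: $exe uid=$(proc_status_field "$1" "$2" Uid) cmd: $args"
}

# Usage:  for p in /proc/[0-9]*; do proc_check /proc "${p##*/}"; done
```

Sweeping every PID this way after an upgrade finds services that still run old code; during an investigation it finds processes whose on-disk binary has been removed, which ps alone will never tell you.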

As far as system configuration is concerned, the /proc directory provides
a generous amount of information. Table 19-3 lists some of the most useful
directories and/or filenames and their corresponding information. Note that
not every version of UNIX supports each of these files or directories.
By way of example, the /proc file system can show some very interesting
information. The interrupts file shows all the system's devices and their
associated interrupt lines, with a count of interrupts serviced per CPU:
           CPU0
  0:    1340342    XT-PIC  timer
  1:        525    XT-PIC  keyboard
  2:          0    XT-PIC  cascade
  3:      39351    XT-PIC  3c574_cs
  5:       1904    XT-PIC  usb-uhci, Allegro
  8:          1    XT-PIC  rtc
  9:          0    XT-PIC  Texas Instruments PCI1410 PC card Cardbus Controller
 14:      40799    XT-PIC  ide0
 15:     293668    XT-PIC  ide1
NMI:          0
ERR:          1

Table 19-3  Useful Entries in the /proc Directory

Directory/File   Description
devices          Shows a detailed list of all the installed devices.
ioports          Contains a listing of all the I/O port ranges used by each
                 system device.
interrupts       Shows the low-level device interrupts for the system.
meminfo          Provides a detailed breakdown of system memory.
partitions       Shows a detailed listing of the defined partition maps
                 on the system.
swaps            Shows swap information.
version          Displays system version information.


Another example is the partitions file, which shows all the defined disk
partitions on the system (on this kernel the columns after name are
per-device I/O statistics):
major minor  #blocks  name  rio    rmerge rsect   ruse    wio    wmerge wsect   wuse     running use     aveq
   3     0   5866560  hda   28345  16900  361900  461290  12600  22212  279128  1546840  0       520430  2008490
   3     1   2562808  hda1  8      0      16      110     0      0      0       0        0       110     110
   3     2   2562840  hda2  28162  15377  348354  454620  12388  19340  254456  1444150  0       517910  1899130
   3     3         1  hda3  0      0      0       0       0      0      0       0        0       0       0
   3     5    740848  hda5  172    1517   13512   6500    212    2872   24672   102690   0       14960   109190

Project 19-1
In this project you’ll familiarize yourself with your system and the toolbox of
commands presented in this module.

Step-by-Step
1. List your current swap space configuration and usage.
Linux:
# swapon -s

Solaris:
# swap -l

HP-UX:
# swapinfo -ta

2. Check your /etc/default/login file. Unless you have a specific reason
to allow remote root access, ensure that the CONSOLE=/dev/console line
exists and is not commented out.
3. You may find it helpful to keep some basic system information handy in
printed form in case you ever have major system problems and need to
know, for example, your kernel version. Print the results of this command
and keep it in a safe place:
Solaris:
# showrev

For Linux users, this command will produce similar but less detailed results:
# uname -a

4. Generate a list of all currently running processes:
# ps -ef

5. Show the contents of the /proc directory:
# ls /proc


Mastery Check
1. Which command can an admin use to communicate with all currently
logged in users at once?
a. talk
b. write
c. wall
d. email
2. Referring to the following output line, how much swap space is
currently used?
total: 39488k bytes allocated + 12520k reserved = 52008k used, 1062656k available

3. What is the Linux command to create a swap file?
a. mkswap
b. swapon
c. swapoff
d. mkfile
4. What Linux file system tool is useful in adjusting swap partitions?
5. On Solaris, the _________ tool can be used, which provides both low-level
and operating system configuration information.
6. Which command discussed in this module would have generated the
following line of output?
Kernel version: SunOS 5.8 Generic 108529-07 February 2001

a. prtconf
b. showrev
c. showrev -c
d. ls /proc
7. In the /proc directory, what do numbered subdirectories represent?
a. User IDs
b. Group IDs
c. Process IDs
d. Protocol IDs
8. The /proc/__________ file shows a detailed listing of the defined
partition maps on the system.


Module 20
Using DHCP

Critical Skills
20.1 Use the Solaris DHCP Configuration Manager
20.2 Configure DHCP Clients

Copyright 2002 by The McGraw-Hill Companies, Inc.


The Dynamic Host Configuration Protocol (DHCP) is a facility that supports
Internet Protocol (IP) address allocation and diskless boot capabilities for
network client systems. In both small and large organizations, DHCP is one of
the best ways to manage the corporate IP address space. The service is
responsible for dynamically assigning addresses to client hosts as they are
brought onto the network, which makes managing connectivity to the corporate
network much easier. DHCP can support both local and remote systems, from
dial-up to LAN-based connectivity. When configured, the DHCP server also
supports the BootP protocol, which means that client systems can obtain boot
information from the server. In certain situations, having clients boot from a
server can be both an effective and a cost-effective deployment strategy.
The DHCP service can be divided into two parts: the client and the server.
The client makes requests to a server for IP address information specific to
the local network to which it is attached, and for any network and/or boot
information. The client obtains this information by negotiation with the
server. For example, the server determines how long the information may be
used on the network, which places an expiration date on the client's use of
it. This is known as a "lease": the client may use the information only for a
fixed period of time. Some sites providing generic LAN-based connectivity
configure the server to hand out open-ended leases, that is, leases that
effectively never expire. Note that DHCP itself carries no authentication: a
client accepts the first valid offer it receives, so the server and the network
segment it serves must be trusted.
The DHCP client component available on Solaris is known as dhcpagent and is
used to make requests on the network. The dhcpagent program has been
integrated with the ifconfig command. As you recall, ifconfig is used to set
up one or more network interfaces on the local system. Thus, when the system
boots, the appropriate network information is obtained from a DHCP server (via
the ifconfig command) and the system then continues to boot normally.
Because DHCP support is available on a wide variety of systems, any compatible
DHCP client can request services from the DHCP server. For example, a Windows
system that has been configured to request an IP address from the network can
be served by the Solaris DHCP server.
The server component consists of several different modules: the server
process, a configuration file, and the configuration manager. The server
process receives DHCP/BootP requests from the network and emits responses back to


clients. The server, known as in.dhcpd on Solaris, runs continuously in the
background, waiting to service DHCP requests. The DHCP server generally behaves
like many other network-related processes: it accepts command-line arguments
that control, for example, its logging and debugging facilities. The server
supports two modes of operation: normal DHCP/BootP mode and BootP relay mode.
The BootP relay mode is used to forward client requests across one or more
subnetworks.
The Solaris DHCP server uses a configuration file called /var/dhcp/dhcptab,
which contains information about the address space that clients will use when
they become active on the network. Before basic DHCP services can be used, this
file must be updated to include the IP addresses that will be allocated to
clients. However, the DHCP configuration need not be defined by hand; a
configuration manager tool is provided to assist the administrator in setting
up DHCP services.
A number of applications and tools are used to support DHCP on each of the
different operating systems. Table 20-1 lists each of the tools and provides a
quick summary.
As you can see from the table, several different tools are available for the
management of DHCP services. For example, to show the DHCP client information
on a Linux system, the pump utility is provided. To view the same type of
information on Solaris, use the ifconfig command. The tools used to configure
and manage DHCP services are described in the following sections.

Table 20-1  DHCP Tools by Operating System

Operating System   DHCP Server   Configuration Application   Tools
Solaris            in.dhcpd      dhcpmgr                     ifconfig
HP-UX              dhcpd         sam                         lanscan
Linux              dhcpd         none                        pump


20.1 Use The Solaris DHCP
Configuration Manager
The configuration manager can be used to define and control DHCP services for
client systems. The configuration manager provides an X-Windows-compatible
GUI tool that maintains configuration information for a local and/or NIS DHCP
database. The manager can be used to accomplish the following:
● Configure DHCP services
● Configure BootP relay services
● Control DHCP/BootP processes
● Manage DHCP addresses

The DHCP configuration manager provides a wizard-like interface to handle
many of the configuration aspects for deploying a DHCP server. If the DHCP
facility is not set up when the configuration manager is invoked, it begins the
configuration process by guiding you through the steps necessary to set up a
functional server. This procedure is presented only when a DHCP server hasn’t
been configured on this system. If you start the configuration manager after the
basic DHCP services are set up, you will see a different window that shows
the defined IP address ranges and not the DHCP Configuration Wizard.

Starting the Solaris DHCP
Configuration Manager
To invoke the DHCP configuration manager, issue the following command:
/usr/sadm/admin/bin/dhcpmgr

Since this program supports X-Windows, it can be run either from a system
that contains an attached display or from a system that doesn’t have a display
device, and the display is redirected (using the DISPLAY variable) to another
system that does support X-Windows and has an attached display device. When
this command is executed before any basic DHCP services have been configured,
you should see a window, as shown in Figure 20-1. Otherwise, if the DHCP
service has already been set up, a different window will appear. See
"Configuring DHCP Services for the First Time" for more information about how
to provide an initial configuration for DHCP services.

Figure 20-1  Initial DHCP configuration manager window

Configuring DHCP Services for the First Time
In Figure 20-1, the window displayed asks how you would like to configure
the DHCP server. Two options exist: as a normal DHCP server or as a relay for
BootP requests. The BootP option basically means that you can forward BootP
requests from one or more networks. For the purposes of understanding the
DHCP facility, we want to set up a normal DHCP server. Thus, to configure
normal DHCP services, make sure the Configure as DHCP Server item is
selected and click the OK button.
Once this has been done, a new window is displayed that replaces the
previous one. This window represents the DHCP Configuration Wizard,
which will provide a step-by-step process to configure basic DHCP services.
This window is labeled the “DHCP Configuration Wizard,” and is shown
in Figure 20-2.
The Configuration Wizard window is divided into two sections: the list of
required steps is on the left, and the specific questions that must be answered
are on the right. As the wizard goes through each step, that step is
highlighted. Thus, the first step (selecting the data storage location) is
marked with a colored bar. Using the control buttons at the bottom, you can
navigate between the defined steps. Complete the following to set up the basic
DHCP server:
1. Choose the location to store the DHCP configuration data.
2. Determine the DHCP lease policy.
3. Provide the DNS domain servers.
4. Provide basic network address information.
5. Determine network configuration.
6. Provide NIS or NIS+ domain server information.
7. Review the configuration.

Figure 20-2  DHCP Configuration Wizard window


Step 1: DHCP Configuration Location
In this step, the wizard asks at which location it should store the DHCP
configuration information. If NIS is not running, a local directory is preselected
for you. However, if NIS is operational, you can use a NIS location instead. The
default is the /var/dhcp directory, and when NIS isn’t running, it should be
used unless there is some overwhelming reason to change it. If you desire to
change the directory location, type the new name in the text box and click the >
button to accept this configuration option and proceed to the next step.

Note
In the examples provided in this section, it is assumed that NIS is not running and
only a local DHCP configuration is necessary.

Step 2: Determine the DHCP Lease Policy
At this point, the wizard wants the administrator to determine the length of the
address lease for each client that will request an IP address. The lease
indicates how long a client may use an IP address once it has been assigned.
Once the lease is up, the IP address becomes invalid and the client must
request another IP address.
As an option, the DHCP server can permit a client to renew its existing lease
for the allocated IP address. In this case, the client sends a renewal request
to the server so that it may continue to use the existing IP address. Without
this option selected, the client is forced to request another IP address when
its lease expires. Permitting clients to renew leases effectively means that
they do not have to obtain a new IP address every time the lease expires. The
only exception is at boot time, when the client must request an IP address
again (although it may ask for the one it was previously assigned).
The lease section is shown in Figure 20-3. The lease value may be expressed in
hours, days, or weeks. The default value is one day, which is reasonable when
the Renew check box is selected. From a practical standpoint, a lease of days
or weeks is usually the best choice, but you will need to determine the best
configuration as dictated by the requirements of your site. In general, unless
you want to maintain fairly tight control over the IP assignment process, the
best configuration is to have addresses renewed on a weekly or monthly basis.
In Figure 20-3, the lease value has been configured for one week.

Figure 20-3  Lease Value window

Step 3: Provide the DNS Domain Servers
Next, you must provide DNS information if the DHCP server is going to use
DNS services, as shown in Figure 20-4. See Module 14 on DNS for more
information about setting up or configuring a domain name server.
As you can see, two different elements are needed to complete this step.
First, the DNS domain is required, and one or more DNS server IP addresses
are needed. In the example, the DNS domain is called home.com and two
DNS servers have been defined: 216.155.202.10 and 216.155.202.11.
The DNS name refers to the domain to which the local system belongs.
When the Configuration Wizard window is displayed, it includes any DNS
information found within the /etc/resolv.conf file.
When adding a DNS server, type the IP address of the server in the
appropriate text box and click the ADD button. You must enter a valid IP
address within this field; hostnames are not permitted. If you have added
more than one DNS server, you can change the order in which the servers are
queried. You can use the ∧ or ∨ buttons to reposition the servers within the list
as required.
Click the > button to accept any DNS information entered and move to the
next step to continue configuring DHCP services.

Figure 20-4  Supply DNS information

Step 4: Provide Basic Network Address Information
The next window displayed, as shown in Figure 20-5, is used to specify the IP
network and associated subnet mask for the network served by the DHCP
server. See Module 10 for additional information on IP networking that
includes a description of IP addresses and subnet masks. The network address
information is obtained from the defined system network interfaces. This is
used to tell the DHCP server which IP network should be used to allocate IP
addresses to clients.

Hint

You don’t actually need any DNS facilities running to configure or use DHCP
services. Without any DNS, the DHCP server would simply use IP addresses
when displaying information about DHCP clients. However, it is recommended
that you use domain name resolution services because it will make DHCP
administration easier.

Figure 20-5  Network Address Information window

If the system only has a single network interface, only a single network
entry will be displayed in the Network Address selection box. By default, the
entry contains the network address of the primary network interface. If multiple
IP networks are defined on the system, you can select only one from the list of
addresses at this stage. Once the basic configuration of the DHCP server has been
completed, additional IP networks may be assigned.
Input the desired subnet mask value within the Subnet Mask text box. By
default, the assigned subnet mask is taken from the previously defined network
configuration parameters as reported by the ifconfig command.
Click the > button to accept the network information shown in the window
and move to the next step in the process.

Step 5: Determine Network Configuration
The next step involves selecting the type of network and additional routing
parameters that will be used with the DHCP server and for associated DHCP
clients, as shown in Figure 20-6. The Network Type box includes either
local-area (LAN) or point-to-point selections. The local-area (LAN) selection
indicates that DHCP will operate under the local data link protocols (such as
Ethernet or FDDI).

Figure 20-6  Network Type/Routing Information window
By default, the LAN network type is selected, and this should be what is
used unless you are configuring DHCP to operate within a fixed point-to-point
network topology. Next, the window provides the option to specify a
default network router to obtain routing information. This information is
provided to the client systems when they request DHCP services. If you
don’t know a default router, then select to use the router discovery process.
This way, the clients, when necessary, will discover all local routers. If you
have a default router attached to the local system, enter the IP address of
the device within the Use Router text box.
Click the > button to accept the network information and proceed to the
next step.

Step 6: Provide NIS or NIS+ Domain Server Information
The next two steps involve specifying the NIS or NIS+ domain names and any
associated NIS/NIS+ servers. This is very useful for those sites that use NIS,
because this information can be supplied to any client when they request DHCP
services. If you have either NIS or NIS+ operating within your network, add this
information to this window. Otherwise, leave the fields blank. Click the >
button to proceed to the final configuration step.

Step 7: Review the Configuration
The final step involves verifying all the information that has been entered from
the previous steps. If you find that something must be changed, use the < button
to go to the step where the incorrect information can be changed. When the
configuration information is correct, click the > button to return to the review step and
click the Finish button to accept the information. Figure 20-7 shows the review
step with all the configuration information from the preceding examples.
Next, a dialog box will be displayed, as shown in Figure 20-8, which
indicates that you must configure a list of addresses for allocation to
clients, and it asks if it should start the Address Wizard for this purpose.

Figure 20-7  The DHCP Configuration Summary window

Figure 20-8  Start Address Wizard Dialog window

Answering Yes to the dialog box question causes another window to be
displayed. This window represents another setup wizard, which will guide
you through the process of adding IP addresses to the DHCP server. See the
section “Adding IP Addresses to the DHCP Server” later in this module for
a detailed description and explanation of the Address Wizard.

1-Minute Drill
● What are the UNIX DHCP server component modules?
● What does the DHCP lease policy define?
Answers:
● Server process, configuration file, configuration manager
● How long a client’s DHCP-obtained IP address is valid before the client must recontact the server for a new address

Using the Configuration Manager
The DHCP configuration manager is used to administer and configure DHCP
services. This section reviews the menus and functions that this application
supports. The high-level menus are listed in Table 20-2.
The application contains the following submenus.

File Menu
Contains just a single menu element—Exit. This item is the standard way to
close the configuration manager.

Table 20-2  Configuration Manager Menu Items

Menu     Description
File     Contains the Exit menu item; used to quit the configuration manager
Edit     Used to manage the IP address space for DHCP clients
View     Toggles IP address and grid elements
Service  Controls the DHCP server process and configuration
Help     Online help facility

Edit Menu
The Edit menu contains the following items:
● Create  Set up a new IP address range for DHCP client systems.
● Delete  Remove an existing IP address range.
● Duplicate  Make a copy of an existing IP address range.
● Properties  Display the properties of an existing IP address range.
● Address Wizard  Step-by-step process for IP address range creation.
● Release Addresses  Clear the lease of an existing assigned IP address.
● Network Wizard  Step-by-step process for creating a new network that can
be used with the DHCP server.
● Delete Networks  Delete an existing network.

View Menu
The View menu contains the following items:
● Refresh  Refreshes the display.
● Show Addresses  Displays the IP address of the DHCP clients instead
of hostnames.
● Show Grid  Displays grid lines for the main DHCP configuration screen.
These lines make it easier to view each DHCP client entry.

Service Menu
The Service menu contains the following items:
● Restart  Restarts an already existing dhcpd process.
● Stop  Shuts down the dhcpd process.
● Start  Enables the dhcpd process.
● Disable  Permanently disables the dhcpd process from executing.
● Enable  Reverses the disable function.
● Modify  Alters some of the DHCP server options.
● Unconfigure  Removes DHCP server configuration information from
the system.

Help Menu
The Help menu contains on-line help for the configuration manager. The help
facility uses HTML, which means you will need to have a Web browser installed
on the system to view the help files. The submenu items include the following:
● Overview  Provides an overview of the DHCP configuration manager.
● How To  Provides a topical index to how to accomplish specific tasks
with the configuration manager.
● Index  Provides an index to all of the help sections with links so that
the administrator can navigate the entire online book.
● On Service  Explains what the DHCP or BootP facilities do, and how
to use and configure them.
● On Addresses  Shows how to configure and use IP addresses for
DHCP clients.

Adding IP Addresses to the DHCP Server
Before the DHCP server can allocate addresses for DHCP clients, a range of IP
addresses must be configured within the server. If you are configuring the DHCP
server for the first time, you will have been prompted to start the Address Wizard;
otherwise, select the Address Wizard from the main Edit menu. After you have
started the wizard, you will see a window similar to that shown in Figure 20-9.
As you can see, this wizard will help you configure an address range for
DHCP clients; like the previous wizard, the specific steps are on the left while
the questions are located on the right-hand side of the window. A total of six
steps are necessary to accomplish the IP address configuration, and they are
described in the following sections.

Figure 20-9  Address Wizard window

Step 1: Determine the Number of IP Addresses
Within the Number of IP Addresses text box, you must indicate the total
number of addresses you will need to support all the DHCP clients for this IP
network. Several factors can affect how many addresses are allocated for DHCP
services. For example, are all the clients active during the same period of time,
or how many addresses are currently unallocated within the network? That is,
if this IP network is used for other purposes and addresses have already been
assigned to systems, how many IP addresses are available for DHCP? If the
clients represent nomadic users that access the network on an infrequent or
ad hoc basis, the total number of IP addresses may be much lower as compared
to users that access the network on a more regular and frequent basis.
Note that the total number of addresses for DHCP must be contiguous within
an IP network. That is, they must all be within a specific range of addresses.
For example, as shown in Figure 20-9, if you entered 20 within the Number
of IP Addresses text box, then you are saying that 20 continuous addresses
are available within the network, such as 216.155.202.200 through
216.155.202.219. This is an important point, since you can’t specify gaps
in ranges within an IP network. Also, notice that the range above (200-219)
represents 20 addresses. One might think that this only represents 19 addresses,
but in fact, we must count 216.155.202.200 as the first address.
Once the number of addresses has been determined, the configuration
manager provides a comment field to help track when changes are made to the
configuration. Use this field to record any changes to the ranges of IP addresses
that have been configured with the DHCP server.
Selecting the > button will move the wizard to the next step.

Step 2: Select the Starting IP Address
Once the wizard has moved to the next step, a new window is displayed.
This window will be similar to what is shown in Figure 20-10. As you can see,
several important configuration parameters are required. First, you must
make sure that the correct DHCP server is listed within the Managed by
Server text field. By default, the hostname of the system running the
configuration manager is added to this text box. Using Figure 20-10 as
the example, we see that the system called bedrock is the DHCP server.

Figure 20-10  Starting IP Address window

Second, the administrator must determine the starting point or first IP
address that will be used for DHCP clients. In other words, what is the start of
the address range that the DHCP server will be using when allocating addresses
to clients? Also, remember that we specified the total number of addresses that
will be allocated with the IP address range. Thus, the DHCP server simply
determines the IP address range by adding the total number of addresses to the
address starting point.
Third, as an option, the configuration manager can automatically assign
hostnames to the range of IP addresses for DHCP clients. Select the Generate
Client Names check box if you want to enable this option. As you can see, the
administrator can configure a prefix string that will be added to the beginning
for each hostname. In this example, the Root Name text box contains the string
dhcpclient. This tells the DHCP server to add this string to the start of
each hostname. The DHCP server will automatically number each of the hosts
defined. Thus, if ten systems were specified with the IP address range, then
the DHCP server will define the following hostnames:
● dhcpclient-1
● dhcpclient-2
● dhcpclient-3
● dhcpclient-4
● dhcpclient-5
● dhcpclient-6
● dhcpclient-7
● dhcpclient-8
● dhcpclient-9
● dhcpclient-10
Selecting the > button will move the wizard to the next step.

Step 3: Confirm the IP Address List
The wizard now asks the administrator to confirm the list of added IP addresses
and corresponding hostnames. Assuming that a total of 20 addresses were
defined with the starting IP address of 216.155.202.200 and that the
dhcpclient string was added to the Root Name text box from the last step,
you should see a window similar to that shown in Figure 20-11.
As previously indicated, for each IP address, a hostname was defined. The
hostname string name contains the last byte of the IP address so that it is very
easy to identify the IP address from the hostname itself. Selecting the > button
will accept this configuration and move the wizard to the next step.
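Added example, not from the book: the arithmetic behind Steps 1 through 3 in Python. It computes the range that a starting address plus a count yields (with the first address counted, so 20 addresses from .200 end at .219), checks that the range stays inside the interface's IP network without touching the network or broadcast address, reports overlap with addresses already assigned elsewhere on the network, and generates the last-octet hostnames. The function names, the in_use list and the sample values are assumptions.

```python
import ipaddress

def plan_address_range(start, count, netmask, root_name="dhcpclient", in_use=()):
    """Compute the contiguous range the Address Wizard builds from a start and count.

    Returns (first, last, hostnames, conflicts). The wizard adds the address
    count to the starting point; because the start is itself address number one,
    the last address is start + count - 1 (20 addresses from .200 end at .219).
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    network = ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)
    # The range must stay inside one IP network (gaps are not possible, so the
    # end is implied), and the network and broadcast addresses are never usable.
    unusable = {network.network_address, network.broadcast_address}
    for addr in (first, last):
        if addr not in network or addr in unusable:
            raise ValueError(f"{addr} is not a usable host address in {network}")
    addresses = [first + i for i in range(count)]
    # Generated names carry the last byte of the address (dhcpclient-200, ...),
    # the form the pump output later in this module shows.
    hostnames = [f"{root_name}-{str(a).rsplit('.', 1)[1]}" for a in addresses]
    # Addresses already assigned statically on this network would collide with
    # dynamic leases, so report any overlap instead of handing them out.
    used = {ipaddress.IPv4Address(a) for a in in_use}
    conflicts = [str(a) for a in addresses if a in used]
    return str(first), str(last), hostnames, conflicts

def range_fits(start, count, netmask):
    """True when start plus count addresses stays within usable host space."""
    try:
        plan_address_range(start, count, netmask)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed values matching the module's example: 20 addresses from .200.
    print(plan_address_range("216.155.202.200", 20, "255.255.255.0",
                             in_use=["216.155.202.171"]))
```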

Step 4: Define Client Information
The configuration manager supports the concept of a configuration macro, and
basically a macro provides the specific parameter information to each DHCP
client. The next step using the wizard is shown in Figure 20-12. A default
macro name, which represents the network address, is set up automatically.

Figure 20-11  The IP address list with associated hostnames

Figure 20-12  DHCP server macro

Examples of a macro include DNS information, lease configuration, and so
forth. Click the View item to see the detailed information contained within the
macro. Figure 20-13 shows the default bedrock macro. Accept the default
configuration by clicking the > button.

Step 5: Select the DHCP Lease Type
You have the option of selecting either a dynamic lease or a permanent
(static) lease, as depicted in Figure 20-14. A dynamic lease means that it can
be assigned to different clients over a period of time, whereas the static lease
is assigned to a single client just once. However, you can alter the lease types
after you have configured the DHCP server. The most common type is the
dynamic lease.
Click the > button to move to the next and final step in the Add Address
Wizard process.

Figure 20-13  Detailed macro information

Figure 20-14  Select the appropriate DHCP lease type

Step 6: Review the DHCP Configuration
The final step is to review the DHCP configuration information. A window is
displayed that contains all of the configuration details that were specified in the
previous steps. The example configuration is shown in Figure 20-15.
Click the Finish button to accept the configuration or use the < button to
move back through the process to alter any necessary parameters.
Once the wizard process is complete and the new address range is added,
the main configuration window is updated with a new network icon.

Hint

One of the more important things to check is the assignment of IP addresses
and hostnames. You can use the window to scroll through the list of IP
addresses to make sure the range that was selected is correct.

Figure 20-15  Review window

20.2 Configure DHCP Clients
This section reviews the procedures involved with both manually and
automatically configuring UNIX systems as DHCP clients. Depending on the
operating system, different sets of steps will be necessary.

Manual DHCP Configuration
If you would like to manually configure DHCP on UNIX, you must use the
appropriate DHCP network tools. For instance, on Solaris, you must use the
ifconfig tool to configure an interface that uses DHCP. On Linux, you
would use the dhcpcd command, and on HP-UX, you would use the
dhcpclient command.
To manually configure DHCP on Solaris, execute ifconfig with the
interface name followed by the dhcp keyword. Thus, the command
ifconfig hme0 dhcp

will manually configure the hme0 interface (the 100-Mbps Ethernet interface on
most Sparc systems).
On Linux, use the dhcpcd command:
dhcpcd eth0

Hint

The Linux dhcpcd command will only function when the interface is being set
up for the first time or when the dhcpcd process is not running. Normally, the
system starts this process automatically when the system detects an interface
that has been configured to use DHCP.

The HP-UX system works the same way, but the command to use is
dhcpclient. The same rule applies to this tool as to the dhcpcd command
on Linux when attempting to run the command manually.


Set Up Automatic and Permanent
DHCP Configuration
Configuring DHCP client services on UNIX to be both automatic and
permanent (that is, it will persist across system reboots) generally is a
straightforward and simple process. On the Solaris system, if the machine
has already been installed on the network, the procedure is quite easy—
simply create a special file within the /etc directory. The filename is
important—the format is dhcp.interface, where interface is the
name of the UNIX network interface on which DHCP services should be
configured. For example, on Solaris, the first 100-Mbps Ethernet interface
might be eri0. Thus, the command
touch /etc/dhcp.eri0

will create an empty file called dhcp.eri0. When the system is rebooted,
the existence of this file will tell the system to issue DHCP requests to the
network for network configuration information.
When the system boots, you should see the following message on
the console:
starting DHCP on primary interface eri0

For HP-UX, modify the value of the keyword DHCP_ENABLE that is
contained within the /etc/rc.config.d/netconf file. Assigning the
value of 1 to this keyword enables DHCP on the associated network interface.
The sample output of this file is shown here:
HOSTNAME=mb-auto-1
OPERATING_SYSTEM=HP-UX
LOOPBACK_ADDRESS=127.0.0.1
INTERFACE_NAME[0]=lan0
IP_ADDRESS[0]=216.155.202.171
SUBNET_MASK[0]=
BROADCAST_ADDRESS[0]=216.155.202.255
INTERFACE_STATE[0]=up
# Set to "1" to enable DHCP client
DHCP_ENABLE[0]=0

As you can see, the variables are self-explanatory based on the individual name.
For example, the HOSTNAME variable represents the name of the host.
On Linux, modify the value of the keyword BOOTPROTO that is contained
within the /etc/sysconfig/network-scripts/ifcfg-eth0 file. This

Module 20:

Using DHCP

595

file, ifcfg-eth0, corresponds to the first Ethernet interface on the system.
Your system may have multiple interfaces, in which case you will see more than
one of these files. Select the appropriate file when configuring DHCP client
services. If the interface was previously configured with an IP address, you must
change the keyword from static to dhcp. If the keyword isn’t present in the
file, simply add it with the correct keyword of dhcp. The sample output shows
the correct entry in the ifcfg-eth0 file:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
PEERDNS=no

When the system reboots, it will attempt to obtain DHCP configuration for
the eth0 interface. If you want to stop using DHCP, change the BOOTPROTO
keyword to have the value of static and add the following additional
keywords if they are not present in the file:
IPADDR=216.155.202.163
IPGATEWAY=216.155.202.129
NETMASK=255.255.255.0

Assign the appropriate keyword values that match your network environment.
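Added example, not from the book: a small Python helper that switches an ifcfg-ethN file between BOOTPROTO=dhcp and BOOTPROTO=static as described above, and refuses the static form unless the IPADDR, IPGATEWAY and NETMASK keywords the text lists are all present. It operates on the file text rather than on /etc/sysconfig directly; the function names and the sample contents are assumptions.

```python
# Keywords the text says a static interface needs once BOOTPROTO=static.
STATIC_KEYS = ("IPADDR", "IPGATEWAY", "NETMASK")

def parse_ifcfg(text):
    """Parse KEY=VALUE lines of an ifcfg-ethN file; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def render_ifcfg(settings):
    """Serialize settings back to KEY=VALUE lines, preserving their order."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())

def missing_static_keys(settings):
    """Keywords a static configuration still lacks (empty values count as missing)."""
    return [key for key in STATIC_KEYS if not settings.get(key)]

def set_bootproto(text, mode, **static_values):
    """Return the ifcfg text switched to BOOTPROTO=dhcp or BOOTPROTO=static.

    The static form is refused unless IPADDR, IPGATEWAY and NETMASK are all
    present, either already in the file or passed as keyword arguments; an
    interface without them would come up unconfigured at the next reboot.
    """
    if mode not in ("dhcp", "static"):
        raise ValueError(f"unsupported BOOTPROTO value: {mode}")
    settings = parse_ifcfg(text)
    settings["BOOTPROTO"] = mode
    settings.setdefault("ONBOOT", "yes")  # the change only matters if the interface starts at boot
    if mode == "static":
        settings.update({k: v for k, v in static_values.items() if k in STATIC_KEYS})
        missing = missing_static_keys(settings)
        if missing:
            raise ValueError("static configuration is missing " + ", ".join(missing))
    return render_ifcfg(settings)

# Constructed sample, mirroring the ifcfg-eth0 listing in the text.
SAMPLE_IFCFG = """\
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
PEERDNS=no
"""

if __name__ == "__main__":
    print(set_bootproto(SAMPLE_IFCFG, "static", IPADDR="216.155.202.163",
                        IPGATEWAY="216.155.202.129", NETMASK="255.255.255.0"))
```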

Obtain DHCP Agent Status Information
Once the interface has been configured to use DHCP, the administrator can
view the status of the interface using the ifconfig command. For example,
to view the status on Solaris, use the following:
# ifconfig -a dhcp status
ifconfig: lo0: interface is not under DHCP control
Interface  State  Sent  Recv  Declined  Flags
eri0       BOUND  2     1     0         [PRIMARY]
(Began, Expires, Renew) = (12/11/2001 22:47, 12/18/2001 22:47, 12/15/2001 10:47)
ifconfig: eri1: interface is not under DHCP control

The -a option returns results for all network interfaces. The lo0 and eri1
interfaces are not configured to use DHCP; the eri0 interface is configured to
use DHCP and is the primary network interface.


On Linux, the pump command is used to obtain status and configuration
information about the interface that is using DHCP. Thus, the command
pump -s

when executed, will show all the information for each interface that is
configured to use DHCP. The sample pump output might look like this:
Device eth0
IP: 216.155.202.200
Netmask: 255.255.255.0
Broadcast: 216.155.202.255
Network: 216.155.202.0
Boot server 216.155.202.100
Next server 0.0.0.0
Gateway: 216.155.202.1
Hostname: dhcpclient-200
Domain: home.com
Nameservers: 216.155.202.10 216.155.202.11
Renewal time: Fri Jan 18 01:39:23 2002
Expiration time: Fri Jan 18 03:09:23 2002

In this example, all the relevant DHCP information is obtained for the eth0
interface; naturally, the IP address, network, and lease information will be
different depending on which network the DHCP server is running on.
On the Windows family of operating systems, the ipconfig command can
be used just like the UNIX ifconfig command, which is discussed next.
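Added example, not from the book: a Python parser for the Solaris ifconfig -a dhcp status output shown above, which extracts the lease times and classifies a lease against a reference time. It also checks the point made in the lease discussion earlier: the client's renew time falls halfway through the lease, which is exactly where the sample's renew value sits. The sample text is the output above; the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the "ifconfig -a dhcp status" output shown above.
SAMPLE_STATUS = """\
ifconfig: lo0: interface is not under DHCP control
Interface  State  Sent  Recv  Declined  Flags
eri0       BOUND  2     1     0         [PRIMARY]
(Began, Expires, Renew) = (12/11/2001 22:47, 12/18/2001 22:47, 12/15/2001 10:47)
ifconfig: eri1: interface is not under DHCP control
"""

TIME_FMT = "%m/%d/%Y %H:%M"
LEASE_RE = re.compile(r"\(Began, Expires, Renew\) = \((.*?), (.*?), (.*?)\)")

def parse_dhcp_status(text):
    """Return {interface: info} for every interface under DHCP control.

    Each bound interface prints one row (name, state, counters, flags) followed
    by a (Began, Expires, Renew) line; interfaces not under DHCP control only
    produce an "ifconfig: NAME: ..." diagnostic, which is skipped.
    """
    leases = {}
    current = None
    for line in text.splitlines():
        if line.startswith("ifconfig:") or line.startswith("Interface"):
            continue
        match = LEASE_RE.match(line)
        if match:
            if current is not None:
                began, expires, renew = (datetime.strptime(s, TIME_FMT) for s in match.groups())
                leases[current].update(began=began, expires=expires, renew=renew)
            continue
        fields = line.split()
        if len(fields) >= 5:
            current = fields[0]
            leases[current] = {"state": fields[1], "primary": "[PRIMARY]" in line}
    return leases

def lease_report(info, now):
    """Classify one lease at the reference time `now` (mm/dd/yyyy HH:MM).

    A client normally attempts renewal at T1, halfway through the lease; the
    sample's renew time sits exactly at the midpoint of its one-week lease.
    """
    now = datetime.strptime(now, TIME_FMT)
    lease_len = info["expires"] - info["began"]
    midpoint = info["began"] + lease_len / 2
    if now >= info["expires"]:
        status = "expired"      # the address is no longer valid
    elif now >= info["renew"]:
        status = "renewing"     # the client should be asking the server to extend
    else:
        status = "bound"
    return {
        "status": status,
        "lease_hours": lease_len.total_seconds() / 3600,
        "renew_at_midpoint": info["renew"] == midpoint,
        "hours_remaining": (info["expires"] - now).total_seconds() / 3600,
    }

if __name__ == "__main__":
    for name, info in parse_dhcp_status(SAMPLE_STATUS).items():
        print(name, lease_report(info, "12/16/2001 00:00"))
```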

1-Minute Drill
● What type of DHCP lease assigns an IP address to different clients over a period
of time?
● In Linux, how does the dhcpcd process normally start?
Answers:
● Dynamic
● The system starts this process automatically if an interface is configured to use DHCP.

Configuration of DHCP Clients
This section will help you configure client DHCP services on other platforms.
More specifically, Linux and Windows operating systems will be covered. As on
other UNIX operating systems, DHCP is supported on Microsoft’s family of
operating systems. In particular, Windows 98, Windows Me, Windows 2000,
and Windows XP are all supported. Although these operating systems provide
different features and run on a large number of computer systems, the DHCP
support is generally uniform. To configure a Windows 2000 system to support
DHCP, perform the following steps.

Hint

The assumption in these steps is that you have already installed a NIC and that
basic networking services are already operational.

Step 1: Access the Network and Dial-up Connections Panel
Using the Start menu, select the Network and Dial-up Connections item from
the Settings submenu. When done, a new window will be displayed that
contains at least one network icon and a Make New Connection icon. A LAN
connection known as Local Area Connection 5 has been defined. This
window is used to add new networking connections or display configuration
information for one or more existing network interfaces.

Step 2: Display the Status of the LAN Connection
Double-click the network icon appropriate for your system. When done, a new
window is displayed. This window shows basic network status and performance
information and can be used to navigate to more detailed network information.

Step 3: Display the Properties of the LAN Connection
Next, select the Properties button on the Local Area Connection window.
Once this has been done, a new window is displayed. This window provides
information about the higher-level protocols and services that are bound to
the network interface. The 3com3cs74 TXFast Ethernet PC card is the
LAN interface that is used. Note that three different services are configured
for this card: Microsoft Networks Client software, file and printer sharing
software, and TCP/IP.

Step 4: Display the Properties of the TCP/IP
Highlight the Internet Protocol (TCP/IP) item and then click the Properties
button. When this is done, the Internet Protocol (TCP/IP) Properties window
is displayed.


Click the Obtain an IP Address Automatically selection (if it isn’t already
checked) and then click the OK button. This instructs Windows to request an
IP address from the DHCP server using the DHCP protocol.
Next, select the OK button and close the LAN Properties window. Then,
close the LAN Status window by clicking the Close button.
You should reboot the system for this networking change to take effect, and
when the system reboots it will attempt to obtain network information from a
DHCP server.

Viewing Network Information on Windows
The Windows family of systems provides the means to display network
configuration information using a command-line tool called ipconfig. This
utility provides two basic services: to show network configuration information
and to exercise limited control over the behavior of the DHCP client. Depending on the version of Windows you are using, the ipconfig options will be
slightly different. However, the basic options are supported on most of the
versions of Windows. This tool can show both static and dynamic (such as
from a DHCP server) networking parameters for all defined interfaces on the
system. This command is basically equivalent to the UNIX ifconfig utility,
but it provides only a small number of services as compared to the UNIX
version. To invoke this tool, open a command prompt window and type the
ipconfig command.
When the ipconfig command is invoked with the /help option, it
displays a list of the available command-line options that are supported. This
command provides a small number of command-line arguments, as described
in Table 20-3.
Table 20-3  ipconfig command-line options

Option        Meaning
/?            Displays a list of command-line options.
/help         Displays a list of command-line options.
/all          Displays all the configuration information available.
/release      Releases the IP address for the specified network interface.
/renew        Obtains (renews) a new expiration date for the assigned IP address.
/Batch        Writes the output to a file.
/renew_all    Renews all interfaces that are configured with DHCP.
/release_all  Releases each IP address for all interfaces configured with DHCP.


View DHCP Information
To view network configuration for each defined interface on the system, such
as IP addresses, DHCP information, or generic networking parameters, use the
/all option. For example, issuing the command
C:\WINDOWS>ipconfig /all

displays output similar to that shown next.
Although the second Ethernet adapter is configured to use DHCP, the
missing IP address and lease information indicates that this dial-up adapter is
not currently connected to the network and therefore has not obtained an
address or lease through DHCP.
C:\WINDOWS>ipconfig /all
Windows IP Configuration
        Host Name . . . . . . . . . : SOCRATES.home.com
        DNS Servers . . . . . . . . : 216.155.202.10
                                      216.155.202.11
        Node Type . . . . . . . . . : Broadcast
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : No
0 Ethernet adapter :
        Description . . . . . . . . : Linksys LNE100TX Fast EtheE100TX v4) NDIS5 Driver
        Physical Address. . . . . . : 00-20-78-0E-77-5E
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 216.155.202.202
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 216.155.202.1
        DHCP Server . . . . . . . . : 216.155.202.100
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . : 12 23 01 12:15:38 AM
        Lease Expires . . . . . . . : 12 30 01 12:15:38 AM
1 Ethernet adapter :
        Description . . . . . . . . : PPP Adapter.
        Physical Address. . . . . . : 44-45-53-54-00-00
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . :
        DHCP Server . . . . . . . . : 255.255.255.255
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :

In the example output, three sections are displayed: Windows IP
Configuration, 0 Ethernet adapter, and 1 Ethernet adapter. The
first section lists generic network information related to the system. For instance,
the system name and DNS servers are shown, which are socrates.home.com,
216.155.202.10, and 216.155.202.11, respectively. The next two
sections show specific configuration information related to each of the defined
network interfaces on the system. This includes
● Description
● Physical address
● DHCP flag
● IP address
● Subnet mask
● Default gateway
● Lease obtained date
● Lease expiration date

Description The description string includes the type of interface hardware
that has been installed on the system. In this case, the ipconfig command
identifies a Linksys LNE100TX Fast EtheE100TX as the type of card.

Physical Address This shows the physical data link protocol address
associated with the network interface hardware. In this example, the type of
hardware supports the Ethernet data link protocol and has the address of
00-20-78-0E-77-5E.
DHCP Flag This flag indicates if the network interface has been configured
to use DHCP. If so, then DHCP should be configured to Yes, and IP lease
information should also be listed.
IP Address If DHCP has been configured on the interface, the IP address
has been assigned dynamically from a DHCP server. Otherwise, the IP address has
been assigned statically using the Network Control Panel icon. The IP address is
used to communicate with the local network.


Subnet Mask If DHCP has been configured on the interface, the subnet
mask has been assigned dynamically from a DHCP server. Otherwise, it has
been assigned statically using the Network Control Panel icon. The subnet
mask is used to determine how to interpret the IP address for the local network.
Default Gateway The default gateway is used to permit the local system
to communicate with other nodes on remote networks. If DHCP has been
configured on the interface, generally the default gateway has been assigned
dynamically from a DHCP server. Otherwise, it has been assigned statically
using the Network Control Panel icon.
Lease Obtained Date When DHCP is used, the Lease Obtained field
indicates when the network configuration for this interface was obtained from
the DHCP server. In the earlier example, the 12 23 02 12:15:38 AM string is
read as December 23, 2002 at 12:15:38 A.M.
Lease Expiration Date When DHCP is used, the Lease Expires field
indicates when the network configuration for this interface expires; that is,
when the configuration information will no longer be valid and the DHCP
client must request newer configuration information from the DHCP server.
The other two fields, Primary WINS Server and Secondary WINS Server,
are used to support Microsoft-specific networking services and protocols.

Moving a Workstation Between Networks
In an environment where users move to different parts of the network, it is very
common for DHCP to be deployed across the entire network enterprise. Thus, if a
user moves from one building to another (or even one floor to another), DHCP
services can be used to provide connectivity—regardless of physical location for
mobile users. However, when DHCP is used and a workstation is attached to
different parts of the network, it is important to reconfigure the network
interface each time the workstation is moved.
For example, consider the diagram shown in Figure 20-16, which shows two
networks and one workstation. Both networks have DHCP services enabled;
Network A uses the IP network 216.155.202, while Network B uses the
IP network 216.155.203. When the workstation was attached to Network
A, it obtained the address 216.155.202.100. After some period of time,
the user moves the workstation to Network B without rebooting the system.
Unfortunately, without any network reconfiguration, the workstation won't be
able to communicate on Network B, because Network B uses a different network
address and the workstation is still using the addresses it obtained from
Network A.

Figure 20-16 DHCP network with moved workstation
To resolve this problem, issue the ipconfig command with the /release option
and then execute ipconfig again with the /renew option. This tells the
DHCP client to release (or let go of) the existing DHCP configuration and then
to request a new IP address and associated configuration from the local DHCP
server. Thus,
C:\WINDOWS>ipconfig /release 0

will drop or delete the existing DHCP configuration (that is, the IP address of
216.155.202.100 and so forth) from the first network interface, which is
expressed with zero. When using the /release option, ipconfig must be
given which interface to release. When this command is executed, it should
display the interfaces with empty values:
Windows IP Configuration
0 Ethernet adapter :
IP Address. . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . :
1 Ethernet adapter :
IP Address. . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . : 0.0.0.0

Hint

Sometimes the DHCP configuration isn't released right away after running
ipconfig /release, so it may be necessary to run this command more than once
to ensure that this step is complete.

Once the IP address and associated information has been released, we can
now request a new IP address from the local DHCP server by using the /renew
option. When using /renew, the network interface must be supplied. Thus,
the command

C:\WINDOWS>ipconfig /renew 0

indicates that ipconfig should attempt to obtain up-to-date DHCP
configuration information for the first interface on the system. When executed,
this command would show output similar to this:
Windows IP Configuration
0 Ethernet adapter :
IP Address. . . . . . . . . : 216.155.203.100
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 216.155.203.1
1 Ethernet adapter :
IP Address. . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . :

The “release/renew” steps are depicted in Figure 20-17, and when the
ipconfig command is executed with the /renew option, it displays the new
DHCP configuration obtained from the DHCP server. In this example, the new IP
address will permit the mobile workstation to communicate with all nodes on
Network B because it now contains the correct address.

Figure 20-17 The DHCP release/renew steps

Mastery Check
1. True/False: A Windows system cannot get an IP address from a UNIX-based
DHCP server.
2. What is the default directory for Solaris DHCP configuration information?
a. /etc/resolv.conf
b. /var/dhcp
c. /etc/dhcp
d. /etc/dhcpd.conf
3. The __________ indicates how long a client may use an IP address once it
has been assigned by a DHCP server.
4. True/False: When adding IP addresses for a DHCP server to assign, you
can use any available valid addresses on your network.

5. A __________ DHCP lease is assigned to a single client just once.
6. By default, what Linux file contains DHCP configuration information?
a. /etc/resolv.conf
b. /var/dhcp
c. /etc/dhcp
d. /etc/dhcpd.conf
7. What is the proper tool for manual DHCP client configuration on each of
these platforms: Solaris? Linux? HP-UX?
8. On a Solaris client, what is the command to configure DHCP permanently,
so it persists when the system reboots, assuming the interface to configure
it for is named ei0?
9. On a Windows 2000 client, what is the TCP/IP option to use DHCP to
obtain an IP address?
a. Obtain an IP address automatically
b. Configure DHCP
c. ipconfig
d. Use the following IP address
10. On a Windows 2000 client, what is the command to view DHCP and
IP information?
a. Obtain an IP address automatically
b. Configure DHCP
c. ipconfig
d. Use the following IP address

Module 21: Using rdist

Critical Skills
21.1 Create an rdist Distribution File for Synchronizing Files
21.2 Debug an rdist Configuration
21.3 Investigate rdist Commands
21.4 Explore an rdist Example

The rdist tool provides a software distribution facility for a cluster of
UNIX systems. In particular, it ensures that files and/or directories are
synchronized based on a configuration file stored on the software distribution
server. The tool pushes new files when one or more file elements, such as file
access time, have been changed on the master copy. Maintaining up-to-date
files across a number of different systems is a challenge for the system
administrator. Why is this type of synchronization important? Consider, for
example, a cluster of systems that all use DNS. To configure DNS client
services, a correct /etc/resolv.conf file must be placed on every system.
Now, suppose that you have to make periodic changes to one or more entries
within this file. Without some sort of software distribution mechanism, you
would have to manually copy the updated file to each of the target systems.
Given the number of systems deployed at many sites, it is simply not efficient
to maintain a set of files using a manual approach: copying files by hand
whenever they are modified is both time-consuming and error prone.
Certainly, a manual approach is possible when the number of systems is quite
small. However, when a larger number of systems is involved, things become
much harder and more complex. Consider, for instance, having to update a file
on a bunch of systems on a regular basis, not just one time. Why not automate
the task and make life easy, versus having to do this particular function over
and over?
The rdist tool supports a number of command-line options. However, the most
important ones are described and listed in Table 21-1.

Hint

Due to the incompatibilities of this tool with both Linux and HP-UX, only the
Solaris version has been covered.

Table 21-1 rdist Command-Line Options

Command Option        Meaning
-b                    Do a binary comparison of the target files rather than
                      comparing both the size and date of the source files.
-D                    Turn on verbose debugging output.
-h                    Process symbolic links so that the target file is copied
                      rather than the link itself.
-n                    Echo the rdist commands without actually doing any work.
                      This is used for debugging purposes.
-q                    Does not display any of the files being processed; quiet
                      mode.
-R                    Removes unnecessary files on the target system, which
                      don't match entries on the local system. This is used to
                      maintain the exact directory structure from the master to
                      each target system.
-V                    Verification mode; checks to see if all files are updated
                      on the target systems and any discrepancies are
                      displayed. However, no files are updated on the target
                      systems, nor is any notification sent.
-y                    Does not update remote files on the target systems that
                      are younger than the files located on the server system.
                      This is known as younger mode.
-d macroname=value    Defines a macro with a specific value. This causes the
                      macroname to be overridden with a new definition value,
                      which is contained within the distribution file.
-f distfile           Specifies the distribution file to be processed. If no
                      distribution file is specified on the command line, the
                      tool looks in the current directory for a distribution
                      file called distfile.

21.1 Create an rdist Distribution File for Synchronizing Files
The rdist command supports a configuration file that can be used to
automate the software distribution mechanism. The rdist configuration file is a
self-contained description of the hosts, files, and specific directives for keeping
files up-to-date across a number of target systems. The command directives are
keyword strings and associated values, which then can be used like macros or
shell variables. A working sample distribution file has been included here:
HOSTS = ( dino fred )
FILES = ( /etc/hosts
/etc/resolv.conf )
(${FILES}) -> (${HOSTS})
install -R ;

In this example, we have defined two string variables, HOSTS and FILES, and
their associated values. The HOSTS variable contains a list of target
remote hosts that should be updated with the list of files contained within
the FILES variable. In this case, the target hosts are dino and fred. The
files defined with the FILES variable and copied to the remote hosts are
/etc/hosts and /etc/resolv.conf. Naturally, these hosts must be
official node names that are contained within /etc/hosts, NIS, or DNS.
Also, the files must exist on the local system, which is the system where the
rdist command will be executed.
rdist variables are accessed by enclosing the variable name within curly
brackets and adding a dollar sign in front of the name; thus ${FILES} and
${HOSTS} are both valid. Additional parentheses, such as (${FILES}), are
needed around variables when they are used with certain rdist directives, as
shown in the above example.
We use the rdist string -> to signify that we would like to copy the contents
of the FILES variable to the target machines contained within the HOSTS variable.
The install keyword string indicates that the files should be installed on
the remote hosts. To invoke the above configuration, assume that we have
saved this information to a text file called network-dist and use the rdist
command as shown here:
# rdist -f network-dist
updating host dino
updating: /etc/hosts
updating: /etc/resolv.conf
updating host fred
updating: /etc/hosts
updating: /etc/resolv.conf

The -f option informs rdist to read the accompanying configuration file
from the command line. By default, rdist will search the local directory for a file
called distfile and, if found, will attempt to process this file for software
distribution directives. Thus, if we rename the network-dist file to distfile
and run the rdist command again without any arguments, it will accomplish
the same work as shown in the above example. As you can see from the output,
both hosts are listed and the associated files were updated on each host. If we
were to execute the command again, we would find different output:
# rdist -f network-dist-3
updating host dino
updating host barney

The reason for this is that rdist automatically checks to see if the local files
have changed with respect to the remote copies. If no change has been made
to the local files and the command is run again, the output differs from the
first rdist example because the remote files have not been updated. rdist
still reports that each host is being updated, but in reality it found that
the files did not need to be synchronized because they hadn't changed.
How does rdist determine if a file has changed? That is a very good question!
By default, it uses two methods: first, whether the file size has been altered
since the last copy, and second, whether the modification time of the file has
changed with respect to the last copy.
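The two default checks just described, placed beside the -b binary comparison from Table 21-1, as an added Python model; this is not rdist's own code. It also models the files :: timestamp form that appears in the example in 21.4, which reports files whose modification time is later than that of a timestamp file. The file names and contents are constructed in a temporary directory so the block runs offline.

```python
"""Model of rdist's default change test (file size plus modification time)
beside the -b binary comparison from Table 21-1, and of the `files :: timestamp`
form used in 21.4.  Added example; not rdist's own code.  All files are
constructed in a temporary directory so the block runs offline."""
import filecmp
import os
import shutil
import tempfile


def needs_update(master, target, binary=False):
    """Return True when the master copy should be pushed over the target.

    Default mode follows the text: changed when the size differs or the
    modification time differs from the last copy.  binary=True mirrors
    rdist -b and compares the contents themselves.
    """
    if not os.path.exists(target):
        return True
    if binary:
        return not filecmp.cmp(master, target, shallow=False)  # byte-for-byte
    m, t = os.stat(master), os.stat(target)
    return m.st_size != t.st_size or int(m.st_mtime) != int(t.st_mtime)


def newer_than(files, timestamp):
    """Model of `files :: timestamp`: files modified after the timestamp file."""
    stamp = os.stat(timestamp).st_mtime
    return [f for f in files if os.stat(f).st_mtime > stamp]


def demo():
    """Walk a master/target pair through the cases and return the verdicts."""
    root = tempfile.mkdtemp()
    try:
        master = os.path.join(root, "resolv.conf")
        target = os.path.join(root, "dino", "resolv.conf")
        os.makedirs(os.path.dirname(target))
        with open(master, "w") as fh:
            fh.write("nameserver 10.0.0.1\n")  # constructed sample content
        shutil.copy2(master, target)          # copy2 keeps the mtime, as rdist does
        results = {"after_copy": needs_update(master, target)}

        # Edit the master: size and mtime both change, so the default test fires.
        with open(master, "a") as fh:
            fh.write("search example.test\n")
        results["after_edit"] = needs_update(master, target)
        shutil.copy2(master, target)

        # Same-size change on the target with the original mtime put back:
        # the default test misses it, the binary comparison catches it.
        with open(target, "r+") as fh:
            fh.write("nameserver 10.0.0.2\n")
        st = os.stat(master)
        os.utime(target, (st.st_atime, st.st_mtime))
        results["same_size_default"] = needs_update(master, target)
        results["same_size_binary"] = needs_update(master, target, binary=True)

        # `::` form: a timestamp file older than the master's last edit.
        stamp = os.path.join(root, "timestamp")
        open(stamp, "w").close()
        os.utime(stamp, (st.st_mtime - 100, st.st_mtime - 100))
        results["newer"] = [os.path.basename(f) for f in newer_than([master], stamp)]
        return results
    finally:
        shutil.rmtree(root)
```

The third case is the one worth remembering: a target file rewritten to the same size with its modification time put back passes the default test unchanged, so when the master copies are the trusted baseline and you need to know that the targets really match them, run rdist with -b (or check with -V) rather than relying on size and date alone.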

21.2 Debug an rdist Configuration
If we are having trouble getting a particular rdist configuration working, we
have two ways to debug the problem. First, we can use the -n option, which
shows the steps rdist will take when supplied a configuration file. Second, we
can use the -D option to display a verbose listing of debugging output during
execution of the rdist command.
If we are interested only in displaying which files would be updated on a
given target, rather than actually doing the software syncing, we can use the -n
option. This option just lists the files that would be updated instead of
physically copying them over. Thus,
# rdist -n -f network-dist-5
updating host barney
install -R /etc/hosts /etc/hosts
install -R /etc/resolv.conf /etc/resolv.conf
updating host fred
install -R /etc/hosts /etc/hosts
install -R /etc/resolv.conf /etc/resolv.conf

From this example, you can see that both systems (barney and fred) would
be updated with both the /etc/hosts and /etc/resolv.conf files. The
-D option shows much more information about the steps rdist follows when
doing work. Unfortunately, some of the displayed messages can be rather
cryptic, which makes them hard to interpret. In the following example, the rdist
command from the previous example is run with the debug command-line option.
This command-line option is most useful in debugging rdist when more advanced
or complex directives or options are used.
bash-2.03# rdist -D -f network-dist-7 | cat -n
1 lookup(HOSTS, 1, 33860)
2 lookup(FILES, 1, 338a0)
3 expand(338c0, 3)
4 list = ( ${FILES} )
5 lookup(FILES, 0, 0)
6 expanded list = ( /etc/hosts /etc/resolv.conf )
7 expand(338d0, 7)
8 list = ( ${HOSTS} )
9 lookup(HOSTS, 0, 0)
10 expanded list = ( dino barney )
11 insert: files = ( /etc/hosts /etc/resolv.conf )
12 insert: hosts = ( dino barney )
13 insert: cmds NULL
14 docmds: cmds c_type ARROW, c_name dino, c_label NULL, c_files (
/etc/hosts /etc/resolv.conf )
15 sc_type INSTALL, sc_options 16, sc_name NULL, sc_args ( )
16 c_type ARROW, c_name barney, c_label NULL, c_files ( /etc/hosts
/etc/resolv.conf )
17 sc_type INSTALL, sc_options 16, sc_name NULL, sc_args ( )
18 doarrow(338e0, dino, 350d0)
19 makeconn(dino)
20 updating host dino
21 port = 514, luser = root, ruser = root
22 buf = /usr/ucb/rdist -Server
23 install -R /etc/hosts /etc/hosts
24 target = /etc/hosts, rname = hosts

In this example, the rdist command is run and the output is sent to the
cat command using the -n option. Recall that this option displays the associated
line number within the output, which makes it easier to read. As you can see,
the output is quite verbose and has been truncated to only a portion of lines
that were actually displayed. However, the output can be used to get a general
idea of how the rdist tool is parsing and handling the configuration file.

21.3 Investigate rdist Commands
As previously mentioned, rdist supports a number of directives that control
how the installation of remote files is done and helps determine whether other
related tasks should be done as well. All of the supported rdist command
directives are listed in Table 21-2.

Table 21-2 rdist Command Directives

Directive               Meaning
install [options]       Copy any out-of-date files and/or directories to the
                        target systems.
notify address          Send email to the specified users.
except filename         Exclude a file from being updated. This file is
                        supplied with the filename argument.
except_pat pattern      Exclude one or more files from being updated that
                        match a specific regular expression listed in pattern.
special [command]       Invoke a shell command on the remote target machine
                        when one or more files have been successfully copied.

We have seen the install directive at work in previous examples. However,
this rdist command supports a few options that correspond to the regular
rdist command-line options, namely the -b, -h, -i, -R, -v, -w, and -y
options, which are listed in Table 21-1 above. One of the more useful options,
-R, provides the ability for rdist to maintain truly identical copies of directory
structures from the local system to the remote target systems. Consider the
following example configuration:
HOSTS = ( dino barney )
FILES = ( /stream/bin
/stream/etc
/stream/movies)
(${FILES}) -> (${HOSTS})
install -R ;

In this case, we are syncing three different directories under the /stream
directory and when we run rdist—these three directories (and their contents)
will be copied to the remote systems dino and barney. Let’s display the
contents of the /stream/movies directory on the system called dino:
# rsh dino ls -al /stream/movies
total 196604
drwxr-xr-x   2 root     root          512 Nov  3 16:16 .
drwxr-xr-x   5 root     other         512 Nov  3 16:16 ..
-rw-r--r--   1 root     root      6662846 Oct 11  2000 matrix-1.mov
-rw-r--r--   1 root     root     62020733 Oct 11  2000 powers.mov
-rw-r--r--   1 root     root        91878 Oct 30  2000 rtspam.mov
-rw-r--r--   1 root     root        91878 Oct 12  2000 sample.mov
-rw-r--r--   1 root     root      5893937 Oct 12  2000 swtrailer-1.mov
-rw-r--r--   1 root     root      5863261 Oct 12  2000 swtrailer-2.mov
-rw-r--r--   1 root     root     19929586 Oct 12  2000 swtrailer-3.mov
#

Let's now assume that we have removed some of the files stored within
the /stream/movies directory on the local system and we would like to
resynchronize the other target systems. When we rerun the rdist command,
we get the following:
# rdist -f directory-dist
updating host dino
removed /stream/movies/swtrailer-1.mov
removed /stream/movies/swtrailer-2.mov
removed /stream/movies/swtrailer-3.mov
updating host barney
removed /stream/movies/swtrailer-1.mov
removed /stream/movies/swtrailer-2.mov
removed /stream/movies/swtrailer-3.mov

As you can see, rdist reported that these files were removed from the remote
systems as expected. Sure enough, if we again display the contents of the
/stream/movies directory on one of the target systems, we get
# rsh barney ls -al /stream/movies
total 134620
drwxr-xr-x   2 root     root          512 Nov  4 11:37 .
drwxr-xr-x   5 root     other         512 Nov  3 16:13 ..
-rw-r--r--   1 root     root      6662846 Oct 11  2000 matrix-1.mov
-rw-r--r--   1 root     root     62020733 Oct 11  2000 powers.mov
-rw-r--r--   1 root     root        91878 Oct 30  2000 rtspam.mov
-rw-r--r--   1 root     root        91878 Oct 12  2000 sample.mov

Task Notifications
You can use the notify directive to send email when one or more tasks are
completed. Email can be sent when a specific task is complete or a group of
tasks have been done. For instance, using the example above, we can add the
following directive to the end of the rdist configuration file:
notify root@pebbles ;

This instructs rdist to send email to the root user on the host pebbles.
When we resynchronized the /stream/movies directory for the dino host,
the following email was sent:
From root Mon Nov 5 17:04:37 2001
Date: Mon, 5 Nov 2001 17:04:37 -0800 (PST)
From: rdist (Remote distribution program)
To: root@pebbles.home.com
Subject: files updated by rdist from pebbles.home.com to dino
removed /stream/movies/swtrailer-1.mov
removed /stream/movies/swtrailer-2.mov
removed /stream/movies/swtrailer-3.mov

The output clearly shows what the rdist command has accomplished: it
removed three movie files from the remote target called dino. A duplicate
message was sent for the other host, barney. Thus, rdist is fairly verbose
about the tasks it reports when sending email.
If you want to send mail to several users, simply add the required number
of notify directives, such as
notify root@bedrock ;
notify anitat@bedrock ;
notify stevem@pebbles ;

However, if you find that a larger number of users might be interested in
receiving rdist-specific messages, it might be easier to use a mail alias. For
instance, we might create a new alias called dist-list. In this case, we
update the /etc/mail/aliases file with the following entry:
dist-list:root@bedrock,anitat@bedrock,stevem@pebbles

Once done, we can update the rdist configuration file with notify
dist-list@mail-host, where mail-host is the name of the mail server.
If a notify directive doesn’t contain a host portion of an email address,
rdist uses the target system as the destination host to send the mail. Thus,
HOSTS = ( peaches cream )
FILES = ( /src )
(${FILES}) -> (${HOSTS})
install -R ;
notify root ;
notify dist-list ;

will send mail to the accounts of root and dist-list on both systems called
peaches and cream.

1-Minute Drill
● Why is using rdist preferable to manually copying files when many systems
are involved?
● What is the point of the notify directive?

● rdist saves time and reduces the possibility of error when more than a few
files or systems are involved. The time savings are multiplied if the systems
need to be synchronized repeatedly, such as a regularly scheduled nightly or
weekly synchronization.
● To inform users or administrators when rdist makes changes on their systems
so they aren't surprised by the file changes.

Excluding Files
The rdist command is great for copying entire directories to remote systems.
However, suppose you want to copy most of the files within a directory, but not
all of them. One approach would be to list every file you want. However,
this is both time-consuming and hard to maintain going forward, because if
files are added and/or deleted on a regular basis the list will be hard to keep
current; also consider the case where the directory contains a large number of
files. We need a better solution, and fortunately rdist provides one! The best
way to address this type of problem is to simply exclude the files you don't
want copied to the target systems. For example, consider the following:
HOSTS = (peaches cream)
FILES = ( /src/package        # Directories to synchronize
/src/bin )
(${FILES}) -> (${HOSTS})
except /src/package/a.out ;   # Excluded file within synchronized directory
install -R ;
notify root@pebbles ;

In the example above, two directories (/src/package and /src/bin)
are being synchronized on target systems peaches and cream. However, the
/src/package/a.out file is excluded from the list of files that are copied to
both systems. If we find that a larger number of files must be excluded from a
particular directory, we can define a variable similar to the HOSTS or FILES
objects. Thus,
EXCLUDE_FILES = (/src/package/a.out
/src/package/libc.ar
/usr/package/libc_test.ar
/usr/package/message.o
/usr/package/message.as)

Here, the variable EXCLUDE_FILES is defined with the files that should
not be copied to any target systems. We can use this variable with the except
rdist directive:
except (${EXCLUDE_FILES}) ;

You can also exclude files that match a particular pattern using the
except_pat command directive. This directive supports matching on
shell-type regular expressions. However, the characters "\" and "$" must be
escaped if they are going to be used in the rdist configuration file. Typical
examples include except_pat "*.h" and except_pat ".??*",
which prevent copying any files that have an .h extension and any files that
begin with a leading dot (.) followed by further characters (which is usually
the case with initialization files).
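A small Python model, added here and not part of rdist, of how a FILES list is narrowed by except and except_pat. It assumes that except matches an exact path and that except_pat matches a shell-style pattern against the file's base name, which is enough to follow the "*.h" and ".??*" examples above; rdist's own matcher may differ, so confirm a pattern's effect with rdist -n before relying on it. The directory tree and file names are constructed in a temporary directory.

```python
"""Model of how an rdist FILES list is narrowed by `except` and `except_pat`.
Added example, not rdist's code.  Assumptions: `except` is an exact path,
`except_pat` is a shell-style pattern matched against the base name."""
import fnmatch
import os
import shutil
import tempfile


def expand_files(paths):
    """Turn the FILES list into concrete files (directories walked recursively)."""
    found = []
    for p in paths:
        if os.path.isdir(p):
            for d, _, names in os.walk(p):
                found.extend(os.path.join(d, n) for n in names)
        else:
            found.append(p)
    return sorted(found)


def apply_exclusions(files, except_files=(), except_pats=()):
    """Drop paths listed in `except` and paths whose base name matches any
    `except_pat` pattern; return the files that would still be pushed."""
    excluded = set(except_files)
    kept = []
    for f in files:
        if f in excluded:
            continue
        base = os.path.basename(f)
        if any(fnmatch.fnmatch(base, pat) for pat in except_pats):
            continue
        kept.append(f)
    return kept


def demo():
    """Constructed /src/package tree mirroring the module's example; returns
    the names (relative to the directory) that survive the exclusions."""
    root = tempfile.mkdtemp()
    try:
        pkg = os.path.join(root, "src", "package")
        os.makedirs(pkg)
        for name in ("a.out", "main.c", "main.h", "util.h", ".profile", "Makefile"):
            with open(os.path.join(pkg, name), "w") as fh:
                fh.write("constructed\n")
        files = expand_files([pkg])
        kept = apply_exclusions(
            files,
            except_files=[os.path.join(pkg, "a.out")],  # except /src/package/a.out
            except_pats=["*.h", ".??*"],                 # except_pat "*.h" / ".??*"
        )
        return sorted(os.path.relpath(f, pkg) for f in kept)
    finally:
        shutil.rmtree(root)
```

Of the six constructed files, a.out goes by the except entry, the two headers by "*.h", and .profile by ".??*", leaving only Makefile and main.c to be pushed.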

Invoking Commands
Sometimes it might be necessary to invoke a specific UNIX command when a
particular file or a group of files has been updated on a remote system. Consider an
example where you synchronize a configuration file that a process requires, and
once the file has been updated the process must be restarted in order to use the new
configuration file. Several UNIX system programs use this model; you must inform
or kill a system process before it will pick up any changes made to its configuration
file. To expand on this, note the following rdist configuration file:
HOSTS = ( dino wilma )
FILES = ( /etc/inet/inetd.conf )
(${FILES}) -> (${HOSTS})
install -R ;
notify root@pebbles ;
special "/usr/bin/pkill -HUP inetd" ;

This configuration will push the /etc/inet/inetd.conf configuration
file to both dino and wilma. Once done, it will execute the pkill command
on both systems using the special rdist directive. This special
command takes a single command argument and executes it on all target
systems. The UNIX pkill command will send a signal to the inetd process,
which causes this process to reread its configuration. Thus, any changes to the
newly pushed /etc/inet/inetd.conf file will take effect immediately. As
you can see, the rdist tool makes it very easy to execute a specific function as
part of the overall file distribution mechanism.

21.4 Explore an rdist Example
To further explain how rdist might be used in the real world, and perhaps
even in a production-like environment, a more elaborate example has been provided.
Naturally, this configuration example file represents one possible way of
addressing the requirements that a typical UNIX shop might have. Some of
the requirements for this example include
● Sync a different set of files to different systems
● Provide notification when files change and when synchronization is
complete
To address these requirements, the following rdist configuration is supplied:
 1 SERVERS = ( dino pebbles barney )
 2 WORKSTATIONS = ( pebbles1 pebbles2 pebbles3 pebbles4 )
 3 NETWORK_FILES = (
 4     /etc/foo
 5     /etc/hosts
 6     /etc/resolv.conf
 7     /etc/defaultrouter
 8     /etc/nsswitch.conf
 9     /etc/inetd.conf
10     /etc/netmasks
11     /etc/networks
12     /etc/inet/ntp.conf
13     /etc/inet/ntp.server
14     /etc/snmp
15 )
16
17 GENERAL_FILES = (
18     /bar
19     /etc/passwd
20     /etc/group
21     /etc/shadow
22     /etc/aliases
23     /etc/profile
24     /etc/projects
25     /etc/syslog.conf
26 )
27
28 SECURITY_FILES = (
29     /me
30     /etc/ftpusers
31     /etc/default/login
32     /etc/hosts.equiv
33     /.rhosts
34 )
35 MEDIA_FILES = (
36     /streams/mov
37     /streams/asf
38 )
39 APPS = (
40     /packages/vnc
41     /packages/ssh
42     /packages/mrgt
43 )
44
45 (${NETWORK_FILES}) -> (${SERVERS})
46     install -R ;
47     notify root@pebbles ;
48     special "/usr/bin/pkill -HUP xinetd" ;
49 (${GENERAL_FILES}) -> (${SERVERS})
50     install -R ;
51     notify root@pebbles ;
52 (${MEDIA_FILES}) -> (${WORKSTATIONS})
53     install -R ;
54     notify root@pebbles ;
55 ${SECURITY_FILES} :: /dist/timestamp
56     notify dist-list@pebbles ;

One clear requirement for most environments is to copy a set of files for a
given class, type, or functional system on the network. For example, let's say
you want to copy certain security-related files to only key file servers, or you
may want to maintain a specific system configuration for just Web servers.
To accomplish this with rdist, it is simply a matter of creating one or more
variables to hold the files for each category. In the example above, the following
file classifications are defined: NETWORK_FILES, GENERAL_FILES,
SECURITY_FILES, MEDIA_FILES, and APP_FILES. Each of these groupings is defined
and contains a collection of associated files, as shown in lines 3–43.
Next, we need to define one or more different types of target systems, and in
the example we have both servers and workstations (rdist variables SERVERS
and WORKSTATIONS, respectively), which are defined on lines 1–2.
Naturally, the breakdown of systems can be any arbitrary classification that you
can imagine. The point here is to define the classification that most suits your
particular environment and that you feel most comfortable with.
Once the systems and files are defined, we need to determine the exact
requirements for the copy component and also how the notification will be
handled. Based on the way rdist works, we must have redundant sections for
each file list definition. In other words, each copy action directive (->) must
have its own install and notify commands. The notify portion is
optional, but the install isn't. If you want to sync the files, you must have
this command.
Further, rdist supports the ability to detect when files have changed
based on a particular milestone or baseline. This is used, for example, to
send notification when files have been updated since a given time. Thus,
in the example, whenever any security-related files (defined within the
SECURITY_FILES variable) have been updated after the date stamp of the
/dist/timestamp file, notification is sent to dist-list@pebbles.

Project 21-1
This project provides a template for you to use to create your own rdist
configuration file to control distribution for several different system types.

Step-by-Step
Refer to the following code listing for all the steps in this project. The line
numbers are for reference only. Do not include them in your configuration file.
Please note that some numbers are intentionally skipped in this line numbering.

 1 SYSTEMTYPE1 = ( )
 2 SYSTEMTYPE2 = ( )
 3 FILEGROUP1 = (
 4
10 )
11 FILEGROUP2 = (
12
20 )
21 FILEGROUP3 = (
22
30 )
31 EXCLUDEFILES1 = (
32
40 )
41 (${FILEGROUP1}) -> (${SYSTEMTYPE1})
42     except (${EXCLUDEFILES1}) ;
43     install -R ;
44     notify ;
51 (${FILEGROUP2}) -> (${SYSTEMTYPE2})
52     except (${EXCLUDEFILES2}) ;
53     install -R ;
54     notify ;
61 (${FILEGROUP3}) -> (${SYSTEMTYPE1})
62     except (${EXCLUDEFILES3}) ;
63     install -R ;
64     notify ;
1. On line 1, enter the names of all the systems to include in the first
synchronization category between the parentheses. If you want, change
the name SYSTEMTYPE1 to a more meaningful name for this group.
2. Repeat step 1 on line 2 for the second group of systems.
3. If you need to define more than two system types, add additional lines
like 1 and 2 with the additional group names and system names.
4. Beginning on line 4, add a directory of files to be synchronized for
SYSTEMTYPE1. Add as many additional lines as needed between lines 4
and 10. If you want, change the FILEGROUP1 name on line 3 to a more
meaningful name.
5. Repeat step 4 to define additional synchronization directory groupings on
lines 12, and 22, renaming the groups on line 11 and 21 if desired and
adding as many lines after lines 12 and 22 as needed for each group.

6. If you need additional file groupings, add additional sections modeled after
steps 4 and 5.
7. If you need to exclude files from the directories in any of the groups, add
the first set of files, using a filename or pattern matching on line 32. Add
additional lines after line 32 for any additional exclusions for this grouping
and rename line 31 to something more meaningful if needed.
8. If needed, add and name additional exclusion sets modeled after step 7.
9. On lines 41, 51, and 61, change the names of the file groups and system
names to match the files you want synchronized to each group.
10. If you have exclusions to make, change the name of the exclusion groups on
lines 42, 52, and 62 to match the set of files you defined to exclude for that
group. If you don’t have any files to exclude for a particular synchronization,
you can delete that line.
11. On lines 43, 53, and 63, leave the -R option on if you want extra files in the
target directories removed. Remove this -R option if you don’t want extra
files deleted.
12. On lines 44, 54, and 64, specify the user account (or distribution list) to send
a notification to for each synchronization.
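A complete Distfile filled in from the template above, as an added example that is not from the book (the host names, directories, mail address and the ldconfig path are made up here):

```text
# Distfile: the web tier is mirrored exactly; the build host is updated
# without deleting anything already there.

WEBHOSTS   = ( web1 web2 )
BUILDHOSTS = ( build1 )

WEBFILES   = ( /usr/local/apache/conf
               /usr/local/apache/htdocs
               /usr/local/apache/cgi-bin )
BUILDFILES = ( /usr/local/bin
               /usr/local/lib )

# Per-host override that must never be overwritten from the master copy.
WEBEXCL    = ( /usr/local/apache/conf/httpd.conf.local )

# Web tier: install -R removes files on the targets that no longer exist
# locally, except keeps each host's local override, except_pat skips
# editor backup files (the pattern is a regular expression; backslash and
# dollar are quoted for the Distfile parser), notify mails the list of
# updated files.
(${WEBFILES}) -> (${WEBHOSTS})
        except (${WEBEXCL}) ;
        except_pat ( \\.bak\$ ) ;
        install -R ;
        notify webteam@example.com ;

# Build host: plain install, so nothing on build1 is ever deleted; special
# with no file list runs the command on the target after each updated file.
(${BUILDFILES}) -> (${BUILDHOSTS})
        install ;
        special "/sbin/ldconfig" ;
```

Run rdist -v -f Distfile first: it reports what would change and changes nothing, which is the only safe way to check a group carrying install -R, since with -R any file present on a target but missing from the local directory is deleted. rdist's default transport is rsh with .rhosts trust; where the installed rdist supports the -P option, rdist -P /usr/bin/ssh -f Distfile carries the update over ssh instead.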


Mastery Check
1. What is the command to send an email that rdist has made an update to a system?
A. install
B. notify
C. host
D. file

Please refer to the following rdist configuration file example for questions 2-5.
HOSTS = ( dino barney )
FILES = ( /stream/bin
/stream/etc
/stream/movies)
(${FILES}) -> (${HOSTS})
install -R ;

2. What systems will this configuration file synchronize files to?
3. What directories will be synchronized on the target systems?
4. On the target systems, what will happen to files in the synchronization directories that aren't in the synchronization directories on the local system?
5. Who will email be sent to for each system when a synchronization is executed?
6. What is the rdist directive to exclude specific files in a synchronization directory from being synchronized?
7. What is the command to execute a system command within an rdist configuration file?
A. install
B. command
C. execute
D. special

8. By default, what does rdist compare to determine if a file on a target system has changed and needs to be synchronized?
A. File size and modification time
B. Binary content
C. Modification time and binary contents
D. Owner and permissions
9. What does the -h command-line option for the rdist command copy?
A. Process symbolic link so that the target file is copied rather than the link itself.
B. Copy the symbolic link rather than the target file.
C. Copy all files modified by the currently logged on user.
D. Copy only files matching the specified pattern, in this case beginning with "h".
10. What rdist command-line option checks to see if all files are updated on the target systems and displays any discrepancies, but doesn't update any files on the target systems or send any notification?

Appendix A: Answers to Mastery Checks


Module 1: Introduction to UNIX
1. Physical hardware, operating system, and applications
2. A. Kernel
3. B. Proprietary software
4. System Library
5. D. Maintains system capacities
6. System administrator

Module 2: Basic UNIX Commands
1. D. ps
2. cat -b
3. date 100415302002
4. C. hostname
5. find / -atime +365
6. File type is directory. Permissions are read, write, and executable for owner,
read and executable for group, and only executable for others.
7. A. Administrator
8. The ? designates that no terminal was involved when a process started.
9. uname -r

Module 3: Using System Administration Tools
1. False
2. /home/gwsmith
3. Modify user
4. Params tab in the User Information window


5. Group definitions button
6. On the Action menu, select the Remove item
7. True
8. Command Interpreter
9. B. Archive the Account’s Data
10. /etc/passwd
11. /etc/group

Module 4: Software Package
Management Tools
1. pkginfo -c system
2. root
3. A, C, D
4. This would delete the XFree86 package from your system if it is installed
5. A. pkgadd -d /cdrom/s8_software_companion/components/
i386/Packages SFWgimp
6. B. swinstall -i (A. swinstall is also correct because the interactive
mode is the default mode for swinstall)

Module 5: Maintaining UNIX Users
1. B. root
2. D. sh
3. Groups
4. B. 45
5. passwd -f wilma
6. /etc/default/passwd
7. usermod -L wilma


8. passwd -s yourusername
9. C. KpF4j7. (A is a bad choice because it doesn’t contain any numbers or
special characters. B is a bad choice because it is too similar to the current
password. D is a bad choice because it is based on the username.)

Module 6: File Systems, Disks, and Tools
1. file system
2. C. i-node table
3. disk partition
4. drive letter a, partition 9
5. prtvtoc
6. A. mount
7. B. newfs
8. Single user mode
9. C. mount
10. False

Module 7: System Security
1. A. nmap
2. nmap -sU -sT -o proberes
3. sometimes
4. A. nmap -sT 192.168.1.*
5. privileged
6. C. configure the firewall
7. SSH
8. B. ssh barney
9. ssh-keygen
10. security policy


Module 8: Backup and Restore
1. A. Image
2. Incremental
3. A. dump
4. C. restore
5. B. dd
6. First step creates a new file system, second step checks the file system,
and third step mounts the file system.
7. /dev/st0

Module 9: System Operations
1. B. single user mode
2. multi-user mode
3. A. init
4. A. respawn
5. multi-user mode
6. C. reboot
7. B. /etc
8. A. init 0

Module 10: The TCP/IP Suite
1. Open Systems Interconnection
2. C. Interface
3. A. Application
4. Internet layer
5. False. Some TCP/IP layers map to more than one OSI layer.
6. Domain Name System
7. C. DHCP


8. Host-to-host layer
9. /etc/services
10. False. The flow provided by the Internet layer is described as “unreliable.”
11. Class C
12. Subnetting
13. ifconfig
14. 255.255.255.192 will work providing 62 addresses, and the next smallest
subnet, 255.255.255.224, only provides 30 addresses.
15. ping

16. B. ARP

Module 11: Basic Network Tools
1. Address Resolution Protocol table or ARP cache
2. C. netstat
3. D. ping
4. A. The system is reachable.
5. D. Adding the bruegel system to the ARP table
6. ifconfig ppp0 down
7. A. Ethernet
8. C. Active
9. netstat -a -n
10. B. netstat -a -t -u
11. ping -R

Module 12: Advanced Network Tools
1. tcpdump -q -i ppp0 -c 15
2. True
3. traceroute


4. B. tcpdump -r dump-data
5. C. ethertype
6. tcpdump host not fred
7. protocol
8. traceroute barney
9. traceroute -m 20 www.whitehouse.gov
10. A. display
11. Broadcast
12. False. The only restriction is that it must support IP.

Module 13: Overview of SNMP
1. Universal
2. Application
3. C. Trap
4. B. Robust security model
5. version field, community field, SNMP protocol data unit (PDU) field
6. nodes
7. C. read-only
8. GetRequest
9. GetNextRequest
10. A: ii; B: iii; C: iv; D: i
11. A. Description; B. MTU; D. Physical address
12. trap
13. B. Community name
14. trap
15. GetBulkRequest
16. NoCreation


Module 14: Using Domain Name System
1. Hierarchical
2. False. Because the companies have different domains, DNS will not
have conflicts.
3. Host Resolution
4. Domain: edu; organization: indiana; subdomain: athletics; host: www
5. nslookup
6. Server 192.168.1.215
7. host and dig
8. /etc/resolv.conf
9. /etc/nsswitch.conf

Module 15: Using NIS
1. False. The ypmake command doesn’t actually exist. Updating the NIS maps
on the NIS master is done by running make in the /var/yp directory.
2. yppasswd
3. .pag
4. .dir
5. ypwhich
6. A. # ypinit -s fred
7. D. #ypinit -c
8. ypwhich
9. ypinit -s
10. ypset

Module 16: SNMP System Management Tools
1. B. Supplies a list of directories for the command to search for MIB files.
2. snmpdelta


3. D. ping
4. snmpnetstat
5. A. Reset a user password
6. A. snmpstatus host community
7. traps
8. D. -q
9. True
10. snmpbulkwalk
11. False. snmpnetstat also works with printers, network devices, and any
other device that supports the MIB-II standard.

Module 17: Using Network File System
1. nfsd 4
2. lockd
3. False
4. A. /etc/dfs/dfstab
5. nfsstat
6. C. /etc/fstab
7. 3943
8. 0%
9. bedrock
10. /mnt/bedrock/docs
11. Soft

Module 18: File Transfer Protocol
1. anonymous
2. dir [j-m]*
3. C. put


4. hash
5. B. Deny access to that user
6. /etc/ftpaccess
7. Turns on logging of all FTP activity
8. auth

Module 19: Important System Administration
Tasks/Information
1. C. wall
2. 52,008KB
3. A. mkswap
4. fdisk
5. prtconf
6. B. showrev
7. C. process IDs
8. partitions

Module 20: Using DHCP
1. False
2. B. /var/dhcp
3. Lease
4. False. The IP addresses must be contiguous, no skips or gaps.
5. Static


6. D. /etc/dhcpd.conf
7. Solaris: ifconfig; Linux: dhcpcd; HP-UX: dhcpclient
8. touch /etc/dhcp.ei0
9. A. Obtain an IP address automatically
10. C. ipconfig

Module 21: Using rdist
1. B. notify
2. dino, barney
3. /stream/bin, /stream/etc, /stream/movies
4. Extra files will be removed from the target synchronization directories.
5. No one. No notify command is specified.
6. except
7. D. special
8. A. file size and modification time
9. A. Process symbolic link so that the target file is copied rather than the
link itself.
10. -v


Appendix B: Tools at a Glance


This section contains a quick summary of the tools reviewed and discussed
within this book.

Table B-1  Tools Found in this Book

Name            Description                                                  Module
admintool       Solaris administration tool.                                 3
arp             Monitors and controls the ARP cache.                         11
cat             Show the content of a file.                                  2
control-panel   Linux administration tool.                                   3
date            Show system date and time.                                   2
dd              Image backup tool.                                           8
dhcpmgr         Solaris GUI tool for managing a DHCP server.                 20
dig             Query a DNS server for information.                          14
dump            Performs backups of a file system.                           8
exportfs        Make a file system available over the network.               17
fdisk           Linux disk partition tool.                                   6
find            Search for a specific file.                                  2
format          Disk partition tool on Solaris.                              6
fsck            File system check program.                                   6
ftp             Client File Transfer Protocol program.                       18
grep            Search a file for a specified pattern.                       2
groupadd        Add a new group to the system.                               5
groupdel        Delete an existing group from the system.                    5
groupmod        Make changes to an existing group.                           5
grpck           Consistency check for the /etc/group file.                   5
halt            Halt the system.                                             9
host            Look up DNS host information.                                14
hostname        Display the name of the system.                              2
landiag         Show network diagnostic information on HP-UX.                12
lanscan         Show network information on an HP-UX system.                 11
ifconfig        Interface configuration.                                     11
init            Control the master system program.                           9
logins          Show users on a Solaris system.                              5
ls              List files in a directory.                                   2
netstat         Display network connections.                                 12
nfsstat         Show NFS statistics.                                         17
nmap            Network port scanner.                                        7
nslookup        Look up a DNS entry.                                         14
more            Show the content of a file.                                  2
mount           Make a file system available.                                6
mkfs            Make a new file system.                                      6
newfs           Simple command to make a new file system.                    6
passwd          Change a user password.                                      5
ping            Determine network node reachability.                         11
pkgadd          Add a package on Solaris.                                    4
pkgrm           Remove a package on Solaris.                                 4
pkginfo         Query a Solaris package.                                     4
prtconf         Display configuration information on a Solaris system.       19
prtvtoc         Show disk partition information on Solaris.                  6
ps              Show status of processes.                                    2
pump            Show DHCP information on a Linux system.                     20
pwck            Consistency check for the /etc/passwd file.                  5
rdist           Automatic distribution of directories/files.                 21
reboot          Restart the system.                                          9
restore         Retrieve a backup from a dump archive.                       8
rpm             Red Hat package manager.                                     4
sam             HP-UX administration tool.                                   3
scp             Secure copy command.                                         7
share           Make a file system available over the network.               17
showmount       Show which clients have mounted NFS file systems.            17
showrev         Show version information for a Solaris command.              19
snmpbulkwalk    Obtains MIB objects with an SNMP bulk request.               16
snmpconf        Automated SNMP configuration.                                16
snmpdelta       Formats SNMP data.                                           16
snmpget         Regular SNMP retrieval.                                      16
snmpgetnext     Retrieves multiple SNMP objects in order.                    16
snmpnetstat     Retrieves network statistics from an SNMP entity.            16
snmpset         Alters SNMP configuration information.                       16
snmpstatus      Retrieves important SNMP data.                               16
snmptable       Retrieves SNMP table objects.                                16
snmptest        Tests SNMP connectivity.                                     16
snmptranslate   Converts MIB objects into more meaningful information.       16
snmptrap        Sends an SNMP trap message.                                  16
snmptrapd       Receives SNMP traps from the network.                        16
snmpwalk        Retrieves either a group or an entire MIB tree of objects.   16
ssh             Secure remote shell.                                         7
shutdown        Place the system in single-user mode.                        9
strings         Show strings within a file.                                  2
swap            Control swap space on Solaris/HP-UX systems.                 19
swapon          Add swap space on the system.                                19
swapoff         Remove swap space from the system.                           19
swinstall       Add an HP-UX package.                                        4
swlist          Show HP-UX package information.                              4
swremove        Remove an HP-UX package.                                     4
sudo            Execute privileged commands.                                 7
talk            Communicate with a user on the system.                       19
tar             General-purpose file archiving tool.                         8
tcpdump         Show network packets.                                        12
traceroute      Show the network path between two nodes.                     12
tripwire        Detect and report file system changes.                       7
umount          Remove access to a file system.                              6
uname           Show system-related information.                             2
useradd         Add a new user to the system.                                5
userdel         Delete an existing user from the system.                     5
usermod         Modify an existing user.                                     5
vipw            Edit the /etc/passwd file using the vi editor.               5
volcopy         Image backup tool for Solaris.                               8
who             Show current users on the system.                            2
ypbind          Force an NIS client to bind to a specific server.            15
ypcat           Show the contents of an NIS map.                             15
yppasswd        Change the password field of the NIS passwd map.             15
ypmatch         Show the values of a key from an NIS server.                 15
ypmake          Update one or more NIS maps.                                 15
yppoll          Show information about an NIS map.                           15
yppush          Push out updates to NIS servers.                             15
ypxfr           Transfer an NIS map.                                         15
ypwhich         Show to which NIS server a client is bound.                  15
unshare         Stop sharing a file system over the network.                 17

Appendix C: Overview of MIB-II


Discover MIB-II
This section provides a short overview of SNMP MIB-II. Because MIB-II is a
standard, its objects are implemented by agents from a wide variety of
vendors, including Sun, Red Hat Linux, 3Com, Cisco and many others; in practice,
any device that claims to support SNMP is expected to support MIB-II. Important
information about a particular device or group of devices can be obtained by
querying specific MIB-II objects. The objects contained within MIB-II provide
both system configuration and network performance information.
The SNMP standards define a collection of Management Information Base
(MIB) objects that each SNMP agent supports. The first set of objects was
known as MIB-I and was documented in RFC 1156. Over time, these objects
were expanded and the collection of objects became known as MIB-II, described
in RFC 1213. The MIB-II objects provide generic information about the state
of the networking aspect of the device. This MIB is divided into a collection of
groups, described in Table C-1.
Table C-1  MIB-II Object Groups

Group Name     Description
system         Provides overall information about the device or system on which the agent is running.
interfaces     Contains information about the operating network interfaces contained within the system.
at             Address translation table for Internet IP addresses to data link addresses. Note that this is a deprecated group.
ip             Contains statistical information about the Internet Protocol (IP) of the device.
icmp           Contains statistical information about the Internet Control Message Protocol (ICMP) of the device.
tcp            Contains statistical information about the Transmission Control Protocol (TCP) of the device.
udp            Contains statistical information about the User Datagram Protocol (UDP) of the device.
egp            Contains statistical information about the Exterior Gateway Protocol (EGP) of the device.
transmission   Provides information regarding the transmission and access protocols for each network interface; media-specific MIBs such as dot3 (Ethernet) hang beneath this group.
snmp           Contains statistical information about the Simple Network Management Protocol (SNMP) of the device.


The collection of MIB-II groups can also be displayed graphically. The
mib-2 group is shown as a tree structure with group members branching off
to the right. The associated number or index for each object identifies the
location within the tree hierarchy. Each of the associated mib-2 groups
described in this appendix have additional subgroups or objects beneath them
and are displayed in the tree view format. The use of circles next to the object
represents a subgroup (where additional subgroups or individual objects may
be defined), while the square represents individual discrete objects. This makes
it easy to distinguish a collection of objects from individual objects.

System Group
The system group consists of objects that provide generic information
about the device or system on which the agent is running. The sysServices,
sysUpTime, and sysOR prefixed objects require additional explanation.
The sysServices object is a 7-bit code that describes the combined services
the device provides. Each bit within the code is associated with one of the
layers of the OSI model, and if the device offers a service on a particular
layer, the bit for that layer is set. The value of sysServices is the sum of
the bit values, where the bit for layer L has the value 2 raised to the power
L-1. For example, consider a UNIX system that provides layer 4 and layer 7
services; its sysServices value is

    2^(4-1) + 2^(7-1) = 8 + 64 = 72

For a network switch that operates at layers 1 and 2, we get

    2^(1-1) + 2^(2-1) = 1 + 2 = 3

Layer 4 is included for the UNIX system because an application server
provides services on both layer 7 (the applications themselves) and layer 4
(the end-to-end transport beneath them).

Hint

Definitions for layers 5 and 6 do not currently exist.

Functional layers used to determine sysServices are listed in Table C-2.


Table C-2  sysServices Layer Definitions

Layer Number   Device Functionality
1              Physical: a device that operates on this layer is known as a network repeater.
2              Data link and/or subnetwork layer: devices that operate on this layer include a network bridge or switch.
3              Internet/network: a device that operates on this layer is a gateway or router.
4              End-to-end services, such as an IP host.
7              Application services, such as mail relays, DNS servers, and so forth.
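The two calculations above generalize to any sysServices value. The following Python is an added example, not code from the book: it encodes a set of layers into the 7-bit value and decodes a value read from an agent back into the layers it claims, with descriptions paraphrased from Table C-2.

```python
# Layers that MIB-II (RFC 1213) gives meaning to in sysServices; layers 5
# and 6 are not used. The descriptions paraphrase Table C-2.
SYSSERVICES_LAYERS = {
    1: "physical (repeater)",
    2: "data link/subnetwork (bridge, switch)",
    3: "internet/network (gateway, router)",
    4: "end-to-end (IP host)",
    7: "application (mail relay, DNS server, ...)",
}


def encode_sys_services(layers):
    """sysServices value for a device offering services at the given OSI layers.

    Bit L-1 is set for layer L, so the value is the sum of 2 ** (L - 1).
    """
    value = 0
    for layer in layers:
        if not 1 <= layer <= 7:
            raise ValueError("OSI layer out of range: %r" % (layer,))
        value |= 1 << (layer - 1)
    return value


def decode_sys_services(value):
    """Ascending list of layers whose bit is set in a 7-bit sysServices value."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices is a 7-bit code, got %r" % (value,))
    return [layer for layer in range(1, 8) if value & (1 << (layer - 1))]


def describe_sys_services(value):
    """Human-readable layer descriptions for a sysServices value."""
    return [SYSSERVICES_LAYERS.get(layer, "layer %d (unassigned)" % layer)
            for layer in decode_sys_services(value)]


if __name__ == "__main__":
    # A UNIX host (layers 4 and 7) gives 72; a switch (layers 1 and 2) gives 3.
    print(encode_sys_services([4, 7]), encode_sys_services([1, 2]))
    print(describe_sys_services(72))
    print(describe_sys_services(78))   # a router that is also an IP host
```

A value with an unexpected bit set (a "switch" reporting layer 3, say) is worth a second look: sysServices is self-reported by the agent, so it describes what the device claims, not what it has been verified to do.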

The sysUpTime object indicates the amount of time that has transpired
since the network management agent was last started. This doesn’t necessarily
mean that the device itself has been operating since that time. Take, for example,
an agent running on top of an operating system. The agent can be restarted
independently of the system, and therefore may not represent the true amount
of time the system has been in operation. However, with some devices, the
agent can't be started or stopped independently of the system. In that case
this object is a more accurate measure of device uptime.
The system group also contains a few objects related to SNMPv2 devices
acting in an agent role. These objects have names that begin with the prefix
sysOR and are supported with SNMPv2 (or later) agents. The objects control
the dynamic configuration of agent resources. Because these objects were
introduced with the SNMPv2 standards, SNMPv1 agents don’t support them.
The system group contains the following set of objects:

Object Name: sysDescr
OID: system.1
Object Type: DisplayString [255]
Access Mode: read-only
Description: A description of the device or entity, such as the type of device, hardware characteristics, operating system information, and so forth

Object Name: sysObjectID
OID: system.2
Object Type: Object Identifier
Access Mode: read-only
Description: The vendor's authoritative identification of the device, expressed as an OID

Object Name: sysUpTime
OID: system.3
Object Type: TimeTicks
Access Mode: read-only
Description: The amount of time since the network management portion of the system (agent) was last reinitialized

Object Name: sysContact
OID: system.4
Object Type: DisplayString [255]
Access Mode: read-write
Description: Information noting the contact person and/or other organization that provides support for this device

Object Name: sysName
OID: system.5
Object Type: DisplayString [255]
Access Mode: read-write
Description: The name of the device; may be the official hostname or another administratively assigned name

Object Name: sysLocation
OID: system.6
Object Type: DisplayString [255]
Access Mode: read-write
Description: The physical location where the device has been installed

Object Name: sysServices
OID: system.7
Object Type: Integer
Access Mode: read-only
Description: The services this device provides, encoded as described above

Object Name: sysORLastChange
OID: system.8
Object Type: TimeStamp
Access Mode: read-only
Description: The value of the sysUpTime object at the time of the most recent change made in any instance of the sysORID object

Object Name: sysORTable
OID: system.9
Object Type: Sequence of SysOREntry
Access Mode: not accessible
Description: A table of dynamically configurable object resources within an SNMPv2 system acting in an agent role

Object Name: sysOREntry
OID: sysORTable.1
Object Type: Sequence (SysOREntry)
Access Mode: not accessible
Description: Information on a specific configurable object resource (one row of sysORTable)

Object Name: sysORIndex
OID: sysOREntry.1
Object Type: Integer
Access Mode: not accessible
Description: Used as the index into the sysORTable

Object Name: sysORID
OID: sysOREntry.2
Object Type: Object Identifier
Access Mode: read-only
Description: The OID of this entry, analogous to the sysObjectID object

Object Name: sysORDescr
OID: sysOREntry.3
Object Type: DisplayString [255]
Access Mode: read-only
Description: A description of the object resource, analogous to the sysDescr object

Object Name: sysORUpTime
OID: sysOREntry.4
Object Type: TimeStamp
Access Mode: read-only
Description: Contains the value of the sysUpTime object at the time this instance (row) was last updated or instantiated

When the system group from a Linux system is queried, the following
objects with their associated values are returned:
system.sysDescr.0 = Linux didymus 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686
system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.linux
system.sysUpTime.0 = Timeticks: (107689) 0:17:56.89
system.sysContact.0 = Steve Maxwell (sjmaxwell@worldnet.att.net)
system.sysServices.0 = 72
system.sysLocation.0 = Graphics Lab

In this example, the sysDescr object includes information about the
system on which the agent is running. The string provides the same basic
information that is obtained from the UNIX uname command:
uname -a
Linux didymus 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

The sysObjectID object contains an OID in the ucd-snmp Linux branch that
identifies the agent. The sysUpTime value shows that the agent has been
running for approximately 17 minutes and 56 seconds (107,689 hundredths of a
second). The sysContact and sysLocation objects contain the owner (Steve
Maxwell) and location (Graphics Lab) of the device, and sysName carries its
administratively assigned name (didymus, which also appears in sysDescr).
Because these three objects are read-write, anyone holding the agent's write
community string can change them, so treat them as labels to verify rather
than as facts. Finally, the sysServices value of 72 shows that the device
provides layer 4 and layer 7 services.

Interfaces Group
The interfaces group provides both configuration and statistical information
regarding the network interfaces installed within the device. As discussed in
Module 13, this group has an ifNumber object that contains the total number
of network interfaces installed on the system, regardless of the operating state
of any particular interface. The other object, ifTable, is a table that contains
a row for each interface. The table is indexed by the ifIndex object, whose
value lies between 1 and the value of the ifNumber object; the ifIndex number
addresses each row (interface) directly. The ifTable contains 22 objects that
provide the following:
● Type, capacity, and other interface characteristics
● Operational information
● Performance and statistical information

Querying the interfaces table with snmpwalk displays output similar to the
following. Two interfaces are defined on the system; for each, the walk reports
the maximum data unit size (ifMtu), the maximum speed (ifSpeed), and the
administrative and operational status:
interfaces.ifNumber.0 = 2
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifDescr.1 = lo0
interfaces.ifTable.ifEntry.ifDescr.2 = hme0
interfaces.ifTable.ifEntry.ifType.1 = softwareLoopback(24)
interfaces.ifTable.ifEntry.ifType.2 = ethernet-csmacd(6)
interfaces.ifTable.ifEntry.ifMtu.1 = 3924
interfaces.ifTable.ifEntry.ifMtu.2 = 1500
interfaces.ifTable.ifEntry.ifSpeed.1 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifSpeed.2 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifPhysAddress.1 = ""
interfaces.ifTable.ifEntry.ifPhysAddress.2 = Hex: 0 10 5A 28 5D 7C
interfaces.ifTable.ifEntry.ifAdminStatus.1 = up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.2 = up(1)
interfaces.ifTable.ifEntry.ifOperStatus.1 = up(1)
interfaces.ifTable.ifEntry.ifOperStatus.2 = up(1)
interfaces.ifTable.ifEntry.ifLastChange.1 = Timeticks: (0) 0:00:00.00
interfaces.ifTable.ifEntry.ifLastChange.2 = Timeticks: (0) 0:00:00.00
interfaces.ifTable.ifEntry.ifInOctets.1 = 373912
interfaces.ifTable.ifEntry.ifInOctets.2 = 50204
interfaces.ifTable.ifEntry.ifInUcastPkts.1 = 1218
interfaces.ifTable.ifEntry.ifInUcastPkts.2 = 163
interfaces.ifTable.ifEntry.ifInNUcastPkts.1 = 0
interfaces.ifTable.ifEntry.ifInNUcastPkts.2 = 0
interfaces.ifTable.ifEntry.ifInDiscards.1 = 0
interfaces.ifTable.ifEntry.ifInDiscards.2 = 0
interfaces.ifTable.ifEntry.ifInErrors.1 = 0
interfaces.ifTable.ifEntry.ifInErrors.2 = 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.1 = 0
interfaces.ifTable.ifEntry.ifInUnknownProtos.2 = 0
interfaces.ifTable.ifEntry.ifOutOctets.1 = 381304
interfaces.ifTable.ifEntry.ifOutOctets.2 = 174020
interfaces.ifTable.ifEntry.ifOutUcastPkts.1 = 1242
interfaces.ifTable.ifEntry.ifOutUcastPkts.2 = 565
interfaces.ifTable.ifEntry.ifOutNUcastPkts.1 = 0
interfaces.ifTable.ifEntry.ifOutNUcastPkts.2 = 0
interfaces.ifTable.ifEntry.ifOutDiscards.1 = 0
interfaces.ifTable.ifEntry.ifOutDiscards.2 = 0
interfaces.ifTable.ifEntry.ifOutErrors.1 = 0
interfaces.ifTable.ifEntry.ifOutErrors.2 = 0
interfaces.ifTable.ifEntry.ifOutQLen.1 = Gauge: 0
interfaces.ifTable.ifEntry.ifOutQLen.2 = Gauge: 0
interfaces.ifTable.ifEntry.ifSpecific.1 = OID: .ccitt.nullOID
interfaces.ifTable.ifEntry.ifSpecific.2 = OID: .ccitt.nullOID

Notice that the ifNumber object equals 2 because a total of two interfaces
are defined on the system. As a result, the ifIndex.1 and ifIndex.2 objects
are set to 1 and 2, respectively, so that they can be used to index each interface
separately. The ifDescr object contains the name of the interface as it is known
by the agent running within the device. In the output above the loopback is lo0
and the Ethernet interface is hme0; on a Linux system the first Ethernet interface
is known as eth0, and some agents render the name as its hexadecimal bytes
("eth0" appears as Hex: 65 74 68 30). The interface names provided by the agent
are the same strings displayed by the ifconfig or netstat commands.
The ifType object records the type of the network interface using a single
integer identifier. The number can be mapped to a keyword string that gives
more descriptive information regarding the actual interface used, as in
ethernet-csmacd(6) and softwareLoopback(24) above. A large number of network
interface types have been defined; consult RFC 1213 for the original list. The
ifMtu object, or maximum transmission unit (MTU), identifies the maximum size of
the protocol data unit (PDU) or frame that is allowed for the interface. Standard
Ethernet is 1500, while the software loopback is much higher at 3924; different
systems implement the loopback MTU with whatever value each deems appropriate.
The ifSpeed object shows the nominal maximum capacity of the interface in bits
per second. In the example, both interfaces report the same speed of 10000000,
the theoretical performance of a 10 Mbps Ethernet LAN. Other interfaces will
show either higher or lower capacities, depending on the interface type. For
example, a serial interface that supports PPP over a 9,600 bps RS-232 link
reports an ifSpeed of 9600.

The ifPhysAddress object identifies the data link protocol address (where
appropriate) for the interface. The Ethernet interface has an ifPhysAddress of
00 10 5A 28 5D 7C, while the loopback interface's ifPhysAddress contains a null
string (""). The reason for this is that the software loopback doesn't use any
hardware, and no data link address is needed or required. The address contained
within ifPhysAddress is used for low-level network communications between
systems: every time a frame is emitted from this interface, this address is used
as the source of the frame.
The ifAdminStatus and ifOperStatus objects show the administrative
status and operational status of the interface. The network administrator uses
the administrative status to control the interface. This object provides the ability
to control when the interface is marked as up or down. Also, a third state,
testing, can be set. The up state means that packets are permitted to flow across
the interface, while the down state implies that no packets are to be received or
sent from this interface. This is regardless of the state of the physical connection
to the interface. In other words, a network interface may be connected to an
operating network, but if it is marked down, no network traffic will be read
by the interface. The testing state enables internal interface diagnostics to
validate the correct operation of the interface. The ifOperStatus object
shows the current status of the interface, which is one of the defined states
represented by the ifAdminStatus object. This object obtains the state of
a particular interface.
The access mode of the ifAdminStatus object is read-write; all of the other
objects in the interfaces group are read-only and can't be modified by a network
manager. The reason for this is straightforward: counters and descriptive
information about an interface should not be changed, because accurate interface
type information avoids network configuration problems and accurate counters
provide trustworthy performance metrics. The flip side is that ifAdminStatus is
a control point: with SNMPv1 or SNMPv2c, anyone who learns the write community
string, which crosses the network in cleartext, can set ifAdminStatus to down(2)
and take an interface offline, so write access should be disabled or tightly
restricted on agents that don't need it.
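As an added example that is not part of the book, the following Python turns snmpwalk-style lines like those above into one record per ifIndex and applies the checks an administrator would run over the interfaces group: ifNumber against the rows actually walked, administrative versus operational status, and the inbound error ratio. The sample lines are constructed here (the lo0 and hme0 values mirror the output above; a third interface, hme1, is made up to show an admin-up/oper-down mismatch and a high error count), and the value renderings it understands (Gauge:, Counter:, Timeticks:, Hex:, and enumerations such as up(1)) are those of the ucd-snmp tools used in this book. The same parser handles the system-group lines shown earlier, since scalars land under index 0.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the snmpwalk output above. It is not a
# real capture: rows 1 and 2 mirror the book's lo0/hme0 values and a third
# interface (hme1) is invented to exercise the checks below.
SAMPLE_WALK = """\
interfaces.ifNumber.0 = 3
interfaces.ifTable.ifEntry.ifIndex.1 = 1
interfaces.ifTable.ifEntry.ifIndex.2 = 2
interfaces.ifTable.ifEntry.ifIndex.3 = 3
interfaces.ifTable.ifEntry.ifDescr.1 = lo0
interfaces.ifTable.ifEntry.ifDescr.2 = hme0
interfaces.ifTable.ifEntry.ifDescr.3 = hme1
interfaces.ifTable.ifEntry.ifType.1 = softwareLoopback(24)
interfaces.ifTable.ifEntry.ifType.2 = ethernet-csmacd(6)
interfaces.ifTable.ifEntry.ifType.3 = ethernet-csmacd(6)
interfaces.ifTable.ifEntry.ifSpeed.1 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifSpeed.2 = Gauge: 10000000
interfaces.ifTable.ifEntry.ifSpeed.3 = Gauge: 100000000
interfaces.ifTable.ifEntry.ifPhysAddress.1 = ""
interfaces.ifTable.ifEntry.ifPhysAddress.2 = Hex: 0 10 5A 28 5D 7C
interfaces.ifTable.ifEntry.ifPhysAddress.3 = Hex: 0 10 5A 28 5D 7D
interfaces.ifTable.ifEntry.ifAdminStatus.1 = up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.2 = up(1)
interfaces.ifTable.ifEntry.ifAdminStatus.3 = up(1)
interfaces.ifTable.ifEntry.ifOperStatus.1 = up(1)
interfaces.ifTable.ifEntry.ifOperStatus.2 = up(1)
interfaces.ifTable.ifEntry.ifOperStatus.3 = down(2)
interfaces.ifTable.ifEntry.ifInOctets.2 = 50204
interfaces.ifTable.ifEntry.ifInUcastPkts.2 = 163
interfaces.ifTable.ifEntry.ifInErrors.2 = 0
interfaces.ifTable.ifEntry.ifInUcastPkts.3 = 100
interfaces.ifTable.ifEntry.ifInErrors.3 = 12
interfaces.ifTable.ifEntry.ifOutQLen.2 = Gauge: 0
"""

# "group.object.index = value"; the index is the last dotted component.
LINE_RE = re.compile(r"^(?P<name>[\w.\-]+)\.(?P<idx>\d+)\s*=\s*(?P<value>.*)$")
STATUS_NAMES = {1: "up", 2: "down", 3: "testing"}
UP, DOWN = 1, 2


def parse_value(raw):
    """Convert one snmpwalk value rendering into a Python value.

    Gauges, counters and plain integers become int; Timeticks become the
    tick count (hundredths of a second); Hex: byte strings become a
    colon-separated lowercase address; enumerations such as up(1) become
    their integer code; anything else (DisplayString, OID: ...) stays a str.
    """
    raw = raw.strip()
    if raw == '""':
        return ""
    m = re.match(r"^(?:Gauge|Counter|INTEGER):\s*(-?\d+)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^Timeticks:\s*\((\d+)\)", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^Hex:\s*([0-9A-Fa-f ]+)$", raw)
    if m:
        return ":".join("%02x" % int(b, 16) for b in m.group(1).split())
    m = re.match(r"^[A-Za-z][\w\-]*\((\d+)\)$", raw)
    if m:
        return int(m.group(1))
    if re.match(r"^-?\d+$", raw):
        return int(raw)
    return raw


def parse_walk(text):
    """Group walk lines into {index: {object: value}}.

    Scalars such as ifNumber.0 land under index 0; ifTable columns land
    under their ifIndex, so each other key describes one interface.
    """
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank or unrecognized line
        obj = m.group("name").rsplit(".", 1)[-1]
        rows[int(m.group("idx"))][obj] = parse_value(m.group("value"))
    return dict(rows)


def interface_findings(rows, max_error_ratio=0.01):
    """Return (ifIndex, ifDescr, message) tuples worth an administrator's attention."""
    findings = []
    ifaces = {i: r for i, r in rows.items() if i > 0 and "ifDescr" in r}
    if_number = rows.get(0, {}).get("ifNumber")
    if if_number is not None and if_number != len(ifaces):
        findings.append((0, "-", "ifNumber is %d but %d ifTable rows were walked"
                         % (if_number, len(ifaces))))
    for idx, r in sorted(ifaces.items()):
        admin, oper = r.get("ifAdminStatus"), r.get("ifOperStatus")
        if admin == UP and oper is not None and oper != UP:
            findings.append((idx, r["ifDescr"], "admin up but oper %s"
                             % STATUS_NAMES.get(oper, oper)))
        if admin == DOWN and oper == UP:
            findings.append((idx, r["ifDescr"], "admin down but oper up"))
        errors, pkts = r.get("ifInErrors", 0), r.get("ifInUcastPkts", 0)
        if pkts and errors / float(pkts) > max_error_ratio:
            findings.append((idx, r["ifDescr"], "inbound error ratio %.1f%%"
                             % (100.0 * errors / pkts)))
    return findings


if __name__ == "__main__":
    for idx, name, msg in interface_findings(parse_walk(SAMPLE_WALK)):
        print("ifIndex %d (%s): %s" % (idx, name, msg))
```

Counters are read-only on the agent but still self-reported; comparing two walks taken some minutes apart (ifInErrors and ifInUcastPkts are Counters, so the delta is what matters) gives a better error ratio than a single snapshot.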


Hint

The ifSpecific objects contain the value of ccitt.nullOID, which
represents a valid but null OID string.

The interfaces group contains the following set of objects:


Object Name: ifNumber
OID: interfaces.1
Object Type: Integer
Access Mode: read-only
Description: The total number of network interfaces contained within the local system

Object Name: ifTable
OID: interfaces.2
Object Type: Sequence of ifEntry
Access Mode: not accessible
Description: A list or row of the interface entries for this table

Object Name: ifEntry
OID: interface.ifTable
Object Type: Sequence
Access Mode: not accessible
Description: A specific interface entry that contains all the objects defined below it

Object Name: ifIndex
OID: ifEntry.1
Object Type: Integer
Access Mode: read-only
Description: An MIB reference definition that is specific to a particular media type that is used to access the network interface

Object Name: ifDescr
OID: ifEntry.2
Object Type: DisplayString [255]
Access Mode: read-only
Description: A string description of the interface that includes the name of the interface from an operating system standpoint; possible values include eth0, ppp0, and lo0

UNIX System Administration: A Beginner’s Guide

Object Name: ifType
OID: ifEntry.3
Object Type: DisplayString [255]
Access Mode: read-only
Description: The type of interface. Table 6-3 lists specific types.

Object Name: ifMtu
OID: ifEntry.4
Object Type: Integer
Access Mode: read-only
Description: The maximum transmission unit of the interface. This represents the largest frame that can be sent and/or received on the interface.

Object Name: ifSpeed
OID: ifEntry.5
Object Type: Gauge
Access Mode: read-only
Description: The data rate (capacity) of the interface

Object Name: ifPhysAddress
OID: ifEntry.6
Object Type: PhysAddress
Access Mode: read-only
Description: The data link address of the interface

Object Name: ifAdminStatus
OID: ifEntry.7
Object Type: Integer
Access Mode: read-only
Description: The administrative status of the interface, which is one of the defined states listed in the ifOperStatus object. The owner of the device can control the interface with this object.


Object Name: ifOperStatus
OID: ifEntry.8
Object Type: Integer
Access Mode: read-only
Description: The present operational state of the interface. The defined states include up(1), down(2), and testing(3).

Object Name: ifLastChange
OID: ifEntry.9
Object Type: TimeTicks
Access Mode: read-only
Description: The time when the interface was last updated to its present operating state

Object Name: ifInOctets
OID: ifEntry.10
Object Type: Counter
Access Mode: read-only
Description: The number of octets (bytes) received on the interface, including any data link framing bytes

Object Name: ifInUcastPkts
OID: ifEntry.11
Object Type: Counter
Access Mode: read-only
Description: The number of unicast packets delivered via a higher-level protocol to a subnet

Object Name: ifInNUcastPkts
OID: ifEntry.12
Object Type: Counter
Access Mode: read-only
Description: The number of non-unicast packets that were delivered to a higher-level networking protocol


Object Name: ifInDiscards
OID: ifEntry.13
Object Type: Counter
Access Mode: read-only
Description: The number of inbound packets discarded (despite no errors), and that will not be delivered to a higher-level networking protocol

Object Name: ifInErrors
OID: ifEntry.14
Object Type: Counter
Access Mode: read-only
Description: The number of inbound packets with errors that caused them not to be delivered to a higher-level networking protocol

Object Name: ifInUnknownProtos
OID: ifEntry.15
Object Type: Counter
Access Mode: read-only
Description: The number of inbound packets discarded due to an unknown or unsupported networking protocol

Object Name: ifOutOctets
OID: ifEntry.16
Object Type: Counter
Access Mode: read-only
Description: The number of octets (bytes) transmitted on the interface. This includes any data link framing bytes as well.

Object Name: ifOutUcastPkts
OID: ifEntry.17
Object Type: Counter
Access Mode: read-only
Description: The number of packets that higher-level protocols (such as IP) requested be transmitted to a network unicast address. This includes those that were discarded or otherwise not sent.


Object Name: ifOutNUcastPkts
OID: ifEntry.18
Object Type: Counter
Access Mode: read-only
Description: The number of packets that higher-level protocols (such as IP) requested to be transmitted to a non-unicast address. This also includes packets that were discarded or, for some other reason, not sent.

Object Name: ifOutDiscards
OID: ifEntry.19
Object Type: Counter
Access Mode: read-only
Description: The number of packets that could not be transmitted due to some reason unrelated to a specific error condition. This could be caused, for example, by the TTL of a packet expiring.

Object Name: ifOutErrors
OID: ifEntry.20
Object Type: Counter
Access Mode: read-only
Description: The number of packets that could not be transmitted due to errors

Object Name: ifOutQLen
OID: ifEntry.21
Object Type: Gauge
Access Mode: read-only
Description: The length of the output packet queue on the device

Object Name: ifSpecific
OID: ifEntry.22
Object Type: Object Identifier
Access Mode: read-only
Description: The MIB reference definition that is specific to the particular media type used to realize the network interface

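The interface-group semantics described in this appendix (ifAdminStatus as the requested state versus ifOperStatus as the actual state, and Counter objects that roll over at 2^32) are what a monitoring job has to interpret when it polls ifTable. The following Python script is an added example and is not code from the book or from any SNMP toolkit: it takes two successive polls of ifTable rows, represented here by constructed sample data rather than values captured from a real agent, and raises the findings a defender would want, such as a link that is administratively up but operationally down, error or discard counters that advanced, and a counter delta computed correctly across a 32-bit wrap. The IfRow class and the helper functions are hypothetical names chosen for this example; the field names are the ifEntry object names listed above.

```python
"""Added example (not from the book): interpret MIB-II interfaces-group
values from two successive polls of ifTable.

The sample rows below are constructed, not captured from a real agent; the
column names are the ifEntry object names listed in the appendix. The
helper functions are hypothetical and do not model any SNMP library.
"""
from dataclasses import dataclass
from typing import Optional

# Integer states shared by ifAdminStatus and ifOperStatus
UP, DOWN, TESTING = 1, 2, 3
STATE_NAMES = {UP: "up", DOWN: "down", TESTING: "testing"}
COUNTER32_MODULUS = 2 ** 32   # a MIB-II Counter wraps back to 0 after 2^32 - 1


@dataclass(frozen=True)
class IfRow:
    """One ifEntry row as an agent would return it (values constructed)."""
    ifIndex: int
    ifDescr: str
    ifSpeed: int          # Gauge, bits per second
    ifAdminStatus: int    # read-write: the state the administrator asked for
    ifOperStatus: int     # read-only: the state the interface is actually in
    ifInOctets: int       # Counter
    ifOutOctets: int      # Counter
    ifInErrors: int       # Counter
    ifOutErrors: int      # Counter
    ifInDiscards: int     # Counter


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Increase of a Counter between two polls, correct across one wrap.

    A naive new - old goes negative when the 32-bit counter rolled over
    between the polls; reducing modulo 2^32 recovers the true increase.
    """
    return (new - old) % modulus


def utilization_pct(old: IfRow, new: IfRow, seconds: float) -> Optional[float]:
    """Busiest direction as a percentage of ifSpeed over the poll interval."""
    if old.ifSpeed == 0 or seconds <= 0:
        return None  # ifSpeed is 0 for interfaces without a fixed data rate
    in_bits = counter_delta(old.ifInOctets, new.ifInOctets) * 8
    out_bits = counter_delta(old.ifOutOctets, new.ifOutOctets) * 8
    return round(100.0 * max(in_bits, out_bits) / (old.ifSpeed * seconds), 2)


def check_interface(old: IfRow, new: IfRow, seconds: float,
                    busy_pct: float = 80.0) -> list:
    """Findings a monitoring job would raise for one interface."""
    findings = []
    admin = STATE_NAMES.get(new.ifAdminStatus, "?")
    oper = STATE_NAMES.get(new.ifOperStatus, "?")
    # Requested up but not operationally up is a fault, not an admin action;
    # admin down with oper down is the expected result of an operator change.
    if new.ifAdminStatus == UP and new.ifOperStatus != UP:
        findings.append(f"admin {admin} but oper {oper}")
    for name in ("ifInErrors", "ifOutErrors", "ifInDiscards"):
        delta = counter_delta(getattr(old, name), getattr(new, name))
        if delta:
            findings.append(f"{name} +{delta}")
    util = utilization_pct(old, new, seconds)
    if util is not None and util >= busy_pct:
        findings.append(f"utilization {util}%")
    return findings


def report(poll1: dict, poll2: dict, seconds: float) -> dict:
    """Map ifIndex -> findings for every interface present in both polls.

    Rows are matched by ifIndex rather than by table position because an
    agent may renumber or reorder entries between polls.
    """
    return {idx: check_interface(poll1[idx], poll2[idx], seconds)
            for idx in sorted(poll1.keys() & poll2.keys())}


# Constructed sample: two polls of a three-interface host, 60 seconds apart.
POLL_T0 = {r.ifIndex: r for r in [
    IfRow(1, "lo0", 10_000_000, UP, UP, 1_000, 1_000, 0, 0, 0),
    IfRow(2, "eth0", 100_000_000, UP, UP, 4_294_960_000, 1_000_000, 10, 0, 4),
    IfRow(3, "ppp0", 64_000, UP, UP, 50_000, 40_000, 0, 0, 0),
]}
POLL_T1 = {r.ifIndex: r for r in [
    IfRow(1, "lo0", 10_000_000, UP, UP, 2_000, 2_000, 0, 0, 0),
    # eth0: ifInOctets wrapped past 2^32, ifInErrors advanced, link is busy
    IfRow(2, "eth0", 100_000_000, UP, UP, 5_000, 601_000_000, 13, 0, 4),
    # ppp0: administratively up, but the link dropped between polls
    IfRow(3, "ppp0", 64_000, UP, DOWN, 50_000, 40_000, 0, 0, 0),
]}

if __name__ == "__main__":
    for idx, findings in report(POLL_T0, POLL_T1, 60).items():
        print(idx, POLL_T1[idx].ifDescr, findings or "ok")
```

Feeding the script real values means replacing the constructed POLL_T0 and POLL_T1 dictionaries with rows read from an SNMP walk of ifTable; the wrap handling matters most on fast links, where a 32-bit ifInOctets counter can roll over in well under an hour.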

Index
$home/identity.pub file, 224
$home/.identity file, 224
$home/.rhosts file, 221-222
$home/.shosts file, 221
$home/.ssh/identity.pub file, 221
/bin/false entry, 146
/dev/hda5, 559
/etc directory
shutdown (K) scripts in, 250, 442
startup (S) scripts in, 249
/etc/default/login file, modifying, 560
/etc/dfs/dfstab file, 516-518
/etc/exports file, 516-518
/etc/fstab file, 193, 528-530
/etc/ftpaccess file, 543-544
/etc/ftpusers file, 543-544
/etc/group file, 76-77, 90, 146-149
consistency check on, 159
editing with vigr, 166
fields in, 147-148
/etc/hostname.device file, 269
/etc/hosts file, 330, 432, 610-611
/etc/hosts.equiv file, 221-222
/etc/inetd.conf file, 339, 549, 618
/etc/init.d/inetsvc, 442

/etc/inittab file, 257-260
action keywords, 260
default run level in, 261
entries, 259-260
entry format, 260
/etc/mail/aliases file, 615
/etc/passwd file, 142-146
vs. /etc/shadow file, 150
consistency check on, 156, 158-159
editing with vipw, 166
fields in, 143-146
/etc/rc.config.d/netconf file, 594
/etc/rc.d/init.d/named, 442
/etc/resolv.conf file, 450, 608, 610-611
/etc/services file, 282, 443
/etc/shadow file, 149-152
vs. /etc/password file, 150
fields in, 150-152
passwords stored in, 144, 149
/etc/ssh/shosts.equiv file, 221
/etc/sudousers file, 226
/etc/syslog.conf file, 551-552
/etc/vfstab file, 193, 528-530
/etc/xinetd.conf file, 339
/proc (directory/file system), 561, 564-568
/proc subdirectories, 567
/var/adm/messages file, 256
/var/dhcp/dhcptab file, 573


A
Access bits, 46
Access permissions (directory), 148-149
Account Name field (/etc/shadow), 151
Account UID field (/etc/passwd), 145
Accounts (user). See Users (user accounts)
ACK message segment (TCP), 286, 288
Active network sessions, displaying, 335-340
Address primitives (tcpdump), 372-374
Address Wizard (DHCP server), 585-586
Address Wizard window (DHCP server), 586
Administration tools, 65-116
Admintool Groups window, 77
Admintool main window, 68
Admintool Modify User window with password
expiration, 107
Admintool Modify User window with 60-day
expiration, 110
Admintool New User window, 69
admintool utility
account security options, 71
adding a new group, 76-78
adding a new user, 67-73
browser menu items, 68
Delete User warning message, 75
deleting a group, 79
deleting a user, 74-76
entering an account comment, 70
entering a primary group ID, 70
entering a user ID, 70
entering a username, 68-69
error regarding white spaces, 78
expiring a password, 106-107, 110
group ID number, 78
group members, 78
inputting the home directory path, 71
modifying a group, 79
modifying a user, 73-74
selecting a login shell, 70
selecting a password option, 71
turning off an account, 111-112
using to manage Solaris, 67-79
AIM, 280
allmulti keyword (with ifconfig), 332
allow-transfer keyword, 439
AND operator, 295, 297
Anonymous FTP, 280, 534-535, 546-549
Answers to Mastery Checks, 625-635
APIs, 17
Apple Macintosh, 3
Application data types (ASN.1), 402-404
Application layer (OSI), 270
ARCHIE, 280

Archiving system files to a local tape, 241
Arithmetic operators (tcpdump), 376
ARP (Address Resolution Protocol), 276, 304-311, 378
address bindings, 307-308, 316, 323
binding expiration, 308
data link address format, 308-311
dynamic resolution, 306
packet fields, 306
packet format, 306
reply example, 305
request example, 305
ARP cache, 307-308, 316
deleting, 321-322
displaying, 317-321
ARP cache entry, adding, 322-324
arp command, 316-324
arp command-line options, 318
-a option, 317, 320
-d option, 322
-i option, 321
-n option, 320
-s option, 323
ARP entries, permanent/static, 319
ARP flag meanings, 318
arp keyword (with ifconfig), 332
ARP messages, 378
ARP packets, tcpdump capture and display of, 380
ARP table, 316
ARP/RARP message format, 307
ASCII file transfer mode, 539
ASCII strings, searching for, 49
ASN.1 (Abstract Syntax Notation) standard, 401
ASN.1 object data type classes, 402
AT&T, UNIX and, 7-8
Authenticating users
in SNMP, 412
with SSH, 220-222
Authentication keys, holding for users, 225

B
Backup capacity, 234
Backup elements, 232-237
Backup media, 234
Backup methods, 236-237
Backup partition, 185
Backup policies and procedures, 233
Backup and restore, 231-245
Backup and restore tools, 238-242
Backup strategy, 232
Backups
density and form factor, 233-234
managing, 18

and network bandwidth, 235
remote sites and, 236
Back-off, explained, 342
Back-off algorithm, 291
Bang (!) character, 162, 540
Best-effort packet delivery (IP), 299
Binary mode file transfer, 539
BIND package for DNS server, 433, 444-449
Binding (ARP), 307-308, 316, 323
Block special files, 45
Boolean AND operator, 295, 297
Boolean operators, tcpdump use of, 376
Boot process, 248-249
Booting the kernel, 248-249
Booting to single-user mode, 263
Booting the system, explained, 248-249
BootP (Boot Protocol), 276, 572
BootP option (DHCP services), 575
BootP relay mode (.dhcpd server), 573
BOOTPROTO keyword, 594
Broadcast address, 294, 331
Broadcast frames, 363
Broadcast keyword, 330
Broadcast on a LAN segment, 305
Broadcast packets, capture and display of, 381
broadcast primitive (tcpdump), 374
BSD (Berkeley Standard Distribution) UNIX, 8
Built-in shell commands, 30-31

C
cat command, 34-35
cat command-line options, 34
cd (change directory) command, 73
Character special files, 45
Chesapeake Subnet Calculator, 297, 299
Cisco routers, 382
Class A IP addressing, 293
Class B IP addressing, 293, 296-297
Class C IP addressing, 293, 297-298
Class D IP addressing, 294
Class E IP addressing, 294
cmdline command, 565
Code bits field (TCP segment), 290
Collisions, explained, 342
Colon notation to represent hardware addresses, 308
Command directives are keyword strings and
values, 609
Command interpreter. See Shells (UNIX)
Command-line interface, 6
Commands (basic UNIX), 27-64
Comment field (/etc/passwd), 145
Communities of users, 412

Community name (SNMP), 412, 416
Community string (SNMP), 412
Community-based SNMPv2, 412-416
Complete query mode (nslookup), 445
compress utility, 368
Computer hardware, managing, 18
Computer system
diagram of typical, 4
elements of, 3-7
Configuration profiles (system), 202-204
Congestion (network), causes of, 301
Connectionless protocol
IPv4 as, 293
SNMP as, 424
Connectivity
displaying, 382-390
verifying with ping, 346-355
Connectivity fussiness, 349
Containers, explained, 172-173
Control-C (^C), 256, 347-348, 557
Control-D (^D), 263, 557
Copy action directive (->), rdist, 610, 620
Copying files. See rdist
Core files, searching for, 39-41
cpio utility, 118

D
Data delivery (IP), 299
Data file, 173
Data link address format, 308-311
Data link addresses, 308-311, 329, 377
Data link frames, determining length of, 369
Data link and IP address mapping, 304-311
Data link layer (OSI), 271
Data link protocol address (physical), 600
Data structures, 174
Databases (NIS), 456
date command, 35-36
dd command, 240
dd command-line options, 240
Default gateway, 601
Description strings, 184
Destination unreachable (ICMP), 301
Device drivers, 16
Device information, from MIB-II object queries, 642
Devices and interrupt vectors, displaying, 567
df command, 174-176, 234, 516
for file system and mount point, 179
on Linux, 176
df -k command, 174-175
DHCP agent status information, obtaining, 595-596
DHCP client, 572

DHCP client configuration, automatic and
permanent, 594-595
DHCP client configuration (Windows), 596-598
DHCP client information, defining, 589-591
DHCP clients, configuring, 593-604
DHCP configuration
DNS domain servers, 578
lease policy, 577
location, 577
manual, 593
network address information, 579-580
network configuration, 580-581
NIS or NIS+ domain server, 581-582
reviewing, 582-583, 592
DHCP configuration manager, 574-592
initial window, 575
menus and functions, 583-585
starting, 574-575
DHCP Configuration Summary window, 582
DHCP Configuration Wizard window, 575-576
DHCP (Dynamic Host Configuration Protocol),
276, 571-605
DHCP flag, 600
DHCP information, viewing on Windows, 599-601
DHCP interface file, in /etc directory, 594
DHCP lease, 572, 577-578, 591, 601
DHCP lease expiration date, 601
DHCP lease obtained date, 601
DHCP lease policy, setting up, 577
DHCP lease type, selecting, 591
DHCP release/renew, 602-604
DHCP server, 572-573
adding IP addresses, 585-592
setup steps, 576-583
DHCP server macro, 590-591
DHCP server modules, 572
DHCP services, configuring, 575-583
DHCP tools by operating system, 573
dhcpagent program, 572
DHCP/BootP mode (.dhcpd server), 573
dhcpcd command, 593
dhcpclient command, 593
.dhcpd server, 573
.dhcpd server modes, 573
DHCP_ENABLE keyword, 594
dig command, 447-448
dir command (FTP), 537-538
Directories
as mount points, 192
defined, 45, 173
searching for, 38-42
synchronizing, 608
Directory access permissions, 148-149
Directory listing, obtaining, 537-539
Directory structure, 48
Disabling a UNIX account, 113
Disk changes, to live or production system, 181
Disk layout, 176
Disk partition table, 185
Disk partitions, 176-179
adding, 559
creating, 185
displaying, 177, 568
limit on number of, 177
use of first and second, 183
Disk space, monitoring, 48
Diskless boot capabilities, 572
Distribution file (rdist), creating, 609-611
DNS client, 434, 449-451
DNS client components, 449-451
DNS (Domain Name System), 276, 431-452, 608
DNS domain servers, setting up, 578
DNS namespace, 433
DNS record types, 440
DNS records, 439-440
DNS resolution, 446, 450
DNS server, 37, 434
as a standard process, 442
BIND package for, 444-449
configuration zones, 437
determining installed, 442
domain files, 435-441
interaction options, 437
operational options, 438
processes on, 442-444
querying, 444-447
statement keywords, 436
verifying that it is running, 442-444
DNS server components, 435-449
DNS tools, 444-449
DNS top-level domains, 434
Domain files (DNS server), 435-441
Domains, top-level DNS, 434
Dotted decimal notation, 331, 401
down keyword (with ifconfig), 333
Driver concept (devices), 16
du command, 234
dump command, 238-239
dump command-line options, 239

E
Edge devices, 235
Edit menu (DHCP configuration manager), 584
Emacs editor, 12
Encrypted password, 149
Enterprise MIB assigned numbers, 412

Enterprise MIBs, use of, 412-413
Enterprise network, zones/communities of users, 412
Enterprise tree from private branch, 411
Equals (=) sign, 61
Error message facility for IP. See ICMP
etheraddr primitive (tcpdump), 374
ethereal tool, 368
Ethernet addresses, 377
Ethernet data capacity, 369
ethertype primitive (tcpdump), 375
EXCLUDE_FILES variable (rdist), 617
Expire Date field (/etc/shadow), 152
exportfs command, 519-520
exportfs command-line options, 519

F
fdisk tool (Linux), 177-178, 186, 559
File access bits, 46
File archive, 237
file command, 368
File copying. See rdist
File links, 47
File menu (DHCP configuration manager), 583
File permission modes, 47
File permissions, 46-47
File synchronization. See rdist
File system access point, 175-176
File system access point names, 175
File system backup, 237
File system information, df command for, 179
File system master record, 188
File system mount table, controlling, 528-530
File system names, 175
File system types, 529
File system (UNIX), 172-176. See also NFS
capacity of, 175
checking, 188-191
compatibility of, 174
corrupted, 188
creating, 187-193
defined, 172
mounted, 175, 179-187
mounting, 191-193
mounting remote, 515-518
quiescent, 189
repairing, 188
root (/), 176
searching in, 41
in single user mode, 189
synced or updated by the system, 251
total disk space for, 188
total size of, 175

tree structure of, 173
unmounting, 193
viewing currently available, 174
File system view, 173
File system-related problems, 172
File transfer modes (FTP), 539
File transfers. See FTP
File types, standard UNIX, 45
File updates, listing, 48
Files
available space for new, 175
defined, 172
elements of, 44
searching for, 38-42
up-to-date across the system, 608
FILES variable (rdist), 609-610
filesystem name, 175
Filter expression, 371
FIN message segment (TCP), 287-288
find command, 38-42
actions (directives), 40-41
-mount option, 41
finger services, 276
Flood mode (ping), 354-355
format command (Solaris), 177, 180-186
FQDN (fully qualified domain name), 37
Frame, defined, 273
Friend, system administrator as, 24
from qualifier, with tcpdump primitives, 378-379
fsck (file system consistency check) program,
188-191
command-line options, 191
n (or N) option, 190
scanning phases of, 190
using on an active file system, 190
y (or Y) option, 190
FTP client program, 268
ftp command, 536
FTP (File Transfer Protocol), 268, 274, 277, 533-554
activity logging, 549-553
anonymous, 548-549, 534-535
basic interaction, 534
command list, 542-543
configuration options, 539
configuring anonymous, 546-549
controlling access, 543-546
file transfer modes, 539
monitoring file transfers, 541-542
obtaining a directory listing, 537-539
retrieving a file, 539-540
sample session, 535-542
sending a file, 540-541
setting up anonymous access, 548-549
FTP logging, enabling, 549-551


FTP server, 277, 534, 537
FTP server prompt, 537
FTP sites, 280
ftpd server, 535
Full backup, 237
Full-duplex mode (TCP), 285

G
Gateway
default, 601
explained, 343
gateway primitive (tcpdump), 373
gcc compiler, 12
get command (FTP), 540
get function (SNMP), 397
GetBulkRequest PDU (SNMPv2), 421
GetNextRequest PDU (SNMPv2), 418
GetRequest PDU (SNMPv2), 417-418
GetResponse PDU (SNMPv2), 419
GID (group ID), 47, 147
GNU project, 12
GOPHER, 280
greater primitive (tcpdump), 377-378
grep command, 73, 142, 338
Group ID field (/etc/group), 147
Group level of access, 45
Group Members field (/etc/group), 148
Group membership, explained, 148-149
Group name, entering with admintool, 77
Group Name field (/etc/group), 147
Group Password field (/etc/group), 147
Group (of users)
adding with admintool, 76-78
adding with groupadd, 163
adding with sam, 101, 102-103
adding with userconf, 90-92
deleting with admintool, 79
deleting with groupdel, 164
deleting with sam, 103-104
modifying with admintool, 79
naming, 69, 83, 91-92
renaming with groupmod, 164
use of, 70
groupadd command, 163
-g option, 163
-o option, 163
groupdel command, 164
groupmod tool, 164
grpck utility, 159
GUI (graphical user interface), 6
gzip program, 368

H
Half-duplex mode (TCP), 285
halt command, 251-252
-q option, 252-253
vs. reboot command, 253
halt command-line options, 252-253
halt keyword, 256
Halted system, determining when it stopped, 256
Halting the system, 251-253, 256
Hard links (file), 47
Hardening, categories of, 201
Hardening (system), 201-205
Hardware interface, 16
Hardware processor type, viewing, 59
Hardware type, viewing, 59
Hardware upgrades, managing, 20
Hardware-related vs. software-related problem, 172
hash command (FTP), 541-542
Heartbeat (system), 473
Hexadecimal dump of network frames, 369-370
Hexadecimal format, 331
High-security configuration profiles, 203
History of the UNIX system, 2-3, 7-10
Home directory
keeping for deleted user, 75-76
username and, 144
Home Directory field (/etc/passwd), 145
home.com, 437, 439-440, 450
host command, 448-449
Host key, placing on another server, 223
host primitive (tcpdump), 373
Host resolution, explained, 433
hostname command, 37-38
HOSTS variable (rdist), 609-610
Host-to-host layer (TCP/IP), 273, 281-291
HP OpenView, 399
HP-UX package tools, 126-135
HP-UX-specific information
/etc/rc.config.d/netconf file, 594
configuring a NIS client, 466
dhcpclient command, 593
in.named server, 442
landiag command, 390-391
sam management, 92-104
swapinfo command, 558
HTTP (Hypertext Transfer Protocol), 277

I
IANA (Internet Assigned Numbers Authority), 411
ICMP echo reply, 364
ICMP echo request, 364

ICMP error message types, 300
ICMP (Internet Control Message Protocol), 277,
299-304, 347
destination unreachable, 301
echo request and reply primitives, 300
redirect message, 301-303
source quench redirect, 301-302
time exceeded, 303-304, 382-383
TIME_EXCEEDED message, 382-383
traceroute using, 389
ICMP request and reply, 351, 364
ICMP Router Discovery Protocol (RDISC), 278
id command, 145
IEEE OUI search page, 310
IEEE Web site, 309
IETF (Internet Engineering Task Force), 396
IETF SNMPv3 proposed standard, 415
IETF standards, 396
ifAdminStatus object, 650, 652
ifcfg-eth0 file, 595
ifconfig -a command, 294, 325-326
ifconfig command-line options, 294, 325-326
ifconfig tool, 295, 324-333, 572-573, 593
additional parameters, 331-332
controlling interface state, 328
data link address format, 308-311
listing available interfaces, 325-327
for logical interfaces, 332-333
modifying interface parameters, 329-331
uses for, 324
ifDescr object, 649, 651
ifEntry object, 651
ifIndex object, 647-648, 651
ifInDiscards object, 654
ifInErrors object, 654
ifInNUcastPkts object, 653
ifInOctets object, 653
ifInUcastPkts object, 653
ifInUnknownProtos object, 654
ifLastChange object, 653
ifMtu object, 649
ifNumber object, 647-649, 651
ifOperStatus object, 650, 653
ifOutDiscards object, 655
ifOutErrors object, 655
ifOutNUcastPkts object, 655
ifOutOctets object, 654
ifOutQLen object, 655
ifOutUcastPkts object, 654
ifPhysAddress object, 650, 652
ifSpecific object, 655
ifSpeed object, 649, 652
ifTable object, 647-648, 651
ifType object, 649, 652

Image backup, 236
Inactive days field (/etc/shadow), 151
Incremental backup, 237
inetd operation with a Telnet request, 284
inetd process, 284
in.fingerd server, 276
InformRequest PDU (SNMPv2), 421
in.ftpd server, 277, 550
init command
q option, 261
s option, 262
using to halt the system, 252
using to reboot the system, 254-255
init configuration file, to control run levels, 257
init process, 249, 257-258
in.named server, 442
i-node table, 174
install directive (rdist), 610, 613, 620
Intel Pentium processor, 3
in.telnetd server, 279
Interface group instance table (MIB-II), 409
Interface group (MIB-II), 406-409
Interface information, displaying with netstat,
340-342
Interface information (Windows), 600-601
Interface parameters, modifying with ifconfig,
329-331
Interface state, controlling with ifconfig, 328
Interfaces
configuring, 324-333
listing available, 325-327
Interfaces group (MIB-II), 647-655
Interfaces table, querying, 648-650
Internet layer (TCP/IP), 273, 292-298
Internet Worm (of 1998), 9, 198
Interrupt vectors for devices, displaying, 567
Interrupts file, 567
Inventory of system (for security), 204
IP address assignment, 294
IP address list, confirming, 588-589
IP address list with associated hostnames, 589
IP address resolution with ARP, 304-311
IP address space, managing, 572
IP addresses, 269, 276, 329
adding to DHCP server, 585-592
changing for an interface, 330
determining the number of, 586-587
DHCP, 600
selecting starting, 587-588
specifying with nmap, 215-216
with subnet mask, 295-298, 329-331, 601
IP addressing (IPv4), 293-294
IP allocation, 572
IP and data link address mapping, 304-311


IP error message facility. See ICMP
IP (Internet Protocol), 268, 292-293. See also IPv4
IP packet delivery (IPv4), 293
IP packets
tcpdump capture and display of, 381
TTL (time-to-live) field, 303, 382, 388
IP primitive (tcpdump), 374
IP routers, 382
IP vs. TCP, 292-293
ipaddr primitive (tcpdump), 374
ipconfig command, 596
/all option, 599
/release option, 602-603
/renew option, 602-604
ipconfig command-line options, 598
IPv4
assignment of IP addresses, 294
characteristics and services, 292-299
classes, 293-294
a connectionless protocol, 293
IP addressing, 293-294
packet delivery, 293
reserved addresses, 294
subnetting, 295-299
unreliable delivery, 292-293
IPv6, 292
IRC (Internet Relay Chat), 280
IRTT (initial round-trip time), 344
ISPs (Internet service providers), 294, 327

K
K (shutdown) scripts, 250, 442
Kbytes, 175
Kernel, 15-17
booting, 248-249
interface with computer hardware, 16
security model implementation, 17
services and functions, 16-17
time-sharing services, 16
Key pair, public and private, 223-225
kill command, 256

L
label command, 185-186
lan command, 390
LAN connection properties (Windows), 597
LAN connection status (Windows), 597
LAN (local area network) protocols, 362
landiag command, 390-391
lanscan command, 356

lanscan -v command, 356
Last Changed field (/etc/shadow), 151
Lease (DHCP), 572, 577-578, 591, 601
Lease expiration date (DHCP), 601
Lease obtained date (DHCP), 601
Lease policy (DHCP), 577
Lease type (DHCP), selecting, 591
Lease Value window (DHCP), 578
length primitive (tcpdump), 378
less primitive (tcpdump), 377-378
Levels of access, 45
LILO boot loader, 249
Links (file), 47
Linux, introduction of, 10
Linux package tools, 136-138
linux -s command, 263
Linux-specific commands and features
account management with userconf, 80-92
arp -a command, 317, 320
arp -n command, 320
command options/keywords, 334
configuring a NIS client, 466
dhcpcd command, 593
fdisk command, 177-178, 186
FTP server, 535
ifcfg-eth0 file, 594-595
ifconfig -a command, 326
inittab file, 258-259
named server, 442
netstat -p command, 336, 339-340
netstat -t command, 335, 337
pump utility, 573, 596
querying the interfaces table, 648-650
runlevel command, 262
SSH host key pair on, 225
swapon command, 558-559
use of command options or keywords, 317
vigr command, 166
List of Groups window, 77
lockd process (NFS server), 514
Locking, mandatory, 46
Locking a UNIX account, 46, 112
Log aggregator, 551-552
Logical drive, 176
Logical interfaces (pseudointerfaces), 332-333, 342
ifconfig for, 332-333
removing, 333
.login file, 72
Login shell. See Shells (UNIX)
logins command-line options, 165
-o option, 166
-u option, 166
logins tool (Solaris), 164-166
Loopback address, 294, 327

Loopback interface, 327
Loopback network, explained, 294
Lost or discarded packets, 342
Low-security configuration profiles, 203
LPD (Line Printer Daemon), 277
ls command, 33, 42-49, 174, 564
ls command-line options, 42-43
-al options, 39
-d option, 73
-l option, 43, 565
-R option, 48

M
m command, 186
Mach operating system, 10
Maintenance mode (system), 248
Maintenance releases, 200
Maintenance tasks, in single-user mode, 262
Management, system administrator and, 24
Mandatory locking, 46
Mapping (ARP), 316
Master record for a file system, 188
Master system process, 249
Mastery Check answers, 625-635
Max Days field (/etc/shadow), 151
media keyword (with ifconfig), 332
Medium-security configuration profiles, 203
MIB agent, 418, 473
MIB agent structure, 418
MIB (Management Information Base), 399
MIB object types, 401-404
MIB tree, 406
MIB-I, 642
MIBs (MIB objects), 399-412, 642
accessed in absolute format, 400
accessible-for-notify objects, 410
accessing, 410
actions that can be applied to, 398
altering the value of, 419
assigned numbers, 412
with changes prohibited, 413
common format, 404-406
not-accessible objects, 410
OID string, 404, 408
organization and structure, 399-400
polling, 473
read-create objects, 410
read-only objects, 410
read-write objects, 410
standard and private, 410-411
tables within, 406-409
types of, 401-404

MIB-II, 641-655
explained, 414
interface group, 406-409, 647-655
object group, 642
object querying, 642
system group, 643-647
Min Days field (/etc/shadow), 151
mkfile command, 560
mkfs command vs. newfs command, 187
Modular UNIX, 15
more utility, 49-50
mount -a command, 193
mount command, 192-193, 516
Mount point, directory as, 192
Mount point information, df command for, 179
Mount table (file system), 528-530
mountd process (NFS server), 515
Mounted file systems, 179-187
Mounting a file system, 179, 191-193, 515-518
Mounting a remote file system, 515-518
MSL (maximum segment lifetime), 288-289
MSS (maximum segment size), 344
MTU (maximum transfer unit), 291, 329, 341, 649
Multicast information, displaying with netstat,
344-345
Multicast packets, capture and display of, 380-381
multicast primitive (tcpdump), 374
Multicast traffic, 363
Multi-homing, explained, 321
Multiprocessor machines, 16
Multi-user mode, 257

N
named server (Linux), 442
named.conf file, 436
nameserver command, 450
Netmask addresses, 331
netmask keyword, 330
Netmasks (subnet masks), 295-298, 329-331, 601
netstat command-line options, 335
-a option, 337, 339
-g option, 344
-i option, 340
-p option, 336, 339-340
-r option, 343
-s option, 345
-t option, 335, 337
-u option, 337, 339
netstat tool, 289, 334-346
displaying active sessions, 335-340
displaying interface information, 340-342
displaying multicast information, 344-345

displaying protocol statistics, 345-346
displaying routing information, 342-344
output data options, 334
vs. snmpnetstat, 487
TCP states displayed with, 337
Network access layer (TCP/IP), 273
Network Address Information window (DHCP), 580
Network address (IP), 294
Network address table, 316-324
Network bandwidth, backups and, 235
Network connectivity
displaying, 382-390
verifying with ping, 346-355
Network and Dial-Up Connections panel
(Windows), 597
Network information
from lanscan, 356
from SNMP, 474
viewing on Windows, 598-603
Network interfaces. See Interfaces
Network layer of the OSI model, 271, 292
Network management application. See SNMP
Network operations, monitoring with netstat,
334-346
Network performance, showing with ping, 350-354
Network probes, 362
Network security. See Security
Network tools (basic), 315-360
Network traffic, monitoring, 362-381
Network Type/Routing Information window
(DHCP), 581
Networking services. See Services
Networks, moving a workstation between, 601-604
newfs command, 187, 191
newfs vs. mkfs command, 187
NFS activity, displaying, 524-525
NFS clients, configuring, 526-528
NFS (Network File System), 277, 511-532
NFS server, 513-515
NFS tools, 519-526
NFS versions, 512-513
nfsstat command, 522-526
command-line options, 522
mount options, 523-524
NFS field descriptions, 526
NICs (Network Information Centers), 294, 308
NIS client, configuring, 466
NIS databases, 456
NIS DHCP database, 574
NIS domains, 454
NIS (Network Information Services), 66, 153, 277,
432, 453-470
components of, 456-463
previously named Yellow Pages, 455

NIS or NIS+ domain server, 581-582
NIS processes, 457-458
NIS server, 454
setting up, 463-465
setting up secondary, 467-468
verifying functionality, 465
NIS services and associated UNIX files, 455
NIS tools, 458-462
nmap command-line options, 210-212
-help option, 210
-O option, 207
-sT option, 213
-sU option, 211, 213
-v option, 216
nmap tool, 206-220
examining running networking services, 208
getting detailed specifics, 216
host scanning, 207-209
identifying systems, 208
isolating a specific service, 214-216
listing command arguments, 210
network port scanning, 216-218
and ports specified as unknown, 218
probing nonexistent or down systems, 217
scan revealing SNMP process, 212
scanning methods, 209-211
on Solaris, 208-209
specifying target systems or networks, 215
standard ports, 217-218
nmap-os-fingerprints file, 207
nmap-services file, 212
NNTP (Network News Transfer Protocol), 281
Node availability, determining with ping, 349
Nodes (in MIB structure), 400
Nonpromiscuous mode (tcpdump), 363
notify directive (rdist), 614-616, 620
Novell Netware packet monitoring, 375
nfsd process (NFS server), 513-514
nslookup command, 444-447, 450
nslookup query modes, 445
nsswitch.conf directives, 450
nsswitch.conf file, 449-450
NTP (Network Time Protocol), 277
Numeric identifier, in dotted notation, 401

O
OID (object identifier) string, 404, 408
Open software, 12-13
Open source, defined, 11
Open source movement, 13
Operating levels. See Run levels (system)
Operating mode of the system, changing, 248

Index

Operating system security, 198
Operating system version and name, viewing, 59
Operating systems (OSs), 4-7
diagram of typical, 6
patches and upgrades, 5
user interface, 6
Operators (tcpdump), 375-377
OSF (Open Software Foundation), 10
OSF/1, 9-10
OSI networking model, TCP/IP and, 272
OSI (Open Standard Interconnect), 270-271
OSI seven-layer model, 270-271
OUIs (organization unique identifiers), 308-311
Out-of-band or urgent message, 291
Owner level of access, 45

P
p command, 187
Package management tools, 117-139
Packet, defined, 273
Packet delivery (IPv4), 293
Packet filter, defined, 371
Packet filter diagram, 372
Packet loss, determining, 353-354
Parent to users, system administrator as, 23
Partition access point names, 175
Partition changes, saving, 185-186
partition command, 182
Partition map, 176
displaying, 184
modifying, 177
Partition size, changing, 184
Partition slots, 183
Partition table
changing with fdisk, 186
displaying, 182, 187
Partitions (disk), 176-179
adding, 559
creating, 185
displaying, 177, 568
limit on number of, 177
use of first and second, 183
partitions file, 568
passwd command, 144, 153-156
account control options, 157
account display options, 155
account modification options, 154
passwd command-line options
-a option, 155
-g option, 155
-l option, 156
-s option, 155

Password aging, explained, 149
Password field (/etc/passwd), 144
Password field (/etc/shadow), 151
Password security, 105-111
Passwords
changing, 153
encrypted, 149
expiring using admintool, 106-107
expiring using sam, 107-109
expiring using userconf, 106
forcing changes using admintool, 109-110
forcing changes using userconf, 110-111
guidelines for, 153-154
need for expiration, 157
need for strict guidelines, 157
setting temporary, 71
storing in etc/shadow file, 144, 149
Patches (software and OS), 5, 200-201
Pattern matching (rdist), 617
PDUs (protocol data units), 416-421, 649
Performance
of the network, 350-354
of the path between two devices, 350
Peripherals, handling, 19-20
Permanent (P) ARP entries, 319
Permission bits, 46
Permission modes (file), 47
Permissions (file), 46-47
Physical layer (OSI), 271
PID (process ID), 54, 340, 443, 551
ping command-line options, 350
-c option, 348, 353
-f option, 354-355
-i option, 353
-n option, 354
-R option, 354
-s option, 352
ping (packet internet groper) tool, 206, 346-355, 386
determining node availability, 349
determining system availability, 347-350
showing basic network performance, 350-354
use of ICMP, 300-301
pkgadd tool, 123-124
pkginfo command-line options, 120
-d option, 121
-l option, 122
pkginfo tool, 119-123
pkgrm tool, 124-125
pkill command, 618
Point-to-point dial-up link, 327
pointtopoint keyword (with ifconfig), 332
Point-to-Point Protocol (PPP), 344
Police officer, system administrator as, 23
Politician, system administrator as, 22-23

667


UNIX System Administration: A Beginner’s Guide

Polling the agent (SNMP), 397
Port contention, SNMP agent, 425
Port scanner (nmap), 206-220
PORT UNREACHABLE error, 384
Ports
displaying all packets using specific, 380
finding which one DNS server is listening
on, 443
Positive acknowledgement (TCP), 285-286
Power user account tools, 152-166
Power users, 7
PPID column/field (ps command output), 56
Presentation layer (OSI), 270
print command, 183
Printers, handling, 19
Process id of 1, 249
Process layer services (TCP/IP), 273
Process status, viewing, 566
Process status flags, 58
Process/application layer (TCP/IP), 272-273
Processes, 249, 474
on DNS server, 442-444
NIS, 457-458
S and O states of, 58
snapshot of executing, 53, 55
zombie, 58
Professional development classes, 21
.profile file, 72
Programming environment (UNIX), 13
promisc keyword (with ifconfig), 332
Promiscuous mode capture, disabling, 366-367
Promiscuous mode (tcpdump), 362, 366-367
Prompt (OS), 6
Prompt (shell), 29
Protocol analyzer. See tcpdump tool
Protocol connectivity, determining, 347
Protocol primitives (tcpdump), 374-375
Protocol statistics, displaying with netstat, 345-346
Protocol-related problems, 362
prtconf command-line options, 562
prtconf tool, 561-562
prtvtoc command (Solaris), 178-179
ps command-line options, 54
-e option, 53, 55
-f option, 55
-l option, 57
ps (process status) command, 52-58, 443, 565
Pseudointerfaces (logical interfaces), 332-333, 342
Public and private key pair, 223-225
pump command, 573, 596
pump -s command, 596
put command (FTP), 540
pwck utility, 156, 158-159

R
RADIO, 279
RARP (Reverse Address Resolution Protocol),
276, 304
Raw mode backup, 236
RDISC protocol, 278
rdist, 607-624
copy action directive (- >), 610, 620
detecting when files have changed, 620
example configuration file, 618-620
excluding files, 616-617
invoking commands, 617-618
notification of synchronization, 619
pattern matching, 617
synchronization requirements, 619
task notifications, 614-616
rdist command directives, 613
rdist command-line options, 608-609
-D option, 611
-f option, 610
-n option, 611-612
-R option, 613
rdist commands, 612-618
rdist configuration, debugging, 611-612
rdist distribution file, creating, 609-611
rdist variables, 609-610
Read-only file system, 192-193
reboot command, 252, 254
vs. halt command, 253
-s option, 254
Rebooting the system, 252-255
Red Hat Linux, 10, 136-137
Redirect message (ICMP), 301-303
Remote file system, mounting, 515-518
Remote sites, backups and, 236
Restarting the system, need for, 253
restore command, 240-241
restore command-line options, 241
Reverse map, 439
reverse-home.com file, 437, 439, 441
REXEC (Remote Execution Service), 278
RFCs (Request for Comments) papers, 269
RIP (Routing Information Protocol), 278, 303
RLOGIN (Remote Login Service), 278
rm command, 33-34
Root (/) file system, 176
Root access, controlling, 560-561
Root account password, 223
Root account (superuser account), 17, 223, 560
Root user, 223, 362, 560
Route, explained, 343


Routers
detecting host using nonoptimal route, 302
ICMP time exceeded message, 303
SNMP agents for, 424
Routing information, displaying with netstat,
342-344
Routing problems or errors, detecting, 301
RPC (Remote Procedure Call), 278
rpc.yppasswdd process, 458
rpm command-line options, 136
-e option, 137
-q option, 136-137
RPM (Red Hat Package Manager), 136
RSA-based host authentication, 221
RSH (Remote Shell Service), 278
RTT (round-trip time), 351, 383, 386-387
Run level modes, 257
Run level 2, 257
Run levels (system), 257-263
bringing system to default, 263
changing the default, 261
default, 261
determining, 33
listing current, 261
runlevel command (Linux), 262
RWALL, 279
RWHO, 278

S
S (Startup) scripts, 249, 442
sam (system management tool), 92-104
account displayed in account list, 98
adding a group, 101-103
adding a new user, 94-98
Defined Groups window, 102
deleting a group, 103-104
deleting a user, 99-101
detailed account information, 99
expiring a password, 107-109
Group Confirmation window, 103
Group/Users window, 95
listing UNIX accounts, 95
main application window, 93
main menus, 94
managing HP-UX using, 92-104
modifying a user, 98
New account confirmation, 97
New Group window, 103
New User Account window, 96
Password Dialog window, 97
Password Options window, 109
Removal Confirmation window, 101
Remove the Group support window, 104
Remove a User window, 100-101

scp command (remote file copy), 223
Searching for ASCII strings, 49-52
Searching for files or directories, 38-42
Security, 197-230
account, 105-115
actively monitoring, 20-21
as a team or group effort, 198
high level steps for system, 199
kernel implementation of, 17
password, 105-111
SNMP communities and, 412
SNMPv1 and, 413
SNMPv2 and, 414
Security monitoring/scanning tools, 205-228
Security options (admintool account), 71
Security policy, defining, 199-200
Security profile types, 203-204
Security role of system administrator, 23
Security threats, 198, 201
Security tools (public domain), 205-228
Segment, defined, 273
Sequenced data (TCP), 282-283
SERVERS variable (rdist), 620
Service levels, 257
Service menu (DHCP configuration manager),
584-585
Services
elimination of unnecessary, 201-202
examining running with nmap, 208
TCP/IP, 275-280
that require hardening, 202
Session layer (OSI), 271
set function (SNMP), 397
Set of no return syndrome (SNMP), 493-494
SetRequest PDU (SNMPv2), 419
Seven-layer OSI network model, 270-271
sh default shell, 146
share command, 520-521
shareall command, 521
share/export NFS options, 517-518
Shell commands, built-in, 30-31
Shell field (/etc/passwd), 145-146
Shell prompt, 29
Shell scripts, 29
Shells (UNIX), 17, 28-31
list of, 29
sh default, 146
showmount command, 521-522
showrev -c command, 563
showrev command, 563
Shutdown, giving advance notice of pending, 255
shutdown command, 255-256
shutdown command-line options, 255-256
-g option, 255
-i option, 256

Shutdown (K) scripts, 250, 442
Shutdown process, 249-257
Shutting down the system, commands for, 250
Simple query mode (nslookup), 445
Single-user boot commands, 263
Single-user (S) mode, 261-263
booting to, 263
file system in, 189
maintenance tasks in, 262
rebooting in, 254
SMTP (Simple Mail Transfer Protocol), 279
Snapshot of executing processes, 53, 55
SNMP agents, 396
and management objects/applications, 398
master and subagents, 424-426
receiving an SNMP message, 424
SNMP applications, 399
SNMP communities, 411-412
SNMP message, transmission of, 423-424
SNMP MIB objects. See MIBs
SNMP MIB-II standard. See MIB-II
SNMP package (UCD). See UCD SNMP package
SNMP process, nmap scan revealing, 212
SNMP (Simple Network Management Protocol),
395-429
application data types, 402-404
as a connectionless protocol, 424
community-based authentication model, 412
free and in the public domain, 399
master and subagents, 416, 424-426
master/subagent diagram, 416
message exchange diagram, 398
network information, 474
packet formatting, 416
PDUs, 416-421
polling the agent, 397
predefined trap types, 420-421
protocol operation, 416-422
response/error codes, 422-423
scanning for devices supporting, 215
set of no return syndrome, 493-494
system agents, 425
system configuration control, 474
system management tools, 471-510
system process activity, 474
universal data types, 402-403
versions, 412-424
SNMP tables, 406-409
SNMP trap, 473, 499-502
snmpbulkwalk command (UCD SNMP), 505-507
snmpdelta command (UCD SNMP), 482-483
snmpget command (UCD SNMP), 483-484
snmpgetnext command (UCD SNMP), 485-486
snmpnetstat command (UCD SNMP), 486-491
command-line options, 487
displaying interface information, 487-489
displaying routing information, 489-491
vs. netstat, 487
snmpset command object types, 493
snmpset command (UCD SNMP), 491-495
snmpstatus command (UCD SNMP), 496-497
snmptable command (UCD SNMP), 497
snmptest command (UCD SNMP), 497-498
snmptranslate command (UCD SNMP), 498-499
snmptrap command (UCD SNMP), 499-500
snmptrapd server (UCD SNMP), 500-502
SNMPv1
lack of robust security, 413
major functions of, 414
response/error codes, 422
SNMPv1 message, major components of, 416
SNMPv3 proposal, 415
cost-to-benefit ratio, 415
features of, 415
SNMPv2
major functions of, 415
PDUs, 416-421
response/error codes, 422
security and remote configuration, 414
SNMPv2 Classic, 414
SNMPv2 devices, 644
SNMPv2c, 414
SNMPv2usec, 414-415
snmpwalk command (UCD SNMP), 485, 502-504
SOA (Start of Authority) record, 440, 447
Socket numbers, 285
Sockets, explained, 285
Software, running the latest version of, 201
Software distribution. See rdist
Software package management tools, 117-139
Software upgrades, 20, 200
Software-related vs. hardware-related problem, 172
Solaris, 9
Solaris 8 system scan, 213
Solaris package tools, 119-125
Solaris-specific commands and features
configuring a NIS client, 466
DHCP configuration manager, 574-592
format command, 177, 180-186
hostname.device file, 269
ifconfig -a command, 326
ifconfig tool, 326, 593
inittab file, 258
in.named server, 442
logins tool, 164
managing using admintool, 67-79
nmap on, 208-209
prtconf tool, 561-562

prtvtoc command, 178-179
rdist on, 607-624
showrev command, 563
SSH host key pair on, 225
swap command, 558
ufsdump command, 238-239
Source code, availability of, 11-12, 14
Source quench redirect (ICMP), 301-302
Sparc systems, 9
special directive (rdist), 618
src qualifier, with tcpdump primitives, 378
ssh command, 207, 560
SSH protocol versions 1 and 2, 220-221
SSH (Secure Shell), 201, 220-226, 279
authenticating users, 220-222
authentication methods, 221-222
core elements, 222
creating a local system host key, 223
host key pair, 225
host key placement, 224
host keys, 220, 224-225
passphrase, 224
running as the root user, 223
trusted hosts, 220, 222
versions of, 225
ssh-add command, 225-226
ssh-agent program, 225-226
ssh-keygen program, 223-225
Start Address Wizard window (DHCP), 583
Starting IP Address window, 587
Startup (S) scripts, 249, 442
statd process (NFS server), 515
State machine model (TCP), 287-289
Static (P) ARP entries, 319
Status file, viewing, 566
Sticky bit, 46
STIME fields (ps command output), 57
Storage capacity, backups and, 234
Storage formats for backups, 234
Stream abstraction interface (TCP), 282
Stream sockets, 335
Streams, 335, 339
strings command, 49-52
-o option, 52
-t option, 52
strings command-line options, 51-52
su (substitute user) command, 144
Sub-directories, 173
Subnet Calculator (Chesapeake), 297, 299
Subnet (mask) address, 295-298
Subnet masks (netmasks), 295-298, 329-331, 601
Subnets (IP subnetworks)
diagrammed, 296
explained, 295

Subnetting (IPv4), 295-299
sudo keyword aliases, 227-228
sudo tool, 226-228, 363
high level function of, 227
keyword/value directives, 227
sudo users, 226
Sun OS, 9
Sun SNMP agent, 399
Sun system, displaying all packets from, 377
Super block, 174, 188, 191
Superserver (super Internet server), 284
Superuser account (root account), 17, 223, 560
Superuser commands, 30
Swap area, 558
Swap area size, increasing, 559
swap command, 558, 560
Swap file, adding, 559
swap -l command, 560
Swap partition, 559
swap -s command, 558
Swap space
adding, 559-560
increasing, 558-560
knowing when to increase, 559
listing, 558-559
swapinfo command, 558
swapon command, 558
swapon -s command (Linux), 559
swinstall -i command, 130
swinstall utility, 130-133
Switches, SNMP agents for, 424
swlist command-line options, 126, 128
swlist tool, 126-130
swlist -v command, 128
swremove utility, 133-135
Symbolic links, 45, 47, 442
SYN message segment (TCP), 286, 288
SYN packet (TCP), 287
Synchronized files and directories, 608
Synchronizing files. See rdist
sysContact object, 645, 647
sysDescr object, 644, 647
sysLocation object, 645, 647
syslog logging, enabling, 551-552
syslog message categories, 552
syslog.conf file, 551-552
syslogd process, 551
syslogd server, 551
sysName object, 645, 647
sysObject object, 647
sysObjectID object, 645
sysORDescr object, 646
sysOREntry object, 646
sysORID object, 646
sysORIndex object, 646


SysORLastChange object, 646
sysORTable object, 646
sysORUpTime object, 647
sysServices layer definitions, 644
sysServices object, 643-645
System account files, 21
System administration tools, 65-116
System administrator
advancing your knowledge, 21-22
roles of, 18-24
System availability, determining, 347-350
System backup and restore, 18, 231-245
System capacities, maintaining, 19
System configuration control, SNMP, 474
System configuration information, displaying,
561-568
System configuration profiles, 202-204
System domain name, setting, 463
System V UNIX releases, 8-9
System group (MIB-II), 643-647
System hardening, 201-205
System heartbeat, 473
System libraries (UNIX), 14
System maintenance tasks, in single-user mode, 262
System management, elements of, 472-474
System name, viewing, 59
System operation, 247-266
System patches, maintaining, 200-201
System processes, 249, 474
on DNS server, 442-444
NIS, 457-458
S and O states of, 58
snapshot of executing, 53, 55
zombie, 58
System prompt, 6
System response times, determining, 351
System run level, 257, 261
bringing system to default, 263
changing the default, 261
default, 261
determining, 33
listing current, 261
System security. See Security
System services. See Services
System shutdown (normal), 255-256
System swap space. See Swap space
System up/down messages, 473
sysUptime object, 644-645

T
talk command, 279, 556
tar command, 118, 241-242

tar command-line options, 241
-t option, 242
-v option, 242
-x option, 242
Task notifications (rdist), 614-616
TCP heading, 338
TCP options field (TCP segment), 291
TCP packet flags, 371
TCP packets, tcpdump capture and display of, 380
TCP ports, 282, 284, 443
identifying on a system, 206
scanning, 212-214
TCP segment code types, 290
TCP services, 284
TCP sessions, displaying active, 335
TCP states displayed with netstat, 337
TCP (Transmission Control Protocol), 268
closing a connection, 287
confirmation of messages, 285
connection-oriented model, 285
establishing a connection, 286-287
vs. IP, 292-293
ports/sockets/connections, 282
positive acknowledgement, 285-286
segment fields, 289-291
segment format, 289
segment size, 291
sequence format, 289-291
sequence numbers, 282-283
session identification, 285
sessions diagram, 286
state machine, 287-289
state machine diagram, 288
stream abstraction interface, 282
three-way handshake protocol, 286
virtual connections, 281
TCP transport protocols, 443
tcpdump command-line options, 364-372
-c option, 365, 367
-e option, 369
-i option, 365
-p option, 366-367
-q option, 363
-r option, 368
-t option, 366
-w option, 366
-x option, 369-370
tcpdump tool, 362-381
address primitives, 372-374
arithmetic operators, 376
capture modes, 362-363
command examples, 379-381
command-line options, 364-372
determining length of data link frames, 369


disabling promiscuous mode capture, 366-367
display options, 368-371
displaying saved packets, 368
expressions/primitives, 372-379
hexadecimal dump of network frames,
369-370
labeling frame types, 368
listening on primary network interface, 364
only root user can invoke, 362
operating mode common options, 365
operating modes, 364-368
operators, 375-377
packet filter options, 371-372
protocol primitives, 374-375
qualifiers used with primitives, 378-379
redirecting captured information to a file, 366
removing packet timestamp information, 366
specifying an alternate interface, 365
specifying number of packets to capture, 365
TCP/IP
end-user tools, 274
host-to-host layer, 273, 281-291
independence from data link protocol, 269
independence from OS or platform, 268
indirect use of, 268
Internet layer, 273, 292-298
network access layer, 273
and the OSI networking model, 272
process/application layer, 272-273
protocols, 274-275
services, 274-275, 280-281
system services, 275-280
TCP/IP applications, 280-281
TCP/IP fingerprinting, 207
TCP/IP model, layers of, 272-273
TCP/IP properties (Windows), 597-598
TCP/IP protocol architecture, 272-304
TCP/IP protocols and services, list of, 275
TCP/IP services, disabling, 274
TCP/IP suite, 267-313
TCP/IP suite and model, diagram of, 274
Teacher, system administrator as, 22-23
telnet request, inetd operation with, 284
telnet service, unsecured communication with, 201
telnet session, 364
telnet utility, 201, 207, 279, 284, 364
Text editor, using to maintain accounts, 142
TFTP (Trivial File Transfer Protocol), 279
Three-way handshake protocol (TCP), 286
TIME_EXCEEDED message, 382-383
Time-sharing services (kernel), 16
Tools in this book, 638-640
Tools (UNIX), 13-14, 638-640
traceroute command, 303-304, 382-390

changing characteristics of, 387-389
display codes for, 385
display options for, 389-390
on a multihomed system, 388
operational command-line options, 387
reading output, 384-387
required argument, 382
with single hop in network, 383
TIME_EXCEEDED message, 382-383
unreachable port, 389
using ICMP protocol, 389
using UDP protocol, 388
when destination is unreachable, 385
when host is unreachable, 386
when protocol is unreachable, 386
with two hops in network, 384
traceroute command-line options
-i option, 388-389
-m option, 388
-n option, 390
-p option, 389
-v option, 389
Transport layer (OSI), 271
trap function (SNMP), 397
Trap PDU (SNMPv2), 419-421
Trap (SNMP), 398, 473, 499-502
Tree structure of a file system, 173
TTL (time-to-live) field, in IP packet, 303, 382, 388
TTY field (ps command output), 54

U
UCD SNMP agent, 399
UCD SNMP applications, 475
UCD (University of California Davis) SNMP package,
475-507
application display options, 477-479
application operational options, 479-481
command syntax, 476
command-line options, 476-481
environment variables, 482
snmpbulkwalk command, 505-507
snmpdelta command, 482-483
snmpget command, 483-484
snmpgetnext command, 485-486
snmpnetstat command, 486-491
snmpset command, 491-495
snmpstatus command, 496-497
snmptable command, 497
snmptest command, 497-498
snmptranslate command, 498-499
snmptrap command, 499-500
snmptrapd server, 500-502


snmpwalk command, 485, 502-504
using, 482-507
UDP heading, 339
UDP ports, 443
identifying, 206
scanning, 212-214
UDP transport protocols, 388, 443
ufsdump command (Solaris), 238-239
UID column/field (ps command output), 56
UID (user ID), 47, 56, 145
umount -a command, 193
umount command, 193
uname command, 59-62, 647
uname command-line options, 60
-a option, 59, 61
-i option, 61
-l option, 61
-n option, 60
-s option, 60
-x option, 61
Uniprocessor machines, 16
Unit description characters, 184
Universal data types (ASN.1), 402-403
UNIX
as well documented, 14
AT&T invention of, 7-8
availability of source code, 11-12, 14
components of, 15
current versions of, 10-17
flexible design of, 12
history of, 2-3, 7-10
introduction to, 1-25
open software, 12-13
popularity of, 11-14
programming environment, 13
system libraries, 14
timeline, 7-10
UNIX commands (basic), 27-64
UNIX file, elements of, 44
UNIX file system. See File system (UNIX)
UNIX file types, standard, 45
UNIX operating system picture, 15
UNIX shells, 17, 28-31
list of, 29
sh default, 146
UNIX software package management tools, 117-139
UNIX system administrator
gaining knowledge, 21-22
roles of, 18-24
UNIX System V releases, 8-9
UNIX tools, 13-14
Unmounting a UNIX file system, 193
unshareall command, 521
unshare command, 521

Updates (of files), listing, 48
Up-to-date files across the system, 608
URG bit (TCP), 291
Urgent pointer (TCP), 291
URL (Universal Resource Locator), 310
User authentication
in SNMP, 412
with SSH, 220-222
User authentication keys, 225
User group. See Group (of users)
User interface (OS), 6
User profiles, 17
useradd command-line options, 160-161
-g option, 160-161
-u option, 160
useradd tool, 159-161
userconf (Linux account management), 80-92
adding a home directory, 84
adding a new group, 90-92
adding a new user, 80-85
additional group memberships, 84
automatic account expiration, 114-115
Changing Password dialog box, 85
Delete Account window, 89
deleting a user, 88-89
entering a password, 85
expiring a password, 106, 111
full name of user, 84
Group Specification window, 91
main window, 81
modifying a user, 86-87
Params panel, 108
selecting the account group, 84
selecting the login shell, 85
turning off an account, 113
UNIX login name, 82-83
User Account configurator window, 86
User Account Creation window, 83
User Accounts button, 80
User Accounts window, 82
User Accounts window Add button, 82
User Groups window, 90
user ID, 85
user information for an account, 84, 87-88
User Information window, 88
User-defined packet filters, 371
userdel -r command, 161
userdel tool, 161
User-level commands, 30
usermod command-line arguments, 162
usermod tool, 162-163
usermod -U command, 163
Username field (/etc/passwd), 143-144


usernames
avoiding duplicate, 144
home directory and, 144
Users (end-users)
communicating to all, 557
communicating with, 556-557
giving advance notice of pending
shutdown, 255
security policy for, 199-200
system administrator and, 23-24
TCP/IP tools for, 274
Users (user accounts). See also Passwords
adding with admintool, 67-73
adding with sam, 94-98
adding with useradd, 159-161
adding with userconf, 80-85
automatic expiration using userconf, 114-115
controlling access to, 156
deleting with admintool, 74-76
deleting with sam, 99-101
deleting with userconf, 88-89
deleting with userdel, 161
disabling, 162
displaying information about, 155
enabling disabled, 163
listing with logins tool, 164-166
locking, 112
maintaining, 141-169
modifying with admintool, 73-74
modifying with sam, 98
modifying with userconf, 86-87
modifying with usermod, 162-163
naming, 69, 83
security, 71, 105-115
tools for, 152-166
turning off using admintool, 111-112
turning off using userconf, 113
viewing, 142
uucico program, 146
UUCP (UNIX-to-UNIX copy), 146

V
Variables (rdist), 609-610
Vendor certification programs, 21
Vendor OUI codes, 308-311
Versions of UNIX today, 10-17
View menu (DHCP configuration manager), 584
vigr command (Linux), 166
vipw command, 166
Virtual connections (TCP), 281
VNC shareware package, 67

W
WAIS, 281
wall -a command, 557
wall command, 557
Warn Days field (etc/shadow), 151
Well-known address ports, 282
who am i command, 32
who command, 32-33, 261
WHOIS lookup utility, 280
Window field (TCP segment), 290-291
Windows
DHCP client configuration, 596-598
viewing network information, 598-603
Workstation, moving between networks, 601-604
WORKSTATIONS variable (rdist), 620
World level of access, 45
wu.ftpd server, 535
WWW (World Wide Web), 280

X
X11 support, at run level 5, 261
xinetd program, 284, 550-551
X-Windows, 66, 574

Y
yp string, 455
ypbind process, 458
ypcat command, 458, 460
ypinit -m command, 464
ypinit script on secondary server, 467
ypmake command, 461
yppasswd command, 460-461
yppoll command, 462
yppush command, 462
ypserv process, 458
ypset command, 461
ypwhich command, 460
ypxfr command, 461
ypxfrd process, 458

Z
Zombie processes, 58
Zone (DNS domain), 438
zone keyword, 438
Zones/communities of users, 412


INTERNATIONAL CONTACT INFORMATION
AUSTRALIA
McGraw-Hill Book Company Australia Pty. Ltd.
TEL +61-2-9415-9899
FAX +61-2-9415-5687
http://www.mcgraw-hill.com.au
books-it_sydney@mcgraw-hill.com

SINGAPORE (Serving Asia)
McGraw-Hill Book Company
TEL +65-863-1580
FAX +65-862-3354
http://www.mcgraw-hill.com.sg
mghasia@mcgraw-hill.com

CANADA
McGraw-Hill Ryerson Ltd.
TEL +905-430-5000
FAX +905-430-5020
http://www.mcgrawhill.ca

SOUTH AFRICA
McGraw-Hill South Africa
TEL +27-11-622-7512
FAX +27-11-622-9045
robyn_swanepoel@mcgraw-hill.com

GREECE, MIDDLE EAST,
NORTHERN AFRICA
McGraw-Hill Hellas
TEL +30-1-656-0990-3-4
FAX +30-1-654-5525

UNITED KINGDOM & EUROPE
(Excluding Southern Europe)
McGraw-Hill Education Europe
TEL +44-1-628-502500
FAX +44-1-628-770224
http://www.mcgraw-hill.co.uk
computing_neurope@mcgraw-hill.com

MEXICO (Also serving Latin America)
McGraw-Hill Interamericana Editores S.A. de C.V.
TEL +525-117-1583
FAX +525-117-1589
http://www.mcgraw-hill.com.mx
fernando_castellanos@mcgraw-hill.com

ALL OTHER INQUIRIES Contact:
Osborne/McGraw-Hill
TEL +1-510-549-6600
FAX +1-510-883-7600
http://www.osborne.com
omg_international@mcgraw-hill.com
