Friday, June 08, 2012

Umask confusion

I've been studying for the LPI LPIC-1 test, which is a basic introduction to Linux certification. So far it's been a very interesting experience, really finding out so much more about the nuts and bolts of Linux. But there are some points of confusion I'm having, and I find it best to write them out to solve the problem.

One point of confusion is the umask function and command. Here's a short summary of the subject.

On Linux and UNIX systems, new files and directories are created with default permissions. Keep the following in mind.

  • Read - 4
  • Write - 2
  • Execute - 1

  • Files - 666
    • Owner - Read, Write
    • Group - Read, Write
    • Other - Read, Write
  • Directories - 777
    • Owner - Read, Write, Execute
    • Group - Read, Write, Execute
    • Other - Read, Write, Execute
The owner is the user account that created the file, the group is the group associated with the file (most times it's the same as the user name), and other is anyone who is authenticated on the system.

Now the issue is that on a system shared by multiple users, these defaults leave very little secured. How can the Linux system have the files locked down but still allow others access? This is where the umask command comes in. Umask lets the system follow a default security setting across the system, sort of a lockdown depending upon how secure you want it.

Let's first find out what the current umask setting is.
  1. From your command prompt, run the following command
    1. #umask
  2. You should see a value such as "0022"
For most Linux distributions, the default is 0022. Only the last three values are used; the first "0" is not used. In detail, the digits of the umask are as follows.
  • umask setting of "0022"
    • First "0" - Not used
    • Second "0" - Amount to remove from default settings of owner permission
    • Third "2" - Amount to remove from default settings of group permission
    • Fourth "2" - Amount to remove from default settings of other permission
Sounds confusing but here's how this is calculated. 
  • umask setting of "0022"
    • Files - default is 666
      • Owner - 666 - 0 = 666 
      • Group - 666 - 2 = 664
      • Other - 666 - 2 = 664
    • Directories - default is 777
      • Owner - 777 - 0 = 777
      • Group - 777 - 2 = 775
      • Other - 777 - 2 = 775
As you can see, the setting of "0022" (more commonly reported as 022, since we drop the unused first zero) will remove permissions for Group and Other. This change does not have much impact, but if we wanted we could make the system more secure by using higher umask values. For example, 077 would give only the owner of the files the right to read, write and execute.
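As an added example (not part of the original post), the shell functions below compute the resulting mode for the umask values discussed here and check it against what the system really assigns. The kernel clears the umask bits from each digit separately, so with 022 a new file comes out as 644 and a new directory as 755. The function names `effective_mode`, `symbolic` and `observed` are assumptions made for this example.

```shell
#!/bin/sh
# The kernel clears the umask bits from the requested mode (base AND NOT umask).
# This equals digit-by-digit subtraction only when every bit of the umask digit
# is set in the base digit: umask 033 on a file gives 644, not 633.

# effective_mode BASE UMASK -> three-digit octal mode of the new object
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# symbolic MODE -> the rwx string that "ls -l" shows, e.g. 751 -> rwxr-x--x
symbolic() {
    out=
    for s in 6 3 0; do
        d=$(( (0$1 >> $s) & 7 ))          # owner, group, other digit in turn
        [ $(( $d & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( $d & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( $d & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# observed KIND UMASK -> permissions the system really assigns (KIND: file|dir)
observed() {
    (
        tmp=$(mktemp -d) || exit 1        # scratch directory, removed below
        cd "$tmp" || exit 1
        umask "$2"                        # only affects this subshell
        if [ "$1" = dir ]; then mkdir t; else : > t; fi
        ls -ld t | cut -c2-10             # keep just the nine rwx characters
        cd / && rm -rf "$tmp"
    )
}

for u in 022 026 077; do                  # the umask values used in this post
    f=$(effective_mode 666 "$u")
    d=$(effective_mode 777 "$u")
    printf 'umask %s  file %s %s  dir %s %s\n' \
        "$u" "$f" "$(symbolic "$f")" "$d" "$(symbolic "$d")"
done
```
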

Now that we know the basics of the umask command, how can we change the setting? There are really two methods; one is the umask command itself.
  1. From your command prompt, run the following command
    1. #umask 0026
  2. Now create a directory and file
    1. #mkdir testdir
    2. #touch testfile
  3. Let's see if the permissions are different than before
    1. #ls -l
  4. You should see the following permissions
    1. Testdir - 751 (rwxr-x--x)
    2. Testfile - 640 (rw-r-----)
But a change made with the umask command is not permanent; to make it permanent you need to edit /etc/profile. You can view the file and find that there are actually two values given in it (here we are using CentOS). Why are there two values in the file?

The script in the file checks the user account's UID, and depending on the number, the user will receive a umask of either 002 or 022. Remember that service accounts typically have UIDs under 200, while regular user accounts have UIDs starting at 500 (typically). Also root has the UID of 1, so basically the system is giving a less enforced policy for more important accounts.

There are two methods to view the account UID.

  1. From the command prompt, run the following command
    1. #id -u useraccount
      1. Number returned will be your UID
    2. #cat /etc/passwd
      1. A full listing of all accounts on the system, showing UID
For more information about umask here are some very good links to read up on. 

Tuesday, June 05, 2012

Script to help with timing issues on virtual guests

There's an issue when running a virtual machine where the time gets incorrectly updated. The problem is that when you suspend the computer, the virtual machine will suspend and return with the incorrect time, instead of updating from the Internet. I have seen this issue more so on Linux than on Windows, but for Linux it's easily fixed by a simple script. Here are the basic steps to get it working.

  1. Open up Vi or your favorite editor on your virtual machine
  2. Type in the following details
    1. #!/bin/bash
      service ntpd stop
      sleep 5
      sleep 5
      service ntpd start
  3. Save your file
  4. Change the permissions to allow the file to be executable
    1. Run the following command
    2. #chmod 755 filename
  5. Test the command
    1. Run the following command
    2. #date
    3. You should see an incorrect time
    4. Run the script, note the "./" before the script name
    5. #./yourtimescriptname
    6. Run the following command
    7. #date
    8. You should see the correct time
  6. Now your virtual machine is updated
  7. You can add this script to a cron job or login script to automate the process
So far I just run this manually since I rarely reboot the virtual machine or log in or out. You can make a symbolic link or an alias to make things easier to manage.

Sunday, June 03, 2012

Adding a drive to VMware Workstation Linux guest without restarting

Recently I was working on a CentOS 6.2 guest on VMware Workstation 8 and I wanted to add an additional hard drive. From VMware Workstation I knew how to do this but not from the Linux side. Being unfamiliar with this, I searched and found a few handy steps to add the drive without rebooting the Linux guest.

First, let's see what drives are showing up for the Linux guest. From the host we're going to check the /dev directory and see what drives are showing up.

#cd /dev

Here we can see that there are three drives, sda, sdb and sdc, listed on the guest. Under the first two drives are three partitions: sda1 and sda2, plus sdb1. Notice that drive sdc does not have any partitions. This breaks down like this.

  • SDA
    • SDA1
    • SDA2
  • SDB
    • SDB1
  • SDC
    • No partitions
So now, we want to add an additional hard drive and then add a partition.

From VMware Workstation, we're going to add the drive to the guest.

  1. Right click the guest, and click the "Settings"
  2. The Virtual Machine Settings window will open
  3. Click the "add" button
  4. The "Add Hardware Wizard" window will open
  5. Select "Hard Disk" then click the "Next" button
  6. Under the "Select a Disk" leave the default as "Create a new virtual disk", then click the "Next" button
  7. Under the "Select a Disk Type" leave the default as "SCSI", then click the "Next" button
  8. Under the "Specify Disk Capacity", change the value for "Maximum disk size (GB)" to the amount you want. For this example, I will be using 5GB. Then click the "Next" button
  9. Under the "Specify Disk File" leave the file name as default and then click the "Finish" button
  10. Back at the "Virtual Machine Settings" window, click the "OK" button to complete
  11. The new drive has been added to the guest
If you check the guest again, you will notice that the new drive does not show up automatically under the /dev directory. There are two solutions to this: one is restarting the guest, the other is a slightly longer method. We're going to follow the second method, which is handy if you wish to keep the system up.

These commands were posted on another blog, Cyberciti's how to add a new VMware hard disk article.

First we're going to scan the system for the new drives. We need the host numbers on the guest machine first.

  1. First find the host number on your system
    1. Run the following command
    2. #ls /sys/class/scsi_host
    3. You should see the return of "host0" or more 
  2. Force the system to scan the drives
    1. The host number you found in the previous step will be used here.
    2. Run the following command
    3. #echo "- - -" > /sys/class/scsi_host/host2/scan (note on my system it's "host2")
    4. After this you may see a message of the drive scanned on the machine
  3. To confirm, check the logs for messages of new drive
    1. Run the following command
    2. #tail /var/log/messages
    3. This will be sequential from the last drives. For example, if you see in /dev drives SDA, SDB, then you should see logs for drive SDC
  4. From fdisk we're going to also validate it's showing up
    1. Run the following command
    2. #fdisk -l
    3. You should see the drive showing up that matches the drive from step 3
  5. From /dev you should also see the new drive listed
    1. Run the following command
    2. #ls /dev
    3. You should see the drive showing up that you just added
Now that we have the drive installed and viewed from the guest, let's create the partition and format. We are going to be using the steps as mentioned in the blog Cyberciti's how to add Linux hard disk.

  1. First confirm the drive has been discovered on the system
    1. Run the following command
    2. #fdisk -l | grep 'Disk'
    3. You should see the drive you added in the previous steps shown near the end of the list
    4. Save this information for the next steps. 
  2. Run fdisk to create the partition on the new disk (if at any time you get lost on commands, type "m" for the command menu)
    1. Run the following command
    2. #fdisk /dev/sdd (your drive may be different)
      1. In fdisk, type "n" to create a new partition
      2. Type "p" for a primary partition
      3. Type "1" for a partition number
      4. Type "1" for a first cylinder number
      5. Type "1G" for size (this can be adjusted for your needs)
      6. Type "w" to write and save the information
      7. This will automatically close fdisk
  3. Validate the partition is now showing up in /dev directory
    1. Run the following command
    2. #ls /dev
    3. You should see the new partition showing up under the drive you just created
  4. We're now going to format the partition with ext3 so that it's usable 
    1. Run the following command 
    2. #mkfs.ext3 /dev/sdd1
    3. You should see confirmation the command was successful
  5. Finally we are going to mount the drive
    1. Run the following commands
    2. #mkdir /disk1
    3. #mount /dev/sdd1 /disk1 (your drive may be different)
  6. Confirm the drive is showing up
    1. Run the following command
    2. #df -H
    3. You should see your new drive mounted
  7. Test the new mount
    1. Run the following commands
    2. #touch  /disk1/testfile
    3. #ls /disk1
    4. You should see your file written to the new mount
  8. Now set the mount at boot
    1. Run the following command
    2. #vi /etc/fstab
    3. Add the following line to the fstab file (note, I'm not going to show basic Vi commands here, you can find them across the Internet)
    4. /dev/sdd1         /disk1      ext3     defaults    1    2
    5. Save the file
  9. Done!
Now you should have a new drive on your virtual machine without restarting the guest. If you don't mind restarting, you can skip the scanning steps. Also be careful when editing the /etc/fstab file, as a mistake there can lead to problems with the boot of the machine.
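Since a bad /etc/fstab line only shows itself at the next boot, here is an added example (not part of the original post or the Cyberciti articles) that checks each entry's device node and mount point ahead of time. The function name `check_fstab` and the sample file are assumptions made for this example; the sample line mirrors the one added in step 8.

```shell
#!/bin/sh
# check_fstab FILE: print one "BAD ..." line for every entry that would fail
# to mount at boot, and return non-zero if any entry is bad.
check_fstab() {
    bad=0
    while read -r dev mnt fstype opts dump pass || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac       # blank line or comment
        if [ -z "$fstype" ]; then
            echo "BAD $dev: fewer than three fields"
            bad=1
            continue
        fi
        # Only plain /dev paths are checked here; UUID= and LABEL= entries
        # would need blkid to resolve and are passed through.
        case $dev in
            /dev/*) [ -e "$dev" ] || { echo "BAD $dev: device node missing"; bad=1; } ;;
        esac
        # Entries such as swap have no directory mount point, so only
        # absolute paths are checked.
        case $mnt in
            /*) [ -d "$mnt" ] || { echo "BAD $dev: mount point $mnt missing"; bad=1; } ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample: the line from step 8, checked on the current machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fstab
/dev/sdd1         /disk1      ext3     defaults    1    2
EOF
check_fstab "$sample" || echo "fix the entries above before rebooting"
rm -f "$sample"
```

On the real system, running `mount -a` after saving /etc/fstab mounts every listed filesystem and reports errors while the machine is still up.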