Access controls were easier to manage in the past. With a few commands (e.g chown, chmod) we were manipulating file permissions. There were a few attributes to manage and security wasn’t much of a concern as we have now. As the security threats increase we have to add additional levels of protection. What I am telling you now is how you can change permissions of files in Linux with a different method.

In order to use POSIX access control lists, your kernel must have this feature enabled.  In order to understand you have this feature or not, you can have a look at into your kernel config file in the first place for the string “POSIX_ACL”. If you see a similar output in which the attributes are set to “y”, then you have the feature.

If you are using a redhat based system, you should have it by default. Shortly if you file system has been mounted with the option “acl” then you can use POSIX ACLs. Here is a brief explanation of how you can use ACLs with examples.

1) I have a test folder which belongs to root user only but I want also the user “accountant” to have read,write and execute permissions on this folder by keeping the current permission.

2) First run setfacl command as follows;

and check the permissions;

Have you seen the difference? A plus sign has been added into the flags. Now lets display the new permissions with getfacl tool.

Bu yazıda bir örnekle Linux altında nasıl GRE tünel oluşturacağımızı anlatmaya çalışacağım.

Birbirine Internet üzerinden erişebilen iki Linux cihaz düşünelim. (IP adresleri yine de Internet üzerinde kullanılmayan bloktan verilmiştir)

IP TANIMLARI

node1 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0 : 192.168.200.150/24
eth1:  10.1.1.1/24
tunel arayuzu (tonode2): 172.16.151.1/30

node2 (eth0 internet, eth1 iç ağa bakan kısım olsun)
eth0:  10.10.10.150/24
eth1:  10.2.1.1/24
tunnel arayuzu (tonode1): 172.16.151.2/30

node1 ve node2 cihazlarının birbirlerine eth0 arayüzleri üzerinde Interneti kullanarak erişebildiğini düşünelim. Sırasıyla cihazları yapılandıralım.

Continue Reading »

If you have a problem of frequent disconnection from your SSH server, you can enable the following setting in your sshd_config file and restart SSHD.

The exact description of what this does is

VNC server configuration is pretty straight forward in redhat. Here are the steps that you should complete in order to run a functional VNC server in a few minutes.

Our test user is : mert

1) Adjust /etc/sysconfig/vncservers config file as below:

2) Login to mert account and set vncpassword

3) Start vnc service and add it into the startup.

However if you connect via VNC client now, you won’t see default GNOME but twm instead.

Open the file /home/mert/.vnc/xstartup and uncomment the following lines (remove the hash in front)

Restart VNC server to have the new changes affected.

4) Below is a step by step login into VNC server from my windows OS

a) connection screen

b) Password screen

c) GNOME screen

I hadn’t used screen much in the past but I see that it is a very handy tool. I just would like to add some tips about screen command.

It is very useful to use the option “-t” in screen as it allows you to mark your instances. If you run a new screen sheel with the command;

Then when you run Ctrl-a “ to list the windows, you will recognize your tailing window with the title “/var/log/local6″

This is a very short article about screen. I hope on the way I use this tool, I may improve this it.

As network cards or links may fail, we may solve this problem by creating multiple links to our network devices. One way is interface bonding which we will configure one in our example.  I assume that your linux have three interfaces eth0,eth1 and eth2. We will use two of the interfaces;

Slave Interfaces : eth1 and eth2
Bonding interface: bond0

1) First add the followings into /etc/modprobe.conf file to provide module paramaters:

With this configuration, we use active backup mode. By that, if the primary interface goes down for some reason, bonding system will fail over into the other interface. If you want to use round robin load balancing which will enable to use both interfaces actively use “balanced_rr” instead of “active-backup”

2) Configure slave and bonding interfaces.

/etc/sysconfig/network-scripts/ifcfg-bond0

3) Now bring up the bonding interface and look at “ip addr” output

#ifup bond0

You might have noticed that both eth1 and eth2 use the same MAC address which actually what we expect and how it works.

In order to see the bonding status and current active slave interface, issue the following;

Here you can see the real mac addresseses of the interfaces.

4) Fail over test

You can actually test how fail over works. In my vmware test system, I have disconnected eth1 and active slave (eth1)  failed over into eth2 at around 3 secs. (I was pinging at the same time) It switches over quite fast but what I have realized is, system keeps the previous mac address even though the interface having that MAC failed. For example in my setup (according to the previous bond0 output), eth1 is failed and eth2 is active slave however other nodes in the network know my 10.0.0.230 IP of having 00:0c:29:47:49:8d MAC. It is quite reasonable indeed. We don’t have to change mac and send unnecessary gratitous arp requests. Once one of your interfaces goes down in your bonding you will see a similar output in your dmesg.

That is all for this article, please drop your comments if you have anything to add or questions.

You can find quite a lot of information about bonding at the following address. I recommend you to read it

http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding

You can find quite a lot of files in /etc/sysconfig however in configuring them you may have trouble but there is a file that you can use to understand what attributes you can use for each file. It is sysconfig.txt. In my current Redhat 5.4 system the file is at the following location as it comes with the package initscripts.

For example if you want to set ethernet options into your ifcfg-eth0 file below is the quote from this file;

One day you may have to install an RPM file into a different root folder. For example under rescue mode though you can chroot as an option. Here is the handy option for you to do it.

In the event that partition table is corrupted or boot loader has gone, here are some steps that you can take in order to boot the system as normal.

I hope that you have taken the backup of partition table previously with the command;

Or if you also want to backup the whole MBR to a file do this;

From now on, I assume that you have booted the system in rescue mode with networking support.

1) The first thing is to paste this partition table back into its original space. Presumably, you have copied the partition table from network and put it under /tmp/sda_partition_table.out

This will fix your partition table. Now time to fix MBR

2) As the MBR has gone, we have to write MBR again. Do the followings;

The root (hd0,0) command assumes that your boot partition is in /dev/sda1

After these commands, you should be able to boot your system as before.

One day it may happen to you that either MBR is corrupted or partition table has gone then you will need rescue mode. However there is one problem,  what if you use LVM in your system. Because redhat does everything for us we don’t actually know what it does for initialization unless you have looked inside the init scripts.

In my rescue environment when I issue “lvm vgdisplay” , I was able to display the configuration but there was no device files under /dev. To overcome this problem do the followings:

The first command “vgscan” scans all disks for volume groups and the second one “vgchange” makes the logical volumes known to the kernel. To deactivate you should but “n” instead of “y” on the command line.

Now you can access logical volumes.