3.1 Searching the course notesIndex

The previous term’s course notes are always available on the Internet here: CST8207 GNU/Linux Operating Systems I.

All the current and previous terms notes files are also stored on the CLS. You can learn about how to read and search these notes files using the command line on the CLS under the heading Copies of the CST8207 course notes near the bottom of the page Course Linux Server. The current CST8177 term notes are searchable there, too!

3.2 The Source DirectoryIndex

All references to the “Source Directory” below are to the CLS directory ~idallen/cst8177/13w/assignment07/ and that name starts with a tilde character “~” followed by a userid with no intervening slash. The leading tilde indicates to the shell that the pathname starts with the HOME directory of the account idallen.

4.1 Set UpIndex

1. On the Course Linux Server, make the directory Assignments/assignment07, in which some information will be stored related to this assignment.

2. Create the check symbolic link needed to run the Checking Program, as described in the section Checking Program below.

3. Complete your CentOS 5.8 VM Installation and Verification.

   • Make sure it passes the checks for disk sizes and package counts.

4. Before you begin this assignment, create a snapshot of your CentOS 5.8 VM.

   • Enter a comment explaining where and when you took this snapshot.
   • You can restore back to this snapshot if anything goes wrong.

4.2 Review of CST8207 account managementIndex

1. Review your use of account management in CST8207:
   • In this assignment you will need to remember how to use: passwd, useradd, userdel, groupadd, gpasswd, usermod, chown, chgrp, chmod, chsh
   • Users and Groups - /etc/passwd and /etc/group
   • Worksheet #09 PDF
   • Worksheet #10 PDF

4.3 Creating a sudoers groupIndex

We will create a special sudoers group. The sudo command will be configured to permit any account in this group to become the root user and run any command with full privileges.

1. If necessary, login to your CentOS 5.8 VM as the root user (the only user).

2. Create a special group for users who will be permitted to use the sudo command, as follows:

   1. In the CentOS man groupadd manual page:
      • Read about the Red Hat -r system account option.
   2. Create a new system group account called sudoers
      • Make sure the group is created as a system account group
   3. Check you work: make sure the new group appears in the group file. If not, get help.

3. Enable sudo to use the new sudoers group, as follows:

   1. Make a backup of /etc/sudoers (for example, /etc/sudoers.bak)
   2. Edit the sudoers file with the visudo command.
      • Refer to the course notes on how to use an editor other than vi with this command.
   3. Search for the line # %wheel ALL=(ALL) ALL
      • Read the line directly above it to see what this line does.
   4. Following the model of the commented-out line for the group wheel, create a new line (and a comment above it) that allows anyone in the sudoers group to run all commands.
   5. Ensure there is no comment character # at the front of the line from the previous step. The line must start with % followed by the new group name (not wheel).
   6. Save the /etc/sudoers file and quit the editor.

4. Do a file difference between your backup file /etc/sudoers.bak and the new /etc/sudoers file. Make sure that the only changes you see are the ones you intended to make. If not, restore the file (or restore a previous snapshot) and make the changes again.

4.4 Setting Up a System Administrator AccountIndex

Do not add extensive customization to the root account on a system, since such customization may not suit all root users of the system and may break automated programs that need to become the root user.

Leave the root account on your CentOS 5.8 VM alone.

In this section you will create your own system administration account on your CentOS 5.8 VM. All work is done on your CentOS 5.8 VM.

References to man pages will be to CentOS man pages, not CLS man pages. Since CentOS Linux and Ubuntu Linux are different distributions, they sometimes have different documentation and programs.

1. If necessary, login to your CentOS 5.8 VM as the root user (the only user).

2. Make sure you have configured the sudoers group in the previous section.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Create a system administrator account as follows:

   1. In the CentOS man useradd manual page:
      • Note where the LOGIN name must be used on the useradd command line.
      • Read about the -c option.
      • Read about the Red Hat -r system account option and how it will require you to use the -m option as well.
      • Read about the -m option.
   2. Following the SYNOPSIS syntax given in the useradd man page, add a new system account with the following settings:
      • LOGIN: Use your eight-character College/Blackboard username
      • COMMENT: Copy the exact text used for the fifth field of your own account line in /etc/passwd on the CLS.
        • The fifth field in /etc/passwd is called the GECOS field or user’s name or comment field.
        • The text you must copy from the CLS and use as a comment field on CentOS is in the form: “Firstname Lastname (CST8177-13W 40N)” where Firstname and Lastname are your name and 40N must be your own three-digit lab section number (401 through 405).
        • Warning: Parentheses are shell meta-characters.
      • Make sure the account is created as a system account with no password expiry.
      • Make sure the HOME directory is created at the same time.
   3. Search for the newly created account in the password file and make sure it has the correct GECOS/comment/name field.
   4. Make sure the newly created account also has a HOME directory created in the file system. Note that some default hidden files have been put into the HOME directory, copied from /ets/skel.
   5. If you didn’t succeed in creating the account and HOME directory correctly, you may restore your snapshot and try again.

5. Adjust permissions of the new account directory, as follows:

   1. Set the permissions (mode) of the new HOME directory for this new account such that:
      • the owner (that is, you) can do everything, but
      • group and other users can do nothing (no permissions)

6. Set a password for the new account, as follows:

   1. Review the section “Choose a hard-to-guess password” in man passwd.
   2. Assign your new account a strong password that you can remember.

7. Enable sudo for the new account, as follows:

   1. Review the CentOS man gpasswd manual page.
   2. Add your new account to the sudoers group.
   3. Check you work: make sure your account name appears beside the new group name in the group file. If not, get help.

8. Test your new account’s ability to use sudo, as follows:

   1. Log out from the root account.
   2. Log in to your new system admin account.
   3. Look at man sudo, or search the course notes, for how to “gain root privileges” when you are a sudoer.
   4. Obtain root privileges using the sudo command to start a root privilege shell:
      • Use the -i option to set a correct root PATH that includes system administration paths such as /sbin.
      • Your shell prompt should change from $ to include the # character that indicates root privileges.
   5. If the previous step was unsuccessful, check the following:
      • Did you type your own password (not root’s) when prompted by the sudo command?
      • Is your sysadmin (non-root) user in the sudoers group?
      • Is there a line in the /etc/sudoers file that allows anyone in the sudoers group to run all commands? (Check your work.)
   6. Type whoami or id to confirm that you are the root user.
   7. Type ip route. If you see “command not found”, you have not used the correct sudo option to set the root PATH. Try again.
      • The full root PATH inclues system paths such as /sbin
   8. You must not proceed until you are able to obtain root shell privileges as your sysadmin (non-root) user, because you are about to disallow root logins.
   9. You may remove /etc/sudoers.bak if everything is working correctly.

4.5 Prevent root loginsIndex

Many systems increase security by making it impossible to become the root user directly using a root account password, forcing people to first login with their own account name and only then use sudo to execute privileged commands.

1. Log in to your new system administration account, if necessary, and obtain root shell privileges using the sudo command, if necessary.

   • Your shell prompt should change from $ to include the # character that indicates root privileges.
   • Make sure you have the full root PATH that includes /sbin

2. Type whoami or id to confirm that you are the root user.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Lock the root account password using the correct option of the passwd command.

5. Exit your current shell to release root privileges, so that you return to your system admin account and see a regular prompt (no # character).

6. Verify that you cannot use su to become root any more using the locked root account password.

4.6 Arrange to keep your system clock accurateIndex

Your CentOS virtual machine clock is not synchronized to the Internet time servers. This section configures network time.

NOTE1: Changing the time of a system running in full muti-user mode is dangerous. If system accounting is being used to charge users for computer time, changing the time can cost users real money. Where possible, only change the system time in single-user mode, when all non-system programs are stopped and nobody is logged in.

NOTE2: Pausing and resuming a virtual machine that is not running VMware tools may cause the VM clock to be wrong, and the time difference may be too large for the Network Time Package to correct using the default settings. You may have to set the clock manually.

1. Log in to your new system administration account, if necessary, and obtain root shell privileges using the sudo command, if necessary.

   • Your shell prompt should change from $ to include the # character that indicates root privileges.
   • Make sure you have the full root PATH that includes /sbin

2. Type whoami or id to confirm that you are the root user.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Send the machine to down to single-user mode, as follows:

   1. Ensure you have direct access to the system console (remote login will not work in single-user mode).
   2. Run: shutdown now (without the -h halting option!)

5. On the console in single-user mode, manually set your CentOS VM clock close to the current time carefully, as follows:

   1. Read the man page for the date command and note the second SYNOPSIS syntax line used to set the current date/time.
   2. Use the date command to set your CentOS VM date/time close to the actual date/time (within a few seconds). You can use the time on the CLS as an accurate reference.
   3. Run the date command to verify that your system time is close to the actual time (within a few seconds), and try again if needed.
   4. When your system clock is close to accurate (within a few seconds), take your machine back to multi-user mode (runlevel 3, in our case) by typing exit at the single-user shell.
   5. The system will come back up in the default multi-user mode, which in our case is Run Level 3 (text mode, no GUI).

6. When your system reaches runlevel 3, you will need to log in again, and obtain root privileges again.

   • Make sure you have the full root PATH that includes /sbin

7. Use yum to install the ntp package. (Refer to the lecture notes.)

8. Use chkconfig to configure the ntpd daemon to start in runlevels 2,3,4,and 5.

   • Verify that you succeeded.

9. Start the ntpd daemon using the correct service command for this purpose.

   • You won’t need to start the daemon manually after a reboot, if you have correctly configured the ntpd with thechkconfig command.

10. Verify that the ntpd service is running.

    • Use the correct service command for this purpose.
    • Look for ntpd messages at the end of /var/log/messages

4.7 Copy your files from the CLS to your CentOS VM accountIndex

Your new system admin account is missing the shell prompt, options, and aliases of your account on the CLS. Let’s bring some selected files from the CLS to your CentOS sysadmin account.

1. Log in to your new CentOS system administration account, if necessary.

   • Exit from the root shell, if you are running as root.

2. Type whoami or id to confirm that you are not running as root.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Copy your .bashrc and .bash_profile from your account on the CLS to the HOME directory of your account on your CentOS VM, as follows:

   1. Use the “preserves modification times” option to the scp command.
   2. Make sure you copy in the correct direction, or you will wipe out your files on the CLS!
   3. After the copy, create another alias in your account that always uses this “preserve” option when you type the scp command name.

5. Log out of CentOS and log back in to make your shell environment the same as it would be on the CLS. All the options and aliases should be the same now.

   • In these updated CST8207 Startup Files notes, see the updated PS1 prompt string and note that it uses \$ instead of just $ in the prompt! RTFM man bash)

6. Fetch an exact copy of your CLS Assignments directory into the HOME directory of your sysadmin account on your CentOS VM, as follows:

   1. Use one single rsync command with the archive options that preserve all timestamps, ownership, permissions, hard links, etc.
   2. Make sure you copy in the correct direction, or you will wipe out your files on the CLS and have to restore them from backups!
   3. Note that you will not have permission to copy pathnames that you cannot read on the CLS, including some pathnames from assignment01. Ignore these few errors.

4.8 Creating a few new users “by hand”Index

You will use the standard account management tools to create a few ordinary (non-admin) accounts, just as you did last term. You will force password expiry so that the users must change their passwords when they first log in.

1. Log in to your new system administration account, if necessary, and obtain root shell privileges using the sudo command, if necessary.

   • Your shell prompt should change from $ to include the # character that indicates root privileges.
   • Make sure you have the full root PATH that includes /sbin

2. Type whoami or id to confirm that you are the root user.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Create three new users by running the appropriate command three times:

   1. Usernames: user001, user002, user003
   2. Full Names (GECOS comment field): User One, User Two, User Three
   3. Verify that the new accounts appear in the password file and that the HOME directories all exist.

5. Set different, good initial passwords for the three users.

6. Force these users to change their password upon first login.

   • Search the lecture slides for how to force passwd change on login.

7. Set their HOME directory permissions to be full permissions for owner and no permissions for group or other.

4.9 Create many more users in bulkIndex

In this section, you will be creating a text file suitable for input to the newusers command, then using newusers to quickly create almost a hundred new accounts.

1. Log in to your new CentOS system administration account, if necessary.

   • Exit from the root shell, if you are running as root.

2. Type whoami or id to confirm that you are not running as root.

3. Take a VMware snapshot that you can return to if things go wong.

   • Enter a comment explaining where and when you took this snapshot.

4. Copy the file userlist.csv from the Source Directory on the CLS to the Assignments/assignment07/ directory in your account on your CentOS machine.

   • Did you remember to preserve the time stamp on the file?
   • Imagine that the userlist.csv file was given to you from the Human Resources department by someone who created it with a spreadsheet.
   • Examine this file, and notice that it is in Colon-Separated-Value format. It contains a header line and a username and a real name for each of 97 new users that need an account on your system.
   • You must modify this file for input to the newusers command, as follows:

5. Create a new file called userlist.newusers based on userilst.csv, as follows:

   1. Every line in the new file must be suitable for input to the newusers command. Every line must have these seven colon-separated fields:

      username:password:::Real Name:/home/username:/bin/bash

   2. The above seven fields are copied from userlist.csv into userlist.newusers with the following small changes:

      1. username is the user’s username (unchanged)
      2. password is a single new clear-text (unencrypted) password for all the new accounts, created as follows:
         • You must change this password from the dummy value given in userlist.csv
         • Make up a single, common password that all of these new users will get. (This is not very secure, but it’s the best you can do without writing a more complex script.)
         • Do not choose any obvious password such as password.
         • To make this change, use an invocation of the sed command to read this file and change the word password to the single unencrypted password that you made up, redirecting the output of that sed command to the target file userlist.newusers
      3. the UID field is blank (unchanged)
      4. the GID field is blank (unchanged)
      5. Real Name is the user’s real name (unchanged)
      6. /home/username is the user’s HOME directory (unchanged)
      7. /bin/bash is the user’s shell (unchanged)

   3. The first header line in userlist.csv is not a user to be created and must not appear in the new userlist.newusers output file.

   4. Verify that your output file is 97 lines (no header line) and the only field that has changed in each line is the new password field.

6. Use sudo to run the newusers command to create all of these 97 new users.

7. Check to make sure all the new users and HOME directories exist.

   • Use pipelines to count the accounts in the password, group, and shadow files.
   • Use pipelines to count the account HOME directories.

4.10 Management of the bulk usersIndex

This reviews the account management commands you learned above and in your previous term. Links to previous term notes and worksheets are given above under Review of CST8207 account management. None of the items below require you to text-edit any system files using a text editor. Actions can be performed using the correct account management commands. Most account management commands will require root permissions to run.

1. Create a new group called common.

   • Verify the change by looking in the group file.

2. Create a directory called /home/common owned by your sysadmin user, and group-owned by the new common group.

3. Change the permissions on /home/common so that your sysadmin user can read/write/search, members of the common group can read/write/search, and it is not accessible in any way to other users.

4. Add users user004 and user005 to the common group.

   • Verify the change by looking in the group file.

5. Become user004 without using a password (using your sysadmin powers) and as that user, create a group-writeable file in the common group called /home/common/README containing the text This common directory is for members of the common group.

   • Note the permissions on the file when you create it.
   • Make sure you change only the group and group permissions of this file.
   • Do not remove any existing permissions on the file.
   • Exit from this user004 shell to revert back to your superuser-self.

6. Become user005, and ensure that as user005 you can edit the file /home/common/README and change the text “for members” to “for all members”.

   • If you can’t edit and save this file, check the group and group permissions.
   • Exit from this user005 shell to revert back to your superuser-self.

7. Become user006 and ensure that as user006 you have no access to the /home/common/ directory.

   • Exit from this user006 shell to revert back to your superuser-self.

8. Change the “real name” (GECOS/comment field) of user005 to CommonUser 005.

   • Verify the change by looking in the password file.

9. Lock the password for user006 and user007.

   • Verify the change by looking in the shadow file.

10. Change the shell for user008 and user009 to /bin/sh.

    • Verify the change by looking in the password file.

11. Delete the accounts for User 010 and User 011 without deleting their HOME directories.

    • Verify the change by looking in the password file.
    • Make sure their HOME directories still exist in the file system.

12. Delete the accounts for User 012 and User 013 using the option that also deletes the HOME directory at the same time.

    • Verify the change by looking in the password file.
    • Make sure their HOME directories are gone from the file system.

None of the items above require you to text-edit any system files using a text editor. Actions can be performed using the correct account management commands. Most account management commands will require root permissions to run.

4.11 Creating a tar archive backup and listingIndex

1. As your sysadmin account, in your CentOS Assignments directory, create a compressed tar archive of your assignment07 directory named assignment07_YYYYMMDD.tgz (no spaces), where YYYYMMDD is the date you created the archive backup.

2. Generate a verbose listing of your tar archive file, showing the contents of the archive including all the owners and date/time stamps, into file tar_tvzf.txt under your assignment07 directory.

3. Optional: Read the mouse-over text in this XKCD tar-related comic.

The pathnames in the tar file must not include any parent directories of the assignment07 directory you were asked to save.

4.12 When you are doneIndex

When you are finished, run the Checking Program to create an overall mark. Submit the output to Blackboard in the correct location.

Since we also do manual marking of student assignments, your final mark may not be the same as the mark submitted using the current version of the Checking Program. We do not guarantee that any version of the Checking Program will find all the errors in your work. Complete your assignments according to the specifications, not according to the incomplete set of the mistakes detected by the Checking Program.

1. Optional: Keeping your base CentOS 5.8 VM snapshot, remove any intermediate snapshots you no longer require, to free up disk space.
   • Be careful not to remove your current work!

5.1 Part I - Fetch and CheckIndex

Do all the following steps on your CentOS 5.8 VM. Read through the whole list before you start typing anything.

1. Log in to CentOS as your non-root account (same userid as Blackboard).

2. Create a directory in your account named Assignments/assignment07 (exactly the same directory hierarchy as you already have on the CLS), unless you already have this directory.

3. Change to your above assignment07 directory.

4. As shown below, use wget to get a copy of the Fetch program from this URL into a file named do.sh: http://teaching.idallen.com/cst8177/13w/notes/data/assignment07wget.sh

   CentOS$ wget -O do.sh http://teaching.idallen.com/cst8177/13w/notes/data/assignment07wget.sh
   Saving to: `do.sh'

   Make sure you have a file named do.sh in your directory. You only need to download this once.

5. Become the root user on CentOS.

6. As shown below, use sh to run the do.sh script you just downloaded to CentOS with the USER environment variable set to your own CLS account userid. (Do not use abcd0001.)

   CentOS# USER=abcd0001 sh do.sh     # use your *own* userid *not* abcd0001

7. This Fetch program will connect from CentOS to the CLS using your account name. It will copy files from CentOS to your assignment07 directory on the CLS. It will then run the checking program on the CLS to check your work. You will need to answer one question about your IP address, and then wait and type in your CLS password.

It will look something like this:

CentOS$ whoami
abcd0001
CentOS$ pwd
/home/abcd0001/Assignments/assignment07
CentOS$ wget -O do.sh http://teaching.idallen.com/cst8177/13w/notes/data/assignment07wget.sh
Saving to: `do.sh'
CentOS$ su
Password:
CentOS# USER=abcd0001 sh do.sh       # use your *own* userid *not* abcd0001
---------------------------------------------------------------------------
abcd0001: FETCH version 1.  Connecting to CLS as USER='abcd0001' using ssh
---------------------------------------------------------------------------
abcd0001: Use local Algonquin IP cst8177-alg.idallen.ca [y/N]? n
abcd0001: Please wait; using ssh to connect to user 'abcd0001' on cst8177.idallen.ca ...
*** COURSE LINUX SERVER ***
abcd0001@cst8177.idallen.ca's password:         # enter your CLS password
---------------------------------------------------------------------------
idallen-ubuntu assignment07fetch_server.sh version 0 run by abcd0001.
Please wait; collecting info from abcd0001 Virtual Machine
---------------------------------------------------------------------------
VM files collected into Assignments/assignment07/abcd0001.tar.bz on CLS.
Now running check program for abcd0001 on CLS:
----------------------------------------------------------------------------
idallen-ubuntu check: Assignments/assignment07 check program version 00
*** Checking account for abcd0001 on idallen-ubuntu ***
[... checking program output appears here ...]

5.2 Part II - Check and SubmitIndex

When you are done with your assignment, you need to run the checking program one last time on the CLS and submit the output file, as follows:

Do all this on the Course Linux Server:

1. There is a Checking Program named assignment07check in the Source Directory on the CLS. Create a Symbolic Link to this program named check under your new assignment07 directory so that you can easily run the program to check your work and assign your work a mark. Note: You can create a symbolic link to this executable program but you do not have permission to read or copy the program file.

2. Execute the above “check” program on the CLS using its symbolic link. (Review the CST8207 Search Path notes if you forget how to run a program by pathname from the command line.) This program will check your work, assign you a mark, and display the output on your screen. (You may want to paginate the long output so you can read all of it.)

   You may run the “check” program as many times as you wish, to correct mistakes and get the best mark. Some tasks sections require you to finish the whole section before running the checking program at the end; you may not always be able to run the checking program successfully after every single task step.

3. When you are done with checking this assignment, and you like what you see on your screen, redirect the output of the Checking Program into the text file assignment07.txt under your assignment07 directory on the CLS. Use the exact name assignment07.txt in your assignment07 directory. You only get one chance to get the name correct. Case (upper/lower case letters) matters. Be absolutely accurate, as if your marks depended on it. Do not edit the file.

4. Transfer the above assignment07.txt file from the CLS to your local computer and verify its contents. Do not edit this file! No empty files, please! Edited or damaged files will not be marked. You may want to refer to this term’s updated File Transfer notes.

5. Submit the assignment07.txt file under the correct Assignment area on Blackboard (with the exact name) before the due date. Upload the file via the assignment07 “Upload Assignment” facility in Blackboard: click on the underlined assignment07 link in Blackboard. Use “Attach File” and “Submit” to upload your plain text file.

   No word-processor documents. Do not send email. Use only “Attach File”. Do not enter any text into the Submission or Comments boxes on Blackboard; I do not read them. Use only the “Attach File” section followed by the Submit button. (If you want to send me comments about your assignment, use email.)

6. Your instructor may also mark the assignment07 directory in your CLS account after the due date. Leave everything there on the CLS. Do not delete any assignment work from the CLS until after the term is over!

Use the exact file name given above. Upload only one single file of plain text, not HTML, not MSWord. No fonts, no word-processing. Plain text only.

Did I mention that the format is plain text (suitable for VIM/Nano/Pico/Gedit or Notepad)?

NO EMAIL, WORD PROCESSOR, PDF, RTF, or HTML DOCUMENTS ACCEPTED.

No marks are awarded for submitting under the wrong assignment number or for using the wrong file name. Use the exact name given above.

WARNING: Some inattentive students don’t read all these words. Don’t make that mistake! Be exact.

READ ALL THE WORDS. OH PLEASE, PLEASE, PLEASE READ ALL THE WORDS!