Linux with Operating System Concepts



Linux-with-Operating-System-Concepts-Fox-Richard-CRC-Press-2014

Source is an individual file, files indicated via wildcards, or a directory. Destination is a directory. The username can be omitted if your user account is the same on both remote and local computers. You are asked to provide username’s password. If you omit the destination, rsync merely outputs the list of source files and does no copying.
Here are a few simple examples.
• rsync /home/foxr/* /home/foxr/backup —same as cp /home/foxr/* /home/foxr/backup
• rsync foxr@10.11.12.13:/home/foxr/* . —copy remote files to current directory
• rsync foxr@10.11.12.13:/home/foxr —display all files of that remote directory
The rsync program’s power comes from an algorithm it utilizes to compare source files 
to any at the destination location. Rsync can perform three types of comparisons: last 
modification date, size, and checksums. If the source file has either been modified since the 
last copy or is larger, it is copied over. To use checksums instead of modification time and 
size, add the option -c. Other options control whether links are followed, whether a copy is 
done recursively, and whether permissions, ownership, and so on are preserved.
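The difference between the default comparison and -c can be modelled in a few lines. This is an added example, not code from the book and not rsync's own code: the function names are hypothetical, sha256sum stands in for rsync's checksum, and the demo files are constructed in a temporary directory.

```bash
#!/bin/bash
# Added example: a model of the copy/skip decision, not rsync itself.

# same_by_quick_check SRC DST: true when size and modification time match.
same_by_quick_check() {
    [ -f "$2" ] && [ "$(stat -c '%s %Y' "$1")" = "$(stat -c '%s %Y' "$2")" ]
}

# same_by_checksum SRC DST: true when the file contents match.
same_by_checksum() {
    [ -f "$2" ] && [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

# decide SRC DST [-c]: print "copy" or "skip" for one file pair.
decide() {
    local same=same_by_quick_check
    if [ "${3:-}" = "-c" ]; then same=same_by_checksum; fi
    if "$same" "$1" "$2"; then echo skip; else echo copy; fi
}

# demo: a backup copy whose bytes differ from the source while its size and
# timestamp are identical (constructed sample files).
demo() {
    local d
    d=$(mktemp -d)
    printf 'record A\n' > "$d/src"
    cp -p "$d/src" "$d/backup"
    printf 'record B\n' > "$d/backup"     # same length, different content
    touch -r "$d/src" "$d/backup"         # same modification time as src
    echo "default=$(decide "$d/src" "$d/backup") -c=$(decide "$d/src" "$d/backup" -c)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The demo shows why -c matters for backup integrity: a destination file that has silently changed is skipped by the size and time comparison and is only recopied when contents are compared.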
The rsync command is built to perform copies across the network. Neither tar nor cpio 
does this unless you are copying from or to a remotely mounted file system. If you are only 
creating a backup on your local machine, you are not affording yourself much protection. 
The best way to perform a backup is to store the archived material elsewhere.
As specified earlier, one alternative to backing up a file system is to use redundancy in 
the form of RAID. Aside from needing specialized hardware (multiple disks), you need 
RAID software. In Linux, the program for interacting with RAID hardware is called md, the multiple device driver, also known as Linux Software RAID. It is located under /dev/md. 
The md program can handle any of RAID levels 0, 1, 4, 5, 6, or 10 (it does not handle RAID 
2 or 3).
RAID level 4 is generally not used because all redundancy information is placed on a 
single drive. If two or more disk accesses are attempted across the RAID device, only one 
can be accommodated because the redundancy drive becomes a bottleneck. RAID levels 
0, 1, 5, 6, and 10 have the potential for handling two or more accesses at a time because 
data and redundancy information are divided across multiple disks. We will not go into 
any more detail on md because it is a complex process that would take a chapter unto itself 
to explore adequately. The interested system administrator should read md’s man page as 
well as mdadm and dmraid. RAID technology is discussed in more detail in Chapter 14.


Another form of data protection is through permissions. As a system administrator, 
you may not be responsible for examining user directories and files to see if they are using 
adequate permissions. However, if you feel that users have information that should remain 
secure, or if the organization has a policy that requires that files have secure permissions, 
you might explore this. There are many ways to search user directories and files for bad 
permissions. We explored the find command in Chapter 3 and saw that it could search for 
files of a given permission. For instance, we might issue a command like the following:
find / -perm 666 -or -perm 646 -or -perm 446
In the above instruction, we are seeking any files whose permissions give others (world) 
write access. Similarly, there may be files in specific directories that should not be readable 
by anyone but the user or group. We could further elaborate upon the find command by 
executing a chmod command on those files found. This might look like
find / -perm . . . -exec chmod 660 {} \;
On the other hand, we might want to write a script that similarly examines file permissions and catalogs those files whose permissions do not seem suitable. Below is an example of such a script. Note that stat -c "%a" will return the permission of the given file as a three-digit number.
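#!/bin/bash
# Record every regular file whose mode is exactly 666, 646, 446, or 466.
# find supplies full paths; ls -R prints bare names that [ -f ] cannot resolve.
find / -type f -print0 2>/dev/null | while IFS= read -r -d '' file; do
    number=$(stat -c "%a" "$file" 2>/dev/null) || continue
    if [[ $number -eq 666 || $number -eq 646 ||
          $number -eq 446 || $number -eq 466 ]]; then
        echo "$file $number" >> /root/badfilepermissions.txt
    fi
done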
The system administrator can inspect the badfilepermissions.txt file to see which files should be altered. Another script can be written to easily alter file permissions. The script below uses the while read statement to iterate through every entry in the file and alter the permissions of each file to the value given as a parameter. This script, call it changepermissions.sh, could then be executed from the command line as
./changepermissions.sh 660 < /root/badfilepermissions.txt
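#!/bin/bash
# Usage: ./changepermissions.sh MODE < /root/badfilepermissions.txt
# Each input line is "path mode"; the recorded mode is read but not used.
while read -r file number; do
    chmod "$1" "$file"
done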
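The two scripts above match four exact modes and then set one blanket mode. The added example below (not from the book; the function names and the report/fix arguments are assumptions) generalizes the audit to any file whose other-write bit is set and clears only that bit when repairing. It relies on GNU find and chmod.

```bash
#!/bin/bash
# Added example, not from the book. Function names are hypothetical.

# list_world_writable DIR
# Print "MODE PATH" for each regular file under DIR whose other-write bit is
# set. "-perm -0002" tests that one bit and ignores the rest, so 666, 646,
# 446 and 466 are reported along with 602, 777, 4757 and so on.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -printf '%m %p\n' 2>/dev/null
}

# count_world_writable DIR
# Count matches NUL-delimited so unusual file names cannot skew the total.
count_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print0 2>/dev/null | tr -cd '\0' | wc -c
}

# fix_world_writable DIR
# Clear only the other-write bit. Unlike "chmod 660", this leaves the owner,
# group and execute bits of each file as they were.
fix_world_writable() {
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} +
}

# Run as: ./audit.sh report /home   or   ./audit.sh fix /home
case "${1:-}" in
    report) list_world_writable "${2:?directory required}" ;;
    fix)    fix_world_writable "${2:?directory required}" ;;
esac
```

Because -xdev keeps find on one file system, run the report once per mounted file system that holds user data.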


The Linux File System

Ensuring that data are available is only one part of the duties of protecting disk data. Another side to this is the use of encryption. We explored the idea of encryption in Chapter 5 when we introduced the open source encryption tool openssl. Although openssl is primarily intended for encrypting messages to be sent over a network, it can also be used to encrypt files in a local file system. You can also specify that a partition be encrypted when you create the partition. Alternatively, you can apply encryption programs later, including Loop-AES, DM-crypt, PGP, and TrueCrypt.
10.6.4 Isolating a Directory within a File System
We end this section with one last tool, chroot. This program is utilized alongside another process. What chroot does is isolate a process at the time the process is launched so that it is limited to the file space specified. Inside this file space, the process operates as if there were no other file system available. Thus, the process is unable to breach the root level of this file space and affect other files.
Consider for instance a web server that operates on scripts, password files, log files, error files, and the web documents. Let us assume the entire collection of web server files (including its own binaries) is located under /usr/local/apache2. The web server has no need to access files in /etc, /boot, /dev, /home, or /var. By launching the web server with a chroot of /usr/local/apache2, it is unable to access anything above this directory. This protects your system in that inadvertent or erroneous code cannot damage your system, nor can a hacker use the web server to attack your system and damage any part of the system outside of the web server.
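A directory used as a chroot must hold everything the confined program loads, including its shared libraries. The added example below (not from the book; the function names, jail path and account are assumptions) populates such a directory for a trusted binary, checks it for missing libraries, and launches a command in it under an unprivileged account.

```bash
#!/bin/bash
# Added example, not from the book. Function names are hypothetical.
# Run ldd only on binaries you already trust.

# build_jail JAIL BINARY...
# Copy each binary and the shared libraries ldd reports for it into JAIL under
# the same absolute paths, because a chrooted process cannot see the host's
# /lib or /usr/lib.
build_jail() {
    local jail=$1 bin lib
    shift
    for bin in "$@"; do
        install -D -m 0755 "$bin" "$jail$bin" || return 1
        ldd "$bin" 2>/dev/null | grep -o '/[^ ]*' | while read -r lib; do
            [ -e "$jail$lib" ] || install -D -m 0755 "$lib" "$jail$lib"
        done
    done
}

# missing_libs JAIL BINARY
# Print libraries that BINARY needs but JAIL lacks (no output means ready).
missing_libs() {
    local lib
    ldd "$2" 2>/dev/null | grep -o '/[^ ]*' | while read -r lib; do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# run_in_jail JAIL USER:GROUP COMMAND [ARG...]
# Must be started by root. --userspec makes chroot switch to an unprivileged
# account before running COMMAND; a process that keeps root inside a chroot
# is not reliably confined by it.
run_in_jail() {
    local jail=$1 spec=$2
    shift 2
    chroot --userspec="$spec" "$jail" "$@"
}
```

For instance, build_jail /srv/jail /bin/sh followed by run_in_jail /srv/jail nobody:nogroup /bin/sh starts a shell that sees only the copied files; /srv/jail and nobody:nogroup are placeholder values.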
The chroot command has other useful applications aside from creating a secure or isolated space. You can use it to create an isolated file system to test code that you are developing. This is sometimes known as a sandbox. You do not deploy the software for testing on a normal system but instead isolate it within a sandbox. If you are running software that invokes services, files, or programs whose names conflict with system names already installed, using chroot allows the isolated file space to use the same names without the system confusing which specific files/programs are being requested.
The chroot command is used as follows:
chroot [options] 
