[deployment-guide/comm-rel: 9/26] Created table of available runlevels.
by dsilas
commit 4cb7682ea82c0675761da70efb8da8854173abe6
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Mon Jun 14 10:55:47 2010 +0200
Created table of available runlevels.
Personally, I think it is much more readable than the simple list that was
used before. It is also easier to refer to it.
en-US/Controlling_Access_to_Services.xml | 80 +++++++++++++++++++++---------
1 files changed, 57 insertions(+), 23 deletions(-)
---
diff --git a/en-US/Controlling_Access_to_Services.xml b/en-US/Controlling_Access_to_Services.xml
index 23ff981..14ad9c4 100644
--- a/en-US/Controlling_Access_to_Services.xml
+++ b/en-US/Controlling_Access_to_Services.xml
@@ -49,29 +49,63 @@
<title>Configuring the Default Runlevel</title>
<para>Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or <firstterm>mode</firstterm>, that is defined by the services listed in the directory <filename>/etc/rc.d/rc<replaceable><x></replaceable>.d</filename>, where <replaceable><x></replaceable> is the number of the runlevel.</para>
<para>The following runlevels exist:</para>
- <itemizedlist>
- <listitem>
- <para>0 — Halt</para>
- </listitem>
- <listitem>
- <para>1 — Single-user mode</para>
- </listitem>
- <listitem>
- <para>2 — Not used (user-definable)</para>
- </listitem>
- <listitem>
- <para>3 — Full multi-user mode</para>
- </listitem>
- <listitem>
- <para>4 — Not used (user-definable)</para>
- </listitem>
- <listitem>
- <para>5 — Full multi-user mode (with an X-based login screen)</para>
- </listitem>
- <listitem>
- <para>6 — Reboot</para>
- </listitem>
- </itemizedlist>
+ <table id="table-services-runlevels">
+ <title>Runlevels in &MAJOROS;</title>
+ <tgroup cols="2">
+ <colspec colname="runlevel" colnum="1" colwidth="10*" />
+ <colspec colname="description" colnum="2" colwidth="60*" />
+ <thead>
+ <row>
+ <entry>Runlevel</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><option>0</option></entry>
+ <entry>
+ Used to halt the system. This runlevel is reserved and cannot be changed.
+ </entry>
+ </row>
+ <row>
+ <entry><option>1</option></entry>
+ <entry>
+ Used to run in a single-user mode. This runlevel is reserved and cannot be changed.
+ </entry>
+ </row>
+ <row>
+ <entry><option>2</option></entry>
+ <entry>
+ Not used by default. You are free to define it yourself.
+ </entry>
+ </row>
+ <row>
+ <entry><option>3</option></entry>
+ <entry>
+ Used to run in full multi-user mode with a command line user interface.
+ </entry>
+ </row>
+ <row>
+ <entry><option>4</option></entry>
+ <entry>
+ Not used by default. You are free to define it yourself.
+ </entry>
+ </row>
+ <row>
+ <entry><option>5</option></entry>
+ <entry>
+ Used to run in full multi-user mode with a graphical user interface.
+ </entry>
+ </row>
+ <row>
+ <entry><option>6</option></entry>
+ <entry>
+ Used to reboot the system. This runlevel is reserved and cannot be changed.
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
<para>If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you are operating in runlevel 5.</para>
<para>The default runlevel can be changed by modifying the <filename>/etc/inittab</filename> file, which contains a line near the top of the file similar to the following:</para>
<screen>id:5:initdefault:</screen>
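Review bot: The lead-in above the new table is still the bare `<para>The following runlevels exist:</para>`, and nothing in this hunk links to the new `table-services-runlevels` id, so the "easier to refer to" benefit named in the commit message is not used yet. Consider rewording the lead-in to point at the table with `<xref linkend="table-services-runlevels"/>`. A smaller markup point in the first column: the runlevel numbers are wrapped in `<option>`, which marks command options; `<literal>` describes a runlevel number more accurately.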
[deployment-guide/comm-rel: 8/26] Changed the structure of the chapter.
by dsilas
commit 2e1712b2c624a9083806394c101ce9f605ade31f
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Sat Jun 12 02:25:41 2010 +0200
Changed the structure of the chapter.
No new content written yet, I just wanted to make the chapter easier to
navigate (both for future readers and me).
en-US/Controlling_Access_to_Services.xml | 228 ++++++++++++++----------------
1 files changed, 107 insertions(+), 121 deletions(-)
---
diff --git a/en-US/Controlling_Access_to_Services.xml b/en-US/Controlling_Access_to_Services.xml
index eb604a0..23ff981 100644
--- a/en-US/Controlling_Access_to_Services.xml
+++ b/en-US/Controlling_Access_to_Services.xml
@@ -1,8 +1,7 @@
<?xml version='1.0'?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
-<chapter
- id="ch-Controlling_Access_to_Services">
+<chapter id="ch-Controlling_Access_to_Services">
<title>Controlling Access to Services</title>
<para>Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, <command>httpd</command> if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.</para>
<para>There are several different methods for managing access to system services. <!-- RHEL5: Decide -->Choose which method of management to use based on the service, your system's configuration, and your level of Linux expertise.</para>
@@ -46,9 +45,8 @@
<title>Important</title>
<para>When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. Refer to <!-- TBD6: <xref linkend="s1-basic-firewall"/> --> for more information.</para>
</important>
- <section
- id="s1-services-runlevels">
- <title>Runlevels</title>
+ <section id="s1-services-runlevels">
+ <title>Configuring the Default Runlevel</title>
<para>Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or <firstterm>mode</firstterm>, that is defined by the services listed in the directory <filename>/etc/rc.d/rc<replaceable><x></replaceable>.d</filename>, where <replaceable><x></replaceable> is the number of the runlevel.</para>
<para>The following runlevels exist:</para>
<itemizedlist>
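Review bot: The retitling of `s1-services-runlevels` from `Runlevels` to `Configuring the Default Runlevel` does not match how the section is referenced elsewhere in this file. The Services Configuration Tool text says "Refer to `<xref linkend="s1-services-runlevels"/>` for a description of runlevels", and generated link text for that xref will now carry the new title even though the reader is being sent there for the description. Either choose a title that covers both the description and the default-runlevel procedure, or reword the referring sentence. Separately, the `<important>` block in the context lines has its xref commented out (`TBD6`), so the sentence renders as "Refer to for more information."; it is worth dropping or completing that sentence while restructuring.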
@@ -79,19 +77,112 @@
<screen>id:5:initdefault:</screen>
<para>Change the number in this line to the desired runlevel. The change does not take effect until you reboot the system.</para>
</section>
- <section
- id="s1-services-tcp-wrappers">
- <title>TCP Wrappers</title>
+ <section id="s1-services-services">
+ <title>Configuring Running Services</title>
+ <section id="s2-services-serviceconf">
+ <title>Using <application>Service Configuration</application> tool</title>
+ <para>The <application>Services Configuration Tool</application> is a graphical application developed by Red Hat to configure which SysV services in the <filename>/etc/rc.d/init.d</filename> directory are started at boot time (for runlevels 3, 4, and 5) and which <command>xinetd</command> services are enabled. It also allows you to start, stop, and restart SysV services as well as <!-- RHEL5: restart --> reload <command>xinetd</command>.</para>
+ <para>To start the <application>Services Configuration Tool</application> from the desktop, go to the Applications (the main menu on the panel) > <guimenu>System Settings</guimenu> > <guimenu>Server Settings</guimenu> > <guimenuitem>Services</guimenuitem> or type the command <command>system-config-services</command> at a shell prompt (for example, in an <application>XTerm</application> or a <application>GNOME terminal</application>).</para>
+ <figure
+ float="0"
+ id="fig-serviceconf">
+ <title>
+ <application>Services Configuration Tool</application>
+ </title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/serviceconf.png"
+ format="PNG"
+ scalefit="1"/>
+ </imageobject>
+ <textobject>
+ <para>Configuring network services</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+ <para>The <application>Services Configuration Tool</application> displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select <guimenu>Edit Runlevel</guimenu> from the pulldown menu and select runlevel 3, 4, or 5. Refer to <xref
+ linkend="s1-services-runlevels"/> for a description of runlevels.</para>
+ <para>The <application>Services Configuration Tool</application> lists the services from the <filename>/etc/rc.d/init.d</filename> directory as well as the services controlled by <command>xinetd</command>. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an <command>xinetd</command> service, the status window shows whether the service is currently running. If the service is controlled by <command>xinetd</command>, the status window displays the phrase <guilabel>xinetd service</guilabel>.</para>
+ <para>To start, stop, or restart a service immediately, select the service from the list and click the appropriate button on the toolbar (or choose the action from the <guimenu>Actions</guimenu> pulldown menu). If the service is an <command>xinetd</command> service, the action buttons are disabled because they cannot be started or stopped individually.</para>
+ <para>If you enable/disable an <command>xinetd</command> service by checking or unchecking the checkbox next to the service name, you must select <guimenu>File</guimenu> > <guimenuitem>Save Changes</guimenuitem> from the pulldown menu (or the <guimenuitem>Save</guimenuitem> button above the tabs) to <!-- RHEL5: restart -->reload <command>xinetd</command> and immediately enable/disable the <command>xinetd</command> service that you changed. <command>xinetd</command> is also configured to remember the setting. You can enable/disable multiple <command>xinetd</command> services at a time and save the changes when you are finished.</para>
+ <para>For example, assume you check <command>rsync</command> to enable it in runlevel 3 and then save the changes. The <command>rsync</command> service is immediately enabled. The next time <command>xinetd</command> is started, <command>rsync</command> is still enabled.</para>
+ <note>
+ <title>Note</title>
+ <para>When you save changes to <command>xinetd</command> services, <command>xinetd</command> is <!-- RHEL5: restarted -->reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.</para>
+ </note>
+ <para>To enable a non-<command>xinetd</command> service to start at boot time for the currently selected runlevel, check the <!-- RHEL5: check -->box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting <guimenu>File</guimenu> > <guimenuitem>Save Changes</guimenuitem> from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.</para>
+ <para>For example, assume you are configuring runlevel 3. If you change the value for the <command>httpd</command> service from checked to unchecked and then select <guimenuitem>Save Changes</guimenuitem>, the runlevel 3 configuration changes so that <command>httpd</command> is not started at boot time. However, runlevel 3 is not reinitialized, so <command>httpd</command> is still running. Select one of following options at this point:</para>
+ <orderedlist
+ continuation="restarts"
+ inheritnum="ignore">
+ <listitem>
+ <para>Stop the <command>httpd</command> service — Stop the service by selecting it from the list and clicking the <guibutton>Stop</guibutton> button. A message appears stating that the service was stopped successfully.</para>
+ </listitem>
+ <listitem>
+ <para>Reinitialize the runlevel — Reinitialize the runlevel by going to a shell prompt and typing the command <command>telinit <replaceable>x</replaceable>
+ </command> (where <replaceable>x</replaceable> is the runlevel number; in this example, 3.). This option is recommended if you change the <guilabel>Start at Boot</guilabel> value of multiple services and want to activate the changes immediately.</para>
+ </listitem>
+ <listitem>
+ <para>Do nothing else — You do not have to stop the <command>httpd</command> service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the <command>httpd</command> service running.</para>
+ </listitem>
+ </orderedlist>
+ <para>To add a service to a runlevel, select the runlevel from the <guimenu>Edit Runlevel</guimenu> pulldown menu, and then select <guimenu>Actions</guimenu> > <guimenuitem>Add Service</guimenuitem>. To delete a service from a runlevel, select the runlevel from the <guimenu>Edit Runlevel</guimenu> pulldown menu, select the service to be deleted from the list on the left, and select <guimenu>Actions</guimenu> > <guimenuitem>Delete Service</guimenuitem>.</para>
+ </section>
+ <section id="s2-services-chkconfig">
+ <title>Using <command>chkconfig</command></title>
+ <para>The <command>chkconfig</command> command can also be used to activate and deactivate services. The <command>chkconfig --list</command> command displays a list of system services and whether they are started (<command>on</command>) or stopped (<command>off</command>) in runlevels 0-6. At the end of the list is a section for the services managed by <command>xinetd</command>.</para>
+ <para>If the <command>chkconfig --list</command> command is used to query a service managed by <command>xinetd</command>, it displays whether the <command>xinetd</command> service is enabled (<command>on</command>) or disabled (<command>off</command>). For example, the command <command>chkconfig --list rsync</command> returns the following output:</para>
+ <screen>rsync on</screen>
+ <para>As shown, <command>rsync</command> is enabled as an <command>xinetd</command> service. If <command>xinetd</command> is running, <command>rsync</command> is enabled.</para>
+ <para>If you use <command>chkconfig --list</command> to query a service in <filename>/etc/rc.d</filename>, that service's settings for each runlevel are displayed. For example, the command <command>chkconfig --list httpd</command> returns the following output:</para>
+ <screen>httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off</screen>
+ <para>
+ <command>chkconfig</command> can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn <command>nscd</command> off in runlevels 3, 4, and 5, use the following command:</para>
+ <screen>
+ <command>chkconfig --level 345 nscd off</command>
+ </screen>
+ <warning>
+ <title>Warning</title>
+ <para>Services managed by <command>xinetd</command> are immediately affected by <command>chkconfig</command>. For example, if <command>xinetd</command> is running while <command>rsync</command> is disabled, and the command <command>chkconfig rsync on</command> is executed, then <command>rsync</command> is immediately enabled without having to restart <command>xinetd</command> manually. Changes for other services do not take effect immediately after using <command>chkconfig</command>. You must stop or start the individual service with the command <command>service <replaceable><daemon></replaceable> stop</command> (where <replaceable><daemon></replaceable> is the name of the service you want to stop; for example, <command>httpd</command>). Replace <command>stop</command> with <command>start</command> or <command>restart</command> to start or restart the service.</para>
+ </warning>
+ </section>
+ <section id="s2-services-ntsysv">
+ <title>Using <application>ntsysv</application></title>
+ <para>The <application>ntsysv</application> utility provides a simple interface for activating or deactivating services. You can use <application>ntsysv</application> to turn an <command>xinetd</command>-managed service on or off. You can also use <application>ntsysv</application> to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the <option>--level</option> option. For example, the command <command>ntsysv --level 345</command> configures runlevels 3, 4, and 5.</para>
+ <para>The <application>ntsysv</application> interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons. To move between the list of services and the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons, use the <keycap>Tab</keycap> key. An asterisk (<guilabel>*</guilabel>) signifies that a service is set to on. Pressing the <keycap>F1</keycap> key displays a short description of the selected service.</para>
+ <!-- RHEL5: ddomingo(a)redhat.com: added PNG image -->
+ <figure
+ float="0"
+ id="fig-ntsysv">
+ <title>The <application>ntsysv</application> utility</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
+ fileref="images/ntsysv.png"
+ format="PNG"/>
+ </imageobject>
+ <textobject>
+ <para>The <application>ntsysv</application> utility</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+ <warning>
+ <title>Warning</title>
+ <para>Services managed by <command>xinetd</command> are immediately affected by <application>ntsysv</application>. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command <command>service <replaceable><daemon></replaceable> stop</command> (where <replaceable><daemon></replaceable> is the name of the service you want to stop; for example, <command>httpd</command>). Replace <command>stop</command> with <command>start</command> or <command>restart</command> to start or restart the service.</para>
+ </warning>
+ </section>
+
+ </section>
+ <section id="s1-services-tcp-wrappers">
+ <title>Configuring TCP Wrappers</title>
<para>
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by <command>xinetd</command> (as well as any program with built-in support for <command>libwrap</command>) can use TCP wrappers to manage access. <command>xinetd</command> can use the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files to configure access to system services. As the names imply, <filename>hosts.allow</filename> contains a list of rules that allow clients to access the network services controlled by <command>xinetd</command>, and <filename>hosts.deny</filename> contains rules to deny access. The <filename>hosts.allow</filename> file takes precedence over the <filename>hosts.deny</filename> file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to <filename>hosts_access</filename> in section 5 of the man pag
es (<command>man 5 hosts_access</command>) for details.</para>
<!-- RHEL5: REMOVING CROSS LINK
<para>For more information on using TCP Wrappers, refer to <xref linkend="s1-tcpwrappers-purpose"/>.</para>
-->
- <section
- id="s2-services-xinetd">
- <title>
- <command>xinetd</command>
- </title>
+ <section id="s2-services-xinetd">
+ <title>Using <command>xinetd</command></title>
<para>To control access to Internet services, use <command>xinetd</command>, which is a secure replacement for <command>inetd</command>. The <command>xinetd</command> daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. <command>xinetd</command> can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.</para>
<para>
<command>xinetd</command> runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, <command>xinetd</command> starts up the appropriate server for that service.</para>
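Review bot: In the moved `chkconfig` section, the `<command>chkconfig --level 345 nscd off</command>` line inside `<screen>` is now indented, whereas the removed original had it at column 0. `<screen>` is verbatim, so the leading whitespace will appear in the rendered command; keep the content flush left, or put the whole `<screen>` element on one line as the `rsync on` example does. Two naming points in the same hunk: the new title `Using <application>Service Configuration</application> tool` does not match the name `Services Configuration Tool` used throughout the section body, and `Using <command>xinetd</command>` now sits under `Configuring TCP Wrappers`, although the body describes `xinetd` as a daemon with its own access controls rather than as part of TCP wrappers. There is also a stray empty added line before the closing `</section>` of `s1-services-services`.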
@@ -101,114 +192,10 @@
-->
</section>
</section>
- <section
- id="s1-services-serviceconf">
- <title>
- <application>Services Configuration Tool</application>
- </title>
- <para>The <application>Services Configuration Tool</application> is a graphical application developed by Red Hat to configure which SysV services in the <filename>/etc/rc.d/init.d</filename> directory are started at boot time (for runlevels 3, 4, and 5) and which <command>xinetd</command> services are enabled. It also allows you to start, stop, and restart SysV services as well as <!-- RHEL5: restart --> reload <command>xinetd</command>.</para>
- <para>To start the <application>Services Configuration Tool</application> from the desktop, go to the Applications (the main menu on the panel) > <guimenu>System Settings</guimenu> > <guimenu>Server Settings</guimenu> > <guimenuitem>Services</guimenuitem> or type the command <command>system-config-services</command> at a shell prompt (for example, in an <application>XTerm</application> or a <application>GNOME terminal</application>).</para>
- <figure
- float="0"
- id="fig-serviceconf">
- <title>
- <application>Services Configuration Tool</application>
- </title>
- <mediaobject>
- <imageobject>
- <imagedata
- fileref="images/serviceconf.png"
- format="PNG"
- scalefit="1"/>
- </imageobject>
- <textobject>
- <para>Configuring network services</para>
- </textobject>
- </mediaobject>
- </figure>
- <para>The <application>Services Configuration Tool</application> displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select <guimenu>Edit Runlevel</guimenu> from the pulldown menu and select runlevel 3, 4, or 5. Refer to <xref
- linkend="s1-services-runlevels"/> for a description of runlevels.</para>
- <para>The <application>Services Configuration Tool</application> lists the services from the <filename>/etc/rc.d/init.d</filename> directory as well as the services controlled by <command>xinetd</command>. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an <command>xinetd</command> service, the status window shows whether the service is currently running. If the service is controlled by <command>xinetd</command>, the status window displays the phrase <guilabel>xinetd service</guilabel>.</para>
- <para>To start, stop, or restart a service immediately, select the service from the list and click the appropriate button on the toolbar (or choose the action from the <guimenu>Actions</guimenu> pulldown menu). If the service is an <command>xinetd</command> service, the action buttons are disabled because they cannot be started or stopped individually.</para>
- <para>If you enable/disable an <command>xinetd</command> service by checking or unchecking the checkbox next to the service name, you must select <guimenu>File</guimenu> > <guimenuitem>Save Changes</guimenuitem> from the pulldown menu (or the <guimenuitem>Save</guimenuitem> button above the tabs) to <!-- RHEL5: restart -->reload <command>xinetd</command> and immediately enable/disable the <command>xinetd</command> service that you changed. <command>xinetd</command> is also configured to remember the setting. You can enable/disable multiple <command>xinetd</command> services at a time and save the changes when you are finished.</para>
- <para>For example, assume you check <command>rsync</command> to enable it in runlevel 3 and then save the changes. The <command>rsync</command> service is immediately enabled. The next time <command>xinetd</command> is started, <command>rsync</command> is still enabled.</para>
- <note>
- <title>Note</title>
- <para>When you save changes to <command>xinetd</command> services, <command>xinetd</command> is <!-- RHEL5: restarted -->reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.</para>
- </note>
- <para>To enable a non-<command>xinetd</command> service to start at boot time for the currently selected runlevel, check the <!-- RHEL5: check -->box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting <guimenu>File</guimenu> > <guimenuitem>Save Changes</guimenuitem> from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.</para>
- <para>For example, assume you are configuring runlevel 3. If you change the value for the <command>httpd</command> service from checked to unchecked and then select <guimenuitem>Save Changes</guimenuitem>, the runlevel 3 configuration changes so that <command>httpd</command> is not started at boot time. However, runlevel 3 is not reinitialized, so <command>httpd</command> is still running. Select one of following options at this point:</para>
- <orderedlist
- continuation="restarts"
- inheritnum="ignore">
- <listitem>
- <para>Stop the <command>httpd</command> service — Stop the service by selecting it from the list and clicking the <guibutton>Stop</guibutton> button. A message appears stating that the service was stopped successfully.</para>
- </listitem>
- <listitem>
- <para>Reinitialize the runlevel — Reinitialize the runlevel by going to a shell prompt and typing the command <command>telinit <replaceable>x</replaceable>
- </command> (where <replaceable>x</replaceable> is the runlevel number; in this example, 3.). This option is recommended if you change the <guilabel>Start at Boot</guilabel> value of multiple services and want to activate the changes immediately.</para>
- </listitem>
- <listitem>
- <para>Do nothing else — You do not have to stop the <command>httpd</command> service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the <command>httpd</command> service running.</para>
- </listitem>
- </orderedlist>
- <para>To add a service to a runlevel, select the runlevel from the <guimenu>Edit Runlevel</guimenu> pulldown menu, and then select <guimenu>Actions</guimenu> > <guimenuitem>Add Service</guimenuitem>. To delete a service from a runlevel, select the runlevel from the <guimenu>Edit Runlevel</guimenu> pulldown menu, select the service to be deleted from the list on the left, and select <guimenu>Actions</guimenu> > <guimenuitem>Delete Service</guimenuitem>.</para>
- </section>
- <section
- id="s1-services-ntsysv">
- <title>
- <application>ntsysv</application>
- </title>
- <para>The <application>ntsysv</application> utility provides a simple interface for activating or deactivating services. You can use <application>ntsysv</application> to turn an <command>xinetd</command>-managed service on or off. You can also use <application>ntsysv</application> to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the <option>--level</option> option. For example, the command <command>ntsysv --level 345</command> configures runlevels 3, 4, and 5.</para>
- <para>The <application>ntsysv</application> interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons. To move between the list of services and the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons, use the <keycap>Tab</keycap> key. An asterisk (<guilabel>*</guilabel>) signifies that a service is set to on. Pressing the <keycap>F1</keycap> key displays a short description of the selected service.</para>
- <!-- RHEL5: ddomingo(a)redhat.com: added PNG image -->
- <figure
- float="0"
- id="fig-ntsysv">
- <title>The <application>ntsysv</application> utility</title>
- <mediaobject>
- <imageobject>
- <imagedata
- fileref="images/ntsysv.png"
- format="PNG"/>
- </imageobject>
- <textobject>
- <para>The <application>ntsysv</application> utility</para>
- </textobject>
- </mediaobject>
- </figure>
- <warning>
- <title>Warning</title>
- <para>Services managed by <command>xinetd</command> are immediately affected by <application>ntsysv</application>. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command <command>service <replaceable><daemon></replaceable> stop</command> (where <replaceable><daemon></replaceable> is the name of the service you want to stop; for example, <command>httpd</command>). Replace <command>stop</command> with <command>start</command> or <command>restart</command> to start or restart the service.</para>
- </warning>
- </section>
- <section
- id="s1-services-chkconfig">
- <title>
- <command>chkconfig</command>
- </title>
- <para>The <command>chkconfig</command> command can also be used to activate and deactivate services. The <command>chkconfig --list</command> command displays a list of system services and whether they are started (<command>on</command>) or stopped (<command>off</command>) in runlevels 0-6. At the end of the list is a section for the services managed by <command>xinetd</command>.</para>
- <para>If the <command>chkconfig --list</command> command is used to query a service managed by <command>xinetd</command>, it displays whether the <command>xinetd</command> service is enabled (<command>on</command>) or disabled (<command>off</command>). For example, the command <command>chkconfig --list rsync</command> returns the following output:</para>
- <screen>rsync on</screen>
- <para>As shown, <command>rsync</command> is enabled as an <command>xinetd</command> service. If <command>xinetd</command> is running, <command>rsync</command> is enabled.</para>
- <para>If you use <command>chkconfig --list</command> to query a service in <filename>/etc/rc.d</filename>, that service's settings for each runlevel are displayed. For example, the command <command>chkconfig --list httpd</command> returns the following output:</para>
- <screen>httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off</screen>
- <para>
- <command>chkconfig</command> can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn <command>nscd</command> off in runlevels 3, 4, and 5, use the following command:</para>
- <screen>
-<command>chkconfig --level 345 nscd off</command>
- </screen>
- <warning>
- <title>Warning</title>
- <para>Services managed by <command>xinetd</command> are immediately affected by <command>chkconfig</command>. For example, if <command>xinetd</command> is running while <command>rsync</command> is disabled, and the command <command>chkconfig rsync on</command> is executed, then <command>rsync</command> is immediately enabled without having to restart <command>xinetd</command> manually. Changes for other services do not take effect immediately after using <command>chkconfig</command>. You must stop or start the individual service with the command <command>service <replaceable><daemon></replaceable> stop</command> (where <replaceable><daemon></replaceable> is the name of the service you want to stop; for example, <command>httpd</command>). Replace <command>stop</command> with <command>start</command> or <command>restart</command> to start or restart the service.</para>
- </warning>
- </section>
- <section
- id="s1-services-additional-resources">
+ <section id="s1-services-additional-resources">
<title>Additional Resources</title>
<para>For more information, refer to the following resources.</para>
- <section
- id="services-installed-docs">
+ <section id="services-installed-docs">
<title>Installed Documentation</title>
<itemizedlist>
<listitem>
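Review bot: The removed `<warning>` block at the end of the chkconfig section is where the guide states that `chkconfig` changes take effect immediately only for `xinetd`-managed services, and that any other service must still be stopped with `service <daemon> stop`. If the rewritten section does not restate this, a reader who runs `chkconfig httpd off` may assume the service is no longer reachable while the daemon keeps running. Please confirm the caveat survives in the new text, ideally still marked as a warning.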
@@ -220,8 +207,7 @@
</listitem>
</itemizedlist>
</section>
- <section
- id="services-useful-websites">
+ <section id="services-useful-websites">
<title>Useful Websites</title>
<itemizedlist>
<listitem>
[deployment-guide/comm-rel: 7/26] Removed all index terms as I am going to rewrite them anyway.
by dsilas
commit ae53d27bee0f90918783d2ba509a8fa1e8268e96
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Sat Jun 12 01:33:54 2010 +0200
Removed all index terms as I am going to rewrite them anyway.
en-US/Controlling_Access_to_Services.xml | 48 ------------------------------
1 files changed, 0 insertions(+), 48 deletions(-)
---
diff --git a/en-US/Controlling_Access_to_Services.xml b/en-US/Controlling_Access_to_Services.xml
index 02a268f..eb604a0 100644
--- a/en-US/Controlling_Access_to_Services.xml
+++ b/en-US/Controlling_Access_to_Services.xml
@@ -4,15 +4,6 @@
<chapter
id="ch-Controlling_Access_to_Services">
<title>Controlling Access to Services</title>
- <indexterm
- significance="normal">
- <primary>services</primary>
- <secondary>controlling access to</secondary>
- </indexterm>
- <indexterm
- significance="normal">
- <primary>security</primary>
- </indexterm>
<para>Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, <command>httpd</command> if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.</para>
<para>There are several different methods for managing access to system services. <!-- RHEL5: Decide -->Choose which method of management to use based on the service, your system's configuration, and your level of Linux expertise.</para>
<para>The easiest way to deny access to a service is to turn it off. Both the services managed by <command>xinetd</command> and the services in the <filename>/etc/rc.d/init.d</filename> hierarchy (also known as SysV services) can be configured to start or stop using three different applications:</para>
@@ -58,10 +49,6 @@
<section
id="s1-services-runlevels">
<title>Runlevels</title>
- <indexterm
- significance="normal">
- <primary>runlevels</primary>
- </indexterm>
<para>Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or <firstterm>mode</firstterm>, that is defined by the services listed in the directory <filename>/etc/rc.d/rc<replaceable><x></replaceable>.d</filename>, where <replaceable><x></replaceable> is the number of the runlevel.</para>
<para>The following runlevels exist:</para>
<itemizedlist>
@@ -96,10 +83,6 @@
id="s1-services-tcp-wrappers">
<title>TCP Wrappers</title>
<para>
- <indexterm
- significance="normal">
- <primary>TCP wrappers</primary>
- </indexterm>
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by <command>xinetd</command> (as well as any program with built-in support for <command>libwrap</command>) can use TCP wrappers to manage access. <command>xinetd</command> can use the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files to configure access to system services. As the names imply, <filename>hosts.allow</filename> contains a list of rules that allow clients to access the network services controlled by <command>xinetd</command>, and <filename>hosts.deny</filename> contains rules to deny access. The <filename>hosts.allow</filename> file takes precedence over the <filename>hosts.deny</filename> file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to <filename>hosts_access</filename> in section 5 of the man pag
es (<command>man 5 hosts_access</command>) for details.</para>
<!-- RHEL5: REMOVING CROSS LINK
<para>For more information on using TCP Wrappers, refer to <xref linkend="s1-tcpwrappers-purpose"/>.</para>
@@ -109,19 +92,6 @@
<title>
<command>xinetd</command>
</title>
- <indexterm
- significance="normal">
- <primary>
- <command>xinetd</command>
- </primary>
- </indexterm>
- <indexterm
- significance="normal">
- <primary>TCP wrappers</primary>
- <secondary>
- <command>xinetd</command>
- </secondary>
- </indexterm>
<para>To control access to Internet services, use <command>xinetd</command>, which is a secure replacement for <command>inetd</command>. The <command>xinetd</command> daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. <command>xinetd</command> can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.</para>
<para>
<command>xinetd</command> runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, <command>xinetd</command> starts up the appropriate server for that service.</para>
@@ -136,12 +106,6 @@
<title>
<application>Services Configuration Tool</application>
</title>
- <indexterm
- significance="normal">
- <primary>
- <application>Services Configuration Tool</application>
- </primary>
- </indexterm>
<para>The <application>Services Configuration Tool</application> is a graphical application developed by Red Hat to configure which SysV services in the <filename>/etc/rc.d/init.d</filename> directory are started at boot time (for runlevels 3, 4, and 5) and which <command>xinetd</command> services are enabled. It also allows you to start, stop, and restart SysV services as well as <!-- RHEL5: restart --> reload <command>xinetd</command>.</para>
<para>To start the <application>Services Configuration Tool</application> from the desktop, go to the Applications (the main menu on the panel) > <guimenu>System Settings</guimenu> > <guimenu>Server Settings</guimenu> > <guimenuitem>Services</guimenuitem> or type the command <command>system-config-services</command> at a shell prompt (for example, in an <application>XTerm</application> or a <application>GNOME terminal</application>).</para>
<figure
@@ -195,12 +159,6 @@
<title>
<application>ntsysv</application>
</title>
- <indexterm
- significance="normal">
- <primary>
- <application>ntsysv</application>
- </primary>
- </indexterm>
<para>The <application>ntsysv</application> utility provides a simple interface for activating or deactivating services. You can use <application>ntsysv</application> to turn an <command>xinetd</command>-managed service on or off. You can also use <application>ntsysv</application> to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the <option>--level</option> option. For example, the command <command>ntsysv --level 345</command> configures runlevels 3, 4, and 5.</para>
<para>The <application>ntsysv</application> interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons. To move between the list of services and the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons, use the <keycap>Tab</keycap> key. An asterisk (<guilabel>*</guilabel>) signifies that a service is set to on. Pressing the <keycap>F1</keycap> key displays a short description of the selected service.</para>
<!-- RHEL5: ddomingo(a)redhat.com: added PNG image -->
@@ -229,12 +187,6 @@
<title>
<command>chkconfig</command>
</title>
- <indexterm
- significance="normal">
- <primary>
- <command>chkconfig</command>
- </primary>
- </indexterm>
<para>The <command>chkconfig</command> command can also be used to activate and deactivate services. The <command>chkconfig --list</command> command displays a list of system services and whether they are started (<command>on</command>) or stopped (<command>off</command>) in runlevels 0-6. At the end of the list is a section for the services managed by <command>xinetd</command>.</para>
<para>If the <command>chkconfig --list</command> command is used to query a service managed by <command>xinetd</command>, it displays whether the <command>xinetd</command> service is enabled (<command>on</command>) or disabled (<command>off</command>). For example, the command <command>chkconfig --list rsync</command> returns the following output:</para>
<screen>rsync on</screen>
[deployment-guide/comm-rel: 6/26] Removed all tabs.
by dsilas
commit bcbf154bf083d0df2fb0293a129909117a2d35cf
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Sat Jun 12 01:29:21 2010 +0200
Removed all tabs.
Again, I have replaced all '\t' characters with two spaces to unite the
indentation style.
en-US/Controlling_Access_to_Services.xml | 16 ++++++++--------
1 files changed, 8 insertions(+), 8 deletions(-)
---
diff --git a/en-US/Controlling_Access_to_Services.xml b/en-US/Controlling_Access_to_Services.xml
index b88d54f..02a268f 100644
--- a/en-US/Controlling_Access_to_Services.xml
+++ b/en-US/Controlling_Access_to_Services.xml
@@ -46,10 +46,10 @@
<para>Another way to manage access to system services is by using <command>iptables</command> to configure an IP firewall. If you are a new Linux user, <!-- RHEL5: please realize -->note that <command>iptables</command> may not be the best solution for you. Setting up <command>iptables</command> can be complicated, and is best tackled by experienced Linux system administrators.</para>
<para
lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
- On the other hand, the benefit of using <command>iptables</command> is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, <command>iptables</command> can provide it for you. Refer to <!-- TBD6: <xref linkend="s1-firewall-ipt"/> --> and <!-- TBD6: <xref linkend="s1-fireall-ipt-act"/> --> for more information about <command>iptables</command>.</para>
+ On the other hand, the benefit of using <command>iptables</command> is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, <command>iptables</command> can provide it for you. Refer to <!-- TBD6: <xref linkend="s1-firewall-ipt"/> --> and <!-- TBD6: <xref linkend="s1-fireall-ipt-act"/> --> for more information about <command>iptables</command>.</para>
<para
lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
- Refer to <!-- TBD6: <xref linkend="ch-fw"/> --> for more information.</para>
+ Refer to <!-- TBD6: <xref linkend="ch-fw"/> --> for more information.</para>
<important
lang="en-US,as-IN,bn-IN,gu-IN,hi-IN,kn-IN,ml-IN,mr-IN,or-IN,pa-IN,si-LK,ta-IN,te-IN">
<title>Important</title>
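Review bot: Both re-indented paragraphs render with empty references, because every `<xref>` in them sits inside a `<!-- TBD6: ... -->` comment: the first reads "Refer to and for more information about iptables" and the second "Refer to for more information." Since these lines are being touched anyway, either restore the links or drop the sentences until the targets exist. Also check the commented `linkend="s1-fireall-ipt-act"`, which looks like a misspelling of the `s1-firewall-` prefix used by the link next to it.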
@@ -100,9 +100,9 @@
significance="normal">
<primary>TCP wrappers</primary>
</indexterm>
- Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by <command>xinetd</command> (as well as any program with built-in support for <command>libwrap</command>) can use TCP wrappers to manage access. <command>xinetd</command> can use the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files to configure access to system services. As the names imply, <filename>hosts.allow</filename> contains a list of rules that allow clients to access the network services controlled by <command>xinetd</command>, and <filename>hosts.deny</filename> contains rules to deny access. The <filename>hosts.allow</filename> file takes precedence over the <filename>hosts.deny</filename> file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to <filename>hosts_access</filename> in section 5 of the man pages
(<command>man 5 hosts_access</command>) for details.</para>
- <!-- RHEL5: REMOVING CROSS LINK
- <para>For more information on using TCP Wrappers, refer to <xref linkend="s1-tcpwrappers-purpose"/>.</para>
+ Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by <command>xinetd</command> (as well as any program with built-in support for <command>libwrap</command>) can use TCP wrappers to manage access. <command>xinetd</command> can use the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files to configure access to system services. As the names imply, <filename>hosts.allow</filename> contains a list of rules that allow clients to access the network services controlled by <command>xinetd</command>, and <filename>hosts.deny</filename> contains rules to deny access. The <filename>hosts.allow</filename> file takes precedence over the <filename>hosts.deny</filename> file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to <filename>hosts_access</filename> in section 5 of the man pag
es (<command>man 5 hosts_access</command>) for details.</para>
+ <!-- RHEL5: REMOVING CROSS LINK
+ <para>For more information on using TCP Wrappers, refer to <xref linkend="s1-tcpwrappers-purpose"/>.</para>
-->
<section
id="s2-services-xinetd">
@@ -126,8 +126,8 @@
<para>
<command>xinetd</command> runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, <command>xinetd</command> starts up the appropriate server for that service.</para>
<para>The configuration file for <command>xinetd</command> is <filename>/etc/xinetd.conf</filename>, but the file only contains a few defaults and an instruction to include the <filename>/etc/xinetd.d</filename> directory. To enable or disable an <command>xinetd</command> service, edit its configuration file in the <filename>/etc/xinetd.d</filename> directory. If the <computeroutput>disable</computeroutput> attribute is set to <userinput>yes</userinput>, the service is disabled. If the <computeroutput>disable</computeroutput> attribute is set to <userinput>no</userinput>, the service is enabled. You can edit any of the <command>xinetd</command> configuration files or change its enabled status using the <application>Services Configuration Tool</application>, <application>ntsysv</application>, or <command>chkconfig</command>. For a list of network services controlled by <command>xinetd</command>, review the contents of the <filename>/etc/xinetd.d</filename> directory wit
h the command <command>ls /etc/xinetd.d</command>.</para>
- <!-- RHEL5: REMOVING CROSS LINK
- <para>For more information on using <command>xinetd</command>, refer to <xref linkend="s1-tcpwrappers-xinetd"/>.</para>
+ <!-- RHEL5: REMOVING CROSS LINK
+ <para>For more information on using <command>xinetd</command>, refer to <xref linkend="s1-tcpwrappers-xinetd"/>.</para>
-->
</section>
</section>
@@ -203,7 +203,7 @@
</indexterm>
<para>The <application>ntsysv</application> utility provides a simple interface for activating or deactivating services. You can use <application>ntsysv</application> to turn an <command>xinetd</command>-managed service on or off. You can also use <application>ntsysv</application> to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the <option>--level</option> option. For example, the command <command>ntsysv --level 345</command> configures runlevels 3, 4, and 5.</para>
<para>The <application>ntsysv</application> interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons. To move between the list of services and the <guilabel>Ok</guilabel> and <guilabel>Cancel</guilabel> buttons, use the <keycap>Tab</keycap> key. An asterisk (<guilabel>*</guilabel>) signifies that a service is set to on. Pressing the <keycap>F1</keycap> key displays a short description of the selected service.</para>
- <!-- RHEL5: ddomingo(a)redhat.com: added PNG image -->
+ <!-- RHEL5: ddomingo(a)redhat.com: added PNG image -->
<figure
float="0"
id="fig-ntsysv">
[deployment-guide/comm-rel: 5/26] Modified the chapter introduction.
by dsilas
commit 98ff340b73d00afc30676870c707cbd3866139b1
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Fri Jun 11 15:07:25 2010 +0200
Modified the chapter introduction.
en-US/Console_Access.xml | 29 +++++++++++++++++++----------
1 files changed, 19 insertions(+), 10 deletions(-)
---
diff --git a/en-US/Console_Access.xml b/en-US/Console_Access.xml
index ae354e0..4fb9e3c 100644
--- a/en-US/Console_Access.xml
+++ b/en-US/Console_Access.xml
@@ -1,22 +1,31 @@
<?xml version='1.0'?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
]>
-<chapter
- id="ch-Console_Access">
+<chapter id="ch-Console_Access">
<title>Console Access</title>
- <para>When normal (non-root) users log into a computer locally, they are given two types of special permissions:</para>
- <orderedlist
- continuation="restarts"
- inheritnum="ignore">
+ <para>When non-root users log into a computer locally, they are given two types of special permissions:</para>
+ <orderedlist>
<listitem>
- <para>They can run certain programs that they would otherwise be unable to run.</para>
+ <para>
+ <emphasis>They can run certain commands that they would otherwise be unable to run.</emphasis> By default, every user who logs in at the console is allowed to run selected commands that accomplish tasks normally restricted to the superuser only. These include <command>halt</command>, <command>poweroff</command>, and <command>reboot</command>. In graphical user interface, these actions are accessible from the <menuchoice><guimenu>System</guimenu><guimenuitem>Shut Down...</guimenuitem></menuchoice> menu option.
+ </para>
</listitem>
<listitem>
- <para>They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would otherwise be unable to access.</para>
+ <para>
+ <emphasis>They can access certain files that they would othherwise be unable to access.</emphasis> This usually means special device files located in <filename class="directory">/dev</filename> that are used to access CD-ROM drives, USB media, etc.
+ </para>
+<!--
+ <para>
+ Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.
+ </para>
+-->
</listitem>
</orderedlist>
- <para>Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.</para>
- <para>In contrast, <emphasis>every</emphasis> user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, these console-accessible programs include <command>halt</command>, <command>poweroff</command>, and <command>reboot</command>.</para>
+ <para>
+ Note that in order to perform actions described in this chapter, you have to be logged in as a superuser:
+ </para>
+ <screen>~]$ <command>su -</command>
+Password: </screen>
<section
id="s1-access-console-ctrlaltdel">
<title>Disabling Shutdown Via <keycombo><keycap>Ctrl</keycap>
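Review bot: Two wording problems in the added list items: "othherwise" in the second `<emphasis>` is a typo for "otherwise", and "In graphical user interface" in the first item needs an article ("In a graphical user interface"). The paragraph about which console user owns the device files is now commented out inside the second `<listitem>` rather than deleted or rewritten; because that ownership rule decides who gets access to the devices, either state whether it still applies or remove the block.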
[deployment-guide/comm-rel: 4/26] Removed all index terms temporarily.
by dsilas
commit ffc0cca3e0d027dca160162a9711dfba04a8e867
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Fri Jun 11 12:29:04 2010 +0200
Removed all index terms temporarily.
Since I am going to rewrite most of the chapter, it would be better
to start the indexing from scratch.
en-US/Console_Access.xml | 65 ----------------------------------------------
1 files changed, 0 insertions(+), 65 deletions(-)
---
diff --git a/en-US/Console_Access.xml b/en-US/Console_Access.xml
index e713065..ae354e0 100644
--- a/en-US/Console_Access.xml
+++ b/en-US/Console_Access.xml
@@ -4,16 +4,6 @@
<chapter
id="ch-Console_Access">
<title>Console Access</title>
- <indexterm
- significance="normal">
- <primary>console access</primary>
- <secondary>configuring</secondary>
- </indexterm>
- <indexterm
- significance="normal">
- <primary>configuration</primary>
- <secondary>console access</secondary>
- </indexterm>
<para>When normal (non-root) users log into a computer locally, they are given two types of special permissions:</para>
<orderedlist
continuation="restarts"
@@ -34,26 +24,6 @@
<keycap>Del</keycap>
</keycombo>
</title>
- <indexterm
- significance="normal">
- <primary>
- <keycombo>
- <keycap>Ctrl</keycap>
- <keycap>Alt</keycap>
- <keycap>Del</keycap>
- </keycombo>
- </primary>
- <secondary>shutdown, disabling</secondary>
- </indexterm>
- <indexterm
- significance="normal">
- <primary>shutdown</primary>
- <secondary>disabling<keycombo><keycap>Ctrl</keycap>
- <keycap>Alt</keycap>
- <keycap>Del</keycap>
- </keycombo>
- </secondary>
- </indexterm>
<para>By default, <filename>/etc/inittab</filename> specifies that your system is set to shutdown and reboot in response to a <keycombo><keycap>Ctrl</keycap>
<keycap>Alt</keycap>
<keycap>Del</keycap>
@@ -88,11 +58,6 @@
<section
id="s1-access-console-program">
<title>Disabling Console Program Access</title>
- <indexterm
- significance="normal">
- <primary>console access</primary>
- <secondary>disabling</secondary>
- </indexterm>
<para>To disable access by users to console programs, run the following command as root:</para>
<screen>
<command>rm -f /etc/security/console.apps/*</command>
@@ -111,11 +76,6 @@
<section
id="s1-access-console-define">
<title>Defining the Console</title>
- <indexterm
- significance="normal">
- <primary>console access</primary>
- <secondary>defining</secondary>
- </indexterm>
<para>The <filename>pam_console.so</filename> module uses the <filename>/etc/security/console.perms</filename> file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:</para>
<screen>
<command><console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]</command>
@@ -128,11 +88,6 @@
<section
id="s1-access-console-files">
<title>Making Files Accessible From the Console</title>
- <indexterm
- significance="normal">
- <primary>console</primary>
- <secondary>making files accessible from</secondary>
- </indexterm>
<!--TBD6: /etc/security/console.perms.d/* are obsolete directories for Fedora 12-->
<para>The default settings for individual device classes and permission definitions are defined in <filename>/etc/security/console.perms.d/50-default.perms</filename>. To edit file and device permissions, it is advisable to create a new default file in <filename>/etc/security/console.perms.d/</filename> containing your preferred settings for a specified set of files or devices. The name of the new default file must begin with a number higher than 50 (for example, <filename>51-default.perms</filename>) in order to override <filename>50-default.perms</filename>.</para>
<para>To do this, create a new file named <filename>51-default.perms</filename> in <filename>/etc/security/console.perms.d/</filename>:</para>
@@ -161,11 +116,6 @@
<section
id="s1-access-console-enable">
<title>Enabling Console Access for Other Applications</title>
- <indexterm
- significance="normal">
- <primary>console access</primary>
- <secondary>enabling</secondary>
- </indexterm>
<para>To make other applications accessible to console users, a bit more work is required.</para>
<para>First of all, console access <emphasis>only</emphasis> works for applications which reside in <filename>/sbin/</filename> or <filename>/usr/sbin/</filename>, so the application that you wish to run must be there. After verifying that, perform the following steps:</para>
<orderedlist
@@ -195,12 +145,6 @@
</filename> is a copy of <filename>/etc/pam.d/halt</filename> (otherwise, it does precisely what is specified in <filename>/etc/pam.d/<replaceable>foo</replaceable>
</filename>) and then runs <filename>/usr/sbin/<replaceable>foo</replaceable>
</filename> with root permissions.</para>
- <indexterm
- significance="normal">
- <primary>
- <filename>pam_timestamp</filename>
- </primary>
- </indexterm>
<para>In the PAM configuration file, an application can be configured to use the <firstterm>pam_timestamp</firstterm> module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use <filename>pam_timestamp</filename> and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.</para>
<para>This module is included in the <filename>pam</filename> package. To enable this feature, add the following lines to your PAM configuration file in <filename>etc/pam.d/</filename>:</para>
<!-- RHEL5: ddomingo(a)redhat.com: above replaces below, less awkwardness
@@ -230,15 +174,6 @@
<section
id="s1-access-floppy">
<title>The <filename>floppy</filename> Group</title>
- <indexterm
- significance="normal">
- <primary>groups</primary>
- <secondary>floppy, use of</secondary>
- </indexterm>
- <indexterm
- significance="normal">
- <primary>floppy group, use of</primary>
- </indexterm>
<para>If, for whatever reason, console access is not appropriate for you and your non-root users require access to your system's diskette drive, this can be done using the <filename>floppy</filename> group. Add the user(s) to the <filename>floppy</filename> group using the tool of your choice. For example, the <command>gpasswd</command> command can be used to add user <command>fred</command> to the <filename>floppy</filename> group:</para>
<screen>
<command>gpasswd -a fred floppy</command>
[deployment-guide/comm-rel: 3/26] Removed all tabs.
by dsilas
commit 5093558e6d521167a6bb4e3573f4a287b5ec2e05
Author: Jaromir Hradilek <jhradile(a)redhat.com>
Date: Fri Jun 11 12:25:31 2010 +0200
Removed all tabs.
I have replaced all '\t' characters with two spaces to preserve the
overall document formatting and correct indentation.
en-US/Console_Access.xml | 30 +++++++++++++++---------------
1 files changed, 15 insertions(+), 15 deletions(-)
---
diff --git a/en-US/Console_Access.xml b/en-US/Console_Access.xml
index 341fd92..e713065 100644
--- a/en-US/Console_Access.xml
+++ b/en-US/Console_Access.xml
@@ -133,7 +133,7 @@
<primary>console</primary>
<secondary>making files accessible from</secondary>
</indexterm>
- <!--TBD6: /etc/security/console.perms.d/* are obsolete directories for Fedora 12-->
+ <!--TBD6: /etc/security/console.perms.d/* are obsolete directories for Fedora 12-->
<para>The default settings for individual device classes and permission definitions are defined in <filename>/etc/security/console.perms.d/50-default.perms</filename>. To edit file and device permissions, it is advisable to create a new default file in <filename>/etc/security/console.perms.d/</filename> containing your preferred settings for a specified set of files or devices. The name of the new default file must begin with a number higher than 50 (for example, <filename>51-default.perms</filename>) in order to override <filename>50-default.perms</filename>.</para>
<para>To do this, create a new file named <filename>51-default.perms</filename> in <filename>/etc/security/console.perms.d/</filename>:</para>
<screen>
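Review bot: The `TBD6` comment re-indented here says `/etc/security/console.perms.d/*` is obsolete for Fedora 12, yet the paragraph directly below it still tells the reader to create `51-default.perms` in that directory. A whitespace-only commit is not the place to fix it, but the open question should be resolved before the chapter is published, so that the permission instructions point at a location that is actually in use.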
@@ -145,8 +145,8 @@
<screen><scanner>=/dev/scanner /dev/usb/scanner*</screen>
<para>Of course, you must use the appropriate name for the device. Ensure that <filename>/dev/scanner</filename> is really your scanner and not some other device, such as your hard drive.</para>
<para>Once you have properly defined a device or file, the second step is to specify its <firstterm>permission definitions</firstterm>. The second section of <filename>/etc/security/console.perms.d/50-default.perms</filename> defines this, with lines similar to the following:</para>
- <!-- RHEL5: ddomingo(a)redhat.com: above replaces below
- <para>Once you have properly defined a device or file, the second step is to define what is done with it. Look in the last section of <filename>/etc/security/console.perms</filename> for lines similar to the following:</para> -->
+ <!-- RHEL5: ddomingo(a)redhat.com: above replaces below
+ <para>Once you have properly defined a device or file, the second step is to define what is done with it. Look in the last section of <filename>/etc/security/console.perms</filename> for lines similar to the following:</para> -->
<screen><console> 0660 <floppy> 0660 root.floppy <console> 0600 <sound> 0640 root <console> 0600 <cdrom> 0600 root.disk</screen>
<para>To define permissions for a scanner, add a line similar to the following in <filename>51-default.perms</filename>:</para>
<screen>
@@ -203,28 +203,28 @@
</indexterm>
<para>In the PAM configuration file, an application can be configured to use the <firstterm>pam_timestamp</firstterm> module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use <filename>pam_timestamp</filename> and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.</para>
<para>This module is included in the <filename>pam</filename> package. To enable this feature, add the following lines to your PAM configuration file in <filename>etc/pam.d/</filename>:</para>
- <!-- RHEL5: ddomingo(a)redhat.com: above replaces below, less awkwardness
- <para>This module is included in the <filename>pam</filename> package. To enable this feature, the PAM configuration file in <filename>etc/pam.d/</filename> must include the following lines:</para>
- -->
+ <!-- RHEL5: ddomingo(a)redhat.com: above replaces below, less awkwardness
+ <para>This module is included in the <filename>pam</filename> package. To enable this feature, the PAM configuration file in <filename>etc/pam.d/</filename> must include the following lines:</para>
+ -->
<screen>auth include config-util account include config-util session include config-util</screen>
- <!-- RHEL5: ddomingo(a)redhat.com: above replaces below
+ <!-- RHEL5: ddomingo(a)redhat.com: above replaces below
<screen>auth sufficient /lib/security/pam_timestamp.so session optional /lib/security/pam_timestamp.so</screen> -->
<para>These lines can be copied from any of the <filename>/etc/pam.d/system-config-<replaceable>*</replaceable>
</filename> configuration files. Note that these lines must be added <emphasis>below</emphasis> any other <computeroutput>auth sufficient</computeroutput>
<computeroutput>session optional</computeroutput> lines in your PAM configuration file.</para>
- <!-- RHEL5: ddomingo(a)redhat.com: above replaces below, less awkwardness
- <para>The first line that begins with <computeroutput>auth</computeroutput> should be after any other <computeroutput>auth sufficient</computeroutput> lines, and the line that begins with
- <computeroutput>session</computeroutput> should be after any other <computeroutput>session optional</computeroutput> lines.</para>
- -->
+ <!-- RHEL5: ddomingo(a)redhat.com: above replaces below, less awkwardness
+ <para>The first line that begins with <computeroutput>auth</computeroutput> should be after any other <computeroutput>auth sufficient</computeroutput> lines, and the line that begins with
+ <computeroutput>session</computeroutput> should be after any other <computeroutput>session optional</computeroutput> lines.</para>
+ -->
<para>If an application configured to use <filename>pam_timestamp</filename> is successfully authenticated from the <!-- RHEL5: <guimenu>Main Menu Button</guimenu> (on the Panel) -->Applications (the main menu on the panel), the
- <inlinemediaobject>
- <imageobject>
- <imagedata
+ <inlinemediaobject>
+ <imageobject>
+ <imagedata
fileref="images/pam-icon.png"
format="PNG"/>
</imageobject>
</inlinemediaobject>
- icon is displayed in the notification area of the panel if you are running the <application>GNOME</application> or <application>KDE</application> desktop environment. After the authentication expires (the default is five minutes), the icon disappears.</para>
+ icon is displayed in the notification area of the panel if you are running the <application>GNOME</application> or <application>KDE</application> desktop environment. After the authentication expires (the default is five minutes), the icon disappears.</para>
<para>The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.</para>
</section>
<section
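Review bot: the unchanged paragraph "add the following lines to your PAM configuration file in <filename>etc/pam.d/</filename>" gives the directory as a relative path, while the paragraph a few lines below uses <filename>/etc/pam.d/system-config-*</filename>. Since this commit already touches the surrounding lines, add the leading slash there. The commented-out RHEL5 copies that are only being re-indented carry the same relative path; consider deleting those dead comment blocks rather than re-indenting them. In the same pass, "any other <computeroutput>auth sufficient</computeroutput> <computeroutput>session optional</computeroutput> lines" has no conjunction between the two elements. The commented-out wording shows the intent: the auth line goes after other auth sufficient lines and the session line after other session optional lines. Because the sentence is telling the reader where in the stack to place the lines, it should say that unambiguously.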
[deployment-guide/comm-rel: 2/26] Merge branch 'master' of git+ssh://git.engineering.redhat.com/srv/git/users/dhensley/Deployment_Guid
by dsilas
commit 5f4ff48505f99bd504eedd07a442ac9e21d7ed1f
Merge: 9bc01e7... 13a8476...
Author: fnadge <fnadge(a)redhat.com>
Date: Wed Jun 9 15:44:41 2010 +0200
Merge branch 'master' of git+ssh://git.engineering.redhat.com/srv/git/users/dhensley/Deployment_Guide
.gitignore | 1 +
en-US/Book_Info.xml | 6 +-
en-US/Date_and_Time_Configuration.xml | 506 ++++++++++++++------
en-US/Deployment_Guide.ent | 2 +-
en-US/Email.xml | 12 +-
en-US/Feedback.xml | 2 +-
en-US/RPM.xml | 145 +++---
en-US/References.xml | 232 ---------
en-US/The_X_Window_System.xml | 147 +++---
en-US/Yum.xml | 4 +-
en-US/images/date-and-time-authentication.png | Bin 0 -> 15591 bytes
en-US/images/date-and-time-date_and_time.png | Bin 0 -> 165347 bytes
.../images/date-and-time-network_time_protocol.png | Bin 0 -> 173179 bytes
en-US/images/date-and-time-time_zone.png | Bin 0 -> 209964 bytes
en-US/images/date-time-ntp.png | Bin 21611 -> 0 bytes
en-US/images/date-time.png | Bin 19805 -> 0 bytes
en-US/images/timezone.png | Bin 29020 -> 0 bytes
17 files changed, 526 insertions(+), 531 deletions(-)
---
[deployment-guide/comm-rel: 1/26] initial import
by dsilas
commit 9bc01e7bfe78e816054aff9795017763c3e9b3e4
Author: fnadge <fnadge(a)redhat.com>
Date: Mon May 31 15:50:56 2010 +0200
initial import
0 files changed, 0 insertions(+), 0 deletions(-)
---
diff --git a/my_flo b/my_flo
new file mode 100644
index 0000000..e69de29
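Review bot: my_flo is added as an empty file (index 0000000..e69de29, no content lines follow) and the commit message "initial import" does not say what it is for. If it is only a placeholder to create the branch, say so in the message, or remove the file in a follow-up so it does not stay in the guide's tree.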
[deployment-guide/comm-rel] (26 commits) ...Merge branch 'master' into comm
by dsilas
Summary of changes:
9bc01e7... initial import
5f4ff48... Merge branch 'master' of git+ssh://git.engineering.redhat.c
5093558... Removed all tabs.
ffc0cca... Removed all index terms temporarily.
98ff340... Modified the chapter introduction.
bcbf154... Removed all tabs.
ae53d27... Removed all index terms as I am going to rewrite them anywa
2e1712b... Changed the structure of the chapter.
4cb7682... Created table of available runlevels.
c20a7b9... Updated the section about runlevels.
89e7364... Updated the Service Tool section.
c1c4bcc... Updated the chkconfig section.
7fc1e1b... Updated the ntsysv section.
e68c8b9... Simplified the chapter introduction.
937a957... Updated the Additional Resources section.
6fbca30... Added a chapter outline to the introduction.
3944d8b... Added index terms where appropriate.
0654584... Started updating the Console Access chapter.
8fa6400... Added other manual pages to the list.
0d44146... Removed the TCP Wrappers section.
0ed6e37... Added service to the list of recommended man pages.
6f8b2c1... Merge branch 'jarek'
895b48d... indexed
dd6a4c3... GenParams, NetInterfaces: mk DG modprobe.conf-clean
dde72de... Merge branch 'flo'
ac3bc34... Merge branch 'master' into comm