Summer 1996 - Lesson 03
More Daemons
syslogd - continued
A. handles logging requests from:
1. the kernel
2. other local user processes (including daemons)
3. processes on other machines (across the net)
B. syslog(priority, message, facility)
1. priority - level of criticality
2. message
3. facility - source of message
C. configuration file /etc/syslog.conf
*.err;kern.debug;user.none;mail.notice /dev/console
*.err;kern.debug;daemon,auth.notice; /var/adm/messages
auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)
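To show how the selectors above actually route a message (level-and-above matching, "*" for all facilities, "none" as an exclusion that overrides an earlier "*.err"), here is an added Python example, not code from the lesson; the facility list and the copy of the three config lines are constructed for the example, and the m4 ifdef(...) on the third line is kept as an opaque action string:

```python
import re

# syslog priorities, 0 = most severe; a selector "fac.level" matches that
# level and everything more severe. "none" excludes the facility entirely.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7, "none": None}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "local0", "local1"]

# Constructed copy of the three-line syslog.conf from the lesson.
SYSLOG_CONF = """\
*.err;kern.debug;user.none;mail.notice\t/dev/console
*.err;kern.debug;daemon,auth.notice;\t/var/adm/messages
auth.notice\tifdef(`LOGHOST', /var/log/authlog, @loghost)
"""

def parse_line(line):
    """Split one config line into ({facility: threshold}, action).
    Later selectors override earlier ones for the same facility, which is
    how 'user.none' carves an exception out of '*.err'."""
    selector, action = re.split(r"\s+", line.strip(), maxsplit=1)
    thresholds = {}
    for sel in filter(None, selector.split(";")):   # trailing ';' gives ''
        facs, level = sel.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            thresholds[fac] = LEVELS[level]
    return thresholds, action

def parse_conf(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def route(conf, facility, level):
    """Actions (files, devices, @loghost) that receive facility.level."""
    sev = LEVELS[level]
    return [action for thresholds, action in conf
            if thresholds.get(facility) is not None
            and sev <= thresholds[facility]]
```

With this config a user.emerg message never reaches the console (user.none wins), while auth.notice lands in /var/adm/messages and the authlog/loghost action.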
SA RELEVANCE:
1. route important syslog messages to one location
Jan 10 23:01:09 nu su: 'su root' failed for kuncick on
Jan 9 08:38:14 grep su: 'su root' failed for bushong on
Jan 9 08:38:40 mu su: 'su root' failed for kuncick on
Jan 9 08:39:17 nu su: 'su root' succeeded for kuncick
Jan 9 09:05:54 nu su: 'su root' succeeded for strozier on
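Once the su messages are collected in one place, a short script can pick out the attempts worth an SA's attention. This is an added Python example, not part of the lesson; the log lines are constructed in the same format as those above, and the two heuristics (repeated failures from one host on one day, and a success right after a failure) are the example's own:

```python
import re
from collections import Counter

# Constructed sample lines in the format the lesson shows for su(1) messages.
LOG = """\
Jan  9 08:38:14 grep su: 'su root' failed for bushong on /dev/ttyp1
Jan  9 08:38:40 mu su: 'su root' failed for kuncick on /dev/ttyp3
Jan  9 08:39:17 nu su: 'su root' succeeded for kuncick on /dev/ttyp3
Jan  9 09:05:54 nu su: 'su root' succeeded for strozier on /dev/console
Jan 10 23:01:09 nu su: 'su root' failed for kuncick on /dev/ttyp2
Jan 10 23:01:20 nu su: 'su root' failed for kuncick on /dev/ttyp2
Jan 10 23:01:31 nu su: 'su root' failed for kuncick on /dev/ttyp2
"""

SU_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"'su (?P<target>\S+)' (?P<result>failed|succeeded) for (?P<user>\S+)")

def parse_su(text):
    """Turn the merged log into dicts; lines that are not su records are skipped."""
    return [m.groupdict() for m in map(SU_RE.match, text.splitlines()) if m]

def review(events, threshold=3):
    """Return (failed-per-user Counter, set of users to look at).
    A user is flagged when failed 'su root' attempts from one host on one day
    reach `threshold`, or when a success directly follows a failure."""
    failed, per_day, last, flagged = Counter(), Counter(), {}, set()
    for e in events:
        if e["target"] != "root":
            continue
        user = e["user"]
        if e["result"] == "failed":
            failed[user] += 1
            key = (user, e["host"], e["stamp"].rsplit(" ", 1)[0])  # "Jan 10"
            per_day[key] += 1
            if per_day[key] >= threshold:
                flagged.add(user)
        elif last.get(user) == "failed":
            flagged.add(user)
        last[user] = e["result"]
    return failed, flagged
```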
printing
A. lpd - BSD print spooling daemon
1. accepts jobs and spools them (via "lpr", "lprm")
2. does actual interaction with printer
3. ships jobs to other machines
4. will cover in Chapter 25
B. lpsched - ATT version of lpd (more complex to administer)
sendmail
A. routes local and network mail
B. one of the largest and historically buggiest
daemons
C. the file /etc/sendmail.cf is a set of rewrite
rules for modifying addresses (think: context free grammars)
D. sample:
# now delete the local info
R$*<$*$=w.UUCP>$* $1<$2>$4 thishost
R$*<$*$=w.$T.$D>$* $1<$2>$4 thishost
R$*<$*$=w>$* $1<$2>$4 thishost
R$*<$*@zip.fsu.edu>$* $1.zip<@>$3
R$*<$*@zap.fsu.edu>$* $1.zap<@>$3
R$*<$*.>$* $1<$2>$3 drop trailing dot
R<@>:$* $@$>0$1 retry after route strip
R$*<@> $@$>0$1 strip null trash & retry
E. we'll cover this in Chapter 21
SA RELEVANCE:
1. mail service is the most popular and
arguably, most important service on your system
2. users get very upset when mail does not work
exactly right
3. it is also one of the sources of security holes
4. configuring and tuning mail can take a lot of SA time
NFS - Network File Service
A. NFS was developed by Sun and is now used by many
UNIX systems, including Linux
B. it allows file access across the network as if
the files were local
C. we'll cover NFS in Ch. 17
D. server daemons
1. if the configuration file /etc/exports exists then the machine
is presumed to be an NFS server
2. the rc.local script will (typically) start the mountd
3. the mount daemon (can be run under inetd) listens for NFS
mount requests and grants them if /etc/exports
includes the client machine
4. the rc.local script will (typically) also start a number of nfsd's
5. the nfsd simply makes a system call to the kernel
to actually perform the I/O
6. they are implemented as separate processes to make
scheduling easier
E. client daemons
1. the biod daemons (asynchronous block I/O daemon)
do read-ahead and write-behind block caching
2. this is an attempt to improve NFS performance
F. lock daemons - support the NFS "flock()" call
1. lockd - maintains advisory locks on local and remote files
2. statd - the status monitor, provides crash and recovery
mechanism for file locks
3. /etc/sm - holds the names of machines that statd is trying
to monitor
SA RELEVANCE:
1. tuning NFS - choosing the optimum number of nfsd's and
biod's is a black art
2. modifying the export files is a common SA task
3. example exports file:
/real/cs20 -root=nu:mu,access=lpdaemon:lpdaemon2:majorslab
/real/cs21 -root=nu:mu:export,access=lpdaemon:lpdaemon2:majorslab
/real/cs22 -root=nu:mu,access=lpdaemon:lpdaemon2
/real/cs23 -root=nu:mu:mount,access=lpdaemon:lpdaemon2:majorslab:\
sysadm4:sysadm7:sysadm8:sysadm9:sysadm10:sysadm11:\
sysadm12:sysadm13:sysadm14:sysadm15:sysadm16:sysadm18:\
sysadm20:sysadm21
4. security holes and concerns
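Because editing the exports file is such a common task, it helps to check the result mechanically: an export with no access= list can be mounted by any host that can reach the server, and every root= host gets uid 0 on the exported tree. This is an added Python example, not part of the lesson; it assumes the SunOS-style "path -opt=val,opt=val" layout with backslash continuation shown above, and the exports file is constructed (two extra lines added to the lesson's entries):

```python
import re

# Constructed exports file modelled on the lesson's example, plus two lines:
# /real/cs24 has no access= list and /real/cs25 grants no root= at all.
EXPORTS = r"""
/real/cs20 -root=nu:mu,access=lpdaemon:lpdaemon2:majorslab
/real/cs23 -root=nu:mu:mount,access=lpdaemon:lpdaemon2:majorslab:\
sysadm4:sysadm7:sysadm8
/real/cs24 -root=nu
/real/cs25 -access=majorslab
"""

def parse_exports(text):
    """Parse '<path> -opt=val,opt=val' lines; host lists are ':'-separated
    and a trailing backslash continues the line (one option group per entry)."""
    joined = re.sub(r"\\\n", "", text)          # glue continuation lines
    exports = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, rest = line.partition(" ")
        opts = {}
        for opt in rest.strip().lstrip("-").split(","):
            if not opt:
                continue
            key, _, val = opt.partition("=")
            opts[key] = val.split(":") if val else True
        exports[path] = opts
    return exports

def audit(exports):
    """Return {path: findings}. No access= means any host may mount the
    export; each root= host is listed so the grant is a conscious choice."""
    findings = {}
    for path, opts in exports.items():
        notes = []
        if "access" not in opts:
            notes.append("no access= list: mountable by any host")
        for host in opts.get("root", []):
            notes.append("root mapped for " + host)
        findings[path] = notes
    return findings
```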
yellow pages (NIS)
A. allows key system files to be shared over the net
1. "ypcat passwd | more" *vs* "more /etc/passwd"
2. /var/yp
B. ypserv - server daemon
1. one master (see via "ypwhich")
2. serves a yp domain - 'csdept' via "domainname"
3. slave servers (secondaries)
4. NOTE: YP domain name != name server domain name
C. ypbind - client daemon
1. locates a yp server
2. ypbind remembers a 'binding'
SA RELEVANCE:
A. must decide whether or not to use NIS
B. it makes life a lot more convenient (Kuncicky religious preference :)
C. it is prone to security holes
D. Will cover more later (Chapter 18)
ftpd - inet
A. file transfer protocol daemon
SA RELEVANCE:
1. ftpd has been the site of a number of security holes
2. wu-archive ftp daemon is more secure than Sun's
rlogind - inet
telnet - inet
A. remote login servers
B. how are they different?
C. under certain cases rlogin doesn't ask for a password (.rhosts)
D. telnet allows you to see/modify parameters from
within a session
E. telnet is supported on non-UNIX systems
remote execution daemons
A. rshd - "rcp" server
B. rexecd - older; requires name/password
C. rexd - RPC remote execution daemon; usually
so insecure that it's recommended to be turned off
named
A. domain name server daemon
B. distributed database
C. maps IP names to numbers (and the reverse)
SA RELEVANCE:
A. DNS is a primary SA task
fingerd
A. returns information about users
B. earlier versions were riddled with security holes
C. we run the GNU fingerd
SA RELEVANCE:
A. do you want to provide finger service outside
of your local domain?
httpd
A. WWW server
B. provides service for hypertext viewers
SA RELEVANCE:
1. the administration of the daemon and of the
contents of the documents should be well separated
2. Use of CGI scripts can be problematic
diskless clients (X-terminals or Sun3/50 workstations)
A. bootpd (newer) and bootparamd (older)
1. used to provide information to clients for booting
B. tftpd
1. trivial file transfer daemon
2. a non-authenticated file transfer program
3. stores boot programs (similar to bootblock) in /tftpboot (usually)
4. also stores IP->bootfile mappings
SA RELEVANCE:
1. tftpd is a real security hole
2. limit content
C. rarpd
1. reverse address resolution protocol daemon
2. broadcast 'who-am-i?'
3. /etc/ethers
4. server then caches mapping
5. ARP table visible via "arp -a", usually
SA RELEVANCE:
1. cache can be a source of problems if an incorrect
map gets cached; clear via "arp -flush" usually