COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
CIS 5406-01
Summer 1997 - Lesson 5
Booting the System
Rootly Powers, Process Management
UNIX Rootly Powers
A. Taking on root identity confers certain powers
1. mount and unmount file systems
2. root can set "virtual root" via chroot()
3. creating device files (/dev)
4. setting system clock
5. can access any local file (one way or another)
6. change file ownership
7. raise resource limits (datasize, stacksize)
8. lowering nice values (raising priority)
9. changing system's hostname
10. running halt, shutdown
11. managing print subsystem
12. etc...
B. What limitations are there on root powers?
0. UNIX suffers from "one account has all powers", so the
root account is the focus of security break-ins.
1. usually root on another machine won't trust you
2. Be careful that, when you are "root", you know your $PATH!
Beware the ordering of directories in $PATH, especially the current
directory ("."): a look-alike program in a directory that is searched
first would run in place of the real command.
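An added check, not from the notes, that a root shell can run before trusting its $PATH: it flags the current directory (including the empty element that means the same thing), relative elements and world-writable directories, reporting the position at which each is searched. The mode_of hook is this example's own device so the logic can be exercised against a fake file system.

```python
import os
import stat

def path_findings(path_value, mode_of=None):
    """Return (position, entry, problem) for each risky element of a PATH string.

    mode_of(entry) returns the directory's st_mode, or None if it is absent; by
    default the real file system is consulted, tests may inject a fake."""
    if mode_of is None:
        def mode_of(entry):
            try:
                return os.stat(entry).st_mode
            except OSError:
                return None
    findings = []
    for position, entry in enumerate(path_value.split(":")):
        if entry in ("", "."):            # an empty element also means "."
            findings.append((position, entry, "current directory searched"))
        elif not entry.startswith("/"):
            findings.append((position, entry, "relative: resolved against cwd"))
        else:
            mode = mode_of(entry)
            if mode is not None and mode & stat.S_IWOTH:
                findings.append((position, entry, "world-writable directory"))
    return findings

def safe_for_root(path_value, mode_of=None):
    """True when nothing in the PATH could make root run an unintended program."""
    return not path_findings(path_value, mode_of)

if __name__ == "__main__":
    for position, entry, problem in path_findings(os.environ.get("PATH", "")):
        print("PATH[%d] = %r: %s" % (position, entry, problem))
```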
C. How to become root?
1. login as "root", if allowed in /etc/ttytab (BSD):
#
# @(#)ttytab 1.7 92/06/23 SMI
#
# name getty type status
#
console "/usr/etc/getty cons8" sun on local secure
ttya "/usr/etc/getty std.9600" unknown off local secure
ttyb "/usr/etc/getty std.9600" unknown off local secure
ttyp0 none network off secure
ttyp1 none network off secure
Field 1: "/dev" device name (e.g., "/dev/ttya")
Field 2: program to monitor that line ("getty", "xdm")
Field 3: Type of terminal (in "/etc/termcap")
Field 4 and up: List of attributes for that line
"on" == start up process in field 2
"local" == use local connection line discipline (or lack thereof)
"secure" == "root" allowed to log on
** -> Table 8.5, page 120 of USA lists the terminal configuration files
for a number of different UNIXes.
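Added example, not from the notes: a small parser for the ttytab format described above, plus a hardening pass that leaves "secure" on the console line only, so root must "su" from an ordinary login everywhere else. The sample table is the one shown above; restrict_secure and its allowed default are this example's own choice.

```python
import shlex

# Sample /etc/ttytab copied from the notes above (SunOS 4.x, BSD style).
TTYTAB = """\
#
# @(#)ttytab 1.7 92/06/23 SMI
#
# name getty type status
#
console "/usr/etc/getty cons8" sun on local secure
ttya "/usr/etc/getty std.9600" unknown off local secure
ttyb "/usr/etc/getty std.9600" unknown off local secure
ttyp0 none network off secure
ttyp1 none network off secure
"""

def _is_comment(line):
    return not line.strip() or line.lstrip().startswith("#")

def parse_ttytab(text):
    """Return (name, getty, type, attributes) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        if _is_comment(line):
            continue
        fields = shlex.split(line)          # keeps "/usr/etc/getty cons8" together
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def root_login_lines(text):
    """Names of the lines on which root may log in directly ("secure")."""
    return [name for name, _, _, attrs in parse_ttytab(text) if "secure" in attrs]

def restrict_secure(text, allowed=("console",)):
    """Rewrite the table so only the lines in `allowed` keep the "secure"
    attribute; comments and blank lines pass through untouched."""
    out = []
    for line in text.splitlines():
        if _is_comment(line):
            out.append(line)
            continue
        fields = shlex.split(line)
        if fields[0] not in allowed:
            fields = [f for f in fields if f != "secure"]
        out.append(" ".join('"%s"' % f if " " in f else f for f in fields))
    return "\n".join(out) + "\n"
```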
2. su
- substitute user
- "su" with minus flag ("su - jtbauer") invokes a login session
3. sudo
- NOT usually a part of a vendor-supplied UNIX
- allows a class of users to execute a set of commands
with root privileges
- logs use
- introduces some vulnerabilities of its own
System Load Average
0. "load average" == average size of ready queue over sample period
1. shows the 1, 5, and 15 minute load averages
2. can see with "w", "uptime" or "top"
3. doesn't account for scheduling priority
4. what's a reasonable load average?
--> depends on the machine and the type of jobs running
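Added illustration, not from the notes, of what the three numbers mean: 4.xBSD samples the ready queue every 5 seconds and keeps exponentially decayed averages with 1-, 5- and 15-minute time constants, so a burst of runnable jobs shows up in the 1-minute figure long before the 15-minute one. The burst_after_idle scenario is constructed for the example.

```python
import math

SAMPLE_INTERVAL = 5          # seconds between ready-queue samples (4.xBSD uses 5)
WINDOWS = (60, 300, 900)     # time constants of the 1-, 5- and 15-minute averages

def decay_factors(interval=SAMPLE_INTERVAL, windows=WINDOWS):
    """Per-sample weights: an old sample's influence shrinks by exp(-age/window)."""
    return tuple(math.exp(-interval / w) for w in windows)

def load_averages(samples, interval=SAMPLE_INTERVAL, windows=WINDOWS):
    """Fold a series of ready-queue lengths into the three decayed averages."""
    factors = decay_factors(interval, windows)
    averages = [0.0] * len(windows)
    for queue_length in samples:
        averages = [a * f + queue_length * (1.0 - f)
                    for a, f in zip(averages, factors)]
    return averages

def burst_after_idle(queue_length=8, burst_seconds=120, idle_seconds=1800):
    """Constructed scenario: a long idle period, then `queue_length` runnable
    processes for `burst_seconds` (think several identical "find" jobs)."""
    samples = ([0] * (idle_seconds // SAMPLE_INTERVAL)
               + [queue_length] * (burst_seconds // SAMPLE_INTERVAL))
    return load_averages(samples)

if __name__ == "__main__":
    one, five, fifteen = burst_after_idle()
    print("2 minutes into a burst of 8 runnable: %.2f %.2f %.2f" % (one, five, fifteen))
```

The same decayed averages are what "w", "uptime" and "top" print, which is why a machine can show 7.0 in the first column while the 15-minute figure is still near 1.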
Idle Time
1. percentage of time the system is idle
2. can see with "iostat -c 1", "top", or "vmstat 1" (my fave)
3. what do you want this number to be?
Process Monitoring
A. ps - process status
- window into process table
- extremely rich command; different options
depending on whether the OS is BSD or System V based.
1. process state
- First letter indicates the runnability of the process:
R - Runnable processes.
T - Stopped processes.
P - Processes in page wait.
D - Processes in non-interruptible (e.g., disk) waits.
S - Processes sleeping < about 20 seconds.
I - Processes sleeping > 20 seconds
Z - zombie (process with NO resources other than a proc slot)
2. Swapped?
- Second letter indicates whether a process is swapped out;
blank - loaded in memory
W - Process is swapped out.
'>' - Process has specified a soft limit on memory
(imposed by the "limit" command)
3. Niced?
- Third letter indicates whether a process is running with
altered CPU scheduling priority (nice, renice)
blank - normal
N - The process priority is reduced,
< - The process priority has been raised artificially.
# renice +19 PID <- lowest priority (nice)
# renice -19 PID <- highest priority (not nice)
4. Special paging requirements
- Fourth letter indicates any special treatment of the
process for virtual memory replacement. (see vadvise()
system call)
5. Example:
USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
-----------------------------------------------------------------------
kuncick 7467 40.1 1.3 124 364 pc D < 09:32 0:15 find / -name foo
kuncick 7419 16.6 1.3 124 364 pc D N 09:28 0:11 find ...
kuncick 7529 39.4 1.2 100 320 pc R 09:35 0:01 find / -name foo
kuncick 7528 35.8 1.2 112 324 pc R 09:35 0:15 find / -name foo
root 1 0.0 0.0 52 0 ? IW Dec 18 0:24 /sbin/init -
root 2 0.0 0.0 0 0 ? D Dec 18 0:08 pagedaemon
root 75 0.0 0.4 48 108 ? S Dec 18 12:09 in.routed
bynum 7328 0.0 0.1 48 24 pb S 09:24 0:00 rlogin -8 sed
tajdari 7041 0.0 0.0 68 0 p6 IW 08:59 0:00 -pclab-csh (csh)
leggett 19429 0.0 0.0 80 0 ? TW Jan 21 0:00 pico +7
kohout 7036 0.0 0.0 24 0 p3 TW 08:59 0:00 /bin/sh ltxview
kohout 7008 0.0 0.0 84 0 p3 IW 08:58 0:00 -reg-csh (csh)
root 24818 0.0 0.0 32 0 ? IW 20:46 0:07 in.telnetd
johnson 7297 0.0 0.7 80 192 p8 S 09:22 0:00 pico proj1b.f
root 6842 0.0 0.0 32 0 ? IW 08:52 0:02 in.telnetd
evans 6843 0.0 0.0 76 0 p9 IW 08:52 0:00 -reg-csh (csh)
bynum 7321 0.0 0.0 404 0 pb IW 09:24 0:01 -reg-tcsh (tcsh)
root 6695 0.0 0.2 32 44 ? S 08:47 0:04 in.telnetd
root 7007 0.0 0.0 24 0 ? IW 08:58 0:00 in.rlogind
kuncick 7422 0.0 1.9 264 512 pc R 09:29 0:00 ps -aux
naus 7167 0.0 1.4 1216 384 p4 S 09:10 0:03 tin
healy 7814 0.0 3.4 184 924 ? S 09:47 0:00 xclock -rv -update 1
6. Many more features to "ps"
- note that "ps" demonstrates the Heisenberg principle: running it
perturbs what it measures (the "ps -aux" above appears in its own listing)
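Added example, not from the notes: decoding the STAT column of the listing above and spotting the first "quick remedy" case (many identical jobs). The parser assumes the space-separated layout shown, where the STAT letters may themselves be split by spaces and START is either a clock time or a month and day; the sample rows are copied from the listing.

```python
import re
# Sample "ps -aux" rows copied from the listing above (a subset is enough).
SAMPLE = """\
kuncick 7467 40.1 1.3 124 364 pc D < 09:32 0:15 find / -name foo
kuncick 7419 16.6 1.3 124 364 pc D N 09:28 0:11 find ...
kuncick 7529 39.4 1.2 100 320 pc R 09:35 0:01 find / -name foo
kuncick 7528 35.8 1.2 112 324 pc R 09:35 0:15 find / -name foo
root 1 0.0 0.0 52 0 ? IW Dec 18 0:24 /sbin/init -
root 75 0.0 0.4 48 108 ? S Dec 18 12:09 in.routed
leggett 19429 0.0 0.0 80 0 ? TW Jan 21 0:00 pico +7
kuncick 7422 0.0 1.9 264 512 pc R 09:29 0:00 ps -aux
"""

RUNNABILITY = {"R": "runnable", "T": "stopped", "P": "page wait",
               "D": "uninterruptible wait", "S": "sleeping < 20 s",
               "I": "idle (sleeping > 20 s)", "Z": "zombie"}
STAT_CHARS = set("RTPDSIZW<>N")           # letters the four STAT positions use
CLOCK_RE = re.compile(r"^\d\d:\d\d$")     # START as "09:32" (else "Dec 18")

def decode_stat(stat):
    """Interpret the letter positions of a BSD STAT field."""
    rest = stat[1:]
    return {"state": RUNNABILITY.get(stat[0], "?"),
            "swapped": "W" in rest,
            "soft_memory_limit": ">" in rest,
            "priority": "lowered (niced)" if "N" in rest
                        else "raised" if "<" in rest else "normal"}

def parse_ps(text):
    """Parse space-separated "ps -aux" rows; STAT letters may be split by spaces."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or not tok[1].isdigit():
            continue
        i, stat = 7, ""                          # columns 0-6: USER .. TT
        while set(tok[i]) <= STAT_CHARS:
            stat, i = stat + tok[i], i + 1
        i += 1 if CLOCK_RE.match(tok[i]) else 2  # skip START
        rows.append({"user": tok[0], "pid": int(tok[1]), "cpu": float(tok[2]),
                     "stat": stat, "time": tok[i],
                     "command": " ".join(tok[i + 1:]), **decode_stat(stat)})
    return rows

def identical_jobs(rows, min_count=2):
    """Quick-remedy check: one command being run by several processes at once."""
    by_cmd = {}
    for r in rows:
        by_cmd.setdefault(r["command"], []).append(r["pid"])
    return {c: p for c, p in by_cmd.items() if len(p) >= min_count}
```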
B. top - NOT part of vendor's UNIX, typically (it is bundled with Linux)
- dynamically shows processes, idle time, memory usage,
and load averages
C. monitor (AIX ONLY)
D. "pstree" - nice public-domain (PD) filter that shows the family hierarchy of processes
E. "sa" - system accounting (BSD)
- Kernel must be enabled to do accounting and special accounting
commands must be executed first (see "accton")
- can summarize process accounting files by user
or by command
- can fill up a file system! (usually /var/adm)
- this gives us long-term information about which processes
and which users are using the system
Sample "sa" output from a SunOS 4.1.x machine:
#execs %calls %real %cpu avg i/o per exec command
------------------------------------------------------------
105 3.88% 11.49% 41.67% 701avio pico
24 0.89% 17.17% 4.70% 1882avio in.telnet
77 2.85% 0.08% 3.93% 10011avio ld
18 0.67% 0.71% 3.63% 7214avio xmap
12 0.44% 6.13% 3.54% 2292avio gmacs
93 3.44% 0.04% 3.26% 2646avio cpp
27 1.00% 0.04% 3.08% 3133avio ccom
49 1.81% 2.47% 2.27% 1399avio elm
2 0.07% 0.10% 2.23% 69524avio uqwk
6 0.22% 0.53% 1.95% 29770avio tin
38 1.40% 2.47% 1.91% 852avio vi
45 1.66% 19.29% 1.70% 304avio csh
55 2.03% 0.02% 1.69% 1400avio as
3 0.11% 2.14% 1.66% 38549avio trn
29 1.07% 0.02% 1.62% 318avio cc1
1 0.04% 5.42% 1.46% 21232avio xspim
55 2.03% 0.01% 1.44% 1174avio in.cfing
10 0.37% 3.93% 1.40% 3922avio in.rlogi
5 0.18% 0.89% 1.27% 5672avio lynx
3 0.11% 0.01% 1.25% 11148avio zip
11 0.41% 3.19% 1.15% 463avio tcsh
3 0.11% 0.01% 1.12% 17642avio sa
233 8.61% 0.01% 1.08% 16avio ls
"sa -m":
user #execs cpu min total i/o k-core sec
-------------------------------------------------------------
auger 23 4.96cpu 3814tio 2007763k*sec
liao 597 2.14cpu 980604tio 323673k*sec
root 215 1.21cpu 235394tio 120867k*sec
nanda 267 0.82cpu 150415tio 60734k*sec
pfeil 16 0.67cpu 57073tio 212587k*sec
decker 39 0.54cpu 216602tio 139192k*sec
lloyd 256 0.40cpu 88127tio 27740k*sec
hugg 161 0.36cpu 61257tio 46332k*sec
bin 90 0.26cpu 76937tio 5853k*sec
lacerte 83 0.25cpu 184599tio 20449k*sec
lacano 113 0.20cpu 74759tio 27958k*sec
brown 36 0.18cpu 62610tio 38403k*sec
jenkins 13 0.17cpu 10611tio 24619k*sec
thoman 9 0.15cpu 53762tio 42928k*sec
johnson 86 0.12cpu 48026tio 4583k*sec
huang 36 0.12cpu 50062tio 18535k*sec
tajdari 54 0.11cpu 76533tio 8892k*sec
keithlee 25 0.11cpu 5637tio 18212k*sec
mills 68 0.09cpu 38932tio 4528k*sec
colby 33 0.08cpu 14464tio 7761k*sec
brooks 29 0.08cpu 40675tio 12337k*sec
kevsmith 3 0.07cpu 52595tio 17897k*sec
ayala 77 0.07cpu 72498tio 1229k*sec
kuncick 52 0.06cpu 32691tio 2620k*sec
houston 29 0.05cpu 21763tio 3223k*sec
sukkert 15 0.04cpu 28598tio 6592k*sec
jia 24 0.04cpu 9635tio 4332k*sec
caldwell 50 0.04cpu 2884tio 2049k*sec
owens 23 0.03cpu 11961tio 917k*sec
williams 17 0.02cpu 2846tio 637k*sec
nobody 59 0.02cpu 9308tio 77k*sec
nayak 4 0.02cpu 564tio 2080k*sec
marshall 10 0.02cpu 12014tio 406k*sec
kirby 16 0.02cpu 2585tio 1221k*sec
System V accounting is, of course, different. See "man accton" for
an overview; more in Chapter 28 of USA.
Quick Remedies
1. system clogged by many identical jobs
2. one process has been running for a long time
Long-term Remedies
1. involve more performance analysis
2. may need faster CPU, more memory or faster I/O
Windows NT Administrator Powers
The NT administrator also suffers somewhat from the UNIX "one account
has all powers" model. Access is limited to the current domain, as
well as any other domains that trust this domain.
NT has default groups, one of which is the Administrators group. Adding
a user to the Administrators group (via "User Manager for Domains")
gives them the same user rights policies that the Administrators
group has (check via "UMFD", "Policies", "User Rights").
NT "powers" are defined as a set of user rights policies, assigned
either individually to an account or via group memberships. The
rights are (page 779, MWNTS4):
Access this computer from network
Add workstations to domain
Back up files and directories
Change the system time
Force shutdown from a remote system
Load and unload device drivers
Log on locally
Manage auditing and security log
Restore files and directories
Shut down the system
Take ownership of files or other objects
NT also provides a set of advanced user rights, mostly for software
developers (see list on page 780 of MWNTS4). Click the "Show
Advanced User Rights" checkbox in the "User Rights Policy" dialog
box to access them. Some of the more interesting ones:
Bypass traverse checking
Act as part of the operating system
Increase scheduling priorities
Lock pages in memory
Log on as a batch job
Log on as a service
Profile single process
Profile system performance
Notice that the Administrator account and the Administrators group
do not have all the user rights. Unlike UNIX, where user and group
IDs define security, NT's user-rights access matrix permits more
flexibility, with a large set of predefined defaults.
Note "Real World" boxes on page 221 and 222 of MWNTS4 regarding
predefined group rights!
Windows NT Process Management
We already took a look at the Task Manager tool, which presents a
variety of options for displaying applications and processes. It
allows you to change a process's priority, kill a process, etc.
Windows NT Auditing
You can get good control over a variety of security-related
auditing events (go to User Manager for Domains/Policies/Audit).
The auditing events can be seen in the "Security" log via the
Event Viewer. An interesting example is the security log event
auditing the changing of the auditing :)
Audit Policy Change:
New Policy:
Success Failure
+ + System
+ + Logon/Logoff
+ + Object Access
+ + Privilege Use
+ + Detailed Tracking
+ + Policy Change
+ + Account Management
Changed By:
User Name: Administrator
Domain Name: JBDOMAIN
Logon ID: (0x0,0x1A11)