2002 07 11


                    LINUX NEWS
        Resources & Links From CramSession.com
             Thursday, July 11, 2002


TABLE OF CONTENTS

1) Sean’s Notes

2) Linux News

Lessons Learned From Tolkein
LSB Certification
Lindows PC Reviewed
Countdown to Y2Pay

3) Linux Resources

Hooking Up Linux with AD
Use BIND With AD
Advanced Bash Scripting Guide
C-shell Cookbook
How to Switch to Dvorak

4) App o’ the Week

~~~~~~~~~~~~~~~~~~~~~~ ADVERTISEMENT ~~~~~~~~~~~~~~~~~~~~~~~

Serebra Learning Corporation knows that it’s true, you get paid more if you have the skills. Learn at your own pace with our dynamic training programs for the skills needed to succeed in today’s IT market. The Best Way to Learn Anything, Anywhere, Anytime. Check out this month’s specials!

http://ad.brainbuzz.com/?RC06&AIT65







For information on how to advertise in this newsletter
please contact mailto:adsales@CramSession.com or visit
http://cramsession.com/marketing/default.asp

-------------------------
1) Sean's Notes
-------------------------

For the past couple of weeks we've been learning about Unix
file permissions.  Two weeks ago, it was the basics of file
permissions, and last week, it was applied to directories.

http://newsletters.cramsession.com/Newsletters/NewsletterArchive/Li
nuxNews/july-4-2002linux.txt

A file or a directory can have the read, write, and execute
flags applied to its owner, group, or everyone, for a total
of 9 different permission bits.  Hold on to your shirt,
though: there are some that I didn't tell you about earlier.

The 't' bit is usually reserved for directories (it has a
meaning for files, but not really used).  Last week, I said
that you could give read/write/execute access to everyone
on a directory (octal permissions 777), except that people
could then delete each other's files.  Well, +t is what you
want.  On a directory, it ensures that only the owner of a
file can delete it.  /tmp is like that, a global place that
you can dump temporary files:

drwxrwxrwt   25 root     root       5120 Jul 10 21:31 /tmp

To set or clear it, you can use the long format:

$ chmod +t /tmp #set
$ chmod -t /tmp #clear

It's got an octal equivalent of 1, but to use it we'll have
to go to four digits instead of three.

$ chmod 1777 /tmp

(Note that you have to resupply the normal permission bits,
one reason I prefer to use the long approach.)

Or, to clear all the special bits:

$ chmod 0777 /tmp

When applied to a file, it means that you want the program
image saved to swap, in the hopes that the next time it's run,
it'll start up faster.  I've never tried, nor used it, so I
can't say how well it works.

The next special permission is the 's' bit.  It's both
dangerous and confusing, but incredibly helpful, so be careful
when you use it!  This bit is always applied specifically to
a user or group (or both).  In octal, 4 applies to the user,
and 2 applies to the group.  Thus, 4555 sets +s on the user,
and read/execute to all classes.  In the long form, specify
group or user:

chmod u+s foo
chmod g-s foo

On an executable program, the file runs as the owner when
applied to the owner, or the group when applied to the group.
Thus, they're usually referred to as the setuid and setgid
bits respectively, because they cause the programs UID or
GID to be set.

This needs some more explanation.  Take for example a program
that needs to run as root such as tcpdump.  If you want a
normal user to be able to run it, but don't want to give them
the root password, then setting the setuid bit will cause
tcpdump to run as the owner (presumably root), no matter who
executes it.

NOTE: THIS IS A BIG SECURITY RISK. USE IT WITH CAUTION.

Two things can go wrong here.  One is that there is something
like a buffer overflow can cause the program to give up a
shell.  It's running as root, even though an unprivileged
user started it, so guess what kind of shell that's going to
give you?  Yup, a root shell.

The second is that the program itself is nice enough to run
programs for you.  Take for example, vi.  With a few
keystrokes, vi can run other programs...  As root, if it was
running setuid.

Scary stuff aside, there are many cases where this is needed.
In order to edit your crontab, you have to be able to edit
files in protected areas.  /usr/bin/crontab has the setuid
bit set, within the program itself it does any necessary
security checks.

-rwsr-xr-x    1 root   root   21280 Jun 24  2001 /usr/bin/crontab

Here, you can see a lowercase 's' where the 'x' usually goes,
which tells you it's running setuid.  Had it been running
setgid, it would have been in the group execute:

-r-xr-s--x    1 root    games   233356 Sep 16  2001 /usr/games/gtali

Most of the games are setgid to "games" so that they can
write to a system wide high score file.  This prevents normal
users from overwriting the scores.

When using the setuid or setgid bits on your own, it's often
best to restrict access to the binary itself through the use
of groups.  Say you wanted your network admins to be able to
use tcpdump without root access.

- create a group, netadmins
- change the group ownership of tcpdump to netadmins
- change the permissions of tcpdump to 4550 (setuid, owner/group
  read/execute, no one else can execute)
- put the netadmins in the netadmin group (/etc/group)

Last note on the setuid/setgid bits -- don't use 'em on shell
scripts.  Modern shells will give up the permissions anyway,
but there are just too many ways for an attacker to exploit a
script running with elevated permissions.

On a directory, the setgid bit has special meaning (the
setuid bit does nothing).  Assuming the user in the directory
is a member of the same group that the directory is, then all
newly created files will be owned by that group.  (Remember
that a user can belong to several groups).  By giving group
write access to the directory and setting the setgid bit, you
can ensure that everyone in the group can share files properly.

Remember this:

1 - t (must be owner to delete file for a directory)
2 - setgid (process assumes gid on files, forces group ownership
    on directories
4 - setuid (process assumes uid on files)

In practice, I never use octal values when dealing with special
permissions, instead always preferring to set it explicitly
with the +/- operators.  You don't want to accidentally give
setuid permissions (4) when you meant to do a setgid (2).

The permissions I showed you today are both very powerful, but
require a great deal of thought before using.  It's tempting
to simply setuid any binary that is causing you trouble, but
often, a more elegant solution is available (for example,
rather than setuid'ing CD writing utilities, relax the
permissions on the CD device itself).  Use them with care!


Long live the Penguin,

Sean
swalberg@cramsession.com


-------------------------
2) Linux News
-------------------------

-----------------------------
Lessons Learned From Tolkein
-----------------------------
Linux is playing a big role in the making of The Two Towers,
the next movie in the Lord of the Rings series. The CTO of a
company doing work on the project speaks a bit about the
making of the movie, and the challenges they've encountered.

http://www.digitalanimators.com/2002/07_jul/features/lessons.htm


-------------------
LSB Certification
-------------------
A while ago the Linux Standards Base was announced as ready
to be used. The Open Group has now created a program to
certify and brand LSB certified distributions and
applications. Fees are quite reasonable, and unlike the so
called "United Linux", likely won't result in fees being
passed on to consumers.

http://www.opengroup.org/lsb/cert/


--------------------
Lindows PC Reviewed
--------------------
NewsForge reviewed the Lindows PC offering from WalMart, and
the results were disappointing. Poor documentation, a
subscription fee for the software service, and a general lack
 of polish are the marks against it. Still, it's progress.

http://newsforge.com/article.pl?sid/07/02/1247234&mode=thread&tid#



-------------------
Countdown to Y2Pay
-------------------
Afraid of the new licencing scheme coming down the pipe from
Microsoft? Ximian might make it worth your while, as they're
offering some discounts on their Linux desktop solutions.

http://www.ximian.com/solutions/y2pay.html


-------------------------
3) Linux Resources
-------------------------

-------------------------
Hooking Up Linux with AD
-------------------------
Microsoft guru QCumber dug up this little gem on how to get
your Linux box to authenticate to an Active Directory server.
It's even able to use SSL to protect the data in transit.

http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html


------------------
Use BIND With AD
------------------
Windows 2000 makes heavy use of DNS. Linux is good with DNS.
Hey! A match made in heaven. You've got Q to thank for this
one, too.

http://ibiblio.org/gferg/ldp/BIND+AD-HOWTO/BIND+AD-HOWTO.html


------------------------------
Advanced Bash Scripting Guide
------------------------------
Here is a very complete shell scripting guide. The subtitle,
"An in-depth exploration of the gentle art of shell scripting"
doesn't do it justice. Hell, it implements the "Game of Life"
in the examples. Bookmark this one.

http://tldp.org/LDP/abs/html/index.html


-----------------
C-shell Cookbook
-----------------
"This cookbook describes the fundamentals of writing scripts
using the UNIX C shell. It shows how to combine Starlink and
private applications with shell commands and constructs to
create powerful and time-saving tools for performing
repetitive jobs, creating data-processing pipelines, and
encapsulating useful recipes."

http://www.starlink.rl.ac.uk/star/docs/sc4.htx/sc4.html


------------------------
How to Switch to Dvorak
------------------------
The Dvorak keyboard layout is supposed to be more efficient,
and also less prone to cause injury. Switching your keyboard
layout is pretty easy, though learning it is a pain (yes, I
gave up soon after starting this week's edition).

http://www.mwbrooks.com/dvorak/


-------------------------
4) App o' the Week
-------------------------
Microsoft Proxy Server has a setting where all clients have
to provide NTLM authentication before going out on the
Internet, effectively limiting your choice of browsers to
Internet Explorer. Here's a proxy that will let any browser
emulate IE; the proxy server will be none the wiser, and you
can use your favorite browser.

http://www.geocities.com/rozmanov/ntlm/


-------------------------
(C) 2002 BrainBuzz.com, Inc. All Rights Reserved.
-------------------------
-------------------------

          This message is from CramSession

You are currently subscribed to the following list
   Hottest Linux News and Resources
   as: sean@ertw.com

To un-subscribe from this newsletter by e-mail,
   send a blank email message to:
   mailto:leave-linuxnews-3825955Y@list.cramsession.com

To subscribe to this newsletter and many others visit
our site at:
http://newsletters.cramsession.com/signup/default.asp

-------------------------------------------------------