Linux System Calls

CUPS (formerly an acronym for Common Unix Printing System,

but now with no official expansion) is a modular printing

system for Unix-like computer operating systems which allows

a computer to act as a print server. A computer running CUPS

is a host that can accept print jobs from client computers,

process them, and send them to the appropriate printer.

If you are using a client with CUPS and a CUPS server has

already been configured, installing the printers on your

client can not get much easier than this: do nothing.

Through broadcasting, the client should find the CUPS server

and automatically configure the printers that are installed

on that print server. This is one of the features of CUPS

that will be really appreciated on large networks.

Manually configuring printers with CUPS, also is a peace of

cake. If you are new to CUPS and/or Unix printing, the way

to go is probably the web interface. If you have to

configure lots of printers, using the command-line will

probably be faster.

The URL to access the CUPS web interface is

http://hostname:631/admin by default. The port can be

changed in cupsd.conf if necessary.

To add a printer from the command-line the general syntax is

lpadmin -p printer -E -v device -m ppd Lpadmin with the -p

option adds or modifies a printer. The printers are saved in

the file The -x option deletes the named printer. Read the

lpadmin man page for available options.

Example 3. command-line examples

/usr/sbin/lpadmin -p testpr1 -E -v socket://192.168.1.9 -m

deskjet.ppd

/usr/sbin/lpadmin -p testpr2 -E -v parallel:/dev/lp0 -m

laserjet.ppd

/usr/sbin/lpadmin -x testpr1

More information about configuring printers and options can

be found in the CUPS documentation. The Software

Administrators Manual will teach you all you need to know

about configuring printers with CUPS.

The sudo command stands for "superuser do". If a server

needs to be administered by a number of people it is

normally not a good idea for them all to use the root

account. This is because it becomes difficult to determine

exactly who did what, when and where if everyone logs in

with the same credentials. The sudo utility was designed to

overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers

configuration file to have temporary access to run commands

they would not normally be able to due to file permission

restrictions. The commands can be run as user "root" or as

any other user defined in the /etc/sudoers configuration file.

The privileged command you want to run must first begin with

the word sudo followed by the command's regular syntax. When

running the command with the sudo prefix, you will be

prompted for your regular password before it is executed.

You may run other privileged commands using sudo within a

five-minute period without being re-prompted for a password.

All commands run as sudo are logged in the log file

/var/log/messages.

In order to use sudo we first need to configure the sudoers

file.

Do not edit directly the file:

To edit it, use the command

# visudo

******Output***************

# /etc/sudoers

#

# This file MUST be edited with the 'visudo' command as root.

#

# See the man page for details on how to write a sudoers file.

#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification

root ALL=(ALL) ALL

**********************************************

You will see the line

root ALL=(ALL) ALL

This lines means that the user root can execute from ALL

terminals, acting as ALL (any) users, and run ALL (any) command.

The first part is the user, the second is the terminal from

where the user can use sudo, the third is as which user he

may act, and the last one, is which commands he may run.

Example:

Granting Access To Specific Users To Specific Files

---------------------------------------------------

amsin21, %operator ALL= /sbin/, /usr/sbin,

/usr/local/apps/check.pl

This entry allows user amsin21 and all the members of the

group operator to gain access to all the program files in

the /sbin and /usr/sbin directories, plus the privilege of

running the command /usr/local/apps/check.pl. Notice how the

trailing slash (/) is required to specify a directory location:

Granting Access to Specific Files as Another User

-------------------------------------------------

The sudo -u entry allows allows you to execute a command as

if you were another user, but first you have to be granted

this privilege in the sudoers file.

This feature can be convenient for programmers who sometimes

need to kill processes related to projects they are working

on. For example, programmer amsin21 is on the team

developing a financial package that runs a program called

monthend as user accounts. From time to time the application

fails, requiring "amsin21" to stop it with the /bin/kill,

/usr/bin/kill or /usr/bin/pkill commands but only as user

"accounts". The sudoers entry would look like this:

amsin21 ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

User amsin21 is allowed to stop the monthend process with

this command:

# sudo -u accounts pkill monthend

Granting Access Without Needing Passwords

-----------------------------------------

This example allows all users in the group operator to

execute all the commands in the /sbin directory without the

need for entering a password. This has the added advantage

of being more convenient to the user:

%operator ALL= NOPASSWD: /sbin/

Using Aliases in the sudoers File

---------------------------------

Sometimes you'll need to assign random groupings of users

from various departments very similar sets of privileges.

The sudoers file allows users to be grouped according to

function with the group and then being assigned a nickname

or alias which is used throughout the rest of the file.

Groupings of commands can also be assigned aliases too.

In the next example, users amsin21, amsin211 and amsin212

and all the users in the operator group are made part of the

user alias ADMINS. All the command shell programs are then

assigned to the command alias SHELLS. Users ADMINS are then

denied the option of running any SHELLS commands and su:

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh,

/usr/bin/ksh, /usr/local/bin/tcsh,

/usr/bin/rsh, /usr/local/bin/zsh

User_Alias ADMINS = amsin21, amsin211, amsin212, %operator

ADMINS ALL = !/usr/bin/su, !SHELLS

This attempts to ensure that users don't permanently su to

become root, or enter command shells that bypass sudo's

command logging. It doesn't prevent them from copying the

files to other locations to be run. The advantage of this is

that it helps to create an audit trail, but the restrictions

can be enforced only as part of the company's overall

security policy.

Samba provides file and print services to all manner of

SMB/CIFS clients, including the numerous versions of

Microsoft Windows operating systems. Samba configuration

file is smb.conf:

Sample smb.conf

---------------

[global]

# Domain name ..

workgroup = DOMAIN.NAME

# Server name - as seen by Windows PCs ..

netbios name = SERVER1

# Be a PDC ..

domain logons = Yes

domain master = Yes

# Be a WINS server ..

wins support = true

# allow user privileges

#enable privileges = yes

obey pam restrictions = Yes

dns proxy = No

os level = 35

log file = /var/log/samba/log.%m

max log size = 1000

syslog = 0

panic action = /usr/share/samba/panic-action %d

pam password change = Yes

# Allows users on WinXP PCs to change their password

when they press Ctrl-Alt-Del

unix password sync = no

ldap passwd sync = yes

# Printing from PCs will go via CUPS ..

load printers = yes

printing = cups

printcap name = cups

# Use LDAP for Samba user accounts and groups ..

passdb backend = ldapsam:ldap://localhost

# This must match init.ldif ..

ldap suffix = dc=domain,dc=name

# The password for cn=admin MUST be stored in

/etc/samba/secrets.tdb

# This is done by running 'sudo smbpasswd -w'.

ldap admin dn = cn=admin,dc=domain,dc=name

# 4 OUs that Samba uses when creating user accounts,

computer accounts, etc.

# (Because we are using smbldap-tools, call them

'Users', 'Computers', etc.)

ldap machine suffix = ou=Computers

ldap user suffix = ou=Users

ldap idmap suffix = ou=Idmap

# Samba and LDAP server are on the same server in

this example.

ldap ssl = no

# Scripts for Samba to use if it creates users,

groups, etc.

add user script = /usr/sbin/smbldap-useradd -m '%u'

delete user script = /usr/sbin/smbldap-userdel %u

add group script = /usr/sbin/smbldap-groupadd -p '%g'

delete group script = /usr/sbin/smbldap-groupdel '%g'

add user to group script =

/usr/sbin/smbldap-groupmod -m '%u' '%g'

delete user from group script =

/usr/sbin/smbldap-groupmod -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod

-g '%g' '%u'

# Script that Samba users when a PC joins the domain ..

# (when changing 'Computer Properties' on the PC)

#add machine script = /usr/sbin/smbldap-useradd -w '%u'

add machine script = /usr/sbin/useradd -s /bin/false

-d /home/nobody %u

# Values used when a new user is created ..

# (Note: '%L' does not work properly with

smbldap-tools 0.9.4-1)

logon drive = H:

logon home = \server%U

logon path = \serverProfiles%U

logon script = logon.bat

# This is required for Windows XP client ..

server signing = auto

server schannel = Auto

[homes]

comment = Home Directories

path = /home/users/%U

valid users = %S

read only = No

browseable = No

[netlogon]

comment = Network Logon Service

path = /var/lib/samba/netlogon

admin users = root

guest ok = Yes

browseable = No

[Profiles]

comment = Roaming Profile Share

# would probably change this to elsewhere in a

production system ..

path = /var/lib/samba/profiles

read only = No

profile acls = Yes

browsable = No

hide files = /desktop.ini/ntuser.ini/NTUSER.*/

[printers]

comment = All Printers

path = /var/spool/samba

use client driver = Yes

create mask = 0600

guest ok = Yes

printable = Yes

browseable = No

public = yes

writable = yes

admin users = root

write list = root

[print$]

comment = Printer Drivers Share

path = /var/lib/samba/printers

write list = root

create mask = 0664

directory mask = 0775

admin users = root

Test it with :

# testparm /etc/samba/smb.conf

Load smb config files from /etc/samba/smb.conf

Processing section "[homes]"

Processing section "[netlogon]"

Processing section "[Profiles]"

Processing section "[printers]"

Processing section "[print$]"

Loaded services file OK.

Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

NIS is a service that provides any user on that network

with the same working environment irrespective of the

system on that network which has been used for login

purpose.

For example if NIS server is set up in a single system and

configured to hold user accounts and their passwords and

access information. Then any user on that network can login

to his/her account that is set up in the NIS server from

any system (with nis client running) on that configured

network. This gives a look and feel that the user is logged

into his/her own system. But actually its the account on

the NIS server that is mounted on the local sytem on user

login .

A Server-- it is weather in testing or production-- are primary targets for

the attackers. By taking the proper steps, you can turn a vulnerable box into

a hardened server.

How to secure SSH sessions, configure firewall rules, minimize software, listed below,

1. Encrypt Data communication

-- use scp, ssh avoid FTP, Telnet and Rlogin /rsh

2. Minimize Software to minimize vulnerability

-- use RPM pkg management / YUM utility to remove unwanted packages installed

3. One Network Service per System or Vm Instance

-- Run different network services on separate servers or vm instance.

For example, if an attacker able to successfully exploit software called

Apache flow, he/she get an access to entire server including other services

such as MYSQL, email server and so on.

4. Keep linux software and Kernel up to date.

-- Use yum update or up2date

some distros apt-get update

5. Security essentials like selinux

6. password authentication like password aging, restricting to user previous

passphrases, and locking user accounts after login failures.

7. Disable unwanted services using chkconfig --list | grep "3:on"