Safety net
Posted on 3 Jul 2002 at 16:24
Virtually all Unix and Linux systems have options to throw out 'bad' passwords (predictable ones, or ones based on a dictionary word) and to 'age' passwords so that users are forced to change them after a few days or weeks. You need to switch this feature on when deploying a public server.
Personal daemons
There are ways to secure network services on Linux and related Unix-type operating systems. Network services are provided by programs called daemons that run continuously, waiting for an incoming request from a client system connecting over the internet. In general, there are two types of server daemon: standalone servers and servers controlled by inetd, the master internet daemon.
Standalone servers run continuously until a connection comes in. They then spawn a child copy of themselves to deal with the connection, while the parent process goes back to listening for more requests. A common standalone server is Apache, the standard web server found on most Linux systems. Other common standalone servers include the Berkeley Internet Name Daemon (BIND), which handles domain name lookup requests; sendmail, the heavy-duty SMTP mail server; inn, a UseNet news server; Zope, an object-oriented web application server; and MySQL or PostgreSQL, two common free relational database servers.
Standalone servers are usually started and stopped by an rc (runcom) shell script. This is executed by the init (system control) process when the Linux system changes run level; for example, when it first brings up networking and switches to multi-user mode while booting.
Level head
So what can be done with the rc scripts? Linux and non-BSD Unix systems operate in one of a number of 'run levels' that indicate the system's availability. Run level zero means 'switched off'. Run level 1 is single-user mode, in which networking is disabled, filesystems are unmounted and only the system administrator can log in via the console (for example, to repair damaged filesystems or carry out heavy-duty maintenance). Run level 3 is standard multi-user with networking support. In run level 5 the X-based login server Xdm may be run, giving you a graphical login screen on a workstation. Switch to run level 6 and the system will shut down and reboot; in run level 0 it will shut down and halt.
Switching run levels is controlled by the init process. A special program, 'telinit', can be used to tell init to change run level. When you change run level, init reads the file /etc/inittab and executes the appropriate programs specified in it. One program is executed whenever you change run level: /etc/init.d/rc (or /etc/init.d/rc.d/rc on RedHat). This in turn looks in the appropriate directory for the new run level (if switching to run level 3 this would be /etc/init.d/rc.d/rc3.d on SuSE) and executes the scripts it finds there. These have names consisting of the letter S or K (for Start or Kill, depending on the mode they're executed in when entering the run level) and a two-digit number. The number dictates the order in which they're executed; the S or K prefix determines whether they're run with the 'start' or 'stop' parameter. Each script controls a system service, such as a standalone web server or the PCMCIA card interface on a notebook.
Using this system it's possible to specify the order in which services start and stop with extreme precision, at the cost of simplicity. In practice, however, the S and K scripts in each run level are symbolic links pointing to a single 'master' script for that service, which lives in /etc/init.d. Thus, editing the file /etc/init.d/rc3.d/S21apache actually modifies the file /etc/init.d/apache, which may appear in other run levels.
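The naming scheme and symlink layout described above can be audited with a short script that lists what a run-level directory starts and stops, and which master script each entry points to. This is an added example, not part of the original article; the function names audit_runlevel and make_sample and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# audit_runlevel DIR prints one line per S/K entry in DIR:
#   <start|stop> <two-digit order> <entry name> -> <link target>
audit_runlevel() {
    dir=$1
    # Glob expansion returns names sorted, so entries come out in number
    # order within each prefix (K entries before S entries).
    for entry in "$dir"/[SK][0-9][0-9]*; do
        # Skip the literal pattern when nothing matches; keep dangling links.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case $name in
            S*) action=start ;;
            K*) action=stop ;;
        esac
        order=$(printf '%s' "$name" | cut -c2-3)
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            # A link whose master script is gone deserves a look.
            [ -e "$entry" ] || target="$target (dangling)"
        else
            # A real file here bypasses the single master script.
            target="(regular file, not a link to a master script)"
        fi
        printf '%s %s %s -> %s\n' "$action" "$order" "$name" "$target"
    done
}

# Constructed sample tree, modelled on the paths used in the text.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d/rc3.d"
    for svc in apache sendmail; do
        printf '#!/bin/sh\n' > "$root/init.d/$svc"
    done
    ln -s ../apache   "$root/init.d/rc3.d/S21apache"
    ln -s ../sendmail "$root/init.d/rc3.d/K20sendmail"
    ln -s ../inn      "$root/init.d/rc3.d/S40inn"        # master script missing
    printf '#!/bin/sh\n' > "$root/init.d/rc3.d/S99local" # not a symlink
    printf '%s\n' "$root"
}

sample=$(make_sample)
audit_runlevel "$sample/init.d/rc3.d"
rm -rf "$sample"
```

On a real server, point audit_runlevel at the run-level directory for your distribution and review every 'start' line for services the machine does not need to offer.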