Pawan Sharma | December 18, 2012 | Be the first to comment!

How to Upgrade/Update Kernel in Redhat Enterprise Linux 6 (RHEL6)

In this post we will see how to update the kernel package. As a system administrator you may need to upgrade the kernel package. Upgrading the kernel package is necessary for adding new features, resolving security-related issues, etc. A kernel upgrade can cause problems if other packages depend on the current kernel version.

If you want a new kernel, never use the -U option, as it overwrites the existing kernel and makes it hard to revert the change. The best way to upgrade a kernel is to install the new one.

You can install a new kernel package in Redhat Enterprise Linux 6 (RHEL6) using the command below.



# rpm -ivh new_kernel.rpm


The above command installs the new kernel and its related files alongside the old one.

In the example below we will upgrade the kernel from 2.6.32-220.el6.x86_64 to 2.6.32-220.2.1.el6.x86_64:

To see the current kernel version:

# uname -r
2.6.32-220.el6.x86_64


Download the new kernel package and install it:

# rpm -ivh kernel-2.6.32-220.2.1.el6.x86_64.rpm

warning: kernel-2.6.32-220.2.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY

Preparing...               ########################################### [100%]
1:kernel                   ########################################### [100%]


To verify that the new kernel is installed, list the contents of the /boot directory:

# ls /boot/

config-2.6.32-220.2.1.el6.x86_64
config-2.6.32-220.el6.x86_64
efi
grub
initramfs-2.6.32-220.2.1.el6.x86_64.img
initramfs-2.6.32-220.el6.x86_64.img
lost+found
symvers-2.6.32-220.2.1.el6.x86_64.gz
symvers-2.6.32-220.el6.x86_64.gz
System.map-2.6.32-220.2.1.el6.x86_64
System.map-2.6.32-220.el6.x86_64
vmlinuz-2.6.32-220.2.1.el6.x86_64
vmlinuz-2.6.32-220.el6.x86_64


After the new kernel is installed there will be an entry for it in /etc/grub.conf (/boot/grub/grub.conf).

# cat /etc/grub.conf

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/OSVG-lvroot
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.32-220.2.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.2.1.el6.x86_64 ro root=/dev/mapper/OSVG-lvroot rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=OSVG/lvswap SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto quiet rd_LVM_LV=OSVG/lvroot  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-220.2.1.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-220.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/OSVG-lvroot rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=OSVG/lvswap SYSFONT=latarcyrheb-sun16 rhgb crashkernel=auto quiet rd_LVM_LV=OSVG/lvroot  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM
        initrd /initramfs-2.6.32-220.el6.x86_64.img


As you can see above, the default kernel at boot time is 0, which is the new kernel.
Reboot the server and check for the new kernel. If the new kernel does not work, you can change the default option to 1 to boot from the old kernel.

After the server restarts, verify the new kernel version.

# uname -r
2.6.32-220.2.1.el6.x86_64

# rpm -qa kernel
kernel-2.6.32-220.el6.x86_64
kernel-2.6.32-220.2.1.el6.x86_64
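
Before rebooting, it helps to confirm which kernel the default= index in grub.conf actually selects and that its image and initramfs are present in /boot. The script below is an added example, not part of the original post; the function names are hypothetical and the embedded grub.conf is a constructed sample modelled on the listing above, with the kernel arguments shortened.

```sh
#!/bin/sh
# Added example (not from the original post): inspect a legacy GRUB grub.conf.

# Constructed sample modelled on the listing above; kernel arguments shortened.
sample_grub_conf() {
cat <<'EOF'
# grub.conf generated by anaconda
default=0
timeout=5
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.32-220.2.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.2.1.el6.x86_64 ro root=/dev/mapper/OSVG-lvroot quiet
        initrd /initramfs-2.6.32-220.2.1.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-220.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/OSVG-lvroot quiet
        initrd /initramfs-2.6.32-220.el6.x86_64.img
EOF
}

# grub_default_kernel [N]
# Reads grub.conf on stdin and prints the kernel version booted by stanza N
# (title stanzas are counted from 0). Without N, the file's default= value is
# used. Returns 1 when the index points past the last stanza.
grub_default_kernel() {
    awk -v override="$1" '
        /^[ \t]*#/              { next }                  # skip comments
        /^[ \t]*default[ \t]*=/ { split($0, kv, "="); def = kv[2] + 0; next }
        /^[ \t]*title[ \t]/     { idx++; next }           # start of a stanza
        /^[ \t]*kernel[ \t]/    { v = $2; sub(/^.*vmlinuz-/, "", v); kern[idx] = v }
        END {
            want = (override != "") ? override + 0 : def + 0
            if ((want + 1) in kern) { print kern[want + 1]; exit 0 }
            exit 1
        }'
}

# kernel_files_present BOOTDIR VERSION
# Succeeds only if both the kernel image and its initramfs exist in BOOTDIR.
kernel_files_present() {
    [ -f "$1/vmlinuz-$2" ] && [ -f "$1/initramfs-$2.img" ]
}

# Demo on the constructed sample: the default entry, then the fallback entry.
echo "default=0 boots: $(sample_grub_conf | grub_default_kernel)"
echo "default=1 boots: $(sample_grub_conf | grub_default_kernel 1)"
```

On a real system the same functions can be fed /etc/grub.conf and pointed at /boot.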


In the next post we will learn package management through YUM, which resolves dependencies automatically.

Pawan Sharma | December 11, 2012 | | Be the first to comment!

Package Management in RHEL6: RPM

One of the major duties of a system administrator is to manage applications/software on the server. A system administrator needs to know how to add and remove packages and how to get information about them. In this post we will learn the RPM (Redhat Package Manager) commands used to manage software on Redhat Enterprise Linux 6. This RHCSA objective is a must for passing the RHCSA certification exam. In this post we will learn:

  • What is an RPM package?
  • How to install a .rpm package file in Redhat Enterprise Linux 6 (RHEL 6)?
  • How to remove/erase an rpm package in RHEL 6?
  • How to query a package in RHEL 6?
  • How to check the signature of an rpm package?

In RHEL 6, applications/software come in the form of packages. In general, a package is a container of files. A package includes binary scripts, configuration files and documentation files. An RPM package name usually includes the version and architecture. For example, in openssh-5.3p1-70.el6.x86_64, openssh is the package name, 5.3p1 is the version, 70 is the build and x86_64 is the architecture.

In Redhat Enterprise Linux 6, software packages have their dependent packages. RPM package installation won’t work if there are unmet dependencies. To install a .rpm package, use one of the commands below:

# rpm -i package_name
# rpm -U package_name

The rpm -i option installs the package if it is not already installed. The rpm -U option upgrades the package if it is installed, or installs it if it is not. I suggest using the -vh options when installing or upgrading a package; they add verbose mode and hash marks to help monitor the installation process. Also, at the time of installation, if some files are to be overwritten, rpm automatically takes a backup of the original file with a .rpmsave extension.

NOTE: Before upgrading any package, take a backup of all configuration files related to that package.


EXAMPLE:

In this example we will install gcc package.

# rpm -ivh gcc-4.4.6-3.el6.x86_64.rpm

warning: gcc-4.4.6-3.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
error: Failed dependencies:
        cloog-ppl >= 0.15 is needed by gcc-4.4.6-3.el6.x86_64
        cpp = 4.4.6-3.el6 is needed by gcc-4.4.6-3.el6.x86_64
        glibc-devel >= 2.2.90-12 is needed by gcc-4.4.6-3.el6.x86_64

In the above example we can see that there is an error while installing the “gcc-4.4.6-3.el6.x86_64.rpm” package, and the installation failed. This is due to dependencies: gcc requires the cpp and libgomp packages to install. So we have to install the cpp, cloog-ppl and glibc-devel packages first.

# rpm -ivh cpp-4.4.6-3.el6.x86_64.rpm

warning: cpp-4.4.6-3.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
error: Failed dependencies:
        libmpfr.so.1()(64bit) is needed by cpp-4.4.6-3.el6.x86_64

Again, the package “cpp-4.4.6-3.el6.x86_64.rpm” failed due to a dependency error. In Linux this is called “dependency hell”. To overcome this problem Redhat introduced YUM (Yellow Dog Modifier), which will find and resolve all dependencies to install a package. We will discuss YUM in some other post.

If a package doesn’t require any dependencies, or all its dependencies are already installed, the package will install.

# rpm -ivh squid-3.1.10-1.el6_1.1.x86_64.rpm

warning: squid-3.1.10-1.el6_1.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...             ########################################### [100%]
1:squid                  ########################################### [100%]

To remove a package use rpm -e command. Here e stands for erase.

# rpm -e squid

To check a .rpm package signature, use the --checksig option:

# rpm --checksig firefox-3.6.24-3.el6_1.x86_64.rpm

firefox-3.6.24-3.el6_1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#fd431d51)
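
The NOKEY warnings in the install transcripts and the NOT OK (MISSING KEYS ...) result above both mean that rpm could not verify the package, because the signer's public key (ID fd431d51) has not been imported with rpm --import; rpm -ivh installed the kernel and squid packages anyway. The script below is an added example, not from the original post: it classifies a --checksig result line and installs only when the signature verifies. The function names and the RPM_BIN override are hypothetical, and the passing sample line is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): act on `rpm --checksig` results.

# checksig_verdict LINE
# Classifies one result line: verified | missing-key | bad | unknown.
checksig_verdict() {
    case "$1" in
        *"MISSING KEYS"*) echo missing-key ;;  # signer's public key is not imported
        *"NOT OK"*)       echo bad ;;           # digest or signature did not match
        *" OK")           echo verified ;;
        *)                echo unknown ;;
    esac
}

# checksig_keyid LINE
# Prints the key ID rpm reports as missing (the part after "#"), if any.
checksig_keyid() {
    printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS:.*#\([0-9A-Fa-f]\{8,\}\)).*/\1/p'
}

# install_if_verified FILE
# Installs FILE only when its signature verifies. RPM_BIN is a hypothetical
# override for the rpm command so the logic can be exercised without rpm.
install_if_verified() {
    line=$("${RPM_BIN:-rpm}" --checksig "$1" 2>&1) || true
    verdict=$(checksig_verdict "$line")
    if [ "$verdict" != verified ]; then
        echo "refusing $1: $verdict $(checksig_keyid "$line")" >&2
        return 1
    fi
    "${RPM_BIN:-rpm}" -ivh "$1"
}

# Demo: the result line from the post, then a constructed passing line.
from_post='firefox-3.6.24-3.el6_1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#fd431d51)'
constructed_ok='firefox-3.6.24-3.el6_1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK'
echo "$(checksig_verdict "$from_post") key=$(checksig_keyid "$from_post")"
echo "$(checksig_verdict "$constructed_ok")"
```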

SOME MORE RPM COMMANDS

  • rpm -q package_name: This will query if package is installed or not.

# rpm -q firefox
firefox-3.6.24-3.el6_1.x86_64

# rpm -q squid
package squid is not installed

  • rpm -qa: List all installed packages.

# rpm -qa

postfix-2.6.6-2.2.el6_1.x86_64
rpcbind-0.2.0-8.el6.x86_64
hpijs-3.10.9-3.el6.x86_64
system-config-printer-libs-1.1.16-22.el6.x86_64
filesystem-2.4.30-3.el6.x86_64
mdadm-3.2.2-9.el6.x86_64
…..
………..

  • rpm -ql package_name: List all files from package.
  • rpm -qc package_name: List only configuration files from package.
  • rpm -qf /path/filename: List packages associated with file.
  • rpm -qi package_name: List basic information about the package.

In the next post we will learn more about package management in RHEL 6 using YUM.

If you have any questions or queries, please post a comment.


Pawan Sharma | September 8, 2012 | | 19 Comments so far

Set Access Control List (ACL) in RHEL 6

In this post we will discuss Access Control Lists in Redhat Enterprise Linux 6, which give permissions to different users and groups on a file or directory. As discussed in the previous posts, file/directory permissions can be set for the owner, group and other users. But what if we have to give different permissions to different users on the same file/directory? In such a situation we can set an ACL on the file/directory to give different permissions to different users.

Before applying ACLs, you have to mount the partition on which you want to set ACLs with the “acl” option. We can mount the partition using the mount command, or add the “acl” option in /etc/fstab for that partition.

[root@PawanS1 ~]# mount -o remount,acl /appl


As shown in the above picture, we have added the “acl” option in the /etc/fstab file.
We can set ACLs on a per-user and per-group basis, and we can also modify the ACL mask.
To set an ACL on a file or directory, use the “setfacl” command with the -m option to add or modify current ACLs.

[root@PawanS1 ~]# setfacl -m acl_rule files


ACL RULES:

u:uid:permission :- This rule will set the ACL for the user with the mentioned uid or user name of a valid user.
g:gid:permission :- This rule will set the ACL for the group with the mentioned gid or group name of a valid group.
m:permission :- This will update the mask of the ACL.

Note: “permission” in the rules above can be a combination of read (r), write (w) and execute (x).

Let’s take some examples of ACL:

Give read and execute permission to user usaid on file test.txt

[root@PawanS1 ~]# setfacl -m u:usaid:r-x test.txt

Give read, write and execute permissions to group admin on directory /servers recursively.

[root@PawanS1 ~]# setfacl -Rm g:admin:rwx /servers


Note: If possible, use the uid/gid to add or change an ACL, as a username starting with a numeric character will cause problems while adding an access control list.

Some of the options used with setfacl command.

-b : Remove all extended ACL entries.
-d : Grant default ACL.
-m : Modify and Add ACLs.
-R : Apply ACL recursively on subdirectories.
-x : Remove particular ACL entry.

Remove all permissions of user siddharth on file test.txt

[root@PawanS1 ~]# setfacl -x u:siddharth test.txt

A file on which an ACL is set has a “+” at the end of the permission column in “ls -l” output.

[root@PawanS1 ~]# ls -l shared_file.txt
-rw-rwxr--+ 1 root root 43 Aug 29 12:20 shared_file.txt

To view the current ACLs on a file or directory we can use the “getfacl” command. The example below shows the ACL applied on a file named shared_file.txt:

[root@PawanS1 ~]# getfacl shared_file.txt

# file: shared_file.txt
# owner: root
# group: root
user::rw-
user:siddharth:r--
user:usaid:rw-
user:ramswaroop:r-x
group::r--
mask::rwx
other::r--

In the above example you can see that the owner and group of the file are root, user “siddharth” has read access, user “usaid” has read and write permission, and user “ramswaroop” has read and execute permission on the file shared_file.txt.
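
In the getfacl output above, the mask:: entry caps what named users, named groups and the owning group can actually do, and on a file with an ACL the group column of ls -l shows that mask (rwx in -rw-rwxr--+) rather than the group::r-- entry. The script below is an added example, not from the original post, that computes the effective permission of each entry; the function names are hypothetical, and the sample is the post's getfacl output with the mask narrowed to r--, which is a constructed change.

```sh
#!/bin/sh
# Added example (not from the original post): effective ACL permissions.

# Constructed sample: the getfacl output above with the mask narrowed to r--
# (the result of a rule such as m:r-- given to setfacl -m).
sample_getfacl() {
cat <<'EOF'
# file: shared_file.txt
# owner: root
# group: root
user::rw-
user:siddharth:r--
user:usaid:rw-
user:ramswaroop:r-x
group::r--
mask::r--
other::r--
EOF
}

# acl_effective
# Reads getfacl output on stdin and prints "tag:name:effective" per entry.
# Named users, named groups and the owning group are ANDed with the mask;
# the file owner (user::) and other:: are not limited by it.
acl_effective() {
    awk -F: '
        /^#/ || NF < 3   { next }                 # header comments, blank lines
        $1 == "default"  { next }                 # default ACLs are not evaluated here
        { n++; tag[n] = $1; name[n] = $2; perm[n] = substr($3, 1, 3) }
        $1 == "mask"     { mask = perm[n]; have_mask = 1 }
        END {
            for (i = 1; i <= n; i++) {
                if (tag[i] == "mask") continue
                eff = perm[i]
                masked = (tag[i] == "group") || (tag[i] == "user" && name[i] != "")
                if (have_mask && masked) {
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm[i], k, 1)
                        eff = eff ((c == substr(mask, k, 1)) ? c : "-")
                    }
                }
                print tag[i] ":" name[i] ":" eff
            }
        }'
}

# acl_for TAG NAME: effective permission of one entry, e.g. acl_for user usaid.
acl_for() {
    acl_effective | awk -F: -v t="$1" -v n="$2" '$1 == t && $2 == n { print $3 }'
}

# Demo: usaid was granted rw-, but the narrowed mask leaves only r--.
sample_getfacl | acl_effective
```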

For any queries please post comments. 

Pawan Sharma | August 28, 2012 | | 1 Comment so far

SUID, SGID and Sticky Bit in RHEL6

In the previous post I explained changing file/directory permissions using the chmod command in two ways: symbolic and numeric mode. In this post we will discuss three special file permissions: Sticky Bit, SUID Bit and SGID bit, using which we can make processes more secure and efficient.

In the previous post we discussed three file permissions: read (r), write (w) and execute (x). Besides these there are three more permissions: SUID (s), SGID (s) and Sticky Bit (t). First we will explain what these terms mean.

Sticky Bit(t): The sticky bit is a very simple and effective file permission; it increases the security of a file/directory which is shared with other users. When the sticky bit is enabled, only the user (owner) of that file can remove or rename the file, even if other users have full (rwx) permissions on that file. In the case of a directory, only the user (owner) of the directory or the owner of a file in that directory can remove or rename the file. The sticky bit is mainly used on directories to which multiple users have access, like /tmp. By default the sticky bit is set on /tmp in Redhat Enterprise Linux 6 (RHEL6).

[root@PawanS1 ~]# ls -ld /tmp
drwxrwxrwt.  96 root root  4096  Aug 28 12:06   /tmp

In the above example we can see that there is a “t” at execute permission for others. Sticky bit can be enabled using “chmod” command. Let’s take some examples of Sticky Bit.
  • Add sticky bit permission on a directory with all permissions using symbolic chmod.
[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwx  2  pawan admin  4096 Aug 28 10:22  Test_Dir/

[root@PawanS1 ~]# chmod +t Test_Dir/

[root@PawanS1 ~]# ls -ld Test_Dir/
drwxrwxrwt  2  pawan admin  4096 Aug 28 10:22   Test_Dir/
  • Add sticky bit permission on a directory using numeric chmod.
[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-- 2 pawan admin 4096 Aug 28 10:27   My_Dir/

[root@PawanS1 ~]# chmod 1754 My_Dir/

[root@PawanS1 ~]# ls -ld My_Dir/
drwxr-xr-T  2  pawan admin  4096 Aug 28 10:27   My_Dir/

Note: This time we have a “T” instead of “t” because the directory does not have execute permission for others.

SUID (Set User ID) Bit(s): We mainly enable the SUID bit on files, especially on executable scripts. When the SUID bit is enabled on a script/file, whenever someone executes the file it runs as the user who is the owner of that file. This means the file is ensured to run as the owner, whoever executes it. This comes in handy when you want to give execute rights on a root-privileged script to some other user. In RHEL 6, the SUID bit is set by default on commands like /usr/bin/passwd, /usr/bin/wall, /usr/bin/ssh-agent, etc. This is the reason a user can change their own password.

[root@PawanS1 ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 27936 Aug  3  2010  /usr/bin/passwd

In the above example we can see that there is a “s” at execute permission of user (owner). SUID bit can be enabled using “chmod” command. Let’s take some examples of SUID bit.
  • Add SUID bit on a script using symbolic chmod.
[root@PawanS1 ~]# ls -l test_script.sh
-rwxr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh

[root@PawanS1 ~]# chmod u+s test_script.sh

[root@PawanS1 ~]# ls -l test_script.sh
-rwsr-xr-x 1 root admin 43 Aug 28 11:51  test_script.sh
  • Add SUID bit on a script which does not have execute permission for user (owner) using numeric chmod.
[root@PawanS1 ~]# ls -l my_script.sh
-rw-r--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

[root@PawanS1 ~]# chmod  4644 my_script.sh

[root@PawanS1 ~]# ls -l my_script.sh
-rwSr--r-- 1 root admin 29 Aug 28 11:58   my_script.sh

Note: This time we have an “S” instead of “s” because the script “my_script.sh” does not have execute permission for the user.

SGID (Set Group ID) Bit: The SGID bit is very useful when you have to give access to a directory to a set of users in a group. When the SGID bit is enabled on a directory, any file/directory created under it by any user has the same group permissions as the parent directory.

For example, you have created a group named “sales” and you have added four users, pawan, siddharth, ramswaroop and usaid, to the group “sales”. Now you want every file created by any of these four users under the directory “/Sales” to be accessible by any of these users.

1. To do this, first create the directory “/Sales” and then change its group owner and group permission to sales and rwx respectively.

[root@PawanS1 ~]# mkdir /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxr-xr-x 2 root root 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g=rwx /Sales/

[root@PawanS1 ~]# chgrp sales /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

2. Then enable the SGID bit on the “/Sales” directory.

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwxr-x 2 root sales 4096 Aug 28 12:31 /Sales/

[root@PawanS1 ~]# chmod g+s /Sales/

[root@PawanS1 ~]# ls -ld /Sales/
drwxrwsr-x 2 root sales 4096 Aug 28 12:31 /Sales/

In the above example we can see that there is an “s” at the execute permission of the group. Now any file created under the directory “/Sales” will have the group owner sales.

Now log in as user pawan, create a file in /Sales and check its permissions.

[pawan@PawanS1 Sales]# touch test.txt

[pawan@PawanS1 Sales]# ls -l test.txt
-rw-rw-r-- 1 pawan sales 8 Aug 28 12:43 test.txt
  • We can also enable SGID bit using chmod in numeric mode.
[root@PawanS1 ~]# ls -ld /Purchase/
drwxrw-r-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

[root@PawanS1 ~]# chmod 2765 /Purchase/

[root@PawanS1 ~]# ls -ld /Purchase/
drwxrwSr-x 2 root purchase 4096 Aug 28 12:31 /Purchase/

Note: This time we have a “S” instead of “s” because directory “/Purchase” does not have execute permission for group.

The table below summarizes chmod for the SUID, SGID and Sticky Bit.

Permission    Symbolic Mode          Numeric Mode
Sticky Bit    chmod +t file_name     chmod 1XXX file_name
SUID Bit      chmod u+s file_name    chmod 4XXX file_name
SGID Bit      chmod g+s file_name    chmod 2XXX file_name

where X is the permission for user, group and other
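
Because a SUID or SGID file runs with its owner's or group's privileges, and a world-writable directory without the sticky bit lets any user remove or rename other users' files, it is worth listing where these bits are set and comparing the result against a reviewed baseline. The script below is an added example, not from the original post; the function names and the baseline file format are hypothetical, and the demo builds its own scratch tree.

```sh
#!/bin/sh
# Added example (not from the original post): audit special permission bits.
# Note: Linux ignores the SUID bit when it executes "#!" scripts, but a script
# carrying the bit is still reported here so that it gets reviewed.

# audit_special_bits DIR
# Prints one "<KIND> <path>" line per finding, sorted:
#   SUID      regular file with the set-user-ID bit  (chmod 4XXX / u+s)
#   SGID      regular file with the set-group-ID bit (chmod 2XXX / g+s)
#   NOSTICKY  directory writable by others without the sticky bit (no 1XXX / +t)
audit_special_bits() {
    {
        find "$1" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
        find "$1" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/SGID /'
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/NOSTICKY /'
    } | sort
}

# unexpected_special_bits DIR BASELINE
# BASELINE is a file of findings already reviewed and accepted, in the same
# line format. Prints findings missing from it; returns 1 if there are any.
unexpected_special_bits() {
    new=$(audit_special_bits "$1" | grep -Fxv -f "$2" || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Demo on a scratch tree built here (constructed input).
demo_audit() {
    d=$(mktemp -d) || return 1
    touch "$d/helper" "$d/plain"
    chmod 4755 "$d/helper"; chmod 0755 "$d/plain"
    mkdir "$d/dropbox" "$d/shared"
    chmod 0777 "$d/dropbox"; chmod 1777 "$d/shared"
    audit_special_bits "$d" | sed "s|$d|<scratch>|"
    rm -rf "$d"
}
demo_audit
```

To audit a real system, call audit_special_bits on a directory such as /usr/bin, save the reviewed output as the baseline, and run unexpected_special_bits against it afterwards.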

If you have any doubts or queries please post comment.


Pawan Sharma | August 27, 2012 | | 1 Comment so far

Changing File Permissions using chmod command

In this post we will learn how to use the “chmod” command to change file permissions in Redhat Enterprise Linux 6. Linux is a multi-user operating system; this means many users can have access to a particular file or directory. To maintain security, Linux has three categories of user (user, group and other) for file permissions (as discussed in the previous post), and three types of permission for each category: read, write and execute.

To view the current permissions of a file we can use the long directory listing command “ls -l”:

[root@PawanS1 ~]# ls -l test_file.txt
-rwxr-xr-- 1 pawan admin 30 Aug 27 13:05 test_file.txt

In the above example we can see that the owner of the file is pawan, the group owner of the file is admin, and the file has permissions rwxr-xr--, which means:
User has read, write and execute (rwx) permissions.
Group has read and execute (r-x) permissions.
And others have only read (r--) permission.
Note: “-” means no permission.

This means user pawan has full access to the file test_file.txt: he can read, modify and also execute the file. Members of group admin can only read and execute the file. Users other than pawan and members of group admin can only read the file and can’t modify or execute it.

To change the permissions of a file we can use the “chmod” command; only root and the file owner can change the permissions of a file. There are two methods of changing permissions:
  • Symbolic mode
  • Numeric mode
Symbolic Mode:
Symbolic mode is very easy to use. There are three steps in this process:
  1. Decide whether you have to change permission for user (u), group (g), other (o) or for all (a).
  2. Decide to add (+), remove (-) or reset all permission (=).
  3. Decide what would be the permission: read (r), write (w), or execute (x).
  4. Then give the name of file of which you have to change permission.
Few examples of chmod in symbolic mode:
  • Remove execute permission from user
[root@PawanS1 ~]# chmod u-x test_file.txt
  • Add write permission for both group and other
[root@PawanS1 ~]# chmod go+w test_file.txt
  • Remove write and execute permissions from other
[root@PawanS1 ~]# chmod o-wx test_file.txt
  • Add write permissions for all
[root@PawanS1 ~]# chmod a+w test_file.txt
  • Change permission of user to rwx
[root@PawanS1 ~]# chmod u=rwx test_file.txt
  • To remove execute permission recursively from files in a directory
[root@PawanS1 ~]# chmod -R u-x Test_Directory/

The table below summarizes chmod in symbolic mode:

User to be modified    What to do                Permission
u (user/owner)         + (add permission)        r (read)
g (group)              - (remove permission)     w (write)
o (other)              = (change permission)     x (execute)
a (all)


 
Note: Besides the above-mentioned permissions there are two more permissions, SUID/SGID (s) and Sticky bit (t), which can be set to give special permission.

Numeric Mode:
The numeric mode of the chmod command is also very useful and easy. It changes the old permissions directly to the new permissions. In numeric mode, file permissions are represented by a three-digit number. Each permission (r, w and x) is also represented by a number.

4=read(r)
2=write(w)
1=execute(x)
0=none(-)

To create a permission we add the numbers accordingly. For example:

rwx = 4+2+1 = 7
rw- = 4+2+0 = 6
--x = 0+0+1 = 1

To change the permissions of a file we give chmod a 4-digit number built from the above. After the leading digit (see the note below), the first digit is the permission for user, the second digit is the permission for group and the third digit is the permission for other.

Few examples of chmod in numeric mode:
  • To change permission to -rwxrw-r--
[root@PawanS1 ~]# chmod 0764 test_file.txt

In the above example 7=4+2+1, 6=4+2+0 and 4=4+0+0. This means the owner has rwx (7), the group has rw- (6) and others have r-- (4) permission.
  • To change permission to -rw-r-x--x
[root@PawanS1 ~]# chmod 0651 test_file.txt

Note: The first digit 0 is for special permission like SUID, SGID and Sticky bit.

Besides these three bits discussed above there is a special bit which is used to give special permission to a file or directory for setting SUID bit, SGID bit and Sticky bit, which can be represented by. We will discuss this in the next post.

Numeric mode takes some time to get comfortable with, but it is very useful and effective for changing permissions quickly.
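
Numeric mode and the leading special digit can be checked against what ls -l prints, including the s/S and t/T cases from the SUID, SGID and Sticky Bit post. The function below is an added example, not from the original posts; mode_to_octal is a hypothetical name, and the inputs in the demo are permission columns taken from the listings on this page.

```sh
#!/bin/sh
# Added example (not from the original posts): ls -l permission column -> octal.

# mode_to_octal STRING
# STRING is the permission column of `ls -l`, e.g. "-rwsr-xr-x"; a trailing
# "." or "+" marker is ignored. Prints the 4-digit mode chmod would take.
# Returns 1 for anything that is not a valid permission column.
mode_to_octal() {
    printf '%s\n' "$1" | awk '
    {
        s = substr($0, 2, 9)
        if (length(s) != 9) exit 1
        special = 0; digits = ""
        for (i = 0; i < 3; i++) {                    # 0 = user, 1 = group, 2 = other
            r = substr(s, i * 3 + 1, 1)
            w = substr(s, i * 3 + 2, 1)
            x = substr(s, i * 3 + 3, 1)
            if ((r != "r" && r != "-") || (w != "w" && w != "-")) exit 1
            d = (r == "r" ? 4 : 0) + (w == "w" ? 2 : 0)
            bit = (i == 0) ? 4 : ((i == 1) ? 2 : 1)  # SUID, SGID, sticky
            if (x == "x") d += 1
            else if ((x == "s" && i < 2) || (x == "t" && i == 2)) { d += 1; special += bit }
            else if ((x == "S" && i < 2) || (x == "T" && i == 2)) special += bit
            else if (x != "-") exit 1
            digits = digits d
        }
        print special digits
    }'
}

# Demo: permission columns taken from the listings on this page.
for m in -rwxr-xr-- -rwsr-xr-x -rwSr--r-- drwxrwsr-x drwxrwSr-x drwxrwxrwt. drwxr-xr-T -rw-rwxr--+; do
    printf '%-12s %s\n' "$m" "$(mode_to_octal "$m")"
done
```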