notes

Things I've written down that I might want to reference later.
Log | Files | Refs | README

commit 9c89b194e7cd86f95401fd49c5bd23599ed04979
parent 01e51fc661751612354657c45e47ca232216125a
Author: Robbie D <git@robertdherb.com>
Date:   Tue, 18 Feb 2020 16:26:44 -0600

Added Unix Toolbox from cb.vu/unixtoolbox.html

Diffstat:
unixtoolbox.xhtml | 4035+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 4035 insertions(+), 0 deletions(-)

diff --git a/unixtoolbox.xhtml b/unixtoolbox.xhtml @@ -0,0 +1,4035 @@ + Unix Toolbox + + This document is a collection of Unix/Linux/BSD commands and tasks which + are useful for IT work or for advanced users. This is a practical guide + with concise explanations, however the reader is supposed to know what + s/he is doing. + + Unix Toolbox revision 14.5 + The latest version of this document can be found at + http://cb.vu/unixtoolbox.xhtml. Replace .xhtml on the link with .pdf for + the PDF version and with .book.pdf for the booklet version. On a duplex + printer the booklet will create a small book ready to bind. This XHTML + page can be converted into a nice PDF document with a CSS3 compliant + application (see the script example). See also the about page. + Error reports and comments are most welcome - c@cb.vu Colin Barschel. + + © Colin Barschel 2007-2016. Some rights reserved under Creative Commons. + + 1. System + 2. Processes + 3. File System + 4. Network + 5. SSH SCP + 6. VPN with SSH + 7. RSYNC + 8. SUDO + 9. Encrypt Files + 10. Encrypt Partitions + 11. SSL Certificates + 12. CVS + 13. SVN + 14. Useful Commands + 15. Install Software + 16. Convert Media + 17. Printing + 18. Databases + 19. Disk Quota + 20. Shells + 21. Scripting + 22. Programming + 23. Online Help + + white black + +System + + Hardware | Statistics | Users | Limits | Runlevels | root password | + Compile kernel | Repair grub | Misc + Running kernel and system information +# uname -a # Get the kernel version (and BSD version) +# lsb_release -a # Full release info of any LSB distribution +# cat /etc/SuSE-release # Get SuSE version +# cat /etc/debian_version # Get Debian version + + Use /etc/DISTR-release with DISTR= lsb (Ubuntu), redhat, gentoo, + mandrake, sun (Solaris), and so on. See also /etc/issue. +# uptime # Show how long the system has been running ++ load +# hostname # system's host name +# hostname -i # Display the IP address of the host. (Linux + only) +# man hier # Description of the file system hierarchy +# last reboot # Show system reboot history + +Hardware Informations + + Kernel detected hardware +# dmesg # Detected hardware and boot messages +# lsdev # information about installed hardware +# dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8 # Read BIOS + +Linux + +# cat /proc/cpuinfo # CPU model +# cat /proc/meminfo # Hardware memory +# grep MemTotal /proc/meminfo # Display the physical memory +# watch -n1 'cat /proc/interrupts' # Watch changeable interrupts continuously +# free -m # Used and free memory (-m for MB) +# cat /proc/devices # Configured devices +# lspci -tv # Show PCI devices +# lsusb -tv # Show USB devices +# lshal # Show a list of all devices with their prop +erties +# dmidecode # Show DMI/SMBIOS: hw info from the BIOS + +FreeBSD + +# sysctl hw.model # CPU model +# sysctl hw # Gives a lot of hardware information +# sysctl hw.ncpu # number of active CPUs installed +# sysctl vm # Memory usage +# sysctl hw.realmem # Hardware memory +# sysctl -a | grep mem # Kernel memory settings and info +# sysctl dev # Configured devices +# pciconf -l -cv # Show PCI devices +# usbdevs -v # Show USB devices +# atacontrol list # Show ATA devices +# camcontrol devlist -v # Show SCSI devices + +Load, statistics and messages + + The following commands are useful to find out what is going on on the + system. +# top # display and update the top cpu processes +# mpstat 1 # display processors related statistics +# vmstat 2 # display virtual memory statistics +# iostat 2 # display I/O statistics (2 s intervals) +# systat -vmstat 1 # BSD summary of system statistics (1 s inte +rvals) +# systat -tcp 1 # BSD tcp connections (try also -ip) +# systat -netstat 1 # BSD active network connections +# systat -ifstat 1 # BSD network traffic through active interfa +ces +# systat -iostat 1 # BSD CPU and and disk throughput +# ipcs -a # information on System V interprocess +# tail -n 500 /var/log/messages # Last 500 kernel/syslog messages +# tail /var/log/warn # System warnings messages see syslog.conf + +Users + +# id # Show the active user id with login and gro +up +# last # Show last logins on the system +# who # Show who is logged on the system +# groupadd admin # Add group "admin" and user colin (Linux/So +laris) +# useradd -c "Colin Barschel" -g admin -m colin +# usermod -a -G <group> <user> # Add existing user to group (Debian) +# groupmod -A <user> <group> # Add existing user to group (SuSE) +# userdel colin # Delete user colin (Linux/Solaris) +# adduser joe # FreeBSD add user joe (interactive) +# rmuser joe # FreeBSD delete user joe (interactive) +# pw groupadd admin # Use pw on FreeBSD +# pw groupmod admin -m newmember # Add a new member to a group +# pw useradd colin -c "Colin Barschel" -g admin -m -s /bin/tcsh +# pw userdel colin; pw groupdel admin + + Encrypted passwords are stored in /etc/shadow for Linux and Solaris and + /etc/master.passwd on FreeBSD. If the master.passwd is modified manually + (say to delete a password), run # pwd_mkdb -p master.passwd to rebuild + the database. + To temporarily prevent logins system wide (for all users but root) use + nologin. The message in nologin will be displayed (might not work with + ssh pre-shared keys). +# echo "Sorry no login now" > /etc/nologin # (Linux) +# echo "Sorry no login now" > /var/run/nologin # (FreeBSD) + +Limits + + Some application require higher limits on open files and sockets (like a + proxy web server, database). The default limits are usually too low. + +Linux + +Per shell/script + + The shell limits are governed by ulimit. The status is checked with + ulimit -a. For example to change the open files limit from 1024 to 10240 + do: +# ulimit -n 10240 # This is only valid within the shell + + The ulimit command can be used in a script to change the limits for the + script only. + +Per user/process + + Login users and applications can be configured in + /etc/security/limits.conf. For example: +# cat /etc/security/limits.conf +* hard nproc 250 # Limit user processes +asterisk hard nofile 409600 # Limit application open files + +System wide + + Kernel limits are set with sysctl. Permanent limits are set in + /etc/sysctl.conf. +# sysctl -a # View all system limits +# sysctl fs.file-max # View max open files limit +# sysctl fs.file-max=102400 # Change max open files limit +# echo "1024 50000" > /proc/sys/net/ipv4/ip_local_port_range # port range +# cat /etc/sysctl.conf +fs.file-max=102400 # Permanent entry in sysctl.conf +# cat /proc/sys/fs/file-nr # How many file descriptors are in use + +FreeBSD + +Per shell/script + + Use the command limits in csh or tcsh or as in Linux, use ulimit in an + sh or bash shell. + +Per user/process + + The default limits on login are set in /etc/login.conf. An unlimited + value is still limited by the system maximal value. + +System wide + + Kernel limits are also set with sysctl. Permanent limits are set in + /etc/sysctl.conf or /boot/loader.conf. The syntax is the same as Linux + but the keys are different. +# sysctl -a # View all system limits +# sysctl kern.maxfiles=XXXX # maximum number of file descriptors +kern.ipc.nmbclusters=32768 # Permanent entry in /etc/sysctl.conf +kern.maxfiles=65536 # Typical values for Squid +kern.maxfilesperproc=32768 +kern.ipc.somaxconn=8192 # TCP queue. Better for apache/sendmail +# sysctl kern.openfiles # How many file descriptors are in use +# sysctl kern.ipc.numopensockets # How many open sockets are in use +# sysctl net.inet.ip.portrange.last=50000 # Default is 1024-5000 +# netstat -m # network memory buffers statistics + + See The FreeBSD handbook Chapter + 11http://www.freebsd.org/handbook/configtuning-kernel-limits.html for + details. And also FreeBSD performance + tuninghttp://serverfault.com/questions/64356/freebsd-performance-tuning- + sysctls-loader-conf-kernel + +Solaris + + The following values in /etc/system will increase the maximum file + descriptors per proc: +set rlim_fd_max = 4096 # Hard limit on file descriptors for a singl +e proc +set rlim_fd_cur = 1024 # Soft limit on file descriptors for a singl +e proc + +Runlevels + +Linux + + Once booted, the kernel starts init which then starts rc which starts + all scripts belonging to a runlevel. The scripts are stored in + /etc/init.d and are linked into /etc/rc.d/rcN.d with N the runlevel + number. + The default runlevel is configured in /etc/inittab. It is usually 3 or + 5: +# grep default: /etc/inittab +id:3:initdefault: + + The actual runlevel can be changed with init. For example to go from 3 + to 5: +# init 5 # Enters runlevel 5 + * 0 Shutdown and halt + * 1 Single-User mode (also S) + * 2 Multi-user without network + * 3 Multi-user with network + * 5 Multi-user with X + * 6 Reboot + + Use chkconfig to configure the programs that will be started at boot in + a runlevel. +# chkconfig --list # List all init scripts +# chkconfig --list sshd # Report the status of sshd +# chkconfig sshd --level 35 on # Configure sshd for levels 3 and 5 +# chkconfig sshd off # Disable sshd for all runlevels + + Debian and Debian based distributions like Ubuntu or Knoppix use the + command update-rc.d to manage the runlevels scripts. Default is to start + in 2,3,4 and 5 and shutdown in 0,1 and 6. +# update-rc.d sshd defaults # Activate sshd with the default runlevels +# update-rc.d sshd start 20 2 3 4 5 . stop 20 0 1 6 . # With explicit arguments +# update-rc.d -f sshd remove # Disable sshd for all runlevels +# shutdown -h now (or # poweroff) # Shutdown and halt the system + +FreeBSD + + The BSD boot approach is different from the SysV, there are no + runlevels. The final boot state (single user, with or without X) is + configured in /etc/ttys. All OS scripts are located in /etc/rc.d/ and in + /usr/local/etc/rc.d/ for third-party applications. The activation of the + service is configured in /etc/rc.conf and /etc/rc.conf.local. The + default behavior is configured in /etc/defaults/rc.conf. The scripts + responds at least to start|stop|status. +# /etc/rc.d/sshd status +sshd is running as pid 552. +# shutdown now # Go into single-user mode +# exit # Go back to multi-user mode +# shutdown -p now # Shutdown and halt the system +# shutdown -r now # Reboot + + The process init can also be used to reach one of the following states + level. For example # init 6 for reboot. + * 0 Halt and turn the power off (signal USR2) + * 1 Go to single-user mode (signal TERM) + * 6 Reboot the machine (signal INT) + * c Block further logins (signal TSTP) + * q Rescan the ttys(5) file (signal HUP) + +Windows + + Start and stop a service with either the service name or "service + description" (shown in the Services Control Panel) as follows: +net stop WSearch +net start WSearch # start search service +net stop "Windows Search" +net start "Windows Search" # same as above using descr. + +Reset root password + +Linux method 1 + + At the boot loader (lilo or grub), enter the following boot option: +init=/bin/sh + + The kernel will mount the root partition and init will start the bourne + shell instead of rc and then a runlevel. Use the command passwd at the + prompt to change the password and then reboot. Forget the single user + mode as you need the password for that. + If, after booting, the root partition is mounted read only, remount it + rw: +# mount -o remount,rw / +# passwd # or delete the root password (/etc/shadow) +# sync; mount -o remount,ro / # sync before to remount read only +# reboot + +FreeBSD method 1 + + On FreeBSD, boot in single user mode, remount / rw and use passwd. You + can select the single user mode on the boot menu (option 4) which is + displayed for 10 seconds at startup. The single user mode will give you + a root shell on the / partition. +# mount -u /; mount -a # will mount / rw +# passwd +# reboot + +Unixes and FreeBSD and Linux method 2 + + Other Unixes might not let you go away with the simple init trick. The + solution is to mount the root partition from an other OS (like a rescue + CD) and change the password on the disk. + * Boot a live CD or installation CD into a rescue mode which will give + you a shell. + * Find the root partition with fdisk e.g. fdisk /dev/sda + * Mount it and use chroot: + +# mount -o rw /dev/ad4s3a /mnt +# chroot /mnt # chroot into /mnt +# passwd +# reboot + +Kernel modules + +Linux + +# lsmod # List all modules loaded in the kernel +# modprobe isdn # To load a module (here isdn) + +FreeBSD + +# kldstat # List all modules loaded in the kernel +# kldload crypto # To load a module (here crypto) + +Compile Kernel + +Linux + +# cd /usr/src/linux +# make mrproper # Clean everything, including config files +# make oldconfig # Reuse the old .config if existent +# make menuconfig # or xconfig (Qt) or gconfig (GTK) +# make # Create a compressed kernel image +# make modules # Compile the modules +# make modules_install # Install the modules +# make install # Install the kernel +# reboot + +FreeBSD + + Optionally update the source tree (in /usr/src) with csup (as of FreeBSD + 6.2 or later): +# csup <supfile> + + I use the following supfile: +*default host=cvsup5.FreeBSD.org # www.freebsd.org/handbook/cvsup.html#CVSUP-MIR +RORS +*default prefix=/usr +*default base=/var/db +*default release=cvs delete tag=RELENG_7 +src-all + + To modify and rebuild the kernel, copy the generic configuration file to + a new name and edit it as needed (you can also edit the file GENERIC + directly). To restart the build after an interruption, add the option + NO_CLEAN=YES to the make command to avoid cleaning the objects already + build. +# cd /usr/src/sys/i386/conf/ +# cp GENERIC MYKERNEL +# cd /usr/src +# make buildkernel KERNCONF=MYKERNEL +# make installkernel KERNCONF=MYKERNEL + + To rebuild the full OS: +# make buildworld # Build the full OS but not the kernel +# make buildkernel # Use KERNCONF as above if appropriate +# make installkernel +# reboot +# mergemaster -p # Compares only files known to be essential +# make installworld +# mergemaster -i -U # Update all configurations and other files +# reboot + + For small changes in the source you can use NO_CLEAN=yes to avoid + rebuilding the whole tree. +# make buildworld NO_CLEAN=yes # Don't delete the old objects +# make buildkernel KERNCONF=MYKERNEL NO_CLEAN=yes + +Repair grub + + So you broke grub? Boot from a live cd, [find your linux partition under + /dev and use fdisk to find the linux partion] mount the linux partition, + add /proc and /dev and use grub-install /dev/xyz. Suppose linux lies on + /dev/sda6: +# mount /dev/sda6 /mnt # mount the linux partition on /mnt +# mount --bind /proc /mnt/proc # mount the proc subsystem into /mnt +# mount --bind /dev /mnt/dev # mount the devices into /mnt +# chroot /mnt # change root to the linux partition +# grub-install /dev/sda # reinstall grub with your old settings + +Misc + + Disable OSX virtual memory (repeat with load to re-enable). Faster + system, but a little risky. +# sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dynamic_pager. +plist +# sleep 3600; pmset sleepnow # go to standby in one hour (OSX) +# defaults write -g com.apple.mouse.scaling -float 8 + # OSX mouse acceleration (use -1 to reverse) + +Processes + + Listing | Priority | Background/Foreground | Top | Kill + +Listing and PIDs + + Each process has a unique number, the PID. A list of all running process + is retrieved with ps. +# ps -auxefw # Extensive list of all running process + + However more typical usage is with a pipe or with pgrep (for OS X + install proctools from MacPorts): +# ps axww | grep cron + 586 ?? Is 0:01.48 /usr/sbin/cron -s +# ps axjf # All processes in a tree format (Linux) +# ps aux | grep 'ss[h]' # Find all ssh pids without the grep pid +# pgrep -l sshd # Find the PIDs of processes by (part of) na +me +# echo $$ # The PID of your shell +# fuser -va 22/tcp # List processes using port 22 (Linux) +# pmap PID # Memory map of process (hunt memory leaks) +(Linux) +# fuser -va /home # List processes accessing the /home partiti +on +# strace df # Trace system calls and signals +# truss df # same as above on FreeBSD/Solaris/Unixware + +Priority + + Change the priority of a running process with renice. Negative numbers + have a higher priority, the lowest is -20 and "nice" have a positive + value. +# renice -5 586 # Stronger priority +586: old priority 0, new priority -5 + + Start the process with a defined priority with nice. Positive is "nice" + or weak, negative is strong scheduling priority. Make sure you know if + /usr/bin/nice or the shell built-in is used (check with # which nice). +# nice -n -5 top # Stronger priority (/usr/bin/nice) +# nice -n 5 top # Weaker priority (/usr/bin/nice) +# nice +5 top # tcsh builtin nice (same as above!) + + While nice changes the CPU scheduler, an other useful command ionice + will schedule the disk IO. This is very useful for intensive IO + application (e.g. compiling). You can select a class (idle - best effort + - real time), the man page is short and well explained. +# ionice c3 -p123 # set idle class for pid 123 (Linux only) +# ionice -c2 -n0 firefox # Run firefox with best effort and high prio +rity +# ionice -c3 -p$$ # Set the actual shell to idle priority + + The last command is very useful to compile (or debug) a large project. + Every command launched from this shell will have a lover priority. $$ is + your shell pid (try echo $$). + FreeBSD uses idprio/rtprio (0 = max priority, 31 = most idle): +# idprio 31 make # compile in the lowest priority +# idprio 31 -1234 # set PID 1234 with lowest priority +# idprio -t -1234 # -t removes any real time/idle priority + +Background/Foreground + + When started from a shell, processes can be brought in the background + and back to the foreground with [Ctrl]-[Z] (^Z), bg and fg. List the + processes with jobs. When needed detach from the terminal with disown. +# ping cb.vu > ping.log +^Z # ping is suspended (stopped) with [Ctrl]-[Z +] +# bg # put in background and continues running +# jobs -l # List processes in background +[1] - 36232 Running ping cb.vu > ping.log +[2] + 36233 Suspended (tty output) top +# fg %2 # Bring process 2 back in foreground + +# make # start a long compile job but need to leave + the terminal +^Z # suspended (stopped) with [Ctrl]-[Z] +# bg # put in background and continues running +# disown -h %1 # detatch process from terminal, won't be ki +lled at logout + + No straight forward way to re-attach the process to a new terminal, try + reptyr (Linux). + Use nohup to start a process which has to keep running when the shell is + closed (immune to hangups). +# nohup ping -i 60 > ping.log & + +Top + + The program top displays running information of processes. See also the + program htop from htop.sourceforge.net (a more powerful version of top) + which runs on Linux and FreeBSD (ports/sysutils/htop/). While top is + running press the key h for a help overview. Useful keys are: + * u [user name] To display only the processes belonging to the user. + Use + or blank to see all users + * k [pid] Kill the process with pid. + * 1 To display all processors statistics (Linux only) + * R Toggle normal/reverse sort. + +Signals/Kill + + Terminate or send a signal with kill or killall. +# ping -i 60 cb.vu > ping.log & +[1] 4712 +# kill -s TERM 4712 # same as kill -15 4712 +# killall -1 httpd # Kill HUP processes by exact name +# pkill -9 http # Kill TERM processes by (part of) name +# pkill -TERM -u www # Kill TERM processes owned by www +# fuser -k -TERM -m /home # Kill every process accessing /home (to umo +unt) + + Important signals are: + * 1 HUP (hang up) + * 2 INT (interrupt) + * 3 QUIT (quit) + * 9 KILL (non-catchable, non-ignorable kill) + * 15 TERM (software termination signal) + +File System + + Disk info | Boot | Disk usage | Opened files | Mount/remount | Mount SMB + | Mount image | Burn ISO | Create image | Memory disk | Disk performance + +Permissions + + Change permission and ownership with chmod and chown. The default umask + can be changed for all users in /etc/profile for Linux or + /etc/login.conf for FreeBSD. The default umask is usually 022. The umask + is subtracted from 777, thus umask 022 results in a permission 0f 755. +1 --x execute # Mode 764 = exec/read/write | read/write | +read +2 -w- write # For: |-- Owner --| |- Group-| +|Oth| +4 r-- read + ugo=a u=user, g=group, o=others, a=everyone + +# chmod [OPTION] MODE[,MODE] FILE # MODE is of the form [ugoa]*([-+=]([rwxXst] +)) +# chmod 640 /var/log/maillog # Restrict the log -rw-r----- +# chmod u=rw,g=r,o= /var/log/maillog # Same as above +# chmod -R o-r /home/* # Recursive remove other readable for all us +ers +# chmod u+s /path/to/prog # Set SUID bit on executable (know what you +do!) +# find / -perm -u+s -print # Find all programs with the SUID bit +# chown user:group /path/to/file # Change the user and group ownership of a f +ile +# chgrp group /path/to/file # Change the group ownership of a file +# chmod 640 `find ./ -type f -print` # Change permissions to 640 for all files +# chmod 751 `find ./ -type d -print` # Change permissions to 751 for all director +ies + +Disk information + +# diskinfo -v /dev/ad2 # information about disk (sector/size) FreeB +SD +# hdparm -I /dev/sda # information about the IDE/ATA disk (Linux) +# fdisk /dev/ad2 # Display and manipulate the partition table +# smartctl -a /dev/ad2 # Display the disk SMART info + +Boot + +FreeBSD + + To boot an old kernel if the new kernel doesn't boot, stop the boot at + during the count down. +# unload +# load kernel.old +# boot + +System mount points/Disk usage + +# mount | column -t # Show mounted file-systems on the system +# df # display free disk space and mounted device +s +# cat /proc/partitions # Show all registered partitions (Linux) + +Disk usage + +# du -sh * # Directory sizes as listing +# du -csh # Total directory size of the current direct +ory +# du -ks * | sort -n -r # Sort everything by size in kilobytes +# ls -lSr # Show files, biggest last + +Who has which files opened + + This is useful to find out which file is blocking a partition which has + to be unmounted and gives a typical error of: +# umount /home/ +umount: unmount of /home # umount impossible because a file is lockin +g home + failed: Device busy + +FreeBSD and most Unixes + +# fstat -f /home # for a mount point +# fstat -p PID # for an application with PID +# fstat -u user # for a user name + + Find opened log file (or other opened files), say for Xorg: +# ps ax | grep Xorg | awk '{print $1}' +1252 +# fstat -p 1252 +USER CMD PID FD MOUNT INUM MODE SZ|DV R/W +root Xorg 1252 root / 2 drwxr-xr-x 512 r +root Xorg 1252 text /usr 216016 -rws--x--x 1679848 r +root Xorg 1252 0 /var 212042 -rw-r--r-- 56987 w + + The file with inum 212042 is the only file in /var: +# find -x /var -inum 212042 +/var/log/Xorg.0.log + +Linux + + Find opened files on a mount point with fuser or lsof: +# fuser -m /home # List processes accessing /home +# lsof /home +COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME +tcsh 29029 eedcoba cwd DIR 0,18 12288 1048587 /home/eedcoba (guam:/ho +me) +lsof 29140 eedcoba cwd DIR 0,18 12288 1048587 /home/eedcoba (guam:/ho +me) + + About an application: +ps ax | grep Xorg | awk '{print $1}' +3324 +# lsof -p 3324 +COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME +Xorg 3324 root 0w REG 8,6 56296 12492 /var/log/Xorg.0.log + + About a single file: +# lsof /var/log/Xorg.0.log +COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME +Xorg 3324 root 0w REG 8,6 56296 12492 /var/log/Xorg.0.log + +Mount/remount a file system + + For example the cdrom. If listed in /etc/fstab: +# mount /cdrom + + Or find the device in /dev/ or with dmesg + +FreeBSD + +# mount -v -t cd9660 /dev/cd0c /mnt # cdrom +# mount_cd9660 /dev/wcd0c /cdrom # other method +# mount -v -t msdos /dev/fd0c /mnt # floppy + + Entry in /etc/fstab: +# Device Mountpoint FStype Options Dump Pass# +/dev/acd0 /cdrom cd9660 ro,noauto 0 0 + + To let users do it: +# sysctl vfs.usermount=1 # Or insert the line "vfs.usermount=1" in /etc/sysctl.c +onf + +Linux + +# mount -t auto /dev/cdrom /mnt/cdrom # typical cdrom mount command +# mount /dev/hdc -t iso9660 -r /cdrom # typical IDE +# mount /dev/scd0 -t iso9660 -r /cdrom # typical SCSI cdrom +# mount /dev/sdc0 -t ntfs-3g /windows # typical SCSI + + Entry in /etc/fstab: +/dev/cdrom /media/cdrom subfs noauto,fs=cdfss,ro,procuid,nosuid,nodev,exec 0 0 + +Mount a FreeBSD partition with Linux + + Find the partition number containing with fdisk, this is usually the + root partition, but it could be an other BSD slice too. If the FreeBSD + has many slices, they are the one not listed in the fdisk table, but + visible in /dev/sda* or /dev/hda*. +# fdisk /dev/sda # Find the FreeBSD partition +/dev/sda3 * 5357 7905 20474842+ a5 FreeBSD +# mount -t ufs -o ufstype=ufs2,ro /dev/sda3 /mnt +/dev/sda10 = /tmp; /dev/sda11 /usr # The other slices + +Remount + + Remount a device without unmounting it. Necessary for fsck for example +# mount -o remount,ro / # Linux +# mount -o ro -u / # FreeBSD + + Copy the raw data from a cdrom into an iso image (default 512 blocksize + might cause problems): +# dd if=/dev/cd0c of=file.iso bs=2048 + +Virtualbox + + Allow a share on the host: +# VBoxManage sharedfolder add "GuestName" --name "share" --hostpath "C:\hostshare +" + + Mount share on guest (linux, FreeBSD) +# sudo mount -t vboxsf share /home/vboxshare # -o uid=1000,gid=1000 (as appropria +te) +share /home/colin/share vboxsf defaults,uid=colin 0 0 # fstab entry + +OSX + +# diskutil list # List the partitions of a disk +# diskutil unmountDisk /dev/disk1 # Unmount an entire disk (all volumes) +# chflags hidden ~/Documents/folder # Hide folder (reverse with unhidden) + +Add swap on-the-fly + + Suppose you need more swap (right now), say a 2GB file /swap2gb (Linux + only). +# dd if=/dev/zero of=/swap2gb bs=1024k count=2000 +# mkswap /swap2gb # create the swap area +# swapon /swap2gb # activate the swap. It now in use +# swapoff /swap2gb # when done deactivate the swap +# rm /swap2gb + +Mount an SMB share + + Suppose we want to access the SMB share myshare on the computer + smbserver, the address as typed on a Windows PC is \\smbserver\myshare\. + We mount on /mnt/smbshare. Warning> cifs wants an IP or DNS name, not a + Windows name. + +Linux/OSX + +# smbclient -U user -I 192.168.16.229 -L //smbshare/ # List the shares +# mount -t smbfs -o username=winuser //smbserver/myshare /mnt/smbshare +# mount -t cifs -o username=winuser,password=winpwd //192.168.16.229/myshare /mnt +/share + + Mount Samba share through ssh tunnel +# ssh -C -f -N -p 20022 -L 445:127.0.0.1:445 me@server # connect on 20022, tunne +l 445 +# mount -t smbfs //colin@localhost/colin ~/mnt +# mount_smbfs //colin:mypassword@127.0.0.1/private /Volumes/private # I use this +on OSX + ssh + + Additionally with the package mount.cifs it is possible to store the + credentials in a file, for example /home/user/.smb: +username=winuser +password=winpwd + + And mount as follow: +# mount -t cifs -o credentials=/home/user/.smb //192.168.16.229/myshare /mnt/smbs +hare + +FreeBSD + + Use -I to give the IP (or DNS name); smbserver is the Windows name. +# smbutil view -I 192.168.16.229 //winuser@smbserver # List the shares +# mount_smbfs -I 192.168.16.229 //winuser@smbserver/myshare /mnt/smbshare + +Mount an image + +# hdiutil mount image.iso # OS X + +Linux loop-back + +# mount -t iso9660 -o loop file.iso /mnt # Mount a CD image +# mount -t ext3 -o loop file.img /mnt # Mount an image with ext +3 fs + +FreeBSD + + With memory device (do # kldload md.ko if necessary): +# mdconfig -a -t vnode -f file.iso -u 0 +# mount -t cd9660 /dev/md0 /mnt +# umount /mnt; mdconfig -d -u 0 # Cleanup the md device + + Or with virtual node: +# vnconfig /dev/vn0c file.iso; mount -t cd9660 /dev/vn0c /mnt +# umount /mnt; vnconfig -u /dev/vn0c # Cleanup the vn device + +Solaris and FreeBSD + + with loop-back file interface or lofi: +# lofiadm -a file.iso +# mount -F hsfs -o ro /dev/lofi/1 /mnt +# umount /mnt; lofiadm -d /dev/lofi/1 # Cleanup the lofi device + +Create and burn an ISO image + + This will copy the cd or DVD sector for sector. Without conv=notrunc, + the image will be smaller if there is less content on the cd. See below + and the dd examples. +# dd if=/dev/hdc of=/tmp/mycd.iso bs=2048 conv=notrunc + + Use mkisofs to create a CD/DVD image from files in a directory. To + overcome the file names restrictions: -r enables the Rock Ridge + extensions common to UNIX systems, -J enables Joliet extensions used by + Microsoft systems. -L allows ISO9660 filenames to begin with a period. +# mkisofs -J -L -r -V TITLE -o imagefile.iso /path/to/dir +# hdiutil makehybrid -iso -joliet -o dir.iso dir/ # OS X + + On FreeBSD, mkisofs is found in the ports in sysutils/cdrtools. + +Burn a CD/DVD ISO image + +FreeBSD + + FreeBSD does not enable DMA on ATAPI drives by default. DMA is enabled + with the sysctl command and the arguments below, or with + /boot/loader.conf with the following entries: +hw.ata.ata_dma="1" +hw.ata.atapi_dma="1" + + Use burncd with an ATAPI device (burncd is part of the base system) and + cdrecord (in sysutils/cdrtools) with a SCSI drive. +# burncd -f /dev/acd0 data imagefile.iso fixate # For ATAPI drive +# cdrecord -scanbus # To find the burner device (like 1,0,0) +# cdrecord dev=1,0,0 imagefile.iso + +Linux + + Also use cdrecord with Linux as described above. Additionally it is + possible to use the native ATAPI interface which is found with: +# cdrecord dev=ATAPI -scanbus + + And burn the CD/DVD as above. + +dvd+rw-tools + + The dvd+rw-tools package (FreeBSD: ports/sysutils/dvd+rw-tools) can do + it all and includes growisofs to burn CDs or DVDs. The examples refer to + the dvd device as /dev/dvd which could be a symlink to /dev/scd0 + (typical scsi on Linux) or /dev/cd0 (typical FreeBSD) or /dev/rcd0c + (typical NetBSD/OpenBSD character SCSI) or /dev/rdsk/c0t1d0s2 (Solaris + example of a character SCSI/ATAPI CD-ROM device). There is a nice + documentation with examples on the FreeBSD handbook chapter + 18.7http://www.freebsd.org/handbook/creating-dvds.html. + # -dvd-compat closes the disk +# growisofs -dvd-compat -Z /dev/dvd=imagefile.iso # Burn existing iso image +# growisofs -dvd-compat -Z /dev/dvd -J -R /p/to/data # Burn directly + +Convert a Nero .nrg file to .iso + + Nero simply adds a 300Kb header to a normal iso image. This can be + trimmed with dd. +# dd bs=1k if=imagefile.nrg of=imagefile.iso skip=300 + +Convert a bin/cue image to .iso + + The little bchunk programhttp://freshmeat.net/projects/bchunk/ can do + this. It is in the FreeBSD ports in sysutils/bchunk. +# bchunk imagefile.bin imagefile.cue imagefile.iso + +Create a file based image + + For example a partition of 1GB using the file /usr/vdisk.img. Here we + use the vnode 0, but it could also be 1. + +FreeBSD + +# dd if=/dev/random of=/usr/vdisk.img bs=1K count=1M +# mdconfig -a -t vnode -f /usr/vdisk.img -u 0 # Creates device /dev/md1 +# bsdlabel -w /dev/md0 +# newfs /dev/md0c +# mount /dev/md0c /mnt +# umount /mnt; mdconfig -d -u 0; rm /usr/vdisk.img # Cleanup the md device + + The file based image can be automatically mounted during boot with an + entry in /etc/rc.conf and /etc/fstab. Test your setup with # + /etc/rc.d/mdconfig start (first delete the md0 device with # mdconfig -d + -u 0). + Note however that this automatic setup will only work if the file image + is NOT on the root partition. The reason is that the /etc/rc.d/mdconfig + script is executed very early during boot and the root partition is + still read-only. Images located outside the root partition will be + mounted later with the script /etc/rc.d/mdconfig2. + /boot/loader.conf: +md_load="YES" + + /etc/rc.conf: +# mdconfig_md0="-t vnode -f /usr/vdisk.img" # /usr is not on the root pa +rtition + + /etc/fstab: (The 0 0 at the end is important, it tell fsck to ignore + this device, as is does not exist yet) +/dev/md0 /usr/vdisk ufs rw 0 0 + + It is also possible to increase the size of the image afterward, say for + example 300 MB larger. +# umount /mnt; mdconfig -d -u 0 +# dd if=/dev/zero bs=1m count=300 >> /usr/vdisk.img +# mdconfig -a -t vnode -f /usr/vdisk.img -u 0 +# growfs /dev/md0 +# mount /dev/md0c /mnt # File partition is now 300 + MB larger + +Linux + +# dd if=/dev/zero of=/usr/vdisk.img bs=1024k count=1024 +# mkfs.ext3 /usr/vdisk.img +# mount -o loop /usr/vdisk.img /mnt +# umount /mnt; rm /usr/vdisk.img # Cleanup + +Linux with losetup + + /dev/zero is much faster than urandom, but less secure for encryption. +# dd if=/dev/urandom of=/usr/vdisk.img bs=1024k count=1024 +# losetup /dev/loop0 /usr/vdisk.img # Creates and associates /d +ev/loop0 +# mkfs.ext3 /dev/loop0 +# mount /dev/loop0 /mnt +# losetup -a # Check used loops +# umount /mnt +# losetup -d /dev/loop0 # Detach +# rm /usr/vdisk.img + +Create a memory file system + + A memory based file system is very fast for heavy IO application. How to + create a 64 MB partition mounted on /memdisk: + +FreeBSD + +# mount_mfs -o rw -s 64M md /memdisk +# umount /memdisk; mdconfig -d -u 0 # Cleanup the md device +md /memdisk mfs rw,-s64M 0 0 # /etc/fstab entry + +Linux + +# mount -t tmpfs -osize=64m tmpfs /memdisk + +Disk performance + + Read and write a 1 GB file on partition ad4s3c (/home) +# time dd if=/dev/ad4s3c of=/dev/null bs=1024k count=1000 +# time dd if=/dev/zero bs=1024k count=1000 of=/home/1Gb.file +# hdparm -tT /dev/hda # Linux only + +Network + + Routing | Additional IP | Change MAC | Ports | Firewall | IP Forward | + NAT | DNS | DHCP | Traffic | QoS | NIS | Netcat + +Debugging (See also Traffic analysis) + +Linux + +# ethtool eth0 # Show the ethernet status (replaces mii-diag) +# ethtool -s eth0 speed 100 duplex full # Force 100Mbit Full duplex +# ethtool -s eth0 autoneg off # Disable auto negotiation +# ethtool -p eth1 # Blink the ethernet led - very useful when supported +# ip link show # Display all interfaces on Linux (similar to ifconfi +g) +# ip link set eth0 up # Bring device up (or down). Same as "ifconfig eth0 u +p" +# ip addr show # Display all IP addresses on Linux (similar to ifcon +fig) +# ip neigh show # Similar to arp -a + +Other OSes + +# ifconfig fxp0 # Check the "media" field on FreeBSD +# arp -a # Check the router (or host) ARP entry (all OS) +# ping cb.vu # The first thing to try... +# traceroute cb.vu # Print the route path to destination +# ifconfig fxp0 media 100baseTX mediaopt full-duplex # 100Mbit full duplex (FreeB +SD) +# netstat -s # System-wide statistics for each network protocol + + Additional commands which are not always installed per default but easy + to find: +# arping 192.168.16.254 # Ping on ethernet layer +# tcptraceroute -f 5 cb.vu # uses tcp instead of icmp to trace through firewalls + +Routing + +Print routing table + +# route -n # Linux or use "ip route" +# netstat -rn # Linux, BSD and UNIX +# route print # Windows + +Add and delete a route + +FreeBSD + +# route add 212.117.0.0/16 192.168.1.1 +# route delete 212.117.0.0/16 +# route add default 192.168.1.1 + + Add the route permanently in /etc/rc.conf +static_routes="myroute" +route_myroute="-net 212.117.0.0/16 192.168.1.1" + +OS X + +# sudo route -n add 192.168.0.0/27 192.168.0.62 # add a route +# netstat -nr # routing table + +Linux + +# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254 +# ip route add 192.168.20.0/24 via 192.168.16.254 # same as above with ip r +oute +# route add -net 192.168.20.0 netmask 255.255.255.0 dev eth0 +# route add default gw 192.168.51.254 +# ip route add default via 192.168.51.254 dev eth0 # same as above with ip r +oute +# route delete -net 192.168.20.0 netmask 255.255.255.0 + +Solaris + +# route add -net 192.168.20.0 -netmask 255.255.255.0 192.168.16.254 +# route add default 192.168.51.254 1 # 1 = hops to the next ga +teway +# route change default 192.168.50.254 1 + + Permanent entries are set in entry in /etc/defaultrouter. + +Windows + +# Route add 192.168.50.0 mask 255.255.255.0 192.168.51.253 +# Route add 0.0.0.0 mask 0.0.0.0 192.168.51.254 + + Use add -p to make the route persistent. + +Configure additional IP addresses + +Linux + +# ifconfig eth0 192.168.50.254 netmask 255.255.255.0 # First IP +# ifconfig eth0:0 192.168.51.254 netmask 255.255.255.0 # Second IP +# ip addr add 192.168.50.254/24 dev eth0 # Equivalent ip comman +ds +# ip link set dev eth0 up # Activate eth0 networ +k interface +# ip addr add 192.168.51.254/24 dev eth0 label eth0:1 +# ip link ls dev eth0 # Get info on eth0 +# ip addr del 1.2.3.4/32 dev eth0 # Remove an IP +# ip addr flush dev eth0 # Remove all addresses + +FreeBSD + +# ifconfig fxp0 inet 192.168.50.254/24 # First IP +# ifconfig fxp0 alias 192.168.51.254 netmask 255.255.255.0 # Second IP +# ifconfig fxp0 -alias 192.168.51.254 # Remove second IP ali +as + + Permanent entries in /etc/rc.conf +ifconfig_fxp0="inet 192.168.50.254 netmask 255.255.255.0" +ifconfig_fxp0_alias0="192.168.51.254 netmask 255.255.255.0" + +OS X + +# sudo ifconfig en3 10.10.10.201/24 # First IP +# ifconfig en3 delete 10.10.10.201 # Delete IP +# sudo ifconfig en1 down ; sudo ifconfig en1 up +# ipconfig getifaddr en1 # current IP address + +Solaris + + Check the settings with ifconfig -a +# ifconfig hme0 plumb # Enable the network c +ard +# ifconfig hme0 192.168.50.254 netmask 255.255.255.0 up # First IP +# ifconfig hme0:1 192.168.51.254 netmask 255.255.255.0 up # Second IP + +Change MAC address + + Normally you have to bring the interface down before the change. Don't + tell me why you want to change the MAC address... +# ifconfig eth0 down +# ifconfig eth0 hw ether 00:01:02:03:04:05 # Linux +# ifconfig fxp0 link 00:01:02:03:04:05 # FreeBSD +# ifconfig hme0 ether 00:01:02:03:04:05 # Solaris +# sudo ifconfig en0 ether 00:01:02:03:04:05 # OS X Tiger, Snow Leopard LAN* +# sudo ifconfig en0 lladdr 00:01:02:03:04:05 # OS X Leopard + + *Typical wireless interface is en1 and needs do disassociate from any + network first (osxdaily howto). +# echo "alias airport='/System/Library/PrivateFrameworks/Apple80211.framework/Ver +sions/Current/Resources/airport'"\ +>> ~/.bash_profile # or symlink to /usr/sbin +# airport -z # Disassociate from wireless networks +# airport -I # Get info from wireless network + + Many tools exist for Windows. For example + etherchangehttp://ntsecurity.nu/toolbox/etherchange. Or look for "Mac + Makeup", "smac". + +Ports in use + + Listening open ports: +# netstat -an | grep LISTEN +# lsof -i # Linux list all Internet connections +# socklist # Linux display list of open sockets +# sockstat -4 # FreeBSD application listing +# netstat -anp --udp --tcp | grep LISTEN # Linux +# netstat -tup # List active connections to/from system (Linux) +# netstat -tupl # List listening ports from system (Linux) +# netstat -ano # Windows + +Firewall + + Check if a firewall is running (typical configuration only): + +Linux + +# iptables -L -n -v # For status +Open the iptables firewall +# iptables -P INPUT ACCEPT # Open everything +# iptables -P FORWARD ACCEPT +# iptables -P OUTPUT ACCEPT +# iptables -Z # Zero the packet and byte counters in all c +hains +# iptables -F # Flush all chains +# iptables -X # Delete all chains + +FreeBSD + +# ipfw show # For status +# ipfw list 65535 # if answer is "65535 deny ip from any to any" the fw is disabl +ed +# sysctl net.inet.ip.fw.enable=0 # Disable +# sysctl net.inet.ip.fw.enable=1 # Enable + +IP Forward for routing + +Linux + + Check and then enable IP forward with: +# cat /proc/sys/net/ipv4/ip_forward # Check IP forward 0=off, 1=on +# echo 1 > /proc/sys/net/ipv4/ip_forward + + or edit /etc/sysctl.conf with: +net.ipv4.ip_forward = 1 + +FreeBSD + + Check and enable with: +# sysctl net.inet.ip.forwarding # Check IP forward 0=off, 1=on +# sysctl net.inet.ip.forwarding=1 +# sysctl net.inet.ip.fastforwarding=1 # For dedicated router or firewall +Permanent with entry in /etc/rc.conf: +gateway_enable="YES" # Set to YES if this host will be a gateway. + +Solaris + +# ndd -set /dev/ip ip_forwarding 1 # Set IP forward 0=off, 1=on + +NAT Network Address Translation + +Linux + +# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # to activate NAT +# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT \ +--to 192.168.16.44:22 # Port forward 20022 to internal IP port ssh +# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT \ +--to 192.168.16.254:993-995 # Port forward of range 993-995 +# ip route flush cache +# iptables -L -t nat # Check NAT status + + Delete the port forward with -D instead of -A. The program + netstat-nathttp://tweegy.nl/projects/netstat-nat is very useful to track + connections (it uses /proc/net/ip_conntrack or /proc/net/nf_conntrack). +# netstat-nat -n # show all connections with IPs + +FreeBSD + +# natd -s -m -u -dynamic -f /etc/natd.conf -n fxp0 +Or edit /etc/rc.conf with: +firewall_enable="YES" # Set to YES to enable firewall functionality +firewall_type="open" # Firewall type (see /etc/rc.firewall) +natd_enable="YES" # Enable natd (if firewall_enable == YES). +natd_interface="tun0" # Public interface or IP address to use. +natd_flags="-s -m -u -dynamic -f /etc/natd.conf" + + Port forward with: +# cat /etc/natd.conf +same_ports yes +use_sockets yes +unregistered_only +# redirect_port tcp insideIP:2300-2399 3300-3399 # port range +redirect_port udp 192.168.51.103:7777 7777 + +DNS + + On Unix the DNS entries are valid for all interfaces and are stored in + /etc/resolv.conf. The domain to which the host belongs is also stored in + this file. A minimal configuration is: +nameserver 78.31.70.238 +search sleepyowl.net intern.lab +domain sleepyowl.net + + Check the system domain name with: +# hostname -d # Same as dnsdomainname + +Windows + + On Windows the DNS are configured per interface. To display the + configured DNS and to flush the DNS cache use: +# ipconfig /? # Display help +# ipconfig /all # See all information including DNS + +Flush DNS + + Flush the OS DNS cache, some application using their own cache (e.g. + Firefox) and will be unaffected. +# /etc/init.d/nscd restart # Restart nscd if used - Linux/BSD/Solaris +# lookupd -flushcache # OS X Tiger +# dscacheutil -flushcache # OS X Leopard and newer +# ipconfig /flushdns # Windows + +Forward queries + + Dig is you friend to test the DNS settings. For example the public DNS + server 213.133.105.2 ns.second-ns.de can be used for testing. See from + which server the client receives the answer (simplified answer). +# dig sleepyowl.net +sleepyowl.net. 600 IN A 78.31.70.238 +;; SERVER: 192.168.51.254#53(192.168.51.254) + + The router 192.168.51.254 answered and the response is the A entry. Any + entry can be queried and the DNS server can be selected with @: +# dig MX google.com +# dig @127.0.0.1 NS sun.com # To test the local server +# dig @204.97.212.10 NS MX heise.de # Query an external server +# dig AXFR @ns1.xname.org cb.vu # Get the full zone (zone transfer) + + The program host is also powerful. +# host -t MX cb.vu # Get the mail MX entry +# host -t NS -T sun.com # Get the NS record over a TCP connection +# host -a sleepyowl.net # Get everything + +Reverse queries + + Find the name belonging to an IP address (in-addr.arpa.). This can be + done with dig, host and nslookup: +# dig -x 78.31.70.238 +# host 78.31.70.238 +# nslookup 78.31.70.238 + +/etc/hosts + + Single hosts can be configured in the file /etc/hosts instead of running + named locally to resolve the hostname queries. The format is simple, for + example: +78.31.70.238 sleepyowl.net sleepyowl + + The priority between hosts and a dns query, that is the name resolution + order, can be configured in /etc/nsswitch.conf AND /etc/host.conf. The + file also exists on Windows, it is usually in: +C:\WINDOWS\SYSTEM32\DRIVERS\ETC + +DHCP + +Linux + + Some distributions (SuSE) use dhcpcd as client. The default interface is + eth0. +# dhcpcd -n eth0 # Trigger a renew (does not always work) +# dhcpcd -k eth0 # release and shutdown + + The lease with the full information is stored in: +/var/lib/dhcpcd/dhcpcd-eth0.info + +FreeBSD + + FreeBSD (and Debian) uses dhclient. To configure an interface (for + example bge0) run: +# dhclient bge0 + + The lease with the full information is stored in: +/var/db/dhclient.leases.bge0 + + Use +/etc/dhclient.conf + + to prepend options or force different options: +# cat /etc/dhclient.conf +interface "rl0" { + prepend domain-name-servers 127.0.0.1; + default domain-name "sleepyowl.net"; + supersede domain-name "sleepyowl.net"; +} + +Windows + + The dhcp lease can be renewed with ipconfig: +# ipconfig /renew # renew all adapters +# ipconfig /renew LAN # renew the adapter named "LAN" +# ipconfig /release WLAN # release the adapter named "WLAN" + + Yes it is a good idea to rename you adapter with simple names! + +Traffic analysis + + Bmonhttp://people.suug.ch/~tgr/bmon/ is a small console bandwidth + monitor and can display the flow on different interfaces. + +Sniff with tcpdump + +# tcpdump -nl -i bge0 not port ssh and src \(192.168.16.121 or 192.168.16.54\) +# tcpdump -n -i eth1 net 192.168.16.121 # select to/from a single IP +# tcpdump -n -i eth1 net 192.168.16.0/24 # select traffic to/from a netw +ork +# tcpdump -l > dump && tail -f dump # Buffered output +# tcpdump -i rl0 -w traffic.rl0 # Write traffic headers in bina +ry file +# tcpdump -i rl0 -s 0 -w traffic.rl0 # Write traffic + payload in bi +nary file +# tcpdump -r traffic.rl0 # Read from file (also for ethe +real +# tcpdump port 80 # The two classic commands +# tcpdump host google.com +# tcpdump -i eth0 -X port \(110 or 143\) # Check if pop or imap is secur +e +# tcpdump -n -i eth0 icmp # Only catch pings +# tcpdump -i eth0 -s 0 -A port 80 | grep GET # -s 0 for full packet -A for A +SCII + + Additional important options: + * -A Print each packets in clear text (without header) + * -X Print packets in hex and ASCII + * -l Make stdout line buffered + * -D Print all interfaces available + + On Windows use windump from www.winpcap.org. Use windump -D to list the + interfaces. + +Scan with nmap + + Nmaphttp://insecure.org/nmap/ is a port scanner with OS detection, it is + usually installed on most distributions and is also available for + Windows. If you don't scan your servers, hackers do it for you... +# nmap cb.vu # scans all reserved TCP ports on the host +# nmap -sP 192.168.16.0/24 # Find out which IP are used and by which host on 0/24 +# nmap -sS -sV -O cb.vu # Do a stealth SYN scan with version and OS detection +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 3.8.1p1 FreeBSD-20060930 (protocol 2 +.0) +25/tcp open smtp Sendmail smtpd 8.13.6/8.13.6 +80/tcp open http Apache httpd 2.0.59 ((FreeBSD) DAV/2 PHP/4. +[...] +Running: FreeBSD 5.X +Uptime 33.120 days (since Fri Aug 31 11:41:04 2007) + + Other non standard but useful tools are hping (www.hping.org) an IP + packet assembler/analyzer and fping (fping.sourceforge.net). fping can + check multiple hosts in a round-robin fashion. + +Traffic control (QoS) + + Traffic control manages the queuing, policing, scheduling, and other + traffic parameters for a network. The following examples are simple + practical uses of the Linux and FreeBSD capabilities to better use the + available bandwidth. + +Limit upload + + DSL or cable modems have a long queue to improve the upload throughput. + However filling the queue with a fast device (e.g. ethernet) will + dramatically decrease the interactivity. It is therefore useful to limit + the device upload rate to match the physical capacity of the modem, this + should greatly improve the interactivity. Set to about 90% of the modem + maximal (cable) speed. + +Linux + + For a 512 Kbit upload modem. +# tc qdisc add dev eth0 root tbf rate 480kbit latency 50ms burst 1540 +# tc -s qdisc ls dev eth0 # Status +# tc qdisc del dev eth0 root # Delete the queue +# tc qdisc change dev eth0 root tbf rate 220kbit latency 50ms burst 1540 + +FreeBSD + + FreeBSD uses the dummynet traffic shaper which is configured with ipfw. + Pipes are used to set limits the bandwidth in units of + [K|M]{bit/s|Byte/s}, 0 means unlimited bandwidth. Using the same pipe + number will reconfigure it. For example limit the upload bandwidth to + 500 Kbit. +# kldload dummynet # load the module if necessary +# ipfw pipe 1 config bw 500Kbit/s # create a pipe with limited ba +ndwidth +# ipfw add pipe 1 ip from me to any # divert the full upload into t +he pipe + +Quality of service + +Linux + + Priority queuing with tc to optimize VoIP. See the full example on + voip-info.org or www.howtoforge.com. Suppose VoIP uses udp on ports + 10000:11024 and device eth0 (could also be ppp0 or so). The following + commands define the QoS to three queues and force the VoIP traffic to + queue 1 with QoS 0x1e (all bits set). The default traffic flows into + queue 3 and QoS Minimize-Delay flows into queue 2. +# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 + 0 +# tc qdisc add dev eth0 parent 1:1 handle 10: sfq +# tc qdisc add dev eth0 parent 1:2 handle 20: sfq +# tc qdisc add dev eth0 parent 1:3 handle 30: sfq +# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 \ + match ip dport 10000 0x3C00 flowid 1:1 # use server port range + match ip dst 123.23.0.1 flowid 1:1 # or/and use server IP + + Status and remove with +# tc -s qdisc ls dev eth0 # queue status +# tc qdisc del dev eth0 root # delete all QoS + +Calculate port range and mask + + The tc filter defines the port range with port and mask which you have + to calculate. Find the 2^N ending of the port range, deduce the range + and convert to HEX. This is your mask. Example for 10000 -> 11024, the + range is 1024. +# 2^13 (8192) < 10000 < 2^14 (16384) # ending is 2^14 = 16384 +# echo "obase=16;(2^14)-1024" | bc # mask is 0x3C00 + +FreeBSD + + The max link bandwidth is 500Kbit/s and we define 3 queues with priority + 100:10:1 for VoIP:ssh:all the rest. +# ipfw pipe 1 config bw 500Kbit/s +# ipfw queue 1 config pipe 1 weight 100 +# ipfw queue 2 config pipe 1 weight 10 +# ipfw queue 3 config pipe 1 weight 1 +# ipfw add 10 queue 1 proto udp dst-port 10000-11024 +# ipfw add 11 queue 1 proto udp dst-ip 123.23.0.1 # or/and use server IP +# ipfw add 20 queue 2 dsp-port ssh +# ipfw add 30 queue 3 from me to any # all the rest + + Status and remove with +# ipfw list # rules status +# ipfw pipe list # pipe status +# ipfw flush # deletes all rules but default + +NIS Debugging + + Some commands which should work on a well configured NIS client: +# ypwhich # get the connected NIS server name +# domainname # The NIS domain name as configured +# ypcat group # should display the group from the NIS server +# cd /var/yp && make # Rebuild the yp database +# rpcinfo -p servername # Report RPC services of the server + + Is ypbind running? +# ps auxww | grep ypbind +/usr/sbin/ypbind -s -m -S servername1,servername2 # FreeBSD +/usr/sbin/ypbind # Linux +# yppoll passwd.byname +Map passwd.byname has order number 1190635041. Mon Sep 24 13:57:21 2007 +The master server is servername.domain.net. + +Linux + +# cat /etc/yp.conf +ypserver servername +domain domain.net broadcast + +Netcat + + Netcathttp://netcat.sourceforge.net (nc) is better known as the "network + Swiss Army Knife", it can manipulate, create or read/write TCP/IP + connections. Here some useful examples, there are many more on the net, + for example + g-loaded.eu[...]http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-use + ful-examples and + herehttp://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netc + at-tricks. + You might need to use the command netcat instead of nc. Also see the + similar command socat. + +File transfer + + Copy a large folder over a raw tcp connection. The transfer is very + quick (no protocol overhead) and you don't need to mess up with NFS or + SMB or FTP or so, simply make the file available on the server, and get + it from the client. Here 192.168.1.1 is the server IP address. +server# tar -cf - -C VIDEO_TS . | nc -l -p 4444 # Serve tar folder on por +t 4444 +client# nc 192.168.1.1 4444 | tar xpf - -C VIDEO_TS # Pull the file on port 4 +444 +server# cat largefile | nc -l 5678 # Server a single file +client# nc 192.168.1.1 5678 > largefile # Pull the single file +server# dd if=/dev/da0 | nc -l 4444 # Server partition image +client# nc 192.168.1.1 4444 | dd of=/dev/da0 # Pull partition to clone +client# nc 192.168.1.1 4444 | dd of=da0.img # Pull partition to file + +Other hacks + + Specially here, you must know what you are doing. + +Remote shell + + Option -e only on the Windows version? Or use nc 1.10. +# nc -lp 4444 -e /bin/bash # Provide a remote shell (serve +r backdoor) +# nc -lp 4444 -e cmd.exe # remote shell for Windows + +Emergency web server + + Serve a single file on port 80 in a loop. +# while true; do nc -l -p 80 < unixtoolbox.xhtml; done + +Chat + + Alice and Bob can chat over a simple TCP socket. The text is transferred + with the enter key. +alice# nc -lp 4444 +bob # nc 192.168.1.1 4444 + +SSH SCP + + Public key | Fingerprint | SCP | Tunneling | SSHFS + See other tricks 25 ssh cmdhttp://blog.urfix.com/25-ssh-commands-tricks/ + +Public key authentication + + Connect to a host without password using public key authentication. The + idea is to append your public key to the authorized_keys2 file on the + remote host. For this example let's connect host-client to host-server, + the key is generated on the client. With cygwin you might have to create + your home directoy and the .ssh directory with # mkdir -p + /home/USER/.ssh + * Use ssh-keygen to generate a key pair. ~/.ssh/id_dsa is the private + key, ~/.ssh/id_dsa.pub is the public key. + * Copy only the public key to the server and append it to the file + ~/.ssh/authorized_keys2 on your home on the server. + +# ssh-keygen -t dsa -N '' +# cat ~/.ssh/id_dsa.pub | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2" + +Using the Windows client from ssh.com + + The non commercial version of the ssh.com client can be downloaded the + main ftp site: ftp.ssh.com/pub/ssh/. Keys generated by the ssh.com + client need to be converted for the OpenSSH server. This can be done + with the ssh-keygen command. + * Create a key pair with the ssh.com client: Settings - User + Authentication - Generate New.... + * I use Key type DSA; key length 2048. + * Copy the public key generated by the ssh.com client to the server + into the ~/.ssh folder. + * The keys are in C:\Documents and Settings\%USERNAME%\Application + Data\SSH\UserKeys. + * Use the ssh-keygen command on the server to convert the key: +# cd ~/.ssh +# ssh-keygen -i -f keyfilename.pub >> authorized_keys2 + + Notice: We used a DSA key, RSA is also possible. The key is not + protected by a password. + +Using putty for Windows + + Puttyhttp://www.chiark.greenend.org.uk/~sgtatham/putty/download.html is + a simple and free ssh client for Windows. + * Create a key pair with the puTTYgen program. + * Save the public and private keys (for example into C:\Documents and + Settings\%USERNAME%\.ssh). + * Copy the public key to the server into the ~/.ssh folder: +# scp .ssh/puttykey.pub root@192.168.51.254:.ssh/ + * Use the ssh-keygen command on the server to convert the key for + OpenSSH: +# cd ~/.ssh +# ssh-keygen -i -f puttykey.pub >> authorized_keys2 + + * Point the private key location in the putty settings: Connection - + SSH - Auth + +Check fingerprint + + At the first login, ssh will ask if the unknown host with the + fingerprint has to be stored in the known hosts. To avoid a + man-in-the-middle attack the administrator of the server can send you + the server fingerprint which is then compared on the first login. Use + ssh-keygen -l to get the fingerprint (on the server): +# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub # For RSA key +2048 61:33:be:9b:ae:6c:36:31:fd:83:98:b7:99:2d:9f:cd /etc/ssh/ssh_host_rsa_key.pu +b +# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub # For DSA key (default) +2048 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee /etc/ssh/ssh_host_dsa_key.pu +b + + Now the client connecting to this server can verify that he is + connecting to the right server: +# ssh linda +The authenticity of host 'linda (192.168.16.54)' can't be established. +DSA key fingerprint is 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee. +Are you sure you want to continue connecting (yes/no)? yes + +Secure file transfer + + Some simple commands: +# scp file.txt host-two:/tmp +# scp joe@host-two:/www/*.html /www/tmp +# scp -r joe@host-two:/www /www/tmp +# scp -P 20022 cb@cb.vu:unixtoolbox.xhtml . # connect on port 20022 + + In Konqueror or Midnight Commander it is possible to access a remote + file system with the address fish://user@gate. However the + implementation is very slow. + Furthermore it is possible to mount a remote folder with sshfs a file + system client based on SCP. See fuse + sshfshttp://fuse.sourceforge.net/sshfs.html. +ssh_exchange_identification: Connection closed by remote host + + With this error try the following on the server: +echo 'SSHD: ALL' >> /etc/hosts.allow +/etc/init.d/sshd restart + +Tunneling + + SSH tunneling allows to forward or reverse forward a port over the SSH + connection, thus securing the traffic and accessing ports which would + otherwise be blocked. This only works with TCP. The general nomenclature + for forward and reverse is (see also ssh and NAT example): +# ssh -L localport:desthost:destport user@gate # desthost as seen from the gate +# ssh -R destport:desthost:localport user@gate # forwards your localport to dest +ination + # desthost:localport as seen from the client initiating the tunnel +# ssh -X user@gate # To force X forwarding + + This will connect to gate and forward the local port to the host + desthost:destport. Note desthost is the destination host as seen by the + gate, so if the connection is to the gate, then desthost is localhost. + More than one port forward is possible. + +Direct forward on the gate + + Let say we want to access the CVS (port 2401) and http (port 80) which + are running on the gate. This is the simplest example, desthost is thus + localhost, and we use the port 8080 locally instead of 80 so we don't + need to be root. Once the ssh session is open, both services are + accessible on the local ports. +# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate + +Netbios and remote desktop forward to a second server + + Let say a Windows smb server is behind the gate and is not running ssh. + We need access to the smb share and also remote desktop to the server. +# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate + + The smb share can now be accessed with \\127.0.0.1\, but only if the + local share is disabled, because the local share is listening on port + 139. + It is possible to keep the local share enabled, for this we need to + create a new virtual device with a new IP address for the tunnel, the + smb share will be connected over this address. Furthermore the local RDP + is already listening on 3389, so we choose 3388. For this example let's + use a virtual IP of 10.1.1.1. + * With putty use Source port=10.1.1.1:139. It is possible to create + multiple loop devices and tunnel. On Windows 2000, only putty worked + for me. On Windows Vista also forward the port 445 in addition to + the port 139. Also on Vista the patch KB942624 prevents the port 445 + to be forwarded, so I had to uninstall this path in Vista. + * With the ssh.com client, disable "Allow local connections only". + Since ssh.com will bind to all addresses, only a single share can be + connected. + + Now create the loopback interface with IP 10.1.1.1: + * # System->Control Panel->Add Hardware # Yes, Hardware is already + connected # Add a new hardware device (at bottom). + * # Install the hardware that I manually select # Network adapters # + Microsoft , Microsoft Loopback Adapter. + * Configure the IP address of the fake device to 10.1.1.1 mask + 255.255.255.0, no gateway. + * advanced->WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP. + * # Enable Client for Microsoft Networks. # Disable File and Printer + Sharing for Microsoft Networks. + + I HAD to reboot for this to work. Now connect to the smb share with + \\10.1.1.1 and remote desktop to 10.1.1.1:3388. + +Debug + + If it is not working: + * Are the ports forwarded: netstat -an? Look at 0.0.0.0:139 or + 10.1.1.1:139 + * Does telnet 10.1.1.1 139 connect? + * You need the checkbox "Local ports accept connections from other + hosts". + * Is "File and Printer Sharing for Microsoft Networks" disabled on the + loopback interface? + +Connect two clients behind NAT + + Suppose two clients are behind a NAT gateway and client cliadmin has to + connect to client cliuser (the destination), both can login to the gate + with ssh and are running Linux with sshd. You don't need root access + anywhere as long as the ports on gate are above 1024. We use 2022 on + gate. Also since the gate is used locally, the option GatewayPorts is + not necessary. + On client cliuser (from destination to gate): +# ssh -R 2022:localhost:22 user@gate # forwards client 22 to gate:2022 + + On client cliadmin (from host to gate): +# ssh -L 3022:localhost:2022 admin@gate # forwards client 3022 to gate:20 +22 + + Now the admin can connect directly to the client cliuser with: +# ssh -p 3022 admin@localhost # local:3022 -> gate:2022 -> clie +nt:22 + +Connect to VNC behind NAT + + Suppose a Windows client with VNC listening on port 5900 has to be + accessed from behind NAT. On client cliwin to gate: +# ssh -R 15900:localhost:5900 user@gate + + On client cliadmin (from host to gate): +# ssh -L 5900:localhost:15900 admin@gate + + Now the admin can connect directly to the client VNC with: +# vncconnect -display :0 localhost + +Dig a multi-hop ssh tunnel + + Suppose you can not reach a server directly with ssh, but only via + multiple intermediate hosts (for example because of routing issues). + Sometimes it is still necessary to get a direct client - server + connection, for example to copy files with scp, or forward other ports + like smb or vnc. One way to do this is to chain tunnels together to + forward a port to the server along the hops. This "carrier" port only + reaches its final destination on the last connection to the server. + Suppose we want to forward the ssh port from a client to a server over + two hops. Once the tunnel is build, it is possible to connect to the + server directly from the client (and also add an other port forward). + +Create tunnel in one shell + + client -> host1 -> host2 -> server and dig tunnel 5678 +client># ssh -L5678:localhost:5678 host1 # 5678 is an arbitrary port for t +he tunnel +host_1># ssh -L5678:localhost:5678 host2 # chain 5678 from host1 to host2 +host_2># ssh -L5678:localhost:22 server # end the tunnel on port 22 on th +e server + +Use tunnel with an other shell + + client -> server using tunnel 5678 +# ssh -p 5678 localhost # connect directly from client to + server +# scp -P 5678 myfile localhost:/tmp/ # or copy a file directly using t +he tunnel +# rsync -e 'ssh -p 5678' myfile localhost:/tmp/ # or rsync a file directly to the + server + +Autoconnect and keep alive script + + I use variations of the following script to keep a machine reacheable + over a reverse ssh tunnel. The connection is automatically rebuilt if + closed. You can add multiple -L or -R tunnels on one line. +#!/bin/sh +COMMAND="ssh -N -f -g -R 3022:localhost:22 colin@cb.vu" +pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND +exit 0 + +1 * * * * colin /home/colin/port_forward.sh # crontab entry (here hourly) + +sshfs + + Mount a filesystem with ssh. +# sshfs cb@cb.vu:/ /Users/barschel/cbvu -oauto_cache,reconnect,defer_permissions +\ + ,noappledouble,negative_vncache,volname=cbvu + + Or via a two hops tunnel +# ssh -Y -A -t -L20022:127.0.0.1:20022 cbarsche@lbgw ssh -Y -A -t -L20022:127.0.0 +.1:22 rootbgv@bgvctrl +# sshfs -p 20022 cb@cb.vu:/ /Users/barschel/cbvu -oauto_cache,reconnect,defer_per +missions \ + ,noappledouble,negative_vncache,volname=cbvu + +VPN with SSH + + As of version 4.3, OpenSSH can use the tun/tap device to encrypt a + tunnel. This is very similar to other TLS based VPN solutions like + OpenVPN. One advantage with SSH is that there is no need to install and + configure additional software. Additionally the tunnel uses the SSH + authentication like pre shared keys. The drawback is that the + encapsulation is done over TCP which might result in poor performance on + a slow link. Also the tunnel is relying on a single (fragile) TCP + connection. This technique is very useful for a quick IP based VPN + setup. There is no limitation as with the single TCP port forward, all + layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. + In any case, the following options are needed in the sshd_conf file: +PermitRootLogin yes +PermitTunnel yes + +Single P2P connection + + Here we are connecting two hosts, hclient and hserver with a peer to + peer tunnel. The connection is started from hclient to hserver and is + done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 + (client) and we create a device tun5 (this could also be an other + number). The procedure is very simple: + * Connect with SSH using the tunnel option -w + * Configure the IP addresses of the tunnel. Once on the server and + once on the client. + +Connect to the server + + Connection started on the client and commands are executed on the + server. + +Server is on Linux + +cli># ssh -w5:5 root@hserver +srv># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # Executed on the server s +hell + +Server is on FreeBSD + +cli># ssh -w5:5 root@hserver +srv># ifconfig tun5 10.0.1.1 10.0.1.2 # Executed on the server s +hell + +Configure the client + + Commands executed on the client: +cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252 # Client is on Linux +cli># ifconfig tun5 10.0.1.2 10.0.1.1 # Client is on FreeBSD + + The two hosts are now connected and can transparently communicate with + any layer 3/4 protocol using the tunnel IP addresses. + +Connect two networks + + In addition to the p2p setup above, it is more useful to connect two + private networks with an SSH VPN using two gates. Suppose for the + example, netA is 192.168.51.0/24 and netB 192.168.16.0/24. The procedure + is similar as above, we only need to add the routing. NAT must be + activated on the private interface only if the gates are not the same as + the default gateway of their network. + 192.168.51.0/24 (netA)|gateA <-> gateB|192.168.16.0/24 (netB) + * Connect with SSH using the tunnel option -w. + * Configure the IP addresses of the tunnel. Once on the server and + once on the client. + * Add the routing for the two networks. + * If necessary, activate NAT on the private interface of the gate. + + The setup is started from gateA in netA. + +Connect from gateA to gateB + + Connection is started from gateA and commands are executed on gateB. + +gateB is on Linux + +gateA># ssh -w5:5 root@gateB +gateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252 # Executed on the gateB sh +ell +gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5 +gateB># echo 1 > /proc/sys/net/ipv4/ip_forward # Only needed if not defaul +t gw +gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +gateB is on FreeBSD + +gateA># ssh -w5:5 root@gateB # Creates the tun5 devices +gateB># ifconfig tun5 10.0.1.1 10.0.1.2 # Executed on the gateB she +ll +gateB># route add 192.168.51.0/24 10.0.1.2 +gateB># sysctl net.inet.ip.forwarding=1 # Only needed if not defaul +t gw +gateB># natd -s -m -u -dynamic -n fxp0 # see NAT +gateA># sysctl net.inet.ip.fw.enable=1 + +Configure gateA + + Commands executed on gateA: + +gateA is on Linux + +gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252 +gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5 +gateA># echo 1 > /proc/sys/net/ipv4/ip_forward +gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +gateA is on FreeBSD + +gateA># ifconfig tun5 10.0.1.2 10.0.1.1 +gateA># route add 192.168.16.0/24 10.0.1.2 +gateA># sysctl net.inet.ip.forwarding=1 +gateA># natd -s -m -u -dynamic -n fxp0 # see NAT +gateA># sysctl net.inet.ip.fw.enable=1 + + The two private networks are now transparently connected via the SSH + VPN. The IP forward and NAT settings are only necessary if the gates are + not the default gateways. In this case the clients would not know where + to forward the response, and nat must be activated. + +RSYNC + + Rsync can almost completely replace cp and scp, furthermore interrupted + transfers are efficiently restarted. A trailing slash (and the absence + thereof) has different meanings, the man page is good... Here some + examples: + Copy the directories with full content: +# rsync -a /home/colin/ /backup/colin/ # "archive" mode. e.g keep +the same +# rsync -a /var/ /var_bak/ +# rsync -aR --delete-during /home/user/ /backup/ # use relative (see below) +# /opt/local/bin/rsync -azv --iconv=UTF-8-MAC,UTF-8 ~/Music/flac/ me@server:/dst/ + # convert filenames OSX UTF8 to Windows UTF8 + + Same as before but over the network and with compression. Rsync uses SSH + for the transport per default and will use the ssh key if they are set. + Use ":" as with SCP. A typical remote copy: +# rsync -axSRzv /home/user/ user@server:/backup/user/ # Copy to remote +# rsync -a 'user@server:My\ Documents' My\ Documents # Quote AND escape spaces f +or the remote shell + + Exclude any directory tmp within /home/user/ and keep the relative + folders hierarchy, that is the remote directory will have the structure + /backup/home/user/. This is typically used for backups. +# rsync -azR --exclude=tmp/ /home/user/ user@server:/backup/ + + Use port 20022 for the ssh connection: +# rsync -az -e 'ssh -p 20022' /home/colin/ user@server:/backup/colin/ + + Using the rsync daemon (used with "::") is much faster, but not + encrypted over ssh. The location of /backup is defined by the + configuration in /etc/rsyncd.conf. The variable RSYNC_PASSWORD can be + set to avoid the need to enter the password manually. +# rsync -axSRz /home/ ruser@hostname::rmodule/backup/ +# rsync -axSRz ruser@hostname::rmodule/backup/ /home/ # To copy back + + Some important options: + * -a, --archive archive mode; same as -rlptgoD (no -H) + * -r, --recursive recurse into directories + * -R, --relative use relative path names + * -H, --hard-links preserve hard links + * -S, --sparse handle sparse files efficiently + * -x, --one-file-system don't cross file system boundaries + * --exclude=PATTERN exclude files matching PATTERN + * --delete-during receiver deletes during xfer, not before + * --delete-after receiver deletes after transfer, not before + +Rsync on Windows + + Rsync is available for Windows through cygwin or as stand-alone packaged + in cwrsynchttp://sourceforge.net/projects/sereds. This is very + convenient for automated backups. Install one of them (not both) and add + the path to the Windows system variables: # Control Panel -> System -> + tab Advanced, button Environment Variables. Edit the "Path" system + variable and add the full path to the installed rsync, e.g. C:\Program + Files\cwRsync\bin or C:\cygwin\bin. This way the commands rsync and ssh + are available in a Windows command shell. + +Public key authentication + + Rsync is automatically tunneled over SSH and thus uses the SSH + authentication on the server. Automatic backups have to avoid a user + interaction, for this the SSH public key authentication can be used and + the rsync command will run without a password. + All the following commands are executed within a Windows console. In a + console (Start -> Run -> cmd) create and upload the key as described in + SSH, change "user" and "server" as appropriate. If the file + authorized_keys2 does not exist yet, simply copy id_dsa.pub to + authorized_keys2 and upload it. +# ssh-keygen -t dsa -N '' # Creates a public and a private key +# rsync user@server:.ssh/authorized_keys2 . # Copy the file locally from the serv +er +# cat id_dsa.pub >> authorized_keys2 # Or use an editor to add the key +# rsync authorized_keys2 user@server:.ssh/ # Copy the file back to the server +# del authorized_keys2 # Remove the local copy + + Now test it with (in one line): +rsync -rv "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" \ +'user@server:My\ Documents/' + +Automatic backup + + Use a batch file to automate the backup and add the file in the + scheduled tasks (Programs -> Accessories -> System Tools -> Scheduled + Tasks). For example create the file backup.bat and replace user@server. +@ECHO OFF +REM rsync the directory My Documents +SETLOCAL +SET CWRSYNCHOME=C:\PROGRAM FILES\CWRSYNC +SET CYGWIN=nontsec +SET CWOLDPATH=%PATH% +REM uncomment the next line when using cygwin +SET PATH=%CWRSYNCHOME%\BIN;%PATH% +echo Press Control-C to abort +rsync -av "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" \ +'user@server:My\ Documents/' +pause + +SUDO + + Sudo is a standard way to give users some administrative rights without + giving out the root password. Sudo is very useful in a multi user + environment with a mix of server and workstations. Simply call the + command with sudo: +# sudo /etc/init.d/dhcpd restart # Run the rc script as root +# sudo -u sysadmin whoami # Run cmd as an other user + +Configuration + + Sudo is configured in /etc/sudoers and must only be edited with visudo. + The basic syntax is (the lists are comma separated): +user hosts = (runas) commands # In /etc/sudoers + * users one or more users or %group (like %wheel) to gain the rights + * hosts list of hosts (or ALL) + * runas list of users (or ALL) that the command rule can be run as. It + is enclosed in ( )! + * commands list of commands (or ALL) that will be run as root or as + (runas) + + Additionally those keywords can be defined as alias, they are called + User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for + larger setups. Here a sudoers example: +# cat /etc/sudoers +# Host aliases are subnets or hostnames. +Host_Alias DMZ = 212.118.81.40/28 +Host_Alias DESKTOP = work1, work2 + +# User aliases are a list of users which can have the same rights +User_Alias ADMINS = colin, luca, admin +User_Alias DEVEL = joe, jack, julia +Runas_Alias DBA = oracle,pgsql + +# Command aliases define the full path of a list of commands +Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/ +init.d/ +Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root # Not root p +wd! +Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap + +# The actual rules +root,ADMINS ALL = (ALL) NOPASSWD: ALL # ADMINS can do anything w/o a pass +word. +DEVEL DESKTOP = (ALL) NOPASSWD: ALL # Developers have full right on des +ktops +DEVEL DMZ = (ALL) NOPASSWD: DEBUG # Developers can debug the DMZ serv +ers. + +# User sysadmin can mess around in the DMZ servers with some commands. +sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG +sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL # Can do anything outside the DMZ. +%dba ALL = (DBA) ALL # Group dba can run as database use +r. + +# anyone can mount/unmount a cd-rom on the desktop machines +ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom + +Encrypt Files + +OpenSSL + +A single file + + Encrypt and decrypt: +# openssl aes-128-cbc -salt -in file -out file.aes +# openssl aes-128-cbc -d -salt -in file.aes -out file + + Note that the file can of course be a tar archive. + +tar and encrypt a whole directory + +# tar -cf - directory | openssl aes-128-cbc -salt -out directory.tar.aes # E +ncrypt +# openssl aes-128-cbc -d -salt -in directory.tar.aes | tar -x -f - # D +ecrypt + +tar zip and encrypt a whole directory + +# tar -zcf - directory | openssl aes-128-cbc -salt -out directory.tar.gz.aes # E +ncrypt +# openssl aes-128-cbc -d -salt -in directory.tar.gz.aes | tar -xz -f - # D +ecrypt + + * Use -k mysecretpassword after aes-128-cbc to avoid the interactive + password request. However note that this is highly insecure. + * Use aes-256-cbc instead of aes-128-cbc to get even stronger + encryption. This uses also more CPU. + +GPG + + GnuPG is well known to encrypt and sign emails or any data. Furthermore + gpg and also provides an advanced key management system. This section + only covers files encryption, not email usage, signing or the + Web-Of-Trust. + The simplest encryption is with a symmetric cipher. In this case the + file is encrypted with a password and anyone who knows the password can + decrypt it, thus the keys are not needed. Gpg adds an extention ".gpg" + to the encrypted file names. +# gpg -c file # Encrypt file with password +# gpg file.gpg # Decrypt file (optionally -o otherfile) + +Using keys + + For more details see GPG Quick + Starthttp://www.madboa.com/geek/gpg-quickstart and GPG/PGP + Basicshttp://aplawrence.com/Basics/gpg.html and the gnupg + documentationhttp://gnupg.org/documentation among others. + The private and public keys are the heart of asymmetric cryptography. + What is important to remember: + * Your public key is used by others to encrypt files that only you as + the receiver can decrypt (not even the one who encrypted the file + can decrypt it). The public key is thus meant to be distributed. + * Your private key is encrypted with your passphrase and is used to + decrypt files which were encrypted with your public key. The private + key must be kept secure. Also if the key or passphrase is lost, so + are all the files encrypted with your public key. + * The key files are called keyrings as they can contain more than one + key. + + First generate a key pair. The defaults are fine, however you will have + to enter at least your full name and email and optionally a comment. The + comment is useful to create more than one key with the same name and + email. Also you should use a "passphrase", not a simple password. +# gpg --gen-key # This can take a long time + + The keys are stored in ~/.gnupg/ on Unix, on Windows they are typically + stored in + C:/Documents and Settings/%USERNAME%/Application Data/gnupg/. +~/.gnupg/pubring.gpg # Contains your public keys and all others i +mported +~/.gnupg/secring.gpg # Can contain more than one private key + + Short reminder on most used options: + * -e encrypt data + * -d decrypt data + * -r NAME encrypt for recipient NAME (or 'Full Name' or + 'email@domain') + * -a create ascii armored output of a key + * -o use as output file + + The examples use 'Your Name' and 'Alice' as the keys are referred to by + the email or full name or partial name. For example I can use 'Colin' or + 'c@cb.vu' for my key [Colin Barschel (cb.vu) <c@cb.vu>]. + +Encrypt for personal use only + + No need to export/import any key for this. You have both already. +# gpg -e -r 'Your Name' file # Encrypt with your public key +# gpg -o file -d file.gpg # Decrypt. Use -o or it goes to std +out + +Encrypt - Decrypt with keys + + First you need to export your public key for someone else to use it. And + you need to import the public say from Alice to encrypt a file for her. + You can either handle the keys in simple ascii files or use a public key + server. + For example Alice export her public key and you import it, you can then + encrypt a file for her. That is only Alice will be able to decrypt it. +# gpg -a -o alicekey.asc --export 'Alice' # Alice exported her key in ascii f +ile. +# gpg --send-keys --keyserver subkeys.pgp.net KEYID # Alice put her key on a se +rver. +# gpg --import alicekey.asc # You import her key into your pubr +ing. +# gpg --search-keys --keyserver subkeys.pgp.net 'Alice' # or get her key from a s +erver. + + Once the keys are imported it is very easy to encrypt or decrypt a file: +# gpg -e -r 'Alice' file # Encrypt the file for Alice. +# gpg -d file.gpg -o file # Decrypt a file encrypted by Alice + for you. + +Key administration + +# gpg --list-keys # list public keys and see the KEYI +DS + The KEYID follows the '/' e.g. for: pub 1024D/D12B77CE the KEYID is D12B77C +E +# gpg --gen-revoke 'Your Name' # generate revocation certificate +# gpg --list-secret-keys # list private keys +# gpg --delete-keys NAME # delete a public key from local ke +y ring +# gpg --delete-secret-key NAME # delete a secret key from local ke +y ring +# gpg --fingerprint KEYID # Show the fingerprint of the key +# gpg --edit-key KEYID # Edit key (e.g sign or add/del ema +il) + +Encrypt Partitions + + Linux with LUKS | Linux dm-crypt only | FreeBSD GELI | FBSD pwd only | + OS X image + There are (many) other alternative methods to encrypt disks, I only show + here the methods I know and use. Keep in mind that the security is only + good as long the OS has not been tempered with. An intruder could easily + record the password from the keyboard events. Furthermore the data is + freely accessible when the partition is attached and will not prevent an + intruder to have access to it in this state. + +Linux + + Those instructions use the Linux dm-crypt (device-mapper) facility + available on the 2.6 kernel. In this example, lets encrypt the partition + /dev/sdc1, it could be however any other partition or disk, or USB or a + file based partition created with losetup. In this case we would use + /dev/loop0. See file image partition. The device mapper uses labels to + identify a partition. We use sdc1 in this example, but it could be any + string. + +dm-crypt with LUKS + + LUKS with dm-crypt has better encryption and makes it possible to have + multiple passphrase for the same partition or to change the password + easily. To test if LUKS is available, simply type # cryptsetup --help, + if nothing about LUKS shows up, use the instructions below Without LUKS. + First create a partition if necessary: fdisk /dev/sdc. + +Create encrypted partition + +# dd if=/dev/urandom of=/dev/sdc1 # Optional. For paranoids only (takes +days) +# cryptsetup -y luksFormat /dev/sdc1 # This destroys any data on sdc1 +# cryptsetup luksOpen /dev/sdc1 sdc1 +# mkfs.ext3 /dev/mapper/sdc1 # create ext3 file system +# mount -t ext3 /dev/mapper/sdc1 /mnt +# umount /mnt +# cryptsetup luksClose sdc1 # Detach the encrypted partition + +Attach + +# cryptsetup luksOpen /dev/sdc1 sdc1 +# mount -t ext3 /dev/mapper/sdc1 /mnt + +Detach + +# umount /mnt +# cryptsetup luksClose sdc1 + +dm-crypt without LUKS + +# cryptsetup -y create sdc1 /dev/sdc1 # or any other partition like /dev/loo +p0 +# dmsetup ls # check it, will display: sdc1 (254, 0 +) +# mkfs.ext3 /dev/mapper/sdc1 # This is done only the first time! +# mount -t ext3 /dev/mapper/sdc1 /mnt +# umount /mnt/ +# cryptsetup remove sdc1 # Detach the encrypted partition + + Do exactly the same (without the mkfs part!) to re-attach the partition. + If the password is not correct, the mount command will fail. In this + case simply remove the map sdc1 (cryptsetup remove sdc1) and create it + again. + +FreeBSD + + The two popular FreeBSD disk encryption modules are gbde and geli. I now + use geli because it is faster and also uses the crypto device for + hardware acceleration. See The FreeBSD handbook Chapter + 18.6http://www.freebsd.org/handbook/disks-encrypting.html for all the + details. The geli module must be loaded or compiled into the kernel: +options GEOM_ELI +device crypto # or as module: +# echo 'geom_eli_load="YES"' >> /boot/loader.conf # or do: kldload geom_eli + +Use password and key + + I use those settings for a typical disk encryption, it uses a passphrase + AND a key to encrypt the master key. That is you need both the password + and the generated key /root/ad1.key to attach the partition. The master + key is stored inside the partition and is not visible. See below for + typical USB or file based image. + +Create encrypted partition + +# dd if=/dev/random of=/root/ad1.key bs=64 count=1 # this key encrypts the mater + key +# geli init -s 4096 -K /root/ad1.key /dev/ad1 # -s 8192 is also OK for disk +s +# geli attach -k /root/ad1.key /dev/ad1 # DO make a backup of /root/a +d1.key +# dd if=/dev/random of=/dev/ad1.eli bs=1m # Optional and takes a long t +ime +# newfs /dev/ad1.eli # Create file system +# mount /dev/ad1.eli /mnt + +Attach + +# geli attach -k /root/ad1.key /dev/ad1 +# fsck -ny -t ffs /dev/ad1.eli # In doubt check the file sys +tem +# mount /dev/ad1.eli /mnt + +Detach + + The detach procedure is done automatically on shutdown. +# umount /mnt +# geli detach /dev/ad1.eli + +/etc/fstab + + The encrypted partition can be configured to be mounted with /etc/fstab. + The password will be prompted when booting. The following settings are + required for this example: +# grep geli /etc/rc.conf +geli_devices="ad1" +geli_ad1_flags="-k /root/ad1.key" +# grep geli /etc/fstab +/dev/ad1.eli /home/private ufs rw 0 0 + +Use password only + + It is more convenient to encrypt a USB stick or file based image with a + passphrase only and no key. In this case it is not necessary to carry + the additional key file around. The procedure is very much the same as + above, simply without the key file. Let's encrypt a file based image + /cryptedfile of 1 GB. +# dd if=/dev/zero of=/cryptedfile bs=1M count=1000 # 1 GB file +# mdconfig -at vnode -f /cryptedfile +# geli init /dev/md0 # encrypts with password only +# geli attach /dev/md0 +# newfs -U -m 0 /dev/md0.eli +# mount /dev/md0.eli /mnt +# umount /dev/md0.eli +# geli detach md0.eli + + It is now possible to mount this image on an other system with the + password only. +# mdconfig -at vnode -f /cryptedfile +# geli attach /dev/md0 +# mount /dev/md0.eli /mnt + +OS X Encrypted Disk Image + + Don't know by command line only. See OS X Encrypted Disk + Imagehttps://wiki.thayer.dartmouth.edu/display/computing/Creating+a+Mac+ + OS+X+Encrypted+Disk+Image and Apple + supporthttp://support.apple.com/kb/ht1578 + +SSL Certificates + + So called SSL/TLS certificates are cryptographic public key certificates + and are composed of a public and a private key. The certificates are + used to authenticate the endpoints and encrypt the data. They are used + for example on a web server (https) or mail server (imaps). + +Procedure + + * We need a certificate authority to sign our certificate. This step + is usually provided by a vendor like Thawte, Verisign, etc., however + we can also create our own. + * Create a certificate signing request. This request is like an + unsigned certificate (the public part) and already contains all + necessary information. The certificate request is normally sent to + the authority vendor for signing. This step also creates the private + key on the local machine. + * Sign the certificate with the certificate authority. + * If necessary join the certificate and the key in a single file to be + used by the application (web server, mail server etc.). + +Configure OpenSSL + + We use /usr/local/certs as directory for this example check or edit + /etc/ssl/openssl.cnf accordingly to your settings so you know where the + files will be created. Here are the relevant part of openssl.cnf: +[ CA_default ] +dir = /usr/local/certs/CA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. + + Make sure the directories exist or create them +# mkdir -p /usr/local/certs/CA +# cd /usr/local/certs/CA +# mkdir certs crl newcerts private +# echo "01" > serial # Only if serial does not exist +# touch index.txt + + If you intend to get a signed certificate from a vendor, you only need a + certificate signing request (CSR). This CSR will then be signed by the + vendor for a limited time (e.g. 1 year). + +Create a certificate authority + + If you do not have a certificate authority from a vendor, you'll have to + create your own. This step is not necessary if one intend to use a + vendor to sign the request. To make a certificate authority (CA): +# openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \ +-keyout CA/private/cakey.pem -out CA/cacert.pem + +Create a certificate signing request + + To make a new certificate (for mail server or web server for example), + first create a request certificate with its private key. If your + application do not support encrypted private key (for example UW-IMAP + does not), then disable encryption with -nodes. +# openssl req -new -keyout newkey.pem -out newreq.pem \ +-config /etc/ssl/openssl.cnf +# openssl req -nodes -new -keyout newkey.pem -out newreq.pem \ +-config /etc/ssl/openssl.cnf # No encryption for the key + + Keep this created CSR (newreq.pem) as it can be signed again at the next + renewal, the signature onlt will limit the validity of the certificate. + This process also created the private key newkey.pem. + +Sign the certificate + + The certificate request has to be signed by the CA to be valid, this + step is usually done by the vendor. Note: replace "servername" with the + name of your server in the next commands. +# cat newreq.pem newkey.pem > new.pem +# openssl ca -policy policy_anything -out servernamecert.pem \ +-config /etc/ssl/openssl.cnf -infiles new.pem +# mv newkey.pem servernamekey.pem + + Now servernamekey.pem is the private key and servernamecert.pem is the + server certificate. + +Create united certificate + + The IMAP server wants to have both private key and server certificate in + the same file. And in general, this is also easier to handle, but the + file has to be kept securely!. Apache also can deal with it well. Create + a file servername.pem containing both the certificate and key. + * Open the private key (servernamekey.pem) with a text editor and copy + the private key into the "servername.pem" file. + * Do the same with the server certificate (servernamecert.pem). + + The final servername.pem file should look like this: +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx +-----END CERTIFICATE----- + + What we have now in the directory /usr/local/certs/: + * CA/private/cakey.pem (CA server private key) + * CA/cacert.pem (CA server public key) + * certs/servernamekey.pem (server private key) + * certs/servernamecert.pem (server signed certificate) + * certs/servername.pem (server certificate with private key) + + Keep the private key secure! + +View certificate information + + To view the certificate information simply do: +# openssl x509 -text -in servernamecert.pem # View the certificate info +# openssl req -noout -text -in server.csr # View the request info +# openssl s_client -connect cb.vu:443 # Check a web server certificate + +CVS + + Server setup | CVS test | SSH tunneling | CVS usage + +Server setup + +Initiate the CVS + + Decide where the main repository will rest and create a root cvs. For + example /usr/local/cvs (as root): +# mkdir -p /usr/local/cvs +# setenv CVSROOT /usr/local/cvs # Set CVSROOT to the new location (local) +# cvs init # Creates all internal CVS config files +# cd /root +# cvs checkout CVSROOT # Checkout the config files to modify them +# cd CVSROOT +edit config ( fine as it is) +# cvs commit config +cat >> writers # Create a writers file (optionally also rea +ders) +colin +^D # Use [Control][D] to quit the edit +# cvs add writers # Add the file writers into the repository +# cvs edit checkoutlist +# cat >> checkoutlist +writers +^D # Use [Control][D] to quit the edit +# cvs commit # Commit all the configuration changes + + Add a readers file if you want to differentiate read and write + permissions Note: Do not (ever) edit files directly into the main cvs, + but rather checkout the file, modify it and check it in. We did this + with the file writers to define the write access. + There are three popular ways to access the CVS at this point. The first + two don't need any further configuration. See the examples on CVSROOT + below for how to use them: + * Direct local access to the file system. The user(s) need sufficient + file permission to access the CS directly and there is no further + authentication in addition to the OS login. However this is only + useful if the repository is local. + * Remote access with ssh with the ext protocol. Any use with an ssh + shell account and read/write permissions on the CVS server can + access the CVS directly with ext over ssh without any additional + tunnel. There is no server process running on the CVS for this to + work. The ssh login does the authentication. + * Remote access with pserver (default port: 2401/tcp). This is the + preferred use for larger user base as the users are authenticated by + the CVS pserver with a dedicated password database, there is + therefore no need for local users accounts. This setup is explained + below. + +Network setup with inetd + + The CVS can be run locally only if a network access is not needed. For a + remote access, the daemon inetd can start the pserver with the following + line in /etc/inetd.conf (/etc/xinetd.d/cvs on SuSE): +cvspserver stream tcp nowait cvs /usr/bin/cvs cvs \ +--allow-root=/usr/local/cvs pserver + + It is a good idea to block the cvs port from the Internet with the + firewall and use an ssh tunnel to access the repository remotely. + +Separate authentication + + It is possible to have cvs users which are not part of the OS (no local + users). This is actually probably wanted too from the security point of + view. Simply add a file named passwd (in the CVSROOT directory) + containing the users login and password in the crypt format. This is can + be done with the apache htpasswd tool. + Note: This passwd file is the only file which has to be edited directly + in the CVSROOT directory. Also it won't be checked out. More info with + htpasswd --help +# htpasswd -cb passwd user1 password1 # -c creates the file +# htpasswd -b passwd user2 password2 + + Now add :cvs at the end of each line to tell the cvs server to change + the user to cvs (or whatever your cvs server is running under). It looks + like this: +# cat passwd +user1:xsFjhU22u8Fuo:cvs +user2:vnefJOsnnvToM:cvs + +Test it + + Test the login as normal user (for example here me) +# cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs login +Logging in to :pserver:colin@192.168.50.254:2401/usr/local/cvs +CVS password: + + +CVSROOT variable + + This is an environment variable used to specify the location of the + repository we're doing operations on. For local use, it can be just set + to the directory of the repository. For use over the network, the + transport protocol must be specified. Set the CVSROOT variable with + setenv CVSROOT string on a csh, tcsh shell, or with export + CVSROOT=string on a sh, bash shell. +# setenv CVSROOT :pserver:<username>@<host>:/cvsdirectory +For example: +# setenv CVSROOT /usr/local/cvs # Used locally only +# setenv CVSROOT :local:/usr/local/cvs # Same as above +# setenv CVSROOT :ext:user@cvsserver:/usr/local/cvs # Direct access wit +h SSH +# setenv CVS_RSH ssh # for the ext acces +s +# setenv CVSROOT :pserver:user@cvsserver.254:/usr/local/cvs # network with pser +ver + + When the login succeeded one can import a new project into the + repository: cd into your project root directory +cvs import <module name> <vendor tag> <initial tag> +cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs import MyProject MyCompany ST +ART + + Where MyProject is the name of the new project in the repository (used + later to checkout). Cvs will import the current directory content into + the new project. + To checkout: +# cvs -d :pserver:colin@192.168.50.254:/usr/local/cvs checkout MyProject +or +# setenv CVSROOT :pserver:colin@192.168.50.254:/usr/local/cvs +# cvs checkout MyProject + +SSH tunneling for CVS + + We need 2 shells for this. On the first shell we connect to the cvs + server with ssh and port-forward the cvs connection. On the second shell + we use the cvs normally as if it where running locally. + on shell 1: +# ssh -L2401:localhost:2401 colin@cvs_server # Connect directly to the CVS serv +er. Or: +# ssh -L2401:cvs_server:2401 colin@gateway # Use a gateway to reach the CVS + + on shell 2: +# setenv CVSROOT :pserver:colin@localhost:/usr/local/cvs +# cvs login +Logging in to :pserver:colin@localhost:2401/usr/local/cvs +CVS password: +# cvs checkout MyProject/src + +CVS commands and usage + +Import + + The import command is used to add a whole directory, it must be run from + within the directory to be imported. Say the directory /devel/ contains + all files and subdirectories to be imported. The directory name on the + CVS (the module) will be called "myapp". +# cvs import [options] directory-name vendor-tag release-tag +# cd /devel # Must be inside the project to import it +# cvs import myapp Company R1_0 # Release tag can be anything in one word + + After a while a new directory "/devel/tools/" was added and it has to be + imported too. +# cd /devel/tools +# cvs import myapp/tools Company R1_0 + +Checkout update add commit + +# cvs co myapp/tools # Will only checkout the directory tools +# cvs co -r R1_1 myapp # Checkout myapp at release R1_1 (is sticky) +# cvs -q -d update -P # A typical CVS update +# cvs update -A # Reset any sticky tag (or date, option) +# cvs add newfile # Add a new file +# cvs add -kb newfile # Add a new binary file +# cvs commit file1 file2 # Commit the two files only +# cvs commit -m "message" # Commit all changes done with a message + +Create a patch + + It is best to create and apply a patch from the working development + directory related to the project, or from within the source directory. +# cd /devel/project +# diff -Naur olddir newdir > patchfile # Create a patch from a directory or a fil +e +# diff -Naur oldfile newfile > patchfile + +Apply a patch + + Sometimes it is necessary to strip a directory level from the patch, + depending how it was created. In case of difficulties, simply look at + the first lines of the patch and try -p0, -p1 or -p2. +# cd /devel/project +# patch --dry-run -p0 < patchfile # Test the path without applying it +# patch -p0 < patchfile +# patch -p1 < patchfile # strip off the 1st level from the path + +SVN + + Server setup | SVN+SSH | SVN over http | SVN usage + Subversion (SVN)http://subversion.tigris.org/ is a version control + system designed to be the successor of CVS (Concurrent Versions System). + The concept is similar to CVS, but many shortcomings where improved. See + also the SVN bookhttp://svnbook.red-bean.com/en/1.4/. + +Server setup + + The initiation of the repository is fairly simple (here for example + /home/svn/ must exist): +# svnadmin create --fs-type fsfs /home/svn/project1 + + Now the access to the repository is made possible with: + * file:// Direct file system access with the svn client with. This + requires local permissions on the file system. + * svn:// or svn+ssh:// Remote access with the svnserve server (also + over SSH). This requires local permissions on the file system + (default port: 2690/tcp). + * http:// Remote access with webdav using apache. No local users are + necessary for this method. + + Using the local file system, it is now possible to import and then check + out an existing project. Unlike with CVS it is not necessary to cd into + the project directory, simply give the full path: +# svn import /project1/ file:///home/svn/project1/trunk -m 'Initial import' +# svn checkout file:///home/svn/project1 + + The new directory "trunk" is only a convention, this is not required. + +Remote access with ssh + + No special setup is required to access the repository via ssh, simply + replace file:// with svn+ssh/hostname. For example: +# svn checkout svn+ssh://hostname/home/svn/project1 + + As with the local file access, every user needs an ssh access to the + server (with a local account) and also read/write access. This method + might be suitable for a small group. All users could belong to a + subversion group which owns the repository, for example: +# groupadd subversion +# groupmod -A user1 subversion +# chown -R root:subversion /home/svn +# chmod -R 770 /home/svn + +Remote access with http (apache) + + Remote access over http (https) is the only good solution for a larger + user group. This method uses the apache authentication, not the local + accounts. This is a typical but small apache configuration: +LoadModule dav_module modules/mod_dav.so +LoadModule dav_svn_module modules/mod_dav_svn.so +LoadModule authz_svn_module modules/mod_authz_svn.so # Only for access contr +ol + +<Location /svn> + DAV svn + # any "/svn/foo" URL will map to a repository /home/svn/foo + SVNParentPath /home/svn + AuthType Basic + AuthName "Subversion repository" + AuthzSVNAccessFile /etc/apache2/svn.acl + AuthUserFile /etc/apache2/svn-passwd + Require valid-user +</Location> + + The apache server needs full access to the repository: +# chown -R www:www /home/svn + + Create a user with htpasswd2: +# htpasswd -c /etc/svn-passwd user1 # -c creates the file + +Access control svn.acl example + +# Default it read access. "* =" would be default no access +[/] +* = r +[groups] +project1-developers = joe, jack, jane +# Give write access to the developers +[project1:] +@project1-developers = rw + +SVN commands and usage + + See also the Subversion Quick Reference + Cardhttp://www.cs.put.poznan.pl/csobaniec/Papers/svn-refcard.pdf. + Tortoise SVNhttp://tortoisesvn.tigris.org is a nice Windows interface. + +Import + + A new project, that is a directory with some files, is imported into the + repository with the import command. Import is also used to add a + directory with its content to an existing project. +# svn help import # Get help for any command + # Add a new directory (with content) into the src dir on project1 +# svn import /project1/newdir http://host.url/svn/project1/trunk/src -m 'add newd +ir' + +Typical SVN commands + +# svn co http://host.url/svn/project1/trunk # Checkout the most recent versi +on + # Tags and branches are created by copying +# svn mkdir http://host.url/svn/project1/tags/ # Create the tags directory +# svn copy -m "Tag rc1 rel." http://host.url/svn/project1/trunk \ + http://host.url/svn/project1/tags/1.0rc1 +# svn status [--verbose] # Check files status into workin +g dir +# svn add src/file.h src/file.cpp # Add two files +# svn commit -m 'Added new class file' # Commit the changes with a mess +age +# svn ls http://host.url/svn/project1/tags/ # List all tags +# svn move foo.c bar.c # Move (rename) files +# svn delete some_old_file # Delete files + +Useful Commands + + less | vi | mail | tar | zip | dd | screen | find | Miscellaneous + +less + + The less command displays a text document on the console. It is present + on most installation. +# less unixtoolbox.xhtml + + Some important commands are (^N stands for [control]-[N]): + * h H good help on display + * f ^F ^V SPACE Forward one window (or N lines). + * b ^B ESC-v Backward one window (or N lines). + * F Forward forever; like "tail -f". + * /pattern Search forward for (N-th) matching line. + * ?pattern Search backward for (N-th) matching line. + * n Repeat previous search (for N-th occurrence). + * N Repeat previous search in reverse direction. + * q quit + +vi + + Vi is present on ANY Linux/Unix installation (not gentoo?) and it is + therefore useful to know some basic commands. There are two modes: + command mode and insertion mode. The commands mode is accessed with + [ESC], the insertion mode with i. Use : help if you are lost. + The editors nano and pico are usually available too and are easier + (IMHO) to use. + +Quit + + * :w newfilename save the file to newfilename + * :wq or :x save and quit + * :q! quit without saving + +Search and move + + * /string Search forward for string + * ?string Search back for string + * n Search for next instance of string + * N Search for previous instance of string + * { Move a paragraph back + * } Move a paragraph forward + * 1G Move to the first line of the file + * nG Move to the n th line of the file + * G Move to the last line of the file + * :%s/OLD/NEW/g Search and replace every occurrence + +Delete copy paste text + + * dd (dw) Cut current line (word) + * D Cut to the end of the line + * x Delete (cut) character + * yy (yw) Copy line (word) after cursor + * P Paste after cursor + * u Undo last modification + * U Undo all changes to current line + +mail + + The mail command is a basic application to read and send email, it is + usually installed. To send an email simply type "mail user@domain". The + first line is the subject, then the mail content. Terminate and send the + email with a single dot (.) in a new line. Example: +# mail c@cb.vu +Subject: Your text is full of typos +"For a moment, nothing happened. Then, after a second or so, +nothing continued to happen." +. +EOT +# + + This is also working with a pipe: +# echo "This is the mail body" | mail c@cb.vu + + This is also a simple way to test the mail server. + +tar + + The command tar (tape archive) creates and extracts archives of file and + directories. The archive .tar is uncompressed, a compressed archive has + the extension .tgz or .tar.gz (zip) or .tbz (bzip2). Do not use absolute + path when creating an archive, you probably want to unpack it somewhere + else. Some typical commands are: + +Create + +# cd / +# tar -cf home.tar home/ # archive the whole /home directory (c for create +) +# tar -czf home.tgz home/ # same with zip compression +# tar -cjf home.tbz home/ # same with bzip2 compression + + Only include one (or two) directories from a tree, but keep the relative + structure. For example archive /usr/local/etc and /usr/local/www and the + first directory in the archive should be local/. +# tar -C /usr -czf local.tgz local/etc local/www +# tar -C /usr -xzf local.tgz # To untar the local dir into /usr +# cd /usr; tar -xzf local.tgz # Is the same as above + +Extract + +# tar -tzf home.tgz # look inside the archive without extracting (lis +t) +# tar -xf home.tar # extract the archive here (x for extract) +# tar -xzf home.tgz # same with zip compression (-xjf for bzip2 compr +ession) + # remove leading path gallery2 and extract into g +allery +# tar --strip-components 1 -zxvf gallery2.tgz -C gallery/ +# tar -xjf home.tbz home/colin/file.txt # Restore a single file +# tar -xOf home.tbz home/colin/file.txt # Print file to stdout (no extraction) + +More advanced + +# tar c dir/ | gzip | ssh user@remote 'dd of=dir.tgz' # arch dir/ and store remot +ely. +# tar cvf - `find . -print` > backup.tar # arch the current director +y. +# tar -cf - -C /etc . | tar xpf - -C /backup/etc # Copy directories +# tar -cf - -C /etc . | ssh user@remote tar xpf - -C /backup/etc # Remote co +py. +# tar -czf home.tgz --exclude '*.o' --exclude 'tmp/' home/ + +zip/unzip + + Zip files can be easier to share with Windows. +# zip -r fileName.zip /path/to/dir # zip dir into file fileNam +e.zip +# unzip fileName.zip # uncompress zip file +# unzip -l fileName.zip # list files inside archive +# unzip -c fileName.zip fileinside.txt # print one file to stdout +(no extraction) +# unzip fileName.zip fileinside.txt # extract one file only + +dd + + The program dd (disk dump or destroy disk or see the meaning of dd) is + used to copy partitions and disks and for other copy tricks. Typical + usage: +# dd if=<source> of=<target> bs=<byte size> conv=<conversion> +# kill -INFO PID # View dd progress (FreeBSD +, OSX) + + Important conv options: + * notrunc do not truncate the output file, all zeros will be + written as zeros. + * noerror continue after read errors (e.g. bad blocks) + * sync pad every input block with Nulls to ibs-size + + The default byte size is 512 (one block). The MBR, where the partition + table is located, is on the first block, the first 63 blocks of a disk + are empty. Larger byte sizes are faster to copy but require also more + memory. + +Backup and restore + +# dd if=/dev/hda of=/dev/hdc bs=16065b # Copy disk to disk (same s +ize) +# dd if=/dev/sda7 of=/home/root.img bs=4096 conv=notrunc,noerror # Backup / +# dd if=/home/root.img of=/dev/sda7 bs=4096 conv=notrunc,noerror # Restore / +# dd bs=1M if=/dev/ad4s3e | gzip -c > ad4s3e.gz # Zip the backup +# gunzip -dc ad4s3e.gz | dd of=/dev/ad0s3e bs=1M # Restore the zi +p +# dd bs=1M if=/dev/ad4s3e | gzip | ssh eedcoba@fry 'dd of=ad4s3e.gz' # also remot +e +# gunzip -dc ad4s3e.gz | ssh eedcoba@host 'dd of=/dev/ad0s3e bs=1M' +# dd if=/dev/ad0 of=/dev/ad2 skip=1 seek=1 bs=4k conv=noerror # Skip MBR + # This is necessary if the destination (ad2) is smaller. +# dd if=/vm/FreeBSD-8.2-RELEASE-amd64-memstick.img of=/dev/disk1 bs=10240 conv=sy +nc + # Copy FreeBSD image to USB memory stick + +Recover + + The command dd will read every single block of the partition. In case of + problems it is better to use the option conv=sync,noerror so dd will + skip the bad block and write zeros at the destination. Accordingly it is + important to set the block size equal or smaller than the disk block + size. A 1k size seems safe, set it with bs=1k. If a disk has bad sectors + and the data should be recovered from a partition, create an image file + with dd, mount the image and copy the content to a new disk. With the + option noerror, dd will skip the bad sectors and write zeros instead, + thus only the data contained in the bad sectors will be lost. +# dd if=/dev/hda of=/dev/null bs=1m # Check for bad blocks +# dd bs=1k if=/dev/hda1 conv=sync,noerror,notrunc | gzip | ssh \ # Send to remote +root@fry 'dd of=hda1.gz bs=1k' +# dd bs=1k if=/dev/hda1 conv=sync,noerror,notrunc of=hda1.img # Store into an +image +# mount -o loop /hda1.img /mnt # Mount the image +# rsync -ax /mnt/ /newdisk/ # Copy on a new disk +# dd if=/dev/hda of=/dev/hda # Refresh the magnetic stat +e + # The above is useful to refresh a disk. It is perfectly safe, but must be unmo +unted. + +Delete + +# dd if=/dev/zero of=/dev/hdc # Delete full disk +# dd if=/dev/urandom of=/dev/hdc # Delete full disk better +# kill -USR1 PID # View dd progress (Linux) +# kill -INFO PID # View dd progress (FreeBSD +) + +MBR tricks + + The MBR contains the boot loader and the partition table and is 512 + bytes small. The first 446 are for the boot loader, the bytes 446 to 512 + are for the partition table. +# dd if=/dev/sda of=/mbr_sda.bak bs=512 count=1 # Backup the full MBR +# dd if=/dev/zero of=/dev/sda bs=512 count=1 # Delete MBR and partition +table +# dd if=/mbr_sda.bak of=/dev/sda bs=512 count=1 # Restore the full MBR +# dd if=/mbr_sda.bak of=/dev/sda bs=446 count=1 # Restore only the boot loa +der +# dd if=/mbr_sda.bak of=/dev/sda bs=1 count=64 skip=446 seek=446 # Restore partit +ion table + +screen + + Screen (a must have) has two main functionalities: + * Run multiple terminal session within a single terminal. + * A started program is decoupled from the real terminal and can thus + run in the background. The real terminal can be closed and + reattached later. + +Short start example + + start screen with: +# screen + + Within the screen session we can start a long lasting program (like + top). +# top + + Now detach with Ctrl-a Ctrl-d. Reattach the terminal with: +# screen -R -D + + In detail this means: If a session is running, then reattach. If + necessary detach and logout remotely first. If it was not running create + it and notify the user. Or: +# screen -x + + Attach to a running screen in a multi display mode. The console is thus + shared among multiple users. Very useful for team work/debug! + +Screen commands (within screen) + + All screen commands start with Ctrl-a. + * Ctrl-a ? help and summary of functions + * Ctrl-a c create an new window (terminal) + * Ctrl-a Ctrl-n and Ctrl-a Ctrl-p to switch to the next or previous + window in the list, by number. + * Ctrl-a Ctrl-N where N is a number from 0 to 9, to switch to the + corresponding window. + * Ctrl-a " to get a navigable list of running windows + * Ctrl-a a to clear a missed Ctrl-a + * Ctrl-a Ctrl-d to disconnect and leave the session running in the + background + * Ctrl-a x lock the screen terminal with a password + * Ctrl-a [ enter into scrollback mode, exit with esc. + Use echo "defscrollback 5000" > ~/.screenrc to increase buffer + (default is 100) + + * C-u Scrolls a half page up + * C-b Scroll a full page up + * C-d Scroll a half page down + * C-f Scroll a full page down + * / Search forward + * ? Search backward + + Configuration in ~/.screenrc: +defscrollback 100000 # increase scrollback buffer (default is 100 +) +termcapinfo xterm* ti@:te@ # avoid alternate text buffer to allow scrol +ling + + The screen session is terminated when the program within the running + terminal is closed and you logout from the terminal. + +Find + + Some important options: + * -x (on BSD) -xdev (on Linux) Stay on the same file system (dev + in fstab). + * -exec cmd {} \; Execute the command and replace {} with the + full path + * -iname Like -name but is case insensitive + * -ls Display information about the file (like ls -la) + * -size n n is +-n (k M G T P) + * -cmin n File's status was last changed n minutes ago. + +# find . -type f ! -perm -444 # Find files not readable by all +# find . -type d ! -perm -111 # Find dirs not accessible by all +# find /home/user/ -cmin 10 -print # Files created or modified in the last 10 m +in. +# find . -name '*.[ch]' | xargs grep -E 'expr' # Search 'expr' in this dir and be +low. +# find / -name "*.core" | xargs rm # Find core dumps and delete them (also try +core.*) +# find / -name "*.core" -print -exec rm {} \; # Other syntax + # Find images and create an archive, iname is not case sensitive. -r for ap +pend +# find . \( -iname "*.png" -o -iname "*.jpg" \) -print -exec tar -rf images.tar { +} \; +# find . -type f -name "*.txt" ! -name README.txt -print # Exclude README.txt fi +les +# find /var/ -size +10M -exec ls -lh {} \; # Find large files > 10 MB +# find /var/ -size +10M -ls # This is simpler +# find . -size +10M -size -50M -print +# find /usr/ports/ -name work -type d -print -exec rm -rf {} \; # Clean the port +s + # Find files with SUID; those file are vulnerable and must be kept secure +# find / -type f -user root -perm -4000 -exec ls -l {} \; +# find flac/ -iname *.flac -print -size +500k -exec /Applications/Fluke.app/Conte +nts/MacOS/Fluke {} \; + # I use above to add flac files to iTunes o +n OSX + + Be careful with xarg or exec as it might or might not honor quotings and + can return wrong results when files or directories contain spaces. In + doubt use "-print0 | xargs -0" instead of "| xargs". The option -print0 + must be the last in the find command. See this nice mini tutorial for + findhttp://www.hccfl.edu/pollock/Unix/FindCmd.htm. +# find . -type f | xargs ls -l # Will not work with spaces in names +# find . -type f -print0 | xargs -0 ls -l # Will work with spaces in names +# find . -type f -exec ls -l '{}' \; # Or use quotes '{}' with -exec + + Duplicate directory tree: +# find . -type d -exec mkdir -p /tmp/new_dest/{} \; + +Miscellaneous + +# which command # Show full path name of command +# time command # See how long a command takes to execute +# time cat # Use time as stopwatch. Ctrl-c to stop +# set | grep $USER # List the current environment +# cal -3 # Display a three month calendar +# date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]] +# date 10022155 # Set date and time +# whatis grep # Display a short info on the command or wor +d +# whereis java # Search path and standard directories for w +ord +# setenv varname value # Set env. variable varname to value (csh/tc +sh) +# export varname="value" # set env. variable varname to value (sh/ksh +/bash) +# pwd # Print working directory +# mkdir -p /path/to/dir # no error if existing, make parent dirs as +needed +# mkdir -p project/{bin,src,obj,doc/{html,man,pdf},debug/some/more/dirs} +# rmdir /path/to/dir # Remove directory +# rm -rf /path/to/dir # Remove directory and its content (force) +# rm -- -badchar.txt # Remove file whitch starts with a dash (-) +# cp -la /dir1 /dir2 # Archive and hard link files instead of cop +y +# cp -lpR /dir1 /dir2 # Same for FreeBSD +# cp unixtoolbox.xhtml{,.bak} # Short way to copy the file with a new exte +nsion +# mv /dir1 /dir2 # Rename a directory +# ls -1 # list one file per line +# history | tail -50 # Display the last 50 used commands +# cd - # cd to previous ($OLDPWD) directory +# /bin/ls| grep -v .py | xargs rm -r # pipe file names to rm with xargs + + Check file hashes with openssl. This is a nice alternative to the + commands md5sum or sha1sum (FreeBSD uses md5 and sha1) which are not + always installed. +# openssl md5 file.tar.gz # Generate an md5 checksum from file +# openssl sha1 file.tar.gz # Generate an sha1 checksum from file +# openssl rmd160 file.tar.gz # Generate a RIPEMD-160 checksum from file + +Install Software + + Usually the package manager uses the proxy variable for http/ftp + requests. In .bashrc: +export http_proxy=http://proxy_server:3128 +export ftp_proxy=http://proxy_server:3128 + +List installed packages + +# rpm -qa # List installed packages (RH, SuSE, RPM bas +ed) +# dpkg -l # Debian, Ubuntu +# pkg_info # FreeBSD list all installed packages +# pkg_info -W smbd # FreeBSD show which package smbd belongs to +# pkginfo # Solaris + + More on RPM: +# rpm -ql package-name # list the files for INSTALLED package +# rpm -qlp package.rpm # list the files inside package + +Add/remove software + + Front ends: yast2/yast for SuSE, redhat-config-packages for Red Hat. +# rpm -i pkgname.rpm # install the package (RH, SuSE, RPM based) +# rpm -e pkgname # Remove package + +SuSE zypper (see doc and cheet sheet)http://en.opensuse.org/SDB:Zypper_usage + +# zypper refresh # Refresh repositorie +# zypper install vim # Install the package vim +# zypper remove vim # Remove the package vim +# zypper search vim # Search packages with vim +# zypper update vim # Search packages with vim + +Debian + +# apt-get update # First update the package lists +# apt-get install emacs # Install the package emacs +# dpkg --remove emacs # Remove the package emacs +# dpkg -S file # find what package a file belongs to + +Gentoo + + Gentoo uses emerge as the heart of its "Portage" package management + system. +# emerge --sync # First sync the local portage tree +# emerge -u packagename # Install or upgrade a package +# emerge -C packagename # Remove the package +# revdep-rebuild # Repair dependencies + +Solaris + + The <cdrom> path is usually /cdrom/cdrom0. +# pkgadd -d <cdrom>/Solaris_9/Product SUNWgtar +# pkgadd -d SUNWgtar # Add downloaded package (bunzip2 first) +# pkgrm SUNWgtar # Remove the package + +FreeBSD + +# pkg_add -r rsync # Fetch and install rsync. +# pkg_delete /var/db/pkg/rsync-xx # Delete the rsync package + + Set where the packages are fetched from with the PACKAGESITE variable. + For example: +# export PACKAGESITE=ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages/Latest +/ +# or ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/ + +FreeBSD portshttp://www.freebsd.org/handbook/ports.html + + The port tree /usr/ports/ is a collection of software ready to compile + and install (see man ports). The ports are updated with the program + portsnap. +# portsnap fetch extract # Create the tree when running the first tim +e +# portsnap fetch update # Update the port tree +# cd /usr/ports/net/rsync/ # Select the package to install +# make install distclean # Install and cleanup (also see man ports) +# make package # Make a binary package of this port +# pkgdb -F # Fix the package registry database +# portsclean -C -DD # Clean workdir and distdir (part of portupg +rade) + +OS X MacPortshttp://guide.macports.org/ (use sudo for all commands) + +# port selfupdate # Update the port tree (safe) +# port installed # List installed ports +# port deps apache2 # List dependencies for this port +# port search pgrep # Search for string +# port install proctools # Install this package +# port variants ghostscript # List variants of this port +# port -v install ghostscript +no_x11# -no_x11 for negative value +# port clean --all ghostscript # Clean workdir of port +# port upgrade ghostscript # Upgrade this port +# port uninstall ghostscript # Uninstall this port +# port -f uninstall installed # Uninstall everything + +Library path + + Due to complex dependencies and runtime linking, programs are difficult + to copy to an other system or distribution. However for small programs + with little dependencies, the missing libraries can be copied over. The + runtime libraries (and the missing one) are checked with ldd and managed + with ldconfig. +# ldd /usr/bin/rsync # List all needed runtime libraries +# otool -L /usr/bin/rsync # OS X equivalent to ldd +# ldconfig -n /path/to/libs/ # Add a path to the shared libraries directo +ries +# ldconfig -m /path/to/libs/ # FreeBSD +# LD_LIBRARY_PATH # The variable set the link library path + +Convert Media + + Sometimes one simply need to convert a video, audio file or document to + another format. + +Text encoding + + Text encoding can get totally wrong, specially when the language + requires special characters like àäç. The command iconv can convert from + one encoding to an other. +# iconv -f <from_encoding> -t <to_encoding> <input_file> +# iconv -f ISO8859-1 -t UTF-8 -o file.input > file_utf8 +# iconv -l # List known coded character sets + + Without the -f option, iconv will use the local char-set, which is + usually fine if the document displays well. + Convert filenames from one encoding to another (not file content). Works + also if only some files are already utf8 +# convmv -r -f utf8 --nfd -t utf8 --nfc /dir/* --notest + +Unix - DOS newlines + + Convert DOS (CR/LF) to Unix (LF) newlines and back within a Unix shell. + See also dos2unix and unix2dos if you have them. +# sed 's/.$//' dosfile.txt > unixfile.txt # DOS to UNIX +# awk '{sub(/\r$/,"");print}' dosfile.txt > unixfile.txt # DOS to UNIX +# awk '{sub(/$/,"\r");print}' unixfile.txt > dosfile.txt # UNIX to DOS + + Convert Unix to DOS newlines within a Windows environment. Use sed or + awk from mingw or cygwin. +# sed -n p unixfile.txt > dosfile.txt +# awk 1 unixfile.txt > dosfile.txt # UNIX to DOS (with a cygwin shell) + + Remove ^M mac newline and replace with unix new line. To get a ^M use + CTL-V then CTL-M +# tr '^M' '\n' < macfile.txt + +PDF images and concatenate PDF files + + Convert a PDF document with gs (GhostScript) to jpeg (or png) images for + each page. Also much shorter with convert and mogrify (from ImageMagick + or GraphicsMagick). +# gs -dBATCH -dNOPAUSE -sDEVICE=jpeg -r150 -dTextAlphaBits=4 -dGraphicsAlphaBits= +4 \ + -dMaxStripSize=8192 -sOutputFile=unixtoolbox_%d.jpg unixtoolbox.pdf +# convert unixtoolbox.pdf unixtoolbox-%03d.png +# convert *.jpeg images.pdf # Create a simple PDF with all pictures +# convert image000* -resample 120x120 -compress JPEG -quality 80 images.pdf +# mogrify -format png *.ppm # convert all ppm images to png format + + Ghostscript can also concatenate multiple pdf files into a single one. + This only works well if the PDF files are "well behaved". +# gs -q -sPAPERSIZE=a4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=all.pdf \ +file1.pdf file2.pdf ... # On Windows use '#' instead of '=' + + Create PDF file from images +# convert 20140416-DSCF1915.jpg 20140416-DSCF1920.jpg all.pdf +convert 20140416-DSCF1915.jpg 20140416-DSCF1920.jpg -resize 1240x1753 -units Pixe +lsPerInch \ +-density 150x150 all.pdf # force A4 + + Extract images from pdf document using pdfimages from poppler or + xpdfhttp://foolabs.com/xpdf/download.html +# pdfimages document.pdf dst/ # extract all images and put in dst +# yum install poppler-utils # install poppler-utils if needed. or: +# apt-get install poppler-utils + +Convert video + + Compress the Canon digicam video with an mpeg4 codec and repair the + crappy sound. +# mencoder -o videoout.avi -oac mp3lame -ovc lavc -srate 11025 \ +-channels 1 -af-adv force=1 -lameopts preset=medium -lavcopts \ +vcodec=msmpeg4v2:vbitrate=600 -mc 0 vidoein.AVI + + See sox for sound processing. + +Copy an audio cd + + The program cdparanoiahttp://xiph.org/paranoia/ can save the audio + tracks (FreeBSD port in audio/cdparanoia/), oggenc can encode in Ogg + Vorbis format, lame converts to mp3. +# cdparanoia -B # Copy the tracks to wav files in current di +r +# lame -b 256 in.wav out.mp3 # Encode in mp3 256 kb/s +# for i in *.wav; do lame -b 256 $i `basename $i .wav`.mp3; done +# oggenc in.wav -b 256 out.ogg # Encode in Ogg Vorbis 256 kb/s + +Printing + +Print with lpr + +# lpr unixtoolbox.ps # Print on default printer +# export PRINTER=hp4600 # Change the default printer +# lpr -Php4500 #2 unixtoolbox.ps # Use printer hp4500 and print 2 copies +# lpr -o Duplex=DuplexNoTumble ... # Print duplex along the long side +# lpr -o PageSize=A4,Duplex=DuplexNoTumble ... + +# lpq # Check the queue on default printer +# lpq -l -Php4500 # Queue on printer hp4500 with verbose +# lprm - # Remove all users jobs on default printer +# lprm -Php4500 3186 # Remove job 3186. Find job nbr with lpq +# lpc status # List all available printers +# lpc status hp4500 # Check if printer is online and queue lengt +h + + Some devices are not postscript and will print garbage when fed with a + pdf file. This might be solved with: +# gs -dSAFER -dNOPAUSE -sDEVICE=deskjet -sOutputFile=\|lpr file.pdf + + Print to a PDF file even if the application does not support it. Use gs + on the print command instead of lpr. +# gs -q -sPAPERSIZE=a4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=/path/fil +e.pdf + +Databases + +PostgreSQL + +Change root or a username password + +# psql -d template1 -U pgsql +> alter user pgsql with password 'pgsql_password'; # Use username instead of "pg +sql" + +Create user and database + + The commands createuser, dropuser, createdb and dropdb are convenient + shortcuts equivalent to the SQL commands. The new user is bob with + database bobdb ; use as root with pgsql the database super user: +# createuser -U pgsql -P bob # -P will ask for password +# createdb -U pgsql -O bob bobdb # new bobdb is owned by bob +# dropdb bobdb # Delete database bobdb +# dropuser bob # Delete user bob + + The general database authentication mechanism is configured in + pg_hba.conf + +Grant remote access + + The file $PGSQL_DATA_D/postgresql.conf specifies the address to bind to. + Typically listen_addresses = '*' for Postgres 8.x. + The file $PGSQL_DATA_D/pg_hba.conf defines the access control. Examples: +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host bobdb bob 212.117.81.42 255.255.255.255 password +host all all 0.0.0.0/0 password + +Backup and restore + + The backups and restore are done with the user pgsql or postgres. Backup + and restore a single database: +# pg_dump --clean dbname > dbname_sql.dump +# psql dbname < dbname_sql.dump + + Backup and restore all databases (including users): +# pg_dumpall --clean > full.dump +# psql -f full.dump postgres + + In this case the restore is started with the database postgres which is + better when reloading an empty cluster. + +MySQL + +Change mysql root or username password + +Method 1 + +# /etc/init.d/mysql stop +or +# killall mysqld +# mysqld --skip-grant-tables +# mysqladmin -u root password 'newpasswd' +# /etc/init.d/mysql start + +Method 2 + +# mysql -u root mysql +mysql> UPDATE USER SET PASSWORD=PASSWORD("newpassword") where user='root'; +mysql> FLUSH PRIVILEGES; # Use username instead of "roo +t" +mysql> quit + +Create user and database (see MySQL +dochttp://dev.mysql.com/doc/refman/5.1/en/adding-users.html) + +# mysql -u root mysql +mysql> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'pwd'; # create only a user +mysql> CREATE DATABASE bobdb; +mysql> GRANT ALL ON *.* TO 'bob'@'%' IDENTIFIED BY 'pwd'; # Use localhost instead + of % + # to restrict the network acce +ss +mysql> DROP DATABASE bobdb; # Delete database +mysql> DROP USER bob; # Delete user +mysql> DELETE FROM mysql.user WHERE user='bob and host='hostname'; # Alt. command +mysql> FLUSH PRIVILEGES; + +Grant remote access + + Remote access is typically permitted for a database, and not all + databases. The file /etc/my.cnf contains the IP address to bind to. (On + FreeBSD my.cnf not created per fedault, copy one .cnf file from + /usr/local/share/mysql to /usr/local/etc/my.cnf) Typically comment the + line bind-address = out. +# mysql -u root mysql +mysql> GRANT ALL ON bobdb.* TO bob@'xxx.xxx.xxx.xxx' IDENTIFIED BY 'PASSWORD'; +mysql> REVOKE GRANT OPTION ON foo.* FROM bar@'xxx.xxx.xxx.xxx'; +mysql> FLUSH PRIVILEGES; # Use 'hostname' or also '%' for full a +ccess + +Backup and restore + + Backup and restore a single database: +# mysqldump -u root -psecret --add-drop-database dbname > dbname_sql.dump +# mysql -u root -psecret -D dbname < dbname_sql.dump + + Backup and restore all databases: +# mysqldump -u root -psecret --add-drop-database --all-databases > full.dump +# mysql -u root -psecret < full.dump + + Here is "secret" the mysql root password, there is no space after -p. + When the -p option is used alone (w/o password), the password is asked + at the command prompt. + +SQLite + + SQLitehttp://www.sqlite.org is a small powerful self-contained, + serverless, zero-configuration SQL database. + +Dump and restore + + It can be useful to dump and restore an SQLite database. For example you + can edit the dump file to change a column attribute or type and then + restore the database. This is easier than messing with SQL commands. Use + the command sqlite3 for a 3.x database. +# sqlite database.db .dump > dump.sql # dump +# sqlite database.db < dump.sql # restore + +Convert 2.x to 3.x database + +sqlite database_v2.db .dump | sqlite3 database_v3.db + +Disk Quota + + A disk quota allows to limit the amount of disk space and/or the number + of files a user or (or member of group) can use. The quotas are + allocated on a per-file system basis and are enforced by the kernel. + +Linux setup + + The quota tools package usually needs to be installed, it contains the + command line tools. + Activate the user quota in the fstab and remount the partition. If the + partition is busy, either all locked files must be closed, or the system + must be rebooted. Add usrquota to the fstab mount options, for example: +/dev/sda2 /home reiserfs rw,acl,user_xattr,usrquota 1 1 +# mount -o remount /home +# mount # Check if usrquota is active, otherwise reb +oot + + Initialize the quota.user file with quotacheck. +# quotacheck -vum /home +# chmod 644 /home/aquota.user # To let the users check their own quota + + Activate the quota either with the provided script (e.g. + /etc/init.d/quotad on SuSE) or with quotaon: +quotaon -vu /home + + Check that the quota is active with: +quota -v + +FreeBSD setup + + The quota tools are part of the base system, however the kernel needs + the option quota. If it is not there, add it and recompile the kernel. +options QUOTA + + As with Linux, add the quota to the fstab options (userquota, not + usrquota): +/dev/ad0s1d /home ufs rw,noatime,userquota 2 2 +# mount /home # To remount the partition + + Enable disk quotas in /etc/rc.conf and start the quota. +# grep quotas /etc/rc.conf +enable_quotas="YES" # turn on quotas on startup (or NO). +check_quotas="YES" # Check quotas on startup (or NO). +# /etc/rc.d/quota start + +Assign quota limits + + The quotas are not limited per default (set to 0). The limits are set + with edquota for single users. A quota can be also duplicated to many + users. The file structure is different between the quota + implementations, but the principle is the same: the values of blocks and + inodes can be limited. Only change the values of soft and hard. If not + specified, the blocks are 1k. The grace period is set with edquota -t. + For example: +# edquota -u colin + +Linux + +Disk quotas for user colin (uid 1007): + Filesystem blocks soft hard inodes soft hard + /dev/sda8 108 1000 2000 1 0 0 + +FreeBSD + +Quotas for user colin: +/home: kbytes in use: 504184, limits (soft = 700000, hard = 800000) + inodes in use: 1792, limits (soft = 0, hard = 0) + +For many users + + The command edquota -p is used to duplicate a quota to other users. For + example to duplicate a reference quota to all users: +# edquota -p refuser `awk -F: '$3 > 499 {print $1}' /etc/passwd` +# edquota -p refuser user1 user2 # Duplicate to 2 users + +Checks + + Users can check their quota by simply typing quota (the file quota.user + must be readable). Root can check all quotas. +# quota -u colin # Check quota for a user +# repquota /home # Full report for the partition for all user +s + +Shells + + Most Linux distributions use the bash shell while the BSDs use tcsh, the + bourne shell is only used for scripts. Filters are very useful and can + be piped: + * grep Pattern matching + * sed Search and Replace strings or characters + * cut Print specific columns from a marker + * sort Sort alphabetically or numerically + * uniq Remove duplicate lines from a file + + For example used all at once: +# ifconfig | sed 's/ / /g' | cut -d" " -f1 | uniq | grep -E "[a-z0-9]+" | sort - +r +# ifconfig | sed '/.*inet addr:/!d;s///;s/ .*//'|sort -t. -k1,1n -k2,2n -k3,3n -k +4,4n + + The first character in the sed pattern is a tab. To write a tab on the + console, use ctrl-v ctrl-tab. + +bash + + Redirects and pipes for bash and sh: +# cmd 1> file # Redirect stdout to file. +# cmd 2> file # Redirect stderr to file. +# cmd 1>> file # Redirect and append stdout to file. +# cmd &> file # Redirect both stdout and stderr to file. +# cmd >file 2>&1 # Redirects stderr to stdout and then to fi +le. +# cmd1 | cmd2 # pipe stdout to cmd2 +# cmd1 2>&1 | cmd2 # pipe stdout and stderr to cmd2 + + Modify your configuration in ~/.bashrc (it can also be ~/.bash_profile). + The following entries are useful, reload with ". .bashrc". With cygwin + use ~/.bash_profile; with rxvt past with shift + left-click. +# in .bashrc +bind '"\e[A"':history-search-backward # Use up and down arrow to search +bind '"\e[B"':history-search-forward # the history. Invaluable! +set -o emacs # Set emacs mode in bash (see below) +set bell-style visible # Do not beep, inverse colors + # Set a nice prompt like [user@host]/path/todir> +PS1="\[\033[1;30m\][\[\033[1;34m\]\u\[\033[1;30m\]" +PS1="$PS1@\[\033[0;33m\]\h\[\033[1;30m\]]\[\033[0;37m\]" +PS1="$PS1\w\[\033[1;30m\]>\[\033[0m\]" + +# To check the currently active aliases, simply type alias +alias ls='ls -aF' # Append indicator (one of */=>@|) +alias ll='ls -aFls' # Listing +alias la='ls -all' +alias ..='cd ..' +alias ...='cd ../..' +export HISTFILESIZE=5000 # Larger history +export CLICOLOR=1 # Use colors (if possible) +export LSCOLORS=ExGxFxdxCxDxDxBxBxExEx + +tcsh + + Redirects and pipes for tcsh and csh (simple > and >> are the same as + sh): +# cmd >& file # Redirect both stdout and stderr to file. +# cmd >>& file # Append both stdout and stderr to file. +# cmd1 | cmd2 # pipe stdout to cmd2 +# cmd1 |& cmd2 # pipe stdout and stderr to cmd2 + + The settings for csh/tcsh are set in ~/.cshrc, reload with "source + .cshrc". Examples: +# in .cshrc +alias ls 'ls -aF' +alias ll 'ls -aFls' +alias la 'ls -all' +alias .. 'cd ..' +alias ... 'cd ../..' +set prompt = "%B%n%b@%B%m%b%/> " # like user@host/path/todir> +set history = 5000 +set savehist = ( 6000 merge ) +set autolist # Report possible completions with tab +set visiblebell # Do not beep, inverse colors + +# Bindkey and colors +bindkey -e Select Emacs bindings # Use emacs keys to edit the command prompt +bindkey -k up history-search-backward # Use up and down arrow to search +bindkey -k down history-search-forward +setenv CLICOLOR 1 # Use colors (if possible) +setenv LSCOLORS ExGxFxdxCxDxDxBxBxExEx + + The emacs mode enables to use the emacs keys shortcuts to modify the + command prompt line. This is extremely useful (not only for emacs + users). The most used commands are: + * C-a Move cursor to beginning of line + * C-e Move cursor to end of line + * M-b Move cursor back one word + * M-f Move cursor forward one word + * M-d Cut the next word + * C-w Cut the last word + * C-u Cut everything before the cursor + * C-k Cut everything after the cursor (rest of the line) + * C-y Paste the last thing to be cut (simply paste) + * C-_ Undo + + Note: C- = hold control, M- = hold meta (which is usually the alt or + escape key). + +Scripting + + Basics | Script example | awk | sed | Regular Expressions | useful + commands + The Bourne shell (/bin/sh) is present on all Unix installations and + scripts written in this language are (quite) portable; man 1 sh is a + good reference. + +Basics + +Variables and arguments + + Assign with variable=value and get content with $variable +MESSAGE="Hello World" # Assign a string +PI=3.1415 # Assign a decimal number +N=8 +TWON=`expr $N * 2` # Arithmetic expression (only intege +rs) +TWON=$(($N * 2)) # Other syntax +TWOPI=`echo "$PI * 2" | bc -l` # Use bc for floating point operatio +ns +ZERO=`echo "c($PI/4)-sqrt(2)/2" | bc -l` + + The command line arguments are +$0, $1, $2, ... # $0 is the command itself +$# # The number of arguments +$* # All arguments (also $@) + +Special Variables + +$$ # The current process ID +$? # exit status of last command + command + if [ $? != 0 ]; then + echo "command failed" + fi +mypath=`pwd` +mypath=${mypath}/file.txt +echo ${mypath##*/} # Display the filename only +echo ${mypath%%.*} # Full path without extention +foo=/tmp/my.dir/filename.tar.gz +path = ${foo%/*} # Full path without extention +var2=${var:=string} # Use var if set, otherwise use stri +ng + # assign string to var and then to v +ar2. +size=$(stat -c%s "$file") # get file size in bourne script +filesize=${size:=-1} + +Constructs + +for file in `ls` +do + echo $file +done + +count=0 +while [ $count -lt 5 ]; do + echo $count + sleep 1 + count=$(($count + 1)) +done + +myfunction() { + find . -type f -name "*.$1" -print # $1 is first argument of the functi +on +} +myfunction "txt" + +Generate a file + +MYHOME=/home/colin +cat > testhome.sh << _EOF +# All of this goes into the file testhome.sh +if [ -d "$MYHOME" ] ; then + echo $MYHOME exists +else + echo $MYHOME does not exist +fi +_EOF +sh testhome.sh + +Bourne script example + + As a small example, the script used to create a PDF booklet from this + xhtml document: +#!/bin/sh +# This script creates a book in pdf format ready to print on a duplex printer +if [ $# -ne 1 ]; then # Check the argument + echo 1>&2 "Usage: $0 HtmlFile" + exit 1 # non zero exit if error +fi + +file=$1 # Assign the filename +fname=${file%.*} # Get the name of the file only +fext=${file#*.} # Get the extension of the file + +prince $file -o $fname.pdf # from www.princexml.com +pdftops -paper A4 -noshrink $fname.pdf $fname.ps # create postscript booklet +cat $fname.ps |psbook|psnup -Pa4 -2 |pstops -b "2:0,1U(21cm,29.7cm)" > $fname.boo +k.ps + +ps2pdf13 -sPAPERSIZE=a4 -sAutoRotatePages=None $fname.book.ps $fname.book.pdf + # use #a4 and #None on Windows! +exit 0 # exit 0 means successful + +Some awk commands + + Awk is useful for field stripping, like cut in a more powerful way. + Search this document for other examples. See for example gnulamp.com and + one-liners for awk for some nice examples. +awk '{ print $2, $1 }' file # Print and inverse first two column +s +awk '{printf("%5d : %s\n", NR,$0)}' file # Add line number left aligned +awk '{print FNR "\t" $0}' files # Add line number right aligned +awk NF test.txt # remove blank lines (same as grep ' +.') +awk 'length > 80' # print line longer than 80 char) + +Some sed commands + + Here is the one liner gold + minehttp://student.northpark.edu/pemente/sed/sed1line.txt. And a good + introduction and tutorial to sedhttp://www.grymoire.com/Unix/Sed.html. +sed 's/string1/string2/g' # Replace string1 with string2 +sed -i 's/wroong/wrong/g' *.txt # Replace a recurring word with g +sed 's/\(.*\)1/\12/g' # Modify anystring1 to anystring2 +sed '/<p>/,/<\/p>/d' t.xhtml # Delete lines that start with <p> + # and end with </p> +sed '/ *#/d; /^ *$/d' # Remove comments and blank lines +sed 's/[ \t]*$//' # Remove trailing spaces (use tab as + \t) +sed 's/^[ \t]*//;s/[ \t]*$//' # Remove leading and trailing spaces +sed 's/[^*]/[&]/' # Enclose first char with [] top->[t +]op +sed = file | sed 'N;s/\n/\t/' > file.num # Number lines on a file + +Regular Expressions + + Some basic regular expression useful for sed too. See Basic Regex + Syntaxhttp://www.regular-expressions.info/reference.html for a good + primer. +[\^$.|?*+() # special characters any other will match th +emselves +\ # escapes special characters and treat as li +teral +* # repeat the previous item zero or more time +s +. # single character except line break charact +ers +.* # match zero or more characters +^ # match at the start of a line/string +$ # match at the end of a line/string +.$ # match a single character at the end of lin +e/string +^ $ # match line with a single space +^[A-Z] # match any line beginning with any char fro +m A to Z + +Some useful commands + + The following commands are useful to include in a script or as one + liners. +sort -t. -k1,1n -k2,2n -k3,3n -k4,4n # Sort IPv4 ip addresses +echo 'Test' | tr '[:lower:]' '[:upper:]' # Case conversion +echo foo.bar | cut -d . -f 1 # Returns foo +PID=$(ps | grep script.sh | grep bin | awk '{print $1}') # PID of a running sc +ript +PID=$(ps axww | grep [p]ing | awk '{print $1}') # PID of ping (w/o gr +ep pid) +IP=$(ifconfig $INTERFACE | sed '/.*inet addr:/!d;s///;s/ .*//') # Linux +IP=$(ifconfig $INTERFACE | sed '/.*inet /!d;s///;s/ .*//') # FreeBSD +if [ `diff file1 file2 | wc -l` != 0 ]; then [...] fi # File changed? +cat /etc/master.passwd | grep -v root | grep -v \*: | awk -F":" \ # Create http p +asswd +'{ printf("%s:%s\n", $1, $2) }' > /usr/local/etc/apache2/passwd + +testuser=$(cat /usr/local/etc/apache2/passwd | grep -v \ # Check user in passw +d +root | grep -v \*: | awk -F":" '{ printf("%s\n", $1) }' | grep ^user$) +:(){ :|:& };: # bash fork bomb. Will kill your mac +hine +tail +2 file > file2 # remove the first line from file + + I use this little trick to change the file extension for many files at + once. For example from .cxx to .cpp. Test it first without the | sh at + the end. You can also do this with the command rename if installed. Or + with bash builtins. +# ls *.cxx | awk -F. '{print "mv "$0" "$1".cpp"}' | sh +# ls *.c | sed "s/.*/cp & &.$(date "+%Y%m%d")/" | sh # e.g. copy *.c to *.c.20080 +401 +# rename .cxx .cpp *.cxx # Rename all .cxx to cpp +# for i in *.cxx; do mv $i ${i%%.cxx}.cpp; done # with bash builtins + +Programming + +C basics + +strcpy(newstr,str) /* copy str to newstr */ +expr1 ? expr2 : expr3 /* if (expr1) expr2 else expr3 */ +x = (y > z) ? y : z; /* if (y > z) x = y; else x = z; */ +int a[]={0,1,2}; /* Initialized array (or a[3]={0,1,2}; +*/ +int a[2][3]={{1,2,3},{4,5,6}}; /* Array of array of ints */ +int i = 12345; /* Convert in i to char str */ +char str[10]; +sprintf(str, "%d", i); + +C example + + A minimal c program simple.c: +#include <stdio.h> +main() { + int number=42; + printf("The answer is %i\n", number); +} + + Compile with: +# gcc simple.c -o simple +# ./simple +The answer is 42 + +C++ basics + +*pointer // Object pointed to by pointer +&obj // Address of object obj +obj.x // Member x of class obj (object obj) +pobj->x // Member x of class pointed to by pobj + // (*pobj).x and pobj->x are the same + +C++ example + + As a slightly more realistic program in C++: a class in its own header + (IPv4.h) and implementation (IPv4.cpp) and a program which uses the + class functionality. The class converts an IP address in integer format + to the known quad format. + +IPv4 class + +IPv4.h: + +#ifndef IPV4_H +#define IPV4_H +#include <string> + +namespace GenericUtils { // create a namespace +class IPv4 { // class definition +public: + IPv4(); ~IPv4(); + std::string IPint_to_IPquad(unsigned long ip);// member interface +}; +} //namespace GenericUtils +#endif // IPV4_H + +IPv4.cpp: + +#include "IPv4.h" +#include <string> +#include <sstream> +using namespace std; // use the namespaces +using namespace GenericUtils; + +IPv4::IPv4() {} // default constructor/destruct +or +IPv4::~IPv4() {} +string IPv4::IPint_to_IPquad(unsigned long ip) { // member implementation + ostringstream ipstr; // use a stringstream + ipstr << ((ip &0xff000000) >> 24) // Bitwise right shift + << "." << ((ip &0x00ff0000) >> 16) + << "." << ((ip &0x0000ff00) >> 8) + << "." << ((ip &0x000000ff)); + return ipstr.str(); +} + +The program simplecpp.cpp + +#include "IPv4.h" +#include <iostream> +#include <string> +using namespace std; +int main (int argc, char* argv[]) { + string ipstr; // define variables + unsigned long ipint = 1347861486; // The IP in integer form + GenericUtils::IPv4 iputils; // create an object of the clas +s + ipstr = iputils.IPint_to_IPquad(ipint); // call the class member + cout << ipint << " = " << ipstr << endl; // print the result + + return 0; +} + + Compile and execute with: +# g++ -c IPv4.cpp simplecpp.cpp # Compile in objects +# g++ IPv4.o simplecpp.o -o simplecpp.exe # Link the objects to final execut +able +# ./simplecpp.exe +1347861486 = 80.86.187.238 + + Use ldd to check which libraries are used by the executable and where + they are located. Also used to check if a shared library is missing or + if the executable is static. +# ldd /sbin/ifconfig # list dynamic object dependencies +# ar rcs staticlib.a *.o # create static archive +# ar t staticlib.a # print the objects list from the +archive +# ar x /usr/lib/libc.a version.o # extract an object file from the +archive +# nm version.o # show function members provided b +y object + +Simple Makefile + + The minimal Makefile for the multi-source program is shown below. The + lines with instructions must begin with a tab! The back slash "\" can be + used to cut long lines. +CC = g++ +CFLAGS = -O +OBJS = IPv4.o simplecpp.o + +simplecpp: ${OBJS} + ${CC} -o simplecpp ${CFLAGS} ${OBJS} +clean: + rm -f ${TARGET} ${OBJS} + +Online Help + +Documentation + + Linux Documentation en.tldp.org + Linux Man Pages www.linuxmanpages.com + Linux commands directory www.oreillynet.com/linux/cmd + Linux doc man howtos linux.die.net + FreeBSD Handbook www.freebsd.org/handbook + FreeBSD Man Pages www.freebsd.org/cgi/man.cgi + FreeBSD user wiki www.freebsdwiki.net + Solaris Man Pages docs.sun.com/app/docs/coll/40.10 + +Other Unix/Linux references + + Rosetta Stone for Unix bhami.com/rosetta.html (a Unix command + translator) + Unix guide cross reference unixguide.net/unixguide.shtml + Linux commands line list www.linuxcmd.org + Short Linux reference www.pixelbeat.org/cmdline.html + Little command line goodies www.shell-fu.org + + That's all folks! + + This document: "Unix Toolbox revision 14.4" is licensed under a Creative + Commons Licence [Attribution - Share Alike]. © Colin Barschel 2007-2012. + Some rights reserved.