Suse Config

Understand SuSEconfig

S E C T I O N 3 Understand SuSEconfig

In this section you learn about the SuSEconfig tool and how to use it for system administration and management.

Objectives

1. Describe the Files in /etc/sysconfig/

2. Understand SuSEconfig

3. Check File Permissions with SuSEconfig

Introduction

A large part of the configuration of SLES 9 is based on the files in the directory /etc/sysconfig/.

The configuration tool SuSEconfig maintains configuration setups that depend on several packages. Whenever one or more of these packages are changed, SuSEconfig needs to be run.

You can also use the SuSEconfig script to check for specific settings such as file permissions.

Version 2 Copyright © 2007 Novell, Inc. Copying or distributing all or part of this manual is protected by 3-1 a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 license.

Migrating to SUSE LINUX

Objective 1 Describe the Files in /etc/sysconfig/

The directory /etc/sysconfig/ is the central place for configuration files for SUSE LINUX.

Some of the files in /etc/sysconfig/ are interpreted by start scripts in /etc/init.d/ to configure the services.

The files contain general system configuration variables.

■ Variables for the network configuration are defined in

/etc/sysconfig/network/

■ Variables for the mail configuration are defined in

/etc/sysconfig/mail and /etc/sysconfig/postfix

■ Variables for cron are set in

/etc/sysconfig/cron

■ Variables for Apache are set in

/etc/sysconfig/apache (Apache 1.x) and /etc/sysconfig/apache2 (Apache 2.x)

The files contain parameters in the format

VARIABLE=”value”

Hash marks (##) are used for comments above each variable. YaST takes these comments to describe the variables in their configuration module.

The comments also contain metadata. YaST uses them to display information about the variables in the YaST /etc/sysconfig Editor module.

3-2 Copyright © 2007 Novell, Inc. Copying or distributing all or part of this manual is protected by Version 2a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 license.


The following is an example of metadata in the file /etc/sysconfig/postfix:

Metadata is defined as follows:

■ Is part of the variable description.

■ Its lines begin with 2 hash characters (##).

■ It contains pairs: keyword:value

The following are Metadata keywords:

■ Path. Defines where the variable will be located in the tree widget, valid for all following variables in the file.

There are predefined paths into which all sysconfig variables are divided:

❑ Hardware. Hardware-related settings.

❑ System. Basic system configuration.

❑ Desktop. Desktop settings.

❑ Applications. Application settings.

❑ Network. Network services.

## Path: Network/Mail/Postfix## Description: Basic configuration of the postfix MTA## Type: string## Default: ""## Config: postfix## Should we use a mailrelay?# NOTE: ALL mail that is not considered to be my destination# (POSTFIX_LOCALDOMAINS), will be sent to this host.# If this host is not your MX, then you have to use [square brackets]# around the hostname, e.g. [relay.digitalairlines.com]# You may also specify an alternate port number, e.g.# relay.digitalairlines.com:26 or [relay.digitalairlines.com]:26 to prevent MX lookups.#POSTFIX_RELAYHOST=""...



❑ Other. Settings that don’t fit into the classes above.

■ Description. Describes the path that is displayed when the user selects Path in the tree instead of variables.

■ Type. Specifies the data type of value. It is used for checking the value entered.

The following table lists supported types and values:

x If no type value is defined, the default value string will be used.

Table 3-1 Type Valid Values

string Any value

string(v1,v2,...) Value from list or any value

list(v1,v2,...) Only value from list

integer Integer

integer(min:max) Integer in specified range (one limit can be missing, use e.g. integer(0:) for values >= 0)

boolean Only True or False

yesno Only Yes or No

ip IPv4 or IPv6 address (such as 10.20.0.1)

ip4 IPv4 address

ip6 IPv6 address

regexp(re) Only strings that match regular expression re (POSIX Extended Regular Expression), e.g. use regexp(^0[0-7]*$) for octal values



■ Default. The default value, represented by a valid value, which will be set if the user selects Set Default in YaST.

■ ServiceReload/ServiceRestart/Command/Config. Describes what to do when items in this file have been changed in the YaST /etc/sysconfig Editor module:

❑ ServiceReload. Reloads services if they are running.

This is equivalent to the command

/etc/init.d/service reload

❑ ServiceRestart. Restarts services if they are running.

This is equivalent to the command

/etc/init.d/service restart

❑ Command. Starts a command in the bash shell.

❑ Config. Starts selected SuSEconfig modules.

x All keywords are optional. For more information about metadata, see /usr/share/doc/packages/yast2-config/metadata.txt.

The files in /etc/sysconfig/ can be edited:

■ Manually with any text editor.

■ With the special YaST editor for /etc/sysconfig/ in the YaST /etc/sysconfig Editor module.

Start the YaST /etc/sysconfig Editor module by selecting

yast2 > System > /etc/sysconfig Editor

or directly by entering

yast2 sysconfig



The following window appears:

Figure 3-1

After performing changes with YaST, the script /sbin/SuSEconfig runs. This script updates the system configuration where necessary.

If you modify any of the configuration files with an editor, you have to run /sbin/SuSEconfig manually to update your system configuration.



Objective 2 Understand SuSEconfig

This objective contains the following:

■ Describe SuSEconfig

■ Describe SuSEconfig Functions

■ Understand When to Start SuSEconfig

■ Describe the Structure of SuSEconfig Modules in /sbin/conf.d/

■ Understand the Function check_md5_and_move Used by SuSEconfig Modules

■ Restart Services

Describe SuSEconfig

SuSEconfig is a tool for updating the system configuration.

x SuSEconfig has to be run by the user root.

It is based on shell scripts and consists of

■ The program /sbin/SuSEconfig.

■ Modules located in the directory /sbin/conf.d/.

Additionally, there is a file /lib/YaST/SuSEconfig.functions that provides functions used by several modules.

Describe SuSEconfig Functions

SuSEconfig has two tasks:

1. The main function of SuSEconfig is to maintain the system configuration.



Parts of the configuration depend on several packages. Whenever one of these packages is changed (installed, updated, or removed), SuSEconfig updates the configuration.

For example, the configuration of the X11 fonts must be updated after any package providing fonts is changed.

2. In earlier releases of SUSE LINUX, SuSEconfig was used to update configuration files for services depending on settings in files located in /etc/sysconfig/.

For example, most of the commonly used configuration options for the Apache web server could be set in /etc/sysconfig/apache. SuSEconfig would then modify the corresponding options in /etc/httpd/httpd.conf.

This feature will not be included in future releases of SuSEconfig because very few services use it (for example, Postfix).

Understand When to Start SuSEconfig

You have to run SuSEconfig to update the configuration after modifying files in /etc/sysconfig/ manually.

Start SuSEconfig by entering

If the changes affect only one service, you can start the needed modules with the option --module.

For example:

DA3:~ # SuSEconfig

DA3:~ # SuSEconfig --module postfix



x It is usually difficult to decide which module should be processed, so it is easier to run all SuSEconfig modules after any change in /etc/sysconfig/ or after any package is changed. YaST starts SuSEconfig automatically after performing changes with YaST.

Describe the Structure of SuSEconfig Modules in /sbin/conf.d/

SuSEconfig consists of several modules (shell scripts) located in /sbin/conf.d/. Their names begin with SuSEconfig. (such as SuSEconfig.fonts and SuSEconfig.hostname).

In the following, the postfix module (/sbin/conf.d/SuSEconfig.postfix) is used as an example.

These files

■ Contain the required configuration files usually sourced from /etc/sysconfig/:

...test -s $r/etc/sysconfig/postfix || { echo "No $r/etc/sysconfig/postfix found." exit 1}. $r/etc/sysconfig/postfix...



■ Load predefined functions, if needed. These are defined in the file /lib/YaST/SuSEconfig.functions. Loading is done like this:

■ Contain code that updates the system configuration:

...test -f $r/lib/YaST/SuSEconfig.functions || { echo "ERROR - can not find $r/lib/YaST/SuSEconfig.functions!!" echo "This should not happen. Exit..." exit 1}. $r/lib/YaST/SuSEconfig.functions...

...if test -z "$r" && test "$POSTFIX_UPDATE_MAPS" == yes ; then test -e /etc/aliases && \ if test /etc/aliases -nt /etc/aliases.db \ -o ! -e /etc/aliases.db ; then echo "Rebuilding /etc/aliases.db." /usr/bin/newaliases fi update_db virtual transport access canonical sender_canonical \ relocated sasl_passwd relay_ccerts chmod 600 /etc/postfix/sasl_passwd.db

for i in $(get_alias_maps); do if test $i -nt $i.db -o ! -e $i.db; then echo "Rebuilding $i.db" /usr/sbin/postalias $i fi done /usr/sbin/postfix reload > /dev/null 2>&1fi...



Understand the Function check_md5_and_move Used by SuSEconfig Modules

The function check_md5_and_move checks a file and replaces it with a new version, if the original one has not been changed by the user.

If a configuration file controlled by SuSEconfig is changed manually, SuSEconfig leaves the manually modified files untouched. This function helps to keep changes made by the user.

The function check_md5_and_move does the following:

1. It checks for config_file.SuSEconfig. This file includes the changes suggested by SuSEconfig.

2. It checks MD5 sum of the config_file.

This checksums are stored in subdirectories in the directory /var/adm/SuSEconfig/md5/etc/.

3. It moves the suggested config_file.SuSEconfig to config_file, if the MD5 checksum is the same or is missing.

4. It updates the MD5 checksum.

5. If the checksum of config_file and config_file.SuSEconfig are different, it keeps config_file untouched and prints the message to inform the administrator.The created config_file.SuSEconfig file can be compared with the manually changed configuration file to check which changes SuSEconfig would have made.



For example, after a manual change to /etc/postfix/main.cf, the following happens, when SuSEconfig is launched:

Restart Services

After a file in /etc/sysconfig/ has been edited and all affected files have been updated by running SuSEconfig, the involved services must be restarted.

For example, for the network configuration, this can be done with the following command:

On SLES 9, you can also enter

x rcnetwork is a symbolic link to /etc/init.d/network stored in /sbin/.

DA3:~ # SuSEconfig --module postfixStarting SuSEconfig, the SuSE Configuration Tool...Running module postfix onlyReading /etc/sysconfig and updating the system...Executing /sbin/conf.d/SuSEconfig.postfix...Setting up postfix local as MDA...Setting SPAM protection to "off"...ATTENTION: You have modified /etc/postfix/main.cf. Leaving it untouched...You can find my version in /etc/postfix/main.cf.SuSEconfig...Finished.

DA3:~ # /etc/init.d/network restart

DA3:~ # rcnetwork restart



Objective 3 Check File Permissions with SuSEconfig

In Linux you have to find a balance between security and ease of use. On SLES 9, this is handled with the SuSEconfig permissions module.

To activate the permission check, the variable CHECK_PERMISSIONS in /etc/sysconfig/security has to be set to the value of set (this is the default). If you set this value to warn, SuSEconfig will only issue warnings but will not change any permissions.

Each time SuSEconfig runs, the permissions of the following files are checked:

■ The files listed in the file /etc/permissions

■ The files listed in one or more of the following files:

❑ /etc/permissions.easy

❑ /etc/permissions.local

❑ /etc/permissions.security

❑ /etc/permissions.paranoid

The variable PERMISSION_SECURITY determines which of these files are checked.



The variable PERMISSION_SECURITY is set in the file /etc/sysconfig/security:

If the variable contains easy local, the following files are checked:

■ /etc/permissions.easy

■ /etc/permissions.local

If the variable contains secure, the following file is checked:

■ /etc/permissions.secure

If the variable contains paranoid, the following file is checked:

■ /etc/permissions.paranoid

## Path: System/Security/Permissions## Description: Configuration of permissions on the system## Type: list(set,warn,no)## Default: set## Config: permissions## SuSEconfig can call chkstat to check permissions and ownerships for# files and directories (using /etc/permissions).# Setting to "set" will correct it, "warn" produces warnings, if# something strange is found. Disable this feature with "no".#CHECK_PERMISSIONS="set"

## Type: string## Default: "easy local"## SuSE Linux contains two different configurations for# chkstat. The differences can be found in /etc/permissions.secure# and /etc/permissions.easy. If you create your own configuration# (e.g. permissions.foo), you can enter the extension here as well.## (easy/secure local foo whateveryouwant).#PERMISSION_SECURITY="easy local"...



Additionally, the directory /etc/permissions.d/ can contain permission files for specific packages. The Postfix package is an example.

A short description of the general permission files is given below:

■ /etc/permissions. Used by SuSEconfig to check or set the modes and ownerships of files and directories common for all installations.

■ /etc/permissions.local. Holds local additions made by the system administrator to reflect file permissions and ownerships of locally installed packages (usually in /opt/local/ or /usr/local/).

This file will not be changed during an upgrade of the SLES 9 installation.

■ /etc/permissions.easy. Used in a standalone and single-user installation to make things work out-of-the box.

Some of the settings might be somewhat relaxed from the security standpoint. These settings are handled differently in the file /etc/permissions.secure.

■ /etc/permissions.secure. Used in a multiuser and networked installation. Most privileged file modes are disabled here.

Programs that still have their SUID or SGID modes are always a security risk. Those that remain SUID or SGID with /etc/permission.secure are considered necessary for normal system operation.

■ /etc/permissions.paranoid. This should not be used on a system where normal users are expected to work on.

Derived from /etc/permissions.secure, it has all SGID and SUID bits cleared; therefore, the system might be unusable for non-privileged users except for simple tasks.

In addition, many configuration files are not readable for other users than root.



SuSEconfig uses the program /usr/bin/chkstat to check the access mode and the user and group memberships.

For example, the command

chkstat -set /etc/permissions

will parse the file /etc/permissions and set the access mode and the user and group memberships for each file listed.

The format for the input file is

filename owner:group mode

For example:

/etc/passwd root:root 644

x Wildcards are not supported for the file path.



The YaST Security module can be used to configure which /etc/permissions.* file is used by SuSEconfig; as shown in the following:

Figure 3-2



Exercise 3-1 Use the YaST /etc/sysconfig Editor Module

To use the YaST /etc/sysconfig Editor module, complete the following:

1. Ensure that you are logged into the server’s GUI as geeko with a password of Nov3ll.

2. Launch a terminal window by selecting the respective icon.

3. In the terminal window, enter

less /etc/sysconfig/cron

4. Record the value of the variable MAX_DAYS_IN_TMP:

5. Quit less by pressing q.

6. Launch YaST from the main menu by selecting System > Configuration > YaST Control Center.

7. Enter the root password novell in the authentication window.

8. On the left, select System.

9. On the right, select /etc/sysconfig Editor.

10. Browse through the tree on the left side to view the available options.

11. On the left, open the System entry.

12. Within System, open the Cron entry.

13. Within Cron, select MAX_DAYS_IN_TMP.

14. Change the value to 180.

15. Select Finish.

16. Accept the modified variables by selecting OK.

17. In the terminal window, repeat the command



less /etc/sysconfig/cron

by pressing Up-Arrow and Enter.

Notice the change to the MAX_DAYS_IN_TMP variable.

x The advantage of the YaST module is the tree structure. The tree lets you find the variables easily without having to bother with the filename and see where these variables are defined. Apart from that, changing the values within the files using an editor has the same effect.

18. Close YaST and your terminal session.

(End of Exercise)

Exercise 3-2 Use SuSEconfig to Check and Set File Permissions

To use SuSEconfig to check and set file permissions, complete the following:

1. Ensure you are logged in to your server’s GUI as geeko with a password of N0v3ll.

2. Launch a terminal window:

a. Press Alt + F2.

b. Enter konsole.

c. Select Run.

3. In the terminal, get root privileges by entering sux -.

4. Enter the root password novell at the prompt.

5. To edit the file /etc/permissions.local, enter

vi /etc/permissions.local



6. Add the following line to the end of the file:

/etc/hosts root:root 0644

7. Save the file and exit vi by entering :wq.

8. Run SuSEconfig to check file permissions by entering

SuSEconfig --module permissions

You will see a result similar to this:

9. Change the file permissions on /etc/hosts to simulate a misconfiguration by entering

chmod g+w /etc/hosts

10. Run SuSEconfig again to check permissions by entering

SuSEconfig --module permissions

Starting SuSEconfig, the SuSE Configuration Tool...Running module permissions onlyReading /etc/sysconfig and updating the system...Executing /sbin/conf.d/SuSEconfig.permissions...Checking permissions and ownerships - using the permissions files/etc/permissions.d/apache2/etc/permissions.d/cups-client/etc/permissions.d/kdebase3/etc/permissions.d/kdelibs3/etc/permissions.d/mailman....Finished.



You will see a result similar to the following:

11. Check that the permissions have been corrected by entering

ls -l /etc/hosts

12. Simulate a misconfiguration to the hosts file permissions by entering

chmod g+w /etc/hosts

13. Check and reset the permissions by entering chkstat --set /etc/permissions.local.

You will see a result similar to the following:

14. Check that the permissions have been reset again to the configured value by entering

ls -l /etc/hosts

The result will look like the following:

Starting SuSEconfig, the SuSE Configuration Tool...Running module permissions onlyReading /etc/sysconfig and updating the system...Executing /sbin/conf.d/SuSEconfig.permissions...Checking permissions and ownerships - using the permissions files/etc/permissions.d/apache2/etc/permissions.d/cups-client/etc/permissions.d/kdebase3/etc/permissions.d/kdelibs3/etc/permissions.d/mailman....setting /etc/hosts to root:root 0644. (wrong permissions 0664)Finished.

Checking permissions and ownerships - using the permissions files /etc/permissions.localsetting /etc/hosts to root:root 0644. (wrong permissions 0664)

-rw-r--r-- 1 root root 687 Jun 18 08:42 /etc/hosts



15. Leave the session with root privileges by entering exit.

16. Close your terminal window.

(End of Exercise)



Summary

Objective Summary

1. Describe the Files in /etc/sysconfig/

/etc/sysconfig/ is the central place for configuration files.

The configuration files contain general system configuration variables in the format

VARIABLE=”value”

The comments above each variable contain metadata in the format:

## keyword:value

YaST takes the metadata to display information on the variables in the YaST /etc/sysconfig Editor module.



1. Describe the Files in /etc/sysconfig/ (continued)

Metadata keywords are:

■ Path. Predefined paths are

■ Hardware

■ System

■ Desktop

■ Applications

■ Network

■ Other

■ Description

■ Type

■ Default

■ Service Reload/Service Restart/Command/Config

The files in /etc/sysconfig/ can be edited

■ Manually with an editor.

■ With the YaST /etc/sysconfig Editor module.

Start this YaST module by selecting

yast2 > System > /etc/sysconfig Editor

or by entering

yast2 sysconfig

After performing changes with YaST, the script /sbin/SuSEconfig runs automatically.

After performing changes with an editor, you have to run /sbin/SuSEconfig manually.

Objective Summary



2. Understand SuSEconfig SuSEconfig

■ Is a tool for updating the system configuration.

■ Is based on shell scripts.

■ Consists of

■ /sbin/SuSEconfig.

■ Modules in /sbin/conf.d/.

/lib/YaST/SuSEconfig.functions provides functions used by modules.

SuSEconfig has two functions:

■ Maintaining the system configuration depending on changes in different packages

■ Generating configuration files from settings in files located in /etc/sysconfig/ (only used by a few services).

SuSEconfig has to be started manually, when files in /etc/sysconfig/ have been modified using an editor.

Start SuSEconfig by entering

SuSEconfig

Start a selected SuSEconfig module by entering

SuSEconfig --module module

Objective Summary



2. Understand SuSEconfig (continued)

The files in /sbin/conf.d/ are shell scripts.

Their name begins with SuSEconfig.

The files

■ Contain required configuration files, usually sourced from /etc/sysconfig/.

■ Load predefined functions, defined in /lib/YaST/SuSEconfig.functions.

■ Contain code that updates the system configuration.

check_md5_and_move checks a configuration file and replaces it with a new version.

If the user has changed a file manually, SuSEconfig leaves the file untouched and creates a file, that can be compared with the manually changed file.

After editing a file in /etc/sysconfig/ and updating all affected files by running SuSEconfig, the involved services must be restarted by entering

/etc/init.d/service restart

or

rcservice restart

Objective Summary



3. Check File Permissions with SuSEconfig

SuSEconfig checks the permissions of

■ Files listed in /etc/permissions

■ One or more of the following files (depending on the variable PERMISSION_SECURITY in /etc/sysconfig/security):

■ /etc/permissions.local

■ /etc/permissions.easy

■ /etc/permissions.secure

■ /etc/permissions.paranoid

SuSEconfig uses /usr/bin/chkstat to check the access mode and user and group membership.

YaST Security module can be used to configure which /etc/permissions.* file is used by SuSEconfig.

Objective Summary




Documents

Suse Config