Wednesday, October 16, 2013

Unix: When pipes get names

                 Unix pipes are wonderful because they keep you from having to write intermediate command output to disk (relatively slow) and you don’t need to clean up temporary files afterwards. Once you get the knack, you can string commands together and get a lot of work done with a single line of commands. But there are two types of pipes that you can use when working on a Unix system – regular, unnamed or anonymous pipes and named pipes. These two types of pipes share some advantages, but are used and implemented very differently.

The more common type of pipe allows you to take the output of one command, say ps –ef, and pass it to another command, say grep, to be processed further. Just stick a | between the commands and, voila, you have a pipe and probably some useful output. In fact, you can string together commands and pipes until you run out of things to do with the data you are manipulating. I have seen some clever one-liners with three or four pipes. These pipes exist inside the Unix kernel.

Named pipes, like their unnamed counterparts, allow separate processes to communicate, but they do so by establishing a presence in the file system. They are sometimes referred to as FIFOs. FIFO stands for “first in, first out” and, as you might suspect, these pipes work like a line at the supermarket. If you get in line first, you should be the first to push your shopping cart out to the parking lot. But, unlike unnamed pipes, these pipes can be viewed with the ls command and are created with the mkfifo command.

$ mkfifo mypipe
$ ls -l mypipe
prw-r----- 1 shs geeks 0 Sep 29  2013 mypipe
 
Notice that the file type is represented by the letter “p” and that the file has no apparent content. Permissions, as with other files, depend on your umask settings and determine who can read or write to your pipe.

Want to try a simple example? Open two ssh sessions to a system. In one, create your pipe and then send some command output to it.

$ mkfifo mypipe
$ cal > mypipe
 
Don’t worry that your command just seems to hang.
In the other, read from the pipe.

$ cat < mypipe
   September 2013
Su Mo Tu We Th Fr Sa
 1  2  3  4  5  6  7
 8  9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30
 
What should pop out of this simple demonstration is how your pipe is able to allow processes running in separate sessions to communicate. Depending on permissions, separate processes run by separate users are just as easy. And, of course, these pipes are reusable. They’ll still be sitting in your file system after your commands have completed.

Run this looping script, sending its output to your pipe.

#!/bin/bash

while true
do
    echo "I'm still running"
    sleep 10
done
$ ./loop > mypipe
In the second login session, read from your pipe:
$ cat < mypipe
I’m still running
$
As soon as you ^c in the first window, you should see your session go back to the prompt.
I'm still running
I'm still running
$
 
Depending on what you end up doing with your pipe, you could get a “broken pipe” message in the second window. This means that the input side of the pipe went away too quickly

You can also write scripts or run commands that wait for output from a named before taking the next step – as in this example. In one session, do this:

$ if read line <mypipe; then
> echo this is a test
> fi
 
Again, the session seems to freeze. But then send something through the pipe from the other session and you’ll be back at the prompt:

$ echo hello > mypipe
Check on your first window again and you should see something like this:
$ if read line <mypipe; then
> echo this is a test
> fi
this is a test
 
Named pipes are especially useful if many processes are going to read from and write to your pipes or when processes need to send a lot of information, especially a variety of data, to other processes. You can look for named pipes on your systems using a command such as this:

$ find / -type p -print 2> /dev/null
 
Don't be surprised if you find only a handful. Named pipes can be extremely handy, but they're not heavily used on most Unix systems.

Monday, September 30, 2013

Linux / Unix Command: login

NAME

login - sign on  

SYNOPSIS

login [ name ]
login -p
login -h hostname
login -f name  

DESCRIPTION

login is used when signing onto a system. It can also be used to switch from one user to another at any time (most modern shells have support for this feature built into them, however). If an argument is not given, login prompts for the username.
If the user is not root, and if /etc/nologin exists, the contents of this file are printed to the screen, and the login is terminated. This is typically used to prevent logins when the system is being taken down.
If special access restrictions are specified for the user in /etc/usertty, these must be met, or the log in attempt will be denied and a syslog message will be generated. See the section on "Special Access Restrictions".
If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility.

After these conditions have been checked, the password will be requested and checked (if a password is required for this username). Ten attempts are allowed before login dies, but after the first three, the response starts to get very slow. Login failures are reported via the syslog facility. This facility is also used to report any successful root logins.

If the file .hushlogin exists, then a "quiet" login is performed (this disables the checking of mail and the printing of the last login time and message of the day). Otherwise, if /var/log/lastlog exists, the last login time is printed (and the current login is recorded).

Random administrative things, such as setting the UID and GID of the tty are performed. The TERM environment variable is preserved, if it exists (other environment variables are preserved if the -p option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin:. for normal users, and to /sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is not a "quiet" login, the message of the day is printed and the file with the user's name in /var/spool/mail will be checked, and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).  

OPTIONS

-p
Used by getty(8) to tell login not to destroy the environment
-f
Used to skip a second login authentication. This specifically does not work for root, and does not appear to work well under Linux.
-h
Used by other servers (i.e., telnetd(8)) to pass the name of the remote host to login so that it may be placed in utmp and wtmp. Only the superuser may use this option.
 

SPECIAL ACCESS RESTRICTIONS

The file /etc/securetty lists the names of the ttys where root is allowed to log in. One name of a tty device without the /dev/ prefix must be specified on each line. If the file does not exist, root is allowed to log in on any tty.

On most modern Linux systems PAM (Pluggable Authentication Modules) is used. On systems that do not use PAM, the file /etc/usertty specifies additional access restrictions for specific users. If this file does not exist, no additional access restrictions are imposed. The file consists of a sequence of sections. There are three possible section types: CLASSES, GROUPS and USERS. A CLASSES section defines classes of ttys and hostname patterns, A GROUPS section defines allowed ttys and hosts on a per group basis, and a USERS section defines allowed ttys and hosts on a per user basis.

Each line in this file in may be no longer than 255 characters. Comments start with # character and extend to the end of the line.
 

The CLASSES Section

A CLASSES section begins with the word CLASSES at the start of a line in all upper case. Each following line until the start of a new section or the end of the file consists of a sequence of words separated by tabs or spaces. Each line defines a class of ttys and host patterns.

The word at the beginning of a line becomes defined as a collective name for the ttys and host patterns specified at the rest of the line. This collective name can be used in any subsequent GROUPS or USERS section. No such class name must occur as part of the definition of a class in order to avoid problems with recursive classes.

An example CLASSES section:

CLASSES
myclass1                tty1 tty2
myclass2                tty3 @.foo.com
This defines the classes myclass1 and myclass2 as the corresponding right hand sides.

 

The GROUPS Section

A GROUPS section defines allowed ttys and hosts on a per Unix group basis. If a user is a member of a Unix group according to /etc/passwd and /etc/group and such a group is mentioned in a GROUPS section in /etc/usertty then the user is granted access if the group is.

A GROUPS section starts with the word GROUPS in all upper case at the start of a line, and each following line is a sequence of words separated by spaces or tabs. The first word on a line is the name of the group and the rest of the words on the line specifies the ttys and hosts where members of that group are allowed access. These specifications may involve the use of classes defined in previous CLASSES sections.

An example GROUPS section.

GROUPS
sys             tty1 @.bar.edu
stud            myclass1 tty4
This example specifies that members of group sys may log in on tty1 and from hosts in the bar.edu domain. Users in group stud may log in from hosts/ttys specified in the class myclass1 or from tty4.

The USERS Section

A USERS section starts with the word USERS in all upper case at the start of a line, and each following line is a sequence of words separated by spaces or tabs. The first word on a line is a username and that user is allowed to log in on the ttys and from the hosts mentioned on the rest of the line. These specifications may involve classes defined in previous CLASSES sections. If no section header is specified at the top of the file, the first section defaults to be a USERS section. An example USERS section:

USERS
zacho           tty1 @130.225.16.0/255.255.255.0
blue            tty3 myclass2
This lets the user zacho login only on tty1 and from hosts with IP addreses in the range 130.225.16.0 - 130.225.16.255, and user blue is allowed to log in from tty3 and whatever is specified in the class myclass2.
There may be a line in a USERS section starting with a username of *. This is a default rule and it will be applied to any user not matching any other line.

If both a USERS line and GROUPS line match a user then the user is allowed access from the union of all the ttys/hosts mentioned in these specifications.
 

Origins

The tty and host pattern specifications used in the specification of classes, group and user access are called origins. An origin string may have one of these formats:
o
The name of a tty device without the /dev/ prefix, for example tty1 or ttyS0.

o
The string @localhost, meaning that the user is allowed to telnet/rlogin from the local host to the same host. This also allows the user to for example run the command: xterm -e /bin/login.

o
A domain name suffix such as @.some.dom, meaning that the user may rlogin/telnet from any host whose domain name has the suffix .some.dom.

o
A range of IPv4 addresses, written @x.x.x.x/y.y.y.y where x.x.x.x is the IP address in the usual dotted quad decimal notation, and y.y.y.y is a bitmask in the same notation specifying which bits in the address to compare with the IP address of the remote host. For example @130.225.16.0/255.255.254.0 means that the user may rlogin/telnet from any host whose IP address is in the range 130.225.16.0 - 130.225.17.255.
Any of the above origins may be prefixed by a time specification according to the syntax:

timespec    ::= '[' <day-or-hour> [':' <day-or-hour>]* ']'
day         ::= 'mon' | 'tue' | 'wed' | 'thu' | 'fri' | 'sat' | 'sun'
hour        ::= '0' | '1' | ... | '23'
hourspec    ::= <hour> | <hour> '-' <hour>
day-or-hour ::= <day> | <hourspec>
For example, the origin [mon:tue:wed:thu:fri:8-17]tty3 means that log in is allowed on mondays through fridays between 8:00 and 17:59 (5:59 pm) on tty3. This also shows that an hour range a-b includes all moments between a:00 and b:59. A single hour specification (such as 10) means the time span between 10:00 and 10:59.

Not specifying any time prefix for a tty or host means log in from that origin is allowed any time. If you give a time prefix be sure to specify both a set of days and one or more hours or hour ranges. A time specification may not include any white space.

If no default rule is given then users not matching any line /etc/usertty are allowed to log in from anywhere as is standard behavior.

System Center 2012 SP1 Updated for Linux, Unix and Mac Management

                  Microsoft last week released an update to System Center 2012 Service Pack 1, adding support for the management of Linux and Unix operating systems, along with Mac.
This update, version 5.00.7804.1202, was published on June 10. It adds support for CentOS, Debian, Oracle Linux and Ubuntu Linux OSes, along with AIX, HP-UX and Solaris 11 Unix OSes. Microsoft's download page description also indicates that the update adds support for "Mac OS X 10.6 (Snow Leopard), Mac OS X 10.7 (Lion) and Mac OS X 10.8 (Mountain Lion)." However, the Mac support has been available since April, according to Microsoft's release history.

                   Microsoft first announced System Center 2012 SP1 support for Linux, Unix and Mac clients when it released Service Pack 1 in January. However, it apparently took six months longer for the Linux and Unix management capability to arrive for the Configuration Manager component of System Center 2012 SP1. Adding to this confusion, Microsoft's blogs describe this update as "Cumulative Update 1 for System Center 2012 Configuration Manager SP1." However, Microsoft released CU1 for System Center 2012 Configuration Manager SP1 back in March with a bunch of improvements that didn't include the Linux and Unix management capabilities.

             Another peculiarity is that the management capabilities enabled by this update vary for Linux and Unix clients compared with Mac clients. The supported scenarios for Linux and Unix machines include conducting hardware and software inventories, distributing software and patches, and reporting. On the Mac side, the update supports hardware and software inventories, distributing software and patches, the management of settings to comply with policy, and network discovery. Reporting isn't listed on the Mac side.

             It's a bit confusing that Microsoft describes Configuration Manager as having these management capabilities because it typically depends on having a Windows Intune subscription as well. IT pros can use Configuration Manager for the client management tasks, but it requires adding a "Windows Intune connector" to do so. Even still, a Microsoft TechNet article indicates that there are some management limitations for IT pros on the Android side. For instance, lifecycle management, compliance settings management and hardware inventory aren't possible tasks for IT pros looking to support Android devices, as shown in the following Microsoft table:

Management Tasks Windows RT Windows Phone 8 iOS Android
Device life cycle management such as the ability to retire, wipe, remote wipe, remove, and block devices. Yes Yes Yes No
Compliance settings that include settings for password settings, email management, security, roaming, encryption, and wireless communication. Yes Yes Yes No
Line-of-business app management. Yes Yes Yes Yes
App installation from the store that the device connects to (Windows Store, Windows Phone Store, App Store, Google Play). Yes Yes Yes Yes
Hardware inventory. Yes Yes Yes No


               Microsoft's overall scheme for mobile device management was recently described in a TechEd presentation focusing on System Center 2012 R2 and Windows Server 2012 R2, scheduled for release by year's end. The scheme depends on a device enrollment process, which in turn depends on using the Windows Intune connector. Some things seem to be changing with those upcoming products, such as a suggestion that System Center 2012 R2 Configuration Manager will enable IT pros to manage Android settings.

Ubuntu impresses in Linux enterprise server test

          Network World - Introduced in 1991, Linux boasts an estimated 67 million users worldwide according to linuxcounter.net. Free versions abound, but companies adopting Linux as part of critical infrastructure typically require more support than a community of unpaid, albeit enthusiastic, volunteers can provide.

            The five products we tested -- SUSE Enterprise Server 11 Service Pack 2, Mandriva Business Server 1.0, ClearOS 6 Professional, Red Hat Enterprise Linux 6.4 and Ubuntu 12.04 LTS -- are all enterprise server versions offering commercial support options, either at the OS level or in the form of commercial management tools and support plans.

              For enterprises, the advantages of going with commercial support options include LTR (Long Term Release) versions of the software, improved interoperability, application support and legal protection if A a portion of the open source software is found to infringe on third-party intellectual property rights. Also, vendor longevity is more likely with a Linux distribution that's backed by a commercial revenue stream.