freeVSD Enables Safe Experimentation
The /usr/sbin/vsd-genskel.pl installation script copies system files from the host into a directory referred to as the skeleton. This process is controlled by entries in /etc/freevsd.conf, which specifies files to include and delete. The copies are placed in /home/vsd/skel/ by default:
$ ls /home/vsd/skel bin dev etc home lib proc sbin tmp usr
The root filesystem of each virtual server relies on hard links to corresponding binaries in this skeleton. A hard link is an additional directory entry pointing to a particular file. Note that hard links differ from symbolic links in that every hard link must be deleted before the file is removed from the system; if the file that a symbolic link points to is removed, the symlinked file becomes unresolvable. Since each server shares the same copies of files that comprise most of the default filesystem, relying on hard links creates a tremendous savings of disk usage.
As far as ps and top are concerned, the freeVSD user processes seem to run as root; however, they don't start with root privileges. By default, UIDS start at 1,000 and increment by 200 for each subsequent virtual machine (i.e., the first vm starts at 1,000, the next at 1,200, etc.). This behavior can be modified by changes to the configuration file, /etc/vsd.conf.
As mentioned earlier, the host machine assumes multiple IP addresses using IP aliasing. A dæmon, /usr/sbin/virtuald, works with inetd (or xinetd, which replaces inetd in Red Hat 7.0) to intercept client connections to services such as Telnet or FTP. The incoming connection is handed to the appropriate dæmon in the virtual environment by using chroot to the host's filesystem, by default a directory located in /home/vsd/vs/.
Because of potential security exploits, the virtual web server does not run directly on port 80. Instead, a host server process called vsredirect forwards traffic from port 80 to port 8080 and moves https traffic on port 443 to port 8443. The file documentation file security.txt details how a malicious user could gain root access without this safeguard in place. Redirection is recommended for all privileged ports below 1000.
Within the freeVSD filesystem, several common commands such as rm, ls and passwd have been modified slightly so that the Admin account has the additional privileges required to administer accounts on the virtual server. This includes the ability to establish user accounts and manage their files.
Separate dæmon processes (httpd, pro-ftpd, sendmail and so on) are created for each virtual host. A suid script allows the Admin of the virtual host to start and stop the dæmons via the /usr/sbin/rebootvs command.
The Admin account has simulated root privileges, enabling the Admin user to perform various administrative tasks without seriously compromising the host. The Admin is not a diluted root account; rather, it is an enhanced user account with the limited ability to manage files and accounts on a particular virtual server.
Upon logging in, whoami reports admin and your home directory is /root. Examination of the root (/) directory reveals that Admin owns /root, /home and /tmp. Other Admin-owned files can be determined by running
find / -name admin -print
You are really running Linux, and it really is the bash shell. It's not a watered-down experience. You can run Python or Perl or even compile new apps with gcc. You are in a standard Linux shell environment, and it appears to be your own system.
In /home/httpd/docs one can find the DocumentRoot for the default web server, and /home/web/log contains the log files. The httpd.conf file is located in /etc/httpd/conf/ and may be modified by Admin. As mentioned earlier, /usr/sbin/rebootvs will effectively restart the virtual server by restarting its processes.
Examining /etc/passwd shows the regular system accounts and the admin account; note that this file is read-only. However, /usr/sbin/useradd <newuser> works as expected, including the addition of the new user to the /etc/passwd file.
The file /etc/vsd/priv has a format similar to /etc/groups. It controls which users have privileges such as login, Telnet and FTP access, as well as whether they are allowed to run Perl or gcc. The /usr/bin/listrights command will show the rights granted to a named user. The /usr/sbin/setrights command is a utility to manage this file; however, from a review of the source code (setrights.c), it doesn't appear that the login privilege may be granted with this utility. It is possible to edit /etc/vsd/priv manually and grant this privilege; since Admin doesn't have write privileges in /etc/, the login privilege can only be granted by root.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Paranoid Penguin - Building a Secure Squid Web Proxy, Part IV
- SUSE LLC's SUSE Manager
- Google's SwiftShader Released
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- My +1 Sword of Productivity
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- SuperTuxKart 0.9.2 Released
- Parsing an RSS News Feed with a Bash Script
- Rogue Wave Software's Zend Server
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide