1 

Unix Review 

Today’s topics

Brief History of Unix

Commonly Used Unix Distributions

Users and file permissions

The system boot process

Logging in

Inetd

Network Daemon Processes 

2 

In The Beginning…… 

The UNIX “epoch” is January 1st 1970 (technically it was created in 1969.) 

System V Unix  AT&T (Bell Labs)

System V Rev. 4 is the latest. 

BSD Unix UC Berkeley (1979) Released in 1983 

Unix is a multi-user OS written mostly in C 

3 

Commonly Used Unix Distributions 

AIX - IBM Corp.

DG-UX - Data General Corp.  (run away, run away!)

HP-UX - Hewlett Packard Co.

IRIX - Silicon Graphics Inc. (SGI)

SCO - Santa Cruz Operation, Inc

Solaris - Sun Microsystems (System V)

SunOS 4.x - Sun Microsystems (BSD)

Tru64 - Was DEC-Digital Unix, now Compaq Tru64.

Ultrix  - DEC’s version of Unix before Digital Unix

Linux  (Several distributions)

BSDs (FreeBSD/BSDI, OpenBSD,NetBSD)

4 

New to Unix? 
 

Usenet News comp.unix.* 

Unix FAQ from ftp://rtfm.mit.edu 

Unix Guru Universe  http://www.ugu.com

http://vertigo.hsrl.rutgers.edu/ug/unix_history.html 

The Linux Documentation Project:

http://www.linuxdoc.org

5 

Unix Users 

“Super User” Root can view and or modify any file or process on the system. 

“users” can only view or modify files for which they have permission.  They can only modify processes that they own. 

File permissions:

-rwxrwxrwx 1 jake staff  686 Feb 20 11:56 myfile.txt 
 

  user   group     other

type

6 

SUID - Set user id 

When an executable is SUID, it runs with the privileges of the owner of the executable. 

Some system binaries are SUID root to allow “average” users the ability to  perform necessary tasks. 

When an executable is SGID, it runs with the group designation specified on the file. 
 

7 

SUID- Example 

For example logging in to the system: 

The login program, that runs when a user logs in, is SUID

root so that the process can read the shadow file.

(The shadow file is only readable by root) 
 
    r-sr-xr-x   1 root     bin        29292 Oct  6  1998 login     

The SUID bit is shown as an “s” in the user’s execute portion of the file permissions when using the command “ls -al” 

8 

Booting the system 

The process of booting a system is slightly different between BSD and System V UNIX. 

We will be focusing on System V process of booting since it is becoming the Linux standard in most distributions and Linux will be used in the class Lab.

9 

Booting Linux (simplified) 

At the first step in the boot process the system BIOS checks the system hardware. 

The BIOS then reads the instructions on the MBR (Master Boot Record) stored on the first sector of the hard disk. 

With a Linux system, the MBR typically loads the LILO (Linux Loader) program. 

LILO proceeds to boot the kernel which initializes memory, loads device drivers, then launches the “init” process.

10 

Booting Linux (simplified) Cont’d… 

The “init” process is the mother of all processes, with a process ID of 1. 

Init is responsible for starting all the system processes at boot time, and re-spawning some if they terminate while the system is running. 

The file /etc/inittab configures the behavior of the init process, and specifies the default run level. 

See the man pages for init and inittab for more details. 

11 

Kicking it old school (Sys V style) 

System V UNIX introduced the concept of runlevels.

Different processes are started at each run level.

Run levels

0 - Halted

1 - Single User

2 - Linux: Not used, SYSV: Multi-user without NFS

3 - Multi-user with NFS

4 - Not Used

5 - Linux: Full Multi-user with X Login, SYSV: Halt, power off

6 - Reboot 

12 

Sys V init cont… 

The inittab is configured to instruct init to run /etc/rc.sysinit first. It is a shell script which initializes the system, mounts local file systems and starts network parameters. 

Init then launches /etc/rc.d/rc x which parses the directories /etc/rc.d/rcx.d  (where x is the runlevel 0-6).  

SysV: Init starts with x=1 and increments till it reaches the default run level specified in inittab

Linux: Init uses x=default run level and parses /etc/rc.d/rcx.d

13 

Sys V init cont…. 

The directories /etc/rc.d/rcx.d contain shell scripts which start and stop services and/or daemons. An example of a script name is S99sshd.

As the directories are parsed, /etc/rc.d/rc executes the scripts in numeric and alphabetic order with the argument of start.

     (Ex: S99sshd start)

This process is continued until the last script of the default run level is executed, then init spawns a getty process to present the login prompt.

Alternatively at shutdown, init parses the same directories as it decrements run levels with the argument of stop.

14 

Logging in: The Password file 

The file /etc/passwd contains information about valid user’s of the UNIX system.  

/etc/passwd has several fields separated by a ‘:’

The fields are

    Username:Encrypted Password:UserID:GroupID:GCOS(Comment) :HomeDirectory:login shell

Example:

  jake:x:9730:10:Jake:/home/jake:/usr/bin/bash 

Notice the x in the Encrypted Password field. This indicates that shadow passwords are being used. 

15 

Logging in: The shadow file 

All UNIX systems have /etc/passwd, but not all have /etc/shadow 

/etc/shadow contains a corresponding user entry from /etc/passwd, and additional fields seperated by a : 

The fields are:     username:encryptedpassword:lastchg:min:max:warn:inactive:expire: 

Example:

     jake:ABC123DEF::::::: 

16 

Logging in: Login process (Very Brief) 

The “login” process handles all user logins from terminal sessions. The log on each user must present their username and password.  

The login process verifies that an entry in /etc/passwd exists for the user.  

The login process then, using a “salt”, encrypts the entered password and compares it to the encrypted password in /etc/passwd or /etc/shadow. (Depending if shadowed passwords are used or not.)

If the encrypted passwords match, you’re allowed in! 

17 

Inetd 

Inetd is often referred to as the “Internet super server”

The inetd process oversees several other network daemons which provide specific services such as ftp, telnet, rlogin etc… as defined in its configuration file /etc/inetd.conf

For example: Telnet

    inetd.conf entry:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

The keyword “telnet” now needs a corresponding entry in /etc/services to tell the system which port it’s listening.

    /etc/services entry:

    telnet          23/tcp 

18 

Inetd. Cont…. 

In this example inetd has been configured to handle incoming telnet requests.

Inetd listens on tcp port 23 for incoming connections.

When a valid connection is received, inetd then spawns a telnet process (in.telnetd) to handle the request.

  Why?  - Inetd cuts down on the number of processes running on the system. Processes spawned by inetd will only run as long as they are needed. 

19 

Network Daemon Processes 

Running Daemons 

Some Internet service daemons are spawned by inetd, and others run as stand-alone daemons the listen on a particular port. 

Stand-alone daemons such as httpd fork() a child process to handle each connection. 

A default installation of most UNIX systems install and start several daemons by default  such as portmap/rpcbind, nfsd, httpd, lpd….) 

20 

Process Control 

The ps (process status) command can be used to view the current running processes 

the kill command  can be used to send a signal to a process to terminate, restart or reconfigure the process.

See the kill and signal man pages for more details

Commonly used signals: 

1 (HUP) - Tells a process to re-read its configuration file

15 (TERM) - Tells a process to terminate

9   (KILL)    - Forces a process to die when it doesn’t respond to a TERM 

21 

Find running processes with “ps” 

Output of “ps -aux” 

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND

root         1  2.2  0.8  1324  536 ?        S    21:20   0:05 init [5]

root         2  0.0  0.0     0    0 ?        SW   21:20   0:00 [kflushd]

root         3  0.0  0.0     0    0 ?        SW   21:20   0:00 [kupdate]

root         4  0.0  0.0     0    0 ?        SW   21:20   0:00 [kpiod]

root         5  0.0  0.0     0    0 ?        SW   21:20   0:00 [kswapd]

root         6  0.0  0.0     0    0 ?        SW<  21:20   0:00 [mdrecoveryd]

root       334  0.2  1.3  1660  844 ?        S    21:21   0:00 syslogd -m 0

root       344  0.0  1.3  1624  820 ?        S    21:21   0:00 klogd

rpc        359  0.0  0.9  1468  576 ?        S    21:21   0:00 portmap

root       375  0.0  0.0     0    0 ?        SW   21:21   0:00 [lockd]

root       376  0.0  0.0     0    0 ?        SW   21:21   0:00 [rpciod]

rpcuser    386  0.0  1.3  1572  824 ?        S    21:21   0:00 rpc.statd

root       401  0.0  0.8  1308  524 ?        S    21:21   0:00 /usr/sbin/apmd -p

daemon     455  0.0  0.9  1356  576 ?        S    21:21   0:00 /usr/sbin/atd 

22 

Finding open ports 

Network daemons are bound to a particular port and listen for connection requests. 

A listing of service/port mappings are found in the file /etc/services . 

There are a few utilities in UNIX which allow a user to view which ports are “open”.

netstat

lsof

nmap 
 

23 

Using netstat to find open ports 

netstat --inet --all  (Linux, show network ports)

netstat -f inet             (Solaris, Digital Unix) 

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address    State     

tcp        0      0 *:www                   *:*                LISTEN     

tcp        0      0 *:1024                  *:*                LISTEN     

tcp        0      0 *:sunrpc                *:*                LISTEN     

udp        0     96 laptop.oit:1034 nic.umass.edu:domain               

udp        0      0 laptop.oit:1034 nic.umass.edu:domain               

udp        0      0 *:1027                  *:*                                

udp        0      0 *:986                   *:*                                

udp        0      0 *:1026                  *:*                                

udp        0      0 *:sunrpc                *:*                                

udp        0      0 *:1025                  *:*                                

udp        0      0 *:sunrpc                *:*                                

udp        0      0 *:1025                  *:*                                

udp        0      0 *:1024                  *:*                                  
 

24 

Using lsof to find open ports 

The utility lsof (“list open files”) can list network ports along with the listening process.

lsof -i tcp          (list all tcp ports) 

COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME

portmap    359 root    4u  IPv4    423       TCP *:sunrpc (LISTEN)

rpc.statd  386 root    7u  IPv4    463       TCP *:1024 (LISTEN)

httpd     1021 root   16u  IPv4  16531       TCP *:www (LISTEN)

httpd     1022 root   16u  IPv4  16531       TCP *:www (LISTEN)

httpd     1023 root   16u  IPv4  16531       TCP *:www (LISTEN)

httpd     1024 root   16u  IPv4  16531       TCP *:www (LISTEN)

httpd     1025 root   16u  IPv4  16531       TCP *:www (LISTEN)

httpd     1026 root   16u  IPv4  16531       TCP *:www (LISTEN) 

25 

Using nmap to find open ports 

nmap is an extremely versatile port scanning tool.

http://www.insecure.org/nmap

Using the command “nmap -sT laptop.oit.umass.edu” 

Starting nmap V. 2.53 by fyodor@insecure.org

Interesting ports on laptop.oit.umass.edu (128.119.xxx.xxx):

(The 1519 ports scanned but not shown below are in state: closed)

Port       State       Service

80/tcp     open        http                   

111/tcp    open        sunrpc                 

1024/tcp   open        kdm                    

6000/tcp   open        X11