Q.

Can you explain /etc/passwd file format for Linux and UNIX
operating systems?
A. /etc/passwd file stores essential information, which is required
during login i.e. user account information. /etc/passwd is a text
file, that contains a list of the system’s accounts, giving for each
account some useful information like user ID, group ID, [...]

Q. Can you explain /etc/passwd file format for Linux and UNIX
operating systems?

A. /etc/passwd file stores essential information, which is required

during login i.e. user account information. /etc/passwd is a text
file, that contains a list of the system’s accounts, giving for each
account some useful information like user ID, group ID, home
directory, shell, etc. It should have general read permission as many
utilities, like ls use it to map user IDs to user names, but write
access only for the superuser (root).

Understanding fields in /etc/passwd

The /etc/passwd contains one entry per line for each user (or user
account) of the system. All fields are separated by a colon (:)
symbol. Total seven fields as follows.

Root: x: 0 : 0 : root: /root: /bin/bash

Quote:
1. Username: (Root) -:It is used when user logs in. It should be
between 1 and 32 characters in length.
2. Password:(x) -: An x character indicates that encrypted
password is stored in /etc/shadow file.
3. User ID (UID): (0) -: Each user must be assigned a user ID
(UID). UID 0 (zero) is reserved for root and UIDs 1-99 are
reserved for other predefined accounts. Further UID 100-999 are
reserved by system for administrative and system
accounts/groups.
4. Group ID (GID): (0) :- The primary group ID (stored in
/etc/group file)
5. User ID Info: (root) -: The comment field. It allow you to
add extra information about the users such as user’s full name,
phone number etc. This field use by finger command.
6. Home directory: (/root) -: The absolute path to the directory
the user will be in when they log in. If this directory does
not exists then users directory becomes /
7. Command/shell: (/bin/bash) -: The absolute path of a command
or shell (/bin/bash). Typically, this is a shell. Please note
that it does not have to be a shell.

The permission on the /etc/passwd file should be read only to users

(-rw-r–r–) and the owner must be root:

Q:- Can you explain /etc/shadow file used under Linux or UNIX?

A. /etc/shadow file stores actual password in encrypted format for

user’s account with additional properties related to user password
i.e. it stores secure user account information. All fields are
separated by a colon symbol. It contains one entry per line for each
user listed in /etc/passwd file.
For Example:-
root:$1$heLNU7cb$yLf9xPG/8o5LCmqpE.fVG0:14638:0:99999:7:::

Quote:
1. User name : (root) -: It is your login name
2. Password: ( $1$heLNU7cb$yLf9xPG/8o5LCmqpE.fVG0) -: It your
encrypted password. The password should be minimum 6-8 characters
long including special characters/digits
3. Last password change (lastchanged): (14638 ) -: Days since Jan
1, 1970 that password was last changed
4. Minimum: (0) -: The minimum number of days required between
password changes i.e. the number of days left before the user is
allowed to change his/her password
5. Maximum: (99999) -: The maximum number of days the password is
valid (after that user is forced to change his/her password)
6. Warn : (7) :- The number of days before password is to expire
that user is warned that his/her password must be changed
Note -------- In above example in only 6 field in show. Two next
field in describe 7 & 8 option.
7. Inactive : The number of days after password expires that account
is disabled
8. Expire : days since Jan 1, 1970 that account is disabled i.e. an
absolute date specifying when the login may no longer be used
The last 6 fields provides password aging and account lockout
features (you need to use chage command to setup password aging).
According to man page of shadow – the password field must be filled.
The encrypted password consists of 13 to 24 characters from the 64
character alphabet a through z, A through Z, 0 through 9, \. and /.
Optionally it can start with a “$” character. This means the
encrypted password was generated using another (not DES) algorithm.
For example if it starts with “$1$” it means the MD5-based algorithm
was used.
/etc/group -:
/etc/group is a file that defines the groups to which users belong.
In Linux multiple users can be categorized into groups. Linux file
system permissions are organized into three classes, user, group, and
others. The use of groups allows additional abilities to be delegated
in an organized fashion, such as access to disks, printers, and other
peripherals.
It stores group information or defines the user groups i.e. it
defines the groups to which users belong. There is one entry per
line, and each line has the format (all fields are separated by a
colon (:)
ccache:x:497:
group_name: (ccache ) -: It is the name of group. If you run ls -l
command, you will see this name printed in the group field.
Password: (x) -: Generally password is not used, hence it is
empty/blank. It can store encrypted password. This is useful to
implement privileged groups.
Group ID (GID): (497) -: Each user must be assigned a group ID. You
can see this number in your /etc/passwd file.
Group List: It is a list of user names of users who are members of
the group. The user names, must be separated by commas.
Q-: What is umask and how is it determined on a Linux
system?
A-: The user file-creation mode mask (umask) is use to determine the
file permission for newly created files. It can be used to control
the default file permission for new files. It is a four-digit octal
number . Procedure to setup default umask:-
You can setup umask in /etc/bashrc or /etc/profile file for all
users. By default most Linux distro set it to 0022 (022) or 0002
(002).
vi /etc/profile or vi ~/.bashrc
Append/modify following line to setup a new umask:
umask 022
Save and close the file. Changes will take effect after next login.

Q-: But what is 0022 and 0002?

A-: The default umask 0002 used for normal user. With this mask
default directory permissions are 775 and default file permissions
are 664.
The default umask for the root user is 0022 result into default
directory permissions are 755 and default file permissions are 644.
For directories, the base permissions are (rwxrwxrwx) 0777 and for
files they are 0666 (rw-rw-rw).
To calculate file permission for 022 (root user):
Default Permissions: 777
Subtract umask value: 022 (-)
Allowed Permissions: 755
To calculate directory permission for 022 umaks (root user):
Default Permissions: 666
Subtract umask value: 022 (-)
Allowed Permissions: 644
Meaning in chmod command in linux :-
chmod 400 file To protect a file against accidental overwriting.
chmod 500 directory To protect yourself from accidentally
removing, renaming or moving files from this directory.
chmod 600 file A private file only changeable by the user who
entered this command.
chmod 644 file A publicly readable file that can only be changed by
the issuing user.
chmod 660 file Users belonging to your group can change this file,
others don't have any access to it at all.
chmod 700 file Protects a file against any access from other users,
while the issuing user still has full access.
chmod 755 directory For files that should be readable and executable
by others, but only changeable by the issuing user.
chmod 775 file Standard file sharing mode for a group.
chmod 777 file Everybody can do everything to this file.

How do you enable iptables to open ip ports used by Red Hat

Enterprise Linux 5 Cluster Suite?

Listed below are example iptables rules for enabling IP ports needed
by the Red Hat Cluster Suite.
Note: Replace 192.168.5.0/24 with the appropriate subnet.
1. cman (Cluster Manager) UDP Ports 5404, 5405:
iptables -I INPUT -m state --state NEW -m multiport -p udp -s
192.168.5.0/24 -d 192.168.5.0/24 --dports 5404,5405 -j
ACCEPTiptables -I INPUT -m addrtype --dst-type MULTICAST -m
state --state NEW -m multiport -p udp -s 192.168.5.0/24 --dports
5404,5405 -j ACCEPT
2. ccsd (Cluster Configuration System daemon) TCP Ports 50006,
50008, 50009:
iptables -I INPUT -m state --state NEW -m multiport -p tcp -s 192.168.5.0/24
-d 192.168.5.0/24 --dports 50006,50008,50009 -j ACCEPT
3. ccsd (Cluster Configuration System daemon) UDP Port 50007:
iptables -I INPUT -m state --state NEW -p udp -s 192.168.5.0/24 -d
192.168.5.0/24 --dport 50007 -j ACCEPT
 4. dlm (Distributed Lock Manager) TCP Port 21064:
iptables -I INPUT -m state --state NEW -p \
tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dport 21064 -j ACCEPT

5. rgmanager (High-availability Service Management daemon) TCP

Ports 41966, 41967, 41968, 41969:
iptables -I INPUT -m state --state NEW -m multiport -p \
tcp -s 192.168.5.0/24 -d 192.168.5.0/24 --dports 41966,41967,41968,41969 -j ACCEPT

6. ricci (part of Conga remote agent) TCP Port 11111:

iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d
192.168.5.0/24 --dport 11111 -j ACCEPT
7. luci (Conga User Interface server) TCP Port 8084:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d
192.168.5.0/24 --dport 8084 -j ACCEPT
8. modclusterd (part of Conga remote agent) TCP Port 16851:
9. iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24
-d 192.168.5.0/24 --dport 16851 -j ACCEPT
10. gnbd (Global Network Block Device) TCP Port 14567:
iptables -I INPUT -m state --state NEW -p tcp -s 192.168.5.0/24 -d
192.168.5.0/24 --dport 14567 -j ACCEPT
11. After applying the iptables rules, save the configuration for
the changes to be persistent during reboot.
12. service iptables save

What ports need to be open for DNS to operate?

DNS uses both the TCP and UDP protocols. Lookups performed by clients
primarily (but not exclusively) use UDP - when the response data
exceeds 512 bytes, the UDP query will fail and the resolver will
retry using TCP. Other DNS functions such as zone transfers use TCP
exclusively. DNS servers need to be reachable on port 53 ("domain")
for both TCP and UDP from their clients (often, the whole internet);
the standards do not prescribe a specific source port for DNS
requests, so the source port is arbitrary.
Additonally, on systems that are running BIND9 as part of a zone that
(as recommended) has multiple name servers, the servers need to be
able to connect to each other on TCP port 953 ("rndc") so they can
push changes out to their peers rather than wait for them to refresh
their cached information.