
Controlling Services and Run Level

Chapter 6. Controlling Access to Services


Maintaining security on your system is extremely important, and one approach for this task is to manage access to
system services carefully. Your system may need to provide open access to particular services (for example, httpd if
you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize
your exposure to possible bug exploits.
This chapter explains the concept of runlevels, and describes how to set the default one. It also covers the setup of the
services to be run in each of them using three different utilities: the Service Configuration graphical application, the
ntsysv text user interface, and the chkconfig command line tool. Finally, it describes how to start, stop, and restart the
services on a command line using the service command.
Important
When you allow access for new services, always remember that both the firewall and SELinux need to be configured
as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the
necessary firewall configuration and SELinux policies to allow access for it. Refer to the Red Hat Enterprise Linux
Security Guide (see Section 6.4, “Additional Resources”) for more information.
6.1. Configuring the Default Runlevel
A runlevel is a state, or mode, defined by services that are meant to be run when this runlevel is selected. Seven
numbered runlevels exist (indexed from 0):
Runlevel  Description
0         Used to halt the system. This runlevel is reserved and cannot be changed.
1         Used to run in a single-user mode. This runlevel is reserved and cannot be changed.
2         Not used by default. You are free to define it yourself.
3         Used to run in a full multi-user mode with a command line user interface.
4         Not used by default. You are free to define it yourself.
5         Used to run in a full multi-user mode with a graphical user interface.
6         Used to reboot the system. This runlevel is reserved and cannot be changed.

Table 6.1. Runlevels in Red Hat Enterprise Linux

To check in which runlevel you are operating, type the following:

~]$ runlevel
N 5
The runlevel command displays the previous and the current runlevel. In this case the current runlevel is 5, which means
the system is running in a full multi-user mode with a graphical user interface.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the end of the file
similar to the following:
id:5:initdefault:
In order to edit this file, you must have superuser privileges. To obtain them, log in as root by typing the following
command:
~]$ su -
Password:
Now open the file in a text editor such as vi or nano:
~]# nano /etc/inittab
Then change the number in this line to the desired value and exit the editor. Note that the change does not take effect
until you reboot the system.
6.2.2. Using the ntsysv Utility
The ntsysv utility is a command line application with a simple text user interface to configure which
services are to be started in selected runlevels. Note that in order to use the utility, you must obtain
superuser privileges first:

~]$ su -
Password:
To start the utility, type the following command:

~]# ntsysv

Figure 6.3. The ntsysv utility

The utility displays the list of available services (i.e., the services from the /etc/rc.d/init.d/ directory)
along with their current status; a description of the selected service can be obtained by pressing F1. See
Table 6.3, “Possible Service States” for the symbols used and their meaning.

Symbol  Description
[*]     The service is enabled.
[ ]     The service is disabled.

Table 6.3. Possible Service States

6.2.2.1. Enabling the Service


To enable a service, navigate through the list using the Up and Down arrow keys, and select it with
the Spacebar. An asterisk (*) should appear in the brackets. Once you are done, use Tab to navigate
to the Ok button, and confirm the changes by pressing Enter.
Keep in mind that ntsysv does not actually run the service. If you need to start the service
immediately, use the service command as described in Section 6.3.1.1, “Running the Service”.

6.2.2.2. Disabling the Service


To disable a service, navigate through the list using the Up and Down arrow keys, and toggle its
status with the Spacebar. The asterisk (*) in the brackets should disappear. Once you are done, use
Tab to navigate to the Ok button, and confirm the changes by pressing Enter.

Keep in mind that ntsysv does not actually stop the service. If you need to stop the service
immediately, use the service command as described in Section 6.3.1.2, “Stopping the Service”.

6.2.2.3. Selecting the Runlevels


By default, the ntsysv utility affects the current runlevel only. To enable or disable services for other
runlevels, run the command with the additional --level option followed by the string of numbers from 0
to 6 representing each runlevel you want to configure. For example, to configure runlevels 3 and 5,
type:

~]# ntsysv --level 35

6.2.3. Using the chkconfig Utility


The chkconfig utility is a command line application to configure which services are to be started in
selected runlevels. It also allows you to list all available services along with their current setting. Note
that with the exception of listing, you must have superuser privileges to use this command. To obtain
them, log in as root by typing:

~]$ su -
Password:

6.2.3.1. Listing the Services


To display a list of system services (i.e., both the services from the /etc/rc.d/init.d/ directory, and
the services controlled by xinetd), either type chkconfig --list, or use chkconfig with no additional
arguments. You should be presented with an output similar to this:

~]# chkconfig --list


NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anamon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
... several lines omitted ...
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off

xinetd based services:


chargen-dgram: off
chargen-stream: off
cvs: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
... several lines omitted ...
time-stream: off
Example 6.1. Listing the services
As you can see, each line consists of the name of the service followed by its status (on or off) for each
of the seven numbered runlevels. For example, in the listing above, NetworkManager is enabled for
runlevels 2, 3, 4, and 5, while abrtd runs in runlevels 3 and 5 only. The xinetd based services are listed at the
end, each being either on or off.

To display the current settings for a selected service only, use chkconfig --list followed by the name of
the service:

~]# chkconfig --list sshd


sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Example 6.2. Listing a single service

You can also use chkconfig --list <service> to display the status of a service that is managed by
xinetd. In that case, the output simply states whether the service is enabled or disabled:

~]# chkconfig --list rsync


rsync off
Example 6.3. Listing a service that is managed by xinetd

6.2.3.2. Enabling the Service


To enable the service for runlevels 2, 3, 4, and 5 at the same time, type chkconfig <service> on. For
instance:

~]# chkconfig httpd on


To enable the service for certain runlevels only, add the --level option followed by the string of
numbers from 0 to 6 representing each runlevel in which you want the service to run. For example, to
enable abrtd for runlevels 3 and 5, type:

~]# chkconfig abrtd on --level 35


The service will be started the next time you enter one of these runlevels. If you need to start the
service immediately, use the service command as described in Section 6.3.1.1, “Running the Service”.

To enable the service that is managed by xinetd, use chkconfig <service> on only, as the --level
option is not allowed:

~]# chkconfig rsync on


If the xinetd daemon is running, the service is immediately enabled without having to restart the
daemon manually.

6.2.3.3. Disabling the Service


To disable the service for runlevels 2, 3, 4, and 5 at the same time, type chkconfig <service> off. For
instance:

~]# chkconfig httpd off


To disable the service for certain runlevels only, add the --level option followed by the string of
numbers from 0 to 6 representing each runlevel in which you want the service to be disabled. For example, to
disable abrtd for runlevels 2 and 4, type:

~]# chkconfig abrtd off --level 24

The service will no longer be started the next time you enter one of these runlevels. If you need to stop the
service immediately, use the service command as described in Section 6.3.1.2, “Stopping the Service”.

To disable the service that is managed by xinetd, use chkconfig <service> off only, as the --level
option is not allowed:

~]# chkconfig rsync off


If the xinetd daemon is running, the service is immediately disabled without having to restart the
daemon manually.

6.3. Running the Services


6.3.1. Using the service Utility
The service utility enables you to start, stop, or restart the services from the /etc/init.d/ directory.
To use it, make sure you have superuser privileges:

~]$ su -
Password:

Tip
If you are running a graphical user interface, you can also use the Service Configuration utility. See
Section 6.2.1, “Using the Service Configuration Utility” for more information.

6.3.1.1. Running the Service


To run the service, type service <service_name> start. For example:

~]# service httpd start


Starting httpd: [ OK ]

6.3.1.2. Stopping the Service


To stop the service, type service <service_name> stop. For example:

~]# service httpd stop


Stopping httpd: [ OK ]

6.3.1.3. Restarting the Service


To restart the service, type service <service_name> restart. For example:

~]# service httpd restart


Stopping httpd: [ OK ]
Starting httpd: [ OK ]

6.3.1.4. Checking the Service Status


To check the current status of the service, type service <service_name> status. For example:

~]# service httpd status


httpd (pid 7474) is running...
Example 6.4. Checking the status of httpd

You can also display the status of all available services at once using the --status-all option:

~]# service --status-all


abrt (pid 1492) is running...
acpid (pid 1305) is running...
atd (pid 1540) is running...
auditd (pid 1103) is running...
automount (pid 1315) is running...
Avahi daemon is running
cpuspeed is stopped
... several lines omitted ...
wpa_supplicant (pid 1227) is running...
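As an added example (not from the Red Hat guide), the following POSIX shell script cross-checks the chkconfig --list layout shown in Example 6.1 against the service --status-all output above, for one runlevel and an allowlist of services you intend to expose. Both sample outputs are constructed, and the names sysv_enabled, xinetd_enabled, running_services and audit are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: cross-check `chkconfig --list`
# (Example 6.1 layout) against `service --status-all` for one runlevel.
# Both sample outputs below are constructed, not captured from a real host.
CHKCONFIG_SAMPLE='NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd           0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
cups           0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
        rsync:          on
        chargen-stream: off'
STATUS_SAMPLE='NetworkManager (pid 1100) is running...
sshd (pid 1200) is running...
httpd (pid 7474) is running...
cups is stopped'
# sysv_enabled LISTING RUNLEVEL: SysV services switched "on" in RUNLEVEL.
sysv_enabled() {
  printf '%s\n' "$1" | awk -v rl="$2" '
    /^xinetd based services:/ { exit }
    NF == 8 { for (i = 2; i <= NF; i++) { split($i, kv, ":")
              if (kv[1] == rl && kv[2] == "on") print $1 } }'
}
# xinetd_enabled LISTING: xinetd-managed services that are "on" (no runlevel columns).
xinetd_enabled() {
  printf '%s\n' "$1" | awk '/^xinetd based services:/ { inx = 1; next }
    inx && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}
# running_services STATUS_OUTPUT: names that `service --status-all` reports as running.
running_services() { printf '%s\n' "$1" | awk '/is running/ { print $1 }'; }
# audit RUNLEVEL ALLOWLIST prints one finding per line:
#   UNEXPECTED  enabled at boot but not on the allowlist (candidate for chkconfig ... off)
#   NOT_RUNNING enabled at boot but stopped now (chkconfig and ntsysv never start anything)
#   NOT_ENABLED running now but not enabled for this runlevel (started by hand)
audit() {
  sysv=$(sysv_enabled "$CHKCONFIG_SAMPLE" "$1" | tr '\n' ' ')
  xin=$(xinetd_enabled "$CHKCONFIG_SAMPLE" | tr '\n' ' ')
  run=$(running_services "$STATUS_SAMPLE" | tr '\n' ' ')
  for s in $sysv $xin; do
    case " $2 " in *" $s "*) ;; *) echo "UNEXPECTED $s" ;; esac
  done
  for s in $sysv; do
    case " $run " in *" $s "*) ;; *) echo "NOT_RUNNING $s" ;; esac
  done
  for s in $run; do
    case " $sysv " in *" $s "*) ;; *) echo "NOT_ENABLED $s" ;; esac
  done
}
audit 5 "NetworkManager sshd"
```

On a real host, replace the two sample variables with the output of chkconfig --list and service --status-all; note that some init scripts report under a different name than their chkconfig entry (abrtd appears as abrt in the status listing above), so such pairs need to be mapped before comparing.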
