svn commit: r44404 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Mon Mar 31 21:09:36 UTC 2014
Author: dru
Date: Mon Mar 31 21:09:35 2014
New Revision: 44404
URL: http://svnweb.freebsd.org/changeset/doc/44404
Log:
White space fix only. Translators can ignore.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon Mar 31 20:39:26 2014 (r44403)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon Mar 31 21:09:35 2014 (r44404)
@@ -2514,12 +2514,12 @@ racoon_enable="yes"</programlisting>
compatible with both <acronym>SSH</acronym> version 1 and 2
protocols.</para>
- <para>When data is sent over the network in an unencrypted form,
- network sniffers anywhere in between the client and server
- can steal user/password information or data transferred
- during the session. <application>OpenSSH</application> offers
- a variety of authentication and encryption methods to prevent
- this from happening.</para>
+ <para>When data is sent over the network in an unencrypted form,
+ network sniffers anywhere in between the client and server can
+ steal user/password information or data transferred during the
+ session. <application>OpenSSH</application> offers a variety of
+ authentication and encryption methods to prevent this from
+ happening.</para>
<sect2>
<title>Using the SSH Client Utilities</title>
@@ -2587,14 +2587,14 @@ COPYRIGHT 100% |*************
arguments takes the form
<option>user at host:<path_to_remote_file></option>.</para>
- <sect3 xml:id="security-ssh-keygen">
- <title>Key-based Authentication</title>
+ <sect3 xml:id="security-ssh-keygen">
+ <title>Key-based Authentication</title>
- <para>Instead of using passwords, &man.ssh-keygen.1; can be used
- to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
- keys to authenticate a user:</para>
+ <para>Instead of using passwords, &man.ssh-keygen.1; can be
+ used to generate <acronym>DSA</acronym> or
+ <acronym>RSA</acronym> keys to authenticate a user:</para>
- <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
+ <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Created directory '/home/user/.ssh'.
@@ -2605,179 +2605,182 @@ Your public key has been saved in /home/
The key fingerprint is:
bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user at host.example.com</screen>
- <para>&man.ssh-keygen.1; will create a public and private key
- pair for use in authentication. The private key is stored
- in <filename>~/.ssh/id_dsa</filename> or
- <filename>~/.ssh/id_rsa</filename>, whereas the public key
- is stored in <filename>~/.ssh/id_dsa.pub</filename> or
- <filename>~/.ssh/id_rsa.pub</filename>, respectively for the
- <acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
- The public key must be placed in
- <filename>~/.ssh/authorized_keys</filename> on the
- remote machine for both <acronym>RSA</acronym> or
- <acronym>DSA</acronym> keys in order for the setup to
- work.</para>
-
- <para>This setup allows connections to the remote machine based
- upon <acronym>SSH</acronym> keys instead of passwords.</para>
-
- <warning>
- <para>Many users believe that keys are secure by design and
- will use a key without a passphrase. This is
- <emphasis>dangerous</emphasis> behavior and the method
- an administrator may use to verify keys have a passphrase
- is to view the key manually. If the private key file
- contains the word <literal>ENCRYPTED</literal> the key
- owner is using a passphrase. While it may still be a weak
- passphrase, at least if the system is compromised, access
- to other sites will still require some level of password
- guessing. In addition, to better secure end users, the
- <literal>from</literal> may be placed in the public key
- file. For example, adding
- <literal>from="192.168.10.5</literal> in the front of
- <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
- prefix will only allow that specific user to login from
- that host <acronym>IP</acronym>.</para>
- </warning>
-
- <warning>
- <para>The various options and files can be different according
- to the <application>OpenSSH</application> version. To avoid
- problems, consult &man.ssh-keygen.1;.</para>
- </warning>
-
- <para>If a passphrase is used in &man.ssh-keygen.1;, the user
- will be prompted for the passphrase each time in order to use
- the private key. To load <acronym>SSH</acronym> keys into memory for use,
- without needing to type the passphrase each time, use
- &man.ssh-agent.1; and &man.ssh-add.1;.</para>
-
- <para>Authentication is handled by &man.ssh-agent.1;, using the
- private key(s) that are loaded into it. Then,
- &man.ssh-agent.1; should be used to launch another
- application. At the most basic level, it could spawn a shell
- or a window manager.</para>
-
- <para>To use &man.ssh-agent.1; in a shell, start it with a shell
- as an argument. Next, add the identity by running
- &man.ssh-add.1; and providing it the passphrase for the
- private key. Once these steps have been completed, the user
- will be able to &man.ssh.1; to any host that has the
- corresponding public key installed. For example:</para>
+ <para>&man.ssh-keygen.1; will create a public and private key
+ pair for use in authentication. The private key is stored
+ in <filename>~/.ssh/id_dsa</filename> or
+ <filename>~/.ssh/id_rsa</filename>, whereas the public key
+ is stored in <filename>~/.ssh/id_dsa.pub</filename> or
+ <filename>~/.ssh/id_rsa.pub</filename>, respectively for the
+ <acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
+ The public key must be placed in
+ <filename>~/.ssh/authorized_keys</filename> on the remote
+ machine for both <acronym>RSA</acronym> or
+ <acronym>DSA</acronym> keys in order for the setup to
+ work.</para>
+
+ <para>This setup allows connections to the remote machine
+ based upon <acronym>SSH</acronym> keys instead of
+ passwords.</para>
+
+ <warning>
+ <para>Many users believe that keys are secure by design and
+ will use a key without a passphrase. This is
+ <emphasis>dangerous</emphasis> behavior and the method an
+ administrator may use to verify keys have a passphrase is
+ to view the key manually. If the private key file
+ contains the word <literal>ENCRYPTED</literal> the key
+ owner is using a passphrase. While it may still be a weak
+ passphrase, at least if the system is compromised, access
+ to other sites will still require some level of password
+ guessing. In addition, to better secure end users, the
+ <literal>from</literal> may be placed in the public key
+ file. For example, adding
+ <literal>from="192.168.10.5</literal> in the front of
+ <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
+ prefix will only allow that specific user to login from
+ that host <acronym>IP</acronym>.</para>
+ </warning>
+
+ <warning>
+ <para>The various options and files can be different
+ according to the <application>OpenSSH</application>
+ version. To avoid problems, consult
+ &man.ssh-keygen.1;.</para>
+ </warning>
+
+ <para>If a passphrase is used in &man.ssh-keygen.1;, the user
+ will be prompted for the passphrase each time in order to
+ use the private key. To load <acronym>SSH</acronym> keys
+ into memory for use, without needing to type the passphrase
+ each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
+
+ <para>Authentication is handled by &man.ssh-agent.1;, using
+ the private key(s) that are loaded into it. Then,
+ &man.ssh-agent.1; should be used to launch another
+ application. At the most basic level, it could spawn a
+ shell or a window manager.</para>
+
+ <para>To use &man.ssh-agent.1; in a shell, start it with a
+ shell as an argument. Next, add the identity by running
+ &man.ssh-add.1; and providing it the passphrase for the
+ private key. Once these steps have been completed, the user
+ will be able to &man.ssh.1; to any host that has the
+ corresponding public key installed. For example:</para>
- <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
+ <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
&prompt.user; ssh-add
Enter passphrase for /home/user/.ssh/id_dsa:
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
&prompt.user;</screen>
- <para>To use &man.ssh-agent.1; in
- <application>&xorg;</application>, a call to &man.ssh-agent.1;
- needs to be placed in <filename>~/.xinitrc</filename>. This
- provides the &man.ssh-agent.1; services to all programs
- launched in <application>&xorg;</application>. An example
- <filename>~/.xinitrc</filename> might look like
- this:</para>
-
- <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
-
- <para>This launches &man.ssh-agent.1;, which in turn launches
- <application>XFCE</application>, every time
- <application>&xorg;</application> starts. Once
- <application>&xorg;</application> has been restarted so that
- the changes can take effect, run &man.ssh-add.1; to load all
- of the <acronym>SSH</acronym> keys.</para>
- </sect3>
+ <para>To use &man.ssh-agent.1; in
+ <application>&xorg;</application>, a call to
+ &man.ssh-agent.1; needs to be placed in
+ <filename>~/.xinitrc</filename>. This provides the
+ &man.ssh-agent.1; services to all programs launched in
+ <application>&xorg;</application>. An example
+ <filename>~/.xinitrc</filename> might look like this:</para>
+
+ <programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
+
+ <para>This launches &man.ssh-agent.1;, which in turn launches
+ <application>XFCE</application>, every time
+ <application>&xorg;</application> starts. Once
+ <application>&xorg;</application> has been restarted so that
+ the changes can take effect, run &man.ssh-add.1; to load all
+ of the <acronym>SSH</acronym> keys.</para>
+ </sect3>
- <sect3 xml:id="security-ssh-tunneling">
- <title><acronym>SSH</acronym> Tunneling</title>
+ <sect3 xml:id="security-ssh-tunneling">
+ <title><acronym>SSH</acronym> Tunneling</title>
- <indexterm>
- <primary>OpenSSH</primary>
- <secondary>tunneling</secondary>
- </indexterm>
+ <indexterm>
+ <primary>OpenSSH</primary>
+ <secondary>tunneling</secondary>
+ </indexterm>
+
+ <para><application>OpenSSH</application> has the ability to
+ create a tunnel to encapsulate another protocol in an
+ encrypted session.</para>
- <para><application>OpenSSH</application> has the ability to
- create a tunnel to encapsulate another protocol in an
- encrypted session.</para>
+ <para>The following command tells &man.ssh.1; to create a
+ tunnel for &man.telnet.1;:</para>
- <para>The following command tells &man.ssh.1; to create a
- tunnel for &man.telnet.1;:</para>
-
- <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user at foo.example.com</replaceable></userinput>
+ <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user at foo.example.com</replaceable></userinput>
&prompt.user;</screen>
- <para>This example uses the following options:</para>
+ <para>This example uses the following options:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-2</option></term>
+
+ <listitem>
+ <para>Forces &man.ssh.1; to use version 2 to connect to
+ the server.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-N</option></term>
+
+ <listitem>
+ <para>Indicates no command, or tunnel only. If omitted,
+ &man.ssh.1; initiates a normal session.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-f</option></term>
+
+ <listitem>
+ <para>Forces &man.ssh.1; to run in the
+ background.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+
+ <listitem>
+ <para>Indicates a local tunnel in
+ <replaceable>localport:remotehost:remoteport</replaceable>
+ format.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>user at foo.example.com</option></term>
+
+ <listitem>
+ <para>The login name to use on the specified remote
+ <acronym>SSH</acronym> server.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>An <acronym>SSH</acronym> tunnel works by creating a
+ listen socket on <systemitem>localhost</systemitem> on the
+ specified port. It then forwards any connections received
+ on the local host/port via the <acronym>SSH</acronym>
+ connection to the specified remote host and port.</para>
+
+ <para>In the example, port <replaceable>5023</replaceable> on
+ <systemitem>localhost</systemitem> is forwarded to port
+ <replaceable>23</replaceable> on
+ <systemitem>localhost</systemitem> of the remote machine.
+ Since <replaceable>23</replaceable> is used by
+ &man.telnet.1;, this creates an encrypted &man.telnet.1;
+ session through an <acronym>SSH</acronym> tunnel.</para>
+
+ <para>This can be used to wrap any number of insecure TCP
+ protocols such as SMTP, POP3, and FTP.</para>
- <variablelist>
- <varlistentry>
- <term><option>-2</option></term>
-
- <listitem>
- <para>Forces &man.ssh.1; to use version 2 to connect to
- the server.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-N</option></term>
-
- <listitem>
- <para>Indicates no command, or tunnel only. If omitted,
- &man.ssh.1; initiates a normal session.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-f</option></term>
-
- <listitem>
- <para>Forces &man.ssh.1; to run in the background.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-L</option></term>
-
- <listitem>
- <para>Indicates a local tunnel in
- <replaceable>localport:remotehost:remoteport</replaceable>
- format.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>user at foo.example.com</option></term>
-
- <listitem>
- <para>The login name to use on the specified remote
- <acronym>SSH</acronym> server.</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <para>An <acronym>SSH</acronym> tunnel works by creating a
- listen socket on <systemitem>localhost</systemitem> on the
- specified port. It then forwards any connections received on
- the local host/port via the <acronym>SSH</acronym> connection
- to the specified remote host and port.</para>
-
- <para>In the example, port <replaceable>5023</replaceable> on
- <systemitem>localhost</systemitem> is forwarded to port
- <replaceable>23</replaceable> on
- <systemitem>localhost</systemitem> of the remote machine.
- Since <replaceable>23</replaceable> is used by &man.telnet.1;,
- this creates an encrypted &man.telnet.1; session through an
- <acronym>SSH</acronym> tunnel.</para>
-
- <para>This can be used to wrap any number of insecure TCP
- protocols such as SMTP, POP3, and FTP.</para>
-
- <example>
- <title>Using &man.ssh.1; to Create a Secure Tunnel for
- SMTP</title>
+ <example>
+ <title>Using &man.ssh.1; to Create a Secure Tunnel for
+ SMTP</title>
- <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user at mailserver.example.com</replaceable></userinput>
+ <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user at mailserver.example.com</replaceable></userinput>
user at mailserver.example.com's password: <userinput>*****</userinput>
&prompt.user; <userinput>telnet localhost 5025</userinput>
Trying 127.0.0.1...
@@ -2785,14 +2788,15 @@ Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTP</screen>
- <para>This can be used in conjunction with &man.ssh-keygen.1;
- and additional user accounts to create a more seamless
- <acronym>SSH</acronym> tunneling environment. Keys can be
- used in place of typing a password, and the tunnels can be
- run as a separate user.</para>
- </example>
+ <para>This can be used in conjunction with
+ &man.ssh-keygen.1; and additional user accounts to create
+ a more seamless <acronym>SSH</acronym> tunneling
+ environment. Keys can be used in place of typing a
+ password, and the tunnels can be run as a separate
+ user.</para>
+ </example>
- <example>
+ <example>
<title>Secure Access of a POP3 Server</title>
<para>In this example, there is an <acronym>SSH</acronym>
@@ -2939,11 +2943,10 @@ user at unfirewalled-system.example.org's p
<primary>ACL</primary>
</indexterm>
- <para>Access Control Lists (<acronym>ACL</acronym>s)
- extend the standard &unix; permission model in a &posix;.1e
- compatible way. This permits an administrator to
- take advantage of a more fine-grained permissions
- model.</para>
+ <para>Access Control Lists (<acronym>ACL</acronym>s) extend the
+ standard &unix; permission model in a &posix;.1e compatible way.
+ This permits an administrator to take advantage of a more
+ fine-grained permissions model.</para>
<para>The &os; <filename>GENERIC</filename> kernel provides
<acronym>ACL</acronym> support for <acronym>UFS</acronym> file
@@ -2956,78 +2959,76 @@ user at unfirewalled-system.example.org's p
<para>If this option is not compiled in, a warning message will be
displayed when attempting to mount a file system with
<acronym>ACL</acronym> support. <acronym>ACL</acronym>s rely on
- extended attributes which
- are natively supported in
+ extended attributes which are natively supported in
<acronym>UFS2</acronym>.</para>
<para>This chapter describes how to enable
<acronym>ACL</acronym> support and provides some usage
examples.</para>
- <sect2>
- <title>Enabling <acronym>ACL</acronym> Support</title>
+ <sect2>
+ <title>Enabling <acronym>ACL</acronym> Support</title>
- <para><acronym>ACL</acronym>s are enabled by the mount-time
- administrative flag, <option>acls</option>, which may be added
- to <filename>/etc/fstab</filename>. The mount-time flag can
- also be automatically set in a persistent manner using
- &man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
- flag in the file system header. In general, it is preferred
- to use the superblock flag for several reasons:</para>
-
- <itemizedlist>
- <listitem>
- <para>The superblock flag cannot be
- changed by a remount using <option>mount -u</option> as it
- requires a complete <command>umount</command> and fresh <command>mount</command>.
- This means that <acronym>ACL</acronym>s cannot be enabled on
- the root file system after boot. It also means that
- <acronym>ACL</acronym> support on
- a file system cannot be changed while the system is in
- use.</para>
- </listitem>
-
- <listitem>
- <para>Setting the superblock flag causes the file system
- to always be mounted with <acronym>ACL</acronym>s enabled,
- even if there is not an <filename>fstab</filename> entry
- or if the devices re-order. This prevents accidental
- mounting of the file system without <acronym>ACL</acronym>
- support.</para>
- </listitem>
- </itemizedlist>
+ <para><acronym>ACL</acronym>s are enabled by the mount-time
+ administrative flag, <option>acls</option>, which may be added
+ to <filename>/etc/fstab</filename>. The mount-time flag can
+ also be automatically set in a persistent manner using
+ &man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
+ flag in the file system header. In general, it is preferred
+ to use the superblock flag for several reasons:</para>
- <note>
- <para>It is desirable to discourage accidental mounting without
- <acronym>ACL</acronym>s enabled because nasty things can
- happen if <acronym>ACL</acronym>s are enabled, then disabled,
- then re-enabled without flushing the extended attributes. In
- general, once <acronym>ACL</acronym>s are enabled on a
- file system, they should not be disabled, as the resulting file
- protections may not be compatible with those intended by the
- users of the system, and re-enabling <acronym>ACL</acronym>s
- may re-attach the previous <acronym>ACL</acronym>s to files
- that have since had their permissions changed, resulting in
- unpredictable behavior.</para>
- </note>
+ <itemizedlist>
+ <listitem>
+ <para>The superblock flag cannot be changed by a remount
+ using <option>mount -u</option> as it requires a complete
+ <command>umount</command> and fresh
+ <command>mount</command>. This means that
+ <acronym>ACL</acronym>s cannot be enabled on the root file
+ system after boot. It also means that
+ <acronym>ACL</acronym> support on a file system cannot be
+ changed while the system is in use.</para>
+ </listitem>
- <para>File systems with <acronym>ACL</acronym>s enabled will
- show a plus (<literal>+</literal>) sign in their permission
- settings:</para>
+ <listitem>
+ <para>Setting the superblock flag causes the file system to
+ always be mounted with <acronym>ACL</acronym>s enabled,
+ even if there is not an <filename>fstab</filename> entry
+ or if the devices re-order. This prevents accidental
+ mounting of the file system without <acronym>ACL</acronym>
+ support.</para>
+ </listitem>
+ </itemizedlist>
- <programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private
+ <note>
+ <para>It is desirable to discourage accidental mounting
+ without <acronym>ACL</acronym>s enabled because nasty things
+ can happen if <acronym>ACL</acronym>s are enabled, then
+ disabled, then re-enabled without flushing the extended
+ attributes. In general, once <acronym>ACL</acronym>s are
+ enabled on a file system, they should not be disabled, as
+ the resulting file protections may not be compatible with
+ those intended by the users of the system, and re-enabling
+ <acronym>ACL</acronym>s may re-attach the previous
+ <acronym>ACL</acronym>s to files that have since had their
+ permissions changed, resulting in unpredictable
+ behavior.</para>
+ </note>
+
+ <para>File systems with <acronym>ACL</acronym>s enabled will
+ show a plus (<literal>+</literal>) sign in their permission
+ settings:</para>
+
+ <programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
- <para>In this example,
- <filename>directory1</filename>,
- <filename>directory2</filename>, and
- <filename>directory3</filename>
- are all taking advantage of <acronym>ACL</acronym>s, whereas
- <filename>public_html</filename>
- is not.</para>
+ <para>In this example, <filename>directory1</filename>,
+ <filename>directory2</filename>, and
+ <filename>directory3</filename> are all taking advantage of
+ <acronym>ACL</acronym>s, whereas
+ <filename>public_html</filename> is not.</para>
</sect2>
<sect2>
@@ -3047,11 +3048,11 @@ drwxr-xr-x 2 robert robert 512 Nov 10
other::r--</screen>
<para>To change the <acronym>ACL</acronym> settings on this
- file, use <command>setfacl</command>. To remove all of the currently defined
- <acronym>ACL</acronym>s from a file or file system, include
- <option>-k</option>. However, the preferred method is to use
- <option>-b</option> as it leaves the basic fields required
- for <acronym>ACL</acronym>s to work.</para>
+ file, use <command>setfacl</command>. To remove all of the
+ currently defined <acronym>ACL</acronym>s from a file or file
+ system, include <option>-k</option>. However, the preferred
+ method is to use <option>-b</option> as it leaves the basic
+ fields required for <acronym>ACL</acronym>s to work.</para>
<screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
@@ -3060,12 +3061,12 @@ drwxr-xr-x 2 robert robert 512 Nov 10
<screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
- <para>In this example, there were no
- pre-defined entries, as they were removed by the previous
- command. This command restores the default options and assigns the
- options listed. If a user or group is added which does not
- exist on the system, an <errorname>Invalid
- argument</errorname> error will be displayed.</para>
+ <para>In this example, there were no pre-defined entries, as
+ they were removed by the previous command. This command
+ restores the default options and assigns the options listed.
+ If a user or group is added which does not exist on the
+ system, an <errorname>Invalid argument</errorname> error will
+ be displayed.</para>
<para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
information about the options available for these
@@ -3494,13 +3495,13 @@ UWWemqWuz3lAZuORQ9KX
their allocation among users, provide for system monitoring,
and minimally track a user's commands.</para>
- <para>Process accounting has both positive and negative points. One
- of the positives is that an intrusion may be narrowed down to
- the point of entry. A negative is the amount of logs
+ <para>Process accounting has both positive and negative points.
+ One of the positives is that an intrusion may be narrowed down
+ to the point of entry. A negative is the amount of logs
generated by process accounting, and the disk space they may
- require. This section walks an administrator through the
- basics of process accounting.</para>
-
+ require. This section walks an administrator through the basics
+ of process accounting.</para>
+
<note>
<para>If more fine-grained accounting is needed, refer to
<xref linkend="audit"/>.</para>
@@ -3520,16 +3521,16 @@ UWWemqWuz3lAZuORQ9KX
<para>Once enabled, accounting will begin to track information
such as <acronym>CPU</acronym> statistics and executed
commands. All accounting logs are in a non-human readable
- format which can be viewed using <command>sa</command>. If issued
- without any options, <command>sa</command> prints information relating to
- the number of per-user calls, the total elapsed time in
- minutes, total <acronym>CPU</acronym> and user time in
- minutes, and the average number of <acronym>I/O</acronym> operations. Refer to
- &man.sa.8; for the list of available options which control the
- output.</para>
+ format which can be viewed using <command>sa</command>. If
+ issued without any options, <command>sa</command> prints
+ information relating to the number of per-user calls, the
+ total elapsed time in minutes, total <acronym>CPU</acronym>
+ and user time in minutes, and the average number of
+ <acronym>I/O</acronym> operations. Refer to &man.sa.8; for
+ the list of available options which control the output.</para>
- <para>To display the commands issued
- by users, use <command>lastcomm</command>. For example, this command
+ <para>To display the commands issued by users, use
+ <command>lastcomm</command>. For example, this command
prints out all usage of <command>ls</command> by <systemitem
class="username">trhodes</systemitem> on the
<literal>ttyp1</literal> terminal:</para>
@@ -3559,102 +3560,96 @@ UWWemqWuz3lAZuORQ9KX
controlled through a flat file,
<filename>/etc/login.conf</filename>. While this method
is still supported, any changes require a multi-step process of
- editing this file in order to divide users into various group labels known as classes,
- rebuilding the resource database using
- <command>cap_mkdb</command>, making necessary changes
- to <filename>/etc/master.passwd</filename>, and rebuilding
- the password database using
- <command>pwd_mkdb</command>. This could be
- time consuming, depending upon the number of users to
+ editing this file in order to divide users into various group
+ labels known as classes, rebuilding the resource database using
+ <command>cap_mkdb</command>, making necessary changes to
+ <filename>/etc/master.passwd</filename>, and rebuilding the
+ password database using <command>pwd_mkdb</command>. This
+ could be time consuming, depending upon the number of users to
configure.</para>
<para>Beginning with &os; 9.0-RELEASE,
- <command>rctl</command> can be used to provide a more fine-grained
- method of controlling resources limits for users. This
- command supports much more than users as it can be used to set
- resource constraints on processes, jails, and the original login
- class. These advanced features provide administrators and users
- with methods to control resources through the command line and
- to set rules on system initialization using a configuration
+ <command>rctl</command> can be used to provide a more
+ fine-grained method of controlling resources limits for users.
+ This command supports much more than users as it can be used to
+ set resource constraints on processes, jails, and the original
+ login class. These advanced features provide administrators and
+ users with methods to control resources through the command line
+ and to set rules on system initialization using a configuration
file.</para>
- <sect2>
- <title>Enabling and Configuring Resource Limits</title>
+ <sect2>
+ <title>Enabling and Configuring Resource Limits</title>
- <para>By default, kernel support for <command>rctl</command> is
- not built-in, meaning that the kernel will first need to be
- recompiled using the instructions in <xref
- linkend="kernelconfig"/>. Add these lines to either
- <filename>GENERIC</filename> or a custom kernel
- configuration file, then rebuild the kernel:</para>
+ <para>By default, kernel support for <command>rctl</command> is
+ not built-in, meaning that the kernel will first need to be
+ recompiled using the instructions in <xref
+ linkend="kernelconfig"/>. Add these lines to either
+ <filename>GENERIC</filename> or a custom kernel configuration
+ file, then rebuild the kernel:</para>
- <programlisting>options RACCT
+ <programlisting>options RACCT
options RCTL</programlisting>
- <para>Once the system has rebooted into the new kernel,
- <command>rctl</command> may be used to set rules for the
- system.</para>
-
- <para>Rule syntax is controlled through the use of
- a subject,
- subject-id, resource,
- and action, as seen in this example
- rule:</para>
-
- <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
-
- <para>In this rule, the subject
- is <literal>user</literal>, the subject-id is
- <literal>trhodes</literal>, the resource,
- <literal>maxproc</literal>, is the maximum
- number of processes, and the
- action is <literal>deny</literal>, which blocks any
- new processes from being created. This means that the
- user, <literal>trhodes</literal>, will be constrained to no greater than
- <literal>10</literal> processes. Other possible
- actions include logging to the console, passing a
- notification to &man.devd.8;, or sending a sigterm to the
- process.</para>
-
- <para>Some care must be taken when adding rules. Since this user
- is constrained to <literal>10</literal> processes, this example
- will prevent the user from performing other
- tasks after logging in and executing a
- <command>screen</command> session. Once a resource limit has
- been hit, an error will be printed, as in this example:</para>
+ <para>Once the system has rebooted into the new kernel,
+ <command>rctl</command> may be used to set rules for the
+ system.</para>
+
+ <para>Rule syntax is controlled through the use of a subject,
+ subject-id, resource, and action, as seen in this example
+ rule:</para>
+
+ <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
+
+ <para>In this rule, the subject is <literal>user</literal>, the
+ subject-id is <literal>trhodes</literal>, the resource,
+ <literal>maxproc</literal>, is the maximum number of
+ processes, and the action is <literal>deny</literal>, which
+ blocks any new processes from being created. This means that
+ the user, <literal>trhodes</literal>, will be constrained to
+ no greater than <literal>10</literal> processes. Other
+ possible actions include logging to the console, passing a
+ notification to &man.devd.8;, or sending a sigterm to the
+ process.</para>
+
+ <para>Some care must be taken when adding rules. Since this
+ user is constrained to <literal>10</literal> processes, this
+ example will prevent the user from performing other tasks
+ after logging in and executing a
+ <command>screen</command> session. Once a resource limit has
+ been hit, an error will be printed, as in this example:</para>
- <screen>&prompt.user; <userinput>man test</userinput>
+ <screen>&prompt.user; <userinput>man test</userinput>
/usr/bin/man: Cannot fork: Resource temporarily unavailable
eval: Cannot fork: Resource temporarily unavailable</screen>
- <para>As another example,
- a jail can be prevented from exceeding a memory limit. This rule could be
- written as:</para>
-
- <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
-
- <para>Rules will persist across reboots if they have been
- added to <filename>/etc/rctl.conf</filename>. The format is a
- rule, without the preceding command. For example, the previous
- rule could be added as:</para>
+ <para>As another example, a jail can be prevented from exceeding
+ a memory limit. This rule could be written as:</para>
+
+ <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
+
+ <para>Rules will persist across reboots if they have been added
+ to <filename>/etc/rctl.conf</filename>. The format is a rule,
+ without the preceding command. For example, the previous rule
+ could be added as:</para>
- <programlisting># Block jail from using more than 2G memory:
+ <programlisting># Block jail from using more than 2G memory:
jail:httpd:memoryuse:deny=2G/jail</programlisting>
- <para>To remove a rule, use <command>rctl</command> to
- remove it from the list:</para>
+ <para>To remove a rule, use <command>rctl</command> to remove it
+ from the list:</para>
- <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
+ <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
- <para>A method for removing all rules is documented in &man.rctl.8;.
- However, if removing all rules for a single user is required,
- this command may be issued:</para>
+ <para>A method for removing all rules is documented in
+ &man.rctl.8;. However, if removing all rules for a single
+ user is required, this command may be issued:</para>
- <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
+ <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
- <para>Many other resources exist which can be used to exert
- additional control over various <literal>subjects</literal>.
- See &man.rctl.8; to learn about them.</para>
+ <para>Many other resources exist which can be used to exert
+ additional control over various <literal>subjects</literal>.
+ See &man.rctl.8; to learn about them.</para>
</sect2>
</sect1>
</chapter>
More information about the svn-doc-head
mailing list