Wednesday, August 25, 2010

Bash commands

- pwd
- cd
- ls
- mkdir
- cp
- mount /dev/md1 /mnt/jasondrive (attach the filesystem on /dev/md1 at the directory /mnt/jasondrive)
- umount /mnt/jasondrive (detach it again; give the mount point, not the device)
- mv
- nano (editor)
- rm -r images/ (recursive)
- locate
- updatedb
- man ls (display information on the command ls)
- useradd --shell /sbin/nologin tomcat6 (or edit /etc/passwd with vipw, which locks the file while you edit it)
- useradd --shell /sbin/nologin --home-dir /usr/local/tomcat6 tomcat6
- usermod --append --groups groupname username
- groupadd groupname (or edit /etc/group with vigr)
- groupmod
- groupdel
- tar czvf archive.tar.gz [file1 file2...]
- tar cjvf archive.tar.bz2 [file1 file2...]
- su (substitute user)
- su - root
- sudo (execute a command as another user, root by default)
- /etc/sudoers (this file lists which users may use sudo and which commands they may run with it)
- visudo (edits /etc/sudoers with locking and a syntax check before saving; a syntax error in sudoers can lock everyone out of sudo, so never edit the file directly)
- df -h (disk free)
- free (displays the current system memory usage)
- yum install package
- chmod who+/-what filename
- chmod +x script.sh (make script.sh executable)
- chmod go-rwx photo.jpg (u: user/owner, g: group, o: others, a: all) no one but the owner can access the photo.
- chown user filename
- chgrp group filename
- chown jason photo.jpg (the new owner of photo.jpg is the user "jason")

Execute:
- ./my-app (runs the my-app in the current working directory; a name containing a slash is never looked up in the PATH)
- /home/jason/programs/my-app
- my-app (only works if /home/jason/programs is in the PATH; the current directory is not searched unless "." is in the PATH, which is best avoided so that a stray my-app in a shared directory cannot hijack the command)
System services:
- /etc/init.d/name command
- start / stop / restart / reload / status
Process management:
- ps aux (lists all processes of all users, including their full command lines)
- ps aux | grep gcpmain (find the gcpmain process; the grep command itself also shows up in the output)
- top
- kill pid (kill 12075) sends SIGTERM, which asks the process to exit cleanly
- kill -9 pid (SIGKILL: the kernel terminates the process at once and it gets no chance to clean up)
Directories:
- /bin (common exe)
- /boot (critical files used at boot time)
- /dev (device and special files)
- /etc (system-wide config files)
- /home
- /lib (system-wide shared libraries and kernel modules)
- /media (mount points for removable devices such as USB drives)
- /mnt (temporarily mounted filesystems)
- /opt (optional software packages)
- /proc (kernel and process information virtual file system)
- /root (root user home directory)
- /sbin (system binaries dedicated to system admin)
- /srv (service data)
- /tmp (temporary files)
- /usr (read-only user data)
- /var (files that are expected to be modified by running apps)
- /dev/null (discards everything written to it; reads return end-of-file at once)
- /dev/random (kernel random number generator; on the kernels of this era reads block when the kernel's entropy estimate is low)
- /dev/urandom (same generator, never blocks; fine for keys and tokens once the system has booted and the pool is seeded)
- /dev/full (reads return zero bytes; every write fails with ENOSPC, "No space left on device", so it is used to test how programs handle a full disk)
- /dev/zero (reads return an endless stream of zero bytes; writes are discarded)
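As an added example (not from the original page), the script below exercises the special files above: it hex-dumps what each one returns on read, draws a random token from /dev/urandom, and uses /dev/full to show that a copy routine really notices a failed write, which is what /dev/full exists for. It assumes a Linux /dev and the standard dd, od and cp tools; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes Linux /dev entries
# and the usual dd, od, cp utilities; runs as an ordinary user.

# Hex dump of the first NBYTES bytes read from DEVICE, as one lowercase string.
# /dev/zero and /dev/full give zeros, /dev/null gives nothing at all.
read_hex() {               # read_hex DEVICE NBYTES
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

# A token for session ids, CSRF secrets and the like: NBYTES of kernel
# randomness from /dev/urandom, hex encoded (two characters per byte).
random_token() {           # random_token NBYTES
    read_hex /dev/urandom "$1"
}

# Copy SRC to DST and refuse to treat a failed write as success. Scripts that
# ignore cp's exit status lose data silently when a filesystem fills up;
# pointing DST at /dev/full reproduces that failure without filling a disk.
checked_copy() {           # checked_copy SRC DST -> 0 on success, 1 on failure
    err=$(cp "$1" "$2" 2>&1 >/dev/null) && return 0
    echo "write to $2 failed: $err" >&2
    return 1
}
```

To see the failure path by hand, create a non-empty file and checked_copy it to /dev/full: the error line reports "No space left on device" and the function returns 1, while the same copy to /dev/null returns 0.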

Saturday, July 31, 2010

Running Tomcat as Non-Root User

I don't believe there are any issues with running Tomcat as the root user. However, for the more security-conscious readers out there, here are some instructions on running Tomcat as a non-root user.

At this stage, the Tomcat packages, files and binaries are owned by root. We will first need to create a Tomcat user and group that will own these files, and under which Tomcat will run.

Tomcat User :: tomcat

Tomcat Group :: tomcat

Not too imaginative, huh ? We will now create the Tomcat user and group. Open a terminal window and, as root,

# groupadd tomcat
# useradd -g tomcat -d /opt/tomcat tomcat
# passwd tomcat

Notice that we specified the home directory of Tomcat to be /opt/tomcat. Some people consider this good practice because it eliminates an additional home directory that needs to be administered. The passwd step gives the account a login password; for a pure service account that nobody needs to log in as, skip it and lock the account instead, as the Tomcat user entry further down this page recommends.

Now, we will put everything in /opt/tomcat under Tomcat user and group. As root,

# chown -R tomcat:tomcat /opt/tomcat

If /opt/tomcat is a symlink to your Tomcat install directory, you'll need to do this:

# chown -R tomcat:tomcat /opt/jakarta-tomcat-5.x.xx

Verify that JAVA_HOME and CATALINA_HOME environment variables are setup for tomcat user, and you should be good to go. Once the Tomcat binaries are under Tomcat user, the way you invoke it will be different.

To start Tomcat,

# su - tomcat -c /opt/tomcat/bin/startup.sh

To stop Tomcat,

# su - tomcat -c /opt/tomcat/bin/shutdown.sh

Also, be aware that your web applications will need to be deployed (i.e. copied to the web application directories) as user tomcat, instead of root. A little more hassle, but possibly a little safer too.

Note that the JVM is one process with many threads, and POSIX makes user credentials a property of the process, not the thread: all threads in a JVM run under the same user id, so no thread may run as root unless they all do. Java also has no standard API for changing the process's user id after start-up, so a JVM cannot bind port 80 as root and then serve requests as tomcat.

Apache httpd doesn't have this limitation because it uses multiple processes: the parent starts as root, binds port 80 and forks worker processes that switch to an unprivileged user before they handle any request.

In Linux, a process can start as root, do its privileged work (such as binding a port below 1024) and then change its user id to something less privileged with the setuid system call. Once a root process has called setuid to a non-root id the change is permanent: it cannot go back to root. (The related seteuid call changes only the effective id and is reversible, which is why a real privilege drop uses setuid, and drops the supplementary groups and the group id first.)

MySQL Options

To start the MySQL command-line client, type mysql in a terminal window and press Return. The mysql programs are normally installed in /usr/bin, which is on the PATH, so the directory name is not needed.

When you start mysql you can pass various options. To connect to the server you generally need two, -u name and -p. Give -p on its own so the client prompts for the password: the -pPASSWORD form puts the password on the command line, where every user on the machine can read it with ps aux and where the shell history records it. The following list describes these and a few additional options and gives some background. They apply not only to mysql but also to mysqladmin, mysqldump and most other command-line tools.

-u name or --user=name: This option specifies which MySQL user name you wish to use. Depending on how MySQL is configured, there can be many MySQL users (see also Chapter 11). If no users have been set up yet, or if you have administrative tasks to perform, use the user name root.

This user exists in every MySQL installation and is its administrator; it is a MySQL account stored in MySQL's own user table, separate from the operating system's root user. If you omit -u, then under Unix/Linux the current login name is used, while under Windows it is ODBC. A login is possible only if a user with that name has been set up on the MySQL server.
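As an added example (not from the original page), here is the option-file approach that keeps the password off the command line: an owner-only file in the ~/.my.cnf format that mysql, mysqladmin and mysqldump read on start-up, plus a check that refuses to use a file other local users can read. It assumes a Unix shell with ls and cut and a mysql client on the PATH; the user name jason, the file path and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes POSIX sh, ls/cut,
# and a mysql client; the user name and file path below are illustrative.

# Write a [client] option file that holds the credentials. mysql, mysqladmin
# and mysqldump read ~/.my.cnf on start-up, so with this in place a plain
# 'mysql' connects with no -u/-p and nothing ever appears in 'ps aux' or in
# the shell history. Created under umask 077 and then forced to mode 600.
write_client_cnf() {       # write_client_cnf FILE USER PASSWORD
    ( umask 077 && printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# Permission string of FILE as ls shows it, e.g. "-rw-------".
file_mode() {              # file_mode FILE
    ls -ld "$1" | cut -c1-10
}

# Refuse an option file that group or others can read: a readable .my.cnf is
# no better than a password on the command line.
check_client_cnf() {       # check_client_cnf FILE -> 0 if owner-only, 1 otherwise
    case "$(file_mode "$1")" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1 is readable by other users; chmod 600 it" >&2; return 1 ;;
    esac
}

# Connect with credentials from FILE instead of -u/-p. --defaults-extra-file
# must come first on the mysql command line; remaining arguments are passed
# on unchanged (for example a database name).
mysql_with_cnf() {         # mysql_with_cnf FILE [mysql arguments...]
    f=$1; shift
    check_client_cnf "$f" || return 1
    mysql --defaults-extra-file="$f" "$@"
}
```

Run write_client_cnf "$HOME/.my.cnf" jason 'the-password' once; afterwards mysql_with_cnf "$HOME/.my.cnf" mydb connects without -u or -p, and so does a plain mysql, which picks up ~/.my.cnf on its own.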

Wednesday, July 28, 2010

The structure of an RPM package

The Red Hat Package Manager (RPM) is a tool that facilitates installing, uninstalling, and upgrading software for your Red Hat Linux system. It is a file that contains executable programs, scripts, documentation, and other files needed by an application or software unit. RPM packages are generally named using a convention that lets you determine the name of the package, the version of the software, the release number of the software, and the system architecture for which the application is intended. The following diagram shows how the components of a package name are arranged:

(1) Name

(2) Version

(3) Release

(4) Architecture

When you update a package, RPM installs the new version of the software but attempts to leave your existing configuration files intact. You can update a package with the -U option of the rpm command:

rpm -Uvh  package 

-U upgrades the package, or installs it if no older version is present; -v is verbose and -h prints hash marks as a progress bar. During an upgrade RPM removes the old version of the package after the new one is installed, so only the newest copy remains. The usual exception is the kernel: install new kernels with rpm -ivh instead, so the old kernel stays installed and bootable if the new one fails.

http://www.ibm.com/developerworks/linux/library/l-rpm2/index.html
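As an added example (not from the original page), the function below implements the naming convention above as a parser: given a file name it returns the four fields, splitting from the right because the name may contain dashes while the version and release may not. It is POSIX sh using only parameter expansion; the package names used for illustration are constructed, not real packages.

```shell
#!/bin/sh
# Added example, not code from the original page. Pure POSIX sh; the package
# names used for illustration are constructed, not real packages.

# Split NAME-VERSION-RELEASE.ARCH.rpm into its four fields. NAME may contain
# dashes (perl-DBD-MySQL), VERSION and RELEASE may not, and RELEASE may contain
# dots (43.el5), so ARCH is peeled off the right first, then RELEASE, then
# VERSION. File names never carry the optional epoch that 'rpm -q' may print
# as a leading "EPOCH:" on the version.
parse_rpm_name() {         # parse_rpm_name FILE -> "name=.. version=.. release=.. arch=.."
    f=${1##*/}             # drop any directory part
    case "$f" in
        *.rpm) f=${f%.rpm} ;;
        *) echo "not an .rpm file name: $1" >&2; return 1 ;;
    esac
    arch=${f##*.}          # x86_64, i386, noarch, or src for a source package
    base=${f%.*}           # NAME-VERSION-RELEASE
    case "$base" in
        *-*-*) ;;          # need at least two dashes to hold three fields
        *) echo "cannot split '$1' into name-version-release" >&2; return 1 ;;
    esac
    release=${base##*-}
    nv=${base%-*}          # NAME-VERSION
    version=${nv##*-}
    name=${nv%-*}
    printf 'name=%s version=%s release=%s arch=%s\n' "$name" "$version" "$release" "$arch"
}

# Parse every file name given on the command line (does nothing when run with none).
if [ $# -gt 0 ]; then
    for arg in "$@"; do parse_rpm_name "$arg"; done
fi
```

Saved as a script and run with httpd-2.2.3-43.el5.x86_64.rpm as its argument it prints name=httpd version=2.2.3 release=43.el5 arch=x86_64; a name such as foo.x86_64.rpm that lacks the version and release fields is rejected rather than mis-split.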

Tomcat user

For security reasons, Tomcat should run with low privileges. Create a tomcat user, set that user's login shell to /sbin/nologin and lock the user's password so that it cannot be guessed (the useradd line below sets the shell but does not lock the password; that is a separate step). It is also a good idea to make the tomcat user's primary group the nobody group or another group with similarly low permissions.

To create the tomcat user, run the following as root (46 here stands for the numeric GID of the low-privilege group; look up the nobody group's GID in /etc/group on your own system rather than copying the number):

# useradd -g 46 -s /sbin/nologin -d /opt/tomcat/temp tomcat

If you do not have root access, you could run Tomcat as your login user, but beware that any security vulnerability in Tomcat or in the web applications it hosts could then be exploited remotely to run code as your user account, with access to everything you own.
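As an added example (not from the original page, nor from the Tomcat project), the script below ties the two Tomcat set-up procedures on this page together: it creates the account the way this entry recommends (system account, /sbin/nologin shell, locked password), hands it the install tree as in the earlier Running Tomcat as Non-Root User post, and then checks the result. The check matters because the two procedures combine awkwardly: once the shell is /sbin/nologin, the earlier post's su - tomcat -c ... is refused and su must be given a shell explicitly. It assumes a Red Hat style system with shadow-utils (useradd -r, usermod -L), getent, find, awk and a su that accepts -s; the user name, paths and function names are illustrative, and the two check functions run without root.

```shell
#!/bin/sh
# Added example, not code from the original page or the Tomcat project.
# Assumes shadow-utils (useradd -r, usermod -L), getent, find, awk and a su
# that accepts -s; TOMCAT_USER and TOMCAT_HOME are illustrative defaults.

TOMCAT_USER=${TOMCAT_USER:-tomcat}
TOMCAT_HOME=${TOMCAT_HOME:-/opt/tomcat}

# Create the service account (needs root). -r makes a system account with a
# low uid and no home skeleton, -s /sbin/nologin refuses interactive logins,
# and usermod -L locks the password so there is no usable credential at all.
create_service_user() {    # create_service_user USER HOMEDIR
    [ "$(id -u)" -eq 0 ] || { echo "create_service_user: must run as root" >&2; return 1; }
    getent group "$1" >/dev/null || groupadd -r "$1" || return 1
    id "$1" >/dev/null 2>&1 || useradd -r -g "$1" -d "$2" -s /sbin/nologin "$1" || return 1
    usermod -L "$1"
}

# Confirm USER really is a locked, no-login account. PASSWD and SHADOW default
# to the system files (shadow is readable by root only) but can point at copies.
check_service_account() {  # check_service_account USER [PASSWD [SHADOW]]
    u=$1; pwf=${2:-/etc/passwd}; shf=${3:-/etc/shadow}; ok=0
    shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$pwf")
    pwhash=$(awk -F: -v u="$u" '$1 == u { print $2 }' "$shf")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "$u: login shell is '$shell', expected /sbin/nologin" >&2; ok=1 ;;
    esac
    case "$pwhash" in
        '!'*|'*') ;;       # usermod -L prefixes the hash with '!'; '*' never matches
        *) echo "$u: password is not locked" >&2; ok=1 ;;
    esac
    return $ok
}

# After chown -R, confirm nothing under DIR is still owned by someone else and
# nothing is world-writable. A root-owned file Tomcat cannot read breaks
# start-up; a world-writable webapps directory lets any local user drop in a
# .war that Tomcat will deploy. Symlinks are skipped (their mode is always 777).
check_tree() {             # check_tree DIR USER -> 0 if clean, 1 if problems found
    id "$2" >/dev/null 2>&1 || { echo "check_tree: no such user: $2" >&2; return 1; }
    bad=$(find "$1" ! -type l \( ! -user "$2" -o -perm -002 \) 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/ownership or mode problem: /' >&2
    return 1
}

# Start or stop as the service user. With the shell set to /sbin/nologin,
# 'su - tomcat -c ...' is refused, so give su a shell explicitly. JAVA_HOME and
# CATALINA_HOME belong in $TOMCAT_HOME/bin/setenv.sh, which catalina.sh sources.
tomcat_ctl() {             # tomcat_ctl start|stop
    case "$1" in
        start) s=startup.sh ;;
        stop)  s=shutdown.sh ;;
        *) echo "usage: tomcat_ctl start|stop" >&2; return 2 ;;
    esac
    su -s /bin/sh "$TOMCAT_USER" -c "$TOMCAT_HOME/bin/$s"
}

# Full set-up, only when run as root with TOMCAT_SETUP=1 in the environment.
# chown -H follows /opt/tomcat if it is a symlink to the real install directory.
if [ "${TOMCAT_SETUP:-0}" = 1 ]; then
    create_service_user "$TOMCAT_USER" "$TOMCAT_HOME" &&
    chown -R -H "$TOMCAT_USER:$TOMCAT_USER" "$TOMCAT_HOME" &&
    check_service_account "$TOMCAT_USER" &&
    check_tree "$TOMCAT_HOME" "$TOMCAT_USER" &&
    tomcat_ctl start
fi
```

The two check functions are the part worth keeping around: run check_service_account tomcat and check_tree /opt/tomcat tomcat after every deployment done as root, since a war copied in by root is exactly the kind of file the earlier post warns about.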

Tuesday, July 27, 2010

Relaying port 80 to port 8080

It is true that on non-Windows operating systems a process must run as root (or, on Linux, hold the CAP_NET_BIND_SERVICE capability) to open a server socket on a port below 1024, so the JVM would have to be root to listen on port 80 itself. But the JVM does not need to run as root if something outside the JVM process relays all port 80 TCP connections to Tomcat on a port above 1024 (port 8080, for example).

Tomcat can open its web server on port 8080, and something else with the proper permissions can relay port 80 TCP connections to Tomcat's port 8080. This is often referred to as port relaying or net filtering and is such a handy and common feature that there is more than one way to do it on any given operating system.

You can redirect all port 80 TCP connections, on every address the machine is configured for, by entering these two commands as root:

# iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

They add the relaying rules to the kernel's nat table: every TCP connection that arrives for port 80 is redirected to port 8080 before it reaches a socket. The PREROUTING rule handles connections coming in from the network; the OUTPUT rule handles connections that originate on the machine itself (a browser or curl pointed at localhost), which never pass through PREROUTING. You can list the result with iptables -t nat -L -n. Two things to keep in mind: the rules live only in kernel memory and vanish at reboot, so save them with your distribution's mechanism (service iptables save on Red Hat systems of this era) or a boot script; and port 8080 itself stays directly reachable from the network, so if clients must only ever use port 80, add a filter rule that rejects direct connections to 8080.