Wednesday, March 19, 2008

How to become a Unix Administrator

So you want to become a Unix Jedi?  Many different elements have been suggested as what it takes, but here is the short list:

  • Read a lot of books
  • Enjoy Unix
  • Find a mentor

The bulk of the Unix System Administrators out there are self-taught to varying degrees.  If you want to be a great System Administrator you need to love to learn and spend a lot of your free time doing so.  Beyond reading, you will get a lot of mileage out of just doing it.  Run your own Unix server for fun - if you don't have the spare hardware, download VMware Server and run your server in a virtual machine.

You need to find something that interests you.  If you don't already have a project in mind, here are some ideas:

  • Web Server (Apache)
  • FTP Server
  • Email server (First using sendmail, then try it with postfix)
  • DNS Server

There are those who would recommend running some flavor of Unix as your workstation OS.  If that is something that excites you, then that would make a great project for you.

Many believe that finding a mentor is very important to success, but that can be easier said than done.  If you don't have a mentor you can often find great assistance in online communities.  I would highly recommend joining SAGE and USENIX.  

I've collected a recommended reading list at the bottom of this message to help you get started on your journey.  Read through the reviews online and decide which books are right for your current ability level.  The list below runs from beginner to advanced, with some great references thrown in for good measure (the majority of these were recommended reading on the SAGE Members mailing list).

Unix Books

  • Unix in a Nutshell, Fourth Edition by Arnold Robbins
  • Unix Programming Environment by Brian W. Kernighan, Rob Pike
  • The UNIX Philosophy by Mike Gancarz
  • Essential System Administration, Third Edition by Æleen Frisch
  • Unix System Administration Handbook by Evi Nemeth
  • Unix Power Tools, Third Edition by Shelley Powers, Jerry Peek, Tim O'Reilly, Mike Loukides
  • The Practice of System and Network Administration (2nd Edition) by Thomas A. Limoncelli, Christina J. Hogan, Strata R. Chalup

FreeBSD Specific Books

  • Absolute BSD: The Ultimate Guide to FreeBSD by Michael Lucas, Jordan Hubbard
  • The Complete FreeBSD: Documentation from the Source by Greg Lehey
  • The Design and Implementation of the FreeBSD Operating System by Marshall Kirk McKusick, George V. Neville-Neil


X-Bofh said...

Very nice articles.
I think a lot of people are going to benefit from your knowledge.

I was searching documentation about ipa system but apart from the official docs, haven't found much info.

Have you dealt with this software?
I'm having trouble running this on a non-root account (FreeBSD).
I think the problem is that a regular user does not have permission to change IPFW rules, as it should be.

Do you know the method to allow a user access to IPFW rules?


Neil said...

IPA is new to me, and I can't speak to its particulars, but you are correct: IPFW does not allow users to modify rules - and doing so without understanding all the ramifications of what you are doing could open the door wide to those with malicious intent.

If all you needed to do was run ipfw show as a specific user, you could utilize sudo, and add something like this to your sudoers file:
someuser ALL=NOPASSWD: /sbin/ipfw show

Then from the command line that user could run sudo ipfw show and see all rules, but couldn't do anything else with ipfw. Normally I wouldn't recommend the NOPASSWD flag, as prompting for a password is a good security measure, but if this is going to be called from inside of an application the NOPASSWD flag would be prudent.

You can also solve this using setuid, but unless you really know what you are doing, don't do that. Much damage has been done by the abuse of setuid and if you aren't prepared to learn a whole lot about writing secure programs I would encourage you to avoid it.
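
To make the difference between `/sbin/ipfw show` and a bare `/sbin/ipfw` in sudoers concrete, here is an added illustration (not Neil's code and not sudo's own implementation): a toy matcher that applies sudo's command-spec rules to what a user actually ran. It models only a small, exact-match subset of sudoers(5): a bare path permits any arguments, a path followed by `""` permits none, and listed arguments must match exactly. The host name `fw1`, the `OVERBROAD` and `NO_ARGS` lines and all sample commands are constructed for the demonstration.

```python
"""Toy model of how sudo matches a sudoers command spec against the command a
user actually ran.  Added illustration for the comment above; this is not
sudo's own code and covers only a small, exact-match subset of sudoers(5)."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    nopasswd: bool
    command: str                        # absolute path of the permitted binary
    args: Optional[Tuple[str, ...]]     # None = any arguments, () = no arguments


def parse_rule(line: str) -> Rule:
    """Parse one `user host=[(runas)] [NOPASSWD:] /path [args]` sudoers line.
    Aliases, multiple command specs and glob patterns are not modelled."""
    user, rest = line.split(None, 1)
    host, spec = rest.split("=", 1)
    spec = spec.strip()
    if spec.startswith("("):            # optional (runas) list; ignored here
        spec = spec[spec.index(")") + 1:].strip()
    nopasswd = spec.startswith("NOPASSWD:")
    if nopasswd:
        spec = spec[len("NOPASSWD:"):].strip()
    words = shlex.split(spec)           # turns `/sbin/ipfw ""` into ['/sbin/ipfw', '']
    command = words[0]
    if len(words) == 1:
        args = None                     # bare path: sudo allows any arguments
    elif words[1:] == [""]:
        args = ()                       # explicit "": no arguments allowed
    else:
        args = tuple(words[1:])         # listed args must match exactly
    return Rule(user, host.strip(), nopasswd, command, args)


def permits(rules: List[Rule], user: str, host: str, argv: List[str]) -> Optional[Rule]:
    """Return the rule that allows `argv` (argv[0] already resolved to an
    absolute path, as sudo does) for `user` on `host`, or None if nothing does."""
    for rule in rules:
        if rule.user != user or rule.host not in ("ALL", host):
            continue
        if rule.command != argv[0]:
            continue
        if rule.args is None or rule.args == tuple(argv[1:]):
            return rule
    return None


# The line from the comment above, plus two contrasting variants (constructed).
RESTRICTIVE = "someuser ALL=NOPASSWD: /sbin/ipfw show"   # only `ipfw show`
OVERBROAD = "someuser ALL=NOPASSWD: /sbin/ipfw"          # any ipfw subcommand
NO_ARGS = 'someuser ALL=/sbin/ipfw ""'                   # ipfw with no arguments


def allowed(sudoers_line: str, argv: List[str]) -> bool:
    """True if `someuser` on the (constructed) host fw1 may run argv under that line."""
    return permits([parse_rule(sudoers_line)], "someuser", "fw1", argv) is not None


if __name__ == "__main__":
    for line in (RESTRICTIVE, OVERBROAD, NO_ARGS):
        for argv in (["/sbin/ipfw", "show"], ["/sbin/ipfw", "flush"], ["/sbin/ipfw"]):
            print(f"{line!r:45} {' '.join(argv):18} -> {allowed(line, argv)}")
```

The point the table of results makes is the one Neil is making: with `/sbin/ipfw show` the user can list rules and nothing else, while a bare `/sbin/ipfw` hands over the whole firewall. On a real system, check any edited sudoers file with `visudo -c` before relying on it, since a syntax error there can lock everyone out of sudo.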

X-Bofh said...

Hi Neil.

Haven't thought about that solution, however I think it's not going to work because ipa expects to talk with the firewall at a lower level.

ipa[19460]: MOD ipa_ipfw: kipfw_init: socket(AF_INET, SOCK_RAW, IPPROTO_RAW): Operation not permitted

For now I run ipa as root, and if this program is well designed, shouldn't be a problem.

As for collecting stats, I have created a user to manage this and it works.

$ ipastat -q -r prueba1
Rule : prueba1
Info : Outgoing HTTP traffic

From : 2008.04.01/00:00:00
To : 2008.04.30/24:00:00

Timestamp | Counter | Per day
2008.04.12/23:45:18-23:49:18 | 0 |
2008.04.12/23:52:37-23:52:46 | 0 |
2008.04.12/23:53:30-23:54:54 | 0 |
2008.04.12/23:56:54-24:00:00 | 0 | 0
2008.04.13/00:00:00-03:20:07 | 42230 | 42230
2008.04.14/01:44:33-01:45:28 | 0 |
2008.04.14/01:46:34-01:47:20 | 0 |
2008.04.14/01:47:30-24:00:00 | 25315984 | 25315984
2008.04.15/00:00:00-14:40:00 | 60671601 | 60671601

* Summary 86029815 (4 days)

* Total 86029815 (4 days)

The weird thing is that it is assumed that you can start ipa as root and it drops privileges with the -u argument.