System Configuration with Environment Directories and Files


Environment Directories

Environment directories are special directories that contain configuration items for particular services. An environment directory is particularly useful with the chpst tool to set environment variables for run scripts and other scripts. Environment directories are more secure than sysconfig files because a sysconfig file is usually sourced from a shell script. Sysconfig files are supposed to be configuration files that set variables for a script to use. Unfortunately, because they are sourced, any commands they contain are executed as well. A short example:

$ cat test.sh
#!/bin/sh

echo "pre"
. ./test.sysconfig
echo $FOO
echo "post"
$ cat test.sysconfig
# some comment
FOO="hello"
echo test
$ sh test.sh
pre
test
hello
post

The above is not at all what you would expect when running test.sh; an extra command was executed that wasn't in the actual script. Usually no validation of the data is done. The scary thing is that a lot of traditional initscripts do this, as do a number of other scripts. By and large this isn't a problem, until someone manages to modify a sysconfig file they shouldn't have access to. It's not a stretch to piggyback the modification of a sysconfig file onto another vulnerability that allows such a file to be overwritten; think of the numerous temporary file vulnerabilities that have been fixed in the past. One could easily exploit one of these to overwrite data in a sysconfig file that is later used by a script, executing arbitrary code as (more often than not) the root user.

Using environment directories where a single file corresponds to a variable name and the contents of the file are the contents of the variable is much safer and prevents these problems. For example:

$ cat test.sh
#!/bin/sh

echo "pre"
FOO=$(head -n 1 FOO)
echo "$FOO"
echo "post"
$ cat FOO
hello
echo foo
$ sh test.sh
pre
hello
post

In this case, there is no unexpected code execution and the code is much cleaner. Here you know precisely what you're assigning to what and you know what variables are being set at all times.

Annvix is slowly starting to move away from sysconfig files to the much-preferred environment directory format for configuration. A number of services already utilize environment directories.

NOTE: An environment file can contain only one line. This line is the sole content of the variable. Any lines beyond the first line are completely ignored.
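
A reusable form of the same pattern, added here as an example (it is not Annvix code): the hypothetical helpers env_get and env_get_uint read only the first line of a file in an environment directory as data, reject names that are not plain variable names, and fall back to a default when a numeric setting is missing or malformed. The sample directory and its values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read environment-directory files as data only.
# Nothing is sourced or eval'd, so file contents cannot run commands.

# env_get DIR NAME [DEFAULT]: print the first line of DIR/NAME, or DEFAULT
# when the file is missing or its first line is empty.
env_get() {
    _dir=$1 _name=$2 _default=${3-}
    # Accept only plain variable names; this also blocks "../" in NAME.
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    _value=
    if [ -f "$_dir/$_name" ]; then
        # read consumes one line; any later lines are ignored.
        IFS= read -r _value < "$_dir/$_name" || :
    fi
    printf '%s\n' "${_value:-$_default}"
}

# env_get_uint DIR NAME DEFAULT: like env_get, but use DEFAULT unless the
# value is a non-negative integer (timeouts, connection limits).
env_get_uint() {
    _v=$(env_get "$1" "$2" "$3") || return
    case $_v in
        ''|*[!0-9]*) _v=$3 ;;
    esac
    printf '%s\n' "$_v"
}

# Constructed sample directory; FOO mirrors the file shown above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'hello\necho foo\n' > "$demo_dir/FOO"
printf '40\n' > "$demo_dir/MAX_CONN"
printf '5; echo test\n' > "$demo_dir/MAX_PER_HOST"

env_get "$demo_dir" FOO                  # first line only
env_get_uint "$demo_dir" MAX_CONN 20     # valid number is used
env_get_uint "$demo_dir" MAX_PER_HOST 5  # malformed value, default is used
env_get_uint "$demo_dir" MAX_BACKLOG 20  # missing file, default is used
```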

runit

The /etc/sysconfig/env/runit directory controls some aspects of runit shutdowns and contains the following files:

  • CTRLALTDEL_TIMEOUT: the number of seconds to wait after receiving the keycode CTRL-ALT-DEL to initiate the system reboot (default: 14)
  • GETTY_TIMEOUT: the number of seconds to wait for getties to exit during a shutdown or reboot before killing them (default: 14)
  • STAGE_3_TIMEOUT: the number of seconds to wait for all supervised services to exit during a shutdown or reboot before killing them (default: 180)

tcpsvd

The /etc/sysconfig/env/tcpsvd directory contains files that are the default settings for tcpsvd-controlled services (such as sshd or rsync):

  • HOSTNAME: the hostname of the system (default: the system hostname; this file is automatically generated each boot)
  • IP: the IP address to bind to (default: 0; bind to all available IP addresses)
  • MAX_BACKLOG: the number of TCP SYNs allowed to be backlogged (default: 20)
  • MAX_CONN: the number of connections to handle simultaneously (default: 20)
  • MAX_PER_HOST: the number of connections to handle simultaneously from the same IP address (default: 5)

Note that these are system-wide defaults. Services that use tcpsvd can be individually configured via local environment directories (i.e. /service/sshd/env).

network

The /etc/sysconfig/env/network directory contains files that impact networking defaults. These were originally defined in /etc/sysconfig/networking:

  • HOSTNAME: the system hostname to set at each boot
  • GATEWAY: the IP address of the system's gateway

clock

The /etc/sysconfig/env/clock directory contains files that impact the system clock settings. These were originally defined in /etc/sysconfig/clock:

  • UTC: whether or not the computer clock is set to UTC time; if yes (or true) then the system is set to UTC; if no (or false) then the hardware clock is set to local time (default: no)
  • ZONE: the timezone the computer is in (i.e. MST7MDT or America/Edmonton)

USB

The /etc/sysconfig/env/usb directory contains files that impact what the usb initscript will load (if anything). These were originally defined in /etc/sysconfig/usb:

  • USB: whether or not to enable USB support (yes or no; default: yes)
  • MOUSE: whether or not to enable USB mouse support (default: no)
  • KEYBOARD: whether or not to enable USB keyboard support (default: no)
  • STORAGE: whether or not to enable USB mass storage support (default: no)
  • PRINTER: whether or not to enable USB printer support (default: no)

ulimits

The /etc/sysconfig/env/ulimits directory contains files that impact the default ulimit settings. These were originally defined in /etc/sysconfig/ulimits:

  • MAX_USER_PROCS: the maximum number of processes per user (default: 100)
  • MAX_DATASEG_SIZE: the maximum data segment size in bytes (default: 12288)
  • MAX_OPEN_FILES: the maximum number of open files per user (default: 256)

kudzu

The /etc/sysconfig/env/kudzu directory contains files pertaining to kudzu settings. These were originally defined in /etc/sysconfig/kudzu:

  • SAFE: whether or not to run kudzu in "safe" mode, which disables serial port probing, DDC monitor probing, and PS/2 probing (default: no)

hdparm

The /etc/sysconfig/env/hdparm directory contains sub-directories named after a device, such as /etc/sysconfig/hdparm/hda, each of which defines the hdparm options to be passed at boot for that particular device. This replaces the /etc/sysconfig/harddiskhdX files.

  • OPTS: the hdparm options to use for the device

By default, this directory is empty so there are no optimizations being done on hard drives. To enable hdparm optimizations on a particular device, do:

# mkdir /etc/sysconfig/env/hdparm/hde
# echo "-d1 -m16 -X67" >/etc/sysconfig/env/hdparm/hde/OPTS

For all of the options you can pass to hdparm, check the hdparm(8) manpage.

nfs

There are a number of NFS-related services and they share the same environment directory. For this reason, the environment directory is located at /etc/sysconfig/env/nfs rather than in an ./env subdirectory of any given service. These were originally defined in /etc/sysconfig/nfs:

  • MOUNTD_OPTS: any additional options to pass to mountd
  • MOUNTD_PORT: force mountd to use a given port rather than a random one assigned by portmapper (i.e. 4002)
  • MOUNTD_TCP: whether or not to advertise TCP for mount (yes/no)
  • MOUNTD_NFS_V3: whether or not to use NFSv3 (yes/no/auto)
  • MOUNTD_NFS_V2: whether or not to use NFSv2 (yes/no/auto)
  • MOUNTD_OPEN_FILES: the number of open file descriptors to use (default: 128)
  • RPCNFSDCOUNT: the number of instances of rpc.nfsd to spawn (default: 8; 16 or more may be required to handle heavy client traffic)
  • RPCNFSDOPTIONS: additional options to pass to rpc.nfsd
  • LOCKD_TCPPORT: force lockd to use a given TCP port (i.e. 4001)
  • LOCKD_UDPPORT: force lockd to use a given UDP port (i.e. 4001)
  • STATD_PORT: force statd to use a given port (i.e. 4000)
  • STATD_OUTPORT: force statd to use a given outbound port (i.e. 4000)
  • STATD_HOSTNAME: set the hostname for statd
  • SECURE_NFS: whether or not to use secure NFSv4 (yes/no; default: no)
  • SECURE_NFS_MODS: modules to use with secure NFSv4 (default: "des rpcsec_gss_krb5")
  • RPCGSSD_OPTS: additional options to pass to gssd
  • RPCIDMAPD_OPTS: additional options to pass to idmapd
  • RPCSVCGSSD_OPTS: additional options to pass to svcgssd

For more information on tuning NFS, refer to the NFS HOWTO.

NOTE: If you wish to use the rpc.rquotad daemon to export quota information, you can use the following additional option:

  • RQUOTAD_PORT: set the fixed port for a remote quota server

Note that you must install the quota package and you must explicitly add the service (i.e. srv --add rpc.rquotad) for it to be used. NFS runs fine with or without rpc.rquotad so if you wish to export that information, be sure to install quota and add the service.

Application Environment Directories

Environment directories are also used by some applications to set up how they are executed. These applications are typically daemon services.

amd

The environment directory /var/service/amd/env contains the following files:

  • MOUNTPTS: defines alternate mount locations (the -a option to amd) (default: -a /net)
  • AMD_OPTS: additional options to pass to amd

mysqld

The environment directory /var/service/mysqld/env contains the following files:

  • MYSQLD_OPTS: Optional arguments to pass to mysqld (default: --skip-networking)
  • DATADIR: The data directory for mysqld's databases (default: /var/lib/mysql)
  • LOG: The filename for the log file that mysqld will log all connections and received SQL statements to. If this is empty, no extra logging will be done (default: empty)

portmap

The environment directory /var/service/portmap/env contains the following files:

  • BIND_HOST: The host on which portmap should explicitly listen; this can be an IP address or hostname. If this is empty, the default is for portmapper to listen on everything (default: empty)

dhcpd

The environment directory /var/service/dhcpd/env contains the following files:

  • CONFIGFILE: The configuration file to use (default: /etc/dhcpd.conf)
  • LEASEFILE: The lease file to use (default: /var/lib/dhcp/dhcpd.leases)
  • OPTIONS: extra options to pass to dhcpd (default: empty)
  • INTERFACES: the interface (i.e. eth0) for dhcpd to bind to; if empty, listen to them all (default: empty)

By default, dhcpd is executed via the run script as:

/usr/sbin/dhcpd -d -user dhcp -group dhcp -cf ${CONFIGFILE} -lf ${LEASEFILE} ${OPTIONS} ${INTERFACES}

System Configuration with /etc/sysconfig

As in Mandriva Linux and many other Linux distributions, the /etc directory is home to many configuration files. Of particular interest is the /etc/sysconfig directory. This directory contains a number of miscellaneous files that are sourced by various run and init scripts. Unlike Mandriva Linux, most of the configuration files here have been converted to Environment Directories. The few that remain are documented below.

Examining and possibly modifying some of these files can be to your advantage. Here we look at the various configuration files to determine what their use is and how to configure them.

To edit any of these files, use vim or any other text editor you may have installed:

# cd /etc/sysconfig
# vim installkernel

Sysconfig Files

hwconf

This file is created by kudzu and lists all of the devices installed on the system, including module information (the driver keyword), a description, vendor identification information, etc. This file is not meant to be user-modified.

i18n

This file sets the locale information on the system. Since Annvix only uses the English locale as of 2.0-RELEASE, this file should not be altered (i.e. changing the LANG option to something other than "en_US" probably will not accomplish what you want since all non-English locale files are removed at build).

installkernel

This file controls some aspects of how the installkernel helper script works. The defaults are sufficient for most and the file is heavily commented to show what each option does.
