week we got our first introduction to the excellent new AsteriskNOW, which
is a convenient Asterisk bundle containing everything you need to get up and
running—Asterisk, a customized Linux operating system, and a nice AJAX-based
Web administration interface. Today we’re going to learn about setting a root
password, adding and removing software, and basic system administration chores.
AsteriskNOW does not have a Linux root password. The “admin” user is configured to use sudo when root permissions are necessary. And you get this nag screen when you do:
[[email protected] ~]$ sudo nano /etc/grub.conf We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password:
Ahem. Presumably you are the local System Administrator. But it’s
still a good reminder. A fundamental computer security principle is the “principle
of least privilege.” The two main reasons for this are to limit exposure in case
of an intrusion, and to protect yourself a little bit from your own mistakes.
Every time you run a program as the root user, that program has access to the
entire system. So it provides a nice unimpeded path into the guts of your system
for an attacker. That’s why most services run as non-root users. Services that
do require rootly powers for certain functions, such as binding to network sockets,
drop to a non-root user after establishing networking. The Apache HTTP server
is a famous example of this.
For human users, using sudo in the way AsteriskNOW has it set up makes good sense. You only have to remember one password, and all sudo commands are logged. But you still need a “real” root password. Not all commands work with sudo; some commands and scripts don’t know how to handle sudo asking for a password. But even more importantly, the Ext3 filesystem reserves 5% of the filesystem exclusively for the root user. This makes it possible for the root user to recover a system when user processes have have gone berserk and completely filled up the filesystem. Create a root password this way:
[[email protected] ~]$ sudo passwd root
Easy peasey. Write it down and lock it up. While there are some simple ways
to recover from losing a root password—ways that prove the old Unix dictum
“she who has physical access to the box owns it”—writing it down is cheap
While we’re on the subject of cheap insurance, let’s briefly touch on the
value of putting your servers behind locked doors. Hollywood and the tech press
would have you believing that evil crackers trying to break into your systems
from their cozy underground lairs are your biggest threats. They’re not; inside
jobs are. Anyone who has physical access to a computer does not need any passwords
to easily get into it. All they need are a bootable Linux CD or USB key. Or
cruder methods like bashing the box open and removing the hard drives.
Setting up System Administration
AsteriskNOW includes rPath Linux, a customized Linux designed for packaging custom software appliances. Log in to the AsteriskNOW Web control panel and click on the “System Configuration” link up at the top right. This opens the rPath Appliance Agent administrator panel. This adds a third “admin” user to our collection, with the default of “password”. As in the AsteriskNOW control panel, you must first run through the setup wizard before anything else will work. This is a good time to put a static IP address on your server and change the admin password.
Now you have access to a number of useful tasks, such as Backup and Restore, Configuration, System Updates, and logfile viewers. First use the Time Zone and Time tab to make sure the time is set correctly, and configure it to use your NTP server. If you aren’t running a local time server, enter pool.ntp.org. If the time and date are off by more than an hour, you should first correct them manually. Otherwise it will take a long time to synchronize on its own.
Then schedule System Updates. The default is weekly, but daily is better. You don’t want to wait a week for bug and security fixes.
rPath Linux doesn’t have the usual package managers like Yum or apt-get that we know and love, but its own custom system. These two commands show an abbreviated Conary command set, and a longer list of commands:
[[email protected] ~]$ conary [[email protected] ~]$ conary help
AsteriskNOW has its own package repositories, which are configured in /etc/conaryrc. You can see a list of all packages installed on your system:
[[email protected] ~]$ conary query | less
Or see what is available to install:
[[email protected] ~]$ conary rq | less
Use good old grep to search for a specific program:
[[email protected] ~]$ conary query | grep speex speex=1.1.10-2-0.1
That shows that speex is installed. If it weren’t, conary rq | grep speex would tell us if it’s available to install. conary update [packagename] installs a new package or updates an installed package, and conary erase [packagename] removes it.