Thursday, June 28, 2012

Intro to File Permissions

Ever want to know who has access to your files and what they're allowed to do to those files? Turns out there are permissions that do exactly those two things.

Let's start by listing out the folder contents in long format with ls -l (many systems alias this as ll)

alchemist@BogWarfs:/opt/test$ ll
total 12
-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault
-rw-r----- 1 deltys   elves     113 Jun 28 22:55 elvenVault
-rw-r----- 1 herpderp goblins   109 Jun 28 22:56 goblinVault
alchemist@BogWarfs:/opt/test$ cat dwarvenVault 
cat: dwarvenVault: Permission denied

Breakdown

Starting from right-to-left.

Filename

You can bequeath names in the common tongue.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

File name.

Modify Time

Timestamp of the last modification. If you touch the file (or write to it), it will change. There are other timestamps too, but that's a topic for another day.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

File Size

The file size here is 100 bytes. Whoopie.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

Group Name

This file belongs to the group, 'dwarves'. A file can have at most one group.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

Owner Name

This file belongs to the user, 'organdr'. A file can have at most one owner.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

Links

There is one link to the file. Topic for another day.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

Permissions

This is actually a multi-part set of permissions (the file's mode bits): a simple, fixed-layout ACL - Access Control List.

-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault

This row of dashes and letters has all sorts of meaning. Let's go through what each of the letters stands for. The meanings of these words are lost to mankind.

  • d - directory
  • r - read
  • w - write
  • x - execute

There are actually 4 fields here: a file-type character, then three groups of permission bits.

-           File type (d for a directory; here '-', a regular file)
 rw-        Owner Permissions (organdr)
    r--     Group Permissions (dwarves)
       ---  Global Permissions (everyone else)

From this ACL we can see that Organdr can read/write to the dwarvenVault, Dwarves can read from the Vault, and everyone else isn't allowed to do anything to dwarvenVault. That is also why the cat at the top failed: alchemist is neither the owner nor a member of dwarves, so the last group of dashes (---) applies.
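To see the rule the kernel applies when it decides between those three groups, here is a small parser for ls -l lines plus the access check, as an added example that is not part of the original post. The listing is the one from the session above plus one constructed extra line (oddVault); the user names and group memberships passed in are hypothetical. It models plain owner/group/other checks only, not root, POSIX ACLs or SELinux.

```python
from dataclasses import dataclass

# Constructed sample: the listing from the session above plus one extra line
# (oddVault) that shows the "first matching class wins" rule.
LS_OUTPUT = """\
total 12
-rw-r----- 1 organdr  dwarves   100 Jun 26 22:26 dwarvenVault
-rw-r----- 1 deltys   elves     113 Jun 28 22:55 elvenVault
-rw-r----- 1 herpderp goblins   109 Jun 28 22:56 goblinVault
----r----- 1 organdr  dwarves    12 Jun 26 22:30 oddVault
"""

@dataclass
class Entry:
    is_dir: bool
    owner: str
    group: str
    perms: dict        # {"owner": "rw-", "group": "r--", "other": "---"}
    name: str

def parse_ls_line(line):
    """Split one `ls -l` line into its nine fields; the name keeps any spaces."""
    mode, _links, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
    # mode[0] is the file type; mode[1:10] are the nine permission bits. A trailing
    # '+' or '.' (POSIX ACL / SELinux label) may follow on some systems and is ignored.
    return Entry(is_dir=(mode[0] == "d"), owner=owner, group=group,
                 perms={"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]},
                 name=name)

def parse_entries(ls_output):
    return [parse_ls_line(l) for l in ls_output.splitlines()
            if l and not l.startswith("total")]

def which_class(entry, user, user_groups):
    """The kernel picks exactly one class and uses only that triad: owner first,
    then group, then everyone else. It never falls through to a more permissive
    triad, so an owner with '---' is locked out even if the group has 'r--'."""
    if user == entry.owner:
        return "owner"
    if entry.group in user_groups:
        return "group"
    return "other"

def can(entry, user, user_groups, perm):
    """perm is 'r', 'w' or 'x'. Plain DAC check: root (CAP_DAC_OVERRIDE), POSIX ACLs
    and MAC labels are not modelled and can change the real answer."""
    return perm in entry.perms[which_class(entry, user, user_groups)]

if __name__ == "__main__":
    # Hypothetical users: alchemist (no special groups) and organdr (in dwarves).
    for e in parse_entries(LS_OUTPUT):
        for user, groups in [("alchemist", {"alchemist"}), ("organdr", {"organdr", "dwarves"})]:
            bits = "".join(p if can(e, user, groups, p) else "-" for p in "rwx")
            print(f"{e.name:13} {user:10} class={which_class(e, user, groups):6} {bits}")
```

Running it shows alchemist landing in the "other" class on every file (hence the Permission denied) and organdr unable to read oddVault despite being in dwarves, because the owner triad is the only one consulted.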

That's enough for one sitting, we'll talk about changing permissions in the next entry.

Tuesday, June 26, 2012

Linux - Intro to sed - Text replacement

Linux - Inplace Text Replacement


Here's one way you can do a text replacement in Linux. This is useful for mass-editing files like html, source code, or whatever text file you use.

Example 1: Turn Lead into Gold

Here are the contents of a file, dwarvenVault

Hint: cat outputs a file to the terminal.
alchemist@BogWarfs:/opt/test$ cat dwarvenVault 
Inventory
-------------------
 5 x Lead bricks
10 x Lead bracelets
20 x Lead rings
42 x Lead swords
alchemist@BogWarfs:/opt/test$

Let's do alchemy!

alchemist@BogWarfs:/opt/test$ sed 's/Lead/Gold/g' dwarvenVault 
Inventory
-------------------
 5 x Gold bricks
10 x Gold bracelets
20 x Gold rings
42 x Gold swords
alchemist@BogWarfs:/opt/test$ cat dwarvenVault
Inventory
-------------------
 5 x Lead bricks
10 x Lead bracelets
20 x Lead rings
42 x Lead swords
alchemist@BogWarfs:/opt/test$ 

Aw poop, we have the change, but it didn't stick in the file. Ho hum.

Protip: Use -i to change it in place.
alchemist@BogWarfs:/opt/test$ sed -i 's/Lead/Gold/g' dwarvenVault 
alchemist@BogWarfs:/opt/test$ cat dwarvenVault 
Inventory
-------------------
 5 x Gold bricks
10 x Gold bracelets
20 x Gold rings
42 x Gold swords
alchemist@BogWarfs:/opt/test$ 

Example 2: Multiple files

You can also use a shell glob (or some other mechanism) to change many files at once.

alchemist@BogWarfs:/opt/test/$ ls
dwarvenVault  elvenVault  goblinVault
alchemist@BogWarfs:/opt/test/$ cat *
Inventory
-------------------
 5 x Lead bricks
10 x Lead bracelets
20 x Lead rings
42 x Lead swords
Inventory
--------------------
 24 x Lead bricks
300 x Lead bracelets
 50 x Lead rings
 15 x Lead swords
Inventory
--------------------
191 x Lead bricks
  3 x Lead bracelets
  1 x Lead rings
 26 x Lead swords
alchemist@BogWarfs:/opt/test/$ sed -i 's/Lead/Gold/g' *Vault
alchemist@BogWarfs:/opt/test/$ cat *
Inventory
-------------------
 5 x Gold bricks
10 x Gold bracelets
20 x Gold rings
42 x Gold swords
Inventory
--------------------
 24 x Gold bricks
300 x Gold bracelets
 50 x Gold rings
 15 x Gold swords
Inventory
--------------------
191 x Gold bricks
  3 x Gold bracelets
  1 x Gold rings
 26 x Gold swords
alchemist@BogWarfs:/opt/test/$ 
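
The same multi-file, in-place replacement as a small Python script, added here as an example that is not part of the original post. It adds the two things a practitioner usually wants before running `sed -i` over a glob: a dry run that reports what would change, and a backup copy (GNU sed's `-i.bak` gives you the latter). Like `sed -i`, it writes a new file and renames it over the old one, and it re-applies the original mode bits from the permissions post. The file names and contents are constructed in a scratch directory.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

def replace_in_files(paths, pattern, repl, dry_run=False, backup_suffix=".bak"):
    """Apply re.sub(pattern, repl) to each file. Returns {filename: substitutions}
    for files that would change; files with no match are left untouched."""
    regex = re.compile(pattern)
    changed = {}
    for p in map(Path, paths):
        original = p.read_text()
        new_text, n = regex.subn(repl, original)
        if n == 0:
            continue
        changed[p.name] = n
        if dry_run:
            continue
        mode = stat.S_IMODE(p.stat().st_mode)      # keep the rwx bits of the original
        if backup_suffix:
            shutil.copy2(p, p.with_name(p.name + backup_suffix))
        tmp = p.with_name(p.name + ".tmp")
        tmp.write_text(new_text)
        os.chmod(tmp, mode)
        os.replace(tmp, p)   # atomic rename: a reader sees the old or the new file, never half of either
    return changed

def demo():
    """Run the *Vault replacement from the session above in a constructed scratch directory."""
    d = Path(tempfile.mkdtemp())
    try:
        (d / "dwarvenVault").write_text("Inventory\n 5 x Lead bricks\n42 x Lead swords\n")
        (d / "elvenVault").write_text("Inventory\n24 x Lead bricks\n")
        (d / "notes.txt").write_text("Leaded glass, not Lead\n")   # not a *Vault file
        os.chmod(d / "dwarvenVault", 0o640)
        targets = sorted(d.glob("*Vault"))
        # \bLead\b avoids turning "Leaded" into "Golded"; plain sed 's/Lead/Gold/g' would.
        preview = replace_in_files(targets, r"\bLead\b", "Gold", dry_run=True)
        applied = replace_in_files(targets, r"\bLead\b", "Gold")
        return {
            "preview": preview,
            "applied": applied,
            "dwarven_after": (d / "dwarvenVault").read_text(),
            "dwarven_backup": (d / "dwarvenVault.bak").read_text(),
            "dwarven_mode": stat.S_IMODE((d / "dwarvenVault").stat().st_mode),
            "notes_after": (d / "notes.txt").read_text(),
        }
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The dry run and the real run return the same counts, which is the point: check the preview, then apply.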

Yer a wizard 'Arry

Monday, June 25, 2012

Remote DHCP

Remote DHCP on Cisco IOS

Use these techniques to reach a DHCP server outside of your subnet. Or don't. I don't care.

Case 1: Single Subnet

Devices

  • Spider Station Router:  10.111.0.1/24
  • Spider Station Switch:  10.111.0.2/24
  • HQ Router:  10.200.0.1/24
  • HQ DHCP Server:  10.200.0.2/24

To enable DHCP at Spider Station without setting-up a new DHCP server...

Spider Router

hostname Spider-RTR
!
interface FastEthernet 0/0
 ip address 10.111.0.1 255.255.255.0
 ip helper-address 10.200.0.2

Ta-da! That's it.

Simply add an IP helper to whatever fancy interface you're using. Port-channel, Ether-channel, Vlan, Multilink, BVI, or some other menacing interface/sub-interface.

Fail Warning: If an interface has sub-interfaces, apply it to the sub-interface. Helpers will not be inherited from the parent interface.

Fail Warning: The above also applies to logical interfaces. Even though Fa0/0 and Fa0/1 may be in Port-Channel 1, the helper must be applied to the port channel, not the physical interfaces.

When a client broadcasts a DHCPDiscover, Spider-RTR forwards it to the helper address using that interface's primary IP address as the relay address (the giaddr field in the DHCP packet). (Putting an IP helper-address on a trunk port will make your router/L3 switch feel silly.)

Case 2: With Redundancy

Using multiple remote DHCP servers.

Devices

  • Spider Spider Station Router:  10.222.0.1/24

ReinforcedSpider Router

hostname SpiderSpider-RTR
!
interface GigabitEthernet 0/3
 ip address 10.222.0.1 255.255.255.0
 ip helper-address 10.200.0.100
 ip helper-address 10.200.0.101

In this case, the DHCPDiscover is sent to both DHCP servers. It's OK though, because the client will only DHCPRequest one offer. Unless it's Eve and she's trying to consume all of my precious IPs...but that's another issue.

Case 3: With Secondary IPs

Sometimes an office's network needs grow and you have to temporarily (ha!) put a second subnet at the branch.

Since the helper only sources the primary interface by default, we'll need an extra command.

ip dhcp smart-relay

If the router doesn't detect a DHCPOffer, it will then relay a DHCPDiscover with a different giaddr in the DHCP packet. Layman's terms: it will try the secondary addresses.

Devices

  • Hungry Caterpillar Router (new subnet):  10.33.1.1/24
  • Hungry Caterpillar Router (old subnet):  10.33.0.1/25

Hungry Caterpillar Router

hostname HungryCaterpillar-RTR
!
ip dhcp smart-relay
!
interface FastEthernet 1/1
 ip address 10.33.0.1 255.255.255.128 secondary
 ip address 10.33.1.1 255.255.255.0
 ip helper-address 10.200.0.100
 ip helper-address 10.200.0.101
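
Cases 1 through 3 come down to one question: which address does the router put in giaddr, and which server answers it? Here is a small model of that decision, added as an example that is not Cisco code or part of the original post. The interfaces mirror Spider-RTR and HungryCaterpillar-RTR above; the server pool sizes, the "server down" flag and the extra Fa0/1 interface with no helper are constructed assumptions. IOS retries the primary giaddr a few times before moving on to a secondary; the model moves on immediately.

```python
import ipaddress

# Constructed topology mirroring Cases 1 and 3 (hostnames and addresses from the post,
# Fa0/1 added to show an interface without a helper).
INTERFACES = {
    "Spider-RTR Fa0/0": {
        "primary": "10.111.0.1/24", "secondaries": [], "helpers": ["10.200.0.2"]},
    "Spider-RTR Fa0/1": {            # no ip helper-address: the broadcast never leaves the subnet
        "primary": "10.112.0.1/24", "secondaries": [], "helpers": []},
    "HungryCaterpillar-RTR Fa1/1": {
        "primary": "10.33.1.1/24", "secondaries": ["10.33.0.1/25"],
        "helpers": ["10.200.0.100", "10.200.0.101"]},
}

# Constructed DHCP servers: pools keyed by network, value = free leases left.
# One of the two redundant servers is down, to show why two helpers are listed,
# and the new /24 pool is exhausted, to show why smart-relay is needed.
SERVERS = {
    "10.200.0.2":   {"up": True,  "pools": {"10.111.0.0/24": 200}},
    "10.200.0.100": {"up": False, "pools": {"10.33.1.0/24": 0, "10.33.0.0/25": 40}},
    "10.200.0.101": {"up": True,  "pools": {"10.33.1.0/24": 0, "10.33.0.0/25": 40}},
}

def server_offer(server_ip, giaddr):
    """A server selects the scope that contains giaddr (the relay's address).
    Returns None when it is down or that scope has nothing left to offer."""
    srv = SERVERS[server_ip]
    if not srv["up"]:
        return None
    for pool, free in srv["pools"].items():
        if giaddr in ipaddress.ip_network(pool) and free > 0:
            return {"server": server_ip, "pool": pool}
    return None

def relay_discover(iface, smart_relay=False):
    """What the router does with a client's broadcast DHCPDISCOVER on iface.
    Returns {"giaddr": ..., "offers": [...]} or None when no OFFER comes back."""
    cfg = INTERFACES[iface]
    if not cfg["helpers"]:
        return None
    # Without `ip dhcp smart-relay` only the primary address is ever used as giaddr.
    candidates = [cfg["primary"]] + (cfg["secondaries"] if smart_relay else [])
    for addr in candidates:
        giaddr = ipaddress.ip_interface(addr).ip
        # The DISCOVER is unicast to every helper; each may or may not answer.
        offers = [o for o in (server_offer(h, giaddr) for h in cfg["helpers"]) if o]
        if offers:
            return {"giaddr": str(giaddr), "offers": offers}
    return None

if __name__ == "__main__":
    for iface in INTERFACES:
        for smart in (False, True):
            print(f"{iface:28} smart-relay={smart!s:5} -> {relay_discover(iface, smart)}")
```

With smart-relay off, HungryCaterpillar-RTR gets no offer at all once the primary subnet's pool is empty; with it on, the retry with the secondary address as giaddr is answered by the one server that is still up.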

Well that's it from me tonight.

Sunday, June 24, 2012

Redundant DHCP

Adventures in Networking - DHCP - Part 2:  Redundancy

In my last post, I described the simplest DHCP functionality.  Your computers can grab an IP from a DHCP server and boom, you're done.  What if you're an availability kind of guy and the idea of having a single point of failure for IP acquisition rustles your jimmies?  Have no fear, redundancy is totally a possibility.

Let's review what the server does during a DHCP request.
  1. Hear a DHCP discover.
  2. Reserve an available IP from a DHCP pool, recording the MAC of the requester.
  3. Offer the IP.
  4. Acknowledge that the IP was accepted.

Note in step 2 that the DHCP server records the DHCP binding; it associates an IP with a MAC address in its DHCP binding table.  In a redundant setup you wouldn't want two servers having mismatched bindings.  It would be really bad if Server A handed out 10.0.0.5 and then Server B handed out the same IP to a different machine.  So to fix this issue, split the work.  Each server gets half of the original DHCP pool.

In my examples, I will use Cisco IOS's built-in DHCP running on a router or layer 3 switch.  I will post examples for dhcpd and Windows AD on another day.

Simple Setup - Single DHCP Server

This DHCP server will hand out IPs for the 10.0.0.0/24 network. It will use Google for DNS (8.8.8.8). We exclude the range 10.0.0.1 - 10.0.0.10 for our network equipment.

Router 1

Router(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.10
Router(config)# ip dhcp pool david
Router(dhcp-config)# network 10.0.0.0 255.255.255.0
Router(dhcp-config)# domain-name example.davidisbad.com
Router(dhcp-config)# dns-server 8.8.8.8
Router(dhcp-config)# default-router 10.0.0.1

Redundancy Setup - Two DHCP Servers

Router 1 serves 10.0.0.11 - 10.0.0.127.
Router 2 serves 10.0.0.128 - 10.0.0.254.

Router 1

Router1(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.10
Router1(config)# ip dhcp excluded-address 10.0.0.128 10.0.0.255
Router1(config)# ip dhcp pool david
Router1(dhcp-config)# network 10.0.0.0 255.255.255.0
Router1(dhcp-config)# domain-name example.davidisbad.com
Router1(dhcp-config)# dns-server 8.8.8.8
Router1(dhcp-config)# default-router 10.0.0.1

Router 2

Router2(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.127
Router2(config)# ip dhcp pool david
Router2(dhcp-config)# network 10.0.0.0 255.255.255.0
Router2(dhcp-config)# domain-name example.davidisbad.com
Router2(dhcp-config)# dns-server 8.8.8.8
Router2(dhcp-config)# default-router 10.0.0.1

Saturday, June 23, 2012

Intro to DHCP

Adventures in Networking - DHCP

DHCP is one of the fundamentals of our current network infrastructure.  It is one of the protocols that allows devices to join your network without you having to push any buttons.  In our techno-splurge culture we bring our tablets and laptops with us everywhere and expect them to work whenever we find a WiFi network.

When I connect to a network, my laptop gets an IP address but how did it do it?  When you plug in a network device, it will start by broadcasting a DHCP discovery (DHCP-DISCOVER).  The broadcast can be heard by anybody within the same subnet.  If a DHCP server (usually the router in a home environment) hears the request, it responds with a DHCP offer (DHCP-OFFER).  The laptop then formally requests the offer (DHCP-REQ) and the server acknowledges it (DHCP-ACK).

These DHCP messages are sent as a package with many envelopes (DHCP Options) which each have a meaning... but we'll get to that later.

Scene 1:  Local DHCP Server

1:  Laptop:  (Yelling) Is there anybody who can tell me how to join?  I need an IP address!

2:  Server:  (Yelling) Sure, how about 192.168.0.3?

(Server reserves 192.168.0.3 for Laptop then sends Laptop an info package with everything it needs to know.)

3:  Laptop:  (Yelling optional)  Server, can I please have 192.168.0.3?

4:  Server:  (Softly to Laptop)  Yes, you can use all the info you found in that package to join.

It turns out that in transaction 1, Laptop actually requests more than just an IP.  It will often request everything it needs to join the network.
  • #3:  Default Gateway (Router's address)
  • #1:  Subnet Mask (The boundaries of the subnet)
  • #15:  Domain Name (Network's name)
  • #6:  Domain Name Server (Server that knows all the names.)

It can request even more information if it needs to.  A VoIP phone might also ask where the call-manager is, a wireless access point might request the location of a wireless controller (not a Wii-mote in this case).  All of these requests get marked in an envelope (DHCP Option 55) and are sent to the DHCP server.  The DHCP server sees envelope #55 and does its best to include a reply for each item in that request list.
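
To make the "envelopes" concrete, here is the options part of the exchange in code, added as an example that is not part of the original post: the laptop packs option 55 with the four codes listed above (#3, #1, #15, #6), and the server answers each one it knows. Every option is one code byte, one length byte and the value, which is why the parser refuses a length that runs past the end of the data instead of trusting it. The server's addresses and domain name are constructed values for Scene 1.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
         15: "Domain Name", 53: "DHCP Message Type", 55: "Parameter Request List"}

# Constructed server settings for Scene 1 (hypothetical values).
SERVER_CONFIG = {
    1:  ipaddress.ip_address("255.255.255.0").packed,
    3:  ipaddress.ip_address("192.168.0.1").packed,
    6:  ipaddress.ip_address("192.168.0.1").packed,
    15: b"bogwarfs.example",
}

def encode_options(options):
    """Each option is an envelope: one code byte, one length byte, the value. 255 ends the list."""
    out = bytearray(MAGIC)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)

def decode_options(data):
    """Parse back to [(code, value)], refusing any length that runs past the packet."""
    if data[:4] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    i, result = 4, []
    while i < len(data):
        code = data[i]
        if code == 255:
            return result
        if code == 0:                 # pad byte: no length field follows
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        result.append((code, value))
        i += 2 + length
    raise ValueError("missing End option")

def client_discover(requested=(3, 1, 15, 6)):
    """DHCPDISCOVER options: message type 1 plus option 55 listing what the laptop wants."""
    return encode_options([(53, b"\x01"), (55, bytes(requested))])

def server_offer(discover):
    """DHCPOFFER options: answer each code in option 55 the server knows; skip the rest."""
    opts = dict(decode_options(discover))
    if opts.get(53) != b"\x01":
        raise ValueError("not a DISCOVER")
    reply = [(53, b"\x02")]
    reply += [(c, SERVER_CONFIG[c]) for c in opts.get(55, b"") if c in SERVER_CONFIG]
    return encode_options(reply)

def describe(option_bytes):
    """Human-readable view of an options field."""
    out = {}
    for code, value in decode_options(option_bytes):
        if code == 53:
            out[NAMES[code]] = MSG_TYPES.get(value[0], value[0])
        elif code in (1, 3, 6):
            out[NAMES[code]] = str(ipaddress.ip_address(value[:4]))
        elif code == 15:
            out[NAMES[code]] = value.decode("ascii", "replace")
        elif code == 55:
            out[NAMES[code]] = [NAMES.get(c, c) for c in value]
    return out

if __name__ == "__main__":
    discover = client_discover()
    print("DISCOVER:", describe(discover))
    print("OFFER:   ", describe(server_offer(discover)))
```

Asking for a code the server has no value for (say option 42) simply yields an offer without it, which is the "does its best" behaviour described above.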

That ends our first adventure into DHCP.  It was a very simple transaction, but it enabled our laptop to do a lot of amazing things.  We got an IP address and 4 DHCP options which enable our laptop to look up names on the network and to talk to other devices without broadcasting to everybody.