Try sysv-rc-conf
to alter the runlevel settings.
and chkconfig
to see what's running
Don't forget that ubuntu (and others?) are starting to use the Upstart Startup Manager, so you'll have to keep an eye on the /etc/init directory too
see also :
update-rc.d - init - invoke-rc.d - initctl
service SCRIPT COMMAND [OPTIONS]
service --status-all
service --help | -h | --version
Step 2
Try sysv-rc-conf
to alter the runlevel settings.
and chkconfig
to see what's running
Don't forget that ubuntu (and others?) are starting to use the Upstart Startup Manager, so you'll have to keep an eye on the /etc/init directory too
In most linux distributions you can manually start/stop services by (as root or using sudo) running the following commands:
# /etc/init.d/apache2 start
# /etc/init.d/mysqld start
# /etc/init.d/apache2 stop
# /etc/init.d/mysqld stop
Which services that are automatically started is controlled by file links in /etc/rc[runlevel].d/ . Find your current runlevel by using the command "runlevel" as root
# runlevel
N 2
Which here indicates runlevel 2 Now you just have to remove those files in /etc/rc2.d/ which you don't want started.
Removing apache and Mysql on a desktop is usually ok, but be aware of removing other services.
how often is clamav checking for updates?
Unless you setup a cronjob it will not check for updates.
Do I have to manually run freshclam via a cronjob?
The purpose of a cronjob is to automate the process. You can decide to run it in the following:
/etc/cron.daily
/etc/cron.hourly
/etc/cron.weekly
/etc/cron.monthly
I recommend cron.daily and set it up via a shell script.
sudo gedit /etc/cron.daily/freshclam.sh
#!/bin/sh
/usr/bin/freshclam --quiet
This will now run with all your other cron.daily jobs
Save and exit
chmod 755 /etc/cron.daily/freshclam.sh
If the services are started via Upstart or /etc/init.d, edit the appropriate initscripts.
umask 02
at the top of
script (they are ordinary sh
scripts)
umask
0775
anywhere (don't ask why it's inverted)
Linux does not have a strict definition of "login", and an account is merely an UID that can (or cannot) be associated with a name/homedir/etc.
When you log in on console/over SSH, the login program (or the
SSH daemon) uses PAM to set up the environment (possibly
pam_umask
), then starts your shell with the "login"
flag. The /etc/profile
script belongs to the
sh and bash shells, which only read it for
"login" invocations.
When you use sudo touch ...
or sudo
/etc/init.d/foo start
, sudo still calls PAM for
auth/account/session setup, but does not start the shell at all,
meaning all "profile" or "bashrc" files will be ignored. (That
is, unless you use sudo -i ...
.)
When Upstart runs a service, it simply switches the UID to that
of your service, skipping any "profile" scripts or PAM
configuration. The only configuration that is read is the
service's file in /etc/init
, which is where you
should put the umask setting.
A service is bound by regular permission restrictions. It all depends on what user the service runs as. Services are just regular processes that are always running.
For example,
$ ps aux | grep apache2 root 2845 0.0 0.2 75596 4508 ? Ss Sep06 0:19 /usr/sbin/apache2 -k start www-data 25608 0.0 0.1 74428 2232 ? S Sep09 0:00 /usr/sbin/apache2 -k start www-data 25609 0.0 0.1 75596 2288 ? S Sep09 0:02 /usr/sbin/apache2 -k start www-data 25610 0.0 0.4 2003664 8436 ? Sl Sep09 0:37 /usr/sbin/apache2 -k start www-data 25611 0.0 0.4 2003788 8584 ? Sl Sep09 0:36 /usr/sbin/apache2 -k start www-data 25700 0.0 0.4 2003648 8528 ? Sl Sep09 0:36 /usr/sbin/apache2 -k start
You can see that the service is run by root
and by
www-data
. Apache uses the root
process
only for binding to port 80 (or whatever port you've configured).
Recall that binding to ports < 1024 requires you to be root.
For security, though, Apache hands off all request processing to
processes that run as www-data
. What these processes
can access is up to you. If your file permissions in your
document root don't permit www-data
to access the
files, Apache won't be able to serve them.
This is the same for any service; typically they have
root
(if they must bind to
a port < 1024; not all services have a root
process, though) which delegates tasks to the less-privileged
user
bind
for BIND, www-data
for Apache, proftpd
for proftpd, etc.). Keep in mind that the names of these vary by
system (Apache sometimes runs as apache
or
apache2
instead of www-data
).
Some processes run as nobody
instead of as a
specific user, though. This can be a bad idea, but it depends on
the process and what it's doing.
These are just general rules; some processes even run entirely as
root (such as sshd
, although it will use a user
process when someone connects). Use ps aux
to see
what user a process is running under.
you can use pidof
to get pid of process
minutes | hour | day | month | day of week | username | command
0 8 * * * myuser /etc/init.d/myservice.sh start
0 14 * * * myuser /etc/init.d/myservice.sh stop
Replace myuser
with whatever is appropriate.
(probably root)
Also, belongs on serverfault or superuser
The "Device does not seem to be present" message appears to be
coming from the network
service, which is different
from the NetworkManager
service (it uses older-style
/etc/sysconfig files).
Set your system to only start the NetworkManager service. You can
do this in system-config-services
, or by running the
following as root:
# /sbin/chkconfig network off
And remember that this won't disable NetworkManager, so you'll still be able to connect.
Quoting from the Linux
Documentation Project on,
Security Quick-Start HOWTO for Red Hat
Linux:
Step 1: Which services do we really
need?
BIND (named) - This often is installed by default, but is only really needed if you are an authoritative name server for a domain. If you are not sure what this means, then you definitely don't need it.
BIND is probably the number one crack target on the Internet.
BIND is often used though in a "caching" only mode.
This can be quite useful, but does not require full exposure to the Internet.
In other words, it should be restricted or firewalled.
And, if you really want to use a caching DNS, I guess BIND 9
should also be checked.
It looks like this server is using an enhanced security model (possibly SELinux, but more likely AppArmour). You would need to update the security profile or disable the Mandatory Access Control.
service runs a System V init script or upstart job in as predictable environment as possible, removing most environment variables and with current working directory set to /.
The SCRIPT parameter specifies a System V init script, located in /etc/init.d/SCRIPT, or the name of an upstart job in /etc/init. The existence of an upstart job of the same name as a script in /etc/init.d will cause the upstart job to take precedence over the init.d script. The supported values of COMMAND depend on the invoked script, service passes COMMAND and OPTIONS to the init script unmodified. For upstart jobs, start, stop, status, are passed through to their upstart equivilents. Restart will call the upstart ’stop’ for the job, followed immediately by the ’start’, and will exit with the return code of the start command. All scripts should support at least the start and stop commands. As a special case, if COMMAND is --full-restart, the script is run twice, first with the stop command, then with the start command. This option has no effect on upstart jobs.
service --status-all runs all init scripts, in alphabetical order, with the status command. This option only calls status for sysvinit jobs, upstart jobs can be queried in a similar manner with initctl list’.
LANG, TERM
The only environment variables passed to the init scripts.
service calls the init script and returns the status returned by it.
/etc/init.d
The directory containing System V init scripts.
/etc/init
The directory containing upstart jobs.
/etc/ init .d/skeleton,
update-rc.d ,
init,
invoke-rc.d .
initctl .