#
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2020-05-17 17:54+0200\n"
"PO-Revision-Date: 2012-06-01T20:23:57\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

msgid "System boot"
msgstr ""

msgid "Initscripts"
msgstr ""

msgid "SSH"
msgstr ""

msgid "Telnet"
msgstr ""

msgid "Rights"
msgstr ""

msgid "Permissions"
msgstr ""

msgid "Supervision"
msgstr ""

msgid "Inetd"
msgstr ""

msgid "Cron"
msgstr ""

msgid "Backup"
msgstr ""

msgid "Hotplug"
msgstr ""

msgid "PCMCIA"
msgstr ""

msgid "APM"
msgstr ""

msgid "ACPI"
msgstr ""

msgid "Unix Services"
msgstr ""

msgid "This chapter covers a number of basic services that are common to many Unix systems. All administrators should be familiar with them."
msgstr ""

msgid "System Boot"
msgstr ""

msgid "<primary>booting</primary><secondary>the system</secondary>"
msgstr ""

msgid "When you boot the computer, the many messages scrolling by on the console display many automatic initializations and configurations that are being executed. Sometimes you may wish to slightly alter how this stage works, which means that you need to understand it well. That is the purpose of this section."
msgstr ""

msgid "First, the BIOS takes control of the computer, detects the disks, loads the <emphasis>Master Boot Record</emphasis>, and executes the bootloader. The bootloader takes over, finds the kernel on the disk, loads and executes it. The kernel is then initialized, and starts to search for and mount the partition containing the root filesystem, and finally executes the first program — <command>init</command>. Frequently, this “root partition” and this <command>init</command> are, in fact, located in a virtual filesystem that only exists in RAM (hence its name, “initramfs”, formerly called “initrd” for “initialization RAM disk”). This filesystem is loaded in memory by the bootloader, often from a file on a hard drive or from the network. It contains the bare minimum required by the kernel to load the “true” root filesystem: this may be driver modules for the hard drive, or other devices without which the system cannot boot, or, more frequently, initialization scripts and modules for assembling RAID arrays, opening encrypted partitions, activating LVM volumes, etc. Once the root partition is mounted, the initramfs hands over control to the real init, and the machine goes back to the standard boot process."
msgstr ""

msgid "Boot sequence of a computer running Linux with systemd"
msgstr ""

msgid "The systemd init system"
msgstr ""

msgid "The “real init” is currently provided by <emphasis role=\"pkg\">systemd</emphasis> and this section documents this init system."
msgstr ""

msgid "<emphasis>CULTURE</emphasis> Before <command>systemd</command>"
msgstr ""

msgid "<command>systemd</command> is a relatively recent “init system”, and although it was already available, to a certain extent, in <emphasis role=\"distribution\">Wheezy</emphasis>, it has only become the default in Debian <emphasis role=\"distribution\">Jessie</emphasis>. Previous releases relied, by default, on the “System V init” (in the <emphasis role=\"pkg\">sysv-rc</emphasis> package), a much more traditional system. We describe the System V init later on."
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> Other boot systems"
msgstr ""

msgid "This book describes the boot system used by default in Debian <emphasis role=\"distribution\">Buster</emphasis> (as implemented by the <emphasis role=\"pkg\">systemd</emphasis> package), as well as the previous default, <emphasis role=\"pkg\">sysvinit</emphasis>, which is derived and inherited from <emphasis>System V</emphasis> Unix systems; there are others."
msgstr ""

msgid "<emphasis role=\"pkg\">file-rc</emphasis> is a boot system with a very simple process. It keeps the principle of runlevels, but replaces the directories and symbolic links with a configuration file, which indicates to <command>init</command> the processes that must be started and their launch order."
msgstr ""

msgid "The <command>upstart</command> system is still not perfectly tested on Debian. It is event based: init scripts are no longer executed in a sequential order but in response to events such as the completion of another script upon which they are dependent. This system, started by Ubuntu, was present in Debian <emphasis role=\"distribution\">Jessie</emphasis>, but was not the default; it came, in fact, as a replacement for <emphasis role=\"pkg\">sysvinit</emphasis>, and one of the tasks launched by <command>upstart</command> was to launch the scripts written for traditional systems, especially those from the <emphasis role=\"pkg\">sysv-rc</emphasis> package."
msgstr ""

msgid "There are also other systems and other operating modes, such as <command>runit</command> or <command>minit</command>, but they are relatively specialized and not widespread."
msgstr ""

msgid "<emphasis>SPECIFIC CASE</emphasis> Booting from the network"
msgstr ""

msgid "In some configurations, the BIOS may be configured not to execute the MBR, but to seek its equivalent on the network, making it possible to build computers without a hard drive, or which are completely reinstalled on each boot. This option is not available on all hardware and it generally requires an appropriate combination of BIOS and network card."
msgstr ""

msgid "Booting from the network can be used to launch the <command>debian-installer</command> or FAI (see <xref linkend=\"sect.installation-methods\" />)."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> The process, a program instance"
msgstr ""

msgid "<primary>process</primary>"
msgstr ""

msgid "A process is the representation in memory of a running program. It includes all of the information necessary for the proper execution of the software (the code itself, but also the data that it has in memory, the list of files that it has opened, the network connections it has established, etc.). A single program may be instantiated into several processes, not necessarily running under different user IDs."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Using a shell as <command>init</command> to gain root rights"
msgstr ""

msgid "By convention, the first process that is booted is the <command>init</command> program (which is a symbolic link to <filename>/lib/systemd/systemd</filename> by default). However, it is possible to pass an <literal>init</literal> option to the kernel indicating a different program."
msgstr ""

msgid "<primary><command>init</command></primary>"
msgstr ""

msgid "Any person who is able to access the computer can press the <keycap>Reset</keycap> button, and thus reboot it. Then, at the bootloader's prompt, it is possible to pass the <literal>init=/bin/sh</literal> option to the kernel to gain root access without knowing the administrator's password."
msgstr ""

msgid "To prevent this, you can protect the bootloader itself with a password. You might also think about protecting access to the BIOS (a password protection mechanism is almost always available), without which a malicious intruder could still boot the machine on a removable media containing its own Linux system, which they could then use to access data on the computer's hard drives."
msgstr ""

msgid "Finally, be aware that most BIOS have a generic password available. Initially intended for troubleshooting for those who have forgotten their password, these passwords are now public and available on the Internet (see for yourself by searching for “generic BIOS passwords” in a search engine). All of these protections will thus impede unauthorized access to the machine without being able to completely prevent it. There is no reliable way to protect a computer if the attacker can physically access it; they could dismount the hard drives to connect them to a computer under their own control anyway, or even steal the entire machine, or erase the BIOS memory to reset the password…"
msgstr ""

msgid "Systemd executes several processes, in charge of setting up the system: keyboard, drivers, filesystems, network, services. It does this while keeping a global view of the system as a whole, and the requirements of the components. Each component is described by a “unit file” (sometimes more); the general syntax is derived from the widely-used “*.ini files“ syntax, with <literal><replaceable>key</replaceable> = <replaceable>value</replaceable></literal> pairs grouped between <literal>[<replaceable>section</replaceable>]</literal> headers. Unit files are stored under <filename>/lib/systemd/system/</filename> and <filename>/etc/systemd/system/</filename>; they come in several flavors, but we will focus on “services” and “targets” here."
msgstr ""

msgid "A systemd “service file” describes a process managed by systemd. It contains roughly the same information as old-style init-scripts, but expressed in a declaratory (and much more concise) way. Systemd handles the bulk of the repetitive tasks (starting and stopping the process, checking its status, logging, dropping privileges, and so on), and the service file only needs to fill in the specifics of the process. For instance, here is the service file for SSH:"
msgstr ""

msgid ""
"[Unit]\n"
"Description=OpenBSD Secure Shell server\n"
"After=network.target auditd.service\n"
"ConditionPathExists=!/etc/ssh/sshd_not_to_be_run\n"
"\n"
"[Service]\n"
"EnvironmentFile=-/etc/default/ssh\n"
"ExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n"
"ExecReload=/bin/kill -HUP $MAINPID\n"
"KillMode=process\n"
"Restart=on-failure\n"
"\n"
"[Install]\n"
"WantedBy=multi-user.target\n"
"Alias=sshd.service"
msgstr ""

msgid "As you can see, there is very little code in there, only declarations. Systemd takes care of displaying progress reports, keeping track of the processes, and even restarting them when needed."
msgstr ""

msgid "A systemd “target file” describes a state of the system, where a set of services are known to be operational. It can be thought of as an equivalent of the old-style runlevel. One of the targets is <literal>local-fs.target</literal>; when it is reached, the rest of the system can assume that all local filesystems are mounted and accessible. Other targets include <literal>network-online.target</literal> and <literal>sound.target</literal>. The dependencies of a target can be listed either within the target file (in the <literal>Requires=</literal> line), or using a symbolic link to a service file in the <literal>/lib/systemd/system/<replaceable>targetname</replaceable>.target.wants/</literal> directory. For instance, <filename>/etc/systemd/system/printer.target.wants/</filename> contains a link to <filename>/lib/systemd/system/cups.service</filename>; systemd will therefore ensure CUPS is running in order to reach <literal>printer.target</literal>."
msgstr ""

msgid "Since unit files are declarative rather than scripts or programs, they cannot be run directly, and they are only interpreted by systemd; several utilities therefore allow the administrator to interact with systemd and control the state of the system and of each component."
msgstr ""

msgid "The first such utility is <command>systemctl</command>. When run without any arguments, it lists all the unit files known to systemd (except those that have been disabled), as well as their status. <command>systemctl status</command> gives a better view of the services, as well as the related processes. If given the name of a service (as in <command>systemctl status ntp.service</command>), it returns even more details, as well as the last few log lines related to the service (more on that later)."
msgstr ""

msgid "Starting a service by hand is a simple matter of running <command>systemctl start <replaceable>servicename</replaceable>.service</command>. As one can guess, stopping the service is done with <command>systemctl stop <replaceable>servicename</replaceable>.service</command>; other subcommands include <command>reload</command> and <command>restart</command>."
msgstr ""

msgid "To control whether a service is active (i.e. whether it will get started automatically on boot), use <command>systemctl enable <replaceable>servicename</replaceable>.service</command> (or <command>disable</command>). <command>is-enabled</command> allows checking the status of the service."
msgstr ""

msgid "An interesting feature of systemd is that it includes a logging component named <command>journald</command>. It comes as a complement to more traditional logging systems such as <command>syslogd</command>, but it adds interesting features such as a formal link between a service and the messages it generates, and the ability to capture error messages generated by its initialization sequence. The messages can be displayed later on, with a little help from the <command>journalctl</command> command. Without any arguments, it simply spews all log messages that occurred since system boot; it will rarely be used in such a manner. Most of the time, it will be used with a service identifier:"
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>journalctl -u ssh.service\n"
"</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 10:08:49 CEST, end at Tue 2015-03-31 17:06:02 CEST. --\n"
"Mar 31 10:08:55 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.\n"
"Mar 31 10:08:55 mirtuel sshd[430]: Server listening on :: port 22.\n"
"Mar 31 10:09:00 mirtuel sshd[430]: Received SIGHUP; restarting.\n"
"Mar 31 10:09:00 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.\n"
"Mar 31 10:09:00 mirtuel sshd[430]: Server listening on :: port 22.\n"
"Mar 31 10:09:32 mirtuel sshd[1151]: Accepted password for roland from 192.168.1.129 port 53394 ssh2\n"
"Mar 31 10:09:32 mirtuel sshd[1151]: pam_unix(sshd:session): session opened for user roland by (uid=0)\n"
"</computeroutput>"
msgstr ""

msgid "Another useful command-line flag is <command>-f</command>, which instructs <command>journalctl</command> to keep displaying new messages as they are emitted (much in the manner of <command>tail -f <replaceable>file</replaceable></command>)."
msgstr ""

msgid "If a service doesn't seem to be working as expected, the first step to solve the problem is to check that the service is actually running with <command>systemctl status</command>; if it is not, and the messages given by the first command are not enough to diagnose the problem, check the logs gathered by journald about that service. For instance, assume the SSH server doesn't work:"
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>systemctl status ssh.service\n"
"</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server\n"
"   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)\n"
"   Active: failed (Result: start-limit) since Tue 2015-03-31 17:30:36 CEST; 1s ago\n"
"  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)\n"
"  Process: 1188 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)\n"
" Main PID: 1188 (code=exited, status=255)\n"
"\n"
"Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"# </computeroutput><userinput>journalctl -u ssh.service\n"
"</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 17:29:27 CEST, end at Tue 2015-03-31 17:30:36 CEST. --\n"
"Mar 31 17:29:27 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.\n"
"Mar 31 17:29:27 mirtuel sshd[424]: Server listening on :: port 22.\n"
"Mar 31 17:29:29 mirtuel sshd[424]: Received SIGHUP; restarting.\n"
"Mar 31 17:29:29 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.\n"
"Mar 31 17:29:29 mirtuel sshd[424]: Server listening on :: port 22.\n"
"Mar 31 17:30:10 mirtuel sshd[1147]: Accepted password for roland from 192.168.1.129 port 38742 ssh2\n"
"Mar 31 17:30:10 mirtuel sshd[1147]: pam_unix(sshd:session): session opened for user roland by (uid=0)\n"
"Mar 31 17:30:35 mirtuel sshd[1180]: /etc/ssh/sshd_config line 28: unsupported option \"yess\".\n"
"Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:35 mirtuel sshd[1182]: /etc/ssh/sshd_config line 28: unsupported option \"yess\".\n"
"Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:35 mirtuel sshd[1184]: /etc/ssh/sshd_config line 28: unsupported option \"yess\".\n"
"Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:36 mirtuel sshd[1186]: /etc/ssh/sshd_config line 28: unsupported option \"yess\".\n"
"Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:36 mirtuel sshd[1188]: /etc/ssh/sshd_config line 28: unsupported option \"yess\".\n"
"Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.\n"
"Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.\n"
"# </computeroutput><userinput>vi /etc/ssh/sshd_config\n"
"</userinput><computeroutput># </computeroutput><userinput>systemctl start ssh.service\n"
"</userinput><computeroutput># </computeroutput><userinput>systemctl status ssh.service\n"
"</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server\n"
"   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)\n"
"   Active: active (running) since Tue 2015-03-31 17:31:09 CEST; 2s ago\n"
"  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)\n"
" Main PID: 1222 (sshd)\n"
"   CGroup: /system.slice/ssh.service\n"
"           └─1222 /usr/sbin/sshd -D\n"
"# </computeroutput>"
msgstr ""

msgid "After checking the status of the service (failed), we went on to check the logs; they indicate an error in the configuration file. After editing the configuration file and fixing the error, we restart the service, then verify that it is indeed running."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Other types of unit files"
msgstr ""

msgid "We have only described the most basic of systemd's capabilities in this section. It offers many other interesting features; we will only list a few here:"
msgstr ""

msgid "socket activation: a “socket” unit file can be used to describe a network or Unix socket managed by systemd; this means that the socket will be created by systemd, and the actual service may be started on demand when an actual connection attempt comes. This roughly replicates the feature set of <command>inetd</command>. See <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>."
msgstr ""

msgid "timers: a “timer” unit file describes events that occur with a fixed frequency or on specific times; when a service is linked to such a timer, the corresponding task will be executed whenever the timer fires. This allows replicating part of the <command>cron</command> features. See <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>."
msgstr ""

msgid "network: a “network“ unit file describes a network interface, which allows configuring such interfaces as well as expressing that a service depends on one particular interface being up."
msgstr ""

msgid "The System V init system"
msgstr ""

msgid "The System V init system (which we'll call init for brevity) executes several processes, following instructions from the <filename>/etc/inittab</filename> file. The first program that is executed (which corresponds to the <emphasis>sysinit</emphasis> step) is <command>/etc/init.d/rcS</command>, a script that executes all of the programs in the <filename>/etc/rcS.d/</filename> directory. <indexterm><primary><filename>/etc/init.d/rcS</filename></primary></indexterm> <indexterm><primary><filename>rcS</filename></primary></indexterm> <indexterm><primary><filename>/etc/init.d/rcS.d/</filename></primary></indexterm> <indexterm><primary><filename>rcS.d</filename></primary></indexterm>"
msgstr ""

msgid "Among these, you will find successively programs in charge of:"
msgstr ""

msgid "configuring the console's keyboard;"
msgstr ""

msgid "loading drivers: most of the kernel modules are loaded by the kernel itself as the hardware is detected; extra drivers are then loaded automatically when the corresponding modules are listed in <filename>/etc/modules</filename>;"
msgstr ""

msgid "checking the integrity of filesystems;"
msgstr ""

msgid "mounting local partitions;"
msgstr ""

msgid "configuring the network;"
msgstr ""

msgid "mounting network filesystems (NFS)."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> Kernel modules and options"
msgstr ""

msgid "<primary>modules</primary><secondary>kernel modules</secondary>"
msgstr ""

msgid "Kernel modules also have options that can be configured by putting some files in <filename>/etc/modprobe.d/</filename>. These options are defined with directives like this: <literal>options <replaceable>module-name</replaceable> <replaceable>option-name</replaceable>=<replaceable>option-value</replaceable></literal>. Several options can be specified with a single directive if necessary."
msgstr ""

msgid "These configuration files are intended for <command>modprobe</command> — the program that loads a kernel module with its dependencies (modules can indeed call other modules). This program is provided by the <emphasis role=\"pkg\">kmod</emphasis> package."
msgstr ""

msgid "<primary><command>modprobe</command></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">kmod</emphasis></primary>"
msgstr ""

msgid "After this stage, <command>init</command> takes over and starts the programs enabled in the default runlevel (which is usually runlevel 2). It executes <command>/etc/init.d/rc 2</command>, a script that starts all services which are listed in <filename>/etc/rc2.d/</filename> and whose names start with the “S” letter. The two-figures number that follows had historically been used to define the order in which services had to be started, but nowadays the default boot system uses <command>insserv</command>, which schedules everything automatically based on the scripts' dependencies. Each boot script thus declares the conditions that must be met to start or stop the service (for example, if it must start before or after another service); <command>init</command> then launches them in the order that meets these conditions. The static numbering of scripts is therefore no longer taken into consideration (but they must always have a name beginning with “S” followed by two digits and the actual name of the script used for the dependencies). Generally, base services (such as logging with <command>rsyslog</command>, or port assignment with <command>portmap</command>) are started first, followed by standard services and the graphical interface (<command>gdm3</command>)."
msgstr ""

msgid "This dependency-based boot system makes it possible to automate re-numbering, which could be rather tedious if it had to be done manually, and it limits the risks of human error, since scheduling is conducted according to the parameters that are indicated. Another benefit is that services can be started in parallel when they are independent from one another, which can accelerate the boot process."
msgstr ""

msgid "<primary>runlevel</primary>"
msgstr ""

msgid "<primary>level, runlevel</primary>"
msgstr ""

msgid "<command>init</command> distinguishes several runlevels, so it can switch from one to another with the <command>telinit <replaceable>new-level</replaceable></command> command. Immediately, <command>init</command> executes <command>/etc/init.d/rc</command> again with the new runlevel. This script will then start the missing services and stop those that are no longer desired. To do this, it refers to the content of the <filename>/etc/rc<replaceable>X</replaceable>.d</filename> (where <replaceable>X</replaceable> represents the new runlevel). Scripts starting with “S” (as in “Start”) are services to be started; those starting with “K” (as in “Kill”) are the services to be stopped. The script does not start any service that was already active in the previous runlevel."
msgstr ""

msgid "By default, System V init in Debian uses four different runlevels:"
msgstr ""

msgid "Level 0 is only used temporarily, while the computer is powering down. As such, it only contains many “K” scripts."
msgstr ""

msgid "Level 1, also known as single-user mode, corresponds to the system in degraded mode; it includes only basic services, and is intended for maintenance operations where interactions with ordinary users are not desired."
msgstr ""

msgid "Level 2 is the level for normal operation, which includes networking services, a graphical interface, user logins, etc."
msgstr ""

msgid "Level 6 is similar to level 0, except that it is used during the shutdown phase that precedes a reboot."
msgstr ""

msgid "Other levels exist, especially 3 to 5. By default they are configured to operate the same way as level 2, but the administrator can modify them (by adding or deleting scripts in the corresponding <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories) to adapt them to particular needs."
msgstr ""

msgid "Boot sequence of a computer running Linux with System V init"
msgstr ""

msgid "<primary>initialization script</primary>"
msgstr ""

msgid "All the scripts contained in the various <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories are really only symbolic links — created upon package installation by the <command>update-rc.d</command> program — pointing to the actual scripts which are stored in <filename>/etc/init.d/</filename>. The administrator can fine tune the services available in each runlevel by re-running <command>update-rc.d</command> with adjusted parameters. The <citerefentry><refentrytitle>update-rc.d</refentrytitle><manvolnum>1</manvolnum></citerefentry> manual page describes the syntax in detail. Please note that removing all symbolic links (with the <literal>remove</literal> parameter) is not a good method to disable a service. Instead you should simply configure it to not start in the desired runlevel (while preserving the corresponding calls to stop it in the event that the service runs in the previous runlevel). Since <command>update-rc.d</command> has a somewhat convoluted interface, you may prefer using <command>rcconf</command> (from the <emphasis role=\"pkg\">rcconf</emphasis> package) which provides a more user-friendly interface."
msgstr ""

msgid "<primary><command>update-rc.d</command></primary>"
msgstr ""

msgid "<emphasis>DEBIAN POLICY</emphasis> Restarting services"
msgstr ""

msgid "<primary><command>invoke-rc.d</command></primary>"
msgstr ""

msgid "<primary>service</primary><secondary>restart</secondary>"
msgstr ""

msgid "<primary>restarting services</primary>"
msgstr ""

msgid "The maintainer scripts for Debian packages will sometimes restart certain services to ensure their availability or get them to take certain options into account. The command that controls a service — <command>service <replaceable>service</replaceable> <replaceable>operation</replaceable></command> — doesn't take runlevel into consideration, assumes (wrongly) that the service is currently being used, and may thus initiate incorrect operations (starting a service that was deliberately stopped, or stopping a service that is already stopped, etc.). Debian therefore introduced the <command>invoke-rc.d</command> program: this program must be used by maintainer scripts to run services initialization scripts and it will only execute the necessary commands. Note that, contrary to common usage, the <filename>.d</filename> suffix is used here in a program name, and not in a directory."
msgstr ""

msgid "Finally, <command>init</command> starts control programs for various virtual consoles (<command>getty</command>). It displays a prompt, waiting for a username, then executes <command>login <replaceable>user</replaceable></command> to initiate a session."
msgstr ""

msgid "<primary><command>getty</command></primary>"
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> Console and terminal"
msgstr ""

msgid "The first computers were usually separated into several, very large parts: the storage enclosure and the central processing unit were separate from the peripheral devices used by the operators to control them. These were part of a separate furniture, the “console”. This term was retained, but its meaning has changed. It has become more or less synonymous with “terminal”, being a keyboard and a screen."
msgstr ""

msgid "With the development of computers, operating systems have offered several virtual consoles to allow for several independent sessions at the same time, even if there is only one keyboard and screen. Most GNU/Linux systems offer six virtual consoles (in text mode), accessible by typing the key combinations <keycombo action=\"simul\"> <keycap>Control</keycap> <keycap>Alt</keycap> <keycap>F1</keycap> </keycombo> through <keycombo action=\"simul\"> <keycap>Control</keycap> <keycap>Alt</keycap> <keycap>F6</keycap> </keycombo>."
msgstr ""

msgid "By extension, the terms “console” and “terminal” can also refer to a terminal emulator in a graphical X11 session (such as <command>xterm</command>, <command>gnome-terminal</command> or <command>konsole</command>)."
msgstr ""

msgid "Remote Login"
msgstr ""

msgid "It is essential for an administrator to be able to connect to a computer remotely. Servers, confined in their own room, are rarely equipped with permanent keyboards and monitors — but they are connected to the network."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> Client, server"
msgstr ""

msgid "<primary>client</primary><secondary>client/server architecture</secondary>"
msgstr ""

msgid "<primary>server</primary><secondary>client/server architecture</secondary>"
msgstr ""

msgid "A system where several processes communicate with each other is often described with the “client/server” metaphor. The server is the program that takes requests coming from a client and executes them. It is the client that controls operations, the server doesn't take any initiative of its own."
msgstr ""

msgid "<primary>login</primary><secondary>remote login</secondary>"
msgstr ""

msgid "<primary>remote login</primary>"
msgstr ""

msgid "Secure Remote Login: SSH"
msgstr ""

msgid "<primary>SSH</primary>"
msgstr ""

msgid "<primary>Secure Shell</primary>"
msgstr ""

msgid "The <emphasis>SSH</emphasis> (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the partner is authenticated and all data exchanges are encrypted."
msgstr ""

msgid "<emphasis>CULTURE</emphasis> Telnet and RSH are obsolete"
msgstr ""

msgid "<primary><command>telnet</command></primary>"
msgstr ""

msgid "<primary><command>rsh</command></primary>"
msgstr ""

msgid "Before SSH, <emphasis>Telnet</emphasis> and <emphasis>RSH</emphasis> were the main tools used to login remotely. They are now largely obsolete and should no longer be used even if Debian still provides them."
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> Authentication, encryption"
msgstr ""

msgid "When you need to give a client the ability to conduct or trigger actions on a server, security is important. You must ensure the identity of the client; this is authentication. This identity usually consists of a password that must be kept secret, or any other client could get the password. This is the purpose of encryption, which is a form of encoding that allows two systems to communicate confidential information on a public channel while protecting it from being readable to others."
msgstr ""

msgid "Authentication and encryption are often mentioned together, both because they are frequently used together, and because they are usually implemented with similar mathematical concepts."
msgstr ""

msgid "SSH also offers two file transfer services. <command>scp</command> is a command line tool that can be used like <command>cp</command>, except that any path to another machine is prefixed with the machine's name, followed by a colon."
msgstr ""

msgid "<computeroutput>$ </computeroutput><userinput>scp file machine:/tmp/</userinput>"
msgstr ""

msgid "<command>sftp</command> is an interactive command, similar to <command>ftp</command>. In a single session, <command>sftp</command> can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.)."
msgstr ""

msgid "<primary><command>scp</command></primary>"
msgstr ""

msgid "<primary><command>sftp</command></primary>"
msgstr ""

msgid "Debian uses OpenSSH, a free version of SSH maintained by the <command>OpenBSD</command> project (a free operating system based on the BSD kernel, focused on security) and fork of the original SSH software developed by the SSH Communications Security Corp company, of Finland. This company initially developed SSH as free software, but eventually decided to continue its development under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH."
msgstr ""

msgid "<primary>OpenSSH</primary>"
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> <foreignphrase>Fork</foreignphrase>"
msgstr ""

msgid "<primary>fork</primary>"
msgstr ""

msgid "A “fork”, in the software field, means a new project that starts as a clone of an existing project, and that will compete with it. From there on, both software will usually quickly diverge in terms of new developments. A fork is often the result of disagreements within the development team."
msgstr ""

msgid "The option to fork a project is a direct result of the very nature of free software; a fork is a healthy event when it enables the continuation of a project as free software (for example in case of license changes). A fork arising from technical or personal disagreements is often a waste of human resources; another resolution would be preferable. Mergers of two projects that previously went through a prior fork are not unheard of."
msgstr ""

msgid "OpenSSH is split into two packages: the client part is in the <emphasis role=\"pkg\">openssh-client</emphasis> package, and the server is in the <emphasis role=\"pkg\">openssh-server</emphasis> package. The <emphasis role=\"pkg\">ssh</emphasis> meta-package depends on both parts and facilitates installation of both (<command>apt install ssh</command>)."
msgstr ""

msgid "Key-Based Authentication"
msgstr ""

msgid "Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. This can be problematic if you want to automate a connection, or if you use a tool that requires frequent connections over SSH. This is why SSH offers a key-based authentication system."
msgstr ""

msgid "The user generates a key pair on the client machine with <command>ssh-keygen -t rsa</command>; the public key is stored in <filename>~/.ssh/id_rsa.pub</filename>, while the corresponding private key is stored in <filename>~/.ssh/id_rsa</filename>. The user then uses <command>ssh-copy-id <replaceable>server</replaceable></command> to add their public key to the <filename>~/.ssh/authorized_keys</filename> file on the server. If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, <command>ssh-agent</command> allows us to keep private keys in memory to not have to regularly re-enter the password. For this, you simply use <command>ssh-add</command> (once per work session) provided that the session is already associated with a functional instance of <command>ssh-agent</command>. Debian activates it by default in graphical sessions, but this can be deactivated by changing <filename>/etc/X11/Xsession.options</filename>. For a console session, you can manually start it with <command>eval $(ssh-agent)</command>."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Protection of the private key"
msgstr ""

msgid "Whoever has the private key can login on the account thus configured. This is why access to the private key is protected by a “passphrase”. Someone who acquires a copy of a private key file (for example, <filename>~/.ssh/id_rsa</filename>) still has to know this phrase in order to be able to use it. This additional protection is not, however, impregnable, and if you think that this file has been compromised, it is best to disable that key on the computers in which it has been installed (by removing it from the <filename>authorized_keys</filename> files) and replacing it with a newly generated key."
msgstr ""

msgid "<emphasis>CULTURE</emphasis> OpenSSL flaw in Debian <emphasis role=\"distribution\">Etch</emphasis>"
msgstr ""

msgid "The OpenSSL library, as initially provided in Debian <emphasis role=\"distribution\">Etch</emphasis>, had a serious problem in its random number generator (RNG). Indeed, the Debian maintainer had made a change so that applications using it would no longer generate warnings when analyzed by memory testing tools like <command>valgrind</command>. Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID) whose 32,000 possible values do not offer enough randomness. <ulink type=\"block\" url=\"https://www.debian.org/security/2008/dsa-1571\" />"
msgstr ""

msgid "Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access. To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the <emphasis role=\"pkg\">openssh-blacklist</emphasis> and <emphasis role=\"pkg\">openssh-blacklist-extra</emphasis> packages. Additionally, the <command>ssh-vulnkey</command> command allows identification of possibly compromised keys in the system."
msgstr ""

msgid "A more thorough analysis of this incident brings to light that it is the result of multiple (small) problems, both within the OpenSSL project and with the Debian package maintainer. A widely used library like OpenSSL should — without modifications — not generate warnings when tested by <command>valgrind</command>. Furthermore, the code (especially the parts as sensitive as the RNG) should be better commented to prevent such errors. On Debian's side, the maintainer wanted to validate the modifications with the OpenSSL developers, but simply explained the modifications without providing the corresponding patch to review and failed to mention his role within Debian. Finally, the maintenance choices were sub-optimal: the changes made to the original code were not clearly documented; all the modifications were effectively stored in a Subversion repository, but they ended up all lumped into one single patch during creation of the source package."
msgstr ""

msgid "It is difficult under such conditions to find the corrective measures to prevent such incidents from recurring. The lesson to be learned here is that every divergence Debian introduces to upstream software must be justified, documented, submitted to the upstream project when possible, and widely publicized. It is from this perspective that the new source package format (“3.0 (quilt)”) and the Debian sources webservice were developed. <ulink type=\"block\" url=\"https://sources.debian.org\" />"
msgstr ""

msgid "Using Remote X11 Applications"
msgstr ""

msgid "The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying <literal>X11Forwarding yes</literal> in the server configuration file (<filename>/etc/ssh/sshd_config</filename>). Finally, the user must also request it by adding the <literal>-X</literal> option to the <command>ssh</command> command-line."
msgstr ""

msgid "Creating Encrypted Tunnels with Port Forwarding"
msgstr ""

msgid "<primary>port forwarding</primary>"
msgstr ""

msgid "Its <literal>-R</literal> and <literal>-L</literal> options allow <command>ssh</command> to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar <xref linkend=\"sidebar.tcp-udp\" />) to a remote machine or vice versa."
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> Tunnel"
msgstr ""

msgid "<primary>tunnel (SSH)</primary><seealso>VPN</seealso>"
msgstr ""

msgid "<primary>SSH tunnel</primary><seealso>VPN</seealso>"
msgstr ""

msgid "The Internet, and most LANs that are connected to it, operate in packet mode and not in connected mode, meaning that a packet issued from one computer to another is going to be stopped at several intermediary routers to find its way to its destination. You can still simulate a connected operation where the stream is encapsulated in normal IP packets. These packets follow their usual route, but the stream is reconstructed unchanged at the destination. We call this a “tunnel”, analogous to a road tunnel in which vehicles drive directly from the entrance (input) to the exit (output) without encountering any intersections, as opposed to a path on the surface that would involve intersections and changing direction."
msgstr ""

msgid "You can use this opportunity to add encryption to the tunnel: the stream that flows through it is then unrecognizable from the outside, but it is returned in decrypted form at the exit of the tunnel."
msgstr ""

msgid "<command>ssh -L 8000:server:25 intermediary</command> establishes an SSH session with the <replaceable>intermediary</replaceable> host and listens to local port 8000 (see <xref linkend=\"figure.ssh-L\" />). For any connection established on this port, <command>ssh</command> will initiate a connection from the <replaceable>intermediary</replaceable> computer to port 25 on the <replaceable>server</replaceable>, and will bind both connections together."
msgstr ""

msgid "<command>ssh -R 8000:server:25 intermediary</command> also establishes an SSH session to the <replaceable>intermediary</replaceable> computer, but it is on this machine that <command>ssh</command> listens to port 8000 (see <xref linkend=\"figure.ssh-R\" />). Any connection established on this port will cause <command>ssh</command> to open a connection from the local machine on to port 25 of the <replaceable>server</replaceable>, and to bind both connections together."
msgstr ""

msgid "In both cases, connections are made to port 25 on the <replaceable>server</replaceable> host, which pass through the SSH tunnel established between the local machine and the <replaceable>intermediary</replaceable> machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the <replaceable>intermediary</replaceable> machine before being directed to the <replaceable>server</replaceable> on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the <replaceable>intermediary</replaceable> machine, the output is on the local host, and the data are then directed to the <replaceable>server</replaceable>. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other."
msgstr ""

msgid "Forwarding a local port with SSH"
msgstr ""

msgid "Forwarding a remote port with SSH"
msgstr ""

msgid "Using Remote Graphical Desktops"
msgstr ""

msgid "VNC (Virtual Network Computing) allows remote access to graphical desktops."
msgstr ""

msgid "<primary>VNC</primary>"
msgstr ""

msgid "<primary>Virtual Network Computing</primary>"
msgstr ""

msgid "<primary>graphical desktop</primary><secondary>remote</secondary>"
msgstr ""

msgid "<primary>remote graphical desktop</primary>"
msgstr ""

msgid "<primary>desktop, remote graphical desktop</primary>"
msgstr ""

msgid "This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">vino</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">krfb</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">x11vnc</emphasis></primary>"
msgstr ""

msgid "First, the user must authorize sharing their session. The GNOME graphical desktop environment from <emphasis role=\"distribution\">Jessie</emphasis> onward includes that option in its configuration panel (contrary to previous versions of Debian, where the user had to install and run <command>vino</command>). KDE Plasma still requires using <command>krfb</command> to allow sharing an existing session over VNC. For other graphical desktop environments, the <command>x11vnc</command> command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">vinagre</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">tsclient</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">krdc</emphasis></primary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">xvnc4viewer</emphasis></primary>"
msgstr ""

msgid "When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has <command>vinagre</command> and <command>remmina</command> for that, while the KDE project provides <command>krdc</command> (in the menu at <menuchoice> <guimenu>K</guimenu> <guisubmenu>Internet</guisubmenu> <guimenuitem>Remote Desktop Client</guimenuitem></menuchoice>). There are other VNC clients that use the command line, such as <command>xvnc4viewer</command> in the Debian package of the same name. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> VNC over SSH"
msgstr ""

msgid "<primary>SSH tunnel</primary><secondary>VNC</secondary>"
msgstr ""

msgid "If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see <xref linkend=\"sect.ssh-port-forwarding\" />). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc."
msgstr ""

msgid "The <command>ssh -L localhost:5901:localhost:5900 -N -T <replaceable>machine</replaceable></command> command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the <replaceable>machine</replaceable> host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus <command>vncviewer localhost:1</command> will connect the VNC client to the remote screen, even though you indicate the name of the local machine."
msgstr ""

msgid "When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> Display manager"
msgstr ""

msgid "<primary><command>gdm3</command></primary>"
msgstr ""

msgid "<primary><command>kdm</command></primary>"
msgstr ""

msgid "<primary><command>xdm</command></primary>"
msgstr ""

msgid "<primary><command>lightdm</command></primary>"
msgstr ""

msgid "<primary>manager</primary><secondary>display manager</secondary>"
msgstr ""

msgid "<primary>display manager</primary>"
msgstr ""

msgid "<command>gdm3</command>, <command>kdm</command>, <command>lightdm</command>, and <command>xdm</command> are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session."
msgstr ""

msgid "VNC also works for mobile users, or company executives, who occasionally need to login from their home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the <emphasis role=\"pkg\">vnc4server</emphasis> package, change the configuration of the display manager to accept <literal>XDMCP Query</literal> requests (for <command>gdm3</command>, this can be done by adding <literal>Enable=true</literal> in the “xdmcp” section of <filename>/etc/gdm3/daemon.conf</filename>), and finally, start the VNC server with <command>inetd</command> so that a session is automatically started when a user tries to login. For example, you may add this line to <filename>/etc/inetd.conf</filename>:"
msgstr ""

msgid "5950  stream  tcp  nowait  nobody.tty  /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none"
msgstr ""

msgid "Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the <command>gdm3</command> login screen (or equivalent <command>kdm</command>, <command>xdm</command>, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply login to the server's screen with <command>vncviewer <replaceable>server</replaceable>:50</command>, because the port used is 5950."
msgstr ""

msgid "<primary><emphasis role=\"pkg\">vnc4server</emphasis></primary>"
msgstr ""

msgid "Managing Rights"
msgstr ""

msgid "Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses."
msgstr ""

msgid "<primary>rights</primary>"
msgstr ""

msgid "<primary>permissions</primary>"
msgstr ""

msgid "<primary>user</primary><secondary>owner</secondary>"
msgstr ""

msgid "<primary>group</primary><secondary>owner</secondary>"
msgstr ""

msgid "<primary>owner</primary><secondary>user</secondary>"
msgstr ""

msgid "<primary>owner</primary><secondary>group</secondary>"
msgstr ""

msgid "Each file or directory has specific permissions for three categories of users:"
msgstr ""

msgid "its owner (symbolized by <literal>u</literal> as in “user”);"
msgstr ""

msgid "its owner group (symbolized by <literal>g</literal> as in “group”), representing all the members of the group;"
msgstr ""

msgid "the others (symbolized by <literal>o</literal> as in “other”)."
msgstr ""

msgid "Three types of rights can be combined:"
msgstr ""

msgid "reading (symbolized by <literal>r</literal> as in “read”);"
msgstr ""

msgid "writing (or modifying, symbolized by <literal>w</literal> as in “write”);"
msgstr ""

msgid "executing (symbolized by <literal>x</literal> as in “eXecute”)."
msgstr ""

msgid "<primary>read, right</primary>"
msgstr ""

msgid "<primary>write, right</primary>"
msgstr ""

msgid "<primary>modification, right</primary>"
msgstr ""

msgid "<primary>execution, right</primary>"
msgstr ""

msgid "In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it is a program)."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> <literal>setuid</literal> and <literal>setgid</literal> executables"
msgstr ""

msgid "Two particular rights are relevant to executable files: <literal>setuid</literal> and <literal>setgid</literal> (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have."
msgstr ""

msgid "<primary><literal>setuid</literal>, right</primary>"
msgstr ""

msgid "<primary><literal>setgid</literal>, right</primary>"
msgstr ""

msgid "Since a <literal>setuid</literal> root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Indeed, a user who would manage to subvert it to call a command of their choice could then impersonate the root user and have all rights on the system."
msgstr ""

msgid "A directory is handled differently. Read access gives the right to consult the list of its entries (files and directories), write access allows creating or deleting files, and execute access allows crossing through it (especially to go there with the <command>cd</command> command). Being able to cross through a directory without being able to read it gives permission to access the entries therein that are known by name, but not to find them if you do not know their existence or their exact name."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> <literal>setgid</literal> directory and <emphasis>sticky bit</emphasis>"
msgstr ""

msgid "<primary><literal>setgid</literal> directory</primary>"
msgstr ""

msgid "The <literal>setgid</literal> bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. This setup avoids the user having to change its main group (with the <command>newgrp</command> command) when working in a file tree shared between several users of the same dedicated group."
msgstr ""

msgid "<primary>sticky bit</primary>"
msgstr ""

msgid "The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as <filename>/tmp/</filename>): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users' files in <filename>/tmp/</filename>."
msgstr ""

msgid "Three commands control the permissions associated with a file:"
msgstr ""

msgid "<command>chown <replaceable>user</replaceable> <replaceable>file</replaceable></command> changes the owner of the file;"
msgstr ""

msgid "<command>chgrp <replaceable>group</replaceable> <replaceable>file</replaceable></command> alters the owner group;"
msgstr ""

msgid "<command>chmod <replaceable>rights</replaceable> <replaceable>file</replaceable></command> changes the permissions for the file."
msgstr ""

msgid "There are two ways of presenting rights. Among them, the symbolic representation is probably the easiest to understand and remember. It involves the letter symbols mentioned above. You can define rights for each category of users (<literal>u</literal>/<literal>g</literal>/<literal>o</literal>), by setting them explicitly (with <literal>=</literal>), by adding (<literal>+</literal>), or subtracting (<literal>-</literal>). Thus the <literal>u=rwx,g+rw,o-r</literal> formula gives the owner read, write, and execute rights, adds read and write rights for the owner group, and removes read rights for other users. Rights not altered by the addition or subtraction in such a command remain unmodified. The letter <literal>a</literal>, for “all”, covers all three categories of users, so that <literal>a=rx</literal> grants all three categories the same rights (read and execute, but not write)."
msgstr ""

msgid "<primary><command>chmod</command></primary>"
msgstr ""

msgid "<primary><command>chown</command></primary>"
msgstr ""

msgid "<primary><command>chgrp</command></primary>"
msgstr ""

msgid "<primary>octal representation of rights</primary>"
msgstr ""

msgid "<primary>rights</primary><secondary>octal representation</secondary>"
msgstr ""

msgid "The (octal) numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. We associate each combination of rights with the sum of the figures. Each value is then assigned to different categories of users by putting them end to end in the usual order (owner, group, others)."
msgstr ""

msgid "For instance, the <command>chmod 754 <replaceable>file</replaceable></command> command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The <literal>0</literal> means no rights; thus <command>chmod 600 <replaceable>file</replaceable></command> allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are <literal>755</literal> for executable files and directories, and <literal>644</literal> for data files."
msgstr ""

msgid "To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the <literal>setuid</literal>, <literal>setgid</literal> and <literal>sticky</literal> bits are 4, 2 and 1, respectively. <command>chmod 4754</command> will associate the <literal>setuid</literal> bit with the previously described rights."
msgstr ""

msgid "Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value."
msgstr ""

msgid "<emphasis>TIP</emphasis> Recursive operation"
msgstr ""

msgid "Sometimes we have to change rights for an entire file tree. All the commands above have a <literal>-R</literal> option to operate recursively in sub-directories."
msgstr ""

msgid "The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It represents a right to execute which applies only to directories (and not to files lacking this right). Thus, <command>chmod -R a+X <replaceable>directory</replaceable></command> will only add execute rights for all categories of users (<literal>a</literal>) for all of the sub-directories and files for which at least one category of user (even if their sole owner) already has execute rights."
msgstr ""

msgid "<emphasis>TIP</emphasis> Changing the user and group"
msgstr ""

msgid "Frequently you want to change the group of a file at the same time that you change the owner. The <command>chown</command> command has a special syntax for that: <command>chown <replaceable>user</replaceable>:<replaceable>group</replaceable> <replaceable>file</replaceable></command>"
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> <command>umask</command>"
msgstr ""

msgid "When an application creates a file, it assigns indicative permissions, knowing that the system automatically removes certain rights, given by the command <command>umask</command>. Enter <command>umask</command> in a shell; you will see a mask such as <computeroutput>0022</computeroutput>. This is simply an octal representation of the rights to be systematically removed (in this case, the write right for the group and other users)."
msgstr ""

msgid "<primary>umask</primary>"
msgstr ""

msgid "<primary>rights</primary><secondary>mask</secondary>"
msgstr ""

msgid "<primary>mask</primary><secondary>rights mask</secondary>"
msgstr ""

msgid "If you give it a new octal value, the <command>umask</command> command modifies the mask. Used in a shell initialization file (for example, <filename>~/.bash_profile</filename>), it will effectively change the default mask for your work sessions."
msgstr ""

msgid "Administration Interfaces"
msgstr ""

msgid "<primary>interface</primary><secondary>administration interface</secondary>"
msgstr ""

msgid "<primary>administration, interfaces</primary>"
msgstr ""

msgid "Using a graphical interface for administration is interesting in various circumstances. An administrator does not necessarily know all the configuration details for all their services, and doesn't always have the time to go seeking out the documentation on the matter. A graphical interface for administration can thus accelerate the deployment of a new service. It can also simplify the setup of services which are hard to configure."
msgstr ""

msgid "Such an interface is only an aid, and not an end in itself. In all cases, the administrator must master its behavior in order to understand and work around any potential problem."
msgstr ""

msgid "Since no interface is perfect, you may be tempted to try several solutions. This is to be avoided as much as possible, since different tools are sometimes incompatible in their work methods. Even if they all aim to be very flexible and try to adopt the configuration file as a single reference, they are not always able to integrate external changes."
msgstr ""

msgid "Administrating on a Web Interface: <command>webmin</command>"
msgstr ""

msgid "<primary><emphasis>webmin</emphasis></primary>"
msgstr ""

msgid "This is, without a doubt, one of the most successful administration interfaces. It is a modular system managed through a web browser, covering a wide array of areas and tools. Furthermore, it is internationalized and available in many languages."
msgstr ""

msgid "Sadly, <command>webmin</command> is no longer part of Debian. Its Debian maintainer — Jaldhar H. Vyas — removed the packages he created because he no longer had the time required to maintain them at an acceptable quality level. Nobody has officially taken over, so <emphasis role=\"distribution\">Buster</emphasis> does not have the <command>webmin</command> package."
msgstr ""

msgid "There is, however, an unofficial package distributed on the <literal>webmin.com</literal> website. Contrary to the original Debian packages, this package is monolithic; all of its configuration modules are installed and activated by default, even if the corresponding service is not installed on the machine."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Changing the root password"
msgstr ""

msgid "On the first login, identification is conducted with the root username and its usual password. It is recommended to change the password used for <command>webmin</command> as soon as possible, so that if it is compromised, the root password for the server will not be involved, even if this confers important administrative rights to the machine."
msgstr ""

msgid "Beware! Since <command>webmin</command> has so many features, a malicious user accessing it could compromise the security of the entire system. In general, interfaces of this kind are not recommended for important systems with strong security constraints (firewall, sensitive servers, etc.)."
msgstr ""

msgid "Webmin is used through a web interface, but it does not require Apache to be installed. Essentially, this software has its own integrated mini web server. This server listens by default on port 10000 and accepts secure HTTP connections."
msgstr ""

msgid "Included modules cover a wide variety of services, among which:"
msgstr ""

msgid "all base services: creation of users and groups, management of <filename>crontab</filename> files, init scripts, viewing of logs, etc."
msgstr ""

msgid "bind: DNS server configuration (name service);"
msgstr ""

msgid "postfix: SMTP server configuration (e-mail);"
msgstr ""

msgid "inetd: configuration of the <command>inetd</command> super-server;"
msgstr ""

msgid "quota: user quota management;"
msgstr ""

msgid "dhcpd: DHCP server configuration;"
msgstr ""

msgid "proftpd: FTP server configuration;"
msgstr ""

msgid "samba: Samba file server configuration;"
msgstr ""

msgid "software: installation or removal of software from Debian packages and system updates."
msgstr ""

msgid "The administration interface is available in a web browser at <literal>https://localhost:10000</literal>. Beware! Not all the modules are directly usable. Sometimes they must be configured by specifying the locations of the corresponding configuration files and some executable files (program). Frequently the system will politely prompt you when it fails to activate a requested module."
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> GNOME control center"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">gnome-control-center</emphasis></primary>"
msgstr ""

msgid "The GNOME project also provides multiple administration interfaces that are usually accessible via the “Settings” entry in the user menu on the top right. <command>gnome-control-center</command> is the main program that brings them all together but many of the system wide configuration tools are effectively provided by other packages (<emphasis role=\"pkg\">accountsservice</emphasis>, <emphasis role=\"pkg\">system-config-printer</emphasis>, etc.). Although they are easy to use, these applications cover only a limited number of base services: user management, time configuration, network configuration, printer configuration, and so on."
msgstr ""

msgid "Configuring Packages: <command>debconf</command>"
msgstr ""

msgid "<primary><command>debconf</command></primary>"
msgstr ""

msgid "<primary><command>dpkg-reconfigure</command></primary>"
msgstr ""

msgid "Many packages are automatically configured after asking a few questions during installation through the Debconf tool. These packages can be reconfigured by running <command>dpkg-reconfigure <replaceable>package</replaceable></command>."
msgstr ""

msgid "For most cases, these settings are very simple; only a few important variables in the configuration file are changed. These variables are often grouped between two “demarcation” lines so that reconfiguration of the package only impacts the enclosed area. In other cases, reconfiguration will not change anything if the script detects a manual modification of the configuration file, in order to preserve these human interventions (because the script can't ensure that its own modifications will not disrupt the existing settings)."
msgstr ""

msgid "<emphasis>DEBIAN POLICY</emphasis> Preserving changes"
msgstr ""

msgid "The Debian Policy expressly stipulates that everything should be done to preserve manual changes made to a configuration file, so more and more scripts take precautions when editing configuration files. The general principle is simple: the script will only make changes if it knows the status of the configuration file, which is verified by comparing the checksum of the file against that of the last automatically generated file. If they are the same, the script is authorized to change the configuration file. Otherwise, it determines that the file has been changed and asks what action it should take (install the new file, save the old file, or try to integrate the new changes with the existing file). This precautionary principle has long been unique to Debian, but other distributions have gradually begun to embrace it."
msgstr ""

msgid "The <command>ucf</command> program (from the Debian package of the same name) can be used to implement such a behavior."
msgstr ""

msgid "<primary><command>ucf</command></primary>"
msgstr ""

msgid "<command>syslog</command> System Events"
msgstr ""

msgid "<primary><command>rsyslogd</command></primary>"
msgstr ""

msgid "<primary>files</primary><secondary>log files</secondary>"
msgstr ""

msgid "<primary>logs</primary><secondary>dispatching</secondary>"
msgstr ""

msgid "Principle and Mechanism"
msgstr ""

msgid "The <command>rsyslogd</command> daemon is responsible for collecting service messages coming from applications and the kernel, then dispatching them into log files (usually stored in the <filename>/var/log/</filename> directory). It obeys the <filename>/etc/rsyslog.conf</filename> configuration file."
msgstr ""

msgid "Each log message is associated with an application subsystem (called “facility” in the documentation):"
msgstr ""

msgid "<literal>auth</literal> and <literal>authpriv</literal>: for authentication;"
msgstr ""

msgid "<literal>cron</literal>: comes from task scheduling services, <command>cron</command> and <command>atd</command>;"
msgstr ""

msgid "<literal>daemon</literal>: affects a daemon without any special classification (DNS, NTP, etc.);"
msgstr ""

msgid "<literal>ftp</literal>: concerns the FTP server;"
msgstr ""

msgid "<literal>kern</literal>: message coming from the kernel;"
msgstr ""

msgid "<literal>lpr</literal>: comes from the printing subsystem;"
msgstr ""

msgid "<literal>mail</literal>: comes from the e-mail subsystem;"
msgstr ""

msgid "<literal>news</literal>: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);"
msgstr ""

msgid "<literal>syslog</literal>: messages from the <command>syslogd</command> server, itself;"
msgstr ""

msgid "<literal>user</literal>: user messages (generic);"
msgstr ""

msgid "<literal>uucp</literal>: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);"
msgstr ""

msgid "<literal>local0</literal> to <literal>local7</literal>: reserved for local use."
msgstr ""

msgid "Each message is also associated with a priority level. Here is the list in decreasing order:"
msgstr ""

msgid "<literal>emerg</literal>: “Help!” There is an emergency, the system is probably unusable."
msgstr ""

msgid "<literal>alert</literal>: hurry up, any delay can be dangerous, action must be taken immediately;"
msgstr ""

msgid "<literal>crit</literal>: conditions are critical;"
msgstr ""

msgid "<literal>err</literal>: error;"
msgstr ""

msgid "<literal>warn</literal>: warning (potential error);"
msgstr ""

msgid "<literal>notice</literal>: conditions are normal, but the message is important;"
msgstr ""

msgid "<literal>info</literal>: informative message;"
msgstr ""

msgid "<literal>debug</literal>: debugging message."
msgstr ""

msgid "The Configuration File"
msgstr ""

msgid "The syntax of the <filename>/etc/rsyslog.conf</filename> file is detailed in the <citerefentry><refentrytitle>rsyslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manual page, but there is also HTML documentation available in the <emphasis role=\"pkg\">rsyslog-doc</emphasis> package (<filename>/usr/share/doc/rsyslog-doc/html/index.html</filename>). The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the actions describes how to deal with them."
msgstr ""

msgid "Syntax of the Selector"
msgstr ""

msgid "The selector is a semicolon-separated list of <literal><replaceable>subsystem</replaceable>.<replaceable>priority</replaceable></literal> pairs (example: <literal>auth.notice;mail.info</literal>). An asterisk may represent all subsystems or all priorities (examples: <literal>*.alert</literal> or <literal>mail.*</literal>). Several subsystems can be grouped, by separating them with a comma (example: <literal>auth,mail.info</literal>). The priority indicated also covers messages of equal or higher priority; thus <literal>auth.alert</literal> indicates the <literal>auth</literal> subsystem messages of <literal>alert</literal> or <literal>emerg</literal> priority. Prefixed with an exclamation point (!), it indicates the opposite, in other words the strictly lower priorities; <literal>auth.!notice</literal>, thus, indicates messages issued from <literal>auth</literal>, with <literal>info</literal> or <literal>debug</literal> priority. Prefixed with an equal sign (=), it corresponds to precisely and only the priority indicated (<literal>auth.=notice</literal> only concerns messages from <literal>auth</literal> with <literal>notice</literal> priority)."
msgstr ""

msgid "Each element in the list on the selector overrides previous elements. It is thus possible to restrict a set or to exclude certain elements from it. For example, <literal>kern.info;kern.!err</literal> means messages from the kernel with priority between <literal>info</literal> and <literal>warn</literal>. The <literal>none</literal> priority indicates the empty set (no priorities), and may serve to exclude a subsystem from a set of messages. Thus, <literal>*.crit;kern.none</literal> indicates all the messages of priority equal to or higher than <literal>crit</literal> not coming from the kernel."
msgstr ""

msgid "Syntax of Actions"
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> The named pipe, a persistent pipe"
msgstr ""

msgid "<primary>named pipe</primary>"
msgstr ""

msgid "<primary>pipe, named pipe</primary>"
msgstr ""

msgid "A named pipe is a particular type of file that operates like a traditional pipe (the pipe that you make with the “|” symbol on the command line), but via a file. This mechanism has the advantage of being able to relate two unrelated processes. Anything written to a named pipe blocks the process that writes until another process attempts to read the data written. This second process reads the data written by the first, which can then resume execution."
msgstr ""

msgid "Such a file is created with the <command>mkfifo</command> command."
msgstr ""

msgid "The various possible actions are:"
msgstr ""

msgid "add the message to a file (example: <filename>/var/log/messages</filename>);"
msgstr ""

msgid "send the message to a remote <command>syslog</command> server (example: <literal>@log.falcot.com</literal>);"
msgstr ""

msgid "send the message to an existing named pipe (example: <literal>|/dev/xconsole</literal>);"
msgstr ""

msgid "send the message to one or more users, if they are logged in (example: <literal>root,rhertzog</literal>);"
msgstr ""

msgid "send the message to all logged in users (example: <literal>*</literal>);"
msgstr ""

msgid "write the message in a text console (example: <literal>/dev/tty8</literal>)."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Forwarding logs"
msgstr ""

msgid "<primary>log</primary><secondary>forwarding</secondary>"
msgstr ""

msgid "It is a good idea to record the most important logs on a separate machine (perhaps dedicated for this purpose), since this will prevent any possible intruder from removing traces of their intrusion (unless, of course, they also compromise this other server). Furthermore, in the event of a major problem (such as a kernel crash), you have the logs available on another machine, which increases your chances of determining the sequence of events that caused the crash."
msgstr ""

msgid "To accept log messages sent by other machines, you must reconfigure <emphasis>rsyslog</emphasis>: in practice, it is sufficient to activate the ready-for-use entries in <filename>/etc/rsyslog.conf</filename> (<literal>$ModLoad imudp</literal> and <literal>$UDPServerRun 514</literal>)."
msgstr ""

msgid "The <command>inetd</command> Super-Server"
msgstr ""

msgid "Inetd (often called “Internet super-server”) is a server of servers. It executes rarely used servers on demand, so that they do not have to run continuously."
msgstr ""

msgid "<primary><command>inetd</command></primary>"
msgstr ""

msgid "<primary>super-server</primary>"
msgstr ""

msgid "The <filename>/etc/inetd.conf</filename> file lists these servers and their usual ports. The <command>inetd</command> command listens to all of them; when it detects a connection to any such port, it executes the corresponding server program."
msgstr ""

msgid "<emphasis>DEBIAN POLICY</emphasis> Register a server in <filename>inetd.conf</filename>"
msgstr ""

msgid "Packages frequently want to register a new server in the <filename>/etc/inetd.conf</filename> file, but Debian Policy prohibits any package from modifying a configuration file that it doesn't own. This is why the <command>update-inetd</command> script (in the package with the same name) was created: It manages the configuration file, and other packages can thus use it to register a new server to the super-server's configuration."
msgstr ""

msgid "Each significant line of the <filename>/etc/inetd.conf</filename> file describes a server through seven fields (separated by spaces):"
msgstr ""

msgid "The TCP or UDP port number, or the service name (which is mapped to a standard port number with the information contained in the <filename>/etc/services</filename> file)."
msgstr ""

msgid "The socket type: <literal>stream</literal> for a TCP connection, <literal>dgram</literal> for UDP datagrams."
msgstr ""

msgid "The protocol: <literal>tcp</literal> or <literal>udp</literal>."
msgstr ""

msgid "The options: two possible values: <literal>wait</literal> or <literal>nowait</literal>, to tell <command>inetd</command> whether it should wait or not for the end of the launched process before accepting another connection. For TCP connections, easily multiplexable, you can usually use <literal>nowait</literal>. For programs responding over UDP, you should use <literal>nowait</literal> only if the server is capable of managing several connections in parallel. You can suffix this field with a period, followed by the maximum number of connections authorized per minute (the default limit is 256)."
msgstr ""

msgid "The user name of the user under whose identity the server will run."
msgstr ""

msgid "The full path to the server program to execute."
msgstr ""

msgid "The arguments: this is a complete list of the program's arguments, including its own name (<literal>argv[0]</literal> in C)."
msgstr ""

msgid "The following example illustrates the most common cases:"
msgstr ""

msgid "Excerpt from <filename>/etc/inetd.conf</filename>"
msgstr ""

msgid ""
"talk   dgram  udp wait    nobody.tty /usr/sbin/in.talkd in.talkd\n"
"finger stream tcp nowait  nobody     /usr/sbin/tcpd     in.fingerd\n"
"ident  stream tcp nowait  nobody     /usr/sbin/identd   identd -i"
msgstr ""

msgid "<primary><command>tcpd</command></primary>"
msgstr ""

msgid "The <command>tcpd</command> program is frequently used in the <filename>/etc/inetd.conf</filename> file. It allows limiting incoming connections by applying access control rules, documented in the <citerefentry><refentrytitle>hosts_access</refentrytitle><manvolnum>5</manvolnum></citerefentry> manual page, and which are configured in the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files. Once it has been determined that the connection is authorized, <command>tcpd</command> executes the real server (like <command>in.fingerd</command> in our example). It is worth noting that <command>tcpd</command> relies on the name under which it was invoked (that is the first argument, <literal>argv[0]</literal>) to identify the real program to run. So you should not start the arguments list with <literal>tcpd</literal> but with the program that must be wrapped."
msgstr ""

msgid "<emphasis>COMMUNITY</emphasis> Wietse Venema"
msgstr ""

msgid "<primary>Wietse Venema</primary>"
msgstr ""

msgid "<primary>Venema, Wietse</primary>"
msgstr ""

msgid "Wietse Venema, whose expertise in security has made him a renowned programmer, is the author of the <command>tcpd</command> program. He is also the main creator of Postfix, the modular e-mail server (SMTP, Simple Mail Transfer Protocol), designed to be safer and more reliable than <command>sendmail</command>, which features a long history of security vulnerabilities."
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> Other <command>inetd</command> commands"
msgstr ""

msgid "While Debian installs <emphasis role=\"pkg\">openbsd-inetd</emphasis> by default, there is no lack of alternatives: we can mention <emphasis role=\"pkg\">inetutils-inetd</emphasis>, <emphasis role=\"pkg\">micro-inetd</emphasis>, <emphasis role=\"pkg\">rlinetd</emphasis> and <emphasis role=\"pkg\">xinetd</emphasis>."
msgstr ""

msgid "This last incarnation of a super-server offers very interesting possibilities. Most notably, its configuration can be split into several files (stored, of course, in the <filename>/etc/xinetd.d/</filename> directory), which can make an administrator's life easier."
msgstr ""

msgid "Last but not least, it is even possible to emulate <command>inetd</command>'s behavior with <command>systemd</command>'s socket-activation mechanism (see <xref linkend=\"sect.systemd\" />)."
msgstr ""

msgid "Scheduling Tasks with <command>cron</command> and <command>atd</command>"
msgstr ""

msgid "<primary><command>cron</command></primary>"
msgstr ""

msgid "<primary><command>atd</command></primary>"
msgstr ""

msgid "<primary>scheduled commands</primary>"
msgstr ""

msgid "<primary>command scheduling</primary>"
msgstr ""

msgid "<command>cron</command> is the daemon responsible for executing scheduled and recurring commands (every day, every week, etc.); <command>atd</command> is that which deals with commands to be executed a single time, but at a specific moment in the future."
msgstr ""

msgid "In a Unix system, many tasks are scheduled for regular execution:"
msgstr ""

msgid "rotating the logs;"
msgstr ""

msgid "updating the database for the <command>locate</command> program;"
msgstr ""

msgid "back-ups;"
msgstr ""

msgid "maintenance scripts (such as cleaning out temporary files)."
msgstr ""

msgid "By default, all users can schedule the execution of tasks. Each user has thus their own <emphasis>crontab</emphasis> in which they can record scheduled commands. It can be edited by running <command>crontab -e</command> (its content is stored in the <filename>/var/spool/cron/crontabs/<replaceable>user</replaceable></filename> file)."
msgstr ""

msgid "<emphasis>SECURITY</emphasis> Restricting <command>cron</command> or <command>atd</command>"
msgstr ""

msgid "You can restrict access to <command>cron</command> by creating an explicit authorization file (whitelist) in <filename>/etc/cron.allow</filename>, in which you indicate the only users authorized to schedule commands. All others will automatically be deprived of this feature. Conversely, to only block one or two troublemakers, you could write their username in the explicit prohibition file (blacklist), <filename>/etc/cron.deny</filename>. This same feature is available for <command>atd</command>, with the <filename>/etc/at.allow</filename> and <filename>/etc/at.deny</filename> files."
msgstr ""

msgid "The root user has their own <emphasis>crontab</emphasis>, but can also use the <filename>/etc/crontab</filename> file, or write additional <emphasis>crontab</emphasis> files in the <filename>/etc/cron.d</filename> directory. These last two solutions have the advantage of being able to specify the user identity to use when executing the command."
msgstr ""

msgid "The <emphasis>cron</emphasis> package includes by default some scheduled commands that execute:"
msgstr ""

msgid "programs in the <filename>/etc/cron.hourly/</filename> directory once per hour;"
msgstr ""

msgid "programs in <filename>/etc/cron.daily/</filename> once per day;"
msgstr ""

msgid "programs in <filename>/etc/cron.weekly/</filename> once per week;"
msgstr ""

msgid "programs in <filename>/etc/cron.monthly/</filename> once per month."
msgstr ""

msgid "Many Debian packages rely on this service: by putting maintenance scripts in these directories, they ensure optimal operation of their services."
msgstr ""

msgid "Format of a <filename>crontab</filename> File"
msgstr ""

msgid "<primary><filename>crontab</filename></primary>"
msgstr ""

msgid "<emphasis>TIP</emphasis> Text shortcuts for <command>cron</command>"
msgstr ""

msgid "<command>cron</command> recognizes some abbreviations which replace the first five fields in a <filename>crontab</filename> entry. They correspond to the most classic scheduling options:"
msgstr ""

msgid "<literal>@yearly</literal>: once per year (January 1, at 00:00);"
msgstr ""

msgid "<literal>@monthly</literal>: once per month (the 1st of the month, at 00:00);"
msgstr ""

msgid "<literal>@weekly</literal>: once per week (Sunday at 00:00);"
msgstr ""

msgid "<literal>@daily</literal>: once per day (at 00:00);"
msgstr ""

msgid "<literal>@hourly</literal>: once per hour (at the beginning of each hour)."
msgstr ""

msgid "<emphasis>SPECIAL CASE</emphasis> <command>cron</command> and daylight savings time"
msgstr ""

msgid "In Debian, <command>cron</command> takes the time change (for Daylight Savings Time, or in fact for any significant change in the local time) into account as best as it can. Thus, the commands that should have been executed during an hour that never existed (for example, tasks scheduled at 2:30 am during the Spring time change in France, since at 2:00 am the clock jumps directly to 3:00 am) are executed shortly after the time change (thus around 3:00 am DST). On the other hand, in autumn, when commands would be executed several times (2:30 am DST, then an hour later at 2:30 am standard time, since at 3:00 am DST the clock turns back to 2:00 am) are only executed once."
msgstr ""

msgid "Be careful, however, if the order in which the different scheduled tasks and the delay between their respective executions matters, you should check the compatibility of these constraints with <command>cron</command>'s behavior; if necessary, you can prepare a special schedule for the two problematic nights per year."
msgstr ""

msgid "Each significant line of a <emphasis>crontab</emphasis> describes a scheduled command with the six (or seven) following fields:"
msgstr ""

msgid "the value for the minute (number from 0 to 59);"
msgstr ""

msgid "the value for the hour (from 0 to 23);"
msgstr ""

msgid "the value for the day of the month (from 1 to 31);"
msgstr ""

msgid "the value for the month (from 1 to 12);"
msgstr ""

msgid "the value for the day of the week (from 0 to 7, 1 corresponding to Monday, Sunday being represented by both 0 and 7; it is also possible to use the first three letters of the name of the day of the week in English, such as <literal>Sun</literal>, <literal>Mon</literal>, etc.);"
msgstr ""

msgid "the user name under whose identity the command must be executed (in the <filename>/etc/crontab</filename> file and in the fragments located in <filename>/etc/cron.d/</filename>, but not in the users' own crontab files);"
msgstr ""

msgid "the command to execute (when the conditions defined by the first five columns are met)."
msgstr ""

msgid "All these details are documented in the <citerefentry><refentrytitle>crontab</refentrytitle> <manvolnum>5</manvolnum></citerefentry> man page."
msgstr ""

msgid "Each value can be expressed in the form of a list of possible values (separated by commas). The syntax <literal>a-b</literal> describes the interval of all the values between <literal>a</literal> and <literal>b</literal>. The syntax <literal>a-b/c</literal> describes the interval with an increment of <literal>c</literal> (example: <literal>0-10/2</literal> means <literal>0,2,4,6,8,10</literal>). An asterisk <literal>*</literal> is a wildcard, representing all possible values."
msgstr ""

msgid "Sample <filename>crontab</filename> file"
msgstr ""

msgid ""
"#Format\n"
"#min hour day mon dow  command\n"
"\n"
"# Download data every night at 7:25 pm\n"
" 25  19   *   *   *    $HOME/bin/get.pl\n"
"\n"
"# 8:00 am, on weekdays (Monday through Friday)\n"
" 00  08   *   *   1-5  $HOME/bin/dosomething\n"
"\n"
"# Restart the IRC proxy after each reboot\n"
"@reboot /usr/bin/dircproxy"
msgstr ""

msgid "<emphasis>TIP</emphasis> Executing a command on boot"
msgstr ""

msgid "To execute a command a single time, just after booting the computer, you can use the <literal>@reboot</literal> macro (a simple restart of <command>cron</command> does not trigger a command scheduled with <literal>@reboot</literal>). This macro replaces the first five fields of an entry in the <emphasis>crontab</emphasis>."
msgstr ""

msgid "<emphasis>ALTERNATIVE</emphasis> Emulating <command>cron</command> with <command>systemd</command>"
msgstr ""

msgid "It is possible to emulate part of <command>cron</command>'s behavior with <command>systemd</command>'s timer mechanism (see <xref linkend=\"sect.systemd\" />)."
msgstr ""

msgid "Using the <command>at</command> Command"
msgstr ""

msgid "<primary><command>at</command></primary>"
msgstr ""

msgid "The <command>at</command> executes a command at a specified moment in the future. It takes the desired time and date as command-line parameters, and the command to be executed in its standard input. The command will be executed as if it had been entered in the current shell. <command>at</command> even takes care to retain the current environment, in order to reproduce the same conditions when it executes the command. The time is indicated by following the usual conventions: <literal>16:12</literal> or <literal>4:12pm</literal> represents 4:12 pm. The date can be specified in several European and Western formats, including <literal>DD.MM.YY</literal> (<literal>27.07.15</literal> thus representing 27 July 2015), <literal>YYYY-MM-DD</literal> (this same date being expressed as <literal>2015-07-27</literal>), <literal>MM/DD/[CC]YY</literal> (ie., <literal>12/25/15</literal> or <literal>12/25/2015</literal> will be December 25, 2015), or simple <literal>MMDD[CC]YY</literal> (so that <literal>122515</literal> or <literal>12252015</literal> will, likewise, represent December 25, 2015). Without it, the command will be executed as soon as the clock reaches the time indicated (the same day, or tomorrow if that time has already passed on the same day). You can also simply write “today” or “tomorrow”, which is self-explanatory."
msgstr ""

msgid ""
"\n"
"<computeroutput>$ </computeroutput><userinput>at 09:00 27.07.15 &lt;&lt;END</userinput>\n"
"<computeroutput>&gt; </computeroutput><userinput>echo \"Don't forget to wish a Happy Birthday to Raphaël!\" \\</userinput>\n"
"<computeroutput>&gt; </computeroutput><userinput>  | mail lolando@debian.org</userinput>\n"
"<computeroutput>&gt; </computeroutput><userinput>END</userinput>\n"
"<computeroutput>warning: commands will be executed using /bin/sh\n"
"job 31 at Mon Jul 27 09:00:00 2015</computeroutput>"
msgstr ""

msgid "An alternative syntax postpones the execution for a given duration: <command>at now + <replaceable>number</replaceable> <replaceable>period</replaceable></command>. The <replaceable>period</replaceable> can be <literal>minutes</literal>, <literal>hours</literal>, <literal>days</literal>, or <literal>weeks</literal>. The <replaceable>number</replaceable> simply indicates the number of said units that must elapse before execution of the command."
msgstr ""

msgid "To cancel a task scheduled by <command>cron</command>, simply run <command>crontab -e</command> and delete the corresponding line in the <emphasis>crontab</emphasis> file. For <command>at</command> tasks, it is almost as easy: run <command>atrm <replaceable>task-number</replaceable></command>. The task number is indicated by the <command>at</command> command when you scheduled it, but you can find it again with the <command>atq</command> command, which gives the current list of scheduled tasks."
msgstr ""

msgid "<primary><command>atrm</command></primary>"
msgstr ""

msgid "<primary><command>atq</command></primary>"
msgstr ""

msgid "Scheduling Asynchronous Tasks: <command>anacron</command>"
msgstr ""

msgid "<command>anacron</command> is the daemon that completes <command>cron</command> for computers that are not on at all times. Since regular tasks are usually scheduled for the middle of the night, they will never be executed if the computer is off at that time. The purpose of <command>anacron</command> is to execute them, taking into account periods in which the computer is not working."
msgstr ""

msgid "<primary><command>anacron</command></primary>"
msgstr ""

msgid "Please note that <command>anacron</command> will frequently execute such activity a few minutes after booting the machine, which can render the computer less responsive. This is why the tasks in the <filename>/etc/anacrontab</filename> file are started with the <command>nice</command> command, which reduces their execution priority and thus limits their impact on the rest of the system. Beware, the format of this file is not the same as that of <filename>/etc/crontab</filename>; if you have particular needs for <command>anacron</command>, see the <citerefentry><refentrytitle>anacrontab</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manual page."
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> Priorities and <command>nice</command>"
msgstr ""

msgid "Unix systems (and thus Linux) are multi-tasking and multi-user systems. Indeed, several processes can run in parallel, and be owned by different users: the kernel mediates access to the resources between the different processes. As a part of this task, it has a concept of priority, which allows it to favor certain processes over others, as needed. When you know that a process can run in low priority, you can indicate so by running it with <command>nice <replaceable>program</replaceable></command>. The program will then have a smaller share of the CPU, and will have a smaller impact on other running processes. Of course, if no other processes needs to run, the program will not be artificially held back."
msgstr ""

msgid "<command>nice</command> works with levels of “niceness”: the positive levels (from 1 to 19) progressively lower the priority, while the negative levels (from -1 to -20) will increase it — but only root can use these negative levels. Unless otherwise indicated (see the <citerefentry><refentrytitle>nice</refentrytitle> <manvolnum>1</manvolnum></citerefentry> manual page), <command>nice</command> increases the current level by 10."
msgstr ""

msgid "If you discover that an already running task should have been started with <command>nice</command> it is not too late to fix it; the <command>renice</command> command changes the priority of an already running process, in either direction (but reducing the “niceness” of a process is reserved for the root user)."
msgstr ""

msgid "Installation of the <emphasis role=\"pkg\">anacron</emphasis> package deactivates execution by <command>cron</command> of the scripts in the <filename>/etc/cron.hourly/</filename>, <filename>/etc/cron.daily/</filename>, <filename>/etc/cron.weekly/</filename>, and <filename>/etc/cron.monthly/</filename> directories. This avoids their double execution by <command>anacron</command> and <command>cron</command>. The <command>cron</command> command remains active and will continue to handle the other scheduled tasks (especially those scheduled by users)."
msgstr ""

msgid "Quotas"
msgstr ""

msgid "<primary>quota</primary>"
msgstr ""

msgid "The quota system allows limiting disk space allocated to a user or group of users. To set it up, you must have a kernel that supports it (compiled with the <varname>CONFIG_QUOTA</varname> option) — as is the case with Debian kernels. The quota management software is found in the <emphasis role=\"pkg\">quota</emphasis> Debian package."
msgstr ""

msgid "To activate quota in a filesystem, you have to indicate the <literal>usrquota</literal> and <literal>grpquota</literal> options in <filename>/etc/fstab</filename> for the user and group quotas, respectively. Rebooting the computer will then update the quotas in the absence of disk activity (a necessary condition for proper accounting of already used disk space)."
msgstr ""

msgid "The <command>edquota <replaceable>user</replaceable></command> (or <command>edquota -g <replaceable>group</replaceable></command>) command allows you to change the limits while examining current disk space usage."
msgstr ""

msgid "<primary><command>edquota</command></primary>"
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Defining quotas with a script"
msgstr ""

msgid "<primary><command>setquota</command></primary>"
msgstr ""

msgid "The <command>setquota</command> program can be used in a script to automatically change many quotas. Its <citerefentry><refentrytitle>setquota</refentrytitle> <manvolnum>8</manvolnum></citerefentry> manual page details the syntax to use."
msgstr ""

msgid "The quota system allows you to set four limits:"
msgstr ""

msgid "two limits (called “soft” and “hard”) refer to the number of blocks consumed. If the filesystem was created with a block-size of 1 kibibyte, a block contains 1024 bytes from the same file. Unsaturated blocks thus induce losses of disk space. A quota of 100 blocks, which theoretically allows storage of 102,400 bytes, will, however, be saturated with just 100 files of 500 bytes each, only representing 50,000 bytes in total."
msgstr ""

msgid "two limits (soft and hard) refer to the number of inodes used. Each file occupies at least one inode to store information about it (permissions, owner, timestamp of last access, etc.). It is thus a limit on the number of user files."
msgstr ""

msgid "A “soft” limit can be temporarily exceeded; the user will simply be warned that they are exceeding the quota by the <command>warnquota</command> command, which is usually invoked by <command>cron</command>. A “hard” limit can never be exceeded: the system will refuse any operation that will cause a hard quota to be exceeded."
msgstr ""

msgid "<emphasis>VOCABULARY</emphasis> Blocks and inodes"
msgstr ""

msgid "<primary>block (disk)</primary>"
msgstr ""

msgid "<primary>inode</primary>"
msgstr ""

msgid "The filesystem divides the hard drive into blocks — small contiguous areas. The size of these blocks is defined during creation of the filesystem, and generally varies between 1 and 8 kibibytes."
msgstr ""

msgid "A block can be used either to store the real data of a file, or for meta-data used by the filesystem. Among this meta-data, you will especially find the inodes. An inode uses a block on the hard drive (but this block is not taken into consideration in the block quota, only in the inode quota), and contains both the information on the file to which it corresponds (name, owner, permissions, etc.) and the pointers to the data blocks that are actually used. For very large files that occupy more blocks than it is possible to reference in a single inode, there is an indirect block system; the inode references a list of blocks that do not directly contain data, but another list of blocks."
msgstr ""

msgid "<primary><command>warnquota</command></primary>"
msgstr ""

msgid "With the <command>edquota -t</command> command, you can define a maximum authorized “grace period” within which a soft limit may be exceeded. After this period, the soft limit will be treated like a hard limit, and the user will have to reduce their disk space usage to within this limit in order to be able to write anything to the hard drive."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Setting up a default quota for new users"
msgstr ""

msgid "To automatically setup a quota for new users, you have to configure a template user (with <command>edquota</command> or <command>setquota</command>) and indicate their user name in the <varname>QUOTAUSER</varname> variable in the <filename>/etc/adduser.conf</filename> file. This quota configuration will then be automatically applied to each new user created with the <command>adduser</command> command."
msgstr ""

msgid "Making backups is one of the main responsibilities of any administrator, but it is a complex subject, involving powerful tools which are often difficult to master."
msgstr ""

msgid "<primary>backup</primary>"
msgstr ""

msgid "<primary>restoration</primary>"
msgstr ""

msgid "Many programs exist, such as <command>amanda</command>, <command>bacula</command>, <command>BackupPC</command>. Those are client/server system featuring many options, whose configuration is rather difficult. Some of them provide user-friendly web interfaces to mitigate this. But Debian contains dozens of other backup software covering all possible use cases, as you can easily confirm with <command>apt-cache search backup</command>."
msgstr ""

msgid "<primary><command>amanda</command></primary>"
msgstr ""

msgid "<primary><command>bacula</command></primary>"
msgstr ""

msgid "<primary><command>BackupPC</command></primary>"
msgstr ""

msgid "Rather than detailing some of them, this section will present the thoughts of the Falcot Corp administrators when they defined their backup strategy."
msgstr ""

msgid "At Falcot Corp, backups have two goals: recovering erroneously deleted files, and quickly restoring any computer (server or desktop) whose hard drive has failed."
msgstr ""

msgid "Backing Up with <command>rsync</command>"
msgstr ""

msgid "Backups on tape having been deemed too slow and costly, data will be backed up on hard drives on a dedicated server, on which the use of software RAID (see <xref linkend=\"sect.raid-soft\" />) will protect the data from hard drive failure. Desktop computers are not backed up individually, but users are advised that their personal account on their department's file server will be backed up. The <command>rsync</command> command (from the package of the same name) is used daily to back up these different servers."
msgstr ""

msgid "<primary><command>rsync</command></primary>"
msgstr ""

msgid "<emphasis>BACK TO BASICS</emphasis> The hard link, a second name for the file"
msgstr ""

msgid "<primary>link</primary><secondary>hard link</secondary>"
msgstr ""

msgid "<primary>hard link</primary>"
msgstr ""

msgid "A hard link, as opposed to a symbolic link, cannot be differentiated from the linked file. Creating a hard link is essentially the same as giving an existing file a second name. This is why the deletion of a hard link only removes one of the names associated with the file. As long as another name is still assigned to the file, the data therein remain present on the filesystem. It is interesting to note that, unlike a copy, the hard link does not take up additional space on the hard drive."
msgstr ""

msgid "A hard link is created with the <command>ln <replaceable>target</replaceable> <replaceable>link</replaceable></command> command. The <replaceable>link</replaceable> file is then a new name for the <replaceable>target</replaceable> file. Hard links can only be created on the same filesystem, while symbolic links are not subject to this limitation."
msgstr ""

msgid "The available hard drive space prohibits implementation of a complete daily backup. As such, the <command>rsync</command> command is preceded by a duplication of the content of the previous backup with hard links, which prevents usage of too much hard drive space. The <command>rsync</command> process then only replaces files that have been modified since the last backup. With this mechanism a great number of backups can be kept in a small amount of space. Since all backups are immediately available and accessible (for example, in different directories of a given share on the network), you can quickly make comparisons between two given dates."
msgstr ""

msgid "<primary>copy, backup copy</primary>"
msgstr ""

msgid "<primary>backup</primary><secondary>copy</secondary>"
msgstr ""

msgid "<primary><emphasis role=\"pkg\">dirvish</emphasis></primary>"
msgstr ""

msgid "This backup mechanism is easily implemented with the <command>dirvish</command> program. It uses a backup storage space (“bank” in its vocabulary) in which it places timestamped copies of sets of backup files (these sets are called “vaults” in the dirvish documentation)."
msgstr ""

msgid "The main configuration is in the <filename>/etc/dirvish/master.conf</filename> file. It defines the location of the backup storage space, the list of “vaults” to manage, and default values for expiration of the backups. The rest of the configuration is located in the <filename><replaceable>bank</replaceable>/<replaceable>vault</replaceable>/dirvish/default.conf</filename> files and contains the specific configuration for the corresponding set of files."
msgstr ""

msgid "The <filename>/etc/dirvish/master.conf</filename> file"
msgstr ""

msgid ""
"bank:\n"
"    /backup\n"
"exclude:\n"
"    lost+found/\n"
"    core\n"
"    *~\n"
"Runall:\n"
"    root    22:00\n"
"expire-default: +15 days\n"
"expire-rule:\n"
"#   MIN HR    DOM MON       DOW  STRFTIME_FMT\n"
"    *   *     *   *         1    +3 months\n"
"    *   *     1-7 *         1    +1 year\n"
"    *   *     1-7 1,4,7,10  1"
msgstr ""

msgid "The <literal>bank</literal> setting indicates the directory in which the backups are stored. The <literal>exclude</literal> setting allows you to indicate files (or file types) to exclude from the backup. The <literal>Runall</literal> is a list of file sets to backup with a time-stamp for each set, which allows you to assign the correct date to the copy, in case the backup is not triggered at precisely the assigned time. You have to indicate a time just before the actual execution time (which is, by default, 10:04 pm in Debian, according to <filename>/etc/cron.d/dirvish</filename>). Finally, the <literal>expire-default</literal> and <literal>expire-rule</literal> settings define the expiration policy for backups. The above example keeps forever backups that are generated on the first Sunday of each quarter, deletes after one year those from the first Sunday of each month, and after 3 months those from other Sundays. Other daily backups are kept for 15 days. The order of the rules does matter, Dirvish uses the last matching rule, or the <literal>expire-default</literal> one if no other <literal>expire-rule</literal> matches."
msgstr ""

msgid "<emphasis>IN PRACTICE</emphasis> Scheduled expiration"
msgstr ""

msgid "The expiration rules are not used by <command>dirvish-expire</command> to do its job. In reality, the expiration rules are applied when creating a new backup copy to define the expiration date associated with that copy. <command>dirvish-expire</command> simply peruses the stored copies and deletes those for which the expiration date has passed."
msgstr ""

msgid "The <filename>/backup/root/dirvish/default.conf</filename> file"
msgstr ""

msgid ""
"client: rivendell.falcot.com\n"
"tree: /\n"
"xdev: 1\n"
"index: gzip\n"
"image-default: %Y%m%d\n"
"exclude:\n"
"    /var/cache/apt/archives/*.deb\n"
"    /var/cache/man/**\n"
"    /tmp/**\n"
"    /var/tmp/**\n"
"    *.bak"
msgstr ""

msgid "The above example specifies the set of files to back up: these are files on the machine <emphasis>rivendell.falcot.com</emphasis> (for local data backup, simply specify the name of the local machine as indicated by <command>hostname</command>), especially those in the root tree (<literal>tree: /</literal>), except those listed in <literal>exclude</literal>. The backup will be limited to the contents of one filesystem (<literal>xdev: 1</literal>). It will not include files from other mount points. An index of saved files will be generated (<literal>index: gzip</literal>), and the image will be named according to the current date (<literal>image-default: %Y%m%d</literal>)."
msgstr ""

msgid "There are many options available, all documented in the <citerefentry><refentrytitle>dirvish.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> manual page. Once these configuration files are setup, you have to initialize each file set with the <command>dirvish --vault <replaceable>vault</replaceable> --init</command> command. From there on the daily invocation of <command>dirvish-runall</command> will automatically create a new backup copy just after having deleted those that expired."
msgstr ""

msgid "<emphasis>IN PRACTICE</emphasis> Remote backup over SSH"
msgstr ""

msgid "When dirvish needs to save data to a remote machine, it will use <command>ssh</command> to connect to it, and will start <command>rsync</command> as a server. This requires the root user to be able to automatically connect to it. The use of an SSH authentication key allows precisely that (see <xref linkend=\"sect.ssh-key-based-auth\" />)."
msgstr ""

msgid "Restoring Machines without Backups"
msgstr ""

msgid "Desktop computers, which are not backed up, will be easy to reinstall from custom DVD-ROMs prepared with <emphasis>Simple-CDD</emphasis> (see <xref linkend=\"sect.simple-cdd\" />). Since this performs an installation from scratch, it loses any customization that can have been made after the initial installation. This is fine since the systems are all hooked to a central LDAP directory for accounts and most desktop applications are preconfigured thanks to dconf (see <xref linkend=\"sect.gnome-desktop\" /> for more information about this)."
msgstr ""

msgid "The Falcot Corp administrators are aware of the limits in their backup policy. Since they can't protect the backup server as well as a tape in a fireproof safe, they have installed it in a separate room so that a disaster such as a fire in the server room won't destroy backups along with everything else. Furthermore, they do an incremental backup on DVD-ROM once per week — only files that have been modified since the last backup are included."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Backing up SQL and LDAP services"
msgstr ""

msgid "Many services (such as SQL or LDAP databases) cannot be backed up by simply copying their files (unless they are properly interrupted during creation of the backups, which is frequently problematic, since they are intended to be available at all times). As such, it is necessary to use an “export” mechanism to create a “data dump” that can be safely backed up. These are often quite large, but they compress well. To reduce the storage space required, you will only store a complete text file per week, and a <command>diff</command> each day, which is created with a command of the type <command>diff <replaceable>file_from_yesterday</replaceable> <replaceable>file_from_today</replaceable></command>. The <command>xdelta</command> program produces incremental differences from binary dumps."
msgstr ""

msgid "<primary><command>xdelta</command></primary>"
msgstr ""

msgid "<primary><command>diff</command></primary>"
msgstr ""

msgid "<primary>dump</primary>"
msgstr ""

msgid "<emphasis>CULTURE</emphasis> <emphasis>TAR</emphasis>, the standard for tape backups"
msgstr ""

msgid "<primary>backup</primary><secondary>on tape</secondary>"
msgstr ""

msgid "<primary>tape, backup</primary>"
msgstr ""

msgid "<primary>TAR</primary>"
msgstr ""

msgid "Historically, the simplest means of making a backup on Unix was to store a <emphasis>TAR</emphasis> archive on a tape. The <command>tar</command> command even got its name from “Tape ARchive”."
msgstr ""

msgid "Hot Plugging: <emphasis>hotplug</emphasis>"
msgstr ""

msgid "Introduction"
msgstr ""

msgid "The <emphasis>hotplug</emphasis> kernel subsystem dynamically handles the addition and removal of devices, by loading the appropriate drivers and by creating the corresponding device files (with the help of <command>udevd</command>). With modern hardware and virtualization, almost everything can be hotplugged: from the usual USB/PCMCIA/IEEE 1394 peripherals to SATA hard drives, but also the CPU and the memory."
msgstr ""

msgid "The kernel has a database that associates each device ID with the required driver. This database is used during boot to load all the drivers for the peripheral devices detected on the different buses, but also when an additional hotplug device is connected. Once the device is ready for use, a message is sent to <command>udevd</command> so it will be able to create the corresponding entry in <filename>/dev/</filename>."
msgstr ""

msgid "<primary><emphasis>hotplug</emphasis></primary>"
msgstr ""

msgid "<primary>hotplug</primary>"
msgstr ""

msgid "<primary>USB</primary>"
msgstr ""

msgid "<primary>IEEE 1394</primary>"
msgstr ""

msgid "<primary>PCMCIA</primary>"
msgstr ""

msgid "<primary>SATA</primary>"
msgstr ""

msgid "The Naming Problem"
msgstr ""

msgid "Before the appearance of hotplug connections, it was easy to assign a fixed name to a device. It was based simply on the position of the devices on their respective bus. But this is not possible when such devices can come and go on the bus. The typical case is the use of a digital camera and a USB key, both of which appear to the computer as disk drives. The first one connected may be <filename>/dev/sdb</filename> and the second <filename>/dev/sdc</filename> (with <filename>/dev/sda</filename> representing the computer's own hard drive). The device name is not fixed; it depends on the order in which devices are connected."
msgstr ""

msgid "Additionally, more and more drivers use dynamic values for devices' major/minor numbers, which makes it impossible to have static entries for the given devices, since these essential characteristics may vary after a reboot."
msgstr ""

msgid "<emphasis>udev</emphasis> was created precisely to solve this problem."
msgstr ""

msgid "How <emphasis>udev</emphasis> Works"
msgstr ""

msgid "When <emphasis>udev</emphasis> is notified by the kernel of the appearance of a new device, it collects various information on the given device by consulting the corresponding entries in <filename>/sys/</filename>, especially those that uniquely identify it (MAC address for a network card, serial number for some USB devices, etc.)."
msgstr ""

msgid "Armed with all of this information, <emphasis>udev</emphasis> then consults all of the rules contained in <filename>/etc/udev/rules.d/</filename> and <filename>/lib/udev/rules.d/</filename>. In this process it decides how to name the device, what symbolic links to create (to give it alternative names), and what commands to execute. All of these files are consulted, and the rules are all evaluated sequentially (except when a file uses “GOTO” directives). Thus, there may be several rules that correspond to a given event."
msgstr ""

msgid "The syntax of rules files is quite simple: each row contains selection criteria and variable assignments. The former are used to select events for which there is a need to react, and the latter defines the action to take. They are all simply separated with commas, and the operator implicitly differentiates between a selection criterion (with comparison operators, such as <literal>==</literal> or <literal>!=</literal>) or an assignment directive (with operators such as <literal>=</literal>, <literal>+=</literal> or <literal>:=</literal>)."
msgstr ""

msgid "Comparison operators are used on the following variables:"
msgstr ""

msgid "<literal>KERNEL</literal>: the name that the kernel assigns to the device;"
msgstr ""

msgid "<literal>ACTION</literal>: the action corresponding to the event (“add” when a device has been added, “remove” when it has been removed);"
msgstr ""

msgid "<literal>DEVPATH</literal>: the path of the device's <filename>/sys/</filename> entry;"
msgstr ""

msgid "<literal>SUBSYSTEM</literal>: the kernel subsystem which generated the request (there are many, but a few examples are “usb”, “ide”, “net”, “firmware”, etc.);"
msgstr ""

msgid "<literal>ATTR{<replaceable>attribute</replaceable>}</literal>: file contents of the <replaceable>attribute</replaceable> file in the <filename>/sys/<replaceable>$devpath</replaceable>/</filename> directory of the device. This is where you find the MAC address and other bus specific identifiers;"
msgstr ""

msgid "<literal>KERNELS</literal>, <literal>SUBSYSTEMS</literal> and <literal>ATTRS{<replaceable>attributes</replaceable>}</literal> are variations that will try to match the different options on one of the parent devices of the current device;"
msgstr ""

msgid "<literal>PROGRAM</literal>: delegates the test to the indicated program (true if it returns 0, false if not). The content of the program's standard output is stored so that it can be reused by the <literal>RESULT</literal> test;"
msgstr ""

msgid "<literal>RESULT</literal>: execute tests on the standard output stored during the last call to <literal>PROGRAM</literal>."
msgstr ""

msgid "The right operands can use pattern expressions to match several values at the same time. For instance, <literal>*</literal> matches any string (even an empty one); <literal>?</literal> matches any character, and <literal>[]</literal> matches the set of characters listed between the square brackets (or the opposite thereof if the first character is an exclamation point, and contiguous ranges of characters are indicated like <literal>a-z</literal>)."
msgstr ""

msgid "Regarding the assignment operators, <literal>=</literal> assigns a value (and replaces the current value); in the case of a list, it is emptied and contains only the value assigned. <literal>:=</literal> does the same, but prevents later changes to the same variable. As for <literal>+=</literal>, it adds an item to a list. The following variables can be changed:"
msgstr ""

msgid "<literal>NAME</literal>: the device filename to be created in <filename>/dev/</filename>. Only the first assignment counts; the others are ignored;"
msgstr ""

msgid "<literal>SYMLINK</literal>: the list of symbolic links that will point to the same device;"
msgstr ""

msgid "<literal>OWNER</literal>, <literal>GROUP</literal> and <literal>MODE</literal> define the user and group that owns the device, as well as the associated permission;"
msgstr ""

msgid "<literal>RUN</literal>: the list of programs to execute in response to this event."
msgstr ""

msgid "The values assigned to these variables may use a number of substitutions:"
msgstr ""

msgid "<literal>$kernel</literal> or <literal>%k</literal>: equivalent to <literal>KERNEL</literal>;"
msgstr ""

msgid "<literal>$number</literal> or <literal>%n</literal>: the order number of the device, for example, for <literal>sda3</literal>, it would be “3”;"
msgstr ""

msgid "<literal>$devpath</literal> or <literal>%p</literal>: equivalent to <literal>DEVPATH</literal>;"
msgstr ""

msgid "<literal>$attr{<replaceable>attribute</replaceable>}</literal> or <literal>%s{<replaceable>attribute</replaceable>}</literal>: equivalent to <literal>ATTRS{<replaceable>attribute</replaceable>}</literal>;"
msgstr ""

msgid "<literal>$major</literal> or <literal>%M</literal>: the kernel major number of the device;"
msgstr ""

msgid "<literal>$minor</literal> or <literal>%m</literal>: the kernel minor number of the device;"
msgstr ""

msgid "<literal>$result</literal> or <literal>%c</literal>: the string output by the last program invoked by <literal>PROGRAM</literal>;"
msgstr ""

msgid "and, finally, <literal>%%</literal> and <literal>$$</literal> for the percent and dollar sign, respectively."
msgstr ""

msgid "The above lists are not complete (they include only the most important parameters), but the <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> manual page should be exhaustive."
msgstr ""

msgid "A concrete example"
msgstr ""

msgid "Let us consider the case of a simple USB key and try to assign it a fixed name. First, you must find the elements that will identify it in a unique manner. For this, plug it in and run <command>udevadm info -a -n /dev/sdc</command> (replacing <replaceable>/dev/sdc</replaceable> with the actual name assigned to the key)."
msgstr ""

msgid ""
"<computeroutput># </computeroutput><userinput>udevadm info -a -n /dev/sdc</userinput>\n"
"<computeroutput>[...]\n"
"  looking at device '/devices/pci0000:00/0000:00:10.0/usb2/2-1/2-1:1.0/host4/target4:0:0/4:0:0:0/block/sdc':\n"
"    KERNEL==\"sdc\"\n"
"    SUBSYSTEM==\"block\"\n"
"    DRIVER==\"\"\n"
"    ATTR{hidden}==\"0\"\n"
"    ATTR{events}==\"media_change\"\n"
"    ATTR{ro}==\"0\"\n"
"    ATTR{discard_alignment}==\"0\"\n"
"    ATTR{removable}==\"1\"\n"
"    ATTR{events_async}==\"\"\n"
"    ATTR{alignment_offset}==\"0\"\n"
"    ATTR{capability}==\"51\"\n"
"    ATTR{events_poll_msecs}==\"-1\"\n"
"    ATTR{stat}==\"     130        0     6328      435        0        0        0        0        0      252      252        0        0        0        0\"\n"
"    ATTR{size}==\"15100224\"\n"
"    ATTR{range}==\"16\"\n"
"    ATTR{ext_range}==\"256\"\n"
"    ATTR{inflight}==\"       0        0\"\n"
"[...]\n"
"\n"
"  looking at parent device '/devices/pci0000:00/0000:00:10.0/usb2/2-1/2-1:1.0/host4/target4:0:0/4:0:0:0':\n"
"[...]\n"
"    ATTRS{max_sectors}==\"240\"\n"
"[...]\n"
"  looking at parent device '/devices/pci0000:00/0000:00:10.0/usb2/2-1':\n"
"    KERNELS==\"2-1\"\n"
"    SUBSYSTEMS==\"usb\"\n"
"    DRIVERS==\"usb\"\n"
"    ATTRS{bDeviceProtocol}==\"00\"\n"
"    ATTRS{bNumInterfaces}==\" 1\"\n"
"    ATTRS{busnum}==\"2\"\n"
"    ATTRS{quirks}==\"0x0\"\n"
"    ATTRS{authorized}==\"1\"\n"
"    ATTRS{ltm_capable}==\"no\"\n"
"    ATTRS{speed}==\"480\"\n"
"    ATTRS{product}==\"TF10\"\n"
"    ATTRS{manufacturer}==\"TDK LoR\"\n"
"[...]\n"
"    ATTRS{serial}==\"07032998B60AB777\"\n"
"[...]\n"
"</computeroutput>"
msgstr ""

msgid "To create a new rule, you can use tests on the device's variables, as well as those of one of the parent devices. The above case allows us to create two rules like these:"
msgstr ""

msgid ""
"KERNEL==\"sd?\", SUBSYSTEM==\"block\", ATTRS{serial}==\"07032998B60AB777\", SYMLINK+=\"usb_key/disk\"\n"
"KERNEL==\"sd?[0-9]\", SUBSYSTEM==\"block\", ATTRS{serial}==\"07032998B60AB777\", SYMLINK+=\"usb_key/part%n\""
msgstr ""

msgid "Once these rules are set in a file, named for example <filename>/etc/udev/rules.d/010_local.rules</filename>, you can simply remove and reconnect the USB key. You can then see that <filename>/dev/usb_key/disk</filename> represents the disk associated with the USB key, and <filename>/dev/usb_key/part1</filename> is its first partition."
msgstr ""

msgid "<emphasis>GOING FURTHER</emphasis> Debugging <emphasis>udev</emphasis>'s configuration"
msgstr ""

msgid "Like many daemons, <command>udevd</command> stores logs in <filename>/var/log/daemon.log</filename>. But it is not very verbose by default, and it is usually not enough to understand what is happening. The <command>udevadm control --log-priority=info</command> command increases the verbosity level and solves this problem. <command>udevadm control --log-priority=err</command> returns to the default verbosity level."
msgstr ""

msgid "Power Management: Advanced Configuration and Power Interface (ACPI)"
msgstr ""

msgid "<primary>power management</primary>"
msgstr ""

msgid "<primary>management, power management</primary>"
msgstr ""

msgid "The topic of power management is often problematic. Indeed, properly suspending the computer requires that all the computer's device drivers know how to put them to standby, and that they properly reconfigure the devices upon waking. Unfortunately, there are still a few devices unable to sleep well under Linux, because their manufacturers have not provided the required specifications."
msgstr ""

msgid "Linux supports ACPI (Advanced Configuration and Power Interface) — the most recent standard in power management. The <emphasis role=\"pkg\">acpid</emphasis> package provides a daemon that looks for power management related events (switching between AC and battery power on a laptop, etc.) and that can execute various commands in response."
msgstr ""

msgid "<primary>ACPI</primary>"
msgstr ""

msgid "<primary>Advanced Configuration and Power Interface</primary>"
msgstr ""

msgid "<primary><command>acpid</command></primary>"
msgstr ""

msgid "<emphasis>BEWARE</emphasis> Graphics card and standby"
msgstr ""

msgid "The graphics card driver is often the culprit when standby doesn't work properly. In that case, it is a good idea to test the latest version of the X.org graphics server."
msgstr ""

msgid "After this overview of basic services common to many Unix systems, we will focus on the environment of the administered machines: the network. Many services are required for the network to work properly. They will be discussed in the next chapter."
msgstr ""