20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors

Posted on April 5, 2012 · 23 comments · LAST UPDATED April 6, 2012

in Linux, UNIX

In Linux and UNIX in general, services are configured using various text files in the /etc/ directory tree. A typical server system could have dozens of configuration files. It is important that you check the validity of the configuration file. In some cases it is also possible to check the sanity of special data (such as keys) or directories (such as /var/lib/cache/). Text files are easy to manage remotely: you can use ssh and a text editor. If there is an error in the configuration, the server may not start, and this may result in a disaster. In this article I will explain how to test the configuration files of popular servers for syntax errors.

Stop! Test Your Server Configuration Before Restarting Unix / Linux Services

  1. The following option(s) will not start the server (or stop a running server); they just test the configuration file and then exit.
  2. The test checks the configuration for correct syntax and then tries to open the files referred to in the configuration.
  3. The config file is parsed and checked for syntax errors, along with all config files included by it.
  4. In most cases you can also specify which configuration file the server should use instead of the default.
  5. Once you've verified your configuration files and fixed any errors, you can go ahead and reload or restart the required services.

A Note About Reloading Servers

The syntax is as follows under Linux:
/sbin/service SERVICE-NAME [reload|restart]
OR
/etc/init.d/SERVICE-NAME [reload|restart]
The reload option reloads the config file without interrupting pending operations. For example, the following command will reload the Apache web server after the config file changes:
# /sbin/service httpd reload
However, Unix / Linux daemon programs commonly use SIGHUP as a signal to restart themselves, the most common reason for this being to re-read a configuration file that has been changed. The syntax is as follows:
kill -HUP $(cat /var/run/SERVICE.pid)
OR
kill -HUP `cat /var/run/SERVICE.pid`
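The test-then-reload routine above, as an added example that is not part of the original article: a shell function that runs the daemon's own syntax test on a candidate copy and only installs it when the test passes. The function name, the /root/sshd_config.new path and the "sshd" service name are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): test a candidate config with
# the daemon's own syntax check and install it only if the check passes.

# validate_and_install CANDIDATE TARGET VALIDATOR [ARGS...]
#   Runs "VALIDATOR ARGS... CANDIDATE". On failure TARGET is left untouched.
#   On success the old TARGET is saved as TARGET.bak and the candidate's
#   contents are renamed into place. Returns 0 ok, 1 rejected, 2 usage/I/O.
validate_and_install() {
    if [ $# -lt 3 ]; then
        echo "usage: validate_and_install CANDIDATE TARGET VALIDATOR [ARGS...]" >&2
        return 2
    fi
    vai_candidate=$1
    vai_target=$2
    shift 2
    if [ ! -r "$vai_candidate" ]; then
        echo "cannot read candidate $vai_candidate" >&2
        return 2
    fi
    # Test the candidate file, never the live one.
    if ! "$@" "$vai_candidate"; then
        echo "syntax test failed; $vai_target left unchanged" >&2
        return 1
    fi
    # Stage beside the target so the final mv is a rename on one filesystem.
    vai_tmp=$(mktemp "$vai_target.XXXXXX") || return 2
    if [ -e "$vai_target" ]; then
        # Keep a rollback copy and carry over the live file's mode and owner.
        cp -p "$vai_target" "$vai_target.bak" &&
            cp -p "$vai_target" "$vai_tmp" || { rm -f "$vai_tmp"; return 2; }
    fi
    cat "$vai_candidate" > "$vai_tmp" && mv "$vai_tmp" "$vai_target" ||
        { rm -f "$vai_tmp"; return 2; }
}

# Usage on a real host, as root (service name "sshd" is an assumption):
#   cp /etc/ssh/sshd_config /root/sshd_config.new    # then edit the copy
#   validate_and_install /root/sshd_config.new /etc/ssh/sshd_config \
#       /usr/sbin/sshd -t -f && /sbin/service sshd reload
```

The validator must accept the file name as its last argument, which holds for sshd -t -f, nginx -t -c, lighttpd -t -f, named-checkconf and bash -n as used in this article.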

#1: OpenSSH Server

To test the OpenSSH config file, type:
# /usr/sbin/sshd -t && echo $?
A sample configuration error session:
# /usr/sbin/sshd -t
Sample outputs:

/etc/ssh/sshd_config line 26: Bad yes/without-password/forced-commands-only/no argument: Naa

To print line # 26, enter:
# sed -n '26p' /etc/ssh/sshd_config
Sample outputs:

PermitRootLogin Naa

Use a text editor such as vi to edit the file, enter:
# vi +26 /etc/ssh/sshd_config
Finally update the syntax, enter:

PermitRootLogin No

Save and close the file. Test it again:
# /usr/sbin/sshd -t
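The "read the line number from the error, then print that line" step above, as an added example that is not part of the original article. It goes beyond sshd and also handles the Apache, Postfix and rsyslogd message formats shown in this article's sample outputs; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): turn syntax-test error
# messages into FILE:LINE pairs and print the offending config line.

# Sample messages copied from this article's sample outputs, plus two
# lines that carry no file/line information and must be ignored.
sample_messages() {
    cat <<'EOF'
/etc/ssh/sshd_config line 26: Bad yes/without-password/forced-commands-only/no argument: Naa
apache2: Syntax error on line 50 of /etc/apache2/apache2.conf: ServerRoot must be a valid directory
postfix: dict_update: mail_owner = postfix
postfix: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"
rsyslogd: the last error occured in /etc/rsyslog.conf, line 11:"$FilesOnwer root"
Syntax OK
EOF
}

# locate_config_error: read messages on stdin, print FILE:LINE for each
# message that names an absolute path and a line number.
locate_config_error() {
    sed -n -E \
        -e 's#^(/[^ ,:]+) line ([0-9]+):.*#\1:\2#p' \
        -e 's#.*Syntax error on line ([0-9]+) of (/[^ :]+):.*#\2:\1#p' \
        -e 's#.*[ :](/[^ ,:]+), line ([0-9]+):.*#\1:\2#p'
}

# show_offending_lines: same input, but also print the text of each line,
# like running sed -n '26p' /etc/ssh/sshd_config by hand.
show_offending_lines() {
    locate_config_error | sort -u | while IFS=: read -r sol_file sol_line; do
        if [ -r "$sol_file" ]; then
            printf '%s:%s: %s\n' "$sol_file" "$sol_line" \
                "$(sed -n "${sol_line}p" "$sol_file")"
        else
            printf '%s:%s: (file not readable)\n' "$sol_file" "$sol_line"
        fi
    done
}

# Usage on a real host:
#   /usr/sbin/sshd -t 2>&1 | show_offending_lines
```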

OpenSSH Extended Test Mode

Use the -T option to check the validity of the configuration file, output the effective configuration to stdout (screen) and then exit:
# /usr/sbin/sshd -T
See also: Openssh server security best practices for more information.
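A syntactically valid sshd_config can still leave a setting weaker than intended, and the -T output makes that checkable. The following is an added example, not part of the original article: it compares the effective configuration with a small required policy. The policy values and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): audit "sshd -T" output
# against required values. SSHD_POLICY is an example policy, not a standard.
SSHD_POLICY='permitrootlogin=no passwordauthentication=no permitemptypasswords=no x11forwarding=no'

# Constructed sample of "sshd -T" output (lowercase keyword, then value).
sample_sshd_T() {
    cat <<'EOF'
port 22
permitrootlogin yes
passwordauthentication no
permitemptypasswords no
x11forwarding no
EOF
}

# check_sshd_effective: read "sshd -T" output on stdin, print one FAIL line
# per deviation from SSHD_POLICY, return non-zero if there is any.
check_sshd_effective() {
    awk -v policy="$SSHD_POLICY" '
        BEGIN {
            n = split(policy, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        { key = tolower($1); val = tolower($2) }
        key in want {
            seen[key] = 1
            if (val != want[key]) {
                printf "FAIL %s is \"%s\", want \"%s\"\n", key, val, want[key]
                bad = 1
            }
        }
        END {
            # A keyword absent from the output cannot be confirmed, so flag it.
            for (k in want) if (!(k in seen)) {
                printf "FAIL %s missing from output\n", k
                bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Usage on a real host, as root:
#   /usr/sbin/sshd -T | check_sshd_effective && echo "policy OK"
```

Settings placed inside Match blocks are only reflected in the -T output when a connection specification is supplied with -C.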

#2: Apache Web Server

The syntax is as follows to run syntax tests for configuration files only:
# /usr/sbin/apache2 -t
Sample error reporting:

apache2: Syntax error on line 50 of /etc/apache2/apache2.conf: ServerRoot must be a valid directory

On RHEL and friends, enter:
# /usr/sbin/httpd -t
Sample outputs:

Syntax OK

You can also use the apachectl command (pass the configtest or -t option). It will run a configuration file syntax test. It parses the configuration files and either reports Syntax OK or detailed information about the particular syntax error:
# apachectl configtest
OR
# apachectl -t
Reload Apache server, enter:
# apachectl -k graceful

#3: Nginx Web Server

To run syntax tests for nginx configuration files, enter:
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf

Sample outputs:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Where,

  • -c /path/to/file : Specify which configuration file Nginx should use instead of the default.
  • -t : Just test the configuration file.

See also: Howto set nginx as a reverse proxy server and top 20 nginx best security practices for more information.

#4: Lighttpd Web Server

To test the config-file, and exit, enter:
# /usr/local/sbin/lighttpd -t -f /usr/local/etc/lighttpd/cyberciti.biz/lighttpd.conf
Sample outputs:

Syntax OK

Where,

  • -f filename : Use filename of the config-file.
  • -t : Test config-file.

#5: BIND (named) DNS Server

Use the named-checkconf command to check the syntax, but not the semantics. The file is parsed and checked for syntax errors, along with all files included by it:
# named-checkconf /etc/named.conf
You can also check bind zone files, enter:
# named-checkzone cyberciti.biz /var/named/zone.cyberciti.biz

#6: Squid Proxy Server

To parse and test configuration file, enter:
# /usr/sbin/squid -k check
# /usr/sbin/squid -k parse

Sample outputs:

2012/03/30 07:44:35| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2012/03/30 07:44:35| Initializing https proxy context

#7: MySQL (mysqld) Database Server

Type the following command:
# mysqld --verbose --help
The above will produce too much output. I recommend redirecting the output to /dev/null so that only errors and warnings are displayed on the screen:
# /usr/libexec/mysqld --verbose --help 1>/dev/null
Sample outputs:

120330  7:52:43 [Warning] '--log_slow_queries' is deprecated and will be removed in a future release. Please use ''--slow_query_log'/'--slow_query_log_file'' instead.

You can specify a new configuration file such as /root/test-my.cnf
# mysqld --defaults-file=/root/test-my.cnf --verbose --help 1>/dev/null

#8: Postfix Mail Server (MTA)

Use the following syntax. To warn about bad directory/file ownership or permissions, and create missing directories, enter:
# postfix check
OR
# postfix -vvv
Sample outputs:

postfix: dict_register: mail_dict 1
postfix: dict_update: config_directory = /etc/postfix
postfix: dict_update: queue_directory = /var/spool/postfix
postfix: dict_update: command_directory = /usr/sbin
postfix: dict_update: daemon_directory = /usr/libexec/postfix
postfix: dict_update: data_directory = /var/lib/postfix
postfix: dict_update: mail_owner = postfix
postfix: dict_update: inet_interfaces = localhost
postfix: dict_update: inet_protocols = all
postfix: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost
postfix: dict_update: unknown_local_recipient_reject_code = 550
postfix: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"

You can see errors in the maillog log file, enter:
# tail -f /var/log/maillog
Sample outputs:

Mar 30 08:01:34 mx421 postfix[2284]: dict_update: command_directory = /usr/sbin
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: daemon_directory = /usr/libexec/postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: data_directory = /var/lib/postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mail_owner = postfix
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_interfaces = localhost
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: inet_protocols = all
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: mydestination = $myhostname, localhost.$mydomain, localhost
Mar 30 08:01:34 mx421 postfix[2284]: dict_update: unknown_local_recipient_reject_code = 550
Mar 30 08:01:34 mx421 postfix[2284]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"
Mar 30 08:01:42 mx421 postfix[2285]: fatal: /etc/postfix/main.cf, line 385: missing '=' after attribute name: "sss"

#9: Samba (SMB/CIFS) File Server

Type the following command:
# testparm -v

#10: tcpd

The tcpd program can be set up to monitor incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services that have a one-to-one mapping onto executable files. The tcpdchk command examines your tcp wrapper configuration and reports all potential and real problems it can find:
# tcpdchk
# tcpdchk -a
# tcpdchk -d
# tcpdchk -i /path/to/inetd.conf
# tcpdchk -v

Where,

  • -a : Report access control rules that permit access without an explicit ALLOW keyword.
  • -d : Examine hosts.allow and hosts.deny files in the current directory instead of the default ones.
  • -i inet_conf : Specify this option when tcpdchk is unable to find your inetd.conf network configuration file, or when you suspect that the program uses the wrong one.
  • -v : Display the contents of each access control rule. Daemon lists, client lists, shell commands and options are shown in a pretty-printed format; this makes it easier for you to spot any discrepancies between what you want and what the program understands.

#11: dhcpd Server

The Internet Systems Consortium DHCP Server, dhcpd, implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached. BOOTP provides similar functionality, with certain restrictions. To test syntax pass the following option:
# dhcpd -t
OR
# dhcpd -t -cf /path/to/dhcpd.testing.conf
OR
# dhcpd -T
OR
# dhcpd -T -lf /path/to/dhcpd.lease.file

Where,

  • -t : If the -t flag is specified, the server will simply test the configuration file for correct syntax, but will not attempt to perform any network operations. This can be used to test a new configuration file automatically before installing it.
  • -T : This flag can be used to test the lease database file in a similar way.
  • -cf /path/to/dhcpd.testing.conf : Use an alternate configuration file called /path/to/dhcpd.testing.conf.
  • -lf /path/to/dhcpd.lease.file : Use an alternate lease file called /path/to/dhcpd.lease.file.

#12: vsftpd FTP Server

vsftpd is the Very Secure File Transfer Protocol daemon. Use the following command to make sure the configuration file is free from syntax errors:
# vsftpd
OR
# vsftpd -olisten=NO /path/to/vsftpd.testing.conf
That example overrides vsftpd's built-in default for the "listen" option to be NO, but then loads settings from /path/to/vsftpd.testing.conf.

#13: Nagios

Nagios is a popular open source computer system, network and infrastructure monitoring application. Run a sanity check on nagios.cfg as follows:
# nagios -v /path/to/testing/nagios.cfg
Where,

  • -v : Verify your configuration.

#14: Openntpd Server

The ntpd daemon synchronizes the local clock to one or more remote NTP servers or local timedelta sensors. ntpd can also act as an NTP server itself, redistributing the local time. Use the following syntax to run a sanity check on ntpd.conf:
# ntpd -n
# ntpd -f /usr/local/etc/ntpd.conf -n
# ntpd -d -f /usr/local/etc/ntpd.conf -n

Where,

  • -n : Only check the configuration file for validity.
  • -f /usr/local/etc/ntpd.conf : Use /usr/local/etc/ntpd.conf file as the configuration file, instead of the default /etc/ntpd.conf.
  • -d : Do not daemonize; ntpd will run in the foreground and log to stderr.

#15: Xorg - The X11 Server

Linux and Unix-like operating systems use X11 to provide users with a powerful graphical user interface. X11 is a freely available version of the X Window System that is implemented in Xorg. The default xorg.conf is located in the /etc/X11 directory. You can build an initial configuration file by simply running the following command:
# Xorg -configure
To test the existing configuration to verify that Xorg can work with the graphics hardware on the target system, enter:
# Xorg -config /path/to/xorg.conf.new -retro
Please note that the new Xorg is largely self-configuring and doesn't need a configuration file. But if you use proprietary (say Nvidia) or other drivers, you need to test the Xorg syntax using the method described above.

#16: syslogd / rsyslogd

syslogd is the Unix / Linux system logging server. rsyslogd is a reliable and extended syslogd for modern Linux distros. Rsyslogd is derived from the sysklogd package, which in turn is derived from the stock BSD sources. To check for syntax errors, type:
# syslogd -f /etc/rsyslog.testing.conf -d
OR
# rsyslogd -c4 -f /etc/rsyslog.testing.conf -N 1
Sample outputs:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 11:"$FilesOnwer root"
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.testing.conf'. [try http://www.rsyslog.com/e/2124 ]

A sanity check without any errors:

rsyslogd: version 4.6.4, config validation run (level 1), master config /etc/rsyslog.testing.conf
rsyslogd: End of config validation run. Bye.

Where,

  • -c4 : Selects the desired backward compatibility mode (in this example it is # 4).
  • -f /etc/rsyslog.testing.conf : Specify an alternative configuration file instead of /etc/rsyslog.conf, which is the default.
  • -d : Debug mode (only use with syslogd)
  • -N 1 : Do a config file check. Do NOT run in regular mode, just check configuration file correctness. This option is meant to verify a config file. The level argument modifies behaviour. Currently, 0 is the same as not specifying the -N option at all (so this makes limited sense) and 1 actually activates the code. Later, higher levels will mean more verbosity (this is a forward-compatibility option).

#17: CUPS Printing System

CUPS is the standards-based, open source printing system developed by Apple for Mac OS X and other UNIX/Linux-like operating systems. cupsd is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. To test config files for errors, type:
# cupsd -f -c /path/to/cupsd.testing.conf -t
Sample outputs:

Unknown directive Loggslevel on line 6.
/etc/cups/cupsd.conf is OK

A sanity check without any errors:

/etc/cups/cupsd.conf is OK

Where,

  • -f : Run cupsd in the foreground; the default is to run in the background as a "daemon".
  • -c /path/to/cupsd.testing.conf : Uses the /path/to/cupsd.testing.conf configuration file.
  • -t : Test the configuration file for syntax errors.

#18: slapd Stand-alone LDAP Daemon

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. To test whether the configuration file is correct or not, type:
# slapd -Tt
OR
# slapd -Tt -f /path/to/slapd-config.conf
Where,

  • -Tt : Test for config file errors.
  • -f /path/to/slapd-config.conf : Specifies the slapd configuration file. The default is /etc/openldap/slapd.conf.

#19: varnishd - HTTP Accelerator Daemon

To test varnishd VCL syntax, enter:
# varnishd -C -f /path/to/wordpress.vlc
Where,

  • -C : Print VCL code compiled to C language and exit. Specify the VCL file to compile with the -f option.
  • -f /path/to/wordpress.vlc : Use the specified VCL configuration file instead of the builtin default.

#20: exim MTA

Pass the -bV option to exim. If there are any errors in the configuration file, Exim outputs error messages. Otherwise it outputs the version number and build date, the DBM library that is being used, and information about which drivers and other optional code modules are included in the binary.
# exim -bV
Some simple routing tests can be done by using the address testing option. For example,
# exim -bt <local username>
Admin users can test the malware scanning configuration (in Exim >= 4.73) with the -bmalware option:
# exim -bmalware <filename>
Another source of information is running Exim with debugging turned on, by specifying the -d option. If a message is stuck on Exim's spool, you can force a delivery with debugging turned on by a command of the form:
# exim -d -M <exim-message-id>

#21: Bonus tips

Some additional tips:

Bash / KSH Shell Scripts

It is possible to check a bash script syntax without executing it:
$ bash -n ./myscript
Sample outputs:

./myscript: line 16: syntax error near unexpected token `fi'
./myscript: line 16: `fi'

OR
$ ksh -n /path/to/backup.ksh
See how to debug a shell script under Linux or UNIX for more information.

FreeBSD/OpenBSD/Apple OS X pf Firewall

The pfctl command is used to control the pf firewall and NAT devices under *BSD operating systems, including Apple OS X. The syntax is as follows to test for errors:
# pfctl -nf /etc/pf.conf

Where,

  • -n : Do not load the rules, just parse them.
  • -f file : Read the firewall rules from file, for example /etc/pf.conf as above or a test copy such as /path/to/pf.testing.conf.

Command Summary

Daemon                          Command
OpenSSH                         /usr/sbin/sshd -t && echo $?
                                /usr/sbin/sshd -T
Apache                          /usr/sbin/apache2 -t
                                apachectl configtest
nginx                           /usr/local/nginx/sbin/nginx -t
                                /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
lighttpd                        /usr/local/sbin/lighttpd -t -f /usr/local/etc/lighttpd/cyberciti.biz/lighttpd.conf
Bind (named server config)      named-checkconf /etc/named.conf
Bind (zone syntax)              named-checkzone cyberciti.biz /var/named/zone.cyberciti.biz
Squid proxy                     /usr/sbin/squid -k check
                                /usr/sbin/squid -k parse
MySQL server                    mysqld --verbose --help
                                /usr/libexec/mysqld --verbose --help 1>/dev/null
Postfix MTA                     postfix check
                                postfix -vvv
Samba SMB/CIFS                  testparm -v
tcpd                            tcpdchk
                                tcpdchk -v
dhcpd (DHCP / BOOTP) server     dhcpd -t -cf /path/to/dhcpd.testing.conf
vsftpd server                   vsftpd -olisten=NO /path/to/vsftpd.testing.conf
nagios                          nagios -v /path/to/testing/nagios.cfg
Openntpd NTPD server            ntpd -d -f /usr/local/etc/ntpd.conf -n
Xorg (X11 Server)               Xorg -config /path/to/xorg.conf.new -retro
syslogd / rsyslogd              rsyslogd -c4 -f /etc/rsyslog.testing.conf -N 1
CUPS Printing System            cupsd -f -c /path/to/cupsd.testing.conf -t
slapd (OpenLDAP)                slapd -Tt
varnishd                        varnishd -C -f /path/to/wordpress.vlc
exim MTA                        exim -bV
Bash/Ksh scripts                bash -n ./myscript
                                ksh -n /path/to/script.ksh
BSD pf firewall                 pfctl -nf /etc/pf.conf
proftpd                         proftpd -t -c /path/to/proftpd.testing.conf
Perl scripts                    perl -c /path/to/script.pl
                                perl -wc /path/to/script.pl

I hope you find these tips useful. Have a favorite command to check the Unix / Linux / BSD server config file for any syntax errors and/or warnings? Let's hear about it in the comments.


1 Jouni "Rautamiekka" Järvinen April 5, 2012 at 9:29 pm

You have a typo in #14: ervers -> servers.

I think it’s everything wasted to say ‘OpenSSH SSH Server’.

What about ProFTPD ?

2 nixCraft April 5, 2012 at 9:36 pm

Thanks for the heads up. To read the proftpd configuration file, report any syntax errors, and exit, run:

proftpd -t
proftpd -t -c /path/to/proftpd.testing.conf

Hope this helps!

3 Jouni "Rautamiekka" Järvinen April 5, 2012 at 9:38 pm

Doesn’t IPTables perform automatic check upon inserting a new rule ?

4 Jouni "Rautamiekka" Järvinen April 5, 2012 at 9:39 pm

Add’: Never attempted IPTables for its difficult syntax. Using UFW instead, on Ubuntu/Debian and the likes. Otherwise using some other method.

5 nixCraft April 6, 2012 at 7:49 am

Nope. No automatic check exists for IPTables. But, iptables-apply command will try to apply a new ruleset (as output by iptables-save/read by iptables-restore) to iptables, then prompt the user whether the changes are okay. If the new ruleset cuts the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous ruleset after the timeout expires. The timeout can be set with -t.

ssh root@remote1
iptables-apply -t 30 /root/mynew.rules

6 robert April 6, 2012 at 4:48 am

also perl: perl -c /path/to/script.pl

7 Raj April 6, 2012 at 7:44 am

+1 see the warnings (-w)

perl -wc script.pl

8 nixCraft April 6, 2012 at 7:49 am

Thanks for sharing -c and -w :)

9 Philippe Petrinko April 6, 2012 at 8:40 am

Hi Vivek,

Typo here ? (copy-and-paste not edited, I think)

Finally update the syntax, enter:
PermitRootLogin Naa

Shouldn’t it be :

PermitRootLogin no

Shouldn’t it ?

KUTGW,
– Philippe

10 nixCraft April 6, 2012 at 10:29 am

Thanks. The post has been updated.

11 smilyface April 6, 2012 at 11:00 am

Vivek..,
It’s quite interesting.. I came to know about it through your facebook comment.

What about this;

root@web ~# /etc/init.d/tomcat7 -t
Usage: tomcat7 {start|stop|restart|status}

root ~# /etc/init.d/tomcat7 -T
Usage: tomcat7 {start|stop|restart|status}

[root@DB ~]# /etc/init.d/postgresql-9.1 -t
Usage: /usr/local/pgsql_9.1/installer/server/startupcfg.sh {start|stop|restart|condrestart|status}

[root@DB ~]# /etc/init.d/postgresql-9.1 -T
Usage: /usr/local/pgsql_9.1/installer/server/startupcfg.sh {start|stop|restart|condrestart|status}

P.S:
tomcat7 is manually configured service file for apache tomcat(version 7)

Is there any way to handle this ?

12 Jalal Hajigholamali April 6, 2012 at 12:35 pm

Hi,
Thanks a lot …very nice & useful article..

if possible, send a new article about other well known services

13 Roy April 6, 2012 at 1:56 pm

Great post. It seems that the “option” -t rules :)

14 kiranjith April 7, 2012 at 6:26 pm

Great :)
u rOck ! :D

15 Alex April 8, 2012 at 7:05 am

This is really useful, that Apache bit was priceless this morning :)

Thanks!

16 Andy Paton April 12, 2012 at 9:25 am

Alternative to @smilyface suggested “-T” option, is just use service without an option. This gives all possible options similar to the previous mentioned “-T” option, which helps discover the check syntax/config options.

Example
$ service postfix
Usage: /etc/init.d/postfix {start|stop|restart|reload|abort|flush|check|status|condrestart}

$ service postfix check
[ OK ]

# service httpd
Usage: httpd {start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}

# service httpd configtest
httpd: apr_sockaddr_info_get() failed for xx.xx.xx
httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK

17 Collin B April 18, 2012 at 6:07 pm

The service command can be useful but you should be aware of what you are actually running. Check the /etc/init.d/servicename file and verify that it's not sending kill signals to the app if you are just wanting to test your config file.

18 LUIGI May 12, 2012 at 7:21 pm

Very good article. This will maintain my servers active when modifying config files. Little typo: in the second command-line code after OpenSSH, isn’t it “# /usr/sbin/sshd -t” instead of “# usr/sbin/sshd -t”?

19 dotme June 3, 2012 at 12:16 am

#5: BIND (named) DNS Server

Checking binds configuration and all zones can be done in a single step with

named-checkconf -z

20 nixCraft June 3, 2012 at 3:45 am

@dotme

I wasn’t aware of the -z option. Appreciate your comment.

21 Andrija March 7, 2013 at 2:15 pm

Hi,
good article.
small typo, kind of: instead of wordpress.vlc – wordpress.vcl

22 Mike April 16, 2013 at 7:44 pm

Logrotate is often forgotten. Syntax errors may result in log rotation failing for some or all logs.

The standard configuration file is /etc/logrotate.conf and includes the files in /etc/logrotate.d/. Logrotate will also attempt to process any backup files left in /etc/logrotate.d/. Syntactical errors will result in logrotate quitting at the file containing the error and not continuing. Duplicate log entries will also result in logrotate stopping.

Fortunately, there’s an easy test:

logrotate -d /etc/logrotate.conf

23 rajkumar kathane September 24, 2013 at 9:47 am

very nice & useful article..

if possible, send a new article about other well known services
