- Managing Users and Groups
- Managing File Ownership and Permissions
- Archiving Files
- Managing Linux Processes and Log Files
- Connecting Linux to a Network
-
How Linux User Accounts Work
- Authentication - proving who you are to the system (username, password)
- PAM
- root also has a home dir, it's /root
- finger - show info about the user
  finger someone
    Directory: /home/someone    Shell: /bin/bash
    On since Wed Jun 28 05:08 (EDT) on pts/0 from gateway
       1 minute 24 seconds idle
    No mail.
    No Plan.
- id - show UID, GID, groups
  id someone
  uid=1000(someone) gid=1000(somegrp1) groups=1000(somegrp1),10(somegrp2),54321(somegrp3)
-
Where Linux User Accounts Are Stored
- local /etc/passwd
- LDAP
- NIS
- Windows domain
- Local files:
  /etc/passwd - user info
  /etc/shadow - user passwords
  /etc/group  - group info
- /etc/passwd
  normal user:
    someone:x:1000:1000:someone fullname:/home/someone:/bin/bash
    user_name:password_field(x = password is kept in /etc/shadow):UID:GID:full_name:home_dir:shell
  system user (UID from 0 to 999):
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
- /etc/shadow
  someone:$6$m:17301:0:99999:7:::
  username:hashed_password:last_changed(days since 1970-01-01):min_days(0):max_days(99999):warn_days(7):inactive_days:expire(empty = never expires):reserved
- pwck - utility to check validity and synchronization of /etc/passwd and /etc/shadow files
- pwconv - synchronize missing accounts between /etc/passwd and /etc/shadow
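pwck only checks the format of the two files. The short audit below is an added example (not part of the original notes) that reads /etc/shadow-format lines and reports what matters for security: empty password fields, locked or hash-less accounts, and passwords with max_days 99999 that never expire. The sample lines are constructed for the example; on a real system the function would be fed `/etc/shadow` as root.

```shell
#!/bin/sh
# Constructed /etc/shadow-style sample (made up for this example, not a real system):
# fields: user:hash:last_changed:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='someone:$6$m:17301:0:99999:7:::
svc1::17301:0:99999:7:::
svc2:!!:17301:0:99999:7:::
sshd:*:17301:0:99999:7:::
olduser:$6$x:17301:0:90:7:::'

# shadow_audit: reads shadow-format lines on stdin, prints one finding per account:
#   user:EMPTY     empty password field -> login without any password may be possible
#   user:LOCKED    hash starts with ! or * -> password login is disabled
#   user:NOEXPIRE  max_days is 99999 -> the password never expires
#   user:OK        hashed password with a finite max_days
shadow_audit() {
    while IFS=: read -r user hash last min max warn inact expire rest; do
        [ -z "$user" ] && continue
        if [ -z "$hash" ]; then
            echo "$user:EMPTY"
            continue
        fi
        case $hash in
            '!'*|'*'*) echo "$user:LOCKED" ;;
            *) if [ "${max:-99999}" -eq 99999 ]; then
                   echo "$user:NOEXPIRE"
               else
                   echo "$user:OK"
               fi ;;
        esac
    done
}

# audit_sample: runs the audit over the constructed sample, findings joined by spaces
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit | tr '\n' ' ' | sed 's/ $//'
}

# real system, as root:   shadow_audit < /etc/shadow
audit_sample
```

The EMPTY finding is the one to act on first: with an empty second field no password is asked at all, which pwck will not complain about because the line is well formed.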
-
Creating and Managing User Accounts from the Command Line
- useradd:
  1, defaults file /etc/default/useradd:
       # useradd defaults file
       GROUP=100
       HOME=/home
       INACTIVE=-1
       EXPIRE=
       SHELL=/bin/bash
       SKEL=/etc/skel
       CREATE_MAIL_SPOOL=yes
  2, login defaults in /etc/login.defs control password expiration, UID/GID ranges, home creation etc.
  3, /etc/skel contains the skeleton files copied into the new user's home
       useradd someone
- passwd
  1, report account status
       passwd -S someone
       someone LK 2017-06-27 0 99999 7 -1 (Password locked.)
  2, set a password for the user
       passwd someone
       New password:
       Retype new password:
  3, report account status after the password was set
       passwd -S someone
       someone PS 2017-06-27 0 99999 7 -1 (Password set, SHA512 crypt.)
- usermod:
  usermod options username
  e.g. usermod -c "Someone Fullname" someone
       someone:x:54323:54330:Someone Fullname:/home/someone:/bin/bash
- userdel:
  1, delete the user account but keep the user's home
       userdel someone
  2, delete the account including the user's home
       userdel -r someone
-
Managing Linux Group Accounts
- /etc/group
- groupadd
  groupadd -g 8001 mygroup
  grep -i --color mygroup /etc/group
- groupmod
- groupdel
-
Using su
- su
  su - user      load the target user's environment (login shell)
  su -c cmd user switch to user and run a single command
  su -m user     switch user but preserve the current environment variables
-
Using sudo
- /etc/sudoers
- visudo
  e.g. (commands in a Cmnd_Alias must be given with their full path)
    User_Alias POWRUSR = someone1, someone2
    Cmnd_Alias KILLPROCS = /bin/kill, /usr/bin/killall
    Host_Alias MYHOST = myhost1
    # rule syntax: User_Alias Host_Alias = (run_as_user) Cmnd_Alias
    POWRUSR MYHOST = (root) KILLPROCS
-
Using Log Files to view authentication attempts
- /var/log/wtmp - binary, successful logins, view with: last
- /var/log/faillog - binary, failed authentication attempts, view with: faillog
  faillog -u user_name
- who - show who is logged in
- w - show who is logged in and what they are doing right now
-
Permissions:
  Permission    File                         Directory                          Value
  Read (r)      Open, view                   List directory contents            4
  Write (w)     Open, view, modify, save     Add or delete directory content    2
  Execute (x)   Run executable file          Enter the directory                1
- Permissions are not additive
  -r---w---x 1 user1 group1 43 28. Jun 06:49 runme.sh
  What is true:
    user1 (owner) - can only read the file, not write to it; if permissions were additive user1 could read/write/execute
    group1        - can only write to the file, e.g. user2 as a member of group1 can run: echo "Changed" > runme.sh
    others        - can execute, but without read permission cannot really run the script (the interpreter has to read it)
Links:
-
To be able to change into a directory, the (x) permission must be set on every directory of the path
  as user1 (owner of all three dirs):
    --x--x--x  dir1
    --x--x--x  dir2
    --x--x--x  dir3
    cd /dir1/dir2/dir3   works
  if one directory in the path lacks x, you cannot get past it:
    --x--x--x  dir1
    -----x--x  dir2   (owner user1 has no x)
    cd /dir1/dir2/dir3   won't let user1 enter dir3
- Three equivalent ways to get (the += form assumes the file starts with no permissions):
-rwxrw-r-- 1 user1 group1 41 Jun 28 07:02 runme.sh
- chmod -v u=rwx,g=rw,o=r runme.sh
- chmod -v u+rwx,g+rw,o+r runme.sh
- chmod -v 764 runme.sh
-
Working with Default Permissions
-
Linux create files/directories with default permission:
- files 666 rw-rw-rw-
- directories 777 rwxrwxrwx
-
umask
- default is 022
- represents a numeric permission value to be removed
  default by linux, with umask 000:
    touch myfile.txt
    rw-rw-rw-  myfile.txt
  with umask 022:
    default:   rw-rw-rw-  myfile.txt
    umask:     ----w--w-
    finally:   rw-r--r--  myfile.txt
- change umask
  umask 026 - removes g-w and o-rw
-
umask for directories
  umask 027 - removes g-w and o-rwx
    mkdir mydir1
    default:    rwxrwxrwx  mydir1
    umask 027:  rwxr-x---  mydir1
-
'umask xxxx' is not persistent
- must be added to /etc/profile or /etc/login.defs
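The two rules above (permission classes are not added together; umask bits are removed from the default mode) are easy to get wrong by hand. The plain-sh helpers below are an added example, not part of the original notes: apply_umask computes the mode Linux assigns for a given default and umask, octal_to_symbolic renders a mode the way ls shows it, and effective_perms picks the single owner/group/other triplet the kernel uses for a user, which is the runme.sh point from the permissions section.

```shell
#!/bin/sh
# apply_umask MODE UMASK: the mode actually assigned = default mode with the umask bits removed
#   apply_umask 666 022 -> 644,  apply_umask 777 027 -> 750
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# octal_to_symbolic 644 -> rw-r--r--   (works for any number of octal digits)
octal_to_symbolic() {
    digits=$1
    out=""
    while [ -n "$digits" ]; do
        d=${digits%"${digits#?}"}          # first remaining digit
        digits=${digits#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# effective_perms MODE OWNER GROUP USER "GROUPS..."  (MODE as three octal digits)
# Prints the ONE triplet that applies to USER: owner bits if USER owns the file,
# otherwise group bits if USER is in the file's group, otherwise other bits.
# The classes are never combined, so owner user1 of a 421 file gets r-- only.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    if [ "$user" = "$owner" ]; then
        triplet=${mode%??}                            # owner digit
    else
        ingroup=no
        for g in $groups; do [ "$g" = "$group" ] && ingroup=yes; done
        if [ "$ingroup" = yes ]; then
            triplet=${mode#?}; triplet=${triplet%?}   # group digit
        else
            triplet=${mode#??}                        # other digit
        fi
    fi
    octal_to_symbolic "$triplet"
}

# the runme.sh example (-r---w---x = 421) seen from each class:
effective_perms 421 user1 group1 user1 "user1"          # r--
effective_perms 421 user1 group1 user2 "group1 users"   # -w-
effective_perms 421 user1 group1 user3 "users"          # --x
octal_to_symbolic "$(apply_umask 666 022)"              # rw-r--r--
```

apply_umask takes the same two numbers the notes use (666 or 777 as the default, the umask as set in the shell), so you can check a proposed umask in /etc/profile before rolling it out.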
-
-
Working with Special Permissions
-
SUID(4): can only be applied to binary files (not shell scripts); the process runs with the file owner's privileges while the binary executes
  chmod -v u+s dir1 (rwsrwxr-x)
-
SGID(2): on files can only be applied to binary files (not shell scripts),
- file: user becomes temp. group member when run executable binary file
- directory: when create file, group is set from parent dir, not the user primary group
chmod -v g+s dir1 (rwxrwsr-x)
-
Sticky bit(1):
- directory (only): when set, a file inside the directory can be deleted or renamed only by the file's owner (or the directory owner, or root), even if other users have w-permission on the directory (classic use: /tmp)
chmod -v o+t dir1 (rwxrwsr-t)
Links:
-
- Backup types:
- Full - all files are backup (slow)
- Incremental - only files updated from last backup incremental or full (restore in order)
- Differential - only files updated from last full backup (so it increase in size, but restore is fast, we pick the last)
- Selecting a Backup Schedule:
- pick one day a week for a full backup, the other week days incremental or differential backups
- Determining What to Back Up:
- /etc
- /home
- /opt
- /var
- /root
- /srv
- Using Linux Backup Utilities
- tar,cpio,dd
- Using tar
- gzip uses Lempel-Ziv
- bzip2 uses Burrows-Wheeler
  e.g. tar backup to a SCSI tape device (/dev/st0) instead of a file:
    tar -cvf /dev/st0 /home
  e.g. excludes (suppose myfile.txt and mytxt.txt exist in the current dir):
    vi excl
      myfile.txt
      mytxt.txt
      :wq
    tar -cvf my.tar -X excl ./*
    creates my.tar without myfile.txt and mytxt.txt
- gzip
  e.g. compress
    gzip myfile.txt
    ls myfile.txt.*
    myfile.txt.gz
  e.g. decompress
    gunzip myfile.txt.gz
    gzip -d myfile.txt.gz
- bzip2
  e.g. compress
    bzip2 myfile.txt
    ls myfile.txt.*
    myfile.txt.bz2
  e.g. decompress
    bunzip2 myfile.txt.bz2
    bzip2 -d myfile.txt.bz2
- Using cpio
  e.g. back up only the files in the current dir (no subdirectories)
    create:   ls | cpio -ov > ./backup.cpio
    extract:  cpio -iv < ./backup.cpio
  e.g. back up files including subdirectories
    create:   find . -depth -print | cpio -ov > /home/someone/backup2.cpio
    extract:  cpio -iv < /home/someone/backup2.cpio
  e.g. with gzip
    create:   ls | cpio -ov | gzip > /home/someone/backup.cpio.gz
    extract:  gunzip -c backup.cpio.gz | cpio -i
- Creating an Archive with dd
- backs up entire disks or partitions block by block
    dd if=input_file of=output_file
    e.g. entire disk:   dd if=/dev/sda of=/home/mybigbackup
    e.g. partition:     dd if=/dev/sda1 of=/home/mybigbackup
    e.g. MBR backup:    dd if=/dev/sda of=/home/mbr.copy bs=512 count=1
         bs - block size, count - how many blocks
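The full/differential distinction from the backup types above, and the tar -X exclude list, worked through end to end. This is an added example, not part of the original notes: it builds a small constructed tree in a temporary directory, takes a full backup that skips an excluded file, records the time of that full run in a marker file, changes one file and then takes a differential backup containing only what changed since the full one.

```shell
#!/bin/sh
# Added example: full vs. differential backup with tar, driven by a marker file
# whose mtime records when the last FULL backup ran. All paths are temporary
# and all files are constructed for the example.
WORK=$(mktemp -d)
DATA="$WORK/data"            # the tree we back up (stands in for /etc, /home, ...)
BK="$WORK/backups"
mkdir -p "$DATA/etc" "$DATA/home" "$BK"
echo "cfg"  > "$DATA/etc/app.conf"
echo "home" > "$DATA/home/notes.txt"
echo "tmp"  > "$DATA/home/cache.tmp"         # something we deliberately exclude
printf 'cache.tmp\n' > "$BK/exclude"         # exclude list, like the 'excl' file above

# full_backup: archive everything under DATA except the excluded names,
# then touch the marker so later runs know when the full backup was taken
full_backup() {
    tar -cf "$BK/full.tar" -C "$DATA" -X "$BK/exclude" .
    touch "$BK/.last_full"
}

# differential_backup: archive only files modified after the last FULL backup.
# A differential keeps growing until the next full backup, but a restore needs
# only full.tar plus the newest diff.tar (the "we pick the last" point above).
differential_backup() {
    (cd "$DATA" && find . -type f -newer "$BK/.last_full" -print) > "$BK/diff.list"
    if [ -s "$BK/diff.list" ]; then
        tar -cf "$BK/diff.tar" -C "$DATA" -T "$BK/diff.list"
    else
        tar -cf "$BK/diff.tar" -T /dev/null  # nothing changed: empty archive
    fi
}

# list_members ARCHIVE: sorted list of regular-file members (directories dropped)
list_members() {
    tar -tf "$1" | grep -v '/$' | sort
}

# run_demo: full backup, change one file, differential backup;
# prints the members of the differential archive
run_demo() {
    full_backup
    sleep 1                                  # make the change clearly newer than the marker
    echo "changed" >> "$DATA/home/notes.txt"
    differential_backup
    list_members "$BK/diff.tar"
}

run_demo                                     # ./home/notes.txt
list_members "$BK/full.tar"                  # ./etc/app.conf and ./home/notes.txt
```

For an incremental scheme you would move the marker after every backup instead of only after the full one; then each archive holds only the changes since the previous run and restores must be replayed in order, exactly the trade-off listed above.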
-
Understanding Linux Processes
- Binary executables
- Internal shell commands
- Shell scripts
-
How Linux Processes Are Loaded
- Parent/Child process
- PID - Process ID Number
- PPID - Parent Process ID Number
- init process: PID 1, PPID 0, where PID 0 is the kernel process
- forking e.g. (execute) $ vi
  bash (PPID=111, PID=211) --> starts --> subshell (PPID=211, PID=311) --> vi (PPID=311, PID=411)
  so:
    a, vi (PPID=311, PID=411) runs within the subshell (PPID=211, PID=311)
    b, when vi ends, the subshell (PPID=211, PID=311) ends too
    c, control returns to the bash process (PPID=111, PID=211)
  TODO not sure if this is still true
-
Viewing Running Processes
-
top - press h for help on manipulating top's output format
Run top for user foo with the command column unwrapped:
  top -u foo -c
Run top showing the threads of process PID, with the command column unwrapped:
  top -H -p PID -c
Display memory in different units (b/kb/mb/gb/tb ...) in the top summary window: <Shift + e>
  now in MiB:
  MiB Mem : 31794.33+total, 20088.98+free, 6975.496 used, 4729.855 buff/cache
  MiB Swap: 31803.99+total, 31803.99+free, 0.000 used. 23910.77+avail Mem
Display memory in different units in the top process view window: <e>
   804 someone+  20   0 1147.5m 166.8m  45.3m S  9.0  0.5   0:13.78 chrome
  4546 someone+  20   0 1259.1m 280.6m  55.8m S  5.6  0.9  23:02.07 chrome
-
ps
  ps         - display only the processes belonging to the current shell
  ps -e (-A) - display all processes: PID, TTY, TIME, CMD
  ps -ef     - like the previous plus UID, PPID, C, STIME
  ps -efl    - like the previous plus F, S, PRI, ADDR, NI, SZ, WCHAN (shows - if running)
-
free
  free -mt          -m megabytes, -t show totals
Update free periodically (every N seconds):
  free -mt -s 10    -s update every 10 s
-
-
Prioritizing Processes
- priority (PR) - higher number -> lower priority of the process, default is 80
- nice (-20 to +19) - lower number -> higher priority of the process, default is 0
- anyone can run nice, but only root can set nice values lower than 0
  as root:
    nice -n -15 vi     PRI will be 65, NI will be -15
  as normal user:
    nice -n +5 vi      PRI will be 85, NI will be 5
    nice -n -5 vi      fails: permission denied
-
Setting Priorities of Running Processes with renice
- renice
  a vi process runs under a normal user; as root, the current process (ps -efl) is:
    0 S 54321 3809 3790 0 91 11 - 31561 poll_s pts/0 00:00:00 vi
    PID is 3809, PRI is 91, NI is 11
  renice 5 3809      PRI will be 85, NI will be 5
    0 S 54321 3809 3790 0 85 5 - 31561 poll_s pts/0 00:00:00 vi
  as normal user only a higher nice number is allowed, so:
  renice 6 3809      works
    0 S 54321 3809 3790 0 86 6 - 31561 poll_s pts/0 00:00:00 vi
  renice 5 3809      renicing back down is not allowed for a normal user
-
Managing Foreground and Background Processes
- Running Processes in the Background (& | Ctrl + z):
  e.g.
    touch myscript.sh && chmod -v 0775 myscript.sh
    vi myscript.sh
      #!/bin/bash
      sleep 1000
      exit 0
      :wq
  $ ./myscript.sh
  ... press Ctrl + Z
  [1]+ 3908 Stopped   ./myscript.sh
  $ jobs -l
  [1]+ 3908 Stopped   ./myscript.sh
  then bring it back to the foreground:
  $ fg 1
  ./myscript.sh
  put it into the background again: Ctrl + Z
  $ jobs -l
  [1]+ 3908 Stopped   ./myscript.sh
  the job is stopped right now; to put it into the running state (in the background):
  $ bg 1
  [1]+ 3908 Running   ./myscript.sh
-
Ending a Running Process
-
kill (64 signals)
  Syntax: kill -signal PID
  signal:
    SIGHUP (1)   - restarts the process with the same PID
    SIGINT (2)   - same as Ctrl + C
    SIGKILL (9)  - brute force, the process gets no chance to clean up allocated resources
    SIGTERM (15) - default when no signal is given; asks the process to terminate but lets it clean up first
  e.g. let 8662 be the vi process:
    kill -15 8662   or   kill -SIGTERM 8662
-
killall - same as kill but uses the process name instead of the PID, e.g.
killall -15 vi
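The SIGTERM/SIGKILL difference listed above, shown with a process that actually holds a resource. This is an added example, not part of the original notes: a worker subshell owns a lock file (standing in for any resource) and installs a trap that removes it on SIGTERM; SIGKILL cannot be trapped, so the file is left behind.

```shell
#!/bin/sh
# Added example: what SIGTERM vs SIGKILL means for a process that wants to clean up.

# stop_worker SIGNAL: start a worker, stop it with SIGNAL, report "cleaned" or "left behind"
stop_worker() {
    sig=$1
    lock=$(mktemp)                               # the resource the worker is responsible for
    (
        trap 'rm -f "$lock"; exit 0' TERM        # cleanup handler, only reachable via SIGTERM
        while :; do sleep 1; done                # the worker's main loop
    ) >/dev/null 2>&1 &
    pid=$!
    sleep 1                                      # give the worker time to install its trap
    kill -s "$sig" "$pid"                        # same as: kill -15 PID  or  kill -9 PID
    wait "$pid" 2>/dev/null || true              # exit status is non-zero after SIGKILL
    if [ -e "$lock" ]; then
        rm -f "$lock"
        echo "left behind"
    else
        echo "cleaned"
    fi
}

stop_worker TERM     # cleaned
stop_worker KILL     # left behind
```

This is why kill -9 is the last resort in the notes: lock files, temporary files and half-written state stay on disk, and a service restarted afterwards may refuse to start because of them.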
-
-
Managing Linux Log Files
-
most linux services are configured to write to the /dev/log device
-
when a service writes there, the input is captured by syslog
-
where each log is placed is configured in /etc/syslog.conf
-
pattern is:
  facility.priority    file
  facility e.g. cron, priority e.g. info, so:
  cron.info            /var/log/cron
-
logrotate - runs daily as cron job, config in /etc/logrotate.conf, individual services can be configured in /etc/logrotate.d/
-
-
What is protocol
-
OSI Model
- Physical
- Datalink - Datagrams
- Network - IP (Internet Protocol), ICMP (Internet Control Message Protocol)
- Transport - Packets, TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
- Session
- Presentation
- Application
-
Ports - ICANN (Internet Corporation for Assigned Names and Numbers), port range: 0 - 65536
- Well-know ports (0 - 1023):
  Ports 20 and 21: FTP
  Port 23: Telnet
  Port 25: SMTP
  Port 80: HTTP
  Port 110: POP3
  Port 119: NNTP (news)
  Ports 137, 138, 139: NetBIOS
  Port 443: HTTPS
- Registered ports (1024 - 49151)
- Dynamic ports/Private ports (49152 - 65535)
-
IP Addresses ( Network layer) - It's logically assigned to network host
- MAC address (Datalink layer) - permanent hardware address
- ARP protocol maps logical IP addresses to hard-coded MAC addresses
- An IP address consists of four octets, each an 8-bit binary number. Example: 192.168.1.1 - 11000000.10101000.00000001.00000001
- Conversion:
  Bit 1 = 128  Bit 2 = 64  Bit 3 = 32  Bit 4 = 16  Bit 5 = 8  Bit 6 = 4  Bit 7 = 2  Bit 8 = 1
  11000000 = 128 + 64 = 192
- An IP address must be unique
- Public Network Address must be globally unique (IANA - Internet Assigned Numbers Authority )
- IPv4 - 32-bit addressing scheme
- IPv6 - 128-bit addressing scheme, eight groups of four hex digits, e.g.:
35BC:FA77:4898:DAFC:200C:FBBC:A007:8973
- NAT (Network Address Translation) - connect private subnets to single public IP
- The Private IP address range (https://en.wikipedia.org/wiki/Private_network):
  10.0.0.0 - 10.255.255.255     (Class A)
  172.16.0.0 - 172.31.255.255   (Class B)
  192.168.0.0 - 192.168.255.255 (Class C)
-
Subnet Mask
- Network address
- Node address
  192.168.1 | 1
  Network   | Node
-
The subnet mask identifies the network the host resides on.
  Network - the same numbers for every host: 192.168.1
  Node    - 0 - 255
-
Default subnet masks:
  255.0.0.0
  255.255.0.0
  255.255.255.0
-
Calculating subnet
-
Address Classes (5, but the important ones are these 3):
  Class A - first octet 1 - 126,   subnet mask 255.0.0.0,     networks 126,       nodes 16.7 million
  Class B - first octet 128 - 191, subnet mask 255.255.0.0,   networks 16,384,    nodes 65,534
  Class C - first octet 192 - 223, subnet mask 255.255.255.0, networks 2,097,152, nodes 254
-
Shorthand subnet masks:
  192.168.1.1/24 - 24 bits, longhand 255.255.255.0
-
Partial subnetting e.g 255.255.252.0
-
The condition for two nodes to communicate with each other:
  Both nodes must have the same network address, which also means they must use the same subnet mask
  e.g. wrong host configuration
    Host 1, 192.168.1.1, 255.255.255.0
    Host 2, 192.168.1.2, 255.255.255.0
    Host 3, 192.168.1.3, 255.255.252.0 - wrong, won't be able to communicate with Host 1 and Host 2 without a router in between
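The binary conversion, the shorthand/longhand mask notation and the "same network address" condition above, carried out in plain sh. This is an added example, not part of the original notes; it goes a little beyond the text in that prefix_to_mask handles any prefix length, not only /24. The hosts at the end are the three from the misconfiguration example.

```shell
#!/bin/sh
# Added example: the address arithmetic behind the subnet notes, in POSIX sh.

# octet_to_bin 192 -> 11000000   (bit 1 = 128 ... bit 8 = 1)
octet_to_bin() {
    n=$1; bits=""; weight=128
    while [ "$weight" -ge 1 ]; do
        if [ $((n & weight)) -ne 0 ]; then bits="${bits}1"; else bits="${bits}0"; fi
        weight=$((weight / 2))
    done
    printf '%s\n' "$bits"
}

# ip_to_bin 192.168.1.1 -> 11000000.10101000.00000001.00000001
ip_to_bin() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs       # split the dotted quad into $1..$4
    printf '%s.%s.%s.%s\n' "$(octet_to_bin "$1")" "$(octet_to_bin "$2")" \
                           "$(octet_to_bin "$3")" "$(octet_to_bin "$4")"
}

# ip_to_int 192.168.1.1 -> 3232235777   (the address as one 32-bit number)
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235776 -> 192.168.1.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 24 -> 255.255.255.0   (shorthand /N to longhand mask)
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# network_of IP MASK -> network address (IP AND mask)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_subnet IP1 MASK1 IP2 MASK2 -> yes|no
# direct communication needs the same mask AND the same resulting network address
same_subnet() {
    if [ "$(ip_to_int "$2")" -ne "$(ip_to_int "$4")" ]; then
        echo no; return
    fi
    if [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]; then echo yes; else echo no; fi
}

ip_to_bin 192.168.1.1                                            # 11000000.10101000.00000001.00000001
prefix_to_mask 22                                                # 255.255.252.0
network_of 192.168.1.3 255.255.252.0                             # 192.168.0.0
same_subnet 192.168.1.1 255.255.255.0 192.168.1.2 255.255.255.0  # yes (Host 1 and Host 2)
same_subnet 192.168.1.1 255.255.255.0 192.168.1.3 255.255.252.0  # no  (Host 1 and Host 3)
```

Running network_of on Host 3 shows why it is isolated: with 255.255.252.0 it believes its network is 192.168.0.0 while the other two compute 192.168.1.0, so neither side will ARP for the other directly.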
-
DNS Server and Default Gateway Router Address
dig www.google.com
-
Configuring IP Parameters
- ifconfig (not a permanent config):
    ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
- ip (not a permanent config):
    ip a add 192.168.1.1/255.255.255.0 dev eth0
    or
    ip a add 192.168.1.1/24 dev eth0
    add the broadcast address:
    ip addr add broadcast 192.168.1.255 dev eth0
-
permanent config (RHEL): /etc/sysconfig/network-scripts/ifcfg-eth0
Changes are picked up after taking the interface down and up:
  ifdown interface   e.g. ifdown eth0
  ifup interface     e.g. ifup eth0
-
dhclient
dhclient -v eth0
-
Configuring Routing Parameters (Network layer)
- routing table config (SUSE)
  cat /etc/sysconfig/network/routes
  default 192.168.1.1 - -
  columns: DESTINATION GATEWAY NETMASK INTERFACE [TYPE]
  TYPE: unicast, local, broadcast, multicast, unreachable
- static routing table config (RHEL), if it exists: /etc/sysconfig/network-scripts/route-interface
  e.g. cat /etc/sysconfig/network-scripts/route-eth0
-
route command (obsolete, use ip route in future):
  add:           route add -net network_address netmask netmask gw router_address
                 e.g. route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
  del:           route del -net network_address netmask netmask gw router_address
                 e.g. route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
  default route: route add default gw router_address
                 e.g. route add default gw 192.168.1.254
-
Configuring Name Resolver Settings
-
/etc/hosts is the first name resolver
-
if no record exists there, the operating system tries to resolve the hostname using DNS
-
How it works: e.g. google.com.
- Request to the DNS server on port 53; if the DNS server is authoritative for the zone, it responds with the IP address. If not, then:
- The DNS server sends a request to a root-level DNS server (the . dot). There are 13 root-level DNS servers on the Internet. The root-level DNS servers are configured with records for the authoritative DNS servers of each TLD (.com, .gov, .de etc.)
- The root-level DNS server responds to your DNS server with the address of the DNS server authoritative for the TLD (top level domain)
- Your DNS server sends a request to the DNS server that's authoritative for the TLD (in this case .com)
- The TLD DNS server responds to your server with the IP address of the DNS server authoritative for the zone (in this case google)
- Your DNS server sends a name resolution request to the DNS server that's authoritative for the zone
- The authoritative DNS server responds to your DNS server with the IP address
- Your DNS server responds to your system with the IP address mapped to the hostname
(not cached)
  DNS request -> Your DNS server
  -> Root DNS server sends the TLD DNS server's IP address -> Your DNS server
  -> TLD DNS server sends the IP address of the DNS server authoritative for the zone -> Your DNS server
  -> DNS server authoritative for the zone sends the IP address -> Your DNS server
  -> finally the IP address for the hostname
-
configuration file in /etc/resolv.conf
  search somedome.com
  nameserver 192.168.1.1
  nameserver 192.168.1.2
search is used to complete incomplete hostnames (hostname some1 becomes some1.somedome.com)
-
/etc/nsswitch.conf used to define order of service used to resolve name
  hosts:    files dns
  networks: files dns
-
-
Using ping
- ICMP protocol
- If the ICMP echo response packet is received by the sending system, then the following holds:
- your network interface works correctly
- destination system is up and works correctly
- network hardware between requester system and destination system works correctly
-
Using netstat
- TODO
-
Using traceroute
- TODO
-
Using dig, host
- TODO
-
Encrypting Remote Access with OpenSSH
- How Encryption Works:
-
Symmetric encryption:
-
the sender and the receiver must have exactly the same key to both encrypt and decrypt messages
-
3DES - 112bit - 168bit
-
AES - 128 - 192 - 256 bit
-
Blowfish - 448 bit
-
-
Asymmetric encryption:
-
uses two keys, private key and public key
-
data encoded with public key, can be decoded only with private key and vice versa
-
DSA (Digital Signature Algorithm)
-
RSA (Rivest Shamir Adleman)
-
public/private keys are much longer, 1024 bits and more
-
main disadvantage: slower than symmetric encryption
-
to verify that a public key is legitimate we use a CA (Certificate Authority)
-
the private key is held only by the requesting entity (the one who requests the certificate from the CA)
-
a public key certificate is a digital message containing the public key, signed with the CA's private key
-
A certificate contains:
- The name of the organization
- The public key of the organization
- The expiration date of the certificate
- The certificate’s serial number
- The name of the CA that signed the certificate
- A digital signature from the CA
-
2 types of CAs:
- internal CA (self signed, only for internal purposes)
- external CA
-
browsers come with a lot of preinstalled certificates from external CAs, see Firefox - Edit - Preferences - Advanced - Certificates
-
-
-
How OpenSSH Works
- OpenSSH provides:
- sshd
- ssh
- scp
- sftp
- slogin
- Keys are stored in:
- Private key: /etc/ssh/ssh_host_key
- Public key: /etc/ssh/ssh_host_key.pub
- SSH client stores keys in:
- /etc/ssh/ssh_known_hosts
- ~/.ssh/known_hosts
- It works like this:
- the server sends its public key to the client -> the client accepts it, generates a new session key and encrypts it with the server's public key -> sends it to the sshd server -> the server decrypts it with its private key (asymmetric) -> now both have the same key and start using symmetric encryption
- SSH version 2 differences:
-
host key files in:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_rsa_key
-
the secret (session) key is not transmitted from client to server
-
Diffie-Hellman key agreement
-
-
Configuring OpenSSH
- sshd daemon: /etc/ssh/sshd_config
- ssh client: /etc/ssh/ssh_config file or the ~/.ssh/ssh_config file.
-
TODO ssh tunneling