- 105.1 Customize and use the shell environment - 4
- 105.2 Customize or write simple scripts - 4
- 105.3 SQL data management - 2
- 107.1 Manage user and group accounts and related system files - 5
- 107.2 Automate system administration tasks by scheduling jobs - 4
- 107.3 Localisation and internationalisation - 3
- 108.1 Maintain system time - 3
- 108.2 System logging - 3
- 108.3 Mail Transfer Agent (MTA) basics - 3
- 108.4 Manage printers and printing - 2
- 109.1 Fundamentals of internet protocols - 4
- 109.2 Basic network configuration - 4
- 109.3 Basic network troubleshooting - 4
- 109.4 Configure client side DNS - 2
- 110.1 Perform security administration tasks - 3
- 110.2 Setup host security - 3
- 110.3 Securing data with encryption - 3
-
Working with shell
- ash, bash, csh, ksh, tcsh, zsh
- shell for user is specified in /etc/passwd
- special shells
- /bin/false, returns non zero error code, block user to login
- /sbin/nologin, blocks user to login, infor with message
-
Environment variables
- variable in bash can be upper or lowercase, with letters, numbers, _
- by convention
- spaces could by escaped, e.g
- FOO="BAR BAR"
- FOO=BAR\ BAR
- variable scope
- gen.sh
#!/bin/bash cat > gen_test.sh <<EOF #!/bin/bash echo "It's foo=\$FOO" exit 0 EOF if [ -e gen_test.sh ]; then chmod -v 0755 gen_test.sh fi exit 0 - get_test.sh
#!/bin/bash echo "It's foo=$FOO" exit 0 - get_test.sh command starts a child process
FOO="bar" ./gen_test.sh $ It's foo= - export, marks variable to be available to child process
export FOO="bar" ./gen_test.sh $ It's foo=bar - setting variables from child process, with source
config.sh FOO="bar"#!/bin/bash source ./config.sh echo "It's foo=$FOO" exit 0 - setting variables from child process, with period
#!/bin/bash . ./config.sh echo "It's foo=$FOO" exit 0 - setting, unsetting variables
- unset
FOO="bar" echo $FOO bar unset FOO echo $FOO - set, enable/disable shell features
#!/bin/bash set -x FOO="bar" echo "It's foo=$FOO" set +x exit 0 Output: + FOO=bar + echo 'It'\''s foo=bar' It's foo=bar + set +x set -x print each execution line in script until set +x, this disable the shell script debug - noclobber
#!/bin/bash echo "first" > out.txt echo "second" > out.txt set -C echo "third" > out.txt set +C echo "fourth" > out.txt set -o noclobber echo "fifth" > out.txt set +o noclobber echo "sixth" > out.txt echo "Final output: \n" cat out.txt exit 0 - set as possitional parameters
set x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 echo $1 x1 echo ${11} x11
- unset
- gen.sh
-
Subshell
- call of subshell
#!/bin/bash echo "Parent shell $BASH_SUBSHELL pid $$" FOO="bar" echo "Parent shell FOO: $FOO" echo "Executing subshell command: " (echo -n "Before FOO: $FOO ";FOO="baz";echo -n "| After FOO: $FOO "; echo -n "| Inside the subshell $BASH_SUBSHELL "; echo $$) echo "Parent shell FOO, after subshell command: $FOO" exit 0 - env
wipes environment first env -i e.g env -i sh -c 'echo $PATH' Output: /usr/local/bin:/usr/bin env sh -c 'echo $PATH' Output: /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/walrus/.local/bin:/home/walrus/bin
- call of subshell
-
Global/User settings
- Login shell, when login to system
- /etc/profile
- /etc.profile.d/ -~/.bash_profile, if not exists shell looks at ~/.bash_login, ~/.profile -convetion that inside a ~/.bash_profile a ~/.bashrc is source-d
- Logout
- ~/.bash_logout, use clean to wipeout screen
- No-Login shell
- when started terminal in graphical session, root call su some_user
- only ~/.bashrc is source-d
- after exit no ~/.bash_logout are source-d
- PATH
- series of directories separted by colon |:|
- add instead of replacing
export PATH=$HOME/bin:$PATH - expand implicit check for current directory
export PATH=$PATH:. - little bit dangerous, possibly shadowing e.g /usr/bin/cat to /tmp/cat etc
- alias
~/.bashrc alias ls="ls -lh" alias one="echo $1 $2 $$ $0" source ~/.bashrc one X1 X2 Output: 1928 -bash X1 X2 X3 - functions
function name() { commands } - PS1
PS1='| \h@\u > \w |\$' \$ - effective UID is 0, than # else $
- Login shell, when login to system
Links:
- is-a-sub-shell-the-same-thing-as-a-child-shell
- dash (-) meaning in commands
- whats-the-magic-of-a-dash-in-command-line-parameters
-
Running script
- #!/bin/bash
- bash test.sh
-
Managing scripts
- system wide /usr/local/bin
- output of another command
test.sh #!/bin/bash while true; do echo $'Going to sleep \n' sleep 60 echo $'\nWake up \n' done./test.sh get commad PID: with $() PID=$(ps -ef | grep -i --color "[t]est.sh" | head -n 1 | awk '{ print $2 }') echo $PID 3356 with `` PID_APS=`ps -ef | grep -i --color "[t]est.sh" | head -n 1 | awk '{ print $2 }'` echo $PID_APS 3356 kill -15 $PID
-
Shell scripts commands
-
Numeric expressions
- math in shell, an expression must be inside $(()) parenthesis
test.sh #!/bin/bash echo $((1 + 2)) exit 0 ./test.sh 3 - bash only works with integer, to interpret decimal positions bass heeds tool bc
test.sh #!/bin/bash RADIUS=3 echo "3.14 * $RADIUS ^ 2" | bc exit 0 ./test.sh 28.26
- math in shell, an expression must be inside $(()) parenthesis
-
Conditionals
test.sh if date; then echo "It's worked" elif date; then echo "It'works again" else echo "Not worked" exit 0./test.sh It's workedModify: if de; then echo "It's worked" ./test.sh It'works againModify: if dte; then echo "It's worked" elif dte; then echo "It'works again" ./test.sh Not worked -
Testing files
test.sh #!/bin/bash if [[ -e ~/.bashrc ]]; then echo ".bashrc file exist" fi exit 0 ./test.sh .bashrc file exist- Pitfalls
Correct: if[[ -e ~/.bashrc ]]; then Wrong: if[[ -e ~/.bashrc ]]; then if [[-e ~/.bashrc ]]; then if [[ -e ~/.bashrc]]; then
- Pitfalls
-
Testing files
test.sh #!/bin/bash if [[ -e ~/.bashrc ]]; then echo ".bashrc file exist" fi -
Testing strings
- z zero length string
- n nonzero length string
test.sh #!/bin/bash echo -n "How old are you: " read AGE if [[ -z $AGE ]]; then echo "You did't write your age" elif [[ -n $AGE ]]; then echo "Your age is $AGE" fi ./test.sh (test -z) How old are you: You did't write your age ./test.sh (test -n) How old are you: 100 Your age is 100 - string equality is tested with single equals sign (=), not equal (!=)
test.sh #!/bin/bash if [[ 'test.sh' = $(basename $0) ]]; then echo "It's our script: $(basename $0)" fi
-
Testing integers
- eq,ne,ge,le,gt,lt
# input is not checked, suppose it will be number echo -n "Write one number: " read NUMBER if [[ $NUMBER -eq 10 ]]; then echo "It's 10" elif [[ $NUMBER -ne 10 ]]; then echo "Not equal 10. It's $NUMBER" fi if [[ $NUMBER -ge 10 ]]; then echo "Greater or equal 10. It's $NUMBER" fi if [[ $NUMBER -le 10 ]]; then echo "Lower or equal 10. It's number $NUMBER" fi if [[ $NUMBER -gt 10 ]]; then echo "Greater than 10. It's number $NUMBER" elif [[ $NUMBER -lt 10 ]]; then echo "Lower then 10. It's number $NUMBER" fi exit 0 -
Combining multiple tests
- single bracket conditions AND (-a), OR (-o)
test.sh #!/bin/bash NUMBER=10 if [ $NUMBER -ge 10 -a -f ~/.bashrc ]; then echo "Single bracket AND condition is met." else echo "Single bracket AND condition is not met." fi NUMBER=0 if [ $NUMBER -ge 10 -o -f ~/.bashrc ]; then echo "Single bracket OR condition is met." else echo "Single bracket OR condition is not met." fi exit 0 - double bracket conditions AND (&&), OR (||)
test.sh #!/bin/bash NUMBER=10 if [[ $NUMBER -eq 10 && -f ~/.bashrc ]]; then echo "Double bracket condition is met." else echo "Double bracket condition is not met." fi exit 0 - double bracket multiple conditions [[ COND1 && ( COND2 || COND3 ) ]]
test.sh #!/bin/bash NUMBER=10 SECOND=0 if [[ ($NUMBER -ge 10 && $SECOND -eq 0) && -f ~/.bashrc ]]; then echo "Double bracket multiple condition is met." else echo "Double bracket multiple condition is not met." fi exit 0
- single bracket conditions AND (-a), OR (-o)
-
Combining multiple tests
-
- matches everything
- statement is terminated with ;;
- whole case with esac
- after first match stops
test.sh #!/bin/bash echo -n "Which distro you use: " read DIST case $DIST in: ubuntu | debian) echo "It's $DIST" ;; rhel | centos) echo "It's $DIST" ;; *) echo "Never heard about it" esac -
-
Loops
- for, for in list; do statement; done
test.sh #!/bin/bash echo -n "Rename from:" read FROM echo -n "Rename to:" read TO for file in *.$FROM; do new_name=$(echo $file | sed "s/$FROM$/$TO/") echo "New name: $new_name" done exit 0 ./test.sh Rename from: TXT Rename to: PDF - sequences
seq 1 6 1 2 3 4 5 6 seq 1 3 10 1 4 7 10 seq -w 1 5 10 01 06 - because of 10, with seq -w 1 2 9 it won't worked, it will be 1 3 5 7 9 oneliner: for i in $(seq -w 1 10); do echo $i; done - while
test.sh #!/bin/bash STOP=5 COUNT=0 while [[ $COUNT -lt $STOP ]]; do COUNT=$(( $COUNT + 1 )) echo "Actual: $COUNT" done exit 0 - until, opposite to while or while [[ ! condition ]]; do statement; done
test.sh #!/bin/bash if [[ -f ~/done.txt ]]; then rm -v ~/done.txt fi until [[ -f ~/done.txt ]]; do sleep 10 set -x touch ~/done.txt set +x done exit 0
- for, for in list; do statement; done
-
returning error code
# successfull exit 0 # error exit 1 -
arguments
test.sh #!/bin/bash echo "Current number of arguments: $#" until [[ $# -eq 0 ]]; do echo "Arg: $1" echo "Before shift: $#" shift echo "After shift: $#" done exit 0 ./test.sh one1 two2 three3 four4 -
exec
- normaly when shell call another function a bash fork itself to parent(bash itself) and child process (identical copy of parent bash) child the executes ls command, replacing itsef with ls, parent(bash) waits until ls exits and returns a shell
- exec call replace a current shell session in memory and after exec finish a control is returned to the shell called the script and not continue with next command in script (in e.g echo "Current shell after exec sleep 2 s") so echo "Current shell after exec sleep 2 s" call never happend
test.sh #!/bin/bash echo "Current shell, exec to sleep" exec sleep 2 echo "Current shell after exec sleep 2 s" exit 0
-
Links:
-
User Accounts
-
User ID (UID)
-
Group ID (GID)
-
kernel < 2.6 support up to 65,536 users and groups
-
kernel > 2.6 support up to 4,294,967,296 users and groups
-
association between UID and user /etc/passwd
-
association between GID and group /etc/group
-
to log user into system, user entry in /etc/passwd must exist
-
/etc/passwd
- entries range 0..499
- 0 root user
- 1 bin user, sytem binaries, nonlogin accounts
- 48 apache user
- 99 nobody, annonymous access on FTP and HTTP servers, maps root to apttempt NFS access
/etc/passwd tux:x:500:100:Tux penguin:/home/tux:/bin/bash tux - user name, 8 or fewer characters, should be lowercase x - mark that password ist stored in /etc/shadow 500 - UID 100 - primary group, all the file objects created by user will have this group Tux penguin - GECOS (GE Common Operating System), could be blank, comment or full name /home/tux - absolute path to user home directory /bin/bash - define login shell -
getent - displays entries from databases supported by the Name Service Switch libraries, configured in /etc/nsswitch.conf
/etc/nsswitch.conf passwd: files nis shadow: files nis -
Special Login Files:
- /bin/false - when user's shell set to (replace, /bin/bash for e.g), user cannot log in, system accounts
- /etc/nonlogin - when user's shell set to, attempt to login generate, account is unavailable and exits with nonzero exit code
- /etc/motd - displays the /etc/motd after successful login
- .hushlogin - placed in user's home directory, changes the login process, e.g does not perform motd, last login info
- /etc/login.defs - defines defaults for users created by useradd cmd, mail, password complexity, UID, GID min - max, .etc
- /etc/securetty - specifies where the root user is allowed to log in (e.g tty1,tty2), if not exists root can log from any location
- /etc/usertty - set parameters for login locations, days, times, systems to user can connect from, used only if no PAM
-
-
Group Accounts
- Primary - appears in /etc/passwd file, user doesn't have to be listed as member in /etc/group, the GID in /etc/passed is complementary
- Secondary - user's name appear as last field in /etc/group, user is a member of group, access to object which group owns
- /etc/group ordinary GIDs:
- 0 - root group
- 1 - bin group, similar to bin user account
- 100 - regular group, ownership to objects all regular useres should have
- wheel - compatibility with BSD systems, used to create "administration group", for sudo usage
users:x:100:tux,walrus users - name, 8 characters and should be lowercase x - like /etc/shadow, group passwords in /etc/gshadow 100 - GID tux,walrus - secondaty group members, no spaces are allowed, comma(,) separated - UPG (user private group) - when no primary group is assigned to users during a account creation a primary group with same name and GID (equal to UID) is created, if the GID is not available a next incremented values is used, Red Hat base distro features, Debian base do not use this feature rather assign newly created user primary group to users(100)
- chgrp - change a group of file
chgrp staff /somefolder Change group of folder and subfiles to "staff" chgrp -hR staff /somefolder - newgrp - opens a new shell with temporary changed user primary group, user must by member of that group, exit exits
temporary shell and assign the original primary group
User tux: uid=500(tux) gid=500(tux) groups=100(users) - (UPG, Red Hat see uid and gid) newgrp users uid=500(tux) gid=100(users) groups=100(users) - temporary switch GID - gpasswd - assign password to group, if password has been assigned, then newgrp require password, even user is a member of that group
-
Account add/modify/delete
- useradd
useradd tux - Red Hat based: create same name and group, create same UID and GID, assign GID as primary group, create /home/tux, copy /etc/skel - Debian based: create user name, create UID, set GID to users (GID=100), no home dir to do the same in Debian based as in Red Hat: useradd -m -d /home/tux -k skel -g 100 -u 1025 tux - c GECOS, comment - d home-dir HOME_DIR - D useradd defaults (defined in /etc/default/useradd) - e sets account expiration date, after that date account is disabled - f num of days the password reach its max. life, user able to log in, but need to change password - g GID of user's primary group - G list of secondary groups - k skel SKEL_DIR (/etc/skell) - m create home - o non-uniqe UID - u UID user's id - s full path to user login shell - modify useradd defaults
useradd -D -s /bin/zsh cat /etc/default/useradd ... SHELL=/bin/zsh - /etc/skel usetadd
ls -la /etc/skel -rw-r--r--. 1 root root 18 Apr 10 20:53 .bash_logout -rw-r--r--. 1 root root 193 Apr 10 20:53 .bash_profile -rw-r--r--. 1 root root 231 Apr 10 20:53 .bashrc useradd -m tux ls -la /home/tux -rw-r--r--. 1 root root 18 Apr 10 20:53 .bash_logout -rw-r--r--. 1 root root 193 Apr 10 20:53 .bash_profile -rw-r--r--. 1 root root 231 Apr 10 20:53 .bashrc - customized skel template
/etc/skel/custom |-.bashrc |-.bash_profile |-.bash_logout |- walrus.txt useradd -m -k /etc/skel/custom walrus ls -la /home/walrus -rw-r--r--. 1 walrus walrus 18 Sep 16 13:29 .bash_logout -rw-r--r--. 1 walrus walrus 193 Sep 16 13:29 .bash_profile -rw-r--r--. 1 walrus walrus 231 Sep 16 13:29 .bashrc -rw-r--r--. 1 walrus walrus 0 Sep 16 13:29 walrus.txt - groupadd
groupadd clerks cat /etc/group ... clerks:x:1002: - GID for user is next number after GID_MIN specified in /etc/login.defs - usermod
- d change user's home directory, also ownership of the files located in new home have to be changed (e.g chown -R tux:users /home/new_tux)
- g change primary group, changes which file objects the user has access to
- G changes the user's secondary group e.g
id walrus uid=1001(walrus) gid=1001(walrus) groups=1001(walrus) usermod -a -G users,clerks walrus id walrus uid=1001(walrus) gid=1001(walrus) groups=1001(walrus),100(users),1002(clerks) - u change's the user's uid, change automatically uid in user's home dir, but not the others, so old UID remain e.g
as root: touch /opt/walrus_stamp.txt chown walrus:users /opt/walrus_stamp.txt ls -l /opt/walrus_stamp.txt -rw-r--r--. 1 walrus users 0 Sep 16 15:27 walrus_stamp.txt cat /etc/passwd ... walrus:x:1001:1001::/home/walrus:/bin/bash usermod -u 1003 walrus cat /etc/passwd ... walrus:x:1003:1001::/home/walrus:/bin/bash ls -la /home/walrus ... -rw-r--r--. 1 walrus walrus 0 Sep 16 13:29 walrus.txt ls -l /opt/walrus_stamp.txt -rw-r--r--. 1 1001 users 0 Sep 16 15:27 walrus_stamp.txt - L lock the account, /etc/shadow prefixing the current encrypted password with !
- U removes a lock on user's account
- groupmod
- change GID has a same effect as usermod -u, in this case a GID remain
- userdel
- Removes user without his home directory
ls -la /home/walrus ... -rw-r--r--. 1 walrus walrus 0 Sep 16 13:29 walrus.txt userdel walrus ls -la /home/walrus ... -rw-r--r--. 1 1003 1001 0 Sep 16 13:29 walrus.txt - Removes user with his home directory
userdel -r walrus - Currently logged user cannot be deleted, attempt to delete the account display a error message
userdel: user walrus is currently used by process 190909 - To delete currently logged user
Lock the user first usermod -L walrus Kill user's login shell PID kill -9 190909 Then delete the user userdel walrus
- Removes user without his home directory
- Recreate a user
ls -la /home/walrus ... -rw-r--r--. 1 1003 1001 0 Sep 16 13:29 walrus.txt First recreate walrus group with GID 1001 groupadd -g 1001 walrus Second user walrus with UID 1003 useradd -u 1003 -g walrus -d /home/walrus walrus Note: Files from /etc/skel won't be copied - groupdel
Before delete a group: 1, find if group doesn't have secondary members 2, isn't primary group for any user account 3, find all the files/dirs owned by group and assign to another groupdel clerks
- useradd
-
Shadow suite
- /etc/passwd without shadow suite
walrus:&ujw7w9:1003:1001::/home/walrus:/bin/bash &ujw7w9 - encrypted string - /etc/passwd with shadow suite
walrus:x:1003:1001::/home/walrus:/bin/bash x - replaced encrypted string - passwords are stored in:
- /etc/shadow
walrus:&ujw7w9:17791:0:99999:7:30:17000: walrus - login name &ujw7w9 - user's encrypted password 17791 - last change, since January 1, 1970 0 - minimum, days before password can by changed (0 - immediate) 99999 - maximum, days before password must be changed (99999, efective 273 years) 7 - warning, days before password expires due to maximum, with warning displayed 30 - inactive, days after account expires due to maximum, but user can still log on and change password durin log in 17000 - expiration date, since January 1, 1970 the date when account will expire- /etc/gshadow
- shadow file permissions
/etc/passwd RHEL - rw-r--r-- (644) Debian - rw-r--r-- (644) /etc/shadow RHEL - r-------- (400) Debian - rw-r----- (640)
- /etc/passwd without shadow suite
-
Change password
- for user itself
passwd - as a root for user
passwd walrus - d - disables users account, remove password
- n - min. days password lifetime
- x - max. days password lifetime
- w - warning days before password expires
- i - num. of days account inactive, before it's locked
- S - shows password info
- for user itself
-
chage
- m - min. num. of days, before user is able to change password again
- M - max. num. of days, befor user must change a password
- d - changed the last password changed value
- E - expiration date, since January 1, 1970, account will be disabled YYYY-MM-DD
- I - num. of days inactivity, after account is locked and must be reenabled by root, 0 disables this feature
- W - mun. of days user must change password with displaying the warning message
-
ulimit user variables, changes are not pernamment, have to be in /etc/bashrc, or /etc/profile
- c - lim. size core dump
- d - lim. size user process data
- f - lim. max. size of files created in shell
- n - lim. number of open file descriptors
- t - lim. CPU time for user
- u - lim. num. of processes user can run
- v - lim. max. amount of virtual memory
- a - show limits (lim.)
-
Cron
- Daemon crond
- Job configurator crontab
- to edit a crontab
crontab -e - to display crontab for user
crontab -l - to display user's crontab
as root crontab -l -u walrus - crontab format, see crontab.guru
1.2.3.4.5 * * * * * command 1. Minute (0 - 59) 2. Hour (0 - 23) 3. Day (1 - 31) 4. Month (1 - 12) 5. Day of the week (0 - 7 with 0 and 7 being Sunday) Special case, day and day of the week is defined (e.g 30 5 1 * 1 - job runs 5:30 on the first of the month (defined 3.-rd column) and every monday (defined last column) * * 1 * 1 - job runs at every minute on the day-of-month 1 and on Monday - crontab multiple matches
0 0,12 * * * - job will run at midnight and noon 0 0,12 * jun,jul,aug * - job will run at midnight and noon during june, july, august - crontab with range values
0 0,12 * jun-aug * - job will run at midnight and noon during june, july, august (same as above) 5 16-19 * * 8 - job will run at 5 minutes past every hour from 16 through 19 - step values
* */2 * * * - every two hours */30 * * * * - every 30 minutes * 1-23/2 * * * - every odd numbers - crontab command format
0 0 * * * /home/walrus/crotabtest.sh also valid shell code is accepted 0 0 * * * if [[ -f /home/walrus/garbage.log ]]; then cat /dev/null > /home/walrus/garbage.log; fi this will clean up garbage.log without delete it - crontab PATH setup
- cron doesn't run .bash_profile or .bashrc
* * * * * env > /home/walrus/crontab.env cat /home/walrus/crontab.env XDG_SESSION_ID=33 SHELL=/bin/sh USER=walrus PATH=/usr/bin:/bin PWD=/home/walrus LANG=en_US.UTF-8 SHLVL=1 HOME=/home/walrus LOGNAME=walrus XDG_RUNTIME_DIR=/run/user/1003 _=/usr/bin/env - Avalable variable definitions in crontab
PATH=/bin:/usr/bin:/usr/local/bin/:/home/walrus/bin [email protected] SHELL=/bin/zsh CRON_TZ="Europe/Berlin" * * * * * crontest.sh
- cron doesn't run .bash_profile or .bashrc
- crontab nicknames
@reboot - after reboot @yearly - once year at midnight 1 January @annually - same @yearly @monthly - midnight on the first of month @weekly - once a week on Sunday at midnight @daily - once a day at midnight @hourly - once a hour, on the hour this equals: 0 0 * * * /home/walrus/bin/crontest.sh @daily /home/walrus/bin/crontest.sh - crontab are stored in /var/spool/cron
[root@localhost ~]# cat /var/spool/cron/walrus */2 * * * * /home/walrus/bin/crontest.sh - system crontabs sar
- /etc/cron.d, integrating with package management
- crontab entries per installed packages can be added and removed without affecting shared /etc/crontab
- contain 6 columns, a column between schedule and command is a user name which should execute the job
0 1 * * Sun root /usr/bin/connect-check
- convenience crontabs, any of those crontabs garantees only that they will run as declared in crontab.*,
but the hour, day .etc are not guaranteed, scripts are placed directly to directories, no need to edit crontab
- /etc/cron.hourly
- /etc/cron.daily
- /etc/cron.weekly
- /etc/cron.monthly
- restricting access
- /etc/cron.allow, /etc/cron.deny normal is have only one of those, otherwise it should lead to confusion
- /etc/cron.allow - only users in that file cuold edit their own crontab
- /etc/cron.deny - any user could edit his own crontab, unless is not presented in this file
- if any of cron.deny, cron.allow exists, only root have an access
- most linux distribution starts with /etc/cron.deny
-
Anacron
- made to run jobs daily or less frequently, jobs where precise time doesn't matter
- advantage over cron is it runs jobs that where scheduled to go when the server is off
- focuses on when the last time job has been running
- no command, only /etc/anacrontab
- job only run under root user
- max granularity is 1 day
- can run as daemon, but run from cron itself to check processing jobs
# /etc/anacrontab: configuration file for anacron # See anacron(8) and anacrontab(5) for details. SHELL=/bin/sh PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root # the maximal random delay added to the base delay of the jobs RANDOM_DELAY=45 # the jobs will be started during the following hours only START_HOURS_RANGE=3-22 #period in days delay in minutes job-identifier command 1 5 cron.daily nice run-parts /etc/cron.daily 7 25 cron.weekly nice run-parts /etc/cron.weekly @monthly 45 cron.monthly nice run-parts /etc/cron.monthly - run-parts - tool which comes with cron to run each file in the given directory
-
at
- designed run task once at specific time
- task jobs are queued up in /var/spool/at as e.g. /var/spool/at/a0007837hjvet9
- create at command
at now + 1 min > wall "It's night" [Enter] > <EOT> [Ctrl + d] job 6 at Mon Sep 17 16:12:00 2018 or echo 'wall "Hey is there a walrus?"' | at now + 1 min - midnight - 00:00
- noon - 12:00
- teatime - 16:00
- time-of-day - 2:00 p.m or 5 a.m
- date - 2 pm sep 17
- now + time - now + 1 min
- atq - list queued jobs in /var/spool/at
- atrm - delete queued jobs
- /etc/at.allow, /etc/at.deny same as cron
-
batch
- extention of at command, share same man pages
- used to run jobs not at specifics time but a threshold of system utilization
- to determine the system utilization, it uses load average, e.g a w command (who)
[root@localhost ~]# w 07:43:00 up 2 min, 1 user, load average: 0.01, 0.02, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 gateway 07:40 4.00s 0.06s 0.04s w 1. 2. 3. load average: 0.01, 0.02, 0.01 1. 1 minute sample 2. 5 minute sample 3. 15 minute sample 1.,2.,3. represents the average number, of processes waiting to be run e.g system with 2 CPU, will high load when all of them are about 2.0 - batch e.g
/home/walrus/bin/walrustest.sh | batch job 18 at Tue Sep 18 08:12:00 2018 atq - should dispaly a scheduled job in queue or batch at>echo "I am walrus" at>Ctrl+d job 19 at Tue Sep 18 08:13:00 2018 - to configure utilization average atrun commad is provided (e.g for 1 CPU)
atrun -l 0.6 - batch jobs are spooled into /var/spool/at as e.g /var/spool/at/b000073639kew038
- Timezones
- UTC (Universal Coordinated Time)
- GMT (Greenwich Mean Time)
- DST (Dailight saving time)
- in Linux all timestamps are stored in UTC, system then adds or removes the time zone offset
- unix store time as seconds since UTC of January 1, 1970
- date
Display UTC time: date -u Display custom date: date +"%Y-%m-%dT%H:%M:%z" %z - Time zone offset - Setting a Time Zones
- configurations /usr/share/zoneinfo, e.g /usr/share/zoneinfo/Europe/Zurich
- to change timezone
ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime - if user is unable to set timezone, it; spossible to override TZ enviroment variable
export TZ=Europe/Zurich date +"%z" +0200
- tzselect, tzconfig, dpkg-reconfigure tzdata
- Character encoding
- ASCII
- ISO-8859
- UCS-2 (2 byte)
- UTF-16
- UTF8, allow 1-6 bytes, 1 because of ASCII compatibility
- Representing locales
- language code (ISO 639)
- country code (ISO 3166)
- encoding
locale -a | grep -i --color de_DE de_DE de_DE@euro de_DE.iso88591 de_DE.iso885915@euro de_DE.utf8- fallback locales, C or 8-bit version of ASCII
- Contents of locale
- Addresses
- Collation
- Measurement
- Messages
- Monetary
- Names
- Numeric
- Paper
- Telephone
- Time
- distributed as separate packages to save space, generated through locale-gen
- Use of locales in Linux
- gettext library
- LANGUAGE, when printing a messages
- LC_ALL, highest priority, even other values are in variables, LC_ALL takes priority
- LC_XXX, (mean LC_TIME, LC_NUMERIC .etc), could override some locale variable even, LANG
contains other
LANG=en_US.UTF-8 LC_CTYPE="en_US.UTF-8" LC_NUMERIC="en_US.UTF-8" LC_TIME="en_US.UTF-8" LC_COLLATE="en_US.UTF-8" LC_MONETARY="en_US.UTF-8" LC_MESSAGES="en_US.UTF-8" LC_PAPER="en_US.UTF-8" LC_NAME="en_US.UTF-8" LC_ADDRESS="en_US.UTF-8" LC_TELEPHONE="en_US.UTF-8" LC_MEASUREMENT="en_US.UTF-8" LC_IDENTIFICATION="en_US.UTF-8" LC_ALL= export LANGUAGE='' export LC_MESSAGES=de_DE.utf8 ls -l Output: insgesamt 0
- Conver file encodings
iconv -c -f ASCII -t UTF8 data.txt > utf8_data.txt
- Reasons
- file timestamps
- scheduled jobs
- annotating log entries
- current time (UTC to local)
- cryptographic ops. token expiration
- Clocks
- hardware clock, separate chip a real-time clock
- system clock, part of linux kernel (e.g timestamps)
- driff
- System clock
show UTC time date -u show from epoch 1.1.1970 date +%s minimum [MMDDhhmm[[CC]YY][.ss]] without year: date 09251030 Tue Sep 25 10:28:00 CEST 2018 with year: date 092510302014 Thu Sep 25 10:30:00 CEST 2014 - Hardware clock
- RTC, real time clock on motherboard
- hwclock, user should be root
hwclock Tue 25 Sep 2018 11:07:56 AM CEST -0.604595 seconds -0.604595 seconds - how long between the time the command was started and the clock was read, drift - /etc/adjtime, if not exists, the synchronization never happened
0.838229 1537854497 0.000000 1537854497 # LOCAL UTC than, hwclock -u - synchronization
Write sys. clock to hw. clock: hwclock -w | hwclock --systohc Write hw. clock to sys. clock: hwclock -s | hwclock --hctosys
- NTP
- Network Time Protocol
- reference clocks
- startum 1 servers
- server that get time from startum 1 servers, called stratum 2 server
- locally the server are stratum 3 or startum 4
- nptdate, as a root user, one time synchronization
ntpdate ntp1.some.net - aliases
0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org - ntpd, continual synchronization
- /etc/ntp.conf
- if diff is greater then threshold (default 1000s), ntpd will exit and user adjust time manually with ntpdate
- ntpq
- peers
- associations
- syslog
Severities: 0 | emerg 1 | alert 2 | crit 3 | err 4 | warn, warning 5 | notice 6 | info 7 | debug Facilities: kern user mail daemon auth syslog lpr cron authpriv local0-7- klogd, kernel logs, transfered to syslogd
- /etc/syslog.conf
- Logrotate
-
IP Addresses
- 32 bits, represented as 4 octets of 8 bits, separated with dot (.)
192.168.10.100 11000000.10101000.00001010.01100100
- 32 bits, represented as 4 octets of 8 bits, separated with dot (.)
-
Networks and hosts
- subnetting
-
Address classes ranges
- A - 1-126, permits 16,777,214 host addresses, -2 ID and Broadcast (2^24 - 2)
Low: 1 = 00000001 High: 126 = 01111110 - B - 128-191, permits 65,534 host addresses, -2 ID and Broadcast (2^16 -2)
Low: 128 = 10000000 High: 191 = 10111111 - C - 192-223, permits 254 host addresses, 2,097,150 Class C networks
Low: 192 = 11000000 High: 223 = 11011111 - D - 224-239, reserved for activities as multicast .etc
- E - 240-254, reserverd for future use
- 127.0.0.1 loopack, localhost networking
- A - 1-126, permits 16,777,214 host addresses, -2 ID and Broadcast (2^24 - 2)
-
Network masks
- A - 255.0.0.0 or /8, /8 is number of bit representing a network mask
- B - 255.255.0.0 or /16
- C - 255.255.255.0 or /24
- CIDR - Classes Internet Domain Routing
- default network masks
11000000.10101000.00001010.00001010 IP 11111111.11111111.11111111.00000000 Subnet mask
-
Gateway
- e.g when route is not needed and it's possible to send packets directly to hosts
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.122.1 0.0.0.0 UG 0 0 0 eth0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 so 192.168.122.5 11000000.10101000.01111010.00000101 11111111.11111111.11111111.00000000 match both: 0.0.0.0 /0 192.168.122.0 /24 kernel choose one with higher network prefix, in this case 192.168.122.0 /24 - e.g when route is needed, network mask doesn't match
192.168.122.5 |- not match 11000000.10101000.01111010.00000101 11111111.11111111.11111111.00000000 192.168.123.5 |- not match 11000000.10101000.01111011.00000101 11111111.11111111.11111111.00000000
- e.g when route is not needed and it's possible to send packets directly to hosts
-
Broadcast address
Address: 192.168.10.0 Subnet mask: 255.255.255.0 Broadcast address: 192.168.10.255 -
Custom network mask
-
Additional Protocols
- IP - Internet Protocol, addressing and comunication between devices on network
- TCP - Transmission Control Protocol, complemet to IP, focuses on transport of data packages, reliable, preforms error checking
- UDP - User Datagram Protocol, complement to IP, focuses on transport of data packages, no error checking is performed
- ICMP - Internet Control Message Protocol, allow network devices, the capability to send error messages. Other typical usage is to perform queries, through ping command if remote system is reachable
- Common Ports
- /etc/services
- 0-1023 ports, well-known ports
- 1024-49151 ports, registered ports, provided by IANA (Internet Assigned Numbers Authority)
- 49152-65535 ports, dynamic ports, can't be reserved, use for any purpose
- 143 - IMAP
- 161 & 162 - SNMP
- 389 - LDAP
- 514 - SYSLOG
-
IPv6 Difference between IPv4:
- IPv4 is 32-bit, has Dotted Decimal Notation, e.g 192.168.1.33
- IPv6 is 128-bit has Hexadecimal Notation, e.g 2001:0db8:85a3:0000:0000:8a2e:0370:7334
- Routing in IPv6 is more efficient
- Security in IPv6 built in
- Autoconfigure in IPv6 addresses are assigned dynamically, in IPv4 statically
- Header in IPv6 more robust and require less processing overhead
-
Viewing IP Information
- ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.XXX.XXX netmask 255.255.255.0 broadcast 192.168.XXX.255 inet6 fe80::XXXX:XX:XXXX:XXXX prefixlen 64 scopeid 0x20<link> ether 52:XX:00:XX:XX:XX txqueuelen 1000 (Ethernet) RX packets 3251 bytes 215616 (210.5 KiB) RX errors 0 dropped 6 overruns 0 frame 0 TX packets 424 bytes 37481 (36.6 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0- ether - MAC (Media Access Control), 48bit hardware address
- inet - address assignet to the interface
- broadcast - broadcast address
- netmask - network mas
- RX recieve
- TX transmit
-
- ip *
- to view all addresses
ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 ... - to view only for requested device
ip addr show dev eth0 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 ...
- ifconfig
-
Inteface Configuration
-
Red Hat based (RHEL 6):
- /etc/sysconfig/network-scripts
- /etc/sysconfig/network-scripts/ifcfg-eth0
Static example configuration IPv4: DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=192.168.1.20 NETMASK=255.255.255.0 GATEWAY=192.168.1.1 Static example configuration IPv6: IPV6INIT=yes IPV6ADDR =3CAE:XXXX:XXXX:XXXX:XXXX:1111:8901:0002 IPV6_DEFAULTGW=3CAE:XXXX:XXXX:XXXX:XXXX:1111:8901:0001 DHCP example configuration IPv4: DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp DHCP example configuration IPv6: IPV6INIT=yes DHCPV6C=yes - Parameter BOOTPROTO, used as switch between, static or dhcp interface configuration
-
Debian based
- /etc/network/interfaces
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8) # The loopback interface# automatically added when upgrading auto lo eth0 iface lo inet loopback iface eth0 inet static address 192.168.1.20 netmask 255.255.255.0 network 192.168.20.0 broadcast 192.168.20.255 gateway 192.168.20.2
- /etc/network/interfaces
-
Viewing and Configuring Gateway Addresses
route netstat -r Output: Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.XXX.1 0.0.0.0 UG 0 0 0 eth0 192.168.XXX.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 -
Configuring a Default Gateway
- RHEL based, /etc/sysconfig/network, /etc/sysconfig/network-scripts/ifcfg-eth0
GATEWAY=10.0.0.1 - Debian based, uses /etc/network/interfaces to set individual interface gateway
- route
route add default gw 10.0.0.1 - ip route
ip route add default via 192.168.1.1 dev eth0
- RHEL based, /etc/sysconfig/network, /etc/sysconfig/network-scripts/ifcfg-eth0
-
Local name configuration
- /etc/hosts
- /etc/resolve.conf
- /etc/nsswitch.conf
- Example:
cat /etc/hosts 127.0.0.1 localhost 10.0.0.2 vm1 Resolve request: ping vm1 1. /etc/nsswitch.conf hosts: file dns nis 2. /etc/hosts contains vm1, it matches entry 10.0.0.2 Resolve request: ping donkyekong.com 1. /etc/nsswitch.conf hosts: file dns nis 2. /etc/hosts doesn't contains donkyekong.com 3. None is found, /etc/nsswitch.conf is read again, next option is dns 4. /etc/resolv.conf nameserver 10.0.0.1 nameserver 10.0.1.1 System tries to query each dns until IP is resolved, or no more entries remains 5. If dns query is successful, system returns resolved IP to client 6. If dns query fails, than NIS server is queried as a last line in /etc/nsswitch.conf - /etc/hostname - fqdn (fully qualified domain name)
- /etc/networks - Solaris
- /etc/hosts.conf - similar to /etc/nsswitch.conf, order of resolution sources, /etc/nsswitch.conf overriden it
-
-
Network Configuration Utilities
-
ifconfig - set and display IP and network mask
Setup eth0 'if' to communicate on 192.168.22.0 network IP: 192.168.33.50 Netmask: 255.255.255.0 ifconfig eth0 192.168.33.50 netmask 255.255.255.0 up ip equivalent: ip addr add 192.168.33.50/24 dev eth0 ip link set eth0 up -
ifup - bring interface up (e.g. /etc/sysconfig/network-scripts/ifup-eth)
-
ifdown - bring interface down
-
ip - replace multiple commands, like ifconfig, route .etc
-
route - sets host's routing and gateway info
route ip to loopback device route add 10.xx.xx.xx lo -
dhcpd, dhclient, pump - init, renew, release client's DHCP assigned address
dhcpd - DHCP daemon, invoked from startup scripts, RHEL - /etc/sysconfig/network-scripts/ifup-* Debian - /etc/network/interfaces to refresh, re-lease of client address, run dhcpd -k dhclient - get DHCP lease, /etc/dhclient.conf, dhclient.leases to get new lease, run dhclient to correctness of lease could be verified by ifconfig, ip command -
host, getent, nslookup, dig - lookup DNS names
hosts - performs only DNS lookups host google.com google.com has address 216.xx.xxx.xx google.com has IPv6 address 2a00:xxx:xxxx:xxx::xxxx google.com mail is handled by 10 aaaa... google.com mail is handled by 50 bbbb... google.com mail is handled by 30 cccc... google.com mail is handled by 40 dddd... google.com mail is handled by 20 eeee... getent - /etc/nsswitch.conf, query what is configured in 'hosts:', when you need lookup to both '/etc/hosts', DNS to lookup for IPv4 and IPv6 address: getent ahost google.com 172.xxx.xxx.xxx STREAM google.com 172.xxx.xxx.xxx DGRAM 172.xxx.xxx.xxx RAW 2a00:xxxx:xxxx:xxx::xxxx STREAM 2a00:xxxx:xxxx:xxx::xxxx DGRAM 2a00:xxxx:xxxx:xxx::xxxx RAW dig - perform only DNS queries, type of records MX, SIG, A, ANY dig google.com A ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59387 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 291 IN A 172.xxx.xx.xxx ;; Query time: 11 msec ;; SERVER: 192.xxx.xxx.xxx#53(192.xxx.xxx.xxx) ;; WHEN: Sat Sep 22 06:59:18 EDT 2018 ;; MSG SIZE rcvd: 55 -
hostname - view and set fqdn hosts name, (systemd hostnamectl)
to view fully qualified domain name hostname --fqdn linked with: domainname dnsdomainname nisdomainname ypdomainname -
netstat - networking stats, attached hosts/ports
to view networking statistic: netstat -s Ip: 11288 total packets received 0 forwarded 0 incoming packets discarded 10722 incoming packets delivered ... to get a routing table: netstat -r Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN Proto - protocol Recv-Q - bytes not yet recieved Send-Q - bytes not yet acknowledged Local Address - local machine addr,port Foreign Address - remote end connection State - ESTABLISHED conn. recently active - TIME_WAIT almost done processing packets - LISTEN - socket is a service/daemon waiting for conn. ss (socket statistic) replacement for netstat, e.g (get enstablished IPv4 connections with pid(-p), -t (tcp/ip), -n(do not reslove addr)) ss -4 -t -p -n state established -
ping - check if host is alive, ICMP, -n (do not resolve hostnames)
-
ping6 - check if host is alive, IPv6
-
traceroute - determine routing paths to reach remote host, uses 3 UDP packets, first has TTL (Time To Live) 1, decremented when packet reach the first device, when packet TTL = 0, packet expire and the message is send to requester. Next 3 UDP packets with TTL = 2, ... etc - indicated problem or router is configured to note return ECHO_REQUEST
-
tracepath - same as traceroute, but traceroute can be used only by root, tracepath by all users
-
traceroute6, tracepath6 - for IPv6
-
tcpdump - capture packets from network
capture ssh packets tcpdump -r tcpdump.out port 22 -
/proc/sys/net/ipv4/ip_forward - forwarding traffic betweend different if in system (or routing)
enable forwarding temporary: echo 1 > /proc/sys/net/ipv4/ip-forward to control: sysctl -a --pattern "ip_forward" output: net.ipv4.ip_forward = 1
-
Links:
- [root.cz - predvidatelne-pojmenovani-sitovych-karet-v-linuxu-kam-se-podelo-eth0] (https://www.root.cz/clanky/predvidatelne-pojmenovani-sitovych-karet-v-linuxu-kam-se-podelo-eth0/)
- [using-the-pump-dhcp-client] (https://www.halolinux.us/network-servers/using-the-pump-dhcp-client.html)
- [how-does-the-loopback-interface-work] (https://unix.stackexchange.com/questions/363507/how-does-the-loopback-interface-work)
- [what-is-kernel-ip-forwarding] (https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding)
- [iproute2 doc] (http://www.policyrouting.org/iproute2.doc.html)
-
su,sudo
- su
- non-login, su
- login, su -, su -l
- sudo
- edit sudo configuration with visudo
- configuration file /etc/sudoers
- to change editor from default vi to nano
export EDITOR=nano - e.g /etc/sudoers
a root access, defacto tux ALL=(ALL) ALL give a tux user rights to restart chronyd service tux ALL=(ALL) systemctl restart chronyd
- su
-
Providing services on demand
- inetd, configuration file /etc/inted.conf
Service Socket type Protocol Sig./Multi thread User Server Program Server Argument ------------------------------------------------------------------------------------------ ftp | stream | tcp | nowait | root | /usr/sbin/in.ftpd | in.ftpd telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd - xined
- configuration file /etc/xinetd.conf
defaults { # limit nuber of daemon instances instances = 60 log_type = SYSLOG authpriv log_on_success = HOST PID log_on_failure = HOST # only allow 25 connection per second, more than maximum cause the service disable for 30s cps = 25 30 } includedir /etc/xinetd.d - include file /etc/xinted.d
/etc/xinetd.d/telnet service telnet { # yes, disable connections # no, doesn't disable connections disable = yes # port and service accept multiple connection flags = REUSE # can also be dgram, raw, seqpacket socket_type = stream # wait = yes, single threaded # wait = no, multi threaded wait = no # user, group, restrict user = root # path to daemon program server = /usr/sbin/in.telnetd # also log_on_succes, add fwe options to log log_on_failure += USERID # timeframe for service access_times = 011:00-13:00 # list of hostname, IP addresses .etc only_from = tux } - to enable service guarded by xinetd, chkonfig telnet on, this will change in /etc/xinetd.d/telnet, disable = yes to no
- changes doesn't required restart of xinted service
- manually changes to /etc/xinetd.d/telnet, require restarts of xinted daemon
- to disable service from initiation from xinetd, chkconfig telnet off
- inetd configuration changes to /etc/inetd.conf requires restart
- xinetd configuration changes to /etc/xinetd.d files doesn't requires restart, but /etc/xinted.conf yes
- configuration file /etc/xinetd.conf
- inetd, configuration file /etc/inted.conf
-
TCP Wrappers
- tcpd
- libwrap.a
- /etc/hosts.allow, /etc/hosts.deny
daemons: hosts : option : option daemon,service - ALL - service - daemon, daemon hosts - hostname - fqdn (e.g some.foo.com) - @group NIS - 10.1.1.0/255.255.255.0 - /path/filename - TCPWrapper read order 1, /etc/hosts.allow, any match skips /etc/hosts.deny file 2, TCP Wrapper files are read each time a service is requested 3, Read is sequential, when there are conflicting entires, the first wins 4, Files hosts.* are read only if they exists, anyway garantie complete access for services
- Format hosts.allow, hosts.deny 1, deny all by default, in hosts.deny ALL:ALL, specific hosts to hosts.allow 2, allow by default, hosts.allow not needed, banned hosts to hosts.deny 3, mix, both files
- Using rule options
service: bannedhost : severity auth.info- twist, use another program or action to response banned service, replace a curr. process
/etc/hosts.deny in.fingerd: ALL : twist /bin/echo "Sorry, get out" - spawn, allow connect to service, but some action has to be taken, create achild process
in.telnet: ALL : spawn /bin/echo 'date' from %h | mail tux
- twist, use another program or action to response banned service, replace a curr. process
-
Find file by permissions
- SUID
we are looking for -rwsrwx--- find . -perm /4000 - SGID
we are looking for -rwxrws--- find . -perm /2000 - SUID, SGID
we are looking for -rwxrws--- find . -perm /6000 - Sticky bit
find . -perm /1000 - SUID, SGID, Sticky bit
find . -perm /7000
- SUID
-
GnuPG Keys
- create keys
gpg -gen-key - export the recipient key
gpg -a -o pub_key_file --export 8i2WB27P - encrypt file
gpg -e [email protected] file - both must be send, decrypted file and exported public key, so recipietn should import it
gpg --import pub_key_file and then decrypt a file - key should be uploaded also from gpg key server
gpg --keyserver server_URL --send-keys 8i2WB27P - recipient should then recieve keys
gpg --recv-keys 8i2WB27P - then file could be decrypted
gpg file.gpg
- create keys
-
SSH
- ssh, used for remote shell sessions
- scp, remote copying
- sshd, ssh daemon
- ssh-agent, wrapper to user's session, provides authentication on request
- ssh-add, loads a user's key into the ssh-agent
- configuration files:
- /etc/ssh/sshd_config - sshd daemon main configuration
- /etc/ssh/ssh_host_[dr]sa_key - private keys, permission 600
- /etc/ssh/ssh_host_[dr]sa_key.pub - public keys, permission 644
- /etc/ssh/ssh_known_hosts - check a public key of hosts, connecting with ssh, permissions 644
- ~/.ssh/known_hosts - uses's local file, connecting client gets public key of the remote server, permissions 644
- ~/.ssh/authorized_keys - store for public keys in user's home directory for logging as this user from remote, permissions 600
- login
ssh -l tux server_remote -l to log as specific user, without it tries to log as local user - log for first time will add host's public key to ~/.ssh/known_hosts
- scp
from local: scp /path/tofile user@server:/path/on/server from server to server scp user1@server1:/path user2@server2:/path - X ssh client
ssh -X X11 forwarding
Links:
- [gpg book] (https://www.gnupg.org/gph/en/manual/book1.html)