Skip to content

Instantly share code, notes, and snippets.

@neidiom
Forked from mbodo/lpi.md
Created March 18, 2018 09:01
Show Gist options
  • Save neidiom/bbed0b8d28e8ca95ba77c131fb16df4e to your computer and use it in GitHub Desktop.
Save neidiom/bbed0b8d28e8ca95ba77c131fb16df4e to your computer and use it in GitHub Desktop.
LPI notices

LPI Essentials Notices

8 Managing Users and Groups

  • How Linux User Accounts Work

    • Authentication - provide who you are to system, username, password
    • PAM
    • root has also /home dir, it's /root
    • finger - show info about the user
      finger someone
      
      Directory: /home/someone            	Shell: /bin/bash
      On since Wed Jun 28 05:08 (EDT) on pts/0 from gateway
      1 minute 24 seconds idle
      No mail.
      No Plan.
      
    • id - show UID, GID, groups
      id someone
      
      uid=1000(someone) gid=1000(somegrp1) groups=1000(somegrp1),10(somegrp2),54321(somegrp3)
      
  • Where Linux User Accounts Are Stored

    • local /etc/passwd
    • LDAP
    • NIS
    • Windows domain
    • Local files:
      /etc/passwd - user info
      /etc/shadow - user passwords
      /etc/group  - group info
      
    • /etc/passwd
      normal user
      
      someone:x:1000:1000:somone fullname:/home/someone:/bin/bash
      user_name:legacy_password_only_x:UID:GID:full_name:home_dir:shell
      
      system user UID (from 0, to 999)
      
      sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
      
    • /etc/shadow
      someone:$6$m:17301:0:99999:7:::
      username:encrypted_password:last_modified:min_days(0):max_days(99999):days_warn(7):disabled_days:expire(null = infinite passw never expire)
      
    • pwck - utility to check validity and synchronization of /etc/passwd and /etc/shadow files
    • pwconv - synchronize missing accouts in /etc/passwd and /etc/shadow
  • Creating and Managing User Accounts from the Command Line

    • useradd:
      1, default file in /etc/default/useradd
      
      # useradd defaults file
      GROUP=100
      HOME=/home
      INACTIVE=-1
      EXPIRE=
      SHELL=/bin/bash
      SKEL=/etc/skel
      CREATE_MAIL_SPOOL=yes
      
      2, for login default is /etc/login.defs
      
      controls password expiration, UID, GID, HOME creation etc.
      
      3, /etc/skel - contains skeleton files will be copied to new user home
      
      useradd someone
      
    • passwd
      1, to report account status
      
      passwd -S someone
      
      someone LK 2017-06-27 0 99999 7 -1 (Password locked.)
      
      2, to set password for user
      
      passwd someone
      New password:
      Retype new password:
      
      3, to report account status after password was set
      
      passwd -S someone
      
      someone PS 2017-06-27 0 99999 7 -1 (Password set, SHA512 crypt.)
      
    • usermod:
      usermod options username
      
      e.g
      
      usermod -c "Someone Fullname" someone
      
      someone:x:54323:54330:Someone Fullname:/home/someone:/bin/bash
      
    • userdel:
      1, delete user account without deleting users home
      
      userdel someone
      
      2, delete with users home
      
      userdel -r someone
      
  • Managing Linux Group Accounts

    • /etc/group
    • groupadd
      groupadd -g 8001 mygroup
      
      grep -i --color mygroup /etc/group
      
    • groupmod
    • groupdel
  • Using su

    • su
      with:
      - load user variables
      c switch to user and issue cmd
      m switch user but preserve variables
      
  • Using sudo

    • /etc/sudoers
    • visudo
    e.g
    
    User_Alias POWRUSR = someone1,someone2
    Cmnd_Alias KILLPROCS = kill, killall
    Host_Alias MYHOST = myhost1
    
    User_Alias Host_Alias = (user) Cmnd_Alias
    POWRUSR MYHOST = (root) KILLPROCS
    
  • Using Log Files to view authentication attempts

    • /var/log/wtmp - binary, succesfully authentication attempts, command to view last
    • /var/log/faillog - binary, failed authentication attempts, command to view faillog
    faillog -u user_name
    
    • who - show who is logged
    • w - who is logged a what is he doing right now

9 Managing File Ownership and Permissions

  • Permisions:

    Permission File Directory Value
    Read (r) Open,view List Dir contents 4
    Write (w) Open,view,modify,save Add or Del contect to Dir 2
    Execute (x) Run executable file Enter the Dir 1
    • Permissions are not additive
    -r---w---x 1 user1 group1  43 28. Jun 06:49 runme.sh
    
    What is true:
    user1 - can only read file, but not write to file,
            so if permission where additive than user1 should
            by able to read/write/execute
    group1 - can only write to file, e.g so as user2 member of group1 
             can 'cat "Changed" > runme.sh'
    others - can execute, but without read permission can't really
             execute the script
    

    Links:

    as user1
    
    --x--x--x user1 /dir1/dir2/dir3
    
    --x--x--x dir1
    --x--x--x dir2
    
    cd /dir1/dir2/dir3 - works
    
    if one from the path doesn't have permission, it want let you to change one dir after
    
    as user1
    
    --x--x--x dir1
    -----x--x dir2
    
    cd /dir1/dir2/dir3 want let you enter dir3
    
    • Syntaxes to get:
    -rwxrw-r-- 1 user1 group1 41 Jun 28 07:02 runme.sh
    
    • chmod -v u=rwx,g=rw,o=r runme.sh
    • chmod -v u+rwx,g+rw,o+r runme.sh
    • chmod -v 764 runme.sh
  • Working with Default Permissions

    • Linux create files/directories with default permission:

      • files 666 rw-rw-rw-
      • directories 777 rwxrwxrwx
    • umask

      • default is 022
      • represents a numeric permission value to be removed
      default by linux:
      
      with umask 000:
      
      touch myfile.txt
      rw-rw-rw- myfile.txt
      
      with to umask 022:
      
      default: rw-rw-rw- myfile.txt
      umask    ----w--w-
      
      finally: rw-r--r-- myfile.txt
      
      • change umask
      umask 026 - g-w, o-rw
      
    • umask for directories

      umask 027 - g-w, o-rwx
      mkdir mydir1
      
      default: rwxrwxrwx mydir1
      umask 027 : rwxr-x--- mydir1
      
      
    • 'umask xxxx' not persistent

      • must by added /etc/profile or /etc/login.defs
  • Working with Special Permissions

    • SUID(4): can only applied to binary files (not shell scripts), user becomes temp. file owner when run executable binary file

      chmod -v u+s dir1
      
      (rwsrwxr-x)
      
    • GUID(2): can only applied to binary files (not shell scripts),

      • file: user becomes temp. group member when run executable binary file
      • directory: when create file, group is set from parent dir, not the user primary group
      chmod -v g+s dir1
      
      (rwxrwsr-x)
      
    • Sticky bit(1):

      • directory (only): when set should allowed to delete files within directory where he doesn't have w-permission
      chmod -v o+t dir1
      
      (rwxrwsr-t)
      

      Links:

10 Archiving Files

  • Backup types:
    • Full - all files are backup (slow)
    • Incremental - only files updated from last backup incremental or full (restore in order)
    • Differential - only files updated from last full backup (so it increase in size, but restore is fast, we pick the last)
  • Selecting a Backup Schedule:
    • pick one day a week to full backup, other week days incremenetal or diferential backup
  • Determining What to Back Up:
    • /etc
    • /home
    • /opt
    • /var
    • /root
    • /srv
  • Using Linux Backup Utilities
    • tar,cpio,dd
  • Using tar
    • gzip uses Lempel-Ziv
    • bzip uses Burrows-Wheeler
      e.g of tar backup insted of file to SCSI tape, which is /dev/st0
      
      tar –cvf /dev/st0 /home 
      
      e.g. excludes (suppose myfile.txt and mytxt.txt exist in curren dir)
      
      vi excl
      
      myfile.txt
      mytxt.txt
      
      :wq
      
      tar -cvf my.tar -X excl ./*
      
      will tar without myfile.txt, mytxt.txt
      
    • gzip
      e.g compress
      
      gzip myfile.txt
      
      ls myfile.txt.*
      myfile.txt.gz
      
      e.g decompress
      gunzip myfile.txt.gz
      gzip -d myfile.txt.gz
      
    • bzip2
      e.g compress
      
      bzip2 myfile.txt
      
      ls myfile.txt.*
      myfile.txt.bz2
      
      e.g decompress
      bunzip2 myfile.txt.bz2
      bzip2 -d myfile.txt.gz
      
    • Using cpio
      e.g  will only backup files
      
      compress:
      ls | cpio –ov > ./backup.cpio
      
      decompress:
      cpio –iv > ./backup.cpio
      
      e.g backup files with dirs
      
      compress:
      find . -depth -print | cpio -ov > /home/someone/backup2.cpio
      
      decompress:
      cpio –iv > /home/someone/backup2.cpio
      
      e.g gzip 
      
      compress:
      ls | cpio –ov | gzip > /home/someone/backup.cpio.gz
      
      decompress:
      
      gnuzip -c backup.cpio.gz | cpio -i 
      
    • Creating an Archive with dd
      • backup entire partitions
        dd if=input_file of=output_file
        
        e.g entire disk
        dd if=/dev/sda of=/home/mybigbackup
        
        e.g partition
        dd if=/dev/sda1 of=/home/mybigbackup
        
        e.g MBR record backup
        dd if=/dev/sda of=/home/mbr.copy bs=512 count=1
        
        bs    - block size
        count - how many
        

11 Managing Linux Processes and Log Files

  • Understanding Linux Processes

    • Binary executables
    • Internal shell commands
    • Shell scripts
  • How Linux Processes Are Loaded

    • Parent/Child process
    • PID - Process ID Number
    • PPID - Parent Process ID Number
    • init process PID 1, PPID 0 , which is Kernel process PID 0
    • forking e.g. (execute) $ vi
    bash (PPID=111, PID=211) --> start --> subshell (PPID=211, PID=311) --> vi (PPID=311, PID=411)
    
    so:
    a, vi (PPID=311, PID=411) runs within subshell (PPID=211, PID=311)
    b, when vi ends than also subshell (PPID=211, PID=311) ends
    c, returned back to bash (PPID=111, PID=211) process
    
    TODO not shure if this is still true
    
  • Viewing Running Processes

    • top - see h for help to manipulate top format output

      Run top for user foo and with unwrapping command column
      
      top -u foo -c
      

      Links:

      Run top with threads displayed within the process of PID and with unwrapping command column
      
      top -H -p PID -c
      

      Links:

      Display memory in different memory units b/kb/mb/gb/tb .etc at top window summary
      
      <Shift + e>
      
      Now it's in MB
      
      MiB Mem : 31794.33+total, 20088.98+free, 6975.496 used, 4729.855 buff/cache
      MiB Swap: 31803.99+total, 31803.99+free,    0.000 used. 23910.77+avail Mem 
      
      Display memory in different memory units b/kb/mb/gb/tb .etc at top process view window
      
      <e> 
      
      804  someone+  20   0 1147.5m 166.8m  45.3m S   9.0  0.5   0:13.78 chrome 
      4546 someone+  20   0 1259.1m 280.6m  55.8m S   5.6  0.9  23:02.07 chrome
      
    • ps

      ps          - display processes only belogs to current shell
      ps -e (-A)  - display all processes, PID, TTY, TIME, COMD
      ps -ef      - like previous plus, UID, PPID, C, STIME
      ps -efl     - like previous plus, F, S, PRI, ADDR, NI, SZ, WCHAN(if running than - )
      

      Links:

    • free

      free -mt
      -m megabytes
      -t total
      
      Update 'free' periodically in seconds 
      
      free -mt -s 10
      -m megabytes
      -t total
      -s update every [s]
      
  • Prioritizing Processes

    • priority (PR) - higher number -> lower priority of process, default is 80
    • nice (-20 +19) - lower number -> higher priority of process, default is 0
    • to execute nice, user must by root, if not than cannot set nice values lower than 0
    as root
    
    nice -n -15 vi
    
    PRI will be 65
    NI  will be -15  
    
    as normal user
      
    nice -n +5 vi
    
    PRI will be 85
    NI  will be 5
    
    nice -n -5 vi
    will violate premissions
    
  • Setting Priorities of Running Processes with renice

    • renice
    vi process runs under normal user
    
    as root user
    
    current process
    0 S 54321  3809  3790  0  91  11 - 31561 poll_s pts/0    00:00:00 vi
    
    PID is 3809
    PRI is 91
    NI  is 11  
    
    renice 5 3809
    
    PRI will be 85
    NI  will be 5  
    
    0 S 54321  3809  3790  0  85  5 - 31561 poll_s pts/0    00:00:00 vi
    
    as normal user, only higher number are allowed so:
    
    renice 6 3809 - will 
    0 S 54321  3809  3790  0  86  6 - 31561 poll_s pts/0    00:00:00 vi
    
    renice back to 
    
    renice 5 3809 - ist not allowed for normal user
    
  • Managing Foreground and Background Processes

    • Running Processes in the Background (& | Ctrl + z):
      e.g
      
      touch myscript.sh && chmod -v 0775 myscript.sh
      vi myscript.sh
      
      myscript.sh:
      #!/bin/bash
      
      sleep 1000
      
      exit 0
      
      :wq
      
      $ ./mysript.sh
      ...
      
      press Ctrl + Z
      
      [1]+  3908 Stopped             ./myscript.sh
      
      jobs -l
      
      [1]+  3908                    ./myscript.sh
      
      then
      
      fg 1
      
      $ ./mysript.sh
      
      put to background again
      
      Ctrl + Z
      $jobs -l
      
      [1]+  3908 Stopped             ./myscript.sh
      
      job is stopped right now, to put into running state again
      
      $bg 1
      
      [1]+  3908 Running             ./myscript.sh
      
  • Ending a Running Process

    • kill (64 signals)

      Syntax: kill -signal PID
      
      signal:
      
      SIGHUP  (1)  - restarts the process with same PID
      SIGINT  (2)  - send Ctrl + c
      SIGKILL (9)  - brute-force process will not clean up allocated resources
      SIGTERM (15) - (default for kill when no signal is set) terminate process immediately,
                   but allows process to clean up
                   
      e.g let 8662 vi process
      kill -15 8662
      
      or
      
      kill -SIGTERM 8662
      
    • killall - same as kill instead of PID use process name e.g

      killall -15 vi
      
  • Managing Linux Log Files

    • most linux services configured to write to /dev/log device

    • when services write -> input is captured through syslog

    • configured where to log is placed in /etc/syslog.conf

    • pattern is:

      facility.priority     file
      
      facility e.g cron
      priority e.g info
      
      so
      
      cron.info    /var/log/cron
      
    • logrotate - runs daily as cron job, config in /etc/logrotate.conf, individual services can be configured in /etc/logrotate.d/

      Links:

13 Connecting Linux to a Network

  • What is protocol

  • OSI Model

    • Physical
    • Datalink - Datagrams
    • Network - IP (Internet Protocol), ICMP (Internet Control Message Protocol)
    • Transport - Packets, TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
    • Session
    • Presentation
    • Application
  • Ports ICANN ( Internet Corporation for Assigned Names and Numbers) Port range: 0 - 65536

    • Well-know ports (0 - 1023):
      Ports 20 and 21: FTP
      Port 23: Telnet
      Port 25: SMTP
      Port 80: HTTP
      Port 110: POP3
      Port 119: NNTP (news)
      Ports 137, 138, 139: NetBIOS
      Port 443: HTTPS
      
    • Registered ports (1024 - 49151)
    • Dynamic ports/Private ports (49152 - 65535)
  • IP Addresses ( Network layer) - It's logically assigned to network host

    • MAC address (Datalink layer) - Pernament, hardware address
    • ARP protocol maps logical IP addresses to hard-coded MAC addresses
    • IP Address consist from octet, binary number. Example: 192.168.1.1 - 11000000.10101000.00000001.00000001
    • Conversion:
      Bit 1 = 128
      Bit 2 = 64
      Bit 3 = 32
      Bit 4 = 16
      Bit 5 = 8
      Bit 6 = 4
      Bit 7 = 2
      Bit 8 = 1
      
      11000000 = 128 + 64 = 192
      
    • IP Address must by unique
    • Public Network Address must be globally unique (IANA - Internet Assigned Numbers Authority )
    • IPv4 - 32-bit addressing scheme
    • IPv6 - 128-bit addressing scheme, eight four HEX numbers, e.g:
      35BC:FA77:4898:DAFC:200C:FBBC:A007:8973
      
    • NAT (Network Address Translation) - connect private subnets to single public IP
    • The Private IP address range (https://en.wikipedia.org/wiki/Private_network):
      10.0.0.0–10.255.255.255     (Class A)
      172.16.0.0–172.31.255.255   (Class B)
      192.168.0.0–192.168.255.255 (Class C)
      
  • Subnet Mask

    • Network address
    • Node address
    192.168.1.1
     Network | Node
    
  • To identify network the host resides on.

    Network - same numbers 192.168.1
    Node - 0 - 255
    
  • Default subnet masks:

    255.0.0.0
    255.255.0.0
    255.255.255.0
    
  • Calculating subnet

    Links:

  • Address Classes (5, but importatnt are those 3):

    Class A - octet 1   - 126, subnet mask 255.0.0.0,       networks 126,       nodes 16.7mil
    Class B - octet 128 - 191, subnet mask 255.255.0.0,     networks 16.384,    nodes 65.534mil
    Class B - octet 191 - 223, subnet mask 255.255.255.0,   networks 2.097.152, nodes 254
    
  • Shorthand subnet masks:

    192.168.1.1/24 24bits longhand 255.255.255.0
    
  • Partial subnetting e.g 255.255.252.0

  • The condition for two nodes to communicate each other:

    Two nodes must to have same network address, which means they must have same subnet mask

    e.g wrong hosts configuration

    Host 1, 192.168.1.1, 255.255.255.0
    Host 2, 192.168.1.2, 255.255.255.0
    Host 3, 192.168.1.3, 255.255.252.0 - wrong, won't be able to communicate with Host1, Host2 
                                         without the use of a network router
    
  • permanent through (RHEL) /etc/network-scripts/ifcfg-eth0

    Chages will be accepted when:

    ifdown interface 
    e.g.  ifdown eth0
    
    ifup interface
    e.g.  ifup eth0
    
  • dhclient

    dhclient -v eth0
    

    Links:

  • Configuring Routing Parameters (Network layer)

    • routing table config (SUSE)
    cat /etc/sysconfig/network/routes
    
    $ default 192.168.1.1 - -
    
    which is 
    
    DESTINATION GATEWAY NETMASK INTERFACE [TYPE]
    
    TYPE:
    
    - unicast
    - local
    - broadcast
    - multicast
    - unreachable
    
    • static routing table config (RHEL), if exists /etc/sysconfig/network-scripts/route-interface
    e.g
    
    cat /etc/sysconfig/network-scripts/route-eth0
    
    

    Links:

    add:
    
    route add –net network_address netmask netmask gw router_address
    e.g  route add –net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
    
    del:
    
    route del –net network_address netmask netmask gw router_address
    e.g  route del –net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
    
    default route:
    
    route add default gw router_address
    e.g  route add default gw 192.168.1.254
    

    Links:

  • Configuring Name Resolver Settings

    • /etc/hosts is the first name resolver

    • if record doesn't exists then operating system try to resolve the hostname using DNS

    • How it works: e.g google.com.

      1. Request to DNS port 53, if DNS is authoritative for zone, it responds with IP address. If not than
      2. The DNS server sends a request to a root-level DNS server (. dot). There are 13 root-level DNS servers on the Internet. The root-levle DNS servers are configured with records for authoritative DNS servers for each TLD (.com,.gov,.de ..etc)
      3. The root-level DNS server responds to your DNS with address of DNS server authoritative for TLD (top level domain)
      4. Your DNS server sends request to DNS server that’s authoritative for TLD (in this case .com)
      5. TLD DNS responds to your server with IP address of DNS server authoritative for the DNS (in this case google)
      6. Your DNS server sends a name resolution request to the DNS server that’s authoritative for the zone
      7. The authoritative DNS to your DNS server with the IP address.
      8. Your DNS server responds to your system with the IP address mapped to the hostname
      (not cached)
      DNS Request -> Your DNS Server -> Root DNS sends TLD IP Address -> Your DNS Server -> 
      TLD DNS Server sends IP address of DNS server authoritative to zone -> Your DNS Server -> 
      DNS server authoritative to zone send IP address -> Your DNS Server
      -> Finally IP address for hostname
      
    • configuration file in /etc/resolv.conf

      search somedome.com
      nameserver 192.168.1.1
      nameserver 192.168.1.2
      

      search, used to specify incomplete hostnames (hostname some1, will be some1.somedome.com)

    • /etc/nsswitch.conf used to define order of service used to resolve name

      hosts:     files dns
      networks:  files dns
      

      Links:

  • Using ping

    • ICMP protocol
    • If the ICMP echo response packet is received by the sending system, than is valid:
      1. your network interface works correctly
      2. destination system is up and works correctly
      3. network hardware between requester system and destination system works correctly
  • Using netstat

    • TODO
  • Using traceroute

    • TODO
  • Using dig, host

    • TODO
  • Encrypting Remote Access with OpenSSH

    • How Encryption Works:
      • Symetric encryption:

        • the sender and the receiver must have exactly the same key to both encrypt and decrypt messages

        • 3DES - 112bit - 168bit

        • AES - 128 - 192 - 256 bit

        • Blowfish - 448 bit

          Links:

      • Asymetric encryption:

        • uses two keys, private key and public key

        • data encoded with public key, can be decoded only with private key and vice versa

        • DSA (Digital Signature Algorithm)

        • RSA (Rivest Shamir Adleman)

        • public/private key are much longer 1024 bits and higher

        • main disadvantage slower than symetric encryption

        • verify that a public key is legitimate we use CA (Certificate Authority)

        • private key is given only to requesting entity (one who request certificate from CA)

        • public key certificates, is a digital message signed with private key

        • A certificate contains:

          • The name of the organization
          • The public key of the organization
          • The expiration date of the certificate
          • The certificate’s serial number
          • The name of the CA that signed the certificate
          • A digital signature from the CA
        • 2 type of CAs:

          • internal CA (self signed, only for internal purposes)
          • external CA
        • browser comes with lot of preinstalled certificated from external CA, see Firefox - Edit - Preferences - Advanced - Certificates

          Links:

  • How OpenSSH Works

    • OpenSSH provides:
      • sshd
      • ssh
      • scp
      • sftp
      • slogin
    • Keys are stored in:
      • Private key: /etc/ssh/ssh_host_key
      • Public key: /etc/ssh/ssh_host_key.pub
    • SSH client stores keys in:
      • /etc/ssh/ssh_known_hosts
      • ~/.ssh/known_hosts
    • It works like this:
      • server send public key to client -> client accept it and decrypt new key -> send to sshd server -> server decrypt with private key (asymetric) -> now both have a same key and they start to use symetric encryption
    • SSH version 2 differences:
      • host key files in:

        • /etc/ssh/ssh_host_dsa_key
        • /etc/ssh/ssh_host_rsa_key
      • the secret key is not transmitted from client to server

      • Diffie-Hellman key agreement

        Links:

  • Configuring OpenSSH

    • sshd daemon: /etc/ssh/sshd_config
    • ssh client: /etc/ssh/ssh_config file or the ~/.ssh/ssh_config file.
  • TODO ssh tunneling

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment