Linux Quick Reference Guide: 5 Edition September 2017
Linux Quick Reference Guide: 5 Edition September 2017
Daniele Raffo
Version history
1st edition May 2013
2nd edition September 2014
3rd edition July 2015
4th edition June 2016
5th edition September 2017
Logical Volume Management (LVM) introduces an abstraction between physical and logical storage that permits a more
versatile use of filesystems. LVM uses the Linux device mapper feature (/dev/mapper).
Disks, partitions, and RAID devices are made of Physical Volumes, which are grouped into a Volume Group.
A Volume Group is divided into small fixed-size chunks called Physical Extents, which are mapped 1-to-1 to Logical Extents.
Logical Extents are grouped into Logical Volumes, on which filesystems are created.
How to increase the size of a Logical Volume (only if the underlying filesystem permits it)
1. Add a new physical or virtual disk to the machine; this will provide the extra disk space
2. fdisk /dev/sdc Partition the new disk
3. pvcreate /dev/sdc Initialize the Physical Volume /dev/sdc
4. vgextend myvg0 /dev/sdc Add /dev/sdc to an existing Volume Group
5. lvextend -L 2048M /dev/myvg0/mylv
Extend the Logical Volume by 2 Gb
or lvresize -L+2048M /dev/myvg0/mylv
or lvresize -l+100%FREE /dev/myvg/mylv or extend the Logical Volume taking all free space
6. resize2fs /dev/myvg0/mylv Extend the filesystem
How to reduce the size of a Logical Volume (only if the underlying filesystem permits it)
1. resize2fs /dev/myvg0/mylv 900M Shrink the filesystem
2. lvreduce -L 900M /dev/myvg0/mylv
Shrink the Logical Volume by 900 Mb
or lvresize -L-900M /dev/myvg0/mylv
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
2/155 LVM commands
LVM commands
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
3/155 System boot
System boot
Boot sequence
POST
Low-level check of PC hardware.
(Power-On Self Test)
BIOS
Detection of disks and hardware.
(Basic I/O System)
GRUB stage 1 is loaded from the MBR and executes GRUB stage 2 from filesystem.
GRUB chooses which OS to boot on.
The chain loader hands over to the boot sector of the partition on which resides the OS.
Chain loader The chain loader also mounts initrd, an initial ramdisk (typically a compressed ext2
GRUB
filesystem) to be used as the initial root device during kernel boot; this make possible to
(GRand Unified
load kernel modules that recognize hard drives hardware and that are hence needed to
Bootloader)
mount the real root filesystem. Afterwards, the system runs /linuxrc with PID 1.
(From Linux 2.6.13 onward, the system instead loads into memory initramfs, a cpio-
compressed image, and unpacks it into an instance of tmpfs in RAM. The kernel then
executes /init from within the image.)
Kernel execution.
Linux kernel
Detection of devices.
Newer systems use UEFI (Unified Extensible Firmware Interface) instead of BIOS. UEFI does not use the MBR boot code; it
has knowledge of partition table and filesystems, and stores its application files required for launch in a EFI System
Partition, mostly formatted as FAT32.
After the POST, the system loads the UEFI firmware which initializes the hardware required for booting, then reads its Boot
Manager data to determine which UEFI application to launch. The launched UEFI application may then launch another
application, e.g. the kernel and initramfs in case of a boot loader like GRUB.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
4/155 SysV startup sequence
SysV startup sequence
The last script to be run is S99local -> ../init.d/rc.local ; therefore, an easy way to run a specific program
upon boot is to call it from this script file.
/etc/init.d/boot.local runs only at boot time, not when switching runlevel.
/etc/init.d/before.local (SUSE) runs only at boot time, before the scripts in the startup directories.
/etc/init.d/after.local (SUSE) runs only at boot time, after the scripts in the startup directories.
To add or remove services at boot sequence: update-rc.d service defaults chkconfig --add service
update-rc.d -f service remove chkconfig --del service
When adding or removing a service at boot, startup directories will be updated by creating or deleting symlinks for the
default runlevels: K symlinks for runlevels 0 1 6, and S symlinks for runlevels 2 3 4 5.
Service will be run via the xinetd super server.
Default runlevels and S/K symlinks values can also be specified as such:
# chkconfig: 2345 85 15
# description: Foo service
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
5/155 Login
Login
/etc/init/start-ttys.conf (Red Hat) Start the specified number of terminals at bootup via getty, which
manages physical or virtual terminals (TTYs)
/etc/sysconfig/init (Red Hat) Control appearance and functioning of the system during bootup
/etc/securetty List of TTYs from which the root user is allowed to login
/etc/issue.net Message that will be printed before the login prompt on a remote session
/etc/motd Message that will be printed after a successful login, before execution of
the login shell
/etc/os-release Definitions of values for the name, version, and other information about
this Linux distribution
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
6/155 Runlevels
Runlevels
Runlevel Target
Debian Red Hat
(SysV) (Systemd)
0 Shutdown
1 Single user / maintenance mode
Multi-user mode
2 Multi-user mode without network
(default)
shutdown Shut down the system in a secure way: all logged-in users are notified via a
message to their terminal, and login is disabled.
This command can be run only by the root user, and by the users (if any) listed in
/etc/shutdown.allow
shutdown -h 16:00 message Schedule a shutdown for 4 PM and send a warning message to all logged-in users
shutdown -a Non-root users that are listed in /etc/shutdown.allow can use this command to
shut down the system
shutdown -f Skip fsck on reboot
shutdown -F Force fsck on reboot
shutdown -c Cancel a shutdown that has been already initiated
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
7/155 SysV vs Systemd
SysV vs Systemd
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
8/155 /etc/inittab
/etc/inittab
/etc/inittab
# The default runlevel.
id:2:initdefault:
/etc/inittab describes which processes are started at bootup and during normal operation; it is read and executed by
init at bootup.
All its entries have the form id:runlevels:action:process
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
9/155 Filesystem Hierarchy Standard
Filesystem Hierarchy Standard
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
10/155 Partitions
Partitions
/dev/hda, /dev/hdb, /dev/hdc ... first, second, third ... hard drive
/dev/sda1, /dev/sda2, /dev/sda3 ... first, second, third ... partition of the first hard drive
The superblock contains information relative to the filesystem e.g. filesystem type, size, status, metadata structures.
The Master Boot Record (MBR) is a 512-byte program located in the first sector of the hard disk; it contains information
about hard disk partitions and has the duty of loading the OS. On recent systems, the MBR has been replaced by the GUID
Partition Table (GPT).
Most modern filesystems use journaling; in a journaling filesystem, the journal logs changes before committing them to the
filesystem, which ensures faster recovery and less corruption in case of a crash.
GPT makes no difference between primary, extended, or logical partitions; moreover, it has practically no limits concerning
number and size of partitions.
partprobe After fdisk operations, this command can be run to notify the OS of partition table
changes. Otherwise, these changes will take place only after reboot
mkfs -t fstype device Create a filesystem of the specified type on a partition (i.e. format the partition).
mkfs is a wrapper utility for the actual filesystem-specific maker commands:
mkfs.ext2 aka mke2fs
mkfs.ext3 aka mke3fs
mkfs.ext4
mkfs.msdos aka mkdosfs
mkfs.ntfs aka mkntfs
mkfs.reiserfs aka mkreiserfs
mkfs.jfs
mkfs.xfs
mkfs -t ext2 /dev/sda Create an ext2 filesystem on /dev/sda
mkfs.ext2 /dev/sda
mke2fs /dev/sda
mke2fs -j /dev/sda Create an ext3 filesystem (ext2 with journaling) on /dev/sda
mkfs.ext3 /dev/sda
mke3fs /dev/sda
mkfs -t msdos /dev/sda Create a MS-DOS filesystem on /dev/sda
mkfs.msdos /dev/sda
mkdosfs /dev/sda
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
11/155 mount
mount
mount Display the currently mounted filesystems.
cat /proc/mounts The commands mount and umount maintain in /etc/mtab a database of currently
cat /etc/mtab mounted filesystems, but /proc/mounts is authoritative
mount -a Mount all devices listed in /etc/fstab (except those indicated as noauto)
mount -t ext3 /dev/sda /foobar Mount a Linux-formatted disk. The mount point (directory) must exist
mount -t msdos /dev/fd0 /mnt Mount a MS-DOS filesystem floppy disk to mount point /mnt
mount /dev/fd0 Mount a floppy disk. /etc/fstab must contain an entry for /dev/fd0
mount -o remount,rw / Remount the root directory as read-write (supposing it was mounted read-only).
Useful to change flags (in this case, read-only to read-write) for a mounted
filesystem that cannot be unmounted at the moment
mount -o nolock 10.7.7.7:/export/ /mnt/nfs Mount a NFS share without running NFS daemons.
Useful during system recovery
mount -t iso9660 -o ro,loop=/dev/loop0 cd.img /mnt/cdrom Mount a CD-ROM ISO9660 image file like a CD-ROM
(via the loop device)
umount /dev/fd0 Unmount a floppy disk that was mounted on /mnt (device must not be busy)
umount /mnt
umount -l /dev/fd0 Unmount the floppy disk as soon as it is not in use anymore
The UUID (Universal Unique Identifier) of a partition is a 128-bit hash number that is associated to the partition when it is
initialized.
blkid -U 652b786e-b87f-49d2-af23-8087ced0c667 Print the name of the specified partition, given its UUID
blkid -L /boot Print the UUID of the specified partition, given its label
findfs UUID=652b786e-b87f-49d2-af23-8087ced0c667 Print the name of the specified partition, given its UUID
findfs LABEL=/boot Print the name of the specified partition, given its label
e2label /dev/sda1 Print the label of the specified partition, given its name
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
12/155 Filesystem types
Filesystem types
Partition types
0x00 Empty 0x4e QNX4.x 2nd part 0xa8 Darwin UFS
0x01 FAT12 0x4f QNX4.x 3rd part 0xa9 NetBSD
0x02 XENIX root 0x50 OnTrack DM 0xab Darwin boot
0x03 XENIX usr 0x51 OnTrack DM6 Aux1 0xaf HFS / HFS+
0x04 FAT16 <32M 0x52 CP/M 0xb7 BSDI fs
0x05 Extended 0x53 OnTrack DM6 Aux3 0xb8 BSDI swap
0x06 FAT16 0x54 OnTrackDM6 0xbb Boot Wizard hidden
0x07 HPFS/NTFS/exFAT 0x55 EZ-Drive 0xbe Solaris boot
0x08 AIX 0x56 Golden Bow 0xbf Solaris
0x09 AIX bootable 0x5c Priam Edisk 0xc1 DRDOS/sec (FAT-12)
0x0a OS/2 Boot Manager 0x61 SpeedStor 0xc4 DRDOS/sec (FAT-16 < 32M)
0x0b W95 FAT32 0x63 GNU HURD or SysV 0xc6 DRDOS/sec (FAT-16)
0x0c W95 FAT32 (LBA) 0x64 Novell Netware 286 0xc7 Syrinx
0x0e W95 FAT16 (LBA) 0x65 Novell Netware 386 0xda Non-FS data
0x0f W95 extended (LBA) 0x70 DiskSecure Multi-Boot 0xdb CP/M / CTOS / ...
0x10 OPUS 0x75 PC/IX 0xde Dell Utility
0x11 Hidden FAT12 0x80 Old Minix 0xdf BootIt
0x12 Compaq diagnostics 0x81 Minix / old Linux 0xe1 DOS access
0x14 Hidden FAT16 <32M 0x82 Linux swap / Solaris 0xe3 DOS R/O
0x16 Hidden FAT16 0x83 Linux 0xe4 SpeedStor
0x17 Hidden HPFS/NTFS 0x84 OS/2 hidden C: drive 0xeb BeOS fs
0x18 AST SmartSleep 0x85 Linux extended 0xee GPT
0x1b Hidden W95 FAT32 0x86 NTFS volume set 0xef EFI (FAT-12/16/32)
0x1c Hidden W95 FAT32 (LBA) 0x87 NTFS volume set 0xf0 Linux/PA-RISC boot
0x1e Hidden W95 FAT16 (LBA) 0x88 Linux plaintext 0xf1 SpeedStor
0x24 NEC DOS 0x8e Linux LVM 0xf4 SpeedStor
0x27 Hidden NTFS WinRE 0x93 Amoeba 0xf2 DOS secondary
0x39 Plan 9 0x94 Amoeba BBT 0xfb VMware VMFS
0x3c PartitionMagic recovery 0x9f BSD/OS 0xfc VMware VMKCORE
0x40 Venix 80286 0xa0 IBM Thinkpad hibernation 0xfd Linux raid autodetect
0x41 PPC PReP Boot 0xa5 FreeBSD 0xfe LANstep
0x42 SFS 0xa6 OpenBSD 0xff BBT
0x4d QNX4.x 0xa7 NeXTSTEP
Above is the list of partition IDs and their names, as obtained by the command sfdisk -T
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
13/155 Swap
Swap
In Linux, the swap space is a virtual memory area (a file or a partition) used as RAM extension. Usually a partition is
preferred because of better performances concerning fragmentation and disk speed. Although listed as filesystem type
0x82, the swap partition is not a filesystem but a raw addressable memory with no structure; therefore it is not shown in
the output of mount or df commands.
The fdisk tool can be used to create a swap partition.
swapon /swapfile Enable a swap file or partition, thus telling the kernel that it can use it now
swapoff /swapfile Disable a swap file or partition
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
14/155 /etc/fstab
/etc/fstab
filesystem Device or partition. The filesystem can be identified either by its name, label, or UUID
mount point Directory on which the partition must be mounted
type Filesystem type, or auto if detected automatically
defaults Use the default options: rw, suid, dev, exec, auto, nouser, async
ro Mount read-only
rw Mount read-write (default)
suid Permit SUID and SGID bit operations (default)
nosuid Do not permit SUID and SGID bit operations
dev Interpret block special devices on the filesystem (default)
nodev Do not interpret block special devices on the filesystem
auto Mount automatically at bootup, or when command mount -a is given (default)
options
noauto Mount only if explicitly demanded
user Partition can be mounted by any user
nouser Partition can be mounted only by the root user (default)
exec Binaries contained on the partition can be executed
noexec Binaries contained on the partition cannot be executed
sync Write files immediately to the partition
async Buffer write ops and commit them later, or when device is unmounted (default)
Other specific options apply to specific partition types (e.g. NFS or Samba)
dump Options for the dump backup utility. 0 = do not backup
pass Order in which the filesystem must be checked by fsck. 0 = do not check
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
15/155 Filesystem operations
Filesystem operations
df Report filesystem disk space usage
df -h Report filesystem disk space usage in human-readable output
df directory Shows on which device the specified directory is mounted
blockdev --getbsz /dev/sda1 Get the block size of the specified partition
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
16/155 Filesystem maintenance
Filesystem maintenance
fsck device Check and repair a Linux filesystem. Warning: filesystem must be unmounted!
Corrupted files will be placed into the /lost+found of the partition.
The exit code returned is the sum of the following conditions:
0 No errors 8 Operational error
1 File system errors corrected 16 Usage or syntax error
2 System should be rebooted 32 Fsck canceled by user
4 File system errors left uncorrected 128 Shared library error
Fsck is a wrapper utility for the actual filesystem-specific checker commands:
fsck.ext2 aka e2fsck
fsck.ext3 aka e2fsck
fsck.ext4 aka e2fsck
fsck.msdos
fsck.vfat
fsck.cramfs
fsck Check and repair serially all filesystems listed in /etc/fstab
fsck -As
fsck -f /dev/sda1 Force a filesystem check on /dev/sda1 even if it thinks is not necessary
fsck -y /dev/sda1 During filesystem repair, do not ask questions and assume that the answer is always yes
fsck.ext2 -c /dev/sda1 Check an ext2 filesystem, running the badblocks command to mark all bad blocks and
e2fsck -c /dev/sda1 add them to the bad block inode so they will not be allocated to files or directories
touch /forcefsck Force a filesystem check after next reboot (Red Hat)
Many hard drives feature the Self-Monitoring, Analysis and Reporting Technology (SMART) whose purpose is to monitor the
reliability of the drive, predict drive failures, and carry out different types of drive self-tests.
The smartd daemon attempts to poll this information from all drives every 30 minutes, logging all data to syslog.
smartctl -a /dev/sda Print SMART information for drive /dev/sda
smartctl -s off /dev/sda Disable SMART monitoring and log collection for drive /dev/sda
smartctl -t long /dev/sda Begin an extended SMART self-test on drive /dev/sda
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
17/155 XFS, ReiserFS, CD-ROM fs
XFS, ReiserFS, CD-ROM fs
xfs_growfs options mountpoint Expand an XFS filesystem (there must be at least one spare new disk
partition available)
xfsdump -v silent -f /dev/tape / Dump the root of a XFS filesystem to tape, with lowest level of verbosity.
Incremental and resumed dumps are stored in the inventory database
/var/lib/xfsdump/inventory
xfsrestore -f /dev/tape / Restore a XFS filesystem from tape
xfsdump -J - / | xfsrestore -J - /new Copy the contents of a XFS filesystem to another directory (without
updating the inventory database)
mkisofs -r -o cdrom.img data/ Create a CD-ROM image from the contents of the target directory.
Enable Rock Ridge extension and set all content on CD to be public
readable (instead of inheriting the permissions from the original files)
CD-ROM filesystems
Filesystem Commands
ISO9660 mkisofs Create a ISO9660 filesystem
mkudffs Create a UDF filesystem
udffsck Check a UDF filesystem
UDF (Universal Disk Format)
wrudf Maintain a UDF filesystem
cdrwtool Manage CD-RW drives (disk format, read/write speed, ...)
HFS (Hierarchical File System)
CD-ROM filesystem extensions
Rock Ridge Contains the original file information (e.g. permissions, filename) for MS Windows 8.3 filenames
MS Joliet Used to create more MS Windows friendly CD-ROMs
El Torito Used to create bootable CD-ROMs
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
18/155 AutoFS
AutoFS
AutoFS is a client-side service that permits automounting of filesystems, even for nonprivileged users.
AutoFS is composed of the autofs kernel module that monitors specific directories for attempts to access them; in this case,
the kernel module signals the automount userspace daemon which mounts the directory when it needs to be accessed and
unmounts it when is no longer accessed.
Mounts managed by AutoFS should not be mounted/unmounted manually or via /etc/fstab, to avoid inconsistencies.
The -hosts map tells AutoFS to mount/unmount automatically any export from the NFS
server nfsserver when the directory /net/nfsserver/ is accessed.
# dir filesystem
/mydir nfsserver1.foo.org:/myshare
/etc/auto.misc Indirect map file for automounting of directory /misc .
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
19/155 RAID
RAID
RAID levels
Level Description Storage capacity
RAID 0 Striping (data is written across all member disks). Sum of the capacity of member disks
High I/O but no redundancy
RAID 1 Mirroring (data is mirrored on all disks). Capacity of the smaller member disk
High redundancy but high cost
RAID 4 Parity on a single disk. Sum of the capacity of member disks,
I/O bottleneck unless coupled to write-back caching minus one
RAID 5 Parity distributed across all disks. Sum of the capacity of member disks,
Can sustain one disk crash minus one
RAID 6 Double parity distributed across all disks. Sum of the capacity of member disks,
Can sustain two disk crashes minus two
RAID 10 (1+0) Striping + mirroring. Capacity of the smaller member disk
High redundancy but high cost
Linear RAID Data written sequentially across all disks. Sum of the capacity of member disks
No redundancy
mdadm -C /dev/md0 -l 5 \ Create a RAID 5 array from three partitions and a spare.
-n 3 /dev/sdb1 /dev/sdc1 /dev/sdd1 \ Partitions type must be set to 0xFD.
-x 1 /dev/sde1 Once the RAID device has been created, it must be formatted e.g. via
mke2fs -j /dev/md0
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
20/155 Bootloader
Bootloader
Non-GRUB bootloaders
LILO Obsolete. Small bootloader that can be placed in the MBR or the boot sector of a partition.
(Linux Loader) The configuration file is /etc/lilo.conf (run /sbin/lilo afterwards to validate changes).
SYSLINUX Able to boot from FAT and NTFS filesystems e.g. floppy disks and USB drives.
Used for boot floppy disks, rescue floppy disks, and Live USBs.
ISOLINUX Able to boot from CD-ROM ISO 9660 filesystems.
Used for Live CDs and bootable install CDs.
PXELINUX Able to boot from PXE (Pre-boot eXecution Environment). PXE uses DHCP or BOOTP to enable
basic networking, then uses TFTP to download a bootstrap program that loads and configures
SYSLINUX the kernel.
Used for Linux installations from a central server or network boot of diskless workstations.
EXTLINUX General-purpose bootloader like LILO or GRUB. Now merged with SYSLINUX.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
21/155 GRUB 2 configuration
GRUB 2 configuration
GRUB (Grand Unified Bootloader) is the standard boot manager on modern Linux distros. The latest version is GRUB 2; the
older version is GRUB Legacy.
GRUB Stage 1 (446 bytes), as well as the partition table (64 bytes) and the boot signature (2 bytes), is stored in the 512-
byte MBR. It then accesses the GRUB configuration and commands available on the filesystem, usually on /boot/grub .
# Linux Debian
menuentry "Debian 2.6.36-experimental" {
set root=(hd0,1)
linux (hd0,1)/bzImage-2.6.36-experimental ro root=/dev/hda6
}
# Windows
menuentry "Windows" {
set root=(hd0,2)
chainloader +1
}
The GRUB 2 configuration file must not be edited manually. Instead, edit the files in /etc/grub.d/ (these are scripts that
will be run in order) and the file /etc/default/grub (the configuration file for menu display settings), then run update-
grub (Debian) or grub2-mkconfig (Red Hat) which will recreate this configuration file.
root= Specify the location of the filesystem root. This is a required parameter
ro Mount read-only on boot
quiet Disable non-critical kernel messages during boot
debug Enable kernel debugging
Common
splash Show splash image
kernel
parameters: single Boot in single-user mode (runlevel 1)
emergency Emergency mode: after the kernel is booted, run sulogin (single-user login)
which asks for the root password for system maintenance, then run a Bash. Does
not load init or any daemon or configuration setting.
init=/bin/bash Run a Bash shell (may also be any other executable) instead of init
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
22/155 GRUB 2 usage
GRUB 2 usage
The GRUB menu, presented at startup, permits to choose the OS or kernel to boot:
ENTER Boot the currently selected GRUB entry
C Get a GRUB command line
E Edit the selected GRUB entry (e.g. to edit kernel parameters in order to boot in single-user emergency mode,
or to change IRQ or I/O port of a device driver compiled in the kernel)
B Boot the currently selected GRUB entry (this is usually done after finishing modifying it)
P Bring up the GRUB password prompt (necessary if a GRUB password has been set)
grub2-set-default 1 Set GRUB to automatically boot the second entry in the GRUB menu
grub2-editenv list Display the current GRUB menu entry that is automatically booted
/boot/grub/device.map This file can be created to map Linux device filenames to BIOS drives:
(fd0) /dev/fd0
(hd0) /dev/hda
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
23/155 GRUB Legacy
GRUB Legacy
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
24/155 Low-level package managers
Low-level package managers
List the content of a package file dpkg -c package.deb rpm -qpl package.rpm
Show the package containing a specific file dpkg -S file rpm -qf file
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
25/155 High-level package managers
High-level package managers
Show information about a package apt-cache showpkg package yum info package
Show the installation history about a package yum history package package
yum history list package package
Show which package provides a specific file apt-file search file yum whatprovides file
High-level package managers are able to install remote packages and automatically solve dependencies.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
26/155 Package management tools
Package management tools
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
27/155 Backup
Backup
dd if=/dev/sda of=/dev/sdb Copy the content of one hard disk over another, byte by byte
cat /dev/sda > /dev/sdb
dd if=/dev/sda1 of=sda1.img Generate the image file of a partition
dd if=/dev/cdrom of=cdrom.iso bs=2048 Create an ISO file from a CD-ROM, using a block size transfer of 2 Kb
dd if=install.iso of=/dev/sdc bs=512k Write an installation ISO file to a device (e.g. a USB thumb drive)
rsync -rzv /home /tmp/bak Synchronize the content of the home directory with the temporary
rsync -rzv /home/ /tmp/bak/home backup directory. Use recursion, compression, and verbosity.
For all transfers subsequent to the first, rsync only copies the blocks that
have changed, making it a very efficient backup solution in terms of
speed and bandwidth
rsync -avz /home [email protected]:/backup/ Synchronize the content of the home directory with the backup directory
on the remote server, using SSH. Use archive mode (operates
recursively and preserves owner, group, permissions, timestamps, and
symlinks)
Tape libraries
/dev/st0 First SCSI tape device
Devices
/dev/nst0 First SCSI tape device (no-rewind device file)
Utility for magnetic tapes mt -f /dev/nst0 asf 3 Position the tape at the start of 3rd file
mtx -f /dev/sg1 status Display status of tape library
mtx -f /dev/sg1 load 3 Load tape from slot 3 to drive 0
mtx -f /dev/sg1 unload Unload tape from drive 0 to original slot
Utility for tape libraries mtx -f /dev/sg1 transfer 3 4 Transfer tape from slot 3 to slot 4
mtx -f /dev/sg1 inventory Force robot to rescan all slots and drives
mtx -f /dev/sg1 inquiry Inquiry about SCSI media device
(Medium Changer = tape library)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
28/155 Archive formats
Archive formats
ls | cpio -o > archive.cpio Create a cpio archive of all files in the current directory
ls | cpio -oF archive.cpio
find /home/ | cpio -o > archive.cpio Create a cpio archive of all users' home directories
cpio
cpio -id < archive.cpio Extract all files, recreating the directory structure
cpio -i -t < archive.cpio List the contents of a cpio archive file
gzip file Compress a file with gzip
gunzip file.gz Decompress a gzip-compressed file
gunzip -tv file.gz Test the integrity of a gzip-compressed file
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
29/155 Command line basics
Command line basics
man command Show the man page for a command
man 7 command Show section 7 of the command man page
man man Show information about man pages' sections:
1 - Executable programs or shell commands
2 - System calls (functions provided by the kernel)
3 - Library calls (functions within program libraries)
4 - Special files
5 - File formats and conventions
6 - Games
7 - Miscellaneous
8 - System administration commands (usually only for root)
9 - Kernel routines
whatis command Show the man page's short description for a command
apropos keyword Show the commands whose man page's short description matches the keyword.
Inverse of the whatis command
apropos -r regex Show the commands whose man page's short description matches the regex
man -k regex
man -K regex Show the commands whose man page's full text matches the regex
info command Show the Info documentation for a command
Unless otherwise specified, shell commands and operations in this guide refer to Bash which is the default shell in many
Linux distributions.
Almost all Linux commands accept the option -v (verbose), and some commands also accept the options -vv or -vvv
(increasing levels of verbosity).
All Bash built-in commands, and many other commands, accept the flag -- which denotes the end of options and the start
of positional parameters:
grep -- -i file Search for the string "-i" in file
rm -- -rf Delete a file called "-rf"
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
30/155 Directories
Directories
cd directory Change to the specified directory
cd - Change to the previously used directory
pwd Print the current working directory
pushd directory Add a directory to the top of the directory stack and make it the current
working directory
popd Remove the top directory from the directory stack and change to the new top
directory
dirname file Output the directory path the file is in, stripping any non-directory suffix from
the filename
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
31/155 Text filters
Text filters
cat file Print a text file
cat file1 file2 > file3 Concatenate text files
cat > file <<EOF Create a Here Document, storing the lines entered in input to a file
line 1
line 2
line 3
EOF
cat file1 > file2 Copy file1 to file2. Note that these can also be binary files of any kind, because cat
> file2 < file1 cat is able to operate on binary streams as well
tac file Print or concatenate text files in reverse, from last line to first line
join file1 file2 Join lines of two text files on a common field
paste file1 file2 Merge lines of text files
split -l 1 file Split a text file into 1-line files (named xaa, xab, xac, and so on)
uniq file Print the unique lines of a text file, omitting consecutive identical lines
sort file Sort alphabetically the lines of a text file
shuf file Shuffle randomly the lines of a text file
diff file1 file2 Compare two text files line by line and print the differences
cmp file1 file2 Compare two files and print the differences
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
32/155 Advanced text filters
Advanced text filters
cut -d: -f3 file Cut the lines of a file, considering : as the delimiter and printing only the 3rd field
cut -d: -f1 /etc/passwd Print the list of user accounts in the system
cut -c3-50 file Print character 3 to 50 of each line of a file
sed 's/foo/bar/' file Stream Editor: Replace the first occurrence on a line of foo with bar in file, and print
on stdout the result
sed -i 's/foo/bar/' file Replace foo with bar, overwriting the results in file
sed 's/foo/bar/g' file Replace all occurrences of foo with bar
sed '0,/foo/s//bar/' file Replace only the first line match
sed -n '7,13p' file Print line 7 to 13 of a text file
sed "s/foo/$var/" file Replace foo with the value of variable $var.
The double quotes allow for variable expansion
tr a-z A-Z <file Translate characters: Convert all lowercase into uppercase in a text file
tr [:lower:] [:upper:] <file
tr -d 0-9 <file Delete all digits from a text file
tr -d [:digit:] <file
awk Interpreter for the AWK programming language, designed for text processing and
data extraction
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
33/155 Regular expressions
Regular expressions
^ Beginning of a line
$ End of a line
\< \> Word boundaries (beginning of line, end of line, space, or punctuation mark)
. Any character, except newline
[abc] Any of the characters specified
[a-z] Any of the characters in the specified range
[^abc] Any character except those specified
* Zero or more times the preceding regex
+ One or more times the preceding regex
? Zero or one time the preceding regex
{5} Exactly 5 times the preceding regex
{5,} 5 times or more the preceding regex
{5,10} Between 5 and 10 times the preceding regex
| The regex either before or after the vertical bar
( ) Grouping, to be used for back-references. \1 expands to the 1st match, \2 to the 2nd, and so on until \9
The symbols above are used in POSIX EREs (Extended Regular Expressions).
For POSIX BREs (Basic Regular Expressions), some symbols will need escaping.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
34/155 File management
File management
cp file file2 Copy a file
cp file dir/ Copy a file to a directory Common options:
cp -ar /root/mydir/. /opt/ Copy a directory recursively -i Prompt before overwriting/deleting files
(interactive)
mv file file2 Rename a file -f Don't ask before overwriting/deleting files
mv file dir/ Move a file to a directory (force)
pv file > file2 Copy a file, monitoring the progress of data through a pipe
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
35/155 I/O streams
I/O streams
In Linux, everything is (displayed as) a file. File descriptors are automatically associated to any process launched.
File descriptors
# Name Type Default device Device file
0 Standard input (stdin) Input text stream Keyboard /dev/stdin
cat /etc/passwd | wc -l Pipe the stdout of command cat to the stdin of command wc (hence printing the number
of accounts in the system). Note that piped commands run concurrently
ls > file Redirect the stdout of command ls to a file (hence writing on a file the content of the
ls 1> file current directory). File is overwritten if it already exists, unless the Bash noclobber
option is set (via set -o noclobber)
ls >| file Redirect the stdout of command ls to a file, even if noclobber is set
ls >> file Append the stdout of command ls to a file
ls 1>> file
ls 2> file Redirect the stderr of command ls to a file (hence writing any error encountered by the
command to a file)
ls 2>> file Append the stderr of command ls to a file
ls 2> /dev/null Silence any error coming from command ls
mail [email protected] < file Redirect a file to the stdin of command mail (hence sending via e-mail a file to the
specified email address)
echo "$(sort file)" > file Sort the contents of a file and write the output in the file itself.
echo "`sort file`" > file sort file > file would not produce the desired result, because the stdout destination
sort file | sponge file is created (deleting the content of the existing file) before the sort command is run
> file Create an empty file. If the file exists, its content will be deleted
ls | tee file tee reads from stdin and writes both to stdout and a file (hence writing content of
current directory to screen and to a file at the same time)
ls | tee -a file tee reads from stdin and appends both to stdout and a file
ls foo* | xargs cat xargs calls the cat command multiple times for each argument found on stdin
(hence printing the content of every file whose filename starts by foo)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
36/155 read and echo
read and echo
while read -r line Process a text file line by line, reading from file.
do If file is /dev/stdin, reads from standard input instead
echo "Hello $line"
done < file
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
37/155 Processes
Processes
Any application, program, or script that runs on the system is a process. Signals are used for inter-process communication.
Each process has a unique PID (Process ID) and a PPID (Parent Process ID); when a process spawns a child, the process
PID is assigned to the child's PPID.
The /sbin/init process, run at bootup, has PID 1. It is the ancestor of all processes and becomes the parent of any
orphaned process. It is also unkillable; should it die, the kernel will panic.
When a child process dies, its status becomes EXIT_ZOMBIE and a SIGCHLD is sent to the parent. The parent should then
call the wait() system call to read the dead process' exit status and other info; until that moment, the child process
remains a zombie.
jobs List all jobs (i.e. processes whose parent is a Bash shell)
CTRL Z Suspend a job, putting it in the stopped state (send a SIGTSTP)
bg %1 Put job #1 in the background (send a SIGCONT)
fg %1 Resume job #1 in the foreground and make it the current job (send a SIGCONT)
kill %1 Kill job #1
When a Bash shell is terminated cleanly via exit, its jobs will became child of the Bash's parent and will continue running.
When a Bash is killed instead, it issues a SIGHUP to his children which will terminate.
nohup myscript.sh Prevent a process from terminating (receiving a SIGHUP) when its parent Bash dies
To each process is associated a niceness value: the higher the niceness, the lower the priority.
The niceness value ranges from -20 to 19, and a newly created process has a default niceness of 0.
Unprivileged users can modify a process' niceness only within the range from 1 to 19.
nice -n -5 command Start a command with a niceness of -5. If niceness is omitted, a default value of 10 is used
renice -5 command Change the niceness of a running command to -5
strace command Trace the execution of a command, intercepting and printing the system calls called by a
process and the signals received by a process
( command )& pid=$!; sleep n; kill -9 $pid Run a command and kill it after n seconds
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
38/155 Signals
Signals
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
39/155 Resource monitoring
Resource monitoring
vmstat Print a report about virtual memory statistics: processes, memory, paging, block I/O,
traps, disks, and CPU activity
iostat Print a report about CPU utilization, device utilization, and network filesystem.
The first report shows statistics since the system boot; subsequent reports will show
statistics since the previous report
mpstat Print a report about processor activities
atop Advanced system monitor that displays the load on CPU, RAM, disk, and network
free Show the amount of free and used memory in the system
uptime Show how long the system has been up, how many users are connected, and the system
load averages for the past 1, 5, and 15 minutes
time command Execute command and, at its completion, write to stderr timing statistics about the run
i.e. elapsed real time, user CPU time, system CPU time
sysbench Multithreaded benchmark tool able to monitor different OS parameters: file I/O,
scheduler, memory allocation, thread implementation, databases
inxi Debugging tool to rapidly and easily gather system information and configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
40/155 vmstat and free
vmstat and free
*
These are the true values indicating the free system resources available. All values are in Kb, unless options are used.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
41/155 File permissions
File permissions
- r w x r w x r w x
--==regular
regularfile
file user
user(owner)
(owner) group
group others
others
dd==directory
directory
ll==symbolic rr==read rr==read rr==read
symboliclink
link read read read
ss==Unix
Unixdomain
domainsocket
socket ww==write
write ww==write
write ww==write
write
pp==named xx==execute xx==execute xx==execute
namedpipe
pipe execute execute execute
cc==character
characterdevice
devicefile
file ss==setUID
setUIDand
andexecute
execute ss==setGID
setGIDand
andexecute
execute tt==sticky
stickyand
andexecute
execute
bb==block SS==setUID
setUID andnot
and notexecute SS==setGID
setGID andnot
and notexecute TT==sticky
sticky andnot
and notexecute
blockdevice
devicefilefile execute execute execute
Read group: 40 chmod g+r Can open and read the file Can list directory content
others: 4 chmod o+r
chmod 710 file Set read, write, and execute permission to user; set execute permission to group
chmod u=rwx,g=x file
chmod 660 file Set read and write permission to user and group
chmod ug=rw file
chmod +wx file Add write and execute permission to everybody (user, group, and others)
chmod -R o+r file Add recursively read permission to others
chmod o-x file Remove execute permission from others
The chmod, chown, and chgrp commands accept the option -R to recursively change properties of files and directories.
umask 022 Set the permission mask to 022, hence masking write permission for group and others.
Linux default permissions are 0666 for files and 0777 for directories. These base permissions are
ANDed with the inverted umask value to calculate the final permissions of a new file or directory.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
42/155 File attributes
File attributes
chattr +mode file Add a file or directory attribute
chattr -mode file Remove a file or directory attribute
chattr =mode file Set a file or directory attribute, removing all other attributes
lsattr file List file or directory attributes
Mode Effect
a File can only be open in append mode for writing
A When file is accessed, its atime record is not modified
c File is automatically compressed on-the-fly on disk by the kernel
C File is not subject to copy-on-write updates (only for filesystems which perform copy-on-write)
d File will not be backed up by the dump program
D When directory is modified, changes are written synchronously on disk (equivalent to dirsync mount option)
e File is using extents for mapping the blocks on disk
E Compression error on file (attribute used by experimental compression patches)
h File is storing its blocks in units of filesystem blocksize instead of in units of sectors, and was larger than 2 Tb
i File is immutable: cannot be modified, linked, or changed permissions
I Directory is being indexed using hashed trees
j All file data is written to the ext3 or ext4 journal before being written to the file itself
N File has data stored inline within the inode itself
s File will be securely wiped by zeroing when deleted
S When file is modified, changes are written synchronously on disk (equivalent to sync mount option)
t File will not have EOF partial block fragment merged with other files (only for filesystems supporting tail-merging)
T Directory is the top of directory hierarchies for the purpose of the Orlov block allocator
u After file is deleted, it can be undeleted
X Raw contents of compressed file can be accessed directly (attribute used by experimental compression patches)
Z Compressed file is dirty (attribute used by experimental compression patches)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
43/155 ACLs
ACLs
Access Control Lists (ACLs) provide a fine-grained set of permissions that can be applied to files and directories.
An access ACL is set on an individual file or directory; a default ACL is set on a directory, and applies to all files and
subdirs created inside it that don't have an access ACL.
The final permissions are the intersection of the ACL with the chmod/umask value.
A partition must have been mounted with the acl option in order to support ACLs on files.
setfacl -m d:u:user:permissions dir As above, but set a default ACL instead of an access ACL.
setfacl -d -m u:user:permissions dir This applies to all commands above
getfacl file Display the access (and default, if any) ACL for a file
getfacl file1 | setfacl --set-file=- file2 Copy the ACL of file1 and apply it to file2
getfacl --access dir | setfacl -d -M- dir Copy the access ACL of a directory and set it as default ACL
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
44/155 Links
Links
A Linux directory contains a list of structures which are associations between a filename and an inode.
An inode contains all file metadata: file type, permissions, owner, group, size, access/change/modification/deletion times,
number of links, attributes, ACLs, and address where the actual file content (data) is stored.
An inode does not contain the name of the file; this information is stored in the directory where the file is.
Link is still valid if the original file Yes (because the link references the No (because the path now references a
is moved or deleted inode the original file pointed to) non-existent file)
Can link to a file in another No (because inode numbers make sense
Yes
filesystem only within a determinate filesystem)
Can link to a directory No Yes
Reflect the original file's permissions,
Link permissions rwxrwxrwx
even when these are changed
Link attributes - (regular file) l (symbolic link)
Inode number The same as the original file A new inode number
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
45/155 Find system files
Find system files
find / -name "foo*" Find all files, starting from the root dir, whose name start with foo
find / -name "foo*" -print
find / -name "foo*" -exec chmod 700 {} \; Find all files whose name start with foo and apply permission 700 to
all of them
find / -name "foo*" -ok chmod 700 {} \; Find all files whose name start with foo and apply permission 700 to
all of them, asking for confirmation before each file
find / -size +128M Find all files larger than 128 Mb
find / -ctime +10 Find all files created more than 10 days ago
find / -perm -4000 -type f Find all files of type file (i.e. not directories) and with SUID set
(a possible security risk, because a shell with SUID root is a backdoor)
find / -perm -2000 -type f Find all files with SGID set
find /home/jdoe/path -type f \ Find and delete all files newer than the specified datetime.
-newermt "May 4 14:50" -delete Using -delete is preferable to using -exec rm {} \;
find . -type f -print -exec cat {} \; Print all files in the current directory with a filename header
whereis command Locate the binary, source, and manpage files for a command
whereis -b command Locate the binary files for a command
whereis -s command Locate the source files for a command
whereis -m command Locate the manpage files for a command
file myfile Analyze the content of a file or directory, and display the kind of file
(e.g. executable, text file, program text, swap file)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
46/155 Shell options
Shell options
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
47/155 Shell variables
Shell variables
The scope of variables is the current shell only, while environment variables are visible within the current shell as well as
within all subshells and Bash child processes spawned by the shell.
Environment variables are set in /etc/environment in the form var=value .
MYVAR=$((2+2)) Evaluate a numeric expression and assign the result to another variable
MYVAR=$[2+2]
FOO=$((BAR + 42))
FOO=`expr $BAR + 42`
for i in $(ls) Loop and operate through all the output tokens (in this case, the contents of the
do current directory). Warning: depending on the operation, filenames containing
echo "Item: $i" whitespace or glob characters may break the script
done
echo ${MYVAR:-message} If variable exists and is not null, print its value, otherwise print message
echo ${MYVAR:+message} If variable exists and is not null, print message, otherwise print nothing
echo ${MYVAR,,} Print a string variable in lowercase
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
48/155 Bash scripting
Bash scripting
Bash scripts must start with the shebang line #!/bin/bash indicating the location of the script interpreter.
Script execution
source myscript.sh Script execution takes place in the same shell. Variables defined and
. myscript.sh exported in the script are seen by the shell when the script exits
bash myscript.sh
Script execution spawns a new shell
./myscript.sh (file must be executable)
command || exit 1 (To be used inside a script.) Exit the script if command fails
if [ $? -eq 0 ] Evaluate whether the last executed command exited successfully or failed
then
echo "Success"
else
echo "Fail"
fi
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
49/155 Bash advanced scripting
Bash advanced scripting
watch command Execute command every 2 seconds
watch -d -n 1 command Execute command every second, highlighting the differences in the output
time command Execute command and print its execution time: elapsed real time between invocation and
termination, user CPU time, and system CPU time
expect Dialogue with interactive programs according to a script, analyzing what can be expected
from the interactive program and replying accordingly
parallel command Run a command in parallel. This is used to operate on multiple inputs, similarly to xargs
zenity Display GTK+ graphical dialogs for user messages and input
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
50/155 Tests
Tests
test $MYVAR = "value" && command
[ $MYVAR = "value" ] && command Perform a test; if it holds true, command is executed
if [ $MYVAR = "value" ]; then command; fi
Test operators
Integer operators File operators Expression operators
-eq Equal to -e or -a Exists -a Logical AND
-ne Not equal to -d Is a directory -o Logical OR
-lt Less than -b Is a block special file ! Logical NOT
-le Less than or equal to -c Is a character special file \( \) Priority
-gt Greater than -f Is a regular file
-ge Greater than or equal to -r Is readable
String operators -w Is writable
-z Is zero length -x Is executable
-n or nothing Is non-zero length -s Is non-zero length
= or == Is equal to -u Is SUID
!= Is not equal to -g Is SGID
< Is alphabetically before -k Is sticky
> Is alphabetically after -h Is a symbolic link
expr string : regex Return the length of the substring matching the regex
expr string : \(regex\) Return the substring matching the regex
Evaluation operators
= Equal to + Plus string : regex
match string regex String matches regex
!= Not equal to - Minus
< Less than \* Multiplied by substr string pos length Substring
<= Less than or equal to / Divided by index string chars Index of any chars in string
> Greater than % Remainder length string String length
>= Greater than or equal to
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
51/155 Flow control
Flow control
Tests
if [test 1] case $VAR in
then pattern1)
[command block 1] command1
elif [test 2] command1bis
then ;;
[command block 2] pattern2)
else command2
[command block 3] ;;
fi *)
command3
;;
esac
Loops
while [test] until [test] for I in [list]
do [command block] do [command block] do [command block]
done done done
The command block executes The command block executes The command block executes
as long as test is true as long as test is false for each I in list
i=0 i=0 for i in 0 1 2 3 4 5 6 7
while [ $i -le 7 ] until [ $i -gt 7 ] do
do do echo $i
echo $i echo $i done
let i++ let i++
done done for i in {0..7}
do
echo $i
done
start=0
end=7
for i in $(seq $start $end)
do
echo $i
done
start=0
end=7
for ((i = start; i <= end; i++))
do
echo $i
done
break Exit a loop
continue Jump to the next iteration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
52/155 Text processors
Text processors
vi Vi, text editor
vim Vi Improved, an advanced text editor
gvim Vim with GUI
strings file Show all printable character sequences at least 4-character long that are inside a file
q Quit
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
53/155 Vi commands
Vi commands
ESC Go to Command mode
i Insert text before cursor
I Insert text after line
and go to Insert mode
a Append text after cursor
A Append text after line
v Go to Visual mode, character-wise
then use the arrow keys to select a block of text
V Go to Visual mode, line-wise
d Delete selected block gu Switch block to lowercase
y Copy (yank) selected block into buffer gU Switch block to uppercase
w Move to next word $ Move to end of line
b Move to beginning of word 1G Move to line 1 i.e. beginning of file
e Move to end of word G Move to end of file
0 Move to beginning of line z RETURN Make current line the top line of the screen
CTRL G Show current line and column number
ma Mark position "a". Marks a-z are local to current file, while marks A-Z are global to a specific file
'a Go to mark "a". If using a global mark, it also opens the specific file
y'a Copy (yank) from mark "a" to current line, into the buffer
d'a Delete from mark "a" to current line
p Paste buffer after current line yy Copy current line
P Paste buffer before current line yyp Duplicate current line
x Delete current character D Delete from current character to end of line
X Delete before current character dd Delete current line
7dd Delete 7 lines. Almost any command can be prepended by a number to repeat it a number of times
u Undo last command. Vi can undo the last command only, Vim is able to undo several commands
. Repeat last text-changing command
/string Search for string forward n Search for next match of string
?string Search for string backwards N Search for previous match of string
:s/s1/s2/ Replace the first occurrence of s1 with s2 in the current line
:s/s1/s2/g Replace globally every occurrence of s1 with s2 in the current line
:%s/s1/s2/g Replace globally every occurrence of s1 with s2 in the whole file
:%s/s1/s2/gc Replace globally every occurrence of s1 with s2 in the whole file, asking for confirmation
:5,40s/^/#/ Add a hash character at the beginning of each line, from line 5 to 40
!!program Replace line with output from program
:r file Read file and insert it after current line
:X Encrypt current document. Vi will automatically prompt for the password to encrypt and decrypt
:w file Write to file
:wq Save changes and quit
:x
ZZ
:q Quit (fails if there are unsaved changes) :q! Abandon all changes and quit
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
54/155 Vi options
Vi options
Option Effect
ai Turn on auto indentation
all Display all options
ap Print a line after the commands d c J m :s t u
aw Automatic write on commands :n ! e# ^^ :rew ^} :tag
bf Discard control characters from input
dir=tmpdir Set tmpdir as directory for temporary files
eb Precede error messages with a bell
ht=8 Set terminal tab as 8 spaces
ic Ignore case when searching
lisp Modify brackets for Lisp compatibility
list Show tabs and EOL characters
set listchars=tab:>- Show tab as > for the first char and as - for the following chars
magic Allow pattern matching with special characters
mesg Enable UNIX terminal messaging
nu Show line numbers
opt Speed up output by eliminating automatic Return
para=LIlPLPPPQPbpP Set macro to start paragraphs for { } operators
prompt Prompt : for command input
re Simulate smart terminal on dumb terminal
remap Accept macros within macros
report Show largest size of changes on status line
ro Make file readonly
scroll=12 Set screen size as 12 lines
sh=/bin/bash Set shell escape to /bin/bash
showmode Show current mode on status line
slow Postpone display updates during inserts
sm Show matching parentheses when typing
sw=8 Set shift width to 8 characters
tags=/usr/lib/tags Set path for files checked for tags
term Print terminal type
terse Print terse messages
timeout Eliminate 1-second time limit for macros
tl=3 Set significance of tags beyond 3 characters (0 = all)
ts=8 Set tab stops to 8 for text input
wa Inhibit normal checks before write commands
warn Warn "No write since last change"
window=24 Set text window as 24 lines
wm=0 Set automatic wraparound 0 spaces from right margin
:set option turn on an option
:set nooption turn off an option
Options can also be permanently set by including them in ~/.exrc
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
55/155 SQL
SQL
SHOW DATABASES; Show all existing databases
SHOW TABLES; Show all tables from the selected database
USE CompanyDatabase; Choose which database to use
SELECT DATABASE(); Show which database is currently selected
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
56/155 SQL SELECTs
SQL SELECTs
SELECT * FROM customers; Select all columns from the
customers table
SELECT firstname, lastname FROM customers LIMIT 5; Select first and last name of
customers, showing 5 records only
SELECT firstname, lastname FROM customers WHERE zipcode = '00123'; Select first and last name of
customers whose zip code is 00123
SELECT firstname, lastname FROM customers WHERE zipcode IS NOT NULL; Select first and last name of
customers with a recorded zip code
SELECT * FROM customers ORDER BY lastname, firstname; Select customers in alphabetical
order by last name, then first name
SELECT * FROM customers ORDER by zipcode DESC; Select customers, sorting them by zip
code in reverse order
SELECT firstname, lastname, Select first name, last name, and
TIMESTAMPDIFF(YEAR,dob,CURRENT_DATE) as AGE FROM customers; calculated age of customers
SELECT DISTINCT city FROM customers; Show all cities but retrieving each
unique output record only once
SELECT city, COUNT(*) FROM customers GROUP BY city; Show all cities and the number of
customers in each city. NULL values
are not counted
SELECT cusid, SUM(fee) FROM payments GROUP BY cusid; Show all fee payments grouped by
customer ID, summed up
SELECT cusid, AVG(fee) FROM payments GROUP BY cusid Show the average of fee payments
HAVING AVG(fee)<50; grouped by customer ID, where this
average is less than 50
SELECT MAX(fee) FROM payments; Show the highest fee in the table
SELECT COUNT(*) FROM customers; Show how many rows are in the table
SELECT cusid FROM payments t1 WHERE fee = Show the customer ID that pays the
(SELECT MAX(t2.fee) FROM payments t2 WHERE t1.cusid=t2.cusid); highest fee (via a subquery)
SELECT @maxfee:=MAX(fee) FROM payments; Show the customer ID that pays the
SELECT cusid FROM payments t1 WHERE fee = @maxfee; highest fee (via a user set variable)
SELECT cusid FROM payments WHERE fee > Show the customer IDs that pay fees
ALL (SELECT fee FROM payments WHERE cusid = 4242001; higher than the highest fee paid by
customer ID 4242001
SELECT * FROM customers WHERE firstname LIKE 'Trill%'; Select customers whose first name
starts with "Trill"
SELECT * FROM customers WHERE firstname LIKE 'F_rd'; Select matching customers;
the _ matches a single character
SELECT * FROM customers WHERE firstname REGEXP '^Art.*r$'; Select customers whose first name
matches the regex
SELECT firstname, lastname FROM customers WHERE zipcode = '00123' Select customers that satisfy any of
UNION the two requirements
SELECT firstname, lastname FROM customers WHERE cusid > 4242001;
SELECT firstname, lastname FROM customers WHERE zipcode = '00123' Select customers that satisfy both of
INTERSECT the two requirements
SELECT firstname, lastname FROM customers WHERE cusid > 4242001;
SELECT firstname, lastname FROM customers WHERE zipcode = '00123' Select customers that satisfy the first
EXCEPT requirement but not the second
SELECT firstname, lastname FROM customers WHERE cusid > 4242001;
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
57/155 SQL JOINs
SQL JOINs
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
58/155 MySQL
MySQL
MySQL is the most used open source RDBMS (Relational Database Management System). It runs on TCP port 3306.
mysql -u root -p Login to MySQL as root and prompt for the password
mysql -u root -ppassword Login to MySQL as root with the specified password
mysql -u root -p -h host -P port Login to the specified remote MySQL server and port
mysql -u root -p -eNB'SHOW DATABASES' Run a SQL command via MySQL. Flags are:
e Run in batch mode
N Do not print table header
B Do not print table decoration characters +-|
mysqldump -u root -p --all-databases > alldbs.sql Backup all databases to a dump file
mysqldump -u root -p MyDatabase > mydb.sql Backup a database to a dump file
mysqldump -u root -p --databases MyDb1 MyDb2 > dbs.sql Backup several databases to a dump file
mysqldump -u root -p MyDatabase t1 t2 > tables.sql Backup some tables of a database to a dump file
mysql -u root -p < alldbsbak.sql Restore all databases from a dump file (which contains a
complete dump of a MySQL server)
mysql -u root -p MyDatabase < mydbbak.sql Restore a specific database from a dump file (which
contains one database)
mysql_upgrade -u root -p Check all tables in all databases for incompatibilities with
the current version of MySQL
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
59/155 MySQL syntax
MySQL syntax
SELECT Host, User FROM mysql.user; List all MySQL users
CREATE USER 'john'@'localhost' IDENTIFIED BY 'p4ssw0rd'; Create a MySQL user and set his
password
DROP USER 'john'@'localhost'; Delete a MySQL user
SET PASSWORD FOR 'john'@'localhost' = PASSWORD('p4ssw0rd'); Set a password for a MySQL user.
SET PASSWORD FOR 'john'@'localhost' = '*7E684A3DF6273CD1B6DE53'; The password can be specified either in
plaintext or by its hash value
SHOW GRANTS FOR 'john'@'localhost'; Show permissions for a user
GRANT ALL PRIVILEGES ON MyDatabase.* TO 'john'@'localhost'; Grant permissions to a user
REVOKE ALL PRIVILEGES ON MyDatabase.* FROM 'john'@'localhost'; Revoke permissions from a user; must
match the granted permission on the
same database or table
GRANT SELECT ON *.* TO 'john'@'localhost' IDENTIFIED BY 'p4ssw0rd'; Create a MySQL user and set his grants
GRANT SELECT ON *.* TO 'john'@'localhost' IDENTIFIED BY PASSWORD
'*7E684A3DF6273CD1B6DE53';
FLUSH PRIVILEGES; Reload and commit the grant tables; to be
used after any GRANT command
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
60/155 MySQL status
MySQL status
SHOW VARIABLES; Print session variables (affecting the current connection only)
SHOW SESSION VARIABLES;
SHOW LOCAL VARIABLES;
SHOW GLOBAL VARIABLES; Print global variables (affecting the global operations on the server)
SHOW VARIABLES LIKE '%query%'; Print session variables that match the given pattern
SHOW VARIABLES LIKE 'hostname'; Print a session variable with the given name
SELECT @@hostname;
SHOW STATUS; Print session status (concerning the current connection only)
SHOW SESSION STATUS;
SHOW LOCAL STATUS;
SHOW GLOBAL STATUS; Print global status (concerning the global operations on the server)
SHOW STATUS LIKE '%wsrep%'; Print session status values that match the given pattern
SHOW WARNINGS; Print warnings, errors and notes resulting from the most recent
statement in the current session that generated messages
SHOW ERRORS; Print errors resulting from the most recent statement in the current
session that generated messages
SHOW TABLE STATUS; Print information about all tables of the currently selected database
e.g. engine (InnoDB or MyISAM), rows, indexes, data length
SHOW ENGINE INNODB STATUS; Print statistics concerning the InnoDB engine
SHOW FULL PROCESSLIST; Print the list of threads running on the system
SHOW CREATE TABLE table; Print the CREATE statement that created the specified table or view
SHOW CREATE VIEW view;
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
61/155 MySQL recipes
MySQL recipes
SELECT table_schema "Name", Display the sizes of all databases in the
SUM(data_length+index_length)/1024/1024 "Size in Mb" system (counting data + indexes)
FROM information_schema.tables GROUP BY table_schema;
SELECT table_name "Name", Display data and index size of all tables of
ROUND(((data_length)/1024/1024),2) "Data size in Mb", database
ROUND(((index_length)/1024/1024),2) "Index size in Mb"
FROM information_schema.TABLES WHERE table_schema='database'
ORDER BY table_name;
SELECT SUM(data_length+index_length)/1024/1024 "InnoDB in Mb" Display the amount of InnoDB data in all
FROM information_schema.tables WHERE engine='InnoDB'; databases
SELECT table_name, engine FROM information_schema.tables Print name and engine of all tables in
WHERE table_schema = 'database'; database
SHOW FULL TABLES IN database WHERE TABLE_TYPE LIKE 'VIEW'; Display the list of views in database
SELECT 'table1' AS `set`, t1.* FROM table1 t1 Display the differences between the contents
WHERE of two tables (assuming they're composed of
ROW(t1.col1, t1.col2, t1.col3) NOT IN (SELECT * FROM table2) 3 columns each)
UNION ALL
SELECT 'table2' AS `set`, t2.* FROM table2 t2
WHERE
ROW(t2.col1, t2.col2, t1.col3) NOT IN (SELECT * FROM table1)
dbs="$(mysql -uroot -ppassword -Bse'SHOW DATABASES;')" Perform an operation on each database name
for db in $dbs
do
[operation on $db]
done
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
62/155 MySQL operations
MySQL operations
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
63/155 X Window
X Window
Display Managers
Display Manager Configuration files Display Manager greeting screen
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
64/155 X Window tools
X Window tools
xdotool X automation tool
xdotool getwindowfocus Get the ID of the currently focused window (usually the terminal where
this command is typed)
xdotool selectwindow Pop up an X cursor and get the ID of the window selected by it
xdotool key --window 12345678 Return Simulate a Return keystroke inside window ID 12345678
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
65/155 X11 keysim codes
X11 keysim codes
This is an excerpt of keysymdef.h which defines keysym codes (i.e. characters or functions associated with each key in X11)
as XK_key and the key hex value. These keys can be used as argument for the xdotool key command.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
66/155 /etc/passwd
/etc/passwd
root:x:0:0:/root:/bin/bash
bin:x:1:1:/bin:/bin/bash
jdoe:x:500:100:John Doe,,555-1234,,:/home/jdoe:/bin/bash
1 2 3 4 5 6 7
1 Login name
2 Hashed password (obsolete), or x if password is in /etc/shadow
3 UID – User ID
4 GID – Default Group ID
5 GECOS field – Information about the user: Full name, Room number, Work phone, Home phone, Other
6 Home directory of the user
7 Login shell (if set to /bin/false, user will be unable to log in)
root:$6$qk8JmJHf$X9GfOZ/i9LZP4Kldu6.D3cx2pXA:15537:0:99999:7:::
bin:*:15637:0:99999:7:::
jdoe:!$6$YOiH1otQ$KxeeUKHExK8e3jCUdw9Rxy3Wu53:15580:0:99999:7::15766:
1 2 a b c 3 4 5 6 7 8 9
1 Login name
2 Hashed password (* if account is disabled, ! or !! if no password is set, prefixed by ! if the account is locked).
Composed of the following subfields separated by $:
a Hashing algorithm: 1 = MD5, 2a = Blowfish, 5 = SHA256, 6 = SHA512 (recommended)
b Random salt, up to 16 chars long. This is to thwart password cracking attempts based on rainbow tables
c String obtained by hashing the user's plaintext password concatenated to the stored salt
3 Date of last password change (in number of days since 1 January 1970)
4 Days before password may be changed; if 0, user can change the password at any time
5 Days after which password must be changed
6 Days before password expiration that user is warned
7 Days after password expiration that account is disabled
8 Date of account disabling (in number of days since 1 January 1970)
9 Reserved field
/etc/shadow and /etc/gshadow are mode 000 and therefore readable only by the root user.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
67/155 User management
User management
useradd -m jdoe Create a user account, creating and populating his homedir from /etc/skel
useradd -mc "John Doe" jdoe Create a user account, specifying his full name
useradd -ms /bin/ksh jdoe Create a user account, specifying his login shell
useradd -D Show default values for user account creation, as specified in /etc/login.defs and
/etc/default/useradd
usermod -c "Jonas Doe" jdoe Modify the GECOS field of a user account
usermod -L jdoe Lock a user account
usermod -U jdoe Unlock a user account
Many options for usermod are the same as useradd options.
chage -E 2013-02-14 jdoe Change the password expiration date; account will be locked at that date
chage -d 13111 jdoe Change the date (in number of days since 1 January 1970) of last password change
chage -d 0 jdoe Force the user to change password at his next login
chage -M 30 jdoe Change the max number of days during which a password is valid
chage -m 7 jdoe Change the min number of days between password changes
chage -W 15 jdoe Change the number of days before password expiration that the user will be warned
chage -I 3 jdoe Change the number of days after password expiration before the account is locked
chage -l jdoe List password aging information for a user
adduser
deluser
addgroup (Debian) User-friendly front-end commands for user and group management
delgroup
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
68/155 UID and GID
UID and GID
*
as recommended by the Linux Standard Base core specifications
/etc/nologin If this file exists, login and sshd deny login to the system.
Useful to prevent users to log in when doing system maintenance
/etc/login.defs Definition of default values (UID and GID ranges, mail directory, account validity,
password encryption method, and so on) for user account creation
last Print the list of users that logged in and out. Searches through the file /var/log/wtmp
lastb Print the list of bad login attempts. Searches through the file /var/log/btmp
fail2ban Scan authentication logs and temporarily ban IP addresses (via firewall rules) that have
too many failed password logins
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
69/155 su and sudo
su and sudo
runuser -u jdoe command Run a command as user jdoe. Can be launched only by the superuser
Sudo commands are logged via syslog on /var/log/auth.log (Debian) or /var/log/secure (Red Hat).
gksu -u root -l GUI front-ends to su and sudo used to run an X Window command as root. Will pop up
gksudo -u root guicommand a requester prompting the user for root's password
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
70/155 Terminals
Terminals
chvt n Make /dev/ttyn the foreground terminal
CTRL ALT Fn
How to detach an already-running job that was not started in a screen session
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
71/155 Messaging
Messaging
write jdoe Write interactively a message to the terminal of user jdoe (must be logged in)
wall Write interactively a message to the terminal of all logged in users
echo "Hello" | write jdoe Write a message to the terminal of user jdoe (must be logged in)
echo "Hello" | wall Write a message to the terminal of all logged in users
talk jdoe Open an interactive chat session with user jdoe (must be logged in)
mesg y Allow the other users to message you via write, wall, and talk
chmod g+w $(tty)
mesg n Disallow the other users to message you via write, wall, and talk
chmod g-w $(tty)
mesg Display your current message permission status
mesg works by enabling/disabling the group write permission of your terminal device, which is owned by system group tty.
The root user is always able to message users.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
72/155 cron
cron
If /etc/cron.allow exists, only users listed therein can access the service.
If /etc/cron.deny exists, all users except those listed therein can access the service.
If none of these files exist, all users can access the service.
It is not necessary to restart crond after the modification of a crontab file, as the changes will be reloaded automatically.
/etc/crontab System-wide crontab file; this is the list of commands to execute periodically
/etc/cron.d/ Directory containing commands to execute periodically, one command per file
(which must have the same syntax as /etc/crontab)
/etc/cron.hourly/ Scripts placed in these directories will be automatically executed on the
/etc/cron.daily/ specified periods
/etc/cron.weekly/
/etc/cron.monthly/
/var/spool/cron/user Crontab of user
/etc/crontab
# m h dom mon dow user command
25 6 * * 1 root foo.sh every Monday at 6:25 AM
*/5 16 * * * root /opt/myscript.sh from 4:00 to 4:55 PM every 5 minutes everyday
0,30 7 25 12 * jdoe /home/jdoe/bar.sh at 7:00 and 7:30 AM on 25th December
3 17 * * 1-5 root baz.sh at 5:03 PM everyday, from Monday to Friday
m minutes
h hours
dom day of month (1-31)
mon month (1-12 or jan-dec)
dow day of week (0-7 or sun-sat; 0=7=Sunday)
user User as whom the command will be executed
command Command that will be executed at the specified times
The crond daemon checks /etc/crontab every minute and runs the command as the specified user at the specified times.
Each user may also set his own crontab scheduling, which will result in a file /var/spool/cron/user; this user's crontab file
has the same format as the system-wide crontab file, except that the user field is not present.
/etc/anacrontab
# period delay job-identifier command
7 10 cron.weekly /opt/myscript.sh If the job has not been run in the last 7 days,
wait 10 minutes and then execute the command
period period, in days, during which the command was not executed
delay delay to wait, in minutes, before execution of the command
job-identifier job identifier in anacron messages; should be unique for each anacron job
command command that will be executed
Anacron jobs are run by crond, and permit the execution of periodic jobs on a machine that is not always powered on, such
as a laptop.
Only the superuser can schedule anacron jobs, which have a granularity of one day (vs one minute for cron jobs).
The file /var/spool/anacron/job_identifier contains the date of the last execution of the specified anacron job.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
73/155 at
at
at is used for scheduled execution of commands that must run only once.
If /etc/at.allow exists, only users listed therein can access the service.
If /etc/at.deny exists, all users except those listed therein can access the service.
If none of these files exist, no user except root can access the service.
at -d 3
atrm 3 Remove job number 3 from the list
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
74/155 Utilities
Utilities
bc Calculator
cal Calendar
speaker-test Speaker test tone generator for the ALSA (Advanced Linux Sound Architecture) framework
on_ac_power Return an exit code of 0 (true) if the machine is currently connected to AC power, 1 if it is
powered by battery (e.g. a laptop)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
75/155 Localization
Localization
apt-get install manpages-it language-pack-it Install a different locale (system messages and manpages)
iconv -f IS6937 -t IS8859 filein > fileout Convert a text file from a codeset to another
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
76/155 System time
System time
date Show current date and time
date -d "9999 days ago" Calculate a date and show it
date -d "1970/01/01 + 4242"
date +"%F %H:%M:%S" Show current date in the format specified
date +"%s" Show current date in Unix time format (seconds elapsed since 00:00:00 1/1/1970)
date -s "20130305 23:30:00" Set the date
date 030523302013 Set the date, in the format MMDDhhmmYYYY
zdump GMT Show current date and time in the GMT timezone
ntpd NTP daemon, keeps the clock in sync with Internet time servers
ntpd -q Synchronize the time once and quit
ntpd -g Force NTP to start even if clock is off by more than the panic threshold (1000 secs)
ntpd -n -g -q Start NTP as a non-daemon, force set the clock, and quit
ntpq -p timeserver Print the list of peers for the time server
ntpdate timeserver Synchronizes the clock with the specified time server
ntpdate -b timeserver Brutally set the clock, without waiting for a slow adjusting
ntpdate -q timeserver Query the time server without setting the clock
The ntpdate command is deprecated and will be phased out in future Linux releases.
hwclock --hctosys Set the system time from the hardware clock
hwclock -s
hwclock --utc Indicate that the hardware clock is kept in Coordinated Universal Time
hwclock --localtime Indicate that the hardware clock is kept in local time
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
77/155 Syslog
Syslog
syslogd
Daemon logging events from user processes
Syslog logging facility: rsyslogd (Ubuntu 14)
klogd Daemon logging events from kernel processes
/etc/syslog.conf
# facility.level action
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.alert root
*.emerg *
local5.* @10.7.7.7
local7.* /var/log/boot.log
† = deprecated
logger -p auth.info "Message" Send a message to syslogd with the specified facility and priority
man 3 syslog Show the syslog manpage listing facilities and levels
logrotate Rotate logs (by gzipping, renaming, and eventually deleting old logfiles) according to
/etc/logrotate.conf
tail -f /var/log/messages Print the end of the message log file, moving forward as the file grows (i.e. read logs
less +F /var/log/messages in real-time)
In Systemd there is no /var/log/messages ; instead, the command journalctl must be used to view the kernel logs.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
78/155 E-mail
E-mail
e.g. Pine, Mutt e.g. Sendmail, Exim, Postfix, qmail e.g. Procmail, SpamAssassin
~/.forward Mail address(es) to which forward the user's mail, or mail commands
/etc/aliases
/etc/mail/aliases Aliases database for users on the local machine. Each line has syntax alias: user
mail
mailx Commands to send mail
Mailbox formats
Each mail folder is a single file, storing multiple email messages.
mbox $HOME/Mail/myfolder
Advantages: universally supported, fast search inside a mail folder.
Disadvantages: issues with file locking, possible mailbox corruption.
Each mail folder is a directory, and contains the subdirectories /cur, /new, and /tmp.
Each email message is stored in its own file with an unique filename ID.
The process that delivers an email message writes it to a file in the tmp/ directory,
and then moves it to new/. The moving is commonly done by hard linking the file to
new/ and then unlinking the file from tmp/, which guarantees that a MUA will not see
Maildir a partially written message as it never looks in tmp/. $HOME/Mail/myfolder/
When the MUA finds mail messages in new/ it moves them to cur/.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
79/155 SMTP
SMTP
SMTP commands
220 smtp.example.com ESMTP Postfix Initiate the conversation and
HELO abc.example.org HELO abc.example.org
identify client host to server
250 Hello abc.example.org, glad to meet you
MAIL FROM: [email protected] EHLO abc.example.org Like HELO, but tell server to
250 Ok use Extended SMTP
RCPT TO [email protected]
250 Ok MAIL FROM: [email protected] Specify mail sender
RCPT TO [email protected] RCPT TO: [email protected] Specify mail recipient
250 Ok
DATA
DATA Specify data to send. Ended
354 End data with <CR><LF>.<CR><LF> with a dot on a single line
From: Alice <[email protected]>
To: Bob <[email protected]> QUIT
RSET Disconnect
Cc: Eve <[email protected]>
Date: Wed, 13 August 2014 18:02:43 -0500 HELP List all available commands
Subject: Test message
NOOP Empty command
This is a test message.
. Verify the existence of an e-
250 OK id=1OjReS-0005kT-Jj VRFY [email protected] mail address (this command
QUIT should not be implemented,
221 Bye for security reasons)
EXPN mailinglist Check mailing list membership
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
80/155 Sendmail
Sendmail
newaliases Update the aliases database; must be run after any change to /etc/aliases
sendmail -bi
mailq Examine the mail queue
sendmail -bp
sendmail -bt Run Sendmail in test mode
sendmail -q Force a queue run
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
81/155 Exim
Exim
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
82/155 Postfix
Postfix
Postfix is a fast, secure, easy to configure, open source MTA intended as a replacement for Sendmail. It is implemented as
a set of small helper daemons, most of which run in a chroot jail with low privileges. The main ones are:
master Postfix master daemon, always running; starts the other daemons when necessary
nqmgr Queue manager for incoming and outgoing mail, always running
smtpd SMTP daemon for incoming mail
smtp SMTP daemon for outgoing mail
bounce Manager of bounce messages
cleanup Daemon that verifies the syntax of outgoing messages before they are handed to the queue manager
local Daemon that handles local mail delivery
virtual Daemon that handles mail delivery to virtual users
postmap dbtype:textfile Manage Postfix lookup tables, creating a hashed map file of database
type dbtype from textfile
postmap hash:/etc/postfix/transport Regenerate the transport database
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
83/155 Postfix configuration
Postfix configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
84/155 Procmail
Procmail
Procmail is a regex-based MDA whose main purpose is to preprocess and sort incoming email messages.
It is able to work both with the standard mbox format and the Maildir format.
To have all email processed by Procmail, the ~/.forward file may be edited to contain:
"|exec /usr/local/bin/procmail || exit 75"
# Blacklisted by SpamAssassin
Flag: file locking not necessary because blackholing to /dev/null
:0
* ^X-Spam-Status: Yes Condition: match SpamAssassin's specific header
/dev/null Destination: delete the message
:0B:
* hacking Flag: match body of message instead of headers
$MAILDIR/Geekstuff
:0HB:
* hacking Flag: match either headers or body of message
$MAILDIR/Geekstuff
:0:
* > 256000 Condition: match messages larger than 256 Kb
| /root/myprogram Destination: pipe message through the specified program
:0fw
* ^From: .*@foobar\.org Flags: use the pipe as a filter (modifying the message), and tell
| /root/myprogram Procmail to wait that the filter finished processing the message
:0c
* ^Subject:.*administration
Flag: copy the message and proceed with next recipe
! [email protected]
Destination: forward to specified email address, and (as ordered
:0: by the next recipe) save in the specified mailfolder
$MAILDIR/Forwarded
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
85/155 Courier POP configuration
Courier POP configuration
The Courier MTA provides modules for ESMTP, IMAP, POP3, webmail, and mailing list services in a single framework.
To use it, you must first launch the courier-authlib service, then launch the desired mail service e.g. courier-imap for
the IMAP service.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
86/155 Courier IMAP configuration
Courier IMAP configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
87/155 Dovecot
Dovecot
Dovecot is an open source, security-hardened, fast and efficient IMAP and POP3 server.
By default it uses PAM authentication. The script mkcert.sh can be used to create self-signed SSL certificates.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
88/155 Dovecot mailbox configuration
Dovecot mailbox configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
89/155 Dovecot POP and IMAP configuration
Dovecot POP and IMAP configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
90/155 Dovecot authentication
Dovecot authentication
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
91/155 FTP
FTP
Passive mode (more protocol-compliant, because it is the client that initiates the connection)
1. Client connects to FTP server on port 21 and requests passive mode via the PASV command
2. Server acknowledges and sends unprivileged port number via the PORT command
3. Client connects to server's unprivileged port number
4. Server acknowledges
FTP servers
Very Secure FTP A hardened and high-performance FTP implementation. The vsftpd daemon operates with multiple
processes that run as a non-privileged user in a chrooted jail.
Pure-FTP A free, easy-to-use FTP server.
pure-ftpd Pure-FTP daemon
pure-ftpwho Show clients connected to the Pure-FTP server
pure-mrtginfo Show connections to the Pure-FTP server as a MRTG graph
pure-statsdecode Show Pure-FTP log data
pure-pw Manage Pure-FTP virtual accounts
pure-pwconvert Convert the system user database to a Pure-FTP virtual accounts database
pure-quotacheck Manage Pure-FTP quota database
pure-uploadscript Run a command on the Pure-FTP server to process an uploaded file
FTP clients
ftp Standard FTP client.
lftp A sophisticated FTP client with support for HTTP and BitTorrent.
lftp ftpserver.domain.org Connect to a FTP server and tries an anonymous login
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
92/155 vsftpd
vsftpd
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
93/155 CUPS
CUPS
cupsd CUPS (Common Unix Printing System) daemon.
Administration of printers is done via web interface on http://localhost:631
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
94/155 IP addressing
IP addressing
e.g. 193.22.33.44
IPv6 addressing
64-bit network prefix (>= 48-bit routing prefix + <= 16-bit subnet id) + 64-bit interface identifier
Unicast
A 48-bit MAC address is transformed into a 64-bit EUI-64 by inserting ff:fe in the middle.
A EUI-64 is then transformed into a IPv6 interface identifier by inverting the 7 th most significant bit.
IPv6 address: 128-bit long, represented divided in eight 16-bit groups (4 hex digits).
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
95/155 Subnetting
Subnetting
Each block of a column identifies a subnet, whose range of valid hosts addresses is [network address +1 — broadcast address -1] inclusive.
The network address of the subnet is the number shown inside a block.
The broadcast address of the subnet is the network address of the block underneath -1 or, for the bottom block, .255.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
96/155 Network services
Network services
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
97/155 Network configuration commands
Network configuration commands
ip a Display configuration of all network
ip addr interfaces
ip addr show
ifconfig -a
ip link show eth0 Display configuration of eth0
ifconfig eth0
ip addr add dev eth0 10.1.1.1/8 Configure IP address of eth0
ifconfig eth0 10.1.1.1 netmask 255.0.0.0 broadcast 10.255.255.255
ifconfig eth0 hw ether 45:67:89:ab:cd:ef Configure MAC address of eth0
ip link set eth0 up Activate eth0
ifconfig eth0 up
ifup eth0
ip link set eth0 down Shut down eth0
ifconfig eth0 down
ifdown eth0
dhclient eth0 Request an IP address via DHCP
pump
dhcpcd eth0 (SUSE)
brctl command bridge Manage the Ethernet bridge configuration in the Linux kernel
ethtool option device Query or control network driver and hardware settings
ethtool eth0 View hardware settings of eth0
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
98/155 Wireless networking
Wireless networking
iwlist wlan0 scan List all wireless devices in range, with their quality of signal and other information
iwlist wlan0 freq Display transmission frequency settings
iwlist wlan0 rate Display transmission speed settings
iwlist wlan0 txpower Display transmission power settings
iwlist wlan0 key Display encryption settings
iwgetid wlan0 option Print NWID, ESSID, AP/Cell address or other information about the wireless network
that is currently in use
iw dev wlan0 station dump On a wireless card configured in AP Mode, display information (e.g. MAC address,
tx/rx, bitrate, signal strength) about the clients
hcidump -i device Display raw HCI (Host Controller Interface) data exchanged with a Bluetooth device
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
99/155 Network tools
Network tools
dig example.org Perform a DNS lookup for the specified domain or hostname.
Returns information in BIND zone file syntax; uses an internal
resolver and hence does not honor /etc/resolv.conf
host example.org Perform a DNS lookup for the specified domain or hostname.
Does honor /etc/resolv.conf
nslookup example.org (deprecated) Perform a DNS lookup for the specified domain or hostname
dig @10.7.7.7 -t MX example.org Perform a DNS lookup for the MX record of the domain
host -t example.org 10.7.7.7 example.org, querying nameserver 10.7.7.7
dig example.org any Get all DNS records for a domain
host -a example.org
dig -x 203.0.113.1 Perform a reverse DNS lookup for the IP address 203.0.113.1
host 203.0.113.1
whois example.org Query the WHOIS service for an Internet resource, usually a
domain name
ping 10.0.0.2 Test if a remote host can be reached and measure the round-trip
time to it (by sending an ICMP ECHO_REQUEST datagram and
expecting an ICMP ECHO_RESPONSE)
fping -a 10.0.0.2 10.0.0.7 10.0.0.8 Ping multiple hosts in parallel and report which ones are alive
bing 10.0.0.10 10.0.0.11 Calculate point-to-point throughput between two remote hosts
traceroute 10.0.0.3 Print the route, hop by hop, packets trace to a remote host
(by sending a sequence of ICMP ECHO_REQUEST datagrams with
increasing TTL values, starting with TTL=1)
telnet 10.0.0.4 23 Establish a telnet connection to the specified host and port
(if port is omitted, use default port 23)
curl -XPUT 10.0.0.6 -d'data' Send a HTTP PUT command with data to 10.0.0.6
curl -o file.html www.example.org/file.html Download a file via HTTP
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
100/155 Network monitoring
Network monitoring
netstat Display network connections
netstat –-tcp Display active TCP connections
netstat -t
netstat -l Display only listening sockets
netstat -a Display all listening and non-listening sockets
netstat -n Display network connections, without resolving hostnames or portnames
netstat -p Display network connections, with PID and name of program to which each socket
belongs
netstat -i Display network interfaces
netstat -s Display protocol statistics
netstat -r Display kernel routing tables (equivalent to route -e)
netstat -c Display network connections continuously
nmap 10.0.0.1 Scan for open ports (TCP SYN scan) on remote host 10.0.0.1
nmap -sS 10.0.0.1
nmap -sP 10.0.0.1 Do a ping sweep (ICMP ECHO probes) on remote host
nmap -sU 10.0.0.1 Scan UDP ports on remote host
nmap -sV 10.0.0.1 Do a service and version scan on open ports
nmap -p 1-65535 10.0.0.1 Scan all ports (1-65535) on remote host, not only the common ports
nmap -O 10.0.0.1 Find which operating system is running on remote host (OS fingerprinting)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
101/155 tcpdump
tcpdump
tcpdump -ni eth0 Sniff all network traffic on interface eth0, suppressing DNS resolution
tcpdump ip host 10.0.0.2 tcp port 25 Sniff network packets on TCP port 25 from and to 10.0.0.2
tcpdump ether host '45:67:89:ab:cd:ef' Sniff traffic from and to the network interface having MAC address
45:67:89:ab:cd:ef
tcpdump 'src host 10.0.0.2 and \ Sniff HTTP and HTTPS traffic having as source host 10.0.0.2
(tcp port 80 or tcp port 443)'
tcpdump -ni eth0 not port 22 Sniff all traffic on eth0 except that belonging to the SSH connection
tcpdump -vvnn -i eth0 arp Sniff ARP traffic on eth0, on maximum verbosity level, without
converting host IP addresses and port numbers to names
tcpdump ip host 10.0.0.2 and \ Sniff IP traffic between 10.0.0.2 and any other host except 10.0.0.9
not 10.0.0.9
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
102/155 netcat
netcat
nc Netcat, "the Swiss Army knife of networking", a very flexible
ncat (Red Hat) generic TCP/IP client/server
netcat (SUSE)
nc 10.0.0.7 389 < file Push the content of file to port 389 on remote host 10.0.0.7
echo "GET / HTTP/1.0\r\n\r\n" | nc 10.0.0.7 80 Connect to web server 10.0.0.7 and issue a HTTP GET
while true; \ Start a minimal web server, serving the specified HTML page
do nc -l -p 80 -q 1 < page.html; done to any connected client
while true; \
do echo "<html><body><h1>WWW</h1></body></html>" \
| ncat -l -p 80; done
nc -v -n -z -w1 -r 10.0.0.7 1-1023 Run a TCP port scan against remote host 10.0.0.7.
Probe randomly all privileged ports with a 1-second timeout,
without resolving service names, and with verbose output
echo "" | nc -v -n -w1 10.0.0.7 1-1023 Retrieve the greeting banner of any network service that
might be running on remote host 10.0.0.7
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
103/155 Network configuration
Network configuration
/etc/hosts Mappings between IP addresses and hostnames, for name resolution
/etc/nsswitch.conf Sources that must be used by various system library lookup functions
order hosts,bind
multi on
/etc/resolv.conf Domain names that must be appended to bare hostnames, and DNS servers
that will be used for name resolution
loopback 127.0.0.0
mylan 10.2.3.0
allow-hotplug eth0
iface eth0 inet static
address 10.2.3.4
netmask 255.255.255.0
gateway 10.2.3.254
dns-domain example.com
dns-nameservers 8.8.8.8 4.4.4.4
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
104/155 Network configuration (Red Hat)
Network configuration (Red Hat)
/etc/sysconfig/network Network configuration file
ADDRESS=10.2.3.4
NETMASK=255.255.255.0
GATEWAY=10.2.3.254
HOSTNAME=mylinuxbox.example.org
NETWORKING=yes
DEVICE=eth0
TYPE=Ethernet
HWADDR=AA:BB:CC:DD:EE:FF
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
IPADDR=10.2.3.4
NETMASK=255.255.255.0
GATEWAY=10.2.3.254
DNS1=8.8.8.8
DNS2=4.4.4.4
USERCTL=no
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
105/155 TCP Wrapper
TCP Wrapper
/etc/hosts.allow Host access control files used by the TCP Wrapper system.
/etc/hosts.deny
Each file contains zero or more daemon:client lines. The first matching line is considered.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
106/155 Routing
Routing
- rejected route
network mask network mask to apply for the destination network
Genmask 255.255.255.255 destination host
0.0.0.0 default route
U route is up
G use gateway
H target is host
Flags ! rejected route
D dynamically installed by daemon
M modified from routing daemon
R reinstate route for dynamic routing
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
107/155 iptables
iptables
The Netfilter framework provides firewalling capabilities in Linux. It is implemented by the user-space application programs
iptables for IPv4 (which replaced ipchains, which itself replaced ipfwadm) and ip6tables for IPv6.
Iptables is implemented in the kernel and therefore does not have a daemon process or a service.
The ability to track connection state is provided by the ip_conntrack kernel module.
From RHEL 7 onward, iptables has been replaced by the firewalld daemon. To use it anyway, it is necessary to install the
package iptables-services which provides a systemd interface for iptables, and disable firewalld.
In Ubuntu, iptables is managed by the ufw service (Uncomplicated Firewall).
iptables-restore < file Load into iptables the firewall rules specified in the file
iptables-save > file Save into iptables the firewall rules specified in the file
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
108/155 iptables rules
iptables rules
Iptables uses tables containing sets of chains, which contain sets of rules. Each rule has a target (e.g. ACCEPT).
The "filter" table contains chains INPUT, FORWARD, OUTPUT (built-in chains); this is the default table to which all iptables
commands are applied, unless another table is specified via the -t option.
The "nat" table contains chains PREROUTING, OUTPUT, POSTROUTING.
The "mangle" table contains chains PREROUTING, OUTPUT.
When a packet enters the system, it is handed to the INPUT chain. If the destination is local, it is processed; if the
destination is not local and IP forwarding is enabled, the packet is handed to the FORWARD chain, otherwise it is dropped.
An outgoing packet generated by the system will go through the OUTPUT chain.
If NAT is in use, an incoming packet will pass at first through the PREROUTING chain, and an outgoing packet will pass last
through the POSTROUTING chain.
iptables -A INPUT -s 10.0.0.6 -j ACCEPT Add a rule to accept all packets from 10.0.0.6
iptables -A INPUT -s 10.0.0.7 -j REJECT Add a rule to reject all packets from 10.0.0.7 and send
back a ICMP response to the sender
iptables -A INPUT -s 10.0.0.8 -j DROP Add a rule to silently drop all packets from 10.0.0.8
iptables -A INPUT -s 10.0.0.9 -j LOG Add a rule to log via syslog all packets from 10.0.0.9
iptables -A OUTPUT -d 10.7.7.0/24 -j DROP Add a rule to drop all packets with destination 10.7.7.0/24
iptables -A FORWARD -i eth0 -o eth1 -j LOG Add a rule to log all packets entering the system via eth0
and exiting via eth1
iptables -A INPUT -p 17 -j DROP Add a rule to drop all incoming UDP traffic (protocol
iptables -A INPUT -p udp -j DROP numbers are defined in /etc/protocols)
iptables -A INPUT --sport 1024:65535 --dport 53 \ Add a rule to accept all packets coming from any
-j ACCEPT unprivileged port and with destination port 53
iptables -A INPUT -p icmp --icmp-type echo-request \ Add a rule to accept incoming pings through eth0 at a
-m limit --limit 1/s -i eth0 -j ACCEPT maximum rate of 1 ping/second
iptables -A INPUT -m state --state ESTABLISHED \ Load the module for stateful packet filtering, and add a
-j ACCEPT rule to accept all packets that are part of a
communication already tracked by the state module
iptables -A INPUT -m state --state NEW -j ACCEPT Add a rule to accept all packets that are not part of a
communication already tracked by the state module
iptables -A INPUT -m state --state RELATED -j ACCEPT Add a rule to accept all packets that are related (e.g.
ICMP responses to TCP or UDP traffic) to a communication
already tracked by the state module
iptables -A INPUT -m state --state INVALID -j ACCEPT Add a rule to accept all packets that do not match any of
the states above
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
109/155 firewalld
firewalld
In firewalld, a network interface (aka interface) or a subnet address (aka source) can be assigned to a specific zone.
To determine to which zone a packet belongs, first the zone of the source is analyzed, then the zone of the interface; if no
source or interface matches, the packet is associated to the default zone (which is "public", unless set otherwise).
If the zone is not specified in a command, the command is applied to the default zone.
By default, commands are temporary; adding the --permanent option to a command sets it as permanent, or shows
permanent settings only.
Temporary commands are effective immediately but are canceled at reboot, firewall reload, or firewall restart.
Permanent commands are effective only after reboot, firewall reload, or firewall restart.
block Rejects incoming connections with an ICMP HOST_PROHIBITED; allows only established connections
dmz Used to expose services to the public; allows only specific incoming connections
drop Drops all incoming packets; allows only outgoing connections
external Used for routing and masquerading; allows only specific connections
home Allows only specific incoming connections
internal Used to define internal networks and allow only private network traffic
public Allows only specific incoming connections
trusted Accepts all traffic
work Used to define internal networks and allow only private network traffic
firewall-cmd --reload Reload firewall configuration; this applies all permanent changes and
cancels all temporary changes. Current connections are not terminated
firewall-cmd --complete-reload Reload firewall configuration, stopping all current connections
firewall-cmd --runtime-to-permanent Transform all temporary changes to permanent
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
110/155 firewalld rules
firewalld rules
firewall-cmd --zone=trusted --add-service=ssh
firewall-cmd --zone=trusted --add-port=22/tcp Add the SSH service to the "trusted" zone
firewall-cmd --zone=trusted --add-service={ssh,http,https} Add the SSH, HTTP, and HTTPS services to the
"trusted" zone
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 \ Set up a direct rule (in iptables format) to
-p tcp --dport 22 -j ACCEPT accept SSH connections
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
111/155 NAT routing
NAT routing
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
112/155 SSH
SSH
ssh root@remotehost Connect to a remote host via SSH (Secure Shell) and login
as the root user
ssh -v root@remotehost Connect via SSH, specifying increasing levels of verbosity
ssh -vv root@remotehost
ssh -vvv root@remotehost
ssh -p 2222 root@remotehost SSH as root using port 2222 instead of standard port 22
ssh root@remotehost /root/mycommand Execute a command on a remote host
sshpass -p p455w0rd ssh root@remotehost Connect to a remote host using the specified password
pssh -i -H "host1 host2 host3" /root/mycommand Execute a command in parallel on a group of remote hosts
ssh-keygen -t rsa -b 2048 Generate interactively a 2048-bit RSA key pair; will
prompt for a passphrase
ssh-keygen -t dsa Generate a DSA key pair
ssh-keygen -p -t rsa Change passphrase of the private key
ssh-keygen -q -t rsa -f /etc/ssh/id_rsa -N '' -C '' Generate a RSA key with no passphrase (for non-
interactive use) and no comment
ssh-keygen -lf /etc/ssh/id_rsa.pub View key length and fingerprint of a public key
ssh-copy-id root@remotehost Use locally available keys to authorize, via public key
authentication, login of root on a remote host.
Copies root's local public key ~/.ssh/id_rsa.pub to
~/.ssh/authorized_keys on the remote host
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
113/155 SSH operations
SSH operations
X11 Forwarding
ssh -X [email protected] Enable the local display to execute locally a X application
stored on a remote host login.foo.com
It is also possible to enable X11 Forwarding via telnet (but this is insecure and obsolete, and therefore not recommended):
1. On remote host 10.2.2.2, type export DISPLAY=10.1.1.1:0.0
2. On local host 10.1.1.1, type xhost +
3. On local host 10.1.1.1, type telnet 10.2.2.2, then run on remote host the graphical application e.g. xclock &
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
114/155 SSH configuration
SSH configuration
/etc/ssh/sshd_config SSH server daemon configuration file
/etc/ssh/ssh_config SSH client global configuration file
/etc/ssh/ssh_host_key Host's private key (should be mode 0600)
/etc/ssh/ssh_host_key.pub Host's public key
/etc/ssh/shosts.equiv Names of trusted hosts for host-based authentication
/etc/ssh/ssh_known_hosts Database of host public keys that were previously accepted as legitimate
~/.ssh/ User's SSH directory (must be mode 0700)
~/.ssh/config SSH client user configuration file
~/.ssh/id_rsa User's RSA or DSA private key, as generated by ssh-keygen
~/.ssh/id_dsa
~/.ssh/id_rsa.pub User's RSA or DSA public key, as generated by ssh-keygen
~/.ssh/id_dsa.pub
~/.ssh/known_hosts Host public keys that were previously accepted as legitimate by the user
~/.ssh/authorized_keys Trusted public keys; the corresponding private keys allow the user to
~/.ssh/authorized_keys2 (obsolete) authenticate on this host
AllowGroups geeks
DenyGroups * List of groups whose members can/cannot login via SSH, or * for all groups
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
115/155 OpenSSL
OpenSSL
openssl x509 -text -in certif.crt -noout Read a certificate
openssl req -text -in request.csr -noout Read a Certificate Signing Request
openssl req -new -key private.key -out request.csr Generate a Certificate Signing Request (in PEM
format) for the public key of a key pair
openssl req -new -nodes -keyout private.key \ Create a 2048-bit RSA key pair and generate a
-out request.csr -newkey rsa:2048 Certificate Signing Request for it
openssl req -x509 -newkey rsa:2048 -nodes \ Generate a self-signed root certificate (and create
-keyout private.key -out certif.crt -days validity a new CA private key)
openssl ca -config ca.conf -in request.csr \ Generate a self-signed certificate
-out certif.crt -days validity -verbose
openssl ca -config ca.conf -gencrl -revoke certif.crt \ Revoke a certificate
-crl_reason why
openssl ca -config ca.conf -gencrl -out crlist.crl Generate a Certificate Revocation List containing
all revoked certificates so far
openssl x509 -in certif.pem -outform DER \ Convert a certificate from PEM to DER
-out certif.der
openssl pkcs12 -export -in certif.pem \ Convert a certificate from PEM to PKCS#12
-inkey private.key -out certif.pfx -name friendlyname including the private key
cat cert.crt cert.key > cert.pem Create a PEM certificate from CRT and private key
openssl dgst -hashfunction -out file.hash file Generate the digest of a file
openssl dgst -hashfunction file | cmp -b file.hash Verify the digest of a file (no output means that
digest verification is successful)
openssl dgst -hashfunction -sign private.key \ Generate the signature of a file
-out file.sig file
openssl dgst -hashfunction -verify public.key \ Verify the signature of a file
-signature file.sig file
openssl enc -e -cipher -in file -out file.enc -salt Encrypt a file
openssl enc -d -cipher -in file.enc -out file Decrypt a file
openssl genpkey -algorithm RSA -cipher 3des \ Generate a 2048-bit RSA key pair protected by
-pkeyopt rsa_keygen_bits:2048 -out key.pem TripleDES passphrase
openssl pkey -text -in private.key -noout Examine a private key
openssl pkey -in old.key -out new.key -cipher Change the passphrase of a private key
openssl pkey -in old.key -out new.key Remove the passphrase from a private key
1. openssl s_client -connect www.website.com:443 > tmpfile Retrieve and inspect a SSL certificate from a
website
2. CTRL C
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
116/155 CA.pl
CA.pl
CA.pl -newca Create a Certification Authority hierarchy
CA.pl -newreq Generate a Certificate Signing Request
CA.pl -signreq Sign a Certificate Signing Request
CA.pl -pkcs12 "Certificate name" Generate a PKCS#12 certificate from a Certificate Signing Request
CA.pl -newreq-nodes Generate a Certificate Signing Request, with unencrypted private key
(this is necessary for use in servers, because the private key is accessed in
non-interactive mode i.e. without passphrase typing)
CA.pl -verify Verify a certificate against the Certification Authority certificate for "demoCA"
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
117/155 GnuPG
GnuPG
gpg --gen-key Generate a key pair
gpg --import alice.asc Import Alice's public key into your keyring
gpg --list-keys List the keys contained into your keyring
gpg --list-secret-keys List your private keys contained into your keyring
gpg --list-public-keys List the public keys contained into your keyring
gpg --export -o keyring_backup.gpg Export your whole keyring to a file
gpg --export-secret-key -a "You" -o private.key Export your private key (username You) to a file
gpg --export-public-key -a "Alice" -o alice.pub Export Alice's public key to a file
gpg --edit-key "Alice" Sign Alice's public key
gpg -e -u "You" -r "Alice" file.txt Sign a file (with your private key) and encrypt it to
Alice (i.e. with Alice's public key)
gpg -d file.txt.gpg Decrypt a file (with your own public key)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
118/155 OpenVPN
OpenVPN
openvpn --genkey --secret keyfile Generate a shared secret keyfile for OpenVPN authentication.
The keyfile must be copied on both server and client
openvpn server.conf Start the VPN on the server side. The encrypted VPN tunnel uses UDP port 1194
openvpn client.conf Start the VPN on the client side
dev tun
ifconfig server_IP client_IP
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret keyfile
remote server_public_IP
dev tun
ifconfig client_IP server_IP
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret keyfile
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
119/155 Key bindings - terminal
Key bindings - terminal
CTRL ALT E Expand the Bash alias currently entered on the command line
CTRL ALT DEL Send a SIGINT to reboot the machine (same as shutdown -r now);
specified in /etc/inittab and /etc/init/control-alt-delete
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
120/155 Key bindings - X
Key bindings - X
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
121/155 udev
udev
The Hardware Abstraction Layer (HAL) manages device files and provides plug-and-play facilities. The HAL daemon hald
maintains a persistent database of devices.
udev is the device manager for the Linux kernel. It dynamically generates the device nodes in /dev/ for devices present on
the system; it also provides persistent naming for storage devices in /dev/disk .
When a device is added, removed, or changes state, the kernel sends an uevent received by the udevd daemon which will
pass the uevent through a set of rules stored in /etc/udev/rules.d/*.rules and /lib/udev/rules.d/*.rules .
KERNEL=="hdb", DRIVER=="ide-disk", SYMLINK+="mydisk myhd" Match a device with kernel name and driver
as specified; name the device node with the
default name and create two symbolic links
/dev/mydisk and /dev/myhd pointing to
/dev/hdb
KERNEL=="fd[0-9]*", NAME="floppy/%n", SYMLINK+="%k" Match all floppy disk drives (i.e. fdn); place
device node in /dev/floppy/n and create a
symlink /dev/fdn to it
KERNEL=="sda", PROGRAM="/bin/mydevicenamer %k", SYMLINK+="%c" Match a device named by the kernel as sda;
to name the device, use the defined
program which takes on stdin the kernel
name and output on stdout e.g. name1
name2. Create symlinks /dev/name1 and
/dev/name2 pointing to /dev/sda
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
122/155 Kernel
Kernel
freeramdisk Free the memory used for the initrd image. This command must be
run directly after unmounting /initrd
mkinitrd initrd_image kernel_version Create a initrd image file (Red Hat)
mkinitramfs Create a initrd image file according to the configuration file
/etc/initramfs-tools/initramfs.conf (Debian)
dracut Create initial ramdisk images for preloading modules
The runtime loader ld.so loads the required shared libraries of the program into RAM, searching in this order:
1. LD_LIBRARY_PATH Environment variable specifying the list of dirs where libraries should be searched for first
2. /etc/ld.so.cache Cache file
3. /lib and /usr/lib Default locations for shared libraries
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
123/155 Kernel management
Kernel management
lspci List PCI devices
lspci -d 8086: List all Intel hardware present. PCI IDs are stored in:
/usr/share/misc/pci.ids (Debian)
/usr/share/hwdata/pci.ids (Red Hat)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
124/155 Kernel compile and patching
Kernel compile and patching
Kernel compile
Download kernel source code linux-X.Y.Z.tar.bz2 from http://www.kernel.org
Download
to the base of the kernel source tree /usr/src/linux
make clean Delete most generated files
Clean make mrproper Delete all generated files and kernel configuration
make distclean Delete temporary files, patch leftover files, and similar
make config Terminal-based (options must be set in sequence)
make menuconfig ncurses UI
make xconfig
make gconfig GUI
make oldconfig Create a new config file, based on the options in the old config
file and in the source code
Configure
Components (e.g. device drivers) can be either:
- not compiled
- compiled into the kernel binary, for support of devices always used on the system or necessary
for the system to boot
- compiled as a kernel module, for optional devices
Copy the new compiled kernel and other files into the boot partition
Kernel install cp /usr/src/linux/arch/boot/bzImage /boot/vmlinuz-X.Y.Z (kernel)
cp /usr/src/linux/arch/boot/System.map-X.Y.Z /boot
cp /usr/src/linux/arch/boot/config-X.Y.Z /boot (config options used for this compile)
Kernel patching
Download Download and decompress the patch to /usr/src
patch -p1 < file.patch Apply the patch
Patch To remove a patch, you can either apply the patch again or
patch -Rp1 < file.patch
use this command (reverse patch)
Build Build the patched kernel as explained previously
Install Install the patched kernel as explained previously
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
125/155 Kernel modules
Kernel modules
Kernel modules allow the kernel to access functions (symbols) for kernel services e.g. hardware drivers, network stack, or
filesystem abstraction.
lsmod List the modules that are currently loaded into the kernel
insmod module Insert a module into the kernel. If the module requires another module or if it
does not detect compatible hardware, insertion will fail
rmmod module Remove a module from the kernel. If the module is in use by another module, it
is necessary to remove the latter first
modinfo module Display the list of parameters accepted by the module
depmod -a Probe all modules in the kernel modules directory and generate the file that lists
their dependencies
It is recommended to use modprobe instead of insmod/rmmod, because it automatically handles prerequisites when inserting
modules, is more specific about errors, and accepts just the module name instead of requiring the full pathname.
modprobe module option=value Insert a module into the running kernel, with the specified parameters.
Prerequisite modules will be inserted automatically
modprobe -a Insert all modules
modprobe -t directory Attempt to load all modules contained in the directory until a module succeeds.
This action probes the hardware by successive module-insertion attempts for a
single type of hardware, e.g. a network adapter
modprobe -r module Remove a module
modprobe -c module Display module configuration
modprobe -l List loaded modules
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
126/155 /proc filesystem
/proc filesystem
/proc is a pseudo filesystem that gives access to process data held in the kernel.
/proc/sys is the only writable branch of /proc and can be used to tune kernel parameters on-the-fly.
All changes are lost after system shutdown.
sysctl -w "fs.file-max=100000" Set the maximum allowed number of open files to 100000
echo "100000" > /proc/sys/fs/file-max
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
127/155 System recovery
System recovery
If the kernel has been booted in emergency mode and init has not been run, some initial configuration is necessary e.g.
mount /proc
mount -o remount,rw /
mount -a
mknod /dev/sda
mknod /dev/sda1
fdisk -l /dev/sda
fsck -y /dev/sda1
mount -t ext3 /dev/sda1 /mnt/sysimage
chroot /mnt/sysimage
To install a package using an alternative root directory (useful if the system has been booted from a removable media):
An alternative metod is to chroot /mnt/sysimage before installing GRUB via grub-install /dev/sda .
Run sync and unmount all filesystems before exiting the shell, to ensure that all changes have been written on disk.
3. Press CTRL X ; the system will boot on the initramfs switch_root prompt.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
128/155 DNS
DNS
DNS implementations
BIND Berkeley Internet Name Domain system, is the standard DNS server for UNIX
dnsmasq Lightweight DNS, DHCP and TFTP server for a small network
djbdns Security-hardened DNS server that also includes DNS debugging tools
PowerDNS Alternative open-source DNS server
DNSSEC was designed to secure the DNS tree and hence prevent cache poisoning.
The TSIG (Transaction SIGnature) standard, that authenticates communications between two trusted systems, is used to
sign zone transfers and DDNS (Dynamic DNS) updates.
dnssec-keygen -a dsa -b 1024 \ Generate a TSIG key with DNSSEC algorithm nnn and key fingerprint fffff.
-n HOST dns1.example.org This will create two key files
Kdns1.example.org.+nnn+fffff.key
Kdns1.example.org.+nnn+fffff.private
which contain a key number that has to be inserted both in /etc/named.conf and
/etc/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "vyZqL3tPHsqnA57e4LT0Ek==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
named -u named -g named Run BIND as user/group named (both must be created if needed) instead of root
named -t /var/cache/bind Run BIND in a chroot jail /var/cache/bind
(actually is the chroot command that starts the named server)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
129/155 DNS configuration
DNS configuration
options {
directory "/var/named"; // Working directory
version "0.0"; // Hide version number by replacing it with 0.0
listen-on port 53 {10.7.0.1; 127.0.0.1;}; // Port and own IP addresses to listen on
blackhole {172.17.17.0/24;}; // IPs whose packets are to be ignored
allow-query {mynetwork;}; // IPs allowed to do iterative queries
allow-query-on {any;}; // Local IPs that can accept iterative queries
allow-query-cache {any;}; // IPs that can get an answer from cache
allow-recursion {mynetwork;}; // IPs to accept recursive queries from (typically
// own network's IPs). The DNS server does the full
// resolution process on behalf of these client IPs,
// and returns a referral for the other IPs
allow-recursion-on {mynetwork;}; // Local IPs that can accept recursive queries
allow-transfer {10.7.0.254;}; // Zone transfer is restricted to these IPs (slaves);
// on slave servers, this option should be disabled
allow-update {any;}; // IPs to accept DDNS updates from
recursive-clients 1000; // Max number of simultaneous recursive lookups
dnssec-enable yes; // Enable DNSSEC
dialup no; // Not a dialup connection: external zone maintenance
// (e.g. sending heartbeat packets, external zone transfers)
// is then permitted
forward first; // Site-wide cache: bypass the normal resolution
forwarders {10.7.0.252; 10.7.0.253;}; // method by querying first these central DNS
// servers if they are available
};
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
130/155 DNS zone file
DNS zone file
IN NS dns1.example.org.
IN NS dns2.example.org.
IN MX 10 mail1.example.org.
IN MX 20 mail2.example.org.
dns1 IN A 224.123.240.3
dns2 IN A 224.123.240.4
mail1 IN A 224.123.240.73
mail2 IN A 224.123.240.77
foo IN A 224.123.240.12
bar IN A 224.123.240.13
www IN A 224.123.240.19
baz IN CNAME bar
Resource Records
$TTL How long to cache a positive response
$ORIGIN Suffix appended to all names not ending with a dot.
Useful when defining multiple subdomains inside the same zone
SOA Start Of Authority for the example.org zone
serial Serial number. Must be increased after each edit of the zone file
refresh How frequently a slave server refreshes its copy of zone data from the master
retry How frequently a slave server retries connecting to the master
expire How long a slave server relies on its copy of zone data. After this time period expires,
the slave server is not authoritative anymore for the zone unless it can contact a master
negative TTL How long to cache a non-existent answer
A Address: maps names to IP addresses. Used for DNS lookups.
PTR Pointer: maps IP addresses to names. Used for reverse DNS lookups.
Each A record must have a matching PTR record
CNAME Canonical Name: specifies an alias for a host with an A record (even in a different zone).
Discouraged as it causes multiple lookups; it is better to use multiple A records instead
NS Name Service: specifies the authoritative name servers for the zone
MX Mailserver: specifies address and priority of the servers able to handle mail for the zone
Glue Records are not really part of the zone; they delegate authority for other zones, usually subdomains
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
131/155 Apache
Apache
The Apache webserver contains a number of MPMs (Multi-Processing Modules) which can operate following two methods:
prefork MPM A number of child processes is spawned in advance, with each child serving one connection.
Highly reliable due to Linux memory protection that isolates each child process
worker MPM Multiple child processes spawn multiple threads, with each thread serving one connection.
More scalable but prone to deadlocks if third-party non-threadsafe modules are loaded
HTTPS
A secure web server (one which uses HTTP over SSL i.e. HTTPS) hands over its public key to the client when the latter
connects to it via port 443. The server's public key is signed by a CA (Certification Authority), whose validity is
ensured by the root certificates stored into the client's browser.
The openssl command and its user-friendly CA.pl script are the tools of the OpenSSL crypto library that can be used
to accomplish all public key crypto operations e.g. generate key pairs, Certificate Signing Requests, self-signed
certificates.
Virtual hosting with HTTPS requires assigning an unique IP address for each virtual host; this because the SSL
handshake (during which the server sends its certificate to the client's browser) takes place before the client sends
the Host: header (which tells to which virtual host the client wants to talk).
A workaround for this is SNI (Server Name Indication) that makes the browser send the hostname in the first
message of the SSL handshake. Another workaround is to have all multiple name-based virtual hosts use the same
SSL certificate with a wildcard domain e.g. *.example.org.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
132/155 Apache configuration
Apache configuration
MaxClients 256 (before v2.3.13) Max number of simultaneous requests that will be served; clients
MaxRequestWorkers 256 (v2.3.13 and later) above this limit will get a HTTP error 503 - Service Unavailable.
Prefork MPM: max number of child processes launched to serve
requests.
Worker MPM: max total number of threads available to serve
requests
ServerLimit 256 Prefork MPM: max configured value for MaxRequestWorkers.
Worker MPM: in conjunction with ThreadLimit, max configured
value for MaxRequestWorkers
ThreadsPerChild 25 Worker MPM: number of threads created by each child process
ThreadLimit 64 Worker MPM: max configured value for ThreadsPerChild
LoadModule mime_module modules/mod_mime.so Load the module mime_module by linking in the object file or
library modules/mod_mime.so
Listen 10.17.1.1:80 Make the server accept connections on the specified IP
Listen 10.17.1.5:8080 addresses (optional) and ports
User nobody User and group the Apache process runs as. For security
Group nobody reasons, this should not be root
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
133/155 Apache virtual hosts
Apache virtual hosts
Logging directives
LogFormat "%h %l %u %t \"%r\" %>s %b" Specify the format of a log
LogFormat "%h %l %u %t \"%r\" %>s %b" common Specify a nickname (here, "common") for a log format.
This one is the CLF (Common Log Format) defined as such:
%h IP address of the client host
%l Identity of client as determined by identd
%u User ID of client making the request
%t Timestamp the server completed the request
%r Request as done by the user
%s Status code sent by the server to the client
%b Size of the object returned, in bytes
CustomLog /var/log/httpd/access_log common Set up a log filename, with the format or (as in this case)
the nickname specified
TransferLog /var/log/httpd/access_log Set up a log filename, with format determined by the most
recent LogFormat directive which did not define a nickname
TransferLog "|rotatelogs access_log 86400" Organize log rotation every 24 hours
HostnameLookups Off Disable DNS hostname lookup to save network traffic.
Hostnames can be resolved later by processing the log file:
logresolve <access_log >accessdns_log
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
134/155 Apache directory protection
Apache directory protection
</Directory>
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
135/155 Apache SSL/TLS
Apache SSL/TLS
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
136/155 Tomcat
Tomcat
Tomcat is an open source Java Servlet Container implementing several Java EE specifications, and was originally part of the
Jakarta Project. It is composed of:
- Catalina, the core component and servlet container implementation;
- Coyote, an HTTP connector component, providing a pure Java webserver environment to run Java code;
- Jasper, a JSP (Java Server Pages) engine, which parses JSP files and compiles them into Java servlets.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
137/155 Samba server
Samba server
smbd Server Message Block daemon. Provides SMB file and printer sharing, browser services, user authentication,
and resource lock. An extra copy of this daemon runs for each client connected to the server
nmbd NetBIOS Name Service daemon. Handles NetBIOS name lookups, WINS requests, list browsing and elections.
An extra copy of this daemon runs if Samba functions as a WINS server.
Another extra copy of this daemon runs if DNS is used to translate NetBIOS names
testparm Check the Samba configuration file and report any error
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
138/155 Samba client
Samba client
smbmount Mount a Samba share on a Linux filesystem, using the CIFS
mount.cifs filesystem interface
smbmount //smbserver/share1 /mnt/shares/sh1 \ Mount a Samba share checking access upon a credentials
-o auto,credentials=/etc/smbcreds file /etc/smbcreds (which should be readable only by root):
username = jdoe
password = jd03s3cr3t
smbmount //smbserver/share1 /mnt/shares/sh1 \ Mount a Samba share as user jdoe
-o username=jdoe
cat msg.txt | smbclient -M client -U user Show a message popup on the client machine (using the
WinPopup protocol)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
139/155 Samba global configuration
Samba global configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
140/155 Samba share configuration
Samba share configuration
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
141/155 Samba share access and macros
Samba share access and macros
Server-level authentication
[global]
security = server Set up server-level authentication
password server = srv1 srv2 Authenticate to server srv1, or to server srv2 if srv1 is unavailable
Domain-level authentication
[global]
security = ADS Set up domain-level authentication as an Active Directory member server
realm = KRB_REALM Join the specified realm.
Kerberos must be installed and an administrator account must be created:
net ads join -U Administrator%password
Share-level authentication
[global]
security = share Set up share-level authentication
[foobar] Define a foobar share accessible to any user which can supply quux's password.
path = /foobar The user quux must be created on the system:
username = quux useradd -c "Foobar account" -d /tmp -m -s /sbin/nologin quux
only user = yes and added to the Samba password file:
smbpasswd -a quux
Samba macros
%S Username The substitutes below apply only to the
configuration options that are used when
%U Session username (the username that the client requested,
a connection has been established:
not necessarily the same as the one he got)
%G Primary group of session username %S Name of the current service, if any
%h Samba server hostname %P Root directory of the current service, if any
%M Client hostname %u Username of the current service, if any
%L NetBIOS name of the server %g Primary group name of username
%m NetBIOS name of the client %H Home directory of username
%d Process ID of the current server process %N Name of the NIS home directory server as
obtained from the NIS auto.map entry.
%a Architecture of remote machine
Same as %L if Samba was not compiled with
%I IP address of client machine the --with-automount option
%i Local IP address to which a client connected %p Path of service's home directory as obtained
from the NIS auto.map entry.
%T Current date and time
The NIS auto.map entry is split up as %N:%p
%D Domain or workgroup of the current user
%w Winbind separator
%$(var) Value of the environment variable var
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
142/155 NFS
NFS
A Network File System (NFS) server makes filesystems available to remote clients for mounting.
The portmapper is needed by NFS to map incoming TCP/IP connections to the appropriate NFS RPC calls. Some Linux
distributions use rpcbind instead of the portmapper.
For security, the TCP Wrapper should be configured to limit access to the portmapper to NFS clients only:
file /etc/hosts.deny should contain portmap: ALL
file /etc/hosts.allow should contain portmap: IP_addresses_of_clients
NFS handles user permissions across systems by considering users with same UID and username as the same user.
Group permission is evaluated similarly, by GID and groupname.
showmount Show the remote client hosts currently having active mounts
showmount --directories Show the directories currently mounted by a remote client host
showmount --exports Show the filesystems currently exported i.e. the active export list
showmount --all Show both remote client hosts and directories
showmount -e nfsserver Show the shares a NFS server has available for mounting
rpcinfo -p nfsserver Probe the portmapper on a NFS server and display the list of all registered
RPC services there
rpcinfo -t nfsserver nfs Test a NFS connection by sending a null pseudo request (using TCP)
rpcinfo -u nfsserver nfs Test a NFS connection by sending a null pseudo request (using UDP)
both -n -r -nr
mount -t nfs nfsserver:/share /usr Command to be run on a client to mount locally a remote NFS share.
NFS shares accessed frequently should be added to /etc/fstab e.g.
nfsserver:/share /usr nfs intr 0 0
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
143/155 /etc/exports
/etc/exports
/etc/exports
/export/ 10.3.3.3(rw)
/export/ *(ro,sync)
/home/ftp/pub client1(rw) *.example.org(ro)
/home/crew @FOOBARWORKGROUP(rw) (ro)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
144/155 DHCP
DHCP
A DHCP (Dynamic Host Configuration Protocol) server listens for requests on UDP port 67 and answers to UDP port 68.
The assignment of an IP address to a host is done through a sequence of DHCP messages initiated by the client host:
DHCP Discover, DHCP Offer, DHCP Request, DHCP Acknowledgment.
Because DHCP Discover messages are broadcast and therefore not routed outside a LAN, a DHCP relay agent is necessary
for those clients situated outside the DHCP server's LAN. The DHCP relay agent listens to DHCP Discover messages and
relays them in unicast to the DHCP server.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
145/155 PAM
PAM
PAM (Pluggable Authentication Modules) is an abstraction layer that allows applications to use authentication methods while
being implementation-agnostic.
/etc/pam.d/service
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
password required pam_unix.so nullok obscure min=4 max=8
auth Authentication module to verify user identity and group membership
account Authorization module to determine user's right to access a resource (other than his identity)
type
password Module to update an user's authentication credentials
session Module (run at end and beginning of an user session) to set up the user environment
optional Module is not critical to the success or failure of service
sufficient If this module successes, and no previous module has failed, module stack processing ends
successfully. If this module fails, it is non-fatal and processing of the stack continues
control required If this module fails, processing of the stack continues until the end, and service fails
requisite If this module fails, service fails and control returns to the application that invoked service
include Include modules from another PAM service file
PAM module and its options, e.g.:
pam_unix.so Standard UNIX authentication module via /etc/passwd and /etc/shadow
pam_nis.so Module for authentication via NIS
pam_ldap.so Module for authentication via LDAP
module
pam_fshadow.so Module for authentication against an alternative shadow passwords file
pam_cracklib.so Module for password strength policies (e.g. length, case, max n of retries)
pam_limits.so Module for system policies and system resource usage limits
pam_listfile.so Module to deny or allow the service based on an arbitrary text file
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
146/155 LDAP
LDAP
LDAP (Lightweight Directory Access Protocol) is a simplified version of the X.500 standard and uses TCP port 389.
LDAP permits to organize hierarchically a database of entries, each one of which is identified by an unique DN (Distinguished
Name). Each DN has a set of attributes, each one of which has a value. An attribute may appear multiple times.
ldapsearch -H ldap://ldapserver.example.org \ Query the specified LDAP server for entries where
-s base -b "ou=people,dc=example,dc=com" \ surname=Doe, and print common name, surname, and
"(sn=Doe)" cn sn telephoneNumber telephone number of the resulting entries.
Output is shown in LDIF
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
147/155 OpenLDAP
OpenLDAP
slapd Standalone OpenLDAP daemon
yum install openldap openldap-clients \ Install the OpenLDAP client (on RHEL 7)
authconfig sssd nss-pam-ldapd authconfig-gtk
getent group groupname Get entries about groupname from NSS libraries
sssd (the System Security Services Daemon) must be running to provide access to OpenLDAP as an authentication and
identity provider.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
148/155 SELinux
SELinux
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access
control security policies.
SELinux implements a Mandatory Access Control framework that allows the definition of fine-grained permissions for how
subjects (i.e. processes) interact with objects (i.e. other processes, files, devices, ports, sockets); this improves security
with respect to the standard Discretionary Access Control, which defines accesses based on users and groups. The security
context of a file is stored in its extended attributes.
The decisions SELinux takes about allowing or disallowing access are stored in the AVC (Access Vector Cache).
chcon context file Change the security context of file to the specified context
chcon --reference=file0 file Change the security context of file to the same as the reference file file0
restorecon -f file Restore the security context of file to the system default
tar --selinux [other args] Create or extract archives that retain the security context of files
star -xattr -H=exustar [other args]
sealert -a logfile Analyze a SELinux logfile and display SELinux policy violations
grep nnnnn.mmm:pp logfile | audit2why Diagnostic a specific AVC event entry from a SELinux logfile:
type=AVC msg=audit(nnnnn.mmm:pp): avc: denied (...)
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
149/155 KVM
KVM
KVM (Kernel-based Virtual Machine) is a virtualization infrastructure for the Linux kernel that allows it to function as an
hypervisor.
/etc/libvirt/qemu/ Directory containing the XML files that define VMs properties.
libvirtd must be restarted after modifying a XML file
/var/lib/libvirt/ Directory containing files related to the VMs
Kickstart
Kickstart is a method to perform automatic installation and configuration of RHEL machines.
This can be done by specifying inst.ks=hd:/dev/sda:/root/path/ksfile either as a boot option, or an option
to the kernel command in GRUB 2.
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
150/155 Git
Git
git init Initialize the current directory as a repository
git pull Pull the changes from the remote repository branch to the local branch
git add file Add file to the content staged for the next commit (hence starting to track it)
git rm file Remove file from the content staged for the next commit
git status See the status (e.g. files changed but not yet staged) of the current branch
git commit -am "Message" Commit all staged files in the current branch
git push Push the local commits from the current branch to the remote repository
git push origin branch Push the local commits from branch to the remote repository
git merge branch Merge changes made on branch to the master branch
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
151/155 HTML 4.01 - components
HTML 4.01 - components
Tag Attributes
<h1>...<h6> Heading align=left|center|right|justify Heading alignment †
† = deprecated
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
152/155 HTML 4.01 - text
HTML 4.01 - text
Tag Attributes
<i> Italic
<b> Bold
<s>
<strike> Strike-through Strike-through text †
<small> Smaller
<sub> Subscript
<sup> Superscript
<strong> Strong
<acronym> Acronym
† = deprecated
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
153/155 HTML 4.01 - images
HTML 4.01 - images
Tag Attributes
align=top|bottom|left|middle|right Image alignment with respect to surrounding text †
alt=alternatetext Description of the image for text-only browsers
border=npixels Border width around the image †
height=npixels|percent% Image height
hspace=npixels Blank space on the left and right side of image †
<img>
ismap=url URL for server-side image map
Image
longdesc=url URL containing a long description of the image
src=url URL of the image
usemap=url URL for client-side image map
vspace=npixels Blank space on top and bottom of image †
width=npixels|percent% Image width
† = deprecated
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
154/155 HTML 4.01 - tables and lists
HTML 4.01 - tables and lists
Tag Attributes
align=left|center|right Table alignment †
bgcolor=rgb(r,g,b)|#rrggbb|color Table background color †
border=npixels Border width
cellpadding=npixels|percent% Space around the content of each cell
cellspacing=npixels|percent% Space between cells
<table>
Table frame=void|above|below|
lhs|rhs|hsides|vsides|box|border Visibility of sides of the table border
† = deprecated
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo
155/155 7-bit ASCII table
7-bit ASCII table
Dec Hex Char Dec Hex Char Dec Hex Char Dec Hex Char
0 0 NUL Null 32 20 space 64 40 @ 96 60 `
8 8 BS Backspace 40 28 ( 72 48 H 104 68 h
15 F SI Shift in 47 2F / 79 4F O 111 6F o
Linux Quick Reference Guide 5th ed. September 2017 © Daniele Raffo www.crans.org/~raffo