
www.acuityeducare.com

Acuity Educare

LINUX SYSTEM ADMINISTRATION
SEM V: UNIT 2

607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622

Abhay More abhay_more

TRAINING -> CERTIFICATION -> PLACEMENT BSC IT : SEM - V : LINUX – U2

Q. List different types of partitions. How will you create partitions with the help of fdisk?
There are three types of partitions:
1. Primary Partitions: These are written directly to the master boot record of the hard drive. After creating four primary partitions, you can't add any more partitions, even if there is still a lot of disk space available. There is space for just four partitions in the partition table.
2. Extended Partition: Every hard drive can have one extended partition. You cannot create a file system in an extended partition. The only thing you can do with it is create logical partitions. You'll use an extended partition if more than four partitions are required on a hard drive.
3. Logical Partitions: A logical partition is created inside an extended partition. You can have a maximum of 11 logical partitions per disk, and you can create file systems on top of logical partitions.
• Once we select between primary, extended, or logical partitions, we need to provide the partition type. The partition type tells the operating system what the partition is to be used for. On RHEL servers, the following are the most common partition types:
o 83: This is the default partition type. It is used for any partition that is formatted with a Linux file system.
o 82: This type is used to indicate that the partition is used as swap space.
o 05: This partition type is used to indicate that it is an extended partition.
o 8e: Use this partition type if you want to use the partition as an LVM physical volume.
• Once the partition is created, restart your server to activate the new partition.

There are two ways to create and manage partitions on a Red Hat server:
1. The graphical Palimpsest tool, from Applications > System Tools > Disk Utility
2. The command-line tool fdisk

fdisk tool:
1. To view all existing disk partitions:
# fdisk -l /dev/sda

2. Open the device in fdisk:
# fdisk /dev/sda

3. Type m to see an overview of all commands that are available in fdisk.
Command (m for help): m
Command action
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   p   print the partition table
   q   quit without saving changes
   t   change a partition's system id
   w   write table to disk and exit

4. Creating a new partition in fdisk

• To create a new partition, type n. fdisk asks for a primary or an extended partition. Type p for primary and enter a partition number.

Page 1 of 40
YouTube - Abhay More | Telegram - abhay_more
607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622
TRAINING -> CERTIFICATION -> PLACEMENT BSC IT : SEM - V : LINUX – U2

• Next enter the first sector of the partition. Press Enter to accept the default value. When asked for the last sector, type +1G and press Enter.
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 3
First sector: (press Enter to use the default)
Last sector, +sectors or +size{K,M,G}: +1G

• Now create an extended partition. Type n again to add this new partition, then choose option e to indicate that you want to add an extended partition. The partition number is not asked for, as it is the last remaining primary slot. Press Enter to accept the default first and last sector; this uses the rest of the available disk space for the extended partition.
Command (m for help): n
Command action
   e   extended
   p   primary partition
e
Selected partition number 4.
First sector: (press Enter)
Last sector, +sectors or +size{K,M,G}: (press Enter)

• When you press n now, fdisk creates a logical partition inside the extended partition, because all four primary slots are already used.
Command (m for help): n
First sector: (press Enter)
Last sector, +sectors or +size{K,M,G}: +100M

5. Print the current partition overview:
Command (m for help): p

If we are happy with the partitioning, type the w command to write the new partitions to disk and exit; otherwise press q to quit without saving.

6. To activate the new partitions, reboot your server or run partprobe:
# partprobe /dev/sda

7. Format partitions / create a file system on the partitions
• After creating and activating your partition, you need to format it with a file system.
• Use the following commands to format the partitions with the ext4 file system.
• Partition 4 is the extended partition, hence we need not put a file system on it.
# mkfs.ext4 /dev/sda3
# mkfs.ext4 /dev/sda5

8. Mounting the newly created and formatted partitions
a. Temporary mount
# mkdir /dir1
# mount /dev/sda3 /dir1
# mkdir /dir2
# mount /dev/sda5 /dir2

For unmounting use:
# umount /dir1
# umount /dir2

b. Permanent mount
Step 1: Open a root shell, and use the blkid command to find the UUIDs of the /dev/sda3 and /dev/sda5 devices.
# blkid

Step 2: Create directories to mount the devices.
# mkdir /dir3 /dir4

Step 3: Open /etc/fstab in the vi editor using # vi /etc/fstab, and add lines with the following contents.
UUID=<copy from step 1> /dir3 ext4 defaults 0 0
UUID=<copy from step 1> /dir4 ext4 defaults 0 0

If no UUID is shown in step 1, write the name of the device (for example /dev/sda3) instead.

Step 4: Use the vi command Esc, :wq! to save and apply the changes to /etc/fstab.

Step 5: Use # mount -a to verify that the devices are mounted from /etc/fstab. The mount -a command tries to mount everything in /etc/fstab that hasn't been mounted already.

Q. List and explain different File Systems supported by linux

• Several file systems are available on Red Hat Enterprise Linux; currently Ext4 is used as the default file system.
Ext2/3
• The predecessors of the Ext4 file system. Ext2 doesn't use a file system journal, and therefore it is a good choice for very small partitions (less than 100MB).
• ext3 provides all the features of ext2, and also features journaling and backward compatibility with ext2.
• The backward compatibility enables you to still run kernels that are only ext2 aware with ext3 partitions. You can upgrade an ext2 file system to an ext3 file system without losing any of your data.
• ext3's journaling feature reduces the time it takes to bring the file system back to a normal state if it has not been cleanly unmounted (that is, in the event of a power outage or a system crash).
• Under ext2, when a file system is uncleanly unmounted, the whole file system must be checked. This takes a long time on large file systems. ext3 keeps a record of uncommitted file transactions and applies only those transactions when the system is brought back up.
• ext3's journaling feature involves a small performance hit to maintain the file system transaction journal.


• Therefore, it's recommended that you use ext3 mostly for your larger file systems, where the ext3 journaling performance hit is made up for in time saved by not having to run fsck on a huge ext2 file system.

Ext4
• The default file system on RHEL. It is a general-purpose file system. Ext4 uses the file system journaling feature. The file system journal works as a transaction log in which the file system keeps records of files that are open for modification at any given time.
• The benefit of using a file system journal is that, if the server crashes, it can check to see what files were open at the time of the crash and find the damaged files.
• The drawback of using a journal is that it takes up disk space, an average of 50MB on Ext4. That means it's not a good idea to create a journal on very small file systems because it might leave insufficient space to hold your files.
XFS
• Provides good performance for very large file systems and very large files.
Btrfs
• Btrfs is the next generation of Linux file system. It is based on a B-tree database, which makes the file system faster. It also has features like copy on write, which makes it very easy to revert to a previous version of a file. This file system is easy to grow and shrink. Btrfs is currently available as a tech preview version only, which means that it is not supported and not yet ready for production.
VFAT and MS-DOS
• Sometimes it's useful to put files on a USB drive to exchange them among Windows users. This is the purpose of the VFAT and MS-DOS file systems.
GFS
• GFS is Red Hat's Global File System. It is designed for use in high availability clusters where multiple nodes need to be able to write to the same file system simultaneously.

Q. Give steps to Create File System on partitions. List Steps to format a partition with the Ext4
file system.

• To create a file system, you can use the mkfs utility.
• To create an ext4 file system, use the mkfs.ext4 or mkfs -t ext4 command.
1. Generate a list of all partitions on disk /dev/sda
# fdisk -l /dev/sda

All partitions that have type 83 (i.e. Linux partition) can be used to create a file system.

2. Check that the partition is empty
• Before creating the file system, check that there is nothing on the partition. To verify this, use the command

# mount /dev/sda3 /mnt

• If this command fails, the partition is not yet formatted with a file system and there is nothing on this partition.
• If the command succeeds, check that there are no files you want to keep on the partition by verifying the contents of the /mnt directory, then unmount it again before formatting (mkfs refuses to format a mounted device).

3. Format /dev/sda3 with the ext4 file system
# mkfs.ext4 /dev/sda3

4. Mount the file system on the /mnt directory
# mount /dev/sda3 /mnt

Q. Write short notes on
1. Check and change file system properties
2. Check file system integrity

1. Check file system properties


• To check the file system properties, use dumpe2fs command.
# dumpe2fs /dev/sda3 | less
2. Change file system properties
• To change current file system properties, use the tune2fs command.
• example: Set a File System Label
a. Make sure the /dev/sda3 device is not currently mounted.
# umount /dev/sda3
b. Set the label to mylabel
# tune2fs -L mylabel /dev/sda3

c. Verify that the label is set. It is listed as the file system volume name on the first line of the dumpe2fs output.
# dumpe2fs /dev/sda3 | less
d. Mount /dev/sda3 using the label on the /mnt directory
# mount LABEL=mylabel /mnt
3. Check file system integrity
• The integrity of your file systems is checked at boot, but we can use the fsck command to check integrity manually.
# fsck
# fsck -p
Where the -p option attempts to perform an automatic repair, without prompting. Run fsck only on an unmounted file system.
Q. Explain /etc/fstab configuration file with an example.

• We can mount File Systems Automatically using /etc/fstab configuration file.


• The /etc/fstab file is used to mount two different kinds of devices:

a. Mount file systems

b. Mount system devices

• To specify how the mounts should be performed, six different columns are used:
1. The name of the device to be mounted.
2. The directory where this device should be mounted.
3. The file system that should be used to mount the device.
4. Specific mount options: use defaults if you want to perform the mount without any specific
options.
5. Dump support: use 1 if you want the dump backup utility to be able to make a backup of this device, and use 0 if you don't.
6. fsck support: use 0 if you don't want this file system to be checked automatically while booting. Use 1 to ensure that it is checked before anything else takes place. Use 1 for the root file system. Use 2 for all other file systems.

Steps to Mount Devices through /etc/fstab:

Step 1:
Open a root shell, and use the # blkid command to find the UUID of the /dev/sda3 device.

Step 2:
Create a directory /dir1 to mount the device.


# mkdir /dir1

Step 3:
Open /etc/fstab in vi editor using # vi /etc/fstab, and add a line with the following contents.
UUID= <copy from step1> /dir1 ext4 defaults 0 0

Step 4: Use the vi command Esc, :wq! to save and apply the changes to /etc/fstab.

Step 5: Use # mount -a to verify that the device is mounted from /etc/fstab. The mount -a command tries to mount everything in /etc/fstab that hasn't been mounted already.
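As an added example (not part of these notes), a small POSIX shell checker for the six-column layout described above: it reads fstab-style lines (a constructed sample, not a real server's file) and reports entries that break the dump and fsck rules or that name a device by its /dev path instead of the UUID that blkid reports.

```shell
#!/bin/sh
# Added example: validate /etc/fstab entries against the six-column layout.
# SAMPLE_FSTAB is constructed for this example; it is not from a real host.
SAMPLE_FSTAB='UUID=0f1e2d3c-0000-4000-8000-000000000001 / ext4 defaults 1 1
UUID=0f1e2d3c-0000-4000-8000-000000000002 /dir1 ext4 defaults 0 2
/dev/sda3 /dir3 ext4 defaults 0 2
/swapfile swap swap defaults 0 0
/dev/sda5 /dir4 ext4 defaults 0
UUID=0f1e2d3c-0000-4000-8000-000000000003 /dir5 ext4 defaults 0 1'

# check_fstab_line LINE
# Prints one finding per problem and returns 1 if the entry has any.
check_fstab_line() {
    entry=$1
    # Split the entry on whitespace into the six positional columns.
    set -- $entry
    if [ $# -ne 6 ]; then
        echo "columns: expected 6, found $# in '$entry'"
        return 1
    fi
    dev=$1 mnt=$2 fstype=$3 dump=$5 pass=$6   # column 4 (options) is free-form
    problems=0
    case "$dev" in
        UUID=*|LABEL=*) ;;   # stable identifier, as reported by blkid
        /dev/*)
            echo "device: '$dev' is a kernel name; prefer UUID= from blkid so renumbered disks do not break the mount"
            problems=$((problems + 1)) ;;
        /*) ;;               # a regular file, e.g. a swap file
        *)  echo "device: unrecognised '$dev'"; problems=$((problems + 1)) ;;
    esac
    case "$mnt" in
        /*|swap|none) ;;
        *) echo "mount point: '$mnt' is not an absolute path"; problems=$((problems + 1)) ;;
    esac
    case "$dump" in
        0|1) ;;
        *) echo "dump: must be 0 or 1, got '$dump'"; problems=$((problems + 1)) ;;
    esac
    # fsck ordering rules from the notes: 1 is reserved for the root file
    # system, swap is never checked, everything else uses 0 (skip) or 2.
    if [ "$fstype" = swap ] && [ "$pass" != 0 ]; then
        echo "fsck pass: swap must use 0, got '$pass'"; problems=$((problems + 1))
    elif [ "$mnt" = / ] && [ "$pass" != 1 ]; then
        echo "fsck pass: the root file system must use 1, got '$pass'"; problems=$((problems + 1))
    elif [ "$mnt" != / ] && [ "$pass" = 1 ]; then
        echo "fsck pass: only / may use 1; use 2 for '$mnt'"; problems=$((problems + 1))
    elif [ "$pass" != 0 ] && [ "$pass" != 1 ] && [ "$pass" != 2 ]; then
        echo "fsck pass: must be 0, 1 or 2, got '$pass'"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# count_fstab_problems FSTAB_TEXT
# Runs every non-comment line through check_fstab_line, sends the findings
# to stderr and prints how many entries had at least one problem.
count_fstab_problems() {
    bad=0
    while IFS= read -r fstab_line; do
        case "$fstab_line" in ''|'#'*) continue ;; esac
        check_fstab_line "$fstab_line" >&2 || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo "$bad"
}

# Stand-alone run against the constructed sample: reports 3 bad entries
# (the /dev/sda3 path, the five-column line, and /dir5 with fsck pass 1).
printf 'entries with problems: %s\n' "$(count_fstab_problems "$SAMPLE_FSTAB")"
```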

Q. What is LVM? Write steps to Create Logical Volumes.

• LVM stands for Logical Volume Management. It is a system for managing logical volumes, or file systems.
• If the storage configuration is not going to change in future, then we can use partitions instead of LVM. The benefit of using partitions is that they are easier to create and manage.
• If the storage configuration is going to change, for example when growing system logs fill up the /var partition, increasing a partition's size without LVM is very difficult. We need another disk drive, create a /var mount point on that disk, and then copy all our data from the old /var to the new /var disk location.
• With LVM, we can add another disk, create a physical volume, and then add the physical volume to the volume group that contains the /var partition. Then we can use the LVM file system resizing tool to increase the file system size to match the new partition size.
Advantages of LVM:
• LVM makes resizing of volumes possible.
• In LVM, you can work with snapshots, which are useful in making a reliable backup.
• In LVM, you can easily replace failing storage devices.

To create logical volumes, you need to set up three different parts.


• Physical volume (PV)
The physical volume is the actual storage device in your LVM configuration.


• Volume group (VG)


The volume group is the collection of all the storage devices you want to use in an LVM
configuration.
• Logical Volume (LV)
A logical volume of a specific size is created from the volume group in the LVM configuration.

Steps for Creating LVM Logical Volumes:


Step 1: Change partitions to 8e partition type to use them for Logical volume.
# fdisk /dev/sda

• To activate the partitions reboot your server or run partprobe


# partprobe /dev/sda

Step 2: Use pvcreate to create the physical volume.


# pvcreate /dev/sda{5,6}
To view physical volume type command
# pvdisplay /dev/sda{5,6}

Step 3: Create the volume group (VG) using the vgcreate command.


# vgcreate volg /dev/sda{5,6}
To view the volume group type command
# vgdisplay volg

Step 4: create the LVM volumes using lvcreate command.



• The lvcreate command requires the volume group to use and the size of the logical volume.
• To specify the size, you can use -L to specify the size in kilo, mega, giga, tera, exa, or petabytes, or -l to specify the size in extents. The extent is the basic building block of the LVM logical volume, and it typically has a size of 4MB. Alternatively use -l 100%FREE, which uses all available extents in the volume group.

# lvcreate -n lv -L 800M volg
Or
# lvcreate -n lv -l 100%FREE volg
To view the logical volume, type the command
# lvdisplay /dev/volg/lv
Or
# lvs
It summarizes all currently existing logical volumes.
Step 5: format logical volume with ext4 file system
# mkfs.ext4 /dev/volg/lv

Step 6: Mount the logical volume


# mkdir /lvmtest
# mount /dev/volg/lv /lvmtest

Q. Explain Resizing Logical Volumes with examples.

The three common scenarios for resizing a logical volume are as follows:
1. Extending a logical volume if there are still unallocated extents in the volume group.
2. Extending a logical volume if there are no longer any unallocated extents in the volume group. Here, extend the volume group first.
3. Shrinking a logical volume.
1. Extending a logical volume if there are still unallocated extents in the volume group.
• Assumption: There is unallocated space available in the volume group.
• You have to grow the logical volume and then extend the Ext file system.

a. Type vgs to get an overview of the current volume groups.


# vgs

b. Adds 100 percent of all free extents to the lv logical volume.


# lvextend -l +100%FREE /dev/volg/lv

c. Extend the file system on the logical volume to the current size of the logical volume.
# resize2fs /dev/volg/lv

2. Extending a logical volume if there are no longer any unallocated extents in the volume group. Here, extend the volume group first.
• If you want to extend a logical volume and you don't have unallocated extents in the volume group, you first need to create a physical volume and add that to the volume group.

a. Use the vgs command to confirm that VFree indicates that no unallocated disk space is available.
# vgs

b. Create a logical partition called /dev/sda7 that has a size of 100MB and set the partition type to 8e. Write the changes to disk and reboot your server or run partprobe.
# fdisk /dev/sda

• To activate the partitions, reboot your server or run partprobe
# partprobe /dev/sda
c. Use vgextend volg /dev/sda7 to extend the volume group with the new physical volume.
# vgextend volg /dev/sda7

To view volume group type command


# vgdisplay volg
Or
# vgs

d. Extend the logical volume as per scenario 1


3. Shrinking a logical volume / Reducing a logical volume
• If we need to reduce a logical volume, first unmount the file system, check its integrity and then reduce the file system before reducing the volume.

a. Unmount the file system and check its integrity
# umount /dev/volg/lv
# e2fsck -f /dev/volg/lv


b. Shrink the file system and the logical volume by 100MB. Sizes are given with -L (the -l option takes a number of extents), and the -r option resizes the file system together with the volume, so the file system never ends up larger than the volume it lives on.
# lvreduce -r -L -100M /dev/volg/lv

Q. What are Snapshots? Give steps to Manage Snapshot.

• An LVM snapshot allows you to freeze the current state of an LVM volume.
• A snapshot keeps the current state of a volume so that we can revert back to this state if required later.
• They are used to create backups safely. Instead of making a backup of the normal LVM volume, where files may be open, you can create a backup from the snapshot volume, where no file will be open at any time.

• A volume consists of two essential parts:
a. File system metadata
b. The actual blocks containing the data in a file.
• The file system uses the metadata pointers to find a file's data blocks. When we create a snapshot, it copies the file system metadata to the newly created snapshot volume; the file blocks stay on the original volume.
• But when a file changes on the original volume, the original blocks are copied to the snapshot volume before the change is committed to the file system.
• Hence the size of the snapshot increases over time. This also means that we have to estimate the number of changes that are going to take place on the original volume in order to create a snapshot of the right size. A snapshot that runs out of space becomes invalid, so watch its usage with lvs.
• If only a few changes are expected on the original volume, then a snapshot of about 5 percent of the original volume's size is enough.
• Every snapshot has a life cycle. That means a snapshot does not exist forever. If you no longer need the snapshot, you can delete it using the lvremove command.

1. Use vgs to get an overview of the currently available disk space in your volume groups.
# vgs

2. Mount the logical volume on the /mnt directory and copy some files to the /mnt directory, i.e. onto the logical volume.
# mount /dev/volg/lv /mnt
# cp /etc/* /mnt

3. Create a snapshot with the name snap
# lvcreate -s -L 50M -n snap /dev/volg/lv

4. Verify the creation of the snapshot volume.
# lvs

5. Create a temporary mount point for the snapshot and check its contents
# mkdir /snapmount
# mount /dev/volg/snap /snapmount
# cd /snapmount
# ls

6. Remove all files from the /mnt directory (i.e. the logical volume contents are removed). Note that there is no space between /mnt/ and *; with a space, the command would also delete everything in the current directory.
# rm -rf /mnt/*


7. Merge the snapshot back into the original volume at the next volume activation.
# lvconvert --merge /dev/volg/snap

8. Unmount the original volume, then deactivate and activate it again, which is a required step in merging the snapshot back into the original volume.
We don't need to remove the snapshot. By merging it into the original volume, it is automatically removed.

• Unmount the snapshot first, as it will no longer be available after deactivation and activation of the original volume.
# umount /snapmount
# umount /mnt
# lvchange -a n /dev/volg/lv; lvchange -a y /dev/volg/lv

9. Check the /mnt directory to verify its contents
# mount /dev/volg/lv /mnt
# ls /mnt
Q. Write steps to replace failing devices.

• Sometimes we may get errors in syslog relating to a device that you're using in LVM. If that happens, you can move all physical extents from the failing device to another device in the same volume group.

1. Moving extents to existing physical volumes in the volume group

• If there are enough free extents on the other physical volumes in the group, then use the following steps.

Step 1: move data from /dev/sda3 to existing physical volumes.


# pvmove /dev/sda3
This frees up the failing device, which allows you to remove it.

Step 2: Use vgreduce command to remove the physical volume from the volume group.
#vgreduce volg /dev/sda3

2. Moving Extents to a new disk


• If there are not enough free extents on the other physical volumes in the group, then use the following steps.

Step 1: Create a new partition /dev/sda7.

Step 2: Create physical volume


# pvcreate /dev/sda7

Step 3: add this physical volume to existing volume group.


# vgextend volg /dev/sda7

Step 4: move data from /dev/sda3 to /dev/sda7


# pvmove /dev/sda3 /dev/sda7

Step 5: Removing old physical volume from volume group.


# vgreduce volg /dev/sda3


Q. Give steps to create swap space.

• In many cases, it's enough to allocate just 1GB of swap space, but sometimes a server runs out of memory. There are some scenarios in which we need more swap space.
• For example:
1. If you install RHEL Server on a laptop, we need RAM + 1GB to be able to close the lid of the laptop to suspend it.
2. If you install an application that has specific requirements for swap space, like Oracle databases and SAP NetWeaver applications.

• Swap space can be a partition, a logical volume or a large empty file. The Linux kernel addresses swap space directly, hence it does not matter where it is.
• Adding swap space is a four-step procedure.

Swap space as Large empty file:


Step 1: Create a device for swap.
# dd if=/dev/zero of=/swapfile bs=1M count=1024
• This command creates a 1GB swap file in the root directory of your server.

Step 2: Use mkswap to format the swap device.


# mkswap /swapfile

Step 3: Use swapon to activate the swap space.

• First check the current amount of swap space on your server.
# free -m
• Next, activate the swap file.
# swapon /swapfile
• Verify that 1GB of swap space was added.
# free -m

Step 4: Create a line in /etc/fstab to activate the swap space automatically the next time you reboot your server.
• Open /etc/fstab with an editor, and put in the following line
/swapfile swap swap defaults 0 0
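An added example, not from the notes: a shell helper for steps 1 to 3 that creates the swap file with mode 0600 before any data is written to it and refuses to hand a world-readable file to mkswap and swapon (swap holds pages of process memory, so a readable swap file leaks whatever was swapped out). Path and size are parameters; mkswap/swapon run only as root.

```shell
#!/bin/sh
# Added example: create a swap file that is private to root from the start.
# Assumes GNU coreutils (dd with bs=1M, stat -c); paths are parameters.

# swapfile_mode PATH: prints the octal permission bits of PATH, e.g. 600.
swapfile_mode() {
    stat -c '%a' "$1"
}

# swapfile_is_private PATH: succeeds only when no group/other bits are set.
# A swap file readable by other users exposes swapped-out process memory.
swapfile_is_private() {
    mode=$(swapfile_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# prepare_swapfile PATH SIZE_MB: the dd step from the notes, but run under
# umask 077 so the file is created 0600 rather than tightened afterwards.
prepare_swapfile() {
    path=$1 size_mb=$2
    if [ -e "$path" ]; then
        echo "refusing: $path already exists" >&2
        return 1
    fi
    ( umask 077 && dd if=/dev/zero of="$path" bs=1M count="$size_mb" 2>/dev/null ) || return 1
    chmod 600 "$path" || return 1
    swapfile_is_private "$path"
}

# activate_swapfile PATH: mkswap + swapon (steps 2 and 3), guarded by the
# permission check. Needs root, so it only reports when run as a normal user.
activate_swapfile() {
    swapfile_is_private "$1" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "mkswap/swapon need root; not activating $1" >&2
        return 2
    fi
    mkswap "$1" && swapon "$1"
}
```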

Swap space as a partition:


Step 1: Create a device for swap.
# fdisk /dev/sda


# partprobe
Step 2: Use mkswap to format the swap device.
# mkswap /dev/sda3

Step 3: Use swapon to activate the swap space.


• First check the current amount of swap space on your server.
# free -m
• Next, activate the swap partition.
# swapon /dev/sda3
• Verify that the added 1GB of swap space is visible.
# free -m

Step 4: Create a line in /etc/fstab to activate the swap space automatically the next time you reboot your server.
• Open /etc/fstab with an editor, and put in the following line
/dev/sda3 swap swap defaults 0 0
Or
• Find UUID with following command
# blkid /dev/sda3
• Open /etc/fstab with an editor, and put in the following line
UUID=<Universal Unique Identifier> swap swap defaults 0 0

Q. Write step to create Encrypted Volume.

• Normally, files on servers are protected from unauthorized remote access, but if someone gets physical access then a skilled person can easily gain access to all data. Hence, encrypted drives can be used to keep data secure.
• We can use LUKS (Linux Unified Key Setup) to create an encrypted volume.

1. Create the device you want to encrypt. This can be an LVM logical volume or a partition.
# fdisk /dev/sda

Add a new partition:



# partprobe
2. Format the device as an encrypted device.
# cryptsetup luksFormat /dev/sda3
Are you sure: YES
Enter LUKS passphrase: <password>

3. Open the device and assign a name to this encrypted device. This name occurs in the /dev/mapper directory, because this entire procedure is managed by Device Mapper.
# cryptsetup luksOpen /dev/sda3 confidential
4. Create a file system on the device
# mkfs.ext4 /dev/mapper/confidential

5. Mount the encrypted device.
# mount /dev/mapper/confidential /mnt

6. After using the encrypted device, unmount and close the device. Once closed, all contents on the device are locked.
# umount /mnt
# cryptsetup luksClose confidential

Q. Explain different init levels and explain the purpose of the inittab file. What is a runlevel? List various runlevels and explain them.

Runlevels:
• The runlevel defines the state in which the server boots.
• Every runlevel is referenced by number. Common runlevels are runlevel 3 and runlevel 5.
• Runlevel 3 is used to start services for a server that starts without a graphical user interface, and runlevel 5 with a graphical interface.

• In each runlevel, service scripts are started. These service scripts are installed in the /etc/init.d directory
and managed with the service command.
• A service script doesn’t contain any variable parameters. All variable parameters are read while the
service script starts, either from its configuration file in the /etc directory or from a configuration file
that it uses, which is stored in the /etc/sysconfig directory.


• There are typically 8 runlevels on a Linux system, but Fedora Core and Red Hat Enterprise Linux (RHEL) systems use 7 runlevels.
0 – Halt
1 – Single-User Mode
2 – Not Used (User definable)
3 – Full Multiuser Mode (without GUI)
4 – Not Used (User definable)
5 – Full Multiuser Mode (with GUI)
6 – Reboot

• The /etc/inittab file controls the default runlevel for the system to use when it boots. We can change the runlevel for our system by making the following change. Look for the line id:5:initdefault: in the /etc/inittab file. The number 5 in the line means that the system will boot into runlevel 5.

• If we want to boot the system into runlevel 3, then just change the number 5 to 3 so the line looks like:
id:3:initdefault:
The default runlevel for Fedora Core and RHEL is runlevel 5, which provides a full multiuser environment and starts the X Window System to give the user a graphical environment.

• Runlevel 3 provides a full multiuser system without a graphical environment for the user.

• Runlevels 2 and 4 are not used in Fedora Core and RHEL systems. These runlevels are there so that the user can configure them as desired. By doing this, we can make our own custom runlevel.
• Runlevel 1 lets us enter single-user mode. This is useful for troubleshooting or running diagnostics on the system. But it is not usually set as the default runlevel in the /etc/inittab file. If we have a problem with the system, we can enter runlevel 1.

Step to enter runlevel 1:


1. When the boot screen appears, highlight the kernel you want to change by using the down arrow key.
2. Press e.
3. Scroll to the second line (the kernel line) and press e again.
4. At the end of the line type 1 and press Enter.
5. Press b to boot the system in single-user mode.

Q. How can rc scripts be managed using chkconfig? List and explain commands to enable the
services.

• chkconfig manages services that are started at boot time.
• The chkconfig utility is a command-line tool that allows you to specify in which runlevels to start a selected service, as well as to list all available services along with their current settings.

Listing the Services
• To display a list of system services, either type chkconfig --list, or use chkconfig with no additional arguments.
• Each line consists of the name of the service followed by its status (on or off) for each of the seven numbered runlevels.
• To display the current settings for a selected service only, use chkconfig --list followed by the name of the service:


• chkconfig --list service_name


• For example, to display the current settings for the bluetooth service, type:
• # chkconfig --list bluetooth
• bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Enabling a Service
• To enable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as the root user:
• chkconfig service_name on
• For example, to enable the bluetooth service in these four runlevels, type:
• # chkconfig bluetooth on
• To enable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6
representing each runlevel in which you want the service to run:
• chkconfig service_name on --level runlevels
• For instance, to enable the bluetooth service in runlevels 3 and 5, type:
• # chkconfig bluetooth on --level 35

Disabling a Service
• To disable a service in runlevels 2, 3, 4, and 5, type the following at a shell prompt as root:
• # chkconfig service_name off
• For instance, to disable the bluetooth service in these four runlevels, type:
• # chkconfig bluetooth off
• To disable a service in certain runlevels only, add the --level option followed by numbers from 0 to 6
representing each runlevel in which you do not want the service to run:
• # chkconfig service_name off --level runlevels
• For instance, to disable the bluetooth service in runlevels 2 and 4, type:
• # chkconfig bluetooth off --level 24
• With the chkconfig command, the service will be started or stopped the next time you enter one of these
runlevels. If you need to start or stop the service immediately, Red Hat/Fedora also have a useful script
called service which can be used to start or stop any service for the current session. For example, to
start the Apache web server using the service script, the command is as follows:
# service httpd start
and to stop the service:
# service httpd stop
Typing # service httpd status should then tell you that the httpd service is stopped.
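As an added example (not part of the original notes), the shell functions below read `chkconfig --list` output and answer the questions an administrator asks when reviewing boot-time services: which services start in a given runlevel, which of those are not on an allow list, and whether a `--level` argument is well-formed. The service names and their on/off states in CHKCONFIG_SAMPLE are constructed for this example; on a RHEL 6 host you would fill that variable from the real `chkconfig --list`.

```sh
# Constructed sample of `chkconfig --list` output (not taken from a real host).
CHKCONFIG_SAMPLE='bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
telnet         0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# services_on RUNLEVEL: names of the services set to start in RUNLEVEL (0-6).
services_on() {
    printf '%s\n' "$CHKCONFIG_SAMPLE" | awk -v lvl="$1" '
        {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")          # "3:on" -> kv[1]="3", kv[2]="on"
                if (kv[1] == lvl && kv[2] == "on") print $1
            }
        }'
}

# unexpected_on RUNLEVEL ALLOWED: services enabled in RUNLEVEL that are not in the
# space-separated ALLOWED list; each one is a candidate for `chkconfig NAME off`.
unexpected_on() {
    for svc in $(services_on "$1"); do
        case " $2 " in
            *" $svc "*) ;;                  # on the allow list, nothing to report
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# valid_levels ARG: succeed only if ARG is a non-empty string of runlevel digits
# 0-6, the form `chkconfig NAME on --level ARG` expects (e.g. "35" or "24").
valid_levels() {
    case "$1" in
        '' | *[!0-6]*) return 1 ;;
        *) return 0 ;;
    esac
}

unexpected_on 3 "httpd sshd"      # prints bluetooth and telnet
```

The allow list is the administrator's own baseline for the runlevel; anything the audit prints is a service that was enabled without being on that baseline.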

Q. List Network Manager Configuration Files and explain any one in detail.


• For each network interface, there is a configuration file in /etc/sysconfig/network-scripts. The
names of all of these files start with ifcfg- and are followed by the name of the specific network
card.
• For example, lo (the local loopback interface) is internal to the computer; its IP address is usually
127.0.0.1.
• Similarly, Ethernet cards are used to connect to the world external to the computer and are usually
named eth0, eth1, eth2 and so on.
• The network interface files holding the configuration of lo and the Ethernet card are:
/etc/sysconfig/network-scripts/ifcfg-lo
/etc/sysconfig/network-scripts/ifcfg-eth0
• Example: cat ifcfg-eth0
DEVICE=eth0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System 1"
UUID=131a1c02-1aee-2884-a5tb-05cc5ab849d9
HWADDR=b1:ab:3f:c8:12:34
IPADDR=192.168.1.1
PREFIX=24
GATEWAY=192.168.1.2
DNS1=8.8.8.8
USERCTL=no
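As an added example (not part of the original notes), the functions below read an ifcfg file as plain key=value data and check it before it is handed to `ifup`. Both files are constructed for this example and written to temporary files: the first repeats the listing above, the second (a hypothetical ifcfg-eth1) carries the defects the check reports. Reading the file as data rather than sourcing it with `.` means any shell syntax inside a value is never executed.

```sh
# Two constructed ifcfg files written to temp files so nothing under /etc is read.
IFCFG_OK=$(mktemp)
IFCFG_BAD=$(mktemp)
trap 'rm -f "$IFCFG_OK" "$IFCFG_BAD"' EXIT
cat > "$IFCFG_OK" <<'EOF'
DEVICE=eth0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System 1"
UUID=131a1c02-1aee-2884-a5tb-05cc5ab849d9
HWADDR=b1:ab:3f:c8:12:34
IPADDR=192.168.1.1
PREFIX=24
GATEWAY=192.168.1.2
DNS1=8.8.8.8
USERCTL=no
EOF
cat > "$IFCFG_BAD" <<'EOF'
DEVICE=eth1
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=static
NAME="Lab eth1"
USERCTL=yes
EOF

# ifcfg_get FILE KEY: the value of KEY with optional double quotes stripped.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"//; s/"$//' | head -n 1
}

# ifcfg_check FILE: print each problem found and return their count.  A static
# interface (BOOTPROTO=none or static) needs IPADDR and PREFIX or NETMASK, and
# USERCTL=yes lets non-root users bring the interface up or down.
ifcfg_check() {
    problems=0
    proto=$(ifcfg_get "$1" BOOTPROTO)
    if [ "$proto" = none ] || [ "$proto" = static ]; then
        if [ -z "$(ifcfg_get "$1" IPADDR)" ]; then
            echo "$1: static interface without IPADDR"; problems=$(( problems + 1 ))
        fi
        if [ -z "$(ifcfg_get "$1" PREFIX)" ] && [ -z "$(ifcfg_get "$1" NETMASK)" ]; then
            echo "$1: static interface without PREFIX or NETMASK"; problems=$(( problems + 1 ))
        fi
    fi
    if [ "$(ifcfg_get "$1" USERCTL)" = yes ]; then
        echo "$1: USERCTL=yes allows non-root users to control the interface"; problems=$(( problems + 1 ))
    fi
    return "$problems"
}

ifcfg_check "$IFCFG_OK" && echo "$IFCFG_OK: no problems"
ifcfg_check "$IFCFG_BAD" || echo "$IFCFG_BAD: $? problem(s)"
```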


Q. Give different commands to Configure Network from the Command Line. Explain ip
command with an example.

The classic tool for manual network configuration and monitoring is ifconfig.
• ifconfig is used for manual network configuration and monitoring.
• This command conveniently provides an overview of the current configuration of all network cards.
• ifconfig is no longer the standard tool for network configuration; ip is the default tool for manual network
configuration and monitoring.
• The ip command is harder to use because it works with subcommands, known as objects in the help for
the command. Using these objects makes the ip command very versatile but also complex.

Syntax:


• There are many objects, but three are used most:

a. ip addr is used to show and manipulate the IP addresses of network interfaces.
• For example: Configuring a Network Interface with ip
1. Open a terminal with root permission.
2. Use the command # ip addr show to display the current IP address configuration and check the network
card name.
3. Add an IP address to this network card using the command
# ip addr add dev eth0 192.168.1.1/24
4. Use the command # ping 192.168.1.1 to check the availability of the IP address.
5. With # ifconfig you can't see this secondary IP address.
6. Use # ip addr show to display the current network configuration.
b. ip link can set device properties and monitor the current state of a device.
• For example: change the state of the device to UP or DOWN
• Syntax: ip link set dev {DEVICE} {up|down}
To make the state of the device eth1 down, enter:
#ip link set dev eth1 down
To make the state of the device eth1 up, enter:
#ip link set dev eth1 up

c. ip route can be used to show and manage routes on your server.

• Example: Add a route to network 192.168.1.0/24 via gateway 192.168.1.254:
# ip route add 192.168.1.0/24 via 192.168.1.254
# ip route show

Q. Explain network Troubleshooting

Checking the Network Card

1. Check the configuration of the network card by seeing whether it is up or not and whether it has an IP
address currently assigned to it.
# ip addr
2. If we have confirmed that the problem is related to the local network card, check whether you can fix it
without changing the actual configuration files.
a. Use ifup on your network card to try to change its status to up.
b. If that fails, check the physical connection; that is, is the network cable plugged in?
3. Use ip addr add to add an IP address manually to the network card. If this fixes the problem, you
probably have a DHCP server that's not working properly or a misconfiguration in the network card's
configuration file.
# ip addr add dev eth0 192.168.1.1/24
4. Test the network with the ping command:
# ping 192.168.1.1
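As an added example (not part of the original notes), the functions below turn the `ip addr show` output from the ip addr section and from step 1 above into a per-interface summary and then apply the checks of steps 2 and 3: an interface that is DOWN, or one that is UP without any IPv4 address. The interface names, states and addresses in IP_ADDR_SAMPLE are constructed in the format the RHEL 6 `ip addr show` command prints; on a live host, run `ip addr show | iface_problems` instead.

```sh
# Constructed `ip addr show` output (format of the real command, invented values).
IP_ADDR_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether b1:ab:3f:c8:12:34 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.10/24 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether b1:ab:3f:c8:12:35 brd ff:ff:ff:ff:ff:ff'

# iface_summary: reads `ip addr show` text on stdin and prints one line per
# interface: NAME STATE ADDRESSES (IPv4 addresses joined by commas, or "-").
iface_summary() {
    awk '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name)
            state = "?"
            for (i = 3; i <= NF; i++) if ($i == "state") state = $(i + 1)
            order[++n] = name; st[name] = state; addr[name] = ""
        }
        $1 == "inet" {
            addr[name] = (addr[name] == "") ? $2 : (addr[name] "," $2)
        }
        END {
            for (i = 1; i <= n; i++)
                print order[i], st[order[i]], (addr[order[i]] == "" ? "-" : addr[order[i]])
        }'
}

# iface_problems: the troubleshooting checks from the text applied to the summary.
# The loopback interface is skipped; its state is reported as UNKNOWN by design.
iface_problems() {
    iface_summary | awk '
        $1 == "lo" { next }
        $2 == "DOWN" { print $1 ": link is down (try ifup " $1 ", then check the cable)" }
        $2 == "UP" && $3 == "-" { print $1 ": up but no IPv4 address (check DHCP or ifcfg-" $1 ")" }'
}

printf '%s\n' "$IP_ADDR_SAMPLE" | iface_summary
printf '%s\n' "$IP_ADDR_SAMPLE" | iface_problems
```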


Checking Routing
1. Use ip route show to display your current routing configuration.
2. If you have a default router set, verify that there is no local firewall blocking access. To do this, use
iptables -L as root.
3. Stop the firewall with service iptables stop, then start it again with service iptables start.
4. If you don't have a firewall issue, there might be something wrong between your default gateway and
the host on the Internet you're trying to reach. Use traceroute, followed by the IP address of the target
host.

Checking DNS
• The third usual suspect in network communication errors is DNS.
1. Check the DNS configuration with the dig command:
# dig www.redhat.com
connection timed out; no servers could be reached

2. If the error says that no DNS server could be reached, the error is probably in the local DNS configuration.
This means you have to check the /etc/resolv.conf file, which contains a list of DNS servers to be
contacted.
# cat /etc/resolv.conf
search example.com
nameserver 192.168.0.70
nameserver 8.8.8.8
Q. Explain the purpose of /etc/passwd and /etc/shadow file. List and explain Configuration
Files for user management.

• /etc/passwd
• This file contains all information regarding the user. Only the superuser can change this file; to other users
this file is read-only.
• Each line of the file contains information about one user, separated by colons (:).
• Syntax:
username:password:uid:gid:gecos:directory:shell

• On all Linux systems the actual password is stored in /etc/shadow, indicated by an x in the password field
in /etc/passwd. Because /etc/passwd is readable by all users, storing even encrypted passwords in it
would make password guessing easier.
• /etc/shadow is more secure because it is readable only by programs that run with root privileges, such
as login and passwd.

• Example: # cat /etc/passwd

mary:x:502:502:Mary:/home/mary:/bin/bash

• If manual changes are made to the file, you should check its integrity with the pwck command.
• Make sure to use the vipw command to edit the /etc/passwd and /etc/shadow files in order to prevent
locking issues if other users or commands are editing the files at the same time.

• /etc/shadow
• The encrypted user passwords are stored in /etc/shadow. Information relating to password expiry
is also kept in this file.
• It improves system security by keeping the encrypted passwords in /etc/shadow, which is
readable only by root.
• It keeps all information about password aging.

• Here are the fields used in the lines in /etc/shadow:

• Login name
• Encrypted password
• Last password change: days since January 1, 1970 that the password was last changed
• Min: days before the password may be changed
• Max: days after which the password must be changed
• Warn: days before the password is to expire that the user is warned
• Inactive: days after the password expires that the account is disabled.
• If a user does not change his password within the maximum allowed days, his password will be marked as expired.
A user account whose password has expired will be disabled automatically once the days specified in this
field have elapsed.
• Expire: days since January 1, 1970 that the account is disabled.
• A user is not allowed to log in after the date specified in this field. To specify a date, the number of days
starting from 1 January 1970 is used. For example, to set the account expiration date to 28 June 2018, the number
17710 is used. If this field is left blank, the user account will never expire.
• Reserved field, not currently used

For example: # cat /etc/shadow

rahul : <encrypted password> : 17780 : 0 : 99999 : 7 : : :
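As an added example (not part of the original notes), the functions below audit the /etc/passwd and /etc/shadow formats described above: they list every UID 0 account (only root should be one), accounts whose shadow password field is empty (no password at all), accounts locked with ! or *, and they convert the days-since-1970 counts in the last-change and expire fields into dates with integer arithmetic only, so the 17710 given in the text comes out as 2018-06-28. The user names, UIDs and dates in the two sample variables are constructed, and the hash strings are placeholders, not real password hashes.

```sh
# Constructed /etc/passwd and /etc/shadow content (hashes are placeholders).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mary:x:502:502:Mary:/home/mary:/bin/bash
rahul:x:503:503:Rahul:/home/rahul:/bin/bash
backup:x:0:504:Backup:/home/backup:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SHADOW_SAMPLE='root:$6$PLACEHOLDER_HASH:17780:0:99999:7:::
mary::17780:0:99999:7::17710:
rahul:$6$PLACEHOLDER_HASH:17780:0:99999:7:::
backup:!!:17780:0:99999:7:::
nobody:*:17780:0:99999:7:::'

# days_to_date DAYS: convert a days-since-1970-01-01 count (shadow fields 3 and 8)
# to YYYY-MM-DD using only integer arithmetic (civil-from-days algorithm).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# uid0_accounts: every account whose UID field is 0; only root should be listed.
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { print $1 }'
}

# empty_password_accounts: shadow entries with an empty hash field, i.e. accounts
# that have no password at all; they need a password set or a lock (passwd -l).
empty_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# locked_accounts: a hash field starting with ! or * disables password login.
locked_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# last_change USER: date of USER's last password change (field 3).
last_change() {
    days=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $3 }')
    [ -n "$days" ] || return 1
    days_to_date "$days"
}

# account_expiry USER: the account expiry date (field 8), or "never" if blank.
account_expiry() {
    days=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $8 }')
    if [ -z "$days" ]; then echo never; else days_to_date "$days"; fi
}

echo "UID 0 accounts: $(uid0_accounts | tr '\n' ' ')"
echo "no password:    $(empty_password_accounts | tr '\n' ' ')"
echo "locked:         $(locked_accounts | tr '\n' ' ')"
```

The same day-count conversion applies to the dates that chage -d and chage -E store, so the function can be used to read those fields back as well.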

• /etc/login.defs
• /etc/login.defs is a configuration file that relates to the user environment but is used completely in the
background.
• Some generic settings are defined in this configuration file.
• In login.defs, you'll find variables. These variables specify the default values used when users are
created.
CREATE_HOME yes
UMASK 022
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512

Q. Explain how system administrator can create, modify and delete user accounts. List and
explain commands for user management.


Following are the commands for adding, modifying, and deleting user accounts.
• useradd — Create user login accounts
• userdel — Delete user login accounts
• usermod — Modify user login accounts
• passwd — Set or change account passwords

useradd
The useradd command creates new user accounts and, when invoked with the -D option, modifies the
default values applied to new accounts.

Syntax 1:
useradd [-p passwd] [-u uid [-o]] [-g initial] [-G group[,...]] [-c comment] [-d dir [-m]] [-s shell] [-e
date] [-f time] username


Syntax 2:
useradd -D [-g group] [-b base_dir] [-f inactive_time] [-e expire_date] [-s shell]

• To view the current default values, invoke useradd with -D and no other arguments. The following short
listing shows the defaults on a stock Red Hat Linux installation:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash

Example:
# useradd -D -s /bin/ksh

passwd
• To access the system, a user needs a password. Your newly created users can't do anything on the server
if they don't have a password.
• To enable these users, assign passwords using the passwd command.
• A user can use it to change his password. The passwd command will first prompt for the old password
and then for the new one.
• The user root can use the passwd command in three generic ways.
• First, you can use it for password maintenance, for example to change a password.
• Second, it can be used to set password expiry information, which dictates that a password will expire at
a particular date.
• Next, the passwd command can be used for account maintenance. For example, an
administrator can use passwd to lock an account so that login is disabled temporarily.
passwd [-l] [-u [-f]] [-d] [-S] [username]

-l Enables an administrator to lock an account. For example, passwd -l lucy will lock the account for user
lucy.
-u Unlocks an account that has been locked before.
-S Reports the status of the password for a given account.
-e Forces the user to change their password on next login.
username indicates the user account on which to operate. If not specified, passwd operates on the current
user's account.

Managing Password Expiry:

• In a server environment, it makes sense to change passwords occasionally. The passwd command has
some options to manage account expiry.
-n min This rarely used option is applied to set the minimum number of days that a user must use their
password. If this option is not used, a user can change their password at any time.
-x max This option is used to set the maximum number of days a user can use a password without changing
it.
-c warn When a password is about to expire, you can use this option to send a warning to the user. The
argument for this option specifies the number of days before expiry of the password that the user will
receive the warning.
-i inact Use this option to expire an account automatically when it hasn't been used for a given period of
time. The argument for this option is used to specify the exact duration of this period.

usermod
• The usermod command modifies the given user's account in various ways, such as changing a home
directory.
Syntax:
usermod [options] username

usermod [-p passwd] [-u uid [-o]] [-g group] [-G group[,...]] [-c comment] [-d dir [-m]] [-s shell] [-e
date] [-f inactive] [-l new_username] [-L|-U] username
Example:
usermod -d /home/homejaya jaya

Options other than those of the useradd command:

-l new_username: changes the account name from username to new_username.
-L: locks username's account by placing a ! in front of the user's encrypted password in
/etc/shadow.
-U: unlocks the account by removing the !.

At least one option must be specified, but -p, -U, and -L may not be used together in any combination.

userdel
• The userdel command deletes a user account and, optionally, related files.
You cannot delete the account of a logged-in user, so userdel fails if username is logged in.
Its syntax is:
userdel [-r] [-f] username
where,
username identifies the user account to delete.
-r deletes the corresponding home directory and mail spool. Without -r, userdel removes only the account
references in the user and group database files.
-f If there are files in the home directory that are not owned by the user, userdel can't remove it. If this is the
case, add the option -f.

Q. Which command is used to change the expiration policy for user’s password? Explain with
suitable example.

# chage [-d lastpwchangedate] [-m mindays] [-M maxdays] [-W warndays] [-I inactive] [-E expirydate]
username

Step 1: Log in as the root user

Step 2: Create the user
# useradd testuser
# chage --list testuser
Last password change : Apr 01, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change 0
Maximum number of days between password change 99999
Number of days of warning before password expires 7

Step 3: Set the password expiry date for a user using the chage option -M
Syntax: # chage -M number-of-days username
# chage -M 10 testuser
# chage --list testuser
Maximum number of days between password change 10

Step 4: Set the account expiry date for a user

# chage -E "2019-10-31" testuser
# chage -l testuser
Account expires : October 31, 2019
Step 5: Force the user account to be locked after X days of inactivity
# chage -I 10 testuser

Step 6: Set the number of days for the password expiry warning message (by default, this value is 7)
# chage -W 10 testuser

Disable password aging for a user

# chage -I -1 -m 0 -M 99999 -E -1 testuser
• -I -1: This will set "Password inactive" to never
• -m 0: This will set the minimum number of days between password changes to 0
• -M 99999: This will set the maximum number of days between password changes to 99999
• -E -1: This will set "Account expires" to never.
This will disable the password expiry of a user if it is already enabled.

Q. Explain group configuration file.

There are two group configuration files.

• /etc/group: Group account information.
• /etc/gshadow: Secure group account information.
• /etc/group
• To work with groups we must understand the group file /etc/group. It has one entry per line, and
each line has the format:

groupname:password:gid:userlist
o groupname is the name of the group
o password is an optional field containing the encrypted group password
o gid is the numeric group ID number
o userlist is a comma-separated list of the user account names that comprise the group
o If x appears in the password field, nonmembers of the group cannot join it using the newgrp
command.
admins:x:507:repo,heera,lopo
Here groupname is admins; the password field is x (the group password, if any, is kept in /etc/gshadow); gid is
507; and userlist is repo,heera,lopo.

• /etc/gshadow
• The /etc/gshadow file is readable only by the root user and contains an encrypted password for
each group, as well as group membership and administrator information.

• Just as in the /etc/group file, each group's information is on a separate line. Each of these lines is
a colon-delimited list including the following information:
o Group name — The name of the group.
o Encrypted password — The encrypted password for the group. If set, non-members of the
group can join the group by typing the password for that group using the newgrp command.
If the value of this field is !, then no user is allowed to access the group using the newgrp command.
o Group administrators — Group members listed here (in a comma-delimited list) can add or
remove group members using the gpasswd command.
o Group members — Group members listed here (in a comma-delimited list) are regular, non-administrative
members of the group.
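As an added example (not part of the original notes), the functions below resolve group membership from the /etc/group format explained above. Two points the format alone does not make obvious: a user whose primary GID in /etc/passwd is the group's GID is a member without ever appearing in the group's userlist, and a name left in a userlist after its account is gone is a stale entry that grpck would report. The group and user names, GIDs and the stale entry olduser are constructed for this example.

```sh
# Constructed /etc/group and /etc/passwd content for this example.
GROUP_SAMPLE='root:x:0:root
admins:x:507:repo,heera,lopo
users:x:100:
devs:x:508:heera,olduser'
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
repo:x:501:100:Repo:/home/repo:/bin/bash
heera:x:502:100:Heera:/home/heera:/bin/bash
lopo:x:503:100:Lopo:/home/lopo:/bin/bash
sam:x:504:507:Sam:/home/sam:/bin/bash'

# group_gid NAME: the numeric GID of NAME from the group file, empty if unknown.
group_gid() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# group_members NAME: every user who belongs to NAME, sorted and deduplicated:
# the supplementary members from field 4 of /etc/group plus the users whose
# primary GID in /etc/passwd equals the group's GID.  Fails for an unknown group.
group_members() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
        printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# stale_members: names listed in any group's userlist that have no /etc/passwd
# entry, which is what grpck flags as an inconsistency between the two files.
stale_members() {
    printf '%s\n' "$GROUP_SAMPLE" |
        awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' |
        sort -u |
        while read -r u; do
            printf '%s\n' "$PASSWD_SAMPLE" |
                awk -F: -v u="$u" '$1 == u { f = 1 } END { exit f ? 0 : 1 }' || printf '%s\n' "$u"
        done
}

echo "admins: $(group_members admins | tr '\n' ' ')"   # includes sam via primary GID
echo "stale:  $(stale_members | tr '\n' ' ')"
```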
Q. List and explain commands for Group management. Explain with example how to create
new group?

• There are three commands to manage the groups in your environment: groupadd, groupdel, and
groupmod.

1. groupadd
• To create a new group, use the groupadd command.
• Its syntax is:
groupadd [-g gid [-o]] [-r] [-f] groupname

• groupname is the only required argument and must be the name of a non-existent group. When invoked
with only the name of the new group, groupadd creates the group and assigns it the first unused GID
that is both greater than 500 and not already in use.

• -f forces groupadd to accept an existing groupname.

• -g gid specifies the new group's GID; replace gid with a unique GID (use the -o
option to force groupadd to accept a non-unique GID).

• -r creates a system group, one that has special privileges.

• For example: The following command creates a new group named admins:
# groupadd admins
Here is the resulting entry created in /etc/group:
admins:x:507:

2. groupdel
• The groupdel command modifies the system account files and deletes all entries that refer to GROUP.
• Syntax:
groupdel [options] GROUP

• Options
• -h: Display a help message and exit.
• -R: Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR
directory.


Example:
# groupdel mygroup

3. groupmod
• Modify a group definition on the system.
• Syntax:
groupmod [options] GROUP

• Options
• -g: The group ID of the given GROUP will be changed to GID. The value of GID must be a non-negative
decimal integer. This value must be unique, unless the -o option is used.
• -h: Display a help message and exit.
• -n: The name of the group will be changed from GROUP to NEW_GROUP.
• -o: When used with the -g option, allows the group GID to be changed to a non-unique value.
• -p: The encrypted password
• -R: Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR
directory.

• For example:
• To change the group ID of a group:
# groupmod -g 777 oldgroup

Q. List and explain different External Authentication Sources.

• The local user database in /etc/passwd and /etc/shadow is used in a default installation of Red Hat
Enterprise Linux.
• In a corporate environment, an external source of authentication is used, such as an LDAP directory
server or an Active Directory service that is offered by Windows servers on the network.
• To configure our server to use these sources, we can use the system-config-authentication tool or
authconfig.

• There are two tabs in the system-config-authentication tool.

1. On the Identity & Authentication tab, we can specify how authentication should happen. By default, the
tool is set to use local accounts only as the user account database. We can select an external authentication
source as well. Four options are given:
o Local Accounts Only: Use this option to use the local user databases in /etc/passwd and /etc/shadow.
o LDAP (Lightweight Directory Access Protocol): This option allows you to log in using an external
LDAP directory server.
o NIS: Use this to connect to a NIS authentication service.
o Winbind: This option allows us to authenticate on Windows networks.


2. On the Advanced Options tab, you can enable advanced authentication methods, such as the use of a
fingerprint reader.

Connecting to an LDAP Server

• An LDAP server is organized as a hierarchical structure, which looks a bit like the structure of domains
and subdomains that is used in DNS. In many cases, the DNS structure is mapped one-to-one to the
LDAP database—only the way it is written is different.
• The DNS domain referred to as example.com is referred to as dc=example,dc=com in LDAP.
• To connect to LDAP, you need to specify the LDAP base DN and the authentication method. For best security,
Kerberos passwords are used.
• To log in using Kerberos, you need at least three parameters.
o Realm: This is like a domain, but in Kerberos the domain name is referred to as a realm. The realm
specifies where authentication should be handled.
o KDCs: In Kerberos, a key distribution center (KDC) is used to hand out tickets that are needed while
authenticating.
o Admin Servers: The admin server is the server that is used for administration tasks in a Kerberos
environment. It is often the same as the KDC.
• To connect to the LDAP server, it is good practice to use TLS to encrypt connections.

Logging in Using an LDAP Directory Server


1. Start system-config-authentication, and on the Identity & Authentication tab, select LDAP. This opens a
window in which you can enter all the parameters that are required to connect to an LDAP server.
2. In the User Account Configuration section, enter the LDAP search base DN, e.g.
dc=example,dc=com.
3. In the LDAP Server field, enter the IP address, e.g. 127.0.0.1.
4. Select TLS, and click Download CA Certificate. This opens a browser that allows you to specify the URL
from where the TLS certificate can be downloaded. Skip this task.
5. Under Authentication Method, make sure that Kerberos password is selected. Enter the names of the
realm, the KDC, and the admin servers you want to use. We can use the default settings.
6. Click Save to apply the settings. The system-config-authentication tool is closed and the sssd
service is started.

Connecting to an Active Directory Server

• Active Directory is the standard for authentication in corporate networks. To have your users authenticate
against Active Directory, you need Winbind.
• Once Winbind has been installed, you can specify the required parameters in system-config-
authentication that allow you to connect to the Windows environment.
• The following parameters can be used:
o Winbind Domain: The name of the domain to which you want to connect. This is an Active Directory
domain or a classical Windows NT domain.
o Security Model: Choose between ADS, domain, server, and user to specify how you want to connect
to the Windows environment. To connect to Active Directory, select ADS.
o Windows ADS Realm: Use this to specify the Kerberos realm to use.
o Winbind Domain Controllers: This parameter is used to specify where the domain controllers are.
o Template Shell: Use this to indicate which shell should be used for the users at local login on the Linux
machine. By default, the shell is set to /bin/false, which doesn't allow shell login for Winbind users.


After setting the connection parameters, click Join Domain to join your Red Hat server to the domain, and provide
the administrator password.

Q. List and explain different Authentication Process

When a user authenticates to our server, the local user database files /etc/passwd and
/etc/shadow are used in a default configuration.
• If we have used an external authentication source, sssd, PAM and /etc/nsswitch.conf are used.
a. sssd
• The sssd service provides information about all available authentication sources, and it is also capable of
providing offline authentication.
• This means that if you're on a laptop that is temporarily disconnected from the network, you can still
authenticate against the external authentication service using the sssd cache.
• The sssd configuration file is /etc/sssd/sssd.conf.
For example, the LDAP authentication information written to sssd.conf when LDAP is configured:
id_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_uri = ldap://127.0.0.1/
ldap_tls_cacertdir = /etc/openldap/cacerts
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_kdcip = kerberos.example.com
krb5_server = kerberos.example.com
.
.
.

b. nsswitch
The /etc/nsswitch.conf file is used to provide configuration information for different services on a computer.
For example, the /etc/nsswitch.conf file:
passwd: files sssd
shadow: files sssd
group: files sssd
hosts: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

c. Pluggable Authentication Modules

On Linux, pluggable authentication modules (PAM) are used to make authentication pluggable. There are
two parts in PAM.
First there are the configuration files in use. Every service has its own configuration file in the directory
/etc/pam.d.
For example, the login service uses the configuration file /etc/pam.d/login.

Configuring PAM
The /etc/securetty file is used by the PAM configuration file for login.
The /etc/securetty file defines the terminals on which it is secure for user root to log in.

1. Open a root shell. Using vi, modify the /etc/securetty file in this root shell and remove the line that
contains the text tty4.
2. Use the Ctrl+Alt+F4 key sequence to open tty4. Log in as root. You'll notice this doesn't work.
3. Open the /etc/pam.d/login file and see that it uses /etc/securetty.
4. Open tty4 again, and now log in as another user and use su - to get root permissions. You'll notice that
this works.
5. Open the /etc/pam.d/su file, and add the following on the first line:

auth required pam_securetty.so

6. Save the changes, and close the file.
7. On tty4 log in as another user and try to get root permissions. Now you will get an access denied message,
coming from the security module.

Q. What is ownership? How to change user and group ownership?

• Every file and every directory has an owner on Linux.

• To determine whether you, as a user, have permissions to a file or a directory, the kernel checks
ownership.
• First it will see whether you are the user owner, which is also referred to as the user of the file. If you
are the user, you will get the permissions that are set for the user.
• If you are not the user owner, the shell will check whether you are a member of the group. If yes,
you will get access to the file with the permissions of the group.
• If you are neither the user owner nor a member of the group owner, you'll get the permissions of others.
• The ls -l command shows ownership for files in a given directory.
1. Changing User Ownership
• The chown command is used to change user ownership.
• The syntax: chown who what
• For example,
• # chown lisa myfile will change ownership of the file to user lisa.
• Option: -R (recursive) allows you to set ownership of the current directory and everything below it.
• For example:
• # chown -R lisa /home changes ownership for the directory /home and everything inside it to user lisa.
2. Changing Group Ownership
• There are two ways to change group ownership.
• You can do it using chown or chgrp.

a. chown
• If you want to use the chown command, use a : in front of the group name.
• For example:
• # chown :account /home/account
• This command will change the group owner of the directory /home/account to the group account.
b. chgrp
• You can also use the chgrp command for the same purpose.
• # chgrp account /home/account
• Sets group ownership for the directory /home/account to the group account.
You can use the option -R with chgrp to change group ownership recursively.
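As an added example (not part of the original notes), the two functions below model the ownership check described at the top of this answer: first the user owner is tested, then group membership, and otherwise the permissions of others apply. Only the first matching class counts, which is why the owner of a file with mode 070 gets no access even though the group has full rights. The owner lisa, group account and the users bob and eve with their group lists are constructed for this example.

```sh
# effective_class FILE_OWNER FILE_GROUP USER USER_GROUPS: the permission class that
# applies, tested in the order the text describes: "user" when USER owns the file,
# "group" when FILE_GROUP is one of USER's groups (primary and supplementary,
# space-separated), otherwise "other".
effective_class() {
    if [ "$3" = "$1" ]; then
        echo user
        return
    fi
    case " $4 " in
        *" $2 "*) echo group ;;
        *) echo other ;;
    esac
}

# effective_perms MODE FILE_OWNER FILE_GROUP USER USER_GROUPS: the rwx triplet USER
# gets on a file with octal MODE (e.g. 750).  Only the first matching class counts,
# so the owner of a mode-070 file gets "---" even though the group has rwx.
effective_perms() {
    class=$(effective_class "$2" "$3" "$4" "$5")
    case "$class" in
        user)  digit=$(( (0$1 >> 6) & 7 )) ;;
        group) digit=$(( (0$1 >> 3) & 7 )) ;;
        *)     digit=$(( 0$1 & 7 )) ;;
    esac
    r=-; w=-; x=-
    if [ $(( digit & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( digit & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( digit & 1 )) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# Constructed case: /home/account is owned by lisa:account with mode 750.
effective_perms 750 lisa account lisa 'lisa users'     # rwx (user owner)
effective_perms 750 lisa account bob  'bob account'    # r-x (group member)
effective_perms 750 lisa account eve  'eve users'      # --- (others)
```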

Q. What are file and directory permissions? How to change permissions. Explain chmod
command.

The three basic permissions allow you to read, write, and execute. The effect of these perm
issions is
different for files and directories.
Files
• The read permission gives you the right to open the file for reading.


• The write permission allows you to write to or modify that file.

• Execute permission is required to execute a file. It is never set by default, which makes Linux almost
completely immune to viruses.
Directory
• Read allows you to list the contents of that directory. This permission does not allow us to read files in
the directory.
• Write permission allows you to create and remove new subdirectories and files, but we need execute as
well to go down into the directory.
• Execute permission indicates that the user can use the cd command to go to that directory. This
permission is required to change to a particular directory or create files in that directory.

Applying Read, Write, and Execute Permissions:


• Use the chmod command to apply permissions.
• We can use this command in two modes: relative and absolute.
In the absolute mode, three digits are used to set the basic permissions.

• For example, if we want to set read, write, execute for the user, read and execute for the group, and
read and execute for others on the file /somefile, we would use the chmod command
• # chmod 755 /somefile
• When using chmod this way, all current permissions are replaced by the permissions you set.
• If we want to modify permissions relative to the current permissions, we can use chmod in relative mode.
• When using chmod in relative mode, you work with three indicators to specify what you want to do. First
you’ll specify for whom you want to change permissions. To do this, you can choose between user (u),
group (g), and others (o).
• Next you use an operator to add or remove permissions from the current mode or set them in an
absolute way.
• At the end, you use r, w, and x to specify the permissions you want to set.
• When changing permissions in relative mode, you may omit the “to whom” part to add or remove a
permission for all entities.
• For example, # chmod +x somefile would add the execute permission for all users.
• When working in relative mode, you may use more complex commands as well.
• For example: # chmod g+w,o-r somefile
• This command adds the write permission for the group and removes read for others.
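The absolute and relative chmod modes described above, run on a scratch file and read back with stat, as an added example that is not part of the original notes. It assumes GNU coreutils (stat -c) and a writable temporary directory; the file name somefile and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): absolute vs. relative chmod.
# Assumes GNU coreutils (stat -c '%a') and a writable temporary directory.

mode_of() {
    # Print the octal permission bits of a path, e.g. 755
    stat -c '%a' "$1"
}

chmod_demo() {
    # Run the sequence from the notes in a scratch directory and print the
    # mode after each step as one space-separated line.
    dir=$(mktemp -d)
    f="$dir/somefile"
    : > "$f"

    chmod 755 "$f"          # absolute: every bit replaced, result rwxr-xr-x
    m1=$(mode_of "$f")
    chmod +x "$f"           # relative, no "who": execute for everyone (already set here)
    m2=$(mode_of "$f")
    chmod g+w,o-r "$f"      # relative: add write for group, drop read for others
    m3=$(mode_of "$f")
    chmod 600 "$f"          # absolute again: the g+w from the previous step is gone
    m4=$(mode_of "$f")

    rm -rf "$dir"
    echo "$m1 $m2 $m3 $m4"
}
```

Running chmod_demo prints 755 755 771 600: the relative steps only touch the bits named, while the final absolute step throws away everything that was there before. One caveat for the "omit the to whom part" shortcut: when no u, g or o is given, bits that are set in the current umask are left alone, so under the usual umask of 022 a plain chmod +w adds write only for the owner; +x is unaffected because 022 masks no execute bits.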

Q. List and explain Advanced Permissions.

There are three advanced permissions.


1. set user ID (SUID) permission.
2. set group ID (SGID).
3. sticky bit.

• To apply SUID, SGID, and sticky bit, you can use the chmod command.
• SUID has numerical value 4, SGID has numerical value 2, and sticky bit has numerical value 1.
• If we want to apply these permissions, we need to add a four-digit argument to chmod.

set user ID (SUID) permission:


• SUID (Set owner User ID up) is a special type of file permissions given to a file.
• When a program runs, it inherits access permissions from the logged-in user. SUID is defined as giving
temporary permissions to a user to run a program/file with the permissions of the file owner rather than
the user who runs it.
• In simple words, users get the file owner's permissions as well as the owner's UID and GID when
executing a file/program/command.

• For example: a user needs to change their password. To do this, the user needs to write the new
password to the /etc/shadow file. But this file is not writable for users who don't have root permissions.
• The SUID permission is applied by default to /usr/bin/passwd.

• This means that when changing a password, the user temporarily has root permissions, which allow the
user to write to the /etc/shadow file.
• SUID can be set in two ways
1) Symbolic way (s, stands for Set)
2) Numerical/octal way (4)
Symbolic way:
• chmod u+s file1.txt
• Here owner permission execute bit is set to SUID with +s

Numerical way:
• chmod 4750 file1.txt
• Here in 4750, four indicates the SUID bit is set, seven gives full permissions for the owner, five gives read and
execute permissions for the group, and zero gives no permissions for others.

• Use ls -l to check whether the x in the owner permissions field is replaced by s or S.

set group ID (SGID):


• SGID (Set Group ID ) is a special type of file permissions given to a file/folder.
• When a program runs, it inherits access permissions from the logged-in user. SGID is defined as giving
temporary permissions to a user to run a program/file with the permissions of the file's group; the user
temporarily becomes a member of that group to execute the file.
• In simple words, users get the file group's permissions when executing a
folder/file/program/command.
SGID is similar to SUID. The difference between the two is that SUID assumes the permissions of the file's owner
and SGID assumes the group's permissions when executing a file, instead of the permissions inherited from the logged-in user.

• SGID can be set in two ways


1) Symbolic way (s)
2) Numerical/octal way (2, SGID bit has value 2)
Symbolic way:
• chmod g+s file1.txt
• setting SGID(+s) to group who owns this file.

Numerical way:
• chmod 2750 file1.txt
• Here in 2750, 2 indicates the SGID bit is set, 7 gives full permissions for the owner, 5 gives read and execute
permissions for the group, and 0 gives no permissions for others.

• Use ls -l to check whether the x in the group permissions field is replaced by s or S.

sticky bit:
• Sticky bit permission is used to protect files against accidental deletion in an environment where
multiple users have write permissions in the same directory. For this reason, it is applied as a default
permission to the /tmp directory, and it can be useful on shared group directories as well.

• Without sticky bit, if a user can create files in a directory, the user can also delete files from that directory. In
a shared group environment, this can be a problem.
• When applying sticky bit, a user can delete files only if either of the following is true:
• The user is owner of the file
• The user is owner of the directory where the file exists

• Sticky Bit can be set in two ways


• Symbolic way (t, represents sticky bit)
• Numerical/octal way (1, sticky bit has value 1)

Symbolic way:
• chmod o+t /myfolder/
• or
• chmod +t /myfolder
• Setting Sticky Bit(+t) to folder by using chmod command.

Numerical way:
• chmod 1757 /myfolder/
• Here in 1757, 1 indicates Sticky Bit set, 7 for full permissions for owner, 5 for read and execute
permissions for group, and full permissions for others.

• Use ls -l to check if the x in others permissions field is replaced by t or T.

Note: A capital S or T means the file/folder does not have the corresponding execute permission.
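The three special bits set both ways (numeric and symbolic) on scratch files and directories, then read back so the lowercase s/t versus uppercase S/T rule from the note above can be seen directly. This is an added example and not part of the original notes; it assumes GNU coreutils (stat -c '%A') and a temporary directory on a filesystem that stores these bits, and the file names are invented.

```shell
#!/bin/sh
# Added example (not from the original notes): SUID, SGID and sticky bit on
# scratch objects, read back as the permission string ls -l would show.
# Assumes GNU coreutils (stat -c '%A') and a writable temporary directory.

perm_string() {
    # Symbolic permission string as in ls -l, but without the trailing "."
    # or "+" that ls appends when a SELinux label or an ACL is present.
    stat -c '%A' "$1"
}

special_bits_demo() {
    dir=$(mktemp -d)

    : > "$dir/suid_exec"
    chmod 4750 "$dir/suid_exec"        # numeric: SUID + rwxr-x---, owner x becomes "s"
    p1=$(perm_string "$dir/suid_exec")

    : > "$dir/sgid_noexec"
    chmod 640 "$dir/sgid_noexec"
    chmod g+s "$dir/sgid_noexec"       # symbolic SGID on a file with no group execute: "S"
    p2=$(perm_string "$dir/sgid_noexec")

    mkdir "$dir/shared"
    chmod 1757 "$dir/shared"           # sticky directory, others have rwx: "t"
    p3=$(perm_string "$dir/shared")

    mkdir "$dir/shared_noexec"
    chmod 1756 "$dir/shared_noexec"    # sticky directory, others lack execute: "T"
    p4=$(perm_string "$dir/shared_noexec")

    rm -rf "$dir"
    echo "$p1 $p2 $p3 $p4"
}
```

special_bits_demo prints -rwsr-x--- -rw-r-S--- drwxr-xrwt drwxr-xrwT. The uppercase letters are the ones to look twice at on a real server: an S or T means the special bit is set but the matching execute bit is not, which is usually a mistake rather than an intended configuration. The same stat fields are what you would check when inventorying which binaries on a system carry SUID or SGID.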

Q. Explain Access Control Lists.

• Advanced permissionsdon’t allow us to give permissions to more than one user or one groupon the
same file. This feature is given by access control lists (ACLs).
• Drawback of ACL is all utilities doesn’t support it

Preparing Your File System for ACLs

• There are two ways to add file system support for ACLs. First, if you're using the Ext4 file
system, ACL support is added to all file systems that were created while installing the system.
• You can verify this is the case by using the dumpe2fs utility on the device you want to check.
• For example, use dumpe2fs /dev/sda1 to check whether ACLs are supported on the file system
on the device /dev/sda1.
• The Default mount options line shows the current default mount options for your file system.
• If your file system doesn’t offer support for permissions, you can use tune2fs to add support toit, or you
can use acl as a mount option in fstab to activate it on every mount. To add acl support by using
tune2fs, use the command tune2fs -o acl,user_xattr /dev/yourdevice.

• Another option is to put the acl option in fstab so that it is activated every time your system reboots. Just
make sure that in /etc/fstab, the fourth column reads acl,user_xattr.
Changing and Viewing ACL Settings with setfacl and getfacl
• To set ACLs, you need to use the setfacl command. To see your current ACL settings, you need to use
getfacl.

[root@hnl /]# getfacl /data
getfacl: Removing leading ‘/’ from absolute path names
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Changing group ACLs using setfacl:
[root@hnl /]# setfacl -m g:sales:rx /data
[root@hnl /]# getfacl /data
getfacl: Removing leading ‘/’ from absolute path names
# file: data
# owner: root
# group: root
user::rwx
group::r-x
group:sales:r-x
mask::r-x
other::r-x

Q. Setting Default Permissions with umask


• When creating a new file, some default permissions are set. These permissions are given by the umask
setting.
• This is a shell setting that is applied to all users when logging in to the system. The umask setting contains
a numeric value that is subtracted from the maximum permissions that can be set automatically to a file.
• The maximum setting for files is 666 and for directories is 777.
• In the umask, the first digit refers to the user (owner) permissions, the second digit refers to the group permissions, and
the last refers to the default permissions set for others.
• The default umask setting of 022 gives 644 for all new files and 755 for all new directories that are
created on your server.

• There are two ways to change the umask setting: one for all users and one for individual users.
• If we want to set the umask for all users, we must make sure the umask setting is entered in the configuration
file /etc/profile.
• Next, enter the umask setting in .profile, which is created in the home directory of an individual user. Settings
applied in this file are for the individual user only.
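How a umask value turns into the mode of a new file or directory, first computed digit by digit and then confirmed against real files created under that umask. This is an added example, not part of the original notes; it assumes GNU coreutils (stat -c '%a') and a writable temporary directory, and the function names are invented. The computation deliberately uses the kernel's bitwise rule rather than decimal subtraction, which gives the same answer for the usual values (022, 027) but not for every umask.

```shell
#!/bin/sh
# Added example (not from the original notes): umask arithmetic checked
# against files actually created under that umask.
# Assumes GNU coreutils (stat -c '%a') and a writable temporary directory.

umask_result() {
    # $1 = maximum mode (666 for files, 777 for directories), $2 = umask.
    # Each octal digit is handled on its own: the umask bits are cleared with
    # AND NOT, which is what the kernel does. For 022 and 027 this equals plain
    # subtraction; for a umask such as 011 it does not (666 stays 666).
    max=$1 mask=$2 out="" i=1
    while [ "$i" -le 3 ]; do
        m=$(printf '%s' "$max" | cut -c"$i")
        u=$(printf '%s' "$mask" | cut -c"$i")
        out="$out$(( m & ~u & 7 ))"
        i=$((i + 1))
    done
    echo "$out"
}

observed_modes() {
    # Create a file and a directory under umask $1 inside a subshell (so the
    # caller's umask is untouched) and print their real modes: "<file> <dir>".
    dir=$(mktemp -d)
    ( umask "$1" && : > "$dir/f" && mkdir "$dir/d" )
    printf '%s %s\n' "$(stat -c '%a' "$dir/f")" "$(stat -c '%a' "$dir/d")"
    rm -rf "$dir"
}
```

umask_result 666 022 gives 644 and umask_result 777 022 gives 755, matching the defaults quoted above, and observed_modes 022 prints "644 755" from real files. A hardened server profile often sets 027 or 077 instead: observed_modes 077 prints "600 700", so nothing a user creates is readable by anyone else until they decide to share it.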

Q. Explain Working with Attributes


Explain chattr command for Immutable (Unchangeable)
• chattr (change attribute) is a command-line Linux utility that is used to set/unset certain attributes
on a file in a Linux system to protect important files and folders from accidental deletion or modification,
even when you are logged in as the root user.
• Syntax: # chattr [operator] [flags] [filename]

Attributes and Flags

A This attribute ensures that the access time of the file is not modified. Normally, every time a file is
opened, the file access time is written to the file's metadata. This affects performance in a negative way.
Therefore, on files that are accessed on a regular basis, the A attribute is used to disable this feature.

a This attribute allows a file to be added to but not to be removed. The file can be opened in append mode only.

c If you are using a file system where volume-level compression is supported, this file attribute makes
sure that the file is compressed the first time the compression engine becomes active.

D This attribute makes sure that changes to files are written to disk immediately and not to cache first. This is a
useful attribute on important database files to make sure they don't get lost between the file cache and the hard
disk.

d This attribute makes sure the file is not backed up in backups where the dump utility is used.

I This attribute enables indexing for the directory where it is enabled. It allows faster file access for primitive
file systems.

i This attribute makes the file immutable. This means that no changes can be made to the file, which is
useful for files that need a bit of extra protection.

j This attribute ensures that, on an ext3 file system, the file is first written to the journal and only after
that to the data blocks on the hard drive.

s This attribute overwrites the blocks where the file was stored with zeros after the file has been
deleted. It makes sure that recovery of the file is not possible after it has been deleted.

u When a file with the u attribute is deleted, its data is saved. This enables the user to ask for its undeletion.

Operator

1. + : Adds the attribute to the existing attributes of the files.

2. - : Removes the attribute from the existing attributes of the files.

3. = : Keeps the existing attributes that the files have.

1. Add attributes on files to secure from deletion (immutable)

Step 1: Create a folder demo and a file abc.txt, and verify their attributes using the ls command.

# ls -l
drwxr-xr-x. 2 root root 6 Aug 31 18:02 demo
-rwxrwxrwx. 1 root root 0 Aug 31 17:42 abc.txt

Step 2: Set the immutable bit on the files with the +i flag to prevent anyone from deleting them; even the root
user does not have permission to delete them.

# chattr +i demo/
# chattr +i abc.txt

Step 3: Verify the immutable attribute using the lsattr command.

# lsattr
----i----------- ./demo
----i----------- ./abc.txt

Step 4: Now try to delete forcefully, rename, or change the permissions; none of these is allowed, and each
fails with “Operation not permitted”.

# rm -rf demo/
rm: cannot remove ‘demo/’: Operation not permitted
# mv demo/ demo_alter
mv: cannot move ‘demo/’ to ‘demo_alter’: Operation not permitted
# chmod 755 abc.txt
chmod: changing permissions of ‘abc.txt’: Operation not permitted

2. unset attribute on Files

Step 1: Reset (unset) the attribute to make the files changeable or alterable again using the -i flag.

# chattr -i demo/ abc.txt

Step 2: After resetting permissions, verify the immutable status of files using ‘lsattr‘ command.

# lsattr

---------------- ./demo

---------------- ./abc.txt

Step 3: Now we can delete the folders.

# rm -rf demo
# ls -l
total 0
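The lsattr checks in the steps above scale up to an audit: a short filter over lsattr output that lists every file carrying the immutable (i) or append-only (a) attribute, so unexpected flags on system files or log files stand out during a review. This is an added example, not part of the original notes; the lsattr output it parses is constructed for the example, and the function names are invented.

```shell
#!/bin/sh
# Added example (not from the original notes): report files flagged immutable
# or append-only in lsattr output. SAMPLE_LSATTR is constructed sample data;
# on a real system pipe "lsattr -R <dir> 2>/dev/null" into report_protected.

# Constructed lsattr -R style output: flag string, then path. Recursive
# lsattr also prints "<dir>:" header lines and blank lines, included here.
SAMPLE_LSATTR='/etc:
--------------e------- /etc/hosts
----i---------e------- /etc/resolv.conf

/var/log/audit:
-----a--------e------- /var/log/audit/audit.log
--------------e------- /var/log/audit/audit.log.1'

report_protected() {
    # Read lsattr lines on stdin; print "<kind> <path>" for every entry whose
    # flag field contains i (immutable) or a (append-only). Lowercase matters:
    # uppercase I is the directory-index flag, uppercase A the no-atime flag.
    # Paths containing spaces are not handled, which is fine for a quick audit.
    while read -r flags path; do
        case $flags in
            ""|*[!a-zA-Z-]*) continue ;;   # blank line or "<dir>:" header, not a flag field
        esac
        case $flags in
            *i*) echo "immutable $path" ;;
            *a*) echo "append-only $path" ;;
        esac
    done
}

audit_sample() {
    # Run the filter over the constructed sample.
    printf '%s\n' "$SAMPLE_LSATTR" | report_protected
}
```

audit_sample prints two lines: immutable /etc/resolv.conf and append-only /var/log/audit/audit.log. Comparing such a listing against what the server is supposed to have is a cheap integrity check: +i on a file nobody documented, or a log file that has lost its +a, is worth a closer look, and because these attributes survive ordinary permission changes they are easy to miss in an ls -l based review.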
