Linux Professional Institute

Linux & LPIC

Quick Reference Guide

2nd ed. 2014-09

Foreword
This guide stems from the notes I have been taking while working with Linux and preparing the LPIC-1 and LPIC-2
certifications. As such, it includes quite a good amount of topics for these exams, some subjects in more details than others.
I started writing this guide in 2013 and it is my aim to update and integrate it periodically. Please check the edition number
and date at the bottom of any page to ensure you're reading the latest release.

This guide is an independent publication and is not affiliated with, authorized by, sponsored by, or otherwise approved by the
Linux Professional Institute. You can use and share this guide both in its electronic or in its printed form, provided that you
distribute intact the whole guide (or the single pages) and you do it not-for-profit. For any other use please email me. Feel
free also to contact me for any error, inaccuracy, or unclear point so I can correct it in future editions.

Happy Linux hacking,

Daniele Raffo

Suggested readings
● Adam Haeder et al., LPI Linux Certification in a Nutshell, O'Reilly
● Evi Nemeth et al., UNIX and Linux System Administration Handbook, O'Reilly
● Heinrich W. Klöpping et al., The LPIC-2 Exam Prep, http://lpic2.unix.nl/
● Mendel Cooper, Advanced Bash-Scripting Guide, http://tldp.org/LDP/abs/html/
● http://www.gnu.org/manual/
● http://www.commandlinefu.com/
● Linux man pages

Index
LVM................................................1
System boot....................................2
SysV startup sequence.....................3
Runlevels........................................4
Init scripts......................................5
/etc/inittab......................................6
Filesystem hierarchy.........................7
Partitions........................................8
Swap..............................................9
/etc/fstab......................................10
Filesystem operations.....................11
Filesystem maintenance..................12
XFS, ReiserFS and CD-ROM fs..........13
AutoFS..........................................14
RAID............................................15
Bootloader....................................16
GRUB configuration........................17
GRUB commands...........................18
Package management.....................19
Backup.........................................20
Command line...............................21
Text filters.....................................22
File management...........................23
I/O streams...................................24
Processes......................................25
Signals.........................................26
Resource monitoring.......................27
Regexs.........................................28
File permissions.............................29
Links............................................30
Find system files............................31
Shell environment..........................32
Scripting.......................................33
Flow control...................................34
SQL..............................................35
X Window System..........................36
User accounts................................37
User management..........................38
User privileges...............................39
User messaging.............................40
Job scheduling...............................41
Localization...................................42
System time..................................43
Syslog..........................................44
E-mail...........................................45
SMTP............................................46
Sendmail & Exim............................47
Postfix..........................................48
Postfix configuration.......................49
Procmail........................................50
Courier POP configuration................51
Courier IMAP configuration..............52
Dovecot login.................................53
Dovecot mailboxes.........................54
Dovecot IMAP & POP.......................55
Dovecot authentication...................56
FTP..............................................57
CUPS............................................58
Network addressing........................59
Subnetting....................................60
Network services............................61
Network commands........................62
Network tools................................63
Network monitoring........................64
Network configuration.....................65
TCP Wrapper..................................66
Routing.........................................67
iptables.........................................68
NAT routing...................................69
SSH..............................................70
SSH configuration...........................71
GnuPG..........................................72
OpenVPN.......................................73
Key bindings..................................74
udev.............................................75
Kernel...........................................76
Kernel management.......................77
Kernel compile and patching............78
Kernel modules..............................79
/proc filesystem.............................80
System recovery............................81
DNS.............................................82
DNS configuration..........................83
DNS zone file.................................84
Apache.........................................85
Apache configuration......................86
Apache virtual hosts.......................87
Apache directory protection.............88
HTTPS..........................................89
Apache SSL/TLS configuration..........90
OpenSSL.......................................91
CA.pl............................................92
Samba..........................................93
Samba configuration.......................94
Samba shares................................95
Samba macros...............................96
NFS..............................................97
/etc/exports..................................98
DHCP............................................99
PAM............................................100
LDAP..........................................101
OpenLDAP...................................102
 1/102 LVM
LVM
Logical Volume Management (LVM) introduces an abstraction between physical and logical storage that permits a more
versatile use of filesystems.
LVM makes use of the Linux device mapper feature (/dev/mapper).

Disks, partitions, and RAID devices are made of Physical Volumes, which are grouped into a Volume Group.
A Volume Group is divided into small fixed-size chunks called Physical Extents.
Physical Extents are mapped one-to-one to Logical Extents.
Logical Extents are grouped into Logical Volumes, on which filesystems are created.

How to create a Logical Volume

1. pvcreate /dev/hda2 /dev/hdb5 Initialize one or more Physical Volumes to be used
with LVM. Devices must be of partition type 0x8E
2. vgcreate -s 8M myvg0 /dev/hda2 /dev/hdb5 Create a Volume Group and define the size of Physical
Extents e.g. to 8 Mb (4 Mb by default)
3. lvcreate -L 1024M -n mydata myvg0 Create a Logical Volume
4. mkfs -t ext3 /dev/myvg0/mydata Create a filesystem on the Logical Volume
5. mount /dev/myvg0/mydata /mydata The Logical Volume can now be mounted and used

How to extend a Logical Volume

1. vgextend myvg0 /dev/hdc Extend the Volume Group
2. lvextend -L 2048M /dev/myvg0/mydata Extend the Logical Volume
3. resize2fs /dev/myvg0/mydata Extend the filesystem
How to reduce a Logical Volume
1. resize2fs /dev/myvg0/mydata 900M Shrink the filesystem
2. lvreduce -L 900M /dev/myvg0/mydata Shrink the Logical Volume
Note: extension/shrinking of a Logical Volume are possible only if the underlying filesystem permits it.

How to snapshot and backup a Logical Volume

1. lvcreate -s -L 1024M -n snapshot0 /dev/myvg0/mydata Create the snapshot just like another Logical Volume
2. tar cvzf snapshot0.tar.gz snapshot0 Backup the snapshot with any backup tool
3. lvremove /dev/mvvg0/snapshot0 Delete the snapshot

pvs Report information about Physical Volumes lvs Report information about Logical Volumes
pvck Check Physical Volume metadata lvchange Change Logical Volume attributes
pvdisplay Display Physical Volume attributes lvscan Scan all disks for Logical Volumes
pvscan Scan all disks for Physical Volumes
pvremove Remove a Physical Volume
pvmove Move the Logical Extents on a Physical
Volume to wherever there are available
Physical Extents (within the Volume Group)
and then put the Physical Volume offline
vgs Report information about Volume Groups
vgck Check Volume Group metadata
vgmerge Merge two Volume Groups
vgimport Import a Volume Group into a system
vgexport Export a Volume Group from a system
vgchange Change Volume Group attributes

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 2/102 System boot
System boot

Boot sequence
POST
Low-level check of PC hardware.
(Power-On Self Test)
BIOS
Detection of disks and hardware.
(Basic I/O System)
GRUB stage 1 is loaded from the MBR and executes GRUB stage 2 from filesystem.
GRUB chooses which OS to boot on.
The chain loader hands over to the boot sector of the partition on which resides the OS.
Chain loader The chain loader also mounts initrd, an initial ramdisk (typically a compressed ext2
GRUB
filesystem) to be used as the initial root device during kernel boot; this make possible to
(GRand Unified
load kernel modules that recognize hard drives hardware and that are hence needed to
Bootloader)
mount the real root filesystem. Afterwards, the system runs /linuxrc with PID 1.
(From Linux 2.6.13 onwards, the system instead loads into memory initramfs, a cpio-
compressed image, and unpacks it into an instance of tmpfs in RAM. The kernel then
executes /init from within the image.)
Kernel decompression into memory.

Kernel execution.
Linux kernel
Detection of devices.

The real root filesystem is mounted on / in place of the initial ramdisk.

Execution of init, the first process (PID 1).
The system tries to execute in the following order:
/sbin/init
init /etc/init
/bin/init
/bin/sh
If none of these succeeds, the kernel will panic.
Startup The system loads startup scripts and runlevel scripts.
X Server (Optional) The X Display Manager starts the X Server.

Some newer systems use UEFI (Unified Extensible Firmware Interface). UEFI does not use the MBR boot code; it has
knowledge of partition table and filesystems, and stores its application files required for launch in a EFI System Partition,
mostly formatted as FAT32.
After the POST, the system loads the UEFI firmware which initializes the hardware required for booting, then reads its Boot
Manager data to determine which UEFI application to launch. The launched UEFI application may then launch another
application, e.g. the kernel and initramfs in case of a boot loader like the GRUB.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 3/102 SysV startup sequence
SysV startup sequence

OS startup sequence (SysV) Debian Red Hat

At startup /sbin/init executes all id:2:initdefault: id:5:initdefault:
instructions on /etc/inittab . This script
at first switches to the default runlevel...
... then it runs the following script (same for /etc/init.d/rcS /etc/rc.d/rc.sysinit or
all runlevels) which configures peripheral /etc/rc.sysinit
hardware, applies kernel parameters, sets
hostname, and provides disks initialization...
... and then, for runlevel N, it calls the script /etc/rcN.d/ /etc/rc.d/rcN.d/
/etc/init.d/rc N (i.e. with the runlevel
number as parameter) which launches all
services and daemons specified in the
following startup directories:
The startup directories contain symlinks to the init scripts in /etc/init.d/ which are executed in numerical order.
Links starting with K are called with argument stop, links starting with S are called with argument start.

lrwxrwxrwx. 1 root root 14 Feb 11 22:32 K88sssd -> ../init.d/sssd

lrwxrwxrwx. 1 root root 15 Nov 28 14:50 K89rdisc -> ../init.d/rdisc
lrwxrwxrwx. 1 root root 17 Nov 28 15:01 S01sysstat -> ../init.d/sysstat
lrwxrwxrwx. 1 root root 18 Nov 28 14:54 S05cgconfig -> ../init.d/cgconfig
lrwxrwxrwx. 1 root root 16 Nov 28 14:52 S07iscsid -> ../init.d/iscsid
lrwxrwxrwx. 1 root root 18 Nov 28 14:42 S08iptables -> ../init.d/iptables

The last script to be run is S99local -> ../init.d/rc.local ; therefore, an easy way to run a specific program on
boot is to add it to this script file.
/etc/init.d/boot.local runs only at boot time, not when switching runlevel.
/etc/init.d/before.local (SUSE) runs only at boot time, before the scripts in the startup directories.
/etc/init.d/after.local (SUSE) runs only at boot time, after the scripts in the startup directories.
To add or remove services at boot sequence: update-rc.d service defaults chkconfig --add service
update-rc.d -f service remove chkconfig --del service

Parameters supported by the init scripts

start Start the service
stop Stop the service
restart Restart the service (stop, then start)
Mandatory
status Display daemon PID and execution status

force-reload Reload configuration if the service supports this option,

otherwise restart the service
condrestart
try-restart Restart the service only if already running
Optional
reload Reload service configuration

/etc/init.d/service start
service service start (Red Hat) Start a service
rcservice start (SUSE)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 4/102 Runlevels
Runlevels

Runlevel Debian Red Hat

0 Shutdown
1 Single user / maintenance mode
Multi-user mode Multi-user mode without network
2
(default)
3 Multi-user mode Multi-user mode with network
4 Multi-user mode Unused, for custom use
Multi-user mode Multi-user mode with network and X
5
(default)
6 Reboot
S Single user / maintenance mode
(usually accessed through runlevel 1)

The default runlevels are 2 3 4 5

runlevel
who -r Display the previous and the current runlevel

init runlevel
telinit runlevel Change runlevel

init 0
telinit 0
shutdown -h now Halt the system
halt
poweroff

init 6
telinit 6
shutdown -r now Reboot the system
reboot

shutdown Shut down the system in a secure way: all logged in users are notified via a
message to their terminal, and login is disabled.
This command can be run only by the root user and by those users (if any) listed in
/etc/shutdown.allow
shutdown -h 16:00 message Schedule a shutdown for 4 PM and send a warning message to all logged in users
shutdown -a Non-root users that are listed in /etc/shutdown.allow can use this command to
shut down the system
shutdown -f Skip fsck on reboot
shutdown -F Force fsck on reboot
shutdown -c Cancel an already running shutdown

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 5/102
update-rc.d service defaults
chkconfig --add service
update-rc.d -f service remove
chkconfig --del service
update-rc.d -f service \
start 30 2 3 4 5 . stop 70 0 1 6 .
chkconfig --levels 245 service on
chkconfig service on
chkconfig service off
chkconfig service reset
chkconfig service resetpriorities
chkconfig --list service
chkconfig --list
*
The Linux Standard Base (LSB) defines a format to specify the default values on an init script /etc/init.d/foo :
### BEGIN INIT INFO
# Provides: foo
# Required-Start: bar
# Defalt-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Service Foo init script
### END INIT INFO
Default runlevels and S/K symlinks values can be also specified as such:
# chkconfig: 2345 85 15
# description: Foo service
Linux & LPIC Quick Reference Guide
Init scripts
Init scripts
(Debian) Startup directories will be updated
Add a service at boot
(Red Hat) by creating or deleting symlinks for
the default runlevels:
(Debian) K symlinks for runlevels 0 1 6
Remove a service at boot
(Red Hat) S symlinks for runlevels 2 3 4 5
Add a service on the default runlevels; create S30 symlinks for starting
the service and K70 symlinks for stopping it
Start the service on runlevels 2 4 5
Start the service on default runlevels (via the xinetd super server)
Stop the service on default runlevels
Reset the on/off state of the service for all runlevels to whatever is
specified in the init script *
Reset the start/stop priorities of the service for all runlevels to
whatever is specified in the init script *
Display current configuration of service (its status and the runlevels in
which it is active)
List all active services and their current configuration
2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 6/102 /etc/inittab
/etc/inittab
/etc/inittab
# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.

# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.

~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change of runlevel.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fall through in case of emergency.
z6:6:respawn:/sbin/sulogin

# /sbin/getty invocations for the runlevels.

# Id field must be the same as the last characters of the device (after "tty").
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2

/etc/inittab describes which processes are started at bootup and during normal operation; it is read and executed by
init at bootup.
All its entries have the form id:runlevels:action:process
1-4 characters, uniquely identifies an entry.
id
For gettys and other login processes it should be equal to the suffix of the corresponding tty
Runlevels for which the specified action must be performed.
runlevels
If empty, action is performed on all runlevels
respawn Process will be restarted when it terminates
Process is started at the specified runlevel and init will wait for its termination
wait
(i.e. execution of further lines of /etc/inittab stops until the process exits)
once Process is executed once at the specified runlevel
boot Process is executed at system boot. Runlevels field is ignored
Process is executed at system boot and init will wait for its termination.
bootwait
Runlevels field is ignored
off Does nothing
ondemand Process is executed when an on-demand runlevel (A, B, C) is called
initdefault Specifies the default runlevel to boot on. Process field is ignored
action
Process is executed at system boot, before any boot or bootwait entries.
sysinit
Runlevels field is ignored
Process is executed when power goes down and an UPS kicks in.
powerfail
init will not wait for its termination
Process is executed when power goes down and an UPS kicks in.
powerwait
init will wait for its termination
powerfailnow Process is executed when power is down and the UPS battery is almost empty
powerokwait Process is executed when power has been restored from UPS
ctrlaltdel Process is executed when init receives a SIGINT via CTRL ALT DEL

kbdrequest Process is executed when a special key combination is pressed on console

process Process to execute. If prepended by a +, utmp and wtmp accounting will not be done

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 7/102 Filesystem hierarchy
Filesystem hierarchy

Filesystem Hierarchy Standard (FHS)

/bin Essential command binaries
/boot Bootloader files (e.g. OS loader, kernel image, initrd)
/dev Devices and partitions
/etc System configuration files and scripts
/home Home directories for users
/lib Libraries for the binaries in /bin and /sbin, kernel modules
/lost+found Storage directory for recovered files in the partition
/media Mount points for removable media
/mnt Mount points for temporary filesystems
/net Access to directory tree on different external NFS servers
/opt Optional, large add-on application software packages
/proc Virtual filesystem providing kernel and processes information
/root Home directory for the root user
/sbin Essential system binaries, system administration commands
/srv Data for services provided by the system
/tmp Temporary files
/usr User utilities and applications
/usr/bin Non-essential command binaries (for all users)
/usr/lib Libraries for the binaries in /usr/bin and /usr/sbin
/usr/sbin Non-essential system binaries (daemons and services)
/usr/src Source code
/var Variable files (e.g. logs, caches, mail spools)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 8/102
/dev/hda, /dev/hdb, /dev/hdc
/dev/sda, /dev/sdb, /dev/sdc
/dev/sda1, /dev/sda2, /dev/sda3
Partitions
Partitions
first, second, third IDE hard drive
first, second, third SATA hard drive
first, second, third partition of the first SATA drive

Partitioning limits for Linux:

Max 4 primary partitions per hard disk, or 3 primary partitions + 1 extended partition Partition numbers: 1-4
Max 11 logical partitions (inside the extended partition) per hard disk Partition numbers: 5-15

The superblock contains information relative to the filesystem: e.g. filesystem type, size, status, metadata structures.
The Master Boot Record (MBR) is a 512-byte program located in the first sector of the hard disk; it contains information
about hard disk partitions and has the duty of loading the OS.
Most modern filesystems use journaling; in a journaling filesystem, the journal logs changes before committing them to the
filesystem, which ensures faster recovery and less corruption in case of a crash.

fdisk /dev/sda Disk partitioning interactive tool

cfdisk Text-based UI fdisk
gparted GUI fdisk
fdisk -l /dev/sda List the partition table of /dev/sda
partprobe After fdisk operations, this command must be run to notify the OS of partition table
changes. Otherwise, these changes will take place only after reboot

mkfs -t fstype device Create a filesystem of the specified type on a partition (i.e. format the partition).
mkfs is a wrapper utility for the actual filesystem-specific maker commands:
mkfs.ext2 mke2fs
mkfs.ext3 mke3fs
mkfs.ext4
mkfs.msdos mkdosfs
mkfs.reiserfs mkreiserfs
mkfs.jfs
mkfs.xfs
mkfs -t ext2 /dev/sda Create a ext2 filesystem on /dev/sda
mkfs.ext2 /dev/sda
mke2fs /dev/sda
mke2fs -j /dev/sda Create a ext3 filesystem (ext2 with journaling) on /dev/sda
mkfs.ext3 /dev/sda
mke3fs /dev/sda
mkfs -t msdos /dev/sda Create a MS-DOS filesystem on /dev/sda
mkfs.msdos /dev/sda
mkdosfs /dev/sda

mount Display the currently mounted filesystems.

cat /etc/mtab mount and umount maintain in /etc/mtab a database of currently mounted
cat /proc/mounts filesystems, but /proc/mounts is authoritative
mount -a Mount all devices listed in /etc/fstab (except those indicated as noauto)
mount -t msdos /dev/fd0 /mnt Mount a MS-DOS filesystem floppy disk to mount point /mnt (this directory must exist)
mount /dev/fd0 Mount a floppy disk; /etc/fstab must contain an entry for /dev/fd0
umount /dev/fd0 Unmount a floppy disk that was mounted on /mnt (must not be busy to unmount)
umount /mnt
umount -l /dev/fd0 Unmount the floppy disk as soon as it is not in use anymore
mount -o remount,rw / Remount the root directory as read-write (supposing it was mounted read-only).
Used to change flags (in this case, read-only to read-write) for a mounted filesystem
that cannot be unmounted at the moment
mount -o nolock 10.7.7.7:/export/ /mnt/nfs Mount a NFS share without running the NFS daemons.
Useful during system recovery
mount -t iso9660 -o ro,loop=/dev/loop0 cd.img /mnt/cdrom Mount a CD-ROM ISO9660 image file like a CD-ROM

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 9/102 Swap
Swap
In Linux, the swap space is a virtual memory area (a file or a partition) used as RAM extension. Usually a partition is
preferred because of better performances concerning fragmentation and disk speed. Although listed as filesystem type
0x82, the swap partition is not a filesystem but a raw addressable memory with no structure.

fdisk The fdisk tool can be used to create a swap partition

dd if=/dev/zero of=/swapfile bs=1024 count=512000 Create a 512-Mb swap file

mkswap /swapfile Initialize a (already created) swap file or partition

swapon /swapfile Enable a swap file or partition, thus telling the kernel that it can use it now
swapoff /swapfile Disable a swap file or partition

swapon -s Any of these commands can be used to show the sizes of total and used swap areas
cat /proc/swaps
cat /proc/meminfo
free
top

Most used Linux-supported filesystems

Filesystem Properties Partition type
ext2 Linux default filesystem, offering the best performances 0x83
ext3 ext2 with journaling
ext4 Linux journaling filesystem, upgrade from ext3
Reiserfs Journaling filesystem
XFS Journaling filesystem, developed by SGI
JFS Journaling filesystem, developed by IBM
Btrfs B-tree filesystem, developed by Oracle
msdos DOS filesystem, supporting only 8-char filenames
umsdos Extended DOS filesystem used by Linux, compatible with DOS
fat32 MS-Windows FAT filesystem
vfat Extended DOS filesystem, with support for long filenames
ntfs Replacement for fat32 and vfat filesystems
minix Native filesystem of the MINIX OS
iso9660 CD-ROM filesystem
cramfs Compressed RAM disk
nfs Network filesystem, used to access files on remote machines
SMB Server Message Block, used to mount Windows network shares
proc Pseudo filesystem, used as an interface to kernel data structures
swap Pseudo filesystem, Linux swap area 0x82

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 10/102 /etc/fstab
/etc/fstab

/etc/fstab – Information about filesystems

# <filesystem> <mount point> <type> <options> <dump> <pass>

/dev/sda2 / ext2 defaults 1 1

/dev/sdb1 /home ext2 defaults 1 2
/dev/cdrom /media/cdrom auto ro,noauto,user,exec 0 0
/dev/fd0 /media/floppy auto rw,noauto,user,sync 0 0
proc /proc proc defaults 0 0
/dev/hda1 swap swap pri=42 0 0
nfsserver:/dirs /mnt nfs intr 0 0
//smbserver/jdoe /shares/jdoe cifs auto,credentials=/etc/smbcreds 0 0
LABEL=/boot /boot ext2 defaults 0 0
UUID=652b786e-b87f-49d2-af23-8087ced0c667 /test ext4 errors=remount-ro,noatime 0 0
Device or partition. The filesystem can be identified either by its name, its label, or its UUID (Universal
filesystem
Unique Identifier) which is a 128-bit hash number that is associated to the partition at its initialization
mount point Directory on which the partition must be mounted
type Filesystem type, or auto if detected automatically
defaults Use the default options: rw, suid, dev, exec, auto, nouser, async
ro Mount read-only
rw Mount read-write
suid Permit SUID and SGID bit operations
nosuid Do not permit SUID and SGID bit operations
dev Interpret block special devices on the filesystem
nodev Do not interpret block special devices on the filesystem
auto Mount automatically at bootup, or when the command mount -a is given
noauto Mount only if explicitly demanded
user Partition can be mounted by any user
nouser Partition can be mounted only by the root user
exec Binaries contained on the partition can be executed
noexec Binaries contained on the partition cannot be executed
sync Write files immediately to the partition
options
async Buffer write operations and commit them later, or when device is unmounted
rsize=nnn NFS: Size for read transfers (from server to client)
wsize=nnn NFS: Size for write transfers (from client to server)
nfsvers=n NFS: Version of NFS to use for transport
retry=n NFS: Time to keep retrying a mount attempt before giving up, in minutes
timeo=n NFS: Time after a mount attempt times out, in tenths of a second
intr NFS: User can interrupt a mount attempt
nointr NFS: User cannot interrupt a mount attempt (default)
hard NFS: The system will try a mount indefinitely (default)
soft NFS: The system will try a mount until an RPC timeout occurs
bg NFS: The system will try a mount in the foreground, all retries occur in the background
fg NFS: All mount attempts occur in the foreground (default)
tcp NFS: Connect using TCP
udp NFS: Connect using UDP
Dump (backup utility) options.
dump
0 = do not backup
Fsck (filesystem check utility) options.
pass
Defines in which order the filesystems should be checked; 0 = do not check

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 11/102 Filesystem operations
Filesystem operations
df Report filesystem disk space usage
df -h Report filesystem disk space usage in human-readable output

sync Flush the buffer and commit all pending writes.

To improve performance of Linux filesystems, many write operations are buffered in RAM and
written at once; writes are done in any case before unmount, reboot, or shutdown

chroot /mnt/sysimage Start a shell with /mnt/sysimage as filesystem root.

Useful during system recovery when the machine has been booted from a removable media
(which hence is defined as the filesystem root)

mknod /dev/sda Creates a directory allocating the proper inode.

Useful during system recovery when experiencing filesystem problems

blkid -U 652b786e-b87f-49d2-af23-8087ced0c667 Print the name of the specified partition, given its UUID
blkid -L /boot Print the UUID of the specified partition, given its label

findfs UUID=652b786e-b87f-49d2-af23-8087ced0c667 Print the name of the specified partition, given its UUID
findfs LABEL=/boot Print the name of the specified partition, given its label

e2label /dev/sda1 Print the label of the specified partition, given its name

hdparm Get/set drive parameters for SATA/IDE devices

hdparm -g /dev/hda Display drive geometry (cylinders, heads, sectors) of /dev/hda
hdparm -i /dev/hda Display identification information for /dev/hda
hdparm -tT /dev/hda Perform benchmarks on the /dev/hda drive
hdparm -p 12 /dev/hda Reprogram IDE interface chipset of /dev/hda to mode 4. Use with caution!

sdparm Access drive parameters for SCSI devices

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 12/102 Filesystem maintenance
Filesystem maintenance
fsck device Check and repair a Linux filesystem (which must be unmounted).
Corrupted files will be placed into the /lost+found of the partition.
The exit code returned is the sum of the following conditions:
0 No errors 8 Operational error
1 File system errors corrected 16 Usage or syntax error
2 System should be rebooted 32 Fsck canceled by user
4 File system errors left uncorrected 128 Shared library error
fsck is a wrapper utility for actual filesystem-specific checker commands:
fsck.ext2 e2fsck
fsck.ext3
fsck.ext4
fsck.msdos
fsck.vfat
fsck.cramfs
fsck Check and repair serially all filesystems listed in /etc/fstab
fsck -As
fsck -f /dev/sda1 Force a filesystem check on /dev/sda1 even if it thinks is not necessary
fsck -y /dev/sda1 During filesystem repair, do not ask questions and assume that the
answer is always yes
fsck.ext2 -c /dev/sda1 Check a ext2 filesystem, running the badblocks command to mark all
e2fsck -c /dev/sda1 bad blocks and add them to the bad block inode to prevent them from
being allocated to files or directories

tune2fs [options] device Adjust tunable filesystem parameters on ext2/ext3/ext4 filesystems

tune2fs -j /dev/sda1 Add a journal to this ext2 filesystem, making it a ext3
tune2fs -C 4 /dev/sda1 Set the mount count of the filesystem to 4
tune2fs -c 20 /dev/sda1 Set the filesystem to be checked by fsck after 20 mounts
tune2fs -i 15d /dev/sda1 Set the filesystem to be checked by fsck each 15 days
Both mount-count-dependent and time-dependent checking are enabled by default for all hard drives on Linux, to avoid the
risk of filesystem corruption going unnoticed.

dumpe2fs [options] device Dump ext2/ext3/ext4 filesystem information

dumpe2fs -h /dev/sda1 Display filesystem's superblock information (number of mounts, last
checks, UUID, ...)
dumpe2fs /dev/sda1 | grep -i superblock Display locations of superblock (primary and backup) of filesystem
dumpe2fs -b /dev/sda1 Display blocks that are marked as bad in the filesystem

debugfs device Interactive ext2/ext3/ext4 filesystem debugger

debugfs -w /dev/sda1 Debug /dev/sda1 in read-write mode
(by default, debugfs accesses the device in read-only mode)

Most hard drives feature the Self-Monitoring, Analysis and Reporting Technology (SMART) whose purpose is to monitor the
reliability of the drive, predict drive failures, and carry out different types of drive self-tests.
The smartd daemon attempts to poll this information from all drives every 30 minutes, logging all data to syslog.
smartctl -a /dev/sda Print SMART information for drive /dev/sda
smartctl -s off /dev/sda Disable SMART monitoring and log collection for drive /dev/sda
smartctl -t long /dev/sda Begin an extended SMART self-test on drive /dev/sda

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 13/102
xfs_growfs [options] mountpoint
xfs_info /dev/sda1
xfs_growfs -n /dev/sda1
xfs_check [options] device
xfs_repair [options] device
xfsdump -v silent -f /dev/tape /
xfsrestore -f /dev/tape /
xfsdump -J - / | xfsrestore -J - /new
reiserfstune [options] device
debugreiserfs device
mkisofs -r -o cdrom.img data/
Filesystem
ISO9660
UDF (Universal Disk Format)
HFS (Hierarchical File System)
Rock Ridge Contains the original file information (e.g. permissions, filename) for MS Windows 8.3 filenames
MS Joliet Used to create more MS Windows friendly CD-ROMs
El Torito Used to create bootable CD-ROMs
Linux & LPIC Quick Reference Guide
XFS, ReiserFS and CD-ROM fs
XFS, ReiserFS and CD-ROM fs
Expand an XFS filesystem (there must be at least one spare new disk
partition available)
Print XFS filesystem geometry
Check XFS filesystem consistency
Repair a damaged or corrupt XFS filesystem
Dump the root of a XFS filesystem to tape, with lowest level of verbosity.
Incremental and resumed dumps are stored in the inventory database
/var/lib/xfsdump/inventory
Restore a XFS filesystem from tape
Copy the contents of a XFS filesystem to another directory (without
updating the inventory database)
Adjust tunable filesystem parameters on ReiserFS filesystem
Interactive ReiserFS filesystem debugger
Create a CD-ROM image from the contents of the target directory.
Enable Rock Ridge extension and set all content on CD to be public
readable (instead of inheriting the permissions from the original files)
CD-ROM filesystems
Commands
mkisofs Create a ISO9660 filesystem
mkudffs Create a UDF filesystem
udffsck Check a UDF filesystem
wrudf Maintain a UDF filesystem
cdrwtool Manage CD-RW drives (disk format, read/write speed, ...)
CD-ROM filesystem extensions
2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 14/102 AutoFS
AutoFS
AutoFS permits automounting of filesystems, even for nonprivileged users.
AutoFS is composed of the autofs kernel module that monitors specific directories for attempts to access them, and in this
case signals the automount userspace daemon which mounts the directory when it needs to be accessed and unmounts it
when no longer accessed.

/etc/auto.master Primary configuration file for AutoFS.

Each line is an indirect map; each map file stores the configuration for subdirs automounting

# mount point map options

/misc /etc/auto.misc
/home /etc/auto.home --timeout=60

/etc/auto.misc Configuration file for automounting of directory /misc .

# subdir options filesystem

public -ro,soft,intr ftp.example.org:/pub
cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

/etc/auto.home Configuration file for automounting of directory /home .

The * wildcard matches any subdir the system attepts to access, and the & variable takes
the value of the match

# subdir options filesystem

* -rw,soft,intr nfsserver.example.org:/home/&

The /net/nfsserver/ tree allows nonprivileged users to automatically access any nfsserver.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 15/102 RAID
RAID

RAID levels
Level Description Storage capacity
RAID 0 Striping (data is written across all member disks). Sum of the capacity of member disks
High I/O but no redundancy
RAID 1 Mirroring (data is mirrored on all disks). Capacity of the smaller member disk
High redundancy but high cost
RAID 4 Parity on a single disk. Sum of the capacity of member disks,
I/O bottleneck unless coupled to write-back caching minus one
RAID 5 Parity distributed across all disks. Sum of the capacity of member disks,
Can sustain one disk crash minus one
RAID 6 Double parity distributed across all disks. Sum of the capacity of member disks,
Can sustain two disk crashes minus two
Linear RAID Data written sequentially across all disks. Sum of the capacity of member disks
No redundancy

mdadm -C /dev/md0 -l 5 \ Create a RAID 5 array from three partitions and a spare.
-n 3 /dev/sdb1 /dev/sdc1 /dev/sdd1 \ Partitions type must be set to 0xFD.
-x 1 /dev/sde1 Once the RAID device has been created, it must be formatted e.g. via
mke2fs -j /dev/md0

mdadm --manage /dev/md0 -f /dev/sdd1 Mark a drive as faulty, before removing it

mdadm --manage /dev/md0 -r /dev/sdd1 Remove a drive from the RAID array.
The faulty drive can now be physically removed
mdadm --manage /dev/md0 -a /dev/sdd1 Add a drive to the RAID array.
To be run after the faulty drive has been physically replaced

mdadm --misc -Q /dev/sdd1 Display information about a device

mdadm --misc -D /dev/md0 Display detailed information about the RAID array
mdadm --misc -o /dev/md0 Mark the RAID array as readonly
mdadm --misc -w /dev/md0 Mark the RAID array as read & write

/etc/mdadm.conf Configuration file for mdadm

DEVICE /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1

ARRAY /dev/md0 level=raid5 num-devices=3
UUID=0098af43:812203fa:e665b421:002f5e42
devices=/dev/sdb1,/dev/sdc1,/dev/sdd1,/dev/sde1

cat /proc/mdstat Display information about RAID arrays and devices

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 16/102 Bootloader
Bootloader

Non-GRUB bootloaders
LILO Obsolete. Small bootloader that can be placed in the MBR or the boot sector of a partition.
(Linux Loader) The configuration file is /etc/lilo.conf (run /sbin/lilo afterwards to validate changes).
SYSLINUX Able to boot from FAT and NTFS filesystems e.g. floppy disks and USB drives.
Used for boot floppy disks, rescue floppy disks, and Live USBs.
ISOLINUX Able to boot from CD-ROM ISO 9660 filesystems.
Used for Live CDs and bootable install CDs.

The CD must contain the following files:

isolinux/isolinux.bin ISOLINUX image, from the SYSLINUX distro

boot/isolinux/isolinux.cfg ISOLINUX configuration
images/ Floppy images to boot
kernel/memdisk

The CD can be burnt with the command:

mkisofs -o output.iso -b isolinux/isolinux.bin -c isolinux/boot.cat \

-no-emul-boot -boot-load-size 4 -boot-info-table [CD root dir]
PXELINUX Able to boot from PXE (Pre-boot eXecution Environment). PXE uses DHCP or BOOTP to enable
basic networking, then uses TFTP to download a bootstrap program that loads and configures
the kernel.
SYSLINUX Used for Linux installations from a central server or network boot of diskless workstations.

The boot TFTP server must contain the following files:

/tftpboot/pxelinux.0 PXELINUX image, from the SYSLINUX distro

/tftpboot/pxelinux.cfg/ Directory containing a configuration file for each machine.
A machine with Ethernet MAC address 88:99:AA:BB:CC:DD
and IP address 192.0.2.91 (C000025B in hexadecimal) will
search for its config filename in this order:
01-88-99-aa-bb-cc-dd
C000025B
C000025
C00002
C0000
C000
C00
C0
C
default

EXTLINUX General-purpose bootloader like LILO or GRUB. Now merged with SYSLINUX.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 17/102 GRUB configuration
GRUB configuration
GRUB (Grand Unified Bootloader) is the standard boot manager on modern Linux distros, which may use either version:
GRUB Legacy or GRUB 2.
GRUB Stage 1 (446 bytes), as well as the partition table (64 bytes) and the boot signature (2 bytes), is stored in the 512-
byte MBR. It then accesses the GRUB configuration and commands available on the filesystem, usually on /boot/grub .

GRUB Legacy configuration file /boot/grub/menu.lst or /boot/grub/grub.conf

timeout 10 # Boot the default kernel after 10 seconds
default 0 # Default kernel is 0

# Section 0: Linux boot

title Debian # Menu item to show on GRUB bootmenu
root (hd0,0) # root filesystem is /dev/hda1
kernel /boot/vmlinuz-2.6.24-19-generic root=/dev/hda1 ro quiet splash
initrd /boot/initrd.img-2.6.24-19-generic

# Section 1: Windows boot

title Microsoft Windows XP
root (hd0,1) # root filesystem is /dev/hda2
savedefault
makeactive # set the active flag on this partition
chainloader +1 # read 1 sector from start of partition and run

# Section 2: Firmware/BIOS update from floppy disk

title Firmware update
kernel /memdisk # boot a floppy disk image
initrd /floppy-img-7.7.7

root= Specify the location of the filesystem root. Required parameter

ro Mount read-only on boot
quiet Disable non-critical kernel messages during boot

Common debug Enable kernel debugging

kernel splash Show splash image
parameters:
emergency Emergency mode: after the kernel is booted, run sulogin (single-user login)
which asks for the root password for system maintenance, then run a Bash.
Does not load init or any daemon or configuration setting.
init=/bin/bash Run a Bash shell (may also be any other executable) instead of init

GRUB 2 configuration file /boot/grub/grub.cfg

# Linux Red Hat
menuentry "Fedora 2.6.32" { # Menu item to show on GRUB bootmenu
set root=(hd0,1) # root filesystem is /dev/hda1
linux /vmlinuz-2.6.32 ro root=/dev/hda5 mem=2048M
initrd /initrd-2.6.32
}

# Linux Debian
menuentry "Debian 2.6.36-experimental" {
set root=(hd0,1)
linux (hd0,1)/bzImage-2.6.36-experimental ro root=/dev/hda6
}

# Windows
menuentry "Windows" {
set root=(hd0,2)
chainloader +1
}
This file must not be edited manually. Instead, edit the files in /etc/grub.d/ (they are scripts that will be run in
order) and the file /etc/default/grub (the configuration file for menu display settings), then run update-grub .

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 18/102 GRUB commands
GRUB commands
The GRUB menu, presented at startup, permits to choose the OS or kernel to boot:
ENTER Boot the selected GRUB entry
C Get a GRUB command line
E Edit the selected GRUB entry (e.g. to edit kernel parameters in order to boot in single-user emergency mode,
or to change IRQ or I/O port of a device driver compiled in the kernel)
B Boot the GRUB entry once it has been modified
P Bring up the GRUB password prompt (necessary if a GRUB password has been set)

grub-install /dev/sda Install GRUB on first SATA drive

grub Access the GRUB shell
/boot/grub/device.map This file can be created to map Linux device filenames to BIOS drives:
(fd0) /dev/fd0
(hd0) /dev/hda

GRUB Legacy shell commands

blocklist file Print the block list notation of a file kernel file Load a kernel
boot Boot the loaded OS lock Lock a GRUB menu entry
cat file Show the contents of a file makeactive Set active partition on root disk to
GRUB's root device
chainloader file Chainload another bootloader map drive1 drive2 Map a drive to another drive
cmp file1 file2 Compare two files md5crypt Encrypt a password in MD5 format
configfile file Load a configuration file module file Load a kernel module
debug Toggle debugging mode modulenounzip file Load a kernel module without
decompressing it
displayapm Display APM BIOS information pause message Print a message and wait for a key
press
displaymem Display memory configuration quit Quit the GRUB shell
embed stage device Embed Stage 1.5 in the device reboot Reboot the system
find file Find a file read address Read a 32-bit value from memory
and print it
fstest Toggle filesystem test mode root device Set the current root device
geometry drive Print information on a drive rootnoverify device Set the current root device without
geometry mounting it
halt Shut down the system savedefault Save current menu entry as the
default entry
help command Show help for a command, or the setup device Install GRUB automatically on the
available commands device
impsprobe Probe the Intel Multiprocessor testload file Test the filesystem code on a file
Specification
initrd file Load an initial ramdisk image file testvbe mode Test a VESA BIOS EXTENSION
mode
install options Install GRUB (deprecated, use uppermem kbytes Set the upper memory size (only
setup instead) for old machines)
ioprobe drive Probe I/O ports used for a drive vbeprobe mode Probe a VESA BIOS EXTENSION
mode

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 19/102 Package management
Package management
Package management Debian Red Hat

Install a package file dpkg -i package.deb rpm -i package.rpm

Remove a package dpkg -r package rpm -e package
Upgrade a package
rpm -U package.rpm
(and remove old versions)

Upgrade a package rpm -F package.rpm

(only if an old version is already installed)

List installed packages and their state dpkg -l rpm -qa

Low-level tools List the content of an installed package dpkg -L package rpm -ql package
List the content of a package file dpkg -c package.deb rpm -qpl package.rpm
Show the package containing a specific file dpkg -S file rpm -qf file
Verify an installed package rpm -V package
Reconfigure a package dpkg-reconfigure package
Install a package source file rpm -i package.src.rpm
Compile a package source file rpm -ba package.spec
Install a package apt-get install package yum install package
Remove a package apt-get remove package yum remove package
Upgrade an installed package yum update package
Upgrade all installed packages apt-get upgrade yum update
Upgrade all installed packages and handle apt-get dist-upgrade
dependencies with new versions

Get the source code for a package apt-get source package

Check for broken dependencies and update
apt-get check
package cache

Fix broken dependencies apt-get install -f

High-level tools Update information about available packages apt-get update
(can install
remote List all available packages yum list
packages,
automatically Search for a package apt-cache search package yum search package
solve apt-cache depends package yum deplist package
Show package dependencies
dependencies)
Show package records apt-cache show package yum list package
Show information about a package apt-cache showpkg package yum info package
Update information about package contents apt-file update
List the content of an uninstalled package apt-file list package
Show the package containing a specific file apt-file search file yum provides file
Add a CD-ROM to the list of available sources apt-cdrom add
yumdownloader \
Download package and resolve dependencies
--resolve package
yumdownloader \
List the URLs that would be downloaded
--urls package

Text-based UI or
aptitude
Manage packages and dependencies
graphical tools dselect
Convert a RPM package to DEB and installs it. alien -i package.rpm
Other tools Might break the package system!

Convert a RPM package to cpio archive rpm2cpio package.rpm

List of available sources /etc/apt/sources.list /etc/yum.repos.d
Miscellaneous
information compressed with ar
Package format compressed with cpio
(package binutils)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 20/102
dd if=/dev/sda of=/dev/sdb
dd if=/dev/sda1 of=sda1.img
dd if=/dev/cdrom of=cdrom.iso bs=2048
rsync -rzv /home /tmp/bak
rsync -rzv /home/ /tmp/bak/home
rsync -avz /home [email protected]:/backup/
ls | cpio -o > myarchive.cpio
ls | cpio -oF myarchive.cpio
find /home/ | cpio -o > homedirs.cpio
cpio -id < myarchive.cpio
cpio -i -t < myarchive.cpio
gzip myfile
gunzip myfile.gz
zcat myfile.gz
bzip2 myfile
bunzip2 myfile.bz2
bzcat myfile.bz2
tar cvzf myarc.tar.gz mydir/
tar xvzf myarc.tar.gz
tar cvjf myarc.tar.bz2 mydir/
tar xvjf myarc.tar.bz2
tar cvJf myarc.tar.xz mydir/
tar xvJf myarc.tar.xz
tar tvf myarc.tar
Devices
Utility for magnetic tapes
Utility for tape libraries
Linux & LPIC Quick Reference Guide
Backup
Backup
Copy the content of one hard disk over another, byte by byte
Create the image of a partition
Create an ISO file from a CD-ROM, using a block size of 2 Kb
Synchronize the content of the home directory with the temporary
backup directory. Use compression, verbosity, and recursion.
For all transfers subsequent to the first, rsync only copies the blocks
that have changed, making it a very efficient backup solution in terms
of speed and bandwidth
Synchronize the content of the home directory with the backup
directory on the remote server, using SSH. Use archive mode (operates
recursively and preserves owner, group, permissions, timestamps, and
symlinks)
Create an archive of all files that are on the current directory
Create an archive of all users' home directories
Extract all files from the archive, recreating the structure of directories
List the contents of an archive file without extracting it
Compress a file with gzip
Decompress a gzip-compressed file
Read a gzip-compressed text file
Compress a file with bzip2
Decompress a bzip2-compressed file
Read a bzip2-compressed text file
Create/extract a tarred gzip-compressed archive
Create/extract a tarred bzip2-compressed archive
Create/extract a tarred xz-compressed archive
List the contents of the tarred archive without extracting it
Tape libraries
/dev/st0 First SCSI tape device
/dev/nst0 First SCSI tape device (no-rewind device file)
mt -f /dev/nst0 asf 3 Position the tape at the start of 3rd file
mtx -f /dev/sg1 status Display status of tape library
mtx -f /dev/sg1 load 3 Load tape from slot 3 to drive 0
mtx -f /dev/sg1 unload Unload tape from drive 0 to original slot
mtx -f /dev/sg1 transfer 3 4 Transfer tape from slot 3 to slot 4
mtx -f /dev/sg1 inventory Force robot to rescan all slots and drives
mtx -f /dev/sg1 inquiry Inquiry about SCSI media device
(Medium Changer = tape library)
2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 21/102 Command line
Command line
man 7 command Show man page 7 for a command

man man Show information about man pages' content:

1 Executable programs or shell commands
2 System calls (functions provided by the kernel)
3 Library calls (functions within program libraries)
4 Special files
5 File formats and conventions
6 Games
7 Miscellaneous
8 System administration commands (usually only for root)
9 Kernel routines

cd directory Change to the specified directory

cd - Change to the previously used directory
pwd Print the current directory

history Show the history of command lines executed up to this moment.

Commands prepend by a space will be executed but won't show up in the history.
After the user logs out from Bash, history is saved into ~/.bash_history
!n Execute command number n in the command line history
history -c Delete command line history

uname -a Print system information

vlock
away Lock the virtual console (terminal)

Almost all Linux commands accept the option -v (verbose), and many commands also accept the option -vv (very verbose).

Bash shortcuts
. Current directory
.. Parent directory
~ Home directory of current user
~jdoe Home directory of user jdoe
~- Previously used directory

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 22/102 Text filters
Text filters
cat myfile Print a text file
cat myfile1 myfile2 > myfile3 Concatenate text files
head myfile Print the first 10 lines of a text file
head -n 10 myfile
tail myfile Print the last 10 lines of a text file
tail -n 10 myfile
tail -f myfile Output appended data as the text file grows; useful to read logs in realtime
tac myfile Print a text file in reverse, from last line to first line
fmt -w 75 myfile Format a text file so that each line has a max width of 75 chars
pr myfile Format a text file for a printer

nl myfile Prepend line numbers to a text file

wc myfile Print the number of lines, words, and bytes of a text file

join myfile1 myfile2 Join lines of two text files on a common field
paste myfile1 myfile2 Merge lines of text files
split -l 1 myfile Split a text file into 1-line files (named xaa, xab, xac, ...)
uniq myfile Print the unique lines of a text file, omitting consecutive identical lines
sort myfile Sort alphabetically the lines of a text file
expand myfile Convert tabs into spaces
unexpand myfile Convert spaces into tabs

od myfile Dump a file into octal

cut -d: -f3 myfile Cut the lines of a file, considering : as the delimiter and printing only the 3rd field
cut -d: -f1 /etc/passwd Print the list of user accounts in the system

sed s/foo/bar/ myfile Stream Editor: Replace the first occurrence of foo with bar
sed s/foo/bar/g myfile Replace all occurrences of foo with bar

tr a-z A-Z <myfile Translate characters: Convert all lowercase into uppercase in a text file
tr [:lower:] [:upper:] <myfile
tr -d 0-9 <myfile Delete all digits from a text file
tr -d [:digit:] <myfile

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 23/102 File management
File management
cp myfile myfile2 Copy a file
cp myfile mydir/ Copy a file to a directory
Common options:
mv myfile myfile2 Rename a file -i Prompt before overwriting/deleting files (interactive)
-f Don't ask before overwriting/deleting files (force)
mv myfile mydir/ Move a file to a directory
rm myfile Delete a file

mkdir mydir Create a directory

mkdir -m 777 mydir Create a directory with 777 permission
mkdir -p /tmp/mydir1/mydir2 Create a directory, and the parent directories if they don't exist
rmdir mydir Delete an empty directory

touch myfile Change access/modification timestamp on a file, creating it if it doesn't exist

File-naming wildcards (globbing)

* Matches zero or more characters
? Matches one character
[kxw] Matches k, x, or w
[!kxw] Matches any character except k, x, or w
[a-z] Matches any character between a and z

Brace expansion
cp myfile.{txt,bak} Copy myfile.txt to myfile.bak
touch myfile_{a,b,c} Create myfile_a, myfile_b, myfile_c
touch {a..h} Create 8 files named a b c d e f g h

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 24/102 I/O streams
I/O streams
In Linux, everything is a file. File descriptors are automatically associated to any process launched.

File descriptors
# Name Type Default device
0 Standard input (stdin) Input text stream Keyboard
1 Standard output (stdout) Output text stream Terminal
2 Standard error (stderr) Output text stream Terminal

ls | sort Pipe the stdout of command ls to stdin of command sort

(i.e. generate a sorted list of the files on the current directory)

ls > myfile Redirect the stdout of command ls to a file

ls 1> myfile (i.e. write on a file the content of the current directory).
File is overwritten if it already exists; to prevent this, set the Bash noclobber option
via set -o noclobber
ls >| myfile Redirect the stdout of command ls to a file, even if noclobber is set
ls >> myfile Append the stdout of command ls to a file
ls 1>> myfile

df 2> myfile Redirect the stderr of command df to a file

(i.e. write any error encountered by the command df to a file)
df 2>> myfile Append the stderr of command df to a file

mail [email protected] < myfile Redirect a file to the stdin of command mail
(i.e. mail a file to the specified email address)

ls > myfile 2>&1 Redirect both stdout and stderr of command ls to a file
ls &> myfile

ls | tee myfile tee reads from stdin and writes both to stdout and a file
(i.e. write content of current directory to screen and to a file at the same time)
ls | tee -a myfile tee reads from stdin and appends both to stdout and a file

ls foo* | xargs cat xargs calls the cat command multiple times for each argument found on stdin
(i.e. print the content of every file whose filename starts by foo)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 25/102 Processes
Processes
Any application/program/script that runs on the system is a process. Signals are used for inter-process communication.
Each process has an unique PID (Process ID) and a PPID (Parent Process ID); when a process spawns a child, the process
PID is assigned to the child's PPID.
The /sbin/init process, run at bootup, has PID 1. It is the ancestor of all processes and becomes the parent of any
orphaned process. It is also unkillable; should it die, the kernel will panic.
When a child process dies, its status becomes EXIT_ZOMBIE and a SIGCHLD is sent to the parent. The parent should then
call the wait() system call to read the dead process' exit status and other info; until that moment, the child process
remains a zombie.

ps -ef (UNIX options) List all processes

ps aux (BSD options)
pstree PID Display all processes in hierarchical format.
The process tree is rooted at PID, or at init if PID is omitted
top Monitor processes in realtime
htop

kill -9 1138 Send a signal 9 (SIGKILL) to process 1138, hence killing it

killall -9 sshd Kill processes whose name is sshd
pgrep -u root sshd Show processes whose name is sshd and are owned by root (pgrep and pkill accept
pkill -9 -u root sshd Kill processes whose name is sshd and are owned by root the same options)

jobs List all jobs (i.e. processes whose parent is a Bash shell)
CTRL Z Suspend a job, putting it in the stopped state (send a SIGTSTP)
bg %1 Put job #1 in the background (send a SIGCONT)
fg %1 Resume job #1 in the foreground and make it the current job (send a SIGCONT)
kill %1 Kill job #1

When a Bash shell is terminated cleanly via exit, its jobs will became child of the Bash's parent and will continue running.
When a Bash is killed instead, it issues a SIGHUP to his children which will terminate.
nohup myscript.sh Prevent a process from receiving a SIGHUP (hence terminating) when its parent Bash dies

To each process is associated a niceness value: the lower the niceness, the higher the priority.
The niceness value ranges from -20 to 19, and a newly created process has a default niceness of 0.
Unprivileged users can modify a process' niceness only within the range from 1 to 19.
nice -n -5 command Start a command with a niceness of -5 (if niceness is omitted, a default value of 10 is used)
renice -5 command Change the niceness of a running command to -5

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 26/102 Signals
Signals

Most frequently used signals

Signal number Signal name Meaning
1 SIGHUP Used by many daemons to reload their configuration
2 SIGINT Interrupt, stop
9 SIGKILL Kill unconditionally (this signal cannot be ignored)
15 SIGTERM Terminate gracefully
18 SIGCONT Continue execution
20 SIGTSTP Stop execution

man 7 signal Manual page about signals

kill -l List all available signal names

kill -l 1 Print the name of signal number 1

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 27/102 Resource monitoring
Resource monitoring
iostat Print a report about CPU utilization, device utilization, and network filesystem.
The first report shows statistics since the system boot; subsequent reports will show
statistics since the previous report

vmstat Print a report about process usage, virtual memory, blocks I/O, interrupts, and CPU time
vmstat 1 5 Print a report every second, for 5 times

free Show the amount of free and used memory in the system

uptime Show how long the system has been up, how many users are connected, and the system
load averages for the past 1, 5, and 15 minutes

sar Show reports about system activity.

Reports are generated from data collected via the cron job sysstat and stored in
/var/log/sa/sn, where n is the day of the month
sar -n DEV Show reports about network activity (received and transmitted packets per second)
sar -f /var/log/sa/s19 \ Show reports for system activity from 6 to 6:30 AM on the 19th of the month
-s 06:00:00 -e 06:30:00

iotop Display I/O usage by processes in the system

Monitoring tools
collectd System statistics collector
Nagios System monitor and alert
MRTG Network load monitor
Cacti Network monitor

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 28/102 Regexs
Regexs

Regular expressions
^ Beginning of a line
$ End of a line
\< \> Word boundaries (beginning of line, end of line, space, or punctuation mark)
. Any character, except newline
[abc] Any of the characters specified
[a-z] Any of the characters in the specified range
[^abc] Any character except those specified
* Zero or more times the preceding regex
+ One or more times the preceding regex
? Zero or one time the preceding regex
{5} Exactly 5 times the preceding regex
{3,6} Between 3 and 6 times the preceding regex
| The regex either before or after the vertical bar
( ) Grouping, to be used for back-references.
\1 expands to the first match, \2 for the second, and so on until \9

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 29/102 File permissions
File permissions

- r w x r w x r w x

--==regular
regularfile
file user
user(owner)
(owner) group
group others
others
dd==directory
directory
ll==symbolic
symboliclink
link rr==read
read rr==read
read rr==read
read
ss==Unix
Unixdomain
domainsocket
socket ww==write
write ww==write
write ww==write
write
pp==named
namedpipe
pipe xx==execute
execute xx==execute
execute xx==execute
execute
cc==character
characterdevice
devicefile
file ss==setUID
setUIDand
andexecute
execute ss==setGID
setGIDand
andexecute
execute tt==sticky
stickyand
andexecute
execute
bb==block
blockdevice
devicefilefile SS==setUID
setUID andnot
and notexecute
execute SS==setGID
setGID andnot
and notexecute
execute TT==sticky
sticky andnot
and notexecute
execute

Permission Octal value Command Effect on file Effect on directory

user: 400 chmod u+r

Read group: 40 chmod g+r Can open and read the file Can list directory content
others: 4 chmod o+r

user: 200 chmod u+w

Can create, delete, and rename files in
Write group: 20 chmod g+w Can modify the file
the directory
others: 2 chmod o+w

user: 100 chmod u+x

Can execute the file (binary
Execute group: 10 chmod g+x Can access the directory
or script)
others: 1 chmod o+x

Executable is run with the

SetUID (SUID) 4000 chmod u+s No effect
privileges of the file's owner
Executable is run with the All new files and subdirectories inherit
SetGID (SGID) 2000 chmod g+s
privileges of the file's group the directory's group ID
Only the file's or the directory's owner
Sticky 1000 chmod +t No effect
can delete or rename a file inside

chmod 710 file

chmod u=rwx,g=x file Set read, write, and execute permission to user; set execute permission to group

chmod ug=rw file

chmod 660 file Set read and write permission to user and group

chmod +wx file Add write and execute permission to everybody (user, group, and others)
chmod -R o+r file Add recursively read permission to others
chmod o-x file Remove execute permission from others

chown root file Change the owner of file to root

chown root:mygroup file Change the owner of file to root, and the group of file to mygroup

chgrp mygroup file Change the group of file to mygroup

The chmod, chown, and chgrp commands accept the option -R to recursively change properties of files and directories.

Set the permission mask to 022, hence masking write permission for group and others.
umask 022 Linux default permissions are 0666 for files and 0777 for directories. These base permissions are
ANDed with the inverted umask value to calculate the final permissions of a new file or directory.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 30/102 Links
Links
A Linux directory contains a list of structures which are associations between a filename and an inode.
An inode contains all file metadata: file type, permissions, owner, group, size, access/change/modification/deletion times,
number of links, attributes, ACLs, and address where the actual file content (data) is stored.
An inode does not contain the name of the file; this information is stored in the directory the file is in.

ls -i Show a listing of the directory with the files' inode numbers

df -i Report filesystem inode usage

Hard link Symbolic or soft link

What it is A link to an already existing inode A path to a filename; a shortcut
How to create it ln myfile hardlink ln -s myfile symlink

Yes No
Is the link still valid if the original
(because the link references the inode (the path now references a non-
file is moved or deleted
the original file pointed to) existent file)
No
Can link to a file in another
(because inode numbers make sense Yes
filesystem
only within a determinate filesystem)
Can link to a directory No Yes
Reflect the original file's permissions,
Link permissions rwxrwxrwx
even when these are changed
Link attributes - (regular file) l (symbolic link)
Inode number The same as the original file A new inode number

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 31/102
find / -name "foo*"
find / -name "foo*" -print
find / -name "foo*" -exec chmod 700 {} \;
find / -name "foo*" -ok chmod 700 {} \;
find / -perm -4000 -type f
find / -perm -2000 -type f
Find system files
Find system files
Find all files, starting from the root dir, whose name start with foo
Find all files whose name start with foo and print their path
Find all files whose name start with foo and apply permission 700 to
all of them
Find all files whose name start with foo and apply permission 700 to
all of them, asking for confirmation before each file
Find all files with SUID set
(a possible security risk, because a shell with SUID root is a backdoor)
Find all files with SGID set

Locate the command ls by searching the file index, not by actually

locate ls
slocate ls walking the filesystem. The search is quick but will only held results
relative to the last rebuilding of the file index (/etc/updatedb.conf)
updatedb Build the file index (/etc/updatedb.conf)

which command Locate a binary executable command within the PATH

which -a command Locate all matches of command, not only the first one

whereis command Locate the binary, source, and manpage files for command
whereis -b command Locate the binary files for command
whereis -s command Locate the source files for command
whereis -m command Locate the manpage files for command

file myfile Analyse the content of a file or directory

Determine if command is a program or a builtin (i.e. a feature internal

type command
to the shell)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 32/102 Shell environment
Shell environment

Bash shell event Files run

/etc/profile The shell executes the
~/.bash_profile system-wide profile file, then
When a login shell is launched ~/.bash_login the first of the 3 user files
~/.profile that exists and is readable
When a login shell exits ~/.bash_logout
/etc/bash.bashrc
When a non-login shell is launched ~/.bashrc

MYVAR=myvalue
((MYVAR=myvalue)) Set a variable

((MYVAR++)) Post-increment a numeric variable (C-style)

unset MYVAR Delete a variable
export MYVAR Export a variable so it can be seen by Bash child processes

echo $MYVAR Print the value of a variable

echo ${MYVAR:-mymessage} If variable exists and is not null, print its value, otherwise print a message
echo ${MYVAR:+mymessage} If variable exists and is not null, print a message, otherwise print nothing
set ${MYVAR:=myvalue} Set a variable only if it does not exist or is null

set Display all Bash variables

set -o Show the status of all Bash options
set -o option Enable a Bash option
set +o option Disable a Bash option

env Display all environment variables

typeset -f Show functions defined in the current Bash session

alias ls='ls -lap' Set up an alias for the ls command

alias Show defined aliases
\ls
Run the non-aliased version of the ls command
/bin/ls

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 33/102 Scripting
Scripting
Scripts must start with the shebang line #! /bin/bash indicating the location of the script interpreter.

Script execution
source myscript.sh Script execution takes place in the same shell. Variables defined and
. myscript.sh exported in the script are seen by the shell when the script exits
bash myscript.sh
Script execution spawns a new shell
./myscript.sh (file must be executable)

command & Execute a command in the background

command1; command2 Execute command 1 and then command 2
command1 && command2 Execute command 2 only if command 1 executed successfully (exit status = 0)
command1 || command2 Execute command 2 only if command 1 did not execute successfully (exit status > 0)
(command1 && command2) Group commands together for evaluation priority

exit Terminate a script

exit n Terminate a script with the specified exit status number n. By convention, a 0 exit
status is used if the script executed successfully, non-zero otherwise

function myfunc { commands }

myfunc() { commands } Define a function

myfunc arg1 arg2 ... Call a function

read MYVAR Read a variable from standard input

read -n 8 MYVAR Read only max 8 chars from standard input
read -t 60 MYVAR Read a variable from standard input, timing out after one minute
read -s MYVAR Read a variable from standard input without echoing to terminal (silent mode)

echo $MYVAR Print a variable on screen

echo -n "mymessage" Print on screen without a trailing line feed

MYVAR=`date`
MYVAR=$(date) Assign to a variable the output resulting from a command

zenity Display GTK+ graphical dialogs for user messages and input

Bash built-in variables

$0 Script name
$1, $2, ... First, second, ... argument passed to the script or function
$# Number of arguments passed to the script or function
$? Exit status of the last executed command
$$ PID of the script in which this variable is called

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 34/102 Flow control
Flow control
test $MYVAR = "myvalue" && mycommand
[ $MYVAR = "myvalue" ] && mycommand Perform a test; if it holds true, the command is executed
if [ $MYVAR = "myvalue" ]; then mycommand; fi

Test operators
Integer operators File operators Expression operators
-eq Equal to -e or -a Exists -a Logical AND
-ne Not equal to -d Is a directory -o Logical OR
-lt Less than -b Is a block special file ! Logical NOT
-le Less than or equal to -c Is a character special file \( \) Priority
-gt Greater than -f Is a regular file
-ge Greater than or equal to -r Is readable
String operators -w Is writable
-z Is zero length -x Is executable
-n or nothing Is non-zero length -s Is non-zero length
= or == Is equal to -u Is SUID
!= Is not equal to -g Is SGID
< Is alphabetically before -k Is sticky
> Is alphabetically after -h Is a symbolic link

expr $MYVAR = "39 + 3" Evaluate an expression; the variable will hold the value 42
expr string : regex Return the length of the substring matching the regex
expr string : \(regex\) Return the substring matching the regex

Evaluation operators
= Equal to + Plus string : regex
match string regex String matches regex
!= Not equal to - Minus
< Less than \* Multiplied by substr string pos length Substring
<= Less than or equal to / Divided by index string chars Index of any chars in string
> Greater than % Remainder length string String length
>= Greater than or equal to

Tests
if [test 1] case $VAR in
then [pattern 1]) [command 1] ;;
[command block 1] [pattern 2]) [command 2] ;;
elif [test 2] *) [command 3]
then esac
[command block 2]
else
[command block 3]
fi

Loops
while [test] for $I in [list] break Terminate a loop
do do
[command block] [command operating on $I] continue Jump to the next iteration
done done

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 35/102 SQL
SQL

SQL syntax
USE MyDatabase; Choose which database to use
SHOW DATABASES; Show all existing databases
SHOW TABLES; Show all tables from the selected database
DESC tableCustomers; Describe the columns of a table
SELECT * FROM tableCustomers; Select all columns from the table
SELECT * FROM tableCustomers ORDER BY columnLastname LIMIT 5; Select only the first 5 records of customers
as ordered by last name
SELECT columnFirstname, columnLastname FROM tableCustomers WHERE Select only first and last name of customers
columnZipcode = 00123; whose zip code is 00123
SELECT columnCustomerID, SUM(columnSalary) FROM tablePayments Select all salary payments grouped by
GROUP BY columnCustomerID; customer ID, summed up
SELECT tableCustomers.columnLastname, tablePayments.columnAmount Perform a join by selecting data from two
FROM tableCustomers, tablePayments WHERE tables that are linked
tableCustomers.columnCustomerID = tablePayments.columnCustomerID;
INSERT INTO tableCustomers Insert new data
(columnFirstname,columnLastname,columnDOB)
VALUES (Arthur,Dent,1959-08-01);
UPDATE tableCustomers SET columnCity = 'London' WHERE Modify data
columnZipcode = 00789;
SHOW GRANTS FOR 'user'@'localhost'; Show permissions for a user
GRANT ALL PRIVILEGES ON MyDatabase.* TO 'user'@'localhost'; Grant permissions to a user
REVOKE ALL PRIVILEGES FROM 'user'@'localhost'; Revoke permissions from a user
SELECT Host,User FROM mysql.user; List MySQL users
CREATE USER 'user'@'localhost' IDENTIFIED BY 'p4ssw0rd'; Create a MySQL user
SET PASSWORD FOR 'user'@'localhost' = PASSWORD('p4ssw0rd'); Set a password for a MySQL user

MySQL command line syntax

mysql -u root -p
mysql -u root -ps3cr3t
mysql -u root -p -e 'CREATE DATABASE NewDatabase'
mysql -u root -p NewDatabase < newdb.sql
mysqldump -u root -p MyDatabase > backup.sql
Login to MySQL as root, prompting for the password
Login to MySQL as root with password s3cr3t
Create a new database by passing a SQL command to MySQL
Create a new database from an external file (.sql files are
composed of SQL commands)
Backup a database on an external file

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 36/102 X Window System
X Window System
Display Managers
Display Manager Configuration files Display Manager greeting screen

/etc/x11/xdm/Xaccess Control inbound requests from

remote hosts

/etc/x11/xdm/Xresources Configuration settings for X

applications and the login screen
Association of X displays with Defined in /etc/x11/xdm/Xresources
X /etc/x11/xdm/Xservers local X server software, or with X by the following line:
xdm Display terminals via XDMCP
Manager Script launched by xdm after xlogin*greeting: \
/etc/x11/xdm/Xsession Debian GNU/Linux (CLIENTHOST)
login

/etc/x11/xdm/Xsetup_0 Script launched before the

graphical login screen

/etc/x11/xdm/xdm-config Association of all xdm

configuration files
GNOME
gdm Display /etc/gdm/gdm.conf or /etc/gdm/custom.conf Configured via gdmsetup
Manager
KDE
kdm Display /etc/kde/kdm/kdmrc Configured via kdm_config
Manager

/etc/init.d/xdm start
/etc/init.d/gdm start Start the X Display Manager
/etc/init.d/kdm start
xorgconfig Configure X (text mode) (Debian)
Xorg -configure Configure X (text mode) (Red Hat)
xorgcfg Configure X (graphical mode) (Debian)
system-config-display Configure X (graphical mode) (Red Hat)
X -version Show which version of X is running
xdpyinfo Display information about the X server
xwininfo Display information about windows
xhost + 10.3.3.3 Add 10.3.3.3 to the list of hosts allowed to make X connections to the local machine
xhost - 10.3.3.3 Remove 10.3.3.3 from the list of hosts allowed to make X connections to the local machine
mkfontdir Catalog the newly installed fonts in the new directory
xset fp+ /usr/local/fonts Dynamically add the newly installed fonts in /usr/local/fonts to the X server
xfs Start the X font server
fc-cache Install fonts and build font information cache
switchdesk gde Switch to the GDE Display Manager at runtime

/etc/X11/xorg.conf Configuration file for X

~/.Xresources Configuration settings for X applications, in the form program*resource: value

$DISPLAY Environment variable defining the display name of the X server, in the form
hostname:displaynumber.screennumber

/etc/inittab instructs init to launch XDM at runlevel 5: x:5:respawn:/usr/X11R6/bin/xdm -nodaemon

/etc/sysconfig/desktop defines GNOME as the default desktop= "gde"

Display Environment and Display Manager: displaymanager= "gdm"

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 37/102 User accounts
User accounts

/etc/passwd User accounts

root:x:0:0:/root:/bin/bash
bin:x:1:1:/bin:/bin/bash
jdoe:x:500:100:John Doe,,555-1234,,:/home/jdoe:/bin/bash
1 2 3 4 5 6 7
1 Login name
2 Encrypted password (obsolete), or x if password is in /etc/shadow

3 UID – User ID (UID 0 is superuser; by convention UIDs 1-99 are system accounts, UIDs above are regular users)

4 GID – Default Group ID

5 GECOS field – Information about the user: Full name, Room number, Work phone, Home phone, Other

6 Home directory of the user

7 Login shell (can be set to /bin/false to prevent a user from logging in)

/etc/shadow User passwords (file is readable only by root)

root:fZPe54/Kldu6D32pl0X/A:15537:0:99999:7:::
bin:*:15637:0:99999:7:::
jdoe:!hsp\8e3jCUdw9Ru53:15580:0:99999:7::15766:
1 2 3 4 5 67 8 9
1 Login name

2 Encrypted password (a ! prefix if the account is locked), * if account is disabled, ! or !! if no password

3 Date of last password change (in number of days since 1 January 1970)

4 Days before password may be changed; if 0, user can change the password at any time

5 Days after which password must be changed

6 Days before password expiration that user is warned

7 Days after password expiration that account is disabled

8 Date of account disabling (in number of days since 1 January 1970)

9 Reserved field

/etc/group Group accounts

root:x:0:root 1 Group name

jdoe:x:501 2 Encrypted password, or x if password is in /etc/gshadow
staff:x:530:jdoe,asmith
3 GID – Group ID
1 2 3 4
4 Group members (if this is not their Default Group)

/etc/gshadow Group passwords (file is readable only by root)

root::root:root 1 Group name

jdoe:!:: 2 Encrypted password, or ! if no password set (default)
staff:0cfz7IpLhGW19i::root,jdoe
3 Group administrators
1 2 3 4
4 Group members

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 38/102 User management
User management
useradd -m jdoe Create a user account, creating and populating his homedir from /etc/skel
useradd -mc "John Doe" jdoe Create a user account, specifying his full name
useradd -ms /bin/ksh jdoe Create a user account, specifying his login shell
useradd -D Show default values (specified in /etc/login.defs) for user account creation

usermod -c "Jonas Doe" jdoe Modify the GECOS field of a user account
(usermod accepts many
usermod -L jdoe Lock a user account
useradd options)
usermod -U jdoe Unlock a user account

userdel -r jdoe Delete a user and his homedir

chfn jdoe Change the GECOS field of a user

chsh jdoe Change the login shell of a user

passwd jdoe Change the password of a user

passwd -l jdoe Lock a user account

chage -E 2013-02-14 jdoe
chage -d 13111 jdoe
chage -d 0 jdoe
chage -M 30 jdoe
chage -m 7 jdoe
chage -W 15 jdoe
chage -I 3 jdoe
chage -l jdoe
Change the password expiration date, locking the account at that date
Change the date (in number of days since 1 January 1970) of last password change
Force the user to change password at his next login
Change the max number of days during which a password is valid
Change the min number of days between password changes
Change the number of days before password expiration that the user will be warned
Change the number of days after password expiration before the account is locked
List password aging information for a user

groupadd staff Create a group

groupmod -n newstaff staff Change a group name

groupdel staff Delete a group

gpasswd staff Set or change the password of a group

gpasswd -a jdoe staff Add a user to a group
gpasswd -d jdoe staff Delete a user from a group
gpasswd -A jdoe staff Add a user to the list of administrators of the group

adduser
deluser
addgroup User-friendly front-ends for user and group management (Debian)
delgroup

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 39/102 User privileges
User privileges

User control
who am i
whoami Print your effective user ID

who Print the list of users logged into the system

w Print the list of users logged into the system, and what they are doing

fail2ban Scan authentication logs and temporarily ban IP addresses (via firewall rules) that have
too many failed password logins

/var/log/auth.log Log containing user logins and authentication mechanisms

/var/log/pwdfail Log containing failed authentication attempts
/etc/nologin If this file exists, login and sshd deny login to the system

su and sudo
su jdoe Run a shell as the specified user. If user is not specified, assume root
su -c "fdisk -l" Pass a single command to the shell
su - Ensure that the spawned shell is a login shell, hence running login scripts and setting
su -l the correct environment variables. Recommended option

sudo fdisk -l
sudo -ujdoe fdisk -l
sudoedit /etc/passwd
sudo -e /etc/passwd
visudo
Run a command as root. Sudo commands are logged via syslog
Run a command as another user
Edit a protected file. It is recommended to use this instead of allowing users to sudo
text editors as root, which will arise security problems if the editor spawns a shell
Edit /etc/sudoers, the configuration file that specifies access rights to sudo

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 40/102 User messaging
User messaging
echo "Message" | write jdoe Write a message to the terminal of user jdoe
echo "Message" | wall Write a message to the terminal of all logged in users
talk jdoe Open an interactive chat session with user jdoe

mesg y Allow the other users to message you via write, wall, and talk
chmod g+w $(tty)
mesg n Disallow the other users to message you via write, wall, and talk
chmod g-w $(tty)
mesg Display your current message permission status
mesg works by enabling/disabling the group write permission of your terminal device, which is owned by system group tty.
The superuser is always able to message users.

echo $(tty) Print your terminal device (e.g. /dev/tty1, /dev/pts/1)

/etc/issue Message to be printed before the login prompt. Can contain these escape codes:
\b Baudrate of line \o Domain name
\d Date \r OS release number
\s System name and OS \t Time
\l Terminal device line \u Number of users logged in
\m Architecture identifier of machine \U "n users" logged in
\n Nodename a.k.a. hostname \v OS version and build date

/etc/issue.net Message to be printed before the login prompt on a remote session

/etc/motd Message to be printed after a successful login, before execution of the login shell

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 41/102 Job scheduling
Job scheduling
cron – repeated scheduled execution

/etc/crontab

# m h dom mon dow user command

25 6 * * 1 root myscript.sh
m = minutes
25 6 * * 1 = every Monday at 6:25 AM
h = hours
*/5 16 * * * = from 4:00 to 4:55 PM every 5 mins, everyday
dom = day of month (1-31)
0,30 7 25 12 * = on 25th December at 7:00 and 7:30 AM
mon = month (1-12 or jan-dec)
3 17 * * 1-5 = at 5:03 PM everyday, from Monday to Friday
dow = day of week (0-7 or sun-sat; 0=7=Sunday)
The crond daemon checks the /etc/crontab system-wide file every minute and executes command as user at the specified
times.
Each user may also set his own crontab scheduling, which will result in a file /var/spool/cron/username. A user' crontab
file has the same format, except that the user field is not present.

/etc/anacrontab

# period delay job-identifier command

7 10 cron-weekly myscript.sh
period = period in days
delay = delay in minutes
job-identifier = job identifier in anacron messages

Anacron jobs are run by crond, and permit the execution of periodic jobs on a machine that is not always running, such as a
laptop.
If the job has not been executed in the last period, the system waits for delay and then executes command.

If /etc/cron.allow exists, only users listed therein can access the service.
If /etc/cron.deny exists, all users except those listed therein can access the service.
If none of these files exist, all users can access the service.

crontab -e Edit your user crontab file

crontab -l List the contents of your crontab file
crontab -e -u jdoe Edit the crontab file of another user (only root can do this)
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly Scripts placed in these directories will be automatically executed with the specified periods
/etc/cron.monthly

at – scheduled execution once

If /etc/at.allow exists, only users listed therein can access the service.
If /etc/at.deny exists, all users except those listed therein can access the service.
If none of these files exist, no user except root can access the service.

at 5:00pm tomorrow myscript.sh

at -f mylistofcommands.txt 5:00pm tomorrow Execute a command once at the specified time (absolute or relative)
echo "rm file" | at now+2 minutes
at -l
atq List the scheduled jobs

at -d 3
atrm 3 Remove job number 3 from the list

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 42/102 Localization
Localization

Locale environment variables

Language, stored in /etc/default/locale .
When scripting, LANG=C should be set because this
LANG
LANGUAGE specifies the minimal locale environment for C
translation, and guarantees a standard collation and
formats for the execution of scripts
LC_CTYPE Character classification and case conversion
LC_NUMERIC Non-monetary numeric formats
LC_TIME Date and time formats
These locale variables are in the format
LC_COLLATE Alphabetical order language_territory.encoding
LC_MONETARY Monetary formats e.g. en_US.UTF-8

LC_MESSAGES Language and encoding of system messages and user The list of supported locales is stored in
input /usr/share/i18n/SUPPORTED
LC_PAPER Paper size
LC_NAME Personal name formats
LC_ADDRESS Geographic address formats
LC_TELEPHONE Telephone number formats
LC_MEASUREMENT Measurement units (metric or others)
LC_IDENTIFICATION Metadata about locale
LC_ALL Special variable overriding all others

locale Show locale environment variables

locale-gen it_IT.UTF-8 Generate a locale by compiling a list of locale definition files

apt-get install manpages-it language-pack-it Install a different locale (system messages and manpages)

iconv -f IS6937 -t IS8859 filein > fileout Convert a text file from a codeset to another

ISO/IEC-8859 is a standard for 8-bit encoding of printable characters.

The first 256 characters in ISO/IEC-8859-1 (Latin-1) are identical to those in Unicode.
UTF-8 encoding can represent every character in the Unicode set, and was designed for backward compatibility with ASCII.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 43/102 System time
System time
tzselect
tzconfig Set the timezone, stored in /etc/timezone
dpkg-reconfigure tzdata (Debian)

Timezone is also set as a symbolic link from /etc/localtime to the correct timezone file in /usr/share/zoneinfo/

date Show current date and time

date -d "9999 days ago"
date -d "1970/01/01 + 14662"
date +"%F %H:%M:%S"
date -s "20130305 23:30:00"
date 030523302013
Show a different, calculated date
Convert number of days since 1 January 1970 (e.g. 14662) in a canonical date
Show date in the format specified
Set the date
Set the date, in the format MMDDhhmmYYYY

ntpd NTP daemon, keeps the clock in sync with Internet time servers
ntpd -q Synchronize the time once and quit
ntpd -g Force NTP to start even if clock is off by more than the panic threshold (1000 secs)
ntpd -n -g -q Start NTP as a non-daemon, force set the clock, and quit

ntpq -p timeserver Query the time server for a list of peers

ntpdate timeserver Synchronizes the clock with the specified time server
ntpdate -b timeserver Brutally set the clock, without waiting for a slow adjusting
ntpdate -q timeserver Query the time server without setting the clock

hwclock --show
hwclock -r Show the hardware clock

hwclock --hctosys
hwclock -s Set the system time from the hardware clock

hwclock --systohc
hwclock -w Set the hardware clock from system time

hwclock --utc Indicate that the hardware clock is kept in Coordinated Universal Time
hwclock --localtime Indicate that the hardware clock is kept in local time

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 44/102 Syslog
Syslog
syslogd Daemon logging events from user processes
Syslog logging facility:
klogd Daemon logging events from kernel processes

/etc/syslog.conf
# facility.level action
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.alert root
*.emerg *
local5.* @10.7.7.7
local7.* /var/log/boot.log

Facility Level Action

Creator of the message Severity of the message Destination of the message
auth or security† emerg or panic† (highest) filename message is written into a logfile
authpriv alert
cron crit message is sent to a logger
daemon err or error† @hostname server (via UDP port 514)
kern warning or warn†
lpr notice message is sent to users'
mail user1,user2,user3
info consoles
mark (for syslog internal use) debug (lowest)
news
* message is sent to all logged-in
syslog
none (facility disabled) users' consoles
user
uucp
local0 ... local7 (custom)

† deprecated

logger -p auth.info "Message" Send a message to syslogd with the specified facility and priority

man 3 syslog Syslog manpage listing facilities and levels

logrotate Rotate logs (by gzipping, renaming, and eventually deleting old logfiles) according to
/etc/logrotate.conf

tail -f /var/log/messages Print the last lines of the message log file, moving forward as the file grows (i.e. read
logs in real-time)

zgrep grep_options file Grep search in a gzipped file

zcat /var/log/messages.1.gz Print a gzipped file on stdout

/var/log/messages System and kernel logfiles

/var/log/syslog
/var/log/kern.log

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 45/102 E-mail
E-mail

MUA MTA MTA MDA MUA

(Mail User Agent) (Mail Transfer Agent) (Mail Transfer Agent) (Mail Delivery Agent) (Mail User Agent)
mailclient of sender SMTP server of sender remote host mailserver of recipient mailclient of recipient

e.g. Alpine, Mutt e.g. Sendmail, Exim, Postfix, qmail e.g. Procmail, SpamAssassin

~/.forward Mail address(es) to forward the user's mail to, or mail commands
/etc/aliases
/etc/mail/aliases Aliases database for users on the local machine. Each line has syntax alias: user

/var/spool/mail/user Inbox for user on the local machine

/var/log/mail.log (Debian)
Mail logs
/var/log/maillog (Red Hat)

mail -s "Subject" -c "[email protected]" < bodyfile Send a mail message

newaliases
sendmail -bi Update the aliases database; must be run after any change to /etc/aliases

mailq
exim4 -bp Examine the mail queue

exim4 -M messageID Attempt delivery of message

exim4 -Mrm messageID
exim4 -Mvh messageID
exim4 -Mvb messageID
exim4 -Mvc messageID
exim4 -qf domain
exim4 -Rff domain
exim4 -bV
Remove a message from the mail queue
See the headers of a message in the mail queue
See the body of a message in the mail queue
See a message in the mail queue
Force a queue run of all queued messages for a domain
Attempt delivery of all queued messages for a domain
Show version and other info

Mailbox formats
Each mail folder is a single file, storing multiple email messages.
mbox $HOME/Mail/myfolder
Advantages: universally supported, fast search inside a mail folder.
Disadvantages: issues with file locking, possible mailbox corruption.
Each mail folder is a directory, and contains the subdirectories /cur, /new, and /tmp.
Each email message is stored in its own file with an unique filename ID.

The process that delivers an email message writes it to a file in the tmp/ directory,
and then moves it to new/. The moving is commonly done by hard linking the file to
new/ and then unlinking the file from tmp/, which guarantees that a MUA will not see
Maildir a partially written message as it never looks in tmp/. $HOME/Mail/myfolder/
When the MUA finds mail messages in new/ it moves them to cur/.

Advantages: fast location/retrieval/deletion of a specific mail message, no file locking

needed, can be used with NFS.
Disadvantages: some filesystems may not efficiently handle a large number of small
files, searching text inside all mail messages is slow

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 46/102 SMTP
SMTP

SMTP commands
220 smtp.example.com ESMTP Postfix Initiate the conversation and
HELO abc.example.org HELO abc.example.org
identify client host to server
250 Hello abc.example.org, glad to meet you
MAIL FROM: [email protected] EHLO abc.example.org Like HELO, but tell server to
250 Ok use Extended SMTP
RCPT TO [email protected]
250 Ok MAIL FROM: [email protected] Specify mail sender
RCPT TO [email protected] RCPT TO: [email protected] Specify mail recipient
250 Ok
DATA Specify data to send. Ended
354 End data with <CR><LF>.<CR><LF> DATA
with a dot on a single line
From: Alice <[email protected]>
To: Bob <[email protected]> QUIT
RSET Disconnect
Cc: Eve <[email protected]>
Date: Wed, 13 August 2014 18:02:43 -0500
Subject: Test message
HELP List all available commands
NOOP Empty command
This is a test message.
. Verify the existence of an e-
250 OK id=1OjReS-0005kT-Jj
VRFY [email protected] mail address (this command
QUIT should not be implemented,
221 Bye for security reasons)
EXPN mailinglist Check mailing list membership

SMTP response codes

1 Command accepted, but not processed until client sends confirmation
2 Command successfully completed
first digit 3 Command accepted, but not processed until client sends more information
4 Command failed due to temporary errors
5 Command failed due to permanent errors
0 Syntax error or command not implemented
1 Informative response in reply to a request for information
second digit
2 Connection response in reply to a data transmission
5 Status response in reply to a mail transfer operation
third digit Specifies further the response
211 System status or help reply
214 Help message
220 The server is ready
221 The server is ending the conversation
250 The requested action was completed
251 The specified user is not local, but the server will forward the mail message
354 Reply to the DATA command. After getting this, start sending the message body
421 The mail server will be shut down, try again later
450 The mailbox that you are trying to reach is busy, try again later
451 The requested action was not done. Some error occurred in the mail server
452 The requested action was not done. The mail server ran out of system storage
500 The last command contained a syntax error or the command line was too long
501 The parameters or arguments in the last command contained a syntax error
502 The last command is not implemented in the mail server
503 The last command was sent out of sequence
504 One of the parameters of the last command is not implemented by the server
550 The mailbox that you are trying to reach can't be found or you don't have access rights
551 The specified user is not local; part of message text will contain a forwarding address
552 The mailbox that you are trying to reach has run out of space, try again later
553 The mail address that you specified was not syntactically correct
554 The mail transaction has failed for unknown causes

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 47/102 Sendmail & Exim
Sendmail & Exim

Sendmail is distributed as a monolithic binary file.

It used to run SUID root, which caused many security problems; recent versions runs SGID smmsp, the group that has write
access on the mail queue. Sendmail uses smrsh, a restricted shell, to run some external programs.

/etc/mail/submit.cf Sendmail local mail transfer configuration file

/etc/mail/sendmail.cf Sendmail MTA configuration file
The .cf configuration files are generated from edited .mc text files via the m4 command, e.g.
m4 /etc/mail/submit.mc > /etc/mail/submit.cf

/etc/mail/access.db Access control file to allow or deny access to systems or users

/etc/mail/local-host-names.db List of domains that must be considered as local accounts
/etc/mail/virtusertable.db Map for local accounts, used to distribute incoming email
/etc/mail/mailertable.db Routing table, used to dispatch emails from remote systems
/etc/mail/domaintable.db Domain table, used for transitions from an old domain to a new one
/etc/mail/genericstable.db Map for local accounts, used to specify a different sender for outgoing mail
/etc/mail/genericsdomain.db Local FQDN
The .db database files are generated from edited text files via the makemap command, e.g.
makemap hash /etc/mail/access.db < /etc/mail/access

sendmail -bt Run Sendmail in test mode

hoststat Print statistics about remote hosts usage
purgestat Clear statistics about remote host usage
mailstats Print statistics about the mailserver
praliases Display email aliases

Exim is a free MTA, distributed under open source GPL license.

/etc/exim.conf
Exim4 configuration file
/usr/local/etc/exim/configure (FreeBSD)

exinext Give the times of the next queue run

exigrep Search through Exim logfiles
exicyclog Rotate Exim logfiles

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 48/102 Postfix
Postfix

Postfix is a fast, secure, easy to configure, open source MTA intended as a replacement for Sendmail. It is implemented as
a set of small helper daemons, most of which run in a chroot jail with low privileges. The main ones are:
master Postfix master daemon, always running; starts the other daemons when necessary
nqmgr Queue manager for incoming and outgoing mail, always running
smtpd SMTP daemon for incoming mail
smtp SMTP daemon for outgoing mail
bounce Manager of bounce messages
cleanup Daemon that verifies the syntax of outgoing messages before they are handed to the queue manager
local Daemon that handles local mail delivery
virtual Daemon that handles mail delivery to virtual users

/var/spool/postfix/incoming Incoming queue.

/var/spool/postfix/active
/var/spool/postfix/deferred
/var/spool/postfix/bounce
/var/spool/postfix/defer
/var/spool/postfix/trace
All new mail entering the Postfix queue is written here by the cleanup daemon.
Under normal conditions this queue is nearly empty
Active queue.
Contains messages ready to be sent. The queue manager places messages here
from the incoming queue as soon as they are available
Deferred queue.
A message is placed here when all its deliverable recipients are delivered, and for
some recipients delivery failed for a transient reason. The queue manager scans
this queue periodically and puts some messages into the active queue for a retry
Message delivery status report about why mail is bounced (non-delivered mail)
Message delivery status report about why mail is delayed (non-delivered mail)
Message delivery status report (delivered mail)

postfix reload Reload configuration

postconf -e 'mydomain = example.org' Edit a setting in the Postfix configuration

postconf -l List supported mailbox lock methods
postconf -m List supported database types
postconf -v Increase logfile verbosity

postmap dbtype:textfile Create a hashed map file of database type dbtype from textfile

postalias Convert /etc/aliases into the aliases database file /etc/aliases.db

newaliases

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 49/102 Postfix configuration
Postfix configuration

/etc/postfix/main.cf Postfix configuration file

mydomain = example.org This system's domain
myorigin = $mydomain Domain from which all sent mail will appear to originate
myhostname = foobar.$mydomain This system's hostname
inet_interfaces = all Network interface addresses that this system receives mail on.
Value can also be localhost, all, or loopback-only
proxy_interfaces = 1.2.3.4 Network interface addresses that this system receives mail on
by means of a proxy or NAT unit
mynetworks = 10.3.3.0/24 !10.3.3.66 Networks the SMTP clients are allowed to connect from
mydestination = $myhostname localhost Domains for which Postfix will accept received mail.
$mydomain example.com Value can also be a lookup database file e.g. a hashed map
hash:/etc/postfix/otherdomains
relayhost = 10.6.6.6 Relay host to which Postfix should send all mail for delivery,
instead of consulting DNS MX records
relay_domains = $mydestination Sources and destinations for which mail will be relayed.
Can be empty if Postfix is not intended to be a mail relay
virtual_alias_domains = virtualex.org Set up Postfix to handle mail for virtual domains too.
virtual_alias_maps = /etc/postfix/virtual The /etc/postfix/virtual file is a hashed map, each line of
the file containing the virtual domain email address and the
or destination real domain email address:
[email protected] [email protected]
virtual_alias_domains = hash:/etc/postfix/virtual
[email protected] kim.smith
@virtualex.org root
The last line is a catch-all specifying that all other email
messages to the virtual domain are delivered to the root user
on the real domain
mailbox_command = /usr/bin/procmail Use Procmail as MDA
A line beginning with whitespace or tab is a continuation of the previous line.
A line beginning with a # is a comment. The # is not a comment delimiter if it is not placed at the beginning of a line.

/etc/postfix/master.cf Postfix master daemon configuration file

# service type private unpriv chroot wakeup maxproc command + args
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
flush unix n - - 1000? 0 flush
smtp unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
service Name of the service
type Transport mechanism used by the service
private Whether the service is accessible only by Postfix daemons and not by the whole system. Default is yes
unprivileged Whether the service is unprivileged i.e. not running as root. Default is yes
chroot Whether the service is chrooted. Default is yes
wakeup How often the service needs to be woken up by the master daemon. Default is never
maxproc Max number of simultaneous processes providing the service. Default is 50
command Command used to start the service
The - indicates that an option is set to its default value.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 50/102 Procmail
Procmail

Procmail is a regex-based MDA whose main purpose is to preprocess and sort incoming email messages.
It is able to work both with the standard mbox format and the Maildir format.

To have all email processed by Procmail, the ~/.forward file may be edited to contain:
"|exec /usr/local/bin/procmail || exit 75"

/etc/procmailrc System-wide recipes

~/.procmailrc User's recipes

procmail -h List all Procmail flags for recipes

formail Utility for email filtering and editing

lockfile Utility for mailbox file locking
mailstat Utility for generation of reports from Procmail logs

/etc/procmailrc and ~/.procmailrc Procmail recipes

PATH=$HOME/bin:/usr/bin:/bin:/usr/sbin:/sbin
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/Inbox Common parameters, non specific to Procmail
LOGFILE=$HOME/.procmaillog

Flag: match headers (default) and use file locking (highly

:0h: or :0:
recommended when writing to a file or a mailbox in mbox format)
* ^From: .*(alice|bob)@foobar\.org
$DEFAULT Condition: match the header specifying the sender address
Destination: default mailfolder
:0:
* ^From: .*owner@listserv\.com Conditions: match sender address and subject headers
* ^Subject:.*Linux Destination: specified mailfolder, in mbox format
$MAILDIR/Geekstuff1
:0
Flag: file locking not necessary because using Maildir format
* ^From: .*owner@listserv\.com
* ^Subject:.*Linux Conditions: match sender address and subject headers
$MAILDIR/Geekstuff2/ Destination: specified mailfolder, in Maildir format

# Blacklisted by SpamAssassin
Flag: file locking not necessary because blackholing to /dev/null
:0
* ^X-Spam-Status: Yes Condition: match SpamAssassin's specific header
/dev/null Destination: delete the message

:0B:
* hacking Flag: match body of message instead of headers
$MAILDIR/Geekstuff
:0HB:
* hacking Flag: match either headers or body of message
$MAILDIR/Geekstuff
:0:
* > 256000 Condition: match messages larger than 256 Kb
| /root/myprogram Destination: pipe message through the specified program

:0fw
* ^From: .*@foobar\.org Flags: use the pipe as a filter (modifying the message), and tell
| /root/myprogram Procmail to wait that the filter finished processing the message

:0c
* ^Subject:.*administration
Flag: copy the message and proceed with next recipe
! [email protected]
Destination: forward to specified email address, and (as ordered
:0: by the next recipe) save in the specified mailfolder
$MAILDIR/Forwarded

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 51/102 Courier POP configuration
Courier POP configuration

The Courier MTA provides modules for ESMTP, IMAP, POP3, webmail, and mailing list services in a single framework.

The courier-authlib service must be launched first, then the desired mail service e.g. courier-imap for the IMAP service.

imapd Courier IMAP daemon configuration

/usr/lib/courier-imap/etc/ imapd-ssl Courier IMAPS daemon configuration
or
/etc/courier/ pop3d Courier POP3 daemon configuration
pop3d-ssl Courier POP3S daemon configuration

/usr/lib/courier-imap/share/ Directory for public and private keys

mkimapdcert Generate a certificate for the IMAPS service

mkpop3dcert Generate a certificate for the POP3 service
makealiases Create system aliases in /usr/lib/courier/etc/aliases.dat , which is
made by processing a /usr/lib/courier/etc/aliases/system text file:
root : postmaster
mailer-daemon : postmaster
MAILER-DAEMON : postmaster
uucp : postmaster
postmaster : admin

/usr/lib/courier-imap/etc/pop3d Courier POP configuration file

ADDRESS=0 Address to listen on. 0 means all addresses
PORT=127.0.0.1.900,192.168.0.1.900 Port number connections are accepted on. Accept connections on
port 900 on IP addresses 127.0.0.1 and 192.168.0.1
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1" POP authentication advertising SASL (Simple Authentication and
Security Layer) capability, with CRAM-MD5 and CRAM-SHA1
POP3AUTH_TLS="LOGIN PLAIN" Also advertise SASL PLAIN if SSL is enabled
MAXDAEMONS=40 Maximum number of POP3 servers started
MAXPERIP=4 Maximum number of connections to accept from the same IP address
PIDFILE=/var/run/courier/pop3d.pid PID file
TCPDOPTS="-nodnslookup -noidentlookup" Miscellaneous couriertcpd options that shouldn't be changed
LOGGEROPTS="-name=pop3d" courierlogger options
POP3_PROXY=0 Enable or disable proxying
PROXY_HOSTNAME=myproxy Override value from gethostname() when checking if a proxy
connection is required
DEFDOMAIN="@example.com" Optional default domain. If the username does not contain the first
character of DEFDOMAIN, then it is appended to the username. If
DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
only if the username does not contain any character from DOMAINSEP
POP3DSTART=YES Flag intended to be read by the system startup script
MAILDIRPATH=Maildir Name of the maildir directory

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 52/102 Courier IMAP configuration
Courier IMAP configuration

/usr/lib/courier-imap/etc/imapd Courier IMAP configuration file

ADDRESS=0 Address to listen on. 0 means all addresses
PORT=127.0.0.1.900,192.168.0.1.900 Port number connections are accepted on. Accept connections on
port 900 on IP addresses 127.0.0.1 and 192.168.0.1
AUTHSERVICE143=imap Authenticate using a different service parameter depending on the
connection's port. This only works with authentication modules that
use the service parameter, such as PAM
MAXDAEMONS=40 Maximum number of IMAP servers started
MAXPERIP=20 Maximum number of connections to accept from the same IP address
PIDFILE=/var/run/courier/imapd.pid File where couriertcpd will save its process ID
TCPDOPTS="-nodnslookup -noidentlookup" Miscellaneous couriertcpd options that shouldn't be changed
LOGGEROPTS="-name=imapd" courierlogger options
DEFDOMAIN="@example.com" Optional default domain. If the username does not contain the first
character of DEFDOMAIN, then it is appended to the username. If
DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
only if the username does not contain any character from DOMAINSEP
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS \ Specifies what most of the response should be to the CAPABILITY
CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT \ command
THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1 Enable or disable custom IMAP keywords. Possible values are:
0 disable keywords
1 enable keywords
2 enable keywords with a slower algorithm
IMAP_ACL=1 Enable or disable IMAP ACL extension
SMAP_CAPABILITY=SMAP1 Enable the experimental Simple Mail Access Protocol extensions
IMAP_PROXY=0 Enable or disable proxying
IMAP_PROXY_FOREIGN=0 Proxying to non-Courier servers. Re-sends the CAPABILITY command
after logging in to remote server. May not work with all IMAP clients
IMAP_IDLE_TIMEOUT=60 How often, in seconds, the server should poll for changes to the
folder while in IDLE mode
IMAP_CHECK_ALL_FOLDERS=0 Enable or disable server check for mail in every folder
IMAP_UMASK=022 Set the umask of the server process. This value is passed to the
umask command. This feature is mostly useful for shared folders,
where the file permissions of the messages may be important
IMAP_ULIMITD=131072 Set the upper limit of the size of the data segment of the server
process, in Kb. This value is passed to the ulimit -d command.
This feature is used as an additional safety check that should stop any
potential DoS attacks that exploit any kind of a memory leak to
exhaust all the available memory on the server
IMAP_USELOCKS=1 Enable or disable dot-locking to support concurrent multiple access to
the same folder. Strongly recommended when using shared folders
IMAP_SHAREDINDEXFILE=\ Index of all accessible folders.
/etc/courier/shared/index Normally, this setting should not be changed
IMAP_TRASHFOLDERNAME=Trash Name of the trash folder
IMAP_EMPTYTRASH=Trash:7,Sent:30 Purge folders i.e. delete all messages from the specified folders after
the specified number of days
IMAP_MOVE_EXPUNGE_TO_TRASH=0 Enable or disable moving expunged messages to the trash folder
(instead of straight deleting them)
HEADERFROM=X-IMAP-Sender Make the return address, $SENDER, being saved in the
X-IMAP-Sender mail header. This header gets added to the sent
message (but not in the copy of the message saved in the folder)
MAILDIRPATH=Maildir Name of the mail directory

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 53/102 Dovecot login
Dovecot login
Dovecot is an open source, security-hardened, fast and efficient IMAP and POP3 server.
By default it uses PAM authentication. The script mkcert.sh can be used to create self-signed SSL certificates.

/etc/dovecot.conf Dovecot configuration file

base_dir = /var/run/dovecot/ Base directory where to store runtime data
protocols = imaps pop3s Protocols to serve. If Dovecot should use dovecot-auth, this can be set
to none
listen = *, [::] Network interfaces to accept connections on.
Here, listen to all IPv4 and IPv6 interfaces
disable_plaintext_auth = yes Disable LOGIN command and all other plaintext authentications unless
SSL/TLS is used (LOGINDISABLED capability)
shutdown_clients = yes Kill all IMAP and POP3 processes when Dovecot master process shuts
down. If set to no, Dovecot can be upgraded without forcing existing
client connections to close
log_path = /dev/stderr Log file to use for error messages, instead of sending them to syslog.
Here, log to stderr
info_log_path = /dev/stderr Log file to use for informational and debug messages. Default value is
the same as log_path
syslog_facility = mail Syslog facility to use if logging to syslog
login_dir = /var/run/dovecot/login Directory where the authentication process places authentication UNIX
sockets, to which the login process needs to be able to connect
login_chroot = yes Chroot login process to the login_dir
login_user = dovecot User to use for the login process. This user is used to control access for
authentication process, and not to access mail messages
login_process_size = 64 Maximum login process size, in Mb
login_process_per_connection = yes If yes, each login is processed in its own process (more secure); if no,
each login process processes multiple connections (faster)
login_processes_count = 3 Number of login processes to keep for listening for new connections
login_max_processes_count = 128 Maximum number of login processes to create
login_max_connections = 256 Maximum number of connections allowed per each login process.
This setting is used only if login_process_per_connection = no; once
the limit is reached, the process notifies master so that it can create a
new login process
login_greeting = Dovecot ready. Greeting message for clients
login_trusted_networks = \ Trusted network ranges (usually IMAP proxy servers).
10.7.7.0/24 10.8.8.0/24 Connections from these IP addresses are allowed to override their IP
addresses and ports, for logging and authentication checks.
disable_plaintext_auth is also ignored for these networks
mbox_read_locks = fcntl Locking methods to use for locking mailboxes in mbox format.
mbox_write_locks = dotlock fcntl Possible values are:
dotlock Create mailbox.lock file; oldest and NSF-safe method
dotlock_try Same as dotlock, but skip if failing
fcntl Recommended; works with NFS too if lockd is used
flock May not exist in all systems; doesn't work with NFS
lockf May not exist in all systems; doesn't work with NFS
maildir_stat_dirs = no Option for mailboxes in Maildir format. If no (default), the LIST
command returns all entries in the mail directory beginning with a dot.
If yes, returns only entries which are directories
dbox_rotate_size = 2048 Maximum and minimum file size, in Kb, of a mailbox in dbox format
dbox_rotate_min_size = 16 until it is rotated
!include /etc/dovecot/conf.d/*.conf Include configuration file
!include_try /etc/dovecot/extra.conf Include optional configuration file, do not give error if file not found

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 54/102 Dovecot mailboxes
Dovecot mailboxes

/etc/dovecot.conf Dovecot configuration file

mail_location = \ Mailbox location, in mbox or Maildir format. Variables:
mbox:~/mail:INBOX=/var/spool/mail/%u %u username
or %n user part in user@domain, same as %u if there is no domain
mail_location = maildir:~/Maildir
%d domain part in user@domain, empty if there is no domain
%h home directory
namespace shared { Definition of a shared namespace, for accessing other users' mailboxes
that have been shared.
Private namespaces are for users' personal emails.
Public namespaces are for shared mailboxes managed by root user
separator = / Hierarchy separator to use. Should be the same for all namespaces; it
depends on the underlying mail storage format
prefix = shared/%%u/ Prefix required to access this namespace; must be different for each.
Here, mailboxes are visible under shared/user@domain/ ; the variables
%%n, %%d and %%u are expanded to the destination user
location = maildir:%%h/Maildir:\ Mailbox location for other users' mailboxes; it is in the same format as
INDEX=~/Maildir/shared/%%u mail_location which is also the default for it.
%variable and ~/ expand to the logged in user's data;
%%variable expands to the destination user's data
inbox = no There can be only one INBOX, and this setting defines which
namespace has it
hidden = no Define whether the namespace is hidden i.e. not advertised to clients
via NAMESPACE extension
subscriptions = no Namespace handles its own subscriptions; if set to no, the parent
namespace handles them and Dovecot uses the default namespace for
saving subscriptions. If prefix is empty, this should be set to yes
list = children Show the mailboxes under this namespace with LIST command,
making the namespace visible for clients that do not support the
NAMESPACE extension.
Here, lists child mailboxes but hide the namespace prefix; list the
namespace only if there are visible shared mailboxes
}
mail_uid = 666 UID and GID used to access mail messages
mail_gid = 666
mail_privileged_group = mail Group to enable temporarily for privileged operations; currently this is
used only with INBOX when its initial creation or a dotlocking fails
mail_access_groups = tmpmail Supplementary groups to grant access to for mail processes; typically
these are used to set up access to shared mailboxes
lock_method = fcntl Locking method for index files. Can be fcntl, flock, or dotlock
first_valid_uid = 500 Valid UID range for users; default is 500 and above. This makes sure
last_valid_uid = 0 that users cannot login as daemons or other system users.
Denying root login is hardcoded to Dovecot and cannot be bypassed
first_valid_gid = 1 Valid GID range for users; default is non-root/wheel. Users having
last_valid_gid = 0 non-valid primary GID are not allowed to login
max_mail_processes = 512 Maximum number of running mail processes. When this limit is
reached, new users are not allowed to login
mail_process_size = 256 Maximum mail process size, in Mb
valid_chroot_dirs = List of directories under which chrooting is allowed for mail processes
mail_chroot = Default chroot directory for mail processes. Usually not needed as
Dovecot does not allow users to access files outside their mail directory
mailbox_idle_check_interval = 30 When IDLE command is running, mailbox is checked once in a while to
see if there are any new mails or other changes. This setting defines
the minimum time to wait between these checks, in seconds

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 55/102 Dovecot IMAP & POP
Dovecot IMAP & POP

/etc/dovecot.conf Dovecot configuration file

protocol imap { Block with options for the IMAP protocol
listen = *:143 Network interfaces to accept IMAP and IMAPS
ssl_listen = *:993 connections on
login_executable = /usr/libexec/dovecot/imap-login Location of the IMAP login executable
mail_executable = /usr/libexec/dovecot/imap Location of the IMAP mail executable
mail_max_userip_connections = 10 Maximum number of IMAP connections allowed for a
user from each IP address
imap_idle_notify_interval = 120 How many seconds to wait between "OK Still here"
notifications when client is IDLE
}
protocol pop3 { Block with options for the POP3 protocol
listen = *:110 Network interfaces to accept POP3 connections on
login_executable = /usr/libexec/dovecot/pop3-login Location of the POP3 login executable
mail_executable = /usr/libexec/dovecot/pop3 Location of the POP3 mail executable
pop3_no_flag_updates = no If set to no, do not try to set mail messages non-recent
or seen with POP3 sessions, to reduce disk I/O.
With Maildir format do not move files from new/ to cur/,
with mbox format do not write Status- headers
pop3_lock_session = no Whether to keep the mailbox locked for the whole POP3
session
pop3_uidl_format = %08Xu%08Xv POP3 UIDL (Unique Mail Identifier) format to use
ssl = yes SSL/TLS support.
Possible values are yes, no, required
ssl_cert_file = /etc/ssl/certs/dovecot-cert.pem Location of the SSL certificate
ssl_key_file = /etc/ssl/private/dovecot-key.pem Location of private key
ssl_key_password = b1gs3cr3t Password of private key, if it is password-protected.
Since /etc/dovecot.conf is usually world-readable, it is
better to place this setting into a root-owned 0600 file
instead and include it via the setting
!include_try /etc/dovecot/dovecot-passwd.conf .
Alternatively, Dovecot can be started with
dovecot -p b1gs3cr3t
ssl_ca_file = /etc/dovecot/cafile.pem List of trusted SSL certificate authorities; the file
contains the CA certificates followed by the CRLs
ssl_verify_client_cert = yes Request client to send a certificate
ssl_cipher_list = ALL:!LOW:!SSLv2 List of SSL ciphers to use
verbose_ssl = yes Show protocol level SSL errors

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 56/102 Dovecot authentication
Dovecot authentication

/etc/dovecot.conf Dovecot configuration file

auth_executable = /usr/libexec/dovecot/dovecot-auth Location of the authentication executable
auth_process_size = 256 Max authentication process size, in Mb
auth_username_chars = abcde ... VWXYZ01234567890.-_@ List of allowed characters in the username. If the
username entered by user contains a character not listed
in here, the login automatically fails. This is to prevent
an user exploiting any potential quote escaping
vulnerabilities with SQL/LDAP databases
auth_realms = List of realms for SASL authentication mechanisms that
need them. If empty, multiple realms are not supported
auth_default_realm = example.org Default realm/domain to use if none was specified
auth_anonymous_username = anonymous Username to assign to users logging in with ANONYMOUS
SASL mechanism
auth_verbose = no Whether to log unsuccessful authentication attempts and
the reasons why they failed
auth_debug = no Whether to enable more verbose logging (e.g. SQL
queries) for debugging purposes
auth_failure_delay = 2 Delay before replying to failed authentications, in seconds
auth default {
mechanisms = plain login cram-md5 Accepted authentication mechanisms
passdb passwd-file { Deny login to the users listed in /etc/dovecot.deny (file
args = /etc/dovecot.deny contains one user per line)
deny = yes
}
passdb pam { PAM authentication block.
args = cache_key=%u%r dovecot Enable authentication matching (username and remote IP
} address) for PAM.
passdb passwd { System users e.g. NSS or /etc/passwd
blocking = yes
args =
}
passdb shadow { Shadow passwords for system users e.g. NSS or
blocking = yes /etc/passwd
args =
}
passdb bsdauth { PAM-like authentication for OpenBSD
cache_key = %u
args =
}
passdb sql { SQL database
args = /etc/dovecot/dovecot-sql.conf
}
passdb ldap { LDAP database
args = /etc/dovecot/dovecot-ldap.conf
}
socket listen { Export the authentication interface to other programs.
master { Master socket provides access to userdb information; it is
path = /var/run/dovecot/auth-master typically used to give Dovecot's local delivery agent
mode = 0600 access to userdb so it can find mailbox locations. The
user =
default user/group is the one who started dovecot-auth
group =
} (i.e. root).
client { The client socket is generally safe to export to everyone.
path = /var/run/dovecot/auth-client Typical use is to export it to the SMTP server so it can do
mode = 0660 SMTP AUTH lookups using it
}
}
}

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 57/102 FTP
FTP

Active mode (default)

1. Client connects to FTP server on port 21 (control channel) and sends second unprivileged port number
2. Server acknowledges
3. Server connects from port 20 (data channel) to client's second unprivileged port number
4. Client acknowledges

Passive mode (more protocol-compliant, because it is the client that initiates the connection)
1. Client connects to FTP server on port 21 and requests passive mode via the PASV command
2. Server acknowledges and sends unprivileged port number via the PORT command
3. Client connects to server's unprivileged port number
4. Server acknowledges

Very Secure FTP is a hardened and high-performance FTP implementation.

The vsftpd daemon operates with multiple processes that run as a non-privileged user in a chrooted jail.
vsftpd.conf
listen=NO Run vsftpd in standalone mode (i.e. not via inetd)?
local_enable=YES Allow local system users (i.e. in /etc/passwd) to log in?
chroot_local_user=YES Chroot local users in their home directory?
write_enable=YES Allow FTP commands that write on the filesystem (i.e. STOR,
DELE, RNFR, RNTO, MKD, RMD, APPE and SITE)?
anonymous_enable=YES Allow anonymous logins? If yes, anonymous and ftp are
accepted as logins
anon_root=/var/ftp/pub After anonymous login, go to directory /var/ftp/pub
anon_upload_enable=YES Allow anonymous uploads?
chown_uploads=YES Change ownership of anonymously uploaded files?
chown_username=ftp Change ownership of anonymously uploaded files to user ftp
anon_world_readable_only=NO Allow anonymous users to only download files which are
world readable?
ssl_enable=YES Enable SSL?
force_local_data_ssl=NO Encrypt local data?
force_local_logins_ssl=YES Force encrypted authentication?
allow_anon_ssl=YES Allow anonymous users to use SSL?
ssl_tlsv1=YES Versions of SSL/TLS to allow
ssl_tlsv2=NO
ssl_tlsv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem Location of certificate file
rsa_private_key_file=/etc/pki/tls/certs/vsftpd.pem Location of private key file

Pure-FTP is a free, easy-to-use FTP server.

pure-ftpd Pure-FTP daemon
pure-ftpwho Show clients connected to the Pure-FTP server
pure-mrtginfo Show connections to the Pure-FTP server as a MRTG graph
pure-statsdecode Show Pure-FTP log data
pure-pw Manage Pure-FTP virtual accounts
pure-pwconvert Convert the system user database to a Pure-FTP virtual accounts database
pure-quotacheck Manage Pure-FTP quota database
pure-uploadscript Run a command on the Pure-FTP server to process an uploaded file

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 58/102
cupsd
/etc/cups/cupsd.conf
/etc/cups/printers.conf
/etc/printcap
/var/spool/cups/
/var/log/cups/error_log
/var/log/cups/page_log
/etc/init.d/cupsys start
gnome-cups-manager
cupsenable printer0
cupsdisable printer0
cupsaccept printer0
cupsreject -r "Rejected" printer0
cupstestppd LEXC510.ppd
cupsaddsmb printer0
cups-config --cflags
cups-config --datadir
cups-config --ldflags
cups-config --libs
cups-config --serverbin
cups-config --serverroot
lpstat
lpadmin
lpadmin -p printer0 -P LEXC750.ppd
lp -d printer0 file
lpq
lpq -P printer0
lpq jdoe
lprm -P printer0 5
lprm -P printer0 jdoe
lprm -P printer0 -
lpc
a2ps file.txt
ps2pdf file.ps
mpage file.ps
gv file.ps
Linux & LPIC Quick Reference Guide
CUPS
CUPS
CUPS (Common Unix Printing System) daemon.
Administration of printers is done via web interface on http://localhost:631
CUPS configuration file
Database of available local CUPS printers
Database of printer capabilities, for old printing applications
Printer spooler for data awaiting to be printed
CUPS error log
Information about printed pages
Start the CUPS service
Run the CUPS Manager graphical application
Enable a CUPS printer
Disable a CUPS printer
Accept a job sent on a printer queue
Reject a job sent on a printer queue, with an informational message
Test the conformance of a PPD file to the format specification
Export a printer to SAMBA (for use with Windows clients)
Show the necessary compiler options
Show the default CUPS data directory
Show the necessary linker options
Show the necessary libraries to link to
Show the default CUPS binaries directory that stores filters and backends
Show the default CUPS configuration file directory
Show CUPS status information
Administer CUPS printers
Specify a PPD (Adobe PostScript Printer Description) file to associate to a printer
Print a file on the specified printer
View the default print queue
View a specific print queue
View the print queue of a specific user
Delete a specific job from a printer queue
Delete all jobs from a specific user from a printer queue
Delete all jobs from a printer queue
Manage print queues
Convert a text file to PostScript
Convert a file from PostScript to PDF
Print a PostScript document on multiple pages per sheet on a PostScript printer
View a PostScript document (the gv software is derived from GhostView)
2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 59/102 Network addressing
Network addressing

IPv4 IPv6
32-bit 2130:0000:0000:0000:0007:0040:15bc:235f 128-bit
divised in 4 octects divised in 8 16-bit sections
193.22.33.44 (dotted-quad) 2130:0:0:0:7:40:15bc:235f

4 billion addresses 2130::7:40:15bc:235f 3 × 1038 addresses

IPv4 classful addressing, as assigned by IANA

Address range Prefix Number of addresses Reference

Class A (Unicast) 0.0.0.0 – 127.255.255.255 /8 128 networks × RFC 791

first octet: 0XXX XXXX 16,777,216 addresses

Class B (Unicast) 128.0.0.0 – 191.255.255.255 /16 16,384 networks × RFC 791

first octet: 10XX XXXX 65,536 addresses

Class C (Unicast) 192.0.0.0 – 223.255.255.255 /24 2,097,152 networks × RFC 791

Classful
first octet: 110X XXXX 256 addresses

Class D (Multicast) 224.0.0.0 – 239.255.255.255 /4 268,435,456 RFC 3171

first octet: 1110 XXXX

Class E (Experimental) 240.0.0.0 – 255.255.255.255 /4 268,435,456 RFC 1166

first octet: 1111 XXXX

Private Class A 10.0.0.0 – 10.255.255.255 10.0.0.0/8 16,777,216 RFC 1918

Private Private Class B 172.16.0.0 – 172.31.255.255 172.16.0.0/12 1,048,576 RFC 1918

Private Class C 192.168.0.0 – 192.168.255.255 192.168.0.0/16 65,536 RFC 1918

Source 0.0.0.0 – 0.255.255.255 0.0.0.0/8 16,777,216 RFC 1700

Loopback 127.0.0.0 – 127.255.255.255 127.0.0.0/8 16,777,216 RFC 1700

Autoconf 169.254.0.0 – 169.254.255.255 169.254.0.0/16 65,536 RFC 3330

Reserved
TEST-NET 192.0.2.0 – 192.0.2.255 192.0.2.0/24 256 RFC 3330

6to4 relay anycast 192.88.99.0 – 192.88.99.255 192.88.99.0/24 256 RFC 3068

Device benchmarks 198.18.0.0 – 198.19.255.255 198.18.0.0/15 131,072 RFC 2544

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 60/102 Subnetting
Subnetting

VLSM chart - Last octet subnetting (CIDR notation)

Prefix: /24 Prefix: /25 Prefix: /26 Prefix: /27 Prefix: /28 Prefix: /29 Prefix: /30
Netmask: .0 Netmask: .128 Netmask: .192 Netmask: .224 Netmask: .240 Netmask: .248 Netmask: .252
00000000 10000000 11000000 11100000 11110000 11111000 11111100
1 subnet 2 subnets 4 subnets 8 subnets 16 subnets 32 subnets 64 subnets
254 hosts each 126 hosts each 62 hosts each 30 hosts each 14 hosts each 6 hosts each 2 hosts each
254 total hosts 252 total hosts 248 total hosts 240 total hosts 224 total hosts 192 total hosts 128 total hosts
.0
.0
.4
.0
.8
.8
.12
.0
.16
.16
.20
.16
.24
.24
.28
.0
.32
.32
.36
.32
.40
.40
.44
.32
.48
.48
.52
.48
.56
.56
.60
.0
.64
.64
.68
.64
.72
.72
.76
.64
.80
.80
.84
.80
.88
.88
.92
.64
.96
.96
.100
.96
.104
.104
.108
.96
.112
.112
.116
.112
.120
.120
.124
.0
.128
.128
.132
.128
.136
.136
.140
.128
.144
.144
.148
.144
.152
.152
.156
.128
.160
.160
.164
.160
.168
.168
.172
.160
.176
.176
.180
.176
.184
.184
.188
.128
.192
.192
.196
.192
.200
.200
.204
.192
.208
.208
.212
.208
.216
.216
.220
.192
.224
.224
.228
.224
.232
.232
.236
.224
.240
.240
.244
.240
.248
.248
.252

Each block of a column identifies a subnet, whose range of valid hosts addresses is [network address +1 — broadcast address -1] inclusive.
The network address of the subnet is the number shown inside a block.
The broadcast address of the subnet is the network address of the block underneath -1 or, for the bottom block, .255.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 61/102 Network services
Network services

Most frequently used well-known ports

Port number Service
20 TCP FTP (data)
21 TCP FTP (control)
22 TCP SSH
23 TCP Telnet
25 TCP SMTP
53 TCP/UDP DNS
67 UDP BOOTP/DHCP (server)
68 UDP BOOTP/DHCP (client)
80 TCP HTTP
110 TCP POP3
119 TCP NNTP
139 TCP/UDP Microsoft NetBIOS
143 TCP IMAP
161 UDP SNMP
443 TCP HTTPS (HTTP over SSL/TLS)
465 TCP SMTP over SSL
993 TCP IMAPS (IMAP over SSL)
995 TCP POP3S (POP3 over SSL)
1-1023: privileged ports, used server-side
1024-65535: unprivileged ports, used client-side

The full list of well-known ports is in /etc/services

Protocol stack models

ISO/OSI TCP/IP
7 Application
6 Presentation Application e.g. HTTP, SMTP, POP, SSH
5 Session
4 Transport Transport e.g. TCP, UDP
3 Network Internet e.g. IPv4, IPv6, ICMP
2 Data Link
Network Access e.g. Ethernet, Wi-Fi, PPP
1 Physical

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 62/102 Network commands
Network commands
ip addr show Display configuration of all network
ifconfig -a interfaces
ip link show eth0 Display configuration of eth0
ifconfig eth0
ip addr add dev eth0 10.1.1.1/8 Configure IP address of eth0
ifconfig eth0 10.1.1.1 netmask 255.0.0.0 broadcast 10.255.255.255
ifconfig eth0 hw ether 45:67:89:ab:cd:ef Configure MAC address of eth0
ip link set eth0 up Activate eth0
ifconfig eth0 up
ifup eth0
ip link set eth0 down Shut down eth0
ifconfig eth0 down
ifdown eth0
dhclient eth0 Request an IP address via DHCP
pump
dhcpcd eth0 (SUSE)

ip neigh Show the ARP cache table

arp -a
ip neigh show 10.1.0.6 Show the ARP cache entry for a host
arp 10.1.0.6
ip neigh add 10.1.0.7 lladdr 01:23:45:67:89:ab dev eth0 Add a new ARP entry for a host
arp -s 10.1.0.7 01:23:45:67:89:ab
ip neigh del 10.1.0.7 dev eth0 Delete a ARP entry
arp -d 10.1.0.7
ip neigh flush all Delete the ARP table for all interfaces

iwlist wlan0 scan
iwlist wlan0 freq
iwlist wlan0 rate
iwlist wlan0 txpower
iwlist wlan0 key
List all wireless devices in range, with their quality of signal and other information
Display transmission frequency settings
Display transmission speed settings
Display transmission power settings
Display encryption settings

iwgetid wlan0 option Print NWID, ESSID, AP/Cell address or other information about the wireless network
that is currently in use

iwconfig wlan0 Display configuration of wireless interface wlan0

iwconfig wlan0 option Configure wireless interface wlan0

hostname Get the hostname (stored in /etc/hostname)

hostname -f Get the FQDN (Fully Qualified Domain Name)
hostname mylinuxbox Set the hostname

/etc/init.d/networking Initialize network services

/etc/init.d/network

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 63/102 Network tools
Network tools
dig example.org Perform a DNS lookup for the specified domain or hostname.
Returns information in BIND zone file syntax; uses an internal
resolver and hence does not honor /etc/resolv.conf
dig @10.7.7.7 -t MX example.org Perform a DNS lookup for the MX record of the domain
example.org, querying nameserver 10.7.7.7
dig -x 203.0.113.1 Perform a reverse DNS lookup for the IP address 203.0.113.1
host example.org Perform a DNS lookup for the specified domain or hostname.
Does honor /etc/resolv.conf
host example.org 10.7.7.7 Perform a DNS lookup for the domain example.org, querying
nameserver 10.7.7.7
host 192.168.13.13 Perform a reverse DNS lookup for the IP address 192.168.13.13
nslookup example.org (deprecated) Perform a DNS lookup for the specified domain or hostname
whois example.org Query the WHOIS service for an Internet resource, usually a
domain name

ping 10.0.0.2 Test if a remote host can be reached and measure the round-trip
time to it (by sending an ICMP ECHO_REQUEST datagram and
expecting an ICMP ECHO_RESPONSE)
fping -a 10.0.0.2 10.0.0.7 10.0.0.8 Ping multiple hosts in parallel and report which ones are alive

traceroute 10.0.0.3 Print the route, hop by hop, packets trace to a remote host
(by sending a sequence of ICMP ECHO_REQUEST datagrams with
increasing TTL values, starting with TTL=1)
tracepath 10.0.0.3 Simpler traceroute
mtr 10.0.0.3 traceroute and ping combined

telnet 10.0.0.4 23 Establish a telnet connection to the specified host and port
(if port is omitted, use default port 23)

ftp 10.0.0.5 Establish an interactive FTP connection with host 10.0.0.5

wget –-no-clobber –-html-extension \ Download a whole website www.example.org/foobar

--page-requisites --convert-links \
--recursive --domains example.org \
--no-parent www.example.org/foobar

nc Netcat, the Swiss Army knife of networking, a very flexible generic

netcat (SUSE) TCP/IP client/server
nc -l -p 25 Listen for connections on port 25 (i.e. mimic a SMTP server).
Send any input on stdin to the connected client and dump on
stdout any data received from the client
nc 10.0.0.7 389 < myfile Push the content of a file to port 389 on remote host 10.0.0.7
echo "GET / HTTP/1.0\r\n\r\n" | nc 10.0.0.7 80 Connect to web server 10.0.0.7 and issue a HTTP GET command
while true; \ Start a web server, serving the specified HTML page to any
do nc -l -p 80 -q 1 < mypage.html; done connected client
nc -z 10.0.0.7 22 Scan for a listening SSH daemon on remote host 10.0.0.7
nc -v -n -z -w1 -r 10.0.0.7 1-1023 Run a TCP port scan against remote host 10.0.0.7.
Probe randomly all privileged ports with a 1-second timeout,
without resolving service names, and with verbose output
echo "" | nc -v -n -w1 10.0.0.7 1-1023 Retrieve the greeting banner of any network service that might be
running on remote host 10.0.0.7

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 64/102 Network monitoring
Network monitoring
netstat Display network connections
netstat –-tcp Display active TCP connections
netstat -l Display only listening sockets
netstat -a Display all listening and non-listening sockets
netstat -n Display network connections, without resolving hostnames or portnames
netstat -p Display network connections, with PID and name of program to which
each socket belongs
netstat -i Display network interfaces
netstat -s Display protocol statistics
netstat -r Display kernel routing tables (equivalent to route -e)
netstat -c Display network connections continuously

ss Display socket statistics (similar to netstat)

ss -t -a Display all TCP sockets

nmap 10.0.0.1 Scan for open ports (TCP SYN scan) on remote host 10.0.0.1
nmap -sS 10.0.0.1
nmap -sP 10.0.0.1 Do a ping sweep (ICMP ECHO probes) on remote host
nmap -sU 10.0.0.1 Scan UDP ports on remote host
nmap -sV 10.0.0.1 Do a service and version scan on open ports
nmap -p 1-65535 10.0.0.1 Scan all ports (1-65535) on remote host, not only the common ports
nmap -O 10.0.0.1 Find which operating system is running on remote host (OS fingerprinting)

tcpdump -ni eth0
tcpdump ip host 10.0.0.2 tcp port 25
tcpdump ether host '45:67:89:ab:cd:ef'
tcpdump 'src host 10.0.0.2 and \
(tcp port 80 or tcp port 443)'
tcpdump -ni eth0 not port 22
Sniff all network traffic on interface eth0, suppressing DNS resolution
Sniff network packets on TCP port 25 from and to 10.0.0.2
Sniff traffic from and to the network interface with that MAC address
Sniff HTTP and HTTPS traffic having as source host 10.0.0.2
Sniff all traffic on eth0 except that belonging to the SSH connection

tcpdump -vvnn -i eth0 arp Sniff ARP traffic on eth0, on maximum verbosity level, without converting
host IP addresses and port numbers to names
tcpdump ip host 10.0.0.2 and \ Sniff IP traffic between 10.0.0.2 and any other host except 10.0.0.9
not 10.0.0.9

lsof List all open files

lsof -u jdoe List all files currently open by user jdoe
lsof -i List open files and their sockets (equivalent to netstat -ap)
lsof -i :80 List connections of local processes on port 80
lsof [email protected] List connections of local processes to remote host 10.0.0.3
lsof [email protected]:80 List connections of local processes to remote host 10.0.0.3 on port 80
lsof -c mysqld List all files opened by the MySQL daemon
lsof /var/run/mysqld/mysqld.sock List all processes which are using a specific file

iptraf IP LAN monitor (ncurses UI)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 65/102 Network configuration
Network configuration
/sys/class/net List of all network interfaces in the system

/etc/hosts Mappings between IP addresses and hostnames, for simple name resolution

127.0.0.1 localhost localhost.localdomain

10.2.3.4 myhost

/etc/nsswitch.conf Sources that must be used by various system library lookup functions

passwd: files nisplus nis

shadow: files nisplus nis
group: files nisplus nis
hosts: files dns nisplus nis

/etc/host.conf Sources for name resolution, for systems before glibc2.

Obsolete, superseded by /etc/nsswitch.conf

order hosts,bind
multi on

/etc/resolv.conf Specification of the domain names that must be appended to bare hostnames and of the
DNS servers that will be used for name resolution

search domain1.org domain2.org

nameserver 192.168.3.3
nameserver 192.168.4.4

/etc/networks Mappings between network addresses and names

loopback 127.0.0.0
mylan 10.2.3.0

/etc/services List of service TCP/UDP port numbers

/etc/protocols List of available protocols
/etc/ethers ARP mappings (MAC to IP addresses)
/etc/inetd.conf Configuration file for inetd, the super-server Internet daemon

/etc/hostname Hostname of the local machine

/etc/network/interfaces List and configuration of all network interfaces

/etc/sysconfig/network-scripts/ifcfg-eth0 (RedHat) Configuration file for network interface eth0.

This file is read by the ifup and ifdown scripts

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.2.3.4
USERCTL=no

/etc/sysconfig/network-scripts/ifcfg-eth0:0 (RedHat) Configuration files for different interface aliases.

/etc/sysconfig/network-scripts/ifcfg-eth0:1 This makes possible to bind multiple IP addresses to a
/etc/sysconfig/network-scripts/ifcfg-eth0:2 single NIC

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 66/102 TCP Wrapper
TCP Wrapper
/etc/hosts.allow Host access control files used by the TCP Wrapper system.
/etc/hosts.deny
Each file contains zero or more daemon:client lines. The first matching line is considered.

Access is granted when a daemon:client pair matches an entry in /etc/hosts.allow .

Otherwise, access is denied when a daemon:client pair matches an entry in /etc/hosts.deny .
Otherwise, access is granted.

/etc/hosts.allow and /etc/hosts.deny lines syntax

ALL: ALL All services to all hosts
ALL: .example.edu All services to all hosts of the example.edu domain
ALL: .example.edu EXCEPT host1.example.edu All services to all hosts of example.edu, except host1
in.fingerd: .example.com Finger service to all hosts of example.com
in.tftpd: LOCAL TFTP to hosts of the local domain only
sshd: 10.0.0.3 10.0.0.4 10.1.1.0/24 SSH to the hosts and network specified
sshd: 10.0.1.0/24
sshd: 10.0.1. SSH to 10.0.1.0/24 (all commands are equivalent)
sshd: 10.0.1.0/255.255.255.0
in.tftpd: ALL: spawn (/safe_dir/safe_finger \ Send a finger probe to hosts attempting TFTP and
-l @%h | /bin/mail -s %d-%h root) & notify root user via email
portmap: ALL: (echo Illegal RPC request \ When a client attempts a RPC request via the
from %h | /bin/mail root) & portmapper (NFS access), echo a message to the
terminal and notify root user via email

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 67/102 Routing
Routing
ip route Display IP routing table Gateway: Flags:
route -en host gateway name U route is up
route -F * no gateway G use gateway
netstat -rn
- rejected route H target is host
! rejected route
D dynamically installed by daemon
M modified from routing daemon
R reinstate route for dynamic routing

ip route show cache Display kernel routing cache

route -C

ip route add default via 10.1.1.254 Add a default gateway

route add default gw 10.1.1.254
ip route add 10.2.0.1 dev eth0 Add a route for a host
ip route add 10.2.0.1 via 10.2.0.254
route add -host 10.2.0.1 gw 10.2.0.254
ip route add 10.2.0.0/16 via 10.2.0.254 Add a route for a network
route add -net 10.2.0.0 netmask 255.255.0.0 gw 10.2.0.254
ip route delete 10.2.0.1 dev eth0 Delete a route for a host
route del -host 10.2.0.1 gw 10.2.0.254
ip route flush all Delete the routing table for all interfaces

/etc/sysconfig/network-scripts/route-eth0 (RedHat) Static route configuration for eth0

ADDRESS=10.2.0.0
NETMASK=255.255.0.0
GATEWAY=10.2.0.254

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 68/102 iptables
iptables

The Netfilter framework provides firewalling capabilities in Linux. It is implemented by iptables (which replaced ipchains,
which itself replaced ipfwadm). The IPv6 equivalent of iptables is ip6tables.

Tables contain sets of chains, which contain sets of rules.

The filter table contains chains INPUT, FORWARD, OUTPUT (built-in chains).
The NAT table contains chains PREROUTING, OUTPUT, POSTROUTING.
The mangle table contains chains PREROUTING, OUTPUT.

When a packet enters the system, it is handed to the INPUT chain. If the destination is local, it is processed; if the
destination is not local and IP forwarding is enabled, the packet is handed to the FORWARD chain, otherwise it is dropped.
An outgoing packet generated by the system will go through the OUTPUT chain.
If NAT is in use, an incoming packet will pass at first through the PREROUTING chain, and an outgoing packet will pass last
through the POSTROUTING chain.

iptables -A INPUT -s 10.0.0.6 -j ACCEPT
iptables -A INPUT -s 10.0.0.7 -j REJECT
iptables -A INPUT -s 10.0.0.8 -j DROP
iptables -A INPUT -s 10.0.0.9 -j LOG
iptables -D INPUT -s 10.0.0.9 -j LOG
iptables -D INPUT 42
iptables -F INPUT
iptables -t mangle -F
iptables -t mangle -X
iptables -L INPUT
iptables -P INPUT -j DROP
iptables -A OUTPUT -d 10.7.7.0/24 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j LOG
iptables -A INPUT -p 17 -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT --sport 1024:65535 --dport 53 \
-j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 1/s -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED \
-j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j ACCEPT
Add a rule to accept all packets from 10.0.0.6
Add a rule to reject all packets from 10.0.0.7 and send
back a ICMP response to the sender
Add a rule to silently drop all packets from 10.0.0.8
Add a rule to log via Syslog all packets from 10.0.0.9, and
take no further action
Delete a rule
Delete rule 42 of the INPUT chain
Flush all rules of the INPUT chain
Flush all rules of the mangle table
Delete all user-defined (not built-in) rules in the mangle
table
List the rules of the INPUT chain
Define the chain policy, which takes effect when no rule
matches and the end of the rules list is reached
Add a rule to drop all packets with destination 10.7.7.0/24
Add a rule to log all packets entering the system via eth0
and exiting via eth1
Add a rule to drop all incoming UDP traffic (protocol
numbers are defined in /etc/protocols)
Add a rule to accept all packets coming from any
unprivileged port and with destination port 53
Add a rule to accept incoming pings through eth0 at a
maximum rate of 1 ping/second
Load the module for stateful packet filtering, and add a
rule to accept all packets that are part of a
communication already tracked by the state module
Add a rule to accept all packets that are not part of a
communication already tracked by the state module
Add a rule to accept all packets that are related (e.g.
ICMP responses to TCP or UDP traffic) to a communication
already tracked by the state module
Add a rule to accept all packets that do not match any of
the states above

iptables-save > fwrules.saved Save iptables configuration to a file

iptables-restore < fwrules.saved Restore a iptables configuration from a file
sysctl -w net.ipv4.ip_forward=1 Enable IP forwarding; necessary to set up a Linux machine as a router.
echo 1 > /proc/sys/net/ipv4/ip_forward (This command causes other network options to be changed as well)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 69/102 NAT routing
NAT routing

LAN Linux box

eth0 NAT router eth1 Internet
10.0.0.0/24
10.0.0.1 93.184.216.119

SNAT (Source Network Address Translation)

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 \
-j SNAT --to-source 93.184.216.119
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 \
-j SNAT --to-source 93.184.216.119:93.184.216.127
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Map all traffic leaving the LAN to the external IP
address 93.184.216.119
Map all traffic leaving the LAN to a pool of external
IP addresses 93.184.216.119-127
Map all traffic leaving the LAN to the address
dynamically assigned to eth1 via DHCP

DNAT (Destination Network Address Translation)

iptables -t nat -A PREROUTING -i eth1 -d 93.184.216.119 \ Allow the internal host 10.0.0.13 to be publicly
-j DNAT --to-destination 10.0.0.13 reachable via the external address 93.184.216.119

PAT (Port Address Translation)

iptables -t nat -A PREROUTING -i eth1 -d 93.184.216.119 \ Make publicly accessible a webserver that is
-p tcp --dport 80 -j DNAT --to-destination 10.0.0.13:8080 located in the LAN, by mapping port 8080 of the
internal host 10.0.0.13 to port 80 of the external
address 93.184.216.119

iptables -t nat -A PREROUTING -i eth0 -d ! 10.0.0.0/24 \ Redirect all outbound HTTP traffic originating from
-p tcp --dport 80 -j REDIRECT --to-ports 3128 the LAN to a proxy running on port 3128 on the
Linux box

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 70/102
ssh root@remotehost
ssh -p 2222 root@remotehost
ssh root@remotehost /root/myscript.sh
sftp [email protected]
scp myfile [email protected]:/tmp/myfile2
scp [email protected]:/tmp/myfile2 myfile
scp jdoe@host1:/tmp/myfile root@host2:/root/myfile2
SSH
SSH
Connect to a remote host via SSH (Secure Shell) and login
as the superuser
Login as the superuser to a remote host via SSH using
port 2222 instead of standard port 22
Execute a command on a remote host
FTP-like tool for secure file transfer
Non-interactive secure file copy.
Able of transferring files from local to remote, from remote
to local, or between two remote systems

ssh-keygen -t rsa -b 2048 Generate interactively a 2048-bit RSA key pair, prompting
for a passphrase
ssh-keygen -t dsa Generate a DSA key pair
ssh-keygen -p -t rsa Change passphrase of the private key
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_key \ Generate a RSA key with no passphrase (to be used by a
-N '' -C '' server host, not a user) and no comment
ssh-keygen -l -f /etc/ssh/ssh_host_key View fingerprint of a public key

ssh-agent Start the SSH Agent daemon that caches decrypted

private keys in memory; also echoes to the terminal the
environment variables that must be set. The cached keys
are automatically used by SSH tools ssh, sftp and scp
eval `ssh-agent` Show the PID of ssh-agent and set appropriate
environment variables
ssh-add ~/.ssh/id_rsa Add a private key to the ssh-agent cache

ssh -L 2525:mail.foo.com:25 [email protected] SSH port forwarding (aka SSH tunneling)

Establish a SSH encrypted tunnel from localhost to remote
host mail.foo.com, redirecting traffic from local port 2525
to port 25 of remote host mail.foo.com.
Useful if the local firewall blocks outgoing port 25. In this
case, port 2525 is used to go out; the application must be
configured to connect to localhost on port 2525 (instead of
mail.foo.com on port 25)
ssh -L 2525:mail.foo.com:25 [email protected] Establish a SSH encrypted tunnel from localhost to remote
host login.foo.com.
Remote host login.foo.com will then forward, unencrypted,
all data received over the tunnel on port 2525 to remote
host mail.foo.com on port 25
ssh -R 2222:localhost:22 [email protected] SSH reverse forwarding (aka SSH reverse tunneling)
Establish a SSH encrypted reverse tunnel from remote
host login.foo.com back to localhost, redirecting traffic
sent to port 2222 of remote host login.foo.com back
towards local port 22.
Useful if the local firewall blocks incoming connections so
remote hosts cannot connect back to local machine. In
this case, port 2222 of login.foo.com is opened for
listening and connecting back to localhost on port 22;
remote host login.foo.com is then able to connect to the
local machine on port 2222 (redirected to local port 22)
ssh -D 33333 [email protected] SSH as a SOCKS proxy
The application supporting SOCKS must be configured to
connect to localhost on port 33333. Data is tunneled from
localhost to login.foo.com, then unencrypted to destination
ssh -X [email protected] X11 Forwarding
Enable the local display to execute locally a X application
stored on a remote host login.foo.com

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 71/102 SSH configuration
SSH configuration

SSH files
/etc/ssh/sshd_config SSH server daemon configuration file
/etc/ssh/ssh_config SSH client global configuration file
/etc/ssh/ssh_host_key Host's private key (should be mode 0600)
/etc/ssh/ssh_host_key.pub Host's public key
/etc/ssh/shosts.equiv Names of trusted hosts for host-based authentication
/etc/ssh/ssh_known_hosts Database of host public keys that were previously accepted as legitimate
~/.ssh/ User's SSH directory (must be mode 0700)
~/.ssh/config SSH client user configuration file
~/.ssh/id_rsa User's RSA or DSA private key, as generated by ssh-keygen
~/.ssh/id_dsa
~/.ssh/id_rsa.pub User's RSA or DSA public key, as generated by ssh-keygen
~/.ssh/id_dsa.pub
~/.ssh/known_hosts Host public keys that were previously accepted as legitimate by the user
~/.ssh/authorized_keys Trusted public keys; the corresponding private keys allow the user to
~/.ssh/authorized_keys2 (obsolete) authenticate on this host

PermitRootLogin yes
AllowUsers jdoe ksmith
DenyUsers jhacker
/etc/ssh/sshd_config
Control superuser login via SSH. Possible values are:
yes Superuser can login
no Superuser cannot login
without-password Superuser cannot login with password
forced-commands-only Superuser can only run commands in SSH command line
List of users that can/cannot login via SSH, or * for everybody

AllowGroups geeks
DenyGroups * List of groups whose members can/cannot login via SSH, or * for all groups

PasswordAuthentication yes Permit authentication via login and password

PubKeyAuthentication yes Permit authentication via public key
HostbasedAuthentication yes Permit authentication based on trusted hosts
Protocol 1,2 Specify protocols supported by SSH. Value can be 1 or 2 or both
X11Forwarding yes Allow X11 Forwarding

How to enable public key authentication

1. Set PubkeyAuthentication yes in /etc/ssh/sshd_config of remote server
2. Append your public key ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the remote server
How to enable host-based authentication amongst a group of trusted hosts
1. Set HostbasedAuthentication yes in /etc/ssh/sshd_config on all hosts
2. Create /etc/ssh/shosts.equiv on all hosts, and enter there all hostnames
3. Connect via SSH manually from your machine on each host so that all hosts' public keys go into ~/.ssh/known_hosts
4. Copy ~/.ssh/known_hosts from your machine to /etc/ssh/ssh_known_hosts on all hosts
How to enable SSH Agent
1. Type eval `ssh-agent`
2. Type ssh-add to add the private key to cache, and enter the key's passphrase
How to enable X11 Forwarding
1. On remote host 10.2.2.2, set X11Forwarding yes in /etc/ssh/sshd_config, and make sure that xauth is installed
2. On local host 10.1.1.1, type ssh -X 10.2.2.2, then run on remote host the graphical application e.g. xclock &
How to enable X11 Forwarding via telnet (insecure and obsolete)
1. On remote host 10.2.2.2, type export DISPLAY=10.1.1.1:0.0
2. On local host 10.1.1.1, type xhost +
3. On local host 10.1.1.1, type telnet 10.2.2.2, then run on remote host the graphical application e.g. xclock &

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 72/102 GnuPG
GnuPG
gpg --gen-key Generate a key pair
gpg --import alice.asc Import Alice's public key into your keyring
gpg --list-keys List the keys contained into your keyring
gpg --list-secret-keys List your private keys contained into your keyring
gpg --list-public-keys List the public keys contained into your keyring
gpg --export -o keyring_backup.gpg Export your whole keyring to a file
gpg --export-secret-key -a "You" -o private.key Export your private key (username You) to a file
gpg --export-public-key -a "Alice" -o alice.pub Export Alice's public key to a file
gpg --edit-key "Alice" Sign Alice's public key
gpg -e -u "You" -r "Alice" file.txt Encrypt a file (to Alice i.e. with Alice's public key),
signing it with your private key
gpg -d file.txt.gpg Decrypt a file (with your own public key)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 73/102 OpenVPN
OpenVPN
openvpn --genkey --secret keyfile Generate a shared secret keyfile for OpenVPN authentication.
The keyfile must be copied on both server and client

openvpn server.conf Start the VPN on the server side. The encrypted VPN tunnel uses UDP port 1194
openvpn client.conf Start the VPN on the client side

/etc/openvpn/server.conf Server-side configuration file:

dev tun
ifconfig [server IP] [client IP]
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret keyfile

/etc/openvpn/client.conf Client-side configuration file:

remote [server public IP]

dev tun
ifconfig [client IP] [server IP]
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret keyfile

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 74/102 Key bindings
Key bindings
Key Alternate key Function

CTRL F RIGHT ARROW Move cursor forward one char

CTRL B LEFT ARROW Move cursor backward one char
CTRL A HOME Move cursor to beginning of line
CTRL E END Move cursor to end of line

CTRL H BACKSPACE Delete char to the left of cursor

CTRL W Delete word to the left of cursor
CTRL U Delete all chars to the left of cursor
CTRL K Delete all chars to the right of cursor
CTRL T Swap current char with previous char
ESC T Swap current word with previous word

SHIFT PAGE UP Scroll up the buffer

SHIFT PAGE DOWN Scroll down the buffer
CTRL L Clear screen (same as clear)

CTRL P UP ARROW Previous command in history

CTRL N DOWN ARROW Next command in history
CTRL R Reverse history search
TAB Autocomplete file and directory names

CTRL J RETURN Line feed

CTRL M Carriage return

CTRL S Pause trasfer to terminal

CTRL Q Resume transfer to terminal
CTRL Z Send a SIGTSTP to put the current job in background
CTRL C Send a SIGINT to stop the current process
CTRL D Send a EOF to current process (same as logout)

CTRL ALT DEL Send a SIGINT to reboot the machine (same as shutdown -r now)*

CTRL ALT F1 ... F6 Switch between text consoles

CTRL ALT F7 ... F11 Switch between X Window consoles
CTRL ALT + Increase X Window screen resolution
CTRL ALT - Decrease X Window screen resolution
CTRL TAB Change between X Window tasks
CTRL ALT BACKSPACE Reboot the X Window server

*
as specified in /etc/inittab and /etc/init/control-alt-delete

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 75/102 udev
udev
The Hardware Abstraction Layer (HAL) manages device files and provides plug-and-play facilities. The HAL daemon hald
maintains a persistent database of devices.
udev dynamically generates the device nodes in /dev/ for devices present on the system. udev also provides persistent
naming for storage devices in /dev/disk .
When a device is added, removed, or changes state, the kernel sends an uevent received by the udevd daemon which will
pass the uevent through a set of rules stored in /etc/udev/rules.d/*.rules and /lib/udev/rules.d/*.rules .

udevadm monitor Show all kernel uevents and udev messages

udevmonitor
udevadm info --attribute-walk --name=/dev/sda Print all attributes of device /dev/sda in udev rules key format
cat /sys/block/sda/size Print the size attribute of disk sda in 512-byte blocks.
This information is retrieved from sysfs
udevadm test /dev/sdb Simulate a udev event run for the device and print debug output
gnome-device-manager Browser for the HAL device manager

/etc/udev/rules.d/*.rules and /lib/udev/rules.d/*.rules udev rules

KERNEL=="hda", NAME="mydisk" Match a device which was named by the
kernel as hda; name the device node as
mydisk. The device node will be therefore
/dev/mydisk

KERNEL=="hdb", DRIVER=="ide-disk", SYMLINK+="mydisk myhd"
Match a device with kernel name and driver
as specified; name the device node with the
default name and create two symbolic links
/dev/mydisk and /dev/myhd pointing to
/dev/hdb

KERNEL=="fd[0-9]*", NAME="floppy/%n", SYMLINK+="%k" Match all floppy disk drives (i.e. fdn); place
device node in /dev/floppy/n and create a
symlink /dev/fdn to it

SUBSYSTEM=="block", ATTR{size}=="41943040", SYMLINK+="mydisk" Match a block device with a size attribute of

41943040; create a symlink /dev/mydisk

KERNEL=="fd[0-9]*", OWNER="jdoe" Match all floppy disk drives; give ownership

of the device file to user jdoe

KERNEL=="sda", PROGRAM="/bin/mydevicenamer %k", SYMLINK+="%c" Match a device named by the kernel as sda;
to name the device, use the defined
program which takes on stdin the kernel
name and output on stdout e.g. name1
name2. Create symlinks /dev/name1 and
/dev/name2 pointing to /dev/sda

KERNEL=="sda", ACTION=="add", RUN+="/bin/myprogram" Match a device named by the kernel as sda;

run the defined program when the device is
connected

KERNEL=="sda", ACTION=="remove", RUN+="/bin/myprogram" Match a device named by the kernel as sda;

run the defined program when the device is
disconnected
%n = kernel number (e.g. = 3 for fd3)
%k = kernel name (e.g. = fd3 for fd3)
%c = device name as output from program

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 76/102 Kernel
Kernel
A kernel version number has the form major.minor.patchlevel.
Kernel images are usually gzip-compressed and can be of two types: zImage (max 520 Kb) and bzImage (no size limit).
Kernel modules can be loaded dynamically into the kernel to provide additional functionalities on demand, instead of being
included when the kernel is compiled; this reduces memory footprint.
kerneld (daemon) and kmod (kernel thread) facilitate the dynamic loading of kernel modules.

/lib/modules/X.Y.Z/*.ko Kernel modules for kernel version X.Y.Z

/lib/modules/X.Y.Z/modules.dep
/etc/modules.conf
/etc/conf.modules (deprecated)
Modules dependencies.
This file needs to be recreated (via the command depmod -a) after a
reboot or a change in module dependencies
Modules configuration file

/usr/src/linux/ Contains the kernel source code to be compiled

/usr/src/linux/.config Kernel configuration file

freeramdisk Free the memory used for the initrd image. This command must be
run directly after unmounting /initrd
mkinitrd [initrd image] [kernel version] Create a initrd image file (Red Hat)
mkinitramfs Create a initrd image file according to the configuration file
/etc/initramfs-tools/initramfs.conf (Debian)
dracut Create initial ramdisk images for preloading modules

dbus-monitor Monitor messages going through a D-Bus message bus

dbus-monitor --session Monitor session messages (default)
dbus-monitor --system Monitor system messages

The runtime loader ld.so loads the required shared libraries of the program into RAM, searching in this order:
1. LD_LIBRARY_PATH Environment variable specifying the list of dirs where libraries should be searched for first
2. /etc/ld.so.cache Cache file
3. /lib and /usr/lib Default locations for shared libraries

/etc/ld.so.conf Configuration file used to specify other shared library locations

(other than the default ones /lib and /usr/lib)

ldconfig Create a cache file /etc/ld.so.cache of all available dynamically

linked libraries.
To be run when the system complains about missing libraries

ldd [program or lib] Print library dependencies

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 77/102 Kernel management
Kernel management
lsdev List information about the system's hardware

lspci List PCI devices

lspci -d 8086: List all Intel hardware present. PCI IDs are stored in /usr/share/misc/pci.ids (Debian)
or /usr/share/hwdata/pci.ids (Red Hat)

lsusb List USB devices

lsusb -d 8086: List all Intel USB devices present. USB IDs are stored in /var/lib/usbutils/usb.ids

dmesg Print the logs of the kernel ring buffer

dmesg -n 1 Set the logging level to 1 (= only panic messages)

uname -s Print the kernel name

uname -n Print the network node hostname
uname -r Print the kernel release number X.Y.Z
uname -v Print the kernel version number
uname -m Print the machine hardware name
uname -p Print the processor type
uname -i Print the hardware platform
uname -o Print the operating system
uname -a Print all the above information, in that order

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 78/102 Kernel compile and patching
Kernel compile and patching

Kernel compile
Download kernel source code linux-X.Y.Z.tar.bz2 from http://www.kernel.org
Download
to the base of the kernel source tree /usr/src/linux
make clean Delete most generated files
Clean make mrproper Delete all generated files and kernel configuration
make distclean Delete temporary files, patch leftover files, and similar
make config Terminal-based (options must be set in sequence)
make menuconfig ncurses UI
make xconfig
make gconfig GUI

make oldconfig Create a new config file, based on the options in the old config
file and in the source code
Configure
Components (e.g. device drivers) can be either:
- not compiled
- compiled into the kernel binary, for support of devices always used on the system or necessary
for the system to boot
- compiled as a kernel module, for optional devices

The configuration command creates a /usr/src/linux/.config config file containing

instructions for the compile
make bzImage Compile the kernel
make modules Compile the kernel modules
Build
make all Compile kernel and kernel modules
make -j2 all will speed up compilation by allocating 2 simultaneous compile jobs
Install the previously built modules present in
Modules install make modules_install
/lib/modules/X.Y.Z
make install Install the kernel automatically
To install the kernel by hand:

Copy the new compiled kernel and other files into the boot partition
Kernel install cp /usr/src/linux/arch/boot/bzImage /boot/vmlinuz-X.Y.Z (kernel)
cp /usr/src/linux/arch/boot/System.map-X.Y.Z /boot
cp /usr/src/linux/arch/boot/config-X.Y.Z /boot (config options used for this compile)

Create an entry in GRUB to boot on the new kernel

Optionally, the kernel can be packaged for install on other machines
make rpm-pkg Build source and binary RPM packages
Package
make binrpm-pkg Build binary RPM package
make deb-pkg Builds binary DEB package

Kernel patching
Download Download and decompress the patch to /usr/src
patch -p1 < file.patch Apply the patch
Patch To remove a patch, you can either apply the patch again or
patch -Rp1 < file.patch
use this command (reverse patch)
Build Build the patched kernel as explained previously
Install Install the patched kernel as explained previously

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 79/102 Kernel modules
Kernel modules
Kernel modules allow the kernel to access functions (symbols) for kernel services e.g. hardware drivers, network stack, or
filesystem abstraction.

lsmod List the modules that are currently loaded into the kernel
insmod module Insert a module into the kernel. If the module requires another module or if it
does not detect compatible hardware, insertion will fail
rmmod module Remove a module from the kernel. If the module is in use by another module, it
is necessary to remove the latter first
modinfo module Display the list of parameters accepted by the module
depmod -a Probe all modules in the kernel modules directory and generate the file that lists
their dependencies

It is recommended to use modprobe instead of insmod/rmmod, because it automatically handles prerequisites when inserting
modules, is more specific about errors, and accepts just the module name instead of requiring the full pathname.
modprobe module option=value Insert a module into the running kernel, with the specified parameters.
Prerequisite modules will be inserted automatically
modprobe -a Insert all modules
modprobe -t directory Attempt to load all modules contained in the directory until a module succeeds.
This action probes the hardware by successive module-insertion attempts for a
single type of hardware, e.g. a network adapter
modprobe -r module Remove a module
modprobe -c module Display module configuration
modprobe -l List loaded modules

Configuration of device drivers

Device drivers support the kernel with instructions on how to use that device.
Device driver compiled Configure the device driver by passing a kernel parameter in the GRUB menu:
into the kernel kernel /vmlinuz ro root=/dev/vg0/root vga=0x33c

Edit module configuration in /etc/modprobe.conf or /etc/modprobe.d/ (Red Hat):

Device driver provided
alias eth0 3c59x Specify that eth0 uses the 3c59x.ko driver module
as a kernel module
options 3c509 irq=10,11 Assign IRQ 10 and 11 to 3c509 devices

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 80/102 /proc filesystem
/proc filesystem

/proc pseudo filesystem

File Information stored Equivalent command to cat
/proc/n/ Information about process with PID n ps n
/proc/n/cmdline Command line the process was launched by
/proc/n/environ Values of environment variables of process
/proc/n/status Status of process
/proc/n/root Symlink to process' filesystem root
/proc/n/exe Symlink to process' executable
/proc/n/cwd Symlink to process' working directory
/proc/sys/ sysfs: exposes tunable kernel parameters
/proc/sys/kernel/ Kernel information and parameters
/proc/sys/net/ Network information and parameters
/proc/uptime Time elapsed since boot uptime
/proc/filesystems Filesystems supported by the system
/proc/partitions Drive partition information
/proc/mdstat Information about RAID arrays and devices
/proc/swaps Size of total and used swap areas swapon -s
/proc/mounts Mounted partitions mount
/proc/devices Drivers currently loaded
/proc/modules Kernel modules currently loaded lsmod
/proc/bus Buses (e.g. PCI, USB, PC Card)
/proc/ioports I/O addresses in use
/proc/dma DMA channels in use
/proc/interrupts Current interrupts
/proc/cpuinfo CPUs information
/proc/meminfo Total and free memory free
/proc/version Linux version uname -a

/proc/sys is the only writable branch of /proc and can be used to tune kernel parameters on-the-fly.
All changes will be lost after system shutdown.

sysctl fs.file-max
cat /proc/sys/fs/file-max Get the maximum allowed number of open files

sysctl -w "fs.file-max=100000"
echo "100000" > /proc/sys/fs/file-max Set the maximum allowed number of open files to 100000

sysctl -a List all available kernel tuning options

sysctl -p Apply all tuning settings listed in /etc/sysctl.conf .
This command is usually run at boot by the system initialization script
and therefore allows permanent changes to the kernel

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 81/102 System recovery
System recovery
If the kernel has been booted in emergency mode and init has not been run, some initial configuration is necessary e.g.

mount /proc
mount -o remount,rw /
mount -a

If mounting filesystems fails:

mknod /dev/sda
mknod /dev/sda1
fdisk -l /dev/sda
fsck -y /dev/sda1
mount -t ext3 /dev/sda1 /mnt/sysimage
chroot /mnt/sysimage

To install a package using an alternative root directory (useful if the system has been booted from a removable media):

rpm -U --root /mnt/sysimage package.rpm

To install GRUB on the specified directory (which must contain /boot/grub/):

grub-install –-root-directory=/mnt/sysimage /dev/sda

An alternative metod is to chroot /mnt/sysimage before installing GRUB via grub-install /dev/sda .

Run sync and unmount filesystems before exiting the shell, to ensure that all changes have been written on disk.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 82/102 DNS
DNS

DNS implementations
BIND Berkeley Internet Name Domain system, is the standard DNS server for UNIX
dnsmasq Lightweight DNS, DHCP and TFTP server for a small network
djbdns Security-hardened DNS server that also includes DNS debugging tools
PowerDNS Alternative open-source DNS server

named BIND Name Daemon

ndc Name Daemon Controller for BIND 8
rndc Remote Name Daemon Controller for BIND 9, uses a shared key to communicate securely with named

dnswalk example.org. DNS debugger

rndc reconfig Reload BIND configuration and new zones

rndc reload example.org Reload the zone example.org
rndc freeze example.org Suspend updates for the zone example.org
rndc thaw example.org Resume updates for the zone example.org
rndc tsig-list List all currently active TSIG keys

DNSSEC was designed to secure the DNS tree and hence prevent cache poisoning.
The TSIG (Transaction SIGnature) standard, that authenticates communications between two trusted systems, is used to
sign zone transfers and DDNS (Dynamic DNS) updates.

dnssec-keygen -a dsa -b 1024 \
-n HOST dns1.example.org
Generate a TSIG key with DNSSEC algorithm nnn and key fingerprint fffff.
This will create two key files
Kdns1.example.org.+nnn+fffff.key
Kdns1.example.org.+nnn+fffff.private
which contain a key number that has to be inserted both in /etc/named.conf and
/etc/rndc.conf

rndc-confgen -a Generate a /etc/rndc.key key file:

key "rndc-key" {
algorithm hmac-md5;
secret "vyZqL3tPHsqnA57e4LT0Ek==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};

This file is automatically read both by named and rndc

dnssec-signzone example.org Sign the zone example.org

named -u named -g named Run BIND as user/group named (both must be created if needed) instead of root
named -t /var/cache/bind Run BIND in a chroot jail /var/cache/bind
(actually is the chroot command that starts the named server)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 83/102 DNS configuration
DNS configuration

/etc/named.conf DNS server configuration file

controls {
inet 127.0.0.1 allow {localhost;} keys {rndckey;};
};
key "rndc-key" { // TSIG key
algorithm dsa;
secret "HYZur46fftdUQ43BJKI093t4t78lkp";
};

acl "mynetwork" {10.7.0.0/24;}; // Alias definition

// Built-in ACLs: any, none, localhost, localnets

options {
directory "/var/named";
version "0.0";
listen-on port 53 {10.7.0.1; 127.0.0.1;};
blackhole {172.17.17.0/24;};
allow-query {mynetwork;};
allow-query-on {any;};
allow-query-cache {any;};
allow-recursion {mynetwork;};
allow-recursion-on {mynetwork;};
allow-transfer {10.7.0.254;};
allow-update {any;};
recursive-clients 1000;
dnssec-enable yes;
dialup no;
forward first;
forwarders {10.7.0.252; 10.7.0.253;};
};
// Working directory
// Hide version number by replacing it with 0.0
// Port and own IP addresses to listen on
// IPs whose packets are to be ignored
// IPs allowed to do iterative queries
// Local IPs that can accept iterative queries
// IPs that can get an answer from cache
// IPs to accept recursive queries from (typically
// own network's IPs). The DNS server does the full
// resolution process on behalf of these client IPs,
// and returns a referral for the other IPs
// Local IPs that can accept recursive queries
// Zone transfer is restricted to these IPs (slaves);
// on slave servers, this option should be disabled
// IPs to accept DDNS updates from
// Max number of simultaneous recursive lookups
// Enable DNSSEC
// Not a dialup connection: external zone maintenance
// (e.g. sending heartbeat packets, external zone transfers)
// is then permitted
// Site-wide cache: bypass the normal resolution
// method by querying first these central DNS
// servers if they are available

// Define the root name servers

zone "." {
type hint;
file "root.cache";
}

// Configure system to act as a master server for the example.org domain

zone "example.org" IN {
type master;
file "master/example.org.zone"; // Zone file for the example.org domain
};
zone "240.123.224.in-addr.arpa" IN { // Configure reverse lookup zone (for 224.123.240.0/24)
type master;
file "slave/example.org.revzone";
};

// Configure system to act as a slave server for the example2.org domain

zone "example2.org" IN {
type slave;
file "slave/example2.org.zone"; // Slave: do not edit this zone file!
masters {10.7.0.254;};
};
zone "0.7.10.in-addr.arpa" IN { // Configure reverse lookup zone (for 10.7.0.0/24)
type slave;
file "slave/10.7.0.revzone";
masters {10.7.0.254;};
};

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 84/102 DNS zone file
DNS zone file

/var/named/master/example.org.zone DNS zone file for the example.org zone

$TTL 86400 ; TTL (1 day)
$ORIGIN example.org.
example.org IN SOA dns1.example.org. help.example.org. ( ; Master DNS server is dns1.example.org
2014052300 ; serial ; For problems contact [email protected]
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
600 ) ; negative TTL (10 mins)

IN NS dns1.example.org.
IN NS dns2.example.org.
IN MX 10 mail1.example.org.
IN MX 20 mail2.example.org.

dns1 IN A 224.123.240.3
dns2 IN A 224.123.240.4
mail1 IN A 224.123.240.73
mail2 IN A 224.123.240.77
foo IN A 224.123.240.12
bar IN A 224.123.240.13
www IN A 224.123.240.19
baz IN CNAME bar

subdomain IN NS ns1.subdomain.example.org. ; Glue records

IN NS ns2.subdomain.example.org.
ns1.subdomain.example.org. IN A 224.123.240.201
ns2.subdomain.example.org. IN A 224.123.240.202

/var/named/master/example.org.revzone DNS reverse zone file for the example.org zone

$TTL 86400 ; TTL (1 day)
example.org IN SOA dns1.example.org. help.example.org. (
2014052300 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
600 ) ; negative TTL (10 mins)

12.240.123.224.in-addr.arpa IN PTR foo

13.240.123.224.in-addr.arpa IN PTR bar
19.240.123.224.in-addr.arpa IN PTR www

Resource Records
$TTL How long to cache a positive response
$ORIGIN Suffix appended to all names not ending with a dot.
Useful when defining multiple subdomains inside the same zone
SOA Start Of Authority for the example.org zone
serial Serial number. Must be increased after each edit of the zone file
refresh How frequently a slave server refreshes its copy of zone data from the master
retry How frequently a slave server retries connecting to the master
expire How long a slave server relies on its copy of zone data. After this time period expires,
the slave server is not authoritative anymore for the zone unless it can contact a master
negative TTL How long to cache a non-existent answer
A Address: maps names to IP addresses. Used for DNS lookups.
PTR Pointer: maps IP addresses to names. Used for reverse DNS lookups.
Each A record must have a matching PTR record
CNAME Canonical Name: specifies an alias for a host with an A record (even in a different zone).
Discouraged as it causes multiple lookups; it is better to use multiple A records instead
NS Name Service: specifies the authoritative name servers for the zone
MX Mailserver: specifies address and priority of the servers able to handle mail for the zone
Glue Records are not really part of the zone; they delegate authority for other zones, usually subdomains

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 85/102 Apache
Apache
Methods of MPM (Multi-Processing Modules) operation of the Apache webserver:
prefork MPM A number of child processes is spawned in advance, with each child serving exclusively one connection.
Highly reliable due to Linux memory protection that isolates each child process
worker MPM Multiple child processes spawn multiple threads, with each thread serving one connection.
More scalable but prone to deadlocks if third-party non-threadsafe modules are loaded

apache2ctl start Start the Apache webserver daemon httpd

apache2ctl status
apache2ctl fullstatus
apache2ctl graceful
apache2ctl graceful-stop
apache2ctl configtest
Display a brief status report
Display a detailed status report
Gracefully restart Apache; currently open connections are not aborted
Gracefully stop Apache; currently open connections are not aborted
Test the configuration file, reporting any syntax error

/var/www/html Default document root directory

$HOME/public_html Default document root directory for users' websites
Web content must be readable by the user/group the Apache process runs as. For security reasons, it should be owned and
writable by the superuser or the webmaster user/group, not the Apache user/group.

/etc/httpd/conf/httpd.conf (Red Hat)

Apache configuration file
/etc/apache2/httpd.conf (Debian & SUSE)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 86/102 Apache configuration
Apache configuration
httpd.conf

Server configuration directives

ServerName www.mysite.org:80 Name and port (if omitted, uses default HTTP port 80) of server
ServerRoot /etc/httpd Root directory for config and log files
ServerAdmin [email protected] Contact address that the server includes in any HTTP error
messages to the client. Can be an email address or an URL
StartServers 5 Number of servers to start initially
MinSpareServers 5 Minimum and maximum number of idle child server processes
MaxSpareServers 10
MaxClients 256 (before v2.3.13) Max number of simultaneous requests that will be served; clients
MaxRequestWorkers 256 (after v2.3.13) above this limit will get a HTTP error 503 - Service Unavailable.
Prefork MPM: max number of child processes launched to serve
requests.
Worker MPM: max total number of threads available to serve
requests
ServerLimit 256 Prefork MPM: max configured value for MaxRequestWorkers.
Worker MPM: in conjunction with ThreadLimit, max configured
value for MaxRequestWorkers
ThreadsPerChild 25 Worker MPM: number of threads created by each child process
ThreadLimit 64 Worker MPM: max configured value for ThreadsPerChild
LoadModule mime_module modules/mod_mime.so Load the module mime_module by linking in the object file or
library modules/mod_mime.so
Listen 10.17.1.1:80 Make the server accept connections on the specified IP
Listen 10.17.1.5:8080 addresses (optional) and ports
User nobody User and group the Apache process runs as. For security
Group nobody reasons, this should not be root
Main configuration directives
DocumentRoot /var/www/html Directory in filesystem that maps to the root of the website
Alias /image /mydir/pub/image Map the URL http://www.mysite.org/image/ to the directory
/mydir/pub/image in the filesystem. This allows Apache to
serve content placed outside of the document root
TypesConfig conf/mime.types Media types file. The path is relative to ServerRoot
AddType image/jpeg jpeg jpg jpe Map the specified filename extensions onto the specified content
type. These entries adds to or override the entries from the
media types file conf/mime.types
Redirect permanent /foo /bar Redirect to a URL on the same host. Status can be:
permanent return a HTTP status 301 - Moved Permanently
temp return a HTTP status 302 - Found
(i.e. the resource was temporarily moved)
seeother return a HTTP status 303 - See Other
gone return a HTTP status 410 - Gone
If status is omitted, default status temp is used
Redirect /foo http://www.example.com/foo Redirect to a URL on a different host
AccessFileName .htaccess Name of the distributed configuration file, which contains
directives that apply to the document directory it is in and to all
its subtrees
<Directory "/var/www/html/foobar"> Specify which global directives a .htaccess file can override:
AllowOverride AuthConfig Limit AuthConfig authorization directives for directory protection
</Directory>
FileInfo document type and metadata
Indexes directory indexing
Limit host access control
Options specific directory features
All all directives
None no directive

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 87/102
Virtual hosts directives
NameVirtualHost *
<VirtualHost *:80>
ServerName www.mysite.org
ServerAlias mysite.org *.mysite.org
DocumentRoot /var/www/vhosts/mysite
</VirtualHost>
<VirtualHost *:80>
ServerAdmin
[email protected]
Multiple name-based virtual hosts can share the same IP
ServerName www.mysite2.org
DocumentRoot /var/www/vhosts/mysite2
ErrorLog /var/www/logs/mysite2
</VirtualHost>
<VirtualHost *:8080>
ServerName www.mysite3.org
DocumentRoot /var/www/vhosts/mysite3
</VirtualHost>
<VirtualHost 10.17.1.5:80>
ServerName www.mysite4.org
DocumentRoot /var/www/vhosts/mysite4
</VirtualHost>
LogFormat "%h %l %u %t \"%r\" %>s %b"
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common
TransferLog /var/log/httpd/access_log
TransferLog "|rotatelogs access_log 86400"
HostnameLookups Off
Linux & LPIC Quick Reference Guide 2nd ed.
Apache virtual hosts
Apache virtual hosts
httpd.conf
Specify which IP address will serve virtual hosting. The
argument can be an IP address, an address:port pair, or * for all
IP addresses of the server. The argument will be repeated in the
relevant <VirtualHost> directive
The first listed virtual host is also the default virtual host.
It inherits those main settings that does not override.
This virtual host answers to http://www.mysite.org , and also
redirects there all HTTP requests on the domain mysite.org
Name-based virtual host http://www.mysite2.org .
address; DNS must be configured accordingly to map each name
to the correct IP address. Cannot be used with HTTPS
Port-based virtual host answering to connections on port 8080.
In this case the config file must contain a Listen 8080 directive
IP-based virtual host answering to http://10.17.1.5
Logging directives
Specify the format of a log
Specify a nickname (here, "common") for a log format.
This one is the CLF (Common Log Format) defined as such:
%h IP address of the client host
%l Identity of client as determined by identd
%u User ID of client making the request
%t Timestamp the server completed the request
%r Request as done by the user
%s Status code sent by the server to the client
%b Size of the object returned, in bytes
Set up a log filename, with the format or (as in this case)
the nickname specified
Set up a log filename, with format determined by the most
recent LogFormat directive which did not define a nickname
Organize log rotation every 24 hours
Disable DNS hostname lookup to save network traffic.
Hostnames can be resolved later by processing the log file:
logresolve <access_log >accessdns_log
2014-09 © Daniele Raffo www.crans.org/~raffo
 88/102 Apache directory protection
Apache directory protection
httpd.conf

Limited scope directives

<Directory "/var/www/html/foobar"> Limit the scope of the specified directives to the directory
[list of directives] /var/www/html/foobar and its subdirectories
</Directory>
<Location /foobar> Limit the scope of the specified directive to the URL
[list of directives] http://www.mysite.org/foobar/ and its subdirectories
</Location>

Directory protection directives

<Directory "/var/www/html/protected">
AuthName "Protected zone" Name of the realm. The client will be shown the realm name
and prompted to enter an user and password

AuthType Basic Type of user authentication: Basic, Digest, Form, or None

AuthUserFile "/var/www/.htpasswd" User database file. Each line is in the format

user:encrypted_password
To add an user jdoe to the database file, use the command:
htpasswd -c /var/www/.htpasswd jdoe
(will prompt for his password)

AuthGroupFile "/var/www/.htgroup" Group database file. Each line contains a groupname followed
by all member usernames:
mygroup: jdoe ksmith mgreen

Require valid-user Control who can access the protected resource.

valid-user any user in the user database file
user jdoe only the specified user
group mygroup only the members of the specified group

Allow from 10.13.13.0/24 Control which host can access the protected resource

Satisfy Any Set the access policy concerning user and host control.
All both Require and Allow criteria must be satisfied
Any any of Require or Allow criteria must be satisfied

Order Allow,Deny Control the evaluation order of Allow and Deny directives.
Allow,Deny First, all Allow directives are evaluated; at
least one must match, or the request is
rejected. Next, all Deny directives are
evaluated; if any matches, the request is
rejected. Last, any requests which do not
match an Allow or a Deny directive are
denied
Deny,Allow First, all Deny directives are evaluated; if
any match, the request is denied unless it
also matches an Allow directive. Any
requests which do not match any Allow or
Deny directives are permitted

</Directory>

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 89/102 HTTPS
HTTPS
A secure web server (using HTTP over SSL i.e. HTTPS) hands over its public key to the client when the latter connects to it
via port 443. The server's public key is signed by a CA (Certification Authority), whose validity is ensured by the root
certificates stored into the client's browser.

The openssl command and its user-friendly CA.pl script are the tools of the OpenSSL crypto library that can be used to
accomplish all public key crypto operations e.g. generate key pairs, Certificate Signing Requests, self-signed certificates.

Virtual hosting with HTTPS requires assigning an unique IP address for each virtual host; this because the SSL handshake
(during which the server sends its certificate to the client's browser) takes place before the client sends the Host: header
(which tells which virtual host the client wants to talk to).
A workaround for this is SNI (Server Name Indication) that makes the browser send the hostname in the first message of
the SSL handshake. Another workaround is to have all multiple name-based virtual hosts use the same SSL certificate e.g.
for a wildcard domain *.example.org.

/etc/ssl/openssl.cnf Configuration file for OpenSSL

/etc/httpd/conf.d/ssl.conf (Red Hat) Configuration file for the mod_ssl module

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 90/102 Apache SSL/TLS configuration
Apache SSL/TLS configuration

httpd.conf
SSL/TLS directives (module mod_ssl)
SSLCertificateFile \ SSL server certificate
/etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile \ SSL server private key (for security reasons, this file
/etc/httpd/conf/ssl.key/server.key should be readable only by root)
SSLCACertificatePath \ Directory containing the certificates of CAs. Files in this
/usr/local/apache2/conf/ssl.crt/ directory are PEM-encoded and accessed via symlinks to
hash filenames
SSLCACertificateFile \ Certificates of CAs. Certificates are PEM-encoded and
/usr/local/apache2/conf/ssl.crt/ca-bundle.crt concatenated in a single bundle file in order of preference
SSLCertificateChainFile \ Certificate chain of the CAs. Certificates are PEM-encoded
/usr/local/apache2/conf/ssl.crt/ca.crt and concatenated from the issuing CA certificate of the
server certificate to the root CA certificate. Optional
SSLEngine on Enable the SSL/TLS Protocol Engine
SSLProtocol +SSLv3 +TLSv1.2 SSL protocol flavors that the client can use to connect to
server. Possible values are:
SSLv2 (deprecated)
SSLv3
TLSv1
TLSv1.1
TLSv1.2
All (all the above protocols)

SSLCipherSuite \ Cipher suite available for the SSL handshake (key

ALL:!aDH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP exchange algorithms, authentication algorithms,
cipher/encryption algorithms, MAC digest algorithms)
ServerTokens Full Server response header field to send back to client.
Possible values are:
Prod sends Server: Apache
Major sends Server: Apache/2
Minor sends Server: Apache/2.4
Minimal sends Server: Apache/2.4.2
OS sends Server: Apache/2.4.2 (Unix)
Full (or not specified) sends
Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerSignature Off Trailing footer line on server-generated documents.

Possible values are:
Off no footer line (default)
On server version number and ServerName
EMail as above, plus a mailto link to ServerAdmin

SSLVerifyClient none Certificate verification level for client authentication.

Possible values are:
none no client certificate is required
require the client needs to present a valid
certificate
optional the client may present a valid
certificate (this option is unused
as it doesn't work on all browsers)
optional_no_ca the client may present a valid
certificate but it doesn't need to
be successfully verifiable (this
option has not much purpose and
is used only for SSL testing)

TraceEnable on Enable TRACE requests

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 91/102
openssl x509 -text -in certif.crt -noout
openssl req -text -in request.csr -noout
openssl req -new -key private.key -out request.csr
openssl req -new -nodes -keyout private.key \
-out request.csr -newkey rsa:2048
openssl ca -config ca.conf -in request.csr \
-out certif.cer -days validity -verbose
openssl ca -config ca.conf -gencrl -revoke certif.cer \
-crl_reason why
openssl ca -config ca.conf -gencrl -out crlist.crl
openssl x509 -in certif.pem -outform DER \
-out certif.der
openssl pkcs12 -export -in certif.pem \
-inkey private.key -out certif.pfx -name friendlyname
openssl dgst -hashfunction -out file.hash file
openssl dgst -hashfunction file | cmp -b file.hash
openssl dgst -hashfunction -sign private.key \
-out file.sig file
openssl dgst -hashfunction -verify public.key \
-signature file.sig file
openssl enc -e -cipher -in file -out file.enc -salt
openssl enc -d -cipher -in file.enc -out file
openssl genpkey -algorithm RSA -cipher 3des \
-pkeyopt rsa_keygen_bits:2048 -out key.pem
openssl genrsa -des3 -out key.pem 2048
openssl pkey -text -in private.key -noout
openssl rsa -text -in private.key -noout
openssl pkey -in old.key -out new.key -cipher
openssl rsa -in old.key -out new.key -cipher
openssl s_client -connect www.website.com:443 > tmpfile
CTRL C website
openssl x509 -in tmpfile -text
openssl list-message-digest-commands
openssl list-cipher-commands
Linux & LPIC Quick Reference Guide 2nd ed. 2014-09
OpenSSL
OpenSSL
Read a certificate
Read a Certificate Signing Request
Generate a Certificate Signing Request (in PEM
format) for the public key of a key pair
Create a 2048-bit RSA key pair and generate a
Certificate Signing Request for it
Sign a CSR (to generate a self-signed certificate,
the steps are creating a CSR and signing it)
Revoke a certificate
Generate a Certificate Revocation List containing
all revoked certificates so far
Convert a certificate from PEM to DER
Convert a certificate from PEM to PKCS#12
including the private key
Generate the digest of a file
Verify the digest of a file (if there is no output,
then digest verification is successful)
Generate the signature of a file
Verify the signature of a file
Encrypt a file
Decrypt a file
Generate a 2048-bit RSA key pair protected by
TripleDES passphrase
Generate a 2048-bit RSA key pair protected by
TripleDES passphrase (older versions of OpenSSL)
Examine a private key
Examine a private key
(older versions of OpenSSL)
Change a private key's passphrase
Change a private key's passphrase
(older versions of OpenSSL)
Retrieve and inspect a SSL certificate from a
List all available hash functions
List all available ciphers
© Daniele Raffo www.crans.org/~raffo
 92/102 CA.pl
CA.pl
CA.pl -newca Create a Certification Authority hierarchy
CA.pl -newreq Generate a Certificate Signing Request
CA.pl -signreq Sign a Certificate Signing Request
CA.pl -pkcs12 "My certificate" Generate a PKCS#12 certificate from a Certificate Signing Request

CA.pl -newcert Generate a self-signed certificate

CA.pl -newreq-nodes Generate a Certificate Signing Request, with an unencrypted private key
(necessary for servers as the private key must be accessed)

CA.pl -verify Verify a certificate against the Certification Authority certificate for "demoCA"

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 93/102 Samba
Samba
Samba is a cross-platform implementation of Microsoft's SMB (Server Message Block) protocol for file and printer sharing.
SMB is sometimes also referred to as CIFS (Common Internet File System).
WINS (Windows Internet Name Service) is a name service used to translate NetBIOS names to IP addresses.
Ports used: TCP 137 name service requests and responses
TCP 138 datagram services e.g. server announcements
TCP 139 file and printer sharing
UDP registration and translation of NetBIOS names, network browsing

smbd Server Message Block daemon. Provides SMB file and printer sharing, browser services, user authentication,
and resource lock. An extra copy of this daemon runs for each client connected to the server
nmbd NetBIOS Name Service daemon. Handles NetBIOS name lookups, WINS requests, list browsing and elections.
An extra copy of this daemon runs if Samba functions as a WINS server.
Another extra copy of this daemon runs if DNS is used to translate NetBIOS names

/etc/smb/lmhosts Samba NetBIOS hosts file

/etc/smb/netlogon User logon directory

mount.cifs //smbserver/share1 /mnt/shares/sh1 \
-o auto,credentials=/etc/smbcreds
smbmount //smbserver/share1 /mnt/shares/sh1 \
-o username=jdoe
Mount a Samba share on a Linux filesystem, using the CIFS
filesystem interface.
Access is checked upon a credentials file /etc/smbcreds
(should be readable only by root) formatted as follows:
username = jdoe
password = jd03s3cr3t
Mount a Samba share as user jdoe

smbstatus Display current information about shares, clients

connections, and locked files
smbclient //smbserver/share1 Access a Samba share on a server (with a FTP-like interface)
smbclient -L //smbserver -W WORKGROUP -U user List the Samba resources available on a server, belonging to
the specified workgroup and accessible to the specified user
cat msg.txt | smbclient -M client -U user Show a message popup on the client machine (using the
WinPopup protocol)
smbpasswd jdoe Change the Samba password of the specified user
smbpasswd -a ksmith Create a new Samba user and set his password

nmblookup smbserver Look up the NetBIOS name of a server and map it to an IP

address

nmblookup -U winsserver -R WORKGROUP#1B
nmblookup -U winsserver -R WORKGROUP#1D
testparm
Query recursively a WINS server for the Domain Master
Browser for the specified workgroup
Query recursively a WINS server for the Domain Controller
for the specified workgroup
Check for errors in the Samba configuration file

net Tool for administration of Samba and remote CIFS servers

net rpc shutdown -r -S smbserver -U root%password Reboot a CIFS server
net rpc service list -S smbserver List available service on a CIFS server
net status sessions Show active Samba sessions
net status shares Show Samba shares
net rpc info Show information about the domain
net groupmap list Show group mappings between Samba and Windows

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 94/102 Samba configuration
Samba configuration

/etc/smb/smb.conf Samba configuration

[global] Global server settings: defines parameters applicable for the whole
Samba server and sets the defaults that will be used for the
parameters not mentioned in other sections
workgroup = MYWORKGROUP Make Samba join the specified workgroup
server string = Linux Samba Server %L Describe server to the clients
hosts allow = 10.9.9.0/255.255.255.0 Allow only the specified machines to connect to the server
security = user Set up user-level authentication
encrypt passwords = yes Use encrypted passwords
smb passwd file = /etc/smb/smbpasswd Refer to the specified password file for user authentication.
A new user's password will need to be set both in Linux and Samba by
using these commands from shell prompt:
passwd newuser
smbpasswd newuser
unix password sync = yes When the password of a client user (e.g. under Windows) is changed,
change the Linux and Samba password too
username map = /etc/smb/smbusers Map each Samba server user name to client user name(s).
The file /etc/smb/smbusers is structured as follows:
root = Administrator Admin
jdoe = "John Doe"
kgreen = "Kim Green"
netbios name = Mysambabox Set NetBIOS name and alias
netbios aliases = Mysambabox1
wins support = yes Make Samba play the role of a WINS server.
Note: There should be only one WINS server on a network
logon server = yes Enable logon support.
Logon script parameters will be defined in a [netlogon] section
log file = /var/log/samba/log.%m Use a separate logfile for each machine that connects
max log size = 1000 Maximum size of each logfile, in Kb
syslog only = no Whether to log only via Syslog
syslog = 0 Log everything to the logfiles /var/log/smb/log.smbd and
/var/log/smb/log.nmbd, and log a minimum amount of information
to Syslog. This parameter can be set to a higher value to have Syslog
log more information
panic action = \ Mail a backtrace to the sysadmin in case Samba crashes
/usr/share/samba/panic-action %d
[netlogon] Section defining a logon script.
comment = Netlogon for Windows clients Specifies a per-user script e.g. /home/netlogon/jdoe.bat will be
path = /home/netlogon called when user jdoe logs in. It is also possible to specify a per-
browseable = no
clientname script %m.bat, which will be called when a specific machine
guest ok = no
writeable = no logs in.
logon script = %U.bat Guest access to the service (i.e. access without entering a password)
is disabled
[Canon LaserJet 3] Section defining a printer accessible via the network
printer name = lp
comment = Canon LaserJet 3 main printer
path = /var/spool/lpd/samba
printable = yes
writeable = no

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 95/102 Samba shares
Samba shares

/etc/smb/smb.conf Samba configuration

[public] Section defining a public share accessible on read/write by anyone
comment = Public Storage on %L Describe the public share to users
path = /home/samba Path of the public share on the server
browsable = yes Whether to show the public share when browsing
writeable = yes Whether to allow all users to write in this directory
[homes] Section enabling users that have an account and a home directory
on the Samba server to access it and modify its contents from a
Samba client.
The path variable is not set, by default is path=/home/%S
comment = %U's home directory on %L from %m Describe the share to the user
browseable = no Whether to show the homes share when browsing
writeable = yes Whether to allow the user to write in his home directory
[foobar] Section defining a specific share
path = /foobar
comment = Share Foobar on %L from %m
browsable = yes
writeable = yes
valid users = jdoe, kgreen, +geeks Allow access only to users jdoe and kgreen, and local group geeks
invalid users = csmith Deny access to user csmith
read list = bcameron Allow read-only access to user bcameron
write list = fcastle Allow read-write access to user fcastle

Samba share access

[global]
security = user
guest account = nobody
map to guest = Never
User-level authentication
Set up user-level authentication
Map the guest account to the system user nobody (default)
Specify how incoming requests are mapped to the guest account:
Bad User redirect from an invalid user to guest account on server
Bad Password redirect from an invalid password to guest account on server
Never reject unauthenticated users

Server-level authentication
[global]
security = server Set up server-level authentication
password server = srv1 srv2 Authenticate to server srv1, or to server srv2 if srv1 is unavailable
Domain-level authentication
[global]
security = ADS Set up domain-level authentication as an Active Directory member server
realm = KRB_REALM Join the specified realm.
Kerberos must be installed and an administrator account must be created:
net ads join -U Administrator%password
Share-level authentication
[global]
security = share Set up share-level authentication
[foobar] Define a share accessible to any user which can supply foobaruser's password.
path = /foobar The user foobaruser must be created on the system:
username = foobaruser useradd -c "Foobar account" -d /tmp -m -s /sbin/nologin foobaruser
only user = yes and added to the Samba password file:
smbpasswd -a foobaruser

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 96/102 Samba macros
Samba macros

Samba macros
%S Username The substitutes below apply only to the
configuration options that are used when a
%U Session username (the username that the client requested,
connection has been established:
not necessarily the same as the one he got)
%G Primary group of session username %S Name of the current service, if any
%h Samba server hostname %P Root directory of the current service, if any
%M Client hostname %u Username of the current service, if any
%L NetBIOS name of the server %g Primary group name of username
%m NetBIOS name of the client %H Home directory of username
%d Process ID of the current server process %N Name of the NIS home directory server as
obtained from the NIS auto.map entry.
%a Architecture of remote machine
Same as %L if Samba was not compiled with
%I IP address of client machine the --with-automount option
%i Local IP address to which a client connected %p Path of service's home directory as obtained
from the NIS auto.map entry. The NIS
%T Current date and time
auto.map entry is split up as %N:%p
%D Domain or workgroup of the current user
%w Winbind separator
%$(var) Value of the environment variable var

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 97/102 NFS
NFS
A Network File System (NFS) server makes filesystems available to clients for mounting.

The portmapper is needed by NFS to map incoming TCP/IP connections to the appropriate NFS RPC calls. Some Linux
distributions use rpcbind instead of the portmapper.
For security, the TCP Wrapper should be configured to limit access to the portmapper to NFS clients only:
file /etc/hosts.deny should contain portmap: ALL
file /etc/hosts.allow should contain portmap: IP_addresses_of_clients

NFS handles user permissions across systems by considering users with same UID and username as the same user.
Group permission is evaluated similarly, by GID and groupname.

rpc.nfsd NFS daemons

rpc.mountd
rpc.lockd
rpc.statd

/etc/exports List of the filesystems to be exported (via the command exportfs)

/var/lib/nfs/xtab List of exported filesystems, maintained by exportfs
/proc/fs/nfs/exports Kernel export table (can be examined via the command cat)

exportfs -ra Export or reexport all directories.

When exporting, fills the kernel export table /proc/fs/nfs/exports.
When reexporting, synchronizes /etc/exports with /var/lib/nfs/xtab by
removing those entries in /var/lib/nfs/xtab that are deleted from
/etc/exports, and removes those entries from /proc/fs/nfs/exports that
are no longer valid
exportfs -ua Unexport all directories.
All entries listed in /var/lib/nfs/xtab are removed from
/proc/fs/nfs/exports, and the file is cleared

showmount Show the remote client hosts currently having active mounts
showmount --directories Show the directories currently mounted by a remote client host
showmount --exports Show the filesystems currently exported i.e. the active export list
showmount --all Show both remote client hosts and directories
showmount -e nfsserver Show the shares a NFS server has available for mounting

mount -t nfs nfsserver:/share /usr Command to be run on a client to mount locally a remote NFS share.
NFS shares accessed frequently should be added to /etc/fstab :
nfsserver:/share /usr nfs intr 0 0

rpcinfo -p nfsserver Probe the portmapper on a NFS server and display the list of all registered
RPC services there
rpcinfo -t nfsserver nfs Test a NFS connection by sending a null pseudo request (using TCP)
rpcinfo -u nfsserver nfs Test a NFS connection by sending a null pseudo request (using UDP)

nfsstat Display NFS/RPC client/server statistics.

NFS RPC both

server -sn -sr -s
Options:
client -cn -cr -c

both -n -r -nr

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 98/102 /etc/exports
/etc/exports
/etc/exports
/export/ 10.3.3.3(rw)
/export/ *(ro,sync)
/home/ftp/pub client1(rw) *.example.org(ro)
/home/crew @FOOBARWORKGROUP(rw) (ro)
filesystem Filesystem on the NFS server to be exported to clients
Client systems allowed to access the exported directory.
client
Can be identified by hostname, IP address, wildcard, subnet, or @NIS workgroup.
identity
Multiple client systems can be listed, and each one can have different options
ro Read-only access (default)
rw Read and write access. The client may choose to mount read-only anyway
sync Reply to requests only after the changes made by these requests have been committed to
stable storage
async Reply to requests without waiting that changes are committed to stable storage.
client
options Improves performances but might cause loss or corruption of data if server crashes
root_squash Requests by user root on client will be done as user nobody on server (default)
no_root_squash Requests by user root on client will be done as same user root on server
all_squash Requests by a non-root user on client will be done as user nobody on server
no_all_squash Requests by a non-root user on client will be attempted as same user on server (default)

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
 99/102 DHCP
DHCP
A DHCP (Dynamic Host Configuration Protocol) server listens for requests on UDP port 67 and answers to UDP port 68.
The assignment of an IP address to a host is done through a sequence of DHCP messages initiated by the client host:
DHCP Discover, DHCP Offer, DHCP Request, DHCP Acknowledgment.
Because DHCP Discover messages are broadcast and therefore not routed outside a LAN, a DHCP relay agent is necessary
for those clients situated outside the DHCP server's LAN. The DHCP relay agent listens to DHCP Discover messages and
relays them in unicast to the DHCP server.

/etc/dhcpd.conf Configuration file for the DHCP server

/etc/sysconfig/dhcrelay (SUSE) Configuration file for the DHCP relay agent
/var/lib/dhcpd/dhcpd.leases DHCP current leases

/etc/dhcpd.conf
option domain-name-servers 10.2.2.2;
option smtp-servers 10.3.3.3;
option pop-servers 10.4.4.4; Global parameters for DNS, mail, NTP, and news servers
option time-servers 10.5.5.5; specification
option nntp-servers 10.6.6.6;

shared-network geek-net { Definition of a network

default-lease-time 86400; Time, in seconds, that will be assigned to a lease if a client
does not ask for a specific expiration time
max-lease-time 172800; Maximum time, in seconds, that can be assigned to a
lease if a client asks for a specific expiration time
option routers 10.0.3.252;
option broadcast-address 10.0.3.255;

subnet 10.0.3.0 netmask 255.255.255.128 {

Definition of different subnets in the network, with
range 10.0.3.1 10.0.3.101;
} specification of different ranges of IP addresses that will be
subnet 10.0.3.128 netmask 255.255.255.128 { leased to clients depending on the client's subnet
range 10.0.3.129 10.0.3.229;
}
}

group { Definition of a group

option routers 10.0.17.252;
option broadcast-address 10.0.17.255;
netmask 255.255.255.0;
host linuxbox1 {
hardware ethernet AA:BB:CC:DD:EE:FF;
fixed-address 10.0.17.42;
option host-name "linuxbox1"; Definition of different hosts to whom static IP addresses
} will be assigned to, depending on their MAC address
host linuxbox2 {
hardware ethernet 33:44:55:66:77:88;
fixed-address 10.0.17.66;
option host-name "linuxbox2";
}
}

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
100/102 PAM
PAM
PAM (Pluggable Authentication Modules) is an abstraction layer that allows applications to use authentication methods while
being implementation-agnostic.

/etc/pam.d/service PAM configuration for service

/etc/pam.conf (obsolete) PAM configuration for all services

ldd /usr/sbin/service | grep libpam Check if service is enabled to use PAM

/etc/pam.d/service
auth requisite pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
password required pam_unix.so nullok obscure min=4 max=8
auth Authentication module to verify user identity and group membership
account Authorization module to determine user's right to access a resource (other than his identity)
type
password Module to update an user's authentication credentials
session Module (run at end and beginning of an user session) to set up the user environment
optional Module is not critical to the success or failure of service
sufficient If this module successes, and no previous module has failed, module stack processing ends
successfully. If this module fails, it is non-fatal and processing of the stack continues
control required If this module fails, processing of the stack continues until the end, and service fails
requisite If this module fails, service fails and control returns to the application that invoked service
include Include modules from another PAM service file
PAM module and its options, e.g.:
pam_unix.so Standard UNIX authentication module via /etc/passwd and /etc/shadow
pam_nis.so Module for authentication via NIS
pam_ldap.so Module for authentication via LDAP
module
pam_fshadow.so Module for authentication against an alternative shadow passwords file
pam_cracklib.so Module for password strength policies (e.g. length, case, max n of retries)
pam_limits.so Module for system policies and system resource usage limits
pam_listfile.so Module to deny or allow the service based on an arbitrary text file

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
101/102 LDAP
LDAP
LDAP (Lightweight Directory Access Protocol) is a simplified version of the X.500 standard and uses TCP port 389.
LDAP permits to organize hierarchically a database of entries, each one of which is identified by an unique DN (Distinguished
Name). Each DN has a set of attributes, each one of which has a value. An attribute may appear multiple times.

Most frequently used LDAP attributes

Attribute Example Meaning
dn dn: cn=John Doe,dc=example,dc=org Distinguished Name
(not an attribute; identifies the entry)
dc dc=example,dc=org Domain Component
cn cn: John Doe Common Name
givenName givenName: John Firstname
sn sn: Doe Surname
mail mail: [email protected] Email address
telephoneNumber telephoneNumber: +1 505 1234 567 Telephone number
uid uid: jdoe User ID
c c: US Country code
l l: San Francisco Locality
st st: California State or province
street street: 42, Penguin road Street
o o: Example Corporation Organization
ou ou: IT Dept Organizational Unit
manager manager: cn=Kim Green,dc=example,dc=org Manager

ldapsearch -H ldap://ldapserver.example.org \ Query the specified LDAP server for entries where
-s base -b "ou=people,dc=example,dc=com" \ surname=Doe, and print common name, surname, and
"(sn=Doe)" cn sn telephoneNumber telephone number of the resulting entries.
Output is shown in LDIF

ldappasswd -x -D "cn=Admin,dc=example,dc=org" \ Authenticating as Admin, change the password of user jdoe in

-W -S "uid=jdoe,ou=IT Dept,dc=example,dc=org" the OU called IT Dept, on example.org

ldapmodify -b -r -f /tmp/mods.ldif Modify an entry according to the LDIF file /tmp/mods.ldif

ldapadd -h ldapserver.example.org \
-D "cn=Admin" -W -f /tmp/mods.ldif
ldapdelete -v "uid=jdoe,dc=example,dc=org" \
-D "cn=Admin,dc=example,dc=org" -W
Authenticating as Admin, add an entry by adding the content
of the LDIF file /tmp/mods.ldif to the directory.
Actually invokes the command ldapmodify -a
Authenticating as Admin, delete the entry of user jdoe

LDIF (LDAP Data Interchange Format)

dn: cn=John Doe, dc=example, dc=org This LDIF file will change the email address
changetype: modify of jdoe, add a picture, and delete the
replace: mail description attribute for the entry
mail: [email protected]
-
add: jpegPhoto
jpegPhoto:< file://tmp/jdoe.jpg
-
delete: description
-

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo
102/102 OpenLDAP
OpenLDAP
slapd Standalone OpenLDAP daemon

/var/lib/ldap/ Files constituting the OpenLDAP database

/etc/openldap/slapd.conf OpenLDAP configuration file

/usr/local/etc/openldap/slapd.conf

slapcat -l file.ldif Dump the contents of an OpenLDAP database to a LDIF file

slapadd -l file.ldif Import an OpenLDAP database from a LDIF file

slapindex Regenerate OpenLDAP's database indexes

SSSD (the System Security Services Daemon) can be used to provide access to OpenLDAP as an authentication and identity
provider.

Linux & LPIC Quick Reference Guide 2nd ed. 2014-09 © Daniele Raffo www.crans.org/~raffo