Unit 4

The /etc/skel directory contains files and configurations that are copied to a user's home directory when a new user account is created. This allows default configurations and files to be pre-populated for new users. Why might an administrator change a user’s default shell? An administrator may change a user's default shell to restrict their access or capabilities. For example, setting a non-login shell like /bin/false denies interactive access, while setting an alternative shell like /bin/bash could provide a more limited environment compared to the default shell.

Uploaded by Ankit Singh
© All Rights Reserved

UNIT-4

TOPICS TO BE COVERED

• Performing Basic Linux Tasks
• Managing Users and Groups
• Managing Permissions and Ownership
• Managing Storage

PERFORMING BASIC LINUX TASKS

General Purpose Utilities

THE CLI: The command-line interface is a text-based interface between the user and the operating
system that accepts input in the form of commands.

The CLI presents a command prompt to the user, and the user enters a command to interact with the
system in a variety of ways.

Developers and administrators often use the CLI, whereas regular users will typically rely on a
graphical user interface (GUI).
CLI ADVANTAGES

• It’s faster for the system to process.
• It’s faster for administrators to enter information.
• Commands can be stored in text files called scripts that you can execute with one command.
• Scripts can be scheduled to execute on a regular basis.
• Additional options are available in the CLI that may not be present in the GUI.

CHALLENGES

• It’s more difficult to learn than a GUI.
• Commands have many options and are not always consistent.
• There are many command-line environments among the Linux, Unix, macOS, and Windows platforms.

SHELLS

• Bourne shell (sh): This is the original Unix shell and is still available on Linux systems.
• Bash (bash): This is the default Linux shell and a replacement for the Bourne shell. Its full name is the Bourne-again shell.
• C shell (csh): This shell is based on the C programming language and was designed to support C language development environments.
• KornShell (ksh): This shell uses the features of the C shell with the syntax of the Bourne shell. It is common on Unix systems.
BASH SYNTAX

Command only: ls
  Lists directory contents with default output.

Command with options: ls -la
  Lists directory contents in long format (-l) and showing "hidden" files (-a).

Command with an argument: ls /var/log
  Lists the contents of the /var/log directory with default output.

Command with options and an argument: ls -la /var/log
  Lists the contents of the /var/log directory in long format and showing "hidden" files.
BASIC BASH COMMANDS

echo: Repeats input back to the user on the screen. Commonly used to send information to the user in a script.
  Example: echo 'Good Morning' returns "Good Morning" at the CLI.

ls: Lists the contents of a directory. Can be given options to view permissions, hidden files, etc.
  • ls lists the contents of the current directory.
  • ls -a includes hidden files.
  • ls -l outputs in long format.
  • ls /var/log lists the contents of the specified directory.

pwd: Displays the current working directory.
  Example: pwd returns the path to your current working directory.

cd: Changes your current working directory.
  • cd /var/log changes your current directory to /var/log.
  • cd /etc changes your current directory to /etc.

touch: Updates the timestamp on an existing file, but can also be used to create an empty file.
  Example: touch file1 updates the timestamp on file1 if it exists; creates file1 if it doesn't.

cp: Copies a file or directory to another location.
  Example: cp file1 file2 copies the contents of file1 to file2.

mkdir: Creates a directory.
  Example: mkdir newdir creates a new directory called newdir.
FILE EDITING COMMANDS

vim: Starts a powerful text editor, the default for Linux.
  1. vim file1 opens a text file in command mode.
  2. Press i to enter insert mode.
  3. Press Esc to leave insert mode.
  4. Type :wq to save the file and quit.

nano: Starts a simple, user-friendly text editor. It may not be installed on all distros.
  1. nano file1 opens a text file.
  2. Enter text directly in the interface.
  3. Press Ctrl+O to save changes.
  4. Press Ctrl+X to quit.

gedit: Starts a GUI text editor that is easy to use. Requires a desktop environment to be installed.
  1. Select Applications → Accessories → Text Editor.
  2. Enter text directly in the interface.
  3. Use the menu to save and quit.
USERS AND GROUPS

• User accounts represent identities that authenticate to the system and can use authentication credentials to do specific tasks. User information includes group memberships.
• Types of user accounts:
  • Root
  • Standard user
  • Service

SUPERUSER

• The root account is also referred to as the superuser. The security best practice is to never log on to the system with administrative credentials, but rather to log on with a non-privileged account and elevate privileges when necessary.
• One way of elevating privileges is to "substitute user" using the su command.
ADDING USER

THE useradd COMMAND

The useradd command is used to create user accounts and configure basic settings. As part of the account creation process, useradd references several files:
• The account is stored in the /etc/passwd file.
• The account is configured according to various options set in the /etc/login.defs file.
• The account's home directory is created at the /home/<account name> directory.
• The account's home directory is populated using files from the /etc/skel directory.

SYNTAX
The syntax of the useradd command is useradd [options] [username]
• The /etc/passwd file stores user account information. All accounts, default or user-specific, will be found in this file. Each account contains seven fields of information. Each field is separated by a colon.
• To add a comment while adding a user: useradd -c "comment" username
• To set the home directory while adding a user: useradd -d path username
• To set the user ID while adding a user: useradd -u uid username
• To place the user in an existing group (as the primary group) while adding a user: useradd -g groupname username
• To delete a user: userdel username

USERADD COMMAND OPTIONS

Option: Description. Example.
-c: Sets the comment field, which is typically used as the field for the user's full name. useradd -c "User One" user1
-e: Sets the account expiration date (YYYY-MM-DD). useradd -e 2019-12-31 user1
-s: Sets the user's default shell. useradd -s /bin/ksh user1
-D: Views the default configurations for new users. useradd -D
THE passwd COMMAND

• The passwd command is used by root to set or reset a password for any user. A user can use the passwd command themselves to reset their own password. It is also used to set the initial password for a user after creating the account with the useradd command.

SYNTAX
• The syntax of the passwd command is passwd [username], where [username] can be given by root to set a specific user's password.

THE /ETC/SHADOW FILE

• The /etc/passwd file was once used to store the cryptographically hashed version of passwords. That file is world-readable, however, meaning that one user could see the hashed version of another user's password.
• The /etc/shadow file is the modern storage location for hashed passwords, as well as additional account information. This additional information includes password requirements and expiration information. Only root has access to the content of the /etc/shadow file, preventing users from attempting to crack each other's passwords.
FORMAT

usermod COMMANDS

• For changing the home directory (and shifting the content from the old home directory)
• To set an expiry date for the account
• For making the account inactive (locking the user's password)
• To change the UID

THE usermod COMMAND

• The usermod command is used to modify settings for regular users. It edits the /etc/passwd file, avoiding the need for administrators to edit the file directly.

SYNTAX
• The syntax of the usermod command is usermod [options] {username}
Option -c: $ usermod -c "comment" username
Option -d: $ usermod -d /home/path username
Option -e: $ usermod -e yyyy-mm-dd username
Option -l: $ usermod -l newusername username
Option -u: $ usermod -u UID username
QUESTIONS

Why are user passwords stored in the /etc/shadow file and not the /etc/passwd file?
The /etc/passwd file can be read by all processes and therefore isn’t as secure. The /etc/shadow file can only be read by root.

What is the purpose of the /etc/skel directory?
Any files stored in this directory are automatically copied to the home directory of new user accounts. Profile files and other configurations can be easily set using /etc/skel.

Why might an administrator change a user’s default shell?
The user may be more comfortable with a different shell than Bash, such as Zsh or Ksh.
GROUP ACCOUNTS

• Groups associate user accounts that have similar security requirements. Groups simplify administrative tasks, allowing multiple users to be granted permissions to resources. Groups are represented on the system by a group ID number (GID). Users may be members of more than one group.
• The /etc/group file is the storage location for groups. All groups, default or user-specific, will be found in this file. The groupadd command creates a group. By default, the group has no members and no password.

SYNTAX
The syntax of the groupadd command is groupadd [options] {groupname}

The groupmod command is used to change the group's own attributes. It edits the /etc/group file for you.

SYNTAX
The syntax of the groupmod command is groupmod [options] {groupname}

The groupdel command deletes groups from the /etc/group file. It does not delete user accounts that are members of the group.

SYNTAX
The syntax of the groupdel command is groupdel [options] {groupname}

• One way of displaying the contents of /etc/group is to use the tail command.
• For example, type tail /etc/group. The output displays the last 10 entries in the file, including the most recently added groups.
• Deleting a group does not delete the user accounts that are members of that group. A group is a separate object from the user.
• Note that you cannot remove the primary group of an existing user. You must remove the user account first by using the userdel command.
ADD USERS TO GROUPS

• Adding a user to a group is a modification of the user, not the group. Use the usermod command covered earlier to add a user to an existing group.
• Two specific options are used with usermod to manage group membership: -G (the list of groups) and -a (append to the groups the user is already in).

If the -a option is not selected, the user is removed from all other groups and added only to the specified group. Users can be members of multiple groups, so such a mistake could have drastic consequences.

The syntax for using the usermod command is usermod [options] username

For example, the command to add Joseph Deng to the sales group while retaining membership in all other groups is: usermod -aG sales jdeng.

QUESTIONS

1. Suggest at least two ways to display group membership information.
View the /etc/group file, the id command, the groups command.

2. What command adds a user to a group?
The usermod command (usually with the -aG options).

3. What is the result if an administrator forgets to add the -a option when adding a user to a group?
The user is added to the specified group but removed from all other groups.

4. Why might a user be a member of multiple groups?
Membership in multiple groups provides access to different resources. For example, a user who is a member of both the sales group and the marketing group can be granted access to both types of resources.
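To make the difference between -G and -aG concrete, here is an added shell example (it is not from the slides) that applies the same membership logic to a constructed copy of /etc/group with awk, so the effect of forgetting -a can be observed without root and without running usermod. The group names, user names and the function names modify_groups and list_groups are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): simulate what usermod -G and usermod -aG
# do to the member lists in /etc/group, on a constructed copy of the file.
# Real usermod also manages the primary group in /etc/passwd; that is out of scope here.

# Constructed /etc/group sample: name:password:GID:member,member,...
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
sales:x:1001:bob
marketing:x:1002:alice,jdeng
developers:x:1003:jdeng'

# list_groups FILE USER -> space-separated groups that list USER as a member
list_groups() {
    awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1 }
        END { print "" }' "$1" | sed 's/ $//'
}

# modify_groups FILE USER GROUPLIST APPEND -> prints the rewritten file.
#   APPEND=1 behaves like usermod -aG: USER is added to GROUPLIST, nothing is removed.
#   APPEND=0 behaves like usermod -G:  USER ends up in GROUPLIST only.
modify_groups() {
    awk -F: -v OFS=: -v u="$2" -v gl="$3" -v app="$4" '
        BEGIN { n = split(gl, t, ","); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            n = split($4, m, ","); present = 0; out = ""
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                if (m[i] == u) {
                    present = 1
                    # without -a the user is dropped from every group not in GROUPLIST
                    if (app + 0 == 0 && !($1 in want)) continue
                }
                out = (out == "" ? m[i] : out "," m[i])
            }
            if (($1 in want) && !present) out = (out == "" ? u : out "," u)
            $4 = out
            print
        }' "$1"
}

# Demo over the constructed sample
demo=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$demo"
echo "before:            jdeng is in: $(list_groups "$demo" jdeng)"
modify_groups "$demo" jdeng sales 1 > "$demo.aG"
echo "usermod -aG sales: jdeng is in: $(list_groups "$demo.aG" jdeng)"
modify_groups "$demo" jdeng sales 0 > "$demo.G"
echo "usermod -G sales:  jdeng is in: $(list_groups "$demo.G" jdeng)"
rm -f "$demo" "$demo.aG" "$demo.G"
```

Run as-is it prints jdeng's membership before, after the append form, and after the replace form; the last line shows the account silently dropped from marketing and developers, which is the "drastic consequence" the slide warns about. The same list_groups function can be pointed at a real /etc/group to review who is in a sensitive group such as wheel.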
WHAT IS PRIVILEGE ESCALATION?

• The root user is the system’s administration account. It has full privileges to do anything on the system. This is both necessary for managing the system and dangerous in the hands of malicious or inexperienced users.
• Standard user accounts typically have privileges to manage their own data and some basic system settings and preferences. Most standard accounts cannot run commands that would damage or disable the system, which also means they cannot usually make the configuration changes necessary to administer Linux.
• Service accounts represent services running on the system that consume resources. Because the services are represented by service accounts, their ability to consume system resources can be controlled. This helps prevent a service from overwhelming the system or blocking other services from accessing resources.
• Understand a disabled root account: Your organization’s security policy may require that you log on to server systems with a non-privileged account. This is a very good practice to keep in mind; however, it often isn’t possible to execute administrative tasks with non-administrative privileges.
• Logging on with a standard user account and then changing your identity to one with administrative privileges is referred to as privilege escalation.
• There are two ways of managing privilege escalation: su and sudo.

ELEVATE PRIVILEGES WITH SU

• The su utility provides the ability to "switch user" to another account. The most common example is a sysadmin who follows proper security practices by signing in as a standard user and then switches to the root user to accomplish system administration tasks.
• The syntax for using su is su {user-name}.
• For example, to switch to the root user, type su root.

ELEVATE PRIVILEGES WITH SUDO

• With the su command, any user who knows the root password can "get root" and do anything the root user can do. An account using su - root essentially is the server administrator.
QUESTIONS

A developer at your organization needs the ability to reboot a test server, but their account’s standard privileges do not permit this. The developer requests the system's root user password in order to use su to reboot the server. Is there a more secure option that aligns with the principle of least privilege?
A better option is sudo, which allows the administrator to delegate only the necessary task (in this case, rebooting the server). The root password combined with su would grant more than just the reboot privilege.

How are the su root and su - root commands different?
The su root command switches the user identity to that of root within the user profile settings of the original user. The su - root command switches the user identity to that of root with the root user’s own profile settings.

Whose password must be entered with sudo? Whose password must be entered with su?
The user’s own password must be entered with sudo. The destination user’s password must be entered with su.
FILE PERMISSIONS

• Every file has its own access rights for different groups of users. The access rights are Read, Write and Execute. These rights are provided to different groups of users: Owner, Group, and Other users. A file’s permissions appear as three groups of letters, each group representing the permissions given to one of these classes of user.
• Owner (u): The owner of the file or directory, also simply referred to as the user.
• Group (g): The file or directory's group and all users belonging to that group.
• Other (o): All other users (neither owner nor group member).
CHMOD-ABSOLUTE METHOD

The chmod command is used to change the permissions of files and directories.

We can view the permissions of a file by using the ls -l command in the terminal. For example, let’s say we have the following output in the terminal:
$ ls -l
-rwxr--r-- 1 root root 415 Feb 19 21:04 file1
First part: rwx: Represents the access rights of the owner of the file.
Second part: r--: Represents the access rights of the group.
Third part: r--: Represents the access rights of other users.

Here, the meaning of the symbols is as follows: r - readable, w - writeable and x - executable.


CHMOD-COMMANDS

Now, in order to change the permissions, we use the chmod command. Suppose we want the permissions of file1 to be:
Readable, writeable and executable for the owner.
Readable and executable for the group.
No permissions for others.

$ chmod 750 file1

$ ls -l
-rwxr-x--- 1 root root 415 Feb 19 21:04 file1
OCTAL CODES FOR PERMISSIONS

• 7: We are granting all rights: reading, writing and executing a file.
• 6: We are granting two rights: reading and writing a file.
• 5: We are granting two rights: reading and executing a file.
• 4: We are granting one right: reading a file.
• 3: We are granting two rights: writing and executing a file.
• 2: We are granting one right: writing a file.
• 1: We are granting one right: executing a file.
• 0: We are granting no rights at all.
CHMOD-RELATIVE METHOD

chmod can also be used in the relative method. In this method we specify which permissions are to be granted and which are to be denied.
Now suppose that you want to deny execute permission to the owner.
$ chmod u-x file1
$ ls -l
-rw-r--r-- 1 root root 415 Feb 19 21:04 file1
Now suppose that you want to allow write permission to the group.
$ chmod g+w file1
$ ls -l
-rw-rw-r-- 1 root root 415 Feb 19 21:04 file1
In a similar manner, chmod can be used to change the permissions of directories.
UMASK

chmod changes the permissions of existing files and directories. But if you want to change the default permissions that are given when you create a new file or directory, then the command is umask.
Suppose you want every newly created file to be given the following permissions:
Read and write to the owner
Read to the group
None to others

UMASK-COMMAND

$ umask 137
The interpretation of the octal number is the opposite of chmod. Here 1 means execute permission is denied to the owner, 3 means write and execute are denied to the group, and 7 means no permissions for others.

Note: A regular file can never be given execute permission by default.

QUESTIONS

List at least three reasons a user account might be locked.
An administrator locked the account while the user was on a leave of absence, an incorrect password was entered too many times, and password settings are misconfigured.

During a security audit it is discovered that a user does not have a password set. When you check the /etc/passwd file, the password field is properly populated with the x character. What file would actually display whether a password has been set for the user?
/etc/shadow
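The audit finding above can be checked mechanically from the second field of /etc/shadow, which also distinguishes a locked account from a service account that has no password login at all. Here is an added shell example (not from the slides) that classifies each account from a constructed shadow-format sample; the account names, the placeholder hashes and the function names classify_hash and audit_shadow are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): audit a file in /etc/shadow format for
# accounts with no password at all, distinguishing them from locked accounts and
# from service accounts that cannot log in with a password. The sample below is
# constructed so the script runs without root; pass a real path as the argument
# to audit a live system (reading /etc/shadow itself requires root).

# Constructed sample; field 2 is the password field (hashes are placeholders)
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
jdeng:$6$abcdef$placeholderhash2:19000:0:90:7:::
guest::19000:0:99999:7:::
oldcontractor:!$6$xyz$placeholderhash3:19000:0:99999:7:::
svc_backup:!!:19000:0:99999:7:::'

# classify_hash PASSWORD_FIELD -> empty | locked | nologin | hashed
classify_hash() {
    case "$1" in
        "")   echo empty ;;    # no password set: a login prompt accepts an empty password
        '!'*) echo locked ;;   # passwd -l / usermod -L prefix the hash with !
        '*')  echo nologin ;;  # not a valid hash: password login is impossible (typical service account)
        *)    echo hashed ;;
    esac
}

# audit_shadow FILE -> prints "user status" per account; returns 1 if any
# account has an empty password field (the finding in the audit question above)
audit_shadow() {
    rc=0
    while IFS=: read -r name pw _rest; do
        [ -z "$name" ] && continue
        status=$(classify_hash "$pw")
        echo "$name $status"
        [ "$status" = empty ] && rc=1
    done < "$1"
    return "$rc"
}

# Demo over the constructed sample (a real audit would pass /etc/shadow)
demo=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$demo"
if audit_shadow "$demo"; then
    echo "no empty password fields found"
else
    echo "FINDING: at least one account has an empty password field"
fi
rm -f "$demo"
```

The non-zero return value makes the check usable from a scheduled script, and the "locked" class is what the passwd -l and usermod -L operations on the earlier slides produce, so the same report shows whether a lock actually took effect.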
STORAGE

• Managing a Linux server that stores a significant amount of data requires an understanding of storage technologies. Various storage formats are better suited to storing specific types of data.
• In addition, the balance between cost and performance must be maintained, leading administrators to make particular choices when it comes to interfaces such as SATA, SCSI, and SAS.
• Storage capacity for user data, databases, logs, configuration files, operating system and application executables, and other resources is a major concern for sysadmins.
• Capacity is only one part of the issue, however. Related is the ability to maintain cost-effective, reliable, and secure storage media that is accessible to users and services.

Some examples of storage media types include:

Hard disk drive (HDD): Spinning magnetic disks, usually inexpensive, large, and relatively slow
Solid-state disk (SSD): Flash memory storage, usually expensive, fast, small, and shorter-lived
Universal Serial Bus (USB): Connection protocol for various external devices, including storage drives
Thumb drive: Removable storage media, usually connects via USB
External: Removable storage disk, usually connects via USB
TYPES OF STORAGE DESIGN

• Stored data is usually managed via one of three different designs: file, block, and object storage.
• File storage is the common approach to storing data on local drives, with data organized into discrete files stored in directories. These directories are organized in a hierarchical structure. Data is easy to retrieve and change, but file storage does not scale well: it must be scaled out rather than scaled up.
• Block storage is a good choice for large quantities of unstructured data stored across multiple platforms and storage types.
• Commonly used with SAN technologies, it is quick, reliable, and efficient.
• Object storage is cost-effective and very scalable but best for static data because it’s difficult to modify data once written.
• This makes it particularly unsuited for databases.

Note: A typical Linux server will rely on file storage by using one or more internal drives that use a standard filesystem to organize and retrieve data.
STORAGE INTERFACES

• Internal storage devices use different protocols and interfaces to communicate with the rest of the system.
• These designs vary by speed, communication type, and scalability. Various solid-state drives, hard disk drives, and flash storage use these interfaces.
• Serial Advanced Technology Attachment (SATA) is a common, inexpensive storage interface that uses a serial connection to communicate with the motherboard. This is the slowest of the three options discussed here but the least expensive. It is a good all-around solution for most systems.
• Small Computer Systems Interface (SCSI) tends to be expensive with less capacity than most SATA drives but makes up for this by being very fast. For servers, 10,000 and 15,000 RPM drives are common, while desktop and laptop drives might spin at 7,200 or 5,400 RPM. Multiple SCSI drives can be attached to the same chain, making their scalability far more flexible than SATA.
• Serial Attached SCSI (SAS) is an upgraded SCSI design with larger capacities, faster transfer speeds, and greater flexibility. However, these benefits come with a higher cost. The cost may be well worth it for mission-critical servers.

STORAGE INTERFACES

• Do all RAID array designs provide fault tolerance?

STORAGE INTERFACES
A storage quota is the storage space allotted to a user for file storage on a computer. Storage
quotas are configured on a per-user basis.
A quota report contains the following details:
The name of the user/group.
The total number of blocks (in kilobytes) that are being used by the user/group on a file system.
The user’s/group’s storage soft limit.
The user’s/group’s storage hard limit.
The grace period.
The total number of inodes that have been used on a file system by the