chapter 6 - linux administration basics.pdf

7/28/2019 Chapter 6 - Linux Administration Basics.pdf

1/57

C H A P T E R 6

LINUX ADMINISTRATIONBASICS


2/57

A. SETTING THE HOSTNAME

To change your machine hostname, you need to edit twoconfiguration files named hostname and hosts bothlocated in/etc directory:

1. Open a terminal and run the following command:

gksudo gedit /etc/hostname /etc/hosts

2. Change the line on the hostname file to the desiredhostname.

3. Change the second line on the hosts file to the desiredhostname.

4. Save and close both files.

5. Reboot.


3/57

B. SETTING FILE PERMISSION

Access rights: Linux's first line of defense

On a Linux system, each file has three types of access:read, write and execute for three categories of

users: owner (user), group and others.

Owner is the user who creates the file. Group is thegroup name that the owner belongs to. Others is any

other user (not being the owner and not belonging tothe group having access rights to the file).

For each category of users, read, write and executeaccess rights can be granted or denied.


4/57


Permission File Directory

readUser can look at thecontents of the file.

User can list the files in thedirectory.

writeUser can modify thecontents of the file.

User can create new files andremove existing files in thedirectory.

execute

User can run the file

as if it were aprogram.

User can change into thedirectory, but cannot list the files

unless (s)he has read permission.User can read files if (s)he hasread permission on them.

Interpretation of permissions for files and directories


5/57


With the -l option (long list) ofls, you can find outthe access rights (permissions) for any given file ordirectory:

$ ls -ltotal 4drwxrwxr-x 2 prescilla prescilla 4096 Feb 9 23:24 files-rw-rw-r-- 1 prescilla prescilla 0 Feb 9 23:20 permissions

The Linux file permission is divided into three groups:FileType Owner Group Othersd rwx rwx r-x- rw- rw- r--


6/57


When assigning permissions to a file or directory,symbols are used to represent the threecategories of users and their permissions.

Symbol Represent

u user (owner)

g group

o others

a all users (ugo)

Symbol Meaning

r read

w write

x execute

- No permission

Access mode codesUser group codes


7/57


Another method used to set Linux file permission is theoctal system which uses numbers to representpermissions.

0 = No permission1 = Execute permission2 = Write permission3 = Write and execute permissions4 = Read permission

5 = Read and execute permissions6 = Read and write permissions7 = Read, write and execute permissions

Note: The essential numbers are1, 2and4which represent execute, write and readpermissions respectively. Other numbers are just the sum of adding those numbers together.


8/57


Code Meaning

0 or - The access right that is supposed to be onthis place is not granted.

4 or rread access is granted to the usercategory defined in this place

2 or wwrite permission is granted to the usercategory defined in this place

1 or xexecute permission is granted to the usercategory defined in this place

The table below summarizes file permission codes(symbols or octal) used in Linux:


9/57


10/57

SETTING FILE PERMISSION USINGSYMBOLIC MODES

To change file permission using symbolic modes, usethe user group and access mode codes withoperators listed in the table below:

Operator Description

+adds the specified permission to thespecified user group

- removes the specified permission fromthe specified user group

=Assigns the specified permissions to thespecified user group


11/57


Take the example below:

-rw-rw-r-- 1 prescilla prescilla 0 Feb 9 23:20 sample

The sample file has read and write permission forboth user and group while other users can only readit. To add write permission to other users, run the ff.command:

$ chmod o+w sample

Note: The+ and- operators are used tograntordenya given right to agiven group. o represents other users and w for write access.


12/57


$ ls l sample-rw-rw-rw- 1 prescilla prescilla 0 Feb 9 23:20 sample

As seen above, other users has now write

permission to the sample file.

To add execute permission to all users, run the ff.:

$ chmod a+x sample

OR$ chmod ugo+x sample

Note: x is for execute permission, a represents all users, butugo canalso be used which indicates user, group & others.


13/57


$ ls l sample-rwxrwxrwx 1 prescilla prescilla 0 Feb 9 23:20 sample

As seen above, all users has now execute permission

to the sample file.

To remove the execute permission to all users, runthe ff.:

$ chmod a-x sampleOR

$ chmod ugo-x sample

Note: The- operator is used to deny a given right to a given group.


14/57


Combinations separated by commas are allowed whenspecifying options for chmod.

Here's another one, which makes the file from theprevious example a private file to user prescilla:

$ ls l sample-rw-rw-rw- 1 prescilla prescilla 0 Feb 9 23:20 sample

$ chmod u+rwx,go-rwx sample

$ ls -l sample-rwx------ 1 prescilla prescilla 0 Feb 9 23:20 sample

As seen above, all permissions to the sample file wasdenied to group and other users.


15/57


You can also remove or deny permission by usingthe assignment (=) operator and setting it to noneor empty. Therefore the previous chmodcommand line can be rewritten as:

$ chmod u+rwx,go= sample$ ls -l sample

-rwx------ 1 prescilla prescilla 0 Feb 9 23:20 sample


16/57

SETTING FILE PERMISSION USING OCTALMODES

Octal numbers have been used widely todescribes file or directory permission in Linuxsystem. It is faster using octal numbers to

change Linux file or directory permissions andeasier than the first method.

When using chmod with octal digits as

arguments, the values for each granted accessright have to be counted together per group.Thus we get a 3-digit number, which is the valuefor the settings chmod has to make.


17/57


Lets take the previous example:

$ ls -l sample-rwx------ 1 prescilla prescilla 0 Feb 9 23:20 sample

To set read and write permission for owner, andonly read access for group and others, using theoctal system:

$ chmod 644 sample-rw-r--r-- 1 prescilla prescilla 0 Feb 9 23:20 sample

Note:644 means read and write permission for owner, read for groupand others.


18/57


You can also set permissions to multiple files atonce. For example:

$ ls -l

-rw-r--r-- 1 root root 84669 2008-09-11 01:13 snapshot1.png-rw-r--r-- 1 root root 100439 2008-09-11 01:14 snapshot2.png-rw-r--r-- 1 root root 113450 2008-09-11 01:14 snapshot3.png$ chmod 666 snapshot*.png$ ls -l-rw-rw-rw- 1 root root 84669 2008-09-11 01:13 snapshot1.png

-rw-rw-rw- 1 root root 100439 2008-09-11 01:14 snapshot2.png-rw-rw-rw- 1 root root 113450 2008-09-11 01:14 snapshot3.png

Note: the octal digit 666 grants read (r) and write (w) permissions to allusers.


19/57


chmodcan also be used to set permissions for a

multiple files and directories by using the R(recursive) option. To change all the permissions

of each file and folder under a specified directoryat once:

user@host$ sudo chmod 777 -R /path/to/someDirectoryuser@host$ ls -l

total 3-rwxrwxrwx 1 user user 0 Nov 19 20:13 file1drwxrwxrwx 2 user user 4096 Nov 19 20:13 folder-rwxrwxrwx 1 user user 0 Nov 19 20:13 file2

Note: the octal digit 777 grants read (r), write (w) & execute (x) permissions to all users.


20/57

UNDERSTANDING UMASK

When a user create a file/directory underLinux, he/she create it with a default set ofpermissions. The user file-creation mode mask(umask) is a four-digit octal number use todetermine/control these default set ofpermissions.

By default most Linux distribution has set it to0022 (022) for root and 0002 (002) for normaluser.


21/57

UNDERSTANDING UMASK

To check the default umask value, runumask from a terminal:

user@linux:~$ umask0002

root@linux:~# umask0022


22/57

UNDERSTANDING UMASK

The base permission for newly created filesare 0666 (rw-rw-rw) while directories hasa base permission of

0777(rwxrwxrwx

).

To compute for the final permission ofnewly created files/directories, the umask

value is subtracted from the basepermission.


23/57

UNDERSTANDING UMASK

Normal user:777 002 = 775 (directories)

666 - 002 = 664 (files)

Root user:

777 022 = 755 (directories)666 022 = 644 (files)


24/57

UNDERSTANDING UMASK

Therefore, a normal user will have thefollowing default permissions:

775 (rwxrwxr-x) for directories

664 (rw-rw-r--) for files

While a root user will have the following

default permissions:755 (rwxr-xr-x) for directories

644 (rw-r--r--) for files


25/57

C. SETTING FILE OWNERSHIP

Linux has a very special file ownership andpermission system. Each files/directorieshas 2 owners which is user and group. Thatmeans, a certain file or a directory has itsowner and group responsible for it.

Changing user or group ownership of a fileis done with the chown (change owner)and chgrp (change group) commands.


26/57


The chown command can be applied to changeboth user and group ownership of a file, whilechgrp only changes group ownership.

In order to only change the user ownership ofa file, use this syntax:

chown newuser file

If you use a colon after the user name, groupownership will be changed as well, to theprimary group of the user issuing thecommand.


27/57


In order to change the user and groupownership of a file, use this syntax:

chown newuser:newgroup file

To only change group ownership, you caneither use chgrp or chown with a different

syntax:chown :newgroup file

chgrp newgroup file


28/57


For example, p1 is owned by root and adm group,to change its ownership, use chown:

$ ls l p1-rw-rw-r-- 1 root adm 0 Feb 24 15:28 p1$ chown prescilla p1$ ls l-rw-rw-r-- 1 prescilla adm 0 Feb 24 15:28 p1

To change its owner and group at the same time,use chown and add a colon (:) after the user name:

$ chown prescilla: p1$ ls l p1-rw-rw-r-- 1 prescilla prescilla 0 Feb 24 15:28 p1


29/57


Using the same file, if you only want to changegroup ownership, use chgrp:

$ ls l p1-rw-rw-r-- 1 root adm 0 Feb 24 15:28 p1$ chgrp prescilla p1$ ls l-rw-rw-r-- 1 root prescilla 0 Feb 24 15:28 p1

You can still use chown to change groupownership:

$ chown :prescilla p1$ ls l p1-rw-rw-r-- 1 root prescilla 0 Feb 24 15:28 p1


30/57

D. LOGGING ON TO ANOTHER GROUP

When you type idon the command line, youget a list of all the groups that you canpossibly belong to, preceded by your user

name and ID and the group name and ID thatyou are currently connected with.

However, on many Linux systems you can only

be actively logged in to one group at the time.By default, this active or primary group is theone that you get assigned from the/etc/passwdfile.


31/57


For example, prescilla is currently connectedto its primary group prescilla:

$ id

uid=1000(prescilla) gid=1000(prescilla)groups=1000(prescilla),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare),126(vboxusers)

As seen above, prescilla can also belong toseveral other secondary groups i.e. adm, disk,dip, etc.


32/57


For a user to logon to a secondary group, he/shemust use the newgrp command. This is useful if a

user needs to create a file that should be ownedby another group.

$ newgrp adm$ iduid=1000(prescilla) gid=4(adm)$ touch test

$ ls l-rw-rw-r-- 1 prescilla prescilla 0 Feb 24 15:28 p1-rw-rw-r-- 1 prescilla adm 0 Feb 24 18:34 test

Note: Logging in to a new group prevents you from having to usechown to change ownerships for you.


33/57

E. CREATING USER ACCOUNTS

Creating users in Linux system is a routinetask for system administrators.

Sometimes you may create a single userwith default configuration or with customconfiguration, or create several users at

same time using some bulk user creationmethod.


34/57


Method 1: Create user with defaultconfigurations using useraddcommand

To create user with default configurations:

useraddm

By default, useradd will not create a home

directory for the new user, unless you add the moption. If you need to set a different path for theusers home directory, use the doption.


35/57


Example 1:Create a new user named ayeshawith default configuration:

$ sudo useraddm ayesha

If you dont specify a password for the accountthe system will lock it and the user will not beable to login to the system this is easilyaccomplished with the following command:

$ passwd


36/57


You can create a user and set its passwordin one command line:

$ useraddm username p password

The previous example can be rewritten as:

$ sudo useraddm ayesha p 1234

Note:This method will print the password in the terminalscreen.


37/57


Method 2: Add user with custom configurations

To create user with custom configurations:

useradd [options]

Options are listed on the next slide. To see a fulllist of

useraddoptions, see the man pages, by

running:

$ man useradd


38/57

USERADD OPTIONS

Options Meaning-d Specifies the users home directory

-m Create the user's home directory if it does not exist.

-s Specifies the name of the user's login shell

-g Specifies the users primary group-G Specifies the users secondary groups

-eSpecifies the date on which the user account will be disabled.

The date is specified in the format YYYY-MM-DD.

-cAny text string. It is generally a short description of the login,

and is currently used as the field for the user's full name.

-f

Specifies the number of days after a password expires until the

account is permanently disabled. A value of 0 disables the

account as soon as the password has expired, and a value of -1

disables the feature.


39/57


Example 2:Create a new user with customconfigurations:

$ sudo useraddmg prescilla e 2013-

03-01 c Linus Torvalds linus

$ cat /etc/passwd | grep linuslinus:x:1003:1000:Linus

Torvalds:/home/linus:/bin/shNote:The new user linus has a group id of 1000 which isthe group id of prescilla.


40/57


To check the account and password expiry ofan account, use the chagecommand:

$ chage l linus

Last password change : Feb 24, 2013Password expires : neverPassword inactive : never

Account expires : Mar 01, 2013Minimum number of days between password change: 0

Maximum number of days between password change: 99999Number of days of warning before password expires: 7


41/57


To disable password aging / expiration for a user,run chage command and set the following:

Minimum Password Age to 0

Maximum Password Age to 99999Password Inactive to -1Account Expiration Date to -1

Interactive mode command:

$ chage username

OR

$ chage -I -1 -m 0 -M 99999 -E -1 username


42/57


Method 3: Create users interactively withadduser command

A very simple way of creating a user in thecommand line interactively is using adduser

command.

adduser


43/57


Example 3:Create a new user with adduser:

$ sudo adduser spideyAdding user `spidey' ...Adding new group `spidey' (1007) ...

Adding new user `spidey' (1007) with group `spidey' ...Creating home directory `/home/spidey' ...Copying files from `/etc/skel' ...Enter new UNIX password:Retype new UNIX password:passwd: password updated successfullyChanging the user information for spidey

Enter the new value, or press ENTER for the defaultFull Name []: Peter ParkerRoom Number []:Work Phone []:Home Phone []:Other []:Is the information correct? [y/N] y


44/57


Method 4: Add multiple users at oncewith newusers command

Sometimes you may want to to create multiple

users at the same time. Fortunately, Linux offers away to create users using newusers command.This can also be executed in batch mode as it

cannot ask for any input.$ newusers FILENAME


45/57


First step is to create a text file that willcontain the user account information.

The file format is same as the password file:loginname:password:uid:gid:comment:home_dir:shell


46/57


$ cat users.txtuser1:password:1005:513:Student Account:/home/user1:/bin/bashuser2:password:1006:513:Sales user:/home/user2:/bin/bashuser100:password:1007:513:Sales user:/home/user100:/bin/bashtom:password:1008:501:Guest Account:/home/guest:/bin/menujerry:password:1009:501:Guest Account:/home/guest:/bin/menu

Since username and passwords are stored inclear text format make sure only you canread/write the file. Use chmodcommand:

$ chmod 600 users.txt


47/57


Now, create the users in batch:

$ newusers users.txt

Verify that your /etc/group, /etc/passwdand /etc/shadow files are updated:

less /etc/group

less /etc/passwd

less /etc/shadow


48/57

F. SWITCHING BETWEEN USER ACCOUNTS

When you know the password of anotheruser's account, you can present yourself to thesystem with that user's permissions using the

su command (switch user).

su - username

You will be prompted to enter the password.After the authentication process, you areworking on the system using the permissionsof that user .


49/57


To make sure you are logged in as anotheruser, check with the idcommand:

$ su - linus$ iduid=10032(linus)gid=1000(prescilla)

groups=1000(prescilla)


50/57


By default, the Root account password is lockedin Ubuntu. This means that you cannot login asRoot directly or use the su command to become

the Root user. However, since the Root accountphysically exists it is still possible to run programswith root-level privileges. This is where sudo

comes in - it allows authorized users to run certain

programs as Root without having to know theroot password. To switch to root environment:

$ sudo i


51/57


Allowing other users to run sudo

To add a new user to sudo:

$ sudo adduser sudo

where you replace with the name

of the user (without the ).


52/57

G. DELETING USER ACCOUNTS

You need to use the userdel command to

delete a user account and related files fromuser account.

The userdel command must be run as

root user. The syntax is as follows:

userdel userName


53/57

G. DELETING USER ACCOUNTS

Example:

To remove the user aye from the system:

$ userdel ayeTo remove the user's home directory pass the-r option to userdel, enter:

$ userdel -r ayeNote:The above command will remove all files along with the homedirectory itself and the user's mail spool. Please note that files locatedin other file systems will have to be searched for and deletedmanually.


54/57

G. DISABLING USER ACCOUNTS

Sometimes is it recommend to disable anaccount instead of removing it right away,especially if you are working with a

corporate server with lots of users.You need to use the usermodcommand tolock and disable user account. The -L

option lock user's password by putting a (!)in front of the encrypted password. Todisable user account, set expire date to 1.


55/57


In this example, user account aya is disabled:

$ usermod -L -e 1 aya

When aya tries to login either graphically orvia text console, she will be greeted with thefollowing messages:

Your account has expired; please

contact your systemadministrator.

Invalid password.

Permission denied.


56/57


To re-enable an account with a lockedpassword, simply remove the (!) from the/etc/shadow file which stores the encrypted

password for all users.

$ gedit /etc/shadow

To remove an account expiry date, run:$ usermode -1 user-account

Note:You can also use chage command to set expiry date to -1.


57/57

E N D O F C H A P T E R 6

LINUX ADMINISTRATIONBASICS

chapter 6 - linux administration basics.pdf

Documents