118 Cards in this Set

  • Front
  • Back
Group membership is controlled through the
Group membership is controlled through the /etc/group file.
contains a list of groups and the members belonging to each group
Where the user’s primary group is set
is set in the user’s configuration in /etc/passwd (the file
that defines accounts)
To run programs or create files with a group other than the primary one, however, the user must run the __________ cmd to switch the current group membership
newgrp project2
IDs range for system uses?
system 0 - 99

0 is root
Adding users can be accomplished through the _____ utility
useradd [-c comment] [-d home-dir] [-e expire-date] [-f inactive-days] [-g default-group] [-G group[,...]] [-m [-k skeleton-dir] | -M] [-p password] [-s shell] [-u UID [-o]] [-r] [-n] username
When using useradd <username> without any parameter the default values are applied
Where are the default values for the system stored
/etc/login.defs
useradd parameter
comment
home directory
account expiration
comment
-c comment

home directory
-d home-dir
def is /home/username

account expiration
-e expire-date
useradd parameter
inactive days
default group
inactive days
-f inactive-days
-1 to disable account expiration

default group
-g default-group
name or GID of the default user group
useradd parameter
additional groups
home dir option
no home dir creation
additional groups
-G group[,...]

home dir option
-m switch automatically creates the user's home dir

no home dir creation
-M
useradd parameter
encrypted password specification
default shell
UID
encrypted password specification
-p encrypted-password
passes a pre-encrypted password for the user to the system

default shell
-s shell
sets the name of the user's default login shell

UID
-u UID
create an account with the specified user ID value
+ int > 500
useradd parameter
system account creation
no user group
system account creation
-r specifies the creation of a system account - an account with a value less than UID_MIN as def in /etc/login.defs

no user group
-n in some distros (Red Hat) the system creates a group with the same name as the specified username
Suppose you’ve added a hard disk and mounted it as /home2. You want to create an account for a user named Sally in this directory and place her home directory on the new disk. You want to make the new user a member of the project1 and project4 groups, with default membership in project4. The user has also requested tcsh as her default shell. The following commands accomplish this goal:
# useradd -d /home2/sally -g project4 -G project1,project4 -s /bin/tcsh sally
# passwd sally
setting a password cmd
passwd [-k] [-l] [-u [-f]] [-d] [-S] [username]
passwd parameter
Update expired account
Lock account
Update expired account
-k parameter indicates that the system should update an expired account

Lock account
-l parameter locks an account by prefixing the encrypted password with an exclamation mark (!)
passwd parameter
Unlock accounts
Remove an account’s password
Display account information
Unlock accounts
-u parameter unlocks an account by removing a leading exclamation mark

Remove an account’s password
-d parameter removes the password from an account, rendering it password-less

Display account information
-S option displays info about the password for the account
This utility changes an existing account instead of creating a new one
usermod program

differences between useradd and usermod are

usermod allows the addition of a -m parameter when used with -d. The -d parameter alone changes the user’s home directory, but it doesn’t move any files. Adding -m causes usermod to move the user’s files to the new location.

usermod supports a -l which changes the user’s login name to the specified value

You may lock and unlock a user’s password with the -L and -U options, respectively.
Does changing the UID of a user account change the UID stored with a user's files?
No

You can manually update the UIDs on all files by using chown

# chown -R sally /home/sally
command allows you to modify account settings relating to account expiration
chage

It’s possible to configure Linux accounts so that they automatically expire if either of two conditions is true:
The password hasn’t been changed in a specified period of time.
The system date is past a predetermined time.

chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays] [-E expiredate] [-W warndays] username
chage parameters
display info
set the min time between pass changes
set the max time between pass changes
display info
-l option
causes chage to display account expiration and password aging info for a particular user

set the min time between pass changes
-m mindays
0 indicates multiple changes per day
1 once per day
2 and up twice and up

set the max time between pass changes
-M maxdays
chage parameters
Set the last password change date
Set the maximum inactive days
Set the expiration date
Set the number of warning days
Set the last password change date
-d lastday
last day a password was changed. This value is normally maintained automatically by Linux

Set the maximum inactive days
-I inactivedays
sets the number of days between password expiration and account disablement

Set the expiration date
-E expiredate

Set the number of warning days
-W warndays
sets the number of days before account expiration that the system will warn the user of the impending expiration
A typical /etc/passwd entry resembles the following
sally:x:529:100:Sally Jones:/home/sally:/bin/bash

Username - Password - account user ID - default login group ID - comment - home dir - default shell

the x for password indicates that shadow passwords are in use
An /etc/shadow line resembles the following:
sally:E/moFkeT5UnTQ:14069:0:-1:7:-1:-1:

user name - password (stored in encrypted form) - last password change - days until change is allowed - days before the change is required - warning before expiration - days between activation/deactivation - expiration date - special flag
cmd to delete a user account

remove user files option
force deletion option
get help
userdel

remove user files option
-r/--remove
removes files from the mail spool and home dir

force deletion option
-f/--force
force deletion while user is still logged in

get help
-h/--help
if sally was UID 529, you can use the following command to locate all her files; useful when looking for all user files outside of the home dir:
# find / -uid 529
removing users from Samba
Samba keeps its own list of users

manually edit smbpasswd file usually in
/etc, /etc/samba or /etc/samba.d

or

smbpasswd -x sally
Linux provides the _____ command to add a new group
groupadd [-g GID [-o]] [-r] [-f] groupname
groupadd options

Specify GID
Create a sub-500 GID
Force creation
Specify GID
-g GID parameter
when omitted uses the next available GID

Create a sub-500 GID
-r parameter instructs groupadd to create a group with a GID of less than 500.

Force creation
-f parameter
if you try to create a group that already exists, groupadd returns an error message
Group information, like user account information, may be modified either using
utility programs
directly editing the /etc/group
command modifies an existing group’s setting
groupmod [-g GID [-o]] [-n newgroupname] oldgroupname
cmd to add a user to a group
usermod with -G

# usermod -G users,project1,project4 sally

omitting any of the user's current groups will remove the user from those groups
discover the groups to which a user currently belongs with the _________ cmd
groups cmd

groups sally
cmd that allows you to modify group features and assign group admin
gpasswd [-a user] [-d user] [-R] [-r] [-A user[,...]] [-M user[,...]] group
gpasswd option
add a user
delete a user
disallow newgrp additions
add a user
-a user

delete a user
-d user

disallow newgrp additions
-R option configures the group to not allow anybody to
become a member through newgrp
gpasswd options
remove password
add group admin
add users
remove password
-r option removes the password from a group.

add group admin
-A user[,...] parameter to specify group administrators

add users
-M user[,...]
If entered without any parameters except a group name, gpasswd changes
the password for the group. Group passwords enable you to control temporary membership in a group
Group information is stored primarily in what file
/etc/group

A typical line in this file resembles the following:
project1:x:501:sally,sam,ellen,george

group name - password - GID - user list
Systems with shadow passwords also use another file, _________ to store shadow password information about groups.
/etc/gshadow
Deleting groups is done via
groupdel command

groupdel project3

You can also delete a group by editing the /etc/group file (and /etc/gshadow, if present) and removing the relevant line for the group.
This is not recommended
files in /etc are
global configuration files, which affect all
users
You can view all your current environment variables by typing
env cmd
location of skeleton dir
/etc/skel

useradd copies files from the skeleton directory (/etc/skel by default) into a newly created home directory
daemon def
daemon is a program that runs continuously in the background waiting for an event to trigger it to perform some action
main log daemon
syslogd

often installed from a package called sysklogd
syslogd daemon expl
syslogd daemon handles messages from servers and other user-mode programs. It’s usually paired with a daemon called klogd, which is generally installed from the same sysklogd package as syslogd.
klogd daemon
manages logging of kernel messages
syslog-ng
daemon for logging that supports advanced filtering options
config for syslogd

config for rsyslog
done through the /etc/syslog.conf file

rsyslogd configuration file is /etc/rsyslog.conf
/etc/syslog.conf structure
# comment line

facility.priority action

facility - code word for the type of program that generated the message

priority - code word for the importance of this message

action - file or remote pc that accepts the message

facility and priority together are referred to as the selector
Valid codes for the priority in /etc/syslog.conf
debug, info, notice, warning, warn, error, err, crit, alert, emerg, panic.

warning = warn
error = err
emerg = panic

error, warn, panic are
deprecated
Valid codes for the facility in /etc/syslog.conf
auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security, syslog, user, uucp, local0 through local7.

An asterisk (*) refers to all facilities
multiple facilities in one selector by separating the facilities with commas (,).
priority in /etc/syslog.conf special characters
=crit
describes what to do with messages of crit priority only

*
all priorities

!crit

causes messages below crit priority to be logged
priority in /etc/syslog.conf action
facility.priority action

most of the time the action points to a file
typical directory tree for logs
/var/log

messages, logs, secure are 3 common and important log files
to display log messages on the screen what action target needs to be specified in /etc/syslog.conf
/dev/console
to display on remote machine what action target needs to be specified in /etc/syslog.conf
a remote machine name preceded by an at sign (@) to log data to the specified system, and a list of usernames of individuals who should see the message if they’re logged in.
line sends all log entries identified by the originating program as related to mail to the /var/log/mail file
mail.* /var/log/mail
line sends all emerg-level messages to the consoles of all users who are logged into the
computer using text-mode tools.
*.emerg *
logs all kernel messages to /var/log/kernel

sends critical messages to logger.pangaea.edu.
kern.* /var/log/kernel

kern.crit @logger.pangaea.edu
sends messages that are between info and err in priority to /var/log/kernel-info.
kern.info;kern.!err /var/log/kernel-info
to manually create a log entry or have a script do so use
logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message ...]
logger options

Record logger PID
Output to standard error
Log using datagrams
Record logger PID
-i
records ID of the logger process along with other data

Output to standard error
-s
echo data to standard error, as well as to the log file

Log using datagrams
-d
causes logger to use datagrams rather than a stream connection
logger options

log a file
identify priority
log tags
log a file
-f file

identify priority
-p pri
specifies priority

log tags
-t tag
by default logger includes its name in the log file as the tag; this can be changed with this option
logger options

specify socket
specify a message
specify socket
-u socket
can log directly to a socket

specify a message
if you don't specify a file using -f file, logger will log whatever you type after the other options as the message to be logged; to terminate the input press Ctrl + D
you want to log the message “shutting down for system maintenance” to the system log. You can do so by typing the following command:
$ logger shutting down for system maintenance

The result will be an entry like the following, probably in /var/log/messages:
Jul 29 14:09:50 nessus logger: shutting down for system maintenance
The most common log rotation tool is a package called
logrotate

typically called on a regular basis via a cron job
logrotate program consults a configuration file called
/etc/logrotate.conf

includes several default settings and typically refers to files in /etc/logrotate.d to handle specific log files
Manually Setting the Time main tool to set the software clock is
date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]

without parameters displays current date
utility enables you to set the hardware clock from the software clock or vice versa

show hardware clock option
set hardware clock manually
hwclock [options]

show hardware clock option
-r --show

set hardware clock manually
--set --date=newdate
hwclock [options]

Set the hardware clock based on the software clock
Set the software clock based on the hardware clock
Specify UTC or local time
Set the hardware clock based on the software clock
--systohc
if soft clock is set with --systohc you can set the hardware clock

Set the software clock based on the hardware clock
--hctosys
to set the software clock to the
hardware clock’s value

Specify UTC or local time
tell Linux to treat the hardware clock as storing UTC by using the --utc option or to treat it as holding local time by using the --localtime option
SMB/CIFS
Server Message Block/Common Internet File System
ntp.drift
usually in /var/lib/ntp but is sometimes stored in /etc.
list NTP servers in linux

NTP config file
ntp
xntp
ntpd
xntpd

/etc/ntp.conf. This file contains various NTP options, but the most important are the server lines
Once you’ve made your changes, start or restart your NTP daemon. Typically, this is done via a SysV startup script:
# /etc/init.d/ntpd restart
differences between useradd and usermod
- usermod allow -m when using -d
-d changes the user's home dir, but doesn't move any files
-m causes usermod to move the user's files to the new location

- usermod supports -l
changes login name to specified value
cmd that allow modification of account settings related to account expiration
chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays] [-E expiredate] [-W warndays] username
chage -l ?

chage -m ?

chage -M ?
chage -l
displays account expiration and password aging info for a user

chage -m mindays
parameter sets the min number of days between password changes; 1 once a day; 2 every two days

chage -M maxdays
chage -d

chage -I

chage -E

chage -W
chage -d lastday
sets the last day the password was changed

chage -I inactivedays
sets the number of days between password expiration and account disablement

chage -E expiredate
sets an absolute expiration date

chage -W warndays
sets the number of days before account expiration that the system will warn the user of the impending expiration
shutdown account def
many systems include a shutdown account with /bin/shutdown as the shell
if you log in to this account, it immediately shuts down the system
Account with shell of /bin/false (def)
An account with a shell of /bin/false prevents users from logging in as ordinary users but leaves other utilities intact.
Users can still receive mail and retrieve it
* or ! in /etc/shadow file
the password is stored in encrypted format in /etc/shadow
! or * denotes an account with no password, aka a locked account that doesn't accept logins, usually used by the system itself
permission for ownership by root
permission for ownership by root
rw------- (600)
/etc/shadow is with this permission

rw-r--r-- (644) indicates that a file is readable by ordinary users
omitting -r in # userdel -r sally
You may omit the -r parameter if you want to preserve the user’s files
most common way of creating groups
without specifying any parameters but name

#groupadd projects3
what useradd does with dir _________ when creating new users
useradd copies files from the skeleton directory /etc/skel into a newly created home dir
rsyslog (expl)
recent versions of Fedora use this rsyslogd daemon
using tail to monitor a file on an ongoing basis (cmd)
tail -f /var/log/messages
UTC
GMT (abbr)
UTC - Coordinated Universal Time
GMT - Greenwich Mean Time
Example: set the time to 3:02 pm on October 27, 2009 by using the following cmd
date 102715022009
Options and cmd to use to set clock in UTC
date cmd with -u, --utc or --universal
ntp.drift file
NTP doesn’t just reset the system clock periodically;
the server improves the accuracy of the system clock. In part, this is done through the ntp.drift file, which is usually buried in /var/lib/ntp but is sometimes stored in /etc. This file holds information about the software clock’s inaccuracies and so can be used to
correct for them.
to verify that NTP is working use _________ cmd

Obtain NTP server list cmd
ntpq

ntpq -q
You may want to ensure that your NTP clients can’t be accessed as servers. This is a security measure. You can do this with an ______________ firewall rule or by using the _____________ line in ntp.conf
iptables firewall rule

restrict default ignore line in ntp.conf. This line tells the server to ignore all incoming NTP requests.
ntpdate cmd
a simpler way to set the time on a client
part of the NTP suite
performs a one-time clock setting

#ntpdate clock.example.com
ntpd switch equivalent to ntpdate
-q

ntpd -q
enables it to perform a one-time clock setting to a value that's wildly divergent from the current time
folder containing temp files created by users
/tmp
cron def
a program daemon, running continuously, responding to temporal events.
Wakes up once a minute and examines config files in /var/spool/cron and /etc/cron.d directories and the /etc/crontab file, and executes commands
specified by these configuration files if the time matches the time listed in the files
conf file used by cron (list ?)
/var/spool/cron
/etc/cron.d
/etc/crontab
two types of cron jobs (list ?)
system cron jobs - run as root and perform system-wide maintenance tasks
user cron jobs - ordinary users can create user cron jobs which can run some user program on a regular basis
what file controls system cron jobs
/etc/crontab

usually begins with several lines that set environmental var such as $PATH and $MAILTO
/etc/crontab sample line
02 4 * * * root run-parts /etc/cron.daily

first 5 fields spec. time
min-hour-dayofmonth-month-dayofweek
* - matches all possible values
- "dash" indicates range of values
/ "slash" in conjunction with other multi-value options, specifies stepped values - */10 means every 10 min
6th field is account name to be used when exec the prog
7th cmd to be run "run-parts /etc/cron.daily"
most distributions include monthly, daily, weekly and hourly system cron jobs each corresponding to scripts in a directory called ________ + alternative for other distros _______
/etc/cron.interval

where interval is a word associated with the run frequency

other distros place them in /etc/cron.d/interval
to create a user cron job use _____ utility
crontab
(not to be confused with the /etc/crontab config file)

crontab [-u user] [-l | -e | -r] [files]
crontab modifiers
-u
-l
-e
-r
[files]
crontab modifiers
-u user
modifies the cron job associated with the current user

-l
causes crontab to display the current cron job

-r
removes the current cron job

-e
opens an editor to edit the current cron job

[files] you can create a cron job config file and pass the file name to crontab
crontab -u tbaker my-cron
crontab will use my-cron as the settings for tbaker's job
Sample cron job
SHELL=/bin/bash
MAILTO=tbaker
HOME=/home/tbaker
0,30 * * * * /usr/bin/fetchmail -s
0 2 * * mon /usr/local/bin/clean-adouble $HOME
location for user cron job
/var/spool/cron
/var/spool/cron/tabs
/var/spool/cron/crontabs
Users who should be able to schedule jobs using cron should be added to what group
cron
but check owner and permission on the
/usr/sbin/cron
/usr/sbin/crontab
cron allowed users are listed in what file
cron disallowed users are listed in what file
/etc/cron.allow
/etc/cron.deny
anacron def
cron is great for systems that don't get turned off
anacron keeps a record of programs it should execute and how frequently it should (in days)
when anacron is run, it checks to see if a program's execution interval has passed
usually started with startup script
anacron config file
/etc/anacrontab

this file consists of comments, environmental variable set lines and job definition lines

job def. line: period delay identifier command
delay between anacron start and when job is executed
sample anacron file /etc/anacrontab
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# format: period delay job-identifier command
1 5 cron.daily run-parts /etc/cron.daily
7 10 cron.weekly run-parts /etc/cron.weekly
30 15 cron.monthly run-parts /etc/cron.monthly
start up script to run cron
SysV startup script with no options that runs anacron should be config to run from your regular runlevel
OR
place a call to anacron in a local startup script like
/etc/rc.d/rc.local - Fedora/RedHat
/etc/boot.d/boot.local - Suse
at cmd expl
when you want to run a single cmd at a specific point in the future on a one-time basis, use the at cmd
at HH:MM
at takes a single option time

at HH:MM
at MMDDYY, MM.DD.YY or MM/DD/YY
at cmd daemon is
atd
at relies on it to be running
if your system doesn't start atd automatically, you may need to configure a SysV startup
What
at -f commands.sh noon
does?
use the contents of commands.sh as the commands you want to run at noon
Quit at cmd prompt with what shortcut
Ctrl + D
atq cmd
atrm cmd
atq - list pending at jobs
atrm - removes an at job from the queue
at cmd access restriction
/etc/at.allow
/etc/at.deny

if neither exist only root can use at cmd