
LINUX ADMINISTRATION BASICS

CHAPTER 6

A. SETTING THE HOSTNAME


To change your machine's hostname, you need to edit two configuration files in the /etc directory, hostname and hosts:

1. Open a terminal and run the following command (gksudo is the graphical sudo front end of older Ubuntu releases; sudo nano or sudoedit does the same job on any system):
   gksudo gedit /etc/hostname /etc/hosts
2. Replace the single line in the hostname file with the desired hostname.
3. In the hosts file, change the old hostname on the 127.0.1.1 line (the second line on an Ubuntu system) to the new one. If this line is not updated, sudo and other tools that resolve the local name print "unable to resolve host" warnings.
4. Save and close both files.
5. Reboot, or run sudo hostname <newname> to apply the change to the running kernel immediately.

Note: on systemd-based systems, sudo hostnamectl set-hostname <newname> writes /etc/hostname and sets the kernel hostname in one step without a reboot; /etc/hosts still has to be edited by hand.
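The same change done with a small script, as an added example that is not part of the original slides: it validates the new name before touching anything and edits only the 127.0.1.1 entry in the hosts file, leaving every other entry alone. The file paths are parameters so it can be tried on copies first; on a live system pass /etc/hostname and /etc/hosts and run it as root. The function names and the sample file contents are the example's own; it assumes a POSIX shell with awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the original slides): rewrite the two files that the
# procedure above edits by hand. Paths are parameters so the function can be
# exercised on copies; on a real system call it with /etc/hostname /etc/hosts
# as root.
set -eu

# valid_hostname NAME -> true if NAME is a valid RFC 1123 host label:
# 1-63 characters, letters/digits/hyphen, not starting or ending with a hyphen.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# set_hostname_files NEWNAME HOSTNAME_FILE HOSTS_FILE
# Writes NEWNAME to HOSTNAME_FILE and replaces the old name on the 127.0.1.1
# line of HOSTS_FILE (the "second line" the slide refers to on Ubuntu).
set_hostname_files() {
    new=$1
    hn_file=$2
    hosts_file=$3
    valid_hostname "$new" || { printf 'invalid hostname: %s\n' "$new" >&2; return 1; }
    old=$(cat "$hn_file")
    printf '%s\n' "$new" > "$hn_file"
    # Only the 127.0.1.1 line is touched, and only whole fields equal to the
    # old name are replaced, so entries for other hosts are left as they are.
    awk -v old="$old" -v new="$new" 'BEGIN { OFS = "\t" }
        $1 == "127.0.1.1" { for (i = 2; i <= NF; i++) if ($i == old) $i = new }
        { print }' "$hosts_file" > "$hosts_file.tmp" && mv "$hosts_file.tmp" "$hosts_file"
}

# Demo on constructed copies of the two files (not the live /etc files).
demo=$(mktemp -d)
printf 'oldbox\n' > "$demo/hostname"
printf '127.0.0.1\tlocalhost\n127.0.1.1\toldbox\n10.0.0.5\toldbox-backup\n' > "$demo/hosts"
set_hostname_files newbox "$demo/hostname" "$demo/hosts"
cat "$demo/hostname" "$demo/hosts"
rm -rf "$demo"
```

The awk program rebuilds only the line it changes, so comments and unrelated entries keep their original spacing; a name such as oldbox-backup on another line is not a whole-field match and survives.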

B. SETTING FILE PERMISSION


Access rights: Linux's first line of defense
On a Linux system, each file has three types of access, read, write and execute, for three categories of users: owner (user), group and others.
The owner is initially the user who created the file. The group is the group that owns the file, by default the primary group of the user who created it. Others are all users who are neither the owner nor members of the file's group.

For each category of users, read, write and execute access rights can be granted or denied.



Interpretation of permissions for files and directories:

read (r)
  File:      user can look at the contents of the file.
  Directory: user can list the names of the files in the directory.
write (w)
  File:      user can modify the contents of the file.
  Directory: user can create new files and remove existing files in the directory (execute permission on the directory is needed as well).
execute (x)
  File:      user can run the file as if it were a program.
  Directory: user can change into the directory and open files in it by name (given read permission on the files themselves), but cannot list the directory unless (s)he also has read permission on it.



With the -l option (long list) of ls, you can find out the access rights (permissions) for any given file or directory:

$ ls -l
total 4
drwxrwxr-x 2 prescilla prescilla 4096 Feb  9 23:24 files
-rw-rw-r-- 1 prescilla prescilla    0 Feb  9 23:20 permissions

The first column is made up of the file type followed by the three permission groups:

File type   Owner   Group   Others
d           rwx     rwx     r-x      (the directory "files")
-           rw-     rw-     r--      (the regular file "permissions")



When assigning permissions to a file or directory, symbols are used to represent the three categories of users and their permissions.

User group codes:

Symbol   Represents
u        user (owner)
g        group
o        others
a        all users (ugo)

Access mode codes:

Symbol   Meaning
r        read
w        write
x        execute
-        no permission



Another method used to set Linux file permissions is the octal system, which uses numbers to represent permissions:

0 = no permission
1 = execute permission
2 = write permission
3 = write and execute permissions
4 = read permission
5 = read and execute permissions
6 = read and write permissions
7 = read, write and execute permissions

Note: The essential numbers are 1, 2 and 4, which represent execute, write and read permissions respectively (one bit each). The other numbers are simply sums of those three.



The table below summarizes the file permission codes (symbolic or octal) used in Linux:

Code     Meaning
0 or -   the access right that belongs in this place is not granted
4 or r   read access is granted to the user category defined in this place
2 or w   write permission is granted to the user category defined in this place
1 or x   execute permission is granted to the user category defined in this place



The chmod (change mode) command

File and directory permissions can only be modified by their owner or by the superuser (root), using the chmod system utility.
Syntax: chmod [options] mode file...
Note: the mode can be written in either of two forms, symbolic or octal.

SETTING FILE PERMISSION USING SYMBOLIC MODES


To change file permissions using symbolic modes, combine the user group codes and access mode codes with the operators listed in the table below:

Operator   Description
+          adds the specified permission to the specified user group
-          removes the specified permission from the specified user group
=          assigns exactly the specified permissions to the specified user group (anything not listed is removed)



Take the example below:
-rw-rw-r-- 1 prescilla prescilla 0 Feb 9 23:20 sample

The sample file has read and write permission for both user and group, while other users can only read it. To add write permission for other users, run the following command:

$ chmod o+w sample


Note: The + and - operators grant or revoke a given right for a given user group. Here o stands for other users and w for write access.



$ ls -l sample
-rw-rw-rw- 1 prescilla prescilla 0 Feb  9 23:20 sample

As seen above, other users now have write permission on the sample file. To add execute permission for all users, run the following:

$ chmod a+x sample


OR

$ chmod ugo+x sample


Note: x is for execute permission, a represents all users, but ugo can also be used which indicates user, group & others.



$ ls -l sample
-rwxrwxrwx 1 prescilla prescilla 0 Feb  9 23:20 sample

As seen above, all users now have execute permission on the sample file. To remove the execute permission from all users, run the following:

$ chmod a-x sample


OR

$ chmod ugo-x sample


Note: The - operator is used to deny a given right to a given group.



Several changes separated by commas are allowed in a single chmod mode. Here's another one, which makes the file from the previous example private to the user prescilla:
$ ls -l sample
-rw-rw-rw- 1 prescilla prescilla 0 Feb  9 23:20 sample

$ chmod u+rwx,go-rwx sample

$ ls -l sample
-rwx------ 1 prescilla prescilla 0 Feb  9 23:20 sample

As seen above, all permissions on the sample file were removed from group and other users, and the owner gained execute permission on top of the read and write permission she already had.



You can also remove permissions by using the assignment (=) operator with an empty right-hand side, which sets the group's permissions to none. The previous chmod command line can therefore be rewritten as:
$ chmod u+rwx,go= sample
$ ls -l sample
-rwx------ 1 prescilla prescilla 0 Feb  9 23:20 sample

SETTING FILE PERMISSION USING OCTAL MODES


Octal numbers are widely used to describe file and directory permissions on Linux systems. Setting permissions with octal numbers is faster than the symbolic method and usually easier, because the whole mode is stated at once instead of as a change relative to the current one. When using chmod with octal digits, the values of the granted access rights are added together per user group. This gives a 3-digit number, which is the complete mode chmod has to set (a setuid, setgid or sticky bit can be added as an optional fourth, leading digit).



Let's take the previous example:
$ ls -l sample
-rwx------ 1 prescilla prescilla 0 Feb  9 23:20 sample

To set read and write permission for the owner, and only read access for group and others, using the octal system:
$ chmod 644 sample
$ ls -l sample
-rw-r--r-- 1 prescilla prescilla 0 Feb  9 23:20 sample

Note: 644 means read and write permission for the owner, read for group and others.



You can also set permissions on multiple files at once. For example:
$ ls -l
-rw-r--r-- 1 root root  84669 2008-09-11 01:13 snapshot1.png
-rw-r--r-- 1 root root 100439 2008-09-11 01:14 snapshot2.png
-rw-r--r-- 1 root root 113450 2008-09-11 01:14 snapshot3.png
$ chmod 666 snapshot*.png
$ ls -l
-rw-rw-rw- 1 root root  84669 2008-09-11 01:13 snapshot1.png
-rw-rw-rw- 1 root root 100439 2008-09-11 01:14 snapshot2.png
-rw-rw-rw- 1 root root 113450 2008-09-11 01:14 snapshot3.png

Note: the octal mode 666 grants read (r) and write (w) permissions to all users. The files are owned by root, so this chmod has to be run as root.



chmod can also set the permissions of a whole tree of files and directories with the -R (recursive) option. To change the permissions of every file and folder under a specified directory at once:
user@host$ sudo chmod -R 777 /path/to/someDirectory
user@host$ ls -l /path/to/someDirectory
total 3
-rwxrwxrwx 1 user user    0 Nov 19 20:13 file1
-rwxrwxrwx 1 user user    0 Nov 19 20:13 file2
drwxrwxrwx 2 user user 4096 Nov 19 20:13 folder

Note: the octal mode 777 grants read (r), write (w) and execute (x) permissions to all users. A recursive 777 makes every file world-writable (any local user or compromised service can replace it) and marks plain data files as executable; it is shown here only to illustrate -R. In practice give directories and files different modes, for example chmod -R u=rwX,go=rX /path/to/someDirectory, where the capital X adds execute permission only to directories (and to files that already have an execute bit).
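To see the symbolic and octal forms side by side, and what a recursive chmod does to files versus directories, here is an added example that is not part of the original slides. It replays the chmod steps from the symbolic and octal sections above on scratch files and reads each result back with stat, so the mode the kernel actually stored can be compared with the one the slide claims. It assumes GNU coreutils (stat -c, mktemp) on Linux and runs as an ordinary user; the function names mode, apply_chmod and tree_modes are the example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): replay the chmod steps above on
# scratch files and read back what the kernel stored. Assumes GNU coreutils
# (stat -c is not POSIX) on Linux; no root needed.
set -eu

# mode FILE -> permission bits in octal, e.g. 644
mode() { stat -c '%a' "$1"; }

# apply_chmod START MODESPEC -> octal mode of a fresh temporary file after
# "chmod START f; chmod MODESPEC f". Lets a symbolic spec and its octal
# equivalent be compared directly.
apply_chmod() {
    f=$(mktemp)
    chmod "$1" "$f"
    chmod "$2" "$f"
    mode "$f"
    rm -f "$f"
}

# tree_modes HOW -> "file-mode dir-mode" for a small tree (tmp/sub/data)
# after a recursive chmod done in one of three ways:
#   777   the slides' chmod -R 777: every file world-writable and executable
#   X     chmod -R u=rwX,go=rX: X sets x on directories and on files that
#         already have an execute bit, so data files stay non-executable
#   find  repair after a 777 -R by treating files and directories separately
tree_modes() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    : > "$d/sub/data"
    chmod 700 "$d/sub"
    chmod 600 "$d/sub/data"
    case $1 in
        777)  chmod -R 777 "$d" ;;
        X)    chmod -R u=rwX,go=rX "$d" ;;
        find) chmod -R 777 "$d"
              find "$d" -type d -exec chmod 755 {} +
              find "$d" -type f -exec chmod 644 {} + ;;
        *)    printf 'unknown variant: %s\n' "$1" >&2; rm -rf "$d"; return 1 ;;
    esac
    printf '%s %s\n' "$(mode "$d/sub/data")" "$(mode "$d/sub")"
    rm -rf "$d"
}

# Walk through the slides' sequence and print each result.
for step in '664 o+w' '666 a+x' '777 a-x' '666 u+rwx,go-rwx' '666 u+rwx,go=' '700 644'; do
    set -- $step
    printf 'chmod %-14s on %s -> %s\n' "$2" "$1" "$(apply_chmod "$1" "$2")"
done
for how in 777 X find; do
    printf 'chmod -R (%s): file/dir = %s\n' "$how" "$(tree_modes "$how")"
done
```

The X variant is the one to remember: on a tree whose data files carry no execute bit it yields 755 for directories and 644 for files in a single command, whereas after a 777 -R the execute bits are already on every file and only the find-based repair (or chmod -R u=rw,go=r on the files alone) takes them off again.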

UNDERSTANDING UMASK
When a user creates a file or directory under Linux, it is created with a default set of permissions. The user file-creation mode mask (umask) is a four-digit octal number used to control these default permissions. Most Linux distributions set it to 0022 (022) for root and, on distributions such as Ubuntu that give every user a private group of their own, 0002 (002) for normal users.


To check the current umask value, run umask from a terminal (umask -S prints it in symbolic form):

user@linux:~$ umask
0002
root@linux:~# umask
0022

The base permission for newly created files is 0666 (rw-rw-rw-), while directories have a base permission of 0777 (rwxrwxrwx). To compute the final permission of a newly created file or directory, every bit that is set in the umask is removed from the base permission. For the usual masks 002 and 022 this gives the same result as subtracting the umask, which is how the rule is commonly written:


Normal user:
777 - 002 = 775 (directories)
666 - 002 = 664 (files)

Root user:
777 - 022 = 755 (directories)
666 - 022 = 644 (files)

Therefore, a normal user will have the following default permissions:

775 (rwxrwxr-x) for directories 664 (rw-rw-r--) for files


While a root user will have the following default permissions:

755 (rwxr-xr-x) for directories 644 (rw-r--r--) for files
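The arithmetic above carried out by the shell and checked against real files, as an added example that is not part of the original slides. It shows why the rule is "clear the mask bits" rather than subtraction: for 002 and 022 both give the same numbers, but for a mask such as 027 (common on servers, where the group may read but others get nothing) only the bitwise form matches what the kernel produces. It assumes GNU stat; default_mode, subtract_mode and observed_modes are names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): compute the mode a new file
# or directory gets under a umask and compare with what the kernel does.
# Assumes GNU coreutils (stat -c). Runs as an ordinary user.
set -eu

# default_mode BASE MASK -> resulting mode; all arguments are octal strings
# (the base is 666 for files, 777 for directories). This is the real rule:
# every bit set in the mask is cleared from the base.
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# subtract_mode BASE MASK -> what the "subtract the umask" shorthand gives.
# Identical to default_mode only while the mask has no bit the base lacks.
subtract_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# observed_modes MASK -> "file-mode dir-mode" as actually created under MASK.
# umask runs in a subshell so the caller's own mask is left unchanged.
observed_modes() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f"; mkdir "$d/d" )
    printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/d")"
    rm -rf "$d"
}

for m in 002 022 027 077; do
    printf 'umask %s: files %s (subtraction says %s), dirs %s, kernel gives %s\n' \
        "$m" "$(default_mode 666 "$m")" "$(subtract_mode 666 "$m")" \
        "$(default_mode 777 "$m")" "$(observed_modes "$m")"
done
```

With umask 027 the subtraction shorthand yields 637 for files, a mode that grants others write and execute, while the kernel (and default_mode) produce 640; the mask is a set of bits to take away, not a number to subtract.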

C. SETTING FILE OWNERSHIP


Each file or directory on Linux has two owners: a user and a group, which together determine whose permission bits apply. Changing the user or group ownership of a file is done with the chown (change owner) and chgrp (change group) commands. Only root can change the user owner of a file (an ordinary user cannot give files away), while the owner may change the group to any group he or she is a member of.



The chown command can change both the user and the group ownership of a file, while chgrp only changes group ownership. To change only the user ownership of a file, use this syntax: chown newuser file. If you put a colon after the user name and nothing behind it, the group ownership is changed as well, to the login (primary) group of newuser, that is of the new owner, not of the user issuing the command.



In order to change the user and group ownership of a file, use this syntax:
chown newuser:newgroup file

To only change group ownership, you can either use chgrp or chown with a different syntax:
chown :newgroup file
chgrp newgroup file



For example, p1 is owned by user root and group adm. To change its owner, use chown (as root, since only root may change the owner):
$ ls -l p1
-rw-rw-r-- 1 root adm 0 Feb 24 15:28 p1
$ sudo chown prescilla p1
$ ls -l p1
-rw-rw-r-- 1 prescilla adm 0 Feb 24 15:28 p1

To change its owner and group at the same time, use chown and add a colon (:) after the user name; with nothing after the colon, the group becomes the new owner's login group, here prescilla:
$ sudo chown prescilla: p1
$ ls -l p1
-rw-rw-r-- 1 prescilla prescilla 0 Feb 24 15:28 p1



Using the same file, if you only want to change group ownership, use chgrp (again as root, because the file belongs to root):
$ ls -l p1
-rw-rw-r-- 1 root adm 0 Feb 24 15:28 p1
$ sudo chgrp prescilla p1
$ ls -l p1
-rw-rw-r-- 1 root prescilla 0 Feb 24 15:28 p1

You can still use chown to change group ownership:

$ sudo chown :prescilla p1
$ ls -l p1
-rw-rw-r-- 1 root prescilla 0 Feb 24 15:28 p1

D. LOGGING ON TO ANOTHER GROUP


When you type id on the command line, you get your user name and ID, the name and ID of the group you are currently working with (gid), and the list of all groups you are a member of. On Linux every group in that list counts when the kernel checks file permissions; the gid, called the primary or effective group, only determines which group owns the files you create. By default, this primary group is the one assigned to you in /etc/passwd.



For example, prescilla is currently connected to its primary group prescilla:
$ id
uid=1000(prescilla) gid=1000(prescilla) groups=1000(prescilla),4(adm),6(disk),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare),126(vboxusers)

As seen above, prescilla is also a member of several secondary groups, e.g. adm, disk, dip, etc.



To make a secondary group the primary group for a session, a user runs the newgrp command, which starts a new shell with that group as its gid (if the user is not a member, newgrp asks for the group's password, which is rarely set). This is useful if a user needs to create files that should be owned by another group.
$ newgrp adm
$ id
uid=1000(prescilla) gid=4(adm)
$ touch test
$ ls -l
-rw-rw-r-- 1 prescilla prescilla 0 Feb 24 15:28 p1
-rw-rw-r-- 1 prescilla adm       0 Feb 24 18:34 test
Note: Working in the new group saves you from having to use chgrp or chown on every file afterwards. Type exit to leave the newgrp shell and return to your primary group.

E. CREATING USER ACCOUNTS


Creating users in Linux system is a routine task for system administrators. Sometimes you may create a single user with default configuration or with custom configuration, or create several users at same time using some bulk user creation method.



Method 1: Create a user with the default configuration using the useradd command
To create a user with the default configuration:

useradd -m <username>
On Debian and Ubuntu, useradd does not create a home directory for the new user unless you add the -m option (other distributions set CREATE_HOME in /etc/login.defs and create it by default). If you need a different path for the user's home directory, use the -d option.



Example 1: Create a new user named ayesha with the default configuration:
$ sudo useradd -m ayesha
If you don't specify a password for the account, the system leaves it locked and the user will not be able to log in. Setting one is easily done with the following command, which prompts for the password without echoing it:
$ sudo passwd ayesha



useradd also has a -p option to set the password in the same command line:
$ useradd -m -p <encrypted-password> username

Note: -p expects the already hashed password as produced by crypt(3), not the cleartext; whatever you pass is written verbatim into /etc/shadow. A command such as

$ sudo useradd -m ayesha -p 1234

therefore stores the string 1234 as the "hash", so no password will ever match it, and on top of that the cleartext 1234 ends up in the shell history and is visible to every user in the process list while the command runs. Use passwd (interactive) or chpasswd (reads user:password lines on standard input and hashes them itself) instead, and reserve -p for a hash generated by a tool such as openssl passwd -6 or mkpasswd.
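An added example, not from the original slides, of setting a password from a script without the -p pitfall described above: the password is read from standard input, hashed with openssl passwd -6 (SHA-512 crypt, the format /etc/shadow uses; this assumes OpenSSL 1.1.1 or newer) and only the hash is handed to useradd -p. The chpasswd variant lets the system hash the password instead. create_user and set_password must run as root; the function names and the demo password are the example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): set a user's password from a
# script without ever placing the cleartext in argv. useradd -p must receive
# the output of crypt(3), so the password is hashed first. Assumes OpenSSL
# 1.1.1+ (openssl passwd -6) and the shadow-utils useradd/chpasswd commands.
set -eu

# hash_password: reads the cleartext on stdin, prints a SHA-512 crypt hash
# ($6$<salt>$<digest>) with a fresh random salt. Nothing goes through argv or
# shell history, which is what makes this safe to combine with useradd -p.
hash_password() {
    openssl passwd -6 -stdin
}

# hash_is_sha512crypt HASH -> true if HASH has the $6$salt$digest shape that
# /etc/shadow expects (salt of up to 16 characters, 86-character digest).
hash_is_sha512crypt() {
    printf '%s' "$1" | grep -Eq '^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# create_user NAME: reads the password on stdin, hashes it and creates the
# account with a home directory and bash as login shell. Must run as root.
create_user() {
    h=$(hash_password)
    hash_is_sha512crypt "$h" || { echo "password hashing failed" >&2; return 1; }
    useradd -m -s /bin/bash -p "$h" "$1"
}

# set_password NAME: reads the password on stdin and lets chpasswd hash it
# according to the system's login.defs policy. Also root-only; use it when
# the account already exists (the "useradd, then passwd" case above).
set_password() {
    IFS= read -r pw
    printf '%s:%s\n' "$1" "$pw" | chpasswd
}

# Stand-alone use: printf '%s\n' "$password" | sudo sh this_script.sh NAME
if [ $# -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
    create_user "$1"
elif printf 'x\n' | openssl passwd -6 -stdin >/dev/null 2>&1; then
    # Demo with a constructed password: show what useradd -p would receive.
    h=$(printf 'correct horse battery staple\n' | hash_password)
    hash_is_sha512crypt "$h" && printf 'useradd -p would receive: %s\n' "$h"
fi
```

Feeding the password through standard input matters for both variants: a password passed as a command-line argument to useradd or printf in a real shell (not a shell builtin) is readable by any local user via ps for as long as the process runs, and lands in the shell's history file.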



Method 2: Add user with custom configurations

To create a user with a custom configuration:


useradd [options] <username>
Options are listed on the next slide. To see a full list of useradd options, see the man pages, by running:

$ man useradd

USERADD OPTIONS
Option   Meaning
-d       Specifies the user's home directory.
-m       Create the user's home directory if it does not exist.
-s       Specifies the name of the user's login shell.
-g       Specifies the user's primary group.
-G       Specifies the user's secondary groups (comma separated).
-e       Specifies the date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.
-c       Any text string. It is generally a short description of the login, and is currently used as the field for the user's full name.
-f       Specifies the number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.



Example 2: Create a new user with a custom configuration:
$ sudo useradd -m -g prescilla -e 2013-03-01 -c "Linus Torvalds" linus

$ grep '^linus:' /etc/passwd
linus:x:1003:1000:Linus Torvalds:/home/linus:/bin/sh

Note: The new user linus has a group id of 1000, which is the group id of prescilla. No -s was given, so the login shell defaulted to /bin/sh (the SHELL setting in /etc/default/useradd).



To check the account and password expiry of an account, use the chage command:
$ sudo chage -l linus
Last password change                              : Feb 24, 2013
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : Mar 01, 2013
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7



To disable password aging / expiration for a user, run the chage command and set the following:
  Minimum Password Age     to 0
  Maximum Password Age     to 99999
  Password Inactive        to -1
  Account Expiration Date  to -1

Interactive mode command:
$ sudo chage username

OR

$ sudo chage -I -1 -m 0 -M 99999 -E -1 username



Method 3: Create users interactively with the adduser command
A very simple way of creating a user interactively on the command line is the adduser command, a Debian/Ubuntu front end to useradd that creates the home directory, copies /etc/skel and asks for the password and the user's details:

sudo adduser <username>



Example 3: Create a new user with adduser:
$ sudo adduser spidey
Adding user `spidey' ...
Adding new group `spidey' (1007) ...
Adding new user `spidey' (1007) with group `spidey' ...
Creating home directory `/home/spidey' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for spidey
Enter the new value, or press ENTER for the default
        Full Name []: Peter Parker
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/N] y



Method 4: Add multiple users at once with the newusers command
Sometimes you may want to create multiple users at the same time. Linux offers a way to do this with the newusers command. It reads every account from a file and never prompts, so it can be run from scripts and batch jobs:
$ sudo newusers FILENAME



The first step is to create a text file containing the user account information. The file format is the same as that of the password file:
loginname:password:uid:gid:comment:home_dir:shell



$ cat users.txt
user1:password:1005:513:Student Account:/home/user1:/bin/bash
user2:password:1006:513:Sales user:/home/user2:/bin/bash
user100:password:1007:513:Sales user:/home/user100:/bin/bash
tom:password:1008:501:Guest Account:/home/guest:/bin/menu
jerry:password:1009:501:Guest Account:/home/guest:/bin/menu

Since the user names and passwords are stored in clear text (unlike useradd -p, newusers hashes the password field itself), make sure only you can read and write the file, and delete it as soon as the accounts exist. Use the chmod command:
$ chmod 600 users.txt
Better still, run umask 077 before creating the file, so that it is never readable by other users, not even for the moment before chmod runs.



Now, create the users in batch:

$ sudo newusers users.txt
Verify that your /etc/group, /etc/passwd and /etc/shadow files are updated:
less /etc/group
less /etc/passwd
sudo less /etc/shadow

F. SWITCHING BETWEEN USER ACCOUNTS


When you know the password of another user's account, you can present yourself to the system with that user's permissions using the su command (switch user):

su - username
You will be prompted to enter that user's password. After authentication you are working on the system with the permissions of that user; the dash gives you a full login shell with the user's own environment and home directory.



To make sure you are now working as the other user, check with the id command:
$ su - linus
Password:
$ id
uid=1003(linus) gid=1000(prescilla) groups=1000(prescilla)



By default, the root account's password is locked in Ubuntu. This means that you cannot log in as root directly or use su to become root. Since the root account still exists, it is nevertheless possible to run programs with root privileges. This is where sudo comes in: it lets authorized users run programs as root after entering their own password, so no root password has to exist or be shared. To switch to a root login shell:

$ sudo -i


Allowing other users to run sudo


To give a user sudo rights on Ubuntu, add the user to the sudo group:
$ sudo adduser <username> sudo

where you replace <username> with the name of the user (without the <>). The portable form is sudo usermod -aG sudo <username> (on distributions such as Fedora the administrative group is called wheel). The new group membership takes effect at the user's next login.

G. DELETING USER ACCOUNTS


Use the userdel command to delete a user account together with its entries in /etc/passwd, /etc/shadow and /etc/group. The userdel command must be run as root. The syntax is as follows:

userdel userName



Example:
To remove the user aye from the system:
$ sudo userdel aye

To remove the user's home directory as well, pass the -r option to userdel:
$ sudo userdel -r aye
Note: The above command removes the home directory with everything in it, plus the user's mail spool. Files the user owned elsewhere (other file systems, /tmp, /var) are not touched and have to be found and dealt with manually. After the deletion they show only the numeric UID in ls -l, so locate them by number before that UID is reused by a new account: sudo find / -uid <uid>. userdel also refuses to remove an account that still has running processes, so check with pgrep -u aye first, and remove the user's cron jobs with sudo crontab -r -u aye.

G. DISABLING USER ACCOUNTS


Sometimes it is recommended to disable an account instead of removing it right away, especially on a corporate server with many users, so that the user's files, the UID-to-name mapping and the audit trail stay intact. Use the usermod command to lock and disable the account. The -L option locks the user's password by putting an exclamation mark (!) in front of the hashed password in /etc/shadow. A locked password alone does not stop logins that do not use the password, such as SSH with a public key, so also expire the account: -e 1 sets the expiry date to one day after 1 January 1970 (a number is read as days since that date), i.e. a date in the past.



In this example, the user account aya is disabled:
$ sudo usermod -L -e 1 aya

When aya tries to log in, either graphically or via a text console, she will be greeted with the following messages:
Your account has expired; please contact your system administrator.

Invalid password.
Permission denied.



To re-enable an account with a locked password, unlock it with usermod -U, which removes the leading (!) from the hash in /etc/shadow. Editing that file by hand in an editor is error-prone and bypasses the locking that usermod and passwd use, so avoid it:

$ sudo usermod -U user-account
To remove an account expiry date, run:

$ sudo usermod -e -1 user-account
Note: You can also use the chage command to set the expiry date to -1 (sudo chage -E -1 user-account). sudo passwd -S user-account shows whether the password is locked (L) or usable (P).

LINUX ADMINISTRATION BASICS

END OF CHAPTER 6
