
USERS, GROUPS & PERMISSIONS IN LINUX

USER
Red Hat Linux uses a User Private Group (UPG) scheme.

When a user is created, a group with the same name as the username is also created. This becomes the primary group for that user. A user can have only one primary group.

When a user is created in Linux, the following are also created by default:

Home directory /home/<username>

Mail account /var/spool/mail/<username>

Unique user identifier (UID) and group identifier (GID)

In Linux there are three types of users:-

1- Super user or Root user

2- System users

3- Normal users

Super user or Root user:-

The super user or root user is the most powerful user. It is the administrator account.

System users:-

System users are the users created by software or applications. For example, if we install Apache, it will create a user apache. This kind of user is known as a system user.

Normal users:-

Normal users are the users created by the root user. They are the ordinary login accounts, i.e. Ram, Mukesh, John etc. Only the root user has the permission to create or remove a user.

In Linux every user has a unique user ID, known as the UID. The ranges of UIDs are as follows:

USER          UID
Root          0 (zero)
System user   1 - 499
Normal user   500 - 60000

There are three important files a user administrator should be aware of:

1) /etc/passwd

Stores the info of each user created.

Each record has seven fields separated by a : sign.

Ravi : x : 500 : 500 : prog : /home/ravi : /bin/bash
  1    2    3     4      5        6           7

1) User name

2) Password field. The x means the password is not stored here; the encrypted password is kept in /etc/shadow.

3) UID

4) GID (group id of the primary group)

5) Comment for the user

6) Home directory

7) Default login shell. It will be /bin/bash. If we want to change it to the Korn shell, edit it to /bin/ksh. If no login shell is required for that user, then give /sbin/nologin.

Now the second file is:-

2- /etc/shadow

This file contains the encrypted password for each user.

Passwords are encrypted (hashed) using the MD5 (Message Digest version 5) algorithm.

Ravi : hjkadfhs8974ut/ : 13536 : 0 : 99999 : 7 :::

Field 1  User name
Field 2  Encrypted password
Field 3  Days since the password was last changed (counted from 1 January 1970)
Field 4  Minimum days before the password may be changed again
Field 5  Maximum life of the password (days after which the password must be changed)
Field 6  Warning days before the password expires
The three empty fields at the end are the inactive period, the account expiry date and a reserved field.

Now the third file is:-

3- /etc/group

The info of each group created is stored in a separate line in the file /etc/group.

Each record has four fields separated by a : sign.

Ravi : x : 500 : sachin , kumar

Field 1  Group name
Field 2  Group password (x means it is kept in /etc/gshadow)
Field 3  GID
Field 4  Secondary members (comma separated)

1- How to ADD a user:- sudo useradd username

2- How to DELETE a user:- sudo userdel username

3- All the configuration files for Linux are stored as simple text files, so information like user accounts and group accounts is stored in a text file, and that text file is /etc/passwd. By modifying or editing this file you can rename a user, change their home directory etc. If you want to see the users or their home directories on your Linux system, all you do is - sudo vim /etc/passwd

4- How to change the password for a user:- sudo passwd username
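The three files above can be checked with a short script. This is an added example and not part of these notes: it parses constructed sample records in the seven-, nine- and four-field layouts described above and flags what an administrator looks for (extra UID 0 accounts, empty password fields, expired passwords, accounts with a login shell). The function names and sample records are my own.

```shell
# Added example (not from these notes): audit constructed /etc/passwd,
# /etc/shadow and /etc/group records using the field layouts described above.
# The sample records are constructed; replace them with the real files to use.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
Ravi:x:500:500:prog:/home/ravi:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:0:0:backup job:/home/backup:/bin/bash'

SHADOW_SAMPLE='root:$1$constructedhash:13536:0:99999:7:::
Ravi:$1$constructedhash:13536:0:90:7:::
apache:!!:13536:0:99999:7:::
backup::13536:0:99999:7:::'

GROUP_SAMPLE='root:x:0:
Ravi:x:500:sachin,kumar
wheel:x:10:Ravi,backup'

# Field 3 of passwd is the UID. Only root should have UID 0; any other
# account listed here is a second root login under a different name.
uid_zero_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { print $1 }'
}

# Field 2 of shadow is the hash. An empty field means no password is
# needed to log in; "!!" or "*" means the account is locked, which is fine.
empty_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# Field 7 of passwd is the login shell. System users should have
# /sbin/nologin (or /bin/false); everything else can open a shell.
interactive_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Field 3 of shadow is the last change (days since 1 January 1970) and
# field 5 the maximum life (what chage -M sets). The password has expired
# when last change + max life is earlier than the reference day $1; pass
# $(( $(date +%s) / 86400 )) for today. A fixed day keeps the result stable.
expired_passwords() {
    printf '%s\n' "$SHADOW_SAMPLE" |
        awk -F: -v today="$1" '$5 != "" && $3 + $5 < today { print $1 }'
}

# Field 4 of group lists the secondary members, comma separated.
group_members() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Usage: run the checks against the constructed records.
printf 'UID 0 accounts: %s\n' "$(uid_zero_accounts | tr '\n' ' ')"
printf 'Empty passwords: %s\n' "$(empty_password_accounts)"
printf 'Expired by day 13700: %s\n' "$(expired_passwords 13700)"
printf 'wheel members: %s\n' "$(group_members wheel)"
```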

GROUP
A group is a collection of users to whom the same permissions are to be applied.

There are two types of group:-

1) Primary

2) Secondary

The info regarding groups is stored in the following files:

/etc/group

/etc/gshadow

5- How to add a group:- sudo groupadd groupname

6- How to delete a group:- sudo groupdel groupname

7- How to add a user to a group:- sudo usermod -aG groupname username
(-a appends; sudo usermod -G groupname username without -a replaces the user's existing secondary groups with this one.)

8- How to delete a user from a group:- sudo deluser username groupname
(deluser is the Debian/Ubuntu command; on Red Hat systems use sudo gpasswd -d username groupname.)

NOTE:- Be careful: the command to delete a user from the system is userdel, and to delete a user from a group it is deluser.

9- The group information is stored in the text file named /etc/group.

PERMISSION
In Linux, permissions are normally referred to by a three-digit number like 777, 757, 700. This three-digit number says what the permissions are for the file.

In the three-digit number:-

The first digit is the permission that the owner of the file has.

The second digit is the permission for the group members.

The third digit is the permission for everybody else in the world, or others.

The highest or full permission is 777.

So 4 = Read

2 = Write

1 = Execute

Here 4+2+1 = 7

How to change the permission for a file:- sudo chmod -R 777 filename

NOTE:- Here -R is for recursive (to change the permission of a folder and all the subfolders in it).

OWNERSHIP
To change the ownership of a file or folder:

sudo chown -R username filename - (for a folder, -R is used)

To change the group ownership:- sudo chgrp -R groupname file/folder
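The digit arithmetic above and the owner/group columns of ls -l can be worked through in a script. This is an added example and not part of these notes: it converts between the three-digit octal form and the rwx string, and runs two checks over constructed ls -l lines. The function names and sample lines are my own.

```shell
# Added example (not from these notes): convert between the octal digits
# described above and the rwx string that ls -l prints, and flag the modes
# and owners worth a second look. The ls -l lines are constructed.

# One octal digit -> rwx triplet (4 = read, 2 = write, 1 = execute).
digit_to_rwx() {
    d=$1; out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# "755" -> "rwxr-xr-x" (owner, group, others).
octal_to_rwx() {
    m=$1
    printf '%s%s%s\n' "$(digit_to_rwx "${m%??}")" \
        "$(digit_to_rwx "$(printf '%s' "$m" | cut -c2)")" \
        "$(digit_to_rwx "${m#??}")"
}

# "rwxr-xr-x" or the 10-character ls -l form "-rwxr-xr-x" -> "755".
# s and t in an x slot still count as execute; the special bits themselves
# are not encoded in the three-digit form these notes use.
rwx_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    total=""
    for trip in "${s%??????}" "$(printf '%s' "$s" | cut -c4-6)" "${s#??????}"; do
        v=0
        case $trip in r??) v=$((v + 4));; esac
        case $trip in ?w?) v=$((v + 2));; esac
        case $trip in ??[xst]) v=$((v + 1));; esac
        total="${total}${v}"
    done
    printf '%s\n' "$total"
}

# Constructed ls -l output: mode, links, owner, group, size, date, name.
LS_SAMPLE='-rwxrwxrwx 1 Ravi Ravi 1024 Jan 10 10:00 report.sh
-rw-r--r-- 1 Ravi Ravi 2048 Jan 10 10:01 notes.txt
-rwsr-xr-x 1 root root 4096 Jan 10 10:02 helper
drwxrwxr-x 2 Ravi prog 4096 Jan 10 10:03 shared'

# Entries whose third digit includes 2: anyone on the system can modify them
# (the 9th character of the mode string is the others-write slot).
world_writable() {
    printf '%s\n' "$LS_SAMPLE" | awk '$1 ~ /^........w/ { print $NF }'
}

# Files with the setuid bit (s in the owner execute slot) run with the
# owner's privileges, so list them together with that owner.
setuid_files() {
    printf '%s\n' "$LS_SAMPLE" | awk '$1 ~ /^...s/ { print $NF, "owner=" $3 }'
}

printf '%s -> %s\n' 777 "$(octal_to_rwx 777)"
printf 'world writable: %s\n' "$(world_writable)"
printf 'setuid: %s\n' "$(setuid_files)"
```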

LINUX PROCESS
What is a Process?

Anything that is running in Linux is a process.

A process is a program which is being executed.

Any process may create a child process.

The first system process in RHEL 7 is systemd.

Examples:- The shell that is running and taking our commands is a process; the command that we type on the terminal is a process.

Processes are much like us. They are born, they die. They have parents and children.

Starting a Process
When you start a process (run a command), there are two ways you can run it:

Foreground Processes
Background Processes

Foreground Processes
By default, every process that you start runs in the foreground. It gets its input from the keyboard and sends its output to the screen.

You can see this happen with the ls command. If I want to list all the files in my current directory, I can use the following command:

$ ls ch*.doc

This would display all the files whose names start with ch and end with .doc:

ch01-1.doc ch010.doc ch02.doc ch03-2.doc
ch04-1.doc ch040.doc ch05.doc ch06-2.doc
ch01-2.doc ch02-1.doc

The process runs in the foreground, the output is directed to my screen, and if the ls command wants any input (which it does not), it waits for it from the keyboard.

While a program is running in the foreground and taking much time, we cannot run any other commands (start any other processes) because the prompt is not available until the program finishes its processing and exits.

Background Processes
A background process runs without being connected to your keyboard. If the background process requires any keyboard input, it waits.

The advantage of running a process in the background is that you can run other commands; you do not have to wait until it completes to start another!

The simplest way to start a background process is to add an ampersand (&) at the end of the command.

$ ls ch*.doc &

This would also display all the files whose names start with ch and end with .doc:

ch01-1.doc ch010.doc ch02.doc ch03-2.doc
ch04-1.doc ch040.doc ch05.doc ch06-2.doc
ch01-2.doc ch02-1.doc

Here, if the ls command wants any input (which it does not), it goes into a stopped state until I move it into the foreground and give it the data from the keyboard.

The first line the shell prints contains information about the background process - the job number and process ID. You need to know the job number to manipulate it between background and foreground.

If you press the Enter key now, you see the following:

[1] + Done ls ch*.doc &
$

The first line tells you that the ls command background process finished successfully. The second is a prompt for another command.

LISTING PROCESSES
To list the running processes for the current user, the command is ps.

One of the most commonly used flags for ps is the -f (f for full) option, which provides more information, as in ps -f.

Here is the description of all the fields displayed by the ps -f command:

Column  Description
UID     User ID that this process belongs to (the person running it).
PID     Process ID.
PPID    Parent process ID (the ID of the process that started it).
C       CPU utilization of the process.
STIME   Process start time.
TTY     Terminal type associated with the process.
TIME    CPU time taken by the process.
CMD     The command that started this process.

To show all processes running across all other terminals:- ps -ef

There are other options which can be used along with the ps command:

Option  Description
-a      Shows information about all users.
-x      Shows information about processes without terminals.
-u      Shows additional information, like the -f option.
-e      Displays extended information.

Stopping Processes
Ending a process can be done in several different ways. Often, from a console-based command, sending a CTRL + C keystroke (the default interrupt character) will exit the command. This works when the process is running in foreground mode.

If a process is running in background mode, then first you would need to get its process ID (PID) using the ps command, and after that you can use the kill command to kill the process as follows:

$ ps -f
UID      PID   PPID  C  STIME     TTY    TIME  CMD
amrood   6738  3662  0  10:23:03  pts/6  0:00  first_one
amrood   6739  3662  0  10:22:54  pts/6  0:00  second_one
amrood   3662  3657  0  08:10:53  pts/6  0:00  -ksh
amrood   6892  3662  4  10:51:50  pts/6  0:00  ps -f
$ kill 6738
Terminated

Here the kill command would terminate the first_one process. If a process ignores a regular kill command, you can use kill -9 followed by the process ID as follows:

$ kill -9 6738
Terminated
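The difference between a regular kill and kill -9 can be seen on a process that ignores the regular signal. This is an added example and not part of these notes: it starts a sleep that ignores SIGTERM, checks with kill -0 whether each kill actually ended it, and reads the exit status back with wait. The function name is my own.

```shell
# Added example (not from these notes): a process that ignores SIGTERM
# survives the plain kill shown above but not kill -9. Only sleep is run,
# so the demo is harmless on any Linux machine.

# Starts the ignoring process in the background, tries both kills and
# reports "term-ignored kill-9-worked <wait status>" on success.
kill_demo() {
    # The subshell sets SIGTERM to "ignore" and then becomes sleep via exec,
    # so there is a single process; an ignored signal stays ignored across
    # exec, which is exactly how a stubborn daemon shrugs off plain kill.
    ( trap '' TERM; exec sleep 60 ) &
    pid=$!
    sleep 1                                  # give the subshell time to exec

    kill -TERM "$pid"                        # what "kill PID" sends by default
    sleep 1
    if kill -0 "$pid" 2>/dev/null; then      # kill -0 only checks existence
        first="term-ignored"
    else
        first="term-worked"
    fi

    kill -KILL "$pid"                        # SIGKILL cannot be caught or ignored
    status=0
    wait "$pid" || status=$?                 # reap it; shells report 128 + 9 = 137
    if kill -0 "$pid" 2>/dev/null; then
        second="kill-9-failed"
    else
        second="kill-9-worked"
    fi
    printf '%s %s %s\n' "$first" "$second" "$status"
}

kill_demo
```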

Parent and Child Processes
Each Unix process has two ID numbers assigned to it: the process ID (PID) and the parent process ID (PPID). Each user process in the system has a parent process.

Most of the commands that you run have the shell as their parent. Check the ps -f example above, where this command listed both the process ID and the parent process ID.

Zombie and Orphan Processes
Normally, when a child process is killed, the parent process is told via a SIGCHLD signal. Then the parent can do some other task or restart a new child as needed. However, sometimes the parent process is killed before its child is killed. In this case, the "parent of all processes", the init process, becomes the new parent (PPID). Such processes are called orphan processes.

When a process is killed, a ps listing may still show the process with a Z state. This is a zombie, or defunct, process. The process is dead and not being used. These processes are different from orphan processes: they are processes that have completed execution but still have an entry in the process table.

Daemon Processes
Daemons are system-related background processes that often run with the permissions of root and service requests from other processes.

A daemon process has no controlling terminal. It cannot open /dev/tty. If you do a "ps -ef" and look at the TTY field, all daemons will have a ? for the TTY.

More clearly, a daemon is just a process that runs in the background, usually waiting for something to happen that it is capable of working with; for example, a printer daemon waits for print commands.

If you have a program which needs to do long processing, then it is worth making it a daemon and running it in the background.

The top Command
The top command is a very useful tool for quickly showing processes sorted by various criteria. It is an interactive diagnostic tool that updates frequently and shows information about physical and virtual memory, CPU usage, load averages, and your busy processes.

Here is the simple syntax to run the top command and see the statistics of CPU utilization by different processes:

$ top

Job ID Versus Process ID
Background and suspended processes are usually manipulated via the job number (job ID). This number is different from the process ID and is used because it is shorter.

In addition, a job can consist of multiple processes running in series or at the same time, in parallel, so using the job ID is easier than tracking the individual processes.

How To Adjust Process Priorities
Often, you will want to adjust which processes are given priority in a server environment.

Some processes might be considered mission critical for your situation, while others may be executed whenever there might be leftover resources.

Linux controls priority through a value called niceness.

High priority tasks are considered less nice, because they don't share resources as well. Low priority processes, on the other hand, are nice because they insist on only taking minimal resources.

When we run top, there is a column marked "NI". This is the nice value of the process:

top
Tasks:  56 total,   1 running,  55 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.3%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1019600k total,   324496k used,   695104k free,     8512k buffers
Swap:        0k total,        0k used,        0k free,   264812k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
 1635 root      20   0 17300 1200  920 R  0.3  0.1  0:00.01 top
    1 root      20   0 24188 2120 1300 S  0.0  0.2  0:00.56 init
    2 root      20   0     0    0    0 S  0.0  0.0  0:00.00 kthreadd
    3 root      20   0     0    0    0 S  0.0  0.0  0:00.11 ksoftirqd/0

Nice values can range between "-19/-20" (highest priority) and "19/20" (lowest priority), depending on the system.

To run a program with a certain nice value, we can use the nice command:

nice -n 15 command_to_execute

This only works when beginning a new program.

To alter the nice value of a program that is already executing, we use a tool called renice:

renice 0 PID_to_prioritize

Note: While nice operates with a command name by necessity, renice operates by taking the process PID.
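The nice and renice commands above can be checked against what the kernel reports. This is an added example and not part of these notes; it goes one step beyond the text by showing that an unprivileged user may only raise a nice value (lower the priority), while lowering it again needs root. It assumes a Linux /proc filesystem, and the function names are my own.

```shell
# Added example (not from these notes): start a command with nice, read the
# value back from the kernel and renice it twice. Assumes Linux /proc; the
# helper and function names are my own.

# Nice value of a running process: field 19 of /proc/PID/stat.
nice_of() {
    awk '{ print $19 }' "/proc/$1/stat"
}

# Returns "<after nice> <after renice up> <after renice down>".
# Raising the value (lower priority) is always allowed; lowering it again
# needs root or CAP_SYS_NICE, so an ordinary user gets "15 19 19" and
# root gets "15 19 0".
nice_demo() {
    nice -n 15 sleep 60 &
    pid=$!
    sleep 1
    start=$(nice_of "$pid")
    renice -n 19 -p "$pid" >/dev/null 2>&1 || true   # raising: always allowed
    up=$(nice_of "$pid")
    renice -n 0 -p "$pid" >/dev/null 2>&1 || true    # lowering: refused without privilege
    down=$(nice_of "$pid")
    kill "$pid"                                      # clean up the sleep
    wait "$pid" 2>/dev/null || true
    printf '%s %s %s\n' "$start" "$up" "$down"
}

nice_demo
```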

Manage Linux Password Expiration and Aging Using the chage Command

1- List the password and its related details for a user:
chage -l username (here l is for list)
For example:

2- Set the password expiry date for a user using the chage option -M
How to Set Up NFS (Network File System) on RHEL
NFS (Network File System) was developed by Sun Microsystems in 1980 for sharing files and folders between Linux/Unix systems. It allows you to export your local file systems over a network so that remote hosts can interact with them as if they were mounted locally on the same system. With the help of NFS, we can set up file sharing from Unix to Linux systems and from Linux to Unix systems, and there are also NFS clients for Windows.

TCP 2049 is the default port number for NFS.

Benefits of NFS
1. NFS allows local access to remote files.
2. It uses the standard client/server architecture for file sharing between all *nix based machines.
3. With NFS it is not necessary that both machines run the same OS.
4. With the help of NFS we can configure centralized storage solutions.
5. Users get their data irrespective of physical location.
6. No manual refresh is needed for new files.
7. Newer versions of NFS also support ACLs and pseudo-root mounts.
8. Can be secured with firewalls and Kerberos.

Warning:- NFS mount privileges are granted to the client host, not the user. Therefore, exported file systems can be accessed by any user on a client host who has access permissions. When configuring the NFS shares, be very careful which hosts get read/write permission (rw).
NFS Versions:-
NFSv1
NFSv1 was the development stage of the NFS protocol. It was used only for in-house experimental purposes. When a stable version of NFS was ready, the developers decided to release it as the new version of NFS, known as NFSv2.

NFSv2
NFSv2 is 32-bit only.
NFSv2 only allowed the first 2 GB of a file to be read.
NFSv2 operated only over UDP.

NFSv3
NFSv3 supports 64-bit file systems.
NFSv3 can handle files larger than 2 GB.
NFSv3 supports asynchronous writes on the server; asynchronous writes improve write performance.
NFSv3 supports additional file attributes in many replies, to avoid the need to re-fetch them.
NFSv3 supports the READDIRPLUS operation, which gets file handles and attributes along with file names when scanning a directory.
NFSv3 supports TCP. Using TCP as a transport made NFS over a WAN more feasible.

NFSv4
NFSv4 supports only TCP.
NFSv4 retains all NFSv3 advantages.
NFSv4 supports ACLs.
NFSv4 uses the virtual file system to present the server's exports.
NFSv4 supports a pseudo file system, which provides maximum flexibility: export pathnames on servers can be changed transparently to clients.
NFSv4 has locking operations as part of the protocol, which keep track of open files and delegations.
NFSv4 works through firewalls and on the Internet and no longer requires the rpcbind service.

Required Services:-
Red Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provide NFS file sharing. All NFS versions depend on the Remote Procedure Call (RPC) service, which is controlled by the rpcbind service. In earlier versions of RHEL the portmap service was used to map RPC program numbers to IP address and port number combinations. This service has now been replaced by rpcbind to enable IPv6 support.

nfs
service nfs start starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.

nfslock
service nfslock start activates a mandatory service that starts the appropriate RPC processes allowing NFS clients to lock files on the server.

rpcbind
rpcbind accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services can access them. rpcbind responds to requests for RPC services and sets up connections to the requested RPC service. This is not used with NFSv4.

The following RPC processes facilitate NFS services:

rpc.mountd
This process is used by an NFS server to process MOUNT requests from NFSv2 and NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the file handle for this NFS share back to the NFS client.

rpc.nfsd
rpc.nfsd allows explicit NFS versions and protocols the server
advertises to be defined. It works with the Linux kernel to meet
the dynamic demands of NFS clients, such as providing server
threads each time an NFS client connects. This process
corresponds to the nfs service.

lockd
lockd is a kernel thread which runs on both clients and servers. It
implements the Network Lock Manager (NLM) protocol, which
allows NFSv2 and NFSv3 clients to lock files on the server. It is
started automatically whenever the NFS server is run and
whenever an NFS file system is mounted.

rpc.statd
This process implements the Network Status Monitor (NSM) RPC
protocol, which notifies NFS clients when an NFS server is
restarted without being gracefully brought down. rpc.statd is
started automatically by the nfslock service, and does not require
user configuration. This is not used with NFSv4.

rpc.rquotad
This process provides user quota information for remote users.
rpc.rquotad is started automatically by the nfs service and does
not require user configuration.

rpc.idmapd
rpc.idmapd provides NFSv4 client and server upcalls, which map
between on-the-wire NFSv4 names (which are strings in the form
of user@domain) and local UIDs and GIDs. For idmapd to function
with NFSv4, the /etc/idmapd.conf file must be configured. This
service is required for use with NFSv4, although not when all
hosts share the same DNS domain name.

NFS Services:-
It is a System V-launched service. The NFS server package includes three facilities, included in the portmap and nfs-utils packages.

1. portmap: It maps calls made from other machines to the correct RPC service (not required with NFSv4).
2. nfs: It translates remote file sharing requests into requests on the local file system.
3. rpc.mountd: This service is responsible for mounting and unmounting of file systems.

Important Files for NFS Configuration:-

1. /etc/exports: It is the main configuration file of NFS; all exported files and directories are defined in this file at the NFS server end.
2. /etc/fstab: To mount an NFS directory on your system across reboots, we need to make an entry in /etc/fstab.
3. /etc/sysconfig/nfs: Configuration file of NFS to control on which ports rpc and other services are listening.

NFS Configuration Lab:-

NFS Server Configuration Steps:-

Step 1:- Configure the NIC (Network Interface Card). Execute the following command to configure the NIC.

# setup

Step 2:- Restart the network service by executing the following command.

# service network restart

Step 3:- Then check your NIC configuration with the help of the following command.

# ifconfig

Step 4:- In the next step we need to install the NFS packages on our NFS server as well as on the NFS client machine. We can install them via yum (Red Hat Linux) and apt-get (Debian and Ubuntu) package installers.

To install the NFS packages using yum in RHEL 6, execute the following commands:-

# yum install nfs-utils nfs-utils-lib
# yum install rpcbind (not required with NFSv4)

To install the NFS packages using apt-get in Debian or Ubuntu, execute the following command (the Debian package names differ from the Red Hat ones):-

# apt-get install nfs-kernel-server nfs-common

Step 5:- In this step you have to verify that the NFS server packages are installed.

To verify the nfs-utils package, execute the following command:-

# rpm -qa nfs-utils*

To verify the rpcbind package, execute the following command:-

# rpm -qa rpcbind*

Step 6:- In the next step, create a new directory to share with the client and name it whatever you want; you can also share an already existing directory with NFS.

To create a new directory, execute the following command:-

# mkdir /nfsshare

Step 7:- Now we need to make an entry in /etc/exports and restart the services to make our directory shareable in the network.

/nfsshare 172.18.209.10(rw,sync)

In the above example, the directory nfsshare in the / partition is being shared with the client IP 172.18.209.10 with read and write (rw) privilege; you can also use the hostname of the client in place of the IP in the above example. Write the options directly after the client with no space in between: with a space, as in "172.18.209.10 (rw,sync)", the line would export the share to 172.18.209.10 with default options and to every host with rw.
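The /etc/exports mistakes worth catching before running exportfs can be checked with a script. This is an added example and not part of these notes: it lints constructed exports lines for a space before the options, wildcard clients, no_root_squash and read/write exports, which are the cases the warning above is about. The file content and function names are my own.

```shell
# Added example (not from these notes): lint an /etc/exports file for the
# entries that quietly widen access. The file content below is constructed;
# the function names are my own. Point them at the real file to use them.

EXPORTS_SAMPLE='/nfsshare 172.18.209.10 (rw,sync)
/data 172.18.209.0/24(rw,sync,no_root_squash)
/public *(ro,sync)
/home 172.18.209.10(rw,sync)'

# A space between the client and "(options)" is read by exportfs as two
# clients: the named host with default options, and "*" (everyone) with
# the options in parentheses. The first sample line has this mistake.
space_before_options() {
    printf '%s\n' "$EXPORTS_SAMPLE" | awk '/[^ \t][ \t]+\(/ { print $1 }'
}

# Wildcard clients: any host that can reach TCP 2049 may mount the share.
wildcard_clients() {
    printf '%s\n' "$EXPORTS_SAMPLE" | awk '
        { for (i = 2; i <= NF; i++) { split($i, p, "("); if (p[1] ~ /^\*/) print $1 } }'
}

# no_root_squash lets root on the client act as root on the exported tree
# (the default root_squash maps client root to nobody).
no_root_squash_exports() {
    printf '%s\n' "$EXPORTS_SAMPLE" | awk '/no_root_squash/ { print $1 }'
}

# Every (path, client) pair exported read/write; an empty client name
# before the options is printed as "*" because that is how it is exported.
rw_exports() {
    printf '%s\n' "$EXPORTS_SAMPLE" | awk '
        { for (i = 2; i <= NF; i++)
            if ($i ~ /\(.*rw.*\)/) { split($i, p, "("); print $1, (p[1] == "" ? "*" : p[1]) } }'
}

printf 'space before options: %s\n' "$(space_before_options)"
printf 'wildcard clients: %s\n' "$(wildcard_clients)"
printf 'no_root_squash: %s\n' "$(no_root_squash_exports)"
printf 'rw exports:\n%s\n' "$(rw_exports)"
```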

Step 8:- Now start the rpcbind and nfs services by using the following commands.

# service rpcbind start (not required with NFSv4)
# service nfs start

Step 9:- To turn on the above services at boot time, execute the following commands.

# chkconfig rpcbind on (not required with NFSv4)
# chkconfig nfs on

Step 10:- Now execute the following command to show the available shares on your NFS server.

# showmount -e

NFS Client Configuration Steps:-

Step 1:- Configure the NIC (Network Interface Card). Execute the following command to configure the NIC.

# setup

Where eth0 is your NIC name.

Step 2:- If your NIC is not configured, then first configure your NIC.

To configure the NIC, execute the following command:-

# setup

Then restart the network service:-

# service network restart

And then check the connectivity with the NFS server:-

# ping 172.18.209.9

Step 3:- In the next step we need to install the NFS packages on our NFS server as well as on the NFS client machine. We can install them via yum (Red Hat Linux) and apt-get (Debian and Ubuntu) package installers.

To install the NFS packages using yum in RHEL 6, execute the following commands:-

# yum install nfs-utils nfs-utils-lib
# yum install rpcbind (not required with NFSv4)

To install the NFS client package using apt-get in Debian or Ubuntu, execute the following command (the Debian package name differs from the Red Hat one):-

# apt-get install nfs-common

Step 4:- In this step you have to verify that the NFS packages are installed.

To verify the nfs-utils package, execute the following command:-

# rpm -qa nfs-utils*

To verify the rpcbind package, execute the following command:-

# rpm -qa rpcbind*

Step 5:- At the NFS client end, we need to mount that directory from our server to access it locally. To do so, first we need to find out which shares are available on the remote server, or NFS server. Execute the following command to find out the available shares on the NFS server.

# showmount -e 172.18.209.9

Note:- Here 172.18.209.9 is the NFS server IP address.

Step 6:- Use the following command to mount that NFS share on our client machine.

# mount -t nfs 172.18.209.9:/nfsshare /mnt

The above command will mount that shared directory on /mnt/ on the client. You can verify it with the following command.

# mount | grep nfs

Step 7:- In the previous step we mounted the NFS shared directory on the NFS client temporarily. To mount an NFS directory permanently on your system across reboots, we need to make an entry in /etc/fstab.

Now edit the /etc/fstab file and add the following line to this file.

# vim /etc/fstab

172.18.209.9:/nfsshare /mnt nfs defaults 0 0

To Remove the NFS Mount

If you want to unmount that shared directory from your server after you are done with the file sharing, you can simply unmount that particular directory with the umount command. See this example below.

# umount /mnt

You can see that the mount was removed by looking at the file systems again.

# df -h -t nfs
Important Commands for NFS:-
Some more important commands for NFS.

1. showmount -e : Shows the available shares on your local machine
2. showmount -e <server-ip or hostname> : Lists the available shares at the remote server
3. showmount -d : Lists all the sub directories
4. exportfs -v : Displays a list of shared files and options on a server
5. exportfs -a : Exports all shares listed in /etc/exports, or the given name
6. exportfs -u : Unexports all shares listed in /etc/exports, or the given name
7. exportfs -r : Refreshes the server's list after modifying /etc/exports