IST190Unit2

1. What file has to be modified to change the default umask for ALL users who log in to your Linux server? Give an example.

/etc/profile file. As root, you can change this by adding a shell startup script named /etc/profile.d/local-umask.sh that looks something like the output in this example: Users can override the system defaults in their .bash_profile and .bashrc files. All UNIX users can override the system umask defaults in their /etc/profile file, ~/.

What is /sbin/nologin?

1. A common solution to this situation is to set the user's login shell to /sbin/nologin. If the user attempts to log in to the system directly, the nologin shell closes the connection. The nologin shell prevents interactive use of the system, but does not prevent all access. Users might be able to authenticate and upload or retrieve files through applications such as web applications, file transfer programs, or mail readers if they use the user's password for authentication.

In your own words paraphrase Chapter 6 where it asks "What is a user?"

1. A user account is used to provide security boundaries between different people and programs that can run commands. Users have user names to identify them to human users and make them easier to work with. Internally, the system distinguishes user accounts by the unique identification number assigned to them, the user ID or UID. If a user account is used by humans, it will generally be assigned a secret password that the user will use to prove that they are the actual authorized user when logging in. That can manipulate files and perform several other operations. Each user is assigned an ID that is unique for each user in the operating system.

What is significant about UID numbers above 1000?

1. In Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8, the useradd command assigns new users the first free UID greater than or equal to 1000, unless you explicitly specify one using the -u option. This is how information leakage can occur. If the first free UID had been previously assigned to a user account which has since been removed from the system, the old user's UID will get reassigned to the new user, giving the new user ownership of the old user's remaining files.

What is a Red Hat User Private Group?

1. Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created and that user is the only member of the UPG. UPGs makes it safe to set default permissions for a newly created file or directory which allow both the user and that user's group to make modifications to the file or directory.

Explain the difference between primary groups and secondary groups.

1. Specifies a group that the operating system assigns to files that are created by the user. Each user must belong to a primary group. Secondary groups - Specifies one or more groups to which a user also belongs. Primary groups are small and characterized by close, personal relationships that last a long time. Secondary groups include impersonal, temporary relationships that are goal-oriented.

Define and compare what a shell variable is versus an environment variable.

1. The Bash shell allows you to set shell variables that you can use to help run commands or to modify the behavior of the shell. You can also export shell variables as environment variables, which are automatically copied to programs run from that shell when they start. You can use variables to help make it easier to run a command with a long argument, or to apply a common setting to commands run from that shell. Environmental variables are used to pass information into processes that are spawned from the shell. Shell variables are variables that are contained exclusively within the shell in which they were set or defined. They are often used to keep track of ephemeral data, like the current working directory.

1. What four things are defaults in the user password policy for a RHEL8/CentOS8 user (hint: /etc/login.defs):

1. The PASS_MAX_DAYS sets the default maximum age of the password 2. The PASS_MIN_DAYS sets the default minimum age of the password. 3. The PASS_WARN_AGE sets the default warning period of the password. 4. Any change in the default password aging policies will be effective for new users only. The existing users will continue to use the old password aging settings rather than

1. There are three pieces of information stored in a modern password hash. What are they?

1. The hashing algorithm used for this password. The number 6 indicates it is a SHA-512 hash, which is the default in Red Hat Enterprise Linux 8. A 1 would indicate MD5, a 5 SHA-256. 2. The salt used to encrypt the password. This is originally chosen at random. 3. The encrypted hash of the user's password. The salt and the unencrypted password are combined and encrypted to generate the encrypted hash of the password.

What is found in the /etc/sudoers file? How does it work?

1. The main configuration file for sudo is /etc/sudoers. To avoid problems if multiple administrators try to edit it at the same time, it should only be edited with the special visudo command. The following line from the /etc/sudoers file enables sudo access for members of group wheel. By default, /etc/sudoers also includes the contents of any files in the /etc/sudoers.d directory as part of the configuration file. This allows an administrator to add sudo access for a user simply by putting an appropriate file in that directory. In this line, %wheel is the user or group to whom the rule applies. A % specifies that this is a group, group wheel. The ALL=(ALL) specifies that on any host that might have this file, wheel can run any command. The final ALL specifies that wheel can run those commands as any user on the system. Using supplementary files under the /etc/sudoers.d directory is convenient and simple. You can enable or disable sudo access simply by copying a file into the directory or removing it from the directory.

What is an umask and how does it work? Show examples of how changing the umask affects files and directories.

1. This is an octal bitmask used to clear the permissions of new files and directories created by a process. If a bit is set in the umask, then the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users. The leading zeros indicate the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files. The umask command without arguments will display the current value of the shell's umask: Use the umask command with a single numeric argument to change the umask of the current shell. The numeric argument should be an octal value corresponding to the new umask value. You can omit any leading zeros in the umask. The system's default umask values for Bash shell users are defined in the /etc/profile and /etc/bashrc files. Users can override the system defaults in the .bash_profile and .bashrc files in their home directories.

Explain the differences between the root user and all other users on a Linux server.

1. This user has the power to override normal privileges on the file system and is used to manage and administer the system. In order to perform tasks such as installing or removing software and to manage system files and directories, a user must escalate privileges to the root user. The root user has maximum permissions and can do anything to the system. Normal users on Linux run with reduced permissions - for example, they can't install software or write to system directories.

What is the purpose of the sticky bit? How do you set it?

1. Users with write access to the directory can only remove files that they own; they cannot remove or force saves to files owned by other users. o+t (sticky) A Sticky bit is a permission bit that is set on a file or a directory that lets only the owner of the file/directory or the root user to delete or rename the file. No other user is given privileges to delete the file created by some other user. An example is /tmp:

How do you expand a bash shell variable?

1. You can use variable expansion to refer to the value of a variable that you have set. To do this, precede the name of the variable with a dollar sign ($). In the following example, the echo command prints out the rest of the command line entered, but after variable expansion is performed.

What is the command using octal notation to changer the permissions on /var/www/html/ist190/index.html so that the user owner has RWX, the group has RX, and the world has R?

1. chmod 754 /var/www/html/ist190/index.html

You have been asked to setup a collaborative directory for all members of the music group at /data/musicgroup/ on your fileserver. What is the command to set create these special permissions (sgid)?

1. chmod g+s /data/musicgroup/

What is the command to add write permissions to all group owners below /var/www/html/ist190/ on a Linux webserver, including directories and files? Follow the suggestion in the chapter.

1. chmod g+w/var/www/html/ist190/

Define and explain the three permissions used in Linux to control access to directories.

1. read, write, and execute. R- contents of the directory (file names) can be listed. W- any file in the directory may be created or deleted. If write and the sticky bit are both set on a directory, then only the file or subdirectory owner may delete it, which is similar to the Windows Write permission behavior. X- contents of the directory can be accessed (dependent on the permission of the files in the directory). Exec are required on directories for them to work.

Define and explain the three permissions used in Linux to control access to files (excluding directories).

1. read, write, and execute. R-contents of the file can be read. W-contents of the file can be changed. X-files can be executed as commands. Linux divides the file permissions into read, write and execute denoted by r,w, and x. The permissions on a file can be changed by 'chmod' command which can be further divided into Absolute and Symbolic mode.

What does the hyphen do in the su - command?

1. while the command su - (with the dash option) starts a login shell. The main distinction between the two commands is that su - sets up the shell environment as if it were a new login as that user, while su just starts a shell as that user, but uses the original user's environment settings. In most cases, administrators should run su - to get a shell with the target user's normal environment settings.

Explain what a file descriptors do in Linux.

A process uses numbered channels called file descriptors to get input and send output. All processes start with at least three file descriptors. Standard input (channel 0) reads input from the keyboard. Standard output (channel 1) sends normal output to the terminal. Standard error (channel 2) sends error messages to the terminal. If a program opens separate connections to other files, it may use higher-numbered file descriptors. In Unix and Unix-like computer operating systems, a file descriptor (FD, less frequently fildes) is a unique identifier (handle) for a file or other input/output resource, such as a pipe or network socket.

What is the most efficient and fastest way to change the user owner to ist190student and the group owner to wheel for all files and directories under /var/www/html/ist190/ on a Linux webserver?

Chown :ist190student /var/www/html/ist190/

1. Explain what the following options do when used on the useradd command:

a. -a- append- Used with the -G option to add the supplementary groups to the user's current set of group memberships instead of replacing the set of supplementary groups with a new set. b. -G- groups GROUPS- Specify a comma-separated list of supplementary groups for the user account. c. -g- gid GROUP - Specify the primary group for the user account. d. -L- lock- Lock the user account. e. -s- shell SHELL - Specify a particular login shell for the user account. f. -U- unlock - Unlock the user account.

1. Explain what the following options do when used on the change command:

a. -d- username will force a password update on next login, last change date b. -E- username will expire an account on a specific day, password expiration date c. -I- inactive date d. -m- min days e. -M- max days f. -W- warn days

1. What do the following redirection operators do?

a. > file- redirect stdout to overwrite a file b. >> file- redirect stdout to append to a file c. > file 2> file2- redirect stderr to overwrite a file d. 2> /dev/null- discard stderr error messages by redirecting to /dev/null e. &> file- redirect stdout and stderr to overwrite the same file f. &>> file- redirect stdout and stderr to append to the same file

Define the four fields found in each record of the /etc/group file.

a. Field 1 = Group name for this group (group01). b. Field 2 = Obsolete group password field. This field should always be x. c. Field 3 = The GID number for this group (10000). Field 4 =A list of users who are members of this group as a supplementary group (user01, user02, user03). Primary (or default) and supplementary groups are discussed later in this section.

There are seven fields in the /etc/passwd file for each record. Define them in the proper order:

a. Field 1 = Username for this user (user01). b. Field 2 = The user's password used to be stored here in encrypted format. That has been moved to the /etc/shadow file, which will be covered later. This field should always be x. c. Field 3 = The UID number for this user account (1000). d. Field 4 = The GID number for this user account's primary group (1000). e. Field 5 = The real name for this user (User One). f. Field 6 = The home directory for this user (/home/user01). This is the initial working directory when the shell starts and contains the user's data and configuration settings. Field 7 = The default shell program for this user, which runs on login (/bin/bash). For a regular user, this is normally the program that provides the user's command-line prompt. A system user might use /sbin/nologin if interactive logins are not allowed for that user.

1. There are nine fields in the /etc/shadow file for each record. Define them in the proper order:

a. Field 1 = Username of the account this password belongs to. b. Field 2 = The encrypted password of the user. The format of encrypted passwords is discussed later in this section. c. Field 3 = The day on which the password was last changed. This is set in days since 1970-01-01, and is calculated in the UTC time zone. d. Field 4 = The minimum number of days that have to elapse since the last password change before the user can change it again. e. Field 5 = The maximum number of days that can pass without a password change before the password expires. An empty field means it does not expire based on time since the last change. f. Field 6 = Warning period. The user will be warned about an expiring password when they login for this number of days before the deadline. g. Field 7 = Inactivity period. Once the password has expired, it will still be accepted for login for this many days. After this period has elapsed, the account will be locked. h. Field 8 = The day on which the account expires. This is set in days since 1970-01-01, and is calculated in the UTC time zone. An empty field means it does not expire on a particular date. i. Field 9 = The last field is usually empty and is reserved for future use.

Explain how to use the following commands from Chapter 6:

a. Groupadd- The groupadd command creates groups. Without options the groupadd command uses the next available GID from the range specified in the /etc/login.defs file while creating the groups. b. Id- You can use the id command to show information about the currently logged-in user. The id command can also be used to find out about group membership for a user c. Passwd- The passwd username command sets the initial password or changes the existing password of username. The root user can set a password to any value. A message is displayed if the password does not meet the minimum recommended criteria, but is followed by a prompt to retype the new password and all tokens are updated successfully. A regular user must choose a password at least eight characters long and is also not based on a dictionary word, the username, or the previous password. d. ps au- use the ps command. The default is to show only processes in the current shell. Add the a option to view all processes with a terminal. To view the user associated with a process, include the u option. In the following output, the first column shows the username. e. Su- The su command allows users to switch to a different user account. If you run su from a regular user account, you will be prompted for the password of the account to which you want to switch. When root runs su, you do not need to enter the user's password. f. Sudo- The sudo command allows a user to be permitted to run a command as root, or as another user, based on settings in the /etc/sudoers file. sudo requires users to enter their own password for authentication, not the password of the account they are trying to access. g. Usermod- The use of the -a option makes usermod function in append mode. Without -a, the user will be removed from any of their current supplementary groups that are not included in the -G option's list.

Define these files, directories, variables, and commands?

a. PS1- which is a shell variable that controls the appearance of the shell prompt. If you change this value, it will change the appearance of your shell prompt. A prompt, it is virtually always desirable to end the prompt with a trailing space. b. EDITOR- The EDITOR environment variable specifies the program you want to use as your default text editor for command-line programs. Many programs use vi or vim if it is not specified, but you can override this preference if required: c. HOME- variable to the file name of the user's home directory when it starts. This can be used to help programs determine where to save files. d. LANG- which sets the locale. This adjusts the preferred language for program output; the character set; the formatting of dates, numbers, and currency; and the sort order for programs. e. PATH- variable contains a list of colon-separated directories that contain programs: When you run a command such as ls, the shell looks for the executable file ls in each of those directories in order, and runs the first matching file it finds. f. Env- To list all the environment variables for a particular shell, run the env command: g. Set- Set or unset values of shell options and positional parameters. Change the value of shell attributes and positional parameters, or display the names and values of shell variables. You can use the set command to list all shell variables that are currently set. h. Export- You can make any variable defined in the shell into an environment variable by marking it for export with the export command i. Unset- To unset and unexport a variable entirely, use the unset command: j. Unexport- To unexport a variable without unsetting it, use the export -n command k. .bashrc- if you want to make a change to your user account that affects all your interactive shell prompts at startup, edit your ~/.bashrc file. l. /etc/profile.d- adjust settings that affect all user accounts is by adding a file with a name ending in .sh containing the changes to the /etc/profile.d directory.

Define the following terms from Chapter 4

a. Stdin- Standard input b. Stdout- Standard output c. Stderr- Standard error d. Redirection- redirection changes how the process gets its input or output. Instead of getting input from the keyboard, or sending output and errors to the terminal, the process reads from or writes to files. Redirection lets you save messages to a file that are normally sent to the terminal window. Alternatively, you can use redirection to discard output or errors, so they are not displayed on the terminal or saved. e. Pipeline- A pipeline is a sequence of one or more commands separated by the pipe character (|). A pipe connects the standard output of the first command to the standard input of the next command. Pipelines allow the output of a process to be manipulated and formatted by other processes before it is output to the terminal. One useful mental image is to imagine that data is "flowing" through the pipeline from one process to another, being altered slightly by each command in the pipeline through which it flows. f. Pipe- Pipes send the standard output from one process to the standard input of another process. g. Tee- The tee command overcomes this limitation. In a pipeline, tee copies its standard input to its standard output and also redirects its standard output to the files named as arguments to the command. If you imagine data as water flowing through a pipeline, tee can be visualized as a "T" joint in the pipe which directs output in two directions

1. Editing from a command prompt:

a. What is vim? Vim is highly configurable and efficient for practiced users, including such features as split screen editing, color formatting, and highlighting for editing text. Vim is an improved version of the vi editor distributed with Linux and UNIX systems b. What is the difference between vi and vim? Vim is often used as the vi implementation on other common operating systems or distributions. For example, macOS currently includes a lightweight installation of Vim by default. Vi stands for Visual. It is a text editor that is an early attempt to a visual text editor. Vim stands for Vi IMproved. It is an implementation of the Vi standard with many additions. It is the most used implementation of the standard. Most Linux distributions come with Vim already installed. c. Define the three modes of vim? command mode, extended command mode, edit mode, and visual mode. d. What is the default mode in vim? When you first open Vim, it starts in command mode, which is used for navigation, cut and paste, and other text manipulation e. What is the keystroke enter insert mode? An i keystroke enters insert mode, where all text typed becomes file content. f. What is the keystroke to go from insert mode to command mode? Pressing Esc returns to command mode. g. What is the keystroke to enter visual mode for a block of text? A v keystroke enters visual mode, where multiple characters may be selected for text manipulation. Use Shift+V for multiline and Ctrl+V for block selection. The same keystroke used to enter visual mode (v, Shift+V or Ctrl+V) is used to exit. h. What is the keystroke to save your files and exit vim? The :wq command writes (saves) the file and quits Vim. To save the file and exit the editor simultaneously, press Esc to switch to normal mode, type :wq and hit Enter .