Configuring SUSE Linux Enterprise

Course Outline
Section 1: Introduction
Section 2: Overview of SUSE Linux Enterprise
Section 3: The Linux File System
Section 4: Work with the Command Line
Section 5: The VIM Editor
Section 6: Remote Administration
Section 7: System Initialization
Section 8: Process Management
Section 9: Identity and Security
Section 10: Software Management
Section 11: Network Management
Section 12: Storage Management
Section 13: Administration and Monitoring
Section 14: Installing SUSE Linux Enterprise
Section 15: Conclusion
Exam Preparation
Section 6: Remote Administration

Topics in this section include:
- Understanding Remote Administration (SSH)
- Using the SSH Utilities
- Configuring SSH Servers
- Understanding Remote Administration (VNC)
Understanding Remote Administration with OpenSSH

In the Beginning Was Telnet...
- Telnet is wide open, with no encryption or modern security options
- All Telnet traffic was susceptible to sniffing
- SSH (Secure SHell) was the answer

OpenSSH Overview
- Developed to be a secure replacement for Telnet
- Replaces telnet, rcp, rlogin, rsh, etc.
- Based on public/private key encryption

OpenSSH Features
- Remote login
- Drop-ship commands
- Multi-system copying
- Secure communication
- Easy to use
- Advanced features
The SSH v2 Process Visually
1. Client initiates connection via ssh on port 22
2. Server replies with host public key
3. Client stores public key in ~/.ssh/known_hosts
4. Diffie-Hellman session key is agreed upon
5. Client authentication is accomplished
6. A secure, encrypted session is established
Using the SSH Utilities

SSH Client Utilities
ssh    Terminal utility replacing rsh
scp    Secure rcp replacement
sftp   Secure ftp replacement

Examples
$ ssh bonzo@remotehost
The authenticity of host '172.16.242.129' can't be established.
ECDSA key fingerprint is SHA256:BeUV1zQiGC6+bdUC34GlGCj3T9SFJS72++xO+IUW1Yw.
Are you sure you want to continue connecting (yes/no)?
<The remote public key will be put in the local user's ~/.ssh/known_hosts>

$ scp /home/ross/file1 zakkw@remotehost:~/dir1
<Copies a file from your host to remote, into /home/zakk/dir1>

$ sftp marcom@remotehost
<Virtually identical to ftp, just over port 22>
Getting Keys from Hosts
ssh-keyscan   Manually get SSH host key

- Normally the first time you connect via the SSH protocol, you are prompted to accept the key
- What if you just want to check that the remote key matches before you attach?

Examples
$ ssh-keyscan -t rsa remotehost
# 172.16.242.129:22 SSH-2.0-OpenSSH_7.6
172.16.242.129 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+F0/tXI9GcP2brsEpH8AEmnOY2gzLE3a8hAiye5fxEfW3pHSP38JfuZt0stR51jcY8MfopJ3VgisMQKHdXwiK4IRTm2kKg/i3Z/u+iyMxzs9y
<The keyscan returns the rsa key for the remote server, which you can then check against a known record or >> redirect to the ~/.ssh/known_hosts file>

Cautionary Note:
- You may be tempted to keyscan all known hosts and add them automatically to your known_hosts file
- This will almost guarantee a "Man-in-the-Middle" attack will succeed.
- Better to record a server's key when it is installed and check the current key against the known one using scripting
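The check the cautionary note calls for, and the known_hosts step of the SSH v2 process above, can be scripted. This is an added example and not part of the course: it assumes you keep one ssh-keyscan-format record per host (captured when the server was installed) and it uses constructed placeholder keys rather than real ones.

```shell
#!/bin/sh
# Added example (not from the course): verify a server's current host key against a
# record pinned when the server was installed, instead of auto-trusting ssh-keyscan.
# Assumption: pinned records use the same format ssh-keyscan prints
# ("host keytype base64key"), e.g. captured once at install time with:
#     ssh-keyscan -t rsa "$host" > /etc/ssh/pinned/"$host".keys

# extract_key KEYTYPE < keyscan-output
# Prints the base64 key material of the first non-comment line of that key type.
extract_key() {
    awk -v type="$1" '$1 !~ /^#/ && $2 == type { print $3; exit }'
}

# compare_host_key PINNED_FILE SCANNED_FILE KEYTYPE
# 0 = keys match, 1 = keys differ (do not connect), 2 = key type missing in a file.
compare_host_key() {
    pinned=$(extract_key "$3" < "$1")
    scanned=$(extract_key "$3" < "$2")
    if [ -z "$pinned" ] || [ -z "$scanned" ]; then
        echo "no $3 key found in both $1 and $2" >&2
        return 2
    fi
    if [ "$pinned" = "$scanned" ]; then
        echo "$3 host key matches the pinned record"
        return 0
    fi
    echo "HOST KEY MISMATCH for $3: possible man-in-the-middle or a rebuilt host" >&2
    return 1
}

# check_live_host HOST PINNED_FILE: scans the real host on port 22 and compares.
# Needs network access, so it is only a helper here and is not run below.
check_live_host() {
    scan=$(mktemp)
    ssh-keyscan -t rsa "$1" 2>/dev/null > "$scan"
    compare_host_key "$2" "$scan" ssh-rsa
    rc=$?
    rm -f "$scan"
    return $rc
}

# --- constructed sample data (placeholder strings, not real host keys) ---
PINNED=$(mktemp); SCAN_OK=$(mktemp); SCAN_BAD=$(mktemp)
trap 'rm -f "$PINNED" "$SCAN_OK" "$SCAN_BAD"' EXIT
printf '%s\n' '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpinnedPLACEHOLDER' > "$PINNED"
# the same host answering with the same key (the comment line mimics ssh-keyscan's banner)
printf '%s\n%s\n' '# 192.0.2.10:22 SSH-2.0-OpenSSH_7.6' \
    '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpinnedPLACEHOLDER' > "$SCAN_OK"
# something at that address answering with a different key
printf '%s\n' '192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdifferentPLACEHOLDER' > "$SCAN_BAD"

compare_host_key "$PINNED" "$SCAN_OK" ssh-rsa          # match, returns 0
compare_host_key "$PINNED" "$SCAN_BAD" ssh-rsa || :    # MISMATCH, returns 1
```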
Generating Key Pairs
ssh-keygen   Generate key pairs

- Can choose rsa or dsa, both have benefits
- RSA faster for encrypting and verifying signatures
- DSA faster for keygen, decryption, generating signatures

Example
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cloud_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cloud_user/.ssh/id_rsa.
Your public key has been saved in /home/cloud_user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ham0yxQSaAJdqj12pqRkhjTadsadfffC50B6oozIDBkEDNydH0k cloud_user@rossbrunson1c.mylabserver.com
The key's randomart image is:
+---[RSA 2048]----+ ... +----[SHA256]-----+ (randomart image not reproduced)
Configuring SSH

Configuring the SSH Client Environment
- Overall system configuration for ssh clients: /etc/ssh/ssh_config
- Local user configuration for the ssh client: ~/.ssh/config

StrictHostKeyChecking Security Option
- This option sets how keys are added to the user's known_hosts file
- For secure environments this can lock the users to known and approved hosts only

no           Stores the key automatically (security risk!)
ask          Default, ask to store if not already known
yes          Will only connect if key is pre-shared (secure)
accept-new   Auto add keys, won't connect to changed
Configuring the SSH Server Environment
- Overall system configuration for the ssh server: /etc/ssh/sshd_config

Important Configuration Options
DenyUsers    Allow all BUT these users
AllowUsers   Deny all BUT these users
Protocol     Which version to allow (v2 is default)
Port         Specify the SSH port (can be several)
UsePAM       Use the Pluggable Auth Module option

- Note: Remember to restart the sshd daemon/service after changing the configuration file
Setting up Key-Based Authentication
- Allows you to use a passphrase for SSH actions
- Must be set up properly, don't use for root
- Uses ssh-add & ssh-agent to wrap your session

1. Generate a key pair (ssh-keygen)
2. Upload the public key to a remote server
3. Verify the public key works
4. Add your credentials to the ssh-agent
5. Connect w/o password to the remote server
6. Glory in your success
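Before step 3 it is worth confirming the key files are "set up properly". This added example (not from the course) checks the permissions sshd and ssh insist on; it assumes GNU stat as found on SLES and uses a throw-away directory in place of ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the course): check that a ~/.ssh directory is set up properly
# for key-based authentication. sshd with StrictModes (its default) ignores
# authorized_keys when the directory or the file is group/world writable, and the ssh
# client refuses a private key that other users can read. Assumes GNU stat (stat -c %a).

# mode_bits PATH MASK: prints the octal mode of PATH ANDed with MASK (e.g. 022 or 077)
mode_bits() {
    printf '%d\n' "$(( 0$(stat -c %a "$1") & $2 ))"
}

# check_ssh_perms SSH_DIR
# Returns 0 when permissions are acceptable, 1 when any problem is found (each problem
# is printed). Private keys are taken to be id_* files without a .pub suffix.
check_ssh_perms() {
    dir=$1; bad=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi
    if [ "$(mode_bits "$dir" 022)" -ne 0 ]; then
        echo "FAIL: $dir is group/world writable (sshd StrictModes will ignore it)"; bad=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if [ "$(mode_bits "$key" 077)" -ne 0 ]; then
            echo "FAIL: private key $key is accessible to other users (ssh will refuse it)"; bad=1
        fi
    done
    if [ -f "$dir/authorized_keys" ] && [ "$(mode_bits "$dir/authorized_keys" 022)" -ne 0 ]; then
        echo "FAIL: $dir/authorized_keys is group/world writable"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: $dir is acceptable for key-based authentication"
    return "$bad"
}

# --- constructed sample: a throw-away directory standing in for ~/.ssh ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
chmod 700 "$SAMPLE"
: > "$SAMPLE/id_rsa";          chmod 600 "$SAMPLE/id_rsa"
: > "$SAMPLE/id_rsa.pub";      chmod 644 "$SAMPLE/id_rsa.pub"
: > "$SAMPLE/authorized_keys"; chmod 600 "$SAMPLE/authorized_keys"

check_ssh_perms "$SAMPLE"             # OK, returns 0
chmod 644 "$SAMPLE/id_rsa"            # the classic mistake: a readable private key
check_ssh_perms "$SAMPLE" || :        # FAIL for id_rsa, returns 1
chmod 600 "$SAMPLE/id_rsa"            # restore the sample
```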
Loading Up Your Credentials
- If constantly typing your password is getting tedious
- Load your identity into the ssh-agent with ssh-add
- Let the agent provide your identity for you
- All you need to do is use your passphrase to start

ssh-agent   Loads the ssh-agent, may require -s
ssh-add     Loads the ssh-agent with your identity

Example
$ eval `ssh-agent -s`
$ ssh-add
Enter passphrase for /home/cloud_user/.ssh/id_rsa:
Identity added: /home/cloud_user/.ssh/id_rsa
<The eval is used to wrap the ssh-agent around your current shell environment, then the ssh-add loads your identity into the agent, which intercepts authentication requests for you.>
Understanding Remote Administration with VNC

Remote Management Overview
- Management via the graphical desktop
- Uses Virtual Network Computing (VNC)
- Consists of a VNC server and a VNC client

VNC Server
- YaST -> Network Services -> Remote Management (VNC)
- Three options; the default is off. If needed often, choose: Allow Remote Administration with Session Management
- Firewall configuration included
Client Access Options
- Most VNC clients will work
- RealVNC app is recommended for Mac/Windows
- SLES ships with the supported vncviewer app
- Use IP address and port 5901
- Browser access requires Java enabled: http://host.domain.xxx:5801

VNC through an SSH Tunnel
- More stable to use SSH tunneling
- Use SSH to establish a tunnel from your system to the remote system
- Performs authentication in PKI, not VNC
- Establishing the tunnel is easy: ssh -L 5901:localhost:5901 user@IP/FQDN
- Then just point the client application to: localhost:5901
Section 7: System Initialization

Topics in this section include:
- Understanding the Boot Process
- Understanding the GRUB2 Boot Loader
- Defining and Describing systemd
Understanding the Boot Process

Booting SUSE Linux Systems
- GRUB2 is the default bootloader
- Booting occurs in subsequent stages

Boot stages (figure):
Hardware: POST, UEFI/BIOS
Bootloader: Stage 1 (boot.img), Stage 1.5 (core.img), Stage 2 (/boot/grub/*)
Kernel: initramfs, udev
systemd
initramfs is:
- A small cpio archive used by the kernel
- A mini-Linux system for loading the real system
- Contains the drivers needed to access the real root filesystem

Once initramfs is loaded:
- The needed modules/drivers are loaded
- udev provides the needed devices
- Control transfers from the initramfs init process to the real filesystem's systemd init process

If your hardware changes:
- The initramfs must be updated
- SLES will detect the needed modules
- To generate an initramfs for the running system: $ mkinitrd
- To generate a new init executable: $ mkinitrd -R
- Specify additional modules for initramfs in INITRD_MODULES in /etc/sysconfig/kernel
Understanding the GRUB2 Bootloader

GRUB = Grand Unified Bootloader
- Version 2 = most current
- Version 1 = GRUB Legacy

GRUB2 Differences from GRUB Legacy
- Configuration file changes
- Updated filesystem support (BtrFS)
- Translatable and theme-able UI
- Module support expanded
- Bash-like console for troubleshooting/discovery

GRUB2 Commands
grub2-mkconfig       Generate new grub.cfg file
grub2-menulst2cfg    Convert an old menu.lst file to cfg
grub2-script-check   Check GRUB files for syntax errors
grub2-mkrescue       Create a bootable rescue image
grub2-once           Set next boot to a given non-default entry
GRUB2 Configuration Files
/boot/grub2/grub.cfg        Replaces legacy menu.lst, contains the menu items. Auto-generated by grub2-mkconfig, not intended to be manually edited.
/boot/grub2/custom.cfg      Optional, used as an include file to grub.cfg at boot time.
/etc/default/grub           User and environment settings for GRUB2, backgrounds/themes.
/etc/grub.d/*               Used by grub2-mkconfig, melded into the grub.cfg, executed in order: 00, 10.
/etc/sysconfig/bootloader   SUSE-specific config file for use with YaST and new kernel versions.
Editing Menu Entries During Boot
- System changes can foil grub at boot
- Editing only takes effect for that boot, not permanent
- Tab-complete for all options

1. Start system boot
2. Press e to start editing
3. Navigate to the desired change area
4. Make the change to parameters/general options
5. Press ESC to discard any changes and boot, OR press F10 to boot with the edits in effect
Defining and Describing `systemd`

systemd is:
- System/service and session manager for Linux
- Compatible with SysV and LSB scripts
- Replaces SysV init functions in SLES 15

systemd Features:
- Highly parallel service startups
- Targets are the new runlevels (mostly)
- Daemons activated on demand
- Auto-restart failed daemons
- Uses cgroups to control processes

Things to remember about systemd:
- PID 1 used to be init, now it's systemd
- While a replacement for SysV init, it is fully compatible with it
- Unit files are analogous to service scripts
- Targets are one-to-many groups of units
- Not a perfect 1:1 match to SysV, but close
- Responsible for all user-space processes
systemd Units are:
- Service units are similar to SysV init scripts
- Services most common, but many types
- Are managed by systemctl

Type      Description                        Ext.
Service   System service                     (.service)
Target    Group of systemd units             (.target)
Device    Device file known to kernel        (.device)
Mount     Filesystem mount point             (.mount)
Path      File or directory in filesystem    (.path)
Socket    Inter-process comm socket          (.socket)
systemd Unit File Directories
- A given set of unit files are installed
- Can be overridden by runtime unit files
- Fine-tuning can happen with systemctl enable

/usr/lib/systemd/system   Default RPM-installed unit files that will be overwritten when updates/fixes occur
/run/systemd/system       Unit files created at runtime; take precedence over the unit files in /usr/lib/systemd/system
/etc/systemd/system       Unit files created by using the systemctl enable command; take precedence over the unit files in the /run/systemd/system directory
Anatomy of a Unit File
- Units are how to define something for systemd
- More standard and easy to use than LSB headers
- Much smaller than the usual init script

Dissecting the cron.service Unit File
Description   Public name of the unit (systemctl, etc.)
Before        This unit is to be started before these units
After         Units listed will be started before this unit
Restart       Keywords to define when a restart happens
RequiredBy    Will fail to activate if unit(s) not active/on
WantedBy      Nice to have, but won't cause unit issues
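This added example (not from the course) applies the precedence rules from the unit file directories slide and the directives from the cron.service dissection above: it resolves which copy of a unit systemd would load, lists the copies it shadows, and prints those directives. The ROOT argument and the sample cron.service tree are this script's own constructions.

```shell
#!/bin/sh
# Added example (not from the course): resolve which copy of a unit file systemd will
# use, given the precedence /etc > /run > /usr/lib, list any copies it shadows, and
# print the directives the course dissects in cron.service. The ROOT argument is this
# script's assumption: it prefixes the directories so the logic can run against a
# constructed tree (or a mounted image) instead of the live system.
# Drop-in overrides (unit.d/*.conf) are not modelled.

UNIT_DIRS="/etc/systemd/system /run/systemd/system /usr/lib/systemd/system"

# effective_unit_file UNIT [ROOT]: prints the winning path, returns 1 if none exists.
effective_unit_file() {
    for d in $UNIT_DIRS; do
        if [ -f "$2$d/$1" ]; then
            printf '%s\n' "$2$d/$1"
            return 0
        fi
    done
    return 1
}

# shadowed_copies UNIT [ROOT]: prints every lower-precedence copy hidden by the
# effective one. A vendor unit shadowed from /etc or /run deserves a look: it may be a
# deliberate local customisation, or a change nobody intended.
shadowed_copies() {
    top=$(effective_unit_file "$1" "$2") || return 1
    for d in $UNIT_DIRS; do
        f="$2$d/$1"
        [ -f "$f" ] && [ "$f" != "$top" ] && printf '%s\n' "$f"
    done
    return 0
}

# unit_directive FILE DIRECTIVE: prints the value of Directive= lines (comments skipped).
unit_directive() {
    awk -F= -v want="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == want { sub(/^[^=]*=/, ""); print }
    ' "$1"
}

# describe_unit UNIT [ROOT]: the course's cron.service dissection, applied to the copy
# systemd would actually load.
describe_unit() {
    f=$(effective_unit_file "$1" "$2") || { echo "no unit file for $1" >&2; return 1; }
    echo "effective file: $f"
    for key in Description Before After Restart RequiredBy WantedBy; do
        val=$(unit_directive "$f" "$key")
        [ -n "$val" ] && printf '  %-12s %s\n' "$key=" "$val"
    done
    return 0
}

# --- constructed sample tree: a vendor-style cron.service plus a local override ---
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/usr/lib/systemd/system" "$ROOT/etc/systemd/system" "$ROOT/run/systemd/system"
cat > "$ROOT/usr/lib/systemd/system/cron.service" <<'EOF'
[Unit]
Description=Command Scheduler
After=ypbind.service nscd.service network.target

[Service]
ExecStart=/usr/sbin/cron -n
Restart=on-abort

[Install]
WantedBy=multi-user.target
EOF
cat > "$ROOT/etc/systemd/system/cron.service" <<'EOF'
[Unit]
Description=Command Scheduler (local override)
After=network.target

[Service]
ExecStart=/usr/sbin/cron -n
EOF

describe_unit cron.service "$ROOT"      # shows the /etc copy and its directives
shadowed_copies cron.service "$ROOT"    # lists the /usr/lib copy it hides
```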
Understand and Manage Targets
- Targets are groups of units that are similar to runlevels
- Targets help set the system to a given state

Runlevel   systemd Target
0          poweroff.target
1          rescue.target
2/3/4      multi-user.target
5          graphical.target
6          reboot.target

Query and Set Targets
$ systemctl get-default
<Displays the default target>
$ systemctl isolate nameof.target
<Isolate removes all but that target's processes; AllowIsolate must be enabled; similar to runlevel>
$ systemctl set-default nameof.target
<Sets the default target, then use isolate or systemctl default to change to the default target>
Managing Service Units
- Using the systemctl command
- Many keywords to know and use
- Offers Tab-Complete for your assistance!

Key systemctl Options
$ systemctl option nameof.service
<start, stop, restart, reload, status, enable, disable>
$ systemctl list-units --type=service --all
<shows only active; --all or -a for every>
$ systemctl option nameof.service
<is-active, is-enabled shows service state>
$ systemctl status nameof.service
<shows huge amount of information, see demo>
$ systemctl list-dependencies param cron
<Shows what starts before, after cron>
systemd and Control Groups
- systemd depends heavily on cgroups functionality
- Hierarchical structure of all processes
- Can be used to control kernel-supplied restrictions: memory (RAM), CPU percentages, I/O bandwidth

Why Is This Important?
- cgroups help systemd track a service's processes
- See a service's (and all processes') utilization easily
- Kill a process and all sub-processes in one shot
- No more hunting for abandoned processes!

Visualize and Manage cgroups
systemd-cgls    See cgroups in a hierarchical manner
systemd-cgtop   See the most active cgroups

Kill a service and all sub-processes
$ systemctl kill nameof.service
<Sends SIGTERM to the service's processes>
$ systemctl kill -s SIGWHATEV nameof.service
<Specifies the signal sent to the processes>
Wrapping It Up
- systemd is here to stay and works well
- Become proficient with systemctl
- Remember Tab-Complete for help
Section 8: Process Management

Topics in this section include:
- Understanding Process Administration
- Understanding Background Processes
- Understanding Process Scheduling
Understanding Process Administration

Defining Processes
- A process is the active execution of the otherwise passive collection of code that makes up a program

Types of Processes
user     Has a controlling terminal (ex: chronyc)
daemon   No controlling terminal (ex: chronyd)

Relationships Between Processes
- All processes are descended from PID 1
- All others have a PID and a PPID
- Process IDs are unique to a process
- Parent processes spawn and manage children
- Removing a process normally removes its children

Orphans and Zombies
orphan   Parent ends, init adopts the orphan process
zombie   Process ends, parent does not update status
Viewing Processes
- Processes are executing code
- Have working sets of memory, environment, etc.
- Can be viewed natively in /proc/PID, where PID is the numeric process ID

Manually Viewing
- Use ls in the /proc/PID tree
- Use cat on the files
- Tedious in the extreme

Process Info Commands
ps        Displays process info, many options (aux, ef)
pstree    Shows processes as a hierarchy, very prolific
top       Updates process info until interrupted, can manage
pidstat   Shows process statistics, such as disk activity
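The orphan and zombie definitions above can be turned into a check over ps output. This added example (not from the course) scans a process table for both; the process table is constructed, and the orphan heuristic (adopted by PID 1 yet still attached to a terminal) is this script's assumption.

```shell
#!/bin/sh
# Added example (not from the course): scan a process table for the two problem cases
# from the course, zombies (STAT begins with Z) and orphaned user processes (adopted by
# PID 1 but still attached to a terminal, which daemons such as chronyd are not).
# The orphan heuristic is this script's assumption; on a desktop with a per-user systemd
# instance an orphan may be adopted by that instance rather than by PID 1.

# scan_process_table < "PID PPID TT STAT COMMAND" lines (the column layout produced by
# the ps call in find_problem_processes). Prints one line per finding; returns 1 if
# anything was found, else 0.
scan_process_table() {
    awk '
        NR == 1 { next }                                           # column header
        $4 ~ /^Z/ { printf "zombie  pid=%s ppid=%s %s\n", $1, $2, $5; found++; next }
        $2 == 1 && $3 != "?" { printf "orphan  pid=%s tty=%s %s\n", $1, $3, $5; found++ }
        END { exit (found ? 1 : 0) }
    '
}

# find_problem_processes: run the scan against the live system, asking ps for exactly
# the columns scan_process_table expects.
find_problem_processes() {
    ps -eo pid,ppid,tty,stat,comm | scan_process_table
}

# --- constructed sample ps output (not captured from a real system) ---
SAMPLE='  PID  PPID TT       STAT COMMAND
    1     0 ?        Ss   systemd
  842     1 ?        Ss   chronyd
 1203  1190 pts/0    Ss   bash
 1377  1203 pts/0    Z+   sh
 1402     1 pts/1    S    chronyc
 1450  1203 pts/0    R+   ps'

printf '%s\n' "$SAMPLE" | scan_process_table || :   # zombie 1377, orphan 1402; returns 1
```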
Signaling Processes
- We manage processes with signals
- Many signals, some common, lots are obscure
- Default is always SIGTERM (15)
#   Signal   Description
1   SIGHUP   Hangup (a.k.a. bounce, stop and restart)
9   SIGKILL  Kills a process (forcibly removed)
15  SIGTERM  Politely requests a process end itself
18  SIGCONT  Continue a SIGSTOP'd process
19  SIGSTOP  Stops a process, doesn't remove it
Signaling Commands
kill     Kills process(es) by PID (15 is default, or specify)
killall  Kills all processes by name (15 is default, or specify)
pkill    Same as pgrep, but can kill (send signals)
top      Mostly for display, can be used to signal processes
Prioritizing Processes
- Process priorities are counterintuitive
- Negative numbers are HIGHER priority
- Positive numbers are LOWER priority
Why Change Priorities?
- Systems run many processes
- Only so many resources
- Some processes don't play well with others
Set Initially or Alter Later?
- If a program is a known resource abuser, nice it
- If a program is misbehaving, renice it
nice    By default, starts a process at a lower priority
renice  By default, alters a running process to a lower priority
Notes about nice and renice
- Can specify a priority with -n
- Only root can increase a priority above normal
- Some processes will stall or not work properly if their priority is decreased too much
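To see the signal table and the nice/renice notes above in action, here is an added shell example (not from the course) that drives a throwaway sleep process through SIGSTOP, SIGCONT, renice and SIGTERM, then shows why SIGKILL exists for a process that ignores SIGTERM; it reads /proc/PID/stat, so it assumes a Linux host, and the worker and settle delays are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: walk a throwaway background
# process through the signals and nice values listed above and observe each
# step in /proc/PID/stat (the "native" view the slides mention).  Linux only.
# Lowering priority needs no root; raising it (negative nice) does.

# Start a harmless long-running worker in the background and print its PID.
start_worker() {
    sleep 300 &
    echo $!
}

# /proc/PID/stat after the "(comm)" field: state is word 1, nice is word 17.
# Stripping through the last ")" avoids trouble with spaces in the comm field.
proc_field() {
    sed 's/.*) //' "/proc/$1/stat" | awk -v n="$2" '{ print $n }'
}
proc_state() { proc_field "$1" 1; }    # S = sleeping, T = stopped, R = running
proc_nice()  { proc_field "$1" 17; }   # 0 normal, 19 lowest priority

# Send a signal by name and give the kernel a moment to deliver it.
signal_and_settle() {
    kill -s "$1" "$2"
    sleep 1
}

# Lifecycle: SIGSTOP (19) freezes the worker, SIGCONT (18) resumes it,
# renice lowers its priority, and SIGTERM (15, kill's default) asks it to
# exit.  Prints "<state after STOP> <state after CONT> <nice after renice>".
lifecycle() {
    pid=$(start_worker)
    signal_and_settle STOP "$pid"
    after_stop=$(proc_state "$pid")
    signal_and_settle CONT "$pid"
    after_cont=$(proc_state "$pid")
    renice -n 10 -p "$pid" >/dev/null
    new_nice=$(proc_nice "$pid")
    signal_and_settle TERM "$pid"
    wait "$pid" 2>/dev/null || true    # reap it; status is non-zero (signalled)
    echo "$after_stop $after_cont $new_nice"
}

# kill -0 sends nothing; it only reports whether the PID still exists.
is_alive() {
    kill -0 "$1" 2>/dev/null
}

# SIGTERM is a request a process may ignore; SIGKILL cannot be ignored.
# Prints "<alive after TERM> <gone after KILL>" for a worker that ignores TERM.
stubborn() {
    sh -c 'trap "" TERM; exec sleep 300' &
    pid=$!
    signal_and_settle TERM "$pid"
    if is_alive "$pid"; then a=yes; else a=no; fi
    signal_and_settle KILL "$pid"
    wait "$pid" 2>/dev/null || true
    if is_alive "$pid"; then b=no; else b=yes; fi
    echo "$a $b"
}

printf 'lifecycle: %s\n' "$(lifecycle)"    # T S 10
printf 'stubborn:  %s\n' "$(stubborn)"     # yes yes
```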
Understanding Background Processes
What Are Jobs and What Is Their Purpose?
- Processes become jobs when:
  - They are suspended
  - Set to run in the background
- Necessary for use with single sessions
- Can run multiple non-interactive commands
- Can be replaced by screen and others
Jobs-Related Commands/Operators
&       Suffix a command with & to start it in the background
Ctrl-z  Interrupts (pauses) a running foreground program
bg      Sends an interrupted program to run in the background
fg      Foregrounds the last active job, or a specific job queue ID
jobs    Displays the jobs queue
Notes about Jobs
- Can specify a job by queue number, i.e.: fg 1
- A + symbol indicates the default entry to act on
  - Example: fg acts on the + entry by default
Using screen to Manage Sessions
- screen sessions are jobs on rocket fuel
- Much more functional than nohup
- Can use for any program, local or remote
- Lets you leave programs running and log out
How screen Is Structured (diagram)
Example Usage Scenario
- You are remotely administering a system and a procedure requires more hours than one day, but security procedures require you to log out at the end of the day
- Connect via ssh, start a screen session, invoke the command, detach the session, sign out, and go home
- Reconnect via ssh the next day, reattach the session, and continue the procedure
Starting Simple with screen Sessions
- screen can start simple and go super complex
$ screen -d -m top
<Starts top in a new detached session, returns to the shell>
$ screen -list
There is a screen on:
        22323..myserver (Detached)
1 Socket in /run/uscreens/S-cloud_user.
<The leading numerals are the PID of the session>
$ screen -r PID
<Reattaches to the session; if there are multiples, use the PID>
Ctrl-a d
<While in a session, detaches the session and returns to the shell>
Working with screen Windows
- screen opens a session with one window by default
- Press Ctrl-a " to view all windows in a session
- Use the arrow keys to move, Enter to select a window
- Window numbers are persistent until closed
  - Ex: Close window 1 and only 0 and 2 remain
Switching Between Windows (in a Session)
Ctrl-a A  Prompts for a window title
Ctrl-a "  Shows a selectable window list
Ctrl-a '  Presents a prompt for a window #
Ctrl-a k  Kill (y/n) the current window and go to the previous one
Ctrl-a N  Display window # and name
- Each window can contain a command/program
- Windows are locked to a given session
- Invoking screen within a screen session window just adds another window
Understanding Process Scheduling
Scheduling Tasks Overview
- System administration can be tedious
- Forgetting things like backups can cause issues
- Figure a process out, then automate it
Task Scheduler Options
at    Schedule a command to run once in the future
cron  Schedule commands to run in patterns
Types of Tasks
- Once
- Now and then
- Every time
Scheduling Tasks with at
- Schedules tasks one time in the future
- Great for reminders or one-offs
- Anything more complex requires cron
- Installed by default, disabled by default
at Daemon and Commands
atd    systemd-managed service, use systemctl to enable it
at     Command to submit jobs to the daemon
atq    Query the daemon for the queue of tasks
atrm   Remove jobs from the task queue
batch  Submits jobs that run when the system load average permits
Scheduling Tasks with cron
- Schedules tasks at any frequency/interval
- Extremely granular control of schedule options
- Separate system and per-user crontabs
  - crontab = cron table, file to schedule tasks
cron Daemon and Commands
cron                 The cron daemon, systemd-managed service
crontab              Command to edit and submit task schedules
run-crons            Executes the cron jobs in the .hourly/.weekly, etc. directories
/etc/sysconfig/cron  Overall cron configuration file
/etc/crontab         System-specific crontab (root-editable)
/etc/cron.d          Directory for system-related crontab files
Understanding crontab Entries
- Understanding crontab entries is critical
- Misconfiguration can be problematic
  - Ex: Five-minute duration job set to run every minute
$ crontab -e
Example crontab Entry
0 12 * * * user /home/rossb/run.sh
0                   Minute of hour
12                  Hour of day
*                   Day of month
*                   Month of year
*                   Day of week
user                User to run as
/home/rossb/run.sh  Absolute path to script
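An added shell checker (not part of the course) for entries in the system crontab format shown above, including the every-minute misconfiguration the slide warns about; the field ranges are cron's, while the verdict strings and the sample table are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: a checker for lines in the
# /etc/crontab and /etc/cron.d format (five time fields, a user, then the
# command).  Per-user tables edited with "crontab -e" have no user field,
# so they would need the user check dropped.  Named months and days
# (jan, mon) are not handled.

# Is $1 an integer within the inclusive range $2..$3?
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Validate one time field against its legal range.  Accepts "*", "n", "a-b",
# any of those with a "/step" suffix, and comma-separated lists of them.
check_field() {
    [ -n "$1" ] || return 1
    lo=$2; hi=$3
    # Split on commas; -f keeps "*" from expanding to file names.
    set -f; oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs; set +f
    for item in "$@"; do
        step=''
        case "$item" in */*) step=${item#*/}; item=${item%%/*} ;; esac
        if [ -n "$step" ] && ! in_range "$step" 1 "$hi"; then return 1; fi
        case "$item" in
            '*') ;;
            *-*) a=${item%-*}; b=${item#*-}
                 in_range "$a" "$lo" "$hi" && in_range "$b" "$lo" "$hi" \
                     && [ "$a" -le "$b" ] || return 1 ;;
            *)   in_range "$item" "$lo" "$hi" || return 1 ;;
        esac
    done
    return 0
}

# Classify one line: "ok", "ok:every-minute" (a job that takes longer than a
# minute will overlap itself, the slides' misconfiguration example),
# "skip" for comments, blanks and VAR=value settings, or "bad:<field>".
validate_entry() {
    case "$1" in ''|'#'*|[A-Za-z_]*=*) echo skip; return 0 ;; esac
    set -f; set -- $1; set +f
    [ $# -ge 7 ] || { echo bad:field-count; return 0; }
    check_field "$1" 0 59 || { echo bad:minute; return 0; }
    check_field "$2" 0 23 || { echo bad:hour; return 0; }
    check_field "$3" 1 31 || { echo bad:day-of-month; return 0; }
    check_field "$4" 1 12 || { echo bad:month; return 0; }
    check_field "$5" 0 7  || { echo bad:day-of-week; return 0; }
    case "$6" in *[!A-Za-z0-9._-]*) echo bad:user; return 0 ;; esac
    case "$7" in /*) ;; *) echo bad:relative-command; return 0 ;; esac
    case "$1" in '*'|'*/1') echo ok:every-minute ;; *) echo ok ;; esac
}

# Read a table on stdin and print "<line number>: <verdict>" per line.
check_table() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        printf '%d: %s\n' "$n" "$(validate_entry "$l")"
    done
}

# Constructed sample table (not from a real system); the first job line is
# the slides' own example.
check_table <<'EOF'
SHELL=/bin/sh
0 12 * * * user /home/rossb/run.sh
*/5 9-17 * * 1-5 root /usr/local/bin/backup.sh
* * * * * root /usr/local/bin/five-minute-job.sh
60 12 * * * root /bin/true
0 12 * * * root backup.sh
EOF
```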
How cron Processes Tasks
(Diagram: the components below and how they relate)
- /usr/lib/systemd/system/cron.service controls /usr/bin/cron
- /usr/bin/crontab edits the per-user tables in /var/spool/cron/tabs
- /usr/bin/cron reads /etc/crontab, /etc/cron.d/* and /var/spool/cron/tabs, and execs the scheduled commands
- /usr/lib/cron/run-crons reads /etc/sysconfig/cron, consults /var/spool/cron/lastrun/cron.interval, and execs the scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
Identity and Security (Section 9)
Topics in this section include:
- Understanding User Management
- Understanding File System Permissions
- Understanding Privilege Delegation
Understanding User Management
User and Group Overview
- UIDs define users: a number paired with a name
- GIDs define groups: a number paired with a name
- All users must have a primary group
- Group membership helps manage access, etc.
UID      Description
0        Root user of the system
1-99     System accounts (for service ownership)
100-499  Depends on the distribution, similar to 1-99
>1000    Regular non-privileged accounts
GID      Description
0        Root group
1-99     System groups (members inherit access)
100-499  System groups (allocated as needed)
>1000    Standard groups
User and Group Data Files
File         Perm  Description
/etc/passwd  644   User account definition file
/etc/shadow  640   Password and account aging file
/etc/group   644   Group account definition file
passwd File Fields
ross:x:501:100:Ross B:/home/ross:/bin/bash
1. Username
2. Password
3. User ID (UID)
4. Primary Group ID
5. Comment/GECOS
6. Home Directory
7. Shell
shadow File Fields
ross:NcrYptedPw:60:30:120:14:365::
1. Login name
2. Encrypted password
3. Last passwd change
4. Minimum pw age
5. Maximum pw age
6. Password warning period
7. Password inactivity period
8. Account expiration date
group File Fields
users:x:100:username1,username2
1. Group name
2. Password
3. GID (Group ID)
4. Secondary group members
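To turn the field tables above into a check, here is an added shell audit (not from the course) that runs awk over constructed passwd and shadow files; the sample accounts, placeholder hashes and finding names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: audit passwd- and shadow-format
# files column by column, using the field meanings from the slides.  The
# sample data below is constructed; point the functions at /etc/passwd and
# /etc/shadow (mode 640, so that needs root) to audit a live system.

# Findings from a passwd-format file, one "<check> <account>" per line:
#   bad-field-count  not the seven colon-separated fields
#   uid0-alias       an account other than root with UID 0 (a second root)
#   duplicate-uid    a UID already used by an earlier entry
#   empty-password   field 2 empty: no password and no shadow lookup
audit_passwd() {
    awk -F: '
        NF != 7                  { print "bad-field-count " $1; next }
        $3 == 0 && $1 != "root"  { print "uid0-alias " $1 }
        seen[$3]++               { print "duplicate-uid " $1 }
        $2 == ""                 { print "empty-password " $1 }
    ' "$1"
}

# Findings from a shadow-format file:
#   passwordless   field 2 empty: login succeeds without any password
#   never-expires  usable password whose maximum age (field 5) is unset or 99999
#   expired        account expiration date (field 8, days since epoch) has passed
# Locked entries ("*" in field 2, or anything starting with "!") are skipped.
audit_shadow() {
    today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '
        NF != 9                  { print "bad-field-count " $1; next }
        $2 == ""                 { print "passwordless " $1; next }
        $2 == "*" || $2 ~ /^!/   { next }
        $5 == "" || $5 == 99999  { print "never-expires " $1 }
        $8 != "" && $8 < today   { print "expired " $1 }
    ' "$1"
}

# Write the constructed samples to a temporary directory and print its path.
# The $6$PLACEHOLDER strings stand in for real password hashes.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ross:x:501:100:Ross B:/home/ross:/bin/bash
backup:x:0:0:nightly backup:/var/backups:/bin/sh
svc:x:480:480:service account:/var/lib/svc:/sbin/nologin
legacy::1002:100:no shadow entry:/home/legacy:/bin/bash
EOF
    cat >"$dir/shadow" <<'EOF'
root:$6$PLACEHOLDER:19000:0:99999:7:::
ross:NcrYptedPw:60:30:120:14:365::
backup:$6$PLACEHOLDER:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
old:$6$PLACEHOLDER:18000:0:90:7::18500:
EOF
    echo "$dir"
}

samples=$(make_samples)
echo "passwd findings:"; audit_passwd "$samples/passwd"
echo "shadow findings:"; audit_shadow "$samples/shadow"
rm -rf "$samples"
```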
Managing Users and Groups via CLI
- Creating users and groups is a foundational skill
- Set the environment properly to make it easier
- Root, by default, is the only one that can add either
- Configure /etc/sudoers to delegate
Using /etc/skel Properly
- Adding a user copies /etc/skel to the home directory
- Include anything you want all new users to have
- Can use specialty skel directories by role
Commands for Managing Users
useradd  Adds new users, many options
usermod  Modifies existing user accounts, account lock, etc.
userdel  Deletes existing user accounts, home directory optional
passwd   Sets or changes user passwords
Managing Groups via CLI
- Groups are simpler by nature
- /etc/group defines secondary group membership
- Primary groups are set in /etc/passwd
- The primary group overrides any set in /etc/group
Commands for Managing Groups
groupadd  Adds new groups
groupmod  Modifies existing group accounts
groupdel  Deletes existing group accounts
gpasswd   Sets or changes group passwords
Managing Users and Groups via GUI
- YaST makes it easier and harder
- Useful if you want to delegate to an account manager
- Command line is much faster
- YaST ensures passwd file integrity
Understanding File System Permissions
Files and Directories
- Directories are special files that can contain:
  - All file types, regular and special
  - Other directory files (sub-directories)
- Remember filenames lead to inodes, then data
Decoding File Information
drwxr-xr-x 1 rossb users 168 Jul 1 21:12 ceasar
-rw-r--r-- 1 nerdo users 656 Mar 7 10:14 ides
Columns, left to right: type, user owner permissions, group owner permissions, other user permissions, link count, user owner, group owner, file size, last modified date, last modified time, object name
How Permissions are Read
- Permissions are read from left to right
- Checks if user owner, then member of group owner
- First match stops, and is the effective permissions
-rw-rw-r-- 1 nerdo users
 user owner: rw-   group owner: rw-   other: r--
What Permissions Mean for Access
File Permissions
r  File contents can be read (opened)
w  File contents can be changed
x  File can be executed (script or binary)
Directory Permissions
r  Directory contents can be viewed (ls)
w  Can create/delete entries, modify permissions, etc.
x  Directory can be traversed, entered into, moved through
Octal Permissions
$ chmod 4777 file1
Special bits   S G T        = 4 2 1        -> 4
Regular perms  rwx rwx rwx  = 421 421 421  -> 7 7 7
Permissions Can Be Set or Altered
- Setting permissions is a destructive act
  - Whatever they were, you overwrite them
- Altering permissions is a surgical procedure
  - You change only what you need to
The chmod command
chmod  Set or alter permissions (regular/special)
Setting Permission Example
$ chmod 777 file1
-rwxrwxrwx 1 cloud_user users 175 Dec 7 03:53 file1
<Setting forces overwriting of the existing permissions>
Altering Permission Examples
$ chmod u=rw,g-w file1
-rw-r--r-- 1 cloud_user users 175 Dec 7 03:53 file1
<Sets user to rw, removes w from group, other stays the same>
$ chmod u=rwx,g+x,o=r file1
-rwxr-xr-- 1 cloud_user users 175 Dec 7 03:54 file1
<Sets rwx for user, adds x to group and sets other to r only>
File and Directory Ownership
- All files and directories have both user and group owners
- The primary group sets the group owner by default
- Shared directories use SGID to force ownership
Changing Ownership
chown  Change owner or group or both (owner:group)
chgrp  Only changes group ownership
Examples of changes
$ chown root:users file1
-rw-rw-r-- 1 root users 175 Dec 7 03:53 file1
<change both with user:group, colon or dot OK>
$ chown rossb file1
-rw-rw-r-- 1 rossb users 175 Dec 7 03:54 file1
<changing the user owner, no separator necessary>
$ chown :wheel file1
-rw-rw-r-- 1 rossb wheel 175 Dec 7 03:55 file1
<changing the group only requires the separator>
$ chgrp users file1
-rw-rw-r-- 1 rossb users 175 Dec 7 03:56 file1
<chgrp changes the group only, no separator needed>
Special Bits Defined
- Gives an object special attributes
- Used to enhance regular permissions
- Most misunderstood type of permissions
SUID (4---)
It allows executing files with the permission of the user owner rather than the user who is executing the file. Can be misused, but is required for some utilities to work properly.
SGID (2---)
This allows executing files with the permission of the group owner. When set on a directory, it forces its group ownership onto all created objects, files and sub-directories both.
Sticky (1---)
For use with the SGID bit, it prevents users from deleting files if they are not the user owner of it, the root user, or the directory owner. This was historically used to keep programs in active RAM.
User Mask (umask)
- Subtracts from the default directory/file permissions
- Set in the shell environment or manually
- Requires knowing the default permission values
Default Permissions
777  Default Directory Permissions
666  Default File Permissions
Calculating umask
Default Directory  777
Umask value        022
----
Effective Perms    755
<All directories created are reduced to 755 permissions>
Default File       666
Umask value        022
----
Effective Perms    644
<All files created are reduced to 644 permissions>
Using Access Control Lists
- Traditional permissions can't do it all
- ACLs are in addition to regular permissions
- Allow individual/group access as non-owners
Types of ACLs
Minimal   Match only the traditional POSIX permissions
Extended  Preserves POSIX, adds extended access entries
Access    Defines the current access permissions
Default   Sets a directory's inheritance to child objects
Mask      Sets an upper limit on effective rights
- Problems can happen with multiple group ACLs
- A Mask is designed as a safety cap on access
- You can't get more access than the Mask values
Masking Permissions
- Masks are like a filter you pour permissions through
- They do not limit the user or group owner's permissions
- Limits the named user and named group
Decoding the Mask Entries
Entry type   Format         Permissions  Effective
named user   user:ross:rw-  rw-          r--
named group  group:acl:rw-  rw-          r--
mask         mask::r-x      r-x
Using Masks Appropriately
- A Minimal ACL (POSIX) does not have a mask
- An Extended ACL must have a mask
- When a Minimal ACL is added to, the group owner permissions become the Mask
- A mask is an upper limit of permissions
- Effective permissions are always the most restrictive
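The umask table and the ACL mask table above are both bitwise operations; the added shell example below (not from the course) computes them, converts between symbolic and octal forms, and verifies the umask result against files the kernel actually creates. It assumes a POSIX shell and an ls that prints the nine-character mode string.

```shell
#!/bin/sh
# Added example, not from the course slides: the arithmetic behind the umask
# table and the ACL mask table.  A umask is cleared from the default mode
# (default AND NOT umask), and an ACL entry is ANDed with the mask; column by
# column subtraction, as the slides present it, only matches when each umask
# digit is a subset of the default digit.

# Effective mode for a new object: default AND NOT umask, printed in octal.
# 666 with umask 027 gives 640 (subtraction would try 6-7 in the last column).
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Symbolic permission string ("rw-", or nine characters like "rw-r-----")
# to octal digits ("6", "640").  Lowercase s/t count as executable.
sym_to_octal() {
    s=$1; out=''
    while [ ${#s} -ge 3 ]; do
        t=${s%"${s#???}"}; s=${s#???}     # peel off three characters
        v=0
        case "$t" in r??) v=$((v + 4)) ;; esac
        case "$t" in ?w?) v=$((v + 2)) ;; esac
        case "$t" in ??[xst]) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    echo "$out"
}

# One octal digit back to a symbolic triplet.
octal_to_sym() {
    s=''
    if [ $(($1 & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    echo "$s"
}

# Effective rights of a named user/group ACL entry under a mask: entry AND
# mask.  The slide's user:ross:rw- under mask::r-x comes out as r--.
acl_effective() {
    octal_to_sym $(( $(sym_to_octal "$1") & $(sym_to_octal "$2") ))
}

# Create a file and a directory under the given umask and report the modes
# the kernel really assigned, as "<file> <dir>" in octal.
observe_umask() {
    dir=$(mktemp -d)
    ( umask "$1"; : > "$dir/f"; mkdir "$dir/d" )
    f=$(sym_to_octal "$(ls -ld "$dir/f" | cut -c2-10)")
    d=$(sym_to_octal "$(ls -ld "$dir/d" | cut -c2-10)")
    rm -rf "$dir"
    echo "$f $d"
}

for u in 022 027 077; do
    printf 'umask %s: computed %s/%s, observed %s\n' "$u" \
        "$(effective_mode 666 "$u")" "$(effective_mode 777 "$u")" "$(observe_umask "$u")"
done
printf 'user:ross:rw- under mask::r-x is effectively %s\n' "$(acl_effective rw- r-x)"
```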
Displaying ACLs
- Use the getfacl command to display ACLs:
  - If no Extended ACL, shows the Minimal ACL
  - If an Extended ACL, shows all ACL entries
getfacl Examples
Display a file's Minimal (POSIX) ACL:
$ getfacl file1
# file: file1
# owner: cloud_user
# group: users
user::rw-
group::r--
other::r--
Display a directory's Minimal (POSIX) ACL:
$ getfacl dir1
# file: dir1
# owner: cloud_user
# group: users
user::rwx
group::r-x
other::r-x
Setting Extended ACLs - Files
- Use the setfacl command to change ACLs
- Easiest modification is to add a user/group access
- Will show in ls -l with an added "+" sign
setfacl Example
Set a file to have a named user added to the ACL (the resulting ACL as shown by getfacl follows):
$ setfacl -m user:nerdo:rw file1
# file: file1
# owner: cloud_user
# group: users
user::rw-
user:nerdo:rw-   <- added
group::r--
mask::rw-        <- added
other::r--
Indication of an Extended ACL:
$ ls -l file1
-rw-rw-r--+ 1 cloud_user users 0 <..> file1
          ^ Extended ACL present
Setting Extended ACLs - Directories
Example
Set a directory to have a named group added to the ACL (the resulting ACL as shown by getfacl follows):
$ setfacl -m group:docker:rw dir1
# file: dir1
# owner: cloud_user
# group: users
user::rw-
group::r-x
group:docker:rw-   <- added
mask::rw-          <- added
other::r--
Setting a directory default ACL:
$ setfacl -dm u::rwx,g::rw,o::r dir1
# file: dir1
# owner: cloud_user
# group: users
user::rwx
group::r-x
other::r-x
default:user::rwx    <- added
default:group::rw-   <- added
default:other::r--   <- added
Clearing ACLs
ACL Removal Options
-x  Selectively delete named user/group entries
-b  Remove all Extended ACL entries (back to Minimal)
Example
Showing the target file's ACL:
$ getfacl file1
<...>
user:nerdo:rw-
<...>
Remove a named user from an ACL, or remove all extended entries:
$ setfacl -x u:nerdo file1
$ setfacl -b file1
# file: file1
# owner: cloud_user
# group: users
user::rw-
group::r--
other::r--
Understanding Privilege Delegation
Changing User and Group Identity
- User accounts are limited in abilities by default
- The root user decides who you can become and how
- Elevated privileges are temporary by default
Traditional Commands for Elevating Privileges
su      Use for a non-login shell, or su - for a login shell
sg      Allows a user to switch to another effective group
newgrp  Similar to the sg command
Advanced Privilege Elevation
sudo    Full privilege elevation suite, detailed abilities
Using the sudo Utility
- Requires root to set up access
- Logs usage for later inspection
- Prevents regular users from needing the root password
- Highly configurable, many options (oh so many)
Commands Related to sudo
sudo          The main command, used by anyone
/etc/sudoers  Configuration file for sudo
visudo        Used to configure /etc/sudoers safely
sudoedit      Same as sudo -e, limits editing rights, much safer than using sudo vim file
How Passwords are Handled
- By default, sudo asks for the root user password
- Can be configured to ask for the invoking user's password
- Best practice:
  - Require the invoking user's password for all sudo access
  - Grant access via aliases (easy to add/remove)
  - Log all sudo use and review the logs often
Default Entries in /etc/sudoers

- Systems ship with a default access entry: root ALL=(ALL:ALL) ALL
- Only root (or a user with the root password) can run all commands
- If a non-root user runs root commands, they are prompted for the root password

Decoding a sudo Access Entry

root ALL=(ALL:ALL) ALL

root        User running sudo
ALL         On what host(s)
(ALL        As what user (sudo -u)
:ALL)       As what group (sudo -g)
ALL         Commands they can run
Example

user(s) host(s) = user(s) command(s)

1. Open the /etc/sudoers file:
   $ sudo visudo
2. Find the "User privilege specification" section:
   ##root       ALL=(ALL) ALL
   cloud_user   ALL=(ALL) ALL
3. Add the following line and press Enter:
   rossb ALL=(ALL) /usr/sbin/useradd, /usr/sbin/usermod
4. Save and exit visudo
5. Test the functionality

Simple Additions to /etc/sudoers

- Remember to use visudo
- Be as simple as possible
- Who on what system can run what commands
Understanding sudo Aliases

- Four types of aliases exist.
- Think of them as access variables you can refer to.
- These can restrict all the way down to command options.
- It's possible to easily confuse yourself and others.

Host      Named set of hosts to allow users access on
Command   Named set of commands to grant access to
User      Named set of users you want to grant access to
Runas     List of users a command can be run as (non-root)

Using sudo Aliases

User_Alias PWMGRS = ross, ursulak
Cmnd_Alias PWTOOLS = /usr/bin/passwd, /usr/bin/chage
Host_Alias PWHOSTS = host1
PWMGRS PWHOSTS = (root) PWTOOLS

Explanation: The users (ross, ursulak) can use the commands (passwd, chage) as the user (root) only on the host (host1).
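The "Decoding a sudo Access Entry" slide, the rossb entry from the example and the alias example above all describe the same question: who, on which host, may run which command as which user. The following added example (my own code, not sudo's parser and not part of the course) makes that decoding mechanical: it parses the five fields of a user specification, expands User_Alias/Cmnd_Alias/Host_Alias/Runas_Alias definitions, and answers that question for a given user, host and command. The SAMPLE_SUDOERS text is constructed from the entries shown on these slides; Defaults lines, #include, wildcards, command arguments and "!" negation are deliberately not modeled, and "%group" entries are assumed to match members of that group as they do in sudoers(5).

```python
"""Decode /etc/sudoers user specifications and expand aliases (added example, not sudo's code)."""
import re
from dataclasses import dataclass, field

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# user(s)  host(s) = (runas_user(s):runas_group(s))  command(s)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


@dataclass
class Spec:
    users: list
    hosts: list
    runas_users: list
    runas_groups: list
    commands: list


@dataclass
class Sudoers:
    aliases: dict = field(default_factory=lambda: {k: {} for k in ALIAS_KINDS})
    specs: list = field(default_factory=list)


def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse(text):
    """Parse alias definitions and user specifications; '#' starts a comment.

    Not modeled: Defaults, #include, wildcards, command arguments, '!' negation.
    """
    cfg = Sudoers()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split(None, 1)[0]
        if head in ALIAS_KINDS:
            name, value = line[len(head):].split("=", 1)
            cfg.aliases[head][name.strip()] = _csv(value)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw}")
        users, hosts, runas, cmds = m.groups()
        # No "(...)" part means the command may only be run as root (sudo's runas_default).
        runas_users, runas_groups = ["root"], []
        if runas is not None:
            ru, _, rg = runas.partition(":")
            runas_users, runas_groups = _csv(ru), _csv(rg)
        cfg.specs.append(Spec(_csv(users), _csv(hosts), runas_users, runas_groups, _csv(cmds)))
    return cfg


def expand(cfg, kind, items):
    """Replace alias names with their members, recursively; 'ALL' passes through unchanged."""
    out = []
    for item in items:
        if item in cfg.aliases[kind]:
            out.extend(expand(cfg, kind, cfg.aliases[kind][item]))
        else:
            out.append(item)
    return out


def _matches(candidates, value, groups=()):
    # 'ALL' matches anything; '%name' matches a member of that group (assumed sudoers semantics).
    return any(c == "ALL" or c == value or (c.startswith("%") and c[1:] in groups)
               for c in candidates)


def allowed(cfg, user, host, command, runas="root", groups=()):
    """Would sudo let `user` on `host` run `command` as `runas`? Any fully matching spec grants it
    (sufficient here because '!' negation is not modeled)."""
    for spec in cfg.specs:
        if (_matches(expand(cfg, "User_Alias", spec.users), user, groups)
                and _matches(expand(cfg, "Host_Alias", spec.hosts), host)
                and _matches(expand(cfg, "Runas_Alias", spec.runas_users), runas)
                and _matches(expand(cfg, "Cmnd_Alias", spec.commands), command)):
            return True
    return False


# Constructed from the entries shown on the slides in this section.
SAMPLE_SUDOERS = """\
##root     ALL=(ALL) ALL
root       ALL=(ALL:ALL) ALL
cloud_user ALL=(ALL) ALL
rossb      ALL=(ALL) /usr/sbin/useradd, /usr/sbin/usermod
User_Alias PWMGRS = ross, ursulak
Cmnd_Alias PWTOOLS = /usr/bin/passwd, /usr/bin/chage
Host_Alias PWHOSTS = host1
PWMGRS PWHOSTS = (root) PWTOOLS
"""

CFG = parse(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for who, where, what in [("ross", "host1", "/usr/bin/passwd"),
                             ("ross", "host2", "/usr/bin/passwd"),
                             ("rossb", "host1", "/usr/bin/passwd")]:
        print(who, where, what, "->", "allowed" if allowed(CFG, who, where, what) else "denied")
```

Running it shows the slide's explanation holding for ross on host1 and failing on host2, and that rossb's entry grants useradd/usermod but nothing else. Questions the evaluator answers for a real file are the ones worth asking before each change made with visudo: which users end up with "ALL" commands, and whether an alias quietly widens an entry beyond the host or runas user you intended.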