Chapter 2. Diving Deeper into the Command Line Interface

For system administrators (sysadmins), the command line interface (CLI) is home. Typing at the keyboard is standard fare for sysadmins. You’ll need to become comfortable with the command line, its idiosyncrasies, and its shortcuts--yes, there are command line shortcuts. There’s a lot for you to learn about Linux at the command line. There are dozens of commands each with dozens of options. Sure, you’ll only use a handful of commands and a limited number of options for each command but you need to know how to find the options you need and how to use them when you need to.

The true power of the CLI is in its ease of use. The CLI was the first interface that users and programmers had with which to address their operating environments. The fact that the CLI is still in use some 50 years later is a testament to its power and its usefulness to the sysadmin and user alike. In this chapter, you learn to work at the command line as a regular user and as the root user. You also learn to set and modify file permissions, and the effects that those permissions have on files.

Working as a regular user

There are two user types on a Linux system: regular users and the root user. Regular users each receive their own home directory and a somewhat limited use of the system. Users have unlimited power in their own home directories to create, modify, remove, and manipulate files but have almost no power outside of that single location. Many system commands are available to regular users while other commands are restricted to those who either have been granted limited root user access through the sudo command or through direct access to the root user account.

The general, and most security conscious, rule is that you should always work as a regular user unless some task requires administrative (root user) access, which is covered in the next section.

Working as the root user

The administrator or root user is the all-powerful account on any Linux system. The root user can create, edit, move, or remove any file on the system. The root user can reboot, change runlevels, and shutdown the system. There are three methods of becoming the root user.

  • Login as the root user

  • Use the su (substitute user) command

  • Use the sudo command

Login as root

You can directly login as the root user on a system either via SSH across the network, or interactively at the console. It’s not recommended to SSH to a system and login as root. The primary reason is that if you allow across-the-network root access to a system, then it’s possible that malicious actors can attempt to brute force a root login. You don’t want this to happen. Later in the book, I’ll show you how to prevent SSH root logins. Some Linux distributions prevent SSH root logins by default, while others leave it up to the administrators to decide.

You shouldn’t directly login as root at the console either because doing so prevents system logging from recording who has logged in and become root. Recording who uses the root user account is important because when something goes wrong, you want to know which administrator performed the actions. This record-keeping’s purpose is not to lay blame but is necessary to meet some regulatory requirements and to correct actions of a system administrator who needs a teachable moment or some advanced training. The next two options we discuss are better, safer ways to become the root user.

su to root

One of the appropriate methods of becoming the root user is to use the su (substitute user) command. The caveat with using su is that the user must know the root user password. If administrative users know the root password, then it’s difficult to prevent those same administrators from directly logging in as root. Using the su command to become root is acceptable but only if the root password changes after each use. In larger enterprises, security groups maintain root passwords and system administrators are allowed to check out the root password on a temporary basis to perform maintenance.

The root user may su to any other user account on the system without knowing the user’s password. This power gives administrators the capability to login as any user for troubleshooting purposes because it’s often difficult for users to accurately describe problems they’re experiencing. It also prevents a user from having to reveal their password to an administrator, which should force the user to change their password.

To su to another account is a simple procedure. Issue the su command and the user account you wish to su to. For this example, I use the full prompt rather than just the $ to demonstrate the user change.

[bjones@server1] $ su root
Password:
#

The # prompt informs you that you are now logged in as the root user. The user prompt is $ and the root is # to distinguish a standard user’s prompt from the root user’s prompt. Any command you issue now is done so with root privilege, which means that you must be careful because there are no restrictions on the account.

The better method of using su is to do so using the su - command because the - means that you also want to take on the root user’s full environment rather than just the account privilege. The display is much too long to show here but if you issue the env command, you’ll see the original user’s environment variables rather than root’s.

# env

Use the exit command to return to the original user account.

# exit
[bjones@server1] $

And now issue the su command with the - option. You don’t have to specify root in this command because the default is root.

[bjones@server1] $ su -
Password:
# env

The root user’s environment variables are now displayed. Using the su - command is the equivalent of logging into the console as the root user.

Actually, any user may su to any other user account but to do so requires one to know a user’s password.

[bjones@server1] $ su cdavis
Password:
[cdavis@server1] $

Use the sudo command

The best method to obtain root access is to use the “substitute user do” or “execute a command as another user” (sudo) command. The sudo command allows an appropriately configured user account to issue individual commands as the root user. The sudo command must precede each command issued. On first use, the sudo command requires that the sudoer (A user account configured for sudo use) supply their own password. Knowledge of the root password isn’t required.

$ sudo env
[sudo] password for bjones: 
bjones is not in the sudoers file.  This incident will be reported.
[bjones@server1 ~]$ 

The warning that the user is not in the sudoers file means that the user account, bjones, is not configured in the /etc/sudoers file. In the next section, I demonstrate how to setup a user to be a sudoer.

Note

The sudo command, the /etc/sudoers file, and the sudoer user label are interesting because they have their own unique pronunciations. The accepted pronunciation for sudo is ‘soodoo’ and sudoer is ‘soodooer.’ Some sysadmins pronounce them as ‘soodoe’ and ‘soodoe-ers’ and no one takes issue with either pronunciation.

Creating a sudoer

You must have root user access to edit the /etc/sudoers file and you must use the visudo utility, whose only purpose is to edit the /etc/sudoers file. You can’t successfully edit it directly with vi, emacs, or any other text editor. To edit the /etc/sudoers file, issue the visudo command as root with no options.

# visudo

The /etc/sudoers file is a simple text file that describes users, groups, and commands allowed to work with root privileges. You can create a sudoer with very restrictive permissions (i.e., to run a single command as root) or permissive: Run any command as root without entering a password to do so. I prefer to configure a mixture of the two by creating sudoers who can run any command as root but must supply their password to do so.

There are hundreds of possible configuration scenarios for the /etc/sudoers file and for sudoers. It’s out of the scope of this book to explore more than what’s given here as examples. In this first example, I demonstrate how I set up my own user account to use sudo.

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
khess   ALL=(ALL)       ALL

I copy the root user’s setting and insert my user account in its place. The setting takes effect immediately. It’s not recommended to set up a user account to use sudo without issuing a password. Using a password when issuing a command is an attempt to make it more difficult to make mistakes while wielding root privilege. The same can be said of the sudo command itself. The theory is that if an administrator has to issue the sudo command that they will make fewer mistakes as root because it requires the user to think specifically about their command action and its results.

Setting and modifying permissions

In this section you learn how to read, set, and modify file permissions. You must learn file permissions so that you can appropriately set and modify access to files and directories. Knowing file permissions also helps with troubleshooting when users can’t access a file or directory.

File permissions are simple but central to Linux security. Their simplicity can make them susceptible to neglect and misconfiguration. Frustrated sysadmins sometimes open permissions up to solve a problem but never return to the issue or reset the permissions to their proper settings.

Read, write, and execute

The three Linux file permissions or modes are read (r), write (w), and execute (x).

Read

View a file or list directory contents.

Write

Create and modify a file or copy, move, and create files in a directory.

Execute

Execute/run a file or cd into a directory.

As mentioned in Chapter 1, filenames have nothing to do with file actions. File actions and capabilities are all permission-based.

Using the rwx designations in permissions is known as symbolic mode. The symbolic mode is one of two methods of identifying permissions. The other is the numeric mode which assigns values to each of the rwx permission modes.

Numerical permission values

Each of the permission modes has its own assigned numerical value. This shortcut method makes setting permissions easier for sysadmins.

The read permission has a value of 4, write has a value of two, and execute has a value of 1. Permission values can range from 0 to 7. A zero permission value means no permission.

  • Read - 4

  • Write - 2

  • Execute -1

  • None - 0

In the next section, you find out how these permissions work together with group permissions to create a simple, but complete file security system.

Group permissions

There are four file group permissions: user, group, others, and all. The all group includes user, group, and others. It is a shorthand method of globally assigning permissions to a file or directory. Each group has a shorthand designation as well.

  • User - u

  • Group - g

  • Other - o

  • All - a

Users and sysadmins may set permissions on files for each group individually or for all groups at once. Each Linux file and directory is assigned read, write, and execute permissions for each group. The next section brings all of the permissions settings together .

Bringing permissions settings all together

The examples in this section will use the file, file.txt. If you want to follow along with the example, issue the following command to set up your file:

$ touch file.txt

This command creates an empty file named file.txt for you. Next, issue the ls command with the -l (long) option to see file permissions.

$ ls -l
-rw-rw-r--. 1 khess khess 0 Jun 19 17:35 file.txt

Figure 2-1 illustrates the positions and their designations (in red). The first position is for special file types such as directories that will have a d in that position. Regular files have a - to show that they’re not directories or other special files. The next nine positions are user, group, and other permissions locations. The first “triad” or three positions are for the user, the second for group, and the final three are for other users.

Figure 2-1. Special character position and user, group, and other permission locations

Figure 2-2 shows you the numerical permissions for each listing and then an explicit label for the user (u), group (g), and other (o) triads.

Figure 2-2. Numerical permission values and user, group, and other (ugo) designations.

As you can see from Figure 2-2 above, numerical permissions are additive for each triad to create a permission profile for a file. For example, a file with -rw-rw-r-- permissions has a numeric permission value of 664. The read permission has a value of 4 added to the value of the write permission, which is 2, equals six. All three possible permissions, rwx, yield a value of seven.

If a file has a permission equal to 750, the rwx representation is -rwxr-x---. This means that others outside of the designated user and group have no permissions for the file.

Note

The other group is often referred to as world. For example, if permissions for a file are -rw-rw-r--, this file is referred to as world readable rather than as other readable. Permissions for the other group are especially sensitive because allowing write or execute permissions to files and directories to others can be a security risk.

In the next section, you learn how to set and change file permissions using multiple methods.

Changing file permissions

Setting and changing file permissions or modes is a common system administrator task. Each file on the filesystem has its own individual permissions that either allows or denies access to users, groups, and others. To change file permissions, you use the chmod (Change mode) command. You can set or modify permissions with the chmod command in multiple ways. You don’t have to be consistent. You can use chmod with numeric, rwx, or ugo designations, but not both together in the same command. I demonstrate several possibilities and practical examples in the following sections.

Note

Some sysadmins find the symbolic (rwx and ugo) method easier to grasp than the numeric (0, 1, 2, 4) method. You can use either or both methods because they are equivalent to one another.

Symbolic mode

Changing permissions using the symbolic mode method is quite simple. Referring back to the original file.txt file that you created in a previous example, view the original permissions with the ls -l command.

$ ls -l
-rw-rw-r--. 1 khess khess 0 Jun 19 17:35 file.txt

The current file permissions aren’t adequate. You need to restrict anyone else but yourself from even reading this file. How do you do it? You remove the read permission from others. Removing is equivalent to subtraction because you are subtracting a permission from the current ones given to the file. So, to remove read permission from the file, you subtract read from others using the chmod command.

$ chmod o-r file.txt
$ ls -l
-rw-rw----. 1 khess khess 0 Jun 19 17:35 file.txt

You have removed read permission from the file for others. Now, no one but you can read (or write to) this file. When you create a shell script and attempt to execute it with ./file.sh and nothing happens, you should check the file’s permissions to see if you’ve added the execute permission to it.

Note

To execute an executable file or script that is not in your path, you must provide the absolute path to the file. If the file is in your current directory, you must tell the shell that it is in your current directory and that you’d like to execute it. Use ./script_name.sh to inform the shell that the file is executable and in your current directory. Here, script_name.sh is the name of the file you wish to execute.

$ touch file.sh
$ echo “echo Hello” > file.sh
$ ./file.sh
-bash: ./file.sh: Permission denied

Permission denied? But, I just created the file in my home directory. Checking permissions reveals the problem.

$ ls -l
-rw-rw-r--. 1 khess khess  11 Jun 29 19:58 file.sh

The file, file.sh, although named with a .sh extension, you recall that extensions have no effect in Linux and realize that file.sh isn’t executable because it doesn’t have the execute permission and therefore you receive the “Permission denied” message. To fix the problem, add the execute permission for yourself.

$ chmod u+x file.sh
$ ls -l
-rwxrw-r--. 1 khess khess 11 Jun 29 19:58 file.sh

Now, file.sh is executable.

$ ./file.sh
Hello

You can add or subtract multiple permissions from a file and even add and subtract permissions within the same command. Here are some examples of each action. The first command removes (deletes) (rm file.txt) the file from any previous example.

To add multiple permissions to a file:

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 20:13 file.txt
$ chmod ug+x,o+w file.txt
-rwxrwxrw-. 1 khess khess 0 Jun 29 20:13 file.txt

To subtract multiple permissions from a file:

$ ls -l
-rwxrwxrw-. 1 khess khess 0 Jun 29 20:13 file.txt
$ chmod a-x,o-rw file.txt
$ ls -l
-rw-rw----. 1 khess khess 0 Jun 29 20:13 file.txt

Now add execute permission for all groups and remove read permission for others:

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 20:13 file.txt
$ chmod a+x,o-r file.txt
$ ls -l
-rwxrwx--x. 1 khess khess 0 Jun 29 20:23 file.txt
Warning

Be careful that you explicitly define which group you want to add or subtract permissions. The reason is that simply supplying a +x or -r defaults to all.

If you don’t specify to which groups you wish to add permissions or subtract permissions from, the default behavior is for the system to assume the intended group is all. This can be dangerous from a security perspective. Never grant a particular permission to all groups unless that is what you intended to do. The execute permission is granted to all groups because you didn’t explicitly define which group should receive it.

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 20:34 file.txt
$ chmod +x file.txt
$ ls -l
-rwxrwxr-x. 1 khess khess 0 Jun 29 20:35 file.txt

The execute permission was granted to all groups because you didn’t explicitly define which group should receive it.

Numeric mode

For the purposes of clarity and comparison, the examples in this section are duplicates of the examples in the previous section. But here, we use the numeric mode (rather than the symbolic mode) of changing permissions. Create a new file and check its permissions.

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 21:12 file.txt

Remove the read permission from the other group using the numeric method. First, calculate the current permission value of the file and then what you want the new value to be. Currently, the file’s permission value is 664. The desired value is 660.

$ chmod 660 file.txt
$ ls -l
-rw-rw----. 1 khess khess 0 Jun 29 20:12 file.txt

Using the numeric method, there’s no adding or subtracting of permissions. You simply reassign a value to the file. In a previous example, you added the execute permission to all and subtracted the read permission from others.

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 20:13 file.txt
$ chmod a+x,o-r file.txt
$ ls -l
-rwxrwx--x. 1 khess khess 0 Jun 29 20:23 file.txt

The numeric equivalent is to reassign the value of the original file (664) to the new one (771).

$ rm file.txt
$ touch file.txt
$ ls -l
-rw-rw-r--. 1 khess khess   0 Jun 29 20:13 file.txt
$ chmod 771 file.txt
$ ls -l
-rwxrwx--x. 1 khess khess 0 Jun 29 20:23 file.txt

Either method of changing permissions is perfectly acceptable. There’s no stigma with using one over the other. Like most sysadmins, I use both methods interchangeably. It depends more on context and how quickly I want to do something. The process of changing permissions will become automatic to you with some practice and a few mistakes along the way.

Default permissions explained: umask

You might have noticed that when you create a new file, it’s created with specific permissions: 664 or -rw-rw-r--. For the root user the default permissions for a new file are 644 or -rw-r--r--. You might now wonder how this happens. There is a global setting called a umask or user file-creation mask that masks or filters certain permissions from being given to files by default. The execute permission is never given by default so it’s not explicitly masked by the umask setting. To find out what your system umask is, use the umask command.

$ umask
0002

You might now wonder why the umask reports four digits and we’ve only worked with three so far. The first (leftmost) digit is for special permissions such as setuid, setgid, and sticky, which I’ll cover in a later chapter. For now, focus on the other three digits: 002. These three digits correspond to rwx. When you create a new file, certain permissions are filtered out. In the case of the 002 umask, the write (w) permission is filtered out, so that new files are created as -rw-rw-r--. The 2 is for write. When a new file is created, the write permission is masked from the other group and therefore isn’t given to the new file.

For the root user, the umask is 0022. The write (w) permission is masked from both group and other. The reason for a umask is security. When a regular user creates a file, you don’t want everyone else to be able to write to it. You must explicitly grant this permission. For the root user, the umask prevents the root group and others from writing to files by default. This security feature prevents daemons or programs that might run as root from writing to certain sensitive files such as the /etc/passwd file. Everyone may read the file but only the root user may write to it.

You can change your own umask value by issuing the umask command and a new value. This temporarily changes the umask during your current login session.

$ umask 006
$ touch test.txt
$ ls -l test.txt
-rw-rw----. 1 khess khess 0 Jun 29 22:16 test.txt

To make this change permanent, do the following to append the new umask to the end of the .bashrc file:

$ echo umask 006 >> .bashrc
$ source .bashrc
$ umask
0006

Now, every time you login your umask will be set to 006 or 0006, which yields a more secure -rw-rw---- new default file permission.

Summary

In this chapter, you gained more experience working at the command line, you learned some new commands, and perhaps more importantly, you learned to read, set, and change file permissions. In Chapter 3, you learn some file editing basics and how to modify the user’s default environment.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset