Linux Study Notes
→ 日本語版を読むOverview
Since I'm working with Linux, I'm jotting down notes from re-studying it after a long break.
- Overview
- ssh
- Virtual Machines
- Containers
- Boot Process
- systemd
- Targets
- Main Targets
- Where Targets Live
- Managing Targets
- systemctl
- Targets
- Processes
- Process-related Commands
- Jobs
- GUI Environment
- X Window System
- Representative Window Managers
- Integrated Desktop Environments
- Representative Integrated Desktop Environments
- Display Manager
- Starting X Window System
- X Server and X Client
- File Owner and Owning Group
- Access Permissions
- chmod
- umask
- SUID
- SGID
- Sticky Bit
- SUID/SGID/Sticky Bit
- File Management
- Archives
- Hard Links and Symbolic Links
- inode (index node)
- Hard Links
- Symbolic Links
- Copying Symbolic Links
- Behavior When the Symbolic Link Source File Is Deleted
- Regular Expressions
- File Search
- Directory Structure
- Basic Directories
- How to Use
/bin,/usr/bin, and/usr/local/binDirectories
- How to Use
- Basic Directories
- Shell Types
- Basic Shell Operations
- Packages
- Package Problems
- Package Management Systems
- apt
- apt-get command
- apt-get Repositories
- apt-cache command
- apt-file command
- apt-get command
- dpkg
- yum
- rpm
- Device Management
- udev
- Hard Disk Partitions
- Partition Types
- LVM
- Device Files
- Partition Operations
- Partition Table
- File Systems
- Btrfs
- Mounting File Systems
- Network Configuration
- Configuration Files
- nmcli command
- ip command
- ifconfig command
- ifup/ifdown commands
- Security
- Removing Unnecessary SUID/SGID
- Closing Unnecessary Ports
- Stopping Unnecessary Services
- Access Control with TCP Wrappers
- firewalld Service
- Checking Login History
ssh
https://www.codelab.jp/blog/?p=3569
sudo apt install openssh-server
$ systemctl status ssh
Unit ssh.service could not be found.
$ sudo apt install openssh-server
$ sudo systemctl enable ssh
$ sudo ssh-keygen
$ ssh-copy-id bluen@localhost
$ ls .ssh/authorized_keys
$ sudo systemctl start ssh
Virtual Machines
https://note.com/vgnsz90ps/n/na8964293bf75
$ sudo apt install libvirt-clients
sudo apt install libvirt-clients qemu-utils qemu-kvm
sudo apt install libvirt-daemon
sudo apt install libvirt-daemon-system
Containers
- cgroups: manages hardware resources used by containers
- namespace
- docker
Boot Process
The boot process = the sequence of steps until Linux starts up
- BIOS (UEFI) starts
- Checks and initializes hardware
- Executes the bootloader written to the boot device, which loads the kernel into memory
- Linux starts
- The kernel starts, initializes memory, sets the system clock
- Mounts a temporary root file system
- Executes the systemd process
- systemd (init) sequentially starts what is needed for boot
- Displays the login prompt
systemd
- Manages processing in units called units (configuration files)
- Units have different types
- ~.target
- ~.service
- ~.mount
- ~.device
- ~.swap
- Units have different types
- init is old, systemd is new
- init used SysVinit to handle boot processing. SysVinit had boot processing written in shell scripts, making changes difficult
Targets
A collection of multiple units
Main Targets
- runlevel3.target
- Mode where most processes run (specified when operating a web server)
- multi-user.target
- Performs CUI login
- graphical.target
- Performs graphical login
- poweroff.target
- Shuts down the system
- reboot.target
- Reboots the system
Where Targets Live
/etc/systemd/system/
or
/lib/systemd/system/
Managing Targets
systemctl get-default
systemctl set-default <target name>
systemctl isolate <target name>
systemctl isolate poweroff.target
systemctl
systemctl
- isolate
- status
- is-active
- disable
- enable
- start
- restart
- reload
- stop
- set-default
- get-default
- reboot
- list-unit-files
Processes
- Programs currently running on Linux
- Multitasking
- Running multiple processes simultaneously
- Daemon
- A resident process that runs in the background according to certain conditions
Process-related Commands
- ps
- Display a list of processes
- top
- Display processes sorted by CPU or memory usage
- pstree
- Display the parent-child relationships of processes
- kill
- Terminate a process
- killall
- pkill
- pgrep
- Returns the PID for the process name specified as an argument
$ sleep 60 &
[1] 692
$ pgrep sleep
692
$ ps a
PID TTY STAT TIME COMMAND
243 hvc0 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 vt220
248 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
611 pts/0 Ss 0:00 -bash
612 pts/1 Ss 0:00 /bin/login -f
657 pts/1 S+ 0:00 -bash
692 pts/0 S 0:00 sleep 60
709 pts/0 R+ 0:00 ps a
$ sleep 60 &
[1] 798
$ kill -STOP 798
$ pgrep -l sleep
798 sleep
[1]+ Stopped sleep 60
$ sleep 60 &
[1] 804
$ kill -TERM 804
$ pgrep sleep
[1]+ Terminated sleep 60
$ ps a
PID TTY STAT TIME COMMAND
263 hvc0 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 vt220
270 tty1 Ss+ 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
653 pts/0 Ss 0:00 -bash
654 pts/1 Ss 0:00 /bin/login -f
696 pts/1 S+ 0:00 -bash
725 pts/0 S 0:00 sleep 1000
726 pts/0 S 0:00 sleep 10004
727 pts/0 S 0:00 sleep 10003
730 pts/0 R+ 0:00 ps a
$ killall sleep
[2]- Terminated sleep 10004
[1]- Terminated sleep 1000
[3]+ Terminated sleep 10003
Jobs
- Foreground jobs
- Background jobs
You can run a command as a background job by appending &.
$ sleep 120 &
[2] 1483
$ ps
PID TTY TIME CMD
653 pts/0 00:00:00 bash
1482 pts/0 00:00:00 sleep
1483 pts/0 00:00:00 sleep
1484 pts/0 00:00:00 ps
You can use the jobs command to display jobs, and the bg command to move a foreground job to the background.
$ jobs
[1]- Done sleep 12
[2]+ Running sleep 120 &
$ bg %2
-bash: bg: job 2 already in background
GUI Environment
To use a GUI environment, a mechanism called X Window System is used.
X Window System
- I/O devices are managed by the X server
- The X client requests the X server to display on screen
- The X client's window manager controls the appearance of the X Windows System
Representative Window Managers
Integrated Desktop Environments
Software that bundles various applications such as:
- Text editor
- Terminal
- File manager
- Window manager
- Display manager
Representative Integrated Desktop Environments
Display Manager
Software that performs user authentication in a GUI environment
Starting X Window System
$ startx
# systemctl isolate graphical.target
X Server and X Client
The server side is the X client, and the user side is the X server
File Owner and Owning Group
When a file is created, the user becomes the owner and the group the user belongs to becomes the owning group.
# ls -l
total 4
drwx------ 4 root root 4096 May 20 14:10 snap
-rw-r--r-- 1 root root 0 Jun 22 23:17 test.txt
# chown bluen test.txt
# ls -l
total 4
drwx------ 4 root root 4096 May 20 14:10 snap
-rw-r--r-- 1 bluen root 0 Jun 22 23:17 test.txt
# chgrp bluen test.txt
# ls -l
total 4
drwx------ 4 root root 4096 May 20 14:10 snap
-rw-r--r-- 1 bluen bluen 0 Jun 22 23:17 test.txt
Access Permissions
- Readable
- Read a file
- Read a directory (files, subdirectories)
- Writable
- Write to a file (change file contents)
- Write to a directory (create, delete files)
- Executable
- Execute a file
- Execute a directory (execute files inside the directory)
# ls -l
total 4
drwx------ 4 root root 4096 May 20 14:10 snap
-rw-r--r-- 1 bluen bluen 0 Jun 22 23:17 test.txt
# chmod o+x test.txt
# ls -l
total 4
drwx------ 4 root root 4096 May 20 14:10 snap
-rw-r--r-x 1 bluen bluen 0 Jun 22 23:17 test.txt
chmod
Target
- u: owner
- g: group
- o: other users
- a: all users
Operation
- +: add permission
- -: remove permission
- =: set permission
Permission type
- r
- w
- x
- s
- t
umask
Default access permissions
- File: 666
- Directory: 777
Use the umask command to change the default access permissions
# umask
0022
# touch test2.txt
# ls -l
-rw-r--r-- 1 root root 0 Jun 22 23:32 test2.txt
Since the umask value is 0022, you can see that 666 - 022 = 644.
In other words, it becomes -rw-r--r--.
# umask 0026
# umask
0026
# touch test3.txt
# ls -l
-rw-r--r-- 1 root root 0 Jun 22 23:32 test2.txt
-rw-r----- 1 root root 0 Jun 22 23:36 test3.txt
After changing the umask value to 0026 and creating a file, 666 - 026 = 640, i.e., -rw-r-----.
SUID
When executed by a user with execute permission, the file runs with the permissions of the file's owner.
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Nov 24 2022 /usr/bin/passwd
- The execute permission position shows
s. - In the case of the passwd command, root is the owner, so it runs with root privileges.
SGID
- When executed by a user with execute permission, it runs with the permissions of the group that owns the file.
- Can also be set on a directory
$ chmod g+s test.txt
$ ls -l
-rw-r-Sr-- 1 bluen bluen 0 Jun 22 23:13 test.txt
Sticky Bit
Prevents files from being deleted even when write permission exists.
$ ls -ld /tmp
drwxrwxrwt 7 root root 4096 Jun 23 06:55 /tmp
$ ls -l
drwxr-xr-x 2 bluen bluen 4096 Jun 23 06:58 sampledir
$ chmod o+t sampledir
$ ls -l
drwxr-xr-t 2 bluen bluen 4096 Jun 23 06:58 sampledir
SUID/SGID/Sticky Bit
- SUID: 4000
- SGID: 2000
- Sticky Bit: 1000
File Management
- ls
- file
$ cat test.txt
ttthhh
$ file test.txt
test.txt: ASCII text
- copy source destination
- Use
-Rto copy an entire directory
- Use
- mv
- mkdir
- Use
-pto create directories at different levels all at once
- Use
$ ls -lR
.:
total 16
drwxr-xr-x 3 bluen bluen 4096 Jun 23 07:15 dir1
drwxr-xr-t 2 bluen bluen 4096 Jun 23 06:58 sampledir
drwx------ 3 bluen bluen 4096 May 14 20:05 snap
-rw-r--r-- 1 bluen bluen 7 Jun 23 07:05 test.txt
./dir1:
total 4
drwxr-xr-x 3 bluen bluen 4096 Jun 23 07:15 dir2
./dir1/dir2:
total 4
drwxr-xr-x 2 bluen bluen 4096 Jun 23 07:15 dir3
./dir1/dir2/dir3:
total 0
- rm
- Use
-rto delete everything inside a directory as well
- Use
- touch
- Change the timestamp of a file
$ touch -t 202201010000 test.txt
$ ls -l
-rw-r--r-- 1 bluen bluen 7 Jan 1 2022 test.txt
Archive
Combine multiple files into one archive file
$ tar -cf tests.tar test.txt test2.txt
$ ls -l
-rw-r--r-- 1 bluen bluen 7 Jan 1 2022 test.txt
-rw-r--r-- 1 bluen bluen 0 Jun 23 08:30 test2.txt
-rw-r--r-- 1 bluen bluen 10240 Jun 23 08:31 tests.tar
Hard Links and Symbolic Links
inode (index node)
- Data that consolidates attribute information about a file
- Records where the file is written on disk
$ ls -li
total 28
5260 drwxr-xr-x 3 bluen bluen 4096 Jun 23 07:15 dir1
5252 drwxr-xr-t 2 bluen bluen 4096 Jun 23 06:58 sampledir
24896 drwx------ 3 bluen bluen 4096 May 14 20:05 snap
5489 -rw-r--r-- 1 bluen bluen 7 Jan 1 2022 test.txt
5245 -rw-r--r-- 1 bluen bluen 0 Jun 23 08:30 test2.txt
5501 -rw-r--r-- 1 bluen bluen 10240 Jun 23 08:31 tests.tar
- The leading number is the inode number
Hard Links
- The files look different, but they share an inode and are connected to the same file entity
- Think of it as one room (file entity) with multiple doors (hard links)
- Hard links have a connection to the file entity
$ touch linksource.txt
$ ls
linksource.txt
$ ln linksource.txt hardlink1.txt
$ ls
hardlink1.txt linksource.txt
$ cat hardlink1.txt
$ vi hardlink1.txt
$ cat hardlink1.txt
tekesaku
$ cat linksource.txt
tekesaku
$ ls -li
5496 -rw-r--r-- 2 bluen bluen 9 Jun 23 18:18 hardlink1.txt
5496 -rw-r--r-- 2 bluen bluen 9 Jun 23 18:18 linksource.txt
851 lrwxrwxrwx 1 bluen bluen 14 Jun 23 18:21 symboliclink1.txt -> linksource.txt
- You can see that the content written in the hard link file is also changed in the source file
Symbolic Links
- Think of it as one room (file entity), one door (source file), with multiple hallways (symbolic links) connecting to the door
- Symbolic links have no direct connection to the file entity, but are connected through the source file
$ ln -s linksource.txt symboliclink1.txt
$ cat symboliclink1.txt
tekesaku
$ ls
hardlink1.txt linksource.txt symboliclink1.txt
$ ls -li
5496 -rw-r--r-- 2 bluen bluen 9 Jun 23 18:18 hardlink1.txt
5496 -rw-r--r-- 2 bluen bluen 9 Jun 23 18:18 linksource.txt
851 lrwxrwxrwx 1 bluen bluen 14 Jun 23 18:21 symboliclink1.txt -> linksource.txt
Copying Symbolic Links
- Note that when copying a symbolic link, the
-doption is required - Without
-d, the source file is copied instead
$ cp -d symboliclink1.txt symboliclink2.txt
$ cat symboliclink2.txt
tekesaku
Behavior When the Symbolic Link Source File Is Deleted
$ rm linksource.txt
$ ls
hardlink1.txt symboliclink1.txt symboliclink2.txt
$ cat symboliclink1.txt
cat: symboliclink1.txt: No such file or directory
$ cat hardlink1.txt
tekesaku
-
When the source file of a symbolic link is deleted, the symbolic link file itself remains but the referenced file is gone, resulting in the error
cat: symboliclink1.txt: No such file or directory. -
On the other hand, a hard link file can still access the file entity.
-
You can distinguish a symbolic link file using the first character of the permission in
ls -l, or withls -F. -
If the inode numbers shown by
ls -imatch, it is a hard link.
$ ls -i
851 hardlink.txt 851 source.txt
Regular Expressions
*: matches zero or more characters?: matches any single character[]: matches any one of the characters inside[]{,}: matches any of the strings separated by,
File Search
- find
$ find /home -name "*".txt
/home/hoge/hardlink.txt
/home/hoge/source.txt
-
locate
- Searches for files based on a filename database (list)
- Use the updatedb command in advance to create the database
- Creating the database takes time
-
which
- Searches for a command file and displays its absolute path
$ which find
/usr/bin/find
- whereis
- Searches for a command file and displays its path
$ whereis find
find: /usr/bin/find /usr/share/man/man1/find.1.gz /usr/share/info/find.info-1.gz /usr/share/info/find.info-2.gz /usr/share/info/find.info.gz
- type
$ type find
find is hashed (/usr/bin/find)
$ type cd
cd is a shell builtin
$ type whereis
whereis is hashed (/usr/bin/whereis)
$ type locate
locate is /usr/bin/locate
$ type ls
ls is aliased to `ls --color=auto'
Directory Structure
- In Linux distributions, the directory structure is standardized as the File System Hierarchy Standard (FHS)
- Directories hang beneath the root directory
Basic Directories
- /bin
- Contains commands executable by general users
- /sbin
- Contains commands executable only by root users
- /etc
- Contains configuration files and script files
- /dev
- Contains device files
- In Linux, various devices are operated through device files using a mechanism called udev
- /lib
- Library files
- /media
- External HDD, USB
- /proc
- System state is stored in file form
- /home
- Home directory for each user
- /root
- Directory for the root user
- /boot
- Contains files needed for boot, such as the kernel
- /tmp
- Temporary storage for files
- /var
- Contains frequently updated files such as log files
- /usr Contains commands and libraries
- /usr/bin
- Commands commonly used by users
- /usr/sbin
- Commands for system administration
- /usr/lib
- /usr/local
- /usr/share/man
- /usr/bin
How to Use /bin, /usr/bin, and /usr/local/bin Directories
Reference: https://linuc.org/study/knowledge/544/
-
/bin
- Place commands that can be used even in single-user mode
- Single-user mode is basically used in emergencies such as when the OS is broken and cannot start normally
- /bin contains very basic commands and those used in emergencies
-
/usr/bin
-
/usr/local/bin
- Contains commands and programs that are "not used in single-user mode" and "not managed on the system by a package management system such as RPM or deb"
- It is common practice to place custom scripts and the like in this directory
- This directory is often empty right after installing a Linux distribution
Shell Types
Basic Shell Operations
- Ctrl + A
- Ctrl + E
- Ctrl + D
- Ctrl + H
- Ctrl + L
- Ctrl + C
- Ctrl + S
- Ctrl + Q
- Ctrl + Z
Packages
Package Problems
- Dependency: package B uses files from package A
- Conflict: files from package A and package B cannot coexist (e.g., different versions)
=> Package management systems
Package Management Systems
apt
- Advanced Packaging Tool
- A package management system with improved usability compared to the complex dpkg
apt-get command
- Root privileges are required to install or remove packages
Subcommands
- autoclean
- Delete downloaded package source files (archives)
- autoremove
- Remove unused packages
- download
- Download only without installing
- install
- Install or upgrade
- remove
- Uninstall a package
- update
- Fetch the latest information from the repository
- dist-upgrade
- Upgrade packages to the latest version
- upgrade
- Upgrade packages that do not require adding or removing other packages
apt-get Repositories
- Repository locations are in files under the
/etc/apt/sources.list.ddirectory - Or listed in the
/etc/apt/sources.listfile
$ cat /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list
deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main
# deb-src https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main
debmeans fetch the package file;deb-srcmeans fetch the source filehttp...is the repository URI- The
jammypart is the version name mainmeans officially supported;universemeans community-maintained;multiversemeans restricted, etc.
$ cat /etc/apt/sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://archive.ubuntu.com/ubuntu/ jammy main restricted
# deb-src http://archive.ubuntu.com/ubuntu/ jammy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted
# deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu/ jammy universe
# deb-src http://archive.ubuntu.com/ubuntu/ jammy universe
deb http://archive.ubuntu.com/ubuntu/ jammy-updates universe
# deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://archive.ubuntu.com/ubuntu/ jammy multiverse
# deb-src http://archive.ubuntu.com/ubuntu/ jammy multiverse
deb http://archive.ubuntu.com/ubuntu/ jammy-updates multiverse
# deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
# deb-src http://archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security main restricted
deb http://security.ubuntu.com/ubuntu/ jammy-security universe
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security universe
deb http://security.ubuntu.com/ubuntu/ jammy-security multiverse
# deb-src http://security.ubuntu.com/ubuntu/ jammy-security multiverse
apt-cache command
- Search and look up package information
Subcommands
- search
- Search for packages containing the specified keyword
- show
- Display information about the specified package
- showpkg
- Display detailed information about the specified package
- depends
- Display dependencies of the specified package
$ apt-cache depends tree
tree
Depends: libc6
apt-file command
- Search for packages containing the specified file
- Requires installation before use:
apt install apt-file - Run
apt-file updatebeforehand
$ apt-file search "/usr/bin/sudo"
sshuttle: /usr/bin/sudoers-add
sudo: /usr/bin/sudo
sudo: /usr/bin/sudoedit
sudo: /usr/bin/sudoreplay
sudo-ldap: /usr/bin/sudo
sudo-ldap: /usr/bin/sudoedit
sudo-ldap: /usr/bin/sudoreplay
dpkg
- Can install but cannot download
$ sudo dpkg -iE tree_1.7.0-5_amd64.deb
- Package name
- Version
- Release number
- CPU architecture
.debindicates it is in Debian format
Options
- -i
- Install a package
- -r
- Uninstall a package while leaving configuration files
- -P
- Completely uninstall including configuration files
- -l
- Display installed packages
- -L
- List files installed from the specified package
- -S
- Show which package installed the specified file
$ dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-============================================-============-====================>
ii acl 2.3.1-1 amd64 access control list >
ii adduser 3.118ubuntu5 all add and remove users>
ii adwaita-icon-theme 41.0-1ubuntu1 all default icon theme o>
ii alsa-topology-conf 1.2.5.1-2 all ALSA topology config>
ii alsa-ucm-conf 1.2.6.3-1ubuntu1.6 all ALSA Use Case Manage>
ii apache2 2.4.52-1ubuntu4.5 amd64 Apache HTTP Server
ii apache2-bin 2.4.52-1ubuntu4.5 amd64 Apache HTTP Server (>
ii apache2-data 2.4.52-1ubuntu4.5 all Apache HTTP Server (>
ii apache2-utils 2.4.52-1ubuntu4.5 amd64 Apache HTTP Server (>
ii apparmor 3.0.4-2ubuntu2.2 amd64 user-space parser ut>
ii apport 2.20.11-0ubuntu82.5 all automatically genera>
ii apport-symptoms 0.24 all symptom scripts for >
ii apt 2.4.9 amd64 commandline package >
ii apt-file 3.2.2 all search for files wit>
ii apt-utils 2.4.9 amd64 package management r>
ii aspell 0.60.8-4build1 amd64 GNU Aspell spell-che>
ii aspell-en 2018.04.16-0-1 all English dictionary f>
ii at-spi2-core 2.44.0-3 amd64 Assistive Technology>
...
$ dpkg -L acl
/.
/bin
/bin/chacl
/bin/getfacl
/bin/setfacl
/usr
/usr/share
/usr/share/doc
/usr/share/doc/acl
/usr/share/doc/acl/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/chacl.1.gz
/usr/share/man/man1/getfacl.1.gz
/usr/share/man/man1/setfacl.1.gz
/usr/share/man/man5
/usr/share/man/man5/acl.5.gz
/usr/share/doc/acl/changelog.Debian.gz
$ dpkg -S /usr/share/doc/acl
acl: /usr/share/doc/acl
$ dpkg -s acl
Package: acl
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 200
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 2.3.1-1
Depends: libacl1 (= 2.3.1-1), libc6 (>= 2.34)
Description: access control list - utilities
This package contains the getfacl and setfacl utilities needed for
manipulating access control lists. It also contains the chacl IRIX
compatible utility.
Original-Maintainer: Guillem Jover <guillem@debian.org>
Homepage: https://savannah.nongnu.org/projects/acl/
yum
- Yellowdog Updater, Modified
- YUM configuration file
/etc/yum.conf
- Repository information configuration
/etc/yum.repos.d
# yum info bash
Last metadata expiration check: 0:02:34 ago on Sat 24 Jun 2023 10:54:13 AM JST.
Installed Packages
Name : bash
Version : 5.1.8
Release : 4.el9
Architecture : x86_64
Size : 7.4 M
Source : bash-5.1.8-4.el9.src.rpm
Repository : @System
From repo : anaconda
Summary : The GNU Bourne Again shell
URL : https://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modification.
Available Packages
Name : bash
Version : 5.1.8
Release : 6.el9
Architecture : x86_64
Size : 1.7 M
Source : bash-5.1.8-6.el9.src.rpm
Repository : baseos
Summary : The GNU Bourne Again shell
URL : https://www.gnu.org/software/bash
License : GPLv3+
Description : The GNU Bourne Again shell (Bash) is a shell or command language
: interpreter that is compatible with the Bourne shell (sh). Bash
: incorporates useful features from the Korn shell (ksh) and the C shell
: (csh). Most sh scripts can be run by bash without modificationp
rpm
- Package management system developed by Red Hat
$ rpm -qa
bash-5.1.8-4.el9.x86_64
...
Options
- -i
- Install a package
- -U
- Upgrade or install
- -F
- Upgrade
- -e
- Uninstall
- -q
- Query; used in combination with other options
- -qa
- Display a list of installed packages
Device Management
-
Hardware is managed through device files
-
Device files are stored under
/dev -
Device files are automatically created by a mechanism called
udev -
Hardware information is stored in
/proc -
/syscontains files for accessing system information -
/proc/cpuinfo- CPU information
-
/proc/interrupts- Information about interrupt processing
-
/proc/ioports- Address information for device-to-device communication
-
/proc/meminfo- Memory information
-
/proc/swaps -
/proc/bus/usb/<device name>- USB device information
-
/proc/bus/pci/<device name>- PCI device information
Viewing device information
- cat /proc/cpuinfo
- lscpu
- lspci
- lsusb
- lsmem
udev
- Device files are automatically created under
/dev - Configuration files are in the
/etc/udev/rules.ddirectory
How udev works
- Connect a device
- The kernel creates device information in the
/sysdirectory - The
udevdaemon creates a device file in the/devdirectory - Device information is conveyed to applications via a mechanism called D-Bus
Hard Disk Partitions
- Logical divisions
- A different file system can be created per partition
- By partitioning, even if a large amount of data is saved, it will not encroach on other partitions
Partition Types
- Primary partition
- Up to 4 per disk
- Device file name is
/dev/sda1
- Extended partition
- Only one can be created per disk
- Contains logical partitions
- Extended partitions and primary partitions can total up to 4
- Logical partition
/dev/sda5or higher
- Primary partition
- Device file names from
/dev/sda1to/dev/sda4
- Device file names from
- EFI system partition
- Contains various management files
LVM
- Logical Volume Manager
- Manages physically different volumes (HDDs, etc.) as a single virtual volume
- Logical volumes can be resized or moved to other disks
- Backups can be easily created with snapshots
Device Files
- 1st HDD (SSD, USB):
/dev/sda - 2nd HDD:
/dev/sdb - 3rd HDD:
/dev/sdc - 4th HDD:
/dev/sdd - 1st CD/DVD drive:
/dev/sr0 - 1st tape drive:
/dev/st0
Partition Operations
fdisk command
$ sudo fdisk -l
[sudo] password for bluen:
Disk /dev/ram0: 64 MiB, 67108864 bytes, 131072 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk /dev/ram1: 64 MiB, 67108864 bytes, 131072 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk /dev/ram2: 64 MiB, 67108864 bytes, 131072 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
<omitted>
Disk /dev/sda: 363.32 MiB, 380968960 bytes, 744080 sectors
Disk model: Virtual Disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/sdb: 1 GiB, 1073745920 bytes, 2097160 sectors
Disk model: Virtual Disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk /dev/sdc: 1 TiB, 1099511627776 bytes, 2147483648 sectors
Disk model: Virtual Disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk /dev/sdd: 1 TiB, 1099511627776 bytes, 2147483648 sectors
Disk model: Virtual Disk
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
$ sudo fdisk /dev/sdd
Welcome to fdisk (util-linux 2.37.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
This disk is currently in use - repartitioning is probably a bad idea.
It's recommended to umount all file systems, and swapoff all swap
partitions on this disk.
The device contains 'ext4' signature and it will be removed by a write command. See fdisk(8) man page and --wipe option for more details.
Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x0ef9f134.
Command (m for help): m
Help:
DOS (MBR)
a toggle a bootable flag
b edit nested BSD disklabel
c toggle the dos compatibility flag
Generic
d delete a partition
F list free unpartitioned space
l list known partition types
n add a new partition
p print the partition table
t change a partition type
v verify the partition table
i print information about a partition
Misc
m print this menu
u change display/entry units
x extra functionality (experts only)
Script
I load disk layout from sfdisk script file
O dump disk layout to sfdisk script file
Save & Exit
w write table to disk and exit
q quit without saving changes
Create a new label
g create a new empty GPT partition table
G create a new empty SGI (IRIX) partition table
o create a new empty DOS partition table
s create a new empty Sun partition table
Command (m for help): q
Partition Table
- A partition table is an area for managing partitions within a storage device
- It exists at the beginning of the storage area and is read first
- Master Boot Record
- Partition table used in BIOS systems
- Read first after the motherboard bootloader starts
- Supports up to 2TB
- Up to 4 primary partitions can be created
GUID Partition Table
- Partition table used in UEFI systems
- Up to 128 partitions can be created
File System
Types
- ext4
- XFS
- Btrfs
- A newer file system
Btrfs
- Can create virtual volumes (storage pools)
- Can create a single file system spanning multiple physical volumes (multi-device file system)
- Backup via snapshots
- Create subvolumes by dividing the file system
Mounting File Systems
- Incorporating a file system into the root file system
- For example, when you connect an HDD, you mount the HDD to an arbitrary directory (mount point) before you can access it
# mount -t ext4 /dev/sdc1 /data
- Specify the file system to mount (+ device) and the mount point
- The mount command can only be run by the root user
- If no device or mount point is specified, the
/etc/fstabfile is referenced
Network Configuration
Configuration Files
/etc/hostname- Contains the hostname
/etc/hosts- Contains the mapping of hostnames to IP addresses
$ cat /etc/hostname
DESKTOP-7IGG3DT
$ cat /etc/hosts
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateHosts = false
127.0.0.1 localhost
127.0.1.1 DESKTOP-7IGG3DT. DESKTOP-7IGG3DT
192.168.10.121 host.docker.internal
192.168.10.121 gateway.docker.internal
127.0.0.1 kubernetes.docker.internal
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
nmcli command
- Command to manage the network via NetworkManager
- NetworkManager is a subsystem adopted in RedHat-based systems
$ nmcli general status
STATE CONNECTIVITY WIFI-HW WIFI WWAN-HW WWAN
disconnected unknown enabled enabled enabled enabled
$ nmcli general hostname
DESKTOP-7IGG3DT
$ nmcli networking connectivity
unknown
$ nmcli radio wifi
enabled
$ nmcli radio wwan
enabled
$ nmcli device
DEVICE TYPE STATE CONNECTION
virbr0 bridge unmanaged --
eth0 ethernet unmanaged --
lo loopback unmanaged --
$ nmcli device show eth0
GENERAL.DEVICE: eth0
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:15:5D:CF:DB:33
GENERAL.MTU: 1500
GENERAL.STATE: 10 (unmanaged)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 172.27.63.153/20
IP4.GATEWAY: 172.27.48.1
IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = 172.27.48.1, mt = 0
IP4.ROUTE[2]: dst = 172.27.48.0/20, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]: fe80::215:5dff:fecf:db33/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 256
$ nmcli device wifi list
$ nmcli connection show
ip command
- Display and change the IP address of a network device
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:15:5d:cf:db:33 brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:a4:b0:85 brd ff:ff:ff:ff:ff:ff
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:cf:db:33 brd ff:ff:ff:ff:ff:ff
inet 172.27.63.153/20 brd 172.27.63.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fecf:db33/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:a4:b0:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
$ ip route
default via 172.27.48.1 dev eth0 proto kernel
172.27.48.0/20 dev eth0 proto kernel scope link src 172.27.63.153
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
ifconfig command
- Display and change the IP address of a network device
- When NetworkManager is in use, ifconfig, ifup, and ifdown are not recommended
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.27.63.153 netmask 255.255.240.0 broadcast 172.27.63.255
inet6 fe80::215:5dff:fecf:db33 prefixlen 64 scopeid 0x20<link>
ether 00:15:5d:cf:db:33 txqueuelen 1000 (Ethernet)
RX packets 6160 bytes 8986715 (8.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1598 bytes 146271 (146.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:a4:b0:85 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ifup/ifdown commands
- Enable or disable a network interface
Security
Removing Unnecessary SUID/SGID
- Use the find command to search for files with SUID/SGID set
- If unnecessary SUID/SGID is found, remove the permission with
chmod u-s <filename>. For SGID, useg-s
$ sudo find / -perm -u+s -ls
1666 32 -rwsr-xr-x 1 root root 30872 Feb 26 2022 /usr/bin/pkexec
1817 56 -rwsr-xr-x 1 root root 55672 Feb 21 2022 /usr/bin/su
1818 228 -rwsr-xr-x 1 root root 232416 Apr 4 03:00 /usr/bin/sudo
1289 72 -rwsr-xr-x 1 root root 72712 Nov 24 2022 /usr/bin/chfn
1893 36 -rwsr-xr-x 1 root root 35192 Feb 21 2022 /usr/bin/umount
1596 40 -rwsr-xr-x 1 root root 40496 Nov 24 2022 /usr/bin/newgrp
1580 48 -rwsr-xr-x 1 root root 47480 Feb 21 2022 /usr/bin/mount
1635 60 -rwsr-xr-x 1 root root 59976 Nov 24 2022 /usr/bin/passwd
1412 36 -rwsr-xr-x 1 root root 35200 Mar 23 2022 /usr/bin/fusermount3
1295 44 -rwsr-xr-x 1 root root 44808 Nov 24 2022 /usr/bin/chsh
1433 72 -rwsr-xr-x 1 root root 72072 Nov 24 2022 /usr/bin/gpasswd
26960 60 -rwsr-xr-x 1 root root 60360 Sep 5 2021 /usr/bin/inetutils-traceroute
26010 416 -rwsr-xr-- 1 root dip 424512 Feb 25 2022 /usr/sbin/pppd
Closing Unnecessary Ports
Reference: https://linuc.org/study/knowledge/356/
There are actually two main ways to close ports.
One is "addressing it at the application level." Think about what it means for a port to be "open" in the first place. For example, when you start a web server application like Apache, port 80 (a Well Known port) opens by default and begins listening for connections on port 80.
With this in mind, stopping the server application automatically closes the port. This ties into the idea of "don't start unnecessary applications."
The other method is "restricting communication." The representative approach is a technique called "packet filtering." Using packet filtering, you can shut out communication on specific ports or from specific IP addresses. In Linux, packet filtering can be performed using a command called "iptables." With the iptables command, you can specify in detail what kind of communication to block, such as "block a specific port from a certain host."
To check which ports are open, there are commands such as "netstat," "lsof," and "nmap." The details of each command are omitted here, but netstat and lsof are used to find out "which ports you have open," while nmap is used to find out "which ports another host has open." Note that when packet filtering is applied, netstat and lsof may show a port as open even when it is filtered.
Other references:
https://network-beginners-handbook.com/netstat/
https://milestone-of-se.nesuke.com/sv-basic/linux-basic/ss-netstat/
https://qiita.com/s-yoshida/items/38e9830bd84a3bbe25b9
https://www.linuxmaster.jp/linux_skill/2009/02/linux-4.html
Stopping Unnecessary Services
Auto-start status
- Use the following command to display all available units in the systemd path (
/etc/systemd/system/or/lib/systemd/system/) and check their auto-start status systemctl list-unit-files --type=service- If an unnecessary service is set to auto-start, disable it with
systemctl disable <unit name>
$ systemctl list-unit-files --type=service
UNIT FILE STATE VENDOR PRESET
apache-htcacheclean.service disabled enabled
apache-htcacheclean@.service disabled enabled
apache2.service disabled enabled
apache2@.service disabled enabled
apparmor.service enabled enabled
<omitted>
wpa_supplicant@.service disabled enabled
x11-common.service masked enabled
201 unit files listed.
Checking service status
- Display all units that systemd attempted to load and check their status
- Units that systemd did not attempt to load are not shown
systemctl list-units --all --type=service
$ sudo systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION >
apport.service loaded active exited LSB: automatic crash report generation
blk-availability.service loaded active exited Availability of block devices
console-getty.service loaded active running Console Getty
<omitted>
wpa_supplicant.service loaded active running WPA supplicant
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
45 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
Access Control with TCP Wrappers
TCP Wrappers apparently runs on tcpd, but it seems it can also be used with sshd even when tcpd is not running.
Access control can be configured by adding settings to /etc/hosts.allow and /etc/hosts.deny.
$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: ALL
# ssh bluen@localhost
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 22
firewalld Service
- firewalld is software for performing packet filtering and other network operations on Linux
- https://knowledge.sakura.ad.jp/22269/#Firewalld
- https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls#sec-Zones
$ sudo apt install firewalld
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed
<omitted>
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-06-30 08:44:38 JST; 1min 3s ago
Docs: man:firewalld(1)
Main PID: 2096 (firewalld)
Tasks: 2 (limit: 4559)
Memory: 30.0M
CGroup: /system.slice/firewalld.service
└─2096 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
$ cat /lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)
[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1
KillMode=mixed
[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service
Checking Login History
On Red Hat-based systems, use /var/log/secure; on Debian-based systems, use /var/log/auth.log to check logs of SSH connections and server logins.
$ cat /var/log/auth.log
<omitted>
Jun 30 08:17:03 <hostname> sshd[1450]: refused connect from 127.0.0.1 (127.0.0.1)
Jun 30 08:35:32 <hostname> sshd[1656]: refused connect from 127.0.0.1 (127.0.0.1)