Learning Linux: Week 2 – Permissions, Access Control & Networking Basics


Remote Access
To connect to your Linux machine, whether on AWS or in VirtualBox, you need to know the remote system's IP address (or hostname) and the username you want to log in as (plus its password, unless you authenticate with a key)
From a bash shell, use the command
ssh -i <private-key-file> <user>@<ip-address>
The first time you connect to a new system over SSH, you will be asked whether you want to accept the remote system's host key fingerprint
SSH saves this fingerprint in ~/.ssh/known_hosts and will warn you and refuse the connection if it changes later; this is what protects you against a machine impersonating the server
Some basic SSH commands that might come in handy
ssh-keygen                        # create a private/public key pair (RSA by default on older OpenSSH, 2048-bit; newer releases default to larger keys or Ed25519)
ssh-keygen -t rsa -b 4096         # create an RSA key pair with a 4096-bit key
ssh-copy-id <user>@<remote_host>  # copy the created public key into the authorized_keys file on the server you want to connect to
Linux File and Directory Properties
File Ownership
Every file or directory in Linux is owned by a user and a group
User → Owner of file
Group → a set of users that share the same permissions on the file
ls -l filename
# Result
-rwxr-xr-x 1 user group 1234 Feb 6 10:00 filename
Commands to modify ownership:
Change owner:
chown <user> <filename>
Change group:
chown :<group> <filename>
Change both:
chown <user>:<group> <filename>
File Permission
Read → Permission to view content
Write → Permission to modify the file’s content
Execute → Permission to run the file (for executables or scripts); on a directory, execute permission is what allows entering it
Permission breakdown:
rwxr-xr-x
Owner permissions (first set of 3 characters)
Group permissions (second set of 3 characters)
Other permissions (third set of 3 characters)
The character in front of these nine in the ls -l output (- for a regular file, d for a directory) is the file type, not a permission
File Access Control Lists (ACLs)
What is Root?
It is the superuser or admin account on a Unix-like OS with unrestricted access to all parts of the system and can perform any action without limitation
It has the highest level of privileges
sudo
sudo → superuser Do → temporarily gain root privileges when needed
minimizes the security risk associated with being logged in as root all the time
Changing Password in a Linux System
passwd
→ Change your own password or the passwords of other users
To change your own password, simply run
passwd
To change another user's password, run:
sudo passwd <user>
chpasswd
→ for changing multiple passwords at the same time
Syntax:
sudo chpasswd < users_passwords.txt
where users_passwords.txt contains one username:password pair per line, for example
user1:password123
user2:anotherpassword
usermod -L <user>
→ locks the user account. The same can be done with
passwd -l <username>
usermod -U <user>
→ unlocks the user account. The same can be done with
passwd -u <username>
chage
→ used for managing password expiration policies
Syntax:
sudo chage -l <username>    # check the user's password expiration status
sudo chage -d 0 <username>  # force the user to change their password at next login
User and Group Management
Creating Users
useradd {options} {username}
→ to create a new user
ls -l /home
→ to list the home directories, one per user, on the system
-u
→ user ID
-s
→ assign the login shell
-e
→ expiry date
-c
→ comment
Eg:
useradd -u 2020 -s /bin/bash -e 2026-01-01 -c "ADMIN USER" jerry
Whenever we create a new user, we get some default folders, and the home directory of every new user is created under
/home
passwd {username}
→ to set or change the user's password
cat /etc/passwd
→ to list all users and the details of each user
chage {option} {username}
→ to display or change the user's password expiry information
chage -d 0 {username}
→ to force the user to change their password on the next login
userdel {options} {username}
→ to remove the user account
userdel -r kerry
→ -r or --remove deletes the user account together with the user's home directory and mail spool
/sbin/nologin
→ a shell designed specifically to prevent users from logging in; it prints a message when they try, indicating that their account is currently unavailable
/bin/false
→ prevents login and displays no message
/bin/rbash
→ a restricted shell that limits the user's commands and restricts access to specific directories and commands
Creating Groups
groupadd {options} {groupname}
→ to create a new group
cat /etc/group
→ to show information about groups and the details of each group
-g or --gid
→ to assign an ID to the group
usermod {options} {groupname} {username}
→ to add members to groups
usermod {options} {username}
→ to modify user attributes
-a
→ append (used together with -G so that existing secondary groups are kept)
-G
→ secondary groups
-g
→ assign the primary group
-L
→ lock
-U
→ unlock
-c
→ comment
id jerry
→ list all the groups user jerry is in
Primary vs Secondary groups
| | Primary | Secondary |
| --- | --- | --- |
| Definition | Each user must be in exactly one primary group | Each user can be in multiple secondary groups |
| Command | usermod -g groupname username | usermod -a -G groupname username |
| Example | usermod -g network jerry | usermod -a -G database,linux jerry |
| id jerry | gid=2002(network) | groups=1991(linux),2021(database) |
groupdel {options} {groupname}
→ to delete a group and all entries referring to it
cat /etc/group | grep developer
→ to double-check that the group has been deleted
Modifying Permission sets
chmod {permissions} {file/directory}
→ used to modify, change, and remove permission sets on a file or directory
Changing group ownership
chgrp {groupname} {file/directory}
→ to change only the group ownership
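The permission string from the ls -l output above maps directly onto the octal numbers chmod accepts. As an added example (not code from the original post), here is a POSIX shell function that converts an ls -l mode string into that octal value, including the setuid, setgid and sticky bits (s, S, t, T) that the three-triad breakdown above does not cover; the temporary file in demo_file_mode is constructed for the example.

```shell
# Added example: convert an ls -l mode string into the octal value chmod accepts.
# mode_to_octal "-rwxr-xr-x" -> 755 ; mode_to_octal "-rwsr-xr-x" -> 4755
# Accepts 9 characters (rwxr-xr-x) or 10 (with the leading file-type character).
mode_to_octal() {
    m="$1"
    case "${#m}" in
        10) m="${m#?}" ;;      # drop the file-type character (-, d, l, ...)
        9)  ;;
        *)  echo "mode_to_octal: expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    special=0   # setuid (4) / setgid (2) / sticky (1) digit
    digits=""   # owner, group, other digits
    for idx in 0 1 2; do
        triad=$(printf '%s' "$m" | cut -c"$((idx * 3 + 1))-$((idx * 3 + 3))")
        r=$(printf '%s' "$triad" | cut -c1)
        w=$(printf '%s' "$triad" | cut -c2)
        x=$(printf '%s' "$triad" | cut -c3)
        v=0
        [ "$r" = "r" ] && v=$((v + 4))
        [ "$w" = "w" ] && v=$((v + 2))
        case "$x" in
            x|s|t) v=$((v + 1)) ;;                      # lower-case: the execute bit is set
        esac
        case "$x" in
            s|S) special=$((special + (4 >> idx))) ;;   # owner slot -> setuid 4, group slot -> setgid 2
            t|T) special=$((special + 1)) ;;            # other slot -> sticky 1
        esac
        digits="$digits$v"
    done
    [ "$special" -eq 0 ] && special=""      # print 755 rather than 0755 when no special bits are set
    printf '%s\n' "$special$digits"
}

# Create a temporary file (constructed input), set 750 with chmod, read the mode
# back from ls and convert it. ls may append "." or "+" to the mode (SELinux
# context / ACL entries present), so only the first 10 characters are kept.
demo_file_mode() {
    f=$(mktemp)
    chmod 750 "$f"
    ls_mode=$(ls -ld "$f" | awk '{ print substr($1, 1, 10) }')
    mode_to_octal "$ls_mode"
    rm -f "$f"
}

demo_file_mode   # prints 750
```

A trailing + on the ls -l mode is the sign that the file carries ACL entries beyond the nine standard bits (see getfacl); the function above deliberately ignores that suffix, so the octal value it returns is only the classic owner/group/other view.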
Superuser and visudo command
The sudoers file is a crucial configuration file in Unix-like operating systems, primarily Linux, that controls which users and groups can execute commands with elevated privileges (typically as the root user)
→ located in /etc/sudoers
Although we can edit this file directly, we prefer not to, because a direct edit is not checked for syntax errors before it takes effect, and a broken sudoers file can lock everyone out of sudo
Therefore, a better approach is to use the visudo command, which checks the syntax before saving (visudo -c checks an existing file without editing it)
Running visudo opens the sudoers file in an editor, where we can make our changes
The changes take effect when we save and exit, provided the syntax check passes
Networking
Networking Components
IP Address → unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network
Subnet Mask → a 32-bit number that masks an IP address and divides it into a network address and a host address.
- A subnet mask is made by setting the network bits to all '1's and the host bits to all '0's
Gateway → tells your computer which route to take to send traffic out of the local network and receive traffic back in
Static vs DHCP →
Static means assigning an IP to your machine that doesn't change when you reboot
With DHCP, the machine picks an IP from a pool of addresses at boot, so the address will most likely change after a reboot
Interface → the NIC card, which has a permanent MAC address associated with it
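As an added example (not from the original post), the subnet-mask and gateway rules above carried out in POSIX shell arithmetic: the mask is ANDed with the address to get the network part, the host bits are set to get the broadcast address, a mask is valid only if it is a run of 1s followed by a run of 0s, and a destination outside the local network is handed to the gateway. All addresses used are constructed sample values.

```shell
# Added example: IPv4 subnet arithmetic in POSIX sh (sample addresses are constructed).

# dotted-quad -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# A valid mask is network bits all 1s followed by host bits all 0s:
# the host part (bitwise complement of the mask) plus one must be a power of two.
valid_mask() {
    host=$(( 4294967295 - $(ip_to_int "$1") ))
    [ $(( (host + 1) & host )) -eq 0 ]
}

# number of network bits (the /N in CIDR notation)
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# network address: keep the network bits, zero the host bits
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast address: keep the network bits, set all host bits
broadcast_address() {
    int_to_ip $(( $(ip_to_int "$1") | (4294967295 - $(ip_to_int "$2")) ))
}

# Where a packet from $1 to $2 goes: straight onto the link if both share the
# network part under mask $3, otherwise to the gateway $4.
next_hop() {
    if [ "$(network_address "$1" "$3")" = "$(network_address "$2" "$3")" ]; then
        echo "direct"
    else
        echo "$4"
    fi
}

# constructed sample: host 192.168.1.130 on a /26 whose gateway is 192.168.1.129
for dest in 192.168.1.150 10.0.0.5; do
    printf '%s -> %s: %s\n' 192.168.1.130 "$dest" "$(next_hop 192.168.1.130 "$dest" 255.255.255.192 192.168.1.129)"
done
```

The same AND-with-mask comparison is what the kernel's routing table does for every outgoing packet, which is why a wrong subnet mask on a static configuration shows up as "can reach some hosts on the LAN but not others" rather than as a complete outage.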
Client-Server Relationship
It is a fundamental concept in networking, where a server provides resources, services, or data, and a client requests and consumes them
Client?
A system or application that requests services from a server
Sends requests and waits for a response from the server
Server?
A system or application that listens for client requests and provides services
Can handle multiple client connections at the same time
Client-Server Interaction Process
Client initiates a request
- The client sends a request using a protocol like HTTP, SSH, FTP, etc.
Server receives and processes the request
- The server listens on a specific port (80 → HTTP, 22 → SSH)
Server sends a response
- The server processes the request and sends back a response
Configure & secure SSH
Secure Shell → the shell provides you with an interface to the Linux system
- It takes in our commands and passes them to the kernel, which manages the hardware
OpenSSH is the package/software that provides SSH
Its service daemon is
sshd
→ a daemon runs in the background and listens for incoming connections
By default, the SSH port is 22
SSH itself is secure, meaning communication through SSH is always encrypted, but there is additional configuration that can be done to make it more secure
Common Configurations
Configure Idle Timeout Interval
To avoid leaving an unattended SSH session open, you can set an idle timeout interval
Become root
Edit your
/etc/ssh/sshd_config
file and add the following lines
ClientAliveInterval 600
ClientAliveCountMax 0
# systemctl restart sshd
Before every restart, run sshd -t to check the file for syntax errors; a broken sshd_config stops sshd from starting and can leave you unable to reconnect
Note that on OpenSSH 8.2 and later, ClientAliveCountMax 0 disables connection termination altogether, so on those versions use ClientAliveCountMax 1 to have the session dropped after one missed keepalive
Disable root login
Disabling root login should be one of the measures you take when setting up the system for the first time.
It prevents anyone from logging in to the system over SSH with the root account
Become root
Edit your
/etc/ssh/sshd_config
file and change PermitRootLogin yes to
PermitRootLogin no
# systemctl restart sshd
Limit Users' SSH Access
To provide another layer of security, limit SSH logins to only those users who need remote access
Become root
Edit your
/etc/ssh/sshd_config
file and add
AllowUsers user1 user2
# systemctl restart sshd
Use a different Port
By default, SSH runs on port 22. Most attackers scanning for open SSH servers look for port 22, and moving the service to another port can make the system much less exposed to automated login attempts (it complements the other hardening steps rather than replacing them)
Become root
Edit
/etc/ssh/sshd_config
and change the following line to a port of your choice
Port 22
# systemctl restart sshd
On systems with SELinux enforcing (such as CentOS), the new port must also be allowed for sshd (semanage port -a -t ssh_port_t -p tcp <new-port>) and opened in the firewall before the restart, or you will lock yourself out
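The four edits above are the kind of thing that is easy to get subtly wrong by hand: a commented-out default left in place, a duplicate keyword (sshd uses the first one it reads), or a directive accidentally placed after a Match block so it applies to one user only. As an added example (not code from the original post), here is a POSIX shell + awk helper that applies those settings idempotently and audits a config for them. It works on a constructed sample file, not a live server; Port 2222 is an arbitrary example value, and user1 user2 are the placeholder names from the text. ClientAliveCountMax is set to 1 rather than the 0 shown above because OpenSSH 8.2 and later treat 0 as "never terminate".

```shell
# Added example: apply and audit the sshd_config hardening described above.
# The config file is a constructed sample; nothing here touches /etc/ssh.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Effective global value of a keyword: sshd takes the first uncommented match,
# and anything after a Match line applies only to that block, so stop there.
get_sshd_option() {
    awk -v lk="$(lower "$2")" '
        tolower($1) == "match" { exit }
        tolower($1) == lk      { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Set a keyword idempotently: remove active and commented-out lines for it and
# insert the new line before the first Match block (or at the end) so it stays global.
set_sshd_option() {
    cfg="$1"
    awk -v key="$2" -v val="$3" -v lk="$(lower "$2")" '
        { f = $1; sub(/^#+/, "", f) }
        tolower(f) == lk { next }
        tolower($1) == "match" && !done { print key, val; done = 1 }
        { print }
        END { if (!done) print key, val }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# The four changes from the text (ClientAliveCountMax 1, not 0, for OpenSSH >= 8.2).
harden_sshd_config() {
    set_sshd_option "$1" ClientAliveInterval 600
    set_sshd_option "$1" ClientAliveCountMax 1
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "user1 user2"
    set_sshd_option "$1" Port 2222          # arbitrary example port
}

# Report which measures are missing; the last line is warnings=N.
audit_sshd_config() {
    cfg="$1"; warn=0
    v=$(get_sshd_option "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "WARN: PermitRootLogin is '${v:-unset}', want no"; warn=$((warn + 1)); }
    v=$(get_sshd_option "$cfg" ClientAliveInterval)
    [ "${v:-0}" -gt 0 ] || { echo "WARN: ClientAliveInterval not set, no idle timeout"; warn=$((warn + 1)); }
    v=$(get_sshd_option "$cfg" ClientAliveCountMax)
    [ "${v:-3}" -ne 0 ] || { echo "WARN: ClientAliveCountMax 0 disables termination on OpenSSH >= 8.2"; warn=$((warn + 1)); }
    v=$(get_sshd_option "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "WARN: AllowUsers not set, every account may log in"; warn=$((warn + 1)); }
    v=$(get_sshd_option "$cfg" Port)
    [ "${v:-22}" != "22" ] || { echo "WARN: sshd listens on the default port 22"; warn=$((warn + 1)); }
    echo "warnings=$warn"
}

# Constructed sample config: stock-style commented defaults plus a Match block.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# sample sshd_config (constructed for this example)
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

f=$(make_sample_config)
audit_sshd_config "$f"      # four WARN lines, then warnings=4
harden_sshd_config "$f"
audit_sshd_config "$f"      # warnings=0
# on a real host the next step would be: sshd -t -f /etc/ssh/sshd_config && systemctl restart sshd
rm -f "$f"
```

The audit reads the file the way sshd does (first match wins, Match blocks are not global), which is why it is a better check than grepping for the keyword: a PermitRootLogin no that sits after a Match User line would pass a grep and still leave root login enabled globally.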
SSH Keys → access a remote server without a password
Two reasons to access a remote machine this way:
Repetitive logins
Automation through scripts
ssh-keygen
ssh-copy-id root@<ip>
Then log in via
ssh root@<ip>
or
ssh -l root <ip>
System updates and Repos
There are two major commands used in system updates
dnf → newer versions of CentOS
yum → older versions of CentOS
dnf uses the same repository definition files as yum
The repositories defined in
/etc/yum.repos.d
are still valid
The repo file has the URL from which you can get the package
So when you run dnf, you are telling the system to go online to this URL and fetch the package you want to install (this needs Internet connectivity)
apt-get
rpm (RedHat Package Manager)
Difference between rpm and dnf
rpm
It is used when you already have a package downloaded on your system; you then install it by running rpm
Usually used in environments that don't have internet access
rpm doesn't install other dependencies automatically
rpm -qa
→ list installed packages
rpm -qi <name>
→ show package information
rpm -qf <fullpath>
→ check which package a file or command belongs to
rpm -hiv <path>.rpm
→ installation command
rpm -e <name>
→ remove the package
rpm -qc <name>
→ list the package's configuration files
dnf
does all the things for you: it downloads and installs the package
It will install the other dependencies as well
dnf install <package-name>
→ installs, verifies, and cleans up the downloads
dnf remove <package-name>
→ remove the package
chrony
→ replacement for ntp
Two types of upgrades
Major version upgrade → from 7 to 8, 8 to 9, etc.
cat /etc/os-release
→ check the version
cannot be upgraded via the dnf command
Minor version upgrade
CentOS = 8.1/8.2
Red Hat = 9.1/9.2/9.3
Stay within the same channel
can be done via the dnf command
dnf update -y
→ -y means do not prompt for yes or no
dnf upgrade
→ deletes old packages and updates with newer packages
dnf update
→ preserves the old package; why? It is good practice, in case certain applications don't work with the newer package
(In dnf itself, update is only a deprecated alias for upgrade and the two behave identically; the distinction above comes from yum, where upgrade additionally removed obsoleted packages)
Written by

MRIDUL TIWARI