Learning Linux: Week 2 – Permissions, Access Control & Networking Basics

MRIDUL TIWARI

Remote Access

  • To connect to your Linux machine, whether on AWS or in VirtualBox, you need the remote system’s IP address (or hostname) and the username you want to log in as (plus a password, unless you authenticate with a key)

  • From a bash shell, use the command ssh -i <private-key-file> <user>@<ip-address>

  • The first time you connect to a new system over SSH, you will be asked to confirm the remote system’s host key fingerprint

  • SSH saves this fingerprint (in ~/.ssh/known_hosts) and refuses to connect if it later changes, which is what protects you against someone impersonating the server

  • Some basic SSH commands that might come in handy

      # Create a private/public key pair interactively with the defaults
      ssh-keygen

      # Create a key pair with the RSA algorithm (2048-bit key by default on older OpenSSH releases, 3072-bit on current ones)
      ssh-keygen -t rsa

      # Create an RSA key pair with a 4096-bit key instead
      ssh-keygen -t rsa -b 4096

      # Copy the public key into the authorized_keys file on the server you want to connect to
      ssh-copy-id username@remote_host
    

Linux File and Directory Properties

  • File Ownership

    • Every file or directory in Linux is owned by a user and a group

    • User → Owner of file

    • Group → a set of users that share the same permissions on the file

    ls -l filename
    # Result
    -rwxr-xr-x 1 user group 1234 Feb 6 10:00 filename
  • Commands to modify ownership:

    • Change owner: chown <user> <filename>

    • Change group: chown :<group> <filename>

    • Change both: chown <user>:<group> <filename>

  • File Permission

    • Read → Permission to view content

    • Write → Permission to modify the file’s content

    • Execute → Permission to run the file (for executables or scripts)

  • Permission breakdown:

    • rwxr-xr-x

    • Owner permissions (first set of 3 characters)

    • Group permissions (second set of 3 characters)

    • Other permissions (third set of 3 characters)
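As an added example (not part of the original post), the POSIX shell functions below turn the permission string from ls -l into the octal form chmod accepts, including the setuid/setgid/sticky bits that appear as s/S and t/T in the execute slots, and flag entries that are writable by everyone. The ls -l lines inside it are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Added example: convert ls -l permission strings to octal and spot risky modes.

# perm_to_octal RWXSTRING: the 9 characters after the file-type column of ls -l,
# e.g. rwxr-xr-x -> 0755. Special bits come from the execute slots:
# s/S = setuid (owner triad) or setgid (group triad), t/T = sticky (other triad);
# lower case means the execute bit is set as well, upper case means it is not.
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 9 ] || { echo "perm_to_octal: need 9 chars, got '$p'" >&2; return 1; }
    special=0
    digits=""
    rest=$p
    for weight in 4 2 1; do                 # setuid, setgid, sticky, in triad order
        triad=$(printf '%s' "$rest" | cut -c1-3)
        rest=${rest#???}
        r=${triad%??}; x=${triad#??}; w=${triad#?}; w=${w%?}
        d=0
        [ "$r" = r ] && d=$((d + 4))
        [ "$w" = w ] && d=$((d + 2))
        case $x in
            x)   d=$((d + 1)) ;;
            s|t) d=$((d + 1)); special=$((special + weight)) ;;
            S|T) special=$((special + weight)) ;;
        esac
        digits="$digits$d"
    done
    printf '%s%s\n' "$special" "$digits"
}

# ls_mode_octal "LS_LINE": octal mode of one line of ls -l output. The first
# field is the type character plus 9 permission characters; GNU ls may append
# '+' (an ACL is present) or '.' (SELinux context), which is skipped here.
ls_mode_octal() {
    mode=${1%% *}
    perm_to_octal "$(printf '%s' "$mode" | cut -c2-10)"
}

# world_writable "LS_LINE": exit 0 when the 'other' triad has the write bit,
# the first thing to look for when reviewing a directory listing.
world_writable() {
    case ${1%% *} in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample lines (not output from a real system):
ls_mode_octal '-rwxr-xr-x 1 user group 1234 Feb 6 10:00 filename'   # 0755
ls_mode_octal '-rwsr-xr-x 1 root root 68208 Feb 6 10:00 passwd'     # 4755 (setuid)
ls_mode_octal 'drwxrwxrwt 12 root root 4096 Feb 6 10:00 tmp'         # 1777 (sticky)
if world_writable '-rw-rw-rw-+ 1 user group 0 Feb 6 10:00 shared'; then
    echo 'shared is world-writable'
fi
```

The octal digits are exactly what you pass to chmod, so `chmod 755 filename` reproduces rwxr-xr-x; the leading digit is only non-zero when a special bit is set.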

File Access Control List (ACLs)

  • What is Root?

    • It is the superuser (admin) account on a Unix-like OS: it has unrestricted access to every part of the system and can perform any action without limitation

    • It has the highest level of privileges

  • sudo

    • sudo → “superuser do” → temporarily gain root privileges for a single command when needed

    • This minimizes the security risk of being logged in as root all the time

  • Changing Password in a Linux System

    • passwd → change your own password or, as root, other users’ passwords

    • To change your password, simply run passwd

    • To change another user’s password, run: sudo passwd <user>

    • chpasswd → change several passwords at the same time

      • Syntax: sudo chpasswd < users_passwords.txt, where users_passwords.txt holds one user:password pair per line:

        user1:password123
        user2:anotherpassword

    • usermod -L <user> → locks the user’s account

      • The same can be done with passwd -l <username>

    • usermod -U <user> → unlocks the user’s account

      • The same can be done with passwd -u <username>

    • chage → manages password expiration policies

      • Syntax:
        sudo chage -l <username>   # show the user’s password expiry status
        sudo chage -d 0 <username> # force the user to change their password at next login
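Added example, not from the post: the lock, unlock and chage -d 0 commands above all leave a recognisable mark in /etc/shadow, so a small audit can be written against that file format. The records below are constructed samples with placeholder hashes; the function reads one record per call so it can also be pointed at the real file by root.

```shell
#!/bin/sh
# Added example: classify /etc/shadow records by the state the password commands leave behind.
# Record format: name:hash:lastchange:min:max:warn:inactive:expire:reserved
#   passwd -l / usermod -L  -> a '!' is put in front of the hash (account locked)
#   '*', '!' or '!!' alone  -> no password can ever match (service/system accounts)
#   empty hash field        -> the account can log in with no password at all
#   lastchange = 0          -> what chage -d 0 sets: a change is forced at next login

# account_state RECORD: print "name state" where state is one of
# empty, nopass, locked, forced-change, ok.
account_state() {
    printf '%s\n' "$1" | {
        IFS=: read -r name hash lastchange min max _rest
        case $hash in
            '')           state=empty ;;            # no password needed to log in
            '*'|'!'|'!!') state=nopass ;;           # no hash can ever match
            '!'*)         state=locked ;;           # prefix added by passwd -l / usermod -L
            *)            state=ok ;;
        esac
        if [ "$state" = ok ] && [ "$lastchange" = 0 ]; then
            state=forced-change                    # set by chage -d 0
        fi
        printf '%s %s\n' "$name" "$state"
    }
}

# audit_shadow: read records on stdin, one classification per line on stdout.
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] && account_state "$line"
    done
}

# Constructed sample records; the hashes are placeholders, not real ones.
SAMPLE_SHADOW='root:$6$constructedhash:19700:0:99999:7:::
alice:$6$constructedhash:0:0:99999:7:::
bob:!$6$constructedhash:19700:0:99999:7:::
svc:*:19700:0:99999:7:::
guest::19700:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real host run it as root with `audit_shadow < /etc/shadow`; an `empty` result is the one to act on immediately, since that account needs no password at all.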

User and Group Management

  • Creating Users

    • useradd {options} {username} → create a new user

      • -u → user ID

      • -s → login shell

      • -e → expiry date

      • -c → comment (full name or description)

      • Eg: useradd -u 2020 -s /bin/bash -e 2026-01-01 -c "ADMIN USER" jerry

    • ls -l /home → list the home directories, a quick way to see which users exist on the system

    • Whenever we create a new user, its home directory is created under /home together with a set of default files

    • passwd {username} → to create and change the user password

    • cat /etc/passwd → to list and show all users and the details of each user

    • chage {option} {username} → to display information about changing the user password expiry information

    • chage -d 0 {username} → to force the user to change their password on the next login

    • userdel {options} {username} → remove a user account

    • userdel -r kerry → -r (or --remove) deletes the account together with the user’s home directory and mail spool

    • /sbin/nologin → a login shell designed specifically to prevent users from logging in; it prints a message at login saying the account is currently unavailable

    • /bin/false → prevents login without displaying any message

    • /bin/rbash → a restricted shell that limits the commands a user can run and the directories they can reach

  • Creating Groups

    • groupadd {options} {groupname} → create a new group

      • -g or --gid → assign an ID to the group

    • cat /etc/group → show the groups on the system and the details of each

    • usermod {options} {groupname} {username} → add a user to a group

    • usermod {options} {username} → modify user attributes

      • -a → append (used together with -G so secondary groups are added without dropping existing ones)

      • -G → groups

      • -g → assigning a primary group

      • -L → Lock

      • -U → unlock

      • -c → comment

    • id jerry → list all the groups user jerry is in

    • Primary vs Secondary groups

      | | Primary | Secondary |
      | --- | --- | --- |
      | Definition | Each user has exactly one primary group | A user can belong to multiple secondary groups |
      | Command | usermod -g groupname username | usermod -a -G groupname username |
      | Example | usermod -g network jerry | usermod -a -G database,linux jerry |
      | id jerry | gid=2002(network) | groups=1991(linux),2021(database) |

    • groupdel {options} {groupname} → to delete a group and all entries referring to the group

    • cat /etc/group | grep developer → to double-check that we have deleted the group

  • Modifying Permission sets

    • chmod {permissions} {file/directory} → add, change, or remove permission sets on a file or directory

  • Changing group ownership

    • chgrp groupname {file/directory} → change only the group ownership

  • Superuser and visudo command

    • The sudoers file, /etc/sudoers, is a crucial configuration file on Unix-like operating systems, primarily Linux, that controls which users and groups can execute commands with elevated privileges (typically as root)

    • Although the file can be edited directly, that is best avoided: a plain editor does not check the syntax before the change takes effect, and a broken sudoers file can lock everyone out of sudo

    • The better approach is the visudo command, which checks the file for syntax errors before saving it

    • visudo opens the sudoers file in an editor, where we make our changes

    • When we save and exit, the validated changes are written to the file
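Added example (not the post’s own procedure): a small deploy helper that applies the visudo idea to a drop-in file under /etc/sudoers.d, syntax-checking it with visudo -cf before it is moved into place. The drop-in directory, file name and rule are this example’s own choices and are passed in as arguments; VISUDO can be overridden so the flow can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only after visudo has validated it.
# Run as root on a real host. VISUDO is overridable so the flow can be tested
# against a scratch directory (e.g. VISUDO=true or VISUDO=false).
VISUDO=${VISUDO:-visudo}

# render_sudoers_rule USER COMMAND...: one sudoers line letting USER run exactly
# the listed command as root; no NOPASSWD, so the user still authenticates.
render_sudoers_rule() {
    user=$1; shift
    printf '%s ALL=(root) %s\n' "$user" "$*"
}

# install_sudoers_dropin DIR NAME RULE: write RULE to DIR/NAME the safe way.
# sudo ignores drop-in names containing '.' or ending in '~', so such names are
# rejected; the temporary file deliberately contains a '.', so even if it were
# left behind sudo would never parse a half-written file.
install_sudoers_dropin() {
    dir=$1; name=$2; rule=$3
    case $name in
        *.*|*~) echo "install_sudoers_dropin: '$name' would be ignored by sudo" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"                       # the mode sudo expects for its config files
    if ! "$VISUDO" -cf "$tmp" >/dev/null 2>&1; then
        echo "install_sudoers_dropin: visudo rejected $name, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/$name"
}

# Real-host usage (as root); the user and command are illustrative:
# install_sudoers_dropin /etc/sudoers.d 10-deploy \
#     "$(render_sudoers_rule deploy /usr/bin/systemctl restart myapp)"
```

The check-then-move order is the whole point: sudo reads the drop-in only once it has a valid name and content, so a typo never reaches the live configuration.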

Networking

Networking Components

  • IP Address → a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network

  • Subnet Mask → a 32-bit number that masks an IP address, dividing it into a network part and a host part

    • A subnet mask is made by setting the network bits to all ‘1’s and the host bits to all ‘0’s

  • Gateway → tells your computer which route to use to send traffic out of the local network and receive traffic back in

  • Static vs DHCP

    • An IP address assigned to your machine that does not change when you reboot is static

    • With DHCP, the machine leases an address from a pool of IP addresses each time it boots, so the address will most likely change on reboot

  • Interface → the network interface card (NIC), which carries a permanent MAC address
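Added example, not from the post: these POSIX shell functions compute the network and broadcast addresses from an IP address and subnet mask, check that a mask really is a run of 1s followed by 0s, and show why the gateway matters: a destination inside the same subnet is reached directly, anything else is handed to the gateway. All addresses used are constructed.

```shell
#!/bin/sh
# Added example: IPv4 subnet arithmetic with only POSIX shell features.

# ip_to_int A.B.C.D -> the 32-bit integer value of the address.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "ip_to_int: bad IPv4 address" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted form of a 32-bit integer.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_valid MASK: a mask is a run of 1s followed by 0s, so inverting it and
# adding 1 must give a power of two (e.g. 255.255.255.0 -> 255 + 1 = 256).
mask_valid() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( (m ^ 4294967295) + 1 ))
    [ $(( inv & (inv - 1) )) -eq 0 ]
}

# prefix_len MASK -> number of 1 bits, i.e. the /N notation.
prefix_len() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# network_address IP MASK: the network bits are kept, host bits zeroed.
network_address() { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }

# broadcast_address IP MASK: the network bits are kept, host bits all set.
broadcast_address() { int_to_ip $(( $(ip_to_int "$1") | ($(ip_to_int "$2") ^ 4294967295) )); }

# route_decision SRC DST MASK: "direct" when both are in the same subnet,
# otherwise "gateway" (the packet goes to the default gateway).
route_decision() {
    if [ "$(network_address "$1" "$3")" = "$(network_address "$2" "$3")" ]; then
        echo direct
    else
        echo gateway
    fi
}

# Constructed example: a host at 192.168.1.37 with mask 255.255.255.0.
network_address   192.168.1.37 255.255.255.0              # 192.168.1.0
broadcast_address 192.168.1.37 255.255.255.0              # 192.168.1.255
prefix_len        255.255.255.0                           # 24
route_decision    192.168.1.37 192.168.1.200 255.255.255.0   # direct
route_decision    192.168.1.37 10.0.0.5      255.255.255.0   # gateway
```

The route_decision check is the same comparison the kernel makes for every outgoing packet: AND both addresses with the mask, and if the results differ the packet needs the gateway.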

Client-Server Relationship

  • It is a fundamental concept in networking, where a server provides resources, services, or data, and a client requests and consumes them

    • Client?

      • a system or application that requests services from a server

      • Sends requests and waits for a response from the server

    • Server?

      • server is a system or application that listens for client requests and provides services

      • Can handle multiple client connections at the same time

    • Client-Server Interaction Process

      • Client Initiates a Request

        • The client sends a request using a protocol such as HTTP, SSH, FTP, etc.
      • Server Receives and processes the requests

        • The server listens on a specific port (80 → HTTP, 22 → SSH)
      • Server sends a response

        • Server processes the request and sends back a response

Configure & secure SSH

  • Secure Shell → a shell provides you with an interface to the Linux system

    • It takes in our commands and passes them to the kernel, which manages the hardware

  • OpenSSH is the package (software) that provides it

  • Its service daemon is sshd → a daemon runs in the background and listens for incoming connections

  • By default, SSH listens on port 22

  • SSH itself is secure, meaning communication over SSH is always encrypted, but some additional configuration can make it more secure still

  • Common Configurations

    • Configure Idle Timeout Interval

      • Avoid having an unattended SSH session; you can set an Idle timeout interval

        • Become root

        • Edit your /etc/ssh/sshd_config file and add the following lines

          • ClientAliveInterval 600

          • ClientAliveCountMax 0

          • # systemctl restart sshd

    • Disable root login

      • Disabling root login should be one of the first measures you take when setting up a system

      • It prevents anyone from logging in over SSH as the root account

        • Become root

        • Edit your /etc/ssh/sshd_config file and change PermitRootLogin yes to PermitRootLogin no

        • # systemctl restart sshd

    • Limit Users’ SSH Access

      • To provide another layer of security, you should limit your SSH logins to only certain users who need remote access

        • Become root

        • Edit your /etc/ssh/sshd_config

          • AllowUsers user1 user2
        • systemctl restart sshd

    • Use a different Port

      • By default, SSH runs on port 22. Most attackers scanning for open SSH servers look for port 22, so changing it reduces the noise from automated scans and makes the system harder to find (it complements, but does not replace, the measures above)

        • Become root

        • Edit /etc/ssh/sshd_config and change the Port line from Port 22 to an unused port number

          • Port 22 → Port <new-port>
        • systemctl restart sshd

    • SSH Keys → Access a Remote server without password

      Two reasons to use key-based access to a remote machine

      • Repetitive Logins

      • Automation through scripts

      • ssh-keygen

      • ssh-copy-id root@<ip>

      • login via

        • ssh root@<ip>

        • ssh -l root <ip>
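Added example (not from the post): a shell function that sets an option in an sshd_config-style file idempotently (replacing an existing or commented-out line, or inserting before the first Match block, since options written after Match apply only to that block), plus a wrapper that applies the settings from this section. The file path and user names are this example’s placeholders. One caveat on ClientAliveCountMax: the post sets it to 0, but since OpenSSH 8.2 a value of 0 disables idle termination entirely, so the wrapper uses 1, which drops the session after one unanswered probe.

```shell
#!/bin/sh
# Added example: idempotent sshd_config edits for the settings in this section.

# set_sshd_option FILE KEY VALUE: make FILE contain exactly one "KEY VALUE" line.
# An existing line for KEY (active or commented out, matched case-insensitively
# the way sshd matches keywords) is replaced in place and later duplicates are
# dropped. If KEY is absent, the line is inserted before the first Match block,
# because anything after "Match" applies only to that block, not globally.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ re { if (!done) { print k " " v; done = 1 }; next }
        tolower($0) ~ /^[ \t]*match[ \t]/ && !done { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner/mode
    status=$?
    rm -f "$tmp"
    return $status
}

# harden_sshd_config FILE USER...: apply the section's settings to FILE,
# allowing SSH logins only for the listed users.
harden_sshd_config() {
    file=$1; shift
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" ClientAliveInterval 600
    # The post uses ClientAliveCountMax 0; on OpenSSH 8.2 and later a value of 0
    # disables idle termination entirely, so 1 gives the intended behaviour of
    # dropping the session after one unanswered probe.
    set_sshd_option "$file" ClientAliveCountMax 1
    set_sshd_option "$file" AllowUsers "$*"
}

# Constructed demo on a scratch copy; on a real host edit /etc/ssh/sshd_config
# and run `sshd -t` before `systemctl restart sshd`.
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'Port 22' \
              'Match User git' '  PasswordAuthentication no' > "$demo"
harden_sshd_config "$demo" alice bob
cat "$demo"
rm -f "$demo"
```

Always run `sshd -t` before restarting the daemon: a syntax error in sshd_config stops sshd from starting and can lock you out of the host. The function only looks for the first occurrence of a keyword, so if that occurrence already sits inside a Match block, review the result by hand.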

System updates and Repos

  • There are two major commands used in system updates

    • dnf → the package manager on newer CentOS/RHEL releases

      • yum → its predecessor on older CentOS releases

      • dnf uses the same repository definition files as yum

      • Repositories defined in /etc/yum.repos.d are still valid

      • A repo definition holds the URL the package can be fetched from

      • So when you run dnf, you are telling the system to go to that URL and fetch the package you want to install (this needs Internet connectivity)

    • apt-get

    • rpm (RedHat Package Manager)

  • Difference between rpm and dnf

    • rpm is used when you already have a package file downloaded on your system; you then install it by running rpm

      • usually used in env. that don’t have internet access

      • rpm doesn’t install other dependencies automatically

      • rpm -qa → Check installed packages

      • rpm -qi → information

      • rpm -qf <fullpath> → Check which command belongs to which package

      • rpm -hiv <path>.rpm → Installation command

      • rpm -e <name> → Remove the package

      • rpm -qc → List configuration files

    • dnf does all the things for you, downloads and installs the package

      • It will install other dependencies as well, alongside

      • dnf install <package-name> → installs, verifies, and cleans up the downloads

      • dnf remove <package-name> → Remove the package

  • chrony → replacement for ntp

  • Two types of upgrades

    • Major version upgrade → from 7 to 8, 8 to 9, etc.

      • cat /etc/os-release → check version

      • cannot be upgraded via the dnf command

    • Minor Version

      • CentOS = 8.1/8.2

      • Red Hat = 9.1/9.2/9.3

      • Stay within the same channel

      • can be done via dnf command

    • dnf update -y → -y answers yes to the prompts, so you are not asked to confirm

    • dnf upgrade → removes the old packages and replaces them with the newer ones

    • dnf update → preserves the old packages; this is considered good practice in case certain applications don’t work with the newer package

Written by

MRIDUL TIWARI

Software Engineer | Freelancer | Content Creator | Open Source Enthusiast | I Build Websites and Web Applications for Remote Clients.