
Linux for Beginners

In these tutorials I am using CentOS 6, a RedHat clone that is almost identical to RedHat, minus the trademarks. You can download and use CentOS 6 for free. CentOS is but one of several distributions (also known as “distros”). I chose it for no other reason than personal preference, and that it is also one of the most popular distributions used and backed by a very large vendor.

Other popular Linux distributions are SuSE, Debian, and the ever popular Ubuntu. Most of the commands and theory we’ll go into in this series work well on all mainstream Linux distributions. You should be able to easily download the distro that takes your fancy. These distros usually come as a bootable ISO installer. The one area that does vary is software installation.

Although Linux does have an optional GUI, very few Linux servers use it. Therefore this tutorial will concentrate on using the CLI to manage the machine. Important point: Please be aware that all Linux commands are lower-case (the switches may not be, though) and Linux is case sensitive.

Using PuTTY

Obviously there is no RDP on the Linux server, so how does an administrator connect to a Linux server in the first instance? It is done by using a secure shell application (SSH). A user can login to the CLI using an SSH client. A very popular and free client I recommend is “PuTTY.”


Download and open the PuTTY client, and fill in the fields for username, password, and server address for the Linux box in question. One suggestion I would make is that if you are really new to Linux, running a test machine in a virtual environment is wise – this way any mistakes don’t result in tears. I can wholeheartedly recommend Virtualbox. This is a very good virtual environment, and even better, it is free to use.

Using Secure Shell

When connecting to the secure shell, an administrator may get errors such as “Incorrect username or password” if they try to login as the root user, the equivalent of the Windows local admin. This is because SSH is designed to be as secure as possible. Without modification, users can only login with non-root credentials and then switch to the root user.


There is an easy fix to the above error. An administrator will need to create a user at the server console or using PuTTY if they have the correct user rights. It is possible to tell immediately if logged in as root because the CLI prompt will have # rather than a ~. The current user can also be gleaned by using the command whoami, which does what it says on the tin: gives the name of the current user.

Create and Add Users

Add the user by typing in useradd followed by the desired login name to create. An example would be useradd sburns. This is followed by a few questions to answer, and finally the user is created. You should now be able to login with PuTTY. Once logged in as the nonprivileged user, the administrator can elevate their privileges to root.

Using su - will allow a user to switch between users, even root, as long as the user knows the relevant password. The command itself is shorthand for “switch user.” As root an administrator can change to any other user by using the command su simon (or su bill or whomever), assuming the password is known. The “-” switch is used to give all the environmental variables. Using su - without specifying a user will assume you want to switch to the root user. There is a file called /etc/sudoers that holds the configuration for su.

So now that we are logged in, let’s cover some rudimentary file system-related items. When logged in as a normal user, you are initially placed in your home directory, which was created when the user was created, as was shown before. Move about the system using the command cd, the same as Windows, but remember that Linux is case sensitive.

 

Using the Linux CLI

With Linux, the backslash becomes a forward slash. To return to your own home directory at any point, just type cd without any arguments. If you are also not sure where you are in the file structure, there is a command called pwd. This command will give the full path to your current location. This is a very useful command, especially if you have many windows open – and double check before using potentially dangerous commands!

Managing Drives with Linux

Linux has no concept of drive letter mappings. Instead drive letters map to what are known as mount points. A very rudimentary example is with CD ROM drives. In Windows, when a CD is inserted, it is mounted as a drive letter. For example, E: This differs in Linux because when you mount a CD, it essentially links the contents of a CD to a folder. Something to bear in mind is that as a rule Linux machines do not auto mount media.

An administrator would have to mount the CD and link it to a folder. Most modern Linux distributions come with a media folder for this purpose. To mount a CD, use the command mount /dev/cdrom /media. Similarly, to dismount a disk, use the command umount /media. This mounting method is not only for CDs but also for USB sticks, hard disks, and most other media, albeit with some occasional options to specify file systems and such.

 


To see what is mounted currently, type the command mount. Standard mounts are stored in the file /etc/fstab. You can modify this file to add additional mount points if you want to add additional storage systems at boot. Pro tips: First, make sure you have a backup (use the command cp /etc/fstab fstab.bak). Second, use the mount -a command to verify the fstab file is still valid before you reboot and find that it isn’t!

Now it might be a good time to introduce you to how most Linux installations are organized from a file and directory perspective.

  • / – root, as in the top level of the disk
  • /home – where users’ home directories and personal data are located
  • /boot – contains important boot files. You will rarely need to go in here
  • /dev – contains pseudo devices that link directly to the hardware
  • /root – root’s home directory, and where root can store its files
  • /etc – contains all the configuration files for pretty much everything: networking, services, and some applications
  • /mount – This folder is used to mount NFS mounts and removable media
  • /var – Contains many system components, logs, and miscellaneous
  • /proc – Holds information about running processes.
  • /bin – Contains program files
  • /sbin – Contains system administration binary files

Useful Linux CLI Commands

When working with files, there are some useful commands you can run to help you manage them, as Linux doesn’t tend to do file extensions. If you want to know what type of file you are looking at, you can use the command file filename, and it will interrogate the file and provide all the information it can gather.

To view human readable files, you can use the cat command. To edit a file, use the nano editor (for example, nano filename).

If you need to find a file, you can use the locate command. For example, to locate redhat-release (this file holds the release information for the RedHat build), use the command locate redhat-release.

Other useful commands we can use right now are df, which gives disk space statistics. Using df -h may prove a better option as it gives sizes in human readable form of megabytes, gigabytes, and such, rather than an unwieldy size in bytes.


If you want to change your password now, you can use the command passwd. Used without any switches, it will allow you to change the password of the user you are logged in as. If you are logged in as root, you can change other people’s passwords by using the passwd command, followed by the username. An example would be passwd stuart.

It is also possible to edit the user setup by use of the command usermod. This will allow you to manage and modify settings on a per-user basis; for example, changing the username or home directory.

Introducing Linux Services

Dealing with Linux services is easy enough. Rather than using task manager and services.msc to configure the host’s services, CentOS uses the command chkconfig to manage the services. (There are other ways to do it, but this is the official RedHat way.)

Listing all the services in CentOS can be done by using the chkconfig command with no switches. This will list all the services that are currently manageable by chkconfig and their current status. To give you an easy breakdown of what is covered, let’s look at the output column by column.


The first column is easy enough to understand and shows the names of the services. Notice the tabular columns of :on or :off. Notice how there are five groups of these, which correspond to what are known in the Linux world as runlevels.

About Linux Runlevels

A “runlevel” is basically a way of saying “The computer is at a known level of configuration.” As the machine boots, it will run from level 0 to 6. Runlevel 6 is reboot and runlevel 0 is power(ed) off. The runlevels from 1 to 5 are where the machine spends most of its time (usually level 3 or 5). Use runlevel 6 only if you want to reboot your server!

Runlevel 3 is important. It is the level that most Linux servers run most of the time. Level 3 is when the server is in multiuser, network-enabled configuration. Level 5 would be the runlevel if we were running a GUI such as Gnome or KDE. As a point of note, runlevel 4 is not actually used in any Linux OS! It is just a historical throwback to when it was first designed.

You can move between runlevels by using the command runlevel followed by the level you want to move to. Using the command by itself will give the current runlevel. Run the command. Notice that there are two columns. The first column is the previous runlevel. An N signifies that no other runlevel has been used, i.e. it has just been booted up into runlevel 3 from a powered off state.

An example of moving runlevel is issuing runlevel 1, which would move the machine into single-user mode, which does not have a live network connection. Be careful of doing this, though, as it will essentially turn off all networking (which only exists at runlevel 3 and above), and if the machine is remote, there will be no access to the machine as the network will be down.

It should start to make sense that each on or off refers to the question of if a service is enabled or disabled at the runlevel mentioned. Use the chkconfig command to change the service runlevels. For example, to turn off postfix, use the command:

chkconfig --level 3 postfix off

Note that this command doesn’t stop the service if it is currently running, it just sets the postfix service to not run at runlevel 3. It is also possible to turn services on using the format above. Do this with any service listed by the chkconfig command, substituting the service name and desired state (on or off).
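The per-runlevel on/off columns can also be read by a script, which helps when reviewing what a server starts at boot. This is an added example, not from the original article; the sample listing and the list of expected services are constructed for illustration.

```sh
#!/bin/sh
# Added example: which services does chkconfig start at a given runlevel?

# Read chkconfig listing lines on stdin; print names of services "on" at LEVEL.
enabled_at_level() {   # usage: chkconfig | enabled_at_level 3
    awk -v want="$1:on" '{ for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# Print services enabled at LEVEL that are not in the expected list
# (space-separated names), i.e. candidates for "chkconfig --level N name off".
unexpected_at_level() {   # usage: chkconfig | unexpected_at_level 3 "sshd crond"
    level=$1
    expected=" $2 "
    enabled_at_level "$level" | while read -r svc; do
        case "$expected" in
            *" $svc "*) ;;          # on the expected list, stay quiet
            *) echo "$svc" ;;       # enabled but not expected
        esac
    done
}

# Constructed sample in the layout chkconfig prints:
# service name, then one N:on or N:off state per runlevel.
sample_listing() {
    cat <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
vncserver       0:off   1:off   2:off   3:off   4:off   5:on    6:off
EOF
}

sample_listing | unexpected_at_level 3 "sshd crond"   # prints: postfix
```

On a real CentOS 6 host, replace sample_listing with chkconfig itself.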

Managing Linux Server Processes

Alongside the services detailed above, a Linux administrator will have to manage the server processes. Root can see all the processes (from all users) running on the system by using the command ps -ef. Another useful command to monitor the system is the top command. Top, as the command implies, gives the process list, ordered by their statistics and resource consumption.

Managing the processes is quite straightforward. To stop (or “kill,” to use the proper term) a process use the command kill followed by the process ID. Sometimes the commands won’t quit. In this case use the command kill -9 followed by process ID, which is basically, “Just kill it and kill it good.”

Top Command

To use the top command, just type top. Top will allow you to see the resources used in the last 5, 10, and 15 minutes. These can be seen in the top lefthand corner under “load average.”

A tip here is that pressing the c key will give you the full path to the process that is running if you need to locate the binary. The top command also shows the process owners and the amount of resources it consumes.

Using the top command it is possible to do some useful troubleshooting. If the load averages are consistently above the number of cores in the system (i.e. a dual core machine with a load of over 2) then the CPU may be taxed beyond its abilities. If the screen shows the WAIT % rising, this also means that the CPU is waiting for CPU time to schedule commands and perhaps it’s not up to the job.

Top will also show what processes are consuming all the resources, to allow you to investigate further.


There are many configuration options available to assist. Press the ? key to see all the configurable options.

To quit top, just use Ctrl + C.

Other Commands

Services are managed by using the service command. To stop a service – apache for example – use the command service httpd stop. To start apache again, use the command service httpd start. If just the current status is needed, use the command service httpd status. To just restart a service, use the restart option, i.e. service httpd restart.


It is worth noting that not all services are listed or respond to the service tool. For example, after-market applications installed outside of the standard installation managers (yum or RPM) can fall foul of this. However, anything installed from within the package manager should adhere to this standard.

Installing Linux Software

Installing software under CentOS is quite straightforward and intuitive. There are two commands for software installation that can be used separately but complement each other. These commands are yum and RPM.

Yellowdog Updater, Modified (yum) is the most-used management tool. It not only allows for the installation of additional software packages but also to manage software installed previously. To start with a really simple introduction to updating the software already installed on the system, we can use the command yum update.

This command will inventory what is installed on the server and check for newer versions of the software. Repositories, or repos, as they are commonly known, are the Linux version of the Windows update stores. A useful switch to include is the -y switch, which means “assume yes to every question.”

Installing additional software is just as easy. The commands you can use to locate and install the packages you want are yum search and yum install.

Using yum search php will give you a list of all items that contain php in the name. To install the software, use the command yum install (yum install php.x86_64, for example). This will then go ahead and install the latest version of php software in the repository.


If you have downloaded an RPM package file, install this using the command yum --nogpgcheck localinstall package.rpm. The --nogpgcheck switch means ignore the fact that the RPM package may not be digitally signed.

To install packages outside of the yum repository system, we can use the RPM command: rpm -iv packagename.rpm

The iv switches stand for Install and Verify. Similar switches exist for removal.

What is the difference between the RPM command and yum commands? Yum will try and resolve any dependencies and is more “intelligent.” RPM is a more advanced tool that can do serious damage if used incorrectly.

An Introduction to Linux File System Rights

Although Linux’s file system rights work in a similar fashion to Windows, there are a few differences and gotchas. One big difference is that in Windows a user does not have their own group, but belongs to a default shared group of “Users,” assuming we’re on a standalone Windows system.

Let’s start by taking a look at my home directory. It shows a basic file that I created for this example, testfile.txt. To get the same screen, you’ll need to use “ls -l” on the command line to obtain detailed listing of directory contents as shown below.

Using the Linux LS command to list files in a directory. (Image: Stuart Burns)

Looking at the output of the command, moving from left to right, you see the following characters: r, w, x or -. These are the security attributes for the file. The initial character is either a - or d. The d refers to a directory, which underneath it all is a special file.

After that, there are nine characters that appear to have a lot of repetition of the rights mentioned above. The apparent repetition comes from the fact that this field contains the rights for not only the user who created the file, but also the user’s group and lastly, everyone else, also known as “other.”

Following on with the next two text lines, “stuart stuart” refers to the owner and the group owner of the file, which is usually the same as the creator. The second instance is the group the file belongs to. You may be thinking “They are the same!” Well, they are, kind of. The last two items on the screen shot, going from left to right, perhaps stating the obvious, are the creation date and lastly the file name.

If we look at a Windows server box we can see that the rights, although not identical, are very similar in nature to those offered by Linux. (See below.)

System file permissions settings in Windows Server 2008. (Image: Stuart Burns)

Understanding Linux User ID (UID) and Group ID (GID)

When a user account is created, it is given a User ID (UID) and a Group ID (GID). The UID uniquely identifies the user, while the GID that identifies the group should also be unique. This provides us with the tools needed to grant rights to the UIDs and GIDs.

Each security attribute has a weight or value associated with it. Behind the scenes the weighting goes as follows: Read is 4, Write is 2, Execute is 1, and - has a weighting of zero and effectively means no rights. One thing to note is that if a user does not have execute rights, then they cannot enter the directory.

This is where you might see people who are new to Linux being lazy and using the mindset of  “just get it to work” by giving Linux files the rights mask of 777 (Read, Write and Execute). This lets anyone read, write and execute the file. Needless to say, using 777 is not a good idea in most circumstances, especially on external facing systems.

Changing the rights is quite straightforward, thankfully. If we have a group and we only want them to be able to read and download the file but the owner needs to be able to update it, we can use the following command:

This gives the user read and execute (Remember: Read is 4, Write is 2) permissions and everyone else just read permissions. This can be modified to give different access to different users.

It is also possible to set up default rights on newly created files, both locally on a per user and a group basis. This is done with what is known as a umask. This is usually set to 002 and is in effect subtracted from the initial rights that a file has. It provides a way to control the rights on newly created files.

You can set the umask quite easily by issuing the command umask 002. You would use this command to prevent files from being made executable by default, as an example. Each column maps to the User, Group and Other.
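The weights, the umask and the 777 warning above can be worked through in a short script. This is an added example, not part of the original article; the function names are made up for illustration and the test files are created in a throwaway directory.

```sh
#!/bin/sh
# Added example: read-4 / write-2 / execute-1 weights, umask, and a 777 audit.

# Turn one octal digit (0-7) into its rwx triplet.
digit_to_rwx() {
    out=""
    if [ $(($1 & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Turn a three-digit mode such as 644 into rw-r--r-- (user, group, other).
mode_to_rwx() {
    u=${1%??}; rest=${1#?}; g=${rest%?}; o=${rest#?}
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# Rights a new item ends up with: the umask bits are cleared from the
# starting mode (666 for files, 777 for directories). Both arguments octal.
apply_umask() {   # usage: apply_umask 666 002
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# List regular files under DIR that "other" may write to (777, 666, ...).
find_world_writable() { find "$1" -type f -perm -0002 2>/dev/null; }

# Demo on constructed files in a throwaway directory.
demo=$(mktemp -d)
: > "$demo/lazy.sh";   chmod 777 "$demo/lazy.sh"
: > "$demo/notes.txt"; chmod 644 "$demo/notes.txt"
echo "777 = $(mode_to_rwx 777), 644 = $(mode_to_rwx 644)"
echo "new file with umask 002: $(apply_umask 666 002)"
echo "world-writable files:"; find_world_writable "$demo"
rm -rf "$demo"
```

Running find_world_writable over a web root or a shared folder is a quick way to spot files left at 777.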

Linux Primary and Secondary Groups

In Linux, there are two types of groups, primary and secondary. Rarely will you want to modify the primary group. When you create a file, by default, the file created has your UID as the default group. The following is a simple command that shows which groups a user belongs to:

For a more involved example, let’s say we want to run a fictitious accounts department. We want our group of accountants to be able to edit and update the files, and the files to be owned by the group rather than individuals. The following steps describe how to do this:

1. Create a new group and give it a name. I am creating a shared folder in the root directory, imaginatively called “shared” using the command mkdir /shared (Note: I realise that in a production environment the server should not be on, and I recommend giving it its own partition.)

2. Next, add a new group. To add the group, use the command as shown below:

A user can be a member of several groups. An example would be “id stuart” as it’s shown in the graphic below.

3. Next, it’s a good idea to remove the “Other” rights from /shared. As you know from previous installments in this articles series, the command we need is chmod, so type:

Notice in the screenshot that we have an entry in the /etc/group file.

Adding users to group using the Linux CHMOD command. (Image: Stuart Burns)

4. Now we need to add users to the new group. Use the usermod command to do this. The -a is important. If you leave it out, then you’ll end up changing the users’ primary group!

5. You can add several users in one command, chaining one user after the next. If we let a user create files that would mean that the file owner would be the individual owner in both the UID and GID. Fixing that problem is quite straightforward. Again, we fall back to using the chmod command:

This is known as a Set Group ID (SGID). This lets us create files in the folder, and the file inherits the group rights. Lastly, the following command prevents deletion of files by anyone except the owner.

 

Output from the LS -L command. (Image: Stuart Burns)
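The shared-folder steps above, put together as one added script with a check of the result; it is not the author's own command listing. The group name accounts, the user names and the combined mode 3770 are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: group-owned shared directory (setgid + sticky), with a check.
# "accounts", "stuart" and "simon" below are placeholders.

# Root-only part: create the group if needed, then add each user to it.
# -a appends the group to the secondary groups the user already has.
create_group() {   # usage (as root): create_group accounts stuart simon
    grp=$1; shift
    getent group "$grp" >/dev/null || groupadd "$grp" || return 1
    for u in "$@"; do
        usermod -a -G "$grp" "$u" || return 1
    done
}

# Hand DIR to GROUP with mode 3770:
#   2000 setgid -> files created inside inherit the directory's group
#   1000 sticky -> only a file's owner (or root) may delete it
#    770        -> owner and group get rwx, "other" gets nothing
secure_shared_dir() {   # usage: secure_shared_dir /shared accounts
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 3770 "$1"
}

# Print the 10-character mode field that ls -l shows for DIR.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Succeed only if a file created in DIR ends up with DIR's group (numeric GID).
inherits_group() {
    probe="$1/.inherit_probe.$$"
    : > "$probe" || return 1
    dir_gid=$(ls -ldn "$1" | awk '{print $4}')
    file_gid=$(ls -ln "$probe" | awk '{print $4}')
    rm -f "$probe"
    [ "$dir_gid" = "$file_gid" ]
}

# Demo without root: a throwaway directory and the caller's own primary group.
demo_root=$(mktemp -d)
secure_shared_dir "$demo_root/shared" "$(id -g)"
echo "$(mode_string "$demo_root/shared") $demo_root/shared"
inherits_group "$demo_root/shared" && echo "new files inherit the directory's group"
rm -rf "$demo_root"
```

The s in the group triplet and the T at the end of the mode field are what to look for in ls -l output when checking an existing shared folder.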

You may be wondering about the chmod commands that we used. Now that you understand how the rights work, there is a shortcut you can use. If you want to do simple modifications, for example adding the execute right to the group, you can use the command:

You can vary the use of it to use u for owner, g for group and o for other. Then you can add or remove the rights using a + or a – symbol. Lastly add the rights (r, w or x if you had forgotten) and the filename.

 

In summary, this is a basic introduction to managing files and users in Linux. There are additional things that you can do to make the control more fine grained, but are beyond the scope of this basic file system intro. I would also suggest that you take your time and make sure you get the rights correct as frequently virtual break-ins are related to lax file rights.
