Generic-cli

From wiki.soltec.se

Manpages

Display the different manpages for a command.

$ man -f <cmd to find>

Perform an extensive search for a manpage

$ man -k <cmd to find>

N.B! Info pages support hyperlinks, manpages do not.

STORAGE

List drives and partitions that kernel recognises

$ cat /proc/partitions   

Partitioning tools

  • fdisk | BIOS/MBR systems, 4 primary parts, 3 primary & 1 extended and many logical parts.
  • gdisk | UEFI/GPT systems, Many primary partitions
  • parted | Both BIOS/UEFI, many primary partitions also formats filesystems.

Filesystems

  • ext4 | journaled, 1EiB max, 16TiB filesize and support for SSD.
  • XFS | 8EiB max, 8EiB filesize, Not shrinkable but supports snapshots.

UUID is the preferred way to reference disks in mount configuration, since removing a device (e.g. a USB disk) can change the device paths of the remaining devices.

$ partprobe  | Update partition table and view new partitions after reconfig.
$ blkid      | to display UUID of drive

To configure UUID in fstab, add a line similar to following in </etc/fstab> file.

UUID=<id>    <mtpt>    <fstyp>    defaults    0 0      (fields separated by TAB)
 N.B! The trailing "0 0" are the dump (backup) and filesystem check fields.
 Typical values are:
 "1"    | include in filesystem backup (dump)
 "2"    | lower priority when a filesystem check is performed. NOT for OS disks
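An added example, not from the wiki, that builds the fstab line above from a line of blkid output so the UUID is never retyped by hand. The blkid line and its UUID are constructed sample data; the mount point, mount options and fsck pass number are parameters you choose.

```sh
#!/bin/sh
# Added example: build an /etc/fstab entry from one line of blkid(8) output.
# Fields, in order: device (by UUID), mount point, fs type, options, dump, fsck pass.
# $1: a blkid output line   $2: mount point   $3: mount options (default "defaults")
# $4: fsck pass (default 2 = checked after the root filesystem; 0 = never checked)
fstab_line_from_blkid() {
    blk_line=$1; mtpt=$2; opts=${3:-defaults}; pass=${4:-2}
    # The leading space/colon keeps PARTUUID="..." from matching as UUID="...".
    uuid=$(printf '%s\n' "$blk_line" | sed -n 's/.*[ :]UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$blk_line" | sed -n 's/.*[ :]TYPE="\([^"]*\)".*/\1/p')
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "fstab_line_from_blkid: no UUID or TYPE in: $blk_line" >&2
        return 1
    fi
    printf 'UUID=%s\t%s\t%s\t%s\t0 %s\n' "$uuid" "$mtpt" "$fstype" "$opts" "$pass"
}

# Constructed sample, in the format blkid prints for a partition (not a real device).
SAMPLE_BLKID='/dev/sdb1: UUID="3f0c1b2a-1111-4222-8333-000000000001" TYPE="ext4" PARTUUID="0a1b2c3d-01"'

# Usage: a plain data disk, then the same disk with hardened options and no fsck.
fstab_line_from_blkid "$SAMPLE_BLKID" /mnt/data
fstab_line_from_blkid "$SAMPLE_BLKID" /mnt/data noatime,nodev,nosuid 0
```

On a real host, feed it `blkid /dev/sdX1` output and append the result to /etc/fstab after checking it with `mount -a`.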

Label a filesystem

$ e2label        | to label an ext4 filesystem. (xfs_admin for XFS)
     $ e2label </device> <labelname>
     $ e2label </device>
$ tune2fs        | Display more info about the filesystem incl label info.
     $ tune2fs -l <device>

To configure a “label” in fstab add a line similar to following in </etc/fstab> file.

LABEL=<labelname>    <mtpt>    <fstyp>    defaults    0 0      (fields separated by TAB)

Mounting a filesystem

$ mount -a     | mount all entries in fstab
$ xfs_growfs   | to expand xfs filesystems
N.B! When mounting NFS use the _netdev option to make the mount wait for the network to become active before mounting the filesystem.
     That is, if you are not using automount, which is the better choice.

Mount an smbshare

$ smbclient //<IP>/<share> -U <user>

Use a credentials file such as </etc/samba/credentials> (keep it readable by root only) to store the user name and password, rather than putting them in the fstab file.

On the command line:
$ mount -t cifs -o username=<user> //<IP>/<share> <mtpt>
In fstab:
//<IP>/<share>  <mtpt>  cifs  rw,credentials=/etc/samba/credentials  0 0

Disks/PV/VG/LV info

Display a more readable output of disks/vols/mountpoints on Linux

  # lsblk -i

Physical Volumes

  # pvscan
  # pvdisplay

Volume Groups

  # vgscan
  # vgdisplay
  # vgchange
  # vgrename
  # vgs

Logical Volumes

  # lvscan
  # lvdisplay
  # lvchange
  # lvs
  # lvresize
  # lvextend
  # lvreduce
  # lvrename

Rename Root Vol

To rename the root volume group, boot from a live ISO or CD-ROM,
log in and run the following

# vgrename <old-vg> <new-vg>

Mount the root disk & required sub filesystems

# mount /dev/<new-vg>/<root-lv> /mnt
# mount --bind /proc /mnt/proc/
# mount --bind /sys /mnt/sys/
# mount --bind /dev /mnt/dev/
# mount /dev/sda1 /mnt/boot/
# chroot /mnt

Edit the fstab and grub files

# sed -i 's/<old-vg>/<new-vg>/g' /etc/fstab
# sed -i 's/<old-vg>/<new-vg>/g' /etc/default/grub

Use grub2-mkconfig

# grub2-mkconfig -o /boot/grub2/grub.cfg

Create new kernel initramfs/initrd image file using a specific kernel version.

# dracut --force --kver <choose kernel vers>

Tip! Run uname -r to show the active kernel version, or look in </boot> for the available kernel versions.

Use the following to check the content of the new initramfs/initrd image.

List the entire content
# lsinitrd <path-to-image>

View a specific file from the image
# lsinitrd -f /etc/fstab <path-to-image>

Exit the chroot, unmount & reboot

# umount -f /mnt
# shutdown -h now

Remove cdrom/ISO and reboot.

GRUB

The grub boot loader files for BIOS-based systems are located in </boot/grub2>; </boot/grub2/grub.cfg> is the configuration file.

To modify the way Linux boots, edit </etc/default/grub>. After you've made changes to this file and saved them, you'll need to run

    $ grub2-mkconfig -o /boot/grub2/grub.cfg

which regenerates the boot loader configuration from it.

On UEFI systems the boot loader config is stored in the </boot/EFI/EFI/cintas/grub.cfg> file

N.B! grub2-mkconfig is also run automatically whenever a new kernel is installed.
DNF will allow uninstalling of the active kernel. Yum won't allow this.
The DNF configuration file is </etc/dnf/dnf.conf>.
Set installonly_limit there to control how many kernels are kept and stop the active kernel from being uninstalled.

On the cli use the following to uninstall all but the last two kernels.

The following uses dnf repoquery to get a list of the installed kernels older than the two newest
and passes that list to dnf remove.
   $ dnf remove $(dnf repoquery --installonly --latest-limit=-2 -q)

Set default kernel
    $ grub2-set-default 1
    $ grub2-mkconfig -o /boot/grub2/grub.cfg

Insert current kernel version into a command
   $ ls /lib/modules/$(uname -r)/kernel

RPM

Find out what pkg a file belongs to

  # rpm -qf <path-to-file/cmd>

Find out if a file was installed as part of a pkg

  # rpm -qf /usr/lib/libXp.so.6

List path to files for yum

  # rpm -ql yum

Display system-wide config files for a cmd

  # rpm -qcf /bin/bash

Check contents of RPM

  # rpm -qlp RPMTOPDIR/RPMS/x86_64/<name-of-pkg>.rpm

To view different architecture version of a pkg

  # rpm -q --queryformat "%{name}.%{arch}\n" pdksh-5.2.14-36.el5

Display a pkg group

  # rpm -qg "System Environment/Shells"

Display when pkgs installed

  # rpm -qa --last

Display all documentation for a pkg

  # rpm -qd yum    | doc files

Display all configuration files for a pkg

  # rpm -qc yum    | cfg files

Display all docs for a command

  # rpm -qdf /bin/bash

Display which pkgs install bash

  # rpm -q --provides bash

Display dependencies on the bash pkg

  # rpm -q --requires bash

Display all changes made to pkg

  # rpm -q --changelog bash

Display info about a specific package.

  # rpm -qip <pkgname>

Display info about files to be installed from a pkg

  # rpm -qlp <pkgname>

N.B! the 'p' option queries a downloaded pkg file and not the rpm database.

RPM TAGS

Display all pkg tags in this OS version
  $ rpm --querytags
Display the permission modes of all files in the bash package
  $ rpm -q --qf "[%{FILEMODES} %{FILENAMES}\n]" bash
To format the permissions more readably, add the :perms formatting modifier.
  $ rpm -q --qf "[%{FILEMODES:perms} %{FILENAMES}\n]" bash

N.B! To display a list of other query format modifiers use the RPM manpage and search for query options.

GREP

grep for soltec at the start of a line

  # grep "^soltec"

grep for soltec at the end of a line

  # grep "soltec$"

Ignore all systemd messages

  # grep -v 'systemd' /var/log/messages
  -v inverts the match

Ignore multiple expressions using egrep

  # egrep -v 'systemd|NetworkManager' /var/log/messages


YUM

to install all pkgs listed in a file

  # yum install $(< test.txt) 
  # yum -y install $(cat list)

Display history

  # yum history
  # yum history info
  # yum history list

Configure & use YUM to download packages to local repo

Create a dir
  $ mkdir /tmp/yumdownloads

Install the yum Download-only plugin
  $ yum -y install yum-plugin-downloadonly

Execute YUM to download pkg(s)
  $ yum install --downloadonly --downloaddir=/tmp/yumdownloads httpd

DNF

YUM has been rewritten as DNF. The yum command is legacy but still works, as it is now a wrapper around DNF.

DNF can use software groups to install all pkgs required for e.g. a desktop, development tools etc.

   $ dnf group list
   $ dnf group list hidden
   $ dnf group info "Development Tools"

Display all versions of a pkg

    $ dnf --showduplicates list xfsprogs

Display pkgs that have upgrades available

    $ dnf list --updates

Upgrade a pkg (find pkg from updates command)

    $ dnf upgrade <pkgname>

Display pkgs that are available in the repo but not installed

    $ dnf list --available

Display pkgs that have been replaced by other packages

    $ dnf list --obsoletes

Display pkgs dependencies

    $ dnf deplist <pkgname>

Search for a package

    $ dnf search <search string>

To search even in pkg metadata

    $ dnf search all <search string>

Display which pkgs utilise a specific command

    $ dnf provides <cmd string>

Install a pkg over an existing pkg (similar to upgrading)

    $ dnf reinstall <pkgname>

Remove any unused dependencies in system i.e. if not used by other pkgs

    $ dnf autoremove

Remove a package and dependencies i.e. if not used by other pkgs

    $ dnf autoremove <pkgname>

Disable a pkg from being upgraded by installing version lock plugin

    $ dnf install python3-dnf-plugin-versionlock

To lock a specific kernel version

    $ dnf versionlock add <kernel-version>

To lock the current kernel version

    $ dnf versionlock add kernel

Display pkgs that are versionlocked

    $ dnf versionlock list

Clear pkgs that are versionlocked

    $ dnf versionlock clear
    $ dnf versionlock delete <locked pkg from list output>

Configuration files when a pkg is upgraded

  • Configuration files may be renamed when a new package is installed.
  • If the system administrator has not modified a configuration file, then the config file is overwritten.
  • If the system administrator has modified the configuration file, then the modified configuration file is saved with a .rpmsave or .rpmorig extension, and the new configuration file from the package is put in place.
  • The .rpmsave extension is used if the file was installed from a previous rpm package.
  • The .rpmorig extension is used if the file came from a non-rpm source. This would happen if you installed from source code and then later moved on to an rpm package.
  • If the administrator has modified the configuration file, and the package maintainer marked it noreplace in the package, then the new configuration file is saved with a .rpmnew extension and the original configuration is left in place. When installing with dnf and rpm, you will see a message telling you which operation was done.

Display changelogs

    $ dnf changelog
    $ dnf changelog upgrades


VI/Vim

 dG     |delete from current line to end of file
 d1G    |delete to top of file, including current line
 dgg    |delete from current line to start of file
 G      |go to last line in file
 1G     |go to first line in file
 0      |go to start of line
 $      |go to end of line
 :e!    |re-edit the file, discarding the changes made since the last save
 :set number    |display line numbers
 :color desert  |change the display colours

 N.B! If you want to know where you are in the file use the "CTRL-G" command;
      the cursor position is also shown continuously in the status line.
 ctrl r       |undo changes
 cl, cw, cc   |cut letter, word, line
 yl, yw, yy   |yank letter, word, line
 dl, dw, dd   |delete letter, word, line
 gu           |make lowercase
 gU           |make uppercase

Copy/Cut Blocks of text

Press v to select characters
Press V to select whole lines, or Ctrl-v to select rectangular blocks (use Ctrl-q if Ctrl-v is mapped to paste).
Press d to cut (or y to copy)

Yank

yy or Y  |yank the current line, including the newline character at the end of the line
y$       |yank to the end of the current line (but don't yank the newline character)
yiw      |yank the current word (excluding surrounding whitespace)
yaw      |yank the current word (including leading or trailing whitespace)
ytx      |yank from the current cursor position up to and before the character (til x)
yfx      |yank from the current cursor position up to and including the character (find x)

N.B! Many people like to remap Y to y$, in line with C and D.

For more info on e.g. multiple copying, or copy and paste between two instances of Vim, see the external page "Vi/Vim Copy, Cut and Paste".

Copy/Move data

To move data on the same system, use the following:

  # cd dir1 && tar -cf - . | (cd dir2 && tar -xpvf -)
  dir1 is the directory you want to copy.
  dir2 is the directory in which you want the copy to go.
  This tars the current directory to STDOUT, then changes directory
  and untars the archive, without ever having to find the space for a .tar file.

Use the following to do this across systems via ssh:

  # cd dir1 && tar -cf - . | ssh system2 "cd dir2 && tar -xpvf -"
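An added example, not from the wiki, that wraps the tar pipe above in a function and checks, on a constructed tree in a temporary directory, that both file contents and a restrictive 640 file mode survive the copy. The directory and file names are constructed; the ssh form in the notes is the same pipe with the extracting subshell run remotely.

```sh
#!/bin/sh
# Added example: copy a directory tree with a tar pipe, never writing a .tar file.
# $1: source dir, $2: target dir (created if missing). The extracting side uses -p so
# the modes recorded in the stream are kept instead of being filtered by the umask.
tar_copy_tree() {
    [ -d "$1" ] || { echo "tar_copy_tree: $1 is not a directory" >&2; return 1; }
    mkdir -p "$2" || return 1
    ( cd "$1" && tar -cf - . ) | ( cd "$2" && tar -xpf - )
}

# Mode of a file in octal: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Self-check on a constructed tree: returns 0 when contents and a restrictive
# file mode survive the copy, 1 otherwise (so it can gate a larger script).
tar_copy_selfcheck() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/sub"
    printf 'constructed sample content\n' > "$work/src/sub/secret.txt"
    chmod 640 "$work/src/sub/secret.txt"      # restrictive mode we expect to keep
    tar_copy_tree "$work/src" "$work/dst" || { rm -rf "$work"; return 1; }
    status=0
    diff -rq "$work/src" "$work/dst" >/dev/null || status=1
    [ "$(mode_of "$work/src/sub/secret.txt")" = "$(mode_of "$work/dst/sub/secret.txt")" ] || status=1
    rm -rf "$work"
    return $status
}

# Usage
tar_copy_selfcheck && echo "tar pipe copy preserved content and modes"
```

Without -p on the extracting side a non-root user gets the archived modes filtered through the current umask, which is exactly the silent change a backup copy should not introduce.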

RSYNC Slash or no Slash

  • Without a trailing slash on the source directory, rsync copies the directory itself and its contents (recursively if specified) into the destination directory.
  • With a trailing slash on the SRC directory, rsync copies only the contents of the SRC directory, recursively if specified, to the destination.
$ rsync /<dir>    | copies the dir
$ rsync /<dir>/   | copies the content of the dir.

RSYNC v RSYNCD

Use rsyncd instead of plain rsync to have the target system do the work of copying the data instead of the source server.

Process Mgt

Nice/Renice

The nice and renice commands let you fine-tune how the kernel treats your processes by adjusting their priorities.

  • Every process has a nice value.
  • The nice value is an integer in the range of -19 to 20.
  • All standard processes are launched with a nice value of zero.
  • A high nice value tells the kernel that this process is happy to wait.
  • The larger the negative nice value, the more selfish the process is.
  • Use the nice command to set the nice value when a process is launched
  • Use renice to adjust the nice value of a running process.

Run top to view the nice value of your application/process.

In the top console the nice value is the figure in the "NI" column. A zero value is expected.

Start an application with a non-default “nice” value

$ nice -15 ./httpd
    N.B! To give a negative nice value you must type two "-" characters.

Set a new value on-the-fly with renice

$ renice -n 5 PID
    N.B! there is no "-" on the 5 parameter. You don't need one for positive numbers,
         and you only need one, not two, for negative numbers.

Renice a PID value whilst in top

  • From the top console You press “r” to change the nice value (priority) for a process.
  • You’ll be prompted for the process ID.
  • Just press Enter to use the process ID of the task at the top of the process window.

See the external page "How to Set Process Priorities With nice and renice on Linux".

SSH

Here are two links to great sites that explain SSH, public & private keys, ssh-agent etc.

  • Using ssh-agent forwarding
  • ssh-agent forwarding

Client cfg file

  • /etc/ssh/ssh_config

Server cfg file

  • /etc/ssh/sshd_config | main cfg file i.e use this first
  • /etc/sysconfig/sshd | secondary cfg file

Copy SSH keys to remote host

$ ssh-copy-id <hostname>

Add your ssh keys to ssh-agent

$ ssh-add

Piping a command through an SSH tunnel

$ cat <filename> | ssh <IPnr> "cat - >> <dir>/<file>"
An example is to perform a bit-by-bit copy of one drive to another over the network:
$ dd if=/dev/sdb | ssh <IPnr> "dd of=/dev/sdb"

SCP

-P    | change port to use
-p    | preserve perms (not file ACLs or SELinux context)
-c    | change the default cipher (arcfour is quick but only for use on private networks; current OpenSSH releases no longer offer it)
-r    | recursive copy.
-C    | enable compression (only helps on uncompressed files)

RSYNC

good for system backups

$ rsync -av -HAX --progress <Src dir> <hostIP>:<Tgt dir>
-a         | recursive & preserve perms (Not File ACLs or SELinux context)
-v         | verbose
-HAX       | Hardlinks, ACLs, Extended Attributes (SELinux security context)
--progress | Display transfer progress

Options
--dry-run            | test the cmd before execution
-e "ssh -p 1022"     | passes the ssh option of port 1022 to the rsync cmd

Copy dirs or files?

$ rsync /<dir>    | copies the dir
$ rsync /<dir>/   | copies the content of the dir.

Date/time/NTP

Display systemclock, timezone and ntp status

$ timedatectl

Edit the time settings using timedatectl

$ timedatectl list-timezones
$ timedatectl set-timezone <e.g. CET>
$ timedatectl set-time <YYYY-MM-DD>
$ timedatectl set-time <HH:MM:SS>
$ timedatectl set-ntp true

Change the hostname

$ hostnamectl set-hostname "new hostname"

AT/Cron

$ at now +15mins
       at> mkdir /apa          --> Ctrl-D to save
$ atq                  | display queued at jobs
$ at -c <jobnr>        | display the content of the job
$ atrm <jobnr>         | delete the job
$ batch
       at> mkdir /apa          --> Ctrl-D to save

N.B! batch jobs are only executed when the system load average is below 0.8

For a crontab generator, see the external page "Crontab Generator".

Modules

   $ modprobe
   $ modprobe -r
   $ modprobe -vr

Auto-loading

To auto-load modules

add a file with the extension <.conf> to the dir </etc/modules-load.d> and
add the module name to that <.conf> file (one module name per line).

Blacklisting

Blacklist a module to stop it loading at boot.

Create a file </etc/modprobe.d/<filename>.conf>
Add the line "blacklist <module-name>" to the .conf file.

Users

Configuration files

/etc/login.defs       | contains info for passwd ageing, actions to perform when administering users IDs.
/etc/default/useradd  | contains default actions when creating users, e.g. shell, homedir path etc.
/etc/skel             | contains files copied to users homedir by default.
/etc/pam.d            | contains cfg files for pluggable authentication modules.

/etc/security/pwquality.conf   | Set the passwd quality policy by editing this conf file
$ userdel "username"     | to delete a user but preserve the homedir
$ userdel -r "username"  | to delete the user and the homedir.
$ usermod
  -a      | append to existing settings, used when using the -G option for supplemental groups.
  -l      | change login name
  -L/-U   | Lock or unlock an account, N.B! doesn’t stop login if user uses ssh-keys.
$ passwd
   -d    | deletes passwd
   -e    | expires passwd
   -l    | locks passwd   (not effective if ssh keys used)
   -u    | unlocks the passwd
   -S    | passwd status

N.B!  In the /etc/shadow file a “!!” in the password field means that the password for the user has not been set yet.

Account aging for existing users

$ chage     | change user password expiry information
  -l        | Display acct aging info

  N.B! If no options are selected, $ chage operates in an interactive fashion, prompting the user with the current values for all of the fields.

$ chage -d 0 "username"             | Forces the user to change passwd at next login.
$ chage -E 2022-01-01 "username"    | Set the expiration date for the user's account

  N.B! If the account expires the user can no longer login even with ssh-keys.

$ chage -M "xx" "username"          | Set the max number of days between passwd changes.
$ chage -I "xx" "username"          | Set the number of days an account can be inactive before it's locked.

$ chage -I -1 -m 0 -M 99999 -E -1 "username"    | Remove all passwd aging for a user. Used for service users.

$ chage -W "xx" "username"          | Set the number of days of warning before a password change is required.
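To make the "!!" convention and the aging fields concrete, the added example below (not from the wiki) classifies accounts from shadow(5)-formatted lines: it flags entries with no password set, locked entries, and prints the max-age and expiry fields that chage manages, then lists the entries a reviewer should look at. The five lines are constructed sample data with placeholder hashes, not a real shadow file.

```sh
#!/bin/sh
# Added example: audit shadow(5)-formatted lines read from stdin. Field order is
# name:hash:lastchange:min:max:warn:inactive:expire:reserved (day counts since 1970-01-01).
# Prints "user state max-days expire-day" per entry, where state is one of
#   nopass  - "!!" or empty hash field: no password has been set (RHEL convention)
#   locked  - hash starts with "!" or "*": password login disabled (ssh keys still work)
#   hashed  - a password hash is present
shadow_audit() {
    while IFS=: read -r user hash last min max warn inact expire reserved; do
        [ -n "$user" ] || continue
        case "$hash" in
            '!!'|'')   state=nopass ;;
            '!'*|'*'*) state=locked ;;
            *)         state=hashed ;;
        esac
        printf '%s %s %s %s\n' "$user" "$state" "${max:--}" "${expire:--}"
    done
}

# Only the entries that deserve attention: no password set, or a password with no
# aging at all (max 99999 and no expiry), which is what "chage -M 99999 -E -1" leaves.
shadow_findings() {
    shadow_audit | awk '$2 == "nopass" || ($2 == "hashed" && ($3 == 99999 || $3 == "-") && $4 == "-")'
}

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$constructed$notarealhash:19000:0:99999:7:::
svc_backup:$6$constructed$notarealhash2:19000:0:99999:7:::
newuser:!!:19000:0:99999:7:::
oldadmin:!$6$constructed$locked:18500:0:90:7:30:19400:
nobody:*:18000:0:99999:7:::'

# Usage on the sample (on a real host, as root: shadow_audit < /etc/shadow).
shadow_audit_sample()    { printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit; }
shadow_findings_sample() { printf '%s\n' "$SAMPLE_SHADOW" | shadow_findings; }
shadow_audit_sample
echo "--- findings ---"
shadow_findings_sample
```

The "locked" state only says password login is disabled; as the note on usermod -L above says, an authorized_keys file still lets the user in, which is why an expiry date (chage -E) is the reliable way to shut an account.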

Groups

Two commands to add users to a group

$ gpasswd -a "username" "groupname"      | this is group centric, i.e. add a user to a group. Can add several users at once.
$ usermod -a -G "groupname" "username"   | this is user centric, i.e. add a group to the user's settings. Executed per user.

Set passwd for the group access for users outside of group

$ gpasswd "groupname"

Add a group temporarily as a user's primary group.

$ groups
$ newgrp "groupname"
$ groups

$ gpasswd -d "username" "grpname"   | to delete a user from a group
$ gpasswd -A "username" "grpname"   | to add an admin user for a grp.
$ groupmod

How to ID yourself

$ logname       | ids who you logged in at start of session
$ whoami        | Id who you are now at present.

Add users to the "wheel" group to elevate privileges for all commands.

$ useradd -u 1100 -s /bin/ksh -G wheel "username"
$ gpasswd -M "user1","user2","user3" "grpname"    | Quicker than usermod as it's performed from the grp, not the user, perspective. N.B! -M replaces the whole member list.
$ gpasswd "groupname"                             | Add the passwd for the group. Group members won't need to enter the passwd.
$ chage -E <YYYY-MM-DD> -W 5 "username"           | Configure the user acct to expire on the given date (e.g. 90 days ahead) with a warning msg sent 5 days before the expiry date.

Perms & ACL

To configure with symbolic perms

$ chmod u=rwx,g=rx,o= "filename"
u=rwx   owner gets rwx
g=rx    group gets rx
o=      "nothing" sets the perms to null for other

Changing permissions is easier to do with symbolic rather than numerical mode.

You only need to know what you want to add. If you use numerical then you need to know all of the permissions.

$ chmod u+rwx "filename"     | set rwx for the owner
$ chmod u-x "filename"       | remove execute rights for the owner
$ chmod ugo-x "filename"     | remove exec for user, group and other
$ chmod a-x "filename"       | remove exec for user, group and other

UMASK

$ umask       | display numeric values
$ umask -S    | display symbolic values

N.B! A umask can have 3 or 4 digits.

Directories (DIRs) - The max initial dir perms are 777; the UMASK bits are removed from that to give the initial dir perms (777 - 022 = 755 | rwx,rx,rx)

777   (initial dir perms)
-022  (UMASK)
-----
755 | rwx, rx, rx

Files - The max initial file perms are 666; the UMASK bits are removed from that to give the initial file perms (666 - 002 = 664 | rw,rw,r)

To temporarily change the UMASK

$ umask 0002

Users can change their own umask in the ".bashrc" cfg file.

To configure the umask system-wide for users change/create "/etc/profile.d/umask.sh":

if [ "$UID" -ge 1000 ]; then
   umask 0002
fi
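The subtraction in the umask notes above is shorthand for clearing bits, and for a mask such as 077 plain subtraction gives nonsense (666 - 077 is not an octal mode, while 666 with the 077 bits cleared is 600). The added example below, which is not from the wiki, does the mask arithmetic the way the kernel does, renders the result in the rwx form that umask -S uses, and cross-checks the prediction against a file actually created under that umask in a temporary directory.

```sh
#!/bin/sh
# Added example: umask is a bit mask applied to the base mode (777 for dirs, 666 for
# files): result = base AND NOT mask. That equals subtraction only when every mask bit
# is set in the base. $1: base mode, $2: umask, both octal (3 or 4 digits).
mode_after_umask() {
    base=$(( 0$1 ))        # leading 0 makes the shell parse the value as octal
    mask=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# Render an octal mode as rwxr-xr-x style text, the form "umask -S" and ls use.
mode_to_symbolic() {
    m=$(( 0$1 )); out=""
    for pos in 6 3 0; do
        bits=$(( (m >> pos) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Cross-check the arithmetic against the kernel: create a file under umask $1 in a
# temporary directory and compare its real mode with the prediction. Prints "ok".
verify_umask_on_disk() {
    work=$(mktemp -d) || return 1
    predicted=$(mode_after_umask 666 "$1")
    ( umask "$1" && : > "$work/probe" )
    actual=$(stat -c '%a' "$work/probe" 2>/dev/null || stat -f '%OLp' "$work/probe")
    rm -rf "$work"
    if [ $(( 0$actual )) -eq $(( 0$predicted )) ]; then
        echo ok
    else
        echo "mismatch: kernel gave $actual, predicted $predicted"
        return 1
    fi
}

# Usage: the worked numbers from the notes above, plus the 077 case.
for pair in "777 022" "666 002" "666 022" "666 077"; do
    set -- $pair
    printf 'base %s umask %s -> %s (%s)\n' "$1" "$2" "$(mode_after_umask "$1" "$2")" \
        "$(mode_to_symbolic "$(mode_after_umask "$1" "$2")")"
done
verify_umask_on_disk 077
```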

To set bits on files

  • Set the user ID bit (SUID) to run/execute as the owner of the file
  • Set the group ID bit (SGID) to run/execute as the group owner of the file
  • Set the Sticky bit to keep the file in swap and increase execution performance, but this is NOT applied in RHEL/CentOS, so there is no point in setting it on files.
The bit values
SUID = 4
SGID = 2
Sticky = 1

e.g.
 4755 would set the suid bit "rws r-x r-x" on file permissions.
 2755 would set the sgid bit "rwx r-s r-x" on file permissions.

Numeric:  $ chmod 2755 "filename"
Symbolic: $ chmod g+s "filename"

SUID

rws   |Lowercase "s", the user execution bit is also set, i.e when run the privileges are elevated to that of the owner
rwS   |Uppercase "S", the user execution bit is NOT set

SGID

r-s    |Lowercase "s", the group execution bit is also set i.e when run the privileges are elevated to that of the group
r-S    |Uppercase "S", the group execution bit is NOT set

To locate files with SUID bits configured

$ find / -perm -4000

To locate files with SGID bits configured

$ find / -perm -2000
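The two find commands above are the raw audit; what a defender usually wants is the delta against a known-good list, so that a set-UID binary that was not there before stands out. The added example below (not from the wiki) lists set-UID/set-GID files below a directory and compares them with a saved baseline; its self-check builds a constructed tree in a temporary directory, so nothing on the real system is touched.

```sh
#!/bin/sh
# Added example: audit set-UID / set-GID files. -perm -4000 matches files that have
# the set-UID bit in addition to any other bits; -xdev stays on one filesystem.
# $1: directory to scan. Prints one "ls -ld" line per file.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Print set-UID/set-GID paths below $1 that are NOT listed in the baseline file $2
# (one path per line). An empty result means nothing new appeared since the baseline.
new_setid_files() {
    now=$(mktemp) || return 1
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort > "$now"
    sort "$2" | comm -13 - "$now"     # lines only in "now" = not in the baseline
    rm -f "$now"
}

# Self-check on a constructed tree: two set-id files, one of them already in the
# baseline. Prints "<total set-id files> <new since baseline>".
setid_selfcheck() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/bin"
    for f in helper_suid helper_sgid plain; do : > "$work/bin/$f"; done
    chmod 4755 "$work/bin/helper_suid"
    chmod 2755 "$work/bin/helper_sgid"
    chmod 0755 "$work/bin/plain"
    printf '%s\n' "$work/bin/helper_suid" > "$work/baseline.txt"
    total=$(list_setid_files "$work" | wc -l | tr -d ' ')
    new=$(new_setid_files "$work" "$work/baseline.txt" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$total $new"
}

# Usage: save a baseline once on a known-good system, then diff against it later.
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort > /root/setid.baseline
#   new_setid_files / /root/setid.baseline
setid_selfcheck
```

Keep the baseline file off the audited host (or at least root-owned and read-only); a baseline an attacker can edit proves nothing.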

To set bits on dirs

  • Setting the user ID bit (SUID) on dirs has no effect.
  • Setting the groupID (SGID) provides group inheritance on the dir
  • Setting the Sticky bit on a dir allows only owners to delete their own files.
  • When setting the SGID on dirs, it will help with group collaboration work.
$ chmod 2755 "dir"

When a file is created in that dir

  • any user that is a member of the group can create a file and will be the owner
  • the group GID of the file will be for the group and thus anyone in the group will be able to r-x any file.
  • Good for collaboration areas.


Setting the Sticky bit on a dir is shown by a "t" in the exec position of the "other" perms.

$ chmod 1777 "dir"
drwxrwxrwt  "dir"

This is used to keep users from deleting or moving each other's files.

$ chmod 777 "dir/filename"

So even with 777 file perms any user other than the owner will NOT be permitted to delete the file.

N.B! The sticky bit is mainly used for the "/tmp" dir.

ACLs

ACL file/dir symbols

t   |Sticky bit is set on a dir
+   |Indicates an ACL is set on the file
s   |The group/owner execution bit is set
S   |The group/owner execution bit is NOT set

Easy to assign users and groups the correct perms for files and dirs. ACLs are used above file/dir permissions.

$ getfacl "filename"

Use the tabular format to display more readable output

$ getfacl -t "filename"

To set a facl for a user on a file exec the following

$ setfacl -m user:"user":"perms" "filename"

To set a facl for a group on a file exec the following

$ setfacl -m group:"group":"perms" "filename"

To set a facl for both a user and a group on a file exec the following

$ setfacl -m user:"user":"perms",group:"group":"perms" "filename"

OR in shorthand

$ setfacl -m u:"user":"perms",g:"group":"perms" "filename"

Omit the username to set the facl for the file owner

$ setfacl -m user::"perms" "filename"

The character after the file perms is a "+", which indicates an ACL is set on the file

 -rw-rwxr--+ "filename"

To display this run

$ getfacl "filename"

N.B! It will also display a "mask" line showing the maximum effective perms the ACL allows on the file.

To output all file acls to a file

$ getfacl -R "dir" > dir-perms.txt

N.B! ACLs are enabled by default for “/” in CentOS but not for other drives.
  • Standard Linux perms only have one type of inheritance i.e. the SGID on dirs.
  • The files and directories created inside the dir inherit the group owner of the parent directory, which there can only be one of.
  • ACLs go much further as they let files and directories inherit any number of user or group permissions.
  • These ACLs are called default ACLs.
N.B! If you want to allow a user to access a directory, you set a regular ACL on it first. 
If however, you want that user to access all new files and directories inside it, then set a default ACL. 
Usually, you’ll need to do both of these operations.

e.g. normal unix perms allow only for group1 to have perms on dir1. 
By configuring with ACLs the group1 and group2 can have different perms on the same dir.

Default ACLs can only be applied to directories. Set ACL on the dir

$ setfacl -m u:"user":rwx dir1

Set the ACL on all the files in the dir (-R for recursive)

$ setfacl -R -m u:"user":rwx dir1

Create a default (-d) ACL for the user for any files created in the future

$ setfacl -d -m u:"user":rwx dir1

In the getfacl output this will be displayed as

default:user:"user":rwx

Three ways to delete ACLs on files/dirs using $ setfacl

-x   | remove specific ACL
-k   | remove all default ACLs
-b   | remove all ACLs

Examples

$ setfacl -x u:"user" "dirname"/          | Delete a specific ACL
$ setfacl -x "user" "dirname"/            | Just giving a name assumes it is a user's ACL and attempts to delete it
$ setfacl -x default:u:"user" "dirname"/  | Delete a specific default ACL entry
$ setfacl -x g:"groupname" "dirname"/     | Delete the ACL for a group
$ setfacl -k "dirname"/                   | delete all "default" ACLs
$ setfacl -b "dirname"                    | delete all ACLs
$ setfacl -R -b "dirname"/                | delete all ACLs recursively in a dir

Create a dir for 3 users in a group, excluding all other users.

Make sure users can’t delete each others files in the dir and configure for multiple group perms on the dir and files.

  • Users: user1 user2 user3
  • Groups : devel, devtest
$ chown :devel /home/develdir  | Set the group owner to devel.
$ chmod 770 /home/develdir     | Set perms to rwx for owner and group but no rights for other.
$ chmod g+s /home/develdir     | Set the SGID on the dir so new files automatically inherit the group ownership.
$ chmod o+t /home/develdir     | Set the sticky bit on the dir to hinder users from deleting each other's files.
$ setfacl -m g:devtest:rx /home/develdir/    | Allow a second group perms on the dir to traverse it.
$ setfacl -d -m g:devtest:rx /home/develdir/ | Default ACL so the second group gets read/execute on files created later.


Firewalld

IPTABLES can't be running at the same time as it's not compatible.

$ systemctl enable firewalld
$ systemctl start firewalld
$ firewall-cmd --state        | Display status of firewalld
$ firewall-cmd --timeout=60   | Added to a rule change, makes that change expire after 60 s (runtime only, cannot be combined with --permanent). Useful when testing/developing the firewall cfg.
$ firewall-cmd --permanent    | Makes changes persistent/permanent.
    $ firewall-cmd --permanent --add-service=http     | allow ingress traffic
    $ firewall-cmd --permanent --remove-service=http  | stop ingress traffic

Add a port/service

$ firewall-cmd --permanent --add-port=443/tcp        | allow port 443
$ firewall-cmd --permanent --add-port=5901-5910/tcp  | allow VNC port range

Activate any permanent firewalld changes

$ firewall-cmd --reload

List all services that can be configured by name

$ firewall-cmd --get-services

List the services allowed in the current zone by name

$ firewall-cmd --list-services

List the ports allowed in the current zone

$ firewall-cmd --list-ports

Troubleshoot httpd access/permission denied error

$ ausearch -c 'httpd' --raw                            | Dry run first, to double-check the output
$ ausearch -c 'httpd' --raw | audit2allow -M my-httpd  | exec whilst in your home dir
This creates two files, my-httpd.pp and my-httpd.te (the .te is a readable text file).
Read the .te before loading it: audit2allow allows exactly what was denied, which may be more than you intended.
$ semodule -i my-httpd.pp        | make the policy active

An alternative solution is to check the security context cfg of the default Apache DocumentRoot dir.

$ ls -ldZ /var/www/html

Compare to your DocRoot

$ ls -ldZ <path-to-your-DocRoot>

Temporarily change the security context of your DocRoot

$ chcon -R -t httpd_sys_content_t <path-to-your-DocRoot>
   -R for recursive

To make the change permanent. This will only be applied to this DocRoot path not all dirs on device.

$ semanage fcontext -a  -t httpd_sys_content_t “path-to-your-DocRoot(/.*)?”
$ restorecon -R <path-to-your-DocRoot>