Difference between versions of "Generic-cli"
Current version from 29 September 2021 at 08.55
Manpages
Display the different manpages for a command.
$ man -f <cmd to find>
Perform an extensive search for a manpage
$ man -k <cmd to find>
N.B! Info pages support hyperlinks; manpages do not.
STORAGE
List drives and partitions that kernel recognises
$ cat /proc/partitions
Partitioning tools
- fdisk | BIOS/MBR systems, 4 primary parts, 3 primary & 1 extended and many logical parts.
- gdisk | UEFI/GPT systems, Many primary partitions
- parted | Both BIOS/UEFI, many primary partitions also formats filesystems.
Filesystems
- ext4 | journaled, 1EiB max, 16TiB filesize and support for SSD.
- XFS | 8EiB max, 8EiB filesize, Not shrinkable but supports snapshots.
Mounting by UUID is the preferred syntax, because removable devices (e.g. USB disks) may be removed and the /dev paths of the remaining devices then change.
$ partprobe | Update the partition table and view new partitions after a reconfiguration.
$ blkid | Display the UUID of a drive.
To configure UUID in fstab, add a line similar to following in </etc/fstab> file.
UUID=<id>TAB<mtpt>TAB<fstyp>TABdefaultsTAB0 0
N.B! The trailing "0 0" fields control filesystem backup (dump) and filesystem check order. The non-zero values are: "1" | include in filesystem backup; "2" | check with lower priority when a filesystem check is performed, NOT for OS disks.
Label a filesystem
$ e2label | label an ext4 filesystem (xfs_admin for XFS)
$ e2label </device> <labelname>
$ e2label </device> | display the current label
$ tune2fs | display more info about the filesystem, including the label
$ tune2fs -l <device>
To configure a “label” in fstab add a line similar to following in </etc/fstab> file.
LABEL=<labelname>TAB TAB<mtpt>TAB<fstyp>TAB<defaults>TAB 0 0
Mounting a filesystem
$ mount -a | mount all entries in fstab
$ xfs_growfs | expand an xfs filesystem
N.B! When mounting NFS use the <_netdev> option to make mount wait for the network to become active before mounting the filesystem (if you are not using automount, which is the better option).
Mount an smbshare
$ smbclient //<IP>/<share> -U <user>
Use the smb credentials file </etc/samba/credentials> to store the password and avoid having it in the fstab file. The fstab entry then looks like:
//<IP>/<share>TAB<mtpt>TABcifsTABrw,credentials=/etc/samba/credentialsTAB0 0
Disks/PV/VG/LV info
Display a more readable output of disks/vols/mountpoints on Linux
# lsblk -i
Physical Volumes
# pvscan
# pvdisplay
Volume Groups
# vgscan
# vgdisplay
# vgchange
# vgrename
# vgs
Logical Volumes
# lvscan
# lvdisplay
# lvchange
# lvs
# lvresize
# lvextend
# lvreduce
# lvrename
Rename Root Vol
To change the root vol name, boot from a bootable ISO or CDROM
Login and run the following
# vgrename <old-vg> <new-vg>
Mount the root disk & required sub filesystems
# mount /dev/<new-vg> /mnt
# mount --bind /proc /mnt/proc/
# mount --bind /sys /mnt/sys/
# mount --bind /dev /mnt/dev/
# mount /dev/sda1 /mnt/boot/
# chroot /mnt
Edit the fstab and grub files
# sed -i 's/<old-vg>/<new-vg>/g' /etc/fstab
# sed -i 's/<old-vg>/<new-vg>/g' /etc/default/grub
Use grub2-mkconfig
# grub2-mkconfig -o /boot/grub/grub.cfg
Create new kernel initramfs/initrd image file using a specific kernel version.
# dracut --force --kver <choose kernel vers>
Tip! Run <uname -r> to show the active kernel version, or check </boot> for the names of the other installed kernel versions.
Use the following to check content of new initramfs/initrd image
List the entire content
# lsinitrd <path-to-image>
View a specific file from the image file
# lsinitrd -f /etc/fstab <path-to-image>
unmount chroot & reboot
# umount -f /mnt
# shutdown -h now
Remove cdrom/ISO and reboot.
GRUB
Located in </boot/grub2> are the grub boot loader files for bios based computer systems. </boot/grub2/grub.cfg> is the configuration file
To modify the way Linux boots, edit </etc/default/grub>. After you’ve made changes to this file and saved them, you’ll need to run
$ grub2-mkconfig
which will update the boot loader code responsible for booting the system.
On UEFI systems the boot loader config is stored in the </boot/EFI/EFI/cintas/grub.cfg> file
N.B! The <grub2-mkconfig> command is also run automatically whenever we install a new kernel.
DNF will allow uninstalling of the active kernel; Yum won't allow this. The DNF configuration file is </etc/dnf/dnf.conf>. Set the "--latest-limit" setting to preserve files and stop active kernel uninstallation.
On the cli use the following to uninstall all but the last two kernels.
The following uses DNF repoquery to get a list of kernels further back than two and then passes that list to DNF remove.
$ dnf remove $(dnf repoquery --installonly --latest-limit=-2 -q)
Set the default kernel
$ grub2-set-default 1
$ grub2-mkconfig
Insert the current kernel version into a command
$ ls /lib/modules/$(uname -r)/kernel
RPM
Find out what pkg a file belongs to
# rpm -qf <path-to-file/cmd>
Find out if a file was installed as part of a pkg
# rpm -qf /usr/lib/libXp.so.6
List path to files for yum
# rpm -ql yum
Display system-wide config files for a cmd
# rpm -qcf /bin/bash
Check contents of RPM
# rpm -qlp RPMTOPDIR/RPMS/x86_64/<name-of-pkg>.rpm
To view different architecture version of a pkg
# rpm -q --queryformat "%{name}.%{arch}\n" pdksh-5.2.14-36.el5
Display a pkg group
# rpm -qg "System Environment/Shells"
Display when pkgs installed
# rpm -qa --last
Display all documentation for a pkg
# rpm -qd yum | doc files
Display all configuration files for a pkg
# rpm -qc yum | cfg files
Display all docs for a command
# rpm -qdf /bin/bash
Display which pkgs install bash
# rpm -q --provides bash
Display dependencies on the bash pkg
# rpm -q --requires bash
Display all changes made to pkg
# rpm -q --changelog bash
Display info about a specific package.
# rpm -qip <pkgname>
Display info about files to be installed from a pkg
# rpm -qlp <pkgname>
N.B! the 'p' option queries a downloaded pkg file and not the rpm database.
RPM TAGS
Display all pkg tags in the OS version
$ rpm --querytags
Display the permission modes of all files in the bash package
$ rpm -q --qf "[%{FILEMODES} %{FILENAMES}\n]" bash
To format the permissions better, add the perms formatting modifier.
$ rpm -q --qf "[%{FILEMODES:perms} %{FILENAMES}\n]" bash
N.B! To display a list of other query format modifiers use the RPM manpage and search for query options.
GREP
grep for soltec at the start of a line
# grep "^soltec"
grep for soltec at the end of a line
# grep "soltec$"
Ignore all systemd messages
# grep -v 'systemd' /var/log/messages | -v inverts the match
Ignore multiple expressions using egrep
# egrep -v 'systemd|NetworkManager' /var/log/messages
YUM
To install all pkgs listed in a file
# yum install $(< test.txt)
# yum -y install $(cat list)
Display history
# yum history
# yum history info
# yum history list
Configure & use YUM to download packages to local repo
Create a dir
$ mkdir /tmp/yumdownloads
Install the yum download-only plugin
$ yum -y install yum-plugin-downloadonly
Execute YUM to download the pkg(s)
$ yum install --downloadonly --downloaddir=/tmp/yumdownloads httpd
DNF
YUM has been rewritten and renamed DNF. YUM is legacy; the yum command still works because it is a wrapper that calls DNF.
DNF can use software groups to install all pkgs required for e.g. a desktop, development tools, etc.
$ dnf group list
$ dnf group list hidden
$ dnf group info "Development Tools"
Display all versions of a pkg
$ dnf --showduplicates list xfsprogs
Display pkgs that have upgrades available
$ dnf list --updates
Upgrade a pkg (find pkg from updates command)
$ dnf upgrade <pkgname>
Display pkgs that are available in the repo but not installed
$ dnf list --available
Display pkgs that have been replaced by other packages
$ dnf list --obsoletes
Display pkgs dependencies
$ dnf deplist <pkgname>
Search for a package
$ dnf search <search string>
To search even in pkg metadata
$ dnf search all <search string>
Display which pkgs utilise a specific command
$ dnf provides <cmd string>
Install a pkg over an existing pkg (similar to upgrading)
$ dnf reinstall <pkgname>
Remove any unused dependencies in system i.e. if not used by other pkgs
$ dnf autoremove
Remove a package and dependencies i.e. if not used by other pkgs
$ dnf autoremove <pkgname>
Disable a pkg from being upgraded by installing version lock plugin
$ dnf install python3-dnf-plugin-versionlock
To lock a specific kernel version
$ dnf versionlock add <kernel-version>
To lock the current kernel version
$ dnf versionlock add kernel
Display pkgs that are versionlocked
$ dnf versionlock list
Clear pkgs that are versionlocked
$ dnf versionlock clear
$ dnf versionlock delete <locked pkg from list output>
- Configuration files may be renamed when a new package is installed.
- If the system administrator has not modified a configuration file, then the config file is overwritten.
- If the system administrator has modified the configuration file, then the modified configuration file is saved with a .rpmsave or .rpmorig extension, and the new configuration file is saved from the package.
- The .rpmsave extension is used if the file was installed from a previous rpm package.
- The .rpmorig extension is used if the file came from a non-rpm source. This would happen if you installed from source code and then later moved on to an rpm package.
- If the administrator has modified the configuration file, and the software package maintainer included the noreplace label in the package, then the new configuration file is saved with a .rpmnew extension and the original configuration is left in place. When installing with dnf and rpm, you will see a message to let you know which operation was done.
$ dnf changelog
$ dnf changelog upgrades
VI/Vim
dG |delete from the current line to the end of the file
d1G |delete to the top of the file, including the current line
dgg |delete from the current line to the start of the file
G |goto last line in file
1G |goto first line in file
0 |goto start of line
$ |goto end of line
:e! |re-edit the file in a new buffer, discarding the changes made since the last save
:set number |display line numbers
:color desert |change display colours
N.B! If you want to know where you are in the file use the "CTRL-G" command; the cursor position is continuously shown in the status line
u |undo changes
ctrl-r |redo changes
cl, cw, cc |change (cut and enter insert mode) letter, word, line
yl, yw, yy |yank letter, word, line
dl, dw, dd |delete letter, word, line
gu |make lowercase
gU |make uppercase
Copy/Cut Blocks of text
Press v to select characters.
Press V to select whole lines, or Ctrl-v to select rectangular blocks (use Ctrl-q if Ctrl-v is mapped to paste).
Press d to cut (or y to copy).
Yank
yy or Y |yank the current line, including the newline character at the end of the line
y$ |yank to the end of the current line (but don't yank the newline character)
yiw |yank the current word (excluding surrounding whitespace)
yaw |yank the current word (including leading or trailing whitespace)
ytx |yank from the current cursor position up to and before the character x (til x)
yfx |yank from the current cursor position up to and including the character x (find x)
N.B! Many people like to remap Y to y$, in line with C and D
URL to external info page
For more info on e.g. multiple copying, or copy and paste between two instances of Vim, see: Vi/Vim Copy, Cut and Paste
Copy/Move data
To move data on the same system, use the following:
# cd dir1 && tar -cf - . | (cd dir2 && tar -xpvf -)
dir1 is the directory you want to copy; dir2 is the directory in which you want the copy to go. This tars the current directory to STDOUT, then changes directory and untars the archive, without ever having to find the space for a .tar file.
Use the following to do this across systems via ssh:
# cd dir1 && tar -cf - . | ssh system2 "cd dir2 && tar -xpvf -"
RSYNC Slash or no Slash
- Without a slash on the source directory means copy both the source directory, and the contents (recursively if specified) to the destination directory
- Adding a trailing slash on the SRC directory means only copy the contents of the SRC directory, recursively if specified, to the destination.
$ rsync /<dir> | copies the dir
$ rsync /<dir>/ | copies the content of the dir.
RSYNC v RSYNCD
Use rsyncd (rsync in daemon mode) instead of plain rsync to make the target system do the work of copying the data, instead of the source server.
Process Mgt
Nice/Renice
The nice and renice commands let you fine-tune how the kernel treats your processes by adjusting their priorities.
- Every process has a nice value.
- The nice value is an integer in the range of -19 to 20.
- All standard processes are launched with a nice value of zero.
- A high nice value tells the kernel that this process is happy to wait.
- The larger the negative nice value, the more selfish the process is.
- Use the nice command to set the nice value when a process is launched
- Use renice to adjust the nice value of a running process.
Execute $ top to view the nice value of your application/process.
In the "top" console the nice value is the figure in the "NI" column. A zero value is expected.
Start an application with a non-default “nice” value
$ nice -15 ./httpd
N.B! To indicate a negative number you must type two "-" characters.
Set a new value on-the-fly with renice
$ renice -n 5 PID
N.B! there is no "-" on the 5 parameter. You don't need one for positive numbers, and you only need one, not two, for negative numbers.
Renice a PID value whilst in top
- From the top console You press “r” to change the nice value (priority) for a process.
- You’ll be prompted for the process ID.
- Just press Enter to use the process ID of the task at the top of the process window.
URL: How to Set Process Priorities With nice and renice on Linux
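An added example, not from the original page, that shows the nice value round trip: start a process with "nice -n" (which avoids the "-15 vs --15" ambiguity noted above), read its NI value straight from /proc instead of top, then raise it with renice. It assumes Linux (/proc) and the util-linux renice; no root is needed because an unprivileged user may only make their own processes nicer, never less nice.

```shell
# nice_of PID -> prints the nice value of PID, read from /proc/PID/stat.
# The 2nd field (comm) is in parentheses and may contain spaces, so strip
# everything up to the closing ')' first; nice is then the 17th remaining field
# (field 19 of the full line).
nice_of() {
    stat=$(cat "/proc/$1/stat") || return 1
    rest=${stat##*') '}
    set -- $rest
    printf '%s\n' "${17}"
}

# start_niced NICEVAL -> starts a background sleep with "nice -n NICEVAL"
# (relative to the caller's current nice value) and prints its PID.
# stdout/stderr are redirected so a command substitution does not hang
# waiting for the background process.
start_niced() {
    nice -n "$1" sleep 60 >/dev/null 2>&1 </dev/null &
    printf '%s\n' "$!"
}

# renice_check PID NEWVAL -> sets PID's nice value to NEWVAL with renice and
# prints the value read back from /proc afterwards. Raising the value always
# works for your own processes; lowering it needs root (CAP_SYS_NICE).
renice_check() {
    renice -n "$2" -p "$1" >/dev/null
    nice_of "$1"
}

# demo: start 5 nicer than the current shell, then raise to 10 nicer
demo() {
    base=$(nice)                     # nice with no command prints current value
    pid=$(start_niced 5)
    before=$(nice_of "$pid")
    after=$(renice_check "$pid" $(( base + 10 )))
    kill "$pid"
    printf 'base=%s before=%s after=%s\n' "$base" "$before" "$after"
}

demo
```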
SSH
Here are two links to great sites that explain SSH, public & private keys, ssh-agent etc.
- Using ssh-agent forwarding
- ssh-agent forwarding
Client cfg file
- /etc/ssh/ssh_config
Server cfg file
- /etc/ssh/sshd_config | main cfg file i.e use this first
- /etc/sysconfig/sshd | secondary cfg file
Copy SSH keys to remote host
$ ssh-copy-id <hostname>
Add your ssh keys to ssh-agent
$ ssh-add
Piping a command through an SSH tunnel
$ cat <filename> | ssh <IPnr> "cat - >> <dir><file>"
An example is to perform a bit-by-bit copy of one drive to another over the network
$ dd if=/dev/sdb | ssh <IPnr> "dd of=/dev/sdb"
SCP
-P | change the port to use
-p | preserve perms (not file ACLs or SELinux context)
-c | change the default AES cipher (arcfour is quick but only for use on private networks; note that current OpenSSH releases have removed arcfour altogether)
-r | recursive copy
-C | enable compression (only helps on uncompressed files)
RSYNC
good for system backups
$ rsync -av -HAX --progress <Src dir> <hostIP>:<Tgt dir>
-a | archive: recursive & preserve perms (not file ACLs or SELinux context)
-v | verbose
-HAX | hardlinks, ACLs, extended attributes (SELinux security context)
--progress | display transfer progress and time
Options
--dry-run | test the cmd before execution
-e "ssh -p 1022" | passes the ssh option of port 1022 to the rsync cmd
Copy dirs or files?
$ rsync /<dir> | copies the dir
$ rsync /<dir>/ | copies the content of the dir.
Date/time/NTP
Display systemclock, timezone and ntp status
$ timedatectl
Edit the time settings using timedatectl
$ timedatectl list-timezones
$ timedatectl set-timezone <e.g. CET>
$ timedatectl set-time <YYYY-MM-DD>
$ timedatectl set-time <HH:MM:SS>
$ timedatectl set-ntp true
Change the hostname
$ hostnamectl set-hostname "new hostname"
AT/Cron
$ at now +15mins
at> mkdir /apa
$ atq | display queued at jobs
$ at -c <jobnr> | display the content of the job
$ atrm <jobnr> | delete the job
$ batch
at> mkdir /apa --> Ctrl-D to save
N.B! batch jobs are only executed when the system load average is below 0.8
URL to a crontab generator: Crontab Generator
Modules
$ modprobe <module> | load a module
$ modprobe -r <module> | remove a module
$ modprobe -vr <module> | remove a module, verbosely
Auto-loading
To auto-load modules
add a file to the dir </etc/modules-load.d> with the file extension <.conf> and add the module name to that <.conf> file.
Blacklisting
Blacklist a module to stop it loading at boot.
Create a file </etc/modprobe.d/<filename>.conf> and add the line "blacklist <module-name>" to the .conf file.
Users
Configuration files
/etc/login.defs | contains info for passwd ageing and actions to perform when administering user IDs.
/etc/default/useradd | contains default actions when creating users, e.g. shell, homedir path etc.
/etc/skel | contains files copied to the user's homedir by default.
/etc/pam.d | contains cfg files for pluggable authentication modules.
/etc/security/pwquality.conf | set the passwd quality policy by editing this conf file.
$ userdel "username" | delete the user but preserve the homedir
$ userdel -r "username" | delete the user and the homedir.
$ usermod
-a | append to existing settings, used with the -G option for supplementary groups
-l | change login name
-L/-U | lock or unlock an account. N.B! doesn't stop login if the user uses ssh keys.
$ passwd
-d | deletes the passwd
-e | expires the passwd
-l | locks the passwd (not effective if ssh keys are used)
-u | unlocks the passwd
-S | passwd status
N.B! In the /etc/shadow file a "!!" in the password field means that the password for the user has not been set yet.
Account aging for existing users
$ chage | change user password expiry information
-l | display acct aging info
N.B! If no options are selected, chage operates in an interactive fashion, prompting with the current values for all of the fields.
$ chage -d 0 "username" | force the user to change passwd at next login.
$ chage -E 2022-01-01 "username" | set the expiration date for the user's account. N.B! If the account expires the user can no longer log in, even with ssh keys.
$ chage -M "xx" "username" | set the max number of days between passwd changes.
$ chage -I "xx" "username" | set the number of days an account can be inactive before it's locked.
$ chage -I -1 -m 0 -M 99999 -E -1 "username" | remove all passwd aging for a user. Used for service users.
$ chage -W "xx" "username" | set the number of days of warning before a password change is required.
Groups
Two commands to add users to a group
$ gpasswd -a "username" "groupname" | group centric, i.e. add a user to a group. Can add several users at once.
$ usermod -a -G "groupname" "username" | user centric, i.e. add a group to the user's settings. Executed per user.
Set passwd for the group access for users outside of group
$ gpasswd "groupname"
Add a group temporarily as a user's primary group.
$ groups
$ newgrp "groupname"
$ groups
$ gpasswd -d "username" "grpname" | delete a user from a group
$ gpasswd -A "username" "grpname" | add an admin user for a grp
$ groupmod
How to ID yourself
$ logname | shows who you logged in as at the start of the session
$ whoami | shows who you are at present.
Add users to “wheel” group to elevate privileges for all commands.
$ useradd -u 1100 -s /bin/ksh -G wheel "username"
$ gpasswd -M "user1,user2,user3" "grpname" | quicker than usermod as it's performed from the grp, not the user, perspective.
$ gpasswd "groupname" | add the passwd for the group. Group members won't need to enter the passwd.
$ chage -E "$(date -d '+90 days' +%F)" -W 5 "username" | configure the user acct to expire in 90 days, with a warning msg sent 5 days before the expiry date. N.B! -E takes a date (YYYY-MM-DD), not a number of days, so compute it with date.
Perms & ACL
To configure with symbolic perms
$ chmod u=rwx,g=rx,o= "filename"
u=rwx | owner gets rwx
g=rx | group gets rx
o= | "nothing": sets the perms to null for other
Changing permissions is easier to do with symbolic rather than numerical mode.
You only need to know what you want to add. If you use numerical then you need to know all of the permissions.
$ chmod u+rwx "filename" | set rwx for the owner
$ chmod u-x "filename" | remove execute rights for the owner
$ chmod ugo-x "filename" | remove exec for user, group and other
$ chmod a-x "filename" | remove exec for user, group and other
UMASK
$ umask | display the numeric value
$ umask -S | display the symbolic value
N.B! a umask can have 3 or 4 digits
Directories (DIRs) - The max initial dir perms are 777; subtract the UMASK value to give the initial dir perms (777 - 022 = 755 | rwx,rx,rx)
  777 (initial dir perms)
 -022 (UMASK)
 -----
  755 | rwx, rx, rx
Files - The max initial file perms are 666; subtract the UMASK value to give the initial file perms (666 - 002 = 664 | rw,rw,r)
N.B! Strictly, the kernel clears the umask bits with a bitwise AND NOT; digit-by-digit subtraction only gives the same answer when no umask digit exceeds the matching base digit (e.g. 666 with umask 027 gives 640, not 639).
To temporarily change the UMASK
$ umask 0002
Users can change their own umask in “.bashrc” cfg file.
To configure umask systemwide for users change/create “/etc/profile.d/umask.sh”
if [ "$UID" -ge 1000 ]; then
    umask 0002
fi
To set bits on files
- Set the userID (SUID) to run/execute as the owner of the file
- Set the groupID (SGID) to run/execute as the group owner of the file
- Set the Sticky bit to keep the file in swap and increase execution performance, but this is NOT applied in RHEL/CentOS, so there is no point in setting it for files.
The bit values: SUID = 4, SGID = 2, Sticky = 1
e.g. 4755 sets the suid bit: "rws r-x r-x" file permissions. 2755 sets the sgid bit: "rwx r-s r-x" file permissions.
Numeric: $ chmod 2755 "filename"
Symbolic: $ chmod g+s "filename"
SUID
rws |Lowercase "s": the user execution bit is also set, i.e. when run, the privileges are elevated to those of the owner
rwS |Uppercase "S": the user execution bit is NOT set
SGID
r-s |Lowercase "s": the group execution bit is also set, i.e. when run, the privileges are elevated to those of the group
r-S |Uppercase "S": the group execution bit is NOT set
To locate files with SUID bits configured
$ find / -perm -4000
To locate files with SGID bits configured
$ find / -perm -2000
To set bits on dirs
- Setting the userID (SUID) on dirs has no effect.
- Setting the groupID (SGID) provides group inheritance on the dir
- Setting the Sticky bit on a dir allows only owners to delete their own files.
- When setting the SGID on dirs, it will help with group collaboration work.
$ chmod 2755 "dir"
When a file is created in that dir
- any user that is a member of the group can create a file and will be the owner
- the group GID of the file will be for the group and thus anyone in the group will be able to r-x any file.
- Good for collaboration areas.
Setting the Sticky bit on a dir will be shown by “t” in the exec position holder of "everyone" perms.
$ chmod 1777 "dir"
drwxrwxrwt "dir"
This is used to keep users from deleting or moving each others files.
$ chmod 777 "dir/filename"
So even with 777 file perms any other user than the owner will NOT be permitted to delete the file.
N.B! Sticky bit is mainly used for the “/tmp” dir.
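An added example (not from the original page) that serves both the UMASK section and the SUID/SGID/sticky notation above: apply_umask computes the mode a new file or dir gets under a given umask the way the kernel does (bitwise, not by digit subtraction), and mode_to_symbolic renders a numeric mode, including the special bits, as the rws/rwS/t/T string ls shows. It assumes only a POSIX shell with $(( )) arithmetic (bash, dash or ksh).

```shell
# apply_umask BASE UMASK -> prints the resulting 3-digit octal mode.
# BASE is 777 for directories, 666 for plain files. Both are octal, so a
# leading 0 is prepended to make the shell parse them as octal.
apply_umask() {
    base=$(( 0$1 ))
    mask=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask & 0777 ))   # mode AND NOT umask
}

# mode_to_symbolic MODE -> prints the 9-character rwx string for an octal
# mode, with s/S for SUID and SGID and t/T for the sticky bit (upper case when
# the matching execute bit is NOT set), as described in the SUID/SGID notes.
mode_to_symbolic() {
    m=$(( 0$1 ))
    out=""
    i=0
    while [ "$i" -lt 3 ]; do               # i=0 user, i=1 group, i=2 other
        bits=$(( (m >> ((2 - i) * 3)) & 7 ))
        r='-'; w='-'; x='-'
        [ $(( bits & 4 )) -ne 0 ] && r='r'
        [ $(( bits & 2 )) -ne 0 ] && w='w'
        [ $(( bits & 1 )) -ne 0 ] && x='x'
        # special bit for this triplet: SUID (04000) for user, SGID (02000)
        # for group, sticky (01000) for other; bit positions 11, 10, 9
        if [ $(( (m >> (11 - i)) & 1 )) -ne 0 ]; then
            if [ "$i" -eq 2 ]; then
                if [ "$x" = x ]; then x='t'; else x='T'; fi
            else
                if [ "$x" = x ]; then x='s'; else x='S'; fi
            fi
        fi
        out="$out$r$w$x"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# demo: the page's two examples, the case where subtraction would be wrong,
# and the special-bit rendering
demo() {
    printf 'dir  777 umask 022 -> %s\n' "$(apply_umask 777 022)"
    printf 'file 666 umask 002 -> %s\n' "$(apply_umask 666 002)"
    printf 'file 666 umask 027 -> %s (not 639)\n' "$(apply_umask 666 027)"
    for m in 4755 4655 2755 1777 1776; do
        printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
    done
}

demo
```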
ACLs
ACL file/dir symbols
t |Sticky bit is set on a dir
+ |Indicates an ACL is set on the file
s |The group/owner execution bit is set
S |The group/owner execution bit is NOT set
Easy to assign users and groups the correct perms for files and dirs. ACLs are used above file/dir permissions.
$ getfacl "filename"
Use the tabular format to display more readable output
$ getfacl -t "filename"
To set a facl for a user on a file exec the following
$ setfacl -m user:"user":"perms" "filename"
To set a facl for a group on a file exec the following
$ setfacl -m group:"group":"perms" "filename"
To set a facl for both a user and a group on a file exec the following
$ setfacl -m user:"user":"perms",group:"group":"perms" "filename"
OR in shorthand
$ setfacl -m u:"user":"perms",g:"group":"perms" "filename"
Omit the username to set the facl for the file owner
$ setfacl -m user::"perms" "filename"
The character after the file perms is a "+", which indicates an ACL is set on the file
-rw-rwx-r--+ "filename"
To display this run
$ getfacl "filename"
N.B! It will also display a "mask" line, showing the max perms allowed on the file.
To output all file acls to a file
$ getfacl -R "dir" > dir-perms.txt
N.B! ACLs are enabled by default for "/" in CentOS but not for other drives.
- Standard Linux perms only have one type of inheritance i.e. the SGID on dirs.
- The files and directories created inside the dir inherit the group owner of the parent directory, which there can only be one of.
- ACLs go much further as they let files and directories inherit any number of user or group permissions.
- These ACLs are called default ACLs.
N.B! If you want to allow a user to access a directory, you set a regular ACL on it first. If however, you want that user to access all new files and directories inside it, then set a default ACL. Usually, you’ll need to do both of these operations. e.g. normal unix perms allow only for group1 to have perms on dir1. By configuring with ACLs the group1 and group2 can have different perms on the same dir.
Default ACLs can only be applied to directories. Set ACL on the dir
$ setfacl -m u:"user":rwx dir1
Set the ACL on all the files in the dir (-R for recursive)
$ setfacl -R -m u:"user":rwx dir1
Create a default (-d) ACL for the user for any files created in the future
$ setfacl -d -m u:"user":rwx dir1
In the getfacl output this will be displayed as
default:user:"user":rwx
Three ways to delete ACLs on files/dirs using $ setfacl
-x | remove a specific ACL
-k | remove all default ACLs
-b | remove all ACLs
Examples
$ setfacl -x u:"user" "dirname"/ | delete a specific ACL
$ setfacl -x "user" "dirname"/ | just giving the name assumes it's a user ACL and attempts to delete it
$ setfacl -x default:u:"user" "dirname"/ | delete a specific default ACL entry
$ setfacl -x g:"groupname" "dirname"/ | delete the ACL for a group
$ setfacl -k "dirname"/ | delete all default ACLs
$ setfacl -b "dirname" | delete all ACLs
$ setfacl -R -b "dirname"/ | delete all ACLs recursively in a dir
Create a dir for 3 users in a group, excluding all other users.
Make sure users can’t delete each others files in the dir and configure for multiple group perms on the dir and files.
- Users: user1 user2 user3
- Groups : devel, devtest
$ chown :devel /home/develdir | set the group owner to devel.
$ chmod 770 /home/develdir | set perms to rwx for owner and group but no rights for other.
$ chmod g+s /home/develdir | set the SGID on the group perms to automatically inherit group ownership.
$ chmod o+t /home/develdir | set the sticky bit on the dir to hinder users from deleting each other's files.
$ setfacl -m g:devtest:rx /home/develdir/ | allow a second group perms on the dir so it can traverse it.
$ setfacl -d -m g:devtest:rx /home/develdir/ | default ACL so the second group can read/execute files created later.
Firewalld
IPTABLES can’t be running at same time as it's not compatible.
$ systemctl enable firewalld
$ systemctl start firewalld
$ firewall-cmd --state | display the status of firewalld
$ firewall-cmd --timeout=60 | useful when testing/developing firewall cfg: combined with an --add-* option, the rule is removed again after 60 s.
$ firewall-cmd --permanent | makes changes persistent/permanent (combined with an --add-*/--remove-* option).
$ firewall-cmd --permanent --add-service=http | allow ingress traffic
$ firewall-cmd --permanent --remove-service=http | stop ingress traffic
Add a port/service
$ firewall-cmd --permanent --add-port=443/tcp | allow port 443
$ firewall-cmd --permanent --add-port=5901-5910/tcp | allow the VNC port range
Activate any firewalld changes
$ firewall-cmd --reload
List configurable services by name
$ firewall-cmd --get-services
List the services allowed in the current zone by name
$ firewall-cmd --list-services
List the ports opened in the current zone
$ firewall-cmd --list-ports
Troubleshoot httpd access/permission denied error
$ ausearch -c 'httpd' --raw | dry run to double-check the output
$ ausearch -c 'httpd' --raw | audit2allow -M myhttpd | (exec whilst in your home dir) creates two files, myhttpd.pp and myhttpd.te; the .te file is readable text. Review it before loading, as audit2allow permits exactly what was denied.
$ semodule -i myhttpd.pp | make the policy active
An alternative solution is to check the security context cfg of the default Apache DocumentRoot dir.
$ ls -ldZ /var/www/html
Compare to your DocRoot
$ ls -ldZ <path-to-your-DocRoot>
Temporarily change the security context of your DocRoot
$ chcon -R -t httpd_sys_content_t <path-to-your-DocRoot> | -R for recursive
To make the change permanent. This will only be applied to this DocRoot path not all dirs on device.
$ semanage fcontext -a -t httpd_sys_content_t "path-to-your-DocRoot(/.*)?"
$ restorecon <path-to-your-DocRoot>
Certs/Keys
How can I examine the certificate and key?
If the certificate is an X.509 certificate in PEM format, you can print it out with:
$ openssl x509 -in certfilename -text
This is useful if you want to know the expiration date of the certificate.
If the key is simply an RSA key in PEM format, printing it is not likely to help you very much. If you want to print it anyway, issue the following (the output contains the private key material, so treat it as secret):
$ openssl rsa -in keyfilename -text
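An added example, not from the original page, that turns the "expiration date" check above into something scriptable: it uses openssl x509 with -noout -enddate and -checkend (both standard openssl x509 options) to report days remaining and to flag a certificate that is about to expire. It assumes the openssl CLI and GNU date; the self-signed test certificate is constructed by the script itself.

```shell
# cert_end_date FILE -> prints the notAfter timestamp of a PEM certificate
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_days_left FILE -> prints the whole days until the certificate expires
# (negative once it has expired). GNU date parses openssl's
# "Mon DD HH:MM:SS YYYY GMT" format directly.
cert_days_left() {
    end=$(date -d "$(cert_end_date "$1")" +%s)
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# cert_expires_within FILE SECONDS -> exit 0 if the certificate expires within
# SECONDS. openssl -checkend exits 0 while the cert stays valid for that long,
# so its result is inverted here to read naturally in an if statement.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1
    fi
    return 0
}

# make_test_cert FILE DAYS -> constructed self-signed cert (and key next to it)
# for trying the functions out; not something to use on a real host
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" \
        -out "$1" -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# demo: a 30-day cert is fine for the next 24 h but not for the next 40 days
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/cert.pem" 30
    printf 'expires: %s (%s days left)\n' \
        "$(cert_end_date "$dir/cert.pem")" "$(cert_days_left "$dir/cert.pem")"
    if cert_expires_within "$dir/cert.pem" 86400; then
        echo 'WARNING: expires within 24 hours'
    else
        echo 'ok for the next 24 hours'
    fi
    rm -rf "$dir"
}

demo
```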