From 63f4af654403227b572b707901820d2789b7398b Mon Sep 17 00:00:00 2001 From: ambaradan Date: Tue, 19 Aug 2025 09:49:33 +0200 Subject: [PATCH] revision - 'lab5-networking' and 'lab6-user_and_group_management' - moved 'main title' to frontmatter - fixed the structure of the headers - added inline codes and italics for paths and file names where missing - added some additional descriptions for the exercise commands --- .../lab5-networking.md | 247 +++++++++--------- .../lab6-user_and_group_management.md | 239 +++++++++-------- 2 files changed, 243 insertions(+), 243 deletions(-) diff --git a/docs/labs/systems_administration_I/lab5-networking.md b/docs/labs/systems_administration_I/lab5-networking.md index 6c59e77a57..f5cf9fe104 100644 --- a/docs/labs/systems_administration_I/lab5-networking.md +++ b/docs/labs/systems_administration_I/lab5-networking.md @@ -1,6 +1,7 @@ --- -author: Wale Soyinka -contributors: Steven Spencer, Ganna Zhyrnova +author: Wale Soyinka +title: Lab 5 - Networking Essentials +contributors: Steven Spencer, Ganna Zhyrnova, Franco Colussi tested on: All Versions tags: - lab exercise @@ -11,16 +12,13 @@ tags: - macvtap --- - -# Lab 5: Networking Essentials - ## Objectives After completing this lab, you will be able to: - Create virtual network devices - Manage network devices and settings on a Linux system using the `iproute2` (`ip`) toolkit -- Manage network devices and settings on a Linux system using NetworkManager (`nmcli`) toolkit +- Manage network devices and settings on a Linux system using *NetworkManager* (`nmcli`) toolkit - Troubleshoot common network issues Estimated time to complete this lab: 60 minutes 
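Review bot: In the @@ -11,16 hunk the rewritten objective "using *NetworkManager* (`nmcli`) toolkit" drops the article, so it no longer parallels the previous bullet "using the `iproute2` (`ip`) toolkit"; suggest "using the *NetworkManager* (`nmcli`) toolkit".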
@@ -29,15 +27,27 @@ Estimated time to complete this lab: 60 minutes This Networking Essentials lab covers various network configuration and troubleshooting exercises on a Linux server. You will be better equipped to manage and troubleshoot network settings using common networking utilities readily available on Linux based systems. -## Exercise 1 +### Introduction to the commands used + +The `iproute2` command is a suite of advanced utilities for configuring and managing networks on Linux systems, developed to replace the traditional *net-tools* suite (such as *ifconfig*, *route*, and *arp*). +`iproute2` is designed to manage modern Linux kernel features, including namespaces, policy routing, and advanced QoS. It is now the recommended tool for network administration on modern Linux distributions. + +The `ip` command is an essential tool for network management and configuration. It is part of the `iproute2` package and offers advanced control over network interfaces, IP addresses, routing tables, tunnels, and much more. +Thanks to its flexible syntax and options, it allows system administrators to monitor, modify, and resolve connectivity issues efficiently. +Its modular structure allows you to manage different aspects of network configuration in a consistent manner, thus simplifying administration. -### Change Hostname +The `nmcli` command is a powerful and versatile tool included in *NetworkManager*, designed for managing network connections on Linux systems directly from the terminal. Unlike graphical tools, `nmcli` allows you to efficiently configure, monitor, and control network interfaces on both local and remote machines, making it particularly useful for system administrators and advanced users. +It supports a wide range of features, including the configuration of wired, wireless, and VPN connections, mobile network management, and network status debugging. -There are many methods for identifying or referring to computers. 
Some of these methods guarantee uniqueness [ especially on a network], and others don't. A computer hostname can be regarded as a human-friendly name. Computer hostnames should ideally be unique depending on how they are managed and assigned. But because anyone with the Administrative privileges on a system can unilaterally assign whatever hostname they want to the system - uniqueness is not always guaranteed. +## Exercises + +### 1. Change Hostname + +There are many methods for identifying or referring to computers. Some of these methods guarantee uniqueness (especially on a network), and others don't. A computer hostname can be regarded as a human-friendly name. Computer hostnames should ideally be unique depending on how they are managed and assigned. But because anyone with the administrative privileges on a system can unilaterally assign whatever hostname they want to the system - **uniqueness is not always guaranteed**. This first exercise walks through some common tools for managing the computer hostname. -#### To change the system's hostname +#### Changing the system's hostname 1. While logged into your system, view the current *hostname*, using the popular `hostname` utility. Type: 
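Review bot: The new intro in the @@ -29,15 hunk calls `iproute2` a command ("The `iproute2` command is a suite of advanced utilities"), which contradicts itself and the next paragraph, where `ip` "is part of the `iproute2` package"; suggest "The `iproute2` package is a suite of utilities ..." and "It is now the recommended toolset for network administration". In the same hunk, "anyone with the administrative privileges" should drop "the".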
@@ -95,27 +105,27 @@ This first exercise walks through some common tools for managing the computer ho !!! Question - Consult the man page for `hostnamectl`. What are the differences between pretty, transient and static hostnames? + Consult the man page for `hostnamectl`. What are the differences between *pretty*, *transient* and *static* hostnames? -## Exercise 2 +### 2. Creation of a virtual device -The first critical step you need to complete before going on to the other exercises in this network lab will be creating a special virtual network interface known as a MACVTAP device. +The first critical step you need to complete before going on to the other exercises in this network lab will be creating a special virtual network interface known as a *MACVTAP device*. -MACVTAP devices are virtual devices that combine the properties of a software-only interface known as a TAP device as well as the properties of the MACVLAN driver. +MACVTAP devices are virtual devices that combine the properties of a software-only interface known as a *TAP device* as well as the properties of the *MACVLAN driver*. Creating and working with these MACVTAP devices will allow you to safely test, change, and configure various network configuration-related tasks. These virtual network interfaces will be used in various exercises without disrupting the existing network configuration. !!! tip - TAP devices provide a software-only interface that user-space applications can easily access. TAP devices send and receive raw Ethernet frames. - MACVLAN is used for creating virtual network interfaces that attach to physical network interfaces. + TAP devices provide a software-only interface that user-space applications can easily access. TAP devices send and receive raw Ethernet frames. + MACVLAN is used for creating virtual network interfaces that attach to physical network interfaces. 
The MACVTAP devices have their own unique MAC address distinct from the MAC address of the underlying physical network card they are associated with. -### Create MACVTAP Interfaces +#### Creation of a MACVTAP Interfaces This exercise starts with creating needed MACVTAP virtual network interfaces. This will allow you to safely test, change, and configure various network configuration related tasks. These virtual network interfaces will be used in various exercises without disrupting the existing network configuration. -#### To list all network interfaces on the system +#### Listing all network interfaces on the system 1. Ensure you are logged into the server. @@ -131,13 +141,13 @@ This exercise starts with creating needed MACVTAP virtual network interfaces. Th nmcli -f DEVICE device ``` -4. Query the low-level /sys virtual file-system to enumerate ALL network interfaces available on your server manually. Type: +4. Query the low-level `/sys` virtual file-system to enumerate *ALL* network interfaces available on your server manually. Type: ```bash ls -l /sys/class/net/ | grep -v 'total' | awk '{print $9}' ``` -#### To create `macvtap` interfaces +#### Creating `macvtap` interfaces 1. Ensure you are logged into the system as a user with Administrative privileges. 
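Review bot: The heading "#### Creation of a MACVTAP Interfaces" in the @@ -95,27 hunk mixes singular and plural; suggest "#### Creating MACVTAP interfaces", which also matches the "#### Creating `macvtap` interfaces" heading introduced in the @@ -131,13 hunk and the gerund style used for the other renamed procedure headings.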
@@ -145,22 +155,19 @@ This exercise starts with creating needed MACVTAP virtual network interfaces. Th ```bash ls -l /sys/class/net/ | grep -v 'virtual\|total' | tail -n 1 | awk '{print $9}' - eno2 ``` - The output on the sample demo system shows one suitable interface named eno2. + The output on the sample demo system shows one suitable interface named `eno2`. -3. Run the command to identify the device again but this time store the returned value in a variable named $DEVICE1. Double check the value of $DEVICE1 using echo. Type the following 2 separate commands to accomplish this: +3. Run the command to identify the device again but this time store the returned value in a variable named `$DEVICE1`. Double check the value of `$DEVICE1` using *echo*. Type the following 2 separate commands to accomplish this: ```bash - # DEVICE1=$(ls -l /sys/class/net/ | grep -v 'virtual\|total' | tail -n 1 | awk '{print $9}') - - # echo $DEVICE1 + DEVICE1=$(ls -l /sys/class/net/ | grep -v 'virtual\|total' | tail -n 1 | awk '{print $9}') + echo $DEVICE1 ``` -4. Now, create a MACVTAP interface named - `macvtap1`. The new interface will be associated with - $DEVICE1. Type: +4. Now, create a MACVTAP interface named - `macvtap1`. The new interface will be associated with `$DEVICE1`. Type: ```bash ip link add link $DEVICE1 name macvtap1 type macvtap mode bridge 
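Review bot: In the @@ -145,22 hunk, `echo` is a command the reader types, so it should be inline code like `$DEVICE1` in the same sentence rather than italics ("Double check the value of `$DEVICE1` using `echo`"); the PR's own convention elsewhere puts commands in backticks.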
@@ -172,19 +179,17 @@ This exercise starts with creating needed MACVTAP virtual network interfaces. Th ip --brief link show macvtap1 ``` - Note the DOWN state of the `macvtap` interface in the output. + Note the **DOWN** state of the `macvtap` interface in the output. -6. View detailed information about all the MACVTAP-type network devices on the system. Type: +6. View detailed information about all the *MACVTAP-type* network devices on the system. Type: ```bash ip --detail link show type macvtap ``` -7. Run a command to view all the network interfaces on the server and compare the output to the output of the similar command in the earlier section "To list all network interfaces on the system". - -### Enable/Disable Network Interface +7. Run a command to view all the network interfaces on the server and compare the output to the output of the similar command in the earlier section "Listing all network interfaces on the system". -#### To enable or disable a network interface +#### Enabling/Disabling Network Interfaces 1. Check the status of the `macvtap1` network interface. Type: @@ -201,12 +206,13 @@ This exercise starts with creating needed MACVTAP virtual network interfaces. Th 3. Verify the status changes by running: ```bash - ip -br link show macvtap1 + ip -br link show macvtap1 ``` !!! TIP - If you ever need to disable a network interface, the syntax for `ip` command to do this is `ip link set down`. For example to disable a network interface named `macvtap7`, you would run: + If you ever need to disable a network interface, the syntax for `ip` command to do this is `ip link set down`. + For example to disable a network interface named `macvtap7`, you would run: ```bash ip link set macvtap7 down 
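Review bot: The tip rewritten in the @@ -201,12 hunk still states the syntax as `ip link set down`, which is not a valid form; since the line is being touched anyway, correct it to `ip link set DEVICE down` (or `ip link set dev DEVICE down`), which is what the example `ip link set macvtap7 down` below it actually shows.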
@@ -214,25 +220,25 @@ This exercise starts with creating needed MACVTAP virtual network interfaces. Th Now that you have set up the `macvtap` interfaces, you safely perform the various network configuration and troubleshooting tasks in the remaining exercises. -## Exercise 3 +### 3. Assign IP Addresses -### Assign IP Addresses +An **IP** (*Internet Protocol*) address is a unique numerical identifier assigned to each device connected to a network that uses the IP protocol for communication. It functions as a digital “*address*” that allows devices to send and receive data across a network, whether local (*LAN*) or global (*Internet*). -#### To set an IP addresses on a network interface +#### Setting an IPv4 address to `macvtap` interfaces 1. View the IP addresses for all network interfaces on your server. Type: ```bash - ip address show + ip address show ``` -2. Assign the IP address - 172.16.99.100 - to `macvtap1`. Type +2. Assign the IPv4 address - **172.16.99.100** - to `macvtap1`. Type ```bash - ip address add 172.16.99.100/24 dev macvtap1 + ip address add 172.16.99.100/24 dev macvtap1 ``` -3. Verify the IP address assignment for `macvtap1` +3. Verify the IPv4 address assignment for `macvtap1` ```bash ip address show macvtap1 @@ -241,16 +247,12 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou 4. Use the `nmcli` command to view the IPv4 addresses for all interfaces on your system. Type: ```bash - nmcli --get-values IP4.ADDRESS,GENERAL.DEVICE device show + nmcli --get-values IP4.ADDRESS,GENERAL.DEVICE device show ``` -## Exercise 4 - -### Configure IPv6 Addresses - -#### To assign IPv6 addresses to `macvtap` interfaces +#### Setting an IPv6 address to `macvtap` interfaces -1. Starting with `macvtap1`, assign the 2001:db8::1/64 IPv6 address to `macvtap1` by running: +1. Starting with `macvtap1`, assign the **2001:db8::1/64** IPv6 address to `macvtap1` by running: ```bash ip -6 address add 2001:db8::1/64 dev macvtap1 
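Review bot: In the @@ -214,25 hunk the new heading "Setting an IPv4 address to `macvtap` interfaces" should read "on `macvtap` interfaces" (addresses are set on an interface), and step 2 "Assign the IPv4 address - **172.16.99.100** - to `macvtap1`. Type" is still missing the trailing colon that the other "Type:" steps carry.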
@@ -265,14 +267,15 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou 4. Use `nmcli` to view the IPv6 addresses for all interfaces on your system. Type: ```bash - nmcli --get-values IP6.ADDRESS,GENERAL.DEVICE device show + nmcli --get-values IP6.ADDRESS,GENERAL.DEVICE device show ``` -## Exercise 5 +### 5. Routing management -### Routing management +Routing in Linux is a mechanism that allows the operating system to manage network traffic by directing data packets to the correct destinations. The Linux kernel uses a routing table to determine the optimal path that packets should follow, based on *IP addresses*, *subnet masks*, and *gateways*. +This functionality is essential in both *home environments* and complex *corporate networks*, where multiple network interfaces and devices need to communicate with each other. -#### To view the system's routing table +#### Viewing the system routing table 1. Display the current routing table for the system. Type: 
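Review bot: The @@ -265,14 hunk renames "## Exercise 5" to "### 5. Routing management", but the @@ -241,16 hunk folded Exercise 4 (IPv6 addresses) into exercise 3, so the numbered headings under "## Exercises" now jump from 3 to 5; either renumber 5 through 9 as 4 through 8, or keep the IPv6 section as its own "### 4." so the sequence is contiguous.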
@@ -283,44 +286,43 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou 192.168.2.0/24 dev enp1s0 proto kernel scope link src 192.168.2.121 metric 100 ``` -2. Using one of the networks displayed in the leftmost column of the previous command's output as the argument, display the route table entry for that network. For example to show the kernel route table entry for the 10.99.99.0/24 network, type: +2. Using one of the networks displayed in the leftmost column of the previous command's output as the argument, display the route table entry for that network. For example to show the kernel route table entry for the **10.99.99.0/24** network, type: ```bash ip route show 10.99.99.0/24 ``` 3. Query the system to see the route that will be used to get to an example arbitrary - destination. For example to view the routing details for getting to the destination IP address - 8.8.8.8, type: + destination. For example to view the routing details for getting to the destination IP address **8.8.8.8**, type: ```bash ip route get 8.8.8.8 - 8.8.8.8 via 192.168.2.1 dev enp1s0 src 192.168.2.121 uid 0 cache ``` Here is a breakdown of the output in plain-speak: - - Destination IP Address: 8.8.8.8 is the IP address that we are trying to reach - - Via: 192.168.2.1 is the next hop IP address that the packet will be sent to reach the destination - - Device: `enp1s0` is the network interface that will be used to send the packet - - Source IP Address: 192.168.2.121 is the IP address of the network interface that will be used as the source address for the packet - - UID: 0 is the user ID of the process that initiated this command - - Cache: This field indicates whether this route is cached in the kernel’s routing table + - *Destination IP Address*: **8.8.8.8** is the IP address that we are trying to reach + - *Via*: **192.168.2.1** is the next hop IP address that the packet will be sent to reach the destination + - *Device*: **enp1s0** is the network interface 
that will be used to send the packet + - *Source IP Address*: **192.168.2.121** is the IP address of the network interface that will be used as the source address for the packet + - *UID*: **0** is the user ID of the process that initiated this command + - *Cache*: This field indicates whether this route is cached in the kernel’s routing table 4. Now view how the system will route a packet from one IP to another destination IP address. Type: ```bash ip route get from 192.168.1.1 to 192.168.1.2 - + local 192.168.1.2 from 192.168.1.1 dev lo uid 0 cache ``` -### Set Default Gateway +#### Configuring the default gateway for the system -#### To configure a default gateway for the system +In a Linux system, the default gateway represents the default access point through which network traffic is routed to external networks not directly connected to the local interface. +Its correct configuration is essential to ensure a system's connectivity to remote networks and external services. 1. Use `ip` to query for and list the current default gateway on your system. Type: @@ -340,11 +342,9 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou ip route show default ``` -### Add Static Route +#### Adding a static route to the routing table -#### To add a static route to the routing table - -1. Add a demo static route for a bogus 172.16.0.0/16 network via 192.168.1.2. Type: +1. Add a demo static route for a bogus **172.16.0.0/16** network via **192.168.1.2**. Type: ```bash ip route add 172.16.0.0/16 via 192.168.1.2 @@ -356,11 +356,9 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou ip route show 172.16.0.0/16 ``` -### Delete Static Route - -#### To Remove a static route from the routing table +#### Removing a static route from the routing table -1. Delete the static route for 10.0.0.0/24 +1. Delete the static route for **10.0.0.0/24** ```bash ip route del 10.0.0.0/24 via 192.168.1.2 
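Review bot: The removal step in the @@ -356,11 hunk deletes `10.0.0.0/24 via 192.168.1.2`, but the route added in the preceding @@ -340,11 hunk is `172.16.0.0/16 via 192.168.1.2`; since no 10.0.0.0/24 route was ever added, `ip route del 10.0.0.0/24 via 192.168.1.2` will fail with "RTNETLINK answers: No such process". Suggest "1. Delete the static route for **172.16.0.0/16**" with `ip route del 172.16.0.0/16 via 192.168.1.2`, so the verification `ip route show` that follows actually demonstrates the removal.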
@@ -372,15 +370,12 @@ Now that you have set up the `macvtap` interfaces, you safely perform the variou ip route show ``` -## Exercise 6 - -### Deleting IP addresses - -This exercise walks through how to delete configured IP (IPv4 and IPv6) addresses on network interfaces. +### 6. Delete IP addresses -### Delete IPv4 Address +Removing IP addresses from the server is a fundamental operation for managing network security and resources. This procedure may be necessary for several reasons: mitigating DDoS attacks, revoking access to malicious users, freeing up IP addresses that are no longer in use, or complying with corporate security policies. +This exercise walks through how to delete configured IP (*IPv4* and *IPv6*) addresses on network interfaces. -#### To remove an assigned IP address from a network interface +#### Removing an assigned IPv4 address from a network interface 1. Delete the IP address on `macvtap1`. Type: @@ -394,9 +389,7 @@ This exercise walks through how to delete configured IP (IPv4 and IPv6) addresse ip address show macvtap1 ``` -### Delete IPv6 Address - -#### To remove an assigned IPv6 address from a network interface +#### Removing an assigned IPv6 address from a network interface 1. Delete the IPv6 address on `macvtap1` with this command: 
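Review bot: The rationale added in the @@ -372,15 hunk ("mitigating DDoS attacks, revoking access to malicious users") conflates removing an address configured on a local interface with blocking remote hosts; deleting 172.16.99.100/24 from `macvtap1` neither revokes anyone's access nor mitigates a flood, which is firewall and upstream filtering territory. Suggest limiting the stated reasons to ones this exercise supports: re-addressing an interface, freeing addresses no longer in use, and cleaning up temporary lab configuration.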
@@ -410,18 +403,17 @@ This exercise walks through how to delete configured IP (IPv4 and IPv6) addresse ip -6 address show macvtap1 ``` -## Exercise 7 - -### Configure Network Interfaces via `nmcli` +### 7. Configure Network Interfaces via `nmcli` +The `nmcli` (*NetworkManager Command Line Interface*) command is a tool for managing network connections. Designed to interact with *NetworkManager*, it allows you to efficiently control, configure, and monitor networks directly from the terminal, without the need for graphical interfaces. This exercise shows how to configure network interfaces using the NetworkManager tooling. !!! Note - By default, any network configuration changes done using `nmcli` (NetworkManager) will persist between system reboots. + By default, any network configuration changes done using `nmcli` will persist between system reboots. This is in contrast to the configuration changes that are done with the `ip` utility. -#### To create a `macvtap` interface using `nmcli` +#### Creating a `macvtap` interface using `nmcli` 1. Start by listing all available network devices by running: 
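Review bot: The paragraph added in the @@ -410,18 hunk ("The `nmcli` (*NetworkManager Command Line Interface*) command is a tool for managing network connections. Designed to interact with *NetworkManager* ...") restates almost word for word the `nmcli` description already added to the lab introduction in the @@ -29,15 hunk; suggest condensing this one to a single sentence or dropping it and keeping the definition in one place.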
@@ -429,13 +421,13 @@ This exercise shows how to configure network interfaces using the NetworkManager nmcli device ``` -2. Next, identify an underlying network device with which to associate the new MACVTAP interface. Save the value of the identified device in the variable $DEVICE2. Type: +2. Next, identify an underlying network device with which to associate the new *MACVTAP interface*. Save the value of the identified device in the variable `$DEVICE2`. Type: ```bash DEVICE2=$(ls -l /sys/class/net/ | grep -v 'virtual\|total' | tail -n 1 | awk '{print $9}') ``` -3. Now, create a new NetworkManager connection called `macvtap2` and an associated MACVTAP interface named - `macvtap2`. The new interface will be associated with $DEVICE2. Type: +3. Now, create a new *NetworkManager* connection called `macvtap2` and an associated MACVTAP interface named - `macvtap2`. The new interface will be associated with `$DEVICE2`. Type: ```bash nmcli con add con-name macvtap2 type macvlan mode bridge tap yes dev $DEVICE2 ifname macvtap2 
@@ -459,29 +451,29 @@ This exercise shows how to configure network interfaces using the NetworkManager ip --brief link show macvtap2 ``` - Note the output's UP state of the `macvtap` interface. + Note the output's **UP** state of the `macvtap` interface. !!! Question - What is the difference between the concept of a connection and that of a device in NetworkManager? + What is the difference between the concept of a *connection* and that of a *device* in NetworkManager? -#### To modify interface network configuration with `nmcli` +#### Modifying the network configuration of the interface with `nmcli` -1. Start by querying for the IPv4 address for the new `macvtap2` interface by running: +1. Start by querying for the *IPv4* address for the new `macvtap2` interface by running: ```bash nmcli -f ipv4.addresses con show macvtap2 ``` - The value of the ipv4.addresses property should be empty. + The value of the **ipv4.addresses** property should be empty. 2. Configure the `macvtap2` connection with these settings: - - IPv4 Method = manual - - IPv4 Addresses = 172.16.99.200/24 - - Gateway = 172.16.99.1 - - DNS Servers = 8.8.8.8 and 8.8.4.4 - - DNS Search domain = example.com + - *IPv4 Method* = **manual** + - *IPv4 Addresses* = **172.16.99.200/24** + - *Gateway* = **172.16.99.1** + - *DNS Servers* = **8.8.8.8 and 8.8.4.4** + - *DNS Search domain* = **example.com** Type: 
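Review bot: In the @@ -459,29 hunk, `ipv4.addresses` and the values in the settings list (`manual`, `172.16.99.200/24`, `172.16.99.1`, `8.8.8.8`, `example.com`) are identifiers and literals the reader must type verbatim into the `nmcli con modify` command that follows, so inline code fits them better than bold, consistent with the backticked commands in the same hunk.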
@@ -505,15 +497,15 @@ This exercise shows how to configure network interfaces using the NetworkManager !!! Question - What is the difference between these NetworkManager properties - ipv4.addresses and IP4.ADDRESS? + What is the difference between these NetworkManager properties - *ipv4.addresses* and *IP4.ADDRESS*? 5. Check the changes to the network connection using the `ip` command. Type: ```bash - ip -br address show dev macvtap2 + ip -br address show dev macvtap2 ``` -6. To properly apply the new settings and make them the new runtime values, use `nmcli` to first toggle the connection down (i.e. deactivate it). Type: +6. To properly apply the new settings and make them the new runtime values, use `nmcli` to first toggle the connection **down** (i.e. deactivate it). Type: ```bash nmcli connection down macvtap2 @@ -529,17 +521,17 @@ This exercise shows how to configure network interfaces using the NetworkManager Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6) ``` -8. View the final setting using the ip utility. Type: +8. View the final setting using the `ip` utility. Type: ```bash ip -br address show dev macvtap2 ``` -## Exercise 8 +### 8. Configure DNS Servers -### Configure DNS Servers +The **DNS** (*Domain Name System*) service is a fundamental component of computer networks, responsible for resolving *domain names* into *IP addresses* and vice versa. This enables communication within local networks and on the Internet. -#### To set DNS server addresses for the system +#### Setting a DNS server addresses for the system 1. Configure DNS servers for `macvtap1` 
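Review bot: The heading "#### Setting a DNS server addresses for the system" in the @@ -529,17 hunk has a number-agreement error; suggest "#### Setting DNS server addresses for the system". In the same section, step 1 configures DNS "for `macvtap1`" and the following context runs `nmcli con show macvtap1 | grep DNS`, but `macvtap1` was created with `ip link add` in the @@ -145,22 hunk and the only `nmcli con add` in this lab creates `macvtap2`; unless NetworkManager has generated a profile for the externally created device, `nmcli con show macvtap1` will report an unknown connection. Suggest pointing this step at `macvtap2` or stating where the `macvtap1` profile comes from.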
@@ -553,11 +545,13 @@ This exercise shows how to configure network interfaces using the NetworkManager nmcli con show macvtap1 | grep DNS ``` -## Exercise 9 +### 9. Troubleshoot network issues -### Troubleshoot network issues +Computer networks are essential for communication and data exchange, but they often encounter problems that hinder their proper functioning. These malfunctions can be caused by a variety of factors, such as configuration errors, hardware failures, or connection interference. -#### To Identify and troubleshoot common network issues +#### Identify and resolve common network issues + +Monitoring and verifying the status of network interfaces is essential to ensuring the proper functioning of a connected system. 1. Check the status of network interfaces @@ -565,13 +559,17 @@ This exercise shows how to configure network interfaces using the NetworkManager ip link show ``` -2. Test network connectivity to a remote host (e.g., google.com) +This step allows you to verify whether a device can reach another node on the network, be it a server, router, or another client. + +2. Test network connectivity to a remote host (e.g., *google.com*) ```bash ping google.com ``` -3. Try pinging the local gateway. Type: +Pinging the local gateway is an essential test to ensure that the connection between a device and its default router is working properly. The gateway is the access point to external networks, and a malfunction at this stage can prevent access to the Internet or other subnets. + +3. Try pinging the local *gateway*. Type: ```bash ping _gateway 
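Review bot: The explanatory paragraphs inserted between numbered steps in the @@ -565,13 hunk are not indented, so in Markdown they terminate the ordered list and steps 2 and 3 are liable to render as new lists; indent them four spaces to keep them inside the preceding item, or move each description into the step it describes. Also, "This step allows you to verify whether a device can reach another node" sits after step 1 (`ip link show`) but describes step 2 (`ping google.com`); rephrase as "The next step ..." or attach it to step 2.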
@@ -579,11 +577,13 @@ This exercise shows how to configure network interfaces using the NetworkManager !!! Question - Through what mechanism is your system able to correctly resolve the name `_gateway` to the proper IP address for your locally configured default gateway? + Through what mechanism is your system able to correctly resolve the name `_gateway` to the proper *IP address* for your locally configured *default gateway*? -### View Active Connections +#### View Active Connections -#### To List all active network connections +Active network connections represent open communication channels between your computer and other devices or services on the network. These connections can be local (within the same machine) or remote (to external servers or clients). + +#### Listing all active network connections 1. List all active network connections @@ -591,9 +591,12 @@ This exercise shows how to configure network interfaces using the NetworkManager ss -tuln ``` -### Monitor Network Traffic +#### Monitor Network Traffic + +Network traffic in Linux represents the set of data exchanged between a system and the network, both incoming and outgoing. This flow of information is essential for the functioning of services such as the web, email, file transfer, and communication between devices. +Monitoring and managing these informations is critical to ensuring security, debugging, and optimizing network performance. -#### To monitor network traffic in real-time +#### Monitoring network traffic in real-time 1. Capture network traffic on a specific interface (e.g., `macvtap1`) 
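Review bot: In the @@ -591,9 hunk, "Monitoring and managing these informations" should be "this information" ("information" has no plural). Both this hunk and the @@ -579,11 hunk also leave two consecutive H4 headings for one topic ("#### Monitor Network Traffic" immediately followed by "#### Monitoring network traffic in real-time", "#### View Active Connections" followed by "#### Listing all active network connections"); now that the topic heading is H4, either merge the pair into one heading or demote the procedure heading so the hierarchy matches the rest of the lab.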
@@ -603,9 +606,11 @@ This exercise shows how to configure network interfaces using the NetworkManager Analyze captured packets and observe network activity. You can stop the packet capture when done by pressing ++ctrl+c++ -### View Network Logs +#### View Network Logs + +Network logs are essential for monitoring, troubleshooting, and system security. Every time a data packet is sent or received over the network, the operating system records detailed information about these activities. These logs help system administrators identify suspicious connections, configuration errors, and potential security threats. -#### To view NetworkManager daemon related logs for troubleshooting +#### Viewing NetworkManager daemon logs for troubleshooting 1. View network-related logs diff --git a/docs/labs/systems_administration_I/lab6-user_and_group_management.md b/docs/labs/systems_administration_I/lab6-user_and_group_management.md index 1f7ed027a4..be93584129 100644 --- a/docs/labs/systems_administration_I/lab6-user_and_group_management.md +++ b/docs/labs/systems_administration_I/lab6-user_and_group_management.md @@ -1,6 +1,7 @@ --- -author: Wale Soyinka -contributors: Steven Spencer, Ganna Zhyrnova +author: Wale Soyinka +title: Lab 6 - User and group management +contributors: Steven Spencer, Ganna Zhyrnova, Franco Colussi tested on: All versions tags: - introduction system administration @@ -9,8 +10,6 @@ tags: - groups --- -# Lab 6: User and group management - ## Objectives After completing this lab, you will be able to @@ -28,7 +27,7 @@ User management is important in any multi-user network operating system. Linux i Managing users on a system is intricately tied to the system's security. There is an old saying that: ->A system is as secure as its weakest user. +> A system is as secure as its weakest user. Linux inherits the old UNIX tradition of governing access to files, programs and other resources on a per-user and per-group basis. 
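Review bot: The paragraph added in the @@ -603,9 hunk claims that "Every time a data packet is sent or received over the network, the operating system records detailed information about these activities", which is not true of a default Linux system; packet-level visibility in this lab comes from the capture step in the previous hunk, while this step reads NetworkManager daemon logs. Suggest rewording to what the journal actually records: NetworkManager events such as link state changes, DHCP leases, and DNS configuration updates.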
@@ -38,7 +37,7 @@ We'll also briefly examine file permissions and ownership. Important user and group management files are below. Some of the fields or entries in the files are also discussed. -### /etc/passwd +### `/etc/passwd` - **Purpose:** user account information - **Content:** @@ -50,7 +49,7 @@ Important user and group management files are below. Some of the fields or entri - user home directory - default shell -### /etc/shadow +### `/etc/shadow` - **Purpose:** secure user account information - **Content:** @@ -64,7 +63,7 @@ Important user and group management files are below. Some of the fields or entri - days since Jan. 1, 1970 when account will be disabled - reserved -### /etc/group +### `/etc/group` - **Purpose:** group information - **Content:** @@ -73,7 +72,7 @@ Important user and group management files are below. Some of the fields or entri - the group id (GID) - list of users belonging to the group -### /etc/skel +### `/etc/skel` - **Purpose:** Stores templates to be applied to new accounts 
@@ -83,94 +82,101 @@ Some common utilities used in the day-to-day user and group management tasks are ### `useradd` - ```bash +- The `useradd` command is a user management tool that allows system administrators to create new user accounts directly from the command line. + ```bash Usage: useradd [options] LOGIN useradd -D useradd -D [options] Options: --badname do not check for bad names - -b, --base-dir BASE_DIR base directory for the home directory of the new account - --btrfs-subvolume-home use BTRFS subvolume for home directory - -c, --comment COMMENT GECOS field of the new account - -d, --home-dir HOME_DIR home directory of the new account - -D, --defaults print or change default useradd configuration - -e, --expiredate EXPIRE_DATE expiration date of the new account - -g, --gid GROUP name or ID of the primary group of the new account - -G, --groups GROUPS list of supplementary groups of the new account - -h, --help display this help message and exit - -k, --skel SKEL_DIR use this alternative skeleton directory - -K, --key KEY=VALUE override /etc/login.defs defaults - -l, --no-log-init do not add the user to the lastlog and faillog databases - -m, --create-home create the user's home directory - -M, --no-create-home do not create the user's home directory - -N, --no-user-group do not create a group with the same name as the user - -o, --non-unique allow to create users with duplicate (non-unique) UID - -p, --password PASSWORD encrypted password of the new account - -r, --system create a system account - -R, --root CHROOT_DIR directory to chroot into - -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files - -s, --shell SHELL login shell of the new account - -u, --uid UID user ID of the new account - -U, --user-group create a group with the same name as the user - -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping + -b, --base-dir BASE_DIR base directory for the home directory of the new account + 
--btrfs-subvolume-home use BTRFS subvolume for home directory + -c, --comment COMMENT GECOS field of the new account + -d, --home-dir HOME_DIR home directory of the new account + -D, --defaults print or change default useradd configuration + -e, --expiredate EXPIRE_DATE expiration date of the new account + -g, --gid GROUP name or ID of the primary group of the new account + -G, --groups GROUPS list of supplementary groups of the new account + -h, --help display this help message and exit + -k, --skel SKEL_DIR use this alternative skeleton directory + -K, --key KEY=VALUE override /etc/login.defs defaults + -l, --no-log-init do not add the user to the lastlog and faillog databases + -m, --create-home create the user's home directory + -M, --no-create-home do not create the user's home directory + -N, --no-user-group do not create a group with the same name as the user + -o, --non-unique allow to create users with duplicate (non-unique) UID + -p, --password PASSWORD encrypted password of the new account + -r, --system create a system account + -R, --root CHROOT_DIR directory to chroot into + -P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files + -s, --shell SHELL login shell of the new account + -u, --uid UID user ID of the new account + -U, --user-group create a group with the same name as the user + -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping ``` ### `groupadd` +- The `groupadd` command is a utility for managing user groups on the system. Available in most Linux distributions, this command allows administrators to create new groups, specifying options such as the GID (Group ID), the group name, and other properties. 
+ ```bash Usage: groupadd [options] GROUP - + Options: - -f, --force exit successfully if the group already exists, and cancel -g if the GID is already used - -g, --gid GID use GID for the new group - -h, --help display this help message and exit - -K, --key KEY=VALUE override /etc/login.defs defaults - -o, --non-unique allow to create groups with duplicate (non-unique) GID - -p, --password PASSWORD use this encrypted password for the new group - -r, --system create a system account - -R, --root CHROOT_DIR directory to chroot into - -P, --prefix PREFIX_DI directory prefix - -U, --users USERS list of user members of this group + -f, --force exit successfully if the group already exists, and cancel -g if the GID is already used + -g, --gid GID use GID for the new group + -h, --help display this help message and exit + -K, --key KEY=VALUE override /etc/login.defs defaults + -o, --non-unique allow to create groups with duplicate (non-unique) GID + -p, --password PASSWORD use this encrypted password for the new group + -r, --system create a system account + -R, --root CHROOT_DIR directory to chroot into + -P, --prefix PREFIX_DIR directory prefix + -U, --users USERS list of user members of this group ``` ### `passwd` +- The `passwd` command is a tool for managing user passwords. It allows users to change their own passwords, while administrators (root) can reset other accounts' passwords, manage password expiration, and configure security policies. + ```bash Usage: passwd [OPTION...] 
- -k, --keep-tokens keep non-expired authentication tokens - -d, --delete delete the password for the named account (root only); also removes password lock if any - -l, --lock lock the password for the named account (root only) - -u, --unlock unlock the password for the named account (root only) - -e, --expire expire the password for the named account (root only) - -f, --force force operation - -x, --maximum=DAYS maximum password lifetime (root only) - -n, --minimum=DAYS minimum password lifetime (root only) - -w, --warning=DAYS number of days warning users receives before password expiration (root only) - -i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only) - -S, --status report password status on the named account (root only) - --stdin read new tokens from stdin (root only) + + Options: + -k, --keep-tokens keep non-expired authentication tokens + -d, --delete delete the password for the named account (root only); also removes password lock if any + -l, --lock lock the password for the named account (root only) + -u, --unlock unlock the password for the named account (root only) + -e, --expire expire the password for the named account (root only) + -f, --force force operation + -x, --maximum=DAYS maximum password lifetime (root only) + -n, --minimum=DAYS minimum password lifetime (root only) + -w, --warning=DAYS number of days warning users receives before password expiration (root only) + -i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only) + -S, --status report password status on the named account (root only) + --stdin read new tokens from stdin (root only) Help options: - -?, --help Show this help message - --usage Display brief usage message + -?, --help Show this help message + --usage Display brief usage message ``` -## Exercise 1 +## Exercises -### Manually creating a new user +### 1. 
Manually create a new user -So far, throughout the previous labs, you have been using the system as the most powerful user on the system – the `root` user. This is not good practice in a production system because it makes the system vulnerable, security-wise. The root user can, do and undo unlimited damage to the system. +So far, throughout the previous labs, you have been using the system as the most powerful user on the system – the **root** user. This is not good practice in a production system because it makes the system vulnerable, security-wise. The root user can, do and undo unlimited damage to the system. Other than the superuser, every other user has limited access to files and directories. Always use your machine as a normal user. Two confusing concepts will be made clear here. -- Firstly the home directory of the root user is “ /root “. -- Secondly the root directory is the topmost directory, known as the / (slash) directory. - (“/root” is different from “/ “) +- Firstly the home directory of the root user is `/root`. +- Secondly the root directory is the topmost directory, known as the `/` (slash) directory. + (`/root` is different from `/` “) -In this lab you will create a new user called “Me Mao”. The user name for “Me Mao" will be the first name - “me”. This new user will belong to the group “me”. The password will be “a1b2c3” +In this lab you will create a new user called “Me Mao”. The user name for “Me Mao" will be the first name - “**me**”. This new user will belong to the group “**me**”. The password will be “**a1b2c3**” !!! Warning 
@@ -188,13 +194,13 @@ In this lab you will create a new user called “Me Mao”. The user name for gdm:x:42:42::/var/gdm:/sbin/nologin ``` - You will edit the passwd file using the format displayed above. +You will edit the *passwd file* using the format displayed above. -#### To create the user +#### Creating the user 1. We will need to edit the `/etc/passwd` file. - Launch your editor of choice and open up the file “/etc/passwd” + Launch your editor of choice and open up the file `/etc/passwd` Add the text below to the bottom or end of the file: @@ -202,10 +208,10 @@ In this lab you will create a new user called “Me Mao”. The user name for me:x:500:500:me mao:/home/me:/bin/bash ``` -2. Save your changes and close the passwd file. +2. Save your changes and close the `etc/passwd` file. -3. Next we'll edit the `/etc/shadow` file. - Launch your editor and open up the “/etc/shadow” file. +3. Next we'll edit the `/etc/shadow` file. + Launch your editor and open up the `/etc/shadow` file. Add a new entry like the one below to the bottom of the file - put an asterisk (*) in the password field. Type: ```bash 
@@ -222,25 +228,25 @@ In this lab you will create a new user called “Me Mao”. The user name for me:x:1000:me ``` -6. Save your changes and close the group file. +6. Save your changes and close the *group file*. 7. Time to create the home directory. - Copy the entire contents of the “/etc/skel” directory into /home directory, renaming the new directory to the name of the user i.e. “/home/me”. Type: + Copy the entire contents of the `/etc/skel` directory into `/home` directory, renaming the new directory to the name of the user i.e. `/home/me`. Type: ```bash [root@localhost root]# cp -r /etc/skel /home/me ``` -8. The root user owns the directory you just created, because she created it. In order for the user “me mao” to be able to use the directory you will change the permissions/ownership of the folder. Type: +8. The root user owns the directory you just created, because she created it. In order for the user “Me Mao” to be able to use the directory you will change the permissions/ownership of the folder. Type: ```bash [root@localhost root]# chown -R me:me /home/me ``` -9. Create a password for the user. Set the value of the password to be `a!b!c!d!`. - You will use the “passwd” utility. - Type “passwd” and follow the prompts +9. Create a password for the user. Set the value of the password to be **a!b!c!d!**. + You will use the `passwd` utility. + Type “**passwd me**” and follow the prompts ```bash [root@localhost root]# passwd me 
@@ -252,25 +258,19 @@ In this lab you will create a new user called “Me Mao”. The user name for 10. Logout of the system when you are done. -## Exercise 2 - -### Automatically creating a new user +### 2. Automatically creating a new user There are loads of utilities available to simplify all the tasks/steps that we manually performed in the previous exercise. We only walked through the manual process of creating a user, so that you can see what actually goes on in the background. -In this exercise we will use some common utilities to manage and simplify the process. - -You will create another user account for the user “Ying Yang” the login name will be “ying”. - -And the password for "ying" will be “y@i@n@g@”. - -You will also create a group called “common” and add the user "me" and "ying" to the group. +In this exercise we will use some common utilities to manage and simplify the process. You will create another user account for the user “**Ying Yang**” the login name will be **ying**. +And the password for **ying** will be **y@i@n@g@**. +You will also create a group called “**common**” and add the user **me** and **ying** to the group. #### To automatically create a new account 1. Login to the system as root. -2. You will create the user ying using all the defaults of the `useradd` command. Type: +2. You will create the user **ying** using all the defaults of the `useradd` command. Type: ```bash [root@localhost root]# useradd -c "Ying Yang" ying @@ -289,7 +289,7 @@ You will also create a group called “common” and add the user "me" and "ying List the new entry here? -4. The user ying will not be able to login to the system until you create a password for the user. Set ying's password to be `y@i@n@g@`. Type: +4. The user **ying** will not be able to login to the system until you create a password for the user. Set ying's password to be **y@i@n@g@**. Type: ```bash [root@localhost root]# passwd ying 
@@ -306,16 +306,16 @@ You will also create a group called “common” and add the user "me" and "ying uid=1000(me) gid=1000(me) groups=1000(me) ``` -6. Do the same thing for the user ying. Type: +6. Do the same thing for the user **ying**. Type: ```bash [root@localhost root]# id ying - uid=501(ying) gid=501(ying) groups=501(ying) + uid=1001(ying) gid=1001(ying) groups=1001(ying) ``` #### To automatically create a new group -1. Use the `groupadd` program to create the new group “common”. +1. Use the `groupadd` program to create the new group **common**. ```bash [root@localhost root]# groupadd common 
@@ -327,34 +327,34 @@ You will also create a group called “common” and add the user "me" and "ying What is the command to do this? -3. Use the `usermod` command to add an existing user to an existing group. Let's add the user ying to the `common` group we just created in Step 1. Type: +3. Use the `usermod` command to add an existing user to an existing group. Let's add the user **ying** to the **common** group we just created in Step 1. Type: ```bash [root@localhost root]# usermod -G common -a ying ``` -4. Do the same things for the user me. Type: +4. Do the same things for the user **me**. Type: ```bash [root@localhost root]# usermod -G common -a me ``` -5. Run the `id` command again on the users “ying” and "me". +5. Run the `id` command again on the users **ying** and **me**. !!! Question What has changed? -6. Use the `grep` command to view changes to the `common` group entry in the file. Type: +6. Use the `grep` command to view changes to the **common** group entry in the file. Type: - ```bash + ```bash [root@localhost root]# grep common /etc/group - common:x:1002:ying,me + common:x:1002:ying,me ``` #### To modify a user account -1. Use the `usermod` command to change the comment field for the user “me”. The new comment you will add will be “first last”. Type: +1. Use the `usermod` command to change the comment field for the user **me**. The new comment you will add will be “**first last**”. Type: ```bash [root@localhost root]# usermod -c "first last" me 
@@ -368,15 +368,15 @@ You will also create a group called “common” and add the user "me" and "ying !!! Question - What is the user me’s login shell? + What is the user **me**’s login shell? -2. Use the `usermod` command again to change me’s login shell to the csh shell. Type: +2. Use the `usermod` command again to change **me**’s login shell to the `csh` shell. Type: ```bash [root@localhost root]# usermod -s /bin/csh me ``` -3. Finally use the `usermod` command to undo all the changes you made to the user “me” above. +3. Finally use the `usermod` command to undo all the changes you made to the user **me** above. Restore the values ( login shell etc..) to their original values. 
@@ -384,53 +384,49 @@ You will also create a group called “common” and add the user "me" and "ying What are the commands to do this? -## Exercise 3 - -### Set user +### 3. Setting user -It is not always convenient to log completely out of the system completely to log in as another user. This may be because you have certain tasks running and you don’t want to end them. The `su` (set user) program is used to become another user temporarily. You can “su” from a regular user account to the root account or vice-versa. +It is not always convenient to log completely out of the system completely to log in as another user. This may be because you have certain tasks running and you don’t want to end them. The `su` (*set user*) program is used to become another user temporarily. You can “su” from a regular user account to the root account or vice-versa. It changes the current user to have the access rights of the temporary user. -The HOME, LOGNAME, and USER environment variables will be set to those of the temporary user by default. +The *HOME*, *LOGNAME*, and *USER* environment variables will be set to those of the temporary user by default. #### To temporarily become another user -1. While logged in as the root user, switch to the user “me”. Type: +1. While logged in as the root user, switch to the user **me**. Type: ```bash - [root@localhost root]# su me - + [root@localhost root]# su me [me@localhost root]$ ``` - The `su` command did not prompt you for the user me’s password because you are root + The `su` command did not prompt you for the user **me**’s password because you are root -2. Change to me’s home directory. +2. Change to **me**’s home directory. ```bash [me@localhost root]$ cd - [me@localhost me]$ cd ``` -3. While temporarily logged in as me, use `su` to login as the user ying. Type: +3. While temporarily logged in as **me**, use `su` to login as the user **ying**. 
Type: ```bash - [me@localhost me]$ su ying + [me@localhost me]$ su ying password: [ying@localhost me]$ ``` -4. To logout of ying’s account type: +4. To logout of **ying**’s account type: ```bash [ying@localhost me]$ exit ``` - This will throw you back into me’s account. + This will throw you back into **me**’s account. -5. Logout of me’s account to get back to the root account. +5. Logout of **me**’s account to get back to the root account. !!! question @@ -442,12 +438,11 @@ The HOME, LOGNAME, and USER environment variables will be set to those of the te ```bash [root@system1 root]# su - me - [me@system1 me]$ ``` - The difference is immediately obvious. Notice the current working directory. + The difference is immediately obvious. Notice the current *working directory*. -2. Logout of the system completely and reboot the machine. +2. Logout of the system completely and **reboot** the machine. 3. All done with Lab 6!
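Review bot: in the hunk at `@@ -83,94 +82,101 @@`, the rewritten line "(`/root` is different from `/` “)" keeps a stray closing curly quote after the backticked `/`; it should end "(`/root` is different from `/`)". In the same hunk the new heading `### 1. Manually create a new user` does not match the gerund form of `### 2. Automatically creating a new user` and `### 3. Setting user`; keeping the original wording as `### 1. Manually creating a new user` makes the three consistent. Also, the one-sentence descriptions added under `useradd`, `groupadd` and `passwd` are each formatted as a single-item bullet ("- The `useradd` command is ...") with the usage block indented beneath it; a plain paragraph followed by the code block renders more cleanly and avoids indenting the usage text as list content.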
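Review bot: in the hunk at `@@ -188,13 +194,13 @@`, the heading `#### To create the user` is renamed to `#### Creating the user`, but the sibling headings `#### To automatically create a new account`, `#### To automatically create a new group`, `#### To modify a user account` and `#### To temporarily become another user` keep the original form; either rename all of them or leave this one as it was so the sub-headings inside the exercises stay consistent.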
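Review bot: in the hunk at `@@ -202,10 +208,10 @@`, step 2 now reads "Save your changes and close the `etc/passwd` file."; the path is missing its leading slash and should be `/etc/passwd`, as written in step 1 and as `/etc/shadow` is written in step 3.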
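Review bot: in the hunk at `@@ -222,25 +228,25 @@`, step 9 sets the password for **me** to **a!b!c!d!**, while the exercise introduction rewritten in the `@@ -83,94 +82,101 @@` hunk states the password will be **a1b2c3**; the two values should agree. In the same step, "Type “**passwd me**” and follow the prompts" wraps a command in quotes and bold, whereas the rest of this change puts commands and paths in inline code; `passwd me` in backticks matches that convention.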
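Review bot: in the hunk at `@@ -252,25 +258,19 @@`, merging the three sentences into one block leaves the run-on "for the user “**Ying Yang**” the login name will be **ying**." with no punctuation between the two clauses; a semicolon or full stop after the name is needed. The following sentence, "add the user **me** and **ying** to the group", should read "users" since two accounts are named.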
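Review bot: in the hunk at `@@ -306,16 +306,16 @@`, changing the `id ying` output to `uid=1001(ying) gid=1001(ying) groups=1001(ying)` is consistent with `uid=1000(me) gid=1000(me)` shown just above and with `common:x:1002:ying,me` later in the file, but the `/etc/passwd` entry the reader adds by hand in Exercise 1 still reads `me:x:500:500:me mao:/home/me:/bin/bash` while the `/etc/group` entry is `me:x:1000:me`; with those values `id me` would not print `uid=1000(me) gid=1000(me)`. Updating the passwd line to `me:x:1000:1000:me mao:/home/me:/bin/bash` makes the manual exercise and the shown output agree.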
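Review bot: in the hunk at `@@ -384,53 +384,49 @@`, the sentence "It is not always convenient to log completely out of the system completely to log in as another user." repeats "completely"; since the line is touched anyway, drop one of them. In the same hunk, "use `su` to login as the user **ying**" and the steps "Logout of **ying**’s account" and "Logout of **me**’s account" use the noun forms where a verb is needed ("log in", "Log out").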