Linux Upskill Challenge – Part 03

Time to complete: ~1-1.5 hours

Working with Sudo, The /etc/shadow File, Hostname Change, TimeZone Settings

Let’s start at the top: what is sudo? You may have heard of it, you may not have, but it is an integral part to being a Linux administrator. Sudo is a program that allows a user to run other programs/commands as another user, usually the root user. This is authenticated with the credentials of the user you are running as. So, what does this afford us? Why not just log in as the root user and do your bidding straight from the root account? Well, there’s a few reasons why using sudo is beneficial:

  • You aren’t giving out your root password to other admins and users.
  • On systems where sudo is being utilized the root user itself can be disabled, heightening security.
  • There is an audit trail of all sudo activity in the form of logs.
  • You can limit users to have access to certain programs using sudo, further restraining privileges in the interest of security.
  • The process of running a sudo command offers a little buffer that promotes “think before you leap”.
  • Sudo authentication expires automatically, requiring the input of the user password again. Leaving a machine unattended (!!!) is less of a risk than if the root user was left logged in.

So how does this work? How do I use sudo? It’s simple. Just type sudo before the command you wish to run as root in terminal, enter your account password (your password, not the root password), and the command will be executed with root privileges. Easy to use? You bet.

But what’s really going on? Well, if we take a look at the sudo binary we’ll notice something a little peculiar about the permissions. Use the which command to see where sudo actually lives, then use ls -l to check permissions.

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>which sudo
/usr/bin/sudo
__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 166056 Jul 15 00:17 /usr/bin/sudo

In the permissions for the sudo binary, notice the “s” in the fourth column? This SetUID bit means that instead of the binary being invoked by the user it will be executed as the user who owns the binary, in this case, root.

So what sudo does is check the sudoers file /etc/sudoers and sees if the user who invoked sudo is on the party list. If so, and the credentials aren’t already cached (we’ll get to that in a moment), the invoking user will be prompted for their password. Entering this password will allow the command to execute as the root user. This password will be cached for 5 minutes (5 minutes is the default on most Linux systems) meaning that within this window you can run more sudo commands without having to enter your password. Sudo creates a child process where it changes the target user (again root) and then the command is executed.

If you were thinking that users need to be explicitly added to the sudoers file and that they weren’t on it by default you’d be right. So how do we grant access to sudo? It’s as easy as modifying the sudoers file itself by adding an entry for either the specific user or for a user group. It’s a no brainer that this needs to be done as the root user! Run sudo nano /etc/sudoers and enter your password to open the sudoers file in a the nano editor.

Scroll down a bit and you’ll notice there are three sections we should be concerned with here. The “User privilege specification” section is where users are listed along with what sudo permissions they have. The two sections below that govern group membership permissions to sudo, in this case the admin and sudo groups have full access. The permissions are broken down as follows:

USER ALL=(ALL:ALL) ALL
 1    2    3   4    5
  1. The username whom is getting sudo access. Groups are prefaced with a percent sigh (%).
  2. Hosts you can run sudo commands on.
  3. The target users you are allowed to run commands as.
  4. The list of groups you can switch to using the -g switch.
  5. The commands you can run.

Here’s an example of a sudoers entry that is a bit more granular:

%localadmin desktop1,desktop2=(root) /usr/bin/rm /usr/bin/hostname

Here we specify that users in the localadmin group can run the rm and hostname commands as root on 2 machines: desktop1 and desktop2.

Let’s use sudo to play around with the file that user passwords are hashed and stored in. First let’s check the permissions. Password hashes are stored in /etc/shadow.

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>ls -l /etc/shadow
-rw-r----- 1 root shadow 1163 Aug 19 11:55 /etc/shadow

You’ll notice root owns this file. Let’s try to see the contents of this file:

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>cat /etc/shadow
cat: /etc/shadow: Permission denied

Oh noes. DENIED. Let’s use sudo then. You can use either of these two commands, the latter being a nifty shortcut that runs the last command run:

sudo cat /etc/shadow
sudo !!

If you take a look at the output you’ll notice a line for every user on the system. Most will be built in system accounts for services and whatnot but you should see an entry for your user. Mine looks similar to this:

__________________________________________________________________________
|dpaluszek@upskillchallenge:~ -bash v5.0==>sudo cat /etc/shadow
[sudo] password for dpaluszek: 
root:*:18474:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
sys:*:18474:0:99999:7:::
sync:*:18474:0:99999:7:::
games:*:18474:0:99999:7:::
man:*:18474:0:99999:7:::
lp:*:18474:0:99999:7:::
mail:*:18474:0:99999:7:::
news:*:18474:0:99999:7:::
uucp:*:18474:0:99999:7:::
proxy:*:18474:0:99999:7:::
www-data:*:18474:0:99999:7:::
backup:*:18474:0:99999:7:::
list:*:18474:0:99999:7:::
irc:*:18474:0:99999:7:::
gnats:*:18474:0:99999:7:::
nobody:*:18474:0:99999:7:::
systemd-network:*:18474:0:99999:7:::
systemd-resolve:*:18474:0:99999:7:::
systemd-timesync:*:18474:0:99999:7:::
messagebus:*:18474:0:99999:7:::
syslog:*:18474:0:99999:7:::
_apt:*:18474:0:99999:7:::
tss:*:18474:0:99999:7:::
uuidd:*:18474:0:99999:7:::
tcpdump:*:18474:0:99999:7:::
landscape:*:18474:0:99999:7:::
pollinate:*:18474:0:99999:7:::
systemd-coredump:!!:18483::::::
dpaluszek:$6$8idosMX/U8UD2kb3$SxDlPIXxNHwY1H6ziW4WV1osagxyyw0d.YBkFFONOVO5smQAsmdd5BcVnD7lGUQiq89o56JK6DUp7/r0hiZiA.:18483:0:99999:7:::
lxd:!:18484::::::
sshd:*:18485:0:99999:7:::
mmessier:$6$8idosMX/U8UD2kb3$SxDlPIXxNHwY1H6ziW4WV1osagxyyw0d.YBkFFONOVO5smQAsmdd5BcVnD7lGUQiq89o56JK6DUp7/r0hiZiA.:18493:0:99999:7:::

Let’s break down our entry for our secondary user mmessier (Note I truncated the password hash to make this easier to read):

mmessier:$6$8idosMb3..../r0hiZiA.:18493:0:99999:7:::
    1   :           2            :  3  :4:  5  :6:7:8:9

Break down this line by section (between colons, there’s a total of 9 fields) and note what each represents:

  1. Username – The username on the system.
  2. Encrypted password – This is a hash of the password prefaced with what type of encryption is being used, delimited by dollar signs. These are the little encryption codes:
    • $1$ – MD5
    • $2a$ – Blowfish
    • $2y$ – Eksblowfish
    • $5$ – SHA-256
    • $6$ – SHA-512
  3. Date of Last Password Change – The date of the last password change, expressed as the number of days since Jan 1, 1970.
  4. Minimum Password Age – The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.
  5. Maximum Password Age – The maximum password age is the number of days after which the user will have to change her password.
  6. Password Warning Period – The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.
  7. Password Inactivity Period – The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login).
  8. Account Expiration Date – The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
  9. Reserved Field – This field is reserved for future use.

You can see why this file is owned by the root account. It contains sensitive information that should not be readily available to regular users. Attempts to crack the hash could be perpetrated should those hashes be exposed. I would also recommend not editing this file by hand unless you really know what you are doing. It is always a better idea to manipulate the contents of thi file using commands like passwd and chage.

Moving on.

Let’s restart our machine using the reboot command:

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.

Denied again! Looks like we’ll have to sudo this one too. Run either of these to reboot the machine:

sudo shutdown -r now
sudo reboot

Use the uptime command to verify the machine did indeed reboot.

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>uptime
 14:04:44 up 0 min,  1 user,  load average: 0.98, 0.24, 0.08

Excellent. Reboots are healthy, after all.

The sudo command logs its actions for your review. Let’s take a look at the log file /vat/log/auth.log after running a command as root.

__________________________________________________________________________
|dpaluszek@upskill:~ -bash v5.0==>sudo hostname
[sudo] password for dpaluszek: 
upskill

Cool. Let’s now cat the auth file and see what it shows:

Notice the entry for when I ran hostname? This audit trail proves useful in the sysadmin setting. It is also useful to see what commands you have run in the past, in the event you break things.

Sep 11 14:07:19 upskill sudo: dpaluszek : TTY=pts/0 ; PWD=/home/dpaluszek ; USER=root ; COMMAND=/usr/bin/hostname

Alternatively you can just grep sudo from the file in order to just grab the information you wish to see with grep sudo /var/log/auth.log.

Now that we have a grasp on how sudo works and what it can do for us let’s move on to renaming our machine.

Linux Upskill Challenge – Part 02

Assign a Static IP Address, Customizing Your Bash Prompt & Misc Commands

Time to complete: ~1-1.5 hours

Welcome back! In this installment of the Linux Upskill Challenge we’ll be completing a few tasks:

  • Assigning a static IP to your Ubuntu virtual machine.
  • Customizing your bash prompt.
  • Doing some Ubuntu user management.
  • Playing with some more common commands.

Static IP Addressing

By now you may have noticed that rebooting your Ubuntu vm may result in it receiving a new IP address each time. This is annoying since you will need to log into Ubuntu via your hypervisor console to find out what the IP is before you can SSH into it. So let’s set a static IP address shall we?

Like most things in Linux we’ll need to edit a configuration file to accomplish our task of setting a static IP address. We’ll edit the /etc/netplan/00-installer-config.yaml file using nano:

sudo nano /etc/netplan/00-installer-config.yaml

Using nano, edit the configuration file as shown, entering your own network information. It is important to note that you cannot use tabs within yaml files, so use spaces to justify any text:

Enter your network details.

There are two ways to finalize this. You can either restart netplan:

sudo netplan apply

Or you can reboot your machine:

sudo shutdown -r now

Note that reapplying netplan settings will break your SSH connection so you will need to restart your SSH session using your newly configured IP address.

Again if you find your machine inaccessible you can always log into it using the VirtualBox console so you can fix the netplan file.

Verify your network settings with any of the following commands (they all result in the same output):

ip address show
ip add show
ip a

Fun fact: Ubuntu versions prior to 17 didn’t use netplan and its associated yaml file but instead used a configuration file: /etc/network/interfaces so take note! Encountering older operating systems is common in the sysadmin world.

Let’s move on to tinkering with your bash prompt, shall we?

Linux Upskill Challenge – Part 01

Ethernet Management – SSH

Time to complete: ~1.5-2 hours

Welcome back! In this installment of the Linux Upskill Challenge we’ll be completing a few tasks:

  • Configuring VirtualBox to allow traffic from our VM to our local network.
  • Patching the system.
  • Install SSH and test access.
  • Configure SSH for remote access in a more secure way.
  • Review some basic commands that let us gain insight into our system.

VirtualBox Ethernet Settings

VirtualBox by default put our vm onto a segregated network that it created specifically for this vm. While our vm can access the Internet through this connection we cannot speak to it from any devices on our local network. The goal here is to access our Ubuntu box via SSH (secure shell protocol) from another machine, and for that we need network accessibility. While my vm can hit network objects on my local LAN I cannot see my vm from my local LAN. To make the change in VirtualBox do the following:

From the VirtualBox main screen highlight your Ubuntu vm and click “Settings”, then click the “Network” tab up top.
Change the “Attached to:” dropdown from “NAT” to “Bridged Adapter”.
Verify that the “Name” dropdown lists the connection your host machine is using to connect to your network. I am on a laptop, so I am using my laptop’s WiFi connection. If you are on a desktop select your Ethernet port.

Now that we have that out of the way done start up your vm and log in. Let’s check the IP address, shall we? Run this command:

ip address show

You should get the following output:

Your vm IP address will follow “inet” Note that 127.0.0.1 is the TCP/IP loopback address.

Verify that the IP of your vm is part of your local subnet and if so we are clear to move on.

Linux Upskill Challenge – Part 00

Learn the skills required to sysadmin a remote Linux server from the command line.

Time to complete: 1-1.5 hours

So I found this thing on Reddit: Linux Up Skill Challenge
It’s a 20 part series on Linux administration. It starts by doing some basics but evolves into doing slightly more complicated, and useful, tasks. This is all done on a headless (no GUI it’s all command line) Linux system. Pretty neat! Shall we delve into it? Let’s start learning!
I mapped this out and figured I could write a post on each section of the challenge. There’s some areas I can dip into more deeply, and I added some cool little things here and there to help round things out. In this first segment I’ll explain some basics:

  • What is virtualization?
  • What is VirtualBox?
  • What are some common Linux distributions or “distros”?
  • What other options are there for spinning up a virtual machine?

Then we’ll get into some hands on stuff:

  • What is the process for using VirtualBox to create a Linux virtual machine?
  • What are the steps to installing a Linux distro?

Virtualization and Hypervisors

Before we get into playing with Linux we need to get a machine up and running. Back in the old days spinning up a machine was accomplished by downloading an ISO installation file for the operating system of your choice (Linux, Windows, etc), burning it to a CD, then throwing that CD into your optical drive and booting your computer from it. From here you would undergo the installation process for your operating system, installing it onto a hard drive in your computer.

Well, since virtualization hit the scene those days are pretty much over. So what is virtualization? What is a “virtual machine”? Simply put virtualization is the act of creating a virtual instance of things like operating systems, networks, and even application code, as opposed to creating an actual instance. While many forms of virtualization exist the most common form, and the one generally referred to when speaking about virtualization, is hardware virtualization. In the old days as I mentioned you would “actually” install an operating system on physical hardware. Nowadays with virtualization you can install an operating system (or even multiple) on a layer of abstraction on top of the hardware. This installed instance of an operating system is called a virtual machine. The layer of abstraction managing the hardware and virtual operating system is done by the hypervisor. The hypervisor sits between the hardware and the installed operating system(s). The hypervisor is in charge of allocating resources to your installed operating systems. It orchestrates, so to speak, to ensure all virtual instances get the resources they require. There are two flavors of hypervisors: Type 1 and Type 2. Type 1 hypervisors are low level and are installed directly onto hardware. One of the most common Type 1 hypervisors is VMware’s ESXi. This is used heavily in the enterprise setting. Another Type 1 hypervisor, this one Linux based and open source, is called Proxmox. A Type 2 hypervisor runs in an installed operating system as a piece of software. Examples include Microsoft’s Hyper-V and Oracle’s VirtualBox. We’ll be using VirtualBox in this demonstration considering it is available freely on many platforms. I mentioned that I am running a MacOS machine but you can follow along if you are on Windows too, using VirtualBox.

Common Linux Flavors

There are TONS of Linux distributions out there. For an idea on how many there are, and to see the history of how certain distros spun off others, check out this graphic:
Wikipedia: Linux Distribution Timeline
There are two denominations of Linux systems, those with a pretty GUI and those that are headless, or command line only. The latter is primarily used for server related functions while the GUI enabled ones are for desktop use. Common GUI equipped flavors include

  • Ubuntu
  • Linux Mint
  • Arch Linux
  • Zorin OS

It’s important to note that the GUI isn’t quite tied to the operating system. You can mix and match supported GUIs with your Linux flavor. Note that MacOS is a derivative of a Unix operating system named Darwin, and uses the BSD kernel. Android phones run on a Linux kernel. Because it’s lightweight, many Internet of Things (IoT) devices run some sort of Linux derivative. This stuff is everywhere.

Common enterprise Linux/Unix distributions include:

  • Ubuntu
  • Debian
  • CentOS
  • RedHat
  • FreeBSD
  • OpenSUSE
  • Fedora

In this series I will be using a headless version of Ubuntu. It’s very commonly used. So if you’re looking for an answer to a question you’re likely going to find someone with the same problem online.

Someone Else’s Hypervisor?

There are other options for setting up a virtual machine aside from using a hypervisor like VirtualBox on your computer. Cloud providers have Infrastructure as a Service (IaaS) offerings where you can spin up virtual machines on a whim. This is usually done by picking from a catalog of operating systems, although you can use your own custom installation (this can get pretty advanced). Providers that offer these services include Amazon’s AWS (EC2), Google Cloud, Linode, and Digital Ocean. Being on a public provider means your virtual machine(s) can be easily configured to be on the public Internet using a public IP address. You can complete this by configuring access rules to allow traffic to whatever service you wish to make available to the Internet. This blog is on a hosted service. So meta.

Next we’ll talk about setting up a virtual machine in VirtualBox.