Ian Fisher

Linux sysadmin

A cheatsheet for sysadmin commands on Linux.

Users and groups

# list users
$ cat /etc/passwd | cut -d: -f 1

# create new user
$ adduser USERNAME

# delete a user
$ deluser --remove-home USERNAME

# add user to group
$ usermod -aG GROUP USERNAME
$ adduser USERNAME GROUP  # on Alpine

# remove user from group
$ gpasswd -d USERNAME GROUP

# create a new group
$ addgroup GROUP

# delete a group
$ delgroup GROUP

# list groups
$ getent group

# list groups a user is in
$ groups USERNAME

# change login shell
$ chsh
# if not available, manually edit /etc/passwd

File ACLs and extended attributes

See also: "Notes on Linux file ACLs"

# give bob read-write access to myfile.txt
setfacl --modify u:bob:rw myfile.txt

# set multiple ACLs at once
setfacl -m u:bob:rw,u:alice:r,o::--- myfile.txt

# show all ACLs on myfile.txt
getfacl myfile.txt

# set a file attribute (may require 'attr' package)
setfattr -n NAME -v VALUE PATH

# see all file attributes
getfattr -d -m - PATH
# some filesystem attributes (e.g., immutable) are not printed above
lsattr -l PATH

# make a file immutable
sudo chattr +i PATH

Grant sudo privileges

Run sudo visudo and add this line (substitute the actual username for iafisher). It lets that user run any command as any user without being prompted for a password:

iafisher ALL=(ALL) NOPASSWD: ALL

SSH

See ssh

Network config

Check if any process is listening on a port:

$ sudo ss -ltnp | grep :22

Configure firewall (iptables)

# must be run as root
# list current rules
$ iptables -L
# allow SSH from anywhere
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow SSH from the 192.168.1.0/24 subnet
$ iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# delete a rule by its line number (here, rule 3 of INPUT)
$ iptables -L --line-numbers
$ iptables -D INPUT 3

# deny everything except SSH/HTTP/HTTPS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
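
Added example (not from the original page): because -A appends to the end of the chain, any rule added after the final catch-all REJECT above can never match. This bash function reads `iptables -S INPUT` output and flags such rules; the function names, the sample ruleset and port 8080 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit `iptables -S INPUT` output.
# Prints:
#   open PROTO/PORT    ACCEPT rule with --dport that can still match
#   unreachable: RULE  rule that sits after the catch-all REJECT/DROP
#   no-catch-all       no catch-all REJECT/DROP rule and policy is not DROP
# Returns 1 if a problem is reported, 0 otherwise.
audit_input_chain() {
  awk '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    sealed { print "unreachable: " $0; bad = 1; next }
    # Catch-all: a rule with no match conditions, e.g. "-A INPUT -j REJECT ..."
    $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { sealed = 1; next }
    {
      proto = "any"; port = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (target == "ACCEPT" && port != "") print "open " proto "/" port
    }
    END {
      if (!sealed && policy != "DROP") { print "no-catch-all"; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed sample: the ruleset above, plus one rule appended afterwards.
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
EOF
}

sample_rules | audit_input_chain || echo "ruleset needs attention"
# On a live host (as root): iptables -S INPUT | audit_input_chain
```

To open a port on a chain that already ends in a catch-all, insert the rule above it with iptables -I INPUT N instead of appending.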

Configure firewall (firewalld)

# show the full configuration of the default zone
$ firewall-cmd --list-all

# list open ports
# (only shows explicit ports, not those from services)
$ firewall-cmd --list-ports

# allow HTTP traffic
$ firewall-cmd --zone=public --add-service=http

# deny HTTP traffic
$ firewall-cmd --zone=public --remove-service=http

# save changes
$ firewall-cmd --runtime-to-permanent

# list active zones
$ firewall-cmd --get-active-zones

Disks and partitions

# list block devices
$ lsblk

# list partitions
$ fdisk -l

# create partition table
$ fdisk /dev/XXX

# list currently-mounted filesystems
$ mount
# or
$ df -h

# format a disk with a filesystem
$ mkfs -t ext4 /dev/XXX

# mount a device
$ mount /dev/XXX path/to/mount

# unmount a device
$ umount path/to/mount

Package management

See package-management

systemd

See systemd
