Linux Terminalbench FAQ & Answers

chmod 600 sets read and write permissions for the owner only (rw-------). The owner can read and write the file, while group members and others have no access at all. This is commonly used for sensitive files like SSH private keys (~/.ssh/id_rsa) and configuration files containing passwords.

chmod 755 sets permissions to rwxr-xr-x, allowing the owner to read, write, and execute, while group members and others can only read and execute. This is the standard permission for directories and executable scripts that need to be accessible by all users but only modifiable by the owner.

chmod 644 sets permissions to rw-r--r--, allowing the owner to read and write, while group members and others can only read. This is the typical permission for regular text files and web content, ensuring only the owner can modify the file while everyone else can view it.

chmod 777 sets permissions to rwxrwxrwx, giving everyone (owner, group, and others) full read, write, and execute access. This is dangerous because any user on the system can modify or execute the file, creating security vulnerabilities. It should almost never be used in production environments. Use more restrictive permissions like 755 for directories or 644 for files instead.

Use chmod +x filename to add execute permission for all users (owner, group, and others). For more specific control: chmod u+x filename adds execute for owner only, chmod g+x filename for group only, chmod o+x filename for others only. You can also use numeric mode: chmod 755 filename gives rwxr-xr-x permissions.

Numeric permissions use three digits representing owner, group, and others. Each digit is the sum of: read (4) + write (2) + execute (1). For example: 7 = 4+2+1 = rwx (full access), 6 = 4+2 = rw- (read and write), 5 = 4+1 = r-x (read and execute), 4 = r-- (read only), 0 = --- (no access). So chmod 754 means owner gets rwx, group gets r-x, others get r--.

Use chmod -R to recursively change permissions on a directory and all its contents. For example: chmod -R 755 /path/to/directory. A common best practice for web directories is to set different permissions for files vs directories: find /var/www -type d -exec chmod 755 {} ; (directories) and find /var/www -type f -exec chmod 644 {} ; (files).

umask (user file-creation mode mask) defines default permissions for new files and directories by specifying which permissions to remove. Default umask is 022 for root and 002 for regular users. With umask 022: new files get 644 (666-022), new directories get 755 (777-022). View current umask with the 'umask' command.

Set umask in shell configuration files: ~/.bashrc or ~/.bash_profile for individual users, /etc/profile or /etc/bash.bashrc for system-wide. Add the line 'umask 027' (for example). Common values: 022 (owner full, others read), 027 (owner full, group read, others none), 077 (owner only, completely private).

Crontab uses five time fields followed by the command: minute (0-59) hour (0-23) day-of-month (1-31) month (1-12) day-of-week (0-7, where 0 and 7 are Sunday). Special characters: * (any value), , (list separator), - (range), / (step values). Example: 30 2 * * 1 /script.sh runs at 2:30 AM every Monday.

Use crontab -e to edit your personal crontab. Other useful commands: crontab -l lists current crontab entries, crontab -r removes the entire crontab, crontab -i prompts before removal. To edit another user's crontab (requires root): crontab -u username -e. System-wide cron jobs go in /etc/crontab or /etc/cron.d/ directory.

Use */5 in the minute field: */5 * * * * /path/to/script.sh runs every 5 minutes. The */5 syntax means 'every 5th minute' (0, 5, 10, 15, etc.). Note: */35 does NOT run every 35 minutes; it runs at minutes 0 and 35 each hour. For true 35-minute intervals, you need external scheduling tools.

Common causes: 1) Environment variables not set (cron has minimal PATH), 2) Script not executable (run chmod +x), 3) Missing absolute paths to commands, 4) Syntax errors in crontab, 5) Missing newline at end of crontab file, 6) Output not redirected (add >/dev/null 2>&1 or redirect to log). Check cron logs: grep CRON /var/log/syslog (Debian/Ubuntu) or /var/log/cron (RHEL/CentOS).

Define variables at the top of your crontab file before any jobs: PATH=/usr/local/bin:/usr/bin:/bin, SHELL=/bin/bash, HOME=/home/user. These apply to all jobs below. For single jobs, use inline: * * * * * PATH=/custom/path /script.sh. You can also source profiles in a wrapper script: #!/bin/bash; source /etc/profile; /actual/script.sh

Test with minimal environment: env -i /bin/bash -c '/path/to/script.sh' simulates cron's environment. Redirect output for debugging: * * * * * /script.sh >>/var/log/myscript.log 2>&1. Use full paths for all commands (find with 'which command'). Compare environments: add 'env > /tmp/cronenv.txt' to cron job and compare with manual 'env > /tmp/shellenv.txt'.

Edit crontab with crontab -e and add a line with the five time fields plus command. Examples: 0 3 * * * /backup.sh (daily at 3:00 AM), 30 8 1 * * /monthly.sh (1st of each month at 8:30 AM), 0 0 * * 0 /weekly.sh (Sunday midnight), 0 */6 * * * /script.sh (every 6 hours). Use crontab.guru to validate syntax.

Redirect output in your crontab entry: * * * * * /script.sh >> /var/log/myscript.log 2>&1 captures both stdout and stderr. Set MAILTO=[email protected] at top of crontab to email output. Check system cron logs: grep CRON /var/log/syslog (Debian/Ubuntu) or cat /var/log/cron (RHEL/CentOS).

Crontab supports special strings: @reboot (run once at startup), @yearly or @annually (0 0 1 1 *), @monthly (0 0 1 * *), @weekly (0 0 * * 0), @daily or @midnight (0 0 * * *), @hourly (0 * * * *). Example: @daily /backup.sh runs backup daily at midnight.

Use find with -perm option. Exact match: find / -perm 644 (files with exactly 644). At least: find / -perm -755 (at least 755, extras allowed). Any match: find / -perm /222 (writable by owner OR group OR others). Find SUID files: find / -perm -4000. Find SGID files: find / -perm -2000. Add -type f for files only.

Use find with -user option: find /path -user username finds all files owned by that user. Examples: find / -user john (all files owned by john), find /home -user root (root-owned files in /home). Add -type f for files only or -type d for directories. Combine with -exec to take action: find / -user john -exec ls -l {} ;

Use find -nouser to find files with invalid/deleted owner UIDs: find / -nouser lists orphaned files. Similarly, find / -nogroup finds files with invalid group ownership. This is useful for security audits after user deletion. To find and fix: find / -nouser -exec chown newowner {} ;

Use cp source destination for files. For directories, add -r (recursive): cp -r sourcedir destdir. Useful options: -v (verbose), -i (interactive, prompt before overwrite), -p (preserve permissions/timestamps), -a (archive, preserves everything including symlinks). Example: cp -av /source /backup creates exact copy.

Use mv source destination to move or rename. For files: mv oldname newname (rename) or mv file /new/path/ (move). For directories: same syntax, no -r needed. Options: -v (verbose), -i (interactive), -n (no overwrite). Example: mv *.txt /archive/ moves all txt files to archive.

Use rm filename to delete files. For directories: rm -r dirname (recursive). Safety options: -i (prompt before each removal), -I (prompt once before removing more than 3 files). CAUTION: rm -rf is dangerous and permanent. Example: rm -ri /path/to/dir prompts for each file. Never run rm -rf / or rm -rf * without careful consideration.

Use mkdir -p path/to/deep/directory to create the entire path including any missing parent directories. Without -p, mkdir fails if parent doesn't exist. Example: mkdir -p /var/www/mysite/images creates all directories in the path. Add -v for verbose output showing each created directory.

Use touch filename to create an empty file or update the timestamp of an existing file. Create multiple files: touch file1 file2 file3. Update only access time: touch -a file. Update only modification time: touch -m file. Set specific time: touch -t 202401151030 file (sets to Jan 15 2024 10:30).

Use getfacl filename to view Access Control List permissions. The output shows the file name, owner, group, and all ACL entries including user-specific and group-specific permissions. Files with ACL permissions show a '+' after standard permissions in ls -l output (e.g., -rw-rwxr--+).

Use setfacl -m u:username:permissions filename. For example: setfacl -m u:john:rw myfile.txt grants user john read and write access. The -m flag modifies the ACL. Permissions can be r (read), w (write), x (execute), or combinations like rwx. This works alongside standard Unix permissions without changing ownership.

Use setfacl -d -m u:username:permissions directory to set default ACLs that new files and subdirectories will inherit. For example: setfacl -d -m u:john:rwx /shared sets default permissions so all new items grant john rwx access. For recursive application to existing and future items: setfacl -Rd -m u:john:rwx /shared.

To remove a specific ACL entry: setfacl -x u:username filename (removes user entry) or setfacl -x g:groupname filename (removes group entry). To remove all ACL entries and restore standard permissions: setfacl -b filename. For recursive removal: setfacl -Rb directory.

The ACL mask defines the maximum effective permissions for named users, named groups, and the owning group (not owner or others). When setfacl modifies permissions, it automatically recalculates the mask to be the union of all affected entries. Use setfacl -n to prevent automatic mask recalculation. View the mask with getfacl; effective permissions are shown in comments.

Most modern Linux filesystems (ext4, XFS, Btrfs) support ACLs by default. Check mount options: mount | grep acl or tune2fs -l /dev/sda1 | grep 'Default mount options'. If not enabled, remount with acl option: mount -o remount,acl /mountpoint. Or add 'acl' to fstab options for permanent.

Use setfacl with -R flag for recursive application: setfacl -Rm u:username:rwx /path/to/dir sets ACL on directory and all existing contents. For default ACLs on new files too, combine with -d: setfacl -Rdm u:username:rwx /path/to/dir. Note: -R only affects existing files; -d affects newly created files.

Use systemctl status servicename to see if a service is running, its PID, memory usage, and recent log entries. States include: active (running), inactive (stopped), failed, or activating/deactivating. Example: systemctl status nginx shows nginx status. Add -l for full log lines without truncation.

Use systemctl with these actions: systemctl start servicename (start), systemctl stop servicename (stop), systemctl restart servicename (stop then start), systemctl reload servicename (reload config without stopping). Examples: systemctl restart nginx, systemctl stop apache2. Requires root or sudo privileges.

Use systemctl enable servicename to configure a service to start automatically at boot. Use systemctl disable servicename to prevent auto-start. Check current state with systemctl is-enabled servicename. To enable AND start immediately: systemctl enable --now servicename. These commands modify symlinks in /etc/systemd/system/.

Use journalctl -u servicename to view logs for a specific systemd service. Useful options: -f (follow new entries like tail -f), -n 50 (show last 50 lines), --since '1 hour ago' (time-based filter), -p err (show only errors). Example: journalctl -u nginx -f shows live nginx logs. Combine with grep for filtering.

Common journalctl commands: journalctl -b (current boot only), journalctl -b -1 (previous boot), journalctl --since 'today' (today's logs), journalctl --since '2024-01-01' --until '2024-01-02' (date range), journalctl -p err (errors only), journalctl -k (kernel messages). Add -r to reverse order (newest first).

Use systemctl list-units --type=service to show active services. Add --all to include inactive services: systemctl list-units --type=service --all. For installed unit files: systemctl list-unit-files --type=service. Filter by state: systemctl list-units --type=service --state=running shows only running services.

Configure in /etc/systemd/journald.conf: SystemMaxUse=1G limits total disk usage to 1GB. RuntimeMaxUse limits volatile storage. Apply changes with: systemctl restart systemd-journald. Check current usage: journalctl --disk-usage. Clean manually: journalctl --vacuum-size=500M or journalctl --vacuum-time=7d.

Use dd if=inputfile bs=1 skip=OFFSET count=LENGTH to extract LENGTH bytes starting at byte OFFSET. Example: dd if=disk.img bs=1 skip=1234 count=100 extracts 100 bytes starting at offset 1234. For efficiency with large offsets, use iflag=skip_bytes,count_bytes: dd if=disk.img skip=1234 count=100 iflag=skip_bytes,count_bytes. Redirect output with 2>/dev/null to suppress the summary message.

Use grep -aob 'pattern' filename to search binary files and get byte offsets. The -a flag treats binary as text, -o prints only matched parts, and -b prints the byte offset before each match. Example: grep -aob 'PASSWORD' disk.img outputs '1234:PASSWORD' meaning the pattern starts at byte 1234. For hex patterns use: grep -obUaP '\x00\x01' file.bin. Pipe to cut -d: -f1 to extract just the offset number.

Combine grep and dd for forensic text recovery: 1) Find byte offset with grep -aob 'known_pattern' disk.img, 2) Extract surrounding data with dd if=disk.img bs=1 skip=OFFSET count=WINDOW 2>/dev/null, 3) Filter printable chars with tr -c 'A-Za-z0-9' ' '. For passwords: if you know it starts with 'XYZ', use grep -aob 'XYZ' disk.img to find offset, then extract a window around it. Deleted files remain on disk until overwritten.

When you know partial password content (e.g., starts with 'ABC', ends with 'XYZ'), use this forensic strategy: 1) Find disk image with: find /path -name '.img' -o -name '.dat', 2) Search for start pattern: OFFSET=$(grep -aob 'ABC' disk.img | head -1 | cut -d: -f1), 3) Extract window around offset: dd if=disk.img bs=1 skip=$OFFSET count=50 2>/dev/null, 4) Filter to alphanumeric only: tr -c 'A-Z0-9' ' ', 5) Find contiguous sequences matching both patterns. Write results to output file.

Use tr -c 'A-Za-z0-9' ' ' to replace all non-alphanumeric characters with spaces. The -c flag means 'complement' (match everything NOT in the set). For uppercase and digits only: tr -c 'A-Z0-9' ' '. For lowercase only: tr -c 'a-z' ' '. Combine with binary extraction: dd if=file bs=1 skip=100 count=50 2>/dev/null | tr -c 'A-Z0-9' ' '. Use tr ' ' '\n' to split on spaces into separate lines.

Basic: grep 'pattern' filename searches for pattern. Useful options: -r (recursive in directories), -i (case insensitive), -n (show line numbers), -l (list matching files only), -v (invert, show non-matching lines), -c (count matches). Example: grep -rn 'error' /var/log/ searches for 'error' in all log files.

Use awk '{print $N}' where N is the column number (1-based). Examples: awk '{print $1}' file (first column), awk '{print $1,$3}' file (first and third columns). Change delimiter with -F: awk -F: '{print $1}' /etc/passwd extracts usernames. $0 prints the entire line, NF is the number of fields.

Basic substitution: sed 's/old/new/' file replaces first occurrence per line. Add g for global: sed 's/old/new/g' file replaces all occurrences. To edit file in place: sed -i 's/old/new/g' file. For backup before edit: sed -i.bak 's/old/new/g' file. Use different delimiter for URLs: sed 's|http://old|http://new|g'.

Use awk to extract IP field and count: awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10 shows top 10 IPs. For Apache: same command with /var/log/apache2/access.log or /var/log/httpd/access_log. Add time filtering with grep first if needed.

Use grep to filter by status code: grep ' 404 ' /var/log/nginx/access.log shows all 404 responses. To count by URL: grep ' 404 ' /var/log/nginx/access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20 shows the most frequently requested missing URLs.

Use awk to extract status code field and count: awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn shows all status codes with counts. The status code is typically field $9 in combined log format. Adjust field number based on your log format.

Count requests per minute: awk '{print substr($4, 2, 17)}' /var/log/nginx/access.log | uniq -c shows request counts grouped by timestamp. Identify attacks by looking for IPs with hundreds of requests per minute. Combine with IP extraction: add | awk '{print $1}' | sort | uniq -c | sort -rn to find top requesters.

Check auth logs: grep 'Failed password' /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS). To count by IP: grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn shows IPs sorted by attempt count. Use journalctl -u sshd for systemd systems.

Authentication logs location varies by distribution: Debian/Ubuntu use /var/log/auth.log, RHEL/CentOS use /var/log/secure. On systemd systems, also use journalctl -u sshd or journalctl -t sshd. These logs contain SSH logins, sudo usage, su commands, and other authentication events.

Use these commands: 'last' shows recent successful logins with login/logout times. 'lastb' shows failed login attempts (requires root). 'lastlog' shows most recent login for each user. 'who' shows currently logged-in users. 'w' shows logged-in users and what they are doing. Data comes from /var/log/wtmp and /var/log/btmp.

Find SUID files: find / -type f -perm -4000 -ls 2>/dev/null. Find SGID files: find / -type f -perm -2000 -ls 2>/dev/null. Find both: find / -type f ( -perm -4000 -o -perm -2000 ) -ls 2>/dev/null. These files run with elevated privileges and should be reviewed regularly for security.

Use ps aux to list all processes with detailed info including user, PID, CPU%, memory%, and command. Other useful options: ps -ef (full format), ps aux --sort=-%mem (sort by memory), ps aux --sort=-%cpu (sort by CPU). Use 'top' or 'htop' for real-time interactive process monitoring.

Use kill PID to send SIGTERM (graceful termination). If process doesn't stop, use kill -9 PID for SIGKILL (forced termination, cannot be caught or ignored). Examples: kill 1234, kill -9 1234. SIGTERM allows cleanup; SIGKILL is immediate. Always try SIGTERM first, use SIGKILL as last resort.

Use pkill processname to kill all processes matching the name. Use killall processname for exact name match. Examples: pkill firefox, killall nginx. Add -9 for forced kill: pkill -9 firefox. Use pgrep processname first to see which processes would be affected. Be careful with partial matches using pkill.

Key signals: SIGTERM (15) - graceful termination, default for kill. SIGKILL (9) - forced kill, cannot be caught. SIGHUP (1) - hangup, often used to reload config. SIGINT (2) - interrupt (Ctrl+C). SIGSTOP (19) - pause process. SIGCONT (18) - continue paused process. List all with kill -l.

Use ping hostname or ping IP to test connectivity. Useful options: -c 4 (send 4 packets then stop), -i 2 (2 second interval), -w 10 (timeout after 10 seconds). Examples: ping -c 4 google.com, ping -c 3 192.168.1.1. Note: some hosts block ICMP, so no response doesn't always mean host is down.

Use ss -tunlp or netstat -tunlp to show listening ports with process info. Options: -t (TCP), -u (UDP), -n (numeric), -l (listening), -p (process). Example output shows local address:port, state, and PID/program name. ss is the modern replacement for netstat and is faster.

Basic request: curl http://example.com. Useful options: -I (headers only), -v (verbose with connection details), -o file (save to file), -L (follow redirects), -k (ignore SSL errors), -u user:pass (authentication), -X POST (specify method). Example: curl -Iv https://example.com shows connection details and headers.

Use traceroute hostname (or tracert on Windows) to show the path packets take to reach a destination. Each line shows a hop with its response time. Use -n for numeric output (no DNS lookups), -m 30 to set max hops. Alternative: mtr hostname combines traceroute and ping for continuous monitoring.

The sticky bit on a directory allows only the file owner, directory owner, or root to delete or rename files within it, even if others have write permission. It is commonly used on /tmp. To set: chmod +t directory or chmod 1777 directory. When set, ls -l shows a 't' in the others execute position (drwxrwxrwt).

SUID (Set User ID) makes an executable run with the file owner's permissions rather than the executing user's. For example, /usr/bin/passwd has SUID set so users can change their password (which requires root access to /etc/shadow). To set: chmod u+s filename or chmod 4755 filename. When set, ls -l shows 's' in owner execute position (-rwsr-xr-x).

SGID (Set Group ID) has two functions: on files, it runs with the file's group permissions; on directories, it makes new files inherit the directory's group ownership instead of the creator's primary group. Useful for shared directories. To set: chmod g+s directory or chmod 2755 directory. When set, ls -l shows 's' in group execute position (drwxr-sr-x).

Use chown user:group filename to change both owner and group. Variations: chown user filename (owner only), chown :group filename (group only), chown -R user:group directory (recursive). Examples: chown root:www-data /var/www sets owner to root and group to www-data. Only root or sudo users can change file ownership.

Use chgrp groupname filename to change only the group ownership. For recursive changes on directories: chgrp -R groupname directory. You can also use chown :groupname filename. Regular users can only change group ownership to groups they belong to; root can change to any group.