What is Linux?
Linux is an open source operating system. Like other operating systems (such as Windows), Linux consists of various software components that manage computer hardware resources and enable you to do tasks such as surfing the web or editing a file in a text editor.
Linux is free and open source software, which means that you can use, copy, study, and change the software in any way. It is distributed with the source code so users can view and modify it. This is in contrast to Microsoft Windows, a proprietary operating system.
Many versions of Linux exist. Some of the more popular Linux distributions are Debian, Ubuntu, Fedora, openSUSE, Red Hat Enterprise Linux and SUSE Linux Enterprise Server.
Today, Linux runs on almost every computing platform available: mobile phones, tablets, servers, desktops, mainframes, etc. Android, a widely used operating system for mobile phones and tablets, is based on the Linux kernel.
Modern Linux distributions usually feature a nice GUI, similar to the one found in Windows. Here is an example Linux desktop in SUSE:

Differences between Linux and Windows
Here are the major differences between Linux and Windows:
Price
Linux – distributions are generally free.
Windows – a Windows license can cost hundreds of dollars.
Development model
Linux – users can access and alter the code in any way they wish.
Windows – considered to be closed source software.
Hardware support
Linux – partial hardware support. There are many hardware devices that don’t have Linux drivers.
Windows – almost every piece of hardware will work on a Windows installation.
Software support
Linux – there are many programs that can be run on Linux.
Windows – a large selection of software programs.
Command line
Linux – Linux shell is powerful and is used very often.
Windows – Windows Command Prompt exists, but it is not nearly as powerful as the one in Linux.
Ease of use
Linux – Linux will be used mostly by experienced users.
Windows – very easy to learn and use.
Differences between Unix and Linux
Unix is an operating system developed at AT&T’s Bell Labs. Linux is a clone of Unix, but there are many differences between these two operating systems. Here are the main ones:
Cost
Linux – most Linux distributions are free.
Unix – most UNIX systems are not free.
Usage
Linux – mobile phones, tablet computers, desktop computers.
Unix – developed mainly for mainframes and servers.
Source model
Linux – open source.
Unix – mostly closed source.
Examples
Linux – Ubuntu, Debian, Red Hat, openSUSE.
Unix – OS X, Solaris, IBM AIX.
Manufacturer
Linux – Linux kernel is developed by the community.
Unix – IBM, HP, Oracle.
Linux distributions
A Linux distribution is simply a collection of a specific kernel with specific support programs. Most of the included software is free and open source software. There are many distributions designed for personal computers, but there are also Linux distributions designed for supercomputers or for a specific purpose, e.g. penetration testing (Kali Linux).
There are many distributions available (over six hundred), but two major distributions became the foundation for many other distributions: Red Hat and Debian.
Some of the more popular Linux distributions besides Red Hat and Debian are Ubuntu, openSUSE, Fedora, Mandriva Linux, and Arch Linux.
Linux kernel
A kernel is the lowest level of software that interfaces with the hardware in your computer. The Linux kernel is a fundamental part of Linux and contains millions of lines of code. It is released under the GPL (GNU General Public License), which allows public access to the source code. It was developed in 1991 by a Finnish computer science student, Linus Torvalds. Today, thousands of developers from all over the world contribute to the development of the Linux kernel.
Generally, most kernels fall into one of the three types: monolithic, microkernel, and hybrid. Linux is a monolithic kernel which means that the entire operating system is working in kernel space and is alone in supervisor mode.
Here is a diagram of a monolithic kernel (Photo credit: Wikipedia)

To find out the kernel version of your Linux installation, you can use the uname -a command:
In the picture above we can see that the kernel version is 3.0.76-0.11.
File structure in Linux
Everything in Linux is considered a file, even a hard disk or a CD-ROM device. All files and directories appear under the root directory (represented with a single slash – /). You can refer to any file or directory using either a full path (for example, /home/bob/file.txt) or a relative path (for example, if your current directory is /home/bob/, you can refer to the file simply by typing file.txt).
A directory is similar to a folder in Windows, and it can contain files and other directories. Hardware devices are represented by a special file stored in the /dev directory (for example, /dev/sda usually represents the first hard disk on the system).
All files and directories appear under the root directory (/). Below that is a set of common directories in the Linux system (bin, dev, home, lib…):

In the picture above you can see the file hierarchy under the root directory.
Filesystem Hierarchy Standard (FHS)
Most Linux distributions have almost identical directory structures because of the Filesystem Hierarchy Standard (FHS). FHS defines the directory structure and content in UNIX-like operating systems. It is based on the older standard FSSTND (Filesystem Standard).
Linux distributions usually closely follow the FHS. For example, configuration files are located in the same location regardless of Linux distribution (usually in the /etc directory). This makes developing software for Linux much easier, since software developers don’t have to write different versions of applications for each distribution.
In the FHS all files and directories appear under the root directory (/). Here is a list of the most important directories:
/boot – contains files related to the initial booting of the computer.
/bin – contains certain critical executable files, such as ls, cp, and mount.
/dev – contains device files like hard disks or CD-ROMs.
/sbin – similar to /bin, but it contains programs that are normally run only by the system administrator.
/etc – contains configuration files.
/home – user’s home directory.
/lib – contains program libraries.
/media – mount point for removable media.
/usr – contains the majority of user utilities and applications.
/var – variable files such as logs.
/tmp – contains temporary files.
Here is the file structure from Ubuntu:

The shell in Linux
Generally speaking, a shell is a CLI (Command-Line Interface) between a user and the kernel. The shell accepts and interprets your commands. For example, Windows Command Prompt is a shell for Windows.
You can use the shell in Linux to run programs, work with file systems, manipulate text files, and so on. Although most distributions of Linux come with a GUI, to get a deeper knowledge of Linux you will need to learn how to use the shell.
Some common shells found in Linux distributions are:
- bash – bash stands for Bourne Again Shell. The most common default shell.
- C shell – the shell with the interface similar to the C language.
- Korn – popular among UNIX System V users.
In the picture below we can see the bash shell in action:

Bourne-again shell (Bash)
Bash (Bourne-again shell) is a command language interpreter. Simply put, it is a text window that interprets commands that you type. It was written by Brian Fox for the GNU Project as a replacement for the Bourne shell (sh), one of the earliest UNIX shells. Bash offers functional improvements over sh for both programming and interactive use.
Bash is the default shell in most Linux distributions. It supports some advanced features like wildcarding, piping, command substitution, variables, and the history of commands entered. Another neat feature that will save you a lot of time is tab completion, which means that you can type just enough of the filename to uniquely identify it and then press the Tab key. Bash will automatically complete your command.
Here is a picture of Bash in Ubuntu:

Start the shell in Ubuntu
Throughout this tutorial we will be using the bash shell, but most of the work done in the bash shell can be done in a similar way in other shells.
To open the bash shell in Ubuntu, simply click on the Dash Home button in the top left corner, type terminal and click on the Terminal icon:

You should get something like this:

In the picture above you can see the terminal. It is a program that enables you to interact with a Linux shell but also supports many features beyond the basic shell such as copying and pasting text, font changes, etc. On the left of the @ sign is your username (bob in this case). On the right of the @ sign is the hostname of the computer (ubuntu in this case).
Essential Linux commands
In this lesson we will cover the essential commands in Linux. We will learn how to list the content of a directory, print the working directory, create a new file or directory, print a line of text, etc.
ls command
The ls command lists the directory content. If no directory is specified, the command will display the content of the working directory.

pwd command
The pwd command is used to print the path of the current directory.

mkdir command
To create a new directory, the mkdir command is used. You must specify the name of the directory. If no path is specified, the directory is created inside the working directory.

In the picture above you can see that we’ve created a directory called my_folder using the mkdir command. We have then displayed the content of the directory with the ls command.
echo command
The echo command is used to output text to the screen. You simply type echo and then the text you would like to display.

whoami command
The whoami command displays the username of the current user.

cd command
To change the current working directory we use the cd command. You must specify the path of the directory you would like to access.

Command line history
Linux shells maintain a history of the commands issued by a user. You can display the list of commands that you’ve entered before with the history command. This is a neat shell feature because it enables you to repeat some complex commands you’ve already entered. By default, the last 500 commands are shown.

You can also execute a command by its number in the history. For example, in the picture above, you can see that the man -k shell command is at number 17. To execute that command again, we would type !17:

The shell enables you to retrieve the previous entry from the command history by pressing the Up arrow on your keyboard. You can also press Ctrl+r to search your command history. For example, to search the history for commands that include dd, we would press Ctrl+r and then type dd:

To find the next command in history that includes dd, we can press Ctrl+r again.
Manual pages
There are thousands and thousands of Linux commands and it is impossible to remember all of them. The man (short for manual page) tool uses the less program to display information about a particular command. The usage is very simple; you just type man, followed by the command you want to find out more about. For example, to get more information about the ls command, you can type man ls. This opens up the less program with useful information about the ls command: what it does, how it is invoked, options, copyright information, etc.

Here is another useful feature of the man tool. You can search the name and summary sections of all man pages. This comes in quite handy when you don’t know the exact command for something you would like to do. For example, if you want to delete a directory but don’t know the exact command, you could type man -k delete. This will display all command names and descriptions that include the word delete. Here is the output:

To find out more about the man command, simply type man man.
info command
Another useful tool that you can use to find out more about Linux commands is info. info reads documentation in the info format (a special format generated usually from a Texinfo source). Info pages usually give more detailed information about a command than its respective man pages. Info also allows navigation and links between pages.
The syntax of the info command is simple: just type info followed by the command. In the example below, we’ve entered info mkdir:

Note that not all commands have information available in the info database.
Manage directories
A directory is a location for storing files on your computer. To be able to administer your Linux distribution, you need to be familiar with commands that create, delete or move directories.
In Linux there is one root directory (represented by a single slash – /), and all files and subdirectories are placed under this directory in a treelike structure:

To create a directory, use the mkdir command:

To move a directory, use the mv command with two parameters. The first parameter is the directory that you would like to move and the second parameter is the location where you would like to move the directory to. For example, if you want to move the directory my_folder to /home/bob/my_folder1, you would enter the following command:

To delete a directory, use the rmdir command. There is one problem with this command, though. If you try to delete a non-empty directory, you will get an error:

To avoid this, you need to either empty the directory or use the rm command. If you use the rm command, you need to include the -r option, which means that the command will remove the directory and its content recursively:

Manage files
The Linux shell provides powerful tools for manipulating files. As with directories, you can move, rename or delete a file. If a file is a text file you can also use tools to edit it. In this lesson, we will describe a couple of commands that can help you work with files in a Linux environment.
Creating files
There are several ways to create a file in Linux. The most common way to create a file in Linux is by using the touch command. Although the primary purpose of this command is to update the timestamp of a file, it is often instead used to create one. The syntax is simple: you just type touch followed by the name of the file. If the file doesn’t exist, a new empty file will be created.
Here is an example:

As you can see in the picture above, a file called new_file is created.
Deleting files
To delete a file you can use the rm command. The syntax: rm FILE_NAME
Example:

In the picture above you can see that new_file has been deleted with the rm command.
Displaying the file content
There are many tools in Linux to display the content of a file. One of the most commonly used ones is the less program. This program displays a file’s content one screen at a time. You can navigate the file by using the arrow keys or the mouse wheel.
The usage is simple: type the less command, followed by the name of the file you would like to display.

In the picture above we can see the content of the file named textfile.txt.
Environment variables
Environment variables are placeholders for data that can change. Each user has their own environment variables with different values that define their working environment. For example, each user typically has their own home directory, so the content of the HOME environment variable is different for each user on the system. A program that needs to know the user’s home directory can refer to the HOME variable to obtain this information.
To see the environment variables on your system, type env:

To set an environment variable manually, use the equal-sign assignment operator (=). If you want your variable to be available to programs you launch from your shell, use the export command:

In the example above we have assigned the value example to the variable VAR1. For brevity, you can combine these two commands into one: export VAR1=example.
To refer to an environment variable, use the dollar sign ($) in front of the variable name:

In the example above we have used the echo command to display the content of the variable VAR1.
Setting an environment variable as described above sets it permanently only for the current shell. For example, if you open another terminal window, the variable VAR1 will not be set:

To make environment variables permanent you need to set them in a global or local bash startup script.
Environment variables can be deleted using the unset command, which takes the name of an environment variable (without the leading $ symbol) as a parameter. In our case, unset VAR1 deletes the VAR1 environment variable.
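The difference between a plain assignment, an exported variable and an unset variable, as an added example that is not part of the original tutorial. VAR1 and its value come from the text above; the function names are made up for the demonstration.

```bash
#!/bin/sh
# Added example: which variables does a program started from the shell see?
# VAR1 and the value "example" come from the tutorial; the function names
# are hypothetical.

# Start a child shell and print what it sees in VAR1 ("NOT_SET" if nothing).
child_sees_var1() {
    sh -c 'printf "%s" "${VAR1-NOT_SET}"'
}

demo_export() {
    unset VAR1
    VAR1=example                 # plain assignment: known to this shell only
    before=$(child_sees_var1)    # the child process does not inherit it
    export VAR1                  # now passed to every program we launch
    after=$(child_sees_var1)
    unset VAR1                   # the name is given without the leading $
    removed=$(child_sees_var1)
    printf '%s %s %s\n' "$before" "$after" "$removed"
}

demo_export    # prints: NOT_SET example NOT_SET
```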
Common environment variables
Here is a list of common environment variables in Linux:
USER – your current username.
SHELL – the path to the current command shell (for example, /bin/bash).
PWD – the current working directory.
HOSTNAME – the hostname of the computer.
HOME – your home directory.
MAIL – the location of the user’s mail spool. Usually /var/spool/mail/USER.
LANG – your current language.
TZ – your time zone.
PS1 – the default prompt in bash.
TERM – the current terminal type (for example, xterm).
DISPLAY – the display used by X. This variable is usually set to :0.0, which means the first display on the current computer.
HISTFILESIZE – the maximum number of lines contained in the history file.
EDITOR – the user’s preferred text editor.
MANPATH – the list of directories to search for manual pages.
OSTYPE – the type of operating system.
PATH environment variable
One of the most important environment variables on Linux operating systems is the PATH variable. This variable holds the colon-separated list of directories used to find commands that you enter. For example, if PATH is set to /bin:/usr/sbin and you type echo, Linux looks for an executable program called echo in /bin and then in /usr/sbin.

Here is an example. Let’s say that we have a script named script.sh and we want to execute it. If the script is placed in the folder listed in the PATH variable, we can run the script regardless of the directory we are currently in:

In the example above you can see that, although our working directory is /home/bob, we were able to execute a script called script.sh. This is because the script is located in the /bin directory, the directory listed in the PATH variable. But what if we move the script to another directory that is not listed in the PATH variable?

From the output above you can see that, although our working directory is /home/bob, the directory in which the script script.sh is located, we can’t execute it. This is because the system checks for commands only in directories listed in the PATH variable.
Note that we can execute the script located in the /home/bob directory by providing the absolute or relative path to the script. In the example above we could execute the script by entering ./script.sh (the relative path (./) indicates the working directory) or /home/bob/script.sh (the absolute path):
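The lookup described in this section, written out as an added example that is not part of the original tutorial. It goes one step beyond the text by also flagging PATH entries that make the lookup depend on the current directory or on a directory any user can write to; the function names resolve_in_path and audit_path are hypothetical.

```bash
#!/bin/sh
# Added example: how a command name is resolved through a PATH-style list.

# Walk the colon-separated list left to right and print the first entry
# that holds an executable regular file named $1. The body runs in a
# subshell ( ... ) so the IFS and globbing changes do not leak out.
resolve_in_path() (
    cmd=$1
    list=$2:            # extra ":" keeps a trailing empty entry from being dropped
    IFS=:
    set -f
    for dir in $list; do
        [ -n "$dir" ] || dir=.          # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            exit 0
        fi
    done
    exit 1                               # "command not found"
)

# Report entries worth reviewing: empty or relative entries (the result then
# depends on where you are standing) and world-writable directories.
audit_path() (
    list=$1:
    IFS=:
    set -f
    for dir in $list; do
        case $dir in
            '') printf 'empty entry (same as the current directory)\n' ;;
            /*) if [ -d "$dir" ]; then
                    # 9th character of the mode string is the "other" write bit
                    case $(ls -ld "$dir") in
                        ????????w*) printf 'world-writable: %s\n' "$dir" ;;
                    esac
                fi ;;
            *)  printf 'relative entry: %s\n' "$dir" ;;
        esac
    done
)

# The tutorial's own case: PATH set to /bin:/usr/sbin, command echo.
resolve_in_path echo "/bin:/usr/sbin" || echo "echo: not found in /bin:/usr/sbin"
audit_path "$PATH"
```

A script that is present in the working directory but not in any listed directory makes resolve_in_path fail, which is the "command not found" case shown above.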

Inode
An inode is a data structure that stores various information about a file in Linux, such as the access mode (read, write, execute permissions), ownership, file type, file size, group, number of links, etc. Each inode is identified by an integer number. An inode is assigned to a file when it is created.
Some file systems (most notably ext3) create all inodes when the file system is created. This means that it is possible to run out of storage because all of the inodes are used, although there is available space on the disk. Other file systems (like xfs) create inodes as needed.
You can view a file’s inode number using the ls -il command:

The first number on the left represents the inode number of the file.
An inode doesn’t store the content of the file or the filename.
Links
Links in Linux are used to refer to a single file by multiple names. They are used to make files more accessible, to give commands multiple names, to enable programs that look for the same files in different locations to access the same files, etc. Links in Linux have a similar purpose as shortcuts in Windows.
Links are created using the ln command. Two types of links exist in Linux:
- hard links – point to data on the hard disk and share the same inode number.
- soft (symbolic) links – special types of files that point to other files instead of pointing to data on the hard drive. Unlike hard links, they don’t share the same inode number.
By default, the ln command creates hard links. To create soft links, you need to use the -s option with the ln command.
Hard links
A hard link in Linux is a duplicate directory entry. Both directory entries point to the same file (or more precisely, to the same inode). Neither entry holds any sort of priority over the other and both are equally valid. To delete the file, you must delete both hard links to the file.
To create a hard link, you can use the ln command without any options. You need to specify the filename and the name of the link:

In the example above we have created a hard link called hlink.lnk to the file original_file.txt. Note that both files have the same inode number.
Now we will change the content of the file and then display the new content using different filenames:

Because both directory entries point to the same file, both filenames can be used to access the same content.
To delete a file, you must delete both directory entries:

In the picture above you can see that, although we have deleted the original_file.txt, the file still exists.
Hard links can only be created to files on the same partition.
Symbolic links
A symbolic link in Linux is a special type of file that points to other files, instead of pointing to data on the hard drive. Unlike hard links, symbolic links don’t share the same inode number. A symbolic link contains a string that is automatically interpreted and followed by the operating system as a path to another file or directory. A symbolic link is a second file that exists independently of its target.
Symbolic links are more common than hard links. Their biggest advantage is that they can work over different partitions.
To create a symbolic link, you use the -s option with the ln command, as shown in the example below:

In the picture above you can see that the files don’t have the same inode number.
Now we will change the content of the file and then read the new content:

If we delete the original file, the link becomes useless:
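The hard-link and symbolic-link behaviour described in this section, as one added example that is not part of the original tutorial. The names original_file.txt and hlink.lnk come from the text; slink.lnk and the function names are hypothetical, and everything happens in a temporary directory.

```bash
#!/bin/sh
# Added example: inode numbers and link counts for hard and symbolic links.

# Inode number of a directory entry (a symlink reports its own inode).
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Number of directory entries (hard links) that point at the inode.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

link_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    echo "first version" > original_file.txt
    ln original_file.txt hlink.lnk        # hard link: second name, same inode
    ln -s original_file.txt slink.lnk     # symbolic link: new file holding a path

    if [ "$(inode_of original_file.txt)" = "$(inode_of hlink.lnk)" ]; then
        echo "hard link shares inode: yes"
    else
        echo "hard link shares inode: no"
    fi
    if [ "$(inode_of original_file.txt)" = "$(inode_of slink.lnk)" ]; then
        echo "symlink shares inode: yes"
    else
        echo "symlink shares inode: no"
    fi
    echo "link count: $(link_count original_file.txt)"

    # Change the content through one name, read it through the others.
    echo "second version" > original_file.txt
    echo "read via hlink.lnk: $(cat hlink.lnk)"
    echo "read via slink.lnk: $(cat slink.lnk)"

    # Remove the original name: the data survives while one hard link is left,
    # but the symbolic link now points at a path that no longer exists.
    rm original_file.txt
    echo "hlink.lnk still reads: $(cat hlink.lnk)"
    echo "link count after rm: $(link_count hlink.lnk)"
    if [ -L slink.lnk ] && [ ! -e slink.lnk ]; then
        echo "slink.lnk: dangling"
    fi

    cd / && rm -rf "$dir"
)

link_demo
```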

Wildcard
A wildcard in Linux is a symbol or a set of symbols that stands in for other characters. It can be used to substitute for any other character or characters in a string. For example, you can use a wildcard to get a list of all files in a directory that begin with the letter O.
Three types of wildcards are common in Linux:
- ? – matches a single character. For example, O??d matches anything that begins with O, ends with d and has two characters in between (like Oind, Okhd, Oerd, but not Oereed, Oad, Oerererd.)
- * – matches any character or set of characters, including no character. For example, O*d matches anything that begins with O and ends with d (like Oind, Okhd, Oerd, Oereed, Oad, Oerererd, Od, Oarmeerrd). The number of characters in between O and d is not important.
- Bracketed values – match characters enclosed in square brackets. For example, O[ac]d matches only Oad and Ocd. You can also specify a range of values: O[a-e]d matches Oad, Obd, Ocd, Odd and Oed.
Let’s look at a couple of examples. We’ve created files mentioned above:

If we want to list all files that begin with O, end with d and have two characters in between, we can use the following syntax:

To list all files that begin with O and end with d, no matter the number of characters in between, we can use the following syntax:

To list all files that begin with O and end with d and have a or c in between, we need to use the following syntax:

Streams
Inputs to and outputs from programs are known as streams in Linux. The input usually comes from the keyboard and the output goes to the screen. You can redirect these input and output streams to come from or go to other sources.
Linux shells use three standard streams:
- standard input – usually the input from the keyboard. For example, commands that are executed by typing them.
- standard output – displays the output from commands, usually to the terminal.
- standard error – displays error output from commands. It is usually sent to the same output as standard output, but it can be redirected.
Here is the graphical representation of these streams (Photo credit: Wikipedia):
Redirect input and output
You can redirect the input to a program from a file. You can also redirect the output of a program to a file. Redirections are done using symbols after the command. For example, to redirect the output of the ls command to the file ls_output.txt, we can use the following command:

Note that the ls command didn’t output anything to the terminal. This is because we have redirected the output from the terminal to the file using the > operator. We’ve then displayed the content of the ls_output.txt file using the cat command.
Here is a list of all redirection symbols:

Here are a couple of examples.
To append the standard output to the file, use the >> operator:

In the example above we have added the current date to the end of the ls_output.txt file.
For an example of the input redirection, we will use the mail command. This command takes the content of a file as standard input. For example, to mail the content of the file ls_output.txt to the user bob, we can use the following command:

Pipe data between programs
In Linux, you can make one command’s output the standard input of another command. This process is called piping and it is done using the pipe symbol (|). Piping lets you have one command work on some data and then have the next command deal with the results.
Here is an example. We can use the ps -A command to list all processes on the system:

We can then pipe the output of the ps command to the sort command. This results in the following sorted output:

Note that we have used the -k 4 option to sort by the executable name (the fourth field).
We can pipe together as many programs as we like. For example, we can pipe the output of the ps -A | sort -k 4 command to the tail command to display only the last ten lines of the output:
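The operators from "Redirect input and output" and "Pipe data between programs" in one added example that is not part of the original tutorial. The emit function is a constructed stand-in for a command that writes to both standard output and standard error; the file names are hypothetical.

```bash
#!/bin/sh
# Added example: >, >>, 2>, <, 2>&1 and | on constructed data.

# Constructed stand-in for a command: two lines on standard output,
# one diagnostic on standard error.
emit() {
    echo "2 zeta"
    echo "1 alpha"
    echo "warning: disk almost full" >&2
}

redirect_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1

    emit > out.txt 2> err.txt     # > takes standard output, 2> takes standard error
    echo "3 omega" >> out.txt     # >> appends; a second > would overwrite the file

    # < makes the file the standard input of wc
    printf 'out.txt lines: %s\n' "$(wc -l < out.txt | tr -d ' ')"
    printf 'err.txt: %s\n' "$(cat err.txt)"

    # A pipe carries standard output only (standard error is discarded here
    # so it does not reach the terminal) ...
    printf 'piped lines: %s\n' "$(emit 2>/dev/null | wc -l | tr -d ' ')"
    # ... unless standard error is first merged into standard output.
    printf 'with 2>&1: %s\n' "$(emit 2>&1 | wc -l | tr -d ' ')"

    # Several programs chained: sort on the second field, keep the last line.
    printf 'last by name: %s\n' "$(sort -k 2 out.txt | tail -n 1)"

    cd / && rm -rf "$dir"
)

redirect_demo
```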

Sort lines of a text file
The sort command is used to sort the lines of a text file in Linux. You can provide several command line options for sorting data in a text file.
Here is an example file:

To sort the file in alphabetical order, we can use the sort command without any options:

To sort in reverse, we can use the -r option:

We can also sort on the column. For example, we will create a file with the following text:

Blank space is the default field separator. This means that we can sort the text pictured above by the second column. To do that, the -k option, along with the field number, is used:

In the picture above, we have sorted the file sort1.txt in alphabetical order using the second column.
To check if a file is already sorted, use sort with the -c option. This option also reports the first unsorted line:

Search for text strings using grep
The grep tool is used to locate files by scanning their content. You can search a single file or a whole directory of files. By default, grep prints the matching line of text. The syntax is:
grep [OPTIONS] PATTERN FILE
For example, if we want to search the file bobs_file.txt for each occurrence of the word bob, we can use the following command:

Here is another example. If we want to search the directory /home/bob for each occurrence of the word bob, we can use the following command:

In the picture above we can see that there are two occurrences of the word bob in the files inside the /home/bob directory. The -r option specifies that the subdirectories will also be searched. Note that the grep command has listed the filename and the line of the text containing the keyword bob.
grep is most commonly used in conjunction with commands that produce a lot of output, so you can sift through that output for the lines that are important to you. For example, suppose that we would like to display the members of the group cdrom. We can do this by typing the cat /etc/group command, which will display all the groups and their members on the system:

We can then scroll through the output and find the cdrom group and its members. Or, we could pipe the output to the grep command and display only the lines of text that contain the word cdrom:

Here is another example of the usefulness of the grep command. We can use the ps -A command to display all running processes on the system:

The ps -A command produces a lot of output. If we know the exact name of the process, we can pipe the output to the grep command:

In the picture above you can see that there are two instances of the top program running.
By default, grep searches the text in a case-sensitive way. You can do case-insensitive searches with the -i option.
Search for files using find
The find command is used in Linux to search for files in the directory tree starting from the location specified. It searches your filesystem live, which causes the command to run slower than the locate command.
The syntax of the command is:
find PATH EXPRESSION
The expression is a way of specifying what you want to find. You can search files by filename, size, permissions, group, UID, etc.
Here is a list of the most commonly used expressions:

We will go through a couple of examples. To find all files and directories that begin with so in our current directory, we can use the following command:

Wildcards like * have to be enclosed in double quotes to work with the find command.
To find files bigger than 300 bytes, use the following command:

When using the -size expression, use c for bytes, k for Kilobytes, M for Megabytes and G for Gigabytes.
To find files owned by a particular user:
To find files with specific permissions:

You can also combine two or more expressions:

In the example above we have found all files that have the permissions of 775 and begin with the letter t.
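The find expressions from this section run against a small constructed directory tree, as an added example that is not part of the original tutorial. All file names and the helper functions make_sample_tree and find_sorted are hypothetical; -type f is added to the size search because directories have a size too.

```bash
#!/bin/sh
# Added example: find by name, size and permissions on a constructed tree.

# Build a throwaway tree and print its path.
make_sample_tree() {
    tree_dir=$(mktemp -d) || return 1
    (
        cd "$tree_dir" || exit 1
        mkdir sources
        touch song.txt tmp.sh test.sh tool.sh
        echo "short" > small.log
        dd if=/dev/zero of=big.log bs=400 count=1 2>/dev/null   # 400-byte file
        chmod 775 test.sh tool.sh
        chmod 644 tmp.sh song.txt small.log big.log
    )
    printf '%s\n' "$tree_dir"
}

# Run find from inside the tree with the given expression and sort the
# result so the output order is stable.
find_sorted() (
    cd "$1" || exit 1
    shift
    find . "$@" | sort
)

tree=$(make_sample_tree)

# Names that begin with "so". The pattern is quoted so that find, not the
# shell, expands the wildcard.
find_sorted "$tree" -name "so*"              # ./song.txt and ./sources

# Regular files bigger than 300 bytes (c = bytes).
find_sorted "$tree" -type f -size +300c      # ./big.log

# Two expressions combined: permissions exactly 775 AND name begins with t.
# tmp.sh also begins with t but has mode 644, so it is not listed.
find_sorted "$tree" -perm 775 -name "t*"     # ./test.sh and ./tool.sh

rm -rf "$tree"
```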
Search for files using locate
The locate command searches a database of filenames in Linux. Unlike the find command, which can find files by permissions, owner, file size, etc, the locate command finds files only by their name.
This command does not search your system live. Instead, it has its own database that is usually updated once a night or once a week. This means that locate may not find files added since the last database update.
Here is an example:

What if we try to find a file that was recently added? Well, if the database wasn’t updated, we won’t get any result when using the locate command:

To rectify this, we need to update the database manually. This can be done using the updatedb command. After the update, we should be able to find the recently added files:

Because locate works from a database, it’s usually much faster than find.
Count lines in a file
wc (short for word count) is a command in Linux that displays a count of lines (newline characters, to be precise), words, and bytes for each file you specify. The program prints these three numbers for each file you specify. For example, to find out how many lines, words and bytes bobs_file.txt has, we can use the following command:

In the picture above you can see that the bobs_file.txt file contains 5 lines, 30 words, and its size is 141 bytes.
You can specify more than one file:

Use the -l option to print only the line count, -w to print only the word count, and -c to print only the bytes count.
Determine file type
To determine the file type in Linux, we can use the file command. This command runs three sets of tests: the filesystem test, magic number test, and language test. The first test that succeeds causes the file type to be printed. For example, if a file is a text file, it will be recognized as ASCII text.
Here are a couple of examples:

whereis command
The whereis command in Linux is used to locate the binary, source, and manual page files for a command. This command searches for files in a restricted set of locations (binary file directories, man page directories, and library directories). It is usually used to find executables of a program, its man pages and configuration files.
The syntax of the command is simple: you just type whereis, followed by the name of the command or program you want to find out more about.
Here is an example:

The picture above shows the netstat executable (/bin/netstat) and the location of the netstat’s man page (/usr/share/man/man8/netstat.8.gz).
Display last lines of a text file
The tail command displays, by default, the last 10 lines of a text file in Linux. This command can be very useful when examining recent activity in log files.
Here is an example:

In the picture above you can see that the last 10 lines of the /var/log/messages file were displayed.
The tail command can be used with various options. For example, if you would like to display the last 5 lines of a file, you can use the -n option:

Another option that you will find handy is the -f option. This option keeps the file open and displays new lines as they are being added to the file.
Display first lines of a text file
The head command displays, by default, the first 10 lines of a text file in Linux. This command is often used to get an idea of the kind of text file you’re looking at; the first 10 lines are usually enough to determine what a file is.
Here is an example:

As with tail, you can specify the number of lines you would like to display with the -n option:

You can display more than one file:

Split the output of a program
The tee command splits the output of a program, so that it can be both displayed on the screen and saved in a file. This command is usually used when you want the output of the program to be both stored and displayed at the terminal.
For example, if we want to display the output of the ls command on the terminal and store it in a file called output.txt, we can use the following command:

By default, tee overwrites existing files. If you want to append data to the existing files, pass the -a option to tee.
Text editors
A text editor is a program used for editing text files. Most configuration of Linux systems is done by editing text files. All Linux distributions ship with multiple text editors included.
There are two types of text editors in Linux:
- command-line editors – vi, nano, pico
- GUI editors – gedit (for GNOME), KWrite (for KDE)
If we want to edit a file called textfile.txt using gedit, we would type gedit textfile.txt. This opens up textfile.txt for editing:

Here is the same file opened in nano:

gedit text editor
gedit is a powerful general purpose text editor in Linux. It is the default text editor of the GNOME desktop environment. One of the neatest features of this program is that it supports tabs, so you can edit multiple files.
Other features of this software are:
- syntax highlighting for various languages (C, C++, Java, Python…)
- undo/redo
- print preview support
- clipboard support
- search and replace
- multilanguage spellchecking
- configurable fonts and colors
- a flexible plugin system
To open up a file in gedit, simply type gedit FILE_NAME.

KWrite text editor
KWrite is a text editor for KDE. It is based upon Kate, another text editor for KDE, but without some of its advanced features. It is the standard text editor for openSUSE.
KWrite supports the following features:
- export to HTML and PDF
- syntax highlighting
- word completion
- plugin support
- vi input mode
- auto-indentation
Here is an example file opened in KWrite:

Pico text editor
Pico is a simple, display-oriented text editor based on Pine. Pico is very simple to use and offers features such as paragraph justification, cut/paste, spelling checker, search and replace, etc. However, this program doesn’t have as many features as some other popular Linux text editors (such as vi).
Pico is not truly open source, and most Linux distributions don’t even include Pico as a text editor. In fact, Ubuntu even links the command pico to nano.
nano text editor
nano is a simple text editor for Unix and Linux. It is a clone of pico and has been developed because pico’s license was not a free software license. nano is licensed under the GNU General Public License.
Here is an example file opened in nano:

As you can see from the picture above, the first line of the display is the title bar. This line shows nano’s version number and the name of the file that is being edited. The third line from the bottom of the display is the status bar. This line will prompt you for information such as a filename to write when you save your document or terms you want to find in the document when you perform a search operation. The bottom two lines of the editor show the keystrokes for the most common operations.
Here is a list of the most common shortcuts available in nano:

To turn on support for the mouse, use the -m option when invoking nano.
less text viewer
The less program displays the content of a file one screen at a time. You can navigate the file, move to a specific line, and search the file.
Here is an example file opened in less:

On the bottom you can see the message: sample_text lines 1-23/37 63%. This message indicates that you’re viewing lines 1 to 23 of the file which has 37 lines, and that you’re viewing 63% of the file.
Here is a list of navigation commands used in less:
- page down, space, f – one screen forward
- page up, b – one screen backward
- up arrow key – up a line
- down arrow key – down a line
- / – searches the content
- g NUMBER – moves to the specified line
- q – quits the program
The man command uses less to display information.
What is a process?
An instance of a running program is called a process. Every time you run a shell command, a program is run and a process is created for it. Each process in Linux has a process id (PID) and it is associated with a particular user and group account.
Linux is a multitasking operating system, which means that multiple programs can be running at the same time (processes are also known as tasks). Each process has the illusion that it is the only process on the computer. The tasks share common processing resources (like CPU and memory).
To be a good Linux administrator, you need to be familiar with a wide range of commands that enable you to list, identify or delete a process. In the next lessons we will describe such commands.
List all running processes
The most common way to list processes currently running on your system is to use the command ps (short for process status). This command has a lot of options that come in handy when troubleshooting your system.
Used without any options, the ps command displays only processes that are started from the current shell:

To get information about all processes running on the system, use ps -A:

The most used options with ps are a, u and x. Used together, they display all processes running for all users on your system, along with useful information such as the username of the process’s owner, CPU loads, the starting time of the process, the command that initiated the process, etc.

top command
The top command is, just like ps, used to display running processes, but with one very useful feature: it updates its display every few seconds. By default, top sorts its entries by the CPU usage, but you can sort the entries by other columns as well. top is very useful to figure out which users and processes are consuming the most system resources at any given time.
Here is an example of the top window:

As you can see from the picture above, the top command displays a variety of information about processes running on your system. Here is a brief description of the most important ones:
- PID – the process ID of the task.
- USER – task’s owner.
- PR – the priority of the task.
- NI – the nice value of the task.
- VIRT – the total amount of virtual memory used by the task.
- RES – the non-swapped physical memory the task has used.
- %CPU – the task’s share of the CPU time.
- %MEM – the task’s share of the physical memory.
- COMMAND – the command used to start the task.
Sorting the top output
By default, top sorts its entries by the CPU usage. You can change that by pressing M to sort by memory usage. To reverse sort your output, press R. To return to sorting by CPU, press P. To sort by other fields press < to move the sort column to the left and > to move the sort column to the right. To get help, press h. To exit top, press q.
Killing processes with top
You can also use top to kill processes. For example, in the picture above you can see that the dd task is using 99.2% of the CPU time. That could indicate a problem. If we want to kill that process, we would simply type k and provide the PID of the process we are trying to stop – in this case 8156.
Kill a process in Linux
The kill command is used to terminate (kill) a process in Linux. If a program becomes totally unresponsive, you might be forced to terminate it using this command. The kill command sends signals to running processes (identified by their PIDs) in order to request the termination of the process. Besides telling a process to end, signals can tell a process to reread configuration files, pause, continue if stopped, etc. Signals are represented using different numbers. If you don’t specify the signal, the default value is 15, which causes the process to exit but allows it to close open files.
Here is a list of the signals you’re most likely to use and their description:

For example, let’s say that we have a program called dd that is using most of the CPU time and we can’t stop it using traditional methods. To kill it with the kill command, first we need to determine the PID of the process. That can be done using the top command:

The top command displays the PID of the process (13203). To kill the process, we use the kill command. We will use a SIGKILL signal which causes the process to exit without performing routine shutdown tasks:
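The difference between signal 15 and signal 9 described above can be observed directly. The following is an added example, not part of the original page: the worker script, its lock file, and the signal_demo function are constructed for illustration. The worker removes its lock file when it receives signal 15, but gets no chance to do so when it is killed with signal 9.

```shell
#!/bin/sh
# signal_demo SIGNUM: start a worker that holds a lock file and removes it when
# asked to terminate, send it SIGNUM, then report the worker's exit status and
# whether the lock file was cleaned up.
signal_demo() {
    sig=$1
    work=$(mktemp -d) || return 1
    lock="$work/worker.lock"

    sh -c '
        lock=$1
        cleanup() { rm -f "$lock"; exit 0; }
        trap cleanup TERM          # handler for signal 15 (SIGTERM)
        : > "$lock"
        while :; do sleep 1; done  # pretend to be busy
    ' worker "$lock" >/dev/null 2>&1 &
    pid=$!

    # Wait until the worker has installed its handler and created the lock.
    tries=0
    while [ ! -e "$lock" ] && [ "$tries" -lt 50 ]; do
        sleep 0.1 2>/dev/null || sleep 1
        tries=$((tries + 1))
    done

    kill "-$sig" "$pid"
    status=0
    wait "$pid" 2>/dev/null || status=$?

    if [ -e "$lock" ]; then state=present; else state=removed; fi
    rm -rf "$work"
    printf 'exit=%s lock=%s\n' "$status" "$state"
}

# Signal 15: the handler runs, the lock is removed, the worker exits normally.
signal_demo 15
# Signal 9 cannot be caught: no cleanup, and the status is 128 + 9.
signal_demo 9
```

A leftover lock file or half-written output after kill -9 is the practical reason to try the default signal first and use 9 only when the process does not react.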

Kill a process by name
The killall command kills a process based on its name rather than its PID number. For instance, in our previous example we could run the killall -s 9 dd command which would kill all the processes named dd:

Change process priority
nice command
Sometimes you might want to change the priority of a process in Linux. For example, you might run a process that is very important and you want it to finish quickly. You can change the process priority using the nice command and give that process more CPU time.
Every process running on your system has a nice value. By default, the nice value is set to 0. The process priority range is from -20 to 19.
Here are a few facts about changing the priority of a process:
- the lower number is better (the process with the lower number will get more CPU time).
- a regular user can set nice values only from 0 to 19 and only on their own processes.
- a regular user can set the nice value only higher, not lower.
For example, to launch vim with a priority of 15, we would type the following command:

To launch vim with a negative priority of -15, we would use the following command:

Notice that we had to supply the root password. That is because we wanted to specify a negative priority, which can be done only by root.
renice command
The renice program can be used to change the priority of a process that is already running. Only root can lower the nice value of a process (that is, give it a higher priority). You need to specify the PID of the process whose priority you would like to modify. For example, to modify the priority of the process with the PID of 14475 we would use the following command:

Background and foreground processes
You might have noticed that, when you launch a program, it takes over your terminal, preventing you from doing other work in the terminal. This is because most programs run in the foreground when invoked from the shell.
If you have a program that takes a long time to complete, you might want to run that program in the background. To do that, simply append an ampersand (&) to the command. For example, we might want to run the dd command which can take a lot of time. If we run the command as a foreground process we won’t be able to enter any more commands in our terminal window. However, we could run the dd command as a background process:

The dd program now runs in the background. We can use the terminal window to enter other commands.
What if a program is run as a foreground process and you want to use the terminal for something else? Well, you can suspend that program. To stop a running program and put it in the background, press Ctrl+Z. To run that program again in the foreground, type fg:

In the picture above you can see that we’ve started the dd command as a foreground process. We then suspended the program by pressing Ctrl+Z. We can now enter new commands in the terminal window. To return the dd command to the foreground, we simply typed fg.
We could also type bg instead of fg. bg restores a job to running status, but in the background, so we can use the terminal to enter new commands.
jobs command
The jobs command displays the status of jobs started in the current terminal window. Jobs are numbered starting from 1 for each session. The job ID numbers are used by some programs instead of PIDs (for example, by fg and bg commands).
Here is an example. We will start three programs (vim, find and dd) and suspend all of them. We will then use the jobs command to find out the job IDs of the programs. We can then use these IDs with the fg command to run the second job as a foreground process.

Package managers
In Linux, a package manager is a collection of software tools that automate the process of installing, upgrading, configuring, and removing software. A package manager maintains a database of information about installed packages (called the package database) that enables the package manager to uninstall software, establish whether a new package’s dependencies have been met, and determine whether a package you’re trying to install has already been installed.
Here is a list of the major functions of a package manager:
- verifying file checksums to ensure the validity of the installed software.
- verifying digital signatures to authenticate the origin of packages.
- upgrading software with latest versions.
- managing dependencies to ensure a package is installed with all packages it requires.
- creating binary packages.
Two major versions of package management tools exist:
- RPM Package Manager (RPM)
- Debian package manager
You cannot install a Debian package on an RPM-based system, or vice versa. However, tools to convert between formats exist (such as alien).
RPM Package Manager
Some of the RPM-based distributions are Red Hat, Fedora, Fermi Linux, CentOS, SUSE Enterprise, openSUSE, and Mandriva. RPM is a package management system used to build, install, verify, update, and uninstall software in these distributions. This can be done using the rpm command, along with options that specify the action you would like to perform.
Some common options used with the rpm command are:

The convention for naming RPM packages is: packagename-a.b.c-x.arch.rpm. Each part of the package name has a meaning:
Package Name – the name of the package (packagename)
Version Number – package’s version number (a.b.c)
Build Number – software release number (x)
Architecture – the architecture for which the package was built (arch)
For example, the package name kdessh-4.3.5-0.3.3.x86_64.rpm represents a program named kdessh, the version 4.3.5, the build 0.3.3 for x86_64 systems.
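The naming convention above can be parsed mechanically, which is handy when building a package inventory from a directory of files. The following is an added example, not code from the original page; the function name parse_rpm_name and the second sample file name are constructed. Because a package name may itself contain hyphens, the fields are taken from the right-hand side.

```shell
#!/bin/sh
# parse_rpm_name FILE: split an RPM file name into its four fields.
# The name itself may contain hyphens, so the fields are peeled off from the
# right: .rpm suffix, then architecture, then build number, then version.
parse_rpm_name() {
    file=${1##*/}                      # drop any directory part
    case $file in
        *-*-*.*.rpm) ;;                # packagename-a.b.c-x.arch.rpm
        *) echo "not an RPM package file name: $file" >&2; return 1 ;;
    esac
    base=${file%.rpm}                  # kdessh-4.3.5-0.3.3.x86_64
    arch=${base##*.}                   # text after the last dot
    nvr=${base%.*}                     # kdessh-4.3.5-0.3.3
    build=${nvr##*-}                   # text after the last hyphen
    nv=${nvr%-*}                       # kdessh-4.3.5
    version=${nv##*-}
    name=${nv%-*}                      # everything that is left
    printf 'name=%s version=%s build=%s arch=%s\n' \
        "$name" "$version" "$build" "$arch"
}

# The example from the text, and a constructed name that contains hyphens.
parse_rpm_name kdessh-4.3.5-0.3.3.x86_64.rpm
parse_rpm_name /tmp/my-demo-tool-1.2-7.noarch.rpm
```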
Installing packages using rpm
To install a package using the rpm command, type rpm followed by the -i option and the name of the package you would like to install. For example, to install kdessh, we would use the following command:

Note that we have used the -v option to get more detailed information.
Getting information about packages using rpm
To determine the version and release information for software packages, you can use the rpm command with the -q option:

To get even more information, use the -qi options:

Uninstall packages using rpm
To uninstall software packages using rpm, use the -e option:

rpm does not install dependencies. Some higher level tools (like yum) are used for dependency management.
yum package manager
yum (Yellowdog Updater, Modified) is a command-line package manager for RPM-based Linux distributions such as CentOS, Red Hat, and Fedora. yum enables you to install a package and all its dependencies, delete a package, upgrade existing packages, search for packages, etc. The syntax of the yum command is:
yum [OPTIONS] [COMMAND] [PACKAGE]
To install a new package using yum, use the yum install command, along with the name of the package. For example, to install the net-tools package, we would use the yum install net-tools command:

To update a package to the latest version, use the yum update command, along with the name of the package:

To perform a full system update, use the yum update command.
To display information about an installed package, use the yum info command and the name of the package:

To search for a specific package, use the yum search command, along with the keyword that will be searched for. The search command will search package names, summaries, packagers, and descriptions for the keyword you provide:

To remove a package, use the yum remove command. For example, to remove the net-tools package we have installed previously, we would use the yum remove net-tools command:

Debian package manager
Debian packages are adopted by several Linux distributions, most notably Ubuntu, Knoppix and Linux Mint. Debian packages usually have the .deb extension. To install, remove or list Debian packages, the dpkg command is used.
Some common options used with the dpkg command are:

Installing packages using dpkg
To install a .deb package, use the dpkg command with the -i option:

Removing packages using dpkg
To remove a .deb package, use the dpkg command with the -r option:

Display the list of installed packages using dpkg
To list all installed packages on a system, use the dpkg command with the -l option:

Display package information using dpkg
To display information about an installed package, use the -p option along with the name of the software:

dpkg does not install dependencies. Some higher-level programs, such as apt-get and aptitude, are used for dependency resolution.
Advanced Packaging Tool (APT)
Advanced Packaging Tool (APT) is a package manager originally designed for Debian as a front-end for the dpkg utility. It is used to install or upgrade all necessary dependent applications so that .deb packages can be installed.
The APT suite of tools includes a couple of programs. Two of the most commonly used are:
- apt-cache – provides information about the Debian package database.
- apt-get – used to install, upgrade or remove software packages.
Several front-ends to APT exist, which provide more advanced installation functions and more intuitive interfaces. These include:
- Synaptic Package Manager – GTK+ graphical user interface.
- Ubuntu Software Center – a GTK+ graphical user interface developed by the Ubuntu project.
- aptitude – a console client with CLI.
- KPackage – part of KDE.
Here is what Ubuntu Software Center looks like:

apt-cache command
The APT suite of tools includes a command called apt-cache whose purpose is to provide information about the Debian package database. Information is gathered during the apt-get update operation from the sources listed in the sources.list file.
In this lesson we will describe some features of this command.
Search for a program
Let’s say you would like to install a network mapper, but you don’t know the exact name of the program. You could type apt-cache search network mapper to get a list of packages that contain the words network mapper in their name or description:

Display Package Information
To display information about a particular package, use the apt-cache showpkg PACKAGE_NAME command:

Display Package Statistics
To learn how many packages are installed, how many dependencies are recorded, and various other statistics about the package database, use the apt-cache stats command:

Find Unmet Dependencies
To display information about unmet dependencies, use the apt-cache unmet command. This command displays a summary of all unmet dependencies in the package cache.
Display Dependencies
To show all of the specified package’s dependencies, use the apt-cache depends PACKAGE_NAME command:

To find reverse dependencies (packages that depend on the one you specify), use the rdepends subcommand.
Locate All Packages
To display the names of all the packages installed on the system, use the apt-cache pkgnames command. You can specify the second parameter to filter the name list. For example, to find all packages that begin with the string doc, we would use the following command:

apt-get command
apt-get is a command from the APT suite of tools that is used to install, upgrade or remove software packages in Debian and Debian-based Linux distributions. This command has some neat features, such as ease of use over simple terminal connections (SSH) and the ability to be used in system administration scripts, which can in turn be automated by the cron scheduling utility.
The apt-get command obtains information about available packages from the sources listed in /etc/apt/sources.list and then uses that information to upgrade or install packages. Here is an example sources.list file:

Note the lines that begin with deb and deb-src. These are the sources from which packages can be obtained; deb indicates binary packages (the pre-compiled packages that we normally use), and deb-src indicates source packages.
Update the list of available packages
To obtain updated information about packages available from the installation sources listed in /etc/apt/sources.list, use the apt-get update command:

Upgrade all installed packages to the newest versions
To upgrade all installed packages, use the apt-get upgrade command. You can use the -u option to display the complete list of packages which will be upgraded:

It’s important to always run apt-get update before upgrading packages.
Perform the upgrade of all installed packages and handle the changing dependencies
To perform the upgrade but also to perform smart conflict resolution to avoid upgrading a package if doing so would break a dependency, use the apt-get dist-upgrade command:

Install a package by package name
To install a package by its name, use the apt-get install PACKAGE_NAME command:

apt-get searches the database for the most recent version of nmap and retrieves it from the corresponding archive as specified in sources.list. In the event that nmap depends on other packages – as is the case here – apt-get checks the dependencies and installs the needed packages.
Remove a package by package name
To remove a package by its name, use the apt-get remove PACKAGE_NAME command:

Check the package database for consistency
To check the package database for consistency and broken package installations, use the apt-get check command.
Remove unused package files
To clear out information about retrieved files from the Debian package database, use the apt-get clean command. This command removes everything but the lock file from /var/cache/apt/archives and /var/cache/apt/archives/partial:

The apt-get command actions, such as installation and removal of packages, are logged in the /var/log/dpkg.log file:
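Because every installation and removal ends up in /var/log/dpkg.log, the log can be used to reconstruct what changed on a system and when. The following is an added example, not part of the original page: the log lines are constructed sample data (package versions included), and the function names are hypothetical. It filters out the intermediate status lines and keeps only the actual package changes.

```shell
#!/bin/sh
# Constructed sample in the dpkg.log line format:
#   DATE TIME ACTION PACKAGE:ARCH OLD-VERSION NEW-VERSION
# "startup", "status" and "configure" lines record intermediate steps.
sample_dpkg_log() {
    cat <<'EOF'
2024-03-02 09:14:07 startup archives unpack
2024-03-02 09:14:08 install nmap:amd64 <none> 1.0-1
2024-03-02 09:14:08 status half-installed nmap:amd64 1.0-1
2024-03-02 09:14:09 status unpacked nmap:amd64 1.0-1
2024-03-02 09:14:09 configure nmap:amd64 1.0-1 <none>
2024-03-02 09:14:10 status installed nmap:amd64 1.0-1
2024-03-05 22:40:31 startup archives unpack
2024-03-05 22:40:32 upgrade net-tools:amd64 2.0-1 2.0-2
2024-03-05 22:40:33 status installed net-tools:amd64 2.0-2
2024-03-09 03:12:55 startup packages remove
2024-03-09 03:12:56 remove nmap:amd64 1.0-1 <none>
2024-03-09 03:12:56 status config-files nmap:amd64 1.0-1
EOF
}

# dpkg_changes: read dpkg.log lines on stdin and print one line per package
# change (install, upgrade, remove, purge), in log order.
dpkg_changes() {
    awk '
        $3 == "install" || $3 == "upgrade" || $3 == "remove" || $3 == "purge" {
            print $1, $2, $3, $4, $5, "->", $6
        }
    '
}

# changes_for PACKAGE: the change history of one package, any architecture.
changes_for() {
    awk -v pkg="$1" '
        { split($4, p, ":") }          # nmap:amd64 -> p[1] = "nmap"
        p[1] == pkg && ($3 == "install" || $3 == "upgrade" ||
                        $3 == "remove"  || $3 == "purge") {
            print $1, $2, $3, $5, "->", $6
        }
    '
}

# Demo on the constructed sample; on a real system use:
#   dpkg_changes < /var/log/dpkg.log
sample_dpkg_log | dpkg_changes
sample_dpkg_log | changes_for nmap
```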

dselect
dselect is a front-end to dpkg that is used to manage software packages in Debian and Debian-based Linux distributions. You can use dselect to install packages on your system from the APT archives defined in /etc/apt/sources.list, review the already installed packages, uninstall and upgrade packages.
dselect has a text-mode user interface that is started with the dselect command:

dselect will guide you through the package installation through a series of steps:
Access – Choose the access method to use.
Update – Update list of available packages, if possible.
Select – Request which packages you want on your system.
Install – Install and upgrade wanted packages.
Config – Configure any packages that are unconfigured.
Remove – Remove unwanted software.
As each step is completed successfully, it will lead you on to the next. Go through them in order without skipping any steps.
Here is a brief description of each step.
Access – Choose the access method to use
First, you need to tell dselect where the packages are. For example, if you are installing packages from a CD-ROM, you would select the cdrom access method, as seen in the picture below:

Most often you would select the apt access method for installation from a local mirror of the Debian archive or from the network.
Update – Update list of available packages, if possible
To update the list of available packages, select the Update option. dselect will read the Packages or Packages.gz files from the mirror and create a database of all available packages.
Select – Request which packages you want on your system
To choose which packages you wish to have installed, select the Select option. Here you can mark packages for installation or deinstallation.
Install – Install and upgrade wanted packages
Select this option to install the packages marked in the previous step.
Config – Configure any packages that are unconfigured
Most packages are configured in step 3, but any unconfigured package can be configured here.
Remove – Remove unwanted software
This option removes packages that are installed but no longer required.
dselect is not widely used anymore and is largely superseded by Advanced Packaging Tool front-ends such as aptitude.
aptitude
aptitude is a front-end to the Advanced Packaging Tool (APT) in Debian and Debian-based distributions. This program allows users to view the list of packages and perform package management tasks such as installing, removing or upgrading packages. aptitude has an interactive mode similar to dselect, but it can be also used as a command-line tool, similar to apt-get.
To enter the menu-driven package management interface, type aptitude:

We will describe how to install, remove or upgrade packages using this menu-driven interface.
Install packages
First, press u to update the list of packages available for installation. Then, navigate the menu and press + to select the packages you wish to install. You can search for a package by pressing the / key. After you have selected all the packages you wish to install, press g to begin downloading and installing the package files.
Here is how we can install nmap using aptitude:
First, we will search for nmap:

Then, we will select the nmap package by pressing the + key:

To download and install nmap, press g:

Upgrade packages
First, press u to update the list of packages available for installation. Next, press U to upgrade all packages which can be upgraded. Press g to download and install upgraded package files:

Remove packages
Navigate the aptitude menu and press - to select the packages you wish to remove. Press g to begin removing the packages.
For example, to remove nmap, we would have to find the nmap package and press the - key to select it for the removal:

We can then remove nmap by pressing g.
aptitude command line
You can also pass various commands to aptitude on the command line. aptitude emulates most apt-get command-line arguments, allowing it to act as a full replacement for apt-get. For example, to search for a package, we can type aptitude search PACKAGE_NAME:

We can update package lists from the APT repositories by typing the aptitude update command:

To install a package, we can use the aptitude install PACKAGE_NAME command:

To upgrade software packages, we can use the aptitude full-upgrade command:

To remove all downloaded packages, we can use the aptitude clean command:

Synaptic Package Manager
Synaptic Package Manager is a graphical package management tool based on APT. It enables you to install, update and remove packages in a user friendly GUI. Synaptic serves as a graphical front-end to APT and makes the process of software management much easier, especially if you are not familiar with the command-line. Some of the features Synaptic offers are:
- install, remove, and upgrade packages.
- upgrade your whole system.
- search and filter the list of available packages.
- perform smart system upgrades.
- fix broken package dependencies.
- edit the list of used repositories (sources.list).
To install Synaptic in Ubuntu, use the sudo apt-get install synaptic command:

Once the installation completes, start the program and you should see the main application window:

To find a package you would like to install, enter the keyword in the search box:

Once you’ve found the package you would like to install, select the checkbox next to it and choose Mark for installation:

If the package requires the installation of other packages, choose Mark to install them as well:

Click on the Apply button to start the installation:

Review the changes and click Apply:

To remove a package, select it from the menu and choose Mark for Removal (choose the Mark for Complete Removal option if you want to remove configuration files associated with the package as well):

Click Apply to apply the changes.
To display information about an installed package, such as its dependencies, version, and description, select the package and click the Properties button:

This will open up a window with information about the installed package:

To keep your system up-to-date and upgrade all packages, first click the Reload button to reload the package information:

After the reload process has finished, click the Mark all Upgrades button:

In the window that opens, click Mark to mark all additional required changes:

Click Apply to apply the changes.
tar (tape archive) program
The tar (tape archive) program creates archives by combining files and directories into a single file. Tarballs (archive files created by tar and usually compressed with gzip or bzip2) are often used to distribute software packages in the Linux world.
You can use many options with the tar program to modify how it functions when creating and extracting archives. Here is a list of the most common ones:

Compression tools such as gzip, bzip2, and xz are often used with tar to apply compression to the tarball as a whole rather than to the individual files. Typically, files compressed with these utilities have .gz, .bz2, or .xz extensions, respectively.
Here are some examples of the tar command.
To create a tar archive called archive.tar that contains the files results.txt and sample_text, we can use the following command:

To archive and compress files results.txt and sample.txt into a tarball file named compress.tgz, we can use the following command:

To extract the archive created above, we can use the following command:
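Since tarballs are a common way to receive software from other people, it is worth listing an archive before extracting it and unpacking it into a directory of its own. The following is an added example, not part of the original page: the functions unsafe_members, safe_extract and make_demo_tarball are hypothetical helpers, and the demo archive is constructed. It assumes a gzip-compressed tarball such as compress.tgz.

```shell
#!/bin/sh
# unsafe_members: read archive member names on stdin and print those that
# would be written outside the extraction directory: absolute paths and any
# name with a ".." path component.
unsafe_members() {
    awk -F/ '
        substr($0, 1, 1) == "/" { print; next }
        { for (i = 1; i <= NF; i++) if ($i == "..") { print; next } }
    '
}

# safe_extract ARCHIVE.tgz DEST: list the archive first (t), and extract (x)
# into DEST only if every member name stays inside DEST.
safe_extract() {
    archive=$1
    dest=$2
    bad=$(tar -tzf "$archive" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'not extracting %s, unsafe member names:\n%s\n' \
            "$archive" "$bad" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed demo: build compress.tgz from two small files, as in the text.
make_demo_tarball() {
    src=$(mktemp -d) || return 1
    echo "42 passed" > "$src/results.txt"
    echo "sample" > "$src/sample.txt"
    tar -czf "$src/compress.tgz" -C "$src" results.txt sample.txt
    printf '%s\n' "$src/compress.tgz"
}

# Demo run: create the archive, extract it into its own directory, clean up.
demo=$(make_demo_tarball)
safe_extract "$demo" "${demo%/*}/unpacked" && ls "${demo%/*}/unpacked"
rm -rf "${demo%/*}"
```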

cpio program
cpio (copy in/out) is a file archiver utility that uses the result of the ls or find command to generate files to be archived. cpio does not compress any content, but resulting archives are often compressed using gzip or other compression utilities.
cpio has three operating modes:
- copy-out mode – creates an archive from the output of the ls or find command.
- copy-in mode – extracts files from an archive.
- copy-pass mode – copies files from one directory to another.
Copy-out mode
The copy-out mode is used with the -o or --create option to create archives by accepting the output of the ls or find command as the input for the archive. For example, to archive all files in our current directory, we use the following command:

The -v option shows which files are being archived.
Here is how we can archive the directory /home/bob/example_dir using the find command’s results:

Copy-in mode
The copy-in mode is used to extract archives. The cpio command uses the standard input redirection symbol (<) to extract an archive. The -i option is used to extract files from a cpio archive.
Here is how we can extract files from the archive we’ve created in the previous step:

Copy-pass mode
The copy-pass mode is activated by the -p or --pass-through option. You can copy files from one directory and paste them in another directory without actually creating an archive. The benefit of using this mode instead of the cp command is that, unlike the cp command, cpio preserves modification times and ownership.
Here is an example:

In the example above you can see that we’ve copied all the files from the current directory (/home/bob/example_dir) to the /home/bob/new_directory directory. Note that the original files were preserved.
Convert between packages
alien is a program in Linux that converts between RPM packages, Debian packages, Stampede packages, and tarballs. This program is usually used when you want to use a package from a Linux distribution other than the one you have installed on your system. You can then use alien to convert the package to your preferred package format and install it.
The syntax of the alien command is:
alien [options] file
The options define the output type. If no output type is specified, alien converts to deb format. Here is a list of the most common options:
- -d, --to-deb – convert to Debian format
- -r, --to-rpm – convert to rpm format
- -t, --to-tgz – convert to tgz format
- --to-slp – convert to slp format
- -p, --to-pkg – convert to Solaris pkg format
For example, let’s say that you have an nmap RPM package, and you want to create a DEB package from it. You can use the following command:

You can then use the dpkg command to install the package.
If you have a Debian package and want to convert it to RPM, you can use the following command:

You can then use the rpm command to install the package.
alien requires that you have appropriate package manager software installed – for example, to convert between rpm and deb file formats, you need to have both RPM package manager and Debian package manager installed.
root account
The root user, also known as the superuser or administrator, is a special user account in Linux used for system administration. It is the most privileged user on the Linux system and it has access to all commands and files. The root user can do many things an ordinary user cannot, such as installing new software, changing the ownership of files, and managing other user accounts.
It is not recommended to use root for ordinary tasks, such as browsing the web or writing texts. A simple mistake, such as a mistyped command, can cause problems with the entire system. It is advisable to create a normal user account for such tasks. If root permissions are needed, the su and sudo commands can be used.
For example, if we try to bring the eth0 interface down with an ordinary user, we will get the following message:

To be able to perform the command above, we need to use the su or sudo command. We will learn how to do that in the next lessons.
In some Linux distributions, most notably Ubuntu, the root account password is locked by default. Instead, the sudo command is used for commands that require root privileges.
Create users
Every person on your Linux system should have their own account. You need to be familiar with tools that enable you to create, modify and delete user accounts.
In Ubuntu, you can create users using shell commands or the GUI tool.
Create users using the GUI tool
To create users using the GUI tool, click on the System Setting button on the left side of your screen. In the window that opens, type user. This should find the GUI tool called User accounts:

In the window that opens, click on the Unlock button in the upper right corner. You will need to provide the root password.

Now, click the plus button in the lower left corner. This opens up a new window:

Choose the account type and enter the Full name and Username of the user. When done, click Create.

The user is now created, but it is currently disabled. To change that, click on the Password field. This opens up a new window:

Type in the password and click Change. The user can now log in to the system.
Create users using the adduser command
You can also use the shell command adduser to create a user. This command opens a short wizard that helps you create a user. Here is an example:

In the picture above you can see that we’ve created the user jwilliams and set up its full name and password. The user can now log in.
Some resources mention useradd as the utility to create users. On some distributions, adduser is just a symbolic link to useradd. In Debian, however, adduser is the front end to useradd and the recommended way to create users. Even the man page for useradd says that you should use adduser instead: “On Debian, administrators should usually use adduser instead.”
Delete users
In Ubuntu, you can delete users using shell commands or the GUI tool.
Delete users using the GUI tool
To delete users using the GUI tool, click on the System Setting button on the left side of your screen. In the window that opens, type user. This should find the GUI tool called User accounts:

In the window that opens, click on the Unlock button in the upper right corner. You will need to provide the root password.

Now, click the minus button in the lower left corner. This opens up a new window:

Choose whether you want to keep the user’s files. If you don’t want to keep them, click the Delete files button. And that’s it! The user is removed from the system.
Delete users using the deluser command
You can use the shell command deluser to delete a user. Here is an example:

Some resources mention userdel as a utility to delete users. In Debian, deluser is the front end to userdel and the recommended way to delete users. Even the man page for userdel says that you should use deluser instead: “On Debian, administrators should usually use deluser instead”.
Modify users
To modify existing user accounts using the GUI tool, click on the System Setting button on the left side of your screen. In the window that opens, type user. This should find the GUI tool called User accounts:

In the window that opens, click on the Unlock button in the upper right corner. You will need to provide the root password.

Next, click on the user you would like to modify. You can modify the user’s account type, language, password and automatic login option:

Modifying users using the usermod command
To modify an existing user the usermod command is used. Using this command you can change the user’s home directory location, login name, default shell, etc. You can also lock and unlock a user. This command accepts a number of options:

Here is an example. If we want to change the login name of the user jwilliams to jowilliams, we can use the usermod command with the -l option:

One of the most frequent account modifications in Linux is changing the user’s password. You can do this using the passwd program. Simply type the sudo passwd USERNAME command. For example, to change the password of the user jwilliams, simply type sudo passwd jwilliams. This will open up the prompt where you can enter the new password.
Manage passwords
The chage command can be used to view and change a user account’s password expiration information. The root user can modify information such as the account expiration date, the minimum and maximum number of days between password changes, the number of days before account expiration that the system will warn the user, etc.
Here is a list and a brief description of the options available with the chage command:

For example, we can list all the password expiration information for the bob user by using the following command:

As you can see from the picture above, bob’s password is set to never expire. We can change that with the following command:

Now bob’s password is set to expire 30 days from the day the command was run.
/etc/passwd file format
Linux stores most account features in the /etc/passwd file. It is a text-based file with seven fields for each entry. Each entry begins with a username and continues with a set of fields separated by colons (:). Here is the syntax of an entry in the /etc/passwd file:
username:password:UID:GID:comment:home directory:default shell
Here is a description of each field:
- username – the name of the user.
- password – this field has traditionally been reserved for the password. Most Linux distributions, however, store passwords in /etc/shadow. This field is usually set to x, which means that shadow passwords are in use. If the field is set to asterisk (*) it means that the account has no password configured. If the field is set to the exclamation mark (!), the account is locked.
- UID – user identifier. It is a unique number representing the user.
- GID – the default (primary) login group ID. Users have only one primary group and that group is the group owner for all new files the user creates.
- comment – this field contains information about the user. It usually holds the user’s full name.
- home directory – the absolute path to the user’s home directory.
- default shell – the user’s default shell.
For example, here is an entry for our user bob:

In the picture above we can see the following information:
- username – bob
- password – stored in the /etc/shadow file
- UID – 1001
- GID – 1001
- comment – full name of the user is Bob Jones
- home directory – /home/bob
- default shell – /bin/bash
Although the name implies it, the /etc/passwd file doesn’t hold password information. This would present a security risk since the file is readable by all users. Instead, passwords are stored in the /etc/shadow file, explained in the next lesson.
/etc/shadow file format
Most modern Linux distributions use the /etc/shadow file to store encrypted password data. Passwords are stored using a hash (a one-way type of encryption). This file also stores various password information, such as the date of the last password change, password expiration date, etc.
Here is what an entry in the /etc/shadow file looks like:
username:encrypted password:last password change:minimum:maximum:warning:disabled:disabled date
Here is a brief description of each field:
- username – the name of the user.
- encrypted password – the password in encrypted form.
- last password change – the date of the last password change. This date is stored as the number of days since January 1, 1970.
- minimum – the number of days before a password change is allowed. The value of 0 means the password can be changed any time.
- maximum – the number of days before the password must be changed. The value 99999 means the user’s password never expires.
- warning – the number of days before a password is going to expire during which the user will be warned.
- disabled – the number of days after a password has expired until the user account is disabled. No entry in this field means that the account is disabled immediately after the password expires.
- disabled date – the number of days since January 1, 1970 that the account has been disabled. No entry in this field means the account is not disabled.
Here is an entry for our user bob:

In the picture above you can see the following information:
- username – bob
- encrypted password
- last password change – the password was last changed 16182 days after January 1, 1970 (April 22, 2014).
- minimum – 0 means that the password can be changed at any time.
- maximum – bob’s password expires 30 days after the last password change (May 22, 2014).
- warning – bob will be warned 7 days before the password expires.
- disabled – no value means that the account is disabled immediately after the password expires
- disabled date – no entry in this field means the account is not disabled.
The /etc/shadow file is typically not readable by ordinary users. The file is accessible only by root.
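The field layouts described in the /etc/passwd and /etc/shadow sections above, worked through in an added example that is not part of the original page. All account lines are constructed (the hash is a placeholder), and the function names are hypothetical; the shadow part reproduces bob's dates from the day counts, and the passwd part flags entries an administrator would want to review.

```shell
#!/bin/sh
# Added example: read /etc/passwd- and /etc/shadow-style lines.
# Every account line below is constructed; the hash is a placeholder.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob Jones:/home/bob:/bin/bash
backup2:x:0:0:constructed second UID 0 account:/root:/bin/bash
legacy::1002:1002:constructed empty password field:/home/legacy:/bin/sh'

SHADOW_SAMPLE='bob:$6$constructed$placeholderhash:16182:0:30:7:::'

# Convert "days since January 1, 1970" (non-negative) to YYYY-MM-DD with
# integer arithmetic only, so the result does not depend on GNU date.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Read shadow-format lines on stdin and print the password aging dates.
# The hash field is read only to keep the columns aligned; it is never printed.
shadow_report() {
    while IFS=: read -r user hash last min max warn rest; do
        [ -n "$user" ] || continue
        if [ -z "$last" ]; then
            changed=unknown expires=unknown
        else
            changed=$(days_to_date "$last")
            if [ -z "$max" ] || [ "$max" -eq 99999 ]; then
                expires=never
            else
                expires=$(days_to_date $(( last + max )))
            fi
        fi
        printf '%s changed=%s expires=%s warn_days=%s\n' \
            "$user" "$changed" "$expires" "${warn:-0}"
    done
}

# Read passwd-format lines on stdin and flag entries worth reviewing:
# wrong field count, UID 0 on an account other than root, an empty password
# field, or a password value stored in the world-readable file itself.
passwd_audit() {
    awk -F: '
        NF != 7                 { print "malformed:" $1; next }
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $2 == ""                { print "empty-password-field:" $1 }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "hash-in-passwd:" $1 }
    '
}

printf '%s\n' "$SHADOW_SAMPLE" | shadow_report
printf '%s\n' "$PASSWD_SAMPLE" | passwd_audit
```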
Change passwords
The passwd command is used to change passwords of Linux users. To change a password of a specific user account, simply type the passwd command, followed by the name of the user whose password you would like to change:

To view information about the password for a specific user account, use the -S option:

Let’s examine the example above. The first field of the output represents the user’s login name (john). The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field is the date of the last password change. The fourth field is the minimum password age (0 means that the password can be changed at any time), the fifth field is the maximum password age, the sixth field is the warning period, and the seventh field is the password inactivity period.
To lock an account, you can use the -l option:

To unlock an account, use the -u option:

To remove a password from an account, use the -d option:

Ordinary users can change only their own password. This can be done by invoking the passwd command without any arguments. The program will ask for the user’s old password as a security measure:

Linux groups
A group in Linux is a collection of accounts that can be given special permissions on the system. For example, you can give one group the Read permission on a file and another group the Read/Write permissions on the same file. This way, the users in the first group can only read the file while the users in the second group can read and modify it.
Every user in Linux must have a primary group assigned. In most Linux distributions, the primary group is a group with the same name as the user. When a user creates files or launches programs, those files and running programs are associated with that group.
In the next example we will create a file while logged in as the user bob:

In the picture above you can see that the file we’ve just created is associated with the group named bob (the fourth field from the left represents the group the file is associated with).
The /etc/group file is a configuration file that stores group information. This file is readable by all users.
Create groups
To create groups in Linux, you can use a tool called addgroup. addgroup is a friendlier front-end to the low level tool groupadd.
The syntax of this command is simple: you just type addgroup, followed by the name of the group. You can also provide a specific GID (Group ID) for the group with the --gid NUMBER parameter. If you omit this parameter, addgroup will use the next available GID.
Let’s create a group called test_group with the GID of 2000:

Groups are created with no users. To add a user to the group, use the adduser command with two parameters: the username and group. For instance, to add the user jowilliams to the group test_group, we would use the following command:

Delete groups
To delete a group in Linux, you can use a tool called delgroup. delgroup is a friendlier front-end to the groupdel program. The delgroup command takes a single parameter: the group name. Note that you can’t delete the primary group of an existing user: you must delete the user first or change its primary group.
Let’s delete the group we’ve created in the previous section:

You can also delete a group by editing the /etc/group file, but it is recommended to use the delgroup command. delgroup checks whether the group is any user’s primary group and if it is, refuses to remove the group.
Modify groups
To modify an existing group in Linux, the groupmod command is used. Using this command you can change the GID of a group, set the group password and change the name of a group.
Here is a list of groupmod’s options:

Here is a simple example of this command’s usage. To change the name of the group from test_gr to test_group, we can use the following command:

Add users to groups
Interestingly enough, you can’t use the groupmod command to add a user to a group. Instead, the usermod command with the -G option is used. When adding a user to a new group, be sure to also list all of the user’s current groups. Omitting any of the user’s current groups will remove the user from those groups!
To add bob to the group test_group, we can use the following command:

We can list the groups a user is in by using the groups command:

If you don’t want to list all the user’s current groups when adding a user to a new group, you can use the -a option. For example, if we want to add jwilliams to the group cdrom and keep the current group membership, we can use the following command:

/etc/group file format
The group membership in Linux is controlled through the /etc/group file. This is a simple text file that contains a list of groups and the members belonging to each group. Just like the /etc/passwd file, the /etc/group file consists of a series of colon-delimited lines, each of which defines a single group. The file is readable by all users.
Here is what an entry in the /etc/group file looks like:
group name:password:GID:list of users
Here is an example entry for our group test_group:

In the example above you can see that the group test_group has a GID of 5000 and two users: jwilliams and bob.
Linux distributions that use shadow passwords typically place an x in the password field; others place the encrypted password in this field.
Administer groups
The gpasswd command is used to administer groups in Linux. You can add or remove users from groups, set or change the group password, set users as group administrators, etc.
To add a user to a group, use the gpasswd command with the -a option:

As you can see from the output above, the user john was added to the group named project.
To remove a user from a group, use the -d option:

To set a user as a group administrator, use the -A option. Group administrators can add and remove other members from the group and change the group password:

To set a user as a group administrator and add the user to the list of group members, use the -M option with the gpasswd command.
Invoked without any arguments except a group name, the gpasswd command will change the group password:

Customize a user’s work environment
The /etc/skel directory holds files that are copied automatically to individual users’ home directories when their accounts are being created. These files are known as skeleton files. Typically, they’re hidden files that affect the user environment, such as .bash_history, which records each command you run, and .bashrc, which sets the default values used with the bash shell.
You can add files and directories to /etc/skel, and they will be copied to each new user’s home directory. Because users are given ownership of the files copied to their home directory, they can read, change, and delete them.
Here is a simple example. Let’s say that you want to create a README file for new users. You can create that file inside the /etc/skel directory and it will be copied automatically to each new user’s home directory:

Changes to the /etc/skel directory affect only new accounts, not the existing ones. The files that are created under /etc/skel are not copied to the existing users’ home directory.
UID (User Identifier) and GID (Group Identifier)
A UID (user identifier) is a number assigned by Linux to each user on the system. This number is used to identify the user to the system and to determine which system resources the user can access. UIDs are stored in the /etc/passwd file:

The third field represents the UID. Notice how the root user has the UID of 0. Most Linux distributions reserve the first 100 UIDs for system use. New users are assigned UIDs starting from 500 or 1000. For example, new users in Ubuntu start from 1000:

When you create a new account, it will usually be given the next-highest unused number. If we create a new user on our Ubuntu system, it will be given the UID of 1001:

Groups in Linux are defined by GIDs (group IDs). Just like with UIDs, the first 100 GIDs are usually reserved for system use. The GID of 0 corresponds to the root group and the GID of 100 usually represents the users group. GIDs are stored in the /etc/group file:

The third field represents the GID. New groups are usually assigned GIDs starting from 1000:

Manage file ownership
In Linux, each file has an owner and a group with which it’s associated. The file’s owner can change the file’s group, but only to a group to which the user belongs. root can change both the owner and group of any file.
You can use the ls -l command to display the owner and group:

The first underlined field represents the owner of the file (bob) and the second underlined field represents the group name of the file (bob).
The ownership concept also applies to running programs. Most programs you run are tied to the account you’ve used to launch them. This identity, in conjunction with the file’s ownership and permissions, determines whether a program may or may not modify a file.

In the picture above you can see that bob is the owner of the program xeyes.
Change file ownership
The chown (stands for change owner) command is used to change the ownership of a file in Linux. In its most basic form, you just provide the name of the new owner and the filename:
chown NEW_OWNER FILENAME
For example, here is the command that will change the owner of the file called bobs_file.txt to jwilliams:

You can also change both the file owner and the group of the file using the chown command. The syntax looks like this:
chown NEW_OWNER:NEW_GROUP FILENAME
Let’s change the owner and the group of the bobs_file.txt:

To change only the group of the file, you can omit the NEW_OWNER parameter:

You can also change the group of a file using the chgrp command. The syntax of this command is simple: chgrp NEW_GROUP FILE_NAME. As with chown, you can use the -R option to allow changes to be applied recursively to all selected files and subdirectories.
Permissions basics
Permissions in Linux are designed to keep users from accessing other users’ private files and to protect important system files. They are managed in three classes:
- user – determines what the file’s owner can do with the file.
- group – determines what the members of the file’s group can do with the file.
- others (world) – determines what everyone else on the Linux system can do with the file.
There are three specific permissions in Linux:
- read – grants the ability to read a file. When set for a directory, users are allowed to list the directory’s content.
- write – grants the ability to modify a file. When set for a directory, users are allowed to add or remove files in the directory.
- execute – grants the ability to execute a file. When set for a directory, users are allowed to access file contents and metainfo if its name is known, but not to list files inside the directory (unless the read permission is set).
You assign read, write or execute permission to each class of users. For example, you can give the owner of the file full permissions (read, write and execute) over the file, give the group read and write permissions and deny any type of access to the others class.
Permission bits
In Linux, there are a total of nine mode bits that set the basic access permissions. The first three bits set the permissions for the owner of the file. The next three bits set the permissions for the members of the file’s group. The last three bits set the permissions for everyone else on the system:

To display file permissions, you can use the ls -l command:

In the example above you can see that the file permission bits are set to rw- for the owner, rw- for the group, and r-- for the other class (ignore the first hyphen on the left for now). As you can probably guess, r stands for Read, w stands for Write, and x stands for eXecute (not shown above). The hyphen (-) means that the permission hasn’t been granted. So, in this example, the permissions of the file bobs_file.txt grant the read and write permissions to the owner (root) and group (bob), but only the read permission for everyone else on the system. The execute permission is not granted to anyone.
Identify file type
Consider the following output of the ls -l command:

Notice the first character in each line of the output (the characters -, d, and l). The characters represent the file type. The type determines how Linux will interpret the file – as ordinary data, a directory, or a special file type. For example, if the first character is set to d, Linux will interpret the file as a directory. The hyphen (-) stands for a normal data file. The character l represents a symbolic link.
Here is a table of all file type codes in Linux:

Modify file permissions
To modify a file’s permissions, the chmod command is used. Only the owner of the file and root can use this command. The syntax is simple: chmod PERMISSIONS FILE.
You can set file permissions in two ways: using numbers and letters.
Change permissions using numbers
With this method, each permission is assigned a number: r=4, w=2 and x=1. You use each set’s total number to assign the permission. For example, if you want to assign the read and write permissions, you would add the numbers representing these permissions (4+2=6).
Here is a table with all possible values:

Here are a couple of examples that will help you grasp the concept.
We have a file called bobs_file.txt. Since bob is the owner of the file, he can change the file’s permissions. We have removed all permissions from the file. Now we want to assign the following permissions:
owner – read, write, execute (4+2+1=7)
group – read, write (4+2=6)
other – read (4)
We can do that by using the following command:

Remember, the first number represents the owner, the second number represents the group, and the third number represents everyone else on the system.
Here is another example with the same file. Let’s say that we want to assign the following permissions:
owner – read, write (4+2=6)
group – read (4)
other – read, execute (4+1=5)
We can do that using the following command:

Change permissions using letters
You can also change permissions of a file using letters instead of numbers. The letter r represents the Read permission, the letter w the Write permission, and the letter x the eXecute permission. You use the operators +, -, and = to indicate whether you would like to add, remove, or set a permission.
For example, let’s say that we have the following permissions on bobs_file.txt:
owner – read, write
group – read, write
other – read
We want to add the write permission only to the other class. We could do that simply by typing chmod 666 bobs_file.txt. We can also use operators to change only the permission of an individual class. The owner class is represented by the letter u, the group class by the letter g, and the other class by the letter o. So in this case, we can just use the following command: chmod o+w bobs_file.txt

You can assign permissions to more than one class at once:

In the example above we have added the execute permission for the owner and other classes.
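The numeric and symbolic forms described above, applied to a scratch copy of bobs_file.txt in an added example that is not part of the original page. The helper names are hypothetical, and the exact commands shown in the page's screenshots are not known, so the modes below are derived from the permissions the text lists; the last call also shows the = operator removing all access for the other class.

```shell
#!/bin/sh
# Added example: apply chmod in numeric and symbolic form and report the
# resulting permission string together with its octal value.

# Convert a 9-character rwx string to octal using r=4, w=2, x=1 per class.
rwx_to_octal() {
    s=$1
    out=
    for class in 1 2 3; do
        trio=$(printf '%s' "$s" | cut -c$(( class * 3 - 2 ))-$(( class * 3 )))
        n=0
        case $trio in r??) n=$(( n + 4 )) ;; esac
        case $trio in ?w?) n=$(( n + 2 )) ;; esac
        case $trio in ??x) n=$(( n + 1 )) ;; esac
        out=$out$n
    done
    printf '%s\n' "$out"
}

# Create a scratch bobs_file.txt, set it to the starting mode $1, apply the
# chmod argument $2, and print "<rwx string> <octal>".
after_chmod() {
    dir=$(mktemp -d) || return 1
    f="$dir/bobs_file.txt"
    : > "$f"
    chmod "$1" "$f" && chmod "$2" "$f"
    perms=$(ls -ld "$f" | cut -c2-10)   # drop the file type character
    rm -rf "$dir"
    printf '%s %s\n' "$perms" "$(rwx_to_octal "$perms")"
}

# Numeric form: start with no permissions, as in the text.
echo "chmod 764      -> $(after_chmod 000 764)"
echo "chmod 645      -> $(after_chmod 000 645)"

# Symbolic form: start from rw-rw-r-- (664), as in the text.
echo "chmod o+w      -> $(after_chmod 664 o+w)"
echo "chmod uo+x     -> $(after_chmod 664 uo+x)"

# The = operator sets a class to exactly the listed permissions; an empty
# list after = removes every permission for that class.
echo "chmod g=r,o=   -> $(after_chmod 664 g=r,o=)"
```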
Set the default permissions for newly created files
By default, when you create a file as a regular user, it’s given the permissions of rw-rw-r--. You can use the umask (stands for user mask) command to determine the default permissions for newly created files.
The umask is the value that is subtracted from the 666 (rw-rw-rw-) permissions when creating new files, or from 777 (rwxrwxrwx) when creating new directories. For example, if the default umask is 002, new files will be created with the 664 (rw-rw-r--) permissions, and new directories with the 775 (rwxrwxr-x) permissions.
To display the current value of umask, run the umask command without any options:

Ignore the first zero for now. The last three numbers represent the default umask value.
To temporarily change your umask value, run the umask VALUE command. This changes the umask value only for the current shell:

In the picture above you can see that we have changed the umask value to 044. Remember the numbers representing the permissions: r=4, w=2 and x=1. The umask of 044 means that the permissions for the newly created files will be rw- -w- -w- or 622 (because 044 subtracted from 666 gives 622). The permissions for the newly created directories will be rwx -wx -wx or 733 (because 044 subtracted from 777 gives 733).
By default, execute permissions are off for regular files.
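The umask arithmetic above, checked against what the system actually assigns, in an added example that is not part of the original page (function names are hypothetical). It goes slightly beyond the text: subtraction gives the right answer for 002 and 044, but the mask is applied by clearing bits, which matters for masks that contain execute bits, such as 033 or 027.

```shell
#!/bin/sh
# Added example: compute the mode a new file or directory receives under a
# given umask, and compare it with what the system really creates.

# Every bit set in the umask is cleared from the base mode
# (666 for new files, 777 for new directories).
mode_after_umask() {   # $1 = base mode, $2 = umask, both octal digits
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Create a file and a directory under the given umask in a scratch directory
# and print their ls -l permission strings: "<file> <directory>".
observed_modes() {     # $1 = umask
    dir=$(mktemp -d) || return 1
    (
        umask "$1"          # affects only this subshell
        : > "$dir/file"
        mkdir "$dir/subdir"
    )
    f=$(ls -ld "$dir/file"   | cut -c1-10)
    d=$(ls -ld "$dir/subdir" | cut -c1-10)
    rm -rf "$dir"
    printf '%s %s\n' "$f" "$d"
}

# 002 and 044 are the values used in the text. 033 and 027 are additional
# values chosen here: for 033, subtraction would predict 633 for files,
# while the real result is 644.
for mask in 002 044 033 027; do
    printf 'umask %s: file %s, dir %s, observed: %s\n' "$mask" \
        "$(mode_after_umask 666 "$mask")" \
        "$(mode_after_umask 777 "$mask")" \
        "$(observed_modes "$mask")"
done
```

A umask of 044 leaves write access for group and others on new files; 027 in the loop shows a mask that removes it.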
To change the default umask value permanently for a specific user, you need to modify the .bashrc file in the user’s home directory. For example, to change the default umask for user bob, just add the following line at the end of the /home/bob/.bashrc file:

Reopen the shell. The default umask value is now 044:

To change the default umask value permanently for all users, you can use the following command:
pam-config -a --umask --umask-umask=VALUE

Replace the last three numbers with the umask of your choice. The change will be made the next time you log in to the system. Note that the umask definition in the .bashrc file will override the system umask.
Change file attributes
You can use the chattr command to change file attributes in Linux. You can secure your files by modifying their attributes. For example, you can protect important system files by making them undeletable.
Here is a list of some of the attributes you can modify:
- immutable – the “i” attribute makes a file immutable, which means that the file can’t be modified, renamed, or deleted and no link to it can be created.
- append only – the “a” attribute sets append mode, which means that data can only be appended to the file.
- compressed – a file with the “c” attribute is automatically compressed by the kernel. The file is uncompressed when read.
- no dump – a file with the “d” attribute will not be backed up by the dump utility.
- secure deletion – when the file with the “s” attribute set is deleted, the kernel zeros its data blocks. This means that the file will be securely wiped when someone deletes it. This makes it much harder for unauthorized persons to recover and view the file, which can be useful with files that contain sensitive data, such as passwords.
- no atime updates – Linux won’t update the access time stamp when you access a file with the “A” attribute. This reduces a certain amount of disk I/O, which is helpful for saving battery life on laptops.
The attributes are set using the + operator, which causes the attributes to be added to the file, the - operator, which causes the attributes to be removed, and the = operator, which causes the attributes to be the only attributes of the file.
Here is an example. We can add the immutable attribute to a file by using the “i” attribute:

We can then remove the “i” attribute:

Manage hardware
proc filesystem (procfs)
The /proc directory on a Linux system contains information about system resources. It is a virtual filesystem that is created dynamically by Linux to provide access to certain types of hardware information and information about the running processes.
To display information about your CPU, you can use the cat /proc/cpuinfo command:

To display information about the file systems supported by the kernel, you can use the cat /proc/filesystems command:

To display statistics about memory usage on the system, use the cat /proc/meminfo command:

To display the Linux kernel version, distribution number and other kernel-related information, use the cat /proc/version command:

/proc includes a directory for each running process (including kernel processes) at /proc/PID. Each directory contains information about that process (for example, the cmdline file contains the command that started the process, the environ file contains the names and content of the environment variables for the process, the status file contains information about the process, etc.). Just like with the hardware information, you can display the content of these files using the cat command.
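Reading the per-process files described above, as an added example that is not part of the original page (the function name is hypothetical). The cmdline and environ files separate their entries with NUL bytes, so plain cat runs them together; the function converts the separators, handles processes with an empty command line, and counts environment variables without printing their values.

```shell
#!/bin/sh
# Added example: summarise one process from its /proc/PID directory.

proc_summary() {   # $1 = PID
    p=/proc/$1
    if [ ! -r "$p/status" ]; then
        echo "pid $1: no readable /proc entry" >&2
        return 1
    fi

    # status is a "Key: value" text file; Uid lists real, effective,
    # saved and filesystem UIDs in that order.
    name=$(awk '$1 == "Name:" { print $2 }' "$p/status")
    uids=$(awk '$1 == "Uid:"  { print $2 "/" $3 }' "$p/status")

    # cmdline holds the arguments separated by NUL bytes. It is empty for
    # kernel threads, so report that instead of printing a blank.
    cmd=$(2>/dev/null tr '\0' ' ' < "$p/cmdline" || true)
    [ -n "$cmd" ] || cmd="[empty command line]"

    # environ is NUL-separated as well and readable only by the process
    # owner and root. Count the variables; their values may hold secrets.
    nenv=$(2>/dev/null tr '\0' '\n' < "$p/environ" | grep -c '=' || true)

    printf 'pid=%s name=%s uid_real/eff=%s env_vars=%s cmd=%s\n' \
        "$1" "$name" "$uids" "${nenv:-0}" "$cmd"
}

# Summarise the shell that is running this script.
proc_summary $$
```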
IRQ (Interrupt Request)
An interrupt request (IRQ) is a hardware signal sent to the processor instructing it to suspend its current activity and handle some external event, such as a keyboard input or a mouse movement. In x86 based computer systems, IRQs are numbered from 0 to 15. Newer computers, including x86-64 systems, provide more than these 16 interrupts (usually 24). Some interrupts are reserved for specific purposes, such as the keyboard and the real-time clock; others have common uses but may be reassigned; and some are left available for extra devices that may be added to the system.
Here is a list of the IRQs and their common purposes in the x86 system:

In Linux, IRQ mappings are stored in the /proc/interrupts file:

In the picture above, you can see the names of the drivers that are using each IRQ. For example, the floppy driver is using IRQ 6.
I/O ports
I/O (Input/Output) ports (also referred to as I/O addresses) are unique locations in memory reserved for communications between the CPU and specific physical hardware devices. These ports are commonly associated with specific devices and should not be shared.
Here is a table with the common I/O ports for devices in Linux:

To find out which I/O ports your system is using, use the cat /proc/ioports command:

DMA (Direct Memory Access)
DMA (Direct memory access) is an alternative method of communication to I/O ports that permits the device to transfer data directly, without the CPU’s attention. The system can request that the data be fetched into a particular memory region and continue with other tasks until the data is ready. This may result in lower CPU requirements for the I/O activity, which can improve system performance.
To support DMA, the x86 architecture implements several DMA channels. To find out what DMA channels your system uses, you can use the cat /proc/dma command:

As you can see from the output above, the DMA channels 2 and 4 are in use.
DMA addresses should not be shared in order to avoid conflicts.
Kernel modules
A kernel module is an object file that contains code to extend the running kernel of an operating system. It is a standalone file, typically used to add support for new hardware.
Kernel modules are usually stored in the /lib/modules subdirectories. The name of each subdirectory is based on the release number of the kernel:

As you can see from the output above, the system has all kernel modules stored inside the /lib/modules/3.0.76-0.11-default directory.
You can see which modules are currently loaded into the running kernel on your computer by using the lsmod command:

As you can see, the first column (Module) specifies the names of all the modules that are currently loaded. The Used by column describes what is using the module. All entries have a number which indicates the number of other modules or processes that are using the module. For example, in the preceding example, the md5 module isn’t currently in use, as shown by its value of 0; but the nls_utf8 module is being used, as shown by its value of 1.
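The Used by column described above can be checked mechanically. The following is an added example, not part of the original page: it parses lsmod-style output, lists modules with a use count of 0, and compares the loaded set against a baseline. The sample output and the baseline list are constructed.

```shell
#!/bin/sh
# Added example: audit lsmod-style output. All sample data is constructed.

# Constructed sample in the three-column layout that lsmod prints.
sample_lsmod() {
cat <<'EOF'
Module                  Size  Used by
md5                    12345  0
nls_utf8               12557  1
isofs                  40283  1
ext3                  240156  2
jbd                    86252  1 ext3
mbcache                17476  1 ext3
usb_storage            62784  0
EOF
}

# Print modules whose use count (third column) is 0. Nothing is using
# them, so rmmod is allowed to unload them.
unused_modules() {
    awk 'NR > 1 && $3 == 0 { print $1 }'
}

# Print the modules named as users of module $1 (fourth column,
# comma-separated in lsmod output).
module_users() {
    awk -v m="$1" 'NR > 1 && $1 == m && NF >= 4 {
        n = split($4, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
    }'
}

# Print loaded modules that are absent from a baseline passed in $1 as a
# space-separated list (hypothetical baseline; record one per host).
unexpected_modules() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($1 in ok) { print $1 }'
}

# On a live system, replace sample_lsmod with lsmod.
echo "unused:"
sample_lsmod | unused_modules
echo "users of jbd:"
sample_lsmod | module_users jbd
echo "not in baseline:"
sample_lsmod | unexpected_modules "md5 nls_utf8 isofs ext3 jbd mbcache"
```

A module that appears under "not in baseline" was loaded after the baseline was recorded and is worth inspecting with modinfo.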
You can use the modinfo command to show information about a kernel module. The syntax of the command is:
modinfo MODULE_NAME | FILENAME
For example, to show information about the md5 module, we can use the following command:

Load kernel modules
You can load any module that has been compiled and installed to a /lib/modules subdirectory using two commands: insmod and modprobe. Although Linux does a good job of loading modules automatically, you can use these two commands to load a module to use some feature temporarily (such as loading a module to support a special file system) or for testing new modules.
The syntax of the insmod command is very simple; you just type insmod, followed by the module filename. For example, to load the md5 module, we can use the following command:

Sometimes modules depend on other modules. In these cases, if you attempt to load a module that depends on others that aren’t loaded, insmod will fail. However, the modprobe command automatically loads any depended-on modules. The syntax of the command is:
modprobe MODULE_NAME
Here is an example:

With modprobe, you specify a module by its module name rather than the module filename. You can pass a few options to modify modprobe’s behavior. For example, to perform checks and all other operations except the actual module insertions, you can use the -n option. Combined with the -v (verbose) option, this option is useful for debugging problems:

The --show-depends option shows all the modules on which the specified module depends:

The -r option removes the specified module and any on which it depends (depended-on modules are not removed if they’re in use).

modprobe loads modules temporarily. To permanently add the module to your system, add the modprobe command line to one of the startup scripts.
Remove kernel modules
Sometimes you may want to remove a loaded module to reclaim the memory that the module is using or to load an updated replacement module. To do this, you can use the rmmod command. The syntax of the command is simple; you just type rmmod, followed by the name of the module you would like to remove:

Sometimes, the module you are trying to remove depends on other modules that may be loaded, like in this example:

As you can see from the picture above, the rmmod command lists those modules, so you can decide whether to unload them.
You can use the -f option to force module removal even if the module is marked as being in use. Note that this option has no effect unless the CONFIG_MODULE_FORCE_UNLOAD kernel option was set when the kernel was compiled.
Identify CPU
You can find out various information about your CPU using the following three commands:
1. cat /proc/cpuinfo – displays various information about your CPU, such as the CPU model, cache size, MHz, etc:

2. uname -p – displays the CPU architecture:

3. lscpu – displays some advanced information about your CPU:

Find out more information about your system
To find out more information about your Linux system, you can use the uname (stands for unix name) command. This command prints the hostname, kernel version, the CPU information, and other useful information about the computer and the Linux operating system running on it.
Used without any options, the uname command simply prints the OS name:

To print the device hostname, use the -n option:

To find out the kernel version number you are using, use the -r option:

To get more information about your computer, use the -m option:

The command pictured above displays the CPU mode – i686 indicates a 32-bit operating system, while x86_64 indicates a 64-bit one.
To find out what OS you are using, use the -o parameter:

The uname command is usually used with the -a option. This option returns all available information about your system:

Display information about USB devices
One of the most popular external interface forms is USB (Universal Serial Bus). It is the preferred interface for many external devices, such as keyboards, mice, printers, flash drives, etc. Most Linux distributions ship with USB drivers enabled, so devices you connect to a USB port on your computer should be enabled automatically when you boot your system.
To display information about USB devices connected to your system, you can use the lsusb command:

Because we are using VMware Player, the recognized devices were virtual. If you run this command on a system that is running Linux directly on a physical machine, you will get an output with information about devices connected to USB buses.
To display detailed information about each device, use the -v option:

To display the device list as a tree so you can see what devices are connected to what controllers, use the -t option:

GRUB version 1
The computer’s boot process begins with a program called a boot loader. The purpose of this program is to load an operating system or some other software for the computer after completion of the self-tests. In Linux, the most-used boot loader is the Grand Unified Boot Loader (GRUB), available in two versions: GRUB version 1 (also known as GRUB Legacy) and GRUB version 2. GRUB Legacy is the older of the two boot loaders. It used to be the dominant boot loader for Linux, but it’s been largely replaced by GRUB 2.
GRUB Legacy configuration
The configuration file is located at /boot/grub/menu.lst (some distributions such as Fedora, Red Hat, and Gentoo use the filename grub.conf). Here is an example menu.lst file:

GRUB numbers the disk drives differently than Linux does. Instead of /dev/hda or /dev/sda, GRUB uses hd0. Similarly, /dev/hdb or /dev/sdb is likely to be hd1. GRUB doesn’t distinguish between PATA, SATA, SCSI, and USB drives, so on a SCSI-only system, the first SCSI drive is hd0. GRUB Legacy’s drive mappings are stored in the /boot/grub/device.map file:

Additionally, GRUB Legacy numbers partitions on a drive starting at 0, whereas Linux starts at 1. GRUB Legacy separates partition numbers from drive numbers with a comma, as in (hd0,0) for the first partition on the first disk (normally Linux’s /dev/sda1).
GRUB Legacy also defines its own root partition, which can be different from the Linux root partition. GRUB’s root partition is the partition in which GRUB’s configuration file (menu.lst or grub.conf) resides. Because this file is normally in Linux’s /boot/grub/ directory, the GRUB root partition will be the same as Linux’s root partition if you do not use a separate /boot or /boot/grub partition.
Here is a brief description of the configuration options found in the GRUB Legacy’s configuration file:
default – tells GRUB which OS to boot. GRUB indexes from 0, so the 0 option means that the first OS will be booted.
timeout – defines how long, in seconds, to wait for user input before booting the default operating system.
splashimage – defines the picture that’s displayed as the background for the boot process.
The options listed above are the global GRUB options. The following options are per-image options:
title – the name that appears on the boot screen to represent the OS.
root – specifies the location of GRUB Legacy’s root partition. This is the /boot partition if a separate one exists; otherwise, it’s usually the Linux root (/) partition.
kernel – specifies the location of the Linux kernel and kernel options that are to be passed to it. Paths are relative to GRUB Legacy’s root partition. The root option specifies the Linux root filesystem.
initrd – specifies an initial RAM disk, which holds a minimal set of drivers, utilities, and configuration files that the kernel uses to mount its root filesystem before the kernel can fully access the hard disk.
rootnoverify – is similar to the root option except that GRUB Legacy won’t try to access files on this partition. It’s used to specify a boot partition for OSs for which GRUB Legacy can’t directly load a kernel, such as DOS and Windows.
chainloader – tells GRUB Legacy to pass control to another boot loader.
GRUB Legacy officially supports BIOS but not EFI.
GRUB version 2
GRUB version 2 is the default boot loader for Fedora and Ubuntu. The GRUB 2 configuration file is located at /boot/grub/grub.cfg (some distributions place this file in /boot/grub2 to enable both GRUB Legacy and GRUB 2).
grub.cfg is generated automatically from the content of the /etc/default/grub file and the /etc/grub.d directory. You should modify or add to those files to configure GRUB 2. After making changes, you must explicitly rebuild the grub.cfg file by typing the update-grub command.
Here is an example /etc/default/grub file:

As you can see from the picture above, this file contains the GRUB 2 menu settings. You can select which OS will be loaded by default, background image, timeout, etc.
The main GRUB 2 scripts are located inside the /etc/grub.d directory. Here is the content of this directory in Ubuntu:

Here is a brief description of each script:
- 00_header – the script that loads GRUB settings from the /etc/default/grub file.
- 05_debian_theme – defines the background, colors and themes.
- 10_linux – loads the menu entries for the installed distribution.
- 20_linux_xen – loads the Xen hypervisor.
- 20_memtest86+ – loads the memtest utility.
- 30_os-prober – scans the hard disks for other operating systems and adds them to the boot menu.
- 40_custom – a template that you can use to create additional entries to be added to the boot menu.
In GRUB 2, partitions are numbered starting from 1 rather than from 0. The devices are still numbered from 0. This means that sda1 is hd0,1 and NOT hd0,0, as with GRUB Legacy.
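The off-by-one difference between the two GRUB versions is easy to get wrong when editing boot entries by hand. The following is an added example, not part of the original page: it reads a device.map and prints the GRUB name of a Linux partition for either version. The device.map content is constructed, and reusing the same drive mapping for GRUB 2 is an assumption; only /dev/sdXN and /dev/hdXN names are handled.

```shell
#!/bin/sh
# Added example: translate Linux partition names to GRUB names.

# Constructed device.map content in the "(hdN) /dev/DISK" format.
sample_device_map() {
cat <<'EOF'
(hd0)   /dev/sda
(hd1)   /dev/sdb
EOF
}

# grub_name VERSION DEVICE
#   VERSION: "legacy" (partitions count from 0) or "2" (from 1)
#   DEVICE:  a partition such as /dev/sda1 or /dev/hdb3
# Reads a device.map on stdin and prints a name such as (hd0,0).
# Returns 2 on bad arguments, 1 when the disk is not in the map.
grub_name() {
    gn_version=$1
    gn_device=$2
    case $gn_version in
        legacy|2) ;;
        *) echo "grub_name: version must be legacy or 2" >&2; return 2 ;;
    esac
    case $gn_device in
        /dev/[sh]d[a-z][1-9]*) ;;
        *) echo "grub_name: expected /dev/sdXN or /dev/hdXN" >&2; return 2 ;;
    esac
    gn_part=${gn_device#/dev/[sh]d[a-z]}     # "1" from /dev/sda1
    gn_disk=${gn_device%"$gn_part"}          # "/dev/sda"
    case $gn_part in
        *[!0-9]*) echo "grub_name: bad partition number" >&2; return 2 ;;
    esac
    # Look the disk up in the map and strip the parentheses from "(hd0)".
    gn_drive=$(awk -v d="$gn_disk" '$2 == d { gsub(/[()]/, "", $1); print $1; exit }')
    if [ -z "$gn_drive" ]; then
        echo "grub_name: $gn_disk is not in device.map" >&2
        return 1
    fi
    # GRUB Legacy counts partitions from 0, GRUB 2 from 1 (as Linux does).
    if [ "$gn_version" = legacy ]; then
        gn_part=$((gn_part - 1))
    fi
    printf '(%s,%s)\n' "$gn_drive" "$gn_part"
}

for v in legacy 2; do
    printf 'GRUB %s: /dev/sda1 -> ' "$v"
    sample_device_map | grub_name "$v" /dev/sda1
done
```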
Adding a new GRUB script
To add a new boot option, you need to create a new file in the /etc/grub.d directory whose name has the XX_ prefix (where XX is a sequence of numbers). If you want the new entry to be placed above others, use lower numbers; if you want it to be placed below others, use higher numbers.
For example, 12_NAME will be placed after the default entries by the operating system, whereas 07_NAME will be placed before the 10_linux entries.
Here’s an example script:

Here is a brief description of each line in the script:
#!/bin/sh -e – run the script with the /bin/sh shell; the -e option makes the shell exit as soon as a command fails.
echo “String” – sets the string that you will see when running update-grub.
cat << EOF – defines the start of the actual boot entry.
menuentry “OS Name” – sets the name of the menu entry.
set root=(hdX,Y) – sets the root device.
linux /boot/vmlinuz – specifies a file that contains the Linux kernel.
initrd /boot/initrd.img – specifies an initial RAM disk.
EOF – ends the GRUB entry.
Unlike GRUB Legacy, GRUB 2 is designed to work with both BIOS and EFI-based computers.
Alternative boot loaders
There are a few other boot loaders in Linux besides GRUB. Here is a brief description of some of them:
ISOLINUX – a boot loader from the SYSLINUX Project. Generally used by Linux Live CDs and bootable install CDs.
LILO (Linux Loader) – the most common Linux boot loader in the 1990s. Works only on BIOS-based computers.
ELILO (EFI Linux Loader) – a boot loader for EFI-based computers. Similar to LILO.
gummiboot – a boot loader for EFI-based computers with a text-mode interface.
rEFIt – a boot manager for EFI-based computers that features a GUI. Development on rEFIt has been abandoned, but it has been forked as rEFInd.
rEFInd – a boot manager derived from rEFIt for EFI-based computers.
dmesg command
The dmesg command in Linux is used to print the kernel ring buffer (a data structure that records messages related to the operation of the kernel). During the boot process Linux displays messages destined for the kernel ring buffer. These messages sometimes scroll too quickly for you to read. You can inspect them after the boot process by using the dmesg command.
Here is an example of the dmesg command:

This command usually generates a lot of output, so you might want to redirect the output to a file or pipe it through the less program.
Some distributions, like Ubuntu, store the kernel ring buffer to the /var/log/dmesg file soon after the system boots, so you can read this file to inspect the boot process.
Runlevels
A runlevel is the operating state of a Linux operating system. Linux relies on runlevels to determine which services are started and which services are stopped. Runlevels are numbered from 0 to 6, with each runlevel offering different services. Runlevels 0, 1, and 6 are standard runlevels reserved for special purposes. Runlevels 2, 3, and 4 are used for whatever purpose you or your Linux distribution provider decide.
The /etc/inittab file defines the runlevels on a Linux system. Here is an example /etc/inittab file:

Here is a brief description of the runlevels in Linux:
0 – shuts down the system.
1, s, or S – single-user mode. Limited number of services are started. Usually used for system maintenance.
2 – text mode with multiple users, but without network support.
3 – text mode with multiple users and networking.
4 – usually not defined.
5 – the default runlevel. Multiuser GUI. The most common runlevel for Linux workstations.
6 – reboots the system. Used to restart a machine in the default runlevel.
This lesson describes the traditional System V (SysV) initialization system. Other Linux init systems, like Upstart and systemd, differ from this system.
To display your current runlevel, use the runlevel command:

The first character displayed is the system’s previous runlevel (3). When this character is N, this means the system hasn’t switched runlevels since booting. The second number is the current runlevel (5).
You can also call a runlevel directly using the init daemon itself. For example, if you would like to perform some maintenance tasks on your Linux installation, you can switch to runlevel 1 by using the init 1 command.
/etc/inittab
The /etc/inittab file is the configuration file used by the System V (SysV) initialization system in Linux. This file defines three items for the init process:
- the default runlevel
- what processes to start, monitor, and restart if they terminate
- what actions to take when the system enters a new runlevel
Once all the entries in /etc/inittab for your runlevel are executed, the boot process is completed, and you can log in.
Each line in the inittab file consists of four colon-delimited fields:
id:runlevels:action:process
Here is a description of these fields:
- id (identification code) – consists of a sequence of one to four characters that identifies its function.
- runlevels – lists the run levels to which this entry applies.
- action – specific codes in this field tell init how to treat the process. Possible values include: initdefault, sysinit, boot, bootwait, wait, and respawn.
- process – defines the command or script to execute.
Consider the following example:

In the picture above you can see that the runlevels are defined as:
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
#l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
The lines start with codes that begin with an l (a lowercase L) followed by the runlevel number—for instance, l0 for runlevel 0. These lines specify scripts or programs that will be run when the specified runlevel is entered. In our case, all the scripts are the same (/etc/init.d/rc), but the script is passed the runlevel number as an argument.
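To see which commands init will run when a runlevel is entered, the four fields can be split mechanically. The following is an added example, not part of the original page: it parses inittab text, skips comments, and keeps a process field intact even when it contains colons. The sample file is constructed (its l0 to l6 lines match the ones above), and /etc/init.d/boot and /etc/init.d/demo are hypothetical scripts.

```shell
#!/bin/sh
# Added example: list what SysV init runs in a given runlevel.

# Constructed /etc/inittab content, not a real system's file.
sample_inittab() {
cat <<'EOF'
# default runlevel
id:5:initdefault:
si::bootwait:/etc/init.d/boot
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
#l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
1:2345:respawn:/sbin/mingetty --noclear tty1
d1:5:once:/bin/sh -c "PATH=/sbin:/bin; /etc/init.d/demo start"
EOF
}

# Print the runlevel named by the initdefault entry.
default_runlevel() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }'
}

# entries_for_runlevel N: print "id<TAB>action<TAB>process" for every
# active entry whose runlevels field contains N.
entries_for_runlevel() {
    case $1 in
        [0-6sS]) ;;
        *) echo "entries_for_runlevel: runlevel must be 0-6, s or S" >&2
           return 2 ;;
    esac
    awk -F: -v rl="$1" '
        /^[ \t]*#/ || NF < 4 { next }     # comment, blank or malformed line
        $3 == "initdefault"   { next }     # sets the default, runs nothing
        index($2, rl) == 0    { next }     # entry does not apply to rl
        {
            proc = $4                      # rejoin a process that contains ":"
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            print $1 "\t" $3 "\t" proc
        }'
}

# On a SysV system, replace sample_inittab with: cat /etc/inittab
rl=$(sample_inittab | default_runlevel)
echo "default runlevel: $rl"
sample_inittab | entries_for_runlevel "$rl"
```

The commented-out l4 line is ignored, so runlevel 4 shows only the respawn entry whose runlevels field is 2345.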
Change runlevel
The init process is the first process that is run by the kernel. Its primary purpose is to start processes from a script stored in the /etc/inittab file. You can use the init command to reread this file or change to a new runlevel. For example, to change from your current runlevel to runlevel 1 (the single-user mode), you can use the init 1 command:

Your system should reach runlevel 1. To get back to the multiuser GUI mode, you can use the init 5 command.

You should be back in the GUI mode:

Here is a brief description of the runlevels in Linux you can reach using the init command. Note that the values listed below do not apply to all Linux distributions:
0 – shuts down the system.
1, s, or S – single-user mode. Limited number of services are started. Usually used for system maintenance.
2 – text mode with multiple users, but without the network support.
3 – text mode with multiple users and networking.
4 – usually not defined.
5 – the default runlevel. Multiuser GUI. The most common runlevel for Linux workstations.
6 – reboots the system. Used to restart a machine in the default runlevel.
What is an IP address?
An IP address is a 32-bit number that identifies a host on a network. It is usually written as four decimal numbers separated by periods (e.g. 10.50.201.1).
In contrast to MAC addresses, which are physical addresses, IP addresses are logical addresses. A device that wants to communicate with other devices on the network using TCP/IP needs to have an IP address configured. The IP address can be configured manually or it can be obtained from a DHCP server.
The term IP address usually refers to IPv4, the fourth version of the IP protocol. A newer version exists (IPv6) and uses 128-bit addressing.
Private IP addresses
There are three ranges of addresses that can be used in private networks (e.g. your home or office LAN). These addresses are not routable on the Internet.
The private address ranges are:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
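Because an IPv4 address is a 32-bit number, membership in the ranges above is a numeric comparison. The following is an added example, not part of the original page: it converts a dotted address to its 32-bit value and tests it against the three private ranges, which is useful when triaging source addresses in logs. The test addresses are constructed, and rejecting octets with leading zeros is a choice made here.

```shell
#!/bin/sh
# Added example: decide whether an IPv4 address is in a private range.

# ip_to_int ADDRESS: print the address as an unsigned 32-bit number.
# Returns 2 if ADDRESS is not four decimal octets in the range 0-255.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    for octet in "$@"; do
        case $octet in
            # Leading zeros are rejected: some parsers read them as octal,
            # so 010.0.0.1 could mean 8.0.0.1 elsewhere.
            0?*|????*) return 2 ;;
        esac
        [ "$octet" -le 255 ] || return 2
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_private ADDRESS: status 0 if private, 1 if not, 2 if invalid.
is_private() {
    pr_ip=$(ip_to_int "$1") || return 2
    while read -r pr_first pr_last; do
        pr_lo=$(ip_to_int "$pr_first")
        pr_hi=$(ip_to_int "$pr_last")
        if [ "$pr_ip" -ge "$pr_lo" ] && [ "$pr_ip" -le "$pr_hi" ]; then
            return 0
        fi
    done <<'EOF'
10.0.0.0 10.255.255.255
172.16.0.0 172.31.255.255
192.168.0.0 192.168.255.255
EOF
    return 1
}

# Constructed test addresses, including values just outside each range.
for a in 10.50.201.1 172.31.255.255 172.32.0.1 192.168.198.160 8.8.8.8 010.0.0.1; do
    if is_private "$a"; then
        echo "$a private"
    else
        case $? in
            1) echo "$a not private" ;;
            *) echo "$a invalid" ;;
        esac
    fi
done
```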
Public IP addresses
Public IP addresses are assigned to computers that connect to the Internet. A public IP address is the address that your computer (or your router) gets from your ISP when you connect to the Internet. To find out your public IP address, you can use this tool.
What is a MAC address?
A Media Access Control (MAC) address is a 48-bit address that is used for communication between two hosts in an Ethernet environment (e.g. your local network or an office LAN). It is a hardware address, which means that it is stored in the firmware of the network interface card.
A MAC address is supposed to be globally unique. Each network card vendor gets its share of addresses (represented by the first 24 bits) and assigns a unique MAC address to each card.
A MAC address is written in the form of 12 hexadecimal digits. For example, consider the following MAC address:
D8-D3-85-C0-00-08
The first 6 hexadecimal digits represent the manufacturer (HP in this example). The last six digits are unique for each network card.
What is DHCP?
DHCP (Dynamic Host Configuration Protocol) is a network protocol used to assign various network parameters to a device. DHCP greatly simplifies administration, since there is no need to assign static network parameters for each device separately.
DHCP is a client-server protocol. A client is a device that is configured to use DHCP. When a client boots up, it sends a broadcast message in search of a DHCP server. A DHCP server maintains a pool of available IP addresses and offers one of them to the host. A DHCP server can also provide some other parameters, such as:
- subnet mask
- default gateway
- domain name
- DNS server
Linux can be used as both DHCP client and DHCP server.
Here is a description of the DHCP process:

A DHCP client goes through a four-step process:
1. a DHCP client sends a broadcast packet (DHCP Discover) to discover DHCP servers on the LAN segment.
2. the DHCP servers receive the DHCP Discover packet and respond with DHCP Offer packets, offering IP addressing information.
3. if the client receives the DHCP Offer packets from multiple DHCP servers, the first DHCP Offer packet is accepted. The client responds by broadcasting a DHCP Request packet, requesting network parameters from a single server.
4. the DHCP server approves the lease with a DHCP Acknowledgement (DHCP Ack) packet. The packet includes the lease duration and other configuration information.
Network parameters provided by the DHCP server aren’t assigned permanently; the client usually renews them from time to time.
What is DNS?
DNS (Domain Name System) is a network protocol used to translate hostnames into IP addresses. DNS is not required to establish a network connection, but it is much more user friendly than the numeric addressing scheme. Consider this example. You can access the Google homepage by typing 74.125.227.99, but it’s much easier just to type www.google.com and let DNS do the translation.
To use DNS, you must have a DNS server configured to handle the resolution process. A DNS server has a special-purpose application installed. The application maintains a table of dynamic or static hostname-to-IP address mappings. When a user requests some network resource using a hostname (for example, by typing www.google.com in a browser), a DNS request is sent to the DNS server asking for the IP address of the hostname. The DNS server then replies with the IP address. The user’s browser is then able to access www.google.com using that IP address.
The picture below explains the concept:

The DNS Client wants to communicate with the server named home_server. Since the DNS Client doesn’t know the IP address of home_server, it sends a DNS Request to the DNS Server, asking for the IP address of home_server. The DNS Server replies with the IP address of home_server (DNS Reply). The DNS Client can then communicate with home_server.
ifconfig command
To display your IP address in Linux, you can use the ifconfig command. This command can also be used to configure, disable and enable a network interface. Used without any options, ifconfig displays network settings of all network interfaces on the system:

In the picture above you can see, among other parameters, the IP address (inet addr) and the MAC address (HWaddr) of your system.
The first Ethernet interface is usually labeled as eth0. The second interface in the example (lo) represents a loopback interface, a special interface that your computer uses to communicate with itself.
To display the network setting of a specific interface, you can specify the interface in the ifconfig command:

You can use the ifconfig command to configure an IP address. You need to specify the interface you would like to configure, the IP address and the subnet address. Here is an example:

In the example above we have configured the eth0 interface with the IP address of 5.5.5.5 and the subnet mask of 255.255.255.0.
You can also enable and disable an interface using the ifconfig command. Here is how it is done:

The disabled network interface is not shown in the output of the ifconfig command, as you can see in the example above.
Configure a static IP address in Ubuntu
You can use the ifconfig command to configure the IP address in Ubuntu. However, the IP address configured this way is not permanent and will be lost after a reboot. If you want to set up a static IP address that will remain after the reboot, you will need to edit the /etc/network/interfaces file. Consider this example configuration:

Here is a description of each line:
- auto eth0 – the first Ethernet interface is usually identified as eth0.
- iface eth0 inet static – defines that the static configuration will be used.
- address 192.168.198.160 – the IP address of the interface.
- netmask 255.255.255.0 – the subnet mask of the interface.
- gateway 192.168.198.2 – the IP address of the default gateway.
Save the changes and close the file. Run the sudo ifdown eth0 and sudo ifup eth0 commands to apply the changes. You can display your new settings using the ifconfig command:

Configure DHCP client on Ubuntu
To configure your Ubuntu distribution to be a DHCP client, you need to modify the /etc/network/interfaces file. You will need to add the following line to the file:
iface INTERFACE inet dhcp
For example, to configure the eth0 interface as a DHCP client, we would add the following configuration:

The system should now request network parameters from the DHCP server when booting.
To run the DHCP process manually, you can use the dhclient command. For example, to run the DHCP process on the eth0 interface, use the following command:

We have used the -r option to release the current interface configuration.
Configure DNS settings
To enable name resolution, you need to configure your Linux system to use DNS servers. To do this in Ubuntu, open the /etc/network/interfaces configuration file in a text editor:

This file is used to configure your network settings manually. The first Ethernet interface is usually identified as eth0. To configure a DNS server, add the dns-nameservers IP_ADDRESS line under the eth0 configuration:

The line dns-nameservers 8.8.8.8 sets up a DNS server with the IP address of 8.8.8.8 as our DNS server (it is a public DNS server from Google). To configure multiple DNS servers, just add spaces between them: dns-nameservers IP_ADDRESS1 IP_ADDRESS2 IP_ADDRESS3…
Save the file and exit. Run the sudo ifdown eth0 and sudo ifup eth0 commands to apply the changes:

You can test the DNS name resolution process by pinging a hostname:

/etc/hosts file
If you don’t want to use a DNS server for name resolution, you can use the /etc/hosts file instead. This is a simple text file that contains IP address to hostname mappings. Each line consists of an IP address, followed by one or more hostnames:

In the picture above you can see the typical default content of the hosts file that contains entries for the loopback addresses. To set up your own mappings, add the entries in the form of IP_ADDRESS HOSTNAME:

The line 192.168.198.140 webserver will map the IP address of 192.168.198.140 to the webserver hostname. We can now use the webserver hostname to communicate with the remote machine:

Note that you can use both the /etc/hosts file and a DNS server for name resolution. The content of the hosts file will usually be used for lookups before DNS. If there is no match in the hosts file, then the DNS server will be used. Note, however, that hosts files are rarely used today, since you need to edit each file individually on every machine.
Configure hostname
You can change the hostname of your Linux system using the hostname command:
However, the hostname configured this way is not permanent and will not survive a reboot of the system. To set up a new hostname permanently, you need to modify the /etc/hostname file. Open this file in a text editor and simply change the current value to the new hostname:
You also need to modify the /etc/hosts file and change the value next to 127.0.1.1 to the new hostname:
Reboot your computer. After the reboot, the new hostname should be used by the system:
ping command
ping (Packet Internet Groper) is the most commonly used tool for troubleshooting a network, included with most operating systems. It is invoked using the ping command. The ping command uses ICMP (Internet Control Message Protocol) and works by sending an ICMP echo request message to the specified IP address. If the computer with the destination IP address is reachable, it responds with an ICMP echo reply message. The ping command outputs some information about network performance, e.g. the round-trip time (the time from the packet transmission to reception).
ping can help you isolate where a network problem occurs. For instance, if you can ping local computers but not remote systems, the problem is most probably your router. If you can ping by IP address but not by hostname, the problem is probably your DNS configuration.
Here is an output of the ping command in Ubuntu:

In the example above you can see that we have pinged the IP address of 192.168.198.130. By default, ping sends ICMP request packets once every second until you interrupt it with the Ctrl+C keystroke. As you can see from the output above, the host is reachable and has replied with the ICMP reply packets. You can also see that the remote host has replied within 1 ms, which indicates that the network is not congested.
You can specify the number of packets to send by using the -c option:

To change the packet size, you can use the -s option:

traceroute command
traceroute is a tool used to identify the path used by a packet to reach the destination. This tool uses ICMP messages, but unlike ping, identifies every router in the path. traceroute is useful when troubleshooting network problems because it can help you to localize problems in network connectivity.
The traceroute command is available on most modern operating systems (Windows, Apple Mac OS, Unix, Linux, etc). traceroute usually works by sending a series of ICMP echo request packets to a destination. The first series of messages has a Time to Live (TTL) parameter set to 1, which means that the first router in a path will discard the packet and send an ICMP Time Exceeded message. The TTL is then increased by one until the destination host is reached and an ICMP echo reply message is received. The originating host can then use the received ICMP messages to identify all routers in a path.
In Linux, by default, traceroute uses UDP packets with a large destination port number (33434 – 33534) that is unlikely to be used by any application at the destination host. TTLs are used to get the IP addresses of the intermediary routers. When a destination host is reached, it replies with an ICMP port unreachable message. You can change this behaviour by using the -I (the capital i) option. This forces the program to use the ICMP Echo Request (type 8) packets, instead of UDP packets.
Here is an example:

In the picture above you can see that traceroute sends a series of three packets to each system between your system and www.google.com. You can also see the amount of time (in milliseconds) that the packets were taking to traverse each route.
To speed up the process, you can disable the mapping of IP addresses with hostnames by using the -n option:

You can change the number of packets sent by using the -q option:

host command
host is a simple tool used to perform DNS lookups in Linux. It is usually used to resolve a hostname into an IP address or vice-versa.
If no arguments or options are given, host prints a short summary of its command line arguments and options:

To find out the IP address of linux-bible.com, type host linux-bible.com:

To find out the hostname of the host with the IP address of 208.117.229.34, use the following command:

To print the SOA record information, use the -C option. A SOA (Start of Authority) record contains basic properties of the domain and the zone that the domain is in.

To make a query of type ANY for google.com, use the -a option:

To specify the DNS query type, use the -t option, followed by the type. For example, to print name servers for google.com, use the -t ns option:

To print the TXT record (human readable information about a server) for google.com, use the -t TXT option:

dig command
dig (stands for domain information groper) is a tool used to perform DNS lookups in Linux. It is known for its flexibility, ease of use and the clarity of its output. dig performs more complex DNS lookups than the host command and displays more detailed information.
Here is an example of using dig to find out DNS information about linux-bible.com:

As you can see from the picture above, the dig output consists of the following sections:
- Header – displays the dig command version number, the global options used by the dig command, and some additional information.
- Question section – displays the question it asked the DNS. By default, when you pass a domain name to the dig command, it displays the A record (the IP address).
- Answer section – displays the answer received from the DNS. In this case, the IP address of linux-bible.com is displayed.
- Authority section (not shown) – displays the DNS name server that has the authority to respond to this query.
- Additional section (not shown) – displays the IP addresses of the name servers listed in the Authority section.
- Stats section – displays a few dig command statistics.
To display only the Answer section, use the +noall and +answer options:

To display MX records (the mail servers responsible for accepting email messages on behalf of a recipient’s domain), use the -t mx option:

To display NS records (the name servers), use the -t ns option:

To display all DNS record types, use the -t any option:

To perform a DNS reverse look up, use the -x option:

Although usually used with the command-line arguments, dig also has a batch mode of operation for reading lookup requests from a file.
nslookup command
nslookup (name server lookup) is a tool used to perform DNS lookups in Linux. It is used to display DNS details, such as the IP address of a particular computer, the MX records for a domain or the NS servers of a domain.
nslookup can operate in two modes: interactive and non-interactive. The interactive mode allows you to query name servers for information about various hosts and domains or to print a list of hosts in a domain. The non-interactive mode allows you to print just the name and requested information for a host or domain.
The interactive mode
The interactive mode is entered by typing the nslookup command without any arguments:

To find the IP address of a host, simply type the hostname:

To perform a reverse DNS lookup, enter the IP address of a host:

To display MX records (the mail servers responsible for accepting email messages on behalf of a recipient’s domain), set the DNS query type to MX:

To display NS records, set the DNS query type to NS:

The non-interactive mode
The non-interactive mode is invoked by typing the nslookup command, followed by the name or the IP address of the host to be looked up.
For example, to display the IP address of a hostname, use the following command:

To do a reverse DNS lookup, use the following command:

To display the MX records, use the -query=mx option:

To display the NS records, use the -query=ns option:

To display the SOA record (information about the domain), use the -query=soa option:

To display all the available DNS records, use the -query=any option:

The nslookup program is officially deprecated, meaning that it’s no longer being maintained. You should use host or dig instead.
tcpdump command
tcpdump is a packet analyzer in Linux that allows you to intercept network packets and log them or display them on the screen. This tool is used for advanced network troubleshooting and enables you to examine network data in the raw form.
Used without any options, tcpdump will capture all the packets flowing through all the interfaces on the system:

You can specify a particular ethernet interface using the -i option:

Once it’s run, tcpdump begins printing lines, one for each packet it intercepts. These lines include a time stamp, the protocol of the packet (IP in all of these examples), the source system name or IP address and port, the destination system name or IP address and port, and packet-specific information. tcpdump keeps running until you terminate it by pressing Ctrl+C.
Consider the following line:

Here is a description of each field:
- 20:38:29.014324 – the time stamp.
- IP – the protocol of the packet.
- text-lb.esams.wikimedia.org.http – the source system name (text-lb.esams.wikimedia.org) and port (http = port 80).
- 192.168.198.128.54543 – the destination system IP address (192.168.198.128) and port (54543).
- ack 2 win 64239 – packet-specific information.
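The field layout above can be split mechanically, which is useful when filtering a saved capture. The following is an added example, not part of the original tutorial: a shell function that breaks tcpdump text lines into time stamp, protocol, source host and port, and destination host and port. The port is the part after the last dot, and ICMP lines carry no port at all. The sample lines are constructed from the field list above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in tcpdump's text layout (not a real capture).
sample_capture() {
cat <<'EOF'
20:38:29.014324 IP text-lb.esams.wikimedia.org.http > 192.168.198.128.54543: . ack 2 win 64239
20:38:30.120001 IP 192.168.198.128 > 192.168.198.130: ICMP echo request, id 7, seq 1, length 64
20:38:30.500310 ARP, Request who-has 192.168.198.2 tell 192.168.198.128, length 28
20:38:31.002215 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
EOF
}

# parse_tcpdump: read tcpdump text lines on stdin and print
#   "time proto src_host src_port dst_host dst_port"
# for every line of the form "time proto src > dst: info".
# Handles TCP/UDP (host.port) and ICMP (no port); other port-less
# protocols are not special-cased.
parse_tcpdump() {
    while read -r ts proto src arrow dst info; do
        # Lines without "src > dst" (for example ARP) have no address pair.
        if [ "$arrow" != ">" ]; then
            continue
        fi
        dst=${dst%:}                  # drop the colon that ends the address
        case "$info" in
            ICMP*)
                # ICMP has no ports: the last dot belongs to the address.
                shost=$src; sport=-
                dhost=$dst; dport=-
                ;;
            *)
                # The port (number or service name) follows the LAST dot,
                # so 192.168.198.128.54543 is host 192.168.198.128, port 54543.
                shost=${src%.*}; sport=${src##*.}
                dhost=${dst%.*}; dport=${dst##*.}
                ;;
        esac
        echo "$ts $proto $shost $sport $dhost $dport"
    done
    return 0
}

sample_capture | parse_tcpdump
```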
To display packets in ASCII (useful for capturing web pages), use the -A option:

To capture all packets arriving at or departing from the host with the IP address of 192.168.198.2, we can use the following command:

To capture only the packets of a specific protocol type, you need to specify the protocol (for example, IP, IP6, ARP, TCP or UDP). For example, to capture only the TCP traffic, use the following command:

To capture packets to and from a particular port, use the port option:

To capture packets with readable timestamp, use the -tttt option:

To save the captured packets to a file, use the -w option:

To read a tcpdump file, use the -r option:

You can also open the captured file in other network protocol analyzers, such as Wireshark.
netstat command
You can use the netstat command to display various information about the Linux networking subsystem. netstat provides information about network connections, routing tables, interface statistics, etc. This tool is often used to troubleshoot problems in a network and to determine the amount of traffic on the network.
netstat is most often used to display incoming and outgoing network connections. Used without any parameters, netstat returns information about open ports and the systems to which they connect:

To display information about the ports that server programs open to listen for network connections and already-open connections, use the -a option:

To display only the TCP connections, use the -t option:

To display only the UDP connections, use the -u option:

You can group multiple options together:

To print information continuously every few seconds, use the -c option.
To display the statistics for each protocol (IP, TCP, UDP, ICMP), use the -s option:

You can display the statistics for only TCP ports using the -st option:

To display the PID and program name, you can use the -p option:

To print information about your network interfaces, use the -i option:

To print the routing table, use the -r option:

Here is an example netstat output. We will use the netstat command to display all TCP and UDP connections using numerical addresses:

Here is a brief description of each field:
- Proto – the name of the protocol (TCP or UDP).
- Recv-Q – the bytes of data in the queue to be sent to the user program that established the connection. This value should be 0 or close to 0.
- Send-Q – the bytes in the queue to be sent to the remote program. This value should also be 0 or close to 0.
- Local Address – the IP address of the local computer and the port number being used. An asterisk (*) is shown for the host if the server is listening on all interfaces.
- Foreign Address – the IP address and port number of the remote computer to which the socket is connected. If the port is not yet established, the port number is shown as an asterisk (*).
- State – the state of a TCP connection. The possible states are: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT.
netstat is deprecated. You should use ss instead.
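The field descriptions above translate directly into a quick review of a host's sockets. The following is an added example, not part of the original tutorial: a shell function that reads output in the layout of netstat -tuan and reports listeners bound to all interfaces, plus sockets whose Recv-Q or Send-Q is not 0. The sample output is constructed, the function names are hypothetical, and with numerical addresses the "all interfaces" host appears as 0.0.0.0 or :: rather than an asterisk.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `netstat -tuan` (not real output).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.198.128:54543   192.168.198.2:80        ESTABLISHED
tcp        0   5120 192.168.198.128:22      192.168.198.2:50122     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
EOF
}

# audit_netstat: read netstat output on stdin, print one finding per line:
#   ALL-INTERFACES proto port      listener reachable on every interface
#   BACKLOG proto local recvq sendq  queue that is not 0
audit_netstat() {
    while read -r proto recvq sendq local foreign state; do
        case "$proto" in
            tcp|tcp6|udp|udp6) ;;
            *) continue ;;            # header lines and anything else
        esac
        host=${local%:*}              # text before the last colon
        port=${local##*:}             # text after the last colon

        # TCP listeners are in the LISTEN state. UDP has no state column,
        # so an unconnected UDP socket (foreign port "*") counts as one.
        listening=no
        case "$proto" in
            tcp*)
                if [ "$state" = "LISTEN" ]; then listening=yes; fi
                ;;
            udp*)
                case "$foreign" in
                    *:\*) listening=yes ;;
                esac
                ;;
        esac

        if [ "$listening" = yes ]; then
            case "$host" in
                0.0.0.0|::|\*) echo "ALL-INTERFACES $proto $port" ;;
            esac
        fi

        # Recv-Q and Send-Q should be 0 or close to 0.
        if [ "$recvq" -ne 0 ] || [ "$sendq" -ne 0 ]; then
            echo "BACKLOG $proto $local recvq=$recvq sendq=$sendq"
        fi
    done
    return 0
}

sample_netstat | audit_netstat
```

On a live system the same function can be fed with netstat -tuan | audit_netstat; each reported listener is a service to confirm as intended.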
whois command
You can use the whois command in Linux to find out information about a domain, such as the owner of the domain, the owner’s contact information, and the nameservers that the domain is using. For example, to find out domain information of linux-bible.com, we can use the following command:

Here is a brief description of the most important fields:
- Registrar: LAUNCHPAD.COM, INC. – the company that registered the domain on behalf of the domain’s owner.
- Name Servers: NS6175.HOSTGATOR.COM, NS6176.HOSTGATOR.COM – the servers that control the domain’s DNS.
- Creation Date: 16 May 2014 – the date the domain was originally registered.
- Expiration Date: 16 May 2015 – the date when the domain will expire.
- Registrant Name, Address, City… : publicly accessible information of the domain owner.
The -H option omits the lengthy legal disclaimers that many domain registries deliver along with the domain information.
IP forwarding
You can configure your Linux distribution to function as a router and connect different networks together. To do this, you need to enable IP forwarding in the configuration file, usually stored at /etc/sysctl.conf:

Find and uncomment the net.ipv4.ip_forward=1 line:

Save the changes and exit the file. Load the new settings using the command sudo sysctl -p /etc/sysctl.conf:
File system
Generally, a file system is a data structure used to control how data is stored and retrieved. In Windows, each filesystem has its own letter (C:, D:, E:…). In Linux, a file system has a hierarchical directory structure descending from the root directory (/) and all filesystems are part of a single directory tree.
If a disk has multiple filesystem partitions, each is mounted at a mount point in the root filesystem (for example, at /home, which holds users’ data files or /boot, which holds the boot files).
Many Linux file systems exist. Here is a list of the major ones:
- ext2
- ext3
- ext4
- ReiserFS
- XFS
- JFS
To see the list of the file systems supported by your kernel, you can use the cat /proc/filesystems command.

nodev means that the filesystem is not yet associated with a physical device.

ext2fs
The Second Extended File System (ext2 or ext2fs) is a Linux file system that was popular in the 1990s. It had a reputation as a reliable file system, but it is not widely used anymore, since it lacks some advanced file system features, such as journaling.
ext2 is still sometimes used for small partitions, e.g. for a boot partition. On small partitions, the size of the journal used by more advanced file systems can be a problem, so ext2 is a logical choice. It supports files of up to 2 TB, filesystems of up to 16 TB, and filenames of up to 255 characters.
ext3fs
The Third Extended File System (ext3 or ext3fs) is a file system for the Linux kernel. It is basically ext2 with a journal. A journal is a special file used to repair any inconsistencies that occur as the result of an improper shutdown of a computer.
ext3 was a very popular file system and the default file system for many Linux distributions, but ext4 has taken its place in the last couple of years.
ext3 supports files of up to 2 TB, file systems of up to 16 TB, and filenames of up to 255 characters. It is backward compatible with ext2.
ext4fs
The Fourth Extended File System (ext4 or ext4fs) is a successor to the ext3 file system. Just like ext3, it is a journaling file system. It offers better performance and reliability than ext3.
ext4 supports the following features:
- backward compatibility – ext4 is backward compatible with both ext2 and ext3.
- persistent pre-allocation – ext4 can pre-allocate on-disk space for a file.
- unlimited subdirectories – ext4 supports an unlimited number of subdirectories.
- extents – ext4 uses extents to divide large files.
- faster file system checking.
- improved timestamps.
ext4 supports filenames up to 255 characters, maximum file size of up to 16 TB, and file system of up to 1 EB (1 billion gigabytes).
Reiser file system
ReiserFS (Reiser File System) is a journaling file system for Linux. ReiserFS is known to be particularly good at handling large numbers of small files. It is the default file system on a number of distributions, including: Elive, Xandros, Linspire, and GoboLinux.
ReiserFS supports filenames up to 4032 bytes, maximum file size of up to 8 TB, and file system of up to 16 TB.
ReiserFS development has slowed because of the legal problems of Hans Reiser, its creator.
XFS file system
XFS (Extents File System) is a 64-bit, high performance journaling file system for Linux. It was initially created by Silicon Graphics for its IRIX OS, but the code was later donated to Linux. XFS works extremely well with large files and it is known for its robustness and speed.
XFS supports filenames of up to 255 bytes, files of up to 8 EB and file systems of up to 16 EB.
An XFS file system cannot be shrunk.
JFS file system
JFS (Journaled File System) is a 64-bit journaling filesystem for Linux. It was created by IBM for its AIX OS and OS/2. The OS/2 version was later rewritten for Linux.
JFS has been supported by Linux since the kernel version 2.4.18pre9-ac4. It is considered to be a fast and reliable file system.
This file system supports filenames of up to 255 bytes, files of up to 4 PB and file systems of up to 32 PB (1 PB is 1000 TB).
FAT file system
FAT (File Allocation Table) is a file system developed by Microsoft. It was used in DOS and Windows 9x/ME. Linux supports all versions of FAT using the VFAT kernel module.
Although FAT doesn’t provide the same performance as some more modern file systems, it has one great advantage: it is supported by most operating systems. Because of this, FAT is still the default file system on floppy disks, USB flash drives, cell phones, and other types of removable storage.
FAT32 is the most recent version of FAT.
NTFS file system
NTFS (New Technology File System) is a journaling file system that was developed by Microsoft. It is the default file system for the modern versions of Windows. NTFS supports some advanced filesystem features, such as file compression, file encryption, disk quotas, resizing, Volume Shadow Copy Service, etc.
In Linux, you’re most likely to encounter NTFS on a Windows boot partition in a dual-boot configuration. Linux can reliably read NTFS and can overwrite existing files, but can’t write new files to an NTFS partition.
NTFS supports filenames of up to 255 characters, file sizes of up to 16 EB and file systems of up to 16 EB.
ISO-9660 file system
File systems on CD-ROMs use the ISO-9660 file system, published by the International Organization for Standardization (ISO). This file system standard evolved from the High Sierra Format file system. It has three different levels for files:
- Level 1 – supports only 8.3 filenames (eight characters with a three-character extension).
- Level 2 – supports longer 32-character filenames.
- Level 3 – supports longer 32-character filenames.
The Joliet extension provides support for long filenames using Windows. The Rock Ridge extensions provide support for long filenames, permissions, symbolic links, etc on Linux.
What is partitioning?
The process of dividing a disk into logical areas that can be worked with separately is called partitioning. Disk partitioning is done to subdivide the disk into pieces with broadly different purposes. There are several reasons why you might want to use partitioning:
- multiple operating systems on the same disk.
- different file systems on different partitions.
- more efficient disk space management.
- different security settings on different partitions.
- easier backup procedure.
Partitions in Linux are usually created during the installation. There are a variety of GUI tools in Linux to help you with the disk partitioning. For example, in SUSE, there is a tool called Partitioner:

Swap partition
A swap partition is treated in Linux as the extension of RAM. Swap partitions are used as virtual memory when the system runs out of physical memory. Swapping occurs when a running process requires more RAM than there is available. One or more pages of RAM that have not been used recently are swapped out to make RAM available. Because disks are much slower than RAM, the more swapping occurs, the slower your system will be.
If you have a large amount of RAM, you probably won’t need to use the swap partition. However, if you’ve created the swap partition during the installation, you can use the swapon -s command to display information about the swap partition:

The size of a swap partition is usually one to two times the system RAM size.
Hard disk interfaces
Three hard disk interfaces are common on today’s computers:
- PATA (Parallel Advanced Technology Attachment) – these interfaces used to be very common, but they are being replaced by SATA in newer systems. As the name implies, PATA disks use a parallel interface, which means that several bits of data are transferred at once. In Linux, PATA disks are identified as /dev/hda, /dev/hdb, and so on. Partitions are identified by numbers after the device name (e.g. /dev/hda1, /dev/hda2…).
- SATA (Serial Advanced Technology Attachment) – a serial version of the ATA protocol. As the word serial implies, SATA is a serial bus, which means that only one bit of data can be transferred at a time. Unlike with PATA, a single cable can connect only one disk to the motherboard. Most Linux SATA drivers treat SATA disks as if they were SCSI disks and name them accordingly.
- SCSI (Small Computer System Interface) – a parallel interface that was once common on servers and high-end interfaces. Supports up to 8 or 16 devices per bus. In Linux, SCSI disks are identified as /dev/sda, /dev/sdb, and so on. Partitions are identified by numbers after the device name (e.g. /dev/sda1, /dev/sda2…).
MBR partitions
The most common partitioning scheme for x86 and x86-64 computers is MBR (Master Boot Record). This method stores its data in the first sector of the disk, called the Master Boot Record. Assuming 512-byte sectors, MBR partitions can’t support disks larger than 2 TB.
MBR supports three types of partitions:
- primary – the simplest type of partition. A disk can have zero to four primary partitions, one of which may be an extended partition.
- extended – a special type of primary partition that serves as a placeholder for logical partitions. A disk may have at most one extended partition.
- logical – partitions that reside within an extended partition.
Primary partitions are numbered from 1–4, whereas logical partitions are numbered 5 and up.
GPT partitions
GPT (GUID Partition Table) is the preferred partitioning system for hard disks bigger than 2TB (the limit for MBR partitions). With GPT, you can define up to 128 partitions by default. Gaps can occur in partition numbering, so you can have a disk with partitions numbered 3, 12, and 99, for example.
GPT employs a protective MBR (the first sector of the disk), which is a legal MBR definition that makes GPT-unaware programs think that the disk holds a single MBR partition spanning the entire disk. GPT supports disks of up to 8 ZB (zettabytes), which is about 4 billion times larger than the MBR’s limit.
Some older operating systems don’t support GPT. Also, some utilities in Linux, like fdisk or some versions of the GRUB boot loader, don’t work with GPT disks.
fdisk utility
fdisk is a simple text-based partitioning utility. It exists for both Windows and Linux operating systems. You can use the fdisk utility in Linux to view, create, modify or edit partitions. In this lesson we will go through some basic features of this program.
Using fdisk
To use fdisk, type the command followed by the name of the disk you would like to partition. This opens up the fdisk prompt. For example, to partition the primary SATA disk, we would enter the following command:

Once inside the fdisk prompt, you can type commands to accomplish various goals.
To display the current partition table, type p:

To create a new partition, type n. This will open up a text wizard with a series of questions about the partition:

To delete a partition, type d. The program will ask you for the partition number:

In the example above you can see that we have deleted the partition number 3 that was created in the previous step.
When you create a partition, fdisk assigns it a type code of 0x83, which corresponds to a Linux filesystem. If you want to create a Linux swap partition or a partition for another OS, type t. To get a list of known partition types, type l.
You can exit the fdisk utility in two ways. First, you can type q. The program exits without saving any changes. To save the changes to the disk and then quit, type w.
GNU Parted utility
GNU Parted is a text-based partitioning utility that works with MBR, GPT, APM, BSD disk labels and other disk types. This utility was designed to minimize the chance of data loss, but it is still recommended to back up your files before using this program.
Using GNU Parted
To use GNU Parted, type the parted command, followed by the name of the disk you would like to partition. This opens up the GNU Parted prompt. For example, to partition the primary SATA disk, we would type the following command:

Once inside the prompt, you can type commands to accomplish various goals.
To display the current partition table, type print:

To create a new partition, type mkpart. This opens up a series of questions about the new partition. Before creating the partition, execute the print command to view the current layout. For example, to create a 3 GB extended partition, we can use the following command:

Note that the default units in parted are megabytes.
To remove a partition, type rm:

In the example above you can see that we have deleted the partition number 3 that was created in the previous step.
To quit and save changes, type quit.
Create a file system
You can use the mkfs utility to create a file system for any supported file system type. To create a file system, the device must exist and be formatted with the fdisk utility.
The syntax of the mkfs command is:
mkfs -t FILE_SYSTEM_TYPE DEVICE
For example, to format the third partition of the first SATA disk on the system with the ext3 file system, we can use the following command:
mkfs -t ext3 /dev/sda3
Here is the output of the command above:

You can see the statistics that are outputted with the formatting done by the mkfs command. The number of inodes and blocks created are outputted, as are the number of blocks per group and fragments per group. An inode, which holds metadata such as ownership and timestamps for each file, will be consumed for every file and directory in the file system. So the number of inodes shown here limits the total number of files you can create in that file system.
One of the most commonly used options with the mkfs command is the -c option, which checks the specified device for corrupted blocks before creating the file system.
We now need to mount the file system.
Mount a file system
Linux stores information about where and how partitions should be mounted in the /etc/fstab file. Linux refers to this file and mounts file systems on devices by automatically running the mount -a command (mount all file systems) each time you boot.
Here is an example /etc/fstab file:

You can use the mount command to see what file systems are currently mounted on the Linux system. Here is an example:

You can also use the mount command to manually mount a file system. This is usually done with removable devices such as DVDs and CDs. The syntax for this command is:
mount -t FILE_SYSTEM_TYPE DEVICE MOUNT_POINT
You can usually omit the file system type parameter since Linux does a good job of detecting the file system type. For example, to mount a CD ROM on /mount_point, we can use the following command:

We had to create the /mount_point directory before we used the command above.
To unmount a device, you can use the umount command. You need to provide a directory name or a device name. For example, to unmount the device mounted above, we can use the following command:

/etc/fstab file
The /etc/fstab file is a system configuration file that contains all available disks, disk partitions and their options. Each file system is described on a separate line. Each line contains six fields separated by one or more spaces or tabs. If you add a new hard disk or have to repartition the existing one, you’ll probably need to modify this file.
The /etc/fstab file is used by the mount command, which reads the file to determine which options should be used when mounting the specified device.
Here is a sample /etc/fstab file:

A line that begins with a hash mark (#) is a comment and is ignored.
As you can see from the output above, each line consists of six fields. Here is a description of each of them:
- Device – the first field specifies the mount device. These are usually device filenames. Most distributions now specify partitions by their labels or UUIDs.
- Mount point – the second field specifies the mount point, the directory where the partition or disk will be mounted. This should usually be an empty directory in another file system.
- File system type – the third field specifies the file system type.
- Options – the fourth field specifies the mount options. Most file systems support several mount options, which modify how the kernel treats the file system. You may specify multiple mount options, separated by commas.
- Backup operation – the fifth field contains a 1 if the dump utility should back up a partition or a 0 if it shouldn’t. If you never use the dump backup program, you can ignore this option.
- File system check order – the sixth field specifies the order in which fsck checks the device/partition for errors at boot time. A 0 means that fsck should not check a file system. Higher numbers represent the check order. The root partition should have a value of 1, and all others that need to be checked should have a value of 2.
Consider the following line from our sample /etc/fstab file:

This line specifies that the partition /dev/sdc1 should be mounted on /novi_disk. The partition should be formatted with ext3. The mount, dump and fsck options are also specified.
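A mistake in /etc/fstab is easiest to catch before the next reboot. The following is an added example, not part of the original tutorial: a shell function that checks each line against the six-field layout described above, including the rule that check order 1 belongs to the root file system. The sample file is constructed (it reuses the /novi_disk and /usb_device mount points from this tutorial) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample /etc/fstab (not taken from a real system).
sample_fstab() {
cat <<'EOF'
# <device>  <mount point>  <type>  <options>          <dump>  <fsck>
/dev/sda1   /              ext4    errors=remount-ro  0       1
/dev/sda2   /home          ext4    defaults           0       2
/dev/sdc1   /novi_disk     ext3    defaults           0       0
/dev/sdd1   /usb_device    auto    defaults           0       1
/dev/sda3   none           swap    sw                 0
EOF
}

# check_fstab: read an fstab on stdin and print one finding per problem line.
# mount treats a missing fifth or sixth field as 0; this check insists on all
# six fields so that the intent of every line is explicit.
check_fstab() {
    lineno=0
    while read -r device mountpoint fstype options dump pass extra; do
        lineno=$((lineno + 1))
        case "$device" in
            ''|\#*) continue ;;       # blank line or comment
        esac
        if [ -z "$pass" ]; then
            echo "line $lineno: fewer than six fields"
            continue
        fi
        if [ -n "$extra" ]; then
            echo "line $lineno: more than six fields"
            continue
        fi
        # Fifth field: 1 if dump should back up the file system, else 0.
        case "$dump" in
            0|1) ;;
            *) echo "line $lineno: dump field must be 0 or 1, found '$dump'" ;;
        esac
        # Sixth field: fsck order, a non-negative number.
        case "$pass" in
            *[!0-9]*)
                echo "line $lineno: check order must be a number, found '$pass'"
                continue
                ;;
        esac
        # Root gets 1; every other checked file system gets 2; 0 skips fsck.
        if [ "$mountpoint" = "/" ]; then
            if [ "$pass" -ne 1 ]; then
                echo "line $lineno: root file system should have check order 1"
            fi
        elif [ "$pass" -eq 1 ]; then
            echo "line $lineno: $mountpoint uses check order 1, reserved for /; use 2 or 0"
        fi
    done
    return 0
}

sample_fstab | check_fstab
```

To check the real file, run check_fstab < /etc/fstab; no output means every line matches the layout.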
Mount a USB device
Most Linux distributions automatically recognize and mount removable USB drives. Ubuntu, for example, automatically mounts a USB device to the /media/USERNAME/ directory. However, you can still find some older distributions that require external USB devices to be manually mounted before they can be used.
In this lesson we will describe the steps required to mount an external USB drive manually.
First, plug in your USB device. To find out what name your device has, run the fdisk -l command:

You can also get the information on the name of the USB device by looking at the /var/log/messages file. The last few lines usually contain information about the plugged device, like in this example:

In the example above, we can see that our USB device has been listed as /dev/sdd1.
Second, we need to create an empty directory where we will mount our device (/usb_device in this case). Next, we need to run the mount command:

Now we can access data on our USB device.
To unmount the device, we can use the following command:

To permanently mount our USB device, we can add an entry to the /etc/fstab file. For example, we could add the following line:

The line above specifies that the device listed as /dev/sdd1 will be mounted on /usb_device, and the file system type will be automatically recognized by the kernel. The mount, dump and fsck options are also specified.
Check disk space
To check how much disk space your files are using, you can use the df command. Invoked without any options, this command shows disk space usage on all of a system’s partitions:

In the example above you can see the device file associated with the file system, the total amount of space on the file system, the used space on the file system, the free space on the file system, the percentage of space that’s used, and the mount point. Disk space is shown in 1KB blocks. To produce output in a more human-readable form, use the -h option:

To print file systems of a particular type, you can use the -t option:

To list available and used inodes, use the -i option:

To print all file systems, including the ones that have no space, such as /proc and /dev/pts, use the -a option:

In addition to these options, you can specify one or more files to df. When you do this, df restricts its report to the file system on which the specified file or directory exists. For example, to learn about the disk space usage on the /home partition, we could type df /home:

Check file systems
Bugs, power failures, and mechanical problems can all cause data structures on a file system to become corrupted and cause severe data loss. To check and repair Linux file systems, you can use the fsck (stands for file system check) command. This command performs a sequential investigation of the file system. If it finds a misplaced directory or a file with no inode number, it places them in the /lost+found directory.
Linux runs fsck automatically at startup on partitions that are marked for it in /etc/fstab. You can also run the fsck utility manually. To do this, run the fsck command along with the name of the file system you would like to check:

fsck is not usually used on a mounted file system because it could corrupt the file system. It is recommended to unmount the file system before running this command.
The fsck utility supports a couple of options:
- -A option – check all the file systems marked to be checked in /etc/fstab. Normally used in system startup scripts.
- -t option – normally, fsck determines the file system type automatically. You can force the type with the -t FSTYPE option.
- -N option – display what would be checked but don’t actually perform the check. This option is useful to see what would happen if you performed the check.
- -R option – checks all file systems except the root directory.
- -V option – displays verbose output.
fsck is actually a front end to other tools, such as e2fsck (aka fsck.ext2, fsck.ext3, and fsck.ext4) or XFS’s xfs_check and xfs_repair.
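Because running fsck on a mounted file system can corrupt it, a script that calls fsck should verify the mount state first. The guard below is an added example, not part of the original tutorial: it reads a table in /proc/mounts format and refuses when the device appears in it. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /mnt/archive xfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# mount_state DEVICE (hypothetical helper)
# Reads a /proc/mounts style table on stdin and prints "unmounted",
# "ro MOUNTPOINT" or "rw MOUNTPOINT" for DEVICE.
# Limitation: the match is on the literal device name, so resolve symlinks
# such as /dev/disk/by-uuid/... with `readlink -f` before calling.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode, $2
            found = 1
            exit
        }
        END { if (!found) print "unmounted" }'
}

# fsck_guard DEVICE (hypothetical helper)
# Succeeds only when DEVICE is not mounted, so a caller can write:
#   fsck_guard /dev/sdc1 < /proc/mounts && fsck /dev/sdc1
fsck_guard() {
    state=$(mount_state "$1")
    case $state in
        unmounted)
            echo "ok: $1 is not mounted; preview with: fsck -N $1"
            return 0 ;;
        *)
            echo "refusing: $1 is mounted ($state); unmount it first" >&2
            return 1 ;;
    esac
}

# Demonstration on the constructed table; /dev/sda1 is mounted, so it is refused.
printf '%s\n' "$SAMPLE_MOUNTS" | fsck_guard /dev/sdc1
printf '%s\n' "$SAMPLE_MOUNTS" | fsck_guard /dev/sda1 || true
```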
Check file disk usage
You can use the du command in Linux to find out how much space is being consumed by a particular directory and its subdirectories. Used without any options, this command lists all directories below the current directory, along with the space consumed by each directory. At the end of the output, du lists the total disk space used within that directory structure.
Here is an example:

In the picture above you can see the disk usage of the /home/bob/example_dir directory and its subdirectories.
By default, the disk space is displayed in 1KB block sizes. To make the output friendlier (in kilobytes, megabytes, and gigabytes), use the -h option:

The total space consumed by the /home/bob/example_dir directory is shown on the last line (56 KB in this case).
Ordinarily, du shows the space used by the files in directories but not the space used by individual files. To report the size of individual files, use the -a option:

Obtain file system information
To obtain information about your ext2, ext3 or ext4 file system, you can use the dumpe2fs command. This command is most often used with the -h option, which causes the utility to omit information about group descriptors. dumpe2fs shows some useful information about the file system, such as:
- the mount point.
- the last time the file system was checked.
- file system OS type.
- number of inodes.
- journal information.
The syntax of dumpe2fs is simple: you just type dumpe2fs, followed by the file system device name. Here is an example output:

Unlike many low-level disk utilities (such as fsck), you can safely run dumpe2fs on a mounted file system.
An equivalent to dumpe2fs for XFS file systems is called xfs_info. Like dumpe2fs, this command provides useful information about the file system. To invoke the command, just type xfs_info, followed by the file system device name:

xfs_info requires that the file system is mounted.
Another useful tool for XFS file systems is xfs_metadump. This program copies the file system’s metadata (filenames, file sizes, and so on) to a file. For example, xfs_metadump /dev/sda3 /xfs/xfs_dump copies the metadata to /xfs/xfs_dump:

xfs_metadump should only be used to copy unmounted file systems or read-only mounted file systems. The file generated by xfs_metadump can be restored to a file system image (minus the data) using the xfs_mdrestore tool.
Adjust file system parameters
To tune file system parameters on a Linux ext2, ext3, or ext4 file system, you can use the tune2fs command. The syntax of this command is simple: you just type tune2fs, followed by the options and the file system device name. Here are the most common options and their description:
- -c NUMBER – ext2fs, ext3fs, and ext4fs file systems require a periodic disk check with fsck. This check is designed to prevent errors from creeping onto the disk undetected. This option specifies the maximum number of mounts between two file system checks.
- -i INTERVAL [d|m|w] – specifies the maximum time interval between two consecutive file system checks in days (d), months (m), or weeks (w). Normally, interval is a number with the character d, w, or m appended, to specify days, weeks, or months, respectively.
- -j – adds a journal to the file system, converting an ext2 file system into an ext3 file system.
- -l – displays contents of the file system’s superblock, which contains partition information.
- -f – forces completion of the tune2fs command even in an error condition.
- -m – sets the percentage of disk space that’s reserved for use by the root user.
- -L – specifies the volume label for a file system.
For example, to change the maximum number of mounts between two file system checks on the /dev/sdc1 partition to 30, you use the following command:

It is not recommended to run tune2fs on a mounted file system.
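The values set with tune2fs -c and -i are stored in the superblock and appear in dumpe2fs -h output, so the periodic-check policy of a file system can be audited without changing anything. The script below is an added example, not part of the original tutorial; the function name and both sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Constructed excerpt of `dumpe2fs -h` output with periodic checks turned off
# (a maximum mount count of -1 or 0 and an interval of 0 both mean "never").
SAMPLE_DISABLED='Filesystem state:         clean
Mount count:              57
Maximum mount count:      -1
Last checked:             Tue Mar  5 09:12:44 2024
Check interval:           0 (<none>)'

# Constructed excerpt for a file system tuned with `tune2fs -c 30 -i 6m`
# that has since been mounted 31 times.
SAMPLE_TUNED='Filesystem state:         clean
Mount count:              31
Maximum mount count:      30
Last checked:             Tue Mar  5 09:12:44 2024
Check interval:           15552000 (6 months)'

# periodic_check_status (hypothetical helper)
# Reads `dumpe2fs -h` text on stdin and prints one of:
#   disabled   neither a mount-count limit nor a time interval is set
#   due        the mount count has reached the configured maximum
#   scheduled  a limit or interval is set and the mount count is below it
# The time interval is only tested for being set; whether it has elapsed
# is not evaluated here.
periodic_check_status() {
    awk -F': *' '
        $1 == "Mount count"         { mc  = $2 + 0 }
        $1 == "Maximum mount count" { max = $2 + 0 }
        $1 == "Check interval"      { iv  = $2 + 0 }
        END {
            if (max <= 0 && iv == 0)      print "disabled"
            else if (max > 0 && mc >= max) print "due"
            else                           print "scheduled"
        }'
}

# On a live system (as root): dumpe2fs -h /dev/sdc1 2>/dev/null | periodic_check_status
printf '%s\n' "$SAMPLE_DISABLED" | periodic_check_status
printf '%s\n' "$SAMPLE_TUNED"    | periodic_check_status
```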
The xfs_admin command is the rough equivalent of tune2fs for XFS file systems. Here are the most common options used with this command:
- -l – prints the current file system label.
- -L – changes the file system’s label.
- -U – changes the file system’s UUID.
To display the existing label for an XFS file system and then apply a new label, you can use the following commands:

You must unmount a file system before using the xfs_admin command.
Debug a file system
You can interactively modify a file system’s features by using the debugfs utility in Linux. This utility can be used to examine and change the state of an ext2, ext3, or ext4 file system. debugfs provides the abilities of dumpe2fs, tune2fs, and many other file manipulation tools. The syntax of this program is simple: just type its name, followed by the device filename. This will open up the debugfs prompt:

Here is a list of the most commonly used commands:
- show_super_stats or stats – produces superblock information, similar to what dumpe2fs displays.
- undelete INODE NAME – undeletes a file. INODE is the inode number of the deleted file and NAME the filename you want to give to it. You can get a list of deleted inodes by typing list_deleted_inodes.
- write INTERNAL_FILE EXTERNAL_FILE – extracts a file from the file system. INTERNAL_FILE is the name of a file in the file system you’re manipulating and EXTERNAL_FILE is a filename on your main Linux system. This command comes in handy when you want to extract a critical file without mounting the file system first.
- stat filename – displays the inode data on a file or directory.
- help – shows the commands available.
- quit – quits the program.
In addition to the commands explained above, you can use many ordinary Linux commands inside the debugfs prompt, like cd, rm, rmdir, etc.
Here is an example of how to get file system information using debugfs:

This opens up a screen with lots of useful information about the file system:

Do not use debugfs on a mounted file system.
You can use the xfs_db utility to modify an XFS file system’s features. Like debugfs, xfs_db provides an interactive tool to access and manipulate a file system:

Type help to get a list of commands available.