Unix: The shell
This chapter introduces the Unix shell. Besides the standard shells, it also introduces the secure shell (ssh), privilege elevation with sudo and su, and how to capture a CLI session with script.
The UNIX shell is a command line interpreter (CLI). It interprets the commands the user types in and arranges for them to be carried out.
The user types in a command consisting of a single line of text, ending by pressing the [Enter] key (sometimes referred to as the [Return] key by those who grew up using typewriters). When the user presses the [Enter] key, the entire command line is sent to the shell and interpreted.
After receiving the command, the shell either executes it itself (if it is a shell built-in such as cd or exit) or asks the kernel to start the program named on the command line, passing it the remaining words as arguments. When execution has completed, the shell displays the prompt again to tell the user it is ready to accept a new command.
The default prompt is a dollar sign ($) if your shell is the classic Bourne shell sh, the Bourne Again Shell bash or the Korn shell ksh. The default prompt is a percent sign (%) if your shell is the C shell csh or tcsh. In the examples in this ebook, a dollar sign will be placed in front of each shell command. Do not type the dollar sign when you try out the examples; it is only there to indicate that you should try the example out from the command line. When a user is running with superuser privileges, it is customary to remind the user of that power by having an alternate prompt. This alternative prompt is usually the hash sign (#).
It is possible for users to switch between different shells on the same machine. As is evident from the previous paragraph, several different shells exist. However, one of the best and easiest to come to grips with (in this author's opinion) is the Bourne Again Shell (bash). In this ebook, bash will be used in all the examples.
If you're already using a Unix or Gnu/Linux system, you get access to the shell by means of the terminal, as discussed in the previous section.
Note that working with a command line interpreter is different from working in a GUI. In a GUI there is no “prompt”; you initiate commands by clicking with the mouse or by touching a multi-touch screen. A GUI is always ready to accept another command, while a command line interpreter by default waits until the current command has finished before it shows the prompt again and accepts the next one. To be fair, there are several ways around this (running a command in the background, for instance), as will be shown later.
Remote login: ssh
An essential tool for logging in and working on a remote computer over the Internet is the secure shell (ssh).
ssh is a lot more than a remote terminal. Everything you send and receive during a session is encrypted, and the server proves its identity with a host key before you send any credentials. ssh also supports several authentication methods (passwords, key pairs and more), secure file transfer (scp and sftp), X session forwarding, and port forwarding.
To log in on a remote host, you type the command ssh username@hostname in your local shell, where username is your user name on the remote host and hostname is the DNS name (or IP address) of the remote host.
Instead of connecting through login/password to a remote host, ssh allows you to use key-based authentication.
On RHEL7, as on any system with OpenSSH installed, ssh-keygen generates the private/public key pair used for key-based authentication. The private key stays on your own machine; only the public key is copied to the remote host.
[TBA: How to generate key pair and copy public key to target server. No need to edit sshd_config on a USIT-provided RHEL7.]
If this is not working after copying the files, and the target server is running SELinux, you may need to change the security context (label) of the files so that sshd is allowed to read the key:
$ cd ~/.ssh
$ sudo chcon -t ssh_home_t . authorized_keys
A label set with chcon is lost if the file system is relabelled. The preferred fix is restorecon -Rv ~/.ssh, which resets the files to the policy's default label (ssh_home_t for files under ~/.ssh), so a later relabel gives the same result.
The Amazon EC2 cloud service generates a key pair for you and lets you download the private key as a .pem file (an “identity file” in ssh terms). This file is generated when you create a key pair in Amazon Web Services (you are asked to do so when you launch your first server instance), and you need to save it and use it for logging in on your server instances. This method of authentication replaces the password.
As soon as you've downloaded an identity file, make sure it is not readable by others; ssh refuses to use a private key that other users can read. If the file is named mykey.pem, you do this with the chmod command like this:
$ chmod 600 mykey.pem
(The exact meaning of the above command will be explained in the chapter about access rights.)
Here is an example of me using ssh to connect to an Amazon EC2 server instance, using the identity file mykey.pem:
$ ssh -i mykey.pem email@example.com
Last login: Mon Jan 28 05:38:37 2013 from diamant.ifi.uio.no

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2012.09-release-notes/
[ec2-user@domU-12-31-39-07-5C-FE ~]$
The configuration for ssh is kept in the directory .ssh in your home directory (~/.ssh), together with your keys and the list of host keys of servers you have connected to (known_hosts).
The sudo and su commands
The sudo command allows a user to run programs with the security privileges of another user (by default, the Unix superuser). It prompts the user for his or her own password (not root's) and checks the request against the policy file /etc/sudoers (and the files under /etc/sudoers.d) that the system administrator maintains. System administrators can give certain users or groups access to some or all commands without those users having to know the root password. sudo also logs every command with its arguments (to syslog by default), so there is a record of who used it for what, and when.
Provided your account has been given sudo privileges, the command below will run the command given as argument with the same privileges as the Unix superuser (root):
$ sudo command
[sudo] password for username:
…
Replace command with the actual command to execute. In the prompt, username will be your username.
There is no need for sudo for students taking INF3272/INF5272 at the University of Oslo. In fact, students do not have sudo privileges; if you type the above command, it will fail. However, as a student taking INF3272/INF5272, you may want to change the file permissions of the file tree below the web root. On a standard Unix system, you would need sudo privileges to do this. On the servers provided for students taking INF3272/INF5272, permissions are changed to the correct ones with the following shell command: fixperms. Use this command if you get the error “permission denied” when you try to download or update a Drupal project.
The sudo command also makes it easier to practise the principle of least privilege (PoLP): nobody gets administrative rights by default, but selected users may be allowed to perform specific administrative tasks.
PoLP means that a user's privileges should by default be the least required to do what the user needs to do. It can also be applied to processes on the computer: each component or process should have the least privileges necessary to perform its duties. This reduces the “attack surface” of the computer by removing unnecessary privileges that an attacker could otherwise exploit, and it limits the damage when a process is compromised. The most important consequence of this principle is that users are not given administrative rights by default.
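What a least-privilege sudo policy looks like in practice is shown by the following added example (written for this chapter; it is not the configuration of the course servers). It puts the too-broad rule beside a scoped one and installs the scoped rule the safe way. The group name webadmins, the path /usr/local/bin/fixperms and the file name under /etc/sudoers.d are assumptions.

```shell
#!/bin/sh
# Added example, not from the original chapter: a least-privilege sudo rule
# for a group of web administrators, beside the too-broad rule it replaces,
# and the safe way to install it. The group name "webadmins" and the path
# /usr/local/bin/fixperms are assumptions.
set -eu

# Too broad: every member may run any command as root, which gives nothing
# over handing them the root password except the log entries.
broad_rule() {
    printf '%%webadmins ALL=(ALL) ALL\n'
}

# Scoped: exactly the two commands these users need, as root only, named by
# full path so a user cannot put a program of their own first in PATH.
scoped_rule() {
    cat <<'EOF'
Cmnd_Alias WEBOPS = /usr/local/bin/fixperms, /bin/systemctl restart httpd
%webadmins ALL=(root) WEBOPS
EOF
}

# Install a rule file under /etc/sudoers.d, but only after visudo has
# accepted its syntax: a broken sudoers file locks every sudo user out, so
# never write to /etc/sudoers or /etc/sudoers.d directly. sudo ignores files
# there whose name contains a dot or ends in "~", and expects each file to
# be owned by root with mode 0440.
install_rule() {
    name=$1
    case "$name" in
        *.*|*~) echo "bad file name for sudoers.d: $name" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    scoped_rule > "$tmp"
    visudo -cf "$tmp"                      # syntax check; aborts the script on error
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

# Usage:  sudo sh sudorule.sh install [filename]      (default: webadmins)
#         sh sudorule.sh show
case "${1:-}" in
    install) install_rule "${2:-webadmins}" ;;
    show)    scoped_rule ;;
esac
```

Granting a command is only as narrow as the command itself: a rule that allows an editor, a pager or any program with a shell escape hands out a root shell in practice, so for editing files as root use sudoedit rather than allowing vi or emacs through sudo.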
The command below spawns an interactive shell in which you have the same privileges as the Unix superuser (root):
$ sudo -i bash
[sudo] password for myuser:
#
(sudo -i on its own already starts root's login shell.) This is practical if you need to perform a sequence of operations requiring superuser privileges, but exit the shell as soon as you are done: everything you type in it runs as root.
The su command allows a user to become another user. The following sequence of commands demonstrates how it may be used:
$ su
Password:
# chmod a+w *
# exit
$ su username
Password:
$ (work as username, then press Ctrl+d)
$
The first example of the su command defaults to becoming the superuser (root); when prompted for a password, give the superuser password. In the second example, replace username with the username of the user you would like to run the commands as, and give that user's password (only root may switch to another user without it). If the command succeeds, the user will be logged in as the other user until he or she presses Ctrl+d or types exit at the command prompt. Note that su alone keeps your own environment; su - (with a dash) starts a login shell with the other user's environment.
Allowing users to use the su command creates security hazards and requires more administrative maintenance than the sudo command. It is not good practice to have numerous people knowing and using the superuser password, because when logged in as the superuser they can do anything to the system. This gives too much power to inexperienced users, who could unintentionally damage the system. Additionally, each time a user should no longer use the superuser account (for example, when an employee leaves), the system administrator will have to change the root password, whereas with sudo it is enough to remove that user's entry.
In general, using sudo is considered safer than changing the user id with the su command. It is possible to disable su, forcing users to rely on sudo to gain administrative rights.
Sometimes (in particular when writing tutorials like this one) you want to capture the output from a CLI session. You do this with the command script. This command forks a sub-shell that by default records the terminal session to a file named typescript. To stop recording, you exit this sub-shell with the exit command (or Ctrl+d).
Here is an example of a session where we record a terminal session. After we've terminated the recording shell, we display the recorded session with the command cat typescript:
$ script
Script started, file is typescript.
$ pwd
/home/myusername
$ exit
exit
Script done, file is typescript
$ cat typescript
Script started on Sat Mar 16 2013 10:36:03 AM CET
$ pwd
/home/myusername
$ exit
exit

Script done on Sat Mar 16 2013 10:36:05 AM CET
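Because script records the raw byte stream of the terminal, a typescript file contains carriage returns and ANSI colour and cursor escape sequences that do not belong in a text document, and it contains everything that was displayed during the session, including any key, token or password a program echoed back. The following filter is an added example for this chapter (not a command from the original text): it cleans a typescript for pasting into a tutorial and lists lines that deserve a look before the file is shared. The keyword list in the review helper is an assumption to extend as needed.

```shell
#!/bin/sh
# Added example, not from the original chapter: clean a typescript file so
# it can be pasted into a tutorial, and list lines that may hold secrets.
set -eu

esc=$(printf '\033')
cr=$(printf '\r')

# Filter: stdin -> stdout. Removes CSI escape sequences (ESC [ ... letter,
# e.g. colour codes), carriage returns, and the "Script started/done"
# banner lines that script adds at the top and bottom of the file.
# Backspaces from editing a command line are left in place; re-record the
# session rather than trying to repair those.
clean_typescript() {
    sed -e "s/${esc}\[[0-9;?]*[A-Za-z]//g" \
        -e "s/${cr}//g" \
        -e '/^Script started on /d' \
        -e '/^Script done on /d'
}

# Review helper: print lines that look like they contain a secret. Exit
# status 0 means nothing suspicious was found; 1 means look at the output
# before sharing the file. The keyword list is an assumption; extend it.
secrets_in_typescript() {
    ! clean_typescript | grep -Ei 'password|passwd|secret|token|BEGIN [A-Z ]*PRIVATE KEY'
}

# Usage:  sh cleanscript.sh clean  [typescript] > session.txt
#         sh cleanscript.sh review [typescript]
case "${1:-}" in
    clean)  clean_typescript     < "${2:-typescript}" ;;
    review) secrets_in_typescript < "${2:-typescript}" ;;
esac
```

Passwords typed at a prompt are not echoed and so do not end up in the file, but anything printed on screen does, which is why the review step runs on the cleaned text rather than relying on memory of what the session showed.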
In this chapter, a few very basic shell commands have been used without much explanation. These are listed below. All of them will be described in more detail in the remaining chapters of this ebook.
chmod: change file mode bits (i.e. the access permissions)
pwd: print working directory
exit: exit from a (sub-)shell
cat: concatenate files and print them (here used to display a single file)