Permissions · Users & Groups · Processes · Packages · systemd · Containers
Domain 2 covers day-to-day Linux administration: controlling who can access what (permissions), managing users and groups, controlling processes and scheduling, installing software, managing system services with systemd, and running containers.
Every file has an owner (user), a group, and permissions for owner/group/others (rwx). The 9-bit permission string plus special bits (SUID, SGID, sticky) controls all file access. ACLs extend this model for fine-grained control beyond owner/group/others.
Users are defined in /etc/passwd (username:x:UID:GID:comment:home:shell). Password hashes live in /etc/shadow (readable only by root). Groups are in /etc/group. UID 0 = root, UIDs 1 to 999 = system accounts, UID 1000+ = regular users (the boundary is UID_MIN in /etc/login.defs). Every user has a primary group and can belong to supplementary groups.
systemd manages services (daemons), timers (cron replacement), mount points, and targets. Services are defined in unit files. systemctl is the primary management command. journald collects and stores logs from all units.
Domain 2 explicitly includes containers (Docker/Podman). RBTs must understand container runtimes, managing images (pull, build, tag), running containers, volumes for persistence, and container networking. Podman is rootless by default, a key security advantage: a container escape lands in an unprivileged user namespace rather than as root.
| Symbol / mode | Octal | Meaning |
|---|---|---|
| r | 4 | Read (files: read content; dirs: list contents) |
| w | 2 | Write (files: modify; dirs: create/delete/rename entries) |
| x | 1 | Execute (files: run; dirs: enter/cd into and access entries by name) |
| rw-r--r-- | 644 | Owner read/write; group+others read only |
| rwxr-xr-x | 755 | Owner full; group+others read+execute |
| rwx------ | 700 | Owner full; no access for group/others |
Symbolic: chmod u+x file (add execute for user), chmod go-w file (remove write for group+others), chmod a=r file (set all to read only). Octal: chmod 755 file, chmod 644 file. Recursive: chmod -R 755 /dir/ marks every file executable; chmod -R u+rwX,go+rX /dir/ (capital X) adds execute only to directories and to files that are already executable. u=user/owner, g=group, o=others, a=all.
chown user file (change owner). chown user:group file (change owner and group). chown :group file (change group only, same as chgrp). chown -R user:group /dir/ (recursive). chgrp group file (change group). Only root can give a file to another user; an unprivileged owner can only change the group to one they are a member of.
Default permission mask applied when files and directories are created. File base: 666 (files never receive execute from the base), dir base: 777. The mask clears bits: mode = base & ~umask. umask 022 → files 644, dirs 755. umask 027 → files 640, dirs 750. umask 077 → files 600, dirs 700. Digit-wise subtraction happens to give the same answer for these common masks but is not the real rule (umask 133 yields 644, not 533). Check: umask. Set for the session: umask 027. Persistent: ~/.bashrc, /etc/profile, or UMASK in /etc/login.defs.
SUID on an executable: the process runs with the file owner's effective UID, not the runner's. Example: /usr/bin/passwd is SUID root → an ordinary user can update their own entry in root-owned /etc/shadow. Set: chmod u+s file or chmod 4755 file. Display: ls -l shows s in the owner execute position (-rwsr-xr-x); a capital S means the SUID bit is set without an execute bit (useless, and worth a second look). Inventory SUID binaries with find / -perm -4000 -type f.
SGID on an executable: runs with the file's group as effective GID. On a directory: new files and subdirectories created inside inherit the directory's group instead of the creator's primary group (useful for shared project dirs, usually paired with a group-writable umask such as 002). Set: chmod g+s dir or chmod 2755 dir. Display: s in the group execute position (-rwxr-sr-x); capital S if group execute is missing.
Sticky bit on a directory: a file inside can be deleted or renamed only by its owner, the directory's owner, or root, even though everyone has write permission on the directory. Classic example: /tmp (drwxrwxrwt, mode 1777 → everyone writes but nobody removes others' files). Set: chmod +t dir or chmod 1777 dir. Display: t in the others execute position; capital T if others lack execute. On Linux the sticky bit has no effect on regular files.
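As an added example (not part of the original page), the permission arithmetic above in plain bash: mode_to_octal parses an ls -l mode string, including s/S/t/T, into the four-digit octal form; apply_umask computes a creation mode by clearing bits rather than subtracting; and audit_ls_line flags SUID/SGID binaries, world-writable entries without the sticky bit, and ACL-bearing entries. The function names are mine, and the ls -l lines at the bottom are constructed sample data, not output from a real host.

```shell
#!/usr/bin/env bash
# Permission-bit arithmetic for the mode strings and umask values described above.
# Pure bash, no filesystem access; the ls -l lines at the bottom are constructed samples.

# mode_to_octal MODE -> 4-digit octal, special bits first: rwsr-xr-x -> 4755, rw-r--r-- -> 0644.
# Accepts the 9-char form or the 10-char ls -l form (leading type char, optional trailing + or .).
mode_to_octal() {
  local m=$1 special=0 perm=0 i c bit
  m=${m%[+.]}                          # drop the ACL (+) / SELinux (.) marker
  [ ${#m} -eq 10 ] && m=${m:1}         # drop the file-type column (-, d, l, ...)
  [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
  for ((i = 0; i < 9; i++)); do
    c=${m:i:1}
    bit=$(( 1 << (8 - i) ))            # owner r = 0400 ... others x = 0001
    case $c in
      r|w|x) perm=$(( perm | bit )) ;;
      s) perm=$(( perm | bit )); special=$(( special | (i == 2 ? 4 : 2) )) ;;  # SUID (owner x) / SGID (group x)
      S) special=$(( special | (i == 2 ? 4 : 2) )) ;;                          # same, but execute bit absent
      t) perm=$(( perm | bit )); special=$(( special | 1 )) ;;                 # sticky (others x)
      T) special=$(( special | 1 )) ;;
      -) ;;
      *) echo "bad mode char '$c' in $1" >&2; return 1 ;;
    esac
  done
  printf '%d%03o\n' "$special" "$perm"
}

# apply_umask UMASK [dir] -> mode a new file (base 666) or directory (base 777) gets.
# The mask CLEARS bits (base & ~umask); digit-wise subtraction only happens to agree for
# masks like 022 or 077. umask 133 gives 644, not 533.
apply_umask() {
  local base=0666
  [ "${2:-}" = dir ] && base=0777
  printf '%03o\n' $(( base & ~(8#$1) ))
}

# audit_ls_line "<ls -l line>" -> prints a finding for SUID/SGID binaries, world-writable entries
# without the sticky bit, and ACL-bearing entries. Returns 0 if something was flagged, 1 if clean.
audit_ls_line() {
  local mode owner group name octal special perm flagged=1
  read -r mode _ owner group _ _ _ _ name <<< "$1"   # mode links owner group size mon day time name
  octal=$(mode_to_octal "$mode") || return 1
  special=${octal:0:1}; perm=${octal:1}
  if (( special & 4 )); then echo "SUID $mode $name (runs as $owner)"; flagged=0; fi
  if (( special & 2 )) && [[ $mode != d* ]]; then echo "SGID $mode $name (runs as group $group)"; flagged=0; fi
  if (( 8#$perm & 2 )) && ! (( special & 1 )); then echo "WORLD-WRITABLE $mode $name (no sticky bit)"; flagged=0; fi
  if [[ $mode == *+ ]]; then echo "ACL $mode $name (run getfacl; the ls group column shows the mask)"; flagged=0; fi
  return $flagged
}

# Constructed sample of ls -l output (not from a real host).
SAMPLE_LS='-rwsr-xr-x 1 root root 68208 Feb  6  2024 /usr/bin/passwd
drwxrwxrwt 20 root root 4096 Mar  1 10:00 /tmp
-rw-rw-rw- 1 bob  bob    12 Mar  1 10:00 /srv/app/config.ini
-rw-rw-r--+ 1 alice devs 880 Mar  1 10:00 /srv/app/shared.txt
-rw-r--r-- 1 root root 1024 Mar  1 10:00 /etc/hosts'

# audit_sample -> prints findings for SAMPLE_LS, then a one-line summary
audit_sample() {
  local line n=0
  while IFS= read -r line; do
    audit_ls_line "$line" && n=$((n + 1))
  done <<< "$SAMPLE_LS"
  echo "flagged $n of 5 entries"
  return 0
}
audit_sample
```

On a real host, feed it `ls -l` output (or `find / -perm -4000 -type f -exec ls -l {} +` for a SUID sweep); /tmp is correctly left alone because its world-write bit is paired with the sticky bit.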
Extend the basic owner/group/others model. Grant specific permissions to individual users or groups beyond the standard three. Filesystem must be mounted with acl option (default on most modern systems).
setfacl -m u:alice:rw file → grant alice read+write. setfacl -m g:devs:rx file → grant devs group read+execute. setfacl -x u:alice file → remove alice's ACL entry. setfacl -b file → remove all ACLs. getfacl file → display ACLs. Files with ACLs show + in ls -l output (-rw-rw-r--+); once an ACL exists, the group column of ls -l shows the ACL mask (the upper bound for all named entries), not the owning group's entry, so read getfacl before trusting it.
ln source hardlink → creates another directory entry pointing to the SAME inode. Same file, multiple names. Changes to either affect both (they ARE the same data). Cannot cross filesystems. Cannot link directories. If the original is deleted, the hardlink still works (data is not freed until the last link is gone). Check: ls -li (same inode number; the link count is the second column of ls -l).
ln -s target linkname → creates a pointer to the target path. Can cross filesystems, can link directories. If the target is deleted, the link is broken (dangling symlink). ls -l shows type l and -> target; the lrwxrwxrwx shown on the link itself is ignored, the target's permissions apply. Common: /etc/alternatives/, system library versioning.
useradd -m -s /bin/bash -G sudo alice → create user alice with a home dir (-m), bash shell, and supplementary group sudo (the admin group is wheel on RHEL/Fedora). usermod -aG docker alice → add alice to the docker group (-a to append; without it, -G replaces all supplementary groups). userdel -r alice → delete alice and remove the home dir. passwd alice → set password. chage -l alice → show password aging info.
/etc/passwd → username:x:UID:GID:comment:home:shell (colon-separated, 7 fields). /etc/shadow → username:hashed_password:last_change:min:max:warn:inactive:expire (an empty hash field means login with no password; ! or * means locked). /etc/group → groupname:x:GID:member_list. /etc/gshadow → group passwords. Never edit directly: use vipw (passwd), vipw -s (shadow), vigr (group), vigr -s (gshadow), which lock the files and check syntax.
/etc/sudoers → edit ONLY with visudo (validates syntax before saving; a broken sudoers locks everyone out of sudo). Format: alice ALL=(ALL:ALL) ALL → alice can run any command as any user on any host. %wheel ALL=(ALL) NOPASSWD: ALL → wheel group, no password. Drop-in files are included from /etc/sudoers.d/ (edit with visudo -f /etc/sudoers.d/file). sudo -l → list the invoking user's sudo permissions; as root, sudo -l -U alice shows alice's.
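As an added example (not from the original page), a bash account-hygiene check over the three file formats above: extra UID 0 accounts in passwd, empty or weakly hashed password fields in shadow, and sudoers rules that grant passwordless or unrestricted root. All inputs are constructed samples embedded inline (the fake hashes and the toor account are invented for the demo); on a real host you would run it as root over the actual files.

```shell
#!/usr/bin/env bash
# Account-hygiene checks over the passwd / shadow / sudoers formats described above.
# Every input is a constructed sample embedded inline (not a real host's files), so it runs unprivileged.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
svc-web:x:998:998:web service:/var/www:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

SHADOW_SAMPLE='root:$6$saltsalt$notarealhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$y$j9T$saltsalt$notarealhash:19800:0:99999:7:::
toor::19800:0:99999:7:::
svc-web:!:19800:0:99999:7:::
bob:$1$saltsalt$notarealhash:19800:0:99999:7:::'

SUDOERS_SAMPLE='# constructed sudoers content
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
alice   ALL=(ALL:ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
@includedir /etc/sudoers.d'

# uid0_accounts PASSWD_TEXT -> names of accounts with UID 0 other than root (one per line)
uid0_accounts() {
  local user pw uid rest
  while IFS=: read -r user pw uid rest; do       # name:x:UID:GID:comment:home:shell
    [ "$uid" = 0 ] && [ "$user" != root ] && echo "$user"
  done <<< "$1"
  return 0
}

# shadow_findings SHADOW_TEXT -> "user: reason" for empty or weakly hashed password fields
shadow_findings() {
  local user hash rest
  while IFS=: read -r user hash rest; do         # name:hash:lastchange:min:max:warn:inactive:expire:
    case $hash in
      '')                          echo "$user: EMPTY password field (logs in with no password)" ;;
      '!'*|'*')                    ;;            # locked / no password: normal for system accounts
      '$6$'*|'$5$'*|'$y$'*|'$7$'*) ;;            # sha512crypt, sha256crypt, yescrypt, scrypt
      '$1$'*)                      echo "$user: MD5-crypt hash, force a password change" ;;
      *)                           echo "$user: unrecognised hash prefix '${hash:0:3}' (legacy DES?)" ;;
    esac
  done <<< "$1"
  return 0
}

# sudoers_findings SUDOERS_TEXT -> rules granting passwordless or unrestricted root (root's own rule ignored)
sudoers_findings() {
  local line who cmd skip='^[[:space:]]*(#|$|Defaults|@include)'
  while IFS= read -r line; do
    [[ $line =~ $skip ]] && continue
    who=${line%%[[:space:]]*}
    [ "$who" = root ] && continue
    if [[ $line == *\)* ]]; then cmd=${line##*)}; else cmd=${line##*=}; fi   # text after (runas) or host=
    cmd=${cmd##*:}                                  # drop tags such as NOPASSWD: / SETENV:
    cmd=${cmd#"${cmd%%[![:space:]]*}"}; cmd=${cmd%"${cmd##*[![:space:]]}"}   # trim whitespace
    if [[ $line == *NOPASSWD:* && $cmd == ALL ]]; then
      echo "$who: NOPASSWD ALL (passwordless unrestricted root)"
    elif [[ $line == *NOPASSWD:* ]]; then
      echo "$who: NOPASSWD $cmd (passwordless; verify the command cannot spawn a shell or edit files)"
    elif [[ $cmd == ALL ]]; then
      echo "$who: ALL (unrestricted root, password required)"
    fi
  done <<< "$1"
  return 0
}

audit_accounts() {                                 # run everything over the samples
  echo "== extra UID 0 accounts =="; uid0_accounts "$PASSWD_SAMPLE"
  echo "== shadow =="; shadow_findings "$SHADOW_SAMPLE"
  echo "== sudoers =="; sudoers_findings "$SUDOERS_SAMPLE"
}
audit_accounts
```

The sudoers parser is deliberately minimal (no aliases, no line continuations); for the authoritative view of what a given account can do, `sudo -l -U user` is still the tool to trust.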
ps aux → all processes (USER, PID, %CPU, %MEM, STAT, CMD). ps -ef → full format. top → interactive real-time (press k to kill, r to renice, q to quit). htop → enhanced top. Process states: R (running), S (sleeping), D (uninterruptible sleep, usually I/O; cannot be killed until it returns), I (idle kernel thread), Z (zombie: already dead, waiting for its parent to reap it; killing it does nothing), T (stopped).
kill PID → send SIGTERM (15, graceful shutdown; the process may catch it and clean up). kill -9 PID → SIGKILL (force kill; cannot be caught, blocked, or ignored, so no cleanup runs). Try TERM first and fall back to KILL. kill -HUP PID → SIGHUP (many daemons reload config). killall process_name → kill by name. pkill -u alice → kill all processes owned by alice. Signals: 1=HUP, 2=INT, 9=KILL, 15=TERM, 18=CONT, 19=STOP (kill -l lists them).
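The TERM-then-KILL pattern above (the same escalation systemd performs at TimeoutStopSec), as an added bash example that is not from the original page. stop_gracefully sends SIGTERM, waits, and only then sends SIGKILL; liveness is read from /proc so a zombie that has not yet been reaped counts as dead, and a TERM-ignoring process is simulated with trap "" TERM. Function names and timeouts are my choices; it is Linux-only because of /proc.

```shell
#!/usr/bin/env bash
# Graceful-then-forced shutdown: SIGTERM, wait for the process to exit, then SIGKILL.
# Linux only: liveness is read from /proc so an unreaped zombie counts as dead.

# alive PID -> 0 if the process exists and is not a zombie
alive() {
  local stat
  stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
  stat=${stat##*) }                 # skip "pid (comm) " so the next word is the state letter
  [ "${stat%% *}" != Z ]
}

# wait_gone PID TENTHS -> 0 once the process is gone, 1 if still alive after TENTHS * 0.1 s
wait_gone() {
  local i
  for ((i = 0; i < $2; i++)); do
    alive "$1" || return 0
    sleep 0.1
  done
  ! alive "$1"
}

# stop_gracefully PID [TIMEOUT_SECONDS] -> prints TERM (clean exit) or KILL (had to be forced).
# Returns 1 if no such process, 2 if it survived SIGKILL (e.g. stuck in D state).
stop_gracefully() {
  local pid=$1 timeout=${2:-5}
  alive "$pid" || { echo "no such process: $pid" >&2; return 1; }
  kill -TERM "$pid" 2>/dev/null || true
  if wait_gone "$pid" $(( timeout * 10 )); then echo TERM; return 0; fi
  kill -KILL "$pid" 2>/dev/null || true     # cannot be caught, blocked or ignored
  if wait_gone "$pid" 20; then echo KILL; return 0; fi
  echo "still running after SIGKILL: $pid" >&2
  return 2
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  sleep 30 >/dev/null 2>&1 & p_nice=$!
  # Ignores SIGTERM (SIG_IGN survives exec), like a wedged daemon; only SIGKILL works.
  bash -c 'trap "" TERM; exec sleep 30' >/dev/null 2>&1 & p_stubborn=$!
  echo "plain sleep ($p_nice): $(stop_gracefully "$p_nice" 2)"
  echo "TERM-ignoring sleep ($p_stubborn): $(stop_gracefully "$p_stubborn" 1)"
fi
```

A process that is still there after SIGKILL is not ignoring the signal (that is impossible); it is blocked in the kernel, typically on I/O (state D), and will die as soon as that call returns.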
CPU scheduling priority (niceness). Range -20 (highest priority) to +19 (lowest). Default is 0. nice -n 10 command → start with niceness 10. renice -n 5 -p PID → change a running process's niceness. Only root can set negative (higher priority) values or lower the niceness of a running process. View in the NI column of ps -l / top.
cron → recurring jobs. crontab -e → edit the user crontab. Format: MIN HOUR DOM MON DOW COMMAND (e.g., 0 2 * * 0 /backup.sh = 2AM every Sunday; DOW 0 and 7 both mean Sunday). Fields accept lists (1,15), ranges (1-5) and steps (*/15); when both DOM and DOW are restricted, the job runs when either matches. System crontabs (/etc/crontab, /etc/cron.d/) have an extra USER field before COMMAND. at → one-time future job (e.g. echo /backup.sh | at 02:00 tomorrow). atq → list pending at jobs. atrm JOB_ID → remove an at job. systemd timers increasingly replace cron.
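An added bash example (not from the original page) that evaluates the five-field crontab format above against a given time, including the step, list and range syntax and the DOM/DOW either-matches rule, so a schedule can be checked before it is installed. It handles numeric fields only (no mon/sun names); the function names are mine.

```shell
#!/usr/bin/env bash
# Checks whether a 5-field crontab schedule fires at a given minute/hour/day/month/weekday, following
# vixie-cron rules: "*", lists, ranges, "/step", weekday 0 and 7 both Sunday, and the rule that a
# schedule restricting BOTH day-of-month and day-of-week fires when either one matches.
# Numeric fields only (no "mon"/"sun" names). Pure bash.

# field_matches FIELD VALUE MIN MAX -> 0 if VALUE is covered by FIELD ("*/15", "1-5", "1,15", "*", "5/10")
field_matches() {
  local field=$1 value=$((10#$2)) min=$3 max=$4 part lo hi step has_step parts
  IFS=, read -ra parts <<< "$field"               # read, not word-splitting: "*" must not glob
  for part in "${parts[@]}"; do
    step=1 has_step=0
    if [[ $part == */* ]]; then step=${part#*/}; part=${part%%/*}; has_step=1; fi
    if [[ $part == '*' ]]; then lo=$min; hi=$max
    elif [[ $part == *-* ]]; then lo=${part%-*}; hi=${part#*-}
    elif (( has_step )); then lo=$part; hi=$max      # "5/10" means 5-MAX/10
    else lo=$part; hi=$part
    fi
    lo=$((10#$lo)); hi=$((10#$hi)); step=$((10#$step))   # 10# so "09" from date(1) is not read as octal
    if (( value >= lo && value <= hi && (value - lo) % step == 0 )); then return 0; fi
  done
  return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW -> 0 if the schedule fires at that time
cron_matches() {
  local f_min f_hour f_dom f_mon f_dow
  read -r f_min f_hour f_dom f_mon f_dow _ <<< "$1"
  local m=$2 h=$3 dom=$4 mon=$5 dow=$((10#$6)) dom_ok=1 dow_ok=1
  (( dow == 7 )) && dow=0                           # 0 and 7 are both Sunday
  field_matches "$f_min"  "$m"   0 59 || return 1
  field_matches "$f_hour" "$h"   0 23 || return 1
  field_matches "$f_mon"  "$mon" 1 12 || return 1
  field_matches "$f_dom"  "$dom" 1 31 && dom_ok=0
  if field_matches "$f_dow" "$dow" 0 7; then dow_ok=0
  elif (( dow == 0 )) && field_matches "$f_dow" 7 0 7; then dow_ok=0; fi
  if [[ $f_dom != '*' && $f_dow != '*' ]]; then
    (( dom_ok == 0 || dow_ok == 0 ))               # both restricted: either may match
  else
    (( dom_ok == 0 && dow_ok == 0 ))
  fi
}

# fires_now SCHEDULE -> 0 if SCHEDULE fires this minute; date(1) output has leading zeros, handled above
fires_now() { cron_matches "$1" $(date '+%M %H %d %m %w'); }

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  for s in "0 2 * * 0" "*/15 * * * *" "0 9 1 * *"; do
    if fires_now "$s"; then echo "fires now:  $s"; else echo "not now:    $s"; fi
  done
fi
```

The either-matches rule is the one that bites in practice: "0 0 13 * 5" runs on the 13th of every month AND on every Friday, not only on Friday the 13th.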
| Feature | Debian/Ubuntu (apt/dpkg) | RHEL/Fedora (dnf/rpm) |
|---|---|---|
| Install | apt install pkg | dnf install pkg |
| Remove | apt remove pkg | dnf remove pkg |
| Update all | apt update && apt upgrade (refresh metadata, then upgrade) | dnf upgrade (dnf update is an alias) |
| Search | apt search pkg | dnf search pkg |
| List installed | dpkg -l | rpm -qa (or dnf list installed) |
| File in package | dpkg -L pkg | rpm -ql pkg |
| Package of file | dpkg -S /path/file | rpm -qf /path/file |
| Repo config | /etc/apt/sources.list.d/ | /etc/yum.repos.d/ |
systemctl start/stop/restart/reload service → control a service. systemctl enable/disable service → start at boot (or not). systemctl status service → show status + recent logs. systemctl is-active/is-enabled service → check state. systemctl daemon-reload → reload unit files after editing. systemctl list-units --type=service → list all services.
Located in /etc/systemd/system/ (custom units and admin overrides, highest precedence) or /usr/lib/systemd/system/ (package-installed; /lib/systemd/system/ is the same directory on merged-/usr systems). Never edit the packaged file: systemctl edit myservice creates a drop-in override in /etc/systemd/system/myservice.service.d/. Sections: [Unit] (Description, After, Requires), [Service] (Type, ExecStart, Restart, User), [Install] (WantedBy=multi-user.target). After creating: systemctl daemon-reload then systemctl enable --now myservice.
journalctl → all logs. journalctl -u nginx → logs for the nginx unit. journalctl -f → follow (like tail -f). journalctl -b → since last boot. journalctl --since "1 hour ago". journalctl -p err → error priority and above. journalctl --disk-usage → log storage used. Logs are stored in /var/log/journal/ (persistent) or /run/log/journal/ in memory (volatile, lost at reboot).
Cron replacement. Two files: .timer (schedule) + .service (what to run; both share the base name unless Unit= says otherwise). OnCalendar=*-*-* 02:00:00 (daily at 2AM). OnBootSec=5min (5 min after boot). Enable the timer, not the service: systemctl enable --now mytask.timer. List timers: systemctl list-timers. Advantages over cron: logging via journald, dependency management, per-unit sandboxing (User=, ProtectSystem=), and catch-up on runs missed while the machine was off when Persistent=true is set in [Timer].
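As an added example that is not from the original page, a bash script that writes the service/timer pair described above (a hardened, timer-driven nightly backup) into a directory you choose, then runs a small structural lint over the result. The unit contents, the backup user and script path, and the lint_unit checks are illustrative assumptions of mine; write_units defaults to a temporary directory so it runs unprivileged.

```shell
#!/usr/bin/env bash
# Writes a timer-driven service unit pair into a directory and runs a minimal structural lint.
# Pass a temp dir to try it unprivileged; installing for real means copying the files into
# /etc/systemd/system, then: systemctl daemon-reload && systemctl enable --now backup.timer

write_units() {                     # write_units DIR
  cat > "$1/backup.service" <<'EOF'
[Unit]
Description=Nightly backup (example)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=backup
Group=backup
ExecStart=/usr/local/bin/backup.sh
# Hardening: no privilege escalation, read-only /usr /boot /etc, private /tmp
NoNewPrivileges=yes
ProtectSystem=full
PrivateTmp=yes
# No [Install] section on purpose: the timer activates this unit, nothing should enable the service itself
EOF
  cat > "$1/backup.timer" <<'EOF'
[Unit]
Description=Run backup.service nightly at 02:00

[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true
Unit=backup.service

[Install]
WantedBy=timers.target
EOF
}

# lint_unit FILE -> 0 if the unit has the sections and keys it needs; prints problems and returns 1 otherwise
lint_unit() {
  local f=$1 section="" line key problems=0
  local has_unit=0 has_install=0 has_exec=0 has_user=0 has_sched=0
  while IFS= read -r line || [ -n "$line" ]; do
    [[ $line == \#* || $line == \;* || -z ${line//[[:space:]]/} ]] && continue   # comments, blanks
    if [[ $line == \[*\] ]]; then
      section=${line:1:${#line}-2}
      case $section in Unit) has_unit=1 ;; Install) has_install=1 ;; esac
      continue
    fi
    key=${line%%=*}
    case "$section/$key" in
      Service/ExecStart) has_exec=1 ;;
      Service/User)      has_user=1 ;;
      Timer/OnCalendar|Timer/OnBootSec|Timer/OnStartupSec|Timer/OnActiveSec|Timer/OnUnitActiveSec|Timer/OnUnitInactiveSec) has_sched=1 ;;
    esac
  done < "$f"
  (( has_unit )) || { echo "$f: missing [Unit]"; problems=1; }
  case $f in
    *.service)
      (( has_exec )) || { echo "$f: [Service] needs ExecStart="; problems=1; }
      (( has_user )) || echo "$f: note: no User=, the service will run as root"
      ;;
    *.timer)
      (( has_sched ))   || { echo "$f: [Timer] needs OnCalendar= or an On*Sec= key"; problems=1; }
      (( has_install )) || { echo "$f: [Install] WantedBy=timers.target is needed for systemctl enable"; problems=1; }
      ;;
  esac
  return $problems
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  dir=${1:-$(mktemp -d)}
  write_units "$dir"
  lint_unit "$dir/backup.service" && lint_unit "$dir/backup.timer" && echo "units in $dir look sane"
fi
```

The lint only catches structural mistakes; on a systemd host, `systemd-analyze verify /path/backup.timer` is the authoritative check, and `systemd-analyze calendar '*-*-* 02:00:00'` shows when an OnCalendar expression will next fire.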
Docker: daemon-based (dockerd runs as root by default; a rootless mode exists but is opt-in), docker CLI, widely used. Podman: daemonless, rootless by default (containers run as the invoking user inside a user namespace), Docker-compatible CLI, preferred on RHEL/Fedora. Commands are identical: docker run → podman run. Podman uses the podman command (or alias docker=podman).
docker/podman run -d --name web -p 8080:80 nginx → run detached nginx. docker/podman ps → running containers. docker/podman ps -a → all containers. docker/podman stop/start/restart CONTAINER. docker/podman rm CONTAINER → remove a stopped container. docker/podman exec -it CONTAINER bash → interactive shell in a running container.
docker/podman pull nginx:latest → download image. docker/podman images → list local images. docker/podman build -t myapp:1.0 . → build from Dockerfile. docker/podman push registry/myapp:1.0 → push to registry. docker/podman rmi IMAGE → remove image. docker/podman tag SOURCE TARGET → retag image. docker/podman inspect CONTAINER/IMAGE → detailed JSON info.
docker/podman volume create mydata → create a named volume. docker/podman run -v mydata:/data nginx → mount the volume (named volumes survive container removal). docker/podman run -v /host/path:/container/path nginx → bind mount; on SELinux hosts (RHEL/Fedora) append :Z (private label) or :z (shared) so the container is allowed to access it. docker/podman network create mynet → create network. docker/podman run --network mynet nginx → connect to network. docker/podman network ls → list networks.
Six memory hooks to lock in the most exam-critical concepts.
- useradd -m -s /bin/bash -G sudo,docker alice → creates home dir, sets bash shell, adds to groups. Always use -aG with usermod to APPEND groups (no -a = replaces!).
- start/stop = immediate effect. enable/disable = controls whether the service starts at boot. Use --now to do both: systemctl enable --now nginx.
- Podman's CLI is Docker-compatible: alias docker=podman. Podman preferred on RHEL.
- cron: MIN HOUR DOM MON DOW CMD. 0 2 * * 0 /backup.sh = 2AM every Sunday. */15 * * * * = every 15 min. 0 9 1 * * = 9AM on the 1st of every month. Use crontab -e to edit.
ACLs:
- setfacl -m u:alice:rw file → add an ACL entry for alice.
- setfacl -m g:devs:rx dir → for a group.
- getfacl file → view all ACLs.
- setfacl -x u:alice file → remove alice's entry.
- setfacl -b file → remove ALL ACLs.
Force kill: kill -9 PID or kill -KILL PID.
journalctl filters:
- -u nginx → filter by unit.
- -b → since last boot.
- -f → follow (live).
- -p err → errors and above.
- --since '1 hour ago' → time filter.
- journalctl -u nginx -b -p err → nginx errors since boot.
Podman container lifecycle:
- podman run -d --name web -p 8080:80 nginx → start detached.
- podman exec -it web bash → get a shell inside.
- podman logs web → view stdout/stderr.
- podman stop web → graceful stop.
- podman rm web → remove a stopped container.
- podman run --rm → auto-remove when stopped.
Choose the guidance that matches your current level.
Start with octal permissions (r=4, w=2, x=1; 755=owner all/others r+x, 644=owner rw/others r). Learn the three special bits (SUID=run as owner, SGID on dir=inherit group, sticky=own files only). Then practice useradd/usermod/userdel basics.
Study the cron format (MIN HOUR DOM MON DOW), systemctl (start/stop vs enable/disable), journalctl filters (-u, -b, -f, -p), and package management differences (apt vs dnf, dpkg -L vs rpm -ql).
Master ACLs (setfacl/getfacl), the -aG trap with usermod, systemd unit file structure (all three sections), timer units vs cron, and container volume management (named volumes vs bind mounts). Understand Podman rootless security advantage.
High-yield: sticky bit=/tmp, SUID=/usr/bin/passwd, SGID on dir=inherit group, umask 022→644/755, -aG=append groups, kill -9=force, kill -HUP=reload, daemon-reload after unit file edit, journalctl -u -b, Podman=rootless/daemonless.
rwx=421; 755=rwxr-xr-x; SUID=run as owner; SGID dir=inherit group; sticky=/tmp; umask 022→644/755; useradd -m -s -G; usermod -aG (not -G!); kill 9=force/15=graceful/HUP=reload; cron=MIN HOUR DOM MON DOW; systemctl enable --now; journalctl -u -b; Podman=rootless.