Okay, 7:30 now, here in Brazil, of course, so it's very early in the morning. My name is Cesar Brode and I am the Community Engagement Director for the Portuguese and Spanish-Speaking Regions for the Linux Professional Institute. Here with me in the event, Evan Libovic, Hernan Pashas and Juan Ibarra are participating. I know that it's being streamed to YouTube, I believe, or somewhere else, so if you guys do have some questions, please feel free to ask in the chat room and I'm sure that the messages will be forwarded to me at some point in time.

Well, security is something that is so important for those who work with Linux that actually, since you start your certification path with the Linux Professional Institute, you have to deal with security. I will share my screen right now. What I will show you is the main page for our educational material, which is in learning.lpi.org. So I believe you are seeing my screen right now. If you go to learning materials, go to LPI learning materials, you see that we already have here the materials for Linux Essentials and for LPIC-1. The first exam for our, the first exam, actually LPIC-1 is two exams for the Linux System Administrator. But let's go to Linux Essentials in here. And what we are going to be talking about in this presentation is the basics, the security basics for those who start working with Linux. I'll try to be brief. I'll try to be clear. But of course, if you do need more information, you will find it here in learning.lpi.org. And you see, topic five is exactly about security and file permissions. In this topic, you see several, several things such as the need to have a good password, also how to secure your files.

And a lot of people, they ask us, so you guys that work with Linux, why are you so into the black screen? Well, there are several reasons for that. But if you think about it, the graphic part of an operating system, of a system itself, is something that's quite heavy in terms of computing power.
So why, for instance, if you have a vacuum cleaner, such as a Roomba or other vacuum cleaners that you have today, pretty much all of them run Linux. So why should you have a graphical interface for those machines? Also the Linux that you have running in your car, but also if you consider the satellites that are around the globe, the Starlink satellites, for instance, that are providing the internet, those all run Linux and you do not have a graphic interface into that. So when you work with system administration, for sure you will need to work in a terminal.

So what I'm going to do right now, I'm going to open my terminal and I'm going to show you some of the things that are covered in the Linux Essentials exams that are actually related to security. So, that said, let me share my screen again. There you go. There you have my black screen. I hope you can see it. So I'll just clear my screen with the clear command, and everything that you have in a Unix or a Linux system that relates to configuration is under the /etc folder. So the /etc folder is one of the main folders in the Linux operating system. And inside the /etc folder, there is a file that has to do with user configuration. So let's take a look at that.

I believe all of you here already know a little bit about Linux, but anyway, cat, it does not come from the animal cat, it also comes from concatenate. So cat is concatenate to the standard output, which is my screen, the contents of the file password. /etc/password. It's a big file, so I'll just pipe it to more. Oops. Of course. It's P-A-S-S-W-D, not password, and let's pipe it to more. I'm sorry, probably because I'm a little bit starting right now here in Brazil. I haven't had my coffee yet, so I'm a little bit sleepy. So here you have all of the users in your system. You see the user that shows in the first line is the root user. The root user is the super user, the one that can do everything in the system.
But let's take a look a little bit more at the other things here in this line of the /etc/passwd file. What it looks here in the second column means that the password for the root user is stored in another file called /etc/shadow, and we'll take a quick look at that. Then the root user has the user ID zero and the group ID zero. More users should not have this user ID or group ID, so you should not see this happening again here in this file. So one of the most insecure ways that you can allow people to have root access to your system is actually to put them in the group ID zero. So you should never do that. Then you have the full name of the user, the standard folder for that user, and the shell for that user. Shell is the program that we use to actually access the operating system. So we are using here the bash shell.

As you will see, there are several other users in here that do not have the ability to access the shell. Actually, it's said that the program that they access is a program that will take them out of the system right away, which is nologin. One very important user, for instance, is www-data, which is the user for the web server. So you see the user of the web server will never be able to log into the system. Let me move a little bit down. So we have my user here, which is the user Brut, the name is Cesar Brut. My user ID is 1000, my group ID is 1000, and I can access the bash shell.

Let's take a look at some other things. If I try to do cat /etc/shadow, which is the file that contains the passwords, I'm not going to be able to do that. It says permission denied. So I have to be the super user to do that. So I will use the command sudo. sudo means super user, do this thing for me now. So sudo cat /etc/shadow. And let's pipe it to more again. If you guys have some doubts, please ask me here in the chat. I'll leave my email to you in a moment. So you can also ask me after this presentation ends.
So here you see it's asking for my password now. OK, and here you go. Let's take a look at the user Brut. So here you have my encrypted password. So even if you create a very simple password, the Linux system will encrypt it for you. But you must be very careful about your password because even if it's encrypted in here, it is still like a brute force attack. Like people will try several different passwords. There are password dictionaries on the internet of the most used passwords. So still, even your password being encrypted, you make sure that it will be a password that's not going to be easy to discover in a try and guess.

Another file. Let's take a look at the group. I forgot to pipe it to more. So let's pipe it. Here you have all of the groups and you have all of the users belonging to the group. So if you take a look at adm, you see that my user is part of the administrator group. And I'm also in the sudo group. Sudo means that then I can access the system by using sudo. By asking super user to do things for me.

Another important file for you to consider is /etc/sudoers. So here you might have all the other users who will be able to use the sudo command. So the members in the group sudo are the ones that can execute that command. So here it pretty much says the ones that are in the group sudo can do everything. If a user is not in the group, you can add a line in here with the name of the user and say that he also can do everything. And you can see the ones that are in the admin group can also do all these kinds of things.

But let's take a look at another very important thing in here. Let's take a look at file permissions. So I'll go ahead and create a directory called the document foundation PDF. And now I'm going to move into this directory, this folder. Okay, I'm in there. There is another important folder in the Linux system, which is the /proc folder.
The /proc folder contains the information of the processes that are running in the system, but also information about your hardware. So here are all of the processes running in the system. You see that the first process, let's take a look at that. The first process is the one that calls other processes. So let's just take a look at that very quickly. I'll do a cat. I'll need to be sudo again, sudo cat /proc/1. No, let's do an ls. Okay, those are the files that are under /proc/1, which is the information of the first process that's running in the system. Let's take a look at the stat. So you'll see several numbers in here. Those numbers are used by other commands that will list it in a more human readable format. But from here, you can see that systemd is the program that actually is the first one running, the process that is going to call other processes in the Linux system.

Another thing that we have under /proc is cpuinfo, which brings information about your CPUs. So you see we have one line here, a line called processor, which is the first processor, the second processor. If we move on, we have the third processor, the fourth, and so on. So if I just want to know how many processors I have in my system, I can do something like cat /proc/cpuinfo, grep processor. So there you go, from 0 to 11, we have 12 processors. I will pipe it to another command, which is wc, word count. And I'll ask wc to only tell me how many lines I will have from the output of /proc/cpuinfo, grep processor: 12 lines.

So now I could create a very small program. Let's do it right now. I'll call it numproc, for number of processors. And I'll say it is a shell script. Although for those who already know Linux and Unix, the system doesn't care about extensions. The extension is for us, not for the system. Linux will actually look into what is inside the file to find out what it is.
So in the first line, I will say hashbang, which is the program that I'm going to use to run everything that is in the following lines. If I use the hash in any other line, in any other position, it's just for a comment. So this is my program. So here, we just have a comment. I will clear the screen. So here, inside this program, I can use any shell command. And I will say echo, echo will display on the screen what I'm going to say right now. This is the number of processors I have. And here, I will just execute the line. cat /proc/cpuinfo, is that correct? Let's see. Pipe grep processor, pipe wc -l. Let's see if it works. I'm going to save, I'm going to exit. Let's take a look at our command, at our shell. OK, here it is. Now let's execute. I can execute by saying dash, oops, numproc. And here it is. This is the number of processors I have, 12.

But let's take a look right now at this program that we just created, numproc.sh. Let's use the -l to give more information about this file. So here, we see that I can read, write. Other users in my group can read and write. And everyone else in the system can only read, cannot write, nor execute. So right now, I cannot do something like just call the program, execute from here, numproc; dot slash means execute from here; dot sh. It doesn't work. It says permission is denied. I need to change this into an executable. So one way of doing that is using chmod, change mode, plus x means make it executable, the program that we just created. Now, if we take a look again at the long listing of the information of this file, you see that it became green. But also now we have the x for execution for the user, for the group, user is me, for the group, the group I belong to, and for all others in the system.

One important thing, if you are working with security, you will just give the permissions that are actually needed for people who need to use that. So let's suppose that I'm just creating this program.
I don't want anyone else to see it. So I will go ahead and remove the permissions. For IM, you must think about user, group, and others. User is myself, group is the ones that belong to my group. You saw in /etc/group that I belong to the group adm and the sudo group, and also my own group. So people that belong to these groups would be able to do things if I gave them the permissions in the g. So think about the three first slide that is for user, the others, the ones in the middle, are for the group, and the ones here at the right are for others, everyone in the system. So I will say change mode for the group and for the others, minus x for this programming block. Now let's take a look. So you see now only I can execute. But I also don't want my group and the others to read and to write. So I can do that. chmod go minus write, minus read and minus write. Let's take a look at that right now. OK, so I am the only one right now who can read, write, and execute this program. No one else can do anything else.

There is another way that I can do that. If you think about for the user, myself, for the group, and for the others, you have the permissions that can be read, write, execute. Read, those are positions in the keys that you turn on and off. So here you have three keys for read, for write and execute, and they can be turned on and off. So this is for the first position, x, think of 2 to the power of 0, which is 1. For the write, it's 2 to the power of 1, which is 2. And for the read, it's 2 to the power of 2, which is 4. So it's 4, 2, 1. So if you add those numbers to the permissions, you can use chmod in another way. You can do something like, for instance, chmod 777. So I'm adding 4, 2, and 1 for the user, for the group, and for the others, numproc.sh. And if I do an ls right now, so you see, now everyone can do everything. This is something that is very interesting and administrators will use this a lot other than using something like this.
g, o, minus, r, w, because after some time, you actually get used to this binary that we represent in the octal format. And it makes life easier for you to change this. For instance, if I want to change it back to a way that I can do everything and the others cannot do anything, my group and the others, I'll just do 700. Let's take a look at that again. So there you go, exactly what we wanted. And this is something that for students, most of the time it's difficult to understand, because we are not used to the binary format of these kinds of things.

So let me just minimize that and let me show you one small thing that I created, which is the, let me write in the terminal so you'll be able to access. It's a small spreadsheet, which is located in breadtech.com, let's see age modator. The thing that will do the chmod for you. And now let me go back to the navigator. And here you go. So I recommend, if you are going to use this for yourself or to teach someone else, the first thing that you should do is go here and do a file and make a copy. So it will make a copy for you. And here you can play with the permissions for the user, for the group and for the others, read, write, execute. So here, for instance, I'm saying that myself as a user, I can do everything. So I add four and two and one, which you already know now are two to the power of zero, two to the power of one and two to the power of two. The ones in my group, they can only read and execute. And I actually am not going to allow them to read the program. I just want them to be able to execute the program. So you see, as I change the permissions in here, the number in here changes. And for the others, well, okay, the others in my system can also execute and only execute. So I have 711. So if I do chmod 711, I will have r-w-x, nothing, nothing, x, and nothing, nothing, x. So let's just try very quickly to see if it works. So chmod 711 numproc.
And now let's take a look. Exactly as I wanted. I can read, write, execute. The ones in my group can only execute. And the others in my system can only execute. Let me stop my screen sharing right now. Okay, so I'm back here with you.

These things again, they are so important for the life of a system administrator that they are covered in our most essential Linux certification, which is called Linux Essentials. It is some people that are just starting with web servers, for instance. People tend to, like if I install WordPress or something like that, people will, something doesn't work. So people go ahead and do a chmod 777 on all of the files in the folder for the pages that you are serving to the web. Now they have the permission that everybody can do everything. And this is very dangerous because if someone finds out a way to get into your system, they will do that through the files that you allow the permission to do everything they want. So never use permissions like 777.

The golden rule here if you are a system administrator: only give permissions for those who deserve the permissions, for those who know what to do. Only place those people in your system, the users in your systems, in the admin or in the sudo group if they actually need to do this kind of thing. And another important thing if you are, most of the systems now as you install, they create a user, they ask you to provide a password for that user and they will add this user to the sudo group. So that user that you create when you're installing your system will be able to ask super users to do things for them. Most modern systems, they don't even have a password for the root user. So if someone is able to get into your system as the root user doesn't have a password, it will be very difficult for them to become a root user. So that is it. This is pretty much the things that are covered in the Linux Essentials, topic five, security.
Of course, do take a look at learning.lpi.org, where you'll see more things if you are going to take this certification. But here in this half an hour, I just wanted to tell you that these are the things that you need to worry about if you are going to administer a Linux system. Thank you very much.

I do not see any questions in here, but if you do have questions, let me just switch to my terminal again. I will write my email in here. Oh, we have three minutes right now. So let me clear. I am cbroad.lpi.org. So feel free to email me. And I am also Cesar Brode on all social networks. And here with me are my friends Juan, Iba at lpi.org and Hernan Paches at lpi.org. Thank you all and thank you guys at The Document Foundation for inviting us to be here at your event. It is very good to be here with you. I'll see you soon. Bye-bye.
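
Added example, not part of the talk: a POSIX shell sketch of three checks that follow from the demonstration, namely decoding an octal mode with the 4/2/1 weights, finding files left writable by "others" after a blanket chmod 777, and spotting non-root accounts with user ID or group ID 0 in a passwd-format file. The function names, file names and the sample account backup2 are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and all sample data below are constructed.

# Translate a three-digit octal mode into rwx notation using the
# weights from the talk: read=4, write=2, execute=1.
mode_to_symbolic() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $1" >&2; return 1 ;;
    esac
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        for pair in 4:r 2:w 1:x; do
            bit=${pair%%:*}
            if [ $((digit & bit)) -ne 0 ]; then
                out="${out}${pair##*:}"
            else
                out="${out}-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# List regular files under a directory that "others" may write to,
# which is what a blanket chmod 777 on a web folder produces.
world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# From a passwd-format file, print accounts other than root that
# carry user ID 0 or group ID 0.
extra_root_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# Constructed demo data in a throwaway directory, removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/index.php" "$demo_dir/upload.php"
chmod 640 "$demo_dir/index.php"
chmod 777 "$demo_dir/upload.php"
cat > "$demo_dir/passwd.sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:1001:0:constructed account:/home/backup2:/bin/bash
EOF
chmod 600 "$demo_dir/passwd.sample"

mode_to_symbolic 711
world_writable "$demo_dir"
extra_root_accounts "$demo_dir/passwd.sample"
```

On a real host, point world_writable at the web root and extra_root_accounts at /etc/passwd; both only read, so they are safe to run before changing any permissions.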