Bash Index : U - The 'U' Bash commands : description, flags and examples

ufw

ufw (Uncomplicated FireWall) is not actually a shell built-in but a frontend to iptables.

ufw vs iptables : which one should I use ? (source)

  • since ufw is only a frontend to iptables (and unless you need some advanced features), there's no real gain using one or the other : stick to the one you're comfortable and efficient with
  • if you already know and use iptables, ufw would only be a different tool to do the same thing (so if you're curious and have spare time, go for it)
  • if you know none of these, ufw is a good starting point since it was designed to ease iptables firewall configuration

umask

Usage :

Set / print the user's file creation mask. This is used to set the initial permissions for new files and directories.

How does it work ?

The man page (or "man bash" + search "umask") is not very explicit, so here's the recipe :
  1. there is a "default maximum permissions" value :
    • for regular files : 666
    • for directories : 777
  2. remove the permission bits set in the mask value (often defaults to 022) from this "default maximum permissions" value to get the default permissions. For the usual masks this is the same as subtracting the mask :
    • for regular files : 666 - 022 = 644 (i.e. rw-r--r--)
    • for directories : 777 - 022 = 755 (i.e. rwxr-xr-x)
    Strictly speaking the mask clears bits, it is not an arithmetic subtraction : a mask of 055 turns 666 into 622 (not 611), since a file has no x bit to remove. This is why the 044 / 055 cases in the example below look odd.

Mask values

Mask value   Permissions for files   Permissions for directories   Who can read ?   Who can write ?
022          rw-r--r--               rwxr-xr-x                     everybody        owner only
077          rw-------               rwx------                     owner only       owner only

Setup

You can define the mask value with umask maskValue :
  • for everybody, in :
    • /etc/profile
    • /etc/bashrc
  • for me only, in :
    • ~/.bashrc
Check current definition :
grep umask /etc/profile /etc/bashrc ~/.bashrc 2>/dev/null

Example :

cd /run/shm; for value in 022 044 055 077; do echo -e "\numask : $value"; umask "$value"; touch myFile; mkdir myDir; ls -ld my*; rm myFile; rmdir myDir; done
umask : 022
drwxr-xr-x 2 stuart users 1024 Apr 18 10:35 myDir
-rw-r--r-- 1 stuart users    0 Apr 18 10:35 myFile

umask : 044			permissions below don't work in "real life", this example is for demonstration only
drwx-wx-wx 2 stuart users 1024 Apr 18 10:35 myDir
-rw--w--w- 1 stuart users    0 Apr 18 10:35 myFile

umask : 055			same comment as above : for demo only, not for real life
drwx-w--w- 2 stuart users 1024 Apr 18 10:35 myDir
-rw--w--w- 1 stuart users    0 Apr 18 10:35 myFile

umask : 077
drwx------ 2 stuart users 1024 Apr 18 10:35 myDir
-rw------- 1 stuart users    0 Apr 18 10:35 myFile
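The recipe and the demo above, as an added example (not code from the original page) : the functions compute the mode a new file or directory gets under a given mask, using the bit-clearing rule the kernel applies, and show where the "subtract the mask" shortcut diverges, without creating anything on disk. Base modes 666 / 777 are the ones from the page ; the function names are my own.

```shell
#!/bin/sh
# Added example (not from this page): what umask does to new files and directories.
# The kernel CLEARS every bit set in the mask (mode & ~mask); it does not subtract,
# which is why masks such as 044 / 055 give "odd" results. Base modes as on the page.

# umask_mode MASK file|dir  -> resulting octal mode, e.g. umask_mode 022 file -> 644
umask_mode() {
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: umask_mode MASK file|dir" >&2; return 1 ;;
    esac
    # "0$1" makes the shell parse the mask as octal; ~ flips its bits, & keeps the rest
    printf '%03o\n' $(( base & ~(0$1) ))
}

# subtract_mode MASK file|dir -> the page's "subtract the mask" shortcut, for comparison
subtract_mode() {
    case $2 in file) base=0666 ;; dir) base=0777 ;; *) return 1 ;; esac
    printf '%03o\n' $(( base - 0$1 ))
}

# mode_to_rwx MODE -> the string ls shows, e.g. mode_to_rwx 644 -> rw-r--r--
mode_to_rwx() {
    out=""
    for digit in $(printf '%s' "$1" | sed 's/./& /g'); do
        case $digit in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Walk the same masks as the page's touch/mkdir demo, without touching the filesystem
for m in 022 044 055 077; do
    f=$(umask_mode "$m" file); d=$(umask_mode "$m" dir)
    printf 'umask %s : file %s (%s)  dir %s (%s)  subtraction would say file %s\n' \
        "$m" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")" "$(subtract_mode "$m" file)"
done
```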

update-rc.d

Usage :

update-rc.d has been obsoleted by systemctl and systemd.

install and remove System-V style init script links

A common system administration error is to delete the /etc/rc<runlevel>.d/[SK]NNname links with the thought that this will "disable" the service, i.e., that this will prevent the service from being started.
However, if all links have been deleted then the next time the package is upgraded, the package's postinst script will run update-rc.d again and this will reinstall links at their factory default locations.

The correct way to disable services is to configure the service as stopped in all runlevels in which it is started by default. In the System-V init system, this means renaming the service's symbolic links from S to K. To do so :

update-rc.d service disable

update-alternatives

Usage :

update-alternatives is used to maintain the symbolic links (found in /etc/alternatives/) determining default commands

It is possible for several programs fulfilling similar functions (e.g. text editors) to be installed on a single system at the same time. This gives choice to the users, allowing each to use a different editor, but makes it difficult for a program to make a good choice of editor to invoke if the user has not specified a particular preference.

The alternatives system aims to solve this problem. A generic name in the filesystem is shared by all files providing interchangeable functionality :

  1. ll /usr/bin/editor
    lrwxrwxrwx 1 root root 24 Oct 11 15:47 /usr/bin/editor -> /etc/alternatives/editor*
  2. ll /etc/alternatives/editor
    lrwxrwxrwx 1 root root 18 Mar 24 15:04 /etc/alternatives/editor -> /usr/bin/vim.basic*

update-alternatives is generally automatically executed when installing / removing software on the system.

alternatives are handled by groups (for instance: for a binary and the associated man pages) known as link groups, so that they can (should!) be updated all at once : updating the master of a link group triggers the update of the slave link(s).

Each link group is, at any given time, in one of two modes : automatic or manual.

Link groups are in automatic mode when they are first introduced to the system. If the system administrator makes changes to the system's automatic settings, this will be noticed the next time update-alternatives is run on the changed link's group, and the group will automatically be switched to manual mode.

Example :

Get the value of the current alternatives editor setting :

update-alternatives --display editor
editor - manual mode
	link best version is /usr/bin/vim
	link currently points to /usr/bin/vim.basic			current setting
	link editor is /usr/bin/editor
	slave editor.1.gz is /usr/share/man/man1/editor.1.gz		symlinks /usr/share/man/man1/editor.1.gz -> /etc/alternatives/editor.1.gz -> /usr/share/man/man1/vim.1.gz
	slave editor.fr.1.gz is /usr/share/man/fr/man1/editor.1.gz
	...
/bin/nano - priority 40
	slave editor.1.gz: /usr/share/man/man1/nano.1.gz
/usr/bin/emacs24 - priority 0
	slave editor.1.gz: /usr/share/man/man1/emacs.emacs24.1.gz
/usr/bin/vim - priority 50
/usr/bin/vim.basic - priority 30
	slave editor.1.gz: /usr/share/man/man1/vim.1.gz
	slave editor.fr.1.gz: /usr/share/man/fr/man1/vim.1.gz
	...
/usr/bin/vim.tiny - priority 15
	slave editor.1.gz: /usr/share/man/man1/vim.1.gz
	slave editor.fr.1.gz: /usr/share/man/fr/man1/vim.1.gz
	...

Toggle the editor setting to automatic :

  1. As root : update-alternatives --auto editor
    update-alternatives: using /usr/bin/vim to provide /usr/bin/editor (editor) in auto mode
  2. update-alternatives --display editor
    editor - auto mode
    	link best version is /usr/bin/vim
    	link currently points to /usr/bin/vim
    	link editor is /usr/bin/editor
    	...

Configure the value of editor interactively :

As root : update-alternatives --config editor
There are 5 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /usr/bin/vim         50        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/emacs24     0         manual mode
  3            /usr/bin/vim         50        manual mode
  4            /usr/bin/vim.basic   30        manual mode
  5            /usr/bin/vim.tiny    15        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in manual mode

Set the value of editor non-interactively :

  1. As root : update-alternatives --set editor /usr/bin/vim.basic
    update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode
  2. update-alternatives --display editor
    editor - manual mode
    	link best version is /usr/bin/vim
    	link currently points to /usr/bin/vim.basic
    	link editor is /usr/bin/editor
    	...

usermod

Usage :

Update user information
Changes will only be effective after the next login. (or consider newgrp)

Flags :

Flag            Usage
-a              (only with -G) append the specified group to the user's group list
-g              change the user's initial group
-G              change the user's secondary Group(s)
-L bob
--lock bob      lock bob's password (a ! is put in front of the encrypted password in /etc/shadow, see "Locked accounts" below)
-s otherShell   change the user's shell to otherShell
-U bob
--unlock bob    unlock bob's password (the ! is removed)

Locked accounts :

When an account is locked, its owner won't be able to perform a password-based login, but SSH logins with keys still work. To forbid any kind of login, consider changing the user's shell to any flavor of nologin.


Example :

Change user's primary group :

usermod -g groupName bob
Bob's primary group becomes groupName.

Add user to secondary group(s) :

usermod -aG groupName kevin
groupName is appended to the list of Kevin's secondary groups.

Or even (this is explained in man adduser) : adduser kevin groupName

Remove a user from a group :

read this

Change user's shell :

  • usermod -s /bin/bash stuart
  • usermod -s /usr/sbin/nologin stuart : forbid login to Stuart

userdel

Usage :

Delete user account

Flags :

Flag Usage
-r delete :
  • user's home directory content
  • user's home directory itself
  • user's mail spool

Example :

Delete user account + remove home directory and mail spool :

userdel -r bob

useradd / adduser

Usage :

Create a new user or update default "new user" information.

What's the difference between useradd and adduser (source) ?

file /usr/sbin/{useradd,adduser}
/usr/sbin/useradd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=493f6bd6c372a7a9a93e26de333ee303d3ed9e53, stripped
/usr/sbin/adduser: Perl script text executable
  • useradd is a native binary compiled with the system
  • adduser is a Perl script which uses useradd binary in back-end. adduser is more user friendly and interactive than its back-end useradd. There's no difference in features provided.
  • On some Red Hatoids (noticed this on a CentOS machine) looks like /usr/sbin/adduser is not on the default path.
  • /usr/sbin/adduser actually symlinks to /usr/sbin/useradd (noticed this on a Red Hat 4.1 machine)

Flags :

Flag                           Usage
-d /home/userName
--home /home/userName          The new user will be created using /home/userName as the user's login directory.
-D                             Display default values of account settings (group, home dir, shell, ...)
-D [options...]                Update the default value of the settings fields given as options
-g value
--gid value                    set the user's initial group : value can be either the group name or its gid. This group MUST exist.
-G group1,group2,...,groupn    set user's secondary Group(s)
-m                             create user's home directory if it doesn't exist yet
-s                             specify the user's shell. This usually defaults to /bin/sh. If the user may not be allowed to log in, use either /sbin/nologin or /bin/false
-u UID
--uid UID                      The numerical value of the user's ID

Example :

Generic user creation :

useradd -d /home/bob -g primaryGroup -m bob
useradd -d /home/bob -s /bin/bash -m bob
This way, the user account is created as disabled (shown by the ! right after the login name in /etc/shadow). To enable it, either unlock the account (blank password !!!) then log in as this new user and set a password, or, as root : passwd bob
username='bob'; homeDir="/home/$username"; uid='7807'; gid='7800'; useradd --home "$homeDir" --uid "$uid" --gid "$gid" -m "$username"

Create account for Kevin, and set its primary group to developers :

useradd -g developers kevin

Create account for Stuart, and let him belong to secondary groups admins, ftp, www, developers :

useradd -G admins,ftp,www,developers stuart

groups are comma-separated, without space.

Declare the default shell will be /bin/sh for future account creations :

useradd -D -s /bin/sh

User creation (again) :

Debian style :

username="bob"; homeDir="/home/$username"; sshDirectory="$homeDir/.ssh"; sshKeys="$sshDirectory/authorized_keys"; adduser --home "$homeDir" --shell /bin/bash --gid 33 --disabled-password "$username"; mkdir "$sshDirectory"; touch "$sshKeys"; chmod 700 "$sshDirectory"; chmod 600 "$sshKeys"; chown "$username":"$username" "$sshDirectory" "$sshKeys"

  • --disabled-password : create an account with no password. Authentication is made with SSH keys only
  • Mind the gid parameter and the group name when it comes to chown
Red Hat style :

username="bob"; homeDir="/home/$username"; sshDirectory="$homeDir/.ssh"; sshKeys="$sshDirectory/authorized_keys"; adduser -m --home-dir "$homeDir" --shell /bin/bash "$username"; mkdir "$sshDirectory"; touch "$sshKeys"; chmod 700 "$sshDirectory"; chmod 600 "$sshKeys"; chown "$username" "$sshDirectory" "$sshKeys"

Create a passwordless account : won't get authenticated by password, must use other means such as SSH keys (details) :

  1. adduser [other options] bob
  2. passwd -l bob
See also --disabled-password.

uniq

Usage :

Report or omit repeated lines.
  • uniq does not detect repeated lines unless they are adjacent. You may want to sort the input first, or use sort -u without uniq.
  • Also, comparisons honor the rules specified by LC_COLLATE.

Flags :

Flag Usage
-c --count prefix lines with the count of occurrences
-d --repeated only print duplicate lines
-u --unique only print unique lines

Example :

Count the number of files from my home directory that were modified the same day :

ll ~ | awk '!/^total/ {print $6" "$7}' | sort | uniq -c
  • the ! prefixing the RegExp instructs Awk to apply on lines NOT matching the RegExp (lines not starting with total, here)
  • the sort is required : ll lists files by name, so entries for the same day are not necessarily adjacent, and uniq only detects adjacent duplicates
  • here, uniq is somewhat equivalent to a SQL select distinct ... ;

Find duplicate lines :

echo -e "aaa\nbbb\naaa\nccc" | uniq -d
(nothing)
Nothing found because duplicates are not adjacent
echo -e "aaa\naaa\nbbb\nccc" | uniq -d
aaa
echo -e "aaa\naaa\nbbb\nccc" | sort | uniq -d
aaa

Find unique lines :

echo -e "aaa\nbbb\naaa\nccc" | uniq -u
aaa
bbb
aaa
ccc
echo -e "aaa\naaa\nbbb\nccc" | uniq -u
bbb
ccc
echo -e "aaa\naaa\nbbb\nccc" | sort -u
aaa
bbb
ccc

ulimit

Usage :

User limits - limit the use of system-wide resources.

ulimit provides control over the resources available to the shell and to processes started by it, on systems that allow such control.
The soft limit is the value that the kernel enforces for the corresponding resource. The hard limit acts as a ceiling for the soft limit.
An unprivileged process may only set its soft limit to a value in the range from 0 up to the hard limit, and (irreversibly) lower its hard limit. A privileged process may make arbitrary changes to either limit value.
If limit is given, it is the new value of the specified resource. Otherwise, the current value of the soft limit for the specified resource is printed, unless the -H option is supplied.

A command returning something like cannot ...: Resource temporarily unavailable may be the sign of hitting one of these limits.

More about soft limit and hard limit (source) :

A hard limit can only be raised by root (any process can lower it). So it is useful for security: a non-root process cannot overstep a hard limit. But it's inconvenient in that a non-root process can't have a lower limit than its children.

A soft limit can be changed by the process at any time (to the extent permitted by the hard limit unless running as root of course). So it's convenient as long as processes cooperate, but no good for security.

Flags :

Flag        Usage
-a          Report all current limits. This can be used to check that updating a limit was successful
-Hx         Report the hard limit associated with the resource x
-Hx value   Set the hard limit associated with the resource x to value
-Sx         Report the soft limit associated with the resource x
-Sx value   Set the soft limit associated with the resource x to value
-n          The maximum number of open file descriptors

Example :

Get maximum number of open file descriptors (source) :

  1. (since limits can be set per user) : su - bob
  2. soft limit : ulimit -Sn
  3. hard limit : ulimit -Hn
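The soft / hard rules described above, exercised with -Sn / -Hn from a shell, as an added example (not code from the original page). Every experiment runs in its own subshell so the calling shell keeps its limits ; the values 64 and 1024 are constructed for the demo and only need to be below the current hard limit.

```shell
#!/bin/sh
# Added example (not from this page): probe the soft / hard open-files limits (-n).
# Each experiment runs in a subshell: limits are inherited by children, never pushed
# back to the parent. The values 64 / 1024 are constructed for the demo.

# soft_within_hard: succeeds when the current soft limit does not exceed the hard one
soft_within_hard() {
    soft=$(ulimit -Sn); hard=$(ulimit -Hn)
    [ "$hard" = unlimited ] || [ "$soft" -le "$hard" ]
}

# lower_soft N: lower the soft limit to N in a subshell and print what the subshell sees
lower_soft() { ( ulimit -Sn "$1" && ulimit -Sn ); }

# raise_hard_after_lowering LOW HIGH: lower BOTH limits to LOW (plain -n sets both; the
# kernel refuses a hard limit below the soft one), then try to raise the hard limit to HIGH.
# Prints "refused" for an unprivileged process (lowering is irreversible), "raised" for root.
raise_hard_after_lowering() {
    ( ulimit -n "$1" || exit 2
      if ulimit -Hn "$2" 2>/dev/null; then echo raised; else echo refused; fi )
}

# soft_above_hard: try to push the soft limit one above the hard limit. Refused for
# everyone, root included: soft <= hard is a kernel invariant, not a privilege check.
soft_above_hard() {
    ( hard=$(ulimit -Hn)
      if [ "$hard" = unlimited ]; then echo "hard is unlimited"; exit 0; fi
      if ulimit -Sn $(( hard + 1 )) 2>/dev/null; then echo allowed; else echo refused; fi )
}

printf 'current open-files limits : soft=%s hard=%s\n' "$(ulimit -Sn)" "$(ulimit -Hn)"
printf 'soft lowered to 64 in a child : %s ; parent still has %s\n' "$(lower_soft 64)" "$(ulimit -Sn)"
printf 'raising the hard limit back after lowering it : %s\n' "$(raise_hard_after_lowering 64 1024)"
printf 'setting soft above hard : %s\n' "$(soft_above_hard)"
```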